
New Member

IPsec issue between ASA 5525-X 9.1 and SonicWall

I have an issue on an L2L link between an ASA and a SonicWall.

Actually, IPsec comes up normally between some of the remote and local networks, but for other networks, when traffic is initiated between them, ASDM shows this message:

Jul 07 20:43:02 [IKEv1]Group = A.A.A.A, IP = A.A.A.A, Received an un-encrypted INVALID_COOKIE notify message, dropping
Jul 07 20:43:02 [IKEv1]Group = A.A.A.A, IP = A.A.A.A, Information Exchange processing failed 

We use IKEv1.

I used the same config on an ASA 5510 running code version 8.2(1) with no issue; then I replaced the device with a 5525-X running code version 9.1, and the IPsec tunnel issue started.

The IKEv1 debug output when initiating traffic from the ASA side is:

========================================== 

show deb
debug crypto ikev1 enabled at level 255

Crypto conditional debug is turned ON

IKE peer IP address filters:
A.A.A.A/32

ASA-FW-Sah(config)# deb crypto ikev1 255
ASA-FW-Sah(config)# Jul 07 20:43:01 [IKEv1 DEBUG]Group = A.A.A.A, IP = A.A.A.A, sending notify message
Jul 07 20:43:01 [IKEv1 DEBUG]Group = A.A.A.A, IP = A.A.A.A, constructing blank hash payload
Jul 07 20:43:01 [IKEv1 DEBUG]Group = A.A.A.A, IP = A.A.A.A, constructing ipsec notify payload for msg id 0
Jul 07 20:43:01 [IKEv1 DEBUG]Group = A.A.A.A, IP = A.A.A.A, constructing qm hash payload
Jul 07 20:43:01 [IKEv1]IP = A.A.A.A, IKE_DECODE SENDING Message (msgid=522fac4c) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 68

BEFORE ENCRYPTION
RAW PACKET DUMP on SEND
0b 74 d4 76 5f e8 2d 46 0f dc 2d bf c5 7c a7 7e    |  .t.v_.-F..-..|.~
08 10 05 00 4c ac 2f 52 1c 00 00 00 0b 00 00 18    |  ....L./R........
4f 70 44 1c 9f 5f b7 7f 92 00 d7 79 f7 2a 5b d1    |  OpD.._....y.*[.
e5 2e 5c 67 00 00 00 10 00 00 00 01 03 04 00 0b    |  ..\g............
ae 56 9d 6c                                        |  .V.l

ISAKMP Header
  Initiator COOKIE: 0b 74 d4 76 5f e8 2d 46
  Responder COOKIE: 0f dc 2d bf c5 7c a7 7e
  Next Payload: Hash
  Version: 1.0
  Exchange Type: Informational
  Flags: (none)
  MessageID: 4CAC2F52
  Length: 469762048
  Payload Hash
    Next Payload: Notification
    Reserved: 00
    Payload Length: 24
    Data:
      4f 70 44 1c 9f 5f b7 7f 92 00 d7 79 f7 2a 5b d1
      e5 2e 5c 67
  Payload Notification
    Next Payload: None
    Reserved: 00
    Payload Length: 16
    DOI: IPsec
    Protocol-ID: PROTO_IPSEC_ESP
    Spi Size: 4
    Notify Type: INVALID_SPI
    SPI: ae 56 9d 6c


IKE Recv RAW packet dump
0b 74 d4 76 5f e8 2d 46 0f dc 2d bf c5 7c a7 7e    |  .t.v_.-F..-..|.~
0b 10 05 00 93 e2 08 ee 00 00 00 98 00 00 00 7c    |  ...............|
00 00 00 01 00 04 00 04 00 00 00 00 00 06 00 04    |  ................
52 2f ac 4c 00 02 00 44 0b 74 d4 76 5f e8 2d 46    |  R/.L...D.t.v_.-F
0f dc 2d bf c5 7c a7 7e 08 10 05 01 52 2f ac 4c    |  ..-..|.~....R/.L
00 00 00 44 e6 57 44 56 f9 6e cf d3 bc 97 cc 0d    |  ...D.WDV.n......
27 b3 70 d8 39 db 3c 35 a1 e7 a8 b7 11 03 f2 5e    |  '.p.9.<5.......^
7f 9d f7 53 bc 5e 2b 41 5b 51 73 0a 00 04 00 18    |  ..S.^+A[Qs.....
00 00 00 54 68 65 20 63 6f 6f 6b 69 65 20 69 73    |  ...The cookie is
20 69 6e 76 61 6c 69 64                            |   invalid

 RECV PACKET from A.A.A.A
ISAKMP Header
  Initiator COOKIE: 0b 74 d4 76 5f e8 2d 46
  Responder COOKIE: 0f dc 2d bf c5 7c a7 7e
  Next Payload: Notification
  Version: 1.0
  Exchange Type: Informational
  Flags: (none)
  MessageID: 93E208EE
  Length: 152
  Payload Notification
    Next Payload: None
    Reserved: 00
    Payload Length: 124
    DOI: IPsec
    Protocol-ID: Reserved
    Spi Size: 4
    Notify Type: INVALID_COOKIE
    SPI: 00 00 00 00
    Data:
      00 06 00 04 52 2f ac 4c 00 02 00 44 0b 74 d4 76
      5f e8 2d 46 0f dc 2d bf c5 7c a7 7e 08 10 05 01
      52 2f ac 4c 00 00 00 44 e6 57 44 56 f9 6e cf d3
      bc 97 cc 0d 27 b3 70 d8 39 db 3c 35 a1 e7 a8 b7
      11 03 f2 5e 7f 9d f7 53 bc 5e 2b 41 5b 51 73 0a
      00 04 00 18 00 00 00 54 68 65 20 63 6f 6f 6b 69
      65 20 69 73 20 69 6e 76 61 6c 69 64
Jul 07 20:43:02 [IKEv1]IP = A.A.A.A, IKE_DECODE RECEIVED Message (msgid=93e208ee) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 152
Jul 07 20:43:02 [IKEv1]IP = A.A.A.A, IKE_DECODE RECEIVED Message (msgid=93e208ee) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 152
Jul 07 20:43:02 [IKEv1]Group = A.A.A.A, IP = A.A.A.A, Received an un-encrypted INVALID_COOKIE notify message, dropping
Jul 07 20:43:02 [IKEv1]Group = A.A.A.A, IP = A.A.A.A, Information Exchange processing failed
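
Decoding the two raw dumps above with an RFC 2408 ISAKMP parser makes the exchange visible: the ASA sent an INVALID_SPI notify for ESP SPI ae569d6c, and the SonicWall answered with an Informational message whose E (encryption) flag is clear, carrying INVALID_COOKIE plus the text "The cookie is invalid". Because that notify is unencrypted it is also unauthenticated, which is why the ASA logs "Received an un-encrypted INVALID_COOKIE notify message, dropping" instead of acting on it; a peer that honoured such notifies could have its SAs torn down by a spoofed packet. The script below is an added example, not code from the thread or from Cisco. The hex is copied from the dumps above, and the code points it names are the RFC 2408/2407 values that occur in them. The SEND dump was taken before encryption: its length field reads 0x1c000000 (the page's own decode shows Length: 469762048) and its message ID is byte-reversed relative to msgid=522fac4c in the log line, so the parser skips the wire-length check for that buffer.

```python
"""Decode the ISAKMP (IKEv1) packets from the ASA debug output (RFC 2408 layout)."""
import re
import struct

# RFC 2408 / RFC 2407 code points; only the values that occur in the dumps are named.
PAYLOAD_NAMES = {0: "NONE", 8: "HASH", 11: "NOTIFY"}
EXCHANGE_NAMES = {5: "Informational"}
NOTIFY_NAMES = {4: "INVALID_COOKIE", 11: "INVALID_SPI"}
PROTO_NAMES = {0: "Reserved", 1: "PROTO_ISAKMP", 3: "PROTO_IPSEC_ESP"}
DOI_NAMES = {0: "Generic", 1: "IPsec"}
FLAG_ENCRYPTION = 0x01  # "E" bit: everything after the header is encrypted under the ISAKMP SA

# "IKE Recv RAW packet dump" copied from the debug output (152 bytes, SonicWall -> ASA).
RECV_DUMP = """
0b 74 d4 76 5f e8 2d 46 0f dc 2d bf c5 7c a7 7e
0b 10 05 00 93 e2 08 ee 00 00 00 98 00 00 00 7c
00 00 00 01 00 04 00 04 00 00 00 00 00 06 00 04
52 2f ac 4c 00 02 00 44 0b 74 d4 76 5f e8 2d 46
0f dc 2d bf c5 7c a7 7e 08 10 05 01 52 2f ac 4c
00 00 00 44 e6 57 44 56 f9 6e cf d3 bc 97 cc 0d
27 b3 70 d8 39 db 3c 35 a1 e7 a8 b7 11 03 f2 5e
7f 9d f7 53 bc 5e 2b 41 5b 51 73 0a 00 04 00 18
00 00 00 54 68 65 20 63 6f 6f 6b 69 65 20 69 73
20 69 6e 76 61 6c 69 64
"""
# "RAW PACKET DUMP on SEND" copied from the debug output (68 bytes, ASA -> SonicWall,
# captured BEFORE ENCRYPTION: its length and message-ID fields are not in wire form yet).
SEND_DUMP = """
0b 74 d4 76 5f e8 2d 46 0f dc 2d bf c5 7c a7 7e
08 10 05 00 4c ac 2f 52 1c 00 00 00 0b 00 00 18
4f 70 44 1c 9f 5f b7 7f 92 00 d7 79 f7 2a 5b d1
e5 2e 5c 67 00 00 00 10 00 00 00 01 03 04 00 0b
ae 56 9d 6c
"""


def hexdump_to_bytes(dump):
    return bytes.fromhex("".join(dump.split()))


def parse_header(pkt):
    """Fixed 28-byte ISAKMP header (RFC 2408 section 3.1), network byte order."""
    if len(pkt) < 28:
        raise ValueError("packet shorter than the ISAKMP header")
    i_ck, r_ck, nxt, ver, exch, flags, msg_id, length = struct.unpack("!8s8sBBBBII", pkt[:28])
    return {
        "i_cookie": i_ck.hex(), "r_cookie": r_ck.hex(),
        "next_payload": PAYLOAD_NAMES.get(nxt, nxt),
        "version": f"{ver >> 4}.{ver & 0xF}",
        "exchange": EXCHANGE_NAMES.get(exch, exch),
        "encrypted": bool(flags & FLAG_ENCRYPTION),
        "msg_id": f"{msg_id:08x}", "length": length,
    }


def parse_notify(body):
    """Notification payload after its 4-byte generic header (RFC 2408 section 3.14)."""
    doi, proto, spi_size, ntype = struct.unpack("!IBBH", body[:8])
    spi = body[8:8 + spi_size]
    data = body[8 + spi_size:]
    # Vendor text, if any, is the longest printable run; shorter runs are just random bytes.
    runs = re.findall(rb"[ -~]{8,}", data)
    return {
        "doi": DOI_NAMES.get(doi, doi), "protocol": PROTO_NAMES.get(proto, proto),
        "spi": spi.hex(), "notify_type": NOTIFY_NAMES.get(ntype, ntype),
        "data_len": len(data), "text": max(runs, key=len).decode() if runs else "",
    }


def parse_packet(pkt, check_length=True):
    """Return (header, payloads) by walking the payload chain from the header's Next Payload."""
    hdr = parse_header(pkt)
    if check_length and hdr["length"] != len(pkt):
        raise ValueError(f"header length {hdr['length']} != {len(pkt)} bytes on the wire")
    payloads, off, nxt = [], 28, pkt[16]
    while nxt != 0:
        if off + 4 > len(pkt):
            raise ValueError("payload chain runs past packet end")
        nxt_after, _reserved, plen = struct.unpack("!BBH", pkt[off:off + 4])
        if plen < 4 or off + plen > len(pkt):
            raise ValueError("payload length runs past packet end")
        entry = {"type": PAYLOAD_NAMES.get(nxt, nxt), "len": plen}
        if nxt == 11:
            entry.update(parse_notify(pkt[off + 4:off + plen]))
        payloads.append(entry)
        off, nxt = off + plen, nxt_after
    return hdr, payloads


def verdict(hdr, payloads):
    """Mirror the ASA's decision in the log: a NOTIFY inside an Informational exchange
    with the E bit clear is unauthenticated, so it is dropped rather than acted on."""
    notifies = [p for p in payloads if p["type"] == "NOTIFY"]
    if hdr["exchange"] == "Informational" and notifies and not hdr["encrypted"]:
        return "drop: un-encrypted " + notifies[0]["notify_type"] + " notify"
    return "process"


if __name__ == "__main__":
    for name, dump, check in (("SEND", SEND_DUMP, False), ("RECV", RECV_DUMP, True)):
        hdr, payloads = parse_packet(hexdump_to_bytes(dump), check_length=check)
        print(name, hdr, payloads, verdict(hdr, payloads), sep="\n  ")
```

Running the script prints both decodes; the RECV verdict is the "drop" the ASA logged, and the RECV notify's 108 data bytes contain the ASA's own 68-byte message echoed back (the cookies and 522fac4c are visible inside it) followed by the SonicWall's text.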

  • VPN
3 REPLIES
Cisco Employee

Hi,

Looking at the errors, you can see that the received packet from the SonicWall was invalid, thus parameter negotiation failed between the VPN peers.
Perhaps simultaneous logs from the SonicWall might be able to tell what caused this event.
Usually with 3rd-party appliances, it is relevant to make sure that the peer ID and peer IP are configured in the same format (using IP addressing in both cases rather than a hostname).

You can go through the following link to verify your configuration.
http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/66171-vpn-sonicwall-pixfw.html

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.


New Member

Thank you Dinesh,

The reason is that the ACL is not symmetric; the problem was eliminated after editing the ACL on both sides. The SonicWall model is NSA 3500.

And we removed PFS, but I don't think it is that.
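
The fix the poster describes is the usual one for IKEv1 phase 2: each side's interesting-traffic definition (the crypto ACL on the ASA, the local/destination networks of the VPN policy on the SonicWall) must be the exact mirror of the other's, because quick mode negotiates one pair of proxy identities per SA, and a mismatch fails only the affected pair while neighbouring pairs keep working. Below is an added checker (an editor's example, not code from the thread or either vendor) that flips one side's entries into the other's orientation and diffs the two sets, also reporting overlapping-but-unequal pairs such as a /24 on one side against a /23 on the other. The ACL contents are constructed samples, not the poster's configuration.

```python
"""Check that two IKEv1 peers' interesting-traffic definitions mirror each other."""
import ipaddress

# Constructed sample entries (not the poster's real ACLs). Each line is
# "<local network> <remote network>" as seen from that device's own side.
ASA_CRYPTO_ACL = """
10.10.1.0/24 192.168.50.0/24
10.10.2.0/24 192.168.50.0/24
10.10.3.0/24 192.168.50.0/24
"""
SONICWALL_POLICY = """
192.168.50.0/24 10.10.1.0/24
192.168.50.0/24 10.10.2.0/23
"""


def parse_pairs(text):
    """Parse 'local remote' CIDR lines into a set of (local, remote) network tuples."""
    pairs = set()
    for line in text.strip().splitlines():
        local, remote = line.split()
        pairs.add((ipaddress.ip_network(local), ipaddress.ip_network(remote)))
    return pairs


def fmt(pair):
    return f"{pair[0]} <-> {pair[1]}"


def compare_crypto_acls(local_text, peer_text):
    """Diff the local device's pairs against the peer's pairs flipped into local orientation."""
    local = parse_pairs(local_text)
    peer = {(remote, loc) for (loc, remote) in parse_pairs(peer_text)}
    matched = local & peer
    local_only = local - peer
    peer_only = peer - local
    # Overlapping but unequal pairs are the classic "asymmetric ACL": the networks
    # intersect, yet the proxy IDs each side offers are not identical.
    near_misses = sorted(
        (fmt(a), fmt(b))
        for a in local_only for b in peer_only
        if a[0].overlaps(b[0]) and a[1].overlaps(b[1])
    )
    return {
        "matched": sorted(map(fmt, matched)),
        "local_only": sorted(map(fmt, local_only)),
        "peer_only": sorted(map(fmt, peer_only)),
        "near_misses": near_misses,
        "symmetric": not local_only and not peer_only,
    }


if __name__ == "__main__":
    report = compare_crypto_acls(ASA_CRYPTO_ACL, SONICWALL_POLICY)
    for key, value in report.items():
        print(f"{key}: {value}")
```

With the sample input, only the 10.10.1.0/24 pair matches; the SonicWall's 10.10.2.0/23 entry overlaps both 10.10.2.0/24 and 10.10.3.0/24 on the ASA but equals neither, which is the pattern of "some networks work, others do not" that the thread opened with.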

Cisco Employee

Hi,

I am glad it is working for you.
Just to add, as long as PFS is set on both sides, it should allow you to negotiate the parameters and get the tunnel up and working.


Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.