Cisco Support Community
New Member

IPSec tunnel fail, phase one, please advise.

I am really new at this, so please forgive my ignorance. I've configured, to the best of my ability, a tunnel between my asa5505 and a Firebox X using this guide. I had to feel my way through it since the ASDM in the guide is an older version:

http://www.watchguard.com/help/docs/edge/10/en-us/content/en-us/bovpn/manual/manual_bovpn_edge_cisco.html

When I attempt to bring the tunnel up using Ping Inside on the ASA to one of the machines on the WatchGuard subnet, I get the following error messages, even though the ping states 100% success. I cannot ping, RDP or anything out from any of the hosts on my 192.168.240.0/24 network to the 192.168.254.0/24 network whatsoever.

Can anyone point me in the right direction?

Nov 25 11:49:54 [IKEv1 DECODE]: IP = 204.116.253.76, IKE Responder starting QM: msg id = 108a9682

Nov 25 11:49:54 [IKEv1]: Group = 204.116.253.76, IP = 204.116.253.76, Received encrypted Oakley Quick Mode packet with invalid payloads, MessID = 277517954

Nov 25 11:49:54 [IKEv1 DEBUG]: Group = 204.116.253.76, IP = 204.116.253.76, sending notify message

Nov 25 11:49:54 [IKEv1 DEBUG]: Group = 204.116.253.76, IP = 204.116.253.76, Can't send p2 'Payload malformed' notify message: no SPIs (msg id 108a9682)!

Nov 25 11:49:54 [IKEv1]: Group = 204.116.253.76, IP = 204.116.253.76, QM FSM error (P2 struct &0xc9d588b0, mess id 0x108a9682)!

Nov 25 11:49:54 [IKEv1 DEBUG]: Group = 204.116.253.76, IP = 204.116.253.76, IKE QM Responder FSM error history (struct &0xc9d588b0)  <state>, <event>:  QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_VALIDATE_FAIL-->QM_BLD_MSG2, EV_VALIDATE_MSG-->QM_BLD_MSG2, EV_DECRYPT_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_DECRYPT_MSG-->QM_BLD_MSG2, EV_INIT_RESPONDER-->QM_START, EV_RCV_MSG

Nov 25 11:49:54 [IKEv1 DEBUG]: Group = 204.116.253.76, IP = 204.116.253.76, sending delete/delete with reason message

Nov 25 11:49:54 [IKEv1]: Group = 204.116.253.76, IP = 204.116.253.76, Removing peer from correlator table failed, no match!

2 REPLIES
New Member

IPSec tunnel fail, phase one, please advise.

Hmmm, I can ping\rdp\whatever from the 192.168.254.0/24 (Firebox) side of the tunnel into the 192.168.240.0/24 (ASA) side, but not the other way around.

Purple

IPSec tunnel fail, phase one, please advise.

Hi,

Verify your crypto ACLs are mirrored on both tunnel endpoints.

Regards.

Alain

Don't forget to rate helpful posts.
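As an added example (not code from this thread, Cisco or WatchGuard) of the mirror check Alain suggests, this script parses constructed ASA crypto ACL lines and a constructed list of Firebox local/remote network pairs, then reports any selector that has no exact mirror on the other side. The ACL name, networks and the Firebox pair format are assumptions made for the example.

```python
import ipaddress

# Constructed sample: ASA crypto ACL lines for the tunnel (not the poster's config).
ASA_CRYPTO_ACL = """
access-list outside_cryptomap extended permit ip 192.168.240.0 255.255.255.0 192.168.254.0 255.255.255.0
access-list outside_cryptomap extended permit ip 10.10.0.0 255.255.0.0 192.168.254.0 255.255.255.0
"""
# Constructed sample: Firebox BOVPN routes as (local network, remote network) pairs.
# The second entry is deliberately narrower than the ASA's /16 to show a mismatch.
FIREBOX_TUNNEL_ROUTES = [
    ("192.168.254.0/24", "192.168.240.0/24"),
    ("192.168.254.0/24", "10.10.0.0/24"),
]

def parse_asa_crypto_acl(text):
    """Return a set of (src, dst) IPv4 networks from ASA 'extended permit ip' lines.
    Handles 'A.B.C.D MASK', 'host A.B.C.D' and 'any' operands."""
    pairs = set()
    for line in text.strip().splitlines():
        toks = line.split()
        if len(toks) < 7 or toks[2:5] != ["extended", "permit", "ip"]:
            continue
        rest, nets = toks[5:], []
        while rest and len(nets) < 2:
            if rest[0] == "any":
                nets.append(ipaddress.ip_network("0.0.0.0/0"))
                rest = rest[1:]
            elif rest[0] == "host":
                nets.append(ipaddress.ip_network(rest[1] + "/32"))
                rest = rest[2:]
            else:  # address followed by a dotted netmask
                nets.append(ipaddress.ip_network(f"{rest[0]}/{rest[1]}", strict=False))
                rest = rest[2:]
        if len(nets) == 2:
            pairs.add((nets[0], nets[1]))
    return pairs

def unmirrored(asa_pairs, peer_routes):
    """Each ASA (src, dst) must appear on the peer as (dst, src) and vice versa.
    Returns (selectors only the ASA has, selectors only the peer has), as seen from the peer."""
    peer_pairs = {(ipaddress.ip_network(l), ipaddress.ip_network(r)) for l, r in peer_routes}
    expected_on_peer = {(d, s) for s, d in asa_pairs}
    return expected_on_peer - peer_pairs, peer_pairs - expected_on_peer

if __name__ == "__main__":
    asa_only, peer_only = unmirrored(parse_asa_crypto_acl(ASA_CRYPTO_ACL), FIREBOX_TUNNEL_ROUTES)
    for local, remote in sorted(asa_only, key=str):
        print(f"Firebox is missing mirror: local {local} <-> remote {remote}")
    for local, remote in sorted(peer_only, key=str):
        print(f"ASA is missing mirror: peer local {local} <-> remote {remote}")
```

An empty result in both directions means the phase 2 selectors match exactly; a /16 on one side against a /24 on the other is reported as a mismatch even though the ranges overlap.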