Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
Community Member

L2L VPN with MS ISA 2004

Hi, I am trying to set up a Lan2Lan VPn between an ASA 5510 and a MS ISA Server 2004 machine. The configuration matches on both ends, but I get the following error in the ASA logs:

113019: Group = x.x.x.x, Username = x.x.x.x, IP = x.x.x.x, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:00m:32s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Error

713902: Group = x.x.x.x, IP = x.x.x.x, Removing peer from correlator table failed, no match!

713902: Group = x.x.x.x, IP = x.x.x.x, QM FSM error (P2 struct &0x3180ef8, mess id 0x469cca44)!

713068: Group = x.x.x.x, IP = x.x.x.x, Received non-routine Notify message: Invalid ID info (18)

713119: Group = x.x.x.x, IP = x.x.x.x, PHASE 1 COMPLETED

713903: Group = x.x.x.x, IP = x.x.x.x, Freeing previously allocated memory for authorization-dn-attributes

713041: IP = x.x.x.x, IKE Initiator: New Phase 1, Intf 2, IKE Peer x.x.x.x local Proxy Address 10.10.0.0, remote Proxy Address 192.168.0.0, Crypto map (outside_map)

Please help....

5 REPLIES
Cisco Employee

Re: L2L VPN with MS ISA 2004

Hello,

We need a bit more of information. It seems like phase 2 is failing to complete. To get more information please turn on IPsec debugging via "debug crypto ipsec 128". The attempt to bring up the tunnel by generating interesting traffic and see what messages are generated in the debugging log.

Community Member

Re: L2L VPN with MS ISA 2004

Hi, Thanks for the reply... here is your log:

IPSEC: New embryonic SA created @ 0x035D1808,

SCB: 0x038E41C0,

Direction: inbound

SPI : 0x44691D15

Session ID: 0x0000000A

VPIF num : 0x00000001

Tunnel type: l2l

Protocol : esp

Lifetime : 240 seconds

IPSEC: New embryonic SA created @ 0x035D1808,

SCB: 0x02F44080,

Direction: inbound

SPI : 0xD98C22C8

Session ID: 0x0000000A

VPIF num : 0x00000001

Tunnel type: l2l

Protocol : esp

Lifetime : 240 seconds

IPSEC: New embryonic SA created @ 0x038EBBE0,

SCB: 0x038D73E0,

Direction: inbound

SPI : 0xF94561E9

Session ID: 0x0000000A

VPIF num : 0x00000001

Tunnel type: l2l

Protocol : esp

Lifetime : 240 seconds

IPSEC: New embryonic SA created @ 0x035D1808,

SCB: 0x02F44080,

Direction: inbound

SPI : 0x43F6A2BB

Session ID: 0x0000000A

VPIF num : 0x00000001

Tunnel type: l2l

Protocol : esp

Lifetime : 240 seconds

Cisco Employee

Re: L2L VPN with MS ISA 2004

Sorry, my bad, "debug crypto isakmp 200" will give us the information we need. There's no useful information in the debugging information provided by "debug crypto ipsec" in this case.

Community Member

Re: L2L VPN with MS ISA 2004

Elparis, Thanks you very much for your help in this matter; however, the problem has been solved. It turns out that it was a problem with the ISA server I was trying to connect to. Thanks for your input

Cisco Employee

Re: L2L VPN with MS ISA 2004

Great! Glad to hear everything is working now.

Cheers!

265
Views
0
Helpful
5
Replies
CreatePlease to create content