Community Member

VPN ASA 5510 to router 871

Hello,

I am trying to set up a VPN between an ASA 5510 and an 871 router.

I have enabled debug on the 871 router and I get these errors.

Router 871#

*Mar 3 05:42:32.971: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local 10.10.100.3, remote x.x.x.194)

*Mar 3 05:42:32.971: ISAKMP: Error while processing SA request: Failed to initialize SA

*Mar 3 05:42:32.971: ISAKMP: Error while processing KMI message 0, error 2.

*Mar 3 05:43:02.975: ISAKMP:(0):deleting SA reason "Death by retransmission P1"state (I) MM_NO_STATE (peer x.x.x.194)

*Mar 3 05:43:02.975: ISAKMP:(0):deleting SA reason "Death by retransmission P1"state (I) MM_NO_STATE (peer x.x.x.194)

*Mar 3 05:44:03.491: ISAKMP:(0):deleting SA reason "Death by retransmission P1"state (I) MM_NO_STATE (peer x.x.x.194)

*Mar 3 05:44:03.491: ISAKMP:(0):deleting SA reason "Death by retransmission P1"state (I) MM_NO_STATE (peer x.x.x.194)

Regards

4 REPLIES
Hall of Fame Super Gold

Re: VPN ASA 5510 to router 871

Pascal

It is difficult to know what the problem is from this debug. Perhaps if it ran a bit longer we might see more of the attempt to negotiate and might see the problem.

But I would suggest that symptoms like this frequently are the result of a mismatch in configuration between the peers. I would suggest that you check to make sure that the peer addresses do match. Also check to be sure that the pre shared keys used for ISAKMP negotiation match.

HTH

Rick

Community Member

Re: VPN ASA 5510 to router 871

This is a part of my conf.

ASA5510.

access-list nonat extended permit ip 10.10.0.0 255.255.254.0 10.10.3.0 255.255.255.240

crypto ipsec transform-set avalanche esp-des esp-md5-hmac

crypto ipsec security-association lifetime seconds 3600

crypto ipsec df-bit clear-df outside

crypto map MAP 21 match address nonat

crypto map MAP 21 set peer 10.10.100.3

crypto map MAP 21 set transform-set avalanche

crypto map MAP interface outside

isakmp enable outside

isakmp policy 1 authentication pre-share

isakmp policy 1 encryption 3des

isakmp policy 1 hash sha

isakmp policy 1 group 2

tunnel-group 10.10.100.3 type ipsec-l2l

tunnel-group 10.10.100.3 ipsec-attributes

pre-shared-key *

Router 871

crypto isakmp policy 11

encr 3des

authentication pre-share

group 2

crypto isakmp key cisco123 address x.x.x.194

crypto ipsec transform-set sharks esp-des esp-md5-hmac

crypto map nolan 11 ipsec-isakmp

set peer x.x.x.194

set transform-set sharks

match address 120

interface FastEthernet4

ip address 10.10.100.3 255.255.255.240

duplex auto

speed auto

crypto map nolan

access-list 120 permit ip 10.10.3.0 0.0.0.15 10.10.0.0 0.0.1.255

Community Member

Re: VPN ASA 5510 to router 871

The isakmp policy on the router does not have hash sha defined whereas the ASA does; try adding that.

Hope this helps.

Community Member

Re: VPN ASA 5510 to router 871

I have tried to add hash sha to the policy of my router but I have the same problem.

*Mar 3 05:42:32.971: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local 10.10.100.3, remote x.x.x.194)

*Mar 3 05:42:32.971: ISAKMP: Error while processing SA request: Failed to initialize SA

*Mar 3 05:42:32.971: ISAKMP: Error while processing KMI message 0, error 2.

*Mar 3 05:43:02.975: ISAKMP:(0):deleting SA reason "Death by retransmission P1"state (I) MM_NO_STATE (peer x.x.x.194)

*Mar 3 05:43:02.975: ISAKMP:(0):deleting SA reason "Death by retransmission P1"state (I) MM_NO_STATE (peer x.x.x.194)

*Mar 3 05:44:03.491: ISAKMP:(0):deleting SA reason "Death by retransmission P1"state (I) MM_NO_STATE (peer x.x.x.194)

*Mar 3 05:44:03.491: ISAKMP:(0):deleting SA reason "Death by retransmission P1"state (I) MM_NO_STATE (peer x.x.x.194)

Regards
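
Added example, not part of the original thread and not Cisco code: a small Python check that runs the comparisons suggested in the replies above (phase 1 policy parameters, mirrored crypto ACLs, peer address) over the settings posted here. The sample strings are constructed from the posted configuration, and the IOS default values are an assumption based on classic IOS 12.x behaviour.

```python
import ipaddress
import re

# Constructed from the configuration posted in this thread (public IP and key omitted).
ASA = """\
access-list nonat extended permit ip 10.10.0.0 255.255.254.0 10.10.3.0 255.255.255.240
crypto map MAP 21 set peer 10.10.100.3
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
"""
ROUTER = """\
crypto isakmp policy 11
 encr 3des
 authentication pre-share
 group 2
access-list 120 permit ip 10.10.3.0 0.0.0.15 10.10.0.0 0.0.1.255
"""
# Assumption: classic IOS omits default values from the displayed policy ("hash sha" is one).
IOS_DEFAULTS = {"encryption": "des", "hash": "sha", "group": "1", "authentication": "rsa-sig"}

def phase1(cfg, defaults=None):
    """ISAKMP policy parameters, with implicit defaults filled in."""
    policy = dict(defaults or {})
    pat = r"^(?:isakmp policy \d+ |[ \t]*)(encr\w*|hash|group|authentication) (\S+)"
    for key, val in re.findall(pat, cfg, re.M):
        policy["encryption" if key.startswith("encr") else key] = val
    return policy

def crypto_acl(cfg):
    """(source, destination) of the 'permit ip' entry; accepts netmask or wildcard form."""
    src, smask, dst, dmask = re.search(r"permit ip (\S+) (\S+) (\S+) (\S+)", cfg).groups()
    return ipaddress.ip_network(f"{src}/{smask}"), ipaddress.ip_network(f"{dst}/{dmask}")

def compare(asa, router):
    """Return a list of findings; an empty list means the compared settings agree."""
    a, r = phase1(asa), phase1(router, IOS_DEFAULTS)
    out = [f"phase 1 {k}: ASA={a.get(k)} router={r.get(k)}"
           for k in sorted(set(a) | set(r)) if a.get(k) != r.get(k)]
    if crypto_acl(asa) != crypto_acl(router)[::-1]:
        out.append("crypto ACLs are not mirror images")
    peer = re.search(r"set peer (\S+)", asa).group(1)
    if ipaddress.ip_address(peer).is_private:
        out.append(f"ASA peer {peer} is private: confirm the ASA sees the router as this address")
    return out

if __name__ == "__main__":
    print("\n".join(compare(ASA, ROUTER)) or "no mismatch found")
```

On the posted settings the phase 1 parameters and the crypto ACLs compare as equal, so the only item the script reports is the peer address to verify.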
