
New Member

ASA to IOS: strange error in phase 2

Hi all,

I am facing a problem trying to establish a tunnel with one of our suppliers.

Their side is terminated on an IOS router of currently unknown type and version (should be 12.2 - 12.4), my side is an ASA 7.2(2); configurations are attached (at least the snippet of the IOS config I was sent).

Apparently Phase 1 completes correctly but P2 fails with "Received non-routine Notify message: No proposal chosen (14)". I also attach debug from the ASA with "debug crypto isakmp 129" and "debug crypto ipsec 129".

I double checked transform sets and IKE policies.

BTW I never had to use static NAT AND IPsec as here (I was asked to do so by the other side); I have found a few config examples on that (to solve overlapping networks), I hope it is possible with the ASA OS too.

Many thanks in advance...

Ivano

5 REPLIES
Hall of Fame Super Blue

Re: ASA to IOS: strange error in phase 2

Hi

In my experience IPSEC phase 2 fails for one of two reasons

1) Incorrect settings, i.e. the encryption algorithms, lifetimes etc.

2) The local and remote subnets as defined in the crypto map access-lists are different.

2) looks okay from the configs.

Could you

1) Get a debug output from the customer on their side or alternatively get them to initiate the connection and send a debug.

2) Before doing that, could you explicitly set up PFS under phase 2 on both the ASA and the IOS. Each device is using its default setting for PFS and they may be different.

HTH

Jon

New Member

Re: ASA to IOS: strange error in phase 2

Hi Jon,

too bad we are the "customer side", so I have close to no control over the IOS router config.

Anyway I inserted explicit parameters for pfs and requested them to adapt and send back a debug output.

I will post results asap.

Thanks a lot

Ivano

New Member

Re: ASA to IOS: strange error in phase 2

Not an expert but just had a similar problem: in your ASA you have:

crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 5
 lifetime 3600
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400

and in IOS you have:

crypto isakmp policy 1
 hash md5
 authentication pre-share
 lifetime 3600

( no encryption and no DH group )

also couldn't work out what this refers to (may be a knowledge gap):

match address ip-isauto

I would have thought this should refer to an access list.

I don't know if any of this will help but hope you find the problem. Regards, Sean.

New Member

Re: ASA to IOS: strange error in phase 2

Hi Sean and thanks for replying,

Parameters that take default values don't show up in "show running-config", so that's why you can't find the DH group and encryption in the IOS ISAKMP policy; anyway they matched.

BTW exactly last Friday 22/06 we found what was blocking P2 to complete.

On the IOS router they have stated:

crypto map MAPNAME local-address Loopback0

which I understand uses the Loopback0 address as identity in the IPsec SA; too bad that in some other place of the configuration they never showed me they put:

Interface Loopback0
 no ip address

That, without any experience, sounded very strange to me, so I asked them to remove the former statement (crypto map .... local-address) and voilà, IPsec SA ok and VPN traffic flowing, of course using the physical interface's IP address as IPsec identity.

It remains the question of why other (IOS based) peers were working correctly (and still are!) with that router, totally regardless of the guilty piece of config....

Anyway, thanks to everybody who helped.

Greetings from Italy

Ivano
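Sean's side-by-side comparison of the two ISAKMP policy sets and Ivano's two follow-up points (attributes hidden by "show running-config" defaults, and a crypto map local-address pointing at an interface with no IP) are checks worth running over the pasted configs before asking the peer for a debug. The Python below is an added example and not code from this thread: the IOS policy defaults are Cisco's documented ones, while the ASA 7.2 defaults and the two sample snippets are assumptions modelled on the posted configs.

```python
import re
# "show running-config" on IOS omits ISAKMP policy attributes left at their default, so a
# policy listing only "hash md5 / authentication pre-share" still carries DES and DH group 1.
# IOS defaults are Cisco's documented ones; the ASA defaults are an assumption for this example.
IOS_DEFAULTS = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig", "group": "1", "lifetime": "86400"}
ASA_DEFAULTS = {"encryption": "3des", "hash": "sha", "authentication": "pre-share", "group": "2", "lifetime": "86400"}
ATTR_RE = re.compile(r"^(encr(?:yption)?|hash|authentication|group|lifetime)\s+(\S+)$")

def parse_isakmp_policies(config, defaults):
    """Return {policy_number: {attr: value}} with omitted attributes filled in from defaults."""
    policies, current = {}, None
    for line in (l.strip() for l in config.splitlines()):
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            current = policies.setdefault(int(m.group(1)), dict(defaults))
        elif current is not None and ATTR_RE.match(line):
            attr, value = ATTR_RE.match(line).groups()
            current["encryption" if attr.startswith("encr") else attr] = value  # IOS prints "encr"
        elif line:  # any other command ends the block; pasted configs often lose indentation
            current = None
    return policies

def matching_policies(asa_cfg, ios_cfg):
    """(asa_policy, ios_policy) pairs that agree on encryption, hash, authentication and DH group."""
    asa = parse_isakmp_policies(asa_cfg, ASA_DEFAULTS)
    ios = parse_isakmp_policies(ios_cfg, IOS_DEFAULTS)
    keys = ("encryption", "hash", "authentication", "group")  # lifetime omitted: IKE negotiates down to the shorter value
    return sorted((a, i) for a, ap in asa.items() for i, ip in ios.items()
                  if all(ap[k] == ip[k] for k in keys))

def unaddressed_local_address(ios_cfg):
    """Interface named by 'crypto map ... local-address' if it has no 'ip address' line, else None."""
    m = re.search(r"crypto map \S+ local-address (\S+)", ios_cfg)
    if not m:
        return None
    iface, in_block = m.group(1), False
    for line in (l.strip() for l in ios_cfg.splitlines()):
        if re.match(r"interface\s+%s$" % re.escape(iface), line, re.I):
            in_block = True
        elif in_block and re.match(r"(interface\s|crypto\s|router\s|!)", line, re.I):
            break  # left the interface block without seeing an address
        elif in_block and re.match(r"ip address \S+ \S+", line):
            return None
    return iface

# Constructed sample snippets modelled on the thread, not the poster's actual configs.
ASA_CFG = ("crypto isakmp policy 20\n authentication pre-share\n encryption 3des\n hash sha\n"
           " group 5\n lifetime 3600\ncrypto isakmp policy 30\n authentication pre-share\n"
           " encryption 3des\n hash md5\n group 2\n lifetime 86400\n")
IOS_CFG = ("crypto isakmp policy 1\n hash md5\n authentication pre-share\n lifetime 3600\n"
           "crypto isakmp policy 2\n encr 3des\n hash md5\n authentication pre-share\n group 2\n"
           "interface Loopback0\n no ip address\ncrypto map MAPNAME local-address Loopback0\n")
```

With the sample above, `matching_policies(ASA_CFG, IOS_CFG)` reports only ASA policy 30 against IOS policy 2, since IOS policy 1 silently carries DES and group 1, and `unaddressed_local_address(IOS_CFG)` flags Loopback0.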

New Member

Re: ASA to IOS: strange error in phase 2

... me again, just wanted to add a little comment.

I wouldn't have been able to solve this if I weren't finally given the debug output of the IOS router where the "local-address" error was clearly pinned.

I then have to say that the debug of the ASA side lacks (or hides) a lot of important information compared to the IOS platform.

Am I the only one thinking that, or perhaps is that due to my always too limited knowledge?

Thanks again, see you

Ivano
