
New Member

problem establishing site to site vpn between asa and 1811 router

I keep getting the following error.

3|Jan 08 2008|15:47:31|710003|192.168.0.45|192.168.0.50|TCP access denied by ACL from 192.168.0.45/3698 to LAN:192.168.0.50/80

3|Jan 08 2008|15:47:28|710003|192.168.0.45|192.168.0.50|TCP access denied by ACL from 192.168.0.45/3698 to LAN:192.168.0.50/80

6|Jan 08 2008|15:47:28|302021|192.168.0.45|192.168.0.50|Teardown ICMP connection for faddr 192.168.0.45/1024 gaddr 192.168.0.50/0 laddr 192.168.0.50/0

6|Jan 08 2008|15:47:28|302020|192.168.0.45|192.168.0.50|Built inbound ICMP connection for faddr 192.168.0.45/1024 gaddr 192.168.0.50/0 laddr 192.168.0.50/0

5|Jan 08 2008|15:47:03|713904|||IP = Public IP, Received encrypted packet with no matching SA, dropping

4|Jan 08 2008|15:47:03|113019|||Group = Public IP, Username = Public IP, IP = Public IP, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch

3|Jan 08 2008|15:47:03|713902|||Group = Public IP, IP = Public IP, Removing peer from correlator table failed, no match!

3|Jan 08 2008|15:47:03|713902|||Group = Public IP, IP = Public IP, QM FSM error (P2 struct &0x4969c90, mess id 0xf3d044e8)!

5|Jan 08 2008|15:47:03|713904|||Group = Public IP, IP = Public IP, All IPSec SA proposals found unacceptable!

3|Jan 08 2008|15:47:03|713119|||Group = Public IP, IP = Public IP, PHASE 1 COMPLETED

6|Jan 08 2008|15:47:03|113009|||AAA retrieved default group policy (DfltGrpPolicy) for user = Public IP

4|Jan 08 2008|15:47:03|713903|||Group = Public IP, IP = Public IP, Freeing previously allocated memory for authorization-dn-attributes

I don't think this is because of an encryption mismatch. Any help is appreciated.

Thanks

nilesh

4 REPLIES
Cisco Employee

Re: problem establishing site to site vpn between asa and 1811 r

Looks like your IPSEC policies are not matching. Make sure that the encryption, hashing algorithm, etc., match. Also, the IPSEC access lists have to be mirror images of each other. BTW, do you have PFS configured?

Regards,

Arul

New Member

Re: problem establishing site to site vpn between asa and 1811 r

I have attached a file which contains the ASA 5500 and 1800 router configuration and the debug log. I have removed the IPs.

Thanks for all your help.

Nilesh

Cisco Employee (Accepted Solution)

Re: problem establishing site to site vpn between asa and 1811 r

You have PFS (Perfect Forward Secrecy) configured on the ASA and not on the router. This could be one of the reasons why the tunnel is failing in Phase 2.

If you do not need PFS, can you do a "no crypto map WAN_map 1 set pfs" from the ASA configuration and bring up the tunnel?

Regards,

Arul
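The two replies above give a checklist (matching transform set, PFS on both peers or neither, mirror-image crypto ACLs) and the original post gives a pipe-delimited ASA syslog export. The script below is an added example, not code from the thread or from Cisco: it parses that export format, decides from the message IDs whether the failure is in Phase 1 or Phase 2, and compares the Phase 2 parameters of two peers for exactly the mismatches named in the replies. The sample log lines are constructed to mirror the ones in the thread, with 203.0.113.10 standing in for the redacted "Public IP" peer; the peer dictionaries, their keys and the transform set string are this example's own assumptions.

```python
"""Triage an ASA syslog export (severity|date|time|msgid|src|dst|text) for
IPsec LAN-to-LAN failures and compare two peers' Phase 2 parameters.
Added example; the sample data below is constructed."""
import re
from dataclasses import dataclass

# Constructed sample in the same export format as the thread.
SAMPLE_LOG = """\
3|Jan 08 2008|15:47:03|713119|||Group = 203.0.113.10, IP = 203.0.113.10, PHASE 1 COMPLETED
5|Jan 08 2008|15:47:03|713904|||Group = 203.0.113.10, IP = 203.0.113.10, All IPSec SA proposals found unacceptable!
3|Jan 08 2008|15:47:03|713902|||Group = 203.0.113.10, IP = 203.0.113.10, QM FSM error (P2 struct &0x4969c90, mess id 0xf3d044e8)!
4|Jan 08 2008|15:47:03|113019|||Group = 203.0.113.10, Username = 203.0.113.10, IP = 203.0.113.10, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch
5|Jan 08 2008|15:47:03|713904|||IP = 203.0.113.10, Received encrypted packet with no matching SA, dropping
3|Jan 08 2008|15:47:31|710003|192.168.0.45|192.168.0.50|TCP access denied by ACL from 192.168.0.45/3698 to LAN:192.168.0.50/80
"""


@dataclass(frozen=True)
class AsaEvent:
    severity: int
    msg_id: str
    text: str


def parse_log(raw: str) -> list:
    """Split every well-formed line into its seven pipe-delimited fields.
    The free-text column may itself contain commas, so split at most 6 times."""
    events = []
    for line in raw.splitlines():
        fields = line.split("|", 6)
        if len(fields) != 7:
            continue  # blank or malformed line
        sev, _date, _time, msg_id, _src, _dst, text = fields
        events.append(AsaEvent(int(sev), msg_id, text))
    return events


PEER_RE = re.compile(r"\bIP = ([0-9.]+)")


def triage(events: list) -> dict:
    """Decide which IKE stage failed from the message IDs seen in the export."""
    phase1_ok = any(e.msg_id == "713119" and "PHASE 1 COMPLETED" in e.text for e in events)
    proposals_rejected = any(e.msg_id == "713904" and "proposals found unacceptable" in e.text
                             for e in events)
    phase2_mismatch = any(e.msg_id == "113019" and "Phase 2 Mismatch" in e.text for e in events)
    peers = set()
    for e in events:
        m = PEER_RE.search(e.text)
        if m:
            peers.add(m.group(1))
    # 710003 is an ACL denial for traffic addressed to the ASA's own interface;
    # it is noise as far as the tunnel negotiation is concerned.
    unrelated = sum(1 for e in events if e.msg_id == "710003")
    if phase1_ok and (proposals_rejected or phase2_mismatch):
        stage = "phase2"  # IKE policy and PSK are fine; check transform set, PFS, crypto ACLs
    elif not phase1_ok:
        stage = "phase1"
    else:
        stage = "ok"
    return {"stage": stage, "phase1_ok": phase1_ok, "peers": peers,
            "unrelated_acl_denies": unrelated}


def phase2_mismatches(asa: dict, router: dict) -> list:
    """Compare the Phase 2 parameters of two peers. Each dict (keys are this
    example's own) holds 'transform', 'pfs' (DH group name or None for no
    PFS) and the 'local'/'remote' networks of its crypto ACL."""
    problems = []
    if asa["transform"] != router["transform"]:
        problems.append("transform set differs")
    if asa["pfs"] != router["pfs"]:
        problems.append(f"PFS differs (ASA {asa['pfs']}, router {router['pfs']})")
    # Mirror image: what one side calls local, the other must call remote.
    if (asa["local"], asa["remote"]) != (router["remote"], router["local"]):
        problems.append("crypto ACLs are not mirror images")
    return problems


# Constructed peer settings: PFS on the ASA only, as in the accepted answer.
ASA_BEFORE = {"transform": "esp-3des esp-sha-hmac", "pfs": "group2",
              "local": "10.1.0.0/24", "remote": "10.2.0.0/24"}
ROUTER = {"transform": "esp-3des esp-sha-hmac", "pfs": None,
          "local": "10.2.0.0/24", "remote": "10.1.0.0/24"}
# Same ASA after "no crypto map WAN_map 1 set pfs".
ASA_AFTER = dict(ASA_BEFORE, pfs=None)

if __name__ == "__main__":
    print(triage(parse_log(SAMPLE_LOG)))
    print(phase2_mismatches(ASA_BEFORE, ROUTER))
    print(phase2_mismatches(ASA_AFTER, ROUTER))
```

Running it on the constructed export reports stage "phase2" with Phase 1 complete, which is the pattern in the original post: the IKE SA came up, so the pre-shared key and IKE policy are fine, and the rejection happened when the quick-mode proposals were compared. The peer comparison then names the PFS difference and returns an empty list once PFS is removed from the ASA (or, equally, added on the router).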

New Member

Re: problem establishing site to site vpn between asa and 1811 r

It worked!!! Thank you very much.

Best Regards

nilesh
