VPN from ISA550 PPPOE to ASA5510

Before, I used a VPN from an ASA5505 in PPPoE (dynamic IP) to an ASA5510 (fixed public IP).

Now I have replaced my ASA5505 with an ISA550 in PPPoE (dynamic IP).

In the ISA, aggressive mode is not present, and the ASA5510 writes in the log:

Group = 23.33.33.44,IP = 23.33.33.44, Can't find a valid tunnel group, aborting...!

The group is the dynamic IP.

Before, with the ASA5505, the group was the name of the ASA, like (Group = ciscoasa, IP = 23.33.33.44).

Has someone had the same problem?

Does someone have a solution?

16 REPLIES

Re: VPN from ISA550 PPPOE to ASA5510

Jacques,
Are you using the same VPN settings on the 5510 that applied to the 5505 or did you create a new VPN policy for the ISA? I have an ISA550 to ASA5510 VPN, but both ends are static IPs with no use of PPPoE. Getting the VPN up the first time was troublesome and I've had a couple of instances where I've had to reboot the ISA to get VPN re-established again. I can say that I created a VPN policy on the ISA that was different from the default and the same on the ASA. From a firmware standpoint, my ISA is 1.2.17 and my ASA is 9.x.

Sent from Cisco Technical Support iPhone App

Shawn Eftink CCNA/CCDA Please rate all helpful posts and mark correct answers to assist others searching for solutions in the community.
New Member

Re: VPN from ISA550 PPPOE to ASA5510

Thanks for your help.

Yes, I created a new VPN policy for the ISA.

I think if the ISA receives a dynamic IP from the ISP (PPPoE), then the ISA must set "IKE Negotiation Mode" to aggressive mode, and in the IKE parameters the identity sent to the peer must be set to "Hostname", like my old ASA5505. But this setting does not exist on the ISA.

I use 2 Cisco RV082 VPN "PPPoE dynamic IP" connected to my ASA5510 without problem.

Because the RV082 manages the name and aggressive mode very well.

In the ASA5510 config you can see this info:

[OK] access-list outside_cryptomap_6 line 1 extended permit ip object-group All_Internal_Vlan_Remote_Admin 172.16.120.0 255.255.255.128

[OK] group-policy GroupPolicy1 internal

[OK] group-policy GroupPolicy1 attributes

      group-policy GroupPolicy1 attributes

[OK] vpn-tunnel-protocol ipsec

[OK] exit

[WARNING] tunnel-group firewall-Name type ipsec-l2l

     L2L tunnel-groups that have names which are not an IP    YES this is DHCP from ISP

address may only be used if the tunnel authentication

method is Digital Certificates and/or The peer is

configured to use Aggressive Mode

[OK] tunnel-group firewall-Name general-attributes

      tunnel-group firewall-Name general-attributes

[OK] default-group-policy GroupPolicy1

[OK] tunnel-group firewall-Name ipsec-attributes

      tunnel-group firewall-Name ipsec-attributes

[OK] pre-shared-key **********

[OK] isakmp keepalive threshold 10 retry 2

[OK] crypto dynamic-map firewall-Name 7 match address outside_cryptomap_6

[OK] crypto dynamic-map firewall-Name 7 set  transform-set  ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

[OK] crypto map outside_map 7 ipsec-isakmp dynamic firewall-Name

Re: VPN from ISA550 PPPOE to ASA5510

Here's the VPN configuration that I'm using, as an FYI.

Transform - ESP_SHA1_HMAC, ESP_AES_256

IKE Policy - AES_256, SHA1, PRE_SHARE, Group_5

IKE Negotiation - Main

PFS - Off

DPD - On

Net BIOS Broadcast - Off

Certificate - No

This configuration required the creation of a new IKE Policy in the ISA as the default was AES-256 with Group-2.  Technically speaking AES-256 is supposed to be Group-5.

I'd recommend turning off Aggressive Mode.  Aggressive Mode does speed up VPN negotiation by requiring only two exchanges between peers (totaling 3 messages) rather than Main Mode's three exchanges (totaling 6 messages); however, it doesn't protect the identities of the peers, requiring the peers to exchange identification information before establishing a secure SA.  The only real downside to disabling Aggressive Mode is that it would prevent VPN Clients from using preshared keys for authentication.  However, since this policy is only used for a L2L VPN, it wouldn't have any impact on VPN Clients, if they exist.

Shawn Eftink
CCNA/CCDA

Please rate all helpful posts and mark correct answers to assist others searching for solutions in the community.


VPN from ISA550 PPPOE to ASA5510

Did you use the ASA5505 as an EasyVPN client? Then this won't work since ISA doesn't support EasyVPN.

Michael

Please rate all helpful posts

New Member

VPN from ISA550 PPPOE to ASA5510

Hi Michael

Thank you for your help.

"Did you use the ASA5505 as an EasyVPN client?" No, site-to-site VPN.

Site-to-site ASA5505 dynamic IP (PPPoE) to ASA5510 fixed IP works very well.

Site-to-site ISA550 dynamic IP (PPPoE) to ASA5510 fixed IP does not work.

Have you heard whether some people can create a VPN like this with the ISA550?

VPN from ISA550 PPPOE to ASA5510

I only have some ISAs with static IPs to an ASA5510.

Can you show me the error logs from the ASA and also the setup?

Michael

Please rate all helpful posts

New Member

VPN from ISA550 PPPOE to ASA5510

The ASA5510 log:

09-10-2013          16:57:10          Local4.Debug          ecufw1          Oct 09 2013 16:57:11: %ASA-7-713236: IP = 84.226.187.187, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 224

09-10-2013          16:57:10          Local4.Debug          ecufw1          Oct 09 2013 16:57:11: %ASA-7-715047: IP = 84.226.187.187, processing SA payload

09-10-2013          16:57:10          Local4.Debug          ecufw1          Oct 09 2013 16:57:11: %ASA-7-713906: IP = 84.226.187.187, Oakley proposal is acceptable

09-10-2013          16:57:10          Local4.Debug          ecufw1          Oct 09 2013 16:57:11: %ASA-7-715047: IP = 84.226.187.187, processing VID payload

09-10-2013          16:57:10          Local4.Debug          ecufw1          Oct 09 2013 16:57:11: %ASA-7-715047: IP = 84.226.187.187, processing VID payload

09-10-2013          16:57:10          Local4.Debug          ecufw1          Oct 09 2013 16:57:11: %ASA-7-715049: IP = 84.226.187.187, Received DPD VID

09-10-2013          16:57:10          Local4.Debug          ecufw1          Oct 09 2013 16:57:11: %ASA-7-715047: IP = 84.226.187.187, processing VID payload

09-10-2013          16:57:10          Local4.Debug          ecufw1          Oct 09 2013 16:57:11: %ASA-7-715049: IP = 84.226.187.187, Received NAT-Traversal RFC VID

09-10-2013          16:57:10          Local4.Debug          ecufw1          Oct 09 2013 16:57:11: %ASA-7-715047: IP = 84.226.187.187, processing VID payload

09-10-2013          16:57:10          Local4.Debug          ecufw1          Oct 09 2013 16:57:11: %ASA-7-715049: IP = 84.226.187.187, Received NAT-Traversal ver 03 VID

09-10-2013          16:57:10          Local4.Debug          ecufw1          Oct 09 2013 16:57:11: %ASA-7-715047: IP = 84.226.187.187, processing VID payload

09-10-2013          16:57:10          Local4.Debug          ecufw1          Oct 09 2013 16:57:11: %ASA-7-715049: IP = 84.226.187.187, Received NAT-Traversal ver 02 VID

09-10-2013          16:57:10          Local4.Debug          ecufw1          Oct 09 2013 16:57:11: %ASA-7-715047: IP = 84.226.187.187, processing VID payload

09-10-2013          16:57:10          Local4.Debug          ecufw1          Oct 09 2013 16:57:11: %ASA-7-715047: IP = 84.226.187.187, processing VID payload

09-10-2013          16:57:10          Local4.Debug          ecufw1          Oct 09 2013 16:57:11: %ASA-7-715047: IP = 84.226.187.187, processing IKE SA payload

09-10-2013          16:57:10          Local4.Debug          ecufw1          Oct 09 2013 16:57:11: %ASA-7-715028: IP = 84.226.187.187, IKE SA Proposal # 1, Transform # 0 acceptable  Matches global IKE entry # 3

09-10-2013          16:57:10          Local4.Debug          ecufw1          Oct 09 2013 16:57:11: %ASA-7-715046: IP = 84.226.187.187, constructing ISAKMP SA payload

09-10-2013          16:57:10          Local4.Debug          ecufw1          Oct 09 2013 16:57:11: %ASA-7-715046: IP = 84.226.187.187, constructing NAT-Traversal VID ver 02 payload

09-10-2013          16:57:10          Local4.Debug          ecufw1          Oct 09 2013 16:57:11: %ASA-7-715046: IP = 84.226.187.187, constructing Fragmentation VID + extended capabilities payload

09-10-2013          16:57:10          Local4.Debug          ecufw1          Oct 09 2013 16:57:11: %ASA-7-713236: IP = 84.226.187.187, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 132

09-10-2013          16:57:10          Local4.Debug          ecufw1          Oct 09 2013 16:57:11: %ASA-7-713236: IP = 84.226.187.187, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 292

09-10-2013          16:57:10          Local4.Debug          ecufw1          Oct 09 2013 16:57:11: %ASA-7-715047: IP = 84.226.187.187, processing ke payload

09-10-2013          16:57:10          Local4.Debug          ecufw1          Oct 09 2013 16:57:11: %ASA-7-715047: IP = 84.226.187.187, processing ISA_KE payload

09-10-2013          16:57:10          Local4.Debug          ecufw1          Oct 09 2013 16:57:11: %ASA-7-715047: IP = 84.226.187.187, processing nonce payload

09-10-2013          16:57:10          Local4.Debug          ecufw1          Oct 09 2013 16:57:11: %ASA-7-715047: IP = 84.226.187.187, processing NAT-Discovery payload

09-10-2013          16:57:10          Local4.Debug          ecufw1          Oct 09 2013 16:57:11: %ASA-7-713906: IP = 84.226.187.187, computing NAT Discovery hash

09-10-2013          16:57:10          Local4.Debug          ecufw1          Oct 09 2013 16:57:11: %ASA-7-715047: IP = 84.226.187.187, processing NAT-Discovery payload

09-10-2013          16:57:10          Local4.Debug          ecufw1          Oct 09 2013 16:57:11: %ASA-7-713906: IP = 84.226.187.187, computing NAT Discovery hash

09-10-2013          16:57:10          Local4.Debug          ecufw1          Oct 09 2013 16:57:11: %ASA-7-715046: IP = 84.226.187.187, constructing ke payload

09-10-2013          16:57:10          Local4.Debug          ecufw1          Oct 09 2013 16:57:11: %ASA-7-715046: IP = 84.226.187.187, constructing nonce payload

09-10-2013          16:57:10          Local4.Debug          ecufw1          Oct 09 2013 16:57:11: %ASA-7-715046: IP = 84.226.187.187, constructing Cisco Unity VID payload

09-10-2013          16:57:10          Local4.Debug          ecufw1          Oct 09 2013 16:57:11: %ASA-7-715046: IP = 84.226.187.187, constructing xauth V6 VID payload

09-10-2013          16:57:10          Local4.Debug          ecufw1          Oct 09 2013 16:57:11: %ASA-7-715048: IP = 84.226.187.187, Send IOS VID

09-10-2013          16:57:10          Local4.Debug          ecufw1          Oct 09 2013 16:57:11: %ASA-7-715038: IP = 84.226.187.187, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000409)

09-10-2013          16:57:10          Local4.Debug          ecufw1          Oct 09 2013 16:57:11: %ASA-7-715046: IP = 84.226.187.187, constructing VID payload

09-10-2013          16:57:10          Local4.Debug          ecufw1          Oct 09 2013 16:57:11: %ASA-7-715048: IP = 84.226.187.187, Send Altiga/Cisco VPN3000/Cisco ASA GW VID

09-10-2013          16:57:10          Local4.Debug          ecufw1          Oct 09 2013 16:57:11: %ASA-7-715046: IP = 84.226.187.187, constructing NAT-Discovery payload

09-10-2013          16:57:10          Local4.Debug          ecufw1          Oct 09 2013 16:57:11: %ASA-7-713906: IP = 84.226.187.187, computing NAT Discovery hash

09-10-2013          16:57:10          Local4.Debug          ecufw1          Oct 09 2013 16:57:11: %ASA-7-715046: IP = 84.226.187.187, constructing NAT-Discovery payload

09-10-2013          16:57:10          Local4.Debug          ecufw1          Oct 09 2013 16:57:11: %ASA-7-713906: IP = 84.226.187.187, computing NAT Discovery hash

09-10-2013          16:57:10          Local4.Warning          ecufw1          Oct 09 2013 16:57:11: %ASA-4-713903: Group = 84.226.187.187, IP = 84.226.187.187, Can't find a valid tunnel group, aborting...!

09-10-2013          16:57:10          Local4.Debug          ecufw1          Oct 09 2013 16:57:11: %ASA-7-715065: Group = 84.226.187.187, IP = 84.226.187.187, IKE MM Responder FSM error history (struct &0xabb5a2c8)  , :  MM_DONE, EV_ERROR-->MM_BLD_MSG4, EV_GROUP_LOOKUP-->MM_BLD_MSG4, EV_TEST_CERT-->MM_BLD_MSG4, EV_BLD_MSG4-->MM_BLD_MSG4, EV_TEST_CRACK-->MM_BLD_MSG4, EV_SECRET_KEY_OK-->MM_BLD_MSG4, NullEvent-->MM_BLD_MSG4, EV_GEN_SECRET_KEY

09-10-2013          16:57:10          Local4.Debug          ecufw1          Oct 09 2013 16:57:11: %ASA-7-713906: Group = 84.226.187.187, IP = 84.226.187.187, IKE SA MM:55a8022e terminating:  flags 0x01000002, refcnt 0, tuncnt 0

09-10-2013          16:57:10          Local4.Debug          ecufw1          Oct 09 2013 16:57:11: %ASA-7-713906: Group = 84.226.187.187, IP = 84.226.187.187, sending delete/delete with reason message

09-10-2013          16:57:20          Local4.Warning          ecufw1          Oct 09 2013 16:57:21: %ASA-4-713903: IP = 84.226.187.187, Header invalid, missing SA payload! (next payload = 4)

And the ISA550 log:

2013-09-28 15:58:19 - Warning - IPsec VPN: msg="Maillefer-SA" #68: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106 ;

2013-09-28 15:58:19 - Warning - IPsec VPN: msg="Maillefer-SA" #68: ignoring Vendor ID payload [FRAGMENTATION c0000000];

2013-09-28 15:58:19 - Warning - IPsec VPN: msg="Maillefer-SA" #68: STATE_MAIN_I2: sent MI2, expecting MR2;

2013-09-28 15:58:19 - Warning - IPsec VPN: msg=initiating all conns with alias='Tunnel0' ;

2013-09-28 15:58:19 - Warning - IPsec VPN: msg=terminating all conns with alias='Tunnel0' ;

2013-09-28 15:58:29 - Warning - IPsec VPN: msg="Maillefer-SA" #68: ignoring informational payload, type INVALID_COOKIE msgid=00000000;

2013-09-28 15:58:29 - Warning - IPsec VPN: msg="Maillefer-SA" #68: received and ignored informational message;

2013-09-28 15:58:49 - Warning - IPsec VPN: msg="Maillefer-SA" #68: ignoring informational payload, type INVALID_COOKIE msgid=00000000;

2013-09-28 15:58:49 - Warning - IPsec VPN: msg="Maillefer-SA" #68: received and ignored informational message;

2013-09-28 15:59:29 - Warning - IPsec VPN: msg="Maillefer-SA" #68: max number of retransmissions (2) reached STATE_MAIN_I2;

2013-09-28 15:59:29 - Warning - IPsec VPN: msg="Maillefer-SA" #68: Quick mode retry fail, please Check if local IKE/Transform/PFS are the same as remote site;
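As an added example (not code from the thread or from Cisco), a small Python correlator over the ASA5510 and ISA550 log lines quoted above: it pulls the message id, Group and IP out of each %ASA line, picks the responder's FSM state out of the error history, finds the state the ISA initiator gets stuck in, and reports whether the tunnel-group lookup failed because the peer's identity was its own (dynamic) address, which is what the ASDM warning about hostname-named L2L tunnel-groups describes. The sample lines are copied from the logs on this page with the syslog-forwarder prefix removed.

```python
import re

# Constructed sample: lines taken from the ASA5510 and ISA550 logs quoted in
# the thread, with the syslog-forwarder prefix stripped from the ASA lines.
ASA_LINES = [
    "Oct 09 2013 16:57:11: %ASA-7-715028: IP = 84.226.187.187, IKE SA Proposal # 1, "
    "Transform # 0 acceptable  Matches global IKE entry # 3",
    "Oct 09 2013 16:57:11: %ASA-4-713903: Group = 84.226.187.187, IP = 84.226.187.187, "
    "Can't find a valid tunnel group, aborting...!",
    "Oct 09 2013 16:57:11: %ASA-7-715065: Group = 84.226.187.187, IP = 84.226.187.187, "
    "IKE MM Responder FSM error history (struct &0xabb5a2c8)  , :  MM_DONE, "
    "EV_ERROR-->MM_BLD_MSG4, EV_GROUP_LOOKUP-->MM_BLD_MSG4",
]
ISA_LINES = [
    '2013-09-28 15:58:19 - Warning - IPsec VPN: msg="Maillefer-SA" #68: '
    "STATE_MAIN_I2: sent MI2, expecting MR2;",
    '2013-09-28 15:59:29 - Warning - IPsec VPN: msg="Maillefer-SA" #68: '
    "max number of retransmissions (2) reached STATE_MAIN_I2;",
]

# %ASA-<severity>-<message id>: [Group = <id>, ]IP = <peer>, <text>
ASA_RE = re.compile(
    r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): "
    r"(?:Group = (?P<group>[^,]+), )?IP = (?P<ip>[0-9.]+), (?P<text>.*)"
)
# msg="<connection name>" #<state number>: <text>;
ISA_RE = re.compile(r'msg="(?P<conn>[^"]+)" #\d+: (?P<text>.*);')


def parse_asa(lines):
    """Return one dict (sev, msgid, group, ip, text) per ASA IKE log line."""
    return [m.groupdict() for m in map(ASA_RE.search, lines) if m]


def diagnose(asa_lines, isa_lines):
    """Correlate responder (ASA) and initiator (ISA) logs for one IKEv1 attempt."""
    r = {"phase1_proposal_ok": False, "tunnel_group_lookup_failed": False,
         "peer_id_is_ip": False, "responder_state": None, "initiator_stuck": None}
    for ev in parse_asa(asa_lines):
        if ev["msgid"] == "715028":            # phase 1 proposal accepted
            r["phase1_proposal_ok"] = True
        elif ev["msgid"] == "713903" and "valid tunnel group" in ev["text"]:
            r["tunnel_group_lookup_failed"] = True
            # In main mode with a PSK the peer's ID is its address, so the
            # ASA looks for a tunnel-group named after that (dynamic) IP.
            r["peer_id_is_ip"] = ev["group"] == ev["ip"]
        elif ev["msgid"] == "715065":          # responder FSM error history
            m = re.search(r"EV_ERROR-->(MM_\w+)", ev["text"])
            r["responder_state"] = m.group(1) if m else None
    for m in filter(None, map(ISA_RE.search, isa_lines)):
        s = re.search(r"retransmissions \(\d+\) reached (STATE_\w+)", m.group("text"))
        if s:
            r["initiator_stuck"] = s.group(1)   # initiator never got past this state
    return r


def verdict(r):
    """Plain-language reading of diagnose()'s result."""
    if r["tunnel_group_lookup_failed"] and r["peer_id_is_ip"]:
        return ("phase 1 proposal matched but the peer identified itself by its "
                "dynamic IP address and no tunnel-group with that name exists; a "
                "hostname-named L2L tunnel-group needs aggressive mode or certificates")
    return "no tunnel-group lookup failure found in the ASA log"
```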

Re: VPN from ISA550 PPPOE to ASA5510

Have you tried turning off Aggressive Mode on the ASA?

Sent from Cisco Technical Support iPhone App

Shawn Eftink CCNA/CCDA Please rate all helpful posts and mark correct answers to assist others searching for solutions in the community.
New Member

Re: VPN from ISA550 PPPOE to ASA5510

Hello

Site-to-site ASA5505 dynamic IP (PPPoE) to ASA5510 fixed IP works very well with aggressive mode.

Site-to-site ASA5505 dynamic IP (PPPoE) to ASA5510 fixed IP without aggressive mode ("main mode") = not working.

Re: VPN from ISA550 PPPOE to ASA5510

Jacques,
I'm confused. Do you mean that a site-to-site VPN without Aggressive Mode between the ISA and the ASA isn't working? I ask because you stated ASA5505 to ASA5510.

Sent from Cisco Technical Support iPhone App

Shawn Eftink CCNA/CCDA Please rate all helpful posts and mark correct answers to assist others searching for solutions in the community.
New Member

Re: VPN from ISA550 PPPOE to ASA5510

My old config is from ASA5505 to ASA5510 VPN; this config works because you can set the ASA5505 to aggressive mode.

My new config is from ISA550 to ASA5510 VPN; this config can't work because I can't set the ISA550 to aggressive mode.

And on the ASA5505 I can set, in IKE parameters -> Identity -> Sent to Peer, "hostname";

then the ASA5510 receives the Cisco name of my ASA5505.

The log in the ASA5510 looks like this:    Group = cisconame, IP = 23.23.23.23 <- dynamic public IP from ISP = OK, VPN works.

If no "hostname", then the log in the ASA5510 looks like this:  Group = 23.23.23.23, IP = 23.23.23.23 <- dynamic public IP from ISP = VPN can't work.

Re: VPN from ISA550 PPPOE to ASA5510

Jacques,

I understand how the ASA5505 to ASA5510 was setup using Aggressive mode.  Now that your remote VPN Peer is an ISA550, have you edited the Site-to-Site VPN profile in the ASA5510 for that connection and switched the IKE Negotiation Mode under Advanced -> Crypto Map Entry from Aggressive to Main?

Shawn Eftink
CCNA/CCDA

Please rate all helpful posts and mark correct answers to assist others searching for solutions in the community.

New Member

Re: VPN from ISA550 PPPOE to ASA5510

The old ASA5505 or the new ISA550 initialises the VPN to the ASA5510; therefore the aggressive mode is set inside these appliances.

If I set the ASA5505 to main mode in place of aggressive mode, the VPN is not initialised.

Re: VPN from ISA550 PPPOE to ASA5510

I think there's some confusion here. My understanding is that you're not using the ASA5505 anymore and instead using the ISA550. So where you would need to turn off Aggressive mode is in the 5510 but just on the profile for the ISA550 site, if you have more than one site/profile.

Sent from Cisco Technical Support iPhone App

Shawn Eftink CCNA/CCDA Please rate all helpful posts and mark correct answers to assist others searching for solutions in the community.
New Member

Re: VPN from ISA550 PPPOE to ASA5510

Hello,

Sorry for my poor English.

I need to replace the ASA5505 with an ISA550, but the ISA550 cannot be set to "aggressive mode" like the ASA5505 or the RV082/RV042 routers,

like this:

crypto map outside_map 3 set  phase1-mode aggressive group5

Aggressive mode is needed if the appliance (ISA550, ASA5505, RV082) has a dynamic public IP,

like this setting, as requested.

In the ASA5510 config you can see, when I create the VPN:

bla bla bla...

[WARNING] tunnel-group firewall-Name type ipsec-l2l

     L2L tunnel-groups that have names which are not an IP

address may only be used if the tunnel authentication

method is Digital Certificates and/or The peer is

configured to use Aggressive Mode

[OK] tunnel-group firewall-Name general-attributes

Re: VPN from ISA550 PPPOE to ASA5510

What firmware version is your ASA5510?

Sent from Cisco Technical Support iPhone App

Shawn Eftink CCNA/CCDA Please rate all helpful posts and mark correct answers to assist others searching for solutions in the community.