Cisco Support Community
Community Member

VPN not authorized =PSK

Hello,

I support a Dr office with 5 locations. Each has a Cisco ASA5500 with a public static IP and a VPN tunnel set up to each other location as well as back to the data center at Dell. I recently put a Cisco VoIP system in one location with its own SIP trunk static IP and want to tunnel to the same ASA devices. I bought a Cisco RV042 VPN router and configured the VPN tunnels on it and then tried one ASA device. If I initiate a connection from the ASA, the ASA sees nothing and the RV042 looks like it fails at phase one. If I initiate it from the RV042, the ASA still sees nothing.

I want to say upfront that the ISP is not blocking port 500. I know this because we already have tunnels set up that work. Also, all settings have been double checked on each device to make sure they match.

I was receiving the errors below until I did a firmware update. After that it now just fails but does not report anything in the logs.

Here are the errors:

packet from : initial Main Mode message received on  but no connection has been authorized with policy=PSK

ERROR: asynchronous network error report on eth1 for message to  port 500, complainant: Connection refused [errno 146, origin ICMP type 3 code 3 (not authenticated)]

5 REPLIES
Community Member

I should also say that I could have set up an additional VLAN for the voice data on each existing tunnel, but the license cost was $800 per device ($4000) and the doc didn't go for that.

Community Member

Sorry.... typo they are 5505

Community Member

Hi,

Regarding your statement that the ISP is not blocking port 500: the ISP may still be blocking the port. Having other tunnels to a specific device does not necessarily mean your provider is allowing it through. There are several providers that your provider most likely connects to, and since an IPsec tunnel connection goes directly from one peer to another, the paths taken by each tunnel are most likely completely different, so the path for this particular tunnel may have UDP port 500 packets blocked while the other tunnels' paths are fine.

With that said, based on your description of the issue there is a very high chance the packets from the router to the ASA are not getting to the ASA. We find this out by doing the following:

1. Apply a capture on the outside interface by doing the following commands:

ASA (config)#  capture CAP interface <outside interface name> trace detail match ip host <peer IP> host <local outside IP>

ASA (config)#  capture CAP2 interface <outside interface name> trace detail match esp host <peer IP> host <local outside IP>

The first capture will capture all IP traffic between the two peers, so make sure there are no pings or other traffic so we don't get much noise in the capture. The second capture is for ESP packets once the tunnel is up, in case you have issues with this being blocked on the internet as well.

2. Run debugs on the ASA:

debug crypto condition peer <peer IP>

debug crypto isakmp 250

debug crypto ipsec 250

3. Attempt to establish the tunnel from the router to the ASA first. Retrieve the captures, as well as the output of show crypto isakmp sa and show cry ipsec sa peer <Peer IP>, and the debug output. Then clear the capture contents and attempt another connection from the ASA, and be sure to retrieve the new information once again. Use show capture <capture name> to see the capture content and clear capture <capture name> to clear it.

Please post the outputs so we can understand the behavior; a copy of the config can also help.
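While waiting for the captures, the two responder messages quoted at the top of the thread can already be triaged, since each points at a different failure: the first means an IKE packet arrived but no tunnel on the receiving device names that source as its peer, the second means the address the router sent to answered with ICMP port unreachable rather than with IKE. The script below is an added example, not code from the thread, from Cisco or from the RV042 firmware; the regular expressions follow the wording of the quoted messages, and the peer addresses and interface in the sample lines are constructed placeholders.

```python
"""Triage IKE phase-1 responder log lines (added example, not from the thread).

The message text follows the two errors quoted in the thread; the addresses
below are constructed placeholders, not real peers."""
import re

# Constructed sample log: the two message shapes from the thread with placeholder IPs.
SAMPLE_LOG = """\
packet from 203.0.113.10:500: initial Main Mode message received on 198.51.100.5:500 but no connection has been authorized with policy=PSK
ERROR: asynchronous network error report on eth1 for message to 203.0.113.10 port 500, complainant 203.0.113.10: Connection refused [errno 146, origin ICMP type 3 code 3 (not authenticated)]
some unrelated line that the triage should ignore
"""

# Responder saw a Main Mode proposal but has no tunnel definition whose peer matches the sender.
NO_CONN = re.compile(
    r"packet from (?P<peer>[\d.]+):(?P<port>\d+).*?received on (?P<local>[\d.]+):\d+ "
    r"but no connection has been authorized with policy=(?P<policy>\w+)"
)
# Initiator got an ICMP error back for the UDP/500 packet it sent.
ICMP_ERR = re.compile(
    r"network error report on (?P<iface>\S+) for message to (?P<peer>[\d.]+) port (?P<port>\d+)"
    r".*?ICMP type (?P<type>\d+) code (?P<code>\d+)"
)

# ICMP type 3 (destination unreachable) codes that matter for an IKE initiator.
ICMP_UNREACH_CODES = {
    0: "network unreachable",
    1: "host unreachable",
    3: "port unreachable",
    9: "network administratively prohibited",
    10: "host administratively prohibited",
    13: "communication administratively prohibited",
}


def classify(line):
    """Return a finding dict for one log line; kind == 'other' for lines we do not recognise."""
    m = NO_CONN.search(line)
    if m:
        return {
            "kind": "no_matching_connection",
            "peer": m["peer"],
            "local": m["local"],
            "policy": m["policy"],
            "advice": (f"IKE packet from {m['peer']} reached {m['local']}, but no tunnel on this device "
                       f"names {m['peer']} as its remote gateway; compare the configured peer address "
                       f"with the source address seen here."),
        }
    m = ICMP_ERR.search(line)
    if m:
        icmp_type, code = int(m["type"]), int(m["code"])
        if icmp_type == 3:
            reason = ICMP_UNREACH_CODES.get(code, f"unreachable, code {code}")
            kind = "icmp_port_unreachable" if code == 3 else "icmp_unreachable"
        else:
            reason = f"ICMP type {icmp_type} code {code}"
            kind = "icmp_error"
        if kind == "icmp_port_unreachable":
            advice = (f"{m['peer']} answered the UDP/{m['port']} packet with port unreachable: a host is "
                      f"reachable at that address but nothing is listening for IKE there. Check that "
                      f"the remote gateway address really is the VPN peer and not an upstream device.")
        else:
            advice = (f"Packet to {m['peer']} was rejected in transit ({reason}); the path, not the "
                      f"peer configuration, is the first thing to verify.")
        return {"kind": kind, "peer": m["peer"], "iface": m["iface"], "reason": reason, "advice": advice}
    return {"kind": "other", "line": line}


def triage(log_text):
    """Classify every non-empty line and keep only the findings we recognise."""
    findings = [classify(ln) for ln in log_text.splitlines() if ln.strip()]
    return [f for f in findings if f["kind"] != "other"]


def summarize(findings):
    """Count findings per kind, which is what you would glance at first on a busy log."""
    counts = {}
    for f in findings:
        counts[f["kind"]] = counts.get(f["kind"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['kind']}] peer={f['peer']}: {f['advice']}")
    print(summarize(triage(SAMPLE_LOG)))
```

Running the script on the constructed sample yields one finding of each kind; on a real RV042 log you would feed it the exported log text and compare the peer address in the `no_matching_connection` finding with the remote gateway configured on the ASA, which is exactly the mismatch the captures in the steps above are meant to expose.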

Community Member

Thank you for your reply. I will do the suggested steps and post my results (probably Monday).

Community Member

I found the problem. I was putting the ISP device IP as the gateway and the VPN router IP as the IP.

I changed it so the router IP was the gateway and the internal subnet was the IP and it connected.

Now I am on to my next problem and will start a new thread.

Thank you for your help on this one :)
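The resolution above is a mirroring mistake: on one end the remote gateway pointed at the ISP device instead of the peer's VPN endpoint, and the remote "IP" was a single host instead of the LAN prefix behind the peer. That class of error can be caught before any packet is sent by checking that the two ends of a site-to-site tunnel describe each other consistently. The following is an added example and not the thread's or Cisco's code; the field names (local_gateway, local_subnet, remote_gateway, remote_subnet) are assumptions standing in for whatever the RV042 and ASA call those settings, and every address is a constructed placeholder.

```python
"""Mirror check for the two ends of a site-to-site IPsec tunnel (added example,
not from the thread). Field names and all addresses are assumptions."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class TunnelEnd:
    name: str
    local_gateway: str   # public address this device terminates IKE on
    local_subnet: str    # private network behind this device
    remote_gateway: str  # public address of the peer's VPN endpoint
    remote_subnet: str   # private network behind the peer


def _host(addr):
    try:
        return ipaddress.ip_address(addr)
    except ValueError:
        return None


def _net(prefix):
    try:
        return ipaddress.ip_network(prefix, strict=False)
    except ValueError:
        return None


def check_tunnel(a, b):
    """Return a list of human-readable problems; an empty list means the two ends mirror each other."""
    problems = []
    for this, peer in ((a, b), (b, a)):
        gw = _host(this.remote_gateway)
        if gw is None:
            problems.append(f"{this.name}: remote gateway {this.remote_gateway!r} is not a single host address")
        elif str(gw) != peer.local_gateway:
            # The poster's first mistake: the gateway pointed at the ISP device, not the peer router.
            problems.append(f"{this.name}: remote gateway {gw} does not match {peer.name}'s local gateway "
                            f"{peer.local_gateway}")
        net = _net(this.remote_subnet)
        if net is None:
            problems.append(f"{this.name}: remote network {this.remote_subnet!r} is not a valid prefix")
        else:
            if net.num_addresses == 1:
                # The poster's second mistake: the peer router's address where the LAN prefix belongs.
                problems.append(f"{this.name}: remote network {net} is a single host, expected "
                                f"{peer.name}'s LAN prefix")
            if net != _net(peer.local_subnet):
                problems.append(f"{this.name}: remote network {net} does not match {peer.name}'s local "
                                f"network {peer.local_subnet}")
            if gw is not None and gw in net:
                problems.append(f"{this.name}: remote gateway {gw} lies inside the remote network {net}; "
                                f"the gateway should be the peer's public address")
    la, lb = _net(a.local_subnet), _net(b.local_subnet)
    if la is not None and lb is not None and la.overlaps(lb):
        problems.append(f"local networks {la} and {lb} overlap; traffic selectors will be ambiguous")
    return problems


# Constructed placeholders modelled on the thread: an ASA site and the new RV042 voice site.
ASA_SITE = TunnelEnd("asa-site1", "198.51.100.5", "10.1.0.0/24", "203.0.113.10", "10.2.0.0/24")

# The misconfiguration described in the thread: ISP device as gateway, peer router address as the "IP".
RV042_BROKEN = TunnelEnd("rv042-voice", "203.0.113.10", "10.2.0.0/24", "203.0.113.1", "198.51.100.5/32")

# The corrected definition: peer router as gateway, the peer's internal subnet as the remote network.
RV042_FIXED = TunnelEnd("rv042-voice", "203.0.113.10", "10.2.0.0/24", "198.51.100.5", "10.1.0.0/24")


if __name__ == "__main__":
    for label, end in (("broken", RV042_BROKEN), ("fixed", RV042_FIXED)):
        issues = check_tunnel(ASA_SITE, end)
        print(f"{label}: {len(issues)} problem(s)")
        for p in issues:
            print("  -", p)
```

The broken pair produces three findings (gateway mismatch, single-host remote network, remote network mismatch) and the fixed pair produces none; the same check scales to a full mesh of sites by running it over every pair of tunnel definitions.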
