ASA 5505 to Sonicwall VPN troubles

James Dykes
Level 1

I have an ASA 5505 that I'm trying to build an L2L tunnel from to a Sonicwall device. Phase 1 settings appear to match on both sides, judging from the screenshots sent from the client's office and my settings here, but something is off. My settings are below and the endpoint's settings are screenshotted in the attachments.

The error I'm getting is:

Jul 26 11:22:40 [IKEv1]: IP = 66.208.251.193, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 92
Jul 26 11:22:40 [IKEv1]: IP = 66.208.251.193, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 92
Jul 26 11:22:40 [IKEv1]: IP = 66.208.251.193, Received an un-encrypted NO_PROPOSAL_CHOSEN notify message, dropping
Jul 26 11:22:40 [IKEv1]: IP = 66.208.251.193, Information Exchange processing failed
Jul 26 11:22:43 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jul 26 11:22:43 [IKEv1]: IP = 66.208.251.193, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Jul 26 11:22:48 [IKEv1]: IP = 66.208.251.193, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 148
Jul 26 11:22:48 [IKEv1]: IP = 66.208.251.193, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 92
Jul 26 11:22:48 [IKEv1]: IP = 66.208.251.193, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 92
Jul 26 11:22:48 [IKEv1]: IP = 66.208.251.193, Received an un-encrypted NO_PROPOSAL_CHOSEN notify message, dropping
Jul 26 11:22:48 [IKEv1]: IP = 66.208.251.193, Information Exchange processing failed
Jul 26 11:22:48 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jul 26 11:22:48 [IKEv1]: IP = 66.208.251.193, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Jul 26 11:22:56 [IKEv1]: IP = 66.208.251.193, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 148
Jul 26 11:22:56 [IKEv1]: IP = 66.208.251.193, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 92
Jul 26 11:22:56 [IKEv1]: IP = 66.208.251.193, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 92
Jul 26 11:22:56 [IKEv1]: IP = 66.208.251.193, Received an un-encrypted NO_PROPOSAL_CHOSEN notify message, dropping
Jul 26 11:22:56 [IKEv1]: IP = 66.208.251.193, Information Exchange processing failed
Jul 26 11:23:04 [IKEv1 DEBUG]: IP = 66.208.251.193, IKE MM Initiator FSM error history (struct &0x3c6caf8)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
Jul 26 11:23:04 [IKEv1 DEBUG]: IP = 66.208.251.193, IKE SA MM:9300f290 terminating:  flags 0x01000022, refcnt 0, tuncnt 0
Jul 26 11:23:04 [IKEv1 DEBUG]: IP = 66.208.251.193, sending delete/delete with reason message
Jul 26 11:23:04 [IKEv1]: IP = 66.208.251.193, Removing peer from peer table failed, no match!
Jul 26 11:23:04 [IKEv1]: IP = 66.208.251.193, Error: Unable to remove PeerTblEntry

5753-FWL001# sho run
: Saved
:
ASA Version 7.2(3)
!
hostname 5753-FWL001
domain-name coffeefest.com
enable password 8GJ1Rq/1t25uy0R3 encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.133.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address XXX.XXX.XXX.196 255.255.255.240
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name coffeefest.com
object-group network FTP-ALLOW
 description Hosts allowed to FTP into servers
object-group network RDP-ALLOW
 description Palador Allowed for RDP
 network-object host 64.3.25.178
 network-object host 64.3.25.179
 network-object host 64.3.25.180
 network-object host 64.3.25.181
 network-object host 64.3.25.182
 network-object host 64.3.25.183
 network-object host 64.3.25.184
 network-object host 64.3.25.185
 network-object host 64.3.25.186
 network-object host 64.3.25.187
 network-object host 64.3.25.188
access-list outside_acl extended permit ip 216.211.143.64 255.255.255.192 any
access-list outside_acl extended permit tcp any host XXX.XXX.XXX.198 eq www
access-list outside_acl extended permit tcp any host XXX.XXX.XXX.198 eq https
access-list outside_acl extended permit tcp host 216.254.1.194 host XXX.XXX.XXX.197 eq 1433
access-list outside_acl extended permit tcp host 69.88.113.154 host XXX.XXX.XXX.197 eq 1433
access-list outside_acl extended permit tcp host 69.88.113.155 host XXX.XXX.XXX.197 eq 3389
access-list outside_acl extended permit tcp host 69.88.113.155 host XXX.XXX.XXX.197 eq 1433
access-list outside_acl extended permit tcp host 69.88.113.154 host XXX.XXX.XXX.197 eq 3389
access-list outside_acl extended permit tcp host 69.88.113.154 host XXX.XXX.XXX.198 eq 1433
access-list outside_acl extended permit tcp host 69.88.113.154 host XXX.XXX.XXX.198 eq 3389
access-list outside_acl extended permit tcp host 69.88.113.155 host XXX.XXX.XXX.198 eq 3389
access-list outside_acl extended permit tcp host 69.88.113.155 host XXX.XXX.XXX.198 eq 1433
access-list outside_acl extended permit tcp host 67.51.49.138 any eq 3389
access-list outside_acl extended permit tcp host 67.51.49.138 any eq 1433
access-list outside_acl extended permit tcp host 64.3.25.178 host XXX.XXX.XXX.197 eq imap4
access-list outside_acl extended permit tcp 64.3.25.176 255.255.255.240 any eq 3389
access-list outside_acl extended permit tcp object-group RDP-ALLOW any eq 3389
access-list outside_acl extended permit tcp host 207.115.95.194 host XXX.XXX.XXX.198 eq 3389
access-list outside_acl extended permit tcp host 207.115.95.194 host XXX.XXX.XXX.197 eq 1433
access-list coffeefest_vpn_splitTunnelAcl standard permit 192.168.133.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.133.0 255.255.255.0 192.168.133.16 255.255.255.240
access-list inside_nat0_outbound extended permit ip 192.168.133.0 255.255.255.0 10.0.43.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.133.0 255.255.255.0 10.0.43.0 255.255.255.0
pager lines 24
logging enable
logging console debugging
logging buffered debugging
logging history debugging
logging device-id hostname
logging host outside 216.211.143.116
mtu inside 1500
mtu outside 1500
ip local pool coffeefest_pool 192.168.133.16-192.168.133.32 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) XXX.XXX.XXX.197 192.168.133.197 netmask 255.255.255.255
static (inside,outside) XXX.XXX.XXX.198 192.168.133.198 netmask 255.255.255.255
static (inside,outside) XXX.XXX.XXX.199 192.168.133.199 netmask 255.255.255.255
static (inside,outside) XXX.XXX.XXX.200 192.168.133.200 netmask 255.255.255.255
access-group outside_acl in interface outside
route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.193 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server tacacs protocol tacacs+
aaa-server tacacs (outside) host 216.211.143.68
 key 0b0bmlult
aaa authentication ssh console tacacs LOCAL
aaa authentication enable console tacacs LOCAL
aaa authentication http console tacacs LOCAL
http server enable
http 192.168.133.0 255.255.255.0 inside
http 216.211.143.64 255.255.255.192 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 66.208.251.193
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 28800
crypto isakmp nat-traversal  20
telnet timeout 5
ssh 216.211.143.64 255.255.255.192 outside
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
tftp-server outside 216.211.143.116 5753-FWL001
group-policy coffeefest_vpn internal
group-policy coffeefest_vpn attributes
 dns-server value 216.211.128.12 66.119.192.11
 vpn-session-timeout none
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value coffeefest_vpn_splitTunnelAcl
 default-domain value coffeefest.com
username palador password Tcn05BksapoGh4oq encrypted privilege 0
username palador attributes
 vpn-group-policy coffeefest_vpn
username adhostadm password SNuHaf3vLSQl9DfR encrypted privilege 15
tunnel-group coffeefest_vpn type ipsec-ra
tunnel-group coffeefest_vpn general-attributes
 address-pool coffeefest_pool
 default-group-policy coffeefest_vpn
tunnel-group coffeefest_vpn ipsec-attributes
 pre-shared-key *
tunnel-group 66.208.251.193 type ipsec-l2l
tunnel-group 66.208.251.193 ipsec-attributes
 pre-shared-key *
prompt hostname context
Cryptochecksum:2dea922083637b4704baefd9d073e9d0
: end


mabuarja
Level 1

Hi,

It seems that the ASA is sending the phase 1 proposal but not receiving a reply (waiting for message 2). To verify this, please collect captures at the ASA outside interface while triggering the tunnel (sending traffic through the tunnel):

access-list CAP permit ip host 66.208.251.193 host
access-list CAP permit ip host host 66.208.251.193
capture CAP interface outside access-list CAP

and send us the "show capture" output. If packets are not received from the remote firewall (Sonic), then they might be dropped by the ISP or an edge device, or not sent by the Sonic FW at all.

Regards,

Mohammad
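As an added example (not code from the original thread), the Python below pulls the Phase 1 stanza out of a running config like the one posted and classifies ASA IKEv1 debug lines like those in the question: an unencrypted NO_PROPOSAL_CHOSEN arriving while the ASA sits in MM_WAIT_MSG2 means the peer did answer main-mode message 1 and rejected the ISAKMP proposal, which is a different failure from the silent timeout the reply describes. The sample log and policy text are constructed, shortened copies of the lines in the question; the function names are the example's own.

```python
import re
# Constructed sample: three ASA IKEv1 debug lines in the shape of those in the question
SAMPLE_LOG = """\
Jul 26 11:22:40 [IKEv1]: IP = 66.208.251.193, Received an un-encrypted NO_PROPOSAL_CHOSEN notify message, dropping
Jul 26 11:22:48 [IKEv1]: IP = 66.208.251.193, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 148
Jul 26 11:23:04 [IKEv1 DEBUG]: IP = 66.208.251.193, IKE MM Initiator FSM error history (struct &0x3c6caf8)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY
"""
# Constructed sample of the Phase 1 stanza as it appears in the posted running config
SAMPLE_POLICY = """\
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 28800
"""
LINE_RE = re.compile(r"^\w{3} +\d+ [\d:]+ \[IKEv1[^\]]*\]: IP = (?P<peer>[\d.]+), (?P<msg>.*)$")

def parse_isakmp_policies(config):
    """Return {policy_number: {attribute: value}} for each 'crypto isakmp policy' stanza."""
    policies, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^crypto isakmp policy (\d+)$", line)
        if m:
            current = policies.setdefault(int(m.group(1)), {})
        elif current is not None and line.startswith(" "):   # indented sub-command
            key, _, value = line.strip().partition(" ")
            current[key] = value
        else:
            current = None                                    # stanza ended
    return policies

def diagnose_phase1(log):
    """Classify a failed IKEv1 main-mode attempt from ASA 'debug crypto isakmp' lines."""
    peers, resends, rejected, stuck_on_msg2 = set(), 0, False, False
    for raw in log.splitlines():
        m = LINE_RE.match(raw)
        if not m: continue                 # e.g. 'Pitcher:' lines carry no peer IP
        peers.add(m.group("peer"))
        msg = m.group("msg")
        if "IKE_DECODE RESENDING" in msg and "HDR + SA (1)" in msg:
            resends += 1                   # our MM1 (the SA proposal) being retransmitted
        rejected |= "un-encrypted NO_PROPOSAL_CHOSEN" in msg
        stuck_on_msg2 |= "MM_WAIT_MSG2" in msg
    # Unencrypted NO_PROPOSAL_CHOSEN while waiting for MM2: no isakmp policy matched the
    # peer's Phase 1 settings (encryption/hash/DH group/auth). Retransmits with no notify
    # at all point at reachability (UDP/500) instead, which is what a capture confirms.
    verdict = ("phase1-proposal-rejected" if rejected and stuck_on_msg2
               else "no-response" if resends and not rejected else "unknown")
    return {"peers": sorted(peers), "msg1_resends": resends, "verdict": verdict}
```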