Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

ASA 5510 9.x IOS and Avaya phone vpn issue

Hello,

womndering if anyine has some ideas how to solve this problem. I have asa 5510, runing ios ver 9.x and avaya phone that i need to esatblish vpn tunnel with asa.

THe regular Cisco vpn clients are all working fine.

The error message on teh ASA is:

Jul 22 2013 00:02:31: %ASA-7-713906: IP = 193.173.47.132, Connection landed on tunnel_group TG-PHONES

Jul 22 2013 00:02:31: %ASA-7-715047: Group = TG-PHONES, IP = 193.173.47.132, processing IKE SA payload

Jul 22 2013 00:02:35: %ASA-7-713236: IP = 193.173.47.132, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 96

Jul 22 2013 00:02:35: %ASA-7-713906: Group = TG-PHONES, IP = 193.173.47.132, All SA proposals found unacceptable

Jul 22 2013 00:02:35: %ASA-7-713906: IP = 193.173.47.132, All IKE SA proposals found unacceptable!

The error message on Avaya is:

IKE phase 1 no response

Firewall config related to vpn:

ASA Version 9.0(1)

!

ip local pool TGN_POOL 172.30.20.1-172.30.23.254 mask 255.255.252.0

!

interface Ethernet0/0

nameif outside

security-level 0

ip address 1.1.1.1 255.255.255.248

!

interface Red1

member-interface Ethernet0/2

member-interface Ethernet0/3

nameif inside

security-level 100

ip address 10.10.10.10 255.255.255.0

!

!

boot system disk0:/asa912-k8.bin

ftp mode passive

dns server-group DefaultDNS

domain-name prc.net

object network TGN-POOL

subnet 172.30.20.0 255.255.252.0

access-list ACL-PHONES standard permit 10.0.0.0 255.0.0.0

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec ikev2 ipsec-proposal DES

protocol esp encryption des

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal 3DES

protocol esp encryption 3des

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES

protocol esp encryption aes

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES192

protocol esp encryption aes-192

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES256

protocol esp encryption aes-256

protocol esp integrity sha-1 md5

crypto ipsec security-association pmtu-aging infinite

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto ikev2 policy 1

encryption aes-256

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 10

encryption aes-192

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 20

encryption aes

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 30

encryption 3des

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 40

encryption des

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 enable outside client-services port 443

crypto ikev1 enable outside

crypto ikev1 policy 1

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 10

authentication crack

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 20

authentication rsa-sig

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 30

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 40

authentication crack

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 50

authentication rsa-sig

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 70

authentication crack

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 80

authentication rsa-sig

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 90

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 100

authentication crack

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 110

authentication rsa-sig

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 130

authentication crack

encryption des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 140

authentication rsa-sig

encryption des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 150

authentication pre-share

encryption des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 65535

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 inside

ssh timeout 60

ssh version 2

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

enable outside

anyconnect-essentials

anyconnect image disk0:/anyconnect-win-2.4.1012-k9.pkg 1

anyconnect enable

group-policy TG-PHONES internal

group-policy TG-PHONES attributes

dns-server value 10.2.2.2 8.8.8.8

vpn-simultaneous-logins 3

vpn-idle-timeout 1440

vpn-session-timeout 14400

vpn-tunnel-protocol ikev1

group-lock value TG-PHONES

split-tunnel-policy tunnelspecified

split-tunnel-network-list value ACL-PHONES

default-domain value prc.net

vlan none

address-pools value TGN_POOL

tunnel-group TG-PHONES type remote-access

tunnel-group TG-PHONES general-attributes

address-pool TGN_POOL

authentication-server-group RADIUS

authentication-server-group (inside) LOCAL

default-group-policy TG-PHONES

tunnel-group TG-PHONES ipsec-attributes

ikev1 pre-shared-key *****

peer-id-validate nocheck

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect ip-options

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny 

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip 

  inspect xdmcp

!

==========================

Avaya phone setup:

Authentication type: PSK

IKE ID: TG-PHONES

PSK: xxxxx

IKE Ph1:

    IKE ID type: KEY_ID

    IKE Exchange Mode: Agressive

    IKE DH Group: 2

    IKE ENcryption Alg: 3DES

    IKE AUthentication algor: SHA-1

    IKE config mode: enabled

IKE Ph2:

    IPsec PFA DH Group:    2

    IPSec encryption algor: 3DES

    IPsec authentication algor: SHA-1

    Protected networks: 10.0.0.0/8

IKE over TCP: Never

============================

  • VPN
496
Views
0
Helpful
0
Replies
This widget could not be displayed.