Cisco Support Community

New Member

ASA 5520 can not establish IKE phase 2

Trying to establish VPN between two ASA5520

Got stuck at

ciscoasa# sh crypto isa sa

Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1 IKE Peer: 10.254.17.9
Type : user Role : initiator
Rekey : no State : MM_WAIT_MSG2

Looks like IKE phase 2 does not go through.

config1:

access-list 110 extended permit ip any any
route outside 0.0.0.0 0.0.0.0 10.254.17.9 1
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map mymap 10 match address 110
crypto map mymap 10 set peer 10.254.17.9
crypto map mymap 10 set transform-set myset
crypto map mymap interface outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
tunnel-group 10.254.17.9 type ipsec-l2l
tunnel-group 10.254.17.9 ipsec-attributes
pre-shared-key *

Config2:

access-list 110 extended permit ip any any
route outside 0.0.0.0 0.0.0.0 10.254.17.10 1
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map mymap 10 match address 110
crypto map mymap 10 set peer 10.254.17.10
crypto map mymap 10 set transform-set myset
crypto map mymap interface outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
tunnel-group 10.254.17.10 type ipsec-l2l
tunnel-group 10.254.17.10 ipsec-attributes
pre-shared-key *

I would appreciate any help..

12 REPLIES
Cisco Employee

Re: ASA 5520 can not establish IKE phase 2

You need "crypto isakmp enable outside" on the ASA's.

New Member

Re: ASA 5520 can not establish IKE phase 2

After I enabled isakmp on the outside interface, I get the following error in debug messages:

Jun 22 07:06:27 [IKEv1 DEBUG]: IP = 10.254.17.9, All SA proposals found unacceptable
Jun 22 07:06:27 [IKEv1]: IP = 10.254.17.9, Error processing payload: Payload ID: 1
Jun 22 07:06:27 [IKEv1 DEBUG]: IP = 10.254.17.9, IKE MM Initiator FSM error history (struct &0xc958f6c0) , : MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_PROCESS_MSG-->MM_WAIT_MSG2, EV_RCV_MSG-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_BLD_MSG1, EV_BLD_MSG1-->MM_BLD_MSG1, EV_CREATE_TMR
Jun 22 07:06:27 [IKEv1 DEBUG]: IP = 10.254.17.9, IKE SA MM:64292783 terminating: flags 0x01000022, refcnt 0, tuncnt 0
Jun 22 07:06:27 [IKEv1 DEBUG]: IP = 10.254.17.9, sending delete/delete with reason message
Jun 22 07:06:27 [IKEv1]: IP = 10.254.17.9, Removing peer from peer table failed, no match!
Jun 22 07:06:27 [IKEv1]: IP = 10.254.17.9, Error: Unable to remove PeerTblEntry
Jun 22 07:06:51 [IKEv1]: IP = 10.254.17.9, Invalid packet detected!

Cisco Employee

Re: ASA 5520 can not establish IKE phase 2

Make sure crypto isakmp enable outside is on both ASA's.

New Member

Re: ASA 5520 can not establish IKE phase 2

It is enabled on both ASA's.

What bothers me is this message:

Jun 22 07:53:44 [IKEv1 DEBUG]: IP = 10.254.17.9, All SA proposals found unacceptable
Jun 22 07:53:44 [IKEv1]: IP = 10.254.17.9, Error processing payload: Payload ID:1
Jun 22 07:54:16 [IKEv1]: IP = 10.254.17.9, Invalid packet detected!

Cisco Employee

Re: ASA 5520 can not establish IKE phase 2

Please can you post the entire debugs from both ASA's:

debug crypto isakmp 127
debug crypto ipsec 127

Attach the debug as text files.

Also, please change your IPSec crypto ACL (acl 110) to only include the internal subnets, and not any any.
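The two fixes recommended in this thread (enable ISAKMP on the interface the crypto map is bound to, and narrow the crypto ACL away from any/any), together with a check that both peers' phase 1 policies and transform-sets actually agree, as an added example. This is not code from the thread or from Cisco; it is a small Python lint over ASA config text. The "as posted" sample is a trimmed copy of config1 above; the "fixed" sample is a hypothetical corrected version whose inside subnets (192.168.10.0/24 and 192.168.20.0/24) are made up, and which replaces DES/MD5 with AES/SHA. The lint flags 3DES as well as DES, since both are deprecated, so the 3DES workaround that closed this thread would still be reported.

```python
"""Lint ASA IKEv1 site-to-site configs for the problems raised in this thread.
Added example, not the poster's or Cisco's code. Checks: ISAKMP enabled on the
crypto-map interface; crypto ACL not using 'any'; DES/3DES/MD5 flagged as weak;
and whether two peers' ISAKMP policies and transform-sets agree."""
import re

# Trimmed copy of config1 as posted (no 'crypto isakmp enable', any/any crypto ACL).
CONFIG_AS_POSTED = """\
access-list 110 extended permit ip any any
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map mymap 10 match address 110
crypto map mymap 10 set transform-set myset
crypto map mymap interface outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
tunnel-group 10.254.17.9 type ipsec-l2l
"""

# Hypothetical corrected version: inside subnets 192.168.10.0/24 and 192.168.20.0/24
# are made up for this example; AES/SHA replace DES/MD5; ISAKMP enabled on outside.
CONFIG_FIXED = """\
access-list 110 extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac
crypto map mymap 10 match address 110
crypto map mymap 10 set transform-set myset
crypto map mymap interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
tunnel-group 10.254.17.9 type ipsec-l2l
"""

WEAK = {"encryption": {"des", "3des"}, "hash": {"md5"}}
POLICY_ATTRS = ("authentication", "encryption", "hash", "group")


def parse_config(text):
    """Pull out only the statements the checks need; everything else is ignored."""
    cfg = {"isakmp_enabled": set(), "map_iface": None, "map_acl": None,
           "acls": {}, "transform": None, "policy": {}}
    policy = None  # id of the 'crypto isakmp policy' block we are inside, if any
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if m := re.match(r"crypto isakmp enable (\S+)$", line):
            cfg["isakmp_enabled"].add(m.group(1))
        elif m := re.match(r"crypto map \S+ interface (\S+)$", line):
            cfg["map_iface"] = m.group(1)
        elif m := re.match(r"crypto map \S+ \d+ match address (\S+)$", line):
            cfg["map_acl"] = m.group(1)
        elif m := re.match(r"access-list (\S+) extended permit \S+ (.+)$", line):
            cfg["acls"].setdefault(m.group(1), []).append(m.group(2).split())
        elif m := re.match(r"crypto ipsec transform-set \S+ (.+)$", line):
            cfg["transform"] = tuple(m.group(1).split())
        elif m := re.match(r"crypto isakmp policy (\d+)$", line):
            policy = m.group(1)
            cfg["policy"][policy] = {}
        elif policy and (m := re.match(r"(authentication|encryption|hash|group|lifetime) (\S+)$", line)):
            cfg["policy"][policy][m.group(1)] = m.group(2)
        else:
            policy = None  # any other top-level statement ends the policy block
    return cfg


def lint(cfg):
    """Single-device checks; returns a list of findings (empty means clean)."""
    findings = []
    iface = cfg["map_iface"]
    if iface and iface not in cfg["isakmp_enabled"]:
        findings.append(f"ISAKMP not enabled on {iface}: add 'crypto isakmp enable {iface}'")
    for ace in cfg["acls"].get(cfg["map_acl"], []):
        if "any" in ace:  # source or destination is 'any'
            findings.append(f"crypto ACL {cfg['map_acl']} uses 'any'; restrict it to the inside subnets")
    for pid, pol in cfg["policy"].items():
        for attr, weak in WEAK.items():
            if pol.get(attr) in weak:
                findings.append(f"isakmp policy {pid}: {attr} {pol[attr]} is weak/deprecated")
    if cfg["transform"] and {"esp-des", "esp-3des", "esp-md5-hmac"} & set(cfg["transform"]):
        findings.append("transform-set uses DES/3DES/MD5; prefer esp-aes-256 esp-sha-hmac")
    return findings


def compare_peers(a, b):
    """Cross-device checks: phase 1 needs one policy pair agreeing on auth/enc/hash/group,
    phase 2 needs the same transform-set on both sides."""
    mismatches = []
    agree = any(all(x.get(k) == y.get(k) for k in POLICY_ATTRS)
                for x in a["policy"].values() for y in b["policy"].values())
    if not agree:
        mismatches.append("no ISAKMP policy matches between peers (phase 1 will fail)")
    if a["transform"] != b["transform"]:
        mismatches.append("transform-sets differ (phase 2 will fail)")
    return mismatches
```

Running `lint(parse_config(CONFIG_AS_POSTED))` reports the missing `crypto isakmp enable outside`, the any/any crypto ACL and the DES/MD5 choices; the fixed sample comes back clean. `compare_peers` is the check that would have caught a one-sided cipher change: paste each ASA's config in and it tells you whether phase 1 or phase 2 can possibly agree before you start reading debugs.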

New Member

Re: ASA 5520 can not establish IKE phase 2

This is the output from one of the ASAs. Unfortunately, I have no access to the second right now.

Cisco Employee

Re: ASA 5520 can not establish IKE phase 2

We would need to see the debugs from the other side. This debug says that we sent a packet to the ASA, but never got a response back.
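How to read the state and debug lines posted earlier in this thread, as an added Python example that is not part of the thread. MM_WAIT_MSG2 is a phase 1 main-mode state: the initiator has sent its SA proposal (MSG1) and is waiting for the responder's reply, which is exactly what the reply above describes, so the tunnel is stuck in phase 1 rather than phase 2. "Error processing payload: Payload ID: 1" names the ISAKMP SA payload (RFC 2408 payload type 1), so "All SA proposals found unacceptable" is about the phase 1 ISAKMP policy, not the IPsec transform-set. The sample `show crypto isakmp sa` block and the three debug lines are copied from the posts above; the state table is the usual reading of the ASA main-mode states and is an interpretation aid, not ASA output.

```python
"""Read ASA IKEv1 state and debug output, as an added example (not from the thread).
parse_isakmp_sa() pulls peer/role/state out of 'show crypto isakmp sa';
explain_state() says which main-mode message that state is waiting for;
triage_debug() flags the proposal-mismatch signature in 'debug crypto isakmp'."""
import re

# Phase 1 main-mode states as shown by the ASA -> (what is awaited, usual cause when stuck).
# Interpretation aid written for this example, not ASA output.
MM_STATES = {
    "MM_WAIT_MSG2": ("responder's SA reply (MSG2)",
                     "peer never answered MSG1: ISAKMP not enabled on its interface, UDP/500 "
                     "blocked, or it found no acceptable ISAKMP policy"),
    "MM_WAIT_MSG3": ("initiator's KE/nonce (MSG3)", "initiator went silent after our SA reply"),
    "MM_WAIT_MSG4": ("responder's KE/nonce (MSG4)", "responder did not answer our KE/nonce"),
    "MM_WAIT_MSG5": ("initiator's ID/hash (MSG5)", "initiator did not send its identity"),
    "MM_WAIT_MSG6": ("responder's ID/hash (MSG6)", "pre-shared key mismatch is the usual cause"),
    "MM_ACTIVE": ("nothing, phase 1 is up", "if no traffic flows, look at phase 2: crypto ACL, transform-set"),
}

# ISAKMP payload types (RFC 2408 section 3.1); 'Payload ID: 1' in the debug is the SA payload.
ISAKMP_PAYLOADS = {1: "SA", 2: "Proposal", 3: "Transform", 4: "KE", 5: "ID", 6: "CERT",
                   7: "CERT_REQ", 8: "HASH", 9: "SIG", 10: "NONCE", 11: "Notification",
                   12: "Delete", 13: "Vendor ID"}

# Copied from the thread: the 'show crypto isa sa' peer block and three debug lines.
SHOW_SA = """\
1 IKE Peer: 10.254.17.9
Type : user Role : initiator
Rekey : no State : MM_WAIT_MSG2
"""
DEBUG_LINES = [
    "Jun 22 07:53:44 [IKEv1 DEBUG]: IP = 10.254.17.9, All SA proposals found unacceptable",
    "Jun 22 07:53:44 [IKEv1]: IP = 10.254.17.9, Error processing payload: Payload ID:1",
    "Jun 22 07:54:16 [IKEv1]: IP = 10.254.17.9, Invalid packet detected!",
]


def parse_isakmp_sa(text):
    """Return [(peer, role, state), ...] from 'show crypto isakmp sa' output."""
    sas, peer, role = [], None, None
    for line in text.splitlines():
        if m := re.search(r"IKE Peer:\s*(\S+)", line):
            peer = m.group(1)
        elif m := re.search(r"\bRole\s*:\s*(\w+)", line):
            role = m.group(1)
        elif m := re.search(r"\bState\s*:\s*(\w+)", line):
            sas.append((peer, role, m.group(1)))
    return sas


def explain_state(state):
    """Map an ISAKMP SA state to its phase, the message awaited and the usual cause."""
    awaited, cause = MM_STATES.get(state, ("unknown", "state not in table"))
    phase = "phase 1 (main mode)" if state.startswith("MM_") else "not a main-mode state"
    return {"state": state, "phase": phase, "waiting_for": awaited, "likely_cause": cause}


def triage_debug(lines):
    """Reduce the debug output to the few events worth acting on, in order."""
    events = []
    for line in lines:
        if "All SA proposals found unacceptable" in line:
            events.append("proposal mismatch: no proposal in the received SA payload matched our ISAKMP policy")
        elif m := re.search(r"Error processing payload: Payload ID:\s*(\d+)", line):
            pid = int(m.group(1))
            name = ISAKMP_PAYLOADS.get(pid, "unknown")
            hint = " (phase 1 policy: encryption/hash/group/auth/lifetime)" if pid == 1 else ""
            events.append(f"payload {pid} ({name}) rejected{hint}")
        elif "Invalid packet detected" in line:
            events.append("invalid packet: an IKE packet the ASA could not process; "
                          "check whether it arrived after the SA had been torn down")
    return events
```

`parse_isakmp_sa(SHOW_SA)` yields the peer 10.254.17.9 as initiator in MM_WAIT_MSG2, and `explain_state` on that tells you to look at the responder (ISAKMP enabled, reachability on UDP/500, policy match) rather than at the crypto map; `triage_debug(DEBUG_LINES)` turns the three lines into a proposal mismatch on the SA payload followed by a stray packet after the SA was torn down.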

New Member

Re: ASA 5520 can not establish IKE phase 2

I will be able to do it tomorrow. Thank you for your help!

New Member

Re: ASA 5520 can not establish IKE phase 2

This is debug from another peer

New Member

Re: ASA 5520 can not establish IKE phase 2

The issue is solved now. It is weird, I used 3des instead of des and the config worked just fine. Thank you

Re: ASA 5520 can not establish IKE phase 2

New Member

Re: ASA 5520 can not establish IKE phase 2

Unfortunately, it didn't help
