New Member

ASA site-to-site VPN error using Microsoft digital certificates.

Hi,

I configured a site-to-site tunnel between ASAs with the authentication type set to RSA-SIG for Phase 1. I got manual certificates from a Microsoft CA server but am not able to form the tunnel. I badly need someone's help on this issue.

ASA1 Config:
----------------------
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication rsa-sig
 encryption 3des
 hash sha
 group 1
 lifetime 86400
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
tunnel-group 200.160.126.30 type ipsec-l2l
tunnel-group 200.160.126.30 ipsec-attributes
 peer-id-validate cert
 trust-point CA1
crypto map outside_map 1 match address vpn
crypto map outside_map 1 set peer 200.160.126.30
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set trustpoint CA1
crypto map outside_map interface outside
access-list vpn extended permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto ca trustpoint CA1
 enrollment terminal
 fqdn asa1.cisco.com
 keypair my.ca.key
 crl configure

ASA-2 Config:
--------------------
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication rsa-sig
 encryption 3des
 hash sha
 group 1
 lifetime 86400
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address vpn
crypto map outside_map 1 set peer 59.160.128.50
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set trustpoint CA1
crypto map outside_map interface outside
tunnel-group 59.160.128.50 type ipsec-l2l
tunnel-group 59.160.128.50 ipsec-attributes
 peer-id-validate cert
 trust-point CA1
access-list vpn extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
crypto ca trustpoint CA1
 enrollment terminal
 fqdn asa2.cisco.com
 keypair my.ca.key
 crl configure

Debug Output:

----------------------------

%ASA-7-609001: Built local-host outside:192.168.1.10

%ASA-7-609002: Teardown local-host inside:172.16.1.10 duration 0:00:00

%ASA-7-609002: Teardown local-host outside:192.168.1.10 duration 0:00:00

%ASA-7-715077: Pitcher: received a key acquire message, spi 0x0

%ASA-5-713041: IP = 59.160.128.50, IKE Initiator: New Phase 1, Intf inside, IKE Peer 59.160.128.50  local Proxy Address 172.16.1.0, remote Proxy Address 192.168.1.0,  Crypto map (outside_map)

%ASA-7-715046: IP = 59.160.128.50, constructing ISAKMP SA payload

%ASA-7-715046: IP = 59.160.128.50, constructing Fragmentation VID + extended capabilities payload

%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108

%ASA-7-609001: Built local-host NP Identity Ifc:200.160.126.30

%ASA-7-609001: Built local-host outside:59.160.128.50

%ASA-6-302015: Built outbound UDP connection 122 for outside:59.160.128.50/500 (59.160.128.50/500) to NP Identity Ifc:200.160.126.30/500 (200.160.126.30/500)

%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108

%ASA-7-715047: IP = 59.160.128.50, processing SA payload

%ASA-7-713906: IP = 59.160.128.50, Oakley proposal is acceptable

%ASA-7-715047: IP = 59.160.128.50, processing VID payload

%ASA-7-715049: IP = 59.160.128.50, Received Fragmentation VID

%ASA-7-715064: IP = 59.160.128.50, IKE Peer included IKE fragmentation capability flags:  Main Mode:        True  Aggressive Mode:  True

%ASA-7-715046: IP = 59.160.128.50, constructing ke payload

%ASA-7-715046: IP = 59.160.128.50, constructing nonce payload

%ASA-7-715046: IP = 59.160.128.50, constructing certreq payload

%ASA-7-715046: IP = 59.160.128.50, constructing Cisco Unity VID payload

%ASA-7-715046: IP = 59.160.128.50, constructing xauth V6 VID payload

%ASA-7-715048: IP = 59.160.128.50, Send IOS VID

%ASA-7-715038: IP = 59.160.128.50, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)

%ASA-7-715046: IP = 59.160.128.50, constructing VID payload

%ASA-7-715048: IP = 59.160.128.50, Send Altiga/Cisco VPN3000/Cisco ASA GW VID

%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + CERT_REQ (7) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 322

%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + CERT_REQ (7) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 322

%ASA-7-715047: IP = 59.160.128.50, processing ke payload

%ASA-7-715047: IP = 59.160.128.50, processing ISA_KE payload

%ASA-7-715047: IP = 59.160.128.50, processing nonce payload

%ASA-7-715047: IP = 59.160.128.50, processing cert request payload

%ASA-7-715047: IP = 59.160.128.50, processing VID payload

%ASA-7-715049: IP = 59.160.128.50, Received Cisco Unity client VID

%ASA-7-715047: IP = 59.160.128.50, processing VID payload

%ASA-7-715049: IP = 59.160.128.50, Received xauth V6 VID

%ASA-7-715047: IP = 59.160.128.50, processing VID payload

%ASA-7-715038: IP = 59.160.128.50, Processing VPN3000/ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)

%ASA-7-715047: IP = 59.160.128.50, processing VID payload

%ASA-7-715049: IP = 59.160.128.50, Received Altiga/Cisco VPN3000/Cisco ASA GW VID

%ASA-7-713906: IP = 59.160.128.50, Generating keys for Initiator...

%ASA-7-715046: IP = 59.160.128.50, constructing ID payload

%ASA-7-715046: IP = 59.160.128.50, constructing cert payload

%ASA-7-715001: IP = 59.160.128.50, constructing RSA signature

%ASA-7-715076: IP = 59.160.128.50, Computing hash for ISAKMP

%ASA-7-713906: Constructed Signature Len: 128

%ASA-7-713906: Constructed Signature:

0000: 4FB66432 FCA9DA52 5420E6C1 DF8293AC     O.d2...RT ......

0010: DE3533F1 7036E5C8 40B11A9D 5C68C884     .53.p6..@...\h..

0020: D4BCA531 BAE87710 09D1AD06 7994CD1B     ...1..w.....y...

0030: DCEDB9CE E971F21B 0104C06A 1901FACE     .....q.....j....

0040: D1E8AED1 7684DFDA 40E98BC2 E195F3C8     ....v...@.......

0050: 3625E936 E35F47A3 F44BC326 62E99135     6%.6._G..K.&b..5

0060: 88EB90FF 10938CC3 0FFAA576 A9DBD9AD     ...........v....

0070: 65592C71 5A13C4C5 8EBA60F6

%ASA-7-715034: IP = 59.160.128.50, Constructing IOS keep alive payload: proposal=32767/32767 sec.

%ASA-7-715046: IP = 59.160.128.50, constructing dpd vid payload

%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + CERT (6) + SIG (9) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 1668

%ASA-7-609001: Built local-host inside:172.16.1.10

%ASA-7-609001: Built local-host outside:192.168.1.10

%ASA-7-609002: Teardown local-host inside:172.16.1.10 duration 0:00:00

%ASA-7-609002: Teardown local-host outside:192.168.1.10 duration 0:00:00

%ASA-7-715077: Pitcher: received a key acquire message, spi 0x0

%ASA-6-713219: IP = 59.160.128.50, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.

%ASA-7-609001: Built local-host inside:172.16.1.10

%ASA-7-609001: Built local-host outside:192.168.1.10

%ASA-7-609002: Teardown local-host inside:172.16.1.10 duration 0:00:00

%ASA-7-609002: Teardown local-host outside:192.168.1.10 duration 0:00:00

%ASA-7-715077: Pitcher: received a key acquire message, spi 0x0

%ASA-6-713219: IP = 59.160.128.50, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.

%ASA-7-609001: Built local-host inside:172.16.1.10

%ASA-7-609001: Built local-host outside:192.168.1.10

%ASA-7-609002: Teardown local-host inside:172.16.1.10 duration 0:00:00

%ASA-7-609002: Teardown local-host outside:192.168.1.10 duration 0:00:00

%ASA-7-715077: Pitcher: received a key acquire message, spi 0x0

%ASA-6-713219: IP = 59.160.128.50, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.

%ASA-7-609001: Built local-host inside:172.16.1.10

%ASA-7-609001: Built local-host outside:192.168.1.10

%ASA-7-609002: Teardown local-host inside:172.16.1.10 duration 0:00:00

%ASA-7-609002: Teardown local-host outside:192.168.1.10 duration 0:00:00

%ASA-7-715077: Pitcher: received a key acquire message, spi 0x0

%ASA-6-713219: IP = 59.160.128.50, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.

%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68

%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68

%ASA-5-713904: IP = 59.160.128.50, Received an un-encrypted INVALID_COOKIE notify message, dropping

%ASA-4-713903: IP = 59.160.128.50, Information Exchange processing failed

%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68

%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68

%ASA-5-713904: IP = 59.160.128.50, Received an un-encrypted INVALID_COOKIE notify message, dropping

%ASA-4-713903: IP = 59.160.128.50, Information Exchange processing failed

%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68

%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68

%ASA-5-713904: IP = 59.160.128.50, Received an un-encrypted INVALID_COOKIE notify message, dropping

%ASA-4-713903: IP = 59.160.128.50, Information Exchange processing failed

%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68

%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68

%ASA-5-713904: IP = 59.160.128.50, Received an un-encrypted INVALID_COOKIE notify message, dropping

%ASA-4-713903: IP = 59.160.128.50, Information Exchange processing failed

%ASA-7-609001: Built local-host inside:172.16.1.10

%ASA-7-609001: Built local-host outside:192.168.1.10

%ASA-7-609002: Teardown local-host inside:172.16.1.10 duration 0:00:00

%ASA-7-609002: Teardown local-host outside:192.168.1.10 duration 0:00:00

%ASA-7-715077: Pitcher: received a key acquire message, spi 0x0

%ASA-6-713219: IP = 59.160.128.50, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.

%ASA-7-609001: Built local-host inside:172.16.1.10

%ASA-7-609001: Built local-host outside:192.168.1.10

%ASA-7-609002: Teardown local-host inside:172.16.1.10 duration 0:00:00

%ASA-7-609002: Teardown local-host outside:192.168.1.10 duration 0:00:00

%ASA-7-715077: Pitcher: received a key acquire message, spi 0x0

%ASA-6-713219: IP = 59.160.128.50, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.

%ASA-7-609001: Built local-host inside:172.16.1.10

%ASA-7-609001: Built local-host outside:192.168.1.10

%ASA-7-609002: Teardown local-host inside:172.16.1.10 duration 0:00:00

%ASA-7-609002: Teardown local-host outside:192.168.1.10 duration 0:00:00

%ASA-7-715077: Pitcher: received a key acquire message, spi 0x0

%ASA-6-713219: IP = 59.160.128.50, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.

%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68

%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68

%ASA-5-713904: IP = 59.160.128.50, Received an un-encrypted INVALID_COOKIE notify message, dropping

%ASA-4-713903: IP = 59.160.128.50, Information Exchange processing failed

%ASA-7-609001: Built local-host inside:172.16.1.10

%ASA-7-609001: Built local-host outside:192.168.1.10

%ASA-7-609002: Teardown local-host inside:172.16.1.10 duration 0:00:00

%ASA-7-609002: Teardown local-host outside:192.168.1.10 duration 0:00:00

%ASA-7-715077: Pitcher: received a key acquire message, spi 0x0

%ASA-6-713219: IP = 59.160.128.50, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.

%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68

%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68

%ASA-5-713904: IP = 59.160.128.50, Received an un-encrypted INVALID_COOKIE notify message, dropping

%ASA-4-713903: IP = 59.160.128.50, Information Exchange processing failed

%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68

%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68

%ASA-5-713904: IP = 59.160.128.50, Received an un-encrypted INVALID_COOKIE notify message, dropping

%ASA-4-713903: IP = 59.160.128.50, Information Exchange processing failed

%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68

%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68

%ASA-5-713904: IP = 59.160.128.50, Received an un-encrypted INVALID_COOKIE notify message, dropping

%ASA-4-713903: IP = 59.160.128.50, Information Exchange processing failed

%ASA-7-609001: Built local-host inside:172.16.1.10

%ASA-7-609001: Built local-host outside:192.168.1.10

%ASA-7-609002: Teardown local-host inside:172.16.1.10 duration 0:00:00

%ASA-7-609002: Teardown local-host outside:192.168.1.10 duration 0:00:00

%ASA-7-715077: Pitcher: received a key acquire message, spi 0x0

%ASA-6-713219: IP = 59.160.128.50, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.

%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68

%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68

%ASA-5-713904: IP = 59.160.128.50, Received an un-encrypted INVALID_COOKIE notify message, dropping

%ASA-4-713903: IP = 59.160.128.50, Information Exchange processing failed

%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68

%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68

%ASA-5-713904: IP = 59.160.128.50, Received an un-encrypted INVALID_COOKIE notify message, dropping

%ASA-4-713903: IP = 59.160.128.50, Information Exchange processing failed

%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68

%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68

%ASA-5-713904: IP = 59.160.128.50, Received an un-encrypted INVALID_COOKIE notify message, dropping

%ASA-4-713903: IP = 59.160.128.50, Information Exchange processing failed

%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68

%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68

%ASA-5-713904: IP = 59.160.128.50, Received an un-encrypted INVALID_COOKIE notify message, dropping

%ASA-4-713903: IP = 59.160.128.50, Information Exchange processing failed

%ASA-7-715065: IP = 59.160.128.50, IKE MM Initiator FSM error history (struct &0xd8a30d08)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG6, EV_PROB_AUTH_FAIL-->MM_WAIT_MSG6, EV_TIMEOUT-->MM_WAIT_MSG6, NullEvent-->MM_SND_MSG5, EV_SND_MSG-->MM_SND_MSG5, EV_START_TMR-->MM_SND_MSG5, EV_RESEND_MSG-->MM_WAIT_MSG6, EV_TIMEOUT

%ASA-7-713906: IP = 59.160.128.50, IKE SA MM:f2cbbafa terminating:  flags 0x0100c022, refcnt 0, tuncnt 0

%ASA-7-713906: IP = 59.160.128.50, sending delete/delete with reason message

%ASA-7-715046: IP = 59.160.128.50, constructing blank hash payload

%ASA-7-715046: IP = 59.160.128.50, constructing IKE delete payload

%ASA-7-715046: IP = 59.160.128.50, constructing qm hash payload

%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE SENDING Message (msgid=372e03ac) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80

%ASA-3-713902: IP = 59.160.128.50, Removing peer from peer table failed, no match!

%ASA-4-713903: IP = 59.160.128.50, Error: Unable to remove PeerTblEntry

Kindly suggest further steps.

Regards,

Mon
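As an added example, not part of the original post and not Cisco tooling, the following Python script parses the two configurations posted above and reports the checks a reviewer would run on them: weak IKEv1 policy settings (DH group 1, 3DES, SHA-1), the interaction between "crypto isakmp identity address" and certificate authentication, a trustpoint with no explicit revocation-check, crypto map versus tunnel-group consistency, and whether the two crypto ACLs mirror each other. The parser is a minimal one written for this example and only understands the command forms that appear in the post; the ASA2 text is derived from ASA1 by substituting the addresses, FQDN and ACL so that it matches the posted ASA-2 configuration. None of the findings is, by itself, proof of why the tunnel in the debug fails.

```python
# Added example, not from the post: lint the two posted ASA IKEv1 configurations
# for weak crypto, identity/certificate interaction and cross-device consistency.
import re
from ipaddress import ip_network
ACL_RE = re.compile(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)")

# Sample input: the ASA1 configuration as posted above (the parser ignores indentation);
# ASA2 is derived from it and is the same as the posted ASA-2 configuration.
ASA1 = """\
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication rsa-sig
 encryption 3des
 hash sha
 group 1
 lifetime 86400
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
tunnel-group 200.160.126.30 type ipsec-l2l
tunnel-group 200.160.126.30 ipsec-attributes
 peer-id-validate cert
 trust-point CA1
crypto map outside_map 1 match address vpn
crypto map outside_map 1 set peer 200.160.126.30
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set trustpoint CA1
crypto map outside_map interface outside
access-list vpn extended permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto ca trustpoint CA1
 enrollment terminal
 fqdn asa1.cisco.com
 keypair my.ca.key
 crl configure
"""
ASA2 = (ASA1.replace("200.160.126.30", "59.160.128.50").replace("asa1.cisco.com", "asa2.cisco.com")
        .replace("172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0",
                 "192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0"))

def parse(config):
    # Top-level commands open a sub-mode "block"; lines that are not top-level are stored in it.
    cfg = {"identity": None, "policies": {}, "tunnel_groups": {}, "trustpoints": {}, "maps": {}, "acls": {}}
    block = None
    for raw in config.splitlines():
        w = raw.split()
        if not w:
            continue
        line = " ".join(w)
        if line.startswith(("crypto ", "tunnel-group ", "access-list ")):
            block = None                                     # any top-level command ends the current block
        if line.startswith("crypto isakmp policy "):
            block = cfg["policies"].setdefault(w[3], {})
        elif line.startswith("crypto isakmp identity "):
            cfg["identity"] = w[3]
        elif line.startswith("crypto ca trustpoint "):
            block = cfg["trustpoints"].setdefault(w[3], {})
        elif line.startswith("tunnel-group ") and w[2] == "type":
            cfg["tunnel_groups"].setdefault(w[1], {})["type"] = w[3]
        elif line.startswith("tunnel-group "):              # ipsec-attributes / general-attributes sub-mode
            block = cfg["tunnel_groups"].setdefault(w[1], {})
        elif line.startswith("crypto map ") and w[3].isdigit():
            entry = cfg["maps"].setdefault((w[2], int(w[3])), {})
            entry["acl" if w[4] == "match" else w[5]] = w[6]   # "match address X" or "set <key> <value>"
        elif (m := ACL_RE.match(line)):
            cfg["acls"].setdefault(m[1], []).append((ip_network(f"{m[2]}/{m[3]}"), ip_network(f"{m[4]}/{m[5]}")))
        elif block is not None:
            block[w[0]] = " ".join(w[1:])
    return cfg

def lint(cfg, label):
    f = []
    for seq, p in cfg["policies"].items():
        if int(p.get("group", "2")) < 14:
            f.append(f"{label}: policy {seq} DH group {p.get('group', '2')} is below 2048-bit (use 14 or higher)")
        if p.get("encryption") in {"des", "3des"}:
            f.append(f"{label}: policy {seq} encryption {p['encryption']} is deprecated (prefer AES)")
        if p.get("hash") in {"md5", "sha"}:              # "sha" is SHA-1 in ASA IKEv1 policy syntax
            f.append(f"{label}: policy {seq} hash {p['hash']} is MD5/SHA-1 (prefer SHA-2)")
    if cfg["identity"] == "address" and any(p.get("authentication") == "rsa-sig" for p in cfg["policies"].values()):
        f.append(f"{label}: rsa-sig with 'crypto isakmp identity address' sends the IP as the IKE ID, so the peer's "
                 "certificate must carry that IP for ID validation; 'identity auto' uses the certificate DN")
    for name, tp in cfg["trustpoints"].items():
        if "revocation-check" not in tp:
            f.append(f"{label}: trustpoint {name} sets no explicit revocation-check")
    for (mapname, seq), e in cfg["maps"].items():
        tg = cfg["tunnel_groups"].get(e.get("peer"), {})
        if tg.get("type") != "ipsec-l2l":
            f.append(f"{label}: crypto map {mapname} {seq} peer {e.get('peer')} has no ipsec-l2l tunnel-group")
        elif tg.get("trust-point") != e.get("trustpoint"):
            f.append(f"{label}: crypto map {mapname} {seq} trustpoint differs from the tunnel-group trust-point")
        if e.get("acl") not in cfg["acls"]:
            f.append(f"{label}: crypto map {mapname} {seq} references missing ACL {e.get('acl')}")
    return f

def mirrored(cfg_a, cfg_b):
    # True when every proxy-ID pair (src, dst) selected on A appears reversed on B, and vice versa.
    def proxy_ids(cfg):
        return {pair for e in cfg["maps"].values() for pair in cfg["acls"].get(e.get("acl"), [])}
    return {(d, s) for s, d in proxy_ids(cfg_a)} == proxy_ids(cfg_b)
```

Calling lint(parse(ASA1), "ASA1") returns five findings (DH group 1, 3DES, SHA-1, identity address with rsa-sig, no explicit revocation-check) and no consistency findings; mirrored(parse(ASA1), parse(ASA2)) is True, so the proxy IDs are not the problem. The identity finding is the one to verify first on a certificate-authenticated tunnel: with "identity address" the ID payload carries the IP, and "peer-id-validate cert" only checks the ID when the certificate has a matching field, so unless the certificates carry the IP the ID is not tied to the certificate at all.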

2 REPLIES
Cisco Employee


Hi Mate,

Your ASA is sending the ASA certificate:

but after that we are receiving an ISAKMP notify message which tears down the connection?

Somehow the remote peer didn't like the ASA certificate.

Do you have access to that peer? Is it a Cisco ASA?

Is the time synchronized with that side?

Is the CA certificate installed on that peer?

HTH

Mohammad.
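The reply above reads the debug as "certificate sent, then a notify came back". As an added example, not part of the original post or reply, this Python script parses the initiator-side debug lines from the opening post and reports the point at which main mode stopped, the unauthenticated INVALID_COOKIE notifies the ASA dropped, and the EV_PROB_AUTH_FAIL event in the FSM history. SAMPLE_DEBUG is excerpted from the post with the repeated KEY-ACQUIRE and notify blocks condensed; the message naming (MM1 to MM6) follows the IKEv1 main-mode exchange, and the next steps it suggests (responder-side "debug crypto isakmp 127" and "debug crypto ca", checking that the 1668-byte MM5 arrives intact) are this example's, not the original reply's.

```python
# Added example, not from the post: walk the initiator-side "debug crypto isakmp"
# output above and report where the IKEv1 main-mode exchange stopped.
import re

# Sample input: lines excerpted from the debug output in the opening post; the repeated
# KEY-ACQUIRE / notify blocks are condensed to two INVALID_COOKIE drops.
SAMPLE_DEBUG = """\
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
%ASA-6-302015: Built outbound UDP connection 122 for outside:59.160.128.50/500 (59.160.128.50/500) to NP Identity Ifc:200.160.126.30/500 (200.160.126.30/500)
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
%ASA-7-713906: IP = 59.160.128.50, Oakley proposal is acceptable
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + CERT_REQ (7) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 322
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + CERT_REQ (7) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 322
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + CERT (6) + SIG (9) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 1668
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
%ASA-5-713904: IP = 59.160.128.50, Received an un-encrypted INVALID_COOKIE notify message, dropping
%ASA-4-713903: IP = 59.160.128.50, Information Exchange processing failed
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
%ASA-5-713904: IP = 59.160.128.50, Received an un-encrypted INVALID_COOKIE notify message, dropping
%ASA-7-715065: IP = 59.160.128.50, IKE MM Initiator FSM error history (struct &0xd8a30d08)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG6, EV_PROB_AUTH_FAIL-->MM_WAIT_MSG6, EV_TIMEOUT-->MM_WAIT_MSG6, NullEvent-->MM_SND_MSG5, EV_SND_MSG-->MM_SND_MSG5, EV_START_TMR-->MM_SND_MSG5, EV_RESEND_MSG-->MM_WAIT_MSG6, EV_TIMEOUT
%ASA-7-713236: IP = 59.160.128.50, IKE_DECODE SENDING Message (msgid=372e03ac) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
"""

MSG_RE = re.compile(r"IKE_DECODE (SENDING|RECEIVED) Message \(msgid=(\w+)\) with payloads : (.*?) total length : (\d+)")
FSM_RE = re.compile(r"IKE MM (Initiator|Responder) FSM error history .*?<state>, <event>:\s*(.*)$")
CONN_RE = re.compile(r"Built outbound UDP connection \d+ for \S+?:([\d.]+)/\d+ .* to .*?:([\d.]+)/\d+")

def payload_names(text):
    # "HDR + SA (1) + VENDOR (13) + NONE (0)" -> ["SA", "VENDOR"]
    names = [p.strip().split(" (")[0] for p in text.split("+")]
    return [n for n in names if n not in ("HDR", "NONE")]

def classify(payloads, direction, role):
    # Name a main-mode message (MM1..MM6) from its payloads and which side logged it.
    if "NOTIFY" in payloads and "ID" not in payloads:
        return "NOTIFY"
    base = 1 if "SA" in payloads else 3 if "KE" in payloads else 5 if "ID" in payloads else None
    if base is None:
        return "OTHER"                       # e.g. the HASH + DELETE informational message
    # the initiator sends the odd-numbered messages, the responder the even-numbered ones
    return f"MM{base}" if (direction == "SENDING") == (role == "Initiator") else f"MM{base + 1}"

def analyse(debug_text):
    raw, fsm, drops, local, peer, role = [], [], 0, None, None, "Initiator"
    for line in debug_text.splitlines():
        if (m := MSG_RE.search(line)):
            raw.append((m[1], payload_names(m[3]), int(m[4])))
        elif "INVALID_COOKIE notify message, dropping" in line:
            drops += 1
        elif (m := CONN_RE.search(line)):
            peer, local = m[1], m[2]
        elif (m := FSM_RE.search(line)):
            role = m[1]
            fsm = [tuple(step.split(", ")) for step in m[2].split("-->")]   # (state, event) pairs
    msgs = [(d, classify(p, d, role), n) for d, p, n in raw]
    handshake = [mm for _d, mm, _n in msgs if mm.startswith("MM")]
    last_sent = max((mm for d, mm, _n in msgs if d == "SENDING" and mm.startswith("MM")), default=None)
    expected = f"MM{int(last_sent[2:]) + 1}" if last_sent else None
    return {
        "role": role, "local": local, "peer": peer, "handshake": handshake,
        "last_sent": last_sent, "expected_reply": expected, "reply_seen": expected in handshake,
        "invalid_cookie_drops": drops,
        "probable_auth_fail": any(ev == "EV_PROB_AUTH_FAIL" for _st, ev in fsm),
        "mm5_bytes": next((n for d, mm, n in msgs if d == "SENDING" and mm == "MM5"), None),
    }

def next_steps(r):
    # The checks this example suggests from the report (added here, not from the original reply).
    steps = []
    if r["last_sent"] == "MM5" and not r["reply_seen"]:
        steps.append("MM5 (ID + CERT + SIG) was sent but no MM6 arrived: the decision was made on the responder, "
                     "so collect 'debug crypto isakmp 127' and 'debug crypto ca' there")
    if r["invalid_cookie_drops"]:
        steps.append(f"{r['invalid_cookie_drops']} unencrypted INVALID_COOKIE notifies dropped: the peer has no "
                     "ISAKMP SA for our cookies, and the ASA ignores unauthenticated notifies, so the reason is only in its debug")
    if r["mm5_bytes"] and r["mm5_bytes"] > 1400:
        steps.append(f"MM5 is {r['mm5_bytes']} bytes: confirm its UDP/500 fragments (or IKE fragments) reach the peer")
    return steps
```

analyse(SAMPLE_DEBUG) reports a handshake of MM1 through MM5, last_sent MM5 with no MM6 seen, two dropped INVALID_COOKIE notifies, probable_auth_fail True and a 1668-byte MM5; the local and peer addresses it extracts from the 302015 line (200.160.126.30 and 59.160.128.50) are worth comparing against the "set peer" and tunnel-group names in whichever of the two posted configurations the debug was taken from. The point of the script is that an initiator-side debug cannot show why the responder rejected the certificate, only that it did, so the next capture has to come from the other ASA.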

New Member


Hi,

Thank you for the response.

Yes, both ASAs have the same time sync with my corporate Microsoft CA server.

And yes, the remote end is also a Cisco ASA, and it has the certificate from the corporate Microsoft CA server.

Regards,

Mon
