Cisco Support Community

New Member

Cannot finish "phase 2" while establishing site-to-site VPN tunnel.

I'm trying to establish a site-to-site VPN tunnel between a Cisco 1921 and an ASA.

I'm debugging using:

debug crypto isakmp

debug crypto ipsec

No debug messages are coming up on the 1921.

The following debug message keeps coming up on the ASA:

Jan 15 16:42:55 [IKEv1]: Group = 184.1.126.140, IP = 184.1.126.140, construct_ipsec_delete(): No SPI to identify Phase 2 SA!

ASA config: http://pastebin.com/raw.php?i=wgTxe3gF

1921 config: http://pastebin.com/raw.php?i=TEihijEF

Why won't the two establish a VPN tunnel?

8 REPLIES

Cannot finish "phase 2" while establishing site-to-site VPN tunn

Add the transform set on the router

crypto map SDM_CMAP_1 1 ipsec-isakmp
  set transform-set ESP-3DES-SHA

Also run a debug cry ipsec and post the results

Cannot finish "phase 2" while establishing site-to-site VPN tunn

We really need to see more of the debug. If that is all there is, can you add

debug cry isa 127

and post?

New Member

Re: Cannot finish "phase 2" while establishing site-to-site VPN

Here's the debug cry isa 127 and debug cry ipsec results for the ASA:

http://pastebin.com/raw.php?i=0DWVNdXc

There doesn't appear to be any debug result output for the 1921.

Re: Cannot finish "phase 2" while establishing site-to-site VPN

Thanks for the debug. What is the state in a show cry isa sa? If it's blank, please try the tunnel again and then run the command.

New Member

Re: Cannot finish "phase 2" while establishing site-to-site VPN

ASA:

VMON-ASA# show crypto isakmp sa

   Active SA: 4
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 4

1   IKE Peer: 184.1.116.218
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
2   IKE Peer: 199.111.175.5
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
3   IKE Peer: 184.0.251.78
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
4   IKE Peer: 184.1.126.140
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE

1921:

PG-1921#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
184.1.126.140  199.111.175.5   QM_IDLE           4359 ACTIVE
184.1.96.42    184.1.126.140  MM_NO_STATE       4677 ACTIVE (deleted)
211.232.113.52  184.1.126.140  MM_NO_STATE          0 ACTIVE
184.1.126.140  184.1.96.42    CONF_XAUTH        4679 ACTIVE
184.1.126.140  184.1.96.42    MM_NO_STATE       4678 ACTIVE (deleted)
184.1.126.140  184.71.109.110  QM_IDLE           4594 ACTIVE
184.1.116.218  184.1.126.140  QM_IDLE           5047 ACTIVE

Note:

WAN IP of ASA:

184.1.96.42

WAN IP of 1921:

184.1.126.140

Re: Cannot finish "phase 2" while establishing site-to-site VPN

It's very strange that the ASA shows the tunnel up, but the router does not. It looks like the router is expecting authentication.

Can you add-

crypto isakmp key  address 184.1.96.42 no-xauth

Can you debug isakmp and ipsec on the router and post it?

New Member

Cannot finish "phase 2" while establishing site-to-site VPN tunn

After adding this line, the tunnel came up, and has been reliably up ever since. Thank you!

Cannot finish "phase 2" while establishing site-to-site VPN tunn

Sweet. Glad to hear it's working.
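
An added example, not part of the original thread: a small Python parser for the IOS `show crypto isakmp sa` table posted above that classifies the phase 1 state toward one peer, so a site-to-site peer sitting in CONF_XAUTH (the condition the accepted answer addressed with `no-xauth`) stands out. The function names and result labels are assumptions made for this example; the sample text is the 1921 output quoted in the thread.

```python
import re

# The 1921 output posted in the thread, embedded so the example runs offline.
SAMPLE = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
184.1.126.140  199.111.175.5   QM_IDLE           4359 ACTIVE
184.1.96.42    184.1.126.140  MM_NO_STATE       4677 ACTIVE (deleted)
211.232.113.52  184.1.126.140  MM_NO_STATE          0 ACTIVE
184.1.126.140  184.1.96.42    CONF_XAUTH        4679 ACTIVE
184.1.126.140  184.1.96.42    MM_NO_STATE       4678 ACTIVE (deleted)
184.1.126.140  184.71.109.110  QM_IDLE           4594 ACTIVE
184.1.116.218  184.1.126.140  QM_IDLE           5047 ACTIVE
"""

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
ROW = re.compile(rf"^({IP})\s+({IP})\s+(\S+)\s+(\d+)\s+(.+)$")

def parse_isakmp_sa(text):
    """Return one dict per SA row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            dst, src, state, conn_id, status = m.groups()
            rows.append({"dst": dst, "src": src, "state": state,
                         "conn_id": int(conn_id), "status": status})
    return rows

def diagnose_peer(rows, local_ip, peer_ip):
    """Classify phase 1 toward peer_ip, ignoring SAs already marked deleted."""
    live = [r["state"] for r in rows
            if {r["dst"], r["src"]} == {local_ip, peer_ip}
            and "deleted" not in r["status"]]
    if "QM_IDLE" in live:
        return "phase1-complete"      # ISAKMP SA established and idle
    if "CONF_XAUTH" in live:
        return "waiting-for-xauth"    # router expects extended authentication
    if live:
        return "phase1-incomplete"    # e.g. MM_NO_STATE only
    return "no-sa"

if __name__ == "__main__":
    rows = parse_isakmp_sa(SAMPLE)
    for peer in ("184.1.96.42", "184.1.116.218", "211.232.113.52"):
        print(peer, diagnose_peer(rows, "184.1.126.140", peer))
```
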
