Dynamic to Static IPSec with Certificate Authentication

garyshanes (Level 1)

I'm trying to set up a dynamic-to-static LAN2LAN VPN from an ASA 5505 (with a dynamic IP) to an ASA 5520 (with a static IP).
I'd like to have a small (/30) network on the dynamic side that I can connect to a larger (/24) network on the static side.
I'm also trying to use identity certificates for the authentication.

I generated a root CA, and intermediate CA, signed the intermediate CA with the root CA, and then created identity CAs for
the ASAs, and signed them with the intermediate CA using OpenSSL, and imported them to a trustpoint

I tried using the instructions at:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080930f21.shtml
to set up the certificates (replacing MS with OpenSSL) and using the instructions at:

I then tried to use the ASDM to set the appropriate identity cert on the outside interface
[ Configuration->Device Management->Advanced->SSL Settings ]

and set up a Connection Profile [ Configuration->Device Management->Connection Profiles ] on both devices,
setting the side that gets its IP via DHCP to static and the side that has the permanent IP to accept from dynamic.

I apply settings and nothing happens.

show crypto isakmp just returns "There are no isakmp sas".

I'm not sure where to begin debugging this. How do I force the DHCP side to initiate a connection?

28 Replies

What should the policy look like? That is the same policy on both ends? Is it just wrong?

crypto isakmp policy 150
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400

The ISAKMP policy looks good on both ends. Again, the certificate map is OK, but I would rather use CO instead of EQ. Have the crypto ca debugs enabled; I want to see how the mapping is processed.
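What the certificate map decides at the group lookup, as an added illustration that is not part of the thread and not Cisco code: the model below assumes the operator semantics the ASA documents for `crypto ca certificate map` rules (eq/ne compare the whole attribute value, co/nc test for a substring), assumes comparisons are case-insensitive, and assumes all rules in one map entry must match with the lowest matching sequence number winning. The subject and issuer names, the map entries and the tunnel-group name are constructed. It shows why a `co` rule still matches a CN that carries a longer name while an `eq` rule on the short name does not.

```python
"""Model of ASA certificate-map matching (added example; not from the thread or Cisco).

Assumptions: a map entry matches when all of its rules match; the lowest
sequence number that matches wins; eq/ne compare the whole attribute value,
co/nc test for a substring; comparisons are case-insensitive.
"""


def parse_dn(dn):
    """Split 'CN=x,OU=y,O=z' into {'CN': 'x', ...}; does not handle escaped commas."""
    attrs = {}
    for part in dn.split(","):
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip().upper()] = value.strip()
    return attrs


def rule_matches(rule, subject_dn, issuer_dn):
    """rule = (field, attr, op, value); attr None means match against the whole DN string."""
    field, attr, op, value = rule
    dn = subject_dn if field == "subject-name" else issuer_dn
    actual = dn if attr is None else parse_dn(dn).get(attr.upper(), "")
    a, v = actual.lower(), value.lower()
    if op == "eq":
        return a == v
    if op == "ne":
        return a != v
    if op == "co":
        return v in a
    if op == "nc":
        return v not in a
    raise ValueError(f"unknown operator {op!r}")


def lookup_tunnel_group(cert_map, bindings, subject_dn, issuer_dn):
    """Return the tunnel-group bound to the first matching map entry, else None.

    cert_map: {seq: [rule, ...]}   bindings: {seq: tunnel-group name}
    None is the analogue of the responder failing its group lookup."""
    for seq in sorted(cert_map):
        if all(rule_matches(r, subject_dn, issuer_dn) for r in cert_map[seq]):
            return bindings.get(seq)
    return None


# Constructed peer certificate names and map entries (not from the thread).
PEER_SUBJECT = "CN=asa01.branch.example.net,OU=VPN Gateways,O=Example"
PEER_ISSUER = "CN=Example Intermediate CA,O=Example"
BINDINGS = {10: "BRANCH-L2L"}

# 'eq' wants the whole CN; the peer's CN carries the domain, so this misses.
EQ_MAP = {10: [("subject-name", "cn", "eq", "asa01")]}
# 'co' matches a substring of the CN, and a second rule pins the issuing CA.
CO_MAP = {10: [("subject-name", "cn", "co", "asa01"),
               ("issuer-name", "cn", "co", "intermediate ca")]}


if __name__ == "__main__":
    for name, cert_map in (("eq", EQ_MAP), ("co", CO_MAP)):
        print(name, "->", lookup_tunnel_group(cert_map, BINDINGS, PEER_SUBJECT, PEER_ISSUER))
```

The `bindings` dictionary stands in for the ASA's `tunnel-group-map` command, which ties a map entry to a tunnel-group; the second rule in `CO_MAP` is there because a substring match on the CN alone is looser than an exact match, so pinning the issuer keeps the entry from matching any certificate that merely contains the short name.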

that error output was with:

debug crypto isakmp 15
debug crypto ca messages 15

should I up it to 25 and retry?

I changed eq to co, set debug crypto isakmp 25 and debug crypto ca messages 25, and sent a single ping: attached are the debugs from each side.

SYS-ASA01# debug crypto isakmp 25
SYS-ASA01# debug crypto ca messages 25
SYS-ASA01# Dec 07 11:22:17 [IKEv1]: IP = 96.24.196.33, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 408
Dec 07 11:22:17 [IKEv1 DEBUG]: IP = 96.24.196.33, processing SA payload
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 1
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 1
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 5
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 5
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 5
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 1
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 1
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 1
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 1
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 1
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 1
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 5
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 5
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 5
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 5
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 1
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 1
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 1
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 1
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Dec 07 11:22:17 [IKEv1 DEBUG]: IP = 96.24.196.33, Oakley proposal is acceptable
Dec 07 11:22:17 [IKEv1 DEBUG]: IP = 96.24.196.33, processing VID payload
Dec 07 11:22:17 [IKEv1 DEBUG]: IP = 96.24.196.33, Received Fragmentation VID
Dec 07 11:22:17 [IKEv1 DEBUG]: IP = 96.24.196.33, IKE Peer included IKE fragmentation capability flags:  Main Mode:        True  Aggressive Mode:  True
Dec 07 11:22:17 [IKEv1 DEBUG]: IP = 96.24.196.33, processing IKE SA payload
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 1
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 1
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 5
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 5
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 5
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 1
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 1
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 1
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 1
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 1
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 1
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 5
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 5
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 5
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 5
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 1
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 1
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 1
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 1
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Dec 07 11:22:17 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Dec 07 11:22:17 [IKEv1 DEBUG]: IP = 96.24.196.33, IKE SA Proposal # 1, Transform # 1 acceptable  Matches global IKE entry # 11
Dec 07 11:22:17 [IKEv1 DEBUG]: IP = 96.24.196.33, constructing ISAKMP SA payload
Dec 07 11:22:17 [IKEv1 DEBUG]: IP = 96.24.196.33, constructing Fragmentation VID + extended capabilities payload
Dec 07 11:22:17 [IKEv1]: IP = 96.24.196.33, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 112
Dec 07 11:22:17 [IKEv1]: IP = 96.24.196.33, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256
Dec 07 11:22:17 [IKEv1 DEBUG]: IP = 96.24.196.33, processing ke payload
Dec 07 11:22:17 [IKEv1 DEBUG]: IP = 96.24.196.33, processing ISA_KE payload
Dec 07 11:22:17 [IKEv1 DEBUG]: IP = 96.24.196.33, processing nonce payload
Dec 07 11:22:17 [IKEv1 DEBUG]: IP = 96.24.196.33, processing VID payload
Dec 07 11:22:17 [IKEv1 DEBUG]: IP = 96.24.196.33, Received Cisco Unity client VID
Dec 07 11:22:17 [IKEv1 DEBUG]: IP = 96.24.196.33, processing VID payload
Dec 07 11:22:17 [IKEv1 DEBUG]: IP = 96.24.196.33, Received xauth V6 VID
Dec 07 11:22:17 [IKEv1 DEBUG]: IP = 96.24.196.33, processing VID payload
Dec 07 11:22:17 [IKEv1 DEBUG]: IP = 96.24.196.33, Processing VPN3000/ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Dec 07 11:22:17 [IKEv1 DEBUG]: IP = 96.24.196.33, processing VID payload
Dec 07 11:22:17 [IKEv1 DEBUG]: IP = 96.24.196.33, Received Altiga/Cisco VPN3000/Cisco ASA GW VID
Dec 07 11:22:17 [IKEv1 DEBUG]: IP = 96.24.196.33, constructing ke payload
Dec 07 11:22:17 [IKEv1 DEBUG]: IP = 96.24.196.33, constructing nonce payload
Dec 07 11:22:17 [IKEv1 DEBUG]: IP = 96.24.196.33, constructing Cisco Unity VID payload
Dec 07 11:22:17 [IKEv1 DEBUG]: IP = 96.24.196.33, constructing xauth V6 VID payload
Dec 07 11:22:17 [IKEv1 DEBUG]: IP = 96.24.196.33, Send IOS VID
Dec 07 11:22:17 [IKEv1 DEBUG]: IP = 96.24.196.33, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Dec 07 11:22:17 [IKEv1 DEBUG]: IP = 96.24.196.33, constructing VID payload
Dec 07 11:22:17 [IKEv1 DEBUG]: IP = 96.24.196.33, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Dec 07 11:22:17 [IKEv1]: Group = 96.24.196.33, IP = 96.24.196.33, Can't find a valid tunnel group, aborting...!
Dec 07 11:22:17 [IKEv1 DEBUG]: Group = 96.24.196.33, IP = 96.24.196.33, IKE MM Responder FSM error history (struct &0xd14a21b0)  , :  MM_DONE, EV_ERROR-->MM_BLD_MSG4, EV_GROUP_LOOKUP-->MM_BLD_MSG4, EV_TEST_CERT-->MM_BLD_MSG4, EV_BLD_MSG4-->MM_BLD_MSG4, EV_TEST_CRACK-->MM_BLD_MSG4, EV_SECRET_KEY_OK-->MM_BLD_MSG4, NullEvent-->MM_BLD_MSG4, EV_GEN_SECRET_KEY
Dec 07 11:22:17 [IKEv1 DEBUG]: Group = 96.24.196.33, IP = 96.24.196.33, IKE SA MM:28baec2d terminating:  flags 0x0100c002, refcnt 0, tuncnt 0
Dec 07 11:22:17 [IKEv1 DEBUG]: Group = 96.24.196.33, IP = 96.24.196.33, sending delete/delete with reason message
Dec 07 11:22:17 [IKEv1]: Group = 96.24.196.33, IP = 96.24.196.33, Removing peer from peer table failed, no match!
Dec 07 11:22:17 [IKEv1]: Group = 96.24.196.33, IP = 96.24.196.33, Error: Unable to remove PeerTblEntry
Dec 07 11:22:25 [IKEv1]: IP = 96.24.196.33, Header invalid, missing SA payload! (next payload = 4)
Dec 07 11:22:25 [IKEv1]: IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
Dec 07 11:22:33 [IKEv1]: IP = 96.24.196.33, Header invalid, missing SA payload! (next payload = 4)
Dec 07 11:22:33 [IKEv1]: IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
Dec 07 11:22:41 [IKEv1]: IP = 96.24.196.33, Header invalid, missing SA payload! (next payload = 4)
Dec 07 11:22:41 [IKEv1]: IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
SYS-ASA01#

################################################################################
sys-ii-asa00# Dec 07 11:19:42 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Dec 07 11:19:42 [IKEv1]: IP = 74.255.131.2, IKE Initiator: New Phase 1, Intf inside, IKE Peer 74.255.131.2  local Proxy Address 10.254.254.0, remote Proxy Address 192.168.7.0,  Crypto map (outside_map1)
Dec 07 11:19:42 [IKEv1 DEBUG]: IP = 74.255.131.2, constructing ISAKMP SA payload
Dec 07 11:19:42 [IKEv1 DEBUG]: IP = 74.255.131.2, constructing Fragmentation VID + extended capabilities payload
Dec 07 11:19:42 [IKEv1]: IP = 74.255.131.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 408
Dec 07 11:19:42 [IKEv1]: IP = 74.255.131.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 112
Dec 07 11:19:42 [IKEv1 DEBUG]: IP = 74.255.131.2, processing SA payload
Dec 07 11:19:42 [IKEv1 DEBUG]: IP = 74.255.131.2, Oakley proposal is acceptable
Dec 07 11:19:42 [IKEv1 DEBUG]: IP = 74.255.131.2, processing VID payload
Dec 07 11:19:42 [IKEv1 DEBUG]: IP = 74.255.131.2, Received Fragmentation VID
Dec 07 11:19:42 [IKEv1 DEBUG]: IP = 74.255.131.2, IKE Peer included IKE fragmentation capability flags:  Main Mode:        True  Aggressive Mode:  True
Dec 07 11:19:42 [IKEv1 DEBUG]: IP = 74.255.131.2, constructing ke payload
Dec 07 11:19:42 [IKEv1 DEBUG]: IP = 74.255.131.2, constructing nonce payload
Dec 07 11:19:42 [IKEv1 DEBUG]: IP = 74.255.131.2, constructing Cisco Unity VID payload
Dec 07 11:19:42 [IKEv1 DEBUG]: IP = 74.255.131.2, constructing xauth V6 VID payload
Dec 07 11:19:42 [IKEv1 DEBUG]: IP = 74.255.131.2, Send IOS VID
Dec 07 11:19:42 [IKEv1 DEBUG]: IP = 74.255.131.2, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Dec 07 11:19:42 [IKEv1 DEBUG]: IP = 74.255.131.2, constructing VID payload
Dec 07 11:19:42 [IKEv1 DEBUG]: IP = 74.255.131.2, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Dec 07 11:19:42 [IKEv1]: IP = 74.255.131.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256
Dec 07 11:19:50 [IKEv1]: IP = 74.255.131.2, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256
Dec 07 11:19:51 [IKEv1]: IP = 74.255.131.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
Dec 07 11:19:51 [IKEv1]: IP = 74.255.131.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
Dec 07 11:19:51 [IKEv1]: IP = 74.255.131.2, Received an un-encrypted INVALID_COOKIE notify message, dropping
Dec 07 11:19:51 [IKEv1]: IP = 74.255.131.2, Information Exchange processing failed
Dec 07 11:19:58 [IKEv1]: IP = 74.255.131.2, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256
Dec 07 11:19:59 [IKEv1]: IP = 74.255.131.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
Dec 07 11:19:59 [IKEv1]: IP = 74.255.131.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
Dec 07 11:19:59 [IKEv1]: IP = 74.255.131.2, Received an un-encrypted INVALID_COOKIE notify message, dropping
Dec 07 11:19:59 [IKEv1]: IP = 74.255.131.2, Information Exchange processing failed
Dec 07 11:20:06 [IKEv1]: IP = 74.255.131.2, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256
Dec 07 11:20:07 [IKEv1]: IP = 74.255.131.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
Dec 07 11:20:07 [IKEv1]: IP = 74.255.131.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
Dec 07 11:20:07 [IKEv1]: IP = 74.255.131.2, Received an un-encrypted INVALID_COOKIE notify message, dropping
Dec 07 11:20:07 [IKEv1]: IP = 74.255.131.2, Information Exchange processing failed
Dec 07 11:20:14 [IKEv1 DEBUG]: IP = 74.255.131.2, IKE MM Initiator FSM error history (struct &0xd8b999d0)  , :  MM_DONE, EV_ERROR-->MM_WAIT_MSG4, EV_TIMEOUT-->MM_WAIT_MSG4, NullEvent-->MM_SND_MSG3, EV_SND_MSG-->MM_SND_MSG3, EV_START_TMR-->MM_SND_MSG3, EV_RESEND_MSG-->MM_WAIT_MSG4, EV_TIMEOUT-->MM_WAIT_MSG4, NullEvent
Dec 07 11:20:14 [IKEv1 DEBUG]: IP = 74.255.131.2, IKE SA MM:8fbf96d7 terminating:  flags 0x01000022, refcnt 0, tuncnt 0
Dec 07 11:20:14 [IKEv1 DEBUG]: IP = 74.255.131.2, sending delete/delete with reason message
Dec 07 11:20:14 [IKEv1]: IP = 74.255.131.2, Removing peer from peer table failed, no match!
Dec 07 11:20:14 [IKEv1]: IP = 74.255.131.2, Error: Unable to remove PeerTblEntry
Dec 07 11:20:27 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Dec 07 11:20:27 [IKEv1]: IP = 74.255.131.2, IKE Initiator: New Phase 1, Intf inside, IKE Peer 74.255.131.2  local Proxy Address 10.254.254.0, remote Proxy Address 192.168.7.0,  Crypto map (outside_map1)
Dec 07 11:20:27 [IKEv1 DEBUG]: IP = 74.255.131.2, constructing ISAKMP SA payload
Dec 07 11:20:27 [IKEv1 DEBUG]: IP = 74.255.131.2, constructing Fragmentation VID + extended capabilities payload
Dec 07 11:20:27 [IKEv1]: IP = 74.255.131.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 408
Dec 07 11:20:27 [IKEv1]: IP = 74.255.131.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 112
Dec 07 11:20:27 [IKEv1 DEBUG]: IP = 74.255.131.2, processing SA payload
Dec 07 11:20:27 [IKEv1 DEBUG]: IP = 74.255.131.2, Oakley proposal is acceptable
Dec 07 11:20:27 [IKEv1 DEBUG]: IP = 74.255.131.2, processing VID payload
Dec 07 11:20:27 [IKEv1 DEBUG]: IP = 74.255.131.2, Received Fragmentation VID
Dec 07 11:20:27 [IKEv1 DEBUG]: IP = 74.255.131.2, IKE Peer included IKE fragmentation capability flags:  Main Mode:        True  Aggressive Mode:  True
Dec 07 11:20:27 [IKEv1 DEBUG]: IP = 74.255.131.2, constructing ke payload
Dec 07 11:20:27 [IKEv1 DEBUG]: IP = 74.255.131.2, constructing nonce payload
Dec 07 11:20:27 [IKEv1 DEBUG]: IP = 74.255.131.2, constructing Cisco Unity VID payload
Dec 07 11:20:27 [IKEv1 DEBUG]: IP = 74.255.131.2, constructing xauth V6 VID payload
Dec 07 11:20:27 [IKEv1 DEBUG]: IP = 74.255.131.2, Send IOS VID
Dec 07 11:20:27 [IKEv1 DEBUG]: IP = 74.255.131.2, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Dec 07 11:20:27 [IKEv1 DEBUG]: IP = 74.255.131.2, constructing VID payload
Dec 07 11:20:27 [IKEv1 DEBUG]: IP = 74.255.131.2, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Dec 07 11:20:27 [IKEv1]: IP = 74.255.131.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256
Dec 07 11:20:28 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Dec 07 11:20:28 [IKEv1]: IP = 74.255.131.2, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Dec 07 11:20:29 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Dec 07 11:20:29 [IKEv1]: IP = 74.255.131.2, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Dec 07 11:20:30 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Dec 07 11:20:30 [IKEv1]: IP = 74.255.131.2, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Dec 07 11:20:31 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Dec 07 11:20:31 [IKEv1]: IP = 74.255.131.2, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Dec 07 11:20:32 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Dec 07 11:20:32 [IKEv1]: IP = 74.255.131.2, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Dec 07 11:20:33 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Dec 07 11:20:33 [IKEv1]: IP = 74.255.131.2, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Dec 07 11:20:34 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Dec 07 11:20:34 [IKEv1]: IP = 74.255.131.2, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Dec 07 11:20:35 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Dec 07 11:20:35 [IKEv1]: IP = 74.255.131.2, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Dec 07 11:20:35 [IKEv1]: IP = 74.255.131.2, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256
Dec 07 11:20:35 [IKEv1]: IP = 74.255.131.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
Dec 07 11:20:35 [IKEv1]: IP = 74.255.131.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
Dec 07 11:20:35 [IKEv1]: IP = 74.255.131.2, Received an un-encrypted INVALID_COOKIE notify message, dropping
Dec 07 11:20:35 [IKEv1]: IP = 74.255.131.2, Information Exchange processing failed
Dec 07 11:20:36 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Dec 07 11:20:36 [IKEv1]: IP = 74.255.131.2, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Dec 07 11:20:43 [IKEv1]: IP = 74.255.131.2, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256
Dec 07 11:20:43 [IKEv1]: IP = 74.255.131.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
Dec 07 11:20:43 [IKEv1]: IP = 74.255.131.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
Dec 07 11:20:43 [IKEv1]: IP = 74.255.131.2, Received an un-encrypted INVALID_COOKIE notify message, dropping
Dec 07 11:20:43 [IKEv1]: IP = 74.255.131.2, Information Exchange processing failed
Dec 07 11:20:51 [IKEv1]: IP = 74.255.131.2, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256
Dec 07 11:20:51 [IKEv1]: IP = 74.255.131.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
Dec 07 11:20:51 [IKEv1]: IP = 74.255.131.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
Dec 07 11:20:51 [IKEv1]: IP = 74.255.131.2, Received an un-encrypted INVALID_COOKIE notify message, dropping
Dec 07 11:20:51 [IKEv1]: IP = 74.255.131.2, Information Exchange processing failed
Dec 07 11:20:59 [IKEv1 DEBUG]: IP = 74.255.131.2, IKE MM Initiator FSM error history (struct &0xd8b999d0)  , :  MM_DONE, EV_ERROR-->MM_WAIT_MSG4, EV_TIMEOUT-->MM_WAIT_MSG4, NullEvent-->MM_SND_MSG3, EV_SND_MSG-->MM_SND_MSG3, EV_START_TMR-->MM_SND_MSG3, EV_RESEND_MSG-->MM_WAIT_MSG4, EV_TIMEOUT-->MM_WAIT_MSG4, NullEvent
Dec 07 11:20:59 [IKEv1 DEBUG]: IP = 74.255.131.2, IKE SA MM:3cdf16c7 terminating:  flags 0x01000022, refcnt 0, tuncnt 0
Dec 07 11:20:59 [IKEv1 DEBUG]: IP = 74.255.131.2, sending delete/delete with reason message
Dec 07 11:20:59 [IKEv1]: IP = 74.255.131.2, Removing peer from peer table failed, no match!
Dec 07 11:20:59 [IKEv1]: IP = 74.255.131.2, Error: Unable to remove PeerTblEntry
debug crypto isakmp 25
sys-ii-asa00# debug crypto ca messages 25
sys-ii-asa00# Dec 07 11:22:17 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Dec 07 11:22:17 [IKEv1]: IP = 74.255.131.2, IKE Initiator: New Phase 1, Intf inside, IKE Peer 74.255.131.2  local Proxy Address 10.254.254.0, remote Proxy Address 192.168.7.0,  Crypto map (outside_map1)
Dec 07 11:22:17 [IKEv1 DEBUG]: IP = 74.255.131.2, constructing ISAKMP SA payload
Dec 07 11:22:17 [IKEv1 DEBUG]: IP = 74.255.131.2, constructing Fragmentation VID + extended capabilities payload
Dec 07 11:22:17 [IKEv1]: IP = 74.255.131.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 408
Dec 07 11:22:17 [IKEv1]: IP = 74.255.131.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 112
Dec 07 11:22:17 [IKEv1 DEBUG]: IP = 74.255.131.2, processing SA payload
Dec 07 11:22:17 [IKEv1 DEBUG]: IP = 74.255.131.2, Oakley proposal is acceptable
Dec 07 11:22:17 [IKEv1 DEBUG]: IP = 74.255.131.2, processing VID payload
Dec 07 11:22:17 [IKEv1 DEBUG]: IP = 74.255.131.2, Received Fragmentation VID
Dec 07 11:22:17 [IKEv1 DEBUG]: IP = 74.255.131.2, IKE Peer included IKE fragmentation capability flags:  Main Mode:        True  Aggressive Mode:  True
Dec 07 11:22:17 [IKEv1 DEBUG]: IP = 74.255.131.2, constructing ke payload
Dec 07 11:22:17 [IKEv1 DEBUG]: IP = 74.255.131.2, constructing nonce payload
Dec 07 11:22:17 [IKEv1 DEBUG]: IP = 74.255.131.2, constructing Cisco Unity VID payload
Dec 07 11:22:17 [IKEv1 DEBUG]: IP = 74.255.131.2, constructing xauth V6 VID payload
Dec 07 11:22:17 [IKEv1 DEBUG]: IP = 74.255.131.2, Send IOS VID
Dec 07 11:22:17 [IKEv1 DEBUG]: IP = 74.255.131.2, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Dec 07 11:22:17 [IKEv1 DEBUG]: IP = 74.255.131.2, constructing VID payload
Dec 07 11:22:17 [IKEv1 DEBUG]: IP = 74.255.131.2, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Dec 07 11:22:17 [IKEv1]: IP = 74.255.131.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256
Dec 07 11:22:25 [IKEv1]: IP = 74.255.131.2, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256
Dec 07 11:22:25 [IKEv1]: IP = 74.255.131.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
Dec 07 11:22:25 [IKEv1]: IP = 74.255.131.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
Dec 07 11:22:25 [IKEv1]: IP = 74.255.131.2, Received an un-encrypted INVALID_COOKIE notify message, dropping
Dec 07 11:22:25 [IKEv1]: IP = 74.255.131.2, Information Exchange processing failed
Dec 07 11:22:33 [IKEv1]: IP = 74.255.131.2, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256
Dec 07 11:22:33 [IKEv1]: IP = 74.255.131.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
Dec 07 11:22:33 [IKEv1]: IP = 74.255.131.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
Dec 07 11:22:33 [IKEv1]: IP = 74.255.131.2, Received an un-encrypted INVALID_COOKIE notify message, dropping
Dec 07 11:22:33 [IKEv1]: IP = 74.255.131.2, Information Exchange processing failed
Dec 07 11:22:41 [IKEv1]: IP = 74.255.131.2, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256
Dec 07 11:22:41 [IKEv1]: IP = 74.255.131.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
Dec 07 11:22:41 [IKEv1]: IP = 74.255.131.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
Dec 07 11:22:41 [IKEv1]: IP = 74.255.131.2, Received an un-encrypted INVALID_COOKIE notify message, dropping
Dec 07 11:22:41 [IKEv1]: IP = 74.255.131.2, Information Exchange processing failed
Dec 07 11:22:49 [IKEv1 DEBUG]: IP = 74.255.131.2, IKE MM Initiator FSM error history (struct &0xd8b999d0)  , :  MM_DONE, EV_ERROR-->MM_WAIT_MSG4, EV_TIMEOUT-->MM_WAIT_MSG4, NullEvent-->MM_SND_MSG3, EV_SND_MSG-->MM_SND_MSG3, EV_START_TMR-->MM_SND_MSG3, EV_RESEND_MSG-->MM_WAIT_MSG4, EV_TIMEOUT-->MM_WAIT_MSG4, NullEvent
Dec 07 11:22:49 [IKEv1 DEBUG]: IP = 74.255.131.2, IKE SA MM:ed9498ca terminating:  flags 0x01000022, refcnt 0, tuncnt 0
Dec 07 11:22:49 [IKEv1 DEBUG]: IP = 74.255.131.2, sending delete/delete with reason message
Dec 07 11:22:49 [IKEv1]: IP = 74.255.131.2, Removing peer from peer table failed, no match!
Dec 07 11:22:49 [IKEv1]: IP = 74.255.131.2, Error: Unable to remove PeerTblEntry

garyshanes
Level 1

If I run the following while it's negotiating I get:

sys-ii-asa00# show crypto isakmp sa detail

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 74.255.131.2
    Type    : user            Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG4
    Encrypt : aes-256         Hash    : SHA      
    Auth    : preshared       Lifetime: 86400
    Lifetime Remaining: 2147479890

--

Why does it say "Auth: preshared" if I'm using rsa?

That is because it seems it is negotiating with another isakmp policy using preshared. Please go ahead and do the following command on both ASAs and paste it here:

show run all isakmp

sys-ii-asa00# show run all isakmp
crypto isakmp identity auto
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash md5
group 1
lifetime 86400
crypto isakmp policy 40
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 50
authentication pre-share
encryption 3des
hash md5    
group 5     
lifetime 86400
crypto isakmp policy 60
authentication pre-share
encryption 3des
hash sha    
group 1     
lifetime 86400
crypto isakmp policy 70
authentication pre-share
encryption 3des
hash sha    
group 5     
lifetime 86400
crypto isakmp policy 110
authentication pre-share
encryption aes
hash sha    
group 5     
lifetime 86400
crypto isakmp policy 130
authentication pre-share
encryption aes-256
hash sha    
group 5     
lifetime 86400
crypto isakmp policy 150
authentication rsa-sig
encryption 3des
hash sha    
group 2     
lifetime 86400
no crypto isakmp nat-traversal

SYS-ASA01#
crypto isakmp identity auto
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash md5
group 1
lifetime 86400
crypto isakmp policy 40
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 50
authentication pre-share
encryption 3des
hash md5    
group 5     
lifetime 86400
crypto isakmp policy 60
authentication pre-share
encryption 3des
hash sha    
group 1     
lifetime 86400
crypto isakmp policy 70
authentication pre-share
encryption 3des
hash sha    
group 5     
lifetime 86400
crypto isakmp policy 110
authentication pre-share
encryption aes
hash sha    
group 5     
lifetime 86400
crypto isakmp policy 130
authentication pre-share
encryption aes-256
hash sha    
group 5     
lifetime 86400
crypto isakmp policy 150
authentication rsa-sig
encryption 3des
hash sha    
group 2     
lifetime 86400
no crypto isakmp nat-traversal

As you can see, there are several policies that match on both sides before it gets to rsa-sig (policy 150). Since they will both send their policies and match with the first one that is there and matches all values, it will match, in this case, with policy 10, and so on, before it gets to policy 150. My advice is that if on the dynamic side you do not need all of those policies, just leave the rsa-sig one, or if you do need the other pre-share policies, move it to the top of the list on the ASA.
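To make the ordering rule in the reply above concrete, here is an added Python model (not code from the thread or from Cisco) that parses `show run all isakmp` output and simulates the Phase 1 selection. The matching rule it encodes is an assumption taken from the reply: the responder walks its own policies in priority order and accepts the first initiator proposal whose authentication, encryption, hash and DH group all match, with the lifetime negotiated down to the shorter value. The sample configs are constructed, trimmed to three of the policies posted, plus the priority-5 rsa-sig policy the poster later added.

```python
"""Model of IKEv1 Phase 1 policy selection between two ASAs.

Added example; configs are constructed from an abbreviated version of the
'show run all isakmp' output in the thread. Matching rule (assumption, taken
from the reply): the responder walks its own policies in priority order and
accepts the first initiator proposal whose authentication, encryption, hash
and DH group all match; lifetime is negotiated down to the shorter of the two.
"""
import re

MATCH_KEYS = ("authentication", "encryption", "hash", "group")
POLICY_KEYS = MATCH_KEYS + ("lifetime",)


def parse_isakmp_policies(text):
    """Parse 'show run all isakmp' output into [(priority, attrs)] in priority order."""
    policies = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            current = int(m.group(1))
            policies[current] = {}
            continue
        parts = line.split(None, 1)
        # Attribute lines belong to the most recent 'crypto isakmp policy N'.
        if current is not None and len(parts) == 2 and parts[0] in POLICY_KEYS:
            policies[current][parts[0]] = parts[1]
    return sorted(policies.items())


def negotiate(initiator, responder):
    """Return (initiator_prio, responder_prio, agreed_attrs), or None if nothing matches."""
    for rprio, rattrs in responder:          # responder's own priority order
        for iprio, iattrs in initiator:      # every proposal the initiator offered
            if all(iattrs.get(k) == rattrs.get(k) for k in MATCH_KEYS):
                agreed = {k: rattrs[k] for k in MATCH_KEYS}
                agreed["lifetime"] = str(min(int(iattrs.get("lifetime", 86400)),
                                             int(rattrs.get("lifetime", 86400))))
                return iprio, rprio, agreed
    return None


# Constructed sample: both ASAs as posted, trimmed to three of the policies.
ORIGINAL_TEXT = """
crypto isakmp identity auto
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 150
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
"""

# Constructed sample: the dynamic side after everything was replaced with a
# single rsa-sig policy at priority 5.
DYNAMIC_FIXED_TEXT = """
crypto isakmp policy 5
authentication rsa-sig
encryption aes-256
hash sha
group 5
lifetime 86400
"""

# Static side with the same rsa-sig policy inserted ahead of the old ones.
STATIC_FIXED_TEXT = DYNAMIC_FIXED_TEXT + ORIGINAL_TEXT

ORIGINAL = parse_isakmp_policies(ORIGINAL_TEXT)
DYNAMIC_FIXED = parse_isakmp_policies(DYNAMIC_FIXED_TEXT)
STATIC_FIXED = parse_isakmp_policies(STATIC_FIXED_TEXT)

if __name__ == "__main__":
    print("as posted:         ", negotiate(ORIGINAL, ORIGINAL))
    print("both sides fixed:  ", negotiate(DYNAMIC_FIXED, STATIC_FIXED))
    print("only dynamic fixed:", negotiate(DYNAMIC_FIXED, ORIGINAL))
```

Running it shows the three states the thread goes through: with identical lists on both sides policy 10 wins and the SA reports pre-shared authentication even though an rsa-sig policy exists; with the rsa-sig policy at priority 5 on both sides it is the one selected; and with it on the dynamic side only, no proposal matches, which is the failure the poster hit next.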

On the dynamic side I removed all of them and added:

crypto isakmp policy 5
authentication rsa-sig
encryption aes-256
hash sha
group 5
lifetime 86400

I then added the same policy (at priority 5, before everything else) and now the dynamic side says:

sys-ii-asa00# show debug
debug crypto ca messages enabled at level 25
debug crypto isakmp enabled at level 25
eft-ii-asa00# Dec 07 13:40:53 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Dec 07 13:40:53 [IKEv1]: There is no valid IKE proposal available, check IPSec SA configuration!
Dec 07 13:40:53 [IKEv1]: Removing peer from peer table failed, no match!
Dec 07 13:40:53 [IKEv1]: Error: Unable to remove PeerTblEntry

and the static side says nothing at the same debug level

isakmp enable outside is on, right? Can you post your show run from both sides, please?

I put them in a private gist so I can delete them. There is site-specific data in them that I'd prefer not be made public on a forum.

static : https://gist.github.com/98990153ae735b0a3e64
dynamic: https://gist.github.com/757e833f6c4d3690c2e5

I did what I could to scrub passwords out and global replace public IPs.

Ok, so there are 2 things I would change. One is on the SYS-ASA01: have the dynamic tunnel at the very end of the crypto map statements:

crypto map vpn 8 ipsec-isakmp dynamic instant-issue-00 ------ move this down
crypto map vpn 10 match address 205.255.226.10
crypto map vpn 10 set peer 205.255.226.10
crypto map vpn 10 set transform-set AES-SHA
crypto map vpn 10 set security-association lifetime seconds 28800
crypto map vpn 10 set security-association lifetime kilobytes 4608000
crypto map vpn interface outside

crypto map vpn 65535 ipsec-isakmp dynamic instant-issue-00

On the sys-ii-asa00 go ahead and add the following:

crypto map outside_map1 1 set trustpoint sys-ii-asa00

As well, please add the following debug too

debug crypto ca transactions 25

On both sides, please.
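The crypto map change in the reply above comes down to one rule: the ASA evaluates crypto map entries by ascending sequence number, so a dynamic entry needs a higher sequence number than every static (peer-specific) entry in the same map. The following added check (not code from the thread or from Cisco) parses crypto map lines and flags a dynamic entry that is evaluated before static ones; the sample lines are constructed from the two snippets quoted above, and the completeness check on static entries (match address, set peer, set transform-set) is an extra I added.

```python
"""Lint crypto map ordering in an ASA configuration.

Added example, not from the thread. Rule encoded (from the reply above): the
ASA evaluates crypto map entries by ascending sequence number, so a dynamic
entry must carry a higher sequence number than every static entry in the same
map. The sample lines are constructed from the snippets quoted in the thread.
"""
import re

ENTRY_RE = re.compile(r"^crypto map (\S+) (\d+) (.+)$")
# Settings a static (peer-specific) entry needs before it can negotiate.
REQUIRED_STATIC = ("match address", "set peer", "set transform-set")


def parse_crypto_maps(text):
    """Return {map_name: {seq: {'dynamic': dyn_map_name_or_None, 'settings': [...]}}}."""
    maps = {}
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:  # skips 'crypto map vpn interface outside' and non-map lines
            continue
        name, seq, rest = m.group(1), int(m.group(2)), m.group(3)
        entry = maps.setdefault(name, {}).setdefault(seq, {"dynamic": None, "settings": []})
        dm = re.match(r"ipsec-isakmp dynamic (\S+)$", rest)
        if dm:
            entry["dynamic"] = dm.group(1)
        else:
            entry["settings"].append(rest)
    return maps


def lint_crypto_maps(text):
    """Return a list of findings; an empty list means ordering and entries look sound."""
    findings = []
    for name, entries in parse_crypto_maps(text).items():
        static_seqs = sorted(s for s, e in entries.items() if e["dynamic"] is None)
        dynamic_seqs = sorted(s for s, e in entries.items() if e["dynamic"] is not None)
        for seq in dynamic_seqs:
            later_static = [s for s in static_seqs if s > seq]
            if later_static:
                findings.append(
                    f"{name} {seq}: dynamic entry {entries[seq]['dynamic']} "
                    f"is evaluated before static entries {later_static}")
        for seq in static_seqs:
            missing = [k for k in REQUIRED_STATIC
                       if not any(s.startswith(k) for s in entries[seq]["settings"])]
            if missing:
                findings.append(f"{name} {seq}: static entry lacks {missing}")
    return findings


# Constructed from the crypto map lines quoted in the thread (before the move).
BEFORE = """
crypto map vpn 8 ipsec-isakmp dynamic instant-issue-00
crypto map vpn 10 match address 205.255.226.10
crypto map vpn 10 set peer 205.255.226.10
crypto map vpn 10 set transform-set AES-SHA
crypto map vpn 10 set security-association lifetime seconds 28800
crypto map vpn interface outside
"""

# Same config after the dynamic entry is moved to sequence 65535.
AFTER = BEFORE.replace("crypto map vpn 8 ", "crypto map vpn 65535 ")

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, lint_crypto_maps(cfg) or ["ok"])
```

On the "before" config the only finding is the dynamic entry at sequence 8 sitting ahead of the static entry at 10; after the renumbering the list is empty.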

################################################################################

I moved 8->65535

crypto map vpn 65535 ipsec-isakmp dynamic instant-issue-00
crypto dynamic-map instant-issue-00 65535 match address outside_cryptomap_2
crypto dynamic-map instant-issue-00 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

I keep seeing things like: Dec 07 17:27:02 [IKEv1]: Ignoring msg to mark SA with specified coordinates dead
when I configure it.

and added:

crypto map outside_map1 1 set trustpoint sys-ii-asa00

to sys-ii-asa00, but its trustpoint for this vpn is sys-asa01, isn't it?

################################################################################
when I ping:

SYS-ASA01# show debug
debug crypto ca messages enabled at level 25
debug crypto ca transactions enabled at level 25
debug crypto isakmp enabled at level 25
SYS-ASA01#


sys-ii-asa00# show debug
debug crypto ca messages enabled at level 25
debug crypto ca transactions enabled at level 25
debug crypto isakmp enabled at level 25
sys-ii-asa00# Dec 07 17:30:49 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Dec 07 17:30:49 [IKEv1]: Initiator failed to open cert context
Dec 07 17:30:49 [IKEv1]: Removing peer from peer table failed, no match!
Dec 07 17:30:49 [IKEv1]: Error: Unable to remove PeerTblEntry


that's all I see.

Gary, have you solved this issue? Having a similar issue and was hoping for some advice.
