New Member

Establishing Site-to-Site VPN between ASA5510 and Fortigate1000A

Hi,

I am trying to establish a Site-to-Site VPN to our customer. I am using ASA5510 and the customer was using Fortigate 1000A. The problem that we're having was regarding the IKE Phase 2, I think! Cisco debug information indicates "All IPSec SA proposals found unacceptable!" Can someone shed some light to help solve this problem?

11 REPLIES
Cisco Employee

Establishing Site-to-Site VPN between ASA5510 and Fortigate1000A

Hi John,

Can you take debugs of level 255 and paste the debugs right where it says all ipsec SA proposals found unacceptable?

You need to match the crypto access list on both ends. Can you verify the settings at the Fortigate end for the crypto access list? The range option in Fortigate does not work with Cisco. Can you send a snapshot of both ends' phase 1 and 2 with the crypto access list?

Thanks,

Varinder

Regards, Varinder P.S. Please mark this post as 'Answered' if you find the above information helpful so that it brings goodness to other community users
New Member

Establishing Site-to-Site VPN between ASA5510 and Fortigate1000A

Here it is.

Dec 02 20:51:18 [IKEv1 DEBUG]: Group = 210.24.168.8, IP = 210.24.168.8, processing hash payload

Dec 02 20:51:18 [IKEv1 DEBUG]: Group = 210.24.168.8, IP = 210.24.168.8, processing SA payload

Dec 02 20:51:18 [IKEv1 DEBUG]: Group = 210.24.168.8, IP = 210.24.168.8, processing nonce payload

Dec 02 20:51:18 [IKEv1 DEBUG]: Group = 210.24.168.8, IP = 210.24.168.8, processing ID payload

Dec 02 20:51:18 [IKEv1 DECODE]: Group = 210.24.168.8, IP = 210.24.168.8, ID_IPV4_ADDR_SUBNET ID received--10.21.0.0--255.255.0.0

Dec 02 20:51:18 [IKEv1]: Group = 210.24.168.8, IP = 210.24.168.8, Received remote IP Proxy Subnet data in ID Payload:   Address 10.21.0.0, Mask 255.255.0.0, Protocol 0, Port 0

Dec 02 20:51:18 [IKEv1 DEBUG]: Group = 210.24.168.8, IP = 210.24.168.8, processing ID payload

Dec 02 20:51:18 [IKEv1 DECODE]: Group = 210.24.168.8, IP = 210.24.168.8, ID_IPV4_ADDR_SUBNET ID received--10.177.177.0--255.255.255.0

Dec 02 20:51:18 [IKEv1]: Group = 210.24.168.8, IP = 210.24.168.8, Received local IP Proxy Subnet data in ID Payload:   Address 10.177.177.0, Mask 255.255.255.0, Protocol 0, Port 0

Dec 02 20:51:18 [IKEv1]: Group = 210.24.168.8, IP = 210.24.168.8, QM IsRekeyed old sa not found by addr

Dec 02 20:51:18 [IKEv1]: Group = 210.24.168.8, IP = 210.24.168.8, Static Crypto Map check, checking map = VPN-MAP, seq = 10...

Dec 02 20:51:18 [IKEv1]: Group = 210.24.168.8, IP = 210.24.168.8, Static Crypto Map check, map = VPN-MAP, seq = 10, ACL does not match proxy IDs src:10.21.0.0 dst:10.177.177.0

Dec 02 20:51:18 [IKEv1]: Group = 210.24.168.8, IP = 210.24.168.8, Static Crypto Map check, checking map = VPN-MAP, seq = 20...

Dec 02 20:51:18 [IKEv1]: Group = 210.24.168.8, IP = 210.24.168.8, Static Crypto Map check, map VPN-MAP, seq = 20 is a successful match

Dec 02 20:51:18 [IKEv1]: Group = 210.24.168.8, IP = 210.24.168.8, IKE Remote Peer configured for crypto map: VPN-MAP

Dec 02 20:51:18 [IKEv1 DEBUG]: Group = 210.24.168.8, IP = 210.24.168.8, processing IPSec SA payload

Dec 02 20:51:18 [IKEv1]: Group = 210.24.168.8, IP = 210.24.168.8, All IPSec SA proposals found unacceptable!

Dec 02 20:51:18 [IKEv1 DEBUG]: Group = 210.24.168.8, IP = 210.24.168.8, sending notify message

Dec 02 20:51:18 [IKEv1 DEBUG]: Group = 210.24.168.8, IP = 210.24.168.8, constructing blank hash payload

Dec 02 20:51:18 [IKEv1 DEBUG]: Group = 210.24.168.8, IP = 210.24.168.8, constructing ipsec notify payload for msg id a0425c41

Dec 02 20:51:18 [IKEv1 DEBUG]: Group = 210.24.168.8, IP = 210.24.168.8, constructing qm hash payload

Dec 02 20:51:18 [IKEv1]: IP = 210.24.168.8, IKE_DECODE SENDING Message (msgid=391c082f) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84

Establishing Site-to-Site VPN between ASA5510 and Fortigate1000A

I think the key phrase here is:

Dec 02 20:51:18 [IKEv1]: Group = 210.24.168.8, IP = 210.24.168.8, Static Crypto Map check, map = VPN-MAP, seq = 10, ACL does not match proxy IDs src:10.21.0.0 dst:10.177.177.0

Crypto ACL doesn't match on both sides.

HTH. Please rate if it was helpful.
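As an added triage helper (not part of this thread or of any Cisco tool), the function below walks the ASA IKEv1 debug lines quoted above and separates the two Phase 2 failure causes that look alike: no crypto map ACL matching the peer's proxy IDs, versus an ACL match followed by "All IPSec SA proposals found unacceptable", which points at the transform set, PFS or lifetime rather than the ACL. The sample input is constructed from the lines posted in the thread.

```python
import re
from typing import Dict

# Constructed sample: the Phase 2 lines of the "debug crypto isakmp" output
# quoted in this thread, trimmed to those that matter for triage.
SAMPLE_DEBUG = """\
Dec 02 20:51:18 [IKEv1]: Group = 210.24.168.8, IP = 210.24.168.8, Received remote IP Proxy Subnet data in ID Payload:   Address 10.21.0.0, Mask 255.255.0.0, Protocol 0, Port 0
Dec 02 20:51:18 [IKEv1]: Group = 210.24.168.8, IP = 210.24.168.8, Received local IP Proxy Subnet data in ID Payload:   Address 10.177.177.0, Mask 255.255.255.0, Protocol 0, Port 0
Dec 02 20:51:18 [IKEv1]: Group = 210.24.168.8, IP = 210.24.168.8, Static Crypto Map check, map = VPN-MAP, seq = 10, ACL does not match proxy IDs src:10.21.0.0 dst:10.177.177.0
Dec 02 20:51:18 [IKEv1]: Group = 210.24.168.8, IP = 210.24.168.8, Static Crypto Map check, map VPN-MAP, seq = 20 is a successful match
Dec 02 20:51:18 [IKEv1]: Group = 210.24.168.8, IP = 210.24.168.8, All IPSec SA proposals found unacceptable!
"""

PROXY_RE = re.compile(r"Received (remote|local) IP Proxy Subnet data in ID Payload:\s+Address ([\d.]+), Mask ([\d.]+)")
NOMATCH_RE = re.compile(r"map = (\S+), seq = (\d+), ACL does not match proxy IDs")
MATCH_RE = re.compile(r"map (\S+), seq = (\d+) is a successful match")
UNACCEPTABLE = "All IPSec SA proposals found unacceptable"


def triage_phase2(debug_text: str) -> Dict[str, object]:
    """Classify a Quick Mode failure from ASA IKEv1 debug lines.

    Returns the proxy IDs the peer sent, which crypto map entries rejected or
    matched them, and a verdict: 'proxy-id-mismatch' when no ACL matched,
    'proposal-mismatch' when an ACL matched but the IPsec proposal was still
    rejected, or 'ok' when nothing in the excerpt was rejected.
    """
    result: Dict[str, object] = {"proxy": {}, "acl_rejected": [], "acl_matched": None, "verdict": "ok"}
    for line in debug_text.splitlines():
        if m := PROXY_RE.search(line):
            result["proxy"][m.group(1)] = f"{m.group(2)}/{m.group(3)}"
        elif m := NOMATCH_RE.search(line):
            result["acl_rejected"].append((m.group(1), int(m.group(2))))
        elif m := MATCH_RE.search(line):
            result["acl_matched"] = (m.group(1), int(m.group(2)))
        elif UNACCEPTABLE in line:
            # By this point the ASA has already chosen a crypto map entry, so
            # the proxy IDs are fine; what failed is the transform set / PFS /
            # lifetime proposal for that entry.
            result["verdict"] = "proposal-mismatch" if result["acl_matched"] else "proxy-id-mismatch"
    if result["verdict"] == "ok" and result["acl_matched"] is None and result["acl_rejected"]:
        result["verdict"] = "proxy-id-mismatch"
    return result


if __name__ == "__main__":
    print(triage_phase2(SAMPLE_DEBUG))
```

For the excerpt in this thread the verdict is a proposal mismatch on VPN-MAP seq 20, which is why the seq 10 "ACL does not match" line is a red herring.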

New Member

Establishing Site-to-Site VPN between ASA5510 and Fortigate1000A

Crypto map sequence 10 is for a different group and I have different crypto maps. See details below.

Dec 02 20:51:18 [IKEv1]: Group = 210.24.168.8, IP = 210.24.168.8, Static Crypto Map check, checking map = VPN-MAP, seq = 20...

Dec 02 20:51:18 [IKEv1]: Group = 210.24.168.8, IP = 210.24.168.8, Static Crypto Map check, map VPN-MAP, seq = 20 is a successful match

Establishing Site-to-Site VPN between ASA5510 and Fortigate1000A

Ok, you're right. Looking forward...

New Member

Establishing Site-to-Site VPN between ASA5510 and Fortigate1000A

Would you know someone who has successfully established a VPN between Fortigate and Cisco?

New Member

Establishing Site-to-Site VPN between ASA5510 and Fortigate1000A

New update.

2   IKE Peer: 210.24.168.8

    Type    : L2L             Role    : initiator

    Rekey   : no              State   : MM_ACTIVE

but after a while it drops. Any info regarding this?

Cisco Employee

Establishing Site-to-Site VPN between ASA5510 and Fortigate1000A

John,

Try to do following things

1. Can you disable the keepalives on both ends?

2. Is the crypto access list on Fortigate of subnet type and not a network range? If it is a range, change it to a subnet.

Let me know if it works

Varinder

New Member

Establishing Site-to-Site VPN between ASA5510 and Fortigate1000A

Where do I disable the keepalives?

New Member

Establishing Site-to-Site VPN between ASA5510 and Fortigate1000A

I think the command is deprecated. I cannot issue the command in ASA.

Cisco Employee

Establishing Site-to-Site VPN between ASA5510 and Fortigate1000A

Keepalives on ASA are disabled with the following commands (entered under the tunnel-group's IPsec attributes; x.x.x.x is the peer address):

tunnel-group x.x.x.x ipsec-attributes

isakmp keepalive disable

--It is required to be disabled on the peer end as well.

Varinder
