Cisco Support Community

Issue with Phase 1 not coming up.

Hi all,

I have a very perplexing issue.

Side A - ASA 5510

Side B - Cisco 891

Side B initiates connection,

Phase 1 settings

Pre-Share, AES-256, DH Grp 5, Hash - SHA, Lifetime - 28800.

Now there wasn't an IKE policy to this value on the ASA, so I added one (see screenshot).

And the remote end added / changed their phase 1 to match the default entries at the Side A (ASA) end.

But all we get on the ASDM log is the second screenshot saying about mismatch on configured policies.

Anyone any ideas as to what's wrong?

Many Thanks

Stephen


Issue with Phase 1 not coming up.

Please post both end configuration.


Issue with Phase 1 not coming up.

Hi there,

Thanks for the interest. Before I get hold of the configs (one is a separate company and they may not give me their side of things), I have had a thought.

The A end is in the UK, and the B end is in Auz (Sydney).

Could there be latency issues with the phase exchange, and if so, can anything be done to alter the timers?

Thanks

Stephen

Issue with Phase 1 not coming up.

So far if you are able to get far end site is fine. At least you can ask what is the other end configuration for UK tunnel.

Also, based on the logs, DH group 5 is coming and Group 2 is configured; try to change that, it might fix your issue.


Issue with Phase 1 not coming up.

Hi there,

Believe it or not, this issue is caused by the request being sent back to the originator on the wrong port.

There were a few firewalls in between, and one wasn't set to use NAT-T, so I'm told.

When amended, all worked wonderfully well.


Issue with Phase 1 not coming up.

To those that read this post, I actually resolved the issue myself. See previous post.
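
Added example, not part of the thread and not Cisco code: a small Python model of the Phase 1 policy check discussed above, showing why a "mismatch on configured policies" message appears when no single responder policy agrees with the initiator's offer on every attribute. The offer uses the values from the first post; the responder policies, their priorities and the names `IkePolicy`, `diff` and `negotiate` are assumptions made for illustration.

```python
# Added illustration: models how an IKEv1 responder picks a Phase 1 policy.
from dataclasses import dataclass


@dataclass(frozen=True)
class IkePolicy:
    encryption: str
    hash: str
    auth: str
    dh_group: int
    lifetime: int  # seconds

# Attributes that must be identical within ONE policy on both peers.
MATCH_ATTRS = ("encryption", "hash", "auth", "dh_group")


def diff(offer, local):
    """Return {attr: (offered, configured)} for every attribute that differs."""
    return {a: (getattr(offer, a), getattr(local, a))
            for a in MATCH_ATTRS if getattr(offer, a) != getattr(local, a)}


def negotiate(offers, responder):
    """Check each offer against responder policies in priority order.

    Returns (priority, agreed_lifetime) for the first match, otherwise
    (None, report) where report maps (offer index, priority) to the differences.
    """
    report = {}
    for i, offer in enumerate(offers):
        for prio in sorted(responder):
            delta = diff(offer, responder[prio])
            if not delta:
                # Simplification (assumption): lifetimes may differ and the
                # shorter of the two is used.
                return prio, min(offer.lifetime, responder[prio].lifetime)
            report[(i, prio)] = delta
    return None, report

# Constructed sample data. The offer carries the Phase 1 values from the first
# post; the responder policies are hypothetical (group 2, as the reply reads
# from the log).
SIDE_B_OFFER = [IkePolicy("aes-256", "sha", "pre-share", 5, 28800)]
SIDE_A = {10: IkePolicy("aes-256", "sha", "pre-share", 2, 86400),
          20: IkePolicy("3des", "sha", "pre-share", 2, 86400)}
FIXED_SIDE_A = {**SIDE_A, 5: IkePolicy("aes-256", "sha", "pre-share", 5, 86400)}

if __name__ == "__main__":
    print(negotiate(SIDE_B_OFFER, SIDE_A))        # no match, per-policy report
    print(negotiate(SIDE_B_OFFER, FIXED_SIDE_A))  # matches the added policy
```

A clean result from a check like this only rules out a proposal mismatch; in this thread the cause turned out to be an intermediate firewall that was not set to use NAT-T.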
