L2L VPN between ASA with public IP and CISCO2911 behind ISP router with port forwarding

michalstaporek
Level 1

Hello All,

Apologies if this is a trivial question, but I have spent considerable time trying to research it and had no luck.

I have come across a problem trying to set up a temporary L2L VPN from a customer location with a CISCO2911 sitting behind the ISP's router to an ASA. The ISP informed me that I cannot bypass their device and terminate the Internet circuit on the Cisco for some reason, so I am stuck with it. The setup is:

corporate LAN - 10.x.x.2 -------- x.x.x.1 - ASA - y.y.y.y -------- Internet -------- z.z.z.z - ISP router - 10.1.17.1-------- 10.1.17.2 - CISCO2911 - 10.1.15.1 LAN

where 10.x.x.x is the private-range company LAN network, y.y.y.y is the public IP assigned to the ASA's outside interface and z.z.z.z is the public IP on the ISP router.

I have forwarded ports 500, 4500 and ESP on the ISP router to 10.1.17.2. The config of the 2911 is attached below. What I can't figure out is what peer IP address to configure on the ASA, because if I use z.z.z.z there is going to be an identity mismatch, as the 2911 will identify itself as 10.1.17.2...


!^^^^^^^ ISAKMP (Phase 1) ^^^^^^^!
crypto isakmp policy 5
  encr 3des
  hash md5
  authentication pre-share
  group 2
  lifetime 28800
crypto isakmp key ********** address y.y.y.y no-xauth

!^^^^^^^ IPSEC (Phase 2) ^^^^^^^!
ip access-list extended crymap
  permit ip 10.1.15.0 0.0.0.255 10.0.0.0 0.255.255.255
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map VPN-TUNNEL 1 ipsec-isakmp
  set peer y.y.y.y
  set transform-set ESP-3DES-SHA
  match address crymap

interface Gi0/2
  crypto map VPN-TUNNEL

Accepted Solution

Hi,

From the debug output it seems that it goes through all the IPsec states to the final QM_IDLE, but the tunnel doesn't come up.

What I noticed in your configuration of the ASA box is that you are using PFS, but not on the 2911 router.

So I would suggest:

no crypto map OUTSIDE_map 4 set pfs <-- this will disable PFS on the ASA side.

Then try to initiate the tunnel again.

Regards,

Jan

 

 


Jan Rolny
Level 3

Hello,

In case you have a router behind the ISP device, it is recommended to switch the ISP router to bridge mode. Then you can use a public IP address on your 2911.

Regarding port forwarding, you have it correct. You need UDP/500, UDP/4500 and to enable the ESP protocol.

UDP/4500 is especially important because your router is behind another one which is probably performing NAT.

Regarding the ASA side, you have to configure the peer IP to z.z.z.z because it is the public IP reachable from your ASA. You can't configure it with the inside IP of the 2911.

When you attempt to initiate the VPN, do you see anything in the log? Can you please post the whole config of the router and the output of sh crypto isakmp sa and sh crypto ipsec sa?

Regards,

Jan

Poonam Garg
Level 3

The configuration seems correct; where did you get stuck? Try to debug crypto isakmp and see up to which message ISAKMP is negotiating, as well as the output of sh crypto isakmp sa and sh crypto ipsec sa.

HTH

shine pothen
Level 3

Hello,

Try to give the z.z.z.z to your other device and see if the site-to-site comes up. If there is an issue, then try to use crypto dynamic.

More details and configuration are available at

http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/14131-ios-804.html

michalstaporek
Level 1

Thanks a lot guys. I have pasted the output from the CISCO2911 below, and here is the config from the ASA. I can see that the tunnel is trying to establish and something goes wrong, but I'm not sure what...

crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 28800

access-list OUTSIDE_4_cryptomap extended permit ip 10.0.0.0 255.0.0.0 object-group CISCO2911

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto map OUTSIDE_map 4 match address OUTSIDE_4_cryptomap
crypto map OUTSIDE_map 4 set pfs
crypto map OUTSIDE_map 4 set peer z.z.z.z
crypto map OUTSIDE_map 4 set transform-set ESP-3DES-SHA

tunnel-group z.z.z.z type ipsec-l2l
tunnel-group z.z.z.z ipsec-attributes
 pre-shared-key **********

You configured a static crypto map on the ASA, so the ASA tries to authenticate its peer 29xx by the identity 'z.z.z.z'; however, the identity of the 29xx is '10.1.17.2', so this will cause an authentication failure on the ASA.

There are two options to resolve this issue.

Option 1: dynamic crypto map on the ASA

crypto isakmp key ***** address 0.0.0.0 0.0.0.0

In this way, any peer with any address will be authenticated successfully as long as the pre-shared key is the same on both sides.

Option 2: use a hostname or FQDN rather than an IP address as the IKE authentication identity on both sides.

Tunnel came up after disabling pfs on the ASA's side. Thank you very much for all your help!

michalstaporek
Level 1

CISCO2911#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
y.y.y.y  10.1.17.2    MM_NO_STATE       1312 ACTIVE (deleted)
y.y.y.y  10.1.17.2    MM_NO_STATE       1311 ACTIVE (deleted)

IPv6 Crypto ISAKMP SA

CISCO2911#show crypto ipsec sa

interface: GigabitEthernet0/2
    Crypto map tag: VPN-TUNNEL, local addr 10.1.17.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.1.15.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
   current_peer y.y.y.y port 500
     PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1087, #recv errors 0

     local crypto endpt.: 10.1.17.2, remote crypto endpt.: y.y.y.y
     plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/2
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.1.18.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
   current_peer y.y.y.y port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.1.17.2, remote crypto endpt.: y.y.y.y
     plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/2
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.1.16.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
   current_peer y.y.y.y port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.1.17.2, remote crypto endpt.: y.y.y.y
     plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/2
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.1.17.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
   current_peer y.y.y.y port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 69, #recv errors 0

     local crypto endpt.: 10.1.17.2, remote crypto endpt.: y.y.y.y
     plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/2
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:


*May 11 15:33:07.851: ISAKMP:(1312):purging SA., sa=3C82B56C, delme=3C82B56C
*May 11 15:33:11.475: ISAKMP:(0): SA request profile is (NULL)
*May 11 15:33:11.475: ISAKMP: Created a peer struct for y.y.y.y, peer port 500
*May 11 15:33:11.475: ISAKMP: New peer created peer = 0x3E59A85C peer_handle = 0x8000013B
*May 11 15:33:11.475: ISAKMP: Locking peer struct 0x3E59A85C, refcount 1 for isakmp_initiator
*May 11 15:33:11.475: ISAKMP: local port 500, remote port 500
*May 11 15:33:11.475: ISAKMP: set new node 0 to QM_IDLE
*May 11 15:33:11.475: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 3964AFEC
*May 11 15:33:11.475: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*May 11 15:33:11.475: ISAKMP:(0):found peer pre-shared key matching y.y.y.y
*May 11 15:33:11.475: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*May 11 15:33:11.475: ISAKMP:(0): constructed NAT-T vendor-07 ID
*May 11 15:33:11.475: ISAKMP:(0): constructed NAT-T vendor-03 ID
*May 11 15:33:11.475: ISAKMP:(0): constructed NAT-T vendor-02 ID
*May 11 15:33:11.475: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*May 11 15:33:11.475: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1

*May 11 15:33:11.475: ISAKMP:(0): beginning Main Mode exchange
*May 11 15:33:11.475: ISAKMP:(0): sending packet to y.y.y.y my_port 500 peer_port 500 (I) MM_NO_STATE
*May 11 15:33:11.475: ISAKMP:(0):Sending an IKE IPv4 Packet.
*May 11 15:33:11.495: ISAKMP (0): received packet from y.y.y.y dport 500 sport 500 Global (I) MM_NO_STATE
*May 11 15:33:11.495: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*May 11 15:33:11.495: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2

*May 11 15:33:11.495: ISAKMP:(0): processing SA payload. message ID = 0
*May 11 15:33:11.495: ISAKMP:(0): processing vendor id payload
*May 11 15:33:11.495: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*May 11 15:33:11.495: ISAKMP:(0): vendor ID is NAT-T v2
*May 11 15:33:11.495: ISAKMP:(0): processing vendor id payload
*May 11 15:33:11.495: ISAKMP:(0): processing IKE frag vendor id payload
*May 11 15:33:11.495: ISAKMP:(0):Support for IKE Fragmentation not enabled
*May 11 15:33:11.495: ISAKMP:(0):found peer pre-shared key matching y.y.y.y
*May 11 15:33:11.495: ISAKMP:(0): local preshared key found
*May 11 15:33:11.495: ISAKMP : Scanning profiles for xauth ...
*May 11 15:33:11.495: ISAKMP:(0):Checking ISAKMP transform 1 against priority 5 policy
*May 11 15:33:11.495: ISAKMP:      encryption 3DES-CBC
*May 11 15:33:11.495: ISAKMP:      hash MD5
*May 11 15:33:11.495: ISAKMP:      default group 2
*May 11 15:33:11.495: ISAKMP:      auth pre-share
*May 11 15:33:11.495: ISAKMP:      life type in seconds
*May 11 15:33:11.495: ISAKMP:      life duration (basic) of 28800
*May 11 15:33:11.495: ISAKMP:(0):atts are acceptable. Next payload is 0
*May 11 15:33:11.495: ISAKMP:(0):Acceptable atts:actual life: 0
*May 11 15:33:11.495: ISAKMP:(0):Acceptable atts:life: 0
*May 11 15:33:11.495: ISAKMP:(0):Basic life_in_seconds:28800
*May 11 15:33:11.495: ISAKMP:(0):Returning Actual lifetime: 28800
*May 11 15:33:11.495: ISAKMP:(0)::Started lifetime timer: 28800.

*May 11 15:33:11.495: ISAKMP:(0): processing vendor id payload
*May 11 15:33:11.495: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*May 11 15:33:11.495: ISAKMP:(0): vendor ID is NAT-T v2
*May 11 15:33:11.495: ISAKMP:(0): processing vendor id payload
*May 11 15:33:11.495: ISAKMP:(0): processing IKE frag vendor id payload
*May 11 15:33:11.495: ISAKMP:(0):Support for IKE Fragmentation not enabled
*May 11 15:33:11.495: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*May 11 15:33:11.495: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2

*May 11 15:33:11.495: ISAKMP:(0): sending packet to y.y.y.y my_port 500 peer_port 500 (I) MM_SA_SETUP
*May 11 15:33:11.495: ISAKMP:(0):Sending an IKE IPv4 Packet.
*May 11 15:33:11.495: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*May 11 15:33:11.495: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3

*May 11 15:33:11.515: ISAKMP (0): received packet from y.y.y.y dport 500 sport 500 Global (I) MM_SA_SETUP
*May 11 15:33:11.515: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*May 11 15:33:11.515: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4

*May 11 15:33:11.515: ISAKMP:(0): processing KE payload. message ID = 0
*May 11 15:33:11.543: ISAKMP:(0): processing NONCE payload. message ID = 0
*May 11 15:33:11.543: ISAKMP:(0):found peer pre-shared key matching y.y.y.y
*May 11 15:33:11.543: ISAKMP:(1314): processing vendor id payload
*May 11 15:33:11.543: ISAKMP:(1314): vendor ID is Unity
*May 11 15:33:11.543: ISAKMP:(1314): processing vendor id payload
*May 11 15:33:11.543: ISAKMP:(1314): vendor ID seems Unity/DPD but major 119 mismatch
*May 11 15:33:11.543: ISAKMP:(1314): vendor ID is XAUTH
*May 11 15:33:11.543: ISAKMP:(1314): processing vendor id payload
*May 11 15:33:11.543: ISAKMP:(1314): speaking to another IOS box!
*May 11 15:33:11.543: ISAKMP:(1314): processing vendor id payload
*May 11 15:33:11.543: ISAKMP:(1314):vendor ID seems Unity/DPD but hash mismatch
*May 11 15:33:11.543: ISAKMP:received payload type 20
*May 11 15:33:11.543: ISAKMP (1314): NAT found, both nodes inside NAT
*May 11 15:33:11.543: ISAKMP:received payload type 20
*May 11 15:33:11.543: ISAKMP (1314): My hash no match -  this node inside NAT
*May 11 15:33:11.543: ISAKMP:(1314):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*May 11 15:33:11.543: ISAKMP:(1314):Old State = IKE_I_MM4  New State = IKE_I_MM4

*May 11 15:33:11.543: ISAKMP:(1314):Send initial contact
*May 11 15:33:11.543: ISAKMP:(1314):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*May 11 15:33:11.543: ISAKMP (1314): ID payload
    next-payload : 8
    type         : 1
    address      : 10.1.17.2
    protocol     : 17
    port         : 0
    length       : 12
*May 11 15:33:11.543: ISAKMP:(1314):Total payload length: 12
*May 11 15:33:11.543: ISAKMP:(1314): sending packet to y.y.y.y my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
*May 11 15:33:11.543: ISAKMP:(1314):Sending an IKE IPv4 Packet.
*May 11 15:33:11.543: ISAKMP:(1314):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*May 11 15:33:11.543: ISAKMP:(1314):Old State = IKE_I_MM4  New State = IKE_I_MM5

*May 11 15:33:11.563: ISAKMP (1314): received packet from y.y.y.y dport 4500 sport 4500 Global (I) MM_KEY_EXCH
*May 11 15:33:11.563: ISAKMP:(1314): processing ID payload. message ID = 0
*May 11 15:33:11.563: ISAKMP (1314): ID payload
    next-payload : 8
    type         : 1
    address      : y.y.y.y
    protocol     : 17
    port         : 0
    length       : 12
*May 11 15:33:11.563: ISAKMP:(0):: peer matches *none* of the profiles
*May 11 15:33:11.563: ISAKMP:(1314): processing HASH payload. message ID = 0
*May 11 15:33:11.563: ISAKMP:received payload type 17
*May 11 15:33:11.563: ISAKMP:(1314): processing vendor id payload
*May 11 15:33:11.563: ISAKMP:(1314): vendor ID is DPD
*May 11 15:33:11.563: ISAKMP:(1314):SA authentication status:
    authenticated
*May 11 15:33:11.563: ISAKMP:(1314):SA has been authenticated with y.y.y.y
*May 11 15:33:11.563: ISAKMP:(1314):Setting UDP ENC peer struct 0x3E56F91C sa= 0x3964AFEC
*May 11 15:33:11.563: ISAKMP: Trying to insert a peer 10.1.17.2/y.y.y.y/4500/,  and inserted successfully 3E59A85C.
*May 11 15:33:11.563: ISAKMP:(1314):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*May 11 15:33:11.563: ISAKMP:(1314):Old State = IKE_I_MM5  New State = IKE_I_MM6

*May 11 15:33:11.563: ISAKMP:(1314):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*May 11 15:33:11.563: ISAKMP:(1314):Old State = IKE_I_MM6  New State = IKE_I_MM6

*May 11 15:33:11.563: ISAKMP:(1314):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*May 11 15:33:11.563: ISAKMP:(1314):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE

*May 11 15:33:11.563: ISAKMP:(1314):beginning Quick Mode exchange, M-ID of 2994765981
*May 11 15:33:11.567: ISAKMP:(1314):QM Initiator gets spi
*May 11 15:33:11.567: ISAKMP:(1314): sending packet to y.y.y.y my_port 4500 peer_port 4500 (I) QM_IDLE
*May 11 15:33:11.567: ISAKMP:(1314):Sending an IKE IPv4 Packet.
*May 11 15:33:11.567: ISAKMP:(1314):Node 2994765981, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*May 11 15:33:11.567: ISAKMP:(1314):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
*May 11 15:33:11.567: ISAKMP:(1314):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*May 11 15:33:11.567: ISAKMP:(1314):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

*May 11 15:33:11.587: ISAKMP (1314): received packet from y.y.y.y dport 4500 sport 4500 Global (I) QM_IDLE
*May 11 15:33:11.587: ISAKMP: set new node -1088799076 to QM_IDLE
*May 11 15:33:11.587: ISAKMP:(1314): processing HASH payload. message ID = 3206168220
*May 11 15:33:11.587: ISAKMP:(1314): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
    spi 0, message ID = 3206168220, sa = 0x3964AFEC
*May 11 15:33:11.587: ISAKMP:(1314):deleting node -1088799076 error FALSE reason "Informational (in) state 1"
*May 11 15:33:11.587: ISAKMP:(1314):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*May 11 15:33:11.591: ISAKMP:(1314):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

*May 11 15:33:11.591: ISAKMP (1314): received packet from y.y.y.y dport 4500 sport 4500 Global (I) QM_IDLE
*May 11 15:33:11.591: ISAKMP: set new node 773118024 to QM_IDLE
*May 11 15:33:11.591: ISAKMP:(1314): processing HASH payload. message ID = 773118024
*May 11 15:33:11.591: ISAKMP:(1314): processing DELETE payload. message ID = 773118024
*May 11 15:33:11.591: ISAKMP:(1314):peer does not do paranoid keepalives.

*May 11 15:33:11.591: ISAKMP:(1314):deleting SA reason "No reason" state (I) QM_IDLE       (peer y.y.y.y)
*May 11 15:33:11.591: ISAKMP:(1314):deleting node 773118024 error FALSE reason "Informational (in) state 1"
*May 11 15:33:11.591: ISAKMP: set new node -299281679 to QM_IDLE
*May 11 15:33:11.591: ISAKMP:(1314): sending packet to y.y.y.y my_port 4500 peer_port 4500 (I) QM_IDLE
*May 11 15:33:11.591: ISAKMP:(1314):Sending an IKE IPv4 Packet.
*May 11 15:33:11.591: ISAKMP:(1314):purging node -299281679
*May 11 15:33:11.591: ISAKMP:(1314):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*May 11 15:33:11.591: ISAKMP:(1314):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA

*May 11 15:33:11.591: ISAKMP:(1314):deleting SA reason "No reason" state (I) QM_IDLE       (peer y.y.y.y)
*May 11 15:33:11.591: ISAKMP: Unlocking peer struct 0x3E59A85C for isadb_mark_sa_deleted(), count 0
*May 11 15:33:11.591: ISAKMP: Deleting peer node by peer_reap for y.y.y.y: 3E59A85C
*May 11 15:33:11.591: ISAKMP:(1314):deleting node -1300201315 error FALSE reason "IKE deleted"
*May 11 15:33:11.591: ISAKMP:(1314):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*May 11 15:33:11.591: ISAKMP:(1314):Old State = IKE_DEST_SA  New State = IKE_DEST_SA

*May 11 15:33:31.591: ISAKMP:(1313):purging node 1097808315
*May 11 15:33:31.595: ISAKMP:(1313):purging node 1286467093
*May 11 15:33:31.595: ISAKMP:(1313):purging node 1763054281
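As an added example (not code from the thread or from either poster), a small triage script for the 2911's debug crypto isakmp output: it reports whether Main Mode authenticated, whether the exchange moved to UDP/4500 (NAT-T), which identity the router sent, and whether the peer rejected the Quick Mode proposal, which is where a PFS or transform-set mismatch surfaces as PROPOSAL_NOT_CHOSEN even though Phase 1 succeeded. The sample lines are a constructed subset of the log posted above.

```python
"""Triage an IOS 'debug crypto isakmp' capture for an IKEv1 L2L tunnel.

Added example, not code from the thread. It tracks Main Mode and Quick Mode so a
Phase 2 rejection (PROPOSAL_NOT_CHOSEN after IKE_P1_COMPLETE) is not chased as a
pre-shared-key or identity problem."""
import re

# Constructed sample: a condensed subset of the 2911 debug lines posted in the thread.
SAMPLE_DEBUG = """\
*May 11 15:33:11.475: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*May 11 15:33:11.475: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
*May 11 15:33:11.543: ISAKMP (1314): NAT found, both nodes inside NAT
*May 11 15:33:11.543: ISAKMP:(1314):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*May 11 15:33:11.543: ISAKMP (1314): ID payload
    address      : 10.1.17.2
*May 11 15:33:11.543: ISAKMP:(1314): sending packet to y.y.y.y my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
*May 11 15:33:11.563: ISAKMP:(1314):SA has been authenticated with y.y.y.y
*May 11 15:33:11.563: ISAKMP:(1314):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
*May 11 15:33:11.563: ISAKMP:(1314):beginning Quick Mode exchange, M-ID of 2994765981
*May 11 15:33:11.587: ISAKMP:(1314): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
*May 11 15:33:11.591: ISAKMP:(1314): processing DELETE payload. message ID = 773118024
*May 11 15:33:11.591: ISAKMP:(1314):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA
"""

# IPsec DOI protocol IDs as carried in an IKEv1 NOTIFY payload (RFC 2407).
PROTO_NAMES = {1: "ISAKMP", 2: "AH", 3: "ESP", 4: "IPCOMP"}

STATE_RE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
NOTIFY_RE = re.compile(r"processing NOTIFY (\w+) protocol (\d+)")
ID_ADDR_RE = re.compile(r"^\s+address\s+:\s+(\S+)")
PORT_RE = re.compile(r"my_port (\d+) peer_port (\d+)")


def triage(debug_text):
    """Return how far the IKEv1 negotiation got and which layer to look at."""
    r = {"phase1_complete": False, "nat_detected": False, "nat_t": False,
         "local_identity": None, "phase2_notify": None, "verdict": None}
    in_quick_mode = False
    for line in debug_text.splitlines():
        if "NAT found" in line or "this node inside NAT" in line:
            r["nat_detected"] = True
        m = ID_ADDR_RE.match(line)
        if m and r["local_identity"] is None:      # first ID payload is the one we send
            r["local_identity"] = m.group(1)
        m = PORT_RE.search(line)
        if m and m.group(1) == "4500":             # exchange moved to UDP/4500 (NAT-T)
            r["nat_t"] = True
        m = STATE_RE.search(line)
        if m and m.group(2) == "IKE_P1_COMPLETE":
            r["phase1_complete"] = True
        if "beginning Quick Mode exchange" in line:
            in_quick_mode = True
        m = NOTIFY_RE.search(line)
        if m and in_quick_mode:                    # NOTIFY received during Phase 2
            r["phase2_notify"] = (m.group(1), PROTO_NAMES.get(int(m.group(2)), m.group(2)))
    if not r["phase1_complete"]:
        r["verdict"] = ("Phase 1 failed: check ISAKMP policy, pre-shared key and peer "
                        "identity (this side identified as %s)" % r["local_identity"])
    elif r["phase2_notify"] and r["phase2_notify"][0] == "PROPOSAL_NOT_CHOSEN":
        r["verdict"] = ("Phase 2 rejected by peer for %s: compare transform-set, PFS "
                        "and the proxy ACLs on both ends" % r["phase2_notify"][1])
    else:
        r["verdict"] = "Phase 1 complete and no Phase 2 rejection seen"
    return r
```

Run against the full capture, the verdict points at Phase 2 (transform-set, PFS, proxy ACL) rather than at the identity mismatch the original question worried about.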

Removing the PFS has worked, thank you very much for pointing it out!

Answer marked as correct and rated.
