Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

Site to Site ASA Problems - Wrong group used?

Hi,

I am having problems with this tunnel. It is configured on a second wan interface that uses SLA monitoring. The idea is that when there is a problem with the primary ISP, the backup connection is enabled and establishes the tunnel. In testing, the sla portion works normally, the backup becomes the primary route, but the tunnel is not established. All config was done using ASDM. Here is the log I got on the local side with public ip of the backup isp connection stripped:

2011-11-04 00:05:37    Local4.Debug    192.168.50.30    Nov 04 2011 00:05:38: %ASA-7-713236: IP = 1.1.1.1, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 368

2011-11-04 00:05:37    Local4.Debug    192.168.50.30    Nov 04 2011 00:05:38: %ASA-7-715047: IP = 1.1.1.1, processing SA payload

2011-11-04 00:05:37    Local4.Debug    192.168.50.30    Nov 04 2011 00:05:38: %ASA-7-715047: IP = 1.1.1.1, processing ke payload

2011-11-04 00:05:37    Local4.Debug    192.168.50.30    Nov 04 2011 00:05:38: %ASA-7-715047: IP = 1.1.1.1, processing ISA_KE payload

2011-11-04 00:05:37    Local4.Debug    192.168.50.30    Nov 04 2011 00:05:38: %ASA-7-715047: IP = 1.1.1.1, processing nonce payload

2011-11-04 00:05:37    Local4.Debug    192.168.50.30    Nov 04 2011 00:05:38: %ASA-7-715047: IP = 1.1.1.1, processing ID payload

2011-11-04 00:05:37    Local4.Debug    192.168.50.30    Nov 04 2011 00:05:38: %ASA-7-714011: IP = 1.1.1.1, ID_IPV4_ADDR ID received

1.1.1.1

2011-11-04 00:05:37    Local4.Debug    192.168.50.30    Nov 04 2011 00:05:38: %ASA-7-715047: IP = 1.1.1.1, processing VID payload

2011-11-04 00:05:37    Local4.Debug    192.168.50.30    Nov 04 2011 00:05:38: %ASA-7-715049: IP = 1.1.1.1, Received Cisco Unity client VID

2011-11-04 00:05:37    Local4.Debug    192.168.50.30    Nov 04 2011 00:05:38: %ASA-7-715047: IP = 1.1.1.1, processing VID payload

2011-11-04 00:05:37    Local4.Debug    192.168.50.30    Nov 04 2011 00:05:38: %ASA-7-715049: IP = 1.1.1.1, Received xauth V6 VID

2011-11-04 00:05:37    Local4.Debug    192.168.50.30    Nov 04 2011 00:05:38: %ASA-7-715047: IP = 1.1.1.1, processing VID payload

2011-11-04 00:05:37    Local4.Debug    192.168.50.30    Nov 04 2011 00:05:38: %ASA-7-715049: IP = 1.1.1.1, Received NAT-Traversal ver 02 VID

2011-11-04 00:05:37    Local4.Debug    192.168.50.30    Nov 04 2011 00:05:38: %ASA-7-715047: IP = 1.1.1.1, processing VID payload

2011-11-04 00:05:37    Local4.Debug    192.168.50.30    Nov 04 2011 00:05:38: %ASA-7-715049: IP = 1.1.1.1, Received NAT-Traversal ver 03 VID

2011-11-04 00:05:37    Local4.Debug    192.168.50.30    Nov 04 2011 00:05:38: %ASA-7-715047: IP = 1.1.1.1, processing VID payload

2011-11-04 00:05:37    Local4.Debug    192.168.50.30    Nov 04 2011 00:05:38: %ASA-7-715049: IP = 1.1.1.1, Received NAT-Traversal RFC VID

2011-11-04 00:05:37    Local4.Debug    192.168.50.30    Nov 04 2011 00:05:38: %ASA-7-715047: IP = 1.1.1.1, processing VID payload

2011-11-04 00:05:37    Local4.Debug    192.168.50.30    Nov 04 2011 00:05:38: %ASA-7-715049: IP = 1.1.1.1, Received Fragmentation VID

2011-11-04 00:05:37    Local4.Debug    192.168.50.30    Nov 04 2011 00:05:38: %ASA-7-715064: IP = 1.1.1.1, IKE Peer included IKE fragmentation capability flags:  Main Mode:        True  Aggressive Mode:  True

2011-11-04 00:05:37    Local4.Warning    192.168.50.30    Nov 04 2011 00:05:38: %ASA-4-713255: IP = 1.1.1.1, Received ISAKMP Aggressive Mode message 1 with unknown tunnel group name '1.1.1.1'.

2011-11-04 00:05:37    Local4.Debug    192.168.50.30    Nov 04 2011 00:05:38: %ASA-7-715047: Group = DefaultRAGroup, IP = 1.1.1.1, processing IKE SA payload

2011-11-04 00:05:37    Local4.Debug    192.168.50.30    Nov 04 2011 00:05:38: %ASA-7-713236: IP = 1.1.1.1, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 96

2011-11-04 00:05:37    Local4.Debug    192.168.50.30    Nov 04 2011 00:05:38: %ASA-7-713906: Group = DefaultRAGroup, IP = 1.1.1.1, All SA proposals found unacceptable

2011-11-04 00:05:37    Local4.Debug    192.168.50.30    Nov 04 2011 00:05:38: %ASA-7-713906: IP = 1.1.1.1, All IKE SA proposals found unacceptable!

2011-11-04 00:05:37    Local4.Debug    192.168.50.30    Nov 04 2011 00:05:38: %ASA-7-715065: Group = DefaultRAGroup, IP = 1.1.1.1, IKE AM Responder FSM error history (struct &0xd937a248)  <state>, <event>:  AM_DONE, EV_ERROR-->AM_BLD_MSG2, EV_PROCESS_SA-->AM_BLD_MSG2, EV_GROUP_LOOKUP-->AM_BLD_MSG2, EV_PROCESS_MSG-->AM_BLD_MSG2, EV_CREATE_TMR-->AM_START, EV_RCV_MSG-->AM_START, EV_START_AM-->AM_START, EV_START_AM

2011-11-04 00:05:37    Local4.Debug    192.168.50.30    Nov 04 2011 00:05:38: %ASA-7-713906: Group = DefaultRAGroup, IP = 1.1.1.1, IKE SA AM:97ffd215 terminating:  flags 0x0100c001, refcnt 0, tuncnt 0

2011-11-04 00:05:37    Local4.Debug    192.168.50.30    Nov 04 2011 00:05:38: %ASA-7-713906: Group = DefaultRAGroup, IP = 1.1.1.1, sending delete/delete with reason message

2011-11-04 00:05:37    Local4.Error    192.168.50.30    Nov 04 2011 00:05:38: %ASA-3-713902: Group = DefaultRAGroup, IP = 1.1.1.1, Removing peer from peer table failed, no match!

2011-11-04 00:05:37    Local4.Warning    192.168.50.30    Nov 04 2011 00:05:38: %ASA-4-713903: Group = DefaultRAGroup, IP = 1.1.1.1, Error: Unable to remove PeerTblEntry

Everyone's tags (1)
7 REPLIES
Hall of Fame Super Gold

Site to Site ASA Problems - Wrong group used?

Looking at the debug output I wonder about this message

%ASA-4-713255: IP = 1.1.1.1, Received ISAKMP Aggressive Mode message 1 with unknown tunnel group name '1.1.1.1'.

and it leads me to wonder what tunnel group(s) you do have configured?

Do you have a crypto map entry for this peer? Perhaps it would be helpful if you would post the config (or at least the crypto part of the config).

HTH

Rick

Site to Site ASA Problems - Wrong group used?

Hi,

Looks like its failing the group and when its trying to match the default group its failing the isakmp polices(group,encryption,authentication) etc..

You probably dont have the following in your config.

tunnel-group 1.1.1.1  type ipsec-l2l

tunnel-group 1.1.1.1 ipsec-attributes

As rick suggested if you can post your config sans IP that would great.

HTH

Kishore

Community Member

Site to Site ASA Problems - Wrong group used?

Below is some of the configuration from the local side, configured by ASDM. Could the fact the the remote ASA has two tunnels configured for the same local IP address be causing the problem? The normal (working) tunnel is Main Mode PSK, using the remote IP address as the tunnel-group name.

crypto map VPNMAP 12 match address outside_12_cryptomap

crypto map VPNMAP 12 set pfs

crypto map VPNMAP 12 set peer 1.1.1.1

crypto map VPNMAP 12 set transform-set ESP-3DES-SHA

crypto map VPNMAP 12 set security-association lifetime seconds 28800

crypto map VPNMAP 12 set security-association lifetime kilobytes 4608000

crypto map VPNMAP 12 set phase1-mode aggressive

tunnel-group GL-Backup type ipsec-l2l

tunnel-group GL-Backup ipsec-attributes

pre-shared-key *

Hall of Fame Super Gold

Site to Site ASA Problems - Wrong group used?

Dustin

Am I understanding correctly that this ASA has a single crypto map, and a single entry for the remote peer, and is using the same crypto map on 2 interfaces. And am I correct in understanding that the remote ASA has a single crypto map and that map has 2 instances (2 sequence numbers) one for each of the interfaces on this ASA?

If those understandings are correct then I believe that this is the underlying problem. I do not believe that it is possible to have 2 working tunnels which have the same source device and the same destination device.

HTH

Rick

Community Member

Site to Site ASA Problems - Wrong group used?

I am actually trying to use seperate crypto maps and  tunnel groups on both devices. The log I posted above is from the 5510  showing the attempts of the 5505 connecting via the backup ISP after  failing over.

Going into this I thought it would be relatively simple, seeing as the security plus license on the ASA allows a backup ISP. Basic outline below, the fake IP addresses match with the ones in the log. Is there a better way to do this?

asa_tunnel.png

Hall of Fame Super Gold

Site to Site ASA Problems - Wrong group used?

Dustin

How are you using separate cyrpto maps on the 5510? You show only one interface to the Internet and I believe that an interface can have only a single crypto map.

Perhaps someone from Cisco who is more authoritative than me can speak to this. But I do not believe that it is supported to have 2 separate tunnels from the same single source device to the same single destination device.

HTH

Rick

Community Member

Re: Site to Site ASA Problems - Wrong group used?

I found this article that seems to address what I'm looking for:

https://supportforums.cisco.com/community/netpro/security/vpn/blog/2011/04/25/ipsec-vpn-redundancy-failover-over-redundant-isp-links

I haven't gotten it working yet, I'm guessing there is some other config in the local asa that is causing problems.

*Edit*

I was able to get it up and running using the link above. I removed and then re-added the config and all was well, I probably just mis-typed something. I can't mark the question answered so if anyone wants to reply with the link above...

2677
Views
8
Helpful
7
Replies
CreatePlease to create content