
site-to-site between 2 ASA 5505s: "received non-routine Notify message: No proposal chosen"

Hello everyone,

Trying to set up a site-to-site VPN tunnel for a new building.

At our central site we have KSIASA01, which has been running as a remote access VPN server with a static IP address, no NAT.

At our new site we have KSIASA03, brand new ASA, outside address is DHCP, no NAT.

Attempts to build a tunnel are failing with "received non-routine Notify message: No proposal chosen." ISAKMP policies look like they match, but I'm thinking there's something involving the remote access VPN setup on KSIASA01 that is confusing things. Not sure what, though.

I have attached sanitized configs for both ASAs. Also, a debug from KSIASA03 taken as I tried to send traffic from that site to the central site. Thanks in advance for your help!


Hi,

I tried to go through your config and it seems that the hosts or lists of addresses are not the same in the crypto map.

On ksiasa01 you are using outside_cryptomap_20.100, and for this you are using the following rule:

access-list outside_cryptomap_20.100 extended permit ip object-group Plant1-Plant2-MOS Plant3 255.255.240.0

Please notice that in Plant1-Plant2-MOS you have many more networks (about 8 subnets) included than on ksiasa03 (just 3 subnets).

Also for ksiasa03 you have two access lists for outside_1_cryptomap. One permits ip and second permits icmp.

So probably this does not match on both sides and IPSEC will not form.

Regards,

Jan

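To make the mirror check Jan describes repeatable, here is a small added script (not from this thread or either poster) that parses ASA-style crypto ACL entries from both peers and reports any entry whose mirror image (source and destination swapped) is missing on the other side. It assumes object-groups have already been expanded into plain network/mask pairs, and the sample ACLs are constructed, not the attached configs.

```python
import ipaddress
import re

# Constructed sample crypto ACLs (not the poster's attached configs). Masks are ASA-style
# dotted netmasks; object-groups are assumed to be expanded into network/mask pairs.
KSIASA01_ACL = """
access-list outside_cryptomap_20.100 extended permit ip 10.1.0.0 255.255.255.0 10.3.0.0 255.255.240.0
access-list outside_cryptomap_20.100 extended permit ip 10.2.0.0 255.255.255.0 10.3.0.0 255.255.240.0
access-list outside_cryptomap_20.100 extended permit ip 10.9.0.0 255.255.255.0 10.3.0.0 255.255.240.0
"""
KSIASA03_ACL = """
access-list outside_1_cryptomap extended permit ip 10.3.0.0 255.255.240.0 10.1.0.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.3.0.0 255.255.240.0 10.2.0.0 255.255.255.0
access-list outside_1_cryptomap extended permit icmp 10.3.0.0 255.255.240.0 10.1.0.0 255.255.255.0
"""

# access-list <name> extended permit <proto> <src> <smask> <dst> <dmask>
ACE_RE = re.compile(
    r"^access-list\s+\S+\s+extended\s+permit\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$"
)


def parse_crypto_acl(text):
    """Return a set of (protocol, local_net, remote_net) for every parseable ACE."""
    entries = set()
    for line in text.strip().splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue  # skip remarks, object-group lines, or anything unexpanded
        proto, src, smask, dst, dmask = m.groups()
        local = ipaddress.ip_network(f"{src}/{smask}", strict=False)
        remote = ipaddress.ip_network(f"{dst}/{dmask}", strict=False)
        entries.add((proto, local, remote))
    return entries


def compare_crypto_acls(local_text, peer_text):
    """Mirror check: each (proto, A, B) on one side needs (proto, B, A) on the peer.

    Returns (missing_on_peer, missing_locally) as sorted lists of readable strings;
    both lists empty means the proxy IDs agree and phase 2 should not be rejected
    on that account.
    """
    local = parse_crypto_acl(local_text)
    peer = parse_crypto_acl(peer_text)
    mirrored_peer = {(p, r, l) for (p, l, r) in peer}  # view the peer ACL from our side
    missing_on_peer = sorted(f"{p} {l} -> {r}" for (p, l, r) in local - mirrored_peer)
    missing_locally = sorted(f"{p} {l} -> {r}" for (p, l, r) in mirrored_peer - local)
    return missing_on_peer, missing_locally
```

Run against the constructed samples it flags the extra subnet on the central ASA and the stray icmp entry on the branch ASA, which are exactly the two mismatches Jan points to.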

Hi Jan,

Thanks for the tip. I changed the network group Plant1-Plant2-MOS on ksiasa01 to match the one on ksiasa03. Also, I removed the ACL for icmp on outside_1_cryptomap. Still no luck, unfortunately.
