Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Site-to-Site VPN - No Proposal Chosen

We had a working IPSec connection with another location.  On our end, we replaced an old Pix 515 with a new ASA 5520 and since then, the tunnel will not come up with the following in the log:

IP = x.x.75.65, Information Exchange processing failed

IP = x.x.75.65, Received an un-encrypted NO_PROPOSAL_CHOSEN notify message, dropping

IP = x.x.75.65, IKE_DECODE RECEIVED Message (msgid=9e681315) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 102

IP = x.x.75.65, IKE_DECODE RECEIVED Message (msgid=9e681315) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 102

IP = x.x.75.65, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108

IP = x.x.75.65, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.

I have poured over the old Pix config vs. the new ASA config but cannot find the mis-config.  Can anyone see what I'm missing??

Old Pix 515 (tunnel working)

PIX Version 6.3(3)

interface ethernet0 auto

interface ethernet1 auto

nameif ethernet0 outside security0

nameif ethernet1 inside security100

names

name 192.168.200.0 IGOC_LAN

name 172.16.24.0 FLO_LAN

access-list outside_access_in permit icmp any any echo-reply

access-list outside_access_in permit icmp any any unreachable

access-list outside_access_in permit icmp any any time-exceeded

access-list inside_outbound_nat0_acl permit ip IGOC_LAN 255.255.255.0 192.168.201.0 255.255.255.0

access-list inside_outbound_nat0_acl permit ip IGOC_LAN 255.255.252.0 FLO_LAN 255.255.252.0

access-list outside_cryptomap_dyn_20 permit ip any 192.168.201.0 255.255.255.0

access-list igoc_splitTunnelAcl permit ip IGOC_LAN 255.255.252.0 any

access-list outside_cryptomap_40 permit ip IGOC_LAN 255.255.252.0 FLO_LAN 255.255.252.0

pager lines 24

logging on

logging standby

icmp permit FLO_LAN 255.255.252.0 inside

mtu outside 1500

mtu inside 1500

ip address outside x.x.246.132 255.255.255.0

ip address inside 192.168.200.1 255.255.252.0

ip audit info action alarm

ip audit attack action alarm

ip local pool vpn 192.168.202.200-192.168.202.250

pdm location IGOC_LAN 255.255.255.255 inside

pdm location 0.0.0.0 255.255.255.0 inside

pdm location IGOC_LAN 255.255.255.0 inside

pdm location FLO_LAN 255.255.252.0 outside

pdm logging warnings 100

pdm history enable

arp timeout 14400

global (outside) 10 interface

nat (inside) 0 access-list inside_outbound_nat0_acl

nat (inside) 10 0.0.0.0 0.0.0.0 0 0

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 x.x.246.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection tcpmss 1250

sysopt connection permit-ipsec

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5

crypto map outside_map 40 ipsec-isakmp

crypto map outside_map 40 match address outside_cryptomap_40

crypto map outside_map 40 set peer x.x.75.65

crypto map outside_map 40 set transform-set ESP-3DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map client authentication LOCAL

crypto map outside_map interface outside

isakmp enable outside

isakmp key ******** address x.x.75.65 netmask 255.255.255.255 no-xauth no-config-mode

isakmp policy 40 authentication pre-share

isakmp policy 40 encryption 3des

isakmp policy 40 hash sha

isakmp policy 40 group 2

isakmp policy 40 lifetime 86400

vpngroup igoc address-pool vpn

vpngroup igoc dns-server 8.8.8.8 8.8.4.4

vpngroup igoc default-domain igoc.com

vpngroup igoc split-tunnel igoc_splitTunnelAcl

vpngroup igoc idle-time 1800

vpngroup igoc password ********

: end

[OK]

New ASA 5520 config (Tunnel will not come up):

ASA Version 8.2(5)

!

names

!

interface GigabitEthernet0/0

nameif Outside

security-level 0

ip address x.x.246.132 255.255.255.0 standby x.x.246.134

!

interface GigabitEthernet0/1

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/1.2

vlan 2

nameif Inside

security-level 100

ip address 192.168.2.1 255.255.255.0 standby 192.168.2.10

!

interface GigabitEthernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/3

description LAN/STATE Failover Interface

!

same-security-traffic permit inter-interface

access-list Outside_cryptomap extended permit ip 192.168.200.0 255.255.252.0 172.16.24.0 255.255.252.0

access-list Outside_access_in extended permit icmp any any

access-list Inside_nat0_outbound extended permit ip 192.168.200.0 255.255.252.0 172.16.24.0 255.255.252.0

access-list Outside_1_cryptomap extended permit ip 192.168.200.0 255.255.252.0 172.16.24.0 255.255.252.0

pager lines 24

logging enable

logging asdm debugging

mtu Outside 1500

mtu Inside 1500

mtu management 1500

ip local pool RemoteAccessPool 192.168.203.100-192.168.203.199 mask 255.255.252.0

failover

failover lan unit primary

failover lan interface Failover GigabitEthernet0/3

failover polltime interface 10 holdtime 50

failover key *****

failover link Failover GigabitEthernet0/3

failover interface ip Failover 10.0.0.1 255.255.255.0 standby 10.0.0.2

monitor-interface Inside

no monitor-interface management

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

nat-control

global (Outside) 1 interface

nat (Inside) 0 access-list Inside_nat0_outbound

nat (Inside) 1 0.0.0.0 0.0.0.0

access-group Outside_access_in in interface Outside

route Outside 0.0.0.0 0.0.0.0 x.x.246.1 1

route Inside 192.168.1.0 255.255.255.0 192.168.2.3 1

route Inside 192.168.100.0 255.255.252.0 192.168.2.3 1

route Inside 192.168.200.0 255.255.252.0 192.168.2.3 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.0.0 255.255.0.0 management

http 192.168.0.0 255.255.0.0 Inside

no snmp-server location

no snmp-server contact

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto map Outside_map 1 match address Outside_1_cryptomap

crypto map Outside_map 1 set peer x.x.75.65

crypto map Outside_map 1 set transform-set ESP-3DES-MD5

crypto map Outside_map interface Outside

crypto isakmp identity address

crypto isakmp enable Outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

no crypto isakmp nat-traversal

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

enable Outside

svc enable

group-policy DfltGrpPolicy attributes

vpn-tunnel-protocol IPSec l2tp-ipsec

group-policy RemoteAccess internal

group-policy RemoteAccess attributes

vpn-tunnel-protocol svc

tunnel-group RemoteAccess type remote-access

tunnel-group RemoteAccess general-attributes

address-pool RemoteAccessPool

default-group-policy RemoteAccess

tunnel-group RemoteAccess webvpn-attributes

group-alias ifagoc enable

group-url https://x.x.246.132/ifagoc enable

tunnel-group x.x.75.65 type ipsec-l2l

tunnel-group x.x.75.65 ipsec-attributes

pre-shared-key *****

peer-id-validate nocheck

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect ip-options

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

: end

4 REPLIES
Super Bronze

Re: Site-to-Site VPN - No Proposal Chosen

Hi,

Not really sure what the messages mean exactly.

Configurations seems to match.

Though the message would let you believe that it fails straight at Phase1.

Have you used

debug crypto isakmp

and

debug crypto ipsec

And seen what they give when trying to bring up the L2L VPN?

What does show crypto isakmp sa show when you are trying to bring up the connection?

- Jouni

New Member

Site-to-Site VPN - No Proposal Chosen

debug crypto isakmp returns:

Apr 18 18:03:00 [IKEv1]: IP = x.x.75.65, Information Exchange processing failed

So yes, this seems to be phase one where the issue is.  But it looks like all the phase one parameters match?

show crypto isakmp sa returns:

   Active SA: 1

    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)

Total IKE SA: 1

1   IKE Peer: x.x.75.65

    Type    : user            Role    : initiator

    Rekey   : no              State   : MM_WAIT_MSG2

Super Bronze

Site-to-Site VPN - No Proposal Chosen

Hi,

Yeah they do seem to match.

One source states this for the state MM_WAIT_MSG2

MM_WAIT_MSG2

Initial DH public key sent to responder. Awaiting initial contact reply from other side.

If stuck here it usually means the other end is not responding. This  could be due to no route to the far end or the far end does not have  ISAKMP enabled on the outside or the far end is down.

- Jouni

Super Bronze

Site-to-Site VPN - No Proposal Chosen

Also,

Reasons for Phase1 failing

Verify  ISAKMP parameters match exactly.

  • Verify  ISAKMP parameters match exactly.
  • Verify pre-shared-keys match  exactly.
  • Check that each side has a route to the peer address  that you are trying to form a tunnel with.
  • Verify ISAKMP is  enabled on the outside interfaces.

- Jouni

34982
Views
0
Helpful
4
Replies
CreatePlease login to create content