Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2849
Views
0
Helpful
1
Replies

Site-to-Site VPN: PIX - SA540 Phase2 handle not found

christoph.schulte
Level 1
Level 1

‎08-26-2013 05:10 AM

Hello everybody,

We currently want to build a Site-to-Site VPN between a PIX and a Small-Business SA540, but the

Phase 2 negotiation fails with "No Phase2 handle found":

Mon Aug 26 09:24:37 2013 (GMT +0100): [Cisco] [IKE] INFO:  accept a request to establish IKE-SA: XXX.XXX.XXX.XX1

Mon Aug 26 09:24:37 2013 (GMT +0100): [Cisco] [IKE] INFO:  Configuration found for XXX.XXX.XXX.XX1.

Mon Aug 26 09:24:37 2013 (GMT +0100): [Cisco] [IKE] INFO:  Configuration found for XXX.XXX.XXX.XX1.

Mon Aug 26 09:24:37 2013 (GMT +0100): [Cisco] [IKE] INFO:  Initiating new phase 2 negotiation: XXX.XXX.XXX.XX2[500]<=>XXX.XXX.XXX.XX1[0]

Mon Aug 26 09:24:37 2013 (GMT +0100): [Cisco] [IKE] ERROR:  Unknown notify message from XXX.XXX.XXX.XX1[500].No phase2 handle found.

Mon Aug 26 09:24:47 2013 (GMT +0100): [Cisco] [IKE] ERROR:  packet shorter than isakmp header size.

Mon Aug 26 09:24:47 2013 (GMT +0100): [Cisco] [IKE] ERROR:  packet shorter than isakmp header size.

Config PIX:

crypto map OUTSIDE_MAP 60 ipsec-isakmp

crypto map OUTSIDE_MAP 60 match address TSM2ABC

crypto map OUTSIDE_MAP 60 set peer XXXXXXXXX

crypto map OUTSIDE_MAP 60 set transform-set ESP-3DES-SHA

crypto map OUTSIDE_MAP 60 set security-association lifetime seconds 7200 kilobytes 4608000

!

isakmp identity address

isakmp nat-traversal 20

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 hash sha

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

!

If have also checked the Pre-Shared Key...

The settings on the SA540 can be found in the attachments.

I have the latest firmware:

Primary Firmware Version:2.2.0.7


Has anybody tried a VPN between a PIX and SA540?

Labels:
Preview file
8 KB
Preview file
8 KB
0 Helpful
1 Reply 1

lariasqu
Level 1
Level 1

‎08-29-2013 07:07 AM

Hi Christoph, thank you for using our forum, my name is Luis I am part of the Small business Support community. In this case I could share to you an article from the SA540 in order to guide you with your VPN configuration, you could check the link below.

http://www6.nohold.net/CiscoSB/Loginr.aspx?login=1&pid=2&app=search&vw=1&articleid=2946

However, you can get more feedback about your VPN configuration, if you move your post using the actions panel on the right. You can move it to the link below.

https://supportforums.cisco.com/community/netpro/security/vpn

I hope you find this answer useful

Greetings,

Luis Arias.

Cisco Network Support Engineer.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents