New Member

VPN logs

I'm having an issue with a customer VPN. It's a Fortinet appliance on the other side, but it seems like it's not even trying to connect to me. I was hoping to get a second set of eyes on the logs. From what I'm seeing, we are trying to establish a connection and are getting no response from his firewall. Is this accurate?

The peer state is:

IKE Peer: 75.109.209.123

    Type    : user            Role    : initiator

    Rekey   : no              State   : AM_WAIT_MSG2

 

The logs (debug crypto isakmp 127 AND debug crypto ipsec 127) are as follows:

Sep 30 16:19:50 [IKEv1]: IP = x.x.x.x, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 564
Sep 30 16:19:52 [IKEv1]: IP = x.x.x.x, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Sep 30 16:19:57 [IKEv1]: IP = x.x.x.x, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Sep 30 16:19:58 [IKEv1]: IP = x.x.x.x, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 564
Sep 30 16:20:02 [IKEv1]: IP = x.x.x.x, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Sep 30 16:20:06 [IKEv1]: IP = x.x.x.x, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 564
Sep 30 16:20:07 [IKEv1]: IP = x.x.x.x, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Sep 30 16:20:12 [IKEv1]: IP = x.x.x.x, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Sep 30 16:20:14 [IKEv1 DEBUG]: IP = x.x.x.x, IKE AM Initiator FSM error history (struct &0xd8ae6448)  <state>, <event>:  AM_DONE, EV_ERROR-->AM_WAIT_MSG2, EV_RETRY-->AM_WAIT_MSG2, EV_TIMEOUT-->AM_WAIT_MSG2, NullEvent-->AM_SND_MSG1, EV_SND_MSG-->AM_SND_MSG1, EV_START_TMR-->AM_SND_MSG1, EV_RESEND_MSG-->AM_WAIT_MSG2, EV_RETRY
Sep 30 16:20:14 [IKEv1 DEBUG]: IP = x.x.x.x, IKE SA AM:e851b91a terminating:  flags 0x01000021, refcnt 0, tuncnt 0
Sep 30 16:20:14 [IKEv1 DEBUG]: IP = x.x.x.x, sending delete/delete with reason message
Sep 30 16:20:14 [IKEv1]: IP = x.x.x.x, Removing peer from peer table failed, no match!
Sep 30 16:20:14 [IKEv1]: IP = x.x.x.x, Error: Unable to remove PeerTblEntry
Sep 30 16:20:17 [IKEv1]: IP = x.x.x.x, IKE Initiator: New Phase 1, Intf inside, IKE Peer x.x.x.x  local Proxy Address 10.12.0.0, remote Proxy Address 10.186.17.0,  Crypto map (mymap)
Sep 30 16:20:17 [IKEv1 DEBUG]: IP = x.x.x.x, constructing ISAKMP SA payload
Sep 30 16:20:17 [IKEv1 DEBUG]: IP = x.x.x.x, constructing ke payload
Sep 30 16:20:17 [IKEv1 DEBUG]: IP = x.x.x.x, constructing nonce payload
Sep 30 16:20:17 [IKEv1 DEBUG]: IP = x.x.x.x, constructing ID payload
Sep 30 16:20:17 [IKEv1 DEBUG]: IP = x.x.x.x, constructing Cisco Unity VID payload
Sep 30 16:20:17 [IKEv1 DEBUG]: IP = x.x.x.x, constructing xauth V6 VID payload
Sep 30 16:20:17 [IKEv1 DEBUG]: IP = x.x.x.x, constructing NAT-Traversal VID ver 02 payload
Sep 30 16:20:17 [IKEv1 DEBUG]: IP = x.x.x.x, constructing NAT-Traversal VID ver 03 payload
Sep 30 16:20:17 [IKEv1 DEBUG]: IP = x.x.x.x, constructing NAT-Traversal VID ver RFC payload
Sep 30 16:20:17 [IKEv1 DEBUG]: IP = x.x.x.x, constructing Fragmentation VID + extended capabilities payload
Sep 30 16:20:17 [IKEv1]: IP = x.x.x.x, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 564
Sep 30 16:20:22 [IKEv1]: IP = x.x.x.x, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Sep 30 16:20:25 [IKEv1]: IP = x.x.x.x, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 564
Sep 30 16:20:27 [IKEv1]: IP = x.x.x.x, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Sep 30 16:20:32 [IKEv1]: IP = x.x.x.x, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Sep 30 16:20:33 [IKEv1]: IP = x.x.x.x, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 564
Sep 30 16:20:37 [IKEv1]: IP = x.x.x.x, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Sep 30 16:20:41 [IKEv1]: IP = x.x.x.x, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 564
Sep 30 16:20:42 [IKEv1]: IP = x.x.x.x, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Sep 30 16:20:47 [IKEv1]: IP = x.x.x.x, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Sep 30 16:20:49 [IKEv1 DEBUG]: IP = x.x.x.x, IKE AM Initiator FSM error history (struct &0xd8aef3b0)  <state>, <event>:  AM_DONE, EV_ERROR-->AM_WAIT_MSG2, EV_RETRY-->AM_WAIT_MSG2, EV_TIMEOUT-->AM_WAIT_MSG2, NullEvent-->AM_SND_MSG1, EV_SND_MSG-->AM_SND_MSG1, EV_START_TMR-->AM_SND_MSG1, EV_RESEND_MSG-->AM_WAIT_MSG2, EV_RETRY
Sep 30 16:20:49 [IKEv1 DEBUG]: IP = x.x.x.x, IKE SA AM:7d86ef8f terminating:  flags 0x01000021, refcnt 0, tuncnt 0
Sep 30 16:20:49 [IKEv1 DEBUG]: IP = x.x.x.x, sending delete/delete with reason message
Sep 30 16:20:49 [IKEv1]: IP = x.x.x.x, Removing peer from peer table failed, no match!
Sep 30 16:20:49 [IKEv1]: IP = x.x.x.x, Error: Unable to remove PeerTblEntry
Sep 30 16:20:52 [IKEv1]: IP = x.x.x.x, IKE Initiator: New Phase 1, Intf inside, IKE Peer x.x.x.x  local Proxy Address 10.12.0.0, remote Proxy Address 10.186.17.0,  Crypto map (mymap)
Sep 30 16:20:52 [IKEv1 DEBUG]: IP = x.x.x.x, constructing ISAKMP SA payload
Sep 30 16:20:52 [IKEv1 DEBUG]: IP = x.x.x.x, constructing ke payload
Sep 30 16:20:52 [IKEv1 DEBUG]: IP = x.x.x.x, constructing nonce payload
Sep 30 16:20:52 [IKEv1 DEBUG]: IP = x.x.x.x, constructing ID payload
Sep 30 16:20:52 [IKEv1 DEBUG]: IP = x.x.x.x, constructing Cisco Unity VID payload
Sep 30 16:20:52 [IKEv1 DEBUG]: IP = x.x.x.x, constructing xauth V6 VID payload
Sep 30 16:20:52 [IKEv1 DEBUG]: IP = x.x.x.x, constructing NAT-Traversal VID ver 02 payload
Sep 30 16:20:52 [IKEv1 DEBUG]: IP = x.x.x.x, constructing NAT-Traversal VID ver 03 payload
Sep 30 16:20:52 [IKEv1 DEBUG]: IP = x.x.x.x, constructing NAT-Traversal VID ver RFC payload
Sep 30 16:20:52 [IKEv1 DEBUG]: IP = x.x.x.x, constructing Fragmentation VID + extended capabilities payload
Sep 30 16:20:52 [IKEv1]: IP = x.x.x.x, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 564
Sep 30 16:20:57 [IKEv1]: IP = x.x.x.x, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Sep 30 16:21:00 [IKEv1]: IP = x.x.x.x, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 564
Sep 30 16:21:02 [IKEv1]: IP = x.x.x.x, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Sep 30 16:21:07 [IKEv1]: IP = x.x.x.x, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Sep 30 16:21:08 [IKEv1]: IP = x.x.x.x, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 564

Sep 30 16:21:12 [IKEv1]: IP = x.x.x.x, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
1 ACCEPTED SOLUTION

VIP Green

AM_WAIT_MSG2

Means you have sent the phase 1 proposal to the remote site and are now waiting for the reply. The problem could be that you are running in aggressive mode (AM) and the remote site is in main mode (MM). Check this out first with the remote site.

If you are both in the same mode, then the Fortigate is not matching any of the parameters presented in phase 1, i.e. encryption, hash, Diffie-Hellman group, key.

--

Please remember to select a correct answer and rate helpful posts
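Added example, not part of the accepted answer or of the original thread: a small Python checker that reads ASA 8.x IKEv1 debug output of the kind posted above and reports, per peer, how many times message 1 (msgid=0) was sent, whether anything came back, and which FSM state timed out. The log lines inside it are constructed in the ASA's own message format, with documentation addresses (203.0.113.10, 198.51.100.7) standing in for the real peer and the struct/SA identifiers copied from the posted output; the verdict strings are my own labels. It also handles the main-mode case (MM_WAIT_MSG2), which the thread does not show.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the ASA 8.2 "debug crypto isakmp 127"
# output posted in this thread. The peer address (203.0.113.10) and the
# timestamps are invented; the message formats are the ASA's own.
STALLED_LOG = """\
Sep 30 16:20:17 [IKEv1]: IP = 203.0.113.10, IKE Initiator: New Phase 1, Intf inside, IKE Peer 203.0.113.10  local Proxy Address 10.12.0.0, remote Proxy Address 10.186.17.0,  Crypto map (mymap)
Sep 30 16:20:17 [IKEv1]: IP = 203.0.113.10, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + NONE (0) total length : 564
Sep 30 16:20:22 [IKEv1]: IP = 203.0.113.10, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Sep 30 16:20:25 [IKEv1]: IP = 203.0.113.10, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + NONE (0) total length : 564
Sep 30 16:20:33 [IKEv1]: IP = 203.0.113.10, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + NONE (0) total length : 564
Sep 30 16:20:41 [IKEv1]: IP = 203.0.113.10, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + NONE (0) total length : 564
Sep 30 16:20:49 [IKEv1 DEBUG]: IP = 203.0.113.10, IKE AM Initiator FSM error history (struct &0xd8aef3b0)  <state>, <event>:  AM_DONE, EV_ERROR-->AM_WAIT_MSG2, EV_RETRY-->AM_WAIT_MSG2, EV_TIMEOUT-->AM_WAIT_MSG2, NullEvent-->AM_SND_MSG1, EV_SND_MSG-->AM_SND_MSG1, EV_START_TMR-->AM_SND_MSG1, EV_RESEND_MSG-->AM_WAIT_MSG2, EV_RETRY
Sep 30 16:20:49 [IKEv1 DEBUG]: IP = 203.0.113.10, IKE SA AM:7d86ef8f terminating:  flags 0x01000021, refcnt 0, tuncnt 0
"""

# Constructed contrast case: here the peer does answer message 1 (aggressive-mode
# message 2 carries the responder's SA, KE, nonce, ID and HASH), so any failure
# would have to be looked for later in the exchange, not at msgid=0.
ANSWERED_LOG = """\
Sep 30 17:01:00 [IKEv1]: IP = 198.51.100.7, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + NONE (0) total length : 564
Sep 30 17:01:00 [IKEv1]: IP = 198.51.100.7, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + VENDOR (13) + NONE (0) total length : 356
"""

_IP_RE = re.compile(r"IP = ([0-9A-Fa-f.:]+),")
_SEND_RE = re.compile(r"IKE_DECODE (?:RE)?SENDING Message \(msgid=0\) with payloads : (.*?) total length")
_RECV_RE = re.compile(r"IKE_DECODE RECEIVED Message \(msgid=0\)")
_FSM_RE = re.compile(r"IKE (AM|MM) Initiator FSM error history")
# The history is a list of "<state>, <event>" pairs; the pair whose event is
# EV_TIMEOUT names the state the initiator was stuck in when the timer fired.
_TIMEOUT_RE = re.compile(r"((?:AM|MM)_WAIT_MSG\d), EV_TIMEOUT")


def _new_peer():
    return {"mode": None, "msg1_sent": 0, "msg1_received": 0,
            "msg1_payloads": None, "timed_out_in": None}


def diagnose_phase1(log_text):
    """Group ASA IKEv1 debug lines by peer and decide whether Phase 1 stalled
    because message 1 went unanswered. Returns {peer_ip: result_dict}."""
    peers = defaultdict(_new_peer)
    for line in log_text.splitlines():
        ip = _IP_RE.search(line)
        if not ip:
            continue
        p = peers[ip.group(1)]
        sent = _SEND_RE.search(line)
        if sent:
            p["msg1_sent"] += 1
            if p["msg1_payloads"] is None:
                # "HDR + SA (1) + KE (4) ..." -> ["HDR", "SA", "KE", ...]
                p["msg1_payloads"] = [tok.split(" (")[0] for tok in sent.group(1).split(" + ")]
        elif _RECV_RE.search(line):
            p["msg1_received"] += 1
        fsm = _FSM_RE.search(line)
        if fsm:
            p["mode"] = "aggressive" if fsm.group(1) == "AM" else "main"
            timeout = _TIMEOUT_RE.search(line)
            if timeout:
                p["timed_out_in"] = timeout.group(1)
    for p in peers.values():
        if p["mode"] is None and p["msg1_payloads"]:
            # Main-mode message 1 carries only the SA; aggressive mode also
            # sends KE, nonce and ID in the first message.
            p["mode"] = "aggressive" if {"KE", "ID"} <= set(p["msg1_payloads"]) else "main"
        p["verdict"] = _verdict(p)
    return dict(peers)


def _verdict(p):
    if p["msg1_received"]:
        return "PEER_RESPONDED"        # look past msgid=0 for the real failure
    if p["msg1_sent"] and p["timed_out_in"]:
        return "NO_REPLY_TO_MSG1"      # peer silent: mode/proposal mismatch, wrong peer, or UDP/500 blocked
    if p["msg1_sent"]:
        return "STILL_RETRANSMITTING"  # capture ended before the FSM gave up
    return "NO_PHASE1_ATTEMPT"


if __name__ == "__main__":
    for peer, result in diagnose_phase1(STALLED_LOG + ANSWERED_LOG).items():
        print(peer, result["mode"], result["msg1_sent"], result["msg1_received"],
              result["timed_out_in"], result["verdict"])
```

A NO_REPLY_TO_MSG1 verdict means exactly what the answer above says: the ASA proposed and heard nothing. The ASA's own log cannot separate a mode mismatch from a proposal mismatch or from UDP/500 simply not reaching the peer, because a silent responder looks the same in all three cases; the responder's log or a capture on the outside interface is needed to tell them apart.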
8 REPLIES
New Member

This screenshot was sent to me this morning for the fortinet side, the areas filled in are the subnets and are correct. http://imgur.com/aMZw4pt

On our side we have:

crypto map mymap 5 match address outside_cryptomap_4

crypto map mymap 5 set pfs group5

crypto map mymap 5 set peer x.x.x.x

crypto map mymap 5 set transform-set fset ESP-AES-256-SHA

crypto map mymap 5 set phase1-mode aggressive

crypto map mymap 5 set security-association lifetime seconds 28800

 

these two transform sets are:

crypto ipsec transform-set fset esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

 

the outside_cryptomap_4 lists the correct subnets.

 

I have 5 isakmp policies on my 5510, but one of them is:

crypto isakmp policy 45

 authentication pre-share

 encryption aes-256

 hash sha

 group 2

 lifetime 86400

Do I have to specify this policy for this tunnel? This policy looks correct to me, however the other unlisted policies are used for other tunnels.

My other question is, if I have him try to initiate a connection, would I get an error that I could see and troubleshoot within the logs?

Thanks again for the help.

VIP Green

Do I have to specify this policy for this tunnel?

No, the ASA checks each policy top-down until it finds a match or reaches the end of the list with no match. Yes, the policy looks correct.

My other question is, if I have him try to initiate a connection, would I get an error that I could see and troubleshoot within the logs?

What version ASA are you running?

You could run a debug crypto ipsec sa and a debug crypto ikev1 isakmp while you try to initiate traffic, and also when he tries to initiate traffic.

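Added example, not from the thread and not Cisco's code: a Python emulation of the top-down ISAKMP policy search described in the reply above, so the "do I have to specify this policy for this tunnel" question can be checked against a config excerpt. The policy text is constructed: policy 45 copies the one posted earlier in the thread, while policies 10 and 20 are invented so that non-matching entries sit ahead of it. The peer proposal dictionary is an assumption about what the Fortinet would offer, not something read from the screenshot. The lifetime rule follows Cisco's documented IKE behaviour (lifetimes need not be identical; a proposal with a shorter or equal lifetime matches and the shorter value is used).

```python
import re

# Constructed ASA config excerpt. Policy 45 copies the one posted in this
# thread; policies 10 and 20 are invented so that non-matching entries sit
# ahead of it in the list the ASA walks top-down (lowest number first).
SAMPLE_POLICIES = """\
crypto isakmp policy 10
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 86400
crypto isakmp policy 45
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
"""

# Assumed Phase 1 offer from the Fortinet side (not read from the screenshot):
# AES-256 / SHA-1 / DH group 2 / pre-shared key / 24h lifetime.
FORTINET_PROPOSAL = {"authentication": "pre-share", "encryption": "aes-256",
                     "hash": "sha", "group": "2", "lifetime": 86400}

# The four attributes the ASA requires to be identical. Lifetime is handled
# separately: per Cisco's IKE documentation a proposal whose lifetime is
# shorter than or equal to the local policy's still matches, and the shorter
# value is then used for the SA.
MATCH_ATTRS = ("authentication", "encryption", "hash", "group")


def parse_isakmp_policies(config_text):
    """Return [(priority, attrs), ...] sorted by priority, i.e. in the order
    the ASA evaluates them. Unspecified lifetime defaults to 86400 (ASA default)."""
    policies = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        header = re.match(r"crypto isakmp policy (\d+)$", line)
        if header:
            current = int(header.group(1))
            policies[current] = {}
            continue
        if current is None or not line:
            continue
        key, _, value = line.partition(" ")
        policies[current][key] = int(value) if key == "lifetime" else value
    return sorted(policies.items())


def _lifetime_ok(attrs, proposal):
    return proposal.get("lifetime", 0) <= attrs.get("lifetime", 86400)


def select_policy(policies, proposal):
    """Emulate the search: the first policy whose four identifying attributes
    equal the proposal's and whose lifetime accepts it wins, no matter how
    many non-matching policies precede it. Returns its priority or None."""
    for priority, attrs in policies:
        if all(attrs.get(a) == proposal.get(a) for a in MATCH_ATTRS) and _lifetime_ok(attrs, proposal):
            return priority
    return None


def mismatch_report(policies, proposal):
    """For troubleshooting: which attributes keep each policy from matching.
    An empty list means that policy would match the proposal."""
    report = {}
    for priority, attrs in policies:
        bad = [a for a in MATCH_ATTRS if attrs.get(a) != proposal.get(a)]
        if not _lifetime_ok(attrs, proposal):
            bad.append("lifetime")
        report[priority] = bad
    return report


if __name__ == "__main__":
    pols = parse_isakmp_policies(SAMPLE_POLICIES)
    print("matched policy:", select_policy(pols, FORTINET_PROPOSAL))  # 45
    print(mismatch_report(pols, dict(FORTINET_PROPOSAL, group="5")))
    # {10: ['authentication', 'encryption', 'group'], 20: ['encryption'], 45: ['group']}
```

Note that the `group 2` here is the Phase 1 Diffie-Hellman group; the `set pfs group5` in the crypto map posted earlier is a Phase 2 setting negotiated separately, and the Fortinet side has to agree with each one independently.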
New Member

Thanks for the clarification on the isakmp policy.

What version ASA are you running?

Cisco Adaptive Security Appliance Software Version 8.2(1)
Device Manager Version 6.2(1)

Compiled on Tue 05-May-09 22:45 by builders

You could run a debug crypto ipsec sa 

This doesn't work:

asa# debug crypto ipsec ?

  <1-255>  Specify an optional debug level (default is 1)
  <cr>
asa# debug crypto ipsec

smithdq-asa# debug crypto ?

  ca         Set PKI debug levels
  condition  Set IPSec/ISAKMP debug filters
  engine     Set crypto engine debug levels
  ipsec      Set IPSec debug levels
  isakmp     Set ISAKMP debug levels
  vpnclient  Set EasyVPN client debug levels
smithdq-asa# debug crypto ikev1
                          ^
ERROR: % Invalid input detected at '^' marker.    # marker is at the 'i' in ikev1, but I couldn't get the formatting right for this post.
asa#

The logs posted above come from debug crypto ipsec 127 and debug crypto isakmp 127.

I'm unaware if this client has a valid smartnet contract and have sales looking into this currently.

VIP Green

Do you have the command crypto isakmp enable outside configured?

New Member

I do indeed, it's right after my commands defining my crypto maps and just before the isakmp policies. I also have the crypto map <name> enable outside in there as well. I guess I should have mentioned, I have other site-to-site VPNs up and working on this ASA. It's just this one that isn't up. From what I can see, if the screenshots posted of the Fortinet are accurate, then we *should* have matching ends, and *should* be able to establish a tunnel.

The reasoning for my post initially is that what I was seeing in the logs seemed to indicate an issue on the Fortinet side. Basically I was of the opinion that the Fortinet wasn't responding to our requests. I wanted to make sure that I wasn't missing something, and to verify some things that I didn't have a full understanding of. You've been an absolutely great help with all of this. If you are willing to keep looking at this, any other ideas you have, or if there is a part of the config you want to verify, just let me know.

VIP Green

Well, as I mentioned in my first post, your ASA is sending the initial phase 1 proposal but you are not getting a reply from the remote site.

Have you made sure that the preshared keys are entered correctly?

New Member

I want to thank you. I've been working with a tech via email; it's been very slow going. He made a correction on his end concerning the way his endpoint routed ("Retrieve default gateway from server" was not on; I'm not familiar with Fortinet, so I'm not sure what this does), but no configuration change was needed on my end. I'm marking your first response as correct, and thanks again.