https://community.cisco.com/t5/network-security/errors-after-pix-to-asa-migration/m-p/1634354#M595029 <HTML><HEAD></HEAD><BODY><P>Great to hear.</P><P>It is typically recommended to use "ip" for crypto ACL rather than protocol and port specific. If you would like to restrict traffic, you can use ACL and applied that to the interface to restrict traffic.</P><P>There might be bug on the ASA version that you are running, that's why it's failing.</P></BODY></HTML> Sun, 09 Jan 2011 10:50:32 GMT Jennifer Halim 2011-01-09T10:50:32Z https://community.cisco.com/t5/network-security/errors-after-pix-to-asa-migration/m-p/1634342#M595016 <P>Hi people,</P><P></P><P>I have the follow scenario, in my network i have a PIX,&nbsp; and the 2 VPN configured, and all works fine, no errors. But 2 weeks ago, we changed the PIX to Asa 5505, with same configs, and the one of the VPN is generating <SPAN class="short_text" id="result_box" lang="en"><SPAN class="hps" title="Clique para mostrar traduções alternativas">intermittence</SPAN></SPAN>, lose packets periodically , some times after 20 seconds that VPN formed, some times 40 seconds , some times 1 minute. If i put the command "show crypto isakmp sa" the VPN keep active, enabling the "debug crypto isakmp 150"&nbsp; :</P><P><STRONG><BR />Jan 01 07:10:38 [IKEv1]: Group =</STRONG><STRONG>201.77.XXX.XX</STRONG><STRONG>, IP =</STRONG><STRONG>201.77.XXX.XX</STRONG><STRONG>, QM IsRekeyed old sa not found by addr<BR />Jan 01 07:10:38 [IKEv1]: Group = </STRONG><STRONG>201.77.XXX.XX</STRONG><STRONG>, IP = </STRONG><STRONG>201.77.XXX.XX</STRONG><STRONG>, Static Crypto Map check, checking map = biomap, seq = 1...<BR />Jan 01 07:10:38 [IKEv1]: Group = </STRONG><STRONG>201.77.XXX.XX</STRONG><STRONG>, IP = </STRONG><STRONG>201.77.XXX.XX</STRONG><STRONG>, Static Crypto Map check, map = biomap, seq = 1, ACL does not match proxy IDs src:201.77.XXX.XXX dst:172.20.3.32</STRONG></P><P></P><P>Is&nbsp; there any feature in ASA that can causing this issue? Why if i return to the PIX the VPN dont lose packets?</P><P></P><P>The PIX and ASA are with same configs</P><P></P><P>Tks</P> Mon, 11 Mar 2019 19:31:24 GMT https://community.cisco.com/t5/network-security/errors-after-pix-to-asa-migration/m-p/1634342#M595016 Thiago Cella 2019-03-11T19:31:24Z https://community.cisco.com/t5/network-security/errors-after-pix-to-asa-migration/m-p/1634343#M595018 <HTML><HEAD></HEAD><BODY><P>Base on the following error message:</P><P><STRONG>Jan 01 07:10:38 [IKEv1]: Group = </STRONG><STRONG>201.77.XXX.XX</STRONG><STRONG>, IP = </STRONG><STRONG>201.77.XXX.XX</STRONG><STRONG>, Static Crypto Map check, map = biomap, seq = 1, ACL does not match proxy IDs src:201.77.XXX.XXX dst:172.20.3.32</STRONG></P><P></P><P>The crypto ACL is not mirror image between the 2 sides.</P><P></P><P>Can you please share the config from both sides of the tunnel. Thanks.</P></BODY></HTML> Fri, 07 Jan 2011 02:43:14 GMT https://community.cisco.com/t5/network-security/errors-after-pix-to-asa-migration/m-p/1634343#M595018 Jennifer Halim 2011-01-07T02:43:14Z https://community.cisco.com/t5/network-security/errors-after-pix-to-asa-migration/m-p/1634344#M595019 <HTML><HEAD></HEAD><BODY><P>Tks Jennifer,</P><P></P><P>Follow the config, but if return to PIX the VPN works no errors.Administration of the another side is the other company.</P><P><BR />crypto map biomap 1 match address VPN2<BR />crypto map biomap 1 set peer 201.77.XXX.XXX<BR />crypto map biomap 1 set transform-set bioset<BR />crypto map biomap 1 set security-association lifetime seconds 28800<BR />crypto map biomap 1 set security-association lifetime kilobytes 2147483647</P><P></P><P></P><P>tunnel-group 201.77.XXX.XXX type ipsec-l2l<BR />tunnel-group 201.77.XXX.XXX ipsec-attributes<BR /> pre-shared-key pass</P><P></P><P><BR />global (outside) 1 172.20.3.33<BR />nat (inside) 1 access-list NATIFS</P><P></P><P>static (inside,outside) 172.20.3.37 192.168.1.101 netmask 255.255.255.255<BR />static (inside,outside) 172.20.3.38 192.168.1.102 netmask 255.255.255.255<BR />static (inside,outside) 172.20.3.36 192.168.1.100 netmask 255.255.255.255</P><P></P><P>isakmp identity address<BR />isakmp policy 10 authentication pre-share<BR />isakmp policy 10 encryption des<BR />isakmp policy 10 hash md5<BR />isakmp policy 10 group 2<BR />isakmp policy 10 lifetime 28800</P><P></P><P>isakmp policy 200 authentication pre-share<BR />isakmp policy 200 encryption 3des<BR />isakmp policy 200 hash sha<BR />isakmp policy 200 group 2<BR />isakmp policy 200 lifetime 86400</P></BODY></HTML> Fri, 07 Jan 2011 10:58:18 GMT https://community.cisco.com/t5/network-security/errors-after-pix-to-asa-migration/m-p/1634344#M595019 Thiago Cella 2011-01-07T10:58:18Z https://community.cisco.com/t5/network-security/errors-after-pix-to-asa-migration/m-p/1634345#M595020 <HTML><HEAD></HEAD><BODY><P>Can you please share the output of access-list VPN2?</P><P></P><P>PIX might be a little bit lax in regards to matching or have mirror image access-list with the remote end. You would definitely need to have mirror image ACL with the remote VPN device. If you could get the crypto ACL on the remote end so you can match it on your end (configure mirror image ACL), that would resolve the issue.</P></BODY></HTML> Fri, 07 Jan 2011 12:13:29 GMT https://community.cisco.com/t5/network-security/errors-after-pix-to-asa-migration/m-p/1634345#M595020 Jennifer Halim 2011-01-07T12:13:29Z https://community.cisco.com/t5/network-security/errors-after-pix-to-asa-migration/m-p/1634346#M595021 <HTML><HEAD></HEAD><BODY><P>Sorry, i forgot the ACLs :</P><P></P><P>access-list NATIFS extended permit icmp 192.168.1.0 255.255.255.0 201.77.XXX.XXX 255.255.255.248</P><P><BR />access-list VPNIFS extended permit tcp host 172.20.3.33 201.77.XXX.XXX&nbsp; 255.255.255.248 eq lpd <BR />access-list VPNIFS extended permit icmp host 172.20.3.33 201.77.XXX.XXX&nbsp; 255.255.255.248 <BR />access-list VPNIFS extended permit tcp host 172.20.3.33 201.77.XXX.XXX&nbsp; 255.255.255.248 eq 3389</P><P></P><P></P><P>The ACL the another side is that,(one detail, the other side is a&nbsp; router)&nbsp; :</P><P></P><P></P><P>access-list 159 permit tcp 201.77.XXX.XXX 0.0.0.7 eq 3389 172.20.3.32 0.0.0.7<BR />access-list 159 permit tcp 201.77.XXX.XXX 0.0.0.7 172.20.3.32 0.0.0.7 eq lpd<BR />access-list 159 permit icmp 201.77.XXX.XXX 0.0.0.7 172.20.3.32 0.0.0.7</P><P></P><P></P><P>Tks</P></BODY></HTML> Fri, 07 Jan 2011 12:33:52 GMT https://community.cisco.com/t5/network-security/errors-after-pix-to-asa-migration/m-p/1634346#M595021 Thiago Cella 2011-01-07T12:33:52Z https://community.cisco.com/t5/network-security/errors-after-pix-to-asa-migration/m-p/1634347#M595022 <HTML><HEAD></HEAD><BODY><P>Doesn't seem to be mirror image to me.</P><P></P><P>The ASA end has "host 172.20.3.33" while the router end has "172.20.3.32 0.0.0.7"</P><P></P><P>since you have access to the ASA end, you would need to change the VPNIF ACL:</P><P><SPAN style="text-decoration: underline;"><STRONG>FROM</STRONG></SPAN>:</P><P>access-list VPNIFS extended permit tcp host 172.20.3.33 201.77.XXX.XXX&nbsp; 255.255.255.248 eq lpd <BR />access-list VPNIFS extended permit icmp host 172.20.3.33 201.77.XXX.XXX&nbsp; 255.255.255.248 <BR />access-list VPNIFS extended permit tcp host 172.20.3.33 201.77.XXX.XXX&nbsp; 255.255.255.248 eq 3389</P><P></P><P><SPAN style="text-decoration: underline;"><STRONG>TO</STRONG></SPAN>:</P><P>access-list VPNIFS extended permit tcp 172.20.3.32 255.255.255.248 201.77.XXX.XXX&nbsp; 255.255.255.248 eq lpd <BR />access-list VPNIFS extended permit icmp 172.20.3.32 255.255.255.248 201.77.XXX.XXX&nbsp; 255.255.255.248 <BR />access-list VPNIFS extended permit tcp 172.20.3.32 255.255.255.248 201.77.XXX.XXX&nbsp; 255.255.255.248 eq 3389</P><P></P><P>Clear the tunnel: "clear cry isa sa" and "clear cry ipsec sa", and reestablish the tunnel.</P><P>It should work after that.</P><P></P><P>Hope that helps.</P></BODY></HTML> Fri, 07 Jan 2011 22:34:37 GMT https://community.cisco.com/t5/network-security/errors-after-pix-to-asa-migration/m-p/1634347#M595022 Jennifer Halim 2011-01-07T22:34:37Z https://community.cisco.com/t5/network-security/errors-after-pix-to-asa-migration/m-p/1634348#M595023 <HTML><HEAD></HEAD><BODY><P>Hi Jennifer tks again,</P><P></P><P></P><P>But didnt work on ASA, but on PIX worked .</P></BODY></HTML> Fri, 07 Jan 2011 23:00:25 GMT https://community.cisco.com/t5/network-security/errors-after-pix-to-asa-migration/m-p/1634348#M595023 Thiago Cella 2011-01-07T23:00:25Z https://community.cisco.com/t5/network-security/errors-after-pix-to-asa-migration/m-p/1634349#M595024 <HTML><HEAD></HEAD><BODY><P>Pls kindly share the latest configuration, and also debug output. Thanks.</P></BODY></HTML> Fri, 07 Jan 2011 23:02:00 GMT https://community.cisco.com/t5/network-security/errors-after-pix-to-asa-migration/m-p/1634349#M595024 Jennifer Halim 2011-01-07T23:02:00Z https://community.cisco.com/t5/network-security/errors-after-pix-to-asa-migration/m-p/1634350#M595025 <HTML><HEAD></HEAD><BODY><P>config:</P><P></P><P>crypto map biomap 1 match address VPN2</P><P>crypto map biomap 1 set peer 201.77.XXX.XXX</P><P>crypto map biomap 1 set transform-set bioset</P><P>crypto map biomap 1 set security-association lifetime seconds 28800</P><P>crypto map biomap 1 set security-association lifetime kilobytes 2147483647</P><P></P><P>tunnel-group 201.77.XXX.XXX type ipsec-l2l</P><P>tunnel-group 201.77.XXX.XXX ipsec-attributes</P><P>pre-shared-key pass</P><P></P><P></P><P>global (outside) 1 172.20.3.33</P><P>nat (inside) 1 access-list NATIFS</P><P></P><P></P><P>static (inside,outside) 172.20.3.37 192.168.1.101 netmask 255.255.255.255</P><P>static (inside,outside) 172.20.3.38 192.168.1.102 netmask 255.255.255.255</P><P>static (inside,outside) 172.20.3.36 192.168.1.100 netmask 255.255.255.255</P><P></P><P></P><P>isakmp identity address</P><P></P><P>isakmp policy 10 authentication pre-share</P><P>isakmp policy 10 encryption des</P><P>isakmp policy 10 hash md5</P><P>isakmp policy 10 group 2</P><P></P><P>isakmp policy 10 lifetime 28800</P><P>isakmp policy 200 authentication pre-share</P><P>isakmp policy 200 encryption 3des</P><P>isakmp policy 200 hash sha</P><P>isakmp policy 200 group 2</P><P>isakmp policy 200 lifetime 86400</P><P></P><P></P><P>access-list VPNIFS extended permit tcp 172.20.3.32 255.255.255.248 201.77.XXX.XXX&nbsp; 255.255.255.248 eq lpd</P><P>access-list VPNIFS extended permit icmp 172.20.3.32 255.255.255.248 201.77.XXX.XXX&nbsp; 255.255.255.248</P><P>access-list VPNIFS extended permit tcp 172.20.3.32 255.255.255.248 201.77.XXX.XXX&nbsp; 255.255.255.248 eq 3389</P><P></P><P></P><P>Debug :</P><P></P><P>Jan 01 07:10:38 [IKEv1 DECODE]: IP = 201.77.XXX.XXX, IKE Responder starting QM: msg id = 92579587<BR />Jan 01 07:10:38 [IKEv1]: IP = 201.77.XXX.XXX, IKE_DECODE RECEIVED Message (msgid=92579587) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 168<BR />Jan 01 07:10:38 [IKEv1 DEBUG]: Group = 201.77.XXX.XXX, IP = 201.77.XXX.XXX, processing hash payload<BR />Jan 01 07:10:38 [IKEv1 DEBUG]: Group = 201.77.XXX.XXX, IP = 201.77.XXX.XXX, processing SA payload<BR />Jan 01 07:10:38 [IKEv1 DEBUG]: Group = 201.77.XXX.XXX, IP = 201.77.XXX.XXX, processing nonce payload<BR />Jan 01 07:10:38 [IKEv1 DEBUG]: Group = 201.77.XXX.XXX, IP = 201.77.XXX.XXX, processing ID payload<BR />Jan 01 07:10:38 [IKEv1 DECODE]: Group = 201.77.XXX.XXX, IP = 201.77.XXX.XXX, ID_IPV4_ADDR_SUBNET ID received--201.77.217.104--255.255.255.248<BR />Jan 01 07:10:38 [IKEv1]: Group = 201.77.XXX.XXX, IP = 201.77.XXX.XXX, Received remote IP Proxy Subnet data in ID Payload:&nbsp;&nbsp; Address 201.77.217.104, Mask 255.255.255.248, Protocol 6, Port 0<BR />Jan 01 07:10:38 [IKEv1 DEBUG]: Group = 201.77.XXX.XXX, IP = 201.77.XXX.XXX, processing ID payload<BR />Jan 01 07:10:38 [IKEv1 DECODE]: Group = 201.77.XXX.XXX, IP = 201.77.XXX.XXX, ID_IPV4_ADDR_SUBNET ID received--172.20.3.32--255.255.255.248<BR />Jan 01 07:10:38 [IKEv1]: Group = 201.77.XXX.XXX, IP = 201.77.XXX.XXX, Received local IP Proxy Subnet data in ID Payload:&nbsp;&nbsp; Address 172.20.3.32, Mask 255.255.255.248, Protocol 6, Port 515<BR />Jan 01 07:10:38 [IKEv1]: Group = 201.77.XXX.XXX, IP = 201.77.XXX.XXX, QM IsRekeyed old sa not found by addr<BR />Jan 01 07:10:38 [IKEv1]: Group = 201.77.XXX.XXX, IP = 201.77.XXX.XXX, Static Crypto Map check, checking map = biomap, seq = 1...<BR />Jan 01 07:10:38 [IKEv1]: Group = 201.77.XXX.XXX, IP = 201.77.XXX.XXX, Static Crypto Map check, map = biomap, seq = 1, ACL does not match proxy IDs src:201.77.217.104 dst:172.20.3.32<BR />Jan 01 07:10:38 [IKEv1]: Group = 201.77.XXX.XXX, IP = 201.77.XXX.XXX, Static Crypto Map check, checking map = biomap, seq = 10...<BR />Jan 01 07:10:38 [IKEv1]: Group = 201.77.XXX.XXX, IP = 201.77.XXX.XXX, Static Crypto Map check, map = biomap, seq = 10, ACL does not match proxy IDs src:201.77.217.104 dst:172.20.3.32<BR />Jan 01 07:10:38 [IKEv1]: Group = 201.77.XXX.XXX, IP = 201.77.XXX.XXX, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 201.77.217.104/255.255.255.248/6/0 local proxy 172.20.3.32/255.255.255.248/6/515 on interface outside<BR />Jan 01 07:10:38 [IKEv1 DEBUG]: Group = 201.77.XXX.XXX, IP = 201.77.XXX.XXX, sending notify message<BR />Jan 01 07:10:38 [IKEv1 DEBUG]: Group = 201.77.XXX.XXX, IP = 201.77.XXX.XXX, constructing blank hash payload<BR />Jan 01 07:10:38 [IKEv1 DEBUG]: Group = 201.77.XXX.XXX, IP = 201.77.XXX.XXX, constructing qm hash payload<BR />Jan 01 07:10:38 [IKEv1]: IP = 201.77.XXX.XXX, IKE_DECODE SENDING Message (msgid=9e59db25) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 224<BR />Jan 01 07:10:38 [IKEv1]: Group = 201.77.XXX.XXX, IP = 201.77.XXX.XXX, QM FSM error (P2 struct &amp;0xc6ed9718, mess id 0x92579587)!<BR />Jan 01 07:10:38 [IKEv1 DEBUG]: Group = 201.77.XXX.XXX, IP = 201.77.XXX.XXX, IKE QM Responder FSM error history (struct &amp;0xc6ed9718)&nbsp; <STATE>, <EVENT>:&nbsp; QM_DONE, EV_ERROR--&gt;QM_BLD_MSG2, EV_NEGO_SA--&gt;QM_BLD_MSG2, EV_IS_REKEY--&gt;QM_BLD_MSG2, EV_CONFIRM_SA--&gt;QM_BLD_MSG2, EV_PROC_MSG--&gt;QM_BLD_MSG2, EV_HASH_OK--&gt;QM_BLD_MSG2, NullEvent--&gt;QM_BLD_MSG2, EV_COMP_HASH<BR />Jan 01 07:10:38 [IKEv1 DEBUG]: Group = 201.77.XXX.XXX, IP = 201.77.XXX.XXX, sending delete/delete with reason message<BR />Jan 01 07:10:38 [IKEv1]: Group = 201.77.XXX.XXX, IP = 201.77.XXX.XXX, Removing peer from correlator table failed, no match!<BR />Jan 01 07:10:38 [IKEv1]: IP = 201.77.XXX.XXX, IKE_DECODE RECEIVED Message (msgid=c8902920) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80<BR />Jan 01 07:10:38 [IKEv1 DEBUG]: Group = 201.77.XXX.XXX, IP = 201.77.XXX.XXX, processing hash payload<BR />Jan 01 07:10:38 [IKEv1 DEBUG]: Group = 201.77.XXX.XXX, IP = 201.77.XXX.XXX, processing delete<BR />Jan 01 07:10:38 [IKEv1]: Group = 201.77.XXX.XXX, IP = 201.77.XXX.XXX, Connection terminated for peer 201.77.XXX.XXX.&nbsp; Reason: Peer Terminate&nbsp; Remote Proxy N/A, Local Proxy N/A<BR />Jan 01 07:10:38 [IKEv1 DEBUG]: Group = 201.77.XXX.XXX, IP = 201.77.XXX.XXX, sending delete/delete with reason message<BR />Jan 01 07:10:38 [IKEv1 DEBUG]: Group = 201.77.XXX.XXX, IP = 201.77.XXX.XXX, constructing blank hash payload<BR />Jan 01 07:10:38 [IKEv1 DEBUG]: Group = 201.77.XXX.XXX, IP = 201.77.XXX.XXX, constructing IPSec delete payload<BR />Jan 01 07:10:38 [IKEv1 DEBUG]: Group = 201.77.XXX.XXX, IP = 201.77.XXX.XXX, constructing qm hash payload<BR />Jan 01 07:10:38 [IKEv1]: IP = 201.77.XXX.XXX, IKE_DECODE SENDING Message (msgid=3cd3241c) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 68<BR />Jan 01 07:10:38 [IKEv1 DEBUG]: Group = 201.77.XXX.XXX, IP = 201.77.XXX.XXX, Active unit receives a delete event for remote peer 201.77.XXX.XXX.</EVENT></STATE></P><P></P><P>Jan 01 07:10:38 [IKEv1 DEBUG]: Group = 201.77.XXX.XXX, IP = 201.77.XXX.XXX, IKE Deleting SA: Remote Proxy 201.77.217.104, Local Proxy 172.20.3.33<BR />Jan 01 07:10:38 [IKEv1 DEBUG]: Group = 201.77.XXX.XXX, IP = 201.77.XXX.XXX, IKE SA MM:23cef9a3 terminating:&nbsp; flags 0x01000822, refcnt 0, tuncnt 0<BR />Jan 01 07:10:38 [IKEv1]: Ignoring msg to mark SA with dsID 3764224 dead because SA deleted<BR />Jan 01 07:10:38 [IKEv1 DEBUG]: Pitcher: received key delete msg, spi 0x431730e0<BR />Jan 01 07:10:38 [IKEv1 DEBUG]: Pitcher: received key delete msg, spi 0x431730e0<BR />Jan 01 07:10:38 [IKEv1 DEBUG]: Pitcher: received key delete msg, spi 0xadea2864<BR />Jan 01 07:10:45 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0<BR />Jan 01 07:10:45 [IKEv1]: IP = 201.77.XXX.XXX, IKE Initiator: New Phase 1, Intf inside, IKE Peer 201.77.XXX.XXX&nbsp; local Proxy Address 172.20.3.33, remote Proxy Address 201.77.217.104,&nbsp; Crypto map (biomap)<BR />Jan 01 07:10:45 [IKEv1 DEBUG]: IP = 201.77.XXX.XXX, constructing ISAKMP SA payload<BR />Jan 01 07:10:45 [IKEv1 DEBUG]: IP = 201.77.XXX.XXX, constructing Fragmentation VID + extended capabilities payload<BR />Jan 01 07:10:45 [IKEv1]: IP = 201.77.XXX.XXX, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 144<BR />Jan 01 07:10:45 [IKEv1]: IP = 201.77.XXX.XXX, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + NONE (0) total length : 80<BR />Jan 01 07:10:45 [IKEv1 DEBUG]: IP = 201.77.XXX.XXX, processing SA payload<BR />Jan 01 07:10:45 [IKEv1 DEBUG]: IP = 201.77.XXX.XXX, Oakley proposal is acceptable<BR />Jan 01 07:10:45 [IKEv1 DEBUG]: IP = 201.77.XXX.XXX, constructing ke payload<BR />Jan 01 07:10:45 [IKEv1 DEBUG]: IP = 201.77.XXX.XXX, constructing nonce payload<BR />Jan 01 07:10:45 [IKEv1 DEBUG]: IP = 201.77.XXX.XXX, constructing Cisco Unity VID payload<BR />Jan 01 07:10:45 [IKEv1 DEBUG]: IP = 201.77.XXX.XXX, constructing xauth V6 VID payload<BR />Jan 01 07:10:45 [IKEv1 DEBUG]: IP = 201.77.XXX.XXX, Send IOS VID<BR />Jan 01 07:10:45 [IKEv1 DEBUG]: IP = 201.77.XXX.XXX, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000409)<BR />Jan 01 07:10:45 [IKEv1 DEBUG]: IP = 201.77.XXX.XXX, constructing VID payload<BR />Jan 01 07:10:45 [IKEv1 DEBUG]: IP = 201.77.XXX.XXX, Send Altiga/Cisco VPN3000/Cisco ASA GW VID<BR />Jan 01 07:10:45 [IKEv1]: IP = 201.77.XXX.XXX, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256<BR />Jan 01 07:10:45 [IKEv1]: IP = 201.77.XXX.XXX, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + NONE (0) total length : 204<BR />Jan 01 07:10:45 [IKEv1 DEBUG]: IP = 201.77.XXX.XXX, processing ke payload<BR />Jan 01 07:10:45 [IKEv1 DEBUG]: IP = 201.77.XXX.XXX, processing ISA_KE payload<BR />Jan 01 07:10:45 [IKEv1 DEBUG]: IP = 201.77.XXX.XXX, processing nonce payload<BR />Jan 01 07:10:45 [IKEv1 DEBUG]: IP = 201.77.XXX.XXX, processing VID payload<BR />Jan 01 07:10:45 [IKEv1 DEBUG]: IP = 201.77.XXX.XXX, Processing IOS/PIX Vendor ID payload (version: 1.0.0, capabilities: 0000000f)<BR />Jan 01 07:10:45 [IKEv1]: IP = 201.77.XXX.XXX, Connection landed on tunnel_group 201.77.XXX.XXX<BR />Jan 01 07:10:45 [IKEv1 DEBUG]: Group = 201.77.XXX.XXX, IP = 201.77.XXX.XXX, Generating keys for Initiator...<BR />Jan 01 07:10:45 [IKEv1 DEBUG]: Group = 201.77.XXX.XXX, IP = 201.77.XXX.XXX, constructing ID payload<BR />Jan 01 07:10:45 [IKEv1 DEBUG]: Group = 201.77.XXX.XXX, IP = 201.77.XXX.XXX, constructing hash payload<BR />Jan 01 07:10:45 [IKEv1 DEBUG]: Group = 201.77.XXX.XXX, IP = 201.77.XXX.XXX, Computing hash for ISAKMP<BR />Jan 01 07:10:45 [IKEv1 DEBUG]: IP = 201.77.XXX.XXX, Constructing IOS keep alive payload: proposal=32767/32767 sec.<BR />Jan 01 07:10:45 [IKEv1 DEBUG]: Group = 201.77.XXX.XXX, IP = 201.77.XXX.XXX, constructing dpd vid payload<BR />Jan 01 07:10:45 [IKEv1]: IP = 201.77.XXX.XXX, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 96<BR />Jan 01 07:10:45 [IKEv1]: IP = 201.77.XXX.XXX, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 64<BR />Jan 01 07:10:45 [IKEv1 DEBUG]: Group = 201.77.XXX.XXX, IP = 201.77.XXX.XXX, processing ID payload<BR />Jan 01 07:10:45 [IKEv1 DECODE]: Group = 201.77.XXX.XXX, IP = 201.77.XXX.XXX, ID_IPV4_ADDR ID received<BR />201.77.XXX.XXX<BR />Jan 01 07:10:45 [IKEv1 DEBUG]: Group = 201.77.XXX.XXX, IP = 201.77.XXX.XXX, processing hash payload<BR />Jan 01 07:10:45 [IKEv1 DEBUG]: Group = 201.77.XXX.XXX, IP = 201.77.XXX.XXX, Computing hash for ISAKMP<BR />Jan 01 07:10:45 [IKEv1]: IP = 201.77.XXX.XXX, Connection landed on tunnel_group 201.77.XXX.XXX<BR />Jan 01 07:10:45 [IKEv1]: Group = 201.77.XXX.XXX, IP = 201.77.XXX.XXX, Freeing previously allocated memory for authorization-dn-attributes<BR />Jan 01 07:10:45 [IKEv1 DEBUG]: Group = 201.77.XXX.XXX, IP = 201.77.XXX.XXX, Oakley begin quick mode<BR />Jan 01 07:10:45 [IKEv1 DECODE]: Group = 201.77.XXX.XXX, IP = 201.77.XXX.XXX, IKE Initiator starting QM: msg id = fa5a0899<BR />Jan 01 07:10:45 [IKEv1 DEBUG]: Group = 201.77.XXX.XXX, IP = 201.77.XXX.XXX, Delete with reason code capability is negotiated<BR />Jan 01 07:10:45 [IKEv1]: Group = 201.77.XXX.XXX, IP = 201.77.XXX.XXX, PHASE 1 COMPLETED<BR />Jan 01 07:10:45 [IKEv1]: IP = 201.77.XXX.XXX, Keep-alive type for this connection: IOS<BR />Jan 01 07:10:45 [IKEv1 DEBUG]: Group = 201.77.XXX.XXX, IP = 201.77.XXX.XXX, Starting P1 rekey timer: 21600 seconds.<BR />Jan 01 07:10:45 [IKEv1 DEBUG]: Group = 201.77.XXX.XXX, IP = 201.77.XXX.XXX, IKE got SPI from key engine: SPI = 0x1c985b0f<BR />Jan 01 07:10:45 [IKEv1 DEBUG]: Group = 201.77.XXX.XXX, IP = 201.77.XXX.XXX, oakley constucting quick mode<BR />Jan 01 07:10:45 [IKEv1 DEBUG]: Group = 201.77.XXX.XXX, IP = 201.77.XXX.XXX, constructing blank hash payload<BR />Jan 01 07:10:45 [IKEv1 DEBUG]: Group = 201.77.XXX.XXX, IP = 201.77.XXX.XXX, constructing IPSec SA payload<BR />Jan 01 07:10:45 [IKEv1 DEBUG]: Group = 201.77.XXX.XXX, IP = 201.77.XXX.XXX, constructing IPSec nonce payload<BR />Jan 01 07:10:45 [IKEv1 DEBUG]: Group = 201.77.XXX.XXX, IP = 201.77.XXX.XXX, constructing proxy ID<BR />Jan 01 07:10:45 [IKEv1 DEBUG]: Group = 201.77.XXX.XXX, IP = 201.77.XXX.XXX, Transmitting Proxy Id:<BR />&nbsp; Local host:&nbsp; 172.20.3.33&nbsp; Protocol 1&nbsp; Port 0<BR />&nbsp; Remote subnet: 201.77.217.104&nbsp; Mask 255.255.255.248 Protocol 1&nbsp; Port 0<BR />Jan 01 07:10:45 [IKEv1 DECODE]: Group = 201.77.XXX.XXX, IP = 201.77.XXX.XXX, IKE Initiator sending Initial Contact<BR />Jan 01 07:10:45 [IKEv1 DEBUG]: Group = 201.77.XXX.XXX, IP = 201.77.XXX.XXX, constructing qm hash payload<BR />Jan 01 07:10:45 [IKEv1 DECODE]: Group = 201.77.XXX.XXX, IP = 201.77.XXX.XXX, IKE Initiator sending 1st QM pkt: msg id = fa5a0899<BR />Jan 01 07:10:45 [IKEv1]: IP = 201.77.XXX.XXX, IKE_DECODE SENDING Message (msgid=fa5a0899) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) +</P></BODY></HTML> Fri, 07 Jan 2011 23:11:12 GMT https://community.cisco.com/t5/network-security/errors-after-pix-to-asa-migration/m-p/1634350#M595025 Thiago Cella 2011-01-07T23:11:12Z https://community.cisco.com/t5/network-security/errors-after-pix-to-asa-migration/m-p/1634351#M595026 <HTML><HEAD></HEAD><BODY><P>What version is your ASA firewall?</P><P></P><P>Also, instead of using tcp and icmp protocol and ports in the crypto ACL, would you be able to change it to just IP?</P><P></P><P>On ASA:</P><P>access-list VPNIFS extended permit ip 172.20.3.32 255.255.255.248 201.77.XXX.XXX&nbsp; 255.255.255.248</P><P></P><P>On Router:</P><P>access-list 159 permit ip 201.77.XXX.XXX 0.0.0.7 172.20.3.32 0.0.0.7</P></BODY></HTML> Fri, 07 Jan 2011 23:24:31 GMT https://community.cisco.com/t5/network-security/errors-after-pix-to-asa-migration/m-p/1634351#M595026 Jennifer Halim 2011-01-07T23:24:31Z https://community.cisco.com/t5/network-security/errors-after-pix-to-asa-migration/m-p/1634352#M595027 <HTML><HEAD></HEAD><BODY><P>I cant test now this ACL, but tomorrow i will try.&nbsp; The ASA is a 5505 with version 8.0(4)</P><P></P><P>TKS!!!<SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/images/emoticons/happy.gif"></SPAN></P></BODY></HTML> Fri, 07 Jan 2011 23:38:23 GMT https://community.cisco.com/t5/network-security/errors-after-pix-to-asa-migration/m-p/1634352#M595027 Thiago Cella 2011-01-07T23:38:23Z https://community.cisco.com/t5/network-security/errors-after-pix-to-asa-migration/m-p/1634353#M595028 <HTML><HEAD></HEAD><BODY><P>Hi Jennifer,</P><P></P><P>Your suggestion worked!!!!!</P><P></P><P>TKS!!</P><P></P><P>But i have a doubt, why if this ACL :</P><P></P><P>access-list VPNIFS extended permit tcp host 172.20.3.33 201.77.XXX.XXX&nbsp; 255.255.255.248 eq lpd <BR />access-list VPNIFS extended permit icmp host 172.20.3.33 201.77.XXX.XXX&nbsp; 255.255.255.248 <BR />access-list VPNIFS extended permit tcp host 172.20.3.33 201.77.XXX.XXX&nbsp; 255.255.255.248 eq 3389</P><P></P><P>works in PIX and the ASA not?</P></BODY></HTML> Sun, 09 Jan 2011 00:05:22 GMT https://community.cisco.com/t5/network-security/errors-after-pix-to-asa-migration/m-p/1634353#M595028 Thiago Cella 2011-01-09T00:05:22Z https://community.cisco.com/t5/network-security/errors-after-pix-to-asa-migration/m-p/1634354#M595029 <HTML><HEAD></HEAD><BODY><P>Great to hear.</P><P>It is typically recommended to use "ip" for crypto ACL rather than protocol and port specific. If you would like to restrict traffic, you can use ACL and applied that to the interface to restrict traffic.</P><P>There might be bug on the ASA version that you are running, that's why it's failing.</P></BODY></HTML> Sun, 09 Jan 2011 10:50:32 GMT https://community.cisco.com/t5/network-security/errors-after-pix-to-asa-migration/m-p/1634354#M595029 Jennifer Halim 2011-01-09T10:50:32Z