
Cisco ASA Tunnel with FortiNet Dial UP

Dear Cisco Team,

I have a Fortinet without a real static IP and need a dial-up VPN to our Cisco ASA 5525 v9 with a real static IP, so how can we do that?


Any update?

It's a very urgent case and should be solved quickly, so your usual support is highly appreciated.

Hi,

Please check the following link to configure a dynamic L2L VPN on Cisco ASA:

https://supportforums.cisco.com/discussion/11084776/cisco-asa-and-fortigate-dynamic-l2l-vpn-setup

Regards,

Aditya

Please rate helpful posts and mark correct answers.

Dear Aditya,

Thank you for your support. I need the configuration for the ASA v9, not PIX, so please advise.

Any update?

It's a critical case for me, so please support me.

Dear Cisco Team,

I tried this configuration:

crypto map outsideBGP_map 500 ipsec-isakmp dynamic Talabatvpn

crypto dynamic-map Talbatvpn 1 set ikev1 transform-set ESP-3DES-SHA
crypto dynamic-map Talbatvpn 1 set reverse-route

tunnel-group DefaultL2LGroup type ipsec-l2l
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *
object-group network Talbat2
 network-object 192.168.4.0 255.255.255.0

object-group network RCCTalbat
 network-object 10.13.1.0 255.255.255.0

access-list acl_inside extended permit ip object-group RCCTalbat object-group Talbat2
nat (Inside,outsideBGP) source static RCCTalbat RCCTalbat destination static Talbat2 Talbat2
access-list 500 extended permit ip object-group RCCTalbat object-group Talbat2

but it gives me these logs:

Apr 24 17:25:54 [IKEv1]Group = DefaultL2LGroup, IP = 62.215.108.121, Duplicate Phase 1 packet detected.  Retransmitting last packet.
Apr 24 17:25:54 [IKEv1]Group = DefaultL2LGroup, IP = 62.215.108.121, P1 Retransmit msg dispatched to MM FSM

Apr 24 17:26:02 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 62.215.108.121, IKE MM Responder FSM error history (struct &0x00007fff75625d90)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG5, EV_PROB_AUTH_FAIL-->MM_WAIT_MSG5, EV_TIMEOUT-->MM_WAIT_MSG5, NullEvent-->MM_SND_MSG4, EV_CRYPTO_ACTIVE-->MM_SND_MSG4, EV_SND_MSG-->MM_SND_MSG4, EV_START_TMR-->MM_SND_MSG4, EV_RESEND_MSG
Apr 24 17:26:02 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 62.215.108.121, IKE SA MM:d52b7673 terminating:  flags 0x01000002, refcnt 0, tuncnt 0
Apr 24 17:26:02 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 62.215.108.121, sending delete/delete with reason message
Apr 24 17:26:02 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 62.215.108.121, constructing blank hash payload
Apr 24 17:26:02 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 62.215.108.121, constructing IKE delete payload
Apr 24 17:26:02 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 62.215.108.121, constructing qm hash payload
Apr 24 17:26:02 [IKEv1]IP = 62.215.108.121, IKE_DECODE SENDING Message (msgid=872680aa) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 76

Please advise.

Hi,

What is the status of sh crypto ikev1 sa for this tunnel?

Is it stuck at MM_WAIT_MSG5?

If yes, then check the pre-shared key on both devices and also make sure UDP 4500 is not blocked in the path.

Regards,

Aditya

Please rate helpful posts.
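
Added example (not part of the thread and not Cisco tooling): Python that parses the "FSM error history" debug line shown in the logs above, orders its state/event pairs oldest first, and reports the state in which main mode stalled along with the checks named in the reply. The sample log is constructed (documentation IP, placeholder struct address and msgid), and the newest-first ordering of the history line is an assumption read from the posted output.

```python
import re

# Constructed sample modeled on the debug output in the thread
# (documentation IP, placeholder struct address and msgid).
SAMPLE_LOG = """\
Apr 24 17:25:54 [IKEv1]Group = DefaultL2LGroup, IP = 203.0.113.10, Duplicate Phase 1 packet detected.  Retransmitting last packet.
Apr 24 17:26:02 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 203.0.113.10, IKE MM Responder FSM error history (struct &0x0000000000000000)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG5, EV_PROB_AUTH_FAIL-->MM_WAIT_MSG5, EV_TIMEOUT-->MM_WAIT_MSG5, NullEvent-->MM_SND_MSG4, EV_CRYPTO_ACTIVE-->MM_SND_MSG4, EV_SND_MSG
Apr 24 17:26:02 [IKEv1]IP = 203.0.113.10, IKE_DECODE SENDING Message (msgid=00000000) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 76
"""

HISTORY_RE = re.compile(
    r"Group = (?P<group>[^,]+), IP = (?P<ip>[^,]+), "
    r"IKE MM (?P<role>Responder|Initiator) FSM error history "
    r"\(struct [^)]*\)\s+<state>, <event>:\s+(?P<chain>.+)$"
)

def parse_fsm_history(line):
    """Return group, peer IP, role and (state, event) steps, oldest first."""
    m = HISTORY_RE.search(line)
    if m is None:
        return None
    steps = []
    for hop in m.group("chain").strip().split("-->"):
        state, _, event = hop.partition(",")
        steps.append((state.strip(), event.strip()))
    steps.reverse()  # assumption: the ASA prints the newest transition first
    return {"group": m.group("group"), "ip": m.group("ip"),
            "role": m.group("role"), "steps": steps}

def diagnose(log_text):
    """Report, per failed negotiation, the state in which main mode stalled."""
    findings = []
    for line in log_text.splitlines():
        hist = parse_fsm_history(line)
        if hist is None:
            continue
        # The last non-terminal state is where the exchange stopped progressing.
        stalled = next((s for s, _ in reversed(hist["steps"]) if s != "MM_DONE"), None)
        events = {e for _, e in hist["steps"]}
        hint = None
        if stalled == "MM_WAIT_MSG5":  # checks named in the reply above
            hint = "compare pre-shared key on both peers; confirm UDP 4500 is not blocked in the path"
        findings.append({"ip": hist["ip"], "group": hist["group"], "stalled_at": stalled,
                         "auth_fail": "EV_PROB_AUTH_FAIL" in events, "hint": hint})
    return findings

if __name__ == "__main__":
    for f in diagnose(SAMPLE_LOG):
        print(f)
```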
