Errors after Pix to ASA migration

Thiago Cella
Level 1

Hi people,

I have the following scenario: in my network I have a PIX with 2 VPNs configured, and everything works fine, no errors. But 2 weeks ago we changed the PIX to an ASA 5505 with the same configs, and one of the VPNs is generating intermittence, losing packets periodically, sometimes 20 seconds after the VPN forms, sometimes 40 seconds, sometimes 1 minute. If I run the command "show crypto isakmp sa" the VPN stays active; enabling "debug crypto isakmp 150":

Jan 01 07:10:38 [IKEv1]: Group = 201.77.XXX.XX, IP = 201.77.XXX.XX, QM IsRekeyed old sa not found by addr
Jan 01 07:10:38 [IKEv1]: Group = 201.77.XXX.XX, IP = 201.77.XXX.XX, Static Crypto Map check, checking map = biomap, seq = 1...
Jan 01 07:10:38 [IKEv1]: Group = 201.77.XXX.XX, IP = 201.77.XXX.XX, Static Crypto Map check, map = biomap, seq = 1, ACL does not match proxy IDs src:201.77.XXX.XXX dst:172.20.3.32

Is there any feature in the ASA that can be causing this issue? Why, if I return to the PIX, does the VPN not lose packets?

The PIX and ASA have the same configs.

Tks



Jennifer Halim
Cisco Employee

Based on the following error message:

Jan 01 07:10:38 [IKEv1]: Group = 201.77.XXX.XX, IP = 201.77.XXX.XX, Static Crypto Map check, map = biomap, seq = 1, ACL does not match proxy IDs src:201.77.XXX.XXX dst:172.20.3.32

The crypto ACL is not a mirror image between the 2 sides.

Can you please share the config from both sides of the tunnel. Thanks.

Tks Jennifer,

Here is the config, but if I return to the PIX the VPN works with no errors. The other side is administered by another company.

crypto map biomap 1 match address VPN2
crypto map biomap 1 set peer 201.77.XXX.XXX
crypto map biomap 1 set transform-set bioset
crypto map biomap 1 set security-association lifetime seconds 28800
crypto map biomap 1 set security-association lifetime kilobytes 2147483647

tunnel-group 201.77.XXX.XXX type ipsec-l2l
tunnel-group 201.77.XXX.XXX ipsec-attributes
pre-shared-key pass

global (outside) 1 172.20.3.33
nat (inside) 1 access-list NATIFS

static (inside,outside) 172.20.3.37 192.168.1.101 netmask 255.255.255.255
static (inside,outside) 172.20.3.38 192.168.1.102 netmask 255.255.255.255
static (inside,outside) 172.20.3.36 192.168.1.100 netmask 255.255.255.255

isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 28800

isakmp policy 200 authentication pre-share
isakmp policy 200 encryption 3des
isakmp policy 200 hash sha
isakmp policy 200 group 2
isakmp policy 200 lifetime 86400

Can you please share the output of access-list VPN2?

The PIX might be a little bit lax in regards to matching or having a mirror-image access-list with the remote end. You would definitely need to have a mirror-image ACL with the remote VPN device. If you could get the crypto ACL on the remote end so you can match it on your end (configure a mirror-image ACL), that would resolve the issue.

Sorry, I forgot the ACLs:

access-list NATIFS extended permit icmp 192.168.1.0 255.255.255.0 201.77.XXX.XXX 255.255.255.248

access-list VPNIFS extended permit tcp host 172.20.3.33 201.77.XXX.XXX  255.255.255.248 eq lpd
access-list VPNIFS extended permit icmp host 172.20.3.33 201.77.XXX.XXX  255.255.255.248
access-list VPNIFS extended permit tcp host 172.20.3.33 201.77.XXX.XXX  255.255.255.248 eq 3389

The ACL on the other side is this (one detail: the other side is a router):

access-list 159 permit tcp 201.77.XXX.XXX 0.0.0.7 eq 3389 172.20.3.32 0.0.0.7
access-list 159 permit tcp 201.77.XXX.XXX 0.0.0.7 172.20.3.32 0.0.0.7 eq lpd
access-list 159 permit icmp 201.77.XXX.XXX 0.0.0.7 172.20.3.32 0.0.0.7

Tks

Doesn't seem to be mirror image to me.

The ASA end has "host 172.20.3.33" while the router end has "172.20.3.32 0.0.0.7"

Since you have access to the ASA end, you would need to change the VPNIFS ACL:

FROM:

access-list VPNIFS extended permit tcp host 172.20.3.33 201.77.XXX.XXX  255.255.255.248 eq lpd
access-list VPNIFS extended permit icmp host 172.20.3.33 201.77.XXX.XXX  255.255.255.248
access-list VPNIFS extended permit tcp host 172.20.3.33 201.77.XXX.XXX  255.255.255.248 eq 3389

TO:

access-list VPNIFS extended permit tcp 172.20.3.32 255.255.255.248 201.77.XXX.XXX  255.255.255.248 eq lpd
access-list VPNIFS extended permit icmp 172.20.3.32 255.255.255.248 201.77.XXX.XXX  255.255.255.248
access-list VPNIFS extended permit tcp 172.20.3.32 255.255.255.248 201.77.XXX.XXX  255.255.255.248 eq 3389

Clear the tunnel: "clear cry isa sa" and "clear cry ipsec sa", and reestablish the tunnel.

It should work after that.

Hope that helps.

Hi Jennifer, tks again,

But it didn't work on the ASA; on the PIX it worked.

Pls kindly share the latest configuration, and also debug output. Thanks.

config:

crypto map biomap 1 match address VPN2
crypto map biomap 1 set peer 201.77.XXX.XXX
crypto map biomap 1 set transform-set bioset
crypto map biomap 1 set security-association lifetime seconds 28800
crypto map biomap 1 set security-association lifetime kilobytes 2147483647

tunnel-group 201.77.XXX.XXX type ipsec-l2l
tunnel-group 201.77.XXX.XXX ipsec-attributes
pre-shared-key pass

global (outside) 1 172.20.3.33
nat (inside) 1 access-list NATIFS

static (inside,outside) 172.20.3.37 192.168.1.101 netmask 255.255.255.255
static (inside,outside) 172.20.3.38 192.168.1.102 netmask 255.255.255.255
static (inside,outside) 172.20.3.36 192.168.1.100 netmask 255.255.255.255

isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 28800

isakmp policy 200 authentication pre-share
isakmp policy 200 encryption 3des
isakmp policy 200 hash sha
isakmp policy 200 group 2
isakmp policy 200 lifetime 86400

access-list VPNIFS extended permit tcp 172.20.3.32 255.255.255.248 201.77.XXX.XXX  255.255.255.248 eq lpd
access-list VPNIFS extended permit icmp 172.20.3.32 255.255.255.248 201.77.XXX.XXX  255.255.255.248
access-list VPNIFS extended permit tcp 172.20.3.32 255.255.255.248 201.77.XXX.XXX  255.255.255.248 eq 3389

Debug:

Jan 01 07:10:38 [IKEv1 DECODE]: IP = 201.77.XXX.XXX, IKE Responder starting QM: msg id = 92579587
Jan 01 07:10:38 [IKEv1]: IP = 201.77.XXX.XXX, IKE_DECODE RECEIVED Message (msgid=92579587) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 168
Jan 01 07:10:38 [IKEv1 DEBUG]: Group = 201.77.XXX.XXX, IP = 201.77.XXX.XXX, processing hash payload
Jan 01 07:10:38 [IKEv1 DEBUG]: Group = 201.77.XXX.XXX, IP = 201.77.XXX.XXX, processing SA payload
Jan 01 07:10:38 [IKEv1 DEBUG]: Group = 201.77.XXX.XXX, IP = 201.77.XXX.XXX, processing nonce payload
Jan 01 07:10:38 [IKEv1 DEBUG]: Group = 201.77.XXX.XXX, IP = 201.77.XXX.XXX, processing ID payload
Jan 01 07:10:38 [IKEv1 DECODE]: Group = 201.77.XXX.XXX, IP = 201.77.XXX.XXX, ID_IPV4_ADDR_SUBNET ID received--201.77.217.104--255.255.255.248
Jan 01 07:10:38 [IKEv1]: Group = 201.77.XXX.XXX, IP = 201.77.XXX.XXX, Received remote IP Proxy Subnet data in ID Payload:   Address 201.77.217.104, Mask 255.255.255.248, Protocol 6, Port 0
Jan 01 07:10:38 [IKEv1 DEBUG]: Group = 201.77.XXX.XXX, IP = 201.77.XXX.XXX, processing ID payload
Jan 01 07:10:38 [IKEv1 DECODE]: Group = 201.77.XXX.XXX, IP = 201.77.XXX.XXX, ID_IPV4_ADDR_SUBNET ID received--172.20.3.32--255.255.255.248
Jan 01 07:10:38 [IKEv1]: Group = 201.77.XXX.XXX, IP = 201.77.XXX.XXX, Received local IP Proxy Subnet data in ID Payload:   Address 172.20.3.32, Mask 255.255.255.248, Protocol 6, Port 515
Jan 01 07:10:38 [IKEv1]: Group = 201.77.XXX.XXX, IP = 201.77.XXX.XXX, QM IsRekeyed old sa not found by addr
Jan 01 07:10:38 [IKEv1]: Group = 201.77.XXX.XXX, IP = 201.77.XXX.XXX, Static Crypto Map check, checking map = biomap, seq = 1...
Jan 01 07:10:38 [IKEv1]: Group = 201.77.XXX.XXX, IP = 201.77.XXX.XXX, Static Crypto Map check, map = biomap, seq = 1, ACL does not match proxy IDs src:201.77.217.104 dst:172.20.3.32
Jan 01 07:10:38 [IKEv1]: Group = 201.77.XXX.XXX, IP = 201.77.XXX.XXX, Static Crypto Map check, checking map = biomap, seq = 10...
Jan 01 07:10:38 [IKEv1]: Group = 201.77.XXX.XXX, IP = 201.77.XXX.XXX, Static Crypto Map check, map = biomap, seq = 10, ACL does not match proxy IDs src:201.77.217.104 dst:172.20.3.32
Jan 01 07:10:38 [IKEv1]: Group = 201.77.XXX.XXX, IP = 201.77.XXX.XXX, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 201.77.217.104/255.255.255.248/6/0 local proxy 172.20.3.32/255.255.255.248/6/515 on interface outside
Jan 01 07:10:38 [IKEv1 DEBUG]: Group = 201.77.XXX.XXX, IP = 201.77.XXX.XXX, sending notify message
Jan 01 07:10:38 [IKEv1 DEBUG]: Group = 201.77.XXX.XXX, IP = 201.77.XXX.XXX, constructing blank hash payload
Jan 01 07:10:38 [IKEv1 DEBUG]: Group = 201.77.XXX.XXX, IP = 201.77.XXX.XXX, constructing qm hash payload
Jan 01 07:10:38 [IKEv1]: IP = 201.77.XXX.XXX, IKE_DECODE SENDING Message (msgid=9e59db25) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 224
Jan 01 07:10:38 [IKEv1]: Group = 201.77.XXX.XXX, IP = 201.77.XXX.XXX, QM FSM error (P2 struct &0xc6ed9718, mess id 0x92579587)!
Jan 01 07:10:38 [IKEv1 DEBUG]: Group = 201.77.XXX.XXX, IP = 201.77.XXX.XXX, IKE QM Responder FSM error history (struct &0xc6ed9718)  , :  QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_NEGO_SA-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH
Jan 01 07:10:38 [IKEv1 DEBUG]: Group = 201.77.XXX.XXX, IP = 201.77.XXX.XXX, sending delete/delete with reason message
Jan 01 07:10:38 [IKEv1]: Group = 201.77.XXX.XXX, IP = 201.77.XXX.XXX, Removing peer from correlator table failed, no match!
Jan 01 07:10:38 [IKEv1]: IP = 201.77.XXX.XXX, IKE_DECODE RECEIVED Message (msgid=c8902920) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
Jan 01 07:10:38 [IKEv1 DEBUG]: Group = 201.77.XXX.XXX, IP = 201.77.XXX.XXX, processing hash payload
Jan 01 07:10:38 [IKEv1 DEBUG]: Group = 201.77.XXX.XXX, IP = 201.77.XXX.XXX, processing delete
Jan 01 07:10:38 [IKEv1]: Group = 201.77.XXX.XXX, IP = 201.77.XXX.XXX, Connection terminated for peer 201.77.XXX.XXX.  Reason: Peer Terminate  Remote Proxy N/A, Local Proxy N/A
Jan 01 07:10:38 [IKEv1 DEBUG]: Group = 201.77.XXX.XXX, IP = 201.77.XXX.XXX, sending delete/delete with reason message
Jan 01 07:10:38 [IKEv1 DEBUG]: Group = 201.77.XXX.XXX, IP = 201.77.XXX.XXX, constructing blank hash payload
Jan 01 07:10:38 [IKEv1 DEBUG]: Group = 201.77.XXX.XXX, IP = 201.77.XXX.XXX, constructing IPSec delete payload
Jan 01 07:10:38 [IKEv1 DEBUG]: Group = 201.77.XXX.XXX, IP = 201.77.XXX.XXX, constructing qm hash payload
Jan 01 07:10:38 [IKEv1]: IP = 201.77.XXX.XXX, IKE_DECODE SENDING Message (msgid=3cd3241c) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 68
Jan 01 07:10:38 [IKEv1 DEBUG]: Group = 201.77.XXX.XXX, IP = 201.77.XXX.XXX, Active unit receives a delete event for remote peer 201.77.XXX.XXX.
Jan 01 07:10:38 [IKEv1 DEBUG]: Group = 201.77.XXX.XXX, IP = 201.77.XXX.XXX, IKE Deleting SA: Remote Proxy 201.77.217.104, Local Proxy 172.20.3.33
Jan 01 07:10:38 [IKEv1 DEBUG]: Group = 201.77.XXX.XXX, IP = 201.77.XXX.XXX, IKE SA MM:23cef9a3 terminating:  flags 0x01000822, refcnt 0, tuncnt 0
Jan 01 07:10:38 [IKEv1]: Ignoring msg to mark SA with dsID 3764224 dead because SA deleted
Jan 01 07:10:38 [IKEv1 DEBUG]: Pitcher: received key delete msg, spi 0x431730e0
Jan 01 07:10:38 [IKEv1 DEBUG]: Pitcher: received key delete msg, spi 0x431730e0
Jan 01 07:10:38 [IKEv1 DEBUG]: Pitcher: received key delete msg, spi 0xadea2864
Jan 01 07:10:45 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jan 01 07:10:45 [IKEv1]: IP = 201.77.XXX.XXX, IKE Initiator: New Phase 1, Intf inside, IKE Peer 201.77.XXX.XXX  local Proxy Address 172.20.3.33, remote Proxy Address 201.77.217.104,  Crypto map (biomap)
Jan 01 07:10:45 [IKEv1 DEBUG]: IP = 201.77.XXX.XXX, constructing ISAKMP SA payload
Jan 01 07:10:45 [IKEv1 DEBUG]: IP = 201.77.XXX.XXX, constructing Fragmentation VID + extended capabilities payload
Jan 01 07:10:45 [IKEv1]: IP = 201.77.XXX.XXX, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 144
Jan 01 07:10:45 [IKEv1]: IP = 201.77.XXX.XXX, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + NONE (0) total length : 80
Jan 01 07:10:45 [IKEv1 DEBUG]: IP = 201.77.XXX.XXX, processing SA payload
Jan 01 07:10:45 [IKEv1 DEBUG]: IP = 201.77.XXX.XXX, Oakley proposal is acceptable
Jan 01 07:10:45 [IKEv1 DEBUG]: IP = 201.77.XXX.XXX, constructing ke payload
Jan 01 07:10:45 [IKEv1 DEBUG]: IP = 201.77.XXX.XXX, constructing nonce payload
Jan 01 07:10:45 [IKEv1 DEBUG]: IP = 201.77.XXX.XXX, constructing Cisco Unity VID payload
Jan 01 07:10:45 [IKEv1 DEBUG]: IP = 201.77.XXX.XXX, constructing xauth V6 VID payload
Jan 01 07:10:45 [IKEv1 DEBUG]: IP = 201.77.XXX.XXX, Send IOS VID
Jan 01 07:10:45 [IKEv1 DEBUG]: IP = 201.77.XXX.XXX, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000409)
Jan 01 07:10:45 [IKEv1 DEBUG]: IP = 201.77.XXX.XXX, constructing VID payload
Jan 01 07:10:45 [IKEv1 DEBUG]: IP = 201.77.XXX.XXX, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Jan 01 07:10:45 [IKEv1]: IP = 201.77.XXX.XXX, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256
Jan 01 07:10:45 [IKEv1]: IP = 201.77.XXX.XXX, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + NONE (0) total length : 204
Jan 01 07:10:45 [IKEv1 DEBUG]: IP = 201.77.XXX.XXX, processing ke payload
Jan 01 07:10:45 [IKEv1 DEBUG]: IP = 201.77.XXX.XXX, processing ISA_KE payload
Jan 01 07:10:45 [IKEv1 DEBUG]: IP = 201.77.XXX.XXX, processing nonce payload
Jan 01 07:10:45 [IKEv1 DEBUG]: IP = 201.77.XXX.XXX, processing VID payload
Jan 01 07:10:45 [IKEv1 DEBUG]: IP = 201.77.XXX.XXX, Processing IOS/PIX Vendor ID payload (version: 1.0.0, capabilities: 0000000f)
Jan 01 07:10:45 [IKEv1]: IP = 201.77.XXX.XXX, Connection landed on tunnel_group 201.77.XXX.XXX
Jan 01 07:10:45 [IKEv1 DEBUG]: Group = 201.77.XXX.XXX, IP = 201.77.XXX.XXX, Generating keys for Initiator...
Jan 01 07:10:45 [IKEv1 DEBUG]: Group = 201.77.XXX.XXX, IP = 201.77.XXX.XXX, constructing ID payload
Jan 01 07:10:45 [IKEv1 DEBUG]: Group = 201.77.XXX.XXX, IP = 201.77.XXX.XXX, constructing hash payload
Jan 01 07:10:45 [IKEv1 DEBUG]: Group = 201.77.XXX.XXX, IP = 201.77.XXX.XXX, Computing hash for ISAKMP
Jan 01 07:10:45 [IKEv1 DEBUG]: IP = 201.77.XXX.XXX, Constructing IOS keep alive payload: proposal=32767/32767 sec.
Jan 01 07:10:45 [IKEv1 DEBUG]: Group = 201.77.XXX.XXX, IP = 201.77.XXX.XXX, constructing dpd vid payload
Jan 01 07:10:45 [IKEv1]: IP = 201.77.XXX.XXX, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 96
Jan 01 07:10:45 [IKEv1]: IP = 201.77.XXX.XXX, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 64
Jan 01 07:10:45 [IKEv1 DEBUG]: Group = 201.77.XXX.XXX, IP = 201.77.XXX.XXX, processing ID payload
Jan 01 07:10:45 [IKEv1 DECODE]: Group = 201.77.XXX.XXX, IP = 201.77.XXX.XXX, ID_IPV4_ADDR ID received 201.77.XXX.XXX
Jan 01 07:10:45 [IKEv1 DEBUG]: Group = 201.77.XXX.XXX, IP = 201.77.XXX.XXX, processing hash payload
Jan 01 07:10:45 [IKEv1 DEBUG]: Group = 201.77.XXX.XXX, IP = 201.77.XXX.XXX, Computing hash for ISAKMP
Jan 01 07:10:45 [IKEv1]: IP = 201.77.XXX.XXX, Connection landed on tunnel_group 201.77.XXX.XXX
Jan 01 07:10:45 [IKEv1]: Group = 201.77.XXX.XXX, IP = 201.77.XXX.XXX, Freeing previously allocated memory for authorization-dn-attributes
Jan 01 07:10:45 [IKEv1 DEBUG]: Group = 201.77.XXX.XXX, IP = 201.77.XXX.XXX, Oakley begin quick mode
Jan 01 07:10:45 [IKEv1 DECODE]: Group = 201.77.XXX.XXX, IP = 201.77.XXX.XXX, IKE Initiator starting QM: msg id = fa5a0899
Jan 01 07:10:45 [IKEv1 DEBUG]: Group = 201.77.XXX.XXX, IP = 201.77.XXX.XXX, Delete with reason code capability is negotiated
Jan 01 07:10:45 [IKEv1]: Group = 201.77.XXX.XXX, IP = 201.77.XXX.XXX, PHASE 1 COMPLETED
Jan 01 07:10:45 [IKEv1]: IP = 201.77.XXX.XXX, Keep-alive type for this connection: IOS
Jan 01 07:10:45 [IKEv1 DEBUG]: Group = 201.77.XXX.XXX, IP = 201.77.XXX.XXX, Starting P1 rekey timer: 21600 seconds.
Jan 01 07:10:45 [IKEv1 DEBUG]: Group = 201.77.XXX.XXX, IP = 201.77.XXX.XXX, IKE got SPI from key engine: SPI = 0x1c985b0f
Jan 01 07:10:45 [IKEv1 DEBUG]: Group = 201.77.XXX.XXX, IP = 201.77.XXX.XXX, oakley constucting quick mode
Jan 01 07:10:45 [IKEv1 DEBUG]: Group = 201.77.XXX.XXX, IP = 201.77.XXX.XXX, constructing blank hash payload
Jan 01 07:10:45 [IKEv1 DEBUG]: Group = 201.77.XXX.XXX, IP = 201.77.XXX.XXX, constructing IPSec SA payload
Jan 01 07:10:45 [IKEv1 DEBUG]: Group = 201.77.XXX.XXX, IP = 201.77.XXX.XXX, constructing IPSec nonce payload
Jan 01 07:10:45 [IKEv1 DEBUG]: Group = 201.77.XXX.XXX, IP = 201.77.XXX.XXX, constructing proxy ID
Jan 01 07:10:45 [IKEv1 DEBUG]: Group = 201.77.XXX.XXX, IP = 201.77.XXX.XXX, Transmitting Proxy Id:
  Local host:  172.20.3.33  Protocol 1  Port 0
  Remote subnet: 201.77.217.104  Mask 255.255.255.248 Protocol 1  Port 0
Jan 01 07:10:45 [IKEv1 DECODE]: Group = 201.77.XXX.XXX, IP = 201.77.XXX.XXX, IKE Initiator sending Initial Contact
Jan 01 07:10:45 [IKEv1 DEBUG]: Group = 201.77.XXX.XXX, IP = 201.77.XXX.XXX, constructing qm hash payload
Jan 01 07:10:45 [IKEv1 DECODE]: Group = 201.77.XXX.XXX, IP = 201.77.XXX.XXX, IKE Initiator sending 1st QM pkt: msg id = fa5a0899
Jan 01 07:10:45 [IKEv1]: IP = 201.77.XXX.XXX, IKE_DECODE SENDING Message (msgid=fa5a0899) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) +

What version is your ASA firewall?

Also, instead of using tcp and icmp protocol and ports in the crypto ACL, would you be able to change it to just IP?

On ASA:

access-list VPNIFS extended permit ip 172.20.3.32 255.255.255.248 201.77.XXX.XXX  255.255.255.248

On Router:

access-list 159 permit ip 201.77.XXX.XXX 0.0.0.7 172.20.3.32 0.0.0.7

I can't test this ACL now, but tomorrow I will try. The ASA is a 5505 with version 8.0(4).

TKS!!!

Hi Jennifer,

Your suggestion worked!!!!!

TKS!!

But I have a doubt: why does this ACL:

access-list VPNIFS extended permit tcp host 172.20.3.33 201.77.XXX.XXX  255.255.255.248 eq lpd
access-list VPNIFS extended permit icmp host 172.20.3.33 201.77.XXX.XXX  255.255.255.248
access-list VPNIFS extended permit tcp host 172.20.3.33 201.77.XXX.XXX  255.255.255.248 eq 3389

work on the PIX and not on the ASA?

Great to hear.

It is typically recommended to use "ip" for the crypto ACL rather than protocol- and port-specific entries. If you would like to restrict traffic, you can use an ACL and apply it to the interface to restrict traffic.

There might be a bug on the ASA version that you are running; that's why it's failing.
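A small checker, added here and not part of the thread, that reduces each crypto ACE to the proxy-ID selector it produces (protocol, networks and ports) and tests whether the two sides are exact mirror images. The ACLs are constructed from the thread, with the masked 201.77.XXX.XXX taken as the 201.77.217.104/29 subnet that the debug output shows. It goes one step beyond the thread's address comparison by also comparing which side of each entry carries the port, which is visible in the "Port 515" of the received proxy ID above.

```python
import ipaddress

PORT_NAMES = {"lpd": 515}  # service names on this page; "eq" takes a name or number

def _endpoint(toks, i):
    """Parse one endpoint at toks[i] -> (network, port, next index). Handles 'host A',
    'any', 'A NETMASK' (ASA) and 'A WILDCARD' (IOS); ipaddress accepts both masks."""
    if toks[i] == "host":
        net, i = ipaddress.IPv4Network(toks[i + 1]), i + 2
    elif toks[i] == "any":
        net, i = ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    else:
        net, i = ipaddress.IPv4Network(f"{toks[i]}/{toks[i + 1]}", strict=False), i + 2
    port = 0  # 0 = any port, matching "Port 0" in the ASA debug
    if i < len(toks) and toks[i] == "eq":
        port, i = PORT_NAMES.get(toks[i + 1]) or int(toks[i + 1]), i + 2
    return net, port, i

def parse_acl(line):
    """Reduce one permit ACE to the proxy-ID selector it yields:
    (protocol, src network, src port, dst network, dst port)."""
    toks = line.split()
    i = toks.index("permit") + 1
    src, sport, j = _endpoint(toks, i + 1)
    dst, dport, _ = _endpoint(toks, j)
    return (toks[i], src, sport, dst, dport)

def mirror(sel):
    """The selector the other peer must hold: src and dst (with their ports) swapped."""
    proto, src, sport, dst, dport = sel
    return (proto, dst, dport, src, sport)

def mirror_mismatches(local_lines, remote_lines):
    """Selectors with no exact mirror on the other side: (local_only, remote_only)."""
    local = {parse_acl(l) for l in local_lines}
    remote_mirrored = {mirror(parse_acl(l)) for l in remote_lines}
    return sorted(local - remote_mirrored, key=str), sorted(remote_mirrored - local, key=str)

def is_mirror_image(local_lines, remote_lines):
    return not any(mirror_mismatches(local_lines, remote_lines))

# Constructed from the thread; 201.77.217.104/29 is the subnet the debug output shows.
ROUTER_ACL = [
    "access-list 159 permit tcp 201.77.217.104 0.0.0.7 eq 3389 172.20.3.32 0.0.0.7",
    "access-list 159 permit tcp 201.77.217.104 0.0.0.7 172.20.3.32 0.0.0.7 eq lpd",
    "access-list 159 permit icmp 201.77.217.104 0.0.0.7 172.20.3.32 0.0.0.7",
]
ASA_HOST_ACL = [  # original ASA crypto ACL: a single host on the local side
    "access-list VPNIFS extended permit tcp host 172.20.3.33 201.77.217.104 255.255.255.248 eq lpd",
    "access-list VPNIFS extended permit icmp host 172.20.3.33 201.77.217.104 255.255.255.248",
    "access-list VPNIFS extended permit tcp host 172.20.3.33 201.77.217.104 255.255.255.248 eq 3389",
]
ASA_SUBNET_ACL = [  # first fix: local side widened to the /29, ports still on the remote side
    "access-list VPNIFS extended permit tcp 172.20.3.32 255.255.255.248 201.77.217.104 255.255.255.248 eq lpd",
    "access-list VPNIFS extended permit icmp 172.20.3.32 255.255.255.248 201.77.217.104 255.255.255.248",
    "access-list VPNIFS extended permit tcp 172.20.3.32 255.255.255.248 201.77.217.104 255.255.255.248 eq 3389",
]
ASA_IP_ACL = ["access-list VPNIFS extended permit ip 172.20.3.32 255.255.255.248 201.77.217.104 255.255.255.248"]
ROUTER_IP_ACL = ["access-list 159 permit ip 201.77.217.104 0.0.0.7 172.20.3.32 0.0.0.7"]
```

Running `mirror_mismatches(ASA_SUBNET_ACL, ROUTER_ACL)` leaves exactly the lpd entries unmatched, because the router puts `eq lpd` on the 172.20.3.32 side while the ASA puts it on the 201.77 side; only the plain `permit ip` pair mirrors cleanly.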
