cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1541
Views
0
Helpful
3
Replies

Ipsec tunnel Between Juniper and ASA

ciscoavinash
Level 1
Level 1

Hi Team,

I have tunnel configured between cisco ASA and Juniper.

Cisco ASA is at my end. Customer complains that ipsec tunnel is getting disconnected in between. Client team have checked with juniper team and they informed that cisco ASA sending the delete SA request that is the reason tunnel is getting disconnected.

Later they suggested to remove the crypto lifetime kilobytes from the configuration . But i am not able to remove that . I can change only the size .

Did any of you faced this issue.

Please suggest if anything can be done on this.

Note:- crypto map VPN 20 set security-association lifetime kilobytes 214748364.

I changed the kilobytes value and frequency of disconnection is reduced.

Please check and suggest me on this.

3 Replies 3

ciscoavinash
Level 1
Level 1

WR ASA debug crypto isakmp 127

Apr 27 11 36 19 IKEv1 DEBUG IP 127.1.1.1, processing SA payload
Apr 27 11 36 19 IKEv1 DEBUG IP 127.1.1.1, Oakley proposal is acceptable
Apr 27 11 36 19 IKEv1 DEBUG IP 127.1.1.1, processing VID payload
Apr 27 11 36 19 IKEv1 DEBUG IP 127.1.1.1, Received DPD VID
Apr 27 11 36 19 IKEv1 DEBUG IP 127.1.1.1, processing VID payload
Apr 27 11 36 19 IKEv1 DEBUG IP 127.1.1.1, processing VID payload
Apr 27 11 36 19 IKEv1 DEBUG IP 127.1.1.1, processing VID payload
Apr 27 11 36 19 IKEv1 DEBUG IP 127.1.1.1, processing VID payload
Apr 27 11 36 19 IKEv1 DEBUG IP 127.1.1.1, processing VID payload
Apr 27 11 36 19 IKEv1 DEBUG IP 127.1.1.1, Received NAT Traversal ver 02 VID
Apr 27 11 36 19 IKEv1 DEBUG IP 127.1.1.1, processing VID payload
Apr 27 11 36 19 IKEv1 DEBUG IP 127.1.1.1, Received NAT Traversal ver 03 VID
Apr 27 11 36 19 IKEv1 DEBUG IP 127.1.1.1, processing VID payload
Apr 27 11 36 19 IKEv1 DEBUG IP 127.1.1.1, Received NAT Traversal RFC VID
Apr 27 11 36 19 IKEv1 DEBUG IP 127.1.1.1, processing VID payload
Apr 27 11 36 19 IKEv1 DEBUG IP 127.1.1.1, processing IKE SA payload
Apr 27 11 36 19 IKEv1 DEBUG IP 127.1.1.1, IKE SA Proposal 1, Transform 0 acceptable Matches global IKE entry 5
Apr 27 11 36 19 IKEv1 DEBUG IP 127.1.1.1, constructing ISAKMP SA payload
Apr 27 11 36 19 IKEv1 DEBUG IP 127.1.1.1, constructing NAT Traversal VID ver 02 payload
Apr 27 11 36 19 IKEv1 DEBUG IP 127.1.1.1, constructing Fragmentation VID extended capabilities payload
Apr 27 11 36 19 IKEv1 IP 127.1.1.1, IKE DECODE SENDING Message msgid 0 with payloads HDR SA 1 VENDOR 13 VENDOR 13 NONE 0 total length 128
Apr 27 11 36 19 IKEv1 IP 127.1.1.1, IKE DECODE RECEIVED Message msgid 0 with payloads HDR KE 4 NONCE 10 NAT D 130 NAT D 130 NONE 0 total length 284
Apr 27 11 36 19 IKEv1 DEBUG IP 127.1.1.1, processing ke payload
Apr 27 11 36 19 IKEv1 DEBUG IP 127.1.1.1, processing ISA KE payload
Apr 27 11 36 19 IKEv1 DEBUG IP 127.1.1.1, processing nonce payload
Apr 27 11 36 19 IKEv1 DEBUG IP 127.1.1.1, processing NAT Discovery payload
Apr 27 11 36 19 IKEv1 DEBUG IP 127.1.1.1, computing NAT Discovery hash
Apr 27 11 36 19 IKEv1 DEBUG IP 127.1.1.1, processing NAT Discovery payload
Apr 27 11 36 19 IKEv1 DEBUG IP 127.1.1.1, computing NAT Discovery hash
Apr 27 11 36 19 IKEv1 DEBUG IP 127.1.1.1, constructing ke payload
Apr 27 11 36 19 IKEv1 DEBUG IP 127.1.1.1, constructing nonce payload
Apr 27 11 36 19 IKEv1 DEBUG IP 127.1.1.1, constructing Cisco Unity VID payload
Apr 27 11 36 19 IKEv1 DEBUG IP 127.1.1.1, constructing xauth V6 VID payload
Apr 27 11 36 19 IKEv1 DEBUG IP 127.1.1.1, Send IOS VID
Apr 27 11 36 19 IKEv1 DEBUG IP 127.1.1.1, Constructing ASA spoofing IOS Vendor ID payload version 1.0.0, capabilities 20000001
Apr 27 11 36 19 IKEv1 DEBUG IP 127.1.1.1, constructing VID payload
Apr 27 11 36 19 IKEv1 DEBUG IP 127.1.1.1, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Apr 27 11 36 19 IKEv1 DEBUG IP 127.1.1.1, constructing NAT Discovery payload
Apr 27 11 36 19 IKEv1 DEBUG IP 127.1.1.1, computing NAT Discovery hash
Apr 27 11 36 19 IKEv1 DEBUG IP 127.1.1.1, constructing NAT Discovery payload
Apr 27 11 36 19 IKEv1 DEBUG IP 127.1.1.1, computing NAT Discovery hash
Apr 27 11 36 19 IKEv1 IP 127.1.1.1, Connection landed on tunnel group 127.1.1.1
Apr 27 11 36 19 IKEv1 DEBUG Group 127.1.1.1, IP 127.1.1.1, Generating keys for Responder...
Apr 27 11 36 19 IKEv1 IP 127.1.1.1, IKE DECODE SENDING Message msgid 0 with payloads HDR KE 4 NONCE 10 VENDOR 13 VENDOR 13 VENDOR 13 VENDOR 13 NAT D 130 NAT D 130 NONE 0 total length 360
Apr 27 11 36 19 IKEv1 IP 127.1.1.1, IKE DECODE RECEIVED Message msgid 0 with payloads HDR ID 5 HASH 8 NONE 0 total length 60
Apr 27 11 36 19 IKEv1 DEBUG Group 127.1.1.1, IP 127.1.1.1, processing ID payload
Apr 27 11 36 19 IKEv1 DECODE Group 127.1.1.1, IP 127.1.1.1, ID IPV4 ADDR ID received
127.1.1.1
Apr 27 11 36 19 IKEv1 DEBUG Group 127.1.1.1, IP 127.1.1.1, processing hash payload
Apr 27 11 36 19 IKEv1 DEBUG Group 127.1.1.1, IP 127.1.1.1, Computing hash for ISAKMP
Apr 27 11 36 19 IKEv1 Group 127.1.1.1, IP 127.1.1.1, Automatic NAT Detection Status Remote end IS behind a NAT device This end is NOT behind a NAT device
Apr 27 11 36 19 IKEv1 IP 127.1.1.1, Connection landed on tunnel group 127.1.1.1
Apr 27 11 36 19 IKEv1 Group 127.1.1.1, IP 127.1.1.1, Freeing previously allocated memory for authorization dn attributes
Apr 27 11 36 19 IKEv1 DEBUG Group 127.1.1.1, IP 127.1.1.1, constructing ID payload
Apr 27 11 36 19 IKEv1 DEBUG Group 127.1.1.1, IP 127.1.1.1, constructing hash payload
Apr 27 11 36 19 IKEv1 DEBUG Group 127.1.1.1, IP 127.1.1.1, Computing hash for ISAKMP
Apr 27 11 36 19 IKEv1 DEBUG Group 127.1.1.1, IP 127.1.1.1, constructing dpd vid payload
Apr 27 11 36 19 IKEv1 IP 127.1.1.1, IKE DECODE SENDING Message msgid 0 with payloads HDR ID 5 HASH 8 VENDOR 13 NONE 0 total length 80
Apr 27 11 36 19 IKEv1 DEBUG Group 127.1.1.1, IP 127.1.1.1, Peer negotiated phase 1 rekey
Apr 27 11 36 19 IKEv1 Group 127.1.1.1, IP 127.1.1.1, PHASE 1 COMPLETED
Apr 27 11 36 19 IKEv1 IP 127.1.1.1, Keep alive type for this connection DPD
Apr 27 11 36 19 IKEv1 DEBUG Group 127.1.1.1, IP 127.1.1.1, Starting P1 rekey timer 64800 seconds.
Apr 27 11 36 19 IKEv1 DECODE IP 127.1.1.1, IKE Responder starting QM msg id b3d9498f
Apr 27 11 36 19 IKEv1 DEBUG Group 127.1.1.1, IP 127.1.1.1, IKE SA MM fdfbbc73 terminating flags 0x01000006, refcnt 0, tuncnt 0
Apr 27 11 36 19 IKEv1 DEBUG Group 127.1.1.1, IP 127.1.1.1, sending delete/delete with reason message
Apr 27 11 36 19 IKEv1 DEBUG Group 127.1.1.1, IP 127.1.1.1, constructing blank hash payload
Apr 27 11 36 19 IKEv1 DEBUG Group 127.1.1.1, IP 127.1.1.1, constructing IKE delete payload
Apr 27 11 36 19 IKEv1 DEBUG Group 127.1.1.1, IP 127.1.1.1, constructing qm hash payload
Apr 27 11 36 19 IKEv1 IP 127.1.1.1, IKE DECODE SENDING Message msgid bd603e6c with payloads HDR HASH 8 DELETE 12 NONE 0 total length 76
Apr 27 11 36 19 IKEv1 IP 127.1.1.1, IKE DECODE RECEIVED Message msgid b3d9498f with payloads HDR HASH 8 SA 1 NONCE 10 ID 5 ID 5 NONE 0 total length 152
Apr 27 11 36 19 IKEv1 DEBUG Group 127.1.1.1, IP 127.1.1.1, processing hash payload
Apr 27 11 36 19 IKEv1 DEBUG Group 127.1.1.1, IP 127.1.1.1, processing SA payload
Apr 27 11 36 19 IKEv1 DEBUG Group 127.1.1.1, IP 127.1.1.1, processing nonce payload
Apr 27 11 36 19 IKEv1 DEBUG Group 127.1.1.1, IP 127.1.1.1, processing ID payload
Apr 27 11 36 19 IKEv1 DECODE Group 127.1.1.1, IP 127.1.1.1, ID IPV4 ADDR SUBNET ID received 0.0.0.0 0.0.0.0
Apr 27 11 36 19 IKEv1 Group 127.1.1.1, IP 127.1.1.1, Received remote IP Proxy Subnet data in ID Payload Address 0.0.0.0, Mask 0.0.0.0, Protocol 0, Port 0
Apr 27 11 36 19 IKEv1 DEBUG Group 127.1.1.1, IP 127.1.1.1, processing ID payload
Apr 27 11 36 19 IKEv1 DECODE Group 127.1.1.1, IP 127.1.1.1, ID IPV4 ADDR SUBNET ID received 10.25.210.0 255.255.255.192
Apr 27 11 36 19 IKEv1 Group 127.1.1.1, IP 127.1.1.1, Received local IP Proxy Subnet data in ID Payload Address 10.25.210.0, Mask 255.255.255.192, Protocol 0, Port 0
Apr 27 11 36 19 IKEv1 Group 127.1.1.1, IP 127.1.1.1, QM IsRekeyed old sa not found by addr
Apr 27 11 36 19 IKEv1 Group 127.1.1.1, IP 127.1.1.1, Static Crypto Map check, checking map VPN, seq 10...
Apr 27 11 36 19 IKEv1 Group 127.1.1.1, IP 127.1.1.1, Static Crypto Map check, map VPN, seq 10, no ACL configured
Apr 27 11 36 19 IKEv1 Group 127.1.1.1, IP 127.1.1.1, Static Crypto Map check, checking map VPN, seq 20...
Apr 27 11 36 19 IKEv1 Group 127.1.1.1, IP 127.1.1.1, Static Crypto Map check, map VPN, seq 20, ACL does not match proxy IDs src 0.0.0.0 dst 10.25.210.0
Apr 27 11 36 19 IKEv1 Group 127.1.1.1, IP 127.1.1.1, Static Crypto Map check, checking map VPN, seq 50...
Apr 27 11 36 19 IKEv1 Group 127.1.1.1, IP 127.1.1.1, Static Crypto Map check, map VPN, seq 50, ACL does not match proxy IDs src 0.0.0.0 dst 10.25.210.0
Apr 27 11 36 19 IKEv1 Group 127.1.1.1, IP 127.1.1.1, Static Crypto Map check, checking map VPN, seq 51...
Apr 27 11 36 19 IKEv1 Group 127.1.1.1, IP 127.1.1.1, Static Crypto Map check, map VPN, seq 51, no ACL configured
Apr 27 11 36 19 IKEv1 Group 127.1.1.1, IP 127.1.1.1, Static Crypto Map check, checking map VPN, seq 52...
Apr 27 11 36 19 IKEv1 Group 127.1.1.1, IP 127.1.1.1, Static Crypto Map check, map VPN, seq 52, no ACL configured
Apr 27 11 36 19 IKEv1 Group 127.1.1.1, IP 127.1.1.1, Static Crypto Map check, checking map VPN, seq 55...
Apr 27 11 36 19 IKEv1 Group 127.1.1.1, IP 127.1.1.1, Static Crypto Map check, map VPN, seq 55, no ACL configured
Apr 27 11 36 19 IKEv1 Group 127.1.1.1, IP 127.1.1.1, Static Crypto Map check, checking map VPN, seq 99...
Apr 27 11 36 19 IKEv1 Group 127.1.1.1, IP 127.1.1.1, Static Crypto Map check, map VPN, seq 99, no ACL configured
Apr 27 11 36 19 IKEv1 Group 127.1.1.1, IP 127.1.1.1, Static Crypto Map check, checking map VPN, seq 100...
Apr 27 11 36 19 IKEv1 Group 127.1.1.1, IP 127.1.1.1, Static Crypto Map check, map VPN, seq 100, no ACL configured
Apr 27 11 36 19 IKEv1 Group 127.1.1.1, IP 127.1.1.1, Static Crypto Map check, checking map VPN, seq 200...
Apr 27 11 36 19 IKEv1 Group 127.1.1.1, IP 127.1.1.1, Static Crypto Map check, map VPN, seq 200, no ACL configured
Apr 27 11 36 19 IKEv1 Group 127.1.1.1, IP 127.1.1.1, Rejecting IPSec tunnel no matching crypto map entry for remote proxy 0.0.0.0/0.0.0.0/0/0 local proxy 10.25.210.0/255.255.255.192/0/0 on interface outside
Apr 27 11 36 19 IKEv1 DEBUG Group 127.1.1.1, IP 127.1.1.1, sending notify message
Apr 27 11 36 19 IKEv1 DEBUG Group 127.1.1.1, IP 127.1.1.1, constructing blank hash payload
Apr 27 11 36 19 IKEv1 DEBUG Group 127.1.1.1, IP 127.1.1.1, constructing qm hash payload
Apr 27 11 36 19 IKEv1 IP 127.1.1.1, IKE DECODE SENDING Message msgid f3a49b3b with payloads HDR HASH 8 NOTIFY 11 NONE 0 total length 204
Apr 27 11 36 19 IKEv1 Group 127.1.1.1, IP 127.1.1.1, QM FSM error P2 struct &0x6ca07650, mess id 0xb3d9498f!
Apr 27 11 36 19 IKEv1 DEBUG Group 127.1.1.1, IP 127.1.1.1, IKE QM Responder FSM error history struct &0x6ca07650 state , event QM DONE, EV ERROR QM BLD MSG2, EV NEGO SA QM BLD MSG2, EV IS REKEY QM BLD MSG2, EV CONFIRM SA QM BLD MSG2, EV PROC MSG QM BLD MSG2, EV HASH OK QM BLD MSG2, NullEvent QM BLD MSG2, EV COMP HASH
Apr 27 11 36 19 IKEv1 DEBUG Group 127.1.1.1, IP 127.1.1.1, sending delete/delete with reason message
Apr 27 11 36 19 IKEv1 Group 127.1.1.1, IP 127.1.1.1, Removing peer from correlator table failed, no match!

It seems an issue with the interesting traffic ACL: 

Apr 27 11 36 19 IKEv1 Group 127.1.1.1, IP 127.1.1.1, Rejecting IPSec tunnel no matching crypto map entry for remote proxy 0.0.0.0/0.0.0.0/0/0 local proxy 10.25.210.0/255.255.255.192/0/0 on interface outside

It is expecting an any to 10.25.210.0, do you have an entry like that? You need to make sure that the ACL for interesting traffic is mirrored on the other side. 

Mike. 

Mike

johnlloyd_13
Level 9
Level 9

hi,

the lifetime either in seconds or kb won't really matter since the lower value will be negotiated between an SA.

check the IKE Phase 2 policy (i.e transform set and crypto ACL) and if a crypto map is applied on the outside interface.

Apr 27 11 36 19 IKEv1 Group 127.1.1.1, IP 127.1.1.1, Static Crypto Map check, map VPN, seq 200, no ACL configured
Apr 27 11 36 19 IKEv1 Group 127.1.1.1, IP 127.1.1.1, Rejecting IPSec tunnel no matching crypto map entry for remote proxy 0.0.0.0/0.0.0.0/0/0 local proxy 10.25.210.0/255.255.255.192/0/0 on interface outside

Review Cisco Networking for a $25 gift card