11-25-2011 08:58 AM - edited 03-11-2019 02:55 PM
I am really new at this, so please forgive my ignorance. I've configured, to the best of my ability, a tunnel between my asa5505 and a firebox X using this guide. I had to feel my way through it since the ASDM in the guide is an older version.
When I attempt to bring the tunnel up using Ping Inside on the ASA to one of the machines on the watchguard subnet, I get the following error messages, even though the ping states 100% success. I cannot ping, rdp or do anything out from any of the hosts on my 192.168.240.0/24 network to the 192.168.254.0/24 network whatsoever.
Can anyone point me in the right direction?
Nov 25 11:49:54 [IKEv1 DECODE]: IP = 204.116.253.76, IKE Responder starting QM: msg id = 108a9682
Nov 25 11:49:54 [IKEv1]: Group = 204.116.253.76, IP = 204.116.253.76, Received encrypted Oakley Quick Mode packet with invalid payloads, MessID = 277517954
Nov 25 11:49:54 [IKEv1 DEBUG]: Group = 204.116.253.76, IP = 204.116.253.76, sending notify message
Nov 25 11:49:54 [IKEv1 DEBUG]: Group = 204.116.253.76, IP = 204.116.253.76, Can't send p2 'Payload malformed' notify message: no SPIs (msg id 108a9682)!
Nov 25 11:49:54 [IKEv1]: Group = 204.116.253.76, IP = 204.116.253.76, QM FSM error (P2 struct &0xc9d588b0, mess id 0x108a9682)!
Nov 25 11:49:54 [IKEv1 DEBUG]: Group = 204.116.253.76, IP = 204.116.253.76, IKE QM Responder FSM error history (struct &0xc9d588b0) <state>, <event>: QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_VALIDATE_FAIL-->QM_BLD_MSG2, EV_VALIDATE_MSG-->QM_BLD_MSG2, EV_DECRYPT_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_DECRYPT_MSG-->QM_BLD_MSG2, EV_INIT_RESPONDER-->QM_START, EV_RCV_MSG
Nov 25 11:49:54 [IKEv1 DEBUG]: Group = 204.116.253.76, IP = 204.116.253.76, sending delete/delete with reason message
Nov 25 11:49:54 [IKEv1]: Group = 204.116.253.76, IP = 204.116.253.76, Removing peer from correlator table failed, no match!
11-25-2011 09:37 AM
Hmmm, I can ping/rdp/whatever from the 192.168.254.0/24 (firebox) side of the tunnel into the 192.168.240.0/24 (ASA) side, but not the other way around.
11-25-2011 01:40 PM
Hi,
Verify your crypto ACLs are mirrored on both tunnel endpoints.
Regards.
Alain
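The check Alain describes, written out as an added example (not code from the thread or from Cisco/WatchGuard): it parses the ASA's crypto ACL entries from a config excerpt and compares them, swapped, against the peer's local/remote network pairs. The ASA config line, the ACL name `outside_cryptomap`, and the Firebox-side pairs are all constructed here, since the thread shows neither side's configuration; the Firebox side is given as plain CIDR pairs because its config syntax is not on the page. The mismatch sample deliberately uses a narrower /25 on the Firebox side to show what a non-mirrored entry looks like.

```python
import ipaddress
from typing import Dict, List, Tuple

IPv4Net = ipaddress.IPv4Network
Pair = Tuple[IPv4Net, IPv4Net]  # (local network, remote network) as seen by one endpoint

# Constructed ASA config excerpt (not from the thread): one crypto ACL entry for the
# 192.168.240.0/24 (ASA) -> 192.168.254.0/24 (Firebox) tunnel discussed above.
ASA_CONFIG_SAMPLE = """
hostname asa5505
access-list outside_cryptomap extended permit ip 192.168.240.0 255.255.255.0 192.168.254.0 255.255.255.0
access-list inside_access_in extended permit ip any any
"""


def _parse_asa_addr(tokens: List[str], i: int) -> Tuple[IPv4Net, int]:
    """Read one ASA address spec (any | host A.B.C.D | NET MASK) starting at tokens[i]."""
    tok = tokens[i]
    if tok == "any":
        return IPv4Net("0.0.0.0/0"), i + 1
    if tok == "host":
        return IPv4Net(tokens[i + 1] + "/32"), i + 2
    return IPv4Net(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_asa_crypto_acl(config: str, acl_name: str) -> List[Pair]:
    """Return (src, dst) network pairs from 'access-list NAME extended permit ip SRC DST' lines."""
    pairs: List[Pair] = []
    for raw in config.splitlines():
        tokens = raw.split()
        if len(tokens) < 7 or tokens[:1] != ["access-list"] or tokens[1] != acl_name:
            continue
        if tokens[2:5] != ["extended", "permit", "ip"]:
            continue  # crypto ACLs only match on permit ip; other forms are ignored here
        src, i = _parse_asa_addr(tokens, 5)
        dst, _ = _parse_asa_addr(tokens, i)
        pairs.append((src, dst))
    return pairs


def pairs_from_cidrs(cidrs: List[Tuple[str, str]]) -> List[Pair]:
    """Build (local, remote) pairs from CIDR strings, e.g. the peer's tunnel routes."""
    return [(IPv4Net(local), IPv4Net(remote)) for local, remote in cidrs]


def compare_crypto_acls(local_pairs: List[Pair], remote_pairs: List[Pair]) -> Dict[str, List[str]]:
    """Check that the remote side's (local, remote) pairs are exactly the mirror of ours.

    Every (src, dst) we have must appear on the peer as (dst, src), and the peer must
    have nothing else; both directions of the difference are reported.
    """
    expected_remote = {(dst, src) for src, dst in local_pairs}
    remote = set(remote_pairs)
    fmt = lambda p: f"{p[0]} -> {p[1]}"
    return {
        "missing_on_remote": sorted(fmt(p) for p in expected_remote - remote),
        "extra_on_remote": sorted(fmt(p) for p in remote - expected_remote),
    }


# Constructed Firebox-side pairs (local, remote) for the two cases.
FIREBOX_OK = pairs_from_cidrs([("192.168.254.0/24", "192.168.240.0/24")])
FIREBOX_MISMATCH = pairs_from_cidrs([("192.168.254.0/24", "192.168.240.0/25")])

if __name__ == "__main__":
    asa = parse_asa_crypto_acl(ASA_CONFIG_SAMPLE, "outside_cryptomap")
    print("ASA crypto ACL:", [f"{s} -> {d}" for s, d in asa])
    print("mirrored peer  :", compare_crypto_acls(asa, FIREBOX_OK))
    print("mismatched peer:", compare_crypto_acls(asa, FIREBOX_MISMATCH))
```

An empty result in both lists means the proxy identities match entry for entry; anything listed under `missing_on_remote` or `extra_on_remote` is a candidate for the mismatch to fix before re-testing the tunnel.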