cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2822
Views
0
Helpful
2
Replies

IPsec VPN RA - IKE TM V6 FSM error history

jlucero2424
Level 1
Level 1

Hi Guys,

I have setup a VPN RA on my asa however when I use my PDA or mobile via 3g or 4g connection over the Internet to connect on my vpn gateway, I'm not able to connect. I'm Having this  error from the debug on my ASA fw  "IKE TM V6 FSM error History" not sure what this is. But when I try on other service provider with 3g or 4g it works, so might be an issue with the ISP. However I want to understand why I get this error? is it an issue about NAT-T from my service provider using my pda or mobile? . below are the logs and config on the ASA 5510

Config

interface Ethernet0/0
nameif outside
security-level 0
ip address 111.109.34.209 255.255.255.240

interface Ethernet0/1
nameif inside
security-level 100
ip address 10.98.216.58 255.255.255.224

object network vpnclient-network
subnet 172.21.200.16 255.255.255.240
description VPN Client IP Address Range

access-list Split_Tunnel_List standard permit 10.98.216.0 255.255.255.0
nat (inside,outside) source static any any destination static vpnclient-network vpnclient-network no-proxy-arp route-lookup

route outside 0.0.0.0 0.0.0.0 111.109.34.210 1
route inside 10.98.216.0 255.255.255.0 10.98.216.33 1
route inside 172.21.200.0 255.255.248.0 10.98.216.33 1

aaa-server Radius protocol radius
aaa-server Radius (inside) host 10.98.216.69
key *****
aaa-server Radius (inside) host 10.98.216.197
key *****

crypto dynamic-map REMOTE-ACCESS-DYNMAP 10 set ikev1 transform-set ESP-3DES-SHA
crypto dynamic-map REMOTE-ACCESS-DYNMAP 10 set reverse-route
crypto map REMOTE-ACCESS-MAP 10 ipsec-isakmp dynamic REMOTE-ACCESS-DYNMAP
crypto map REMOTE-ACCESS-MAP interface outside

crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption des
hash md5
group 2
lifetime 1000

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-des esp-md5-hmac


group-policy REMOTE_ACCESS_GROUP internal
group-policy REMOTE_ACCESS_GROUP attributes
dns-server value 10.98.216.52 10.98.216.192
vpn-tunnel-protocol ikev1 l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split_Tunnel_List
default-domain value mylab.local

tunnel-group REMOTE_ACCESS_GROUP type remote-access
tunnel-group REMOTE_ACCESS_GROUP general-attributes
address-pool vpnclient
authentication-server-group Radius
default-group-policy REMOTE_ACCESS_GROUP
password-management
tunnel-group REMOTE_ACCESS_GROUP ipsec-attributes
ikev1 pre-shared-key *****

DEBUG LOGS

debug cry ikev1 127

debug cry ips 127

Dec 17 18:49:52 [IKEv1]IP = 180.255.248.82, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 867
Dec 17 18:49:52 [IKEv1 DEBUG]IP = 180.255.248.82, processing SA payload
Dec 17 18:49:52 [IKEv1 DEBUG]IP = 180.255.248.82, processing ke payload
Dec 17 18:49:52 [IKEv1 DEBUG]IP = 180.255.248.82, processing ISA_KE payload
Dec 17 18:49:52 [IKEv1 DEBUG]IP = 180.255.248.82, processing nonce payload
Dec 17 18:49:52 [IKEv1 DEBUG]IP = 180.255.248.82, processing ID payload
Dec 17 18:49:52 [IKEv1 DEBUG]IP = 180.255.248.82, processing VID payload
Dec 17 18:49:52 [IKEv1 DEBUG]IP = 180.255.248.82, Received xauth V6 VID
Dec 17 18:49:52 [IKEv1 DEBUG]IP = 180.255.248.82, processing VID payload
Dec 17 18:49:52 [IKEv1 DEBUG]IP = 180.255.248.82, Received DPD VID
Dec 17 18:49:52 [IKEv1 DEBUG]IP = 180.255.248.82, processing VID payload
Dec 17 18:49:52 [IKEv1 DEBUG]IP = 180.255.248.82, Received Fragmentation VID
Dec 17 18:49:52 [IKEv1 DEBUG]IP = 180.255.248.82, IKE Peer included IKE fragmentation capability flags:  Main Mode:        True  Aggressive Mode:  False
Dec 17 18:49:52 [IKEv1 DEBUG]IP = 180.255.248.82, processing VID payload
Dec 17 18:49:52 [IKEv1 DEBUG]IP = 180.255.248.82, Received NAT-Traversal ver 02 VID
Dec 17 18:49:52 [IKEv1 DEBUG]IP = 180.255.248.82, processing VID payload
Dec 17 18:49:52 [IKEv1 DEBUG]IP = 180.255.248.82, Received Cisco Unity client VID
Dec 17 18:49:52 [IKEv1]IP = 180.255.248.82, Connection landed on tunnel_group REMOTE_ACCESS_GROUP
Dec 17 18:49:52 [IKEv1 DEBUG]Group = REMOTE_ACCESS_GROUP, IP = 180.255.248.82, processing IKE SA payload
Dec 17 18:49:52 [IKEv1 DEBUG]Group = REMOTE_ACCESS_GROUP, IP = 180.255.248.82, IKE SA Proposal # 1, Transform # 13 acceptable  Matches global IKE entry # 1
Dec 17 18:49:52 [IKEv1 DEBUG]Group = REMOTE_ACCESS_GROUP, IP = 180.255.248.82, constructing ISAKMP SA payload
Dec 17 18:49:52 [IKEv1 DEBUG]Group = REMOTE_ACCESS_GROUP, IP = 180.255.248.82, constructing ke payload
Dec 17 18:49:52 [IKEv1 DEBUG]Group = REMOTE_ACCESS_GROUP, IP = 180.255.248.82, constructing nonce payload
Dec 17 18:49:52 [IKEv1 DEBUG]Group = REMOTE_ACCESS_GROUP, IP = 180.255.248.82, Generating keys for Responder...
Dec 17 18:49:52 [IKEv1 DEBUG]Group = REMOTE_ACCESS_GROUP, IP = 180.255.248.82, constructing ID payload
Dec 17 18:49:52 [IKEv1 DEBUG]Group = REMOTE_ACCESS_GROUP, IP = 180.255.248.82, constructing hash payload
Dec 17 18:49:52 [IKEv1 DEBUG]Group = REMOTE_ACCESS_GROUP, IP = 180.255.248.82, Computing hash for ISAKMP
Dec 17 18:49:52 [IKEv1 DEBUG]Group = REMOTE_ACCESS_GROUP, IP = 180.255.248.82, constructing Cisco Unity VID payload
Dec 17 18:49:52 [IKEv1 DEBUG]Group = REMOTE_ACCESS_GROUP, IP = 180.255.248.82, constructing xauth V6 VID payload
Dec 17 18:49:52 [IKEv1 DEBUG]Group = REMOTE_ACCESS_GROUP, IP = 180.255.248.82, constructing dpd vid payload
Dec 17 18:49:52 [IKEv1 DEBUG]Group = REMOTE_ACCESS_GROUP, IP = 180.255.248.82, constructing NAT-Traversal VID ver 02 payload
Dec 17 18:49:52 [IKEv1 DEBUG]Group = REMOTE_ACCESS_GROUP, IP = 180.255.248.82, constructing NAT-Discovery payload
Dec 17 18:49:52 [IKEv1 DEBUG]Group = REMOTE_ACCESS_GROUP, IP = 180.255.248.82, computing NAT Discovery hash
Dec 17 18:49:52 [IKEv1 DEBUG]Group = REMOTE_ACCESS_GROUP, IP = 180.255.248.82, constructing NAT-Discovery payload
Dec 17 18:49:52 [IKEv1 DEBUG]Group = REMOTE_ACCESS_GROUP, IP = 180.255.248.82, computing NAT Discovery hash
Dec 17 18:49:52 [IKEv1 DEBUG]Group = REMOTE_ACCESS_GROUP, IP = 180.255.248.82, constructing Fragmentation VID + extended capabilities payload
Dec 17 18:49:52 [IKEv1 DEBUG]Group = REMOTE_ACCESS_GROUP, IP = 180.255.248.82, constructing VID payload
Dec 17 18:49:52 [IKEv1 DEBUG]Group = REMOTE_ACCESS_GROUP, IP = 180.255.248.82, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Dec 17 18:49:52 [IKEv1]IP = 180.255.248.82, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 428
Dec 17 18:49:52 [IKEv1]IP = 180.255.248.82, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + HASH (8) + NOTIFY (11) + NAT-D (130) + NAT-D (130) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 156
Dec 17 18:49:52 [IKEv1 DEBUG]Group = REMOTE_ACCESS_GROUP, IP = 180.255.248.82, processing hash payload
Dec 17 18:49:52 [IKEv1 DEBUG]Group = REMOTE_ACCESS_GROUP, IP = 180.255.248.82, Computing hash for ISAKMP
Dec 17 18:49:52 [IKEv1 DEBUG]Group = REMOTE_ACCESS_GROUP, IP = 180.255.248.82, processing notify payload
Dec 17 18:49:52 [IKEv1 DEBUG]Group = REMOTE_ACCESS_GROUP, IP = 180.255.248.82, processing NAT-Discovery payload
Dec 17 18:49:52 [IKEv1 DEBUG]Group = REMOTE_ACCESS_GROUP, IP = 180.255.248.82, computing NAT Discovery hash
Dec 17 18:49:52 [IKEv1 DEBUG]Group = REMOTE_ACCESS_GROUP, IP = 180.255.248.82, processing NAT-Discovery payload
Dec 17 18:49:52 [IKEv1 DEBUG]Group = REMOTE_ACCESS_GROUP, IP = 180.255.248.82, computing NAT Discovery hash
Dec 17 18:49:52 [IKEv1 DEBUG]Group = REMOTE_ACCESS_GROUP, IP = 180.255.248.82, processing VID payload
Dec 17 18:49:52 [IKEv1 DEBUG]Group = REMOTE_ACCESS_GROUP, IP = 180.255.248.82, Processing IOS/PIX Vendor ID payload (version: 1.0.0, capabilities: 00000408)
Dec 17 18:49:52 [IKEv1 DEBUG]Group = REMOTE_ACCESS_GROUP, IP = 180.255.248.82, processing VID payload
Dec 17 18:49:52 [IKEv1 DEBUG]Group = REMOTE_ACCESS_GROUP, IP = 180.255.248.82, Received Cisco Unity client VID
Dec 17 18:49:52 [IKEv1]Group = REMOTE_ACCESS_GROUP, IP = 180.255.248.82, Automatic NAT Detection Status:     Remote end   IS   behind a NAT device     This   end is NOT behind a NAT device
Dec 17 18:49:52 [IKEv1 DEBUG]Group = REMOTE_ACCESS_GROUP, IP = 180.255.248.82, constructing blank hash payload
Dec 17 18:49:52 [IKEv1 DEBUG]Group = REMOTE_ACCESS_GROUP, IP = 180.255.248.82, constructing qm hash payload
Dec 17 18:49:52 [IKEv1]IP = 180.255.248.82, IKE_DECODE SENDING Message (msgid=10c80f5) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 112


Dec 17 18:51:52 [IKEv1 DEBUG]Group = REMOTE_ACCESS_GROUP, IP = 180.255.248.82, IKE TM V6 FSM error history (struct &0xa9394ee8)  <state>, <event>:  TM_DONE, EV_ERROR-->TM_WAIT_REPLY, EV_TIMEOUT-->TM_WAIT_REPLY, NullEvent-->TM_SND_REQ, EV_SND_MSG-->TM_SND_REQ, EV_START_TMR-->TM_SND_REQ, EV_RESEND_MSG-->TM_WAIT_REPLY, EV_TIMEOUT-->TM_WAIT_REPLY, NullEvent
Dec 17 18:51:52 [IKEv1 DEBUG]Group = REMOTE_ACCESS_GROUP, IP = 180.255.248.82, IKE AM Responder FSM error history (struct &0xae237540)  <state>, <event>:  AM_DONE, EV_ERROR-->AM_TM_INIT_XAUTH_V6H, EV_TM_FAIL-->AM_TM_INIT_XAUTH_V6H, NullEvent-->AM_TM_INIT_XAUTH_V6H, EV_ACTIVATE_NEW_SA-->AM_TM_INIT_XAUTH_V6H, NullEvent-->AM_TM_INIT_XAUTH_V6H, EV_START_TM-->AM_TM_INIT_XAUTH, EV_START_TM-->AM_PROC_MSG3, EV_TEST_TM_H6
Dec 17 18:51:52 [IKEv1 DEBUG]Group = REMOTE_ACCESS_GROUP, IP = 180.255.248.82, IKE SA AM:ed91976f terminating:  flags 0x0105c001, refcnt 0, tuncnt 0
Dec 17 18:51:52 [IKEv1 DEBUG]Group = REMOTE_ACCESS_GROUP, IP = 180.255.248.82, sending delete/delete with reason message
Dec 17 18:51:52 [IKEv1 DEBUG]Group = REMOTE_ACCESS_GROUP, IP = 180.255.248.82, constructing blank hash payload
Dec 17 18:51:52 [IKEv1 DEBUG]Group = REMOTE_ACCESS_GROUP, IP = 180.255.248.82, constructing IKE delete payload
Dec 17 18:51:52 [IKEv1 DEBUG]Group = REMOTE_ACCESS_GROUP, IP = 180.255.248.82, constructing qm hash payload
Dec 17 18:51:52 [IKEv1]IP = 180.255.248.82, IKE_DECODE SENDING Message (msgid=245811a3) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 76
Dec 17 18:54:53 [IKEv1]IP = 180.255.248.92, Received encrypted packet with no matching SA, dropping

2 Replies 2

CSCO11506113
Level 1
Level 1

Similar problem was resolved by removing (or adjusting)

    hostname(config)# fragment chain 1 [interface_name]

By default, the ASA allows up to 24 fragments per IP packet ...  Fragmented packets are often used as DoS attacks.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/conns_protect.html

"Configuring the Fragment Size" section

Change the encryption method in your isakmp policy to 3des

crypto ikev1 policy 10
authentication pre-share
encryption des
hash md5
group 2
lifetime 1000

IPsec client does not support des.

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts
Review Cisco Networking for a $25 gift card