02-12-2007 01:18 PM - edited 02-21-2020 01:24 AM
I've combed through the configs on both sides of this tunnel 4x now and the policies look like they match. I followd the note http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094498.shtml
My crypto access lsits are good and my nat on the IOS side are bundled with a route map and look good. On the ASA side traffic from the ASA side to the remote tunnel is exempt from NAT. Each side already has a site to site tunnel setup, so i've added the appropriate lines to the existing crypto maps that include peer, transform set, and match address "access-list". The crypto isakmp polcies on both ends are compatible. I've attached some configs and debugs(from IOS router), but essentially the log on the ASA starts out with phase 1 completed, and then reads received non routing notify message, no proposal chosen and then it goes to IKE lost connection to remote peer, deleting connection, removing peer from correlator table failed, no match, and finally session disconnected, reason lost service.
Connection is good, their other tunnel stays up along with the remote access vpn config.
I found a note that recommends checking any security access-list, so I removed them, but no luck, and one from cisco related to a concentrator, but had some sound logic to it,
Normally appears with the
corresponding Cisco VPN 3000
concentrator message: No proposal
chosen(14). This is a result of the
connections being host-to-host.
The router configuration had the
IPSec proposals ordered so that the
proposal chosen for the router
matched the access-list, but not the
peer. The access-list had a larger
network that included the host that
was intersecting traffic.
Make the router proposal for this
concentrator-to-router connection
first in line, so that it matches the
specific host first.
however it didn't work either.
thank you,
Bill
Solved! Go to Solution.
02-13-2007 12:34 PM
Bill,
Take a look at this
000610: *Sep 27 10:42:15.094 PCTime: ISAKMP:(2039):Need XAUTH
000611: *Sep 27 10:42:15.094 PCTime: ISAKMP: set new node 920927400 to CONF_XAUTH
000612: *Sep 27 10:42:15.094 PCTime: ISAKMP/xauth: request attribute XAUTH_USER_NAME_V2
000613: *Sep 27 10:42:15.094 PCTime: ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD_V2
000614: *Sep 27 10:42:15.094 PCTime: ISAKMP:(2039): initiating peer config to 74.92.97.166. ID = 920927400
000615: *Sep 27 10:42:15.094 PCTime: ISAKMP:(2039): sending packet to 74.92.97.166 my_port 4500 peer_port 4500 (R) CONF_XAUTH
--More-- 000616: *Sep 27 10:42:15.094 PCTime: ISAKMP:(2039):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
000617: *Sep 27 10:42:15.094 PCTime: ISAKMP:(2039):Old State = IKE_P1_COMPLETE New State = IKE_XAUTH_REQ_SENT
It should not be going for Extended Authentication. Since you have the client and the L2L on the same router and the clients are configured for Extended authentication, the router will ask for XAUTH unless you configure the command "no-xauth" after the pre-shared key
Please implement the command:
crypto isakmp key cleartext address 74.92.97.166 no-xauth
Thanks
Gilbert
02-12-2007 01:47 PM
02-12-2007 02:27 PM
Bill,
I looked at the PIX config and seems like there is a mismatch on the peer statements.
Please take a look at the tunnel-group IP address and the IP address on the set peer commands on the crypto map section.
Which one is correct?
Cheers
Gilbert
02-12-2007 02:47 PM
sorry, I was trying to remove the real IP addresses but missed them in the group attribute statements. The remote peer from the pix is 71.33.245.25 (the tunnel I'm trying to create now) and another tunnel 65.202.177.130 (already established). It looks like I attached the IOS debug twice instead of the running config. I don't have access to that file right now, but will again in a few hours.
02-12-2007 05:47 PM
02-13-2007 07:01 AM
The config of ASA looks good.
The policies on the ASA and the router should match.
Can you please enable debugs on the router
deb cry isa
deb cry ipsec
Enable debugs on the ASA
deb cry isa 129
deb cry ipsec 129
Do "cle cry isa" and "cle cry sa" on the router and then initiate the tunnel.
Capture the debugs on the router and the ASA - Send them to me.
Let me take a look.
Cheers
Gilbert
02-13-2007 07:43 AM
02-13-2007 09:38 AM
Looking at the config on the IOS router, I do see that you are doing NAT. Please implement the following commands
conf t
ip access-list ext 102
1 deny ip 192.168.100.0 0.0.0.255 10.4.1.0 0.0.0.255
On the ASA, look at the statement
crypto map outside_map 15 set transform-set CO ESP-3DES-SHA
Can you please make sure that you have only
crypto map outside_map 15 set transform-set CO
Let me know if this fixes the problem.
Thanks
Gilbert
Rate it, if this helps.
02-13-2007 10:10 AM
ok, added the deny ip line to the access-list 102 with a log on the end. When pinging though nothing shows up for 10.4.1.100, however the logs do reflect a test ping to the working tunnel. Not sure if they should be showing up regardless of the tunnel's condition. I mean should a failed attempt still show up if deny ip 192.168.100.0 0.0.0.255 10.4.1.0 0.0.0.255 log exists?
I've also removed the 2nd transform-set ESP-3DES-SHA, but still get the same behaviour and errors. "received non-routine notify message. No proposal chosen"
02-13-2007 10:15 AM
What is your email address?
02-13-2007 10:16 AM
02-13-2007 12:30 PM
Bill,
According to the logs
001262: *Sep 26 11:00:21.467 PCTime: ISAKMP (0:2009): NAT found, the node outside NAT
001263: *Sep 26 11:00:21.467 PCTime: ISAKMP:(2009):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
It stops after NAT detection.
Send me the full logs by clearing the tunnel and initiating from the router side.
Thanks
Gilbert
02-13-2007 12:30 PM
02-13-2007 12:34 PM
Bill,
Take a look at this
000610: *Sep 27 10:42:15.094 PCTime: ISAKMP:(2039):Need XAUTH
000611: *Sep 27 10:42:15.094 PCTime: ISAKMP: set new node 920927400 to CONF_XAUTH
000612: *Sep 27 10:42:15.094 PCTime: ISAKMP/xauth: request attribute XAUTH_USER_NAME_V2
000613: *Sep 27 10:42:15.094 PCTime: ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD_V2
000614: *Sep 27 10:42:15.094 PCTime: ISAKMP:(2039): initiating peer config to 74.92.97.166. ID = 920927400
000615: *Sep 27 10:42:15.094 PCTime: ISAKMP:(2039): sending packet to 74.92.97.166 my_port 4500 peer_port 4500 (R) CONF_XAUTH
--More-- 000616: *Sep 27 10:42:15.094 PCTime: ISAKMP:(2039):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
000617: *Sep 27 10:42:15.094 PCTime: ISAKMP:(2039):Old State = IKE_P1_COMPLETE New State = IKE_XAUTH_REQ_SENT
It should not be going for Extended Authentication. Since you have the client and the L2L on the same router and the clients are configured for Extended authentication, the router will ask for XAUTH unless you configure the command "no-xauth" after the pre-shared key
Please implement the command:
crypto isakmp key cleartext address 74.92.97.166 no-xauth
Thanks
Gilbert
02-13-2007 12:37 PM
Bill,
Let me know if that works.
Take care
Gilbert
Rate it, if this helps.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide