1199 Views | 0 Helpful | 4 Replies

troubleshooting l2l phase1

Keith Craycraft
Level 1

Dec 21 02:08:38 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Dec 21 02:08:38 [IKEv1]: IP = 1xx.1xx.1xx.xx, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Dec 21 02:08:39 [IKEv1 DEBUG]: IP = 1xx.1xx.1xx.xx, IKE MM Initiator FSM error history (struct &0xc6da6940)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
Dec 21 02:08:39 [IKEv1 DEBUG]: IP = 1xx.1xx.1xx.xx, IKE SA MM:0594db04 terminating:  flags 0x01000022, refcnt 0, tuncnt 0
Dec 21 02:08:39 [IKEv1 DEBUG]: IP = 1xx.1xx.1xx.xx, sending delete/delete with reason message
Dec 21 02:08:39 [IKEv1]: IP = 1xx.1xx.1xx.xx, Removing peer from peer table failed, no match!
Dec 21 02:08:39 [IKEv1]: IP = 1xx.1xx.1xx.xx, Error: Unable to remove PeerTblEntry

When I bring up a new ASA5505 8.2(1) and try to bring up the tunnel, it will not come up.

The last two lines above show up on the console, and I get the rest if I debug crypto isakmp 50.

I have triple-checked my isakmp settings and they match on both sides; I have even re-entered the pre-shared key and it matches on both sides.

Any suggestions will be helpful.

thank you,

keith

4 Replies

Kimberly Adams
Level 3

Keith,

Can you please post your configuration of both sides, removing any sensitive info, for us to review?  This will help us to find anything to make this work.

Thanks,

Kimberly

Thanks and Cheers! Kimberly. Please remember to rate helpful posts.

hub site tz170

name Ohio
gateway   7x.2xx.1xx.1xx
ike using preshared keys

phase 1
ike
exchange mainmode
group 2
encryption  3des
authentication SHA1
lifetime 2880

phase 2
protocol ESP
encryption 3des
authentication SHA1
lifetime 28800

asa

access-list outside_cryptomap_2 extended permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat extended permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
!
router rip
 version 1
!
route outside 0.0.0.0 0.0.0.0 7x.2xx.1xx.1xz 1
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 2 match address outside_cryptomap_2
crypto map outside_map 2 set peer 1xx.1xx.1xx.5x
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 28800
group-delimiter !
tunnel-group 1xx.1xx.1xx.5x type ipsec-l2l
tunnel-group 1xx.1xx.1xx.5x ipsec-attributes
 pre-shared-key *
 peer-id-validate nocheck

Based on the debug, your side sent the first message for setting up Phase 1 but did not receive the response from the other end.

You probably need to investigate whether there is something such as a FW in the middle blocking UDP port 500.
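The diagnosis in the reply above can be read mechanically off the FSM error history line. The following Python is an added example written for this page, not code from Cisco or from anyone in the thread: it parses the debug lines Keith posted (embedded here as a constructed sample, with the peer address masked as on the page), finds the furthest main-mode state the initiator reached, and counts retries and timeouts. The verdict text is the editor's interpretation, not ASA output: for MM_WAIT_MSG2 it repeats the reply above (no answer to message 1, so check reachability and UDP/500); the MM_WAIT_MSG6 entry reflects the common experience that a missing message 6 points at a pre-shared key or peer-ID mismatch, and any other state gets a generic note.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed sample: the "debug crypto isakmp 50" lines quoted in the thread.
SAMPLE_LOG = """\
Dec 21 02:08:38 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Dec 21 02:08:38 [IKEv1]: IP = 1xx.1xx.1xx.xx, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Dec 21 02:08:39 [IKEv1 DEBUG]: IP = 1xx.1xx.1xx.xx, IKE MM Initiator FSM error history (struct &0xc6da6940)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
Dec 21 02:08:39 [IKEv1 DEBUG]: IP = 1xx.1xx.1xx.xx, IKE SA MM:0594db04 terminating:  flags 0x01000022, refcnt 0, tuncnt 0
Dec 21 02:08:39 [IKEv1 DEBUG]: IP = 1xx.1xx.1xx.xx, sending delete/delete with reason message
Dec 21 02:08:39 [IKEv1]: IP = 1xx.1xx.1xx.xx, Removing peer from peer table failed, no match!
Dec 21 02:08:39 [IKEv1]: IP = 1xx.1xx.1xx.xx, Error: Unable to remove PeerTblEntry
"""

# ASA IKEv1 debug prefix: timestamp, [IKEv1] or [IKEv1 DEBUG], then the message.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d{2}:\d{2}:\d{2}) \[IKEv1(?: DEBUG)?\]: (?P<msg>.*)$"
)
# The FSM error history: role, then a most-recent-first chain of "STATE, EVENT" pairs.
HISTORY_RE = re.compile(
    r"IKE MM (?P<role>Initiator|Responder) FSM error history.*?<state>, <event>:\s*(?P<hist>.*)$"
)
TRANSITION_RE = re.compile(r"(?P<state>[A-Z_0-9]+), (?P<event>[A-Za-z_0-9]+)")

# Editor's interpretation of where main mode stalled (hypothetical wording, not ASA text).
VERDICTS = {
    "MM_WAIT_MSG2": "no reply to main-mode message 1: verify the peer is reachable and that "
                    "UDP/500 is permitted end to end (UDP/4500 too if NAT-T is in play)",
    "MM_WAIT_MSG6": "peer never completed authentication: commonly a pre-shared key or "
                    "peer-ID mismatch; re-enter the key on both ends",
}
GENERIC_VERDICT = "main mode stalled; compare the ISAKMP policy on both peers"


@dataclass
class Phase1Diagnosis:
    role: str                 # Initiator or Responder, as printed by the ASA
    stuck_state: str          # furthest main-mode state reached before the SA was torn down
    timed_out: bool           # an EV_TIMEOUT appears in the history
    retries: int              # number of EV_RETRY transitions
    traffic_triggered: bool   # a KEY-ACQUIRE was queued, i.e. interesting traffic started it
    verdict: str


def _msg_depth(state: str) -> int:
    """Main-mode message number encoded in the state name (MM_WAIT_MSG2 -> 2); 0 if none."""
    m = re.search(r"MSG(\d)$", state)
    return int(m.group(1)) if m else 0


def diagnose(lines: Iterable[str]) -> Optional[Phase1Diagnosis]:
    """Return a diagnosis for the first FSM error history found, or None if there is none."""
    traffic_triggered = False
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        if "KEY-ACQUIRE" in msg:
            traffic_triggered = True
        h = HISTORY_RE.search(msg)
        if not h:
            continue
        transitions = TRANSITION_RE.findall(h.group("hist"))
        states = [s for s, _ in transitions if s != "MM_DONE"]
        if not states:
            return None
        events = [e for _, e in transitions]
        stuck = max(states, key=_msg_depth)
        return Phase1Diagnosis(
            role=h.group("role"),
            stuck_state=stuck,
            timed_out="EV_TIMEOUT" in events,
            retries=events.count("EV_RETRY"),
            traffic_triggered=traffic_triggered,
            verdict=VERDICTS.get(stuck, GENERIC_VERDICT),
        )
    return None


if __name__ == "__main__":
    d = diagnose(SAMPLE_LOG.splitlines())
    print(d)
```

Run against the thread's own debug, `diagnose()` reports the initiator stuck at MM_WAIT_MSG2 after two retries and a timeout, triggered by queued interesting traffic, which is exactly the "sent message 1, got nothing back" reading given above. The same function can be pointed at a fresh `debug crypto isakmp` capture; because the ASA prints the history most-recent-first, the code picks the furthest state by message number rather than by position.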

Reset the pre-shared key on both ends and restarted the ASA on the remote; solved the issue...
