08-12-2013 07:11 AM - edited 03-11-2019 07:24 PM
Hello,
I have created a new context on a Cisco ASA5525 and configured a site-to-site VPN in the context. Phase 1 is not coming up and I am getting the messages below while running debug. We have a tunnel configured to the same peer IP from a different location; however, that tunnel has come up on that ASA.
%ASA-7-715047: IP = 212.9.5.245, processing VID payload
%ASA-7-715049: IP = 212.9.5.245, Received DPD VID
%ASA-7-715047: IP = 212.9.5.245, processing VID payload
%ASA-7-715038: IP = 212.9.5.245, Processing IOS/PIX Vendor ID payload (version: 1.0.0, capabilities: 0000077f)
%ASA-7-715047: IP = 212.9.5.245, processing VID payload
%ASA-7-715049: IP = 212.9.5.245, Received xauth V6 VID
%ASA-7-715047: IP = 212.9.5.245, processing NAT-Discovery payload
%ASA-7-713906: IP = 212.9.5.245, computing NAT Discovery hash
%ASA-7-715047: IP = 212.9.5.245, processing NAT-Discovery payload
%ASA-7-713906: IP = 212.9.5.245, computing NAT Discovery hash
%ASA-7-713906: IP = 212.9.5.245, Connection landed on tunnel_group 212.9.5.245
%ASA-7-713906: Group = 212.9.5.245, IP = 212.9.5.245, Generating keys for Initiator...
%ASA-7-715046: Group = 212.9.5.245, IP = 212.9.5.245, constructing ID payload
%ASA-7-715046: Group = 212.9.5.245, IP = 212.9.5.245, constructing hash payload
%ASA-7-715076: Group = 212.9.5.245, IP = 212.9.5.245, Computing hash for ISAKMP
%ASA-7-715034: IP = 212.9.5.245, Constructing IOS keep alive payload: proposal=32767/32767 sec.
%ASA-7-715046: Group = 212.9.5.245, IP = 212.9.5.245, constructing dpd vid payload
%ASA-7-713236: IP = 212.9.5.245, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 96
%ASA-6-713172: Group = 212.9.5.245, IP = 212.9.5.245, Automatic NAT Detection Status: Remote end IS behind a NAT device This end IS behind a NAT device
%ASA-7-713236: IP = 212.9.5.245, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 64
%ASA-7-715047: Group = 212.9.5.245, IP = 212.9.5.245, processing ID payload
%ASA-7-714011: Group = 212.9.5.245, IP = 212.9.5.245, ID_IPV4_ADDR ID received
192.168.91.50
%ASA-7-715047: Group = 212.9.5.245, IP = 212.9.5.245, processing hash payload
%ASA-7-715076: Group = 212.9.5.245, IP = 212.9.5.245, Computing hash for ISAKMP
%ASA-7-713906: IP = 212.9.5.245, Connection landed on tunnel_group 212.9.5.245
%ASA-7-715059: Group = 212.9.5.245, IP = 212.9.5.245, Proposing only UDP-Encapsulated-Tunnel and UDP-Encapsulated-Transport modes defined by NAT-Traversal
%ASA-5-713239: Group = 212.9.5.245, IP = 212.9.5.245, Tunnel Rejected: The maximum tunnel count allowed has been reached
%ASA-7-715065: Group = 212.9.5.245, IP = 212.9.5.245, IKE MM Initiator FSM error history (struct &0x00007fff3c246df0) <state>, <event>: MM_DONE, EV_ERROR-->MM_I_DONE_H, EV_GET_DSID-->MM_I_DONE_H, EV_IS_REKEYED-->MM_I_DONE_H, EV_TEST_CERT-->MM_I_DONE_H, EV_CHECK_NAT_T-->MM_I_DONE_H, EV_GROUP_LOOKUP-->MM_I_DONE, EV_GROUP_LOOKUP-->MM_WAIT_MSG6, EV_PROCESS_MSG
%ASA-7-713906: Group = 212.9.5.245, IP = 212.9.5.245, IKE SA MM:7064b326 terminating: flags 0x0100c022, refcnt 0, tuncnt 0
%ASA-7-713906: Group = 212.9.5.245, IP = 212.9.5.245, sending delete/delete with reason message
%ASA-4-752012: IKEv1 was unsuccessful at setting up a tunnel. Map Tag = FW1. Map Sequence Number = 20.
%ASA-3-752015: Tunnel Manager has failed to establish an L2L SA. All configured IKE versions failed to establish the tunnel. Map Tag= FW1. Map Sequence Number = 20.
%ASA-7-752002: Tunnel Manager Removed entry. Map Tag = FW1. Map Sequence Number = 20.
%ASA-7-715046: Group = 212.9.5.245, IP = 212.9.5.245, constructing blank hash payload
%ASA-7-715046: Group = 212.9.5.245, IP = 212.9.5.245, constructing IKE delete payload
%ASA-7-715046: Group = 212.9.5.245, IP = 212.9.5.245, constructing qm hash payload
%ASA-7-713236: IP = 212.9.5.245, IKE_DECODE SENDING Message (msgid=ed6f74d2) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
%ASA-5-713904: IP = 212.9.5.245, Received encrypted packet with no matching SA, dropping
%ASA-5-111008: User 'admin' executed the 'packet-tracer input inside tcp 10.155.36.132 13456 10.10.63.1 3389' command.
%ASA-5-111010: User 'admin', running 'CLI' from IP 10.224.45.30, executed 'packet-tracer input inside tcp 10.155.36.132 13456 10.10.63.1 3389'
Thanks
Soumya
08-12-2013 07:33 AM
Hello Soumya,
Looks like the configuration is good but there is a problem with licensing :
Tunnel Rejected: The maximum tunnel count allowed has been reached
Check my blog at http://laguiadelnetworking.com for further information.
Cheers,
Julio Carvajal Segura
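The diagnosis above rests on one line in the debug output: message 713239, "Tunnel Rejected: The maximum tunnel count allowed has been reached", which is generated by the local ASA before the peer ever gets a chance to accept or decline. As an added example (not from any post in this thread), the following Python script parses ASA syslog lines of the form `%ASA-<severity>-<id>: ...`, pulls out the peer, tunnel-group, NAT-T status and crypto map, and flags whether the failure was a local rejection. The sample lines are copied from the debug output at the top of the thread; the message-id meanings are taken from what those lines say and are not an official Cisco mapping.

```python
import re
from dataclasses import dataclass
from typing import Any, Dict, List, Optional

# Constructed sample: a subset of the debug lines posted at the top of this thread.
SAMPLE_DEBUG = [
    "%ASA-7-713906: IP = 212.9.5.245, Connection landed on tunnel_group 212.9.5.245",
    "%ASA-6-713172: Group = 212.9.5.245, IP = 212.9.5.245, Automatic NAT Detection Status: Remote end IS behind a NAT device This end IS behind a NAT device",
    "%ASA-5-713239: Group = 212.9.5.245, IP = 212.9.5.245, Tunnel Rejected: The maximum tunnel count allowed has been reached",
    "%ASA-4-752012: IKEv1 was unsuccessful at setting up a tunnel. Map Tag = FW1. Map Sequence Number = 20.",
    "%ASA-3-752015: Tunnel Manager has failed to establish an L2L SA. All configured IKE versions failed to establish the tunnel. Map Tag= FW1. Map Sequence Number = 20.",
    "%ASA-5-713904: IP = 212.9.5.245, Received encrypted packet with no matching SA, dropping",
]

# %ASA-<severity>-<six-digit message id>: <body>
SYSLOG_RE = re.compile(r"^%ASA-(?P<sev>\d)-(?P<msgid>\d{6}):\s*(?P<body>.*)$")
# The IKE subsystem prefixes many bodies with "Group = <tunnel-group>, IP = <peer>, "
PEER_RE = re.compile(r"^(?:Group = (?P<group>\S+), )?IP = (?P<ip>\S+), (?P<rest>.*)$")
# "Map Tag = FW1." and "Map Tag= FW1." both occur in the output
MAP_TAG_RE = re.compile(r"Map Tag\s*=\s*(\w+)")

# Message ids seen in the thread, with what each one tells the operator
# (wording is ours, derived from the message text, not a Cisco reference).
FAILURE_MEANING = {
    "713239": "local ASA rejected the tunnel (resource or license limit); the peer never declined it",
    "752012": "IKEv1 negotiation failed for the named crypto map entry",
    "752015": "Tunnel Manager gave up: every configured IKE version failed",
}


@dataclass
class AsaEvent:
    severity: int
    msgid: str
    peer_ip: Optional[str]
    tunnel_group: Optional[str]
    text: str


def parse_line(line: str) -> Optional[AsaEvent]:
    """Split one ASA syslog line into severity, message id, peer context and free text."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    body = m.group("body")
    p = PEER_RE.match(body)
    if p:
        return AsaEvent(int(m.group("sev")), m.group("msgid"), p.group("ip"), p.group("group"), p.group("rest"))
    return AsaEvent(int(m.group("sev")), m.group("msgid"), None, None, body)


def triage(lines: List[str]) -> Dict[str, Any]:
    """Summarise a failed IKEv1 phase 1 exchange: who the peer was, whether NAT-T
    was detected, which crypto map entry was involved, and whether the rejection
    came from this ASA's own limits rather than from the peer."""
    result: Dict[str, Any] = {
        "peer": None, "tunnel_group": None, "crypto_map": None,
        "nat_status": None, "local_rejection": False, "failures": {},
    }
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev.peer_ip and result["peer"] is None:
            result["peer"] = ev.peer_ip
        if ev.msgid == "713906" and "tunnel_group" in ev.text:
            result["tunnel_group"] = ev.text.rsplit(" ", 1)[1]
        elif ev.msgid == "713172":
            result["nat_status"] = ev.text.split(": ", 1)[1]
        elif ev.msgid == "713239" and "maximum tunnel count" in ev.text:
            result["local_rejection"] = True
        if ev.msgid in FAILURE_MEANING:
            result["failures"][ev.msgid] = FAILURE_MEANING[ev.msgid]
        tag = MAP_TAG_RE.search(ev.text)
        if tag:
            result["crypto_map"] = tag.group(1)
    return result


if __name__ == "__main__":
    for key, value in triage(SAMPLE_DEBUG).items():
        print(f"{key}: {value}")
```

Feed the script the full debug capture rather than the sample and `local_rejection` distinguishes this case (a limit on the ASA itself) from a peer-side mismatch, which would show up as a proposal or pre-shared-key failure instead of 713239.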
08-12-2013 07:38 AM
Hello Julio,
Is this an issue from peer end or with my device?
Thanks
Soumya
08-12-2013 09:15 AM
Hello Soumya,
It's on your device.
Here is the thing:
When we talk about VPN support on multiple-context mode we will split the license that the ASA has between the multiple contexts.
So you must manually define how many licenses will be used by each context (default is 0).
Let's say you want to add 10 VPN license peers to the context where you are having the issue.
You must create a class where you set the VPN resources assigned to the class so then you can add it to a specific context.
ciscoasa(config)# class vpn
ciscoasa(config-class)# limit-resource vpn other 10
Then get into the system context and add
ciscoasa(config)# context California
ciscoasa(config-ctx)# member vpn
Check my blog at http://laguiadelnetworking.com for further information.
Cheers,
Julio Carvajal Segura
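Julio's fix boils down to two facts about multiple-context mode: VPN capacity is carved out per context through a resource class, and a context that belongs to no class gets the default allocation, which he states is 0. As an added example (not from any post in this thread and not an ASA feature), the following Python script audits a system-context configuration for exactly that condition: it reads `class` blocks for their `limit-resource vpn other` value, reads `context` blocks for their `member` line, and reports every context that ends up with zero VPN sessions. The configuration text is a constructed sample that reuses the commands shown in the answer; the context names and config-url paths are made up, and the assumption that the default class allocates 0 is taken from the answer above.

```python
import re
from typing import Dict, List

# Constructed sample of an ASA multiple-context system configuration.
# "class vpn", "limit-resource vpn other 10" and "member vpn" are the commands
# from the answer above; the context names and config-url paths are invented.
SAMPLE_SYSTEM_CONFIG = """
class vpn
 limit-resource vpn other 10
context California
 config-url disk0:/california.cfg
 member vpn
context Nevada
 config-url disk0:/nevada.cfg
context Oregon
 config-url disk0:/oregon.cfg
 member vpn
"""

CLASS_RE = re.compile(r"^class (\S+)$")
CONTEXT_RE = re.compile(r"^context (\S+)$")
VPN_OTHER_RE = re.compile(r"^\s+limit-resource vpn other (\d+)$")
MEMBER_RE = re.compile(r"^\s+member (\S+)$")


def parse_vpn_allocations(config: str) -> Dict[str, int]:
    """Map each context name to the number of 'vpn other' sessions its class allows.

    A context with no 'member' line uses the default class; following the answer
    in this thread we assume that class allocates 0 VPN sessions, so such a
    context cannot bring up any L2L tunnel regardless of its crypto config."""
    classes: Dict[str, int] = {"default": 0}  # assumption: default class = 0 (per the thread)
    contexts: Dict[str, str] = {}
    current_kind = current_name = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        m = CLASS_RE.match(line)
        if m:
            current_kind, current_name = "class", m.group(1)
            classes.setdefault(current_name, 0)
            continue
        m = CONTEXT_RE.match(line)
        if m:
            current_kind, current_name = "context", m.group(1)
            contexts.setdefault(current_name, "default")
            continue
        if current_kind == "class":
            m = VPN_OTHER_RE.match(line)
            if m:
                classes[current_name] = int(m.group(1))
        elif current_kind == "context":
            m = MEMBER_RE.match(line)
            if m:
                contexts[current_name] = m.group(1)
    # Resolve at the end so a class defined after the context that uses it still counts.
    return {ctx: classes.get(cls, 0) for ctx, cls in contexts.items()}


def contexts_without_vpn(config: str) -> List[str]:
    """Names of contexts that would hit 'maximum tunnel count' on the very first tunnel."""
    return sorted(ctx for ctx, n in parse_vpn_allocations(config).items() if n == 0)


if __name__ == "__main__":
    for ctx, sessions in parse_vpn_allocations(SAMPLE_SYSTEM_CONFIG).items():
        print(f"{ctx}: {sessions} L2L/IKE sessions")
    print("no VPN capacity:", contexts_without_vpn(SAMPLE_SYSTEM_CONFIG))
```

Run against a `show running-config` taken in the system execution space, the report lists the contexts that will log 713239 on their first tunnel attempt, which is the condition Soumya hit before adding the class and `member` line.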
08-13-2013 10:04 AM
Thank you Julio, this works.
08-13-2013 10:46 AM
Hey Soumya,
My pleasure to help
Check my blog at http://laguiadelnetworking.com for further information.
Cheers,
Julio Carvajal Segura
05-26-2020 10:33 AM
I have the same error but in single mode! What should I do?
thanks
Regards,
08-12-2013 07:39 AM
Hi,
Wouldn't the license limit mean that there were 750 existing VPN Client or L2L VPN connections already active when we consider the model? And since it's in multiple context mode it could only be 750 L2L VPN connections since it doesn't support Client VPN.
Could there be any possibility of some configuration limiting the amount of VPN connections? Could some Group Policy do this?
- Jouni
08-19-2015 06:44 AM
Hi Julio,
You're a lifesaver!
I've been scratching my head the whole day and I didn't know I would need this line in the system context.