
RV042 to Cisco ASA VPN not coming up

ahmad82pkn
Level 2

Hi, I am trying to make a simple site-to-site VPN between two offices; one has a Cisco ASA and one has an RV042 router.

When traffic is initiated from the ASA side, I keep getting this message in debug and the tunnel won't come up.

[IKEv1]: Group = A.A.A.139, IP = A.A.A.139, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Apr 26 00:15:53 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Whereas if traffic is initiated from the RV042 side, I keep getting this message in debug and the tunnel won't come up.

Apr 26 00:43:44 [IKEv1 DEBUG]: IP = RV.RV.RV.139, Oakley proposal is acceptable
Apr 26 00:43:44 [IKEv1 DEBUG]: IP = RV.RV.RV.139, IKE SA Proposal # 1, Transform # 0 acceptable Matches global IKE entry # 6
Apr 26 00:43:44 [IKEv1]: IP = RV.RV.RV.139, Connection landed on tunnel_group RV.RV.RV.139
Apr 26 00:43:45 [IKEv1]: IP = RV.RV.RV.139, Connection landed on tunnel_group RV.RV.RV.139
Apr 26 00:43:45 [IKEv1]: Group = RV.RV.RV.139, IP = RV.RV.RV.139, Freeing previously allocated memory for authorization-dn-attributes
Apr 26 00:43:45 [IKEv1]: Group = RV.RV.RV.139, IP = RV.RV.RV.139, PHASE 1 COMPLETED
Apr 26 00:43:45 [IKEv1]: IP =RV.RV.RV.139, Keep-alive type for this connection: DPD
Apr 26 00:43:45 [IKEv1 DEBUG]: Group = RV.RV.RV.139, IP = RV.RV.RV.139, Starting phase 1 rekey timer: 64800000 (ms)
Apr 26 00:43:45 [IKEv1]: Group = RV.RV.RV.139, IP = RV.RV.RV.139, Received non-routine Notify message: Invalid ID info (18)
Apr 26 00:43:54 [IKEv1]: Group = RV.RV.RV.139, IP = RV.RV.RV.139, Duplicate Phase 1 packet detected. Retransmitting last packet.
Apr 26 00:43:54 [IKEv1]: Group = RV.RV.RV.139, IP = RV.RV.RV.139, P1 Retransmit msg dispatched to MM FSM
Apr 26 00:43:54 [IKEv1]: Group = RV.RV.RV.139, IP = RV.RV.RV.139, Responder resending last msg
Apr 26 00:43:55 [IKEv1]: Group = RV.RV.RV.139, IP = RV.RV.RV.139, Received non-routine Notify message: Invalid ID info (18)
Apr 26 00:44:06 [IKEv1]: Group = RV.RV.RV.139, IP = RV.RV.RV.139, IKE lost contact with remote peer, deleting connection (keepalive type: DPD)
Apr 26 00:44:15 [IKEv1]: IP = RV.RV.RV.139, Received encrypted packet with no matching SA, dropping

Attached is my configuration for the ASA and the RV042. Do you guys see any mismatch? :-s Any help would be appreciated.

RV042 Config site to site VPN

RV042 Config

Image 26 04 2013 04 04 37 000.png

Image 26 04 2013 04 04 09 000.png

ASA CONFIG

access-list IRELAND2PK extended permit ip 192.168.168.0 255.255.255.0 192.168.10.0 255.255.255.0
crypto ipsec transform-set IRELAND-PK esp-3des esp-md5-hmac
crypto map test-map 20 match address IRELAND2PK
crypto map test-map 20 set pfs
crypto map test-map 20 set peer RV.RV.RV.139
crypto map test-map 20 set transform-set IRELAND-PK IRELAND-PK1 IRELAND-PK2 IRELAND-PK3
crypto map test-map 20 set security-association lifetime seconds 86400
crypto map test-map 20 set security-association lifetime kilobytes 460800
isakmp policy 21 authentication pre-share
isakmp policy 21 encryption 3des
isakmp policy 21 hash md5
isakmp policy 21 group 2
isakmp policy 21 lifetime 86400
tunnel-group RV.RV.RV.139 type ipsec-l2l
tunnel-group RV.RV.RV..139 ipsec-attributes
 pre-shared-key *


jonatrod
Level 7

Hi ahmad82pkn, thanks for using our forum. My name is Johnnatan and I am part of the Small Business Support community. This is the small business section, so I can help you with the RV042; if you want more feedback about your device, you can post your question in the VPN section.

I recommend going to the VPN configuration section on the RV042 and disabling the PFS feature (you could also disable it on both devices). Also try configuring your devices using different security attributes (authentication, DH and encryption). I will share some documents about it with you:

http://www6.nohold.net/CiscoSB/Loginr.aspx?login=1&pid=2&app=search&vw=1&articleid=568

http://www6.nohold.net/CiscoSB/Loginr.aspx?login=1&pid=2&app=search&vw=1&articleid=3004

I hope you find this answer useful,

“Please rate useful posts so other users can benefit from it”

Greetings, 
Johnnatan Rodriguez Miranda.
Cisco Network Support Engineer.
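
Added example, not part of the thread: a small Python triage of the ASA IKEv1 debug output quoted in the question, tallying per peer whether Phase 1 completed, which Notify types arrived afterwards, and whether DPD tore the connection down. The function name and state keys are hypothetical, the notify name for type 18 is taken from RFC 2408, and the script only counts what the log reports; it does not decide which setting is mismatched.

```python
import re
from collections import Counter

# Notify message type name as assigned in RFC 2408, section 3.14.1.
NOTIFY_NAMES = {18: "INVALID-ID-INFORMATION"}
# Constructed sample: a subset of the ASA debug lines quoted in the question.
SAMPLE = """\
Apr 26 00:43:44 [IKEv1 DEBUG]: IP = RV.RV.RV.139, Oakley proposal is acceptable
Apr 26 00:43:45 [IKEv1]: Group = RV.RV.RV.139, IP = RV.RV.RV.139, PHASE 1 COMPLETED
Apr 26 00:43:45 [IKEv1]: Group = RV.RV.RV.139, IP = RV.RV.RV.139, Received non-routine Notify message: Invalid ID info (18)
Apr 26 00:43:54 [IKEv1]: Group = RV.RV.RV.139, IP = RV.RV.RV.139, Duplicate Phase 1 packet detected. Retransmitting last packet.
Apr 26 00:43:55 [IKEv1]: Group = RV.RV.RV.139, IP = RV.RV.RV.139, Received non-routine Notify message: Invalid ID info (18)
Apr 26 00:44:06 [IKEv1]: Group = RV.RV.RV.139, IP = RV.RV.RV.139, IKE lost contact with remote peer, deleting connection (keepalive type: DPD)
Apr 26 00:44:15 [IKEv1]: IP = RV.RV.RV.139, Received encrypted packet with no matching SA, dropping
"""

ENTRY = re.compile(r"\[IKEv1(?: DEBUG)?\]:\s*(.*)$")   # text after the tag
PEER = re.compile(r"\bIP\s*=\s*([^,\s]+)")             # tolerates "IP =x"
NOTIFY = re.compile(r"Received non-routine Notify message: .*\((\d+)\)")

def triage(text):
    """Return {peer: state} describing how far each IKEv1 exchange got."""
    peers = {}
    for line in text.splitlines():
        entry = ENTRY.search(line)
        body = entry.group(1) if entry else ""
        peer = PEER.search(body)
        if not peer:
            continue  # not an IKEv1 line, or no peer address on it
        st = peers.setdefault(peer.group(1), {
            "phase1_completed": False, "notifies": Counter(),
            "phase1_retransmits": 0, "dpd_teardown": False, "orphaned_packets": 0})
        notify = NOTIFY.search(body)
        if "PHASE 1 COMPLETED" in body:
            st["phase1_completed"] = True
        elif notify:
            code = int(notify.group(1))
            st["notifies"][NOTIFY_NAMES.get(code, f"type {code}")] += 1
        elif "Duplicate Phase 1 packet" in body:
            st["phase1_retransmits"] += 1
        elif "IKE lost contact with remote peer" in body:
            st["dpd_teardown"] = True
        elif "no matching SA" in body:
            st["orphaned_packets"] += 1
    return peers

if __name__ == "__main__":
    for peer, st in triage(SAMPLE).items():
        print(peer, dict(st, notifies=dict(st["notifies"])))
```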
