04-25-2013 05:00 PM
Hi, I am trying to make a simple site-to-site VPN between two offices; one has a Cisco ASA and one has an RV042 router.
When traffic is initiated from the ASA side, I keep getting this message in debug and the tunnel won't come up.
[IKEv1]: Group = A.A.A.139, IP = A.A.A.139, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Apr 26 00:15:53 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Whereas if traffic is initiated from the RV042 side, I keep getting this message in debug and the tunnel won't come up.
Apr 26 00:43:44 [IKEv1 DEBUG]: IP = RV.RV.RV.139, Oakley proposal is acceptable
Apr 26 00:43:44 [IKEv1 DEBUG]: IP = RV.RV.RV.139, IKE SA Proposal # 1, Transform # 0 acceptable Matches global IKE entry # 6
Apr 26 00:43:44 [IKEv1]: IP = RV.RV.RV.139, Connection landed on tunnel_group RV.RV.RV.139
Apr 26 00:43:45 [IKEv1]: IP = RV.RV.RV.139, Connection landed on tunnel_group RV.RV.RV.139
Apr 26 00:43:45 [IKEv1]: Group = RV.RV.RV.139, IP = RV.RV.RV.139, Freeing previously allocated memory for authorization-dn-attributes
Apr 26 00:43:45 [IKEv1]: Group = RV.RV.RV.139, IP = RV.RV.RV.139, PHASE 1 COMPLETED
Apr 26 00:43:45 [IKEv1]: IP =RV.RV.RV.139, Keep-alive type for this connection: DPD
Apr 26 00:43:45 [IKEv1 DEBUG]: Group = RV.RV.RV.139, IP = RV.RV.RV.139, Starting phase 1 rekey timer: 64800000 (ms)
Apr 26 00:43:45 [IKEv1]: Group = RV.RV.RV.139, IP = RV.RV.RV.139, Received non-routine Notify message: Invalid ID info (18)
Apr 26 00:43:54 [IKEv1]: Group = RV.RV.RV.139, IP = RV.RV.RV.139, Duplicate Phase 1 packet detected. Retransmitting last packet.
Apr 26 00:43:54 [IKEv1]: Group = RV.RV.RV.139, IP = RV.RV.RV.139, P1 Retransmit msg dispatched to MM FSM
Apr 26 00:43:54 [IKEv1]: Group = RV.RV.RV.139, IP = RV.RV.RV.139, Responder resending last msg
Apr 26 00:43:55 [IKEv1]: Group = RV.RV.RV.139, IP = RV.RV.RV.139, Received non-routine Notify message: Invalid ID info (18)
Apr 26 00:44:06 [IKEv1]: Group = RV.RV.RV.139, IP = RV.RV.RV.139, IKE lost contact with remote peer, deleting connection (keepalive type: DPD)
Apr 26 00:44:15 [IKEv1]: IP = RV.RV.RV.139, Received encrypted packet with no matching SA, dropping
Attached is my configuration for the ASA and RV042. Do you guys see any mismatch? :-s Any help would be appreciated.
RV042 Config site to site VPN
RV042 Config
ASA CONFIG
access-list IRELAND2PK extended permit ip 192.168.168.0 255.255.255.0 192.168.10.0 255.255.255.0
crypto ipsec transform-set IRELAND-PK esp-3des esp-md5-hmac
crypto map test-map 20 match address IRELAND2PK
crypto map test-map 20 set pfs
crypto map test-map 20 set peer RV.RV.RV.139
crypto map test-map 20 set transform-set IRELAND-PK IRELAND-PK1 IRELAND-PK2 IRELAND-PK3
crypto map test-map 20 set security-association lifetime seconds 86400
crypto map test-map 20 set security-association lifetime kilobytes 460800
isakmp policy 21 authentication pre-share
isakmp policy 21 encryption 3des
isakmp policy 21 hash md5
isakmp policy 21 group 2
isakmp policy 21 lifetime 86400
tunnel-group RV.RV.RV.139 type ipsec-l2l
tunnel-group RV.RV.RV..139 ipsec-attributes
pre-shared-key *
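As an added example (not part of the original post and not Cisco tooling), the debug lines above can be triaged with a short script that records how far the IKEv1 negotiation got and names each Notify code using the RFC 2408 error types. The `triage` function, the marker table and the hint strings are assumptions of this example; the hint is a starting point for comparing the two configurations, not a confirmed diagnosis.

```python
import re

# Notify error types from RFC 2408 section 3.14.1 (subset seen during VPN setup).
NOTIFY = {14: "NO-PROPOSAL-CHOSEN", 18: "INVALID-ID-INFORMATION",
          23: "INVALID-HASH-INFORMATION", 24: "AUTHENTICATION-FAILED"}
# ASA message fragments mapped to result keys (table is this example's own).
MARKERS = {"PHASE 1 COMPLETED": "phase1", "PHASE 2 COMPLETED": "phase2",
           "IKE lost contact with remote peer": "dpd_teardown"}

# Debug lines copied from the post above (a selection, not the full capture).
FROM_RV042 = """\
Apr 26 00:43:45 [IKEv1]: Group = RV.RV.RV.139, IP = RV.RV.RV.139, PHASE 1 COMPLETED
Apr 26 00:43:45 [IKEv1]: Group = RV.RV.RV.139, IP = RV.RV.RV.139, Received non-routine Notify message: Invalid ID info (18)
Apr 26 00:43:54 [IKEv1]: Group = RV.RV.RV.139, IP = RV.RV.RV.139, Duplicate Phase 1 packet detected. Retransmitting last packet.
Apr 26 00:43:55 [IKEv1]: Group = RV.RV.RV.139, IP = RV.RV.RV.139, Received non-routine Notify message: Invalid ID info (18)
Apr 26 00:44:06 [IKEv1]: Group = RV.RV.RV.139, IP = RV.RV.RV.139, IKE lost contact with remote peer, deleting connection (keepalive type: DPD)
"""
FROM_ASA = """\
[IKEv1]: Group = A.A.A.139, IP = A.A.A.139, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Apr 26 00:15:53 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
"""

LINE = re.compile(r"^(?:(\w{3} +\d+ [\d:]+) )?\[IKEv1(?: DEBUG)?\]: (.*)$")
NOTIFY_RE = re.compile(r"Received non-routine Notify message: .*\((\d+)\)")

def triage(log):
    """Summarise how far an IKEv1 negotiation got and why it stopped."""
    r = {"phase1": False, "phase2": False, "dpd_teardown": False,
         "p1_retransmits": 0, "notifies": []}
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not an IKEv1 debug line
        when, msg = m.groups()  # 'when' is None if the timestamp was cut off
        for text, key in MARKERS.items():
            if text in msg:
                r[key] = True
        r["p1_retransmits"] += int("Duplicate Phase 1 packet" in msg)
        n = NOTIFY_RE.search(msg)
        if n:  # keep the code, its RFC name, and whether phase 1 was already up
            code = int(n.group(1))
            r["notifies"].append((when, code, NOTIFY.get(code, "UNKNOWN"), r["phase1"]))
    if r["phase2"]:
        r["hint"] = "tunnel established"
    elif not r["phase1"]:
        r["hint"] = "phase 1 incomplete: compare isakmp policy and pre-shared key"
    elif any(n[1] == 18 for n in r["notifies"]):
        r["hint"] = "ID rejected by peer: compare IKE identity and local/remote networks"
    else:
        r["hint"] = "phase 2 failed: compare transform set, PFS group and lifetimes"
    return r
```

Calling `triage(FROM_RV042)` and `triage(FROM_ASA)` gives one summary per direction, which makes it easy to see that the two attempts stop at different stages.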
05-08-2013 01:54 PM
Hi ahmad82pkn, thanks for using our forum. My name is Johnnatan and I am part of the Small Business Support community. This is the Small Business section, so I could help you with the RV042; if you want to have more feedback about your device, you can post your question in the VPN section.
I recommend going to the VPN configuration section on the RV042 and disabling the PFS feature (you could also disable it on both devices). Also try configuring your devices using different security attributes (authentication, DH and encryption). I will share with you some documents about it:
http://www6.nohold.net/CiscoSB/Loginr.aspx?login=1&pid=2&app=search&vw=1&articleid=568
http://www6.nohold.net/CiscoSB/Loginr.aspx?login=1&pid=2&app=search&vw=1&articleid=3004
I hope you find this answer useful,
“Please rate useful posts so other users can benefit from it”
Greetings,
Johnnatan Rodriguez Miranda.
Cisco Network Support Engineer.