Concentrator - ASA VPN

BHconsultants88
Level 1

Hi guys

I'm changing the WAN IP on a remote site ASA. I've also applied the change on the VPN Concentrator at HQ.

Concentrator HQ - Cisco 2800

Remote Office - Cisco ASA 5505

Concentrator config:

crypto isakmp key ******** address 


Crypto Map "SDM_CMAP_1" 259 ipsec-isakmp
Description: Tunnel to RemoteSite
Peer = 212.26.211.244
Extended IP access list 2430
access-list 2430 permit ip 10.56.0.0 0.0.255.255 10.14.68.0 0.0.0.255
access-list 2430 permit ip 165.2.58.0 0.0.0.255 10.14.68.0 0.0.0.255
access-list 2430 permit ip 165.2.60.0 0.0.0.255 10.14.68.0 0.0.0.255
Current peer: 212.26.211.244
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): Y
DH group: group2
Transform sets={
SDM_3DES,
}

ASA Config

crypto map Outside_map 20 match address Outside_20_cryptomap
crypto map Outside_map 20 set peer 91.144.123.94
crypto map Outside_map 20 set transform-set ESP-3DES-SHA
crypto map Outside_map 20 set nat-t-disable

crypto isakmp policy 50
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400

tunnel-group 91.144.123.94 ipsec-attributes
pre-shared-key ********

I've run the debug and I'm seeing the following:

May 05 04:13:35 [IKEv1]: Group = 81.144.203.94, IP = 81.144.203.94, Removing peer from correlator table failed, no match!
May 05 04:13:35 [IKEv1]: Group = 81.144.203.94, IP = 81.144.203.94, Session is being torn down. Reason: Lost Service
May 05 04:13:44 [IKEv1]: Group = 81.144.203.94, IP = 81.144.203.94, QM FSM error (P2 struct &0xc930f018, mess id 0x6d5b00f1)!
May 05 04:13:44 [IKEv1]: Group = 81.144.203.94, IP = 81.144.203.94, Removing peer from correlator table failed, no match!
May 05 04:13:44 [IKEv1]: Group = 81.144.203.94, IP = 81.144.203.94, Session is being torn down. Reason: Phase 2 Mismatch
May 05 04:14:14 [IKEv1]: Group = 81.144.203.94, IP = 81.144.203.94, QM FSM error (P2 struct &0xca094e10, mess id 0x5af80a24)!
May 05 04:14:14 [IKEv1]: Group = 81.144.203.94, IP = 81.144.203.94, Removing peer from correlator table failed, no match!
May 05 04:14:24 [IKEv1]: Group = 81.144.203.94, IP = 81.144.203.94, QM FSM error (P2 struct &0xca094e10, mess id 0x5af80a24)!
May 05 04:14:24 [IKEv1]: Group = 81.144.203.94, IP = 81.144.203.94, Removing peer from correlator table failed, no match!
May 05 04:14:33 [IKEv1]: Group = 81.144.203.94, IP = 81.144.203.94, QM FSM error (P2 struct &0xc930f018, mess id 0xec1ad49c)!

I've checked both sides and authentication, encryption, PSK matches up. I'm not sure what else it could be. I'd really appreciate some help.

Thank you :-)

7 Replies

The Peer IP you set in crypto map and tunnel group has IP 91.144.123.94.

crypto map Outside_map 20 set peer 91.144.123.94

tunnel-group 91.144.123.94 ipsec-attributes

But in debugs it is showing the IP 81.144.203.94.

Also please post the ACL Outside_20_cryptomap.

Have you added the following configuration on ASA?

crypto map Outside_map enable outside

crypto ikev1 enable outside

Hi singhkulbir29881

Thanks very much for your reply. The correct IP is 81

crypto map Outside_map 20 match address Outside_20_cryptomap
crypto map Outside_map 20 set peer 81.144.203.94
crypto map Outside_map 20 set transform-set ESP-3DES-SHA
crypto map Outside_map 20 set nat-t-disable

I'm at a loss as to what this could be. Any help would be really appreciated!

Hi BHconsultants88@,

Have you changed the IP in tunnel group too?

Also post the ACL configuration of Outside_20_cryptomap 

I notice this message in what you posted

May 05 04:13:44 [IKEv1]: Group = 81.144.203.94, IP = 81.144.203.94, Session is being torn down. Reason: Phase 2 Mismatch

This suggests that the phase 1 negotiation was successful but the phase 2 negotiation was not successful. Perhaps more detail about how they are configured would be helpful.

HTH

Rick


Hi Rick, thanks for your reply. Here's the config on the Concentrator and the ASA.

CONCENTRATOR

Crypto Map "SDM_CMAP_1" 259 ipsec-isakmp
Description: Tunnel to RemoteSite
Peer = 212.26.211.244
Extended IP access list 2430
access-list 2430 permit ip 10.56.0.0 0.0.255.255 10.14.68.0 0.0.0.255
access-list 2430 permit ip 165.2.58.0 0.0.0.255 10.14.68.0 0.0.0.255
access-list 2430 permit ip 165.2.60.0 0.0.0.255 10.14.68.0 0.0.0.255
Current peer: 212.26.211.244
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): Y
DH group: group2
Transform sets={
SDM_3DES,
}


crypto isakmp key ******** address 212.26.211.244
ip route 10.14.68.0 255.255.255.0 212.26.211.244


ASA

crypto map Outside_map 20 match address Outside_20_cryptomap
crypto map Outside_map 20 set peer 81.144.203.94
crypto map Outside_map 20 set transform-set ESP-3DES-SHA
crypto map Outside_map 20 set nat-t-disable

crypto isakmp policy 20
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400

tunnel-group 81.144.203.94 ipsec-attributes
pre-shared-key ********

Would really appreciate any assistance, this has really flummoxed me!

Hi BHconsultants88@,

On the ASA, your ACL must match the following, and set PFS under the crypto map.

access-list Outside_20_cryptomap permit ip 10.14.68.0 0.0.0.255 10.56.0.0 0.0.255.255

access-list Outside_20_cryptomap permit ip 10.14.68.0 0.0.0.255 165.2.58.0 0.0.0.255 

access-list Outside_20_cryptomap permit ip 10.14.68.0 0.0.0.255 165.2.60.0 0.0.0.255 

crypto map Outside_map 20 set pfs group 2

johnlloyd_13
Level 9

Hi,

You've got PFS configured on the 2800. Make sure you also have this configured on the ASA.

Or alternatively, you could remove it on the 2800 to get a successful IPsec SA.

PFS (Y/N): Y
DH group: group2

2800

crypto map SDM_CMAP_1 ipsec-isakmp
 set pfs group2

ASA
crypto map Outside_map 20 set pfs group2
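As an added example (not code from the thread or from Cisco), here is a small Python checker for the two Phase 2 causes the replies above point at: crypto ACLs that are not mirror images of each other, and PFS configured on only one peer. The sample configs are constructed from the thread's ACLs (the ASA side deliberately lacks one entry and any `set pfs` line); treating a mask whose top bit is clear as an IOS wildcard is an assumption of this script.

```python
import ipaddress
import re

# Matches IOS ("access-list 2430 permit ip ...") and ASA
# ("access-list NAME extended permit ip ...") entries alike.
ACL_RE = re.compile(
    r"access-list\s+\S+\s+(?:extended\s+)?permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")
PFS_RE = re.compile(r"set pfs\s+group\s*(\d+)")

def to_network(addr, mask):
    """Accept an IOS wildcard (0.0.0.255) or an ASA netmask (255.255.255.0).
    Assumption: a mask whose top bit is clear is a wildcard and gets inverted."""
    m = int(ipaddress.IPv4Address(mask))
    if not m & 0x80000000:
        m ^= 0xFFFFFFFF
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(m))), strict=False)

def parse_acl(text):
    """Set of (src, dst) networks a crypto ACL protects, as CIDR strings."""
    return {(str(to_network(s, sm)), str(to_network(d, dm)))
            for s, sm, d, dm in ACL_RE.findall(text)}

def mirror_mismatches(local_acl, remote_acl):
    """Flip the remote side's flows; whatever is left unmatched on either side
    is a proxy-ID mismatch, which the ASA logs as 'Phase 2 Mismatch'."""
    local = parse_acl(local_acl)
    remote = {(d, s) for s, d in parse_acl(remote_acl)}
    return sorted(local - remote), sorted(remote - local)

def pfs_group(crypto_map_text):
    """DH group from 'set pfs groupN', or None when PFS is absent (a bare
    'set pfs' takes a platform default and is not handled here)."""
    m = PFS_RE.search(crypto_map_text)
    return int(m.group(1)) if m else None

# Constructed sample: the hub ACL from the thread plus its PFS line, and an
# ASA config missing one mirrored entry and carrying no 'set pfs' at all.
HUB_CFG = """
access-list 2430 permit ip 10.56.0.0 0.0.255.255 10.14.68.0 0.0.0.255
access-list 2430 permit ip 165.2.58.0 0.0.0.255 10.14.68.0 0.0.0.255
access-list 2430 permit ip 165.2.60.0 0.0.0.255 10.14.68.0 0.0.0.255
crypto map SDM_CMAP_1 259 ipsec-isakmp
 set pfs group2
"""
ASA_CFG = """
access-list Outside_20_cryptomap extended permit ip 10.14.68.0 255.255.255.0 10.56.0.0 255.255.0.0
access-list Outside_20_cryptomap extended permit ip 10.14.68.0 255.255.255.0 165.2.58.0 255.255.255.0
crypto map Outside_map 20 set transform-set ESP-3DES-SHA
"""
```

Running `mirror_mismatches(ASA_CFG, HUB_CFG)` reports the hub flow to 165.2.60.0/24 that the ASA never mirrors, and `pfs_group` returns 2 for the hub but None for the ASA, the two discrepancies a "Phase 2 Mismatch" teardown points at.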
