salen2011
Community Member

Sep 25 10:26:51 [IKEv1]: Group = 10.1.1.1, IP = 10.1.1.1, QM FSM error (P2 struct &0xad1df968, mess id 0xa2433a87)!

Sep 25 10:26:51 [IKEv1]: Group = 10.1.1.1, IP = 10.1.1.1, Removing peer from correlator table failed, no match!

Sep 25 10:26:51 [IKEv1]: Group = 10.1.1.1, IP = 10.1.1.1, Session is being torn down. Reason: Phase 2 Mismatch

ASA5510# show ip address

System IP Addresses:

Interface               Name                   IP address      Subnet mask     Method

Ethernet0/1             inside                 10.1.2.1        255.255.255.0   CONFIG

Ethernet0/2             outside                10.1.1.2        255.255.255.0   CONFIG

Management0/0           Management             192.168.1.1     255.255.255.0   CONFIG

Current IP Addresses:

Interface               Name                   IP address      Subnet mask     Method

Ethernet0/1             inside                 10.1.2.1        255.255.255.0   CONFIG

Ethernet0/2             outside                10.1.1.2        255.255.255.0   CONFIG

Management0/0           Management             192.168.1.1     255.255.255.0   CONFIG

ASA5510#

ASA5510# show conf

ASA5510# show configuration

: Saved

: Written by enable_15 at 05:21:31.339 UTC Sun Sep 25 2011

!

ASA Version 8.2(2)

!

hostname ASA5510

domain-name cisco.com

enable password 2KFQnbNIdI.2KYOU encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Ethernet0/0

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/1

nameif inside

security-level 100

ip address 10.1.2.1 255.255.255.0

!

interface Ethernet0/2

nameif outside

security-level 0

ip address 10.1.1.2 255.255.255.0

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif Management

security-level 0

ip address 192.168.1.1 255.255.255.0

!

ftp mode passive

dns server-group DefaultDNS

domain-name cisco.com

access-list 100 extended permit ip any any

access-list outside_1_cryptomap extended permit ip 192.168.0.0 255.255.255.0 192.168.30.0 255.255.255.0

pager lines 24

mtu inside 1500

mtu outside 1500

mtu Management 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

nat-control

static (inside,outside) 192.168.10.0 192.168.10.0 netmask 255.255.255.0

static (inside,outside) 192.168.20.0 192.168.20.0 netmask 255.255.255.0

access-group 100 in interface outside

route inside 192.168.10.0 255.255.255.0 10.1.2.2 1

route inside 192.168.20.0 255.255.255.0 10.1.2.2 1

route outside 192.168.30.0 255.255.255.0 10.1.1.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.1.1 255.255.255.255 inside

http 192.168.1.0 255.255.255.0 Management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP_DES-SHA esp-des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto map outside_map 1 match address outside_1_cryptomap

crypto map outside_map 1 set peer 10.1.1.1

crypto map outside_map 1 set transform-set ESP_DES-SHA

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption des

hash sha

group 2

lifetime 28800

telnet timeout 5

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

enable outside

group-policy franchise internal

group-policy franchise attributes

vpn-tunnel-protocol webvpn

webvpn

url-list none

username franchise password Xa01d5ksWx/8sm8t encrypted privilege 0

username franchise attributes

vpn-group-policy franchise

username cisco password 3USUcOPFUiMCO4Jk encrypted

tunnel-group 10.1.1.1 type ipsec-l2l

tunnel-group 10.1.1.1 ipsec-attributes

pre-shared-key *

tunnel-group franchise type remote-access

tunnel-group franchise general-attributes

default-group-policy franchise

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect ip-options

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

!

service-policy global_policy global

prompt hostname context

call-home

profile CiscoTAC-1

no active

destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

destination address email callhome@cisco.com

destination transport-method http

subscribe-to-alert-group diagnostic

subscribe-to-alert-group environment

subscribe-to-alert-group inventory periodic monthly

subscribe-to-alert-group configuration periodic monthly

subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:8065937fff81634e958850d7eeb2a6be

ASA5510#

RV120W configuration

IPsec Policies

IKE Policies Table

Name       Mode  Local IP  Remote IP  Encryption  Authentication  DH

Franchise  Main  10.1.1.1  10.1.1.2   DES         SHA-1           Group 2 (1024 bit)

VPN Policies Table

Status   Name       Type         Local                         Remote                       Authentication  Encryption

Enabled  Franchise  Auto Policy  192.168.30.0 / 255.255.255.0  192.168.0.0 / 255.255.255.0  SHA-1           DES

Selected IKE Policy View

General

Policy Name: Franchise    

Direction / Type Both  

Exchange Mode: Main  

Enable XAUTH Client: None  

Local Identification

Identifier Type: Local Wan IP  

Local Wan IP: 10.1.1.1  

Peer IKE Identification

Identifier Type: Remote Wan IP  

Local Wan IP: 10.1.1.2  

IKE SA Parameters

Encryption Algorithm: DES  

Authentication Algorithm: SHA-1  

Authentication Method: Pre-shared key  

Pre-Shared Key: franchise  

Diffie-Hellman (DH) Group: 2  

SA-Lifetime: 28800 Seconds

