Hi Guys,

I've setup a VPN between an ASA 5510 running OS 7.2 (Base) and a Concentrator 3005.

The VPN comes up perfectly if initiated from the ASA but fails at Phase2 when initiated from the 3005 (1.1.1.5). Upon failing, the ASA throughs the following errors:

Dec 07 00:54:20 [IKEv1]: Group = 1.1.1.15, IP = 1.1.1.15, PHASE 1 COMPLETED
Dec 07 00:54:20 [IKEv1 DEBUG]: Group = 1.1.1.15, IP = 1.1.1.15, processing ID payload
Dec 07 00:54:20 [IKEv1 DECODE]: Group = 1.1.1.15, IP = 1.1.1.15, ID_IPV4_ADDR_SUBNET ID received--172.19.0.0--255.255.0.0
Dec 07 00:54:20 [IKEv1]: Group = 1.1.1.15, IP = 1.1.1.15, Received remote IP Proxy Subnet data in ID Payload:   Address 172.19.0.0, Mask 255.255.0.0, Protocol 0, Port 0
Dec 07 00:54:20 [IKEv1 DEBUG]: Group = 1.1.1.15, IP = 1.1.1.15, processing ID payload
Dec 07 00:54:20 [IKEv1 DECODE]: Group = 1.1.1.15, IP = 1.1.1.15, ID_IPV4_ADDR_SUBNET ID received--192.168.2.0--255.255.255.0
Dec 07 00:54:20 [IKEv1]: Group = 1.1.1.15, IP = 1.1.1.15, Received local IP Proxy Subnet data in ID Payload:   Address 192.168.2.0, Mask 255.255.255.0, Protocol 0, Port 0
Dec 07 00:54:20 [IKEv1 DEBUG]: Group = 1.1.1.15, IP = 1.1.1.15, processing notify payload
Dec 07 00:54:20 [IKEv1]: Group = 1.1.1.15, IP = 1.1.1.15, QM IsRekeyed old sa not found by addr
Dec 07 00:54:20 [IKEv1]: Group = 1.1.1.15, IP = 1.1.1.15, Static Crypto Map check, checking map = mymap, seq = 9...
Dec 07 00:54:20 [IKEv1]: Group = 1.1.1.15, IP = 1.1.1.15, Static Crypto Map check, map = mymap, seq = 9, ACL does not match proxy IDs src:172.19.0.0 dst:192.168.2.0
Dec 07 00:54:20 [IKEv1]: Group = 1.1.1.15, IP = 1.1.1.15, IKE Remote Peer configured for crypto map: dynmap
Dec 07 00:54:20 [IKEv1 DEBUG]: Group = 1.1.1.15, IP = 1.1.1.15, processing IPSec SA payload
Dec 07 00:54:20 [IKEv1]: Group = 1.1.1.15, IP = 1.1.1.15, All IPSec SA proposals found unacceptable!
Dec 07 00:54:20 [IKEv1 DEBUG]: Group = 1.1.1.15, IP = 1.1.1.15, sending notify message

What I gather from the above output is that seq 9 of the Crypto Map mymap does not match the proposal offered by the 3005. And guess what, it doesn't - so no suprise there - however Seq 12 does match. SO I'm assuming the ASA isn't checking the proposal from the 3005 against the entie Crypto Map. Fair assumption? And if so, does anyone know why not?

TIA

Cheers

Scott