ASA5510 to 2951 - Phase 2 Failures with 10.x subnets

adamtodd16
Level 3

I have a bit of a strange one - well, strange to me at least.

I have a site-to-site IPsec tunnel set up between an ASA5510 and a 2951 router. The ASA 5510 is on a 10.x subnet with a few VLANs behind it. There are also 7 other ASA5505s that connect to this box with IPsec.

The 2951 is on a 10.x subnet with multiple VLANs behind it (10.x and 192.x subnets).

When I had an ACL to allow traffic from 10.20.0.0 (ASA) to 192.168.111.0 (2951 - voice VLAN), the connection came online and was stable.

The minute I add any of the following, the connection drops off with Phase 2 errors:

10.20.0.0 to 10.1.200.0

10.20.1.0 to 10.1.1.0

I can add a second 10.20.0.0 to 192.168.10.0 with no problem at all. The issue only seems to occur when attempting to add traffic from 10 to 10 on the tunnel.

Any thoughts or ideas?

2 Replies

Rudy Sanjoko
Level 4

Do you have any logs? Try to post the output that gives the error message regarding phase 2 from the debug command. Try to NAT it and see if that helps; it looks something like this: 10.20.0.0 - x.x.x.x - 10.1.200.0

Thanks for the reply. I have tried it with and without NAT. I've gone through the ACL config 1,000 times, so it's not a mismatch there, and both are set to 3DES-MD5.

326612: Apr 25 16:58:51.793: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=10.20.255.106, prot=50, spi=0x6779E85B(1736042587), srcaddr=10.20.120.46

326613: Apr 25 16:58:51.801: ISAKMP (0): received packet from 44.33.11.74 dport 500 sport 500 Global (I) MM_SA_SETUP

326614: Apr 25 16:58:51.801: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

326615: Apr 25 16:58:51.801: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4

326616: Apr 25 16:58:51.805: ISAKMP:(0): processing KE payload. message ID = 0

326617: Apr 25 16:58:51.833: ISAKMP:(0): processing NONCE payload. message ID = 0

326618: Apr 25 16:58:51.833: ISAKMP:(0):found peer pre-shared key matching 44.33.11.74

326619: Apr 25 16:58:51.833: ISAKMP:(16314): processing vendor id payload

326620: Apr 25 16:58:51.833: ISAKMP:(16314): vendor ID is Unity

326621: Apr 25 16:58:51.833: ISAKMP:(16314): processing vendor id payload

326622: Apr 25 16:58:51.833: ISAKMP:(16314): vendor ID seems Unity/DPD but major 167 mismatch

326623: Apr 25 16:58:51.833: ISAKMP:(16314): vendor ID is XAUTH

326624: Apr 25 16:58:51.833: ISAKMP:(16314): processing vendor id payload

326625: Apr 25 16:58:51.833: ISAKMP:(16314): speaking to another IOS box!

326626: Apr 25 16:58:51.833: ISAKMP:(16314): processing vendor id payload

326627: Apr 25 16:58:51.833: ISAKMP:(16314):vendor ID seems Unity/DPD but hash mismatch

326628: Apr 25 16:58:51.833: ISAKMP:(16314):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

326629: Apr 25 16:58:51.833: ISAKMP:(16314):Old State = IKE_I_MM4  New State = IKE_I_MM4

326630: Apr 25 16:58:51.837: ISAKMP:(16314):Send initial contact

326631: Apr 25 16:58:51.837: ISAKMP:(16314):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR

326632: Apr 25 16:58:51.837: ISAKMP (16314): ID payload

    next-payload : 8

    type         : 1

    address      : 10.20.255.106

    protocol     : 17

    port         : 500

    length       : 12

326633: Apr 25 16:58:51.837: ISAKMP:(16314):Total payload length: 12

326634: Apr 25 16:58:51.837: ISAKMP:(16314): sending packet to 44.33.11.74 my_port 500 peer_port 500 (I) MM_KEY_EXCH

326635: Apr 25 16:58:51.837: ISAKMP:(16314):Sending an IKE IPv4 Packet.

326636: Apr 25 16:58:51.837: ISAKMP:(16314):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

326637: Apr 25 16:58:51.837: ISAKMP:(16314):Old State = IKE_I_MM4  New State = IKE_I_MM5

326638: Apr 25 16:58:52.049: ISAKMP (16314): received packet from 44.33.11.74 dport 500 sport 500 Global (I) MM_KEY_EXCH

326639: Apr 25 16:58:52.049: ISAKMP:(16314): processing ID payload. message ID = 0

326640: Apr 25 16:58:52.049: ISAKMP (16314): ID payload

    next-payload : 8

    type         : 2

    FQDN name    : ASA5510central.culmarex.local

    protocol     : 0

    port         : 0

    length       : 37

326641: Apr 25 16:58:52.049: ISAKMP:(0):: peer matches *none* of the profiles

326642: Apr 25 16:58:52.053: ISAKMP:(16314): processing HASH payload. message ID = 0

326643: Apr 25 16:58:52.053: ISAKMP:received payload type 17

326644: Apr 25 16:58:52.053: ISAKMP:(16314): processing keep alive: proposal=32767/32767 sec., actual=10/2 sec.

326645: Apr 25 16:58:52.053: ISAKMP:(16314): processing vendor id payload

326646: Apr 25 16:58:52.053: ISAKMP:(16314): vendor ID is DPD

326647: Apr 25 16:58:52.053: ISAKMP:(16314):SA authentication status:

    authenticated

326648: Apr 25 16:58:52.053: ISAKMP:(16314):SA has been authenticated with 44.33.11.74

326649: Apr 25 16:58:52.053: ISAKMP:(16314):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

326650: Apr 25 16:58:52.053: ISAKMP:(16314):Old State = IKE_I_MM5  New State = IKE_I_MM6

326651: Apr 25 16:58:52.053: ISAKMP:(16314):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

326652: Apr 25 16:58:52.053: ISAKMP:(16314):Old State = IKE_I_MM6  New State = IKE_I_MM6

326653: Apr 25 16:58:52.053: ISAKMP:(16314):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

326654: Apr 25 16:58:52.053: ISAKMP:(16314):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE

326655: Apr 25 16:58:52.053: ISAKMP:(16314):IKE_DPD is enabled, initializing timers

326656: Apr 25 16:58:52.053: ISAKMP:(16314):beginning Quick Mode exchange, M-ID of -29212622

326657: Apr 25 16:58:52.053: ISAKMP:(16314):QM Initiator gets spi

326658: Apr 25 16:58:52.053: ISAKMP:(16314): sending packet to 44.33.11.74 my_port 500 peer_port 500 (I) QM_IDLE    

326659: Apr 25 16:58:52.053: ISAKMP:(16314):Sending an IKE IPv4 Packet.

326660: Apr 25 16:58:52.057: ISAKMP:(16314):Node -29212622, Input = IKE_MESG_INTERNAL, IKE_INIT_QM

326661: Apr 25 16:58:52.057: ISAKMP:(16314):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1

326662: Apr 25 16:58:52.057: ISAKMP:(16314):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE

326663: Apr 25 16:58:52.057: ISAKMP:(16314):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

326664: Apr 25 16:58:52.169: ISAKMP:(15603):purging node 2088028010

326665: Apr 25 16:58:52.269: ISAKMP (16314): received packet from 44.33.11.74 dport 500 sport 500 Global (I) QM_IDLE    

326666: Apr 25 16:58:52.269: ISAKMP: set new node -533571565 to QM_IDLE    

326667: Apr 25 16:58:52.273: ISAKMP:(16314): processing HASH payload. message ID = -533571565

326668: Apr 25 16:58:52.273: ISAKMP:(16314): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3

    spi 0, message ID = -533571565, sa = B3492C4

326669: Apr 25 16:58:52.273: ISAKMP:(16314):deleting node -533571565 error FALSE reason "Informational (in) state 1"

326670: Apr 25 16:58:52.273: ISAKMP:(16314):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY

326671: Apr 25 16:58:52.273: ISAKMP:(16314):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

326672: Apr 25 16:58:52.273: ISAKMP (16314): received packet from 44.33.11.74 dport 500 sport 500 Global (I) QM_IDLE    

326673: Apr 25 16:58:52.273: ISAKMP: set new node -322332923 to QM_IDLE    

326674: Apr 25 16:58:52.273: ISAKMP:(16314): processing HASH payload. message ID = -322332923

326675: Apr 25 16:58:52.273: ISAKMP:(16314): processing DELETE payload. message ID = -322332923

326676: Apr 25 16:58:52.273: ISAKMP:(16314):peer does not do paranoid keepalives.

326677: Apr 25 16:58:52.273: ISAKMP:(16314):deleting SA reason "No reason" state (I) QM_IDLE       (peer 44.33.11.74)

326678: Apr 25 16:58:52.273: ISAKMP:(16314):deleting node -322332923 error FALSE reason "Informational (in) state 1"

326679: Apr 25 16:58:52.273: ISAKMP: set new node 476062227 to QM_IDLE    

326680: Apr 25 16:58:52.273: ISAKMP:(16314): sending packet to 44.33.11.74 my_port 500 peer_port 500 (I) QM_IDLE    

326681: Apr 25 16:58:52.273: ISAKMP:(16314):Sending an IKE IPv4 Packet.

326682: Apr 25 16:58:52.273: ISAKMP:(16314):purging node 476062227

326683: Apr 25 16:58:52.273: ISAKMP:(16314):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL

326684: Apr 25 16:58:52.273: ISAKMP:(16314):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA

326685: Apr 25 16:58:52.273: ISAKMP:(16314):deleting SA reason "No reason" state (I) QM_IDLE       (peer 44.33.11.74)

326686: Apr 25 16:58:52.273: ISAKMP:(0):Can't decrement IKE Call Admission Control stat outgoing_active since it's already 0.

326687: Apr 25 16:58:52.273: ISAKMP: Unlocking peer struct 0x1D75AB8 for isadb_mark_sa_deleted(), count 1

326688: Apr 25 16:58:52.277: ISAKMP:(16314):deleting node -29212622 error FALSE reason "IKE deleted"

326689: Apr 25 16:58:52.277: ISAKMP:(16314):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

326690: Apr 25 16:58:52.277: ISAKMP:(16314):Old State = IKE_DEST_SA  New State = IKE_DEST_SA
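The debug output above can be triaged mechanically. The following is an added example (not code from the thread): a small Python script that runs over a constructed excerpt of the posted "debug crypto isakmp" lines, tracks the ISAKMP state transitions, NOTIFY payloads and invalid-SPI syslog messages, and reports where the IKEv1 negotiation stopped. The regexes follow the IOS line formats quoted in the thread; the verdict strings are my own and assume nothing beyond what those lines show.

```python
import re

# Constructed excerpt of the "debug crypto isakmp" output quoted in the thread
# (message numbers, timestamps and addresses copied from the post above).
SAMPLE_LOG = """\
326612: Apr 25 16:58:51.793: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=10.20.255.106, prot=50, spi=0x6779E85B(1736042587), srcaddr=10.20.120.46
326654: Apr 25 16:58:52.053: ISAKMP:(16314):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
326661: Apr 25 16:58:52.057: ISAKMP:(16314):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
326668: Apr 25 16:58:52.273: ISAKMP:(16314): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
326684: Apr 25 16:58:52.273: ISAKMP:(16314):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA
"""

STATE_RE = re.compile(r"ISAKMP:\((\d+)\):Old State = (\S+)\s+New State = (\S+)")
NOTIFY_RE = re.compile(r"processing NOTIFY (\S+) protocol (\d+)")
INV_SPI_RE = re.compile(
    r"RECVD_PKT_INV_SPI.*destaddr=([\d.]+), prot=(\d+), spi=(0x[0-9A-Fa-f]+)\S*, srcaddr=([\d.]+)")
# Protocol ID carried in an ISAKMP NOTIFY: 1 = ISAKMP itself, 2 = AH, 3 = ESP.
NOTIFY_PROTO = {"1": "ISAKMP", "2": "AH", "3": "ESP"}


def triage(log_text):
    """Return a dict describing how far the IKEv1 negotiation got and why it stopped."""
    r = {"phase1_complete": False, "quick_mode_started": False, "sa_torn_down": False,
         "notifies": [], "invalid_spi": []}
    for line in log_text.splitlines():
        if m := STATE_RE.search(line):
            new_state = m.group(3)
            r["phase1_complete"] |= new_state == "IKE_P1_COMPLETE"
            r["quick_mode_started"] |= new_state.startswith("IKE_QM_")
            r["sa_torn_down"] |= new_state == "IKE_DEST_SA"
        elif m := NOTIFY_RE.search(line):
            r["notifies"].append((m.group(1), NOTIFY_PROTO.get(m.group(2), m.group(2))))
        elif m := INV_SPI_RE.search(line):
            r["invalid_spi"].append(dict(zip(("dst", "ip_proto", "spi", "src"), m.groups())))
    # Verdict: Phase 1 must finish before a Phase 2 (Quick Mode) failure is meaningful.
    if not r["phase1_complete"]:
        r["verdict"] = "Phase 1 did not complete: check IKE policy and pre-shared key"
    elif ("PROPOSAL_NOT_CHOSEN", "ESP") in r["notifies"]:
        r["verdict"] = ("Phase 2 rejected by peer (PROPOSAL_NOT_CHOSEN for ESP): compare "
                        "transform sets, PFS and proxy identities (crypto ACLs) on both ends")
    elif r["sa_torn_down"]:
        r["verdict"] = "SA deleted after Phase 1 without a Phase 2 NOTIFY: check the peer's logs"
    else:
        r["verdict"] = "no Phase 2 failure indicator found"
    return r


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Stale-SPI messages such as the RECVD_PKT_INV_SPI line are reported separately because they describe traffic arriving on an SA the local side no longer holds, not the negotiation itself.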