ERROR: VPN NOT WORKING YET ACTIVE (Removing peer from correlator table failed, no match)

Jesutofunmi O (Level 1)

Hey Techies, 

I am trying to set up an L2L VPN between a Cisco IOS router and an ASA firewall. I can't seem to figure out what's wrong. Here's the config below;

Here is the error message:

Removing peer from correlator table failed, no match!

QM FSM error (P2 struct &0x00007fff2b819090, mess id 0xfda7a478)!

 

And config on both routers

ASA CONFIG


object-group network BWL-VI-TO-ABUJA
network-object object BWL-VI2
network-object object BWL-VI3


PHASE 1
crypto ikev1 policy 20
authentication pre-share
encryption aes 256
hash sha
group 2
lifetime 86400

crypto isakmp enable outside

tunnel-group 81.x.x.x type ipsec-l2l
tunnel-group 81.x.x.x ipsec-attributes
pre-shared-key xxxx

object network Abuja
subnet 172.16.130.0 255.255.255.128


PHASE 2

access-list VI-to-Abuja extended permit ip 172.16.120.0 255.255.248.0 172.16.130.0 255.255.255.128
access-list VI-to-Abuja extended permit ip 192.168.0.0 255.255.255.0 172.16.130.0 255.255.255.128

crypto ipsec transform-set VI-TO-ABUJA esp-aes esp-sha-hmac
crypto map outside-map 3 set peer 81.x.x.x
crypto map outside-map 3 match address VI-to-Abuja
crypto map outside-map 3 set transform-set VI-TO-ABUJA
crypto map outside-map interface outside


nat (INSIDE,outside) source static BWL-VI-TO-ABUJA BWL-VI-TO-ABUJA destination static ABUJA ABUJA description NONAT-VI-ABUJA-L2LVPN

IOS

PHASE 1

ip route 0.0.0.0 0.0.0.0 91.x.x.2 (gateway)

crypto isakmp policy xx
encr 3des
hash sha
authentication pre-share
group 2
crypto isakmp key xxx address 41.x.x.x


PHASE 2
ip access-list extended Abuja-to-VI
permit ip 172.16.130.0 0.0.0.7 192.168.0.0 0.0.0.255
permit ip 172.16.130.0 0.0.0.7 172.16.120.0 0.0.7.255

crypto ipsec transform-set LAGOSSET esp-aes esp-sha-hmac
mode tunnel

crypto map ABJ2ILPJ 30 ipsec-isakmp
set peer 41.x.x.x
set transform-set LAGOSSET
match address Abuja-to-VI

int vlan1
crypto map ABJ2ILPJ
ip nat outside

ROUTES AND NONATS

ip route 172.16.120.0 255.255.248.0 91.x.x.2

ip access-list extended NONAT-VPN-TRAFFIC
deny ip 172.16.130.0 0.0.0.7 192.168.0.0 0.0.0.255
deny ip 172.16.130.0 0.0.0.7 172.16.120.0 0.0.7.255
permit ip any any
ip nat inside source list NONAT-VPN-TRAFFIC interface vlan1 overload

PLEASE HELP

 

sh crypto isakmp sa

IKEv1 SAs:

Active SA: 2
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1 IKE Peer: x.x.x.x
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
2 IKE Peer: x.x.x.x
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE

Accepted Solutions

Hi,

I can see three different names for the crypto map on the router. Please keep the same name for all crypto map entries. You have changed only the crypto map number.

 

Regards,

Deepak Kumar

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!


Hello Guys, 

So I sorted it out somewhat;

1. There was already an existing crypto map on the router before the one I configured. The new one I added had a misspelled crypto map name: it is ABJ2ILPJ, not ABJ2IPJ. So I corrected that.

 

2. Secondly, since the traffic is not to be NAT'ed, as it is a LAN-to-LAN VPN, I did a route map.

 

access-list 110 deny ip 172.16.130.0 0.0.0.127 192.168.0.0 0.0.0.255 
access-list 110 deny ip 172.16.130.0 0.0.0.127 172.16.120.0 0.0.7.255 
access-list 110 permit ip 172.16.130.0 0.0.0.127 any

ip nat inside source list 110 interface Vlan1 overload

route-map nonat permit 10
match ip address 110

 

The tunnel came up but I encountered another challenge. I may put that up in another post.

 

Thank you Deepak and everyone who assisted in some way. Deeply appreciate.

This forum is helpful.


15 Replies

Rahul Govindan (VIP Alumni)

Collect the following debugs from the ASA and IOS router at the same time and paste them here after removing sensitive IP addresses etc.

Router:

debug crypto isakmp
debug crypto ipsec

ASA

debug crypto isakmp 127
debug crypto ipsec 127

The error that you have pasted is one of the many generic messages that come up during tunnel establishment failure.

FROM ASA

 

Jan 30 07:02:36 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, IKE got SPI from key engine: SPI = 0x0e33f258
Jan 30 07:02:36 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, oakley constucting quick mode
Jan 30 07:02:36 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, constructing blank hash payload
Jan 30 07:02:36 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, constructing IPSec SA payload
Jan 30 07:02:36 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, constructing IPSec nonce payload
Jan 30 07:02:36 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, constructing proxy ID
Jan 30 07:02:36 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, Transmitting Proxy Id:
Local subnet: 192.168.0.0 mask 255.255.255.0 Protocol 0 Port 0
Remote subnet: 172.16.130.0 Mask 255.255.255.128 Protocol 0 Port 0
Jan 30 07:02:36 [IKEv1 DECODE]Group = x.x.x.x, IP = x.x.x.x, IKE Initiator sending Initial Contact
Jan 30 07:02:36 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, constructing qm hash payload
Jan 30 07:02:36 [IKEv1 DECODE]Group = x.x.x.x, IP = x.x.x.x, IKE Initiator sending 1st QM pkt: msg id = d874a38d
Jan 30 07:02:36 [IKEv1]IP = x.x.x.x, IKE_DECODE SENDING Message (msgid=d874a38d) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 200
Jan 30 07:02:37 [IKEv1]IKE Receiver: Packet received on x.x.x.x:500 from x.x.x.x:500
Jan 30 07:02:37 [IKEv1]IP = x.x.x.x, IKE_DECODE RECEIVED Message (msgid=f2300b63) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80
Jan 30 07:02:37 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, processing hash payload
Jan 30 07:02:37 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, processing notify payload
Jan 30 07:02:37 [IKEv1]Group = x.x.x.x, IP = x.x.x.x, Received non-routine Notify message: No proposal chosen (14)
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=17, saddr=192.168.0.114, sport=59874, daddr=172.16.130.55, dport=41216.
IPSEC(crypto_map_check)-3: Checking crypto map outside-map 3: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=17, saddr=192.168.0.120, sport=50195, daddr=172.16.130.15, dport=50195.
IPSEC(crypto_map_check)-3: Checking crypto map outside-map 3: matched.
IPSEC WARNING: Failed to get last received info for SessionID: 0x00AEE000
Jan 30 07:02:47 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, Sending keep-alive of type DPD R-U-THERE (seq number 0x5e4f0a54)
Jan 30 07:02:47 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, constructing blank hash payload
Jan 30 07:02:47 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, constructing qm hash payload
Jan 30 07:02:47 [IKEv1]IP = x.x.x.x, IKE_DECODE SENDING Message (msgid=a25b99d2) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jan 30 07:02:47 [IKEv1]IKE Receiver: Packet received on x.x.x.x:500 from x.x.x.x:500
Jan 30 07:02:47 [IKEv1]IP = x.x.x.x, IKE_DECODE RECEIVED Message (msgid=eb903807) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jan 30 07:02:47 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, processing hash payload
Jan 30 07:02:47 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, processing notify payload
Jan 30 07:02:47 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0x5e4f0a54)
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=17, saddr=192.168.0.120, sport=50195, daddr=172.16.130.15, dport=50195
IPSEC(crypto_map_check)-3: Checking crypto map outside-map 3: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=17, saddr=192.168.0.120, sport=50195, daddr=172.16.130.15, dport=50195
IPSEC(crypto_map_check)-3: Checking crypto map outside-map 3: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=17, saddr=192.168.0.114, sport=59874, daddr=172.16.130.55, dport=41216
IPSEC(crypto_map_check)-3: Checking crypto map outside-map 3: matched.
IPSEC WARNING: Failed to get last received info for SessionID: 0x00AEE000
Jan 30 07:02:57 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, Sending keep-alive of type DPD R-U-THERE (seq number 0x5e4f0a55)
Jan 30 07:02:57 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, constructing blank hash payload
Jan 30 07:02:57 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, constructing qm hash payload
Jan 30 07:02:57 [IKEv1]IP = x.x.x.x, IKE_DECODE SENDING Message (msgid=aeed7b4b) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jan 30 07:02:57 [IKEv1]IKE Receiver: Packet received on x.x.x.x:500 from x.x.x.x:500
Jan 30 07:02:57 [IKEv1]IP = x.x.x.x, IKE_DECODE RECEIVED Message (msgid=226b1659) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jan 30 07:02:57 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, processing hash payload
Jan 30 07:02:57 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, processing notify payload
Jan 30 07:02:57 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0x5e4f0a55)
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=17, saddr=192.168.0.120, sport=50195, daddr=172.16.130.15, dport=50195
IPSEC(crypto_map_check)-3: Checking crypto map outside-map 3: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=17, saddr=192.168.0.114, sport=59874, daddr=172.16.130.55, dport=41216
IPSEC(crypto_map_check)-3: Checking crypto map outside-map 3: matched.

Hi,

Please check the crypto map and ACL configuration.

IPSEC WARNING: Failed to get last received info for SessionID: 0x00AEE000

Group = x.x.x.x, IP = x.x.x.x, Received non-routine Notify message: No proposal chosen (14)

Kindly check both sites' debugging and crypto map settings.

 

Regards,

Deepak Kumar


Jan 30 07:02:37 [IKEv1]Group = x.x.x.x, IP = x.x.x.x, Received non-routine Notify message: No proposal chosen (14)

Router and ASA may not have the right proposal.

Looking at your config, I see that your wildcard/subnet mask is wrong.

on Router:
permit ip 172.16.130.0 0.0.0.7 192.168.0.0 0.0.0.255
permit ip 172.16.130.0 0.0.0.7 172.16.120.0 0.0.7.255

on ASA:
access-list VI-to-Abuja extended permit ip 172.16.120.0 255.255.248.0 172.16.130.0 255.255.255.128
access-list VI-to-Abuja extended permit ip 192.168.0.0 255.255.255.0 172.16.130.0 255.255.255.128

Your wildcard mask for 172.16.130.0 255.255.255.128 should have been 0.0.0.127 not 0.0.0.7.

So I removed the former config and reconfigured it. Please see config below;

 

ASA 5515x Version 9.2

crypto isakmp policy 20
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400


crypto ipsec ikev1 transform-set ABUJASET esp-aes esp-sha-hmac


access-list VI-Abuja extended permit ip 192.168.0.0 255.255.255.0 172.16.130.0 255.255.255.128
access-list VI-Abuja extended permit ip 172.16.120.0 255.255.248.0 172.16.130.0 255.255.255.128


tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
pre-shared-key *******


crypto map outside-map 3 match address VI-Abuja
crypto map outside-map 3 set peer x.x.x.x
crypto map outside-map 3 set pfs group5
crypto map outside-map 3 set transform-set ABUJASET
crypto map outside-map 3 set reverse-route
crypto map outside-map interface outside

crypto isakmp enable outside
nat (INSIDE,outside) source static BWL-VI BWL-VI destination static ABUJA ABUJA description NONAT-VI-ABUJA-L2LVPN

Cisco IOS router (2900 series, Version 15.2)

crypto isakmp policy 30
encryption aes
hash sha
authentication pre-share
group 2

crypto isakmp key ******** address X.X.X.X


ip access-list extended Abuja-VI
permit ip 172.16.130.0 0.0.0.127 192.168.0.0 0.0.0.255
permit ip 172.16.130.0 0.0.0.127 172.16.120.0 0.0.7.255


crypto ipsec transform-set LAGOSSET esp-aes esp-sha-hmac
mode tunnel

crypto map ABJ2IPJ 3 ipsec-isakmp
set peer X.X.X.X
set transform-set LAGOSSET
match address Abuja-VI
set pfs group5

SEE BELOW SHOW COMMAND OUTPUT

sh crypto isakmp sa

IKEv1 SAs:

Active SA: 2
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1 IKE Peer: x.x.x.x
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
2 IKE Peer: x.x.x.x
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE

1. Please find attached the complete configuration on both the ASA and the 2900 router.

2. I configured a route map with an overload on the outside interface (vlan1) so that LAN traffic on the 2900 is not NAT'ed, but it stops the other VPN from working, so I removed it from the configuration.

FROM ASA

sh crypto isakmp sa

IKEv1 SAs:

Active SA: 2
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1 IKE Peer: x.x.x.x
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
2 IKE Peer: x.x.x.x
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE

KINDLY ASSIST!!!

Hello Deepak,

Thanks for your response.

The crypto map name is not the problem. It is consistent throughout the configuration.

The tunnel is formed and the link status is active, but traffic is not passing through the tunnel from either location. That's the issue currently.

@Jesutofunmi O wrote:

Hello Deepak,

Thanks for your response.

The crypto map name is not the problem. It is consistent throughout the configuration.

The tunnel is formed and the link status is active, but traffic is not passing through the tunnel from either location. That's the issue currently.

Hi,

Please check my last comment:

 

"

Hi,

I can see that packets are going to the other site (encrypted) but there are no packets coming from the other site.

#pkts encaps: 1358, #pkts encrypt: 1358, #pkts digest: 1358
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

 

Please check the ACL on the other site, especially the NONAT and interesting-traffic ACL for the tunnel.

 

Regards,

Deepak Kumar"

Deepak Kumar (VIP Alumni)

Yes, please check your ACL configuration at both locations:

ASA)

access-list VI-to-Abuja extended permit ip 172.16.120.0 255.255.248.0 172.16.130.0 255.255.255.128
access-list VI-to-Abuja extended permit ip 192.168.0.0 255.255.255.0 172.16.130.0 255.255.255.128

Router)
permit ip 172.16.130.0 0.0.0.127 192.168.0.0 0.0.0.255
permit ip 172.16.130.0 0.0.0.127 172.16.120.0 0.0.7.255

 

Regards,

Deepak Kumar

Thanks guys. I really don't know where I got that 'funny' wildcard from. It's been corrected. I have set proposals too.

Please see below the results from the ASA;

BW-VI-ASA-NGFW(config)# debug crypto ipsec 127
BW-VI-ASA-NGFW(config)# Jan 30 11:56:37 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, Sending keep-alive of type DPD R-U-THERE (seq number 0x1a9daa02)
Jan 30 11:56:37 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, constructing blank hash payload
Jan 30 11:56:37 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, constructing qm hash payload
Jan 30 11:56:37 [IKEv1]IP = x.x.x.x, IKE_DECODE SENDING Message (msgid=fd087905) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jan 30 11:56:37 [IKEv1]IKE Receiver: Packet received on x.x.x.20:500 from x.x.x.x:500
Jan 30 11:56:37 [IKEv1]IP = x.x.x.x, IKE_DECODE RECEIVED Message (msgid=2e0c1c9a) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jan 30 11:56:37 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, processing hash payload
Jan 30 11:56:37 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, processing notify payload
Jan 30 11:56:37 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0x1a9daa02)
Jan 30 11:56:47 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, Sending keep-alive of type DPD R-U-THERE (seq number 0x1a9daa03)
Jan 30 11:56:47 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, constructing blank hash payload
Jan 30 11:56:47 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, constructing qm hash payload
Jan 30 11:56:47 [IKEv1]IP = x.x.x.x, IKE_DECODE SENDING Message (msgid=31fc37ab) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jan 30 11:56:47 [IKEv1]IKE Receiver: Packet received on x.x.x.20:500 from x.x.x.x:500
Jan 30 11:56:47 [IKEv1]IP = x.x.x.x, IKE_DECODE RECEIVED Message (msgid=51ad0d0f) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jan 30 11:56:47 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, processing hash payload
Jan 30 11:56:47 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, processing notify payload
Jan 30 11:56:47 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0x1a9daa03)
Jan 30 11:56:57 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, Sending keep-alive of type DPD R-U-THERE (seq number 0x1a9daa04)
Jan 30 11:56:57 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, constructing blank hash payload
Jan 30 11:56:57 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, constructing qm hash payload
Jan 30 11:56:57 [IKEv1]IP = x.x.x.x, IKE_DECODE SENDING Message (msgid=48891ba1) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jan 30 11:56:57 [IKEv1]IKE Receiver: Packet received on x.x.x.20:500 from x.x.x.x:500
Jan 30 11:56:57 [IKEv1]IP = x.x.x.x, IKE_DECODE RECEIVED Message (msgid=fb7447fd) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jan 30 11:56:57 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, processing hash payload
Jan 30 11:56:57 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, processing notify payload
Jan 30 11:56:57 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0x1a9daa04)
Jan 30 11:57:07 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, Sending keep-alive of type DPD R-U-THERE (seq number 0x1a9daa05)
Jan 30 11:57:07 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, constructing blank hash payload
Jan 30 11:57:07 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, constructing qm hash payload

sh crypto ipsec sa
interface: outside
Crypto map tag: outside-map, seq num: 3, local addr: x.x.x.20

access-list VI-to-Abuja extended permit ip 192.168.0.0 255.255.255.0 172.16.130.0 255.255.255.128
local ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.16.130.0/255.255.255.128/0/0)
current_peer: x.x.x.x


#pkts encaps: 1358, #pkts encrypt: 1358, #pkts digest: 1358
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 1358, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: x.x.x.20/0, remote crypto endpt.: x.x.x.x/0
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 6FB11CC3
current inbound spi : 9524EFFA

inbound esp sas:
spi: 0x9524EFFA (2502225914)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 5, IKEv1, }
slot: 0, conn_id: 11669504, crypto-map: outside-map
sa timing: remaining key lifetime (kB/sec): (4374000/762)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0x6FB11CC3 (1873878211)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 5, IKEv1, }
slot: 0, conn_id: 11669504, crypto-map: outside-map
sa timing: remaining key lifetime (kB/sec): (4373450/762)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001

Hi,

I can see that packets are going to the other site (encrypted) but there are no packets coming from the other site.

#pkts encaps: 1358, #pkts encrypt: 1358, #pkts digest: 1358
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

 

Please check the ACL on the other site, especially the NONAT and interesting-traffic ACL for the tunnel.

 

Regards,

Deepak Kumar
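The reply above reads the one-way counters (encaps climbing, decaps stuck at zero) as "our side encrypts, the other side never answers". The script below is an added example, not code from the thread or from Cisco: it parses `show crypto ipsec sa` text into one record per crypto map section, pulls the proxy identities and packet counters, and classifies each SA so the same triage can be run over a pasted capture rather than by eye. The sample output is a constructed excerpt shaped like the ASA output in the thread, reusing its identities and counters.

```python
"""Triage 'show crypto ipsec sa' output for one-way traffic (added example)."""
import re

# Constructed excerpt: the identities and counters are the ones quoted in the thread.
SAMPLE_IPSEC_SA = """\
interface: outside
Crypto map tag: outside-map, seq num: 3, local addr: x.x.x.20

access-list VI-to-Abuja extended permit ip 192.168.0.0 255.255.255.0 172.16.130.0 255.255.255.128
local ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.16.130.0/255.255.255.128/0/0)
current_peer: x.x.x.x

#pkts encaps: 1358, #pkts encrypt: 1358, #pkts digest: 1358
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#send errors: 0, #recv errors: 0
"""

IDENT_RE = re.compile(r"^\s*(local|remote) ident .*?:\s*\(([^/]+)/([^/]+)/")
COUNTER_RE = re.compile(r"#pkts (encaps|decaps|encrypt|decrypt|digest|verify): (\d+)")
ERROR_RE = re.compile(r"#(send|recv) errors: (\d+)")


def parse_ipsec_sa(text):
    """Split the output into one record per 'Crypto map tag:' section."""
    records = []
    current = None
    for line in text.splitlines():
        if line.lstrip().startswith("Crypto map tag:"):
            current = {"header": line.strip(), "counters": {}, "errors": {}}
            records.append(current)
            continue
        if current is None:
            continue  # text before the first SA section
        m = IDENT_RE.match(line)
        if m:
            current[m.group(1)] = f"{m.group(2)}/{m.group(3)}"
        for name, value in COUNTER_RE.findall(line):
            current["counters"][name] = int(value)
        for name, value in ERROR_RE.findall(line):
            current["errors"][name] = int(value)
    return records


def classify(record):
    """Verdict for one SA from its encaps (sent) and decaps (received) counters."""
    enc = record["counters"].get("encaps", 0)
    dec = record["counters"].get("decaps", 0)
    if enc == 0 and dec == 0:
        return "no-traffic"        # nothing matched the crypto ACL on either side
    if dec == 0:
        return "one-way-outbound"  # we encrypt, peer never answers: check peer crypto ACL / NAT exemption / routing
    if enc == 0:
        return "one-way-inbound"   # peer sends, we never reply: check our crypto ACL / NAT exemption / routing
    return "bidirectional"


def triage(text):
    """(local ident, remote ident, verdict) for every SA in the pasted output."""
    return [(r.get("local"), r.get("remote"), classify(r)) for r in parse_ipsec_sa(text)]


if __name__ == "__main__":
    for local, remote, verdict in triage(SAMPLE_IPSEC_SA):
        print(f"{local} <-> {remote}: {verdict}")
```

Run it against the thread's numbers and the single SA comes back as one-way-outbound, which is exactly the reading Deepak gives: the ASA is encrypting, so the fault lies on the router side (its crypto ACL, NAT exemption or return route), not in the ASA's own policy.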

I have adjusted the ACL and NONAT, but for some reason I noticed that they are no longer forming an IPsec SA. They were forming an SA before, even though traffic was passing through. The ISAKMP SA is showing "Active" though.

See the debug error from the 2900 router below;

debug crypto ipsec error
Crypto IPSEC Error debugging is on


*Feb 2 09:25:36.439: map_db_find_best did not find matching map
*Feb 2 09:25:36.439: IPSEC(ipsec_process_proposal): proxy identities not supported
*Feb 2 09:26:18.431: map_db_find_best did not find matching map
*Feb 2 09:26:18.431: IPSEC(ipsec_process_proposal): proxy identities not supported
*Feb 2 09:26:58.111: map_db_find_best did not find matching map
*Feb 2 09:26:58.111: IPSEC(ipsec_process_proposal): proxy identities not supported
*Feb 2 09:27:30.435: map_db_find_best did not find matching map
*Feb 2 09:27:30.435: IPSEC(ipsec_process_proposal): proxy identities not supported
*Feb 2 09:28:07.275: map_db_find_best did not find matching map
*Feb 2 09:28:07.275: IPSEC(ipsec_process_proposal): proxy identities not supported
*Feb 2 09:28:39.411: map_db_find_best did not find matching map
*Feb 2 09:28:39.411: IPSEC(ipsec_process_proposal): proxy identities not supported

Hi,

Proxy Identities Not Supported
This message appears in the debugs if the access list for IPsec traffic does not match.

1d00h: IPSec(validate_transform_proposal): proxy identities not supported
1d00h: ISAKMP: IPSec policy invalidated proposal
1d00h: ISAKMP (0:2): SA not acceptable!

 

https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/5409-ipsec-debug-00.html#proxy

 

Regards,

Deepak Kumar
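Three replies in this thread come down to the same check: the wildcard-mask reply (the /25 needs 0.0.0.127, not 0.0.0.7), the "proxy identities not supported" reply just above (the peers' crypto ACLs are not mirror images), and the accepted solution's NAT exemption (the deny lines of the NAT ACL must cover exactly the crypto ACL flows). The script below is an added example, not code from the thread or from Cisco: it converts between ASA netmasks and IOS wildcard masks, parses both ACL dialects into network pairs, reports ASA crypto entries with no src/dst-swapped twin on the router, and reports crypto flows the router's NAT ACL would still translate. The ACL text is a constructed excerpt using the subnets from the thread, including the wrong and corrected wildcards.

```python
"""Mirror-image and NAT-exemption checks for ASA/IOS crypto ACLs (added example)."""
import ipaddress

# Constructed excerpts using the thread's subnets.
ASA_CRYPTO_ACL = """
access-list VI-to-Abuja extended permit ip 172.16.120.0 255.255.248.0 172.16.130.0 255.255.255.128
access-list VI-to-Abuja extended permit ip 192.168.0.0 255.255.255.0 172.16.130.0 255.255.255.128
"""
IOS_CRYPTO_ACL_WRONG = """
ip access-list extended Abuja-to-VI
 permit ip 172.16.130.0 0.0.0.7 192.168.0.0 0.0.0.255
 permit ip 172.16.130.0 0.0.0.7 172.16.120.0 0.0.7.255
"""
IOS_CRYPTO_ACL_FIXED = """
ip access-list extended Abuja-to-VI
 permit ip 172.16.130.0 0.0.0.127 192.168.0.0 0.0.0.255
 permit ip 172.16.130.0 0.0.0.127 172.16.120.0 0.0.7.255
"""
IOS_NAT_ACL_WRONG = """
ip access-list extended NONAT-VPN-TRAFFIC
 deny ip 172.16.130.0 0.0.0.7 192.168.0.0 0.0.0.255
 deny ip 172.16.130.0 0.0.0.7 172.16.120.0 0.0.7.255
 permit ip any any
"""
IOS_NAT_ACL_FIXED = """
access-list 110 deny ip 172.16.130.0 0.0.0.127 192.168.0.0 0.0.0.255
access-list 110 deny ip 172.16.130.0 0.0.0.127 172.16.120.0 0.0.7.255
access-list 110 permit ip 172.16.130.0 0.0.0.127 any
"""


def wildcard_to_netmask(wildcard):
    """IOS wildcard (inverse) mask -> netmask, e.g. 0.0.0.127 -> 255.255.255.128."""
    return str(ipaddress.IPv4Address(~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF))


def netmask_to_wildcard(netmask):
    """Netmask -> IOS wildcard mask, e.g. 255.255.248.0 -> 0.0.7.255 (same bit flip)."""
    return str(ipaddress.IPv4Address(~int(ipaddress.IPv4Address(netmask)) & 0xFFFFFFFF))


def _spec(tokens, i, inverse):
    """Parse one address spec (any | host A | A MASK) at tokens[i]; return (network, next index)."""
    tok = tokens[i]
    if tok in ("any", "any4"):
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    mask = wildcard_to_netmask(tokens[i + 1]) if inverse else tokens[i + 1]
    return ipaddress.IPv4Network((tok, mask), strict=False), i + 2


def _entries(text, action_index, inverse):
    """(action, src_net, dst_net) for every 'ip' entry; other protocols and non-entry lines are skipped."""
    out = []
    for line in text.splitlines():
        tokens = line.split()
        i = action_index(tokens)
        if i is None or tokens[i + 1].lower() != "ip":
            continue
        src, j = _spec(tokens, i + 2, inverse)
        dst, _ = _spec(tokens, j, inverse)
        out.append((tokens[i].lower(), src, dst))
    return out


def parse_asa_acl(text):
    """ASA: 'access-list NAME extended permit ip SRC NETMASK DST NETMASK'."""
    def start(tokens):
        ok = len(tokens) >= 6 and tokens[0].lower() == "access-list" and tokens[2].lower() == "extended"
        return 3 if ok else None
    return _entries(text, start, inverse=False)


def parse_ios_acl(text):
    """IOS named ACL body ('permit ip ...') or numbered ACL ('access-list 110 deny ip ...'), wildcard masks."""
    def start(tokens):
        if len(tokens) >= 4 and tokens[0].lower() in ("permit", "deny"):
            return 0
        if len(tokens) >= 6 and tokens[0].lower() == "access-list" and tokens[2].lower() in ("permit", "deny"):
            return 2
        return None
    return _entries(text, start, inverse=True)


def unmirrored(asa_entries, ios_entries):
    """ASA permit flows with no exact src/dst-swapped permit on the router (proxy-ID mismatch)."""
    ios_pairs = {(s, d) for a, s, d in ios_entries if a == "permit"}
    return [(s, d) for a, s, d in asa_entries if a == "permit" and (d, s) not in ios_pairs]


def nat_exemption_gaps(crypto_entries, nat_acl_entries):
    """Crypto flows the NAT ACL would still translate: no deny line covers both src and dst."""
    gaps = []
    for a, s, d in crypto_entries:
        if a == "permit" and not any(na == "deny" and s.subnet_of(ns) and d.subnet_of(nd)
                                     for na, ns, nd in nat_acl_entries):
            gaps.append((s, d))
    return gaps


if __name__ == "__main__":
    asa = parse_asa_acl(ASA_CRYPTO_ACL)
    print("unmirrored (wrong wildcard):", unmirrored(asa, parse_ios_acl(IOS_CRYPTO_ACL_WRONG)))
    print("unmirrored (fixed):", unmirrored(asa, parse_ios_acl(IOS_CRYPTO_ACL_FIXED)))
    print("NAT gaps (wrong):", nat_exemption_gaps(parse_ios_acl(IOS_CRYPTO_ACL_FIXED), parse_ios_acl(IOS_NAT_ACL_WRONG)))
    print("NAT gaps (fixed):", nat_exemption_gaps(parse_ios_acl(IOS_CRYPTO_ACL_FIXED), parse_ios_acl(IOS_NAT_ACL_FIXED)))
```

With the 0.0.0.7 wildcard the router side reads as 172.16.130.0/29, so both ASA entries come back unmirrored and the ASA's quick-mode proposal for 172.16.130.0/25 is rejected, which is what "No proposal chosen" and "proxy identities not supported" mean here; with 0.0.0.127 the lists are exact mirrors. The NAT check is deliberately strict (the deny must fully contain the crypto flow), because a partial exemption translates part of the interesting traffic and it then never matches the crypto ACL at all.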