01-30-2018 05:38 AM - edited 03-12-2019 04:58 AM
Hey Techies,
I am trying to set up an L2L VPN between a Cisco IOS router and an ASA firewall. I can't seem to figure out what's wrong. Here's the config below:
Here is the error message:
Removing peer from correlator table failed, no match!
QM FSM error (P2 struct &0x00007fff2b819090, mess id 0xfda7a478)!
And the config on both routers:
ASA CONFIG
object-group network BWL-VI-TO-ABUJA
network-object object BWL-VI2
network-object object BWL-VI3
PHASE 1
crypto ikev1 policy 20
authentication pre-share
encryption aes 256
hash sha
group 2
lifetime 86400
crypto isakmp enable outside
tunnel-group 81.x.x.x type ipsec-l2l
tunnel-group 81.x.x.x ipsec-attributes
pre-shared-key xxxx
object network Abuja
subnet 172.16.130.0 255.255.255.128
PHASE 2
Access-list VI-to-Abuja extended permit ip 172.16.120.0 255.255.248.0 172.16.130.0 255.255.255.128
Access-list VI-to-Abuja extended permit ip 192.168.0.0 255.255.255.0 172.16.130.0 255.255.255.128
crypto ipsec transform-set VI-TO-ABUJA esp-aes esp-sha-hmac
crypto map outside-map 3 set peer 81.x.x.x
crypto map outside-map 3 match address VI-to-Abuja
crypto map outside-map 3 set transform-set VI-TO-ABUJA
crypto map outside-map interface outside
nat (INSIDE,outside) source static BWL-VI-TO-ABUJA BWL-VI-TO-ABUJA destination static ABUJA ABUJA description NONAT-VI-ABUJA-L2LVPN
IOS
PHASE 1
ip route 0.0.0.0 0.0.0.0 91.x.x.2 (gateway)
crypto isakmp policy xx
encr 3des
hash sha
authentication pre-share
group 2
crypto isakmp key xxx address 41.x.x.x
PHASE 2
ip access-list extended Abuja-to-VI
permit ip 172.16.130.0 0.0.0.7 192.168.0.0 0.0.0.255
permit ip 172.16.130.0 0.0.0.7 172.16.120.0 0.0.7.255
crypto ipsec transform-set LAGOSSET esp-aes esp-sha-hmac
mode tunnel
crypto map ABJ2ILPJ 30 ipsec-isakmp
set peer 41.x.x.x
set transform-set LAGOSSET
match address Abuja-to-VI
int vlan1
crypto map ABJ2ILPJ
ip nat outside
ROUTES AND NONATS
ip route 172.16.120.0 255.255.248.0 91.x.x.2
ip access-list extended NONAT-VPN-TRAFFIC
deny ip 172.16.130.0 0.0.0.7 192.168.0.0 0.0.0.255
deny ip 172.16.130.0 0.0.0.7 172.16.120.0 0.0.7.255
permit ip any any
ip nat inside source list NONAT-VPN-TRAFFIC interface vlan1 overload
PLEASE HELP
sh crypto isakmp sa
IKEv1 SAs:
Active SA: 2
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2
1 IKE Peer: x.x.x.x
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
2 IKE Peer: x.x.x.x
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
01-31-2018 09:20 PM
Hi,
I can see three different names for the crypto map on the router. Please keep the same name for all crypto map entries. You have changed only the crypto map number.
Regards,
Deepak Kumar
02-07-2018 12:20 AM
Hello Guys,
So I somewhat sorted it out someway;
1. There is already an existing crypto map on the router before the one I configured. The new one I did had a misspelled crypto map name. It is ABJ2ILPJ not ABJ2IPJ. So I corrected that.
2. Secondly, since the traffic is not to be NAT'ed, as it is a LAN-TO-LAN VPN, I did a route map.
access-list 110 deny ip 172.16.130.0 0.0.0.127 192.168.0.0 0.0.0.255
access-list 110 deny ip 172.16.130.0 0.0.0.127 172.16.120.0 0.0.7.255
access-list 110 permit ip 172.16.130.0 0.0.0.127 any
ip nat inside source list 110 interface Vlan1 overload
route-map nonat permit 10
match ip address 110
The tunnel came up but I encountered another challenge. I may put that up in another post.
Thank you Deepak and everyone who assisted in some way. Deeply appreciate.
This forum is helpful.
01-30-2018 06:11 AM
FROM ASA
Jan 30 07:02:36 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, IKE got SPI from key engine: SPI = 0x0e33f258
Jan 30 07:02:36 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, oakley constucting quick mode
Jan 30 07:02:36 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, constructing blank hash payload
Jan 30 07:02:36 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, constructing IPSec SA payload
Jan 30 07:02:36 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, constructing IPSec nonce payload
Jan 30 07:02:36 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, constructing proxy ID
Jan 30 07:02:36 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, Transmitting Proxy Id:
Local subnet: 192.168.0.0 mask 255.255.255.0 Protocol 0 Port 0
Remote subnet: 172.16.130.0 Mask 255.255.255.128 Protocol 0 Port 0
Jan 30 07:02:36 [IKEv1 DECODE]Group = x.x.x.x, IP = x.x.x.x, IKE Initiator sending Initial Contact
Jan 30 07:02:36 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, constructing qm hash payload
Jan 30 07:02:36 [IKEv1 DECODE]Group = x.x.x.x, IP = x.x.x.x, IKE Initiator sending 1st QM pkt: msg id = d874a38d
Jan 30 07:02:36 [IKEv1]IP = x.x.x.x, IKE_DECODE SENDING Message (msgid=d874a38d) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 200
Jan 30 07:02:37 [IKEv1]IKE Receiver: Packet received on x.x.x.x:500 from x.x.x.x:500
Jan 30 07:02:37 [IKEv1]IP = x.x.x.x, IKE_DECODE RECEIVED Message (msgid=f2300b63) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80
Jan 30 07:02:37 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, processing hash payload
Jan 30 07:02:37 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, processing notify payload
Jan 30 07:02:37 [IKEv1]Group = x.x.x.x, IP = x.x.x.x, Received non-routine Notify message: No proposal chosen (14)
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=17, saddr=192.168.0.114, sport=59874, daddr=172.16.130.55, dport=41216.
IPSEC(crypto_map_check)-3: Checking crypto map outside-map 3: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=17, saddr=192.168.0.120, sport=50195, daddr=172.16.130.15, dport=50195.
IPSEC(crypto_map_check)-3: Checking crypto map outside-map 3: matched.
IPSEC WARNING: Failed to get last received info for SessionID: 0x00AEE000
Jan 30 07:02:47 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, Sending keep-alive of type DPD R-U-THERE (seq number 0x5e4f0a54)
Jan 30 07:02:47 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, constructing blank hash payload
Jan 30 07:02:47 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, constructing qm hash payload
Jan 30 07:02:47 [IKEv1]IP = x.x.x.x, IKE_DECODE SENDING Message (msgid=a25b99d2) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jan 30 07:02:47 [IKEv1]IKE Receiver: Packet received on x.x.x.x:500 from x.x.x.x:500
Jan 30 07:02:47 [IKEv1]IP = x.x.x.x, IKE_DECODE RECEIVED Message (msgid=eb903807) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jan 30 07:02:47 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, processing hash payload
Jan 30 07:02:47 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, processing notify payload
Jan 30 07:02:47 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0x5e4f0a54)
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=17, saddr=192.168.0.120, sport=50195, daddr=172.16.130.15, dport=50195
IPSEC(crypto_map_check)-3: Checking crypto map outside-map 3: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=17, saddr=192.168.0.120, sport=50195, daddr=172.16.130.15, dport=50195
IPSEC(crypto_map_check)-3: Checking crypto map outside-map 3: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=17, saddr=192.168.0.114, sport=59874, daddr=172.16.130.55, dport=41216
IPSEC(crypto_map_check)-3: Checking crypto map outside-map 3: matched.
IPSEC WARNING: Failed to get last received info for SessionID: 0x00AEE000
Jan 30 07:02:57 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, Sending keep-alive of type DPD R-U-THERE (seq number 0x5e4f0a55)
Jan 30 07:02:57 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, constructing blank hash payload
Jan 30 07:02:57 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, constructing qm hash payload
Jan 30 07:02:57 [IKEv1]IP = x.x.x.x, IKE_DECODE SENDING Message (msgid=aeed7b4b) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jan 30 07:02:57 [IKEv1]IKE Receiver: Packet received on x.x.x.x:500 from x.x.x.x:500
Jan 30 07:02:57 [IKEv1]IP = x.x.x.x, IKE_DECODE RECEIVED Message (msgid=226b1659) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jan 30 07:02:57 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, processing hash payload
Jan 30 07:02:57 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, processing notify payload
Jan 30 07:02:57 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0x5e4f0a55)
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=17, saddr=192.168.0.120, sport=50195, daddr=172.16.130.15, dport=50195
IPSEC(crypto_map_check)-3: Checking crypto map outside-map 3: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=17, saddr=192.168.0.114, sport=59874, daddr=172.16.130.55, dport=41216
IPSEC(crypto_map_check)-3: Checking crypto map outside-map 3: matched.
01-30-2018 06:19 AM - edited 01-30-2018 06:48 AM
Hi,
Please check the Crypto MAP and ACL configuration.
IPSEC WARNING: Failed to get last received info for SessionID: 0x00AEE000
Group = x.x.x.x, IP = x.x.x.x, Received non-routine Notify message: No proposal chosen (14)
Kindly check both sites debugging and Crypto MAP settings.
Regards,
Deepak Kumar
01-31-2018 08:54 AM
So I removed the former config and reconfigured it. Please see the config below:
ASA 5515x Version 9.2
crypto isakmp policy 20
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ipsec ikev1 transform-set ABUJASET esp-aes esp-sha-hmac
access-list VI-Abuja extended permit ip 192.168.0.0 255.255.255.0 172.16.130.0 255.255.255.128
access-list VI-Abuja extended permit ip 172.16.120.0 255.255.248.0 172.16.130.0 255.255.255.128
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
pre-shared-key *******
crypto map outside-map 3 match address VI-Abuja
crypto map outside-map 3 set peer x.x.x.x
crypto map outside-map 3 set pfs group5
crypto map outside-map 3 set transform-set ABUJASET
crypto map outside-map 3 set reverse-route
crypto map outside-map interface outside
crypto isakmp enable outside
nat (INSIDE,outside) source static BWL-VI BWL-VI destination static ABUJA ABUJA description NONAT-VI-ABUJA-L2LVPN
Cisco IOS router (2900 series, Version 15.2)
crypto isakmp policy 30
encryption aes
hash sha
authentication pre-share
group 2
crypto isakmp key ******** address X.X.X.X
ip access-list extended Abuja-VI
permit ip 172.16.130.0 0.0.0.127 192.168.0.0 0.0.0.255
permit ip 172.16.130.0 0.0.0.127 172.16.120.0 0.0.7.255
crypto ipsec transform-set LAGOSSET esp-aes esp-sha-hmac
mode tunnel
crypto map ABJ2IPJ 3 ipsec-isakmp
set peer X.X.X.X
set transform-set LAGOSSET
match address Abuja-VI
set pfs group5
SEE SHOW COMMAND OUTPUT BELOW
sh crypto isakmp sa
IKEv1 SAs:
Active SA: 2
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2
1 IKE Peer: x.x.x.x
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
2 IKE Peer: x.x.x.x
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
1. Please find attached the complete configuration on both ASA and router 2900.
2. I configured a route map with an overload on the outside interface (vlan1) so that LAN traffic on the 2900 is not NAT'ed, but it stops the other VPN from working, so I removed it from the configuration.
FROM ASA
sh crypto isakmp sa
IKEv1 SAs:
Active SA: 2
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2
1 IKE Peer: x.x.x.x
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
2 IKE Peer: x.x.x.x
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
KINDLY ASSIST!!!
02-01-2018 05:27 AM
Hello Deepak,
Thanks for your response.
The crypto map name is not the problem. They are consistent throughout the configuration.
The tunnel is formed and link status is active. But traffic is not passing through the tunnel from either of the locations. That's the issue currently.
02-01-2018 10:23 AM
@Jesutofunmi O wrote:
Hello Deepak,
Thanks for your response.
The crypto map name is not the problem. They are consistent throughout the configuration.
The tunnel is formed and link status is active. But traffic is not passing through the tunnel from either of the locations. That's the issue currently.
Hi,
Please check my last comment:
"
Hi,
I can see that packets are going to the other site (encrypted) but there are no packets coming from the other site.
#pkts encaps: 1358, #pkts encrypt: 1358, #pkts digest: 1358
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
Please check the ACL on the other site, especially the NONAT and interesting-traffic ACL for the tunnel.
Regards,
Deepak Kumar"
01-30-2018 06:59 AM
Yes, please check your ACL configuration on both locations:
ASA)
Access-list VI-to-Abuja extended permit ip 172.16.120.0 255.255.248.0 172.16.130.0 255.255.255.128
Access-list VI-to-Abuja extended permit ip 192.168.0.0 255.255.255.0 172.16.130.0 255.255.255.128
Router)
permit ip 172.16.130.0 0.0.0.127 192.168.0.0 0.0.0.255
permit ip 172.16.130.0 0.0.0.127 172.16.120.0 0.0.7.255
Regards,
Deepak Kumar
01-30-2018 11:09 AM
Thanks guys. I really don't know where I got that 'funny' wildcard from. It's been corrected. I have set proposals too.
Please see the results from the ASA below:
BW-VI-ASA-NGFW(config)# debug crypto ipsec 127
BW-VI-ASA-NGFW(config)# Jan 30 11:56:37 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, Sending keep-alive of type DPD R-U-THERE (seq number 0x1a9daa02)
Jan 30 11:56:37 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, constructing blank hash payload
Jan 30 11:56:37 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, constructing qm hash payload
Jan 30 11:56:37 [IKEv1]IP = x.x.x.x, IKE_DECODE SENDING Message (msgid=fd087905) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jan 30 11:56:37 [IKEv1]IKE Receiver: Packet received on x.x.x.20:500 from x.x.x.x:500
Jan 30 11:56:37 [IKEv1]IP = x.x.x.x, IKE_DECODE RECEIVED Message (msgid=2e0c1c9a) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jan 30 11:56:37 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, processing hash payload
Jan 30 11:56:37 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, processing notify payload
Jan 30 11:56:37 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0x1a9daa02)
Jan 30 11:56:47 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, Sending keep-alive of type DPD R-U-THERE (seq number 0x1a9daa03)
Jan 30 11:56:47 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, constructing blank hash payload
Jan 30 11:56:47 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, constructing qm hash payload
Jan 30 11:56:47 [IKEv1]IP = x.x.x.x, IKE_DECODE SENDING Message (msgid=31fc37ab) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jan 30 11:56:47 [IKEv1]IKE Receiver: Packet received on x.x.x.20:500 from x.x.x.x:500
Jan 30 11:56:47 [IKEv1]IP = x.x.x.x, IKE_DECODE RECEIVED Message (msgid=51ad0d0f) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jan 30 11:56:47 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, processing hash payload
Jan 30 11:56:47 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, processing notify payload
Jan 30 11:56:47 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0x1a9daa03)
Jan 30 11:56:57 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, Sending keep-alive of type DPD R-U-THERE (seq number 0x1a9daa04)
Jan 30 11:56:57 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, constructing blank hash payload
Jan 30 11:56:57 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, constructing qm hash payload
Jan 30 11:56:57 [IKEv1]IP = x.x.x.x, IKE_DECODE SENDING Message (msgid=48891ba1) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jan 30 11:56:57 [IKEv1]IKE Receiver: Packet received on x.x.x.20:500 from x.x.x.x:500
Jan 30 11:56:57 [IKEv1]IP = x.x.x.x, IKE_DECODE RECEIVED Message (msgid=fb7447fd) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jan 30 11:56:57 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, processing hash payload
Jan 30 11:56:57 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, processing notify payload
Jan 30 11:56:57 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0x1a9daa04)
Jan 30 11:57:07 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, Sending keep-alive of type DPD R-U-THERE (seq number 0x1a9daa05)
Jan 30 11:57:07 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, constructing blank hash payload
Jan 30 11:57:07 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, constructing qm hash payload
01-30-2018 11:18 AM
sh crypto ipsec sa
interface: outside
Crypto map tag: outside-map, seq num: 3, local addr: x.x.x.20
access-list VI-to-Abuja extended permit ip 192.168.0.0 255.255.255.0 172.16.130.0 255.255.255.128
local ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.16.130.0/255.255.255.128/0/0)
current_peer: x.x.x.x
#pkts encaps: 1358, #pkts encrypt: 1358, #pkts digest: 1358
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 1358, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: x.x.x.20/0, remote crypto endpt.: x.x.x.x/0
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 6FB11CC3
current inbound spi : 9524EFFA
inbound esp sas:
spi: 0x9524EFFA (2502225914)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 5, IKEv1, }
slot: 0, conn_id: 11669504, crypto-map: outside-map
sa timing: remaining key lifetime (kB/sec): (4374000/762)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0x6FB11CC3 (1873878211)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 5, IKEv1, }
slot: 0, conn_id: 11669504, crypto-map: outside-map
sa timing: remaining key lifetime (kB/sec): (4373450/762)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
01-30-2018 11:25 AM
Hi,
I can see that packets are going to the other site (encrypted) but there are no packets coming from the other site.
#pkts encaps: 1358, #pkts encrypt: 1358, #pkts digest: 1358
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
Please check the ACL on the other site, especially the NONAT and interesting-traffic ACL for the tunnel.
Regards,
Deepak Kumar
02-02-2018 01:47 AM - edited 02-02-2018 01:48 AM
I have adjusted the ACL and NONAT, but for some reason I noticed that they are no longer forming an IPsec SA. They were forming an SA before even though traffic was passing through. The ISAKMP SA is showing "Active" though.
See the debug error from the 2900 router below:
debug crypto ipsec error
Crypto IPSEC Error debugging is on
*Feb 2 09:25:36.439: map_db_find_best did not find matching map
*Feb 2 09:25:36.439: IPSEC(ipsec_process_proposal): proxy identities not supported
*Feb 2 09:26:18.431: map_db_find_best did not find matching map
*Feb 2 09:26:18.431: IPSEC(ipsec_process_proposal): proxy identities not supported
*Feb 2 09:26:58.111: map_db_find_best did not find matching map
*Feb 2 09:26:58.111: IPSEC(ipsec_process_proposal): proxy identities not supported
*Feb 2 09:27:30.435: map_db_find_best did not find matching map
*Feb 2 09:27:30.435: IPSEC(ipsec_process_proposal): proxy identities not supported
*Feb 2 09:28:07.275: map_db_find_best did not find matching map
*Feb 2 09:28:07.275: IPSEC(ipsec_process_proposal): proxy identities not supported
*Feb 2 09:28:39.411: map_db_find_best did not find matching map
*Feb 2 09:28:39.411: IPSEC(ipsec_process_proposal): proxy identities not supported
02-02-2018 05:01 AM
Hi,
Proxy Identities Not Supported
This message appears in debugs if the access list for IPsec traffic does not match.
1d00h: IPSec(validate_transform_proposal): proxy identities not supported
1d00h: ISAKMP: IPSec policy invalidated proposal
1d00h: ISAKMP (0:2): SA not acceptable!
Regards,
Deepak Kumar
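The "proxy identities not supported" and "No proposal chosen" messages in this thread both come down to the two crypto ACLs not mirroring each other (the ASA's 255.255.255.128 is a /25, while the router's first wildcard 0.0.0.7 is a /29). The following Python check is an added example, not code from the thread or from Cisco: it converts IOS wildcard masks to prefixes, reports every ACE that has no mirror on the other side, and tests whether the proxy ID the ASA transmitted in quick mode (taken from the debug output above) would match the router's crypto ACL. The ACL and debug lines are constructed from the thread's posts.

```python
import ipaddress
import re

# Constructed sample input copied from the thread. ASA ACEs carry subnet masks,
# IOS ACEs carry wildcard masks; IOS_ACL_WRONG is the first router config
# (0.0.0.7 = /29), IOS_ACL_FIXED the corrected one (0.0.0.127 = /25).
ASA_ACL = """
access-list VI-to-Abuja extended permit ip 172.16.120.0 255.255.248.0 172.16.130.0 255.255.255.128
access-list VI-to-Abuja extended permit ip 192.168.0.0 255.255.255.0 172.16.130.0 255.255.255.128
"""
IOS_ACL_WRONG = """
permit ip 172.16.130.0 0.0.0.7 192.168.0.0 0.0.0.255
permit ip 172.16.130.0 0.0.0.7 172.16.120.0 0.0.7.255
"""
IOS_ACL_FIXED = """
permit ip 172.16.130.0 0.0.0.127 192.168.0.0 0.0.0.255
permit ip 172.16.130.0 0.0.0.127 172.16.120.0 0.0.7.255
"""
# Proxy ID the ASA transmitted in quick mode, from the thread's IKEv1 DEBUG output.
ASA_DEBUG = """
Local subnet: 192.168.0.0 mask 255.255.255.0 Protocol 0 Port 0
Remote subnet: 172.16.130.0 Mask 255.255.255.128 Protocol 0 Port 0
"""
ACE_RE = re.compile(r"permit ip (\S+) (\S+) (\S+) (\S+)", re.I)
PROXY_RE = re.compile(r"(Local|Remote) subnet: (\S+) mask (\S+)", re.I)

def wildcard_to_netmask(wild):
    # an IOS wildcard is the bitwise inverse of a subnet mask
    return str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(wild)) ^ 0xFFFFFFFF))

def parse_acl(text, wildcard):
    """Return {(src_net, dst_net)} for each 'permit ip A MASK B MASK' ACE
    (the only form used in the thread; 'host' and 'any' are not handled)."""
    pairs = set()
    for m in (ACE_RE.search(line) for line in text.splitlines()):
        if not m:
            continue
        src, smask, dst, dmask = m.groups()
        if wildcard:
            smask, dmask = wildcard_to_netmask(smask), wildcard_to_netmask(dmask)
        # strict=True rejects an ACE whose address has host bits set under its mask
        pairs.add((ipaddress.ip_network(f"{src}/{smask}", strict=True),
                   ipaddress.ip_network(f"{dst}/{dmask}", strict=True)))
    return pairs

def mirror_mismatches(asa_text, ios_text):
    """Each ASA (src, dst) must appear on the router as (dst, src); otherwise the
    peers disagree on proxy IDs ('No proposal chosen', 'proxy identities not
    supported'). Returns (unmirrored ASA ACEs, unmirrored router ACEs)."""
    asa = parse_acl(asa_text, wildcard=False)
    ios_mirrored = {(d, s) for (s, d) in parse_acl(ios_text, wildcard=True)}
    return sorted(asa - ios_mirrored, key=str), sorted(ios_mirrored - asa, key=str)

def proxy_id_accepted(debug_text, ios_text):
    """Would the router's crypto ACL match the proxy ID the ASA sent in QM1?"""
    ids = {m.group(1).lower(): ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}")
           for m in PROXY_RE.finditer(debug_text)}
    # the ASA's local/remote pair is the router's dst/src pair
    return (ids["remote"], ids["local"]) in parse_acl(ios_text, wildcard=True)

if __name__ == "__main__":
    for label, ios in (("wrong", IOS_ACL_WRONG), ("fixed", IOS_ACL_FIXED)):
        print(label, mirror_mismatches(ASA_ACL, ios), proxy_id_accepted(ASA_DEBUG, ios))
```

With the first router ACL both ASA ACEs come back unmirrored and the transmitted proxy ID is rejected; with the corrected wildcard both lists are empty and the proxy ID matches.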