
Hi guys, kindly help in configuring a site-to-site VPN between Cisco ASA5510 and router 1840

meet_mkhan
Level 1

I am getting these errors:

*Mar 21 22:43:08.871: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 192.168.11.2

*Mar 21 22:44:18.379: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 192.168.11.2

Kindly check below the config of ROUTER and ASA.

CISCO ASA CONFIG:

interface Ethernet0/0

nameif outside

NO SH

security-level 0

ip address 192.168.11.2 255.255.255.0

interface Ethernet0/1

ip add 192.168.14.1

nameif  inside

NO SH

access-list orig extended permit ip 192.168.14.0 255.255.255.0 192.168.17.0 255.255.255.0

access-list  nat0 extended permit ip 192.168.14.0 255.255.255.0 192.168.17.0 255.255.255.0

  access-list 100 extended permit ip any any

access-group 100 in interface outside

global (outside) 1 interface

nat (inside) 1 0 0

nat (inside) 0 access-list nat0

route outside 0.0.0.0 0.0.0.0 192.168.10.11

phase 2:

crypto ipsec transform-set  transac  esp-des esp-sha-hmac

crypto map outside_map 1 match address orig

crypto map outside_map 1 set peer 192.168.11.1

crypto map outside_map 1 set transform-set transac

crypto map outside_map 1 set security-association lifetime seconds 3600

crypto map outside_map interface outside

phase 1:

crypto isakmp identity address

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 28800

tunnel-group 192.168.11.1 type ipsec-l2l

tunnel-group 192.168.11.1 ipsec-attributes

pre-shared-key Cock<Tial>PRtee

===============cisco router=============================

interface FastEthernet0/0

ip address 192.168.11.1 255.255.255.0

  no sh

interface FastEthernet0/1

ip address 192.168.17.1 255.255.255.0

  no sh

access-list 101 permit ip 192.168.17.0 0.0.0.255 192.168.14.0 0.0.0.255

ip route 0.0.0.0 0.0.0.0 192.168.11.2

Phase 1:

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 28800

        crypto isakmp key Cock<Tial>PRtee address 192.168.11.2

Phase 2:

crypto ipsec transform-set transac esp-des esp-sha-hmac

crypto map cryptmap 1 ipsec-isakmp

        set security-association lifetime seconds 3600

set peer 192.168.11.2

        match address 101

interface FastEthernet0/0

crypto map cryptmap

Router(config-crypto-map)#set security-association lifetime sec

Router(config-crypto-map)#set security-association lifetime seconds 3600

Router(config-crypto-map)#

*Mar 21 21:29:25.591: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 192.168.11.2

*Mar 21 21:30:30.579: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 192.168.11.2

*Mar 21 21:31:35.587: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 192.168.11.2

*Mar 21 21:32:41.059: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 192.168.11.2

*Mar 21 21:33:51.067: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 192.168.11.2

*Mar 21 21:34:57.027: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 192.168.11.2

*Mar 21 21:36:07.495: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode fail

=========================================

*Mar 21 22:43:03.423: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

*Mar 21 22:43:03.823: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.

        (ip) vrf/dest_addr= /192.168.17.4, src_addr= 192.168.14.4, prot= 1

*Mar 21 22:43:08.871: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 192.168.11.2

*Mar 21 22:44:18.379: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 192.168.11.2

Router#   sh crypto isakmp sa

dst             src             state          conn-id slot status

192.168.11.1    192.168.11.2    QM_IDLE              9    0 ACTIVE

192.168.11.1    192.168.11.2    MM_NO_STATE          8    0 ACTIVE (deleted)

192.168.11.1    192.168.11.2    MM_NO_STATE          7    0 ACTIVE (deleted)

Router#sh crypto ipsec sa

interface: FastEthernet0/0

    Crypto map tag: cryptmap, local addr 192.168.11.1

   protected vrf: (none)

   local  ident (addr/mask/prot/port): (192.168.17.0/255.255.255.0/0/0)

   remote ident (addr/mask/prot/port): (192.168.14.0/255.255.255.0/0/0)

   current_peer 192.168.11.2 port 500

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 59, #recv errors 0

     local crypto endpt.: 192.168.11.1, remote crypto endpt.: 192.168.11.2

     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0

     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

ciscoasa# sh crypto isakmp sa

   Active SA: 1

    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)

Total IKE SA: 1

1   IKE Peer: 192.168.11.1

    Type    : L2L             Role    : initiator

    Rekey   : no              State   : MM_ACTIVE

ciscoasa# sh crypto ipsec sa

ciscoasa#

ciscoasa# debug crypto isakmp

ciscoasa#

ciscoasa#

ciscoasa#

ciscoasa# conf t

ciscoasa(config)# int e0/0

ciscoasa(config-if)#

ciscoasa(config-if)# sh

ciscoasa(config-if)# Jan 01 02:32:21 [IKEv1]: Group = 192.168.11.1, IP = 192.168.11.1, construct_ipsec_delete(): No SPI to identify Phase 2 SA!

Jan 01 02:32:21 [IKEv1]: Group = 192.168.11.1, IP = 192.168.11.1, Removing peer from correlator table failed, no match!
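
An added example, not part of the original post: a Phase 2 consistency check for two site-to-site peers, since Quick Mode negotiates the transform-set and the proxy identities taken from each side's crypto ACL. The function names `parse` and `check` are hypothetical, and the sample input is constructed from the Phase 2 lines of the two configs as posted (pre-shared key left out).

```python
import ipaddress

# Constructed sample: the Phase 2 lines of the two configs as posted above
# (pre-shared key left out).
ASA = """\
access-list orig extended permit ip 192.168.14.0 255.255.255.0 192.168.17.0 255.255.255.0
crypto ipsec transform-set transac esp-des esp-sha-hmac
crypto map outside_map 1 match address orig
crypto map outside_map 1 set peer 192.168.11.1
crypto map outside_map 1 set transform-set transac
"""
IOS = """\
access-list 101 permit ip 192.168.17.0 0.0.0.255 192.168.14.0 0.0.0.255
crypto ipsec transform-set transac esp-des esp-sha-hmac
crypto map cryptmap 1 ipsec-isakmp
 set peer 192.168.11.2
 match address 101
"""

def parse(cfg):
    """Collect crypto ACLs, transform-sets and the crypto map's references."""
    out = {"acl": {}, "ts": {}, "map": {}}
    for w in (line.split() for line in cfg.splitlines()):
        if w[:2] == ["crypto", "map"]:
            w = w[4:]  # ASA one-line form: drop "crypto map NAME SEQ"
        if w[:1] == ["access-list"]:
            # ipaddress reads both netmask (ASA) and wildcard (IOS) notation
            nets = [ipaddress.ip_network(f"{w[i]}/{w[i + 1]}") for i in (-4, -2)]
            out["acl"][w[1]] = tuple(nets)
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            out["ts"][w[3]] = frozenset(w[4:])
        elif w[:2] in (["set", "peer"], ["set", "transform-set"], ["match", "address"]):
            out["map"][w[1]] = w[2]
    return out

def check(sides):
    """sides: {label: parsed config} for the two peers; returns mismatches."""
    problems, acls, sets = [], [], []
    for label, cfg in sides.items():
        for key in ("peer", "transform-set", "address"):
            if key not in cfg["map"]:
                problems.append(f"{label}: crypto map entry has no {key}")
        acls.append(cfg["acl"].get(cfg["map"].get("address")))
        sets.append(cfg["ts"].get(cfg["map"].get("transform-set")))
    if all(acls) and acls[0] != acls[1][::-1]:
        problems.append("crypto ACLs are not mirror images")
    if all(sets) and sets[0] != sets[1]:
        problems.append("transform-sets differ")
    return problems

if __name__ == "__main__":
    print(check({"ASA": parse(ASA), "router": parse(IOS)}))
```

The check only sees the lines it is given, so a setting that exists on the device but was left out of the pasted config is reported as missing.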

1 Reply

Collin Clark
VIP Alumni