Beginner

Site-to-Site VPN not showing up

Hi!

I am trying to bring up a Site-to-Site VPN tunnel between an ASA5505 and a vShield Edge Gateway. It seems that Phase 1 gets up, but not Phase 2.

The logs say

"Failure during phase 1 rekeying attempt due to collision"

"Received encrypted packet with no matching sa, dropping" 

 

show crypto isakmp 

Active SA: 1
    Rekey SA: 1 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1   IKE Peer: X.X.X.X
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_REKEY_DONE_H2
2   IKE Peer: X.X.X.X
    Type    : L2L             Role    : responder
    Rekey   : yes             State   : MM_ACTIVE_REKEY

 

show crypto ipsec sa

There are no ipsec sas

 

Anyone have any suggestions on how to solve this issue? 

4 REPLIES
Hall of Fame Guru

Activate "debug crypto isakmp 7"  and "debug crypto ipsec 7" 

Introduce traffic that should go between the LANs via the VPN.

Share the output.

Beginner

Tuned the debugging up to 200 on both isakmp and ipsec and got the following output; the public IP of the remote site is replaced with 1.1.1.1:

Jun 13 07:54:19 [IKEv1]: IP = 1.1.1.1, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 220
Jun 13 07:54:19 [IKEv1 DEBUG]: IP = 1.1.1.1, processing SA payload
Jun 13 07:54:19 [IKEv1 DEBUG]: IP = 1.1.1.1, Oakley proposal is acceptable
Jun 13 07:54:19 [IKEv1 DEBUG]: IP = 1.1.1.1, processing VID payload
Jun 13 07:54:19 [IKEv1 DEBUG]: IP = 1.1.1.1, processing VID payload
Jun 13 07:54:19 [IKEv1 DEBUG]: IP = 1.1.1.1, Received DPD VID
Jun 13 07:54:19 [IKEv1 DEBUG]: IP = 1.1.1.1, processing VID payload
Jun 13 07:54:19 [IKEv1 DEBUG]: IP = 1.1.1.1, Received NAT-Traversal RFC VID
Jun 13 07:54:19 [IKEv1 DEBUG]: IP = 1.1.1.1, processing VID payload
Jun 13 07:54:19 [IKEv1 DEBUG]: IP = 1.1.1.1, Received NAT-Traversal ver 03 VID
Jun 13 07:54:19 [IKEv1 DEBUG]: IP = 1.1.1.1, processing VID payload
Jun 13 07:54:19 [IKEv1 DEBUG]: IP = 1.1.1.1, Received NAT-Traversal ver 02 VID
Jun 13 07:54:19 [IKEv1 DEBUG]: IP = 1.1.1.1, processing VID payload
Jun 13 07:54:19 [IKEv1 DEBUG]: IP = 1.1.1.1, processing VID payload
Jun 13 07:54:19 [IKEv1 DEBUG]: IP = 1.1.1.1, processing IKE SA payload
Jun 13 07:54:19 [IKEv1 DEBUG]: IP = 1.1.1.1, IKE SA Proposal # 1, Transform # 0 acceptable  Matches global IKE entry # 15
Jun 13 07:54:19 [IKEv1 DEBUG]: IP = 1.1.1.1, constructing ISAKMP SA payload
Jun 13 07:54:19 [IKEv1 DEBUG]: IP = 1.1.1.1, constructing NAT-Traversal VID ver 02 payload
Jun 13 07:54:19 [IKEv1 DEBUG]: IP = 1.1.1.1, constructing Fragmentation VID + extended capabilities payload
Jun 13 07:54:19 [IKEv1]: IP = 1.1.1.1, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 128
Jun 13 07:54:19 [IKEv1]: IP = 1.1.1.1, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 228
Jun 13 07:54:19 [IKEv1 DEBUG]: IP = 1.1.1.1, processing ke payload
Jun 13 07:54:19 [IKEv1 DEBUG]: IP = 1.1.1.1, processing ISA_KE payload
Jun 13 07:54:19 [IKEv1 DEBUG]: IP = 1.1.1.1, processing nonce payload
Jun 13 07:54:19 [IKEv1 DEBUG]: IP = 1.1.1.1, processing NAT-Discovery payload
Jun 13 07:54:19 [IKEv1 DEBUG]: IP = 1.1.1.1, computing NAT Discovery hash
Jun 13 07:54:19 [IKEv1 DEBUG]: IP = 1.1.1.1, processing NAT-Discovery payload
Jun 13 07:54:19 [IKEv1 DEBUG]: IP = 1.1.1.1, computing NAT Discovery hash
Jun 13 07:54:19 [IKEv1 DEBUG]: IP = 1.1.1.1, constructing ke payload
Jun 13 07:54:19 [IKEv1 DEBUG]: IP = 1.1.1.1, constructing nonce payload
Jun 13 07:54:19 [IKEv1 DEBUG]: IP = 1.1.1.1, constructing Cisco Unity VID payload
Jun 13 07:54:19 [IKEv1 DEBUG]: IP = 1.1.1.1, constructing xauth V6 VID payload
Jun 13 07:54:19 [IKEv1 DEBUG]: IP = 1.1.1.1, Send IOS VID
Jun 13 07:54:19 [IKEv1 DEBUG]: IP = 1.1.1.1, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Jun 13 07:54:19 [IKEv1 DEBUG]: IP = 1.1.1.1, constructing VID payload
Jun 13 07:54:19 [IKEv1 DEBUG]: IP = 1.1.1.1, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Jun 13 07:54:19 [IKEv1 DEBUG]: IP = 1.1.1.1, constructing NAT-Discovery payload
Jun 13 07:54:19 [IKEv1 DEBUG]: IP = 1.1.1.1, computing NAT Discovery hash
Jun 13 07:54:19 [IKEv1 DEBUG]: IP = 1.1.1.1, constructing NAT-Discovery payload
Jun 13 07:54:19 [IKEv1 DEBUG]: IP = 1.1.1.1, computing NAT Discovery hash
Jun 13 07:54:19 [IKEv1]: IP = 1.1.1.1, Connection landed on tunnel_group 1.1.1.1
Jun 13 07:54:19 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, Generating keys for Responder...
Jun 13 07:54:19 [IKEv1]: IP = 1.1.1.1, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 304
Jun 13 07:54:19 [IKEv1]: IP = 1.1.1.1, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 64
Jun 13 07:54:19 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, processing ID payload
Jun 13 07:54:19 [IKEv1 DECODE]: Group = 1.1.1.1, IP = 1.1.1.1, ID_IPV4_ADDR ID received
1.1.1.1
Jun 13 07:54:19 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, processing hash payload
Jun 13 07:54:19 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, Computing hash for ISAKMP
Jun 13 07:54:19 [IKEv1]: Group = 1.1.1.1, IP = 1.1.1.1, Automatic NAT Detection Status:     Remote end is NOT behind a NAT device     This   end is NOT behind a NAT device
Jun 13 07:54:19 [IKEv1]: IP = 1.1.1.1, Connection landed on tunnel_group 1.1.1.1
Jun 13 07:54:19 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, constructing ID payload
Jun 13 07:54:19 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, constructing hash payload
Jun 13 07:54:19 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, Computing hash for ISAKMP
Jun 13 07:54:19 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, constructing dpd vid payload
Jun 13 07:54:19 [IKEv1]: IP = 1.1.1.1, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + VENDOR (13) + NONE (0) total length : 86
Jun 13 07:54:19 [IKEv1]: Group = 1.1.1.1, IP = 1.1.1.1, Failure during phase 1 rekeying attempt due to collision
Jun 13 07:54:19 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, IKE MM Responder FSM error history (struct &0xca623588)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_SND_MSG6_H, EV_SND_MSG_OK-->MM_SND_MSG6_H, EV_SND_MSG-->MM_SND_MSG6, EV_SND_MSG-->MM_BLD_MSG6, EV_ENCRYPT_OK-->MM_BLD_MSG6, NullEvent-->MM_BLD_MSG6, EV_ENCRYPT_MSG-->MM_BLD_MSG6, EV_CHECK_IA
Jun 13 07:54:19 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, IKE SA MM:be5cb988 terminating:  flags 0x01000002, refcnt 0, tuncnt 0
Jun 13 07:54:19 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, sending delete/delete with reason message
Jun 13 07:54:19 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, constructing blank hash payload
Jun 13 07:54:19 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, constructing IKE delete payload
Jun 13 07:54:19 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, constructing qm hash payload
Jun 13 07:54:19 [IKEv1]: IP = 1.1.1.1, IKE_DECODE SENDING Message (msgid=aa351106) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
Jun 13 07:54:19 [IKEv1]: IP = 1.1.1.1, Received encrypted packet with no matching SA, dropping

Hall of Fame Guru

The key message I see in the debug is "Failure during phase 1 rekeying attempt due to collision".

One of the best troubleshooting guides I refer to is the Cisco TAC-published guide "Most Common L2L and Remote Access IPsec VPN Troubleshooting Solutions".

That document indicates you should check your isakmp lifetimes for a possible mismatch when you see that error.

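A small triage helper for the responder-side debug posted above and the rekey-collision reading in this reply. This is an added example, not code from the thread or from Cisco; it assumes the line format shown in the capture (timestamp, `[IKEv1 ...]`, optional `Group =`, `IP =`, message) and runs on a constructed, abridged copy of that capture.

```python
import re

# One ASA IKEv1 debug line as in the thread: "Jun 13 07:54:19 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, <msg>"
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \[(?P<src>IKEv1[^\]]*)\]: "
                     r"(?:Group = (?P<group>\S+), )?IP = (?P<ip>\S+), (?P<msg>.*)$")
# IKE_DECODE lines list the payloads of each message on the wire.
DECODE_RE = re.compile(r"IKE_DECODE (SENDING|RECEIVED) Message \(msgid=(\w+)\) with payloads : (.*) total length")
# Symptom strings quoted in the thread, mapped to the check the replies point at.
FINDINGS = {
    "Failure during phase 1 rekeying attempt due to collision":
        "phase1_rekey_collision: compare the isakmp (phase 1) lifetimes on both peers",
    "Received encrypted packet with no matching SA":
        "no_matching_sa: peer keeps sending on an IKE SA this side already deleted",
}

def parse_line(line):
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def summarize(lines):
    """Count main-mode (msgid=0) and quick-mode messages and collect known symptoms."""
    exchange, findings = [], []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                      # not a debug line (blank, CLI prompt, etc.)
        d = DECODE_RE.match(rec["msg"])
        if d:
            direction, msgid, payloads = d.groups()
            exchange.append((direction, msgid, payloads.replace(" + NONE (0)", "")))
        for needle, advice in FINDINGS.items():
            if needle in rec["msg"] and advice not in findings:
                findings.append(advice)
    mm = [e for e in exchange if e[1] == "0"]              # main mode: 6 messages when complete
    qm = [e for e in exchange if e[1] != "0" and "DELETE" not in e[2]]  # quick mode (phase 2)
    return {"exchange": exchange, "main_mode_msgs": len(mm), "phase1_complete": len(mm) >= 6,
            "quick_mode_seen": bool(qm), "findings": findings}

# Constructed sample: an abridged copy of the responder-side capture posted above.
SAMPLE = """\
Jun 13 07:54:19 [IKEv1]: IP = 1.1.1.1, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 220
Jun 13 07:54:19 [IKEv1]: IP = 1.1.1.1, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 128
Jun 13 07:54:19 [IKEv1]: IP = 1.1.1.1, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NAT-D (130) + NONE (0) total length : 228
Jun 13 07:54:19 [IKEv1]: IP = 1.1.1.1, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NAT-D (130) + NONE (0) total length : 304
Jun 13 07:54:19 [IKEv1]: IP = 1.1.1.1, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 64
Jun 13 07:54:19 [IKEv1]: IP = 1.1.1.1, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + VENDOR (13) + NONE (0) total length : 86
Jun 13 07:54:19 [IKEv1]: Group = 1.1.1.1, IP = 1.1.1.1, Failure during phase 1 rekeying attempt due to collision
Jun 13 07:54:19 [IKEv1]: IP = 1.1.1.1, IKE_DECODE SENDING Message (msgid=aa351106) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
Jun 13 07:54:19 [IKEv1]: IP = 1.1.1.1, Received encrypted packet with no matching SA, dropping
""".splitlines()
```

On the sample this reports all six main-mode messages exchanged, no quick-mode message at all, and both symptoms, which matches the "Phase 1 up, Phase 2 never starts" picture in the original post.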
Beginner

Solved the issue by deleting everything that was related to VPN, crypto maps etc. Then rebuilt the VPN and everything worked.