01-30-2018 02:22 AM - edited 03-12-2019 04:58 AM
Hey Techies,
I am trying to set up an L2L VPN between a Cisco IOS rtr and ASA firewall. I can't seem to figure out what's wrong. Here's the config below:
Here is the error message:
Removing peer from correlator table failed, no match!
QM FSM error (P2 struct &0x00007fff2b819090, mess id 0xfda7a478)!
And config on both routers
ASA CONFIG
object-group network BWL-VI-TO-ABUJA
network-object object BWL-VI2
network-object object BWL-VI3
PHASE 1
crypto ikev1 policy 20
authentication pre-share
encryption aes 256
hash sha
group 2
lifetime 86400
crypto isakmp enable outside
tunnel-group 81.x.x.x type ipsec-l2l
tunnel-group 81.x.x.x ipsec-attributes
pre-shared-key xxxx
object network Abuja
subnet 172.16.130.0 255.255.255.128
PHASE 2
access-list VI-to-Abuja extended permit ip 172.16.120.0 255.255.248.0 172.16.130.0 255.255.255.128
access-list VI-to-Abuja extended permit ip 192.168.0.0 255.255.255.0 172.16.130.0 255.255.255.128
crypto ipsec transform-set VI-TO-ABUJA esp-aes esp-sha-hmac
crypto map outside-map 3 set peer 81.x.x.x
crypto map outside-map 3 match address VI-to-Abuja
crypto map outside-map 3 set transform-set VI-TO-ABUJA
crypto map outside-map interface outside
nat (INSIDE,outside) source static BWL-VI-TO-ABUJA BWL-VI-TO-ABUJA destination static ABUJA ABUJA description NONAT-VI-ABUJA-L2LVPN
IOS
PHASE 1
ip route 0.0.0.0 0.0.0.0 91.x.x.2 (gateway)
crypto isakmp policy xx
encr 3des
hash sha
authentication pre-share
group 2
crypto isakmp key xxx address 41.x.x.x
PHASE 2
ip access-list extended Abuja-to-VI
permit ip 172.16.130.0 0.0.0.7 192.168.0.0 0.0.0.255
permit ip 172.16.130.0 0.0.0.7 172.16.120.0 0.0.7.255
crypto ipsec transform-set LAGOSSET esp-aes esp-sha-hmac
mode tunnel
crypto map ABJ2ILPJ 30 ipsec-isakmp
set peer 41.x.x.x
set transform-set LAGOSSET
match address Abuja-to-VI
int vlan1
crypto map ABJ2ILPJ
ip nat outside
ROUTES AND NONATS
ip route 172.16.120.0 255.255.248.0 91.x.x.2
ip access-list extended NONAT-VPN-TRAFFIC
deny ip 172.16.130.0 0.0.0.7 192.168.0.0 0.0.0.255
deny ip 172.16.130.0 0.0.0.7 172.16.120.0 0.0.7.255
permit ip any any
ip nat inside source list NONAT-VPN-TRAFFIC interface vlan1 overload
PLEASE HELP
01-30-2018 04:05 AM
Please share the error message with details.
Please run commands.
debug crypto isakmp 127
debug crypto ipsec 127
sho crypto isakmp sa
sho crypto ipsec sa
IPsec commands may vary with the IOS image version.
Regards,
Deepak Kumar
01-30-2018 05:19 AM
Jan 30 06:09:47 [IKEv1 DEBUG]Group = 81.x.x.x, IP = 81.x.x.x, IKE got SPI from key engine: SPI = 0x053d3fc8
Jan 30 06:09:47 [IKEv1 DEBUG]Group = 81.x.x.x, IP = 81.x.x.x, oakley constucting quick mode
Jan 30 06:09:47 [IKEv1 DEBUG]Group = 81.x.x.x, IP = 81.x.x.x, constructing blank hash payload
Jan 30 06:09:47 [IKEv1 DEBUG]Group = 81.x.x.x, IP = 81.x.x.x, constructing IPSec SA payload
Jan 30 06:09:47 [IKEv1 DEBUG]Group = 81.x.x.x, IP = 81.x.x.x, constructing IPSec nonce payload
Jan 30 06:09:47 [IKEv1 DEBUG]Group = 81.x.x.x, IP = 81.x.x.x, constructing proxy ID
Jan 30 06:09:47 [IKEv1 DEBUG]Group = 81.x.x.x, IP = 81.x.x.x, Transmitting Proxy Id:
Local subnet: 192.168.0.0 mask 255.255.255.0 Protocol 0 Port 0
Remote subnet: 172.16.130.0 Mask 255.255.255.128 Protocol 0 Port 0
Jan 30 06:09:47 [IKEv1 DECODE]Group = 81.x.x.x, IP = 81.x.x.x, IKE Initiator sending Initial Contact
Jan 30 06:09:47 [IKEv1 DEBUG]Group = 81.x.x.x, IP = 81.x.x.x, constructing qm hash payload
Jan 30 06:09:47 [IKEv1 DECODE]Group = 81.x.x.x, IP = 81.x.x.x, IKE Initiator sending 1st QM pkt: msg id = 81002811
Jan 30 06:09:47 [IKEv1]IP = 81.x.x.x, IKE_DECODE SENDING Message (msgid=81002811) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 200
Jan 30 06:09:47 [IKEv1]IKE Receiver: Packet received on 41.x.x.x:500 from 81.x.x.x:500
Jan 30 06:09:47 [IKEv1]IP = 81.x.x.x, IKE_DECODE RECEIVED Message (msgid=89880999) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80
Jan 30 06:09:47 [IKEv1 DEBUG]Group = 81.x.x.x, IP = 81.x.x.x, processing hash payload
Jan 30 06:09:47 [IKEv1 DEBUG]Group = 81.x.x.x, IP = 81.x.x.x, processing notify payload
Jan 30 06:09:47 [IKEv1]Group = 81.x.x.x, IP = 81.x.x.x, Received non-routine Notify message: No proposal chosen (14)
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=17, saddr=192.168.0.120, sport=50195, daddr=172.16.130.15, dport=50195
IPSEC(crypto_map_check)-5: Checking crypto map outside-map 2: skipping because 5-tuple does not match ACL ILUPEJU_LAN_TRAFFIC.
IPSEC(crypto_map_check)-3: Checking crypto map outside-map 3: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=17, saddr=192.168.0.120, sport=50195, daddr=172.16.130.15, dport=50195
IPSEC(crypto_map_check)-5: Checking crypto map outside-map 2: skipping because 5-tuple does not match ACL ILUPEJU_LAN_TRAFFIC.
IPSEC(crypto_map_check)-3: Checking crypto map outside-map 3: matched.
IPSEC WARNING: Failed to get last received info for SessionID: 0x00A99000
Jan 30 06:09:57 [IKEv1 DEBUG]Group = 81.x.x.x, IP = 81.x.x.x, Sending keep-alive of type DPD R-U-THERE (seq number 0x2ff0ee1b)
Jan 30 06:09:57 [IKEv1 DEBUG]Group = 81.x.x.x, IP = 81.x.x.x, constructing blank hash payload
Jan 30 06:09:57 [IKEv1 DEBUG]Group = 81.x.x.x, IP = 81.x.x.x, constructing qm hash payload
Jan 30 06:09:57 [IKEv1]IP = 81.x.x.x, IKE_DECODE SENDING Message (msgid=db6df04b) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jan 30 06:09:57 [IKEv1]IKE Receiver: Packet received on 41.x.x.x:500 from 81.x.x.x:500
Jan 30 06:09:57 [IKEv1]IP = 81.x.x.x, IKE_DECODE RECEIVED Message (msgid=a67f61a8) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jan 30 06:09:57 [IKEv1 DEBUG]Group = 81.x.x.x, IP = 81.x.x.x, processing hash payload
Jan 30 06:09:57 [IKEv1 DEBUG]Group = 81.x.x.x, IP = 81.x.x.x, processing notify payload
Jan 30 06:09:57 [IKEv1 DEBUG]Group = 81.x.x.x, IP = 81.x.x.x, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0x2ff0ee1b)
01-30-2018 05:22 AM
Jan 30 06:12:57 [IKEv1 DEBUG]IP = 81.x.x.x, processing ke payload
Jan 30 06:12:57 [IKEv1 DEBUG]IP = 81.x.x.x, processing ISA_KE payload
Jan 30 06:12:57 [IKEv1 DEBUG]IP = 81.x.x.x, processing nonce payload
Jan 30 06:12:57 [IKEv1 DEBUG]IP = 81.x.x.x, processing VID payload
Jan 30 06:12:57 [IKEv1 DEBUG]IP = 81.x.x.x, Received Cisco Unity client VID
Jan 30 06:12:57 [IKEv1 DEBUG]IP = 81.x.x.x, processing VID payload
Jan 30 06:12:57 [IKEv1 DEBUG]IP = 81.x.x.x, Received DPD VID
Jan 30 06:12:57 [IKEv1 DEBUG]IP = 81.x.x.x, processing VID payload
Jan 30 06:12:57 [IKEv1 DEBUG]IP = 81.x.x.x, Processing IOS/PIX Vendor ID payload (version: 1.0.0, capabilities: 00000f7f)
Jan 30 06:12:57 [IKEv1 DEBUG]IP = 81.x.x.x, processing VID payload
Jan 30 06:12:57 [IKEv1 DEBUG]IP = 81.x.x.x, Received xauth V6 VID
Jan 30 06:12:57 [IKEv1 DEBUG]IP = 81.x.x.x, processing NAT-Discovery payload
Jan 30 06:12:57 [IKEv1 DEBUG]IP = 81.x.x.x, computing NAT Discovery hash
Jan 30 06:12:57 [IKEv1 DEBUG]IP = 81.x.x.x, processing NAT-Discovery payload
Jan 30 06:12:57 [IKEv1 DEBUG]IP = 81.x.x.x, computing NAT Discovery hash
Jan 30 06:12:57 [IKEv1]IP = 81.x.x.x, Connection landed on tunnel_group 81.x.x.x
Jan 30 06:12:57 [IKEv1 DEBUG]Group = 81.x.x.x, IP = 81.x.x.x, Generating keys for Initiator...
Jan 30 06:12:57 [IKEv1 DEBUG]Group = 81.x.x.x, IP = 81.x.x.x, constructing ID payload
Jan 30 06:12:57 [IKEv1 DEBUG]Group = 81.x.x.x, IP = 81.x.x.x, constructing hash payload
Jan 30 06:12:57 [IKEv1 DEBUG]Group = 81.x.x.x, IP = 81.x.x.x, Computing hash for ISAKMP
Jan 30 06:12:57 [IKEv1 DEBUG]IP = 81.x.x.x, Constructing IOS keep alive payload: proposal=32767/32767 sec.
Jan 30 06:12:57 [IKEv1 DEBUG]Group = 81.x.x.x, IP = 81.x.x.x, constructing dpd vid payload
Jan 30 06:12:57 [IKEv1]IP = 81.x.x.x, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 96
Jan 30 06:12:57 [IKEv1]Group = 81.x.x.x, IP = 81.x.x.x, Automatic NAT Detection Status: Remote end is NOT behind a NAT device This end is NOT behind a NAT device
Jan 30 06:12:57 [IKEv1]IKE Receiver: Packet received on 41.x.x.x:500 from 81.x.x.x:500
Jan 30 06:12:57 [IKEv1]IP = 81.x.x.x, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + NONE (0) total length : 84
Jan 30 06:12:57 [IKEv1 DEBUG]Group = 81.x.x.x, IP = 81.x.x.x, processing ID payload
Jan 30 06:12:57 [IKEv1 DECODE]Group = 81.x.x.x, IP = 81.x.x.x, ID_IPV4_ADDR ID received
81.x.x.x
Jan 30 06:12:57 [IKEv1 DEBUG]Group = 81.x.x.x, IP = 81.x.x.x, processing hash payload
Jan 30 06:12:57 [IKEv1 DEBUG]Group = 81.x.x.x, IP = 81.x.x.x, Computing hash for ISAKMP
Jan 30 06:12:57 [IKEv1 DEBUG]IP = 81.x.x.x, Processing IOS keep alive payload: proposal=10/3 sec.
Jan 30 06:12:57 [IKEv1 DEBUG]IP = 81.x.x.x, Starting IOS keepalive monitor: 25 sec.
Jan 30 06:12:57 [IKEv1]IP = 81.x.x.x, Connection landed on tunnel_group 81.x.x.x
Jan 30 06:12:57 [IKEv1 DEBUG]Group = 81.x.x.x, IP = 81.x.x.x, Oakley begin quick mode
Jan 30 06:12:57 [IKEv1 DECODE]Group = 81.x.x.x, IP = 81.x.x.x, IKE Initiator starting QM: msg id = 898f61e8
Jan 30 06:12:57 [IKEv1]Group = 81.x.x.x, IP = 81.x.x.x, PHASE 1 COMPLETED
Jan 30 06:12:57 [IKEv1]IP = 81.x.x.x, Keep-alive type for this connection: DPD
Jan 30 06:12:57 [IKEv1 DEBUG]Group = 81.x.x.x, IP = 81.x.x.x, Starting P1 rekey timer: 82080 seconds.
IPSEC: New embryonic SA created @ 0x00007fff2bc41560,
01-30-2018 05:24 AM
Jan 30 06:15:57 [IKEv1]Group = 81.x.x.x, IP = 81.x.x.x, QM FSM error (P2 struct &0x00007fff2bcd2d50, mess id 0xe73fa829)!
Jan 30 06:15:57 [IKEv1]Group = 81.x.x.x, IP = 81.x.x.x, Removing peer from correlator table failed, no match!
Jan 30 06:15:57 [IKEv1]Group = 81.x.x.x, IP = 81.x.x.x, Session is being torn down. Reason: Lost Service
Jan 30 06:16:37 [IKEv1]Group = 81.x.x.x, IP = 81.x.x.x, QM FSM error (P2 struct &0x00007fff2bcd2d50, mess id 0x8233c2a)!
Jan 30 06:16:37 [IKEv1]Group = 81.x.x.x, IP = 81.x.x.x, Removing peer from correlator table failed, no match!
Jan 30 06:16:37 [IKEv1]Group = 81.x.x.x, IP = 81.x.x.x, Session is being torn down. Reason: Lost Service
01-30-2018 05:26 AM
IKEv1 SAs:
Active SA: 2
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2
1 IKE Peer: x.x.x.x
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
2 IKE Peer: 91.x.x.x
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
01-30-2018 06:04 AM - edited 01-30-2018 06:05 AM
Hi,
There is some issue with Phase2
Jan 30 06:12:57 [IKEv1]Group = 81.x.x.x, IP = 81.x.x.x, PHASE 1 COMPLETED --> Phase 1 completed
IPSEC: New embryonic SA created @ 0x00007fff2bc41560, -----> Phase 2 (quick mode) begins.
Please check the Phase 2 settings, including proxy IDs, IPsec policies, transform-set, etc.
For anything more, please attach the running configuration from both ASA.
Regards,
Deepak Kumar
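As an added check (example code, not from this thread), the script below normalizes the ASA netmask-style and IOS wildcard-style crypto ACLs posted above into CIDR and verifies that every local proxy ID appears mirrored on the peer. The sample ACLs are copied from the first post (0.0.0.7 on the router vs 255.255.255.128 on the ASA) and from the reconfigured router (0.0.0.127); the first pair is reported as mismatched, the second as clean.

```python
import ipaddress

# Constructed from the crypto ACLs posted in the thread.
ASA_ACL = """
access-list VI-to-Abuja extended permit ip 172.16.120.0 255.255.248.0 172.16.130.0 255.255.255.128
access-list VI-to-Abuja extended permit ip 192.168.0.0 255.255.255.0 172.16.130.0 255.255.255.128
"""
IOS_ACL_FIRST = """
permit ip 172.16.130.0 0.0.0.7 192.168.0.0 0.0.0.255
permit ip 172.16.130.0 0.0.0.7 172.16.120.0 0.0.7.255
"""
IOS_ACL_FIXED = """
permit ip 172.16.130.0 0.0.0.127 192.168.0.0 0.0.0.255
permit ip 172.16.130.0 0.0.0.127 172.16.120.0 0.0.7.255
"""

def _net(addr, mask, wildcard):
    """Build an IPv4Network; IOS wildcard masks are inverted into netmasks first."""
    if wildcard:
        mask = str(ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(mask))))
    return ipaddress.IPv4Network((addr, mask), strict=False)

def parse_acl(text, wildcard):
    """Return the set of (src, dst) networks from each 'permit ip' line; deny lines are ignored."""
    pairs = set()
    for line in text.strip().splitlines():
        tok = line.split()
        try:
            i = tok.index("ip", tok.index("permit"))
        except ValueError:
            continue
        pairs.add((_net(tok[i + 1], tok[i + 2], wildcard),
                   _net(tok[i + 3], tok[i + 4], wildcard)))
    return pairs

def proxy_id_mismatches(local, remote):
    """Each local (src, dst) proxy ID must exist as (dst, src) on the peer; list those that do not."""
    mirrored = {(d, s) for s, d in remote}
    return sorted(f"{s} -> {d}" for s, d in local - mirrored)

if __name__ == "__main__":
    asa = parse_acl(ASA_ACL, wildcard=False)
    for label, acl in (("first config", IOS_ACL_FIRST), ("reconfigured", IOS_ACL_FIXED)):
        bad = proxy_id_mismatches(asa, parse_acl(acl, wildcard=True))
        print(label, "->", bad or "proxy IDs mirror cleanly")
```

Run it from the ASA's point of view as shown, and again with the arguments swapped to confirm the router side has no extra entries either.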
01-31-2018 08:47 AM - edited 09-21-2018 04:46 AM
So I removed the former config and reconfigured it. Please see config below;
ASA 5515x Version 9.2
crypto isakmp policy 20
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ipsec ikev1 transform-set ABUJASET esp-aes esp-sha-hmac
access-list VI-Abuja extended permit ip 192.168.0.0 255.255.255.0 172.16.130.0 255.255.255.128
access-list VI-Abuja extended permit ip 172.16.120.0 255.255.248.0 172.16.130.0 255.255.255.128
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
pre-shared-key *******
crypto map outside-map 3 match address VI-Abuja
crypto map outside-map 3 set peer x.x.x.x
crypto map outside-map 3 set pfs group5
crypto map outside-map 3 set transform-set ABUJASET
crypto map outside-map 3 set reverse-route
crypto map outside-map interface outside
crypto isakmp enable outside
nat (INSIDE,outside) source static BWL-VI BWL-VI destination static ABUJA ABUJA description NONAT-VI-ABUJA-L2LVPN
Cisco router IOS (2900 series, Version 15.2)
crypto isakmp policy 30
encryption aes
hash sha
authentication pre-share
group 2
crypto isakmp key ******** address X.X.X.X
ip access-list extended Abuja-VI
permit ip 172.16.130.0 0.0.0.127 192.168.0.0 0.0.0.255
permit ip 172.16.130.0 0.0.0.127 172.16.120.0 0.0.7.255
crypto ipsec transform-set LAGOSSET esp-aes esp-sha-hmac
mode tunnel
crypto map ABJ2IPJ 3 ipsec-isakmp
set peer X.X.X.X
set transform-set LAGOSSET
match address Abuja-VI
set pfs group5
SEE BELOW SHOW COMMAND OUTPUT
sh crypto isakmp sa
IKEv1 SAs:
Active SA: 2
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2
1 IKE Peer: x.x.x.x
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
2 IKE Peer: x.x.x.x
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
1. Please find attached the complete configuration on both ASA and router 2900.
2. I configured a route map with an overload on the outside interface (vlan1) so that LAN traffic on the 2900 is not NAT'ed, but it stops the other VPN from working, so I removed it from the configuration.
FROM ASA
sh crypto isakmp sa
IKEv1 SAs:
Active SA: 2
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2
1 IKE Peer: x.x.x.x
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
2 IKE Peer: x.x.x.x
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
KINDLY ASSIST!!!
02-07-2018 12:16 AM
Hello Guys,
So I somewhat sorted it out someway;
1. There is already an existing crypto map on the router before the one I configured. The new one I did had a misspelled crypto map name. It is ABJ2ILPJ not ABJ2IPJ. So I corrected that.
2. Secondly, since the traffic is not to be NAT'ed, as it is a LAN-TO-LAN VPN, I did a route map.
access-list 110 deny ip 172.16.130.0 0.0.0.127 192.168.0.0 0.0.0.255
access-list 110 deny ip 172.16.130.0 0.0.0.127 172.16.120.0 0.0.7.255
access-list 110 permit ip 172.16.130.0 0.0.0.127 any
ip nat inside source list 110 interface Vlan1 overload
route-map nonat permit 10
match ip address 110
The tunnel came up but I encountered another challenge. I may put that up in another post.
Thank you Deepak and everyone who assisted in some way. Deeply appreciate.
This forum is helpful.