1800 to ASA VPN problem, fail at Phase 2

3moloz123
Level 1

Hi,

I have an 1800 series running IOS 12.4(6)T11, and an ASA 5505 running 8.2 that I am trying to connect using a LAN-to-LAN tunnel.

1800:

WAN a.b.c.141

LAN 192.168.0.0/24

ASA5505:

WAN x.y.z.125

LAN 10.180.3.0/24

The 1800 also has pptp clients, on 172.16.99.0/24 network.

Problem:

When I try to establish a connection from a host on one of the LANs to the other, I can see that phase 1 works. During phase 2, some interesting debug messages are seen:

002611: *Apr 11 19:15:24.142 UTC: map_db_find_best did not find matching map
002612: *Apr 11 19:15:24.142 UTC: IPSEC(crypto_ipsec_process_proposal): proxy identities not supported
002613: *Apr 11 19:15:24.142 UTC: ISAKMP:(2031): IPSec policy invalidated proposal with error 32
002614: *Apr 11 19:15:24.142 UTC: ISAKMP:(2031): phase 2 SA policy not acceptable! (local a.b.c.141 remote x.y.z.125)
002615: *Apr 11 19:15:24.142 UTC: ISAKMP: set new node -1883245570 to QM_IDLE     
002616: *Apr 11 19:15:24.142 UTC: ISAKMP:(2031):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
    spi 2215023312, message ID = -1883245570
002617: *Apr 11 19:15:24.142 UTC: ISAKMP:(2031): sending packet to x.y.z.125 my_port 500 peer_port 500 (R) QM_IDLE     
002618: *Apr 11 19:15:24.142 UTC: ISAKMP:(2031):purging node -1883245570
002619: *Apr 11 19:15:24.142 UTC: ISAKMP:(2031):deleting node -9204283 error TRUE reason "QM rejected"
002620: *Apr 11 19:15:24.142 UTC: ISAKMP:(2031):Node -9204283, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH

During the negotiation, "show crypto isakmp" first shows "ACTIVE", but after a minute or so switches to "ACTIVE (DELETED)".

From what I can see, the Cisco 1800 seems to terminate the tunnel because it is unhappy with some of the phase 2 options.

# on 1800

IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
a.b.c.141  x.y.z.125  QM_IDLE           2029    0 ACTIVE

# on 5505
2   IKE Peer: a.b.c.141
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE

# after a minute or so on the 1800 (no difference in the 5505's output)

IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
a.b.c.141  x.y.z.125  QM_IDLE           2030    0 ACTIVE
a.b.c.141  x.y.z.125  MM_NO_STATE       2029    0 ACTIVE (deleted)

I suspect it could be because of NATing on either side. I am a little unsure about the NAT config of the 1800; could it be that it tries to NAT the 192.168.0.0/24 traffic when passing it over the tunnel?

1 Accepted Solution


andamani
Cisco Employee

Hi,

I don't see a NAT exemption configured on the router.

Please try the following:

ip nat inside source route-map natmap interface overload

Hope this helps.

Regards,

Anisha

P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.


4 Replies


As you can see, I already have an "ip nat" configured:

ip nat inside source list NAT_CLIENTS pool S_GLOBAL_IP_POOL overload
!
ip access-list standard NAT_CLIENTS
permit 192.168.0.0 0.0.255.255
permit 10.10.10.0 0.0.0.255
permit 172.16.99.0 0.0.0.255

In the above configuration, 192.168.0.0/16 is permitted. I can't seem to add a rule that denies 192.168.0.0/24 (or /16) when the destination is the LAN of the other side (10.180.3.0/24).

Secondly, if I issue "ip nat inside source route-map natmap interface overload", wouldn't that overwrite the ip nat above? (If so, all offices going through that router would lose their internet connectivity.)

As per your recommendation, I brought NAT down on both interfaces -> cleared the translation table and finally replaced the "ip nat inside .... pool ...".

As you can see here, there is a clear exemption when the source is the LAN (192.168.0.0/24) on the Cisco 1800 and the destination is the LAN behind the ASA (10.180.3.0/24):

ip nat pool S_GLOBAL_IP_POOL a.b.c.139 a.b.c.141 prefix-length 24
ip nat inside source route-map natmap pool S_GLOBAL_IP_POOL overload
!
ip access-list extended natrules
deny   ip 192.168.0.0 0.0.0.255 10.180.3.0 0.0.0.255
permit ip 192.168.0.0 0.0.255.255 any
permit ip 10.10.10.0 0.0.0.255 any
permit ip 172.16.99.0 0.0.0.255 any
!
route-map natmap permit 10
match ip address natrules

Show ip nat statistics confirms that the new route-map is in use:
Dynamic mappings:
-- Inside Source
[Id: 2] route-map natmap pool S_GLOBAL_IP_POOL refcount 1137
pool S_GLOBAL_IP_POOL: netmask 255.255.255.0
    start a.b.c.139 end a.b.c.141
    type generic, total addresses 3, allocated 2 (66%), misses 0
Queued Packets: 0

The error message seen by debugging does however persist, and with no other information in it.

Match identity + proper nat exemption solved the problem!
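The mechanism behind the thread's fix, as an added example that is not part of the original posts: an IOS NAT ACL is first-match, so a `deny` for the tunnel's source/destination pair placed before the `permit` lines exempts that traffic from translation, while everything else still gets NATed. The crypto ACL (phase 2 proxy identities) is not shown in the thread, so the one below is an assumption built from the two LANs mentioned.

```python
# Added example (not from the thread): does a NAT ACL translate a flow that the crypto
# ACL (phase 2 proxy IDs) should carry untranslated? IOS then logs "proxy identities not supported".
import ipaddress

def wildcard_net(addr, wildcard):
    """IOS address/wildcard pair -> IPv4Network (wildcard bits are host bits)."""
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False)

def parse_addr(f, i):
    """Consume 'any' or 'ADDR WILDCARD' at token i; return (network, next index)."""
    if f[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    return wildcard_net(f[i], f[i + 1]), i + 2

def parse_acl(lines):
    """Standard ('permit SRC WC') and extended ('permit ip SRC WC DST WC') lines."""
    rules = []
    for line in lines:
        f = line.split()
        if f[1] == "ip":                      # extended: explicit destination
            src, i = parse_addr(f, 2)
            dst, _ = parse_addr(f, i)
        else:                                 # standard: source only, any destination
            src, _ = parse_addr(f, 1)
            dst = ipaddress.IPv4Network("0.0.0.0/0")
        rules.append((f[0], src, dst))
    return rules

def first_match(rules, src, dst):
    """IOS ACLs are first-match with an implicit deny at the end."""
    for action, s, d in rules:
        if src in s and dst in d:
            return action
    return "deny"

# Constructed inputs: the thread's original NAT ACL, the fixed route-map ACL, and
# an assumed crypto ACL for the 192.168.0.0/24 <-> 10.180.3.0/24 tunnel.
NAT_CLIENTS = ["permit 192.168.0.0 0.0.255.255", "permit 10.10.10.0 0.0.0.255",
               "permit 172.16.99.0 0.0.0.255"]
NATRULES = ["deny   ip 192.168.0.0 0.0.0.255 10.180.3.0 0.0.0.255",  # the exemption
            "permit ip 192.168.0.0 0.0.255.255 any", "permit ip 10.10.10.0 0.0.0.255 any",
            "permit ip 172.16.99.0 0.0.0.255 any"]
CRYPTO_ACL = ["permit ip 192.168.0.0 0.0.0.255 10.180.3.0 0.0.0.255"]

def nat_hits_tunnel(nat_lines, crypto_lines, src, dst):
    """True when the flow is tunnel traffic but the NAT ACL would still translate it."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    return (first_match(parse_acl(crypto_lines), s, d) == "permit"
            and first_match(parse_acl(nat_lines), s, d) == "permit")
```

With the original standard ACL the LAN-to-LAN flow is translated (the symptom in the debug output); with the route-map ACL it is exempt, while a flow to the internet from the same LAN is still translated.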