6239
Views
5
Helpful
6
Replies

ASA 5505 IPSEC site to site VPN issue

Qays
Level 1

Hi

My company uses an ASA 5505 firewall to create an IPSEC VPN tunnel with another partner; the other partner company uses a Huawei firewall. The VPN tunnel works and the connection is made, but sometimes the connection is interrupted and there is no connectivity between the sites until the VPN tunnel is reset using the command:

  #clear crypto isakmp.

While there is a connection between the sites I used the command # debug crypto ikev2 protocol

This is the output:
IKEv2-PROTO-1: (4): Failed to find a matching policy
IKEv2-PROTO-1: (4): Received Policies:
IKEv2-PROTO-1: (4): Failed to find a matching policy
IKEv2-PROTO-1: (4): Expected Policies:
IKEv2-PROTO-1: (4): Failed to find a matching policy
IKEv2-PROTO-1: (4):
IKEv2-PROTO-1: (4): Create child exchange failed

Also my company has another ASA 5515 that uses a VPN tunnel from another site to the same partner and the same Huawei firewall; the second tunnel works without issues.

Any ideas about this situation?

6 Replies

Hi @Qays 

Check that the IPSec and ISAKMP lifetimes configured on the ASA 5505 are the same as those configured on the Huawei Firewall. Ensure you have Dead Peer Detection (DPD) configured as well.


HTH


Hi

Thanks for the answer. I have checked the IPSec and ISAKMP lifetimes and the tunnel is working better, without interruption until now, but I still receive this debug from the same peer.

This is the received debug:

IKEv2-PLAT-2: Crypto Map: No proxy match on map ###### seq 1
IKEv2-PLAT-2: Crypto Map: No proxy match on map ######seq 3
IKEv2-PLAT-2: Crypto Map: No proxy match on map ######seq 5
IKEv2-PLAT-2: Crypto Map: No proxy match on map ######seq 6
IKEv2-PLAT-2: Crypto Map: No proxy match on map ######seq 7
IKEv2-PLAT-2: Crypto Map: No proxy match on map ######seq 8
IKEv2-PLAT-2: Crypto Map: No proxy match on map ######seq 9
IKEv2-PLAT-2: Crypto Map: No proxy match on map ######seq 10
IKEv2-PROTO-1: (21): Failed to find a matching policy
IKEv2-PROTO-1: (21): Received Policies:
ESP: Proposal 1: AES-CBC-256 SHA96 DH_GROUP_1536_MODP/Group 5

ESP: Proposal 2: AES-CBC-256 MD596 DH_GROUP_1536_MODP/Group 5

IKEv2-PROTO-1: (21): Failed to find a matching policy
IKEv2-PROTO-1: (21): Expected Policies:
IKEv2-PROTO-1: (21): Failed to find a matching policy
IKEv2-PROTO-1: (21):
IKEv2-PROTO-1: (21): Create child exchange failed


IKEv2-PLAT-1: Failed to decrement count for incoming negotiating

This is the configuration:

crypto ipsec ikev2 ipsec-proposal AES265-SHA1
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association pmtu-aging infinite
crypto map ###### match address #######
crypto map ###### set pfs group5
crypto map ###### set peer #######
crypto map ####### set ikev2 ipsec-proposal AES265-SHA1
crypto map ####### set security-association lifetime seconds 3600
crypto ikev2 policy 1
encryption aes-256
integrity sha512
group 5
prf sha512
lifetime seconds 86400

Thanks for the answer.

After I checked the IPSec and ISAKMP lifetimes the tunnel works better, but I still receive this debug from the same peer.

IKEv2-PLAT-2: Crypto Map: No proxy match on map ###### seq 1
IKEv2-PLAT-2: Crypto Map: No proxy match on map ###### seq 3
IKEv2-PLAT-2: Crypto Map: No proxy match on map ###### seq 5
IKEv2-PLAT-2: Crypto Map: No proxy match on map ###### seq 6
IKEv2-PLAT-2: Crypto Map: No proxy match on map ###### seq 7
IKEv2-PLAT-2: Crypto Map: No proxy match on map ###### seq 8
IKEv2-PLAT-2: Crypto Map: No proxy match on map ###### seq 9
IKEv2-PLAT-2: Crypto Map: No proxy match on map ###### seq 10


IKEv2-PROTO-1: (12): Failed to find a matching policy


IKEv2-PROTO-1: (12): Received Policies:
ESP: Proposal 1: AES-CBC-256 SHA96 DH_GROUP_1536_MODP/Group 5

ESP: Proposal 2: AES-CBC-256 MD596 DH_GROUP_1536_MODP/Group 5

IKEv2-PROTO-1: (12): Failed to find a matching policy
IKEv2-PROTO-1: (12): Expected Policies:
IKEv2-PROTO-5: (12): Failed to verify the proposed policies
IKEv2-PROTO-1: (12): Failed to find a matching policy

IKEv2-PROTO-2: (21): Sending DPD/liveness query
IKEv2-PROTO-2: (21): Process delete request from peer

The configuration:

crypto ipsec ikev2 ipsec-proposal AES265-SHA1
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association pmtu-aging infinite
crypto map ###### match address #######
crypto map ###### set pfs group5
crypto map ###### set peer #######
crypto map ####### set ikev2 ipsec-proposal AES265-SHA1
crypto map ####### set security-association lifetime seconds 3600
crypto ikev2 policy 1
encryption aes-256
integrity sha512
group 5
prf sha512
lifetime seconds 86400
Are the crypto map ACLs that define your interesting traffic correct between you and your peer? They should mirror your peer's ACL. The first message, "No proxy match on map", implies that traffic was sent over the tunnel that is not expected.

Which device initiated the tunnel when it fails? Yours or the peer? Is PFS enabled on the peer?

FYI, group 5 is weak and will be deprecated in the latest versions of code; consider replacing it at some point.
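The two checks recommended in this thread (matching lifetimes in the first reply, and mirrored crypto-map ACLs plus a proposal/PFS comparison in the reply above) can be scripted against the ASA's configuration and its debug output. The following is an added example, not code from the thread's participants or from Cisco: it parses a config in the shape of the one posted, extracts the peer's received ESP proposals and the "No proxy match" lines from a debug excerpt in the same shape, and reports whether the mismatch is cryptographic (cipher, integrity, DH group) or a traffic-selector problem. The map name OUTSIDE_MAP, the ACL name PARTNER_ACL, the subnets, the peer-side lifetime and the AES token mappings are constructed assumptions; only the SHA96 and MD596 tokens come from the thread.

```python
"""Added troubleshooting helper for an ASA IKEv2 site-to-site tunnel (not Cisco's
tooling): parse the crypto config and 'debug crypto ikev2' output, compare the
peer's ESP proposal with the local ipsec-proposal/PFS, count 'No proxy match'
events and check that the interesting-traffic ACL mirrors the peer's."""
import ipaddress
import re
from collections import Counter

# Debug tokens -> ipsec-proposal keywords. SHA96 (HMAC-SHA1-96) and MD596 are the
# tokens seen in the thread; the AES mappings are assumed for illustration.
ENC_TOKENS = {"AES-CBC-256": "aes-256", "AES-CBC-192": "aes-192", "AES-CBC-128": "aes"}
INTEG_TOKENS = {"SHA96": "sha-1", "MD596": "md5"}

# Constructed ASA config in the shape of the thread's, with redacted names filled in.
ASA_CONFIG = """
crypto ipsec ikev2 ipsec-proposal AES265-SHA1
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec security-association lifetime seconds 3600
crypto map OUTSIDE_MAP 1 match address PARTNER_ACL
crypto map OUTSIDE_MAP 1 set pfs group5
crypto map OUTSIDE_MAP 1 set ikev2 ipsec-proposal AES265-SHA1
crypto map OUTSIDE_MAP 1 set security-association lifetime seconds 3600
"""

# Constructed debug excerpt in the same shape as the thread's output.
DEBUG = """
IKEv2-PLAT-2: Crypto Map: No proxy match on map OUTSIDE_MAP seq 1
IKEv2-PLAT-2: Crypto Map: No proxy match on map OUTSIDE_MAP seq 3
IKEv2-PROTO-1: (21): Received Policies:
ESP: Proposal 1: AES-CBC-256 SHA96 DH_GROUP_1536_MODP/Group 5
ESP: Proposal 2: AES-CBC-256 MD596 DH_GROUP_1536_MODP/Group 5
IKEv2-PROTO-1: (21): Failed to find a matching policy
"""

# Constructed (local, remote) ACL pairs for our side and for the peer's side; the peer lacks one mirror.
LOCAL_ACL = [("10.1.0.0/24", "10.2.0.0/24"), ("10.1.1.0/24", "10.2.0.0/24")]
PEER_ACL = [("10.2.0.0/24", "10.1.0.0/24")]

def parse_asa_config(text):
    """Return ipsec proposals, global SA lifetime and crypto-map entries keyed by (map, seq)."""
    cfg = {"proposals": {}, "ipsec_lifetime": None, "maps": {}}
    proposal = None  # the ipsec-proposal whose 'protocol esp ...' sub-lines we are inside
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if m := re.match(r"crypto ipsec ikev2 ipsec-proposal (\S+)$", line):
            proposal = cfg["proposals"].setdefault(m.group(1), {"encryption": set(), "integrity": set()})
        elif (m := re.match(r"protocol esp (encryption|integrity) (.+)", line)) and proposal is not None:
            proposal[m.group(1)].update(m.group(2).split())
        elif m := re.match(r"crypto ipsec security-association lifetime seconds (\d+)", line):
            cfg["ipsec_lifetime"], proposal = int(m.group(1)), None
        elif m := re.match(r"crypto map (\S+) (\d+) (.+)", line):
            entry = cfg["maps"].setdefault((m.group(1), int(m.group(2))), {})
            rest, proposal = m.group(3), None
            if r := re.match(r"match address (\S+)", rest):
                entry["acl"] = r.group(1)
            elif r := re.match(r"set pfs group(\d+)", rest):
                entry["pfs"] = int(r.group(1))
            elif r := re.match(r"set ikev2 ipsec-proposal (.+)", rest):
                entry["proposals"] = r.group(1).split()
            elif r := re.match(r"set security-association lifetime seconds (\d+)", rest):
                entry["lifetime"] = int(r.group(1))
    return cfg

def parse_received_proposals(debug):
    """Extract the peer's ESP proposals from the 'Received Policies' debug lines."""
    return [{"num": int(n), "encryption": e, "integrity": i, "dh_group": int(g)}
            for n, e, i, g in re.findall(r"ESP: Proposal (\d+): (\S+) (\S+) \S+/Group (\d+)", debug)]

def proposal_matches(received, cfg, map_key):
    """True if a received ESP proposal is acceptable under one crypto-map entry (cipher, integrity, PFS)."""
    entry = cfg["maps"][map_key]
    if "pfs" in entry and entry["pfs"] != received["dh_group"]:
        return False
    enc, integ = ENC_TOKENS.get(received["encryption"]), INTEG_TOKENS.get(received["integrity"])
    return any(enc in cfg["proposals"][p]["encryption"] and integ in cfg["proposals"][p]["integrity"]
               for p in entry.get("proposals", []) if p in cfg["proposals"])

def count_no_proxy_match(debug):
    """Count 'No proxy match' per (map, seq): a traffic-selector mismatch, not a crypto one."""
    return dict(Counter((n, int(s)) for n, s in re.findall(r"No proxy match on map (\S+) ?seq (\d+)", debug)))

def unmirrored_acl_entries(local, peer):
    """Return local (src, dst) pairs the peer does not mirror as (dst, src), and vice versa."""
    local_set = {(ipaddress.ip_network(s), ipaddress.ip_network(d)) for s, d in local}
    peer_set = {(ipaddress.ip_network(s), ipaddress.ip_network(d)) for s, d in peer}
    missing_on_peer = sorted((str(s), str(d)) for s, d in local_set if (d, s) not in peer_set)
    missing_on_local = sorted((str(s), str(d)) for s, d in peer_set if (d, s) not in local_set)
    return missing_on_peer, missing_on_local

def lifetime_mismatch(cfg, map_key, peer_ipsec_lifetime):
    """(local, peer) IPsec SA lifetimes if they differ, else None; the map entry overrides the global."""
    local = cfg["maps"][map_key].get("lifetime", cfg["ipsec_lifetime"])
    return None if local == peer_ipsec_lifetime else (local, peer_ipsec_lifetime)

if __name__ == "__main__":
    cfg = parse_asa_config(ASA_CONFIG)
    print([proposal_matches(p, cfg, ("OUTSIDE_MAP", 1)) for p in parse_received_proposals(DEBUG)],
          count_no_proxy_match(DEBUG), unmirrored_acl_entries(LOCAL_ACL, PEER_ACL))
```

With the thread's values both received proposals match the local proposal and PFS group, so the "Failed to find a matching policy" line is not explained by the ciphers; the "No proxy match" counts and the unmirrored ACL entry point at the traffic selectors instead, which is the reply's diagnosis. The peer-side ACL and lifetime have to be obtained from the partner, since they are not visible from the ASA.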

I can't access the partner peer configuration, but he should configure all parameters correctly; also the ACL should be correct. I will contact the partner for confirmation.

Also my device's role is RESPONDER.

Thanks for the reply.

balaji.bandi
Hall of Fame

Make sure you verify each side's config, or post the configuration so we can understand the issue.

Check more on the IPSEC proposal:

https://support.huawei.com/enterprise/en/doc/EDOC1000154805/931088a3/basic-information-about-ipsec-interoperation-between-huawei-firewalls-and-cisco-firewalls

BB