05-12-2011 01:35 AM
Hello everyone,
I'm experiencing trouble setting up a simple site-to-site VPN between two new ASA 5505s. I tried several times with the ASDM tool, entering the configuration manually or using the wizard, resetting every time to factory defaults, but the tunnel won't work.
I tracked it down to the following lines on the receiving side:
May 11 16:42:53 [IKEv1]: Group = 1.1.1.2, IP = 1.1.1.2, PHASE 1 COMPLETED
May 11 16:42:53 [IKEv1]: IP = 1.1.1.2, Keep-alive type for this connection: DPD
May 11 16:42:53 [IKEv1 DEBUG]: Group = 1.1.1.2, IP = 1.1.1.2, Starting P1 rekey timer: 73440 seconds.
May 11 16:42:53 [IKEv1 DECODE]: IP = 1.1.1.2, IKE Responder starting QM: msg id = 693161c8
May 11 16:42:53 [IKEv1]: IP = 1.1.1.2, IKE_DECODE RECEIVED Message (msgid=693161c8) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 192
May 11 16:42:53 [IKEv1 DEBUG]: Group = 1.1.1.2, IP = 1.1.1.2, processing hash payload
May 11 16:42:53 [IKEv1 DEBUG]: Group = 1.1.1.2, IP = 1.1.1.2, processing SA payload
May 11 16:42:53 [IKEv1 DEBUG]: Group = 1.1.1.2, IP = 1.1.1.2, processing nonce payload
May 11 16:42:53 [IKEv1 DEBUG]: Group = 1.1.1.2, IP = 1.1.1.2, processing ID payload
May 11 16:42:53 [IKEv1 DECODE]: Group = 1.1.1.2, IP = 1.1.1.2, ID_IPV4_ADDR ID received
1.1.1.2
May 11 16:42:53 [IKEv1]: Group = 1.1.1.2, IP = 1.1.1.2, Received remote Proxy Host data in ID Payload: Address 1.1.1.2, Protocol 0, Port 0
May 11 16:42:53 [IKEv1 DEBUG]: Group = 1.1.1.2, IP = 1.1.1.2, processing ID payload
May 11 16:42:53 [IKEv1 DECODE]: Group = 1.1.1.2, IP = 1.1.1.2, ID_IPV4_ADDR ID received
1.1.1.1
May 11 16:42:53 [IKEv1]: Group = 1.1.1.2, IP = 1.1.1.2, Received local Proxy Host data in ID Payload: Address 1.1.1.1, Protocol 0, Port 0
May 11 16:42:53 [IKEv1 DEBUG]: Group = 1.1.1.2, IP = 1.1.1.2, processing notify payload
May 11 16:42:53 [IKEv1]: Group = 1.1.1.2, IP = 1.1.1.2, QM IsRekeyed old sa not found by addr
May 11 16:42:53 [IKEv1]: Group = 1.1.1.2, IP = 1.1.1.2, Static Crypto Map check, checking map = outside_map, seq = 1...
May 11 16:42:53 [IKEv1]: Group = 1.1.1.2, IP = 1.1.1.2, Static Crypto Map check, map = outside_map, seq = 1, ACL does not match proxy IDs src:1.1.1.2 dst:1.1.1.1
May 11 16:42:53 [IKEv1]: Group = 1.1.1.2, IP = 1.1.1.2, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 1.1.1.2/255.255.255.255/0/0 local proxy 1.1.1.1/255.255.255.255/0/0 on interface outside
Looks to me like the remote proxy host and local proxy host data is the outside IP instead of the local subnets (10.0.0.0/24 and 192.168.0.0/24)... How can I fix this?
05-15-2011 02:02 AM
Hi,
The debugs show that the ASA is the responder, so the other ASA is the initiator.
It looks like you have configured the initiator in originate-only mode.
Example:
crypto map OUTSIDE_map 20 set connection-type originate-only...
If you have this, then it tries to establish a phase 2 SA between the peer IPs (public) first, and then between the configured ACL.
If you have originate-only, please remove it.
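As an added example (not from the thread, and not Cisco's code), a small Python checker that parses the "Rejecting IPSec tunnel" line from the debug output above and tells the two cases apart: /32 proxy IDs equal to the two outside addresses (the originate-only symptom this answer describes) versus real subnets that simply do not mirror the responder's crypto ACL. The second rejection line in the sample is constructed, and 1.1.1.1 is assumed to be the responder's own outside address, as in the thread.

```python
import ipaddress
import re

# Constructed sample: the rejection line from the thread's debug output, plus
# a made-up second rejection showing the other failure mode (real subnets
# that do not mirror the responder's crypto ACL).
SAMPLE_LOG = """\
May 11 16:42:53 [IKEv1]: Group = 1.1.1.2, IP = 1.1.1.2, PHASE 1 COMPLETED
May 11 16:42:53 [IKEv1]: Group = 1.1.1.2, IP = 1.1.1.2, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 1.1.1.2/255.255.255.255/0/0 local proxy 1.1.1.1/255.255.255.255/0/0 on interface outside
May 11 16:43:10 [IKEv1]: Group = 1.1.1.2, IP = 1.1.1.2, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 192.168.1.0/255.255.255.0/0/0 local proxy 10.0.0.0/255.255.255.0/0/0 on interface outside
"""

REJECT_RE = re.compile(
    r"IP = (?P<peer>[\d.]+), Rejecting IPSec tunnel: no matching crypto map entry "
    r"for remote proxy (?P<rip>[\d.]+)/(?P<rmask>[\d.]+)/\d+/\d+ "
    r"local proxy (?P<lip>[\d.]+)/(?P<lmask>[\d.]+)/\d+/\d+"
)

def parse_rejections(log_text):
    """Return (peer_ip, remote_proxy, local_proxy) for each QM rejection line."""
    found = []
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            # The ASA prints proxies as address/netmask; ip_network accepts that form.
            remote = ipaddress.ip_network(f"{m['rip']}/{m['rmask']}", strict=False)
            local = ipaddress.ip_network(f"{m['lip']}/{m['lmask']}", strict=False)
            found.append((m["peer"], remote, local))
    return found

def diagnose(peer_ip, remote_proxy, local_proxy, local_outside_ip):
    """'peer-host-proxy': both proxies are /32 host IDs equal to the two outside
    addresses, i.e. the initiator proposed peer-to-peer proxies first, which is
    what 'set connection-type originate-only' does according to this answer.
    'acl-mismatch': real networks were sent, so the crypto ACLs are not mirrored."""
    if (remote_proxy.prefixlen == 32 and local_proxy.prefixlen == 32
            and str(remote_proxy.network_address) == peer_ip
            and str(local_proxy.network_address) == local_outside_ip):
        return "peer-host-proxy"
    return "acl-mismatch"

def diagnose_log(log_text, local_outside_ip):
    """Run the parser over a debug capture and return one verdict per rejection."""
    return [diagnose(p, r, l, local_outside_ip) for p, r, l in parse_rejections(log_text)]
```

Feed it the output of `debug crypto isakmp` from the responder; a `peer-host-proxy` verdict points at the initiator's connection-type setting, an `acl-mismatch` verdict at the two crypto ACLs.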
05-16-2011 07:37 AM
Yes that solves the problem. I had it set on originate-only to build up the tunnel automatically.
Thank you for this valuable information, as there is no info on the internet and not even the Cisco ASA book mentions anything on this.
05-16-2011 12:16 AM
Dear Neb,
Please see the link below:
http://tunnelsup.com/tag/mm_wait_msg3/
Hope it can help you!
Best Regards
norung