07-22-2013 04:59 AM
Hello,
Wondering if anyone has some ideas how to solve this problem. I have an ASA 5510, running ios ver 9.x, and an Avaya phone that I need to establish a VPN tunnel with the ASA.
The regular Cisco VPN clients are all working fine.
The error message on the ASA is:
Jul 22 2013 00:02:31: %ASA-7-713906: IP = 193.173.47.132, Connection landed on tunnel_group TG-PHONES
Jul 22 2013 00:02:31: %ASA-7-715047: Group = TG-PHONES, IP = 193.173.47.132, processing IKE SA payload
Jul 22 2013 00:02:35: %ASA-7-713236: IP = 193.173.47.132, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 96
Jul 22 2013 00:02:35: %ASA-7-713906: Group = TG-PHONES, IP = 193.173.47.132, All SA proposals found unacceptable
Jul 22 2013 00:02:35: %ASA-7-713906: IP = 193.173.47.132, All IKE SA proposals found unacceptable!
The error message on Avaya is:
IKE phase 1 no response
Firewall config related to vpn:
ASA Version 9.0(1)
!
ip local pool TGN_POOL 172.30.20.1-172.30.23.254 mask 255.255.252.0
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 1.1.1.1 255.255.255.248
!
interface Red1
member-interface Ethernet0/2
member-interface Ethernet0/3
nameif inside
security-level 100
ip address 10.10.10.10 255.255.255.0
!
!
boot system disk0:/asa912-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name prc.net
object network TGN-POOL
subnet 172.30.20.0 255.255.252.0
access-list ACL-PHONES standard permit 10.0.0.0 255.0.0.0
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
ssh version 2
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
anyconnect-essentials
anyconnect image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
anyconnect enable
group-policy TG-PHONES internal
group-policy TG-PHONES attributes
dns-server value 10.2.2.2 8.8.8.8
vpn-simultaneous-logins 3
vpn-idle-timeout 1440
vpn-session-timeout 14400
vpn-tunnel-protocol ikev1
group-lock value TG-PHONES
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ACL-PHONES
default-domain value prc.net
vlan none
address-pools value TGN_POOL
tunnel-group TG-PHONES type remote-access
tunnel-group TG-PHONES general-attributes
address-pool TGN_POOL
authentication-server-group RADIUS
authentication-server-group (inside) LOCAL
default-group-policy TG-PHONES
tunnel-group TG-PHONES ipsec-attributes
ikev1 pre-shared-key *****
peer-id-validate nocheck
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
==========================
Avaya phone setup:
Authentication type: PSK
IKE ID: TG-PHONES
PSK: xxxxx
IKE Ph1:
IKE ID type: KEY_ID
IKE Exchange Mode: Aggressive
IKE DH Group: 2
IKE Encryption Alg: 3DES
IKE Authentication algor: SHA-1
IKE config mode: enabled
IKE Ph2:
IPsec PFS DH Group: 2
IPSec encryption algor: 3DES
IPsec authentication algor: SHA-1
Protected networks: 10.0.0.0/8
IKE over TCP: Never
============================
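
Added example, not part of the original post: the posted `crypto ikev1 policy` blocks can be compared attribute by attribute with the phone's IKE Ph1 settings. The Python below uses an excerpt of the policies from the config above; the mapping of the phone's settings to ASA keywords (`PHONE`) and the function names are assumptions, and only authentication, encryption, hash and DH group are compared.

```python
import re

# Excerpt of the "crypto ikev1 policy" blocks from the config in the post.
ASA_CONFIG = """\
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
"""
# Phone IKE Ph1 settings from the post, written as ASA keywords (assumed mapping).
PHONE = {"authentication": "pre-share", "encryption": "3des", "hash": "sha", "group": "2"}
ATTRS = ("authentication", "encryption", "hash", "group", "lifetime")

def parse_ikev1_policies(text):
    """Return {priority: {attribute: value}} for each 'crypto ikev1 policy N' block."""
    policies, current = {}, None
    for line in text.splitlines():
        m = re.match(r"crypto ikev1 policy (\d+)\s*$", line.strip())
        key, _, value = line.strip().partition(" ")
        if m:
            current = policies.setdefault(int(m.group(1)), {})
        elif current is not None and key in ATTRS:
            current[key] = value.strip()
        else:
            current = None  # any other line ends the policy block
    return policies

def compare(policies, proposal):
    """Per policy, list the attributes that differ from the peer's proposal."""
    return {prio: [k for k in proposal if attrs.get(k) != proposal[k]]
            for prio, attrs in sorted(policies.items())}

if __name__ == "__main__":
    for prio, diffs in compare(parse_ikev1_policies(ASA_CONFIG), PHONE).items():
        print(prio, "match" if not diffs else "differs on " + ", ".join(diffs))
```
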