ASA 5510 9.x IOS and Avaya phone vpn issue

endpoint, Level 1

Hello,

Wondering if anyone has some ideas how to solve this problem. I have an ASA 5510 running IOS ver 9.x and an Avaya phone that I need to establish a VPN tunnel with the ASA.

The regular Cisco VPN clients are all working fine.

The error message on the ASA is:

Jul 22 2013 00:02:31: %ASA-7-713906: IP = 193.173.47.132, Connection landed on tunnel_group TG-PHONES
Jul 22 2013 00:02:31: %ASA-7-715047: Group = TG-PHONES, IP = 193.173.47.132, processing IKE SA payload
Jul 22 2013 00:02:35: %ASA-7-713236: IP = 193.173.47.132, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 96
Jul 22 2013 00:02:35: %ASA-7-713906: Group = TG-PHONES, IP = 193.173.47.132, All SA proposals found unacceptable
Jul 22 2013 00:02:35: %ASA-7-713906: IP = 193.173.47.132, All IKE SA proposals found unacceptable!

The error message on the Avaya is:

IKE phase 1 no response

Firewall config related to VPN:

ASA Version 9.0(1)
!
ip local pool TGN_POOL 172.30.20.1-172.30.23.254 mask 255.255.252.0
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 1.1.1.1 255.255.255.248
!
interface Red1
 member-interface Ethernet0/2
 member-interface Ethernet0/3
 nameif inside
 security-level 100
 ip address 10.10.10.10 255.255.255.0
!
!
boot system disk0:/asa912-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name prc.net
object network TGN-POOL
 subnet 172.30.20.0 255.255.252.0
access-list ACL-PHONES standard permit 10.0.0.0 255.0.0.0
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 40
 authentication crack
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 70
 authentication crack
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 100
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 130
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
ssh version 2
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable outside
 anyconnect-essentials
 anyconnect image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
 anyconnect enable
group-policy TG-PHONES internal
group-policy TG-PHONES attributes
 dns-server value 10.2.2.2 8.8.8.8
 vpn-simultaneous-logins 3
 vpn-idle-timeout 1440
 vpn-session-timeout 14400
 vpn-tunnel-protocol ikev1
 group-lock value TG-PHONES
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ACL-PHONES
 default-domain value prc.net
 vlan none
 address-pools value TGN_POOL
tunnel-group TG-PHONES type remote-access
tunnel-group TG-PHONES general-attributes
 address-pool TGN_POOL
 authentication-server-group RADIUS
 authentication-server-group (inside) LOCAL
 default-group-policy TG-PHONES
tunnel-group TG-PHONES ipsec-attributes
 ikev1 pre-shared-key *****
 peer-id-validate nocheck
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!

==========================

Avaya phone setup:

Authentication type: PSK
IKE ID: TG-PHONES
PSK: xxxxx

IKE Ph1:
    IKE ID type: KEY_ID
    IKE Exchange Mode: Aggressive
    IKE DH Group: 2
    IKE Encryption Alg: 3DES
    IKE Authentication Algorithm: SHA-1
    IKE config mode: enabled

IKE Ph2:
    IPsec PFS DH Group: 2
    IPsec Encryption Algorithm: 3DES
    IPsec Authentication Algorithm: SHA-1
    Protected networks: 10.0.0.0/8

IKE over TCP: Never

============================
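The ASA line `%ASA-7-713906 ... All IKE SA proposals found unacceptable` is logged when none of the configured `crypto ikev1 policy` entries accepts the phase-1 SA proposal the initiator sent. As an added example, not code from the original post, the Python below models that comparison: it parses the `crypto ikev1 policy` blocks out of a constructed excerpt of the posted config and walks them, lowest policy number first, against a proposal built from the Avaya phone's menu values in the post. The matching rule used (authentication, encryption, hash and DH group must be equal; the initiator's lifetime must not exceed the policy's) is the one Cisco documents for IKE policy negotiation. Three things are assumptions because the post does not show them: the lifetime the phone proposes, the values the ASA substitutes for attributes a policy leaves unset, and the treatment of the XAUTH flavour of pre-shared-key authentication that a config-mode client sends as `pre-share`. The "MD5" menu label exists only to exercise a hash mismatch.

```python
# Added example, not code from the original post: a model of how a Cisco ASA
# walks its `crypto ikev1 policy` list (lowest number first) looking for one
# that accepts the initiator's IKE phase-1 proposal.
import re
from dataclasses import dataclass

# Constructed excerpt of the posted config in show-run layout (sub-commands
# indented one space).
CONFIG_EXCERPT = """\
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
"""

# Values substituted for attributes a policy leaves unset (assumption).
IKEV1_DEFAULTS = {"authentication": "pre-share", "encryption": "3des",
                  "hash": "sha", "group": 2, "lifetime": 86400}
# Avaya menu labels from the post mapped to ASA keywords; "MD5" is an assumed
# label included only so a hash mismatch can be exercised.
AVAYA_TO_ASA = {"PSK": "pre-share", "3DES": "3des", "SHA-1": "sha", "MD5": "md5"}

# One policy header plus its indented sub-command lines.
POLICY_BLOCK = re.compile(r"^crypto ikev1 policy (\d+)\n((?: [^\n]*\n?)*)", re.M)


@dataclass(frozen=True)
class Ikev1Params:
    authentication: str
    encryption: str
    hash: str
    group: int
    lifetime: int
    priority: int = 0  # ASA policy number; unused on a proposal


def parse_ikev1_policies(config: str) -> list:
    """Collect every ikev1 policy block, filling unset attributes with defaults."""
    policies = []
    for block in POLICY_BLOCK.finditer(config):
        attrs = dict(IKEV1_DEFAULTS, priority=int(block.group(1)))
        for line in block.group(2).splitlines():
            key, _, value = line.strip().partition(" ")
            if key in ("authentication", "encryption", "hash"):
                attrs[key] = value
            elif key in ("group", "lifetime"):
                attrs[key] = int(value)
        policies.append(Ikev1Params(**attrs))
    return sorted(policies, key=lambda p: p.priority)


def proposal_from_avaya_menu(auth_type, encryption, auth_alg, dh_group, lifetime):
    """Build the proposal from the phone's menu values. A config-mode client sends
    the XAUTH flavour of pre-shared-key auth, folded into `pre-share` here; the
    phone's menu shows no lifetime, so the caller supplies one (assumption)."""
    return Ikev1Params(AVAYA_TO_ASA[auth_type], AVAYA_TO_ASA[encryption],
                       AVAYA_TO_ASA[auth_alg], dh_group, lifetime)


def select_policy(policies, proposal):
    """Return (policy, []) for the first acceptable policy, else (None, reasons)
    with reasons = [(priority, [mismatched attributes]), ...] for every policy.
    Rule: auth, encryption, hash, group equal; proposal lifetime <= policy's."""
    reasons = []
    for pol in policies:
        bad = [a for a in ("authentication", "encryption", "hash", "group")
               if getattr(pol, a) != getattr(proposal, a)]
        if proposal.lifetime > pol.lifetime:
            bad.append("lifetime")
        if not bad:
            return pol, []
        reasons.append((pol.priority, bad))
    return None, reasons


if __name__ == "__main__":
    pols = parse_ikev1_policies(CONFIG_EXCERPT)
    for life in (86400, 100000):  # phone as posted (lifetime assumed), then too long
        chosen, why = select_policy(pols, proposal_from_avaya_menu("PSK", "3DES", "SHA-1", 2, life))
        if chosen:
            print(f"lifetime {life}: accepted by policy {chosen.priority}")
        else:
            print(f"lifetime {life}: all IKE SA proposals found unacceptable")
            for prio, attrs in why:
                print(f"  policy {prio} rejects on: {', '.join(attrs)}")
```

With the values the phone's menu displays, policy 1 accepts the proposal, so the displayed settings alone do not reproduce the rejection; the model only shows how an attribute the menu does not expose (lifetime, or the authentication method actually sent) would make every policy fail. The attribute values the phone really sends are visible in the ASA's `debug crypto ikev1 127` output, and feeding those into `select_policy` lists, per policy, the attribute it fails on.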
