06-22-2009 02:49 AM
Trying to establish VPN between two ASA5520
Got stuck at
ciscoasa# sh crypto isa sa
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 10.254.17.9
Type : user Role : initiator
Rekey : no State : MM_WAIT_MSG2
Looks like IKE phase 2 does not go through.
Config1:
access-list 110 extended permit ip any any
route outside 0.0.0.0 0.0.0.0 10.254.17.9 1
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map mymap 10 match address 110
crypto map mymap 10 set peer 10.254.17.9
crypto map mymap 10 set transform-set myset
crypto map mymap interface outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
tunnel-group 10.254.17.9 type ipsec-l2l
tunnel-group 10.254.17.9 ipsec-attributes
pre-shared-key *
Config2:
access-list 110 extended permit ip any any
route outside 0.0.0.0 0.0.0.0 10.254.17.10 1
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map mymap 10 match address 110
crypto map mymap 10 set peer 10.254.17.10
crypto map mymap 10 set transform-set myset
crypto map mymap interface outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
tunnel-group 10.254.17.10 type ipsec-l2l
tunnel-group 10.254.17.10 ipsec-attributes
pre-shared-key *
I would appreciate any help.
06-22-2009 06:18 AM
You need "crypto isakmp enable outside" on the ASAs.
06-22-2009 06:42 AM
After I enabled isakmp on the outside interface, I get the following errors in the debug messages:
Jun 22 07:06:27 [IKEv1 DEBUG]: IP = 10.254.17.9, All SA proposals found unacceptable
Jun 22 07:06:27 [IKEv1]: IP = 10.254.17.9, Error processing payload: Payload ID: 1
Jun 22 07:06:27 [IKEv1 DEBUG]: IP = 10.254.17.9, IKE MM Initiator FSM error history (struct &0xc958f6c0)
V_PROCESS_MSG-->MM_WAIT_MSG2, EV_RCV_MSG-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_BLD_MSG1, EV_BLD_MSG1-->MM_BLD_MSG1, EV_CREATE_TMR
Jun 22 07:06:27 [IKEv1 DEBUG]: IP = 10.254.17.9, IKE SA MM:64292783 terminating: flags 0x01000022, refcnt 0, tuncnt 0
Jun 22 07:06:27 [IKEv1 DEBUG]: IP = 10.254.17.9, sending delete/delete with reason message
Jun 22 07:06:27 [IKEv1]: IP = 10.254.17.9, Removing peer from peer table failed, no match!
Jun 22 07:06:27 [IKEv1]: IP = 10.254.17.9, Error: Unable to remove PeerTblEntry
Jun 22 07:06:51 [IKEv1]: IP = 10.254.17.9, Invalid packet detected!
06-22-2009 06:46 AM
Make sure crypto isakmp enable outside is on both ASAs.
06-22-2009 06:59 AM
It is enabled on both ASAs.
What bothers me is this message:
Jun 22 07:53:44 [IKEv1 DEBUG]: IP = 10.254.17.9, All SA proposals found unacceptable
Jun 22 07:53:44 [IKEv1]: IP = 10.254.17.9, Error processing payload: Payload ID:1
Jun 22 07:54:16 [IKEv1]: IP = 10.254.17.9, Invalid packet detected!
06-22-2009 07:04 AM
Please can you post the entire debugs from both ASAs:
debug crypto isakmp 127
debug crypto ipsec 127
Attach the debug as text files.
Also, please change your IPSec crypto ACL (acl 110) to only include the internal subnets, and not any any.
06-22-2009 07:29 AM
06-22-2009 07:33 AM
We would need to see the debugs from the other side. This debug says that we sent a packet to the ASA, but never got a response back.
06-22-2009 07:39 AM
I will be able to do it tomorrow. Thank you for your help!
06-22-2009 08:28 PM
06-22-2009 11:50 PM
The issue is solved now. It is weird: I used 3des instead of des and the config worked just fine. Thank you
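As an added example (not from this thread and not Cisco code), the script below runs the checks the replies above ask for against two constructed ASA configs modelled on the posted config1 and config2: whether "crypto isakmp enable" is present on the interface the crypto map is bound to, whether each side's peer and tunnel-group point at the other side, whether the two sides share at least one ISAKMP policy (the condition behind "All SA proposals found unacceptable" in main mode) and at least one transform-set, and whether the crypto ACL is "any any". It also flags DES, MD5 and DH group 2 as weak, which is the caveat a practitioner would add to the des/3des resolution. The outside addresses 10.254.17.10 and 10.254.17.9 are assumptions taken from the peer statements; the parser, the function names and the trimmed configs are all constructed for this example.

```python
"""Static sanity check of two Cisco ASA IKEv1 site-to-site configs.

Constructed example for this thread, not Cisco code. Only the commands the
checks look at are kept from the posted config1/config2, and the outside
addresses are assumed to be the addresses the other side points at.
"""
from collections import defaultdict

POLICY_ATTRS = ("authentication", "encryption", "hash", "group", "lifetime")

# Constructed from the thread's config1 (side A, outside 10.254.17.10 assumed).
CONFIG_A = """\
access-list 110 extended permit ip any any
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map mymap 10 match address 110
crypto map mymap 10 set peer 10.254.17.9
crypto map mymap 10 set transform-set myset
crypto map mymap interface outside
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
tunnel-group 10.254.17.9 type ipsec-l2l
"""
# Mirror image for side B (config2): peer and tunnel-group point at 10.254.17.10.
CONFIG_B = CONFIG_A.replace("10.254.17.9", "10.254.17.10")


def parse_asa_config(text):
    """Pull the crypto-relevant commands out of running-config text."""
    cfg = {"isakmp_if": set(), "policies": {}, "transform_sets": {},
           "maps": defaultdict(dict), "map_if": {}, "acls": defaultdict(list),
           "tunnel_groups": set()}
    policy = None
    for raw in text.splitlines():
        w = raw.split()
        if not w:
            continue
        if policy is not None and w[0] in POLICY_ATTRS:
            policy[w[0]] = w[1]          # attribute line of the current isakmp policy
            continue
        policy = None                    # any other command ends the policy block
        if raw.startswith("crypto isakmp enable "):
            cfg["isakmp_if"].add(w[3])
        elif raw.startswith("crypto isakmp policy "):
            policy = cfg["policies"].setdefault(w[3], {})
        elif raw.startswith("crypto ipsec transform-set "):
            cfg["transform_sets"][w[3]] = tuple(w[4:])
        elif raw.startswith("crypto map ") and w[3] == "interface":
            cfg["map_if"][w[2]] = w[4]
        elif raw.startswith("crypto map "):
            entry = cfg["maps"][(w[2], w[3])]   # keyed by (map name, sequence)
            if w[4:6] == ["match", "address"]:
                entry["acl"] = w[6]
            elif w[4:6] == ["set", "peer"]:
                entry["peer"] = w[6]
            elif w[4:6] == ["set", "transform-set"]:
                entry["transform"] = w[6]
        elif raw.startswith("access-list "):
            cfg["acls"][w[1]].append(" ".join(w[2:]))
        elif raw.startswith("tunnel-group ") and w[2:4] == ["type", "ipsec-l2l"]:
            cfg["tunnel_groups"].add(w[1])
    return cfg


def check_side(name, cfg, other_side_ip):
    """Findings for one ASA; other_side_ip is the address its peer should be."""
    f = []
    for map_name, iface in cfg["map_if"].items():
        if iface not in cfg["isakmp_if"]:
            f.append(f"{name}: 'crypto isakmp enable {iface}' missing for crypto map {map_name}")
    for (map_name, seq), e in cfg["maps"].items():
        if e.get("peer") != other_side_ip:
            f.append(f"{name}: crypto map {map_name} {seq} peer is {e.get('peer')}, expected {other_side_ip}")
        if e.get("peer") not in cfg["tunnel_groups"]:
            f.append(f"{name}: no 'tunnel-group {e.get('peer')} type ipsec-l2l'")
        if any("any any" in ace for ace in cfg["acls"].get(e.get("acl"), [])):
            f.append(f"{name}: crypto ACL {e.get('acl')} is 'any any'; list the internal subnets instead")
    for seq, p in cfg["policies"].items():
        if p.get("encryption") == "des" or p.get("hash") == "md5" or p.get("group") in ("1", "2"):
            f.append(f"{name}: isakmp policy {seq} uses weak algorithms "
                     f"({p.get('encryption')}/{p.get('hash')}/group {p.get('group')})")
    return f


def check_pair(cfg_a, cfg_b, ip_a, ip_b):
    """Cross-check both sides; ip_a/ip_b are the assumed outside addresses."""
    f = check_side("A", cfg_a, ip_b) + check_side("B", cfg_b, ip_a)
    # Phase 1 needs one policy equal in auth/encryption/hash/group; lifetime may differ.
    pa = {tuple(p.get(k) for k in POLICY_ATTRS[:4]) for p in cfg_a["policies"].values()}
    pb = {tuple(p.get(k) for k in POLICY_ATTRS[:4]) for p in cfg_b["policies"].values()}
    if not pa & pb:
        f.append("phase 1: no isakmp policy common to both sides "
                 "(debug shows 'All SA proposals found unacceptable')")
    ta = {cfg_a["transform_sets"].get(e.get("transform")) for e in cfg_a["maps"].values()} - {None}
    tb = {cfg_b["transform_sets"].get(e.get("transform")) for e in cfg_b["maps"].values()} - {None}
    if not ta & tb:
        f.append("phase 2: no transform-set common to both sides")
    return f


if __name__ == "__main__":
    for line in check_pair(parse_asa_config(CONFIG_A), parse_asa_config(CONFIG_B),
                           "10.254.17.10", "10.254.17.9"):
        print(line)
```

Run as-is it reports the missing "crypto isakmp enable outside" on both sides (the first reply's fix), the "any any" crypto ACLs, and the weak des/md5/group 2 policy; appending the enable line to both configs clears the first finding, and changing only one side to 3des produces the phase 1 mismatch finding.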
06-22-2009 06:23 AM
Check this troubleshooting guide-
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml
06-22-2009 07:00 AM
Unfortunately, it didn't help.