ASA L2L VPN problem

adapozzo79
Level 1

hi all,

I have two ASAs:

Cisco Adaptive Security Appliance Software Version 8.4(4)1

Cisco Adaptive Security Appliance Software Version 8.2(2)16

I don't understand why but I can't create the L2L vpn between the two devices.

Logging shows the following errors:

Mar 27 12:40:33 [IKEv1 DEBUG]IP = yyy.yyy.yyy.yyy, IKE SA Proposal # 1, Transform # 4 acceptable  Matches global IKE entry # 1
Mar 28 2013 10:48:23: %ASA-5-713119: Group = yyy.yyy.yyy.yyy, IP = yyy.yyy.yyy.yyy, PHASE 1 COMPLETED
Mar 28 2013 10:48:23: %ASA-5-713904: Group = yyy.yyy.yyy.yyy, IP = yyy.yyy.yyy.yyy, All IPSec SA proposals found unacceptable!
Mar 28 2013 10:48:23: %ASA-3-713902: Group = yyy.yyy.yyy.yyy, IP = yyy.yyy.yyy.yyy, QM FSM error (P2 struct &0xade5b020, mess id 0x5b5ac87e)!
Mar 28 2013 10:48:23: %ASA-3-713902: Group = yyy.yyy.yyy.yyy, IP = yyy.yyy.yyy.yyy, Removing peer from correlator table failed, no match!
Mar 28 2013 10:48:23: %ASA-5-713259: Group = yyy.yyy.yyy.yyy, IP = yyy.yyy.yyy.yyy, Session is being torn down. Reason: Phase 2 Mismatch
Mar 28 2013 10:48:23: %ASA-4-113019: Group = yyy.yyy.yyy.yyy, Username = yyy.yyy.yyy.yyy, IP = yyy.yyy.yyy.yyy, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes ry: 0, Reason: Phase 2 Mismatch
Mar 28 2013 10:48:23: %ASA-5-713904: IP = yyy.yyy.yyy.yyy, Received encrypted packet with no matching SA, dropping
e:  Mismatched attribute types for class Group Description:  Ry'd: Group 5  Cfg'd: Group 2

Phase 2 seems correctly configured, but I don't understand why I get the error shown above.

Below is the configuration on both devices:

Cisco Adaptive Security Appliance Software Version 8.4(4)1

access-list VPN_y extended permit ip yyy.yyy.yyy.yyy 255.255.255.192 xxx.xxx.xxx.xxx 255.255.255.0
crypto ipsec ikev1 transform-set ESP-AES-256 esp-aes-256 esp-sha-hmac
crypto map outside_map 10 match address VPN_y
crypto map outside_map 10 set pfs
crypto map outside_map 10 set peer yyy.yyy.yyy.yyy
crypto map outside_map 10 set ikev1 transform-set ESP-AES-256
crypto map outside_map 10 set security-association lifetime seconds 84600
tunnel-group yyy.yyy.yyy.yyy type ipsec-l2l
tunnel-group yyy.yyy.yyy.yyy ipsec-attributes
 ikev1 pre-shared-key *****
crypto isakmp identity address
crypto ikev1 enable outside-3
crypto ikev1 policy 4  ---------> MATCH
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication pre-share
 encryption aes-256
 hash md5
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 70
 authentication pre-share
 encryption 3des
 hash sha
 group 5
 lifetime 86400
crypto ikev1 policy 80
 authentication pre-share
 encryption des
 hash md5
 group 1
 lifetime 86400
crypto ikev1 policy 90
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto ikev1 policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

Cisco Adaptive Security Appliance Software Version 8.2(2)16

access-list VPN_X extended permit ip yyy.yyy.yyy.yyy 255.255.255.192 xxx.xxx.xxx.xxx 255.255.255.0
crypto ipsec transform-set ESP-AES-256 esp-aes-256 esp-sha-hmac
crypto map outside_map 70 match address VPN_x
crypto map outside_map 70 set pfs
crypto map outside_map 70 set peer xxx.xxx.xxx.xxx
crypto map outside_map 70 set transform-set ESP-AES-256
crypto map outside_map 70 set security-association lifetime seconds 84600
tunnel-group xxx.xxx.xxx.xxx type ipsec-l2l
tunnel-group xxx.xxx.xxx.xxx ipsec-attributes
 pre-shared-key **
crypto isakmp enable Internet
crypto isakmp policy 4
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 5
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 8
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 10 ----------> MATCH
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption aes-256
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 28800
crypto isakmp policy 40
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 28800
crypto isakmp policy 50
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 70
 authentication pre-share
 encryption 3des
 hash sha
 group 5
 lifetime 86400
crypto isakmp policy 80
 authentication pre-share
 encryption des
 hash md5
 group 1
 lifetime 86400
crypto isakmp policy 90
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 100
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 3600
crypto isakmp policy 110
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 1440
crypto isakmp policy 130
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 140
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 1440
crypto isakmp policy 160
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto isakmp policy 170
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 2880

Please let me know how I can solve this issue.

Thanks
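The log excerpt above already tells most of the story: phase 1 completes (713119), then every IPsec proposal is rejected (713904), the session is torn down with "Phase 2 Mismatch", and a debug line reports what the peer offered versus what is configured locally. The following Python script is an added example (not part of this thread) that triages such lines automatically: it counts message IDs, records teardown reasons, and pulls the received/configured attribute pair out of the mismatch line. The sample lines are constructed for the example and modeled on the output posted above with placeholder peer addresses; the "Rcv'd/Cfg'd" spelling of the mismatch line is assumed from the standard ASA message, and the regex also accepts the shortened form seen in the post.

```python
import re
from collections import Counter

# Constructed sample lines, modeled on the syslog/debug output in the thread.
SAMPLE_LOG = """\
Mar 28 2013 10:48:23: %ASA-5-713119: Group = yyy.yyy.yyy.yyy, IP = yyy.yyy.yyy.yyy, PHASE 1 COMPLETED
Mar 28 2013 10:48:23: %ASA-5-713904: Group = yyy.yyy.yyy.yyy, IP = yyy.yyy.yyy.yyy, All IPSec SA proposals found unacceptable!
Mar 28 2013 10:48:23: %ASA-3-713902: Group = yyy.yyy.yyy.yyy, IP = yyy.yyy.yyy.yyy, QM FSM error (P2 struct &0xade5b020, mess id 0x5b5ac87e)!
Mar 28 2013 10:48:23: %ASA-5-713259: Group = yyy.yyy.yyy.yyy, IP = yyy.yyy.yyy.yyy, Session is being torn down. Reason: Phase 2 Mismatch
Mar 28 2013 10:48:23: %ASA-4-113019: Group = yyy.yyy.yyy.yyy, Username = yyy.yyy.yyy.yyy, IP = yyy.yyy.yyy.yyy, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch
Mar 28 2013 10:48:23: %ASA-5-713904: IP = yyy.yyy.yyy.yyy, Received encrypted packet with no matching SA, dropping
Mar 28 2013 10:48:23 [IKEv1 DEBUG]IP = yyy.yyy.yyy.yyy, Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
"""

# %ASA-<severity>-<6-digit message id>: <text>
MSG_ID_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<id>\d{6}): (?P<text>.*)$")
# "Reason: ..." is the last field of the teardown and disconnect messages.
REASON_RE = re.compile(r"Reason: (?P<reason>[^,]+?)\s*$")
# Debug line naming the attribute class the peer and the local config disagree on.
# "R\w*'d" matches both "Rcv'd" and the shortened form that appears in the post.
MISMATCH_RE = re.compile(
    r"Mismatched attribute types for class (?P<cls>[^:]+):\s+"
    r"R\w*'d: (?P<rcvd>.+?)\s+Cfg'd: (?P<cfgd>.+?)\s*$"
)
PEER_RE = re.compile(r"IP = (?P<ip>[\w.:]+)")


def triage_ikev1_log(text):
    """Summarise one IKEv1 negotiation from a block of ASA syslog/debug lines."""
    summary = {
        "peer": None,
        "phase1_complete": False,
        "phase2_failed": False,
        "teardown_reasons": [],
        "mismatches": [],          # (attribute class, received, configured)
        "msg_ids": Counter(),      # how often each %ASA message id appeared
    }
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = PEER_RE.search(line)
        if m and summary["peer"] is None:
            summary["peer"] = m.group("ip")
        m = MSG_ID_RE.search(line)
        if m:
            summary["msg_ids"][m.group("id")] += 1
            body = m.group("text")
        else:
            body = line            # debug lines carry no %ASA message id
        if "PHASE 1 COMPLETED" in body:
            summary["phase1_complete"] = True
        if "All IPSec SA proposals found unacceptable" in body:
            summary["phase2_failed"] = True
        m = REASON_RE.search(body)
        if m:
            summary["teardown_reasons"].append(m.group("reason"))
        m = MISMATCH_RE.search(body)
        if m:
            summary["mismatches"].append(
                (m.group("cls").strip(), m.group("rcvd"), m.group("cfgd")))
    return summary


def diagnose(summary):
    """Turn the summary into a one-line verdict pointing at the right config area."""
    if not summary["phase1_complete"]:
        return "phase 1 never completed: check IKE policies and pre-shared key"
    if summary["phase2_failed"] or "Phase 2 Mismatch" in summary["teardown_reasons"]:
        detail = "; ".join(f"{c}: peer sent {r}, local expects {g}"
                           for c, r, g in summary["mismatches"])
        verdict = "phase 2 mismatch: compare crypto ACLs, transform sets and PFS group"
        return verdict + (f" ({detail})" if detail else "")
    return "no failure seen in these lines"


if __name__ == "__main__":
    s = triage_ikev1_log(SAMPLE_LOG)
    print(f"peer={s['peer']} ids={dict(s['msg_ids'])}")
    print(diagnose(s))
```

Feeding the real debug output to `triage_ikev1_log` separates the two questions the replies below keep apart: whether phase 1 completed at all, and, if it did, which phase 2 attribute the two boxes disagree on.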

4 Replies

Marcin Latosiewicz
Cisco Employee

Andrea,

Post full debugs please; it looks like you're having a problem at phase 2 establishment, not phase 1.

BTW, your access lists are not mirrored:

Site 1

access-list VPN_y extended permit ip yyy.yyy.yyy.yyy 255.255.255.192 xxx.xxx.xxx.xxx 255.255.255.0

Site 2:

access-list VPN_X extended permit ip yyy.yyy.yyy.yyy 255.255.255.192 xxx.xxx.xxx.xxx 255.255.255.0

M.

Hi Marcin,

thanks for the reply; attached you can find a complete debug session.

silla
Level 1

You are referencing the acl VPN_x in the crypto map, which doesn't exist, you have defined VPN_X.

Best regards,

Silla

Hi,

The problem lies in phase 2, and based on the configuration I can see that the ACL for the crypto map is not matching. Remember that the ACLs should be mirrors of each other, so let me use this example.

site A:

access-list VPN_y extended permit ip 1.1.1.x 255.255.255.192 2.2.2.0 255.255.255.0

site B:

access-list VPN_y extended permit ip 2.2.2.0 255.255.255.0 1.1.1.x 255.255.255.192

So in your case, on site B you have to reverse the ACL that you have in place, and then try again.
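The two findings in this thread (Marcin's and this reply: the crypto ACLs must be exact mirrors; silla's: the crypto map references `VPN_x` while the ACL is defined as `VPN_X`) are both mechanical checks that can be run on the two configurations before bringing the tunnel up. The script below is an added example, not code from the thread or from Cisco: it parses `access-list ... extended permit ip` lines and `crypto map ... match address` lines from each side, flags references to ACLs that are not defined (with a case-only hint, since ASA ACL names are case-sensitive), and reports every entry that has no mirrored counterpart on the other side. The site configurations are constructed with documentation prefixes and modeled on the ones posted above; real configs from `show running-config` can be pasted in their place.

```python
import re
from ipaddress import IPv4Network

# One ACE of the form the thread uses:
#   access-list NAME extended permit ip SRC SRCMASK DST DSTMASK
ACL_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+extended\s+(?P<action>permit|deny)\s+ip\s+"
    r"(?P<src>\S+)\s+(?P<smask>\S+)\s+(?P<dst>\S+)\s+(?P<dmask>\S+)\s*$"
)
MATCH_RE = re.compile(
    r"^crypto map\s+(?P<map>\S+)\s+(?P<seq>\d+)\s+match address\s+(?P<acl>\S+)\s*$"
)

# Constructed sample configs (documentation prefixes), modeled on the thread.
SITE_A = """
access-list VPN_y extended permit ip 192.0.2.0 255.255.255.192 198.51.100.0 255.255.255.0
crypto map outside_map 10 match address VPN_y
"""
# As posted: same direction as site A, and the map references a name that differs only in case.
SITE_B_BROKEN = """
access-list VPN_X extended permit ip 192.0.2.0 255.255.255.192 198.51.100.0 255.255.255.0
crypto map outside_map 70 match address VPN_x
"""
# Name fixed, but still not reversed.
SITE_B_SAME_DIRECTION = """
access-list VPN_x extended permit ip 192.0.2.0 255.255.255.192 198.51.100.0 255.255.255.0
crypto map outside_map 70 match address VPN_x
"""
# Name fixed and source/destination reversed, as the reply above recommends.
SITE_B_FIXED = """
access-list VPN_x extended permit ip 198.51.100.0 255.255.255.0 192.0.2.0 255.255.255.192
crypto map outside_map 70 match address VPN_x
"""


def parse_side(config):
    """Return ({acl_name: [(action, src_net, dst_net)]}, [(map, seq, acl_name)])."""
    acls, refs = {}, []
    for line in config.splitlines():
        line = line.strip()
        m = ACL_RE.match(line)
        if m:
            # ipaddress accepts "network/dotted-netmask"; strict=False tolerates host bits.
            src = IPv4Network(f"{m['src']}/{m['smask']}", strict=False)
            dst = IPv4Network(f"{m['dst']}/{m['dmask']}", strict=False)
            acls.setdefault(m["name"], []).append((m["action"], src, dst))
            continue
        m = MATCH_RE.match(line)
        if m:
            refs.append((m["map"], int(m["seq"]), m["acl"]))
    return acls, refs


def check_mirrored(local_cfg, remote_cfg):
    """List every reason the two crypto ACL sets would not agree on phase 2 proxy IDs."""
    findings = []

    def resolve(acls, refs, side):
        entries = []
        for cmap, seq, name in refs:
            if name in acls:
                entries.extend(acls[name])
                continue
            hint = ""
            for cand in acls:
                if cand.lower() == name.lower():
                    hint = f" (did you mean {cand}? ACL names are case-sensitive)"
            findings.append(
                f"{side}: crypto map {cmap} {seq} references undefined ACL {name}{hint}")
        return entries

    l_acls, l_refs = parse_side(local_cfg)
    r_acls, r_refs = parse_side(remote_cfg)
    local = set(resolve(l_acls, l_refs, "local"))
    # The mirror of a remote (action, src, dst) entry is (action, dst, src).
    remote_mirrored = {(a, d, s) for a, s, d in resolve(r_acls, r_refs, "remote")}
    for a, s, d in sorted(local - remote_mirrored, key=str):
        findings.append(f"local entry has no mirror on remote: {a} {s} -> {d}")
    for a, s, d in sorted(remote_mirrored - local, key=str):
        findings.append(f"remote entry has no mirror on local: {a} {d} -> {s}")
    return findings


if __name__ == "__main__":
    for label, cfg in [("broken", SITE_B_BROKEN), ("same direction", SITE_B_SAME_DIRECTION),
                       ("fixed", SITE_B_FIXED)]:
        print(label, check_mirrored(SITE_A, cfg) or "OK")
```

The comparison is done on parsed networks rather than on raw strings, so `255.255.255.192` on one side and an equivalent prefix length on the other still match; only a real difference in the protected networks, or a reference to an ACL that does not exist, produces a finding.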