08-28-2008 05:13 AM - edited 02-21-2020 03:54 PM
When I try to establish a LAN-to-LAN VPN between an ASA and a Cisco IOS router through a NAT device, the VPN works fine if the router starts the VPN but fails if the ASA starts it.
Router logs give these errors:
*Aug 27 07:11:09.945: ISAKMP:(0:961:SW:1): processing KE payload. message ID = 0
*Aug 27 07:11:09.993: ISAKMP:(0:961:SW:1): processing NONCE payload. message ID = 0
*Aug 27 07:11:10.001: ISAKMP:(0:961:SW:1):found peer pre-shared key matching 85.18.244.76
*Aug 27 07:11:10.001: ISAKMP:(0:961:SW:1):SKEYID state generated
*Aug 27 07:11:10.001: ISAKMP:(0:961:SW:1): processing vendor id payload
*Aug 27 07:11:10.001: ISAKMP:(0:961:SW:1): vendor ID is Unity
*Aug 27 07:11:10.001: ISAKMP:(0:961:SW:1): processing vendor id payload
*Aug 27 07:11:10.001: ISAKMP:(0:961:SW:1): vendor ID seems Unity/DPD but major 132 mismatch
*Aug 27 07:11:10.001: ISAKMP:(0:961:SW:1): vendor ID is XAUTH
*Aug 27 07:11:10.001: ISAKMP:(0:961:SW:1): processing vendor id payload
*Aug 27 07:11:10.001: ISAKMP:(0:961:SW:1): speaking to another IOS box!
*Aug 27 07:11:10.005: ISAKMP:(0:961:SW:1): processing vendor id payload
*Aug 27 07:11:10.005: ISAKMP:(0:961:SW:1):vendor ID seems Unity/DPD but hash mismatch
*Aug 27 07:11:10.005: ISAKMP:received payload type 20
*Aug 27 07:11:10.005: ISAKMP:received payload type 20
*Aug 27 07:11:10.005: ISAKMP (0:134218689): NAT found, the node outside NAT
*Aug 27 07:11:10.005: ISAKMP:(0:961:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Aug 27 07:11:10.005: ISAKMP:(0:961:SW:1):Old State = IKE_R_MM3 New State = IKE_R_MM3
Does anyone have any suggestions?
Thank you
08-28-2008 05:19 AM
STEFANO,
Make sure both IKE policy settings are the same on both devices.
08-28-2008 08:13 AM
Most probably your phase 1 lifetimes are not the same; set both the router and the ASA to the same lifetime value:
crypto isakmp policy
lifetime
Regards
Farrukh
09-01-2008 04:28 AM
There is not enough debug output provided here: you should enable debug cry isa and debug cry ips on both devices, and collect the full debug capture.
09-22-2008 11:01 PM
The problem was in the encryption domain ACL.
We corrected the ACL on the IOS router to match the ASA ACL exactly, and now it works fine.
Many thanks
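The fix reported in this thread, a crypto (encryption domain) ACL on one peer that was not the exact mirror of the other, is easy to get wrong because IOS writes wildcard masks while the ASA writes netmasks. The following script is an added example, not something posted in this thread: it parses a constructed IOS crypto ACL and a constructed ASA crypto ACL (the ACL names, subnets and masks are made up for illustration) and reports every entry whose mirror image is missing on the other peer.

```python
import ipaddress
import re

# Constructed sample crypto ACLs (not from the thread). Only the
# "permit ip <net> <mask> <net> <mask>" form is handled, not host/any.
IOS_ACL = """
access-list 101 permit ip 192.168.10.0 0.0.0.255 10.20.0.0 0.0.255.255
access-list 101 permit ip 192.168.11.0 0.0.0.255 10.20.0.0 0.0.255.255
"""
ASA_ACL = """
access-list L2L extended permit ip 10.20.0.0 255.255.0.0 192.168.10.0 255.255.255.0
access-list L2L extended permit ip 10.20.0.0 255.255.0.0 192.168.12.0 255.255.255.0
"""

IOS_RE = re.compile(r"permit ip (\S+) (\S+) (\S+) (\S+)")
ASA_RE = re.compile(r"extended permit ip (\S+) (\S+) (\S+) (\S+)")

def _wildcard_to_net(addr, wildcard):
    """IOS wildcard masks are inverted netmasks: 0.0.0.255 -> /24."""
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False)

def parse_ios(text):
    """Set of (src, dst) IPv4Network pairs from IOS wildcard-mask ACL lines."""
    return {(_wildcard_to_net(m[1], m[2]), _wildcard_to_net(m[3], m[4]))
            for m in IOS_RE.finditer(text)}

def parse_asa(text):
    """Set of (src, dst) IPv4Network pairs from ASA netmask ACL lines."""
    return {(ipaddress.IPv4Network((m[1], m[2]), strict=False),
             ipaddress.IPv4Network((m[3], m[4]), strict=False))
            for m in ASA_RE.finditer(text)}

def mirror_mismatches(ios_pairs, asa_pairs):
    """Return (ios_unmatched, asa_unmatched): entries on each peer whose
    mirror image (dst, src) is absent on the other peer, each listed in
    its own peer's orientation. Both lists empty means the ACLs mirror."""
    ios_unmatched = {p for p in ios_pairs if (p[1], p[0]) not in asa_pairs}
    asa_unmatched = {p for p in asa_pairs if (p[1], p[0]) not in ios_pairs}
    fmt = lambda pairs: sorted(f"{s} -> {d}" for s, d in pairs)
    return fmt(ios_unmatched), fmt(asa_unmatched)

if __name__ == "__main__":
    ios_only, asa_only = mirror_mismatches(parse_ios(IOS_ACL), parse_asa(ASA_ACL))
    print("IOS entries with no ASA mirror:", ios_only)
    print("ASA entries with no IOS mirror:", asa_only)
```

A tunnel that comes up only when one side initiates is exactly the symptom a one-sided mismatch like this produces: the initiator proposes a proxy ID the responder has no matching entry for.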
09-23-2008 12:47 AM
NP - glad to help