11-24-2015 07:48 AM
I have a site-to-site tunnel up between two locations (non-ASA initiator, ASA responder). The tunnel will come up but not stay up. I'm 95% sure I have an issue in my crypto maps but I'm at a loss. The initiator's configuration is mostly hard coded.
For what I've posted below, 2.2.2.2 is a dummy address for the initiator. See "figure".
192.168.54.0/23 - 1.1.1.1 ------------ 2.2.2.2 - 10.24.16.0/28
Here are the more interesting parts of the config.
crypto ipsec security-association replay disable
crypto ipsec security-association pmtu-aging infinite
crypto map Internet_map 1 match address Internet_cryptomap_14
crypto map Internet_map 1 set pfs group5
crypto map Internet_map 1 set peer 2.2.2.2
crypto map Internet_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Internet_map interface Internet
crypto ca trustpool policy
crypto ikev1 enable Internet
crypto ikev1 policy 30
authentication pre-share
no arp permit-nonconnected
nat (Internet,Lab) source static DM_INLINE_NETWORK_4 DM_INLINE_NETWORK_4 destination static interface JUMPHOST service RDP-to-JH RDP-real description RDP to Terminal Server
nat (any,Lab) source static local-network local-network destination static LABTS LABTS service HTTPS HTTPS net-to-net
nat (Lab,Internet) source dynamic any interface description Lab computers share firewall's Internet address.
nat (Lab,Internet) source static any any destination static NETWORK_OBJ_192.168.56.0_24 NETWORK_OBJ_192.168.56.0_24
nat (Lab,Internet) source static local-network local-network destination static remote-network remote-network no-proxy-arp route-lookup
access-list Lab_access_in extended permit ip object local-network object remote-network
access-list Internet_cryptomap extended permit ip any4 object remote-network
access-list Internet_cryptomap_1 extended permit ip any4 object remote-network
access-list Internet_cryptomap_2 extended permit ip object local-network object remote-network
access-list Internet_cryptomap_3 extended permit ip object local-network object remote-network
access-list Internet_cryptomap_4 extended permit ip object local-network object remote-network
access-list Internet_cryptomap_5 extended permit ip any4 any4
access-list Internet_cryptomap_65535.65535 extended permit ip object IP-for-RDP-PAT any4
access-list Internet_cryptomap_6 extended permit ip any4 object remote-network
access-list Internet_cryptomap_7 extended permit ip object local-network object remote-network
access-list Internet_cryptomap_65535.65535_1 extended permit ip any4 any4 inactive
access-list Lab_cryptomap_65535.65535 extended permit ip any4 any4 inactive
access-list Internet_cryptomap_9 extended permit ip object local-network object remote-network
access-list Internet_cryptomap_8 extended permit ip object local-network any4
access-list Internet_cryptomap_10 extended permit ip any4 object remote-network
access-list Internet_cryptomap_11 extended permit ip object local-network object remote-network
access-list Lab_cryptomap_1 extended permit ip object remote-network object local-network
access-list Internet_cryptomap_12 extended permit ip any any
access-list Internet_cryptomap_13 extended permit ip object local-network object remote-network
access-list Internet_cryptomap_14 extended permit ip object local-network object remote-network
Here's the output of "debug crypto isakmp 127".
Nov 24 08:41:54 [IKEv1]IP = 2.2.2.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 204
Nov 24 08:41:54 [IKEv1 DEBUG]IP = 2.2.2.2, processing SA payload
Nov 24 08:41:54 [IKEv1 DEBUG]IP = 2.2.2.2, Oakley proposal is acceptable
Nov 24 08:41:54 [IKEv1 DEBUG]IP = 2.2.2.2, processing VID payload
Nov 24 08:41:54 [IKEv1 DEBUG]IP = 2.2.2.2, processing VID payload
Nov 24 08:41:54 [IKEv1 DEBUG]IP = 2.2.2.2, Received xauth V6 VID
Nov 24 08:41:54 [IKEv1 DEBUG]IP = 2.2.2.2, processing VID payload
Nov 24 08:41:54 [IKEv1 DEBUG]IP = 2.2.2.2, Received DPD VID
Nov 24 08:41:54 [IKEv1 DEBUG]IP = 2.2.2.2, processing IKE SA payload
Nov 24 08:41:54 [IKEv1 DEBUG]IP = 2.2.2.2, IKE SA Proposal # 1, Transform # 0 acceptable Matches global IKE entry # 4
Nov 24 08:41:54 [IKEv1 DEBUG]IP = 2.2.2.2, constructing ISAKMP SA payload
Nov 24 08:41:54 [IKEv1 DEBUG]IP = 2.2.2.2, constructing Fragmentation VID + extended capabilities payload
Nov 24 08:41:54 [IKEv1]IP = 2.2.2.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
Nov 24 08:41:54 [IKEv1]IP = 2.2.2.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NONE (0) total length : 244
Nov 24 08:41:54 [IKEv1 DEBUG]IP = 2.2.2.2, processing ke payload
Nov 24 08:41:54 [IKEv1 DEBUG]IP = 2.2.2.2, processing ISA_KE payload
Nov 24 08:41:54 [IKEv1 DEBUG]IP = 2.2.2.2, processing nonce payload
Nov 24 08:41:54 [IKEv1 DEBUG]IP = 2.2.2.2, constructing ke payload
Nov 24 08:41:54 [IKEv1 DEBUG]IP = 2.2.2.2, constructing nonce payload
Nov 24 08:41:54 [IKEv1 DEBUG]IP = 2.2.2.2, constructing Cisco Unity VID payload
Nov 24 08:41:54 [IKEv1 DEBUG]IP = 2.2.2.2, constructing xauth V6 VID payload
Nov 24 08:41:54 [IKEv1 DEBUG]IP = 2.2.2.2, Send IOS VID
Nov 24 08:41:54 [IKEv1 DEBUG]IP = 2.2.2.2, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Nov 24 08:41:54 [IKEv1 DEBUG]IP = 2.2.2.2, constructing VID payload
Nov 24 08:41:54 [IKEv1 DEBUG]IP = 2.2.2.2, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Nov 24 08:41:54 [IKEv1]IP = 2.2.2.2, Connection landed on tunnel_group 2.2.2.2
Nov 24 08:41:54 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, Generating keys for Responder...
Nov 24 08:41:54 [IKEv1]IP = 2.2.2.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 320
Nov 24 08:41:55 [IKEv1]IP = 2.2.2.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 64
Nov 24 08:41:55 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, processing ID payload
Nov 24 08:41:55 [IKEv1 DECODE]Group = 2.2.2.2, IP = 2.2.2.2, ID_IPV4_ADDR ID received
2.2.2.2
Nov 24 08:41:55 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, processing hash payload
Nov 24 08:41:55 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, Computing hash for ISAKMP
Nov 24 08:41:55 [IKEv1]IP = 2.2.2.2, Connection landed on tunnel_group 2.2.2.2
Nov 24 08:41:55 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, constructing ID payload
Nov 24 08:41:55 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, constructing hash payload
Nov 24 08:41:55 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, Computing hash for ISAKMP
Nov 24 08:41:55 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, constructing dpd vid payload
Nov 24 08:41:55 [IKEv1]IP = 2.2.2.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + VENDOR (13) + NONE (0) total length : 84
Nov 24 08:41:55 [IKEv1]Group = 2.2.2.2, IP = 2.2.2.2, PHASE 1 COMPLETED
Nov 24 08:41:55 [IKEv1]IP = 2.2.2.2, Keep-alive type for this connection: DPD
Nov 24 08:41:55 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, Starting P1 rekey timer: 8100 seconds.
Nov 24 08:41:55 [IKEv1 DECODE]IP = 2.2.2.2, IKE Responder starting QM: msg id = 91e61bae
Nov 24 08:41:55 [IKEv1]IP = 2.2.2.2, IKE_DECODE RECEIVED Message (msgid=91e61bae) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + KE (4) + ID (5) + ID (5) + NONE (0) total length : 416
Nov 24 08:41:55 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, processing hash payload
Nov 24 08:41:55 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, processing SA payload
Nov 24 08:41:55 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, processing nonce payload
Nov 24 08:41:55 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, processing ke payload
Nov 24 08:41:55 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, processing ISA_KE for PFS in phase 2
Nov 24 08:41:55 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, processing ID payload
Nov 24 08:41:55 [IKEv1 DECODE]Group = 2.2.2.2, IP = 2.2.2.2, ID_IPV4_ADDR_SUBNET ID received--10.24.16.0--255.255.255.240
Nov 24 08:41:55 [IKEv1]Group = 2.2.2.2, IP = 2.2.2.2, Received remote IP Proxy Subnet data in ID Payload: Address 10.24.16.0, Mask 255.255.255.240, Protocol 0, Port 0
Nov 24 08:41:55 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, processing ID payload
Nov 24 08:41:55 [IKEv1 DECODE]Group = 2.2.2.2, IP = 2.2.2.2, ID_IPV4_ADDR_SUBNET ID received--192.168.54.0--255.255.254.0
Nov 24 08:41:55 [IKEv1]Group = 2.2.2.2, IP = 2.2.2.2, Received local IP Proxy Subnet data in ID Payload: Address 192.168.54.0, Mask 255.255.254.0, Protocol 0, Port 0
Nov 24 08:41:55 [IKEv1]Group = 2.2.2.2, IP = 2.2.2.2, QM IsRekeyed old sa not found by addr
Nov 24 08:41:55 [IKEv1]Group = 2.2.2.2, IP = 2.2.2.2, Static Crypto Map check, checking map = Internet_map, seq = 1...
Nov 24 08:41:55 [IKEv1]Group = 2.2.2.2, IP = 2.2.2.2, Static Crypto Map check, map Internet_map, seq = 1 is a successful match
Nov 24 08:41:55 [IKEv1]Group = 2.2.2.2, IP = 2.2.2.2, IKE Remote Peer configured for crypto map: Internet_map
Nov 24 08:41:55 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, processing IPSec SA payload
Nov 24 08:41:55 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, IPSec SA Proposal # 0, Transform # 1 acceptable Matches global IPSec SA entry # 1
Nov 24 08:41:55 [IKEv1]Group = 2.2.2.2, IP = 2.2.2.2, IKE: requesting SPI!
Nov 24 08:41:55 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, IKE got SPI from key engine: SPI = 0x59d8f571
Nov 24 08:41:55 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, oakley constucting quick mode
Nov 24 08:41:55 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, constructing blank hash payload
Nov 24 08:41:55 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, constructing IPSec SA payload
Nov 24 08:41:55 [IKEv1]Group = 2.2.2.2, IP = 2.2.2.2, Overriding Initiator's IPSec rekeying duration from 0 to 4608000 Kbs
Nov 24 08:41:55 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, constructing IPSec nonce payload
Nov 24 08:41:55 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, constructing pfs ke payload
Nov 24 08:41:55 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, constructing proxy ID
Nov 24 08:41:55 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, Transmitting Proxy Id:
Remote subnet: 10.24.16.0 Mask 255.255.255.240 Protocol 0 Port 0
Local subnet: 192.168.54.0 mask 255.255.254.0 Protocol 0 Port 0
Nov 24 08:41:55 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, Sending RESPONDER LIFETIME notification to Initiator
Nov 24 08:41:55 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, constructing qm hash payload
Nov 24 08:41:55 [IKEv1 DECODE]Group = 2.2.2.2, IP = 2.2.2.2, IKE Responder sending 2nd QM pkt: msg id = 91e61bae
Nov 24 08:41:55 [IKEv1]IP = 2.2.2.2, IKE_DECODE SENDING Message (msgid=91e61bae) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + KE (4) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 388
Nov 24 08:41:56 [IKEv1 DECODE]IP = 2.2.2.2, IKE Responder starting QM: msg id = 279cbbd1
Nov 24 08:41:56 [IKEv1]IP = 2.2.2.2, IKE_DECODE RECEIVED Message (msgid=279cbbd1) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + KE (4) + ID (5) + ID (5) + NONE (0) total length : 408
Nov 24 08:41:56 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, processing hash payload
Nov 24 08:41:56 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, processing SA payload
Nov 24 08:41:56 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, processing nonce payload
Nov 24 08:41:56 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, processing ke payload
Nov 24 08:41:56 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, processing ISA_KE for PFS in phase 2
Nov 24 08:41:56 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, processing ID payload
Nov 24 08:41:56 [IKEv1 DECODE]Group = 2.2.2.2, IP = 2.2.2.2, ID_IPV4_ADDR ID received
2.2.2.2
Nov 24 08:41:56 [IKEv1]Group = 2.2.2.2, IP = 2.2.2.2, Received remote Proxy Host data in ID Payload: Address 2.2.2.2, Protocol 0, Port 0
Nov 24 08:41:56 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, processing ID payload
Nov 24 08:41:56 [IKEv1 DECODE]Group = 2.2.2.2, IP = 2.2.2.2, ID_IPV4_ADDR ID received
1.1.1.1
Nov 24 08:41:56 [IKEv1]Group = 2.2.2.2, IP = 2.2.2.2, Received local Proxy Host data in ID Payload: Address 1.1.1.1, Protocol 0, Port 0
Nov 24 08:41:56 [IKEv1]Group = 2.2.2.2, IP = 2.2.2.2, QM IsRekeyed old sa not found by addr
Nov 24 08:41:56 [IKEv1]Group = 2.2.2.2, IP = 2.2.2.2, Static Crypto Map check, checking map = Internet_map, seq = 1...
Nov 24 08:41:56 [IKEv1]Group = 2.2.2.2, IP = 2.2.2.2, Static Crypto Map check, map = Internet_map, seq = 1, ACL does not match proxy IDs src:2.2.2.2 dst:1.1.1.1
Nov 24 08:41:56 [IKEv1]Group = 2.2.2.2, IP = 2.2.2.2, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 2.2.2.2/255.255.255.255/0/0 local proxy 1.1.1.1/255.255.255.255/0/0 on interface Internet
Nov 24 08:41:56 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, sending notify message
Nov 24 08:41:56 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, constructing blank hash payload
Nov 24 08:41:56 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, constructing qm hash payload
Nov 24 08:41:56 [IKEv1]IP = 2.2.2.2, IKE_DECODE SENDING Message (msgid=61889da) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 464
Nov 24 08:41:56 [IKEv1]Group = 2.2.2.2, IP = 2.2.2.2, QM FSM error (P2 struct &0x00007fffa2f8dfe0, mess id 0x279cbbd1)!
Nov 24 08:41:56 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, IKE QM Responder FSM error history (struct &0x00007fffa2f8dfe0) <state>, <event>: QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_NEGO_SA-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH
Nov 24 08:41:56 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, sending delete/delete with reason message
Nov 24 08:41:56 [IKEv1]Group = 2.2.2.2, IP = 2.2.2.2, Removing peer from correlator table failed, no match!
Nov 24 08:41:56 [IKEv1]IP = 2.2.2.2, IKE_DECODE RECEIVED Message (msgid=91e61bae) with payloads : HDR + HASH (8) + NONE (0) total length : 52
Nov 24 08:41:56 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, processing hash payload
Nov 24 08:41:56 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, loading all IPSEC SAs
Nov 24 08:41:56 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, Generating Quick Mode Key!
Nov 24 08:41:56 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, NP encrypt rule look up for crypto map Internet_map 1 matching ACL Internet_cryptomap_14: returned cs_id=a204c060; encrypt_rule=a2116350; tunnelFlow_rule=a2116a10
Nov 24 08:41:56 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, Generating Quick Mode Key!
Nov 24 08:41:56 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, NP encrypt rule look up for crypto map Internet_map 1 matching ACL Internet_cryptomap_14: returned cs_id=a204c060; encrypt_rule=a2116350; tunnelFlow_rule=a2116a10
Nov 24 08:41:56 [IKEv1]Group = 2.2.2.2, IP = 2.2.2.2, Security negotiation complete for LAN-to-LAN Group (2.2.2.2) Responder, Inbound SPI = 0x59d8f571, Outbound SPI = 0xcce2fd3a
Nov 24 08:41:56 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, IKE got a KEY_ADD msg for SA: SPI = 0xcce2fd3a
Nov 24 08:41:56 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, Pitcher: received KEY_UPDATE, spi 0x59d8f571
Nov 24 08:41:56 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, Starting P2 rekey timer: 3418 seconds.
Nov 24 08:41:56 [IKEv1]Group = 2.2.2.2, IP = 2.2.2.2, PHASE 2 COMPLETED (msgid=91e61bae)
Nov 24 08:42:06 [IKEv1 DECODE]IP = 2.2.2.2, IKE Responder starting QM: msg id = 279cbbd1
Nov 24 08:42:06 [IKEv1]IP = 2.2.2.2, IKE_DECODE RECEIVED Message (msgid=279cbbd1) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + KE (4) + ID (5) + ID (5) + NONE (0) total length : 408
Nov 24 08:42:06 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, processing hash payload
Nov 24 08:42:06 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, processing SA payload
Nov 24 08:42:06 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, processing nonce payload
Nov 24 08:42:06 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, processing ke payload
Nov 24 08:42:06 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, processing ISA_KE for PFS in phase 2
Nov 24 08:42:06 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, processing ID payload
Nov 24 08:42:06 [IKEv1 DECODE]Group = 2.2.2.2, IP = 2.2.2.2, ID_IPV4_ADDR ID received
2.2.2.2
Nov 24 08:42:06 [IKEv1]Group = 2.2.2.2, IP = 2.2.2.2, Received remote Proxy Host data in ID Payload: Address 2.2.2.2, Protocol 0, Port 0
Nov 24 08:42:06 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, processing ID payload
Nov 24 08:42:06 [IKEv1 DECODE]Group = 2.2.2.2, IP = 2.2.2.2, ID_IPV4_ADDR ID received
1.1.1.1
Nov 24 08:42:06 [IKEv1]Group = 2.2.2.2, IP = 2.2.2.2, Received local Proxy Host data in ID Payload: Address 1.1.1.1, Protocol 0, Port 0
Nov 24 08:42:06 [IKEv1]Group = 2.2.2.2, IP = 2.2.2.2, QM IsRekeyed old sa not found by addr
Nov 24 08:42:06 [IKEv1]Group = 2.2.2.2, IP = 2.2.2.2, Static Crypto Map check, checking map = Internet_map, seq = 1...
Nov 24 08:42:06 [IKEv1]Group = 2.2.2.2, IP = 2.2.2.2, Static Crypto Map check, map = Internet_map, seq = 1, ACL does not match proxy IDs src:2.2.2.2 dst:1.1.1.1
Nov 24 08:42:06 [IKEv1]Group = 2.2.2.2, IP = 2.2.2.2, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 2.2.2.2/255.255.255.255/0/0 local proxy 1.1.1.1/255.255.255.255/0/0 on interface Internet
Nov 24 08:42:06 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, sending notify message
Nov 24 08:42:06 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, constructing blank hash payload
Nov 24 08:42:06 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, constructing qm hash payload
Nov 24 08:42:06 [IKEv1]IP = 2.2.2.2, IKE_DECODE SENDING Message (msgid=6516a9f) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 464
Nov 24 08:42:06 [IKEv1]Group = 2.2.2.2, IP = 2.2.2.2, QM FSM error (P2 struct &0x00007fffa2f8dfe0, mess id 0x279cbbd1)!
Nov 24 08:42:06 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, IKE QM Responder FSM error history (struct &0x00007fffa2f8dfe0) <state>, <event>: QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_NEGO_SA-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH
Nov 24 08:42:06 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, sending delete/delete with reason message
Nov 24 08:42:06 [IKEv1]Group = 2.2.2.2, IP = 2.2.2.2, Removing peer from correlator table failed, no match!
Nov 24 08:42:10 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, Sending keep-alive of type DPD R-U-THERE (seq number 0x5439854b)
Nov 24 08:42:10 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, constructing blank hash payload
Nov 24 08:42:10 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, constructing qm hash payload
Nov 24 08:42:10 [IKEv1]IP = 2.2.2.2, IKE_DECODE SENDING Message (msgid=290294a3) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Nov 24 08:42:10 [IKEv1]IP = 2.2.2.2, IKE_DECODE RECEIVED Message (msgid=de876da5) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Nov 24 08:42:10 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, processing hash payload
Nov 24 08:42:10 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, processing notify payload
Nov 24 08:42:10 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0x5439854b)
Thanks in advance for the help.
LSC
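The debug output above contains two Quick Mode exchanges: one carrying the subnet proxy IDs 192.168.54.0/23 and 10.24.16.0/28 (accepted against Internet_cryptomap_14) and one carrying the two gateways' own addresses as /32 host proxies (rejected with "no matching crypto map entry"). The script below is an added example, not part of the original post or a Cisco tool: it pulls each Quick Mode's received proxy IDs out of `debug crypto isakmp` output and re-runs the responder's crypto-map ACL check against a model of the bound ACL. The object contents of local-network and remote-network are taken from the diagram in the post; the containment rule used for the match (received proxies must fall within one ACE, source = local, destination = remote) is an assumption about the ASA's behaviour, chosen because it reproduces both verdicts in the log.

```python
"""Added example: triage `debug crypto isakmp` output from an ASA IKEv1 responder.

For every Quick Mode it records the proxy IDs the peer proposed and the verdict
the ASA logged, then re-evaluates the proposal against a model of the crypto ACL.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: lines copied from the post's debug output, abridged to the
# ones this parser needs (one accepted QM, one rejected QM).
SAMPLE_LOG = """\
Nov 24 08:41:55 [IKEv1 DECODE]IP = 2.2.2.2, IKE Responder starting QM: msg id = 91e61bae
Nov 24 08:41:55 [IKEv1]Group = 2.2.2.2, IP = 2.2.2.2, Received remote IP Proxy Subnet data in ID Payload: Address 10.24.16.0, Mask 255.255.255.240, Protocol 0, Port 0
Nov 24 08:41:55 [IKEv1]Group = 2.2.2.2, IP = 2.2.2.2, Received local IP Proxy Subnet data in ID Payload: Address 192.168.54.0, Mask 255.255.254.0, Protocol 0, Port 0
Nov 24 08:41:55 [IKEv1]Group = 2.2.2.2, IP = 2.2.2.2, Static Crypto Map check, map Internet_map, seq = 1 is a successful match
Nov 24 08:41:56 [IKEv1 DECODE]IP = 2.2.2.2, IKE Responder starting QM: msg id = 279cbbd1
Nov 24 08:41:56 [IKEv1]Group = 2.2.2.2, IP = 2.2.2.2, Received remote Proxy Host data in ID Payload: Address 2.2.2.2, Protocol 0, Port 0
Nov 24 08:41:56 [IKEv1]Group = 2.2.2.2, IP = 2.2.2.2, Received local Proxy Host data in ID Payload: Address 1.1.1.1, Protocol 0, Port 0
Nov 24 08:41:56 [IKEv1]Group = 2.2.2.2, IP = 2.2.2.2, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 2.2.2.2/255.255.255.255/0/0 local proxy 1.1.1.1/255.255.255.255/0/0 on interface Internet
"""

# Model of the only ACL bound to a crypto map entry in the posted excerpt:
#   access-list Internet_cryptomap_14 extended permit ip object local-network object remote-network
# (source = local side, destination = remote side). Object contents are an
# assumption taken from the post's diagram.
CRYPTO_ACL = [
    (ipaddress.ip_network("192.168.54.0/23"), ipaddress.ip_network("10.24.16.0/28")),
]

QM_START = re.compile(r"IKE Responder starting QM: msg id = ([0-9a-f]+)")
PROXY_SUBNET = re.compile(
    r"Received (remote|local) IP Proxy Subnet data in ID Payload: Address ([\d.]+), Mask ([\d.]+),")
PROXY_HOST = re.compile(r"Received (remote|local) Proxy Host data in ID Payload: Address ([\d.]+),")
ACCEPTED = re.compile(r"seq = \d+ is a successful match")
REJECTED = re.compile(r"Rejecting IPSec tunnel: no matching crypto map entry")


@dataclass
class QuickMode:
    msgid: str
    local: Optional[ipaddress.IPv4Network] = None   # proxy ID for the ASA's side
    remote: Optional[ipaddress.IPv4Network] = None  # proxy ID for the peer's side
    log_verdict: str = "unknown"                    # what the ASA itself decided


def parse_quick_modes(log: str) -> List[QuickMode]:
    """Group proxy-ID and verdict lines under the Quick Mode that precedes them."""
    qms: List[QuickMode] = []
    for line in log.splitlines():
        m = QM_START.search(line)
        if m:
            qms.append(QuickMode(msgid=m.group(1)))
            continue
        if not qms:
            continue  # lines before the first QM (Phase 1) are not of interest here
        cur = qms[-1]
        m = PROXY_SUBNET.search(line)
        if m:
            setattr(cur, m.group(1), ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}"))
            continue
        m = PROXY_HOST.search(line)
        if m:
            setattr(cur, m.group(1), ipaddress.ip_network(m.group(2)))  # host ID -> /32
            continue
        if ACCEPTED.search(line):
            cur.log_verdict = "accepted"
        elif REJECTED.search(line):
            cur.log_verdict = "rejected"
    return qms


def acl_matches(acl, local: ipaddress.IPv4Network, remote: ipaddress.IPv4Network) -> bool:
    """Assumed responder check: both received proxies fall inside a single ACE."""
    return any(local.subnet_of(src) and remote.subnet_of(dst) for src, dst in acl)


def triage(log: str, acl) -> List[dict]:
    """Per Quick Mode: the proposed proxies, the ASA's verdict and the model's verdict."""
    rows = []
    for qm in parse_quick_modes(log):
        if qm.local is None or qm.remote is None:
            model = "incomplete"
        else:
            model = "accepted" if acl_matches(acl, qm.local, qm.remote) else "rejected"
        rows.append({"msgid": qm.msgid, "local": str(qm.local), "remote": str(qm.remote),
                     "log_verdict": qm.log_verdict, "model_verdict": model})
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_LOG, CRYPTO_ACL):
        print(f"QM {row['msgid']}: local {row['local']} <-> remote {row['remote']}: "
              f"ASA said {row['log_verdict']}, model says {row['model_verdict']}")
```

Running it on the full debug output from the post produces a third row for msgid 279cbbd1, because the peer retransmits the same rejected proposal ten seconds later; a mismatch between the "ASA said" and "model says" columns would point at an ACE the model is missing, while agreement (as here) confirms the rejection is purely a proxy-ID versus crypto-ACL mismatch rather than a transform or PFS problem.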
11-24-2015 01:21 PM
So it appears there were multiple things going on here. For one, the remote device was the VPN initiator and apparently it doesn't like getting responder packets. I switched the ASA profile from "bidirectional" to "answer-only". That cleared up most of the errors shown above but traffic still wouldn't pass.
Turns out my NAT for the tunnel was at the bottom of the list so the traffic was being picked up by another NAT. Here's the link that tipped me off. Simply moved it to the top and all was well.
Thanks everyone for the help.
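The NAT problem described above is a rule-ordering one: manual (Section 1) NAT rules are evaluated first-match in the order configured, and the ASA evaluates the crypto map against the packet after translation. In the posted config the identity NAT for the tunnel (`nat (Lab,Internet) source static local-network local-network destination static remote-network remote-network`) sits below `nat (Lab,Internet) source dynamic any interface`, so tunnel-bound traffic was PATed to the firewall's address and no longer matched the crypto ACL. The script below is an added example that is not part of the original post: it models that first-match evaluation for the three (Lab,Internet) rules from the post, in the posted order and with the tunnel rule moved to the top, and reports whether the post-NAT packet would still be selected by Internet_cryptomap_14. Interface and object addresses are assumptions taken from the diagram; the egress interface is assumed to be Internet for all destinations shown.

```python
"""Added example: first-match model of the ASA's manual NAT section and its
effect on crypto-map selection, for the rules in the post."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

NET = ipaddress.ip_network
ANY = NET("0.0.0.0/0")

# Assumed from the post's diagram / object names.
INTERNET_IF_ADDR = ipaddress.ip_address("1.1.1.1")   # "interface" in the dynamic PAT rule
LOCAL_NETWORK = NET("192.168.54.0/23")               # object local-network
REMOTE_NETWORK = NET("10.24.16.0/28")                # object remote-network
OTHER_VPN = NET("192.168.56.0/24")                   # NETWORK_OBJ_192.168.56.0_24


@dataclass(frozen=True)
class NatRule:
    name: str
    src_if: str
    dst_if: str
    src: ipaddress.IPv4Network   # original source the rule matches
    dst: ipaddress.IPv4Network   # original destination the rule matches
    identity: bool               # True: "static X X" keeps the address; False: dynamic PAT to interface


@dataclass(frozen=True)
class Packet:
    ingress_if: str
    egress_if: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address


# The three (Lab,Internet) rules from the post, reduced to what this model needs.
PAT = NatRule("dynamic-PAT-to-interface", "Lab", "Internet", ANY, ANY, identity=False)
OTHER_IDENTITY = NatRule("identity-192.168.56.0", "Lab", "Internet", ANY, OTHER_VPN, identity=True)
TUNNEL_IDENTITY = NatRule("identity-tunnel", "Lab", "Internet", LOCAL_NETWORK, REMOTE_NETWORK, identity=True)

AS_POSTED = [PAT, OTHER_IDENTITY, TUNNEL_IDENTITY]   # tunnel identity NAT at the bottom
FIXED = [TUNNEL_IDENTITY, PAT, OTHER_IDENTITY]       # what the poster did: moved it to the top


def apply_nat(rules: List[NatRule], pkt: Packet) -> Tuple[Optional[str], ipaddress.IPv4Address]:
    """Manual NAT is first-match in configured order; returns (rule hit, translated source)."""
    for r in rules:
        if (r.src_if, r.dst_if) != (pkt.ingress_if, pkt.egress_if):
            continue
        if pkt.src in r.src and pkt.dst in r.dst:
            return r.name, (pkt.src if r.identity else INTERNET_IF_ADDR)
    return None, pkt.src


def crypto_acl_selects(src: ipaddress.IPv4Address, dst: ipaddress.IPv4Address) -> bool:
    """Internet_cryptomap_14: permit ip object local-network object remote-network."""
    return src in LOCAL_NETWORK and dst in REMOTE_NETWORK


def would_be_encrypted(rules: List[NatRule], pkt: Packet) -> Tuple[bool, Optional[str], ipaddress.IPv4Address]:
    """The crypto map is consulted on the post-NAT packet, so NAT order decides the outcome."""
    rule_hit, translated_src = apply_nat(rules, pkt)
    return crypto_acl_selects(translated_src, pkt.dst), rule_hit, translated_src


def shadowed_identity_rules(rules: List[NatRule]) -> List[str]:
    """Identity rules that an earlier, broader non-identity rule would always win over."""
    shadowed = []
    for i, r in enumerate(rules):
        if not r.identity:
            continue
        for earlier in rules[:i]:
            if (not earlier.identity and (earlier.src_if, earlier.dst_if) == (r.src_if, r.dst_if)
                    and r.src.subnet_of(earlier.src) and r.dst.subnet_of(earlier.dst)):
                shadowed.append(r.name)
                break
    return shadowed


if __name__ == "__main__":
    tunnel_pkt = Packet("Lab", "Internet", ipaddress.ip_address("192.168.54.10"),
                        ipaddress.ip_address("10.24.16.5"))
    for label, rules in (("as posted", AS_POSTED), ("fixed", FIXED)):
        enc, hit, src = would_be_encrypted(rules, tunnel_pkt)
        print(f"{label}: hit {hit}, source becomes {src}, encrypted={enc}; "
              f"shadowed identity rules: {shadowed_identity_rules(rules)}")
```

In the posted order the model reports that a packet from 192.168.54.10 to 10.24.16.5 hits the dynamic PAT, leaves with source 1.1.1.1 and is never selected by the crypto ACL; with the tunnel rule first it keeps its address and is encrypted. The same shadowing check also flags the 192.168.56.0/24 identity rule, which sits below the dynamic PAT in the posted config for the same reason; if that rule serves another tunnel it is worth the same ordering check.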