ASA5510-CISCO871 IPSEC TUNNEL DOWN

sanjarusenoff
Level 1

HELP!

Site-to-site IPsec tunnel between 5510 ASA and 871 router cannot be established.

Config and debug info:


ASA:
1.1.1.26 External ip
1.1.1.254 Gateway ip
3.3.3.0 LAN network
3.3.3.250 LAN ip
3.3.3.20 PC in LAN


ROUTER 871
2.2.2.226 External ip
2.2.2.225 Gateway ip
4.4.4.0 LAN network
4.4.4.254 LAN ip
4.4.4.28 PC in LAN


5510 ASA CONFIG:

interface Ethernet0/0
description WAN
nameif AI_WAN
security-level 0
ip address 1.1.1.26 255.255.255.248

interface GigabitEthernet1/0
description AB LAN network
nameif AB_LAN
security-level 100
ip address 3.3.3.250 255.255.255.0

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route

crypto map AI_WAN_map 1 match address AI_WAN_1_cryptomap
crypto map AI_WAN_map 1 set peer 2.2.2.226
crypto map AI_WAN_map 1 set transform-set ESP-DES-MD5
crypto map AI_WAN_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map AI_WAN_map interface AI_WAN

crypto isakmp enable AI_WAN
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
crypto isakmp disconnect-notify

route AI_WAN 0.0.0.0 0.0.0.0 1.1.1.254
route AI_WAN 4.4.4.0 255.255.255.0 2.2.2.226

access-list AI_WAN_1_cryptomap extended permit ip 3.3.3.0 255.255.255.0 4.4.4.0 255.255.255.0

tunnel-group 2.2.2.226 type ipsec-l2l
tunnel-group 2.2.2.226 general-attributes
tunnel-group 2.2.2.226 ipsec-attributes
pre-shared-key *****


871 ROUTER CONFIG:

crypto isakmp policy 2
authentication pre-share
group 2
crypto isakmp key ***** address 1.1.1.26

crypto ipsec transform-set des-md5 esp-des esp-md5-hmac

crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to1.1.1.26
set peer 1.1.1.26
set transform-set des-md5
match address 100

interface FastEthernet4
ip address 2.2.2.226 255.255.255.0
ip virtual-reassembly
duplex auto
speed auto
crypto map SDM_CMAP_1

interface Vlan1
ip address 4.4.4.254 255.255.255.0
ip virtual-reassembly

ip route 0.0.0.0 0.0.0.0 2.2.2.225
ip route 3.3.3.0 255.255.255.0 1.1.1.26

access-list 100 permit ip 4.4.4.0 0.0.0.255 3.3.3.0 0.0.0.255

5510 ASA DEBUGGING

ciscoasa(config)# Feb 25 21:58:07 [IKEv1]: IP = 2.2.2.226, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 180
Feb 25 21:58:07 [IKEv1 DEBUG]: IP = 2.2.2.226, processing SA payload
Feb 25 21:58:07 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
Feb 25 21:58:07 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
Feb 25 21:58:07 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
Feb 25 21:58:07 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
Feb 25 21:58:07 [IKEv1 DEBUG]: IP = 2.2.2.226, Oakley proposal is acceptable
Feb 25 21:58:07 [IKEv1 DEBUG]: IP = 2.2.2.226, processing VID payload
Feb 25 21:58:07 [IKEv1 DEBUG]: IP = 2.2.2.226, processing VID payload
Feb 25 21:58:07 [IKEv1 DEBUG]: IP = 2.2.2.226, Received NAT-Traversal ver 03 VID
Feb 25 21:58:07 [IKEv1 DEBUG]: IP = 2.2.2.226, processing VID payload
Feb 25 21:58:07 [IKEv1 DEBUG]: IP = 2.2.2.226, Received NAT-Traversal ver 02 VID
Feb 25 21:58:07 [IKEv1 DEBUG]: IP = 2.2.2.226, processing IKE SA payload
Feb 25 21:58:07 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
Feb 25 21:58:07 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
Feb 25 21:58:07 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
Feb 25 21:58:07 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
Feb 25 21:58:07 [IKEv1 DEBUG]: IP = 2.2.2.226, IKE SA Proposal # 1, Transform # 1 acceptable  Matches global IKE entry # 4
Feb 25 21:58:07 [IKEv1 DEBUG]: IP = 2.2.2.226, constructing ISAKMP SA payload
Feb 25 21:58:07 [IKEv1 DEBUG]: IP = 2.2.2.226, constructing NAT-Traversal VID ver 02 payload
Feb 25 21:58:07 [IKEv1 DEBUG]: IP = 2.2.2.226, constructing Fragmentation VID + extended capabilities payload
Feb 25 21:58:07 [IKEv1]: IP = 2.2.2.226, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 128
Feb 25 21:58:15 [IKEv1]: IP = 2.2.2.226, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 128
Feb 25 21:58:17 [IKEv1]: IP = 2.2.2.226, Duplicate first packet detected.  Ignoring packet.
Feb 25 21:58:23 [IKEv1]: IP = 2.2.2.226, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 128
Feb 25 21:58:27 [IKEv1]: IP = 2.2.2.226, Duplicate first packet detected.  Ignoring packet.
Feb 25 21:58:31 [IKEv1]: IP = 2.2.2.226, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 128
Feb 25 21:58:37 [IKEv1]: IP = 2.2.2.226, Duplicate first packet detected.  Ignoring packet.
Feb 25 21:58:39 [IKEv1 DEBUG]: IP = 2.2.2.226, IKE MM Responder FSM error history (struct &0xadb2fdf8)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG3, EV_TIMEOUT-->MM_WAIT_MSG3, NullEvent-->MM_SND_MSG2, EV_SND_MSG-->MM_SND_MSG2, EV_START_TMR-->MM_SND_MSG2, EV_RESEND_MSG-->MM_WAIT_MSG3, EV_TIMEOUT-->MM_WAIT_MSG3, NullEvent
Feb 25 21:58:39 [IKEv1 DEBUG]: IP = 2.2.2.226, IKE SA MM:8d4057b1 terminating:  flags 0x01000002, refcnt 0, tuncnt 0
Feb 25 21:58:39 [IKEv1 DEBUG]: IP = 2.2.2.226, sending delete/delete with reason message
Feb 25 21:58:47 [IKEv1]: IP = 2.2.2.226, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 180
Feb 25 21:58:47 [IKEv1 DEBUG]: IP = 2.2.2.226, processing SA payload
Feb 25 21:58:47 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
Feb 25 21:58:47 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
Feb 25 21:58:47 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
Feb 25 21:58:47 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
Feb 25 21:58:47 [IKEv1 DEBUG]: IP = 2.2.2.226, Oakley proposal is acceptable
Feb 25 21:58:47 [IKEv1 DEBUG]: IP = 2.2.2.226, processing VID payload
Feb 25 21:58:47 [IKEv1 DEBUG]: IP = 2.2.2.226, processing VID payload
Feb 25 21:58:47 [IKEv1 DEBUG]: IP = 2.2.2.226, Received NAT-Traversal ver 03 VID
Feb 25 21:58:47 [IKEv1 DEBUG]: IP = 2.2.2.226, processing VID payload
Feb 25 21:58:47 [IKEv1 DEBUG]: IP = 2.2.2.226, Received NAT-Traversal ver 02 VID
Feb 25 21:58:47 [IKEv1 DEBUG]: IP = 2.2.2.226, processing IKE SA payload
Feb 25 21:58:47 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
Feb 25 21:58:47 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
Feb 25 21:58:47 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
Feb 25 21:58:47 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
Feb 25 21:58:47 [IKEv1 DEBUG]: IP = 2.2.2.226, IKE SA Proposal # 1, Transform # 1 acceptable  Matches global IKE entry # 4
Feb 25 21:58:47 [IKEv1 DEBUG]: IP = 2.2.2.226, constructing ISAKMP SA payload
Feb 25 21:58:47 [IKEv1 DEBUG]: IP = 2.2.2.226, constructing NAT-Traversal VID ver 02 payload
Feb 25 21:58:47 [IKEv1 DEBUG]: IP = 2.2.2.226, constructing Fragmentation VID + extended capabilities payload
Feb 25 21:58:47 [IKEv1]: IP = 2.2.2.226, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 128
Feb 25 21:58:55 [IKEv1]: IP = 2.2.2.226, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 128
Feb 25 21:58:57 [IKEv1]: IP = 2.2.2.226, Duplicate first packet detected.  Ignoring packet.
Feb 25 21:59:03 [IKEv1]: IP = 2.2.2.226, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 128
Feb 25 21:59:11 [IKEv1]: IP = 2.2.2.226, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 128
Feb 25 21:59:19 [IKEv1 DEBUG]: IP = 2.2.2.226, IKE MM Responder FSM error history (struct &0xadb2fdf8)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG3, EV_TIMEOUT-->MM_WAIT_MSG3, NullEvent-->MM_SND_MSG2, EV_SND_MSG-->MM_SND_MSG2, EV_START_TMR-->MM_SND_MSG2, EV_RESEND_MSG-->MM_WAIT_MSG3, EV_TIMEOUT-->MM_WAIT_MSG3, NullEvent
Feb 25 21:59:19 [IKEv1 DEBUG]: IP = 2.2.2.226, IKE SA MM:7622a639 terminating:  flags 0x01000002, refcnt 0, tuncnt 0
Feb 25 21:59:19 [IKEv1 DEBUG]: IP = 2.2.2.226, sending delete/delete with reason message

871 ROUTER DEBUGGING


871_router#debu cry isa
871_router#ping 3.3.3.20 source 4.4.4.254

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.20, timeout is 2 seconds:
Packet sent with a source address of 4.4.4.254

Feb 25 21:58:06.799: ISAKMP:(0): SA request profile is (NULL)
Feb 25 21:58:06.799: ISAKMP: Created a peer struct for 1.1.1.26, peer port 500
Feb 25 21:58:06.799: ISAKMP: New peer created peer = 0x834B2AB4 peer_handle = 0x8000000C
Feb 25 21:58:06.799: ISAKMP: Locking peer struct 0x834B2AB4, refcount 1 for isakmp_initiator
Feb 25 21:58:06.799: ISAKMP: local port 500, remote port 500
Feb 25 21:58:06.799: ISAKMP: set new node 0 to QM_IDLE
Feb 25 21:58:06.799: insert sa successfully sa = 83476114
Feb 25 21:58:06.799: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
Feb 25 21:58:06.799: ISAKMP:(0):found peer pre-shared key matching 1.1.1.26
Feb 25 21:58:06.799: ISAKMP:(0): constructed NAT-T vendor-07 ID
Feb 25 21:58:06.799: ISAKMP:(0): constructed NAT-T vendor-03 ID
Feb 25 21:58:06.799: ISAKMP:(0): constructed NAT-T vendor-02 ID
Feb 25 21:58:06.799: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Feb 25 21:58:06.799: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1

Feb 25 21:58:06.803: ISAKMP:(0): beginning Main Mode exchange
Feb 25 21:58:06.803: ISAKMP:(0): sending packet to 1.1.1.26 my_port 500 peer_port 500 (I) MM_NO_STATE....
Success rate is 0 percent (0/5)
sokuluk#
Feb 25 21:58:16.803: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Feb 25 21:58:16.803: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Feb 25 21:58:16.803: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Feb 25 21:58:16.803: ISAKMP:(0): sending packet to 1.1.1.26 my_port 500 peer_port 500 (I) MM_NO_STATE
Feb 25 21:58:26.803: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Feb 25 21:58:26.803: ISAKMP (0:0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
Feb 25 21:58:26.803: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Feb 25 21:58:26.803: ISAKMP:(0): sending packet to 1.1.1.26 my_port 500 peer_port 500 (I) MM_NO_STATE
Feb 25 21:58:36.799: ISAKMP: set new node 0 to QM_IDLE
Feb 25 21:58:36.799: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local 2.2.2.226, remote 1.1.1.26)
Feb 25 21:58:36.799: ISAKMP: Error while processing SA request: Failed to initialize SA
Feb 25 21:58:36.799: ISAKMP: Error while processing KMI message 0, error 2.
Feb 25 21:58:36.803: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Feb 25 21:58:36.803: ISAKMP (0:0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
Feb 25 21:58:36.803: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Feb 25 21:58:36.803: ISAKMP:(0): sending packet to 1.1.1.26 my_port 500 peer_port 500 (I) MM_NO_STATE
Feb 25 21:58:46.803: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Feb 25 21:58:46.803: ISAKMP (0:0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
Feb 25 21:58:46.803: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Feb 25 21:58:46.803: ISAKMP:(0): sending packet to 1.1.1.26 my_port 500 peer_port 500 (I) MM_NO_STATE
Feb 25 21:58:56.803: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Feb 25 21:58:56.803: ISAKMP (0:0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
Feb 25 21:58:56.803: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Feb 25 21:58:56.803: ISAKMP:(0): sending packet to 1.1.1.26 my_port 500 peer_port 500 (I) MM_NO_STATE
Feb 25 21:59:06.799: ISAKMP:(0):peer does not do paranoid keepalives.

Feb 25 21:59:06.799: ISAKMP:(0):deleting SA reason "P1 delete notify (in)" state (I) MM_NO_STATE (peer 1.1.1.26)
Feb 25 21:59:06.799: ISAKMP:(0):deleting SA reason "P1 delete notify (in)" state (I) MM_NO_STATE (peer 1.1.1.26)
Feb 25 21:59:06.799: ISAKMP: Unlocking peer struct 0x834B2AB4 for isadb_mark_sa_deleted(), count 0
Feb 25 21:59:06.799: ISAKMP: Deleting peer node by peer_reap for 1.1.1.26: 834B2AB4
Feb 25 21:59:06.799: ISAKMP:(0):deleting node -254301187 error FALSE reason "IKE deleted"
Feb 25 21:59:06.799: ISAKMP:(0):deleting node -1584635621 error FALSE reason "IKE deleted"
Feb 25 21:59:06.799: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Feb 25 21:59:06.799: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_DEST_SA


Jennifer Halim
Cisco Employee

Not too sure why it didn't match even though the policy for phase 1 seems to match.

Can you please try to add the following on the router:

crypto isakmp policy 10
authentication pre-share
group 2

encryption 3des
hash sha

Also, please remove this from the router as it is incorrect:

no ip route 3.3.3.0 255.255.255.0 1.1.1.26

and also the following from the ASA:

no route AI_WAN 4.4.4.0 255.255.255.0 2.2.2.226
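
The reply above looks for a phase 1 policy mismatch, but the ASA debug in the original post already shows one transform being accepted ("Transform # 1 acceptable") and the ASA then resending message 2 while logging the router's duplicate message 1s until it times out in MM_WAIT_MSG3; on the router side the initiator retransmits MM_NO_STATE five times and never leaves IKE_I_MM1. The Python script below is an added illustration, not code from this thread or from Cisco. It parses the "crypto isakmp policy" blocks of both configs posted above, fills in the attributes IOS leaves at their defaults when a line is omitted (so the router's policy 2 evaluates as pre-share/des/sha/group 2 and matches ASA policy 30), and classifies the ASA responder debug into "policy mismatch" versus "proposal accepted but message 3 never arrived". The ASA default values, the function names and the verdict thresholds are my assumptions; the config and debug excerpts are copied from this thread.

```python
import re
from collections import Counter
from pprint import pprint

# Values an IOS "crypto isakmp policy" uses for attributes the block omits
# (the router policy on this page omits encryption and hash, so it is des/sha).
IOS_DEFAULTS = {"authentication": "rsa-sig", "encryption": "des",
                "hash": "sha", "group": "1", "lifetime": "86400"}
# Assumed ASA 8.x defaults; the ASA policies on this page set every attribute
# explicitly, so these values are never exercised by the sample below.
ASA_DEFAULTS = {"authentication": "pre-share", "encryption": "3des",
                "hash": "sha", "group": "2", "lifetime": "86400"}
# Lifetime is negotiated (the shorter value wins), so it is not a match criterion.
MATCH_ATTRS = ("authentication", "encryption", "hash", "group")

# Excerpts of the two configs posted in the thread.
ROUTER_CONFIG = """\
crypto isakmp policy 2
 authentication pre-share
 group 2
crypto isakmp key ***** address 1.1.1.26
"""
ASA_CONFIG = """\
crypto isakmp enable AI_WAN
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
"""
# Abridged excerpt of the ASA debug posted in the thread (one negotiation attempt).
ASA_DEBUG = [
    "Feb 25 21:58:07 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2",
    "Feb 25 21:58:07 [IKEv1 DEBUG]: IP = 2.2.2.226, IKE SA Proposal # 1, Transform # 1 acceptable  Matches global IKE entry # 4",
    "Feb 25 21:58:07 [IKEv1]: IP = 2.2.2.226, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 128",
    "Feb 25 21:58:15 [IKEv1]: IP = 2.2.2.226, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 128",
    "Feb 25 21:58:17 [IKEv1]: IP = 2.2.2.226, Duplicate first packet detected.  Ignoring packet.",
    "Feb 25 21:58:23 [IKEv1]: IP = 2.2.2.226, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 128",
    "Feb 25 21:58:27 [IKEv1]: IP = 2.2.2.226, Duplicate first packet detected.  Ignoring packet.",
    "Feb 25 21:58:39 [IKEv1 DEBUG]: IP = 2.2.2.226, IKE MM Responder FSM error history (struct &0xadb2fdf8)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG3, EV_TIMEOUT-->MM_WAIT_MSG3, NullEvent-->MM_SND_MSG2, EV_SND_MSG",
]


def parse_isakmp_policies(config, defaults):
    """Return {priority: {attribute: value}} for each 'crypto isakmp policy' block,
    filling attributes the block does not set from the platform defaults."""
    policies, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        head = re.match(r"crypto isakmp policy (\d+)$", line)
        if head:
            current = int(head.group(1))
            policies[current] = dict(defaults)
            continue
        attr = re.match(r"(authentication|encryption|hash|group|lifetime) (\S+)$", line)
        if current is not None and attr:
            policies[current][attr.group(1)] = attr.group(2)
        elif line.startswith(("crypto ", "interface ")):
            current = None  # any other top-level command ends the policy block
    return policies


def common_proposals(initiator, responder):
    """Pairs (initiator_priority, responder_priority) that agree on every MATCH_ATTRS."""
    return [(i, r) for i, ip in sorted(initiator.items())
            for r, rp in sorted(responder.items())
            if all(ip[a] == rp[a] for a in MATCH_ATTRS)]


def classify_asa_ikev1_debug(lines):
    """Summarise responder-side IKEv1 main-mode debug lines from an ASA."""
    counts, rejected = Counter(), set()
    for line in lines:
        m = re.search(r"Mismatched attribute types for class (.+?):\s+Rcv'd: (.+?)\s+Cfg'd: (.+)$", line)
        if m:                                   # a transform in the peer's proposal we cannot use
            rejected.add((m.group(1), m.group(2).strip(), m.group(3).strip()))
            continue
        if "Transform #" in line and "acceptable" in line:
            counts["accepted"] += 1             # at least one proposal matched a local policy
        elif "IKE_DECODE SENDING Message (msgid=0)" in line:
            counts["mm2_sent"] += 1             # responder answered with main-mode message 2
        elif "IKE_DECODE RESENDING Message (msgid=0)" in line:
            counts["mm2_resent"] += 1           # ... and had to retransmit it
        elif "Duplicate first packet detected" in line:
            counts["mm1_duplicates"] += 1       # peer keeps re-sending message 1: it never saw MM2
        elif "MM_WAIT_MSG3, EV_TIMEOUT" in line:
            counts["msg3_timeouts"] += 1        # responder gave up waiting for message 3
    if counts["accepted"] == 0:
        verdict = "phase1-policy-mismatch"
    elif counts["mm2_resent"] and counts["mm1_duplicates"] and counts["msg3_timeouts"]:
        verdict = "proposal-accepted-but-mm3-never-arrived"
    else:
        verdict = "inconclusive"
    return verdict, dict(counts), sorted(rejected)


def diagnose(initiator_cfg, responder_cfg, responder_debug):
    """Combine the static policy comparison with the responder debug classification."""
    init = parse_isakmp_policies(initiator_cfg, IOS_DEFAULTS)
    resp = parse_isakmp_policies(responder_cfg, ASA_DEFAULTS)
    verdict, counts, rejected = classify_asa_ikev1_debug(responder_debug)
    return {"common_policies": common_proposals(init, resp), "verdict": verdict,
            "counts": counts, "rejected_transforms": rejected}


if __name__ == "__main__":
    pprint(diagnose(ROUTER_CONFIG, ASA_CONFIG, ASA_DEBUG))
```

Run as-is, the script reports one common policy pair, (2, 30), and the verdict "proposal-accepted-but-mm3-never-arrived": the "Rcv'd: Group 1" lines are transforms the ASA rejected, not the one it accepted, so the phase 1 policy is not what needs changing. With that verdict the next things to examine are the path between the peers (UDP/500 reaching the router, NAT, fragmentation of message 2) and the initiator's IKE implementation, which in this thread turned out to be the router's IOS version.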

I did as you said, but no result.

Strange...

What version of 871 router are you running? Also, have you tried to save the config and reload the router?

Device Manager Version 6.3(1)

Compiled on Thu 04-Mar-10 16:56 by builders
System image file is "disk0:/asa831-k8.bin"
Config file at boot was "startup-config"

Hardware:   ASA5510, 1024 MB RAM, CPU Pentium 4 Celeron 1599 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW016 @ 0xfff00000, 2048KB

Cisco IOS Software, C870 Software (C870-ADVIPSERVICESK9-M), Version 12.4(4)T7, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Wed 29-Nov-06 00:43 by kellythw

ROM: System Bootstrap, Version 12.3(8r)YI4, RELEASE SOFTWARE

Woahh.. that's a very old version of router IOS you have...

I would suggest that you upgrade that to at least the latest in this version 12.4(15)T and that should work.

Thank you for your answer.

Can you post the link to download page?

Here is the download page for 871 router - IOS 12.4(15)T14:

http://www.cisco.com/cisco/software/release.html?mdfid=279624003&dvdid=279978467&flowid=8212&softwareid=280805680&release=12.4.15T14&rellifecycle=MD&relind=AVAILABLE&reltype=all

However, you will need to have a Smartnet contract and your CCO account linked to the contract to be able to download the software.

Thank you, Jennifer, problem solved by upgrading router IOS.