ASA5510

sarojpradhan
Level 1

I have configured a site-to-site VPN on an ASA5510 and a customer-end SonicWall FW.

On my Cisco ASA5510, which is one end of the VPN, when I start pinging the remote machine in the crypto ACL I get this error in the syslog: construct_ipsec_delete(): No SPI to identify Phase 2 SA!

What is the solution to it?

Please advise the command.

6 Replies

Hi,

Make sure that PFS is matching on both sides.

Better yet disable it on both ends if possible.

Also make sure the phase 2 parameters (encryption/hash) are matching.

Try to establish the tunnel again and let us know.

Federico.

andamani
Cisco Employee

Hi Saroj,

Could you please paste the configuration of the tunnel:

sh run cry

Also enable the debugs and paste the output of the same.

deb cry condition peer x.x.x.x

deb cry isa 127

deb cry ips 127

Regards,

Anisha

Hi Anisha,

Per your instruction I have enabled the debug and captured the report.

sh run cry:

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set nat-t-disable
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer h.sonivwall.VPN
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set nat-t-disable
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 1800
no crypto isakmp nat-traversal

Debug of isa and ips:

Mar 13 18:24:37 [IKEv1]: Group = 68.21.58.66, IP = 68.21.58.66, QM FSM error (P2 struct &0xd9da80c0, mess id 0xfe0ec465)!
Mar 13 18:24:37 [IKEv1 DEBUG]: Group = 68.21.58.66, IP = 68.21.58.66, IKE QM Initiator FSM error history (struct &0xd9da80c0)  , :  QM_DONE, EV_ERROR-->QM_WAIT_MSG2, EV_TIMEOUT-->QM_WAIT_MSG2, NullEvent-->QM_SND_MSG1, EV_SND_MSG-->QM_SND_MSG1, EV_START_TMR-->QM_SND_MSG1, EV_RESEND_MSG-->QM_WAIT_MSG2, EV_TIMEOUT-->QM_WAIT_MSG2, NullEvent
Mar 13 18:24:37 [IKEv1 DEBUG]: Group = 68.21.58.66, IP = 68.21.58.66, sending delete/delete with reason message
Mar 13 18:24:37 [IKEv1 DEBUG]: Group = 68.21.58.66, IP = 68.21.58.66, constructing blank hash payload
Mar 13 18:24:37 [IKEv1]: Group = 68.21.58.66, IP = 68.21.58.66, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
Mar 13 18:24:37 [IKEv1 DEBUG]: Group = 68.21.58.66, IP = 68.21.58.66, IKE Deleting SA: Remote Proxy 192.168.100.145, Local Proxy 172.16.49.69
Mar 13 18:24:37 [IKEv1]: Group = 68.21.58.66, IP = 68.21.58.66, Removing peer from correlator table failed, no match!
Mar 13 18:24:37 [IKEv1 DEBUG]: Group = 68.21.58.66, IP = 68.21.58.66, IKE SA MM:155d9068 rcv'd Terminate: state MM_ACTIVE  flags 0x00008062, refcnt 1, tuncnt 0
Mar 13 18:24:37 [IKEv1 DEBUG]: Group = 68.21.58.66, IP = 68.21.58.66, IKE SA MM:155d9068 terminating:  flags 0x01008022, refcnt 0, tuncnt 0
Mar 13 18:24:37 [IKEv1 DEBUG]: Group = 68.21.58.66, IP = 68.21.58.66, sending delete/delete with reason message
Mar 13 18:24:37 [IKEv1 DEBUG]: Group = 68.21.58.66, IP = 68.21.58.66, constructing blank hash payload
Mar 13 18:24:37 [IKEv1 DEBUG]: Group = 68.21.58.66, IP = 68.21.58.66, constructing IKE delete payload
Mar 13 18:24:37 [IKEv1 DEBUG]: Group = 68.21.58.66, IP = 68.21.58.66, constructing qm hash payload
Mar 13 18:24:37 [IKEv1]: IP = 68.21.58.66, IKE_DECODE SENDING Message (msgid=8a441914) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
Mar 13 18:24:42 [IKEv1]: IP = 68.21.58.66, IKE Initiator: New Phase 1, Intf inside, IKE Peer 68.21.58.66  local Proxy Address 172.16.49.69, remote Proxy Address 192.168.100.145,  Crypto map (outside_map)
Mar 13 18:24:42 [IKEv1 DEBUG]: IP = 68.21.58.66, constructing ISAKMP SA payload
Mar 13 18:24:42 [IKEv1 DEBUG]: IP = 68.21.58.66, constructing Fragmentation VID + extended capabilities payload
Mar 13 18:24:42 [IKEv1]: IP = 68.21.58.66, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
Mar 13 18:24:42 [IKEv1]: IP = 68.21.58.66, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 92
Mar 13 18:24:42 [IKEv1 DEBUG]: IP = 68.21.58.66, processing SA payload
Mar 13 18:24:42 [IKEv1 DEBUG]: IP = 68.21.58.66, Oakley proposal is acceptable
Mar 13 18:24:42 [IKEv1 DEBUG]: IP = 68.21.58.66, processing VID payload
Mar 13 18:24:42 [IKEv1 DEBUG]: IP = 68.21.58.66, constructing ke payload
Mar 13 18:24:42 [IKEv1 DEBUG]: IP = 68.21.58.66, constructing nonce payload
Mar 13 18:24:42 [IKEv1 DEBUG]: IP = 68.21.58.66, constructing Cisco Unity VID payload
Mar 13 18:24:42 [IKEv1 DEBUG]: IP = 68.21.58.66, constructing xauth V6 VID payload
Mar 13 18:24:42 [IKEv1 DEBUG]: IP = 68.21.58.66, Send IOS VID
Mar 13 18:24:42 [IKEv1 DEBUG]: IP = 68.21.58.66, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Mar 13 18:24:42 [IKEv1 DEBUG]: IP = 68.21.58.66, constructing VID payload
Mar 13 18:24:42 [IKEv1 DEBUG]: IP = 68.21.58.66, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Mar 13 18:24:42 [IKEv1]: IP = 68.21.58.66, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256
Mar 13 18:24:43 [IKEv1]: IP = 68.21.58.66, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 208
Mar 13 18:24:43 [IKEv1 DEBUG]: IP = 68.21.58.66, processing ke payload
Mar 13 18:24:43 [IKEv1 DEBUG]: IP = 68.21.58.66, processing ISA_KE payload
Mar 13 18:24:43 [IKEv1 DEBUG]: IP = 68.21.58.66, processing nonce payload
Mar 13 18:24:43 [IKEv1 DEBUG]: IP = 68.21.58.66, processing VID payload
Mar 13 18:24:43 [IKEv1 DEBUG]: IP = 68.21.58.66, processing VID payload
Mar 13 18:24:43 [IKEv1 DEBUG]: IP = 68.21.58.66, Received xauth V6 VID
Mar 13 18:24:43 [IKEv1]: IP = 68.21.58.66, Connection landed on tunnel_group 68.21.58.66
Mar 13 18:24:43 [IKEv1 DEBUG]: Group = 68.21.58.66, IP = 68.21.58.66, Generating keys for Initiator...
Mar 13 18:24:43 [IKEv1 DEBUG]: Group = 68.21.58.66, IP = 68.21.58.66, constructing ID payload
Mar 13 18:24:43 [IKEv1 DEBUG]: Group = 68.21.58.66, IP = 68.21.58.66, constructing hash payload
Mar 13 18:24:43 [IKEv1 DEBUG]: Group = 68.21.58.66, IP = 68.21.58.66, Computing hash for ISAKMP
Mar 13 18:24:43 [IKEv1 DEBUG]: Group = 68.21.58.66, IP = 68.21.58.66, constructing dpd vid payload
Mar 13 18:24:43 [IKEv1]: IP = 68.21.58.66, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + VENDOR (13) + NONE (0) total length : 84
Mar 13 18:24:43 [IKEv1]: IP = 68.21.58.66, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NOTIFY (11) + NONE (0) total length : 92
Mar 13 18:24:43 [IKEv1 DEBUG]: Group = 68.21.58.66, IP = 68.21.58.66, processing ID payload
Mar 13 18:24:43 [IKEv1 DECODE]: Group = 68.21.58.66, IP = 68.21.58.66, ID_IPV4_ADDR ID received
68.21.58.66
Mar 13 18:24:43 [IKEv1 DEBUG]: Group = 68.21.58.66, IP = 68.21.58.66, processing hash payload
Mar 13 18:24:43 [IKEv1 DEBUG]: Group = 68.21.58.66, IP = 68.21.58.66, Computing hash for ISAKMP
Mar 13 18:24:43 [IKEv1 DEBUG]: Group = 68.21.58.66, IP = 68.21.58.66, processing notify payload
Mar 13 18:24:43 [IKEv1]: IP = 68.21.58.66, Connection landed on tunnel_group 68.21.58.66

IPSEC: New embryonic SA created @ 0xDBF869B8,
    SCB: 0xDC1D45E8,
    Direction: inbound
    SPI      : 0xBB11B22A
    Session ID: 0x0036E000
    VPIF num  : 0x00000001
    Tunnel type: l2l
    Protocol   : esp
    Lifetime   : 240 seconds

Please advise.

Thanks,

Saroj
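The debug output above tells the story in two parts: phase 1 (main mode) completes, the ASA reaches quick mode, and quick mode then fails with "QM FSM error" and "No SPI to identify Phase 2 SA". The following Python script is an added example written for this page, not code from the thread or from Cisco: it reads a handful of the posted debug lines (copied here with the extraction whitespace removed, as a constructed sample), counts phase 1 and phase 2 indicators per peer, pulls out the proxy IDs the ASA tried to negotiate, and turns that into the same triage question Federico and Anisha are asking.

```python
"""Triage ASA IKEv1 debug output: did phase 1 succeed and phase 2 fail?

Added example for this thread (not the ASA's own tooling).  The indicator
strings are substrings of lines the ASA printed in the debug above.
"""
import re
from collections import Counter

# Constructed sample: a subset of the 'deb cry isa 127' lines posted above.
DEBUG_LINES = """\
Mar 13 18:24:37 [IKEv1]: Group = 68.21.58.66, IP = 68.21.58.66, QM FSM error (P2 struct &0xd9da80c0, mess id 0xfe0ec465)!
Mar 13 18:24:37 [IKEv1 DEBUG]: Group = 68.21.58.66, IP = 68.21.58.66, IKE QM Initiator FSM error history (struct &0xd9da80c0)  , :  QM_DONE, EV_ERROR-->QM_WAIT_MSG2, EV_TIMEOUT-->QM_WAIT_MSG2, NullEvent-->QM_SND_MSG1, EV_SND_MSG-->QM_SND_MSG1, EV_START_TMR-->QM_SND_MSG1, EV_RESEND_MSG-->QM_WAIT_MSG2, EV_TIMEOUT-->QM_WAIT_MSG2, NullEvent
Mar 13 18:24:37 [IKEv1]: Group = 68.21.58.66, IP = 68.21.58.66, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
Mar 13 18:24:37 [IKEv1 DEBUG]: Group = 68.21.58.66, IP = 68.21.58.66, IKE Deleting SA: Remote Proxy 192.168.100.145, Local Proxy 172.16.49.69
Mar 13 18:24:42 [IKEv1]: IP = 68.21.58.66, IKE Initiator: New Phase 1, Intf inside, IKE Peer 68.21.58.66  local Proxy Address 172.16.49.69, remote Proxy Address 192.168.100.145,  Crypto map (outside_map)
Mar 13 18:24:42 [IKEv1 DEBUG]: IP = 68.21.58.66, Oakley proposal is acceptable
Mar 13 18:24:43 [IKEv1]: IP = 68.21.58.66, Connection landed on tunnel_group 68.21.58.66
"""

# "Mon DD HH:MM:SS [source]: body"
LINE_RE = re.compile(r"^\w{3} \d+ \d\d:\d\d:\d\d \[[^\]]+\]: (?P<body>.*)$")
IP_RE = re.compile(r"IP = (\d+\.\d+\.\d+\.\d+)")
PROXY_RE = re.compile(r"Remote Proxy (\S+), Local Proxy (\S+)")

# Substring seen in a debug line -> what it tells us about the negotiation.
INDICATORS = [
    ("Oakley proposal is acceptable", "phase1_ok"),      # phase 1 proposal agreed
    ("Connection landed on tunnel_group", "phase1_ok"),  # peer matched a tunnel-group
    ("QM FSM error", "phase2_fail"),                     # quick mode state machine failed
    ("No SPI to identify Phase 2 SA", "phase2_fail"),    # nothing to delete: no IPsec SA was ever built
    ("EV_TIMEOUT-->QM_WAIT_MSG2", "qm_msg2_timeout"),    # initiator waited for QM message 2 in vain
]


def classify(text):
    """Per peer IP: indicator counts and the (local, remote) proxy IDs seen."""
    peers = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        body = m.group("body")
        ip = IP_RE.search(body)
        if not ip:
            continue
        rec = peers.setdefault(ip.group(1), {"hits": Counter(), "proxies": set()})
        for needle, tag in INDICATORS:
            if needle in body:
                rec["hits"][tag] += 1
        px = PROXY_RE.search(body)
        if px:
            rec["proxies"].add((px.group(2), px.group(1)))  # (local, remote)
    return peers


def diagnose(rec):
    """One-line verdict for a peer record produced by classify()."""
    h = rec["hits"]
    if h.get("phase2_fail", 0):
        hint = "compare PFS, the transform-set and the proxy IDs with the peer's policy"
        if h.get("qm_msg2_timeout", 0):
            hint += "; the ASA timed out waiting for quick mode message 2, so the peer sent no usable reply"
        return "phase 2 (quick mode) failing: " + hint
    if h.get("phase1_ok", 0):
        return "phase 1 completed; no phase 2 errors seen"
    return "no IKE indicators found"


if __name__ == "__main__":
    for peer, rec in classify(DEBUG_LINES).items():
        print(peer, sorted(rec["proxies"]), diagnose(rec))
```

The "No SPI" message is the ASA trying to send a delete for a phase 2 SA that was never created; on its own it is a symptom, and the QM FSM history just before it (repeated timeouts waiting for message 2) is what points at a phase 2 proposal the peer would not accept.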

Hi,

Please do the following:

no crypto map outside_map 1 set pfs

Try to initiate the tunnel and paste the output of:

sh cry isa sa

sh cry ips sa

Regards,

Anisha
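The command above removes PFS from crypto map entry 1, which is one way of making the phase 2 parameters agree with the SonicWall. The following Python script is an added example for this page, not something from the thread or from Cisco: it parses the crypto map entry out of the 'sh run cry' text posted earlier and reports any phase 2 setting that differs from what the remote administrator reports for their policy. The PEER_PHASE2 values (3DES/SHA, no PFS) are a constructed assumption chosen to reproduce the mismatch; the thread never shows the SonicWall configuration itself. The script treats a bare `set pfs` as the ASA default of group2, which is the documented behaviour of that command.

```python
"""Check an ASA crypto map entry's phase 2 settings against the peer's policy.

Added example for this thread.  ASA_CRYPTO_CONFIG is copied from the posted
'sh run cry' output; PEER_PHASE2 is an assumed description of the SonicWall
side, not something the thread shows.
"""
import re

# Relevant lines of the posted 'sh run cry' output.
ASA_CRYPTO_CONFIG = """\
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer h.sonivwall.VPN
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set nat-t-disable
crypto map outside_map interface outside
"""

# Constructed assumption: what the remote admin reports for the matching
# SonicWall policy.  Same encryption/hash as the ASA, but PFS disabled.
PEER_PHASE2 = {"pfs": None, "encryption": "esp-3des", "hash": "esp-sha-hmac"}


def parse_transform_sets(config):
    """{name: (encryption, hash)} from 'crypto ipsec transform-set' lines."""
    sets = {}
    for m in re.finditer(r"^crypto ipsec transform-set (\S+) (\S+) (\S+)$", config, re.M):
        sets[m.group(1)] = (m.group(2), m.group(3))
    return sets


def parse_crypto_map(config, map_name, seq):
    """Collect the 'set ...' attributes of one crypto map entry.

    'set pfs' with no group argument is the ASA default group2;
    no 'set pfs' line at all means PFS is off for that entry.
    """
    entry = {"pfs": None, "transform_set": None, "peer": None}
    prefix = rf"^crypto map {re.escape(map_name)} {seq} "
    for line in config.splitlines():
        m = re.match(prefix + r"set pfs(?: (\S+))?$", line)
        if m:
            entry["pfs"] = m.group(1) or "group2"
            continue
        m = re.match(prefix + r"set transform-set (.+)$", line)
        if m:
            entry["transform_set"] = m.group(1).split()
            continue
        m = re.match(prefix + r"set peer (\S+)$", line)
        if m:
            entry["peer"] = m.group(1)
    return entry


def phase2_mismatches(config, map_name, seq, peer):
    """Human-readable list of phase 2 differences; empty means the sides agree."""
    sets = parse_transform_sets(config)
    entry = parse_crypto_map(config, map_name, seq)
    problems = []
    if entry["pfs"] != peer["pfs"]:
        problems.append(f"PFS: ASA={entry['pfs']} peer={peer['pfs']}")
    offered = [sets[n] for n in (entry["transform_set"] or []) if n in sets]
    wanted = (peer["encryption"], peer["hash"])
    if wanted not in offered:
        problems.append(f"transform: ASA offers {offered}, peer wants {wanted}")
    return problems


if __name__ == "__main__":
    for p in phase2_mismatches(ASA_CRYPTO_CONFIG, "outside_map", 1, PEER_PHASE2):
        print("mismatch:", p)
```

Either side can close the gap: removing `set pfs` on the ASA (what fixed the tunnel here) or enabling PFS with the same DH group on the SonicWall both make the check come back clean. The second option keeps forward secrecy for the phase 2 keys, which is why Federico's first suggestion was to match PFS rather than to drop it.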

Hi Anisha,

After running the said command I am now able to ping the remote machine.

Please find the details:

Netlink-OS-ASA# sh crypto isakmp sa

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: h.sonivwall.VPN
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE

Netlink-OS-ASA# sh cry

Netlink-OS-ASA# sh crypto ips sa

interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: 122.168.191.66

      access-list outside_1_cryptomap permit ip host h.Amol_combine_vpn host h.combine_IPSupport_vpn
      local ident (addr/mask/prot/port): (h.Amol_combine_vpn/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (h.combine_IPSupport_vpn/255.255.255.255/0/0)
      current_peer: h.sonivwall.VPN

      #pkts encaps: 19, #pkts encrypt: 19, #pkts digest: 19
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 19, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 122.168.191.66, remote crypto endpt.: h.sonivwall.VPN

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 3E7D70DD

    inbound esp sas:
      spi: 0xDA704CF7 (3664792823)
         transform: esp-3des esp-sha-hmac none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 3727360, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4275000/28558)
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x3E7D70DD (1048408285)
         transform: esp-3des esp-sha-hmac none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 3727360, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4274998/28556)
         IV size: 8 bytes
         replay detection support: Y

    Crypto map tag: outside_map, seq num: 1, local addr: 122.168.191.66

      access-list outside_1_cryptomap permit ip host h.Amol_combine_vpn host h.combine_citrixserver_vpn
      local ident (addr/mask/prot/port): (h.Amol_combine_vpn/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (h.combine_citrixserver_vpn/255.255.255.255/0/0)
      current_peer: h.sonivwall.VPN

      #pkts encaps: 195, #pkts encrypt: 195, #pkts digest: 195
      #pkts decaps: 194, #pkts decrypt: 194, #pkts verify: 194
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 196, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 122.168.191.66, remote crypto endpt.: h.sonivwall.VPN

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: A8485A5E

    inbound esp sas:
      spi: 0xDEE67DEA (3739647466)
         transform: esp-3des esp-sha-hmac none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 3727360, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4274988/28397)
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0xA8485A5E (2823314014)
         transform: esp-3des esp-sha-hmac none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 3727360, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4274988/28395)
         IV size: 8 bytes
         replay detection support: Y

Thanks,

Saroj
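With phase 2 now completing, the output above is the place to check whether traffic actually flows in both directions: the first SA pair (to h.combine_IPSupport_vpn) shows 19 packets encapsulated and 0 decapsulated, while the second (to h.combine_citrixserver_vpn) shows 195/194. The following Python parser is an added example for this page, not code from the thread or from Cisco: it splits `show crypto ipsec sa` output into one record per crypto map section, collects the proxy identities, packet counters and SPIs, and flags SAs that are one-way or never completed. The sample text is a trimmed copy of the output posted above (constructed for the example; only the lines the parser reads are kept).

```python
"""Parse ASA 'show crypto ipsec sa' output and flag unhealthy SA pairs.

Added example for this thread, not an ASA tool.  The layout parsed here is
the indented form the ASA prints; the forum copy above lost the indentation.
"""
import re

# Constructed sample: the two SA sections posted above, trimmed.
SHOW_IPSEC_SA = """\
interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: 122.168.191.66

      local ident (addr/mask/prot/port): (h.Amol_combine_vpn/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (h.combine_IPSupport_vpn/255.255.255.255/0/0)
      current_peer: h.sonivwall.VPN

      #pkts encaps: 19, #pkts encrypt: 19, #pkts digest: 19
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      current outbound spi: 3E7D70DD

    inbound esp sas:
      spi: 0xDA704CF7 (3664792823)
         transform: esp-3des esp-sha-hmac none
    outbound esp sas:
      spi: 0x3E7D70DD (1048408285)
         transform: esp-3des esp-sha-hmac none

    Crypto map tag: outside_map, seq num: 1, local addr: 122.168.191.66

      local ident (addr/mask/prot/port): (h.Amol_combine_vpn/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (h.combine_citrixserver_vpn/255.255.255.255/0/0)
      current_peer: h.sonivwall.VPN

      #pkts encaps: 195, #pkts encrypt: 195, #pkts digest: 195
      #pkts decaps: 194, #pkts decrypt: 194, #pkts verify: 194
      current outbound spi: A8485A5E

    inbound esp sas:
      spi: 0xDEE67DEA (3739647466)
         transform: esp-3des esp-sha-hmac none
    outbound esp sas:
      spi: 0xA8485A5E (2823314014)
         transform: esp-3des esp-sha-hmac none
"""

IDENT_RE = re.compile(r"^(local|remote) ident \(addr/mask/prot/port\): \((\S+?)/")
PKTS_RE = re.compile(r"^#pkts (encaps|decaps): (\d+)")


def parse_ipsec_sas(text):
    """One dict per 'Crypto map tag' section: proxies, counters, SPIs."""
    sas, cur, side = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Crypto map tag:"):
            cur = {"local": None, "remote": None, "peer": None,
                   "encaps": 0, "decaps": 0,
                   "inbound_spi": None, "outbound_spi": None}
            sas.append(cur)
            side = None
            continue
        if cur is None:
            continue
        m = IDENT_RE.match(line)
        if m:
            cur[m.group(1)] = m.group(2)
            continue
        m = PKTS_RE.match(line)
        if m:
            cur[m.group(1)] = int(m.group(2))
        elif line.startswith("current_peer:"):
            cur["peer"] = line.split(":", 1)[1].strip()
        elif line == "inbound esp sas:":
            side = "inbound"
        elif line == "outbound esp sas:":
            side = "outbound"
        elif line.startswith("spi:") and side:
            cur[side + "_spi"] = line.split()[1]  # "spi: 0x... (decimal)"
    return sas


def diagnose(sa):
    """Short finding for one SA record, or None when it looks healthy."""
    if sa["inbound_spi"] is None or sa["outbound_spi"] is None:
        return "incomplete: phase 2 did not produce SAs in both directions"
    if sa["encaps"] > 0 and sa["decaps"] == 0:
        return "one-way: packets encrypted but none decrypted; check the remote host, its firewall and the return route"
    if sa["encaps"] == 0 and sa["decaps"] == 0:
        return "idle: no traffic has used this SA yet"
    return None


if __name__ == "__main__":
    for sa in parse_ipsec_sas(SHOW_IPSEC_SA):
        print(sa["local"], "->", sa["remote"], diagnose(sa) or "ok")
```

A one-way SA with a freshly negotiated SPI pair is not a phase 2 problem anymore; it usually means the remote host is not answering, a host firewall is dropping the echo requests, or the reply is routed around the tunnel, so the next check belongs on the SonicWall side rather than in the crypto map.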

Hi Saroj,

So the issue is resolved, right?

Please mark this thread as answered so that others can benefit from it.

Regards,

Anisha