01-16-2014 11:47 AM
I'm trying to establish a site-to-site VPN tunnel between a Cisco 1921 and an ASA.
I'm debugging using:
debug crypto isakmp
debug crypto ipsec
No debug messages are coming up on the 1921.
The following debug message keeps coming up on the ASA:
Jan 15 16:42:55 [IKEv1]: Group = 184.1.126.140, IP = 184.1.126.140, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
ASA config: http://pastebin.com/raw.php?i=wgTxe3gF
1921 config: http://pastebin.com/raw.php?i=TEihijEF
Why won't the two establish a VPN tunnel?
01-16-2014 02:35 PM
Add the transform set on the router
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set transform-set ESP-3DES-SHA
Also run a debug cry ipsec and post the results
01-16-2014 04:11 PM
We really need to see more of the debug. If that is all there is, can you add
debug cry isa 127
and post?
01-16-2014 04:36 PM
Here's the debug cry isa 127 and debug cry ipsec results for the ASA:
http://pastebin.com/raw.php?i=0DWVNdXc
There doesn't appear to be any debug result output for the 1921.
01-16-2014 04:41 PM
Thanks for the debug. What is the state in a show cry isa sa? If it's blank, please try the tunnel again and then run the command.
01-16-2014 04:47 PM
ASA:
VMON-ASA# show crypto isakmp sa

   Active SA: 4
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 4

1   IKE Peer: 184.1.116.218
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
2   IKE Peer: 199.111.175.5
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
3   IKE Peer: 184.0.251.78
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
4   IKE Peer: 184.1.126.140
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
1921:
PG-1921#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
184.1.126.140   199.111.175.5   QM_IDLE           4359 ACTIVE
184.1.96.42     184.1.126.140   MM_NO_STATE       4677 ACTIVE (deleted)
211.232.113.52  184.1.126.140   MM_NO_STATE          0 ACTIVE
184.1.126.140   184.1.96.42     CONF_XAUTH        4679 ACTIVE
184.1.126.140   184.1.96.42     MM_NO_STATE       4678 ACTIVE (deleted)
184.1.126.140   184.71.109.110  QM_IDLE           4594 ACTIVE
184.1.116.218   184.1.126.140   QM_IDLE           5047 ACTIVE
Note:
WAN IP of ASA: 184.1.96.42
WAN IP of 1921: 184.1.126.140
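As an added example (not posted in the thread), a small Python parser for the router's `show crypto isakmp sa` table that reports the per-peer IKEv1 state. It uses the 1921 output above as constructed sample input; the peer 184.1.96.42 shows CONF_XAUTH rather than QM_IDLE, which is the symptom the no-xauth keyword on the ISAKMP key addresses.

```python
import re

# Constructed sample: the 1921's output from this thread (ASA WAN 184.1.96.42,
# router WAN 184.1.126.140).
SAMPLE = """\
PG-1921#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
184.1.126.140   199.111.175.5   QM_IDLE           4359 ACTIVE
184.1.96.42     184.1.126.140   MM_NO_STATE       4677 ACTIVE (deleted)
211.232.113.52  184.1.126.140   MM_NO_STATE          0 ACTIVE
184.1.126.140   184.1.96.42     CONF_XAUTH        4679 ACTIVE
184.1.126.140   184.1.96.42     MM_NO_STATE       4678 ACTIVE (deleted)
184.1.126.140   184.71.109.110  QM_IDLE           4594 ACTIVE
184.1.116.218   184.1.126.140   QM_IDLE           5047 ACTIVE
"""

# One SA row: dst, src, state, conn-id, status, optional "(deleted)" flag.
ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(ACTIVE|INACTIVE)(?:\s+\((\w+)\))?\s*$")

def parse_isakmp_sa(text):
    """Return one dict per SA row; header and banner lines do not match ROW."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            dst, src, state, conn_id, status, flag = m.groups()
            rows.append({"dst": dst, "src": src, "state": state,
                         "conn_id": int(conn_id), "status": status, "flag": flag})
    return rows

def diagnose(rows, local_ip, peer_ip):
    """Classify the SAs between local_ip and peer_ip. A healthy IKEv1 L2L tunnel
    sits in QM_IDLE; CONF_XAUTH means the router is waiting for an XAUTH exchange
    that an L2L peer never sends; MM_NO_STATE alone means Phase 1 never completed."""
    states = [r["state"] for r in rows if {r["dst"], r["src"]} == {local_ip, peer_ip}]
    if "QM_IDLE" in states:
        return "up"
    if "CONF_XAUTH" in states:
        return "stuck in CONF_XAUTH: router expects XAUTH; add no-xauth to the crypto isakmp key for this peer"
    if states and all(s == "MM_NO_STATE" for s in states):
        return "phase 1 did not complete (MM_NO_STATE only): check the Phase 1 policy and pre-shared key on both ends"
    return "no SA with this peer"

if __name__ == "__main__":
    sas = parse_isakmp_sa(SAMPLE)
    for peer in sorted({r["dst"] if r["src"] == "184.1.126.140" else r["src"] for r in sas}):
        print(peer, "->", diagnose(sas, "184.1.126.140", peer))
```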
01-16-2014 08:02 PM
It's very strange that the ASA shows the tunnel up, but the router does not. It looks like the router is expecting authentication.
Can you add-
crypto isakmp keyaddress 184.1.96.42 no-xauth
Can you debug isakmp and ipsec on the router and post it?
01-20-2014 08:33 AM
After adding this line, the tunnel came up, and has been reliably up ever since. Thank you!
01-20-2014 10:24 AM
Sweet. Glad to hear it's working.