03-26-2018 05:08 PM - edited 03-12-2019 05:08 AM
Hi
I'm currently having issues connecting a Cisco 5520 (version 9.1(7)10) to a client's Cisco 1941 using a site-to-site VPN.
It seems to complete phase 1 but cannot complete phase 2.
I'm getting the following message during debug mode.
[IKEv1 DEBUG]Group = 206.128.13.147, IP = 206.128.13.147, Sending keep-alive of type DPD R-U-THERE (seq number 0x54606ad0)
[IKEv1 DEBUG]Group = 206.128.13.147, IP = 206.128.13.147, constructing blank hash payload
[IKEv1 DEBUG]Group = 206.128.13.147, IP = 206.128.13.147, constructing qm hash payload
[IKEv1]IP = 206.128.13.147, IKE_DECODE SENDING Message (msgid=218e1e29) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
[IKEv1]IP = 206.128.13.147, IKE_DECODE RECEIVED Message (msgid=472e693c) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
[IKEv1 DEBUG]Group = 206.128.13.147, IP = 206.128.13.147, processing hash payload
[IKEv1 DEBUG]Group = 206.128.13.147, IP = 206.128.13.147, processing notify payload
[IKEv1 DEBUG]Group = 206.128.13.147, IP = 206.128.13.147, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0x54606ad0)
[IKEv1]Group = 206.128.13.147, IP = 206.128.13.147, QM FSM error (P2 struct &0x7554a020, mess id 0xb572b418)!
[IKEv1 DEBUG]Group = 206.128.13.147, IP = 206.128.13.147, IKE QM Initiator FSM error history (struct &0x7554a020) <state>, <event>: QM_DONE, EV_ERROR-->QM_WAIT_MSG2, EV_TIMEOUT-->QM_WAIT_MSG2, NullEvent-->QM_SND_MSG1, EV_SND_MSG-->QM_SND_MSG1, EV_START_TMR-->QM_SND_MSG1, EV_RESEND_MSG-->QM_WAIT_MSG2, EV_TIMEOUT-->QM_WAIT_MSG2, NullEvent
[IKEv1 DEBUG]Group = 206.128.13.147, IP = 206.128.13.147, sending delete/delete with reason message
[IKEv1 DEBUG]Group = 206.128.13.147, IP = 206.128.13.147, constructing blank hash payload
[IKEv1 DEBUG]Group = 206.128.13.147, IP = 206.128.13.147, constructing IPSec delete payload
[IKEv1 DEBUG]Group = 206.128.13.147, IP = 206.128.13.147, constructing qm hash payload
[IKEv1]IP = 206.128.13.147, IKE_DECODE SENDING Message (msgid=4c66ac75) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 68
[IKEv1 DEBUG]Group = 206.128.13.147, IP = 206.128.13.147, IKE Deleting SA: Remote Proxy 10.60.0.0, Local Proxy 10.60.1.0
[IKEv1]Group = 206.128.13.147, IP = 206.128.13.147, Removing peer from correlator table failed, no match!
[IKEv1 DEBUG]Group = 206.128.13.147, IP = 206.128.13.147, IKE SA MM:48c2cd55 rcv'd Terminate: state MM_ACTIVE flags 0x0000c062, refcnt 1, tuncnt 0
[IKEv1]Group = 206.128.13.147, IP = 206.128.13.147, Remove from IKEv1 Tunnel Table succeeded for SA with logicalId 38035456
[IKEv1]Group = 206.128.13.147, IP = 206.128.13.147, Remove from IKEv1 MIB Table succeeded for SA with logical ID 38035456
[IKEv1 DEBUG]Group = 206.128.13.147, IP = 206.128.13.147, IKE SA MM:48c2cd55 terminating: flags 0x0100c022, refcnt 0, tuncnt 0
[IKEv1 DEBUG]Group = 206.128.13.147, IP = 206.128.13.147, sending delete/delete with reason message
[IKEv1 DEBUG]Group = 206.128.13.147, IP = 206.128.13.147, constructing blank hash payload
[IKEv1 DEBUG]Group = 206.128.13.147, IP = 206.128.13.147, constructing IKE delete payload
[IKEv1 DEBUG]Group = 206.128.13.147, IP = 206.128.13.147, constructing qm hash payload
[IKEv1]IP = 206.128.13.147, IKE_DECODE SENDING Message (msgid=616f9d10) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
[IKEv1]Group = 206.128.13.147, IP = 206.128.13.147, Warning: Ignoring IKE SA (dst) without VM bit set
[IKEv1]Group = 206.128.13.147, IP = 206.128.13.147, Session is being torn down. Reason: Lost Service
[IKEv1]IP = 206.128.13.147, Received encrypted packet with no matching SA, dropping
I've checked the transform set, ACL and per-auth password, and they all seem to be correct.
What type of encryption should I be using for the 5520 VPN?
03-27-2018 06:44 AM
Hello @gavinv123,
As you claim, Phase 2 is not coming up and that's the reason why it is failing. Based on the debugs, your ASA is the initiator of the traffic and you are not going to be able to see what is going on since you are sending your proposals. You need to do the following:
1. Turn on debugs with:
debug crypto condition peer x.x.x.x
debug crypto ikev1 255
debug crypto ipsec 255
2. Ask the remote end to initiate the traffic; this way you are going to see the proposals from the other side and you can check whether you are matching or not. So far I think it is the ACL, but let's check.
HTH
Gio
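As an added illustration (not part of the thread or of any Cisco tool), the following Python script reads ASA IKEv1 debug lines like the ones quoted in the original post and summarises what they say: whether the ISAKMP SA reached MM_ACTIVE (Phase 1 done), whether DPD acks are coming back (the peer answers IKE at all), how the Quick Mode FSM history unwinds, and which proxy identities the ASA was trying to negotiate. The sample input is copied from the debug output above; the verdict strings and the checklist text are this example's own assumptions, not ASA output.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Sample lines copied from the ASA debug output quoted earlier in this thread.
SAMPLE_DEBUG = """\
[IKEv1 DEBUG]Group = 206.128.13.147, IP = 206.128.13.147, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0x54606ad0)
[IKEv1]Group = 206.128.13.147, IP = 206.128.13.147, QM FSM error (P2 struct &0x7554a020, mess id 0xb572b418)!
[IKEv1 DEBUG]Group = 206.128.13.147, IP = 206.128.13.147, IKE QM Initiator FSM error history (struct &0x7554a020) <state>, <event>: QM_DONE, EV_ERROR-->QM_WAIT_MSG2, EV_TIMEOUT-->QM_WAIT_MSG2, NullEvent-->QM_SND_MSG1, EV_SND_MSG-->QM_SND_MSG1, EV_START_TMR-->QM_SND_MSG1, EV_RESEND_MSG-->QM_WAIT_MSG2, EV_TIMEOUT-->QM_WAIT_MSG2, NullEvent
[IKEv1 DEBUG]Group = 206.128.13.147, IP = 206.128.13.147, IKE Deleting SA: Remote Proxy 10.60.0.0, Local Proxy 10.60.1.0
[IKEv1 DEBUG]Group = 206.128.13.147, IP = 206.128.13.147, IKE SA MM:48c2cd55 rcv'd Terminate: state MM_ACTIVE flags 0x0000c062, refcnt 1, tuncnt 0
[IKEv1]IP = 206.128.13.147, Received encrypted packet with no matching SA, dropping
"""

# "[IKEv1 DEBUG]Group = a.b.c.d, IP = a.b.c.d, <message>"; the Group part is optional.
LINE_RE = re.compile(
    r"^\[IKEv1(?: DEBUG)?\](?:Group = (?P<group>\S+), )?IP = (?P<ip>\S+), (?P<msg>.*)$"
)
PROXY_RE = re.compile(r"Remote Proxy (?P<remote>\S+), Local Proxy (?P<local>\S+)")
HISTORY_MARKER = "<state>, <event>: "


def parse_line(line: str) -> Optional[dict]:
    """Split one debug line into group, peer IP and free-text message."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def parse_fsm_history(msg: str) -> List[Tuple[str, str]]:
    """Turn 'QM_DONE, EV_ERROR-->QM_WAIT_MSG2, EV_TIMEOUT-->...' into
    [('QM_DONE', 'EV_ERROR'), ('QM_WAIT_MSG2', 'EV_TIMEOUT'), ...].
    The ASA prints the most recent transition first."""
    if HISTORY_MARKER not in msg:
        return []
    history = msg.split(HISTORY_MARKER, 1)[1]
    pairs = []
    for chunk in history.split("-->"):
        state, _, event = chunk.strip().partition(", ")
        pairs.append((state, event))
    return pairs


@dataclass
class Diagnosis:
    peer: Optional[str] = None
    phase1_active: bool = False      # ISAKMP SA reached MM_ACTIVE
    dpd_ack_seen: bool = False       # peer answered a DPD R-U-THERE
    qm_error: bool = False           # "QM FSM error" logged
    history: List[Tuple[str, str]] = field(default_factory=list)
    local_proxy: Optional[str] = None
    remote_proxy: Optional[str] = None
    dropped_no_sa: int = 0           # "no matching SA, dropping" count

    @property
    def timed_out_waiting_for_qm2(self) -> bool:
        # QM message 1 was sent (and resent) but no QM message 2 ever arrived.
        return ("QM_WAIT_MSG2", "EV_TIMEOUT") in self.history

    def verdict(self) -> str:
        # Verdict labels are this example's own convention (assumption).
        if not self.phase1_active:
            return "phase1-incomplete"
        if self.qm_error and self.timed_out_waiting_for_qm2:
            return "phase2-no-reply"
        if self.qm_error:
            return "phase2-error"
        return "no-fault-seen"

    def checklist(self) -> str:
        if self.verdict() != "phase2-no-reply":
            return "Nothing specific to check from these lines."
        return (
            f"Phase 1 is up with {self.peer} but the peer never answered Quick Mode "
            f"message 1. Compare the crypto ACL (local {self.local_proxy} <-> remote "
            f"{self.remote_proxy}) with the mirror image on the peer, and confirm the "
            f"transform set and PFS group match; {self.dropped_no_sa} packet(s) were "
            f"dropped for having no matching SA."
        )


def diagnose(debug_text: str) -> Diagnosis:
    d = Diagnosis()
    for raw in debug_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # not an IKEv1 debug line; ignore
        d.peer = d.peer or rec["ip"]
        msg = rec["msg"]
        if "state MM_ACTIVE" in msg:
            d.phase1_active = True
        if "DPD R-U-THERE-ACK" in msg:
            d.dpd_ack_seen = True
        if "QM FSM error" in msg:
            d.qm_error = True
        if HISTORY_MARKER in msg:
            d.history = parse_fsm_history(msg)
        pm = PROXY_RE.search(msg)
        if pm:
            d.local_proxy, d.remote_proxy = pm.group("local"), pm.group("remote")
        if "no matching SA, dropping" in msg:
            d.dropped_no_sa += 1
    return d


if __name__ == "__main__":
    result = diagnose(SAMPLE_DEBUG)
    print(result.verdict())
    print(result.checklist())
```

Run it against a capture of `debug crypto ikev1 255` output (filtered with `debug crypto condition peer x.x.x.x` as Gio suggests) to get the same summary for a different peer; the history parser is the part worth keeping, since the newest-first transition list is the quickest way to see where Quick Mode stalled.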
03-28-2018 01:11 AM
03-28-2018 06:28 AM
Hello @gavinv123,
It is the same as before, just with debugs at 255 :)
The test should be initiated from the other side in order to get the results we want, you need to stop any traffic that is coming from the ASA side.
That's the only way to compare based on what you have on your side.
HTH
Gio
03-28-2018 04:13 PM
Hi Gio
The traffic was generated from the Cisco 1941 on the other side. The first line says:
IP = 206.128.13.147, IKE Initiator: New Phase 1, Intf GlobalCreatures, IKE Peer 206.128.13.147 local Proxy Address 10.60.1.0, remote Proxy Address 10.60.0.0, Crypto map (AZURE-CRYPTO-MAP)
206.128.13.147 is the public IP address on the other side. I've run "undebug all" and re-entered the following.
debug crypto condition peer x.x.x.x
debug crypto ikev1 255
debug crypto ipsec 255
I still got the following. Please see the attachment.
It's pretty hard for me to just stop all traffic on the ASA, since there is a lot of live client production traffic and many VPNs running on the ASA, but I'll try and see what I can do.
04-19-2018 01:40 PM
Hello @gavinv123,
I'm sorry for the late response. I was checking the logs and this seems to be a problem with an SA that is not completing, and for that reason the VPN tunnel is failing:
Mar 29 08:58:39 [IKEv1 DEBUG]Group = 206.128.13.147, IP = 206.128.13.147, IKE Deleting SA: Remote Proxy 10.60.0.0, Local Proxy 10.60.1.0 --> This is not working, the SA is not matching and for that reason the ASA is dropping the packets for the entire VPN tunnel.
Mar 29 08:58:39 [IKEv1]Group = 206.128.13.147, IP = 206.128.13.147, Removing peer from correlator table failed, no match!
Mar 29 08:58:39 [IKEv1]IP = 206.128.13.147, Received encrypted packet with no matching SA, dropping --> Sometimes when the ASA doesn't match the SA, it drops the entire tunnel. You need to verify with the remote end that everything is being matched.
HTH
Gio
04-19-2018 02:55 PM
Phase 1 is not completing as indicated by the QM_WAIT_MSG2:
Mar 29 08:58:39 [IKEv1 DEBUG]Group = 206.128.13.147, IP = 206.128.13.147, IKE QM Initiator FSM error history (struct &0x754afea0) <state>, <event>: QM_DONE, EV_ERROR-->QM_WAIT_MSG2, EV_TIMEOUT-->QM_WAIT_MSG2, NullEvent-->QM_SND_MSG1, EV_SND_MSG-->QM_SND_MSG1, EV_START_TMR-->QM_SND_MSG1, EV_RESEND_MSG-->QM_WAIT_MSG2, EV_TIMEOUT-->QM_WAIT_MSG2, NullEvent
I am leaning more toward there being either an issue with routing toward the peer IP at the remote end or a mismatch in the Phase 1 configuration.