Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1134
Views
0
Helpful
3
Replies

Cisco ASA 5505 VPN reconnection issues.

Taggart2004
Level 1
Level 1

‎02-04-2016 07:58 AM

Hi

Having this issue for a few days now. Initial VPN connection works and everything is ok for an hour or so. When the VPN drops out the ASA does not reconnect the VPN.

Cisco Adaptive Security Appliance Software Version 8.2(5)58 
Device Manager Version 7.5(1)90
Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024KB

VPN initial connection after system startup.

# sh crypto isakmp sa

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: xx.xx.xx.xx
    Type    : L2L             Role    : responder 
    Rekey   : no              State   : MM_ACTIVE 

# show vpn-sessiondb l2l

Session Type: LAN-to-LAN

Connection   : xx.xx.xx.xx
Index        : 1                      IP Addr      : xx.xx.xx.xx
Protocol     : IKE IPsec
Encryption   : 3DES                   Hashing      : MD5
Bytes Tx     : 362664                 Bytes Rx     : 3636746
Login Time   : 16:23:40 UTC Thu Feb 4 2016
Duration     : 0h:08m:43s
#

When the VPN drops; the state does not get beyond MM_WAIT_MSG2

# sh crypto isakmp sa                       

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: xx.xx.xx.xx
    Type    : user            Role    : initiator 
    Rekey   : no              State   : MM_WAIT_MSG2
#

Reconnection attempt log details are attached in ASA-logs.txt

VPN config

object-group network PALO_VPN
 network-object 10.21.0.0 255.255.0.0
 network-object 10.29.0.0 255.255.0.0

access-list VPNtoHQ extended permit ip 10.10.10.0 255.255.255.0 object-group PALO_VPN 

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 

crypto ipsec security-association lifetime seconds 86400
crypto ipsec security-association lifetime kilobytes 4608000

crypto map VPN 1 match address VPNtoHQ
crypto map VPN 1 set pfs 
crypto map VPN 1 set peer xx.xx.xx.xx
crypto map VPN 1 set transform-set ESP-3DES-MD5
crypto map VPN 1 set security-association lifetime seconds 86400
crypto map VPN 1 set security-association lifetime kilobytes 4608000
crypto map VPN interface outside

crypto isakmp identity address 
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption aes
 hash md5
 group 1
 lifetime 86400
crypto isakmp policy 50
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto isakmp policy 70
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 90
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 110
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400

ssl encryption 3des-sha1 aes128-sha1 aes256-sha1

tunnel-group xx.xx.xx.xxtype ipsec-l2l
tunnel-group xx.xx.xx.xxipsec-attributes
 pre-shared-key **removed**

The peer is a Palo Alto with many other VPNs sucessfully connected and no issues with reconnections.

ASA has also been replaced but not made a difference.

Palo logs also attached (palo-logs.jpg), Palo Fails when trying to initiate P1, and the ASA does not get a responce when trying to initiate P1.

When the VPN drops on the ASA, the Palo keeps trying to send data over the VPN.

VPNs on Palo and ASA have been rebuilt but no difference - all settings confirmed to match on each end.

Any ideas?

Thanks

Iain

Labels:
Preview file
63 KB
Preview file
39 KB
0 Helpful
3 Replies 3

JP Miranda Z
Cisco Employee
Cisco Employee

‎02-04-2016 10:03 AM

Hi 

MM_WAITING_MSG2 normally means that you have a connectivity issue between the peers on udp500/4500.

When this issue is happening you can set up a capture on the outside interface in order to find out if traffic is flowing both ways:

capture test interface outside match ip host (ASApeerip) host (PALOpeerip)

Hope this helps you find the problem.

-JP- 

0 Helpful

Taggart2004
Level 1
Level 1
In response to JP Miranda Z

‎02-10-2016 03:50 AM

Hi JP

Thanks for your reply.Still stuck on the rekey, even if the timeout is an hour or 24 hours. On Rekey the VPN goes does and fails to re-establish the link.

All timeouts have since been removed.

This is the output from the capture


107 packets captured

   1: 12:34:48.774511 802.1Q vlan#2 P0 (ASApeerip).22 > (PALOpeerip).8743: P 4128557007:4128557075(68) ack 3615896712 win 32768 
   2: 12:34:48.801151 802.1Q vlan#2 P0 (PALOpeerip).8743 > (ASApeerip).22: . ack 4128557007 win 64384 
   3: 12:34:48.853303 802.1Q vlan#2 P0 (PALOpeerip).8743 > (ASApeerip).22: . ack 4128557075 win 64316 
   4: 12:34:49.196706 802.1Q vlan#2 P0 (PALOpeerip) > (ASApeerip):  ip-proto-50, length 100 
   5: 12:34:49.660396 802.1Q vlan#2 P0 (PALOpeerip).8743 > (ASApeerip).22: P 3615896712:3615896764(52) ack 4128557075 win 64316 
   6: 12:34:49.660457 802.1Q vlan#2 P0 (ASApeerip).22 > (PALOpeerip).8743: . ack 3615896764 win 32768 
   7: 12:34:49.662029 802.1Q vlan#2 P0 (ASApeerip).22 > (PALOpeerip).8743: P 4128557075:4128557127(52) ack 3615896764 win 32768 
   8: 12:34:49.663097 802.1Q vlan#2 P0 (ASApeerip).22 > (PALOpeerip).8743: P 4128557127:4128557195(68) ack 3615896764 win 32768 
   9: 12:34:49.692316 802.1Q vlan#2 P0 (PALOpeerip).8743 > (ASApeerip).22: . ack 4128557195 win 64196 
  10: 12:34:49.842790 802.1Q vlan#2 P0 (PALOpeerip).8743 > (ASApeerip).22: P 3615896764:3615896816(52) ack 4128557195 win 64196 
  11: 12:34:49.842836 802.1Q vlan#2 P0 (ASApeerip).22 > (PALOpeerip).8743: . ack 3615896816 win 32768 
  12: 12:34:49.844301 802.1Q vlan#2 P0 (ASApeerip).22 > (PALOpeerip).8743: P 4128557195:4128557247(52) ack 3615896816 win 32768 
  13: 12:34:49.845400 802.1Q vlan#2 P0 (ASApeerip).22 > (PALOpeerip).8743: P 4128557247:4128557315(68) ack 3615896816 win 32768 
  14: 12:34:49.874939 802.1Q vlan#2 P0 (PALOpeerip).8743 > (ASApeerip).22: . ack 4128557315 win 64076 
  15: 12:34:49.995340 802.1Q vlan#2 P0 (PALOpeerip).8743 > (ASApeerip).22: P 3615896816:3615896868(52) ack 4128557315 win 64076 
  16: 12:34:49.995386 802.1Q vlan#2 P0 (ASApeerip).22 > (PALOpeerip).8743: . ack 3615896868 win 32768 
  17: 12:34:49.996866 802.1Q vlan#2 P0 (ASApeerip).22 > (PALOpeerip).8743: P 4128557315:4128557367(52) ack 3615896868 win 32768 
  18: 12:34:49.997949 802.1Q vlan#2 P0 (ASApeerip).22 > (PALOpeerip).8743: P 4128557367:4128557435(68) ack 3615896868 win 32768 
  19: 12:34:50.027525 802.1Q vlan#2 P0 (PALOpeerip).8743 > (ASApeerip).22: . ack 4128557435 win 63956 
  20: 12:34:50.428963 802.1Q vlan#2 P0 (PALOpeerip) > (ASApeerip):  ip-proto-50, length 100 
  21: 12:34:51.054165 802.1Q vlan#2 P0 (ASApeerip).500 > (PALOpeerip).500:  udp 184 
  22: 12:34:52.193135 802.1Q vlan#2 P0 (PALOpeerip) > (ASApeerip):  ip-proto-50, length 100 
  23: 12:34:52.869614 802.1Q vlan#2 P0 (PALOpeerip) > (ASApeerip):  ip-proto-50, length 100 
  24: 12:34:53.427468 802.1Q vlan#2 P0 (PALOpeerip) > (ASApeerip):  ip-proto-50, length 164 
  25: 12:34:53.443489 802.1Q vlan#2 P0 (PALOpeerip) > (ASApeerip):  ip-proto-50, length 164 
  26: 12:34:53.664287 802.1Q vlan#2 P0 (PALOpeerip).8743 > (ASApeerip).22: P 3615896868:3615896920(52) ack 4128557435 win 63956 
  27: 12:34:53.664363 802.1Q vlan#2 P0 (ASApeerip).22 > (PALOpeerip).8743: . ack 3615896920 win 32768 
  28: 12:34:53.665920 802.1Q vlan#2 P0 (ASApeerip).22 > (PALOpeerip).8743: P 4128557435:4128557487(52) ack 3615896920 win 32768 
  29: 12:34:53.666698 802.1Q vlan#2 P0 (ASApeerip).22 > (PALOpeerip).8743: P 4128557487:4128557539(52) ack 3615896920 win 32768 
  30: 12:34:53.667445 802.1Q vlan#2 P0 (ASApeerip).22 > (PALOpeerip).8743: P 4128557539:4128557591(52) ack 3615896920 win 32768 
  31: 12:34:53.668178 802.1Q vlan#2 P0 (ASApeerip).22 > (PALOpeerip).8743: P 4128557591:4128557643(52) ack 3615896920 win 32768 
  32: 12:34:53.668910 802.1Q vlan#2 P0 (ASApeerip).22 > (PALOpeerip).8743: P 4128557643:4128557695(52) ack 3615896920 win 32768 
  33: 12:34:53.669643 802.1Q vlan#2 P0 (ASApeerip).22 > (PALOpeerip).8743: P 4128557695:4128557747(52) ack 3615896920 win 32768 
  34: 12:34:53.670390 802.1Q vlan#2 P0 (ASApeerip).22 > (PALOpeerip).8743: P 4128557747:4128557799(52) ack 3615896920 win 32768 
  35: 12:34:53.671138 802.1Q vlan#2 P0 (ASApeerip).22 > (PALOpeerip).8743: P 4128557799:4128557851(52) ack 3615896920 win 32768 
  36: 12:34:53.671870 802.1Q vlan#2 P0 (ASApeerip).22 > (PALOpeerip).8743: P 4128557851:4128557903(52) ack 3615896920 win 32768 
  37: 12:34:53.672603 802.1Q vlan#2 P0 (ASApeerip).22 > (PALOpeerip).8743: P 4128557903:4128557955(52) ack 3615896920 win 32768 
  38: 12:34:53.673335 802.1Q vlan#2 P0 (ASApeerip).22 > (PALOpeerip).8743: P 4128557955:4128558007(52) ack 3615896920 win 32768 
  39: 12:34:53.696375 802.1Q vlan#2 P0 (PALOpeerip).8743 > (ASApeerip).22: . ack 4128557539 win 63852 
  40: 12:34:53.700372 802.1Q vlan#2 P0 (PALOpeerip).8743 > (ASApeerip).22: . ack 4128557643 win 63748 
  41: 12:34:53.702371 802.1Q vlan#2 P0 (PALOpeerip).8743 > (ASApeerip).22: . ack 4128557747 win 63644 
  42: 12:34:53.704431 802.1Q vlan#2 P0 (PALOpeerip).8743 > (ASApeerip).22: . ack 4128557851 win 63540 
  43: 12:34:53.704477 802.1Q vlan#2 P0 (PALOpeerip) > (ASApeerip):  ip-proto-50, length 84 
  44: 12:34:53.708428 802.1Q vlan#2 P0 (PALOpeerip).8743 > (ASApeerip).22: . ack 4128557955 win 64860 
  45: 12:34:53.764547 802.1Q vlan#2 P0 (PALOpeerip).8743 > (ASApeerip).22: . ack 4128558007 win 64808 
  46: 12:34:54.075710 802.1Q vlan#2 P0 (PALOpeerip).8743 > (ASApeerip).22: P 3615896920:3615896972(52) ack 4128558007 win 64808 
  47: 12:34:54.075771 802.1Q vlan#2 P0 (ASApeerip).22 > (PALOpeerip).8743: . ack 3615896972 win 32768 
  48: 12:34:54.077251 802.1Q vlan#2 P0 (ASApeerip).22 > (PALOpeerip).8743: P 4128558007:4128558059(52) ack 3615896972 win 32768 
  49: 12:34:54.079387 802.1Q vlan#2 P0 (ASApeerip).22 > (PALOpeerip).8743: P 4128558059:4128558175(116) ack 3615896972 win 32768 
  50: 12:34:54.080852 802.1Q vlan#2 P0 (ASApeerip).22 > (PALOpeerip).8743: P 4128558175:4128558275(100) ack 3615896972 win 32768 
  51: 12:34:54.081843 802.1Q vlan#2 P0 (ASApeerip).22 > (PALOpeerip).8743: P 4128558275:4128558343(68) ack 3615896972 win 32768 
  52: 12:34:54.107797 802.1Q vlan#2 P0 (PALOpeerip).8743 > (ASApeerip).22: . ack 4128558175 win 64640 
  53: 12:34:54.111780 802.1Q vlan#2 P0 (PALOpeerip).8743 > (ASApeerip).22: . ack 4128558343 win 64472 
  54: 12:34:54.190236 802.1Q vlan#2 P0 (PALOpeerip) > (ASApeerip):  ip-proto-50, length 100 
  55: 12:34:54.627622 802.1Q vlan#2 P0 (PALOpeerip).8743 > (ASApeerip).22: P 3615896972:3615897024(52) ack 4128558343 win 64472 
  56: 12:34:54.627683 802.1Q vlan#2 P0 (ASApeerip).22 > (PALOpeerip).8743: . ack 3615897024 win 32768 
  57: 12:34:54.629224 802.1Q vlan#2 P0 (ASApeerip).22 > (PALOpeerip).8743: P 4128558343:4128558395(52) ack 3615897024 win 32768 
  58: 12:34:54.630277 802.1Q vlan#2 P0 (ASApeerip).22 > (PALOpeerip).8743: P 4128558395:4128558463(68) ack 3615897024 win 32768 
  59: 12:34:54.659755 802.1Q vlan#2 P0 (PALOpeerip).8743 > (ASApeerip).22: . ack 4128558463 win 64352 
  60: 12:34:54.812229 802.1Q vlan#2 P0 (PALOpeerip).8743 > (ASApeerip).22: P 3615897024:3615897076(52) ack 4128558463 win 64352 
  61: 12:34:54.812305 802.1Q vlan#2 P0 (ASApeerip).22 > (PALOpeerip).8743: . ack 3615897076 win 32768 
  62: 12:34:54.813846 802.1Q vlan#2 P0 (ASApeerip).22 > (PALOpeerip).8743: P 4128558463:4128558515(52) ack 3615897076 win 32768 
  63: 12:34:54.814945 802.1Q vlan#2 P0 (ASApeerip).22 > (PALOpeerip).8743: P 4128558515:4128558583(68) ack 3615897076 win 32768 
  64: 12:34:54.842485 802.1Q vlan#2 P0 (PALOpeerip).8743 > (ASApeerip).22: . ack 4128558583 win 64232 
  65: 12:34:54.978754 802.1Q vlan#2 P0 (PALOpeerip).8743 > (ASApeerip).22: P 3615897076:3615897128(52) ack 4128558583 win 64232 
  66: 12:34:54.978800 802.1Q vlan#2 P0 (ASApeerip).22 > (PALOpeerip).8743: . ack 3615897128 win 32768 
  67: 12:34:54.980219 802.1Q vlan#2 P0 (ASApeerip).22 > (PALOpeerip).8743: P 4128558583:4128558635(52) ack 3615897128 win 32768 
  68: 12:34:54.981287 802.1Q vlan#2 P0 (ASApeerip).22 > (PALOpeerip).8743: P 4128558635:4128558703(68) ack 3615897128 win 32768 
  69: 12:34:55.010955 802.1Q vlan#2 P0 (PALOpeerip).8743 > (ASApeerip).22: . ack 4128558703 win 64112 
  70: 12:34:55.163489 802.1Q vlan#2 P0 (PALOpeerip).8743 > (ASApeerip).22: P 3615897128:3615897180(52) ack 4128558703 win 64112 
  71: 12:34:55.163535 802.1Q vlan#2 P0 (ASApeerip).22 > (PALOpeerip).8743: . ack 3615897180 win 32768 
  72: 12:34:55.165061 802.1Q vlan#2 P0 (ASApeerip).22 > (PALOpeerip).8743: P 4128558703:4128558755(52) ack 3615897180 win 32768 
  73: 12:34:55.166129 802.1Q vlan#2 P0 (ASApeerip).22 > (PALOpeerip).8743: P 4128558755:4128558823(68) ack 3615897180 win 32768 
  74: 12:34:55.193608 802.1Q vlan#2 P0 (PALOpeerip).8743 > (ASApeerip).22: . ack 4128558823 win 63992 
  75: 12:34:56.435936 802.1Q vlan#2 P0 (PALOpeerip) > (ASApeerip):  ip-proto-50, length 100 
  76: 12:34:57.202610 802.1Q vlan#2 P0 (PALOpeerip) > (ASApeerip):  ip-proto-50, length 100 
  77: 12:34:57.862824 802.1Q vlan#2 P0 (PALOpeerip) > (ASApeerip):  ip-proto-50, length 100 
  78: 12:34:58.418832 802.1Q vlan#2 P0 (PALOpeerip) > (ASApeerip):  ip-proto-50, length 100 
  79: 12:34:58.435020 802.1Q vlan#2 P0 (PALOpeerip) > (ASApeerip):  ip-proto-50, length 164 
  80: 12:34:58.567353 802.1Q vlan#2 P0 (PALOpeerip).8743 > (ASApeerip).22: P 3615897180:3615897248(68) ack 4128558823 win 63992 
  81: 12:34:58.567429 802.1Q vlan#2 P0 (ASApeerip).22 > (PALOpeerip).8743: . ack 3615897248 win 32768 
  82: 12:34:58.569199 802.1Q vlan#2 P0 (ASApeerip).22 > (PALOpeerip).8743: P 4128558823:4128558875(52) ack 3615897248 win 32768 
  83: 12:34:58.569947 802.1Q vlan#2 P0 (ASApeerip).22 > (PALOpeerip).8743: P 4128558875:4128558927(52) ack 3615897248 win 32768 
  84: 12:34:58.570679 802.1Q vlan#2 P0 (ASApeerip).22 > (PALOpeerip).8743: P 4128558927:4128558979(52) ack 3615897248 win 32768 
  85: 12:34:58.571427 802.1Q vlan#2 P0 (ASApeerip).22 > (PALOpeerip).8743: P 4128558979:4128559031(52) ack 3615897248 win 32768 
  86: 12:34:58.572159 802.1Q vlan#2 P0 (ASApeerip).22 > (PALOpeerip).8743: P 4128559031:4128559083(52) ack 3615897248 win 32768 
  87: 12:34:58.572907 802.1Q vlan#2 P0 (ASApeerip).22 > (PALOpeerip).8743: P 4128559083:4128559135(52) ack 3615897248 win 32768 
  88: 12:34:58.573639 802.1Q vlan#2 P0 (ASApeerip).22 > (PALOpeerip).8743: P 4128559135:4128559187(52) ack 3615897248 win 32768 
  89: 12:34:58.574387 802.1Q vlan#2 P0 (ASApeerip).22 > (PALOpeerip).8743: P 4128559187:4128559239(52) ack 3615897248 win 32768 
  90: 12:34:58.575104 802.1Q vlan#2 P0 (ASApeerip).22 > (PALOpeerip).8743: P 4128559239:4128559291(52) ack 3615897248 win 32768 
  91: 12:34:58.575852 802.1Q vlan#2 P0 (ASApeerip).22 > (PALOpeerip).8743: P 4128559291:4128559343(52) ack 3615897248 win 32768 
  92: 12:34:58.576584 802.1Q vlan#2 P0 (ASApeerip).22 > (PALOpeerip).8743: P 4128559343:4128559395(52) ack 3615897248 win 32768 
  93: 12:34:58.577316 802.1Q vlan#2 P0 (ASApeerip).22 > (PALOpeerip).8743: P 4128559395:4128559447(52) ack 3615897248 win 32768 
  94: 12:34:58.578049 802.1Q vlan#2 P0 (ASApeerip).22 > (PALOpeerip).8743: P 4128559447:4128559499(52) ack 3615897248 win 32768 
  95: 12:34:58.578781 802.1Q vlan#2 P0 (ASApeerip).22 > (PALOpeerip).8743: P 4128559499:4128559551(52) ack 3615897248 win 32768 
  96: 12:34:58.579529 802.1Q vlan#2 P0 (ASApeerip).22 > (PALOpeerip).8743: P 4128559551:4128559603(52) ack 3615897248 win 32768 
  97: 12:34:58.597610 802.1Q vlan#2 P0 (PALOpeerip).8743 > (ASApeerip).22: . ack 4128558927 win 63888 
  98: 12:34:58.601424 802.1Q vlan#2 P0 (PALOpeerip).8743 > (ASApeerip).22: . ack 4128559031 win 63784 
  99: 12:34:58.603484 802.1Q vlan#2 P0 (PALOpeerip).8743 > (ASApeerip).22: . ack 4128559135 win 63680 
 100: 12:34:58.605467 802.1Q vlan#2 P0 (PALOpeerip).8743 > (ASApeerip).22: . ack 4128559239 win 63576 
 101: 12:34:58.607436 802.1Q vlan#2 P0 (PALOpeerip).8743 > (ASApeerip).22: . ack 4128559343 win 64860 
 102: 12:34:58.611449 802.1Q vlan#2 P0 (PALOpeerip).8743 > (ASApeerip).22: . ack 4128559447 win 64756 
 103: 12:34:58.613539 802.1Q vlan#2 P0 (PALOpeerip).8743 > (ASApeerip).22: . ack 4128559551 win 64652 
 104: 12:34:58.667644 802.1Q vlan#2 P0 (PALOpeerip).8743 > (ASApeerip).22: . ack 4128559603 win 64600 
 105: 12:34:59.020888 802.1Q vlan#2 P0 (PALOpeerip).8743 > (ASApeerip).22: P 3615897248:3615897300(52) ack 4128559603 win 64600 
 106: 12:34:59.020949 802.1Q vlan#2 P0 (ASApeerip).22 > (PALOpeerip).8743: . ack 3615897300 win 32768 
 107: 12:34:59.022490 802.1Q vlan#2 P0 (ASApeerip).22 > (PALOpeerip).8743: P 4128559603:4128559655(52) ack 3615897300 win 32768 
 108: 12:34:59.023680 802.1Q vlan#2 P0 (ASApeerip).22 > (PALOpeerip).8743: P 4128559655:4128559707(52) ack 3615897300 win 32768 
 109: 12:34:59.024641 802.1Q vlan#2 P0 (ASApeerip).22 > (PALOpeerip).8743: P 4128559707:4128559775(68) ack 3615897300 win 32768 
109 packets shown

This is an output from debug crypto isakmp 200

Feb 10 12:44:59 [IKEv1 DEBUG]: IP = (PALOpeerip), IKE MM Initiator FSM error history (struct &0xc92ffbe8)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
Feb 10 12:44:59 [IKEv1 DEBUG]: IP = (PALOpeerip), IKE SA MM:7407846f terminating:  flags 0x01000022, refcnt 0, tuncnt 0
Feb 10 12:44:59 [IKEv1 DEBUG]: IP = (PALOpeerip), sending delete/delete with reason message
Feb 10 12:44:59 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Feb 10 12:44:59 [IKEv1]: IP = (PALOpeerip), IKE Initiator: New Phase 1, Intf inside, IKE Peer (PALOpeerip)  local Proxy Address 10.10.10.0, remote Proxy Address 10.29.0.0,  Crypto map (outside_map0)
Feb 10 12:44:59 [IKEv1 DEBUG]: IP = (PALOpeerip), constructing ISAKMP SA payload
Feb 10 12:44:59 [IKEv1 DEBUG]: IP = (PALOpeerip), constructing Fragmentation VID + extended capabilities payload
Feb 10 12:44:59 [IKEv1]: IP = (PALOpeerip), IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 184
Feb 10 12:45:02 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Feb 10 12:45:02 [IKEv1]: IP = (PALOpeerip), Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Feb 10 12:45:05 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Feb 10 12:45:05 [IKEv1]: IP = (PALOpeerip), Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Feb 10 12:45:07 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Feb 10 12:45:07 [IKEv1]: IP = (PALOpeerip), Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Feb 10 12:45:07 [IKEv1]: IP = (PALOpeerip), IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 184
Feb 10 12:45:10 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Feb 10 12:45:10 [IKEv1]: IP = (PALOpeerip), Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Feb 10 12:45:11 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Feb 10 12:45:11 [IKEv1]: IP = (PALOpeerip), Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Feb 10 12:45:15 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Feb 10 12:45:15 [IKEv1]: IP = (PALOpeerip), Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Feb 10 12:45:15 [IKEv1]: IP = (PALOpeerip), IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 184
Feb 10 12:45:16 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Feb 10 12:45:16 [IKEv1]: IP = (PALOpeerip), Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Feb 10 12:45:20 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Feb 10 12:45:20 [IKEv1]: IP = (PALOpeerip), Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Feb 10 12:45:21 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Feb 10 12:45:21 [IKEv1]: IP = (PALOpeerip), Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Feb 10 12:45:23 [IKEv1]: IP = (PALOpeerip), IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 184
Feb 10 12:45:24 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Feb 10 12:45:24 [IKEv1]: IP = (PALOpeerip), Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Feb 10 12:45:26 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Feb 10 12:45:26 [IKEv1]: IP = (PALOpeerip), Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Feb 10 12:45:30 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Feb 10 12:45:30 [IKEv1]: IP = (PALOpeerip), Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Feb 10 12:45:31 [IKEv1 DEBUG]: IP = (PALOpeerip), IKE MM Initiator FSM error history (struct &0xc92ffbe8)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
Feb 10 12:45:31 [IKEv1 DEBUG]: IP = (PALOpeerip), IKE SA MM:557dc40c terminating:  flags 0x01000022, refcnt 0, tuncnt 0
Feb 10 12:45:31 [IKEv1 DEBUG]: IP = (PALOpeerip), sending delete/delete with reason message
Feb 10 12:45:32 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Feb 10 12:45:32 [IKEv1]: IP = (PALOpeerip), IKE Initiator: New Phase 1, Intf inside, IKE Peer (PALOpeerip)  local Proxy Address 10.10.10.0, remote Proxy Address 10.29.0.0,  Crypto map (outside_map0)
Feb 10 12:45:32 [IKEv1 DEBUG]: IP = (PALOpeerip), constructing ISAKMP SA payload

Thanks

Iain

0 Helpful

tolinrome tolinrome
Level 1
Level 1
In response to Taggart2004

‎02-10-2016 06:50 AM

If the ASA has been replaced and still there is a problem, then maybe its on the palo alto end, especially since the output shows that it cannot complete ike phase 1. Do both peers have a matching parameter for ike phase 1? Check that the lifetime settings on the palo alto aren't different than the ones on the ASA? 

0 Helpful
Customers Also Viewed These Support Documents