Cisco ASA and Barracuda NexGen f380 site-to-site VPN

fgasimzade
Level 4

Hello!

 

We were migrating from SonicWall to Barracuda, and the VPN is not coming up.

 

On Cisco ASA I see this in the logs:

 

IKE SA Proposal # 1, Transform # 0 acceptable  Matches global IKE entry # 6

IKE MM Initiator FSM error history (struct &0xcef50278)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY

 

Both Phase 1 and Phase 2 settings are the same. It seems to me it has something to do with Identity: on Barracuda it is set to IPV4_ADDR (auto), but when I try to set it to IPV4_ADDR (explicit) and type the IP address, it gives me an error:

"Explicit ID for ID type needs exactly one network entry to work"

On Barracuda side in the logs I can see this:


2016 09 08 13:46:14    Notice    +02:00     message_negotiate_sa: no compatible proposal found
2016 09 08 13:46:14    Notice    +02:00     dropped message from x.x.x.x port 500 due to notification type NO_PROPOSAL_CHOSEN
2016 09 08 13:46:14    Notice    +02:00     >>> Create exchange <noname> as initiator for phase=1 DOI=IPSec
2016 09 08 13:46:14    Notice    +02:00     >>> Start exchange <noname> as initiator for phase=1 DOI=IPSec
2016 09 08 13:46:15    Notice    +02:00     message_recv: invalid cookie(s) 88e1d2b304272517 87b7df362257bb43

Any help?

4 Replies

JP Miranda Z
Cisco Employee

Hi 

Hope this info helps!!

Rate if it helps you!!

-JP-

Yes, looks like UDP 500 is OK

 1: 18:08:01.952038 802.1Q vlan#30 P0 X.X.X.X.500 > Y.Y.Y.Y.500:  udp 132
   2: 18:08:02.033735 802.1Q vlan#30 P0 Y.Y.Y.Y.500 > X.X.X.X.500:  udp 56

OK, so that looks good, I guess. Now, if you are completely sure the configuration is matching, I would recommend you get the debugs from the ASA:

debug cry condition peer <peerip>

debug cry isa 180

I am not really familiar with the Barracuda config, but this guide may help you:

https://campus.barracuda.com/product/nextgenfirewallf/article/NGF62/VPNSiteToSiteIPsecIKEv1/

Please attach the sanitized debugs so i can tell you what could be causing the problem from the ASA perspective.

Hope this info helps!!

Rate if it helps you!!

-JP-

Here are the debugs. The IKE MM Responder FSM error history denotes a mismatching config, but it is matching! :(

ASA01# Sep 09 09:54:22 [IKEv1 DEBUG]: IP = X.X.X.X, IKE MM Responder FSM error history (struct &0xd0cca5a0)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG3, EV_TIMEOUT-->MM_WAIT_MSG3, NullEvent-->MM_SND_MSG2, EV_SND_MSG-->MM_SND_MSG2, EV_START_TMR-->MM_SND_MSG2, EV_RESEND_MSG-->MM_WAIT_MSG3, EV_TIMEOUT-->MM_WAIT_MSG3, NullEvent

Sep 09 09:54:22 [IKEv1 DEBUG]: IP = X.X.X.X, IKE SA MM:42339b28 terminating:  flags 0x01000002, refcnt 0, tuncnt 0

Sep 09 09:54:22 [IKEv1 DEBUG]: IP = X.X.X.X, sending delete/delete with reason message

Sep 09 09:54:23 [IKEv1]: IP = X.X.X.X, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 132

Sep 09 09:54:23 [IKEv1]: IP = X.X.X.X, Received Invalid Cookie message for non-existent SA

Sep 09 09:54:24 [IKEv1]: IP = X.X.X.X, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 132

Sep 09 09:54:24 [IKEv1]: IP = X.X.X.X, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.

Sep 09 09:54:24 [IKEv1]: IP = X.X.X.X, Received Invalid Cookie message for non-existent SA

Sep 09 09:54:25 [IKEv1]: IP = X.X.X.X, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 192

Sep 09 09:54:25 [IKEv1 DEBUG]: IP = X.X.X.X, processing SA payload

Sep 09 09:54:25 [IKEv1 DEBUG]: IP = X.X.X.X, Oakley proposal is acceptable

Sep 09 09:54:25 [IKEv1 DEBUG]: IP = X.X.X.X, processing VID payload

Sep 09 09:54:25 [IKEv1 DEBUG]: IP = X.X.X.X, Received NAT-Traversal ver 02 VID

Sep 09 09:54:25 [IKEv1 DEBUG]: IP = X.X.X.X, processing VID payload

Sep 09 09:54:25 [IKEv1 DEBUG]: IP = X.X.X.X, Received NAT-Traversal ver 03 VID

Sep 09 09:54:25 [IKEv1 DEBUG]: IP = X.X.X.X, processing VID payload

Sep 09 09:54:25 [IKEv1 DEBUG]: IP = X.X.X.X, Received NAT-Traversal RFC VID

Sep 09 09:54:25 [IKEv1 DEBUG]: IP = X.X.X.X, processing VID payload

Sep 09 09:54:25 [IKEv1 DEBUG]: IP = X.X.X.X, Received DPD VID

Sep 09 09:54:25 [IKEv1 DEBUG]: IP = X.X.X.X, processing VID payload

Sep 09 09:54:25 [IKEv1 DEBUG]: IP = X.X.X.X, processing IKE SA payload

Sep 09 09:54:25 [IKEv1 DEBUG]: IP = X.X.X.X, IKE SA Proposal # 1, Transform # 0 acceptable  Matches global IKE entry # 10

Sep 09 09:54:25 [IKEv1 DEBUG]: IP = X.X.X.X, constructing ISAKMP SA payload

Sep 09 09:54:25 [IKEv1 DEBUG]: IP = X.X.X.X, constructing NAT-Traversal VID ver 02 payload

Sep 09 09:54:25 [IKEv1 DEBUG]: IP = X.X.X.X, constructing Fragmentation VID + extended capabilities payload

Sep 09 09:54:25 [IKEv1]: IP = X.X.X.X, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 132

Sep 09 09:54:26 [IKEv1]: IP = X.X.X.X, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 132

Sep 09 09:54:26 [IKEv1]: IP = X.X.X.X, Received Invalid Cookie message for non-existent SA

Sep 09 09:54:27 [IKEv1 DEBUG]: IP = X.X.X.X, IKE MM Responder FSM error history (struct &0xcf5dec40)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG3, EV_TIMEOUT-->MM_WAIT_MSG3, NullEvent-->MM_SND_MSG2, EV_SND_MSG-->MM_SND_MSG2, EV_START_TMR-->MM_SND_MSG2, EV_RESEND_MSG-->MM_WAIT_MSG3, EV_TIMEOUT-->MM_WAIT_MSG3, NullEvent

Sep 09 09:54:27 [IKEv1 DEBUG]: IP = X.X.X.X, IKE SA MM:709ec892 terminating:  flags 0x01000002, refcnt 0, tuncnt 0

Sep 09 09:54:27 [IKEv1 DEBUG]: IP = X.X.X.X, sending delete/delete with reason message

Sep 09 09:54:28 [IKEv1]: IP = X.X.X.X, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 132

Sep 09 09:54:28 [IKEv1]: IP = X.X.X.X, Received Invalid Cookie message for non-existent SA

Sep 09 09:54:29 [IKEv1]: IP = X.X.X.X, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 132

Sep 09 09:54:29 [IKEv1]: IP = X.X.X.X, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.

Sep 09 09:54:29 [IKEv1]: IP = X.X.X.X, Received Invalid Cookie message for non-existent SA

Sep 09 09:54:30 [IKEv1]: IP = X.X.X.X, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 192

Sep 09 09:54:30 [IKEv1 DEBUG]: IP = X.X.X.X, processing SA payload

Sep 09 09:54:30 [IKEv1 DEBUG]: IP = X.X.X.X, Oakley proposal is acceptable

Sep 09 09:54:30 [IKEv1 DEBUG]: IP = X.X.X.X, processing VID payload

Sep 09 09:54:30 [IKEv1 DEBUG]: IP = X.X.X.X, Received NAT-Traversal ver 02 VID

Sep 09 09:54:30 [IKEv1 DEBUG]: IP = X.X.X.X, processing VID payload

Sep 09 09:54:30 [IKEv1 DEBUG]: IP = X.X.X.X, Received NAT-Traversal ver 03 VID

Sep 09 09:54:30 [IKEv1 DEBUG]: IP = X.X.X.X, processing VID payload

Sep 09 09:54:30 [IKEv1 DEBUG]: IP = X.X.X.X, Received NAT-Traversal RFC VID

Sep 09 09:54:30 [IKEv1 DEBUG]: IP = X.X.X.X, processing VID payload

Sep 09 09:54:30 [IKEv1 DEBUG]: IP = X.X.X.X, Received DPD VID

Sep 09 09:54:30 [IKEv1 DEBUG]: IP = X.X.X.X, processing VID payload

Sep 09 09:54:30 [IKEv1 DEBUG]: IP = X.X.X.X, processing IKE SA payload

Sep 09 09:54:30 [IKEv1 DEBUG]: IP = X.X.X.X, IKE SA Proposal # 1, Transform # 0 acceptable  Matches global IKE entry # 10

Sep 09 09:54:30 [IKEv1 DEBUG]: IP = X.X.X.X, constructing ISAKMP SA payload

Sep 09 09:54:30 [IKEv1 DEBUG]: IP = X.X.X.X, constructing NAT-Traversal VID ver 02 payload

Sep 09 09:54:30 [IKEv1 DEBUG]: IP = X.X.X.X, constructing Fragmentation VID + extended capabilities payload

Sep 09 09:54:30 [IKEv1]: IP = X.X.X.X, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 132

Sep 09 09:54:31 [IKEv1]: IP = X.X.X.X, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 132

Sep 09 09:54:31 [IKEv1]: IP = X.X.X.X, Received Invalid Cookie message for non-existent SA

Sep 09 09:54:32 [IKEv1 DEBUG]: IP = X.X.X.X, IKE MM Responder FSM error history (struct &0xce5717c0)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG3, EV_TIMEOUT-->MM_WAIT_MSG3, NullEvent-->MM_SND_MSG2, EV_SND_MSG-->MM_SND_MSG2, EV_START_TMR-->MM_SND_MSG2, EV_RESEND_MSG-->MM_WAIT_MSG3, EV_TIMEOUT-->MM_WAIT_MSG3, NullEvent

Sep 09 09:54:32 [IKEv1 DEBUG]: IP = X.X.X.X, IKE SA MM:831cc3f6 terminating:  flags 0x01000002, refcnt 0, tuncnt 0

Sep 09 09:54:32 [IKEv1 DEBUG]: IP = X.X.X.X, sending delete/delete with reason message

Sep 09 09:54:33 [IKEv1]: IP = X.X.X.X, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 132

Sep 09 09:54:33 [IKEv1]: IP = X.X.X.X, Received Invalid Cookie message for non-existent SA

Sep 09 09:54:34 [IKEv1]: IP = X.X.X.X, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 132

Sep 09 09:54:34 [IKEv1]: IP = X.X.X.X, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.

Sep 09 09:54:34 [IKEv1]: IP = X.X.X.X, Received Invalid Cookie message for non-existent SA

Sep 09 09:54:35 [IKEv1]: IP = X.X.X.X, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 192

Sep 09 09:54:35 [IKEv1 DEBUG]: IP = X.X.X.X, processing SA payload

Sep 09 09:54:35 [IKEv1 DEBUG]: IP = X.X.X.X, Oakley proposal is acceptable

Sep 09 09:54:35 [IKEv1 DEBUG]: IP = X.X.X.X, processing VID payload

Sep 09 09:54:35 [IKEv1 DEBUG]: IP = X.X.X.X, Received NAT-Traversal ver 02 VID

Sep 09 09:54:35 [IKEv1 DEBUG]: IP = X.X.X.X, processing VID payload

Sep 09 09:54:35 [IKEv1 DEBUG]: IP = X.X.X.X, Received NAT-Traversal ver 03 VID

Sep 09 09:54:35 [IKEv1 DEBUG]: IP = X.X.X.X, processing VID payload

Sep 09 09:54:35 [IKEv1 DEBUG]: IP = X.X.X.X, Received NAT-Traversal RFC VID

Sep 09 09:54:35 [IKEv1 DEBUG]: IP = X.X.X.X, processing VID payload

Sep 09 09:54:35 [IKEv1 DEBUG]: IP = X.X.X.X, Received DPD VID

Sep 09 09:54:35 [IKEv1 DEBUG]: IP = X.X.X.X, processing VID payload

Sep 09 09:54:35 [IKEv1 DEBUG]: IP = X.X.X.X, processing IKE SA payload

Sep 09 09:54:35 [IKEv1 DEBUG]: IP = X.X.X.X, IKE SA Proposal # 1, Transform # 0 acceptable  Matches global IKE entry # 10

Sep 09 09:54:35 [IKEv1 DEBUG]: IP = X.X.X.X, constructing ISAKMP SA payload

Sep 09 09:54:35 [IKEv1 DEBUG]: IP = X.X.X.X, constructing NAT-Traversal VID ver 02 payload

Sep 09 09:54:35 [IKEv1 DEBUG]: IP = X.X.X.X, constructing Fragmentation VID + extended capabilities payload

Sep 09 09:54:35 [IKEv1]: IP = X.X.X.X, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 132

Sep 09 09:54:36 [IKEv1]: IP = X.X.X.X, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 132

Sep 09 09:54:36 [IKEv1]: IP = X.X.X.X, Received Invalid Cookie message for non-existent SA

Sep 09 09:54:37 [IKEv1 DEBUG]: IP = X.X.X.X, IKE MM Responder FSM error history (struct &0xd0cd2760)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG3, EV_TIMEOUT-->MM_WAIT_MSG3, NullEvent-->MM_SND_MSG2, EV_SND_MSG-->MM_SND_MSG2, EV_START_TMR-->MM_SND_MSG2, EV_RESEND_MSG-->MM_WAIT_MSG3, EV_TIMEOUT-->MM_WAIT_MSG3, NullEvent

Sep 09 09:54:37 [IKEv1 DEBUG]: IP = X.X.X.X, IKE SA MM:aa81b7c9 terminating:  flags 0x01000002, refcnt 0, tuncnt 0

Sep 09 09:54:37 [IKEv1 DEBUG]: IP = X.X.X.X, sending delete/delete with reason message

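The FSM error histories in this thread (the Initiator one in the opening post and the Responder ones in the debugs above) read newest-transition-first, so the state that matters is the one immediately after the terminal MM_DONE/EV_ERROR entry. The script below is an added example, not part of the thread and not Cisco or Barracuda tooling: it decodes those histories into the main-mode message the ASA was still waiting for, and groups the `debug crypto isakmp` output into per-attempt tallies of what was received, sent, retransmitted and answered with "Invalid Cookie". The state-to-meaning table is my own mapping of RFC 2409 main-mode message numbers onto the ASA's MM_WAIT_MSGn state names, and the sample input is a condensed copy of the sanitised lines posted above (X.X.X.X), not a live capture.

```python
"""Decode Cisco ASA IKEv1 main-mode debug output: which state an SA died in,
what the ASA was waiting for there, and a per-attempt tally of what was
received, sent, retransmitted and answered with 'Invalid Cookie'."""
import re

# State -> what the ASA is waiting for. Assumption: my reading of RFC 2409
# main mode (msg 1/2 SA proposal and reply, msg 3/4 KE + nonce, msg 5/6
# identity + authentication) mapped onto the ASA's MM_WAIT_MSGn state names.
WAITING_FOR = {
    "MM_WAIT_MSG2": "peer's SA reply (msg 2): our proposal was rejected or never answered",
    "MM_WAIT_MSG3": "peer's KE + nonce (msg 3): peer took msg 2 but never continued",
    "MM_WAIT_MSG4": "peer's KE + nonce (msg 4)",
    "MM_WAIT_MSG5": "peer's identity + authentication (msg 5)",
    "MM_WAIT_MSG6": "peer's identity + authentication (msg 6): usually PSK or ID mismatch",
}

HISTORY_RE = re.compile(r"IKE MM (Initiator|Responder) FSM error history[^:]*:\s*(.+)$")
MSG_RE = re.compile(r"IKE_DECODE (RECEIVED|SENDING|RESENDING) Message \(msgid=\d+\).*total length : (\d+)")
ENTRY_RE = re.compile(r"Matches global IKE entry # (\d+)")
TERM_RE = re.compile(r"IKE SA MM:([0-9a-f]+) terminating")
INVALID_COOKIE = "Received Invalid Cookie message for non-existent SA"


def parse_history(line):
    """Return (role, [(state, event), ...]) from an FSM error history line,
    newest transition first as the ASA prints it, or None if not such a line."""
    m = HISTORY_RE.search(line)
    if not m:
        return None
    steps = []
    for hop in m.group(2).split("-->"):
        state, _, event = hop.partition(",")
        steps.append((state.strip(), event.strip()))
    return m.group(1), steps


def diagnose(line):
    """Name the state the SA was in when it was torn down: the entry right
    after the terminal (MM_DONE, EV_ERROR) is where it actually failed."""
    parsed = parse_history(line)
    if parsed is None:
        return None
    role, steps = parsed
    dead = steps[0]
    for i, step in enumerate(steps):
        if step == ("MM_DONE", "EV_ERROR") and i + 1 < len(steps):
            dead = steps[i + 1]
            break
    return {"role": role, "state": dead[0], "event": dead[1],
            "waiting_for": WAITING_FOR.get(dead[0], "unknown state")}


def summarise(lines):
    """Group 'debug crypto isakmp' lines into main-mode attempts. A new
    attempt starts at each RECEIVED msgid=0; retransmits and Invalid Cookie
    replies logged after 'terminating' still belong to that attempt."""
    attempts = []

    def new_attempt():
        a = {"received_len": None, "ike_entry": None, "sent_len": None,
             "resends": 0, "invalid_cookie": 0, "died_in": None, "sa": None}
        attempts.append(a)
        return a

    cur = None
    for line in lines:
        m = MSG_RE.search(line)
        if m and m.group(1) == "RECEIVED":
            cur = new_attempt()
            cur["received_len"] = int(m.group(2))
            continue
        if cur is None:
            cur = new_attempt()  # lines logged before the first RECEIVED
        if m:
            if m.group(1) == "SENDING":
                cur["sent_len"] = int(m.group(2))
            else:
                cur["resends"] += 1
        elif ENTRY_RE.search(line):
            cur["ike_entry"] = int(ENTRY_RE.search(line).group(1))
        elif INVALID_COOKIE in line:
            cur["invalid_cookie"] += 1
        elif TERM_RE.search(line):
            cur["sa"] = TERM_RE.search(line).group(1)
        else:
            d = diagnose(line)
            if d:
                cur["died_in"] = d["state"]
    return attempts


# Sample input: condensed copies of the sanitised lines posted in the thread
# (the opening post's initiator history, and one responder attempt plus the
# retransmits that followed its teardown). Not a live capture.
INITIATOR_LINE = ("IKE MM Initiator FSM error history (struct &0xcef50278)  <state>, <event>:  "
                  "MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->"
                  "MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->"
                  "MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY")
RESPONDER_DEBUG = """\
Sep 09 09:54:25 [IKEv1]: IP = X.X.X.X, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 192
Sep 09 09:54:25 [IKEv1 DEBUG]: IP = X.X.X.X, IKE SA Proposal # 1, Transform # 0 acceptable  Matches global IKE entry # 10
Sep 09 09:54:25 [IKEv1]: IP = X.X.X.X, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 132
Sep 09 09:54:26 [IKEv1]: IP = X.X.X.X, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 132
Sep 09 09:54:26 [IKEv1]: IP = X.X.X.X, Received Invalid Cookie message for non-existent SA
Sep 09 09:54:27 [IKEv1 DEBUG]: IP = X.X.X.X, IKE MM Responder FSM error history (struct &0xcf5dec40)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG3, EV_TIMEOUT-->MM_WAIT_MSG3, NullEvent-->MM_SND_MSG2, EV_SND_MSG-->MM_SND_MSG2, EV_START_TMR-->MM_SND_MSG2, EV_RESEND_MSG-->MM_WAIT_MSG3, EV_TIMEOUT-->MM_WAIT_MSG3, NullEvent
Sep 09 09:54:27 [IKEv1 DEBUG]: IP = X.X.X.X, IKE SA MM:709ec892 terminating:  flags 0x01000002, refcnt 0, tuncnt 0
Sep 09 09:54:28 [IKEv1]: IP = X.X.X.X, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 132
Sep 09 09:54:28 [IKEv1]: IP = X.X.X.X, Received Invalid Cookie message for non-existent SA
"""

if __name__ == "__main__":
    print(diagnose(INITIATOR_LINE))
    for attempt in summarise(RESPONDER_DEBUG.splitlines()):
        print(attempt)
```

Run against the thread's own lines, the initiator history from the first post decodes to MM_WAIT_MSG2 (the ASA never got a usable SA reply, which is what the Barracuda's NO_PROPOSAL_CHOSEN would produce), while every responder attempt in the later debugs decodes to MM_WAIT_MSG3 after a proposal match on global IKE entry 10 and a 132-byte msg 2 going out, with the peer answering the retransmits with Invalid Cookie. That separates "Phase 1 proposal mismatch" (which these responder attempts rule out on the ASA side) from "peer does not recognise the SA it just opened", and points at the Barracuda's "invalid cookie(s)" log as the next thing to explain.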