11-23-2010 06:32 PM
Trying to configure a dynamic L2L VPN connection between an HQ ASA that currently functions as a remote access VPN for end users and a 3825 router with a cellular module with a dynamically assigned address. I keep getting phase 2 failures. Configs attached.
11-23-2010 06:55 PM
Hi David,
At first glance I don't see any problem with the configurations...
What phase 2 errors are you seeing?
Federico.
11-23-2010 07:03 PM
From the router:
Nov 24 02:41:39.123: ISAKMP:(1181):Send initial contact
Nov 24 02:41:39.123: ISAKMP:(1181):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
Nov 24 02:41:39.123: ISAKMP (1181): ID payload
next-payload : 8
type : 1
address :
protocol : 17
port : 500
length : 12
Nov 24 02:41:39.123: ISAKMP:(1181):Total payload length: 12
Nov 24 02:41:39.123: ISAKMP:(1181): sending packet to
Nov 24 02:41:39.123: ISAKMP:(1181):Sending an IKE IPv4 Packet.
Nov 24 02:41:39.123: ISAKMP:(1181):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Nov 24 02:41:39.123: ISAKMP:(1181):Old State = IKE_I_MM4 New State = IKE_I_MM5
Nov 24 02:41:39.223: ISAKMP (1181): received packet from
Nov 24 02:41:39.223: ISAKMP:(1181): processing ID payload. message ID = 0
Nov 24 02:41:39.223: ISAKMP (1181): ID payload
next-payload : 8
type : 1
address :
protocol : 17
port : 500
length : 12
Nov 24 02:41:39.223: ISAKMP:(0):: peer matches *none* of the profiles
Nov 24 02:41:39.223: ISAKMP:(1181): processing HASH payload. message ID = 0
Nov 24 02:41:39.223: ISAKMP:received payload type 17
Nov 24 02:41:39.223: ISAKMP:(1181): processing vendor id payload
Nov 24 02:41:39.223: ISAKMP:(1181): vendor ID is DPD
Nov 24 02:41:39.223: ISAKMP:(1181):SA authentication status:
authenticated
Nov 24 02:41:39.223: ISAKMP:(1181):SA has been authenticated with
Nov 24 02:41:39.223: ISAKMP: Trying to insert a peer
Nov 24 02:41:39.227: ISAKMP:(1181):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Nov 24 02:41:39.227: ISAKMP:(1181):Old State = IKE_I_MM5 New State = IKE_I_MM6
Nov 24 02:41:39.227: ISAKMP:(1181):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Nov 24 02:41:39.227: ISAKMP:(1181):Old State = IKE_I_MM6 New State = IKE_I_MM6
Nov 24 02:41:39.227: ISAKMP:(1181):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Nov 24 02:41:39.227: ISAKMP:(1181):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
Nov 24 02:41:39.227: ISAKMP:(1181):beginning Quick Mode exchange, M-ID of -1994434420
Nov 24 02:41:39.227: ISAKMP:(1181):QM Initiator gets spi
Nov 24 02:41:39.227: ISAKMP:(1181): sending packet to
Nov 24 02:41:39.227: ISAKMP:(1181):Sending an IKE IPv4 Packet.
Nov 24 02:41:39.227: ISAKMP:(1181):Node -1994434420, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
Nov 24 02:41:39.227: ISAKMP:(1181):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
Nov 24 02:41:39.227: ISAKMP:(1181):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Nov 24 02:41:39.227: ISAKMP:(1181):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Nov 24 02:41:39.335: ISAKMP (1181): received packet from
Nov 24 02:41:39.335: ISAKMP: set new node -576506105 to QM_IDLE
Nov 24 02:41:39.335: ISAKMP:(1181): processing HASH payload. message ID = -576506105
Nov 24 02:41:39.335: ISAKMP:(1181): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 0, message ID = -576506105, sa = 6A4EDE28
Nov 24 02:41:39.335: ISAKMP:(1181):deleting node -576506105 error FALSE reason "Informational (in) state 1"
Nov 24 02:41:39.335: ISAKMP:(1181):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Nov 24 02:41:39.335: ISAKMP:(1181):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Nov 24 02:41:39.335: ISAKMP (1181): received packet from
Nov 24 02:41:39.335: ISAKMP: set new node -1942414762 to QM_IDLE
Nov 24 02:41:39.335: ISAKMP:(1181): processing HASH payload. message ID = -1942414762
Nov 24 02:41:39.335: ISAKMP:(1181): processing DELETE payload. message ID = -1942414762
Nov 24 02:41:39.335: ISAKMP:(1181):peer does not do paranoid keepalives.
Nov 24 02:41:39.335: ISAKMP:(1181):deleting SA reason "No reason" state (I) QM_IDLE (peer
Nov 24 02:41:39.335: ISAKMP:(1181):deleting node -1942414762 error FALSE reason "Informational (in) state 1"
Nov 24 02:41:39.339: ISAKMP: set new node -819879339 to QM_IDLE
Nov 24 02:41:39.339: ISAKMP:(1181): sending packet to
Nov 24 02:41:39.339: ISAKMP:(1181):Sending an IKE IPv4 Packet.
Nov 24 02:41:39.339: ISAKMP:(1181):purging node -819879339
Nov 24 02:41:39.339: ISAKMP:(1181):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Nov 24 02:41:39.339: ISAKMP:(1181):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA
Nov 24 02:41:39.339: ISAKMP:(1181):deleting SA reason "No reason" state (I) QM_IDLE (peer
Nov 24 02:41:39.339: ISAKMP:(0):Can't decrement IKE Call Admission Control stat outgoing_active since it's already 0.
Nov 24 02:41:39.339: ISAKMP: Unlocking peer struct 0x6A4BAC98 for isadb_mark_sa_deleted(), count 0
Nov 24 02:41:39.339: ISAKMP: Deleting peer node by peer_reap for
Nov 24 02:41:39.339: ISAKMP:(1181):deleting node -1994434420 error FALSE reason "IKE deleted"
Nov 24 02:41:39.339: ISAKMP:(1181):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Nov 24 02:41:39.339: ISAKMP:(1181):Old State = IKE_DEST_SA New State = IKE_DEST_SA
Nov 24 02:41:39.379: ISAKMP:(1179):purging SA., sa=6A93641C, delme=6A93641C
Nov 24 02:41:59.423: ISAKMP:(1180):purging node -60064817
Nov 24 02:41:59.431: ISAKMP:(1180):purging node -149000842
Nov 24 02:41:59.431: ISAKMP:(1180):purging node 754664172
Nov 24 02:42:09.431: ISAKMP:(1180):purging SA., sa=6A4C7BBC, delme=6A4C7BBC
Nov 24 02:42:29.335: ISAKMP:(1181):purging node -576506105
Nov 24 02:42:29.335: ISAKMP:(1181):purging node -1942414762
Nov 24 02:42:29.339: ISAKMP:(1181):purging node -1994434420
Nov 24 02:42:39.339: ISAKMP:(1181):purging SA., sa=6A4EDE28, delme=6A4EDE28
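The debug output above shows where the negotiation stops: phase 1 reaches IKE_P1_COMPLETE, Quick Mode begins, and the peer answers with NOTIFY PROPOSAL_NOT_CHOSEN for protocol 3. The following is an added example, not part of the original post, that pulls that sequence out of such output; the function names are hypothetical, the sample lines are excerpted from the log above, and the protocol-number mapping is taken from the IPsec DOI (RFC 2407).

```python
import re

# Lines excerpted from the router debug output posted above.
SAMPLE = """\
Nov 24 02:41:39.227: ISAKMP:(1181):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
Nov 24 02:41:39.227: ISAKMP:(1181):beginning Quick Mode exchange, M-ID of -1994434420
Nov 24 02:41:39.227: ISAKMP:(1181):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
Nov 24 02:41:39.335: ISAKMP:(1181): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
Nov 24 02:41:39.335: ISAKMP:(1181): processing DELETE payload. message ID = -1942414762
Nov 24 02:41:39.339: ISAKMP:(1181):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA
"""

# Protocol-ID values from the IPsec DOI (RFC 2407).
PROTOCOLS = {1: "ISAKMP", 2: "AH", 3: "ESP", 4: "IPCOMP"}

LINE = re.compile(r"ISAKMP:?\s*\((\d+)\):+\s*(.*)")
STATE = re.compile(r"New State = (\w+)")
NOTIFY = re.compile(r"processing NOTIFY (\w+) protocol (\d+)")


def summarize(log):
    """Map each IKE SA id to how far its negotiation got (hypothetical helper)."""
    sas = {}
    for raw in log.splitlines():
        m = LINE.search(raw)
        if not m:
            continue  # continuation lines and lines without an SA id
        sa = sas.setdefault(int(m.group(1)), {
            "phase1_done": False, "qm_started": False,
            "notifies": [], "last_state": None})
        body = m.group(2)
        if s := STATE.search(body):
            sa["last_state"] = s.group(1)
            sa["phase1_done"] |= s.group(1) == "IKE_P1_COMPLETE"
        if "beginning Quick Mode exchange" in body:
            sa["qm_started"] = True
        if n := NOTIFY.search(body):
            proto = PROTOCOLS.get(int(n.group(2)), n.group(2))
            sa["notifies"].append((n.group(1), proto))
    return sas


def verdict(sa):
    """Name the phase in which the negotiation stopped."""
    if not sa["phase1_done"]:
        return "phase 1 did not complete"
    if sa["qm_started"] and sa["notifies"]:
        name, proto = sa["notifies"][0]
        return f"phase 2 rejected by peer: {name} for {proto}"
    return "phase 1 complete, no phase 2 rejection seen"
```
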
11-23-2010 07:10 PM
I read something about ASAs only supporting one dynamic crypto map per interface, but I assume that means one crypto map that can have multiple dynamic and static mappings in it.
12-28-2010 10:41 AM
I did get this to work finally. Apparently I had everything configured properly; once the router was rebooted, the IPSec tunnel came right up and was happy. Not sure why it didn't work initially.