11-04-2011 09:11 AM
Hello
I have a cisco asa 5510 running 8.2 and a tunnel connected to what I believe is a Fortinet device.
The errors in my ASDM 6.2 real time log state:
3 Nov 04 2011 12:01:09 713902 IP = 142.46.x.201, Invalid packet detected!
4 Nov 04 2011 12:01:08 713903 Group = 142.46.x.201, IP = 142.46.x.201, Error: Unable to remove PeerTblEntry
3 Nov 04 2011 12:01:08 713902 Group = 142.46.x.201, IP = 142.46.x.201, Removing peer from peer table failed, no match!
6 Nov 04 2011 12:01:08 713905 Group = 142.46.x.201, IP = 142.46.x.201, Rxed Hash is incorrect: Pre-shared key or Digital Signature mismatch
5 Nov 04 2011 12:01:08 713041 IP = 142.46.x.201, IKE Initiator: New Phase 1, Intf NYGHINT, IKE Peer 142.46.x.201 local Proxy Address 192.168.x.0, remote Proxy Address 10.21.x.0, Crypto map (SSHAEXTERNAL_map3)
These errors just keep repeating, but occasionally the tunnel will come up for an unknown reason. I know that the pre-shared keys match and that all the crypto maps etc. are correct. This is the first tunnel on a new ASA, and that may be a factor, but I am not sure.
Why does the box tell me I have a pre-shared key mismatch when I know I don't? I am not using certificates either, so the Digital Signature piece is not the issue.
Any help would be appreciated, I can post the config if that would help.
Thanks
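The five log lines above are one IKE phase 1 attempt, displayed by ASDM newest-first (the 12:01:09 line sits above the 12:01:08 lines). The following is an added example, not code from the post or from Cisco: it puts the lines back in chronological order and collapses them into one record per peer, so a busy real-time log can be reduced to "which interface and crypto map started the attempt, and what the first failure was". The sample input is the post's own lines; the syslog IDs 713041 and 713905 are used exactly as they appear there. One thing the summary surfaces is the interface the ASA chose for the peer (here NYGHINT), which is worth comparing with the interface the crypto map is applied to.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample input: the five ASDM real-time log lines quoted in the post,
# in the order ASDM shows them (newest first, as the timestamps confirm).
SAMPLE_LOG = """\
3 Nov 04 2011 12:01:09 713902 IP = 142.46.x.201, Invalid packet detected!
4 Nov 04 2011 12:01:08 713903 Group = 142.46.x.201, IP = 142.46.x.201, Error: Unable to remove PeerTblEntry
3 Nov 04 2011 12:01:08 713902 Group = 142.46.x.201, IP = 142.46.x.201, Removing peer from peer table failed, no match!
6 Nov 04 2011 12:01:08 713905 Group = 142.46.x.201, IP = 142.46.x.201, Rxed Hash is incorrect: Pre-shared key or Digital Signature mismatch
5 Nov 04 2011 12:01:08 713041 IP = 142.46.x.201, IKE Initiator: New Phase 1, Intf NYGHINT, IKE Peer 142.46.x.201 local Proxy Address 192.168.x.0, remote Proxy Address 10.21.x.0, Crypto map (SSHAEXTERNAL_map3)
"""

# severity, timestamp, six-digit syslog ID, message text
LINE_RE = re.compile(r"^(?P<sev>\d)\s+(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2})\s+(?P<id>\d{6})\s+(?P<msg>.*)$")
START_ID = "713041"    # IKE Initiator: New Phase 1
FAILURE_ID = "713905"  # Rxed Hash is incorrect


@dataclass
class Phase1Attempt:
    peer: str
    interface: Optional[str] = None
    crypto_map: Optional[str] = None
    failure: Optional[str] = None                      # text of the first 713905 event
    events: List[str] = field(default_factory=list)    # syslog IDs, oldest first


def parse(text: str) -> List[dict]:
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # anything that is not a syslog line is skipped
            ev = m.groupdict()
            ev["time"] = datetime.strptime(ev["ts"], "%b %d %Y %H:%M:%S")
            events.append(ev)
    events.reverse()                       # undo ASDM's newest-first display order
    events.sort(key=lambda e: e["time"])   # stable sort keeps same-second order
    return events


def summarize(text: str) -> Dict[str, Phase1Attempt]:
    attempts: Dict[str, Phase1Attempt] = {}
    for ev in parse(text):
        peer_m = re.search(r"IP = ([^,]+)", ev["msg"])
        if not peer_m:
            continue
        a = attempts.setdefault(peer_m.group(1), Phase1Attempt(peer=peer_m.group(1)))
        a.events.append(ev["id"])
        if ev["id"] == START_ID:
            intf = re.search(r"Intf (\S+),", ev["msg"])
            cmap = re.search(r"Crypto map \((\S+)\)", ev["msg"])
            a.interface = intf.group(1) if intf else None
            a.crypto_map = cmap.group(1) if cmap else None
        elif ev["id"] == FAILURE_ID and a.failure is None:
            a.failure = ev["msg"].split(", ", 2)[-1]
    return attempts


def report(text: str) -> List[str]:
    lines = []
    for a in summarize(text).values():
        status = f"FAILED: {a.failure}" if a.failure else "no authentication failure logged"
        lines.append(f"{a.peer}: phase 1 initiated on {a.interface} via crypto map {a.crypto_map}; {status}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Run against a saved ASDM or syslog export, the report gives one line per peer; the 713902/713903 peer-table messages that follow 713905 are clean-up after the failed attempt and carry no extra diagnostic value, so they are only counted in `events`.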
11-04-2011 09:49 AM
Here is the config.
I apologise if there are glaring errors; this is my first ASA, and by now, with this problem, I have had some varied input about various settings.
NYGHASAVPN# sh run
: Saved
:
ASA Version 8.2(1)
!
hostname NYGHASAVPN
domain-name nygh.on.ca
enable password wtf encrypted
passwd rofl encrypted
names
name 10.x.x.98 ASA-EXT
name 205.x.x.1 ASA-INT
name 10.x.x.1 SSHANEXTHOP
!
interface Ethernet0/0
nameif SSHAEXTERNAL
security-level 0
ip address 10.x.x.111 255.255.255.128
!
interface Ethernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
nameif NYGHINT
security-level 100
ip address ASA-INT 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address dhcp setroute
management-only
!
banner exec WELCOME!! ----------> You are entering NORMAL mode. <----------
banner exec For EXEC mode, please use enable and the EXEC password.
banner login !*!*!*!*!Welcome to the NYGH ASA VPN appliance!*!*!*!*!
banner login Please document any changes and make a backup before you start.
banner login **All changes are logged under the user ID**
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup SSHAEXTERNAL
dns domain-lookup NYGHINT
dns domain-lookup management
dns server-group DefaultDNS
name-server 205.x.x.248
domain-name nygh.on.ca
same-security-traffic permit inter-interface
object-group network echn-net
network-object echn-net2 255.255.255.0
network-object echn-net 255.255.255.128
object-group network NYGHALL
description All NYGH groups except 10.x.x.0 and 1010
network-object nygh1012 255.255.255.0
network-object nygh1013 255.255.255.0
network-object nygh1014 255.255.255.0
network-object nygh1015 255.255.255.0
network-object nygh20512 255.255.255.0
network-object nygh20513 255.255.255.0
network-object nygh20514 255.255.255.0
network-object nygh20515 255.255.255.0
network-object nygh205210 255.255.255.0
object-group network NYBHall
network-object nybh107 255.255.255.0
network-object nybh106 255.255.255.0
object-group network DM_INLINE_NETWORK_4
network-object 10.21.x.0 255.255.255.0
network-object 10.250.x.0 255.255.255.224
access-list NYGHSTAFF standard permit host slaptop
access-list SSHAEXTERNAL_cryptomap_3 extended permit ip 192.168.x.0 255.255.255.0 object-group DM_INLINE_NETWORK_4
access-list SSHAEXTERNAL_cryptomap_3 extended permit ip host 10.250.x.11 any
access-list outside-acl extended permit icmp any any
pager lines 24
logging enable
logging timestamp
logging buffer-size 40960
logging asdm-buffer-size 512
logging asdm informational
logging from-address NYGHASAVPN@ddd
logging recipient-address im@home level errors
logging facility 22
logging host NYGHINT 205.x.x.220
logging ftp-bufferwrap
logging ftp-server 205.x.x.219 /ciscoasa/ ****
mtu SSHAEXTERNAL 1500
mtu NYGHINT 1500
mtu management 1500
ip local pool vpndhcp 205.x.x.206-205.x.x.209 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any SSHAEXTERNAL
icmp permit any NYGHINT
no asdm history enable
arp timeout 14400
global (SSHAEXTERNAL) 101 Ext17221 netmask 255.255.255.255
!
router rip
passive-interface default
!
route NYGHINT 0.0.0.0 0.0.0.0 SSHANEXTHOP 1
routing not the problem...
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
webvpn
url-list value NYGHBooks
aaa-server ADCRED protocol nt
aaa-server ADCRED (NYGHINT) host x.x.x.x
nt-auth-domain-controller x.x.x.x
aaa authentication enable console ADCRED LOCAL
aaa authentication http console ADCRED LOCAL
aaa authentication serial console ADCRED LOCAL
aaa authentication ssh console ADCRED LOCAL
aaa authentication telnet console ADCRED LOCAL
aaa authorization command LOCAL
http server enable
snmp-server location
snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
auth-prompt prompt Welcome
auth-prompt accept Your credentials have been accepted. Welcome
auth-prompt reject Your credentials have been rejected. Try again, check your spelling, try to remember your password.
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set CCIS esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set SHL esp-aes-256 esp-sha-hmac
crypto ipsec transform-set SIEMENS esp-3des esp-md5-hmac
crypto ipsec transform-set SUNNY esp-aes esp-md5-hmac
crypto ipsec transform-set ECHN esp-aes-256 esp-sha-hmac
crypto ipsec transform-set WTIS esp-aes esp-sha-hmac
crypto ipsec transform-set ACCENTUS esp-3des esp-md5-hmac
crypto ipsec transform-set PHILIPS esp-aes-256 esp-md5-hmac
crypto ipsec transform-set cGTAOLIS esp-aes-256 esp-sha-hmac
crypto ipsec transform-set CCISPROD esp-aes esp-sha-hmac
crypto ipsec transform-set Feinberg esp-aes-256 esp-md5-hmac
crypto ipsec transform-set Feinberg mode transport
crypto ipsec transform-set Feinburg1 esp-aes-256 esp-sha-hmac
crypto ipsec transform-set Feinburg1 mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map SSHAEXTERNAL_map3 4 match address SSHAEXTERNAL_cryptomap_3
crypto map SSHAEXTERNAL_map3 4 set pfs group5
crypto map SSHAEXTERNAL_map3 4 set peer 142.46.x.201
crypto map SSHAEXTERNAL_map3 4 set transform-set Feinberg Feinburg1 ESP-AES-256-SHA ESP-AES-256-MD5
crypto map SSHAEXTERNAL_map3 4 set security-association lifetime seconds 28800
crypto map SSHAEXTERNAL_map3 4 set phase1-mode aggressive group5
crypto map SSHAEXTERNAL_map3 4 set reverse-route
crypto map SSHAEXTERNAL_map3 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map SSHAEXTERNAL_map3 interface SSHAEXTERNAL
crypto isakmp enable SSHAEXTERNAL
crypto isakmp enable NYGHINT
crypto isakmp policy 1
authentication pre-share
encryption aes
hash md5
group 2
lifetime 86400
crypto isakmp policy 2
authentication pre-share
encryption aes
hash sha
group 2
lifetime 28800
crypto isakmp policy 3
authentication pre-share
encryption aes-256
hash md5
group 5
lifetime 28800
crypto isakmp policy 6
authentication pre-share
encryption aes
hash md5
group 5
lifetime 86400
crypto isakmp policy 7
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
crypto isakmp policy 8
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 9
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 28800
crypto isakmp policy 100
authentication pre-share
encryption aes-256
hash md5
group 5
lifetime 86400
telnet slaptop 255.255.255.255 NYGHINT
telnet timeout 45
ssh timeout 45
console timeout 0
dhcp-client client-id interface management
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tftp-server
webvpn
enable SSHAEXTERNAL
enable NYGHINT
smart-tunnel list RDP WINRDP %windir%\system32\mstsc.exe platform windows
group-policy DfltGrpPolicy attributes
banner value This is the default group policy banner.
group-policy NYGHTUNNELGROUP internal
group-policy NYGHTUNNELGROUP attributes
wins-server value x.x.x.x
dns-server value x.x.x.x
vpn-tunnel-protocol IPSec
default-domain value NYGHAD
group-policy NYGHVPNPolicy internal
group-policy NYGHVPNPolicy attributes
banner value NYGHVPN Banner specific to NYGHVPN policy hey ya
vpn-tunnel-protocol svc webvpn
webvpn
url-list value NYGHBooks
smart-tunnel enable RDP
group-policy NYGHWizardpolicy internal
group-policy NYGHWizardpolicy attributes
vpn-tunnel-protocol webvpn
webvpn
url-list value NYGHBooks
username bbrien password uaCZBQknnQyjj6G8 encrypted privilege 15
username bbrien attributes
vpn-group-policy NYGHVPNPolicy
username testwebuser password iQa4p4DfannO6L6v encrypted privilege 5
username testwebuser attributes
vpn-group-policy NYGHVPNPolicy
service-type admin
username test password AmxUDeORS16jpSkB encrypted privilege 0
username test attributes
vpn-group-policy NYGHWizardpolicy
username testvpn password WDnnelLwaGzjjP0y encrypted privilege 0
username testvpn attributes
vpn-group-policy NYGHTUNNELGROUP
username skay password tkVNXd0m3GpaRIU3 encrypted privilege 15
username skay attributes
vpn-group-policy NYGHVPNPolicy
vpn-access-hours none
vpn-idle-timeout none
vpn-session-timeout none
webvpn
url-list value NYGHBooks
tunnel-group DefaultWEBVPNGroup general-attributes
authentication-server-group ADCRED LOCAL
authentication-server-group (NYGHINT) ADCRED LOCAL
tunnel-group NYGHUSERS type remote-access
tunnel-group NYGHUSERS general-attributes
authentication-server-group ADCRED LOCAL
secondary-authentication-server-group ADCRED LOCAL
default-group-policy NYGHVPNPolicy
tunnel-group nyghwizard1 type remote-access
tunnel-group nyghwizard1 general-attributes
default-group-policy NYGHWizardpolicy
tunnel-group 142.46.x.201 type ipsec-l2l
tunnel-group 142.46.x.201 ipsec-attributes
pre-shared-key *
tunnel-group NYGHTUNNELGROUP type remote-access
tunnel-group NYGHTUNNELGROUP general-attributes
address-pool vpndhcpx
default-group-policy NYGHTUNNELGROUP
tunnel-group NYGHTUNNELGROUP ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:c043b51197axeef3564f7f6a95d
: end
NYGHASAVPN#
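The crypto map entry for this peer sets `phase1-mode aggressive group5`, while the ISAKMP policies above mix group 2 and group 5. In aggressive mode the initiator sends its KE payload in the first message, so the DH group is fixed up front and cannot be negotiated (RFC 2409 section 5.4); only policies using that group can actually be proposed to this peer. The check below is an added example, not code from the post or from Cisco: it parses the relevant lines of the config (a subset of the policies, copied from the config above) and lists which policies the ASA can offer to 142.46.x.201, then tests a hypothetical remote proposal against them. The remote side's real settings are not known from the thread, so the `remote` dictionaries are constructed inputs.

```python
import re
from typing import Dict, List, Optional

# Constructed input: the crypto map lines for the peer and six of the ISAKMP
# policies, copied from the running config posted above.
CONFIG = """\
crypto map SSHAEXTERNAL_map3 4 match address SSHAEXTERNAL_cryptomap_3
crypto map SSHAEXTERNAL_map3 4 set peer 142.46.x.201
crypto map SSHAEXTERNAL_map3 4 set phase1-mode aggressive group5
crypto map SSHAEXTERNAL_map3 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map SSHAEXTERNAL_map3 interface SSHAEXTERNAL
crypto isakmp policy 1
authentication pre-share
encryption aes
hash md5
group 2
lifetime 86400
crypto isakmp policy 2
authentication pre-share
encryption aes
hash sha
group 2
lifetime 28800
crypto isakmp policy 3
authentication pre-share
encryption aes-256
hash md5
group 5
lifetime 28800
crypto isakmp policy 7
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
crypto isakmp policy 8
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 100
authentication pre-share
encryption aes-256
hash md5
group 5
lifetime 86400
telnet timeout 45
"""

POLICY_RE = re.compile(r"crypto isakmp policy (\d+)$")
ATTR_RE = re.compile(r"(authentication|encryption|hash|group|lifetime) (\S+)$")
MAP_RE = re.compile(r"crypto map (\S+) (\d+) (.*)$")


def parse_policies(cfg: str) -> List[dict]:
    """Collect each 'crypto isakmp policy N' block; any unrelated line ends a block."""
    policies, current = [], None
    for line in (l.strip() for l in cfg.splitlines()):
        m = POLICY_RE.match(line)
        if m:
            current = {"priority": int(m.group(1))}
            policies.append(current)
            continue
        m = ATTR_RE.match(line) if current else None
        if m:
            key, val = m.groups()
            current[key] = int(val) if key in ("group", "lifetime") else val
        else:
            current = None
    return sorted(policies, key=lambda p: p["priority"])


def crypto_map_entry(cfg: str, peer: str) -> Optional[dict]:
    """Find the static crypto map entry whose 'set peer' names this peer."""
    entries: Dict[tuple, dict] = {}
    for line in (l.strip() for l in cfg.splitlines()):
        m = MAP_RE.match(line)
        if not m:
            continue
        e = entries.setdefault((m.group(1), m.group(2)), {"mode": "main", "group": None})
        words = m.group(3).split()
        if words[:2] == ["set", "peer"]:
            e["peer"] = words[2]
        elif words[:2] == ["set", "phase1-mode"]:   # e.g. set phase1-mode aggressive group5
            e["mode"] = words[2]
            if len(words) > 3 and words[3].startswith("group"):
                e["group"] = int(words[3][5:])
    return next((e for e in entries.values() if e.get("peer") == peer), None)


def eligible_policies(cfg: str, peer: str) -> List[dict]:
    entry = crypto_map_entry(cfg, peer)
    policies = parse_policies(cfg)
    if not entry or entry["mode"] != "aggressive" or entry["group"] is None:
        return policies   # main mode negotiates the group, so every policy can be offered
    # Aggressive mode: the group in the crypto map is sent with the first KE payload,
    # so only policies using that group can be proposed to this peer.
    return [p for p in policies if p["group"] == entry["group"]]


def first_match(cfg: str, peer: str, remote: dict) -> Optional[dict]:
    """First eligible local policy agreeing with `remote` on the four attributes a
    phase 1 proposal must match (lifetime is reconciled separately by the ASA)."""
    keys = ("authentication", "encryption", "hash", "group")
    return next((p for p in eligible_policies(cfg, peer)
                 if all(p.get(k) == remote.get(k) for k in keys)), None)


if __name__ == "__main__":
    for p in eligible_policies(CONFIG, "142.46.x.201"):
        print(p)
```

The practical consequence: a peer configured for AES/SHA/group 2 would match policy 2 in main mode but gets no proposal at all from this crypto map entry, so the set of policies to compare against the remote side is the group 5 subset, not the whole list.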
11-04-2011 09:50 AM
do you have control of the remote device? What are the settings on that device?
11-10-2011 04:59 AM
Sorry for the delay. I do not have access to the remote side device.
11-10-2011 09:43 AM
A few things.
1. Are these both ASAs?
2. The key could be correct but not compatible with both devices. Try generating new keys for both sides.
3. What is the actual debug error?
11-11-2011 05:27 AM
See my OP; the device, I believe, is a Fortinet gateway device, not an ASA. We have re-entered the key to a very basic combination of letters and the @ symbol.
The debug errors are listed in the OP also, but include:
The errors in my ASDM 6.2 real time log state:
3 Nov 04 2011 12:01:09 713902 IP = 142.46.x.201, Invalid packet detected!
4 Nov 04 2011 12:01:08 713903 Group = 142.46.x.201, IP = 142.46.x.201, Error: Unable to remove PeerTblEntry
3 Nov 04 2011 12:01:08 713902 Group = 142.46.x.201, IP = 142.46.x.201, Removing peer from peer table failed, no match!
6 Nov 04 2011 12:01:08 713905 Group = 142.46.x.201, IP = 142.46.x.201, Rxed Hash is incorrect: Pre-shared key or Digital Signature mismatch
5 Nov 04 2011 12:01:08 713041 IP = 142.46.x.201, IKE Initiator: New Phase 1, Intf NYGHINT, IKE Peer 142.46.x.201 local Proxy Address 192.168.x.0, remote Proxy Address 10.21.x.0, Crypto map (SSHAEXTERNAL_map3)
The bizarre thing is that occasionally the tunnel will suddenly come up without making any changes.
Any help would be appreciated including if you require the info from the debug.
11-11-2011 07:22 AM
Sounds like it is still a phase one error. You really need to confirm that both sides are using the same hash values and DH groups. Double check the transform set choices. Maybe it comes up sometimes because sometimes the sets match properly.
Sent from Cisco Technical Support iPhone App
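What the ASA checks when it logs 713905 is the responder's HASH_R, which in IKEv1 pre-shared-key authentication is prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b) with SKEYID = prf(PSK, Ni_b | Nr_b), the prf being HMAC over the negotiated hash (RFC 2409 sections 3.2 and 5.4). The hash therefore binds the key, both nonces, both DH public values, both cookies, the initiator's SA payload and the responder's identity, and the message text "Pre-shared key or Digital Signature mismatch" only names the most common reason it fails to verify. The following is an added example, not code from the thread or from any vendor: it implements those two formulas with Python's `hmac`/`hashlib` and runs four constructed cases to show that an identical key string on both sides is necessary but not sufficient. Cookies, nonces and DH values are random placeholders (no Diffie-Hellman is performed), the addresses are documentation-range stand-ins, and the responder looking up its PSK by the initiator's identity is modelled generically, not as a claim about the Fortinet device's behaviour.

```python
import hashlib
import hmac
import os
import socket
from typing import Dict

# ASA "hash md5" / "hash sha" select the IKEv1 prf, which is HMAC over that hash.
HASHES = {"md5": hashlib.md5, "sha": hashlib.sha1}


def prf(hash_name: str, key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, HASHES[hash_name]).digest()


def skeyid_psk(hash_name: str, psk: bytes, ni: bytes, nr: bytes) -> bytes:
    """SKEYID for pre-shared-key authentication: prf(PSK, Ni_b | Nr_b)."""
    return prf(hash_name, psk, ni + nr)


def hash_r(hash_name, psk, gxr, gxi, cky_r, cky_i, sai_b, idir_b, ni, nr) -> bytes:
    """HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)."""
    return prf(hash_name, skeyid_psk(hash_name, psk, ni, nr),
               gxr + gxi + cky_r + cky_i + sai_b + idir_b)


def id_ipv4(addr: str) -> bytes:
    # ID payload body without the generic header: ID_IPV4_ADDR (1), protocol 0, port 0, address
    return bytes([1, 0, 0, 0]) + socket.inet_aton(addr)


def id_fqdn(name: str) -> bytes:
    return bytes([2, 0, 0, 0]) + name.encode()  # ID_FQDN (2)


class Exchange:
    """Constructed, fixed inputs for one aggressive-mode attempt. Cookies, nonces and
    the DH public values are random placeholders; what matters is that both sides
    must hash exactly the same bytes under exactly the same key."""

    def __init__(self, hash_name: str = "sha"):
        self.hash_name = hash_name
        self.cky_i, self.cky_r = os.urandom(8), os.urandom(8)
        self.ni, self.nr = os.urandom(32), os.urandom(32)
        self.gxi, self.gxr = os.urandom(192), os.urandom(192)   # group 5 values are 1536 bits
        self.sai_b = b"\x00\x00\x00\x01" + b"aes-256/sha/group5/pre-share"  # stand-in SA body

    def responder_hash_r(self, psk_table: Dict[bytes, bytes], idii_b: bytes, idir_b: bytes) -> bytes:
        """The peer picks its PSK by the identity the initiator sent (IDii) and signs."""
        psk = psk_table[idii_b]
        return hash_r(self.hash_name, psk, self.gxr, self.gxi, self.cky_r, self.cky_i,
                      self.sai_b, idir_b, self.ni, self.nr)

    def initiator_verifies(self, psk: bytes, idir_b: bytes, received: bytes) -> bool:
        """The ASA recomputes HASH_R with its own PSK and the bytes it saw; any
        difference is what it reports as 713905 'Rxed Hash is incorrect'."""
        expected = hash_r(self.hash_name, psk, self.gxr, self.gxi, self.cky_r, self.cky_i,
                          self.sai_b, idir_b, self.ni, self.nr)
        return hmac.compare_digest(expected, received)


def run_cases() -> Dict[str, bool]:
    x = Exchange("sha")
    psk = b"correct-psk-with-some-length"
    asa_id = id_ipv4("192.0.2.10")       # constructed stand-in for the ASA's address
    peer_id = id_ipv4("198.51.100.1")    # constructed stand-in for the peer's address
    results = {}
    # 1. Same key on both sides, and the peer keys it on the identity the ASA sent.
    results["same key, same inputs"] = x.initiator_verifies(
        psk, peer_id, x.responder_hash_r({asa_id: psk}, asa_id, peer_id))
    # 2. The key strings differ (here only by a trailing space).
    results["different key"] = x.initiator_verifies(
        psk, peer_id, x.responder_hash_r({asa_id: psk + b" "}, asa_id, peer_id))
    # 3. The peer holds the right key, but the ASA identified itself by FQDN, so the
    #    peer selected the entry stored for that identity instead.
    table = {asa_id: psk, id_fqdn("nyghasavpn.example"): b"key-for-someone-else"}
    results["key selected by wrong identity"] = x.initiator_verifies(
        psk, peer_id, x.responder_hash_r(table, id_fqdn("nyghasavpn.example"), peer_id))
    # 4. The peer stores only the first 16 characters of the key (hypothetical limit).
    results["key truncated on one side"] = x.initiator_verifies(
        psk, peer_id, x.responder_hash_r({asa_id: psk[:16]}, asa_id, peer_id))
    return results


if __name__ == "__main__":
    for case, ok in run_cases().items():
        print(f"{case:32} -> {'hash verifies' if ok else 'Rxed Hash is incorrect'}")
```

Cases 3 and 4 produce exactly the same ASA log line as case 2, which is why "the keys match" cannot be settled from the ASA side alone: the identity the ASA presents (`crypto isakmp identity`, and in aggressive mode the ID type sent in the clear) and the way the remote gateway selects and stores its key are part of what is being hashed.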