Solved: Jon,I have disabled the PFS

Ken Mackay · ‎02-27-2015

I can't seem to get by the error's. Phase 1 completes, then the errors start, 7.0.0.2 recieved non-routine notify message no proposal choosen, connection terminated for peer 7.0.0.2 reason peer terminate remote proxy N/A local Proxy N/A, 7.0.0.2 removing peer from correlator table failed, no match, seesion being torn down reason user requested, group 7.0.0.2 automatic NAT detection status remote end is not behind NAT device, this end is not behind NAT device. The other end the ASA5512 I get IP 7.1.0.2 no valid authentication type found for the tunnel group, Remote end is not behind NAT device, the DAP records were selected for connection DfltAccessPolicy, Phase 1 completed, All IPSEC SA proposals found unacceptable, IP 7.1.0.2 QM FSM error, removing peer from correlator table failed no match, 7.1.0.2 session being torn down reason Phase 2 Mismatch, 7.1.0.2 session disconnected type IKEV1, recevied encrypted packet with no matchin SA dropping.

I have searched internet and found many results however as changes implemented I always end back at this point. Any HELP would be greatly appreciated. Lost two days in the LAB. I will post configs. This a test soon to go into production. Thanks

Ken

ASA1# sho run
: Saved
:
ASA Version 9.1(2)
!
hostname ASA1
domain-name TEST1.CA
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface GigabitEthernet0/0
nameif Outside
security-level 100
ip address 7.0.0.2 255.255.255.0
!
interface GigabitEthernet0/1
nameif AS1toR1
security-level 50
ip address 1.0.0.2 255.255.255.0
!
interface GigabitEthernet0/2
nameif AS1toR2
security-level 50
ip address 3.0.0.2 255.255.255.0
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
nameif management
security-level 0
ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
dns domain-lookup Outside
dns domain-lookup AS1toR1
dns domain-lookup AS1toR2
dns domain-lookup management
dns server-group DefaultDNS
name-server 201.201.201.201
domain-name TEST1.CA
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj-1.0.0.0
object network 2.0.0.0
subnet 2.0.0.0 255.255.255.0
object network 6.0.0.0
subnet 6.0.0.0 255.255.255.0
object network 7.1.0.0
subnet 7.1.0.0 255.255.255.0
object network 8.0.0.0
subnet 8.0.0.0 255.255.255.0
object network 9.0.0.0
subnet 9.0.0.0 255.255.255.0
object-group network DM_INLINE_NETWORK_3
network-object 1.0.0.0 255.255.255.0
network-object 3.0.0.0 255.255.255.0
network-object object 2.0.0.0
network-object object 8.0.0.0
object-group network DM_INLINE_NETWORK_4
network-object object 6.0.0.0
network-object object 9.0.0.0
object-group network DM_INLINE_NETWORK_1
network-object object 6.0.0.0
network-object object 9.0.0.0
object-group network DM_INLINE_NETWORK_2
network-object 1.0.0.0 255.255.255.0
network-object 3.0.0.0 255.255.255.0
network-object object 2.0.0.0
network-object object 8.0.0.0
object-group network DM_INLINE_NETWORK_5
network-object 1.0.0.0 255.255.255.0
network-object 3.0.0.0 255.255.255.0
network-object object 2.0.0.0
network-object object 8.0.0.0
object-group network DM_INLINE_NETWORK_6
network-object object 6.0.0.0
network-object object 9.0.0.0
access-list HEADEND extended permit ip any any
access-list hq-to-vpnend extended permit ip object-group DM_INLINE_NETWORK_3 object-group DM_INLINE_NETWORK_4
access-list vpnend-to-hq extended permit ip object-group DM_INLINE_NETWORK_1 object-group DM_INLINE_NETWORK_2
access-list Outside_cryptomap_15 extended permit ip object-group DM_INLINE_NETWORK_5 object-group DM_INLINE_NETWORK_6
access-list Outside_access_in extended permit ip any any
access-list Outside_access_in extended permit icmp any4 any4
access-list AS1toR2_access_in extended permit icmp any4 any4
access-list AS1toR2_access_in extended permit ip any any
access-list AS1toR1_access_in extended permit ip any any
access-list AS1toR1_access_in extended permit icmp any4 any4
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu AS1toR1 1500
mtu AS1toR2 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
access-group Outside_access_in in interface Outside
access-group AS1toR1_access_in in interface AS1toR1
access-group AS1toR2_access_in in interface AS1toR2
!
router ospf 1
network 1.0.0.0 255.255.255.0 area 0
network 3.0.0.0 255.255.255.0 area 0
network 7.0.0.0 255.255.255.0 area 0
log-adj-changes
!
route Outside 0.0.0.0 0.0.0.0 7.0.0.1 125
route Outside 6.0.0.0 255.255.255.0 7.0.0.1 125
route Outside 9.0.0.0 255.255.255.0 7.0.0.1 125
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
eou allow none
http server enable
http 192.168.1.2 255.255.255.255 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
sysopt connection preserve-vpn-flows
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set MAP-VPN1 esp-3des esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 5 match address Outside_cryptomap_15
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 5 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 5 set ikev1 transform-set MAP-VPN1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 5 set reverse-route
crypto dynamic-map DYNMAP 10 set pfs
crypto dynamic-map DYNMAP 10 set ikev1 transform-set MAP-VPN1
crypto dynamic-map DYNMAP 10 set reverse-route
crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map HQ2REMOTE 10 ipsec-isakmp dynamic DYNMAP
crypto map HQ2REMOTE interface Outside
crypto ca trustpool policy
crypto ikev1 enable Outside
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 28800
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
vpn-addr-assign local reuse-delay 30
vpn load-balancing
interface lbpublic Outside
interface lbprivate AS1toR1
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable Outside
no anyconnect-essentials
group-policy DfltGrpPolicy attributes
wins-server value 10.10.10.10
dns-server value 201.201.201.201
vpn-idle-timeout none
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
split-tunnel-network-list value HEADEND
default-domain value TEST1.CA
webvpn
activex-relay disable
tunnel-group DefaultL2LGroup ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group DefaultRAGroup general-attributes
secondary-authentication-server-group LOCAL
authorization-server-group LOCAL
nat-assigned-to-public-ip Outside
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key *****
peer-id-validate nocheck
ikev1 user-authentication none
tunnel-group DefaultWEBVPNGroup general-attributes
secondary-authentication-server-group LOCAL
tunnel-group DefaultWEBVPNGroup ipsec-attributes
ikev1 pre-shared-key *****
peer-id-validate nocheck
ikev1 user-authentication none
tunnel-group-map default-group DefaultL2LGroup
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly 24
subscribe-to-alert-group configuration periodic monthly 24
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:022709234965ad8943628e790ed5ed1f
: end
ASA1#

ASA2# sho run
: Saved
:
ASA Version 8.2(5)
!
hostname ASA2
domain-name TEST2.CA
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
switchport access vlan 14
!
interface Ethernet0/1
switchport access vlan 24
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
switchport access vlan 4
!
interface Vlan1
no nameif
no security-level
no ip address
!
interface Vlan4
nameif management.
security-level 0
ip address 192.168.1.101 255.255.255.0
management-only
!
interface Vlan14
nameif Outside
security-level 100
ip address dhcp setroute
!
interface Vlan24
nameif Inside
security-level 50
ip address 6.0.0.2 255.255.255.0
!
ftp mode passive
dns domain-lookup management.
dns domain-lookup Outside
dns domain-lookup Inside
dns server-group DefaultDNS
domain-name TEST2.CA
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network DM_INLINE_NETWORK_1
network-object 1.0.0.0 255.255.255.0
network-object 2.0.0.0 255.255.255.0
network-object 3.0.0.0 255.255.255.0
network-object 8.0.0.0 255.255.255.0
object-group network DM_INLINE_NETWORK_2
network-object 6.0.0.0 255.255.255.0
network-object 9.0.0.0 255.255.255.0
object-group network DM_INLINE_NETWORK_5
network-object 1.0.0.0 255.255.255.0
network-object 2.0.0.0 255.255.255.0
network-object 3.0.0.0 255.255.255.0
network-object 8.0.0.0 255.255.255.0
object-group network DM_INLINE_NETWORK_6
network-object 6.0.0.0 255.255.255.0
network-object 9.0.0.0 255.255.255.0
access-list vpnend-to-hq extended permit ip object-group DM_INLINE_NETWORK_1 object-group DM_INLINE_NETWORK_2
access-list REMOTEEND extended permit ip any any
access-list hq-to-vpnend extended permit ip object-group DM_INLINE_NETWORK_5 object-group DM_INLINE_NETWORK_6
access-list Outside_access_in extended permit ip any any
access-list Outside_access_in extended permit icmp any any
access-list Inside_access_in extended permit ip any any
access-list Inside_access_in extended permit icmp any any
pager lines 24
logging enable
logging asdm informational
mtu management. 1500
mtu Outside 1500
mtu Inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group Outside_access_in in interface Outside
access-group Inside_access_in in interface Inside
!
router ospf 1
network 6.0.0.0 255.255.255.0 area 0
network 7.1.0.0 255.255.255.0 area 0
log-adj-changes
!
route Outside 1.0.0.0 255.255.255.0 7.0.0.2 125
route Outside 2.0.0.0 255.255.255.0 7.0.0.2 125
route Outside 3.0.0.0 255.255.255.0 7.0.0.2 125
route Outside 8.0.0.0 255.255.255.0 7.0.0.2 125
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
network-acl REMOTEEND
eou allow none
http server enable
http 0.0.0.0 0.0.0.0 management.
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set MAP-VPN1 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set MAP-VPN1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route
crypto map HQ2REMOTE 15 match address vpnend-to-hq
crypto map HQ2REMOTE 15 set pfs
crypto map HQ2REMOTE 15 set connection-type originate-only
crypto map HQ2REMOTE 15 set peer 7.0.0.2
crypto map HQ2REMOTE 15 set transform-set MAP-VPN1
crypto map HQ2REMOTE 15 set security-association lifetime seconds 28800
crypto map HQ2REMOTE 15 set security-association lifetime kilobytes 4608000
crypto map HQ2REMOTE 15 set reverse-route
crypto map HQ2REMOTE 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map HQ2REMOTE interface Outside
crypto isakmp enable Outside
crypto isakmp policy 15
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 28800
crypto isakmp ipsec-over-tcp port 10000
vpn-addr-assign local reuse-delay 5
telnet timeout 5
ssh timeout 5
console timeout 0
dhcp-client client-id interface Outside

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption 3des-sha1
webvpn
enable Outside
group-policy DfltGrpPolicy attributes
wins-server value 10.10.10.10
dns-server value 201.201.201.201
vpn-idle-timeout none
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
split-tunnel-network-list value REMOTEEND
default-domain value TEST2.CA
smartcard-removal-disconnect disable
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key *****
tunnel-group DefaultRAGroup general-attributes
authorization-server-group LOCAL
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *****
tunnel-group DefaultWEBVPNGroup ipsec-attributes
pre-shared-key *****
tunnel-group 7.0.0.2 type ipsec-l2l
tunnel-group 7.0.0.2 ipsec-attributes
pre-shared-key *****
peer-id-validate nocheck
tunnel-group-map default-group 7.0.0.2
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:0d04273f55e788e2a4ad4d025084d33d
: end
ASA2#

Jon Marshall · ‎02-28-2015

Mike

It's been a while since I did these but on your ASA 9.1 you are using the dynamic map called DYNMAP but you haven't told it what the IPs are to match ie. shouldn't you have -

crypto dynamic-map DYNMAP 10 match address <acl name> <--- you have multiple acls for the same thing so not sure what you want to use.

Also you don't need all those additional route entries for the crypto subnets pointing to the outside ie. the default route is enough but it won't hurt.

Jon

View solution in original post

Jon Marshall · ‎02-28-2015

Mike

It's been a while since I did these but on your ASA 9.1 you are using the dynamic map called DYNMAP but you haven't told it what the IPs are to match ie. shouldn't you have -

crypto dynamic-map DYNMAP 10 match address <acl name> <--- you have multiple acls for the same thing so not sure what you want to use.

Also you don't need all those additional route entries for the crypto subnets pointing to the outside ie. the default route is enough but it won't hurt.

Jon

Ken Mackay · ‎03-02-2015

Thanks Mike. You were correct on the "mach address <acl name> have changed that to <hq-to-vpnend> Also removed the excess route entries for the crypto. But still recieving the same errors??? Do you see anything else wrong with the config?

Thanks,

Ken

Jon Marshall · ‎03-02-2015

Ken

Sorry, I have no idea why I called you Mike :-)

Can you do a full debug on the ASA 9.1 and post the output.

Jon

Ken Mackay · ‎03-02-2015

Hey I made the same mistake Jon, with your name forgive me :) Jon can you be more specfic there is no debug all command.

Thanks,

Ken

Jon Marshall · ‎03-02-2015

Ken

Sorry, try these commands -

debug crypto isakmp 127

debug crypto IPsec 127

and then try to initiate the VPN.

Jon

Ken Mackay · ‎03-02-2015

Jon

Was able to get something from "debug crypto isakmp 127" however nothing from "debug crypto ipsec 127"

ASA1(config)# debug crypto isakmp 127
ASA1(config)# Mar 02 10:32:53 [IKEv1]IP = 7.1.0.2, Connection landed on tunnel_group DefaultRAGroup
Mar 02 10:32:53 [IKEv1]Group = DefaultRAGroup, IP = 7.1.0.2, No valid authentication type found for the tunnel group
Mar 02 10:32:53 [IKEv1]IP = 7.1.0.2, Connection landed on tunnel_group DefaultRAGroup
Mar 02 10:32:53 [IKEv1]Group = DefaultRAGroup, IP = 7.1.0.2, No valid authentication type found for the tunnel group
Mar 02 10:32:53 [IKEv1]Group = DefaultRAGroup, IP = 7.1.0.2, IKE: Filter conflict: received filter-ID (filter name=no filter) along with an AV-PAIR dynamic ACL filter (filter name = DAP-ip-user-A0F3D00B).AV-PAIR dynamic filter will be applied.
Mar 02 10:32:53 [IKEv1]Group = DefaultRAGroup, IP = 7.1.0.2, User () authenticated.
Mar 02 10:32:53 [IKEv1]Group = DefaultRAGroup, IP = 7.1.0.2, PHASE 1 COMPLETED
Mar 02 10:32:53 [IKEv1]Group = DefaultRAGroup, IP = 7.1.0.2, All IPSec SA proposals found unacceptable!
Mar 02 10:32:53 [IKEv1]Group = DefaultRAGroup, IP = 7.1.0.2, QM FSM error (P2 struct &0x00007fff9f9014a0, mess id 0xff7684e6)!
Mar 02 10:32:53 [IKEv1]Group = DefaultRAGroup, IP = 7.1.0.2, Removing peer from correlator table failed, no match!
Mar 02 10:32:53 [IKEv1]Group = DefaultRAGroup, IP = 7.1.0.2, Session is being torn down. Reason: Phase 2 Mismatch
Mar 02 10:32:53 [IKEv1]IP = 7.1.0.2, Received encrypted packet with no matching SA, dropping

ASA1(config)# Mar 02 10:33:23 [IKEv1]IP = 7.1.0.2, Connection landed on tunnel_group DefaultRAGroup
Mar 02 10:33:23 [IKEv1]Group = DefaultRAGroup, IP = 7.1.0.2, No valid authentication type found for the tunnel group
Mar 02 10:33:23 [IKEv1]IP = 7.1.0.2, Connection landed on tunnel_group DefaultRAGroup
Mar 02 10:33:23 [IKEv1]Group = DefaultRAGroup, IP = 7.1.0.2, No valid authentication type found for the tunnel group
Mar 02 10:33:23 [IKEv1]Group = DefaultRAGroup, IP = 7.1.0.2, IKE: Filter conflict: received filter-ID (filter name=no filter) along with an AV-PAIR dynamic ACL filter (filter name = DAP-ip-user-A0F3D00B).AV-PAIR dynamic filter will be applied.
Mar 02 10:33:23 [IKEv1]Group = DefaultRAGroup, IP = 7.1.0.2, User () authenticated.
Mar 02 10:33:23 [IKEv1]Group = DefaultRAGroup, IP = 7.1.0.2, PHASE 1 COMPLETED
Mar 02 10:33:23 [IKEv1]Group = DefaultRAGroup, IP = 7.1.0.2, All IPSec SA proposals found unacceptable!
Mar 02 10:33:23 [IKEv1]Group = DefaultRAGroup, IP = 7.1.0.2, QM FSM error (P2 struct &0x00007fff9f9014a0, mess id 0x42ebba46)!
Mar 02 10:33:23 [IKEv1]Group = DefaultRAGroup, IP = 7.1.0.2, Removing peer from correlator table failed, no match!
Mar 02 10:33:23 [IKEv1]Group = DefaultRAGroup, IP = 7.1.0.2, Session is being torn down. Reason: Phase 2 Mismatch
Mar 02 10:33:23 [IKEv1]IP = 7.1.0.2, Received encrypted packet with no matching SA, dropping

ASA1(config)# Mar 02 10:33:53 [IKEv1]IP = 7.1.0.2, Connection landed on tunnel_group DefaultRAGroup
Mar 02 10:33:53 [IKEv1]Group = DefaultRAGroup, IP = 7.1.0.2, No valid authentication type found for the tunnel group
Mar 02 10:33:53 [IKEv1]IP = 7.1.0.2, Connection landed on tunnel_group DefaultRAGroup
Mar 02 10:33:53 [IKEv1]Group = DefaultRAGroup, IP = 7.1.0.2, No valid authentication type found for the tunnel group
Mar 02 10:33:53 [IKEv1]Group = DefaultRAGroup, IP = 7.1.0.2, IKE: Filter conflict: received filter-ID (filter name=no filter) along with an AV-PAIR dynamic ACL filter (filter name = DAP-ip-user-A0F3D00B).AV-PAIR dynamic filter will be applied.
Mar 02 10:33:53 [IKEv1]Group = DefaultRAGroup, IP = 7.1.0.2, User () authenticated.
Mar 02 10:33:53 [IKEv1]Group = DefaultRAGroup, IP = 7.1.0.2, PHASE 1 COMPLETED
Mar 02 10:33:53 [IKEv1]Group = DefaultRAGroup, IP = 7.1.0.2, All IPSec SA proposals found unacceptable!
Mar 02 10:33:53 [IKEv1]Group = DefaultRAGroup, IP = 7.1.0.2, QM FSM error (P2 struct &0x00007fff9f9014a0, mess id 0x66195caf)!
Mar 02 10:33:53 [IKEv1]Group = DefaultRAGroup, IP = 7.1.0.2, Removing peer from correlator table failed, no match!
Mar 02 10:33:53 [IKEv1]Group = DefaultRAGroup, IP = 7.1.0.2, Session is being torn down. Reason: Phase 2 Mismatch
Mar 02 10:33:53 [IKEv1]IP = 7.1.0.2, Received encrypted packet with no matching SA, dropping

ASA1(config)# debug crypto ipsec 127
ASA1(config)#
ASA1(config)#
ASA1(config)#
ASA1(config)#

Ken

Jon Marshall · ‎03-02-2015

Ken

Your crypto map acls are referencing object groups on each ASA.

Can you modify the object-groups on the ASA running 9.1 to match the 8.4 ones ie. you have used 255.255.255.0 subnet masks on all the networks in the 8.4 configuration but not on the 9.1.

Can you make them match exactly and try again.

Jon

Ken Mackay · ‎03-02-2015

Jon

All networks have the subnet masks of 255.255.255.0 although it doesn't appear so in the above posted configs. I believe it has something to do with different ASA's and code versions.

Thanks

Ken

Jon Marshall · ‎03-02-2015

Ken

Okay thanks.

Did you see my last post about adding that command to your DefaultL2LGroup ?

If you have added it can you run the debug crypto isakmp 127 command again to make sure it is using the right group this time.

Jon

Ken Mackay · ‎03-02-2015

Jon,

I was unable to add that command however DefaultL2LGroup is the default when reviewing in the Cisco ASDM on both ASA's.

ASA1(config)# debug crypto isakmp 127
ASA1(config)# Mar 02 12:02:53 [IKEv1]IP = 7.1.0.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 168
Mar 02 12:02:53 [IKEv1 DEBUG]IP = 7.1.0.2, processing SA payload
Mar 02 12:02:53 [IKEv1 DEBUG]IP = 7.1.0.2, Oakley proposal is acceptable
Mar 02 12:02:53 [IKEv1 DEBUG]IP = 7.1.0.2, processing VID payload
Mar 02 12:02:53 [IKEv1 DEBUG]IP = 7.1.0.2, Received NAT-Traversal ver 02 VID
Mar 02 12:02:53 [IKEv1 DEBUG]IP = 7.1.0.2, processing VID payload
Mar 02 12:02:53 [IKEv1 DEBUG]IP = 7.1.0.2, Received NAT-Traversal ver 03 VID
Mar 02 12:02:53 [IKEv1 DEBUG]IP = 7.1.0.2, processing VID payload
Mar 02 12:02:53 [IKEv1 DEBUG]IP = 7.1.0.2, Received NAT-Traversal RFC VID
Mar 02 12:02:53 [IKEv1 DEBUG]IP = 7.1.0.2, processing VID payload
Mar 02 12:02:53 [IKEv1 DEBUG]IP = 7.1.0.2, Received Fragmentation VID
Mar 02 12:02:53 [IKEv1 DEBUG]IP = 7.1.0.2, IKE Peer included IKE fragmentation capability flags: Main Mode:        True Aggressive Mode: True
Mar 02 12:02:53 [IKEv1 DEBUG]IP = 7.1.0.2, processing IKE SA payload
Mar 02 12:02:53 [IKEv1 DEBUG]IP = 7.1.0.2, IKE SA Proposal # 1, Transform # 1 acceptable Matches global IKE entry # 2
Mar 02 12:02:53 [IKEv1 DEBUG]IP = 7.1.0.2, constructing ISAKMP SA payload
Mar 02 12:02:53 [IKEv1 DEBUG]IP = 7.1.0.2, constructing NAT-Traversal VID ver RFC payload
Mar 02 12:02:53 [IKEv1 DEBUG]IP = 7.1.0.2, constructing Fragmentation VID + extended capabilities payload
Mar 02 12:02:53 [IKEv1]IP = 7.1.0.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 124
Mar 02 12:02:53 [IKEv1]IP = 7.1.0.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 296
Mar 02 12:02:53 [IKEv1 DEBUG]IP = 7.1.0.2, processing ke payload
Mar 02 12:02:53 [IKEv1 DEBUG]IP = 7.1.0.2, processing ISA_KE payload
Mar 02 12:02:53 [IKEv1 DEBUG]IP = 7.1.0.2, processing nonce payload
Mar 02 12:02:53 [IKEv1 DEBUG]IP = 7.1.0.2, processing VID payload
Mar 02 12:02:53 [IKEv1 DEBUG]IP = 7.1.0.2, Received Cisco Unity client VID
Mar 02 12:02:53 [IKEv1 DEBUG]IP = 7.1.0.2, processing VID payload
Mar 02 12:02:53 [IKEv1 DEBUG]IP = 7.1.0.2, Received xauth V6 VID
Mar 02 12:02:53 [IKEv1 DEBUG]IP = 7.1.0.2, processing VID payload
Mar 02 12:02:53 [IKEv1 DEBUG]IP = 7.1.0.2, Processing VPN3000/ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Mar 02 12:02:53 [IKEv1 DEBUG]IP = 7.1.0.2, processing VID payload
Mar 02 12:02:53 [IKEv1 DEBUG]IP = 7.1.0.2, Received Altiga/Cisco VPN3000/Cisco ASA GW VID
Mar 02 12:02:53 [IKEv1 DEBUG]IP = 7.1.0.2, processing NAT-Discovery payload
Mar 02 12:02:53 [IKEv1 DEBUG]IP = 7.1.0.2, computing NAT Discovery hash
Mar 02 12:02:53 [IKEv1 DEBUG]IP = 7.1.0.2, processing NAT-Discovery payload
Mar 02 12:02:53 [IKEv1 DEBUG]IP = 7.1.0.2, computing NAT Discovery hash
Mar 02 12:02:53 [IKEv1 DEBUG]IP = 7.1.0.2, constructing ke payload
Mar 02 12:02:53 [IKEv1 DEBUG]IP = 7.1.0.2, constructing nonce payload
Mar 02 12:02:53 [IKEv1 DEBUG]IP = 7.1.0.2, constructing Cisco Unity VID payload
Mar 02 12:02:53 [IKEv1 DEBUG]IP = 7.1.0.2, constructing xauth V6 VID payload
Mar 02 12:02:53 [IKEv1 DEBUG]IP = 7.1.0.2, Send IOS VID
Mar 02 12:02:53 [IKEv1 DEBUG]IP = 7.1.0.2, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Mar 02 12:02:53 [IKEv1 DEBUG]IP = 7.1.0.2, constructing VID payload
Mar 02 12:02:53 [IKEv1 DEBUG]IP = 7.1.0.2, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Mar 02 12:02:53 [IKEv1 DEBUG]IP = 7.1.0.2, constructing NAT-Discovery payload
Mar 02 12:02:53 [IKEv1 DEBUG]IP = 7.1.0.2, computing NAT Discovery hash
Mar 02 12:02:53 [IKEv1 DEBUG]IP = 7.1.0.2, constructing NAT-Discovery payload
Mar 02 12:02:53 [IKEv1 DEBUG]IP = 7.1.0.2, computing NAT Discovery hash
Mar 02 12:02:53 [IKEv1]IP = 7.1.0.2, Connection landed on tunnel_group DefaultRAGroup
Mar 02 12:02:53 [IKEv1]Group = DefaultRAGroup, IP = 7.1.0.2, No valid authentication type found for the tunnel group
Mar 02 12:02:53 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 7.1.0.2, Generating keys for Responder...
Mar 02 12:02:53 [IKEv1]IP = 7.1.0.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 296
Mar 02 12:02:53 [IKEv1]IP = 7.1.0.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 92
Mar 02 12:02:53 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 7.1.0.2, processing ID payload
Mar 02 12:02:53 [IKEv1 DECODE]Group = DefaultRAGroup, IP = 7.1.0.2, ID_IPV4_ADDR ID received
7.1.0.2
Mar 02 12:02:53 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 7.1.0.2, processing hash payload
Mar 02 12:02:53 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 7.1.0.2, Computing hash for ISAKMP
Mar 02 12:02:53 [IKEv1 DEBUG]IP = 7.1.0.2, Processing IOS keep alive payload: proposal=32767/32767 sec.
Mar 02 12:02:53 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 7.1.0.2, processing VID payload
Mar 02 12:02:53 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 7.1.0.2, Received DPD VID
Mar 02 12:02:53 [IKEv1]Group = DefaultRAGroup, IP = 7.1.0.2, Automatic NAT Detection Status:     Remote end is NOT behind a NAT device     This   end is NOT behind a NAT device
Mar 02 12:02:53 [IKEv1]IP = 7.1.0.2, Connection landed on tunnel_group DefaultRAGroup
Mar 02 12:02:53 [IKEv1]Group = DefaultRAGroup, IP = 7.1.0.2, No valid authentication type found for the tunnel group
Mar 02 12:02:53 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 7.1.0.2, constructing ID payload
Mar 02 12:02:53 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 7.1.0.2, constructing hash payload
Mar 02 12:02:53 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 7.1.0.2, Computing hash for ISAKMP
Mar 02 12:02:53 [IKEv1 DEBUG]IP = 7.1.0.2, Constructing IOS keep alive payload: proposal=32767/32767 sec.
Mar 02 12:02:53 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 7.1.0.2, constructing dpd vid payload
Mar 02 12:02:53 [IKEv1]IP = 7.1.0.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 101
Mar 02 12:02:53 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 7.1.0.2, IKEGetUserAttributes: primary DNS = 201.201.201.201
Mar 02 12:02:53 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 7.1.0.2, IKEGetUserAttributes: secondary DNS = cleared
Mar 02 12:02:53 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 7.1.0.2, IKEGetUserAttributes: primary WINS = 10.10.10.10
Mar 02 12:02:53 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 7.1.0.2, IKEGetUserAttributes: secondary WINS = cleared
Mar 02 12:02:53 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 7.1.0.2, IKEGetUserAttributes: split tunneling list = HEADEND
Mar 02 12:02:53 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 7.1.0.2, IKEGetUserAttributes: default domain = TEST1.CA
Mar 02 12:02:53 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 7.1.0.2, IKEGetUserAttributes: IP Compression = disabled
Mar 02 12:02:53 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 7.1.0.2, IKEGetUserAttributes: Split Tunneling Policy = Disabled
Mar 02 12:02:53 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 7.1.0.2, IKEGetUserAttributes: Browser Proxy Setting = no-modify
Mar 02 12:02:53 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 7.1.0.2, IKEGetUserAttributes: Browser Proxy Bypass Local = disable
Mar 02 12:02:53 [IKEv1]Group = DefaultRAGroup, IP = 7.1.0.2, IKE: Filter conflict: received filter-ID (filter name=no filter) along with an AV-PAIR dynamic ACL filter (filter name = DAP-ip-user-A0F3D00B).AV-PAIR dynamic filter will be applied.
Mar 02 12:02:53 [IKEv1]Group = DefaultRAGroup, IP = 7.1.0.2, User () authenticated.
Mar 02 12:02:53 [IKEv1 DECODE]IP = 7.1.0.2, IKE Responder starting QM: msg id = 29cf9586
Mar 02 12:02:53 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 7.1.0.2, Delay Quick Mode processing, Cert/Trans Exch/RM DSID in progress
Mar 02 12:02:53 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 7.1.0.2, Resume Quick Mode processing, Cert/Trans Exch/RM DSID completed
Mar 02 12:02:53 [IKEv1]Group = DefaultRAGroup, IP = 7.1.0.2, PHASE 1 COMPLETED
Mar 02 12:02:53 [IKEv1]IP = 7.1.0.2, Keep-alive type for this connection: DPD
Mar 02 12:02:53 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 7.1.0.2, Starting P1 rekey timer: 24480 seconds.
Mar 02 12:02:53 [IKEv1]IP = 7.1.0.2, IKE_DECODE RECEIVED Message (msgid=29cf9586) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + KE (4) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 320
Mar 02 12:02:53 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 7.1.0.2, processing hash payload
Mar 02 12:02:53 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 7.1.0.2, processing SA payload
Mar 02 12:02:53 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 7.1.0.2, processing nonce payload
Mar 02 12:02:53 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 7.1.0.2, processing ke payload
Mar 02 12:02:53 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 7.1.0.2, processing ISA_KE for PFS in phase 2
Mar 02 12:02:53 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 7.1.0.2, processing ID payload
Mar 02 12:02:53 [IKEv1 DECODE]Group = DefaultRAGroup, IP = 7.1.0.2, ID_IPV4_ADDR ID received
7.1.0.2
Mar 02 12:02:53 [IKEv1]Group = DefaultRAGroup, IP = 7.1.0.2, Received remote Proxy Host data in ID Payload: Address 7.1.0.2, Protocol 0, Port 0
Mar 02 12:02:53 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 7.1.0.2, processing ID payload
Mar 02 12:02:53 [IKEv1 DECODE]Group = DefaultRAGroup, IP = 7.1.0.2, ID_IPV4_ADDR ID received
7.0.0.2
Mar 02 12:02:53 [IKEv1]Group = DefaultRAGroup, IP = 7.1.0.2, Received local Proxy Host data in ID Payload: Address 7.0.0.2, Protocol 0, Port 0
Mar 02 12:02:53 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 7.1.0.2, processing notify payload
Mar 02 12:02:53 [IKEv1]Group = DefaultRAGroup, IP = 7.1.0.2, QM IsRekeyed old sa not found by addr
Mar 02 12:02:53 [IKEv1]Group = DefaultRAGroup, IP = 7.1.0.2, Static Crypto Map check, map DYNMAP, seq = 10 is a successful match
Mar 02 12:02:53 [IKEv1]Group = DefaultRAGroup, IP = 7.1.0.2, IKE Remote Peer configured for crypto map: DYNMAP
Mar 02 12:02:53 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 7.1.0.2, processing IPSec SA payload
Mar 02 12:02:53 [IKEv1]Group = DefaultRAGroup, IP = 7.1.0.2, All IPSec SA proposals found unacceptable!
Mar 02 12:02:53 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 7.1.0.2, sending notify message
Mar 02 12:02:53 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 7.1.0.2, constructing blank hash payload
Mar 02 12:02:53 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 7.1.0.2, constructing ipsec notify payload for msg id 29cf9586
Mar 02 12:02:53 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 7.1.0.2, constructing qm hash payload
Mar 02 12:02:53 [IKEv1]IP = 7.1.0.2, IKE_DECODE SENDING Message (msgid=126f12e9) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80
Mar 02 12:02:53 [IKEv1]Group = DefaultRAGroup, IP = 7.1.0.2, QM FSM error (P2 struct &0x00007fff9e5d3850, mess id 0x29cf9586)!
Mar 02 12:02:53 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 7.1.0.2, IKE QM Responder FSM error history (struct &0x00007fff9e5d3850) <state>, <event>: QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_NEGO_SA-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH
Mar 02 12:02:53 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 7.1.0.2, sending delete/delete with reason message
Mar 02 12:02:53 [IKEv1]Group = DefaultRAGroup, IP = 7.1.0.2, Removing peer from correlator table failed, no match!
Mar 02 12:02:53 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 7.1.0.2, IKE SA MM:14a47a0b rcv'd Terminate: state MM_ACTIVE flags 0x0001c042, refcnt 1, tuncnt 0
Mar 02 12:02:53 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 7.1.0.2, IKE SA MM:14a47a0b terminating: flags 0x0101c002, refcnt 0, tuncnt 0
Mar 02 12:02:53 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 7.1.0.2, sending delete/delete with reason message
Mar 02 12:02:53 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 7.1.0.2, constructing blank hash payload
Mar 02 12:02:53 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 7.1.0.2, constructing IKE delete payload
Mar 02 12:02:53 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 7.1.0.2, constructing qm hash payload
Mar 02 12:02:53 [IKEv1]IP = 7.1.0.2, IKE_DECODE SENDING Message (msgid=ca6774f2) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 76
Mar 02 12:02:53 [IKEv1]Group = DefaultRAGroup, IP = 7.1.0.2, Session is being torn down. Reason: Phase 2 Mismatch
Mar 02 12:02:53 [IKEv1]Ignoring msg to mark SA with dsID 1896448 dead because SA deleted
Mar 02 12:02:53 [IKEv1]IP = 7.1.0.2, Received encrypted packet with no matching SA, dropping
Mar 02 12:03:23 [IKEv1]IP = 7.1.0.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 168
Mar 02 12:03:23 [IKEv1 DEBUG]IP = 7.1.0.2, processing SA payload
Mar 02 12:03:23 [IKEv1 DEBUG]IP = 7.1.0.2, Oakley proposal is acceptable
Mar 02 12:03:23 [IKEv1 DEBUG]IP = 7.1.0.2, processing VID payload
Mar 02 12:03:23 [IKEv1 DEBUG]IP = 7.1.0.2, Received NAT-Traversal ver 02 VID
Mar 02 12:03:23 [IKEv1 DEBUG]IP = 7.1.0.2, processing VID payload
Mar 02 12:03:23 [IKEv1 DEBUG]IP = 7.1.0.2, Received NAT-Traversal ver 03 VID
Mar 02 12:03:23 [IKEv1 DEBUG]IP = 7.1.0.2, processing VID payload
Mar 02 12:03:23 [IKEv1 DEBUG]IP = 7.1.0.2, Received NAT-Traversal RFC VID
Mar 02 12:03:23 [IKEv1 DEBUG]IP = 7.1.0.2, processing VID payload
Mar 02 12:03:23 [IKEv1 DEBUG]IP = 7.1.0.2, Received Fragmentation VID
Mar 02 12:03:23 [IKEv1 DEBUG]IP = 7.1.0.2, IKE Peer included IKE fragmentation capability flags: Main Mode:        True Aggressive Mode: True
Mar 02 12:03:23 [IKEv1 DEBUG]IP = 7.1.0.2, processing IKE SA payload
Mar 02 12:03:23 [IKEv1 DEBUG]IP = 7.1.0.2, IKE SA Proposal # 1, Transform # 1 acceptable Matches global IKE entry # 2
Mar 02 12:03:23 [IKEv1 DEBUG]IP = 7.1.0.2, constructing ISAKMP SA payload
Mar 02 12:03:23 [IKEv1 DEBUG]IP = 7.1.0.2, constructing NAT-Traversal VID ver RFC payload
Mar 02 12:03:23 [IKEv1 DEBUG]IP = 7.1.0.2, constructing Fragmentation VID + extended capabilities payload
Mar 02 12:03:23 [IKEv1]IP = 7.1.0.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 124
Mar 02 12:03:23 [IKEv1]IP = 7.1.0.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 296
Mar 02 12:03:23 [IKEv1 DEBUG]IP = 7.1.0.2, processing ke payload
Mar 02 12:03:23 [IKEv1 DEBUG]IP = 7.1.0.2, processing ISA_KE payload
Mar 02 12:03:23 [IKEv1 DEBUG]IP = 7.1.0.2, processing nonce payload
Mar 02 12:03:23 [IKEv1 DEBUG]IP = 7.1.0.2, processing VID payload
Mar 02 12:03:23 [IKEv1 DEBUG]IP = 7.1.0.2, Received Cisco Unity client VID
Mar 02 12:03:23 [IKEv1 DEBUG]IP = 7.1.0.2, processing VID payload
Mar 02 12:03:23 [IKEv1 DEBUG]IP = 7.1.0.2, Received xauth V6 VID
Mar 02 12:03:23 [IKEv1 DEBUG]IP = 7.1.0.2, processing VID payload
Mar 02 12:03:23 [IKEv1 DEBUG]IP = 7.1.0.2, Processing VPN3000/ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Mar 02 12:03:23 [IKEv1 DEBUG]IP = 7.1.0.2, processing VID payload
Mar 02 12:03:23 [IKEv1 DEBUG]IP = 7.1.0.2, Received Altiga/Cisco VPN3000/Cisco ASA GW VID
Mar 02 12:03:23 [IKEv1 DEBUG]IP = 7.1.0.2, processing NAT-Discovery payload
Mar 02 12:03:23 [IKEv1 DEBUG]IP = 7.1.0.2, computing NAT Discovery hash
Mar 02 12:03:23 [IKEv1 DEBUG]IP = 7.1.0.2, processing NAT-Discovery payload
Mar 02 12:03:23 [IKEv1 DEBUG]IP = 7.1.0.2, computing NAT Discovery hash
Mar 02 12:03:23 [IKEv1 DEBUG]IP = 7.1.0.2, constructing ke payload
Mar 02 12:03:23 [IKEv1 DEBUG]IP = 7.1.0.2, constructing nonce payload
Mar 02 12:03:23 [IKEv1 DEBUG]IP = 7.1.0.2, constructing Cisco Unity VID payload
Mar 02 12:03:23 [IKEv1 DEBUG]IP = 7.1.0.2, constructing xauth V6 VID payload
Mar 02 12:03:23 [IKEv1 DEBUG]IP = 7.1.0.2, Send IOS VID
Mar 02 12:03:23 [IKEv1 DEBUG]IP = 7.1.0.2, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Mar 02 12:03:23 [IKEv1 DEBUG]IP = 7.1.0.2, constructing VID payload
Mar 02 12:03:23 [IKEv1 DEBUG]IP = 7.1.0.2, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Mar 02 12:03:23 [IKEv1 DEBUG]IP = 7.1.0.2, constructing NAT-Discovery payload
Mar 02 12:03:23 [IKEv1 DEBUG]IP = 7.1.0.2, computing NAT Discovery hash
Mar 02 12:03:23 [IKEv1 DEBUG]IP = 7.1.0.2, constructing NAT-Discovery payload
Mar 02 12:03:23 [IKEv1 DEBUG]IP = 7.1.0.2, computing NAT Discovery hash
Mar 02 12:03:23 [IKEv1]IP = 7.1.0.2, Connection landed on tunnel_group DefaultRAGroup
Mar 02 12:03:23 [IKEv1]Group = DefaultRAGroup, IP = 7.1.0.2, No valid authentication type found for the tunnel group
Mar 02 12:03:23 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 7.1.0.2, Generating keys for Responder...
Mar 02 12:03:23 [IKEv1]IP = 7.1.0.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 296
Mar 02 12:03:23 [IKEv1]IP = 7.1.0.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 92
Mar 02 12:03:23 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 7.1.0.2, processing ID payload
Mar 02 12:03:23 [IKEv1 DECODE]Group = DefaultRAGroup, IP = 7.1.0.2, ID_IPV4_ADDR ID received
7.1.0.2
Mar 02 12:03:23 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 7.1.0.2, processing hash payload
Mar 02 12:03:23 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 7.1.0.2, Computing hash for ISAKMP
Mar 02 12:03:23 [IKEv1 DEBUG]IP = 7.1.0.2, Processing IOS keep alive payload: proposal=32767/32767 sec.
Mar 02 12:03:23 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 7.1.0.2, processing VID payload
Mar 02 12:03:23 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 7.1.0.2, Received DPD VID
Mar 02 12:03:23 [IKEv1]Group = DefaultRAGroup, IP = 7.1.0.2, Automatic NAT Detection Status:     Remote end is NOT behind a NAT device     This   end is NOT behind a NAT device
Mar 02 12:03:23 [IKEv1]IP = 7.1.0.2, Connection landed on tunnel_group DefaultRAGroup
Mar 02 12:03:23 [IKEv1]Group = DefaultRAGroup, IP = 7.1.0.2, No valid authentication type found for the tunnel group
Mar 02 12:03:23 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 7.1.0.2, constructing ID payload
Mar 02 12:03:23 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 7.1.0.2, constructing hash payload
Mar 02 12:03:23 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 7.1.0.2, Computing hash for ISAKMP
Mar 02 12:03:23 [IKEv1 DEBUG]IP = 7.1.0.2, Constructing IOS keep alive payload: proposal=32767/32767 sec.
Mar 02 12:03:23 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 7.1.0.2, constructing dpd vid payload
Mar 02 12:03:23 [IKEv1]IP = 7.1.0.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 101
Mar 02 12:03:23 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 7.1.0.2, IKEGetUserAttributes: primary DNS = 201.201.201.201
Mar 02 12:03:23 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 7.1.0.2, IKEGetUserAttributes: secondary DNS = cleared
Mar 02 12:03:23 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 7.1.0.2, IKEGetUserAttributes: primary WINS = 10.10.10.10
Mar 02 12:03:23 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 7.1.0.2, IKEGetUserAttributes: secondary WINS = cleared
Mar 02 12:03:23 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 7.1.0.2, IKEGetUserAttributes: split tunneling list = HEADEND
Mar 02 12:03:23 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 7.1.0.2, IKEGetUserAttributes: default domain = TEST1.CA
Mar 02 12:03:23 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 7.1.0.2, IKEGetUserAttributes: IP Compression = disabled
Mar 02 12:03:23 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 7.1.0.2, IKEGetUserAttributes: Split Tunneling Policy = Disabled
Mar 02 12:03:23 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 7.1.0.2, IKEGetUserAttributes: Browser Proxy Setting = no-modify
Mar 02 12:03:23 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 7.1.0.2, IKEGetUserAttributes: Browser Proxy Bypass Local = disable
Mar 02 12:03:23 [IKEv1]Group = DefaultRAGroup, IP = 7.1.0.2, IKE: Filter conflict: received filter-ID (filter name=no filter) along with an AV-PAIR dynamic ACL filter (filter name = DAP-ip-user-A0F3D00B).AV-PAIR dynamic filter will be applied.
Mar 02 12:03:23 [IKEv1]Group = DefaultRAGroup, IP = 7.1.0.2, User () authenticated.
Mar 02 12:03:23 [IKEv1 DECODE]IP = 7.1.0.2, IKE Responder starting QM: msg id = 4203010f
Mar 02 12:03:23 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 7.1.0.2, Delay Quick Mode processing, Cert/Trans Exch/RM DSID in progress
Mar 02 12:03:23 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 7.1.0.2, Resume Quick Mode processing, Cert/Trans Exch/RM DSID completed
Mar 02 12:03:23 [IKEv1]Group = DefaultRAGroup, IP = 7.1.0.2, PHASE 1 COMPLETED
Mar 02 12:03:23 [IKEv1]IP = 7.1.0.2, Keep-alive type for this connection: DPD
Mar 02 12:03:23 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 7.1.0.2, Starting P1 rekey timer: 24480 seconds.
Mar 02 12:03:23 [IKEv1]IP = 7.1.0.2, IKE_DECODE RECEIVED Message (msgid=4203010f) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + KE (4) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 320
Mar 02 12:03:23 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 7.1.0.2, processing hash payload
Mar 02 12:03:23 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 7.1.0.2, processing SA payload
Mar 02 12:03:23 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 7.1.0.2, processing nonce payload
Mar 02 12:03:23 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 7.1.0.2, processing ke payload
Mar 02 12:03:23 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 7.1.0.2, processing ISA_KE for PFS in phase 2
Mar 02 12:03:23 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 7.1.0.2, processing ID payload
Mar 02 12:03:23 [IKEv1 DECODE]Group = DefaultRAGroup, IP = 7.1.0.2, ID_IPV4_ADDR ID received
7.1.0.2
Mar 02 12:03:23 [IKEv1]Group = DefaultRAGroup, IP = 7.1.0.2, Received remote Proxy Host data in ID Payload: Address 7.1.0.2, Protocol 0, Port 0
Mar 02 12:03:23 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 7.1.0.2, processing ID payload
Mar 02 12:03:23 [IKEv1 DECODE]Group = DefaultRAGroup, IP = 7.1.0.2, ID_IPV4_ADDR ID received
7.0.0.2
Mar 02 12:03:23 [IKEv1]Group = DefaultRAGroup, IP = 7.1.0.2, Received local Proxy Host data in ID Payload: Address 7.0.0.2, Protocol 0, Port 0
Mar 02 12:03:23 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 7.1.0.2, processing notify payload
Mar 02 12:03:23 [IKEv1]Group = DefaultRAGroup, IP = 7.1.0.2, QM IsRekeyed old sa not found by addr
Mar 02 12:03:23 [IKEv1]Group = DefaultRAGroup, IP = 7.1.0.2, Static Crypto Map check, map DYNMAP, seq = 10 is a successful match
Mar 02 12:03:23 [IKEv1]Group = DefaultRAGroup, IP = 7.1.0.2, IKE Remote Peer configured for crypto map: DYNMAP
Mar 02 12:03:23 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 7.1.0.2, processing IPSec SA payload
Mar 02 12:03:23 [IKEv1]Group = DefaultRAGroup, IP = 7.1.0.2, All IPSec SA proposals found unacceptable!
Mar 02 12:03:23 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 7.1.0.2, sending notify message
Mar 02 12:03:23 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 7.1.0.2, constructing blank hash payload
Mar 02 12:03:23 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 7.1.0.2, constructing ipsec notify payload for msg id 4203010f
Mar 02 12:03:23 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 7.1.0.2, constructing qm hash payload
Mar 02 12:03:23 [IKEv1]IP = 7.1.0.2, IKE_DECODE SENDING Message (msgid=5dc3acae) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80
Mar 02 12:03:23 [IKEv1]Group = DefaultRAGroup, IP = 7.1.0.2, QM FSM error (P2 struct &0x00007fff9e5d3850, mess id 0x4203010f)!
Mar 02 12:03:23 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 7.1.0.2, IKE QM Responder FSM error history (struct &0x00007fff9e5d3850) <state>, <event>: QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_NEGO_SA-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH
Mar 02 12:03:23 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 7.1.0.2, sending delete/delete with reason message
Mar 02 12:03:23 [IKEv1]Group = DefaultRAGroup, IP = 7.1.0.2, Removing peer from correlator table failed, no match!
Mar 02 12:03:23 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 7.1.0.2, IKE SA MM:c8ea33d7 rcv'd Terminate: state MM_ACTIVE flags 0x0001c042, refcnt 1, tuncnt 0
Mar 02 12:03:23 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 7.1.0.2, IKE SA MM:c8ea33d7 terminating: flags 0x0101c002, refcnt 0, tuncnt 0
Mar 02 12:03:23 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 7.1.0.2, sending delete/delete with reason message
Mar 02 12:03:23 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 7.1.0.2, constructing blank hash payload
Mar 02 12:03:23 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 7.1.0.2, constructing IKE delete payload
Mar 02 12:03:23 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 7.1.0.2, constructing qm hash payload
Mar 02 12:03:23 [IKEv1]IP = 7.1.0.2, IKE_DECODE SENDING Message (msgid=b984f46a) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 76
Mar 02 12:03:23 [IKEv1]Group = DefaultRAGroup, IP = 7.1.0.2, Session is being torn down. Reason: Phase 2 Mismatch
Mar 02 12:03:23 [IKEv1]Ignoring msg to mark SA with dsID 1900544 dead because SA deleted
Mar 02 12:03:23 [IKEv1]IP = 7.1.0.2, Received encrypted packet with no matching SA, dropping

Thanks,

Ken

Jon Marshall · ‎03-02-2015

Ken

It appears from the output that it is using the wrong group to try and connect.

The DefaultRAGroup is for remote access VPNs not L2L VPNs.

Because your other end is dynamic you cannot set up an explicit tunnel-group for the remote ASA but I was hoping if you added that command to the DefaultL2LGroup it would use that group.

I'm not sure currently why it is using the wrong group.

Let me have a dig around.

Jon

Ken Mackay · ‎03-02-2015

Jon

Same key for all authentications.

Ken

Jon Marshall · ‎03-02-2015

Ken

This may be the issue.

From what I understand when the connection is first made because the remote end is dynamic your ASA doesn't know whether this is a remote access VPN or a L2L VPN.

So it defaults to the DefaultRAGroup and if you are using the same key it will authenticate.

I may be wrong but could you try using a different key for the L2L VPN and then running the debug again to see if it is then trying the DefaultL2LGroup.

Jon

Ken Mackay · ‎03-02-2015

Jon,

I have disabled the PFS enable on both ASA's and now the tunnel is up. However not passing traffic. I will review the firewall configuration to see if I can get ping across the tunnel.

Thanks,

Ken

HUB & SPOKE environment with ASA5512 as the HUB and ASA5505 as spoke.