cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
5356
Views
115
Helpful
75
Replies

HUB & SPOKE environment with ASA5512 as the HUB and ASA5505 as spoke.

Ken Mackay
Level 1
Level 1

I can't seem to get by the error's. Phase 1 completes, then the errors start, 7.0.0.2 recieved non-routine notify message no proposal choosen, connection terminated for peer 7.0.0.2 reason peer terminate remote proxy N/A local Proxy N/A, 7.0.0.2 removing peer from correlator table failed, no match, seesion being torn down reason user requested, group 7.0.0.2 automatic NAT detection status remote end is not behind NAT device, this end is not behind NAT device. The other end the ASA5512 I get IP 7.1.0.2 no valid authentication type found for the tunnel group, Remote end is not behind NAT device, the DAP records were selected for connection DfltAccessPolicy, Phase 1 completed, All IPSEC SA proposals found unacceptable, IP 7.1.0.2 QM FSM error, removing peer from correlator table failed no match, 7.1.0.2 session being torn down reason Phase 2 Mismatch, 7.1.0.2 session disconnected type IKEV1, recevied encrypted packet with no matchin SA dropping.

I have searched internet and found many results however as changes implemented I always end back at this point. Any HELP would be greatly appreciated. Lost two days in the LAB. I will post configs. This a test soon to go into production. Thanks

Ken

 

ASA1# sho run
: Saved
:
ASA Version 9.1(2)
!
hostname ASA1
domain-name TEST1.CA
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface GigabitEthernet0/0
 nameif Outside
 security-level 100
 ip address 7.0.0.2 255.255.255.0
!
interface GigabitEthernet0/1
 nameif AS1toR1
 security-level 50
 ip address 1.0.0.2 255.255.255.0
!
interface GigabitEthernet0/2
 nameif AS1toR2
 security-level 50
 ip address 3.0.0.2 255.255.255.0
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 nameif management
 security-level 0
 ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
dns domain-lookup Outside
dns domain-lookup AS1toR1
dns domain-lookup AS1toR2
dns domain-lookup management
dns server-group DefaultDNS
 name-server 201.201.201.201
 domain-name TEST1.CA
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj-1.0.0.0
object network 2.0.0.0
 subnet 2.0.0.0 255.255.255.0
object network 6.0.0.0
 subnet 6.0.0.0 255.255.255.0
object network 7.1.0.0
 subnet 7.1.0.0 255.255.255.0
object network 8.0.0.0
 subnet 8.0.0.0 255.255.255.0
object network 9.0.0.0
 subnet 9.0.0.0 255.255.255.0
object-group network DM_INLINE_NETWORK_3
 network-object 1.0.0.0 255.255.255.0
 network-object 3.0.0.0 255.255.255.0
 network-object object 2.0.0.0
 network-object object 8.0.0.0
object-group network DM_INLINE_NETWORK_4
 network-object object 6.0.0.0
 network-object object 9.0.0.0
object-group network DM_INLINE_NETWORK_1
 network-object object 6.0.0.0
 network-object object 9.0.0.0
object-group network DM_INLINE_NETWORK_2
 network-object 1.0.0.0 255.255.255.0
 network-object 3.0.0.0 255.255.255.0
 network-object object 2.0.0.0
 network-object object 8.0.0.0
object-group network DM_INLINE_NETWORK_5
 network-object 1.0.0.0 255.255.255.0
 network-object 3.0.0.0 255.255.255.0
 network-object object 2.0.0.0
 network-object object 8.0.0.0
object-group network DM_INLINE_NETWORK_6
 network-object object 6.0.0.0
 network-object object 9.0.0.0
access-list HEADEND extended permit ip any any
access-list hq-to-vpnend extended permit ip object-group DM_INLINE_NETWORK_3 object-group DM_INLINE_NETWORK_4
access-list vpnend-to-hq extended permit ip object-group DM_INLINE_NETWORK_1 object-group DM_INLINE_NETWORK_2
access-list Outside_cryptomap_15 extended permit ip object-group DM_INLINE_NETWORK_5 object-group DM_INLINE_NETWORK_6
access-list Outside_access_in extended permit ip any any
access-list Outside_access_in extended permit icmp any4 any4
access-list AS1toR2_access_in extended permit icmp any4 any4
access-list AS1toR2_access_in extended permit ip any any
access-list AS1toR1_access_in extended permit ip any any
access-list AS1toR1_access_in extended permit icmp any4 any4
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu AS1toR1 1500
mtu AS1toR2 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
access-group Outside_access_in in interface Outside
access-group AS1toR1_access_in in interface AS1toR1
access-group AS1toR2_access_in in interface AS1toR2
!
router ospf 1
 network 1.0.0.0 255.255.255.0 area 0
 network 3.0.0.0 255.255.255.0 area 0
 network 7.0.0.0 255.255.255.0 area 0
 log-adj-changes
!
route Outside 0.0.0.0 0.0.0.0 7.0.0.1 125
route Outside 6.0.0.0 255.255.255.0 7.0.0.1 125
route Outside 9.0.0.0 255.255.255.0 7.0.0.1 125
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
eou allow none
http server enable
http 192.168.1.2 255.255.255.255 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
sysopt connection preserve-vpn-flows
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set MAP-VPN1 esp-3des esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 5 match address Outside_cryptomap_15
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 5 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 5 set ikev1 transform-set MAP-VPN1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 5 set reverse-route
crypto dynamic-map DYNMAP 10 set pfs
crypto dynamic-map DYNMAP 10 set ikev1 transform-set MAP-VPN1
crypto dynamic-map DYNMAP 10 set reverse-route
crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map HQ2REMOTE 10 ipsec-isakmp dynamic DYNMAP
crypto map HQ2REMOTE interface Outside
crypto ca trustpool policy
crypto ikev1 enable Outside
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 28800
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
vpn-addr-assign local reuse-delay 30
vpn load-balancing
 interface lbpublic Outside
 interface lbprivate AS1toR1
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable Outside
 no anyconnect-essentials
group-policy DfltGrpPolicy attributes
 wins-server value 10.10.10.10
 dns-server value 201.201.201.201
 vpn-idle-timeout none
 vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
 split-tunnel-network-list value HEADEND
 default-domain value TEST1.CA
 webvpn
  activex-relay disable
tunnel-group DefaultL2LGroup ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group DefaultRAGroup general-attributes
 secondary-authentication-server-group LOCAL
 authorization-server-group LOCAL
 nat-assigned-to-public-ip Outside
tunnel-group DefaultRAGroup ipsec-attributes
 ikev1 pre-shared-key *****
 peer-id-validate nocheck
 ikev1 user-authentication none
tunnel-group DefaultWEBVPNGroup general-attributes
 secondary-authentication-server-group LOCAL
tunnel-group DefaultWEBVPNGroup ipsec-attributes
 ikev1 pre-shared-key *****
 peer-id-validate nocheck
 ikev1 user-authentication none
tunnel-group-map default-group DefaultL2LGroup
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly 24
  subscribe-to-alert-group configuration periodic monthly 24
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:022709234965ad8943628e790ed5ed1f
: end
ASA1#
 
 
 
 
 
ASA2# sho run
: Saved
:
ASA Version 8.2(5)
!
hostname ASA2
domain-name TEST2.CA
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 switchport access vlan 14
!
interface Ethernet0/1
 switchport access vlan 24
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 switchport access vlan 4
!
interface Vlan1
 no nameif
 no security-level
 no ip address
!
interface Vlan4
 nameif management.
 security-level 0
 ip address 192.168.1.101 255.255.255.0
 management-only
!
interface Vlan14
 nameif Outside
 security-level 100
 ip address dhcp setroute
!
interface Vlan24
 nameif Inside
 security-level 50
 ip address 6.0.0.2 255.255.255.0
!
ftp mode passive
dns domain-lookup management.
dns domain-lookup Outside
dns domain-lookup Inside
dns server-group DefaultDNS
 domain-name TEST2.CA
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network DM_INLINE_NETWORK_1
 network-object 1.0.0.0 255.255.255.0
 network-object 2.0.0.0 255.255.255.0
 network-object 3.0.0.0 255.255.255.0
 network-object 8.0.0.0 255.255.255.0
object-group network DM_INLINE_NETWORK_2
 network-object 6.0.0.0 255.255.255.0
 network-object 9.0.0.0 255.255.255.0
object-group network DM_INLINE_NETWORK_5
 network-object 1.0.0.0 255.255.255.0
 network-object 2.0.0.0 255.255.255.0
 network-object 3.0.0.0 255.255.255.0
 network-object 8.0.0.0 255.255.255.0
object-group network DM_INLINE_NETWORK_6
 network-object 6.0.0.0 255.255.255.0
 network-object 9.0.0.0 255.255.255.0
access-list vpnend-to-hq extended permit ip object-group DM_INLINE_NETWORK_1 object-group DM_INLINE_NETWORK_2
access-list REMOTEEND extended permit ip any any
access-list hq-to-vpnend extended permit ip object-group DM_INLINE_NETWORK_5 object-group DM_INLINE_NETWORK_6
access-list Outside_access_in extended permit ip any any
access-list Outside_access_in extended permit icmp any any
access-list Inside_access_in extended permit ip any any
access-list Inside_access_in extended permit icmp any any
pager lines 24
logging enable
logging asdm informational
mtu management. 1500
mtu Outside 1500
mtu Inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group Outside_access_in in interface Outside
access-group Inside_access_in in interface Inside
!
router ospf 1
 network 6.0.0.0 255.255.255.0 area 0
 network 7.1.0.0 255.255.255.0 area 0
 log-adj-changes
!
route Outside 1.0.0.0 255.255.255.0 7.0.0.2 125
route Outside 2.0.0.0 255.255.255.0 7.0.0.2 125
route Outside 3.0.0.0 255.255.255.0 7.0.0.2 125
route Outside 8.0.0.0 255.255.255.0 7.0.0.2 125
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
 network-acl REMOTEEND
eou allow none
http server enable
http 0.0.0.0 0.0.0.0 management.
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set MAP-VPN1 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set MAP-VPN1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route
crypto map HQ2REMOTE 15 match address vpnend-to-hq
crypto map HQ2REMOTE 15 set pfs
crypto map HQ2REMOTE 15 set connection-type originate-only
crypto map HQ2REMOTE 15 set peer 7.0.0.2
crypto map HQ2REMOTE 15 set transform-set MAP-VPN1
crypto map HQ2REMOTE 15 set security-association lifetime seconds 28800
crypto map HQ2REMOTE 15 set security-association lifetime kilobytes 4608000
crypto map HQ2REMOTE 15 set reverse-route
crypto map HQ2REMOTE 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map HQ2REMOTE interface Outside
crypto isakmp enable Outside
crypto isakmp policy 15
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 28800
crypto isakmp ipsec-over-tcp port 10000
vpn-addr-assign local reuse-delay 5
telnet timeout 5
ssh timeout 5
console timeout 0
dhcp-client client-id interface Outside
 
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption 3des-sha1
webvpn
 enable Outside
group-policy DfltGrpPolicy attributes
 wins-server value 10.10.10.10
 dns-server value 201.201.201.201
 vpn-idle-timeout none
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 split-tunnel-network-list value REMOTEEND
 default-domain value TEST2.CA
 smartcard-removal-disconnect disable
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *****
tunnel-group DefaultRAGroup general-attributes
 authorization-server-group LOCAL
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *****
tunnel-group DefaultWEBVPNGroup ipsec-attributes
 pre-shared-key *****
tunnel-group 7.0.0.2 type ipsec-l2l
tunnel-group 7.0.0.2 ipsec-attributes
 pre-shared-key *****
 peer-id-validate nocheck
tunnel-group-map default-group 7.0.0.2
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:0d04273f55e788e2a4ad4d025084d33d
: end
ASA2#

 

75 Replies 75

Ken

Can you post full configs again as I want to see what they are currently working with please.

Jon

Great Jon. Should I put that password back into DefaultRAGroup?

Thanks,

Ken

Ken

This thread is getting very large.

Can you post any new outputs as attachments to the your post.

That should help keep the thread manageable.

Jon

Ken

I think we should try and get this working first.

You aren't doing remote access VPNs so it's not needed at the moment.

Can you post the current configs but as attachments to the post.

Jon

 

Jon,

Attached as requested.

Thanks,

Ken

Ken

On ASA1 some of the networks do not have subnet masks and some do but on ASA2 they all have subnet masks.

I know you said a while back you couldn't change them but you must be able to because some of the entries do have the right subnet mask.

You need to make ASA1 match exactly, including subnet masks.

Then as before clear the tunnels and retry.

If it isn't negotiating post the "debug crypto isakmp 127" output and if it has please post the "sh crypto ipsec sa" output.

Jon

Jon,

I know you mentioned that before. However when I'm reviewing from through the ASDM  all interfaces have subnet masks, static routes, ospf, and the ACL Manager. However when you do a show run it appears as you say? I'm sure your referring to the network objects and I have re-confirmed. I believe it has something to do with the different code versions? ASA1 9.1 and ASA2 8.2 Everything in this test setup is using the same subnet mask 255.255.255.0 I guess I could remove them all put them back to see if that corrects the issue? I'll look back on recent site to site VPN configs.

 

ASA1#
ASA1# clear crypto ipsec sa
ASA1# clear crypto isakmp sa
ASA1# debug crypto isakmp 127
ASA1#
ASA1# Mar 03 14:47:47 [IKEv1]IP = 7.1.0.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 168
Mar 03 14:47:47 [IKEv1 DEBUG]IP = 7.1.0.2, processing SA payload
Mar 03 14:47:47 [IKEv1 DEBUG]IP = 7.1.0.2, Oakley proposal is acceptable
Mar 03 14:47:47 [IKEv1 DEBUG]IP = 7.1.0.2, processing VID payload
Mar 03 14:47:47 [IKEv1 DEBUG]IP = 7.1.0.2, Received NAT-Traversal ver 02 VID
Mar 03 14:47:47 [IKEv1 DEBUG]IP = 7.1.0.2, processing VID payload
Mar 03 14:47:47 [IKEv1 DEBUG]IP = 7.1.0.2, Received NAT-Traversal ver 03 VID
Mar 03 14:47:47 [IKEv1 DEBUG]IP = 7.1.0.2, processing VID payload
Mar 03 14:47:47 [IKEv1 DEBUG]IP = 7.1.0.2, Received NAT-Traversal RFC VID
Mar 03 14:47:47 [IKEv1 DEBUG]IP = 7.1.0.2, processing VID payload
Mar 03 14:47:47 [IKEv1 DEBUG]IP = 7.1.0.2, Received Fragmentation VID
Mar 03 14:47:47 [IKEv1 DEBUG]IP = 7.1.0.2, IKE Peer included IKE fragmentation capability flags:  Main Mode:        True  Aggressive Mode:  True
Mar 03 14:47:47 [IKEv1 DEBUG]IP = 7.1.0.2, processing IKE SA payload
Mar 03 14:47:47 [IKEv1 DEBUG]IP = 7.1.0.2, IKE SA Proposal # 1, Transform # 1 acceptable  Matches global IKE entry # 2
Mar 03 14:47:47 [IKEv1 DEBUG]IP = 7.1.0.2, constructing ISAKMP SA payload
Mar 03 14:47:47 [IKEv1 DEBUG]IP = 7.1.0.2, constructing NAT-Traversal VID ver RFC payload
Mar 03 14:47:47 [IKEv1 DEBUG]IP = 7.1.0.2, constructing Fragmentation VID + extended capabilities payload
Mar 03 14:47:47 [IKEv1]IP = 7.1.0.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 124
Mar 03 14:47:47 [IKEv1]IP = 7.1.0.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 296
Mar 03 14:47:47 [IKEv1 DEBUG]IP = 7.1.0.2, processing ke payload
Mar 03 14:47:47 [IKEv1 DEBUG]IP = 7.1.0.2, processing ISA_KE payload
Mar 03 14:47:47 [IKEv1 DEBUG]IP = 7.1.0.2, processing nonce payload
Mar 03 14:47:47 [IKEv1 DEBUG]IP = 7.1.0.2, processing VID payload
Mar 03 14:47:47 [IKEv1 DEBUG]IP = 7.1.0.2, Received Cisco Unity client VID
Mar 03 14:47:47 [IKEv1 DEBUG]IP = 7.1.0.2, processing VID payload
Mar 03 14:47:47 [IKEv1 DEBUG]IP = 7.1.0.2, Received xauth V6 VID
Mar 03 14:47:47 [IKEv1 DEBUG]IP = 7.1.0.2, processing VID payload
Mar 03 14:47:47 [IKEv1 DEBUG]IP = 7.1.0.2, Processing VPN3000/ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Mar 03 14:47:47 [IKEv1 DEBUG]IP = 7.1.0.2, processing VID payload
Mar 03 14:47:47 [IKEv1 DEBUG]IP = 7.1.0.2, Received Altiga/Cisco VPN3000/Cisco ASA GW VID
Mar 03 14:47:47 [IKEv1 DEBUG]IP = 7.1.0.2, processing NAT-Discovery payload
Mar 03 14:47:47 [IKEv1 DEBUG]IP = 7.1.0.2, computing NAT Discovery hash
Mar 03 14:47:47 [IKEv1 DEBUG]IP = 7.1.0.2, processing NAT-Discovery payload
Mar 03 14:47:47 [IKEv1 DEBUG]IP = 7.1.0.2, computing NAT Discovery hash
Mar 03 14:47:47 [IKEv1 DEBUG]IP = 7.1.0.2, constructing ke payload
Mar 03 14:47:47 [IKEv1 DEBUG]IP = 7.1.0.2, constructing nonce payload
Mar 03 14:47:47 [IKEv1 DEBUG]IP = 7.1.0.2, constructing Cisco Unity VID payload
Mar 03 14:47:47 [IKEv1 DEBUG]IP = 7.1.0.2, constructing xauth V6 VID payload
Mar 03 14:47:47 [IKEv1 DEBUG]IP = 7.1.0.2, Send IOS VID
Mar 03 14:47:47 [IKEv1 DEBUG]IP = 7.1.0.2, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Mar 03 14:47:47 [IKEv1 DEBUG]IP = 7.1.0.2, constructing VID payload
Mar 03 14:47:47 [IKEv1 DEBUG]IP = 7.1.0.2, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Mar 03 14:47:47 [IKEv1 DEBUG]IP = 7.1.0.2, constructing NAT-Discovery payload
Mar 03 14:47:47 [IKEv1 DEBUG]IP = 7.1.0.2, computing NAT Discovery hash
Mar 03 14:47:47 [IKEv1 DEBUG]IP = 7.1.0.2, constructing NAT-Discovery payload
Mar 03 14:47:47 [IKEv1 DEBUG]IP = 7.1.0.2, computing NAT Discovery hash
Mar 03 14:47:47 [IKEv1]IP = 7.1.0.2, Connection landed on tunnel_group DefaultL2LGroup
Mar 03 14:47:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, Generating keys for Responder...
Mar 03 14:47:47 [IKEv1]IP = 7.1.0.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 296
Mar 03 14:47:47 [IKEv1]IP = 7.1.0.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 92
Mar 03 14:47:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, processing ID payload
Mar 03 14:47:47 [IKEv1 DECODE]Group = DefaultL2LGroup, IP = 7.1.0.2, ID_IPV4_ADDR ID received
7.1.0.2
Mar 03 14:47:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, processing hash payload
Mar 03 14:47:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, Computing hash for ISAKMP
Mar 03 14:47:47 [IKEv1 DEBUG]IP = 7.1.0.2, Processing IOS keep alive payload: proposal=32767/32767 sec.
Mar 03 14:47:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, processing VID payload
Mar 03 14:47:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, Received DPD VID
Mar 03 14:47:47 [IKEv1]Group = DefaultL2LGroup, IP = 7.1.0.2, Automatic NAT Detection Status:     Remote end is NOT behind a NAT device     This   end is NOT behind a NAT device
Mar 03 14:47:47 [IKEv1]IP = 7.1.0.2, Connection landed on tunnel_group DefaultL2LGroup
Mar 03 14:47:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, constructing ID payload
Mar 03 14:47:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, constructing hash payload
Mar 03 14:47:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, Computing hash for ISAKMP
Mar 03 14:47:47 [IKEv1 DEBUG]IP = 7.1.0.2, Constructing IOS keep alive payload: proposal=32767/32767 sec.
Mar 03 14:47:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, constructing dpd vid payload
Mar 03 14:47:47 [IKEv1]IP = 7.1.0.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 92
Mar 03 14:47:47 [IKEv1]Group = DefaultL2LGroup, IP = 7.1.0.2, PHASE 1 COMPLETED
Mar 03 14:47:47 [IKEv1]IP = 7.1.0.2, Keep-alive type for this connection: DPD
Mar 03 14:47:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, Starting P1 rekey timer: 24480 seconds.
Mar 03 14:47:47 [IKEv1 DECODE]IP = 7.1.0.2, IKE Responder starting QM: msg id = 4741dcc5
Mar 03 14:47:47 [IKEv1]IP = 7.1.0.2, IKE_DECODE RECEIVED Message (msgid=4741dcc5) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 184
Mar 03 14:47:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, processing hash payload
Mar 03 14:47:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, processing SA payload
Mar 03 14:47:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, processing nonce payload
Mar 03 14:47:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, processing ID payload
Mar 03 14:47:47 [IKEv1 DECODE]Group = DefaultL2LGroup, IP = 7.1.0.2, ID_IPV4_ADDR ID received
7.1.0.2
Mar 03 14:47:47 [IKEv1]Group = DefaultL2LGroup, IP = 7.1.0.2, Received remote Proxy Host data in ID Payload:  Address 7.1.0.2, Protocol 0, Port 0
Mar 03 14:47:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, processing ID payload
Mar 03 14:47:47 [IKEv1 DECODE]Group = DefaultL2LGroup, IP = 7.1.0.2, ID_IPV4_ADDR ID received
7.0.0.2
Mar 03 14:47:47 [IKEv1]Group = DefaultL2LGroup, IP = 7.1.0.2, Received local Proxy Host data in ID Payload:  Address 7.0.0.2, Protocol 0, Port 0
Mar 03 14:47:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, processing notify payload
Mar 03 14:47:47 [IKEv1]Group = DefaultL2LGroup, IP = 7.1.0.2, QM IsRekeyed old sa not found by addr
Mar 03 14:47:47 [IKEv1]Group = DefaultL2LGroup, IP = 7.1.0.2, Skipping dynamic map DYNMAP sequence 10: access-list mismatch.
Mar 03 14:47:47 [IKEv1]Group = DefaultL2LGroup, IP = 7.1.0.2, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 7.1.0.2/255.255.255.255/0/0 local proxy 7.0.0.2/255.255.255.255/0/0 on interface Outside
Mar 03 14:47:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, sending notify message
Mar 03 14:47:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, constructing blank hash payload
Mar 03 14:47:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, constructing qm hash payload
Mar 03 14:47:47 [IKEv1]IP = 7.1.0.2, IKE_DECODE SENDING Message (msgid=2131178d) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 236
Mar 03 14:47:47 [IKEv1]Group = DefaultL2LGroup, IP = 7.1.0.2, QM FSM error (P2 struct &0x00007fffa0661590, mess id 0x4741dcc5)!
Mar 03 14:47:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, IKE QM Responder FSM error history (struct &0x00007fffa0661590)  <state>, <event>:  QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_NEGO_SA-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH
Mar 03 14:47:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, sending delete/delete with reason message
Mar 03 14:47:47 [IKEv1]Group = DefaultL2LGroup, IP = 7.1.0.2, Removing peer from correlator table failed, no match!
Mar 03 14:47:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, IKE SA MM:8bfaf064 rcv'd Terminate: state MM_ACTIVE  flags 0x0001c042, refcnt 1, tuncnt 0
Mar 03 14:47:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, IKE SA MM:8bfaf064 terminating:  flags 0x0101c002, refcnt 0, tuncnt 0
Mar 03 14:47:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, sending delete/delete with reason message
Mar 03 14:47:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, constructing blank hash payload
Mar 03 14:47:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, constructing IKE delete payload
Mar 03 14:47:47 [IKEv1 DEBUG]Group = DefaultL2LGroup, IP = 7.1.0.2, constructing qm hash payload
Mar 03 14:47:47 [IKEv1]IP = 7.1.0.2, IKE_DECODE SENDING Message (msgid=d158e734) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 76
Mar 03 14:47:47 [IKEv1]Group = DefaultL2LGroup, IP = 7.1.0.2, Session is being torn down. Reason: crypto map policy not found
Mar 03 14:47:47 [IKEv1]Ignoring msg to mark SA with dsID 929792 dead because SA deleted
Mar 03 14:47:47 [IKEv1]IP = 7.1.0.2, Received encrypted packet with no matching SA, dropping
 
ASA1# undebug all
ASA1#

 

Thanks,

Ken
 
 

 

It is complaining about an access-list mismatch so I'm assuming that is the problem although that might be misleading.

If you can get into the CLI and recreate the object groups on ASA1 so they are all using subnet masks then at least we have ruled something else out.

By the way sincere thank you for all the ratings, I appreciate you taking the time to rate as many don't.

However as this thread could well go on for a while could you just rate the last post that fixes it (and we will fix this) or I'm going to get into trouble and be accused of fixing the ratings system :-)

Many thanks so far Ken, I won't give up on this till we get it working.

Jon

 

Jon,

Oh I wasn't sure about the rating system? Since you started in the PM and I began first thing this AM perhaps you'd like to call it a day? I can re-create the object groups and we can pick this up tomorrow. I appreciate all your hard work on this.

Thanks,

Ken

Ken

It's absolutely not an issue so not worries about it.

I'm happy to carry on if you want to as I think we are getting quite close to getting this working.

It's still only evening here and I'm just catching up on BBC iplayer so if you want to try it out I'm happy to stick with it.

Jon

 

Well thanks Jon, however I have an appointment to get to. Besides you gave me a full day here. I'll re-create those object groups and hopefully we can pick it up tomorrow and get that tunnel back up. Yes, I know we are close. I must say I learned a few things from you.

Thanks,

Ken

Jon,

Good news after putting the ACL back in the tunnel came back up. I know now why some of the subnets appreared to have no subnetmask, it's be cause they were named 1.0.0.0 or 2.0.0.0 etc. It was misleading. I also insured that the key was removed on both ASA's for DefaultWEBVPNGroup and DefaultRAGroup. I have attached the current configs for your review. Also did a "clear crypto ipsec sa" and tunnel came back up.  Also with the file there is a "sho crypto ipsec sa" copy. So the only issue is to get traffic moving. Again I believe it's a ACL issue the error I'm recieving is Source IP 9.0.0.2 Source destination 8.0.0.1 Deny inbound icmp src Inside 9.0.0.2 dst Outside 8.0.0.1 (type 8, code 0)

Thanks,

Ken

Ken

This still isn't right. If it works then when you do a "sh crypto ipsec sa" you should see two SAs per entry in your acls which you aren't.

However I noticed that you are again missing the acl on ASA1 for the crypto map. Can you add this -

"crypto dynamic-map DYNMAP 10 match address <acl name>"

you have to make sure that is there otherwise ASA1 does not know what SAs to create.

Can you add that, clear the tunnels and try again.

Please capture a "debug crypto isakmp 127" and also include a "sh crypto ipsec sa" once the tunnels are back up.

Jon

Ken

You have recreated the object groups but make sure the acl you add references those object groups.

The acl in the crypto map must match ASA2 exactly including subnet masks.

Jon

Jon,

I was just about to forward the working config with the tunnel up passing data. However after entering the match address command I lost the pings and the tunnel is down. Attached are the debugs.

Thanks,

Ken