IKEv1 ASA to Router VPN S2S Phase 2 not working

chrisbuchner
Level 1

Hi All,

I am trying to connect a Cisco 4321 router with a dynamic LTE IP to a static Cisco 5506-X ASA. When I create the tunnel statically it works 100%. But when I try to do it dynamically on the ASA, it's complaining about: crypto map policy not found.

dst              src               state        conn-id  status
ASAPUBLICIP      ROUTERPUBLICIP    MM_NO_STATE  1391     ACTIVE (deleted)

The router should be able to ping the network past the ASA as well.

Attached is the config and debugs for both devices.

What am I missing in the configuration in order for it to work? There are hardly any good examples for a dynamic router VPN to a static ASA...

Thanks for your help!

1 Accepted Solution

3 Replies

On the firewall you have the access-list as:

access-list ROUTER_VPN_ACL extended permit ip object-group LAN_NETWORKS object-group ROUTER_NETWORK

!

object-group network LAN_NETWORKS
network-object 10.0.0.0 255.0.0.0
network-object 172.160.0.0 255.240.0.0
network-object 172.16.0.0 255.240.0.0
network-object 192.168.0.0 255.255.0.0
network-object object obj_any
object-group network ROUTER_NETWORKS
network-object 10.170.124.160 255.255.255.224

whereas in your router ACL you have defined:

!

ip access-list extended CMAP_ACL
permit ip any any

Your access-lists must be mirrored on both ends.

Please do not forget to rate.
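The mirror rule above is easy to get wrong by hand because IOS writes the crypto ACL with wildcard masks and the ASA writes it with subnet masks and object-groups. The following script is an added example, not code from the thread or from Cisco: it parses both syntaxes into (source, destination) network pairs and reports every entry that has no swapped counterpart on the other side. The object-group table and the ACL lines it checks are constructed from the entries quoted in this thread; the object-group membership is an assumption.

```python
"""Mirror-check for crypto ACLs on an IKEv1 IOS-to-ASA site-to-site tunnel.

Added example (not from the thread or from Cisco): parses 'permit ip'
entries written in IOS wildcard-mask form and in ASA subnet-mask form,
expands ASA object-groups, and reports every entry that has no mirrored
(source/destination swapped) counterpart on the other side.
"""
import ipaddress

IPv4Net = ipaddress.IPv4Network
ANY = IPv4Net("0.0.0.0/0")

# Constructed object-group table. The names come from the thread; the
# membership is an assumption for this example.
ASA_OBJECT_GROUPS = {
    "LAN_NETWORKS": ["10.0.0.0 255.0.0.0", "172.16.0.0 255.240.0.0",
                     "192.168.0.0 255.255.0.0"],
    "ROUTER_NETWORKS": ["10.170.124.160 255.255.255.224"],
}


def ios_operand(toks, i):
    """Consume one IOS ACE operand (any | host A | A WILDCARD); return ([net], next_index)."""
    t = toks[i]
    if t == "any":
        return [ANY], i + 1
    if t == "host":
        return [IPv4Net(f"{toks[i + 1]}/32")], i + 2
    wildcard = int(ipaddress.IPv4Address(toks[i + 1]))
    if wildcard & (wildcard + 1):  # only contiguous wildcards map to a prefix length
        raise ValueError(f"non-contiguous wildcard {toks[i + 1]}")
    prefixlen = 32 - bin(wildcard).count("1")
    return [IPv4Net(f"{t}/{prefixlen}", strict=False)], i + 2


def asa_operand(toks, i, groups):
    """Consume one ASA ACE operand (any | any4 | host A | A MASK | object-group NAME)."""
    t = toks[i]
    if t in ("any", "any4"):
        return [ANY], i + 1
    if t == "host":
        return [IPv4Net(f"{toks[i + 1]}/32")], i + 2
    if t == "object-group":
        members = groups[toks[i + 1]]
        return [IPv4Net(m.replace(" ", "/"), strict=False) for m in members], i + 2
    return [IPv4Net(f"{t}/{toks[i + 1]}", strict=False)], i + 2


def parse_ios_acl(lines):
    """'permit ip SRC DST' lines -> set of (src_net, dst_net); other lines are ignored."""
    pairs = set()
    for line in lines:
        toks = line.split()
        if toks[:2] != ["permit", "ip"]:
            continue
        srcs, i = ios_operand(toks, 2)
        dsts, _ = ios_operand(toks, i)
        pairs.update((s, d) for s in srcs for d in dsts)
    return pairs


def parse_asa_acl(lines, groups=ASA_OBJECT_GROUPS):
    """'access-list NAME extended permit ip SRC DST' lines -> set of (src_net, dst_net)."""
    pairs = set()
    for line in lines:
        toks = line.split()
        if toks[:1] != ["access-list"] or toks[3:5] != ["permit", "ip"]:
            continue
        srcs, i = asa_operand(toks, 5, groups)
        dsts, _ = asa_operand(toks, i, groups)
        pairs.update((s, d) for s in srcs for d in dsts)
    return pairs


def mirror_mismatches(router_lines, asa_lines):
    """Return (router entries lacking an ASA mirror, ASA entries lacking a router mirror)."""
    router = parse_ios_acl(router_lines)
    asa = parse_asa_acl(asa_lines)
    router_unmatched = {(s, d) for s, d in router if (d, s) not in asa}
    asa_unmatched = {(s, d) for s, d in asa if (d, s) not in router}
    return router_unmatched, asa_unmatched


def is_mirrored(router_lines, asa_lines):
    """True when every entry on each side has its swapped twin on the other."""
    r, a = mirror_mismatches(router_lines, asa_lines)
    return not r and not a


# Constructed inputs modelled on the two configurations quoted in the thread.
ROUTER_BEFORE = ["permit ip any any"]
ASA_BEFORE = ["access-list ROUTER_VPN_ACL extended permit ip "
              "object-group LAN_NETWORKS object-group ROUTER_NETWORKS"]
ROUTER_AFTER = ["permit ip 10.170.124.160 0.0.0.31 10.170.124.128 0.0.0.31"]
ASA_AFTER = ["access-list ROUTER_VPN_ACL extended permit ip "
             "10.170.124.128 255.255.255.224 object-group ROUTER_NETWORKS"]

if __name__ == "__main__":
    for label, r, a in (("before", ROUTER_BEFORE, ASA_BEFORE), ("after", ROUTER_AFTER, ASA_AFTER)):
        ru, au = mirror_mismatches(r, a)
        print(f"{label}: mirrored={not ru and not au} router_unmatched={ru} asa_unmatched={au}")
```

Run as-is, the "before" pair (router `permit ip any any` against the ASA's object-group entry) reports one unmatched router entry and three unmatched ASA entries, while the "after" pair from the follow-up post is a clean mirror. Non-contiguous wildcards are rejected rather than guessed at, because they cannot be expressed as a single network on the ASA side.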

Hi Sheraz,

I have set the two subnets as below would this

Router

ip access-list extended CMAP_ACL
permit ip 10.170.124.160 0.0.0.31 10.170.124.128 0.0.0.31

ASA

access-list ROUTER_VPN_ACL extended permit ip 10.170.124.128 255.255.255.224 object-group ROUTER_NETWORKS

But now I get on the ASA:

Feb 23 2021 11:57:52: %ASA-3-713902: Group = DefaultL2LGroup, IP = ROUTERPUBLICIP, QM FSM error (P2 struct &0x00007f44b3516810, mess id 0x5e67a74e)!
Feb 23 2021 11:57:52: %ASA-3-713902: Group = DefaultL2LGroup, IP = ROUTERPUBLICIP, Removing peer from correlator table failed, no match!
Feb 23 2021 11:57:52: %ASA-3-713194: Group = DefaultL2LGroup, IP = ROUTERPUBLICIP, Sending IKE Delete With Reason message: Phase-2 Proposal Mismatch.
Feb 23 2021 11:57:52: %ASA-4-113019: Group = DefaultL2LGroup, Username = DefaultL2LGroup, IP = ROUTERPUBLICIP, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:00m:01s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch

Oh, Phase-2 Proposal Mismatch: double check your IPsec transform-set value/configuration.

Please do not forget to rate.
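Once the crypto ACLs are mirrored, the remaining Phase 2 failure in this thread is a proposal mismatch, which the ASA reports in the %ASA-3-713194 message quoted above. The script below is an added example, not code from the thread or from Cisco: it extracts those Phase-2 events from ASA syslog text and then normalises IOS and ASA transform-set and PFS settings (IOS writes `esp-aes 256`, the ASA writes `esp-aes-256`) so that the two sides can be compared before bringing the tunnel up. All configuration fragments, the peer address, and the set/map names are constructed placeholders, not the poster's configuration.

```python
"""Phase-2 proposal triage for an IKEv1 IOS-to-ASA tunnel.

Added example (not from the thread or from Cisco): pulls Phase-2 mismatch
events out of ASA syslog text, then normalises IOS and ASA transform-set
and PFS settings into one comparable form. Every config and log line
below is constructed; addresses and names are placeholders.
"""
import re

PHASE2_RE = re.compile(
    r"%ASA-3-713194: .*IP = (?P<peer>\S+), .*Reason message: (?P<reason>[^.]+)\.")


def phase2_failures(log_text):
    """Return [(peer, reason)] for each 713194 IKE Delete whose reason names Phase-2."""
    return [(m.group("peer"), m.group("reason"))
            for m in PHASE2_RE.finditer(log_text) if "Phase-2" in m.group("reason")]


def normalize_transform(tokens):
    """IOS 'esp-aes 256' and ASA 'esp-aes-256' both become 'esp-aes-256';
    bare 'esp-aes' is 128-bit on both platforms. Returns a sorted tuple."""
    out, i = [], 0
    while i < len(tokens):
        t = tokens[i].lower()
        if t == "esp-aes" and i + 1 < len(tokens) and tokens[i + 1].isdigit():
            out.append(f"esp-aes-{tokens[i + 1]}")
            i += 2
            continue
        out.append("esp-aes-128" if t == "esp-aes" else t)
        i += 1
    return tuple(sorted(out))


def parse_ios_ipsec(config):
    """IOS: 'crypto ipsec transform-set NAME ...', optional ' mode ...', and 'set pfs'."""
    sets, pfs, current = {}, None, None
    for line in config.splitlines():
        toks = line.split()
        if toks[:3] == ["crypto", "ipsec", "transform-set"]:
            current = toks[3]
            sets[current] = {"algs": normalize_transform(toks[4:]), "mode": "tunnel"}
        elif toks[:1] == ["mode"] and current:
            sets[current]["mode"] = toks[1]
        elif toks[:2] == ["set", "pfs"]:
            # A bare 'set pfs' relies on a platform default; flagged rather than assumed.
            pfs = toks[2] if len(toks) > 2 else "unspecified"
    return sets, pfs


def parse_asa_ipsec(config):
    """ASA: 'crypto ipsec ikev1 transform-set NAME ...' and '... set pfs [group]'."""
    sets, pfs = {}, None
    for line in config.splitlines():
        toks = line.split()
        if toks[:4] == ["crypto", "ipsec", "ikev1", "transform-set"]:
            entry = sets.setdefault(toks[4], {"algs": (), "mode": "tunnel"})
            if toks[5:6] == ["mode"]:
                entry["mode"] = toks[6]
            else:
                entry["algs"] = normalize_transform(toks[5:])
        elif "pfs" in toks and toks[toks.index("pfs") - 1] == "set":
            idx = toks.index("pfs")
            pfs = toks[idx + 1] if len(toks) > idx + 1 else "unspecified"
    return sets, pfs


def compare_proposals(ios_cfg, asa_cfg):
    """Return a list of human-readable mismatches; an empty list means Phase 2 should agree."""
    ios_sets, ios_pfs = parse_ios_ipsec(ios_cfg)
    asa_sets, asa_pfs = parse_asa_ipsec(asa_cfg)
    problems = []
    if not any(s == t for s in ios_sets.values() for t in asa_sets.values()):
        problems.append(f"no transform-set in common: IOS {ios_sets} vs ASA {asa_sets}")
    if "unspecified" in (ios_pfs, asa_pfs):
        problems.append("PFS group not explicit on both sides; set the group explicitly")
    elif ios_pfs != asa_pfs:
        problems.append(f"PFS mismatch: IOS {ios_pfs} vs ASA {asa_pfs}")
    return problems


# Constructed fragments (not the poster's): the router proposes AES-256,
# the first ASA fragment offers AES-128, the second AES-256.
IOS_CONFIG = """\
crypto ipsec transform-set TS_ROUTER esp-aes 256 esp-sha-hmac
 mode tunnel
crypto map CMAP 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set TS_ROUTER
 set pfs group14
 match address CMAP_ACL
"""
ASA_MISMATCH = """\
crypto ipsec ikev1 transform-set TS_ASA esp-aes esp-sha-hmac
crypto dynamic-map DYN_MAP 10 set pfs group14
crypto dynamic-map DYN_MAP 10 set ikev1 transform-set TS_ASA
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic DYN_MAP
"""
ASA_FIXED = ASA_MISMATCH.replace("esp-aes esp-sha-hmac", "esp-aes-256 esp-sha-hmac")

# Constructed log lines in the format quoted in the thread; 203.0.113.7 is a placeholder peer.
ASA_LOG = """\
Feb 23 2021 11:57:52: %ASA-3-713194: Group = DefaultL2LGroup, IP = 203.0.113.7, Sending IKE Delete With Reason message: Phase-2 Proposal Mismatch.
Feb 23 2021 11:57:52: %ASA-4-113019: Group = DefaultL2LGroup, Username = DefaultL2LGroup, IP = 203.0.113.7, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:00m:01s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch
"""

if __name__ == "__main__":
    print("Phase-2 events:", phase2_failures(ASA_LOG))
    print("mismatched config:", compare_proposals(IOS_CONFIG, ASA_MISMATCH))
    print("fixed config:", compare_proposals(IOS_CONFIG, ASA_FIXED))
```

The comparison treats an unspecified PFS group as a problem on its own rather than assuming the two platforms share a default, which keeps the check honest when one side was configured with a bare `set pfs`.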