IPSec Problem

Ivan Kurguzov
Level 1

Hello.

There is the following structure:

 

192.168.34.0/23 <=> TMG <= IPSEC => ASA5510 9.0 (3) <=> 10.0.0.0/24 & 192.168.0.0/23.

 

The terminal server is located in the 10.0.0.0/24 subnet and is used by RDP users who are in the 192.168.34.0/23 subnet. Users began receiving complaints that the session is often interrupted. I looked into the log of my Cisco and found the following messages:

713061  Group = X.X.20.138, IP = X.X.20.138, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy X.X.20.138/255.255.255.255/0/0 local proxy 10.0.0.0/255.255.255.0/0/0 on interface OUTSIDE1
713902  Group = X.X.20.138, IP = X.X.20.138, QM FSM error (P2 struct &0xacfa1fd0, mess id 0x1)!
713902  Group = X.X.20.138, IP = X.X.20.138, Removing peer from correlator table failed, no match!

Cisco ASA configuration:

object network 192168340
 subnet 192.168.34.0 255.255.254.0
object network 10000
 subnet 10.0.0.0 255.255.255.0
object network 19216800
 subnet 192.168.0.0 255.255.254.0
object-group network DM_INLINE_NETWORK_4
 network-object object 10000
 network-object object 19216800
crypto map OUTSIDE1_map 22 match address OUTSIDE1_cryptomap_21
crypto map OUTSIDE1_map 22 set pfs
crypto map OUTSIDE1_map 22 set peer X.X.20.138
crypto map OUTSIDE1_map 22 set ikev1 transform-set ESP-DES-MD5
tunnel-group X.X.20.138 type ipsec-l2l
tunnel-group X.X.20.138 general-attributes
 default-group-policy GroupPolicy_X.X.20.138
tunnel-group X.X.20.138 ipsec-attributes
 ikev1 pre-shared-key *****
 isakmp keepalive disable
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
group-policy GroupPolicy_X.X.20.138 internal
group-policy GroupPolicy_X.X.20.138 attributes
 vpn-tunnel-protocol ikev1


TMG configuration:

Local Tunnel Endpoint: X.X.20.138
Remote Tunnel Endpoint: X.X.147.246
IKE Phase I Parameters:
    Mode: Main mode
    Encryption: DES
    Integrity: MD5
    Diffie-Hellman group: Group 2 (1024 bit)
    Authentication Method: Pre-shared secret
    Security Association Lifetime: 86400 seconds
IKE Phase II Parameters:
    Mode: ESP tunnel mode
    Encryption: DES
    Integrity: MD5
    Perfect Forward Secrecy: ON.
    Diffie-Hellman group: Group 2 (1024 bit)
    Time Rekeying: ON
    Security Association Lifetime: 28800 seconds
    Kbyte Rekeying: ON
    Rekey After Sending: 4608000 Kbytes
Remote Network '' IP Subnets:
    Subnet = 10.0.0.0/255.255.255.0
    Subnet = 192.168.0.0/255.255.254.0
Local Network 'Internal' IP Subnets:
    Subnet = 192.168.34.0/255.255.254.0
Routable Local IP Addresses:
    Subnet = 192.168.34.0/255.255.254.0


What could cause the problem?
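Added example, not from the post or from Cisco: a small Python triage helper that parses the remote and local proxy identities out of the 713061 message quoted above and checks whether any crypto ACL entry covers them, flagging the case where the remote proxy is the peer's own tunnel endpoint rather than a protected subnet. The post does not show the ACL OUTSIDE1_cryptomap_21, so its contents are assumed from the objects the post does show, and the masked peer address X.X.20.138 is replaced by a constructed placeholder.

```python
import ipaddress
import re

# Constructed stand-in for the masked peer address X.X.20.138 in the post.
PEER = "203.0.113.138"
# Constructed sample: the post's 713061 message with the peer address substituted.
SAMPLE_LINE = (f"713061 Group = {PEER}, IP = {PEER}, Rejecting IPSec tunnel: no matching crypto map entry "
               f"for remote proxy {PEER}/255.255.255.255/0/0 local proxy 10.0.0.0/255.255.255.0/0/0 on interface OUTSIDE1")

# Assumed contents of OUTSIDE1_cryptomap_21 (not in the post), as (local network behind the ASA,
# remote network behind the peer) pairs built from the objects the post does show.
CRYPTO_ACL = [
    (ipaddress.ip_network("10.0.0.0/24"), ipaddress.ip_network("192.168.34.0/23")),
    (ipaddress.ip_network("192.168.0.0/23"), ipaddress.ip_network("192.168.34.0/23")),
]

# The ASA prints each proxy identity as address/mask/protocol/port.
MSG_RE = re.compile(r"IP = (?P<peer>[\d.]+),.*remote proxy (?P<raddr>[\d.]+)/(?P<rmask>[\d.]+)/\d+/\d+ "
                    r"local proxy (?P<laddr>[\d.]+)/(?P<lmask>[\d.]+)/\d+/\d+")

def parse_proxies(line):
    """Return (peer_ip, remote_proxy, local_proxy) from a 713061 line, or None if it is not one."""
    m = MSG_RE.search(line)
    if not m:
        return None
    remote = ipaddress.ip_network(f"{m['raddr']}/{m['rmask']}", strict=False)
    local = ipaddress.ip_network(f"{m['laddr']}/{m['lmask']}", strict=False)
    return ipaddress.ip_address(m["peer"]), remote, local

def covering_entry(remote, local, acl=CRYPTO_ACL):
    """First ACL entry whose networks contain both proposed proxies, else None."""
    for local_net, remote_net in acl:
        if local.subnet_of(local_net) and remote.subnet_of(remote_net):
            return local_net, remote_net
    return None

def verdict(line, acl=CRYPTO_ACL):
    """Explain one 713061 line: which ACL entry covers the proxies, or why none does."""
    parsed = parse_proxies(line)
    if parsed is None:
        return None
    peer, remote, local = parsed
    entry = covering_entry(remote, local, acl)
    if entry is not None:
        return f"{remote} <-> {local}: covered by {entry[1]} <-> {entry[0]}"
    if remote.num_addresses == 1 and remote.network_address == peer:
        # The peer offered its own tunnel endpoint rather than a protected subnet.
        return f"{remote} <-> {local}: remote proxy is the peer endpoint itself, no ACL entry covers it"
    return f"{remote} <-> {local}: no ACL entry covers this pair"
```

Run `verdict(line)` over each 713061 line pulled from the ASA syslog; a non-None result tells you which proxy pair the peer proposed and whether the configured crypto ACL could ever have matched it.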


Ivan Kurguzov
Level 1

Up