IPSec Tunnel with Juniper Netscreen

ole-coot56
Level 1

Hello all,

I'm having an issue bringing L2L tunnels up between my ASA 5510 and an ISP's Netscreens. I can establish the tunnels from my side by initiating traffic to the far end. The tunnels come up and stay up as long as there is traffic. Once the tunnels drop, they will not re-establish with inbound traffic. The only way to re-establish the tunnel is to send traffic outbound from our network. My ASAs are on ASA Version 7.0(8) in active/standby.

Here is my config as it pertains to the problem tunnels:

access-list 120 extended permit ip MY_IP_ADDRESS_NET_NUMBER 255.255.255.0 ISP_ADDRESS_1_NET 255.255.255.224
access-list 121 extended permit ip MY_IP_ADDRESS_NET_NUMBER 255.255.255.0 ISP_ADDRESS_2_NET 255.255.255.224
access-list 122 extended permit ip MY_IP_ADDRESS_NET_NUMBER 255.255.255.0 ISP_ADDRESS_3_NET 255.255.255.224
access-list 123 extended permit ip MY_IP_ADDRESS_NET_NUMBER 255.255.255.0 ISP_ADDRESS_4_NET 255.255.255.224
access-list 124 extended permit ip MY_IP_ADDRESS_NET_NUMBER 255.255.255.0 ISP_ADDRESS_5_NET 255.255.255.224
crypto ipsec transform-set ABC esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map TUNNEL 3 set peer ISP_ADDRESS_1
crypto map TUNNEL 3 set transform-set ABC
crypto map TUNNEL 3 set security-association lifetime seconds 28800
crypto map TUNNEL 3 set security-association lifetime kilobytes 4608000
crypto map TUNNEL 4 match address 121
crypto map TUNNEL 4 set pfs
crypto map TUNNEL 4 set peer ISP_ADDRESS_2
crypto map TUNNEL 4 set transform-set ABC
crypto map TUNNEL 4 set security-association lifetime seconds 28800
crypto map TUNNEL 4 set security-association lifetime kilobytes 4608000
crypto map TUNNEL 5 match address 122
crypto map TUNNEL 5 set pfs
crypto map TUNNEL 5 set peer ISP_ADDRESS_3
crypto map TUNNEL 5 set transform-set ABC
crypto map TUNNEL 5 set security-association lifetime seconds 28800
crypto map TUNNEL 5 set security-association lifetime kilobytes 4608000
crypto map TUNNEL 6 match address 123
crypto map TUNNEL 6 set pfs
crypto map TUNNEL 6 set peer ISP_ADDRESS_4
crypto map TUNNEL 6 set transform-set ABC
crypto map TUNNEL 6 set security-association lifetime seconds 28800
crypto map TUNNEL 6 set security-association lifetime kilobytes 4608000
crypto map TUNNEL 7 match address 124
crypto map TUNNEL 7 set pfs
crypto map TUNNEL 7 set peer ISP_ADDRESS_5
crypto map TUNNEL 7 set transform-set ABC
crypto map TUNNEL 7 set security-association lifetime seconds 28800
crypto map TUNNEL 7 set security-association lifetime kilobytes 4608000
crypto map TUNNEL interface outside
isakmp identity address
isakmp enable outside
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
isakmp policy 2 authentication pre-share
isakmp policy 2 encryption 3des
isakmp policy 2 hash md5
isakmp policy 2 group 2
isakmp policy 2 lifetime 86400
tunnel-group ISP_ADDRESS_1 type ipsec-l2l
tunnel-group ISP_ADDRESS_1 ipsec-attributes
 pre-shared-key 123456
tunnel-group ISP_ADDRESS_2 type ipsec-l2l
tunnel-group ISP_ADDRESS_2 ipsec-attributes
 pre-shared-key 123456
tunnel-group ISP_ADDRESS_3 type ipsec-l2l
tunnel-group ISP_ADDRESS_3 ipsec-attributes
 pre-shared-key 123456
tunnel-group ISP_ADDRESS_4 type ipsec-l2l
tunnel-group ISP_ADDRESS_4 ipsec-attributes
 pre-shared-key 123456
tunnel-group ISP_ADDRESS_5 type ipsec-l2l
tunnel-group ISP_ADDRESS_5 ipsec-attributes
 pre-shared-key 123456

As stated, the tunnels work as expected with outbound traffic and, once established, traffic flows in each direction. Once the tunnels come down, they will not re-establish with inbound-only traffic. The traffic has to come from me to the ISP to get the tunnels back up. Unfortunately, since I don't own the equipment on the other end, I cannot provide that configuration other than that it is Netscreen gear.

I do have a debug of a failed attempt to bring up the tunnel. Looks like Phase 1 passes fine but Phase 2 fails.

## 2011-04-22 14:17:37 : IKE<My_ASA_Outside_Address> clear auto sa sent: 1808
## 2011-04-22 14:17:37 : IKE<My_ASA_Outside_Address> clear sa recv: 1808
## 2011-04-22 14:17:37 : IKE<My_ASA_Outside_Address> deactive p2 sa 1808 send_delete 1
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> clear auto sa sent: 1808
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> clear sa recv: 1808
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> deactive p2 sa 1808 send_delete 1
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> ****** Recv kernel msg IDX-1808, TYPE-5 ******
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> ****** Recv kernel msg IDX-1808, TYPE-5 ******
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> sa orig index<1808>, peer_id<1665>.
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> isadb_get_entry_by_peer_and_local_if_port_p2sa isadb get entry by peer/local ip and port
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address>   create sa: ISP_PEER_1->My_ASA_Outside_Address
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> Construct ISAKMP header.
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> Msg header built (next payload #1)
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> Construct [SA] for ISAKMP
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> auth(1)<PRESHRD>, encr(5)<3DES>, hash(1)<MD5>, group(2)
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> xauth attribute: disabled
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> lifetime/lifesize (28800/0)
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> Construct NetScreen [VID]
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> Construct custom [VID]
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> Construct custom [VID]
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address   > Xmit : [SA] [VID] [VID] [VID]
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> Initiator sending IPv4 IP My_ASA_Outside_Address/port 500
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> Send Phase 1 packet (len=156)
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> Phase 2 task added
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> ike packet, len 132, action 0
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> Catcher: received 104 bytes from socket.
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> ****** Recv packet if <redundant1.1:1> of vsys <Root> ******
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> Catcher: get 104 bytes. src port 500
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address   > Recv : [SA] [VID]
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> MM in state OAK_MM_NO_STATE.
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> Process [VID]:
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address   >   Vendor ID:
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> receive unknown vendor ID payload
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> Process [SA]:
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> Proposal received: xauthflag 70
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> auth(1)<PRESHRD>, encr(5)<3DES>, hash(1)<MD5>, group(2)
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> xauth attribute: disabled
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> Phase 1 proposal [0] selected.
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> SA Life Type = seconds
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> SA lifetime (TV) = 28800
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> DH_BG_consume OK. p1 resp
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> Phase 1 MM Initiator constructing 3rd message.
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> Construct ISAKMP header.
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> Msg header built (next payload #4)
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> Construct [KE] for ISAKMP
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> Construct [NONCE]
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address   > Xmit : [KE] [NONCE]
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> Initiator sending IPv4 IP My_ASA_Outside_Address/port 500
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> Send Phase 1 packet (len=184)
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> IKE msg done: PKI state<0> IKE state<1/0007>
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> ike packet, len 284, action 0
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> Catcher: received 256 bytes from socket.
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> ****** Recv packet if <redundant1.1:1> of vsys <Root> ******
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> Catcher: get 256 bytes. src port 500
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address   > Recv : [KE] [NONCE] [VID] [VID] [VID] [VID]
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> MM in state OAK_MM_SA_SETUP.
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> Process [VID]:
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address   >   Vendor ID:
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> rcv non-NAT-Traversal VID payload.
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> Process [VID]:
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address   >   Vendor ID:
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> rcv XAUTH v6.0 vid
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> Process [VID]:
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address   >   Vendor ID:
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> rcv non-NAT-Traversal VID payload.
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> Process [VID]:
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address   >   Vendor ID:
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> rcv non-NAT-Traversal VID payload.
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> Process [KE]:
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> processing ISA_KE in phase 1.
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> Process [NONCE]:
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> processing NONCE in phase 1.
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> IKE msg done: PKI state<0> IKE state<1/a00080f>
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> gen_skeyid()
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> gen_skeyid: returning 0
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> MM in state OAK_MM_SA_SETUP.
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> re-enter MM after offline DH done
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> Phase 1 MM Initiator constructing 5th message.
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> Construct ISAKMP header.
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> Msg header built (next payload #5)
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> Construct [ID] for ISAKMP
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> Construct [HASH]
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> ID, len=8, type=1, pro=17, port=500,
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> addr=ISP_PEER_1
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> throw packet to the peer, paket_len=60
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address   > Xmit*: [ID] [HASH]
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> Encrypt P1 payload (len 60)
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> Initiator sending IPv4 IP My_ASA_Outside_Address/port 500
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> Send Phase 1 packet (len=68)
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> ike packet, len 112, action 0
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> Catcher: received 84 bytes from socket.
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> ****** Recv packet if <redundant1.1:1> of vsys <Root> ******
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> Catcher: get 84 bytes. src port 500
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> Decrypting payload (length 56)
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address   > Recv*: [ID] [HASH] [VID]
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> MM in state OAK_MM_KEY_EXCH.
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> Process [VID]:
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address   >   Vendor ID:
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> Process [ID]:
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> ID received: type=ID_IPV4_ADDR, ip = My_ASA_Outside_Address, port=500, protocol=17
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> peer gateway entry has no peer id configured
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> ID processed. return 0. sa->p1_state = 2.
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> Process [HASH]:
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> ID, len=8, type=1, pro=17, port=500,
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> addr=My_ASA_Outside_Address
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> completing Phase 1
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> sa_pidt = 30ed4fc0
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> found existing peer identity 30ed1cb0
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> peer_identity_unregister_p1_sa.
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> peer_idt.c peer_identity_unregister_p1_sa 668: pidt deleted.
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> Phase 1: Completed Main mode negotiation with a <28800>-second lifetime.
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> Phase 2: Initiated Quick Mode negotiation.
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> Phase-2: start quick mode negotiation
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> Phase-2: no tunnel interface binding for Modecfg IPv4 address.
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> Create conn entry...
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address>   ...done(new a9db2f0b)
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> Initiator not set commit bit on 1st QM.
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> DH_BG_consume OK. p2 init
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> 0,0/0(0)/spi(1282a2c0)/keylen(0)
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> Construct ISAKMP header.
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> Msg header built (next payload #8)
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> Construct [HASH]
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> Construct [SA] for IPSEC
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> Set IPSEC SA attrs: lifetime(3600/0)
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> atts<00000003 00000000 00000003 00000001 00000001 00000002>
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> proto(3)<ESP>, esp(3)<ESP_3DES>, auth(1)<MD5>, encap(1)<TUNNEL>, group(2)
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> Before NAT-T attr unmap: private tunnel = 1.
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> After NAT-T attr unmap: private tunnel = 1.
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> Policy have separate SA. Use P2 ID from policy sa (67111436).
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> Initiator P2 ID built: r.x.
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> Responder P2 ID built: r.x.
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> Construct [NONCE] for IPSec
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> Construct [KE] for PFS
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> Construct [ID] for Phase 2
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> Construct [ID] for Phase 2
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> construct QM HASH
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address   > Xmit*: [HASH] [SA] [NONCE] [KE] [ID] [ID]
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> Encrypt P2 payload (len 292)
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> Initiator sending IPv4 IP My_ASA_Outside_Address/port 500
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> Send Phase 2 packet (len=300)
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> IKE msg done: PKI state<0> IKE state<3/80182f>
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> ike packet, len 112, action 0
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> Catcher: received 84 bytes from socket.
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> ****** Recv packet if <redundant1.1:1> of vsys <Root> ******
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> Catcher: get 84 bytes. src port 500
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> Create conn entry...
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address>   ...done(new 2eb8ac3f)
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> Decrypting payload (length 56)
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address   > Recv*: [HASH] [NOTIF]
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> Process [NOTIF]:
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> Received notify message for DOI <1> <14> <NO-PROPOSAL-CHOSEN>.
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> WARN, Invalid spi sixe in notify message, 1
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> notify message for protocol 3 dropped, mess_id<2eb8ac3f>.
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address>   Delete conn entry...
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address>  ...found conn entry(2eb8ac3f)
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> IKE msg done: PKI state<0> IKE state<3/80182f>
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> ike packet, len 104, action 0
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> Catcher: received 76 bytes from socket.
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> ****** Recv packet if <redundant1.1:1> of vsys <Root> ******
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> Catcher: get 76 bytes. src port 500
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> Create conn entry...
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address>   ...done(new 286e0812)
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> Decrypting payload (length 48)
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address   > Recv*: [HASH] [DELETE]
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> Process [DELETE]:
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> DELETE payload received, deleting Phase-1 SA
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address>   Delete conn entry...
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address>  ...found conn entry(286e0812)
## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> IKE msg done: PKI state<0> IKE state<3/80182f>
## 2011-04-22 14:17:47 : IKE<My_ASA_Outside_Address> phase-2 packet re-trans timer expired.
## 2011-04-22 14:17:47 : IKE<My_ASA_Outside_Address> bad sa, can't send request
## 2011-04-22 14:17:51 : IKE<My_ASA_Outside_Address> phase-2 packet re-trans timer expired.
## 2011-04-22 14:17:51 : IKE<My_ASA_Outside_Address> bad sa, can't send request
## 2011-04-22 14:17:55 : IKE<My_ASA_Outside_Address> phase-2 packet re-trans timer expired.
## 2011-04-22 14:17:55 : IKE<My_ASA_Outside_Address> bad sa, can't send request

Any ideas would be appreciated.


2 Replies

Marcin Latosiewicz
Cisco Employee

Vince,

Indeed the ASA is reporting a failure to choose correct proposals:

## 2011-04-22 14:17:43 : IKE<My_ASA_Outside_Address> Received notify message for DOI <1> <14> <NO-PROPOSAL-CHOSEN>.

Juniper is sending (esp(3)<ESP_3DES>, auth(1)<MD5>, encap(1)<TUNNEL>, group(2)), which is what we have.

Get a full debug from ASA and Juniper so we can compare (both working and non-working) (haha, it's a Cisco forum after all ...).

BTW... 7.0... pre-hi-sto-ric ;-)

Marcin

Wanted to update this issue.

Updated the firmware on the ASAs to 7.2(4). I know it is outdated, but it was the only firmware I had.

Issue turned out to be the dynamic tunnel map. I changed the statement to read:

crypto map TUNNEL 100 ipsec-isakmp dynamic VPN

which put it at the end of my map statements, and voilà! Tunnels now initiate in both directions.

Thanks
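The following is an added illustration of the ordering problem behind the fix above; it is not configuration from the original poster or from Cisco. The ASA evaluates crypto map entries in sequence-number order when it is the responder. A dynamic map entry has no set peer and no crypto ACL, so any peer that reaches it matches it; placed ahead of the static L2L entries it handles the Netscreen-initiated negotiation instead of the static entry for that peer, and if its transform set does not match what the Netscreen proposes, the ASA answers NO-PROPOSAL-CHOSEN, which is the notify seen in the Netscreen debug. When the ASA initiates, the crypto ACL on the static entry selects that entry directly, which is why outbound-initiated tunnels worked. The names TUNNEL, VPN, ABC, ACL 120 and the ISP_ADDRESS_n placeholders come from the thread; sequence number 1 for the original dynamic entry and the transform set DYN-TS on the dynamic map are assumptions chosen to show the mismatch.

```cisco
! Added example, not the poster's running configuration.
! Assumed: the dynamic entry originally sat at sequence 1 and the dynamic
! map carried only an AES/SHA transform set (DYN-TS); neither is on the page.

! --- Before: dynamic entry ahead of the static L2L entries ---
crypto ipsec transform-set ABC esp-3des esp-md5-hmac
crypto ipsec transform-set DYN-TS esp-aes esp-sha-hmac
crypto dynamic-map VPN 10 set transform-set DYN-TS
crypto map TUNNEL 1 ipsec-isakmp dynamic VPN
crypto map TUNNEL 3 match address 120
crypto map TUNNEL 3 set pfs
crypto map TUNNEL 3 set peer ISP_ADDRESS_1
crypto map TUNNEL 3 set transform-set ABC
! ... entries 4 to 7 for ISP_ADDRESS_2 through ISP_ADDRESS_5 as in the post ...
crypto map TUNNEL interface outside

! With this ordering, an IKE negotiation initiated by ISP_ADDRESS_1 is
! matched by sequence 1 first (no peer, no ACL, so it matches anyone).
! Its only transform set is DYN-TS (AES/SHA), the Netscreen proposes
! 3DES/MD5, so the ASA sends NO-PROPOSAL-CHOSEN and never consults
! entry 3. An ASA-initiated negotiation matches ACL 120 and goes straight
! to entry 3, so outbound-initiated tunnels come up.

! --- After: give the dynamic entry the highest sequence number ---
no crypto map TUNNEL 1 ipsec-isakmp dynamic VPN
crypto map TUNNEL 100 ipsec-isakmp dynamic VPN

! --- Verify from the ASA ---
! Static entries must now be listed ahead of the dynamic one.
show running-config crypto map
! Phase 1 and Phase 2 state while the far end initiates; expect an
! ISAKMP SA and an IPsec SA for ISP_ADDRESS_1 without sending traffic first.
show crypto isakmp sa
show crypto ipsec sa peer ISP_ADDRESS_1
! ASA-side negotiation trace to set beside the Netscreen debug.
debug crypto isakmp 127
debug crypto ipsec 127
```

Run the verify commands after clearing the existing SAs so that the next negotiation is genuinely initiated by the Netscreen. The same rule applies to any remote-access or wildcard dynamic map on a crypto map that also carries static site-to-site entries: the dynamic entry goes last.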