02-02-2012 02:39 AM
Hi all,
I have a very perplexing issue.
Side A - ASA 5510
Side B - Cisco 891
Side B initiates connection,
Phase 1 settings
Pre-Share, AES-256, DH Grp 5, Hash - SHA, Lifetime - 28800.
Now there wasn't a IKE policy to this value on the ASA, so I added one (see screenshot).
And the remote end added / changed their phase 1 to match the default entries at the Side A (ASA) end.
But all we get on the ASDM log is the second screen shot saying about mis-match on configured policies.
Any one any ideas as to what's wrong.
Many Thanks
Stephen
Solved! Go to Solution.
02-02-2012 05:02 AM
So far if you are able to get far end site is fine.Atleast you can ask what is the other end configuration for UK tunnel.
Also based on logs DH group 5 is coming and Group 2 is configured try to change that might fix your issue.
02-02-2012 04:46 AM
Please post both end configuration.
02-02-2012 04:51 AM
Hi there,
Thanks for the interest, before I get hold of the config's. (One is a separate company and they may not give me their side of things.) I have had a thought.
The A end is in the UK, and the B end is in Auz (Sydney).
Could there be latency issues with the phase exchange, and if so, can anything be done to alter the timers ?
Thanks
Stephen
02-02-2012 05:02 AM
So far if you are able to get far end site is fine.Atleast you can ask what is the other end configuration for UK tunnel.
Also based on logs DH group 5 is coming and Group 2 is configured try to change that might fix your issue.
02-07-2012 07:48 AM
Hi there,
Believe it or not, this issue is caused by the request being sent back to the originator on the wrong port.
There were a few firewall inbetween, and one wasn't set to use NAT-T, so I'm told.
When amended all worked wonderfully well.
02-07-2012 07:52 AM
To those that read this post, I actually resolved the issue myself. See previous post.
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: