04-13-2016 03:41 PM - edited 02-21-2020 08:46 PM
Hi,
L2L tunnel is not coming up.
Only phase 1 comes up.
Below are logs from the ASA, which is the initiator.
Peer IP 173.182.112.167
debug crypto ikev1 7
debug crypto ikev1 7
remote-video-vpn-asa# Apr 13 14:47:32 [IKEv1 DEBUG]Pitcher: received a key acquire message, spi 0x0
Apr 13 14:47:32 [IKEv1]NAT-T disabled in crypto map Outside_map0 6.
Apr 13 14:47:32 [IKEv1]IP = 173.182.112.167, IKE Initiator: New Phase 1, Intf Inside, IKE Peer 173.182.112.167 local Proxy Address 0.0.0.0, remote Proxy Address 10.70.130.0, Crypto map (Outside_map0)
Apr 13 14:47:32 [IKEv1 DEBUG]IP = 173.182.112.167, constructing ISAKMP SA payload
Apr 13 14:47:32 [IKEv1 DEBUG]IP = 173.182.112.167, constructing Fragmentation VID + extended capabilities payload
Apr 13 14:47:32 [IKEv1]IP = 173.182.112.167, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 224
Apr 13 14:47:33 [IKEv1]IKE Receiver: Packet received on 192.41.x.x:500 from 173.182.112.167:500
Apr 13 14:47:33 [IKEv1]IP = 173.182.112.167, Received encrypted packet with no matching SA, dropping
Apr 13 14:47:33 [IKEv1]IKE Receiver: Packet received on 192.41.x.x:500 from 173.182.112.167:500
Apr 13 14:47:33 [IKEv1]IP = 173.182.112.167, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 124
Apr 13 14:47:33 [IKEv1 DEBUG]IP = 173.182.112.167, processing SA payload
Apr 13 14:47:33 [IKEv1 DEBUG]IP = 173.182.112.167, Oakley proposal is acceptable
Apr 13 14:47:33 [IKEv1 DEBUG]IP = 173.182.112.167, processing VID payload
Apr 13 14:47:33 [IKEv1 DEBUG]IP = 173.182.112.167, processing VID payload
Apr 13 14:47:33 [IKEv1 DEBUG]IP = 173.182.112.167, Received DPD VID
Apr 13 14:47:33 [IKEv1 DEBUG]IP = 173.182.112.167, constructing ke payload
Apr 13 14:47:33 [IKEv1 DEBUG]IP = 173.182.112.167, constructing nonce payload
Apr 13 14:47:33 [IKEv1 DEBUG]IP = 173.182.112.167, constructing Cisco Unity VID payload
Apr 13 14:47:33 [IKEv1 DEBUG]IP = 173.182.112.167, constructing xauth V6 VID payload
Apr 13 14:47:33 [IKEv1 DEBUG]IP = 173.182.112.167, Send IOS VID
Apr 13 14:47:33 [IKEv1 DEBUG]IP = 173.182.112.167, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Apr 13 14:47:33 [IKEv1 DEBUG]IP = 173.182.112.167, constructing VID payload
Apr 13 14:47:33 [IKEv1 DEBUG]IP = 173.182.112.167, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Apr 13 14:47:33 [IKEv1]IP = 173.182.112.167, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 320
Apr 13 14:47:34 [IKEv1]IKE Receiver: Packet received on 192.41.x.x:500 from 173.182.112.167:500
Apr 13 14:47:34 [IKEv1]IP = 173.182.112.167, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NONE (0) total length : 244
Apr 13 14:47:34 [IKEv1 DEBUG]IP = 173.182.112.167, processing ke payload
Apr 13 14:47:34 [IKEv1 DEBUG]IP = 173.182.112.167, processing ISA_KE payload
Apr 13 14:47:34 [IKEv1 DEBUG]IP = 173.182.112.167, processing nonce payload
Apr 13 14:47:34 [IKEv1]IP = 173.182.112.167, Connection landed on tunnel_group 173.182.112.167
Apr 13 14:47:34 [IKEv1 DEBUG]Group = 173.182.112.167, IP = 173.182.112.167, Generating keys for Initiator...
Apr 13 14:47:34 [IKEv1 DEBUG]Group = 173.182.112.167, IP = 173.182.112.167, constructing ID payload
Apr 13 14:47:34 [IKEv1 DEBUG]Group = 173.182.112.167, IP = 173.182.112.167, constructing hash payload
Apr 13 14:47:34 [IKEv1 DEBUG]Group = 173.182.112.167, IP = 173.182.112.167, Computing hash for ISAKMP
Apr 13 14:47:34 [IKEv1 DEBUG]Group = 173.182.112.167, IP = 173.182.112.167, constructing dpd vid payload
Apr 13 14:47:34 [IKEv1]IP = 173.182.112.167, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + VENDOR (13) + NONE (0) total length : 84
Apr 13 14:47:34 [IKEv1]IKE Receiver: Packet received on 192.41.x.x:500 from 173.182.112.167:500
Apr 13 14:47:34 [IKEv1]IP = 173.182.112.167, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 64
Apr 13 14:47:34 [IKEv1 DEBUG]Group = 173.182.112.167, IP = 173.182.112.167, processing ID payload
Apr 13 14:47:34 [IKEv1 DEBUG]Group = 173.182.112.167, IP = 173.182.112.167, processing hash payload
Apr 13 14:47:34 [IKEv1 DEBUG]Group = 173.182.112.167, IP = 173.182.112.167, Computing hash for ISAKMP
Apr 13 14:47:34 [IKEv1]IP = 173.182.112.167, Connection landed on tunnel_group 173.182.112.167
Apr 13 14:47:34 [IKEv1 DEBUG]Group = 173.182.112.167, IP = 173.182.112.167, Oakley begin quick mode
Apr 13 14:47:34 [IKEv1]Group = 173.182.112.167, IP = 173.182.112.167, PHASE 1 COMPLETED
Apr 13 14:47:34 [IKEv1]IP = 173.182.112.167, Keep-alive type for this connection: DPD
Apr 13 14:47:34 [IKEv1 DEBUG]Group = 173.182.112.167, IP = 173.182.112.167, Starting P1 rekey timer: 64800 seconds.
Apr 13 14:47:34 [IKEv1]Group = 173.182.112.167, IP = 173.182.112.167, Add to IKEv1 Tunnel Table succeeded for SA with logical ID 124235776
Apr 13 14:47:34 [IKEv1]Group = 173.182.112.167, IP = 173.182.112.167, Add to IKEv1 MIB Table succeeded for SA with logical ID 124235776
Apr 13 14:47:34 [IKEv1 DEBUG]Group = 173.182.112.167, IP = 173.182.112.167, IKE got SPI from key engine: SPI = 0x7c69b6b2
Apr 13 14:47:34 [IKEv1 DEBUG]Group = 173.182.112.167, IP = 173.182.112.167, IKE got SPI from key engine: SPI = 0x48be9caf
Apr 13 14:47:34 [IKEv1 DEBUG]Group = 173.182.112.167, IP = 173.182.112.167, IKE got SPI from key engine: SPI = 0x1f7e33f8
Apr 13 14:47:34 [IKEv1 DEBUG]Group = 173.182.112.167, IP = 173.182.112.167, IKE got SPI from key engine: SPI = 0x41ae2883
Apr 13 14:47:34 [IKEv1 DEBUG]Group = 173.182.112.167, IP = 173.182.112.167, oakley constucting quick mode
Apr 13 14:47:34 [IKEv1 DEBUG]Group = 173.182.112.167, IP = 173.182.112.167, constructing blank hash payload
Apr 13 14:47:34 [IKEv1 DEBUG]Group = 173.182.112.167, IP = 173.182.112.167, constructing IPSec SA payload
Apr 13 14:47:34 [IKEv1 DEBUG]Group = 173.182.112.167, IP = 173.182.112.167, constructing IPSec nonce payload
Apr 13 14:47:34 [IKEv1 DEBUG]Group = 173.182.112.167, IP = 173.182.112.167, constructing proxy ID
Apr 13 14:47:34 [IKEv1 DEBUG]Group = 173.182.112.167, IP = 173.182.112.167, Transmitting Proxy Id:
Local subnet: 0.0.0.0 mask 0.0.0.0 Protocol 0 Port 0
Remote subnet: 10.70.130.0 Mask 255.255.255.0 Protocol 0 Port 0
Apr 13 14:47:34 [IKEv1 DEBUG]Group = 173.182.112.167, IP = 173.182.112.167, constructing qm hash payload
Apr 13 14:47:34 [IKEv1]IP = 173.182.112.167, IKE_DECODE SENDING Message (msgid=c7e187fd) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 340
Apr 13 14:47:34 [IKEv1]IP = 173.182.26.211, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 224
Apr 13 14:47:35 [IKEv1]IKE Receiver: Packet received on 192.41.x.x:500 from 173.182.112.167:500
Apr 13 14:47:35 [IKEv1]IP = 173.182.112.167, IKE_DECODE RECEIVED Message (msgid=4c854de3) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 64
Apr 13 14:47:35 [IKEv1 DEBUG]Group = 173.182.112.167, IP = 173.182.112.167, processing hash payload
Apr 13 14:47:35 [IKEv1 DEBUG]Group = 173.182.112.167, IP = 173.182.112.167, processing notify payload
Apr 13 14:47:35 [IKEv1]Group = 173.182.112.167, IP = 173.182.112.167, Received non-routine Notify message: No proposal chosen (14)
Apr 13 14:47:36 [IKEv1]IKE Receiver: Packet received on 192.41.x.x:500 from 173.182.112.167:500
Apr 13 14:47:36 [IKEv1]IP = 173.182.112.167, Received encrypted packet with no matching SA, dropping
Apr 13 14:47:36 [IKEv1]IP = 173.182.30.56, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 224
Apr 13 14:47:37 [IKEv1]IP = 173.182.112.168, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 224
Apr 13 14:47:38 [IKEv1]IKE Receiver: Packet received on 192.41.x.x:500 from 173.182.112.167:500
Apr 13 14:47:38 [IKEv1]IP = 173.182.112.167, IKE_DECODE RECEIVED Message (msgid=1aef4589) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 156
Apr 13 14:47:38 [IKEv1 DEBUG]Group = 173.182.112.167, IP = 173.182.112.167, processing hash payload
Apr 13 14:47:38 [IKEv1 DEBUG]Group = 173.182.112.167, IP = 173.182.112.167, processing SA payload
Apr 13 14:47:38 [IKEv1 DEBUG]Group = 173.182.112.167, IP = 173.182.112.167, processing nonce payload
Apr 13 14:47:38 [IKEv1 DEBUG]Group = 173.182.112.167, IP = 173.182.112.167, processing ID payload
Apr 13 14:47:38 [IKEv1]Group = 173.182.112.167, IP = 173.182.112.167, Received remote IP Proxy Subnet data in ID Payload: Address 10.70.130.0, Mask 255.255.255.0, Protocol 0, Port 0
Apr 13 14:47:38 [IKEv1 DEBUG]Group = 173.182.112.167, IP = 173.182.112.167, processing ID payload
Apr 13 14:47:38 [IKEv1]Group = 173.182.112.167, IP = 173.182.112.167, Received local IP Proxy Subnet data in ID Payload: Address 0.0.0.0, Mask 0.0.0.0, Protocol 0, Port 0
Apr 13 14:47:38 [IKEv1]Group = 173.182.112.167, IP = 173.182.112.167, Static Crypto Map check, checking map = Outside_map0, seq = 1...
Apr 13 14:47:38 [IKEv1]Group = 173.182.112.167, IP = 173.182.112.167, Static Crypto Map check, map = Outside_map0, seq = 1, ACL does not match proxy IDs src:10.70.130.0 dst:0.0.0.0
Apr 13 14:47:38 [IKEv1]Group = 173.182.112.167, IP = 173.182.112.167, Static Crypto Map check, checking map = Outside_map0, seq = 2...
Apr 13 14:47:38 [IKEv1]Group = 173.182.112.167, IP = 173.182.112.167, Static Crypto Map check, map = Outside_map0, seq = 2, ACL does not match proxy IDs src:10.70.130.0 dst:0.0.0.0
Apr 13 14:47:38 [IKEv1]Group = 173.182.112.167, IP = 173.182.112.167, Static Crypto Map check, checking map = Outside_map0, seq = 3...
Apr 13 14:47:38 [IKEv1]Group = 173.182.112.167, IP = 173.182.112.167, Static Crypto Map check, map = Outside_map0, seq = 3, ACL does not match proxy IDs src:10.70.130.0 dst:0.0.0.0
Apr 13 14:47:38 [IKEv1]Group = 173.182.112.167, IP = 173.182.112.167, Static Crypto Map check, checking map = Outside_map0, seq = 4...
Apr 13 14:47:38 [IKEv1]Group = 173.182.112.167, IP = 173.182.112.167, Static Crypto Map check, map = Outside_map0, seq = 4, ACL does not match proxy IDs src:10.70.130.0 dst:0.0.0.0
Apr 13 14:47:38 [IKEv1]Group = 173.182.112.167, IP = 173.182.112.167, Static Crypto Map check, checking map = Outside_map0, seq = 5...
Apr 13 14:47:38 [IKEv1]Group = 173.182.112.167, IP = 173.182.112.167, Static Crypto Map check, map = Outside_map0, seq = 5, ACL does not match proxy IDs src:10.70.130.0 dst:0.0.0.0
Apr 13 14:47:38 [IKEv1]Group = 173.182.112.167, IP = 173.182.112.167, Static Crypto Map check, checking map = Outside_map0, seq = 6...
Apr 13 14:47:38 [IKEv1]Group = 173.182.112.167, IP = 173.182.112.167, Static Crypto Map check, map Outside_map0, seq = 6 is a successful match
Apr 13 14:47:38 [IKEv1]Group = 173.182.112.167, IP = 173.182.112.167, IKE Remote Peer configured for crypto map: Outside_map0
Apr 13 14:47:38 [IKEv1 DEBUG]Group = 173.182.112.167, IP = 173.182.112.167, processing IPSec SA payload
Apr 13 14:47:38 [IKEv1]Group = 173.182.112.167, IP = 173.182.112.167, All IPSec SA proposals found unacceptable!
Apr 13 14:47:38 [IKEv1 DEBUG]Group = 173.182.112.167, IP = 173.182.112.167, sending notify message
Apr 13 14:47:38 [IKEv1 DEBUG]Group = 173.182.112.167, IP = 173.182.112.167, constructing blank hash payload
Apr 13 14:47:38 [IKEv1 DEBUG]Group = 173.182.112.167, IP = 173.182.112.167, constructing ipsec notify payload for msg id 1aef4589
Apr 13 14:47:38 [IKEv1 DEBUG]Group = 173.182.112.167, IP = 173.182.112.167, constructing qm hash payload
Apr 13 14:47:38 [IKEv1]IP = 173.182.112.167, IKE_DECODE SENDING Message (msgid=cb90c912) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Apr 13 14:47:38 [IKEv1]Group = 173.182.112.167, IP = 173.182.112.167, QM FSM error (P2 struct &0x00007fffa0dc3b40, mess id 0x1aef4589)!
Apr 13 14:47:38 [IKEv1 DEBUG]Group = 173.182.112.167, IP = 173.182.112.167, IKE QM Responder FSM error history (struct &0x00007fffa0dc3b40) <state>, <event>: QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_NEGO_SA-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH
Apr 13 14:47:38 [IKEv1 DEBUG]Group = 173.182.112.167, IP = 173.182.112.167, sending delete/delete with reason message
Apr 13 14:47:38 [IKEv1 DEBUG]Group = 173.182.112.167, IP = 173.182.112.167, sending delete/delete with reason message
Apr 13 14:47:38 [IKEv1 DEBUG]Group = 173.182.112.167, IP = 173.182.112.167, constructing blank hash payload
Apr 13 14:47:38 [IKEv1 DEBUG]Group = 173.182.112.167, IP = 173.182.112.167, constructing IPSec delete payload
Apr 13 14:47:38 [IKEv1 DEBUG]Group = 173.182.112.167, IP = 173.182.112.167, constructing qm hash payload
Apr 13 14:47:38 [IKEv1]IP = 173.182.112.167, IKE_DECODE SENDING Message (msgid=8f0cf3ac) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 68
Apr 13 14:47:38 [IKEv1]Group = 173.182.112.167, IP = 173.182.112.167, Removing peer from correlator table failed, no match!
Apr 13 14:47:38 [IKEv1 DEBUG]Group = 173.182.112.167, IP = 173.182.112.167, IKE Deleting SA: Remote Proxy 10.70.130.0, Local Proxy 0.0.0.0
Apr 13 14:47:38 [IKEv1 DEBUG]Group = 173.182.112.167, IP = 173.182.112.167, IKE Deleting SA: Remote Proxy 10.70.130.0, Local Proxy 0.0.0.0
Apr 13 14:47:38 [IKEv1 DEBUG]Group = 173.182.112.167, IP = 173.182.112.167, IKE Deleting SA: Remote Proxy 10.70.130.0, Local Proxy 0.0.0.0
Apr 13 14:47:38 [IKEv1 DEBUG]Group = 173.182.112.167, IP = 173.182.112.167, IKE Deleting SA: Remote Proxy 10.70.130.0, Local Proxy 0.0.0.0
Apr 13 14:47:38 [IKEv1 DEBUG]Group = 173.182.112.167, IP = 173.182.112.167, IKE SA MM:2662f860 rcv'd Terminate: state MM_ACTIVE flags 0x00000062, refcnt 1, tuncnt 0
Apr 13 14:47:38 [IKEv1]Group = 173.182.112.167, IP = 173.182.112.167, Remove from IKEv1 Tunnel Table succeeded for SA with logicalId 124235776
Apr 13 14:47:38 [IKEv1]Group = 173.182.112.167, IP = 173.182.112.167, Remove from IKEv1 MIB Table succeeded for SA with logical ID 124235776
Apr 13 14:47:38 [IKEv1 DEBUG]Group = 173.182.112.167, IP = 173.182.112.167, IKE SA MM:2662f860 terminating: flags 0x01000022, refcnt 0, tuncnt 0
Apr 13 14:47:38 [IKEv1 DEBUG]Group = 173.182.112.167, IP = 173.182.112.167, sending delete/delete with reason message
Apr 13 14:47:38 [IKEv1 DEBUG]Group = 173.182.112.167, IP = 173.182.112.167, constructing blank hash payload
Apr 13 14:47:38 [IKEv1 DEBUG]Group = 173.182.112.167, IP = 173.182.112.167, constructing IKE delete payload
Apr 13 14:47:38 [IKEv1 DEBUG]Group = 173.182.112.167, IP = 173.182.112.167, constructing qm hash payload
Apr 13 14:47:38 [IKEv1]IP = 173.182.112.167, IKE_DECODE SENDING Message (msgid=44f90172) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
Apr 13 14:47:38 [IKEv1 DEBUG]Pitcher: received key delete msg, spi 0x41ae2883
Apr 13 14:47:38 [IKEv1 DEBUG]Pitcher: received key delete msg, spi 0x41ae2883
Apr 13 14:47:38 [IKEv1 DEBUG]Pitcher: received key delete msg, spi 0x41ae2883
Apr 13 14:47:38 [IKEv1 DEBUG]Pitcher: received key delete msg, spi 0x41ae2883
Apr 13 14:47:38 [IKEv1]Group = 173.182.112.167, IP = 173.182.112.167, Session is being torn down. Reason: Phase 2 Mismatch
Apr 13 14:47:38 [IKEv1]Ignoring msg to mark SA with dsID 124235776 dead because SA deleted
Regards
Mahesh
04-13-2016 09:39 PM
Hi Mahesh,
As per the debug logs we are getting:
Apr 13 14:47:38 [IKEv1]Group = 173.182.112.167, IP = 173.182.112.167, QM FSM error (P2 struct &0x00007fffa0dc3b40, mess id 0x1aef4589)!
QM FSM error is due to Phase 2 parameters mismatch.
Check the crypto ACL and the phase 2 transform set.
Regards,
Aditya
Please rate helpful posts and mark correct answers.
04-14-2016 12:34 PM
PFS is not used.
How can I check NAT?
Regards
Mahesh
04-14-2016 12:43 PM
Can you post the local and remote crypto configuration?
All we can say is the configs don't match.
04-14-2016 01:26 PM
I have access to the local end only.
crypto map Outside_map0 6 set ikev1 transform-set ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5 ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-MD5
show run | include transform-set
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
Regards
Mahesh
04-14-2016 01:35 PM
This doesn't show the encryption domain.
Can you ask the remote end what settings they are using?
04-14-2016 02:31 PM
How can I check the encryption domain?
04-14-2016 02:55 PM
Only one way: you have to ask them what they have configured.
04-14-2016 04:43 PM
Hi Mahesh,
Encryption domain would be the crypto ACL configured on the device.
Make sure we have a mirror replica of the ACL on the other end.
Regards,
Aditya
Please rate helpful posts and mark correct answers.
04-18-2016 10:43 AM
Hi Aditya,
Thanks for explaining that to me.
I will visit the remote site and check the config of it.
Regards
Mahesh
04-14-2016 02:55 PM
Like you said, phase 2 mismatch. Either the crypto algorithms are not identical on both sides, or the encryption domain is not the same.