04-13-2016 03:41 PM - edited 02-21-2020 08:46 PM
Hi,
L2L tunnel is not coming up.
Only phase 1 comes up.
Below are logs from the ASA, which is the initiator.
Peer IP 173.182.112.167
debug crypto ikev1 7
debug crypto ikev1 7
remote-video-vpn-asa# Apr 13 14:47:32 [IKEv1 DEBUG]Pitcher: received a key acquire message, spi 0x0
Apr 13 14:47:32 [IKEv1]NAT-T disabled in crypto map Outside_map0 6.
Apr 13 14:47:32 [IKEv1]IP = 173.182.112.167, IKE Initiator: New Phase 1, Intf Inside, IKE Peer 173.182.112.167 local Proxy Address 0.0.0.0, remote Proxy Address 10.70.130.0, Crypto map (Outside_map0)
Apr 13 14:47:32 [IKEv1 DEBUG]IP = 173.182.112.167, constructing ISAKMP SA payload
Apr 13 14:47:32 [IKEv1 DEBUG]IP = 173.182.112.167, constructing Fragmentation VID + extended capabilities payload
Apr 13 14:47:32 [IKEv1]IP = 173.182.112.167, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 224
Apr 13 14:47:33 [IKEv1]IKE Receiver: Packet received on 192.41.x.x:500 from 173.182.112.167:500
Apr 13 14:47:33 [IKEv1]IP = 173.182.112.167, Received encrypted packet with no matching SA, dropping
Apr 13 14:47:33 [IKEv1]IKE Receiver: Packet received on 192.41.x.x:500 from 173.182.112.167:500
Apr 13 14:47:33 [IKEv1]IP = 173.182.112.167, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 124
Apr 13 14:47:33 [IKEv1 DEBUG]IP = 173.182.112.167, processing SA payload
Apr 13 14:47:33 [IKEv1 DEBUG]IP = 173.182.112.167, Oakley proposal is acceptable
Apr 13 14:47:33 [IKEv1 DEBUG]IP = 173.182.112.167, processing VID payload
Apr 13 14:47:33 [IKEv1 DEBUG]IP = 173.182.112.167, processing VID payload
Apr 13 14:47:33 [IKEv1 DEBUG]IP = 173.182.112.167, Received DPD VID
Apr 13 14:47:33 [IKEv1 DEBUG]IP = 173.182.112.167, constructing ke payload
Apr 13 14:47:33 [IKEv1 DEBUG]IP = 173.182.112.167, constructing nonce payload
Apr 13 14:47:33 [IKEv1 DEBUG]IP = 173.182.112.167, constructing Cisco Unity VID payload
Apr 13 14:47:33 [IKEv1 DEBUG]IP = 173.182.112.167, constructing xauth V6 VID payload
Apr 13 14:47:33 [IKEv1 DEBUG]IP = 173.182.112.167, Send IOS VID
Apr 13 14:47:33 [IKEv1 DEBUG]IP = 173.182.112.167, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Apr 13 14:47:33 [IKEv1 DEBUG]IP = 173.182.112.167, constructing VID payload
Apr 13 14:47:33 [IKEv1 DEBUG]IP = 173.182.112.167, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Apr 13 14:47:33 [IKEv1]IP = 173.182.112.167, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 320
Apr 13 14:47:34 [IKEv1]IKE Receiver: Packet received on 192.41.x.x:500 from 173.182.112.167:500
Apr 13 14:47:34 [IKEv1]IP = 173.182.112.167, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NONE (0) total length : 244
Apr 13 14:47:34 [IKEv1 DEBUG]IP = 173.182.112.167, processing ke payload
Apr 13 14:47:34 [IKEv1 DEBUG]IP = 173.182.112.167, processing ISA_KE payload
Apr 13 14:47:34 [IKEv1 DEBUG]IP = 173.182.112.167, processing nonce payload
Apr 13 14:47:34 [IKEv1]IP = 173.182.112.167, Connection landed on tunnel_group 173.182.112.167
Apr 13 14:47:34 [IKEv1 DEBUG]Group = 173.182.112.167, IP = 173.182.112.167, Generating keys for Initiator...
Apr 13 14:47:34 [IKEv1 DEBUG]Group = 173.182.112.167, IP = 173.182.112.167, constructing ID payload
Apr 13 14:47:34 [IKEv1 DEBUG]Group = 173.182.112.167, IP = 173.182.112.167, constructing hash payload
Apr 13 14:47:34 [IKEv1 DEBUG]Group = 173.182.112.167, IP = 173.182.112.167, Computing hash for ISAKMP
Apr 13 14:47:34 [IKEv1 DEBUG]Group = 173.182.112.167, IP = 173.182.112.167, constructing dpd vid payload
Apr 13 14:47:34 [IKEv1]IP = 173.182.112.167, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + VENDOR (13) + NONE (0) total length : 84
Apr 13 14:47:34 [IKEv1]IKE Receiver: Packet received on 192.41.x.x:500 from 173.182.112.167:500
Apr 13 14:47:34 [IKEv1]IP = 173.182.112.167, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 64
Apr 13 14:47:34 [IKEv1 DEBUG]Group = 173.182.112.167, IP = 173.182.112.167, processing ID payload
Apr 13 14:47:34 [IKEv1 DEBUG]Group = 173.182.112.167, IP = 173.182.112.167, processing hash payload
Apr 13 14:47:34 [IKEv1 DEBUG]Group = 173.182.112.167, IP = 173.182.112.167, Computing hash for ISAKMP
Apr 13 14:47:34 [IKEv1]IP = 173.182.112.167, Connection landed on tunnel_group 173.182.112.167
Apr 13 14:47:34 [IKEv1 DEBUG]Group = 173.182.112.167, IP = 173.182.112.167, Oakley begin quick mode
Apr 13 14:47:34 [IKEv1]Group = 173.182.112.167, IP = 173.182.112.167, PHASE 1 COMPLETED
Apr 13 14:47:34 [IKEv1]IP = 173.182.112.167, Keep-alive type for this connection: DPD
Apr 13 14:47:34 [IKEv1 DEBUG]Group = 173.182.112.167, IP = 173.182.112.167, Starting P1 rekey timer: 64800 seconds.
Apr 13 14:47:34 [IKEv1]Group = 173.182.112.167, IP = 173.182.112.167, Add to IKEv1 Tunnel Table succeeded for SA with logical ID 124235776
Apr 13 14:47:34 [IKEv1]Group = 173.182.112.167, IP = 173.182.112.167, Add to IKEv1 MIB Table succeeded for SA with logical ID 124235776
Apr 13 14:47:34 [IKEv1 DEBUG]Group = 173.182.112.167, IP = 173.182.112.167, IKE got SPI from key engine: SPI = 0x7c69b6b2
Apr 13 14:47:34 [IKEv1 DEBUG]Group = 173.182.112.167, IP = 173.182.112.167, IKE got SPI from key engine: SPI = 0x48be9caf
Apr 13 14:47:34 [IKEv1 DEBUG]Group = 173.182.112.167, IP = 173.182.112.167, IKE got SPI from key engine: SPI = 0x1f7e33f8
Apr 13 14:47:34 [IKEv1 DEBUG]Group = 173.182.112.167, IP = 173.182.112.167, IKE got SPI from key engine: SPI = 0x41ae2883
Apr 13 14:47:34 [IKEv1 DEBUG]Group = 173.182.112.167, IP = 173.182.112.167, oakley constucting quick mode
Apr 13 14:47:34 [IKEv1 DEBUG]Group = 173.182.112.167, IP = 173.182.112.167, constructing blank hash payload
Apr 13 14:47:34 [IKEv1 DEBUG]Group = 173.182.112.167, IP = 173.182.112.167, constructing IPSec SA payload
Apr 13 14:47:34 [IKEv1 DEBUG]Group = 173.182.112.167, IP = 173.182.112.167, constructing IPSec nonce payload
Apr 13 14:47:34 [IKEv1 DEBUG]Group = 173.182.112.167, IP = 173.182.112.167, constructing proxy ID
Apr 13 14:47:34 [IKEv1 DEBUG]Group = 173.182.112.167, IP = 173.182.112.167, Transmitting Proxy Id:
Local subnet: 0.0.0.0 mask 0.0.0.0 Protocol 0 Port 0
Remote subnet: 10.70.130.0 Mask 255.255.255.0 Protocol 0 Port 0
Apr 13 14:47:34 [IKEv1 DEBUG]Group = 173.182.112.167, IP = 173.182.112.167, constructing qm hash payload
Apr 13 14:47:34 [IKEv1]IP = 173.182.112.167, IKE_DECODE SENDING Message (msgid=c7e187fd) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 340
Apr 13 14:47:34 [IKEv1]IP = 173.182.26.211, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 224
Apr 13 14:47:35 [IKEv1]IKE Receiver: Packet received on 192.41.x.x:500 from 173.182.112.167:500
Apr 13 14:47:35 [IKEv1]IP = 173.182.112.167, IKE_DECODE RECEIVED Message (msgid=4c854de3) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 64
Apr 13 14:47:35 [IKEv1 DEBUG]Group = 173.182.112.167, IP = 173.182.112.167, processing hash payload
Apr 13 14:47:35 [IKEv1 DEBUG]Group = 173.182.112.167, IP = 173.182.112.167, processing notify payload
Apr 13 14:47:35 [IKEv1]Group = 173.182.112.167, IP = 173.182.112.167, Received non-routine Notify message: No proposal chosen (14)
Apr 13 14:47:36 [IKEv1]IKE Receiver: Packet received on 192.41.x.x:500 from 173.182.112.167:500
Apr 13 14:47:36 [IKEv1]IP = 173.182.112.167, Received encrypted packet with no matching SA, dropping
Apr 13 14:47:36 [IKEv1]IP = 173.182.30.56, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 224
Apr 13 14:47:37 [IKEv1]IP = 173.182.112.168, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 224
Apr 13 14:47:38 [IKEv1]IKE Receiver: Packet received on 192.41.x.x:500 from 173.182.112.167:500
Apr 13 14:47:38 [IKEv1]IP = 173.182.112.167, IKE_DECODE RECEIVED Message (msgid=1aef4589) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 156
Apr 13 14:47:38 [IKEv1 DEBUG]Group = 173.182.112.167, IP = 173.182.112.167, processing hash payload
Apr 13 14:47:38 [IKEv1 DEBUG]Group = 173.182.112.167, IP = 173.182.112.167, processing SA payload
Apr 13 14:47:38 [IKEv1 DEBUG]Group = 173.182.112.167, IP = 173.182.112.167, processing nonce payload
Apr 13 14:47:38 [IKEv1 DEBUG]Group = 173.182.112.167, IP = 173.182.112.167, processing ID payload
Apr 13 14:47:38 [IKEv1]Group = 173.182.112.167, IP = 173.182.112.167, Received remote IP Proxy Subnet data in ID Payload: Address 10.70.130.0, Mask 255.255.255.0, Protocol 0, Port 0
Apr 13 14:47:38 [IKEv1 DEBUG]Group = 173.182.112.167, IP = 173.182.112.167, processing ID payload
Apr 13 14:47:38 [IKEv1]Group = 173.182.112.167, IP = 173.182.112.167, Received local IP Proxy Subnet data in ID Payload: Address 0.0.0.0, Mask 0.0.0.0, Protocol 0, Port 0
Apr 13 14:47:38 [IKEv1]Group = 173.182.112.167, IP = 173.182.112.167, Static Crypto Map check, checking map = Outside_map0, seq = 1...
Apr 13 14:47:38 [IKEv1]Group = 173.182.112.167, IP = 173.182.112.167, Static Crypto Map check, map = Outside_map0, seq = 1, ACL does not match proxy IDs src:10.70.130.0 dst:0.0.0.0
Apr 13 14:47:38 [IKEv1]Group = 173.182.112.167, IP = 173.182.112.167, Static Crypto Map check, checking map = Outside_map0, seq = 2...
Apr 13 14:47:38 [IKEv1]Group = 173.182.112.167, IP = 173.182.112.167, Static Crypto Map check, map = Outside_map0, seq = 2, ACL does not match proxy IDs src:10.70.130.0 dst:0.0.0.0
Apr 13 14:47:38 [IKEv1]Group = 173.182.112.167, IP = 173.182.112.167, Static Crypto Map check, checking map = Outside_map0, seq = 3...
Apr 13 14:47:38 [IKEv1]Group = 173.182.112.167, IP = 173.182.112.167, Static Crypto Map check, map = Outside_map0, seq = 3, ACL does not match proxy IDs src:10.70.130.0 dst:0.0.0.0
Apr 13 14:47:38 [IKEv1]Group = 173.182.112.167, IP = 173.182.112.167, Static Crypto Map check, checking map = Outside_map0, seq = 4...
Apr 13 14:47:38 [IKEv1]Group = 173.182.112.167, IP = 173.182.112.167, Static Crypto Map check, map = Outside_map0, seq = 4, ACL does not match proxy IDs src:10.70.130.0 dst:0.0.0.0
Apr 13 14:47:38 [IKEv1]Group = 173.182.112.167, IP = 173.182.112.167, Static Crypto Map check, checking map = Outside_map0, seq = 5...
Apr 13 14:47:38 [IKEv1]Group = 173.182.112.167, IP = 173.182.112.167, Static Crypto Map check, map = Outside_map0, seq = 5, ACL does not match proxy IDs src:10.70.130.0 dst:0.0.0.0
Apr 13 14:47:38 [IKEv1]Group = 173.182.112.167, IP = 173.182.112.167, Static Crypto Map check, checking map = Outside_map0, seq = 6...
Apr 13 14:47:38 [IKEv1]Group = 173.182.112.167, IP = 173.182.112.167, Static Crypto Map check, map Outside_map0, seq = 6 is a successful match
Apr 13 14:47:38 [IKEv1]Group = 173.182.112.167, IP = 173.182.112.167, IKE Remote Peer configured for crypto map: Outside_map0
Apr 13 14:47:38 [IKEv1 DEBUG]Group = 173.182.112.167, IP = 173.182.112.167, processing IPSec SA payload
Apr 13 14:47:38 [IKEv1]Group = 173.182.112.167, IP = 173.182.112.167, All IPSec SA proposals found unacceptable!
Apr 13 14:47:38 [IKEv1 DEBUG]Group = 173.182.112.167, IP = 173.182.112.167, sending notify message
Apr 13 14:47:38 [IKEv1 DEBUG]Group = 173.182.112.167, IP = 173.182.112.167, constructing blank hash payload
Apr 13 14:47:38 [IKEv1 DEBUG]Group = 173.182.112.167, IP = 173.182.112.167, constructing ipsec notify payload for msg id 1aef4589
Apr 13 14:47:38 [IKEv1 DEBUG]Group = 173.182.112.167, IP = 173.182.112.167, constructing qm hash payload
Apr 13 14:47:38 [IKEv1]IP = 173.182.112.167, IKE_DECODE SENDING Message (msgid=cb90c912) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Apr 13 14:47:38 [IKEv1]Group = 173.182.112.167, IP = 173.182.112.167, QM FSM error (P2 struct &0x00007fffa0dc3b40, mess id 0x1aef4589)!
Apr 13 14:47:38 [IKEv1 DEBUG]Group = 173.182.112.167, IP = 173.182.112.167, IKE QM Responder FSM error history (struct &0x00007fffa0dc3b40) <state>, <event>: QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_NEGO_SA-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH
Apr 13 14:47:38 [IKEv1 DEBUG]Group = 173.182.112.167, IP = 173.182.112.167, sending delete/delete with reason message
Apr 13 14:47:38 [IKEv1 DEBUG]Group = 173.182.112.167, IP = 173.182.112.167, sending delete/delete with reason message
Apr 13 14:47:38 [IKEv1 DEBUG]Group = 173.182.112.167, IP = 173.182.112.167, constructing blank hash payload
Apr 13 14:47:38 [IKEv1 DEBUG]Group = 173.182.112.167, IP = 173.182.112.167, constructing IPSec delete payload
Apr 13 14:47:38 [IKEv1 DEBUG]Group = 173.182.112.167, IP = 173.182.112.167, constructing qm hash payload
Apr 13 14:47:38 [IKEv1]IP = 173.182.112.167, IKE_DECODE SENDING Message (msgid=8f0cf3ac) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 68
Apr 13 14:47:38 [IKEv1]Group = 173.182.112.167, IP = 173.182.112.167, Removing peer from correlator table failed, no match!
Apr 13 14:47:38 [IKEv1 DEBUG]Group = 173.182.112.167, IP = 173.182.112.167, IKE Deleting SA: Remote Proxy 10.70.130.0, Local Proxy 0.0.0.0
Apr 13 14:47:38 [IKEv1 DEBUG]Group = 173.182.112.167, IP = 173.182.112.167, IKE Deleting SA: Remote Proxy 10.70.130.0, Local Proxy 0.0.0.0
Apr 13 14:47:38 [IKEv1 DEBUG]Group = 173.182.112.167, IP = 173.182.112.167, IKE Deleting SA: Remote Proxy 10.70.130.0, Local Proxy 0.0.0.0
Apr 13 14:47:38 [IKEv1 DEBUG]Group = 173.182.112.167, IP = 173.182.112.167, IKE Deleting SA: Remote Proxy 10.70.130.0, Local Proxy 0.0.0.0
Apr 13 14:47:38 [IKEv1 DEBUG]Group = 173.182.112.167, IP = 173.182.112.167, IKE SA MM:2662f860 rcv'd Terminate: state MM_ACTIVE flags 0x00000062, refcnt 1, tuncnt 0
Apr 13 14:47:38 [IKEv1]Group = 173.182.112.167, IP = 173.182.112.167, Remove from IKEv1 Tunnel Table succeeded for SA with logicalId 124235776
Apr 13 14:47:38 [IKEv1]Group = 173.182.112.167, IP = 173.182.112.167, Remove from IKEv1 MIB Table succeeded for SA with logical ID 124235776
Apr 13 14:47:38 [IKEv1 DEBUG]Group = 173.182.112.167, IP = 173.182.112.167, IKE SA MM:2662f860 terminating: flags 0x01000022, refcnt 0, tuncnt 0
Apr 13 14:47:38 [IKEv1 DEBUG]Group = 173.182.112.167, IP = 173.182.112.167, sending delete/delete with reason message
Apr 13 14:47:38 [IKEv1 DEBUG]Group = 173.182.112.167, IP = 173.182.112.167, constructing blank hash payload
Apr 13 14:47:38 [IKEv1 DEBUG]Group = 173.182.112.167, IP = 173.182.112.167, constructing IKE delete payload
Apr 13 14:47:38 [IKEv1 DEBUG]Group = 173.182.112.167, IP = 173.182.112.167, constructing qm hash payload
Apr 13 14:47:38 [IKEv1]IP = 173.182.112.167, IKE_DECODE SENDING Message (msgid=44f90172) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
Apr 13 14:47:38 [IKEv1 DEBUG]Pitcher: received key delete msg, spi 0x41ae2883
Apr 13 14:47:38 [IKEv1 DEBUG]Pitcher: received key delete msg, spi 0x41ae2883
Apr 13 14:47:38 [IKEv1 DEBUG]Pitcher: received key delete msg, spi 0x41ae2883
Apr 13 14:47:38 [IKEv1 DEBUG]Pitcher: received key delete msg, spi 0x41ae2883
Apr 13 14:47:38 [IKEv1]Group = 173.182.112.167, IP = 173.182.112.167, Session is being torn down. Reason: Phase 2 Mismatch
Apr 13 14:47:38 [IKEv1]Ignoring msg to mark SA with dsID 124235776 dead because SA deleted
Regards
Mahesh
04-13-2016 09:39 PM
Hi Mahesh,
As per the debug logs we are getting:
Apr 13 14:47:38 [IKEv1]Group = 173.182.112.167, IP = 173.182.112.167, QM FSM error (P2 struct &0x00007fffa0dc3b40, mess id 0x1aef4589)!
QM FSM error is due to a Phase 2 parameters mismatch.
Check the crypto ACL and the phase 2 transform set.
Regards,
Aditya
Please rate helpful posts and mark correct answers.
04-14-2016 12:34 PM
PFS is not used.
How can I check NAT?
Regards
Mahesh
04-14-2016 12:43 PM
Can you post the local and remote crypto configuration?
All we can say is the configs don't match.
04-14-2016 01:26 PM
I have access to the local side only.
crypto map Outside_map0 6 set ikev1 transform-set ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5 ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-MD5
show run | include transform-set
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
Regards
Mahesh
04-14-2016 01:35 PM
This doesn't show the encryption domain.
Can you ask the remote end what settings they are using?
04-14-2016 02:31 PM
How can I check the encryption domain?
04-14-2016 02:55 PM
Only 1 way - you have to ask them what they have configured.
04-14-2016 04:43 PM
Hi Mahesh,
Encryption domain would be the crypto ACL configured on the device.
Make sure we have a mirror replica of the ACL on the other end.
Regards,
Aditya
Please rate helpful posts and mark correct answers.
04-18-2016 10:43 AM
Hi Aditya,
Thanks for explaining that to me.
I will visit the remote site and check the config of it.
Regards
Mahesh
04-14-2016 02:55 PM
Like you said, phase 2 mis-match. Either the crypto algorithms are not identical on both sides, or the encryption domain is not the same.
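A triage script for this kind of ASA `debug crypto ikev1` output, added here as an example; it is not part of the thread and not a Cisco tool. It parses a constructed excerpt of the capture above and reports whether Phase 1 completed, whether the peer's proxy IDs mirror the local encryption domain, which crypto map entry matched, and whether the Phase 2 failure is the crypto ACL or the transform set/PFS:

```python
import re

# Constructed excerpt of the ASA "debug crypto ikev1 7" output quoted in the thread (original line format kept).
SAMPLE_DEBUG = """\
Apr 13 14:47:34 [IKEv1 DEBUG]Group = 173.182.112.167, IP = 173.182.112.167, Transmitting Proxy Id:
Local subnet: 0.0.0.0 mask 0.0.0.0 Protocol 0 Port 0
Remote subnet: 10.70.130.0 Mask 255.255.255.0 Protocol 0 Port 0
Apr 13 14:47:34 [IKEv1]Group = 173.182.112.167, IP = 173.182.112.167, PHASE 1 COMPLETED
Apr 13 14:47:38 [IKEv1]Group = 173.182.112.167, IP = 173.182.112.167, Received remote IP Proxy Subnet data in ID Payload: Address 10.70.130.0, Mask 255.255.255.0, Protocol 0, Port 0
Apr 13 14:47:38 [IKEv1]Group = 173.182.112.167, IP = 173.182.112.167, Received local IP Proxy Subnet data in ID Payload: Address 0.0.0.0, Mask 0.0.0.0, Protocol 0, Port 0
Apr 13 14:47:38 [IKEv1]Group = 173.182.112.167, IP = 173.182.112.167, Static Crypto Map check, map = Outside_map0, seq = 1, ACL does not match proxy IDs src:10.70.130.0 dst:0.0.0.0
Apr 13 14:47:38 [IKEv1]Group = 173.182.112.167, IP = 173.182.112.167, Static Crypto Map check, map Outside_map0, seq = 6 is a successful match
Apr 13 14:47:38 [IKEv1]Group = 173.182.112.167, IP = 173.182.112.167, All IPSec SA proposals found unacceptable!
Apr 13 14:47:38 [IKEv1]Group = 173.182.112.167, IP = 173.182.112.167, Session is being torn down. Reason: Phase 2 Mismatch
"""

PROXY_SENT = re.compile(r"^(Local|Remote) subnet: (\S+) [Mm]ask (\S+)")
PROXY_RCVD = re.compile(r"Received (remote|local) IP Proxy Subnet data .*?Address (\S+), Mask (\S+),")
MAP_MATCH = re.compile(r"Static Crypto Map check, map (\S+), seq = (\d+) is a successful match")
MARKERS = ("PHASE 1 COMPLETED", "No proposal chosen", "ACL does not match proxy IDs",
           "All IPSec SA proposals found unacceptable", "Phase 2 Mismatch")


def triage_ikev1(debug_text):
    """Classify an ASA IKEv1 debug capture: did Phase 1 finish, do the peer's proxy IDs
    mirror ours, which crypto map entry matched, and which Phase 2 check failed."""
    r = {"sent": {}, "received": {}, "matched_seq": None, "evidence": []}
    for line in debug_text.splitlines():
        m = PROXY_SENT.match(line)
        if m:                       # our own proxy IDs, from "Transmitting Proxy Id:"
            r["sent"][m.group(1).lower()] = (m.group(2), m.group(3))
            continue
        m = PROXY_RCVD.search(line)
        if m:                       # peer's proxy IDs, already reported in our local/remote terms
            r["received"][m.group(1)] = (m.group(2), m.group(3))
            continue
        m = MAP_MATCH.search(line)
        if m:
            r["matched_seq"] = int(m.group(2))
        r["evidence"].extend(mk for mk in MARKERS if mk in line)
    r["phase1"] = "PHASE 1 COMPLETED" in r["evidence"]
    # Encryption domains must be mirror images: the peer's local is our remote and vice versa.
    r["acl_mirrored"] = bool(r["sent"]) and r["sent"] == r["received"]
    if not r["phase1"]:
        r["verdict"] = "Phase 1 never completed: check IKE policy, pre-shared key and peer address"
    elif "All IPSec SA proposals found unacceptable" in r["evidence"] and r["matched_seq"]:
        r["verdict"] = "transform-set/PFS mismatch on crypto map seq %d" % r["matched_seq"]
    elif r["matched_seq"] is None or not r["acl_mirrored"]:
        r["verdict"] = "crypto ACL (encryption domain) not mirrored"
    elif "No proposal chosen" in r["evidence"]:
        r["verdict"] = "peer rejected our proposal: check its transform set/PFS"
    else:
        r["verdict"] = "no failure detected"
    return r
```

For the capture in this thread the proxy IDs match crypto map seq 6 on both sides, so the remaining candidates are the transform sets listed under seq 6 and the PFS setting.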