05-01-2017 12:48 PM
I have a Cisco 5505 ASA version 8.2(5), ASDM version 6.4(5)
This ASA has one role and that is the Site to Site VPN with a supplier. Based on my limited understanding of VPNs Phase 1 is okay, but Phase 2 is where the VPN fails.
In the log, I see the following
Group = 198.208.201.1, IP = 198.208.201.1, Removing peer from correlator table failed, no match!
Group = 198.208.201.1, IP = 198.208.201.1, QM FSM error (P2 struct &0xc9fa3108, mess id 0x26d8aaed)!
I was hoping that someone would be able to point me in the right direction of what could be wrong. Remember - ultimate n00b.
Internal traffic on my side is coming from 10.110.37.x inside and going out to the following networks for the supplier.
10.121.22.0/24
10.121.23.0/24
117.105.91.0/24
130.170.76.0/24
130.172.77.0/24
130.172.78.0/24
130.172.159.0/24
130.172.9.0/24
148.93.41.0/24
148.93.42.0/24
148.93.45.0/24
148.93.51.0/24
148.93.120.0/24
148.95.198.0/24
164.56.196.0/24
I have been told this is what I need for phase 1 and phase 2 to establish the VPN.
IKE POLICY (PHASE 1)
IKE Encryption Policy 3DES (168 bit)
IKE Authentication Policy SHA1
IKE Lifetime (Seconds) 28800 / 480 minutes / 8 hours
Authentication Pre-shared Key
Main Mode
Pre-shared Key To be agreed upon over the phone or via encrypted methods
IPSEC POLICY (PHASE 2)
IPSEC Encryption Policy ESP - 3DES (168 bit)
IPSEC Authentication Policy SHA1
Perfect Forward Secrecy & DH Group Disabled
IPSEC SA Lifetime Seconds 28800
IPSEC SA Lifetime Kilobytes Disabled
Vendor ID Disabled
Compression Disabled
I have confirmed the Pre-shared key with the supplier and they match.
I've attached my config. Let me know if there is something else I could provide to help.
Thanks in advance.
05-01-2017 01:34 PM
Capture the output of the following debug when you are trying to establish the tunnel:
debug crypto isakmp 127
debug crypto ipsec 127
One of the more common errors is a mismatch of local and remote "proxies" or networks that need to be encrypted. They have to be a mirror image on each of the peer devices. So you have:
access-list outside_1_cryptomap extended permit ip 10.110.37.0 255.255.255.0 object-group GM
The other side should have the exact reverse of this (src and dst networks).
05-01-2017 02:10 PM
05-01-2017 03:48 PM
Apr 27 13:19:18 [IKEv1]: Group = 198.208.201.1, IP = 198.208.201.1, Received non-routine Notify message: No proposal chosen (14)
Looks like the peer does not like the proposal you are sending as a part of Phase 2. You have to verify that the proxies that are configured on your side and on the remote peer are exact mirrors (src and dst network/mask is reversed). Another aspect to check is that the IPsec proposal (encryption protocols etc.) is also the same on the peer side.
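The two checks recommended in the replies above (mirror-image crypto ACLs and a matching Phase 2 proposal) can be done mechanically once you have both sides' configuration. The script below is an added example, not code from the thread or from Cisco: it parses ASA-style `access-list ... extended permit ip` lines from each peer, reports any entry whose reversed (dst, src) pair is missing on the other side, and diffs the two Phase 2 parameter sets. The ACL text, the peer's ACL name, the /25 mask on the peer and the PFS setting are constructed sample values; the thread's `object-group GM` is expanded by hand into two of the supplier networks, since the parser only handles explicit network/mask pairs.

```python
import ipaddress
import re

# Constructed sample: the local crypto ACL with object-group GM expanded by hand
# into two of the supplier /24s from the thread.
LOCAL_ACL = """
access-list outside_1_cryptomap extended permit ip 10.110.37.0 255.255.255.0 10.121.22.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.110.37.0 255.255.255.0 10.121.23.0 255.255.255.0
"""

# Constructed sample for the supplier side (hypothetical ACL name). The first entry is a
# correct mirror; the second uses a /25 mask, which is the kind of mistake that makes the
# peer answer "No proposal chosen" in Phase 2.
PEER_ACL = """
access-list vpn_to_customer extended permit ip 10.121.22.0 255.255.255.0 10.110.37.0 255.255.255.0
access-list vpn_to_customer extended permit ip 10.121.23.0 255.255.255.128 10.110.37.0 255.255.255.0
"""

# Constructed Phase 2 parameter sets; the local one matches the supplier's stated policy,
# the peer one has PFS enabled to show how the diff surfaces it.
LOCAL_PHASE2 = {"encryption": "3des", "hash": "sha1", "pfs": "disabled", "lifetime_seconds": 28800}
PEER_PHASE2 = {"encryption": "3des", "hash": "sha1", "pfs": "group2", "lifetime_seconds": 28800}

ACL_RE = re.compile(r"^access-list \S+ extended permit ip (\S+) (\S+) (\S+) (\S+)$")


def parse_acl(text):
    """Return a set of (src_network, dst_network) pairs from ASA permit-ip ACL lines.

    Lines that do not match the explicit network/mask form (remarks, object-group
    references, non-ip protocols) are skipped rather than guessed at.
    """
    pairs = set()
    for line in text.strip().splitlines():
        m = ACL_RE.match(line.strip())
        if not m:
            continue
        src = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
        dst = ipaddress.ip_network(f"{m.group(3)}/{m.group(4)}")
        pairs.add((src, dst))
    return pairs


def mirror_mismatches(local_text, peer_text):
    """Return (missing_on_peer, missing_on_local).

    missing_on_peer: local (src, dst) entries whose (dst, src) mirror the peer lacks.
    missing_on_local: peer entries whose mirror is absent locally.
    Both lists empty means the proxy identities are exact mirror images.
    """
    local = parse_acl(local_text)
    peer = parse_acl(peer_text)
    expected_on_peer = {(dst, src) for src, dst in local}
    expected_on_local = {(dst, src) for src, dst in peer}
    missing_on_peer = sorted(expected_on_peer - peer, key=str)
    missing_on_local = sorted(expected_on_local - local, key=str)
    return missing_on_peer, missing_on_local


def proposal_differences(local, peer):
    """Return {parameter: (local_value, peer_value)} for every Phase 2 setting that differs."""
    keys = sorted(set(local) | set(peer))
    return {k: (local.get(k), peer.get(k)) for k in keys if local.get(k) != peer.get(k)}


if __name__ == "__main__":
    on_peer, on_local = mirror_mismatches(LOCAL_ACL, PEER_ACL)
    for src, dst in on_peer:
        print(f"peer is missing mirror entry: permit ip {src} -> {dst}")
    for src, dst in on_local:
        print(f"local is missing mirror entry: permit ip {src} -> {dst}")
    for param, (mine, theirs) in proposal_differences(LOCAL_PHASE2, PEER_PHASE2).items():
        print(f"phase 2 mismatch on {param}: local={mine} peer={theirs}")
```

Run against the constructed input it flags the 10.121.23.0 entry on both sides (the /24 locally has no /24 mirror on the peer, and the peer's /25 has no mirror locally) and the PFS difference; with real configs, the peer's ACL text is whatever the supplier sends you, and any mismatch line printed is the first thing to send back to them.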