03-21-2014 02:43 PM
I have two ASAs.
The first one gets its WAN IP via DHCP. The second one is static. Therefore my aim is a dynamic tunnel.
Here is the configuration for the first: http://pastebin.com/raw.php?i=guGPmjEU
And the second: http://pastebin.com/raw.php?i=djsPsbsm
Inside subnet of the first ASA: 10.75.0.0/16
Inside subnet of the second ASA: 10.80.0.0/16
"crypto map PG_TUNNEL_MAP 11" in the first ASA config is for the tunnel to the second (static) ASA.
And here is the debug output I see (debug crypto <isakmp/ipsec> 127) on the second ASA when I send interesting traffic from the first ASA:
http://pastebin.com/raw.php?i=MSTkJ379
How come phase 2 does not complete?
03-24-2014 03:30 PM
The QM FSM error seems to be the failing point. That can be caused either by mismatch in proxy identities (those look ok) or transform set parameters.
For the latter, KAMLOOPS is using:
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
while VMON-ASA is using:
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
So you might try removing the pfs parameter in VMON-ASA's dynamic-map.
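An added check for the phase 2 mismatch described in this answer (example code, not from the thread or from Cisco): it parses constructed ASA config excerpts modelled on the two devices, compares each side's crypto map entry by PFS setting and by transform-set algorithms rather than names, and lists what would make IKEv1 Quick Mode fail. The names KAMLOOPS_CFG, VMON_CFG, VMON_CFG_FIXED, parse_phase2 and check_phase2 are assumptions for this example.

```python
import re

# Constructed config excerpts modelled on the thread (not the poster's full pastebins):
# KAMLOOPS holds the static crypto map entry, VMON-ASA accepts it via a dynamic map.
KAMLOOPS_CFG = """
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map PG_TUNNEL_MAP 11 set transform-set ESP-3DES-SHA
"""
VMON_CFG = """
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-3DES-SHA
"""
# The same dynamic map after the fix applied later in the thread
# ('no crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1').
VMON_CFG_FIXED = VMON_CFG.replace(
    "crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1\n", "")

TS_RE = re.compile(r"crypto ipsec transform-set (\S+) (.+)")
MAP_RE = re.compile(r"crypto (?:dynamic-)?map (\S+) (\d+) set (pfs|transform-set)\s*(.*)")

def parse_phase2(cfg):
    """Return (transform_sets, entries): transform-set name -> algorithm tuple, and
    (map name, seq) -> {'pfs': group or None, 'ts': [names]} per crypto map entry."""
    transform_sets, entries = {}, {}
    for line in cfg.splitlines():
        line = line.strip()
        if m := TS_RE.match(line):
            transform_sets[m.group(1)] = tuple(m.group(2).split())
        elif m := MAP_RE.match(line):
            e = entries.setdefault((m.group(1), int(m.group(2))), {"pfs": None, "ts": []})
            if m.group(3) == "pfs":
                e["pfs"] = m.group(4) or "unspecified"  # bare 'set pfs': group left to the ASA
            else:
                e["ts"] = m.group(4).split()
    return transform_sets, entries

def check_phase2(initiator_cfg, responder_cfg):
    """List Quick Mode mismatches between one crypto map entry on each side (each
    excerpt carries exactly one entry). Any PFS difference is flagged; that is
    deliberately conservative. The thread's failing case is a responder requiring
    PFS while the initiator proposes none."""
    i_ts, i_entries = parse_phase2(initiator_cfg)
    r_ts, r_entries = parse_phase2(responder_cfg)
    i_entry, r_entry = next(iter(i_entries.values())), next(iter(r_entries.values()))
    problems = []
    if i_entry["pfs"] != r_entry["pfs"]:
        problems.append(f"pfs mismatch: initiator={i_entry['pfs']} responder={r_entry['pfs']}")
    # Compare algorithms, not names: a transform-set name is local to each device.
    i_algs = {i_ts[n] for n in i_entry["ts"] if n in i_ts}
    r_algs = {r_ts[n] for n in r_entry["ts"] if n in r_ts}
    if not (i_algs & r_algs):
        problems.append("no common transform set")
    return problems
```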
03-21-2014 08:23 PM
From your second ASA configuration -
access-list PG_Tunnel extended permit ip object-group DM_INLINE_NETWORK_1 10.70.0.0 255.255.0.0
shouldn't it be "10.75.0.0 255.255.0.0" ?
Jon
03-24-2014 01:38 PM
No, because "crypto map ___ 21" on the second ASA references that access-list. And crypto map 21 is a static map. This tunnel we're discussing is dynamic. Any other ideas?
03-24-2014 03:30 PM
I ran the following on VMON-ASA:
no crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
Then I sent some interesting traffic and the tunnel came up!
Thank you!!
03-25-2014 10:15 AM
You're welcome. Glad to hear it worked.
Thanks for the rating.