Problem with Site-to-site

stephanesanchez
Level 1

Hello,

I have a problem with a tunnel between a ZyWALL USG100-PLUS and a Cisco ASA 5525-X.

My tunnel was OK for 10 days, but it has been down for 2 days.

I don't understand where the problem is:

Log in Cisco:

FW1P1(config)# Jan 14 10:43:13 [IKEv1]IP = 164.177.14.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 404
Jan 14 10:43:13 [IKEv1 DEBUG]IP = 164.177.14.50, processing SA payload
Jan 14 10:43:13 [IKEv1 DEBUG]IP = 164.177.14.50, processing ke payload
Jan 14 10:43:13 [IKEv1 DEBUG]IP = 164.177.14.50, processing ISA_KE payload
Jan 14 10:43:13 [IKEv1 DEBUG]IP = 164.177.14.50, processing nonce payload
Jan 14 10:43:13 [IKEv1 DEBUG]IP = 164.177.14.50, processing ID payload
Jan 14 10:43:13 [IKEv1 DECODE]IP = 164.177.14.50, ID_IPV4_ADDR ID received
164.177.14.50
Jan 14 10:43:13 [IKEv1 DEBUG]IP = 164.177.14.50, processing VID payload
Jan 14 10:43:13 [IKEv1 DEBUG]IP = 164.177.14.50, processing VID payload
Jan 14 10:43:13 [IKEv1 DEBUG]IP = 164.177.14.50, processing VID payload
Jan 14 10:43:13 [IKEv1 DEBUG]IP = 164.177.14.50, processing VID payload
Jan 14 10:43:13 [IKEv1 DEBUG]IP = 164.177.14.50, Received NAT-Traversal ver 02 VID
Jan 14 10:43:13 [IKEv1 DEBUG]IP = 164.177.14.50, processing VID payload
Jan 14 10:43:13 [IKEv1 DEBUG]IP = 164.177.14.50, Received NAT-Traversal ver 03 VID
Jan 14 10:43:13 [IKEv1 DEBUG]IP = 164.177.14.50, processing VID payload
Jan 14 10:43:13 [IKEv1 DEBUG]IP = 164.177.14.50, Received NAT-Traversal RFC VID
Jan 14 10:43:13 [IKEv1 DEBUG]IP = 164.177.14.50, processing VID payload
Jan 14 10:43:13 [IKEv1 DEBUG]IP = 164.177.14.50, Received DPD VID
Jan 14 10:43:13 [IKEv1 DEBUG]IP = 164.177.14.50, processing VID payload
Jan 14 10:43:13 [IKEv1]IP = 164.177.14.50, Connection landed on tunnel_group 164.177.14.50
Jan 14 10:43:13 [IKEv1 DEBUG]Group = 164.177.14.50, IP = 164.177.14.50, processing IKE SA payload
Jan 14 10:43:13 [IKEv1 DEBUG]Group = 164.177.14.50, IP = 164.177.14.50, IKE SA Proposal # 1, Transform # 0 acceptable  Matches global IKE entry # 22
Jan 14 10:43:13 [IKEv1 DEBUG]Group = 164.177.14.50, IP = 164.177.14.50, constructing ISAKMP SA payload
Jan 14 10:43:13 [IKEv1 DEBUG]Group = 164.177.14.50, IP = 164.177.14.50, constructing ke payload
Jan 14 10:43:13 [IKEv1 DEBUG]Group = 164.177.14.50, IP = 164.177.14.50, constructing nonce payload
Jan 14 10:43:13 [IKEv1 DEBUG]Group = 164.177.14.50, IP = 164.177.14.50, Generating keys for Responder...
Jan 14 10:43:13 [IKEv1 DEBUG]Group = 164.177.14.50, IP = 164.177.14.50, constructing ID payload
Jan 14 10:43:13 [IKEv1 DEBUG]Group = 164.177.14.50, IP = 164.177.14.50, constructing hash payload
Jan 14 10:43:13 [IKEv1 DEBUG]Group = 164.177.14.50, IP = 164.177.14.50, Computing hash for ISAKMP
Jan 14 10:43:13 [IKEv1 DEBUG]Group = 164.177.14.50, IP = 164.177.14.50, constructing Cisco Unity VID payload
Jan 14 10:43:13 [IKEv1 DEBUG]Group = 164.177.14.50, IP = 164.177.14.50, constructing xauth V6 VID payload
Jan 14 10:43:13 [IKEv1 DEBUG]Group = 164.177.14.50, IP = 164.177.14.50, constructing dpd vid payload
Jan 14 10:43:13 [IKEv1 DEBUG]Group = 164.177.14.50, IP = 164.177.14.50, constructing NAT-Traversal VID ver RFC payload
Jan 14 10:43:13 [IKEv1 DEBUG]Group = 164.177.14.50, IP = 164.177.14.50, constructing NAT-Discovery payload
Jan 14 10:43:13 [IKEv1 DEBUG]Group = 164.177.14.50, IP = 164.177.14.50, computing NAT Discovery hash
Jan 14 10:43:13 [IKEv1 DEBUG]Group = 164.177.14.50, IP = 164.177.14.50, constructing NAT-Discovery payload
Jan 14 10:43:13 [IKEv1 DEBUG]Group = 164.177.14.50, IP = 164.177.14.50, computing NAT Discovery hash
Jan 14 10:43:13 [IKEv1 DEBUG]Group = 164.177.14.50, IP = 164.177.14.50, constructing Fragmentation VID + extended capabilities payload
Jan 14 10:43:13 [IKEv1 DEBUG]Group = 164.177.14.50, IP = 164.177.14.50, constructing VID payload
Jan 14 10:43:13 [IKEv1 DEBUG]Group = 164.177.14.50, IP = 164.177.14.50, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Jan 14 10:43:13 [IKEv1]IP = 164.177.14.50, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (20) + NAT-D (20) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 440
Jan 14 10:43:13 [IKEv1]IP = 164.177.14.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + HASH (8) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 100
Jan 14 10:43:13 [IKEv1 DEBUG]Group = 164.177.14.50, IP = 164.177.14.50, processing hash payload
Jan 14 10:43:13 [IKEv1 DEBUG]Group = 164.177.14.50, IP = 164.177.14.50, Computing hash for ISAKMP
Jan 14 10:43:13 [IKEv1 DEBUG]Group = 164.177.14.50, IP = 164.177.14.50, processing NAT-Discovery payload
Jan 14 10:43:13 [IKEv1 DEBUG]Group = 164.177.14.50, IP = 164.177.14.50, computing NAT Discovery hash
Jan 14 10:43:13 [IKEv1 DEBUG]Group = 164.177.14.50, IP = 164.177.14.50, processing NAT-Discovery payload
Jan 14 10:43:13 [IKEv1 DEBUG]Group = 164.177.14.50, IP = 164.177.14.50, computing NAT Discovery hash
Jan 14 10:43:13 [IKEv1]Group = 164.177.14.50, IP = 164.177.14.50, Automatic NAT Detection Status:     Remote end is NOT behind a NAT device     This   end is NOT behind a NAT device
Jan 14 10:43:13 [IKEv1]Group = 164.177.14.50, IP = 164.177.14.50, PHASE 1 COMPLETED
Jan 14 10:43:13 [IKEv1]IP = 164.177.14.50, Keep-alive type for this connection: DPD
Jan 14 10:43:13 [IKEv1 DEBUG]Group = 164.177.14.50, IP = 164.177.14.50, Starting P1 rekey timer: 64800 seconds.
Jan 14 10:43:13 [IKEv1 DECODE]IP = 164.177.14.50, IKE Responder starting QM: msg id = 2ca4ba51
Jan 14 10:43:13 [IKEv1]IP = 164.177.14.50, IKE_DECODE RECEIVED Message (msgid=2ca4ba51) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 156
Jan 14 10:43:13 [IKEv1 DEBUG]Group = 164.177.14.50, IP = 164.177.14.50, processing hash payload
Jan 14 10:43:13 [IKEv1 DEBUG]Group = 164.177.14.50, IP = 164.177.14.50, processing SA payload
Jan 14 10:43:13 [IKEv1 DEBUG]Group = 164.177.14.50, IP = 164.177.14.50, processing nonce payload
Jan 14 10:43:13 [IKEv1 DEBUG]Group = 164.177.14.50, IP = 164.177.14.50, processing ID payload
Jan 14 10:43:13 [IKEv1 DECODE]Group = 164.177.14.50, IP = 164.177.14.50, ID_IPV4_ADDR_SUBNET ID received--10.0.0.0--255.255.252.0
Jan 14 10:43:13 [IKEv1]Group = 164.177.14.50, IP = 164.177.14.50, Received remote IP Proxy Subnet data in ID Payload:   Address 10.0.0.0, Mask 255.255.252.0, Protocol 0, Port 0
Jan 14 10:43:13 [IKEv1 DEBUG]Group = 164.177.14.50, IP = 164.177.14.50, processing ID payload
Jan 14 10:43:13 [IKEv1 DECODE]Group = 164.177.14.50, IP = 164.177.14.50, ID_IPV4_ADDR_SUBNET ID received--172.17.1.0--255.255.255.0
Jan 14 10:43:13 [IKEv1]Group = 164.177.14.50, IP = 164.177.14.50, Received local IP Proxy Subnet data in ID Payload:   Address 172.17.1.0, Mask 255.255.255.0, Protocol 0, Port 0
Jan 14 10:43:13 [IKEv1]Group = 164.177.14.50, IP = 164.177.14.50, QM IsRekeyed old sa not found by addr
Jan 14 10:43:13 [IKEv1]Group = 164.177.14.50, IP = 164.177.14.50, Static Crypto Map check, checking map = Outside_map, seq = 1...
Jan 14 10:43:13 [IKEv1]Group = 164.177.14.50, IP = 164.177.14.50, Static Crypto Map check, map Outside_map, seq = 1 is a successful match
Jan 14 10:43:13 [IKEv1]Group = 164.177.14.50, IP = 164.177.14.50, IKE Remote Peer configured for crypto map: Outside_map
Jan 14 10:43:13 [IKEv1 DEBUG]Group = 164.177.14.50, IP = 164.177.14.50, processing IPSec SA payload
Jan 14 10:43:13 [IKEv1]Group = 164.177.14.50, IP = 164.177.14.50, All IPSec SA proposals found unacceptable!
Jan 14 10:43:13 [IKEv1 DEBUG]Group = 164.177.14.50, IP = 164.177.14.50, sending notify message
Jan 14 10:43:13 [IKEv1 DEBUG]Group = 164.177.14.50, IP = 164.177.14.50, constructing blank hash payload
Jan 14 10:43:13 [IKEv1 DEBUG]Group = 164.177.14.50, IP = 164.177.14.50, constructing ipsec notify payload for msg id 2ca4ba51
Jan 14 10:43:13 [IKEv1 DEBUG]Group = 164.177.14.50, IP = 164.177.14.50, constructing qm hash payload
Jan 14 10:43:13 [IKEv1]IP = 164.177.14.50, IKE_DECODE SENDING Message (msgid=c37f6574) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jan 14 10:43:13 [IKEv1]Group = 164.177.14.50, IP = 164.177.14.50, QM FSM error (P2 struct &0x00007fff35f9acd0, mess id 0x2ca4ba51)!
Jan 14 10:43:13 [IKEv1 DEBUG]Group = 164.177.14.50, IP = 164.177.14.50, IKE QM Responder FSM error history (struct &0x00007fff35f9acd0)  <state>, <event>:  QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_NEGO_SA-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH
Jan 14 10:43:13 [IKEv1 DEBUG]Group = 164.177.14.50, IP = 164.177.14.50, sending delete/delete with reason message
Jan 14 10:43:13 [IKEv1]Group = 164.177.14.50, IP = 164.177.14.50, Removing peer from correlator table failed, no match!
Jan 14 10:43:13 [IKEv1 DEBUG]Group = 164.177.14.50, IP = 164.177.14.50, IKE SA AM:e88a2a68 rcv'd Terminate: state AM_ACTIVE  flags 0x00000041, refcnt 1, tuncnt 0
Jan 14 10:43:13 [IKEv1 DEBUG]Group = 164.177.14.50, IP = 164.177.14.50, IKE SA AM:e88a2a68 terminating:  flags 0x01000001, refcnt 0, tuncnt 0
Jan 14 10:43:13 [IKEv1 DEBUG]Group = 164.177.14.50, IP = 164.177.14.50, sending delete/delete with reason message
Jan 14 10:43:13 [IKEv1 DEBUG]Group = 164.177.14.50, IP = 164.177.14.50, constructing blank hash payload
Jan 14 10:43:13 [IKEv1 DEBUG]Group = 164.177.14.50, IP = 164.177.14.50, constructing IKE delete payload
Jan 14 10:43:13 [IKEv1 DEBUG]Group = 164.177.14.50, IP = 164.177.14.50, constructing qm hash payload
Jan 14 10:43:13 [IKEv1]IP = 164.177.14.50, IKE_DECODE SENDING Message (msgid=e01a3346) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
Jan 14 10:43:13 [IKEv1]Group = 164.177.14.50, IP = 164.177.14.50, Session is being torn down. Reason: Phase 2 Mismatch
Jan 14 10:43:13 [IKEv1]Ignoring msg to mark SA with dsID 64020480 dead because SA deleted

Config Crypto:

crypto map Outside_map 1 match address Outside_cryptomap
crypto map Outside_map 1 set peer 164.177.14.50
crypto map Outside_map 1 set ikev1 phase1-mode aggressive
crypto map Outside_map 1 set ikev1 transform-set ESP-3DES-SHA
crypto map Outside_map 1 set validate-icmp-errors

group-policy GroupPolicy_164.177.14.50 internal
group-policy GroupPolicy_164.177.14.50 attributes
 vpn-tunnel-protocol ikev1

tunnel-group 164.177.14.50 type ipsec-l2l
tunnel-group 164.177.14.50 general-attributes
 default-group-policy GroupPolicy_164.177.14.50
tunnel-group 164.177.14.50 ipsec-attributes
 ikev1 pre-shared-key *****

Stephane
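The debug output above already contains every fact needed to place the failure: Phase 1 completes, both proxy IDs arrive, crypto map Outside_map seq 1 matches them, and only then are the IPsec proposals rejected. The following Python script is an added illustration, not code from this thread or from Cisco: it pulls those facts out of a "debug crypto ikev1" capture and states which stage broke. The sample log is an excerpt of the lines posted above; the regular expressions, the IkeDiagnosis structure and the verdict wording are my own assumptions about the message formats shown here, not a documented ASA interface.

```python
"""Triage an ASA 'debug crypto ikev1' capture for a site-to-site tunnel."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Excerpt of the debug output from the post above: the ASA is the IKEv1
# responder, Phase 1 succeeds and Quick Mode (Phase 2) is rejected.
SAMPLE_LOG = """\
Jan 14 10:43:13 [IKEv1 DEBUG]Group = 164.177.14.50, IP = 164.177.14.50, IKE SA Proposal # 1, Transform # 0 acceptable  Matches global IKE entry # 22
Jan 14 10:43:13 [IKEv1]Group = 164.177.14.50, IP = 164.177.14.50, PHASE 1 COMPLETED
Jan 14 10:43:13 [IKEv1]Group = 164.177.14.50, IP = 164.177.14.50, Received remote IP Proxy Subnet data in ID Payload:   Address 10.0.0.0, Mask 255.255.252.0, Protocol 0, Port 0
Jan 14 10:43:13 [IKEv1]Group = 164.177.14.50, IP = 164.177.14.50, Received local IP Proxy Subnet data in ID Payload:   Address 172.17.1.0, Mask 255.255.255.0, Protocol 0, Port 0
Jan 14 10:43:13 [IKEv1]Group = 164.177.14.50, IP = 164.177.14.50, Static Crypto Map check, map Outside_map, seq = 1 is a successful match
Jan 14 10:43:13 [IKEv1]Group = 164.177.14.50, IP = 164.177.14.50, All IPSec SA proposals found unacceptable!
Jan 14 10:43:13 [IKEv1]Group = 164.177.14.50, IP = 164.177.14.50, Session is being torn down. Reason: Phase 2 Mismatch
"""

# Patterns are assumptions derived from the message formats visible above.
RE_PEER = re.compile(r"IP = (\d+\.\d+\.\d+\.\d+)")
RE_IKE_ENTRY = re.compile(r"Matches global IKE entry # (\d+)")
RE_PROXY = re.compile(
    r"Received (local|remote) IP Proxy Subnet data in ID Payload:\s+"
    r"Address ([\d.]+), Mask ([\d.]+), Protocol (\d+), Port (\d+)"
)
RE_MAP_MATCH = re.compile(r"Static Crypto Map check, map (\S+), seq = (\d+) is a successful match")
RE_TEARDOWN = re.compile(r"Session is being torn down\. Reason: (.+?)\s*$")


@dataclass
class IkeDiagnosis:
    """Facts recovered from one negotiation attempt, plus a verdict."""
    peer: Optional[str] = None
    ike_policy_entry: Optional[int] = None     # Phase 1 policy that matched
    phase1_completed: bool = False
    proxy_ids: dict = field(default_factory=dict)  # side -> (addr, mask, proto, port)
    crypto_map: Optional[str] = None
    crypto_map_seq: Optional[int] = None
    phase2_rejected: bool = False              # "All IPSec SA proposals found unacceptable"
    teardown_reason: Optional[str] = None

    def verdict(self) -> str:
        if not self.phase1_completed:
            return ("Phase 1 did not complete: check the IKE policy (encryption, hash, "
                    "DH group, lifetime) and the pre-shared key on both peers.")
        remote = self.proxy_ids.get("remote")
        local = self.proxy_ids.get("local")
        if self.crypto_map is None:
            return (f"Phase 2 failed before a crypto map matched: no crypto ACL covers "
                    f"proxy IDs remote={remote} local={local}.")
        if self.phase2_rejected:
            # The interesting-traffic selection succeeded, so the disagreement is in
            # the IPsec proposal itself rather than in the ACL or the proxy IDs.
            return (f"Phase 2 mismatch: crypto map {self.crypto_map} seq {self.crypto_map_seq} "
                    f"matched the proxy IDs, so the rejected element is in the IPsec proposal "
                    f"(transform set, PFS group or SA lifetime); compare the peer's phase-2 "
                    f"settings with the ASA's.")
        if self.teardown_reason:
            return f"Session torn down: {self.teardown_reason}"
        return "No negotiation error found in this capture."


def diagnose(log_text: str) -> IkeDiagnosis:
    """Scan the capture line by line and record each negotiation milestone."""
    d = IkeDiagnosis()
    for line in log_text.splitlines():
        if d.peer is None:
            m = RE_PEER.search(line)
            if m:
                d.peer = m.group(1)
        m = RE_IKE_ENTRY.search(line)
        if m:
            d.ike_policy_entry = int(m.group(1))
        if "PHASE 1 COMPLETED" in line:
            d.phase1_completed = True
        m = RE_PROXY.search(line)
        if m:
            side, addr, mask, proto, port = m.groups()
            d.proxy_ids[side] = (addr, mask, int(proto), int(port))
        m = RE_MAP_MATCH.search(line)
        if m:
            d.crypto_map, d.crypto_map_seq = m.group(1), int(m.group(2))
        if "All IPSec SA proposals found unacceptable" in line:
            d.phase2_rejected = True
        m = RE_TEARDOWN.search(line)
        if m:
            d.teardown_reason = m.group(1)
    return d


if __name__ == "__main__":
    result = diagnose(SAMPLE_LOG)
    print(f"peer {result.peer}, IKE entry {result.ike_policy_entry}, "
          f"proxy IDs {result.proxy_ids}")
    print(result.verdict())
```

Run it as-is to get the verdict for the excerpt, or feed it a fresh capture after each configuration change so that a remaining mismatch is attributed to the right stage. One further point the posted configuration raises: it negotiates Phase 1 in aggressive mode with a pre-shared key, and aggressive mode sends the peer identity and the PSK-derived authentication hash before encryption is established, so where both ends support it, main mode is the safer choice for a static site-to-site peer.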

 

2 Replies

jumukhi
Level 1

Hi Stephane,

I can see that there is a phase-2 mismatch based on the debugs:

Jan 14 10:43:13 [IKEv1]Group = 164.177.14.50, IP = 164.177.14.50, All IPSec SA proposals found unacceptable!
Jan 14 10:43:13 [IKEv1]Group = 164.177.14.50, IP = 164.177.14.50, Removing peer from correlator table failed, no match!
Jan 14 10:43:13 [IKEv1]Group = 164.177.14.50, IP = 164.177.14.50, Session is being torn down. Reason: Phase 2 Mismatch

Can you let me know the phase-2 policies from the remote end?

Thanks,

Juhi

Now it's OK, I removed my configuration and recreated it.

Finally, I had an error with the lifetime.

Thanks.

Stephane