Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
21575
Views
0
Helpful
10
Replies

Received Invalid Cookie message for non-existent SA and Information Exchange processing failed

ribin.jones
Level 1
Level 1

‎01-10-2011 02:59 PM

Hi,

I was trying to set up VPN between our two offices. One office has an ASA 5520 with ios ver 8.3 and the other office has a sonicwall. Below is the logs I receive in my ASA:

[IKEv1]: IP = a.b.c.d, Received Invalid Cookie message for non-existent SA
Jan 11 04:16:18 [IKEv1]: Group = a.b.c.d, IP = a.b.c.d, Information Exchange processing failed

Any idea what is wrong with my config?

- Ribin

Labels:
0 Helpful
10 Replies 10

rahgovin
Level 4
Level 4

‎01-10-2011 03:12 PM

Please post theentire  debug crypto isakmp 127 and debug cry ips 127 from the ASA if possible.

Also can you check if the "crypto isakmp identity" is set to address.

0 Helpful

ribin.jones
Level 1
Level 1
In response to rahgovin

‎01-10-2011 03:19 PM

Find the attached debug.

Also, in my sh run I see the line "crypto isakmp identity hostname". I used wizard for vpn confgn.

- Ribin

Preview file
16 KB
0 Helpful

ribin.jones
Level 1
Level 1
In response to ribin.jones

‎01-10-2011 03:48 PM

I gave isakmp identity address and now vpn is shown up on both ASA and sonicwall, but I can only ping from network behind ASA (192.168.40.0/24) to network behind sonicwall (192.168.1.0/24) not viceversa.ie, I am not able to ping 192.168.40.0 network from behind sonicwall. What could be the issue?

- Ribin

0 Helpful

ribin.jones
Level 1
Level 1
In response to ribin.jones

‎01-10-2011 04:16 PM

Any help ??

- Ribin

0 Helpful

rahgovin
Level 4
Level 4
In response to ribin.jones

‎01-10-2011 07:15 PM

When you ping from Sonicwall to ASA, do you see the packets decapsulated increasing? You can see the show crypto ipsec sa counters on the ASA to see that? Also make sure that the nat rules are right on the ASA.

0 Helpful

ribin.jones
Level 1
Level 1
In response to rahgovin

‎01-11-2011 06:39 AM

Rahul,

show crypto ipsec sa counters command is not working in my ASA. But from ASDM I  suppose the packet hits is increasing (find the attachment).

Also, how can I make sure that my NAT rules are right?

- Ribin

Preview file
63 KB
0 Helpful

ribin.jones
Level 1
Level 1
In response to ribin.jones

‎01-11-2011 06:43 AM

Find the attached NAT exception rule for this particular vpn. My other vpn's also has the same problemng- i can ping destination networks, but my network is not ping ing from there.

- Ribin

Preview file
38 KB
0 Helpful

rahgovin
Level 4
Level 4
In response to ribin.jones

‎01-11-2011 08:55 AM

What server are you trying to ping from there? Can you ping the same host from your ASA itself? Also try some other traffic apart from ping and test.

0 Helpful

ribin.jones
Level 1
Level 1
In response to rahgovin

‎01-11-2011 08:18 PM

A correction to my previous post...I am able to ping my hosts and server through another vpn. The issue is with the vpn between asa and sonicwall alone. I tried ping/rdp and http.

- Ribin

0 Helpful

rahgovin
Level 4
Level 4
In response to ribin.jones

‎01-12-2011 09:25 AM

Are you using ASA code 8.3.x? If so please follow the nat exemtpion according to this document.

https://supportforums.cisco.com/docs/DOC-11639

0 Helpful
Customers Also Viewed These Support Documents