
Received Invalid Cookie message for non-existent SA and Information Exchange processing failed

ribin.jones
Level 1

Hi,

I was trying to set up a VPN between our two offices. One office has an ASA 5520 with ios ver 8.3 and the other office has a sonicwall. Below are the logs I receive in my ASA:

[IKEv1]: IP = a.b.c.d, Received Invalid Cookie message for non-existent SA
Jan 11 04:16:18 [IKEv1]: Group = a.b.c.d, IP = a.b.c.d, Information Exchange processing failed

Any idea what is wrong with my config?

- Ribin

10 Replies

rahgovin
Level 4

Please post the entire debug crypto isakmp 127 and debug cry ips 127 from the ASA if possible.

Also can you check if the "crypto isakmp identity" is set to address.

Find the attached debug.

Also, in my sh run I see the line "crypto isakmp identity hostname". I used the wizard for the VPN configuration.

- Ribin

I gave isakmp identity address and now the VPN is shown as up on both the ASA and the sonicwall, but I can only ping from the network behind the ASA (192.168.40.0/24) to the network behind the sonicwall (192.168.1.0/24), not vice versa, i.e., I am not able to ping the 192.168.40.0 network from behind the sonicwall. What could be the issue?

- Ribin

Any help ??

- Ribin

When you ping from the Sonicwall to the ASA, do you see the packets decapsulated increasing? You can check the show crypto ipsec sa counters on the ASA to see that. Also make sure that the NAT rules are right on the ASA.

Rahul,

The show crypto ipsec sa counters command is not working on my ASA. But from ASDM I suppose the packet hits are increasing (find the attachment).

Also, how can I make sure that my NAT rules are right?

- Ribin

Find the attached NAT exception rule for this particular VPN. My other VPNs also have the same problem: I can ping the destination networks, but my network cannot be pinged from there.

- Ribin

What server are you trying to ping from there? Can you ping the same host from your ASA itself? Also try some other traffic apart from ping and test.

A correction to my previous post... I am able to ping my hosts and server through another VPN. The issue is with the VPN between the ASA and the sonicwall alone. I tried ping/rdp and http.

- Ribin

Are you using ASA code 8.3.x? If so, please follow the NAT exemption according to this document.

https://supportforums.cisco.com/docs/DOC-11639
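
As an added illustration (not posted by anyone in this thread, and not taken from the linked document): ASA 8.3 replaced the older `nat 0` access-list exemption with object-based identity NAT, so the two settings discussed above would take roughly this form for the subnets named in the thread. The interface names `inside` and `outside` and the object names are assumptions.

```cisco
! Assumption: "inside" faces 192.168.40.0/24, "outside" faces the SonicWall peer.
! Object names below are hypothetical.
!
! Send the interface address as the IKE identity rather than the hostname,
! which is the change that brought the tunnel up in this thread.
crypto isakmp identity address
!
! One network object per side of the tunnel.
object network OBJ-ASA-LAN
 subnet 192.168.40.0 255.255.255.0
object network OBJ-SONICWALL-LAN
 subnet 192.168.1.0 255.255.255.0
!
! Identity NAT (source and destination both mapped to themselves) so traffic
! between the two LANs is not translated in either direction.
nat (inside,outside) source static OBJ-ASA-LAN OBJ-ASA-LAN destination static OBJ-SONICWALL-LAN OBJ-SONICWALL-LAN
```

On the ASA, `show crypto ipsec sa peer a.b.c.d` lists `#pkts encaps` and `#pkts decaps` for the tunnel, and `show nat detail` shows hit counts per NAT rule, which helps confirm whether return traffic matches the exemption.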