Received ISAKMP Aggressive Mode message 1 with unknown tunnel group name 'id@domain.com'

born.jason
Level 1

Hi

I am trying to establish a site-to-site tunnel between a UMTS router and an ASA 5505. The ASA has a static outside IP, the UMTS router a dynamic one. I have set up a connection profile on the ASA without IP, transform set, ...

If I now try to set up the site-to-site tunnel, the following appears in the ASDM log:

IP = <umts public ip>, Received ISAKMP Aggressive Mode message 1 with unknown tunnel group name 'id@domain.com'

On the UMTS router I can set up a remote ID and a local ID, but on the ASA I have not found this option. Any suggestions?

Which outputs do you need?

Regards

Jason

4 Replies

lginod
Level 1

Hello Jason,

Can you please attach the "sh run crypto" and "sh run tunnel-group" output from the ASA?

Also check on the UMTS router whether the VPN mode is aggressive instead of main mode.

Sent from Cisco Technical Support iPhone App

OK, here it is:

sh run crypto:

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set umts1_set esp-aes esp-sha-hmac
crypto ipsec transform-set umts2_set esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map cisco 1 match address outside_cryptomap_10.1
crypto dynamic-map cisco 1 set transform-set umts1_set
crypto dynamic-map cisco 1 set reverse-route
crypto dynamic-map cisco 2 match address outside_cryptomap_10.2
crypto dynamic-map cisco 2 set transform-set umts2_set
crypto dynamic-map cisco 2 set reverse-route
crypto dynamic-map a@domain.com 1 match address outside_cryptomap
crypto dynamic-map a@domain.com 1 set pfs
crypto dynamic-map a@domain.com 1 set transform-set umts1_set
crypto dynamic-map a@domain.com 1 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map dyn-map 1 ipsec-isakmp dynamic a@domain.com
crypto map dyn-map 10 ipsec-isakmp dynamic cisco
crypto map dyn-map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map dyn-map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

On the other side there is an entry called b@domain.com, and this entry appears in the ASDM log.

sh run tunnel-group:

tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *****
tunnel-group client_vpn type remote-access
tunnel-group client_vpn general-attributes
 address-pool VPNPOOL
 default-group-policy client_vpn
tunnel-group client_vpn ipsec-attributes
 pre-shared-key *****
tunnel-group a@domain.com type ipsec-l2l
tunnel-group a@domain.com ipsec-attributes
 pre-shared-key *****
 peer-id-validate nocheck
 isakmp keepalive disable

One question: normally it should work without a connection profile, shouldn't it?

Any suggestions?

1. By UMTS router, do you mean a router of a different brand, or is it a Cisco router that supports UMTS?

2. What was the reference to "on the other side there is an entry with b@domain.com"? Is there a dynamic crypto map on the other side?

3. Is there a hostname-based peer set on the router? Like using a hostname in the peer IP field instead of an IP.

Sent from Cisco Technical Support iPhone App
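The log line in this thread says it directly: in aggressive mode the ASA takes the IKE identity the peer sends in message 1 and looks it up as a tunnel-group name, and "unknown tunnel group name" means no tunnel-group with exactly that name exists. The dynamic crypto map name is only a label and plays no part in that lookup. The script below is an added example (not code from the thread or from Cisco) that turns this into a repeatable check: it parses ASDM/syslog lines in the format quoted above, parses "sh run tunnel-group" output, and reports every rejected ID together with the ipsec-l2l tunnel-group names that are actually configured, so a name mismatch such as b@domain.com sent versus a@domain.com configured is visible at a glance. The sample log lines and the peer addresses 203.0.113.5 and 198.51.100.7 are constructed; the tunnel-group sample mirrors the configuration posted in the thread.

```python
import re
from typing import Dict, List

# Constructed sample log lines in the format quoted in the thread (no real peers).
SAMPLE_LOG = """\
IP = 203.0.113.5, Received ISAKMP Aggressive Mode message 1 with unknown tunnel group name  'b@domain.com'
IP = 203.0.113.5, Received ISAKMP Aggressive Mode message 1 with unknown tunnel group name  'b@domain.com'
IP = 198.51.100.7, Received ISAKMP Aggressive Mode message 1 with unknown tunnel group name 'c@domain.com'
"""

# Mirrors the "sh run tunnel-group" output posted in the thread (keys masked).
SAMPLE_TUNNEL_GROUP_CONFIG = """\
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *****
tunnel-group client_vpn type remote-access
tunnel-group client_vpn general-attributes
 address-pool VPNPOOL
 default-group-policy client_vpn
tunnel-group client_vpn ipsec-attributes
 pre-shared-key *****
tunnel-group a@domain.com type ipsec-l2l
tunnel-group a@domain.com ipsec-attributes
 pre-shared-key *****
 peer-id-validate nocheck
 isakmp keepalive disable
"""

# The ASA prints one or more spaces before the quoted ID, so match \s+.
LOG_RE = re.compile(
    r"IP = (?P<ip>[0-9.]+), Received ISAKMP Aggressive Mode message 1 "
    r"with unknown tunnel group name\s+'(?P<name>[^']+)'"
)
TYPE_RE = re.compile(r"^tunnel-group (?P<name>\S+) type (?P<type>\S+)", re.M)
ANY_RE = re.compile(r"^tunnel-group (?P<name>\S+)", re.M)


def configured_tunnel_groups(config: str) -> Dict[str, str]:
    """Map tunnel-group name -> type. Built-in groups such as DefaultL2LGroup
    have no 'type' line, so they are recorded with the pseudo-type 'default'."""
    groups = {m.group("name"): m.group("type") for m in TYPE_RE.finditer(config)}
    for m in ANY_RE.finditer(config):
        groups.setdefault(m.group("name"), "default")
    return groups


def unknown_group_events(log: str) -> List[Dict[str, str]]:
    """Extract (peer IP, rejected IKE ID) pairs from the log text."""
    return [m.groupdict() for m in LOG_RE.finditer(log)]


def diagnose(log: str, config: str) -> Dict[str, dict]:
    """Per rejected IKE ID: which peers sent it, how often, whether a
    tunnel-group of that name now exists, and the configured L2L names."""
    groups = configured_tunnel_groups(config)
    l2l_names = sorted(n for n, t in groups.items() if t == "ipsec-l2l")
    report: Dict[str, dict] = {}
    for ev in unknown_group_events(log):
        entry = report.setdefault(ev["name"], {
            "peers": set(),
            "count": 0,
            "configured_now": ev["name"] in groups,
            "configured_l2l": l2l_names,
        })
        entry["peers"].add(ev["ip"])
        entry["count"] += 1
    return report


def suggested_fix(ike_id: str) -> List[str]:
    """ASA CLI lines that create an L2L tunnel-group whose name equals the
    ID the peer sends (same shape as the a@domain.com group in the thread).
    The pre-shared key is a placeholder to be replaced by the administrator."""
    return [
        f"tunnel-group {ike_id} type ipsec-l2l",
        f"tunnel-group {ike_id} ipsec-attributes",
        " pre-shared-key <REPLACE-WITH-SHARED-KEY>",
    ]


if __name__ == "__main__":
    for ike_id, info in diagnose(SAMPLE_LOG, SAMPLE_TUNNEL_GROUP_CONFIG).items():
        print(f"ID {ike_id!r} rejected {info['count']}x from {sorted(info['peers'])}; "
              f"configured L2L groups: {info['configured_l2l']}")
        if not info["configured_now"]:
            print("\n".join(suggested_fix(ike_id)))
```

Run it against a saved log and the real "sh run tunnel-group" output; after adding a tunnel-group, rerun it and "configured_now" flips to True for that ID, which confirms the name (including case and domain part) is exactly what the peer sends. The same regexes work for an ASDM export or a syslog collector feed, since only the message text is matched.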