1709 Views, 0 Helpful, 18 Replies

Site 2 site VPN Tunnel not coming UP on the ASA Firewall

saroj pradhan
Level 1

Hello Team,

When I run a packet-tracer it shows allow for everything, but I am unable to ping the remote device.

It also shows one error, nat-xlate-failed. Please find the details and help.


axletech# packet-tracer input inside icmp 10.0.64.36 8 0 10.0.128.11

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         via 49.248.250.97, outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_2 any any
object-group protocol DM_INLINE_PROTOCOL_2
 protocol-object ip
 protocol-object icmp
Additional Information:

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
object network Inside-Network
 nat (inside,outside) dynamic interface
Additional Information:
Dynamic translate 10.0.64.36/0 to 49.248.250.98/14631

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_out out interface outside
access-list outside_access_out extended permit object-group DM_INLINE_PROTOCOL_4 any any
object-group protocol DM_INLINE_PROTOCOL_4
 protocol-object ip
 protocol-object icmp
Additional Information:

Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 69276, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

axletech# packet-tracer input inside icmp 10.0.64.36 0 0 10.0.128.11

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         via 49.248.250.97, outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_2 any any
object-group protocol DM_INLINE_PROTOCOL_2
 protocol-object ip
 protocol-object icmp
Additional Information:

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
object network Inside-Network
 nat (inside,outside) dynamic interface
Additional Information:

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (nat-xlate-failed) NAT failed


18 Replies

Mister861
Level 1

Please check your NAT statements, the NAT to the S2S VPN network should be first before the NAT dynamic all rule.

Please share your config.

Hello,

When I run the packet capture I get the following error. Please help.

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (nat-xlate-failed) NAT failed


I still need your config before I (and the rest) can say something useful...

Please find the config of the ASA. I need your help.

Can you turn these around? So object network VPN on top:

object network Inside-Network
 nat (inside,outside) dynamic interface
object network VPN
 nat (inside,outside) dynamic interface

I have removed the first one and only the second one exists. Please find the debug message.


ERROR: % Incomplete command
axletech# Nov 19 20:10:43 [IKEv1]IP = 63.124.2.202, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 236
Nov 19 20:10:43 [IKEv1 DEBUG]IP = 63.124.2.202, processing SA payload
Nov 19 20:10:43 [IKEv1]IP = 63.124.2.202, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 128
Nov 19 20:10:43 [IKEv1 DEBUG]IP = 63.124.2.202, All SA proposals found unacceptable
Nov 19 20:10:43 [IKEv1]IP = 63.124.2.202, Error processing payload: Payload ID: 1
Nov 19 20:10:43 [IKEv1 DEBUG]IP = 63.124.2.202, IKE MM Responder FSM error history (struct &0x00007fffa1e5ee60)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_START, EV_RCV_MSG-->MM_START, EV_START_MM-->MM_START, EV_START_MM-->MM_START, EV_START_MM-->MM_START, EV_START_MM-->MM_START, EV_START_MM-->MM_START, EV_START_MM
Nov 19 20:10:43 [IKEv1 DEBUG]IP = 63.124.2.202, IKE SA MM:9f1ca80f terminating:  flags 0x01000002, refcnt 0, tuncnt 0
Nov 19 20:10:43 [IKEv1 DEBUG]IP = 63.124.2.202, sending delete/delete with reason message


regards,

Saroj


I see a mismatch in phase 1 proposals:

Nov 19 20:10:43 [IKEv1 DEBUG]IP = 63.124.2.202, All SA proposals found unacceptable

Can you check if the proposals on both the sides match?

Hello,

The DH group was configured as 2 at the remote end and 5 at the local end. Now both are in the same DH group. That issue is resolved, but the tunnel is still down.

Please help.

Hi Saroj,

Can you provide the output of packet-tracer again? I want to make sure that this traffic is hitting the VPN.

Also enable conditional crypto debugs on the box and paste the outputs that you are getting.

lab1(config)# no logging console
lab1(config)# logging buffered debugging
lab1# debug crypto condition peer 63.124.2.202
lab1# debug crypto isakmp 127
lab1# debug crypto ipsec 127

regards

Eric

Hello,

The tunnel is up, but I am unable to ping the remote VPN end IP address.

Regards,

Saroj

Hi

First of all you need to remove your access-lists that you have attached to your interfaces. You are making your firewall worthless by having them.

clear configure access-group

Then you would need to do an identity NAT so that your traffic crossing the tunnel isn't NATed. The problem is that with your crypto map you tunnel everything, even traffic to Google etc. Is this what you want?

If so:

nat (inside,outside) source static VPN VPN
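A worked NAT layout for the ordering problem raised in the first reply and the identity-NAT suggestion just above, written here as an added example rather than the poster's actual config. The object names Inside-Network and VPN come from the thread; the subnet masks and the Remote-Network object are assumptions.

```cisco
! Added example, not the poster's config. Object names come from the thread;
! the /24 subnets and the Remote-Network object are assumed for illustration.
object network Inside-Network
 subnet 10.0.64.0 255.255.255.0
 nat (inside,outside) dynamic interface
object network Remote-Network
 subnet 10.0.128.0 255.255.255.0

! Manual (twice) NAT lives in Section 1 of the ASA NAT table and is evaluated
! before object NAT in Section 2, so this identity rule wins for traffic to the
! remote site regardless of where the dynamic PAT rule sits in the config.
! no-proxy-arp: do not answer ARP on outside for the untranslated addresses.
! route-lookup: choose the egress interface from the routing table, not the rule.
nat (inside,outside) source static Inside-Network Inside-Network destination static Remote-Network Remote-Network no-proxy-arp route-lookup

! Variant for the plan described later in the thread (all traffic, Internet
! included, goes through the tunnel): omit the destination clause so every flow
! from the inside network is exempt from PAT. The dynamic rule above then never
! matches, and the remote end has to provide the Internet NAT.
! nat (inside,outside) source static Inside-Network Inside-Network
```

To confirm the change, rerun `packet-tracer input inside icmp 10.0.64.36 8 0 10.0.128.11`: the NAT phase should now reference the identity rule instead of `Dynamic translate 10.0.64.36/0 to 49.248.250.98/14631`, and a VPN phase (Type: VPN, Subtype: encrypt) should appear before FLOW-CREATION.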

Now the VPN tunnel is up and I am able to ping the remote device. But the users are unable to access the Internet. The plan is that users will access the Internet through the VPN tunnel.

Regards,

SarojP

What is the peer device to which you are building the VPN tunnel?

Is it also a cisco ASA?

No, it is a Palo Alto Networks PA-2020.

Regards,

Saroj P