Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1561
Views
0
Helpful
7
Replies

Site to Site ASA to Sonic Wall

burgessf
Level 1
Level 1

‎03-18-2013 01:30 PM

Currently, my ASA can send packets to the SonicWall VPN.  But when SW attempts to respond in phase 2, they get an error "NO_PROPOSAL_CHOSEN".  Our settings appear to be identical.  Any ideas?

Labels:
0 Helpful
7 Replies 7

Javier Portuguez
Level 9
Level 9

‎03-18-2013 01:33 PM

Hi

It looks like any of the following parameters does not match:

1- Transform-set.

2- PFS.

3- Crypto ACL.

Please attach the following log output:

     debug crypto ipsec 190

HTH.

Portu.

0 Helpful

burgessf
Level 1
Level 1
In response to Javier Portuguez

‎03-18-2013 01:47 PM

Mar 18 2013 16:34:53: %ASA-5-713904: IP = 204.11.46.228, Received encrypted packet with no matching SA, dropping

Mar 18 2013 16:34:53: %ASA-5-713904: IP = 204.11.46.228, Received encrypted packet with no matching SA, droppingMar 18 2013 16:34:53: %ASA-5-713904: IP = 204.11.46.228, Received encrypted packet with no matching SA, dropping
Mar 18 2013 16:34:53: %ASA-5-713904: IP = 204.11.46.228, Received encrypted packet with no matching SA, dropping

0 Helpful

burgessf
Level 1
Level 1
In response to burgessf

‎03-18-2013 01:48 PM

Sorry...the prior post shows the output of the debug.

0 Helpful

Javier Portuguez
Level 9
Level 9
In response to burgessf

‎03-18-2013 09:51 PM

Those logs are not helpful.

Try this instead:

     debug crypto isakmp 190

     debug crypto ipsec 190

Thanks.

Portu.

0 Helpful

burgessf
Level 1
Level 1
In response to Javier Portuguez

‎03-19-2013 05:41 AM

I am not viewing/recording the debug information properly.  I enter the debug commands and then enter sh logs.  apparrently this is the wrong command to view the debugs.

What command should I use?

0 Helpful

Javier Portuguez
Level 9
Level 9
In response to burgessf

‎03-19-2013 06:16 AM

Hi,

Try with "terminal monitor", to disable it "terminal no monitor".

Thanks.

0 Helpful

burgessf
Level 1
Level 1
In response to Javier Portuguez

‎03-20-2013 06:59 AM

Thank you,

           

Mar 20 2013 09:56:14: %ASA-5-713904: IP = 204.11.46.228, Received encrypted packet with no matching SA, dropping

Mar 20 2013 09:56:15: %ASA-5-713904: IP = 204.11.46.228, Received encrypted packet with no matching SA, dropping

Mar 20 2013 09:56:31: %ASA-5-713904: IP = 204.11.46.228, Received encrypted packet with no matching SA, dropping

Mar 20 2013 09:56:32: %ASA-5-713904: IP = 204.11.46.228, Received encrypted packet with no matching SA, dropping

Mar 20 2013 09:56:55: %ASA-5-111008: User 'burgesfl' executed the 'terminal no monitor' command.

Mar 20 2013 09:56:55: %ASA-5-111010: User 'burgesfl', running 'CLI' from IP 10.55.6.5, executed 'terminal no monitor'

Mar 20 2013 09:57:00: %ASA-5-111008: User 'burgesfl' executed the 'debug crypto ipsec 190' command.

Mar 20 2013 09:57:00: %ASA-5-111010: User 'burgesfl', running 'CLI' from IP 10.55.6.5, executed 'debug crypto ipsec 190'

Mar 20 2013 09:57:05: %ASA-5-111008: User 'burgesfl' executed the 'terminal monitor' command.

Mar 20 2013 09:57:05: %ASA-5-111010: User 'burgesfl', running 'CLI' from IP 10.55.6.5, executed 'terminal monitor'

VPN#

Similar output each time for both commands.

0 Helpful
Customers Also Viewed These Support Documents