01-24-2014 11:26 AM
Hello everyone,
Trying to set up a site-to-site VPN tunnel for a new building.
At our central site we have KSIASA01, which has been running as a remote access VPN server with a static IP address, no NAT.
At our new site we have KSIASA03, brand new ASA, outside address is DHCP, no NAT.
Attempts to build a tunnel are failing with "received non-routine Notify message: No proposal chosen." ISAKMP policies look like they match, but I'm thinking there's something involving the remote access VPN setup on KSIASA01 that is confusing things. Not sure what, though.
I have attached sanitized configs for both ASAs. Also, a debug from KSIASA03 taken as I tried to send traffic from that site to the central site. Thanks in advance for your help!
01-24-2014 02:26 PM
Hi,
I tried to go through your config and it seems that the hosts or lists of addresses are not the same in the crypto maps.
On ksiasa01 you are using outside_cryptomap_20.100, and for this you are using the following rule:
access-list outside_cryptomap_20.100 extended permit ip object-group Plant1-Plant2-MOS Plant3 255.255.240.0
Please notice that in Plant1-Plant2-MOS you have many more networks (about 8 subnets) included than on ksiasa03 (just 3 subnets).
Also, for ksiasa03 you have two access lists for outside_1_cryptomap. One permits ip and the second permits icmp.
So probably this does not match on both sides and IPsec will not form.
Regards,
Jan
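The mismatch Jan describes (crypto ACLs that are not mirror images, including a protocol that only one side lists) can be checked mechanically before the tunnel is brought up. The script below is an added example, not code from the thread or from Cisco: it parses the small subset of ASA syntax needed here (object-group network definitions and extended access-list lines), expands each crypto ACL into (protocol, source, destination) flows, and reports which flows the peer does not mirror. The two config snippets, the object-group names and the 10.x.0.0 subnets are constructed for the example and do not reflect the poster's real configs.

```python
"""Check that two ASA crypto ACLs are exact mirrors of each other.

For a site-to-site tunnel, every (protocol, local, remote) flow that one ASA's
crypto ACL selects must appear on the peer as (protocol, remote, local), with
the same object-group contents on both sides. Anything left over is a phase 2
selector mismatch, which the ASA reports as "No proposal chosen".
"""
import ipaddress

# Constructed sample configs in ASA syntax (not the poster's real configs).
SITE_A_CFG = """
object-group network Plant1-Plant2-MOS
 network-object 10.1.0.0 255.255.0.0
 network-object 10.2.0.0 255.255.0.0
 network-object 10.9.0.0 255.255.0.0
object-group network Plant3
 network-object 10.3.0.0 255.255.240.0
access-list outside_cryptomap_20.100 extended permit ip object-group Plant1-Plant2-MOS object-group Plant3
"""

SITE_B_CFG = """
object-group network Plant3
 network-object 10.3.0.0 255.255.240.0
object-group network Central
 network-object 10.1.0.0 255.255.0.0
 network-object 10.2.0.0 255.255.0.0
access-list outside_1_cryptomap extended permit ip object-group Plant3 object-group Central
access-list outside_1_cryptomap extended permit icmp object-group Plant3 object-group Central
"""


def _endpoint(tokens):
    """Consume one ACL endpoint (any | host A | object-group G | A MASK)."""
    if tokens[0] in ("any", "any4"):
        return ("any",), tokens[1:]
    if tokens[0] in ("host", "object-group"):
        return (tokens[0], tokens[1]), tokens[2:]
    return ("net", tokens[0], tokens[1]), tokens[2:]


def parse_asa(text):
    """Return (object_groups, acls) for the ASA subset used in the samples."""
    groups, acls, current = {}, {}, None
    for raw in text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        if parts[:2] == ["object-group", "network"]:
            current = parts[2]
            groups[current] = []
        elif parts[0] == "network-object" and current is not None:
            if parts[1] == "host":
                groups[current].append(ipaddress.ip_network(parts[2]))
            else:  # "network-object ADDR MASK"
                groups[current].append(ipaddress.ip_network(f"{parts[1]}/{parts[2]}"))
        elif parts[0] == "access-list":
            current = None
            # access-list NAME extended permit PROTO SRC DST
            name, proto, rest = parts[1], parts[4], parts[5:]
            src, rest = _endpoint(rest)
            dst, rest = _endpoint(rest)
            acls.setdefault(name, []).append((proto, src, dst))
    return groups, acls


def expand(spec, groups):
    """Turn an endpoint spec into the list of networks it covers."""
    if spec[0] == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    if spec[0] == "host":
        return [ipaddress.ip_network(spec[1])]
    if spec[0] == "object-group":
        return groups[spec[1]]
    return [ipaddress.ip_network(f"{spec[1]}/{spec[2]}")]


def crypto_flows(text, acl_name):
    """Set of (proto, src, dst) flows selected by the named crypto ACL."""
    groups, acls = parse_asa(text)
    flows = set()
    for proto, src, dst in acls.get(acl_name, []):
        for s in expand(src, groups):
            for d in expand(dst, groups):
                flows.add((proto, str(s), str(d)))
    return flows


def mirror_mismatch(flows_a, flows_b):
    """Return (flows on A that B does not mirror, flows on B that A does not mirror)."""
    mirror_of_b = {(p, d, s) for p, s, d in flows_b}
    mirror_of_a = {(p, d, s) for p, s, d in flows_a}
    return sorted(flows_a - mirror_of_b), sorted(flows_b - mirror_of_a)


if __name__ == "__main__":
    a = crypto_flows(SITE_A_CFG, "outside_cryptomap_20.100")
    b = crypto_flows(SITE_B_CFG, "outside_1_cryptomap")
    only_a, only_b = mirror_mismatch(a, b)
    print("Selected on site A but not mirrored on site B:", only_a)
    print("Selected on site B but not mirrored on site A:", only_b)
```

Run against the samples, it flags the extra 10.9.0.0/16 subnet that only site A's object-group contains and the icmp entry that only site B's crypto ACL carries, which is exactly the pair of problems raised in the reply above; an empty result on both lists is what you want to see before looking for the cause elsewhere.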
01-24-2014 03:22 PM
Hi Jan,
Thanks for the tip. I changed the network group Plant1-Plant2-MOS on ksiasa01 to match the one on ksiasa03. Also, I removed the ACL for icmp on outside_1_cryptomap. Still no luck, unfortunately.