site-to-site between 2 ASA 5505s: "received non-routine Notify message: No proposal chosen"

jeffrsonk
Level 1

Hello everyone,

Trying to set up a site-to-site VPN tunnel for a new building.

At our central site we have KSIASA01, which has been running as a remote access VPN server with a static IP address, no NAT.

At our new site we have KSIASA03, brand new ASA, outside address is DHCP, no NAT.

Attempts to build a tunnel are failing with "received non-routine Notify message: No proposal chosen." ISAKMP policies look like they match, but I'm thinking there's something involving the remote access VPN setup on KSIASA01 that is confusing things. Not sure what, though.

I have attached sanitized configs for both ASAs. Also, a debug from KSIASA03 taken as I tried to send traffic from that site to the central site. Thanks in advance for your help!

2 Replies

Jan Rolny
Level 3

Hi,

I tried to go through your config and it seems that the hosts or lists of addresses are not the same in the crypto maps.

On ksiasa01 you are using outside_cryptomap_20.100 and for this you are using the following rule:

access-list outside_cryptomap_20.100 extended permit ip object-group Plant1-Plant2-MOS Plant3 255.255.240.0

Please notice that in Plant1-Plant2-MOS you have many more networks (about 8 subnets) included than on ksiasa03 (just 3 subnets).

Also for ksiasa03 you have two access lists for outside_1_cryptomap. One permits ip and the second permits icmp.

So probably this does not match on both sides and IPsec will not form.

Regards,

Jan
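The mismatch Jan describes (one side's crypto ACL expanding to more source/destination pairs than the peer's, plus an extra icmp ACE) can be checked mechanically before bringing the tunnel up. The script below is an added example and is not part of this thread or its attached configs: the two ASA snippets are constructed placeholders with made-up subnets and object-group names, and the parser only understands `object-group network` blocks with `network-object` entries and ACEs whose operands are `object-group NAME`, `host A.B.C.D`, `any`, or `NET MASK` (no ASA `names`, nested groups, or port operands). It expands each side's crypto ACL into (protocol, local, remote) tuples, mirrors the peer's tuples, and reports what each side proposes that the other does not, along with any ACE whose protocol is not plain `ip`, since each such ACE yields its own proposal that the peer must also mirror.

```python
"""Check that two ASA crypto-map ACLs describe mirror-image encryption domains.

Added example for this thread; the configs below are constructed samples,
not the poster's attached configs.
"""
import ipaddress
import re

# Constructed sample: central site (ksiasa01-like) with one extra subnet in its group.
SITE_A_CONFIG = """
object-group network Plant1-Plant2-MOS
 network-object 10.1.0.0 255.255.255.0
 network-object 10.2.0.0 255.255.255.0
 network-object 10.3.0.0 255.255.255.0
 network-object 10.4.0.0 255.255.255.0
access-list outside_cryptomap_20.100 extended permit ip object-group Plant1-Plant2-MOS 10.16.0.0 255.255.240.0
"""

# Constructed sample: remote site (ksiasa03-like) with only three subnets and a stray icmp ACE.
SITE_B_CONFIG = """
object-group network CentralNets
 network-object 10.1.0.0 255.255.255.0
 network-object 10.2.0.0 255.255.255.0
 network-object 10.3.0.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.16.0.0 255.255.240.0 object-group CentralNets
access-list outside_1_cryptomap extended permit icmp 10.16.0.0 255.255.240.0 object-group CentralNets
"""

# Constructed sample: the remote side after both of Jan's suggested fixes.
FIXED_SITE_B_CONFIG = """
object-group network CentralNets
 network-object 10.1.0.0 255.255.255.0
 network-object 10.2.0.0 255.255.255.0
 network-object 10.3.0.0 255.255.255.0
 network-object 10.4.0.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.16.0.0 255.255.240.0 object-group CentralNets
"""


def parse_object_groups(config):
    """Map each 'object-group network' name to its list of ip_network objects."""
    groups, current = {}, None
    for line in config.splitlines():
        m = re.match(r"object-group network (\S+)", line)
        if m:
            current = m.group(1)
            groups[current] = []
        elif current and (m := re.match(r"\s+network-object (\S+) (\S+)", line)):
            kind, arg = m.groups()
            # 'network-object host A.B.C.D' vs 'network-object NET MASK'
            net = f"{arg}/32" if kind == "host" else f"{kind}/{arg}"
            groups[current].append(ipaddress.ip_network(net))
        elif line and not line.startswith(" "):
            current = None  # any other top-level command ends the group
    return groups


def _take_address(tokens, i, groups):
    """Consume one ASA address operand at tokens[i]; return (networks, next_index)."""
    if tokens[i] == "object-group":
        return groups[tokens[i + 1]], i + 2
    if tokens[i] == "host":
        return [ipaddress.ip_network(f"{tokens[i + 1]}/32")], i + 2
    if tokens[i] in ("any", "any4"):
        return [ipaddress.ip_network("0.0.0.0/0")], i + 1
    return [ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}")], i + 2


def crypto_domain(config, acl_name):
    """Expand every permit ACE of acl_name into (protocol, local_net, remote_net) tuples."""
    groups = parse_object_groups(config)
    domain = set()
    pattern = rf"access-list {re.escape(acl_name)} extended permit (\S+) (.+)"
    for line in config.splitlines():
        m = re.match(pattern, line)
        if not m:
            continue
        proto, tokens = m.group(1), m.group(2).split()
        sources, i = _take_address(tokens, 0, groups)
        dests, _ = _take_address(tokens, i, groups)
        for s in sources:
            for d in dests:
                domain.add((proto, s, d))
    return domain


def compare_crypto_acls(config_a, acl_a, config_b, acl_b):
    """Report tuples one side proposes that the peer does not mirror, and non-ip ACEs."""
    a = crypto_domain(config_a, acl_a)
    # The peer's ACL must be the mirror image: its remote is our local and vice versa.
    b_mirrored = {(proto, dst, src) for proto, src, dst in crypto_domain(config_b, acl_b)}
    return {
        "only_on_a": a - b_mirrored,
        "only_on_b": b_mirrored - a,
        "non_ip_aces": {t for t in a | b_mirrored if t[0] != "ip"},
    }


if __name__ == "__main__":
    for label, cfg_b in (("before fix", SITE_B_CONFIG), ("after fix", FIXED_SITE_B_CONFIG)):
        report = compare_crypto_acls(SITE_A_CONFIG, "outside_cryptomap_20.100", cfg_b, "outside_1_cryptomap")
        print(label, {k: sorted(map(str, v)) for k, v in report.items()})
```

Run against the "before fix" pair it lists the fourth subnet only the central side proposes and the three icmp-specific pairs only the remote side proposes; against the "after fix" pair every set is empty, which is the state both crypto ACLs need to be in before the proposal comparison during phase 2 can succeed.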

Hi Jan,

Thanks for the tip. I changed the network group Plant1-Plant2-MOS on ksiasa01 to match the one on ksiasa03. Also, I removed the ACL for icmp on outside_1_cryptomap. Still no luck, unfortunately.