06-29-2012 06:49 AM
I am trying to set up a tunnel between an ASA and PIX but I am having a few challenges.
On the ASA Side
Jun 29 08:09:44 [IKEv1]: Group = 190.213.57.203, IP = 190.213.57.203, QM FSM error (P2 struct &0xc9309260, mess id 0x7e79b74e)!
Jun 29 08:09:44 [IKEv1]: Group = 190.213.57.203, IP = 190.213.57.203, Removing peer from correlator table failed, no match!
Jun 29 08:09:44 [IKEv1]: Group = 190.213.57.203, IP = 190.213.57.203, Session is being torn down. Reason: Phase 2 Mismatch
On the PIX Side
ISAKMP (0): Total payload length: 37
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:63.143.77.114, dest:190.213.57.203 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): processing vendor id payload
ISAKMP (0): remote peer supports dead peer detection
ISAKMP (0): SA has been authenticated
ISAKMP (0): beginning Quick Mode exchange, M-ID of -813626169:cf810cc7IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0xbb1797c2(3138885570) for SA
from 63.143.77.114 to 190.213.57.203 for prot 3
return status is IKMP_NO_ERROR
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending NOTIFY message 24578 protocol 1
VPN Peer: ISAKMP: Added new peer: ip:63.143.77.114/500 Total VPN Peers:2
VPN Peer: ISAKMP: Peer ip:63.143.77.114/500 Ref cnt incremented to:1 Total VPN Peers:2
crypto_isakmp_process_block:src:63.143.77.114, dest:190.213.57.203 spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 14 protocol 3
spi 0, message ID = 2038434904
return status is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block:src:63.143.77.114, dest:190.213.57.203 spt:500 dpt:500
ISAKMP (0): processing DELETE payload. message ID = 1798094647, spi size = 16
ISAKMP (0): deleting SA: src 190.213.57.203, dst 63.143.77.114
return status is IKMP_NO_ERR_NO_TRANS
ISADB: reaper checking SA 0x11fa6fc, conn_id = 0
ISADB: reaper checking SA 0x121ac3c, conn_id = 0 DELETE IT!
VPN Peer: ISAKMP: Peer ip:63.143.77.114/500 Ref cnt decremented to:0 Total VPN Peers:2
VPN Peer: ISAKMP: Deleted peer: ip:63.143.77.114/500 Total VPN peers:1IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with 63.143.77.114
ASA Configuration
ASA Version 8.2(5)
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.102.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 63.143.77.114 255.255.255.252
!
ftp mode passive
clock timezone EST -5
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
domain-name lexlocal
object-group service DM_INLINE_SERVICE_3
service-object tcp eq https
service-object tcp eq telnet
service-object icmp
service-object tcp-udp eq www
service-object udp
object-group service DM_INLINE_SERVICE_5
service-object udp
service-object tcp
service-object tcp-udp eq www
service-object tcp eq www
service-object udp eq www
service-object icmp
object-group service DM_INLINE_SERVICE_8
service-object tcp eq https
service-object tcp-udp eq www
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object udp
protocol-object tcp
object-group service DM_INLINE_SERVICE_4
service-object tcp-udp eq www
service-object tcp eq https
service-object tcp eq smtp
service-object udp eq snmp
service-object ip
service-object icmp
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object ip
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_3
protocol-object ip
protocol-object udp
protocol-object tcp
access-list inside_nat0_outbound extended permit ip any VPN_Access 255.255.255.240
access-list inside_nat0_outbound extended permit ip 192.168.102.0 255.255.255.0 Barbado-Internal 255.255.255.0
access-list inside_nat0_outbound extended permit ip any VPN_Access 255.255.255.192
access-list inside_nat0_outbound extended permit ip 192.168.102.0 255.255.255.0 JA_Office_Internal 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.102.0 255.255.255.0 P.O.S_Office_internal 255.255.255.0
access-list outside_authentication extended permit object-group DM_INLINE_PROTOCOL_3 any any inactive
access-list inside_access_in extended permit ip any any inactive
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_5 host Jeremy any
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_3 192.168.102.0 255.255.255.0 any
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 192.168.102.0 255.255.255.0 192.168.102.0 255.255.255.0
access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_2 host Jeremy interface outside inactive
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_4 any interface outside
access-list outside_access_in extended permit ip Barbado-Internal 255.255.255.0 192.168.102.0 255.255.255.0
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_8 any interface outside inactive
access-list outside_access_in extended permit ip JA_Office_Internal 255.255.255.0 JA_Office_Internal 255.255.255.0
access-list outside_access_in extended permit ip P.O.S_Office_internal 255.255.255.0 P.O.S_Office_internal 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.102.0 255.255.255.0 Barbado-Internal 255.255.255.0
access-list outside_2_cryptomap extended permit ip 192.168.102.0 255.255.255.0 JA_Office_Internal 255.255.255.0
access-list outside_3_cryptomap extended permit ip 192.168.102.0 255.255.255.0 P.O.S_Office_internal 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool Remote_Users 192.168.200.1-192.168.200.10 mask 255.255.255.0
ip local pool VPN_IPs 192.168.200.25-192.168.200.50 mask 255.255.255.248
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 63.143.77.113 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication match outside_authentication outside LOCAL
http server enable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection timewait
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 200.50.87.198
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer 66.54.113.191
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map 3 match address outside_3_cryptomap
crypto map outside_map 3 set pfs
crypto map outside_map 3 set peer 190.213.57.203
crypto map outside_map 3 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 50
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp disconnect-notify
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.102.30-192.168.102.50 inside
dhcpd dns 66.54.116.4 66.54.116.5 interface inside
dhcpd enable inside
!
dhcpd dns 66.54.116.4 66.54.116.5 interface outside
!
threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
enable outside
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
vpn-tunnel-protocol svc
default-domain value lexlocal
webvpn
svc keepalive none
group-policy DefaultRAGroup_1 internal
group-policy DefaultRAGroup_1 attributes
vpn-tunnel-protocol l2tp-ipsec
default-domain value lexlocal
webvpn
svc keepalive none
group-policy VPN_Tunnel_Client internal
group-policy VPN_Tunnel_Client attributes
dns-server value 192.168.102.1
vpn-tunnel-protocol IPSec l2tp-ipsec svc
default-domain value lexlocal
username VPN_Connect password 6f7B+J8S2ADfQF4a/CJfvQ== nt-encrypted
username VPN_Connect attributes
service-type nas-prompt
username xxxxex password iFxSRrE9uIWAFjJE encrypted
tunnel-group DefaultRAGroup general-attributes
address-pool Remote_Users
address-pool VPN_IPs
default-group-policy DefaultRAGroup_1
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *****
tunnel-group 200.50.87.198 type ipsec-l2l
tunnel-group 200.50.87.198 ipsec-attributes
pre-shared-key *****
tunnel-group VPN_Tunnel_Client type remote-access
tunnel-group VPN_Tunnel_Client general-attributes
address-pool Remote_Users
default-group-policy VPN_Tunnel_Client
tunnel-group VPN_Tunnel_Client ipsec-attributes
pre-shared-key *****
tunnel-group 66.54.113.191 type ipsec-l2l
tunnel-group 66.54.113.191 ipsec-attributes
pre-shared-key *****
tunnel-group 190.213.57.203 type ipsec-l2l
tunnel-group 190.213.57.203 ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
PIX Configuration
name 192.168.1.3 lexmailserver
name 192.168.1.120 Lextt-SF
name 192.168.1.6 Lextt-ms
name 192.168.100.0 Barbados
name 192.168.102.0 Data_Center_Internal
access-list outside_access_in permit tcp any interface outside eq smtp
access-list outside_access_in permit tcp any interface outside eq www
access-list outside_access_in permit tcp any interface outside eq https
access-list inside_outbound_nat0_acl permit ip any 192.168.2.0 255.255.255.224
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 Barbado
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 Data_Ce
access-list outside_cryptomap_20 permit ip 192.168.1.0 255.255.255.0 Barbados 25
access-list outside_cryptomap_40 permit ip 192.168.1.0 255.255.255.0 Data_Center
pager lines 24
logging on
logging buffered debugging
logging trap informational
logging host outside 190.213.57.203
mtu outside 1500
mtu inside 1500
ip address outside 190.213.57.203 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
ip local pool vpn_pool 192.168.2.0-192.168.2.20
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
pdm location lexmailserver 255.255.255.255 outside
pdm location Lextt-ms 255.255.255.255 outside
pdm location 192.168.2.0 255.255.255.224 outside
pdm location 200.50.87.198 255.255.255.255 outside
pdm location Barbados 255.255.255.0 inside
pdm location Lextt-SF 255.255.255.255 inside
pdm location Barbados 255.255.255.0 outside
pdm location Lextt-ms 255.255.255.255 inside
pdm location Data_Center_Internal 255.255.255.0 outside
pdm logging alerts 100
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 192.168.1.0 255.255.255.0 0 0
static (inside,outside) tcp interface smtp Lextt-SF smtp netmask 255.255.255.255
static (inside,outside) tcp interface www Lextt-ms www netmask 255.255.255.255 0
static (inside,outside) tcp interface https Lextt-ms https netmask 255.255.255.2
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 190.213.73.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http Barbados 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 200.50.87.198
crypto map outside_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 40 ipsec-isakmp
crypto map outside_map 40 match address outside_cryptomap_40
crypto map outside_map 40 set peer 63.143.77.114
crypto map outside_map 40 set transform-set ESP-DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 200.50.87.198 netmask 255.255.255.255
isakmp key ******** address 63.143.77.114 netmask 255.255.255.255
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet timeout 5
Solved! Go to Solution.
06-29-2012 08:23 AM
If you haven't already, you have to clear the Phase I SAs on both sides after you make a change to the map. Once the Phase I SA has been cleared, it will renegotiate and reset Phase II. If you've alerady done that, the only other thing I can think of is manually rekeying the pre-shared secrets on the tunnel-groups then clearing both the Phase I and Phase II SAs.
06-29-2012 07:10 AM
On the ASA:
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
What is this on the PIX? Did you hardset this on the ASA? Also, if you haven't already - try entering the pre-shared key on the tunnel groups again. I know this seems silly, but this has fixed many of my site-to-site issues.
06-29-2012 07:38 AM
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
I didnt hard set that
But I have another tunnel group up to a similar fw and it works fine.
06-29-2012 07:58 AM
I have seen where it caused issues when it was hard set on one end but not the other end, but only once and it was an ASA and non Cisco product peering.
Also, you have PFS set on the ASA side, I can't remember on the PIX - but I'm not even sure if it supports it? Try removing it from the ASA map.
06-29-2012 08:16 AM
Removed it from ASA, no Joy.
06-29-2012 08:23 AM
If you haven't already, you have to clear the Phase I SAs on both sides after you make a change to the map. Once the Phase I SA has been cleared, it will renegotiate and reset Phase II. If you've alerady done that, the only other thing I can think of is manually rekeying the pre-shared secrets on the tunnel-groups then clearing both the Phase I and Phase II SAs.
06-29-2012 08:45 PM
Thank you
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide