Site-to-site errors

chrisfore
Level 1

Thanks for any help. Our internet connection was moved to a new IP address by the provider and I cannot seem to get our site-to-site VPN back up. I continue to get the following from my ASA debug.

Mar 04 22:35:23 [IKEv1]IP = 207.177.XX, Connection landed on tunnel_group 207.177.XX
Mar 04 22:35:23 [IKEv1]Group = 207.177.XXX, IP = 207.177.XX, PHASE 1 COMPLETED
Mar 04 22:35:23 [IKEv1]Group = 207.177.XX, IP = 207.177.XX, All IPSec SA proposals found unacceptable!
Mar 04 22:35:23 [IKEv1]Group = 207.177.XX, IP = 207.177.XX, QM FSM error (P2 struct &0x00007fff2f5844c0, mess id 0xceaeff)!
Mar 04 22:35:23 [IKEv1]Group = 207.177.XX, IP = 207.177.XX, Removing peer from correlator table failed, no match!
Mar 04 22:35:23 [IKEv1]Group = 207.177.XX, IP = 207.177.XX, Session is being torn down. Reason: Phase 2 Mismatch
Mar 04 22:35:24 [IKEv1]IP = 207.177.XXX, Received encrypted packet with no matching SA, dropping

My relevant configs from my ASA and Cisco 891W are below.

ASA

----------------------------------------------------------------------

ASA Version 8.6(1)2

access-list outside_cryptomap extended permit ip 10.40.0.0 255.255.0.0 object-group DM_INLINE_NETWORK_1 
access-list outside_cryptomap_2 extended permit ip any object XXX-range 
nat (inside,outside) source static any any destination static obj-10.40.224.0 obj-10.40.224.0 route-lookup
nat (inside,any) source static XXX_TO_NOC XXX_TO_NOC destination static NOC2 NOC2
nat (inside,any) source static XXX_TO_NOC XXX_TO_NOC destination static NOC1 NOC1
route outside 0.0.0.0 0.0.0.0 71.6.XXX 1
route inside net_10_0_0_0-8 255.0.0.0 10.40.0.9 1
route inside 0.0.0.0 0.0.0.0 10.40.0.9 tunneled
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac 
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec ikev1 transform-set esp-des esp-3des esp-md5-hmac 
crypto ipsec ikev1 transform-set test esp-aes esp-sha-hmac 
crypto ipsec ikev1 transform-set test mode transport
crypto ipsec ikev1 transform-set XXX esp-aes-256 esp-md5-hmac 
crypto ipsec ikev1 transform-set XXX mode transport
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association replay window-size 128
crypto ipsec df-bit clear-df inside
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-256-SHA
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route
crypto map outside_map 1 match address outside_cryptomap_2
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 207.XXX
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5 hollister
crypto map outside_map 5 match address outside_cryptomap
crypto map outside_map 5 set pfs 
crypto map outside_map 5 set peer 204.XXX 
crypto map outside_map 5 set ikev1 transform-set ESP-AES-256-SHA ESP-AES-128-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp nat-traversal 21
crypto ikev1 enable outside
crypto ikev1 ipsec-over-tcp port 10000 
crypto ikev1 policy 1
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 2
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400

ROUTER

------------------------------------------------------------

crypto isakmp policy 20
 encr aes
 authentication pre-share
 group 2
crypto isakmp key XX address 71.XX
!
!
crypto ipsec transform-set vpn_trans esp-3des esp-sha-hmac
 mode transport
!
crypto map vpn_map 10 ipsec-isakmp
 set peer 71.XX
 set security-association lifetime seconds 43200
 set transform-set vpn_trans
 match address 101

interface GigabitEthernet0
 description $OUTSIDE$
 bandwidth 4000
 ip address 207.XXX 255.255.255.0
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map vpn_map

ip nat inside source list 102 interface GigabitEthernet0 overload
ip route 0.0.0.0 0.0.0.0 207.XXX

access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.112.10.0 0.0.0.255
access-list 101 permit ip 10.112.10.0 0.0.0.255 10.11.0.0 0.0.255.255
access-list 101 permit ip 10.112.10.0 0.0.0.255 10.40.0.0 0.0.255.255
access-list 101 permit ip 10.112.10.0 0.0.0.255 10.50.0.0 0.0.255.255
access-list 101 permit ip 10.112.10.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 102 deny   ip 10.112.10.0 0.0.0.255 10.11.0.0 0.0.255.255
access-list 102 deny   ip 10.112.10.0 0.0.0.255 10.40.0.0 0.0.255.255
access-list 102 deny   ip 10.112.10.0 0.0.0.255 10.50.0.0 0.0.255.255
access-list 102 deny   ip 10.112.10.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 102 permit ip 10.112.10.0 0.0.0.255 any

The debug is not very helpful, except I notice on the ASA that the IP address in the ID_IPV4_SUBNET ID received initially is from 10.112.10.0/24, but a few lines later in the phase 1/2 negotiation the ASA sees the address as ID_IPV4_SUBNET ID 10.0.0.0/8, which is not correct.

Also, in the debug on the ASA, the traffic from the 10.112.10.0 network is not hitting the crypto map check for ACL seq 1 or 5... I think this traffic should be hitting seq 1.

Thanks!

Accepted Solution

rizwanr74
Level 7

Hi there,

Your router's config looks fine, but your ASA tunnel config NAT exemption is messed up. Here is the fix.

Step 1:
object-group network My-Router-lan
 network-object 10.112.10.0 255.255.255.0

Step 2:
object-group network My-local-lan
 network-object 10.11.0.0 255.255.0.0
 network-object 10.40.0.0 255.255.0.0
 network-object 10.50.0.0 255.255.0.0
 network-object 10.0.0.0 255.0.0.0


Step 3:
access-list outside_cryptomap_2 extended permit ip object-group My-local-lan object-group My-Router-lan
Step 4:
no access-list outside_cryptomap_2 extended permit ip any object XXX-range 

Step 5:
nat (inside,any) source static My-local-lan My-local-lan destination static My-Router-lan My-Router-lan

Step 6:
route outside 10.112.10.0 255.255.255.0 71.xxx.xxx.xxx.xxx

71.xxx.xxx.xxx.xxx is the same next hop as the default route on your ASA, pointing to the ISP's address.

- - - - - - - - - - - - - - - - - - - - - - - - - - 

If these NATs are related to the tunnel going to the router, please remove them as well.

nat (inside,outside) source static any any destination static obj-10.40.224.0 obj-10.40.224.0 route-lookup
nat (inside,any) source static XXX_TO_NOC XXX_TO_NOC destination static NOC2 NOC2
nat (inside,any) source static XXX_TO_NOC XXX_TO_NOC destination static NOC1 NOC1

- - - - - - - - - - - - - - - - - - - - - - - - - - 

Let me know, if this helps.

Thanks

Rizwan Rafeek
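
As an added example, not from the thread, here is a small Python check that the ASA's crypto ACL is the exact mirror of the router's ACL 101, which is the proxy-ID condition a "Phase 2 Mismatch" like the one in the debug points at. The router ACL is taken from the post; the ASA's redacted object XXX-range is assumed to be 10.112.10.0/24.

```python
import ipaddress
from typing import List, Set, Tuple

Pair = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network]

# Constructed sample input: the router's crypto ACL from the post (IOS wildcard masks).
ROUTER_ACL_101 = """\
access-list 101 permit ip 10.112.10.0 0.0.0.255 10.11.0.0 0.0.255.255
access-list 101 permit ip 10.112.10.0 0.0.0.255 10.40.0.0 0.0.255.255
access-list 101 permit ip 10.112.10.0 0.0.0.255 10.50.0.0 0.0.255.255
access-list 101 permit ip 10.112.10.0 0.0.0.255 10.0.0.0 0.255.255.255
"""

def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """IOS wildcard bits are the inverse of the subnet mask: 0.0.255.255 -> /16."""
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return ipaddress.IPv4Network(f"{addr}/{ipaddress.IPv4Address(mask)}", strict=False)

def parse_ios_crypto_acl(text: str) -> Set[Pair]:
    """Return the (local, remote) proxy-ID pairs the router will propose in quick mode."""
    pairs: Set[Pair] = set()
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 8 and f[0] == "access-list" and f[2:4] == ["permit", "ip"]:
            pairs.add((wildcard_to_network(f[4], f[5]), wildcard_to_network(f[6], f[7])))
    return pairs

def expand_asa_object_groups(local: List[str], remote: List[str]) -> Set[Pair]:
    """'permit ip object-group A object-group B' means every member of A to every member of B."""
    return {(ipaddress.IPv4Network(a), ipaddress.IPv4Network(b)) for a in local for b in remote}

def check_proxy_ids(router_pairs: Set[Pair], asa_pairs: Set[Pair]):
    """Each ASA selector must be the exact mirror (remote, local) of a router selector.
    Returns (pairs the ASA lacks, pairs the ASA has that the router never proposes)."""
    expected = {(remote, local) for local, remote in router_pairs}
    return expected - asa_pairs, asa_pairs - expected

# Object groups from the accepted answer, in netmask/prefix form.
ASA_FIXED = expand_asa_object_groups(
    ["10.11.0.0/16", "10.40.0.0/16", "10.50.0.0/16", "10.0.0.0/8"], ["10.112.10.0/24"])
# Original ASA line 'permit ip any object XXX-range'; XXX-range assumed to be 10.112.10.0/24.
ASA_ORIGINAL = expand_asa_object_groups(["0.0.0.0/0"], ["10.112.10.0/24"])

if __name__ == "__main__":
    router = parse_ios_crypto_acl(ROUTER_ACL_101)
    for label, asa in (("original", ASA_ORIGINAL), ("fixed", ASA_FIXED)):
        missing, extra = check_proxy_ids(router, asa)
        print(f"{label}: missing on ASA={sorted(map(str, missing))}, extra on ASA={sorted(map(str, extra))}")
```

The original ACL reports four missing selectors and one extra one (any -> 10.112.10.0/24), while the object-group version reports none.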


3 Replies

Thanks for the help. I will try it.

Step 3: should say "object-group" instead of object right? and 

Thanks again!

Thanks for the help. The tunnels are up and working.