Site to site IPSec SA proposals found unacceptable

vamos_fernholz
Beginner

I'm trying to build a site to site VPN between a TP-Link TL-R600VPN and an ASA 5512 running ASA 9.6(2) and ASDM 7.6(2)150.

I managed to complete phase 1 successfully. Phase 2 fails due to "All IPSec SA proposals found unacceptable!" The error occurs no matter what IKE Policy I set on the TP-Link. I tried AUTO, MD5 AES, SHA AES. I accept all possible proposals on the ASA.

Here is a part of my log:

|Nov 23 2016|10:28:42|713906|||||Ignoring msg to mark SA with dsID 3858432 dead because SA deleted
4|Nov 23 2016|10:28:42|113019|||||Group = AA.AA.AA.AA, Username = AA.AA.AA.AA, IP = AA.AA.AA.AA, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:00m:01s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch
5|Nov 23 2016|10:28:42|713259|||||Group = AA.AA.AA.AA, IP = AA.AA.AA.AA, Session is being torn down. Reason: Phase 2 Mismatch
7|Nov 23 2016|10:28:42|713236|||||IP = AA.AA.AA.AA, IKE_DECODE SENDING Message (msgid=c65444ac) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 76
7|Nov 23 2016|10:28:42|715046|||||Group = AA.AA.AA.AA, IP = AA.AA.AA.AA, constructing qm hash payload
7|Nov 23 2016|10:28:42|715046|||||Group = AA.AA.AA.AA, IP = AA.AA.AA.AA, constructing IKE delete payload
7|Nov 23 2016|10:28:42|715046|||||Group = AA.AA.AA.AA, IP = AA.AA.AA.AA, constructing blank hash payload
7|Nov 23 2016|10:28:42|713906|||||Group = AA.AA.AA.AA, IP = AA.AA.AA.AA, sending delete/delete with reason message
7|Nov 23 2016|10:28:42|713906|||||Group = AA.AA.AA.AA, IP = AA.AA.AA.AA, IKE SA MM:425778ef terminating: flags 0x01000002, refcnt 0, tuncnt 0
7|Nov 23 2016|10:28:42|713906|||||Group = AA.AA.AA.AA, IP = AA.AA.AA.AA, Remove from IKEv1 MIB Table succeeded for SA with logical ID 3858432
7|Nov 23 2016|10:28:42|713906|||||Group = AA.AA.AA.AA, IP = AA.AA.AA.AA, Remove from IKEv1 Tunnel Table succeeded for SA with logicalId 3858432
7|Nov 23 2016|10:28:42|713906|||||Group = AA.AA.AA.AA, IP = AA.AA.AA.AA, IKE SA MM:425778ef rcv'd Terminate: state MM_ACTIVE flags 0x00000042, refcnt 1, tuncnt 0
3|Nov 23 2016|10:28:42|713902|||||Group = AA.AA.AA.AA, IP = AA.AA.AA.AA, Removing peer from correlator table failed, no match!
7|Nov 23 2016|10:28:42|713906|||||Group = AA.AA.AA.AA, IP = AA.AA.AA.AA, sending delete/delete with reason message
7|Nov 23 2016|10:28:42|715065|||||Group = AA.AA.AA.AA, IP = AA.AA.AA.AA, IKE QM Responder FSM error history (struct &0x00002aaac2f07fe0) <state>, <event>: QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_NEGO_SA-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH
3|Nov 23 2016|10:28:42|713902|||||Group = AA.AA.AA.AA, IP = AA.AA.AA.AA, QM FSM error (P2 struct &0x00002aaac2f07fe0, mess id 0x8e60d51d)!
7|Nov 23 2016|10:28:42|713236|||||IP = AA.AA.AA.AA, IKE_DECODE SENDING Message (msgid=7827f8c1) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80
7|Nov 23 2016|10:28:42|715046|||||Group = AA.AA.AA.AA, IP = AA.AA.AA.AA, constructing qm hash payload
7|Nov 23 2016|10:28:42|713906|||||Group = AA.AA.AA.AA, IP = AA.AA.AA.AA, constructing ipsec notify payload for msg id 8e60d51d
7|Nov 23 2016|10:28:42|715046|||||Group = AA.AA.AA.AA, IP = AA.AA.AA.AA, constructing blank hash payload
7|Nov 23 2016|10:28:42|713906|||||Group = AA.AA.AA.AA, IP = AA.AA.AA.AA, sending notify message
5|Nov 23 2016|10:28:42|713904|||||Group = AA.AA.AA.AA, IP = AA.AA.AA.AA, All IPSec SA proposals found unacceptable!
7|Nov 23 2016|10:28:42|715047|||||Group = AA.AA.AA.AA, IP = AA.AA.AA.AA, processing IPSec SA payload
7|Nov 23 2016|10:28:42|713066|||||Group = AA.AA.AA.AA, IP = AA.AA.AA.AA, IKE Remote Peer configured for crypto map: htp_map
7|Nov 23 2016|10:28:42|713225|||||Group = AA.AA.AA.AA, IP = AA.AA.AA.AA, Static Crypto Map check, map htp_map, seq = 1 is a successful match
7|Nov 23 2016|10:28:42|713221|||||Group = AA.AA.AA.AA, IP = AA.AA.AA.AA, Static Crypto Map check, checking map = htp_map, seq = 1...
7|Nov 23 2016|10:28:42|713906|||||Group = AA.AA.AA.AA, IP = AA.AA.AA.AA, QM IsRekeyed old sa not found by addr
7|Nov 23 2016|10:28:42|713034|||||Group = AA.AA.AA.AA, IP = AA.AA.AA.AA, Received local IP Proxy Subnet data in ID Payload: Address 192.168.2.0, Mask 255.255.255.0, Protocol 0, Port 0
7|Nov 23 2016|10:28:42|714011|||||Group = AA.AA.AA.AA, IP = AA.AA.AA.AA, ID_IPV4_ADDR_SUBNET ID received--192.168.2.0--255.255.255.0
7|Nov 23 2016|10:28:42|715047|||||Group = AA.AA.AA.AA, IP = AA.AA.AA.AA, processing ID payload
7|Nov 23 2016|10:28:42|713035|||||Group = AA.AA.AA.AA, IP = AA.AA.AA.AA, Received remote IP Proxy Subnet data in ID Payload: Address 192.168.0.0, Mask 255.255.255.0, Protocol 0, Port 0
7|Nov 23 2016|10:28:42|714011|||||Group = AA.AA.AA.AA, IP = AA.AA.AA.AA, ID_IPV4_ADDR_SUBNET ID received--192.168.0.0--255.255.255.0
7|Nov 23 2016|10:28:42|715047|||||Group = AA.AA.AA.AA, IP = AA.AA.AA.AA, processing ID payload
7|Nov 23 2016|10:28:42|713906|||||Group = AA.AA.AA.AA, IP = AA.AA.AA.AA, processing ISA_KE for PFS in phase 2
7|Nov 23 2016|10:28:42|715047|||||Group = AA.AA.AA.AA, IP = AA.AA.AA.AA, processing ke payload
7|Nov 23 2016|10:28:42|715047|||||Group = AA.AA.AA.AA, IP = AA.AA.AA.AA, processing nonce payload
7|Nov 23 2016|10:28:42|715047|||||Group = AA.AA.AA.AA, IP = AA.AA.AA.AA, processing SA payload
7|Nov 23 2016|10:28:42|715047|||||Group = AA.AA.AA.AA, IP = AA.AA.AA.AA, processing hash payload
7|Nov 23 2016|10:28:42|713236|||||IP = AA.AA.AA.AA, IKE_DECODE RECEIVED Message (msgid=8e60d51d) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + KE (4) + ID (5) + ID (5) + NONE (0) total length : 292
7|Nov 23 2016|10:28:42|714003|||||IP = AA.AA.AA.AA, IKE Responder starting QM: msg id = 8e60d51d
7|Nov 23 2016|10:28:42|713906|||||IKE Receiver: Packet received on BB.BB.BB.BB:500 from AA.AA.AA.AA:500
7|Nov 23 2016|10:28:41|713906|||||Group = AA.AA.AA.AA, IP = AA.AA.AA.AA, Add to IKEv1 MIB Table succeeded for SA with logical ID 3858432
7|Nov 23 2016|10:28:41|713906|||||Group = AA.AA.AA.AA, IP = AA.AA.AA.AA, Add to IKEv1 Tunnel Table succeeded for SA with logical ID 3858432
7|Nov 23 2016|10:28:41|715080|||||Group = AA.AA.AA.AA, IP = AA.AA.AA.AA, Starting P1 rekey timer: 64800 seconds.
7|Nov 23 2016|10:28:41|713121|||||IP = AA.AA.AA.AA, Keep-alive type for this connection: DPD
5|Nov 23 2016|10:28:41|713119|||||Group = AA.AA.AA.AA, IP = AA.AA.AA.AA, PHASE 1 COMPLETED
6|Nov 23 2016|10:28:41|113009|||||AAA retrieved default group policy (GroupPolicy_AA.AA.AA.AA) for user = AA.AA.AA.AA
7|Nov 23 2016|10:28:41|713236|||||IP = AA.AA.AA.AA, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + VENDOR (13) + NONE (0) total length : 80
7|Nov 23 2016|10:28:41|715046|||||Group = AA.AA.AA.AA, IP = AA.AA.AA.AA, constructing dpd vid payload
7|Nov 23 2016|10:28:41|715076|||||Group = AA.AA.AA.AA, IP = AA.AA.AA.AA, Computing hash for ISAKMP
7|Nov 23 2016|10:28:41|715046|||||Group = AA.AA.AA.AA, IP = AA.AA.AA.AA, constructing hash payload
7|Nov 23 2016|10:28:41|715046|||||Group = AA.AA.AA.AA, IP = AA.AA.AA.AA, constructing ID payload
7|Nov 23 2016|10:28:41|713906|||||IP = AA.AA.AA.AA, Connection landed on tunnel_group AA.AA.AA.AA
7|Nov 23 2016|10:28:41|715076|||||Group = AA.AA.AA.AA, IP = AA.AA.AA.AA, Computing hash for ISAKMP
7|Nov 23 2016|10:28:41|715047|||||Group = AA.AA.AA.AA, IP = AA.AA.AA.AA, processing hash payload
7|Nov 23 2016|10:28:41|714011|||||Group = AA.AA.AA.AA, IP = AA.AA.AA.AA, ID_IPV4_ADDR ID received
7|Nov 23 2016|10:28:41|715047|||||Group = AA.AA.AA.AA, IP = AA.AA.AA.AA, processing ID payload
7|Nov 23 2016|10:28:41|713236|||||IP = AA.AA.AA.AA, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 60
7|Nov 23 2016|10:28:41|713906|||||IKE Receiver: Packet received on BB.BB.BB.BB:500 from AA.AA.AA.AA:500
7|Nov 23 2016|10:28:41|713236|||||IP = AA.AA.AA.AA, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256
7|Nov 23 2016|10:28:41|713906|||||Group = AA.AA.AA.AA, IP = AA.AA.AA.AA, Generating keys for Responder...
7|Nov 23 2016|10:28:41|713906|||||IP = AA.AA.AA.AA, Connection landed on tunnel_group AA.AA.AA.AA
7|Nov 23 2016|10:28:41|715048|||||IP = AA.AA.AA.AA, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
7|Nov 23 2016|10:28:41|715046|||||IP = AA.AA.AA.AA, constructing VID payload
7|Nov 23 2016|10:28:41|715038|||||IP = AA.AA.AA.AA, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
7|Nov 23 2016|10:28:41|715048|||||IP = AA.AA.AA.AA, Send IOS VID
7|Nov 23 2016|10:28:41|715046|||||IP = AA.AA.AA.AA, constructing xauth V6 VID payload
7|Nov 23 2016|10:28:41|715046|||||IP = AA.AA.AA.AA, constructing Cisco Unity VID payload
7|Nov 23 2016|10:28:41|715046|||||IP = AA.AA.AA.AA, constructing nonce payload
7|Nov 23 2016|10:28:41|715046|||||IP = AA.AA.AA.AA, constructing ke payload
7|Nov 23 2016|10:28:41|715047|||||IP = AA.AA.AA.AA, processing nonce payload
7|Nov 23 2016|10:28:41|715047|||||IP = AA.AA.AA.AA, processing ISA_KE payload
7|Nov 23 2016|10:28:41|715047|||||IP = AA.AA.AA.AA, processing ke payload
7|Nov 23 2016|10:28:41|713236|||||IP = AA.AA.AA.AA, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NONE (0) total length : 180
7|Nov 23 2016|10:28:41|713906|||||IKE Receiver: Packet received on BB.BB.BB.BB:500 from AA.AA.AA.AA:500
7|Nov 23 2016|10:28:40|713236|||||IP = AA.AA.AA.AA, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 112
7|Nov 23 2016|10:28:40|715046|||||IP = AA.AA.AA.AA, constructing Fragmentation VID + extended capabilities payload
7|Nov 23 2016|10:28:40|713906|||||IP = AA.AA.AA.AA, NAT-T disabled in crypto map htp_map 1.
7|Nov 23 2016|10:28:40|715046|||||IP = AA.AA.AA.AA, constructing ISAKMP SA payload
7|Nov 23 2016|10:28:40|715028|||||IP = AA.AA.AA.AA, IKE SA Proposal # 1, Transform # 1 acceptable Matches global IKE entry # 12
7|Nov 23 2016|10:28:40|715047|||||IP = AA.AA.AA.AA, processing IKE SA payload
7|Nov 23 2016|10:28:40|715049|||||IP = AA.AA.AA.AA, Received DPD VID
7|Nov 23 2016|10:28:40|715047|||||IP = AA.AA.AA.AA, processing VID payload
7|Nov 23 2016|10:28:40|715047|||||IP = AA.AA.AA.AA, processing VID payload

AA.AA.AA.AA is the TP-Link (local network 192.168.0.0), BB.BB.BB.BB is the external interface of the ASA (local network 192.168.2.0). 
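As an added example (not from the post), a small Python triage helper for the ASDM-style log layout quoted above: it splits the severity|date|time|message-id fields, restores chronological order (ASDM exports newest first) and pulls out the phase 1 result, the proxy identities the peer sent, the NAT-T state of the crypto map and the phase 2 outcome, keyed on the ASA message IDs that appear in the post. The sample lines are constructed from the post.

```python
import re
from typing import Dict, List, Optional

# Constructed sample in the ASDM export layout seen in the post
# (severity|date|time|message-id|||||text), newest line first.
SAMPLE_LOG = """\
5|Nov 23 2016|10:28:42|713904|||||Group = AA.AA.AA.AA, IP = AA.AA.AA.AA, All IPSec SA proposals found unacceptable!
7|Nov 23 2016|10:28:42|713034|||||Group = AA.AA.AA.AA, IP = AA.AA.AA.AA, Received local IP Proxy Subnet data in ID Payload: Address 192.168.2.0, Mask 255.255.255.0, Protocol 0, Port 0
7|Nov 23 2016|10:28:42|713035|||||Group = AA.AA.AA.AA, IP = AA.AA.AA.AA, Received remote IP Proxy Subnet data in ID Payload: Address 192.168.0.0, Mask 255.255.255.0, Protocol 0, Port 0
5|Nov 23 2016|10:28:41|713119|||||Group = AA.AA.AA.AA, IP = AA.AA.AA.AA, PHASE 1 COMPLETED
7|Nov 23 2016|10:28:40|713906|||||IP = AA.AA.AA.AA, NAT-T disabled in crypto map htp_map 1.
"""

# Severity may be missing on a truncated line (the first line in the post has none).
LINE_RE = re.compile(r"^(\d?)\|([^|]+)\|([^|]+)\|(\d{6})\|+(.*)$")
PROXY_RE = re.compile(r"Address ([\d.]+), Mask ([\d.]+)")
NATT_RE = re.compile(r"NAT-T disabled in crypto map (.+?)\.?$")

def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one ASDM-style line into severity, timestamp, message id and text."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sev, date, time, msgid, text = m.groups()
    return {"sev": sev, "ts": f"{date} {time}", "id": msgid, "text": text}

def summarize(log: str) -> Dict[str, Optional[str]]:
    """Walk the log oldest-first and record the IKEv1 negotiation milestones by message id."""
    events: List[Dict[str, str]] = [e for e in (parse_line(l) for l in log.splitlines()) if e]
    events.reverse()  # ASDM shows newest first; process in chronological order
    state: Dict[str, Optional[str]] = {
        "phase1": None, "phase2": None, "local_proxy": None,
        "remote_proxy": None, "natt_disabled_map": None,
    }
    for ev in events:
        txt, mid = ev["text"], ev["id"]
        if mid == "713119":                      # PHASE 1 COMPLETED
            state["phase1"] = "completed"
        elif mid in ("713034", "713035"):        # proxy IDs carried in the peer's ID payloads
            m = PROXY_RE.search(txt)
            key = "local_proxy" if mid == "713034" else "remote_proxy"
            state[key] = f"{m.group(1)}/{m.group(2)}" if m else txt
        elif mid == "713904":                    # All IPSec SA proposals found unacceptable!
            state["phase2"] = "proposals unacceptable"
        elif mid == "713906":                    # generic debug text; look for the NAT-T note
            m = NATT_RE.search(txt)
            if m:
                state["natt_disabled_map"] = m.group(1)
    return state
```

The proxy identities reported here are what the peer actually proposed; comparing them against the crypto map ACL and transform set on the ASA side is the first check when phase 2 fails after a clean phase 1.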

2 Replies

JP Miranda Z
Cisco Employee

Hi vamos_fernholz,

There is definitely something the ASA is not liking:

Removing peer from correlator table failed, no match!

Is there any reason why NAT-T is disabled on the crypto map htp_map 1:

7|Nov 23 2016|10:28:40|713906|||||IP = AA.AA.AA.AA, NAT-T disabled in crypto map htp_map 1

Can you share a sanitized config of the ASA and maybe some config screenshots of the TP-Link?

Hope this info helps!!

Rate if helps you!! 

-JP-

I don't know what I did but the tunnel is now established. I enabled NAT-T, thanks, I missed that.
