04-22-2014 09:41 AM
Hello, I have a problem with the VPN connection between 2 ASA 5510s.
The log shows the following error:
Local:xx.xx.xx.xx 500 Remote:xx.xx.xx.xx:500 Username:Unknown Negotiation aborted due to ERROR: Failed to receive the AUTH msg before the timer expired |
Can someone help me with the problem?
04-22-2014 10:57 AM
Hi Oscar,
Could you please share some more information about the type of VPN you are using, i.e. site-to-site, IKEv1 remote access, IKEv2 or AnyConnect.
What code are you running on the ASA?
Is this a new setup or not? If not, then what were the changes that brought this error?
If it is a new configuration (site-to-site) and you are getting Username:Unknown, then it highlights that phase 1 is not completing properly. To make sure the phase 1 setup is correct, make sure that these policies match on both ends of the VPN tunnel:
1. Same ISAKMP policies
2. Correct IP address defined on both ends
3. Correct pre-shared key on both ends
4. Correct interesting traffic defined on both ends.
Vishnu
04-22-2014 11:20 AM
See the logs on ASDM; it seems that both peers are not able to authenticate each other. Also post the output of show crypto isakmp sa.
Debug crypto isakmp and generate interesting traffic to look for ISAKMP messages, to know up to which message ISAKMP is proceeding among the 6 messages of main mode.
"Please rate helpful posts"
04-23-2014 03:16 PM
Thanks, here are the statistics:
Result of the command: "show crypto isakmp"
There are no IKEv1 SAs
There are no IKEv2 SAs
Global IKEv1 Statistics
Active Tunnels: 0
Previous Tunnels: 0
In Octets: 0
In Packets: 0
In Drop Packets: 0
In Notifys: 0
In P2 Exchanges: 0
In P2 Exchange Invalids: 0
In P2 Exchange Rejects: 0
In P2 Sa Delete Requests: 0
Out Octets: 72576
Out Packets: 252
Out Drop Packets: 0
Out Notifys: 0
Out P2 Exchanges: 0
Out P2 Exchange Invalids: 0
Out P2 Exchange Rejects: 0
Out P2 Sa Delete Requests: 0
Initiator Tunnels: 63
Initiator Fails: 63
Responder Fails: 0
System Capacity Fails: 0
Auth Fails: 0
Decrypt Fails: 0
Hash Valid Fails: 0
No Sa Fails: 0
IKEV1 Call Admission Statistics
Max In-Negotiation SAs: 50
In-Negotiation SAs: 0
In-Negotiation SAs Highwater: 0
In-Negotiation SAs Rejected: 0
04-23-2014 03:44 PM
Please capture the output of the command "show crypto isakmp sa" when you initiate the traffic from one end, and capture the same command output on both devices. Share the output here.
At this moment, I see that phase 1 is completely down, so capturing this command's output did not help.
Vishnu
04-23-2014 04:16 PM
Result of the command: "show crypto isakmp sa"
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer:
Type : L2L Role : responder
Rekey : no State : AM_WAIT_MSG3
There are no IKEv2 SAs
Result of the command: "show crypto isakmp sa"
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer:
Type : user Role : initiator
Rekey : no State : AM_WAIT_MSG2
There are no IKEv2 SAs
04-23-2014 04:26 PM
There are two possibilities here.
1. Either the IP address is mentioned incorrectly, and this is why we see that the initiator is waiting for MSG_2 and the responder is waiting for MSG_3.
OR
2. Port UDP 500 is blocked somewhere in between these devices. It could be a device on your premises or at the ISP, but that device lies somewhere in between.
Please apply a capture on the outside interface and see if you are able to see outgoing and incoming packets.
Vishnu
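The state names in the two outputs above tell you which IKEv1 phase-1 message each side is still waiting for. The following script is an added example, not from this thread or from Cisco: it parses both peers' "show crypto isakmp sa" output (constructed samples modelled on the posted ones, with placeholder peer addresses) and reports which message was sent by one side but never processed by the other, and in which direction it travels, so you know which path or which peer's configuration to capture and check. It covers main mode's six messages as well as aggressive mode's three.

```python
import re
from typing import Optional

# Constructed sample outputs of "show crypto isakmp sa", modelled on the two posted above
# (peer addresses are documentation-range placeholders, not values from the thread).
INITIATOR_OUT = """IKEv1 SAs:
   Active SA: 1
Total IKE SA: 1
1   IKE Peer: 198.51.100.2
    Type    : user            Role    : initiator
    Rekey   : no              State   : AM_WAIT_MSG2
There are no IKEv2 SAs
"""
RESPONDER_OUT = """IKEv1 SAs:
   Active SA: 1
Total IKE SA: 1
1   IKE Peer: 203.0.113.7
    Type    : L2L             Role    : responder
    Rekey   : no              State   : AM_WAIT_MSG3
There are no IKEv2 SAs
"""

# Who sends each IKEv1 phase-1 message (RFC 2409): main mode (MM) has six messages,
# aggressive mode (AM) has three. MSG1 is always sent by the initiator.
SENDER = {"MM": {2: "responder", 3: "initiator", 4: "responder", 5: "initiator", 6: "responder"},
          "AM": {2: "responder", 3: "initiator"}}

# A peer in state MM_WAIT_MSGn / AM_WAIT_MSGn has processed every message before n.
STATE_RE = re.compile(r"Role\s*:\s*(\w+).*?State\s*:\s*(MM|AM)_WAIT_MSG(\d)", re.S)

def parse_peer(output: str) -> Optional[dict]:
    """Return role, mode and the message number the peer is waiting for, or None if no SA."""
    m = STATE_RE.search(output)
    if m is None:
        return None
    return {"role": m.group(1), "mode": m.group(2), "waiting_for": int(m.group(3))}

def diagnose(initiator_out: str, responder_out: str) -> dict:
    """Name the first phase-1 message that one side sent but the other never processed."""
    ini, rsp = parse_peer(initiator_out), parse_peer(responder_out)
    if ini is None:
        # No SA on the initiator at all: nothing was sent (check interesting traffic / crypto map).
        return {"mode": None, "stalled_msg": None, "direction": None}
    if rsp is None:
        stalled = 1  # responder never built an SA, so MSG1 never reached it (peer IP / UDP 500)
    else:
        stalled = min(ini["waiting_for"], rsp["waiting_for"])
    sender = "initiator" if stalled == 1 else SENDER[ini["mode"]][stalled]
    receiver = "responder" if sender == "initiator" else "initiator"
    return {"mode": ini["mode"], "stalled_msg": stalled, "direction": f"{sender} -> {receiver}"}

if __name__ == "__main__":
    print(diagnose(INITIATOR_OUT, RESPONDER_OUT))  # {'mode': 'AM', 'stalled_msg': 2, 'direction': 'responder -> initiator'}
```

For the outputs posted above this says MSG2 (responder to initiator) is the stalled message, which is why the capture on the outside interface should be read in that direction first.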
04-25-2014 09:02 AM
Hi, thanks vishnsha
I do see the connection being built on both ends, but the receiving ASA starts logging "duplicated packet detected. Ignoring packet." and at the end it tears down the connection.