Site-To-Site VPN ASA 5510

Oscar Madrigal
Level 1

Hello, I have a problem with a VPN connection between two ASA 5510s.

The log shows the following error:

 

        Local:xx.xx.xx.xx 500 Remote:xx.xx.xx.xx:500 Username:Unknown Negotiation aborted due to ERROR: Failed to receive the AUTH msg before the timer expired

 

Can someone help me with the problem?


Vishnu Sharma
Level 1

Hi Oscar,

 

Could you please share some more information about the type of VPN you are using, i.e. site-to-site, IKEv1 remote access, IKEv2 or AnyConnect.

What code are you running on the ASA?

Is this a new setup or not? If not, then what were the changes that brought on this error?

 

If it is a new configuration (site-to-site) and you are getting Username:Unknown, then it highlights that phase 1 is not completing properly. To make sure the phase 1 setup is correct, make sure that these policies match on both ends of the VPN tunnel:

1. Same ISAKMP policies

2. Correct IP address defined on both ends

3. Correct pre-shared key on both ends

4. Correct interesting traffic defined on both ends.

 

Vishnu

See the logs in ASDM; it seems that the two peers are not able to authenticate each other. Also post the output of show crypto isakmp sa.

Debug crypto isakmp and generate interesting traffic to look for ISAKMP messages, to see how far ISAKMP gets among the 6 messages of main mode.

 

"Please rate helpful posts"
 

Thanks, here are the statistics.

 

Result of the command: "show crypto isakmp"

There are no IKEv1 SAs

There are no IKEv2 SAs

Global IKEv1 Statistics
  Active Tunnels:              0
  Previous Tunnels:            0
  In Octets:                   0
  In Packets:                  0
  In Drop Packets:             0
  In Notifys:                  0
  In P2 Exchanges:             0
  In P2 Exchange Invalids:     0
  In P2 Exchange Rejects:      0
  In P2 Sa Delete Requests:    0
  Out Octets:              72576
  Out Packets:               252
  Out Drop Packets:            0
  Out Notifys:                 0
  Out P2 Exchanges:            0
  Out P2 Exchange Invalids:    0
  Out P2 Exchange Rejects:     0
  Out P2 Sa Delete Requests:   0
  Initiator Tunnels:          63
  Initiator Fails:            63
  Responder Fails:             0
  System Capacity Fails:       0
  Auth Fails:                  0
  Decrypt Fails:               0
  Hash Valid Fails:            0
  No Sa Fails:                 0

IKEV1 Call Admission Statistics
  Max In-Negotiation SAs:                 50
  In-Negotiation SAs:                      0
  In-Negotiation SAs Highwater:            0
  In-Negotiation SAs Rejected:             0

Please capture the output of the command "show crypto isakmp sa" when you initiate the traffic from one end, and capture the same command output on both devices. Share the output here.

 

At this moment, I see that phase 1 is completely down, so capturing this command did not help.

 

Vishnu

Result of the command: "show crypto isakmp sa"

IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer:
    Type    : L2L             Role    : responder
    Rekey   : no              State   : AM_WAIT_MSG3

There are no IKEv2 SAs

 

Result of the command: "show crypto isakmp sa"

IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer:
    Type    : user            Role    : initiator
    Rekey   : no              State   : AM_WAIT_MSG2

There are no IKEv2 SAs

There are two things that could be possible here.

1. Either the IP address is entered incorrectly, which is why we see that the initiator is waiting for MSG_2 and the responder is waiting for MSG_3.

OR

2. UDP port 500 is blocked somewhere between these devices. It could be on a device in your premises or at the ISP, but that device lies somewhere in between.

 

Please apply a capture on the outside interface and see whether you are able to see outgoing and incoming packets.

 

Vishnu
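To make the reading of the two outputs above repeatable, here is an added example (not from this thread or from Cisco) that parses the "show crypto isakmp" counters and the "show crypto isakmp sa" entry and reports the same phase 1 findings Vishnu drew from them: sent but nothing received, every initiated attempt failed, and the role stuck in a given wait state. The sample text is constructed from the counters posted in the thread; the AM_/MM_ prefix is read as aggressive/main mode, as on the ASA.

```python
import re

# Constructed sample, abridged from the counters and SA entry the thread's
# "show crypto isakmp" / "show crypto isakmp sa" outputs show on the initiator.
INITIATOR_STATS = """\
Global IKEv1 Statistics
  Active Tunnels:              0
  In Packets:                  0
  Out Packets:               252
  Initiator Tunnels:          63
  Initiator Fails:            63
"""
INITIATOR_SA = """\
1   IKE Peer:
    Type    : user            Role    : initiator
    Rekey   : no              State   : AM_WAIT_MSG2
"""

def parse_counters(text):
    """Map each 'Name:   value' counter line of the statistics block to an int."""
    return {m.group(1): int(m.group(2))
            for m in re.finditer(r"^\s+([^:\n]+?):\s+(\d+)\s*$", text, re.M)}

def parse_sa_state(text):
    """Return (role, state) of the first IKE SA entry, or None if there is none."""
    role = re.search(r"Role\s*:\s*(\w+)", text)
    state = re.search(r"State\s*:\s*(\w+)", text)
    return (role.group(1), state.group(1)) if role and state else None

def diagnose(stats, sa):
    """Turn the counters and the SA state into phase 1 findings."""
    c = parse_counters(stats)
    findings = []
    if c.get("Out Packets", 0) > 0 and c.get("In Packets", 0) == 0:
        findings.append("IKE sent but none received: check the UDP/500 path and the peer address")
    if c.get("Initiator Tunnels", 0) and c["Initiator Tunnels"] == c.get("Initiator Fails"):
        findings.append("every initiated attempt failed before phase 1 completed")
    parsed = parse_sa_state(sa)
    if parsed:
        role, state = parsed
        mode = {"AM": "aggressive", "MM": "main"}.get(state[:2])   # phase 1 states only
        if mode:
            findings.append(f"{role} stuck in {state}: {mode} mode, waiting for {state.rsplit('_', 1)[-1]}")
    return findings

if __name__ == "__main__":
    for finding in diagnose(INITIATOR_STATS, INITIATOR_SA):
        print("-", finding)
```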

 

 

Hi thanks vishnsha

I do see the connection being built on both ends, but the receiving ASA starts logging "duplicated packet detected. Ignoring packet." and at the end it tears down the connection.