05-05-2023 10:29 AM
Hello everyone,
I'm trying to set up a site-to-site VPN from a Cisco ASA to a Cisco ASR, but Phase 1 is down. I checked that the Phase 1 parameters are OK and that the key is correct.
I attached the config and the error message that I'm getting from the ASDM.
Can you help me fix this issue?
Best regards,
Younes
05-05-2023 10:38 AM
Points to check:
1- Are the DH group and PRF configured correctly on the ASR?
2- On the ASA, is the group-policy configured with vpn-tunnel-protocol ikev2?
3- On the ASA, is IKEv2 enabled on the outside interface?
05-05-2023 10:49 AM - edited 05-05-2023 10:52 AM
1- Yes, the group and PRF match on both sides.
2- How can I check that, please?
3- IKEv2 is enabled on the outside interface.
05-05-2023 10:54 AM
group-policy GroupPolicy2 internal
group-policy GroupPolicy2 attributes
 vpn-idle-timeout 30
 vpn-tunnel-protocol ikev2
tunnel-group <ip> type ipsec-l2l
tunnel-group <ip> general-attributes
 default-group-policy GroupPolicy2
05-05-2023 10:54 AM
Also, please double-check the PRF on both the ASR and the ASA.
05-05-2023 10:48 AM - edited 05-05-2023 10:49 AM
@ezzaariyouness the syslog event related to that error message, 751013, indicates a memory or configuration error. Can you run the IKEv2 debugs (debug crypto ikev2) as per the recommended action and provide the output for review, please?
You could also look to disable the IKEv2 configuration exchange on the ASR, which is not supported on ASA/FTD:
crypto ikev2 profile IKEV2-PROFILE
 no config-exchange request
05-05-2023 10:59 AM
Hi Rob,
Thank you for the information; let me share this with the remote team.
05-07-2023 01:12 PM
@ezzaariyouness
Hi, I have seen such cases. As @Rob Ingram mentioned, disable the config-exchange request (no config-exchange request) under the IKEv2 profile on the ASR,
or
configure the ASR as responder only and the ASA as initiator for the tunnel.
05-07-2023 01:38 PM
Yes, I have requested the remote team to do that on the ASR.
05-08-2023 05:05 AM
https://quickview.cloudapps.cisco.com/quickview/bug/CSCvc38984
There is a bug for the same case, and the solution is as @Salman Mahajan and @Rob Ingram mentioned.
thanks
MHM
05-08-2023 09:24 AM
05-08-2023 09:44 AM - edited 05-08-2023 11:18 AM
IKEv2-PLAT-2: (56): Crypto Map: No proxy match on map VPN-L2L seq 1
Are you sure about the peer IPs (remote LAN)?
ciscoasa(config)# show crypto ikev2 sa detail <<- please share this if you can
05-09-2023 09:08 AM
Yes, I'm sure of the peer IPs.
There is no IKEv2 SA.
05-09-2023 03:36 PM
access-list South-PD-Harris-CTS extended permit ip 10.2.55.0 255.255.255.0 host 10.208.120.2
access-list South-PD-Harris-CTS extended permit ip 10.2.56.0 255.255.255.0 host 10.208.120.2
access-list South-PD-Harris-CTS extended permit ip 10.2.49.0 255.255.255.0 host 10.208.120.2
access-list South-PD-Harris-CTS extended permit ip 10.2.49.0 255.255.255.0 host 10.208.120.3
access-list South-PD-Harris-CTS extended permit ip 10.2.56.0 255.255.255.0 host 10.208.120.3
access-list South-PD-Harris-CTS extended permit ip 10.2.55.0 255.255.255.0 host 10.208.120.3
If I am right,
IKEv2 on the ASA does not support multiple SAs,
and I see here that you need 6 SAs.
To check, remove the others, keep only one, and see whether IKEv2 comes up.
05-08-2023 10:58 AM
(57): NOTIFY(NO_PROPOSAL_CHOSEN)(57): Next payload: NONE, reserved: 0x0, length: 8
(57): Security protocol id: IKE, spi size: 0, type: NO_PROPOSAL_CHOSEN
Check the below on both ends:
1. Transform set (should match on both ends)
2. Proxy ID / interesting traffic (should be a mirror of the local side)
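Putting the thread's advice together in one place, as an added example that is not from any post above and not Cisco documentation: an ASR (IOS-XE) IKEv2 profile with the configuration exchange disabled, and an ASA side whose IKEv2 policy, IPsec proposal, crypto map, group-policy and tunnel-group line up with it, with the ASR's crypto ACL written as the exact mirror of the ASA's South-PD-Harris-CTS ACL. The peer addresses 198.51.100.1 (ASR) and 203.0.113.1 (ASA), the interface names, the proposal, transform-set, keyring and crypto map names other than the ones already quoted in the thread, and the pre-shared-key placeholder are assumptions; replace them with your own values and use a long random PSK.

```cisco
! ===== ASR (IOS-XE) side, assumed addresses and names =====
crypto ikev2 proposal IKEV2-PROP
 encryption aes-cbc-256
 integrity sha256
 group 14
 prf sha256
crypto ikev2 policy IKEV2-POL
 proposal IKEV2-PROP
crypto ikev2 keyring IKEV2-KEYRING
 peer ASA
  address 203.0.113.1
  pre-shared-key <long-random-psk>
crypto ikev2 profile IKEV2-PROFILE
 match identity remote address 203.0.113.1 255.255.255.255
 identity local address 198.51.100.1
 authentication remote pre-share
 authentication local pre-share
 keyring local IKEV2-KEYRING
 ! ASA/FTD do not support the IKEv2 configuration exchange; do not request it
 no config-exchange request
crypto ipsec transform-set TS-AES256-SHA256 esp-aes 256 esp-sha256-hmac
 mode tunnel
! Mirror of the ASA ACL: source and destination swapped, IOS wildcard masks
ip access-list extended ACL-TO-ASA
 permit ip host 10.208.120.2 10.2.55.0 0.0.0.255
 permit ip host 10.208.120.2 10.2.56.0 0.0.0.255
 permit ip host 10.208.120.2 10.2.49.0 0.0.0.255
 permit ip host 10.208.120.3 10.2.49.0 0.0.0.255
 permit ip host 10.208.120.3 10.2.56.0 0.0.0.255
 permit ip host 10.208.120.3 10.2.55.0 0.0.0.255
crypto map CM-ASA 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS-AES256-SHA256
 set ikev2-profile IKEV2-PROFILE
 match address ACL-TO-ASA
interface GigabitEthernet0/0/0
 crypto map CM-ASA

! ===== ASA side, assumed addresses and names =====
! Phase 1: encryption, integrity, DH group and PRF must all match the ASR proposal
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside
! Phase 2: must match the ASR transform-set
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
access-list South-PD-Harris-CTS extended permit ip 10.2.55.0 255.255.255.0 host 10.208.120.2
access-list South-PD-Harris-CTS extended permit ip 10.2.56.0 255.255.255.0 host 10.208.120.2
access-list South-PD-Harris-CTS extended permit ip 10.2.49.0 255.255.255.0 host 10.208.120.2
access-list South-PD-Harris-CTS extended permit ip 10.2.49.0 255.255.255.0 host 10.208.120.3
access-list South-PD-Harris-CTS extended permit ip 10.2.56.0 255.255.255.0 host 10.208.120.3
access-list South-PD-Harris-CTS extended permit ip 10.2.55.0 255.255.255.0 host 10.208.120.3
crypto map VPN-L2L 1 match address South-PD-Harris-CTS
crypto map VPN-L2L 1 set peer 198.51.100.1
crypto map VPN-L2L 1 set ikev2 ipsec-proposal AES256-SHA256
crypto map VPN-L2L interface outside
group-policy GroupPolicy2 internal
group-policy GroupPolicy2 attributes
 vpn-tunnel-protocol ikev2
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 general-attributes
 default-group-policy GroupPolicy2
tunnel-group 198.51.100.1 ipsec-attributes
 ikev2 remote-authentication pre-shared-key <long-random-psk>
 ikev2 local-authentication pre-shared-key <long-random-psk>
```

After applying it, bring the tunnel up from the ASA side (for example by pinging a host in 10.208.120.0/24 from a 10.2.55.0/24 source) and verify with show crypto ikev2 sa detail on the ASA and show crypto ikev2 sa on the ASR; a NO_PROPOSAL_CHOSEN in the debug output means one of the Phase 1 or Phase 2 parameter sets above still differs, while "No proxy match" means the two crypto ACLs are not exact mirrors.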