Site to Site VPN Connection Issue

philipvoceehs
Level 1

Hi Guys,

Having a problem establishing a site-to-site VPN connection. Site A is a 5506, site B is a 1010. Both are running ASA and are managed through ASDM.

I am getting various errors from our ASDM manager, including:

4       IKEv1 was unsuccessful at setting up a tunnel. Map Tag = outside_map. Map Sequence Number = 1.
4       IP = 108.170.XX.XX Information Exchange processing failed
4       Tunnel Manager dispatching a KEY_ACQUIRE message to IKEv1 after a failed attempt.. Map Tag = outside_map. Map Sequence Number = 1.

Running config from site A, some info omitted for security:

Result of the command: "show running-config"

: Saved

:
: Serial Number: JAD2101029J
: Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.8(2)
!
hostname ciscoasa
enable password XX encrypted
names

!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address 108.170.XX.XX 255.255.255.240
!
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8
shutdown
no nameif
no security-level
no ip address
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
boot system disk0:/asa982-lfbff-k8.SPA
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

OMITTED NETWORK OBJECTS

port-object eq 3391
access-list outside_access_in extended permit tcp object-group AllowedToRDP object-group RDPServerPrivateGroup eq 3389
access-list outside_access_in extended permit tcp object-group AppServer1Group object 192.168.1.3 eq 49160
access-list outside_access_in remark Ticket #2116342 - Additional Firewall Rules
access-list outside_access_in extended permit tcp object-group DM_INLINE_NETWORK_2 object 192.168.1.11 eq 49160
access-list outside_access_in remark Ticket #2212279 - Firewall rule creation request
access-list outside_access_in extended permit tcp object-group CLIENT_Server object 192.168.1.11 eq 49160
access-list outside_access_in extended permit tcp object-group AppServer2Group object 192.168.1.3 eq 49170
access-list outside_access_in extended permit tcp any object-group webServer object-group DM_INLINE_TCP_1
access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_1 object-group DM_INLINE_TCP_2
access-list outside_access_in remark Ticket #2116342 - Additional Firewall Rules
access-list outside_access_in extended permit tcp any object 192.168.1.10 eq 587
access-list outside_access_in remark Ticket #2064714 -- Allow Nagios to everywhere
access-list outside_access_in extended permit ip object-group montoring any
access-list outside_access_in extended permit object backup_port_35108 object-group Backup any inactive
access-list outside_access_in extended permit icmp object-group montoring any log disable inactive
access-list outside_access_in extended permit tcp object-group montoring any object-group DM_INLINE_TCP_3 inactive
access-list outside_access_in extended permit icmp object-group Trusted any
access-list outside_access_in remark Ticket #2159850 - Allow IP through firewall
access-list outside_access_in extended permit tcp object 104.41.XX.XX object 108.170.XX.XX eq 491XX
access-list outside_access_in remark Ticket #2159927 - Allow 159.253.XX.XX through firewall
access-list outside_access_in extended permit ip any object Licensing
access-list outside_access_in extended permit tcp object Trusted_Office_new object 192.168.1.3 eq 49180
access-list outside_access_in extended permit object SQL_49200 object Trusted_Office_new object 192.168.1.3
access-list outside_access_in extended permit object PI_Server object CLIENT_PI object 108.170.XX.XX
access-list outside_access_in_1 extended permit ip any any
access-list outside_cryptomap extended permit ip 192.168.1.0 255.255.255.0 object Office_Network
pager lines 24
logging enable
logging asdm-buffer-size 510
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 5 burst-size 2
icmp permit any outside
icmp permit any inside
asdm image disk0:/asdm-782.bin
no asdm history enable
arp timeout 180
no arp permit-nonconnected
arp rate-limit 16384
nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static Office_Network Office_Network no-proxy-arp route-lookup
!
OMITTED NAT RULES
nat (inside,outside) after-auto source dynamic any interface
access-group outside_access_in_1 in interface outside control-plane
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 108.170.48.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication login-history
http server enable
http server idle-timeout 60
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal AZURE-PROPOSAL
protocol esp encryption aes-256
protocol esp integrity sha-256
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec profile AZURE-PROFILE
set ikev2 ipsec-proposal AZURE-PROPOSAL
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer SITEBADDRESS
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-192-SHA ESP-AES-256-SHA ESP-DES-SHA
crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES AZURE-PROPOSAL
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=ciscoasa
crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint0
certificate 54c91259
308202d4 308201bc a0030201 02020454 c9125930 0d06092a 864886f7 0d010105
0500302c 3111300f 06035504 03130863 6973636f 61736131 17301506 092a8648
86f70d01 09021608 63697363 6f617361 301e170d 31373039 31333039 32343331
5a170d32 37303931 31303932 3433315a 302c3111 300f0603 55040313 08636973
636f6173 61311730 1506092a 864886f7 0d010902 16086369 73636f61 73613082
0122300d 06092a86 4886f70d 01010105 00038201 0f003082 010a0282 010100b6
b4b852ad 40d8cdce 5b3f183c 93f052cc 371df9f4 3c0d0cd0 4d43fadd bc0ea0d8
f3db0768 c2af1c95 51716f53 9bd8e3f2 e6483faa d9ef310b ce84f527 6ef6217f
4beca260 7d5e684a 7f1ade6b d7331360 85ad4894 b687b21d 8b9c9de6 524b9f5d
929bf6f6 1e8dd686 95d23f0c c23b6062 cd122fc0 7686f790 fbc63a78 ba9f5ddb
e9203e5f 06e9b95a da16bc05 1eb675b7 cbba8188 37d468a6 74208f9b 9b1f4a45
0282c45f f815940a ae0806a2 13f38a1f 1aaf868b f9d8faa5 af7f1657 01963908
d861dc8d b7209d9c ff25d2fe c6bef181 3e99edbb a4e7f463 d5117871 92f672eb
fd06314d 3ec6d7f1 f03e71dc 048ee5f2 7493ebc6 e48893b2 d5aa4012 f5fc2502
03010001 300d0609 2a864886 f70d0101 05050003 82010100 44b520d8 ef2f5ad8
b3ccefc8 8bdbfcea a1dcdc61 6f2dd80a 49baee64 1a261456 cf1068b3 fa327dd8
5f65bc77 d3397884 4dff200f 17fc8909 a7bff4e5 c057def1 b1ba121d cf6ab2c6
31f82d56 dc952ac5 6cc9df1d f2833124 95c3fcee 847cf22a 7a0cb204 464d1d40
3757eb9d e73c41f0 61298c8f f8c7ca54 1979629d 1913965b 30e1a29a 6c03a228
2eaab7df a674aa2e 012d0cea 5a54d1d9 d8b79502 f4094de7 9ce0f4cb c9590c9f
e820e8b3 452f4be5 8c0da350 d5e797cf 7f94245c 0aaf829f a755afab 804cc606
e284669c 637c1dee cf917bf3 376968e8 c9a24519 1134cd28 1ec4b937 956c8552
3a1ab886 d7d4c131 0118ab46 d009b0c4 a8613943 694b12e4
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside

dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.254 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
cache
disable
error-recovery disable
group-policy GroupPolicy_SITEBADDRESS internal
group-policy GroupPolicy_SITEBADDRESS attributes
vpn-tunnel-protocol ikev1 ikev2
dynamic-access-policy-record DfltAccessPolicy
username admin password ICqdCUNoKFJxTOb9 encrypted privilege 15
tunnel-group SITEBADDRESS type ipsec-l2l
tunnel-group SITEBADDRESS general-attributes
default-group-policy GroupPolicy_SITEBADDRESS
tunnel-group SITEBADDRESS ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
!
class-map inside-class
match default-inspection-traffic
class-map inspection_default
match default-inspection-traffic
class-map outside-class
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
policy-map outside-policy
class outside-class
inspect ctiqbe
inspect dcerpc
inspect dns
inspect ftp
inspect h323 h225
inspect h323 ras
inspect http
inspect icmp
inspect icmp error
inspect ils
inspect ip-options
inspect ipsec-pass-thru
inspect lisp
inspect mgcp
inspect netbios
inspect pptp
inspect rsh
inspect rtsp
inspect sip
inspect skinny
inspect snmp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect vxlan
inspect waas
inspect xdmcp
policy-map inside-policy
class inside-class
inspect ctiqbe
inspect dcerpc
inspect dns
inspect ftp
inspect h323 h225
inspect h323 ras
inspect http
inspect icmp
inspect icmp error
inspect ils
inspect ip-options
inspect ipsec-pass-thru
inspect lisp
inspect mgcp
inspect netbios
inspect pptp
inspect rsh
inspect rtsp
inspect sip
inspect skinny
inspect snmp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect vxlan
inspect waas
inspect xdmcp
!
service-policy global_policy global
service-policy outside-policy interface outside
service-policy inside-policy interface inside
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:fedb075fa8faa07bad6ef8085a5747ff
: end

Running config from site B. Note that site B already has an active site-to-site tunnel from elsewhere; this is an additional one, as it will eventually have 4 separate tunnels. Again, some info omitted for security:

Result of the command: "show running-config"

: Saved

:
: Serial Number: JAD27200585
: Hardware: FPR-1010, 7204 MB RAM, CPU Atom C3000 series 2200 MHz, 1 CPU (4 cores)
:
ASA Version 9.16(2)3
!
hostname ciscoasa
enable password ***** pbkdf2
service-module 1 keepalive-timeout 4
service-module 1 keepalive-counter 6
!
license smart
feature tier standard
names
no mac-address auto

!
interface Vlan1
nameif inside
security-level 100
ip address 10.0.100.1 255.255.255.0
!
interface Ethernet1/1
no switchport
nameif outside
security-level 0
pppoe client vpdn group EHS
ip address pppoe setroute
!
interface Ethernet1/2
switchport
!
interface Ethernet1/3
switchport
!
interface Ethernet1/4
switchport
!
interface Ethernet1/5
switchport
!
interface Ethernet1/6
switchport
!
interface Ethernet1/7
switchport
power inline auto
!
interface Ethernet1/8
switchport
power inline auto
!
interface Management1/1
management-only
nameif management
security-level 100
ip address 192.168.45.1 255.255.255.0
!
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
name-server 208.67.222.222 outside
name-server 208.67.220.220 outside
OMITTED NETWORK OBJECTS
access-list outside_access_in remark EHS VPN Connection
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 any object EHS_VPN_SERVER
access-list outside_access_in extended permit tcp any object-group Development_Agent_Servers object-group DM_INLINE_TCP_1
access-list outside_access_in extended permit tcp any object EHSDEVAPP01 object-group SVN_Connection
access-list outside_access_in remark ESET Management Server incoming connections
access-list outside_access_in extended permit tcp any object EHS_ESET_SERVER object-group ESET_Server
access-list outside_access_in extended permit tcp any object EHSDEVAPP01 object-group Dev_MPWeb_External
access-list outside_access_in extended permit icmp any any
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit gre any any
access-list inside_access_in extended permit tcp any eq pptp any
access-list outside_cryptomap extended permit ip 10.0.100.0 255.255.255.0 object UK_HOSTED_NETWORK
access-list VPN_Filter extended permit ip object UK_HOSTED_DC_CONTROLLER object-group DM_INLINE_NETWORK_3
access-list outside_cryptomap_1 extended permit ip 10.0.100.0 255.255.255.0 object USA_Network
pager lines 24
logging enable
logging trap warnings
logging asdm warnings
mtu inside 1500
mtu outside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
OMITTED NAT RULES
!
object network obj_any
nat (any,outside) dynamic interface
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication login-history
http server enable
http 192.168.45.0 255.255.255.0 management
http 10.0.100.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption aes
protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption aes
protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal AZURE-PROPOSAL
protocol esp encryption aes-256
protocol esp integrity sha-256
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 1 match address outside_cryptomap_1
crypto map outside_map 1 set peer 108.170.XX.XX
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-192-SHA ESP-AES-256-SHA ESP-DES-SHA
crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES AZURE-PROPOSAL
crypto map outside_map 2 match address outside_cryptomap
crypto map outside_map 2 set peer 91.215.XX.XX
crypto map outside_map 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-192-SHA ESP-AES-256-SHA ESP-DES-SHA
crypto map outside_map 2 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
no validation-usage
crl configure
crypto ca trustpoint _SmartCallHome_ServerCA2
no validation-usage
crl configure
crypto ca trustpool policy
auto-import
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca 0a0142800000014523c844b500000002
30820560 30820348 a0030201 0202100a 01428000 00014523 c844b500 00000230
0d06092a 864886f7 0d01010b 0500304a 310b3009 06035504 06130255 53311230
10060355 040a1309 4964656e 54727573 74312730 25060355 0403131e 4964656e
54727573 7420436f 6d6d6572 6369616c 20526f6f 74204341 2031301e 170d3134
30313136 31383132 32335a17 0d333430 31313631 38313232 335a304a 310b3009
06035504 06130255 53311230 10060355 040a1309 4964656e 54727573 74312730
25060355 0403131e 4964656e 54727573 7420436f 6d6d6572 6369616c 20526f6f
74204341 20313082 0222300d 06092a86 4886f70d 01010105 00038202 0f003082
020a0282 020100a7 5019de3f 993dd433 46f16f51 6182b2a9 4f8f6789 5d84d953
dd0c28d9 d7f0ffae 95437299 f9b55d7c 8ac142e1 315074d1 810d7ccd 9b21ab43
e2acad5e 866ef309 8a1f5a32 bda2eb94 f9e85c0a ecff98d2 af71b3b4 539f4e87
ef92bcbd ec4f3230 884b175e 57c453c2 f602978d d9622bbf 241f628d dfc3b829
4b49783c 93608822 fc99da36 c8c2a2d4 2c540067 356e73bf 0258f0a4 dde5b0a2
267acae0 36a51916 f5fdb7ef ae3f40f5 6d5a04fd ce34ca24 dc74231b 5d331312
5dc40125 f630dd02 5d9fe0d5 47bdb4eb 1ba1bb49 49d89f5b 02f38ae4 2490e462
4f4fc1af 8b0e7417 a8d17288 6a7a0149 ccb44679 c617b1da 981e0759 fa752185
65dd9056 cefbaba5 609dc49d f952b08b bd87f98f 2b230a23 763bf733 e1c900f3
69f94ba2 e04ebc7e 93398407 f744707e fe075ae5 b1acd118 ccf235e5 494908ca
56c93dfb 0f187d8b 3bc113c2 4d8fc94f 0e37e91f a10e6adf 622ecb35 0651792c
c82538f4 fa4ba789 5c9cd2e3 0d39864a 747cd559 87c23f4e 0c5c52f4 3df75282
f1eaa3ac fd49341a 28f34188 3a13eee8 deff991d 5fbacbe8 1ef2b950 60c031d3
73e5efbe a0ed330b 74be2020 c4676cf0 08037a55 807f464e 96a7f41e 3ee1f6d8
09e13364 2b63d732 5e9ff9c0 7b0f786f 97bc939a f99c1290 787a8087 15d77274
9c557478 b1bae16e 7004ba4f a0ba68c3 7bff31f0 733d3d94 2ab10b41 0ea0fe4d
88656b79 33b4d702 03010001 a3423040 300e0603 551d0f01 01ff0404 03020106
300f0603 551d1301 01ff0405 30030101 ff301d06 03551d0e 04160414 ed4419c0
d3f0068b eea47bbe 42e72654 c88e3676 300d0609 2a864886 f70d0101 0b050003
82020100 0dae9032 f6a64b7c 44761961 1e2728cd 5e54ef25 bce30890 f929d7ae
6808e194 0058ef2e 2e7e5352 8cb65c07 ea88ba99 8b5094d7 8280df61 090093ad
0d14e6ce c1f23794 78b05f9c b3a273b8 8f059338 cd8d3eb0 b8fbc0cf b1f2ec2d
2d1bccec aa9ab3aa 60821b2d 3bc3843d 578a961e 9c75b8d3 30cd6008 8390d38e
54f14d66 c05d7403 40a3ee85 7ec21f77 9c06e8c1 a7185d52 95edc9dd 259e6dfa
a9eda33a 34d0597b daed50f3 35bfedeb 144d31c7 60f4daf1 879ce248 e2c6c537
fb0610fa 75596631 4729da76 9a1ce982 aeef9ab9 51f78823 9a699562 3ce55580
36d75402 fff1b95d ced4236f d845844a 5b65ef89 0cdd14a7 20cb18a5 25b40df9
01f0a2d2 f400c874 8ea12a48 8e65db13 c4e22517 7debbe87 5b172054 51934a53
030bec5d ca33ed62 fd45c72f 5bdc58a0 8039e6fa d7fe1314 a6ed3d94 4a4274d4
c3775973 cd8f46be 5538effa e89132ea 97580422 de38c3cc bc6dc933 3a6a0a69
3fa0c8ea 728f8c63 8623bd6d 3c969e95 e0494caa a2b92a1b 9c368178 edc3e846
e2265944 751ed975 8951cd10 849d6160 cb5df997 224d8e98 e6e37ff6 5bbbaecd
ca4a816b 5e0bf351 e1742be9 7e27a7d9 99494ef8 a580db25 0f1c6362 8ac93367
6b3c1083 c6addea8 cd168e8d f0073771 9ff2abfc 41f5c18b ec00375d 09e54e80
effab15c 3806a51b 4ae1dc38 2d3cdcab 1f901ad5 4a9ceed1 706cccee f457f818
ba846e87
quit
crypto ca certificate chain _SmartCallHome_ServerCA2
certificate ca 0509
308205b7 3082039f a0030201 02020205 09300d06 092a8648 86f70d01 01050500
3045310b 30090603 55040613 02424d31 19301706 0355040a 13105175 6f566164
6973204c 696d6974 6564311b 30190603 55040313 1251756f 56616469 7320526f
6f742043 41203230 1e170d30 36313132 34313832 3730305a 170d3331 31313234
31383233 33335a30 45310b30 09060355 04061302 424d3119 30170603 55040a13
1051756f 56616469 73204c69 6d697465 64311b30 19060355 04031312 51756f56
61646973 20526f6f 74204341 20323082 0222300d 06092a86 4886f70d 01010105
00038202 0f003082 020a0282 0201009a 18ca4b94 0d002daf 03298af0 0f81c8ae
4c19851d 089fab29 4485f32f 81ad321e 9046bfa3 86261a1e fe7e1c18 3a5c9c60
172a3a74 8333307d 615411cb edabe0e6 d2a27ef5 6b6f18b7 0a0b2dfd e93eef0a
c6b310e9 dcc24617 f85dfda4 daff9e49 5a9ce633 e62496f7 3fba5b2b 1c7a35c2
d667feab 66508b6d 28602bef d760c3c7 93bc8d36 91f37ff8 db1113c4 9c7776c1
aeb7026a 817aa945 83e205e6 b956c194 378f4871 6322ec17 6507958a 4bdf8fc6
5a0ae5b0 e35f5e6b 11ab0cf9 85eb44e9 f80473f2 e9fe5c98 8cf573af 6bb47ecd
d45c022b 4c39e1b2 95952d42 87d7d5b3 9043b76c 13f1dedd f6c4f889 3fd175f5
92c391d5 8a88d090 ecdc6dde 89c26571 968b0d03 fd9cbf5b 16ac92db eafe797c
adebaff7 16cbdbcd 252be51f fb9a9fe2 51cc3a53 0c48e60e bdc9b476 0652e611
13857263 0304e004 362b2019 02e874a7 1fb6c956 66f07525 dc67c10e 616088b3
3ed1a8fc a3da1db0 d1b12354 df44766d ed41d8c1 b222b653 1cdf351d dca1772a
31e42df5 e5e5dbc8 e0ffe580 d70b63a0 ff33a10f ba2c1515 ea97b3d2 a2b5bef2
8c961e1a 8f1d6ca4 6137b986 7333d797 969e237d 82a44c81 e2a1d1ba 675f9507
a32711ee 16107bbc 454a4cb2 04d2abef d5fd0c51 ce506a08 31f991da 0c8f645c
03c33a8b 203f6e8d 673d3ad6 fe7d5b88 c95efbcc 61dc8b33 77d34432 35096204
921610d8 9e2747fb 3b21e3f8 eb1d5b02 03010001 a381b030 81ad300f 0603551d
130101ff 04053003 0101ff30 0b060355 1d0f0404 03020106 301d0603 551d0e04
1604141a 8462bc48 4c332504 d4eed0f6 03c41946 d1946b30 6e060355 1d230467
30658014 1a8462bc 484c3325 04d4eed0 f603c419 46d1946b a149a447 3045310b
30090603 55040613 02424d31 19301706 0355040a 13105175 6f566164 6973204c
696d6974 6564311b 30190603 55040313 1251756f 56616469 7320526f 6f742043
41203282 02050930 0d06092a 864886f7 0d010105 05000382 0201003e 0a164d9f
065ba8ae 715d2f05 2f67e613 4583c436 f6f3c026 0c0db547 645df8b4 72c946a5
03182755 89787d76 ea963480 1720dce7 83f88dfc 07b8da5f 4d2e67b2 84fdd944
fc775081 e67cb4c9 0d0b7253 f8760707 4147960c fbe08226 93558cfe 221f6065
7c5fe726 b3f73290 9850d437 7155f692 2178f795 79faf82d 26876656 3077a637
78335210 58ae3f61 8ef26ab1 ef187e4a 5963ca8d a256d5a7 2fbc561f cf39c1e2
fb0aa815 2c7d4d7a 63c66c97 443cd26f c34a170a f890d257 a21951a5 2d9741da
074fa950 da908d94 46e13ef0 94fd1000 38f53be8 40e1b46e 561a20cc 6f588ded
2e458fd6 e9933fe7 b12cdf3a d6228cdc 84bb226f d0f8e4c6 39e90488 3cc3baeb
557a6d80 9924f56c 01fbf897 b0945beb fdd26ff1 77680d35 6423acb8 55a103d1
4d4219dc f8755956 a3f9a849 79f8af0e b911a07c b76aed34 d0b62662 381a870c
f8e8fd2e d3907f07 912a1dd6 7e5c8583 99b03808 3fe95ef9 3507e4c9 626e577f
a75095f7 bac89be6 8ea201c5 d666bf79 61f33c1c e1b9825c 5da0c3e9 d848bd19
a2111419 6eb2861b 683e4837 1a88b75d 965e9cc7 ef276208 e291195c d2f121dd
ba174282 97718153 31a99ff6 7d62bf72 e1a3931d cc8a265a 0938d0ce d70d8016
b478a53a 874c8d8a a5d54697 f22c10b9 bc5422c0 01506943 9ef4b2ef 6df8ecda
f1e3b1ef df918f54 2a0b25c1 2619c452 100565d5 8210eac2 31cd2e
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha256
group 5
prf sha256
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha256
group 5
prf sha256
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha256
group 5
prf sha256
lifetime seconds 86400
crypto ikev2 policy 40
encryption aes
integrity sha256
group 5
prf sha256
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 14
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 14
lifetime 86400
crypto ikev1 policy 40
authentication pre-share
encryption aes-192
hash sha
group 14
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 14
lifetime 86400
crypto ikev1 policy 70
authentication pre-share
encryption aes
hash sha
group 14
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 14
lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group14-sha256
console timeout 0
vpdn group EHS request dialout pppoe
vpdn group EHS localname XX@hg70.btclick.com
vpdn group EHS ppp authentication chap
vpdn username XX@hg70.btclick.com password *****
dhcpd auto_config outside
!
dhcpd address 192.168.45.10-192.168.45.12 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy GroupPolicy_91.215.XX.XX internal
group-policy GroupPolicy_91.215.XX.XX attributes
vpn-filter value VPN_Filter
vpn-tunnel-protocol ikev1 ikev2
group-policy GroupPolicy_108.170.XX.XX internal
group-policy GroupPolicy_108.170.XX.XX attributes
vpn-tunnel-protocol ikev1 ikev2
dynamic-access-policy-record DfltAccessPolicy
username admin password ***** pbkdf2 privilege 15
tunnel-group 91.215.XX.XX type ipsec-l2l
tunnel-group 91.215.XX.XX general-attributes
default-group-policy GroupPolicy_91.215.XX.XX
tunnel-group 91.215.XX.XX ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group 108.170.XX.XX type ipsec-l2l
tunnel-group 108.170.XX.XX general-attributes
default-group-policy GroupPolicy_108.170.XX.XX
tunnel-group 108.170.XX.XX ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
class-map class_snmp
match port udp eq 4161
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect pptp
inspect icmp
class class_snmp
inspect snmp
!
service-policy global_policy global
prompt hostname context
: end

Any help appreciated! Thanks in advance!

Cheers,
Dave

 



6 Replies

Sorry, what error do you get?

Also, can you share a packet-tracer for traffic from LAN to LAN passing through IPsec?

Note: run packet-tracer twice and share the second one.

MHM

Hi there,

Errors are:

Local:217.45.XX.XX:500 Remote:108.170.48.14:500 Username:108.170.XX.XX IKEv2 Negotiation aborted due to ERROR: Received no proposal chosen notify
Tunnel Manager dispatching a KEY_ACQUIRE message to IKEv1 after a failed attempt.. Map Tag = outside_map. Map Sequence Number = 1.
IP = 108.170.XX.XX, Information Exchange processing failed
IP = 108.170.XX.XX, Error processing payload: Payload ID: 1
Tunnel Manager dispatching a KEY_ACQUIRE message to IKEv1 after a failed attempt.. Map Tag = outside_map. Map Sequence Number = 1.

ASDM packet tracer output screengrab attached.

Received no proposal chosen notify <-

This indicates that one of the phase 1 / phase 2 SAs does not match.

I see many policies; some use DH group 2.
Please share the output of:

debug condition peer x.x.x.x
debug crypto isakmp/ipsec 127

thanks 

MHM
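
The check MHM describes (find the phase 1 / phase 2 proposal that both peers actually share) can be done mechanically before touching debugs. The script below is an added example and is not part of the thread or of Cisco's tooling; it parses the `crypto ikev2 policy`, `crypto ikev1 policy` and `crypto ipsec ikev2 ipsec-proposal` blocks of two ASA running-configs and reports, per stage, which entries overlap. The embedded excerpts are copied from the two configs posted above (one representative block per stage); run over them it finds no common IKEv2 policy (site A offers `integrity sha` / `prf sha`, site B `sha256`), no common IKEv1 policy (DH group 2 versus 14, the point MHM raises), and an overlapping IPsec proposal (AES256 with sha-1). Names such as `SITE_A`, `parse` and `report` are the example's own.

```python
"""Added example, not from the thread: cross-check the IKE proposals of two
Cisco ASA peers.  A "no proposal chosen" notify means the responder holds no
policy whose algorithm set the initiator offered.  Excerpts copied from the
two configs posted in the thread, one representative block per stage."""
import itertools
import re

SITE_A = """\
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5
prf sha
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
"""

SITE_B = """\
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1
crypto ikev2 policy 1
encryption aes-256
integrity sha256
group 5
prf sha256
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 14
"""

HEADERS = {
    "ikev2": re.compile(r"^crypto ikev2 policy (\S+)$"),
    "ikev1": re.compile(r"^crypto ikev1 policy (\S+)$"),
    "ipsec": re.compile(r"^crypto ipsec ikev2 ipsec-proposal (\S+)$"),
}
# Attributes compared per stage; lifetime is ignored on purpose (IKEv2
# lifetimes are local, and IKEv1 peers settle on the lower value).
KEYS = {
    "ikev2": ("encryption", "integrity", "group", "prf"),
    "ikev1": ("authentication", "encryption", "hash", "group"),
    "ipsec": ("encryption", "integrity"),
}


def parse(config):
    """Return {stage: {name: [attribute tuples]}}; a line such as
    'integrity sha-1 md5' expands to one tuple per listed value."""
    blocks, cur = [], None
    for line in (ln.strip() for ln in config.splitlines()):
        hit = next(((s, rx.match(line)) for s, rx in HEADERS.items()
                    if rx.match(line)), None)
        if hit:                                   # start of a tracked block
            cur = (hit[0], hit[1].group(1), {})
            blocks.append(cur)
        elif not line or line == "!" or line.startswith("crypto "):
            cur = None                            # other top-level command
        elif cur:
            toks = line.split()
            if toks[:2] == ["protocol", "esp"]:   # ipsec-proposal sub-command
                toks = toks[2:]
            if toks[0] in KEYS[cur[0]]:
                cur[2][toks[0]] = toks[1:]
    out = {stage: {} for stage in HEADERS}
    for stage, name, attrs in blocks:
        out[stage][name] = list(itertools.product(
            *[attrs.get(k, ["?"]) for k in KEYS[stage]]))
    return out


def overlap(a, b, stage):
    """(A entry, B entry, shared tuples) pairs that could be negotiated."""
    hits = []
    for na, ta in a[stage].items():
        for nb, tb in b[stage].items():
            common = sorted(set(ta) & set(tb))
            if common:
                hits.append((na, nb, common))
    return hits


def report(cfg_a, cfg_b):
    """Print and return the per-stage overlap between two configs."""
    a, b = parse(cfg_a), parse(cfg_b)
    result = {stage: overlap(a, b, stage) for stage in KEYS}
    for stage, hits in result.items():
        print(f"{stage:5s}: {'OK' if hits else 'NO MATCH -> no proposal chosen'}")
        for na, nb, common in hits:
            print(f"       A:{na} <-> B:{nb} via {common}")
    return result


if __name__ == "__main__":
    report(SITE_A, SITE_B)
```

Two caveats for real use. The comparison is on literal ASA tokens, which is exact between two ASAs but needs normalisation against another vendor (`sha` in an `ikev2 policy` is SHA-1, `sha-1` in an `ipsec-proposal` is the same algorithm, `aes` is AES-128). And only the IPsec proposals referenced by the crypto map entry for that peer matter; in the thread both `crypto map outside_map 1` entries list every defined proposal, so comparing all of them is equivalent here.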

ma1i8kumair
Level 1

I have a problem with my VPN. It is not connecting to any other country except one. Please help me to resolve this issue.

philipvoceehs
Level 1

I have resolved my issue; it was a mismatch in the IKEv2 encryption settings, subtle enough not to notice immediately!

Thanks for updating us.

Please close this post by selecting the solution.

Have a nice day

MHM