cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1469
Views
5
Helpful
9
Replies

Site to Site VPN error

eng.shadi
Level 1
Level 1

Dears,

i have an issue in the VPN sitte to site, any suggestion please because i tried alot of things to solve it.

the output of  debug crypto isakmp is

Dec 17 06:27:54 [IKEv1]: Group = 194.165.151.195, IP = x.x.x.x, QM FSM error (P2 struct &0x391f9a0, mess id 0x16b73592)!
Dec 17 06:27:54 [IKEv1]: Group = 194.165.151.195, IP = x.x.x.x, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
Dec 17 06:27:54 [IKEv1]: Group = 194.165.151.195, IP = x.x.x.x, Removing peer from correlator table failed, no match!

and some times:

Header invalid, missing SA payload! (next payload = 133)

the output of the :

show cry isakmp sa

  Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: x.x.x.x
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE

the configuration of the devices of the ASAs:

ASA1:

ASA Version 7.0(8)
!

access-list 101 extended permit ip 192.168.30.0 255.255.255.0 172.22.0.0 255.255.0.0
access-list 101 extended permit ip 192.168.30.0 255.255.255.0 172.20.0.0 255.255.0.0
access-list 101 extended permit ip 192.168.30.0 255.255.255.0 172.16.0.0 255.255.0.0

access-list 102 extended permit ip 192.168.30.0 255.255.255.0 172.22.0.0 255.255.0.0
access-list 102 extended permit ip 192.168.30.0 255.255.255.0 172.20.0.0 255.255.0.0
access-list 102 extended permit ip 192.168.30.0 255.255.255.0 172.16.0.0 255.255.0.0


nat (inside) 0 access-list 101

crypto ipsec transform-set sts esp-3des esp-md5-hmac
crypto ipsec transform-set sts1 esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000

crypto map vpn 10 match address 102
crypto map vpn 10 set pfs group1
crypto map vpn 10 set peer x.x.x.x
crypto map vpn 10 set transform-set sts1
crypto map vpn 10 set security-association lifetime seconds 28800
crypto map vpn 10 set security-association lifetime kilobytes 4608000
crypto map vpn interface outside


isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400

tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
pre-shared-key *

ASA2:

access-list 600 extended permit ip 172.16.0.0 255.255.0.0 192.168.30.0 255.255.255.0
access-list 600 extended permit ip 172.20.0.0 255.255.0.0 192.168.30.0 255.255.255.0
access-list 600 extended permit ip 172.22.0.0 255.255.0.0 192.168.30.0 255.255.255.0

access-list outside_40_cryptomap extended permit ip 172.22.0.0 255.255.0.0 192.168.30.0 255.255.255.0
access-list outside_40_cryptomap extended permit ip 172.20.0.0 255.255.0.0 192.168.30.0 255.255.255.0
access-list outside_40_cryptomap extended permit ip 172.16.0.0 255.255.0.0 192.168.30.0 255.255.255.0


nat (inside) 0 access-list outside_40_cryptomap

crypto isakmp identity address
crypto isakmp enable outside

crypto isakmp policy 60
authentication pre-share
encryption des
hash md5
group 1
lifetime 86400

crypto ipsec transform-set sts1 esp-des esp-md5-hmac

crypto map vpn 60 match address 600
crypto map vpn 60 set pfs group1
crypto map vpn 60 set peer y.y.y.y
crypto map vpn 60 set transform-set sts1
crypto map vpn interface outside

tunnel-group y.y.y.y type ipsec-l2l
tunnel-group y.y.y.y ipsec-attributes
pre-shared-key *

9 Replies 9

Ivan Martinon
Level 7
Level 7

Hi Shadi,

Has this VPN worked before or it is always the same problem when trying to bring it up? The message "has no spi" means that your secure session is no longer on, and you would need to re negotiate the tunnel, go ahead and clear the vpn session on both ASAs and try again

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/uz.html#wp1571746

vpn-sessiondb logoff

As well check if both ones have keepalive enabled and correctly set with the period.

Dear Ivan,

it is a new tunnel. ASA1 is ASA, IOS version is 7.0 (8) but ASA2 is a PIX 515e with version 7.2 (2). the PIX firewall is a hub for 4 VPN tunnels and this tunnel is new tunnel.

when i do debug crypto isakmp,there is no output appeared to us and the tunnel is active. I did reboot yesterday for the two firewalls and still it is not working.

regarding the keepalive, I don't configure it, it is on default values. i cleared the sessions many times but still the tunnel is not working.

actually it is strange case that i have.

thanks Ivan.

Please get the complete configiuration from both devices, and the following outputs: show crypto isakmp sa, show crypto ipsec sa, try the debug with debub crypto isakmp 25

Ivan

hello

your ACL's wild card masks look wrong - shouldn't they read 192.168.30.0 0.0.0.255 and  172.22.0.0 0.0.255.255?

hth

andy

Dear Iva,

as you request, please find the attached files.

Thanks for ur support.

Your crypto acl on the pix for this vpn should only be these 3 lines.

access-list 600 extended permit ip 172.16.0.0 255.255.0.0 192.168.30.0 255.255.255.0
access-list 600 extended permit ip 172.20.0.0 255.255.0.0 192.168.30.0 255.255.255.0
access-list 600 extended permit ip 172.22.0.0 255.255.0.0 192.168.30.0 255.255.255.0

Remove the other 3.

I removed these access lists yesterday, the access lists are wrong becuase of that i removed it yesterday. but still same issue.

thanks.

Your problem is the following:

nat (inside) 0 access-list outside_40_cryptomap

access-list outside_40_cryptomap is being used on the nat exempt config, and it is also used on the following crypto map:

crypto map STS 40 match address outside_40_cryptomap

AND the tunnel you are trying to configure is defined after this crypto map, since the traffic for tunnel 600 is included on line outside_40_crypto map this will be the crypto map processed intead of 600.

You should never define the nat exempt list to be one already used for the crypto map of another tunnel, so go ahead and duplicate access-list outside_40_crypto map into another one called something like nonat make sure it has all the lines for all the tunnels (which I believe crypto 40 has) and apply it to the nat (inside) 0 access-list nonat setup.

Then clean your crypto 40 from lines on the acl that do not belong to it. And try again.

This was the issue, it is working now... thnaks alot for your support. :-)