07-17-2018 10:40 AM - edited 03-12-2019 05:28 AM
Dear Community,
Today I swapped our RV180 router for an RV340.
The RV340 has a public IP address, while the ASAs are behind routers.
I made sure to copy the config one to one, but still the site-to-site VPNs are not connected.
They are all stuck at:
IKEv1 SAs:
   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1   IKE Peer: RV340
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG6
I checked the pre-shared keys and the IKEv1 policy settings multiple times, and I don't think it is related to the pre-shared key, as MM_WAIT_MSG6 would indicate.
Running debug crypto ikev1 7 doesn't indicate much, but it always stops at:
Automatic NAT Detection Status: Remote end is NOT behind a NAT device This end IS behind a NAT device
Jul 17 09:46:04 [IKEv1]Group = RV340, IP = RV340, Floating NAT-T to port 4500
Jul 17 09:46:04 [IKEv1]IKE Receiver: Packet received on ASAIP:4500 from RV340
I don't know where to go with this.
Looking forward to any comments on this.
Thx.
Kr
07-17-2018 10:49 AM
Some more output from debug crypto ikev1 7:
Jul 17 09:54:17 [IKEv1 DEBUG]Group = RV340 IP, IP = RV340 IP, IKE MM Initiator FSM error history (struct &0x00007f6d928da260) <state>, <event>: MM_DONE, EV_ERROR-->MM_WAIT_MSG6, EV_PROB_AUTH_FAIL-->MM_WAIT_MSG6, EV_TIMEOUT-->MM_WAIT_MSG6, NullEvent-->MM_SND_MSG5, EV_SND_MSG-->MM_SND_MSG5, EV_START_TMR-->MM_SND_MSG5, EV_RESEND_MSG-->MM_WAIT_MSG6, EV_TIMEOUT
Jul 17 09:54:17 [IKEv1 DEBUG]Group = RV340 IP, IP = RV340 IP, IKE SA MM:202f6451 terminating: flags 0x0100c022, refcnt 0, tuncnt 0
Jul 17 09:54:17 [IKEv1 DEBUG]Group = RV340 IP, IP = RV340 IP, sending delete/delete with reason message
Jul 17 09:54:17 [IKEv1 DEBUG]Group = RV340 IP, IP = RV340 IP, constructing blank hash payload
Jul 17 09:54:17 [IKEv1 DEBUG]Group = RV340 IP, IP = RV340 IP, constructing IKE delete payload
Jul 17 09:54:17 [IKEv1 DEBUG]Group = RV340 IP, IP = RV340 IP, constructing qm hash payload
Jul 17 09:54:17 [IKEv1]IP = RV340 IP, IKE_DECODE SENDING Message (msgid=6722a2e2) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
Jul 17 09:54:17 [IKEv1]Group = RV340 IP, IP = RV340 IP, Warning: Ignoring IKE SA (dst) without VM bit set
Jul 17 09:54:20 [IKEv1 DEBUG]Pitcher: received a key acquire message, spi 0x0
Jul 17 09:54:20 [IKEv1]IP = RV340 IP, IKE Initiator: New Phase 1, Intf TrustedIf, IKE Peer RV340 IP local Proxy Address 10.10.110.0, remote Proxy Address 192.168.1.0, Crypto map (map_crypto_l2l)
Jul 17 09:54:20 [IKEv1 DEBUG]IP = RV340 IP, constructing ISAKMP SA payload
Jul 17 09:54:20 [IKEv1 DEBUG]IP = RV340 IP, constructing NAT-Traversal VID ver 02 payload
Jul 17 09:54:20 [IKEv1 DEBUG]IP = RV340 IP, constructing NAT-Traversal VID ver 03 payload
Jul 17 09:54:20 [IKEv1 DEBUG]IP = RV340 IP, constructing NAT-Traversal VID ver RFC payload
Jul 17 09:54:20 [IKEv1 DEBUG]IP = RV340 IP, constructing Fragmentation VID + extended capabilities payload
Jul 17 09:54:20 [IKEv1]IP = RV340 IP, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 172
Jul 17 09:54:20 [IKEv1]IKE Receiver: Packet received on privateASAIP:500 from RV340 IP:500
Jul 17 09:54:20 [IKEv1]IP = RV340 IP, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 156
Jul 17 09:54:20 [IKEv1 DEBUG]IP = RV340 IP, processing SA payload
Jul 17 09:54:20 [IKEv1 DEBUG]IP = RV340 IP, Oakley proposal is acceptable
Jul 17 09:54:20 [IKEv1 DEBUG]IP = RV340 IP, processing VID payload
Jul 17 09:54:20 [IKEv1 DEBUG]IP = RV340 IP, Received xauth V6 VID
Jul 17 09:54:20 [IKEv1 DEBUG]IP = RV340 IP, processing VID payload
Jul 17 09:54:20 [IKEv1 DEBUG]IP = RV340 IP, Received DPD VID
Jul 17 09:54:20 [IKEv1 DEBUG]IP = RV340 IP, processing VID payload
Jul 17 09:54:20 [IKEv1 DEBUG]IP = RV340 IP, Received Cisco Unity client VID
Jul 17 09:54:20 [IKEv1 DEBUG]IP = RV340 IP, processing VID payload
Jul 17 09:54:20 [IKEv1 DEBUG]IP = RV340 IP, Received NAT-Traversal RFC VID
Jul 17 09:54:20 [IKEv1 DEBUG]IP = RV340 IP, constructing ke payload
Jul 17 09:54:20 [IKEv1 DEBUG]IP = RV340 IP, constructing nonce payload
Jul 17 09:54:20 [IKEv1 DEBUG]IP = RV340 IP, constructing Cisco Unity VID payload
Jul 17 09:54:20 [IKEv1 DEBUG]IP = RV340 IP, constructing xauth V6 VID payload
Jul 17 09:54:20 [IKEv1 DEBUG]IP = RV340 IP, Send IOS VID
Jul 17 09:54:20 [IKEv1 DEBUG]IP = RV340 IP, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Jul 17 09:54:20 [IKEv1 DEBUG]IP = RV340 IP, constructing VID payload
Jul 17 09:54:20 [IKEv1 DEBUG]IP = RV340 IP, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Jul 17 09:54:20 [IKEv1 DEBUG]IP = RV340 IP, constructing NAT-Discovery payload
Jul 17 09:54:20 [IKEv1 DEBUG]IP = RV340 IP, computing NAT Discovery hash
Jul 17 09:54:20 [IKEv1 DEBUG]IP = RV340 IP, constructing NAT-Discovery payload
Jul 17 09:54:20 [IKEv1 DEBUG]IP = RV340 IP, computing NAT Discovery hash
Jul 17 09:54:20 [IKEv1]IP = RV340 IP, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 304
Jul 17 09:54:20 [IKEv1]IKE Receiver: Packet received on privateASAIP:500 from RV340 IP:500
Jul 17 09:54:20 [IKEv1]IP = RV340 IP, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 244
Jul 17 09:54:20 [IKEv1 DEBUG]IP = RV340 IP, processing ke payload
Jul 17 09:54:20 [IKEv1 DEBUG]IP = RV340 IP, processing ISA_KE payload
Jul 17 09:54:20 [IKEv1 DEBUG]IP = RV340 IP, processing nonce payload
Jul 17 09:54:20 [IKEv1 DEBUG]IP = RV340 IP, processing NAT-Discovery payload
Jul 17 09:54:20 [IKEv1 DEBUG]IP = RV340 IP, computing NAT Discovery hash
Jul 17 09:54:20 [IKEv1 DEBUG]IP = RV340 IP, processing NAT-Discovery payload
Jul 17 09:54:20 [IKEv1 DEBUG]IP = RV340 IP, computing NAT Discovery hash
Jul 17 09:54:20 [IKEv1]IP = RV340 IP, Connection landed on tunnel_group RV340 IP
Jul 17 09:54:20 [IKEv1 DEBUG]Group = RV340 IP, IP = RV340 IP, Generating keys for Initiator...
Jul 17 09:54:20 [IKEv1 DEBUG]Group = RV340 IP, IP = RV340 IP, constructing ID payload
Jul 17 09:54:20 [IKEv1 DEBUG]Group = RV340 IP, IP = RV340 IP, constructing hash payload
Jul 17 09:54:20 [IKEv1 DEBUG]Group = RV340 IP, IP = RV340 IP, Computing hash for ISAKMP
Jul 17 09:54:20 [IKEv1 DEBUG]Group = RV340 IP, IP = RV340 IP, constructing dpd vid payload
Jul 17 09:54:20 [IKEv1]IP = RV340 IP, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + VENDOR (13) + NONE (0) total length : 84
Jul 17 09:54:20 [IKEv1]Group = RV340 IP, IP = RV340 IP, Automatic NAT Detection Status: Remote end is NOT behind a NAT device This end IS behind a NAT device
Jul 17 09:54:20 [IKEv1]Group = RV340 IP, IP = RV340 IP, Floating NAT-T to port 4500
Jul 17 09:54:20 [IKEv1]IKE Receiver: Packet received on privateASAIP:4500 from RV340 IP:4500
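As an added illustration (my own script, not part of the original posts or of any Cisco tool), the following Python walks ASA `debug crypto ikev1 7` output of the kind shown above and reports how far the main-mode exchange got: which of MM1..MM6 the ASA last decoded, the implied ASA state, whether NAT-T floated to 4500, and whether a reply arrived that was never decoded. The log lines in `SAMPLE_DEBUG` are constructed to follow the format above, with the placeholder addresses 198.51.100.10 (peer) and 10.10.110.1 (ASA) in place of the redacted ones; the "undecoded reply" counter and the hint texts are my heuristics, not ASA output.

```python
"""Locate where an IKEv1 main-mode exchange stalls in ASA `debug crypto ikev1` output.

Added example: a heuristic parser over the log format seen in this thread.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Main-mode message number, keyed by (direction, first payload after HDR) as the
# ASA logs them from the initiator's side: MM1/3/5 are sent, MM2/4/6 are received.
MM_STEPS = {
    ("SENDING", "SA"): 1, ("RECEIVED", "SA"): 2,
    ("SENDING", "KE"): 3, ("RECEIVED", "KE"): 4,
    ("SENDING", "ID"): 5, ("RECEIVED", "ID"): 6,
}

# Only msgid=0 messages belong to phase 1; the delete/informational message carries another id.
DECODE_RE = re.compile(r"IKE_DECODE (SENDING|RECEIVED) Message \(msgid=0\) with payloads : HDR \+ (\w+)")
RECV_RE = re.compile(r"IKE Receiver: Packet received on \S+:(\d+) from \S+:(\d+)")
FLOAT_RE = re.compile(r"Floating NAT-T to port (\d+)")
FSM_RE = re.compile(r"(MM_\w+), (EV_\w+|NullEvent)")  # "<state>, <event>" pairs in the FSM history


@dataclass
class MainModeReport:
    highest_step: int = 0             # last main-mode message the ASA decoded (1..6)
    stall_state: str = "MM_SND_MSG1"  # ASA state implied by highest_step
    nat_t_port: Optional[int] = None  # port NAT-T floated to, when logged
    undecoded_after_last: int = 0     # packets received after the last decoded message
    fsm_events: List[str] = field(default_factory=list)
    hint: str = ""


def analyze(lines) -> MainModeReport:
    r = MainModeReport()
    for line in lines:
        m = DECODE_RE.search(line)
        if m:
            step = MM_STEPS.get((m.group(1), m.group(2)))
            if step:
                r.highest_step = max(r.highest_step, step)
                r.undecoded_after_last = 0  # the pending packet was decoded
            continue
        if RECV_RE.search(line):
            r.undecoded_after_last += 1  # reset to 0 if a decode line follows
            continue
        m = FLOAT_RE.search(line)
        if m:
            r.nat_t_port = int(m.group(1))
            continue
        if "FSM error history" in line:
            r.fsm_events = [ev for _, ev in FSM_RE.findall(line)]

    n = r.highest_step
    if n == 6:
        r.stall_state = "MM_DONE"
        r.hint = "Phase 1 completed; look at quick mode (phase 2) instead."
    elif n % 2 == 1:  # initiator sent MMn and is waiting for MMn+1
        r.stall_state = f"MM_WAIT_MSG{n + 1}"
        if r.undecoded_after_last == 0:
            r.hint = f"No reply after MM{n}: check reachability and UDP 500/4500 filtering towards the peer."
        elif "EV_PROB_AUTH_FAIL" in r.fsm_events:
            r.hint = (f"Reply to MM{n} arrived but could not be processed; the FSM history reports "
                      "EV_PROB_AUTH_FAIL (probable authentication failure, e.g. pre-shared key or peer ID mismatch).")
        else:
            r.hint = f"Reply to MM{n} arrived but was not decoded as MM{n + 1}; check the responder's own log."
        if r.nat_t_port and r.undecoded_after_last:
            r.hint += f" The undecoded reply came in after NAT-T floated to port {r.nat_t_port}."
    else:  # n even: initiator received MMn and should have sent MMn+1
        r.stall_state = f"MM_SND_MSG{n + 1}"
        r.hint = f"MM{n} received but MM{n + 1} was never sent; look for a local error."
    return r


# Constructed sample in the format of the debug output posted above (condensed).
SAMPLE_DEBUG = """\
Jul 17 09:54:17 [IKEv1 DEBUG]Group = 198.51.100.10, IP = 198.51.100.10, IKE MM Initiator FSM error history (struct &0x0) <state>, <event>: MM_DONE, EV_ERROR-->MM_WAIT_MSG6, EV_PROB_AUTH_FAIL-->MM_WAIT_MSG6, EV_TIMEOUT-->MM_WAIT_MSG6, NullEvent-->MM_SND_MSG5, EV_SND_MSG
Jul 17 09:54:17 [IKEv1]IP = 198.51.100.10, IKE_DECODE SENDING Message (msgid=6722a2e2) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
Jul 17 09:54:20 [IKEv1]IP = 198.51.100.10, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 172
Jul 17 09:54:20 [IKEv1]IKE Receiver: Packet received on 10.10.110.1:500 from 198.51.100.10:500
Jul 17 09:54:20 [IKEv1]IP = 198.51.100.10, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 156
Jul 17 09:54:20 [IKEv1]IP = 198.51.100.10, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 304
Jul 17 09:54:20 [IKEv1]IKE Receiver: Packet received on 10.10.110.1:500 from 198.51.100.10:500
Jul 17 09:54:20 [IKEv1]IP = 198.51.100.10, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 244
Jul 17 09:54:20 [IKEv1]IP = 198.51.100.10, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + VENDOR (13) + NONE (0) total length : 84
Jul 17 09:54:20 [IKEv1]Group = 198.51.100.10, IP = 198.51.100.10, Automatic NAT Detection Status: Remote end is NOT behind a NAT device This end IS behind a NAT device
Jul 17 09:54:20 [IKEv1]Group = 198.51.100.10, IP = 198.51.100.10, Floating NAT-T to port 4500
Jul 17 09:54:20 [IKEv1]IKE Receiver: Packet received on 10.10.110.1:4500 from 198.51.100.10:4500
"""

if __name__ == "__main__":
    report = analyze(SAMPLE_DEBUG.splitlines())
    print(f"highest decoded: MM{report.highest_step}  state: {report.stall_state}")
    print(f"NAT-T port: {report.nat_t_port}  undecoded replies: {report.undecoded_after_last}")
    print(report.hint)
```

Feed it a real capture with `analyze(open("ikev1.log").read().splitlines())`; it reads only the `IKE_DECODE`, `IKE Receiver`, `Floating NAT-T` and `FSM error history` lines, so the redaction of addresses in a pasted log does not matter.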
07-17-2018 12:27 PM
If this was a working setup and you have just replaced it with new kit, it is worth checking the diagnosis below.
BB
07-17-2018 12:54 PM - edited 07-17-2018 12:55 PM
Thank you for the link.
The last output on the ASA matches exactly this step. Then just nothing happens, and the NAT-T message posted above is displayed.
MM6 received from responder.
[IKEv1]: IP = 10.0.0.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 64
Do I need to configure NAT on the remote router for some reason?
It also has functions to bypass IPsec traffic, but changing this option doesn't change the output.
07-17-2018 09:55 PM
IMHO, VPNs not establishing are often over-diagnosed and are typically the result of a parameter mismatch.
So the first thing I would do is compare the configs at both ends.
No, NAT is not a requirement for IPsec to work.
10-28-2020 01:42 AM
Hello,
Did you end up solving this issue ?
I'm in a similar situation: a new remote RV160 is not able to connect to a 5506X, while another remote 5506X with the same configuration can connect...
the logs on the RV160 says "found 1 matching config but none allows pre-shared key authentication using main mode".
I'm stuck there.
05-14-2021 02:10 AM
Is aggressive mode enabled on the S2S tunnel on the RV???
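As an added example (mine, not from any of the posters or from Cisco), the following Python models the phase-1 parameter comparison suggested earlier in the thread together with the aggressive-versus-main-mode question just raised: each side's configured IKEv1 phase-1 policies are matched the way a responder would match an initiator's proposal, and a mismatch is mapped to the state the ASA typically reports when it is the initiator. The policy field names, the simplified selection order (initiator policies offered in priority order, first responder policy that agrees wins) and the symptom table are assumptions of this model; the RV160 message quoted above reads as the responder-side view of such a check, where a config matched the peer but its exchange mode or authentication method did not.

```python
"""Simulate IKEv1 phase-1 policy negotiation between two peers and name the symptom.

Added example; the policy model and symptom mapping are assumptions, not vendor code.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Phase1Policy:
    """One IKEv1 phase-1 proposal as configured on one peer (assumed field names)."""
    exchange_mode: str      # "main" or "aggressive"
    auth: str               # "psk" or "rsa-sig"
    encryption: str         # e.g. "aes-256", "3des"
    hash: str               # e.g. "sha1", "sha256"
    dh_group: int           # e.g. 2, 5, 14
    lifetime: int = 86400   # seconds; a shorter peer lifetime is normally accepted, so not a hard mismatch
    psk: Optional[str] = None


# Attributes that must agree before the responder accepts the proposal at all.
HARD_FIELDS = ("exchange_mode", "auth", "encryption", "hash", "dh_group")

# Where an ASA initiator typically sits for each kind of mismatch (assumed mapping,
# consistent with the MM_WAIT_MSG6 / EV_PROB_AUTH_FAIL case shown in this thread).
SYMPTOM = {
    "exchange_mode": "responder has no config for this exchange mode; ASA initiator stalls at MM_WAIT_MSG2",
    "auth": "responder rejects the authentication method in the SA proposal; ASA stalls at MM_WAIT_MSG2",
    "encryption": "no proposal chosen by the responder; ASA stalls at MM_WAIT_MSG2",
    "hash": "no proposal chosen by the responder; ASA stalls at MM_WAIT_MSG2",
    "dh_group": "no proposal chosen by the responder; ASA stalls at MM_WAIT_MSG2",
    "psk": "MM5/MM6 cannot be authenticated; ASA stalls at MM_WAIT_MSG6 with EV_PROB_AUTH_FAIL",
}


def hard_mismatches(a: Phase1Policy, b: Phase1Policy) -> List[str]:
    """Fields on which two policies disagree, ignoring the negotiable lifetime."""
    return [f for f in HARD_FIELDS if getattr(a, f) != getattr(b, f)]


def negotiate(initiator: List[Phase1Policy],
              responder: List[Phase1Policy]) -> Tuple[Optional[Tuple[Phase1Policy, Phase1Policy]], List[str]]:
    """Return (matched_pair, problems).

    problems is [] on success, ["psk"] when a proposal matched but the keys differ,
    and otherwise the mismatching fields of the closest non-matching pair.
    """
    closest: Optional[Tuple[Tuple[Phase1Policy, Phase1Policy], List[str]]] = None
    for ip in initiator:                     # offered in configured priority order
        for rp in responder:
            mm = hard_mismatches(ip, rp)
            if not mm:
                if ip.auth == "psk" and ip.psk != rp.psk:
                    return (ip, rp), ["psk"]
                return (ip, rp), []
            if closest is None or len(mm) < len(closest[1]):
                closest = ((ip, rp), mm)
    return None, (closest[1] if closest else [])


def explain(problems: List[str]) -> List[str]:
    """Human-readable symptom per mismatching field."""
    return [f"{p}: {SYMPTOM[p]}" for p in problems]


if __name__ == "__main__":
    # Constructed policies: ASA L2L tunnel (main mode, PSK) vs. a remote router
    # configured for aggressive mode with otherwise identical parameters.
    asa = [Phase1Policy("main", "psk", "aes-256", "sha1", 2, psk="s3cret")]
    rv = [Phase1Policy("aggressive", "psk", "aes-256", "sha1", 2, lifetime=28800, psk="s3cret")]
    pair, problems = negotiate(asa, rv)
    print("match:", pair is not None)
    for line in explain(problems):
        print(" -", line)
```

Run it with the two sides' real policy lists transcribed from `show run crypto ikev1` on the ASA and the router's IKE policy page; an empty problem list with a matching pair means phase 1 parameters are consistent and the fault lies elsewhere (reachability, NAT-T, or phase 2).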