ā04-18-2012 09:53 AM
We had a working IPSec connection with another location. On our end, we replaced an old Pix 515 with a new ASA 5520 and since then, the tunnel will not come up with the following in the log:
IP = x.x.75.65, Information Exchange processing failed
IP = x.x.75.65, Received an un-encrypted NO_PROPOSAL_CHOSEN notify message, dropping
IP = x.x.75.65, IKE_DECODE RECEIVED Message (msgid=9e681315) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 102
IP = x.x.75.65, IKE_DECODE RECEIVED Message (msgid=9e681315) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 102
IP = x.x.75.65, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
IP = x.x.75.65, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
I have poured over the old Pix config vs. the new ASA config but cannot find the mis-config. Can anyone see what I'm missing??
Old Pix 515 (tunnel working)
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
names
name 192.168.200.0 IGOC_LAN
name 172.16.24.0 FLO_LAN
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit icmp any any unreachable
access-list outside_access_in permit icmp any any time-exceeded
access-list inside_outbound_nat0_acl permit ip IGOC_LAN 255.255.255.0 192.168.201.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip IGOC_LAN 255.255.252.0 FLO_LAN 255.255.252.0
access-list outside_cryptomap_dyn_20 permit ip any 192.168.201.0 255.255.255.0
access-list igoc_splitTunnelAcl permit ip IGOC_LAN 255.255.252.0 any
access-list outside_cryptomap_40 permit ip IGOC_LAN 255.255.252.0 FLO_LAN 255.255.252.0
pager lines 24
logging on
logging standby
icmp permit FLO_LAN 255.255.252.0 inside
mtu outside 1500
mtu inside 1500
ip address outside x.x.246.132 255.255.255.0
ip address inside 192.168.200.1 255.255.252.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpn 192.168.202.200-192.168.202.250
pdm location IGOC_LAN 255.255.255.255 inside
pdm location 0.0.0.0 255.255.255.0 inside
pdm location IGOC_LAN 255.255.255.0 inside
pdm location FLO_LAN 255.255.252.0 outside
pdm logging warnings 100
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.246.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection tcpmss 1250
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 40 ipsec-isakmp
crypto map outside_map 40 match address outside_cryptomap_40
crypto map outside_map 40 set peer x.x.75.65
crypto map outside_map 40 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address x.x.75.65 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash sha
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400
vpngroup igoc address-pool vpn
vpngroup igoc dns-server 8.8.8.8 8.8.4.4
vpngroup igoc default-domain igoc.com
vpngroup igoc split-tunnel igoc_splitTunnelAcl
vpngroup igoc idle-time 1800
vpngroup igoc password ********
: end
[OK]
New ASA 5520 config (Tunnel will not come up):
ASA Version 8.2(5)
!
names
!
interface GigabitEthernet0/0
nameif Outside
security-level 0
ip address x.x.246.132 255.255.255.0 standby x.x.246.134
!
interface GigabitEthernet0/1
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/1.2
vlan 2
nameif Inside
security-level 100
ip address 192.168.2.1 255.255.255.0 standby 192.168.2.10
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
description LAN/STATE Failover Interface
!
same-security-traffic permit inter-interface
access-list Outside_cryptomap extended permit ip 192.168.200.0 255.255.252.0 172.16.24.0 255.255.252.0
access-list Outside_access_in extended permit icmp any any
access-list Inside_nat0_outbound extended permit ip 192.168.200.0 255.255.252.0 172.16.24.0 255.255.252.0
access-list Outside_1_cryptomap extended permit ip 192.168.200.0 255.255.252.0 172.16.24.0 255.255.252.0
pager lines 24
logging enable
logging asdm debugging
mtu Outside 1500
mtu Inside 1500
mtu management 1500
ip local pool RemoteAccessPool 192.168.203.100-192.168.203.199 mask 255.255.252.0
failover
failover lan unit primary
failover lan interface Failover GigabitEthernet0/3
failover polltime interface 10 holdtime 50
failover key *****
failover link Failover GigabitEthernet0/3
failover interface ip Failover 10.0.0.1 255.255.255.0 standby 10.0.0.2
monitor-interface Inside
no monitor-interface management
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (Outside) 1 interface
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 1 0.0.0.0 0.0.0.0
access-group Outside_access_in in interface Outside
route Outside 0.0.0.0 0.0.0.0 x.x.246.1 1
route Inside 192.168.1.0 255.255.255.0 192.168.2.3 1
route Inside 192.168.100.0 255.255.252.0 192.168.2.3 1
route Inside 192.168.200.0 255.255.252.0 192.168.2.3 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.0.0 255.255.0.0 management
http 192.168.0.0 255.255.0.0 Inside
no snmp-server location
no snmp-server contact
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map Outside_map 1 match address Outside_1_cryptomap
crypto map Outside_map 1 set peer x.x.75.65
crypto map Outside_map 1 set transform-set ESP-3DES-MD5
crypto map Outside_map interface Outside
crypto isakmp identity address
crypto isakmp enable Outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable Outside
svc enable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec
group-policy RemoteAccess internal
group-policy RemoteAccess attributes
vpn-tunnel-protocol svc
tunnel-group RemoteAccess type remote-access
tunnel-group RemoteAccess general-attributes
address-pool RemoteAccessPool
default-group-policy RemoteAccess
tunnel-group RemoteAccess webvpn-attributes
group-alias ifagoc enable
group-url https://x.x.246.132/ifagoc enable
tunnel-group x.x.75.65 type ipsec-l2l
tunnel-group x.x.75.65 ipsec-attributes
pre-shared-key *****
peer-id-validate nocheck
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
: end
ā04-18-2012 10:16 AM
Hi,
Not really sure what the messages mean exactly.
Configurations seems to match.
Though the message would let you believe that it fails straight at Phase1.
Have you used
debug crypto isakmp
and
debug crypto ipsec
And seen what they give when trying to bring up the L2L VPN?
What does show crypto isakmp sa show when you are trying to bring up the connection?
- Jouni
ā04-18-2012 11:22 AM
debug crypto isakmp returns:
Apr 18 18:03:00 [IKEv1]: IP = x.x.75.65, Information Exchange processing failed
So yes, this seems to be phase one where the issue is. But it looks like all the phase one parameters match?
show crypto isakmp sa returns:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: x.x.75.65
Type : user Role : initiator
Rekey : no State : MM_WAIT_MSG2
ā04-18-2012 11:32 AM
Hi,
Yeah they do seem to match.
One source states this for the state MM_WAIT_MSG2
MM_WAIT_MSG2
Initial DH public key sent to responder. Awaiting initial contact reply from other side.
If stuck here it usually means the other end is not responding. This could be due to no route to the far end or the far end does not have ISAKMP enabled on the outside or the far end is down.
- Jouni
ā04-18-2012 11:35 AM
Also,
Reasons for Phase1 failing
Verify ISAKMP parameters match exactly.
- Jouni
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide