06-12-2015 01:46 PM
Hi!
I am trying to bring up a Site-to-Site VPN tunnel between an ASA5505 and a vShield Edge Gateway. It seems that Phase 1 comes up, but not Phase 2.
The logs say:
"Failure during phase 1 rekeying attempt due to collision"
"Received encrypted packet with no matching sa, dropping"
show crypto isakmp
Active SA: 1
Rekey SA: 1 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2
1 IKE Peer: X.X.X.X
Type : L2L Role : responder
Rekey : no State : MM_REKEY_DONE_H2
2 IKE Peer: X.X.X.X
Type : L2L Role : responder
Rekey : yes State : MM_ACTIVE_REKEY
show crypto ipsec sa
There are no ipsec sas
Anyone have any suggestions on how to solve this issue?
06-12-2015 07:51 PM
Activate "debug crypto isakmp 7" and "debug crypto ipsec 7".
Introduce traffic that should go between the LANs via the VPN.
Share the output.
06-12-2015 10:57 PM
Tuned the debugging up to 200 on both isakmp and ipsec and got the following output; I replaced the public IP of the remote site with 1.1.1.1:
Jun 13 07:54:19 [IKEv1]: IP = 1.1.1.1, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 220
Jun 13 07:54:19 [IKEv1 DEBUG]: IP = 1.1.1.1, processing SA payload
Jun 13 07:54:19 [IKEv1 DEBUG]: IP = 1.1.1.1, Oakley proposal is acceptable
Jun 13 07:54:19 [IKEv1 DEBUG]: IP = 1.1.1.1, processing VID payload
Jun 13 07:54:19 [IKEv1 DEBUG]: IP = 1.1.1.1, processing VID payload
Jun 13 07:54:19 [IKEv1 DEBUG]: IP = 1.1.1.1, Received DPD VID
Jun 13 07:54:19 [IKEv1 DEBUG]: IP = 1.1.1.1, processing VID payload
Jun 13 07:54:19 [IKEv1 DEBUG]: IP = 1.1.1.1, Received NAT-Traversal RFC VID
Jun 13 07:54:19 [IKEv1 DEBUG]: IP = 1.1.1.1, processing VID payload
Jun 13 07:54:19 [IKEv1 DEBUG]: IP = 1.1.1.1, Received NAT-Traversal ver 03 VID
Jun 13 07:54:19 [IKEv1 DEBUG]: IP = 1.1.1.1, processing VID payload
Jun 13 07:54:19 [IKEv1 DEBUG]: IP = 1.1.1.1, Received NAT-Traversal ver 02 VID
Jun 13 07:54:19 [IKEv1 DEBUG]: IP = 1.1.1.1, processing VID payload
Jun 13 07:54:19 [IKEv1 DEBUG]: IP = 1.1.1.1, processing VID payload
Jun 13 07:54:19 [IKEv1 DEBUG]: IP = 1.1.1.1, processing IKE SA payload
Jun 13 07:54:19 [IKEv1 DEBUG]: IP = 1.1.1.1, IKE SA Proposal # 1, Transform # 0 acceptable Matches global IKE entry # 15
Jun 13 07:54:19 [IKEv1 DEBUG]: IP = 1.1.1.1, constructing ISAKMP SA payload
Jun 13 07:54:19 [IKEv1 DEBUG]: IP = 1.1.1.1, constructing NAT-Traversal VID ver 02 payload
Jun 13 07:54:19 [IKEv1 DEBUG]: IP = 1.1.1.1, constructing Fragmentation VID + extended capabilities payload
Jun 13 07:54:19 [IKEv1]: IP = 1.1.1.1, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 128
Jun 13 07:54:19 [IKEv1]: IP = 1.1.1.1, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 228
Jun 13 07:54:19 [IKEv1 DEBUG]: IP = 1.1.1.1, processing ke payload
Jun 13 07:54:19 [IKEv1 DEBUG]: IP = 1.1.1.1, processing ISA_KE payload
Jun 13 07:54:19 [IKEv1 DEBUG]: IP = 1.1.1.1, processing nonce payload
Jun 13 07:54:19 [IKEv1 DEBUG]: IP = 1.1.1.1, processing NAT-Discovery payload
Jun 13 07:54:19 [IKEv1 DEBUG]: IP = 1.1.1.1, computing NAT Discovery hash
Jun 13 07:54:19 [IKEv1 DEBUG]: IP = 1.1.1.1, processing NAT-Discovery payload
Jun 13 07:54:19 [IKEv1 DEBUG]: IP = 1.1.1.1, computing NAT Discovery hash
Jun 13 07:54:19 [IKEv1 DEBUG]: IP = 1.1.1.1, constructing ke payload
Jun 13 07:54:19 [IKEv1 DEBUG]: IP = 1.1.1.1, constructing nonce payload
Jun 13 07:54:19 [IKEv1 DEBUG]: IP = 1.1.1.1, constructing Cisco Unity VID payload
Jun 13 07:54:19 [IKEv1 DEBUG]: IP = 1.1.1.1, constructing xauth V6 VID payload
Jun 13 07:54:19 [IKEv1 DEBUG]: IP = 1.1.1.1, Send IOS VID
Jun 13 07:54:19 [IKEv1 DEBUG]: IP = 1.1.1.1, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Jun 13 07:54:19 [IKEv1 DEBUG]: IP = 1.1.1.1, constructing VID payload
Jun 13 07:54:19 [IKEv1 DEBUG]: IP = 1.1.1.1, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Jun 13 07:54:19 [IKEv1 DEBUG]: IP = 1.1.1.1, constructing NAT-Discovery payload
Jun 13 07:54:19 [IKEv1 DEBUG]: IP = 1.1.1.1, computing NAT Discovery hash
Jun 13 07:54:19 [IKEv1 DEBUG]: IP = 1.1.1.1, constructing NAT-Discovery payload
Jun 13 07:54:19 [IKEv1 DEBUG]: IP = 1.1.1.1, computing NAT Discovery hash
Jun 13 07:54:19 [IKEv1]: IP = 1.1.1.1, Connection landed on tunnel_group 1.1.1.1
Jun 13 07:54:19 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, Generating keys for Responder...
Jun 13 07:54:19 [IKEv1]: IP = 1.1.1.1, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 304
Jun 13 07:54:19 [IKEv1]: IP = 1.1.1.1, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 64
Jun 13 07:54:19 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, processing ID payload
Jun 13 07:54:19 [IKEv1 DECODE]: Group = 1.1.1.1, IP = 1.1.1.1, ID_IPV4_ADDR ID received
1.1.1.1
Jun 13 07:54:19 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, processing hash payload
Jun 13 07:54:19 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, Computing hash for ISAKMP
Jun 13 07:54:19 [IKEv1]: Group = 1.1.1.1, IP = 1.1.1.1, Automatic NAT Detection Status: Remote end is NOT behind a NAT device This end is NOT behind a NAT device
Jun 13 07:54:19 [IKEv1]: IP = 1.1.1.1, Connection landed on tunnel_group 1.1.1.1
Jun 13 07:54:19 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, constructing ID payload
Jun 13 07:54:19 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, constructing hash payload
Jun 13 07:54:19 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, Computing hash for ISAKMP
Jun 13 07:54:19 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, constructing dpd vid payload
Jun 13 07:54:19 [IKEv1]: IP = 1.1.1.1, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + VENDOR (13) + NONE (0) total length : 86
Jun 13 07:54:19 [IKEv1]: Group = 1.1.1.1, IP = 1.1.1.1, Failure during phase 1 rekeying attempt due to collision
Jun 13 07:54:19 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, IKE MM Responder FSM error history (struct &0xca623588) <state>, <event>: MM_DONE, EV_ERROR-->MM_SND_MSG6_H, EV_SND_MSG_OK-->MM_SND_MSG6_H, EV_SND_MSG-->MM_SND_MSG6, EV_SND_MSG-->MM_BLD_MSG6, EV_ENCRYPT_OK-->MM_BLD_MSG6, NullEvent-->MM_BLD_MSG6, EV_ENCRYPT_MSG-->MM_BLD_MSG6, EV_CHECK_IA
Jun 13 07:54:19 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, IKE SA MM:be5cb988 terminating: flags 0x01000002, refcnt 0, tuncnt 0
Jun 13 07:54:19 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, sending delete/delete with reason message
Jun 13 07:54:19 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, constructing blank hash payload
Jun 13 07:54:19 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, constructing IKE delete payload
Jun 13 07:54:19 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, constructing qm hash payload
Jun 13 07:54:19 [IKEv1]: IP = 1.1.1.1, IKE_DECODE SENDING Message (msgid=aa351106) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
Jun 13 07:54:19 [IKEv1]: IP = 1.1.1.1, Received encrypted packet with no matching SA, dropping
06-13-2015 11:42 AM
The key message I see in the debug is "Failure during phase 1 rekeying attempt due to collision".
One of the best troubleshooting guides I refer to is the Cisco TAC-published guide "Most Common L2L and Remote Access IPsec VPN Troubleshooting Solutions".
That document indicates you should check your isakmp lifetimes for a possible mismatch when you see that error.
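As an added triage aid that is not part of this thread, the following Python script parses ASA IKEv1 debug lines of the shape posted above, counts the messages that matter when Phase 1 completes but Phase 2 never forms, and returns a per-peer verdict; the regex and the sample lines are constructed from the thread's output, and 1.1.1.1 is the anonymised peer from the post.

```python
import re
from collections import Counter
# Matches ASA IKEv1 debug lines, e.g. "Jun 13 07:54:19 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, processing ID payload"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \[(?P<src>IKEv1(?: \w+)?)\]: "
    r"(?:Group = (?P<group>\S+), )?IP = (?P<ip>\S+), (?P<msg>.*)$"
)
# Message fragments that matter when Phase 1 completes but Phase 2 never forms.
SIGNATURES = {
    "rekey_collision": "Failure during phase 1 rekeying attempt due to collision",
    "sa_terminating": "terminating: flags",
    "delete_sent": "constructing IKE delete payload",
    "no_matching_sa": "Received encrypted packet with no matching SA",
}

def parse_line(line):
    """Split one debug line into its fields; return None for non-IKE lines."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def triage(lines):
    """Return {peer_ip: (signature_counts, verdict)} for a debug capture."""
    peers = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        hits = peers.setdefault(ev["ip"], Counter())
        for name, needle in SIGNATURES.items():
            if needle in ev["msg"]:
                hits[name] += 1
    result = {}
    for ip, hits in peers.items():
        if hits["rekey_collision"] and hits["no_matching_sa"]:
            # The ASA tore down its IKE SA on the collision; the peer kept sending on it.
            verdict = "rekey collision then orphaned traffic: compare ISAKMP lifetimes on both peers"
        else:
            verdict = "no rekey-collision pattern"
        result[ip] = (dict(hits), verdict)
    return result

# Constructed sample in the shape of the thread's debug output (1.1.1.1 is the remote peer).
SAMPLE = """\
Jun 13 07:54:19 [IKEv1]: Group = 1.1.1.1, IP = 1.1.1.1, Failure during phase 1 rekeying attempt due to collision
Jun 13 07:54:19 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, IKE SA MM:be5cb988 terminating: flags 0x01000002, refcnt 0, tuncnt 0
Jun 13 07:54:19 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, constructing IKE delete payload
Jun 13 07:54:19 [IKEv1]: IP = 1.1.1.1, Received encrypted packet with no matching SA, dropping
"""
```

Feed it the full `debug crypto isakmp` capture; a peer whose verdict names the lifetime check is the one to compare against the remote gateway's Phase 1 settings.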
06-14-2015 01:34 AM
Solved the issue by deleting everything that was related to the VPN, crypto maps, etc. Then I rebuilt the VPN and everything worked.