08-26-2013 05:10 AM
Hello everybody,
We currently want to build a Site-to-Site VPN between a PIX and a Small-Business SA540, but the
Phase 2 negotiation fails with "No Phase2 handle found":
Mon Aug 26 09:24:37 2013 (GMT +0100): [Cisco] [IKE] INFO: accept a request to establish IKE-SA: XXX.XXX.XXX.XX1
Mon Aug 26 09:24:37 2013 (GMT +0100): [Cisco] [IKE] INFO: Configuration found for XXX.XXX.XXX.XX1.
Mon Aug 26 09:24:37 2013 (GMT +0100): [Cisco] [IKE] INFO: Configuration found for XXX.XXX.XXX.XX1.
Mon Aug 26 09:24:37 2013 (GMT +0100): [Cisco] [IKE] INFO: Initiating new phase 2 negotiation: XXX.XXX.XXX.XX2[500]<=>XXX.XXX.XXX.XX1[0]
Mon Aug 26 09:24:37 2013 (GMT +0100): [Cisco] [IKE] ERROR: Unknown notify message from XXX.XXX.XXX.XX1[500].No phase2 handle found.
Mon Aug 26 09:24:47 2013 (GMT +0100): [Cisco] [IKE] ERROR: packet shorter than isakmp header size.
Mon Aug 26 09:24:47 2013 (GMT +0100): [Cisco] [IKE] ERROR: packet shorter than isakmp header size.
Config PIX:
crypto map OUTSIDE_MAP 60 ipsec-isakmp
crypto map OUTSIDE_MAP 60 match address TSM2ABC
crypto map OUTSIDE_MAP 60 set peer XXXXXXXXX
crypto map OUTSIDE_MAP 60 set transform-set ESP-3DES-SHA
crypto map OUTSIDE_MAP 60 set security-association lifetime seconds 7200 kilobytes 4608000
!
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
!
I have also checked the Pre-Shared Key...
The settings on the SA540 can be found in the attachments.
I have the latest firmware:
Has anybody tried a VPN between a PIX and SA540?
08-29-2013 07:07 AM
Hi Christoph, thank you for using our forum. My name is Luis and I am part of the Small Business Support community. In this case I can share with you an article on the SA540 to guide you with your VPN configuration; you can check the link below.
http://www6.nohold.net/CiscoSB/Loginr.aspx?login=1&pid=2&app=search&vw=1&articleid=2946
However, you can get more feedback about your VPN configuration if you move your post using the actions panel on the right. You can move it to the link below.
https://supportforums.cisco.com/community/netpro/security/vpn
I hope you find this answer useful.
Greetings,
Luis Arias.
Cisco Network Support Engineer.