cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
5350
Views
0
Helpful
4
Replies

site to site vpn with asa 5505 and sonic firewall

esossamon
Level 1
Level 1

I'm trying to establish a vpn tunnel with a sonic firewall. We've checked both ends for differences and they are the same. PFS has been disabled on both ends. I'm seeing this in the logs.

%ASA-3-713119: Group = x.x.x.x, IP = x.x.x.x, PHASE 1 COMPLETED

%ASA-5-713068: Group = x.x.x.x, IP = x.x.x.x, Received non-routine Notify message: No proposal chosen (14)

%ASA-5-713201: Group = x.x.x.x, IP = x.x.x.x, Duplicate Phase 1 packet detected. No last packet to retransmit.

%ASA-5-713068: Group = x.x.x.x, IP = x.x.x.x, Received non-routine Notify message: No proposal chosen (14)

%ASA-3-713902: Group = x.x.x.x, IP = x.x.x.x, QM FSM error (P2 struct &0x3f02c78, mess id 0x267fd72c)!

%ASA-1-713900: Group = x.x.x.x, IP = x.x.x.x, construct_ipsec_delete(): No SPI to identify Phase 2 SA!

%ASA-3-713902: Group = x.x.x.x, IP = x.x.x.x, Removing peer from correlator table failed, no match!

4 Replies 4

JORGE RODRIGUEZ
Level 10
Level 10

Hi, I would suggest to debug both isakmp and ipsec to give a bit more details of where could be failing even though your first message says phase 1 completed.. debug will provide some clues.

you probably have seen this link but in case you haven't go over this example

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008052c9d4.shtml

if still no joy you can on the asa debug, post output of it .. try from the sonicwall side bring up the tunnel while you have debug on on the asa side.

terminal monitor

logging monitor 7

debug crypto isakmp

debug crypto ipsec

Regards

Jorge Rodriguez

vironet
Level 1
Level 1

the problem seems to be in your P2 confgurations (Networks local and remote, tranform set, encryption), Sometimes all other vendors by default use PFS, did you try enable pfs group2,

from what I've read is the sonicfirewalls have pfs disabled by default but we have confirmed neither end has it enabled.

nielsw weel
Level 1
Level 1

I had the same error.

I resolved it by adding the internal route to the sonicwall it was missing :$.

The sonicwall diden't know about the route so it doesn't accept the policy listed by the ASA ore visa versa.

with kind regards,

Niels