Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5349
Views
0
Helpful
4
Replies

site to site vpn with asa 5505 and sonic firewall

esossamon
Level 1
Level 1

‎08-28-2009 01:39 PM

I'm trying to establish a vpn tunnel with a sonic firewall. We've checked both ends for differences and they are the same. PFS has been disabled on both ends. I'm seeing this in the logs.

%ASA-3-713119: Group = x.x.x.x, IP = x.x.x.x, PHASE 1 COMPLETED

%ASA-5-713068: Group = x.x.x.x, IP = x.x.x.x, Received non-routine Notify message: No proposal chosen (14)

%ASA-5-713201: Group = x.x.x.x, IP = x.x.x.x, Duplicate Phase 1 packet detected. No last packet to retransmit.

%ASA-5-713068: Group = x.x.x.x, IP = x.x.x.x, Received non-routine Notify message: No proposal chosen (14)

%ASA-3-713902: Group = x.x.x.x, IP = x.x.x.x, QM FSM error (P2 struct &0x3f02c78, mess id 0x267fd72c)!

%ASA-1-713900: Group = x.x.x.x, IP = x.x.x.x, construct_ipsec_delete(): No SPI to identify Phase 2 SA!

%ASA-3-713902: Group = x.x.x.x, IP = x.x.x.x, Removing peer from correlator table failed, no match!

Labels:
0 Helpful
4 Replies 4

JORGE RODRIGUEZ
Level 10
Level 10

‎08-29-2009 06:58 PM

Hi, I would suggest to debug both isakmp and ipsec to give a bit more details of where could be failing even though your first message says phase 1 completed.. debug will provide some clues.

you probably have seen this link but in case you haven't go over this example

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008052c9d4.shtml

if still no joy you can on the asa debug, post output of it .. try from the sonicwall side bring up the tunnel while you have debug on on the asa side.

terminal monitor

logging monitor 7

debug crypto isakmp

debug crypto ipsec

Regards

Jorge Rodriguez
0 Helpful

vironet
Level 1
Level 1

‎08-31-2009 01:51 PM

the problem seems to be in your P2 confgurations (Networks local and remote, tranform set, encryption), Sometimes all other vendors by default use PFS, did you try enable pfs group2,

0 Helpful

esossamon
Level 1
Level 1
In response to vironet

‎08-31-2009 08:24 PM

from what I've read is the sonicfirewalls have pfs disabled by default but we have confirmed neither end has it enabled.

0 Helpful

nielsw weel
Level 1
Level 1

‎07-29-2011 04:27 AM

I had the same error.

I resolved it by adding the internal route to the sonicwall it was missing :$.

The sonicwall diden't know about the route so it doesn't accept the policy listed by the ASA ore visa versa.

with kind regards,

Niels

0 Helpful
Customers Also Viewed These Support Documents