sitetosite with asa 5505 and rv180

philippowell
Level 1

I've been trying to set up a permanent vpn between two sites. One site (rv180) currently has a dynamic ip, the other (asa 5505) is fixed.

Right now the connection is bailing with a "Phase 2 mismatch". I think the policies match up but it's rather hard to tell - both devices are rather different. I also only occasionally have access to the ASDM (for some reason it only runs on Macs with 10.6 - we only have one such machine and it still gets a fair amount of regular use!). CLI access is no problem.


Here's part of the ASA log. I'll attach the run-log from the ASA. There are some "object networks" in there that one should maybe clean up. There's at least one typo (12... instead of 192...).

Please tell me what you think. I'd be very grateful for any help.

Cheers

Phil


Mar 25 16:03:03 [IKEv1 DEBUG]: Group = sitetosite, IP = b.b.b.b, processing IPSec SA payload
Mar 25 16:03:03 [IKEv1]: Group = sitetosite, IP = b.b.b.b, All IPSec SA proposals found unacceptable!
Mar 25 16:03:03 [IKEv1 DEBUG]: Group = sitetosite, IP = b.b.b.b, sending notify message
Mar 25 16:03:03 [IKEv1 DEBUG]: Group = sitetosite, IP = b.b.b.b, constructing blank hash payload
Mar 25 16:03:03 [IKEv1 DEBUG]: Group = sitetosite, IP = b.b.b.b, constructing ipsec notify payload for msg id c466e273
Mar 25 16:03:03 [IKEv1 DEBUG]: Group = sitetosite, IP = b.b.b.b, constructing qm hash payload
Mar 25 16:03:03 [IKEv1]: IP = b.b.b.b, IKE_DECODE SENDING Message (msgid=b875781) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Mar 25 16:03:03 [IKEv1]: Group = sitetosite, IP = b.b.b.b, QM FSM error (P2 struct &0xcb00c5c0, mess id 0xc466e273)!
Mar 25 16:03:03 [IKEv1 DEBUG]: Group = sitetosite, IP = b.b.b.b, IKE QM Responder FSM error history (struct &0xcb00c5c0)  <state>, <event>:  QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_NEGO_SA-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH
Mar 25 16:03:03 [IKEv1 DEBUG]: Group = sitetosite, IP = b.b.b.b, sending delete/delete with reason message
Mar 25 16:03:03 [IKEv1]: Group = sitetosite, IP = b.b.b.b, Removing peer from correlator table failed, no match!
Mar 25 16:03:03 [IKEv1]: Group = sitetosite, IP = b.b.b.b, Deleting static route for L2L peer that came in on a dynamic map. address: 10.0.0.0, mask: 255.0.0.0
Mar 25 16:03:03 [IKEv1 DEBUG]: Group = sitetosite, IP = b.b.b.b, IKE SA AM:58a6271e rcv'd Terminate: state AM_ACTIVE  flags 0x00010041, refcnt 1, tuncnt 0
Mar 25 16:03:03 [IKEv1 DEBUG]: Group = sitetosite, IP = b.b.b.b, IKE SA AM:58a6271e terminating:  flags 0x01010001, refcnt 0, tuncnt 0
Mar 25 16:03:03 [IKEv1 DEBUG]: Group = sitetosite, IP = b.b.b.b, sending delete/delete with reason message
Mar 25 16:03:03 [IKEv1 DEBUG]: Group = sitetosite, IP = b.b.b.b, constructing blank hash payload
Mar 25 16:03:03 [IKEv1 DEBUG]: Group = sitetosite, IP = b.b.b.b, constructing IKE delete payload
Mar 25 16:03:03 [IKEv1 DEBUG]: Group = sitetosite, IP = b.b.b.b, constructing qm hash payload
Mar 25 16:03:03 [IKEv1]: IP = b.b.b.b, IKE_DECODE SENDING Message (msgid=77f6cea7) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
Mar 25 16:03:03 [IKEv1]: Group = sitetosite, IP = b.b.b.b, Session is being torn down. Reason: Phase 2 Mismatch
Mar 25 16:03:03 [IKEv1]: Ignoring msg to mark SA with dsID 3891200 dead because SA deleted
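The ASA debug above already contains the answer to "how far did the negotiation get": the responder was processing an IPSec SA payload (so Phase 1, here aggressive mode, had completed), rejected every Phase 2 proposal, and on teardown removed the route it had installed for the peer's protected network, 10.0.0.0 / 255.0.0.0. The following triage script, added here and not part of the original post, pulls exactly those facts out of a pasted ASA IKEv1 log. The sample lines are copied from the post with the peer still masked as b.b.b.b; the marker strings and the tag names are my own choice.

```python
import ipaddress
import re

# Constructed sample: lines copied from the ASA IKEv1 debug quoted in the post
# (peer masked as b.b.b.b, as in the post).  A real run would read 'show logging' or a syslog file.
SAMPLE_ASA_LOG = """\
Mar 25 16:03:03 [IKEv1 DEBUG]: Group = sitetosite, IP = b.b.b.b, processing IPSec SA payload
Mar 25 16:03:03 [IKEv1]: Group = sitetosite, IP = b.b.b.b, All IPSec SA proposals found unacceptable!
Mar 25 16:03:03 [IKEv1]: IP = b.b.b.b, IKE_DECODE SENDING Message (msgid=b875781) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Mar 25 16:03:03 [IKEv1]: Group = sitetosite, IP = b.b.b.b, QM FSM error (P2 struct &0xcb00c5c0, mess id 0xc466e273)!
Mar 25 16:03:03 [IKEv1]: Group = sitetosite, IP = b.b.b.b, Deleting static route for L2L peer that came in on a dynamic map. address: 10.0.0.0, mask: 255.0.0.0
Mar 25 16:03:03 [IKEv1]: Group = sitetosite, IP = b.b.b.b, Session is being torn down. Reason: Phase 2 Mismatch
"""

# "Mon DD hh:mm:ss [IKEv1 DEBUG]: Group = <g>, IP = <ip>, <message>"; Group and IP are optional.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \[(?P<proto>IKEv\d)(?: DEBUG)?\]: "
    r"(?:Group = (?P<group>[^,]+), )?(?:IP = (?P<ip>[^,]+), )?(?P<msg>.*)$"
)
ROUTE_RE = re.compile(r"address: (?P<addr>[\d.]+), mask: (?P<mask>[\d.]+)")

# Substrings that carry meaning in ASA IKEv1 output, mapped to a short tag (tag names are mine).
MARKERS = {
    "processing IPSec SA payload": "quick_mode_started",        # Quick Mode implies Phase 1 completed
    "All IPSec SA proposals found unacceptable": "p2_proposal_rejected",
    "QM FSM error": "p2_fsm_error",
    "came in on a dynamic map": "peer_matched_dynamic_map",     # peer hit the 0.0.0.0 / dynamic map
    "Reason: Phase 2 Mismatch": "teardown_phase2_mismatch",
}


def parse_line(line):
    """Split one ASA IKEv1 log line into its fields; None for lines in another format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def triage(log_text):
    """Summarise one IKEv1 session: which group and peer, how far it got, and why it died."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    result = {"group": None, "peer": None, "findings": [], "peer_selector": None}
    for e in events:
        result["group"] = result["group"] or e["group"]
        result["peer"] = result["peer"] or e["ip"]
        for needle, tag in MARKERS.items():
            if needle in e["msg"] and tag not in result["findings"]:
                result["findings"].append(tag)
        r = ROUTE_RE.search(e["msg"])
        if r:
            # The route the ASA installed for the peer's protected network, i.e. the remote
            # proxy ID the peer proposed; in the post this is 10.0.0.0/8, not a /24.
            net = ipaddress.ip_network(f"{r['addr']}/{r['mask']}", strict=False)
            result["peer_selector"] = str(net)
    result["phase1_complete"] = "quick_mode_started" in result["findings"]
    if "p2_proposal_rejected" in result["findings"]:
        result["verdict"] = (
            "Phase 1 succeeded; ASA rejected every Phase 2 proposal. Compare the ESP transform set "
            "(cipher, hash, PFS group) and check that the crypto ACL mirrors the peer's selector "
            f"{result['peer_selector']}"
        )
    elif result["phase1_complete"]:
        result["verdict"] = "Phase 1 succeeded; Phase 2 failed for another reason"
    else:
        result["verdict"] = "Phase 1 never completed"
    return result


if __name__ == "__main__":
    for key, value in triage(SAMPLE_ASA_LOG).items():
        print(f"{key}: {value}")
```

The point of extracting the route line is that it shows the selector the remote side actually sent, which is often not what its web UI appears to say; here it is a /8, which is the first thing to compare against the ASA's crypto ACL.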

4 Replies

Mike Williams
Level 5

I would look at your phase 2 transform set and verify that the access-list on the ASA matches the (reverse of) the matched subnets on the RV router. If you have multiple subnets on either side that you are matching, the RV will need a separate phase 2 configuration for each subnet pair.

Regards,

Mike
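Mike's two checks (transform set agrees, ASA crypto ACL is the exact mirror of the RV's local/remote pair) can be done offline before touching either box. The script below is an added example, not code from the thread or from Cisco: it takes a `permit ip` crypto ACE as it appears in `show run access-list`, the ASA transform-set keywords, and the RV180 policy fields, normalises both sides with the `ipaddress` module, and reports every way they fail to mirror. The addresses, the ACL name `outside_cryptomap`, and the keyword-to-UI-name table `NAME_MAP` are my assumptions for the example; the 255.0.0.0 default mask is the one the thread describes, and the script shows why it turns 10.1.1.0 into a 10.0.0.0/8 selector.

```python
import ipaddress

# Constructed inputs (example addresses, not the poster's).  ASA side: one crypto ACE and the
# transform-set keywords; RV180 side: the VPN policy fields as typed into its web UI.
ASA_ACL = [
    "access-list outside_cryptomap extended permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0",
]
ASA_TRANSFORM = {"esp-aes", "esp-sha-hmac"}
RV_POLICY = {
    "local": ("10.1.1.0", "255.0.0.0"),       # the default mask the thread complains about
    "remote": ("192.168.1.0", "255.255.255.0"),
    "encryption": "AES-128",
    "integrity": "SHA-1",
}

# ASA transform-set keyword -> RV180 UI name.  Assumed mapping, only for the names used here.
NAME_MAP = {"esp-aes": "AES-128", "esp-aes-256": "AES-256", "esp-3des": "3DES",
            "esp-sha-hmac": "SHA-1", "esp-md5-hmac": "MD5"}


def net_from(addr, mask):
    """Network a device derives from address + dotted mask, plus a flag if host bits were set.
    10.1.1.0 / 255.0.0.0 is put on the wire as 10.0.0.0/8, which is what the ASA log showed."""
    net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    host_bits_set = ipaddress.ip_address(addr) != net.network_address
    return net, host_bits_set


def parse_asa_acl(lines):
    """Return [(src_net, dst_net)] for each 'permit ip <src> <mask> <dst> <mask>' ACE."""
    selectors = []
    for line in lines:
        parts = line.split()
        i = parts.index("permit")
        if parts[i + 1] != "ip":
            raise ValueError(f"crypto ACEs must be 'permit ip', got: {line}")
        src, src_mask, dst, dst_mask = parts[i + 2:i + 6]
        selectors.append((net_from(src, src_mask)[0], net_from(dst, dst_mask)[0]))
    return selectors


def check(asa_acl, asa_transform, rv):
    """List every mismatch between the ASA crypto config and the RV180 policy; [] means they mirror."""
    problems = []
    rv_local, local_bits = net_from(*rv["local"])
    rv_remote, remote_bits = net_from(*rv["remote"])
    for label, (addr, mask), net, bad in (("local", rv["local"], rv_local, local_bits),
                                           ("remote", rv["remote"], rv_remote, remote_bits)):
        if bad:
            problems.append(f"RV {label} {addr}/{mask} has host bits set; it will propose {net}")
    # Mirror rule: the ASA ACE is written from the ASA's point of view, so its (src, dst)
    # must equal the RV's (remote, local).
    asa_selectors = parse_asa_acl(asa_acl)
    if (rv_remote, rv_local) not in asa_selectors:
        problems.append(
            "no ASA ACE mirrors the RV policy; expected 'permit ip "
            f"{rv_remote.network_address} {rv_remote.netmask} {rv_local.network_address} {rv_local.netmask}'"
        )
    # Phase 2 algorithms: the RV's choice must appear in what the ASA transform set offers.
    asa_algos = {NAME_MAP.get(k, k) for k in asa_transform}
    for want in (rv["encryption"], rv["integrity"]):
        if want not in asa_algos:
            problems.append(f"RV proposes {want}; ASA transform set offers {sorted(asa_algos)}")
    return problems


if __name__ == "__main__":
    for p in check(ASA_ACL, ASA_TRANSFORM, RV_POLICY) or ["OK: selectors and algorithms mirror"]:
        print(p)
```

With the thread's 255.0.0.0 mask the checker reports two problems (host bits set, and no ACE mirroring 10.0.0.0/8); with the mask corrected to 255.255.255.0 it reports none. If more than one subnet pair is involved, run it once per pair, since, as Mike says, the RV needs a separate Phase 2 policy for each.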

Hey Mike

Thanks for your reply.

On the RV180 the 10.1.1.0 subnet had a (default) mask of 255.0.0.0. I changed that to 255.255.255.0 but no change. I've attached a screenshot of the RV VPN policy settings.

The mask in the LAN settings for the RV seems to be 255.255.255.0, but when I click in the field it surreptitiously changes it to 255.0.0.0! Any idea what that's about?

I guess the relevant errors are still:

All IPSec SA proposals found unacceptable!

Removing peer from correlator table failed, no match!

Session is being torn down. Reason: Phase 2 Mismatch

There's also

QM FSM error (P2 struct &0xcb014760, mess id 0xc69b9d9b)!

Here's the log from the RV:


Wed Mar 26 09:48:47 2014 (GMT +0100): [home] [IKE] INFO:  Configuration found for a.a.a.a.
Wed Mar 26 09:48:47 2014 (GMT +0100): [home] [IKE] INFO:  Configuration found for a.a.a.a.
Wed Mar 26 09:48:47 2014 (GMT +0100): [home] [IKE] INFO:  Initiating new phase 1 negotiation: b.b.b.b[500]<=>a.a.a.a[500]
Wed Mar 26 09:48:47 2014 (GMT +0100): [home] [IKE] INFO:  Beginning Aggressive mode.
Wed Mar 26 09:48:47 2014 (GMT +0100): [home] [IKE] INFO:  NAT-Traversal is Enabled
Wed Mar 26 09:48:47 2014 (GMT +0100): [home] [IKE] INFO:   [isakmp_agg.c:257]: XXX: NUMNATTVENDORIDS: 3
Wed Mar 26 09:48:47 2014 (GMT +0100): [home] [IKE] INFO:   [isakmp_agg.c:261]: XXX: setting vendorid: 4
Wed Mar 26 09:48:47 2014 (GMT +0100): [home] [IKE] INFO:   [isakmp_agg.c:261]: XXX: setting vendorid: 8
Wed Mar 26 09:48:47 2014 (GMT +0100): [home] [IKE] INFO:   [isakmp_agg.c:261]: XXX: setting vendorid: 9
Wed Mar 26 09:48:47 2014 (GMT +0100): [home] [IKE] INFO:  Received Vendor ID: CISCO-UNITY
Wed Mar 26 09:48:47 2014 (GMT +0100): [home] [IKE] INFO:  Received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Wed Mar 26 09:48:47 2014 (GMT +0100): [home] [IKE] INFO:  Received Vendor ID: DPD
Wed Mar 26 09:48:47 2014 (GMT +0100): [home] [IKE] INFO:  Received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Wed Mar 26 09:48:47 2014 (GMT +0100): [home] [IKE] INFO:  Received unknown Vendor ID
Wed Mar 26 09:48:47 2014 (GMT +0100): [home] [IKE] INFO:  Received unknown Vendor ID
Wed Mar 26 09:48:47 2014 (GMT +0100): [home] [IKE] INFO:  NAT-D payload matches for b.b.b.b[500]
Wed Mar 26 09:48:47 2014 (GMT +0100): [home] [IKE] INFO:  NAT-D payload matches for a.a.a.a[500]
Wed Mar 26 09:48:47 2014 (GMT +0100): [home] [IKE] INFO:  For a.a.a.a[500], Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02
Wed Mar 26 09:48:47 2014 (GMT +0100): [home] [IKE] INFO:  NAT not detected 
Wed Mar 26 09:48:48 2014 (GMT +0100): [home] [IKE] INFO:  ISAKMP-SA established for b.b.b.b[500]-a.a.a.a[500] with spi:69ef06e9683c60eb:be4f9b5e17c382ee
Wed Mar 26 09:48:48 2014 (GMT +0100): [home] [IKE] INFO:  Sending Informational Exchange: notify payload[608]
Wed Mar 26 09:48:48 2014 (GMT +0100): [home] [IKE] INFO:  Initiating new phase 2 negotiation: b.b.b.b[0]<=>a.a.a.a[0]
Wed Mar 26 09:48:48 2014 (GMT +0100): [home] [IKE] ERROR:  Unknown notify message from a.a.a.a[500].No phase2 handle found.
Wed Mar 26 09:48:48 2014 (GMT +0100): [home] [IKE] INFO:  Purged ISAKMP-SA with proto_id=ISAKMP and spi=69ef06e9683c60eb:be4f9b5e17c382ee.


Cheers

Phil

I've been combing through the ASA config. Do you think the default-group-policy for "sitetosite" is correct? The other tunnel-groups seem to have their own default-group-policies, but this one shares "pkpowell" with pkpowell.


tunnel-group sitetosite type ipsec-l2l
tunnel-group sitetosite general-attributes
 default-group-policy pkpowell
tunnel-group sitetosite ipsec-attributes
 pre-shared-key *****
tunnel-group 0.0.0.0 type ipsec-l2l
tunnel-group 0.0.0.0 ipsec-attributes
 pre-shared-key *****

Well, I fiddled with settings on the 5505 and the tunnel came up. I think it was in the Tunnel Group settings.

I'll post any changes I remember doing later. Time for bed.


Cheers

Phil