VPN 3002 Hardware Client to ASA 5502 Problems

smartin · ‎03-23-2006

I trying to connect a VPN 3002 HC to a ASA 3002. Using the "VPN Wizard" I did a step-by-step configuration on the ASA. I believe my problem resides on the 3002. On the ASA I'm getting the followering errors.

%ASA-3-713123: Group = xxxxx, IP = x.x.x.x, IKE lost contact with remote peer, deleting connection (keepalive type: DPD)

%ASA-4-113019: Group = xxxxx, Username = xxxxx, IP = x.x.x.x, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h

:00m:23s, Bytes xmt: 0, Bytes rcv: 0, Reason: Lost Service.

Any help would be greatful !

smartin · ‎03-24-2006

Also on the ASA I believe Phase 1 is working. Under monitor I see IKE seems to be working. I believe I'm having Phase 2 issues.

ID - 1

Type- IKE

Encryption - 3DES-168

Other - Authentication Mode: preSharedKeys

UDP Source Port: 500

UDP Destination Port: 500

IKE Negotiation Moded: Aggressive

Hashing:SHA1

Diffie-Hellman Group:2

Rekey Time Interval:86400 Secords

Rekey Left(T):86397 Secords

IKE Peer: x.x.x.x

Type: L2l Role: responder

Rekey: no State: AM_ACTIVE

Encrypt: 3des Hash: SHA

Auth: preshared Lifetime: 86400

Lifetime Remaining : 86388

On the Cisco 3002 I'm seeing the Following:

28255 03/24/2006 10:07:14.990 SEV=4 IKE/41 RPT=2226 x.x.x.x

IKE Initiator: New Phase 1, Intf 12, IKE Peer x.x.x.x

local Proxy Address x.x.x.x, remote Proxy Address x.x.x.x,

SA (ESP-3DES-MD5)

28258 03/24/2006 10:07:15.200 SEV=5 IKEDBG/64 RPT=2225 x.x.x.x

IKE Peer included IKE fragmentation capability flags:

Main Mode: True

Aggressive Mode: True

28260 03/24/2006 10:07:15.350 SEV=5 IKE/172 RPT=2225 x.x.x.x

Group [test]

Automatic NAT Detection Status:

Remote end is NOT behind a NAT device

This end is NOT behind a NAT device

28264 03/24/2006 10:07:15.410 SEV=5 IKE/73 RPT=2214 x.x.x.x

Group [test]

Responder forcing change of IKE rekeying duration from 2147483647 to 86400 secon

ds