VPN ASA5505 to Linksys BEFSX41

paulty
Level 1

I am having issues getting a tunnel up between an ASA5505 and a Linksys BEFSX41

Local ip range of the network with the linksys is 10.1.3.0/24

The local ip range of the network with the ASA is 10.1.2.0/24

Log messages from the ASA

------------------------------------------

IKE Initiator: New Phase 1, Intf inside, IKE Peer 75.151.XXX.XXX  local Proxy Address 10.1.2.0, remote Proxy Address 10.1.3.0,  Crypto map (outside_map)

AAA retrieved default group policy (DfltGrpPolicy) for user = 75.151.XXX.XXX

Group = 75.151.XXX.XXX, IP = 75.151.XXX.XXX, PHASE 1 COMPLETED

Group = 75.151.XXX.XXX, IP = 75.151.XXX.XXX, Received non-routine Notify message: Invalid ID info (18)

Group = 75.151.XXX.XXX, IP = 75.151.XXX.XXX, QM FSM error (P2 struct &0xd8cf4b38, mess id 0x9ceab897)!

Group = 75.151.XXX.XXX, IP = 75.151.XXX.XXX, Removing peer from correlator table failed, no match!

Linksys

------------

Local Secure Group: IP Range / 10.1.2.1~254

Remote Secure Group: IP Range / 10.1.2.1~254

Remote Security Gateway IP Addr. / 24.154.XXX.XXX

Encryption: 3DES / MD5

Key Management: Auto IKE, PFS OFF, Pre-shared Key: XXXXXXX

Key Lifetime 28800

*Advance Settings*

Phase 1

Operation mode: Main

Proposal 1:

3DES / MD5 / 1024-bit

Key Lifetime 28800

Phase 2

Proposal

Encryption: 3DES / MD5

PFS: OFF

Group: 1024-bit

Key Lifetime: 28800

Other Settings:

NetBIOS broadcast ----- This won't let me uncheck it; every time I do, it just re-enables itself. Is this the non-routine message reported in the ASA log?

I do not have keep-alive checked because when it was, the ASA was reporting that the remote device doesn't support keep-alive ???

I'm attaching the ASA config.

3 Replies

Hi,

Make sure PFS is off for phase 2 on the Linksys side:

Phase 2

Proposal

Encryption: 3DES / MD5

PFS: OFF

Group: 1024-bit

It shows PFS off, but it then shows Group 1024-bit which is group 2.

If the problem persists, please post the complete output from "debug cry ips 127" when attempting the connection.

Federico.

In the Linksys it only gives you the option to select group 1 or group 2 under the PFS.

This is the only output I get from the debug when I try to bring up the tunnel.

IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, Src=10.1.2.15:2, Dest=10.1.3.254:2

IPSEC(crypto_map_check)-3: Checking crypto map outside_map 1: matched.

IPSEC: New embryonic SA created @ 0xD8CB83D8,

    SCB: 0xD7DF2600,

    Direction: inbound

    SPI      : 0x20BA6A35

    Session ID: 0x00083000

    VPIF num  : 0x00000002

    Tunnel type: l2l

    Protocol   : esp

    Lifetime   : 240 seconds

What if you enable PFS on the ASA side:

crypto map outside_map 1 set pfs groupx

Try deleting the SAs with "clear cry isa sa" and "clear cry ips sa" and establishing again to check the debugs.

Federico.
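To make the Phase 2 checks discussed in this thread concrete, here is an added Python model (not Cisco or Linksys code) of how an IKEv1 responder matches Quick Mode proxy IDs and PFS settings. The address ranges, the PFS values, the "Group: 1024-bit" = DH group 2 mapping and the Notify 18 (Invalid ID info) code come from the log and config posted above; the function names and the range-to-prefix helper are my own assumptions.

```python
import ipaddress

# ISAKMP notify type sent when a Quick Mode ID matches no configured policy (RFC 2408).
INVALID_ID_INFORMATION = 18
# Diffie-Hellman group numbers and the modulus sizes the Linksys UI shows for them.
DH_GROUP_BITS = {1: 768, 2: 1024, 5: 1536}

def covering_network(first, last):
    """Smallest prefix that covers a Linksys 'first~last' host range (constructed
    helper, not a vendor API). 10.1.2.1~10.1.2.254 widens to 10.1.2.0/24."""
    net = ipaddress.ip_network(f"{first}/32")
    while ipaddress.ip_address(last) not in net:
        net = net.supernet()
    return net

def quick_mode_check(asa_local, asa_remote, linksys_local, linksys_remote):
    """Model the responder's Phase 2 ID check: the Linksys accepts the ASA's
    proxy IDs only when its own local/remote secure groups are the mirror image
    (ASA local == Linksys remote, ASA remote == Linksys local).
    Returns None on a match, else the notify type the ASA would log."""
    asa_l, asa_r = ipaddress.ip_network(asa_local), ipaddress.ip_network(asa_remote)
    lk_l, lk_r = covering_network(*linksys_local), covering_network(*linksys_remote)
    if asa_l == lk_r and asa_r == lk_l:
        return None
    return INVALID_ID_INFORMATION

def pfs_check(asa_pfs_group, linksys_pfs_on, linksys_group_bits):
    """PFS must agree on both ends: both off, or both on with the same DH group.
    asa_pfs_group is the 'set pfs groupN' value, or None when PFS is not set."""
    if asa_pfs_group is None:
        return not linksys_pfs_on
    return linksys_pfs_on and DH_GROUP_BITS.get(asa_pfs_group) == linksys_group_bits

def diagnose(asa_local, asa_remote, linksys_local, linksys_remote,
             asa_pfs_group, linksys_pfs_on, linksys_group_bits):
    """Collect the findings to review before clearing SAs and re-running debugs."""
    findings = []
    notify = quick_mode_check(asa_local, asa_remote, linksys_local, linksys_remote)
    if notify is not None:
        findings.append(f"Phase 2 proxy IDs are not mirrored (expect Notify {notify})")
    if not pfs_check(asa_pfs_group, linksys_pfs_on, linksys_group_bits):
        findings.append("PFS setting differs between peers")
    return findings

if __name__ == "__main__":
    # Values as posted in the thread: ASA proxies 10.1.2.0 -> 10.1.3.0, Linksys
    # secure groups both 10.1.2.1~254, PFS off on both sides.
    for f in diagnose("10.1.2.0/24", "10.1.3.0/24", ("10.1.2.1", "10.1.2.254"),
                      ("10.1.2.1", "10.1.2.254"), None, False, 1024):
        print(f)
```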