Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
9780
Views
5
Helpful
2
Replies

VPN Connection Dropping

Go to solution
Raymond Brown
Level 1
Level 1

‎04-25-2018 05:39 PM - edited ‎03-12-2019 05:14 AM

I have been recently having issues a few times a day where a site-to-site VPN connection keeps dropping to my cloud provider.  I am using a ASA 5510 and have a Juniper on the cloud provider side.  They have been recently doing software updates and maintenance on their network and I'm not sure if this is what is causing the issue.  Can someone please translate these syslog messages for me to lead me in the right direction.

 

 

 5:23 PM,Notice,192.168.1.250,%ASA-vpn-5-713041: Group = 200.100.50.38, IP = 200.100.50.38, IKE Initiator: New Phase 2, Intf INSIDE, IKE Peer 200.100.50.38  local Proxy Address 10.0.0.0, remote Proxy Address 10.128.238.0,  Crypto map (OUTSIDE_map)
 5:23 PM,Error,192.168.1.250,%ASA-vpn-3-713902: Group = 200.100.50.38, IP = 200.100.50.38, Removing peer from correlator table failed, no match!
 5:23 PM,Error,192.168.1.250,%ASA-vpn-3-713902: Group = 200.100.50.38, IP = 200.100.50.38, QM FSM error (P2 struct &0xae9d5be0, mess id 0xca8ac21e)!
 5:23 PM,Notice,192.168.1.250,%ASA-vpn-5-713068: Group = 200.100.50.38, IP = 200.100.50.38, Received non-routine Notify message: No proposal chosen (14)
 5:23 PM,Notice,192.168.1.250,%ASA-vpn-5-713041: Group = 200.100.50.38, IP = 200.100.50.38, IKE Initiator: New Phase 2, Intf INSIDE, IKE Peer 200.100.50.38  local Proxy Address 10.0.0.0, remote Proxy Address 10.120.254.0,  Crypto map (OUTSIDE_map)
 5:23 PM,Error,192.168.1.250,%ASA-vpn-3-713902: Group = 200.100.50.38, IP = 200.100.50.38, Removing peer from correlator table failed, no match!
 5:23 PM,Error,192.168.1.250,%ASA-vpn-3-713902: Group = 200.100.50.38, IP = 200.100.50.38, QM FSM error (P2 struct &0xae5db8b8, mess id 0x1ca83c70)!
 5:23 PM,Notice,192.168.1.250,%ASA-vpn-5-713068: Group = 200.100.50.38, IP = 200.100.50.38, Received non-routine Notify message: No proposal chosen (14)
 5:23 PM,Notice,192.168.1.250,%ASA-vpn-5-713068: Group = 200.100.50.38, IP = 200.100.50.38, Received non-routine Notify message: No proposal chosen (14)
 5:23 PM,Notice,192.168.1.250,%ASA-vpn-5-713068: Group = 200.100.50.38, IP = 200.100.50.38, Received non-routine Notify message: No proposal chosen (14)
 5:23 PM,Notice,192.168.1.250,%ASA-vpn-5-713041: Group = 200.100.50.38, IP = 200.100.50.38, IKE Initiator: New Phase 2, Intf INSIDE, IKE Peer 200.100.50.38  local Proxy Address 10.0.0.0, remote Proxy Address 10.128.238.0,  Crypto map (OUTSIDE_map)
 5:23 PM,Notice,192.168.1.250,%ASA-vpn-5-713068: Group = 200.100.50.38, IP = 200.100.50.38, Received non-routine Notify message: No proposal chosen (14)
 5:23 PM,Notice,192.168.1.250,%ASA-vpn-5-713119: Group = 200.100.50.38, IP = 200.100.50.38, PHASE 1 COMPLETED
 5:23 PM,Notice,192.168.1.250,%ASA-vpn-5-713041: IP = 200.100.50.38, IKE Initiator: New Phase 1, Intf INSIDE, IKE Peer 200.100.50.38  local Proxy Address 10.0.0.0, remote Proxy Address 10.120.254.0,  Crypto map (OUTSIDE_map)
 5:23 PM,Warning,192.168.1.250,%ASA-auth-4-113019: Group = 200.100.50.38, Username = 200.100.50.38, IP = 200.100.50.38, Session disconnected. Session Type: IKE, Duration: 0h:00m:32s, Bytes xmt: 0, Bytes rcv: 0, Reason: Lost Service
 5:23 PM,Notice,192.168.1.250,%ASA-vpn-5-713259: Group = 200.100.50.38, IP = 200.100.50.38, Session is being torn down. Reason: Lost Service
 5:23 PM,Error,192.168.1.250,%ASA-vpn-3-713902: Group = 200.100.50.38, IP = 200.100.50.38, Removing peer from correlator table failed, no match!
 5:23 PM,Error,192.168.1.250,%ASA-vpn-3-713902: Group = 200.100.50.38, IP = 200.100.50.38, QM FSM error (P2 struct &0xafc84b60, mess id 0xeb2e67a0)!
 5:23 PM,Error,192.168.1.250,%ASA-vpn-3-713902: Group = 200.100.50.38, IP = 200.100.50.38, Removing peer from correlator table failed, no match!
 5:23 PM,Error,192.168.1.250,%ASA-vpn-3-713902: Group = 200.100.50.38, IP = 200.100.50.38, QM FSM error (P2 struct &0xae9d5be0, mess id 0xa942c2f)!
 5:22 PM,Notice,192.168.1.250,%ASA-vpn-5-713068: Group = 200.100.50.38, IP = 200.100.50.38, Received non-routine Notify message: No proposal chosen (14)
 5:22 PM,Notice,192.168.1.250,%ASA-vpn-5-713068: Group = 200.100.50.38, IP = 200.100.50.38, Received non-routine Notify message: No proposal chosen (14)
 5:22 PM,Notice,192.168.1.250,%ASA-vpn-5-713068: Group = 200.100.50.38, IP = 200.100.50.38, Received non-routine Notify message: No proposal chosen (14)
 5:22 PM,Notice,192.168.1.250,%ASA-vpn-5-713041: Group = 200.100.50.38, IP = 200.100.50.38, IKE Initiator: New Phase 2, Intf INSIDE, IKE Peer 200.100.50.38  local Proxy Address 10.0.0.0, remote Proxy Address 10.120.254.0,  Crypto map (OUTSIDE_map)
 5:22 PM,Notice,192.168.1.250,%ASA-vpn-5-713068: Group = 200.100.50.38, IP = 200.100.50.38, Received non-routine Notify message: No proposal chosen (14)
 5:22 PM,Notice,192.168.1.250,%ASA-vpn-5-713119: Group = 200.100.50.38, IP = 200.100.50.38, PHASE 1 COMPLETED
 5:22 PM,Notice,192.168.1.250,%ASA-vpn-5-713041: IP = 200.100.50.38, IKE Initiator: New Phase 1, Intf INSIDE, IKE Peer 200.100.50.38  local Proxy Address 10.0.0.0, remote Proxy Address 10.128.238.0,  Crypto map (OUTSIDE_map)
 5:22 PM,Warning,192.168.1.250,%ASA-auth-4-113019: Group = 200.100.50.38, Username = 200.100.50.38, IP = 200.100.50.38, Session disconnected. Session Type: IKE, Duration: 0h:01m:05s, Bytes xmt: 0, Bytes rcv: 0, Reason: Lost Service
 5:22 PM,Notice,192.168.1.250,%ASA-vpn-5-713259: Group = 200.100.50.38, IP = 200.100.50.38, Session is being torn down. Reason: Lost Service
 5:22 PM,Error,192.168.1.250,%ASA-vpn-3-713902: Group = 200.100.50.38, IP = 200.100.50.38, Removing peer from correlator table failed, no match!
 5:22 PM,Error,192.168.1.250,%ASA-vpn-3-713902: Group = 200.100.50.38, IP = 200.100.50.38, QM FSM error (P2 struct &0xae9d5be0, mess id 0xdeb75009)!
 5:22 PM,Notice,192.168.1.250,%ASA-vpn-5-713068: Group = 200.100.50.38, IP = 200.100.50.38, Received non-routine Notify message: No proposal chosen (14)
 5:22 PM,Error,192.168.1.250,%ASA-vpn-3-713902: Group = 200.100.50.38, IP = 200.100.50.38, Removing peer from correlator table failed, no match!
 5:22 PM,Error,192.168.1.250,%ASA-vpn-3-713902: Group = 200.100.50.38, IP = 200.100.50.38, QM FSM error (P2 struct &0xaec9f3b8, mess id 0xa10c5466)!
 5:21 PM,Notice,192.168.1.250,%ASA-vpn-5-713068: Group = 200.100.50.38, IP = 200.100.50.38, Received non-routine Notify message: No proposal chosen (14)
 5:21 PM,Notice,192.168.1.250,%ASA-vpn-5-713041: Group = 200.100.50.38, IP = 200.100.50.38, IKE Initiator: New Phase 2, Intf INSIDE, IKE Peer 200.100.50.38  local Proxy Address 10.0.0.0, remote Proxy Address 10.120.254.0,  Crypto map (OUTSIDE_map)
 5:21 PM,Error,192.168.1.250,%ASA-vpn-3-713902: Group = 200.100.50.38, IP = 200.100.50.38, Removing peer from correlator table failed, no match!
 5:21 PM,Error,192.168.1.250,%ASA-vpn-3-713902: Group = 200.100.50.38, IP = 200.100.50.38, QM FSM error (P2 struct &0xafc84b60, mess id 0x9547dffb)!
 5:21 PM,Notice,192.168.1.250,%ASA-vpn-5-713068: Group = 200.100.50.38, IP = 200.100.50.38, Received non-routine Notify message: No proposal chosen (14)
 5:21 PM,Notice,192.168.1.250,%ASA-vpn-5-713068: Group = 200.100.50.38, IP = 200.100.50.38, Received non-routine Notify message: No proposal chosen (14)
 5:21 PM,Notice,192.168.1.250,%ASA-vpn-5-713904: IP = 200.100.50.38, Received encrypted packet with no matching SA, dropping
 5:21 PM,Notice,192.168.1.250,%ASA-vpn-5-713068: Group = 200.100.50.38, IP = 200.100.50.38, Received non-routine Notify message: No proposal chosen (14)
 5:21 PM,Notice,192.168.1.250,%ASA-vpn-5-713041: Group = 200.100.50.38, IP = 200.100.50.38, IKE Initiator: New Phase 2, Intf INSIDE, IKE Peer 200.100.50.38  local Proxy Address 10.0.0.0, remote Proxy Address 10.128.238.0,  Crypto map (OUTSIDE_map)
 5:21 PM,Notice,192.168.1.250,%ASA-vpn-5-713904: IP = 200.100.50.38, Received encrypted packet with no matching SA, dropping
 5:21 PM,Notice,192.168.1.250,%ASA-vpn-5-713068: Group = 200.100.50.38, IP = 200.100.50.38, Received non-routine Notify message: No proposal chosen (14)
 5:21 PM,Notice,192.168.1.250,%ASA-vpn-5-713119: Group = 200.100.50.38, IP = 200.100.50.38, PHASE 1 COMPLETED
 5:21 PM,Notice,192.168.1.250,%ASA-vpn-5-713041: IP = 200.100.50.38, IKE Initiator: New Phase 1, Intf INSIDE, IKE Peer 200.100.50.38  local Proxy Address 10.0.0.0, remote Proxy Address 10.120.254.0,  Crypto map (OUTSIDE_map)
 5:20 PM,Notice,192.168.1.250,%ASA-vpn-5-713041: IP = 200.100.50.38, IKE Initiator: New Phase 1, Intf INSIDE, IKE Peer 200.100.50.38  local Proxy Address 10.0.0.0, remote Proxy Address 10.120.254.0,  Crypto map (OUTSIDE_map)
 5:20 PM,Warning,192.168.1.250,%ASA-auth-4-113019: Group = 200.100.50.38, Username = 200.100.50.38, IP = 200.100.50.38, Session disconnected. Session Type: IPsec, Duration: 1d 8h:40m:48s, Bytes xmt: 480074760, Bytes rcv: 1234112395, Reason: Lost Service
 5:20 PM,Notice,192.168.1.250,%ASA-vpn-5-713259: Group = 200.100.50.38, IP = 200.100.50.38, Session is being torn down. Reason: Lost Service
 5:20 PM,Error,192.168.1.250,%ASA-vpn-3-713123: Group = 200.100.50.38, IP = 200.100.50.38, IKE lost contact with remote peer, deleting connection (keepalive type: DPD)
Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Bogdan Nita
VIP Alumni
VIP Alumni

‎04-26-2018 01:34 AM

Usually "Received non-routine Notify message: No proposal chosen" indicates mismatched transform sets, so you would need to check the encryption settings.

Basically the vpn peer is saying that that it did not find a match for the sent proposals.

I would try do to the following:

1. Make sure the encryption settings are the same on both sides, it wouldn't hurt to also check the crypto acls

2. Ask them to debug and see why the sent proposals are not being accepted or ask the to initiate the tunnel and debug on your end

 

HTH

Bogdan

View solution in original post

2 Replies 2

Go to solution
Bogdan Nita
VIP Alumni
VIP Alumni

‎04-26-2018 01:34 AM

Usually "Received non-routine Notify message: No proposal chosen" indicates mismatched transform sets, so you would need to check the encryption settings.

Basically the vpn peer is saying that that it did not find a match for the sent proposals.

I would try do to the following:

1. Make sure the encryption settings are the same on both sides, it wouldn't hurt to also check the crypto acls

2. Ask them to debug and see why the sent proposals are not being accepted or ask the to initiate the tunnel and debug on your end

 

HTH

Bogdan

Go to solution
Raymond Brown
Level 1
Level 1
In response to Bogdan Nita

‎04-26-2018 07:00 AM

Thanks for the tips.

 

Would this cause it to go up and down a few times throughout the day?

0 Helpful
Customers Also Viewed These Support Documents