Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1332
Views
0
Helpful
8
Replies

VPN Errors

swashbuckler
Level 1
Level 1

‎10-15-2013 08:15 AM

I am currently getting the following errors:

Group = DefaultL2LGroup, IP = 62.73.210.70, ERROR, had problems decrypting packet, probably due to mismatched pre-shared key.  Aborting


Group = DefaultL2LGroup, IP = 62.73.210.70, Removing peer from peer table failed, no match!


Group = DefaultL2LGroup, IP = 62.73.210.70, Error: Unable to remove PeerTblEntry

The pre-shared keys are the same.

Thanks for the help in advanced.

Below is my config:

IP Address: 172.25.62.226 and NAT'ed to Public 62.73.210.70

Gateway: 172.25.62.225

interface Vlan1
nameif inside
security-level 100
ip address 10.200.1.209 255.255.255.240
!
interface Vlan2
nameif outside
security-level 0
ip address 172.25.62.226 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2

ftp mode passive
access-list nonat extended permit ip 10.200.1.208 255.255.255.240 10.199.1.0 255                                                                                                 .255.255.0
access-list nonat extended permit ip 10.200.1.208 255.255.255.240 10.10.144.0 25                                                                                                 5.255.252.0
access-list VPNL2L extended permit ip 10.200.1.208 255.255.255.240 10.199.1.0 25                                                                                                 5.255.255.0
access-list VPNL2L extended permit ip 10.200.1.208 255.255.255.240 10.10.144.0 2                                                                                                 55.255.252.0
access-list 100 extended permit tcp host 89.254.12.35 host 10.200.1.213 eq www
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 172.25.62.225 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
crypto ipsec transform-set mytrans esp-des esp-md5-hmac
crypto map mymap 10 match address VPNL2L
crypto map mymap 10 set peer 65.181.59.210
crypto map mymap 10 set transform-set mytrans
crypto map mymap 10 set security-association lifetime seconds 3600
crypto map mymap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
crypto isakmp nat-traversal  21
tunnel-group 65.181.59.210 type ipsec-l2l
tunnel-group 65.181.59.210 ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
: end

Labels:
0 Helpful
8 Replies 8

Patrick Moubarak
Level 4
Level 4

‎10-15-2013 09:17 AM

config looks ok and PSK is the same... what's on the other side; can you post the config?

also, strongly suggested to use stronger encryption/hashing than DES/MD5...

Patrick

0 Helpful

swashbuckler
Level 1
Level 1
In response to Patrick Moubarak

‎10-15-2013 09:32 AM

Patrick,

Thanks for the heads up on my encryption/hashing suggestion.

The above config is in a remote location.

Here is my current config at my location:

interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 65.181.59.210 255.255.255.240
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.199.1.2 255.255.255.0
!
interface GigabitEthernet0/2
nameif insideNOV
security-level 100
ip address 10.10.144.47 255.255.252.0
!

ftp mode passive
clock timezone MST -7
clock summer-time MDT recurring
dns server-group DefaultDNS
domain-name Rignet
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service WML tcp
description Remote wits data access
port-object range 1 65535
access-list aclin extended permit object-group DM_INLINE_PROTOCOL_9 any host 65.181.59.219
access-list aclin extended permit object-group DM_INLINE_SERVICE_3 any host 65.181.59.216
access-list aclin extended permit object-group DM_INLINE_PROTOCOL_6 any host 65.181.59.220
access-list aclin extended permit object-group DM_INLINE_PROTOCOL_5 host 10.199.1.2 host 65.181.59.210
access-list aclin extended permit object-group DM_INLINE_SERVICE_1 any host 65.181.59.222
access-list no-nat remark Local Rules
access-list no-nat extended permit ip Rignet 255.255.255.0 10.10.144.0 255.255.252.0
access-list no-nat remark Local Rules
access-list no-nat extended permit ip 10.10.144.0 255.255.252.0 10.200.1.80 255.255.255.240
access-list no-nat extended permit ip Rignet 255.255.255.0 ENI 255.255.255.240
access-list no-nat extended permit ip 10.10.144.0 255.255.252.0 ENI 255.255.255.240
access-list no-nat extended permit ip Rignet 255.255.255.0 Norway_Office 255.255.255.240
access-list no-nat extended permit ip 10.10.144.0 255.255.252.0 Norway_Office 255.255.255.240
access-list no-nat extended permit ip Rignet 255.255.255.0 BobbyVPN 255.255.255.0
access-list no-nat extended permit ip 10.10.144.0 255.255.252.0 BobbyVPN 255.255.255.0
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit tcp any any
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit tcp interface inside any
access-list inside_access_in remark Block port 135 for port scanning
access-list inside_access_in extended deny 135 any any
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_4 10.10.144.0 255.255.252.0 Rignet 255.255.255.0
access-list test extended permit icmp any any echo
access-list test extended permit icmp any any echo-reply
access-list InsideNOV_access_in extended permit ip 10.200.0.0 255.255.0.0 10.10.144.0 255.255.252.0
access-list InsideNOV_access_in extended permit object-group DM_INLINE_SERVICE_7 any any
access-list InsideNOV_access_in extended permit object-group DM_INLINE_SERVICE_4 Rignet 255.255.255.0 10.10.144.0 255.255.252.0
access-list InsideNOV_access_in extended permit object-group DM_INLINE_PROTOCOL_12 Norway_Office 255.255.255.240 10.10.144.0 255.255.252.0
access-list InsideNOV_access_in extended permit object-group DM_INLINE_PROTOCOL_8 BobbyVPN 255.255.255.0 10.10.144.0 255.255.252.0
access-list inside_acl extended permit object-group DM_INLINE_SERVICE_8 any any
access-list inside_acl extended permit object-group DM_INLINE_SERVICE_5 10.10.144.0 255.255.252.0 Rignet 255.255.255.0
access-list inside_acl extended permit object-group DM_INLINE_SERVICE_6 Rignet 255.255.255.0 10.10.144.0 255.255.252.0
access-list inside_acl extended permit object-group DM_INLINE_PROTOCOL_10 10.200.0.0 255.255.0.0 Rignet 255.255.255.0
access-list inside_acl extended deny object-group DM_INLINE_PROTOCOL_11 host 192.168.56.1 any
access-list inside_access_in_1 extended permit object-group DM_INLINE_PROTOCOL_1 any any
access-list inside_access_in_1 extended permit object-group DM_INLINE_PROTOCOL_2 10.10.144.0 255.255.252.0 Rignet 255.255.255.0
access-list inside_access_in_1 extended permit ip Rignet 255.255.255.0 Rignet 255.255.255.0
access-list inside_access_in_1 extended permit object-group DM_INLINE_PROTOCOL_7 BobbyVPN 255.255.255.0 Rignet 255.255.255.0
access-list inside_access_in_2 extended permit object-group DM_INLINE_SERVICE_11 Rignet 255.255.255.0 Rignet 255.255.255.0
pager lines 24
logging enable
logging asdm informational
no logging message 106015
no logging message 313001
no logging message 313008
no logging message 106023
no logging message 710003
no logging message 106100
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 302018
no logging message 302017
no logging message 302016
no logging message 302021
no logging message 302020
mtu outside 1500
mtu inside 1500
mtu insideNOV 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any insideNOV
icmp permit any echo-reply insideNOV
icmp permit any echo insideNOV
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (inside) 2 65.181.57.51 netmask 255.255.255.255
nat (outside) 1 0.0.0.0 0.0.0.0
nat (inside) 0 access-list no-nat
nat (inside) 1 Rignet 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 65.181.59.222 10.199.1.23 netmask 255.255.255.255
static (inside,outside) 65.181.59.219 10.199.1.27 netmask 255.255.255.255
static (inside,outside) 65.181.59.216 10.199.1.54 netmask 255.255.255.255
static (inside,outside) 65.181.59.220 10.199.1.26 netmask 255.255.255.255
access-group aclin in interface outside
access-group inside_access_in_1 in interface inside
access-group InsideNOV_access_in in interface insideNOV
route outside 0.0.0.0 0.0.0.0 65.181.59.209 1
route inside 153.15.156.217 255.255.255.255 65.181.57.51 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
snmp-server enable traps ipsec stop
snmp-server enable traps entity config-change
sysopt connection tcpmss 1100
sysopt noproxyarp inside
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set mySET esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map myDYN-MAP 5 set transform-set mySET
crypto dynamic-map myDYN-MAP 5 set security-association lifetime seconds 28800
crypto dynamic-map myDYN-MAP 5 set security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map myMAP 65000 ipsec-isakmp dynamic myDYN-MAP
crypto map myMAP interface outside
crypto ca trustpoint Intelliserv.rignet.local
enrollment terminal
subject-name CN=Rignet5550
keypair IntelliServ.rignet.local
crl configure
crypto ca trustpoint ASDM_TrustPoint3
crl configure
crypto ca trustpoint ASDM_TrustPoint0
enrollment terminal
subject-name CN=Rignet5550
password *
crl configure
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
crypto isakmp nat-traversal 21
telnet timeout 5
console timeout 0
management-access inside
no threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-policy myGROUP internal
group-policy myGROUP attributes
split-tunnel-policy tunnelspecified
nem enable
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key *
tunnel-group mytunnel type remote-access
tunnel-group mytunnel general-attributes
default-group-policy myGROUP
tunnel-group mytunnel ipsec-attributes
pre-shared-key *
tunnel-group 164.85.0.18 type ipsec-l2l
tunnel-group 164.85.0.18 ipsec-attributes
peer-id-validate cert
chain
tunnel-group-map default-group DefaultL2LGroup
!class-map inspection_default
match default-inspection-traffic
!policy-map global_policy
class inspection_default

: end

0 Helpful

Patrick Moubarak
Level 4
Level 4
In response to swashbuckler

‎10-15-2013 10:21 AM

you need an entry in the dynamic-map for the site:

access-list VPNL2L extended permit ip 10.199.1.0 255.255.255.0 10.200.1.208 255.255.255.240

access-list VPNL2L extended permit ip 10.10.144.0 255.255.252.0 10.200.1.208 255.255.255.240

crypto dynamic-map myDYN-MAP 1 set transform-set mySET

crypto dynamic-map myDYN-MAP 1 match address VPNL2L

crypto dynamic-map myDYN-MAP 1 set security-association lifetime seconds 3600

I am guessing that you are using the DefaultL2LGroup because the remote site doesn't have a fixed IP address...

Patrick

0 Helpful

swashbuckler
Level 1
Level 1
In response to Patrick Moubarak

‎10-15-2013 12:45 PM

Patrick,

I put the commands in on my side but still I get the same errors as above.

From my ASA at my location I am able to ping the public 62.73.210.70 but not the remote ASA 10.200.1.209 or outside address of 172.25.62.226.

Thanks,

Bobby

0 Helpful

Patrick Moubarak
Level 4
Level 4
In response to swashbuckler

‎10-15-2013 01:22 PM

you probably will not be able to ping the private outside address 172.25.62.226 but just its NATted public one 62.73.210.70... this is normal.

is the public 62.73.210.70 a fixed IP or it could change?

if it is fixed, then it is better to create a tunnel-group for it and not use the DefaultL2LGroup + point to it in the crypto map set peer instead of using a dynamic-map...

if it is dynamic, it has to be the one initiating traffic since this side does not know its IP address in advance...

Also, it is usually a good idea to ping a device behind the ASA, not the interface IP itself. If you want to ping the interface, you need to make sure it is allowed (some commands might be needed: management-access inside, icmp permit any inside...)

Patrick.

0 Helpful

swashbuckler
Level 1
Level 1
In response to Patrick Moubarak

‎10-15-2013 01:59 PM

Patrick,

I also tried to ping the server behind the ASA with no luck, you are right the interfaces are not allowed.

I use defaultL2LGroup because it is easier cause of many multiple sites that change about every 3 months (Oil Rigs)

The rig is suppose to initiate the traffic via continous pings.  (rig 10.200.x.x network to me 10.199.x.x network) but the pings are failing and according to my logs here I am getting the errors listed in the main post.

Bobby

0 Helpful

pranesh deshpande
Level 1
Level 1
In response to swashbuckler

‎10-16-2013 02:48 AM

Hi

Seems preshare key is not same on both side.. tunnel should not be up check sh cry is sa and sh cry ips

Thanks

Pranesh

0 Helpful

swashbuckler
Level 1
Level 1
In response to pranesh deshpande

‎10-16-2013 08:14 AM

Pranesh,

I did this command on each ASA in remote site and local site:

more system:running-config | inc pre-shared

Both keys were the same but I do not understand why the errors.

Thanks,

Bobby

0 Helpful
Customers Also Viewed These Support Documents