VPN L2L using GNS3 --> ERROR: Removing peer from correlator table failed, no match!

ajcamachou
Level 1

I followed the instructions for interconnecting 2 LANs using VPN (I am using GNS3 simulating 2 ASA 5510, one on each side, to build the VPN), but I am receiving the following error (unfortunately, I am not an expert in terms of ASA).

ciscoasa2#   Apr 02 06:12:42 [IKEv1]Group = 67.94.1.2, IP = 67.94.1.2, QM FSM error (P2 struct &0xbc396bb8, mess id 0x65d3a659)!

Apr 02 06:12:42 [IKEv1]Group = 67.94.1.2, IP = 67.94.1.2, Removing peer from correlator table failed, no match!

Apr 02 06:12:42 [IKEv1]Group = 67.94.1.2, IP = 67.94.1.2, Session is being torn down. Reason: Phase 2 Mismatch

Apr 02 06:12:44 [IKEv1]Group = 67.94.1.2, IP = 67.94.1.2, QM FSM error (P2 struct &0xbc146df0, mess id 0x2709556c)!

The diagram is something like:

PC1-LAN1--ASA1---WAN---ASA2--LAN2---PC2

Before applying VPN, I could ping from PC1 to the OUTSIDE of ASA2 and vice versa.

The configurations for the ASAs are:

SITE 1

ASA Version 8.4(2)
!
hostname ciscoasa2
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
description CONEXION A ROUTER # 2
nameif outside
security-level 0
ip address 50.1.1.2 255.255.255.0
!
interface GigabitEthernet1
description CONEXION SWITCH # 2
nameif inside
security-level 100
ip address 10.1.1.1 255.255.255.0
!
SOME INTERFACES WERE OMITTED
!
ftp mode passive
object network INTERNAL_LAN
subnet 10.1.1.0 255.255.255.0
object network NETWORK-LOCAL
subnet 10.1.1.0 255.255.255.0
object network NETWORK-REMOTE
subnet 172.16.1.0 255.255.255.0
access-list OUTSIDE_IN remark Traffic from Outside (Internet) to Internal LAN
access-list OUTSIDE_IN extended permit ip any any
access-list OUTSIDE_IN extended permit icmp any any
access-list VPN-TO-ASA1 extended permit ip 10.1.1.0 255.255.255.0 172.16.1.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static NETWORK-LOCAL NETWORK-LOCAL destination static NETWORK-REMOTE NETWORK-REMOTE
!
object network INTERNAL_LAN
nat (inside,outside) dynamic interface
access-group OUTSIDE_IN in interface outside
route outside 0.0.0.0 0.0.0.0 50.1.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set espSHA3DESproto esp-des esp-sha-hmac
crypto map IPSEC 10 match address VPN-TO-ASA1
crypto map IPSEC 10 set peer 67.94.1.2
crypto map IPSEC 10 set ikev1 transform-set espSHA3DESproto
crypto map IPSEC interface outside
crypto isakmp identity address
no crypto isakmp nat-traversal
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group 67.94.1.2 type ipsec-l2l
tunnel-group 67.94.1.2 ipsec-attributes
ikev1 pre-shared-key *****
isakmp keepalive threshold 30 retry 5
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect pptp
!
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:e96b9102c0afc699ca39df978dd1096b
: end
ciscoasa2#


SITE 2

ASA Version 8.4(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
description CONEXION HACIA INTERNET 67.94.1.0 / 28
nameif outside
security-level 0
ip address 67.94.1.2 255.255.255.240
!
interface GigabitEthernet1
description CONEXION LAN INTERNA 172.16.1.0 / 24
nameif inside
security-level 100
ip address 172.16.1.1 255.255.255.0
!
!
ftp mode passive
object network Network-Local
subnet 172.16.1.0 255.255.255.0
object network Network-Remota
subnet 10.1.1.0 255.255.255.0
object network INTERNAL-LAN
subnet 172.16.1.0 255.255.255.0
access-list OUTSIDE_IN remark Traffic from Outside (Internet) to Internal LAN
access-list OUTSIDE_IN extended permit ip any any
access-list OUTSIDE_IN extended permit icmp any any
access-list VPN-TO-ASA2 extended permit ip 172.16.1.0 255.255.255.0 10.1.1.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static Network-Local Network-Local destination static Network-Remota Network-Remota
!
object network INTERNAL-LAN
nat (inside,outside) dynamic interface
access-group OUTSIDE_IN in interface outside
route outside 0.0.0.0 0.0.0.0 67.94.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set espSHA3DESproto esp-3des esp-sha-hmac
crypto map IPSEC 10 match address VPN-TO-ASA2
crypto map IPSEC 10 set peer 50.1.1.2
crypto map IPSEC 10 set ikev1 transform-set espSHA3DESproto
crypto map IPSEC interface outside
crypto isakmp identity address
no crypto isakmp nat-traversal
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group 50.1.1.2 type ipsec-l2l
tunnel-group 50.1.1.2 ipsec-attributes
ikev1 pre-shared-key *****
isakmp keepalive threshold 30 retry 5
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect pptp
!
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:7f6998d87d35c9fab97d2c41f00c7d95
: end
ciscoasa#

VERSION OF IOS in the GNS ASA

ciscoasa2#      show flash
--#--  --length--  -----date/time------  path
    5  4096        Mar 31 2012 20:28:08  log
   10  4096        Mar 31 2012 20:28:12  coredumpinfo
   11  59          Mar 31 2012 20:28:12  coredumpinfo/coredump.cfg
   78  196         Mar 31 2012 20:28:12  upgrade_startup_errors_201203312028.log
   74  0           Mar 31 2012 21:13:36  nat_ident_migrate
268136448 bytes total (267767808 bytes free)
ciscoasa2# show ver
Cisco Adaptive Security Appliance Software Version 8.4(2)
Compiled on Wed 15-Jun-11 18:17 by builders
System image file is "Unknown, monitor mode tftp booted image"
Config file at boot was "startup-config"
ciscoasa2 up 2 hours 59 mins
Hardware:   ASA 5520, 1024 MB RAM, CPU Pentium II 1000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash unknown @ 0x0, 0KB

0: Ext: GigabitEthernet0    : address is 00ab.a72f.0100, irq 0
1: Ext: GigabitEthernet1    : address is 00ab.a72f.0101, irq 0
2: Ext: GigabitEthernet2    : address is 0000.ab96.ba02, irq 0
3: Ext: GigabitEthernet3    : address is 0000.abc5.8a03, irq 0
4: Ext: GigabitEthernet4    : address is 0000.ab7a.4604, irq 0
5: Ext: GigabitEthernet5    : address is 0000.abd9.1205, irq 0
Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 100            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Disabled       perpetual
VPN-DES                           : Disabled       perpetual
VPN-3DES-AES                      : Disabled       perpetual
Security Contexts                 : 0              perpetual
GTP/GPRS                          : Disabled       perpetual
AnyConnect Premium Peers          : 5000           perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 5000           perpetual
Total VPN Peers                   : 0              perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 2              perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Intercompany Media Engine         : Disabled       perpetual
This platform has an ASA 5520 VPN Plus license.
Serial Number: 123456789AB
Running Permanent Activation Key: 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000
Configuration register is 0x0
Configuration last modified by enable_15 at 06:07:30.389 UTC Mon Apr 2 2012
ciscoasa2#

IN ADDITION TO THAT, I tried to configure the isakmp policy, but I only have the following options:

ciscoasa(config)# crypto ?

configure mode commands/options:
  ca           Certification authority
  dynamic-map  Configure a dynamic crypto map
  ikev1        Configure IKEv1 policy
  ikev2        Configure IKEv2 policy
  ipsec        Configure transform-set, IPSec SA lifetime, and fragmentation
  isakmp       Configure ISAKMP
  key          Long term key operations
  map          Configure a crypto map

exec mode commands/options:
  ca  Execute Certification Authority Commands

ciscoasa(config)# crypto isakmp ?

configure mode commands/options:
  disconnect-notify  Enable disconnect notification to peers
  identity           Set identity type (address, hostname or key-id)
  nat-traversal      Enable and configure nat-traversal
  reload-wait        Wait for voluntary termination of existing connections
                     before reboot

ciscoasa(config)# crypto ikev1 ?

configure mode commands/options:
  am-disable      Disable inbound aggressive mode connections
  enable          Enable IKEv1 on the specified interface
  ipsec-over-tcp  Enable and configure IPSec over TCP
  policy          Set IKEv1 policy suite

ciscoasa(config)# crypto ikev1 policy ?

configure mode commands/options:
  <1-65535>  Policy suite priority(1 highest, 65535 lowest)

ciscoasa(config)#

That is the reason why I was only able to configure:

crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400

There is no SA established between both ends.

Thank you in advance for your orientation regarding this issue!!
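Added example (not part of the original post, and not Cisco tooling): a small triage script for the ASA IKEv1 log lines quoted above. It parses the "[IKEv1]Group = ..., IP = ..., message" format, maps each message to the IKE phase it points at, and gives a per-peer verdict so that the eye-catching "Removing peer from correlator table failed" line is not mistaken for the root cause: the "Reason: Phase 2 Mismatch" line is the one that says what to compare. The sample input is constructed from the four lines in the post (prompt stripped) plus one constructed phase-1 failure line for a fictitious second peer, 203.0.113.7; the text of that phase-1 message ("All IKE SA proposals found unacceptable!") is assumed from ASA IKEv1 debug output and is not on this page.

```python
import re
from collections import Counter

# Sample input, constructed for this example: the four [IKEv1] lines quoted in
# the post above (prompt stripped) plus one constructed phase-1 failure line for
# a fictitious second peer (203.0.113.7) so the two verdicts can be contrasted.
SAMPLE_LOG = """\
Apr 02 06:12:42 [IKEv1]Group = 67.94.1.2, IP = 67.94.1.2, QM FSM error (P2 struct &0xbc396bb8, mess id 0x65d3a659)!
Apr 02 06:12:42 [IKEv1]Group = 67.94.1.2, IP = 67.94.1.2, Removing peer from correlator table failed, no match!
Apr 02 06:12:42 [IKEv1]Group = 67.94.1.2, IP = 67.94.1.2, Session is being torn down. Reason: Phase 2 Mismatch
Apr 02 06:12:44 [IKEv1]Group = 67.94.1.2, IP = 67.94.1.2, QM FSM error (P2 struct &0xbc146df0, mess id 0x2709556c)!
Apr 02 06:15:01 [IKEv1]IP = 203.0.113.7, All IKE SA proposals found unacceptable!
"""

# "Mon DD HH:MM:SS [IKEv1]Group = <tunnel-group>, IP = <peer>, <message>"
# The Group field is absent before a tunnel-group has been matched.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}) \[IKEv1\]"
    r"(?:Group = (?P<group>\S+), )?IP = (?P<ip>\S+), (?P<msg>.*)$"
)

# (message pattern, IKE phase it points at, what to compare on both peers)
RULES = [
    (r"Reason: Phase 2 Mismatch", 2,
     "transform-set algorithms, PFS group and crypto-map ACL (proxy IDs) must match"),
    (r"QM FSM error", 2,
     "quick mode aborted; same checks as a phase 2 mismatch"),
    (r"Removing peer from correlator table failed", 2,
     "seen alongside the failed quick mode; read the Reason line, not this one"),
    (r"All IKE SA proposals found unacceptable", 1,
     "ikev1 policy: authentication, encryption, hash and DH group must match"),
]


def parse_line(line):
    """Split one ASA IKEv1 log line into its fields; None if it is not one."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(msg):
    """Map a message to (phase, hint) using RULES; (None, None) if unknown."""
    for pattern, phase, hint in RULES:
        if re.search(pattern, msg):
            return phase, hint
    return None, None


def triage(log_text):
    """Group recognised IKEv1 failures by peer and give a per-peer verdict."""
    events = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        phase, hint = classify(rec["msg"])
        if phase is not None:
            events.append({**rec, "phase": phase, "hint": hint})

    verdicts = {}
    for peer in sorted({e["ip"] for e in events}):
        mine = [e for e in events if e["ip"] == peer]
        # Phase 1 must succeed before quick mode runs, so it wins the verdict.
        p1 = [e for e in mine if e["phase"] == 1]
        explicit = [e for e in mine if "Reason: Phase 2 Mismatch" in e["msg"]]
        if p1:
            verdicts[peer] = "phase 1: " + p1[0]["hint"]
        elif explicit:
            verdicts[peer] = "phase 2: " + explicit[0]["hint"]
        else:
            verdicts[peer] = "phase 2: " + mine[0]["hint"]

    return {
        "peers": sorted(verdicts),
        "phase_counts": dict(Counter(e["phase"] for e in events)),
        "verdicts": verdicts,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for peer, verdict in result["verdicts"].items():
        print(f"{peer}: {verdict}")
```

Run it against `show logging` output (or a `debug crypto ikev1` capture) and the verdict for 67.94.1.2 comes out as a phase 2 problem, which narrows the comparison to the transform sets, the crypto ACLs and PFS rather than the ikev1 policy.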

5 Replies

Jouni Forss
VIP Alumni

Hi,

Your Site1 transform set has "DES", your Site2 has "3DES":

Site1: crypto ipsec ikev1 transform-set espSHA3DESproto esp-des esp-sha-hmac

Site2: crypto ipsec ikev1 transform-set espSHA3DESproto esp-3des esp-sha-hmac

- Jouni
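Added example, written for this page rather than taken from the reply above or from Cisco: a checker that parses the VPN-relevant lines of two ASA configs and reports what would block IKEv1 phase 1 or phase 2 before anyone stares at the debug output. The excerpts embedded below are the lines from the two configs posted in the question (Site 1 still with `esp-des`); the field names, the "PHASE1/PHASE2/WEAK" labels and the helper functions are my own. Phase 1 needs one `crypto ikev1 policy` on each side agreeing on authentication, encryption, hash and DH group; phase 2 needs a transform set with the same algorithms on both sides (the responder accepts a quick-mode proposal only when it has an equal transform set) and crypto ACLs that mirror each other. The WEAK lines are the caveat a practitioner would add today: DES, 3DES and DH group 2 were acceptable in a 2012 lab but are legacy now, and should not be copied from this thread into a production tunnel.

```python
import re

# Excerpts, as posted in the thread, of the two configs (only the VPN lines
# the comparison reads). Site 1 still carries the esp-des transform set.
SITE1 = """\
access-list VPN-TO-ASA1 extended permit ip 10.1.1.0 255.255.255.0 172.16.1.0 255.255.255.0
crypto ipsec ikev1 transform-set espSHA3DESproto esp-des esp-sha-hmac
crypto map IPSEC 10 match address VPN-TO-ASA1
crypto map IPSEC 10 set peer 67.94.1.2
crypto map IPSEC 10 set ikev1 transform-set espSHA3DESproto
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
"""
SITE2 = """\
access-list VPN-TO-ASA2 extended permit ip 172.16.1.0 255.255.255.0 10.1.1.0 255.255.255.0
crypto ipsec ikev1 transform-set espSHA3DESproto esp-3des esp-sha-hmac
crypto map IPSEC 10 match address VPN-TO-ASA2
crypto map IPSEC 10 set peer 50.1.1.2
crypto map IPSEC 10 set ikev1 transform-set espSHA3DESproto
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
"""

P1_KEYS = ("authentication", "encryption", "hash", "group")
WEAK_ALGS = {"des", "3des", "esp-des", "esp-3des", "md5", "esp-md5-hmac"}  # legacy ciphers/HMACs
LEGACY_DH = {"1", "2", "5"}  # DH groups below 2048 bits


def parse_asa(cfg):
    """Pull ikev1 policies, transform sets, crypto-map entries and crypto ACLs."""
    policies, tsets, cmaps, acls = {}, {}, {}, {}
    cur = None  # ikev1 policy block currently being filled
    for raw in cfg.splitlines():
        line = raw.strip()
        if m := re.match(r"crypto ikev1 policy (\d+)$", line):
            cur = policies.setdefault(int(m.group(1)), {})
            continue
        if cur is not None and (m := re.match(r"(\w+) (\S+)$", line)) and m.group(1) in P1_KEYS + ("lifetime",):
            cur[m.group(1)] = m.group(2)
            continue
        cur = None  # any other line ends the policy block
        if m := re.match(r"crypto ipsec ikev1 transform-set (\S+) (.+)$", line):
            tsets[m.group(1)] = frozenset(m.group(2).split())
        elif m := re.match(r"crypto map (\S+) (\d+) (match address|set peer|set ikev1 transform-set) (.+)$", line):
            key = {"match address": "acl", "set peer": "peer", "set ikev1 transform-set": "ts"}[m.group(3)]
            cmaps.setdefault((m.group(1), int(m.group(2))), {})[key] = m.group(4).split()
        elif m := re.match(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$", line):
            acls.setdefault(m.group(1), []).append(((m.group(2), m.group(3)), (m.group(4), m.group(5))))
    return {"policies": policies, "tsets": tsets, "cmaps": cmaps, "acls": acls}


def offered_tsets(parsed):
    """Transform sets actually referenced by crypto-map entries."""
    return [parsed["tsets"][n] for e in parsed["cmaps"].values() for n in e.get("ts", []) if n in parsed["tsets"]]


def crypto_acl_pairs(parsed):
    """(src, dst) network pairs from every ACL referenced by a crypto map."""
    return {p for e in parsed["cmaps"].values() for acl in e.get("acl", []) for p in parsed["acls"].get(acl, [])}


def weak_algorithms(parsed):
    """Legacy algorithms used anywhere in the ikev1 policies or transform sets."""
    weak = set()
    for p in parsed["policies"].values():
        weak |= {p.get("encryption"), p.get("hash")} & WEAK_ALGS
        if p.get("group") in LEGACY_DH:
            weak.add("dh-group-" + p["group"])
    for s in parsed["tsets"].values():
        weak |= s & WEAK_ALGS
    return sorted(weak)


def compare(a, b):
    """Return findings; PHASE1/PHASE2 entries are negotiation blockers."""
    findings = []
    agreeing = [(pa, pb) for pa in a["policies"].values() for pb in b["policies"].values()
                if all(pa.get(k) == pb.get(k) for k in P1_KEYS)]
    if not agreeing:
        findings.append("PHASE1: no ikev1 policy agrees on authentication/encryption/hash/group")
    elif all(pa.get("lifetime") != pb.get("lifetime") for pa, pb in agreeing):
        findings.append("NOTE: the matching ikev1 policies use different lifetimes")
    ta, tb = offered_tsets(a), offered_tsets(b)
    if not any(x == y for x in ta for y in tb):
        findings.append("PHASE2: no matching transform set; A offers %s, B offers %s"
                        % ([sorted(x) for x in ta], [sorted(y) for y in tb]))
    if {(d, s) for s, d in crypto_acl_pairs(a)} != crypto_acl_pairs(b):
        findings.append("PHASE2: crypto ACLs are not mirror images (proxy ID mismatch)")
    for label, cfg in (("A", a), ("B", b)):
        if weak := weak_algorithms(cfg):
            findings.append("WEAK (%s): %s" % (label, ", ".join(weak)))
    return findings


if __name__ == "__main__":
    for finding in compare(parse_asa(SITE1), parse_asa(SITE2)):
        print(finding)
```

On the two excerpts as posted it reports the PHASE2 transform-set mismatch that the reply identifies; after changing Site 1 to `esp-3des esp-sha-hmac` only the WEAK lines remain. Feed it the full `show running-config` of both peers and the same checks apply, since lines the parser does not recognise are ignored.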

Hi JouniForss,

Thank you so much, I made the modification and now it works.

I can continue simulating all the possible scenarios for interconnecting ASA + VMware for Web/FTP servers.

regards

Abraham

Hi,

Glad to hear you got it working

Please rate if you found it helpful.

- Jouni

Jouni, I am trying to rate it but it does not work. Layer 8 problem apparently!!!

Hi,

There should be 2 rows of stars at the bottom of every post. The left one of the rows should let you set a rating when you put your pointer over the stars.

But if it doesn't work, it's no problem.