
VPN site to site Cisco ASA - Fortinet

Hello guys

I have a problem: I'm trying to establish a site-to-site VPN, but it doesn't work. Any ideas?

That's my config:

Cisco Adaptive Security Appliance Software Version 9.1(7)16 
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5
 prf sha
 lifetime seconds 86400

crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5

crypto map outside_map 1 match address OUTSIDE_cryptomap
crypto map outside_map 1 set pfs group5
crypto map outside_map 1 set peer A.A.A.A
crypto map outside_map 1 set ikev2 ipsec-proposal AES256
crypto map outside_map 1 set ikev2 pre-shared-key *****
crypto map outside_map 1 set security-association lifetime seconds 86400
crypto map outside_map 1 set security-association lifetime kilobytes unlimited

access-list OUTSIDE_cryptomap line 1 extended permit ip object-group Name1 object-group Name2 (hitcnt=0) 0x213f8a72
  access-list OUTSIDE_cryptomap line 1 extended permit ip 192.168.129.0 255.255.255.0 host 172.16.46.245 (hitcnt=0) 0xbf57b8c6
  access-list OUTSIDE_cryptomap line 1 extended permit ip 192.168.128.0 255.255.255.0 host 172.16.46.245 (hitcnt=0) 0x71e6c289
  access-list OUTSIDE_cryptomap line 1 extended permit ip 192.168.129.0 255.255.255.0 host 10.0.9.1 (hitcnt=0) 0x467a9c8f
  access-list OUTSIDE_cryptomap line 1 extended permit ip 192.168.128.0 255.255.255.0 host 10.0.9.1 (hitcnt=0) 0xdd4436c8

Session-id:1, Status:UP-IDLE, IKE count:1, CHILD count:0

Tunnel-id                 Local                Remote     Status         Role
  4954889     B.B.B.B/500     A.A.A.A/500      READY    RESPONDER
      Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/56108 sec

That is the output of debug crypto ikev2 platform 127:

IKEv2-PLAT-3: RECV PKT [CREATE_CHILD_SA] [A.A.A.A]:500->[B.B.B.B]:500 InitSPI=0x1f5a1bc7993df779 RespSPI=0xe44bcb6c47f97e49 MID=000005e8
IKEv2-PLAT-2: (1): Crypto Map: No proxy match on map outside_map seq 1
IKEv2-PLAT-2: (1): Crypto map outside_map seq 3 is incomplete
IKEv2-PLAT-2: (1): Crypto map outside_map seq 5 is incomplete
IKEv2-PLAT-2: (1): Crypto map outside_map seq 6 is incomplete
IKEv2-PLAT-2: (1): Crypto map outside_map seq 9 is incomplete
IKEv2-PLAT-2: (1): Crypto map: Skipping dynamic map SYSTEM_DEFAULT_CRYPTO_MAP sequence 65535: cannot match peerless map when peer found in previous map entry.
IKEv2-PLAT-3: (1): SENT PKT [CREATE_CHILD_SA] [B.B.B.B]:500->[A.A.A.A]:500 InitSPI=0x1f5a1bc7993df779 RespSPI=0xe44bcb6c47f97e49 MID=000005e8
IKEv2-PLAT-5: Negotiating SA request deleted
IKEv2-PLAT-1: Failed to decrement count for incoming negotiating

Thanks for your help

Best regards

Accepted Solution

Hi,

The error message indicates that the traffic did not match outside_map seq 1. You should check the ACL and confirm the correct networks are defined to match the interesting traffic on both the ASA and the Fortinet firewalls.


HTH
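The "No proxy match on map outside_map seq 1" line means the traffic selectors the Fortinet proposed in its CREATE_CHILD_SA did not fall inside any entry of OUTSIDE_cryptomap. The script below is an added example, not part of this thread or of Cisco's tooling: it parses the crypto ACL posted in the question and checks a few constructed Fortinet phase-2 proposals against it. It uses a simplified model of the ASA responder check (both selectors of the proposal must fall within one ACE), which is an assumption, and the object-group ACE is omitted because the group members are not shown.

```python
import ipaddress

# Crypto ACL from the question, in ASA "network mask" notation. The object-group
# line is left out because the groups' members are not shown in the post.
ASA_CRYPTO_ACL = """
access-list OUTSIDE_cryptomap extended permit ip 192.168.129.0 255.255.255.0 host 172.16.46.245
access-list OUTSIDE_cryptomap extended permit ip 192.168.128.0 255.255.255.0 host 172.16.46.245
access-list OUTSIDE_cryptomap extended permit ip 192.168.129.0 255.255.255.0 host 10.0.9.1
access-list OUTSIDE_cryptomap extended permit ip 192.168.128.0 255.255.255.0 host 10.0.9.1
"""


def _take_addr(tokens):
    """Consume one ASA address spec (host X | any | NET MASK) -> IPv4Network."""
    tok = tokens.pop(0)
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(tok + "/" + tokens.pop(0), strict=False)


def parse_crypto_acl(text):
    """Return [(local_net, remote_net), ...] from the 'permit ip' ACEs."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if "permit" not in parts or "ip" not in parts:
            continue
        tokens = parts[parts.index("ip") + 1:]
        entries.append((_take_addr(tokens), _take_addr(tokens)))
    return entries


def proxy_match(entries, asa_local, asa_remote):
    """Simplified responder check (assumption): the proposed selector pair, seen
    from the ASA side, must fall inside one ACE. Returns that ACE or None."""
    want_local = ipaddress.ip_network(asa_local, strict=False)
    want_remote = ipaddress.ip_network(asa_remote, strict=False)
    for local, remote in entries:
        if want_local.subnet_of(local) and want_remote.subnet_of(remote):
            return (str(local), str(remote))
    return None


if __name__ == "__main__":
    aces = parse_crypto_acl(ASA_CRYPTO_ACL)
    # Constructed Fortinet phase-2 proposals, expressed from the ASA's point of view.
    for label, local, remote in [
        ("host selector mirrors the ACE", "192.168.129.0/24", "172.16.46.245/32"),
        ("Fortinet side uses the whole /24", "192.168.129.0/24", "172.16.46.0/24"),
        ("Fortinet left 0.0.0.0/0 selectors", "0.0.0.0/0", "0.0.0.0/0"),
    ]:
        print(f"{label}: {proxy_match(aces, local, remote) or 'NO PROXY MATCH'}")
```

Only the first constructed proposal matches; the other two reproduce the "No proxy match" condition, which is why the selectors on the Fortinet must mirror the ASA ACEs exactly.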
