03-17-2022 01:04 PM
Tunnel will not complete Phase 2 and I am out of ideas. Does anyone see anything I am missing in the crypto debug? It's between an ASA and an older Cisco Router.
sh cry ikev1 sa
IKEv1 SAs:
Active SA: 3
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 3
3 IKE Peer: X.X.X.X
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
debug crypto condition peer X.X.X.X
debug cry ikev1 128
Mar 17 14:41:45 [IKEv1]IP = X.X.X.X, IKE Initiator: New Phase 1, Intf inside, IKE Peer X.X.X.X local Proxy Address 172.20.0.0, remote Proxy Address 192.168.1.0, Crypto map (outside_map)
Mar 17 14:41:45 [IKEv1 DEBUG]IP = X.X.X.X, constructing ISAKMP SA payload
Mar 17 14:41:45 [IKEv1 DEBUG]IP = X.X.X.X, constructing NAT-Traversal VID ver 02 payload
Mar 17 14:41:45 [IKEv1 DEBUG]IP = X.X.X.X, constructing NAT-Traversal VID ver 03 payload
Mar 17 14:41:45 [IKEv1 DEBUG]IP = X.X.X.X, constructing NAT-Traversal VID ver RFC payload
Mar 17 14:41:45 [IKEv1 DEBUG]IP = X.X.X.X, constructing Fragmentation VID + extended capabilities payload
Mar 17 14:41:45 [IKEv1]IP = X.X.X.X, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 484
Mar 17 14:41:45 [IKEv1]IP = X.X.X.X, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
Mar 17 14:41:45 [IKEv1 DEBUG]IP = X.X.X.X, processing SA payload
Mar 17 14:41:45 [IKEv1 DEBUG]IP = X.X.X.X, Oakley proposal is acceptable
Mar 17 14:41:45 [IKEv1 DEBUG]IP = X.X.X.X, processing VID payload
Mar 17 14:41:45 [IKEv1 DEBUG]IP = X.X.X.X, Received NAT-Traversal RFC VID
Mar 17 14:41:45 [IKEv1 DEBUG]IP = X.X.X.X, constructing ke payload
Mar 17 14:41:45 [IKEv1 DEBUG]IP = X.X.X.X, constructing nonce payload
Mar 17 14:41:45 [IKEv1 DEBUG]IP = X.X.X.X, constructing Cisco Unity VID payload
Mar 17 14:41:45 [IKEv1 DEBUG]IP = X.X.X.X, constructing xauth V6 VID payload
Mar 17 14:41:45 [IKEv1 DEBUG]IP = X.X.X.X, Send IOS VID
Mar 17 14:41:45 [IKEv1 DEBUG]IP = X.X.X.X, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Mar 17 14:41:45 [IKEv1 DEBUG]IP = X.X.X.X, constructing VID payload
Mar 17 14:41:45 [IKEv1 DEBUG]IP = X.X.X.X, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Mar 17 14:41:45 [IKEv1 DEBUG]IP = X.X.X.X, constructing NAT-Discovery payload
Mar 17 14:41:45 [IKEv1 DEBUG]IP = X.X.X.X, computing NAT Discovery hash
Mar 17 14:41:45 [IKEv1 DEBUG]IP = X.X.X.X, constructing NAT-Discovery payload
Mar 17 14:41:45 [IKEv1 DEBUG]IP = X.X.X.X, computing NAT Discovery hash
Mar 17 14:41:45 [IKEv1]IP = X.X.X.X, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 304
Mar 17 14:41:45 [IKEv1]IP = X.X.X.X, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 304
Mar 17 14:41:45 [IKEv1 DEBUG]IP = X.X.X.X, processing ke payload
Mar 17 14:41:45 [IKEv1 DEBUG]IP = X.X.X.X, processing ISA_KE payload
Mar 17 14:41:45 [IKEv1 DEBUG]IP = X.X.X.X, processing nonce payload
Mar 17 14:41:45 [IKEv1 DEBUG]IP = X.X.X.X, processing VID payload
Mar 17 14:41:45 [IKEv1 DEBUG]IP = X.X.X.X, Received Cisco Unity client VID
Mar 17 14:41:45 [IKEv1 DEBUG]IP = X.X.X.X, processing VID payload
Mar 17 14:41:45 [IKEv1 DEBUG]IP = X.X.X.X, Received DPD VID
Mar 17 14:41:45 [IKEv1 DEBUG]IP = X.X.X.X, processing VID payload
Mar 17 14:41:45 [IKEv1 DEBUG]IP = X.X.X.X, Processing IOS/PIX Vendor ID payload (version: 1.0.0, capabilities: 00000f7f)
Mar 17 14:41:45 [IKEv1 DEBUG]IP = X.X.X.X, processing VID payload
Mar 17 14:41:45 [IKEv1 DEBUG]IP = X.X.X.X, Received xauth V6 VID
Mar 17 14:41:45 [IKEv1 DEBUG]IP = X.X.X.X, processing NAT-Discovery payload
Mar 17 14:41:45 [IKEv1 DEBUG]IP = X.X.X.X, computing NAT Discovery hash
Mar 17 14:41:45 [IKEv1 DEBUG]IP = X.X.X.X, processing NAT-Discovery payload
Mar 17 14:41:45 [IKEv1 DEBUG]IP = X.X.X.X, computing NAT Discovery hash
Mar 17 14:41:45 [IKEv1]IP = X.X.X.X, Connection landed on tunnel_group X.X.X.X
Mar 17 14:41:45 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, Generating keys for Initiator...
Mar 17 14:41:45 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, constructing ID payload
Mar 17 14:41:45 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, constructing hash payload
Mar 17 14:41:45 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, Computing hash for ISAKMP
Mar 17 14:41:45 [IKEv1 DEBUG]IP = X.X.X.X, Constructing IOS keep alive payload: proposal=32767/32767 sec.
Mar 17 14:41:45 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, constructing dpd vid payload
Mar 17 14:41:45 [IKEv1]IP = X.X.X.X, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 96
Mar 17 14:41:45 [IKEv1]Group = X.X.X.X, IP = X.X.X.X, Automatic NAT Detection Status: Remote end is NOT behind a NAT device This end is NOT behind a NAT device
Mar 17 14:41:45 [IKEv1]IP = X.X.X.X, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NOTIFY (11) + NONE (0) total length : 104
Mar 17 14:41:45 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, processing ID payload
Mar 17 14:41:45 [IKEv1 DECODE]Group = X.X.X.X, IP = X.X.X.X, ID_IPV4_ADDR ID received X.X.X.X
Mar 17 14:41:45 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, processing hash payload
Mar 17 14:41:45 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, Computing hash for ISAKMP
Mar 17 14:41:45 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, processing notify payload
Mar 17 14:41:45 [IKEv1]IP = X.X.X.X, Connection landed on tunnel_group X.X.X.X
Mar 17 14:41:45 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, Oakley begin quick mode
Mar 17 14:41:45 [IKEv1 DECODE]Group = X.X.X.X, IP = X.X.X.X, IKE Initiator starting QM: msg id = f36e4384
Mar 17 14:41:45 [IKEv1]Group = X.X.X.X, IP = X.X.X.X, PHASE 1 COMPLETED
Mar 17 14:41:45 [IKEv1]IP = X.X.X.X, Keep-alive type for this connection: DPD
Mar 17 14:41:45 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, Starting P1 rekey timer: 82080 seconds.
Mar 17 14:41:45 [IKEv1]Group = X.X.X.X, IP = X.X.X.X, Add to IKEv1 Tunnel Table succeeded for SA with logical ID 80740352
Mar 17 14:41:45 [IKEv1]Group = X.X.X.X, IP = X.X.X.X, Add to IKEv1 MIB Table succeeded for SA with logical ID 80740352
Mar 17 14:41:45 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, IKE got SPI from key engine: SPI = 0xd85bf525
Mar 17 14:41:45 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, IKE got SPI from key engine: SPI = 0xea2af025
Mar 17 14:41:45 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, IKE got SPI from key engine: SPI = 0xd84aeba4
Mar 17 14:41:45 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, IKE got SPI from key engine: SPI = 0xb561f125
Mar 17 14:41:45 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, oakley constucting quick mode
Mar 17 14:41:45 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, constructing blank hash payload
Mar 17 14:41:45 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, constructing IPSec SA payload
Mar 17 14:41:45 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, constructing IPSec nonce payload
Mar 17 14:41:45 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, constructing pfs ke payload
Mar 17 14:41:45 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, constructing proxy ID
Mar 17 14:41:45 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, Transmitting Proxy Id: Local subnet: 172.20.0.0 mask 255.255.0.0 Protocol 0 Port 0 Remote subnet: 192.168.1.0 Mask 255.255.255.240 Protocol 0 Port 0
Mar 17 14:41:45 [IKEv1 DECODE]Group = X.X.X.X, IP = X.X.X.X, IKE Initiator sending Initial Contact
Mar 17 14:41:45 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, constructing qm hash payload
Mar 17 14:41:45 [IKEv1 DECODE]Group = X.X.X.X, IP = X.X.X.X, IKE Initiator sending 1st QM pkt: msg id = f36e4384
Mar 17 14:41:45 [IKEv1]IP = X.X.X.X, IKE_DECODE SENDING Message (msgid=f36e4384) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + KE (4) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 500
Mar 17 14:41:45 [IKEv1]IP = X.X.X.X, IKE_DECODE RECEIVED Message (msgid=e1980f39) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80
Mar 17 14:41:45 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, processing hash payload
Mar 17 14:41:45 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, processing notify payload
Mar 17 14:41:45 [IKEv1]Group = X.X.X.X, IP = X.X.X.X, Received non-routine Notify message: No proposal chosen (14)
Mar 17 14:42:01 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, Sending keep-alive of type DPD R-U-THERE (seq number 0x65d756d0)
Mar 17 14:42:01 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, constructing blank hash payload
Mar 17 14:42:01 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, constructing qm hash payload
Mar 17 14:42:01 [IKEv1]IP = X.X.X.X, IKE_DECODE SENDING Message (msgid=69fb131a) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Mar 17 14:42:01 [IKEv1]IP = X.X.X.X, IKE_DECODE RECEIVED Message (msgid=1dbb0857) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Mar 17 14:42:01 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, processing hash payload
Mar 17 14:42:01 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, processing notify payload
Mar 17 14:42:01 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0x65d756d0)
un all
Mar 17 14:42:11 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, Sending keep-alive of type DPD R-U-THERE (seq number 0x65d756d1)
Mar 17 14:42:11 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, constructing blank hash payload
Mar 17 14:42:11 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, constructing qm hash payload
Mar 17 14:42:11 [IKEv1]IP = X.X.X.X, IKE_DECODE SENDING Message (msgid=9e091ef) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Mar 17 14:42:11 [IKEv1]IP = X.X.X.X, IKE_DECODE RECEIVED Message (msgid=8bd79623) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Mar 17 14:42:11 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, processing hash payload
Mar 17 14:42:11 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, processing notify payload
Mar 17 14:42:11 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0x65d756d1)
Mar 17 14:42:15 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, Pitcher: received key delete msg, spi 0xd85bf525
Mar 17 14:42:15 [IKEv1]Group = X.X.X.X, IP = X.X.X.X, Connection terminated for peer X.X.X.X. Reason: Session Error Terminated Remote Proxy 192.168.1.0, Local Proxy 172.20.0.0
Mar 17 14:42:15 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, Pitcher: received key delete msg, spi 0xea2af025
Mar 17 14:42:15 [IKEv1]Group = X.X.X.X, IP = X.X.X.X, Connection terminated for peer X.X.X.X. Reason: Session Error Terminated Remote Proxy 192.168.1.0, Local Proxy 172.20.0.0
Mar 17 14:42:15 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, Pitcher: received key delete msg, spi 0xd84aeba4
Mar 17 14:42:15 [IKEv1]Group = X.X.X.X, IP = X.X.X.X, Connection terminated for peer X.X.X.X. Reason: Session Error Terminated Remote Proxy 192.168.1.0, Local Proxy 172.20.0.0
Mar 17 14:42:15 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, Pitcher: received key delete msg, spi 0xb561f125
Mar 17 14:42:15 [IKEv1]Group = X.X.X.X, IP = X.X.X.X, Connection terminated for peer X.X.X.X. Reason: Session Error Terminated Remote Proxy 192.168.1.0, Local Proxy 172.20.0.0
Mar 17 14:42:15 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, sending delete/delete with reason message
Mar 17 14:42:15 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, constructing blank hash payload
Mar 17 14:42:15 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, constructing IPSec delete payload
Mar 17 14:42:15 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, constructing qm hash payload
Mar 17 14:42:15 [IKEv1]IP = X.X.X.X, IKE_DECODE SENDING Message (msgid=2505817d) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 68
Mar 17 14:42:15 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, IKE Deleting SA: Remote Proxy 192.168.1.0, Local Proxy 172.20.0.0
Mar 17 14:42:15 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, IKE Deleting SA: Remote Proxy 192.168.1.0, Local Proxy 172.20.0.0
Mar 17 14:42:15 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, IKE Deleting SA: Remote Proxy 192.168.1.0, Local Proxy 172.20.0.0
Mar 17 14:42:15 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, IKE Deleting SA: Remote Proxy 192.168.1.0, Local Proxy 172.20.0.0
Mar 17 14:42:15 [IKEv1]Group = X.X.X.X, IP = X.X.X.X, Removing peer from correlator table failed, no match!
Mar 17 14:42:15 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, IKE SA MM:305003a5 rcv'd Terminate: state MM_ACTIVE flags 0x0000c062, refcnt 1, tuncnt 0
Mar 17 14:42:15 [IKEv1]Group = X.X.X.X, IP = X.X.X.X, Remove from IKEv1 Tunnel Table succeeded for SA with logicalId 80740352
Mar 17 14:42:15 [IKEv1]Group = X.X.X.X, IP = X.X.X.X, Remove from IKEv1 MIB Table succeeded for SA with logical ID 80740352
Mar 17 14:42:15 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, IKE SA MM:305003a5 terminating: flags 0x0100c022, refcnt 0, tuncnt 0
Mar 17 14:42:15 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, sending delete/delete with reason message
Mar 17 14:42:15 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, constructing blank hash payload
Mar 17 14:42:15 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, constructing IKE delete payload
Mar 17 14:42:15 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, constructing qm hash payload
Mar 17 14:42:15 [IKEv1]IP = X.X.X.X, IKE_DECODE SENDING Message (msgid=415739de) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
Mar 17 14:42:15 [IKEv1]Group = X.X.X.X, IP = X.X.X.X, Session is being torn down. Reason: Unknown
Mar 17 14:42:15 [IKEv1]IP = X.X.X.X, Received encrypted packet with no matching SA, dropping
03-17-2022 01:29 PM
Remote Proxy 192.168.1.0, Local Proxy 172.20.0.0
The ACL in one peer is not configured correctly.
03-17-2022 02:14 PM
How did you see that exactly? Is it the "Removing peer from correlator table failed, no match!" line?
Or is it because the
Remote Proxy 192.168.1.0, Local Proxy 172.20.0.0
is telling you that's the subnet with the issue?
03-17-2022 02:26 PM
Mar 17 14:42:15 [IKEv1]Group = X.X.X.X, IP = X.X.X.X, Connection terminated for peer X.X.X.X. Reason: Session Error Terminated Remote Proxy 192.168.1.0, Local Proxy 172.20.0.0
Going by this debug message, did you check the ACL?
03-17-2022 02:44 PM
The only thing that looks off is that 2 objects on the ASA have a nested object inside them, and one side is missing a host. Would the host or nested objects cause it?
********
ASA
********
object-group network grp_remote
description remote
network-object 172.20.0.0 255.255.0.0
network-object 10.20.0.0 255.255.0.0
network-object host 10.130.249.9
network-object host 10.130.40.9
network-object object Int_10.235.0.0_net
network-object object Int_10.130.0.0_net
object-group network remote_mapped
description Remote
network-object 192.168.1.0 255.255.255.240
access-list in_inside remark remote rule
access-list in_inside extended permit ip object-group grp_remote 192.168.1.0 255.255.255.240
access-list outside_cryptomap_1 extended permit ip object-group grp_remote object-group remote_mapped
********
ROUTER
********
ip access-list extended site
permit ip 192.168.1.0 0.0.0.15 host 10.130.40.4
permit ip 192.168.1.0 0.0.0.15 host 10.130.40.9
permit ip 192.168.1.0 0.0.0.15 host 10.130.40.77
permit ip 192.168.1.0 0.0.0.15 172.20.0.0 0.0.255.255
permit ip 192.168.1.0 0.0.0.15 10.130.0.0 0.0.255.255
permit ip 192.168.1.0 0.0.0.15 10.220.0.0 0.0.255.255
permit ip 192.168.1.0 0.0.0.15 10.130.0.0 0.0.255.255
03-17-2022 02:55 PM
To identify the issue, first let's try:
object-group network grp_remote
description Local
network-object 172.20.0.0 255.255.0.0
object-group network remote_mapped
description Remote
network-object 192.168.1.0 255.255.255.240
!
permit ip 192.168.1.0 0.0.0.15 172.20.0.0 0.0.255.255
We will check if the VPN is up, then try adding the lines back one by one, checking the VPN each time, until we find the ACE that causes the issue.
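To do that ACE-by-ACE comparison offline before touching the tunnel, here is an added example (not from this thread or from Cisco) that expands the posted ASA object-groups and IOS crypto ACL into (local, remote) proxy-ID pairs and reports every pair with no exact mirror on the other side. It assumes an object-group/object-group ACE on the ASA and "host A" or "A WILDCARD" endpoints on the router; the two config strings are constructed excerpts of what was posted, and the nested Int_* object is reported as unresolvable because its definition is not on the page.

```python
import ipaddress
# Constructed excerpts of the two configs posted above; the nested "Int_*" object has no definition on the page.
ASA_CFG = """object-group network grp_remote
 network-object 172.20.0.0 255.255.0.0
 network-object 10.20.0.0 255.255.0.0
 network-object host 10.130.40.9
 network-object object Int_10.130.0.0_net
object-group network remote_mapped
 network-object 192.168.1.0 255.255.255.240
access-list outside_cryptomap_1 extended permit ip object-group grp_remote object-group remote_mapped"""
IOS_CFG = """ permit ip 192.168.1.0 0.0.0.15 host 10.130.40.9
 permit ip 192.168.1.0 0.0.0.15 172.20.0.0 0.0.255.255
 permit ip 192.168.1.0 0.0.0.15 10.130.0.0 0.0.255.255
 permit ip 192.168.1.0 0.0.0.15 10.220.0.0 0.0.255.255"""

def net(addr, mask, wildcard=False):
    """Network from 'addr mask'; an IOS wildcard is inverted into a netmask first."""
    if wildcard:
        mask = str(ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(mask))))
    return ipaddress.IPv4Network((addr, mask))

def asa_pairs(cfg):
    """Expand ASA object-groups into the crypto ACL's {(local, remote)} proxy-ID pairs, plus unresolved nested objects."""
    groups, unresolved, pairs = {}, [], set()
    for w in (line.split() for line in cfg.splitlines()):
        if w[:2] == ["object-group", "network"]:
            cur = groups.setdefault(w[2], [])
        elif w[:2] == ["network-object", "host"]:
            cur.append(net(w[2], "255.255.255.255"))
        elif w[:2] == ["network-object", "object"]:
            unresolved.append(w[2])  # nested object: its definition is not in this excerpt
        elif w[:1] == ["network-object"]:
            cur.append(net(w[1], w[2]))
        elif w[:1] == ["access-list"] and w[3:5] == ["permit", "ip"]:  # object-group/object-group ACE
            pairs |= {(s, d) for s in groups[w[6]] for d in groups[w[8]]}
    return pairs, unresolved

def ios_pairs(cfg):
    """{(local, remote)} pairs from an IOS extended ACL with 'host A' or 'A WILDCARD' endpoints."""
    pairs = set()
    for w in (line.split() for line in cfg.splitlines()):
        if w[:2] == ["permit", "ip"]:
            ends, i = [], 2
            while i < len(w):
                ends.append(net(w[i + 1], "255.255.255.255") if w[i] == "host" else net(w[i], w[i + 1], True))
                i += 2
            pairs.add((ends[0], ends[1]))
    return pairs

def unmirrored(asa, ios):
    """Pairs on each side whose swapped (remote, local) twin is missing on the other side."""
    return {p for p in asa if (p[1], p[0]) not in ios}, {p for p in ios if (p[1], p[0]) not in asa}
```

On these excerpts the 172.20.0.0/16 <-> 192.168.1.0/28 pair seen in the debug comes back mirrored, while 10.20.0.0/16 on the ASA versus 10.220.0.0/16 on the router, and 10.130.0.0/16 on the router, do not. The check covers only the proxy IDs; a Quick Mode "No proposal chosen" is also raised for a transform-set or PFS-group mismatch.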
03-01-2024 10:41 AM
@OnTheCatwalks I wonder, did you figure it out in the end? I am facing the same issue now. Thank you!