VPN Tunnel Won't come up and out of ideas

OnTheCatwalks
Level 1

Tunnel will not complete Phase 2 and I am out of ideas. Does anyone see anything I am missing in the crypto debug? It's between an ASA and an older Cisco Router.

 

sh cry ikev1 sa

IKEv1 SAs:

   Active SA: 3
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 3

3   IKE Peer: X.X.X.X
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
debug crypto condition peer X.X.X.X
debug cry ikev1 128
 Mar 17 14:41:45 [IKEv1]IP = X.X.X.X, IKE Initiator: New Phase 1, Intf inside, IKE Peer X.X.X.X  local Proxy Address 172.20.0.0, remote Proxy Address 192.168.1.0,  Crypto map (outside_map)
Mar 17 14:41:45 [IKEv1 DEBUG]IP = X.X.X.X, constructing ISAKMP SA payload
Mar 17 14:41:45 [IKEv1 DEBUG]IP = X.X.X.X, constructing NAT-Traversal VID ver 02 payload
Mar 17 14:41:45 [IKEv1 DEBUG]IP = X.X.X.X, constructing NAT-Traversal VID ver 03 payload
Mar 17 14:41:45 [IKEv1 DEBUG]IP = X.X.X.X, constructing NAT-Traversal VID ver RFC payload
Mar 17 14:41:45 [IKEv1 DEBUG]IP = X.X.X.X, constructing Fragmentation VID + extended capabilities payload
Mar 17 14:41:45 [IKEv1]IP = X.X.X.X, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 484
Mar 17 14:41:45 [IKEv1]IP = X.X.X.X, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
Mar 17 14:41:45 [IKEv1 DEBUG]IP = X.X.X.X, processing SA payload
Mar 17 14:41:45 [IKEv1 DEBUG]IP = X.X.X.X, Oakley proposal is acceptable
Mar 17 14:41:45 [IKEv1 DEBUG]IP = X.X.X.X, processing VID payload
Mar 17 14:41:45 [IKEv1 DEBUG]IP = X.X.X.X, Received NAT-Traversal RFC VID
Mar 17 14:41:45 [IKEv1 DEBUG]IP = X.X.X.X, constructing ke payload
Mar 17 14:41:45 [IKEv1 DEBUG]IP = X.X.X.X, constructing nonce payload
Mar 17 14:41:45 [IKEv1 DEBUG]IP = X.X.X.X, constructing Cisco Unity VID payload
Mar 17 14:41:45 [IKEv1 DEBUG]IP = X.X.X.X, constructing xauth V6 VID payload
Mar 17 14:41:45 [IKEv1 DEBUG]IP = X.X.X.X, Send IOS VID
Mar 17 14:41:45 [IKEv1 DEBUG]IP = X.X.X.X, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Mar 17 14:41:45 [IKEv1 DEBUG]IP = X.X.X.X, constructing VID payload
Mar 17 14:41:45 [IKEv1 DEBUG]IP = X.X.X.X, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Mar 17 14:41:45 [IKEv1 DEBUG]IP = X.X.X.X, constructing NAT-Discovery payload
Mar 17 14:41:45 [IKEv1 DEBUG]IP = X.X.X.X, computing NAT Discovery hash
Mar 17 14:41:45 [IKEv1 DEBUG]IP = X.X.X.X, constructing NAT-Discovery payload
Mar 17 14:41:45 [IKEv1 DEBUG]IP = X.X.X.X, computing NAT Discovery hash
Mar 17 14:41:45 [IKEv1]IP = X.X.X.X, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 304
Mar 17 14:41:45 [IKEv1]IP = X.X.X.X, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 304
Mar 17 14:41:45 [IKEv1 DEBUG]IP = X.X.X.X, processing ke payload
Mar 17 14:41:45 [IKEv1 DEBUG]IP = X.X.X.X, processing ISA_KE payload
Mar 17 14:41:45 [IKEv1 DEBUG]IP = X.X.X.X, processing nonce payload
Mar 17 14:41:45 [IKEv1 DEBUG]IP = X.X.X.X, processing VID payload
Mar 17 14:41:45 [IKEv1 DEBUG]IP = X.X.X.X, Received Cisco Unity client VID
Mar 17 14:41:45 [IKEv1 DEBUG]IP = X.X.X.X, processing VID payload
Mar 17 14:41:45 [IKEv1 DEBUG]IP = X.X.X.X, Received DPD VID
Mar 17 14:41:45 [IKEv1 DEBUG]IP = X.X.X.X, processing VID payload
Mar 17 14:41:45 [IKEv1 DEBUG]IP = X.X.X.X, Processing IOS/PIX Vendor ID payload (version: 1.0.0, capabilities: 00000f7f)
Mar 17 14:41:45 [IKEv1 DEBUG]IP = X.X.X.X, processing VID payload
Mar 17 14:41:45 [IKEv1 DEBUG]IP = X.X.X.X, Received xauth V6 VID
Mar 17 14:41:45 [IKEv1 DEBUG]IP = X.X.X.X, processing NAT-Discovery payload
Mar 17 14:41:45 [IKEv1 DEBUG]IP = X.X.X.X, computing NAT Discovery hash
Mar 17 14:41:45 [IKEv1 DEBUG]IP = X.X.X.X, processing NAT-Discovery payload
Mar 17 14:41:45 [IKEv1 DEBUG]IP = X.X.X.X, computing NAT Discovery hash
Mar 17 14:41:45 [IKEv1]IP = X.X.X.X, Connection landed on tunnel_group X.X.X.X
Mar 17 14:41:45 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, Generating keys for Initiator...
Mar 17 14:41:45 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, constructing ID payload
Mar 17 14:41:45 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, constructing hash payload
Mar 17 14:41:45 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, Computing hash for ISAKMP
Mar 17 14:41:45 [IKEv1 DEBUG]IP = X.X.X.X, Constructing IOS keep alive payload: proposal=32767/32767 sec.
Mar 17 14:41:45 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, constructing dpd vid payload
Mar 17 14:41:45 [IKEv1]IP = X.X.X.X, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 96
Mar 17 14:41:45 [IKEv1]Group = X.X.X.X, IP = X.X.X.X, Automatic NAT Detection Status:     Remote end is NOT behind a NAT device     This   end is NOT behind a NAT device
Mar 17 14:41:45 [IKEv1]IP = X.X.X.X, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NOTIFY (11) + NONE (0) total length : 104
Mar 17 14:41:45 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, processing ID payload
Mar 17 14:41:45 [IKEv1 DECODE]Group = X.X.X.X, IP = X.X.X.X, ID_IPV4_ADDR ID received
X.X.X.X
Mar 17 14:41:45 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, processing hash payload
Mar 17 14:41:45 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, Computing hash for ISAKMP
Mar 17 14:41:45 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, processing notify payload
Mar 17 14:41:45 [IKEv1]IP = X.X.X.X, Connection landed on tunnel_group X.X.X.X
Mar 17 14:41:45 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, Oakley begin quick mode
Mar 17 14:41:45 [IKEv1 DECODE]Group = X.X.X.X, IP = X.X.X.X, IKE Initiator starting QM: msg id = f36e4384
Mar 17 14:41:45 [IKEv1]Group = X.X.X.X, IP = X.X.X.X, PHASE 1 COMPLETED
Mar 17 14:41:45 [IKEv1]IP = X.X.X.X, Keep-alive type for this connection: DPD
Mar 17 14:41:45 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, Starting P1 rekey timer: 82080 seconds.
Mar 17 14:41:45 [IKEv1]Group = X.X.X.X, IP = X.X.X.X, Add to IKEv1 Tunnel Table succeeded for SA with logical ID 80740352
Mar 17 14:41:45 [IKEv1]Group = X.X.X.X, IP = X.X.X.X, Add to IKEv1 MIB Table succeeded for SA with logical ID 80740352
Mar 17 14:41:45 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, IKE got SPI from key engine: SPI = 0xd85bf525
Mar 17 14:41:45 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, IKE got SPI from key engine: SPI = 0xea2af025
Mar 17 14:41:45 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, IKE got SPI from key engine: SPI = 0xd84aeba4
Mar 17 14:41:45 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, IKE got SPI from key engine: SPI = 0xb561f125
Mar 17 14:41:45 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, oakley constucting quick mode
Mar 17 14:41:45 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, constructing blank hash payload
Mar 17 14:41:45 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, constructing IPSec SA payload
Mar 17 14:41:4
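
To see where a capture like the one above stops making progress, the sketch below (an added example, not part of the original post and not a Cisco tool) pulls out the proxy addresses, the phase milestones and the per-msgid Quick Mode traffic. The sample log is constructed in the post's format, and the `PHASE 2 COMPLETED` marker is the ASA's standard success message, which the truncated capture does not reach; the function names are hypothetical.

```python
import re

# Constructed sample in the "debug crypto ikev1" format shown in the post.
# The msgid=f36e4384 SENDING line is constructed (the post's log is cut off
# before that point) and models a Quick Mode offer that gets no reply.
SAMPLE = """\
Mar 17 14:41:45 [IKEv1]IP = X.X.X.X, IKE Initiator: New Phase 1, Intf inside, IKE Peer X.X.X.X  local Proxy Address 172.20.0.0, remote Proxy Address 192.168.1.0,  Crypto map (outside_map)
Mar 17 14:41:45 [IKEv1]IP = X.X.X.X, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NOTIFY (11) + NONE (0) total length : 104
Mar 17 14:41:45 [IKEv1 DECODE]Group = X.X.X.X, IP = X.X.X.X, IKE Initiator starting QM: msg id = f36e4384
Mar 17 14:41:45 [IKEv1]Group = X.X.X.X, IP = X.X.X.X, PHASE 1 COMPLETED
Mar 17 14:41:45 [IKEv1]IP = X.X.X.X, IKE_DECODE SENDING Message (msgid=f36e4384) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 200
"""

PROXY = re.compile(r"local Proxy Address ([\d.]+), remote Proxy Address ([\d.]+)")
QM_START = re.compile(r"starting QM: msg id = ([0-9a-f]+)")
DECODE = re.compile(r"IKE_DECODE (SENDING|RECEIVED) Message \(msgid=([0-9a-f]+)\)")

def summarize(log_text):
    """Collect negotiation milestones from an ASA IKEv1 debug capture."""
    out = {"proxies": None, "phase1_done": False, "phase2_done": False,
           "qm": {}, "other_received": []}
    for line in log_text.splitlines():
        if m := PROXY.search(line):
            out["proxies"] = m.groups()
        out["phase1_done"] |= "PHASE 1 COMPLETED" in line
        out["phase2_done"] |= "PHASE 2 COMPLETED" in line
        if m := QM_START.search(line):
            out["qm"].setdefault(m.group(1), {"sent": 0, "received": 0})
        if m := DECODE.search(line):
            direction, msgid = m.groups()
            if msgid in out["qm"]:
                out["qm"][msgid]["sent" if direction == "SENDING" else "received"] += 1
            elif direction == "RECEIVED" and msgid != "0":
                # Non-zero msgid outside Quick Mode: an informational exchange,
                # the exchange type peers use for NOTIFY and DELETE messages.
                out["other_received"].append(msgid)
    return out

def stalled_at(summary):
    """Name the stage where the capture stops making progress, or None."""
    if not summary["phase1_done"]:
        return "phase1"
    if summary["phase2_done"]:
        return None
    unanswered = [i for i, c in summary["qm"].items() if c["sent"] and not c["received"]]
    return "phase2-unanswered" if unanswered else "phase2-incomplete"

if __name__ == "__main__":
    s = summarize(SAMPLE)
    print(s["proxies"], s["qm"], stalled_at(s))
```

The proxy pair it reports is what the ASA offers in Quick Mode, so it is the value to compare against the interesting-traffic ACL on the router side.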