03-17-2022 01:04 PM
Tunnel will not complete Phase 2 and I am out of ideas. Does anyone see anything I am missing in the crypto debug? It's between an ASA and an older Cisco Router.
sh cry ikev1 sa

IKEv1 SAs:
Active SA: 3
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 3

3 IKE Peer: X.X.X.X
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE

debug crypto condition peer X.X.X.X
debug cry ikev1 128

Mar 17 14:41:45 [IKEv1]IP = X.X.X.X, IKE Initiator: New Phase 1, Intf inside, IKE Peer X.X.X.X local Proxy Address 172.20.0.0, remote Proxy Address 192.168.1.0, Crypto map (outside_map)
Mar 17 14:41:45 [IKEv1 DEBUG]IP = X.X.X.X, constructing ISAKMP SA payload
Mar 17 14:41:45 [IKEv1 DEBUG]IP = X.X.X.X, constructing NAT-Traversal VID ver 02 payload
Mar 17 14:41:45 [IKEv1 DEBUG]IP = X.X.X.X, constructing NAT-Traversal VID ver 03 payload
Mar 17 14:41:45 [IKEv1 DEBUG]IP = X.X.X.X, constructing NAT-Traversal VID ver RFC payload
Mar 17 14:41:45 [IKEv1 DEBUG]IP = X.X.X.X, constructing Fragmentation VID + extended capabilities payload
Mar 17 14:41:45 [IKEv1]IP = X.X.X.X, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 484
Mar 17 14:41:45 [IKEv1]IP = X.X.X.X, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
Mar 17 14:41:45 [IKEv1 DEBUG]IP = X.X.X.X, processing SA payload
Mar 17 14:41:45 [IKEv1 DEBUG]IP = X.X.X.X, Oakley proposal is acceptable
Mar 17 14:41:45 [IKEv1 DEBUG]IP = X.X.X.X, processing VID payload
Mar 17 14:41:45 [IKEv1 DEBUG]IP = X.X.X.X, Received NAT-Traversal RFC VID
Mar 17 14:41:45 [IKEv1 DEBUG]IP = X.X.X.X, constructing ke payload
Mar 17 14:41:45 [IKEv1 DEBUG]IP = X.X.X.X, constructing nonce payload
Mar 17 14:41:45 [IKEv1 DEBUG]IP = X.X.X.X, constructing Cisco Unity VID payload
Mar 17 14:41:45 [IKEv1 DEBUG]IP = X.X.X.X, constructing xauth V6 VID payload
Mar 17 14:41:45 [IKEv1 DEBUG]IP = X.X.X.X, Send IOS VID
Mar 17 14:41:45 [IKEv1 DEBUG]IP = X.X.X.X, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Mar 17 14:41:45 [IKEv1 DEBUG]IP = X.X.X.X, constructing VID payload
Mar 17 14:41:45 [IKEv1 DEBUG]IP = X.X.X.X, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Mar 17 14:41:45 [IKEv1 DEBUG]IP = X.X.X.X, constructing NAT-Discovery payload
Mar 17 14:41:45 [IKEv1 DEBUG]IP = X.X.X.X, computing NAT Discovery hash
Mar 17 14:41:45 [IKEv1 DEBUG]IP = X.X.X.X, constructing NAT-Discovery payload
Mar 17 14:41:45 [IKEv1 DEBUG]IP = X.X.X.X, computing NAT Discovery hash
Mar 17 14:41:45 [IKEv1]IP = X.X.X.X, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 304
Mar 17 14:41:45 [IKEv1]IP = X.X.X.X, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 304
Mar 17 14:41:45 [IKEv1 DEBUG]IP = X.X.X.X, processing ke payload
Mar 17 14:41:45 [IKEv1 DEBUG]IP = X.X.X.X, processing ISA_KE payload
Mar 17 14:41:45 [IKEv1 DEBUG]IP = X.X.X.X, processing nonce payload
Mar 17 14:41:45 [IKEv1 DEBUG]IP = X.X.X.X, processing VID payload
Mar 17 14:41:45 [IKEv1 DEBUG]IP = X.X.X.X, Received Cisco Unity client VID
Mar 17 14:41:45 [IKEv1 DEBUG]IP = X.X.X.X, processing VID payload
Mar 17 14:41:45 [IKEv1 DEBUG]IP = X.X.X.X, Received DPD VID
Mar 17 14:41:45 [IKEv1 DEBUG]IP = X.X.X.X, processing VID payload
Mar 17 14:41:45 [IKEv1 DEBUG]IP = X.X.X.X, Processing IOS/PIX Vendor ID payload (version: 1.0.0, capabilities: 00000f7f)
Mar 17 14:41:45 [IKEv1 DEBUG]IP = X.X.X.X, processing VID payload
Mar 17 14:41:45 [IKEv1 DEBUG]IP = X.X.X.X, Received xauth V6 VID
Mar 17 14:41:45 [IKEv1 DEBUG]IP = X.X.X.X, processing NAT-Discovery payload
Mar 17 14:41:45 [IKEv1 DEBUG]IP = X.X.X.X, computing NAT Discovery hash
Mar 17 14:41:45 [IKEv1 DEBUG]IP = X.X.X.X, processing NAT-Discovery payload
Mar 17 14:41:45 [IKEv1 DEBUG]IP = X.X.X.X, computing NAT Discovery hash
Mar 17 14:41:45 [IKEv1]IP = X.X.X.X, Connection landed on tunnel_group X.X.X.X
Mar 17 14:41:45 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, Generating keys for Initiator...
Mar 17 14:41:45 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, constructing ID payload
Mar 17 14:41:45 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, constructing hash payload
Mar 17 14:41:45 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, Computing hash for ISAKMP
Mar 17 14:41:45 [IKEv1 DEBUG]IP = X.X.X.X, Constructing IOS keep alive payload: proposal=32767/32767 sec.
Mar 17 14:41:45 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, constructing dpd vid payload
Mar 17 14:41:45 [IKEv1]IP = X.X.X.X, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 96
Mar 17 14:41:45 [IKEv1]Group = X.X.X.X, IP = X.X.X.X, Automatic NAT Detection Status: Remote end is NOT behind a NAT device This end is NOT behind a NAT device
Mar 17 14:41:45 [IKEv1]IP = X.X.X.X, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NOTIFY (11) + NONE (0) total length : 104
Mar 17 14:41:45 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, processing ID payload
Mar 17 14:41:45 [IKEv1 DECODE]Group = X.X.X.X, IP = X.X.X.X, ID_IPV4_ADDR ID received X.X.X.X
Mar 17 14:41:45 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, processing hash payload
Mar 17 14:41:45 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, Computing hash for ISAKMP
Mar 17 14:41:45 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, processing notify payload
Mar 17 14:41:45 [IKEv1]IP = X.X.X.X, Connection landed on tunnel_group X.X.X.X
Mar 17 14:41:45 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, Oakley begin quick mode
Mar 17 14:41:45 [IKEv1 DECODE]Group = X.X.X.X, IP = X.X.X.X, IKE Initiator starting QM: msg id = f36e4384
Mar 17 14:41:45 [IKEv1]Group = X.X.X.X, IP = X.X.X.X, PHASE 1 COMPLETED
Mar 17 14:41:45 [IKEv1]IP = X.X.X.X, Keep-alive type for this connection: DPD
Mar 17 14:41:45 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, Starting P1 rekey timer: 82080 seconds.
Mar 17 14:41:45 [IKEv1]Group = X.X.X.X, IP = X.X.X.X, Add to IKEv1 Tunnel Table succeeded for SA with logical ID 80740352
Mar 17 14:41:45 [IKEv1]Group = X.X.X.X, IP = X.X.X.X, Add to IKEv1 MIB Table succeeded for SA with logical ID 80740352
Mar 17 14:41:45 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, IKE got SPI from key engine: SPI = 0xd85bf525
Mar 17 14:41:45 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, IKE got SPI from key engine: SPI = 0xea2af025
Mar 17 14:41:45 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, IKE got SPI from key engine: SPI = 0xd84aeba4
Mar 17 14:41:45 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, IKE got SPI from key engine: SPI = 0xb561f125
Mar 17 14:41:45 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, oakley constucting quick mode
Mar 17 14:41:45 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, constructing blank hash payload
Mar 17 14:41:45 [IKEv1 DEBUG]Group = X.X.X.X, IP = X.X.X.X, constructing IPSec SA payload
Mar 17 14:41:4