Site to Site VPN error on Cisco ASA5500 and router 1800

Hi All, when I configured a site-to-site VPN between a Cisco ASA 5500 (outside IP address: 1.2.3.4, inside IP: 192.168.0.50) and an 1800 router (outside IP address: 5.6.7.8, inside IP: 192.168.46.1), I got the following errors and cannot establish the VPN tunnel:

  1. Error on ASA 5500:

|11:45:35|713904|||IP = 5.6.7.8, Received encrypted packet with no matching SA, dropping
|11:45:35|113019|||Group = 5.6.7.8, Username = 5.6.7.8, IP = 5.6.7.8, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch
|11:45:35|713902|||Group = 5.6.7.8, IP = 5.6.7.8, Removing peer from correlator table failed, no match!
|11:45:35|713902|||Group = 5.6.7.8, IP = 5.6.7.8, QM FSM error (P2 struct &0x97f6d50, mess id 0xba4d2406)!
|11:45:35|713904|||Group = 5.6.7.8, IP = 5.6.7.8, All IPSec SA proposals found unacceptable!
|11:45:35|713119|||Group = 5.6.7.8, IP = 5.6.7.8, PHASE 1 COMPLETED
|11:45:35|113009|||AAA retrieved default group policy (LAN-LAN) for user = 5.6.7.8
|11:45:35|713903|||Group = 5.6.7.8, IP = 5.6.7.8, Freeing previously allocated memory for authorization-dn-attributes
|11:45:35|713172|||Group = 5.6.7.8, IP = 5.6.7.8, Automatic NAT Detection Status: Remote end is NOT behind a NAT device This end is NOT behind a NAT device

  2. Debug info on 1800 router:

13:28:50 Local7.Debug 192.168.46.1 2448:
13:28:50 Local7.Debug 192.168.46.1 2447: *Jan 4 18:29:17.255: ISAKMP: (2018):Old State = IKE_DEST_SA New State = IKE_DEST_SA
13:28:50 Local7.Debug 192.168.46.1 2446: *Jan 4 18:29:17.255: ISAKMP: (2018):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
13:28:50 Local7.Debug 192.168.46.1 2445: *Jan 4 18:29:17.255: crypto_engine: Delete IKE SA
13:28:50 Local7.Debug 192.168.46.1 2444: *Jan 4 18:29:17.251: crypto engine: deleting IKE SA SW:18
13:28:50 Local7.Debug 192.168.46.1 2443: *Jan 4 18:29:17.251: ISAKMP: (2018):deleting node 853657057 error FALSE reason "IKE deleted"
13:28:49 Local7.Debug 192.168.46.1 2442: *Jan 4 18:29:17.251: ISAKMP: (2018):deleting node -533182858 error FALSE reason "IKE deleted"
13:28:49 Local7.Debug 192.168.46.1 2441: *Jan 4 18:29:17.251: ISAKMP: (2018):deleting node 28797199 error FALSE reason "IKE deleted"
13:28:49 Local7.Debug 192.168.46.1 2440: *Jan 4 18:29:17.251: ISAKMP: (2018):deleting SA reason "No reason" state (I) QM_IDLE (peer 1.2.3.4)
13:28:49 Local7.Debug 192.168.46.1 2439:
13:28:49 Local7.Debug 192.168.46.1 2438: *Jan 4 18:29:17.251: ISAKMP: (2018):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA
13:28:49 Local7.Debug 192.168.46.1 2437: *Jan 4 18:29:17.251: ISAKMP: (2018):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
13:28:49 Local7.Debug 192.168.46.1 2436: *Jan 4 18:29:17.251: ISAKMP: (2018):purging node -751303044
13:28:49 Local7.Debug 192.168.46.1 2435: *Jan 4 18:29:17.251: ISAKMP: (2018):Sending an IKE IPv4 Packet.
13:28:49 Local7.Debug 192.168.46.1 2434: *Jan 4 18:29:17.251: ISAKMP: (2018): sending packet to 1.2.3.4 my_port 500 peer_port 500 (I) QM_IDLE
13:28:49 Local7.Debug 192.168.46.1 2433: *Jan 4 18:29:17.251: crypto_engine: Encrypt IKE packet
13:28:49 Local7.Debug 192.168.46.1 2432: *Jan 4 18:29:17.251: crypto_engine: Generate IKE hash
13:28:49 Local7.Debug 192.168.46.1 2431: *Jan 4 18:29:17.251: ISAKMP: set new node -751303044 to QM_IDLE
13:28:49 Local7.Debug 192.168.46.1 2430: *Jan 4 18:29:17.251: ISAKMP: (2018):deleting node 853657057 error FALSE reason "Informational (in) state 1"
13:28:49 Local7.Debug 192.168.46.1 2429: *Jan 4 18:29:17.251: ISAKMP: (2018):deleting SA reason "No reason" state (I) QM_IDLE (peer 1.2.3.4)
13:28:49 Local7.Debug 192.168.46.1 2428:
13:28:49 Local7.Debug 192.168.46.1 2427: *Jan 4 18:29:17.251: ISAKMP: (2018):peer does not do paranoid keepalives.
13:28:49 Local7.Debug 192.168.46.1 2426: *Jan 4 18:29:17.251: ISAKMP: (2018): processing DELETE payload. message ID = 853657057
13:28:49 Local7.Debug 192.168.46.1 2425: *Jan 4 18:29:17.251: ISAKMP: (2018): processing HASH payload. message ID = 853657057
13:28:49 Local7.Debug 192.168.46.1 2424: *Jan 4 18:29:17.251: crypto_engine: Generate IKE hash
13:28:49 Local7.Debug 192.168.46.1 2423: *Jan 4 18:29:17.251: crypto_engine: Decrypt IKE packet
13:28:49 Local7.Debug 192.168.46.1 2422: *Jan 4 18:29:17.251: ISAKMP: set new node 853657057 to QM_IDLE
13:28:49 Local7.Debug 192.168.46.1 2421: *Jan 4 18:29:17.251: ISAKMP (0:2018): received packet from 1.2.3.4 dport 500 sport 500 Global (I) QM_IDLE
13:28:49 Local7.Debug 192.168.46.1 2420:
13:28:49 Local7.Debug 192.168.46.1 2419: *Jan 4 18:29:17.251: ISAKMP: (2018):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
13:28:49 Local7.Debug 192.168.46.1 2418: *Jan 4 18:29:17.251: ISAKMP: (2018):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
13:28:49 Local7.Debug 192.168.46.1 2417: *Jan 4 18:29:17.251: ISAKMP: (2018):deleting node -533182858 error FALSE reason "Informational (in) state 1"
13:28:49 Local7.Debug 192.168.46.1 2416: spi 0, message ID = -533182858, sa = 84B02BB0
13:28:49 Local7.Debug 192.168.46.1 2415: *Jan 4 18:29:17.251: ISAKMP: (2018): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
13:28:49 Local7.Debug 192.168.46.1 2414: *Jan 4 18:29:17.251: ISAKMP: (2018): processing HASH payload. message ID = -533182858
13:28:49 Local7.Debug 192.168.46.1 2413: *Jan 4 18:29:17.251: crypto_engine: Generate IKE hash
13:28:49 Local7.Debug 192.168.46.1 2412: *Jan 4 18:29:17.251: crypto_engine: Decrypt IKE packet
13:28:49 Local7.Debug 192.168.46.1 2411: *Jan 4 18:29:17.247: ISAKMP: set new node -533182858 to QM_IDLE
13:28:49 Local7.Debug 192.168.46.1 2410: *Jan 4 18:29:17.247: ISAKMP (0:2018): received packet from 1.2.3.4 dport 500 sport 500 Global (I) QM_IDLE

I compared the IPsec and IKE site-to-site VPN settings on both ends using ASDM/SDM and cannot find any difference, but it still shows me the same error messages. I would appreciate it if someone could help out with this.

Thank you, Young
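As an added example (not part of the original post), a small triage script for ASDM log exports in the pipe-delimited form shown above: it parses each message, tracks per peer whether IKE phase 1 completed, whether the IPsec proposal was rejected, and the teardown reason, and says which part of the configuration to compare first. The sample lines are constructed from the messages posted above; the message IDs 713119 and 113019 are the ones the ASA used.

```python
import re
from collections import defaultdict

# Constructed sample: the ASA messages posted above, kept in the newest-first
# order of the ASDM export and reduced to the lines that carry state.
ASA_LOG = """\
|11:45:35|713904|||IP = 5.6.7.8, Received encrypted packet with no matching SA, dropping
|11:45:35|113019|||Group = 5.6.7.8, Username = 5.6.7.8, IP = 5.6.7.8, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch
|11:45:35|713902|||Group = 5.6.7.8, IP = 5.6.7.8, QM FSM error (P2 struct &0x97f6d50, mess id 0xba4d2406)!
|11:45:35|713904|||Group = 5.6.7.8, IP = 5.6.7.8, All IPSec SA proposals found unacceptable!
|11:45:35|713119|||Group = 5.6.7.8, IP = 5.6.7.8, PHASE 1 COMPLETED
"""
LINE_RE = re.compile(r"^\|(?P<time>[\d:]+)\|(?P<msgid>\d+)\|+(?P<text>.*)$")

def parse_asa_export(log):
    """Parse the pipe-delimited ASDM export into dicts, oldest event first."""
    events = []
    for raw in log.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        peer = re.search(r"IP = ([\d.]+)", m["text"])
        events.append({"time": m["time"], "msgid": int(m["msgid"]),
                       "peer": peer.group(1) if peer else None, "text": m["text"]})
    return events[::-1]          # export is newest-first; replay oldest-first

def diagnose(events):
    """Per peer: phase 1 completed?, IPsec proposal rejected?, teardown reason."""
    state = defaultdict(lambda: {"phase1": False, "proposal_rejected": False, "reason": None})
    for e in events:
        s = state[e["peer"]]
        if e["msgid"] == 713119:                 # PHASE 1 COMPLETED
            s["phase1"] = True
        elif "SA proposals found unacceptable" in e["text"]:
            s["proposal_rejected"] = True
        elif e["msgid"] == 113019:               # Session disconnected, carries "Reason:"
            r = re.search(r"Reason: (.+)$", e["text"])
            s["reason"] = r.group(1) if r else None
    return dict(state)

def next_check(s):
    """Which part of the configuration to compare first for this peer."""
    if not s["phase1"]:
        return "isakmp policy / pre-shared key"
    if s["proposal_rejected"] or s["reason"] == "Phase 2 Mismatch":
        return "transform-set, PFS, SA lifetime, mirrored crypto ACLs"
    return "no IKE failure seen"

if __name__ == "__main__":
    for peer, s in diagnose(parse_asa_export(ASA_LOG)).items():
        print(peer, s, "->", next_check(s))
```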


Hi Young

Can you post your config files?

cu ivo


On Jan 6, 5:07 am, "snipped-for-privacy@ruetsche.com" wrote:

The following is the relevant part of the VPN configuration on both ends; can you advise me what I have to correct? Thank you.

  1. On ASA 5510:

ASA Version 7.2(3)
!
hostname asa5510
domain-name test.com
enable password Q2REeCxc0Wlu3zej encrypted
names
name 1.2.3.4 WAN description WAN
!
interface Ethernet0/0
 description WAN
 nameif WAN
 security-level 10
 ip address WAN 255.255.255.248
 ospf cost 10
!
interface Ethernet0/1
 description LAN
 nameif LAN
 security-level 90
 ip address 192.168.0.50 255.255.255.0
 ospf cost 10
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 ospf cost 10
 management-only
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

access-list LAN_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.46.0 255.255.255.0
access-list LAN_nat0_outbound extended permit ip 192.168.46.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list testing_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0
access-list management_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.46.0 255.255.255.0
access-list WAN_1_cryptomap extended permit ip 192.168.0.0 255.255.255.0 192.168.46.0 255.255.255.0

global (WAN) 1 interface
nat (LAN) 0 access-list LAN_nat0_outbound
nat (LAN) 1 192.168.0.0 255.255.255.0
nat (management) 0 access-list management_nat0_outbound
. . .

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 86400
crypto dynamic-map LAN_dyn_map 20 set pfs
crypto dynamic-map LAN_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map LAN_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map WAN_dyn_map 20 set pfs
crypto dynamic-map WAN_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map WAN_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map WAN_dyn_map 40 set pfs
crypto dynamic-map WAN_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map WAN_dyn_map 40 set security-association lifetime seconds 28800
crypto dynamic-map WAN_dyn_map 60 set pfs
crypto dynamic-map WAN_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map WAN_dyn_map 60 set security-association lifetime seconds 28800
crypto dynamic-map WAN_dyn_map 80 set pfs
crypto dynamic-map WAN_dyn_map 80 set transform-set ESP-3DES-SHA
crypto dynamic-map WAN_dyn_map 80 set security-association lifetime seconds 28800
crypto map LAN_map 65535 ipsec-isakmp dynamic LAN_dyn_map
crypto map LAN_map interface LAN
crypto map WAN_map 1 match address WAN_1_cryptomap
crypto map WAN_map 1 set pfs
crypto map WAN_map 1 set peer 5.6.7.8
crypto map WAN_map 1 set transform-set ESP-3DES-SHA
crypto map WAN_map 65535 ipsec-isakmp dynamic WAN_dyn_map
crypto map WAN_map interface WAN

crypto isakmp enable WAN
crypto isakmp enable LAN
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20
no vpn-addr-assign aaa

group-policy testing internal
group-policy testing attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value testing_splitTunnelAcl
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 password-storage disable
 ip-comp enable
 re-xauth enable
 group-lock none
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain none
 split-dns none
 intercept-dhcp 255.255.255.255 disable
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 msie-proxy server none
 msie-proxy method no-modify
 msie-proxy except-list none
 msie-proxy local-bypass disable
 nac enable
 nac-sq-period 300
 nac-reval-period 36000
 nac-default-acl none
 address-pools value ClientVPN
 smartcard-removal-disconnect enable
 client-firewall none
 client-access-rule none
 webvpn
  functions url-entry
  html-content-filter none
  homepage none
  keep-alive-ignore 4
  http-comp gzip
  filter none
  url-list none
  customization value DfltCustomization
  port-forward none
  port-forward-name value Application Access
  sso-server none
  deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
  svc none
  svc keep-installer installed
  svc keepalive none
  svc rekey time none
  svc rekey method none
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc compression deflate

tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key Test

tunnel-group 5.6.7.8 type ipsec-l2l
tunnel-group 5.6.7.8 ipsec-attributes
 pre-shared-key Test
tunnel-group-map default-group TestVPN
. . .
End

  2. On Cisco 1800 router, version 12.4:

hostname 1800
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key test address 1.2.3.4 255.255.255.248 no-xauth
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to1.2.3.4
 set peer 1.2.3.4
 set security-association lifetime seconds 86400
 set transform-set ESP-3DES-SHA
 match address 102
!
!
interface FastEthernet0
 description $FW_OUTSIDE$$ETH-WAN$
 ip address 5.6.7.8 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
!
interface BVI1
 description $ES_LAN$$FW_INSIDE$
 ip address 192.168.46.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone

!
ip access-list extended SDM_AH
 remark SDM_ACL Category=1
 permit ahp any any
ip access-list extended SDM_ESP
 remark SDM_ACL Category=1
 permit esp any any
ip access-list extended SDM_GRE
 remark SDM_ACL Category=0
 permit gre any any
ip access-list extended SDM_HTTPS
 remark SDM_ACL Category=1
 permit tcp any any eq 443
ip access-list extended SDM_SHELL
 remark SDM_ACL Category=1
 permit tcp any any eq cmd
ip access-list extended SDM_SSH
 remark SDM_ACL Category=1
 permit tcp any any eq 22
ip access-list extended To-test
 remark SDM_ACL Category=128

access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.7
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 remark SDM_ACL Category=128
access-list 101 permit ip any any
access-list 102 remark SDM_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 192.168.46.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 103 remark SDM_ACL Category=128
access-list 103 permit ip host 1.2.3.4 any
access-list 104 remark SDM_ACL Category=0
access-list 104 remark IPSec Rule
access-list 104 permit ip 192.168.0.0 0.0.0.255 192.168.46.0 0.0.0.255
access-list 106 remark SDM_ACL Category=0
access-list 106 remark IPSec Rule
access-list 106 permit ip 192.168.0.0 0.0.0.255 192.168.46.0 0.0.0.255
access-list 107 remark SDM_ACL Category=2
access-list 107 remark IPSec Rule
access-list 107 deny ip 192.168.46.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 107 permit ip 192.168.46.0 0.0.0.255 any
!
!
route-map SDM_RMAP_2 permit 1
 match ip address 107
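As an added example (not from the thread), a script that pulls the phase 2 parameters out of the two crypto map entries posted above, the ASA's "crypto map WAN_map 1" and the router's "crypto map SDM_CMAP_1 1", and lists the ones that differ. It only compares the transform-set algorithms and the PFS group, two of the things a responder checks before accepting an IPsec proposal; the ACL mirroring and the SA lifetime are left to a manual check. Run on these two fragments it reports that the ASA entry enables PFS while the router entry has no "set pfs" at all.

```python
import re

# Constructed from the two config fragments posted above, trimmed to the
# transform-set definitions and the one crypto map entry on each side.
ASA_CONFIG = """\
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map WAN_map 1 match address WAN_1_cryptomap
crypto map WAN_map 1 set pfs
crypto map WAN_map 1 set peer 5.6.7.8
crypto map WAN_map 1 set transform-set ESP-3DES-SHA
"""
IOS_CONFIG = """\
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer 1.2.3.4
 set security-association lifetime seconds 86400
 set transform-set ESP-3DES-SHA
 match address 102
"""

def transform_sets(text):
    """Map each transform-set name to the tuple of algorithms it names."""
    return {m[1]: tuple(m[2].split())
            for m in re.finditer(r"^crypto ipsec transform-set (\S+) (.+)$", text, re.M)}

def asa_entry(text, name, seq):
    """Phase 2 parameters of an ASA entry: flat 'crypto map NAME SEQ set ...' lines."""
    params = {"pfs": None, "transform": None}
    for m in re.finditer(rf"^crypto map {name} {seq} set (.+)$", text, re.M):
        w = m[1].split()
        if w[0] == "pfs":
            params["pfs"] = w[1] if len(w) > 1 else "group2"   # ASA default for bare "set pfs"
        elif w[0] == "transform-set":
            params["transform"] = transform_sets(text).get(w[1])
    return params

def ios_entry(text, name, seq):
    """Phase 2 parameters of an IOS entry: indented block under 'crypto map NAME SEQ ipsec-isakmp'."""
    params = {"pfs": None, "transform": None}
    block = re.search(rf"^crypto map {name} {seq} ipsec-isakmp\n((?: .*\n?)*)", text, re.M)
    for line in (block[1].splitlines() if block else []):
        w = line.split()
        if w[:2] == ["set", "pfs"]:
            params["pfs"] = w[2] if len(w) > 2 else "group1"     # IOS default for bare "set pfs"
        elif w[:2] == ["set", "transform-set"]:
            params["transform"] = transform_sets(text).get(w[2])  # first listed set only
    return params

def phase2_mismatches(a, b):
    """Names of parameters whose values differ; None means 'not configured on that side'."""
    return sorted(k for k in a if a[k] != b[k])

if __name__ == "__main__":
    print(phase2_mismatches(asa_entry(ASA_CONFIG, "WAN_map", 1),
                            ios_entry(IOS_CONFIG, "SDM_CMAP_1", 1)))
```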


Do the crypto maps match on both sides? I believe they should.

