Advertisement

04.10.2008 at 03:24PM PDT, ID: 23313589
[x]
Attachment Details

Cisco ASA to SonicWall VPN tunnel fails to negotiate.  Odd errors.

Asked by cyberdragon666 in Virtual Private Networking (VPN), IPSec Security Protocol, Cisco PIX Firewall

Tags: Cisco, ASA, 5505, site to site vpn

I have a site to site VPN tunnel setup between an ASA5505 and  SonicWall Pro 4060.
The tunnel won't setup and I am getting an odd set of errors (different from the ones I am used to).
This is the output from the ASA debug crypto isakmp and debug crypto ipsec commands:

CiscoASA# Apr 10 21:42:37 [IKEv1]: Group = 6.4.2.158, IP = 6.4.2.158, Information Exchange processing failed
Apr 10 21:42:39 [IKEv1]: Group = 6.4.2.158, IP = 6.4.2.158, Information Exchange processing failed
Apr 10 21:42:41 [IKEv1]: Group = 6.4.2.158, IP = 6.4.2.158, Information Exchange processing failed
Apr 10 21:42:43 [IKEv1]: IP = 6.4.2.158, Received Invalid Cookie message for non-existent SA

the "Received Invalid Cookie message for non-existent SA" is odd.  I usually just see a "mismatch" type error if IKE won't setup.  This one is new to me.


Here is the output from the SonicWall:

 04/10/2008 18:04:20.544 Debug VPN IKE SENDING>>>> ISAKMP OAK INFO (InitCookie:0x533a019dae043966 RespCookie:0x9bf507ab19992582, MsgID: 0xAD010BA) *(HASH, NOTIFY: INVALID_ID_INFO) 6.4.2.158, 4500 6.1.8.37, 4500    
2 04/10/2008 18:04:20.544 Warning VPN IKE IKE Initiator: Proposed IKE ID mismatch 6.4.2.158, 4500 6.1.8.37, 4500 VPN Policy: that VPN Tunnel; Local ID: 6.1.8.37;Remote ID: 192.168.1.66  
3 04/10/2008 18:04:20.544 Debug VPN IKE RECEIVED<<< ISAKMP OAK MM (InitCookie:0x533a019dae043966 RespCookie:0x9bf507ab19992582, MsgID: 0x0) *(ID, HASH, VID) 6.1.8.37, 4500 6.4.2.158, 4500    
4 04/10/2008 18:04:20.496 Debug VPN IKE SENDING>>>> ISAKMP OAK MM (InitCookie:0x533a019dae043966 RespCookie:0x9bf507ab19992582, MsgID: 0x0) *(ID, HASH, NOTIFY: INITIAL_CONTACT) 6.4.2.158, 4500 6.1.8.37, 4500    
5 04/10/2008 18:04:20.496 Info VPN IKE NAT Discovery : Peer IPSec Security Gateway behind a NAT/NAPT Device        
6 04/10/2008 18:04:20.496 Debug VPN IKE RECEIVED<<< ISAKMP OAK MM (InitCookie:0x533a019dae043966 RespCookie:0x9bf507ab19992582, MsgID: 0x0) (KE, NON, VID, VID, VID, VID, NATD, NATD) 6.1.8.37, 500 6.4.2.158, 500    
7 04/10/2008 18:04:20.432 Debug VPN IKE SENDING>>>> ISAKMP OAK MM (InitCookie:0x533a019dae043966 RespCookie:0x9bf507ab19992582, MsgID: 0x0) (KE, NATD, NATD, NON, VID, VID, VID, VID) 6.4.2.158, 500 6.1.8.37, 500    
8 04/10/2008 18:04:20.432 Debug VPN IKE RECEIVED<<< ISAKMP OAK MM (InitCookie:0x533a019dae043966 RespCookie:0x9bf507ab19992582, MsgID: 0x0) (SA, VID, VID) 6.1.8.37, 500 6.4.2.158, 500    
9 04/10/2008 18:04:20.384 Debug VPN IKE SENDING>>>> ISAKMP OAK MM (InitCookie:0x533a019dae043966 RespCookie:0x0000000000000000, MsgID: 0x0) (SA, VID, VID, VID, VID) 6.4.2.158, 500 6.1.8.37, 500    
10 04/10/2008 18:04:20.384 Info VPN IKE IKE Initiator: Start Main Mode negotiation (Phase 1) 6.4.2.158, 500 6.1.8.37, 500 VPN Policy: that VPN Tunnel

One thing to note:  I have this setup on a DSL line to test this before I put it out in the field.
The DSL modem has the ASA NAT-ed through so I can set up the tunnel.
The DSL modem also has IPSec pass through turned on.  I do not see anyway to force open the IPSec ports (UDP 500 and UDP 4500) but I don't think it is necessary with the pass through function.

Does anyone have any experience with this and maybe some guidance?
Thanks!Start Free Trial 
1:
2:
3:
4:
5:
6:
7:
8:
9:
10:
11:
12:
13:
14:
15:
16:
17:
18:
19:
20:
21:
22:
23:
24:
25:
26:
27:
28:
29:
30:
31:
32:
33:
34:
35:
36:
37:
38:
39:
40:
41:
42:
43:
44:
45:
46:
47:
48:
49:
50:
51:
52:
53:
54:
55:
56:
57:
58:
59:
60:
61:
62:
63:
64:
65:
66:
67:
68:
69:
70:
71:
72:
73:
74:
75:
76:
77:
78:
79:
80:
81:
82:
83:
84:
85:
86:
87:
88:
89:
90:
91:
92:
93:
94:
95:
96:
97:
98:
99:
100:
101:
102:
103:
104:
105:
106:
107:
108:
109:
110:
111:
112:
113:
114:
115:
116:
117:
118:
119:
120:
121:
122:
123:
124:
125:
126:
127:
128:
129:
130:
131:
132:
133:
134:
135:
136:
137:
138:
139:
140:
141:
142:
143:
144:
145:
146:
147:
148:
149:
150:
151:
152:
153:
154:
155:
156:
157:
158:

: Saved
:
ASA Version 8.0(3)
!
hostname ciscoASA
domain-name ciscoasa.com
enable password *** encrypted
names
name 172.16.8.0 thatplace_172
name 192.168.5.0 thatplace_192
dns-guard
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.5.4.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.1.66 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd *** encrypted
boot system disk0:/asa803-k8.bin
boot config disk0:/startup-config
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 10.1.101
 domain-name ciscoasa.com
object-group network DM_INLINE_NETWORK_1
 network-object thatplace_172 255.255.248.0
 network-object thatplace_192 255.255.255.0
object-group network DM_INLINE_NETWORK_2
 network-object thatplace_172 255.255.248.0
 network-object thatplace_192 255.255.255.0
access-list outside_cryptomap extended permit ip any 10.5.4.0 255.255.255.0
access-list outside_cryptomap extended permit ip 10.5.4.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
access-list inside_outbound_nat0 extended permit ip any 10.5.4.0 255.255.255.0
access-list inside_outbound_nat0 extended permit ip 10.5.4.0 255.255.255.0 object-group DM_INLINE_NETWORK_2
access-list outside_cryptomap_dyn extended permit ip any 10.5.4.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool remote_vpn_pool 10.5.4.6-10.5.4.15 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 192.168.1.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map0 1 match address outside_cryptomap
crypto map outside_map0 1 set peer 6.4.2.158
crypto map outside_map0 1 set transform-set ESP-3DES-MD5
crypto map outside_map0 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map0 interface outside
crypto isakmp enable outside
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp nat-traversal 30
telnet 0.0.0.0 0.0.0.0 inside
telnet 0.0.0.0 0.0.0.0 outside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd dns 10.1.101
dhcpd auto_config outside
!
dhcpd address 10.5.4.16-10.5.4.35 inside
dhcpd auto_config outside interface inside
dhcpd enable inside
!
 
threat-detection basic-threat
threat-detection statistics access-list
ntp server 64.90.182.55 source outside
username administrator password *** encrypted privilege 15
tunnel-group 6.4.2.158 type ipsec-l2l
tunnel-group 6.4.2.158 ipsec-attributes
 pre-shared-key *
tunnel-group TunnelGroup1 type remote-access
tunnel-group TunnelGroup1 general-attributes
 address-pool remote_vpn_pool
tunnel-group TunnelGroup1 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
 
: end
[+][-]04.10.2008 at 08:41PM PDT, ID: 21331253

At Experts Exchange, members can ask their questions to thousands of technology professionals, also known as Experts. Experts compete and collaborate to answer those questions by leaving comments like this one.

Start your 7-day free trial to view this Expert Comment or ask the Experts your question.

 
[+][-]04.11.2008 at 06:21AM PDT, ID: 21333946

Often, when Experts are collaborating with members who have asked questions, they will request additional information about the problem. Askers respond with an author comment like this one.

Start your 7-day free trial to view this Author Comment or ask the Experts your question.

 
[+][-]04.11.2008 at 06:35AM PDT, ID: 21334064

View this solution now by starting your 7-day free trial. Setting up your free trial is quick, easy, and secure. We will return you to this solution, unlocked, when you're done.

 

About this solution

Zones: Virtual Private Networking (VPN), IPSec Security Protocol, Cisco PIX Firewall
Tags: Cisco, ASA, 5505, site to site vpn
Sign Up Now!
Solution Provided By: arnold
Participating Experts: 1
Solution Grade: B
 
 
 
Loading Advertisement...
20080716-EE-VQP-32 - Hierarchy / EE_QW_2_20070628