Question

Need help with Cisco ASA VPN

Asked by: bouncyfires

I'm currently attempting to replace a Sonicwall TZ150 with a Cisco ASA 5505. With the configuration I've posted, users can get in from outside to the terminal server, but computers can't get out to the internet, nor is the vpn tunnel able to be established.

Here are the parameters I've been given for the VPN tunnel:
Phase 1:
Authentication: Pre-shared
Encryption: 3DES
Hash: SHA
DH: 1
Lifetime: 86400

Phase 2:
ESP encryption: 3DES
ESP Authentication
Lifetime 28800

The config has been edited to protect my public IP.
Thanks in advance.


Asked on: 2009-03-27 at 06:25:42 (ID 24270944)
Topics: Virtual Private Networking (VPN), Networking Hardware
Participating Experts: 2
Points: 500
Comments: 21



Answers

 

by: JFrederick29, posted on 2009-03-27 at 06:51:41, ID: 24000825

Add this to get Internet working:

global (outside) 1 interface

For the VPN, post a "show cry isa sa" and a "show crypto ipsec sa" after initiating traffic from the 192.168.168.4 host to a 192.168.50.x host.

 

by: bouncyfires, posted on 2009-03-27 at 07:08:37, ID: 24001013

Thanks, will try it out around 4pm EST today.

 

by: bouncyfires, posted on 2009-03-27 at 14:01:18, ID: 24005450

show cry isa sa gives the following when trying to establish:
1   IKE Peer: xx.xxx.xx.108
   Type    : L2L             Role    : initiator
   Rekey   : no              State   : MM_WAIT_MSG6
show crypto ipsec sa gives:
There are no ipsec sas

 

by: JFrederick29, posted on 2009-03-27 at 18:29:59, ID: 24006767

Add this to the config:

conf t
crypto map outside_map interface outside

Your settings look good for what they gave you.  Are you supposed to be NAT'ing the 192.168.168.4 host to xxx.xx.xxx.4?

Double check the preshared key by using the command "more system:runn".

 

by: bouncyfires, posted on 2009-03-29 at 06:55:47, ID: 24012728

That line is already added, and yes, 192.168.168.4 is supposed to be NAT'd to xxx.xx.xxx.4. I have also checked and retyped the pre-shared key, so I have no idea at this point what's preventing it from working. Thanks for the help so far.

 

by: TreyH, posted on 2009-03-29 at 19:45:26, ID: 24015700

Not much experience with the ASAs, but shouldn't
nat (inside) 10 access-list cryptomap_acl
instead be:
nat (inside) 0 access-list cryptomap_acl

It would appear that the cryptomap_acl access list is being processed after the "nat (inside) 1 0.0.0.0 0.0.0.0" and therefore the traffic you wish tunneled is instead getting NATted? Again, not an expert on the ASAs, just taking a guess....

 

by: JFrederick29, posted on 2009-03-30 at 04:50:51, ID: 24017886

Let's separate these functions out.

conf t
no access-list cryptomap_acl extended permit ip host 192.168.168.4 object-group remote-vpn-hosts

access-list vpn-policy-nat extended permit ip host 192.168.168.4 object-group remote-vpn-hosts

nat (inside) 10 access-list vpn-policy-nat
no nat (inside) 10 access-list cryptomap_acl

If still not working, have the other end double check their settings.  You can also enable some debugging (capture to a text file using PuTTY or HyperTerminal).

debug crypto isakmp 150
debug crypto ipsec 150

To stop the debug:

undebug all

 

by: bouncyfires, posted on 2009-03-30 at 07:55:11, ID: 24019558

Jfrederick,

That solution didn't work, and I've attached the debug message. Thanks for your help so far.

0006B11C5240(config)# debug crypto isakmp 150
 
0006B11C5240(config)# Mar 30 04:54:59 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Mar 30 04:54:59 [IKEv1]: Group = yy.yyy.yy.108, IP = yy.yyy.yy.108, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Mar 30 04:54:59 [IKEv1]: IP = yy.yyy.yy.108, Received encrypted packet with no matching SA, dropping
Mar 30 04:55:01 [IKEv1]: Group = yy.yyy.yy.108, IP = yy.yyy.yy.108, Duplicate Phase 1 packet detected.  Retransmitting last packet.
Mar 30 04:55:01 [IKEv1]: Group = yy.yyy.yy.108, IP = yy.yyy.yy.108, P1 Retransmit msg dispatched to MM FSM
Mar 30 04:55:01 [IKEv1]: Group = yy.yyy.yy.108, IP = yy.yyy.yy.108, Duplicate Phase 1 packet detected.  Retransmitting last packet.
Mar 30 04:55:01 [IKEv1]: Group = yy.yyy.yy.108, IP = yy.yyy.yy.108, P1 Retransmit msg dispatched to MM FSM
Mar 30 04:55:01 [IKEv1]: Group = yy.yyy.yy.108, IP = yy.yyy.yy.108, Duplicate Phase 1 packet detected.  Retransmitting last packet.
Mar 30 04:55:01 [IKEv1]: Group = yy.yyy.yy.108, IP = yy.yyy.yy.108, P1 Retransmit msg dispatched to MM FSM
Mar 30 04:55:01 [IKEv1 DEBUG]: Group = yy.yyy.yy.108, IP = yy.yyy.yy.108, IKE MM Initiator FSM error history (struct &0x3a492f8)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG6, EV_PROB_AUTH_FAIL-->MM_WAIT_MSG6, EV_RESEND_MSG-->MM_WAIT_MSG6, NullEvent-->MM_SND_MSG5, EV_SND_MSG-->MM_SND_MSG5, EV_START_TMR-->MM_SND_MSG5, EV_RESEND_MSG-->MM_WAIT_MSG6, EV_RESEND_MSG
Mar 30 04:55:01 [IKEv1 DEBUG]: Group = yy.yyy.yy.108, IP = yy.yyy.yy.108, IKE SA MM:3af37ead terminating:  flags 0x0100c022, refcnt 0, tuncnt 0
Mar 30 04:55:01 [IKEv1 DEBUG]: Group = yy.yyy.yy.108, IP = yy.yyy.yy.108, sending delete/delete with reason message
Mar 30 04:55:01 [IKEv1 DEBUG]: Group = yy.yyy.yy.108, IP = yy.yyy.yy.108, constructing blank hash payload
Mar 30 04:55:01 [IKEv1 DEBUG]: Group = yy.yyy.yy.108, IP = yy.yyy.yy.108, constructing IKE delete payload
Mar 30 04:55:01 [IKEv1 DEBUG]: Group = yy.yyy.yy.108, IP = yy.yyy.yy.108, constructing qm hash payload
Mar 30 04:55:01 [IKEv1]: IP = yy.yyy.yy.108, IKE_DECODE SENDING Message (msgid=c26631a7) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
Mar 30 04:55:01 [IKEv1]: Group = yy.yyy.yy.108, IP = yy.yyy.yy.108, Removing peer from peer table failed, no match!
Mar 30 04:55:01 [IKEv1]: Group = yy.yyy.yy.108, IP = yy.yyy.yy.108, Error: Unable to remove PeerTblEntry
Mar 30 04:55:04 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Mar 30 04:55:04 [IKEv1]: IP = yy.yyy.yy.108, IKE Initiator: New Phase 1, Intf inside, IKE Peer yy.yyy.yy.108  local Proxy Address xxx.xx.xxx.4, remote Proxy Address 192.168.50.83,  Crypto map (outside_map)
Mar 30 04:55:04 [IKEv1 DEBUG]: IP = yy.yyy.yy.108, constructing ISAKMP SA payload
Mar 30 04:55:04 [IKEv1 DEBUG]: IP = yy.yyy.yy.108, constructing Fragmentation VID + extended capabilities payload
Mar 30 04:55:04 [IKEv1]: IP = yy.yyy.yy.108, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
Mar 30 04:55:04 [IKEv1]: IP = yy.yyy.yy.108, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
Mar 30 04:55:04 [IKEv1 DEBUG]: IP = yy.yyy.yy.108, processing SA payload
Mar 30 04:55:04 [IKEv1 DEBUG]: IP = yy.yyy.yy.108, Oakley proposal is acceptable
Mar 30 04:55:04 [IKEv1 DEBUG]: IP = yy.yyy.yy.108, processing VID payload
Mar 30 04:55:04 [IKEv1 DEBUG]: IP = yy.yyy.yy.108, Received Fragmentation VID
Mar 30 04:55:04 [IKEv1 DEBUG]: IP = yy.yyy.yy.108, IKE Peer included IKE fragmentation capability flags:  Main Mode:        True  Aggressive Mode:  True
Mar 30 04:55:04 [IKEv1 DEBUG]: IP = yy.yyy.yy.108, constructing ke payload
Mar 30 04:55:04 [IKEv1 DEBUG]: IP = yy.yyy.yy.108, constructing nonce payload
Mar 30 04:55:04 [IKEv1 DEBUG]: IP = yy.yyy.yy.108, constructing Cisco Unity VID payload
Mar 30 04:55:04 [IKEv1 DEBUG]: IP = yy.yyy.yy.108, constructing xauth V6 VID payload
Mar 30 04:55:04 [IKEv1 DEBUG]: IP = yy.yyy.yy.108, Send IOS VID
Mar 30 04:55:04 [IKEv1 DEBUG]: IP = yy.yyy.yy.108, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Mar 30 04:55:04 [IKEv1 DEBUG]: IP = yy.yyy.yy.108, constructing VID payload
Mar 30 04:55:04 [IKEv1 DEBUG]: IP = yy.yyy.yy.108, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Mar 30 04:55:04 [IKEv1]: IP = yy.yyy.yy.108, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 224
Mar 30 04:55:04 [IKEv1]: IP = yy.yyy.yy.108, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 224
Mar 30 04:55:04 [IKEv1 DEBUG]: IP = yy.yyy.yy.108, processing ke payload
Mar 30 04:55:04 [IKEv1 DEBUG]: IP = yy.yyy.yy.108, processing ISA_KE payload
Mar 30 04:55:04 [IKEv1 DEBUG]: IP = yy.yyy.yy.108, processing nonce payload
Mar 30 04:55:04 [IKEv1 DEBUG]: IP = yy.yyy.yy.108, processing VID payload
Mar 30 04:55:04 [IKEv1 DEBUG]: IP = yy.yyy.yy.108, Received Cisco Unity client VID
Mar 30 04:55:04 [IKEv1 DEBUG]: IP = yy.yyy.yy.108, processing VID payload
Mar 30 04:55:04 [IKEv1 DEBUG]: IP = yy.yyy.yy.108, Received xauth V6 VID
Mar 30 04:55:04 [IKEv1 DEBUG]: IP = yy.yyy.yy.108, processing VID payload
Mar 30 04:55:04 [IKEv1 DEBUG]: IP = yy.yyy.yy.108, Processing VPN3000/ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Mar 30 04:55:04 [IKEv1 DEBUG]: IP = yy.yyy.yy.108, processing VID payload
Mar 30 04:55:04 [IKEv1 DEBUG]: IP = yy.yyy.yy.108, Received Altiga/Cisco VPN3000/Cisco ASA GW VID
Mar 30 04:55:04 [IKEv1]: IP = yy.yyy.yy.108, Connection landed on tunnel_group yy.yyy.yy.108
Mar 30 04:55:04 [IKEv1 DEBUG]: Group = yy.yyy.yy.108, IP = yy.yyy.yy.108, Generating keys for Initiator...
Mar 30 04:55:04 [IKEv1 DEBUG]: Group = yy.yyy.yy.108, IP = yy.yyy.yy.108, constructing ID payload
Mar 30 04:55:04 [IKEv1 DEBUG]: Group = yy.yyy.yy.108, IP = yy.yyy.yy.108, constructing hash payload
Mar 30 04:55:04 [IKEv1 DEBUG]: Group = yy.yyy.yy.108, IP = yy.yyy.yy.108, Computing hash for ISAKMP
Mar 30 04:55:04 [IKEv1 DEBUG]: IP = yy.yyy.yy.108, Constructing IOS keep alive payload: proposal=32767/32767 sec.
Mar 30 04:55:04 [IKEv1 DEBUG]: Group = yy.yyy.yy.108, IP = yy.yyy.yy.108, constructing dpd vid payload
Mar 30 04:55:04 [IKEv1]: IP = yy.yyy.yy.108, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 96
Mar 30 04:55:09 [IKEv1]: IP = yy.yyy.yy.108, Received encrypted packet with no matching SA, dropping
Mar 30 04:55:10 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Mar 30 04:55:10 [IKEv1]: Group = yy.yyy.yy.108, IP = yy.yyy.yy.108, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Mar 30 04:55:13 [IKEv1]: Group = yy.yyy.yy.108, IP = yy.yyy.yy.108, Duplicate Phase 1 packet detected.  Retransmitting last packet.
Mar 30 04:55:13 [IKEv1]: Group = yy.yyy.yy.108, IP = yy.yyy.yy.108, P1 Retransmit msg dispatched to MM FSM
Mar 30 04:55:13 [IKEv1]: Group = yy.yyy.yy.108, IP = yy.yyy.yy.108, Duplicate Phase 1 packet detected.  Retransmitting last packet.
Mar 30 04:55:13 [IKEv1]: Group = yy.yyy.yy.108, IP = yy.yyy.yy.108, P1 Retransmit msg dispatched to MM FSM
Mar 30 04:55:13 [IKEv1]: Group = yy.yyy.yy.108, IP = yy.yyy.yy.108, Duplicate Phase 1 packet detected.  Retransmitting last packet.
Mar 30 04:55:13 [IKEv1]: Group = yy.yyy.yy.108, IP = yy.yyy.yy.108, P1 Retransmit msg dispatched to MM FSM
Mar 30 04:55:13 [IKEv1 DEBUG]: Group = yy.yyy.yy.108, IP = yy.yyy.yy.108, IKE MM Initiator FSM error history (struct &0x3a492f8)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG6, EV_PROB_AUTH_FAIL-->MM_WAIT_MSG6, EV_RESEND_MSG-->MM_WAIT_MSG6, NullEvent-->MM_SND_MSG5, EV_SND_MSG-->MM_SND_MSG5, EV_START_TMR-->MM_SND_MSG5, EV_RESEND_MSG-->MM_WAIT_MSG6, EV_RESEND_MSG
Mar 30 04:55:13 [IKEv1 DEBUG]: Group = yy.yyy.yy.108, IP = yy.yyy.yy.108, IKE SA MM:1e12f6f8 terminating:  flags 0x0100c022, refcnt 0, tuncnt 0
Mar 30 04:55:13 [IKEv1 DEBUG]: Group = yy.yyy.yy.108, IP = yy.yyy.yy.108, sending delete/delete with reason message
Mar 30 04:55:13 [IKEv1 DEBUG]: Group = yy.yyy.yy.108, IP = yy.yyy.yy.108, constructing blank hash payload
Mar 30 04:55:13 [IKEv1 DEBUG]: Group = yy.yyy.yy.108, IP = yy.yyy.yy.108, constructing IKE delete payload
Mar 30 04:55:13 [IKEv1 DEBUG]: Group = yy.yyy.yy.108, IP = yy.yyy.yy.108, constructing qm hash payload
Mar 30 04:55:13 [IKEv1]: IP = yy.yyy.yy.108, IKE_DECODE SENDING Message (msgid=861ae908) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
Mar 30 04:55:13 [IKEv1]: Group = yy.yyy.yy.108, IP = yy.yyy.yy.108, Removing peer from peer table failed, no match!
Mar 30 04:55:13 [IKEv1]: Group = yy.yyy.yy.108, IP = yy.yyy.yy.108, Error: Unable to remove PeerTblEntry
Mar 30 04:55:15 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Mar 30 04:55:15 [IKEv1]: IP = yy.yyy.yy.108, IKE Initiator: New Phase 1, Intf inside, IKE Peer yy.yyy.yy.108  local Proxy Address xxx.xx.xxx.4, remote Proxy Address 192.168.50.83,  Crypto map (outside_map)
Mar 30 04:55:15 [IKEv1 DEBUG]: IP = yy.yyy.yy.108, constructing ISAKMP SA payload
Mar 30 04:55:15 [IKEv1 DEBUG]: IP = yy.yyy.yy.108, constructing Fragmentation VID + extended capabilities payload
Mar 30 04:55:15 [IKEv1]: IP = yy.yyy.yy.108, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
Mar 30 04:55:15 [IKEv1]: IP = yy.yyy.yy.108, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
Mar 30 04:55:15 [IKEv1 DEBUG]: IP = yy.yyy.yy.108, processing SA payload
Mar 30 04:55:15 [IKEv1 DEBUG]: IP = yy.yyy.yy.108, Oakley proposal is acceptable
Mar 30 04:55:15 [IKEv1 DEBUG]: IP = yy.yyy.yy.108, processing VID payload
Mar 30 04:55:15 [IKEv1 DEBUG]: IP = yy.yyy.yy.108, Received Fragmentation VID
Mar 30 04:55:15 [IKEv1 DEBUG]: IP = yy.yyy.yy.108, IKE Peer included IKE fragmentation capability flags:  Main Mode:        True  Aggressive Mode:  True
Mar 30 04:55:15 [IKEv1 DEBUG]: IP = yy.yyy.yy.108, constructing ke payload
Mar 30 04:55:15 [IKEv1 DEBUG]: IP = yy.yyy.yy.108, constructing nonce payload
Mar 30 04:55:15 [IKEv1 DEBUG]: IP = yy.yyy.yy.108, constructing Cisco Unity VID payload
Mar 30 04:55:15 [IKEv1 DEBUG]: IP = yy.yyy.yy.108, constructing xauth V6 VID payload
Mar 30 04:55:15 [IKEv1 DEBUG]: IP = yy.yyy.yy.108, Send IOS VID
Mar 30 04:55:15 [IKEv1 DEBUG]: IP = yy.yyy.yy.108, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Mar 30 04:55:15 [IKEv1 DEBUG]: IP = yy.yyy.yy.108, constructing VID payload
Mar 30 04:55:15 [IKEv1 DEBUG]: IP = yy.yyy.yy.108, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Mar 30 04:55:15 [IKEv1]: IP = yy.yyy.yy.108, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 224
Mar 30 04:55:15 [IKEv1]: IP = yy.yyy.yy.108, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 224
Mar 30 04:55:15 [IKEv1 DEBUG]: IP = yy.yyy.yy.108, processing ke payload
Mar 30 04:55:15 [IKEv1 DEBUG]: IP = yy.yyy.yy.108, processing ISA_KE payload
Mar 30 04:55:15 [IKEv1 DEBUG]: IP = yy.yyy.yy.108, processing nonce payload
Mar 30 04:55:15 [IKEv1 DEBUG]: IP = yy.yyy.yy.108, processing VID payload
Mar 30 04:55:15 [IKEv1 DEBUG]: IP = yy.yyy.yy.108, Received Cisco Unity client VID
Mar 30 04:55:15 [IKEv1 DEBUG]: IP = yy.yyy.yy.108, processing VID payload
Mar 30 04:55:15 [IKEv1 DEBUG]: IP = yy.yyy.yy.108, Received xauth V6 VID
Mar 30 04:55:15 [IKEv1 DEBUG]: IP = yy.yyy.yy.108, processing VID payload
Mar 30 04:55:15 [IKEv1 DEBUG]: IP = yy.yyy.yy.108, Processing VPN3000/ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Mar 30 04:55:15 [IKEv1 DEBUG]: IP = yy.yyy.yy.108, processing VID payload
Mar 30 04:55:15 [IKEv1 DEBUG]: IP = yy.yyy.yy.108, Received Altiga/Cisco VPN3000/Cisco ASA GW VID
Mar 30 04:55:15 [IKEv1]: IP = yy.yyy.yy.108, Connection landed on tunnel_group yy.yyy.yy.108
Mar 30 04:55:15 [IKEv1 DEBUG]: Group = yy.yyy.yy.108, IP = yy.yyy.yy.108, Generating keys for Initiator...
Mar 30 04:55:15 [IKEv1 DEBUG]: Group = yy.yyy.yy.108, IP = yy.yyy.yy.108, constructing ID payload
Mar 30 04:55:15 [IKEv1 DEBUG]: Group = yy.yyy.yy.108, IP = yy.yyy.yy.108, constructing hash payload
Mar 30 04:55:15 [IKEv1 DEBUG]: Group = yy.yyy.yy.108, IP = yy.yyy.yy.108, Computing hash for ISAKMP
Mar 30 04:55:15 [IKEv1 DEBUG]: IP = yy.yyy.yy.108, Constructing IOS keep alive payload: proposal=32767/32767 sec.
Mar 30 04:55:15 [IKEv1 DEBUG]: Group = yy.yyy.yy.108, IP = yy.yyy.yy.108, constructing dpd vid payload
Mar 30 04:55:15 [IKEv1]: IP = yy.yyy.yy.108, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 96
Mar 30 04:55:21 [IKEv1]: IP = yy.yyy.yy.108, Received encrypted packet with no matching SA, dropping
Mar 30 04:55:23 [IKEv1]: Group = yy.yyy.yy.108, IP = yy.yyy.yy.108, Duplicate Phase 1 packet detected.  Retransmitting last packet.
Mar 30 04:55:23 [IKEv1]: Group = yy.yyy.yy.108, IP = yy.yyy.yy.108, P1 Retransmit msg dispatched to MM FSM
Mar 30 04:55:24 [IKEv1]: Group = yy.yyy.yy.108, IP = yy.yyy.yy.108, Duplicate Phase 1 packet detected.  Retransmitting last packet.
Mar 30 04:55:24 [IKEv1]: Group = yy.yyy.yy.108, IP = yy.yyy.yy.108, P1 Retransmit msg dispatched to MM FSM
Mar 30 04:55:24 [IKEv1]: Group = yy.yyy.yy.108, IP = yy.yyy.yy.108, Duplicate Phase 1 packet detected.  Retransmitting last packet.
Mar 30 04:55:24 [IKEv1]: Group = yy.yyy.yy.108, IP = yy.yyy.yy.108, P1 Retransmit msg dispatched to MM FSM
Mar 30 04:55:24 [IKEv1 DEBUG]: Group = yy.yyy.yy.108, IP = yy.yyy.yy.108, IKE MM Initiator FSM error history (struct &0x3a492f8)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG6, EV_PROB_AUTH_FAIL-->MM_WAIT_MSG6, EV_RESEND_MSG-->MM_WAIT_MSG6, NullEvent-->MM_SND_MSG5, EV_SND_MSG-->MM_SND_MSG5, EV_START_TMR-->MM_SND_MSG5, EV_RESEND_MSG-->MM_WAIT_MSG6, EV_RESEND_MSG
Mar 30 04:55:24 [IKEv1 DEBUG]: Group = yy.yyy.yy.108, IP = yy.yyy.yy.108, IKE SA MM:b6afde7a terminating:  flags 0x0100c022, refcnt 0, tuncnt 0
Mar 30 04:55:24 [IKEv1 DEBUG]: Group = yy.yyy.yy.108, IP = yy.yyy.yy.108, sending delete/delete with reason message
Mar 30 04:55:24 [IKEv1 DEBUG]: Group = yy.yyy.yy.108, IP = yy.yyy.yy.108, constructing blank hash payload
Mar 30 04:55:24 [IKEv1 DEBUG]: Group = yy.yyy.yy.108, IP = yy.yyy.yy.108, constructing IKE delete payload
Mar 30 04:55:24 [IKEv1 DEBUG]: Group = yy.yyy.yy.108, IP = yy.yyy.yy.108, constructing qm hash payload
Mar 30 04:55:24 [IKEv1]: IP = yy.yyy.yy.108, IKE_DECODE SENDING Message (msgid=228c5c75) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
Mar 30 04:55:24 [IKEv1]: Group = yy.yyy.yy.108, IP = yy.yyy.yy.108, Removing peer from peer table failed, no match!
Mar 30 04:55:24 [IKEv1]: Group = yy.yyy.yy.108, IP = yy.yyy.yy.108, Error: Unable to remove PeerTblEntry
Mar 30 04:55:32 [IKEv1]: IP = yy.yyy.yy.108, Received encrypted packet with no matching SA, dropping
undebug all
 
0006B11C5240(config)#


 

by: JFrederick29, posted on 2009-03-30 at 08:00:38, ID: 24019629

Hmm, Phase 1 doesn't complete so you may want to contact the other side of the tunnel and verify settings.  Do you control the other side?  Can you get the config from the other side?

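The capture above is the classic signature of a main-mode tunnel that dies at authentication: the ASA is the initiator, `show crypto isakmp sa` sits in MM_WAIT_MSG6, the FSM error history contains EV_PROB_AUTH_FAIL, and encrypted packets from the peer keep arriving for an SA the ASA has already torn down. Read together, those three facts say that UDP/500 reachability is fine and that the responder could not authenticate our MSG5 (pre-shared key mismatch, or the peer has our public address wrong and so picked the wrong tunnel-group and key). The script below is an added example, not code from the thread: it parses `show crypto isakmp sa` and `debug crypto isakmp` text in the ASA 8.x format shown above and reports the likely causes. The sample text is constructed from the thread's output with the peer masked as 198.51.100.108 (a documentation address); the state-to-cause mapping is the standard reading of Cisco's initiator-side MM_WAIT states.

```python
"""Triage an IKEv1 main-mode site-to-site tunnel that never reaches MM_ACTIVE,
from 'show crypto isakmp sa' and 'debug crypto isakmp' text captured on a
Cisco ASA 8.x.  Added example, not code from the thread; the sample text is
constructed from the thread's output with the peer masked as 198.51.100.108."""
import re
from dataclasses import dataclass, field

# Initiator-side wait states.  MSG1/2 carry the SA proposal, MSG3/4 the DH key
# exchange and nonces, MSG5/6 the encrypted identity + authentication hash.
INITIATOR_WAIT_STATES = {
    "MM_WAIT_MSG2": "no reply to our proposal: peer unreachable, UDP/500 filtered, "
                    "or the peer has no tunnel configured for our address",
    "MM_WAIT_MSG4": "proposal accepted but the key-exchange reply (MSG4) never arrived; "
                    "MSG3/4 are the largest IKE packets, so check fragmentation and loss",
    "MM_WAIT_MSG6": "our encrypted ID/hash (MSG5) was never answered: the responder "
                    "could not authenticate us, i.e. pre-shared key mismatch, or it "
                    "has our public address wrong and landed in the wrong or no "
                    "tunnel-group",
}


@dataclass
class IkeTriage:
    role: str = ""
    state: str = ""
    auth_fail: bool = False       # EV_PROB_AUTH_FAIL in the MM FSM error history
    peer_replies: int = 0         # encrypted packets from the peer that matched no SA
    retransmits: int = 0          # "Duplicate Phase 1 packet ... Retransmitting"
    likely_causes: list = field(default_factory=list)


ROLE_RE = re.compile(r"Role\s*:\s*(\w+)")
STATE_RE = re.compile(r"State\s*:\s*(\w+)")


def triage(show_isakmp_sa: str, debug_output: str) -> IkeTriage:
    t = IkeTriage()
    m = ROLE_RE.search(show_isakmp_sa)
    if m:
        t.role = m.group(1)
    m = STATE_RE.search(show_isakmp_sa)
    if m:
        t.state = m.group(1)
    t.auth_fail = "EV_PROB_AUTH_FAIL" in debug_output
    t.peer_replies = debug_output.count("Received encrypted packet with no matching SA")
    t.retransmits = debug_output.count("Duplicate Phase 1 packet detected")
    if t.state == "MM_ACTIVE":
        t.likely_causes.append("phase 1 is up; look at phase 2 (proxy IDs, transform set)")
        return t
    if t.role == "initiator" and t.state in INITIATOR_WAIT_STATES:
        t.likely_causes.append(INITIATOR_WAIT_STATES[t.state])
    if t.peer_replies:
        t.likely_causes.append("the peer does send us encrypted IKE packets, so UDP/500 "
                               "reachability is fine; this is a configuration mismatch")
    if t.auth_fail:
        t.likely_causes.append("check the pre-shared key on both ends and that the peer's "
                               "crypto map / tunnel-group names OUR real public address")
    return t


# Constructed sample, shortened from the thread's capture (peer masked).
SAMPLE_SHOW_SA = """1   IKE Peer: 198.51.100.108
   Type    : L2L             Role    : initiator
   Rekey   : no              State   : MM_WAIT_MSG6"""

SAMPLE_DEBUG = """\
[IKEv1]: IP = 198.51.100.108, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 96
[IKEv1]: IP = 198.51.100.108, Received encrypted packet with no matching SA, dropping
[IKEv1]: Group = 198.51.100.108, IP = 198.51.100.108, Duplicate Phase 1 packet detected.  Retransmitting last packet.
[IKEv1]: Group = 198.51.100.108, IP = 198.51.100.108, Duplicate Phase 1 packet detected.  Retransmitting last packet.
[IKEv1]: Group = 198.51.100.108, IP = 198.51.100.108, Duplicate Phase 1 packet detected.  Retransmitting last packet.
[IKEv1 DEBUG]: Group = 198.51.100.108, IP = 198.51.100.108, IKE MM Initiator FSM error history  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG6, EV_PROB_AUTH_FAIL-->MM_WAIT_MSG6, EV_RESEND_MSG
[IKEv1 DEBUG]: Group = 198.51.100.108, IP = 198.51.100.108, IKE SA MM:3af37ead terminating:  flags 0x0100c022, refcnt 0, tuncnt 0
[IKEv1]: IP = 198.51.100.108, Received encrypted packet with no matching SA, dropping
"""

if __name__ == "__main__":
    for cause in triage(SAMPLE_SHOW_SA, SAMPLE_DEBUG).likely_causes:
        print("-", cause)
```

Run against the thread's own capture (with the real peer address) it reports the same three findings. The resolution posted later in the thread, that the partner had the asker's public IP wrong, is exactly the "peer has our public address wrong" branch: with pre-shared-key authentication the responder selects the key by the initiator's source address, so a wrong address on their side fails MSG5 even when both keys are typed correctly.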
 

by: bouncyfires, posted on 2009-03-30 at 08:06:32, ID: 24019689

I do not control the other side, I only have the parameters that they provided me. Here are the full instructions they gave me:
Our endpoint is: yyy.yy.yyy.108
Our network is: 192.168.50.0 (255.255.255.0)
clinic will need to make ACL from xxx.xx.xxx.4  to host 192.168.50.83 and 192.168.50.86, if portal is used 192.168.50.50
clinic will need to NAT interesting traffic to xxx.xx.xxx.0 255.255.255.0

Phase 1
Authentication: Pre-Shared
Encryption: 3DES
Hash: SHA
DH: 1
Lifetime: 86400 sec
Pre-shared Key: xxxxxxxxxxxxxxxxxxx

Phase2
ESP encryption 3DES
ESP authentication
Lifetime 28800

Thanks,
Dylan

 

by: JFrederick29, posted on 2009-03-30 at 08:18:11, ID: 24019810

You'll need to get clarification from them on which interesting-traffic access-list they are expecting:

What you have:

access-list cryptomap_acl extended permit ip host xxx.xx.xxx.4 host 192.168.50.50
access-list cryptomap_acl extended permit ip host xxx.xx.xxx.4 host 192.168.50.83
access-list cryptomap_acl extended permit ip host xxx.xx.xxx.4 host 192.168.50.86

Or:

access-list cryptomap_acl extended permit ip xxx.xx.xxx.0 255.255.255.0 192.168.50.0 255.255.255.0

 

by: bouncyfires, posted on 2009-03-30 at 09:10:44, ID: 24020303

They've said that they're trying to ping xxx.xx.xxx.4. When I tried the alternative access-list you provided, Phase 1 didn't even initiate, so I assume what I have is correct. Could anything else be wrong on my side?

 

by: JFrederick29, posted on 2009-03-30 at 09:13:47, ID: 24020329

With your config, they can't ping xxx.xx.xxx.4.  With your config, the 192.168.168.4 host can only initiate traffic to the 192.168.50.x hosts, can you ping 192.168.50.50?  If they need to initiate communication to the 192.168.168.4/xxx.xx.xxx.4 host, you need to use a static NAT with an access-list.  So, when you leave an extended ping from the 192.168.168.4 host to 192.168.50.50, can you post a new "show cry isa sa" and "show cry ipsec sa"?

 

by: bouncyfires, posted on 2009-03-30 at 10:59:45, ID: 24021395

They do want to be able to initiate traffic, as they want to test the VPN by pinging xxx.xx.xxx.4. Are you saying that I would need to add a static (inside,outside) statement translating 192.168.168.4 to xxx.xx.xxx.4 and an access-list permitting the 192.168.50.0 hosts to communicate with xxx.xx.xxx.4? If you could provide explicit examples, that'd be great.

 

by: JFrederick29, posted on 2009-03-30 at 11:08:20, ID: 24021488

Here is an example of static NAT based on destination.

no global (outside) 10 xxx.xx.xxx.4
no nat (inside) 10 access-list cryptomap_acl

access-list static-vpn1 permit ip host 192.168.168.4 object-group remote-vpn-hosts
static (inside,outside) xxx.xx.xxx.4 access-list static-vpn1

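Two points in the last several answers are easy to get wrong on a pre-8.3 ASA and worth checking before calling the other side: the crypto-map ACL (and therefore the proxy IDs proposed in phase 2) is written in terms of the address the peer sees, because NAT is applied before the crypto ACL is evaluated; and a policy NAT built from `nat (inside) 10 ... / global (outside) 10` only creates a translation when the inside host initiates, whereas `static (inside,outside) MAPPED access-list ...` is bidirectional and lets the peer ping the mapped address. The script below is an added example, not code from the thread, serving both the interesting-traffic ACL question and the static-NAT answer: it derives the post-NAT proxy identities for a flow, checks that the flow would even be "interesting", and checks whether the peer's ACL mirrors (or at least covers) the proposal. 203.0.113.0/24 stands in for the thread's masked xxx.xx.xxx.0/24 public range; the ACL and NAT data are constructed to match the thread.

```python
"""Predict the IKEv1 proxy identities a Cisco ASA (pre-8.3 NAT syntax) will
propose for an L2L tunnel and check them against the peer's ACL.  NAT is applied
before the crypto-map ACL is evaluated, so the crypto ACL and proxy IDs carry the
MAPPED address, and only a static policy NAT lets the peer initiate to it.
Added example, not code from the thread; 203.0.113.0/24 stands in for the
thread's masked xxx.xx.xxx.0/24."""
from ipaddress import ip_network, IPv4Network
from typing import NamedTuple, Optional, Tuple


class Ace(NamedTuple):                      # one 'permit ip SRC DST' entry
    src: IPv4Network
    dst: IPv4Network


def ace(src: str, dst: str) -> Ace:
    return Ace(ip_network(src, strict=False), ip_network(dst, strict=False))


class PolicyNat(NamedTuple):
    real: IPv4Network                       # inside address being translated
    mapped: IPv4Network                     # address the peer sees
    destinations: Tuple[IPv4Network, ...]   # translate only towards these
    bidirectional: bool                     # static ... access-list: True; nat/global: False


def translate(src: IPv4Network, dst: IPv4Network, nats) -> Tuple[IPv4Network, Optional[PolicyNat]]:
    """Outside-facing source for a flow, plus the NAT rule that produced it."""
    for n in nats:
        if src.subnet_of(n.real) and any(dst.subnet_of(d) for d in n.destinations):
            return n.mapped, n
    return src, None


def match_ace(src: IPv4Network, dst: IPv4Network, acl) -> Optional[Ace]:
    return next((a for a in acl if src.subnet_of(a.src) and dst.subnet_of(a.dst)), None)


def mirror_status(local: Ace, peer_acl) -> str:
    """'exact' if the peer has the swapped entry, 'covered' if a wider peer
    entry contains it (an ASA responder accepts that), else 'none'."""
    if any(p.src == local.dst and p.dst == local.src for p in peer_acl):
        return "exact"
    if any(local.dst.subnet_of(p.src) and local.src.subnet_of(p.dst) for p in peer_acl):
        return "covered"
    return "none"


def check_flow(real_src: str, dst: str, nats, crypto_acl, peer_acl) -> dict:
    s, d = ip_network(real_src), ip_network(dst)
    mapped, rule = translate(s, d, nats)          # NAT first ...
    local = match_ace(mapped, d, crypto_acl)      # ... then the crypto ACL
    return {
        "proxy_src": str(mapped),
        "interesting": local is not None,         # does the flow trigger IKE at all?
        "proxy_ids": (str(local.src), str(local.dst)) if local else None,
        "mirror": mirror_status(local, peer_acl) if local else "none",
        "peer_can_initiate": rule is not None and rule.bidirectional,
    }


# Constructed data modelled on the thread: inside host 192.168.168.4 is shown to
# the partner as 203.0.113.4 and may talk to three partner hosts.
REMOTE_HOSTS = tuple(ip_network(h) for h in ("192.168.50.50", "192.168.50.83", "192.168.50.86"))
CRYPTO_ACL = [Ace(ip_network("203.0.113.4"), h) for h in REMOTE_HOSTS]
PEER_ACL = [Ace(h, ip_network("203.0.113.4")) for h in REMOTE_HOSTS]   # what the partner should have
# nat (inside) 10 access-list vpn-policy-nat  +  global (outside) 10 203.0.113.4
DYNAMIC_NAT = PolicyNat(ip_network("192.168.168.4"), ip_network("203.0.113.4"), REMOTE_HOSTS, False)
# static (inside,outside) 203.0.113.4 access-list static-vpn1
STATIC_NAT = DYNAMIC_NAT._replace(bidirectional=True)

if __name__ == "__main__":
    print(check_flow("192.168.168.4", "192.168.50.83", [STATIC_NAT], CRYPTO_ACL, PEER_ACL))
    print(check_flow("192.168.168.4", "192.168.50.83", [DYNAMIC_NAT], CRYPTO_ACL, PEER_ACL))
```

The two NAT variants produce identical proxy IDs (203.0.113.4/32 to the partner host), which is why swapping `nat/global 10` for the `static` did not change the phase 1 result; the static only matters once the partner wants to initiate the ping. A destination outside the policy ACL is left untranslated and never matches the crypto ACL, so no IKE is triggered for it, and a partner who configured the /24-to-/24 entry instead of per-host entries shows up as "covered" rather than "exact", which works when this side initiates but is worth making identical on both ends.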
 

by: bouncyfires, posted on 2009-03-30 at 11:41:37, ID: 24021834

I receive the same message from sh cry isa sa with that configuration, it's still not getting past phase 1.

 

by: JFrederick29, posted on 2009-03-30 at 11:45:12, ID: 24021876

Yeah, something is wrong fundamentally, policy mismatch, key mismatch, etc...

Try adding this:

crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

If still not working, they'll need to confirm their side is setup correctly as your config is fine.

 

by: bouncyfires, posted on 2009-03-30 at 12:24:01, ID: 24022296

Still the same message from sh cry isa sa:
1   IKE Peer: yy.yyy.yy.108
   Type    : L2L             Role    : initiator
   Rekey   : no              State   : MM_WAIT_MSG6

I will double-check with them to make sure their side is setup correctly.

Thanks for your help so far,
Dylan

 

by: bouncyfires, posted on 2009-03-31 at 11:42:45, ID: 24032161

Turns out they had my public IP wrong, thanks for the assistance.

 

by: JFrederick29, posted on 2009-03-31 at 11:44:03, ID: 24032172

Glad to hear.
