ASA5510 Site-to-site VPN
I am in the process of migrating my site-to-site VPN traffic from a PIX506e to an ASA5510 at our main office. The current site-to-site is between the PIX506e at the main site and a PIX501 at the remote site and it works like a charm. When I attempt to move the site-to-site to the ASA5510 the tunnel does not establish.
I used ADSM to configure the ASA5510 and this is the config running on it:
--------------------------
ASA Version 7.2(3)
!
hostname dsm-asa9
domain-name domain.com
enable password Hd9lqPrsUVLyGqGl encrypted
names
!
interface Ethernet0/0
description Outside facing internet
nameif outside
security-level 0
ip address xxx.xxx.xxx.233 255.255.255.240
!
interface Ethernet0/1
description Inside facing LAN
nameif inside
security-level 100
ip address 172.16.100.9 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd Iaj4vgQsIpB649yp encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name domain.com
access-list outside_1_cryptomap extended permit ip 172.16.0.0 255.255.0.0 172.16.120.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.255.0.0 172.16.120.0 255.255.255.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list inside_nat0_outbound
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.238 1
route inside 170.102.0.0 255.255.0.0 172.16.100.1 1
route inside xxx.xxx.xxx.64 255.255.255.192 172.16.100.50 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 172.16.100.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer xxx.xxx.xxx.91
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 2400
telnet 172.16.100.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
tunnel-group xxx.xxx.xxx.91 type ipsec-l2l
tunnel-group xxx.xxx.xxx.91 ipsec-attributes
pre-shared-key *
prompt hostname context
Cryptochecksum:c39b1734d7f
: end
--------------------------
Here's the config for the remote end PIX501:
--------------------------
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password Hd9lqPrsUVLyGqGl encrypted
passwd Iaj4vgQsIpB649yp encrypted
hostname car-pix
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list crypto2 permit ip 172.16.120.0 255.255.255.0 172.16.100.0 255.255.255.0
access-list crypto2 permit ip 172.16.120.0 255.255.255.0 206.94.93.64 255.255.255.192
access-list crypto2 permit ip 172.16.120.0 255.255.255.0 170.102.0.0 255.255.0.0
pager lines 24
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside xxx.xxx.xxx.91 255.255.255.248
ip address inside 172.16.120.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list crypto2
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.91 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 172.16.120.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto map pix2map 10 ipsec-isakmp
crypto map pix2map 10 match address crypto2
crypto map pix2map 10 set peer xxx.xxx.xxx.233
crypto map pix2map 10 set transform-set myset
crypto map pix2map interface outside
isakmp enable outside
isakmp key ******** address xxx.xxx.xxx.233 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 2400
telnet 172.16.120.0 255.255.255.0 inside
telnet 172.16.100.0 255.255.255.0 inside
telnet 172.16.110.0 255.255.255.0 inside
telnet timeout 15
ssh timeout 5
management-access inside
console timeout 0
dhcpd address 172.16.120.100-172.16.120.
dhcpd dns 172.16.100.12
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 80
Cryptochecksum:26f65baa4dd
: end
--------------------------
Here is the isakmp debug I receive on the ASA5510:
--------------------------
Jun 25 07:23:22 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jun 25 07:23:22 [IKEv1]: IP = xxx.xxx.xxx.91, IKE Initiator: New Phase 1, Intf inside, IKE Peer xxx.xxx.xxx.91 local Proxy Address 172.16.0.0, remote Proxy Address 172.16.120.0, Crypto map (outside_map)
Jun 25 07:23:22 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.91, constructing ISAKMP SA payload
Jun 25 07:23:22 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.91, constructing Fragmentation VID + extended capabilities payload
Jun 25 07:23:22 [IKEv1]: IP = xxx.xxx.xxx.91, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
Jun 25 07:23:23 [IKEv1]: IP = xxx.xxx.xxx.91, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + NONE (0) total length : 80
Jun 25 07:23:23 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.91, processing SA payload
Jun 25 07:23:23 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.91, Oakley proposal is acceptable
Jun 25 07:23:23 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.91, constructing ke payload
Jun 25 07:23:23 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.91, constructing nonce payload
Jun 25 07:23:23 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.91, constructing Cisco Unity VID payload
Jun 25 07:23:23 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.91, constructing xauth V6 VID payload
Jun 25 07:23:23 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.91, Send IOS VID
Jun 25 07:23:23 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.91, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Jun 25 07:23:23 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.91, constructing VID payload
Jun 25 07:23:23 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.91, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Jun 25 07:23:23 [IKEv1]: IP = xxx.xxx.xxx.91, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256
Jun 25 07:23:23 [IKEv1]: IP = xxx.xxx.xxx.91, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256
Jun 25 07:23:23 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.91, processing ke payload
Jun 25 07:23:23 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.91, processing ISA_KE payload
Jun 25 07:23:23 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.91, processing nonce payload
Jun 25 07:23:23 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.91, processing VID payload
Jun 25 07:23:23 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.91, Received xauth V6 VID
Jun 25 07:23:23 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.91, processing VID payload
Jun 25 07:23:23 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.91, Received DPD VID
Jun 25 07:23:23 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.91, processing VID payload
Jun 25 07:23:23 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.91, Received Cisco Unity client VID
Jun 25 07:23:23 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.91, processing VID payload
Jun 25 07:23:23 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.91, Processing IOS/PIX Vendor ID payload (version: 1.0.0, capabilities: 00000025)
Jun 25 07:23:23 [IKEv1]: IP = xxx.xxx.xxx.91, Connection landed on tunnel_group xxx.xxx.xxx.91
Jun 25 07:23:23 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, Generating keys for Initiator...
Jun 25 07:23:23 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, constructing ID payload
Jun 25 07:23:23 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, constructing hash payload
Jun 25 07:23:23 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, Computing hash for ISAKMP
Jun 25 07:23:23 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.91, Constructing IOS keep alive payload: proposal=32767/32767 sec.
Jun 25 07:23:23 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, constructing dpd vid payload
Jun 25 07:23:23 [IKEv1]: IP = xxx.xxx.xxx.91, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 92
Jun 25 07:23:23 [IKEv1]: IP = xxx.xxx.xxx.91, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 63
Jun 25 07:23:23 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, processing ID payload
Jun 25 07:23:23 [IKEv1 DECODE]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, ID_FQDN ID received, len 7
0000: 6361722D 706978 car-pix
Jun 25 07:23:23 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, processing hash payload
Jun 25 07:23:23 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, Computing hash for ISAKMP
Jun 25 07:23:23 [IKEv1]: IP = xxx.xxx.xxx.91, Connection landed on tunnel_group xxx.xxx.xxx.91
Jun 25 07:23:23 [IKEv1]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, Freeing previously allocated memory for authorization-dn-attribute
Jun 25 07:23:23 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, Oakley begin quick mode
Jun 25 07:23:23 [IKEv1 DECODE]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, IKE Initiator starting QM: msg id = e7661a58
Jun 25 07:23:23 [IKEv1]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, PHASE 1 COMPLETED
Jun 25 07:23:23 [IKEv1]: IP = xxx.xxx.xxx.91, Keep-alive type for this connection: DPD
Jun 25 07:23:23 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, Starting P1 rekey timer: 2280 seconds.
Jun 25 07:23:23 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, IKE got SPI from key engine: SPI = 0x7e3bceed
Jun 25 07:23:23 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, oakley constucting quick mode
Jun 25 07:23:23 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, constructing blank hash payload
Jun 25 07:23:23 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, constructing IPSec SA payload
Jun 25 07:23:23 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, constructing IPSec nonce payload
Jun 25 07:23:23 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, constructing proxy ID
Jun 25 07:23:23 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, Transmitting Proxy Id:
Local subnet: 172.16.0.0 mask 255.255.0.0 Protocol 0 Port 0
Remote subnet: 172.16.120.0 Mask 255.255.255.0 Protocol 0 Port 0
Jun 25 07:23:23 [IKEv1 DECODE]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, IKE Initiator sending Initial Contact
Jun 25 07:23:23 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, constructing qm hash payload
Jun 25 07:23:23 [IKEv1 DECODE]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, IKE Initiator sending 1st QM pkt: msg id = e7661a58
Jun 25 07:23:23 [IKEv1]: IP = xxx.xxx.xxx.91, IKE_DECODE SENDING Message (msgid=e7661a58) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 192
Jun 25 07:23:23 [IKEv1]: IP = xxx.xxx.xxx.91, IKE_DECODE RECEIVED Message (msgid=68e3d755) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 76
Jun 25 07:23:23 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, processing hash payload
Jun 25 07:23:23 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, processing notify payload
Jun 25 07:23:23 [IKEv1]: IP = xxx.xxx.xxx.91, IKE_DECODE RECEIVED Message (msgid=139770f9) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 124
Jun 25 07:23:23 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, processing hash payload
Jun 25 07:23:23 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, processing notify payload
Jun 25 07:23:23 [IKEv1]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, Received non-routine Notify message: No proposal chosen (14)
Jun 25 07:23:27 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jun 25 07:23:33 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jun 25 07:23:38 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jun 25 07:23:42 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, Sending keep-alive of type DPD R-U-THERE (seq number 0x6a1bc326)
Jun 25 07:23:42 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, constructing blank hash payload
Jun 25 07:23:42 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, constructing qm hash payload
Jun 25 07:23:42 [IKEv1]: IP = xxx.xxx.xxx.91, IKE_DECODE SENDING Message (msgid=687384fc) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80
Jun 25 07:23:42 [IKEv1]: IP = xxx.xxx.xxx.91, IKE_DECODE RECEIVED Message (msgid=8f2dcef5) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80
Jun 25 07:23:42 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, processing hash payload
Jun 25 07:23:42 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, processing notify payload
Jun 25 07:23:42 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0x6a1bc326)
Jun 25 07:23:52 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, Sending keep-alive of type DPD R-U-THERE (seq number 0x6a1bc327)
Jun 25 07:23:52 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, constructing blank hash payload
Jun 25 07:23:52 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, constructing qm hash payload
Jun 25 07:23:52 [IKEv1]: IP = xxx.xxx.xxx.91, IKE_DECODE SENDING Message (msgid=6a9f4252) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80
Jun 25 07:23:52 [IKEv1]: IP = xxx.xxx.xxx.91, IKE_DECODE RECEIVED Message (msgid=211ee8b0) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80
Jun 25 07:23:52 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, processing hash payload
Jun 25 07:23:52 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, processing notify payload
Jun 25 07:23:52 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0x6a1bc327)
Jun 25 07:23:55 [IKEv1]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, QM FSM error (P2 struct &0x1fa9b90, mess id 0xe7661a58)!
Jun 25 07:23:55 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, IKE QM Initiator FSM error history (struct &0x1fa9b90) <state>, <event>: QM_DONE, EV_ERROR-->QM_WAIT_MSG2, EV_TIMEOUT-->QM_WAIT_MSG2,
Jun 25 07:23:55 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, sending delete/delete with reason message
Jun 25 07:23:55 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, constructing blank hash payload
Jun 25 07:23:55 [IKEv1]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
Jun 25 07:23:55 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, IKE Deleting SA: Remote Proxy 172.16.120.0, Local Proxy 172.16.0.0
Jun 25 07:23:55 [IKEv1]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, Removing peer from correlator table failed, no match!
Jun 25 07:23:55 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, IKE SA MM:37d41ecc rcv'd Terminate: state MM_ACTIVE flags 0x0000c062, refcnt 1, tuncnt 0
Jun 25 07:23:55 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, IKE SA MM:37d41ecc terminating: flags 0x0100c022, refcnt 0, tuncnt 0
Jun 25 07:23:55 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, sending delete/delete with reason message
Jun 25 07:23:55 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, constructing blank hash payload
Jun 25 07:23:55 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, constructing IKE delete payload
Jun 25 07:23:55 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, constructing qm hash payload
Jun 25 07:23:55 [IKEv1]: IP = xxx.xxx.xxx.91, IKE_DECODE SENDING Message (msgid=40d09d59) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 76
Jun 25 07:23:55 [IKEv1 DEBUG]: Pitcher: received key delete msg, spi 0x7e3bceed
--------------------------
I'm no expert but didn't have any of these issues when I setup the PIX to PIX a few years back. Any help is appreciated.
Thanks,
- Brian
I used ADSM to configure the ASA5510 and this is the config running on it:
--------------------------
ASA Version 7.2(3)
!
hostname dsm-asa9
domain-name domain.com
enable password Hd9lqPrsUVLyGqGl encrypted
names
!
interface Ethernet0/0
description Outside facing internet
nameif outside
security-level 0
ip address xxx.xxx.xxx.233 255.255.255.240
!
interface Ethernet0/1
description Inside facing LAN
nameif inside
security-level 100
ip address 172.16.100.9 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd Iaj4vgQsIpB649yp encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name domain.com
access-list outside_1_cryptomap extended permit ip 172.16.0.0 255.255.0.0 172.16.120.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.255.0.0 172.16.120.0 255.255.255.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list inside_nat0_outbound
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.238 1
route inside 170.102.0.0 255.255.0.0 172.16.100.1 1
route inside xxx.xxx.xxx.64 255.255.255.192 172.16.100.50 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 172.16.100.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer xxx.xxx.xxx.91
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 2400
telnet 172.16.100.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
tunnel-group xxx.xxx.xxx.91 type ipsec-l2l
tunnel-group xxx.xxx.xxx.91 ipsec-attributes
pre-shared-key *
prompt hostname context
Cryptochecksum:c39b1734d7f
: end
--------------------------
Here's the config for the remote end PIX501:
--------------------------
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password Hd9lqPrsUVLyGqGl encrypted
passwd Iaj4vgQsIpB649yp encrypted
hostname car-pix
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list crypto2 permit ip 172.16.120.0 255.255.255.0 172.16.100.0 255.255.255.0
access-list crypto2 permit ip 172.16.120.0 255.255.255.0 206.94.93.64 255.255.255.192
access-list crypto2 permit ip 172.16.120.0 255.255.255.0 170.102.0.0 255.255.0.0
pager lines 24
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside xxx.xxx.xxx.91 255.255.255.248
ip address inside 172.16.120.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list crypto2
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.91 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 172.16.120.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto map pix2map 10 ipsec-isakmp
crypto map pix2map 10 match address crypto2
crypto map pix2map 10 set peer xxx.xxx.xxx.233
crypto map pix2map 10 set transform-set myset
crypto map pix2map interface outside
isakmp enable outside
isakmp key ******** address xxx.xxx.xxx.233 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 2400
telnet 172.16.120.0 255.255.255.0 inside
telnet 172.16.100.0 255.255.255.0 inside
telnet 172.16.110.0 255.255.255.0 inside
telnet timeout 15
ssh timeout 5
management-access inside
console timeout 0
dhcpd address 172.16.120.100-172.16.120.
dhcpd dns 172.16.100.12
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 80
Cryptochecksum:26f65baa4dd
: end
--------------------------
Here is the isakmp debug I receive on the ASA5510:
--------------------------
Jun 25 07:23:22 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jun 25 07:23:22 [IKEv1]: IP = xxx.xxx.xxx.91, IKE Initiator: New Phase 1, Intf inside, IKE Peer xxx.xxx.xxx.91 local Proxy Address 172.16.0.0, remote Proxy Address 172.16.120.0, Crypto map (outside_map)
Jun 25 07:23:22 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.91, constructing ISAKMP SA payload
Jun 25 07:23:22 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.91, constructing Fragmentation VID + extended capabilities payload
Jun 25 07:23:22 [IKEv1]: IP = xxx.xxx.xxx.91, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
Jun 25 07:23:23 [IKEv1]: IP = xxx.xxx.xxx.91, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + NONE (0) total length : 80
Jun 25 07:23:23 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.91, processing SA payload
Jun 25 07:23:23 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.91, Oakley proposal is acceptable
Jun 25 07:23:23 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.91, constructing ke payload
Jun 25 07:23:23 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.91, constructing nonce payload
Jun 25 07:23:23 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.91, constructing Cisco Unity VID payload
Jun 25 07:23:23 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.91, constructing xauth V6 VID payload
Jun 25 07:23:23 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.91, Send IOS VID
Jun 25 07:23:23 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.91, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Jun 25 07:23:23 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.91, constructing VID payload
Jun 25 07:23:23 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.91, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Jun 25 07:23:23 [IKEv1]: IP = xxx.xxx.xxx.91, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256
Jun 25 07:23:23 [IKEv1]: IP = xxx.xxx.xxx.91, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256
Jun 25 07:23:23 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.91, processing ke payload
Jun 25 07:23:23 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.91, processing ISA_KE payload
Jun 25 07:23:23 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.91, processing nonce payload
Jun 25 07:23:23 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.91, processing VID payload
Jun 25 07:23:23 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.91, Received xauth V6 VID
Jun 25 07:23:23 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.91, processing VID payload
Jun 25 07:23:23 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.91, Received DPD VID
Jun 25 07:23:23 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.91, processing VID payload
Jun 25 07:23:23 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.91, Received Cisco Unity client VID
Jun 25 07:23:23 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.91, processing VID payload
Jun 25 07:23:23 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.91, Processing IOS/PIX Vendor ID payload (version: 1.0.0, capabilities: 00000025)
Jun 25 07:23:23 [IKEv1]: IP = xxx.xxx.xxx.91, Connection landed on tunnel_group xxx.xxx.xxx.91
Jun 25 07:23:23 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, Generating keys for Initiator...
Jun 25 07:23:23 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, constructing ID payload
Jun 25 07:23:23 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, constructing hash payload
Jun 25 07:23:23 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, Computing hash for ISAKMP
Jun 25 07:23:23 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.91, Constructing IOS keep alive payload: proposal=32767/32767 sec.
Jun 25 07:23:23 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, constructing dpd vid payload
Jun 25 07:23:23 [IKEv1]: IP = xxx.xxx.xxx.91, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 92
Jun 25 07:23:23 [IKEv1]: IP = xxx.xxx.xxx.91, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 63
Jun 25 07:23:23 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, processing ID payload
Jun 25 07:23:23 [IKEv1 DECODE]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, ID_FQDN ID received, len 7
0000: 6361722D 706978 car-pix
Jun 25 07:23:23 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, processing hash payload
Jun 25 07:23:23 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, Computing hash for ISAKMP
Jun 25 07:23:23 [IKEv1]: IP = xxx.xxx.xxx.91, Connection landed on tunnel_group xxx.xxx.xxx.91
Jun 25 07:23:23 [IKEv1]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, Freeing previously allocated memory for authorization-dn-attribute
Jun 25 07:23:23 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, Oakley begin quick mode
Jun 25 07:23:23 [IKEv1 DECODE]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, IKE Initiator starting QM: msg id = e7661a58
Jun 25 07:23:23 [IKEv1]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, PHASE 1 COMPLETED
Jun 25 07:23:23 [IKEv1]: IP = xxx.xxx.xxx.91, Keep-alive type for this connection: DPD
Jun 25 07:23:23 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, Starting P1 rekey timer: 2280 seconds.
Jun 25 07:23:23 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, IKE got SPI from key engine: SPI = 0x7e3bceed
Jun 25 07:23:23 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, oakley constucting quick mode
Jun 25 07:23:23 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, constructing blank hash payload
Jun 25 07:23:23 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, constructing IPSec SA payload
Jun 25 07:23:23 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, constructing IPSec nonce payload
Jun 25 07:23:23 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, constructing proxy ID
Jun 25 07:23:23 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, Transmitting Proxy Id:
Local subnet: 172.16.0.0 mask 255.255.0.0 Protocol 0 Port 0
Remote subnet: 172.16.120.0 Mask 255.255.255.0 Protocol 0 Port 0
Jun 25 07:23:23 [IKEv1 DECODE]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, IKE Initiator sending Initial Contact
Jun 25 07:23:23 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, constructing qm hash payload
Jun 25 07:23:23 [IKEv1 DECODE]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, IKE Initiator sending 1st QM pkt: msg id = e7661a58
Jun 25 07:23:23 [IKEv1]: IP = xxx.xxx.xxx.91, IKE_DECODE SENDING Message (msgid=e7661a58) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 192
Jun 25 07:23:23 [IKEv1]: IP = xxx.xxx.xxx.91, IKE_DECODE RECEIVED Message (msgid=68e3d755) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 76
Jun 25 07:23:23 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, processing hash payload
Jun 25 07:23:23 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, processing notify payload
Jun 25 07:23:23 [IKEv1]: IP = xxx.xxx.xxx.91, IKE_DECODE RECEIVED Message (msgid=139770f9) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 124
Jun 25 07:23:23 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, processing hash payload
Jun 25 07:23:23 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, processing notify payload
Jun 25 07:23:23 [IKEv1]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, Received non-routine Notify message: No proposal chosen (14)
Jun 25 07:23:27 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jun 25 07:23:33 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jun 25 07:23:38 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jun 25 07:23:42 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, Sending keep-alive of type DPD R-U-THERE (seq number 0x6a1bc326)
Jun 25 07:23:42 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, constructing blank hash payload
Jun 25 07:23:42 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, constructing qm hash payload
Jun 25 07:23:42 [IKEv1]: IP = xxx.xxx.xxx.91, IKE_DECODE SENDING Message (msgid=687384fc) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80
Jun 25 07:23:42 [IKEv1]: IP = xxx.xxx.xxx.91, IKE_DECODE RECEIVED Message (msgid=8f2dcef5) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80
Jun 25 07:23:42 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, processing hash payload
Jun 25 07:23:42 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, processing notify payload
Jun 25 07:23:42 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0x6a1bc326)
Jun 25 07:23:52 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, Sending keep-alive of type DPD R-U-THERE (seq number 0x6a1bc327)
Jun 25 07:23:52 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, constructing blank hash payload
Jun 25 07:23:52 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, constructing qm hash payload
Jun 25 07:23:52 [IKEv1]: IP = xxx.xxx.xxx.91, IKE_DECODE SENDING Message (msgid=6a9f4252) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80
Jun 25 07:23:52 [IKEv1]: IP = xxx.xxx.xxx.91, IKE_DECODE RECEIVED Message (msgid=211ee8b0) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80
Jun 25 07:23:52 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, processing hash payload
Jun 25 07:23:52 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, processing notify payload
Jun 25 07:23:52 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0x6a1bc327)
Jun 25 07:23:55 [IKEv1]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, QM FSM error (P2 struct &0x1fa9b90, mess id 0xe7661a58)!
Jun 25 07:23:55 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, IKE QM Initiator FSM error history (struct &0x1fa9b90) <state>, <event>: QM_DONE, EV_ERROR-->QM_WAIT_MSG2, EV_TIMEOUT-->QM_WAIT_MSG2,
Jun 25 07:23:55 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, sending delete/delete with reason message
Jun 25 07:23:55 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, constructing blank hash payload
Jun 25 07:23:55 [IKEv1]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
Jun 25 07:23:55 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, IKE Deleting SA: Remote Proxy 172.16.120.0, Local Proxy 172.16.0.0
Jun 25 07:23:55 [IKEv1]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, Removing peer from correlator table failed, no match!
Jun 25 07:23:55 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, IKE SA MM:37d41ecc rcv'd Terminate: state MM_ACTIVE flags 0x0000c062, refcnt 1, tuncnt 0
Jun 25 07:23:55 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, IKE SA MM:37d41ecc terminating: flags 0x0100c022, refcnt 0, tuncnt 0
Jun 25 07:23:55 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, sending delete/delete with reason message
Jun 25 07:23:55 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, constructing blank hash payload
Jun 25 07:23:55 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, constructing IKE delete payload
Jun 25 07:23:55 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, constructing qm hash payload
Jun 25 07:23:55 [IKEv1]: IP = xxx.xxx.xxx.91, IKE_DECODE SENDING Message (msgid=40d09d59) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 76
Jun 25 07:23:55 [IKEv1 DEBUG]: Pitcher: received key delete msg, spi 0x7e3bceed
--------------------------
I'm no expert but didn't have any of these issues when I setup the PIX to PIX a few years back. Any help is appreciated.
Thanks,
- Brian
On the 5510 check your cryptomap.
access-list outside_1_cryptomap extended permit ip 172.16.0.0 255.255.0.0 172.16.120.0 255.255.255.0
It looks like you have the subnet wrong in the source. (/16 instead of /24).
access-list outside_1_cryptomap extended permit ip 172.16.0.0 255.255.0.0 172.16.120.0 255.255.255.0
It looks like you have the subnet wrong in the source. (/16 instead of /24).
ASKER
On the 5510 side (main office) we actually have several subnets in the 172.16.x.x range to include 172.16.100.0, 172.16.110.0, 172.16.150.0, and 172.16.200.0
The crypto acl on the existing PIX506 that works just fine, looks like this:
--------------------------
access-list crypto1 permit ip 172.16.0.0 255.255.0.0 172.16.120.0 255.255.255.0
access-list crypto1 permit ip 206.94.93.64 255.255.255.192 172.16.120.0 255.255.255.0
access-list crypto1 permit ip 170.102.0.0 255.255.0.0 172.16.120.0 255.255.255.0
--------------------------
The crypto acl on the existing PIX506 that works just fine, looks like this:
--------------------------
access-list crypto1 permit ip 172.16.0.0 255.255.0.0 172.16.120.0 255.255.255.0
access-list crypto1 permit ip 206.94.93.64 255.255.255.192 172.16.120.0 255.255.255.0
access-list crypto1 permit ip 170.102.0.0 255.255.0.0 172.16.120.0 255.255.255.0
--------------------------
You're making it through Phase 1 but not Phase 2.
The crypto access-lists between the two devices must match exactly except one is inverse of the other.
Try making the first crypto access list a mirror of the second crypto access list except invert the netblocks.
The crypto access-lists between the two devices must match exactly except one is inverse of the other.
Try making the first crypto access list a mirror of the second crypto access list except invert the netblocks.
ASKER
I changed the crypto acl on the 5510 to match the acl on the 501 end so it now looks like this:
access-list outside_1_cryptomap extended permit ip 172.16.100.0 255.255.255.0 172.16.120.0 255.255.255.0
Still no joy. The latest debug is below from trying to ping a device on 172.16.120.0 from a device on 172.16.100.0
--------------------------
dsm-asa9# debug crypto isakmp 200
dsm-asa9# Jun 25 10:42:36 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jun 25 10:42:36 [IKEv1]: IP = xxx.xxx.xxx.91, IKE Initiator: New Phase 1, Intf inside, IKE Peer xxx.xxx.xxx.91 local Proxy Address
172.16.100.0, remote Proxy Address 172.16.120.0, Crypto map (outside_map)
Jun 25 10:42:36 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.91, constructing ISAKMP SA payload
Jun 25 10:42:36 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.91, constructing Fragmentation VID + extended capabilities payload
Jun 25 10:42:36 [IKEv1]: IP = xxx.xxx.xxx.91, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0)
total length : 108
Jun 25 10:42:41 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jun 25 10:42:41 [IKEv1]: IP = xxx.xxx.xxx.91, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Jun 25 10:42:44 [IKEv1]: IP = xxx.xxx.xxx.91, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE
(0) total length : 108
Jun 25 10:42:46 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jun 25 10:42:46 [IKEv1]: IP = xxx.xxx.xxx.91, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Jun 25 10:42:52 [IKEv1]: IP = xxx.xxx.xxx.91, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE
(0) total length : 108
Jun 25 10:42:52 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jun 25 10:42:52 [IKEv1]: IP = xxx.xxx.xxx.91, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Jun 25 10:43:00 [IKEv1]: IP = xxx.xxx.xxx.91, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE
(0) total length : 108
Jun 25 10:43:08 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.91, IKE MM Initiator FSM error history (struct &0x3d4b760) <state>, <event>: MM_DONE,
EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2,
EV_START_TMR-->MM_SND_MSG1
Jun 25 10:43:08 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.91, IKE SA MM:6cd69a3a terminating: flags 0x01000022, refcnt 0, tuncnt 0
Jun 25 10:43:08 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.91, sending delete/delete with reason message
Jun 25 10:43:08 [IKEv1]: IP = xxx.xxx.xxx.91, Removing peer from peer table failed, no match!
Jun 25 10:43:08 [IKEv1]: IP = xxx.xxx.xxx.91, Error: Unable to remove PeerTblEntry
Jun 25 10:43:42 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jun 25 10:43:42 [IKEv1]: IP = xxx.xxx.xxx.91, IKE Initiator: New Phase 1, Intf inside, IKE Peer xxx.xxx.xxx.91 local Proxy Address
172.16.100.0, remote Proxy Address 172.16.120.0, Crypto map (outside_map)
Jun 25 10:43:42 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.91, constructing ISAKMP SA payload
Jun 25 10:43:42 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.91, constructing Fragmentation VID + extended capabilities payload
Jun 25 10:43:42 [IKEv1]: IP = xxx.xxx.xxx.91, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0)
total length : 108
Jun 25 10:43:45 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jun 25 10:43:45 [IKEv1]: IP = xxx.xxx.xxx.91, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Jun 25 10:43:48 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jun 25 10:43:48 [IKEv1]: IP = xxx.xxx.xxx.91, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Jun 25 10:43:50 [IKEv1]: IP = xxx.xxx.xxx.91, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE
(0) total length : 108
Jun 25 10:43:51 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jun 25 10:43:51 [IKEv1]: IP = xxx.xxx.xxx.91, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Jun 25 10:43:54 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jun 25 10:43:54 [IKEv1]: IP = xxx.xxx.xxx.91, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Jun 25 10:43:57 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jun 25 10:43:57 [IKEv1]: IP = xxx.xxx.xxx.91, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Jun 25 10:43:58 [IKEv1]: IP = xxx.xxx.xxx.91, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE
(0) total length : 108
Jun 25 10:44:00 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jun 25 10:44:00 [IKEv1]: IP = xxx.xxx.xxx.91, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Jun 25 10:44:03 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jun 25 10:44:03 [IKEv1]: IP = xxx.xxx.xxx.91, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Jun 25 10:44:06 [IKEv1]: IP = xxx.xxx.xxx.91, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE
(0) total length : 108
Jun 25 10:44:09 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jun 25 10:44:09 [IKEv1]: IP = xxx.xxx.xxx.91, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Jun 25 10:44:14 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.91, IKE MM Initiator FSM error history (struct &0x3d4b760) <state>, <event>: MM_DONE,
EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2,
EV_START_TMR-->MM_SND_MSG1
Jun 25 10:44:14 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.91, IKE SA MM:17833e5e terminating: flags 0x01000022, refcnt 0, tuncnt 0
Jun 25 10:44:14 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.91, sending delete/delete with reason message
Jun 25 10:44:14 [IKEv1]: IP = xxx.xxx.xxx.91, Removing peer from peer table failed, no match!
Jun 25 10:44:14 [IKEv1]: IP = xxx.xxx.xxx.91, Error: Unable to remove PeerTblEntry
Jun 25 10:44:15 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jun 25 10:44:15 [IKEv1]: IP = xxx.xxx.xxx.91, IKE Initiator: New Phase 1, Intf inside, IKE Peer xxx.xxx.xxx.91 local Proxy Address
172.16.100.0, remote Proxy Address 172.16.120.0, Crypto map (outside_map)
Jun 25 10:44:15 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.91, constructing ISAKMP SA payload
Jun 25 10:44:15 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.91, constructing Fragmentation VID + extended capabilities payload
Jun 25 10:44:15 [IKEv1]: IP = xxx.xxx.xxx.91, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0)
total length : 108
Jun 25 10:44:21 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jun 25 10:44:21 [IKEv1]: IP = xxx.xxx.xxx.91, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Jun 25 10:44:23 [IKEv1]: IP = xxx.xxx.xxx.91, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE
(0) total length : 108
Jun 25 10:44:27 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jun 25 10:44:27 [IKEv1]: IP = xxx.xxx.xxx.91, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Jun 25 10:44:31 [IKEv1]: IP = xxx.xxx.xxx.91, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE
(0) total length : 108
-------------------------
access-list outside_1_cryptomap extended permit ip 172.16.100.0 255.255.255.0 172.16.120.0 255.255.255.0
Still no joy. The latest debug is below from trying to ping a device on 172.16.120.0 from a device on 172.16.100.0
--------------------------
dsm-asa9# debug crypto isakmp 200
dsm-asa9# Jun 25 10:42:36 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jun 25 10:42:36 [IKEv1]: IP = xxx.xxx.xxx.91, IKE Initiator: New Phase 1, Intf inside, IKE Peer xxx.xxx.xxx.91 local Proxy Address
172.16.100.0, remote Proxy Address 172.16.120.0, Crypto map (outside_map)
Jun 25 10:42:36 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.91, constructing ISAKMP SA payload
Jun 25 10:42:36 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.91, constructing Fragmentation VID + extended capabilities payload
Jun 25 10:42:36 [IKEv1]: IP = xxx.xxx.xxx.91, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0)
total length : 108
Jun 25 10:42:41 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jun 25 10:42:41 [IKEv1]: IP = xxx.xxx.xxx.91, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Jun 25 10:42:44 [IKEv1]: IP = xxx.xxx.xxx.91, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE
(0) total length : 108
Jun 25 10:42:46 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jun 25 10:42:46 [IKEv1]: IP = xxx.xxx.xxx.91, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Jun 25 10:42:52 [IKEv1]: IP = xxx.xxx.xxx.91, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE
(0) total length : 108
Jun 25 10:42:52 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jun 25 10:42:52 [IKEv1]: IP = xxx.xxx.xxx.91, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Jun 25 10:43:00 [IKEv1]: IP = xxx.xxx.xxx.91, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE
(0) total length : 108
Jun 25 10:43:08 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.91, IKE MM Initiator FSM error history (struct &0x3d4b760) <state>, <event>: MM_DONE,
EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2,
EV_START_TMR-->MM_SND_MSG1
Jun 25 10:43:08 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.91, IKE SA MM:6cd69a3a terminating: flags 0x01000022, refcnt 0, tuncnt 0
Jun 25 10:43:08 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.91, sending delete/delete with reason message
Jun 25 10:43:08 [IKEv1]: IP = xxx.xxx.xxx.91, Removing peer from peer table failed, no match!
Jun 25 10:43:08 [IKEv1]: IP = xxx.xxx.xxx.91, Error: Unable to remove PeerTblEntry
Jun 25 10:43:42 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jun 25 10:43:42 [IKEv1]: IP = xxx.xxx.xxx.91, IKE Initiator: New Phase 1, Intf inside, IKE Peer xxx.xxx.xxx.91 local Proxy Address
172.16.100.0, remote Proxy Address 172.16.120.0, Crypto map (outside_map)
Jun 25 10:43:42 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.91, constructing ISAKMP SA payload
Jun 25 10:43:42 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.91, constructing Fragmentation VID + extended capabilities payload
Jun 25 10:43:42 [IKEv1]: IP = xxx.xxx.xxx.91, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0)
total length : 108
Jun 25 10:43:45 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jun 25 10:43:45 [IKEv1]: IP = xxx.xxx.xxx.91, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Jun 25 10:43:48 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jun 25 10:43:48 [IKEv1]: IP = xxx.xxx.xxx.91, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Jun 25 10:43:50 [IKEv1]: IP = xxx.xxx.xxx.91, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE
(0) total length : 108
Jun 25 10:43:51 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jun 25 10:43:51 [IKEv1]: IP = xxx.xxx.xxx.91, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Jun 25 10:43:54 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jun 25 10:43:54 [IKEv1]: IP = xxx.xxx.xxx.91, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Jun 25 10:43:57 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jun 25 10:43:57 [IKEv1]: IP = xxx.xxx.xxx.91, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Jun 25 10:43:58 [IKEv1]: IP = xxx.xxx.xxx.91, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE
(0) total length : 108
Jun 25 10:44:00 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jun 25 10:44:00 [IKEv1]: IP = xxx.xxx.xxx.91, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Jun 25 10:44:03 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jun 25 10:44:03 [IKEv1]: IP = xxx.xxx.xxx.91, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Jun 25 10:44:06 [IKEv1]: IP = xxx.xxx.xxx.91, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE
(0) total length : 108
Jun 25 10:44:09 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jun 25 10:44:09 [IKEv1]: IP = xxx.xxx.xxx.91, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Jun 25 10:44:14 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.91, IKE MM Initiator FSM error history (struct &0x3d4b760) <state>, <event>: MM_DONE,
EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2,
EV_START_TMR-->MM_SND_MSG1
Jun 25 10:44:14 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.91, IKE SA MM:17833e5e terminating: flags 0x01000022, refcnt 0, tuncnt 0
Jun 25 10:44:14 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.91, sending delete/delete with reason message
Jun 25 10:44:14 [IKEv1]: IP = xxx.xxx.xxx.91, Removing peer from peer table failed, no match!
Jun 25 10:44:14 [IKEv1]: IP = xxx.xxx.xxx.91, Error: Unable to remove PeerTblEntry
Jun 25 10:44:15 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jun 25 10:44:15 [IKEv1]: IP = xxx.xxx.xxx.91, IKE Initiator: New Phase 1, Intf inside, IKE Peer xxx.xxx.xxx.91 local Proxy Address
172.16.100.0, remote Proxy Address 172.16.120.0, Crypto map (outside_map)
Jun 25 10:44:15 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.91, constructing ISAKMP SA payload
Jun 25 10:44:15 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.91, constructing Fragmentation VID + extended capabilities payload
Jun 25 10:44:15 [IKEv1]: IP = xxx.xxx.xxx.91, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0)
total length : 108
Jun 25 10:44:21 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jun 25 10:44:21 [IKEv1]: IP = xxx.xxx.xxx.91, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Jun 25 10:44:23 [IKEv1]: IP = xxx.xxx.xxx.91, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE
(0) total length : 108
Jun 25 10:44:27 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jun 25 10:44:27 [IKEv1]: IP = xxx.xxx.xxx.91, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Jun 25 10:44:31 [IKEv1]: IP = xxx.xxx.xxx.91, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE
(0) total length : 108
-------------------------
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Jesper,
Thank you so much for your help. I had initially wanted to get my core data network going through the tunnel and then add the other necessary networks later. The PIX seems more forgiving than the ASA in that regard. I have now matched all the lines in the access list on both sides and it's up and going. My next step is to add an additional site-to-site to a new remote location we are bringing up in the near future. I've never had multiple site-to-sites but hopefully it will be smoother sailing now.
Thanks
Thank you so much for your help. I had initially wanted to get my core data network going through the tunnel and then add the other necessary networks later. The PIX seems more forgiving than the ASA in that regard. I have now matched all the lines in the access list on both sides and it's up and going. My next step is to add an additional site-to-site to a new remote location we are bringing up in the near future. I've never had multiple site-to-sites but hopefully it will be smoother sailing now.
Thanks
-> access-list outside_1_cryptomap extended permit ip 172.16.0.0 255.255.0.0 172.16.120.0 255.255.255.0