Solved

ASA5510 Site-to-site VPN

Posted on 2008-06-25
7
1,216 Views
Last Modified: 2012-08-14
I am in the process of migrating my site-to-site VPN traffic from a PIX506e to an ASA5510 at our main office.  The current site-to-site is between the PIX506e at the main site and a PIX501 at the remote site and it works like a charm.  When I attempt to move the site-to-site to the ASA5510 the tunnel does not establish.

I used ASDM to configure the ASA5510 and this is the config running on it:
------------------------------
ASA Version 7.2(3)
!
hostname dsm-asa9
domain-name domain.com
enable password Hd9lqPrsUVLyGqGl encrypted
names
!
interface Ethernet0/0
 description Outside facing internet
 nameif outside
 security-level 0
 ip address xxx.xxx.xxx.233 255.255.255.240
!
interface Ethernet0/1
 description Inside facing LAN
 nameif inside
 security-level 100
 ip address 172.16.100.9 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd Iaj4vgQsIpB649yp encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name domain.com
access-list outside_1_cryptomap extended permit ip 172.16.0.0 255.255.0.0 172.16.120.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.255.0.0 172.16.120.0 255.255.255.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list inside_nat0_outbound
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.238 1
route inside 170.102.0.0 255.255.0.0 172.16.100.1 1
route inside xxx.xxx.xxx.64 255.255.255.192 172.16.100.50 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 172.16.100.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer xxx.xxx.xxx.91
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 2400
telnet 172.16.100.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
tunnel-group xxx.xxx.xxx.91 type ipsec-l2l
tunnel-group xxx.xxx.xxx.91 ipsec-attributes
 pre-shared-key *
prompt hostname context
Cryptochecksum:c39b1734d7fe633e6abd4f8b9d6d75a5
: end
------------------------------

Here's the config for the remote end PIX501:
------------------------------
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password Hd9lqPrsUVLyGqGl encrypted
passwd Iaj4vgQsIpB649yp encrypted
hostname car-pix
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list crypto2 permit ip 172.16.120.0 255.255.255.0 172.16.100.0 255.255.255.0
access-list crypto2 permit ip 172.16.120.0 255.255.255.0 206.94.93.64 255.255.255.192
access-list crypto2 permit ip 172.16.120.0 255.255.255.0 170.102.0.0 255.255.0.0
pager lines 24
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside xxx.xxx.xxx.91 255.255.255.248
ip address inside 172.16.120.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list crypto2
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.91 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 172.16.120.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto map pix2map 10 ipsec-isakmp
crypto map pix2map 10 match address crypto2
crypto map pix2map 10 set peer xxx.xxx.xxx.233
crypto map pix2map 10 set transform-set myset
crypto map pix2map interface outside
isakmp enable outside
isakmp key ******** address xxx.xxx.xxx.233 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 2400
telnet 172.16.120.0 255.255.255.0 inside
telnet 172.16.100.0 255.255.255.0 inside
telnet 172.16.110.0 255.255.255.0 inside
telnet timeout 15
ssh timeout 5
management-access inside
console timeout 0
dhcpd address 172.16.120.100-172.16.120.131 inside
dhcpd dns 172.16.100.12
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 80
Cryptochecksum:26f65baa4dd7cb9171a668e0289c2ccb
: end
------------------------------

Here is the isakmp debug I receive on the ASA5510:
------------------------------
Jun 25 07:23:22 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jun 25 07:23:22 [IKEv1]: IP = xxx.xxx.xxx.91, IKE Initiator: New Phase 1, Intf inside, IKE Peer xxx.xxx.xxx.91  local Proxy Address 172.16.0.0, remote Proxy Address 172.16.120.0,  Crypto map (outside_map)
Jun 25 07:23:22 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.91, constructing ISAKMP SA payload
Jun 25 07:23:22 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.91, constructing Fragmentation VID + extended capabilities payload
Jun 25 07:23:22 [IKEv1]: IP = xxx.xxx.xxx.91, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
Jun 25 07:23:23 [IKEv1]: IP = xxx.xxx.xxx.91, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + NONE (0) total length : 80
Jun 25 07:23:23 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.91, processing SA payload
Jun 25 07:23:23 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.91, Oakley proposal is acceptable
Jun 25 07:23:23 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.91, constructing ke payload
Jun 25 07:23:23 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.91, constructing nonce payload
Jun 25 07:23:23 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.91, constructing Cisco Unity VID payload
Jun 25 07:23:23 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.91, constructing xauth V6 VID payload
Jun 25 07:23:23 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.91, Send IOS VID
Jun 25 07:23:23 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.91, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Jun 25 07:23:23 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.91, constructing VID payload
Jun 25 07:23:23 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.91, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Jun 25 07:23:23 [IKEv1]: IP = xxx.xxx.xxx.91, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256
Jun 25 07:23:23 [IKEv1]: IP = xxx.xxx.xxx.91, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256
Jun 25 07:23:23 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.91, processing ke payload
Jun 25 07:23:23 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.91, processing ISA_KE payload
Jun 25 07:23:23 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.91, processing nonce payload
Jun 25 07:23:23 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.91, processing VID payload
Jun 25 07:23:23 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.91, Received xauth V6 VID
Jun 25 07:23:23 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.91, processing VID payload
Jun 25 07:23:23 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.91, Received DPD VID
Jun 25 07:23:23 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.91, processing VID payload
Jun 25 07:23:23 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.91, Received Cisco Unity client VID
Jun 25 07:23:23 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.91, processing VID payload
Jun 25 07:23:23 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.91, Processing IOS/PIX Vendor ID payload (version: 1.0.0, capabilities: 00000025)
Jun 25 07:23:23 [IKEv1]: IP = xxx.xxx.xxx.91, Connection landed on tunnel_group xxx.xxx.xxx.91
Jun 25 07:23:23 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, Generating keys for Initiator...
Jun 25 07:23:23 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, constructing ID payload
Jun 25 07:23:23 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, constructing hash payload
Jun 25 07:23:23 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, Computing hash for ISAKMP
Jun 25 07:23:23 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.91, Constructing IOS keep alive payload: proposal=32767/32767 sec.
Jun 25 07:23:23 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, constructing dpd vid payload
Jun 25 07:23:23 [IKEv1]: IP = xxx.xxx.xxx.91, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 92
Jun 25 07:23:23 [IKEv1]: IP = xxx.xxx.xxx.91, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 63
Jun 25 07:23:23 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, processing ID payload
Jun 25 07:23:23 [IKEv1 DECODE]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, ID_FQDN ID received, len 7
0000: 6361722D 706978                         car-pix


Jun 25 07:23:23 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, processing hash payload
Jun 25 07:23:23 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, Computing hash for ISAKMP
Jun 25 07:23:23 [IKEv1]: IP = xxx.xxx.xxx.91, Connection landed on tunnel_group xxx.xxx.xxx.91
Jun 25 07:23:23 [IKEv1]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, Freeing previously allocated memory for authorization-dn-attributes
Jun 25 07:23:23 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, Oakley begin quick mode
Jun 25 07:23:23 [IKEv1 DECODE]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, IKE Initiator starting QM: msg id = e7661a58
Jun 25 07:23:23 [IKEv1]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, PHASE 1 COMPLETED
Jun 25 07:23:23 [IKEv1]: IP = xxx.xxx.xxx.91, Keep-alive type for this connection: DPD
Jun 25 07:23:23 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, Starting P1 rekey timer: 2280 seconds.
Jun 25 07:23:23 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, IKE got SPI from key engine: SPI = 0x7e3bceed
Jun 25 07:23:23 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, oakley constucting quick mode
Jun 25 07:23:23 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, constructing blank hash payload
Jun 25 07:23:23 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, constructing IPSec SA payload
Jun 25 07:23:23 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, constructing IPSec nonce payload
Jun 25 07:23:23 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, constructing proxy ID
Jun 25 07:23:23 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, Transmitting Proxy Id:
  Local subnet:  172.16.0.0  mask 255.255.0.0 Protocol 0  Port 0
  Remote subnet: 172.16.120.0  Mask 255.255.255.0 Protocol 0  Port 0
Jun 25 07:23:23 [IKEv1 DECODE]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, IKE Initiator sending Initial Contact
Jun 25 07:23:23 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, constructing qm hash payload
Jun 25 07:23:23 [IKEv1 DECODE]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, IKE Initiator sending 1st QM pkt: msg id = e7661a58
Jun 25 07:23:23 [IKEv1]: IP = xxx.xxx.xxx.91, IKE_DECODE SENDING Message (msgid=e7661a58) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 192
Jun 25 07:23:23 [IKEv1]: IP = xxx.xxx.xxx.91, IKE_DECODE RECEIVED Message (msgid=68e3d755) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 76
Jun 25 07:23:23 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, processing hash payload
Jun 25 07:23:23 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, processing notify payload
Jun 25 07:23:23 [IKEv1]: IP = xxx.xxx.xxx.91, IKE_DECODE RECEIVED Message (msgid=139770f9) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 124
Jun 25 07:23:23 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, processing hash payload
Jun 25 07:23:23 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, processing notify payload
Jun 25 07:23:23 [IKEv1]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, Received non-routine Notify message: No proposal chosen (14)
Jun 25 07:23:27 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jun 25 07:23:33 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jun 25 07:23:38 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jun 25 07:23:42 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, Sending keep-alive of type DPD R-U-THERE (seq number 0x6a1bc326)
Jun 25 07:23:42 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, constructing blank hash payload
Jun 25 07:23:42 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, constructing qm hash payload
Jun 25 07:23:42 [IKEv1]: IP = xxx.xxx.xxx.91, IKE_DECODE SENDING Message (msgid=687384fc) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80
Jun 25 07:23:42 [IKEv1]: IP = xxx.xxx.xxx.91, IKE_DECODE RECEIVED Message (msgid=8f2dcef5) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80
Jun 25 07:23:42 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, processing hash payload
Jun 25 07:23:42 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, processing notify payload
Jun 25 07:23:42 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0x6a1bc326)
Jun 25 07:23:52 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, Sending keep-alive of type DPD R-U-THERE (seq number 0x6a1bc327)
Jun 25 07:23:52 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, constructing blank hash payload
Jun 25 07:23:52 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, constructing qm hash payload
Jun 25 07:23:52 [IKEv1]: IP = xxx.xxx.xxx.91, IKE_DECODE SENDING Message (msgid=6a9f4252) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80
Jun 25 07:23:52 [IKEv1]: IP = xxx.xxx.xxx.91, IKE_DECODE RECEIVED Message (msgid=211ee8b0) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80
Jun 25 07:23:52 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, processing hash payload
Jun 25 07:23:52 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, processing notify payload
Jun 25 07:23:52 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0x6a1bc327)
Jun 25 07:23:55 [IKEv1]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, QM FSM error (P2 struct &0x1fa9b90, mess id 0xe7661a58)!
Jun 25 07:23:55 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, IKE QM Initiator FSM error history (struct &0x1fa9b90)  <state>, <event>:  QM_DONE, EV_ERROR-->QM_WAIT_MSG2, EV_TIMEOUT-->QM_WAIT_MSG2, NullEvent-->QM_SND_MSG1, EV_SND_MSG-->QM_SND_MSG1, EV_START_TMR-->QM_SND_MSG1, EV_RESEND_MSG-->QM_WAIT_MSG2, EV_TIMEOUT-->QM_WAIT_MSG2, NullEvent
Jun 25 07:23:55 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, sending delete/delete with reason message
Jun 25 07:23:55 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, constructing blank hash payload
Jun 25 07:23:55 [IKEv1]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
Jun 25 07:23:55 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, IKE Deleting SA: Remote Proxy 172.16.120.0, Local Proxy 172.16.0.0
Jun 25 07:23:55 [IKEv1]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, Removing peer from correlator table failed, no match!
Jun 25 07:23:55 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, IKE SA MM:37d41ecc rcv'd Terminate: state MM_ACTIVE  flags 0x0000c062, refcnt 1, tuncnt 0
Jun 25 07:23:55 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, IKE SA MM:37d41ecc terminating:  flags 0x0100c022, refcnt 0, tuncnt 0
Jun 25 07:23:55 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, sending delete/delete with reason message
Jun 25 07:23:55 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, constructing blank hash payload
Jun 25 07:23:55 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, constructing IKE delete payload
Jun 25 07:23:55 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, constructing qm hash payload
Jun 25 07:23:55 [IKEv1]: IP = xxx.xxx.xxx.91, IKE_DECODE SENDING Message (msgid=40d09d59) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 76
Jun 25 07:23:55 [IKEv1 DEBUG]: Pitcher: received key delete msg, spi 0x7e3bceed
------------------------------

I'm no expert but didn't have any of these issues when I set up the PIX to PIX a few years back.  Any help is appreciated.

Thanks,
- Brian
0
Question by:b_stockton
7 Comments
 
LVL 28

Expert Comment

by:Jan Springer
ID: 21867573
Are  you really using 172.16.120.0/24 at both ends?

-> access-list outside_1_cryptomap extended permit ip 172.16.0.0 255.255.0.0 172.16.120.0 255.255.255.0
0
 
LVL 7

Expert Comment

by:mabutterfield
ID: 21867608
On the 5510 check your cryptomap.


access-list outside_1_cryptomap extended permit ip 172.16.0.0 255.255.0.0 172.16.120.0 255.255.255.0


It looks like you have the subnet wrong in the source. (/16 instead of /24).

0
 

Author Comment

by:b_stockton
ID: 21868268
On the 5510 side (main office) we actually have several subnets in the 172.16.x.x range to include 172.16.100.0, 172.16.110.0, 172.16.150.0, and 172.16.200.0

The crypto acl on the existing PIX506 that works just fine, looks like this:
------------------------------
access-list crypto1 permit ip 172.16.0.0 255.255.0.0 172.16.120.0 255.255.255.0
access-list crypto1 permit ip 206.94.93.64 255.255.255.192 172.16.120.0 255.255.255.0
access-list crypto1 permit ip 170.102.0.0 255.255.0.0 172.16.120.0 255.255.255.0
------------------------------

0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 21868388
You're making it through Phase 1 but not Phase 2.  

The crypto access-lists between the two devices must match exactly, except that one is the inverse of the other.

Try making the first crypto access list a mirror of the second crypto access list except invert the netblocks.
0
 

Author Comment

by:b_stockton
ID: 21868899
I changed the crypto acl on the 5510 to match the acl on the 501 end so it now looks like this:

access-list outside_1_cryptomap extended permit ip 172.16.100.0 255.255.255.0 172.16.120.0 255.255.255.0

Still no joy.  The latest debug is below from trying to ping a device on 172.16.120.0 from a device on 172.16.100.0
-------------------------------------
dsm-asa9# debug crypto isakmp 200
dsm-asa9# Jun 25 10:42:36 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jun 25 10:42:36 [IKEv1]: IP = xxx.xxx.xxx.91, IKE Initiator: New Phase 1, Intf inside, IKE Peer xxx.xxx.xxx.91  local Proxy Address 172.16.100.0, remote Proxy Address 172.16.120.0,  Crypto map (outside_map)
Jun 25 10:42:36 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.91, constructing ISAKMP SA payload
Jun 25 10:42:36 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.91, constructing Fragmentation VID + extended capabilities payload
Jun 25 10:42:36 [IKEv1]: IP = xxx.xxx.xxx.91, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
Jun 25 10:42:41 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jun 25 10:42:41 [IKEv1]: IP = xxx.xxx.xxx.91, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Jun 25 10:42:44 [IKEv1]: IP = xxx.xxx.xxx.91, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
Jun 25 10:42:46 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jun 25 10:42:46 [IKEv1]: IP = xxx.xxx.xxx.91, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Jun 25 10:42:52 [IKEv1]: IP = xxx.xxx.xxx.91, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
Jun 25 10:42:52 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jun 25 10:42:52 [IKEv1]: IP = xxx.xxx.xxx.91, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Jun 25 10:43:00 [IKEv1]: IP = xxx.xxx.xxx.91, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
Jun 25 10:43:08 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.91, IKE MM Initiator FSM error history (struct &0x3d4b760)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
Jun 25 10:43:08 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.91, IKE SA MM:6cd69a3a terminating:  flags 0x01000022, refcnt 0, tuncnt 0
Jun 25 10:43:08 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.91, sending delete/delete with reason message
Jun 25 10:43:08 [IKEv1]: IP = xxx.xxx.xxx.91, Removing peer from peer table failed, no match!
Jun 25 10:43:08 [IKEv1]: IP = xxx.xxx.xxx.91, Error: Unable to remove PeerTblEntry
Jun 25 10:43:42 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jun 25 10:43:42 [IKEv1]: IP = xxx.xxx.xxx.91, IKE Initiator: New Phase 1, Intf inside, IKE Peer xxx.xxx.xxx.91  local Proxy Address 172.16.100.0, remote Proxy Address 172.16.120.0,  Crypto map (outside_map)
Jun 25 10:43:42 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.91, constructing ISAKMP SA payload
Jun 25 10:43:42 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.91, constructing Fragmentation VID + extended capabilities payload
Jun 25 10:43:42 [IKEv1]: IP = xxx.xxx.xxx.91, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
Jun 25 10:43:45 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jun 25 10:43:45 [IKEv1]: IP = xxx.xxx.xxx.91, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Jun 25 10:43:48 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jun 25 10:43:48 [IKEv1]: IP = xxx.xxx.xxx.91, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Jun 25 10:43:50 [IKEv1]: IP = xxx.xxx.xxx.91, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
Jun 25 10:43:51 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jun 25 10:43:51 [IKEv1]: IP = xxx.xxx.xxx.91, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Jun 25 10:43:54 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jun 25 10:43:54 [IKEv1]: IP = xxx.xxx.xxx.91, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Jun 25 10:43:57 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jun 25 10:43:57 [IKEv1]: IP = xxx.xxx.xxx.91, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Jun 25 10:43:58 [IKEv1]: IP = xxx.xxx.xxx.91, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
Jun 25 10:44:00 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jun 25 10:44:00 [IKEv1]: IP = xxx.xxx.xxx.91, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Jun 25 10:44:03 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jun 25 10:44:03 [IKEv1]: IP = xxx.xxx.xxx.91, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Jun 25 10:44:06 [IKEv1]: IP = xxx.xxx.xxx.91, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
Jun 25 10:44:09 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jun 25 10:44:09 [IKEv1]: IP = xxx.xxx.xxx.91, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Jun 25 10:44:14 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.91, IKE MM Initiator FSM error history (struct &0x3d4b760)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
Jun 25 10:44:14 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.91, IKE SA MM:17833e5e terminating:  flags 0x01000022, refcnt 0, tuncnt 0
Jun 25 10:44:14 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.91, sending delete/delete with reason message
Jun 25 10:44:14 [IKEv1]: IP = xxx.xxx.xxx.91, Removing peer from peer table failed, no match!
Jun 25 10:44:14 [IKEv1]: IP = xxx.xxx.xxx.91, Error: Unable to remove PeerTblEntry
Jun 25 10:44:15 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jun 25 10:44:15 [IKEv1]: IP = xxx.xxx.xxx.91, IKE Initiator: New Phase 1, Intf inside, IKE Peer xxx.xxx.xxx.91  local Proxy Address 172.16.100.0, remote Proxy Address 172.16.120.0,  Crypto map (outside_map)
Jun 25 10:44:15 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.91, constructing ISAKMP SA payload
Jun 25 10:44:15 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.91, constructing Fragmentation VID + extended capabilities payload
Jun 25 10:44:15 [IKEv1]: IP = xxx.xxx.xxx.91, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
Jun 25 10:44:21 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jun 25 10:44:21 [IKEv1]: IP = xxx.xxx.xxx.91, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Jun 25 10:44:23 [IKEv1]: IP = xxx.xxx.xxx.91, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
Jun 25 10:44:27 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jun 25 10:44:27 [IKEv1]: IP = xxx.xxx.xxx.91, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Jun 25 10:44:31 [IKEv1]: IP = xxx.xxx.xxx.91, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
-------------------------
0
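A small triage helper for the two `debug crypto isakmp` captures in this thread, added here as an example (it is not from the original post or from any Cisco tool). It classifies a capture into the phase that failed and pulls out the proxy IDs the ASA offered, which is what the replies above are reading off by eye. The sample lines are constructed from the captures above, with the peer address kept as xxx.xxx.xxx.91.

```python
"""Triage an ASA `debug crypto isakmp` capture into the failing IKEv1 phase.

Added example for this thread, not part of the original post or of any
Cisco tool. Rules are the ones the replies apply by hand:
  - "PHASE 1 COMPLETED" then "No proposal chosen" => Phase 2 rejected by the
    peer (proxy IDs / crypto ACL or transform set not mirrored).
  - MM1 resent, MM_WAIT_MSG2 timeouts, no Phase 1 => peer never answered.
"""
import re

PROXY_RE = re.compile(r"(Local|Remote) subnet:\s+(\S+)\s+[Mm]ask\s+(\S+)")

# Constructed from the first capture: Phase 1 completes, Phase 2 is refused.
SAMPLE_NO_PROPOSAL = """\
Jun 25 07:23:23 [IKEv1]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, PHASE 1 COMPLETED
Jun 25 07:23:23 [IKEv1 DEBUG]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, Transmitting Proxy Id:
  Local subnet:  172.16.0.0  mask 255.255.0.0 Protocol 0  Port 0
  Remote subnet: 172.16.120.0  Mask 255.255.255.0 Protocol 0  Port 0
Jun 25 07:23:23 [IKEv1]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, Received non-routine Notify message: No proposal chosen (14)
Jun 25 07:23:55 [IKEv1]: Group = xxx.xxx.xxx.91, IP = xxx.xxx.xxx.91, QM FSM error (P2 struct &0x1fa9b90, mess id 0xe7661a58)!
"""

# Constructed from the second capture: MM1 is resent and nothing comes back.
SAMPLE_NO_RESPONSE = """\
Jun 25 10:42:36 [IKEv1]: IP = xxx.xxx.xxx.91, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
Jun 25 10:42:44 [IKEv1]: IP = xxx.xxx.xxx.91, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
Jun 25 10:43:08 [IKEv1 DEBUG]: IP = xxx.xxx.xxx.91, IKE MM Initiator FSM error history (struct &0x3d4b760)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent
"""


def triage(debug_text):
    """Return a dict describing how far the IKEv1 exchange got and why it stopped."""
    result = {
        "phase1": "not completed",
        "phase2": "not attempted",
        "local_proxy": None,
        "remote_proxy": None,
        "likely_cause": None,
    }
    # Proxy IDs are printed on their own indented lines after "Transmitting Proxy Id:".
    for line in debug_text.splitlines():
        m = PROXY_RE.search(line)
        if m:
            key = "local_proxy" if m.group(1) == "Local" else "remote_proxy"
            result[key] = f"{m.group(2)}/{m.group(3)}"

    if "PHASE 1 COMPLETED" in debug_text:
        result["phase1"] = "completed"
        if "No proposal chosen" in debug_text:
            result["phase2"] = "rejected by peer"
            result["likely_cause"] = (
                "peer rejected the Phase 2 proposal: the crypto ACL (proxy IDs) "
                "or the transform set does not mirror the peer's"
            )
        elif "QM FSM error" in debug_text:
            result["phase2"] = "timed out"
            result["likely_cause"] = "no usable Phase 2 reply; compare crypto ACLs and transform sets"
        elif "PHASE 2 COMPLETED" in debug_text:
            result["phase2"] = "completed"
        else:
            result["phase2"] = "in progress"
    elif "MM_WAIT_MSG2" in debug_text or "RESENDING Message (msgid=0)" in debug_text:
        result["likely_cause"] = (
            "no reply to the first Main Mode message: the peer is not answering IKE "
            "on UDP/500 (reachability, isakmp enabled on its outside interface, "
            "an acceptable isakmp policy)"
        )
    return result


if __name__ == "__main__":
    for name, sample in (("first capture", SAMPLE_NO_PROPOSAL), ("second capture", SAMPLE_NO_RESPONSE)):
        print(name, triage(sample))
```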
 
LVL 28

Accepted Solution

by:
Jan Springer earned 500 total points
ID: 21869042
Does the *entire* access list for that crypto state match at both ends -- not just that one line?

If you have multiple crypto end points -- you need an access-list for each one.
0
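The mirroring rule from the two replies above (the crypto ACLs must match entry for entry, with source and destination swapped, and the whole list must match, not just one line), as an added example that is not from the original post or from any Cisco tool. It parses the ASA 7.x and PIX 6.3 `access-list` syntax shown in the thread, reports the unmirrored entries, and emits the ASA list that would mirror the PIX one. The sample config fragments are constructed from the configs posted above.

```python
"""Check that two IKEv1 crypto ACLs mirror each other entry for entry.

Added example for this thread; not part of the original post or of any
Cisco tool. It reads `access-list NAME [extended] permit ip SRC MASK DST MASK`
lines (ASA 7.x uses "extended permit", PIX 6.3 plain "permit") and reports
every entry with no mirrored counterpart on the other side. An unmirrored
entry is what leaves Phase 1 complete but Phase 2 answered with
"No proposal chosen", as in the first debug capture in the thread.
"""
import ipaddress
import re

ACL_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+(?:extended\s+)?permit\s+ip\s+"
    r"(?P<src>\S+)\s+(?P<smask>\S+)\s+(?P<dst>\S+)\s+(?P<dmask>\S+)$"
)

# Constructed from the thread: the ASA crypto ACL as first posted (/16 source)
# plus the nat0 ACL, which has identical content but must be ignored by name.
ASA_CONFIG = """\
access-list outside_1_cryptomap extended permit ip 172.16.0.0 255.255.0.0 172.16.120.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.255.0.0 172.16.120.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
"""

# Constructed from the thread: the PIX501 crypto ACL, three entries.
PIX_CONFIG = """\
access-list crypto2 permit ip 172.16.120.0 255.255.255.0 172.16.100.0 255.255.255.0
access-list crypto2 permit ip 172.16.120.0 255.255.255.0 206.94.93.64 255.255.255.192
access-list crypto2 permit ip 172.16.120.0 255.255.255.0 170.102.0.0 255.255.0.0
nat (inside) 0 access-list crypto2
"""


def parse_crypto_acl(config_text, acl_name):
    """Return the set of (src_network, dst_network) pairs in ACL `acl_name`."""
    entries = set()
    for raw in config_text.splitlines():
        m = ACL_RE.match(raw.strip())
        if m is None or m.group("name") != acl_name:
            continue
        # ipaddress accepts dotted netmasks; strict=False tolerates host bits.
        src = ipaddress.ip_network(f"{m.group('src')}/{m.group('smask')}", strict=False)
        dst = ipaddress.ip_network(f"{m.group('dst')}/{m.group('dmask')}", strict=False)
        entries.add((src, dst))
    return entries


def mirror_diff(local, remote):
    """Compare two crypto ACLs as seen from the local side.

    Returns (only_local, only_remote): local entries the remote side does not
    mirror, and remote entries (flipped into local src->dst order) that the
    local side lacks. Both empty means the lists mirror exactly.
    """
    remote_flipped = {(dst, src) for (src, dst) in remote}
    return local - remote_flipped, remote_flipped - local


def mirrored_asa_lines(remote, acl_name):
    """Emit the ASA crypto ACL that exactly mirrors a remote PIX crypto ACL."""
    lines = []
    for src, dst in sorted(remote):  # PIX order: remote LAN -> our networks
        lines.append(
            f"access-list {acl_name} extended permit ip "
            f"{dst.network_address} {dst.netmask} {src.network_address} {src.netmask}"
        )
    return lines


if __name__ == "__main__":
    asa = parse_crypto_acl(ASA_CONFIG, "outside_1_cryptomap")
    pix = parse_crypto_acl(PIX_CONFIG, "crypto2")
    only_asa, only_pix = mirror_diff(asa, pix)
    for src, dst in sorted(only_asa):
        print(f"ASA entry not mirrored on PIX: {src} -> {dst}")
    for src, dst in sorted(only_pix):
        print(f"PIX entry missing on ASA:      {src} -> {dst}")
    print("\nASA ACL that mirrors the PIX list:")
    print("\n".join(mirrored_asa_lines(pix, "outside_1_cryptomap")))
```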
 

Author Comment

by:b_stockton
ID: 21869641
Jesper,

Thank you so much for your help.  I had initially wanted to get my core data network going through the tunnel and then add the other necessary networks later.  The PIX seems more forgiving than the ASA in that regard.  I have now matched all the lines in the access list on both sides and it's up and going.  My next step is to add an additional site-to-site to a new remote location we are bringing up in the near future.  I've never had multiple site-to-sites but hopefully it will be smoother sailing now.

Thanks
0
