troubleshooting Question

Cisco ASA VPN Phase 1 Fail IPSEC IKE LAN-to-LAN VPN

Avatar of rigneydolphin
rigneydolphin asked on
VPNCisco
1 Comment1 Solution3097 ViewsLast Modified:
Hi,

Im receiving the below error when trying to setup a VPN between our Cisco 5520 and the Cisco5505 of one of our clients.

I have also posted the confg below, it seems to be failing at phase 1.

thanks,

7|Oct 29 2009 11:25:37|609002: Teardown local-host outside:81.AA.NN.198 duration 0:02:24
6|Oct 29 2009 11:25:37|302016: Teardown UDP connection 3145279 for outside:81.AA.NN.198/500 to NP Identity Ifc:84.203.232.98/500 duration 0:02:24 bytes 1588
4|Oct 29 2009 11:23:45|713903: IP = 81.AA.NN.198, Error: Unable to remove PeerTblEntry
3|Oct 29 2009 11:23:45|713902: IP = 81.AA.NN.198, Removing peer from peer table failed, no match!
7|Oct 29 2009 11:23:45|713906: IP = 81.AA.NN.198, sending delete/delete with reason message
7|Oct 29 2009 11:23:45|713906: IP = 81.AA.NN.198, IKE SA MM:86b01248 terminating:  flags 0x01000022, refcnt 0, tuncnt 0
7|Oct 29 2009 11:23:45|715065: IP = 81.AA.NN.198, IKE MM Initiator FSM error history (struct &0x3f54d08)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG4, EV_TIMEOUT-->MM_WAIT_MSG4, NullEvent-->MM_SND_MSG3, EV_SND_MSG-->MM_SND_MSG3, EV_START_TMR-->MM_SND_MSG3, EV_RESEND_MSG-->MM_WAIT_MSG4, EV_TIMEOUT-->MM_WAIT_MSG4, NullEvent
4|Oct 29 2009 11:23:37|713903: IP = 81.AA.NN.198, Information Exchange processing failed
5|Oct 29 2009 11:23:37|713904: IP = 81.AA.NN.198, Received an un-encrypted INVALID_COOKIE notify message, dropping
7|Oct 29 2009 11:23:37|713236: IP = 81.AA.NN.198, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
7|Oct 29 2009 11:23:37|713236: IP = 81.AA.NN.198, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
7|Oct 29 2009 11:23:37|713236: IP = 81.AA.NN.198, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256






ASA Version 7.0(8)
!
hostname firewall1
domain-name it.local
enable password *********/m encrypted
passwd********** /m encrypted
names
dns-guard
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 84.RR.DD.98 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.AA.BB.16 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
banner login
no ftp mode passive
clock timezone GMT/IST 0
clock summer-time GMT/IDT recurring last Sun Mar 1:00 last Sun Oct 2:00
object-group service HTTPHTTPS tcp
 port-object eq www
 port-object eq https
object-group service ClientCSG tcp
 description ClientC Service Group
 port-object range 60510 60510
 port-object eq www
 port-object eq https
object-group service PServiceGroup tcp
 port-object eq echo
 port-object eq www
 port-object range 6969 6969
 port-object eq ssh
 port-object eq ftp-data
 port-object eq rsh
 port-object eq https
 port-object eq ftp
 port-object range 60510 60510
 port-object range 11110 11112
 port-object range 5000 5000
object-group service EamonnF tcp
 port-object eq telnet
 port-object eq www
 port-object eq https
 port-object eq ftp
object-group service ClientA tcp
 port-object range 5900 5900
object-group service CLIENTBVNC tcp
 port-object range 5910 5910
object-group service ClientDWB tcp
 port-object range 5911 5911
object-group service EX2200 tcp
 port-object range 2200 2200
object-group service ClientAWB tcp
 description Access for Tight VNC on ClientA WB 10.AA.BB.17
 port-object eq 5900
 port-object eq 5800
object-group service CLIENTBWallboard tcp
 port-object eq 5910
 port-object eq 5810
access-list INSIDE_NO_NAT_OUTBOUND extended permit ip 10.AA.BB.192 255.255.255.248 host 172.SS.LL.13
access-list INSIDE_NO_NAT_OUTBOUND extended permit ip any 10.AA.DD.0 255.255.255.128
access-list INSIDE_NO_NAT_OUTBOUND extended permit ip 10.AA.BB.0 255.255.255.0 10.AA.DD.0 255.255.255.128
access-list INSIDE_NO_NAT_OUTBOUND extended permit ip 10.AA.CC.0 255.255.255.0 10.AA.DD.0 255.255.255.128
access-list INSIDE_NO_NAT_OUTBOUND extended permit ip 10.AA.BB.0 255.255.255.0 10.RR.FF.0 255.255.255.0
access-list INSIDE_NO_NAT_OUTBOUND extended permit ip 10.AA.CC.0 255.255.255.0 10.RR.FF.0 255.255.255.0
access-list INSIDE_NO_NAT_OUTBOUND extended permit ip 10.AA.GG.0 255.255.255.0 10.RR.FF.0 255.255.255.0
access-list INSIDE_NO_NAT_OUTBOUND extended permit ip 10.AA.EE.0 255.255.255.0 10.RR.FF.0 255.255.255.0
access-list INSIDE_NO_NAT_OUTBOUND extended permit ip host 10.AA.FF.16 10.RR.FF.16 255.255.255.240
access-list ANPcrypto extended permit ip host 84.RR.DD.103 host 81.AA.NN.197
access-list ANP_NAT extended permit ip 10.AA.BB.0 255.255.255.0 host 81.AA.NN.197
access-list RRRVPN_splitTunnelAcl standard permit 10.AA.BB.0 255.255.255.0
access-list RRRVPN_splitTunnelAcl standard permit 10.AA.CC.0 255.255.255.0
access-list RRRVPN_splitTunnelAcl standard permit 10.AA.FF.0 255.255.255.0
access-list RRRVPN_splitTunnelAcl standard permit 10.AA.GG.0 255.255.255.0
access-list outside_cryptomap_40_1 extended permit ip host 84.RR.DD.99 host 192.WW.PP.40
access-list outside_cryptomap_40_1 extended permit ip host 84.RR.DD.99 host 192.WW.PP.42
access-list VF_NAT extended permit ip 10.AA.BB.0 255.255.255.0 host 192.WW.PP.40
access-list VF_NAT extended permit ip 10.AA.BB.0 255.255.255.0 host 192.WW.PP.42
access-list VF_NAT extended permit ip 10.AA.CC.0 255.255.255.0 host 192.WW.PP.40
access-list VF_NAT extended permit ip 10.AA.CC.0 255.255.255.0 host 192.WW.PP.42
access-list CLIENTC_NAT extended permit ip 10.AA.BB.0 255.255.255.0 host 217.VV.YY.188
access-list CLIENTC_NAT extended permit ip 10.AA.CC.0 255.255.255.0 host 217.VV.YY.188
access-list outside_cryptomap_CLIENTC extended permit ip host 84.RR.DD.100 host 217.VV.YY.188
access-list outside_cryptomap_80 extended permit ip 10.AA.BB.192 255.255.255.248 host 172.SS.LL.13
access-list Witness_splitTunnelAcl standard permit host 10.AA.FF.16
pager lines 24
logging enable
logging trap debugging
logging asdm debugging
logging mail emergencies
logging from-address PP@it.com
logging recipient-address PP@it.com level emergencies
logging host inside 10.AA.BB.3
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool VPNpool 10.RR.FF.50-10.RR.FF.100 mask 255.255.255.0
ip local pool WtinessPool 10.RR.FF.20-10.RR.FF.25 mask 255.255.255.0
no failover
monitor-interface outside
monitor-interface inside
monitor-interface management
icmp deny any outside
icmp permit any inside
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
global (outside) 10 interface
global (outside) 20 84.RR.DD.99
global (outside) 30 84.RR.DD.100
global (outside) 40 84.RR.DD.103
nat (inside) 0 access-list INSIDE_NO_NAT_OUTBOUND
nat (inside) 20 access-list VF_NAT
nat (inside) 30 access-list CLIENTC_NAT
nat (inside) 40 access-list ANP_NAT
nat (inside) 10 0.0.0.0 0.0.0.0
static (inside,outside) tcp 84.RR.DD.102 smtp 10.AA.BB.35 smtp netmask 255.255.255.255
static (inside,outside) tcp interface imap4 10.AA.BB.9 imap4 netmask 255.255.255.255
static (inside,outside) tcp interface smtp 10.AA.BB.9 smtp netmask 255.255.255.255
static (inside,outside) tcp interface www 10.AA.FF.16 www netmask 255.255.255.255
static (inside,outside) tcp interface telnet 10.AA.FF.14 telnet netmask 255.255.255.255
static (inside,outside) tcp interface 5902 10.AA.BB.33 5902 netmask 255.255.255.255
static (inside,outside) tcp interface ftp 10.AA.BB.8 ftp netmask 255.255.255.255
static (inside,outside) tcp 84.RR.DD.101 www 10.AA.BB.8 www netmask 255.255.255.255
static (inside,outside) tcp interface 7000 10.AA.BB.8 7000 netmask 255.255.255.255
static (inside,outside) tcp interface 11111 10.AA.BB.140 11111 netmask 255.255.255.255
static (inside,outside) tcp interface 5800 10.AA.BB.17 5800 netmask 255.255.255.255
static (inside,outside) tcp interface 5910 10.AA.CC.12 5910 netmask 255.255.255.255
static (inside,outside) tcp interface 5900 10.AA.BB.17 5900 netmask 255.255.255.255
static (inside,outside) tcp interface 5810 10.AA.CC.12 5810 netmask 255.255.255.255
static (inside,outside) tcp 84.RR.DD.108 ssh 10.AA.BB.9 ssh netmask 255.255.255.255
static (inside,outside) tcp interface ssh 10.AA.BB.3 ssh netmask 255.255.255.255
static (inside,outside) udp 84.RR.DD.105 domain 10.AA.BB.25 domain netmask 255.255.255.255
static (inside,outside) tcp interface 5000 10.AA.BB.140 5000 netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 84.RR.DD.97 1
route outside 10.AA.DD.0 255.255.255.0 84.RR.DD.97 1
route inside 10.TTT.YYY.0 255.255.255.0 10.AA.BB.11 1
route inside 10.0.0.0 255.255.0.0 10.AA.BB.11 1
route inside 10.10.10.0 255.255.255.0 10.AA.BB.11 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec webvpn
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain none
 split-dns none
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 client-firewall none
 client-access-rule none
 webvpn
  functions url-entry
  port-forward-name value Application Access
group-policy RRRVPN internal
group-policy RRRVPN attributes
 wins-server value 10.AA.BB.8 10.AA.BB.25
 dns-server value 10.AA.BB.25 10.AA.BB.8
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RRRVPN_splitTunnelAcl
 default-domain value iota.local
 webvpn
group-policy Witness internal
group-policy Witness attributes
 banner value
 wins-server value 10.AA.BB.25 10.AA.BB.8
 dns-server value 10.AA.BB.25 10.AA.BB.8
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Witness_splitTunnelAcl
 default-domain value it.local
 webvpn
vpn-group-policy RRRVPN
 webvpn
http server enable
http 10.AA.BB.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 40 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 60 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 80 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 80 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 90 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 90 set security-association lifetime seconds 3600
crypto dynamic-map outside_dyn_map 90 set security-association lifetime kilobytes 4608000
crypto map outside_map 40 match address outside_cryptomap_40_1
crypto map outside_map 40 set peer 213.HHH.KKK.244
crypto map outside_map 40 set transform-set ESP-3DES-SHA
crypto map outside_map 40 set security-association lifetime seconds 28800
crypto map outside_map 40 set security-association lifetime kilobytes 4608000
crypto map outside_map 60 match address outside_cryptomap_CLIENTC
crypto map outside_map 60 set peer 217.EEE.HHH.241  
crypto map outside_map 60 set transform-set ESP-3DES-SHA
crypto map outside_map 60 set security-association lifetime seconds 28800
crypto map outside_map 60 set security-association lifetime kilobytes 4608000
crypto map outside_map 80 match address outside_cryptomap_80
crypto map outside_map 80 set peer 21T.249.HHH.13Z
crypto map outside_map 80 set transform-set ESP-DES-MD5
crypto map outside_map 80 set security-association lifetime seconds 28800
crypto map outside_map 80 set security-association lifetime kilobytes 4608000
crypto map outside_map 90 match address ANPcrypto
crypto map outside_map 90 set peer 81.AA.NN.198
crypto map outside_map 90 set transform-set ESP-3DES-SHA
crypto map outside_map 90 set security-association lifetime seconds 3600
crypto map outside_map 90 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto map crypto_ClientC 70 set security-association lifetime seconds 28800
crypto map crypto_ClientC 70 set security-association lifetime kilobytes 4608000
isakmp enable outside
isakmp policy 5 authentication pre-share
isakmp policy 5 encryption 3des
isakmp policy 5 hash sha
isakmp policy 5 group 2
isakmp policy 5 lifetime 28800
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption des
isakmp policy 30 hash sha
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
isakmp policy 50 authentication pre-share
isakmp policy 50 encryption des
isakmp policy 50 hash md5
isakmp policy 50 group 2
isakmp policy 50 lifetime 86400
isakmp nat-traversal  20
tunnel-group 81.AA.NN.198 type ipsec-l2l
tunnel-group 81.AA.NN.198 ipsec-attributes
 pre-shared-key *
tunnel-group 213.HHH.KKK.244 type ipsec-l2l
tunnel-group 213.HHH.KKK.244 ipsec-attributes
 pre-shared-key *
tunnel-group 217.EEE.HHH.241  type ipsec-l2l
tunnel-group 217.EEE.HHH.241  ipsec-attributes
 pre-shared-key *
tunnel-group 213.EEE.HHH130 type ipsec-l2l
tunnel-group 213.EEE.HHH.130 ipsec-attributes
 pre-shared-key *
tunnel-group RRRVPN type ipsec-ra
tunnel-group RRRVPN general-attributes
 address-pool (inside) VPNpool
 address-pool VPNpool
 default-group-policy RRRVPN
tunnel-group RRRVPN ipsec-attributes
 pre-shared-key *
tunnel-group Witness type ipsec-ra
tunnel-group Witness general-attributes
 address-pool WtinessPool
 default-group-policy Witness
tunnel-group Witness ipsec-attributes
 pre-shared-key *
telnet 10.AA.BB.0 255.255.255.0 inside
telnet 192.168.1.0 255.255.255.0 management
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
ntp server 10.AA.FF.11
tftp-server inside 10.AA.BB.140 test1016.cfg
smtp-server 10.AA.BB.9
Cryptochecksum:85cbd89674083d461bf9ef0969c23a5a
: end
ASKER CERTIFIED SOLUTION
pimsijnja

Our community of experts have been thoroughly vetted for their expertise and industry experience.

Join our community to see this answer!
Unlock 1 Answer and 1 Comment.
Start Free Trial
Learn from the best

Network and collaborate with thousands of CTOs, CISOs, and IT Pros rooting for you and your success.

Andrew Hancock - VMware vExpert
See if this solution works for you by signing up for a 7 day free trial.
Unlock 1 Answer and 1 Comment.
Try for 7 days

”The time we save is the biggest benefit of E-E to our team. What could take multiple guys 2 hours or more each to find is accessed in around 15 minutes on Experts Exchange.

-Mike Kapnisakis, Warner Bros