• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 649
  • Last Modified:

ASA 5505 to PIX tunnel Phase 1 problems

I am trying to set up a site to site and the pix is getting this error on phase 1 from debug crypto isakmp:

ISAKMP : Checking IPSec proposal 1

ISAKMP: transform 1, ESP_DES
ISAKMP:   attributes in transform:
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (basic) of 28800
ISAKMP:      SA life type in kilobytes
ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
ISAKMP:      encaps is 1
ISAKMP:      authenticator is HMAC-MD5
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): SA not acceptable!
ISAKMP (0): sending NOTIFY message 14 protocol 0

Where do I need to start looking to solve this?
1 Solution
What PIX are you using on the other end of the VPN tunnel?

"atts not acceptable" implies an invalid combination of attributes between the peers. Check if everything is the same on both ends, e.g. the name of the algorithm, the lifetime values, the authentication type, basically any value you used to configure the cryptomap. See link for programming example between ASA5500 and PIX.

This Cisco technote indicates that cryptomap could be applied to the wrong interface or that the attributes do not match between the peers.
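To make that attribute-by-attribute comparison concrete, here is an added Python helper (not code from the answer above or from Cisco) that parses the debug lines quoted in the question into the transform the peer offered, decodes the variable-length VPI lifetime bytes, and checks the result against a local "crypto ipsec transform-set" line; the debug-name-to-keyword mappings are assumptions made for this example.

```python
import re

# The PIX debug output quoted in the question, embedded here as the sample input.
DEBUG = """\
ISAKMP : Checking IPSec proposal 1
ISAKMP: transform 1, ESP_DES
ISAKMP:   attributes in transform:
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (basic) of 28800
ISAKMP:      SA life type in kilobytes
ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
ISAKMP:      encaps is 1
ISAKMP:      authenticator is HMAC-MD5
ISAKMP (0): atts not acceptable. Next payload is 0
"""
# Debug names -> transform-set keywords (assumed mapping for this example).
ESP_NAMES = {"ESP_DES": "esp-des", "ESP_3DES": "esp-3des", "ESP_AES": "esp-aes"}
AUTH_NAMES = {"HMAC-MD5": "esp-md5-hmac", "HMAC-SHA": "esp-sha-hmac"}

def parse_proposal(text):
    """Extract the peer's offered IPsec (Phase 2) transform from debug crypto isakmp output."""
    offer, life_type = {}, None
    for line in text.splitlines():
        if m := re.search(r"transform \d+, (\S+)", line):
            offer["esp"] = ESP_NAMES.get(m.group(1), m.group(1))
        elif m := re.search(r"SA life type in (\w+)", line):
            life_type = m.group(1)          # applies to the next "life duration" line
        elif m := re.search(r"life duration \(basic\) of (\d+)", line):
            offer["life_" + life_type] = int(m.group(1))
        elif m := re.search(r"life duration \(VPI\) of\s+((?:0x[0-9a-fA-F]+\s*)+)", line):
            # Variable-length value printed as big-endian bytes: 0x0 0x46 0x50 0x0 -> 4608000 KB
            raw = bytes(int(b, 16) for b in m.group(1).split())
            offer["life_" + life_type] = int.from_bytes(raw, "big")
        elif m := re.search(r"encaps is (\d)", line):
            offer["mode"] = "tunnel" if m.group(1) == "1" else "transport"
        elif m := re.search(r"authenticator is (\S+)", line):
            offer["auth"] = AUTH_NAMES.get(m.group(1), m.group(1))
    return offer

def parse_transform_set(cfg_line):
    """Turn 'crypto ipsec transform-set NAME esp-xxx esp-yyy-hmac' into the local expectation."""
    algs = cfg_line.split()[4:]
    return {"esp": next(a for a in algs if not a.endswith("-hmac")),
            "auth": next((a for a in algs if a.endswith("-hmac")), None),
            "mode": "tunnel"}   # crypto map entries default to tunnel mode

def mismatches(offer, local):
    """Attributes where the peer's offer differs from our transform-set (empty means they agree)."""
    return [k for k in local if offer.get(k) != local[k]]
```

Run it against the transform-set line from each side's config; an empty list means the ESP cipher, authenticator and mode agree and the search should move on to the crypto map ACLs, peer addresses and the interface the map is applied to.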
j_crow1Author Commented:
It is a PIX 506 and a ASA 5505 - here are the configs -

PIX 506 - 

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname HOSTNAME
domain-name DOMAINNAME.COM
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
object-group service AltigenTCP tcp
  port-object range 49152 49213
object-group service AltigenUDP udp
  port-object range 49152 49213
access-list 110 permit ip
access-list 100 permit icmp any any
access-list 100 permit tcp any host OUTSIDEIP eq h323
access-list 100 permit ip any host OUTSIDEIP
access-list acl_out permit tcp host any eq smtp
access-list acl_out deny tcp any any eq smtp
access-list acl_out permit ip any any
access-list 145 permit ip
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside OUTSIDE IP AND MASK
ip address inside
ip audit info action alarm
ip audit attack action alarm
ip local pool PPTP
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 DIFFERENT OUTSIDE IP (Another one in the group)
nat (inside) 0 access-list 110
nat (inside) 1 0 0
access-group 100 in interface outside
access-group acl_out in interface inside
route outside GATEWAY 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map TUNNEL-MAP 45 ipsec-isakmp
crypto map TUNNEL-MAP 45 match address 145
crypto map TUNNEL-MAP 45 set peer ASAOUTSIDEIP
crypto map TUNNEL-MAP 45 set transform-set myset
crypto map TUNNEL-MAP interface outside
isakmp enable outside
isakmp key ******** address ASAOUTSIDEIP netmask
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 86400
isakmp policy 51 authentication pre-share
isakmp policy 51 encryption des
isakmp policy 51 hash md5
isakmp policy 51 group 2
isakmp policy 51 lifetime 86400
telnet inside
telnet timeout 20
ssh *.*.*.* *.*.*.* outside
ssh timeout 20
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
: end

ASA - 
interface Vlan1
 nameif inside
 security-level 100
 ip address
interface Vlan2
 nameif outside
 security-level 0
 pppoe client vpdn group ATT
 ip address ASAOUTSIDEIP pppoe
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
dns server-group DefaultDNS
 domain-name DOMAINNAME.COM
access-list inside_nat0_outbound extended permit ip
access-list inside_nat0_outbound extended permit ip
access-list inside_NAT_outbound extended permit ip any
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit icmp any any
access-list 130 extended permit ip
access-list 145 extended permit ip
access-list 146 extended permit ip
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1492
ip local pool XXX mask
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 access-list inside_NAT_outbound
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside GATEWAYIP 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set MYSET esp-des esp-md5-hmac
crypto map TUNNEL_MAP 43 match address 145
crypto map TUNNEL_MAP 43 set peer DIFFERENTPIX (Works great, no problems with this one)
crypto map TUNNEL_MAP 43 set transform-set MYSET
crypto map TUNNEL_MAP 44 match address 146
crypto map TUNNEL_MAP 44 set peer PIX506OUTSIDEIP
crypto map TUNNEL_MAP 44 set transform-set MYSET
crypto map TUNNEL_MAP interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption des
 hash md5
 group 1
 lifetime 86400
telnet inside
telnet timeout 5
ssh inside
ssh timeout 60
console timeout 0
vpdn group ATT request dialout pppoe
vpdn group ATT localname XXX
vpdn group ATT ppp authentication pap
vpdn username XXX password XXX
dhcpd dns OUTSIDEDNS
dhcpd domain DOMAINNAME.COM
dhcpd address inside
dhcpd enable inside

username admini password jBFrHOlRmYIzGm8t encrypted
tunnel-group WORKINGPIXIP type ipsec-l2l
tunnel-group WORKINGPIXIP ipsec-attributes
 pre-shared-key *
tunnel-group PIX506IP type ipsec-l2l
tunnel-group PIX506IP ipsec-attributes
 pre-shared-key *
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
service-policy global_policy global
prompt hostname context
: end

j_crow1Author Commented:
I rebooted both devices before I completely tore down and rebuilt the tunnels - still no luck. I am missing something somewhere.
j_crow1Author Commented:
I did notice that there is a difference in the sysopt connection tcpmss times on the PIX that is working with this ASA and the one that is not working. The PIX that is working has its time set to 1200 and the PIX that isn't working is set at 1380 - could this be the problem?
On your isakmp key statement, I think you need to add some options, similar to this:
isakmp key ******** address a.b.c.d netmask no-xauth no-config-mode
Also on the PIX 506, you may need to decrease the MTU on the outside interface to allow for the additional encryption in the header. Reduce it to 1460 or less. But I would try the no-xauth thing first.
j_crow1Author Commented:
I just created a separate transform-set for this vpn (3des sha) and it works now. Thanks for the help.
j_crow1Author Commented:
Found a solution.
Question has a verified solution.