ASA 5505 to PIX tunnel Phase 1 problems

Posted on 2010-11-23
Last Modified: 2012-05-10
I am trying to set up a site-to-site tunnel and the PIX is getting this error on phase 1 from debug crypto isakmp:

ISAKMP : Checking IPSec proposal 1

ISAKMP: transform 1, ESP_DES
ISAKMP:   attributes in transform:
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (basic) of 28800
ISAKMP:      SA life type in kilobytes
ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
ISAKMP:      encaps is 1
ISAKMP:      authenticator is HMAC-MD5
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): SA not acceptable!
ISAKMP (0): sending NOTIFY message 14 protocol 0

Where do I need to start looking to solve this?
Question by:j_crow1
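"atts not acceptable" is the responder's verdict after it compares the attributes the peer offered with its own transform-set and SA lifetimes. The script below is an added example, not code from this thread or from Cisco: it parses the debug lines quoted above (embedded verbatim as constructed sample input), decodes the variable-length lifetime bytes (0x0 0x46 0x50 0x0 is 0x00465000, i.e. 4608000 kilobytes, the Cisco default alongside 28800 seconds) into the keywords used by crypto ipsec transform-set, and reports each attribute that differs from a given transform-set line. The ESP_3DES, ESP_AES and HMAC-SHA spellings are assumed to follow the same debug format as the ESP_DES and HMAC-MD5 names on the page.

```python
import re

# Constructed sample input: the debug lines quoted in the question, verbatim.
DEBUG_OUTPUT = """\
ISAKMP : Checking IPSec proposal 1
ISAKMP: transform 1, ESP_DES
ISAKMP:   attributes in transform:
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (basic) of 28800
ISAKMP:      SA life type in kilobytes
ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
ISAKMP:      encaps is 1
ISAKMP:      authenticator is HMAC-MD5
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): SA not acceptable!
"""

# Debug-output names -> keywords used in 'crypto ipsec transform-set'.
# ESP_DES and HMAC-MD5 appear in the thread; the other entries are assumed
# spellings for the same debug format.
ESP_CIPHER = {"ESP_DES": "esp-des", "ESP_3DES": "esp-3des", "ESP_AES": "esp-aes"}
ESP_AUTH = {"HMAC-MD5": "esp-md5-hmac", "HMAC-SHA": "esp-sha-hmac"}
ENCAPS = {1: "tunnel", 2: "transport"}  # IPsec DOI encapsulation-mode values


def parse_proposal(text):
    """Return a dict of the attributes the peer offered in transform 1."""
    prop = {}
    life_type = "unknown"
    for line in text.splitlines():
        m = re.match(r"ISAKMP: transform \d+, (\S+)", line)
        if m:
            prop["cipher"] = ESP_CIPHER.get(m.group(1), m.group(1))
            continue
        m = re.search(r"SA life type in (\w+)", line)
        if m:
            life_type = m.group(1)  # applies to the next 'SA life duration' line
            continue
        m = re.search(r"SA life duration \(basic\) of (\d+)", line)
        if m:
            prop["life_" + life_type] = int(m.group(1))
            continue
        m = re.search(r"SA life duration \(VPI\) of\s+((?:0x[0-9a-fA-F]+\s*)+)", line)
        if m:
            # Variable-length attribute printed byte by byte, most significant first:
            # 0x0 0x46 0x50 0x0 -> 0x00465000 -> 4608000 kilobytes
            raw = bytes(int(tok, 16) for tok in m.group(1).split())
            prop["life_" + life_type] = int.from_bytes(raw, "big")
            continue
        m = re.search(r"encaps is (\d+)", line)
        if m:
            prop["encaps"] = ENCAPS.get(int(m.group(1)), m.group(1))
            continue
        m = re.search(r"authenticator is (\S+)", line)
        if m:
            prop["auth"] = ESP_AUTH.get(m.group(1), m.group(1))
    return prop


def parse_transform_set(config_line, life_seconds=28800, life_kilobytes=4608000):
    """Turn 'crypto ipsec transform-set NAME esp-xxx esp-yyy-hmac' into the same
    dict shape. Lifetimes default to the Cisco global defaults; pass the values
    from 'crypto ipsec security-association lifetime' if the config changes them."""
    parts = config_line.split()
    local = {"name": parts[3], "encaps": "tunnel",  # tunnel mode is the default
             "life_seconds": life_seconds, "life_kilobytes": life_kilobytes}
    for t in parts[4:]:
        if t in ESP_CIPHER.values():
            local["cipher"] = t
        elif t in ESP_AUTH.values():
            local["auth"] = t
    return local


def compare(proposal, local):
    """List (attribute, offered, configured) for every attribute that differs."""
    keys = ("cipher", "auth", "encaps", "life_seconds", "life_kilobytes")
    return [(k, proposal[k], local[k]) for k in keys
            if k in proposal and k in local and proposal[k] != local[k]]


if __name__ == "__main__":
    offered = parse_proposal(DEBUG_OUTPUT)
    for line in ("crypto ipsec transform-set myset esp-des esp-md5-hmac",
                 "crypto ipsec transform-set NEWSET esp-3des esp-sha-hmac"):
        diffs = compare(offered, parse_transform_set(line))
        print(line, "->", diffs or "no attribute differences")
```

Run against the PIX's own line (crypto ipsec transform-set myset esp-des esp-md5-hmac) the comparison reports nothing, because the offered cipher, authenticator, encapsulation and both lifetimes all match; that tells you the rejection is not explained by the transform attributes alone and the other causes the first expert names (crypto map on the wrong interface, a different crypto map entry being matched) are the next thing to check. Against a 3des/sha set it names the two differing attributes.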

Expert Comment

ID: 34201235
What PIX are you using on the other end of the VPN tunnel?

"atts not acceptable" implies an invalid combination of attributes between the peers. Check if everything is the same on both ends, e.g. the name of the algorithm, the lifetime values, the authentication type, basically any value you used to configure the cryptomap. See link for programming example between ASA5500 and PIX.

This Cisco technote indicates that cryptomap could be applied to the wrong interface or that the attributes do not match between the peers.

Author Comment

ID: 34201932
It is a PIX 506 and an ASA 5505 - here are the configs -

PIX 506 -

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname HOSTNAME
domain-name DOMAINNAME.COM
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
object-group service AltigenTCP tcp
  port-object range 49152 49213
object-group service AltigenUDP udp
  port-object range 49152 49213
access-list 110 permit ip
access-list 100 permit icmp any any
access-list 100 permit tcp any host OUTSIDEIP eq h323
access-list 100 permit ip any host OUTSIDEIP
access-list acl_out permit tcp host any eq smtp
access-list acl_out deny tcp any any eq smtp
access-list acl_out permit ip any any
access-list 145 permit ip
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside OUTSIDE IP AND MASK
ip address inside
ip audit info action alarm
ip audit attack action alarm
ip local pool PPTP
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 DIFFERENT OUTSIDE IP (Another one in the group)
nat (inside) 0 access-list 110
nat (inside) 1 0 0
access-group 100 in interface outside
access-group acl_out in interface inside
route outside GATEWAY 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map TUNNEL-MAP 45 ipsec-isakmp
crypto map TUNNEL-MAP 45 match address 145
crypto map TUNNEL-MAP 45 set peer ASAOUTSIDEIP
crypto map TUNNEL-MAP 45 set transform-set myset
crypto map TUNNEL-MAP interface outside
isakmp enable outside
isakmp key ******** address ASAOUTSIDEIP netmask
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 86400
isakmp policy 51 authentication pre-share
isakmp policy 51 encryption des
isakmp policy 51 hash md5
isakmp policy 51 group 2
isakmp policy 51 lifetime 86400
telnet inside
telnet timeout 20
ssh *.*.*.* *.*.*.* outside
ssh timeout 20
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
: end

ASA -

interface Vlan1
 nameif inside
 security-level 100
 ip address
interface Vlan2
 nameif outside
 security-level 0
 pppoe client vpdn group ATT
 ip address ASAOUTSIDEIP pppoe
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
dns server-group DefaultDNS
 domain-name DOMAINNAME.COM
access-list inside_nat0_outbound extended permit ip
access-list inside_nat0_outbound extended permit ip
access-list inside_NAT_outbound extended permit ip any
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit icmp any any
access-list 130 extended permit ip
access-list 145 extended permit ip
access-list 146 extended permit ip
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1492
ip local pool XXX mask
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 access-list inside_NAT_outbound
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside GATEWAYIP 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set MYSET esp-des esp-md5-hmac
crypto map TUNNEL_MAP 43 match address 145
crypto map TUNNEL_MAP 43 set peer DIFFERENTPIX (Works great, no problems with this one)
crypto map TUNNEL_MAP 43 set transform-set MYSET
crypto map TUNNEL_MAP 44 match address 146
crypto map TUNNEL_MAP 44 set peer PIX506OUTSIDEIP
crypto map TUNNEL_MAP 44 set transform-set MYSET
crypto map TUNNEL_MAP interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption des
 hash md5
 group 1
 lifetime 86400
telnet inside
telnet timeout 5
ssh inside
ssh timeout 60
console timeout 0
vpdn group ATT request dialout pppoe
vpdn group ATT localname XXX
vpdn group ATT ppp authentication pap
vpdn username XXX password XXX
dhcpd dns OUTSIDEDNS
dhcpd domain DOMAINNAME.COM
dhcpd address inside
dhcpd enable inside
username admini password jBFrHOlRmYIzGm8t encrypted
tunnel-group WORKINGPIXIP type ipsec-l2l
tunnel-group WORKINGPIXIP ipsec-attributes
 pre-shared-key *
tunnel-group PIX506IP type ipsec-l2l
tunnel-group PIX506IP ipsec-attributes
 pre-shared-key *
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
service-policy global_policy global
prompt hostname context
: end



Author Comment

ID: 34205571
I rebooted both devices before I completely tore down and rebuilt the tunnels - still no luck. I am missing something somewhere.

Author Comment

ID: 34205984
I did notice that there is a difference in the sysopt connection tcpmss times on the PIX that is working with this ASA and the one that is not working. The PIX that is working has its time set to 1200 and the PIX that isn't working is set at 1380 - could this be the problem?

Expert Comment

ID: 34206788
On your Isakmp key statement, I think you need to add some options, similar to this:
isakmp key ******** address a.b.c.d netmask no-xauth no-config-mode

Expert Comment

ID: 34206825
Also in the PIX 506, you may need to decrease the MTU on the outside interface to allow for the additional encryption in the header. Reduce it to 1460 or less. But I would try the no-xauth thing first.
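The MTU advice above and the author's tcpmss question earlier in the thread are two sides of the same arithmetic: ESP tunnel mode wraps each cleartext packet in a new IP header, an SPI/sequence header, a cipher IV, padding, a two-byte trailer and a 12-byte truncated HMAC, so a full-size inner packet no longer fits the outside link. The calculator below is an added example, not from the thread or from Cisco; it applies the RFC 4303 ESP layout with one-block IVs for the CBC ciphers (RFC 2451) to the two transform-sets discussed here (esp-des esp-md5-hmac, and the 3des/sha set the author ends up creating) and to the two outside MTUs in the posted configs (1500 on the PIX, 1492 on the ASA's PPPoE outside interface). The NAT-T variant, which adds a UDP header, is an assumption added for completeness and is not something the thread shows in use.

```python
# ESP tunnel-mode size calculator: how big does an inner packet become, and
# what TCP MSS keeps a full segment from being fragmented on the outside link.
# Added illustration, not code from the thread. Byte counts: RFC 4303 ESP
# (SPI + sequence = 8, pad length + next header = 2), one-block IV for CBC
# ciphers (RFC 2451), and a 12-byte ICV for HMAC-MD5-96 / HMAC-SHA-1-96.

CIPHER_IV_BLOCK = {          # transform keyword -> (IV bytes, block size to pad to)
    "esp-des": (8, 8),
    "esp-3des": (8, 8),
    "esp-aes": (16, 16),
    "esp-null": (0, 4),      # no IV; ESP still requires 4-byte alignment
}
AUTH_ICV = {"esp-md5-hmac": 12, "esp-sha-hmac": 12}
IP_HDR, TCP_HDR, UDP_HDR = 20, 20, 8


def esp_tunnel_size(inner_len, cipher, auth, nat_t=False):
    """Bytes on the wire for one inner IP packet of inner_len bytes after
    ESP tunnel-mode encapsulation."""
    iv, block = CIPHER_IV_BLOCK[cipher]
    pad = (-(inner_len + 2)) % block     # payload + pad + trailer must be a block multiple
    size = IP_HDR + 8 + iv + inner_len + pad + 2 + AUTH_ICV.get(auth, 0)
    if nat_t:                            # NAT-T: UDP/4500 header between outer IP and ESP
        size += UDP_HDR
    return size


def max_inner_packet(outside_mtu, cipher, auth, nat_t=False):
    """Largest inner IP packet whose encapsulated form still fits outside_mtu.
    esp_tunnel_size is non-decreasing in inner_len, so walking down from the
    MTU finds the ceiling."""
    inner = outside_mtu
    while inner > 0 and esp_tunnel_size(inner, cipher, auth, nat_t) > outside_mtu:
        inner -= 1
    return inner


def safe_tcp_mss(outside_mtu, cipher, auth, nat_t=False):
    """TCP MSS (no IP/TCP options) that keeps a full segment within max_inner_packet."""
    return max_inner_packet(outside_mtu, cipher, auth, nat_t) - IP_HDR - TCP_HDR


if __name__ == "__main__":
    # 1500 = PIX outside MTU in the thread; 1492 = the ASA's PPPoE outside MTU.
    for mtu in (1500, 1492):
        for ts in (("esp-des", "esp-md5-hmac"), ("esp-3des", "esp-sha-hmac"),
                   ("esp-aes", "esp-sha-hmac")):
            print(mtu, ts, "max inner", max_inner_packet(mtu, *ts),
                  "mss", safe_tcp_mss(mtu, *ts))
```

For the 1492-byte PPPoE link with either DES/MD5 or 3DES/SHA the ceiling is a 1438-byte inner packet, i.e. an MSS of 1398, so both tcpmss values mentioned in the thread (1200 and 1380) are already below it. Note also that tcpmss only clamps TCP segments passing through the firewall; the ISAKMP exchange itself runs over UDP and is unaffected by it, which is why an MSS setting cannot explain a phase 1 or phase 2 proposal rejection.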

Accepted Solution

j_crow1 earned 0 total points
ID: 34207399
I just created a separate transform-set for this VPN (3des sha) and it works now. Thanks for the help.

Author Closing Comment

ID: 34228740
Found a solution.
