Solved

ASA 5505 to PIX tunnel Phase 1 problems

Posted on 2010-11-23
609 Views
Last Modified: 2012-05-10
I am trying to set up a site-to-site and the PIX is getting this error on phase 1 from debug crypto isakmp:

ISAKMP : Checking IPSec proposal 1

ISAKMP: transform 1, ESP_DES
ISAKMP:   attributes in transform:
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (basic) of 28800
ISAKMP:      SA life type in kilobytes
ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
ISAKMP:      encaps is 1
ISAKMP:      authenticator is HMAC-MD5
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): SA not acceptable!
ISAKMP (0): sending NOTIFY message 14 protocol 0

Where do I need to start looking to solve this?
Question by:j_crow1
LVL 6

Expert Comment

by:bluemeln
ID: 34201235
What PIX are you using on the other end of the VPN tunnel?

"atts not acceptable" implies an invalid combination of attributes between the peers. Check if everything is the same on both ends, e.g. the name of the algorithm, the lifetime values, the authentication type, basically any value you used to configure the crypto map. See the link for a programming example between ASA5500 and PIX.
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080950890.shtml

This Cisco technote indicates that cryptomap could be applied to the wrong interface or that the attributes do not match between the peers.
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a00800949c5.shtml
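The dump quoted in the question is the responder rejecting the peer's IPsec (quick mode) proposal, so the attributes to compare are the ESP transform and the SA lifetimes. As an added example, not code from this thread, the Python below parses such a dump and the other side's transform-set lines and reports each attribute that differs; the sample dump and config line are constructed, and the lifetimes assume the Cisco defaults because the posted configs do not override them.

```python
import re
# Constructed sample: the proposal block of a "debug crypto isakmp" dump like
# the one in the question (peer offers ESP DES / HMAC-MD5, tunnel mode).
DEBUG_SAMPLE = """\
ISAKMP: transform 1, ESP_DES
ISAKMP:      SA life duration (basic) of 28800
ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
ISAKMP:      encaps is 1
ISAKMP:      authenticator is HMAC-MD5
"""
# Constructed sample: the responder only offers 3DES/SHA, so nothing can match.
LOCAL_CONFIG = "crypto ipsec transform-set MYSET esp-3des esp-sha-hmac\n"
ESP_ENC = {"ESP_DES": "esp-des", "ESP_3DES": "esp-3des", "ESP_AES": "esp-aes"}
ESP_AUTH = {"HMAC-MD5": "esp-md5-hmac", "HMAC-SHA": "esp-sha-hmac"}
DEFAULT_LIFE = {"lifetime_seconds": 28800, "lifetime_kilobytes": 4608000}  # Cisco defaults (assumed)

def parse_proposal(debug_text):
    """Canonicalise one 'Checking IPSec proposal' block into named attributes."""
    attrs = {}
    for line in debug_text.splitlines():
        if m := re.search(r"transform \d+, (ESP_\w+)", line):
            attrs["encryption"] = ESP_ENC.get(m.group(1), m.group(1).lower())
        elif m := re.search(r"authenticator is (\S+)", line):
            attrs["authentication"] = ESP_AUTH.get(m.group(1), m.group(1).lower())
        elif m := re.search(r"duration \(basic\) of (\d+)", line):
            attrs["lifetime_seconds"] = int(m.group(1))
        elif m := re.search(r"duration \(VPI\) of\s+((?:0x[0-9a-fA-F]+\s*)+)", line):
            # Big-endian byte list: "0x0 0x46 0x50 0x0" -> 0x465000 = 4608000 KB
            raw = bytes(int(tok, 16) for tok in m.group(1).split())
            attrs["lifetime_kilobytes"] = int.from_bytes(raw, "big")
        elif m := re.search(r"encaps is (\d+)", line):
            attrs["encaps"] = "tunnel" if m.group(1) == "1" else "transport"
    return attrs

def parse_transform_sets(config_text):
    """Attributes each 'crypto ipsec transform-set NAME <enc> <auth>' line accepts (tunnel mode, default lifetimes)."""
    sets = {}
    for line in config_text.splitlines():
        if m := re.match(r"\s*crypto ipsec transform-set (\S+) (esp-\S+) (esp-\S+-hmac)", line):
            sets[m.group(1)] = {"encryption": m.group(2), "authentication": m.group(3),
                                "encaps": "tunnel", **DEFAULT_LIFE}
    return sets

def check_peer(debug_text, config_text):
    """{set_name: {attribute: (peer_value, local_value)}} for every differing attribute; an empty
    dict means that set would negotiate. Lifetimes alone normally settle on the lower value."""
    proposal = parse_proposal(debug_text)
    return {name: {k: (v, local.get(k)) for k, v in proposal.items() if v != local.get(k)}
            for name, local in parse_transform_sets(config_text).items()}
```

Run check_peer() on the real dump and the real peer config; a set whose result is empty is the one the tunnel will negotiate with.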

Author Comment

by:j_crow1
ID: 34201932
It is a PIX 506 and an ASA 5505 - here are the configs:

PIX 506 -

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname HOSTNAME
domain-name DOMAINNAME.COM
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group service AltigenTCP tcp
  port-object range 49152 49213
object-group service AltigenUDP udp
  port-object range 49152 49213
access-list 110 permit ip 192.168.40.128 255.255.255.128 192.168.44.0 255.255.255.0
access-list 100 permit icmp any any
access-list 100 permit tcp any host OUTSIDEIP eq h323
access-list 100 permit ip any host OUTSIDEIP
access-list acl_out permit tcp host 192.168.40.131 any eq smtp
access-list acl_out deny tcp any any eq smtp
access-list acl_out permit ip any any
access-list 145 permit ip 192.168.40.128 255.255.255.128 192.168.44.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside OUTSIDE IP AND MASK
ip address inside 192.168.40.129 255.255.255.128
ip audit info action alarm
ip audit attack action alarm
ip local pool PPTP 192.168.40.240-192.168.40.245
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 DIFFERENT OUTSIDE IP (Another one in the group)
nat (inside) 0 access-list 110
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group 100 in interface outside
access-group acl_out in interface inside
route outside 0.0.0.0 0.0.0.0 GATEWAY 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.40.128 255.255.255.128 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map TUNNEL-MAP 45 ipsec-isakmp
crypto map TUNNEL-MAP 45 match address 145
crypto map TUNNEL-MAP 45 set peer ASAOUTSIDEIP
crypto map TUNNEL-MAP 45 set transform-set myset
crypto map TUNNEL-MAP interface outside
isakmp enable outside
isakmp key ******** address ASAOUTSIDEIP netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 86400
isakmp policy 51 authentication pre-share
isakmp policy 51 encryption des
isakmp policy 51 hash md5
isakmp policy 51 group 2
isakmp policy 51 lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 20
ssh *.*.*.* *.*.*.* outside
ssh timeout 20
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:27abd81330f678294d440300c92b7c0a
: end

ASA -

7.2(4)
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.44.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 pppoe client vpdn group ATT
 ip address ASAOUTSIDEIP 255.255.255.255 pppoe
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name DOMAINNAME.COM
access-list inside_nat0_outbound extended permit ip 192.168.44.0 255.255.255.0 192.168.40.0 255.255.255.128
access-list inside_nat0_outbound extended permit ip 192.168.44.0 255.255.255.0 192.168.40.128 255.255.255.128
access-list inside_NAT_outbound extended permit ip 192.168.44.0 255.255.255.0 any
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit icmp any any
access-list 130 extended permit ip 192.168.44.0 255.255.255.128 192.168.40.128 255.255.255.128
access-list 145 extended permit ip 192.168.44.0 255.255.255.0 192.168.40.0 255.255.255.128
access-list 146 extended permit ip 192.168.44.0 255.255.255.0 192.168.40.128 255.255.255.128
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1492
ip local pool XXX 192.168.44.20-192.168.44.49 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 access-list inside_NAT_outbound
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 GATEWAYIP 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
http server enable
http 192.168.44.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set MYSET esp-des esp-md5-hmac
crypto map TUNNEL_MAP 43 match address 145
crypto map TUNNEL_MAP 43 set peer DIFFERENTPIX (Works great, no problems with this one)
crypto map TUNNEL_MAP 43 set transform-set MYSET
crypto map TUNNEL_MAP 44 match address 146
crypto map TUNNEL_MAP 44 set peer PIX506OUTSIDEIP
crypto map TUNNEL_MAP 44 set transform-set MYSET
crypto map TUNNEL_MAP interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption des
 hash md5
 group 1
 lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
console timeout 0
vpdn group ATT request dialout pppoe
vpdn group ATT localname XXX
vpdn group ATT ppp authentication pap
vpdn username XXX password XXX
dhcpd dns 192.168.40.4 OUTSIDEDNS
dhcpd domain DOMAINNAME.COM
!
dhcpd address 192.168.44.50-192.168.44.80 inside
dhcpd enable inside
!
username admini password jBFrHOlRmYIzGm8t encrypted
tunnel-group WORKINGPIXIP type ipsec-l2l
tunnel-group WORKINGPIXIP ipsec-attributes
 pre-shared-key *
tunnel-group PIX506IP type ipsec-l2l
tunnel-group PIX506IP ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:24927e43b8d1454ed36fdd5dd420bea4
: end


Author Comment

by:j_crow1
ID: 34205571
I rebooted both devices before I completely tore down and rebuilt the tunnels - still no luck. I am missing something somewhere.

Author Comment

by:j_crow1
ID: 34205984
I did notice that there is a difference in the sysopt connection tcpmss times on the PIX that is working with this ASA and the one that is not working. The PIX that is working has its time set to 1200 and the PIX that isn't working is set at 1380 - could this be the problem?
LVL 7

Expert Comment

by:Boilermaker85
ID: 34206788
On your Isakmp key statement, I think you need to add some options, similar to this:
isakmp key ******** address a.b.c.d netmask 255.255.255.255 no-xauth no-config-mode
LVL 7

Expert Comment

by:Boilermaker85
ID: 34206825
Also, in the PIX 506, you may need to decrease the MTU on the outside interface to allow for the additional encryption in the header. Reduce it to 1460 or less. But I would try the no-xauth thing first.

Accepted Solution

by:
j_crow1 earned 0 total points
ID: 34207399
I just created a separate transform-set for this vpn (3des sha) and it works now. Thanks for the help.

Author Closing Comment

by:j_crow1
ID: 34228740
Found a solution.