Solved

ASA 5505 to PIX tunnel Phase 1 problems

Posted on 2010-11-23
Last Modified: 2012-05-10
I am trying to set up a site-to-site and the PIX is getting this error on phase 1 from debug crypto isakmp:

ISAKMP : Checking IPSec proposal 1

ISAKMP: transform 1, ESP_DES
ISAKMP:   attributes in transform:
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (basic) of 28800
ISAKMP:      SA life type in kilobytes
ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
ISAKMP:      encaps is 1
ISAKMP:      authenticator is HMAC-MD5
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): SA not acceptable!
ISAKMP (0): sending NOTIFY message 14 protocol 0

Where do I need to start looking to solve this?
Question by:j_crow1

Expert Comment

by:bluemeln
ID: 34201235
What PIX are you using on the other end of the VPN tunnel?

"atts not acceptable" implies an invalid combination of attributes between the peers. Check if everything is the same on both ends, e.g. the name of the algorithm, the lifetime values, the authentication type, basically any value you used to configure the cryptomap. See link for programming example between ASA5500 and PIX.
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080950890.shtml

This Cisco technote indicates that cryptomap could be applied to the wrong interface or that the attributes do not match between the peers.
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a00800949c5.shtml
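A small checker, added here and not part of the thread, that does the attribute comparison bluemeln describes: it parses the IPsec proposal block from the debug in the question, decodes the lifetime values, and compares them against the transform-set lines from the posted configs. The NEWSET line and its name are constructed to stand for the 3des/sha set the accepted answer mentions.

```python
import re
# Constructed sample: the proposal block from the "debug crypto isakmp" output in the
# question, the transform-set line both posted configs use, and a constructed NEWSET line.
DEBUG = """\
ISAKMP : Checking IPSec proposal 1
ISAKMP: transform 1, ESP_DES
ISAKMP:   attributes in transform:
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (basic) of 28800
ISAKMP:      SA life type in kilobytes
ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
ISAKMP:      encaps is 1
ISAKMP:      authenticator is HMAC-MD5
ISAKMP (0): atts not acceptable. Next payload is 0
"""
CONFIG = """\
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto ipsec transform-set NEWSET esp-3des esp-sha-hmac
"""
# Names as printed by the debug -> keywords used on PIX/ASA transform-set lines.
ENC = {"ESP_DES": "esp-des", "ESP_3DES": "esp-3des", "ESP_AES": "esp-aes"}
AUTH = {"HMAC-MD5": "esp-md5-hmac", "HMAC-SHA": "esp-sha-hmac"}

def parse_proposal(debug):
    """Extract the peer's offered ESP attributes from one IPsec proposal block."""
    p = {}
    for line in debug.splitlines():
        if m := re.search(r"transform \d+, (\S+)", line):
            p["encryption"] = ENC.get(m.group(1), m.group(1))
        elif m := re.search(r"authenticator is (\S+)", line):
            p["auth"] = AUTH.get(m.group(1), m.group(1))
        elif m := re.search(r"life duration \(basic\) of (\d+)", line):
            p["life_sec"] = int(m.group(1))
        elif m := re.search(r"life duration \(VPI\) of\s+((?:0x[0-9a-f]+\s*)+)", line, re.I):
            # The VPI form is a big-endian byte string: 0x0 0x46 0x50 0x0 -> 4608000 KB
            p["life_kb"] = int.from_bytes(bytes(int(b, 16) for b in m.group(1).split()), "big")
    return p

def parse_transform_sets(config):
    """'crypto ipsec transform-set NAME esp-x esp-y-hmac' -> {NAME: ('esp-x', 'esp-y-hmac')}"""
    pat = r"crypto ipsec transform-set (\S+) (esp-\S+) (esp-\S+-hmac)"
    return {name: (enc, auth) for name, enc, auth in re.findall(pat, config)}

def mismatches(proposal, transform, life_sec=28800, life_kb=4608000):
    """List offered attributes that differ from the local transform-set and SA lifetimes (defaults are the PIX/ASA defaults)."""
    enc, auth = transform
    checks = [("encryption", proposal.get("encryption"), enc), ("authentication", proposal.get("auth"), auth),
              ("lifetime-seconds", proposal.get("life_sec"), life_sec), ("lifetime-kilobytes", proposal.get("life_kb"), life_kb)]
    return [f"{n}: peer offers {got}, local has {want}" for n, got, want in checks if got != want]
```

Run against the posted lines, the decoded lifetimes are the 28800 s / 4608000 KB defaults and the esp-des/esp-md5-hmac transform matches myset on both boxes, so this proposal block alone does not show which attribute the PIX rejected. That narrows the next check to the crypto map entry and ACL the peer is selecting for this traffic.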

Author Comment

by:j_crow1
ID: 34201932
It is a PIX 506 and an ASA 5505 - here are the configs -


PIX 506 - 

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname HOSTNAME
domain-name DOMAINNAME.COM
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group service AltigenTCP tcp
  port-object range 49152 49213
object-group service AltigenUDP udp
  port-object range 49152 49213
access-list 110 permit ip 192.168.40.128 255.255.255.128 192.168.44.0 255.255.255.0
access-list 100 permit icmp any any
access-list 100 permit tcp any host OUTSIDEIP eq h323
access-list 100 permit ip any host OUTSIDEIP
access-list acl_out permit tcp host 192.168.40.131 any eq smtp
access-list acl_out deny tcp any any eq smtp
access-list acl_out permit ip any any
access-list 145 permit ip 192.168.40.128 255.255.255.128 192.168.44.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside OUTSIDE IP AND MASK
ip address inside 192.168.40.129 255.255.255.128
ip audit info action alarm
ip audit attack action alarm
ip local pool PPTP 192.168.40.240-192.168.40.245
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 DIFFERENT OUTSIDE IP (Another one in the group)
nat (inside) 0 access-list 110
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group 100 in interface outside
access-group acl_out in interface inside
route outside 0.0.0.0 0.0.0.0 GATEWAY 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.40.128 255.255.255.128 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map TUNNEL-MAP 45 ipsec-isakmp
crypto map TUNNEL-MAP 45 match address 145
crypto map TUNNEL-MAP 45 set peer ASAOUTSIDEIP
crypto map TUNNEL-MAP 45 set transform-set myset
crypto map TUNNEL-MAP interface outside
isakmp enable outside
isakmp key ******** address ASAOUTSIDEIP netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 86400
isakmp policy 51 authentication pre-share
isakmp policy 51 encryption des
isakmp policy 51 hash md5
isakmp policy 51 group 2
isakmp policy 51 lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 20
ssh *.*.*.* *.*.*.* outside
ssh timeout 20
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:27abd81330f678294d440300c92b7c0a
: end


ASA - 
7.2(4)
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.44.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 pppoe client vpdn group ATT
 ip address ASAOUTSIDEIP 255.255.255.255 pppoe
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name DOMAINNAME.COM
access-list inside_nat0_outbound extended permit ip 192.168.44.0 255.255.255.0 192.168.40.0 255.255.255.128
access-list inside_nat0_outbound extended permit ip 192.168.44.0 255.255.255.0 192.168.40.128 255.255.255.128
access-list inside_NAT_outbound extended permit ip 192.168.44.0 255.255.255.0 any
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit icmp any any
access-list 130 extended permit ip 192.168.44.0 255.255.255.128 192.168.40.128 255.255.255.128
access-list 145 extended permit ip 192.168.44.0 255.255.255.0 192.168.40.0 255.255.255.128
access-list 146 extended permit ip 192.168.44.0 255.255.255.0 192.168.40.128 255.255.255.128
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1492
ip local pool XXX 192.168.44.20-192.168.44.49 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 access-list inside_NAT_outbound
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 GATEWAYIP 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
http server enable
http 192.168.44.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set MYSET esp-des esp-md5-hmac
crypto map TUNNEL_MAP 43 match address 145
crypto map TUNNEL_MAP 43 set peer DIFFERENTPIX (Works great, no problems with this one)
crypto map TUNNEL_MAP 43 set transform-set MYSET
crypto map TUNNEL_MAP 44 match address 146
crypto map TUNNEL_MAP 44 set peer PIX506OUTSIDEIP
crypto map TUNNEL_MAP 44 set transform-set MYSET
crypto map TUNNEL_MAP interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption des
 hash md5
 group 1
 lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
console timeout 0
vpdn group ATT request dialout pppoe
vpdn group ATT localname XXX
vpdn group ATT ppp authentication pap
vpdn username XXX password XXX
dhcpd dns 192.168.40.4 OUTSIDEDNS
dhcpd domain DOMAINNAME.COM
!
dhcpd address 192.168.44.50-192.168.44.80 inside
dhcpd enable inside
!

username admini password jBFrHOlRmYIzGm8t encrypted
tunnel-group WORKINGPIXIP type ipsec-l2l
tunnel-group WORKINGPIXIP ipsec-attributes
 pre-shared-key *
tunnel-group PIX506IP type ipsec-l2l
tunnel-group PIX506IP ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:24927e43b8d1454ed36fdd5dd420bea4
: end


Author Comment

by:j_crow1
ID: 34205571
I rebooted both devices before I completely tore down and rebuilt the tunnels - still no luck. I am missing something somewhere.

Author Comment

by:j_crow1
ID: 34205984
I did notice that there is a difference in the sysopt connection tcpmss times on the PIX that is working with this ASA and the one that is not working. The PIX that is working has its time set to 1200 and the PIX that isn't working is set at 1380 - could this be the problem?

Expert Comment

by:Boilermaker85
ID: 34206788
On your Isakmp key statement, I think you need to add some options, similar to this:
isakmp key ******** address a.b.c.d netmask 255.255.255.255 no-xauth no-config-mode

Expert Comment

by:Boilermaker85
ID: 34206825
Also in the PIX 506, you may need to decrease the MTU on the outside interface to allow for the additional encryption in the header. Reduce it to 1460 or less. But I would try the no-xauth thing first.

Accepted Solution

by:j_crow1
ID: 34207399
I just created a separate transform-set for this vpn (3des sha) and it works now. Thanks for the help.

Author Closing Comment

by:j_crow1
ID: 34228740
Found a solution.

Question has a verified solution.