Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
?
Solved

Cisco Router to ASA VPN "received encrypted packet with no matching sa dropping"

Posted on 2011-10-04
4
Medium Priority
?
10,509 Views
Last Modified: 2014-05-22
I have got cisco 3750 and ASA and getting the "error message received encrypted packet with no matching sa dropping"
After googling i have come across usually you get the error message when there is an ACL mismatch however i am sure ACLs are same please see the config below and advise:


ASA Version 8.0(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 21.21.21.1 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.10.6.200 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list new extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list policy-nat extended permit ip 10.10.6.0 255.255.255.0 192.168.3.0 255.255.255.0 log
pager lines 24
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
static (inside,outside) 192.168.2.0  access-list policy-nat
route outside 0.0.0.0 0.0.0.0 21.21.21.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set CISCO esp-des esp-md5-hmac
crypto map outside_map 20 match address new
crypto map outside_map 20 set peer 12.12.12.1
crypto map outside_map 20 set transform-set CISCO
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 65535
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
tunnel-group 172.162.1.2 type ipsec-l2l
tunnel-group 12.12.12.1 type ipsec-l2l
tunnel-group 12.12.12.1 ipsec-attributes
 pre-shared-key *
prompt hostname context
Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e
: end
========================

Building configuration...

Current configuration : 1387 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$k7RW$jxBDdzyfM9LzSC3Ih5EYO0
!
no aaa new-model
memory-size iomem 5
ip cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
archive
 log config
  hidekeys
!
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 21.21.21.1
!
!
crypto ipsec transform-set CISCO esp-des esp-md5-hmac
!
crypto map outside_map 20 ipsec-isakmp
 set peer 21.21.21.1
 set transform-set CISCO
 set pfs group2
 match address 150
!
!
interface Loopback0
 ip address 10.10.6.100 255.255.255.0
!
interface FastEthernet0/0
 ip address 12.12.12.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map outside_map
!
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 12.12.12.2
!
!
ip http server
no ip http secure-server
ip nat inside source static network 10.10.6.0 192.168.3.0 /24 no-alias
!
access-list 150 permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
 password cisco
 login
!
!
end
=====================
Router Debug
====================
*Mar  1 02:35:21.047: ISAKMP:(0): SA request profile is (NULL)
*Mar  1 02:35:21.051: ISAKMP: Created a peer struct for 21.21.21.1, peer port 500
*Mar  1 02:35:21.051: ISAKMP: New peer created peer = 0x67BDDBA4 peer_handle = 0x8000001B
*Mar  1 02:35:21.055: ISAKMP: Locking peer struct 0x67BDDBA4, refcount 1 for isakmp_initiator
*Mar  1 02:35:21.059: ISAKMP: local port 500, remote port 500
*Mar  1 02:35:21.059: ISAKMP: set new node 0 to QM_IDLE
*Mar  1 02:35:21.063: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 677474E8
*Mar  1 02:35:21.067: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Mar  1 02:35:21.067: ISAKMP:(0):found peer pre-shared key matching 21.21.21.1
*Mar  1 02:35:21.067: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Mar  1 02:35:21.067: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Mar  1 02:35:21.067: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Mar  1 02:35:21.067: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Mar  1 02:35:21.067: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Mar  1 02:35:21.067: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1

*Mar  1 02:35:21.067: ISAKMP:(0): beginning Main Mode exchange
*Mar  1 02:35:21.067: ISAKMP:(0): sending packet to 21.21.21.1 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar  1 02:35:21.067: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Mar  1 02:35:21.143: ISAKMP (0:0): received packet from 21.21.21.1 dport 500 sport 500 Global (I) MM_NO_STATE
*Mar  1 02:35:21.147: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar  1 02:35:21.151: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2

*Mar  1 02:35:21.155: ISAKMP:(0): processing SA payload. message ID = 0
*Mar  1 02:35:21.155: ISAKMP:(0): processing vendor id payload
*Mar  1 02:35:21.155: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Mar  1 02:35:21.155: ISAKMP:(0): vendor ID is NAT-T v2
*Mar  1 02:35:21.155: ISAKMP:(0): processing vendor id payload
*Mar  1 02:35:21.155: ISAKMP:(0): processing IKE frag vendor id payload
*Mar  1 02:35:21.155: ISAKMP:(0):Support for IKE Fragmentation not enabled
*Mar  1 02:35:21.155: ISAKMP:(0):found peer pre-shared key matching 21.21.21.1
*Mar  1 02:35:21.155: ISAKMP:(0): local preshared key found
*Mar  1 02:35:21.155: ISAKMP : Scanning profiles for xauth ...
*Mar  1 02:35:21.155: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Mar  1 02:35:21.155: ISAKMP:      encryption DES-CBC
*Mar  1 02:35:21.155: ISAKMP:      hash MD5
*Mar  1 02:35:21.155: ISAKMP:      default group 2
*Mar  1 02:35:21.155: ISAKMP:      auth pre-share
*Mar  1 02:35:21.155: ISAKMP:      life type in seconds
*Mar  1 02:35:21.155: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
*Mar  1 02:35:21.155: ISAKMP:(0):atts are acceptable. Next payload is 0
*Mar  1 02:35:21.155: ISAKMP:(0):Acceptable atts:actual life: 0
*Mar  1 02:35:21.155: ISAKMP:(0):Acceptable atts:life: 0
*Mar  1 02:35:21.155: ISAKMP:(0):Fill atts in sa vpi_length:4
*Mar  1 02:35:21.155: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
*Mar  1 02:35:21.155: ISAKMP:(0):Returning Actual lifetime: 86400
*Mar  1 02:35:21.155: ISAKMP:(0)::Started lifetime timer: 86400.

*Mar  1 02:35:21.155: ISAKMP:(0): processing vendor id payload
*Mar  1 02:35:21.155: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Mar  1 02:35:21.155: ISAKMP:(0): vendor ID is NAT-T v2
*Mar  1 02:35:21.155: ISAKMP:(0): processing vendor id payload
*Mar  1 02:35:21.155: ISAKMP:(0): processing IKE frag vendor id payload
*Mar  1 02:35:21.155: ISAKMP:(0):Support for IKE Fragmentation not enabled
*Mar  1 02:35:21.155: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar  1 02:35:21.155: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2

*Mar  1 02:35:21.155: ISAKMP:(0): sending packet to 21.21.21.1 my_port 500 peer_port 500 (I) MM_SA_SETUP
*Mar  1 02:35:21.155: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Mar  1 02:35:21.155: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar  1 02:35:21.155: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3

*Mar  1 02:35:21.395: ISAKMP (0:0): received packet from 21.21.21.1 dport 500 sport 500 Global (I) MM_SA_SETUP
*Mar  1 02:35:21.395: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar  1 02:35:21.395: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4

*Mar  1 02:35:21.395: ISAKMP:(0): processing KE payload. message ID = 0
*Mar  1 02:35:21.395: ISAKMP:(0): processing NONCE payload. message ID = 0
*Mar  1 02:35:21.395: ISAKMP:(0):found peer pre-shared key matching 21.21.21.1
*Mar  1 02:35:21.395: ISAKMP:(1018): processing vendor id payload
*Mar  1 02:35:21.395: ISAKMP:(1018): vendor ID is Unity
*Mar  1 02:35:21.395: ISAKMP:(1018): processing vendor id payload
*Mar  1 02:35:21.395: ISAKMP:(1018): vendor ID seems Unity/DPD but major 149 mismatch
*Mar  1 02:35:21.395: ISAKMP:(1018): vendor ID is XAUTH
*Mar  1 02:35:21.395: ISAKMP:(1018): processing vendor id payload
*Mar  1 02:35:21.395: ISAKMP:(1018): speaking to another IOS box!
*Mar  1 02:35:21.395: ISAKMP:(1018): processing vendor id payload
*Mar  1 02:35:21.395: ISAKMP:(1018):vendor ID seems Unity/DPD but hash mismatch
*Mar  1 02:35:21.395: ISAKMP:received payload type 20
*Mar  1 02:35:21.395: ISAKMP:received payload type 20
*Mar  1 02:35:21.395: ISAKMP:(1018):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar  1 02:35:21.395: ISAKMP:(1018):Old State = IKE_I_MM4  New State = IKE_I_MM4

*Mar  1 02:35:21.395: ISAKMP:(1018):Send initial contact
*Mar  1 02:35:21.395: ISAKMP:(1018):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Mar  1 02:35:21.395: ISAKMP (0:1018): ID payload
        next-payload : 8
        type         : 1
        address      : 12.12.12.1
        protocol     : 17
        port         : 500
        length       : 12
*Mar  1 02:35:21.395: ISAKMP:(1018):Total payload length: 12
*Mar  1 02:35:21.395: ISAKMP:(1018): sending packet to 21.21.21.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Mar  1 02:35:21.395: ISAKMP:(1018):Sending an IKE IPv4 Packet.
*Mar  1 02:35:21.395: ISAKMP:(1018):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar  1 02:35:21.395: ISAKMP:(1018):Old State = IKE_I_MM4  New State = IKE_I_MM5

*Mar  1 02:35:21.411: ISAKMP:(1016):purging SA., sa=67746644, delme=67746644
*Mar  1 02:35:21.547: ISAKMP (0:1018): received packet from 21.21.21.1 dport 500 sport 500 Global (I) MM_KEY_EXCH
*Mar  1 02:35:21.551: ISAKMP:(1018): processing ID payload. message ID = 0
*Mar  1 02:35:21.551: ISAKMP (0:1018): ID payload
        next-payload : 8
        type         : 1
        address      : 21.21.21.1
        protocol     : 17
        port         : 0
        length       : 12
*Mar  1 02:35:21.551: ISAKMP:(0):: peer matches *none* of the profiles
*Mar  1 02:35:21.551: ISAKMP:(1018): processing HASH payload. message ID = 0
*Mar  1 02:35:21.551: ISAKMP:received payload type 17
*Mar  1 02:35:21.551: ISAKMP:(1018): processing vendor id payload
*Mar  1 02:35:21.551: ISAKMP:(1018): vendor ID is DPD
*Mar  1 02:35:21.551: ISAKMP:(1018):SA authentication status:
        authenticated
*Mar  1 02:35:21.551: ISAKMP:(1018):SA has been authenticated with 21.21.21.1
*Mar  1 02:35:21.551: ISAKMP: Trying to insert a peer 12.12.12.1/21.21.21.1/500/,  and inserted successfully 67BDDBA4.
*Mar  1 02:35:21.551: ISAKMP:(1018):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar  1 02:35:21.551: ISAKMP:(1018):Old State = IKE_I_MM5  New State = IKE_I_MM6

*Mar  1 02:35:21.551: ISAKMP:(1018):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar  1 02:35:21.551: ISAKMP:(1018):Old State = IKE_I_MM6  New State = IKE_I_MM6

*Mar  1 02:35:21.551: ISAKMP:(1018):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar  1 02:35:21.551: ISAKMP:(1018):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE

*Mar  1 02:35:21.551: ISAKMP:(1018):beginning Quick Mode exchange, M-ID of -209682273
*Mar  1 02:35:21.551: ISAKMP:(1018):QM Initiator gets spi
*Mar  1 02:35:21.559: ISAKMP:(1018): sending packet to 21.21.21.1 my_port 500 peer_port 500 (I) QM_IDLE
*Mar  1 02:35:21.559: ISAKMP:(1018):Sending an IKE IPv4 Packet.
*Mar  1 02:35:21.567: ISAKMP:(1018):Node -209682273, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Mar  1 02:35:21.567: ISAKMP:(1018):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
*Mar  1 02:35:21.571: ISAKMP:(1018):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Mar  1 02:35:21.575: ISAKMP:(1018):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

*Mar  1 02:35:21.703: ISAKMP (0:1018): received packet from 21.21.21.1 dport 500 sport 500 Global (I) QM_IDLE
*Mar  1 02:35:21.707: ISAKMP: set new node -1840271890 to QM_IDLE
*Mar  1 02:35:21.711: ISAKMP:(1018): processing HASH payload. message ID = -1840271890
*Mar  1 02:35:21.715: ISAKMP:(1018): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
        spi 0, message ID = -1840271890, sa = 677474E8
*Mar  1 02:35:21.719: ISAKMP:(1018):deleting node -1840271890 error FALSE reason "Informational (in) state 1"
*Mar  1 02:35:21.719: ISAKMP:(1018):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Mar  1 02:35:21.719: ISAKMP:(1018):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

*Mar  1 02:35:21.775: ISAKMP (0:1018): received packet from 21.21.21.1 dport 500 sport 500 Global (I) QM_IDLE
*Mar  1 02:35:21.779: ISAKMP: set new node -1719484999 to QM_IDLE
*Mar  1 02:35:21.783: ISAKMP:(1018): processing HASH payload. message ID = -1719484999
*Mar  1 02:35:21.783: ISAKMP:(1018): processing DELETE payload. message ID = -1719484999
*Mar  1 02:35:21.783: ISAKMP:(1018):peer does not do paranoid keepalives.

*Mar  1 02:35:21.783: ISAKMP:(1018):deleting SA reason "No reason" state (I) QM_IDLE       (peer 21.21.21.1)
*Mar  1 02:35:21.783: ISAKMP:(1018):deleting node -1719484999 error FALSE reason "Informational (in) state 1"
*Mar  1 02:35:21.783: ISAKMP: set new node 343106909 to QM_IDLE
*Mar  1 02:35:21.783: ISAKMP:(1018): sending packet to 21.21.21.1 my_port 500 peer_port 500 (I) QM_IDLE
*Mar  1 02:35:21.783: ISAKMP:(1018):Sending an IKE IPv4 Packet.
*Mar  1 02:35:21.787: ISAKMP:(1018):purging node 343106909
*Mar  1 02:35:21.791: ISAKMP:(1018):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Mar  1 02:35:21.795: ISAKMP:(1018):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA

*Mar  1 02:35:21.803: ISAKMP:(1018):deleting SA reason "No reason" state (I) QM_IDLE       (peer 21.21.21.1)
*Mar  1 02:35:21.807: ISAKMP:(0):Can't decrement IKE Call Admission Control stat outgoing_active since it's already 0.
*Mar  1 02:35:21.811: ISAKMP: Unlocking peer struct 0x67BDDBA4 for isadb_mark_sa_deleted(), count 0
*Mar  1 02:35:21.815: ISAKMP: Deleting peer node by peer_reap for 21.21.21.1: 67BDDBA4
*Mar  1 02:35:21.823: ISAKMP:(1018):deleting node -209682273 error FALSE reason "IKE deleted"
*Mar  1 02:35:21.827: ISAKMP:(1018):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar  1 02:35:21.831: ISAKMP:(1018):Old State = IKE_DEST_SA  New State = IKE_DEST_SA

*Mar  1 02:35:41.847: ISAKMP:(1017):purging node 1263461345
*Mar  1 02:35:41.915: ISAKMP:(1017):purging node -974081689
*Mar  1 02:35:41.915: ISAKMP:(1017):purging node -248042527
R1#
*Mar  1 02:35:51.915: ISAKMP:(1017):purging SA., sa=67747EE4, delme=67747EE4
==================
ASA Debug
===================

Nov 30 02:36:18 [IKEv1]: Group = 12.12.12.1, IP = 12.12.12.1, QM FSM error (P2 struct &0xd8acd6d8, mess id 0xf1372be1)!
Nov 30 02:36:18 [IKEv1]: Group = 12.12.12.1, IP = 12.12.12.1, Removing peer from correlator table failed, no match!
Nov 30 02:36:48 [IKEv1]: Group = 12.12.12.1, IP = 12.12.12.1, QM FSM error (P2 struct &0xd8acc308, mess id 0xf380809f)!
Nov 30 02:36:48 [IKEv1]: Group = 12.12.12.1, IP = 12.12.12.1, Removing peer from correlator table failed, no match!

0
Comment
Question by:tech2010
4 Comments
 
LVL 29

Expert Comment

by:Jan Springer
ID: 36911623
You need to nonat between 192.168.2.0 and 192.168.3.0.

It also wouldn't hurt to recreate the key at both ends with something simple (letters and numbers to test) to verify that any unusual characters in the key are not causing the problem.  It shouldn't be an issue with v8 but I have had that problem with v7.
0
 

Author Comment

by:tech2010
ID: 36916408
Thanks for your response : do i need no nat when i am using static and actually ip addresses are overlapping.
After adding that command its still not jumping to phase II.

nat (inside) 0 access-list new
static (inside,outside) 192.168.2.0  access-list policy-nat

ciscoasa# shNov 30 22:22:54 [IKEv1]: Group = 12.12.12.1, IP = 12.12.12.1, QM FSM error (P2 struct &0xd8acd328, mess id 0xbc808a64)!
Nov 30 22:22:54 [IKEv1]: Group = 12.12.12.1, IP = 12.12.12.1, Removing peer from correlator table failed, no match!
Nov 30 22:23:19 [IKEv1]: Group = 12.12.12.1, IP = 12.12.12.1, QM FSM error (P2 struct &0xd88ef720, mess id 0xa88819d3)!
Nov 30 22:23:19 [IKEv1]: Group = 12.12.12.1, IP = 12.12.12.1, Removing peer from correlator table failed, no match!

*Mar  1 22:22:16.082: ISAKMP: Locking peer struct 0x67BDE634, refcount 1 for isakmp_initiator
*Mar  1 22:22:16.086: ISAKMP: local port 500, remote port 500
*Mar  1 22:22:16.086: ISAKMP: set new node 0 to QM_IDLE
*Mar  1 22:22:16.090: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 67707D24
*Mar  1 22:22:16.094: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Mar  1 22:22:16.094: ISAKMP:(0):found peer pre-shared key matching 21.21.21.1
*Mar  1 22:22:16.094: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Mar  1 22:22:16.094: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Mar  1 22:22:16.094: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Mar  1 22:22:16.094: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Ma
R1#
R1#
R1#
R1#r  1 22:22:16.094: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Mar  1 22:22:16.094: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1

*Mar  1 22:22:16.094: ISAKMP:(0): beginning Main Mode exchange
*Mar  1 22:22:16.094: ISAKMP:(0): sending packet to 21.21.21.1 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar  1 22:22:16.094: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Mar  1 22:22:16.158: ISAKMP (0:0): received packet from 21.21.21.1 dport 500 sport 500 Global (I) MM_NO_STATE
*Mar  1 22:22:16.166: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar  1 22:22:16.166: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2

*Mar  1 22:22:16.170: ISAKMP:(0): processing SA payload. message ID = 0
*Mar  1 22:22:16.170: ISAKMP:(0): processing vendor id payload
*Mar  1 22:22:16.170: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Mar  1 22:22:16.170: ISAKMP:(0): vendor ID is NAT-T v2
*Mar  1 22:22:16.170: ISAKMP:(0): processing vendor id payload
*Mar  1 22:22:16.170: ISAKMP:(0): processing IKE frag vendor id payload
*Mar  1 22:22:16.170: ISAKMP:(0):Support for IKE Fragmentation not enabled
*Mar  1 22:22:16.170: ISAKMP:(0):found peer pre-shared key matching 21.21.21.1
*Mar  1 22:22:16.170: ISAKMP:(0): local preshared key found
*Mar  1 22:22:16.170: ISAKMP : Scanning profiles for xauth ...
*Mar  1 22:22:16.170: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Mar  1 22:22:16.170: ISAKMP:      encryption DES-CBC
*Mar  1 22:22:16.170: ISAKMP:      hash MD5
*Mar  1 22:22:16.170: ISAKMP:      default group 2
*Mar  1 22:22:16.170: ISAKMP:      auth pre-share
*Mar  1 22:22:16.170: ISAKMP:      life type in seconds
*Mar  1 22:22:16.170: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
*Mar  1 22:22:16.170: ISAKMP:(0):atts are acceptable. Next payload is 0
*Mar  1 22:22:16.170: ISAKMP:(0):Acceptable atts:actual life: 0
*Mar  1 22:22:16.170: ISAKMP:(0):Acceptable atts:life: 0
*Mar  1 22:22:16.170: ISAKMP:(0):Fill atts in sa vpi_length:4
*Mar  1 22:22:16.170: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
*Mar  1 22:22:16.170: ISAKMP:(0):Returning Actual lifetime: 86400
*Mar  1 22:22:16.170: ISAKMP:(0)::Started lifetime timer: 86400.

*Mar  1 22:22:16.170: ISAKMP:(0): processing vendor id payload
*Mar  1 22:22:16.170: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Mar  1 22:22:16.170: ISAKMP:(0): vendor ID is NAT-T v2
*Mar  1 22:22:16.170: ISAKMP:(0): processing vendor id payload
*Mar  1 22:22:16.170: ISAKMP:(0): processing IKE frag vendor id payload
*Mar  1 22:22:16.170: ISAKMP:(0):Support for IKE Fragmentation not enabled
*Mar  1 22:22:16.170: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar  1 22:22:16.170: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2

*Mar  1 22:22:16.170: ISAKMP:(0): sending packet to 21.21.21.1 my_port 500 peer_port 500 (I) MM_SA_SETUP
*Mar  1 22:22:16.170: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Mar  1 22:22:16.170: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar  1 22:22:16.170: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3

*Mar  1 22:22:16.370: ISAKMP (0:0): received packet from 21.21.21.1 dport 500 sport 500 Global (I) MM_SA_SETUP
*Mar  1 22:22:16.370: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar  1 22:22:16.370: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4

*Mar  1 22:22:16.370: ISAKMP:(0): processing KE payload. message ID = 0
*Mar  1 22:22:16.370: ISAKMP:(0): processing NONCE payload. message ID = 0
*Mar  1 22:22:16.370: ISAKMP:(0):found peer pre-shared key matching 21.21.21.1
*Mar  1 22:22:16.370: ISAKMP:(1024): processing vendor id payload
*Mar  1 22:22:16.370: ISAKMP:(1024): vendor ID is Unity
*Mar  1 22:22:16.370: ISAKMP:(1024): processing vendor id payload
*Mar  1 22:22:16.370: ISAKMP:(1024): vendor ID seems Unity/DPD but major 200 mismatch
*Mar  1 22:22:16.370: ISAKMP:(1024): vendor ID is XAUTH
*Mar  1 22:22:16.370: ISAKMP:(1024): processing vendor id payload
*Mar  1 22:22:16.370: ISAKMP:(1024): speaking to another IOS box!
*Mar  1 22:22:16.370: ISAKMP:(1024): processing vendor id payload
*Mar  1 22:22:16.370: ISAKMP:(1024):vendor ID seems Unity/DPD but hash mismatch
*Mar  1 22:22:16.370: ISAKMP:received payload type 20
*Mar  1 22:22:16.370: ISAKMP:received payload type 20
*Mar  1 22:22:16.370: ISAKMP:(1024):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar  1 22:22:16.370: ISAKMP:(1024):Old State = IKE_I_MM4  New State = IKE_I_MM4

*Mar  1 22:22:16.370: ISAKMP:(1024):Send initial contact
*Mar  1 22:22:16.370: ISAKMP:(1024):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Mar  1 22:22:16.370: ISAKMP (0:1024): ID payload
        next-payload : 8
        type         : 1
        address      : 12.12.12.1
        protocol     : 17
        port         : 500
        length       : 12
*Mar  1 22:22:16.370: ISAKMP:(1024):Total payload length: 12
*Mar  1 22:22:16.370: ISAKMP:(1024): sending packet to 21.21.21.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Mar  1 22:22:16.370: ISAKMP:(1024):Sending an IKE IPv4 Packet.
*Mar  1 22:22:16.370: ISAKMP:(1024):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar  1 22:22:16.370: ISAKMP:(1024):Old State = IKE_I_MM4  New State = IKE_I_MM5

*Mar  1 22:22:16.514: ISAKMP (0:1024): received packet from 21.21.21.1 dport 500 sport 500 Global (I) MM_KEY_EXCH
*Mar  1 22:22:16.514: ISAKMP:(1024): processing ID payload. message ID = 0
*Mar  1 22:22:16.514: ISAKMP (0:1024): ID payload
        next-payload : 8
        type         : 1
        address      : 21.21.21.1
        protocol     : 17
        port         : 0
        length       : 12
*Mar  1 22:22:16.514: ISAKMP:(0):: peer matches *none* of the profiles
*Mar  1 22:22:16.514: ISAKMP:(1024): processing HASH payload. message ID = 0
*Mar  1 22:22:16.514: ISAKMP:received payload type 17
*Mar  1 22:22:16.514: ISAKMP:(1024): processing vendor id payload
*Mar  1 22:22:16.514: ISAKMP:(1024): vendor ID is DPD
*Mar  1 22:22:16.514: ISAKMP:(1024):SA authentication status:
        authenticated
*Mar  1 22:22:16.514: ISAKMP:(1024):SA has been authenticated with 21.21.21.1
*Mar  1 22:22:16.514: ISAKMP: Trying to insert a peer 12.12.12.1/21.21.21.1/500/,  and inserted successfully 67BDE634.
*Mar  1 22:22:16.514: ISAKMP:(1024):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar  1 22:22:16.514: ISAKMP:(1024):Old State = IKE_I_MM5  New State = IKE_I_MM6

*Mar  1 22:22:16.514: ISAKMP:(1024):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar  1 22:22:16.514: ISAKMP:(1024):Old State = IKE_I_MM6  New State = IKE_I_MM6

*Mar  1 22:22:16.514: ISAKMP:(1024):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar  1 22:22:16.514: ISAKMP:(1024):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE

*Mar  1 22:22:16.514: ISAKMP:(1024):beginning Quick Mode exchange, M-ID of -1467475501
*Mar  1 22:22:16.514: ISAKMP:(1024):QM Initiator gets spi
*Mar  1 22:22:16.514: ISAKMP:(1024): sending packet to 21.21.21.1 my_port 500 peer_port 500 (I) QM_IDLE
*Mar  1 22:22:16.514: ISAKMP:(1024):Sending an IKE IPv4 Packet.
*Mar  1 22:22:16.514: ISAKMP:(1024):Node -1467475501, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Mar  1 22:22:16.514: ISAKMP:(1024):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
*Mar  1 22:22:16.514: ISAKMP:(1024):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Mar  1 22:22:16.514: ISAKMP:(1024):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

*Mar  1 22:22:16.674: ISAKMP (0:1024): received packet from 21.21.21.1 dport 500 sport 500 Global (I) QM_IDLE
*Mar  1 22:22:16.674: ISAKMP: set new node 4648004 to QM_IDLE
*Mar  1 22:22:16.674: ISAKMP:(1024): processing HASH payload. message ID = 4648004
*Mar  1 22:22:16.674: ISAKMP:(1024): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
        spi 0, message ID = 4648004, sa = 67707D24
*Mar  1 22:22:16.674: ISAKMP:(1024):deleting node 4648004 error FALSE reason "Informational (in) state 1"
*Mar  1 22:22:16.674: ISAKMP:(1024):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Mar  1 22:22:16.674: ISAKMP:(1024):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

*Mar  1 22:22:16.762: ISAKMP (0:1024): received packet from 21.21.21.1 dport 500 sport 500 Global (I) QM_IDLE
*Mar  1 22:22:16.766: ISAKMP: set new node -1262945668 to QM_IDLE
*Mar  1 22:22:16.766: ISAKMP:(1024): processing HASH payload. message ID = -1262945668
*Mar  1 22:22:16.766: ISAKMP:(1024): processing DELETE payload. message ID = -1262945668
*Mar  1 22:22:16.766: ISAKMP:(1024):peer does not do paranoid keepalives.

*Mar  1 22:22:16.766: ISAKMP:(1024):deleting SA reason "No reason" state (I) QM_IDLE       (peer 21.21.21.1)
*Mar  1 22:22:16.766: ISAKMP:(1024):deleting node -1262945668 error FALSE reason "Informational (in) state 1"
*Mar  1 22:22:16.766: ISAKMP: set new node -1995485776 to QM_IDLE
*Mar  1 22:22:16.766: ISAKMP:(1024): sending packet to 21.21.21.1 my_port 500 peer_port 500 (I) QM_IDLE
*Mar  1 22:22:16.766: ISAKMP:(1024):Sending an IKE IPv4 Packet.
*Mar  1 22:22:16.766: ISAKMP:(1024):purging node -1995485776
*Mar  1 22:22:16.766: ISAKMP:(1024):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Mar  1 22:22:16.766: ISAKMP:(1024):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA

*Mar  1 22:22:16.766: ISAKMP:(1024):deleting SA reason "No reason" state (I) QM_IDLE       (peer 21.21.21.1)
*Mar  1 22:22:16.766: ISAKMP:(0):Can't decrement IKE Call Admission Control stat outgoing_active since it's already 0.
*Mar  1 22:22:16.766: ISAKMP: Unlocking peer struct 0x67BDE634 for isadb_mark_sa_deleted(), count 0
*Mar  1 22:22:16.766: ISAKMP: Deleting peer node by peer_reap for 21.21.21.1: 67BDE634
*Mar  1 22:22:16.766: ISAKMP:(1024):deleting node -1467475501 error FALSE reason "IKE deleted"
*Mar  1 22:22:16.766: ISAKMP:(1024):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar  1 22:22:16.766: ISAKMP:(1024):Old State = IKE_DEST_SA  New State = IKE_DEST_SA

*Mar  1 22:22:36.690: ISAKMP:(1023):purging node 2024059111
*Mar  1 22:22:36.770: ISAKMP:(1023):purging node 810283079
*Mar  1 22:22:36.774: ISAKMP:(1023):purging node -1132426652
*Mar  1 22:22:46.770: ISAKMP:(1023):purging SA., sa=67708AA8, delme=67708AA8
*Mar  1 22:23:06.674: ISAKMP:(1024):purging node 4648004
*Mar  1 22:23:06.766: ISAKMP:(1024):purging node -1262945668
*Mar  1 22:23:06.770: ISAKMP:(1024):purging node -1467475501
*Mar  1 22:23:16.766: ISAKMP:(1024):purging SA., sa=67707D24, delme=67707D24
0
 
LVL 14

Accepted Solution

by:
anoopkmr earned 2000 total points
ID: 36916719

 your old config seems to be fine ... one thing I can see is  un loop back 0 Ip nat inside is missing ... its a type error or what ?

also try enable nat-control in ASA.
0
 

Expert Comment

by:V0LUME
ID: 40083513
I am experiencing a similar issue. I'm not that experienced with configuring ASAs. I have worked more with IOS devices. How do I configure this NONAT so I can establish my phase 2?
0

Featured Post

Who's Defending Your Organization from Threats?

Protecting against advanced threats requires an IT dream team – a well-oiled machine of people and solutions working together to defend your organization. Download our resource kit today to learn more about the tools you need to build you IT Dream Team!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Concerto Cloud Services, a provider of fully managed private, public and hybrid cloud solutions, announced today it was named to the 20 Coolest Cloud Infrastructure Vendors Of The 2017 Cloud  (http://www.concertocloud.com/about/in-the-news/2017/02/0…
You deserve ‘straight talk’ from your cloud provider about your risk, your costs, security, uptime and the processes that are in place to protect your mission-critical applications.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Suggested Courses
Course of the Month10 days, 23 hours left to enroll

571 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question