Cisco 5505 Configuration - IKEv1 was unsuccessful at setting up a tunnel

I am a new employee at a company and was asked to configure a Cisco ASA 5505. This is my first time doing this, and I was told to copy the running configuration from a currently working ASA and modify it on this ASA.

Both ASAs have the same firmware - 8.4.3.
I ran crypto key generate rsa (don't know if this is relevant, as I am learning how all the protocols are involved in VPN communication).

I copied the running configuration and thought I had modified it correctly, but when the ASA startup configuration was reloaded the logging loops with the following:

%ASA-4-713157: IP = <I removed this as not sure if this is a security risk>, Timed out on initial contact to server [ XXX Deleted ]  Tunnel could not be established.
%ASA-4-752012: I.  Map Tag = _vpnc_cm.  Map Sequence Number = 10.
%ASA-3-752015: Tunnel Manager has failed to establish an L2L SA.  All configured IKE versions failed to establish the tunnel. Map Tag= _vpnc_cm.  Map Sequence Number = 10.
%ASA-5-111008: User 'Easy VPN Dynamic Configurator' executed the 'clear configure tunnel-group' command.
%ASA-5-111010: User 'Easy VPN Dynamic Configurator', running 'N/A' from IP 0.0.0.0, executed 'clear configure tunnel-group'
%ASA-5-111008: User 'Easy VPN Dynamic Configurator' executed the 'clear configure crypto map _vpnc_cm' command.
%ASA-5-111010: User 'Easy VPN Dynamic Configurator', running 'N/A' from IP 0.0.0.0, executed 'clear configure crypto map _vpnc_cm'
%ASA-5-752004: Tunnel Manager dispatching a KEY_ACQUIRE message to IKEv1.  Map Tag = _vpnc_cm.  Map Sequence Number = 10.
%ASA-4-752010: IKEv2 Doesn't have a proposal specified

Not sure if relevant, but I added a VPN Client User to the domain account. I don't think this matters, as I believe this issue relates to the ASA not being able to get a tunnel established.

Additional Information which may be helpful:
show crypto ikev1 sa

1   IKE Peer: <I removed this IP>
    Type    : user            Role    : initiator
    Rekey   : no              State   : AM_WAIT_MSG2

Lastly, when I was googling I saw a comment stating "appears you have not applied the crypto map to the interfaces", but I don't know which interface I should apply it to, as I don't want to cause more issues. Thanks for any help, and let me know what logs could help.
Tim OBrien, Systems Engineer, asked:
nickoarg commented:
You need to apply the crypto map on the outside interface, the one "closer" to the other ASA.
nickoarg commented:
Still, you need to specify the IKE keys. Can you paste the sanitized configuration?
Tim OBrien, Systems Engineer (author), commented:
I apologize in advance for not understanding the ASA VPN as well as I should; I have a certification test I am taking this week, so I have been studying for that. I will focus more on the technical aspects of how the ASA works and VPN functionality when I finish and hopefully pass my VCP cert. Anyway, this is what I can provide you....

I ran crypto key generate rsa.
Reading the configuration document from the employee who left, I should have been prompted to enter 2048, but this never happened. I assume this is when the IKE keys get generated?
When troubleshooting I ran the command crypto key generate rsa modulus 2048 and generated the keys, but this didn't solve the issue.

Don't know if this will help, but I get this as well when I plug the ASA into a Comcast modem:

Aug 08 15:44:28 [IKEv1]IP = x.x.x.x, ISAKMP: VPNC anti-DoS, drop unsolicited request from x.x.x.x
Aug 08 15:44:28 [IKEv1]IP = x.x.x.x, ISAKMP: VPNC anti-DoS, drop unsolicited request from x.x.x.x
Aug 08 15:44:28 [IKEv1]IP = x.x.x.x, Invalid packet detected!
Aug 08 15:44:29 [IKEv1]IP = x.x.x.x, ISAKMP: VPNC anti-DoS, drop unsolicite
Aug 08 15:44:29 [IKEv1]IP = x.x.x.x, ISAKMP: VPNC anti-DoS, drop unsolicite
Aug 08 15:44:29 [IKEv1]IP = x.x.x.x, Invalid packet detected!

The running configuration of the ASA is as follows:

ASA Version 8.4(3)
!
hostname asa-va
domain-name domainame.com
enable password 8IUpdK56RC3IBrk2 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 3
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.191.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Vlan3
 no forward interface Vlan1
 nameif guest
 security-level 50
 ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
clock timezone EST -5
clock summer-time EST recurring
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 8.8.8.8
 name-server 8.8.4.4
 domain-name domainname.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_inside
 subnet 192.168.191.0 255.255.255.0
object network obj_guest
 subnet 192.168.1.0 255.255.255.0
access-list snmp extended permit udp any any eq snmp
access-list global_access extended deny ip object obj_inside object obj_guest
access-list global_access extended permit ip object obj_inside any
access-list global_access extended deny ip object obj_guest object obj_inside
access-list global_access extended permit ip object obj_guest any
access-list global_access extended deny ip any any
access-list TCP extended permit tcp any any
!
tcp-map tmap
  tcp-options range 76 78 allow
!
pager lines 24
logging enable
logging console notifications
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu guest 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-647.bin
no asdm history enable
arp timeout 14400
!
object network obj_inside
 nat (inside,outside) dynamic interface
object network obj_guest
 nat (guest,outside) dynamic interface
access-group global_access global
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server Radius protocol radius
aaa-server Radius (inside) host x.x.x.x
 key *****
 radius-common-pw *****
user-identity default-domain LOCAL
aaa authentication http console Radius LOCAL
aaa authentication ssh console Radius LOCAL
http server enable
http 192.168.0.0 255.255.0.0 inside
http 10.0.0.0 255.0.0.0 inside
snmp-server host inside 10.0.x.x community ***** version 2c
snmp-server host inside 10.0.x.x community ***** version 2c
snmp-server host inside 10.0.x.x community ***** version 2c
snmp-server host inside 10.0.x.x community ***** version 2c
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto isakmp identity hostname
crypto ikev1 policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 10.0.0.0 255.0.0.0 inside
ssh 192.168.0.0 255.255.0.0 inside
ssh timeout 5
console timeout 0
management-access inside
vpnclient server vpn3.domain.com vpn4.domain.com
vpnclient mode network-extension-mode
vpnclient nem-st-autoconnect
vpnclient vpngroup VPN800SplitTunnel password *****
vpnclient username va-test password *****
vpnclient management tunnel 10.0.0.0 255.0.0.0 192.168.0.0 255.255.0.0
vpnclient enable
dhcpd auto_config outside
!
dhcpd address 192.168.191.100-192.168.191.199 inside
dhcpd dns x.x.x.x x.x.x.x interface inside
dhcpd domain domainname.com interface inside
dhcpd enable inside
!
dhcpd address 192.168.1.20-192.168.1.240 guest
dhcpd dns 8.8.8.8 8.8.4.4 interface guest
dhcpd enable guest
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server x.x.x.x
ntp server x.x.x.x
webvpn
username xxxx password QM5r3k9yGlewJRxf encrypted
!
class-map cmap
 match access-list TCP
class-map voice-signaling
 match dscp af41
class-map inspection_default
 match default-inspection-traffic
class-map voice-traffic
 match dscp ef
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map pmap
 class cmap
  set connection advanced-options tmap
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect icmp error
 class cmap
  set connection advanced-options tmap
policy-map llq-policy
 class voice-traffic
  priority
 class voice-signaling
  priority
policy-map type inspect h323 H323_Low
 parameters
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:f09958d1676f77da9568bd150908b099
: end

nickoarg commented:
I'll look into the configuration in a while. I believe that you have an IKEv1 key and you are trying to use an IKEv2 configuration. Please check that, and I'll read the conf later.
Tim OBrien, Systems Engineer (author), commented:
I believe we are using IKEv1, but I'm not 100% sure. Where could I confirm the setting?
Tim OBrien, Systems Engineer (author), commented:
I ran the command show crypto ikev2 sa and got "There are no IKEv2 SAs", so it is safe to assume we are using IKEv1 only.
nickoarg commented:
I was pointing to 2 messages in your log:

%ASA-3-752015: Tunnel Manager has failed to establish an L2L SA.  All configured IKE versions failed to establish the tunnel. Map Tag= _vpnc_cm.  Map Sequence Number = 10.

and

%ASA-4-752010: IKEv2 Doesn't have a proposal specified

This last one might be ignored, since you say that you are not using IKEv2. The first error could be a mistyped key on either side, which is why the key exchange is failing.
Tim OBrien, Systems Engineer (author), commented:
Ok, I turned on debugging and I am getting close... IKEv2 can be ignored; we are using IKEv1 for sure. I am not entering a key in the configuration; I am simply running the crypto key generate rsa command, and I'm not sure how I can screw that up. The key on the other end must be fine, because we have many ASA routers configured, so it definitely must be something on this ASA.

 ...
Aug 11 13:58:59 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, processing hash payload
Aug 11 13:58:59 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, Computing hash for ISAKMP
Aug 11 13:58:59 [IKEv1]Group = x.x.x.x, IP = x.x.x.x, Rxed Hash is incorrect: Pre-shared key or Digital Signature mismatch
Aug 11 13:58:59 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, IKE AM Initiator FSM error history (struct &0xcade9e48)  <state>, <event>:  AM_DONE, EV_ERROR-->AM_WAIT_MSG2, EV_PROB_AUTH_FAIL-->AM_WAIT_MSG2, EV_PROCESS_HASH-->AM_WAIT_MSG2, EV_CHK_AUTH_METHOD-->AM_WAIT_MSG2, EV_SKEYID_OK-->AM_WAIT_MSG2, NullEvent-->AM_WAIT_MSG2, EV_GEN_SKEYID-->AM_WAIT_MSG2, EV_GROUP_LOOKUP
Aug 11 13:58:59 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, IKE SA AM:35dd18ef terminating:  flags 0x0100c021, refcnt 0, tuncnt 0
Aug 11 13:58:59 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, sending delete/delete with reason message
Aug 11 13:58:59 [IKEv1]IP = x.x.x.x, No crypto map bound to interface... dropping pkt

It seems like the crypto map is not bound to the correct interface, but I don't know the crypto map name. I would bind it to the outside interface, but again the name is where I am now stuck. I believe
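An added example, not from the thread or from either participant: a small Python triage helper that classifies the IKEv1 syslog and debug messages quoted above and ranks the most specific probable cause. The signature list and sample lines are constructed from the messages posted in this thread, and the ranking order is an assumption of this example.

```python
import re
from collections import Counter

# Signatures copied from the ASA syslog / "debug crypto ikev1" lines quoted in
# this thread, mapped to the condition each indicates. Most specific root
# cause first; likely_root_cause() uses this order as its ranking (assumption).
IKEV1_SIGNATURES = [
    (r"Rxed Hash is incorrect: Pre-shared\s+key or Digital Signature mismatch", "psk_mismatch",
     "Phase 1 auth failed: pre-shared key / group password differs from the peer"),
    (r"No crypto map bound to interface", "no_crypto_map",
     "No crypto map applied to the interface that received the IKE packet"),
    (r"%ASA-4-713157:.*Timed out on initial contact", "peer_timeout",
     "Peer never answered the first IKE message (reachability, UDP/500 filtering, wrong peer)"),
    (r"%ASA-3-752015:.*All configured IKE versions failed", "all_ike_failed",
     "Tunnel Manager gave up after every configured IKE version failed"),
    (r"VPNC anti-DoS, drop unsolicited request", "unsolicited_isakmp_dropped",
     "Easy VPN client dropped an inbound ISAKMP request it did not initiate"),
    (r"%ASA-4-752010: IKEv2 Doesn't have a proposal specified", "ikev2_no_proposal",
     "Expected noise when only IKEv1 is in use: no IKEv2 proposal configured"),
]

def classify_line(line):
    """Return the finding tag for one log line, or None for an unrecognised line."""
    for pattern, tag, _ in IKEV1_SIGNATURES:
        if re.search(pattern, line):
            return tag
    return None

def triage(lines):
    """Count each known finding across a log excerpt; unrecognised lines are ignored."""
    return Counter(tag for tag in map(classify_line, lines) if tag)

def likely_root_cause(lines):
    """Return (tag, explanation) for the most specific finding present."""
    found = triage(lines)
    for _, tag, explanation in IKEV1_SIGNATURES:
        if tag in found:
            return tag, explanation
    return None, "No known IKEv1 failure signature in this excerpt"

# Constructed sample: sanitised lines modelled on those posted in the thread.
SAMPLE_LOG = [
    "%ASA-4-713157: IP = x.x.x.x, Timed out on initial contact to server [ x.x.x.x ]  Tunnel could not be established.",
    "%ASA-3-752015: Tunnel Manager has failed to establish an L2L SA.  All configured IKE versions failed to establish the tunnel.",
    "%ASA-4-752010: IKEv2 Doesn't have a proposal specified",
    "Aug 11 13:58:59 [IKEv1]Group = x.x.x.x, IP = x.x.x.x, Rxed Hash is incorrect: Pre-shared key or Digital Signature mismatch",
    "Aug 11 13:58:59 [IKEv1]IP = x.x.x.x, No crypto map bound to interface... dropping pkt",
]

if __name__ == "__main__":
    print(dict(triage(SAMPLE_LOG)), likely_root_cause(SAMPLE_LOG))
```

On the sample, the pre-shared key mismatch outranks the crypto-map and timeout messages, which matches the thread's eventual resolution (a wrong password).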
nickoarg commented:
The crypto key generate rsa command is not used for the IKE key; it generates the private key for the ASA.

Just looked at my conf backup:

crypto ikev1 enable outside
crypto ipsec ikev1 transform-set ikev1-set esp-aes esp-sha-hmac
access-list ikev1-list extended permit ip LAN_ORIGIN LAN_MASK DESTINATION_NW DESTINATION_MASK
ikev1 pre-shared-key this_is_a_key
crypto map ikev1-map 1 match address ikev1-list
crypto map ikev1-map 1 set peer REMOTE_SITE_IP
crypto map ikev1-map 1 set ikev1 transform-set ikev1-set
crypto map ikev1-map interface outside


Can you access the CLI?
Tim OBrien, Systems Engineer (author), commented:
I may have figured out the issue. Please hold off on suggestions, as I don't want to waste your time. Update coming shortly. Thanks.
Tim OBrien, Systems Engineer (author), commented:
I indeed messed up the password; the RADIUS server and the passwords required were not added correctly.

The ASA is now up and running with an active VPN connection. Thanks all for helping.