ASA 5545-X and ASA 5520 FW VPN tunnel issue

Swapnil Ashokkumar Patel asked on Ask the Experts™:
Before upgrading the ASA 5520 from 8.4.6 to version 9.1(7), the VPN tunnel between both firewalls was working fine.
Now I am getting a few logs on the ASA 5520 about IPsec.

On the ASA 5545-X FW,
Command: show isakmp sa
36  IKE Peer: XXX-EXT
    Type    : user            Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG2

Logs from ASA 5520:

Feb 21 2016 04:06:01: %ASA-7-713906: IKE Receiver: Packet received on XX.XX.XX.8:500 from XX.XX.XX.8:500
Feb 21 2016 04:06:01: %ASA-7-713236: IP = XX.XX.XX.8, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 244
Feb 21 2016 04:06:01: %ASA-7-715047: IP = XX.XX.XX.8, processing SA payload
Feb 21 2016 04:06:01: %ASA-7-713906: IKE Proposals rejected, no responder proposals configured!
Feb 21 2016 04:06:01: %ASA-7-713906: IKE Proposals rejected, no responder proposals configured!
Feb 21 2016 04:06:01: %ASA-7-713906: IKE Proposals rejected, no responder proposals configured!
Feb 21 2016 04:06:01: %ASA-7-713236: IP = XX.XX.XX.8, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 172
Feb 21 2016 04:06:01: %ASA-7-713906: IP = XX.XX.XX.8, All SA proposals found unacceptable
Feb 21 2016 04:06:01: %ASA-3-713048: IP = XX.XX.XX.8, Error processing payload: Payload ID: 1
Feb 21 2016 04:06:01: %ASA-7-715065: IP = XX.XX.XX.8, IKE MM Responder FSM error history (struct &0x760828c8)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_START, EV_RCV_MSG-->MM_START, EV_START_MM-->MM_START, EV_START_MM-->MM_START, EV_START_MM-->MM_START, EV_START_MM-->MM_START, EV_START_MM-->MM_START, EV_START_MM
Feb 21 2016 04:06:01: %ASA-7-713906: IP = XX.XX.XX.8, IKE SA MM:b8ca90dc terminating:  flags 0x01000002, refcnt 0, tuncnt 0
Feb 21 2016 04:06:01: %ASA-7-713906: IP = XX.XX.XX.8, sending delete/delete with reason message
Feb 21 2016 04:06:04: %ASA-5-752004: Tunnel Manager dispatching a KEY_ACQUIRE message to IKEv1.  Map Tag = outside_map.  Map Sequence Number = 10.
Feb 21 2016 04:06:04: %ASA-7-715077: Pitcher: received a key acquire message, spi 0x0
Feb 21 2016 04:06:04: %ASA-6-713905: There is no valid IKE proposal available, check IPSec SA configuration!
Feb 21 2016 04:06:04: %ASA-4-752012: IKEv1 was unsuccessful at setting up a tunnel.  Map Tag = outside_map.  Map Sequence Number = 10.
Feb 21 2016 04:06:04: %ASA-3-752015: Tunnel Manager has failed to establish an L2L SA.  All configured IKE versions failed to establish the tunnel. Map Tag= outside_map.  Map Sequence Number = 10.
Feb 21 2016 04:06:04: %ASA-7-752002: Tunnel Manager Removed entry.  Map Tag = outside_map.  Map Sequence Number = 10.
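The syslog lines above already contain the diagnosis; the difficulty is picking it out of a debug-level stream. The following Python script is an added example (not from the poster or from Cisco) that parses a constructed subset of those ASA lines, extracts severity, message ID, peer address and crypto map, and reduces the burst to one finding: the responder rejected every IKEv1 phase 1 proposal. The message-ID and text fragments it keys on are the ones visible in the post; anything else (field names, the assumption that the peer address always follows "IP = ") is this example's own.

```python
import re
from collections import Counter

# Constructed sample: a subset of the ASA 5520 syslog lines from the question,
# with the peer address masked as it was in the post.
SAMPLE_LOG = """\
Feb 21 2016 04:06:01: %ASA-7-713906: IKE Receiver: Packet received on XX.XX.XX.8:500 from XX.XX.XX.8:500
Feb 21 2016 04:06:01: %ASA-7-715047: IP = XX.XX.XX.8, processing SA payload
Feb 21 2016 04:06:01: %ASA-7-713906: IKE Proposals rejected, no responder proposals configured!
Feb 21 2016 04:06:01: %ASA-7-713906: IP = XX.XX.XX.8, All SA proposals found unacceptable
Feb 21 2016 04:06:01: %ASA-3-713048: IP = XX.XX.XX.8, Error processing payload: Payload ID: 1
Feb 21 2016 04:06:04: %ASA-6-713905: There is no valid IKE proposal available, check IPSec SA configuration!
Feb 21 2016 04:06:04: %ASA-4-752012: IKEv1 was unsuccessful at setting up a tunnel.  Map Tag = outside_map.  Map Sequence Number = 10.
Feb 21 2016 04:06:04: %ASA-3-752015: Tunnel Manager has failed to establish an L2L SA.  All configured IKE versions failed to establish the tunnel. Map Tag= outside_map.  Map Sequence Number = 10.
"""

# ASA syslog layout: "<timestamp>: %ASA-<severity>-<msgid>: <text>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}): "
    r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<text>.*)$")
# Assumption: the IKE peer is always reported as "IP = <addr>," in the text.
PEER_RE = re.compile(r"IP = (?P<peer>[^,]+),")
MAP_RE = re.compile(r"Map Tag\s*=\s*(?P<map>[^.\s]+)\.\s+Map Sequence Number = (?P<seq>\d+)")

# Text fragments (from the post) that identify a phase 1 proposal rejection on the responder.
PHASE1_MISMATCH = ("no responder proposals configured", "All SA proposals found unacceptable")

def parse_line(line):
    """Split one ASA syslog line into timestamp, severity, message id, text and peer."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = {"ts": m["ts"], "severity": int(m["sev"]), "msgid": m["msgid"], "text": m["text"]}
    p = PEER_RE.search(ev["text"])
    ev["peer"] = p["peer"] if p else None
    return ev

def summarize(log_text):
    """Aggregate the IKE negotiation events of a log burst into a single finding."""
    events = [ev for ev in map(parse_line, log_text.splitlines()) if ev]
    severity_counts = Counter(ev["severity"] for ev in events)
    peers = {ev["peer"] for ev in events if ev["peer"]}
    crypto_maps = set()
    for ev in events:
        mm = MAP_RE.search(ev["text"])
        if mm:
            crypto_maps.add((mm["map"], int(mm["seq"])))
    phase1_mismatch = any(any(f in ev["text"] for f in PHASE1_MISMATCH) for ev in events)
    # 752015 is the Tunnel Manager's final "all IKE versions failed" verdict.
    tunnel_failed = any(ev["msgid"] == "752015" for ev in events)
    return {"events": events, "severity_counts": severity_counts, "peers": peers,
            "crypto_maps": crypto_maps, "phase1_policy_mismatch": phase1_mismatch,
            "tunnel_failed": tunnel_failed}

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"{len(s['events'])} events, peers={s['peers']}, maps={s['crypto_maps']}")
    if s["phase1_policy_mismatch"]:
        print("IKEv1 phase 1 proposal rejected: compare 'crypto ikev1 policy' on both peers")
```

Run it against a saved `show logging` or a syslog export; a `phase1_policy_mismatch` result points at the ISAKMP policies rather than at the transform set or the crypto ACL, which is where the thread ends up as well.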
Pete Long, Technical Consultant

Commented:
>>Feb 21 2016 04:06:01: %ASA-7-713906: IKE Proposals rejected, no responder proposals configured!

Your phase one policies don't match, or one side's configured for IKE1 and the other IKE2.
Swapnil Ashokkumar Patel, Network Infrastructure Engineer

Author

Commented:
On both sides we have ike1 and the configuration is good.
Network Engineer
Commented:
It is saying that it can't find a match for the crypto policy.

Like this

crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
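Checking the policy shown above by eye on two boxes is how mismatches slip through, especially when one side relies on defaults for lines it never configured (which is what the thread later finds). The script below is an added example, not the poster's or Cisco's code: it parses every `crypto ikev1 policy` block out of two saved configs, fills in absent attributes with defaults, and reports which policy pairs would agree in phase 1 or, failing that, the closest pair and the attribute that breaks it. The default values in `DEFAULTS` and the treatment of `lifetime` as negotiated down rather than rejected are assumptions of this example; the sample configs are constructed.

```python
import re

# Assumption (not stated on the page): values an ASA applies when a line is
# absent from an ikev1 policy block. Adjust if your platform's defaults differ.
DEFAULTS = {"authentication": "pre-share", "encryption": "3des",
            "hash": "sha", "group": "2", "lifetime": "86400"}
# Attributes the responder must match exactly. Lifetime is treated here as
# negotiated down to the shorter value rather than as a rejection (assumption).
NEGOTIATED = ("authentication", "encryption", "hash", "group")
HEADER = re.compile(r"^crypto ikev1 policy (\d+)\s*$")

def parse_ikev1_policies(config):
    """Return {sequence: attrs} for every 'crypto ikev1 policy' block in a config."""
    policies, current = {}, None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        m = HEADER.match(raw)
        if m:
            current = int(m.group(1))
            policies[current] = dict(DEFAULTS)
            continue
        if not raw.startswith(" "):
            current = None          # an unindented line ends the policy block
            continue
        if current is None:
            continue
        parts = raw.split()
        if len(parts) == 2 and parts[0] in DEFAULTS:
            policies[current][parts[0]] = parts[1]
    return policies

def find_matches(local, remote):
    """Pairs (local_seq, remote_seq, lifetime) that would agree in phase 1."""
    matches = []
    for lseq, lp in sorted(local.items()):
        for rseq, rp in sorted(remote.items()):
            if all(lp[a] == rp[a] for a in NEGOTIATED):
                matches.append((lseq, rseq, min(int(lp["lifetime"]), int(rp["lifetime"]))))
    return matches

def closest_mismatch(local, remote):
    """The pair with the fewest differing attributes, plus the (attr, local, remote) diffs."""
    best = None
    for lseq, lp in sorted(local.items()):
        for rseq, rp in sorted(remote.items()):
            diff = [(a, lp[a], rp[a]) for a in NEGOTIATED if lp[a] != rp[a]]
            if best is None or len(diff) < len(best[2]):
                best = (lseq, rseq, diff)
    return best

# Constructed sample configs, not the poster's actual policies.
LOCAL_CFG = """\
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 enable outside
"""
# Peer that omitted 'lifetime' and so inherits the default.
REMOTE_OK = """\
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
"""
# Peer whose only difference is the DH group.
REMOTE_BAD = """\
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 5
 lifetime 28800
"""

if __name__ == "__main__":
    local = parse_ikev1_policies(LOCAL_CFG)
    for name, cfg in (("REMOTE_OK", REMOTE_OK), ("REMOTE_BAD", REMOTE_BAD)):
        remote = parse_ikev1_policies(cfg)
        m = find_matches(local, remote)
        print(name, "matches:", m if m else closest_mismatch(local, remote))
```

Feed it the `show running-config crypto` output of both peers; an empty match list with a one-attribute `closest_mismatch` is the usual shape of the "no responder proposals configured" failure seen in the question.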

Swapnil Ashokkumar Patel, Network Infrastructure Engineer

Author

Commented:
Both sides have the same config.

From the 5520 side:
access-list outside_cryptomap_10 remark TO-XX
access-list outside_cryptomap_10 extended permit ip host XX.XX.XX.17 host XX.XX.XX.16 log

crypto ipsec ikev1 transform-set XX esp-aes-256 esp-sha-hmac

crypto map outside_map 10 match address outside_cryptomap_10
crypto map outside_map 10 set peer XX.XX.XX.XX YY.YY.YY.YY
crypto map outside_map 10 set ikev1 transform-set XX
crypto map outside_map 10 set security-association lifetime seconds 28800
crypto map outside_map 10 set security-association lifetime kilobytes 4608000

nat (inside,any) source static any any destination static obj-XX.XX.0 obj-XX.XX.0 no-proxy-arp route-lookup

tunnel-group XX.XX.XX.8 type ipsec-l2l
tunnel-group XX.XX.XX.8 ipsec-attributes
 ikev1 pre-shared-key XXX

From the 5545-X side:

access-list outside_cryptomap_200 remark TO-XX
access-list outside_cryptomap_200 extended permit ip host XX.XX.XX.16 host XX.XX.XX.17 log

nat (inside,outside) source static obj-XX.XX.0 obj-XX.XX.0 destination static obj-XX.XX.0 obj-XX.XX.0

crypto ipsec ikev1 transform-set XX esp-aes-256 esp-sha-hmac

crypto map outside_map 200 match address outside_cryptomap_200
crypto map outside_map 200 set peer XXX-EXT
crypto map outside_map 200 set ikev1 transform-set XXX
crypto map outside_map 200 set security-association lifetime seconds 28800
crypto map outside_map 200 set security-association lifetime kilobytes 4608000

tunnel-group XX.XX.XX.250 type ipsec-l2l
tunnel-group XX.XX.XX.250 ipsec-attributes
 ikev1 pre-shared-key XXX
Swapnil Ashokkumar Patel, Network Infrastructure Engineer

Author

Commented:
Absolutely correct sir.
Swapnil Ashokkumar Patel, Network Infrastructure Engineer

Author

Commented:
It's working now.
I was missing the timeout command under the policy.
Swapnil Ashokkumar Patel, Network Infrastructure Engineer

Author

Commented:
And the lifetime command too.
It's working now.

Thank you gentlemen.
