Asked by Sam P (United States of America)
ASA 5545-X and ASA 5520 FW VPN tunnel issue

Before upgrading the ASA 5520 from 8.4.6 to version 9.1(7), the VPN tunnel between both FWs was working fine.
Now I am getting a few logs on the ASA 5520 about IPsec.

On the ASA 5545-X FW, output of the command show isakmp sa:
36  IKE Peer: XXX-EXT
    Type    : user            Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG2

Logs from ASA 5520:

Feb 21 2016 04:06:01: %ASA-7-713906: IKE Receiver: Packet received on XX.XX.XX.8:500 from XX.XX.XX.8:500
Feb 21 2016 04:06:01: %ASA-7-713236: IP = XX.XX.XX.8, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 244
Feb 21 2016 04:06:01: %ASA-7-715047: IP = XX.XX.XX.8, processing SA payload
Feb 21 2016 04:06:01: %ASA-7-713906: IKE Proposals rejected, no responder proposals configured!
Feb 21 2016 04:06:01: %ASA-7-713906: IKE Proposals rejected, no responder proposals configured!
Feb 21 2016 04:06:01: %ASA-7-713906: IKE Proposals rejected, no responder proposals configured!
Feb 21 2016 04:06:01: %ASA-7-713236: IP = XX.XX.XX.8, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 172
Feb 21 2016 04:06:01: %ASA-7-713906: IP = XX.XX.XX.8, All SA proposals found unacceptable
Feb 21 2016 04:06:01: %ASA-3-713048: IP = XX.XX.XX.8, Error processing payload: Payload ID: 1
Feb 21 2016 04:06:01: %ASA-7-715065: IP = XX.XX.XX.8, IKE MM Responder FSM error history (struct &0x760828c8)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_START, EV_RCV_MSG-->MM_START, EV_START_MM-->MM_START, EV_START_MM-->MM_START, EV_START_MM-->MM_START, EV_START_MM-->MM_START, EV_START_MM-->MM_START, EV_START_MM
Feb 21 2016 04:06:01: %ASA-7-713906: IP = XX.XX.XX.8, IKE SA MM:b8ca90dc terminating:  flags 0x01000002, refcnt 0, tuncnt 0
Feb 21 2016 04:06:01: %ASA-7-713906: IP = XX.XX.XX.8, sending delete/delete with reason message
Feb 21 2016 04:06:04: %ASA-5-752004: Tunnel Manager dispatching a KEY_ACQUIRE message to IKEv1.  Map Tag = outside_map.  Map Sequence Number = 10.
Feb 21 2016 04:06:04: %ASA-7-715077: Pitcher: received a key acquire message, spi 0x0
Feb 21 2016 04:06:04: %ASA-6-713905: There is no valid IKE proposal available, check IPSec SA configuration!
Feb 21 2016 04:06:04: %ASA-4-752012: IKEv1 was unsuccessful at setting up a tunnel.  Map Tag = outside_map.  Map Sequence Number = 10.
Feb 21 2016 04:06:04: %ASA-3-752015: Tunnel Manager has failed to establish an L2L SA.  All configured IKE versions failed to establish the tunnel. Map Tag= outside_map.  Map Sequence Number = 10.
Feb 21 2016 04:06:04: %ASA-7-752002: Tunnel Manager Removed entry.  Map Tag = outside_map.  Map Sequence Number = 10.

Pete Long (United Kingdom) replied:

>>Feb 21 2016 04:06:01: %ASA-7-713906: IKE Proposals rejected, no responder proposals configured!

Your phase one policies don't match, or one side is configured for IKEv1 and the other for IKEv2.
Sam P (asker):

On both sides we have IKEv1 and the configuration is good.
Accepted solution by William Murray (United States of America); the solution text is not available on this page.
Sam P (asker):

Both sides have the same config.

From the 5520 side:
access-list outside_cryptomap_10 remark TO-XX
access-list outside_cryptomap_10 extended permit ip host XX.XX.XX.17 host XX.XX.XX.16 log

crypto ipsec ikev1 transform-set XX esp-aes-256 esp-sha-hmac

crypto map outside_map 10 match address outside_cryptomap_10
crypto map outside_map 10 set peer XX.XX.XX.XX YY.YY.YY.YY
crypto map outside_map 10 set ikev1 transform-set XX
crypto map outside_map 10 set security-association lifetime seconds 28800
crypto map outside_map 10 set security-association lifetime kilobytes 4608000

nat (inside,any) source static any any destination static obj-XX.XX.0 obj-XX.XX.0 no-proxy-arp route-lookup

tunnel-group XX.XX.XX.8 type ipsec-l2l
tunnel-group XX.XX.XX.8 ipsec-attributes
 ikev1 pre-shared-key XXX

From the 5545-X side:

access-list outside_cryptomap_200 remark TO-XX
access-list outside_cryptomap_200 extended permit ip host XX.XX.XX.16 host XX.XX.XX.17 log

nat (inside,outside) source static obj-XX.XX.0 obj-XX.XX.0 destination static obj-XX.XX.0 obj-XX.XX.0

crypto ipsec ikev1 transform-set XX esp-aes-256 esp-sha-hmac

crypto map outside_map 200 match address outside_cryptomap_200
crypto map outside_map 200 set peer XXX-EXT
crypto map outside_map 200 set ikev1 transform-set XXX
crypto map outside_map 200 set security-association lifetime seconds 28800
crypto map outside_map 200 set security-association lifetime kilobytes 4608000

tunnel-group XX.XX.XX.250 type ipsec-l2l
tunnel-group XX.XX.XX.250 ipsec-attributes
 ikev1 pre-shared-key XXX
Sam P (asker):

Absolutely correct sir.
Sam P (asker):

It's working now.
I was missing the timeout command under the policy.
Sam P (asker):

And the lifetime command too.
It's working now.

Thank you gentlemen.
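The thread ends with the asker adding the missing lifetime line under the IKEv1 phase 1 policy. As an added example that is not any poster's configuration, here is a complete phase 1 policy for an ASA 9.x running config, with assumed values (policy number 10, AES-256, SHA-1, DH group 2, 86400-second lifetime) that must be identical on both firewalls, followed by the show commands used to compare the two sides.

```cisco
! Added example, not taken from any post in the thread. Attribute values are
! assumed; whatever you pick, the policy must match on BOTH ASAs, otherwise the
! responder logs "IKE Proposals rejected" and the initiator stays in MM_WAIT_MSG2.
crypto ikev1 enable outside
!
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
!
! Peer identity and PSK for the L2L tunnel (XX.XX.XX.8 is the redacted peer
! from the page; XXX is the redacted pre-shared key)
tunnel-group XX.XX.XX.8 type ipsec-l2l
tunnel-group XX.XX.XX.8 ipsec-attributes
 ikev1 pre-shared-key XXX
!
! Verification, run on each side and compare the output line by line:
!   show run crypto ikev1    (policy numbers may differ, attributes must not)
!   show crypto ikev1 sa     (expect state MM_ACTIVE once phase 1 completes)
!   show crypto ipsec sa     (phase 2 counters once the transform-sets match)
```

If show run crypto ikev1 prints no policy at all on the responder, or the interface line is missing, that alone produces the "no responder proposals configured" message seen in the logs above.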