ASA 5545-X and ASA 5520 FW VPN tunnel issue

Before upgrading the ASA 5520 from 8.4.6 to version 9.1(7), the VPN tunnel between both FWs was working fine.
Now I am having a few logs on the ASA 5520 about IPsec.

On the ASA 5545-X FW,
Command: show isakmp sa
36  IKE Peer: XXX-EXT
    Type    : user            Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG2

Logs from ASA 5520:

Feb 21 2016 04:06:01: %ASA-7-713906: IKE Receiver: Packet received on XX.XX.XX.8:500 from XX.XX.XX.8:500
Feb 21 2016 04:06:01: %ASA-7-713236: IP = XX.XX.XX.8, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 244
Feb 21 2016 04:06:01: %ASA-7-715047: IP = XX.XX.XX.8, processing SA payload
Feb 21 2016 04:06:01: %ASA-7-713906: IKE Proposals rejected, no responder proposals configured!
Feb 21 2016 04:06:01: %ASA-7-713906: IKE Proposals rejected, no responder proposals configured!
Feb 21 2016 04:06:01: %ASA-7-713906: IKE Proposals rejected, no responder proposals configured!
Feb 21 2016 04:06:01: %ASA-7-713236: IP = XX.XX.XX.8, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 172
Feb 21 2016 04:06:01: %ASA-7-713906: IP = XX.XX.XX.8, All SA proposals found unacceptable
Feb 21 2016 04:06:01: %ASA-3-713048: IP = XX.XX.XX.8, Error processing payload: Payload ID: 1
Feb 21 2016 04:06:01: %ASA-7-715065: IP = XX.XX.XX.8, IKE MM Responder FSM error history (struct &0x760828c8)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_START, EV_RCV_MSG-->MM_START, EV_START_MM-->MM_START, EV_START_MM-->MM_START, EV_START_MM-->MM_START, EV_START_MM-->MM_START, EV_START_MM-->MM_START, EV_START_MM
Feb 21 2016 04:06:01: %ASA-7-713906: IP = XX.XX.XX.8, IKE SA MM:b8ca90dc terminating:  flags 0x01000002, refcnt 0, tuncnt 0
Feb 21 2016 04:06:01: %ASA-7-713906: IP = XX.XX.XX.8, sending delete/delete with reason message
Feb 21 2016 04:06:04: %ASA-5-752004: Tunnel Manager dispatching a KEY_ACQUIRE message to IKEv1.  Map Tag = outside_map.  Map Sequence Number = 10.
Feb 21 2016 04:06:04: %ASA-7-715077: Pitcher: received a key acquire message, spi 0x0
Feb 21 2016 04:06:04: %ASA-6-713905: There is no valid IKE proposal available, check IPSec SA configuration!
Feb 21 2016 04:06:04: %ASA-4-752012: IKEv1 was unsuccessful at setting up a tunnel.  Map Tag = outside_map.  Map Sequence Number = 10.
Feb 21 2016 04:06:04: %ASA-3-752015: Tunnel Manager has failed to establish an L2L SA.  All configured IKE versions failed to establish the tunnel. Map Tag= outside_map.  Map Sequence Number = 10.
Feb 21 2016 04:06:04: %ASA-7-752002: Tunnel Manager Removed entry.  Map Tag = outside_map.  Map Sequence Number = 10.
Swapnil Ashokkumar Patel, Network Infrastructure Engineer, Asked:

Pete Long, Technical Consultant, Commented:
>>Feb 21 2016 04:06:01: %ASA-7-713906: IKE Proposals rejected, no responder proposals configured!

Your phase one policies don't match, or one side's configured for IKE1 and the other IKE2.
Swapnil Ashokkumar Patel, Network Infrastructure Engineer, Author Commented:
Both sides have ike1 and the configuration is good.
William Murray, Network Engineer, Commented:
It is saying that it cannot find a match for the crypto policy.

Like this

crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
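
An added example, not part of the thread and not Cisco tooling: a Python check that ties the "no responder proposals configured" log to the configuration by parsing the crypto ikev1 policy blocks from both peers' running configs. It reports whether the responder has any policy at all and whether one agrees with the initiator on authentication, encryption, hash and group. The sample configs are constructed (policy 60 is the one quoted above), and the parser assumes every parameter appears explicitly in the config text.

```python
import re

# Phase 1 parameters compared here; lifetime is parsed but not compared.
FIELDS = ("authentication", "encryption", "hash", "group")

def parse_ikev1_policies(config):
    """Return {priority: {keyword: value}} for each 'crypto ikev1 policy N' block."""
    policies, current = {}, None
    for line in config.splitlines():
        head = re.match(r"crypto ikev1 policy (\d+)\s*$", line)
        if head:
            current = policies.setdefault(int(head.group(1)), {})
        elif current is not None and line.startswith(" "):
            parts = line.split()
            if len(parts) == 2:          # e.g. " encryption aes-192"
                current[parts[0]] = parts[1]
        else:
            current = None               # left the policy block
    return policies

def matching_policies(initiator_cfg, responder_cfg):
    """List (initiator_priority, responder_priority) pairs that agree on FIELDS."""
    init = parse_ikev1_policies(initiator_cfg)
    resp = parse_ikev1_policies(responder_cfg)
    return [(i, r) for i, ip in sorted(init.items())
            for r, rp in sorted(resp.items())
            if all(ip.get(f) is not None and ip.get(f) == rp.get(f) for f in FIELDS)]

def diagnose(initiator_cfg, responder_cfg):
    if not parse_ikev1_policies(responder_cfg):
        return "responder has no ikev1 policy"   # the case in the logs above
    if not matching_policies(initiator_cfg, responder_cfg):
        return "no common phase 1 policy"
    return "ok"

# Constructed sample configs (not the poster's real configuration).
INITIATOR = """\
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto map outside_map 200 set ikev1 transform-set XX
"""
RESPONDER_NO_POLICY = """\
crypto ipsec ikev1 transform-set XX esp-aes-256 esp-sha-hmac
crypto map outside_map 10 set ikev1 transform-set XX
"""
RESPONDER_MISMATCH = INITIATOR.replace("aes-192", "3des")

if __name__ == "__main__":
    for name, cfg in [("no policy", RESPONDER_NO_POLICY), ("mismatch", RESPONDER_MISMATCH), ("same", INITIATOR)]:
        print(name, "->", diagnose(INITIATOR, cfg))
```

A transform set and crypto map alone, as in the constructed responder without a policy, only describe phase 2; the check flags that case separately from a plain parameter mismatch.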


Swapnil Ashokkumar Patel, Network Infrastructure Engineer, Author Commented:
Both sides have the same config.

From 5520 side----->>
access-list outside_cryptomap_10 remark TO-XX
access-list outside_cryptomap_10 extended permit ip host XX.XX.XX.17 host XX.XX.XX.16 log

crypto ipsec ikev1 transform-set XX esp-aes-256 esp-sha-hmac

crypto map outside_map 10 match address outside_cryptomap_10
crypto map outside_map 10 set peer XX.XX.XX.XX YY.YY.YY.YY
crypto map outside_map 10 set ikev1 transform-set XX
crypto map outside_map 10 set security-association lifetime seconds 28800
crypto map outside_map 10 set security-association lifetime kilobytes 4608000

nat (inside,any) source static any any destination static obj-XX.XX.0 obj-XX.XX.0 no-proxy-arp route-lookup

tunnel-group XX.XX.XX.8 type ipsec-l2l
tunnel-group XX.XX.XX.8 ipsec-attributes
 ikev1 pre-shared-key XXX

From 5545-X side--->

access-list outside_cryptomap_200 remark TO-XX
access-list outside_cryptomap_200 extended permit ip host XX.XX.XX.16 host XX.XX.XX.17 log

nat (inside,outside) source static obj-XX.XX.0 obj-XX.XX.0 destination static obj-XX.XX.0 obj-XX.XX.0

crypto ipsec ikev1 transform-set XX esp-aes-256 esp-sha-hmac

crypto map outside_map 200 match address outside_cryptomap_200
crypto map outside_map 200 set peer XXX-EXT
crypto map outside_map 200 set ikev1 transform-set XXX
crypto map outside_map 200 set security-association lifetime seconds 28800
crypto map outside_map 200 set security-association lifetime kilobytes 4608000

tunnel-group XX.XX.XX.250 type ipsec-l2l
tunnel-group XX.XX.XX.250 ipsec-attributes
 ikev1 pre-shared-key XXX
Swapnil Ashokkumar Patel, Network Infrastructure Engineer, Author Commented:
Absolutely correct sir.
Swapnil Ashokkumar Patel, Network Infrastructure Engineer, Author Commented:
It's working now.
I was missing the timeout command under the policy.
Swapnil Ashokkumar Patel, Network Infrastructure Engineer, Author Commented:
And the lifetime command too.
It's working now.

Thank you gentlemen.