travisryan asked:

Cisco ASA EZVPN AM_TM_INIT_XAUTH_V6H error

My main office ASA 5520 runs an EZVPN site-to-site with an ASA 5506. Up until storms the other night the VPN was up; after the storms the VPN won't reconnect. I've tried rebooting the remote ASA, ran clear crypto ips sa peer <ASA IP> from both sides, and even pulled out the ezvpn config from the remote side and put it back in. No luck.

sh crypto isa sa from the 5520 shows:
Company-Firewall# sh crypto isa sa

4   IKE Peer: <Remote FW IP>
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_WAIT_MSG3

Company-Firewall# sh crypto isa sa

Then
4   IKE Peer: <Remote FW IP>
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_TM_INIT_XAUTH_V6H


sh crypto isa sa on the 5506 shows the same thing only AM_WAIT_MSG2 instead of MSG3.

Debugging the connection from the 5520:
debug crypto isa 5
---===---
Jun 11 16:22:21 [IKEv1 DEBUG]Group = <EZVPN Group>, IP = <Remote FW IP>, IKE SA Proposal # 1, Transform # 1 acceptable  Matches global IKE entry # 1
Jun 11 16:22:21 [IKEv1]Group = <EZVPN Group>, IP = <Remote FW IP>, Automatic NAT Detection Status:     Remote end   IS   behind a NAT device     This   end is NOT behind a NAT device
Jun 11 16:22:21 [IKEv1]Group = <EZVPN Group>, IP = <Remote FW IP>, Floating NAT-T from <Remote FW IP> port 500 to <Remote FW IP> port 4500
Jun 11 16:22:22 [IKEv1]Group = <EZVPN Group>, Username = <EZVPN User>, IP = <Remote FW IP>, IKE: Dynamic-Access-Policy action is not continue, abort connection
Jun 11 16:22:22 [IKEv1]Group = <EZVPN Group>, Username = <EZVPN User>, IP = <Remote FW IP>, IKE: Dynamic Access Policy failure, aborting connection
Jun 11 16:22:22 [IKEv1]Group = <EZVPN Group>, Username = <EZVPN User>, IP = <Remote FW IP>, Connection terminated for peer <EZVPN User>.  Reason: Peer Terminate  Remote Proxy 0.0.0.0, Local Proxy 0.0.0.0
Jun 11 16:22:22 [IKEv1]Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Jun 11 16:22:22 [IKEv1]Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Jun 11 16:22:22 [IKEv1]Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Jun 11 16:22:22 [IKEv1]Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2

Jun 11 16:22:22 [IKEv1]Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Jun 11 16:22:22 [IKEv1]Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Jun 11 16:22:22 [IKEv1]Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Jun 11 16:22:22 [IKEv1]Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2

Jun 11 16:22:22 [IKEv1 DEBUG]IP = <Remote FW IP>, IKE Peer included IKE fragmentation capability flags:  Main Mode:        True  Aggressive Mode:  True
Jun 11 16:22:22 [IKEv1]IP = <Remote FW IP>, Connection landed on tunnel_group <EZVPN Group>
Jun 11 16:22:22 [IKEv1 DEBUG]Group = <EZVPN Group>, IP = <Remote FW IP>, IKE SA Proposal # 1, Transform # 1 acceptable  Matches global IKE entry # 1
Jun 11 16:22:22 [IKEv1]Group = <EZVPN Group>, IP = <Remote FW IP>, Automatic NAT Detection Status:     Remote end   IS   behind a NAT device     This   end is NOT behind a NAT device
Jun 11 16:22:22 [IKEv1]Group = <EZVPN Group>, IP = <Remote FW IP>, Floating NAT-T from <Remote FW IP> port 500 to <Remote FW IP> port 4500
Jun 11 16:22:22 [IKEv1]Group = <EZVPN Group>, Username = <EZVPN User>, IP = <Remote FW IP>, IKE: Dynamic-Access-Policy action is not continue, abort connection
Jun 11 16:22:22 [IKEv1]Group = <EZVPN Group>, Username = <EZVPN User>, IP = <Remote FW IP>, IKE: Dynamic Access Policy failure, aborting connection
Jun 11 16:22:22 [IKEv1]Group = <EZVPN Group>, Username = <EZVPN User>, IP = <Remote FW IP>, Connection terminated for peer <EZVPN User>.  Reason: Peer Terminate  Remote Proxy 0.0.0.0, Local Proxy 0.0.0.0
Jun 11 16:22:22 [IKEv1 DEBUG]IP = <Remote FW IP>, IKE Peer included IKE fragmentation capability flags:  Main Mode:        True  Aggressive Mode:  True
Jun 11 16:22:17 [IKEv1]IP = <Remote FW IP>, Connection landed on tunnel_group <EZVPN Group>
Jun 11 16:22:17 [IKEv1 DEBUG]Group = <EZVPN Group>, IP = <Remote FW IP>, IKE SA Proposal # 1, Transform # 1 acceptable  Matches global IKE entry # 1
Jun 11 16:22:17 [IKEv1]Group = <EZVPN Group>, IP = <Remote FW IP>, Automatic NAT Detection Status:     Remote end   IS   behind a NAT device     This   end is NOT behind a NAT device
Jun 11 16:22:17 [IKEv1]Group = <EZVPN Group>, IP = <Remote FW IP>, Floating NAT-T from <Remote FW IP> port 500 to <Remote FW IP> port 4500
Jun 11 16:22:17 [IKEv1]Group = <EZVPN Group>, Username = <EZVPN User>, IP = <Remote FW IP>, IKE: Dynamic-Access-Policy action is not continue, abort connection
Jun 11 16:22:17 [IKEv1]Group = <EZVPN Group>, Username = <EZVPN User>, IP = <Remote FW IP>, IKE: Dynamic Access Policy failure, aborting connection
Jun 11 16:22:17 [IKEv1]Group = <EZVPN Group>, Username = <EZVPN User>, IP = <Remote FW IP>, Connection terminated for peer <EZVPN User>.  Reason: Peer Terminate  Remote Proxy 0.0.0.0, Local Proxy 0.0.0.0
Jun 11 16:22:18 [IKEv1 DEBUG]IP = <Remote FW IP>, IKE Peer included IKE fragmentation capability flags:  Main Mode:        True  Aggressive Mode:  True


Debugging from the 5506:
debug crypto isa 5
--==--
Jun 12 06:09:31 [IKEv1 DEBUG]Group = <Main Office FW IP>, IP = <Main Office FW IP>, IKE AM Initiator FSM error history (struct &0x00002aaac1a8a600)  <state>, <event>
:  AM_DONE, EV_ERROR-->AM_TM_INIT_XAUTH_V6C, EV_TM_FAIL-->AM_TM_INIT_XAUTH_V6C, NullEvent-->AM_TM_INIT_XAUTH_V6C, EV_START_TM-->AM_TM_INIT_XAUTH, EV_STAR
T_TM-->AM_SND_MSG3, EV_INIT_TM-->AM_SND_MSG3, EV_DSID_OK-->AM_SND_MSG3, EV_GET_DSID
Jun 12 06:09:31 [IKEv1]Ignoring msg to mark SA with specified coordinates <_vpnc_cm, 10> dead
Jun 12 06:09:31 [IKEv1]Ignoring msg to mark SA with specified coordinates <_vpnc_cm, 10> dead
Jun 12 06:09:31 [IKEv1]Ignoring msg to mark SA with specified coordinates <_vpnc_cm, 10> dead
Jun 12 06:09:31 [IKEv1]Ignoring msg to mark SA with specified coordinates <_vpnc_cm, 10> dead
Jun 12 06:09:31 [IKEv1]Ignoring msg to mark SA with specified coordinates <_vpnc_cm, 10> dead
Jun 12 06:09:31 [IKEv1]Ignoring msg to mark SA with specified coordinates <_vpnc_cm, 10> dead
Jun 12 06:09:31 [IKEv1]IP = <Main Office FW IP>, IKE Initiator: New Phase 1, Intf NP Identity Ifc, IKE Peer <Main Office FW IP>  local Proxy Address <Remote Office FW IP>,
remote Proxy Address <Main Office FW IP>,  Crypto map (_vpnc_cm)
Jun 12 06:09:31 [IKEv1]IKE Receiver: Packet received on <Remote Office FW IP>:500 from <Main Office FW IP>:500
Jun 12 06:09:31 [IKEv1 DEBUG]IP = <Main Office FW IP>, Oakley proposal is acceptable
Jun 12 06:09:31 [IKEv1 DEBUG]IP = <Main Office FW IP>, IKE Peer included IKE fragmentation capability flags:  Main Mode:        True  Aggressive Mode:  True
Jun 12 06:09:31 [IKEv1]IP = <Main Office FW IP>, Connection landed on tunnel_group <Main Office FW IP>
Jun 12 06:09:31 [IKEv1]Group = <Main Office FW IP>, IP = <Main Office FW IP>, Automatic NAT Detection Status:     Remote end is NOT behind a NAT device     This   en
d   IS   behind a NAT device
Jun 12 06:09:31 [IKEv1]Group = <Main Office FW IP>, IP = <Main Office FW IP>, Floating NAT-T to port 4500
Jun 12 06:09:31 [IKEv1 DEBUG]Group = <Main Office FW IP>, IP = <Main Office FW IP>, Proposing only UDP-Encapsulated-Tunnel and  UDP-Encapsulated-Transport modes defi
ned by NAT-Traversal
Jun 12 06:09:32 [IKEv1]IKE Receiver: Packet received on <Remote Office FW IP>:4500 from <Main Office FW IP>:4500
Jun 12 06:09:32 [IKEv1]IKE Receiver: Packet received on <Remote Office FW IP>:4500 from <Main Office FW IP>:4500
Jun 12 06:09:32 [IKEv1]Group = <Main Office FW IP>, IP = <Main Office FW IP>, Headend security gateway has failed our user authentication attempt -  check configured
 username and password
Jun 12 06:09:32 [IKEv1 DEBUG]Group = <Main Office FW IP>, IP = <Main Office FW IP>, IKE AM Initiator FSM error history (struct &0x00002aaac1a8a600)  <state>, <event>
:  AM_DONE, EV_ERROR-->AM_TM_INIT_XAUTH_V6C, EV_TM_FAIL-->AM_TM_INIT_XAUTH_V6C, NullEvent-->AM_TM_INIT_XAUTH_V6C, EV_START_TM-->AM_TM_INIT_XAUTH, EV_STAR
T_TM-->AM_SND_MSG3, EV_INIT_TM-->AM_SND_MSG3, EV_DSID_OK-->AM_SND_MSG3, EV_GET_DSID
Jun 12 06:09:32 [IKEv1]Ignoring msg to mark SA with specified coordinates <_vpnc_cm, 10> dead
Jun 12 06:09:32 [IKEv1]Ignoring msg to mark SA with specified coordinates <_vpnc_cm, 10> dead
Jun 12 06:09:32 [IKEv1]Ignoring msg to mark SA with specified coordinates <_vpnc_cm, 10> dead
Jun 12 06:09:32 [IKEv1]Ignoring msg to mark SA with specified coordinates <_vpnc_cm, 10> dead
Jun 12 06:09:32 [IKEv1]Ignoring msg to mark SA with specified coordinates <_vpnc_cm, 10> dead
Jun 12 06:09:32 [IKEv1]Ignoring msg to mark SA with specified coordinates <_vpnc_cm, 10> dead
Jun 12 06:09:32 [IKEv1]IP = <Main Office FW IP>, IKE Initiator: New Phase 1, Intf NP Identity Ifc, IKE Peer <Main Office FW IP>  local Proxy Address <Remote Office FW IP>,
remote Proxy Address <Main Office FW IP>,  Crypto map (_vpnc_cm)
Jun 12 06:09:32 [IKEv1]IKE Receiver: Packet received on <Remote Office FW IP>:500 from <Main Office FW IP>:500
Jun 12 06:09:32 [IKEv1 DEBUG]IP = <Main Office FW IP>, Oakley proposal is acceptable
Jun 12 06:09:32 [IKEv1 DEBUG]IP = <Main Office FW IP>, IKE Peer included IKE fragmentation capability flags:  Main Mode:        True  Aggressive Mode:  True
Jun 12 06:09:32 [IKEv1]IP = <Main Office FW IP>, Connection landed on tunnel_group <Main Office FW IP>
Jun 12 06:09:32 [IKEv1]Group = <Main Office FW IP>, IP = <Main Office FW IP>, Automatic NAT Detection Status:     Remote end is NOT behind a NAT device     This   en
d   IS   behind a NAT device
Jun 12 06:09:32 [IKEv1]Group = <Main Office FW IP>, IP = <Main Office FW IP>, Floating NAT-T to port 4500
Jun 12 06:09:32 [IKEv1 DEBUG]Group = <Main Office FW IP>, IP = <Main Office FW IP>, Proposing only UDP-Encapsulated-Tunnel and  UDP-Encapsulated-Transport modes defi
ned by NAT-Traversal
Jun 12 06:09:32 [IKEv1]IKE Receiver: Packet received on <Remote Office FW IP>:4500 from <Main Office FW IP>:4500
Jun 12 06:09:32 [IKEv1]IKE Receiver: Packet received on <Remote Office FW IP>:4500 from <Main Office FW IP>:4500
Jun 12 06:09:32 [IKEv1]Group = <Main Office FW IP>, IP = <Main Office FW IP>, Headend security gateway has failed our user authentication attempt -  check configured
 username and password
Jun 12 06:09:32 [IKEv1 DEBUG]Group = <Main Office FW IP>, IP = <Main Office FW IP>, IKE AM Initiator FSM error history (struct &0x00002aaac1a8a600)  <state>, <event>
:  AM_DONE, EV_ERROR-->AM_TM_INIT_XAUTH_V6C, EV_TM_FAIL-->AM_TM_INIT_XAUTH_V6C, NullEvent-->AM_TM_INIT_XAUTH_V6C, EV_START_TM-->AM_TM_INIT_XAUTH, EV_STAR
T_TM-->AM_SND_MSG3, EV_INIT_TM-->AM_SND_MSG3, EV_DSID_OK-->AM_SND_MSG3, EV_GET_DSID

debug crypto isa 127
--==--
Jun 12 06:17:01 [IKEv1]IP = <Main Office FW IP>, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13)
 + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 1031
Jun 12 06:17:01 [IKEv1]IKE Receiver: Packet received on <Remote Office FW IP>:500 from <Main Office FW IP>:500
Jun 12 06:17:01 [IKEv1]IP = <Main Office FW IP>, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) +
 VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (20) + NAT-D (20) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 444
Jun 12 06:17:01 [IKEv1 DEBUG]IP = <Main Office FW IP>, processing SA payload
Jun 12 06:17:01 [IKEv1 DEBUG]IP = <Main Office FW IP>, Oakley proposal is acceptable
Jun 12 06:17:01 [IKEv1 DEBUG]IP = <Main Office FW IP>, processing ke payload
Jun 12 06:17:01 [IKEv1 DEBUG]IP = <Main Office FW IP>, processing ISA_KE payload
Jun 12 06:17:01 [IKEv1 DEBUG]IP = <Main Office FW IP>, processing nonce payload
Jun 12 06:17:01 [IKEv1 DEBUG]IP = <Main Office FW IP>, processing ID payload
Jun 12 06:17:01 [IKEv1 DECODE]IP = <Main Office FW IP>, ID_IPV4_ADDR ID received
<Main Office FW IP>
Jun 12 06:17:01 [IKEv1 DEBUG]IP = <Main Office FW IP>, processing VID payload
Jun 12 06:17:01 [IKEv1 DEBUG]IP = <Main Office FW IP>, Received Cisco Unity client VID
Jun 12 06:17:01 [IKEv1 DEBUG]IP = <Main Office FW IP>, processing VID payload
Jun 12 06:17:01 [IKEv1 DEBUG]IP = <Main Office FW IP>, Received xauth V6 VID
Jun 12 06:17:01 [IKEv1 DEBUG]IP = <Main Office FW IP>, processing VID payload
Jun 12 06:17:01 [IKEv1 DEBUG]IP = <Main Office FW IP>, Received DPD VID
Jun 12 06:17:01 [IKEv1 DEBUG]IP = <Main Office FW IP>, processing VID payload
Jun 12 06:17:01 [IKEv1 DEBUG]IP = <Main Office FW IP>, Received NAT-Traversal RFC VID
Jun 12 06:17:01 [IKEv1 DEBUG]IP = <Main Office FW IP>, processing NAT-Discovery payload
Jun 12 06:17:01 [IKEv1 DEBUG]IP = <Main Office FW IP>, computing NAT Discovery hash
Jun 12 06:17:01 [IKEv1 DEBUG]IP = <Main Office FW IP>, processing NAT-Discovery payload
Jun 12 06:17:01 [IKEv1 DEBUG]IP = <Main Office FW IP>, computing NAT Discovery hash
Jun 12 06:17:01 [IKEv1 DEBUG]IP = <Main Office FW IP>, processing VID payload
Jun 12 06:17:01 [IKEv1 DEBUG]IP = <Main Office FW IP>, Received Fragmentation VID
Jun 12 06:17:01 [IKEv1 DEBUG]IP = <Main Office FW IP>, IKE Peer included IKE fragmentation capability flags:  Main Mode:        True  Aggressive Mode:  True
Jun 12 06:17:01 [IKEv1 DEBUG]IP = <Main Office FW IP>, processing VID payload
Jun 12 06:17:01 [IKEv1 DEBUG]IP = <Main Office FW IP>, Received Altiga/Cisco VPN3000/Cisco ASA GW VID
Jun 12 06:17:01 [IKEv1]IP = <Main Office FW IP>, Connection landed on tunnel_group <Main Office FW IP>
Jun 12 06:17:01 [IKEv1 DEBUG]Group = <Main Office FW IP>, IP = <Main Office FW IP>, Generating keys for Initiator...
Jun 12 06:17:01 [IKEv1 DEBUG]Group = <Main Office FW IP>, IP = <Main Office FW IP>, processing hash payload
Jun 12 06:17:01 [IKEv1 DEBUG]Group = <Main Office FW IP>, IP = <Main Office FW IP>, Computing hash for ISAKMP
Jun 12 06:17:01 [IKEv1 DEBUG]Group = <Main Office FW IP>, IP = <Main Office FW IP>, constructing hash payload
Jun 12 06:17:01 [IKEv1 DEBUG]Group = <Main Office FW IP>, IP = <Main Office FW IP>, Computing hash for ISAKMP
Jun 12 06:17:01 [IKEv1 DEBUG]Group = <Main Office FW IP>, IP = <Main Office FW IP>, constructing NAT-Discovery payload
Jun 12 06:17:01 [IKEv1 DEBUG]Group = <Main Office FW IP>, IP = <Main Office FW IP>, computing NAT Discovery hash
Jun 12 06:17:01 [IKEv1 DEBUG]Group = <Main Office FW IP>, IP = <Main Office FW IP>, constructing NAT-Discovery payload
Jun 12 06:17:01 [IKEv1 DEBUG]Group = <Main Office FW IP>, IP = <Main Office FW IP>, computing NAT Discovery hash
Jun 12 06:17:01 [IKEv1 DECODE]IKE Initiator sending Initial Contact
Jun 12 06:17:01 [IKEv1 DEBUG]Group = <Main Office FW IP>, IP = <Main Office FW IP>, constructing dpd vid payload
Jun 12 06:17:01 [IKEv1 DEBUG]Group = <Main Office FW IP>, IP = <Main Office FW IP>, constructing VID payload
Jun 12 06:17:01 [IKEv1 DEBUG]Group = <Main Office FW IP>, IP = <Main Office FW IP>, Send Cisco Unity client VID
Jun 12 06:17:01 [IKEv1]IP = <Main Office FW IP>, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + HASH (8) + NAT-D (20) + NAT-D (20) + NOTIFY (11) +
VENDOR (13) + VENDOR (13) + NONE (0) total length : 168
Jun 12 06:17:01 [IKEv1]Group = <Main Office FW IP>, IP = <Main Office FW IP>, Automatic NAT Detection Status:     Remote end is NOT behind a NAT device     This   en
d   IS   behind a NAT device
Jun 12 06:17:01 [IKEv1]Group = <Main Office FW IP>, IP = <Main Office FW IP>, Floating NAT-T to port 4500
Jun 12 06:17:01 [IKEv1 DEBUG]Group = <Main Office FW IP>, IP = <Main Office FW IP>, Proposing only UDP-Encapsulated-Tunnel and  UDP-Encapsulated-Transport modes defi
ned by NAT-Traversal
Jun 12 06:17:01 [IKEv1]IKE Receiver: Packet received on <Remote Office FW IP>:4500 from <Main Office FW IP>:4500
Jun 12 06:17:01 [IKEv1]IP = <Main Office FW IP>, IKE_DECODE RECEIVED Message (msgid=53834897) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total lengt
h : 72
Jun 12 06:17:01 [IKEv1 DEBUG]Group = <Main Office FW IP>, IP = <Main Office FW IP>, process_attr(): Enter!
Jun 12 06:17:01 [IKEv1 DEBUG]Processing cfg Request attributes
Jun 12 06:17:01 [IKEv1 DEBUG]Received Xauth Type in request!
Jun 12 06:17:01 [IKEv1 DEBUG]Received Xauth Username request!
Jun 12 06:17:01 [IKEv1 DEBUG]Received Xauth Password request!
Jun 12 06:17:01 [IKEv1 DEBUG]Group = <Main Office FW IP>, IP = <Main Office FW IP>, constructing blank hash payload
Jun 12 06:17:01 [IKEv1 DEBUG]Group = <Main Office FW IP>, IP = <Main Office FW IP>, constructing qm hash payload
Jun 12 06:17:01 [IKEv1]IP = <Main Office FW IP>, IKE_DECODE SENDING Message (msgid=53834897) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length
 : 92
Jun 12 06:17:01 [IKEv1]IKE Receiver: Packet received on <Remote Office FW IP>:4500 from <Main Office FW IP>:4500
Jun 12 06:17:01 [IKEv1]IP = <Main Office FW IP>, IKE_DECODE RECEIVED Message (msgid=e29d7a6f) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total lengt
h : 64
Jun 12 06:17:01 [IKEv1 DEBUG]Group = <Main Office FW IP>, IP = <Main Office FW IP>, process_attr(): Enter!
Jun 12 06:17:01 [IKEv1 DEBUG]Group = <Main Office FW IP>, IP = <Main Office FW IP>, Processing cfg Request attributes
Jun 12 06:17:01 [IKEv1 DEBUG]Group = <Main Office FW IP>, IP = <Main Office FW IP>, Received Xauth Status Set!
Jun 12 06:17:01 [IKEv1]Group = <Main Office FW IP>, IP = <Main Office FW IP>, Headend security gateway has failed our user authentication attempt -  check configured
 username and password
Jun 12 06:17:01 [IKEv1 DEBUG]Group = <Main Office FW IP>, IP = <Main Office FW IP>, constructing blank hash payload
Jun 12 06:17:01 [IKEv1 DEBUG]Group = <Main Office FW IP>, IP = <Main Office FW IP>, constructing qm hash payload
Jun 12 06:17:01 [IKEv1]IP = <Main Office FW IP>, IKE_DECODE SENDING Message (msgid=e29d7a6f) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length
 : 60
Jun 12 06:17:01 [IKEv1 DEBUG]Group = <Main Office FW IP>, IP = <Main Office FW IP>, IKE AM Initiator FSM error history (struct &0x00002aaac1a8a600)  <state>, <event>
:  AM_DONE, EV_ERROR-->AM_TM_INIT_XAUTH_V6C, EV_TM_FAIL-->AM_TM_INIT_XAUTH_V6C, NullEvent-->AM_TM_INIT_XAUTH_V6C, EV_START_TM-->AM_TM_INIT_XAUTH, EV_STAR
T_TM-->AM_SND_MSG3, EV_INIT_TM-->AM_SND_MSG3, EV_DSID_OK-->AM_SND_MSG3, EV_GET_DSID
Jun 12 06:17:01 [IKEv1 DEBUG]Group = <Main Office FW IP>, IP = <Main Office FW IP>, IKE SA AM:7c465f2f terminating:  flags 0x0100c021, refcnt 0, tuncnt 0
Jun 12 06:17:01 [IKEv1 DEBUG]Group = <Main Office FW IP>, IP = <Main Office FW IP>, sending delete/delete with reason message
Jun 12 06:17:01 [IKEv1 DEBUG]Group = <Main Office FW IP>, IP = <Main Office FW IP>, constructing blank hash payload
Jun 12 06:17:01 [IKEv1 DEBUG]Group = <Main Office FW IP>, IP = <Main Office FW IP>, constructing IKE delete payload
Jun 12 06:17:01 [IKEv1 DEBUG]Group = <Main Office FW IP>, IP = <Main Office FW IP>, constructing qm hash payload
Jun 12 06:17:01 [IKEv1]IP = <Main Office FW IP>, IKE_DECODE SENDING Message (msgid=f81e423e) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total leng
th : 80
Jun 12 06:17:02 [IKEv1]Ignoring msg to mark SA with specified coordinates <_vpnc_cm, 10> dead
Jun 12 06:17:02 [IKEv1]Ignoring msg to mark SA with specified coordinates <_vpnc_cm, 10> dead
Jun 12 06:17:02 [IKEv1]Ignoring msg to mark SA with specified coordinates <_vpnc_cm, 10> dead
Jun 12 06:17:02 [IKEv1]Ignoring msg to mark SA with specified coordinates <_vpnc_cm, 10> dead
Jun 12 06:17:02 [IKEv1]Ignoring msg to mark SA with specified coordinates <_vpnc_cm, 10> dead
Jun 12 06:17:02 [IKEv1]Ignoring msg to mark SA with specified coordinates <_vpnc_cm, 10> dead
Jun 12 06:17:02 [IKEv1 DEBUG]Pitcher: received a key acquire message, spi 0x0
Jun 12 06:17:02 [IKEv1]IP = <Main Office FW IP>, IKE Initiator: New Phase 1, Intf NP Identity Ifc, IKE Peer <Main Office FW IP>  local Proxy Address <Remote Office FW IP>,
remote Proxy Address <Main Office FW IP>,  Crypto map (_vpnc_cm)
Jun 12 06:17:02 [IKEv1 DEBUG]IP = <Main Office FW IP>, constructing ISAKMP SA payload
Jun 12 06:17:02 [IKEv1 DEBUG]IP = <Main Office FW IP>, constructing ke payload
Jun 12 06:17:02 [IKEv1 DEBUG]IP = <Main Office FW IP>, constructing nonce payload
Jun 12 06:17:02 [IKEv1 DEBUG]IP = <Main Office FW IP>, constructing ID payload
Jun 12 06:17:02 [IKEv1 DEBUG]IP = <Main Office FW IP>, constructing Cisco Unity VID payload
Jun 12 06:17:02 [IKEv1 DEBUG]IP = <Main Office FW IP>, constructing xauth V6 VID payload
Jun 12 06:17:02 [IKEv1 DEBUG]IP = <Main Office FW IP>, constructing NAT-Traversal VID ver 02 payload
Jun 12 06:17:02 [IKEv1 DEBUG]IP = <Main Office FW IP>, constructing NAT-Traversal VID ver 03 payload
Jun 12 06:17:02 [IKEv1 DEBUG]IP = <Main Office FW IP>, constructing NAT-Traversal VID ver RFC payload
Jun 12 06:17:02 [IKEv1 DEBUG]IP = <Main Office FW IP>, constructing Fragmentation VID + extended capabilities payload
Jun 12 06:17:02 [IKEv1]IP = <Main Office FW IP>, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13)
 + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 1031
Jun 12 06:17:02 [IKEv1]IKE Receiver: Packet received on <Remote Office FW IP>:500 from <Main Office FW IP>:500
Jun 12 06:17:02 [IKEv1]IP = <Main Office FW IP>, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) +
 VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (20) + NAT-D (20) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 444
Jun 12 06:17:02 [IKEv1 DEBUG]IP = <Main Office FW IP>, processing SA payload
Jun 12 06:17:02 [IKEv1 DEBUG]IP = <Main Office FW IP>, Oakley proposal is acceptable
Jun 12 06:17:02 [IKEv1 DEBUG]IP = <Main Office FW IP>, processing ke payload
Jun 12 06:17:02 [IKEv1 DEBUG]IP = <Main Office FW IP>, processing ISA_KE payload
Jun 12 06:17:02 [IKEv1 DEBUG]IP = <Main Office FW IP>, processing nonce payload
Jun 12 06:17:02 [IKEv1 DEBUG]IP = <Main Office FW IP>, processing ID payload
Jun 12 06:17:02 [IKEv1 DECODE]IP = <Main Office FW IP>, ID_IPV4_ADDR ID received
<Main Office FW IP>
Jun 12 06:17:02 [IKEv1 DEBUG]IP = <Main Office FW IP>, processing VID payload
Jun 12 06:17:02 [IKEv1 DEBUG]IP = <Main Office FW IP>, Received Cisco Unity client VID
Jun 12 06:17:02 [IKEv1 DEBUG]IP = <Main Office FW IP>, processing VID payload
Jun 12 06:17:02 [IKEv1 DEBUG]IP = <Main Office FW IP>, Received xauth V6 VID
Jun 12 06:17:02 [IKEv1 DEBUG]IP = <Main Office FW IP>, processing VID payload
Jun 12 06:17:02 [IKEv1 DEBUG]IP = <Main Office FW IP>, Received DPD VID
Jun 12 06:17:02 [IKEv1 DEBUG]IP = <Main Office FW IP>, processing VID payload
Jun 12 06:17:02 [IKEv1 DEBUG]IP = <Main Office FW IP>, Received NAT-Traversal RFC VID
Jun 12 06:17:02 [IKEv1 DEBUG]IP = <Main Office FW IP>, processing NAT-Discovery payload
Jun 12 06:17:02 [IKEv1 DEBUG]IP = <Main Office FW IP>, computing NAT Discovery hash
Jun 12 06:17:02 [IKEv1 DEBUG]IP = <Main Office FW IP>, processing NAT-Discovery payload
Jun 12 06:17:02 [IKEv1 DEBUG]IP = <Main Office FW IP>, computing NAT Discovery hash
Jun 12 06:17:02 [IKEv1 DEBUG]IP = <Main Office FW IP>, processing VID payload
Jun 12 06:17:02 [IKEv1 DEBUG]IP = <Main Office FW IP>, Received Fragmentation VID
Jun 12 06:17:02 [IKEv1 DEBUG]IP = <Main Office FW IP>, IKE Peer included IKE fragmentation capability flags:  Main Mode:        True  Aggressive Mode:  True
Jun 12 06:17:02 [IKEv1 DEBUG]IP = <Main Office FW IP>, processing VID payload
Jun 12 06:17:02 [IKEv1 DEBUG]IP = <Main Office FW IP>, Received Altiga/Cisco VPN3000/Cisco ASA GW VID
Jun 12 06:17:02 [IKEv1]IP = <Main Office FW IP>, Connection landed on tunnel_group <Main Office FW IP>
Jun 12 06:17:02 [IKEv1 DEBUG]Group = <Main Office FW IP>, IP = <Main Office FW IP>, Generating keys for Initiator...
Jun 12 06:17:02 [IKEv1 DEBUG]Group = <Main Office FW IP>, IP = <Main Office FW IP>, processing hash payload
Jun 12 06:17:02 [IKEv1 DEBUG]Group = <Main Office FW IP>, IP = <Main Office FW IP>, Computing hash for ISAKMP
Jun 12 06:17:02 [IKEv1 DEBUG]Group = <Main Office FW IP>, IP = <Main Office FW IP>, constructing hash payload
Jun 12 06:17:02 [IKEv1 DEBUG]Group = <Main Office FW IP>, IP = <Main Office FW IP>, Computing hash for ISAKMP
Jun 12 06:17:02 [IKEv1 DEBUG]Group = <Main Office FW IP>, IP = <Main Office FW IP>, constructing NAT-Discovery payload
Jun 12 06:17:02 [IKEv1 DEBUG]Group = <Main Office FW IP>, IP = <Main Office FW IP>, computing NAT Discovery hash
Jun 12 06:17:02 [IKEv1 DEBUG]Group = <Main Office FW IP>, IP = <Main Office FW IP>, constructing NAT-Discovery payload
Jun 12 06:17:02 [IKEv1 DEBUG]Group = <Main Office FW IP>, IP = <Main Office FW IP>, computing NAT Discovery hash
Jun 12 06:17:02 [IKEv1 DECODE]IKE Initiator sending Initial Contact
Jun 12 06:17:02 [IKEv1 DEBUG]Group = <Main Office FW IP>, IP = <Main Office FW IP>, constructing dpd vid payload
Jun 12 06:17:02 [IKEv1 DEBUG]Group = <Main Office FW IP>, IP = <Main Office FW IP>, constructing VID payload
Jun 12 06:17:02 [IKEv1 DEBUG]Group = <Main Office FW IP>, IP = <Main Office FW IP>, Send Cisco Unity client VID
Jun 12 06:17:02 [IKEv1]IP = <Main Office FW IP>, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + HASH (8) + NAT-D (20) + NAT-D (20) + NOTIFY (11) +
VENDOR (13) + VENDOR (13) + NONE (0) total length : 168
Jun 12 06:17:02 [IKEv1]Group = <Main Office FW IP>, IP = <Main Office FW IP>, Automatic NAT Detection Status:     Remote end is NOT behind a NAT device     This   en
d   IS   behind a NAT device
Jun 12 06:17:02 [IKEv1]Group = <Main Office FW IP>, IP = <Main Office FW IP>, Floating NAT-T to port 4500
Jun 12 06:17:02 [IKEv1 DEBUG]Group = <Main Office FW IP>, IP = <Main Office FW IP>, Proposing only UDP-Encapsulated-Tunnel and  UDP-Encapsulated-Transport modes defi
ned by NAT-Traversal
Jun 12 06:17:02 [IKEv1]IKE Receiver: Packet received on <Remote Office FW IP>:4500 from <Main Office FW IP>:4500
Jun 12 06:17:02 [IKEv1]IP = <Main Office FW IP>, IKE_DECODE RECEIVED Message (msgid=ba9ff267) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total lengt
h : 72
Jun 12 06:17:02 [IKEv1 DEBUG]Group = <Main Office FW IP>, IP = <Main Office FW IP>, process_attr(): Enter!
Jun 12 06:17:02 [IKEv1 DEBUG]Processing cfg Request attributes
Jun 12 06:17:02 [IKEv1 DEBUG]Received Xauth Type in request!
Jun 12 06:17:02 [IKEv1 DEBUG]Received Xauth Username request!
Jun 12 06:17:02 [IKEv1 DEBUG]Received Xauth Password request!
Jun 12 06:17:02 [IKEv1 DEBUG]Group = <Main Office FW IP>, IP = <Main Office FW IP>, constructing blank hash payload
Jun 12 06:17:02 [IKEv1 DEBUG]Group = <Main Office FW IP>, IP = <Main Office FW IP>, constructing qm hash payload
Jun 12 06:17:02 [IKEv1]IP = <Main Office FW IP>, IKE_DECODE SENDING Message (msgid=ba9ff267) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length
 : 92
Jun 12 06:17:02 [IKEv1]IKE Receiver: Packet received on <Remote Office FW IP>:4500 from <Main Office FW IP>:4500
Jun 12 06:17:02 [IKEv1]IP = <Main Office FW IP>, IKE_DECODE RECEIVED Message (msgid=ace6ee34) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total lengt
h : 64
Jun 12 06:17:02 [IKEv1 DEBUG]Group = <Main Office FW IP>, IP = <Main Office FW IP>, process_attr(): Enter!
Jun 12 06:17:02 [IKEv1 DEBUG]Group = <Main Office FW IP>, IP = <Main Office FW IP>, Processing cfg Request attributes
Jun 12 06:17:02 [IKEv1 DEBUG]Group = <Main Office FW IP>, IP = <Main Office FW IP>, Received Xauth Status Set!
Jun 12 06:17:02 [IKEv1]Group = <Main Office FW IP>, IP = <Main Office FW IP>, Headend security gateway has failed our user authentication attempt -  check configured
 username and password
Jun 12 06:17:02 [IKEv1 DEBUG]Group = <Main Office FW IP>, IP = <Main Office FW IP>, constructing blank hash payload
Jun 12 06:17:02 [IKEv1 DEBUG]Group = <Main Office FW IP>, IP = <Main Office FW IP>, constructing qm hash payload
Jun 12 06:17:02 [IKEv1]IP = <Main Office FW IP>, IKE_DECODE SENDING Message (msgid=ace6ee34) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length
 : 60
Jun 12 06:17:02 [IKEv1 DEBUG]Group = <Main Office FW IP>, IP = <Main Office FW IP>, IKE AM Initiator FSM error history (struct &0x00002aaac1a9f1a0)  <state>, <event>
:  AM_DONE, EV_ERROR-->AM_TM_INIT_XAUTH_V6C, EV_TM_FAIL-->AM_TM_INIT_XAUTH_V6C, NullEvent-->AM_TM_INIT_XAUTH_V6C, EV_START_TM-->AM_TM_INIT_XAUTH, EV_STAR
T_TM-->AM_SND_MSG3, EV_INIT_TM-->AM_SND_MSG3, EV_DSID_OK-->AM_SND_MSG3, EV_GET_DSID
Jun 12 06:17:02 [IKEv1 DEBUG]Group = <Main Office FW IP>, IP = <Main Office FW IP>, IKE SA AM:0cc00b1f terminating:  flags 0x0100c021, refcnt 0, tuncnt 0
Jun 12 06:17:02 [IKEv1 DEBUG]Group = <Main Office FW IP>, IP = <Main Office FW IP>, sending delete/delete with reason message
Jun 12 06:17:02 [IKEv1 DEBUG]Group = <Main Office FW IP>, IP = <Main Office FW IP>, constructing blank hash payload
Jun 12 06:17:02 [IKEv1 DEBUG]Group = <Main Office FW IP>, IP = <Main Office FW IP>, constructing IKE delete payload
Jun 12 06:17:02 [IKEv1 DEBUG]Group = <Main Office FW IP>, IP = <Main Office FW IP>, constructing qm hash payload
Jun 12 06:17:02 [IKEv1]IP = <Main Office FW IP>, IKE_DECODE SENDING Message (msgid=28f2c7c5) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total leng
th : 80
Jun 12 06:17:02 [IKEv1]Ignoring msg to mark SA with specified coordinates <_vpnc_cm, 10> dead
Jun 12 06:17:02 [IKEv1]Ignoring msg to mark SA with specified coordinates <_vpnc_cm, 10> dead
Jun 12 06:17:02 [IKEv1]Ignoring msg to mark SA with specified coordinates <_vpnc_cm, 10> dead
Jun 12 06:17:02 [IKEv1]Ignoring msg to mark SA with specified coordinates <_vpnc_cm, 10> dead
Jun 12 06:17:02 [IKEv1]Ignoring msg to mark SA with specified coordinates <_vpnc_cm, 10> dead
Jun 12 06:17:02 [IKEv1]Ignoring msg to mark SA with specified coordinates <_vpnc_cm, 10> dead
Jun 12 06:17:02 [IKEv1 DEBUG]Pitcher: received a key acquire message, spi 0x0
Jun 12 06:17:02 [IKEv1]IP = <Main Office FW IP>, IKE Initiator: New Phase 1, Intf NP Identity Ifc, IKE Peer <Main Office FW IP>  local Proxy Address <Remote Office FW IP>,
remote Proxy Address <Main Office FW IP>,  Crypto map (_vpnc_cm)
Jun 12 06:17:02 [IKEv1 DEBUG]IP = <Main Office FW IP>, constructing ISAKMP SA payload
Jun 12 06:17:02 [IKEv1 DEBUG]IP = <Main Office FW IP>, constructing ke payload
Jun 12 06:17:02 [IKEv1 DEBUG]IP = <Main Office FW IP>, constructing nonce payload
Jun 12 06:17:02 [IKEv1 DEBUG]IP = <Main Office FW IP>, constructing ID payload
Jun 12 06:17:02 [IKEv1 DEBUG]IP = <Main Office FW IP>, constructing Cisco Unity VID payload
Jun 12 06:17:02 [IKEv1 DEBUG]IP = <Main Office FW IP>, constructing xauth V6 VID payload
Jun 12 06:17:02 [IKEv1 DEBUG]IP = <Main Office FW IP>, constructing NAT-Traversal VID ver 02 payload
Jun 12 06:17:02 [IKEv1 DEBUG]IP = <Main Office FW IP>, constructing NAT-Traversal VID ver 03 payload
Jun 12 06:17:02 [IKEv1 DEBUG]IP = <Main Office FW IP>, constructing NAT-Traversal VID ver RFC payload
Jun 12 06:17:02 [IKEv1 DEBUG]IP = <Main Office FW IP>, constructing Fragmentation VID + extended capabilities payload
Jun 12 06:17:02 [IKEv1]IP = <Main Office FW IP>, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13)
 + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 1031
Jun 12 06:17:02 [IKEv1]IKE Receiver: Packet received on <Remote Office FW IP>:500 from <Main Office FW IP>:500
Jun 12 06:17:02 [IKEv1]IP = <Main Office FW IP>, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) +
 VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (20) + NAT-D (20) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 444


What's going on here?
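
An added example, not part of the original post and not Cisco tooling: a small triage script for IKEv1 debug output in the shape shown in the question. It rejoins records that the terminal wrapped, collapses repeats, and lists only the records that carry a failure message. The marker strings are copied from the log above; the labels, function names and sample input are constructed for this example.

```python
import re

# Constructed sample in the shape of the debug output above, including one
# record that the terminal wrapped onto a second line.
SAMPLE = """\
Jun 11 16:22:22 [IKEv1]Group = <EZVPN Group>, Username = <EZVPN User>, IP = <Remote FW IP>, IKE: Dynamic Access Policy failure, aborting connection
Jun 11 16:22:22 [IKEv1]Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Jun 11 16:22:22 [IKEv1]Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Jun 12 06:09:32 [IKEv1]Group = <Main Office FW IP>, IP = <Main Office FW IP>, Headend security gateway has failed our user authentication attempt -  check configured
 username and password
Jun 12 06:09:32 [IKEv1]Group = <Main Office FW IP>, IP = <Main Office FW IP>, Floating NAT-T to port 4500
"""

RECORD_START = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d \[IKEv1")
RECORD = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) \[(?P<tag>[^\]]+)\](?P<body>.*)$"
)
FIELD = re.compile(r"(Group|Username|IP) = ([^,]+), ")

# (label, substring) pairs; the substrings appear in the log on this page,
# the labels are hypothetical names chosen for the example.
FAILURE_MARKERS = [
    ("dap", "Dynamic Access Policy failure"),
    ("dap", "Dynamic-Access-Policy action is not continue"),
    ("xauth", "failed our user authentication attempt"),
    ("phase1-mismatch", "Phase 1 failure"),
    ("fsm-error", "FSM error history"),
]


def join_wrapped(text):
    """Rebuild records that the terminal cut at a fixed column."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            # The wrap cuts mid-word, so the pieces are joined without a space.
            records[-1] += line
    return records


def parse(record):
    """Split one record into timestamp, tag, leading key/value fields, message."""
    m = RECORD.match(record)
    if m is None:
        return None
    body, fields, pos = m.group("body"), {}, 0
    while (f := FIELD.match(body, pos)):
        fields[f.group(1)] = f.group(2)
        pos = f.end()
    message = " ".join(body[pos:].split())  # collapse the padding spaces
    return {"ts": m.group("ts"), "tag": m.group("tag"),
            "fields": fields, "message": message}


def classify(message):
    """Return the label of the first failure marker found, or None."""
    for label, marker in FAILURE_MARKERS:
        if marker in message:
            return label
    return None


def triage(text):
    """List distinct failure records in order of first appearance, with counts."""
    findings = {}
    for record in join_wrapped(text):
        event = parse(record)
        if event is None:
            continue
        label = classify(event["message"])
        if label is None:
            continue
        key = (label, event["message"])
        if key not in findings:
            findings[key] = {"label": label, "message": event["message"],
                             "first_seen": event["ts"],
                             "fields": event["fields"], "count": 0}
        findings[key]["count"] += 1
    return list(findings.values())


if __name__ == "__main__":
    for item in triage(SAMPLE):
        print(f'{item["first_seen"]}  {item["label"]:<16} x{item["count"]}  {item["message"]}')
```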

travisryan (ASKER):

Main office, ASA 5520 ezvpn config:
!username <VPN username> password <removed>
tunnel-group <VPN group> type remote-access
tunnel-group <VPN group> general-attributes
default-group-policy <VPN policy>
tunnel-group <VPN group> ipsec-attributes
! ikev1 pre-shared-key <removed>
group-policy <VPN policy> internal
group-policy <VPN policy> attributes
nem enable


Remote office, ASA 5506 config:
vpnclient server <Main Office FW IP>
vpnclient mode network-extension-mode
vpnclient nem-st-autoconnect
vpnclient vpngroup <ezvpn group> password *****
vpnclient username <ezvpn user> password *****
vpnclient enable


ASA 5506 software version 9.5(2)
ASA 5520 software version 9.1(3)

ASKER CERTIFIED SOLUTION
travisryan

Cisco TAC helped me solve this issue.