
Need some help with Cisco ASA 5510 Site to Site VPN please?

By tonyrobinson
It should be straightforward but I'm missing something. I have two ASA 5510s and I have access to both ends. Due to not having access to the broadband routers, I'm stuck with one ASA having a public outside address and the other having a private outside address. I added an extra route for the private outside address.

I also have a remote VPN which works to all servers behind each ASA. I've been through the ASA site to site wizard at both ends.

sho crypto isakmp returns: State: MM_WAIT_MSG2 at both ends, so it's trying but not receiving a response. I've tried pumping through some interesting traffic but I can't get past this stage.

The logs show very few errors, all informational messages until:
"IP=xxx.xxx.xxx.xxx, Removing peer from peer table, no match"

Any help would be appreciated.


All Answers

Verify the ISAKMP Policies

by rpevley In reply to Need some help with Cisco ...

If the IPsec tunnel is not UP, check that the ISAKMP policies match with the remote peers. This ISAKMP policy is applicable to both the Site-to-Site (L2L) and Remote Access IPsec VPN.

If the Cisco VPN Clients or the Site-to-Site VPN are not able to establish the tunnel with the remote-end device, check that the two peers contain the same encryption, hash, authentication, and Diffie-Hellman parameter values, and that the remote peer policy specifies a lifetime less than or equal to the lifetime in the policy that the initiator sent. If the lifetimes are not identical, the security appliance uses the shorter lifetime. If no acceptable match exists, ISAKMP refuses negotiation, and the SA is not established.

"Error: Unable to remove Peer TblEntry, Removing peer from peer table failed, no match!"
Here is the detailed log message:

4|Mar 24 2010 10:21:50|713903: IP = X.X.X.X, Error: Unable to remove PeerTblEntry
3|Mar 24 2010 10:21:50|713902: IP = X.X.X.X, Removing peer from peer table failed, no match!
3|Mar 24 2010 10:21:50|713048: IP = X.X.X.X, Error processing payload: Payload ID: 1
4|Mar 24 2010 10:21:49|713903: IP = X.X.X.X, Information Exchange processing failed
5|Mar 24 2010 10:21:49|713904: IP = X.X.X.X, Received an un-encrypted NO_PROPOSAL_CHOSEN notify message, dropping

This message usually appears due to mismatched ISAKMP policies or a missing NAT 0 statement.

In addition, this message appears:

Error Message %PIX|ASA-6-713219: Queueing KEY-ACQUIRE messages to be processed when P1 SA is complete.

This message indicates that Phase 2 messages are being enqueued after Phase 1 completes. This error message might be due to one of these reasons:

Mismatch in phase on any of the peers

ACL is blocking the peers from completing phase 1

This message usually comes after the Removing peer from peer table failed, no match! error message.

If the Cisco VPN Client is unable to connect the head-end device, the problem can be the mismatch of ISAKMP Policy. The head-end device must match with one of the IKE Proposals of the Cisco VPN Client.

Note: For the ISAKMP policy and IPsec Transform-set that is used on the PIX/ASA, the Cisco VPN client cannot use a policy with a combination of DES and SHA. If you use DES, you need to use MD5 for the hash algorithm, or you can use the other combinations, 3DES with SHA and 3DES with MD5.

Response To Answer

by tonyrobinson In reply to Verify the ISAKMP Policies

Thanks for the comments, however, I'm still having the same problem.

The isakmp policies at both ends are:

isakmp identity address
isakmp enable outside
isakmp policy 50 authentication pre-share
isakmp policy 50 encryption aes-256
isakmp policy 50 hash sha
isakmp policy 50 group 5
isakmp policy 50 lifetime 86400
isakmp policy 60 authentication pre-share
isakmp policy 60 encryption 3des
isakmp policy 60 hash sha
isakmp policy 60 group 2
isakmp policy 60 lifetime 86400

I assume policy 60 is negotiated for the remote VPN and policy 50 (should be) being negotiated for the site to site VPN.

I also have a nat0 acl:

access-list Inside_nat0_outbound extended permit ip 10.0.2.0 255.255.255.0 RDP 255.255.255.0
nat (inside) 0 access-list Inside_nat0_outbound
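As an added illustration of the phase 1 matching rules rpevley describes and of the policy list posted above (this is example code written for this page, not code from the thread or from Cisco), the following Python script parses `isakmp policy` lines from two peers' configurations and reports which pair of policies would be accepted and with what lifetime. Site A's policies are the ones posted above; Site B, Site C, and the helper names `parse_isakmp_policies`, `find_match` and `negotiate` are constructed for the example.

```python
# Added example, not from the thread: check whether two ASAs have a usable
# ISAKMP (IKEv1 phase 1) policy in common, applying the matching rules given
# in the answer above. Site A's policies are the ones posted in the thread;
# Site B and Site C are constructed for illustration.
import re
from typing import Dict, Optional, Tuple

POLICY_RE = re.compile(r"^\s*isakmp policy (\d+) (\S+) (\S+)\s*$")
MATCH_KEYS = ("authentication", "encryption", "hash", "group")
DEFAULT_LIFETIME = 86400  # ASA default when no lifetime is configured

Policies = Dict[int, Dict[str, str]]


def parse_isakmp_policies(config: str) -> Policies:
    """Collect 'isakmp policy N <attribute> <value>' lines into {N: {attribute: value}}."""
    policies: Policies = {}
    for line in config.splitlines():
        m = POLICY_RE.match(line)
        if m:
            prio, attr, value = int(m.group(1)), m.group(2), m.group(3)
            policies.setdefault(prio, {})[attr] = value
    return policies


def find_match(initiator: Policies, responder: Policies) -> Optional[Tuple[int, int, int]]:
    """Return (initiator_policy, responder_policy, negotiated_lifetime) for the first
    acceptable pair, trying policies in priority order (lowest number first), or None.

    A pair is acceptable when encryption, hash, authentication and DH group are
    identical and the responder's lifetime is <= the initiator's; the shorter
    lifetime is the one used.
    """
    for ip, ipol in sorted(initiator.items()):
        for rp, rpol in sorted(responder.items()):
            if any(ipol.get(k) != rpol.get(k) for k in MATCH_KEYS):
                continue
            ilife = int(ipol.get("lifetime", DEFAULT_LIFETIME))
            rlife = int(rpol.get("lifetime", DEFAULT_LIFETIME))
            if rlife <= ilife:
                return ip, rp, min(ilife, rlife)
    return None


def negotiate(initiator_config: str, responder_config: str) -> Optional[Tuple[int, int, int]]:
    """Convenience wrapper: parse both configs and look for a matching policy."""
    return find_match(parse_isakmp_policies(initiator_config),
                      parse_isakmp_policies(responder_config))


# Site A: the policies posted in the thread.
SITE_A = """
isakmp policy 50 authentication pre-share
isakmp policy 50 encryption aes-256
isakmp policy 50 hash sha
isakmp policy 50 group 5
isakmp policy 50 lifetime 86400
isakmp policy 60 authentication pre-share
isakmp policy 60 encryption 3des
isakmp policy 60 hash sha
isakmp policy 60 group 2
isakmp policy 60 lifetime 86400
"""

# Site B (constructed): same proposal as A's policy 50 but a shorter lifetime.
SITE_B = """
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 5
isakmp policy 10 lifetime 28800
"""

# Site C (constructed): AES-256 with DH group 2, which matches neither of A's
# policies, so the responder answers NO_PROPOSAL_CHOSEN and phase 1 never completes.
SITE_C = """
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
"""

if __name__ == "__main__":
    print("A -> B:", negotiate(SITE_A, SITE_B))  # (50, 10, 28800)
    print("A -> C:", negotiate(SITE_A, SITE_C))  # None
```

Running it with Site A initiating to Site B selects A's policy 50 against B's policy 10 with the shorter 28800-second lifetime; against Site C no proposal is acceptable, which is the situation behind the NO_PROPOSAL_CHOSEN notify and the "Removing peer from peer table failed, no match!" lines quoted earlier in the thread.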

Response To Answer

by tonyrobinson In reply to Verify the ISAKMP Policies

Further information:

At one end there is a broadband router just before the ASA which translates an outside 212.xxx.xxx.xxx to another 212.xxx.xxx.xxx which means the outside address of the ASA is also on 212.xxx.xxx.xxx subnet.

At the other end a broadband router just before the ASA translates an outside public IP of 87.xxx.xxx.xxx to 10.xxx.xxx.xxx which means the outside of the ASA is also on 10.xxx.xxx.xxx subnet.

When I come to set the crypto map VPN_map peer, should I use the outside address of the ASA at both ends or the outside of the bb router at one end?

Have tried various combinations resulting in MM_WAIT_MSG2, MM_WAIT_MSG3, MM_WAIT_MSG4.

Response To Answer

by tonyrobinson In reply to Verify the ISAKMP Policies

Fixed it!

I set the peer to the outside address of the BB router instead of the outside address of the ASA and it started working.

Need some help with Cisco ASA 5510 Site to Site VPN please?

by sms21 In reply to Need some help with Cisco ...

You're missing the private key configuration line.

Response To Answer

by tonyrobinson In reply to Need some help with Cisco ...

I have a pre-shared-key - is that the same thing?

Have you tried the Cisco Support Community?

by lnl001 In reply to Need some help with Cisco ...

There are lots of great discussions and content on the Cisco Support Community regarding the ASA 5510.
Here is a search result!

https://supportforums.cisco.com/search.jspa?peopleEnabled=true&userID=&containerType=&container=&spotlight=true&q=ASA+5510

Need some help with Cisco ASA 5510 Site to Site VPN please

by sms21 In reply to Need some help with Cisco ...

Key must match at both ends.

Need some help with Cisco ASA 5510 Site to Site VPN please

by sms21 In reply to Need some help with Cisco ...

Always follow these rules in order.
A-N-R-V. I was taught this and it is foolproof.
A = Access: create access-lists to allow the tunnel traffic, and also access-lists to make your LAN traffic interesting, so it goes in the tunnel.

N = NAT (Network Address Translation): used when you want to disguise the real IP, typically using the public IP of the internet-facing interface.

R = Route: the tunnel endpoints must be able to ping each other to support the tunnel.

V = VPN: tunnel configuration to support the building of the tunnel and the encryption method.
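To make the A-N-R-V checklist concrete, here is an added example (written for this page, not code from the thread or from Cisco) that runs a consistency check over an ASA 8.2-style site-to-site configuration: it verifies that each crypto map entry references an interesting-traffic ACL (A), that every flow in that ACL is also exempted from NAT by the `nat 0` ACL (N), that some route covers the configured peer (R), and that the peer and transform set are present (V). The configuration text is constructed: the names `VPN_map` and `Inside_nat0_outbound` come from the thread, while the subnets, peer and gateway addresses are documentation-range placeholders, and `parse`, `route_covers` and `check_anrv` are helper names chosen for the example.

```python
# Added example, not from the thread: a consistency check over the A-N-R-V
# pieces of an ASA 8.2-style site-to-site configuration (ACL, NAT exemption,
# route, crypto map). The config text is constructed for illustration: the
# names VPN_map and Inside_nat0_outbound appear earlier in the thread, while
# the subnets, peer and gateway addresses are documentation-range placeholders.
import ipaddress
import re
from typing import Dict, List, Set, Tuple

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
ROUTE_RE = re.compile(r"^route (\S+) (\S+) (\S+) (\S+)(?: \d+)?$")
MAP_RE = re.compile(r"^crypto map (\S+) (\d+) (match address|set peer|set transform-set) (\S+)$")

Flow = Tuple[str, str, str, str]  # (local net, local mask, remote net, remote mask)


def parse(config: str):
    """Pull the ACLs, nat 0 bindings, crypto map entries and routes out of the config."""
    acls: Dict[str, Set[Flow]] = {}
    nat0_acls: Dict[str, str] = {}                    # interface -> nat 0 ACL name
    maps: Dict[Tuple[str, int], Dict[str, str]] = {}  # (map name, seq) -> settings
    routes: List[Tuple[str, str, str, str]] = []      # (interface, net, mask, gateway)
    for raw in config.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            acls.setdefault(m.group(1), set()).add(m.group(2, 3, 4, 5))
        elif m := NAT0_RE.match(line):
            nat0_acls[m.group(1)] = m.group(2)
        elif m := ROUTE_RE.match(line):
            routes.append(m.groups())
        elif m := MAP_RE.match(line):
            maps.setdefault((m.group(1), int(m.group(2))), {})[m.group(3)] = m.group(4)
    return acls, nat0_acls, maps, routes


def route_covers(routes, peer: str) -> bool:
    """True if some route (including a default route) contains the peer address."""
    addr = ipaddress.ip_address(peer)
    return any(addr in ipaddress.ip_network(f"{net}/{mask}", strict=False)
               for _iface, net, mask, _gw in routes)


def check_anrv(config: str) -> List[str]:
    """Return the problems found; an empty list means A, N, R and V all line up."""
    problems: List[str] = []
    acls, nat0_acls, maps, routes = parse(config)
    nat_exempt: Set[Flow] = set()
    for acl_name in nat0_acls.values():
        nat_exempt |= acls.get(acl_name, set())

    for (name, seq), settings in sorted(maps.items()):
        tag = f"{name} {seq}"
        # A: the crypto map must point at an existing interesting-traffic ACL
        crypto_acl = settings.get("match address")
        if crypto_acl not in acls:
            problems.append(f"{tag}: no interesting-traffic ACL (A)")
            continue
        # N: every interesting flow must also be exempted from NAT (nat 0)
        for flow in sorted(acls[crypto_acl]):
            if flow not in nat_exempt:
                problems.append(f"{tag}: {' '.join(flow)} missing from nat 0 ACL (N)")
        # R: the peer must be reachable through some route
        peer = settings.get("set peer")
        if peer and not route_covers(routes, peer):
            problems.append(f"{tag}: no route towards peer {peer} (R)")
        # V: peer and transform set are both required to build the tunnel
        for item in ("set peer", "set transform-set"):
            if item not in settings:
                problems.append(f"{tag}: missing '{item}' (V)")
    return problems


# Constructed: a configuration where all four pieces line up.
GOOD = """
access-list outside_cryptomap extended permit ip 10.0.2.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 10.0.2.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list Inside_nat0_outbound
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
crypto map VPN_map 1 match address outside_cryptomap
crypto map VPN_map 1 set peer 198.51.100.7
crypto map VPN_map 1 set transform-set ESP-AES-256-SHA
"""

# Constructed: nat 0 covers the wrong remote subnet, the only route does not
# reach the peer, and the transform set was never set.
BAD = """
access-list outside_cryptomap extended permit ip 10.0.2.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 10.0.2.0 255.255.255.0 192.168.20.0 255.255.255.0
nat (inside) 0 access-list Inside_nat0_outbound
route outside 192.168.10.0 255.255.255.0 203.0.113.1 1
crypto map VPN_map 1 match address outside_cryptomap
crypto map VPN_map 1 set peer 198.51.100.7
"""

if __name__ == "__main__":
    print("good:", check_anrv(GOOD))  # []
    print("bad:", "\n     ".join(check_anrv(BAD)))
```

The N check is the one most relevant to this thread: when the interesting-traffic ACL and the nat 0 ACL do not describe the same local and remote subnets, traffic is translated before it reaches the crypto map and never matches the tunnel, which is the "missing NAT 0 statement" case rpevley mentions. The R check only confirms that a route exists for the peer address; as tonyrobinson found, the peer itself must be the address the remote side is actually reachable at on the Internet (the broadband router's outside address when the ASA sits behind it), which no offline check can tell you.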
