VPN tunnel not coming up between Cisco ASA and Nortel Contivity

anantha.krishnan
Hello,
One of my vendors has a Cisco ASA 5520 and we are trying to build a VPN tunnel between the ASA 5520 and a Nortel 4500 Contivity box.

It passes phase 1, and during phase 2 I get this error message:
----------
3|Dec 06 2006|11:51:39|713119|||Group = 1.1.1.1 IP = 1.1.1.1PHASE 1 COMPLETED
6|Dec 06 2006|11:51:39|113009|||AAA retrieved default group policy (DfltGrpPolicy) for user = 1.1.1.1
4|Dec 06 2006|11:51:39|113019|||Group = 1.1.1.1, Username = 1.1.1.1, IP = 1.1.1.1, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:00m:03s, Bytes xmt: 0, Bytes rcv: 0, Reason: Peer Reconnected
4|Dec 06 2006|11:51:39|713903|||Group = 1.1.1.1, IP = 1.1.1.1, Freeing previously allocated memory for authorization-dn-attributes
4|Dec 06 2006|11:51:36|713903|||Group = 1.1.1.1, IP = 1.1.1.1, Information Exchange processing failed
5|Dec 06 2006|11:51:36|713904|||Group = 1.1.1.1, IP = 1.1.1.1, Received an un-encrypted INVALID_ID_INFO notify message, dropping
----------------

Similarly, when we check the remote Contivity box, we get a similar error:
----------
11/16/2006 12:43:39 0 Branch Office [01] IPSEC branch office connection initiated to rem[2.2.2.200-255.255.255.255]@[2.2.2.2] loc[10.50.61.0-255.255.255.0]
11/16/2006 12:43:39 0 Security [11] Session: IPSEC[2.2.2.2] attempting login
11/16/2006 12:43:39 0 Security [01] Session: IPSEC[2.2.2.2] has no active sessions
11/16/2006 12:43:39 0 Security [01] Session: IPSEC[2.2.2.2] Customer has no active accounts
11/16/2006 12:43:39 0 ISAKMP [13] Invalid ID information in message from 2.2.2.2
11/16/2006 12:43:39 0 tIsakmp [34] Failed Login Attempt: Username=2.2.2.2: Date/Time=11/16/2006 12:43:39
11/16/2006 12:43:39 0 ISAKMP [02] Deleting ISAKMP SA with 2.2.2.2
---------

Invalid ID info generally means that the networks are not matching, or that different routing is used where one end is static and the other end is dynamic. But in this case we checked that as well and still get the same error.

Any clue how to troubleshoot further?
    anantha.krishnan

    I fixed this issue myself after changing the IKE parameters in the Cisco ASA box to
    "isakmp identity automatic" from
    "isakmp identity address" in the global settings.

    Everything started working fine now.

    imstester

    I was seeing exactly the same error. Tried all the settings suggested in other replies, but no change. Finally, I added the following line on the ASA:
    isakmp identity address
    This makes the ASA use its IP address as the peer ID. This did the trick. Here is my working config, FYI:

    PHASE 2:
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto map outside_map 20 match address IPSecTunnel-AccessList
    crypto map outside_map 20 set peer XXX.XXX.XXX.XXX
    crypto map outside_map 20 set transform-set ESP-3DES-MD5
    crypto map outside_map 20 set security-association lifetime seconds 28800
    crypto map outside_map 20 set pfs group 2
    crypto map outside_map 20 set connection-type bidirectional
    crypto map outside_map 20 set phase1-mode main
    crypto map outside_map interface outside

    PHASE 1:
    isakmp identity address # use ip addr as peerID
    isakmp enable outside
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash md5
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 28800

    TUNNEL GROUP:
    tunnel-group XXX.XXX.XXX.XXX type ipsec-l2l # use ip addr as groupname or must be aggressive mode
    tunnel-group XXX.XXX.XXX.XXX ipsec-attributes
    pre-shared-key test-123

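Pulling the thread together, as an added example that is not part of any post above: a small Python triage script that parses the two log formats quoted in the question (ASA pipe-delimited syslog with its 7131xx/7139xx message IDs, and the Contivity event log), decides whether phase 1 or the phase 2 identity exchange failed, and lists the mismatches the replies turned out to matter. The log lines are constructed in the shape of the ones posted; the function names are this example's own.

```python
"""Triage an IKE 'Invalid ID' failure from ASA and Contivity logs (added example)."""
import re

# Constructed sample lines, shaped like the two logs quoted in the thread above.
ASA_LOG = """\
3|Dec 06 2006|11:51:39|713119|||Group = 1.1.1.1 IP = 1.1.1.1PHASE 1 COMPLETED
4|Dec 06 2006|11:51:36|713903|||Group = 1.1.1.1, IP = 1.1.1.1, Information Exchange processing failed
5|Dec 06 2006|11:51:36|713904|||Group = 1.1.1.1, IP = 1.1.1.1, Received an un-encrypted INVALID_ID_INFO notify message, dropping
"""
CONTIVITY_LOG = """\
11/16/2006 12:43:39 0 ISAKMP [13] Invalid ID information in message from 2.2.2.2
11/16/2006 12:43:39 0 ISAKMP [02] Deleting ISAKMP SA with 2.2.2.2
"""

# ASA syslog layout as pasted: severity|date|time|message-id|||text
ASA_RE = re.compile(r"^(\d)\|([^|]+)\|([^|]+)\|(\d{6})\|\|\|(.*)$")
PHASE1_DONE, INVALID_ID = 713119, 713904  # message IDs seen in the post


def parse_asa(text):
    """Return (message_id, text) pairs for every well-formed ASA line."""
    events = []
    for line in text.splitlines():
        m = ASA_RE.match(line)
        if m:
            events.append((int(m.group(4)), m.group(5)))
    return events


def diagnose(asa_events, contivity_text):
    """Decide which IKE stage failed from both sides' logs."""
    ids = {mid for mid, _ in asa_events}
    peer_rejects_id = "Invalid ID information" in contivity_text
    if PHASE1_DONE not in ids:
        return "phase1-failed"          # look at IKE policy / PSK first
    if INVALID_ID in ids or peer_rejects_id:
        return "phase2-id-mismatch"     # phase 1 fine, identities/proxy IDs rejected
    return "unknown"


def checklist(verdict):
    """Items to compare on both peers for the verdict, in the order the thread found useful."""
    if verdict != "phase2-id-mismatch":
        return []
    return [
        "IKE identity type: ASA 'isakmp identity address' vs automatic/hostname",
        "tunnel-group name must equal the peer address for main mode",
        "proxy IDs / crypto ACL vs Contivity local and remote networks",
        "static vs dynamic routing of the protected networks on each end",
    ]
```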