Question

VPN connection between ASA 5505 and Cisco Concentrator 3000 not coming up

By anish4
We are facing an issue while creating a VPN tunnel (3DES/SHA1) between two sites. I am attaching the configuration as well as the error message with this post. This configuration is from my end; I do not have the other end's configuration. Please check it out and advise us whether the error is from my end or from the other.

ERROR MESSAGE THAT I GOT


Oct 27 05:55:23 [IKEv1 DEBUG]: IP = 194.170.10.85, IKE MM Initiator FSM error history (struct &0xd88ff31) <state>, <event>: MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
Oct 27 05:55:23 [IKEv1 DEBUG]: IP = 194.170.10.85, IKE SA MM:ff73a10e terminating: flags 0x01000022, refcnt 0, tuncnt 0
Oct 27 05:55:23 [IKEv1 DEBUG]: IP = 194.170.10.85, sending delete/delete with reason message
Oct 27 05:55:23 [IKEv1]: IP = 194.170.10.85, Removing peer from peer table failed, no match!
Oct 27 05:55:23 [IKEv1]: IP = 194.170.10.85, Error: Unable to remove PeerTblEntry


I am attaching the configuration file also.

SH RUN


ASA# sh run
:
:
ASA Version 8.0(4)
!
hostname ASA


names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 192.168.1.251 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
access-list outside-acl extended permit ip 192.168.2.0 255.255.255.0 any
access-list outside-acl extended permit icmp 192.168.2.0 255.255.255.0 any
access-list inside-acl extended permit icmp any any
access-list outside_1_cryptomap extended permit ip 10.60.114.0 255.255.255.0 host 192.168.108.122
access-list inside_nat0_outbound extended permit ip 10.60.114.0 255.255.255.0 host 192.168.108.122
access-list inside_nat_outbound extended permit tcp 192.168.2.0 255.255.255.0 host 192.168.108.122 eq ssh
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
ip verify reverse-path interface outside
ip verify reverse-path interface inside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-611.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 2 10.60.114.12 netmask 255.255.255.255
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 2 access-list inside_nat_outbound
nat (inside) 1 192.168.2.0 255.255.255.0
access-group inside-acl in interface outside
access-group outside-acl in interface inside
route outside 0.0.0.0 0.0.0.0 192.168.1.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection preserve-vpn-flows
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 194.170.10.85
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set security-association lifetime seconds 28800
crypto map outside_map 1 set security-association lifetime kilobytes 1440
crypto map outside_map 1 set phase1-mode aggressive
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 3600
no crypto isakmp nat-traversal
telnet timeout 5
ssh 192.168.2.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd address 192.168.2.2-192.168.2.129 inside
dhcpd dns 193.188.97.212 193.188.97.197 interface inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username admin password TOyVyM6G6TXcuQ5w encrypted privilege 15
tunnel-group 194.170.10.85 type ipsec-l2l
tunnel-group 194.170.10.85 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:49701686c6da153714a347d150c23599
: end

Error messages I got:


ERROR MESSAGES (DURING VPN INITIALIZATION) - THIS ONE OCCURS WHENEVER WE TRY TO MAKE A VPN CONNECTION


ASA# Oct 28 05:14:39 [IKEv1]: IP = 194.170.10.85, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 308

ISAKMP Header
Initiator COOKIE: 69 7a 97 95 db 59 74 a2
Responder COOKIE: 00 00 00 00 00 00 00 00
Next Payload: Security Association
Version: 1.0
Exchange Type: Aggressive Mode
Flags: (none)
Message ID: 00000000
Length: 308
Payload Security Association
Next Payload: Key Exchange
Reserved: 00
Payload Length: 56
DOI: IPsec
Situation:(SIT_IDENTITY_ONLY)
Payload Proposal
Next Payload: None
Reserved: 00
Payload Length: 44
Proposal #: 1
Protocol-Id: PROTO_ISAKMP
SPI Size: 0
# of transforms: 1
Payload Transform
Next Payload: None
Reserved: 00
Payload Length: 36
Transform #: 1
Transform-Id: KEY_IKE
Reserved2: 0000
Group Description: Group 2
Encryption Algorithm: 3DES-CBC
Hash Algorithm: SHA1
Authentication Method: Preshared key
Life Type: seconds
Life Duration (Hex): 00 00 0e 10
Payload Key Exchange
Next Payload: Nonce
Reserved: 00
Payload Length: 132
Data:
51 f5 22 76 ba 63 f8 d4 cf 66 2b 98 1b 0d 45 0b
0f 9d bd 57 f6 92 8f 2e b5 e0 6b f2 ce ec ce d8
d1 9b 60 30 91 b0 6f de a2 2e 38 f4 57 ad 07 69
e8 a7 02 9d d6 0e 02 6e 4e 01 95 e2 9b 53 39 0b
c8 a9 77 77 d4 3f af 74 9a 7f 08 29 5f df ef c1
c6 39 66 07 b2 82 a5 c4 91 55 5d 51 1f af 7a f2
20 13 f8 0c 55 72 e1 21 1d e9 b0 ca 0f fe 24 12
99 2c 50 2b 3c d3 3b 4f 35 9a d3 0b a4 a1 97 1b
Payload Nonce
Next Payload: Identification
Reserved: 00
Payload Length: 24
Data:
b5 c9 65 dc 17 49 11 53 1e 1c 3a cf d7 35 c4 ed
ae ae f0 02
Payload Identification
Next Payload: Vendor ID
Reserved: 00
Payload Length: 12
ID Type: IPv4 Address (1)
Protocol ID (UDP/TCP, etc...): 17
Port: 500
ID Data: 192.168.1.251
Payload Vendor ID
Next Payload: Vendor ID
Reserved: 00
Payload Length: 20
Data (In Hex):
12 f5 f2 8c 45 71 68 a9 70 2d 9f e2 74 cc 01 00
Payload Vendor ID
Next Payload: Vendor ID
Reserved: 00
Payload Length: 12
Data (In Hex): 09 00 26 89 df d6 b7 12
Payload Vendor ID
Next Payload: None
Reserved: 00
Payload Length: 24
Data (In Hex):
40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
c0 00 00 00

ASA# Oct 28 05:14:47 [IKEv1 DEBUG]: IP = 194.170.10.85, IKE AM Initiator FSM error history (struct &0xd4f11bd0) <state>, <event>: AM_DONE, EV_ERROR-->AM_WAIT_MSG2, EV_RETRY-->AM_WAIT_MSG2, EV_TIMEOUT-->AM_WAIT_MSG2, NullEvent-->AM_SND_MSG1, EV_SND_MSG-->AM_SND_MSG1, EV_START_TMR-->AM_SND_MSG1, EV_RESEND_MSG-->AM_WAIT_MSG2, EV_RETRY
Oct 28 05:14:47 [IKEv1 DEBUG]: IP = 194.170.10.85, IKE SA AM:95977a69 terminating: flags 0x01000021, refcnt 0, tuncnt 0
Oct 28 05:14:47 [IKEv1 DEBUG]: IP = 194.170.10.85, sending delete/delete with reason message
Oct 28 05:14:47 [IKEv1]: IP = 194.170.10.85, Removing peer from peer table failed, no match!
Oct 28 05:14:47 [IKEv1]: IP = 194.170.10.85, Error: Unable to remove PeerTblEntry
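
Both FSM error histories in the post read newest first, and both end the same way: the ASA sent message 1 (MM_SND_MSG1 on Oct 27, AM_SND_MSG1 after the crypto map was switched to aggressive mode on Oct 28), sat in WAIT_MSG2 through EV_RESEND_MSG, EV_TIMEOUT and EV_RETRY, then tore the SA down. In other words the peer at 194.170.10.85 never answered message 1 in either mode, so no proposal was ever compared; the "Removing peer from peer table failed" and "Unable to remove PeerTblEntry" lines are cleanup after that teardown, not a separate fault. Two things in the posted configuration are worth checking against the far end before anything else: the outside interface holds the private address 192.168.1.251 with a default route via 192.168.1.254, so the peer sees the public address of that upstream NAT device while the ID payload in the dump carries 192.168.1.251, and `no crypto isakmp nat-traversal` means the ASA never offers NAT-T. The Python below is an added example for this thread, not code from the original post or from Cisco: it parses the posted history lines to report how far phase 1 got and why it stopped, and flags those configuration settings. The log lines are copied from the post; `CONFIG` is a constructed excerpt of the posted `sh run`.

```python
"""Triage of Cisco ASA IKEv1 debug output and the posted configuration.

Added example for this thread, not code from the original post or from Cisco.
LOG_LINES are copied from the post; CONFIG is a constructed excerpt of 'sh run'.
"""
import ipaddress
import re

# The ASA prints the FSM history newest first: "STATE, EVENT-->STATE, EVENT-->..."
FSM_RE = re.compile(
    r"IKE (?P<mode>MM|AM) Initiator FSM error history .*?<state>, <event>: (?P<hist>.+)$"
)
# Phase 1 states are named <mode>_SND_MSG<n> / <mode>_WAIT_MSG<n>; the highest n
# reached says how far the exchange got before it died.
MSG_STATE_RE = re.compile(r"_(?:WAIT|SND)_MSG(\d+)$")

LOG_LINES = [  # copied from the post (the ')' missing in the first line restored)
    "Oct 27 05:55:23 [IKEv1 DEBUG]: IP = 194.170.10.85, IKE MM Initiator FSM error history "
    "(struct &0xd88ff31) <state>, <event>: MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->"
    "MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->"
    "MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY",
    "Oct 28 05:14:47 [IKEv1 DEBUG]: IP = 194.170.10.85, IKE AM Initiator FSM error history "
    "(struct &0xd4f11bd0) <state>, <event>: AM_DONE, EV_ERROR-->AM_WAIT_MSG2, EV_RETRY-->"
    "AM_WAIT_MSG2, EV_TIMEOUT-->AM_WAIT_MSG2, NullEvent-->AM_SND_MSG1, EV_SND_MSG-->"
    "AM_SND_MSG1, EV_START_TMR-->AM_SND_MSG1, EV_RESEND_MSG-->AM_WAIT_MSG2, EV_RETRY",
    "Oct 27 05:55:23 [IKEv1]: IP = 194.170.10.85, Removing peer from peer table failed, no match!",
]

CONFIG = """\
interface Vlan2
 nameif outside
 ip address 192.168.1.251 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 192.168.1.254 1
crypto map outside_map 1 set peer 194.170.10.85
crypto map outside_map 1 set phase1-mode aggressive
crypto isakmp enable outside
no crypto isakmp nat-traversal
"""


def parse_fsm_history(line):
    """Return (mode, [(state, event), ...]) oldest first, or None for other lines."""
    m = FSM_RE.search(line)
    if m is None:
        return None
    pairs = []
    for chunk in m.group("hist").split("-->"):
        state, _, event = chunk.strip().partition(", ")
        pairs.append((state, event))
    pairs.reverse()  # the ASA printed them newest first
    return m.group("mode"), pairs


def diagnose(line):
    """Say where phase 1 stopped for one FSM error-history line."""
    parsed = parse_fsm_history(line)
    if parsed is None:
        return None
    mode, pairs = parsed
    deepest = 0
    for state, _ in pairs:
        sm = MSG_STATE_RE.search(state)
        if sm:
            deepest = max(deepest, int(sm.group(1)))
    events = {event for _, event in pairs}
    verdict = {
        "peer": re.search(r"IP = (\S+),", line).group(1),
        "mode": "Main Mode" if mode == "MM" else "Aggressive Mode",
        "deepest_msg": deepest,
        "timed_out": "EV_TIMEOUT" in events,
    }
    if deepest == 2 and verdict["timed_out"]:
        # Message 1 went out (EV_SND_MSG, EV_RESEND_MSG) and message 2 never came
        # back, so no proposal, key or identity was ever compared.
        verdict["cause"] = ("no reply to message 1: peer unreachable on UDP/500, "
                            "ISAKMP not enabled or no matching peer entry on the far "
                            "side, or a device in the path dropping the packets")
    elif verdict["timed_out"]:
        verdict["cause"] = f"peer answered but stopped responding before message {deepest}"
    else:
        verdict["cause"] = "phase 1 failed without a timeout; look for a NOTIFY from the peer"
    return verdict


def check_config(cfg):
    """Flag posted settings that matter when the ASA negotiates through a NAT."""
    findings = []
    m = re.search(r"nameif outside\n.*?ip address (\S+) ", cfg, re.S)
    if m and ipaddress.ip_address(m.group(1)).is_private:
        findings.append(f"outside interface {m.group(1)} is RFC 1918: the peer sees the "
                        "NAT device's public address, not the ID the ASA sends")
    if re.search(r"^no crypto isakmp nat-traversal$", cfg, re.M):
        findings.append("NAT-T disabled: UDP/4500 encapsulation is never offered")
    if re.search(r"set phase1-mode aggressive$", cfg, re.M):
        findings.append("aggressive mode forced on the crypto map; peer must accept it")
    return findings


if __name__ == "__main__":
    for entry in LOG_LINES:
        print(diagnose(entry))
    for finding in check_config(CONFIG):
        print("config:", finding)
```

Run as a script it prints a verdict per posted line: both history lines come back with `deepest_msg` 2 and `timed_out` True, which is the "never got message 2" case, and the peer-table line is skipped as housekeeping. The config check is deliberately narrow to what the post shows; it does not claim the NAT is the cause, only that the far end must be configured for the address it actually sees.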

This conversation is currently closed to new comments.
