Question : Problems moving L2L IPSec VPN from Cisco PIX to Cisco ASA 5520, connecting from Cisco 877
Dear Experts,
We had various remote sites (Cisco 800s) connecting to our HQ PIX firewall via IPSec VPN, and are now in the process of migrating the HQ to a new Internet circuit and Cisco ASA 5520 v8.3(1).
I managed to move three out of the four tunnels to the ASA, but am stuck on the last one, despite the configuration appearing to be acceptable. It might be significant, but the 877 in question actually gave some trouble when it was initially connected to the PIX some time back. The error looked similar to the current one pasted below, and was eventually solved by making the PIX present its IP address to the remote peer, rather than the hostname. However, that trick does not appear to work with the ASA.
It looks like ISAKMP phase 1 is not completing, although the parameters for the proposal do match.
Cisco 877 debug sample
Log Buffer (100000 bytes):
Jul 21 20:10:32: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Jul 21 20:10:32: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1
Jul 21 20:10:32: ISAKMP:(0):sending IKE_FRAG vendor ID
Jul 21 20:10:32: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
Jul 21 20:10:32: ISAKMP:(0): sending packet to 2.2.2.2 my_port 500 peer_port 500 (R) MM_SA_SETUP
Jul 21 20:10:32: ISAKMP:(0):Sending an IKE IPv4 Packet.
Jul 21 20:10:32: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Jul 21 20:10:32: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM2
Jul 21 20:10:34: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...
Jul 21 20:10:34: ISAKMP (0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
Jul 21 20:10:34: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP
Jul 21 20:10:34: ISAKMP:(0): sending packet to 2.2.2.2 my_port 500 peer_port 500 (R) MM_SA_SETUP
Jul 21 20:10:34: ISAKMP:(0):Sending an IKE IPv4 Packet.
Jul 21 20:10:40: ISAKMP (0): received packet from 2.2.2.2 dport 500 sport 500 Global (R) MM_SA_SETUP
Jul 21 20:10:40: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.
Jul 21 20:10:40: ISAKMP:(0): retransmitting due to retransmit phase 1
Jul 21 20:10:41: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...
Jul 21 20:10:41: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Jul 21 20:10:41: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP
Jul 21 20:10:41: ISAKMP:(0): sending packet to 2.2.2.2 my_port 500 peer_port 500 (R) MM_SA_SETUP
Jul 21 20:10:41: ISAKMP:(0):Sending an IKE IPv4 Packet.
Jul 21 20:10:44: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...
Jul 21 20:10:44: ISAKMP (0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
Jul 21 20:10:44: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP
Jul 21 20:10:44: ISAKMP:(0): sending packet to 2.2.2.2 my_port 500 peer_port 500 (R) MM_SA_SETUP
Jul 21 20:10:44: ISAKMP:(0):Sending an IKE IPv4 Packet.
Jul 21 20:10:45: ISAKMP:(0):purging SA., sa=84F7B828, delme=84F7B828
Jul 21 20:10:45: ISAKMP:(0):purging SA., sa=834553BC, delme=834553BC
Jul 21 20:10:45: ISAKMP:(0):purging SA., sa=84CC8650, delme=84CC8650
Jul 21 20:10:48: ISAKMP (0): received packet from 2.2.2.2 dport 500 sport 500 Global (R) MM_SA_SETUP
Jul 21 20:10:48: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.
Jul 21 20:10:48: ISAKMP:(0): retransmitting due to retransmit phase 1
Jul 21 20:10:49: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...
Jul 21 20:10:49: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
Jul 21 20:10:49: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP
Jul 21 20:10:49: ISAKMP:(0): sending packet to 2.2.2.2 my_port 500 peer_port 500 (R) MM_SA_SETUP
Jul 21 20:10:49: ISAKMP:(0):Sending an IKE IPv4 Packet.
Jul 21 20:10:54: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...
Jul 21 20:10:54: ISAKMP:(0):peer does not do paranoid keepalives.
Jul 21 20:10:54: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (R) MM_SA_SETUP (peer 2.2.2.2)
Jul 21 20:10:54: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (R) MM_SA_SETUP (peer 2.2.2.2)
Jul 21 20:10:54: ISAKMP: Unlocking peer struct 0x84CD087C for isadb_mark_sa_deleted(), count 0
Jul 21 20:10:54: ISAKMP: Deleting peer node by peer_reap for 2.2.2.2: 84CD087C
Jul 21 20:10:54: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Jul 21 20:10:54: ISAKMP:(0):Old State = IKE_R_MM2 New State = IKE_DEST_SA
Jul 21 20:10:56: ISAKMP (0): received packet from 2.2.2.2 dport 500 sport 500 Global (R) MM_SA_SETUP
Jul 21 20:10:56: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.
Jul 21 20:10:56: ISAKMP:(0): retransmitting due to retransmit phase 1
Jul 21 20:10:57: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...
Jul 21 20:10:57: ISAKMP (0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
Jul 21 20:10:57: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP
Jul 21 20:10:57: ISAKMP:(0): sending packet to 2.2.2.2 my_port 500 peer_port 500 (R) MM_SA_SETUP
Jul 21 20:10:57: ISAKMP:(0):Sending an IKE IPv4 Packet.
Jul 21 20:11:05: ISAKMP (0): received packet from 2.2.2.2 dport 500 sport 500 Global (N) NEW SA
Jul 21 20:11:05: ISAKMP: Created a peer struct for 2.2.2.2, peer port 500
Jul 21 20:11:05: ISAKMP: New peer created peer = 0x84CD087C peer_handle = 0x80000126
Jul 21 20:11:05: ISAKMP: Locking peer struct 0x84CD087C, refcount 1 for crypto_isakmp_process_block
Jul 21 20:11:05: ISAKMP: local port 500, remote port 500
Jul 21 20:11:05: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 834553BC
Jul 21 20:11:05: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jul 21 20:11:05: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
Jul 21 20:11:05: ISAKMP:(0): processing SA payload. message ID = 0
Jul 21 20:11:05: ISAKMP:(0): processing vendor id payload
Jul 21 20:11:05: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
Jul 21 20:11:05: ISAKMP:(0): vendor ID is NAT-T v2
Jul 21 20:11:05: ISAKMP:(0): processing vendor id payload
Jul 21 20:11:05: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
Jul 21 20:11:05: ISAKMP:(0): vendor ID is NAT-T v3
Jul 21 20:11:05: ISAKMP:(0): processing vendor id payload
Jul 21 20:11:05: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
Jul 21 20:11:05: ISAKMP (0): vendor ID is NAT-T RFC 3947
Jul 21 20:11:05: ISAKMP:(0): processing vendor id payload
Jul 21 20:11:05: ISAKMP:(0): processing IKE frag vendor id payload
Jul 21 20:11:05: ISAKMP:(0): vendor ID is IKE Fragmentation
Jul 21 20:11:05: ISAKMP:(0): AM Fragmentation supported
Jul 21 20:11:05: ISAKMP:(0):found peer pre-shared key matching 2.2.2.2
Jul 21 20:11:05: ISAKMP:(0): local preshared key found
Jul 21 20:11:05: ISAKMP : Scanning profiles for xauth ... isakmp isakmp_2
Jul 21 20:11:05: ISAKMP:(0):Checking ISAKMP transform 1 against priority 8 policy
Jul 21 20:11:05: ISAKMP: default group 5
Jul 21 20:11:05: ISAKMP: encryption AES-CBC
Jul 21 20:11:05: ISAKMP: keylength of 256
Jul 21 20:11:05: ISAKMP: hash SHA
Jul 21 20:11:05: ISAKMP: auth pre-share
Jul 21 20:11:05: ISAKMP: life type in seconds
Jul 21 20:11:05: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
Jul 21 20:11:05: ISAKMP:(0):Encryption algorithm offered does not match policy!
Jul 21 20:11:05: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jul 21 20:11:05: ISAKMP:(0):Checking ISAKMP transform 2 against priority 8 policy
Jul 21 20:11:05: ISAKMP: default group 2
Jul 21 20:11:05: ISAKMP: encryption 3DES-CBC
Jul 21 20:11:05: ISAKMP: hash MD5
Jul 21 20:11:05: ISAKMP: auth pre-share
Jul 21 20:11:05: ISAKMP: life type in seconds
Jul 21 20:11:05: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
Jul 21 20:11:05: ISAKMP:(0):atts are acceptable. Next payload is 0
Jul 21 20:11:05: ISAKMP:(0):Acceptable atts:actual life: 0
Jul 21 20:11:05: ISAKMP:(0):Acceptable atts:life: 0
Jul 21 20:11:05: ISAKMP:(0):Fill atts in sa vpi_length:4
Jul 21 20:11:05: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
Jul 21 20:11:05: ISAKMP:(0):Returning Actual lifetime: 86400
Jul 21 20:11:05: ISAKMP:(0)::Started lifetime timer: 86400.
Jul 21 20:11:05: ISAKMP:(0): processing vendor id payload
Jul 21 20:11:05: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
Jul 21 20:11:05: ISAKMP:(0): vendor ID is NAT-T v2
Jul 21 20:11:05: ISAKMP:(0): processing vendor id payload
Jul 21 20:11:05: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
Jul 21 20:11:05: ISAKMP:(0): vendor ID is NAT-T v3
Jul 21 20:11:05: ISAKMP:(0): processing vendor id payload
Jul 21 20:11:05: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
Jul 21 20:11:05: ISAKMP (0): vendor ID is NAT-T RFC 3947
Jul 21 20:11:05: ISAKMP:(0): processing vendor id payload
Jul 21 20:11:05: ISAKMP:(0): processing IKE frag vendor id payload
Jul 21 20:11:05: ISAKMP:(0): vendor ID is IKE Fragmentation
Jul 21 20:11:05: ISAKMP:(0): AM Fragmentation supported
Jul 21 20:11:05: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Jul 21 20:11:05: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1
Jul 21 20:11:05: ISAKMP:(0):sending IKE_FRAG vendor ID
Jul 21 20:11:05: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
Jul 21 20:11:05: ISAKMP:(0): sending packet to 2.2.2.2 my_port 500 peer_port 500 (R) MM_SA_SETUP
Jul 21 20:11:05: ISAKMP:(0):Sending an IKE IPv4 Packet.
Jul 21 20:11:05: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Jul 21 20:11:05: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM2
Jul 21 20:11:07: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...
Jul 21 20:11:07: ISAKMP (0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
Jul 21 20:11:07: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP
Jul 21 20:11:07: ISAKMP:(0): sending packet to 2.2.2.2 my_port 500 peer_port 500 (R) MM_SA_SETUP
Jul 21 20:11:07: ISAKMP:(0):Sending an IKE IPv4 Packet.
Jul 21 20:11:13: ISAKMP (0): received packet from 2.2.2.2 dport 500 sport 500 Global (R) MM_SA_SETUP
Jul 21 20:11:13: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.
Jul 21 20:11:13: ISAKMP:(0): retransmitting due to retransmit phase 1
Jul 21 20:11:14: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...
Jul 21 20:11:14: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Jul 21 20:11:14: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP
Jul 21 20:11:14: ISAKMP:(0): sending packet to 2.2.2.2 my_port 500 peer_port 500 (R) MM_SA_SETUP
Jul 21 20:11:14: ISAKMP:(0):Sending an IKE IPv4 Packet.
Jul 21 20:11:17: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...
Jul 21 20:11:17: ISAKMP (0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
Jul 21 20:11:17: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP
Jul 21 20:11:17: ISAKMP:(0): sending packet to 2.2.2.2 my_port 500 peer_port 500 (R) MM_SA_SETUP
Jul 21 20:11:17: ISAKMP:(0):Sending an IKE IPv4 Packet.
Cisco ASA 5520 debug sample
Jul 21 19:01:53 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jul 21 19:01:53 [IKEv1]: IP = 1.1.1.1, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Jul 21 19:01:53 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
In fact there is little in the way of errors on the ASA side!
I will paste some sanitised configs on here if requested. Thank you for your help!
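Added example, not from the poster or from Cisco: a small Python triage script that reads lines in the shape of the 877 debug above (a constructed excerpt is embedded) and separates the two things visible in it: transform 1 rejected on a policy mismatch, which is harmless because transform 2 is accepted, and the responder-side retransmit loop that ends in "Death by retransmission P1", meaning the 877's MM2 reply never drew an MM3 from the ASA. The regexes and the verdict wording are my assumptions.

```python
import re

# Constructed excerpt in the shape of the 877's 'debug crypto isakmp'
# output quoted in the question (a few lines, not the whole capture).
SAMPLE = """\
Jul 21 20:10:32: ISAKMP:(0): sending packet to 2.2.2.2 my_port 500 peer_port 500 (R) MM_SA_SETUP
Jul 21 20:10:34: ISAKMP (0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
Jul 21 20:10:44: ISAKMP (0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
Jul 21 20:10:54: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (R) MM_SA_SETUP (peer 2.2.2.2)
Jul 21 20:11:05: ISAKMP:(0):Checking ISAKMP transform 1 against priority 8 policy
Jul 21 20:11:05: ISAKMP:(0):Encryption algorithm offered does not match policy!
Jul 21 20:11:05: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jul 21 20:11:05: ISAKMP:(0):Checking ISAKMP transform 2 against priority 8 policy
Jul 21 20:11:05: ISAKMP:(0):atts are acceptable. Next payload is 0
"""

# Assumed patterns, written against the message formats visible above.
RX_ATTEMPT = re.compile(r"attempt (\d+) of (\d+): retransmit phase 1")
RX_DEATH = re.compile(r'"Death by retransmission P1".*\(peer ([\d.]+)\)')
RX_XFORM = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
RX_MISMATCH = re.compile(r"(\w[\w ]*) offered does not match policy!")


def triage_isakmp_debug(text):
    """Summarise phase 1 from IOS 'debug crypto isakmp' output.
    Returns each transform the responder evaluated (with the rejection
    reason), the highest retransmit attempt seen, and the peers whose
    phase-1 SA died by retransmission. A responder retransmitting
    MM_SA_SETUP until the SA dies means its MM2 never drew MM3 back.
    """
    transforms, current, max_attempt, dead_peers = [], None, 0, []
    for line in text.splitlines():
        if m := RX_XFORM.search(line):
            current = {"transform": int(m.group(1)), "policy": int(m.group(2)),
                       "accepted": None, "reason": None}
            transforms.append(current)
        elif (m := RX_MISMATCH.search(line)) and current:
            current["reason"] = m.group(1).strip()   # e.g. "Encryption algorithm"
        elif "atts are not acceptable" in line and current:
            current["accepted"] = False
        elif "atts are acceptable" in line and current:
            current["accepted"] = True
        elif m := RX_ATTEMPT.search(line):
            max_attempt = max(max_attempt, int(m.group(1)))
        elif m := RX_DEATH.search(line):
            dead_peers.append(m.group(1))
    verdict = ("phase 1 stuck as responder: MM3 never arrived, check UDP/500 path to peer"
               if dead_peers else "no phase-1 retransmit death seen")
    return {"transforms": transforms, "max_retransmit_attempt": max_attempt,
            "dead_peers": dead_peers, "verdict": verdict}
```

Run it over a full `debug crypto isakmp` capture: a proposal that is really mismatched shows every transform rejected, whereas this capture shows an accepted transform followed by the retransmit loop.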
Answer : Problems moving L2L IPSec VPN from Cisco PIX to Cisco ASA 5520, connecting from Cisco 877
Please give the ASA and 877 config.