
No IKE Phase 2 between ASA 5540 and VPN 3002 device


Staticfactory

IS-IT--Management
Mar 1, 2005
We are trying to get an old Cisco 3002 hardware VPN client to connect site-to-site with our central ASA5540 running the latest IOS version.

The client and the ASA successfully complete the IKE Phase 1 negotiations using a pre-shared key, but then the VPN device appears to stop responding and the SA negotiations are killed by the ASA. Repeat x infinity.

Any insight as to what could possibly cause the negotiations to fail at this point would be appreciated. Here is the log:

Mar 03 16:41:41 [IKEv1]: IP = 66.xxx.xxx.60, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 1019
Mar 03 16:41:41 [IKEv1 DEBUG]: IP = 66.xxx.xxx.60, processing SA payload
Mar 03 16:41:41 [IKEv1 DEBUG]: IP = 66.xxx.xxx.60, processing ke payload
Mar 03 16:41:41 [IKEv1 DEBUG]: IP = 66.xxx.xxx.60, processing ISA_KE payload
Mar 03 16:41:41 [IKEv1 DEBUG]: IP = 66.xxx.xxx.60, processing nonce payload
Mar 03 16:41:41 [IKEv1 DEBUG]: IP = 66.xxx.xxx.60, processing ID payload
Mar 03 16:41:41 [IKEv1 DEBUG]: IP = 66.xxx.xxx.60, processing VID payload
Mar 03 16:41:41 [IKEv1 DEBUG]: IP = 66.xxx.xxx.60, Received xauth V6 VID
Mar 03 16:41:41 [IKEv1 DEBUG]: IP = 66.xxx.xxx.60, processing VID payload
Mar 03 16:41:41 [IKEv1 DEBUG]: IP = 66.xxx.xxx.60, Received NAT-Traversal ver 02 VID
Mar 03 16:41:41 [IKEv1 DEBUG]: IP = 66.xxx.xxx.60, processing VID payload
Mar 03 16:41:41 [IKEv1 DEBUG]: IP = 66.xxx.xxx.60, Received NAT-Traversal ver 03 VID
Mar 03 16:41:41 [IKEv1 DEBUG]: IP = 66.xxx.xxx.60, processing VID payload
Mar 03 16:41:41 [IKEv1 DEBUG]: IP = 66.xxx.xxx.60, Received Fragmentation VID
Mar 03 16:41:41 [IKEv1 DEBUG]: IP = 66.xxx.xxx.60, IKE Peer included IKE fragmentation capability flags: Main Mode: True Aggressive Mode: True
Mar 03 16:41:41 [IKEv1 DEBUG]: IP = 66.xxx.xxx.60, processing VID payload
Mar 03 16:41:41 [IKEv1 DEBUG]: IP = 66.xxx.xxx.60, Received Cisco Unity client VID
Mar 03 16:41:41 [IKEv1]: IP = 66.xxx.xxx.60, Connection landed on tunnel_group DefaultL2LGroup
Mar 03 16:41:41 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 66.xxx.xxx.60, processing IKE SA payload
Mar 03 16:41:41 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 66.xxx.xxx.60, IKE SA Proposal # 1, Transform # 4 acceptable Matches global IKE entry # 4
Mar 03 16:41:41 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 66.xxx.xxx.60, constructing ISAKMP SA payload
Mar 03 16:41:41 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 66.xxx.xxx.60, constructing ke payload
Mar 03 16:41:41 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 66.xxx.xxx.60, constructing nonce payload
Mar 03 16:41:41 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 66.xxx.xxx.60, Generating keys for Responder...
Mar 03 16:41:41 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 66.xxx.xxx.60, constructing ID payload
Mar 03 16:41:41 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 66.xxx.xxx.60, constructing hash payload
Mar 03 16:41:41 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 66.xxx.xxx.60, Computing hash for ISAKMP
Mar 03 16:41:41 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 66.xxx.xxx.60, constructing Cisco Unity VID payload
Mar 03 16:41:41 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 66.xxx.xxx.60, constructing xauth V6 VID payload
Mar 03 16:41:41 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 66.xxx.xxx.60, constructing dpd vid payload
Mar 03 16:41:41 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 66.xxx.xxx.60, constructing Fragmentation VID + extended capabilities payload
Mar 03 16:41:41 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 66.xxx.xxx.60, constructing VID payload
Mar 03 16:41:41 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 66.xxx.xxx.60, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Mar 03 16:41:41 [IKEv1]: IP = 66.xxx.xxx.60, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 372
Mar 03 16:41:41 [IKEv1]: IP = 66.xxx.xxx.60, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + HASH (8) + NOTIFY (11) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 140
Mar 03 16:41:41 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 66.xxx.xxx.60, processing hash payload
Mar 03 16:41:41 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 66.xxx.xxx.60, Computing hash for ISAKMP
Mar 03 16:41:41 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 66.xxx.xxx.60, processing notify payload
Mar 03 16:41:41 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 66.xxx.xxx.60, processing VID payload
Mar 03 16:41:41 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 66.xxx.xxx.60, Received DPD VID
Mar 03 16:41:41 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 66.xxx.xxx.60, processing VID payload
Mar 03 16:41:41 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 66.xxx.xxx.60, Processing IOS/PIX Vendor ID payload (version: 1.0.0, capabilities: 00000408)
Mar 03 16:41:41 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 66.xxx.xxx.60, processing VID payload
Mar 03 16:41:41 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 66.xxx.xxx.60, Received Cisco Unity client VID
Mar 03 16:41:41 [IKEv1]: Group = DefaultL2LGroup, IP = 66.xxx.xxx.60, PHASE 1 COMPLETED
Mar 03 16:41:41 [IKEv1]: IP = 66.xxx.xxx.60, Keep-alive type for this connection: DPD
Mar 03 16:41:41 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 66.xxx.xxx.60, Starting P1 rekey timer: 82080 seconds.
Mar 03 16:41:41 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 66.xxx.xxx.60, sending notify message
Mar 03 16:41:41 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 66.xxx.xxx.60, constructing blank hash payload
Mar 03 16:41:41 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 66.xxx.xxx.60, constructing qm hash payload
Mar 03 16:41:41 [IKEv1]: IP = 66.xxx.xxx.60, IKE_DECODE SENDING Message (msgid=beb2b113) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 92
Mar 03 16:41:59 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 66.xxx.xxx.60, Sending keep-alive of type DPD R-U-THERE (seq number 0x72b1e0df)
Mar 03 16:41:59 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 66.xxx.xxx.60, constructing blank hash payload
Mar 03 16:41:59 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 66.xxx.xxx.60, constructing qm hash payload
Mar 03 16:41:59 [IKEv1]: IP = 66.xxx.xxx.60, IKE_DECODE SENDING Message (msgid=fca78b71) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Mar 03 16:42:01 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 66.xxx.xxx.60, Sending keep-alive of type DPD R-U-THERE (seq number 0x72b1e0e0)
Mar 03 16:42:01 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 66.xxx.xxx.60, constructing blank hash payload
Mar 03 16:42:01 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 66.xxx.xxx.60, constructing qm hash payload
Mar 03 16:42:01 [IKEv1]: IP = 66.xxx.xxx.60, IKE_DECODE SENDING Message (msgid=689a54f5) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Mar 03 16:42:03 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 66.xxx.xxx.60, Sending keep-alive of type DPD R-U-THERE (seq number 0x72b1e0e1)
Mar 03 16:42:03 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 66.xxx.xxx.60, constructing blank hash payload
Mar 03 16:42:03 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 66.xxx.xxx.60, constructing qm hash payload
Mar 03 16:42:03 [IKEv1]: IP = 66.xxx.xxx.60, IKE_DECODE SENDING Message (msgid=4b243664) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Mar 03 16:42:05 [IKEv1]: Group = DefaultL2LGroup, IP = 66.xxx.xxx.60, IKE lost contact with remote peer, deleting connection (keepalive type: DPD)
Mar 03 16:42:05 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 66.xxx.xxx.60, IKE SA AM:3023ef95 rcv'd Terminate: state AM_ACTIVE flags 0x0001c041, refcnt 1, tuncnt 0
Mar 03 16:42:05 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 66.xxx.xxx.60, IKE SA AM:3023ef95 terminating: flags 0x0101c001, refcnt 0, tuncnt 0
Mar 03 16:42:05 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 66.xxx.xxx.60, sending delete/delete with reason message
Mar 03 16:42:05 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 66.xxx.xxx.60, constructing blank hash payload
Mar 03 16:42:05 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 66.xxx.xxx.60, constructing IKE delete payload
Mar 03 16:42:05 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 66.xxx.xxx.60, constructing qm hash payload
Mar 03 16:42:05 [IKEv1]: IP = 66.xxx.xxx.60, IKE_DECODE SENDING Message (msgid=5505aedc) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
Mar 03 16:42:05 [IKEv1]: Ignoring msg to mark SA with dsID 712704 dead because SA deleted

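The debug output above can be reduced to a few facts worth checking mechanically: the peer negotiated phase 1 in aggressive mode ("IKE SA AM:"), it advertised the xauth and Cisco Unity client vendor IDs, it landed on DefaultL2LGroup, phase 1 completed, and after that the ASA sent three DPD R-U-THERE probes and received nothing back before tearing the SA down. The script below is an added example, not code from the original post; it parses a condensed, constructed subset of the posted "debug crypto isakmp" lines (peer address anonymised as in the post) and classifies where the negotiation stalled. The verdict labels, the IkeSession fields and the extra Quick Mode line used for contrast are this example's own assumptions, not ASA output.

```python
"""Classify where an IKEv1 negotiation stalled from ASA 'debug crypto isakmp' lines.
Added example for the thread above; not the poster's or Cisco's code."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: a condensed subset of the log posted above (same text, fewer lines).
SAMPLE_LOG = """\
Mar 03 16:41:41 [IKEv1]: IP = 66.xxx.xxx.60, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + NONE (0) total length : 1019
Mar 03 16:41:41 [IKEv1 DEBUG]: IP = 66.xxx.xxx.60, Received xauth V6 VID
Mar 03 16:41:41 [IKEv1 DEBUG]: IP = 66.xxx.xxx.60, Received Cisco Unity client VID
Mar 03 16:41:41 [IKEv1]: IP = 66.xxx.xxx.60, Connection landed on tunnel_group DefaultL2LGroup
Mar 03 16:41:41 [IKEv1]: IP = 66.xxx.xxx.60, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + NONE (0) total length : 372
Mar 03 16:41:41 [IKEv1]: IP = 66.xxx.xxx.60, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 140
Mar 03 16:41:41 [IKEv1]: Group = DefaultL2LGroup, IP = 66.xxx.xxx.60, PHASE 1 COMPLETED
Mar 03 16:41:41 [IKEv1]: IP = 66.xxx.xxx.60, IKE_DECODE SENDING Message (msgid=beb2b113) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 92
Mar 03 16:41:59 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 66.xxx.xxx.60, Sending keep-alive of type DPD R-U-THERE (seq number 0x72b1e0df)
Mar 03 16:42:01 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 66.xxx.xxx.60, Sending keep-alive of type DPD R-U-THERE (seq number 0x72b1e0e0)
Mar 03 16:42:03 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 66.xxx.xxx.60, Sending keep-alive of type DPD R-U-THERE (seq number 0x72b1e0e1)
Mar 03 16:42:05 [IKEv1]: Group = DefaultL2LGroup, IP = 66.xxx.xxx.60, IKE lost contact with remote peer, deleting connection (keepalive type: DPD)
Mar 03 16:42:05 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 66.xxx.xxx.60, IKE SA AM:3023ef95 rcv'd Terminate: state AM_ACTIVE flags 0x0001c041, refcnt 1, tuncnt 0
"""

# Constructed for contrast (hypothetical, not from the post): what a Quick Mode
# proposal arriving right after phase 1 would look like in the same format.
QM_LINE = ("Mar 03 16:41:42 [IKEv1]: IP = 66.xxx.xxx.60, IKE_DECODE RECEIVED Message "
           "(msgid=1a2b3c4d) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) "
           "+ ID (5) + NONE (0) total length : 172\n")
SAMPLE_LOG_WITH_QM = SAMPLE_LOG.split("Mar 03 16:41:59")[0] + QM_LINE

LINE_RE = re.compile(r"^\w{3} \d\d \d\d:\d\d:\d\d \[(?P<src>[^\]]+)\]: (?P<msg>.*)$")
DECODE_RE = re.compile(r"IKE_DECODE (?P<dir>RECEIVED|SENDING) Message \(msgid=(?P<msgid>[0-9a-f]+)\)"
                       r" with payloads : (?P<payloads>.+?) total length : \d+")
DPD_RE = re.compile(r"Sending keep-alive of type DPD R-U-THERE \(seq number 0x[0-9a-f]+\)")
SA_MODE_RE = re.compile(r"IKE SA (?P<mode>AM|MM):")      # AM = aggressive, MM = main mode
VID_RE = re.compile(r"Received (?P<vid>.+?) VID$")
GROUP_RE = re.compile(r"Connection landed on tunnel_group (?P<group>\S+)")
IP_RE = re.compile(r"IP = (?P<ip>\S+),")


@dataclass
class IkeSession:
    peer_ip: Optional[str] = None
    tunnel_group: Optional[str] = None
    aggressive_mode: Optional[bool] = None
    peer_vids: List[str] = field(default_factory=list)
    phase1_completed: bool = False
    received_after_phase1: int = 0     # any message from the peer after PHASE 1 COMPLETED
    quick_mode_received: bool = False  # non-zero msgid carrying an SA proposal
    dpd_sent: int = 0
    lost_contact: bool = False


def analyse(log_text: str) -> IkeSession:
    s = IkeSession()
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m.group("msg")
        if s.peer_ip is None and (ip := IP_RE.search(msg)):
            s.peer_ip = ip.group("ip")
        if g := GROUP_RE.search(msg):
            s.tunnel_group = g.group("group")
        if v := VID_RE.search(msg):
            s.peer_vids.append(v.group("vid"))
        if sm := SA_MODE_RE.search(msg):
            s.aggressive_mode = sm.group("mode") == "AM"
        if "PHASE 1 COMPLETED" in msg:
            s.phase1_completed = True
        elif d := DECODE_RE.search(msg):
            if d.group("dir") == "RECEIVED" and s.phase1_completed:
                s.received_after_phase1 += 1
                if d.group("msgid") != "0" and "SA (1)" in d.group("payloads"):
                    s.quick_mode_received = True
        elif DPD_RE.search(msg):
            s.dpd_sent += 1
        elif "IKE lost contact with remote peer" in msg:
            s.lost_contact = True
    return s


def classify(s: IkeSession) -> str:
    """Verdict labels are this example's own, not ASA terminology."""
    if not s.phase1_completed:
        return "phase1_not_completed"
    if s.quick_mode_received:
        return "phase2_proposal_received"
    if s.received_after_phase1 == 0 and s.lost_contact:
        return "peer_silent_after_phase1"
    return "phase2_not_started_peer_alive"


def report(s: IkeSession) -> List[str]:
    mode = {True: "aggressive", False: "main", None: "unknown"}[s.aggressive_mode]
    return [f"peer {s.peer_ip} landed on tunnel-group {s.tunnel_group}",
            f"phase 1 mode: {mode}; peer vendor IDs: {', '.join(s.peer_vids) or 'none'}",
            f"DPD R-U-THERE sent: {s.dpd_sent}; messages received after phase 1: {s.received_after_phase1}",
            f"verdict: {classify(s)}"]


if __name__ == "__main__":
    for sample in (SAMPLE_LOG, SAMPLE_LOG_WITH_QM):
        print("\n".join(report(analyse(sample))), end="\n\n")
```

Run against the posted log this yields "peer_silent_after_phase1": the ASA, as phase 1 responder, is waiting for the 3002 to open Quick Mode, and the only traffic after PHASE 1 COMPLETED is outbound (one notify, three unanswered DPD probes, then the delete). The contrasting constructed sample shows how a received proposal with a non-zero msgid changes the verdict, which is the first thing to look for in a fresh debug capture after any configuration change on the 3002.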
 
I should also mention that I'm not even sure if the 3002 is capable of tunneling L2L... we had it connect correctly using an RA configuration.
 
I don't think you can, I know it supports Network Extension mode - not sure if you will get more out of it than that.

Don't quote me though..
 
It's landing on the DefaultL2LGroup when it establishes IKE phase 1 (and it appears to like the pre-shared keys) so I'm a little confused.
 