ASA VPN - IKE lost contact with remote peer, deleting connection


  • ASA VPN - IKE lost contact with remote peer, deleting connection

    I'm trying to set up a VPN between a Cisco ASA 5510 and a remote ISA server. Phase 1 comes up but then the "IKE lost contact with remote peer, deleting connection" comes up.

    What could be causing this?

    The logs (111.111.111.111 is the remote endpoint):
    21:00:51: %ASA-3-713119: Group = 111.111.111.111, IP = 111.111.111.111, PHASE 1 COMPLETED
    21:00:51: %ASA-7-713121: IP = 111.111.111.111, Keep-alive type for this connection: DPD
    21:00:51: %ASA-7-713906: Group = 111.111.111.111, IP = 111.111.111.111, Starting phase 1 rekey timer: 64800000 (ms)
    21:00:52: %ASA-7-715036: Group = 111.111.111.111, IP = 111.111.111.111, Sending keep-alive of type DPD R-U-THERE (seq number 0x66612de1)
    21:00:52: %ASA-7-715046: Group = 111.111.111.111, IP = 111.111.111.111, constructing blank hash payload
    21:00:52: %ASA-7-715046: Group = 111.111.111.111, IP = 111.111.111.111, constructing qm hash payload
    21:00:52: %ASA-7-713236: IP = 111.111.111.111, IKE_DECODE SENDING Message (msgid=56732dee) with payloads : HDR + HASH ( + NOTIFY (11) + NONE (0) total length : 84
    21:00:54: %ASA-7-715036: Group = 111.111.111.111, IP = 111.111.111.111, Sending keep-alive of type DPD R-U-THERE (seq number 0x66612de2)
    21:00:54: %ASA-7-715046: Group = 111.111.111.111, IP = 111.111.111.111, constructing blank hash payload
    21:00:54: %ASA-7-715046: Group = 111.111.111.111, IP = 111.111.111.111, constructing qm hash payload
    21:00:54: %ASA-7-713236: IP = 111.111.111.111, IKE_DECODE SENDING Message (msgid=f3add2bd) with payloads : HDR + HASH ( + NOTIFY (11) + NONE (0) total length : 84
    21:00:54: %ASA-7-713906: Received unexpected event EV_RESEND_MSG in state MM_REKEY_DONE_H2
    21:00:56: %ASA-7-715036: Group = 111.111.111.111, IP = 111.111.111.111, Sending keep-alive of type DPD R-U-THERE (seq number 0x66612de3)
    21:00:56: %ASA-7-715046: Group = 111.111.111.111, IP = 111.111.111.111, constructing blank hash payload
    21:00:56: %ASA-7-715046: Group = 111.111.111.111, IP = 111.111.111.111, constructing qm hash payload
    21:00:56: %ASA-7-713236: IP = 111.111.111.111, IKE_DECODE SENDING Message (msgid=f65762ed) with payloads : HDR + HASH ( + NOTIFY (11) + NONE (0) total length : 84
    21:00:57: %ASA-7-713906: Received unexpected event EV_RESEND_MSG in state MM_REKEY_DONE_H2
    21:00:58: %ASA-3-713123: Group = 111.111.111.111, IP = 111.111.111.111, IKE lost contact with remote peer, deleting connection (keepalive type: DPD)



    Config at our end:
    object-group network REMOTENETWORK
    network-object 215.12.34.0 255.255.255.0

    access-list outside_cryptomap_100 extended permit ip 10.88.88.96 255.255.255.240 object-group REMOTENETWORK
    access-list outside_cryptomap_100 extended permit ip 10.88.88.128 255.255.255.224 object-group REMOTENETWORK

    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

    crypto map outside_map 100 match address outside_cryptomap_100
    crypto map outside_map 100 set peer 111.111.111.111
    crypto map outside_map 100 set transform-set ESP-3DES-SHA

    tunnel-group 111.111.111.111 type ipsec-l2l
    tunnel-group 111.111.111.111 ipsec-attributes
    pre-shared-key SECRETKEY

  • #2
    Re: ASA VPN - IKE lost contact with remote peer, deleting connection

    I've just been informed that the remote endpoint is not an ISA server, but a WatchGuard X750e firewall (10.2 firmware). /sigh


    • #3
      Re: ASA VPN - IKE lost contact with remote peer, deleting connection

      We have some logs from the remote server now: (222.222.222.222 is our endpoint)

      11:08:36 iked Drop negotiation to peer 222.222.222.222:500 due to phase 1 retry timeout msg_id="0203-5161" Debug
      11:08:40 iked WARNING: Mismatched ID settings at peer 222.222.222.222:500 caused an authentication failure msg_id="0203-5156" Debug
      11:08:40 iked Process 5/6 Msg : failed to process ID payload Debug



      11:17:00 iked Process 5/6 Msg : failed to process ID payload 4 Debug
      11:17:00 iked Process INFO_EXCHANGE : EncryptBit set before SA created Debug
      11:17:00 iked Cannot process the inform message from 222.222.222.222:500 to 111.111.111.111 cookies i=9a3397be 0547688f r=1665ee71 2185bf5c msg_id="0203-5059" Debug



      Screenshots of the remote setup:






      All the settings look like they match. Does that give anyone a clue what we need to double-check?
      Last edited by DrStalker; 30th June 2009, 09:41.
