Not applicable

Site to site vpn : Cisco ASA to FG60B

Hello All,

I'm working on a site-to-site VPN from an ASA 5505 (SiteB) to an FG60B (SiteA). I have configured both sides and I don't know why the tunnel is not coming up.

I will give a brief idea of what I did on the FG60B side, firmware v4.0.0,build0092,090220.

(SiteA) Internal network 192.168.1.0/24

Phase1:
Remote gateway: static IP: 217.x.x.x.227
Local interface: wan2
Mode: main
Authentication: preshare: password

On advanced option:
Enabled main interface IP
P1 proposal: 1 - encryption DES, authentication SHA1
DH group: 2
Keylife: 86400
NAT traversal: enabled
Keepalive freq: 20
Dead peer detection: enabled

On phase 2:
Selected phase 1, and in advanced:
P2 proposal: 1 - encryption DES, authentication SHA1
Enabled replay detection
Enabled perfect forward secrecy (PFS)
DH group: 2
Keylife: 86400
Auto keep alive: enabled

On firewall policy:
Source: internal
Source address: 192.168.1.0/24
Dest interface: wan2
Address: 192.68.100.0/24
Service: any
Action: ipsec
VPN tunnel: selected the proper one
NAT: enabled
VPN Tunnel Allowed inbound
Inbound NAT: enabled
Allowed outbound

That's it on the FG side.

On the ASA side it's a bit different: I'm trying to do the VPN from inside the network, which means I have a DSL router and I have done port forwarding to the ASA, so basically the ASA outside interface gets a private IP address which is mapped with my DSL router. I will give the conf detail also:

```
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.1.0 peer
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.100.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.10.150 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list outside_1_cryptomap extended permit ip 192.168.100.0 255.255.255.0 peer 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 peer 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 192.168.10.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 0.0.0.0 0.0.0.0 inside
http peer 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 217.x.x.197
crypto map outside_map 1 set transform-set ESP-DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 213.42.20.20
dhcpd auto_config outside
!
dhcpd address 192.168.100.2-192.168.100.254 inside
dhcpd enable inside
!
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
tunnel-group 217.x.x.197 type ipsec-l2l
tunnel-group 217.x.x.197 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
```

--------------------------

```
Jun 24 02:04:24 [IKEv1]: IP = 192.168.10.2, Header invalid, missing SA payload! (next payload = 4)
Jun 24 02:04:24 [IKEv1]: IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
ciscoasa# Jun 24 02:04:32 [IKEv1]: IP = 192.168.10.2, Header invalid, missing SA payload! (next payload = 4)
Jun 24 02:04:32 [IKEv1]: IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
Jun 24 02:04:38 [IKEv1]: IP = 192.168.10.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 364
Jun 24 02:04:38 [IKEv1 DEBUG]: IP = 192.168.10.2, processing SA payload
Jun 24 02:04:38 [IKEv1 DEBUG]: IP = 192.168.10.2, Oakley proposal is acceptable
Jun 24 02:04:38 [IKEv1 DEBUG]: IP = 192.168.10.2, processing VID payload
Jun 24 02:04:38 [IKEv1 DEBUG]: IP = 192.168.10.2, Received NAT-Traversal RFC VID
Jun 24 02:04:38 [IKEv1 DEBUG]: IP = 192.168.10.2, processing VID payload
Jun 24 02:04:38 [IKEv1 DEBUG]: IP = 192.168.10.2, processing VID payload
Jun 24 02:04:38 [IKEv1 DEBUG]: IP = 192.168.10.2, processing VID payload
Jun 24 02:04:38 [IKEv1 DEBUG]: IP = 192.168.10.2, processing VID payload
Jun 24 02:04:38 [IKEv1 DEBUG]: IP = 192.168.10.2, processing VID payload
Jun 24 02:04:38 [IKEv1 DEBUG]: IP = 192.168.10.2, processing VID payload
Jun 24 02:04:38 [IKEv1 DEBUG]: IP = 192.168.10.2, Received NAT-Traversal ver 03 VID
Jun 24 02:04:38 [IKEv1 DEBUG]: IP = 192.168.10.2, processing VID payload
Jun 24 02:04:38 [IKEv1 DEBUG]: IP = 192.168.10.2, processing VID payload
Jun 24 02:04:38 [IKEv1 DEBUG]: IP = 192.168.10.2, Received NAT-Traversal ver 02 VID
Jun 24 02:04:38 [IKEv1 DEBUG]: IP = 192.168.10.2, processing VID payload
Jun 24 02:04:38 [IKEv1 DEBUG]: IP = 192.168.10.2, processing VID payload
Jun 24 02:04:38 [IKEv1 DEBUG]: IP = 192.168.10.2, processing VID payload
Jun 24 02:04:38 [IKEv1 DEBUG]: IP = 192.168.10.2, Received DPD VID
Jun 24 02:04:38 [IKEv1 DEBUG]: IP = 192.168.10.2, processing IKE SA payload
Jun 24 02:04:38 [IKEv1 DEBUG]: IP = 192.168.10.2, IKE SA Proposal # 1, Transform # 1 acceptable Matches global IKE entry # 2
Jun 24 02:04:38 [IKEv1 DEBUG]: IP = 192.168.10.2, constructing ISAKMP SA payload
Jun 24 02:04:38 [IKEv1 DEBUG]: IP = 192.168.10.2, constructing Fragmentation VID + extended capabilities payload
Jun 24 02:04:38 [IKEv1]: IP = 192.168.10.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
Jun 24 02:04:38 [IKEv1]: IP = 192.168.10.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NONE (0) total length : 180
Jun 24 02:04:38 [IKEv1 DEBUG]: IP = 192.168.10.2, processing ke payload
Jun 24 02:04:38 [IKEv1 DEBUG]: IP = 192.168.10.2, processing ISA_KE payload
Jun 24 02:04:38 [IKEv1 DEBUG]: IP = 192.168.10.2, processing nonce payload
Jun 24 02:04:38 [IKEv1 DEBUG]: IP = 192.168.10.2, constructing ke payload
Jun 24 02:04:38 [IKEv1 DEBUG]: IP = 192.168.10.2, constructing nonce payload
Jun 24 02:04:38 [IKEv1 DEBUG]: IP = 192.168.10.2, constructing Cisco Unity VID payload
Jun 24 02:04:38 [IKEv1 DEBUG]: IP = 192.168.10.2, constructing xauth V6 VID payload
Jun 24 02:04:38 [IKEv1 DEBUG]: IP = 192.168.10.2, Send IOS VID
Jun 24 02:04:38 [IKEv1 DEBUG]: IP = 192.168.10.2, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Jun 24 02:04:38 [IKEv1 DEBUG]: IP = 192.168.10.2, constructing VID payload
Jun 24 02:04:38 [IKEv1 DEBUG]: IP = 192.168.10.2, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Jun 24 02:04:38 [IKEv1]: Group = 192.168.10.2, IP = 192.168.10.2, Can't find a valid tunnel group, aborting...!
Jun 24 02:04:38 [IKEv1 DEBUG]: Group = 192.168.10.2, IP = 192.168.10.2, IKE MM Responder FSM error history (struct &0x3e5ea50) <state>, <event>: MM_DONE, EV_ERROR-->MM_BLD_MSG4, EV_GROUP_LOOKUP-->MM_BLD_MSG4, EV_TEST_CERT-->MM_BLD_MSG4, EV_BLD_MSG4-->MM_BLD_MSG4, EV_TEST_CRACK-->MM_BLD_MSG4, EV_SECRET_KEY_OK-->MM_BLD_MSG4, NullEvent-->MM_BLD_MSG4, EV_GEN_SECRET_KEY
Jun 24 02:04:38 [IKEv1 DEBUG]: Group = 192.168.10.2, IP = 192.168.10.2, IKE SA MM:823a85e7 terminating: flags 0x01000002, refcnt 0, tuncnt 0
Jun 24 02:04:38 [IKEv1 DEBUG]: Group = 192.168.10.2, IP = 192.168.10.2, sending delete/delete with reason message
Jun 24 02:04:38 [IKEv1]: Group = 192.168.10.2, IP = 192.168.10.2, Removing peer from peer table failed, no match!
Jun 24 02:04:38 [IKEv1]: Group = 192.168.10.2, IP = 192.168.10.2, Error: Unable to remove PeerTblEntry
Jun 24 02:04:40 [IKEv1]: IP = 192.168.10.2, Header invalid, missing SA payload! (next payload = 4)
Jun 24 02:04:40 [IKEv1]: IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
Jun 24 02:04:44 [IKEv1]: IP = 192.168.10.2, Header invalid, missing SA payload! (next payload = 4)
Jun 24 02:04:44 [IKEv1]: IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
Jun 24 02:04:52 [IKEv1]: IP = 192.168.10.2, Header invalid, missing SA payload! (next payload = 4)
Jun 24 02:04:52 [IKEv1]: IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
Jun 24 02:04:58 [IKEv1]: IP = 192.168.10.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 364
Jun 24 02:04:58 [IKEv1 DEBUG]: IP = 192.168.10.2, processing SA payload
Jun 24 02:04:58 [IKEv1 DEBUG]: IP = 192.168.10.2, Oakley proposal is acceptable
Jun 24 02:04:58 [IKEv1 DEBUG]: IP = 192.168.10.2, processing VID payload
Jun 24 02:04:58 [IKEv1 DEBUG]: IP = 192.168.10.2, Received NAT-Traversal RFC VID
Jun 24 02:04:58 [IKEv1 DEBUG]: IP = 192.168.10.2, processing VID payload
Jun 24 02:04:58 [IKEv1 DEBUG]: IP = 192.168.10.2, processing VID payload
Jun 24 02:04:58 [IKEv1 DEBUG]: IP = 192.168.10.2, processing VID payload
Jun 24 02:04:58 [IKEv1 DEBUG]: IP = 192.168.10.2, processing VID payload
Jun 24 02:04:58 [IKEv1 DEBUG]: IP = 192.168.10.2, processing VID payload
Jun 24 02:04:58 [IKEv1 DEBUG]: IP = 192.168.10.2, processing VID payload
Jun 24 02:04:58 [IKEv1 DEBUG]: IP = 192.168.10.2, Received NAT-Traversal ver 03 VID
Jun 24 02:04:58 [IKEv1 DEBUG]: IP = 192.168.10.2, processing VID payload
Jun 24 02:04:58 [IKEv1 DEBUG]: IP = 192.168.10.2, processing VID payload
Jun 24 02:04:58 [IKEv1 DEBUG]: IP = 192.168.10.2, Received NAT-Traversal ver 02 VID
Jun 24 02:04:58 [IKEv1 DEBUG]: IP = 192.168.10.2, processing VID payload
Jun 24 02:04:58 [IKEv1 DEBUG]: IP = 192.168.10.2, processing VID payload
Jun 24 02:04:58 [IKEv1 DEBUG]: IP = 192.168.10.2, processing VID payload
Jun 24 02:04:58 [IKEv1 DEBUG]: IP = 192.168.10.2, Received DPD VID
Jun 24 02:04:58 [IKEv1 DEBUG]: IP = 192.168.10.2, processing IKE SA payload
Jun 24 02:04:58 [IKEv1 DEBUG]: IP = 192.168.10.2, IKE SA Proposal # 1, Transform # 1 acceptable Matches global IKE entry # 2
Jun 24 02:04:58 [IKEv1 DEBUG]: IP = 192.168.10.2, constructing ISAKMP SA payload
Jun 24 02:04:58 [IKEv1 DEBUG]: IP = 192.168.10.2, constructing Fragmentation VID + extended capabilities payload
Jun 24 02:04:58 [IKEv1]: IP = 192.168.10.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
Jun 24 02:05:00 [IKEv1]: IP = 192.168.10.2, Duplicate Phase 1 packet detected. Retransmitting last packet.
Jun 24 02:05:00 [IKEv1]: IP = 192.168.10.2, P1 Retransmit msg dispatched to MM FSM
Jun 24 02:05:00 [IKEv1]: IP = 192.168.10.2, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
Jun 24 02:05:00 [IKEv1]: IP = 192.168.10.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NONE (0) total length : 180
Jun 24 02:05:00 [IKEv1 DEBUG]: IP = 192.168.10.2, processing ke payload
Jun 24 02:05:00 [IKEv1 DEBUG]: IP = 192.168.10.2, processing ISA_KE payload
Jun 24 02:05:00 [IKEv1 DEBUG]: IP = 192.168.10.2, processing nonce payload
Jun 24 02:05:00 [IKEv1 DEBUG]: IP = 192.168.10.2, constructing ke payload
Jun 24 02:05:00 [IKEv1 DEBUG]: IP = 192.168.10.2, constructing nonce payload
Jun 24 02:05:00 [IKEv1 DEBUG]: IP = 192.168.10.2, constructing Cisco Unity VID payload
Jun 24 02:05:00 [IKEv1 DEBUG]: IP = 192.168.10.2, constructing xauth V6 VID payload
Jun 24 02:05:00 [IKEv1 DEBUG]: IP = 192.168.10.2, Send IOS VID
Jun 24 02:05:00 [IKEv1 DEBUG]: IP = 192.168.10.2, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Jun 24 02:05:00 [IKEv1 DEBUG]: IP = 192.168.10.2, constructing VID payload
Jun 24 02:05:00 [IKEv1 DEBUG]: IP = 192.168.10.2, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Jun 24 02:05:00 [IKEv1]: Group = 192.168.10.2, IP = 192.168.10.2, Can't find a valid tunnel group, aborting...!
Jun 24 02:05:00 [IKEv1 DEBUG]: Group = 192.168.10.2, IP = 192.168.10.2, IKE MM Responder FSM error history (struct &0x3e5ea50) <state>, <event>: MM_DONE, EV_ERROR-->MM_BLD_MSG4, EV_GROUP_LOOKUP-->MM_BLD_MSG4, EV_TEST_CERT-->MM_BLD_MSG4, EV_BLD_MSG4-->MM_BLD_MSG4, EV_TEST_CRACK-->MM_BLD_MSG4, EV_SECRET_KEY_OK-->MM_BLD_MSG4, NullEvent-->MM_BLD_MSG4, EV_GEN_SECRET_KEY
Jun 24 02:05:00 [IKEv1 DEBUG]: Group = 192.168.10.2, IP = 192.168.10.2, IKE SA MM:73cc7f62 terminating: flags 0x01000002, refcnt 0, tuncnt 0
Jun 24 02:05:00 [IKEv1 DEBUG]: Group = 192.168.10.2, IP = 192.168.10.2, sending delete/delete with reason message
Jun 24 02:05:00 [IKEv1]: Group = 192.168.10.2, IP = 192.168.10.2, Removing peer from peer table failed, no match!
Jun 24 02:05:00 [IKEv1]: Group = 192.168.10.2, IP = 192.168.10.2, Error: Unable to remove PeerTblEntry
Jun 24 02:05:02 [IKEv1]: IP = 192.168.10.2, Header invalid, missing SA payload! (next payload = 4)
Jun 24 02:05:02 [IKEv1]: IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
Jun 24 02:05:06 [IKEv1]: IP = 192.168.10.2, Header invalid, missing SA payload! (next payload = 4)
Jun 24 02:05:06 [IKEv1]: IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
Jun 24 02:05:14 [IKEv1]: IP = 192.168.10.2, Header invalid, missing SA payload! (next payload = 4)
Jun 24 02:05:14 [IKEv1]: IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
Jun 24 02:05:18 [IKEv1]: IP = 192.168.10.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 364
Jun 24 02:05:18 [IKEv1 DEBUG]: IP = 192.168.10.2, processing SA payload
Jun 24 02:05:18 [IKEv1 DEBUG]: IP = 192.168.10.2, Oakley proposal is acceptable
Jun 24 02:05:18 [IKEv1 DEBUG]: IP = 192.168.10.2, processing VID payload
Jun 24 02:05:18 [IKEv1 DEBUG]: IP = 192.168.10.2, Received NAT-Traversal RFC VID
Jun 24 02:05:18 [IKEv1 DEBUG]: IP = 192.168.10.2, processing VID payload
Jun 24 02:05:18 [IKEv1 DEBUG]: IP = 192.168.10.2, processing VID payload
Jun 24 02:05:18 [IKEv1 DEBUG]: IP = 192.168.10.2, processing VID payload
Jun 24 02:05:18 [IKEv1 DEBUG]: IP = 192.168.10.2, processing VID payload
Jun 24 02:05:18 [IKEv1 DEBUG]: IP = 192.168.10.2, processing VID payload
Jun 24 02:05:18 [IKEv1 DEBUG]: IP = 192.168.10.2, processing VID payload
Jun 24 02:05:18 [IKEv1 DEBUG]: IP = 192.168.10.2, Received NAT-Traversal ver 03 VID
Jun 24 02:05:18 [IKEv1 DEBUG]: IP = 192.168.10.2, processing VID payload
Jun 24 02:05:18 [IKEv1 DEBUG]: IP = 192.168.10.2, processing VID payload
Jun 24 02:05:18 [IKEv1 DEBUG]: IP = 192.168.10.2, Received NAT-Traversal ver 02 VID
Jun 24 02:05:18 [IKEv1 DEBUG]: IP = 192.168.10.2, processing VID payload
Jun 24 02:05:18 [IKEv1 DEBUG]: IP = 192.168.10.2, processing VID payload
Jun 24 02:05:18 [IKEv1 DEBUG]: IP = 192.168.10.2, processing VID payload
Jun 24 02:05:18 [IKEv1 DEBUG]: IP = 192.168.10.2, Received DPD VID
Jun 24 02:05:18 [IKEv1 DEBUG]: IP = 192.168.10.2, processing IKE SA payload
Jun 24 02:05:18 [IKEv1 DEBUG]: IP = 192.168.10.2, IKE SA Proposal # 1, Transform # 1 acceptable Matches global IKE entry # 2
Jun 24 02:05:18 [IKEv1 DEBUG]: IP = 192.168.10.2, constructing ISAKMP SA payload
Jun 24 02:05:18 [IKEv1 DEBUG]: IP = 192.168.10.2, constructing Fragmentation VID + extended capabilities payload
Jun 24 02:05:18 [IKEv1]: IP = 192.168.10.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
Jun 24 02:05:18 [IKEv1]: IP = 192.168.10.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NONE (0) total length : 180
Jun 24 02:05:18 [IKEv1 DEBUG]: IP = 192.168.10.2, processing ke payload
Jun 24 02:05:18 [IKEv1 DEBUG]: IP = 192.168.10.2, processing ISA_KE payload
Jun 24 02:05:18 [IKEv1 DEBUG]: IP = 192.168.10.2, processing nonce payload
Jun 24 02:05:18 [IKEv1 DEBUG]: IP = 192.168.10.2, constructing ke payload
Jun 24 02:05:18 [IKEv1 DEBUG]: IP = 192.168.10.2, constructing nonce payload
Jun 24 02:05:18 [IKEv1 DEBUG]: IP = 192.168.10.2, constructing Cisco Unity VID payload
Jun 24 02:05:18 [IKEv1 DEBUG]: IP = 192.168.10.2, constructing xauth V6 VID payload
Jun 24 02:05:18 [IKEv1 DEBUG]: IP = 192.168.10.2, Send IOS VID
Jun 24 02:05:18 [IKEv1 DEBUG]: IP = 192.168.10.2, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Jun 24 02:05:18 [IKEv1 DEBUG]: IP = 192.168.10.2, constructing VID payload
Jun 24 02:05:18 [IKEv1 DEBUG]: IP = 192.168.10.2, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Jun 24 02:05:18 [IKEv1]: Group = 192.168.10.2, IP = 192.168.10.2, Can't find a valid tunnel group, aborting...!
Jun 24 02:05:18 [IKEv1 DEBUG]: Group = 192.168.10.2, IP = 192.168.10.2, IKE MM Responder FSM error history (struct &0x3e5ea50) <state>, <event>: MM_DONE, EV_ERROR-->MM_BLD_MSG4, EV_GROUP_LOOKUP-->MM_BLD_MSG4, EV_TEST_CERT-->MM_BLD_MSG4, EV_BLD_MSG4-->MM_BLD_MSG4, EV_TEST_CRACK-->MM_BLD_MSG4, EV_SECRET_KEY_OK-->MM_BLD_MSG4, NullEvent-->MM_BLD_MSG4, EV_GEN_SECRET_KEY
Jun 24 02:05:18 [IKEv1 DEBUG]: Group = 192.168.10.2, IP = 192.168.10.2, IKE SA MM:c70496bf terminating: flags 0x01000002, refcnt 0, tuncnt 0
Jun 24 02:05:18 [IKEv1 DEBUG]: Group = 192.168.10.2, IP = 192.168.10.2, sending delete/delete with reason message
Jun 24 02:05:18 [IKEv1]: Group = 192.168.10.2, IP = 192.168.10.2, Removing peer from peer table failed, no match!
Jun 24 02:05:18 [IKEv1]: Group = 192.168.10.2, IP = 192.168.10.2, Error: Unable to remove PeerTblEntry
Jun 24 02:05:20 [IKEv1]: IP = 192.168.10.2, Header invalid, missing SA payload! (next payload = 4)
Jun 24 02:05:20 [IKEv1]: IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
ciscoasa# Jun 24 02:05:24 [IKEv1]: IP = 192.168.10.2, Header invalid, missing SA payload! (next payload = 4)
Jun 24 02:05:24 [IKEv1]: IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
```

Can anybody please help me? Thanks in advance!

Regards,
2 REPLIES
damiri
New Contributor

Jun 24 02:05:18 [IKEv1]: Group = 192.168.10.2, IP = 192.168.10.2, Can't find a valid tunnel group, aborting...!
try to set quick selectors ...
Not applicable

Thanks, I have sorted it out some other way. Actually there was a routing issue on the FG side. I just followed another way, http://kc.forticare.com/default.asp?id=3574&SID=&Lang=1, and it worked fine. Really, thanks.
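An added example, not from the thread or from Cisco or Fortinet, that triages ASA IKEv1 debug output of the kind posted in the question: for each "valid tunnel group" abort it reports which Main Mode message was last received from the peer and whether the name the ASA looked up exists as a `tunnel-group` in the configuration. The sample log and config are constructed excerpts in the thread's format, and the function names are this example's own.

```python
import re

# Constructed sample in the format of the debug output and running-config
# quoted in the thread (a shortened excerpt, not the full capture).
SAMPLE_LOG = """\
Jun 24 02:04:38 [IKEv1]: IP = 192.168.10.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 364
Jun 24 02:04:38 [IKEv1]: IP = 192.168.10.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NONE (0) total length : 180
Jun 24 02:04:38 [IKEv1]: Group = 192.168.10.2, IP = 192.168.10.2, Can't find a valid tunnel group, aborting...!
ciscoasa# Jun 24 02:04:40 [IKEv1]: IP = 192.168.10.2, Header invalid, missing SA payload! (next payload = 4)
Jun 24 02:04:40 [IKEv1]: IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
"""
SAMPLE_CONFIG = """\
tunnel-group 217.x.x.197 type ipsec-l2l
tunnel-group 217.x.x.197 ipsec-attributes
"""

LINE = re.compile(r"(?P<ts>\w{3} +\d+ [\d:]+) \[IKEv1(?: DEBUG)?\]: "
                  r"(?:Group = (?P<group>[^,]+), )?IP = (?P<ip>[\d.]+), (?P<msg>.*)")
PAYLOAD = re.compile(r"\+ ([A-Z]+) \(\d+\)")


def configured_groups(config):
    """Names of the LAN-to-LAN tunnel groups defined in the configuration."""
    return set(re.findall(r"^tunnel-group (\S+) type ipsec-l2l", config, re.M))


def main_mode_message(payloads):
    """Map an initiator's payload list to its IKEv1 Main Mode message number."""
    if "SA" in payloads:
        return "MM1"  # proposal
    if "KE" in payloads:
        return "MM3"  # key exchange and nonce
    return "MM5" if "ID" in payloads else "unknown"


def triage(log, config):
    """Return (failures, orphans) for tunnel-group lookup aborts in the log."""
    groups = configured_groups(config)
    last_rx, orphans, failures = {}, {}, []
    for line in log.splitlines():
        m = LINE.search(line)  # search() skips a leading CLI prompt
        if not m:
            continue  # e.g. SENDING lines that carry no "IP =" field
        ip, msg = m["ip"], m["msg"]
        if "IKE_DECODE RECEIVED" in msg:
            last_rx[ip] = PAYLOAD.findall(msg)
        elif "missing SA payload" in msg:
            orphans[ip] = orphans.get(ip, 0) + 1  # non-SA packet, no exchange open
        elif "find a valid tunnel group" in msg:
            failures.append({
                "time": m["ts"], "peer": ip, "group": m["group"],
                "last_received": main_mode_message(last_rx.get(ip, [])),
                "group_configured": m["group"] in groups,
            })
    return failures, orphans


if __name__ == "__main__":
    print(triage(SAMPLE_LOG, SAMPLE_CONFIG))
```

On the constructed sample the abort follows MM3, and the looked-up name 192.168.10.2 is not among the configured tunnel groups, whose only entry is 217.x.x.197.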