Problem with VPN Site-to-site on Cisco ASA


Hello everyone,

I have a problem with one of our VPN site-to-site tunnels on a Cisco ASA 5515-X. Can you take a look at this log?

I already worked on this log, and I can see QM FSM ERROR; it seems to refer to the crypto ACL, but both are correct, it's the same ACL.

I always get "Received non-routine Notify message: Invalid hash info (23)". Can anyone tell me what the problem is???

Finally, I get "Received encrypted packet with no matching SA, dropping", but I get the exact same SA on both sites. I don't get it... Can you just tell me where I have to search in my config? Thank you very much for your support! Here's the log:

QM FSM error (P2 struct &0x00007fff2ac41340, mess id 0xce302ad7)!

Duplicate Phase 2 packet detected.  Retransmitting last packet.

Received non-routine Notify message: Invalid hash info (23)

PHASE 2 COMPLETED (msgid=ce302ad7)

Initiator resending lost, last msg

Duplicate Phase 2 packet detected.  Retransmitting last packet.

Received non-routine Notify message: Invalid hash info (23)

PHASE 2 COMPLETED (msgid=ce302ad7)

Initiator resending lost, last msg

Duplicate Phase 2 packet detected.  Retransmitting last packet.

Received non-routine Notify message: Invalid hash info (23)

PHASE 2 COMPLETED (msgid=ce302ad7)

Initiator resending lost, last msg

Duplicate Phase 2 packet detected.  Retransmitting last packet.

Received non-routine Notify message: Invalid hash info (23)

PHASE 2 COMPLETED (msgid=ce302ad7)

IPSEC: An inbound LAN-to-LAN SA (SPI= 0x426E840C) between y.y.y.yand x.x.x.x (user= x.x.x.x) has been created.

Group = x.x.x.x, IP = x.x.x.x, Security negotiation complete for LAN-to-LAN Group (x.x.x.x)  Initiator, Inbound SPI = 0x426e840c, Outbound SPI = 0x15c976b8

IPSEC: An outbound LAN-to-LAN SA (SPI= 0x15C976B8) between y.y.y.yand x.x.x.x (user= x.x.x.x) has been created.

Group = x.x.x.x, IP = x.x.x.x, Responder forcing change of IPSec rekeying duration from 28800 to 1800 seconds

Group = x.x.x.x, IP = x.x.x.x, Responder forcing change of IKE rekeying duration from 86400 to 28800 seconds

Group = x.x.x.x, IP = x.x.x.x, Responder forcing change of IKE rekeying duration from 86400 to 28800 seconds

Group = x.x.x.x, IP = x.x.x.x, PHASE 1 COMPLETED

AAA retrieved default group policy (DfltGrpPolicy) for user = x.x.x.x

IP = x.x.x.x, IKE Initiator: New Phase 1, Intf inside, IKE Peer x.x.x.x  local Proxy Address 10.136.193.0, remote Proxy Address 10.168.194.0,  Crypto map (outside_map)

Local:y.y.y.y:500 Remote:x.x.x.x:500 Username:Unknown IKEv2 Received request to establish an IPsec tunnel; local traffic selector = Address Range: 10.136.193.40-10.135.192.40 Protocol: 0 Port Range: 0-65535; remote traffic selector = Address Range: 10.168.194.3-10.168.194.3 Protocol: 0 Port Range: 0-65535

IP = x.x.x.x, Received encrypted packet with no matching SA, dropping

Local:y.y.y.y:500 Remote:x.x.x.x:500 Username:Unknown IKEv2 Received request to establish an IPsec tunnel; local traffic selector = Address Range: 10.136.193.40-10.136.193.40 Protocol: 0 Port Range: 0-65535; remote traffic selector = Address Range: 10.168.194.3-10.168.194.3 Protocol: 0 Port Range: 0-65535

Group = x.x.x.x, Username = x.x.x.x, IP = x.x.x.x, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:00m:30s, Bytes xmt: 1200, Bytes rcv: 0, Reason: Lost Service

Group = x.x.x.x, IP = x.x.x.x, Session is being torn down. Reason: Lost Service

IPSEC: An inbound LAN-to-LAN SA (SPI= 0x8CF48106) between x.x.x.x and y.y.y.y(user= x.x.x.x) has been deleted.

IPSEC: An outbound LAN-to-LAN SA (SPI= 0x15C976B7) between y.y.y.yand x.x.x.x (user= x.x.x.x) has been deleted.

Group = x.x.x.x, IP = x.x.x.x, QM FSM error (P2 struct &0x00007fff2abed0d0, mess id 0xadf68908)!

Thank you




9 Replies

timjim88

Are your pre-shared keys good? It looks like you're using IKEv2, so your local PSK should match the peer PSK on the opposite firewall, and vice versa.

philedwards

Hello, thank you for your answer!

Actually, I'm sure that the pre-shared keys are good because... the tunnel is working right now!! The tunnel uses IKEv1, but even if I enable IKEv2, it's working.

You have to know that I have these errors when I enable another VPN site-to-site on this Cisco ASA (it uses IKEv1 too). I was wondering if it's possible there's a conflict between two tunnels? Maybe between crypto ACLs (referring to the QM FSM error I see in the log), but I don't know why it's causing problems.....

Also, I see these errors: Invalid hash info (23). Do you have any ideas on it?

Thanks

gb5102

philedwards wrote:

[...] You have to know that I have these errors when I enable another VPN site-to-site on this Cisco ASA (it uses IKEv1 too). I was wondering if it's possible there's a conflict between two tunnels? [...]

Does your ASA have a public IP on the WAN interface, or is it behind a NAT?

Specifically, I have seen similar issues when the responder or initiator is behind a NAT router which has the IPSec Passthru feature enabled (common on consumer-grade/ISP routers). Ideally, both 'VPN routers' should have public IPs, but you should also be able to make it work using NAT-T if you can disable the IPSec-Passthru option on the NAT router (if present...)

philedwards

Hello gb5102, and thanks for your help.

My ASA has a public IP on the WAN interface and the other VPN router too. They are not behind a NAT.

I already have two tunnels (site-to-site) running without any problems. NAT-T is enabled on my ASA, but I have to check this option on the other router (Cisco RV); I cannot check that right now.

By the way, you should know that the new site-to-site tunnel I want to add includes 3 different subnets; I added these 3 subnets to the crypto ACL of this tunnel. Is there an impact on the other site-to-site tunnels?

It's very strange: when I set up my new tunnel, all other tunnels crash and they are not coming back up. There's only this new tunnel running, and I can see these logs on the ASA (QM FSM Error/Invalid hash info/No matching SA dropping). Do you have any other ideas on this problem?

Thank you again for your time :)

gb5102

philedwards wrote:

My ASA has a public IP on the WAN interface and the other VPN router too. They are not behind a NAT.

I already have two tunnels (site-to-site) running without any problems. NAT-T is enabled on my ASA, but I have to check this option on the other router (Cisco RV); I cannot check that right now.

If none of the routers are behind a NAT, then there is no need to enable NAT-T. It won't break anything, but it's not necessary.

philedwards wrote:

By the way, you should know that the new site-to-site tunnel I want to add includes 3 different subnets; I added these 3 subnets to the crypto ACL of this tunnel. Is there an impact on the other site-to-site tunnels?

It's very strange: when I set up my new tunnel, all other tunnels crash and they are not coming back up. There's only this new tunnel running, and I can see these logs on the ASA (QM FSM Error/Invalid hash info/No matching SA dropping). Do you have any other ideas on this problem?

Thank you again for your time :)

Are any of the remote/destination subnets in the ACLs used in your crypto-maps conflicting? For example, if 2 of the remote locations are using the same (or overlapping) subnets, they would conflict.

philedwards

Ok, I will show you my different crypto ACLs:

For my first tunnel, I have this as crypto ACL:

permit ip 10.140.195.0/24 172.16.3.0/24

For my second tunnel, I have this crypto ACL:

permit ip 10.140.195.0/24 10.168.194.0/24

For my new tunnel, which includes 3 subnets, I created a network object called "3subnets" and the remote-location subnet "LAN-REMOTE3" with 172.16.1.0/24 for the remote LAN. The remote router is configured with these 3 subnets for the VPN tunnel.

So in this network group, there's:

172.16.0.0/24

10.140.195.0/24

172.16.12.0/24

So my crypto ACL for this tunnel is: permit ip 3subnets LAN-REMOTE3.

Do you see any problems with that configuration? Is it correct to create a network object including 3 subnets on the tunnel?

Thank you

gb5102

philedwards wrote:

[...] For my new tunnel, which includes 3 subnets, I created a network object called "3subnets" and the remote-location subnet "LAN-REMOTE3" with 172.16.1.0/24 for the remote LAN. The remote router is configured with these 3 subnets for the VPN tunnel.

So in this network group, there's:

172.16.0.0/24

10.140.195.0/24

172.16.12.0/24

So my crypto ACL for this tunnel is: permit ip 3subnets LAN-REMOTE3.

Do you see any problems with that configuration? Is it correct to create a network object including 3 subnets on the tunnel?

Thank you

I'm really not sure if you can use object-groups in an ACL for IPSec; I think it should work (or at least give an error), but I have never done it that way.

In the past I have done this using separate ACEs (using 200 for the ACL id in this example):

  access-list 200 extended permit ip 172.16.0.0 255.255.255.0 172.16.1.0 255.255.255.0
  access-list 200 extended permit ip 10.140.195.0 255.255.255.0 172.16.1.0 255.255.255.0
  access-list 200 extended permit ip 172.16.12.0 255.255.255.0 172.16.1.0 255.255.255.0

And the corresponding crypto-map (I prefer the same sequence # for the crypto map and the ACL id to make it easier when reading the config):

  crypto map MY_MAP 200 match address 200

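The check gb5102 suggests above (do two crypto ACLs claim the same local/remote traffic?) can be scripted. The following is an added example, not code from the thread or from Cisco: it parses ASA-style "access-list <id> extended permit ip <src> <mask> <dst> <mask>" lines into (local, remote) prefix pairs, expands the "3subnets -> LAN-REMOTE3" object-group form into the separate-ACE form gb5102 showed, and reports ACE pairs in different crypto ACLs whose local prefixes overlap AND whose remote prefixes overlap. The ACL ids 100 and 110 for the first two tunnels, and the fourth ACL 300 (added only to show what a conflicting entry looks like), are assumptions; the subnets are the ones posted in the thread.

```python
import ipaddress
from itertools import combinations

# Constructed sample config: the three crypto ACLs from the thread written as
# ASA extended ACEs, plus ACL 300, which is an assumption added here to show a
# conflicting entry (its remote /16 covers ACL 100's and ACL 200's remote /24s).
SAMPLE_CONFIG = """
access-list 100 extended permit ip 10.140.195.0 255.255.255.0 172.16.3.0 255.255.255.0
access-list 110 extended permit ip 10.140.195.0 255.255.255.0 10.168.194.0 255.255.255.0
access-list 200 extended permit ip 172.16.0.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list 200 extended permit ip 10.140.195.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list 200 extended permit ip 172.16.12.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list 300 extended permit ip 10.140.195.0 255.255.255.0 172.16.0.0 255.255.0.0
"""


def _take_network(tokens):
    """Consume one address spec from the front of the token list: 'any',
    'host A.B.C.D', or 'A.B.C.D MASK' (ASA netmask form); return ip_network."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    mask = tokens.pop(0)
    return ipaddress.ip_network(f"{tok}/{mask}", strict=False)


def parse_crypto_acls(config_text):
    """Return {acl_id: [(local_net, remote_net), ...]} from lines of the form
    'access-list <id> extended permit ip <src> <dst>'. Other lines are ignored."""
    acls = {}
    for raw in config_text.splitlines():
        tokens = raw.split()
        if len(tokens) < 5 or tokens[0] != "access-list":
            continue
        if tokens[2:5] != ["extended", "permit", "ip"]:
            continue
        acl_id = tokens[1]
        rest = tokens[5:]
        local = _take_network(rest)
        remote = _take_network(rest)
        acls.setdefault(acl_id, []).append((local, remote))
    return acls


def expand_object_group(acl_id, local_nets, remote_net):
    """Rewrite 'permit ip <group> <remote>' as one ACE per group member, i.e.
    the separate-ACE form from the thread. Returns the ACE lines as strings."""
    remote = ipaddress.ip_network(remote_net)
    lines = []
    for net in local_nets:
        local = ipaddress.ip_network(net)
        lines.append(
            f"access-list {acl_id} extended permit ip "
            f"{local.network_address} {local.netmask} "
            f"{remote.network_address} {remote.netmask}"
        )
    return lines


def find_conflicts(acls):
    """Report ACE pairs in *different* crypto ACLs that both match some of the
    same traffic (local prefixes overlap and remote prefixes overlap). Such
    traffic is claimed by two crypto-map entries; the ASA uses the first
    matching entry, so the other tunnel never sees that traffic."""
    conflicts = []
    for (id_a, aces_a), (id_b, aces_b) in combinations(acls.items(), 2):
        for local_a, remote_a in aces_a:
            for local_b, remote_b in aces_b:
                if local_a.overlaps(local_b) and remote_a.overlaps(remote_b):
                    conflicts.append((id_a, id_b, str(local_a), str(remote_a),
                                      str(local_b), str(remote_b)))
    return conflicts


if __name__ == "__main__":
    parsed = parse_crypto_acls(SAMPLE_CONFIG)
    for acl_id, aces in parsed.items():
        for local, remote in aces:
            print(f"ACL {acl_id}: {local} -> {remote}")
    for a, b, la, ra, lb, rb in find_conflicts(parsed):
        print(f"CONFLICT: ACL {a} ({la} -> {ra}) overlaps ACL {b} ({lb} -> {rb})")
```

With the thread's three ACLs alone the script reports nothing, because the local subnet 10.140.195.0/24 is shared but every remote subnet is distinct; only the assumed ACL 300 triggers a report. To run it against a real device, paste the output of "show running-config access-list" for the ACLs referenced by "match address" into SAMPLE_CONFIG.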
philedwards

Ok, that's very interesting..

I will configure my crypto ACL like you did, but I have another question:

How do you configure your site-to-site VPN tunnel? I mean, do you configure a tunnel like this:

Do I use my network object group "3subnets" to configure my VPN tunnel? I mean between "3subnets" and "LAN-REMOTE3".

Have you any ideas? Thanks

philedwards

Ok, I just configured the other tunnel with one subnet and I still have these errors, so the crypto ACL is not the problem...

The tunnel cannot come up, I don't know why... Before setting up the new tunnel, the tunnel was working great... Is it possible there's a conflict somewhere between the two tunnels????

Thanks

This topic has been locked by an administrator and is no longer open for commenting.


Source: https://community.spiceworks.com/topic/1315129-problem-with-vpn-site-to-site-on-cisco-asa
