vpn on asa - no matching crypto map entry problem

Discussion in 'Cisco' started by anonymous, Apr 28, 2006.

  1. anonymous

    anonymous Guest

    Hello,

    I'm setting up a vpn on an ASA 5510 7.0(4)12 but it doesn't seem to be
    getting past completion of phase I. I'm getting this message in my logs
    (take a look at the line I marked with "***"):

    LOGS
    ========================================================================
    6|Apr 28 2006 12:21:41|713172: Group = my-Group, IP = 192.168.10.10,
    Automatic NAT Detection Status: Remote end IS behind a NAT
    device This end is NOT behind a NAT device
    6|Apr 28 2006 12:21:53|113012: AAA user authentication Successful :
    local database : user = testuser
    6|Apr 28 2006 12:21:53|113003: AAA group policy for user testuser is
    being set to my-Group
    6|Apr 28 2006 12:21:53|113011: AAA retrieved user specific group policy
    (my-Group) for user = testuser
    6|Apr 28 2006 12:21:53|113009: AAA retrieved default group policy
    (my-Group) for user = testuser
    6|Apr 28 2006 12:21:53|113008: AAA transaction status ACCEPT : user =
    testuser
    5|Apr 28 2006 12:21:53|713130: Group = my-Group, Username = testuser, IP
    = 192.168.10.10, Received unsupported transaction mode attribute: 5
    5|Apr 28 2006 12:21:53|713131: Group = my-Group, Username = testuser, IP
    = 192.168.10.10, Received unknown transaction mode attribute: 28683
    6|Apr 28 2006 12:21:53|713184: Group = my-Group, Username = testuser, IP
    = 192.168.10.10, Client Type: WinNT Client Application Version: 4.6.00.0045
    6|Apr 28 2006 12:21:53|713228: Group = my-Group, Username = testuser, IP
    = 192.168.10.10, Assigned private IP address 10.10.10.20 to remote user
    3|Apr 28 2006 12:21:53|713119: Group = my-Group, Username = testuser, IP
    = 192.168.10.10, PHASE 1 COMPLETED
    *****************
    ***3|Apr 28 2006 12:21:53|713061: Group = my-Group, Username = testuser,
    IP = 192.168.10.10, Rejecting IPSec tunnel: no matching crypto map entry
    for remote proxy 10.10.10.20/255.255.255.255/0/0 local proxy
    0.0.0.0/0.0.0.0/0/0 on interface outside
    *****************
    3|Apr 28 2006 12:21:53|713902: Group = my-Group, Username = testuser, IP
    = 192.168.10.10, QM FSM error (P2 struct &0x388d2b0, mess id 0x71fb8a55)!
    3|Apr 28 2006 12:21:53|713902: Group = my-Group, Username = testuser, IP
    = 192.168.10.10, Removing peer from correlator table failed, no match!
    4|Apr 28 2006 12:21:53|113019: Group = my-Group, Username = testuser, IP
    = 192.168.10.10, Session disconnected. Session Type: IPSec, Duration:
    0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: crypto map policy not found
    5|Apr 28 2006 12:21:53|713904: IP = 192.168.10.10, Received encrypted
    packet with no matching SA, dropping
    ========================================================================

    I noticed this on Cisco's site:

    CISCO's EXPLANATION
    ========================================================================
    Error Message %PIX|ASA-3-713061: Tunnel rejected: Crypto Map Policy
    not found for Src:source_address, Dst: dest_address!

    Explanation This message indicates that the Cisco ASA was not able to
    find security policy information for the private networks or hosts
    indicated in the message. These networks or hosts were sent by the
    initiator and do not match any crypto ACLs at the Cisco ASA. This is
    most likely a misconfiguration.

    Recommended Action Check the protected network configuration in the
    crypto ACLs on both sides and make sure that the local net on the
    initiator is the remote net on the responder and vice-versa. Pay special
    attention to wildcard masks, host addresses versus network addresses,
    etc. Non-Cisco implementations may have the private addresses labeled as
    proxy addresses or red networks.
    ========================================================================

    AFAIK, I've done this. Is there something I'm missing here?

    ASA CONFIG
    ========================================================================
    ciscoasa# show run
    : Saved
    :
    ASA Version 7.0(4)12
    !
    hostname ciscoasa

    names
    !
    interface Ethernet0/0
    speed 100
    duplex full
    nameif outside
    security-level 0
    ip address 172.16.1.37 255.255.255.0
    !
    interface Ethernet0/1
    speed 100
    duplex full
    nameif inside
    security-level 100
    ip address 10.10.10.5 255.255.255.0
    !

    ftp mode passive
    access-list inside_nat0_outbound extended permit ip 10.10.10.0
    255.255.255.0 any
    access-list my-Group_splitTunnelAcl standard permit 10.10.10.0
    255.255.255.0
    access-list outside_cryptomap_dyn_20 extended permit ip 10.10.10.0
    255.255.255.0 any
    access-list outside_cryptomap_dyn_20 extended permit udp 10.10.10.0
    255.255.255.0 eq isakmp any

    mtu management 1500
    mtu inside 1500
    mtu outside 1500
    ip local pool pac-vpn-ip-pool 10.10.10.20-10.10.10.100 mask 255.255.255.0
    asdm image disk0:/asdm-504.bin
    asdm history enable
    arp timeout 14400
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 0 0.0.0.0 0.0.0.0
    route outside 0.0.0.0 0.0.0.0 172.16.1.33 1
    group-policy my-Group internal
    group-policy my-Group attributes
    wins-server value 10.10.10.58
    dns-server value 10.10.10.82
    vpn-tunnel-protocol IPSec
    ipsec-udp enable
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value my-Group_splitTunnelAcl
    client-firewall none
    webvpn
    username testuser password XXXXXXX encrypted privilege 1
    username testuser attributes
    vpn-group-policy my-Group
    webvpn
    aaa authentication ssh console LOCAL
    aaa authentication enable console LOCAL

    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
    crypto dynamic-map outside_dyn_map 20 set reverse-route
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    crypto ca certificate map 10
    subject-name attr ip eq 172.16.1.37
    isakmp identity address
    isakmp enable outside
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash sha
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    isakmp nat-traversal 20
    isakmp ipsec-over-tcp port 10000
    tunnel-group my-Group type ipsec-ra
    tunnel-group my-Group general-attributes
    address-pool pac-vpn-ip-pool
    authentication-server-group none
    default-group-policy my-Group
    tunnel-group my-Group ipsec-attributes
    pre-shared-key *
    tunnel-group-map default-group my-Group
    tunnel-group-map 10 my-Group
    no vpn-addr-assign aaa
    no vpn-addr-assign dhcp
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map global_policy
    class inspection_default
    inspect dns maximum-length 512
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    !
    service-policy global_policy global
    client-update enable
    : end
    ========================================================================

    Thanks,
    STU
     
    anonymous, Apr 28, 2006
    #1

  2. anonymous

    anonymous Guest

    I figured out what the problem was. My crypto map dynamic access lists
    were backwards:

    access-list outside_cryptomap_dyn_20 extended permit ip 10.10.10.0
    255.255.255.0 any

    should be:

    access-list outside_cryptomap_dyn_20 extended permit ip any 10.10.10.0
    255.255.255.0
     
    anonymous, Apr 28, 2006
    #2
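The check the ASA is doing when it logs 713061 can be reproduced offline, which is handy when the crypto ACL is longer than two lines. The script below is an added example, not code from the thread or from Cisco: it pulls the local and remote proxy identities (addr/mask/protocol/port) out of a 713061 line, parses ASA-style `access-list ... extended permit` entries, and reports whether each entry would have matched. The model is a simplified one assumed here, not Cisco's implementation: an entry matches when the local proxy falls inside the entry's source and the remote proxy inside its destination, with `ip` matching any protocol; port qualifiers are skipped. The log line is constructed to mirror the one in the first post, and the two ACL lines are the "backwards" and corrected entries from this reply.

```python
import ipaddress
import re
from typing import Dict, List, NamedTuple, Tuple

# Constructed sample, modelled on the 713061 line in the first post (not a real capture).
SAMPLE_713061 = (
    "3|Apr 28 2006 12:21:53|713061: Group = my-Group, Username = testuser, "
    "IP = 192.168.10.10, Rejecting IPSec tunnel: no matching crypto map entry "
    "for remote proxy 10.10.10.20/255.255.255.255/0/0 local proxy "
    "0.0.0.0/0.0.0.0/0/0 on interface outside"
)

# The ACL as first posted (source = local side, destination = remote side) and the fix.
ACL_BACKWARDS = "access-list outside_cryptomap_dyn_20 extended permit ip 10.10.10.0 255.255.255.0 any"
ACL_FIXED = "access-list outside_cryptomap_dyn_20 extended permit ip any 10.10.10.0 255.255.255.0"

PROTO_NUMBERS = {"ip": 0, "icmp": 1, "tcp": 6, "udp": 17}


class Proxy(NamedTuple):
    net: ipaddress.IPv4Network
    proto: int  # 0 = any protocol, as the ASA logs it
    port: int   # 0 = any port


class AclEntry(NamedTuple):
    proto: int
    src: ipaddress.IPv4Network  # local (protected) side of the tunnel
    dst: ipaddress.IPv4Network  # remote side of the tunnel


_PROXY_RE = re.compile(
    r"remote proxy (?P<rip>[\d.]+)/(?P<rmask>[\d.]+)/(?P<rproto>\d+)/(?P<rport>\d+)"
    r" local proxy (?P<lip>[\d.]+)/(?P<lmask>[\d.]+)/(?P<lproto>\d+)/(?P<lport>\d+)"
)


def _net(addr: str, mask: str) -> ipaddress.IPv4Network:
    # ipaddress accepts a dotted netmask after the slash; strict=False tolerates host bits.
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def parse_713061(line: str) -> Tuple[Proxy, Proxy]:
    """Return (local_proxy, remote_proxy) from an ASA %ASA-3-713061 message."""
    m = _PROXY_RE.search(line)
    if m is None:
        raise ValueError("no proxy identities found in log line")
    g = m.groupdict()
    local = Proxy(_net(g["lip"], g["lmask"]), int(g["lproto"]), int(g["lport"]))
    remote = Proxy(_net(g["rip"], g["rmask"]), int(g["rproto"]), int(g["rport"]))
    return local, remote


def _take_addr(tokens: List[str]) -> ipaddress.IPv4Network:
    """Consume one ASA address spec: 'any', 'host A.B.C.D', or 'A.B.C.D M.M.M.M'."""
    tok = tokens.pop(0)
    if tok == "any":
        net = ipaddress.IPv4Network("0.0.0.0/0")
    elif tok == "host":
        net = ipaddress.IPv4Network(f"{tokens.pop(0)}/32")
    else:
        net = _net(tok, tokens.pop(0))
    # Skip an optional port qualifier (eq/gt/lt/neq X, range X Y); ports are not modelled.
    if tokens and tokens[0] in ("eq", "gt", "lt", "neq"):
        del tokens[:2]
    elif tokens and tokens[0] == "range":
        del tokens[:3]
    return net


def parse_acl(line: str) -> AclEntry:
    """Parse 'access-list NAME extended permit PROTO SRC DST' (ASA syntax)."""
    tokens = line.split()
    if tokens[:1] != ["access-list"] or "permit" not in tokens:
        raise ValueError("unsupported ACL line")
    tokens = tokens[tokens.index("permit") + 1:]
    proto = PROTO_NUMBERS.get(tokens.pop(0))
    if proto is None:
        raise ValueError("unsupported protocol keyword")
    src = _take_addr(tokens)
    dst = _take_addr(tokens)
    return AclEntry(proto, src, dst)


def entry_matches(entry: AclEntry, local: Proxy, remote: Proxy) -> bool:
    """Assumed, simplified proxy-identity check: local proxy within SRC, remote proxy
    within DST, and the entry protocol either 'ip' (any) or equal to the proposed one."""
    proto_ok = entry.proto == 0 or entry.proto == local.proto
    return proto_ok and local.net.subnet_of(entry.src) and remote.net.subnet_of(entry.dst)


def diagnose(acl_lines: List[str], log_line: str) -> Dict[str, Dict[str, bool]]:
    """For each crypto ACL line, report which half failed against the logged proxies."""
    local, remote = parse_713061(log_line)
    report = {}
    for line in acl_lines:
        entry = parse_acl(line)
        report[line] = {
            "local_in_src": local.net.subnet_of(entry.src),
            "remote_in_dst": remote.net.subnet_of(entry.dst),
            "match": entry_matches(entry, local, remote),
        }
    return report


if __name__ == "__main__":
    for acl, result in diagnose([ACL_BACKWARDS, ACL_FIXED], SAMPLE_713061).items():
        print(acl)
        print("   ", result)
```

Run against the thread's data, the backwards entry fails on the local half only: the remote proxy 10.10.10.20/32 sits inside `any`, but the local proxy 0.0.0.0/0 (the client's "everything" selector) is not inside 10.10.10.0/24. Swapping the two halves makes both containment checks pass, which is exactly the fix described in this reply.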
