VPN: Cisco / Watchguard: IKE lost contact with remote peer

28,190

Solution 1

You have to give a DNS name or an IP address to the gateway IP in phase one.

Put the IP address in and select IP in the dropdown box under it.

Solution 2

Have you tried disabling DPD? DPD between different vendors may work so-so... Are -both- devices set to use main mode? Go over settings again and again..

Solution 3

Here is a link to some tips on IKE SA mismatches that may help (it also covers some debug commands to look at):

http://www.networkworld.com/subnets/cisco/1114-ch4-ipsec-vpn.html



Updated on September 17, 2022

Comments

  • DrStalker
    DrStalker over 1 year

    I'm trying to set up a lan-to-lan VPN between a Cisco ASA 5510 (7.0(5) firmware, IP 222.222.222.222) and a Watchguard X750e firewall (10.2 firmware, IP 111.111.111.111)

    Phase 1 comes up but then the message "IKE lost contact with remote peer, deleting connection" comes up in the logs and the ASA never starts Phase 2 configuration. What could be causing this?

    Log and config information follows, sorry about the ugly looking wall of text:

    From the logs at the ASA end:

    Jun 12 2009 21:00:51: %ASA-3-713119: Group = 111.111.111.111, IP = 111.111.111.111, PHASE 1 COMPLETED
    Jun 12 2009 21:00:51: %ASA-7-713121: IP = 111.111.111.111, Keep-alive type for this connection: DPD
    Jun 12 2009 21:00:51: %ASA-7-713906: Group = 111.111.111.111, IP = 111.111.111.111, Starting phase 1 rekey timer: 64800000 (ms)
    Jun 12 2009 21:00:52: %ASA-7-715036: Group = 111.111.111.111, IP = 111.111.111.111, Sending keep-alive of type DPD R-U-THERE (seq number 0x66612de1)
    Jun 12 2009 21:00:52: %ASA-7-715046: Group = 111.111.111.111, IP = 111.111.111.111, constructing blank hash payload
    Jun 12 2009 21:00:52: %ASA-7-715046: Group = 111.111.111.111, IP = 111.111.111.111, constructing qm hash payload
    Jun 12 2009 21:00:52: %ASA-7-713236: IP = 111.111.111.111, IKE_DECODE SENDING Message (msgid=56732dee) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
    Jun 12 2009 21:00:54: %ASA-7-715036: Group = 111.111.111.111, IP = 111.111.111.111, Sending keep-alive of type DPD R-U-THERE (seq number 0x66612de2)
    Jun 12 2009 21:00:54: %ASA-7-715046: Group = 111.111.111.111, IP = 111.111.111.111, constructing blank hash payload
    Jun 12 2009 21:00:54: %ASA-7-715046: Group = 111.111.111.111, IP = 111.111.111.111, constructing qm hash payload
    Jun 12 2009 21:00:54: %ASA-7-713236: IP = 111.111.111.111, IKE_DECODE SENDING Message (msgid=f3add2bd) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
    Jun 12 2009 21:00:54: %ASA-7-713906: Received unexpected event EV_RESEND_MSG in state MM_REKEY_DONE_H2
    Jun 12 2009 21:00:56: %ASA-7-715036: Group = 111.111.111.111, IP = 111.111.111.111, Sending keep-alive of type DPD R-U-THERE (seq number 0x66612de3)
    Jun 12 2009 21:00:56: %ASA-7-715046: Group = 111.111.111.111, IP = 111.111.111.111, constructing blank hash payload
    Jun 12 2009 21:00:56: %ASA-7-715046: Group = 111.111.111.111, IP = 111.111.111.111, constructing qm hash payload
    Jun 12 2009 21:00:56: %ASA-7-713236: IP = 111.111.111.111, IKE_DECODE SENDING Message (msgid=f65762ed) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
    Jun 12 2009 21:00:57: %ASA-7-713906: Received unexpected event EV_RESEND_MSG in state MM_REKEY_DONE_H2
    Jun 12 2009 21:00:58: %ASA-3-713123: Group = 111.111.111.111, IP = 111.111.111.111, IKE lost contact with remote peer, deleting connection (keepalive type: DPD)
    

    And at the Watchguard end:

    11:08:36 iked Drop negotiation to peer 222.222.222.222:500 due to phase 1 retry timeout msg_id="0203-5161"             Debug
    11:08:40 iked WARNING: Mismatched ID settings at peer 222.222.222.222:500 caused an authentication failure msg_id="0203-5156"      Debug
    11:08:40 iked  Process 5/6 Msg : failed to process ID payload              Debug
    
    11:17:00 iked  Process 5/6 Msg : failed to process ID payload 4           Debug
    11:17:00 iked  Process INFO_EXCHANGE : EncryptBit set before SA created              Debug
    11:17:00 iked Cannot process the inform message from 222.222.222.222:500 to 111.111.111.111 cookies i=9a3397be 0547688f r=1665ee71 2185bf5c msg_id="0203-5059"       Debug
    

    The config at our end looks like this:

    object-group network REMOTENETWORK
     network-object 215.12.34.0 255.255.255.0
    
    access-list outside_cryptomap_100 extended permit ip 10.88.88.96 255.255.255.240 object-group REMOTENETWORK 
    access-list outside_cryptomap_100 extended permit ip 10.88.88.128 255.255.255.224 object-group REMOTENETWORK 
    
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
    
    crypto map outside_map 100 match address outside_cryptomap_100
    crypto map outside_map 100 set peer 111.111.111.111 
    crypto map outside_map 100 set transform-set ESP-3DES-SHA
    
    tunnel-group 111.111.111.111 type ipsec-l2l
    tunnel-group 111.111.111.111 ipsec-attributes
     pre-shared-key SECRETKEY
    

    Screenshots of remote Watchguard config for phase 1 and 2:

    http://www.infinitemonkeyproductions.net/wow_forum/watchguard1.jpg

    http://www.infinitemonkeyproductions.net/wow_forum/watchguard2.jpg

  • DrStalker
    DrStalker almost 15 years
    How do you explicitly disable DPD for a connection on an ASA, and how do you explicitly confirm main mode is enabled?
  • dadver
    dadver almost 15 years
    Sorry, can't help there, never used ASA, just gave you general IPSec TS info... Google it, saw that there were posts on Experts Exchange about similar problem.