VPN: Cisco / Watchguard: IKE lost contact with remote peer
Solution 1
You have to give a DNS name or an IP address to the gateway ip in phase one.
Put the IP address in and select IP in the dropdown box under it.
Solution 2
Have you tried disabling DPD? DPD between different vendors may work so-so... Are both devices set to use main mode? Go over settings again and again..
Solution 3
Here is a link to some tips on IKE SA mismatches that may help (also some debug commands to look at covered):
http://www.networkworld.com/subnets/cisco/1114-ch4-ipsec-vpn.html
Comments
-
DrStalker over 1 year
I'm trying to set up a LAN-to-LAN VPN between a Cisco ASA 5510 (7.0(5) firmware, IP 222.222.222.222) and a Watchguard X750e firewall (10.2 firmware, IP 111.111.111.111).
Phase 1 comes up, but then the message "IKE lost contact with remote peer, deleting connection" comes up in the logs and the ASA never starts Phase 2 configuration. What could be causing this?
Log and config information follows, sorry about the ugly looking wall of text:
From the logs at the ASA end:
Jun 12 2009 21:00:51: %ASA-3-713119: Group = 111.111.111.111, IP = 111.111.111.111, PHASE 1 COMPLETED
Jun 12 2009 21:00:51: %ASA-7-713121: IP = 111.111.111.111, Keep-alive type for this connection: DPD
Jun 12 2009 21:00:51: %ASA-7-713906: Group = 111.111.111.111, IP = 111.111.111.111, Starting phase 1 rekey timer: 64800000 (ms)
Jun 12 2009 21:00:52: %ASA-7-715036: Group = 111.111.111.111, IP = 111.111.111.111, Sending keep-alive of type DPD R-U-THERE (seq number 0x66612de1)
Jun 12 2009 21:00:52: %ASA-7-715046: Group = 111.111.111.111, IP = 111.111.111.111, constructing blank hash payload
Jun 12 2009 21:00:52: %ASA-7-715046: Group = 111.111.111.111, IP = 111.111.111.111, constructing qm hash payload
Jun 12 2009 21:00:52: %ASA-7-713236: IP = 111.111.111.111, IKE_DECODE SENDING Message (msgid=56732dee) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jun 12 2009 21:00:54: %ASA-7-715036: Group = 111.111.111.111, IP = 111.111.111.111, Sending keep-alive of type DPD R-U-THERE (seq number 0x66612de2)
Jun 12 2009 21:00:54: %ASA-7-715046: Group = 111.111.111.111, IP = 111.111.111.111, constructing blank hash payload
Jun 12 2009 21:00:54: %ASA-7-715046: Group = 111.111.111.111, IP = 111.111.111.111, constructing qm hash payload
Jun 12 2009 21:00:54: %ASA-7-713236: IP = 111.111.111.111, IKE_DECODE SENDING Message (msgid=f3add2bd) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jun 12 2009 21:00:54: %ASA-7-713906: Received unexpected event EV_RESEND_MSG in state MM_REKEY_DONE_H2
Jun 12 2009 21:00:56: %ASA-7-715036: Group = 111.111.111.111, IP = 111.111.111.111, Sending keep-alive of type DPD R-U-THERE (seq number 0x66612de3)
Jun 12 2009 21:00:56: %ASA-7-715046: Group = 111.111.111.111, IP = 111.111.111.111, constructing blank hash payload
Jun 12 2009 21:00:56: %ASA-7-715046: Group = 111.111.111.111, IP = 111.111.111.111, constructing qm hash payload
Jun 12 2009 21:00:56: %ASA-7-713236: IP = 111.111.111.111, IKE_DECODE SENDING Message (msgid=f65762ed) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jun 12 2009 21:00:57: %ASA-7-713906: Received unexpected event EV_RESEND_MSG in state MM_REKEY_DONE_H2
Jun 12 2009 21:00:58: %ASA-3-713123: Group = 111.111.111.111, IP = 111.111.111.111, IKE lost contact with remote peer, deleting connection (keepalive type: DPD)
And at the Watchguard end:
11:08:36 iked Drop negotiation to peer 222.222.222.222:500 due to phase 1 retry timeout msg_id="0203-5161" Debug
11:08:40 iked WARNING: Mismatched ID settings at peer 222.222.222.222:500 caused an authentication failure msg_id="0203-5156" Debug
11:08:40 iked Process 5/6 Msg : failed to process ID payload Debug
11:17:00 iked Process 5/6 Msg : failed to process ID payload 4 Debug
11:17:00 iked Process INFO_EXCHANGE : EncryptBit set before SA created Debug
11:17:00 iked Cannot process the inform message from 222.222.222.222:500 to 111.111.111.111 cookies i=9a3397be 0547688f r=1665ee71 2185bf5c msg_id="0203-5059" Debug
The config at our end looks like this:
object-group network REMOTENETWORK
 network-object 215.12.34.0 255.255.255.0
access-list outside_cryptomap_100 extended permit ip 10.88.88.96 255.255.255.240 object-group REMOTENETWORK
access-list outside_cryptomap_100 extended permit ip 10.88.88.128 255.255.255.224 object-group REMOTENETWORK
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 100 match address outside_cryptomap_100
crypto map outside_map 100 set peer 111.111.111.111
crypto map outside_map 100 set transform-set ESP-3DES-SHA
tunnel-group 111.111.111.111 type ipsec-l2l
tunnel-group 111.111.111.111 ipsec-attributes
 pre-shared-key SECRETKEY
Screenshots of remote Watchguard config for phase 1 and 2:
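As an added example (not code from this thread or from either vendor), a small Python triage script that runs over the log lines quoted above: it counts DPD R-U-THERE probes per peer on the ASA side, checks whether any acknowledgement or lost-contact event appears, and cross-checks the Watchguard side for the rejected ID payload that Solution 1 addresses. The log text is a constructed subset of the lines in the question; matching an acknowledgement by the text "R-U-THERE-ACK" is an assumption, since the thread shows no such message.

```python
import re
from collections import Counter
# Constructed sample input: a subset of the ASA and Watchguard lines quoted in the question.
ASA_LOG = """\
Jun 12 2009 21:00:51: %ASA-3-713119: Group = 111.111.111.111, IP = 111.111.111.111, PHASE 1 COMPLETED
Jun 12 2009 21:00:52: %ASA-7-715036: Group = 111.111.111.111, IP = 111.111.111.111, Sending keep-alive of type DPD R-U-THERE (seq number 0x66612de1)
Jun 12 2009 21:00:54: %ASA-7-715036: Group = 111.111.111.111, IP = 111.111.111.111, Sending keep-alive of type DPD R-U-THERE (seq number 0x66612de2)
Jun 12 2009 21:00:56: %ASA-7-715036: Group = 111.111.111.111, IP = 111.111.111.111, Sending keep-alive of type DPD R-U-THERE (seq number 0x66612de3)
Jun 12 2009 21:00:58: %ASA-3-713123: Group = 111.111.111.111, IP = 111.111.111.111, IKE lost contact with remote peer, deleting connection (keepalive type: DPD)
"""
WG_LOG = """\
11:08:40 iked WARNING: Mismatched ID settings at peer 222.222.222.222:500 caused an authentication failure msg_id="0203-5156" Debug
11:08:40 iked Process 5/6 Msg : failed to process ID payload Debug
"""

# Pull the ASA message ID, the message body and the peer address out of one syslog line.
ASA_RE = re.compile(r"%ASA-\d-(?P<msgid>\d{6}): (?P<body>.*IP = (?P<peer>\d+(?:\.\d+){3}).*)$")

def asa_dpd_counters(log_text):
    """Per-peer counters: phase 1 completions (713119), DPD R-U-THERE sent (715036), lost-contact
    events (713123) and ACKs seen (assumption: matched by text, no ASA ID for it is in the thread)."""
    peers = {}
    for line in log_text.splitlines():
        m = ASA_RE.search(line)
        if not m:
            continue
        c, body = peers.setdefault(m["peer"], Counter()), m["body"]
        if m["msgid"] == "713119":
            c["phase1"] += 1
        elif "R-U-THERE-ACK" in body:
            c["dpd_ack"] += 1
        elif m["msgid"] == "715036" and "R-U-THERE" in body:
            c["dpd_sent"] += 1
        elif m["msgid"] == "713123":
            c["lost_contact"] += 1
    return {peer: dict(c) for peer, c in peers.items()}

def wg_id_mismatch(log_text):
    """True when the Watchguard iked log shows the phase 1 ID payload being rejected."""
    return any("Mismatched ID settings" in l or "failed to process ID payload" in l
               for l in log_text.splitlines())

def diagnose(asa_log, wg_log):
    """One verdict per ASA peer, combining both sides of the tunnel."""
    out = {}
    for peer, c in asa_dpd_counters(asa_log).items():
        dead = c.get("phase1") and c.get("dpd_sent") and c.get("lost_contact") and not c.get("dpd_ack")
        cause = ("peer rejects the IKE ID: set the Watchguard gateway ID to the ASA IP address"
                 if wg_id_mismatch(wg_log) else "peer never answers DPD: check DPD support or disable it")
        out[peer] = (f"phase 1 up, {c['dpd_sent']} DPD R-U-THERE sent, 0 ACKs, tunnel torn down; {cause}"
                     if dead else "no DPD failure pattern")
    return out
```

Feed it the full ASA and Watchguard logs instead of the sample text to get a verdict for every peer that appears.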
-
DrStalker almost 15 years
How do you explicitly disable DPD for a connection on an ASA, and how do you explicitly confirm main mode is enabled?
-
dadver almost 15 years
Sorry, can't help there, never used ASA, just gave you general IPSec TS info... Google it, saw that there were posts on Experts Exchange about a similar problem.