VPN Site to Site one way connection issue: Netgear to ASA

David_549

Commendable
Dec 27, 2016
I have a Netgear Prosafe FVS318N that I need to set up for a site-to-site connection to my HQ's ASA 5505. While I have done this before, this time my remote Netgear is sitting within a hospital's network. The network administrator has told me that my router would be put on their guest LAN and should have complete open access. So I have set up my Netgear Prosafe as an initiator and have set up my ASA to accept unknown connections via VPN with a matching key (I believe). I'm still getting errors, most of which are "Ignore information because the message has no hash payload."

VPN1.JPG: https://dl.dropboxusercontent.com/u/16202403/VPN1.JPG

VPN2.JPG: https://dl.dropboxusercontent.com/u/16202403/VPN2.JPG

VPN3.JPG: https://dl.dropboxusercontent.com/u/16202403/VPN3.JPG

Thank you so much
 
Solution
Cisco are pretty picky; they are simple to get to work with other Cisco gear, not so much with other firewalls, especially consumer-grade equipment.

There is likely some issue with the definitions of your group number in the policy of the ASA. It also may not have a policy that allows the combination you have selected on the Netgear. It may be simpler to just keep changing the Netgear and hope to get lucky. 3DES is not really a recommended encryption; one of the AES options is generally preferred.

Many times things like the order the policies appear in can cause messages like this. I always hated the ASA when you try to connect it to non-Cisco stuff.
It's been a long time since I used a Cisco ASA, but they have excellent debug information, most times without actually turning on the debug. You should be able to watch the session setup and see what phase the VPN is getting to. You can also capture the actual messages, and since the setup messages are not actually encrypted you should be able to see if the packets are getting damaged.

Now if the session actually sets up properly but you cannot pass traffic, that tends to be an MTU problem and something suppressing the ICMP messages telling the end client that the packet is too large.
 


When I have debugging on the ASA, these are the messages I keep receiving:

Tunnel Manager failed to dispatch a KEY_ACQUIRE message. Probable mis-configuration of the crypto map or tunnel-group. Map Tag = unknown. Map Sequence Number = 0.

Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 5

IP = 74.51.xxx.xxx, All SA proposals found unacceptable

IP = 74.51.xxx.xxx, Error processing payload: Payload ID: 1


So it appears that my remote VPN is hitting my ASA just not sure what is keeping them from connecting.
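The debug lines above say exactly what the ASA is rejecting: the Netgear proposes DH Group 2 while the only ISAKMP policy on the ASA is configured for Group 5, so no phase-1 proposal is acceptable, and "Map Tag = unknown" means no crypto map entry was ever selected for this peer. The following is an added example configuration, not the poster's config or anything from the thread, of how the HQ ASA side can be laid out so that a Netgear initiator with an unknown source address matches. It assumes ASA 8.4+ syntax (the `crypto ikev1` keywords; on older images the same settings live under `crypto isakmp policy` and `pre-shared-key` in the tunnel-group), and the object, ACL, transform-set and map names, the two LAN subnets and the key placeholder are all made up for the example.

```cisco
! Added example configuration (not from the original post). Assumed names: HQ-LAN,
! REMOTE-LAN, VPN-NETGEAR, ESP-AES256-SHA, DYN-NETGEAR, OUTSIDE_MAP; assumed subnets
! 10.10.0.0/24 (HQ) and 192.168.50.0/24 (remote). Replace them with your own.

! --- Phase 1 (IKEv1). The debug shows the ASA was configured for Group 5 and
! received Group 2. Either set the Netgear to DH group 5, or add a policy the
! Netgear's proposal can match. Policies are evaluated lowest sequence number
! first, so the preferred (AES-256 / group 5) policy goes first.
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto ikev1 policy 20
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400

! --- Peer with an unknown / changing public address (the Netgear on the hospital
! guest LAN). Such initiators are matched against DefaultL2LGroup, so the
! pre-shared key has to be set there, identical to the key typed into the Netgear.
tunnel-group DefaultL2LGroup ipsec-attributes
 ikev1 pre-shared-key <same-key-as-on-the-Netgear>

! --- Phase 2: interesting traffic, NAT exemption, and a dynamic crypto map.
! A dynamic map is what lets the ASA accept a peer it has no static entry for;
! it also means only the Netgear can initiate, which matches the poster's setup.
object network HQ-LAN
 subnet 10.10.0.0 255.255.255.0
object network REMOTE-LAN
 subnet 192.168.50.0 255.255.255.0
access-list VPN-NETGEAR extended permit ip object HQ-LAN object REMOTE-LAN
nat (inside,outside) source static HQ-LAN HQ-LAN destination static REMOTE-LAN REMOTE-LAN no-proxy-arp route-lookup
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map DYN-NETGEAR 10 match address VPN-NETGEAR
crypto dynamic-map DYN-NETGEAR 10 set ikev1 transform-set ESP-AES256-SHA
! PFS group must also match the Netgear's phase-2 setting, or drop the line if PFS is off there.
crypto dynamic-map DYN-NETGEAR 10 set pfs group5
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic DYN-NETGEAR
crypto map OUTSIDE_MAP interface outside

! --- Verification (run from enable mode, shown here as comments):
! show crypto ikev1 sa              -> peer should reach state MM_ACTIVE
! show crypto ipsec sa peer 74.51.x.x -> #pkts encaps/decaps should increase
! debug crypto ikev1 127            -> the same phase-1/phase-2 messages as in the post

! --- If both phases come up but traffic stalls (the MTU case from the reply):
! clamp TCP MSS and fragment before encryption instead of relying on ICMP
! "fragmentation needed" messages reaching the hosts through the guest LAN.
sysopt connection tcpmss 1350
crypto ipsec fragmentation before-encryption outside
```

The order of the two `crypto ikev1 policy` entries matters only for which proposal wins when both sides offer several; what actually clears the "All SA proposals found unacceptable" error is that at least one policy now has the same authentication, encryption, hash and DH group as the Netgear's phase-1 settings. After changing either side, clear the half-built SA (`clear crypto ikev1 sa`) before retesting, since the ASA will otherwise keep retrying the old negotiation.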
 