VPN Problem Cisco PIX v6 to Cisco ASA 5500


KB ID 0000761 Dtd 06/02/13


I found this out purely by accident today, while replacing an old PIX 506E that had died with an ASA 5505. The client's other site still had a PIX 506E (Running 6.3(5)). I was setting up the VPN, and noticed something that WOULD have been a problem if I had not spotted it.


Essentially the older PIX firewalls are set for 3DES encryption, MD5 Hashing and Diffie Hellman 2. After version 8.4 the ASA does not have a policy set for this, you need to create one. If I had simply gone ahead, phase 1 of the VPN tunnel would not have established and I would have seen;
Password: Type help or '?' for a list of available commands. Petes-ASA> en Password: ******** Petes-ASA#debug crypto isakmp 200 <<<<<<<LOTS Of DEBUG TEXT REMOVED>>>>>>> Apr 01 14:48:48 [IKEv1]: IP =, IKE_DECODE RECEIVED Message (msgid=ce4a3ffe) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 56 Apr 01 14:48:48 [IKEv1]: IP =, Received an un-encrypted NO_PROPOSAL_CHOSEN notify message, dropping Apr 01 14:48:48 [IKEv1]: IP =, Information Exchange processing failed <<<<<<<LOTS Of DEBUG TEXT REMOVED>>>>>>>
And phase 1 would have sat saying, MM_WAIT_MSG2. So you need to create a matching phase 1 (ISAKMP) policy on the ASA.

Create an IKE version 1 Policy via Command Line

1. Connect to the ASA and issue the following commands;
Sent username "pete" Type help or '?' for a list of available commands. Petes-ASA> Petes-ASA> enable Password: ******* Petes-ASA# configure terminal Petes-ASA(config)#crypto ikev1 policy 1 Petes-ASA(config-ikev1-policy)# authentication pre-share Petes-ASA(config-ikev1-policy)# encryption 3des Petes-ASA(config-ikev1-policy)# hash md5 Petes-ASA(config-ikev1-policy)# group 2 Petes-ASA(config-ikev1-policy)# lifetime 86400 Petes-ASA(config-ikev1-policy)# exit Petes-ASA(config)# write mem Building configuration... Cryptochecksum: b984ffbc dd77cdbf f2cd8d86 0b8f3f96 3965 bytes copied in 1.490 secs (3965 bytes/sec) [OK]

Create an IKE version 1 Policy via ASDM

If you are creating a Site to Site VPN tunnel from the ASDM wizard you can add the policy during step 6, like so;

ADSM and IKEv1 Policy

Or to add it after the tunnel has been created, Configuration > Site-to-Site VPN > Advanced > IKE Policies > Add > The priority may be changed, but set the rest of the settings as shown. > OK > Apply > File > Save Running Configuration to Flash.

ADSM and IKE Policy

Related Articles, References, Credits, or External


Cisco ASA5500 Site to Site VPN from ASDM Cisco PIX 500 - IPSEC Site to Site VPNs (v6)

Author: Migrated

Share This Post On