Tunnel VPN between two Cisco ASA5505 drops every 15-30 minutes
authentication attempts but never reconnects. I have to restart the appliance to bring the tunnel back up.
In the syslogs I found the following:
2010-07-07 13:28:34 Local4.Notice 10.0.0.254: Jul 07 10:22:22 UTC: %ASA-vpn-5-713259: Group = 74.126.85.149, IP = 74.126.85.149, Session is being torn down. Reason: Lost Service
2010-07-07 13:28:34 Local4.Warning 10.0.0.254: Jul 07 10:22:22 UTC: %ASA-auth-4-113019: Group = 74.126.85.149, Username = 74.126.85.149, IP = 74.126.85.149, Session disconnected. Session Type: IPsec, Duration: 0h:36m:03s, Bytes xmt: 584567664, Bytes rcv: 156692759, Reason: Lost Service
David,
Indeed, this might be the reason.
Any chance you can apply some kind of shaping? (If worst comes to worst, the ASA can do it fairly decently, but only in the outbound direction AFAIR.)
Marcin
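As a defender-side addition (example code, not from the thread), here is a Python parser for the two ASA messages in the question. It flags peers whose L2L tunnel is repeatedly torn down with "Reason: Lost Service" inside a time window, so a recurring flap like the one above surfaces from syslog before anyone has to reboot the appliance. The sample log lines are constructed to mirror the question's format; the ASA message wording is the standard 713259/113019 text, and the collector prefix ("date time facility.severity sender:") is assumed.

```python
"""Detect IPsec L2L tunnels that keep dropping with "Lost Service" in ASA syslog."""
import re
from collections import defaultdict
from datetime import datetime

# Collector prefix as in the question: "2010-07-07 13:28:34 Local4.Notice 10.0.0.254: ..."
PREFIX_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ (?P<asa>[\d.]+): ")
# %ASA-5-713259: tunnel being torn down, with the reason the ASA gives.
TEARDOWN_RE = re.compile(
    r"%ASA-(?:\w+-)?5-713259: Group = (?P<group>\S+), IP = (?P<ip>\S+), "
    r"Session is being torn down\. Reason: (?P<reason>.+?)\s*$")
# %ASA-4-113019: disconnect record carrying session duration and byte counters.
DISCONNECT_RE = re.compile(
    r"%ASA-(?:\w+-)?4-113019: .*IP = (?P<ip>\S+), Session disconnected\. "
    r"Session Type: (?P<stype>\S+), Duration: (?P<h>\d+)h:(?P<m>\d+)m:(?P<s>\d+)s, "
    r"Bytes xmt: (?P<xmt>\d+), Bytes rcv: (?P<rcv>\d+), Reason: (?P<reason>.+?)\s*$")

# Constructed sample: one peer drops twice with Lost Service, another is a normal disconnect.
SAMPLE_LOG = """\
2010-07-07 13:28:34 Local4.Notice 10.0.0.254: Jul 07 10:22:22 UTC: %ASA-5-713259: Group = 74.126.85.149, IP = 74.126.85.149, Session is being torn down. Reason: Lost Service
2010-07-07 13:28:34 Local4.Warning 10.0.0.254: Jul 07 10:22:22 UTC: %ASA-4-113019: Group = 74.126.85.149, Username = 74.126.85.149, IP = 74.126.85.149, Session disconnected. Session Type: IPsec, Duration: 0h:36m:03s, Bytes xmt: 584567664, Bytes rcv: 156692759, Reason: Lost Service
2010-07-07 13:50:10 Local4.Notice 10.0.0.254: Jul 07 10:44:01 UTC: %ASA-5-713259: Group = 74.126.85.149, IP = 74.126.85.149, Session is being torn down. Reason: Lost Service
2010-07-07 13:50:10 Local4.Warning 10.0.0.254: Jul 07 10:44:01 UTC: %ASA-4-113019: Group = 74.126.85.149, Username = 74.126.85.149, IP = 74.126.85.149, Session disconnected. Session Type: IPsec, Duration: 0h:21m:10s, Bytes xmt: 1200, Bytes rcv: 3400, Reason: Lost Service
2010-07-07 14:12:55 Local4.Notice 10.0.0.254: Jul 07 11:06:45 UTC: %ASA-5-713259: Group = 198.51.100.7, IP = 198.51.100.7, Session is being torn down. Reason: User Requested
2010-07-07 14:13:00 Local4.Info 10.0.0.254: Jul 07 11:06:50 UTC: %ASA-6-302013: Built inbound TCP connection 12 for outside:198.51.100.7/4321 (198.51.100.7/4321) to inside:10.0.0.5/443 (10.0.0.5/443)
"""


def parse_asa_vpn_event(line):
    """Return a dict for a 713259 or 113019 line, or None for anything else."""
    prefix = PREFIX_RE.match(line)
    if not prefix:
        return None
    ts = datetime.strptime(prefix.group("ts"), "%Y-%m-%d %H:%M:%S")
    m = TEARDOWN_RE.search(line)
    if m:
        return {"ts": ts, "asa": prefix.group("asa"), "kind": "teardown",
                "peer": m.group("ip"), "reason": m.group("reason")}
    m = DISCONNECT_RE.search(line)
    if m:
        duration = int(m.group("h")) * 3600 + int(m.group("m")) * 60 + int(m.group("s"))
        return {"ts": ts, "asa": prefix.group("asa"), "kind": "disconnect",
                "peer": m.group("ip"), "reason": m.group("reason"),
                "duration_s": duration, "xmt": int(m.group("xmt")), "rcv": int(m.group("rcv"))}
    return None


def find_flapping_peers(lines, window_s=3600, min_drops=2):
    """Peers with at least min_drops 'Lost Service' teardowns inside any window_s span.

    Returns {peer: {"drops_in_window": n, "avg_duration_s": seconds or None}}.
    """
    drops = defaultdict(list)      # peer -> timestamps of Lost Service teardowns
    durations = defaultdict(list)  # peer -> session durations from the 113019 records
    for line in lines:
        ev = parse_asa_vpn_event(line)
        if ev is None or ev["reason"] != "Lost Service":
            continue
        if ev["kind"] == "teardown":
            drops[ev["peer"]].append(ev["ts"])
        else:
            durations[ev["peer"]].append(ev["duration_s"])
    result = {}
    for peer, stamps in drops.items():
        stamps.sort()
        best = 0
        for i, start in enumerate(stamps):  # sliding window over sorted timestamps
            n = sum(1 for t in stamps[i:] if (t - start).total_seconds() <= window_s)
            best = max(best, n)
        if best >= min_drops:
            d = durations.get(peer, [])
            result[peer] = {"drops_in_window": best,
                            "avg_duration_s": (sum(d) // len(d)) if d else None}
    return result


if __name__ == "__main__":
    for peer, info in find_flapping_peers(SAMPLE_LOG.splitlines()).items():
        print(f"{peer}: {info['drops_in_window']} drops, avg session {info['avg_duration_s']} s")
```

Feeding the collector's file to find_flapping_peers with a window of an hour turns the "every 15-30 minutes" pattern into a single alert per peer, and the average session duration from the 113019 records tells you whether the drops cluster around a fixed interval (which points at a timer, e.g. DPD or rekey) or vary with load.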
Tags: Cisco Security
Similar Questions
-
L2L VPN between two ASA5505 does not work
Let me start by saying I know a thing or two about networks. VPN, not so much.
I am trying to configure a Site-to-Site VPN between two ASA 5505. I am building this in a lab in the office before I deploy it to the end sites. I followed the instructions on this very informative forum and think I have it set up correctly. I can see the tunnel being built and I see some incrementing of the traffic counters. But the real user sessions do not seem to work. For example, ping and telnet do not work.
An excerpt from the syslog for a ping test to a computer on the remote end.
(10.1.10.5 is the local computer, 10.1.11.5 is the remote computer, 10.1.11.1 is the inside interface of the remote ASA.)
Severity | Date | Time | Syslog ID | Source IP | Src Port | Destination IP | Dst Port | Description
6 | Jan 20, 2012 | 01:04:12 | 302021 | 10.1.11.1 | 0 | 10.1.10.5 | 1 | Teardown ICMP connection for faddr 10.1.11.1/0 gaddr 10.1.10.5/1 laddr 10.1.10.5/1
6 | Jan 20, 2012 | 01:04:10 | 302020 | 10.1.10.5 | 1 | 10.1.11.1 | 0 | Built outbound ICMP connection for faddr 10.1.11.1/0 gaddr 10.1.10.5/1 laddr 10.1.10.5/1
6 | Jan 20, 2012 | 01:04:07 | 302021 | 10.1.11.1 | 0 | 10.1.10.5 | 1 | Teardown ICMP connection for faddr 10.1.11.1/0 gaddr 10.1.10.5/1 laddr 10.1.10.5/1
6 | Jan 20, 2012 | 01:04:05 | 302020 | 10.1.10.5 | 1 | 10.1.11.1 | 0 | Built outbound ICMP connection for faddr 10.1.11.1/0 gaddr 10.1.10.5/1 laddr 10.1.10.5/1
6 | Jan 20, 2012 | 01:04:02 | 302021 | 10.1.11.1 | 0 | 10.1.10.5 | 1 | Teardown ICMP connection for faddr 10.1.11.1/0 gaddr 10.1.10.5/1 laddr 10.1.10.5/1
6 | Jan 20, 2012 | 01:04:00 | 302020 | 10.1.10.5 | 1 | 10.1.11.1 | 0 | Built outbound ICMP connection for faddr 10.1.11.1/0 gaddr 10.1.10.5/1 laddr 10.1.10.5/1
6 | Jan 20, 2012 | 01:03:57 | 302021 | 10.1.11.1 | 0 | 10.1.10.5 | 1 | Teardown ICMP connection for faddr 10.1.11.1/0 gaddr 10.1.10.5/1 laddr 10.1.10.5/1
6 | Jan 20, 2012 | 01:03:55 | 302020 | 10.1.10.5 | 1 | 10.1.11.1 | 0 | Built outbound ICMP connection for faddr 10.1.11.1/0 gaddr 10.1.10.5/1 laddr 10.1.10.5/1
6 | Jan 20, 2012 | 01:03:48 | 302021 | 10.1.11.5 | 0 | 10.1.10.5 | 1 | Teardown ICMP connection for faddr 10.1.11.5/0 gaddr 10.1.10.5/1 laddr 10.1.10.5/1
6 | Jan 20, 2012 | 01:03:46 | 302020 | 10.1.10.5 | 1 | 10.1.11.5 | 0 | Built outbound ICMP connection for faddr 10.1.11.5/0 gaddr 10.1.10.5/1 laddr 10.1.10.5/1
6 | Jan 20, 2012 | 01:03:43 | 302021 | 10.1.11.5 | 0 | 10.1.10.5 | 1 | Teardown ICMP connection for faddr 10.1.11.5/0 gaddr 10.1.10.5/1 laddr 10.1.10.5/1
6 | Jan 20, 2012 | 01:03:41 | 302020 | 10.1.10.5 | 1 | 10.1.11.5 | 0 | Built outbound ICMP connection for faddr 10.1.11.5/0 gaddr 10.1.10.5/1 laddr 10.1.10.5/1
6 | Jan 20, 2012 | 01:03:38 | 302021 | 10.1.11.5 | 0 | 10.1.10.5 | 1 | Teardown ICMP connection for faddr 10.1.11.5/0 gaddr 10.1.10.5/1 laddr 10.1.10.5/1
6 | Jan 20, 2012 | 01:03:36 | 302020 | 10.1.10.5 | 1 | 10.1.11.5 | 0 | Built outbound ICMP connection for faddr 10.1.11.5/0 gaddr 10.1.10.5/1 laddr 10.1.10.5/1
5 | Jan 20, 2012 | 01:03:32 | 713041 | | | | | IP = 192.168.24.211, IKE Initiator: New Phase 1, Intf inside, IKE Peer 192.168.24.211 local Proxy Address 10.1.10.0, remote Proxy Address 10.1.11.0, Crypto map (outside_map)
This is the configuration for one of them. The other is configured the same way with the usual mirrored settings.
ASA Version 8.2(1)
!
hostname ASATWDS
!
names
name 10.1.11.0 remote-network
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.1.10.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.24.210 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
access-list outside_1_cryptomap extended permit ip 10.1.10.0 255.255.255.0 remote-network 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.1.10.0 255.255.255.0 remote-network 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 192.168.24.1 1
route outside remote-network 255.255.255.0 192.168.24.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.1.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 192.168.24.211
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set phase1-mode aggressive
crypto map outside_map 1 set reverse-route
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 10.1.10.5-10.1.10.36 inside
dhcpd dns 209.18.47.61 209.18.47.62 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group 192.168.24.211 type ipsec-l2l
tunnel-group 192.168.24.211 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:b4bea5393489da3aa83f281d3107a32e
The configuration looks good to me, but I think you don't need the following:
crypto map outside_map 1 set phase1-mode aggressive
crypto map outside_map 1 set reverse-route
Anyway,
1> Can you please check whether the computer you are trying to ping or telnet to does not have a host-based firewall, anti-virus or iptables (Linux)?
2> Paste the output of
a> sh crypto ipsec sa
b> sh crypto isakmp sa
Manish
-
Easy VPN between two ASA 9.5 - Split tunnel does not work
Hi guys,
We have set up a site-to-site VPN using the Easy VPN configuration between two ASAs running version 9.5(1). The tunnels are up and ping works between the sites. I also configured split tunneling for Internet traffic under the group policy on the ASA Easy VPN server. But for some unknown reason all the client-side Internet traffic is sent to the primary site. I have configured NAT exemption on the server side and on the client side. Please advise whether there is any limitation in this setup.
Thank you and best regards,
Arjun T P
I have the same question and opened a support case.
It's a bug in software 9.5.1. See the bug: CSCuw22886
-
IPsec VPN between two routers - ESP Transport mode and Tunnel mode
Hi experts,
I have had this question about Transport mode and Tunnel mode for a while.
Based on my understanding, 'Transport' mode is not possible because you always have the original "internal" private IP addresses in the IP headers. They are always different from the public IP addresses on the interfaces where the crypto map is enabled. When encapsulated in the VPN tunnel, the internal IP addresses must be included or the remote VPN router won't know where to forward the packet.
To test, I built a simple GNS3 lab with three routers. R1 and R3 are configured as VPN routers and R2 simulates the Internet.
My configs are also very basic. R2 routes between 1.1.1.0/24 and 2.2.2.0/24. It is defined as the gateway of R1 and R3.
R1:
crypto isakmp policy 100
 encr aes
 authentication pre-share
 group 2
crypto isakmp key 123456 address 2.2.2.2
!
crypto ipsec transform-set ESP_null esp-null esp-sha-hmac
!
crypto map map 10 ipsec-isakmp
 set peer 2.2.2.2
 set transform-set ESP_null
 match address VPN
!
ip access-list extended VPN
 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255
!
R3:
crypto isakmp policy 100
 encr aes
 authentication pre-share
 group 2
crypto isakmp key 123456 address 1.1.1.2
!
!
crypto ipsec transform-set ESP_null esp-null esp-sha-hmac
!
crypto map map 10 ipsec-isakmp
 set peer 1.1.1.2
 set transform-set ESP_null
 match address VPN
!
ip access-list extended VPN
 permit ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255
I configured the transform set with "null" so that it will not encrypt the traffic.
Then I tried both 'transport' mode and 'tunnel' mode. I pinged from a host in R1's internal network to another host in R3's internal network. I also tried telnet. I also captured the packets and carefully compared them in both modes.
The packets are encapsulated in exactly the same way!
It's just SPI + sequence no. +
+ padding. I will attach my screenshots here for you guys to analyze. I would be grateful for any explanation. Maybe I am just confused when it comes to NAT...
I guess my next step is to check whether the two modes make a difference when GRE is used.
Thank you
Difan
Hi Difan,
As you point out, transport mode is not always applicable (i.e. it is applicable only if the IP source and destination are equal to the corresponding proxy IDs).
Typical scenarios in which transport mode is used:
- Encryption between two hosts
- GRE tunnels
- L2TP over IPsec
Even if you set "transport mode" this does not mean that it will be used. IOS routers, and I believe also the ASA, will fall back to tunnel mode even if transport mode is configured but does not apply.
I can take a look at your sniffer traces, but first of all can you please check whether you have transport mode on your IPsec security associations? The output of "show crypto ipsec sa" will show you tunnel or transport mode.
HTH,
Marcin
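To make the fallback rule in Marcin's reply concrete, here is an added Python example (not part of the original thread) that decides which ESP mode an SA actually ends up in and lays out the resulting ESP packet for each mode, so the difference Difan was looking for in his captures becomes visible as one extra inner IP header. It assumes IPv4 without options, esp-null with esp-sha-hmac (no IV, 12-byte ICV) as in the lab configs, the fall-back-to-tunnel behaviour described in the reply, and the standard 4-byte alignment of the ESP trailer; the host addresses 192.168.1.10 and 10.0.0.10 and the 84-byte ICMP echo are constructed.

```python
"""Why a transform-set in 'mode transport' can still produce tunnel-mode ESP.
Added example; the fallback rule follows Marcin's reply, sizes follow RFC 4303 ESP."""
import ipaddress

ESP_HDR = 8     # SPI (4) + sequence number (4)
IP_HDR = 20     # IPv4 header without options
ICV_SHA1 = 12   # HMAC-SHA1-96 integrity check value (esp-sha-hmac)


def transport_mode_applicable(src, dst, local_peer, remote_peer):
    """Transport mode can protect a packet only when its IP endpoints are the IKE peers."""
    ends = {ipaddress.ip_address(src), ipaddress.ip_address(dst)}
    peers = {ipaddress.ip_address(local_peer), ipaddress.ip_address(remote_peer)}
    return ends == peers


def negotiated_mode(configured_mode, src, dst, local_peer, remote_peer):
    """Mode the SA really uses: transport only if configured AND applicable, else tunnel."""
    if configured_mode == "transport" and transport_mode_applicable(src, dst, local_peer, remote_peer):
        return "transport"
    return "tunnel"   # assumed IOS behaviour: silent fallback to tunnel mode


def esp_layout(mode, inner_ip_len, cipher_block=4, iv_len=0, icv_len=ICV_SHA1):
    """Header layout and wire size of one ESP packet for a given original IPv4 packet.

    inner_ip_len is the full original packet (header + payload). With esp-null there
    is no IV and the only alignment rule is the 4-byte ESP trailer alignment.
    Returns (layout, wire_bytes).
    """
    if mode == "tunnel":
        protected = inner_ip_len          # whole original packet, IP header included
        layout = ["outer IP", "ESP(SPI,seq)"]
    else:
        protected = inner_ip_len - IP_HDR  # original IP header reused; L4 onwards protected
        layout = ["original IP", "ESP(SPI,seq)"]
    if iv_len:
        layout.append("IV")
    # pad so that protected data + pad + 2-byte trailer is a multiple of the block size
    pad = (-(protected + 2)) % cipher_block
    if mode == "tunnel":
        layout.append("inner IP")
    layout += ["payload", f"pad({pad})", "trailer(padlen,next)", "ICV"]
    wire = IP_HDR + ESP_HDR + iv_len + protected + pad + 2 + icv_len
    return layout, wire


def difan_lab(configured_modes=("transport", "tunnel")):
    """Difan's lab: hosts behind peers 1.1.1.2 and 2.2.2.2 (peers from the thread, hosts constructed).
    Returns {configured_mode: (negotiated_mode, wire_bytes for an 84-byte ICMP echo)}."""
    out = {}
    for cfg in configured_modes:
        mode = negotiated_mode(cfg, "192.168.1.10", "10.0.0.10", "1.1.1.2", "2.2.2.2")
        out[cfg] = (mode, esp_layout(mode, 84)[1])
    return out


if __name__ == "__main__":
    for cfg, (mode, size) in difan_lab().items():
        print(f"configured {cfg:9s} -> negotiated {mode}, {size} bytes on the wire")
    print("transport would have been:", esp_layout("transport", 84))
```

Because the lab traffic runs between 192.168.1.0/24 and 10.0.0.0/24 hosts rather than between the peers 1.1.1.2 and 2.2.2.2, both configurations negotiate tunnel mode and produce byte-identical encapsulation, which is exactly what the captures showed; only a flow whose endpoints are the peers themselves (or a GRE tunnel sourced from them) gets the 20-byte-shorter transport layout.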
-
Permanent IPsec tunnel between two ASAs
Hello
I configured an IPsec VPN tunnel between two ASA 5505 firewalls. I want to make sure that the IPsec tunnel (that is, the security association) is permanent and does not drop due to idle state.
What should I do?
Thanks for any help
Yves
Disable IKE keepalive processing, which is enabled by default:
hostname(config)# tunnel-group 10.165.205.222 ipsec-attributes
hostname(config-tunnel-ipsec)# isakmp keepalive disable
Set a maximum time for VPN connections with the vpn-session-timeout command in group-policy configuration mode or username configuration mode:
hostname(config)# group-policy DfltGrpPolicy attributes
hostname(config-group-policy)# vpn-idle-timeout none
hostname(config)# group-policy DfltGrpPolicy attributes
hostname(config-group-policy)# vpn-session-timeout none
Thank you
Ajay
-
ASA 5505 - I can't create an IPsec VPN between two ASA 5505
Hello
I have two ASA 5505 with the base license and I'm trying to create an IPsec VPN using the CLI. Here are the steps I did:
1. Configure ASA-1 (hostname, VLAN 1 and VLAN 2).
2. Configure a static route.
3. Create the network objects (local and remote).
4. Create the access list.
5. Create the IKEv1 crypto configuration.
6. Create the tunnel-group.
7. Configure NAT.
And I repeated the steps above on the other ASA, but with different IP addresses.
Are the above steps correct?
Why can I not create an IPsec VPN between the devices?
No, you needn't. The ASA configuration is OK. Packet tracer proved it. I think it can be a problem on the hosts. Please check the firewall on the PC and try to turn it off, if it is running.
-
Need some advice about a VPN between a local Cisco router and a remote Watchguard
Hi all
I am configuring a Cisco 887 router to VPN to a Watchguard device at the remote site.
From what I understand, the VPN tunnel is UP. I can ping the remote server on the 192.168.110.0 network, but whenever I try to browse to it from the local server, it doesn't work.
I can ping the remote server via its IP address from the local server, but not from the Cisco router. Is this working as expected?
--------------------------------------------------------------------------------------
R5Router#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
110.142.127.237 122.3.112.10    QM_IDLE           2045 ACTIVE

IPv6 Crypto ISAKMP SA
--------------------------------------------------------------------------------------
R5Router#sh crypto session
Crypto session current status

Interface: Virtual-Access2
Session status: DOWN
Peer: 122.3.112.10 port 500
  IPSEC FLOW: permit ip 192.168.0.0/255.255.255.0 192.168.110.0/255.255.255.0
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit 1 192.168.0.0/255.255.255.0 192.168.110.0/255.255.255.0
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit 6 192.168.0.0/255.255.255.0 192.168.110.0/255.255.255.0
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip host 122.3.112.10 192.168.0.0/255.255.255.0
        Active SAs: 0, origin: crypto map

Interface: Dialer0
Session status: UP-ACTIVE
Peer: 122.3.112.10 port 500
  IKEv1 SA: local 110.142.127.237/500 remote 122.3.112.10/500 Active
  IPSEC FLOW: permit ip 192.168.0.0/255.255.255.0 192.168.110.0/255.255.255.0
        Active SAs: 2, origin: crypto map
  IPSEC FLOW: permit 1 192.168.0.0/255.255.255.0 192.168.110.0/255.255.255.0
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit 6 192.168.0.0/255.255.255.0 192.168.110.0/255.255.255.0
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip host 122.3.112.10 192.168.0.0/255.255.255.0
        Active SAs: 0, origin: crypto map
Crypto ACL 102 should really include only 1 line, that is:
10 permit ip 192.168.0.0 0.0.0.255 192.168.110.0 0.0.0.255
and you should have the mirror-image ACL line on the remote end too.
Pls remove the remaining lines from ACL 102.
I guess that ACL 101 is the NAT exemption; if it is, pls include "deny ip 192.168.0.0 0.0.0.255 192.168.110.0 0.0.0.255" on top of your current "permit" line.
Clear the tunnels as well as the NAT translation table after the changes described above.
-
VPN between two XP computers via a DSL connection
Is it possible to remotely connect two XP computers via a DSL connection using VPN?
Hello
To establish a VPN connection, one end must act as a VPN server.
There are hardware devices (such as some routers) that can do the job.
Or try this: http://www.aeonity.com/frost/howto-windows-xp-vpn-server-setup
-
Number of records between two dates which lasted more than a minute
I need to count the number of events/records in a single table that holds the appointment dates and how long the appointments lasted; in another table I have two cells holding dates (start and end dates) that give a range. I want to count the number of appointments that lasted more than a minute and fall into that range.
I am sure that this is COUNTIFS, and I have tried to make it work.
Hope you can help.
Thank you
You could do something like this.
The data table on the left is named "Data".
In the table on the right, enter the Start Date, End Date and Min time.
D2 = COUNTIFS(Data::B, ">="&C2, Data::A, ">="&A2, Data::A, ")<>
In short: select cell D2, then type (or copy and paste) the formula:
= COUNTIFS(Data::B, ">="&C2, Data::A, ">="&A2, Data::A, ")<>
-
How to configure a backup VPN between two universities?
Hello, I am a student from Greece and I have a graduation project to configure a backup VPN between two universities. The principal communication is made with leased lines. I have studied a lot, but now that it's time for implementation I have some questions:
- What hardware and IOS software do I need? Is a Cisco 1841 OK for the A and D routers?
- Use GRE over IPsec in transport mode, or IPsec tunnel mode?
- What will be the failover mechanism for switching traffic from the leased lines to the IP VPN backup and back? A teacher told me something about interface priorities. I read somewhere that this is done with a routing protocol such as EIGRP. Who was right, the professor or the book? :-D
- In the same place they have a firewall and NAT; do I need to take any action for this?
The attached file contains the topology I want to implement.
Site 1 is 'my' site.
Site 2 is the central site.
E communicates with A, but no traffic goes from E to A under normal circumstances. The subnet on E accesses the Internet through F, then D. The VPN will be implemented on the LAN, but specific source traffic from E will pass through the backdoor VPN (I think the solution to this is an ACL on the router). They have no routing protocol in 'my' site, just directly connected routers and default routes.
How do I implement this?
I think the first thing to do is A-to-D connectivity.
I will try to do this in Packet Tracer first, but how can I imitate the SP network?
I need all the help I can get!
Hi John,
In your scenario, given that your main connection is a direct leased line between E and F, I guess there is no other network between the two routers. In this case we do not need to configure SLA monitoring or any interface priority. We can simply enter two default routes:
ip route
ip route 254
In this scenario, if the leased line interface goes down, the second default route is used and the traffic should be routed via router A.
SLA monitoring monitors the connection (using ping tests) through one of the router's interfaces, and when we are not able to ping a server (specified in the SLA configuration) through that interface, the tracked default route is withdrawn so that traffic goes through some other interface.
So, in your scenario, we can monitor the connection between E and F, and when the link goes down, we can change the default route to point to A.
This is useful in the scenario where we have another ISP connection as our primary connection.
Here is a link on how to configure SLA monitoring on the router:
http://www.Cisco.com/en/us/docs/iOS/12_4/ip_sla/configuration/guide/hsicmp.html
After you have configured the SLA tracking using the link above, you can bind it to the default route with the following command lines:
ip route track  // main default route
ip route 255  // default route with a higher metric that comes into play when the main default route goes down
In addition, the sample configuration that you gave in the doc is almost correct; the transform set is just missing a hashing algorithm. Here is a link with an example of a LAN-to-LAN tunnel between two routers:
-
Problem establishing a GRE/IPsec tunnel between 2 Cisco routers
Hello world
I am trying to establish a GRE over IPsec tunnel between two Cisco routers (a 2620XM and an 836).
I created tunnel interfaces on both routers as follows.
2620XM
interface Tunnel0
 ip address 10.1.5.2 255.255.255.252
 tunnel source x.x.x.x
 tunnel destination y.y.y.y
end
836
interface Tunnel0
 ip address 10.1.5.1 255.255.255.252
 tunnel source y.y.y.y
 tunnel destination x.x.x.x
end
and the isakmp/ipsec configuration as follows,
2620XM
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key {key} address y.y.y.y no-xauth
!
!
crypto ipsec transform-set to_melissia esp- esp-md5-hmac
!
crypto map myvpn 9 ipsec-isakmp
 set peer y.y.y.y
 set transform-set to_melissia
 match address 101
2620XM-router#sh ip access-list 101
Extended IP access list 101
    10 permit gre host x.x.x.x host y.y.y.y
836
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key {key} address x.x.x.x no-xauth
!
!
crypto ipsec transform-set to_metamorfosi esp- esp-md5-hmac
!
crypto map myvpn 10 ipsec-isakmp
 set peer x.x.x.x
 set transform-set to_metamorfosi
 match address 101
836-router#sh access-list 101
Extended IP access list 101
    10 permit gre host x.x.x.x host y.y.y.y
Unfortunately I have no isakmp security associations at all, and when I enable debugging I get this output:
IPSEC(crypto_map_check_encrypt_core): CRYPTO: Dropped packet as cryptomap is currently being created.
Any ideas why I get this result? Any help would be a great help.
Thank you!!!
I think it's possible. It seems to me that you are assuming that the address of the interface where the crypto map is applied is the peering address. While this is the default behavior, it is possible to configure it differently.
As you have discovered, the crypto map must be on the physical outgoing interface. If you want the peering address to have a different value from the physical outgoing interface address, then you can add this command to your crypto map:
crypto map <map-name> local-address <interface-id>
So if you put loopback0 as the interface-id, then it would use loopback0 as the peering address even though the crypto map may be applied on serial0/0 or another physical interface.
HTH
Rick
-
VPN between 2 Cisco 1841 routers (LAN to LAN)
Hello
I need to connect two offices (two different LANs) together using Cisco 1841 routers at both ends.
Currently both Cisco routers are in working order and act as the Internet gateway for the LAN clients (doing NAT).
Can anybody please advise what the easiest method is to configure a VPN between the two sites, so that LAN users at one office are able to access the email/application servers at the other office's LAN?
I understand I need an IPsec Site-to-Site VPN (I think).
Can anyone please advise.
Regards.
s.nasheet wrote:
Hi,
I need to connect two offices (two different LANs) together using cisco 1841 routers at both ends.
Currently both cisco routers are in working order and acting as an internet gateway to the LAN clients (doing NAT).
Can anybody please advise what the easiest method is to configure VPN between two sites so that LAN users at one office are able to access the email/application servers at the other LAN office.
I understand I need IPSec Site to Site VPN (I think).
Can anyone please advise.
Regards.
Yes, you need a site-to-site VPN. Start with this link, which gives a number of examples of setting up an S2S VPN between 2 Cisco routers.
http://www.Cisco.com/en/us/Tech/tk583/TK372/tech_configuration_examples_list.html#anchor16
Jon
-
IPsec VPN between Cisco and ScreenOS
Hello
I'm trying to set up a simple IPsec VPN between a Cisco 2911 router and a Juniper Netscreen ScreenOS device (I don't know the exact model right now). Initially the debugging looks good (QM_IDLE), but the ISAKMP security association is then deleted.
The guy managing the Juniper device sent me an extract from his log:
###########################################################################
2012-08-28 10:24:16 system info 00536 IKE Phase 2 msg ID 9b839579: Negotiations have failed.
2012-08-28 10:24:16 system info 00536 Rejected an IKE packet on loopback.11 from :500 to 217.150.152.45:500 with cookies 87960e39d074ca49 and 9302d26c7ce324a5 because there were no acceptable Phase 2 proposals.
He has defined the following phase 2 proposal:
set ike p2-proposal "G2_esp_aes256_sha_1800s" group2 esp aes256 sha-1 second 1800
###########################################################################
And I use these:
###########################################################################
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp key <key> address 217.150.152.45
crypto ipsec transform-set esp-aes esp-aes 256 esp-sha-hmac
crypto map vpn 2 ipsec-isakmp
 description * VPN Anbindung nach PKI in Magdeburg *
 set peer 217.150.152.45
 set security-association lifetime seconds 1800
 set transform-set esp-aes
 match address PKI-TRAFFIC
!
###########################################################################
Here is my log:
#################################################################################################################
Aug 28 08:23:46.416: ISAKMP:(0): SA request profile is (NULL)
Aug 28 08:23:46.416: ISAKMP: Created a peer struct for 217.150.152.45, peer port 500
Aug 28 08:23:46.416: ISAKMP: New peer created peer = 0x2A2D7150 peer_handle = 0x8000003A
Aug 28 08:23:46.416: ISAKMP: Locking peer struct 0x2A2D7150, refcount 1 for isakmp_initiator
Aug 28 08:23:46.416: ISAKMP: local port 500, remote port 500
Aug 28 08:23:46.416: ISAKMP: set new node 0 to QM_IDLE
Aug 28 08:23:46.416: ISAKMP:(0):insert sa successfully sa = 31627E04
Aug 28 08:23:46.416: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
Aug 28 08:23:46.416: ISAKMP:(0):found peer pre-shared key matching 217.150.152.45
Aug 28 08:23:46.416: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
Aug 28 08:23:46.416: ISAKMP:(0): constructed NAT-T vendor-07 ID
Aug 28 08:23:46.416: ISAKMP:(0): constructed NAT-T vendor-03 ID
Aug 28 08:23:46.416: ISAKMP:(0): constructed NAT-T vendor-02 ID
Aug 28 08:23:46.416: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Aug 28 08:23:46.416: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
Aug 28 08:23:46.416: ISAKMP:(0): beginning Main Mode exchange
Aug 28 08:23:46.416: ISAKMP:(0): sending packet to 217.150.152.45 my_port 500 peer_port 500 (I) MM_NO_STATE
Aug 28 08:23:46.416: ISAKMP:(0):Sending an IKE IPv4 Packet.
Aug 28 08:23:46.448: ISAKMP (0): received packet from 217.150.152.45 dport 500 sport 500 Global (I) MM_NO_STATE
Aug 28 08:23:46.448: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Aug 28 08:23:46.448: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2
Aug 28 08:23:46.448: ISAKMP:(0): processing SA payload. message ID = 0
Aug 28 08:23:46.448: ISAKMP:(0): processing vendor id payload
Aug 28 08:23:46.448: ISAKMP:(0): vendor ID seems Unity/DPD but major 239 mismatch
Aug 28 08:23:46.448: ISAKMP:(0): processing vendor id payload
Aug 28 08:23:46.448: ISAKMP:(0): vendor ID is DPD
Aug 28 08:23:46.448: ISAKMP:(0): processing vendor id payload
Aug 28 08:23:46.448: ISAKMP:(0): processing IKE frag vendor id payload
Aug 28 08:23:46.448: ISAKMP:(0):Support for IKE Fragmentation not enabled
Aug 28 08:23:46.448: ISAKMP:(0):found peer pre-shared key matching 217.150.152.45
Aug 28 08:23:46.448: ISAKMP:(0): local preshared key found
Aug 28 08:23:46.448: ISAKMP : Scanning profiles for xauth ...
Aug 28 08:23:46.448: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
Aug 28 08:23:46.448: ISAKMP:      encryption AES-CBC
Aug 28 08:23:46.448: ISAKMP:      hash SHA
Aug 28 08:23:46.448: ISAKMP:      default group 2
Aug 28 08:23:46.448: ISAKMP:      auth pre-share
Aug 28 08:23:46.448: ISAKMP:      keylength of 256
Aug 28 08:23:46.448: ISAKMP:      life type in seconds
Aug 28 08:23:46.448: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
Aug 28 08:23:46.448: ISAKMP:(0):atts are acceptable. Next payload is 0
Aug 28 08:23:46.448: ISAKMP:(0):Acceptable atts:actual life: 0
Aug 28 08:23:46.448: ISAKMP:(0):Acceptable atts:life: 0
Aug 28 08:23:46.448: ISAKMP:(0):Fill atts in sa vpi_length:4
Aug 28 08:23:46.448: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
Aug 28 08:23:46.448: ISAKMP:(0):Returning Actual lifetime: 86400
Aug 28 08:23:46.448: ISAKMP:(0):Started lifetime timer: 86400.
Aug 28 08:23:46.448: ISAKMP:(0): processing vendor id payload
Aug 28 08:23:46.448: ISAKMP:(0): vendor ID seems Unity/DPD but major 239 mismatch
Aug 28 08:23:46.448: ISAKMP:(0): processing vendor id payload
Aug 28 08:23:46.448: ISAKMP:(0): vendor ID is DPD
Aug 28 08:23:46.448: ISAKMP:(0): processing vendor id payload
Aug 28 08:23:46.448: ISAKMP:(0): processing IKE frag vendor id payload
Aug 28 08:23:46.448: ISAKMP:(0):Support for IKE Fragmentation not enabled
Aug 28 08:23:46.448: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Aug 28 08:23:46.448: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2
Aug 28 08:23:46.448: ISAKMP:(0): sending packet to 217.150.152.45 my_port 500 peer_port 500 (I) MM_SA_SETUP
Aug 28 08:23:46.448: ISAKMP:(0):Sending an IKE IPv4 Packet.
Aug 28 08:23:46.452: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Aug 28 08:23:46.452: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3
Aug 28 08:23:46.484: ISAKMP (0): received packet from 217.150.152.45 dport 500 sport 500 Global (I) MM_SA_SETUP
Aug 28 08:23:46.484: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Aug 28 08:23:46.484: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4
Aug 28 08:23:46.484: ISAKMP:(0): processing KE payload. message ID = 0
Aug 28 08:23:46.508: ISAKMP:(0): processing NONCE payload. message ID = 0
Aug 28 08:23:46.508: ISAKMP:(0):found peer pre-shared key matching 217.150.152.45
Aug 28 08:23:46.508: ISAKMP:(1049):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Aug 28 08:23:46.508: ISAKMP:(1049):Old State = IKE_I_MM4  New State = IKE_I_MM4
Aug 28 08:23:46.508: ISAKMP:(1049):Send initial contact
Aug 28 08:23:46.508: ISAKMP:(1049):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
Aug 28 08:23:46.508: ISAKMP (1049): ID payload
        next-payload : 8
        type         : 1
        address      : 92.67.80.237
        protocol     : 17
        port         : 500
        length       : 12
Aug 28 08:23:46.508: ISAKMP:(1049):Total payload length: 12
Aug 28 08:23:46.508: ISAKMP:(1049): sending packet to 217.150.152.45 my_port 500 peer_port 500 (I) MM_KEY_EXCH
Aug 28 08:23:46.508: ISAKMP:(1049):Sending an IKE IPv4 Packet.
Aug 28 08:23:46.508: ISAKMP:(1049):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Aug 28 08:23:46.508: ISAKMP:(1049):Old State = IKE_I_MM4  New State = IKE_I_MM5
Aug 28 08:23:46.540: ISAKMP (1049): received packet from 217.150.152.45 dport 500 sport 500 Global (I) MM_KEY_EXCH
Aug 28 08:23:46.540: ISAKMP:(1049): processing ID payload. message ID = 0
Aug 28 08:23:46.540: ISAKMP (1049): ID payload
        next-payload : 8
        type         : 1
        address      : 217.150.152.45
        protocol     : 17
        port         : 500
        length       : 12
Aug 28 08:23:46.540: ISAKMP:(0):: peer matches *none* of the profiles
Aug 28 08:23:46.540: ISAKMP:(1049): processing HASH payload. message ID = 0
Aug 28 08:23:46.540: ISAKMP:(1049):SA authentication status:
        authenticated
Aug 28 08:23:46.540: ISAKMP:(1049):SA has been authenticated with 217.150.152.45
Aug 28 08:23:46.540: ISAKMP: Trying to insert a peer /217.150.152.45/500/,  and inserted successfully 2A2D7150.
Aug 28 08:23:46.540: ISAKMP:(1049):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Aug 28 08:23:46.540: ISAKMP:(1049):Old State = IKE_I_MM5  New State = IKE_I_MM6
Aug 28 08:23:46.540: ISAKMP:(1049):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Aug 28 08:23:46.540: ISAKMP:(1049):Old State = IKE_I_MM6  New State = IKE_I_MM6
Aug 28 08:23:46.540: ISAKMP:(1049):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Aug 28 08:23:46.540: ISAKMP:(1049):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
Aug 28 08:23:46.540: ISAKMP:(1049):beginning Quick Mode exchange, M-ID of 1582159006
Aug 28 08:23:46.552: ISAKMP:(1049):QM Initiator gets spi
Aug 28 08:23:46.552: ISAKMP:(1049): sending packet to 217.150.152.45 my_port 500 peer_port 500 (I) QM_IDLE
Aug 28 08:23:46.552: ISAKMP:(1049):Sending an IKE IPv4 Packet.
Aug 28 08:23:46.552: ISAKMP:(1049):Node 1582159006, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
Aug 28 08:23:46.552: ISAKMP:(1049):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
Aug 28 08:23:46.552: ISAKMP:(1049):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Aug 28 08:23:46.552: ISAKMP:(1049):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
Aug 28 08:23:46.584: ISAKMP (1049): received packet from 217.150.152.45 dport 500 sport 500 Global (I) QM_IDLE
Aug 28 08:23:46.584: ISAKMP: set new node -452721455 to QM_IDLE
Aug 28 08:23:46.584: ISAKMP:(1049): processing HASH payload. message ID = -452721455
Aug 28 08:23:46.584: ISAKMP:(1049): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 1
        spi 0, message ID = -452721455, sa = 0x31627E04
Aug 28 08:23:46.584: ISAKMP:(1049): peer does not do paranoid keepalives.
Aug 28 08:23:46.584: ISAKMP:(1049):deleting SA reason "Recevied fatal information" state (I) QM_IDLE (peer 217.150.152.45)
Aug 28 08:23:46.584: ISAKMP:(1049):deleting node -452721455 error FALSE reason "Informational (in) state 1"
Aug 28 08:23:46.584: ISAKMP:(1049):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Aug 28 08:23:46.584: ISAKMP:(1049):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
Aug 28 08:23:46.584: ISAKMP: set new node 494253780 to QM_IDLE
Aug 28 08:23:46.584: ISAKMP:(1049): sending packet to 217.150.152.45 my_port 500 peer_port 500 (I) QM_IDLE
28 August 08:23:46.584: ISAKMP: (1049): sending a packet IPv4 IKE.
28 August 08:23:46.584: ISAKMP: (1049): purge the node 494253780
28 August 08:23:46.584: ISAKMP: (1049): entry = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
28 August 08:23:46.584: ISAKMP: (1049): former State = new State IKE_P1_COMPLETE = IKE_DEST_SA
28 August 08:23:46.584: ISAKMP: (1049): remove the reason for HIS "fatal Recevied of information' State (I) QM_IDLE (post 217.150.152.45)
Intertoys_Zentrale_Waddinxveen_01 #.
28 August 08:23:46.584: ISAKMP: Unlocking counterpart struct 0x2A2D7150 for isadb_mark_sa_deleted(), count 0
28 August 08:23:46.584: ISAKMP: delete peer node by peer_reap for 217.150.152.45: 2A2D7150
28 August 08:23:46.584: ISAKMP: (1049): node-1582159006 error suppression FALSE reason 'IKE deleted.
28 August 08:23:46.584: ISAKMP: (1049): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
28 August 08:23:46.584: ISAKMP: (1049): former State = new State IKE_DEST_SA = IKE_DEST_SA
#################################################################################################################
Is there something special that needs to be addressed when creating a VPN for Juniper devices?
Greetings
Thomas
The IPSec peer has PFS enabled; do the same in your crypto map:
crypto map vpn 2 ipsec-isakmp
 set pfs group2
IPSEC VPN tunnel (LAN to LAN) not passing traffic
I have a temporary scenario in which I need to establish an IPSEC VPN between a branch (Cisco router) and HQ (VPN concentrator).
The tunnel is established fine, but traffic stops passing after some 5-10 minutes. I have to manually clear the crypto session and then connectivity is fine. To test the above, I send ICMP packets from the branch to HQ. I can see 'crypto isakmp sa' and 'crypto ipsec sa' active and fine.
Share your opinion on this, guys!
Hello
Make sure that the lifetimes match on the router and the concentrator.
This is a doc for IPSEC troubleshooting:
http://www.Cisco.com/en/us/customer/products/ps6120/products_tech_note09186a00807e0aca.shtml
Parminder Sian
-
IPSEC site-to-site VPN tunnel will not come up.
Hello Experts,
I was wondering if I can get help on creating an IPSEC VPN tunnel between a Cisco 2921 and an ASA 550x. Here is the config:
sh run | s crypto
crypto pki token default removal timeout 0
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key xxxxxxxxxxxxxxxxxxxxxx address A.A.A.A
crypto ipsec transform-set ESP-AES128-SHA esp-aes esp-sha-hmac
 mode transport
crypto map ICQ-2-ILAND 1 ipsec-isakmp
 set peer A.A.A.A
 set transform-set ESP-AES128-SHA
 match address iland_london_s2s_vpn
crypto map ICQ-2-ILAND
The config on the remote end has not been shared with me, so I don't know if I'm doing something wrong locally, or if the remote end is configured incorrectly.
The command sh crypto isakmp sa gives the following output:
show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
A.A.A.A         B.B.B.B         MM_NO_STATE       1231 ACTIVE (deleted)

IPv6 Crypto ISAKMP SA

show crypto session
Crypto session current status

Interface: GigabitEthernet0/0
Session status: DOWN-NEGOTIATING
Peer: A.A.A.A port 500
  IKEv1 SA: local B.B.B.B/500 remote A.A.A.A/500 Inactive
  IKEv1 SA: local B.B.B.B/500 remote A.A.A.A/500 Inactive
  IPSEC FLOW: permit ip 10.20.111.0/255.255.255.0 10.120.1.0/255.255.255.0
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 10.10.0.0/255.255.0.0 10.120.1.0/255.255.255.0
        Active SAs: 0, origin: crypto map
The debug crypto isakmp logs are listed below.
ISAKMP:(0): local preshared key found
Dec  6 08:51:52.019: ISAKMP: Scanning profiles for xauth ...
Dec  6 08:51:52.019: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
Dec  6 08:51:52.019: ISAKMP:      encryption AES-CBC
Dec  6 08:51:52.019: ISAKMP:      keylength of 128
Dec  6 08:51:52.019: ISAKMP:      hash SHA
Dec  6 08:51:52.019: ISAKMP:      default group 2
Dec  6 08:51:52.019: ISAKMP:      auth pre-share
Dec  6 08:51:52.019: ISAKMP:      life type in seconds
Dec  6 08:51:52.019: ISAKMP:      life duration (basic) of 28800
Dec  6 08:51:52.019: ISAKMP:(0):atts are acceptable. Next payload is 0
Dec  6 08:51:52.019: ISAKMP:(0):Acceptable atts:actual life: 0
Dec  6 08:51:52.019: ISAKMP:(0):Acceptable atts:life: 0
Dec  6 08:51:52.019: ISAKMP:(0):Basic life_in_seconds:28800
Dec  6 08:51:52.019: ISAKMP:(0):Returning Actual lifetime: 28800
Dec  6 08:51:52.019: ISAKMP:(0):Started lifetime timer: 28800.
Dec  6 08:51:52.019: ISAKMP:(0): processing vendor id payload
Dec  6 08:51:52.019: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
Dec  6 08:51:52.019: ISAKMP:(0): vendor ID is NAT-T v2
Dec  6 08:51:52.019: ISAKMP:(0): processing vendor id payload
Dec  6 08:51:52.019: ISAKMP:(0): processing IKE frag vendor id payload
Dec  6 08:51:52.019: ISAKMP:(0):Support for IKE Fragmentation not enabled
Dec  6 08:51:52.019: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Dec  6 08:51:52.019: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2
Dec  6 08:51:52.019: ISAKMP:(0): sending packet to A.A.A.A my_port 500 peer_port 500 (I) MM_SA_SETUP
Dec  6 08:51:52.019: ISAKMP:(0):Sending an IKE IPv4 Packet.
Dec  6 08:51:52.019: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Dec  6 08:51:52.019: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3
Dec  6 08:51:52.155: ISAKMP (0): received packet from A.A.A.A dport 500 sport 500 Global (I) MM_SA_SETUP
Dec  6 08:51:52.155: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Dec  6 08:51:52.155: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4
Dec  6 08:51:52.155: ISAKMP:(0): processing KE payload. message ID = 0
Dec  6 08:51:52.175: ISAKMP:(0): processing NONCE payload. message ID = 0
Dec  6 08:51:52.175: ISAKMP:(0):found peer pre-shared key matching A.A.A.A
Dec  6 08:51:52.175: ISAKMP:(1227): processing vendor id payload
Dec  6 08:51:52.175: ISAKMP:(1227): vendor ID is Unity
Dec  6 08:51:52.175: ISAKMP:(1227): processing vendor id payload
Dec  6 08:51:52.175: ISAKMP:(1227): vendor ID seems Unity/DPD but major 92 mismatch
Dec  6 08:51:52.175: ISAKMP:(1227): vendor ID is XAUTH
Dec  6 08:51:52.175: ISAKMP:(1227): processing vendor id payload
Dec  6 08:51:52.175: ISAKMP:(1227): speaking to another IOS box!
Dec  6 08:51:52.175: ISAKMP:(1227): processing vendor id payload
Dec  6 08:51:52.175: ISAKMP:(1227): vendor ID seems Unity/DPD but hash mismatch
Dec  6 08:51:52.175: ISAKMP:received payload type 20
Dec  6 08:51:52.175: ISAKMP (1227): His hash no match - this node outside NAT
Dec  6 08:51:52.175: ISAKMP:received payload type 20
Dec  6 08:51:52.175: ISAKMP (1227): No NAT Found for self or peer
Dec  6 08:51:52.175: ISAKMP:(1227):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Dec  6 08:51:52.179: ISAKMP:(1227):Old State = IKE_I_MM4  New State = IKE_I_MM4
Dec  6 08:51:52.179: ISAKMP:(1227):Send initial contact
Dec  6 08:51:52.179: ISAKMP:(1227):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
Dec  6 08:51:52.179: ISAKMP (1227): ID payload
        next-payload : 8
        type         : 1
        address      : B.B.B.B
        protocol     : 17
        port         : 500
        length       : 12
Dec  6 08:51:52.179: ISAKMP:(1227):Total payload length: 12
Dec  6 08:51:52.179: ISAKMP:(1227): sending packet to A.A.A.A my_port 500 peer_port 500 (I) MM_KEY_EXCH
Dec  6 08:51:52.179: ISAKMP:(1227):Sending an IKE IPv4 Packet.
Dec  6 08:51:52.179: ISAKMP:(1227):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Dec  6 08:51:52.179: ISAKMP:(1227):Old State = IKE_I_MM4  New State = IKE_I_MM5
Dec  6 08:51:52.315: ISAKMP (1227): received packet from A.A.A.A dport 500 sport 500 Global (I) MM_KEY_EXCH
Dec  6 08:51:52.315: ISAKMP:(1227): processing ID payload. message ID = 0
Dec  6 08:51:52.315: ISAKMP (1227): ID payload
        next-payload : 8
        type         : 1
        address      : A.A.A.A
        protocol     : 17
        port         : 0
        length       : 12
Dec  6 08:51:52.315: ISAKMP:(0):: peer matches *none* of the profiles
Dec  6 08:51:52.315: ISAKMP:(1227): processing HASH payload. message ID = 0
Dec  6 08:51:52.315: ISAKMP:received payload type 17
Dec  6 08:51:52.315: ISAKMP:(1227): processing vendor id payload
Dec  6 08:51:52.315: ISAKMP:(1227): vendor ID is DPD
Dec  6 08:51:52.315: ISAKMP:(1227):SA authentication status:
        authenticated
Dec  6 08:51:52.315: ISAKMP:(1227):SA has been authenticated with A.A.A.A
Dec  6 08:51:52.315: ISAKMP: Trying to insert a peer B.B.B.B/A.A.A.A/500/, and inserted successfully 2B79E8BC.
Dec  6 08:51:52.315: ISAKMP:(1227):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Dec  6 08:51:52.315: ISAKMP:(1227):Old State = IKE_I_MM5  New State = IKE_I_MM6
Dec  6 08:51:52.315: ISAKMP:(1227):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Dec  6 08:51:52.315: ISAKMP:(1227):Old State = IKE_I_MM6  New State = IKE_I_MM6
Dec  6 08:51:52.315: ISAKMP:(1227):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Dec  6 08:51:52.315: ISAKMP:(1227):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
Dec  6 08:51:52.315: ISAKMP:(1227):beginning Quick Mode exchange, M-ID of 1511581970
Dec  6 08:51:52.315: ISAKMP:(1227):QM Initiator gets spi
Dec  6 08:51:52.315: ISAKMP:(1227): sending packet to A.A.A.A my_port 500 peer_port 500 (I) QM_IDLE
Dec  6 08:51:52.315: ISAKMP:(1227):Sending an IKE IPv4 Packet.
Dec  6 08:51:52.315: ISAKMP:(1227):Node 1511581970, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
Dec  6 08:51:52.315: ISAKMP:(1227):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
Dec  6 08:51:52.315: ISAKMP:(1227):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Dec  6 08:51:52.315: ISAKMP:(1227):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
Dec  6 08:51:52.455: ISAKMP (1227): received packet from A.A.A.A dport 500 sport 500 Global (I) QM_IDLE
Dec  6 08:51:52.455: ISAKMP: set new node -1740216573 to QM_IDLE
Dec  6 08:51:52.455: ISAKMP:(1227): processing HASH payload. message ID = 2554750723
Dec  6 08:51:52.455: ISAKMP:(1227): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
        spi 0, message ID = 2554750723, sa = 0x2B78D574
Dec  6 08:51:52.455: ISAKMP:(1227):deleting node -1740216573 error FALSE reason "Informational (in) state 1"
Dec  6 08:51:52.455: ISAKMP:(1227):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Dec  6 08:51:52.455: ISAKMP:(1227):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
Dec  6 08:51:52.455: ISAKMP (1227): received packet from A.A.A.A dport 500 sport 500 Global (I) QM_IDLE
Dec  6 08:51:52.455: ISAKMP: set new node 1297146574 to QM_IDLE
Dec  6 08:51:52.455: ISAKMP:(1227): processing HASH payload. message ID = 1297146574
Dec  6 08:51:52.455: ISAKMP:(1227): processing DELETE payload. message ID = 1297146574
Dec  6 08:51:52.455: ISAKMP:(1227):peer does not do paranoid keepalives.
Dec  6 08:51:52.455: ISAKMP:(1227):deleting SA reason "No reason" state (I) QM_IDLE (peer A.A.A.A)
Dec  6 08:51:52.455: ISAKMP:(1227):deleting node 1297146574 error FALSE reason "Informational (in) state 1"
Dec  6 08:51:52.455: ISAKMP: set new node -1178304129 to QM_IDLE
Dec  6 08:51:52.455: ISAKMP:(1227): sending packet to A.A.A.A my_port 500 peer_port 500 (I) QM_IDLE
Dec  6 08:51:52.455: ISAKMP:(1227):Sending an IKE IPv4 Packet.
Dec  6 08:51:52.455: ISAKMP:(1227):purging node -1178304129
Dec  6 08:51:52.455: ISAKMP:(1227):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Dec  6 08:51:52.455: ISAKMP:(1227):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA
Dec  6 08:51:52.455: ISAKMP:(1227):deleting SA reason "No reason" state (I) QM_IDLE (peer A.A.A.A)
Dec  6 08:51:52.455: ISAKMP: Unlocking peer struct 0x2B79E8BC for isadb_mark_sa_deleted(), count 0
Dec  6 08:51:52.455: ISAKMP: Deleting peer node by peer_reap for A.A.A.A: 2B79E8BC
Dec  6 08:51:52.455: ISAKMP:(1227):deleting node 1511581970 error FALSE reason "IKE deleted"
Dec  6 08:51:52.455: ISAKMP:(1227):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Dec  6 08:51:52.455: ISAKMP:(1227):Old State = IKE_DEST_SA  New State = IKE_DEST_SA

Would appreciate any help you can provide.
Kind regards
Sidney Dsouza
Phase 2 does not complete, since there is no visible SPI value. In addition, according to your configuration transport mode is configured for phase 2; however, the debug displays tunnel mode.
Thus, as suggested earlier, to debug this further and find the root cause we need to match the Phase 2 configuration settings with the remote device.
Hope that helps.
Kind regards
Anuj
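As an added triage helper (not code from either thread and not a Cisco tool): a small Python parser that walks debug crypto isakmp output like the two captures above and flags the signature both posters hit, phase 1 reaching IKE_P1_COMPLETE and the peer then answering the Quick Mode proposal with PROPOSAL_NOT_CHOSEN. The sample lines are constructed and modelled on the captures (A.A.A.A is the poster's placeholder); the DOI protocol numbers (1 ISAKMP, 3 ESP) are the RFC 2407 values.

```python
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the debug lines quoted in the thread above;
# A.A.A.A is the placeholder the poster used, IDs are illustrative only.
SAMPLE_DEBUG = """\
Dec  6 08:51:52.315: ISAKMP:(1227):SA has been authenticated with A.A.A.A
Dec  6 08:51:52.315: ISAKMP:(1227):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
Dec  6 08:51:52.315: ISAKMP:(1227):beginning Quick Mode exchange, M-ID of 1511581970
Dec  6 08:51:52.455: ISAKMP:(1227): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
        spi 0, message ID = 2554750723, sa = 0x2B78D574
Dec  6 08:51:52.455: ISAKMP:(1227):deleting SA reason "No reason" state (I) QM_IDLE (peer A.A.A.A)
Dec  6 08:51:52.455: ISAKMP:(1227):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA
"""

# ISAKMP DOI protocol identifiers (RFC 2407) printed after PROPOSAL_NOT_CHOSEN.
DOI_PROTO = {1: "ISAKMP", 2: "AH", 3: "ESP", 4: "IPCOMP"}
STATE_RE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
NOTIFY_RE = re.compile(r"processing NOTIFY (\w+) protocol (\d+)")
DELETE_RE = re.compile(r'deleting SA reason "([^"]*)"')

@dataclass
class IkeTriage:
    phase1_complete: bool = False
    quick_mode_started: bool = False
    notifies: list = field(default_factory=list)     # (notify type, DOI protocol id)
    transitions: list = field(default_factory=list)  # (old state, new state)
    sa_deleted_reason: str = ""

    def verdict(self) -> str:
        rejected = [p for n, p in self.notifies if n == "PROPOSAL_NOT_CHOSEN"]
        if not self.phase1_complete:
            return "phase 1 never completed: compare ISAKMP policy and pre-shared key"
        if self.quick_mode_started and rejected:
            proto = DOI_PROTO.get(rejected[-1], f"protocol {rejected[-1]}")
            return (f"phase 1 complete, peer rejected the Quick Mode proposal ({proto}): "
                    "compare transform set, mode (tunnel/transport), PFS and proxy ACLs")
        if self.sa_deleted_reason:
            return f"SA torn down locally: {self.sa_deleted_reason}"
        return "no failure signature found"

def triage(debug_text: str) -> IkeTriage:
    t = IkeTriage()
    for line in debug_text.splitlines():
        if m := STATE_RE.search(line):          # state machine transitions
            t.transitions.append((m.group(1), m.group(2)))
            if m.group(2) == "IKE_P1_COMPLETE":
                t.phase1_complete = True
        if "beginning Quick Mode exchange" in line:
            t.quick_mode_started = True
        if m := NOTIFY_RE.search(line):         # peer's informational reply
            t.notifies.append((m.group(1), int(m.group(2))))
        if m := DELETE_RE.search(line):         # local teardown and its reason
            t.sa_deleted_reason = m.group(1)
    return t
```

Run it over a capture from a terminal session (the debug text in a file) to read off which phase to compare with the remote side; the Juniper thread's capture, with protocol 1 after a completed phase 1, produces the same Quick Mode verdict.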