Debug output for Tunnel failure

Unanswered Question
Jan 30th, 2007

What does it mean when the debug output shows "retransmitting Config Mode request"? I am trying to decipher the following message from a client's PIX 501 Firewall. I have been running "debug ipsec sa" and "debug isa sa" on the PIX as I attempt to build a site to site tunnel to a remote location.

What does the attached output mean to me?

return status is IKMP_NO_ERROR

crypto_isakmp_process_block:src:74.93.118.41, dest:70.89.234.69 spt:500 dpt:500

OAK_MM exchange

ISAKMP (0): processing ID payload. message ID = 0

ISAKMP (0): processing HASH payload. message ID = 0

ISAKMP (0): SA has been authenticated

ISAKMP: Created a peer struct for 74.93.118.41, peer port 62465

ISAKMP (0): ID payload

next-payload : 8

type : 1

protocol : 17

port : 500

length : 8

ISAKMP (0): Total payload length: 12

return status is IKMP_NO_ERROR

ISAKMP (0): sending INITIAL_CONTACT notify

ISAKMP (0): sending NOTIFY message 24578 protocol 1

VPN Peer: ISAKMP: Added new peer: ip:74.93.118.41/500 Total VPN Peers:2

VPN Peer: ISAKMP: Peer ip:74.93.118.41/500 Ref cnt incremented to:1 Total VPN P

ers:2

crypto_isakmp_process_block:src:74.93.118.41, dest:70.89.234.69 spt:500 dpt:500

OAK_QM exchange

ISAKMP (0:0): Need config/address

ISAKMP (0:0): initiating peer config to 74.93.118.41. ID = 1019677185 (0x3cc70a

1)

return status is IKMP_NO_ERROR

ISAKMP (0): retransmitting Config Mode Request...

ISAKMP (0): retransmitting Config Mode Request...

crypto_isakmp_process_block:src:74.93.118.41, dest:70.89.234.69 spt:500 dpt:500

ISAKMP: phase 2 packet is a duplicate of a previous packet

ISAKMP: resending last response

ISAKMP (0): retransmitting Config Mode Request...

ISAKMP (0): retransmitting Config Mode Request...

ISAKMP (0): retransmitting Config Mode Request...

ISAKMP (0): retransmitting Config Mode Request...

ISAKMP (0): retransmitting Config Mode Request...

ISAKMP (0): retransmitting Config Mode Request...

ISAKMP (0): retransmitting Config Mode Request...

ISAKMP (0): retransmitting Config Mode Request...

crypto_isakmp_process_block:src:74.93.118.41, dest:70.89.234.69 spt:500 dpt:500

Andy Robinson Tue, 01/30/2007 - 08:35

It might be caused by IKE mode config if you have remote access VPN connections on the same PIX. It might be worth adding "no-xauth no-config-mode" to the end of the isakmp key for the site-to-site tunnel to disable extended authentication and IKE mode config for that particular connection.
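
Added example, not part of the original thread or any Cisco tooling: a small Python triage over the debug output in the question that flags the pattern discussed here, where Phase 1 authenticates, the PIX initiates mode config toward the peer, and then only retransmits the Config Mode Request. The function name, result keys and retransmit threshold are assumptions; the sample lines are copied from the post.

```python
import re

# Sample lines copied from the debug output in the question above.
SAMPLE = """\
crypto_isakmp_process_block:src:74.93.118.41, dest:70.89.234.69 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): SA has been authenticated
crypto_isakmp_process_block:src:74.93.118.41, dest:70.89.234.69 spt:500 dpt:500
OAK_QM exchange
ISAKMP (0:0): Need config/address
ISAKMP (0:0): initiating peer config to 74.93.118.41. ID = 1019677185 (0x3cc70a
1)
ISAKMP (0): retransmitting Config Mode Request...
ISAKMP (0): retransmitting Config Mode Request...
ISAKMP: phase 2 packet is a duplicate of a previous packet
ISAKMP (0): retransmitting Config Mode Request...
"""

PEER_CFG = re.compile(r"initiating peer config to (\d{1,3}(?:\.\d{1,3}){3})")

def triage(debug_text, retransmit_threshold=3):
    """Summarise a PIX ISAKMP debug capture (hypothetical helper).

    Flags a stalled mode-config exchange: Phase 1 is authenticated, the PIX
    starts mode config toward a peer, and the request is retransmitted at
    least `retransmit_threshold` times (threshold is an assumed value).
    """
    result = {"phase1_authenticated": False, "config_peers": [],
              "retransmits": 0, "qm_duplicates": 0}
    for raw in debug_text.splitlines():
        line = raw.strip()
        if "SA has been authenticated" in line:
            result["phase1_authenticated"] = True
        match = PEER_CFG.search(line)
        if match and match.group(1) not in result["config_peers"]:
            result["config_peers"].append(match.group(1))
        if "retransmitting config mode request" in line.lower():
            result["retransmits"] += 1
        if "phase 2 packet is a duplicate" in line:
            result["qm_duplicates"] += 1
    # Stalled: Phase 1 up, mode config initiated, request retransmitted repeatedly.
    result["stalled_mode_config"] = bool(
        result["phase1_authenticated"] and result["config_peers"]
        and result["retransmits"] >= retransmit_threshold)
    return result

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A peer listed in `config_peers` that is meant to be a site-to-site endpoint is the one whose isakmp key the answer above suggests changing.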
