RA-VPN and All SA proposals found unacceptable

Unanswered Question
Jan 8th, 2008

Hi all. I'm at a loss of what I've done to screw up this RA VPN. I had it all configured and working properly, then made some changes via ASDM which seemed to muck everything up.

Anyone willing to take a look at this and see where I screwed up? I left all the config in, including the other tunnel-groups. The one I'm concerned with though is the ipsec-ra tunnel.

I appreciate it, thanks.

Jan 08 08:07:57 [IKEv1]: IP = 64.x.x.x, Connection landed on tunnel_group caleavpn

Jan 08 08:07:57 [IKEv1 DEBUG]: Group = caleavpn, IP = 64.x.x.x, processing IKE SA payload

Jan 08 08:07:57 [IKEv1]: IP = 64.x.x.x, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 596

Jan 08 08:07:57 [IKEv1 DEBUG]: Group = caleavpn, IP = 64.x.x.x, All SA proposals found unacceptable

Jan 08 08:07:57 [IKEv1]: IP = 64.x.x.x, All IKE SA proposals found unacceptable!

Jan 08 08:07:57 [IKEv1 DEBUG]: Group = caleavpn, IP = 64.x.x.x, IKE AM Responder FSM error history (struct &0x39f8c00) <state>, <event>: AM_DONE, EV_ERROR-->AM_BLD_MSG2, EV_PROCESS_SA-->AM_BLD_MSG2, EV_GROUP_LOOKUP-->AM_BLD_MSG2, EV_PROCESS_MSG-->AM_BLD_MSG2, EV_CREATE_TMR-->AM_START, EV_RCV_MSG-->AM_START, EV_START_AM-->AM_START, EV_START_AM

Jan 08 08:07:57 [IKEv1 DEBUG]: Group = caleavpn, IP = 64.x.x.x, IKE SA AM:1e56eabb terminating: flags 0x0100c001, refcnt 0, tuncnt 0

Jan 08 08:07:57 [IKEv1 DEBUG]: Group = caleavpn, IP = 64.x.x.x, sending delete/delete with reason message

Jan 08 08:07:57 [IKEv1]: Group = caleavpn, IP = 64.x.x.x, Removing peer from peer table failed, no match!

Jan 08 08:07:57 [IKEv1]: Group = caleavpn, IP = 64.x.x.x, Error: Unable to remove PeerTblEntry

Attachment: 
I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
dominic.caron Tue, 01/08/2008 - 08:54

Hi,

It's in your IKE config...

In asdm, in Remote Access VPN/advanced/ipsec/Ike policies

If I remember correctly, the IPsec vpn client work with md5 and not sha

Please rate helpful post

whanson Wed, 01/09/2008 - 13:01

I don't believe the vpn client can support isakmp policy group 5. You need to add one with group 2. too much cpu churning

Actions

This Discussion