RA-VPN and All SA proposals found unacceptable

Unanswered Question
Jan 8th, 2008

Hi all. I'm at a loss as to what I've done to screw up this RA VPN. I had it all configured and working properly, then made some changes via ASDM which seemed to muck everything up.


Anyone willing to take a look at this and see where I screwed up? I left all the config in, including the other tunnel-groups. The one I'm concerned with though is the ipsec-ra tunnel.


I appreciate it, thanks.


Jan 08 08:07:57 [IKEv1]: IP = 64.x.x.x, Connection landed on tunnel_group caleavpn

Jan 08 08:07:57 [IKEv1 DEBUG]: Group = caleavpn, IP = 64.x.x.x, processing IKE SA payload

Jan 08 08:07:57 [IKEv1]: IP = 64.x.x.x, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 596

Jan 08 08:07:57 [IKEv1 DEBUG]: Group = caleavpn, IP = 64.x.x.x, All SA proposals found unacceptable

Jan 08 08:07:57 [IKEv1]: IP = 64.x.x.x, All IKE SA proposals found unacceptable!

Jan 08 08:07:57 [IKEv1 DEBUG]: Group = caleavpn, IP = 64.x.x.x, IKE AM Responder FSM error history (struct &0x39f8c00) <state>, <event>: AM_DONE, EV_ERROR-->AM_BLD_MSG2, EV_PROCESS_SA-->AM_BLD_MSG2, EV_GROUP_LOOKUP-->AM_BLD_MSG2, EV_PROCESS_MSG-->AM_BLD_MSG2, EV_CREATE_TMR-->AM_START, EV_RCV_MSG-->AM_START, EV_START_AM-->AM_START, EV_START_AM

Jan 08 08:07:57 [IKEv1 DEBUG]: Group = caleavpn, IP = 64.x.x.x, IKE SA AM:1e56eabb terminating: flags 0x0100c001, refcnt 0, tuncnt 0

Jan 08 08:07:57 [IKEv1 DEBUG]: Group = caleavpn, IP = 64.x.x.x, sending delete/delete with reason message

Jan 08 08:07:57 [IKEv1]: Group = caleavpn, IP = 64.x.x.x, Removing peer from peer table failed, no match!

Jan 08 08:07:57 [IKEv1]: Group = caleavpn, IP = 64.x.x.x, Error: Unable to remove PeerTblEntry






dominic.caron Tue, 01/08/2008 - 08:54

Hi,


It's in your IKE config...


In ASDM, in Remote Access VPN/advanced/ipsec/Ike policies


If I remember correctly, the IPsec VPN client works with md5 and not sha



Please rate helpful post

whanson Wed, 01/09/2008 - 13:01

I don't believe the VPN client can support isakmp policy group 5. You need to add one with group 2. Too much CPU churning.
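
One way to triage debug output like the log in the question, as an added example that is not part of the original thread: the Python below counts rejected IKE phase 1 offers per tunnel group and peer, so a client whose proposals never match the configured IKE policies stands out. The sample log is constructed in the format posted above; the function name, group names and addresses are assumptions.

```python
import re

# Constructed sample in the format of the debug output posted in the question
# (documentation-range addresses and made-up group names).
SAMPLE = """\
Jan 08 08:07:57 [IKEv1]: IP = 192.0.2.10, Connection landed on tunnel_group ravpn
Jan 08 08:07:57 [IKEv1 DEBUG]: Group = ravpn, IP = 192.0.2.10, processing IKE SA payload
Jan 08 08:07:57 [IKEv1 DEBUG]: Group = ravpn, IP = 192.0.2.10, All SA proposals found unacceptable
Jan 08 08:07:57 [IKEv1]: IP = 192.0.2.10, All IKE SA proposals found unacceptable!
Jan 08 08:07:57 [IKEv1 DEBUG]: Group = ravpn, IP = 192.0.2.10, IKE AM Responder FSM error history (struct &0x0) <state>, <event>: AM_DONE, EV_ERROR
Jan 08 08:09:02 [IKEv1]: IP = 192.0.2.10, Connection landed on tunnel_group ravpn
Jan 08 08:09:02 [IKEv1]: IP = 192.0.2.10, All IKE SA proposals found unacceptable!
Jan 08 08:10:11 [IKEv1]: IP = 198.51.100.7, Connection landed on tunnel_group l2l
Jan 08 08:10:11 [IKEv1 DEBUG]: Group = l2l, IP = 198.51.100.7, processing IKE SA payload
"""

LINE = re.compile(
    r"^(?P<ts>\w{3} \d{2} [\d:]{8}) \[IKEv1(?: DEBUG)?\]: "
    r"(?:Group = (?P<group>[^,]+), )?IP = (?P<ip>[^,]+), (?P<msg>.*)$"
)
LANDED = re.compile(r"Connection landed on tunnel_group (\S+)")
# The log in the question shows the AM (aggressive mode) form; MM is main mode.
FSM = re.compile(r"IKE (AM|MM) Responder FSM error history")
MODES = {"AM": "aggressive", "MM": "main"}


def phase1_rejections(log_text):
    """Return {(group, peer): {"count", "mode", "first_seen"}} for rejected IKE SA offers."""
    group_for_peer = {}  # last tunnel group each peer landed on
    rejected = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank line or a format this sketch does not cover
        ip, msg = m["ip"], m["msg"]
        landed = LANDED.search(msg)
        if landed:
            group_for_peer[ip] = landed.group(1)
        # Some lines carry no "Group =" field; fall back to the landing line.
        key = (m["group"] or group_for_peer.get(ip, "<unknown>"), ip)
        # Count only the non-DEBUG message so one failed attempt is counted once.
        if msg.startswith("All IKE SA proposals found unacceptable"):
            rec = rejected.setdefault(key, {"count": 0, "mode": None, "first_seen": m["ts"]})
            rec["count"] += 1
        fsm = FSM.search(msg)
        if fsm and key in rejected:
            rejected[key]["mode"] = MODES[fsm.group(1)]
    return rejected
```
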
