Ipses not established between Pix6.3 and 2611(12.4) - Cisco Community

392

Views

0

Helpful

2

Replies

Hi. I want to create a ipsec vpn between 2611 and pix ( pix is not on my side ). I have this configuration on 2611.

crypto isakmp policy 10

encr aes 256

authentication pre-share

group 2

crypto isakmp key xxxxxxxxxx address y.y.y.y

!

!

crypto ipsec transform-set ESP-AES-256 esp-aes 256 esp-sha-hmac

!

crypto map First2 10 ipsec-isakmp

set peer y.y.y.y

set transform-set ESP-AES-256

match address 101

!

!

!

interface FastEthernet0/0

description $xxxxxxxxxx$

ip address z.z.z.z

no ip redirects

no ip unreachables

no ip proxy-arp

no ip route-cache cef

no ip route-cache

duplex auto

speed auto

no cdp enable

crypto map First2

But the ipsec is stacked and i get this debug.

*Jul 17 19:34:14.953: ISAKMP:(0:204:SW:1):purging node -23803899

*Jul 17 19:34:14.953: ISAKMP:(0:204:SW:1):purging node -1819979460

*Jul 17 19:34:15.966: ISAKMP:(0:205:SW:1): retransmitting phase 1 MM_KEY_EXCH...

*Jul 17 19:34:15.966: ISAKMP:(0:205:SW:1):incrementing error counter on sa: retransmit phase 1

*Jul 17 19:34:15.966: ISAKMP:(0:205:SW:1): retransmitting phase 1 MM_KEY_EXCH

*Jul 17 19:34:15.966: ISAKMP:(0:205:SW:1): sending packet to y.y.y.y my_port 500 peer_port 500 (I) MM_KEY_EXCH

*Jul 17 19:34:24.957: ISAKMP:(0:204:SW:1):purging SA., sa=8299AE80, delme=8299AE80

*Jul 17 19:34:24.957: IPSEC(key_engine): request timer fired: count = 2,

(identity) local= x.x.x.x, remote= y.y.y.y,

local_proxy= 192.168.5.23/255.255.255.255/0/0 (type=1),

remote_proxy= 192.168.5.22/255.255.255.255/0/0 (type=1)

*Jul 17 19:34:24.961: ISAKMP: received ke message (3/1)

*Jul 17 19:34:24.961: ISAKMP:(0:205:SW:1):peer does not do paranoid keepalives.

*Jul 17 19:34:24.965: ISAKMP:(0:205:SW:1):deleting SA reason "P1 delete notify (in)" state (I) MM_KEY_EXCH (peer y.y.y.y)

*Jul 17 19:34:24.965: ISAKMP:(0:205:SW:1):deleting SA reason "P1 delete notify (in)" state (I) MM_KEY_EXCH (peer y.y.y.y)

*Jul 17 19:34:24.969: ISAKMP: Unlocking IKE struct 0x8299C0A4 for isadb_mark_sa_deleted(), count 0

*Jul 17 19:34:24.969: ISAKMP: Deleting peer node by peer_reap for y.y.y.y: 8299C0A4

*Jul 17 19:34:24.969: ISAKMP:(0:205:SW:1):deleting node 1414074541 error FALSE reason "IKE deleted"

*Jul 17 19:34:24.969: ISAKMP:(0:205:SW:1):deleting node -1895397965 error FALSE reason "IKE deleted"

*Jul 17 19:34:24.969: ISAKMP:(0:205:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL

*Jul 17 19:34:24.973: ISAKMP:(0:205:SW:1):Old State = IKE_I_MM5 New State = IKE_DEST_SA

*Jul 17 19:34:24.973: IPSEC(key_engine): got a queue event with 1 kei messages

*Jul 17 19:34:34.958: IPSEC(sa_request): ,

(key eng. msg.) OUTBOUND local= x.x.x.x, remote= y.y.y.y,

local_proxy= 192.168.5.23/255.255.255.255/0/0 (type=1),

remote_proxy= 192.168.5.22/255.255.255.255/0/0 (type=1),

protocol= ESP, transform= esp-aes 256 esp-sha-hmac (Tunnel),

lifedur= 3600s and 4608000kb,

spi= 0x470577EF(1191540719), conn_id= 0, keysize= 256, flags= 0x400A

*Jul 17 19:34:34.962: ISAKMP: received ke message (1/1)

*Jul 17 19:34:34.962: ISAKMP:(0:0:N/A:0): SA request profile is (NULL)

*Jul 17 19:34:34.962: ISAKMP: Created a peer struct for y.y.y.y, peer port 500

*Jul 17 19:34:34.966: ISAKMP: New peer created peer = 0x8299C0A4 peer_handle = 0x800006A6

*Jul 17 19:34:34.966: ISAKMP: Locking peer struct 0x8299C0A4, IKE refcount 1 for isakmp_initiator

11 KB

2 Replies 2

This message indicates that IOS is trying to delete dangling IPSEC sa when receiving delete for IKE sa. This should only happen if keepalives is configured. verify your configuration.

Looks like isakmp keepalives do not match at the both ends. You have default and may be at the other end they have configured a different value.

Learn, share, save

Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.

New here? Get started with these tips. How to use Community New member guide

Log in to Community

Review Cisco Networking products for a $25 gift card