VPN problem one way - help!

Unanswered Question
Jun 5th, 2008

Hi All,

I'm having problems with our VPN between a Cisco 2801 and a Fortigate. Basically we (2801) can't bring the tunnel up when we try to initiate a connection. We see send errors increase (and no traffic be encrypted or decrypted), and the following message is logged:

*Jun 5 09:14:55.715: %CRYPTO-6-IKMP_BAD_DOI_NOTIFY: DOI of 0 in notify message from x.x.x.x

We believe this is related to dead peer detection, which is not supported on the 2800 series, so the engineer deactivated DPD on the other end but there was no change.

2801#sh crypto ipsec sa peer x.x.x.x

interface: FastEthernet0/1
    Crypto map tag: rtp, local addr y.y.y.y

   protected vrf: (none)
   local ident (addr/mask/prot/port): (10.3.30.40/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
   current_peer x.x.x.x port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 133542, #pkts encrypt: 133542, #pkts digest: 133542
    #pkts decaps: 248476, #pkts decrypt: 248476, #pkts verify: 248476
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 79, #recv errors 0

     local crypto endpt.: y.y.y.y, remote crypto endpt.: x.x.x.x
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1
     current outbound spi: 0x0(0)

     inbound esp sas:
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
     outbound ah sas:
     outbound pcp sas:

2801#sh crypto isakmp sa

dst             src             state          conn-id slot status
x.x.x.x         y.y.y.y         MM_NO_STATE          1    0 ACTIVE (deleted)

Interesting traffic being matched:

Extended IP access list 103
    10 permit ip host 10.3.30.40 10.10.10.0 0.0.0.255 (382097 matches)

Here's the config on our side:

crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 5
 lifetime 28800
crypto isakmp key aaa address x.x.x.x

crypto ipsec transform-set rtpset3dessha esp-3des esp-sha-hmac

crypto map rtp 5 ipsec-isakmp
 description ### AG
 set peer x.x.x.x
 set security-association lifetime seconds 1800
 set transform-set rtpset3dessha
 match address 103

access-list 103 remark AG interesting traffic
access-list 103 permit ip host 10.3.30.40 10.10.10.0 0.0.0.255

ip nat inside source route-map nonat interface FastEthernet0/1 overload
access-list 101 deny ip 10.3.0.0 0.0.255.255 10.10.10.0 0.0.0.255
route-map nonat permit 10
 match ip address 101

Does anyone have any idea where I'm going wrong? Any help would be much appreciated.

Many thanks,

J

Also forgot to mention that when the tunnel is initiated from their end we can route traffic normally and access servers their end.

jigsaw2026 Thu, 06/05/2008 - 05:39

For anyone interested, this was fixed by a DH group mismatch on phase 2
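Added example (not code from the thread): a small Python check that parses the 2801's phase-2 settings from the config posted above and compares them with a summary of the peer's phase-2 proposal, so a PFS/DH-group disagreement like the one that caused this tunnel failure shows up before anyone reads debug output. `PEER_PHASE2` is a constructed, hypothetical stand-in for the Fortigate side; its values are assumed, not taken from the thread.

```python
import re

# Constructed excerpt of the 2801 crypto config from the post (note: no "set pfs" under the map).
CISCO_CFG = """\
crypto ipsec transform-set rtpset3dessha esp-3des esp-sha-hmac
crypto map rtp 5 ipsec-isakmp
 set peer x.x.x.x
 set security-association lifetime seconds 1800
 set transform-set rtpset3dessha
 match address 103
"""

# Hypothetical summary of the peer's phase-2 proposal: same ciphers, but PFS with DH group 5.
PEER_PHASE2 = {"encr": "3des", "hash": "sha", "pfs_group": 5, "lifetime": 1800}


def parse_cisco_phase2(cfg: str) -> dict:
    """Extract phase-2 (IPsec) parameters from a Cisco transform-set + crypto map."""
    params = {"encr": None, "hash": None, "pfs_group": None, "lifetime": 3600}  # IOS default lifetime
    transform_sets = {}
    for line in cfg.splitlines():
        line = line.strip()
        m = re.match(r"crypto ipsec transform-set (\S+) (.*)", line)
        if m:
            transform_sets[m.group(1)] = m.group(2).split()
        elif line.startswith("set transform-set "):
            for tok in transform_sets.get(line.split()[-1], []):
                if tok.startswith("esp-") and tok.endswith("-hmac"):
                    params["hash"] = tok[4:-5]          # esp-sha-hmac -> sha
                elif tok.startswith("esp-"):
                    params["encr"] = tok[4:]            # esp-3des -> 3des
        elif line.startswith("set pfs "):
            params["pfs_group"] = int(line.split()[-1].replace("group", ""))
        elif line.startswith("set security-association lifetime seconds "):
            params["lifetime"] = int(line.split()[-1])
    return params


def phase2_mismatches(local: dict, peer: dict) -> list:
    """Return the phase-2 attributes on which the two proposals disagree."""
    return [f"{k}: local={local.get(k)} peer={peer[k]}" for k in peer if local.get(k) != peer[k]]


if __name__ == "__main__":
    for problem in phase2_mismatches(parse_cisco_phase2(CISCO_CFG), PEER_PHASE2):
        print("phase-2 mismatch ->", problem)
```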
