Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
673
Views
5
Helpful
2
Replies

VPN problem one way - help!

jigsaw2026
Level 1
Level 1

‎06-05-2008 01:12 AM - edited ‎02-21-2020 03:45 PM

Hi All,

I'm having problems with our VPN between a Cisco 2801 and a Fortigate. Basically we (2801) can't bring the tunnel up when we try to initiate a connection. We see send errors increase (and no traffic be encrypted or decrypted), and the following message is logged:

*Jun 5 09:14:55.715: %CRYPTO-6-IKMP_BAD_DOI_NOTIFY: DOI of 0 in notify message from x.x.x.x

We believe this is related to dead peer protection, which is not support on the 2800 series, so the engineer deactivated DPD on the other end but there was no change.

2801#sh crypto ipsec sa peer x.x.x.x

interface: FastEthernet0/1

Crypto map tag: rtp, local addr y.y.y.y

protected vrf: (none)

local ident (addr/mask/prot/port): (10.3.30.40/255.255.255.255/0/0)

remote ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)

current_peer x.x.x.x port 500

PERMIT, flags={origin_is_acl,}

#pkts encaps: 133542, #pkts encrypt: 133542, #pkts digest: 133542

#pkts decaps: 248476, #pkts decrypt: 248476, #pkts verify: 248476

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0

#pkts not decompressed: 0, #pkts decompress failed: 0

#send errors 79, #recv errors 0

local crypto endpt.: y.y.y.y, remote crypto endpt.: x.x.x.x

path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1

current outbound spi: 0x0(0)

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

2801#sh crypto isakmp sa

dst src state conn-id slot status

x.x.x.x y.y.y.y MM_NO_STATE 1 0 ACTIVE (deleted)

Interesting traffic being matched:

Extended IP access list 103

10 permit ip host 10.3.30.40 10.10.10.0 0.0.0.255 (382097 matches)

Here's the config our side:

crypto isakmp policy 10

encr 3des

hash md5

authentication pre-share

group 5

lifetime 28800

crypto isakmp key aaa address x.x.x.x

crypto ipsec transform-set rtpset3dessha esp-3des esp-sha-hmac

crypto map rtp 5 ipsec-isakmp

description ### AG

set peer x.x.x.x

set security-association lifetime seconds 1800

set transform-set rtpset3dessha

match address 103

access-list 103 remark AG interesting traffic

access-list 103 permit ip host 10.3.30.40 10.10.10.0 0.0.0.255

ip nat inside source route-map nonat interface FastEthernet0/1 overload

access-list 101 deny ip 10.3.0.0 0.0.255.255 10.10.10.0 0.0.0.255

route-map nonat permit 10

match ip address 101

Does anyone have any idea where I'm going wrong??? Any help would be much appreciated.

Many thanks,

J

Also forgot to mention that when the tunnel is initiated from their end we can route traffic normally and access servers their end.

Labels:
0 Helpful
2 Replies 2

jigsaw2026
Level 1
Level 1

‎06-05-2008 05:39 AM

For anyone interested, this was fixed by a DH group mismatch on phase 2

Farrukh Haroon
VIP Alumni
VIP Alumni
In response to jigsaw2026

‎06-05-2008 06:18 AM

Thank you for sharing the solution with everybody :)

Regards

Farrukh

0 Helpful
Customers Also Viewed These Support Documents