Debugging the IKE Phase 1 of a VPN

whiteford
Level 1

Hi,

I have an ASA and my syslog server keeps saying a VPN is failing as there is no match!

I have set up many before but this just won't connect. How do I view more detailed crypto logs?

Any commands would be most welcome.

Thanks

5 Replies

Collin Clark
VIP Alumni

Patrick0711
Level 3

debug crypto isak 254

Will show you the IKE negotiation per the RFC. If you'd like, you can post the debugs here and I'll be happy to tell you what the problem is.

Hi Patrick

Can you help me with this? There is no mismatch on both sides, as confirmed. This has been working for a long time, then suddenly the phase 1 tunnel is not coming up.


Mar 05 02:38:05 [IKEv1 DEBUG]: IP = 3.3.3.3, constructing ISAKMP SA payload
Mar 05 02:38:05 [IKEv1 DEBUG]: IP = 3.3.3.3, constructing Fragmentation VID + extended capabilities payload
Mar 05 02:38:05 [IKEv1]: IP = 3.3.3.3, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 480
Mar 05 02:38:05 [IKEv1]: IP = 3.3.3.3, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 112
Mar 05 02:38:05 [IKEv1 DEBUG]: IP = 3.3.3.3, processing SA payload
Mar 05 02:38:05 [IKEv1 DEBUG]: IP = 3.3.3.3, Oakley proposal is acceptable
Mar 05 02:38:05 [IKEv1 DEBUG]: IP = 3.3.3.3, processing VID payload
Mar 05 02:38:05 [IKEv1 DEBUG]: IP = 3.3.3.3, Received Fragmentation VID
Mar 05 02:38:05 [IKEv1 DEBUG]: IP = 3.3.3.3, IKE Peer included IKE fragmentation capability flags: Main Mode: True Aggressive Mode: True
Mar 05 02:38:05 [IKEv1]: IP = 3.3.3.3, Unable to compute DH pair while processing SA!
Mar 05 02:38:05 [IKEv1 DEBUG]: IP = 3.3.3.3, IKE MM Initiator FSM error history (struct &0xda2f5740) <state>, <event>: MM_DONE, EV_ERROR-->MM_BLD_MSG3, EV_GEN_DH_KEY-->MM_WAIT_MSG2, EV_PROCESS_MSG-->MM_WAIT_MSG2, EV_RCV_MSG-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_BLD_MSG1, EV_BLD_MSG1
Mar 05 02:38:05 [IKEv1 DEBUG]: IP = 3.3.3.3, IKE SA MM:15c72516 terminating: flags 0x01000022, refcnt 0, tuncnt 0
Mar 05 02:38:05 [IKEv1 DEBUG]: IP = 3.3.3.3, sending delete/delete with reason message
Mar 05 02:38:08 [IKEv1]: IP = 3.3.3.3, Invalid packet detected!
Additional Information:

Paste the output for "show run crypto ikev1" or "show run crypto isakmp".

Error message of relevance is:

Mar 05 02:38:05 [IKEv1]: IP = 3.3.3.3, Unable to compute DH pair while processing SA!

The ASA does not seem to like the DH group setting in the IKE negotiations. Try different combinations and see which works for you.
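
Added example, not part of any post in this thread: a short Python triage of the debug output posted above. It collects the non-DEBUG [IKEv1] messages and puts the FSM error history into chronological order (the log prints it newest first, judging by the state names) to show the last transition before EV_ERROR. The function names are hypothetical, and treating every non-DEBUG, non-IKE_DECODE line as an error candidate is an assumption of this sketch.

```python
import re

# Debug lines copied from the output posted in this thread (subset).
SAMPLE = """\
Mar 05 02:38:05 [IKEv1]: IP = 3.3.3.3, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 480
Mar 05 02:38:05 [IKEv1 DEBUG]: IP = 3.3.3.3, Oakley proposal is acceptable
Mar 05 02:38:05 [IKEv1]: IP = 3.3.3.3, Unable to compute DH pair while processing SA!
Mar 05 02:38:05 [IKEv1 DEBUG]: IP = 3.3.3.3, IKE MM Initiator FSM error history (struct &0xda2f5740) <state>, <event>: MM_DONE, EV_ERROR-->MM_BLD_MSG3, EV_GEN_DH_KEY-->MM_WAIT_MSG2, EV_PROCESS_MSG-->MM_WAIT_MSG2, EV_RCV_MSG-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_BLD_MSG1, EV_BLD_MSG1
Mar 05 02:38:08 [IKEv1]: IP = 3.3.3.3, Invalid packet detected!
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} [\d:]{8}) \[(?P<tag>IKEv1(?: DEBUG)?)\]: "
    r"IP = (?P<peer>[\d.]+), (?P<msg>.*)$"
)
FSM_RE = re.compile(r"FSM error history .*?<state>, <event>:\s*(?P<hist>.*)$")


def parse_fsm_history(msg):
    """Return [(state, event), ...] oldest first, or [] if msg has no history."""
    m = FSM_RE.search(msg)
    if not m:
        return []
    steps = [tuple(p.strip() for p in s.split(",", 1))
             for s in m.group("hist").split("-->")]
    return list(reversed(steps))  # the log lists the newest transition first


def triage(lines):
    """Summarise one peer's Phase 1 attempt from ASA IKEv1 debug lines."""
    report = {"peer": None, "errors": [], "history": [], "failed_at": None}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not an IKEv1 debug line
        report["peer"] = m["peer"]
        history = parse_fsm_history(m["msg"])
        if history:
            report["history"] = history
            idx = next((i for i, (_, ev) in enumerate(history)
                        if ev == "EV_ERROR"), None)
            if idx:  # the step just before EV_ERROR is where it broke
                report["failed_at"] = history[idx - 1]
        elif m["tag"] == "IKEv1" and not m["msg"].startswith("IKE_DECODE"):
            report["errors"].append(m["msg"])  # assumption: error candidate
    return report


if __name__ == "__main__":
    print(triage(SAMPLE))
```

On the posted log this reports the failure at state MM_BLD_MSG3 on event EV_GEN_DH_KEY, which lines up with the "Unable to compute DH pair" message quoted in the reply above.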

 

Dennis Mink
VIP Alumni

debug crypto isakmp and debug cry ipsec are most common. Has this VPN ever worked from your end?

I would start with that.

Please remember to rate useful posts, by clicking on the stars below.
