Ipsec not working after password recovery

Unanswered Question
May 20th, 2010

Hello,


I have used the password recovery procedure on a Cisco 831, with success (password changed), however the ipsec vpn is not working anymore.


I have the following message: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer xxx


I haven't modified the configuration during the process (apart from shutdown / no shutdown on interfaces).


Any hint?


Thanks.

Jennifer Halim Thu, 05/20/2010 - 14:30
Cisco Employee

Please try to clear the SA on both sides of the tunnels:

- clear cry isa

- clear cry ipsec


Try to establish the VPN tunnel again, and if it still doesn't work, you might want to grab the debug output to further investigate the issue:

- debug cry isa

- debug cry ipsec


Hope that helps.

telo.erttoi Fri, 05/21/2010 - 01:18

I've tried to clear on both sides, still not working, here is the debug


debug ipsec :


IPSEC(validate_transform_proposal): invalid local address xxx


debug isakmp :


ISAKMP (0:4): IPSec policy invalidated proposal
00:22:14: ISAKMP (0:4): phase 2 SA policy not acceptable! (local xxx remote xxx)

Marcin Latosiewicz Fri, 05/21/2010 - 02:17
Cisco Employee

Can we see configs from both sides for crypto?


Who's initiating the tunnel?


Looks to me like PFS/ transform set mismatch, obviously :-)

telo.erttoi Fri, 05/21/2010 - 02:32

crypto on site A :


crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
lifetime 3600
crypto isakmp key ***** address ipsiteC
crypto isakmp key ***** address ipsiteB
!
!
crypto ipsec transform-set default-ts esp-3des esp-sha-hmac
!
crypto map sites-distants local-address Loopback0
crypto map sites-distants 1 ipsec-isakmp
set peer ipsiteC
set security-association lifetime kilobytes 1000000
set transform-set default-ts
set pfs group1
match address traffic-tarare-comcom
crypto map sites-distants 2 ipsec-isakmp
set peer ipsiteB
set security-association lifetime kilobytes 1000000
set transform-set default-ts
set pfs group1
match address traffic-siteA-siteB



crypto on site B (the one that displays error messages):


crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
lifetime 3600
crypto isakmp key 0 ***** address ipsiteA
!
!
crypto ipsec transform-set default-ts esp-3des esp-sha-hmac
!
crypto map sites-distants 1 ipsec-isakmp
set peer ipsiteA
set security-association lifetime kilobytes 1000000
set transform-set default-ts
set pfs group1
match address traffic-siteB-siteA



I'm not sure which one initiates the tunnel; I haven't modified the crypto and it was working before.

Marcin Latosiewicz Fri, 05/21/2010 - 02:38
Cisco Employee

Christian,


What are the versions?


I very much doubt that password recovery was the trigger, but just in case did you put the config register back the way it was?


Can you also attach full debugs from both sides at the same time? (IP addresses changed/omitted if needed.)


Marcin

telo.erttoi Fri, 05/21/2010 - 02:53

I put the conf register to 0x2102, not sure it was this way before


I'll provide you full conf and debug soon; how can I show you the debug more easily than copy/paste?

Marcin Latosiewicz Fri, 05/21/2010 - 02:57
Cisco Employee

The way we do it is we enable logging of the PuTTY/SecureCRT session to a file and enable debugs.


(you might need to do "debug crypto condition peer ipv4 $IP_ADDRESS_OF_OTHER_SIDE")


Marcin

telo.erttoi Fri, 05/21/2010 - 05:49

Here is what I've got after debug on ipsec and isakmp; only site B (the one that has trouble) is displaying something, site A doesn't display anything after debug.


I hope this will help

Marcin Latosiewicz Fri, 05/21/2010 - 06:51
Cisco Employee

00:23:48: ISAKMP (0:2): atts are acceptable.
00:23:48: ISAKMP (0:2): IPSec policy invalidated proposal
00:23:48: ISAKMP (0:2): phase 2 SA policy not acceptable! (local ipsiteB remote ipsiteA)


This is interesting. Normally there should be an ipsec error thrown, but you collected isakmp and ipsec debugs separately and from one side only, so it's hard to judge :-)


Can I suggest this procedure:

1. Remove and add crypto map.

2. Reload.

3. Upgrade to latest image in your current train.

(Break at any point if the situation is resolved :-] )

Unless you're using an isakmp profile or specifying local-address somewhere that is out of whack.


Helpful outputs:

--------

sh run | s crypto

sh crypto map

--------


One maybe useful debug:

--------

debug crypto kmi

-------

Marcin Latosiewicz Tue, 05/25/2010 - 03:48
Cisco Employee

00:33:45: ISAKMP (0:14): atts are acceptable.
00:33:45: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 172.22.44.1, remote= 172.22.255.247,
    local_proxy= 172.22.44.16/255.255.255.240/0/0 (type=4),
    remote_proxy= 126.71.0.0/255.255.0.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-sha-hmac ,
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x12
00:33:45: IPSEC(validate_transform_proposal): invalid local address 172.22.44.1
00:33:45: ISAKMP (0:14): IPSec policy invalidated proposal
00:33:45: ISAKMP (0:14): phase 2 SA policy not acceptable! (local 172.22.44.1 remote 172.22.255.247)



Many possibilities :-)


Hard to say without knowing the exact configs - could also be a bug. What's the version?
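The thread leaves the root cause open, but the two checks the replies converge on (compare the transform set / PFS in both crypto maps, and look at which local address the IPsec proposal was validated against) can be automated. The script below is an added example, not code from the thread or from Cisco; it parses site B's crypto section exactly as posted above and the `debug crypto ipsec` / `debug crypto isakmp` excerpt from the last post, then reports whether the offered transform matches a configured transform-set and whether the negotiated local address is one the router actually owns. The `OWNED_ADDRESSES` set is a constructed assumption standing in for what `show ip interface brief` would list; the peer names `ipsiteA`/`ipsiteB` are the placeholders the poster used.

```python
"""Triage a failed IOS IPsec phase 2 negotiation from debug output plus the
crypto section of the running config. Added example; not from the thread."""
import re

# Site B's crypto section as posted in the thread (peer names are the poster's
# placeholders, the pre-shared key is masked).
SITE_B_CONFIG = """\
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key 0 ***** address ipsiteA
crypto ipsec transform-set default-ts esp-3des esp-sha-hmac
crypto map sites-distants 1 ipsec-isakmp
 set peer ipsiteA
 set security-association lifetime kilobytes 1000000
 set transform-set default-ts
 set pfs group1
 match address traffic-siteB-siteA
"""

# Debug excerpt from the last post (site B side).
DEBUG = """\
00:33:45: ISAKMP (0:14): atts are acceptable.
00:33:45: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 172.22.44.1, remote= 172.22.255.247,
    local_proxy= 172.22.44.16/255.255.255.240/0/0 (type=4),
    remote_proxy= 126.71.0.0/255.255.0.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-sha-hmac ,
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x12
00:33:45: IPSEC(validate_transform_proposal): invalid local address 172.22.44.1
00:33:45: ISAKMP (0:14): IPSec policy invalidated proposal
00:33:45: ISAKMP (0:14): phase 2 SA policy not acceptable! (local 172.22.44.1 remote 172.22.255.247)
"""

# Constructed assumption: addresses this router owns on the interface(s) that
# carry the crypto map (what 'show ip interface brief' would list).
OWNED_ADDRESSES = {"172.22.44.17", "10.0.0.1"}


def parse_crypto_map(config):
    """Extract transform-sets, an optional 'local-address', and crypto map
    entries (peer / transform-set / pfs / acl) from IOS config text."""
    out = {"local_address": None, "transform_sets": {}, "entries": {}}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"crypto ipsec transform-set (\S+) (.+)", line)
        if m:
            out["transform_sets"][m.group(1)] = m.group(2).split()
            continue
        m = re.match(r"crypto map \S+ local-address (\S+)", line)
        if m:
            out["local_address"] = m.group(1)
            continue
        m = re.match(r"crypto map \S+ (\d+) ipsec-isakmp", line)
        if m:
            current = out["entries"].setdefault(int(m.group(1)), {})
            continue
        if current is not None and line.startswith("set peer "):
            current["peer"] = line.split()[2]
        elif current is not None and line.startswith("set transform-set "):
            current["transform_set"] = line.split()[2]
        elif current is not None and line.startswith("set pfs "):
            current["pfs"] = line.split()[2]
        elif current is not None and line.startswith("match address "):
            current["acl"] = line.split()[2]
        elif line.startswith("crypto "):
            current = None  # left the crypto map entry
    return out


def parse_proposal(debug):
    """Pull the proposal fields out of the multi-line 'key eng. msg.' block and
    the reason IPsec gave for rejecting it, if any."""
    text = " ".join(debug.split())  # fold the indented continuation lines

    def field(name):
        m = re.search(re.escape(name) + r"= ([^ ,]+)", text)
        return m.group(1) if m else None

    transform = re.search(r"transform= (.*?) ,", text)
    reason = None
    for line in debug.splitlines():
        m = re.search(r"IPSEC\(validate_transform_proposal\): (.+)", line)
        if m:
            reason = m.group(1).strip()
    return {"local": field("local"), "remote": field("remote"),
            "local_proxy": field("local_proxy"),
            "remote_proxy": field("remote_proxy"),
            "transform": transform.group(1).split() if transform else [],
            "reason": reason}


def diagnose(proposal, crypto, owned_addresses):
    """Return (check, ok, detail) findings for the two checks the thread
    suggests: local address ownership and transform-set agreement."""
    findings = []
    local_ok = proposal["local"] in owned_addresses
    findings.append(("local address", local_ok,
                     f"{proposal['local']} is{'' if local_ok else ' NOT'} an address this router owns"))
    offered = set(proposal["transform"])
    matching = [n for n, algs in crypto["transform_sets"].items() if set(algs) == offered]
    findings.append(("transform set", bool(matching),
                     f"offered {' '.join(sorted(offered))}; matching sets: {matching or 'none'}"))
    if proposal["reason"]:
        findings.append(("ipsec reason", False, proposal["reason"]))
    return findings


if __name__ == "__main__":
    for check, ok, detail in diagnose(parse_proposal(DEBUG),
                                      parse_crypto_map(SITE_B_CONFIG), OWNED_ADDRESSES):
        print(f"[{'ok' if ok else 'FAIL'}] {check}: {detail}")
```

Run on the thread's own data, the transform check passes (both sides use esp-3des esp-sha-hmac) and the local-address check fails, which is consistent with the `invalid local address` line IPsec itself printed: the address the peer negotiated with is not one the crypto-map interface owns. The same parser applied to site A's section would show its `crypto map sites-distants local-address Loopback0` line, which is exactly the kind of local-address setting the last reply says to look at.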
