05-20-2010 12:44 PM - edited 02-21-2020 04:39 PM
Hello,
I have used the password recovery procedure on a Cisco 831, with success (password changed); however, the IPsec VPN is not working anymore.
I have the following message: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer xxx
I haven't modified the configuration during the process (apart from shutdown / no shutdown on interfaces).
Any hint?
Thanks.
05-20-2010 02:30 PM
Please try to clear the SA on both sides of the tunnels:
- clear cry isa
- clear cry ipsec
Try to establish the VPN tunnel again, and if it still doesn't work, you might want to grab the debug output to further investigate the issue:
- debug cry isa
- debug cry ipsec
Hope that helps.
05-21-2010 01:18 AM
I've tried to clear on both sides, still not working; here is the debug
debug ipsec:
IPSEC(validate_transform_proposal): invalid local address xxx
debug isakmp:
ISAKMP (0:4): IPSec policy invalidated proposal
00:22:14: ISAKMP (0:4): phase 2 SA policy not acceptable! (local xxx remote xxx)
05-21-2010 02:17 AM
Can we see configs from both sides for crypto?
Who's initiating the tunnel?
Looks to me like PFS/ transform set mismatch, obviously :-)
05-21-2010 02:32 AM
crypto on site A :
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
lifetime 3600
crypto isakmp key ***** address ipsiteC
crypto isakmp key ***** address ipsiteB
!
!
crypto ipsec transform-set default-ts esp-3des esp-sha-hmac
!
crypto map sites-distants local-address Loopback0
crypto map sites-distants 1 ipsec-isakmp
set peer ipsiteC
set security-association lifetime kilobytes 1000000
set transform-set default-ts
set pfs group1
match address traffic-tarare-comcom
crypto map sites-distants 2 ipsec-isakmp
set peer ipsiteB
set security-association lifetime kilobytes 1000000
set transform-set default-ts
set pfs group1
match address traffic-siteA-siteB
crypto on site B (the one that displays error messages):
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
lifetime 3600
crypto isakmp key 0 ***** address ipsiteA
!
!
crypto ipsec transform-set default-ts esp-3des esp-sha-hmac
!
crypto map sites-distants 1 ipsec-isakmp
set peer ipsiteA
set security-association lifetime kilobytes 1000000
set transform-set default-ts
set pfs group1
match address traffic-siteB-siteA
I'm not sure which one initiates the tunnel; I haven't modified the crypto and it was working before.
05-21-2010 02:38 AM
Christian,
What are the versions?
I very much doubt that password recovery was the trigger, but just in case did you put the config register back the way it was?
Can you also attach full debugs from both sides at the same time? (IP addresses changed/omitted if needed.)
Marcin
05-21-2010 02:53 AM
I put the conf register to 0x2102; not sure it was this way before.
I'll provide you the full conf and debug soon. How can I show you the debug more easily than copy/paste?
05-21-2010 02:57 AM
The way we do it is to enable logging of the PuTTY/SecureCRT session to a file and then enable debugs.
(you might need to do "debug crypto condition peer ipv4 $IP_ADDRESS_OF_OTHER_SIDE")
Marcin
05-21-2010 05:49 AM
05-21-2010 06:51 AM
00:23:48: ISAKMP (0:2): atts are acceptable.
00:23:48: ISAKMP (0:2): IPSec policy invalidated proposal
00:23:48: ISAKMP (0:2): phase 2 SA policy not acceptable! (local ipsiteB remote ipsiteA)
This is interesting. Normally there should be an ipsec error thrown, but you collected isakmp and ipsec debugs separately and from one side only, so it's hard to judge :-)
Can I suggest this procedure:
1. Remove and add crypto map.
2. Reload.
3. Upgrade to latest image in your current train.
(Break at any point if the situation is resolved :-] )
Unless you're using an isakmp profile or specifying local-address somewhere that is out of whack.
Helpful outputs:
--------
sh run | s crypto
sh crypto map
--------
One maybe useful debug:
--------
debug crypto kmi
-------
05-21-2010 10:05 AM
05-25-2010 03:48 AM
00:33:45: ISAKMP (0:14): atts are acceptable.
00:33:45: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 172.22.44.1, remote= 172.22.255.247,
local_proxy= 172.22.44.16/255.255.255.240/0/0 (type=4),
remote_proxy= 126.71.0.0/255.255.0.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-sha-hmac ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x12
00:33:45: IPSEC(validate_transform_proposal): invalid local address 172.22.44.1
00:33:45: ISAKMP (0:14): IPSec policy invalidated proposal
00:33:45: ISAKMP (0:14): phase 2 SA policy not acceptable! (local 172.22.44.1 remote 172.22.255.247)
Many possibilities :-)
Hard to say without knowing the exact configs - could also be buggy. What's the version?
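Added example, not from this thread or any of its posters: a small Python checker for the condition Marcin points at, a crypto map whose local-address is out of step with the address the peer actually negotiates to. It parses an IOS-style config for `crypto map ... local-address` and for the interfaces a map is applied on, then compares the resulting bound address(es) against the `local=` and `invalid local address` values in IPSEC debug lines of the format shown above. The config and debug excerpt inside the script are constructed for the example using RFC 5737 documentation addresses; they are not the original poster's configs, and the script is a triage aid, not a statement about what caused this particular tunnel to fail.

```python
import re

# Constructed sample config (not from the thread): the crypto map is bound to
# Loopback0 with local-address, and applied on the physical interface.
SAMPLE_CONFIG = """\
interface Loopback0
 ip address 192.0.2.1 255.255.255.255
!
interface FastEthernet0
 ip address 198.51.100.10 255.255.255.0
 crypto map sites-distants
!
crypto map sites-distants local-address Loopback0
crypto map sites-distants 1 ipsec-isakmp
 set peer 203.0.113.5
 set transform-set default-ts
 set pfs group1
 match address traffic-siteA-siteB
"""

# Constructed debug excerpt in the same shape as the thread's output: the
# peer built its proposal towards the physical address, not the loopback.
SAMPLE_DEBUG = """\
00:33:45: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 198.51.100.10, remote= 203.0.113.5,
protocol= ESP, transform= esp-3des esp-sha-hmac ,
00:33:45: IPSEC(validate_transform_proposal): invalid local address 198.51.100.10
00:33:45: ISAKMP (0:14): IPSec policy invalidated proposal
"""

IFACE_RE = re.compile(r"^interface (\S+)")
ADDR_RE = re.compile(r"^\s+ip address (\d+\.\d+\.\d+\.\d+) ")
APPLY_RE = re.compile(r"^\s+crypto map (\S+)\s*$")
LOCAL_RE = re.compile(r"^crypto map (\S+) local-address (\S+)")
DEBUG_LOCAL_RE = re.compile(r"\blocal= (\d+\.\d+\.\d+\.\d+)")
INVALID_RE = re.compile(r"invalid local address (\d+\.\d+\.\d+\.\d+)")


def parse_config(config):
    """Return (interface -> IPv4, crypto map -> interfaces it is applied on,
    crypto map -> local-address interface)."""
    iface_ip, applied, local_addr = {}, {}, {}
    current = None  # interface whose sub-mode we are inside, if any
    for line in config.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            continue
        if line.startswith("!") or not line.startswith(" "):
            # Top-level line: leave interface sub-mode; pick up global
            # "crypto map <name> local-address <intf>" statements.
            m = LOCAL_RE.match(line)
            if m:
                local_addr[m.group(1)] = m.group(2)
            current = None
            continue
        if current is None:
            continue  # indented line of a non-interface block (e.g. crypto map entry)
        m = ADDR_RE.match(line)
        if m:
            iface_ip[current] = m.group(1)
        m = APPLY_RE.match(line)
        if m:
            applied.setdefault(m.group(1), set()).add(current)
    return iface_ip, applied, local_addr


def expected_local_ips(config):
    """For each crypto map, the address(es) IKE/IPsec is bound to: the
    local-address interface if set, otherwise every interface the map is on."""
    iface_ip, applied, local_addr = parse_config(config)
    result = {}
    for cmap in set(applied) | set(local_addr):
        ifaces = {local_addr[cmap]} if cmap in local_addr else applied.get(cmap, set())
        result[cmap] = {iface_ip[i] for i in ifaces if i in iface_ip}
    return result


def check_debug(debug, config):
    """List each proposal 'local' address from the debug that is not an
    address any crypto map is bound to, alongside the bound addresses."""
    expected = expected_local_ips(config)
    bound = set().union(*expected.values()) if expected else set()
    seen = set()
    for line in debug.splitlines():
        for rx in (INVALID_RE, DEBUG_LOCAL_RE):
            m = rx.search(line)
            if m:
                seen.add(m.group(1))
    return [{"proposal_local": a, "bound_to": sorted(bound)}
            for a in sorted(seen) if a not in bound]


if __name__ == "__main__":
    for f in check_debug(SAMPLE_DEBUG, SAMPLE_CONFIG):
        print(f"proposal local {f['proposal_local']} is not a crypto-map bound address; "
              f"map is bound to {f['bound_to']}")
```

Run it against `sh run | s crypto` plus interface stanzas from one side and that side's IPSEC debug; an empty result means the peer is talking to the address the map is bound to, and the mismatch lies elsewhere (transform set, PFS, proxy identities).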