*Jun 2 2014 11:47:25.429 UTC: IKEv2:Received Packet [From 10.28.200.2:52247/To 172.16.4.1:500/VRF i0:f0] Initiator SPI : AB8541D7BCE82625 - Responder SPI : 0000000000000000 Message id: 0 IKEv2 IKE_SA_INIT Exchange REQUEST
*Jun 2 2014 11:47:25.429 UTC: IKEv2:Next payload: SA, version: 2.0 Exchange type: IKE_SA_INIT, flags: INITIATOR Message id: 0, length: 747 Payload contents: SA Next payload: KE, reserved: 0x0, length: 316 last proposal: 0x2, reserved: 0x0, length: 140 Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 15 last transform: 0x3, reserved: 0x0: length: 12 type: 1, reserved: 0x0, id: AES-GCM last transform: 0x3, reserved: 0x0: length: 12 type: 1, reserved: 0x0, id: AES-GCM last transform: 0x3, reserved: 0x0: length: 12 type: 1, reserved: 0x0, id: AES-GCM last transform: 0x3, reserved: 0x0: length: 8 type: 2, reserved: 0x0, id: SHA512 last transform: 0x3, reserved: 0x0: length: 8 type: 2, reserved: 0x0, id: SHA384 last transform: 0x3, reserved: 0x0: length: 8 type: 2, reserved: 0x0, id: SHA256 last transform: 0x3, reserved: 0x0: length: 8 type: 2, reserved: 0x0, id: SHA1 last transform: 0x3, reserved: 0x0: length: 8 type: 3, reserved: 0x0, id: None last transform: 0x3, reserved: 0x0: length: 8 type: 4, reserved: 0x0, id: DH_GROUP_1024_MODP/Group 2 last transform: 0x3, reserved: 0x0: length: 8 type: 4, reserved: 0x0, id: DH_GROUP_521_ECP/Group 21 last transform: 0x3, reserved: 0x0: length: 8 type: 4, reserved: 0x0, id: DH_GROUP_384_ECP/Group 20 last transform: 0x3, reserved: 0x0: length: 8 type: 4, reserved: 0x0, id: DH_GROUP_256_ECP/Group 19 last transform: 0x3, reserved: 0x0: length: 8 type: 4, reserved: 0x0, id: DH_GROUP_2048_256_MODP/Group 24 last transform: 0x3, reserved: 0x0: length: 8 type: 4, reserved: 0x0, id: DH_GROUP_2048_MODP/Group 14 last transform: 0x0, reserved: 0x0: length: 8 type: 4, reserved: 0x0, id: DH_GROUP_1536_MODP/Group 5 last proposal: 0x0, reserved: 0x0, length: 172 Proposal: 2, Protocol id: IKE, SPI size: 0, #trans: 19 last transform: 0x3, reserved: 0x0: length: 12 type: 1, reserved: 0x0, id: AES-CBC last transform: 0x3, reserved: 0x0: length: 12 type: 1, reserved: 0x0, id: AES-CBC last transform: 0x3, reserved: 0x0: length: 12 type: 1, reserved: 0x0, id: AES-CBC last transform: 0x3, reserved: 0x0: length: 8 type: 1, reserved: 0x0, id: 3DES last transform: 0x3, reserved: 0x0: length: 8 type: 2, reserved: 0x0, id: SHA512 last transform: 0x3, reserved: 0x0: length: 8 type: 2, reserved: 0x0, id: SHA384 last transform: 0x3, reserved: 0x0: length: 8 type: 2, reserved: 0x0, id: SHA256 last transform: 0x3, reserved: 0x0: length: 8 type: 2, reserved: 0x0, id: SHA1 last transform: 0x3, reserved: 0x0: length: 8 type: 3, reserved: 0x0, id: SHA512 last transform: 0x3, reserved: 0x0: length: 8 type: 3, reserved: 0x0, id: SHA384 last transform: 0x3, reserved: 0x0: length: 8 type: 3, reserved: 0x0, id: SHA256 last transform: 0x3, reserved: 0x0: length: 8 type: 3, reserved: 0x0, id: SHA96 last transform: 0x3, reserved: 0x0: length: 8 type: 4, reserved: 0x0, id: DH_GROUP_1024_MODP/Group 2 last transform: 0x3, reserved: 0x0: length: 8 type: 4, reserved: 0x0, id: DH_GROUP_521_ECP/Group 21 last transform: 0x3, reserved: 0x0: length: 8 type: 4, reserved: 0x0, id: DH_GROUP_384_ECP/Group 20 last transform: 0x3, reserved: 0x0: length: 8 type: 4, reserved: 0x0, id: DH_GROUP_256_ECP/Group 19 last transform: 0x3, reserved: 0x0: length: 8 type: 4, reserved: 0x0, id: DH_GROUP_2048_256_MODP/Group 24 last transform: 0x3, reserved: 0x0: length: 8 type: 4, reserved: 0x0, id: DH_GROUP_2048_MODP/Group 14 last transform: 0x0, reserved: 0x0: length: 8 type: 4, reserved: 0x0, id: DH_GROUP_1536_MODP/Group 5 KE Next payload: N, reserved: 0x0, length: 136 DH group: 2, Reserved: 0x0 N Next payload: VID, reserved: 0x0, length: 24 VID Next payload: VID, reserved: 0x0, length: 23 VID Next payload: VID, reserved: 0x0, length: 59 VID Next payload: VID, reserved: 0x0, length: 24 VID Next payload: VID, reserved: 0x0, length: 20 VID Next payload: NOTIFY, reserved: 0x0, length: 19 NOTIFY(NAT_DETECTION_SOURCE_IP) Next payload: NOTIFY, reserved: 0x0, length: 28 Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_SOURCE_IP NOTIFY(NAT_DETECTION_DESTINATION_IP) Next payload: VID, reserved: 0x0, length: 28 Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_DESTINATION_IP VID Next payload: CFG, reserved: 0x0, length: 20 CFG Next payload: NOTIFY, reserved: 0x0, length: 14 cfg type: CFG_REQUEST, reserved: 0x0, reserved: 0x0
*Jun 2 2014 11:47:25.433 UTC: attrib type: Unknown - 28728, length: 2 NOTIFY(REDIRECT_SUPPORTED) Next payload: NONE, reserved: 0x0, length: 8 Security protocol id: Unknown - 0, spi size: 0, type: REDIRECT_SUPPORTED
*Jun 2 2014 11:47:25.433 UTC: IKEv2:(SESSION ID = 49,SA ID = 1):Verify SA init message
*Jun 2 2014 11:47:25.433 UTC: IKEv2:(SESSION ID = 49,SA ID = 1):Insert SA
*Jun 2 2014 11:47:25.433 UTC: IKEv2:Searching Policy with fvrf 0, local address 172.16.4.1
*Jun 2 2014 11:47:25.433 UTC: IKEv2:Found Policy 'IKEv2_Policy'
*Jun 2 2014 11:47:25.433 UTC: IKEv2:(SESSION ID = 49,SA ID = 1):Processing IKE_SA_INIT message
*Jun 2 2014 11:47:25.433 UTC: IKEv2:(SESSION ID = 49,SA ID = 1):: The peer's KE payload contained the wrong DH group
*Jun 2 2014 11:47:25.433 UTC: IKEv2:(SESSION ID = 49,SA ID = 1):Sending invalid ke notification, peer sent group 2, local policy prefers group 20
*Jun 2 2014 11:47:25.433 UTC: IKEv2:(SESSION ID = 49,SA ID = 1):Sending Packet [To 10.28.200.2:52247/From 172.16.4.1:500/VRF i0:f0] Initiator SPI : AB8541D7BCE82625 - Responder SPI : 0000000000000000 Message id: 0 IKEv2 IKE_SA_INIT Exchange RESPONSE
*Jun 2 2014 11:47:25.433 UTC: IKEv2:(SESSION ID = 49,SA ID = 1):Next payload: NOTIFY, version: 2.0 Exchange type: IKE_SA_INIT, flags: RESPONDER MSG-RESPONSE Message id: 0, length: 38 Payload contents: NOTIFY(INVALID_KE_PAYLOAD) Next payload: NONE, reserved: 0x0, length: 10 Security protocol id: IKE, spi size: 0, type: INVALID_KE_PAYLOAD
*Jun 2 2014 11:47:25.433 UTC: IKEv2:(SESSION ID = 49,SA ID = 1):Failed SA init exchange
*Jun 2 2014 11:47:25.433 UTC: IKEv2:(SESSION ID = 49,SA ID = 1):Initial exchange failed: Initial exchange failed
*Jun 2 2014 11:47:25.433 UTC: IKEv2:(SESSION ID = 49,SA ID = 1):Abort exchange
*Jun 2 2014 11:47:25.433 UTC: IKEv2:(SESSION ID = 49,SA ID = 1):Deleting SA
*Jun 2 2014 11:47:25.469 UTC: IKEv2:Received Packet [From 10.28.200.2:52247/To 172.16.4.1:500/VRF i0:f0] Initiator SPI : AB8541D7BCE82625 - Responder SPI : 0000000000000000 Message id: 0 IKEv2 IKE_SA_INIT Exchange REQUEST
*Jun 2 2014 11:47:25.469 UTC: IKEv2:Next payload: SA, version: 2.0 Exchange type: IKE_SA_INIT, flags: INITIATOR Message id: 0, length: 715 Payload contents: SA Next payload: KE, reserved: 0x0, length: 316 last proposal: 0x2, reserved: 0x0, length: 140 Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 15 last transform: 0x3, reserved: 0x0: length: 12 type: 1, reserved: 0x0, id: AES-GCM last transform: 0x3, reserved: 0x0: length: 12 type: 1, reserved: 0x0, id: AES-GCM last transform: 0x3, reserved: 0x0: length: 12 type: 1, reserved: 0x0, id: AES-GCM last transform: 0x3, reserved: 0x0: length: 8 type: 2, reserved: 0x0, id: SHA512 last transform: 0x3, reserved: 0x0: length: 8 type: 2, reserved: 0x0, id: SHA384 last transform: 0x3, reserved: 0x0: length: 8 type: 2, reserved: 0x0, id: SHA256 last transform: 0x3, reserved: 0x0: length: 8 type: 2, reserved: 0x0, id: SHA1 last transform: 0x3, reserved: 0x0: length: 8 type: 3, reserved: 0x0, id: None last transform: 0x3, reserved: 0x0: length: 8 type: 4, reserved: 0x0, id: DH_GROUP_1024_MODP/Group 2 last transform: 0x3, reserved: 0x0: length: 8 type: 4, reserved: 0x0, id: DH_GROUP_521_ECP/Group 21 last transform: 0x3, reserved: 0x0: length: 8 type: 4, reserved: 0x0, id: DH_GROUP_384_ECP/Group 20 last transform: 0x3, reserved: 0x0: length: 8 type: 4, reserved: 0x0, id: DH_GROUP_256_ECP/Group 19 last transform: 0x3, reserved: 0x0: length: 8 type: 4, reserved: 0x0, id: DH_GROUP_2048_256_MODP/Group 24 last transform: 0x3, reserved: 0x0: length: 8 type: 4, reserved: 0x0, id: DH_GROUP_2048_MODP/Group 14 last transform: 0x0, reserved: 0x0: length: 8 type: 4, reserved: 0x0, id: DH_GROUP_1536_MODP/Group 5 last proposal: 0x0, reserved: 0x0, length: 172 Proposal: 2, Protocol id: IKE, SPI size: 0, #trans: 19 last transform: 0x3, reserved: 0x0: length: 12 type: 1, reserved: 0x0, id: AES-CBC last transform: 0x3, reserved: 0x0: length: 12 type: 1, reserved: 0x0, id: AES-CBC last transform: 0x3, reserved: 0x0: length: 12 type: 1, reserved: 0x0, id: AES-CBC last transform: 0x3, reserved: 0x0: length: 8 type: 1, reserved: 0x0, id: 3DES last transform: 0x3, reserved: 0x0: length: 8 type: 2, reserved: 0x0, id: SHA512 last transform: 0x3, reserved: 0x0: length: 8 type: 2, reserved: 0x0, id: SHA384 last transform: 0x3, reserved: 0x0: length: 8 type: 2, reserved: 0x0, id: SHA256 last transform: 0x3, reserved: 0x0: length: 8 type: 2, reserved: 0x0, id: SHA1 last transform: 0x3, reserved: 0x0: length: 8 type: 3, reserved: 0x0, id: SHA512 last transform: 0x3, reserved: 0x0: length: 8 type: 3, reserved: 0x0, id: SHA384 last transform: 0x3, reserved: 0x0: length: 8 type: 3, reserved: 0x0, id: SHA256 last transform: 0x3, reserved: 0x0: length: 8 type: 3, reserved: 0x0, id: SHA96 last transform: 0x3, reserved: 0x0: length: 8 type: 4, reserved: 0x0, id: DH_GROUP_1024_MODP/Group 2 last transform: 0x3, reserved: 0x0: length: 8 type: 4, reserved: 0x0, id: DH_GROUP_521_ECP/Group 21 last transform: 0x3, reserved: 0x0: length: 8 type: 4, reserved: 0x0, id: DH_GROUP_384_ECP/Group 20 last transform: 0x3, reserved: 0x0: length: 8 type: 4, reserved: 0x0, id: DH_GROUP_256_ECP/Group 19 last transform: 0x3, reserved: 0x0: length: 8 type: 4, reserved: 0x0, id: DH_GROUP_2048_256_MODP/Group 24 last transform: 0x3, reserved: 0x0: length: 8 type: 4, reserved: 0x0, id: DH_GROUP_2048_MODP/Group 14 last transform: 0x0, reserved: 0x0: length: 8 type: 4, reserved: 0x0, id: DH_GROUP_1536_MODP/Group 5 KE Next payload: N, reserved: 0x0, length: 104 DH group: 20, Reserved: 0x0 N Next payload: VID, reserved: 0x0, length: 24 VID Next payload: VID, reserved: 0x0, length: 23 VID Next payload: VID, reserved: 0x0, length: 59 VID Next payload: VID, reserved: 0x0, length: 24 VID Next payload: VID, reserved: 0x0, length: 20 VID Next payload: NOTIFY, reserved: 0x0, length: 19 NOTIFY(NAT_DETECTION_SOURCE_IP) Next payload: NOTIFY, reserved: 0x0, length: 28 Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_SOURCE_IP NOTIFY(NAT_DETECTION_DESTINATION_IP) Next payload: VID, reserved: 0x0, length: 28 Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_DESTINATION_IP VID Next payload: CFG, reserved: 0x0, length: 20 CFG Next payload: NOTIFY, reserved: 0x0, length: 14 cfg type: CFG_REQUEST, reserved: 0x0, reserved: 0x0
*Jun 2 2014 11:47:25.469 UTC: attrib type: Unknown - 28728, length: 2 NOTIFY(REDIRECT_SUPPORTED) Next payload: NONE, reserved: 0x0, length: 8 Security protocol id: Unknown - 0, spi size: 0, type: REDIRECT_SUPPORTED
*Jun 2 2014 11:47:25.469 UTC: IKEv2:(SESSION ID = 50,SA ID = 1):Verify SA init message
*Jun 2 2014 11:47:25.469 UTC: IKEv2:(SESSION ID = 50,SA ID = 1):Insert SA
*Jun 2 2014 11:47:25.469 UTC: IKEv2:Searching Policy with fvrf 0, local address 172.16.4.1
*Jun 2 2014 11:47:25.469 UTC: IKEv2:Found Policy 'IKEv2_Policy'
*Jun 2 2014 11:47:25.469 UTC: IKEv2:(SESSION ID = 50,SA ID = 1):Processing IKE_SA_INIT message
*Jun 2 2014 11:47:25.469 UTC: IKEv2:(SESSION ID = 50,SA ID = 1):Received valid config mode data
*Jun 2 2014 11:47:25.469 UTC: IKEv2:Config data recieved:
*Jun 2 2014 11:47:25.469 UTC: Config-type: Config-request
*Jun 2 2014 11:47:25.469 UTC: Attrib type: unknown, length: 2, data: 0x2 0x40
*Jun 2 2014 11:47:25.469 UTC: IKEv2:IKEv2 responder - ignoring config data received in IKE_SA_INIT exch
*Jun 2 2014 11:47:25.469 UTC: IKEv2:(SESSION ID = 50,SA ID = 1):Set received config mode data
*Jun 2 2014 11:47:25.469 UTC: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Jun 2 2014 11:47:25.469 UTC: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'ROUTER_EC_TRUSTPOINT' 'TRUSTPOINT_ROUTER_CERT'
*Jun 2 2014 11:47:25.469 UTC: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
*Jun 2 2014 11:47:25.469 UTC: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED
*Jun 2 2014 11:47:25.469 UTC: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Start PKI Session
*Jun 2 2014 11:47:25.469 UTC: CRYPTO_PKI: (A0019) Session started - identity not specified
*Jun 2 2014 11:47:25.469 UTC: IKEv2:(SA ID = 1):[PKI -> IKEv2] Starting of PKI Session PASSED
*Jun 2 2014 11:47:25.469 UTC: IKEv2:(SESSION ID = 50,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 20
*Jun 2 2014 11:47:25.469 UTC: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Jun 2 2014 11:47:25.469 UTC: IKEv2:(SESSION ID = 50,SA ID = 1):Request queued for computation of DH key
*Jun 2 2014 11:47:25.469 UTC: IKEv2:(SESSION ID = 50,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 20
*Jun 2 2014 11:47:25.493 UTC: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Jun 2 2014 11:47:25.493 UTC: IKEv2:(SESSION ID = 50,SA ID = 1):Request queued for computation of DH secret
*Jun 2 2014 11:47:25.493 UTC: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
*Jun 2 2014 11:47:25.493 UTC: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
*Jun 2 2014 11:47:25.493 UTC: IKEv2:IKEv2 responder - no config data to send in IKE_SA_INIT exch
*Jun 2 2014 11:47:25.493 UTC: IKEv2:(SESSION ID = 50,SA ID = 1):Generating IKE_SA_INIT message
*Jun 2 2014 11:47:25.493 UTC: IKEv2:(SESSION ID = 50,SA ID = 1):IKE Proposal: 2, SPI size: 0 (initial negotiation), Num. transforms: 4 AES-CBC SHA384 SHA384 DH_GROUP_384_ECP/Group 20
*Jun 2 2014 11:47:25.493 UTC: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Jun 2 2014 11:47:25.493 UTC: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'ROUTER_EC_TRUSTPOINT' 'TRUSTPOINT_ROUTER_CERT'
*Jun 2 2014 11:47:25.493 UTC: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
*Jun 2 2014 11:47:25.493 UTC: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED
*Jun 2 2014 11:47:25.493 UTC: IKEv2:(SESSION ID = 50,SA ID = 1):Sending Packet [To 10.28.200.2:52247/From 172.16.4.1:500/VRF i0:f0] Initiator SPI : AB8541D7BCE82625 - Responder SPI : 9423F6359136AE42 Message id: 0 IKEv2 IKE_SA_INIT Exchange RESPONSE
*Jun 2 2014 11:47:25.493 UTC: IKEv2:(SESSION ID = 50,SA ID = 1):Next payload: SA, version: 2.0 Exchange type: IKE_SA_INIT, flags: RESPONDER MSG-RESPONSE Message id: 0, length: 388 Payload contents: SA Next payload: KE, reserved: 0x0, length: 48 last proposal: 0x0, reserved: 0x0, length: 44 Proposal: 2, Protocol id: IKE, SPI size: 0, #trans: 4 last transform: 0x3, reserved: 0x0: length: 12 type: 1, reserved: 0x0, id: AES-CBC last transform: 0x3, reserved: 0x0: length: 8 type: 2, reserved: 0x0, id: SHA384 last transform: 0x3, reserved: 0x0: length: 8 type: 3, reserved: 0x0, id: SHA384 last transform: 0x0, reserved: 0x0: length: 8 type: 4, reserved: 0x0, id: DH_GROUP_384_ECP/Group 20 KE Next payload: N, reserved: 0x0, length: 104 DH group: 20, Reserved: 0x0 N Next payload: VID, reserved: 0x0, length: 24 VID Next payload: VID, reserved: 0x0, length: 23 VID Next payload: VID, reserved: 0x0, length: 59 VID Next payload: NOTIFY, reserved: 0x0, length: 21 NOTIFY(NAT_DETECTION_SOURCE_IP) Next payload: NOTIFY, reserved: 0x0, length: 28 Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_SOURCE_IP NOTIFY(NAT_DETECTION_DESTINATION_IP) Next payload: CERTREQ, reserved: 0x0, length: 28 Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_DESTINATION_IP CERTREQ Next payload: NONE, reserved: 0x0, length: 25 Cert encoding X.509 Certificate - signature
*Jun 2 2014 11:47:25.493 UTC: IKEv2:(SESSION ID = 50,SA ID = 1):Completed SA init exchange
*Jun 2 2014 11:47:25.493 UTC: IKEv2:(SESSION ID = 50,SA ID = 1):Starting timer (30 sec) to wait for auth message
*Jun 2 2014 11:47:25.645 UTC: IKEv2:(SESSION ID = 50,SA ID = 1):Received Packet [From 10.28.200.2:52248/To 172.16.4.1:500/VRF i0:f0] Initiator SPI : AB8541D7BCE82625 - Responder SPI : 9423F6359136AE42 Message id: 1 IKEv2 IKE_AUTH Exchange REQUEST
*Jun 2 2014 11:47:25.645 UTC: IKEv2:(SESSION ID = 50,SA ID = 1):Next payload: ENCR, version: 2.0 Exchange type: IKE_AUTH, flags: INITIATOR Message id: 1, length: 2264 Payload contents: VID Next payload: IDi, reserved: 0x0, length: 20 IDi Next payload: CERT, reserved: 0x0, length: 25 Id type: DER ASN1 DN, Reserved: 0x0 0x0 CERT Next payload: CERT, reserved: 0x0, length: 995 Cert encoding X.509 Certificate - signature CERT Next payload: CERTREQ, reserved: 0x0, length: 532 Cert encoding X.509 Certificate - signature CERTREQ Next payload: AUTH, reserved: 0x0, length: 25 Cert encoding X.509 Certificate - signature AUTH Next payload: CFG, reserved: 0x0, length: 104 Auth method RSA, reserved: 0x0, reserved 0x0 CFG Next payload: SA, reserved: 0x0, length: 240 cfg type: CFG_REQUEST, reserved: 0x0, reserved: 0x0
*Jun 2 2014 11:47:25.649 UTC: attrib type: internal IP4 address, length: 0
*Jun 2 2014 11:47:25.649 UTC: attrib type: internal IP4 netmask, length: 0
*Jun 2 2014 11:47:25.649 UTC: attrib type: internal IP4 DNS, length: 0
*Jun 2 2014 11:47:25.649 UTC: attrib type: internal IP4 NBNS, length: 0
*Jun 2 2014 11:47:25.649 UTC: attrib type: internal address expiry, length: 0
*Jun 2 2014 11:47:25.649 UTC: attrib type: application version, length: 28 attrib type: internal IP6 address, length: 0
*Jun 2 2014 11:47:25.649 UTC: attrib type: internal IP4 subnet, length: 0
*Jun 2 2014 11:47:25.649 UTC: attrib type: internal IP6 DNS, length: 0
*Jun 2 2014 11:47:25.649 UTC: attrib type: internal IP6 subnet, length: 0
*Jun 2 2014 11:47:25.649 UTC: attrib type: Unknown - 28682, length: 4 attrib type: Unknown - 28704, length: 0
*Jun 2 2014 11:47:25.649 UTC: attrib type: Unknown - 28705, length: 0
*Jun 2 2014 11:47:25.649 UTC: attrib type: Unknown - 28706, length: 0
*Jun 2 2014 11:47:25.649 UTC: attrib type: Unknown - 28707, length: 0
*Jun 2 2014 11:47:25.649 UTC: attrib type: Unknown - 28708, length: 0
*Jun 2 2014 11:47:25.649 UTC: attrib type: Unknown - 28709, length: 0
*Jun 2 2014 11:47:25.649 UTC: attrib type: Unknown - 28710, length: 0
*Jun 2 2014 11:47:25.649 UTC: attrib type: Unknown - 28672, length: 0
*Jun 2 2014 11:47:25.649 UTC: attrib type: Unknown - 28684, length: 0
*Jun 2 2014 11:47:25.649 UTC: attrib type: Unknown - 28711, length: 2 attrib type: Unknown - 28674, length: 0
*Jun 2 2014 11:47:25.649 UTC: attrib type: Unknown - 28712, length: 0
*Jun 2 2014 11:47:25.649 UTC: attrib type: Unknown - 28675, length: 0
*Jun 2 2014 11:47:25.649 UTC: attrib type: Unknown - 28679, length: 0
*Jun 2 2014 11:47:25.649 UTC: attrib type: Unknown - 28683, length: 0
*Jun 2 2014 11:47:25.649 UTC: attrib type: Unknown - 28717, length: 0
*Jun 2 2014 11:47:25.649 UTC: attrib type: Unknown - 28718, length: 0
*Jun 2 2014 11:47:25.649 UTC: attrib type: Unknown - 28719, length: 0
*Jun 2 2014 11:47:25.649 UTC: attrib type: Unknown - 28720, length: 0
*Jun 2 2014 11:47:25.649 UTC: attrib type: Unknown - 28721, length: 0
*Jun 2 2014 11:47:25.649 UTC: attrib type: Unknown - 28722, length: 0
*Jun 2 2014 11:47:25.649 UTC: attrib type: Unknown - 28723, length: 0
*Jun 2 2014 11:47:25.649 UTC: attrib type: Unknown - 28724, length: 0
*Jun 2 2014 11:47:25.649 UTC: attrib type: Unknown - 28725, length: 0
*Jun 2 2014 11:47:25.649 UTC: attrib type: Unknown - 28726, length: 0
*Jun 2 2014 11:47:25.649 UTC: attrib type: Unknown - 28727, length: 0
*Jun 2 2014 11:47:25.649 UTC: attrib type: Unknown - 28729, length: 0
*Jun 2 2014 11:47:25.649 UTC: attrib type: Unknown - 28730, length: 0
*Jun 2 2014 11:47:25.649 UTC: attrib type: Unknown - 28731, length: 0
*Jun 2 2014 11:47:25.649 UTC: attrib type: Unknown - 28732, length: 0
*Jun 2 2014 11:47:25.649 UTC: attrib type: Unknown - 28733, length: 4 attrib type: Unknown - 28734, length: 0
*Jun 2 2014 11:47:25.649 UTC: attrib type: Unknown - 28735, length: 4 attrib type: Unknown - 28736, length: 0
*Jun 2 2014 11:47:25.649 UTC: attrib type: Unknown - 28737, length: 0
*Jun 2 2014 11:47:25.649 UTC: attrib type: Unknown - 28738, length: 2 SA Next payload: NOTIFY, reserved: 0x0, length: 164 last proposal: 0x2, reserved: 0x0, length: 64 Proposal: 1, Protocol id: ESP, SPI size: 4, #trans: 5 last transform: 0x3, reserved: 0x0: length: 12 type: 1, reserved: 0x0, id: AES-GCM last transform: 0x3, reserved: 0x0: length: 12 type: 1, reserved: 0x0, id: AES-GCM last transform: 0x3, reserved: 0x0: length: 12 type: 1, reserved: 0x0, id: AES-GCM last transform: 0x3, reserved: 0x0: length: 8 type: 3, reserved: 0x0, id: None last transform: 0x0, reserved: 0x0: length: 8 type: 5, reserved: 0x0, id: Don't use ESN last proposal: 0x0, reserved: 0x0, length: 96 Proposal: 2, Protocol id: ESP, SPI size: 4, #trans: 9 last transform: 0x3, reserved: 0x0: length: 12 type: 1, reserved: 0x0, id: AES-CBC last transform: 0x3, reserved: 0x0: length: 12 type: 1, reserved: 0x0, id: AES-CBC last transform: 0x3, reserved: 0x0: length: 12 type: 1, reserved: 0x0, id: AES-CBC last transform: 0x3, reserved: 0x0: length: 8 type: 1, reserved: 0x0, id: 3DES last transform: 0x3, reserved: 0x0: length: 8 type: 3, reserved: 0x0, id: SHA512 last transform: 0x3, reserved: 0x0: length: 8 type: 3, reserved: 0x0, id: SHA384 last transform: 0x3, reserved: 0x0: length: 8 type: 3, reserved: 0x0, id: SHA256 last transform: 0x3, reserved: 0x0: length: 8 type: 3, reserved: 0x0, id: SHA96 last transform: 0x0, reserved: 0x0: length: 8 type: 5, reserved: 0x0, id: Don't use ESN NOTIFY(IPCOMP_SUPPORTED) Next payload: TSi, reserved: 0x0, length: 11 Security protocol id: IKE, spi size: 0, type: IPCOMP_SUPPORTED TSi Next payload: TSr, reserved: 0x0, length: 24 Num of TSs: 1, reserved 0x0, reserved 0x0 TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16 start port: 0, end port: 65535 start addr: 0.0.0.0, end addr: 255.255.255.255 TSr Next payload: NOTIFY, reserved: 0x0, length: 24 Num of TSs: 1, reserved 0x0, reserved 0x0 TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16 start port: 0, end port: 65535 start addr: 0.0.0.0, end addr: 255.255.255.255 NOTIFY(INITIAL_CONTACT) Next payload: NOTIFY, reserved: 0x0, length: 8 Security protocol id: IKE, spi size: 0, type: INITIAL_CONTACT NOTIFY(ESP_TFC_NO_SUPPORT) Next payload: NOTIFY, reserved: 0x0, length: 8 Security protocol id: IKE, spi size: 0, type: ESP_TFC_NO_SUPPORT NOTIFY(NON_FIRST_FRAGS) Next payload: NONE, reserved: 0x0, length: 8 Security protocol id: IKE, spi size: 0, type: NON_FIRST_FRAGS
*Jun 2 2014 11:47:25.649 UTC: IKEv2:(SESSION ID = 50,SA ID = 1):Stopping timer to wait for auth message
*Jun 2 2014 11:47:25.649 UTC: IKEv2:(SESSION ID = 50,SA ID = 1):Checking NAT discovery
*Jun 2 2014 11:47:25.649 UTC: IKEv2:(SESSION ID = 50,SA ID = 1):NAT OUTSIDE found
*Jun 2 2014 11:47:25.649 UTC: IKEv2:(SESSION ID = 50,SA ID = 1):NAT detected float to init port 52248, resp port 4500
*Jun 2 2014 11:47:25.649 UTC: IKEv2:(SESSION ID = 50,SA ID = 1):Searching policy based on peer's identity 'cn=GNS3' of type 'DER ASN1 DN'
*Jun 2 2014 11:47:25.653 UTC: IKEv2:Optional profile description not updated in PSH
*Jun 2 2014 11:47:25.653 UTC: IKEv2:Searching Policy with fvrf 0, local address 172.16.4.1
*Jun 2 2014 11:47:25.653 UTC: IKEv2:Found Policy 'IKEv2_Policy'
*Jun 2 2014 11:47:25.653 UTC: IKEv2:Found matching IKEv2 profile 'IKEv2_RSA_Profile'
*Jun 2 2014 11:47:25.653 UTC: IKEv2:(SESSION ID = 50,SA ID = 1):Verify peer's policy
*Jun 2 2014 11:47:25.653 UTC: IKEv2:(SESSION ID = 50,SA ID = 1):Peer's policy verified
*Jun 2 2014 11:47:25.653 UTC: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieving trustpoint(s) from received certificate hash(es)
*Jun 2 2014 11:47:25.653 UTC: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): NONE
*Jun 2 2014 11:47:25.653 UTC: IKEv2:% Received cert hash is invalid, using configured trustpoints from profile for signing
*Jun 2 2014 11:47:25.653 UTC: CRYPTO_PKI: locked trustpoint ROUTER_EC_TRUSTPOINT, refcount is 1
*Jun 2 2014 11:47:25.653 UTC: CRYPTO_PKI: Identity bound (ROUTER_EC_TRUSTPOINT) for session A0019
*Jun 2 2014 11:47:25.653 UTC: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Getting cert chain for the trustpoint ROUTER_EC_TRUSTPOINT
*Jun 2 2014 11:47:25.653 UTC: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of cert chain for the trustpoint PASSED
*Jun 2 2014 11:47:25.653 UTC: IKEv2:(SESSION ID = 50,SA ID = 1):Get peer's authentication method
*Jun 2 2014 11:47:25.653 UTC: IKEv2:(SESSION ID = 50,SA ID = 1):Peer's authentication method is 'RSA'
*Jun 2 2014 11:47:25.653 UTC: CRYPTO_PKI: (A0019) Adding peer certificate
*Jun 2 2014 11:47:25.653 UTC: CRYPTO_PKI: Added x509 peer certificate - (990) bytes
*Jun 2 2014 11:47:25.653 UTC: CRYPTO_PKI: (A0019) Adding peer certificate
*Jun 2 2014 11:47:25.653 UTC: CRYPTO_PKI: Added x509 peer certificate - (527) bytes
*Jun 2 2014 11:47:25.653 UTC: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Validating certificate chain
*Jun 2 2014 11:47:25.653 UTC: CRYPTO_PKI: ip-ext-val: IP extension validation not required
*Jun 2 2014 11:47:25.653 UTC: CRYPTO_PKI: create new ca_req_context type PKI_VERIFY_CHAIN_CONTEXT,ident 6
*Jun 2 2014 11:47:25.653 UTC: CRYPTO_PKI: (A0019)validation path has 1 certs
*Jun 2 2014 11:47:25.653 UTC: CRYPTO_PKI: (A0019) Check for identical certs
*Jun 2 2014 11:47:25.653 UTC: CRYPTO_PKI : (A0019) Validating non-trusted cert
*Jun 2 2014 11:47:25.653 UTC: CRYPTO_PKI: (A0019) Create a list of suitable trustpoints
*Jun 2 2014 11:47:25.653 UTC: CRYPTO_PKI: Found a issuer match
*Jun 2 2014 11:47:25.653 UTC: CRYPTO_PKI: (A0019) Suitable trustpoints are: ROUTER_EC_TRUSTPOINT,
*Jun 2 2014 11:47:25.653 UTC: CRYPTO_PKI: (A0019) Attempting to validate certificate using ROUTER_EC_TRUSTPOINT policy
*Jun 2 2014 11:47:25.653 UTC: CRYPTO_PKI: (A0019) Using ROUTER_EC_TRUSTPOINT to validate certificate
*Jun 2 2014 11:47:25.653 UTC: CRYPTO_PKI: Added 1 certs to trusted chain.
*Jun 2 2014 11:47:25.653 UTC: CRYPTO_PKI: Prepare session revocation service providers
*Jun 2 2014 11:47:25.741 UTC: CRYPTO_PKI: (A0019) Certificate is verified
*Jun 2 2014 11:47:25.741 UTC: CRYPTO_PKI: Remove session revocation service providers
*Jun 2 2014 11:47:25.741 UTC: CRYPTO_PKI: Remove session revocation service providers
*Jun 2 2014 11:47:25.741 UTC: CRYPTO_PKI: (A0019) Certificate validated without revocation check
*Jun 2 2014 11:47:25.741 UTC: CRYPTO_PKI: Populate AAA auth data
*Jun 2 2014 11:47:25.741 UTC: CRYPTO_PKI: Unable to get configured attribute for primary AAA list authorization.
*Jun 2 2014 11:47:25.741 UTC: CRYPTO_PKI: (A0019)chain cert was anchored to trustpoint ROUTER_EC_TRUSTPOINT, and chain validation result was: CRYPTO_VALID_CERT_WITH_WARNING
*Jun 2 2014 11:47:25.741 UTC: CRYPTO_PKI: destroy ca_req_context type PKI_VERIFY_CHAIN_CONTEXT,ident 6
*Jun 2 2014 11:47:25.741 UTC: CRYPTO_PKI: (A0019) Validation TP is ROUTER_EC_TRUSTPOINT
*Jun 2 2014 11:47:25.741 UTC: CRYPTO_PKI: (A0019) Certificate validation succeeded
*Jun 2 2014 11:47:25.741 UTC: IKEv2:(SA ID = 1):[PKI -> IKEv2] Validation of certificate chain PASSED
*Jun 2 2014 11:47:25.741 UTC: IKEv2:(SESSION ID = 50,SA ID = 1):Save pubkey
*Jun 2 2014 11:47:25.741 UTC: CRYPTO_PKI: Deleting cached key having key id 12
*Jun 2 2014 11:47:25.749 UTC: CRYPTO_PKI: Attempting to insert the peer's public key into cache
*Jun 2 2014 11:47:25.749 UTC: CRYPTO_PKI:Peer's public inserted successfully with key id 13
*Jun 2 2014 11:47:25.749 UTC: IKEv2:(SESSION ID = 50,SA ID = 1):Verify peer's authentication data
*Jun 2 2014 11:47:25.749 UTC: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
*Jun 2 2014 11:47:25.749 UTC: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
*Jun 2 2014 11:47:25.749 UTC: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Verify signed authenticaiton data
*Jun 2 2014 11:47:25.777 UTC: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] Verification of signed authentication data PASSED
*Jun 2 2014 11:47:25.777 UTC: CRYPTO_PKI: Application requested to expire the key
*Jun 2 2014 11:47:25.777 UTC: CRYPTO_PKI: Expiring peer's cached key with key id 13
*Jun 2 2014 11:47:25.777 UTC: IKEv2:(SESSION ID = 50,SA ID = 1):Processing INITIAL_CONTACT
*Jun 2 2014 11:47:25.777 UTC: IKEv2:Using mlist default and username IKEv2_Auth_Policy for group author request
*Jun 2 2014 11:47:25.777 UTC: IKEv2:(SA ID = 1):[IKEv2 -> AAA] Authorisation request sent
*Jun 2 2014 11:47:25.777 UTC: IKEv2:(SA ID = 1):[AAA -> IKEv2] Received AAA authorisation response
*Jun 2 2014 11:47:25.777 UTC: IKEv2:(SESSION ID = 50,SA ID = 1):Received valid config mode data
*Jun 2 2014 11:47:25.777 UTC: IKEv2:Config data recieved:
*Jun 2 2014 11:47:25.777 UTC: Config-type: Config-request
*Jun 2 2014 11:47:25.777 UTC: Attrib type: ipv4-addr, length: 0
*Jun 2 2014 11:47:25.777 UTC: Attrib type: ipv4-netmask, length: 0
*Jun 2 2014 11:47:25.777 UTC: Attrib type: ipv4-dns, length: 0
*Jun 2 2014 11:47:25.777 UTC: Attrib type: ipv4-nbns, length: 0
*Jun 2 2014 11:47:25.777 UTC: Attrib type: unknown, length: 0
*Jun 2 2014 11:47:25.777 UTC: Attrib type: app-version, length: 28, data: AnyConnect Windows 3.1.05160
*Jun 2 2014 11:47:25.777 UTC: Attrib type: ipv6-addr, length: 0
*Jun 2 2014 11:47:25.777 UTC: Attrib type: ipv4-subnet, length: 0
*Jun 2 2014 11:47:25.777 UTC: Attrib type: ipv6-dns, length: 0
*Jun 2 2014 11:47:25.777 UTC: Attrib type: ipv6-subnet, length: 0
*Jun 2 2014 11:47:25.777 UTC: Attrib type: unknown, length: 4, data: 0x470x4E0x530x33
*Jun 2 2014 11:47:25.777 UTC: Attrib type: unknown, length: 0
*Jun 2 2014 11:47:25.777 UTC: Attrib type: unknown, length: 0
*Jun 2 2014 11:47:25.777 UTC: Attrib type: reconnect-cleanup-interval, length: 0
*Jun 2 2014 11:47:25.777 UTC: Attrib type: unknown, length: 0
*Jun 2 2014 11:47:25.777 UTC: Attrib type: unknown, length: 0
*Jun 2 2014 11:47:25.777 UTC: Attrib type: reconnect-dpd-interval, length: 0
*Jun 2 2014 11:47:25.777 UTC: Attrib type: unknown, length: 0
*Jun 2 2014 11:47:25.777 UTC: Attrib type: banner, length: 0
*Jun 2 2014 11:47:25.777 UTC: Attrib type: smartcard-removal-disconnect, length: 0
VPNGW#
*Jun 2 2014 11:47:25.797 UTC: IKEv2:(SESSION ID = 50,SA ID = 1):Checking for duplicate IKEv2 SA
*Jun 2 2014 11:47:25.797 UTC: IKEv2:(SESSION ID = 50,SA ID = 1):No duplicate IKEv2 SA found
*Jun 2 2014 11:47:25.797 UTC: IKEv2:(SESSION ID = 50,SA ID = 1):Starting timer (8 sec) to delete negotiation context
VPNGW#
*Jun 2 2014 11:47:37.573 UTC: %SEC-6-IPACCESSLOGP: list BLOCK_NON_VPN permitted udp 10.28.200.2(51812) -> 172.16.4.1(4500), 1 packet
VPNGW#
*Jun 2 2014 11:47:42.297 UTC: IKEv2:(SESSION ID = 50,SA ID = 1):Received Packet [From 10.28.200.2:52248/To 172.16.4.1:4500/VRF i0:f0] Initiator SPI : AB8541D7BCE82625 - Responder SPI : 9423F6359136AE42 Message id: 2 IKEv2 INFORMATIONAL Exchange REQUEST
*Jun 2 2014 11:47:42.297 UTC: IKEv2:(SESSION ID = 50,SA ID = 1):Next payload: ENCR, version: 2.0 Exchange type: INFORMATIONAL, flags: INITIATOR Message id: 2, length: 104 Payload contents: DELETE Next payload: NOTIFY, reserved: 0x0, length: 8 Security protocol id: IKE, spi size: 0, num of spi: 0 NOTIFY(DELETE_REASON) Next payload: NONE, reserved: 0x0, length: 16 Security protocol id: IKE, spi size: 0, type: DELETE_REASON
*Jun 2 2014 11:47:42.297 UTC: IKEv2:(SESSION ID = 50,SA ID = 1):Building packet for encryption. Payload contents: DELETE Next payload: NONE, reserved: 0x0, length: 8 Security protocol id: IKE, spi size: 0, num of spi: 0
*Jun 2 2014 11:47:42.297 UTC: IKEv2:(SESSION ID = 50,SA ID = 1):Sending Packet [To 10.28.200.2:52248/From 172.16.4.1:4500/VRF i0:f0] Initiator SPI : AB8541D7BCE82625 - Responder SPI : 9423F6359136AE42 Message id: 2 IKEv2 INFORMATIONAL Exchange RESPONSE
*Jun 2 2014 11:47:42.297 UTC: IKEv2:(SESSION ID = 50,SA ID = 1):Next payload: ENCR, version: 2.0 Exchange type: INFORMATIONAL, flags: RESPONDER MSG-RESPONSE Message id: 2, length: 88 Payload contents: ENCR Next payload: DELETE, reserved: 0x0, length: 60
*Jun 2 2014 11:47:42.297 UTC: IKEv2:(SESSION ID = 50,SA ID = 1):Process delete request from peer
*Jun 2 2014 11:47:42.297 UTC: IKEv2:(SESSION ID = 50,SA ID = 1):Processing DELETE INFO message for IKEv2 SA [ISPI: 0xAB8541D7BCE82625 RSPI: 0x9423F6359136AE42]
*Jun 2 2014 11:47:42.297 UTC: IKEv2:(SESSION ID = 50,SA ID = 1):Check for existing active SA
*Jun 2 2014 11:47:42.297 UTC: IKEv2:(SESSION ID = 50,SA ID = 1):Delete all IKE SAs
*Jun 2 2014 11:47:42.297 UTC: IKEv2:(SESSION ID = 50,SA ID = 1):Deleting SA
*Jun 2 2014 11:47:42.301 UTC: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Jun 2 2014 11:47:42.301 UTC: IDB is NULL : in crypto_ipsec_key_engine_delete_sas (), 5056
*Jun 2 2014 11:47:42.301 UTC: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
*Jun 2 2014 11:47:42.301 UTC: [Delete SA]: state = Delete SA Initialization
*Jun 2 2014 11:47:42.301 UTC: IPSEC:(SESSION ID = 50) still in use sa: 0x1573DD98
*Jun 2 2014 11:47:42.301 UTC: [Delete SA]: state = Enable outbound
*Jun 2 2014 11:47:42.301 UTC: [Delete SA]: state = Delete SA
*Jun 2 2014 11:47:42.301 UTC: IPSEC:(SESSION ID = 50) (key_engine_delete_sas) delete SA with spi 0x82D15F90 proto 50 for 172.16.4.1
*Jun 2 2014 11:47:42.301 UTC: [Sibling 82D15F90]: state = Notify Ident
*Jun 2 2014 11:47:42.301 UTC: IPSEC:(SESSION ID = 50) (delete_sa) deleting SA, (sa) sa_dest= 172.16.4.1, sa_proto= 50, sa_spi= 0x82D15F90(2194759568), sa_trans= esp-gcm 256 , sa_conn_id= 11 sa_lifetime(k/sec)= (4608000/28800), (identity) local= 172.16.4.1:0, remote= 10.28.200.2:0, local_proxy= 0.0.0.0/0.0.0.0/256/0, remote_proxy= 192.168.8.21/255.255.255.255/256/0
*Jun 2 2014 11:47:42.301 UTC: IPSEC:(SESSION ID = 50) (delete_sa) deleting SA, (sa) sa_dest= 10.28.200.2, sa_proto= 50, sa_spi= 0x841DFF0D(2216558349), sa_trans= esp-gcm 256 , sa_conn_id= 12 sa_lifetime(k/sec)= (4608000/28800), (identity) local= 172.16.4.1:0, remote= 10.28.200.2:0, local_proxy= 0.0.0.0/0.0.0.0/256/0, remote_proxy= 192.168.8.21/255.255.255.255/256/0
*Jun 2 2014 11:47:42.301 UTC: IPSEC(send_delete_notify_kmi): not sending KEY_ENGINE_DELETE_SAS
*Jun 2 2014 11:47:42.301 UTC: IPSEC:(SESSION ID = 50) (sibling_delete_notify_ident_action) Info: Reverse Route ID Mismatch between Sibling and Ident
*Jun 2 2014 11:47:42.301 UTC: IPSEC(rte_mgr): ID: 6 Event: Ident delete sa : Remove RRI route
*Jun 2 2014 11:47:42.301 UTC: IPSEC(rte_mgr): Delete Route found ID 6
*Jun 2 2014 11:47:42.301 UTC: IPSEC(rte_mgr) Route delete: peer 0.0.0.0 , destination 192.168.8.21, rt_type 0
*Jun 2 2014 11:47:42.301 UTC: IPSEC(rte_mgr): VPN Route Refcount 0 Virtual-Access2
*Jun 2 2014 11:47:42.301 UTC: [Ident 8000000D]: state = Delete Select Outbound SA
*Jun 2 2014 11:47:42.301 UTC: [Ident 8000000D]: state = Ident has no SAs
*Jun 2 2014 11:47:42.301 UTC: [Ident 8000000D]: state = Delete SA
*Jun 2 2014 11:47:42.301 UTC: [Sibling 82D15F90]: state = Delete SPI
*Jun 2 2014 11:47:42.301 UTC: [Sibling 82D15F90]: state = Save Stats
*Jun 2 2014 11:47:42.301 UTC: [Sibling 82D15F90]: state = Delete SA
*Jun 2 2014 11:47:42.301 UTC: [Sibling 82D15F90]: state = Notify Session
*Jun 2 2014 11:47:42.301 UTC: [Session]: state = Decr refcount, remove sibling from list
*Jun 2 2014 11:47:42.301 UTC: [Session]: state = Check refcount
*Jun 2 2014 11:47:42.301 UTC: [Session]: state = Session Delete
*Jun 2 2014 11:47:42.301 UTC: [Session]: state = Session Teardown
*Jun 2 2014 11:47:42.301 UTC: [Session]: state = Session End
*Jun 2 2014 11:47:42.301 UTC: [Session]: deleting state machine
*Jun 2 2014 11:47:42.301 UTC: [Sibling 82D15F90]: state = Sibling End
*Jun 2 2014 11:47:42.301 UTC: [Sibling 82D15F90]: deleting state machine
*Jun 2 2014 11:47:42.301 UTC: [Delete SA]: state = Delete SA complete
*Jun 2 2014 11:47:42.301 UTC: [Delete SA]: deleting state machine
*Jun 2 2014 11:47:42.301 UTC: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Jun 2 2014 11:47:42.301 UTC: IDB is NULL : in crypto_ipsec_key_engine_delete_sas (), 5056
*Jun 2 2014 11:47:42.301 UTC: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
*Jun 2 2014 11:47:42.301 UTC: [Delete SA]: state = Delete SA Initialization
*Jun 2 2014 11:47:42.301 UTC: IPSEC: still in use sa: 0x0
*Jun 2 2014 11:47:42.301 UTC: IPSEC: sa null
*Jun 2 2014 11:47:42.301 UTC: [Delete SA]: state = Delete SA complete
*Jun 2 2014 11:47:42.301 UTC: [Delete SA]: deleting state machine
*Jun 2 2014 11:47:42.301 UTC: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Jun 2 2014 11:47:42.301 UTC: [Conn-SM-(8000006B)]: state = CRYPTO SS CONN Delete Map
*Jun 2 2014 11:47:42.301 UTC: [Ident 8000000D]: state = Unset flow_installed
*Jun 2 2014 11:47:42.301 UTC: [Ident 8000000D]: state = Delete Sibling
*Jun 2 2014 11:47:42.301 UTC: [Ident 8000000D] -> ???
: attempted to send message (destination deleted) *Jun 2 2014 11:47:42.301 UTC: [Ident 8000000D]: state = Delete Outbound SA *Jun 2 2014 11:47:42.309 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to down *Jun 2 2014 11:47:42.309 UTC: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to down *Jun 2 2014 11:47:42.309 UTC: [Ident 8000000D]: state = Delete notify KMI from ident *Jun 2 2014 11:47:42.309 UTC: IPSEC(ident_delete_notify_kmi): Failed to send KEY_ENG_DELETE_SAS *Jun 2 2014 11:47:42.309 UTC: [Ident 8000000D]: state = Update Stats *Jun 2 2014 11:47:42.309 UTC: IPSEC(ident_update_final_flow_stats): Collect Final Stats and update MIB IPSEC get IKMP peer index from peer 0x2832D68 ikmp handle 0x0 [ident_update_final_flow_stats] : Flow delete complete event received for flow id 0x1400000B,peer index 0 *Jun 2 2014 11:47:42.309 UTC: [Ident 8000000D]: state = Destroy: Mark Flow *Jun 2 2014 11:47:42.309 UTC: [Ident 8000000D]: state = Destroy: Save KMI *Jun 2 2014 11:47:42.309 UTC: [Ident 8000000D]: state = Destroy: Delete SAs *Jun 2 2014 11:47:42.309 UTC: [Ident 8000000D]: state = Destroy: Remove Flow *Jun 2 2014 11:47:42.309 UTC: [Ident 8000000D]: state = Destroy: Free Outbound SAs *Jun 2 2014 11:47:42.309 UTC: [Ident 8000000D]: state = Destroy: Notify KMI DECR/DELETE *Jun 2 2014 11:47:42.309 UTC: [Ident 8000000D]: state = Ident Destroy Update Stats *Jun 2 2014 11:47:42.309 UTC: [Ident 8000000D]: state = Destroy: Delete Session *Jun 2 2014 11:47:42.309 UTC: [Ident 8000000D]: state = Destroy: Delete TBAR *Jun 2 2014 11:47:42.309 UTC: [Ident 8000000D]: state = Destroy: End *Jun 2 2014 11:47:42.309 UTC: [Ident 8000000D]: deleting state machine *Jun 2 2014 11:47:42.309 UTC: [Conn-SM-(8000006B)]: state = CM State Change *Jun 2 2014 11:47:42.309 UTC: IPSEC(STATES): SADB_ROOT_SM (sadb_root_action_cm_state) static_seqno 65537 *Jun 2 2014 11:47:42.309 UTC: [ACL automatic] -> ??? 
: attempted to send message (destination deleted) *Jun 2 2014 11:47:42.309 UTC: [ACL automatic]: state = remove crypto ACL tcam *Jun 2 2014 11:47:42.309 UTC: [ACL automatic]: state = remove crypto ACL *Jun 2 2014 11:47:42.309 UTC: [ACL automatic]: state = delete ACL SM *Jun 2 2014 11:47:42.309 UTC: [ACL automatic]: deleting state machine *Jun 2 2014 11:47:42.309 UTC: [SADB Virtual-Access2-head-0:172]: state = Update SADB about multicast *Jun 2 2014 11:47:42.309 UTC: [SADB Virtual-Access2-head-0:172]: state = Check on failclose *Jun 2 2014 11:47:42.309 UTC: [Conn-SM-(8000006B)]: state = Send P1 Delete *Jun 2 2014 11:47:42.309 UTC: [Conn-SM-(8000006B)]: state = Delete Conn Info *Jun 2 2014 11:47:42.309 UTC: [Conn-SM-(8000006B)]: deleting state machine *Jun 2 2014 11:47:42.309 UTC: IPSEC(STATES): INTF_SM (interface_action_msg_check_policy) Crypto config being deleted *Jun 2 2014 11:47:42.309 UTC: [Intf Virtual-Access2]: state = Check for SADB *Jun 2 2014 11:47:42.309 UTC: [Intf Virtual-Access2]: state = Check for SADB (step 2) *Jun 2 2014 11:47:42.309 UTC: IPSEC(STATES): INTF_SM (interface_action_sadb_check) called *Jun 2 2014 11:47:42.309 UTC: [Intf Virtual-Access2]: state = Delete policy *Jun 2 2014 11:47:42.309 UTC: IPSEC(STATES): INTF_SM (interface_action_delete_policy) called *Jun 2 2014 11:47:42.309 UTC: [Intf Virtual-Access2]: state = Delete SADB *Jun 2 2014 11:47:42.309 UTC: IPSEC(STATES): INTF_SM (interface_action_delete_sadb) called for interface Virtual-Access2 *Jun 2 2014 11:47:42.309 UTC: IPSEC(STATES): SADB_ROOT_SM (sadb_root_action_not_inuse) SADB 0x2998480 inuse_count 0 *Jun 2 2014 11:47:42.309 UTC: IPSEC(STATES): SADB_ROOT_SM (sadb_root_action_not_inuse) SADB 0x2998480 inuse_count 0 *Jun 2 2014 11:47:42.309 UTC: [SADB Virtual-Access2-head-0:172]: state = Destroy SADB ACLs *Jun 2 2014 11:47:42.309 UTC: IPSEC(STATES): SADB_ROOT_SM (sadb_root_action_destroy) called *Jun 2 2014 11:47:42.309 UTC: [SADB Virtual-Access2-head-0:172]: state = Destroy SADB *Jun 
2 2014 11:47:42.309 UTC: [SADB Virtual-Access2-head-0:172]: state = End SADB state machine *Jun 2 2014 11:47:42.309 UTC: IPSEC(STATES): SADB_ROOT_SM (sadb_root_action_end) called *Jun 2 2014 11:47:42.309 UTC: [SADB ???]: deleting state machine *Jun 2 2014 11:47:42.309 UTC: [Intf Virtual-Access2]: state = END state Machine *Jun 2 2014 11:47:42.309 UTC: IPSEC(STATES): INTF_SM (interface_action_end) killing state machine 0x1572BC0C *Jun 2 2014 11:47:42.309 UTC: [Intf Virtual-Access2]: deleting state machine *Jun 2 2014 11:47:42.313 UTC: [Listen-SM-(80000037)]: state = Delete Listener map *Jun 2 2014 11:47:42.313 UTC: [Listen-SM-(80000037)]: state = Check listen SM Count *Jun 2 2014 11:47:42.313 UTC: [Listen-SM-(80000037)]: state = Listen SM end *Jun 2 2014 11:47:42.313 UTC: [Listen-SM-(80000037)]: deleting state machine VPNGW# *Jun 2 2014 11:47:42.313 UTC: Interface (Vi2) is getting freed. crypto_int_process_message (), 602 *Jun 2 2014 11:47:42.313 UTC: CRYPTO_PKI: Initializing renewal timers *Jun 2 2014 11:47:42.313 UTC: [Crypto-SS-SM(80000036)]: state = Crypto SS SM End *Jun 2 2014 11:47:42.313 UTC: [Crypto-SS-SM(80000036)]: deleting state machine VPNGW#