I'LL CHANGE ACL TO PERMIT IP 192.168.6.0 0.0.0.255 3.0.0.0 0.255.255.255

PTIME#debug crypto ipsec
Crypto IPSEC debugging is on
PTIME#debug crypto isakmp
Crypto ISAKMP debugging is on
PTIME#term mon
PTIME#conf t
Enter configuration commands, one per line. End with CNTL/Z.
PTIME(config)#no access-list 114
IP packet debugging is off
Turning off all possible debugging on ACL 114
PTIME(config)#
*May 13 20:30:44.878: IPSEC(delete_sa): deleting SA,
  (sa) sa_dest= 212.115.54.9, sa_proto= 50,
    sa_spi= 0x5473B21E(1416868382),
    sa_trans= esp-aes 256 esp-sha-hmac , sa_conn_id= 2129,
  (identity) local= 212.115.54.9, remote= 195.58.69.242,
    local_proxy= 192.168.6.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 3.0.0.0/255.0.0.0/0/0 (type=4)
*May 13 20:30:44.882: IPSEC(update_current_outbound_sa): updated peer 195.58.69.242 current outbound sa to SPI 0
*May 13 20:30:44.882: IPSEC(delete_sa): deleting SA,
  (sa) sa_dest= 195.58.69.242, sa_proto= 50,
    sa_spi= 0xE07C0572(3766224242),
    sa_trans= esp-aes 256 esp-sha-hmac , sa_conn_id= 2130,
  (identity) local= 212.115.54.9, remote= 195.58.69.242,
    local_proxy= 192.168.6.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 3.0.0.0/255.0.0.0/0/0 (type=4)
*May 13 20:30:44.886: ISAKMP: set new node -14678125 to QM_IDLE
*May 13 20:30:44.886: ISAKMP:(1034): sending packet to 195.58.69.242 my_port 500 peer_port 500 (I) QM_IDLE
*May 13 20:30:44.886: ISAKMP:(1034):Sending an IKE IPv4 Packet.
*May 13 20:30:44.886: ISAKMP:(1034):purging node -14678125
*May 13 20:30:44.886: ISAKMP:(1034):Input = IKE_MESG_FROM_IPSEC, IKE_PHASE2_DEL
*May 13 20:30:44.886: ISAKMP:(1034):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
PTIME(config)#$ 114 permit ip 192.168.6.0 0.0.0.255 3.0.0.0 0.255.255.255
PTIME(config)#exit
PTIME#
*May 13 20:31:09.130: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (24.215.100.18)ping 3.0.3.242 source 192.168.6.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.0.3.242, timeout is 2 seconds:
Packet sent with a source address of 192.168.6.254
*May 13 20:31:20.702: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 212.115.54.9, remote= 195.58.69.242,
    local_proxy= 192.168.6.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 3.0.0.0/255.0.0.0/0/0 (type=4),
    protocol= ESP, transform= NONE (Tunnel),
    lifedur= 1800s and 50000kb,
    spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
*May 13 20:31:20.702: ISAKMP: set new node 0 to QM_IDLE
*May 13 20:31:20.702: SA has outstanding requests (local 72.84.226.236 port 500, remote 72.84.226.208 port 500)
*May 13 20:31:20.702: ISAKMP:(1034): sitting IDLE. Starting QM immediately (QM_IDLE )
*May 13 20:31:20.702: ISAKMP:(1034):beginning Quick Mode exchange, M-ID of 2079207243
*May 13 20:31:20.702: ISAKMP:(1034):QM Initiator gets spi
*May 13 20:31:20.706: ISAKMP:(1034): sending packet to 195.58.69.242 my_port 500 peer_port 500 (I) QM_IDLE
*May 13 20:31:20.706: ISAKMP:(1034):Sending an IKE IPv4 Packet.
*May 13 20:31:20.706: ISAKMP:(1034):Node 2079207243, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*May 13 20:31:20.706: ISAKMP:(1034):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
*May 13 20:31:20.782: ISAKMP (0:1034): received packet from 195.58.69.242 dport 500 sport 500 Global (I) QM_IDLE
*May 13 20:31:20.782: ISAKMP:(1034): processing HASH payload. message ID = 2079207243
*May 13 20:31:20.782: ISAKMP:(1034): processing SA payload. message ID = 2079207243
*May 13 20:31:20.782: ISAKMP:(1034):Checking IPSec proposal 1
*May 13 20:31:20.782: ISAKMP: transform 1, ESP_AES
*May 13 20:31:20.782: ISAKMP: attributes in transform:
*.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 72/78/84 ms
PTIME#May 13 20:31:20.782: ISAKMP: SA life type in seconds
*May 13 20:31:20.782: ISAKMP: SA life duration (VPI) of 0x0 0x0 0x7 0x8
*May 13 20:31:20.786: ISAKMP: SA life type in kilobytes
*May 13 20:31:20.786: ISAKMP: SA life duration (VPI) of 0x0 0x0 0xC3 0x50
*May 13 20:31:20.786: ISAKMP: encaps is 1 (Tunnel)
*May 13 20:31:20.786: ISAKMP: authenticator is HMAC-SHA
*May 13 20:31:20.786: ISAKMP: group is 2
*May 13 20:31:20.786: ISAKMP: key length is 256
*May 13 20:31:20.786: ISAKMP:(1034):atts are acceptable.
*May 13 20:31:20.786: IPSEC(validate_proposal_request): proposal part #1
*May 13 20:31:20.786: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 212.115.54.9, remote= 195.58.69.242,
    local_proxy= 192.168.6.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 3.0.0.0/255.0.0.0/0/0 (type=4),
    protocol= ESP, transform= esp-aes 256 esp-sha-hmac (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
*May 13 20:31:20.786: Crypto mapdb : proxy_match
        src addr : 192.168.6.0
        dst addr : 3.0.0.0
        protocol : 0
        src port : 0
        dst port : 0
*May 13 20:31:20.786: ISAKMP:(1034): processing NONCE payload. message ID = 2079207243
*May 13 20:31:20.786: ISAKMP:(1034): processing KE payload. message ID = 2079207243
*May 13 20:31:20.834: ISAKMP:(1034): processing ID payload. message ID = 2079207243
*May 13 20:31:20.834: ISAKMP:(1034): processing ID payload. message ID = 2079207243
*May 13 20:31:20.834: ISAKMP:(1034): processing NOTIFY RESPONDER_LIFETIME protocol 3
        spi 3766224243, message ID = 2079207243, sa = 4854E188
*May 13 20:31:20.834: ISAKMP:(1034):SA authentication status: authenticated
*May 13 20:31:20.834: ISAKMP:(1034): processing responder lifetime
*May 13 20:31:20.834: ISAKMP (1034): responder lifetime of 0kb
*May 13 20:31:20.838: ISAKMP:(1034): Creating IPSec SAs
*May 13 20:31:20.838:         inbound SA from 195.58.69.242 to 212.115.54.9 (f/i) 0/ 0
        (proxy 3.0.0.0 to 192.168.6.0)
*May 13 20:31:20.838:         has spi 0xF396437 and conn_id 0
*May 13 20:31:20.838:         lifetime of 1800 seconds
*May 13 20:31:20.838:         outbound SA from 212.115.54.9 to 195.58.69.242 (f/i) 0/0
        (proxy 192.168.6.0 to 3.0.0.0)
*May 13 20:31:20.838:         has spi 0xE07C0573 and conn_id 0
*May 13 20:31:20.838:         lifetime of 1800 seconds
*May 13 20:31:20.838: ISAKMP:(1034): sending packet to 195.58.69.242 my_port 500 peer_port 500 (I) QM_IDLE
*May 13 20:31:20.838: ISAKMP:(1034):Sending an IKE IPv4 Packet.
*May 13 20:31:20.838: ISAKMP:(1034):deleting node 2079207243 error FALSE reason "No Error"
*May 13 20:31:20.838: ISAKMP:(1034):Node 2079207243, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*May 13 20:31:20.838: ISAKMP:(1034):Old State = IKE_QM_I_QM1 New State = IKE_QM_PHASE2_COMPLETE
*May 13 20:31:20.842: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*May 13 20:31:20.842: Crypto mapdb : proxy_match
        src addr : 192.168.6.0
        dst addr : 3.0.0.0
        protocol : 0
        src port : 0
        dst port : 0
*May 13 20:31:20.842: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and peer 195.58.69.242
*May 13 20:31:20.842: IPSEC(policy_db_add_ident): src 192.168.6.0, dest 3.0.0.0, dest_port 0
*May 13 20:31:20.842: IPSEC(create_sa): sa created,
  (sa) sa_dest= 212.115.54.9, sa_proto= 50,
    sa_spi= 0xF396437(255419447),
    sa_trans= esp-aes 256 esp-sha-hmac , sa_conn_id= 2131
*May 13 20:31:20.842: IPSEC(create_sa): sa created,
  (sa) sa_dest= 195.58.69.242, sa_proto= 50,
    sa_spi= 0xE07C0573(3766224243),
    sa_trans= esp-aes 256 esp-sha-hmac , sa_conn_id= 2132
*May 13 20:31:20.842: IPSEC(update_current_outbound_sa): updated peer 195.58.69.242 current outbound sa to SPI E07C0573

NOW I'LL CHANGE ACL TO PERMIT IP ANY 3.0.0.0 0.255.255.255

PTIME#
*May 13 20:32:10.838: ISAKMP:(1034):purging node 2079207243
PTIME#conf t
Enter configuration commands, one per line. End with CNTL/Z.
PTIME(config)#no access-list 114
PTIME(config)#
*May 13 20:33:09.894: IPSEC(delete_sa): deleting SA,
  (sa) sa_dest= 212.115.54.9, sa_proto= 50,
    sa_spi= 0xF396437(255419447),
    sa_trans= esp-aes 256 esp-sha-hmac , sa_conn_id= 2131,
  (identity) local= 212.115.54.9, remote= 195.58.69.242,
    local_proxy= 192.168.6.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 3.0.0.0/255.0.0.0/0/0 (type=4)
*May 13 20:33:09.894: IPSEC(update_current_outbound_sa): updated peer 195.58.69.242 current outbound sa to SPI 0
*May 13 20:33:09.894: IPSEC(delete_sa): deleting SA,
acc(sa) sa_dest= 195.58.69.242, sa_proto= 50,
    sa_spi= 0xE07C0573(3766224243),
    sa_trans= esp-aes 256 esp-sha-hmac , sa_conn_id= 2132,
  (identity) local= 212.115.54.9, remote= 195.58.69.242,
    local_proxy= 192.168.6.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 3.0.0.0/255.0.0.0/0/0 (type=4)
*May 13 20:33:09.898: ISAKMP: set new node 1197840035 to QM_IDLE
*May 13 20:33:09.898: ISAKMP:(1034): sending packet to 195.58.69.242 my_port 500 peer_port 500 (I) QM_IDLE
*May 13 20:33:09.898: ISAKMP:(1034):Sending an IKE IPv4 Packet.
*May 13 20:33:09.902: ISAKMP:(1034):purging node 1197840035
*May 13 20:33:09.902: ISAKMP:(1034):Input = IKE_MESG_FROM_IPSEC, IKE_PHASE2_DEL
*May 13 20:33:09.902: ISAKMP:(1034):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
ess-list 114 permit ip any 3.0.0.0 0.255.255.255
PTIME(config)#exit
PTIME#ping 3.0.3.242 source 192.168.6.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.0.3.242, timeout is 2 seconds:
Packet sent with a source address of 192.168.6.254
*May 13 20:33:35.654: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 212.115.54.9, remote= 195.58.69.242,
    local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    remote_proxy= 3.0.0.0/255.0.0.0/0/0 (type=4),
    protocol= ESP, transform= NONE (Tunnel),
    lifedur= 1800s and 50000kb,
    spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
*May 13 20:33:35.654: ISAKMP: set new node 0 to QM_IDLE
*May 13 20:33:35.654: SA has outstanding requests (local 72.84.226.236 port 500, remote 72.84.226.208 port 500)
*May 13 20:33:35.658: ISAKMP:(1034): sitting IDLE. Starting QM immediately (QM_IDLE )
*May 13 20:33:35.658: ISAKMP:(1034):beginning Quick Mode exchange, M-ID of -611873961
*May 13 20:33:35.658: ISAKMP:(1034):QM Initiator gets spi
*May 13 20:33:35.658: ISAKMP:(1034): sending packet to 195.58.69.242 my_port 500 peer_port 500 (I) QM_IDLE
*May 13 20:33:35.658: ISAKMP:(1034):Sending an IKE IPv4 Packet.
*May 13 20:33:35.658: ISAKMP:(1034):Node -611873961, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*May 13 20:33:35.658: ISAKMP:(1034):Old State = IKE_QM_READY New State = IKE_QM_I_QM1.....
Success rate is 0 percent (0/5)
PTIME#
*May 13 20:33:45.658: ISAKMP:(1034): retransmitting phase 2 QM_IDLE -611873961 ...
*May 13 20:33:45.658: ISAKMP (0:1034): incrementing error counter on node, attempt 1 of 5: retransmit phase 2
*May 13 20:33:45.658: ISAKMP (0:1034): incrementing error counter on sa, attempt 1 of 5: retransmit phase 2
*May 13 20:33:45.658: ISAKMP:(1034): retransmitting phase 2 -611873961 QM_IDLE
*May 13 20:33:45.658: ISAKMP:(1034): sending packet to 195.58.69.242 my_port 500 peer_port 500 (I) QM_IDLE
*May 13 20:33:45.658: ISAKMP:(1034):Sending an IKE IPv4 Packet.
*May 13 20:33:55.658: ISAKMP:(1034): retransmitting phase 2 QM_IDLE -611873961 ...
*May 13 20:33:55.658: ISAKMP (0:1034): incrementing error counter on node, attempt 2 of 5: retransmit phase 2
*May 13 20:33:55.658: ISAKMP (0:1034): incrementing error counter on sa, attempt 2 of 5: retransmit phase 2
*May 13 20:33:55.658: ISAKMP:(1034): retransmitting phase 2 -611873961 QM_IDLE
*May 13 20:33:55.658: ISAKMP:(1034): sending packet to 195.58.69.242 my_port 500 peer_port 500 (I) QM_IDLE
*May 13 20:33:55.658: ISAKMP:(1034):Sending an IKE IPv4 Packet.
PTIME#
PTIME#