Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Attention: The Community will be in read-only mode on 12/14/2017 from 12:00 am pacific to 11:30 am.

During this time you will only be able to see content. Other interactions such as posting, replying to questions, or marking content as helpful will be disabled for few hours.

We apologize for the inconvenience while we perform important updates to the Community.

New Member

isakmp policy initiator does not negotiate PIX515e 7.2(1)

PIX515 has the following isakmp policy.

crypto isakmp identity address

crypto isakmp enable outside

crypto isakmp policy 20

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

crypto isakmp policy 30

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 40

authentication pre-share

encryption des

hash md5

group 2

lifetime 86400

crypto isakmp policy 50

authentication pre-share

encryption des

hash sha

group 2

lifetime 86400

crypto isakmp policy 60

authentication pre-share

encryption des

hash sha

group 1

lifetime 86400

Outside IPSec VPN peers will not connect if the isakmp policy is set to 3DES-SHA. D-LINK, Linksys, SonicWall WatchGuard, etc must have the phase 1 set to 3DES-MD5 which is my highest priority shown above.

Any clue why negotiation isn't happening?

4 REPLIES
Bronze

Re: isakmp policy initiator does not negotiate PIX515e 7.2(1)

hello,

you can turn on debug and check what's happening.

debug crypto ipsec

debug crypto isakmp

HTH, PRI

New Member

Re: isakmp policy initiator does not negotiate PIX515e 7.2(1)

Here's a cut of the error messages.

Feb 07 11:22:31 172.16.xx.xx local4.notice %PIX-5-713904: IP = 68.85.xxx.xxx, Received encrypted packet with no matching SA, dropping

Feb 07 11:22:35 172.16.xx.xx local4.notice %PIX-5-713904: IP = 68.85.xxx.xxx, Received encrypted packet with no matching SA, dropping

Feb 07 11:22:41 172.16.xx.xx local4.notice %PIX-5-713904: IP = 68.85.xxx.xxx, Received encrypted packet with no matching SA, dropping

Feb 07 11:22:50 172.16.xx.xx local4.notice %PIX-5-713904: IP = 68.85.xxx.xxx, Received encrypted packet with no matching SA, dropping

Feb 07 11:22:50 172.16.xx.xx local4.notice %PIX-5-713904: IP = 68.85.xxx.xxx, Received encrypted packet with no matching SA, dropping

Feb 07 11:22:50 172.16.xx.xx local4.notice %PIX-5-713904: IP = 68.85.xxx.xxx, Received encrypted packet with no matching SA, dropping

Feb 07 11:22:51 172.16.xx.xx local4.err %PIX-3-713902: Group = 68.85.xxx.xxx, IP = 68.85.xxx.xxx, QM FSM error (P2 struct &0x29f80b0, mess id 0xc0abab34)!

Feb 07 11:22:51 172.16.xx.xx local4.debug %PIX-7-715065: Group = 68.85.xxx.xxx, IP = 68.85.xxx.xxx, IKE QM Initiator FSM error history (struct &0x29f80b0) , : QM_DONE, EV_ERROR-->QM_WAIT_MSG2, EV_TIMEOUT-->QM_WAIT_MSG2, NullEvent-->QM_SND_MSG1, EV_SND_MSG-->QM_SND_MSG1, EV_START_TMR-->QM_SND_MSG1, EV_RESEND_MSG-->QM_WAIT_MSG2, EV_TIMEOUT-->QM_WAIT_MSG2, NullEvent

Feb 07 11:22:51 172.16.xx.xx local4.debug %PIX-7-713906: Group = 68.85.xxx.xxx, IP = 68.85.xxx.xxx, sending delete/delete with reason message

Feb 07 11:22:52 172.16.xx.xx local4.notice %PIX-5-713904: IP = 68.85.xxx.xxx, Received encrypted packet with no matching SA, dropping

Feb 07 11:22:53 172.16.xx.xx local4.notice %PIX-5-713904: IP = 68.85.xxx.xxx, Received encrypted packet with no matching SA, dropping

Feb 07 11:22:59 172.16.xx.xx local4.notice %PIX-5-713904: IP = 68.85.xxx.xxx, Received encrypted packet with no matching SA, dropping

Feb 07 11:23:04 172.16.xx.xx local4.notice %PIX-5-713904: IP = 68.85.xxx.xxx, Received encrypted packet with no matching SA, dropping

Feb 07 11:23:11 172.16.xx.xx local4.notice %PIX-5-713904: IP = 68.85.xxx.xxx, Received encrypted packet with no matching SA, dropping

Feb 07 11:23:12 172.16.xx.xx local4.notice %PIX-5-713904: IP = 68.85.xxx.xxx, Received encrypted packet with no matching SA, dropping

Feb 07 11:23:20 172.16.xx.xx local4.notice %PIX-5-713904: IP = 68.85.xxx.xxx, Received encrypted packet with no matching SA, dropping

Feb 07 11:23:20 172.16.xx.xx local4.notice %PIX-5-713904: IP = 68.85.xxx.xxx, Received encrypted packet with no matching SA, dropping

Feb 07 11:23:23 172.16.xx.xx local4.err %PIX-3-713902: Group = 68.85.xxx.xxx, IP = 68.85.xxx.xxx, QM FSM error (P2 struct &0x31eb6a8, mess id 0xca21d6f7)!

Bronze

Re: isakmp policy initiator does not negotiate PIX515e 7.2(1)

hello,

have you got pfs = yes in your config.

anyways, this error which you are getting could be due to if one of the side have configured IKEv2 instead of IKEv1.

HTH, PRI

Re: isakmp policy initiator does not negotiate PIX515e 7.2(1)

HI .. this sort of errors are generally related to mismatches between the peers .. I suggest making sure that Phase 1 and 2 parameters are the same in the PIX and the other peer.

I hope it helps .. please rate it if it does!!!

513
Views
0
Helpful
4
Replies
CreatePlease to create content