Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1955
Views
0
Helpful
2
Replies

VPN not coming up between Nortel contivity and Cisco ASA 5520

trackme
Level 1
Level 1

‎12-08-2006 03:17 AM - edited ‎03-11-2019 02:05 AM

Hello,

One of my vendors has a cisco ASA5520 and we are trying to build a VPN tunnel between ASA 5520 and Nortel 4500 contivity box.

It passes phase 1 and during phase 2 i get this error message

----------

3|Dec 06 2006|11:51:39|713119|||Group = 1.1.1.1 IP = 1.1.1.1PHASE 1 COMPLETED

6|Dec 06 2006|11:51:39|113009|||AAA retrieved default group policy (DfltGrpPolicy) for user = 1.1.1.1

4|Dec 06 2006|11:51:39|113019|||Group = 1.1.1.1, Username = 1.1.1.1, IP = 1.1.1.1, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:00m:03s, Bytes xmt: 0, Bytes rcv: 0, Reason: Peer Reconnected

4|Dec 06 2006|11:51:39|713903|||Group = 1.1.1.1, IP = 1.1.1.1, Freeing previously allocated memory for authorization-dn-attributes

4|Dec 06 2006|11:51:36|713903|||Group = 1.1.1.1, IP = 1.1.1.1, Information Exchange processing failed

5|Dec 06 2006|11:51:36|713904|||Group = 1.1.1.1, IP = 1.1.1.1, Received an un-encrypted INVALID_ID_INFO notify message, dropping

----------------

Similarly when we check at the remote Contivity box, we get the similar error and it says as

----------

11/16/2006 12:43:39 0 Branch Office [01] IPSEC branch office connection initiated to rem[2.2.2.200-255.255.255.255]@[2.2.2.2] loc[10.50.61.0-255.255.255.0]

11/16/2006 12:43:39 0 Security [11] Session: IPSEC[2.2.2.2] attempting login

11/16/2006 12:43:39 0 Security [01] Session: IPSEC[2.2.2.2] has no active sessions

11/16/2006 12:43:39 0 Security [01] Session: IPSEC[2.2.2.2] Customer has no active accounts

11/16/2006 12:43:39 0 ISAKMP [13] Invalid ID information in message from 2.2.2.2

11/16/2006 12:43:39 0 tIsakmp [34] Failed Login Attempt: Username=2.2.2.2: Date/Time=11/16/2006 12:43:39

11/16/2006 12:43:39 0 ISAKMP [02] Deleting ISAKMP SA with 2.2.2.2

---------

Invalid ID info generally means when the networks are not matching else when we use different routing where one end is static or other end is dynamic. But in tihs case we check that as well and still we get the same error.

any clue how to troubleshoot further.

Labels:
0 Helpful
2 Replies 2

trackme
Level 1
Level 1

‎12-10-2006 09:42 PM

Hello,

any updates for me since i get the same issue again and again, i'm not an expert in cisco ASA 5520 and hence not sure what the problem is

0 Helpful

trackme
Level 1
Level 1
In response to trackme

‎12-11-2006 08:50 PM

I fixed this issue myself after changing the IKE parameters in Cisco ASA box

"isakmp identity automatic" from

"isakmp identity address" in the global settings.

every thing started working fine now

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card