New Member

VPN not coming up between Nortel contivity and Cisco ASA 5520

Hello,

One of my vendors has a Cisco ASA 5520 and we are trying to build a VPN tunnel between the ASA 5520 and a Nortel 4500 Contivity box.

It passes phase 1, and during phase 2 I get this error message:

----------

3|Dec 06 2006|11:51:39|713119|||Group = 1.1.1.1 IP = 1.1.1.1PHASE 1 COMPLETED

6|Dec 06 2006|11:51:39|113009|||AAA retrieved default group policy (DfltGrpPolicy) for user = 1.1.1.1

4|Dec 06 2006|11:51:39|113019|||Group = 1.1.1.1, Username = 1.1.1.1, IP = 1.1.1.1, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:00m:03s, Bytes xmt: 0, Bytes rcv: 0, Reason: Peer Reconnected

4|Dec 06 2006|11:51:39|713903|||Group = 1.1.1.1, IP = 1.1.1.1, Freeing previously allocated memory for authorization-dn-attributes

4|Dec 06 2006|11:51:36|713903|||Group = 1.1.1.1, IP = 1.1.1.1, Information Exchange processing failed

5|Dec 06 2006|11:51:36|713904|||Group = 1.1.1.1, IP = 1.1.1.1, Received an un-encrypted INVALID_ID_INFO notify message, dropping

----------------

Similarly, when we check on the remote Contivity box, we get a similar error:

----------

11/16/2006 12:43:39 0 Branch Office [01] IPSEC branch office connection initiated to rem[2.2.2.200-255.255.255.255]@[2.2.2.2] loc[10.50.61.0-255.255.255.0]

11/16/2006 12:43:39 0 Security [11] Session: IPSEC[2.2.2.2] attempting login

11/16/2006 12:43:39 0 Security [01] Session: IPSEC[2.2.2.2] has no active sessions

11/16/2006 12:43:39 0 Security [01] Session: IPSEC[2.2.2.2] Customer has no active accounts

11/16/2006 12:43:39 0 ISAKMP [13] Invalid ID information in message from 2.2.2.2

11/16/2006 12:43:39 0 tIsakmp [34] Failed Login Attempt: Username=2.2.2.2: Date/Time=11/16/2006 12:43:39

11/16/2006 12:43:39 0 ISAKMP [02] Deleting ISAKMP SA with 2.2.2.2

---------

Invalid ID info generally means that the networks do not match, or that we use different routing, where one end is static and the other end is dynamic. But in this case we checked that as well and we still get the same error.

Any clue how to troubleshoot further?

2 REPLIES
New Member

Re: VPN not coming up between Nortel contivity and Cisco ASA 552

Hello,

Any updates for me? I get the same issue again and again. I'm not an expert in the Cisco ASA 5520 and hence not sure what the problem is.

New Member

Re: VPN not coming up between Nortel contivity and Cisco ASA 552

I fixed this issue myself after changing the IKE parameters on the Cisco ASA box to "isakmp identity automatic" from "isakmp identity address" in the global settings.

Everything started working fine now.
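An added example, not part of the original thread and not Cisco tooling: a short Python script that scans ASA log lines in the pipe-delimited layout quoted in the first post and flags peers that complete phase 1 and then receive an INVALID_ID_INFO notify, the pattern this thread resolves. The function names are hypothetical, and the sample input is the log excerpt from the post.

```python
import re
from collections import defaultdict

# Sample input: the ASA lines quoted in the post (severity|date|time|msg-id|||text).
SAMPLE_LOG = """\
3|Dec 06 2006|11:51:39|713119|||Group = 1.1.1.1 IP = 1.1.1.1PHASE 1 COMPLETED
6|Dec 06 2006|11:51:39|113009|||AAA retrieved default group policy (DfltGrpPolicy) for user = 1.1.1.1
4|Dec 06 2006|11:51:39|113019|||Group = 1.1.1.1, Username = 1.1.1.1, IP = 1.1.1.1, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:00m:03s, Bytes xmt: 0, Bytes rcv: 0, Reason: Peer Reconnected
4|Dec 06 2006|11:51:36|713903|||Group = 1.1.1.1, IP = 1.1.1.1, Information Exchange processing failed
5|Dec 06 2006|11:51:36|713904|||Group = 1.1.1.1, IP = 1.1.1.1, Received an un-encrypted INVALID_ID_INFO notify message, dropping
"""

PEER_RE = re.compile(r"\bIP = (\d{1,3}(?:\.\d{1,3}){3})")

def parse_line(line):
    """Split one pipe-delimited line; return (msg_id, peer, text) or None."""
    parts = line.strip().split("|", 6)
    if len(parts) != 7 or not parts[3].isdigit():
        return None
    match = PEER_RE.search(parts[6])
    return parts[3], (match.group(1) if match else None), parts[6]

def diagnose(log_text):
    """Return {peer: set of observations} for lines that name a peer IP."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None or parsed[1] is None:
            continue
        msg_id, peer, text = parsed
        if msg_id == "713119" and "PHASE 1 COMPLETED" in text:
            seen[peer].add("phase1_completed")
        elif msg_id == "713904" and "INVALID_ID_INFO" in text:
            seen[peer].add("invalid_id_notify")
        elif msg_id == "113019" and "Bytes xmt: 0, Bytes rcv: 0" in text:
            seen[peer].add("closed_without_traffic")
    return dict(seen)

def identity_mismatch_peers(log_text):
    """Peers that finished phase 1 and then drew an INVALID_ID_INFO notify."""
    return sorted(p for p, obs in diagnose(log_text).items()
                  if {"phase1_completed", "invalid_id_notify"} <= obs)

if __name__ == "__main__":
    for peer in identity_mismatch_peers(SAMPLE_LOG):
        print(f"{peer}: phase 1 OK, then INVALID_ID_INFO; compare the "
              "isakmp identity setting and protected networks on both ends")
```
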
