03-26-2009 01:28 AM - edited 03-09-2019 10:09 PM
Hi Guys,
I have a question that I just can't seem to find an answer for in any of my usual libraries.
Can someone tell me what the following debug message is trying to tell me?
processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 1
Now, to me, it says this router has received a Notify message from the peer advising that a Proposal has not been chosen. But my question is who hasn't chosen it? And what do they mean by proposal not chosen? Did this device not send any proposal or did the receiving device ignore the proposals sent?
I'd love some help on this one. The RFC is doing my head in.
TIA
Cheers
Scott
03-26-2009 02:19 AM
Both peers cannot choose a proposal.
The proposal must match in both peers.
03-26-2009 03:44 AM
Thanks for the prompt reply Aleksey.
Can you refer me to documentation supporting this?
The reason I ask is that when 2 (cisco) devices share proposals you can see the assessment of the proposal. It goes something like this:
ISAKMP (0:134217729): received packet from 10.0.0.2 dport 500 sport 500 Global (I) QM_IDLE
ISAKMP:(0:1:SW:1): processing HASH payload. message ID = -1587827672
ISAKMP:(0:1:SW:1): processing SA payload. message ID = -1587827672
ISAKMP:(0:1:SW:1):Checking IPSec proposal 1
ISAKMP: transform 1, ESP_DES
ISAKMP: attributes in transform:
ISAKMP: encaps is 1 (Tunnel)
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (basic) of 120
ISAKMP: SA life type in kilobytes
ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
ISAKMP: authenticator is HMAC-MD5
ISAKMP:(0:1:SW:1):atts are acceptable.
In the scenario I'm experiencing, I get as far as processing the hash payload, it never looks at the SA payload. See the following debug extract:
ISAKMP (0:116): received packet from 10.1.1.1 dport 500 sport 500 Global (I) QM_IDLE
ISAKMP: set new node 1138554522 to QM_IDLE
ISAKMP (0:116): processing HASH payload. message ID = 1138554522
ISAKMP (0:116): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 1
So, as I read it, a hash is sent for keying for the quick mode uni-directional SAs, however no security parameters are received. To me it sounds like information isn't being sent.... almost like there is no 'match transform-set' statement on the crypto map.
Would anyone care to comment on my assessment or the issue in general?
Rgds
Scott
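To make the "who hasn't chosen it" question concrete, here is an added example (not code from the thread, Cisco, or any IOS source) that models the responder side of the Quick Mode exchange the posts above describe: the responder walks the initiator's offered transforms against its own configured transform sets, and only when nothing matches does it build the Notify payload whose RFC 2408 layout carries the PROPOSAL_NOT_CHOSEN (14) message type and a Protocol-ID field. Reading the "protocol 1" of the debug line as that Protocol-ID field (1 = PROTO_ISAKMP in RFC 2407) is my interpretation; the transform-set contents and helper names below are constructed for the example.

```python
"""
Added example: responder-side proposal selection for ISAKMP Quick Mode plus an
RFC 2408 Notify payload encoder/decoder. Not taken from the thread or from IOS.
Transform sets are constructed sample data.
"""
import struct
from dataclasses import dataclass

# RFC 2408 section 3.14.1 / RFC 2407 section 4.4.1 constants
PROPOSAL_NOT_CHOSEN = 14
PROTO_ISAKMP = 1
PROTO_IPSEC_AH = 2
PROTO_IPSEC_ESP = 3
IPSEC_DOI = 1


@dataclass(frozen=True)
class Transform:
    """One ESP transform as the debug output lists it: cipher, authenticator, encaps mode."""
    cipher: str
    auth: str
    encaps: str = "tunnel"


def responder_select(offered, configured):
    """Responder-side matching. `offered` is the initiator's list of proposals (each a
    list of Transforms, in the order sent); `configured` is the responder's own
    transform sets. Returns (proposal_index, transform) for the first match, else None."""
    for idx, proposal in enumerate(offered, start=1):
        for t in proposal:
            if t in configured:
                return idx, t
    return None


def build_notify(protocol_id, notify_type, spi=b"", data=b""):
    """Encode a Notify payload (RFC 2408 section 3.14): generic header
    (Next Payload, RESERVED, Payload Length) then
    DOI(4) | Protocol-ID(1) | SPI Size(1) | Notify Message Type(2) | SPI | data."""
    body = struct.pack("!IBBH", IPSEC_DOI, protocol_id, len(spi), notify_type) + spi + data
    header = struct.pack("!BBH", 0, 0, 4 + len(body))  # next payload NONE, reserved, length
    return header + body


def parse_notify(payload):
    """Decode a Notify payload built as above and return its fields as a dict."""
    _next_payload, _reserved, length = struct.unpack("!BBH", payload[:4])
    if length != len(payload):
        raise ValueError("payload length field does not match data")
    doi, protocol_id, spi_size, ntype = struct.unpack("!IBBH", payload[4:12])
    spi = payload[12:12 + spi_size]
    data = payload[12 + spi_size:]
    return {"doi": doi, "protocol_id": protocol_id, "type": ntype, "spi": spi, "data": data}


def quick_mode_responder(offered, configured):
    """Simulate the responder's reply to a Quick Mode SA payload.
    Returns ('SA', chosen_transform) on a match; otherwise ('NOTIFY', parsed_notify),
    which is what the initiator then logs as 'processing NOTIFY PROPOSAL_NOT_CHOSEN'."""
    choice = responder_select(offered, configured)
    if choice is not None:
        return ("SA", choice[1])
    notify = build_notify(PROTO_ISAKMP, PROPOSAL_NOT_CHOSEN)
    return ("NOTIFY", parse_notify(notify))


# Constructed sample: the initiator offers the ESP_DES / HMAC-MD5 tunnel transform
# seen in the debug; one responder has only AES/SHA configured, the other also has DES/MD5.
INITIATOR_OFFER = [[Transform("ESP_DES", "HMAC-MD5")]]
RESPONDER_MISMATCH = [Transform("ESP_AES", "HMAC-SHA")]
RESPONDER_MATCH = [Transform("ESP_AES", "HMAC-SHA"), Transform("ESP_DES", "HMAC-MD5")]

if __name__ == "__main__":
    print(quick_mode_responder(INITIATOR_OFFER, RESPONDER_MISMATCH))
    print(quick_mode_responder(INITIATOR_OFFER, RESPONDER_MATCH))
```

The point the model makes is that the Notify is generated by the peer that evaluated the proposals (the responder) and received by the peer that sent them; the initiator never gets an SA payload back in the failure case, which is why its debug jumps from the HASH payload straight to the NOTIFY. On a real device the place to compare is the responder's configured transform sets against what the initiator's debug shows it offering.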