New Member

IPSec debug output

Can anyone decipher the debug output I get from the router in a router to PIX IPSec tunnel setup?

I can't find examples of this output anywhere on Cisco's web site.

Debug output follows. The bit I need help with is the last four lines right at the end with a timestamp of 03:03:57. I've included the rest of the debug output for completeness:

03:03:55: ISAKMP: received ke message (1/1)

03:03:55: ISAKMP: local port 500, remote port 500

03:03:55: ISAKMP (0:1): beginning Main Mode exchange

03:03:55: ISAKMP (0:1): sending packet to w.x.y.z (I) MM_NO_STATE

03:03:55: ISAKMP (0:1): received packet from w.x.y.z (I) MM_NO_STATE

03:03:55: ISAKMP (0:1): processing SA payload. message ID = 0

03:03:55: ISAKMP (0:1): found peer pre-shared key matching w.x.y.z

03:03:55: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 10 policy

03:03:55: ISAKMP: encryption DES-CBC

03:03:55: ISAKMP: hash MD5

03:03:55: ISAKMP: default group 1

03:03:55: ISAKMP: auth pre-share

03:03:55: ISAKMP: life type in seconds

03:03:55: ISAKMP: life duration (basic) of 2000

03:03:55: ISAKMP (0:1): atts are acceptable. Next payload is 0

03:03:55: ISAKMP (0:1): SA is doing pre-shared key authentication using id type

ID_IPV4_ADDR

03:03:55: ISAKMP (0:1): sending packet to w.x.y.z (I) MM_SA_SETUP

03:03:56: ISAKMP (0:1): received packet from w.x.y.z (I) MM_SA_SETUP

03:03:56: ISAKMP (0:1): processing KE payload. message ID = 0

03:03:56: ISAKMP (0:1): processing NONCE payload. message ID = 0

03:03:56: ISAKMP (0:1): found peer pre-shared key matching w.x.y.z

03:03:56: ISAKMP (0:1): SKEYID state generated.

03:03:56: ISAKMP (0:1): processing vendor id payload

03:03:56: ISAKMP (0:1): processing vendor id payload

03:03:56: ISAKMP (0:1): processing vendor id payload

03:03:56: ISAKMP (0:1): speaking to another IOS box!

03:03:56: ISAKMP (1): ID payload

next-payload : 8

type : 1

protocol : 17

port : 500

length : 8

03:03:56: ISAKMP (1): Total payload length: 12

03:03:56: ISAKMP (0:1): sending packet to w.x.y.z (I) MM_KEY_EXCH

03:03:56: ISAKMP (0:1): received packet from w.x.y.z (I) MM_KEY_EXCH

03:03:56: ISAKMP (0:1): processing ID payload. message ID = 0

03:03:56: ISAKMP (0:1): processing HASH payload. message ID = 0

03:03:56: ISAKMP (0:1): SA has been authenticated with w.x.y.z

03:03:56: ISAKMP (0:1): beginning Quick Mode exchange, M-ID of -261342366

03:03:56: ISAKMP (0:1): sending packet to w.x.y.z (I) QM_IDLE

03:03:57: ISAKMP (0:1): received packet from w.x.y.z (I) QM_IDLE

03:03:57: ISAKMP (0:1): processing HASH payload. message ID = 1348448192

03:03:57: ISAKMP (0:1): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3

spi 327960102, message ID = 1348448192, sa = 6228D7C4

03:03:57: ISAKMP (0:1): deleting spi 327960102 message ID = -261342366

03:03:57: ISAKMP (0:1): deleting node -261342366 error TRUE reason "delete_larva

l"

03:03:57: ISAKMP (0:1): deleting node 1348448192 error FALSE reason "information

al (in) state 1"....

Success rate is 0 percent (0/5)

1 REPLY
New Member

Re: IPSec debug output

I hope someone else who can perhaps offer a better explanation than mine will also reply, but I think I can offer some insights.

The key line here is:

03:03:57: ISAKMP (0:1): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3

The PROPOSAL_NOT_CHOSEN tells me that either your policy or your transform-set does not match exactly. Also, verify that your access-lists are perfect mirrors of each other. Check the SA lifetimes?

Anyone else?
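
The reading given in the reply can be checked mechanically against the debug output. The following is an added example, not part of the original thread and not Cisco code: it scans `debug crypto isakmp` lines, records how far the negotiation got, and decodes the protocol number in the NOTIFY using the IPsec DOI values from RFC 2407 (3 = ESP). The function names `summarize` and `diagnose` are hypothetical, and the sample lines are a subset of the output posted above.

```python
import re

# Protocol-ID values from the IPsec DOI (RFC 2407, section 4.4.1).
DOI_PROTOCOLS = {1: "ISAKMP", 2: "AH", 3: "ESP", 4: "IPCOMP"}

# Subset of the debug output posted above (peer address already masked there).
SAMPLE = """\
03:03:55: ISAKMP (0:1): beginning Main Mode exchange
03:03:55: ISAKMP (0:1): atts are acceptable. Next payload is 0
03:03:56: ISAKMP (0:1): SA has been authenticated with w.x.y.z
03:03:56: ISAKMP (0:1): beginning Quick Mode exchange, M-ID of -261342366
03:03:57: ISAKMP (0:1): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
"""

NOTIFY_RE = re.compile(r"processing NOTIFY (\w+) protocol (\d+)")

def summarize(debug_text):
    """Return how far the IKEv1 negotiation got and any NOTIFY received."""
    result = {"phase1_policy_accepted": False, "phase1_authenticated": False,
              "phase2_started": False, "notifies": []}
    for line in debug_text.splitlines():
        if "atts are acceptable" in line and not result["phase2_started"]:
            result["phase1_policy_accepted"] = True
        elif "SA has been authenticated" in line:
            result["phase1_authenticated"] = True
        elif "beginning Quick Mode exchange" in line:
            result["phase2_started"] = True
        match = NOTIFY_RE.search(line)
        if match:
            name, proto = match.group(1), int(match.group(2))
            phase = 2 if result["phase2_started"] else 1
            result["notifies"].append(
                (name, DOI_PROTOCOLS.get(proto, f"unknown({proto})"), phase))
    return result

def diagnose(result):
    """Map the summary to the configuration area to compare on both peers."""
    for name, proto, phase in result["notifies"]:
        if name == "PROPOSAL_NOT_CHOSEN" and phase == 2:
            return (f"Phase 1 completed; peer rejected the Phase 2 {proto} "
                    "proposal: compare transform-sets and crypto access-lists")
        if name == "PROPOSAL_NOT_CHOSEN":
            return "Peer rejected the Phase 1 proposal: compare ISAKMP policies"
    return "No NOTIFY seen"

if __name__ == "__main__":
    print(diagnose(summarize(SAMPLE)))
```

On the posted output this reports that Phase 1 completed and the ESP proposal was rejected in Quick Mode, which narrows the comparison to the transform-set and crypto access-list on each peer rather than the ISAKMP policy.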
