04-02-2002 04:42 AM - edited 02-21-2020 11:40 AM
Can anyone decipher the debug output I get from the router in a router to PIX IPSec tunnel setup?
I can't find examples of this output anywhere on Cisco's web site.
Debug output follows; the bit I need help with is the last four lines right at the end, with timestamp 03:03:57. I've included the rest of the debug output for completeness:
03:03:55: ISAKMP: received ke message (1/1)
03:03:55: ISAKMP: local port 500, remote port 500
03:03:55: ISAKMP (0:1): beginning Main Mode exchange
03:03:55: ISAKMP (0:1): sending packet to w.x.y.z (I) MM_NO_STATE
03:03:55: ISAKMP (0:1): received packet from w.x.y.z (I) MM_NO_STATE
03:03:55: ISAKMP (0:1): processing SA payload. message ID = 0
03:03:55: ISAKMP (0:1): found peer pre-shared key matching w.x.y.z
03:03:55: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 10 policy
03:03:55: ISAKMP: encryption DES-CBC
03:03:55: ISAKMP: hash MD5
03:03:55: ISAKMP: default group 1
03:03:55: ISAKMP: auth pre-share
03:03:55: ISAKMP: life type in seconds
03:03:55: ISAKMP: life duration (basic) of 2000
03:03:55: ISAKMP (0:1): atts are acceptable. Next payload is 0
03:03:55: ISAKMP (0:1): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
03:03:55: ISAKMP (0:1): sending packet to w.x.y.z (I) MM_SA_SETUP
03:03:56: ISAKMP (0:1): received packet from w.x.y.z (I) MM_SA_SETUP
03:03:56: ISAKMP (0:1): processing KE payload. message ID = 0
03:03:56: ISAKMP (0:1): processing NONCE payload. message ID = 0
03:03:56: ISAKMP (0:1): found peer pre-shared key matching w.x.y.z
03:03:56: ISAKMP (0:1): SKEYID state generated.
03:03:56: ISAKMP (0:1): processing vendor id payload
03:03:56: ISAKMP (0:1): processing vendor id payload
03:03:56: ISAKMP (0:1): processing vendor id payload
03:03:56: ISAKMP (0:1): speaking to another IOS box!
03:03:56: ISAKMP (1): ID payload
next-payload : 8
type : 1
protocol : 17
port : 500
length : 8
03:03:56: ISAKMP (1): Total payload length: 12
03:03:56: ISAKMP (0:1): sending packet to w.x.y.z (I) MM_KEY_EXCH
03:03:56: ISAKMP (0:1): received packet from w.x.y.z (I) MM_KEY_EXCH
03:03:56: ISAKMP (0:1): processing ID payload. message ID = 0
03:03:56: ISAKMP (0:1): processing HASH payload. message ID = 0
03:03:56: ISAKMP (0:1): SA has been authenticated with w.x.y.z
03:03:56: ISAKMP (0:1): beginning Quick Mode exchange, M-ID of -261342366
03:03:56: ISAKMP (0:1): sending packet to w.x.y.z (I) QM_IDLE
03:03:57: ISAKMP (0:1): received packet from w.x.y.z (I) QM_IDLE
03:03:57: ISAKMP (0:1): processing HASH payload. message ID = 1348448192
03:03:57: ISAKMP (0:1): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3 spi 327960102, message ID = 1348448192, sa = 6228D7C4
03:03:57: ISAKMP (0:1): deleting spi 327960102 message ID = -261342366
03:03:57: ISAKMP (0:1): deleting node -261342366 error TRUE reason "delete_larval"
03:03:57: ISAKMP (0:1): deleting node 1348448192 error FALSE reason "informational (in) state 1"....
Success rate is 0 percent (0/5)
04-02-2002 07:36 AM
I hope someone else will also reply who can perhaps offer a better explanation than myself, but I think I can offer some insights.
The key line here is:
03:03:57: ISAKMP (0:1): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
The PROPOSAL_NOT_CHOSEN tells me that either your policy or your transform-set does not match exactly. Also, verify that your access-lists are perfect mirrors of each other. Check the SA lifetimes?
Anyone else?
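
A small triage script for this kind of trace, added here as an example (it is not part of either post and is not Cisco tooling). It assumes IOS "debug crypto isakmp" lines shaped like those in the question; the function name triage and the result keys are hypothetical, and the protocol numbers follow the IPsec DOI (RFC 2407), where 3 is ESP.

```python
import re

# IPsec DOI protocol identifiers (RFC 2407, section 4.4.1)
PROTOCOLS = {1: "ISAKMP", 2: "AH", 3: "ESP", 4: "IPCOMP"}

# Constructed sample: lines excerpted from the debug output in the question
SAMPLE = """\
03:03:55: ISAKMP (0:1): beginning Main Mode exchange
03:03:55: ISAKMP (0:1): atts are acceptable. Next payload is 0
03:03:56: ISAKMP (0:1): SA has been authenticated with w.x.y.z
03:03:56: ISAKMP (0:1): beginning Quick Mode exchange, M-ID of -261342366
03:03:57: ISAKMP (0:1): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3 spi 327960102
03:03:57: ISAKMP (0:1): deleting node -261342366 error TRUE reason "delete_larval"
"""

NOTIFY = re.compile(r"processing NOTIFY (\w+) protocol (\d+)")

def triage(log):
    """Summarise how far an IKEv1 negotiation got in an ISAKMP debug capture."""
    result = {"phase1_policy_accepted": False, "phase1_authenticated": False,
              "quick_mode_started": False, "notifies": [], "failed_phase": None}
    for line in log.splitlines():
        # Only count the acceptance seen before Quick Mode as the Phase 1 policy match.
        if "atts are acceptable" in line and not result["quick_mode_started"]:
            result["phase1_policy_accepted"] = True
        elif "SA has been authenticated" in line:
            result["phase1_authenticated"] = True
        elif "beginning Quick Mode exchange" in line:
            result["quick_mode_started"] = True
        match = NOTIFY.search(line)
        if match:
            proto = int(match.group(2))
            result["notifies"].append((match.group(1), PROTOCOLS.get(proto, str(proto))))
    if any(name == "PROPOSAL_NOT_CHOSEN" for name, _ in result["notifies"]):
        # A rejection after Phase 1 authentication belongs to Quick Mode (Phase 2).
        result["failed_phase"] = 2 if result["phase1_authenticated"] else 1
    return result

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

On the trace in the question it reports Phase 1 as authenticated and the rejection as a Phase 2 notify for ESP, which is where the transform-set and access-list checks suggested in the reply apply.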