IPSec debug output

J.BROWN
Level 1

Can anyone decipher the debug output I get from the router in a router-to-PIX IPSec tunnel setup?

I can't find examples of this output anywhere on Cisco's web site.

Debug output follows; the bit I need help with is the last four lines right at the end, with the timestamp 03:03:57. I've included the rest of the debug output for completeness:

03:03:55: ISAKMP: received ke message (1/1)
03:03:55: ISAKMP: local port 500, remote port 500
03:03:55: ISAKMP (0:1): beginning Main Mode exchange
03:03:55: ISAKMP (0:1): sending packet to w.x.y.z (I) MM_NO_STATE
03:03:55: ISAKMP (0:1): received packet from w.x.y.z (I) MM_NO_STATE
03:03:55: ISAKMP (0:1): processing SA payload. message ID = 0
03:03:55: ISAKMP (0:1): found peer pre-shared key matching w.x.y.z
03:03:55: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 10 policy
03:03:55: ISAKMP: encryption DES-CBC
03:03:55: ISAKMP: hash MD5
03:03:55: ISAKMP: default group 1
03:03:55: ISAKMP: auth pre-share
03:03:55: ISAKMP: life type in seconds
03:03:55: ISAKMP: life duration (basic) of 2000
03:03:55: ISAKMP (0:1): atts are acceptable. Next payload is 0
03:03:55: ISAKMP (0:1): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
03:03:55: ISAKMP (0:1): sending packet to w.x.y.z (I) MM_SA_SETUP
03:03:56: ISAKMP (0:1): received packet from w.x.y.z (I) MM_SA_SETUP
03:03:56: ISAKMP (0:1): processing KE payload. message ID = 0
03:03:56: ISAKMP (0:1): processing NONCE payload. message ID = 0
03:03:56: ISAKMP (0:1): found peer pre-shared key matching w.x.y.z
03:03:56: ISAKMP (0:1): SKEYID state generated.
03:03:56: ISAKMP (0:1): processing vendor id payload
03:03:56: ISAKMP (0:1): processing vendor id payload
03:03:56: ISAKMP (0:1): processing vendor id payload
03:03:56: ISAKMP (0:1): speaking to another IOS box!
03:03:56: ISAKMP (1): ID payload
        next-payload : 8
        type         : 1
        protocol     : 17
        port         : 500
        length       : 8
03:03:56: ISAKMP (1): Total payload length: 12
03:03:56: ISAKMP (0:1): sending packet to w.x.y.z (I) MM_KEY_EXCH
03:03:56: ISAKMP (0:1): received packet from w.x.y.z (I) MM_KEY_EXCH
03:03:56: ISAKMP (0:1): processing ID payload. message ID = 0
03:03:56: ISAKMP (0:1): processing HASH payload. message ID = 0
03:03:56: ISAKMP (0:1): SA has been authenticated with w.x.y.z
03:03:56: ISAKMP (0:1): beginning Quick Mode exchange, M-ID of -261342366
03:03:56: ISAKMP (0:1): sending packet to w.x.y.z (I) QM_IDLE
03:03:57: ISAKMP (0:1): received packet from w.x.y.z (I) QM_IDLE
03:03:57: ISAKMP (0:1): processing HASH payload. message ID = 1348448192
03:03:57: ISAKMP (0:1): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
        spi 327960102, message ID = 1348448192, sa = 6228D7C4
03:03:57: ISAKMP (0:1): deleting spi 327960102 message ID = -261342366
03:03:57: ISAKMP (0:1): deleting node -261342366 error TRUE reason "delete_larval"
03:03:57: ISAKMP (0:1): deleting node 1348448192 error FALSE reason "informational (in) state 1"....
Success rate is 0 percent (0/5)


brad
Level 1

I hope someone else will also reply who can perhaps offer a better explanation than myself, but I think I can offer some insights.

The key line here is:

03:03:57: ISAKMP (0:1): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3

The PROPOSAL_NOT_CHOSEN tells me that either your policy or your transform-set does not match exactly. Also, verify that your access-lists are perfect mirrors of each other. Check the SA lifetimes?

Anyone else?
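The reply above points at the PROPOSAL_NOT_CHOSEN line; the rest of the trace shows why that points at Phase 2 rather than Phase 1: Main Mode completed ("SA has been authenticated"), Quick Mode started, and the NOTIFY names protocol 3, which in the IPsec DOI (RFC 2407) is ESP, so the peer rejected the IPsec proposal, not the ISAKMP policy. The script below is an added example, not code from the thread or from Cisco: it parses "debug crypto isakmp" output of the form posted, records the Phase 1 attributes that were offered, attaches each NOTIFY to the SPI line that follows it, and reports which layer to compare against the peer. It goes one step beyond the posted case by also recognising a Phase 1 attribute rejection. Function and field names are this example's own; the first sample is the excerpt from the post (peer left as w.x.y.z), the second is constructed to show a Phase 1 policy mismatch.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Protocol IDs in "processing NOTIFY <type> protocol <n>" come from the IPsec DOI
# (RFC 2407): 1 = ISAKMP (Phase 1 SA), 2 = AH, 3 = ESP (Phase 2 SA), 4 = IPCOMP.
DOI_PROTOCOLS = {1: "ISAKMP", 2: "AH", 3: "ESP", 4: "IPCOMP"}

# Phase 1 attribute lines, e.g. "03:03:55: ISAKMP: hash MD5".
ATTR_RE = re.compile(r"ISAKMP:\s+(encryption|hash|default group|auth|life type in|"
                     r"life duration \(basic\) of)\s+(\S.*)$")
ATTR_NAMES = {"encryption": "encryption", "hash": "hash", "default group": "dh_group",
              "auth": "auth", "life type in": "life_type",
              "life duration (basic) of": "life_duration"}
NOTIFY_RE = re.compile(r"processing NOTIFY (\S+) protocol (\d+)")
SPI_RE = re.compile(r"^spi (\d+), message ID = (-?\d+)")


@dataclass
class IsakmpSummary:
    phase1_attrs: dict = field(default_factory=dict)
    phase1_atts_acceptable: Optional[bool] = None
    phase1_authenticated: bool = False
    quick_mode_started: bool = False
    notifies: list = field(default_factory=list)  # dicts with type, protocol, spi


def parse_isakmp_debug(text):
    """Walk the debug lines in order; IOS prints a NOTIFY's SPI on the next line,
    so that line is attached to the NOTIFY just before it."""
    s = IsakmpSummary()
    pending = None
    for raw in text.splitlines():
        line = raw.strip()
        attr, notify, spi = ATTR_RE.search(line), NOTIFY_RE.search(line), SPI_RE.match(line)
        if attr:
            s.phase1_attrs[ATTR_NAMES[attr.group(1)]] = attr.group(2).strip()
        elif "atts are not acceptable" in line:
            s.phase1_atts_acceptable = False
        elif "atts are acceptable" in line:
            s.phase1_atts_acceptable = True
        elif "SA has been authenticated" in line:
            s.phase1_authenticated = True
        elif "beginning Quick Mode exchange" in line:
            s.quick_mode_started = True
        elif notify:
            proto = int(notify.group(2))
            pending = {"type": notify.group(1), "spi": None,
                       "protocol": DOI_PROTOCOLS.get(proto, f"unknown({proto})")}
            s.notifies.append(pending)
        elif pending is not None and spi:
            pending["spi"] = int(spi.group(1))
            pending = None
    return s


def diagnose(s):
    """Map the parsed state to the configuration layer that needs comparing."""
    if not s.phase1_authenticated:
        p1_rejected = any(n["protocol"] == "ISAKMP" for n in s.notifies)
        if s.phase1_atts_acceptable is False or p1_rejected:
            return "phase1_policy_mismatch"
        return "phase1_incomplete"
    if any(n["type"] == "PROPOSAL_NOT_CHOSEN" and n["protocol"] in ("ESP", "AH")
           for n in s.notifies):
        return "phase2_proposal_rejected"
    return "phase2_incomplete" if s.quick_mode_started else "phase1_complete"


EXPLANATION = {
    "phase1_policy_mismatch": "crypto isakmp policy (encryption/hash/group/auth/lifetime) differs from the peer",
    "phase1_incomplete": "Main Mode never authenticated: check UDP/500 reachability and the pre-shared key",
    "phase2_proposal_rejected": "Phase 1 is fine; compare transform sets, PFS and mirror-image crypto ACLs",
    "phase2_incomplete": "Quick Mode started but no IPsec SA was established",
    "phase1_complete": "Phase 1 done, no Quick Mode seen",
}

# Sample 1: lines from the debug excerpt posted in the thread (peer address as posted).
POSTED_DEBUG = """\
03:03:55: ISAKMP (0:1): beginning Main Mode exchange
03:03:55: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 10 policy
03:03:55: ISAKMP: encryption DES-CBC
03:03:55: ISAKMP: hash MD5
03:03:55: ISAKMP: default group 1
03:03:55: ISAKMP: auth pre-share
03:03:55: ISAKMP: life type in seconds
03:03:55: ISAKMP: life duration (basic) of 2000
03:03:55: ISAKMP (0:1): atts are acceptable. Next payload is 0
03:03:56: ISAKMP (0:1): SA has been authenticated with w.x.y.z
03:03:56: ISAKMP (0:1): beginning Quick Mode exchange, M-ID of -261342366
03:03:57: ISAKMP (0:1): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
        spi 327960102, message ID = 1348448192, sa = 6228D7C4
03:03:57: ISAKMP (0:1): deleting node -261342366 error TRUE reason "delete_larval"
"""

# Sample 2: constructed (not from the post) to show a Phase 1 attribute rejection.
PHASE1_MISMATCH = """\
03:10:01: ISAKMP (0:2): beginning Main Mode exchange
03:10:01: ISAKMP (0:2): Checking ISAKMP transform 1 against priority 10 policy
03:10:01: ISAKMP: encryption 3DES-CBC
03:10:01: ISAKMP: hash SHA
03:10:01: ISAKMP: default group 2
03:10:01: ISAKMP (0:2): atts are not acceptable. Next payload is 0
"""

if __name__ == "__main__":
    for name, sample in (("posted", POSTED_DEBUG), ("constructed", PHASE1_MISMATCH)):
        summary = parse_isakmp_debug(sample)
        verdict = diagnose(summary)
        print(f"{name}: {verdict}: {EXPLANATION[verdict]}")
        print("  phase 1 attrs offered:", summary.phase1_attrs)
```

Paste a real capture into `parse_isakmp_debug` as one string; the attribute dictionary it returns is the set the router offered, which is what to line up against the peer's ISAKMP policy when the verdict is a Phase 1 mismatch, and when the verdict is a rejected ESP proposal the place to look is the transform set and the crypto ACL on each side.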