
New Member

IPSec - show crypto crypto isakmp / ipsec sa result - no proposal chosen

Any ideas on my show isakmp sa and debug on my cisco 870 router?

Setup:

3840 router--Internet--Sonicwall FW--870 router.

dst             src             state          conn-id slot status
x.x.x.x         x.x.x.x         QM_IDLE           1011    0 ACTIVE
x.x.x.x         x.x.x.x         MM_NO_STATE       1009    0 ACTIVE (deleted)
x.x.x.x         x.x.x.x         QM_IDLE           1012    0 ACTIVE
x.x.x.x         x.x.x.x         MM_NO_STATE       1010    0 ACTIVE (deleted)

debug on crypto isa

03:54:51: ISAKMP (0:1018): received packet from 12.164.193.212 dport 500 sport 500 Global (I) QM_IDLE
03:54:51: ISAKMP: set new node 1878465810 to QM_IDLE
03:54:51: ISAKMP:(1018): processing HASH payload. message ID = 1878465810
03:54:51: ISAKMP:(1018): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 3495907581, message ID = 1878465810, sa = 838BFBB0
03:54:51: ISAKMP:(1018): deleting spi 3495907581 message ID = -683647967
03:54:51: ISAKMP:(1018):deleting node -683647967 error TRUE reason "Delete Larval"
03:54:51: ISAKMP:(1018):deleting node 1878465810 error FALSE reason "Informational (in) state 1"
03:54:51: ISAKMP:(1018):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
03:54:51: ISAKMP:(1018):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

Any reason why I am getting:

03:55:20: ISAKMP:(1018): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3

I checked the IPSEC/ISAKMP policy several times; they are the same on both sides. It appears to be an issue with ESP through the FW.

Any suggestions,

Brandon
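The two pieces of output in the post carry the whole diagnosis: `show crypto isakmp sa` shows one live QM_IDLE SA plus one dead MM_NO_STATE (deleted) negotiation per peer, and the debug shows a NOTIFY PROPOSAL_NOT_CHOSEN for protocol 3 arriving while the connection is already in IKE_P1_COMPLETE. The script below is an added example, not part of the post or any Cisco tool: it parses both outputs and reports which phase the peer rejected. The protocol-number-to-name mapping is the IPsec DOI table from RFC 2407 (1 = ISAKMP, 2 = AH, 3 = ESP, 4 = IPCOMP); the sample output is constructed to match the shape of the quoted lines, with RFC 5737 documentation addresses in place of the real peers.

```python
import re
from collections import defaultdict

# IPsec DOI protocol identifiers as carried in ISAKMP NOTIFY payloads (RFC 2407, section 4.4.1).
# 1 is the ISAKMP SA itself (phase 1); 2 and 3 are AH/ESP SAs negotiated in quick mode (phase 2).
DOI_PROTOCOLS = {1: "ISAKMP", 2: "IPSEC_AH", 3: "IPSEC_ESP", 4: "IPCOMP"}

# Constructed sample output, modelled on the lines quoted in the post (documentation addresses only).
SAMPLE_SA_TABLE = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
192.0.2.10      10.1.1.31       QM_IDLE           1005    0 ACTIVE
192.0.2.10      10.1.1.31       MM_NO_STATE       1006    0 ACTIVE (deleted)
198.51.100.7    10.1.1.31       QM_IDLE           1003    0 ACTIVE
198.51.100.7    10.1.1.31       MM_NO_STATE       1002    0 ACTIVE (deleted)
"""

SAMPLE_DEBUG = """\
03:54:51: ISAKMP (0:1018): received packet from 198.51.100.7 dport 500 sport 500 Global (I) QM_IDLE
03:54:51: ISAKMP: set new node 1878465810 to QM_IDLE
03:54:51: ISAKMP:(1018): processing HASH payload. message ID = 1878465810
03:54:51: ISAKMP:(1018): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 3495907581, message ID = 1878465810, sa = 838BFBB0
03:54:51: ISAKMP:(1018): deleting spi 3495907581 message ID = -683647967
03:54:51: ISAKMP:(1018):deleting node -683647967 error TRUE reason "Delete Larval"
03:54:51: ISAKMP:(1018):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
03:54:51: ISAKMP:(1018):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
"""

SA_ROW_RE = re.compile(
    r"^(?P<dst>\d+\.\d+\.\d+\.\d+)\s+(?P<src>\d+\.\d+\.\d+\.\d+)\s+(?P<state>\S+)\s+"
    r"(?P<conn>\d+)\s+\d+\s+(?P<status>ACTIVE(?: \(deleted\))?)"
)
NOTIFY_RE = re.compile(r"ISAKMP:\s*\((\d+)\):\s*processing NOTIFY (\w+) protocol (\d+)")
STATE_RE = re.compile(r"ISAKMP:\s*\((\d+)\):\s*Old State = (\S+) New State = (\S+)")


def summarise_sa_table(text):
    """Per peer (dst column): count live SAs (QM_IDLE) and dead negotiations (MM_NO_STATE)."""
    summary = defaultdict(lambda: {"live": 0, "dead": 0, "other": 0})
    for line in text.splitlines():
        m = SA_ROW_RE.match(line.strip())
        if not m:
            continue  # header lines and blank lines
        peer = m.group("dst")
        if m.group("state") == "QM_IDLE" and m.group("status") == "ACTIVE":
            summary[peer]["live"] += 1
        elif m.group("state") == "MM_NO_STATE":
            summary[peer]["dead"] += 1
        else:
            summary[peer]["other"] += 1
    return dict(summary)


def diagnose_debug(text):
    """Turn each PROPOSAL_NOT_CHOSEN notify into a finding that names the rejected phase."""
    notifies, final_state = [], {}
    for line in text.splitlines():
        m = NOTIFY_RE.search(line)
        if m:
            notifies.append((int(m.group(1)), m.group(2), int(m.group(3))))
            continue
        m = STATE_RE.search(line)
        if m:
            final_state[int(m.group(1))] = m.group(3)  # last "New State" seen for this conn-id

    findings = []
    for conn_id, name, proto in notifies:
        if name != "PROPOSAL_NOT_CHOSEN":
            continue
        proto_name = DOI_PROTOCOLS.get(proto, f"unknown({proto})")
        phase = 1 if proto == 1 else 2
        if phase == 1:
            advice = ("peer rejected the ISAKMP proposal: compare the crypto isakmp policy "
                      "(encryption, hash, DH group, authentication, lifetime)")
        else:
            advice = (f"peer rejected the {proto_name} proposal in quick mode: compare the transform "
                      "set, the crypto ACL proxy identities and the PFS group, not the pre-shared key")
        findings.append({"conn_id": conn_id, "protocol": proto_name, "phase": phase,
                         "phase1_state": final_state.get(conn_id), "advice": advice})
    return findings


if __name__ == "__main__":
    for peer, counts in summarise_sa_table(SAMPLE_SA_TABLE).items():
        print(f"{peer}: {counts['live']} live SA(s), {counts['dead']} dead negotiation(s)")
    for f in diagnose_debug(SAMPLE_DEBUG):
        print(f"conn {f['conn_id']} ({f['protocol']}, phase {f['phase']}, "
              f"phase 1 state {f['phase1_state']}): {f['advice']}")
```

The useful split is the phase: a protocol 1 rejection means the peers never agreed on an ISAKMP policy, whereas protocol 3 with the connection sitting in IKE_P1_COMPLETE means the pre-shared key and phase 1 policy already matched and the disagreement is in the IPsec (ESP) proposal or the proxy identities. Paste real `show crypto isakmp sa` and `debug crypto isakmp` output into the two sample strings to run it against a live case.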

2 REPLIES
Cisco Employee

Re: IPSec - show crypto crypto isakmp / ipsec sa result - no pro

Brandon,

Couple of things to check:

1. Make sure that the Sonic Firewall is allowing UDP 500 and Protocol 50 - ESP.

2. Type in the pre-shared key again to make sure that there are no typos.

3. Check the Access-List for the crypto map to make sure they are mirror images of each other.

For example:

If you have a local network of 10.1.1.0 255.255.255.0 and a remote network of 192.168.1.0 255.255.255.0, then the configuration on the local router should have a local network of 192.168.1.0 255.255.255.0 and a remote network of 10.1.1.0 255.255.255.0.

If you are still having issues, then please do post the running configuration from the routers and make sure that you remove all sensitive information.

I hope it helps.

Regards,

Arul
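Check 3 above (crypto ACLs that are mirror images of each other) is the one that is easiest to get wrong by a single digit across 200 automated configs, and a wrong proxy identity is one of the things a peer can answer with PROPOSAL_NOT_CHOSEN in quick mode. The script below is an added example, not part of this reply or of any Cisco tool: it parses `permit` lines of two crypto ACLs in IOS wildcard-mask syntax (`address wildcard`, `host address`, `any`) and lists every entry that has no mirrored counterpart on the other side. The two ACL texts are constructed sample data; the second one deliberately contains a one-digit typo.

```python
import ipaddress

# Constructed sample crypto ACLs (IOS syntax). The remote side's second entry is mistyped:
# 10.1.3.0 instead of 10.1.2.0, so the second local subnet has no mirror on the remote router.
LOCAL_ACL = """\
permit ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 10.1.2.0 0.0.0.255 192.168.1.0 0.0.0.255
"""
REMOTE_ACL = """\
permit ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 10.1.3.0 0.0.0.255
"""
# Correct mirror of LOCAL_ACL, used to show the clean case.
REMOTE_ACL_OK = """\
permit ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 10.1.2.0 0.0.0.255
"""


def _parse_addr(tokens):
    """Consume one ACL address spec from the front of tokens; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(f"{tokens[1]}/32"), tokens[2:]
    # "address wildcard" form: ipaddress accepts a host mask (leading zero octet) in place of a prefix.
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_crypto_acl(text):
    """Return a list of (protocol, source_network, destination_network) for each permit entry."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "permit":
            continue  # skip deny lines, remarks and blank lines; only permits define proxy identities
        proto = tokens[1]
        src, rest = _parse_addr(tokens[2:])
        dst, _ = _parse_addr(rest)
        entries.append((proto, src, dst))
    return entries


def mirror_mismatches(local_text, remote_text):
    """Entries of each ACL that the other side does not mirror (same protocol, src/dst swapped)."""
    local = parse_crypto_acl(local_text)
    remote = parse_crypto_acl(remote_text)
    local_set, remote_set = set(local), set(remote)
    missing_on_remote = [e for e in local if (e[0], e[2], e[1]) not in remote_set]
    missing_on_local = [e for e in remote if (e[0], e[2], e[1]) not in local_set]
    return missing_on_remote, missing_on_local


if __name__ == "__main__":
    for label, remote in (("mistyped remote", REMOTE_ACL), ("correct remote", REMOTE_ACL_OK)):
        no_remote, no_local = mirror_mismatches(LOCAL_ACL, remote)
        print(f"{label}:")
        for proto, src, dst in no_remote:
            print(f"  local entry {proto} {src} -> {dst} has no mirror on the remote router")
        for proto, src, dst in no_local:
            print(f"  remote entry {proto} {src} -> {dst} has no mirror on the local router")
        if not (no_remote or no_local):
            print("  crypto ACLs are exact mirror images")
```

The comparison is done on parsed networks rather than on raw text, so `10.1.1.0 0.0.0.255` and `host`/`any` forms compare correctly, and a subnet that is merely overlapping (for example a /23 on one side and a /24 on the other) is reported as a mismatch, which is what an IKE peer will treat it as.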

New Member

Re: IPSec - show crypto crypto isakmp / ipsec sa result - no pro

Arul,

Could there be an issue with IPSEC and the SonicWALL? Our router configurations are very standard and we have deployed over 200+ routers with similar configuration (automated configs). I verified steps 1, 2, 3 already. This is my "show cry isa sa":

XXXXX CU#sh cry isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
63.114.195.212  10.1.1.31       QM_IDLE           1005    0 ACTIVE
63.114.195.212  10.1.1.31       MM_NO_STATE       1006    0 ACTIVE (deleted)
12.164.193.212  10.1.1.31       QM_IDLE           1003    0 ACTIVE
12.164.193.212  10.1.1.31       MM_NO_STATE       1002    0 ACTIVE (deleted)

This is DMVPN. I added the "cry ipsec nat spi" to the router; it still does not help. I am concerned that it is the NATing on the Sonicwall.

Brandon
