Cisco Support Community
Community Member

ISAKMP SA negotiation fails with Watchguard Firebox II

For the past couple of weeks, our IPSec tunnel has dropped intermittently with the debug results below. The IPsec tunnel terminates on a Watchguard Firebox II.

Am I interpreting this correctly? It appears that the Watchguard is trying to negotiate an SA using DES, SHA, and a pre-shared key, but eventually times out. The actual policy is for 3DES, MD5, and a pre-shared key. However, when we reboot the PIX, the two devices connect. Is this a bug in the PIX OS?

ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash SHA
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP: default group 1
ISAKMP (0): atts are not acceptable. Next payload is 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 65535 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash SHA
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP: default group 1
ISAKMP (0): atts are not acceptable. Next payload is 0
ISAKMP (0): no offers accepted!
ISAKMP (0): SA not acceptable!
return status is IKMP_ERR_TRANS
ISAKMP (0): deleting SA: src 206.142.126.125, dst 67.39.58.130
ISADB: reaper checking SA 0x80d0cfb8, conn_id = 0 DELETE IT!

1 REPLY
Bronze

Re: ISAKMP SA negotiation fails with Watchguard Firebox II

Hi,

it seems that the Watchguard box is sending:

DES-SHA-Group1-Preshared

and your policy #10 on the PIX doesn't have that. If you do have that policy, the PIX should negotiate it; otherwise try loading v6.3.1. If that doesn't help, open a TAC case to file a possible bug.

Thx

Afaq
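The debug output in the question and the reply's diagnosis both come down to one check: does any local "isakmp policy" match the transform the peer proposes? The Python below is an added example (not code from the thread, Cisco, or Watchguard) that parses the "debug crypto isakmp" lines quoted above, decodes the VPI lifetime bytes, and reports on which attributes each local policy disagrees with the peer's proposal. The configured-policy table is constructed: policy 10 is the poster's 3DES/MD5/pre-share policy with an assumed DH group 2 (the thread does not state the group), and policy 65535 is the PIX built-in default (DES, SHA, RSA signatures, group 1). The attribute names and the VPI encoding are taken from the debug lines themselves.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the PIX "debug crypto isakmp" lines from the thread,
# trimmed to the first policy check (the 65535 check repeats the same transform).
DEBUG_OUTPUT = """\
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash SHA
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP: default group 1
ISAKMP (0): atts are not acceptable. Next payload is 0
ISAKMP (0): no offers accepted!
"""


@dataclass(frozen=True)
class Phase1Policy:
    encryption: str   # "des" / "3des"
    hash: str         # "md5" / "sha"
    auth: str         # "pre-share" / "rsa-sig"
    group: int        # Diffie-Hellman group number
    lifetime: int     # seconds


# Constructed stand-in for the PIX's configured "isakmp policy" set.
# Policy 10 is what the poster describes (3DES, MD5, pre-shared key); the DH
# group is an ASSUMPTION, the thread does not state it.  Policy 65535 is the
# PIX built-in default (DES, SHA, RSA signatures, group 1, 86400 s).
CONFIGURED_POLICIES: Dict[int, Phase1Policy] = {
    10: Phase1Policy("3des", "md5", "pre-share", 2, 86400),
    65535: Phase1Policy("des", "sha", "rsa-sig", 1, 86400),
}

# Debug spelling -> config spelling for the encryption attribute.
ENC_NAMES = {"DES-CBC": "des", "3DES-CBC": "3des"}

_CHECK = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
_ATTR_PATTERNS = {
    "encryption": re.compile(r"ISAKMP:\s+encryption (\S+)"),
    "hash": re.compile(r"ISAKMP:\s+hash (\S+)"),
    "auth": re.compile(r"ISAKMP:\s+auth (\S+)"),
    "group": re.compile(r"ISAKMP:\s+default group (\d+)"),
    "lifetime": re.compile(r"ISAKMP:\s+life duration \(VPI\) of (.+)$"),
}


def decode_vpi(hex_bytes: str) -> int:
    """Decode the big-endian variable-length integer the debug prints as
    '0x0 0x1 0x51 0x80'; that one is 0x00015180 = 86400 seconds."""
    value = 0
    for tok in hex_bytes.split():
        value = (value << 8) | int(tok, 16)
    return value


def parse_peer_proposals(debug_text: str) -> Dict[int, Phase1Policy]:
    """Return {transform_number: proposal} for each transform the peer offered.
    The same transform is printed once per local policy it is checked against,
    so proposals are keyed by transform number and de-duplicated."""
    proposals: Dict[int, Phase1Policy] = {}
    current: Optional[int] = None
    attrs: Dict[str, str] = {}
    for line in debug_text.splitlines():
        m = _CHECK.search(line)
        if m:
            current, attrs = int(m.group(1)), {}
            continue
        if current is None:
            continue
        if "atts are" in line:  # "acceptable" or "not acceptable" ends one comparison
            proposals.setdefault(current, Phase1Policy(
                encryption=ENC_NAMES.get(attrs["encryption"], attrs["encryption"].lower()),
                hash=attrs["hash"].lower(),
                auth=attrs["auth"],
                group=int(attrs["group"]),
                lifetime=decode_vpi(attrs["lifetime"]),
            ))
            current = None
            continue
        for name, pat in _ATTR_PATTERNS.items():
            m = pat.search(line)
            if m:
                attrs[name] = m.group(1).strip()


    return proposals


def mismatched_attributes(proposal: Phase1Policy, policy: Phase1Policy) -> List[str]:
    """Attributes on which the peer's proposal and one local policy disagree.
    Encryption, hash, auth and group must match exactly.  Lifetime is only a
    problem when the peer proposes a LONGER lifetime than the local policy;
    a shorter one is accepted and the shorter value is used."""
    bad = [n for n in ("encryption", "hash", "auth", "group")
           if getattr(proposal, n) != getattr(policy, n)]
    if proposal.lifetime > policy.lifetime:
        bad.append("lifetime")
    return bad


def find_accepting_policy(proposal: Phase1Policy,
                          policies: Dict[int, Phase1Policy]) -> Optional[int]:
    """Lowest-priority-number policy that accepts the proposal, or None
    (None is the situation behind 'no offers accepted!')."""
    for prio in sorted(policies):
        if not mismatched_attributes(proposal, policies[prio]):
            return prio
    return None


if __name__ == "__main__":
    for t, prop in parse_peer_proposals(DEBUG_OUTPUT).items():
        print(f"peer transform {t}: {prop}")
        for prio, pol in sorted(CONFIGURED_POLICIES.items()):
            bad = mismatched_attributes(prop, pol)
            print(f"  policy {prio}: " + ("matches" if not bad else "differs on " + ", ".join(bad)))
        print("  accepted by policy:", find_accepting_policy(prop, CONFIGURED_POLICIES))
```

Run against the thread's output, this shows why the PIX logged "atts are not acceptable" twice: policy 10 differs on encryption, hash and (assumed) group, and the default policy 65535 differs on auth because it expects RSA signatures rather than a pre-shared key. Of the two ways to close the gap, aligning the Firebox with the existing 3DES/MD5 policy keeps the stronger cipher; adding a DES/SHA/group 1 policy on the PIX would make the tunnel come up but at single-DES strength.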
