02-17-2003 12:43 PM - edited 02-21-2020 12:21 PM
Hi All,
We are trying to create a VPN tunnel with a PIX 506e and a Netscreen 1000.
Phase 1 seems to go OK and then it dies on phase 2 and just keeps retransmitting until the whole thing dies. The Netscreen doesn't seem to give any better details.
Here is an excerpt from the debug.
VPN Peer: ISAKMP: Added new peer: ip:xxx.228.130.194 Total VPN Peers:2
VPN Peer: ISAKMP: Peer ip:66.xxx.130.194 Ref cnt incremented to:1 Total VPN Peers:2
ISAKMP (0): beginning Main Mode exchange
crypto_isakmp_process_block: src xxx.228.130.194, dest xxx.173.9.34
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 2 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 7200
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing vendor id payload
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src xxx.228.130.194, dest xxx.173.9.34
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
ISAKMP (0): ID payload
next-payload : 8
type : 1
protocol : 17
port : 500
length : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src xxx.228.130.194, dest xxx.173.9.34
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): SA has been authenticated
ISAKMP: Created a peer node for xxx.228.130.194
ISAKMP (0): beginning Quick Mode exchange, M-ID of -1513388367:a5cb86b1
IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0x354b0c2c(894110764) for SA
from xxx.228.130.194 to xxx.173.9.34 for prot 3
return status is IKMP_NO_ERROR
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending NOTIFY message 24578 protocol 1
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): retransmitting phase 2...
IPSEC(key_engine): request timer fired: count = 1,
(identity) local= xxx.173.9.34, remote= xxx.228.130.194,
local_proxy= 192.168.151.0/255.255.255.0/0/0 (type=4),
remote_proxy= 10.250.0.203/255.255.255.255/0/0 (type=1)
ISAKMP (0): beginning Quick Mode exchange, M-ID of -1351861563:af6c3ac5
IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0x7d531ef1(2102599409) for SA
from xxx.228.130.194 to xxx.173.9.34 for prot 3
ISAKMP (0): retransmitting phase 2...
ISAKMP (0): retransmitting phase 2...
ISAKMP (0): retransmitting phase 2...
IPSEC(key_engine): request timer fired: count = 2,
(identity) local= xxx.173.9.34, remote= xxx.228.130.194,
local_proxy= 192.168.151.0/255.255.255.0/0/0 (type=4),
remote_proxy= 10.250.0.203/255.255.255.255/0/0 (type=1)
VPN Peer: ISAKMP: Added new peer: ip:xxx.228.130.203 Total VPN Peers:3
VPN Peer: ISAKMP: Peer ip:xxx.228.130.203 Ref cnt incremented to:1 Total VPN Peers:3
ISAKMP (0): beginning Main Mode exchange
ISAKMP (0): retransmitting phase 2...
ISAKMP (0): retransmitting phase 2...
ISAKMP (0): deleting SA: src xxx.173.9.34, dst xxx.228.130.194
ISADB: reaper checking SA 0x8134c458, conn_id = 0
ISADB: reaper checking SA 0x81358780, conn_id = 0
ISADB: reaper checking SA 0x81370780, conn_id = 0 DELETE IT!
Anyone have suggestions? They would be greatly appreciated.
Scott VanGuilder
02-17-2003 05:35 PM
Is this debug from when the Netscreen tried to initiate the tunnel, or when the PIX did? If the PIX tried to initiate, try running the same debugs when the Netscreen tries to initiate it, it'll give you more information as to what's going on.
What version of code do you have on the PIX, and on the Netscreen?
02-18-2003 09:32 AM
Yes, the debug was with the PIX initiating the tunnel.
PIX is version 6.2
Netscreen is version 2.6.0r6
Here is the debug from the PIX with the Netscreen initiating the tunnel.
ISADB: reaper checking SA 0x813543d8, conn_id = 0
IPSEC(key_engine): request timer fired: count = 2,
(identity) local= xxx.173.9.34, remote= xxx.228.130.203,
local_proxy= 192.168.151.0/255.255.255.0/0/0 (type=4),
remote_proxy= 10.250.0.203/255.255.255.255/0/0 (type=1)
ISAKMP (0): beginning Quick Mode exchange, M-ID of 945102397:38551e3d
IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0x778fb0ab(2005905579) for SA
from xxx.228.130.194 to xxx.173.9.34 for prot 3
ISAKMP (0): retransmitting phase 2...
ISAKMP: Deleting peer node for xxx.228.130.194
IPSEC(key_engine): request timer fired: count = 1,
(identity) local= xxx.173.9.34, remote= xxx.228.130.194,
local_proxy= 192.168.151.0/255.255.255.0/0/0 (type=4),
remote_proxy= 10.250.0.203/255.255.255.255/0/0 (type=1)
ISAKMP (0): beginning Quick Mode exchange, M-ID of 172971442:a4f55b2
IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0x392e5013(959336467) for SA
from xxx.228.130.194 to xxx.173.9.34 for prot 3
ISAKMP (0): retransmitting phase 2...
ISAKMP (0): retransmitting phase 2...
ISAKMP (0): retransmitting phase 2...
IPSEC(key_engine): request timer fired: count = 2,
(identity) local= xxx.173.9.34, remote= xxx.228.130.194,
local_proxy= 192.168.151.0/255.255.255.0/0/0 (type=4),
remote_proxy= 10.250.0.203/255.255.255.255/0/0 (type=1)
VPN Peer: ISAKMP: Added new peer: ip:xxx.228.130.203 Total VPN Peers:2
VPN Peer: ISAKMP: Peer ip:xxx.228.130.203 Ref cnt incremented to:1 Total VPN Peers:2
ISAKMP (0): beginning Main Mode exchange
ISAKMP (0): retransmitting phase 2...
ISAKMP (0): retransmitting phase 2...
ISAKMP (0): deleting SA: src xxx.228.130.194, dst xxx.173.9.34
ISADB: reaper checking SA 0x8136e660, conn_id = 0
ISADB: reaper checking SA 0x813606a8, conn_id = 0 DELETE IT!
ISADB: reaper checking SA 0x8136e660, conn_id = 0
ISADB: reaper checking SA 0x81353c98, conn_id = 0 DELETE IT!
ISADB: reaper checking SA 0x8136e660, conn_id = 0
ISADB: reaper checking SA 0x8134c458, conn_id = 0
ISADB: reaper checking SA 0x81352c18, conn_id = 0 DELETE IT!
ISADB: reaper checking SA 0x8136e660, conn_id = 0
ISADB: reaper checking SA 0x8134c458, conn_id = 0
ISADB: reaper checking SA 0x8136c6a0, conn_id = 0
ISADB: reaper checking SA 0x8136ed60, conn_id = 0
ISADB: reaper checking SA 0x81352240, conn_id = 0 DELETE IT!
ISADB: reaper checking SA 0x8136e660, conn_id = 0
ISADB: reaper checking SA 0x8134c458, conn_id = 0
ISADB: reaper checking SA 0x8136c6a0, conn_id = 0
ISADB: reaper checking SA 0x8136ed60, conn_id = 0
ISADB: reaper checking SA 0x8136cda0, conn_id = 0
ISADB: reaper checking SA 0x81353318, conn_id = 0 DELETE IT!
ISADB: reaper checking SA 0x8136e660, conn_id = 0
ISADB: reaper checking SA 0x8134c458, conn_id = 0
ISADB: reaper checking SA 0x8136c6a0, conn_id = 0
ISADB: reaper checking SA 0x8136ed60, conn_id = 0
ISADB: reaper checking SA 0x8136cda0, conn_id = 0
ISADB: reaper checking SA 0x8136bf70, conn_id = 0
ISADB: reaper checking SA 0x8136dc60, conn_id = 0
ISADB: reaper checking SA 0x8133df78, conn_id = 0
ISADB: reaper checking SA 0x81359c48, conn_id = 0
ISADB: reaper checking SA 0x81354ad8, conn_id = 0 DELETE IT!
ISADB: reaper checking SA 0x8136e660, conn_id = 0
ISADB: reaper checking SA 0x8134c458, conn_id = 0
ISADB: reaper checking SA 0x8136c6a0, conn_id = 0
ISADB: reaper checking SA 0x8136ed60, conn_id = 0
ISADB: reaper checking SA 0x8136cda0, conn_id = 0
ISADB: reaper checking SA 0x8136bf70, conn_id = 0
ISADB: reaper checking SA 0x8136dc60, conn_id = 0
ISADB: reaper checking SA 0x8133df78, conn_id = 0
ISADB: reaper checking SA 0x81359c48, conn_id = 0
ISADB: reaper checking SA 0x81359548, conn_id = 0
ISADB: reaper checking SA 0x8135ffa8, conn_id = 0 DELETE IT!
ISADB: reaper checking SA 0x8136e660, conn_id = 0
ISADB: reaper checking SA 0x8134c458, conn_id = 0
ISADB: reaper checking SA 0x8136c6a0, conn_id = 0
ISADB: reaper checking SA 0x8136ed60, conn_id = 0
ISADB: reaper checking SA 0x8136cda0, conn_id = 0
ISADB: reaper checking SA 0x8136bf70, conn_id = 0
ISADB: reaper checking SA 0x8136dc60, conn_id = 0
ISADB: reaper checking SA 0x8133df78, conn_id = 0
ISADB: reaper checking SA 0x81359c48, conn_id = 0
ISADB: reaper checking SA 0x81359548, conn_id = 0
ISADB: reaper checking SA 0x8136f5d0, conn_id = 0
ISADB: reaper checking SA 0x8136d560, conn_id = 0
ISADB: reaper checking SA 0x813543d8, conn_id = 0
I appreciate any input
Scott VanGuilder
02-18-2003 11:11 AM
Here is the debug log and config from the Netscreen.
Here is the log:
01/31/2003 09:53:47 Generic_Co: Respond to initiate contact notify for p1.
01/31/2003 09:53:16 Generic_Co: Respond to initiate contact notify for p2 sas.
01/31/2003 09:53:16 Generic_Co: Receive Notify Payload: doi(1), msg(24578), txt nxt(0)
01/31/2003 09:53:16 Receive UDP packets from (x.x.x.x/500) on untrust (66.228.128.194/500)
01/31/2003 09:53:16 Generic_Co: Phase 2 (x.x.x.x) start (initiator).
01/31/2003 09:53:16 Generic_Co: Phase 1 (x.x.x.x) complete, aggr. mode, 28800sec.
01/31/2003 09:53:16 Receive UDP packets from (x.x.x.x/500) on untrust (66.228.128.194/500)
01/31/2003 09:53:16 Receive UDP packets from (x.x.x.x/500) on untrust (66.228.128.194/500)
01/31/2003 09:53:16 Receive UDP packets from (x.x.x.x/500) on untrust (66.228.128.194/500)
01/31/2003 09:53:16 Receive UDP packets from (x.x.x.x/500) on untrust (66.228.128.194/500)
01/31/2003 09:53:16 Generic_Co: Phase 1 (x.x.x.x) start (initiator) aggr. mode.
Here is the SA that I get, which then disappears after 15 seconds or so:
005/0, 66.228.130.194->x.x.x.x: PRESHR/grp2/3DES/SHA, xchg(4) usr(d-1/u-1) resent-tmr 0 lifetime 28800 lt-recv 0 nxt_rekey 28739 cert-expire 0
initiator 1, in-out 1, err cnt 11, send dir 0, cond
102f/3, x.x.x.x->y.y.y.y: PRESHR/grp1/3DES/SHA, xchg(2) usr(d-1/u-1) resent-tmr 0 lifetime 7200 lt-recv 7200 nxt_rekey 7154 cert-expire 0
initiator 0, in-out 0, err cnt 0, send dir 1, cond 0
Here is the config:
set ike p1-proposal "pre-g2-3des-sha (Med Pact)" Preshare Group2 esp 3DES SHA second 7200
set ike p2-proposal "nopfs-esp-3des-sha (Med Pact)" no-pfs ESP 3DES SHA second 7200 kbyte 10000
set ike gateway "Med Pact" ip x.x.x.x aggr preshare "xxxxxx" proposal "pre-g2-3des-sha (Med Pac)"
x=PIX y=NS-1000
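An added example, not part of the thread and not anyone's posted code: a small Python script that pulls the phase-1 attributes, quick-mode attempt and retransmit counts and the proxy identities out of a PIX 6.x `debug crypto isakmp` / `debug crypto ipsec` capture like the ones above, parses the NetScreen `set ike` lines, and lists the points that have to agree before phase 2 can complete. The sample debug and config embedded in it are constructed from the posts in this thread, with RFC 5737 placeholder addresses in place of the masked ones; the `initialize_sas` success marker, the `set pfs` crypto-map remark and the checklist the script prints are the usual PIX-to-NetScreen troubleshooting items, not the thread's own diagnosis.

```python
"""Summarize what a PIX 6.x `debug crypto isakmp`/`debug crypto ipsec` capture and the
NetScreen `set ike` lines each offer, and list the phase-2 points that must agree.
Added example, not from the thread; addresses are RFC 5737 placeholders."""
import re

# Constructed sample input, modelled on the debug and config posted in the thread.
PIX_DEBUG = """\
ISAKMP (0): beginning Main Mode exchange
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: life duration (basic) of 7200
ISAKMP (0): SA has been authenticated
ISAKMP (0): beginning Quick Mode exchange, M-ID of -1513388367:a5cb86b1
ISAKMP (0): retransmitting phase 2...
  local_proxy= 192.168.151.0/255.255.255.0/0/0 (type=4),
  remote_proxy= 10.250.0.203/255.255.255.255/0/0 (type=1)
ISAKMP (0): beginning Quick Mode exchange, M-ID of -1351861563:af6c3ac5
ISAKMP (0): retransmitting phase 2...
ISAKMP (0): retransmitting phase 2...
"""
NS_CONFIG = """\
set ike p1-proposal "pre-g2-3des-sha (Med Pact)" Preshare Group2 esp 3DES SHA second 7200
set ike p2-proposal "nopfs-esp-3des-sha (Med Pact)" no-pfs ESP 3DES SHA second 7200 kbyte 10000
set ike gateway "Med Pact" ip 198.51.100.34 aggr preshare "xxxxxx" proposal "pre-g2-3des-sha (Med Pac)"
"""
P1_ATTR = re.compile(r"^ISAKMP: (?P<key>encryption|hash|default group|auth|life type|"
                     r"life duration \(basic\))(?: of| in)? (?P<val>.+)$")
PROXY = re.compile(r"(?P<side>local|remote)_proxy= (?P<addr>[\d.]+)/(?P<mask>[\d.]+)/(?P<proto>\d+)/(?P<port>\d+)")
NS_P1 = re.compile(r'^set ike p1-proposal "(?P<name>[^"]+)" (?P<auth>\S+) (?P<group>\S+) \S+ '
                   r'(?P<enc>\S+) (?P<hash>\S+) second (?P<sec>\d+)', re.I)
NS_P2 = re.compile(r'^set ike p2-proposal "(?P<name>[^"]+)" (?P<pfs>\S+) \S+ (?P<enc>\S+) '
                   r'(?P<hash>\S+) second (?P<sec>\d+)(?: kbyte (?P<kb>\d+))?', re.I)
NS_GW = re.compile(r'^set ike gateway "(?P<name>[^"]+)" ip (?P<ip>\S+) (?P<mode>aggr|main) '
                   r'preshare "[^"]*" proposal "(?P<proposal>[^"]+)"', re.I)
# Substrings that mark events in the PIX debug; IPSEC(initialize_sas) appears once phase 2 succeeds.
FLAGS = {"beginning Main Mode exchange": "main_mode", "SA has been authenticated": "authenticated",
         "initialize_sas": "ipsec_sa_installed"}
COUNTS = {"beginning Quick Mode exchange": "quick_mode_starts", "retransmitting phase 2": "phase2_retransmits"}


def prefix_len(mask):
    """Dotted netmask -> prefix length (255.255.255.0 -> 24)."""
    return sum(bin(int(o)).count("1") for o in mask.split("."))


def parse_pix_debug(text):
    r = {"phase1": {}, "proxies": [], "quick_mode_starts": 0, "phase2_retransmits": 0,
         "main_mode": False, "authenticated": False, "ipsec_sa_installed": False}
    pending = {}
    for line in text.splitlines():
        if m := P1_ATTR.match(line.strip()):
            r["phase1"][m["key"]] = m["val"]
        for marker, key in FLAGS.items():
            r[key] = r[key] or marker in line
        for marker, key in COUNTS.items():
            r[key] += marker in line
        for pm in PROXY.finditer(line):
            pending[pm["side"]] = (f"{pm['addr']}/{prefix_len(pm['mask'])}", pm["proto"], pm["port"])
        if len(pending) == 2:  # local and remote both seen: one proxy-ID pair the PIX is offering
            pair = (pending.pop("local"), pending.pop("remote"))
            if pair not in r["proxies"]:
                r["proxies"].append(pair)
    return r


def parse_ns_config(text):
    ns = {"p1": {}, "p2": {}, "gateways": {}}
    for line in text.splitlines():
        if m := NS_P1.match(line):
            ns["p1"][m["name"]] = {k: m[k].lower() for k in ("auth", "group", "enc", "hash", "sec")}
        elif m := NS_P2.match(line):
            ns["p2"][m["name"]] = {k: (m[k] or "").lower() for k in ("pfs", "enc", "hash", "sec", "kb")}
        elif m := NS_GW.match(line):
            ns["gateways"][m["name"]] = {"ip": m["ip"], "mode": m["mode"].lower(), "proposal": m["proposal"]}
    return ns


def compare(pix, ns):
    """Findings to check next; each one is derived only from the two inputs."""
    f, p1 = [], pix["phase1"]
    if pix["authenticated"] and pix["quick_mode_starts"] and not pix["ipsec_sa_installed"]:
        f.append(f"phase 1 authenticated, but {pix['quick_mode_starts']} quick-mode attempts and "
                 f"{pix['phase2_retransmits']} retransmits installed no IPsec SA: the peer is "
                 "silently dropping the phase-2 proposal")
    for gname, gw in ns["gateways"].items():
        if gw["proposal"] not in ns["p1"]:
            f.append(f'gateway "{gname}" references undefined p1-proposal "{gw["proposal"]}"')
        if gw["mode"] == "aggr" and pix["main_mode"]:
            f.append(f'gateway "{gname}" is aggressive mode; the PIX debug shows Main Mode')
    digits = lambda s: re.sub(r"\D", "", s)
    for name, prop in ns["p1"].items():  # phase-1 attributes, normalised for comparison
        for what, a, b in (("encryption", p1.get("encryption", "").split("-")[0].lower(), prop["enc"]),
                           ("hash", p1.get("hash", "").lower(), prop["hash"]),
                           ("DH group", digits(p1.get("default group", "")), digits(prop["group"])),
                           ("lifetime", p1.get("life duration (basic)"), prop["sec"])):
            if a != b:
                f.append(f'phase 1 {what}: PIX {a} vs NetScreen "{name}" {b}')
    if ns["p2"] and all(p["pfs"] == "no-pfs" for p in ns["p2"].values()):
        f.append("NetScreen phase-2 proposals are no-pfs: the PIX crypto map entry must not set pfs")
    for (laddr, lproto, lport), (raddr, rproto, rport) in pix["proxies"]:
        f.append(f"PIX proxy IDs: local {laddr} proto {lproto} port {lport} <-> remote {raddr} proto "
                 f"{rproto} port {rport}; the NetScreen policy/proxy-id must mirror these exactly")
    return f


if __name__ == "__main__":
    for finding in compare(parse_pix_debug(PIX_DEBUG), parse_ns_config(NS_CONFIG)):
        print("-", finding)
```

Run against the constructed sample, the script reports that phase 1 matches on every attribute and that the failure is confined to quick mode, that the gateway line as posted names a proposal "(Med Pac)" while the defined one is "(Med Pact)", that the NetScreen gateway is configured for aggressive mode while the PIX initiates main mode, that the phase-2 proposal is no-pfs, and it prints the exact proxy IDs the PIX is offering (192.168.151.0/24 to 10.250.0.203/32). The NetScreen policy that carries its own proxy IDs is not in the posted excerpt, so that last item stays a manual check against the ScreenOS policy.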