
New Member

PIX to Router IPSEC VPN - ISAKMP fail?

Hi -

Consider the following error from a isakmp debug on the PIX:

ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 21 policy

ISAKMP: encryption DES-CBC

ISAKMP: hash SHA

ISAKMP: default group 1

ISAKMP: auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80

ISAKMP (0): atts are acceptable. Next payload is 0

ISAKMP (0): Unable to generate DH phase I values!

return status is IKMP_ERR_RETRANS

key exchange never makes it out of MM_NO_STATE

As you can see, my isakmp attributes are good, but all of a sudden I get that last error message about phase I.

Never heard of this before. Any ideas?

Cisco PIX Firewall Version 6.1(1)

C2600 Software (C2600-IK8S-M), Version 12.2(8)T

Standard config as per http://www.cisco.com/warp/customer/110/39.html

I've verified that I am running a transform set of esp-des only. I'm not making it to ipsec, so I don't think that's my problem.

Thanks!

4 REPLIES
New Member

Re: PIX to Router IPSEC VPN - ISAKMP fail?

It looks like it may be having a problem calculating the Diffie-Hellman values? Maybe you should try making the transform set esp-des esp-md5-hmac like in the doc. If that still does not work it could be a bug. Try a different version of code on your 2600. Good luck.

New Member

Re: PIX to Router IPSEC VPN - ISAKMP fail?

Ok. That's what I thought. Diffie-Hellman values not working. On the PIX side.

Changed my isakmp policy to use md5 hash, but get same error. Router has other tunnels to other routers, that cannot be changed, so my configuration is not exactly as the configuration guide.

My router is Version 12.2(8)T. Just upgraded.

Any other ideas?

New Member

Re: PIX to Router IPSEC VPN - ISAKMP fail?

Don't bother modifying your transform sets they are only for negotiating the phase 2 tunnel establishments. If your problem lies in phase one group issues, you may wanna use DH group 2

this is a 1024-bit group identifier

link to config on pix is

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v50/config/ipsec.htm#xtocid1580135

and on the router

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/fipsenc/scfike.htm#22086

IKE is what you should be Troubleshooting not Transform sets

Since you have other tunnels, create a brand new ISA policy for the problem tunnel and troubleshoot with the test policy.
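To make the point of the replies above concrete (the failure is in IKE phase 1, after the proposal has already been accepted against policy 21, so transform sets never come into play), here is a small added Python script that parses the ISAKMP debug output from the original question and classifies where the negotiation stopped. It is an added example, not code from the thread or from Cisco; the sample debug lines are embedded as constructed input (copied from the question), the line formats it matches are only the ones visible in the thread, and the verdict strings are this example's own labels.

```python
import re

# Constructed sample input: the PIX "debug crypto isakmp" lines quoted in the question.
SAMPLE_DEBUG = """\
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 21 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 1
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): Unable to generate DH phase I values!
return status is IKMP_ERR_RETRANS
"""

# Constructed variant: the same proposal rejected by the peer's policy (no phase 1 match).
SAMPLE_NO_MATCH = """\
ISAKMP (0): Checking ISAKMP transform 1 against priority 21 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 1
ISAKMP: auth pre-share
ISAKMP (0): atts are not acceptable. Next payload is 0
"""

ATTR_PATTERNS = {
    "encryption": re.compile(r"^ISAKMP:\s+encryption\s+(\S+)"),
    "hash": re.compile(r"^ISAKMP:\s+hash\s+(\S+)"),
    "group": re.compile(r"^ISAKMP:\s+default group\s+(\d+)"),
    "auth": re.compile(r"^ISAKMP:\s+auth\s+(\S+)"),
}
LIFE_RE = re.compile(r"^ISAKMP:\s+life duration \(VPI\) of ((?:0x[0-9a-fA-F]+\s*)+)$")
POLICY_RE = re.compile(r"against priority (\d+) policy")


def lifetime_seconds(vpi_bytes: str) -> int:
    """Join the big-endian byte list the debug prints ('0x0 0x1 0x51 0x80') into one integer."""
    value = 0
    for tok in vpi_bytes.split():
        value = (value << 8) | int(tok, 16)
    return value


def analyze_isakmp_debug(text: str) -> dict:
    """Walk the debug lines once and decide which stage of IKE phase 1 failed."""
    result = {
        "policy": None,          # local ISAKMP policy priority the proposal was checked against
        "attrs": {},             # proposed phase 1 attributes
        "lifetime_seconds": None,
        "atts_acceptable": None,  # True / False / None (never reached)
        "phase1_error": None,    # the error line, if any, after attributes were accepted
        "verdict": "",
    }
    for raw in text.splitlines():
        line = raw.strip()
        m = POLICY_RE.search(line)
        if m:
            result["policy"] = int(m.group(1))
        for name, pat in ATTR_PATTERNS.items():
            m = pat.match(line)
            if m:
                result["attrs"][name] = m.group(1)
        m = LIFE_RE.match(line)
        if m:
            result["lifetime_seconds"] = lifetime_seconds(m.group(1))
        if "atts are not acceptable" in line:
            result["atts_acceptable"] = False
        elif "atts are acceptable" in line:
            result["atts_acceptable"] = True
        if "Unable to generate DH" in line:
            result["phase1_error"] = line

    # Classification: everything here happens before any IPsec (phase 2) negotiation,
    # so transform sets cannot be the cause in either failing case.
    if result["atts_acceptable"] is False:
        result["verdict"] = "no_matching_isakmp_policy"
    elif result["atts_acceptable"] and result["phase1_error"]:
        result["verdict"] = "dh_generation_failed"
    elif result["atts_acceptable"]:
        result["verdict"] = "phase1_attributes_accepted"
    else:
        result["verdict"] = "no_phase1_exchange_seen"
    return result


if __name__ == "__main__":
    for label, sample in (("question", SAMPLE_DEBUG), ("variant", SAMPLE_NO_MATCH)):
        r = analyze_isakmp_debug(sample)
        print(label, r["verdict"], "policy", r["policy"], r["attrs"], "lifetime", r["lifetime_seconds"])
```

Run against the question's debug the script reports `dh_generation_failed` with policy 21, group 1 and a lifetime of 86400 seconds (the four VPI bytes 0x00 0x01 0x51 0x80 read as one big-endian integer), which is the distinction the third reply draws: the proposal matched, so the next thing to look at is the local DH key generation and a fresh test ISAKMP policy, not the phase 2 transform set.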

New Member

Re: PIX to Router IPSEC VPN - ISAKMP fail?

Thanks for the comments. I, too, thought that the adjustments to my policies would not make a difference. It didn't.

But I did fix it!

Rebooted the PIX. Everything came up fine.

I expect that my CA's were bad? I don't know that I ever ran any clear crypto type commands.

Thanks again! Problems solved with reboot!
