Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

problem with vpn

Hi everyone,

I have got a problem in configuring a vpn from a pix to a router. phase 1 and phase 2 is getting established and after that it is getting deleted. I cannot find anything unusual except a message saying that "throw:aborting runt ".I dont know how runt came into picture up here.Im pasting the debug output.

thanks in advance

Lainc-0014# sh crypto isakmp sa

Total : 1

Embryonic : 0

dst src state pending created

195.229.115.67 217.164.3.12 QM_IDLE 0 0

VPN Peer: ISAKMP: Deleted peer: ip:217.164.3.12 Total VPN peers:0

crypto_isakmp_process_block: src 217.164.3.12, dest 195.229.115.67

VPN Peer: ISAKMP: Added new peer: ip:217.164.3.12 Total VPN Peers:1

VPN Peer: ISAKMP: Peer ip:217.164.3.12 Ref cnt incremented to:1 Total VPN Peers:

1

OAK_MM exchange

ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 20 policy

ISAKMP: encryption DES-CBC

ISAKMP: hash MD5

ISAKMP: default group 1

ISAKMP: auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (basic) of 3600

ISAKMP (0): atts are acceptable. Next payload is 0

ISAKMP (0): SA is doing pre-shared key authentication using id type ID_FQDN

return status is IKMP_NO_ERROR

crypto_isakmp_process_block: src 217.164.3.12, dest 195.229.115.67

OAK_MM exchange

ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

ISAKMP (0): processing vendor id payload

ISAKMP (0): speaking to another IOS box!

return status is IKMP_NO_ERROR

crypto_isakmp_process_block: src 217.164.3.12, dest 195.229.115.67

OAK_MM exchange

ISAKMP (0): processing ID payload. message ID = 0

ISAKMP (0): processing HASH payload. message ID = 0

ISAKMP (0): SA has been authenticated

ISAKMP (0): ID payload

next-payload : 8

type : 2

protocol : 17

port : 500

length : 15

ISAKMP (0): Total payload length: 19

return status is IKMP_NO_ERROR

ISAKMP (0): sending INITIAL_CONTACT notify

ISAKMP (0): sending NOTIFY message 24578 protocol 1

crypto_isakmp_process_block: src 217.164.3.12, dest 195.229.115.67

OAK_QM exchange

oakley_process_quick_mode:

OAK_QM_IDLE

ISAKMP (0): processing SA payload. message ID = 2927748787

ISAKMP : Checking IPSec proposal 1

ISAKMP: transform 1, ESP_DES

ISAKMP: attributes in transform:

ISAKMP: encaps is 1

ISAKMP: SA life type in seconds

ISAKMP: SA life duration (basic) of 3600

ISAKMP: SA life type in kilobytes

ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0

ISAKMP: authenticator is HMAC-MD5

ISAKMP (0): atts are acceptable.IPSEC(validate_proposal_request): proposal part

#1,

(key eng. msg.) dest= 195.229.115.67, src= 217.164.3.12,

dest_proxy= 192.168.2.0/255.255.255.0/0/0 (type=4),

src_proxy= 192.168.7.0/255.255.255.0/0/0 (type=4),

protocol= ESP, transform= esp-des esp-md5-hmac ,

lifedur= 0s and 0kb,

spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4

ISAKMP (0): processing NONCE payload. message ID = 2927748787

ISAKMP (0): processing ID payload. message ID = 2927748787

ISAKMP (0): ID_IPV4_ADDR_SUBNET src 192.168.7.0/255.255.255.0 prot 0 port 0

ISAKMP (0): processing ID payload. message ID = 2927748787

ISAKMP (0): ID_IPV4_ADDR_SUBNET dst 192.168.2.0/255.255.255.0 prot 0 port 0IPSEC

(key_engine): got a queue event...

IPSEC(spi_response): getting spi 0x7e389955(2117638485) for SA

from 217.164.3.12 to 195.229.115.67 for prot 3

return status is IKMP_NO_ERROR

throw: aborting runt response

crypto_isakmp_process_block: src 217.164.3.12, dest 195.229.115.67

ISAKMP (0): processing NOTIFY payload 14 protocol 3

spi 2117638485, message ID = 2165430808

ISAKMP (0): deleting spi 1436104830 message ID = 2927748787

return status is IKMP_NO_ERR_NO_TRANS

crypto_isakmp_process_block: src 217.164.3.12, dest 195.229.115.67

OAK_QM exchange

oakley_process_quick_mode:

OAK_QM_IDLE

ISAKMP (0): processing SA payload. message ID = 1755603730

ISAKMP : Checking IPSec proposal 1

ISAKMP: transform 1, ESP_DES

ISAKMP: attributes in transform:

ISAKMP: encaps is 1

ISAKMP: SA life type in seconds

ISAKMP: SA life duration (basic) of 3600

ISAKMP: SA life type in kilobytes

ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0

ISAKMP: authenticator is HMAC-MD5

ISAKMP (0): atts are acceptable.IPSEC(validate_proposal_request): proposal part

#1,

(key eng. msg.) dest= 195.229.115.67, src= 217.164.3.12,

dest_proxy= 192.168.2.0/255.255.255.0/0/0 (type=4),

src_proxy= 192.168.7.0/255.255.255.0/0/0 (type=4),

protocol= ESP, transform= esp-des esp-md5-hmac ,

lifedur= 0s and 0kb,

spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4

ISAKMP (0): processing NONCE payload. message ID = 1755603730

ISAKMP (0): processing ID payload. message ID = 1755603730

ISAKMP (0): ID_IPV4_ADDR_SUBNET src 192.168.7.0/255.255.255.0 prot 0 port 0

ISAKMP (0): processing ID payload. message ID = 1755603730

ISAKMP (0): ID_IPV4_ADDR_SUBNET dst 192.168.2.0/255.255.255.0 prot 0 port 0IPSEC

(key_engine): got a queue event...

IPSEC(spi_response): getting spi 0x80ae241a(2158896154) for SA

from 217.164.3.12 to 195.229.115.67 for prot 3

return status is IKMP_NO_ERROR

throw: aborting runt response

crypto_isakmp_process_block: src 217.164.3.12, dest 195.229.115.67

ISAKMP (0): processing NOTIFY payload 14 protocol 3

spi 2158896154, message ID = 1577862784

ISAKMP (0): deleting spi 438611584 message ID = 1755603730

return status is IKMP_NO_ERR_NO_TRANS

crypto_isakmp_process_block: src 217.164.3.12, dest 195.229.115.67

ISAKMP (0): processing DELETE payload. message ID = 3857767929

ISAKMP (0): deleting SA: src 217.164.3.12, dst 195.229.115.67

return status is IKMP_NO_ERR_NO_TRANS

ISADB: reaper checking SA 0x80d066e0, conn_id = 0 DELETE IT!

VPN Peer: ISAKMP: Peer ip:217.164.3.12 Ref cnt decremented to:0 Total VPN Peers:

1

VPN Peer: ISAKMP: Deleted peer: ip:217.164.3.12 Total VPN peers:0

crypto_isakmp_process_block: src 217.164.3.12, dest 195.229.115.67

VPN Peer: ISAKMP: Added new peer: ip:217.164.3.12 Total VPN Peers:1

VPN Peer: ISAKMP: Peer ip:217.164.3.12 Ref cnt incremented to:1 Total VPN Peers:

1

2 REPLIES
Bronze

Re: problem with vpn

Hi there,

If I recall it right payload 14 in RFC means, attributes not accepted.

Can you add the VPN client logs as well?

Jazib

New Member

Re: problem with vpn

Hi!

I also faced a similar problem couple of days back and found out the solution. Disable any sort of AH or ESP-HMAC from the transform-set and the tunnle will come up with the encryption-decryption of the packets. The issue seems to be with some intermittent devices that are fragmentating the IPSec packets leading to mismatch of the Packet integrity number calculated by the AH at the time of encryption and decryption.

91
Views
0
Helpful
2
Replies