
New Member

VPN Debug Analysis

Can someone tell me what the attached debug output statement entails? I tried to configure a VPN connection from a Windows 2000 client using the native L2TP/IPSec to connect to the PIX via transport mode. I also configured the PIX to use IKE with pre-share key, dynamic map to assign IP addresses to remote clients, and local authentication. I don't know where in the process it failed to connect, and I was hoping someone can tell me from the debug statement. Was my phase 1 IKE successful or not? What about phase 2? How far did the VPN process go before it terminated? Any help is greatly appreciated. Thanks.

Debug statement:

PIX#

crypto_isakmp_process_block: src 206.100.100.1, dest 63.100.100.1

VPN Peer: ISAKMP: Added new peer: ip:206.100.100.1 Total VPN Peers:1

VPN Peer: ISAKMP: Peer ip:206.100.100.1 Ref cnt incremented to:1 Total VPN Peers:1

OAK_MM exchange

ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy

ISAKMP: encryption DES-CBC

ISAKMP: hash MD5

ISAKMP: default group 2

ISAKMP: auth RSA sig

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x0 0xe 0x10

ISAKMP (0): atts are not acceptable. Next payload is 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 65535 policy

ISAKMP: encryption DES-CBC

ISAKMP: hash MD5

ISAKMP: default group 2

ISAKMP: auth RSA sig

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x0 0xe 0x10

ISAKMP (0): atts are not acceptable. Next payload is 0

ISAKMP (0): no offers accepted!

ISAKMP (0): SA not acceptable!

return status is IKMP_ERR_TRANS

crypto_isakmp_process_block: src 206.100.100.1, dest 63.100.100.1

VPN Peer: ISAKMP: Peer ip:206.100.100.1 Ref cnt incremented to:2 Total VPN Peers:1

VPN Peer: ISAKMP: Peer ip:206.100.100.1 Ref cnt decremented to:1 Total VPN Peers:1

crypto_isakmp_process_block: src 206.100.100.1, dest 63.100.100.1

VPN Peer: ISAKMP: Peer ip:206.100.100.1 Ref cnt incremented to:2 Total VPN Peers:1

VPN Peer: ISAKMP: Peer ip:206.100.100.1 Ref cnt decremented to:1 Total VPN Peers:1

crypto_isakmp_process_block: src 206.100.100.1, dest 63.100.100.1

VPN Peer: ISAKMP: Peer ip:206.100.100.1 Ref cnt incremented to:2 Total VPN Peers:1

VPN Peer: ISAKMP: Peer ip:206.100.100.1 Ref cnt decremented to:1 Total VPN Peers:1

ISADB: reaper checking SA 0x813d12e0, conn_id = 0

crypto_isakmp_process_block: src 206.100.100.1, dest 63.100.100.1

VPN Peer: ISAKMP: Peer ip:206.100.100.1 Ref cnt incremented to:2 Total VPN Peers:1

VPN Peer: ISAKMP: Peer ip:206.100.100.1 Ref cnt decremented to:1 Total VPN Peers:1

crypto_isakmp_process_block: src 206.100.100.1, dest 63.100.100.1

VPN Peer: ISAKMP: Peer ip:206.100.100.1 Ref cnt incremented to:2 Total VPN Peers:1

VPN Peer: ISAKMP: Peer ip:206.100.100.1 Ref cnt decremented to:1 Total VPN Peers:1

ISAKMP (0): deleting SA: src 206.100.100.1, dst 63.100.100.1

ISADB: reaper checking SA 0x813d12e0, conn_id = 0 DELETE IT!

VPN Peer: ISAKMP: Peer ip:206.100.100.1 Ref cnt decremented to:0 Total VPN Peers:1

VPN Peer: ISAKMP: Deleted peer: ip:206.100.100.1 Total VPN peers:0

crypto_isakmp_process_block: src 206.100.100.1, dest 63.100.100.1

PIX#

1 REPLY
Cisco Employee

Re: VPN Debug Analysis

These two lines:

ISAKMP (0): no offers accepted!

ISAKMP (0): SA not acceptable!

indicate your Phase 1 parameters don't match what the PC is sending, and therefore they failed. The PC is sending this:

ISAKMP: encryption DES-CBC

ISAKMP: hash MD5

ISAKMP: default group 2

ISAKMP: auth RSA sig

which shows it's trying to use certs (RSA-SIG), not the pre-shared key that you might have set up. If you follow this (http://www.cisco.com/warp/public/471/vpn3k_l2tp.html) you'll see you have to make a registry change on the PC to force it to use the pre-shared key, even if you put it in its configuration. Note that this sample config is for L2TP/IPSec to a VPN3000, but the client setup is the same, which seems to be where your problem lies at this point.
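
The reading given in the reply above can be automated. The following is an added example, not part of the original thread: a Python parser that groups the offered ISAKMP attributes by the PIX policy they were checked against and reports whether any proposal was accepted. The `expected_auth` default of `pre-share` and the `atts are acceptable` success line are assumptions about PIX debug wording that does not appear on this page.

```python
import re

# Abridged from the debug output posted in the question above.
SAMPLE = """\
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth RSA sig
ISAKMP (0): atts are not acceptable. Next payload is 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 65535 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth RSA sig
ISAKMP (0): atts are not acceptable. Next payload is 0
ISAKMP (0): no offers accepted!
ISAKMP (0): SA not acceptable!
return status is IKMP_ERR_TRANS
"""

CHECK = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
ATTR = re.compile(r"^ISAKMP:\s+(encryption|hash|default group|auth)\s+(.+)$")

def analyze(debug_text, expected_auth="pre-share"):
    """Summarize the Phase 1 proposal checks; expected_auth is an assumed policy value."""
    checks, cur, rejected = [], None, False
    for line in (l.strip() for l in debug_text.splitlines()):
        if m := CHECK.search(line):
            # One entry per (peer transform, local policy priority) comparison.
            cur = {"transform": int(m[1]), "priority": int(m[2]), "attrs": {}, "accepted": None}
            checks.append(cur)
        elif cur and (m := ATTR.match(line)):
            cur["attrs"][m[1]] = m[2]          # attribute the peer offered
        elif cur and "atts are not acceptable" in line:
            cur["accepted"] = False
        elif cur and "atts are acceptable" in line:
            cur["accepted"] = True
        elif "no offers accepted" in line or "SA not acceptable" in line:
            rejected = True                    # every policy rejected the offer
    offered_auth = sorted({c["attrs"]["auth"] for c in checks if "auth" in c["attrs"]})
    return {
        "proposal_accepted": bool(checks) and not rejected and any(c["accepted"] for c in checks),
        "checks": checks,
        "offered_auth": offered_auth,
        "auth_mismatch": bool(offered_auth) and expected_auth not in offered_auth,
    }
```

Calling `analyze(SAMPLE)` shows both policies (priority 10 and 65535) rejecting the same transform, with `RSA sig` as the only authentication method the client offered.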
