
What is wrong ? PIX515 <--> W2K server (tunnel)

Hi,

Who can tell me what's wrong with the following debug on a PIX 515? It looks OK (till PHASE 2 I think) but I can't go/see to the other site of the tunnel.

Thanks,

**********************************************************************************************************

IPSEC(key_engine): request timer fired: count = 1,

(identity) local= 203.44.79.66, remote= 193.121.52.69,

local_proxy= 10.1.1.0/255.255.255.0/0/0 (type=4),

remote_proxy= 89.0.0.0/255.0.0.0/0/0 (type=4)

VPN Peer: ISAKMP: Added new peer: ip:193.121.52.69 Total VPN Peers:2

VPN Peer: ISAKMP: Peer ip:193.121.52.69 Ref cnt incremented to:1 Total VPN Peers:2

ISAKMP (0): beginning Main Mode exchange

crypto_isakmp_process_block: src 193.121.52.69, dest 203.44.79.66

OAK_MM exchange

ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy

ISAKMP: encryption DES-CBC

ISAKMP: hash MD5

ISAKMP: default group 1

ISAKMP: auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80

ISAKMP (0): atts are acceptable. Next payload is 0

ISAKMP (0): processing vendor id payload

ISAKMP (0): speaking to a MSWIN2K client

ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR

return status is IKMP_NO_ERROR

crypto_isakmp_process_block: src 193.121.52.69, dest 203.44.79.66

OAK_MM exchange

ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

ISAKMP (0): ID payload

next-payload : 8

type : 1

protocol : 17

port : 500

length : 8

ISAKMP (0): Total payload length: 12

return status is IKMP_NO_ERROR

crypto_isakmp_process_block: src 193.121.52.69, dest 203.44.79.66

OAK_MM exchange

ISAKMP (0): processing ID payload. message ID = 0

ISAKMP (0): processing HASH payload. message ID = 0

ISAKMP (0): SA has been authenticated

ISAKMP (0): beginning Quick Mode exchange, M-ID of -1798836666:94c7ee46IPSEC(key_engine): got a queue event...

IPSEC(spi_response): getting spi 0x8654cc5d(2253704285) for SA

from 193.121.52.69 to 203.44.79.66 for prot 3

return status is IKMP_NO_ERROR

crypto_isakmp_process_block: src 193.121.52.69, dest 203.44.79.66

ISAKMP (0): processing NOTIFY payload 18 protocol 3

spi 0, message ID = 3265250599IPSEC(key_engine): got a queue event...

IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP

IPSEC(key_engine_delete_sas): delete all SAs shared with 193.121.52.69

return status is IKMP_NO_ERR_NO_TRANS

Intelfw#

ISAKMP (0): retransmitting phase 2...IPSEC(key_engine): request timer fired: count = 2,

(identity) local= 203.44.79.66, remote= 193.121.52.69,

local_proxy= 10.1.1.0/255.255.255.0/0/0 (type=4),

remote_proxy= 89.0.0.0/255.0.0.0/0/0 (type=4)

ISAKMP (0): retransmitting phase 2...

ISAKMP (0): retransmitting phase 2...

ISAKMP (0): retransmitting phase 2...

crypto_isakmp_process_block: src 193.121.52.69, dest 203.44.79.66

ISAKMP (0): processing NOTIFY payload 18 protocol 3

spi 0, message ID = 2114280501IPSEC(key_engine): got a queue event...

IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP

IPSEC(key_engine_delete_sas): delete all SAs shared with 193.121.52.69

return status is IKMP_NO_ERR_NO_TRANS

Intelfw#

Intelfw#

**********************************************************************************************************

Thanks,

Dieter

1 REPLY

Re: What is wrong ? PIX515 <--> W2K server (tunnel)

Often times complex troubleshooting issues are best addressed in an interactive session with one of our trained technical assistance engineers. While other forum users may be able to help, it’s often difficult to do so for this type of issue.

To utilize the resources at our Technical Assistance Center, please visit http://www.cisco.com/tac and to open a case with one of our TAC engineers, visit http://www.cisco.com/tac/caseopen

If anyone else in the forum has some advice, please reply to this thread.

Thank you for posting.
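
An added example, not part of the original thread and not Cisco tooling: it reads the debug output posted in the question, reports how far the negotiation got, decodes the number after "NOTIFY payload", and flags obsolete Phase 1 parameters. Reading that number as the RFC 2408 notify message type is an assumption about this debug format, and the function name triage is hypothetical.

```python
import re

# Subset of the notify message types in RFC 2408, section 3.14.1.
NOTIFY = {9: "INVALID-MESSAGE-ID", 11: "INVALID-SPI", 14: "NO-PROPOSAL-CHOSEN",
          18: "INVALID-ID-INFORMATION", 24: "AUTHENTICATION-FAILED"}
# Protocol identifiers from the IPsec DOI (RFC 2407).
PROTO = {1: "ISAKMP", 2: "AH", 3: "ESP", 4: "IPCOMP"}
# Phase 1 attribute values that are obsolete: single DES, MD5, 768-bit DH group 1.
WEAK = {"encryption": "DES-CBC", "hash": "MD5", "default group": "1"}

PROXY_RE = re.compile(r"(local|remote)_proxy= *([\d.]+)/([\d.]+)")
NOTIFY_RE = re.compile(r"processing NOTIFY payload (\d+) protocol (\d+)")
ATTR_RE = re.compile(r"ISAKMP: (encryption|hash|default group) (\S+)")

def triage(text):
    """Summarise a PIX ISAKMP/IPSEC debug capture (hypothetical helper)."""
    # Search the whole text rather than line by line: the PIX fuses ISAKMP and
    # IPSEC messages onto one line ("...94c7ee46IPSEC(key_engine): ...").
    notifies = [(NOTIFY.get(int(n), f"type {n}"), PROTO.get(int(p), f"protocol {p}"))
                for n, p in NOTIFY_RE.findall(text)]
    return {
        "phase1_authenticated": "SA has been authenticated" in text,
        "quick_mode_started": "beginning Quick Mode exchange" in text,
        "phase2_retransmits": text.count("retransmitting phase 2"),
        "sas_deleted": "delete all SAs shared with" in text,
        "proxies": {s: f"{net}/{mask}" for s, net, mask in PROXY_RE.findall(text)},
        "notifies": notifies,
        "weak_phase1": [f"{k} {v}" for k, v in ATTR_RE.findall(text) if WEAK[k] == v],
    }

# Excerpt of the debug output posted in this thread.
SAMPLE = """\
local_proxy= 10.1.1.0/255.255.255.0/0/0 (type=4),
remote_proxy= 89.0.0.0/255.0.0.0/0/0 (type=4)
ISAKMP: encryption DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 1
ISAKMP (0): SA has been authenticated
ISAKMP (0): beginning Quick Mode exchange, M-ID of -1798836666:94c7ee46IPSEC(key_engine): got a queue event...
ISAKMP (0): processing NOTIFY payload 18 protocol 3
IPSEC(key_engine_delete_sas): delete all SAs shared with 193.121.52.69
ISAKMP (0): retransmitting phase 2...
ISAKMP (0): retransmitting phase 2...
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

On the posted debug this shows Phase 1 authenticated and the peer answering Quick Mode with INVALID-ID-INFORMATION for ESP. In Quick Mode the identities exchanged are the proxy networks, so the local_proxy/remote_proxy pair is the first thing to compare against the IPsec policy on the Windows 2000 side.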
