Site-to-Site VPN failing (between Services SPA Carrier-400 and ASA5510)

griever060684
Level 1

Hi there,

I am establishing a site-to-site VPN connection with one of our clients, and this is just the first time we are using the integrated Services SPA of Cisco installed in our 7609 router.

The configuration and logs are attached in this one. I am basically confused and unsure where exactly we are failing in the VPN parameter negotiations. I am attaching the configuration as well as the logs taken from our router.

3 Replies

Collin Clark
VIP Alumni

ISAKMP phase 1 is failing. Check your ISAKMP config and passwords. They need to match on each side. Here's a link to an excellent VPN troubleshooting guide.

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml

Hi Collin,

We have checked and it seems we do have an exact match in the VPN parameters. One thing I have noticed, though, is that I am receiving a duplicate Phase 1 from their end. What are the possible reasons for this?

Jul 2 13:33:38.153: ISAKMP (0): received packet from ***.***.***.*** dport 500 sport 500 Global (R) MM_SA_SETUP
Jul 2 13:33:38.157: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.
Jul 2 13:33:38.157: ISAKMP:(0): retransmitting due to retransmit phase 1
Jul 2 13:33:38.157: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...

griever060684
Level 1

Hi, we were finally able to get past the first error. However, I am now seeing this error. What could this mean?

Jul 10 14:09:25.999: ISAKMP:(68516):Send initial contact
Jul 10 14:09:25.999: ISAKMP:(68516):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
Jul 10 14:09:25.999: ISAKMP (68516): ID payload
        next-payload : 8
        type : 1
        address : yyy.yyy.yyy.yyy
        protocol : 17
        port : 500
        length : 12
Jul 10 14:09:25.999: ISAKMP:(68516):Total payload length: 12
Jul 10 14:09:25.999: crypto_engine: Generate IKE hash
Jul 10 14:09:25.999: crypto_engine: Encrypt IKE packet
Jul 10 14:09:25.999: ISAKMP:(68516): sending packet to ***.***.***.*** my_port 500 peer_port 500 (I) MM_KEY_EXCH
Jul 10 14:09:25.999: ISAKMP:(68516):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Jul 10 14:09:25.999: ISAKMP:(68516):Old State = IKE_I_MM4 New State = IKE_I_MM5
Jul 10 14:09:26.127: ISAKMP (68516): received packet from ***.***.***.*** dport 500 sport 500 Global (I) MM_KEY_EXCH
Jul 10 14:09:26.127: crypto_engine: Decrypt IKE packet
Jul 10 14:09:26.127: ISAKMP:(68516): processing ID payload. message ID = 0
Jul 10 14:09:26.127: ISAKMP (68516): ID payload
        next-payload : 8
        type : 2
        FQDN name : easytrip.default.domain.invalid
        protocol : 0
        port : 0
        length : 39
Jul 10 14:09:26.127: ISAKMP:(68516):Expected EasyTripPROFILE profile doesn't match, aborting exchange
Jul 10 14:09:26.127: ISAKMP (68516): FSM action returned error: 2
Jul 10 14:09:26.127: ISAKMP:(68516):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jul 10 14:09:26.127: ISAKMP:(68516):Old State = IKE_I_MM5 New State = IKE_I_MM6
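
An added example, not part of the thread and not Cisco tooling: a small Python parser for ISAKMP debug output like the excerpt above, reporting which identity type each side presented in the ID payload and any line where the exchange was aborted. It assumes that an ID payload dump not preceded by a "processing ID payload" line is the local router's own; `SAMPLE` is trimmed from the log in the post.

```python
import re

# Constructed sample: trimmed from the debug excerpt in the post above.
SAMPLE = """\
Jul 10 14:09:25.999: ISAKMP (68516): ID payload
next-payload : 8
type : 1
address : yyy.yyy.yyy.yyy
protocol : 17
port : 500
length : 12
Jul 10 14:09:25.999: ISAKMP:(68516): sending packet to ***.***.***.*** my_port 500 peer_port 500 (I) MM_KEY_EXCH
Jul 10 14:09:26.127: ISAKMP:(68516): processing ID payload. message ID = 0
Jul 10 14:09:26.127: ISAKMP (68516): ID payload
next-payload : 8
type : 2
FQDN name : easytrip.default.domain.invalid
protocol : 0
port : 0
length : 39
Jul 10 14:09:26.127: ISAKMP:(68516):Expected EasyTripPROFILE profile doesn't match, aborting exchange
"""

# ID type numbers from the IPsec DOI (RFC 2407, section 4.6.2.1).
ID_TYPES = {1: "ID_IPV4_ADDR", 2: "ID_FQDN", 3: "ID_USER_FQDN"}
LOG = re.compile(r"^\w{3}\s+\d+ [\d:.]+: (.*)$")     # timestamped debug line
FIELD = re.compile(r"^\s*([\w -]+?)\s*:\s*(.+)$")    # "key : value" payload field

def summarize(text):
    """Return (id_payloads, abort_lines); each payload has 'from' = local|peer."""
    payloads, aborts, current, direction = [], [], None, "local"
    for line in text.splitlines():
        m = LOG.match(line)
        if m:
            msg, current = m.group(1), None
            if "processing ID payload" in msg:
                direction = "peer"  # assumption: the next dump is the peer's ID
            elif msg.endswith("ID payload"):
                current = {"from": direction}
                payloads.append(current)
                direction = "local"
            elif "aborting exchange" in msg:
                aborts.append(msg)
        elif current is not None and (f := FIELD.match(line)):
            key, val = f.group(1).strip(), f.group(2).strip()
            current[key] = ID_TYPES.get(int(val), val) if key == "type" else val
    return payloads, aborts
```

On the sample, the local side presents `ID_IPV4_ADDR` while the peer presents `ID_FQDN` with the name `easytrip.default.domain.invalid`, immediately before the "profile doesn't match" abort line.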
