Cisco Support Community
Community Member

SA540 IKE Error - Sendto (Permission Denied)

Group,

Trying to build a site-to-site IPsec VPN tunnel and I am getting an error I am not familiar with; I was hoping someone could enlighten me before I come unglued. This SA540 "appears" to be configured the same as the additional 2 SA540/SA520 that built the tunnels successfully and without any issue at all. The endpoint is a Zywall USG100; from its logs it is obvious the error is on the SA540 side. I'm a bit puzzled. Any insight on this error and resolution would be greatly appreciated.

I have tried the usual bits: deleted the IKE and VPN proposals, rebooted the device, rebooted the Zywall, changed the configuration name, etc. None of it seems to stick.

Fri Jan 31 20:37:47 2014 (GMT -0500): [clrctr00fw0100] [IKE] INFO:  Using IPsec SA configuration: 10.0.2.0/24<->192.168.10.0/27

Fri Jan 31 20:37:47 2014 (GMT -0500): [clrctr00fw0100] [IKE] INFO:  Configuration found for xx.76.78.219.

Fri Jan 31 20:37:47 2014 (GMT -0500): [clrctr00fw0100] [IKE] INFO:  Configuration found for xx.76.78.219.

Fri Jan 31 20:37:47 2014 (GMT -0500): [clrctr00fw0100] [IKE] INFO:  Initiating new phase 1 negotiation: xx.76.78.218[500]<=>xx.76.78.219[500]

Fri Jan 31 20:37:47 2014 (GMT -0500): [clrctr00fw0100] [IKE] INFO:  Beginning Identity Protection mode.

Fri Jan 31 20:37:47 2014 (GMT -0500): [clrctr00fw0100] [IKE] INFO:   [isakmp_ident.c:185]: XXX: NUMNATTVENDORIDS: 3

Fri Jan 31 20:37:47 2014 (GMT -0500): [clrctr00fw0100] [IKE] INFO:   [isakmp_ident.c:189]: XXX: setting vendorid: 4

Fri Jan 31 20:37:47 2014 (GMT -0500): [clrctr00fw0100] [IKE] INFO:   [isakmp_ident.c:189]: XXX: setting vendorid: 8

Fri Jan 31 20:37:47 2014 (GMT -0500): [clrctr00fw0100] [IKE] INFO:   [isakmp_ident.c:189]: XXX: setting vendorid: 9

Fri Jan 31 20:37:47 2014 (GMT -0500): [clrctr00fw0100] [IKE] ERROR:  sendto (Permission denied)

Fri Jan 31 20:37:47 2014 (GMT -0500): [clrctr00fw0100] [IKE] ERROR:  sendfromto failed

Fri Jan 31 20:37:47 2014 (GMT -0500): [clrctr00fw0100] [IKE] ERROR:  Failed to begin ipsec sa negotiation with xx.76.78.219[500].

Fri Jan 31 20:37:51 2014 (GMT -0500): [clrctr00fw0100] [IKE] INFO:  accept a request to establish IKE-SA: xx.76.78.219

Fri Jan 31 20:37:51 2014 (GMT -0500): [clrctr00fw0100] [IKE] INFO:  Configuration found for xx.76.78.219.

Fri Jan 31 20:37:51 2014 (GMT -0500): [clrctr00fw0100] [IKE] INFO:  Configuration found for xx.76.78.219.

Fri Jan 31 20:37:51 2014 (GMT -0500): [clrctr00fw0100] [IKE] INFO:  Initiating new phase 1 negotiation: xx.76.78.218[500]<=>xx.76.78.219[500]

Fri Jan 31 20:37:51 2014 (GMT -0500): [clrctr00fw0100] [IKE] INFO:  Beginning Identity Protection mode.

Fri Jan 31 20:37:51 2014 (GMT -0500): [clrctr00fw0100] [IKE] INFO:   [isakmp_ident.c:185]: XXX: NUMNATTVENDORIDS: 3

Fri Jan 31 20:37:51 2014 (GMT -0500): [clrctr00fw0100] [IKE] INFO:   [isakmp_ident.c:189]: XXX: setting vendorid: 4

Fri Jan 31 20:37:51 2014 (GMT -0500): [clrctr00fw0100] [IKE] INFO:   [isakmp_ident.c:189]: XXX: setting vendorid: 8

Fri Jan 31 20:37:51 2014 (GMT -0500): [clrctr00fw0100] [IKE] INFO:   [isakmp_ident.c:189]: XXX: setting vendorid: 9

Fri Jan 31 20:37:51 2014 (GMT -0500): [clrctr00fw0100] [IKE] ERROR:  sendto (Permission denied)

Fri Jan 31 20:37:51 2014 (GMT -0500): [clrctr00fw0100] [IKE] ERROR:  sendfromto failed

Fri Jan 31 20:37:51 2014 (GMT -0500): [clrctr00fw0100] [IKE] ERROR:  failed to begin ipsec sa negotiation with xx.76.78.219[500].

Fri Jan 31 20:37:51 2014 (GMT -0500): [clrctr00fw0100] [IKE] ERROR:  Attempt of establishing IKE-SA: Failed: xx.76.78.219

2 REPLIES
Community Member

SA540 IKE Error - Sendto (Permission Denied)

Update: Well, I wasn't able to fix my problem but I was able to bypass it. The Zywall has a second WAN interface; I pointed the IPsec policy towards the second IP and the tunnel came right up. So, that being said, it would *appear* that the firewall doesn't like the specific IP address I was trying to point it to. If I can determine specifically what caused this issue I will pass it along.

Gold

SA540 IKE Error - Sendto (Permission Denied)

Ross,

It appears that WAN 1 rejected the IKE-SA so I'm guessing that the tunnel was configured to use WAN 2 on the Zywall.

- Marty
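
An added example, not part of the original thread: a small triage script for logs in the format posted above. It groups lines into phase 1 attempts and flags those where the IKE daemon's own send call returned an error, which the log shows happening before any reply from the peer. The function and pattern names are hypothetical, and the last sample line is constructed for contrast.

```python
import re

# Line layout as it appears in the log posted in this thread:
# "<timestamp> (GMT -0500): [<host>] [IKE] <LEVEL>:  <message>"
LINE = re.compile(r"^(?P<ts>.+?) \(GMT [+-]\d{4}\): \[(?P<host>[^\]]+)\] \[IKE\] "
                  r"(?P<level>INFO|ERROR):\s+(?P<msg>.*)$")
INIT = re.compile(r"Initiating new phase 1 negotiation: "
                  r"(?P<local>\S+)\[\d+\]<=>(?P<peer>\S+)\[\d+\]")
SENDTO = re.compile(r"^sendto \((?P<reason>[^)]+)\)")

def triage(lines):
    """Group log lines into phase 1 attempts and flag the ones that failed
    at the local socket send (the error is raised on the logging device)."""
    attempts, current = [], None
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank or unrelated line
        msg = m["msg"].strip()
        start = INIT.search(msg)
        if start:
            current = {"ts": m["ts"], "local": start["local"], "peer": start["peer"],
                       "errors": [], "verdict": "no-local-send-error"}
            attempts.append(current)
        elif current and m["level"] == "ERROR":
            current["errors"].append(msg)
            send_err = SENDTO.match(msg)
            if send_err:
                current["verdict"] = "local-send-failure: " + send_err["reason"]
    return attempts

# The first six lines are copied from the log in the post (addresses masked there).
# The last line is constructed, with documentation addresses, for contrast.
SAMPLE = """\
Fri Jan 31 20:37:47 2014 (GMT -0500): [clrctr00fw0100] [IKE] INFO:  Initiating new phase 1 negotiation: xx.76.78.218[500]<=>xx.76.78.219[500]
Fri Jan 31 20:37:47 2014 (GMT -0500): [clrctr00fw0100] [IKE] ERROR:  sendto (Permission denied)
Fri Jan 31 20:37:47 2014 (GMT -0500): [clrctr00fw0100] [IKE] ERROR:  sendfromto failed
Fri Jan 31 20:37:47 2014 (GMT -0500): [clrctr00fw0100] [IKE] ERROR:  Failed to begin ipsec sa negotiation with xx.76.78.219[500].
Fri Jan 31 20:37:51 2014 (GMT -0500): [clrctr00fw0100] [IKE] INFO:  Initiating new phase 1 negotiation: xx.76.78.218[500]<=>xx.76.78.219[500]
Fri Jan 31 20:37:51 2014 (GMT -0500): [clrctr00fw0100] [IKE] ERROR:  sendto (Permission denied)
Fri Jan 31 20:40:00 2014 (GMT -0500): [clrctr00fw0100] [IKE] INFO:  Initiating new phase 1 negotiation: 192.0.2.1[500]<=>192.0.2.10[500]
""".splitlines()

if __name__ == "__main__":
    for a in triage(SAMPLE):
        print(a["ts"], a["local"], "->", a["peer"], "|", a["verdict"])
```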
