
3002 NAT to IOS 2651xm-vpnK9 - ISAKMP failing

I am trying to connect a 3002 in network extension mode to a 2651xm VPN-K9. I am following the directions of:

http://www.cisco.com/warp/public/471/vpn-3k2-ios-nem-lea.html

My debug shows an apparent problem with the ISAKMP negotiation ... I notice that the problem may be with the NAT on the 3002 ... this is not something addressed in the Cisco example config.

Here is the IOS debug ... I can provide the 3002 end as well, but it doesn't have the same level of detail.

x.603: ISAKMP: Locking peer struct 0x830F8F30, IKE refcount 1 for crypto_ikmp_config_initialize_sa
x.603: ISAKMP (0:0): Setting client config settings 830DA758
x.603: ISAKMP (0:0): (Re)Setting client xauth list and state
x.603: ISAKMP: local port 500, remote port 500
x.603: ISAKMP (0:7): processing SA payload. message ID = 0
x.607: ISAKMP (0:7): processing ID payload. message ID = 0
x.607: ISAKMP (0:7): processing vendor id payload
x.607: ISAKMP (0:7): vendor ID seems Unity/DPD but bad major
x.607: ISAKMP (0:7): vendor ID is XAUTH
x.607: ISAKMP (0:7): processing vendor id payload
x.607: ISAKMP (0:7): vendor ID seems Unity/DPD but bad major
x.607: ISAKMP (0:7): vendor ID is NAT-T
x.607: ISAKMP (0:7): processing vendor id payload
x.607: ISAKMP (0:7): vendor ID seems Unity/DPD but bad major
x.607: ISAKMP (0:7): vendor ID is NAT-T
x.607: ISAKMP (0:7): processing vendor id payload
x.607: ISAKMP (0:7): vendor ID seems Unity/DPD but bad major
x.607: ISAKMP (0:7) Authentication by xauth preshared
x.607: ISAKMP (0:7): Checking ISAKMP transform 1 against priority 3 policy
x.607: ISAKMP: default group 2
x.607: ISAKMP: encryption 3DES-CBC
x.607: ISAKMP: hash SHA
x.607: ISAKMP: auth XAUTHInitPreShared
x.611: ISAKMP: life type in seconds
x.611: ISAKMP: life duration (VPI) of 0x7F 0xFF 0xFF 0xFF
x.611: ISAKMP (0:7): atts are acceptable. Next payload is 3
x.647: ISAKMP (0:7): processing KE payload. message ID = 0
x.687: ISAKMP (0:7): processing NONCE payload. message ID = 0
x.687: ISAKMP (0:7): processing vendor id payload
x.687: ISAKMP (0:7): vendor ID seems Unity/DPD but bad major
x.687: ISAKMP (0:7): vendor ID is XAUTH
x.687: ISAKMP (0:7): processing vendor id payload
x.687: ISAKMP (0:7): vendor ID seems Unity/DPD but bad major
x.691: ISAKMP (0:7): vendor ID is NAT-T
x.691: ISAKMP (0:7): processing vendor id payload
x.691: ISAKMP (0:7): vendor ID seems Unity/DPD but bad major
x.691: ISAKMP (0:7): vendor ID is NAT-T
x.691: ISAKMP (0:7): processing vendor id payload
x.691: ISAKMP (0:7): vendor ID seems Unity/DPD but bad major
x.691: ISAKMP (0:7): Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
x.691: ISAKMP (0:7): Old State = IKE_READY New State = IKE_R_AM_AAA_AWAIT
x.695: ISAKMP: got callback 1
x.727: ISAKMP (0:7): SKEYID state generated
x.727: ISAKMP (0:7): constructed NAT-T vendor-03 ID
x.727: ISAKMP (0:7): SA is doing pre-shared key authentication plus XAUTH using id type ID_IPV4_ADDR
x.727: ISAKMP (7): ID payload
    next-payload : 10
    type : 1
    addr : 63.207.169.194
    protocol : 17
    port : 0
    length : 8
x.727: ISAKMP (7): Total payload length: 12
x.735: ISAKMP (0:7): constructed HIS NAT-D
x.735: ISAKMP (0:7): constructed MINE NAT-D
x.735: ISAKMP (0:7): sending packet to 200.67.53.192 my_port 500 peer_port 500 (R) AG_INIT_EXCH
x.739: ISAKMP (0:7): Input = IKE_MESG_FROM_AAA, PRESHARED_KEY_REPLY
x.739: ISAKMP (0:7): Old State = IKE_R_AM_AAA_AWAIT New State =IKE_R_AM2
x.204: ISAKMP (0:6): retransmitting phase 1 AG_INIT_EXCH...
x.204: ISAKMP (0:6): incrementing error counter on sa: retransmit phase 1
x.204: ISAKMP (0:6): retransmitting phase 1 AG_INIT_EXCH
x.204: ISAKMP (0:6): sending packet to 200.67.53.192 my_port 500 peer_port 500 (R) AG_INIT_EXCH
x.568: ISAKMP (0:5): retransmitting phase 1 AG_INIT_EXCH...
x.568: ISAKMP (0:5): incrementing error counter on sa: retransmit phase 1
x.568: ISAKMP (0:5): retransmitting phase 1 AG_INIT_EXCH
x.568: ISAKMP (0:5): sending packet to 200.67.53.192 my_port 500 peer_port 500 (R) AG_INIT_EXCH
x.981: ISAKMP (0:4): retransmitting phase 1 AG_INIT_EXCH...
x.981: ISAKMP (0:4): peer does not do paranoid keepalives.
x.981: ISAKMP (0:4): deleting SA reason "death by retransmission P1" state (R) AG_INIT_EXCH (peer 200.67.53.192) input queue 0
x.981: ISAKMP (0:4): deleting SA reason "death by retransmission P1" state (R) AG_INIT_EXCH (peer 200.67.53.192) input queue 0
x.981: ISAKMP (0:4): Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
x.981: ISAKMP (0:4): Old State = IKE_R_AM2 New State = IKE_DEST_SA
ISAKMP (0:1): purging SA., sa=830F187C, delme=830F187C
ISAKMP: Unlocking IKE struct 0x830E8324 for declare_sa_dead(), count 0

2 REPLIES

Re: 3002 NAT to IOS 2651xm-vpnK9 - ISAKMP failing

Maybe you can try to set up the NAT inside statement to point to a route-map.

Re: 3002 NAT to IOS 2651xm-vpnK9 - ISAKMP failing

Strangely, I left the problem alone for the weekend, and when I tried it again yesterday it worked. I don't know why, but now it is working.

Here's the debug:

*Mar 6 21:55:00.776: ISAKMP (0:1): received packet from 200.67.53.192 dport 4500 sport 60291 (R) QM_IDLE
*Mar 6 21:55:00.776: ISAKMP: set new node -1803135908 to QM_IDLE
*Mar 6 21:55:00.784: ISAKMP (0:1): processing HASH payload. message ID = -1803135908
*Mar 6 21:55:00.788: ISAKMP (0:1): processing NOTIFY R_U_THERE protocol 1 spi 0, message ID = -1803135908, sa = 830FDF7C
*Mar 6 21:55:00.788: ISAKMP (0:1): deleting node -1803135908 error FALSE reason "informational (in) state 1"
*Mar 6 21:55:00.788: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Mar 6 21:55:00.788: ISAKMP (0:1): Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Mar 6 21:55:00.788: ISAKMP (0:1): DPD/R_U_THERE received from peer 200.67.53.192, sequence 0x51597854
*Mar 6 21:55:00.788: ISAKMP: set new node -1778019418 to QM_IDLE
*Mar 6 21:55:00.800: ISAKMP (0:1): sending packet to 200.67.53.192 my_port 4500 peer_port 60291 (R) QM_IDLE
*Mar 6 21:55:00.800: ISAKMP (0:1): purging node -1778019418
*Mar 6 21:55:00.800: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
*Mar 6 21:55:00.800: ISAKMP (0:1): Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
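The two debugs in this thread differ in exactly the things an operator wants to pick out quickly: the failing capture shows the router, as responder, sending its aggressive-mode reply on UDP 500 and then deleting the SA with "death by retransmission P1" (the peer advertised NAT-T but nothing ever moved to UDP 4500), while the working capture shows phase 1 complete with traffic on UDP 4500 and DPD keepalives. The script below is an added example, not code from the thread or from Cisco; it parses IOS `debug crypto isakmp` lines of both timestamp styles seen above, tracks per-SA state changes, retransmits and ports, and prints a one-line diagnosis. The two sample captures embedded in it are constructed (documentation address 192.0.2.10) to mirror the shape of the posted debugs.

```python
"""Classify Cisco IOS 'debug crypto isakmp' output for IKEv1 phase 1 / NAT-T trouble.

Added example; not from the original thread. The sample captures below are
constructed to mirror the two debugs posted above.
"""
import re
from collections import defaultdict

# Handles "x.603: ISAKMP ...", "*Mar 6 21:55:00.776: ISAKMP ..." and lines
# with no timestamp at all ("ISAKMP (0:1): purging SA ...").
LINE_RE = re.compile(
    r'^(?:(?P<ts>.*?): )?ISAKMP(?: \((?P<sa>\d+:\d+)\))?:?\s*(?P<msg>.*)$'
)
SEND_RE = re.compile(
    r'sending packet to (?P<peer>\S+) my_port (?P<my>\d+) peer_port (?P<pp>\d+) '
    r'\((?P<role>[IR])\) (?P<exch>\S+)'
)
RECV_RE = re.compile(
    r'received packet from (?P<peer>\S+) dport (?P<my>\d+) sport (?P<pp>\d+) '
    r'\((?P<role>[IR])\) (?P<exch>\S+)'
)
STATE_RE = re.compile(r'Old State = (?P<old>\S+) New State =\s*(?P<new>\S+)')
P1_DEAD = 'death by retransmission P1'


def parse(log_text):
    """Return per-SA facts plus global observations from one debug capture."""
    sas = defaultdict(lambda: {'retransmits': 0, 'p1_dead': False,
                               'states': [], 'exchanges': set()})
    facts = {'nat_t_vendor_id': False, 'ports': set(),
             'dpd': False, 'p1_complete': False}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # payload field dumps and other continuation lines carry nothing we track
        sa, msg = m.group('sa'), m.group('msg')
        if 'vendor ID is NAT-T' in msg:
            facts['nat_t_vendor_id'] = True
        if 'DPD/R_U_THERE received' in msg:
            facts['dpd'] = True
        for rx in (SEND_RE, RECV_RE):
            pm = rx.search(msg)
            if pm:
                facts['ports'].add(int(pm.group('my')))  # local UDP port actually in use
                if sa:
                    sas[sa]['exchanges'].add(pm.group('exch'))
        if sa is None:
            continue  # remaining facts are per-SA
        if 'retransmitting phase 1' in msg:
            sas[sa]['retransmits'] += 1
        if P1_DEAD in msg:
            sas[sa]['p1_dead'] = True
        sm = STATE_RE.search(msg)
        if sm:
            sas[sa]['states'].append((sm.group('old'), sm.group('new')))
            if sm.group('new') == 'IKE_P1_COMPLETE':
                facts['p1_complete'] = True
    facts['sas'] = dict(sas)
    return facts


def verdict(facts):
    """Turn parsed facts into a one-line diagnosis."""
    dead = sorted(sa for sa, d in facts['sas'].items() if d['p1_dead'])
    if dead:
        note = f"phase 1 aggressive mode timed out (SA {', '.join(dead)} deleted by retransmission)"
        if facts['nat_t_vendor_id'] and 4500 not in facts['ports']:
            note += '; peer advertised NAT-T but no UDP 4500 traffic was seen'
        return note
    if facts['p1_complete'] and 4500 in facts['ports']:
        return 'phase 1 complete; NAT-T in use on UDP 4500' + (
            ' with DPD keepalives' if facts['dpd'] else '')
    if facts['p1_complete']:
        return 'phase 1 complete on UDP 500 (no NAT-T float)'
    return 'no phase 1 outcome recorded in this capture'


# Constructed sample: responder answers the peer's aggressive-mode message, never hears back.
FAILING_SAMPLE = """\
x.603: ISAKMP: local port 500, remote port 500
x.607: ISAKMP (0:7): processing vendor id payload
x.607: ISAKMP (0:7): vendor ID is NAT-T
x.691: ISAKMP (0:7): Old State = IKE_READY New State = IKE_R_AM_AAA_AWAIT
x.735: ISAKMP (0:7): sending packet to 192.0.2.10 my_port 500 peer_port 500 (R) AG_INIT_EXCH
x.739: ISAKMP (0:7): Old State = IKE_R_AM_AAA_AWAIT New State =IKE_R_AM2
x.204: ISAKMP (0:7): retransmitting phase 1 AG_INIT_EXCH...
x.204: ISAKMP (0:7): incrementing error counter on sa: retransmit phase 1
x.204: ISAKMP (0:7): retransmitting phase 1 AG_INIT_EXCH
x.204: ISAKMP (0:7): sending packet to 192.0.2.10 my_port 500 peer_port 500 (R) AG_INIT_EXCH
x.981: ISAKMP (0:7): deleting SA reason "death by retransmission P1" state (R) AG_INIT_EXCH (peer 192.0.2.10) input queue 0
x.981: ISAKMP (0:7): Old State = IKE_R_AM2 New State = IKE_DEST_SA
ISAKMP (0:1): purging SA., sa=830F187C, delme=830F187C
"""

# Constructed sample: established SA exchanging DPD on the NAT-T port.
WORKING_SAMPLE = """\
*Mar 6 21:55:00.776: ISAKMP (0:1): received packet from 192.0.2.10 dport 4500 sport 60291 (R) QM_IDLE
*Mar 6 21:55:00.788: ISAKMP (0:1): processing NOTIFY R_U_THERE protocol 1
*Mar 6 21:55:00.788: ISAKMP (0:1): Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Mar 6 21:55:00.788: ISAKMP (0:1): DPD/R_U_THERE received from peer 192.0.2.10, sequence 0x51597854
*Mar 6 21:55:00.800: ISAKMP (0:1): sending packet to 192.0.2.10 my_port 4500 peer_port 60291 (R) QM_IDLE
"""

if __name__ == '__main__':
    for name, sample in (('failing', FAILING_SAMPLE), ('working', WORKING_SAMPLE)):
        print(f'{name}: {verdict(parse(sample))}')
```

Feed it a real capture with `parse(open('isakmp.log').read())`; the per-SA `retransmits` counts and `states` lists in the returned dict are what to compare against the remote end's log when the verdict is a phase 1 timeout.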
