deleting SA reason "Recevied fatal informational" message

jimontoro · ‎12-22-2011

Hello,

We are trying to establish a vpn tunnel and we get the message of the matter, you know that it is due?

Thanks in advance

00:20:40: ISAKMP:(2029):purging node 1377634609
00:20:40: ISAKMP:(2029):purging node -829528593
00:20:49: IPSEC(key_engine): request timer fired: count = 2,
  (identity) local= 80.33.74.77, remote= 147.84.200.240,
    local_proxy= 10.166.204.36/255.255.255.255/0/0 (type=1),
    remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4)
00:20:49: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 80.33.74.77, remote= 147.84.200.240,
    local_proxy= 10.166.204.36/255.255.255.255/0/0 (type=1),
    remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    protocol= ESP, transform= esp-aes 256 esp-sha-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
00:20:49: ISAKMP:(0): SA request profile is (NULL)
00:20:49: ISAKMP: Created a peer struct for 147.84.200.240, peer port 500
00:20:49: ISAKMP: New peer created peer = 0x81F9B410 peer_handle = 0x80000020
00:20:49: ISAKMP: Locking peer struct 0x81F9B410, refcount 1 for isakmp_initiator
00:20:49: ISAKMP: local port 500, remote port 500
00:20:49: ISAKMP: set new node 0 to QM_IDLE
00:20:49: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 82DB798C
00:20:49: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
00:20:49: ISAKMP:(0):found peer pre-shared key matching 147.84.200.240
00:20:49: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
00:20:49: ISAKMP:(0): constructed NAT-T vendor-07 ID
00:20:49: ISAKMP:(0): constructed NAT-T vendor-03 ID
00:20:49: ISAKMP:(0): constructed NAT-T vendor-02 ID
00:20:49: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
00:20:49: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1

00:20:49: ISAKMP:(0): beginning Main Mode exchange
00:20:49: ISAKMP:(0): sending packet to 147.84.200.240 my_port 500 peer_port 500 (I) MM_NO_STATE
00:20:49: ISAKMP:(0):Sending an IKE IPv4 Packet.
00:20:50: ISAKMP (0:0): received packet from 147.84.200.240 dport 500 sport 500 Global (I) MM_NO_STATE
00:20:50: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
00:20:50: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2

00:20:50: ISAKMP:(0): processing SA payload. message ID = 0
00:20:50: ISAKMP:(0): processing vendor id payload
00:20:50: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
00:20:50: ISAKMP:(0): vendor ID is NAT-T v2
00:20:50: ISAKMP:(0): processing vendor id payload
00:20:50: ISAKMP:(0): processing IKE frag vendor id payload
00:20:50: ISAKMP:(0):Support for IKE Fragmentation not enabled
00:20:50: ISAKMP:(0):found peer pre-shared key matching 147.84.200.240
00:20:50: ISAKMP:(0): local preshared key found
00:20:50: ISAKMP : Scanning profiles for xauth ...
00:20:50: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
00:20:50: ISAKMP:      encryption AES-CBC
00:20:50: ISAKMP:      keylength of 256
00:20:50: ISAKMP:      hash SHA
00:20:50: ISAKMP:      default group 5
00:20:50: ISAKMP:      auth pre-share
00:20:50: ISAKMP:      life type in seconds
00:20:50: ISAKMP:      life duration (basic) of 28800
00:20:50: ISAKMP:(0):atts are acceptable. Next payload is 0
00:20:50: ISAKMP:(0):Acceptable atts:actual life: 0
00:20:50: ISAKMP:(0):Acceptable atts:life: 0
00:20:50: ISAKMP:(0):Basic life_in_seconds:28800
00:20:50: ISAKMP:(0):Returning Actual lifetime: 28800
00:20:50: ISAKMP:(0)::Started lifetime timer: 28800.

00:20:50: ISAKMP:(0): processing vendor id payload
00:20:50: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
00:20:50: ISAKMP:(0): vendor ID is NAT-T v2
00:20:50: ISAKMP:(0): processing vendor id payload
00:20:50: ISAKMP:(0): processing IKE frag vendor id payload
00:20:50: ISAKMP:(0):Support for IKE Fragmentation not enabled
00:20:50: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
00:20:50: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2

00:20:50: ISAKMP:(0): sending packet to 147.84.200.240 my_port 500 peer_port 500 (I) MM_SA_SETUP
00:20:50: ISAKMP:(0):Sending an IKE IPv4 Packet.
00:20:50: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
00:20:50: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3

00:20:50: ISAKMP:(2029):purging SA., sa=81F99704, delme=81F99704
00:20:50: ISAKMP (0:0): received packet from 147.84.200.240 dport 500 sport 500 Global (I) MM_SA_SETUP
00:20:50: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
00:20:50: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4

00:20:50: ISAKMP:(0): processing KE payload. message ID = 0
00:20:50: ISAKMP:(0): processing NONCE payload. message ID = 0
00:20:50: ISAKMP:(0):found peer pre-shared key matching 147.84.200.240
00:20:50: ISAKMP:(2031): processing vendor id payload
00:20:50: ISAKMP:(2031): vendor ID is Unity
00:20:50: ISAKMP:(2031): processing vendor id payload
00:20:50: ISAKMP:(2031): vendor ID seems Unity/DPD but major 54 mismatch
00:20:50: ISAKMP:(2031): vendor ID is XAUTH
00:20:50: ISAKMP:(2031): processing vendor id payload
00:20:50: ISAKMP:(2031): speaking to another IOS box!
00:20:50: ISAKMP:(2031): processing vendor id payload
00:20:50: ISAKMP:(2031):vendor ID seems Unity/DPD but hash mismatch
00:20:50: ISAKMP:received payload type 20
00:20:50: ISAKMP:received payload type 20
00:20:50: ISAKMP:(2031):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
00:20:50: ISAKMP:(2031):Old State = IKE_I_MM4  New State = IKE_I_MM4

00:20:50: ISAKMP:(2031):Send initial contact
00:20:50: ISAKMP:(2031):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
00:20:50: ISAKMP (0:2031): ID payload
        next-payload : 8
        type         : 1
        address      : 80.33.74.77
        protocol     : 17
        port         : 500
        length       : 12
00:20:50: ISAKMP:(2031):Total payload length: 12
00:20:50: ISAKMP:(2031): sending packet to 147.84.200.240 my_port 500 peer_port 500 (I) MM_KEY_EXCH
00:20:50: ISAKMP:(2031):Sending an IKE IPv4 Packet.
00:20:50: ISAKMP:(2031):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
00:20:50: ISAKMP:(2031):Old State = IKE_I_MM4  New State = IKE_I_MM5

00:20:50: ISAKMP (0:2031): received packet from 147.84.200.240 dport 500 sport 500 Global (I) MM_KEY_EXCH
00:20:50: ISAKMP:(2031): processing ID payload. message ID = 0
00:20:50: ISAKMP (0:2031): ID payload
        next-payload : 8
        type         : 1
        address      : 147.84.200.240
        protocol     : 17
        port         : 0
        length       : 12
00:20:50: ISAKMP:(0):: peer matches *none* of the profiles
00:20:50: ISAKMP:(2031): processing HASH payload. message ID = 0
00:20:50: ISAKMP:received payload type 17
00:20:50: ISAKMP:(2031): processing vendor id payload
00:20:50: ISAKMP:(2031): vendor ID is DPD
00:20:50: ISAKMP:(2031):SA authentication status:
        authenticated
00:20:50: ISAKMP:(2031):SA has been authenticated with 147.84.200.240
00:20:50: ISAKMP: Trying to insert a peer 80.33.74.77/147.84.200.240/500/,  and inserted successfully 81F9B410.
00:20:50: ISAKMP:(2031):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
00:20:50: ISAKMP:(2031):Old State = IKE_I_MM5  New State = IKE_I_MM6

00:20:50: ISAKMP:(2031):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
00:20:50: ISAKMP:(2031):Old State = IKE_I_MM6  New State = IKE_I_MM6

00:20:50: ISAKMP:(2031):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
00:20:50: ISAKMP:(2031):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE

00:20:50: ISAKMP:(2031):beginning Quick Mode exchange, M-ID of -548268726
00:20:50: ISAKMP:(2031):QM Initiator gets spi
00:20:50: ISAKMP:(2031): sending packet to 147.84.200.240 my_port 500 peer_port 500 (I) QM_IDLE
00:20:50: ISAKMP:(2031):Sending an IKE IPv4 Packet.
00:20:50: ISAKMP:(2031):Node -548268726, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
00:20:50: ISAKMP:(2031):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
00:20:50: ISAKMP:(2031):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
00:20:50: ISAKMP:(2031):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

00:20:50: ISAKMP (0:2031): received packet from 147.84.200.240 dport 500 sport 500 Global (I) QM_IDLE
00:20:50: ISAKMP: set new node -1767254880 to QM_IDLE
00:20:50: ISAKMP:(2031): processing HASH payload. message ID = -1767254880
00:20:50: ISAKMP:(2031): processing NOTIFY INVALID_ID_INFO protocol 1
        spi 0, message ID = -1767254880, sa = 82DB798C
00:20:50: ISAKMP:(2031):peer does not do paranoid keepalives.

00:20:50: ISAKMP:(2031):deleting SA reason "Recevied fatal informational" state (I) QM_IDLE       (peer 147.84.200.240)
00:20:50: ISAKMP:(2031):deleting node -1767254880 error FALSE reason "Informational (in) state 1"
00:20:50: ISAKMP:(2031):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
00:20:50: ISAKMP:(2031):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

00:20:50: ISAKMP (0:2031): received packet from 147.84.200.240 dport 500 sport 500 Global (I) QM_IDLE
00:20:50: ISAKMP: set new node 1603059088 to QM_IDLE
00:20:50: ISAKMP:(2031): sending packet to 147.84.200.240 my_port 500 peer_port 500 (I) QM_IDLE
00:20:50: ISAKMP:(2031):Sending an IKE IPv4 Packet.
00:20:50: ISAKMP:(2031):purging node 1603059088
00:20:50: ISAKMP:(2031):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
00:20:50: ISAKMP:(2031):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA

00:20:50: ISAKMP:(2031):deleting SA reason "Recevied fatal informational" state (I) QM_IDLE       (peer 147.84.200.240)
00:20:50: ISAKMP:(0):Can't decrement IKE Call Admission Control stat outgoing_active since it's already 0.
00:20:50: ISAKMP: Unlocking peer struct 0x81F9B410 for isadb_mark_sa_deleted(), count 0
00:20:50: ISAKMP: Deleting peer node by peer_reap for 147.84.200.240: 81F9B410
00:20:50: ISAKMP:(2031):deleting node -548268726 error FALSE reason "IKE deleted"
00:20:50: ISAKMP:(2031):deleting node -1767254880 error FALSE reason "IKE deleted"
00:20:50: ISAKMP:(2031):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
00:20:50: ISAKMP:(2031):Old State = IKE_DEST_SA  New State = IKE_DEST_SA

00:20:50: IPSEC(key_engine): got a queue event with 1 KMI message(s)

Marcin Latosiewicz · ‎12-22-2011

It looks like this end is sending phase 2 parameters the other side doesn't work.

Check debugs on the other end to understand what the problem is.

Dan Schauss · ‎08-20-2013

FYI I had a site to site tunnel that would not come up on Phase 1 with the following debug warning:

deleting SA reason "Recevied fatal informational" state

Device: VPN Service Module blade

199.173.227.18 149.168.1.164 MM_NO_STATE 78536 ACTIVE (deleted)

199.173.227.18 149.168.1.164 MM_NO_STATE 78577 ACTIVE (deleted)

!

Aug 20 11:54:11.870: ISAKMP:(77730): sending packet to 199.173.227.18 my_port 500 peer_port 500 (I) QM_IDLE

Aug 20 11:54:11.894: ISAKMP (77730): received packet from 199.173.227.18 dport 500 sport 500 Global (I) QM_IDLE

Aug 20 11:54:11.894: ISAKMP:(77730):deleting SA reason "Recevied fatal informational" state (I) QM_IDLE (peer 199.173.227.18)

Aug 20 11:54:11.898: ISAKMP:(77730): sending packet to 199.173.227.18 my_port 500 peer_port 500 (I) QM_IDLE

Aug 20 11:54:11.898: ISAKMP:(77730):deleting SA reason "Recevied fatal informational" state (I) QM_IDLE (peer 199.173.227.18)

Until I realized I had left out 'PFS group 2', when I added it the tunnel popped right up.

crypto map DHHS-SF-map 25 ipsec-isakmp

set peer 199.173.227.18

set transform-set aes256

set isakmp-profile DHHSSF

set pfs group2

match address DHHS6112-SSA

Dan

Chris Penny · ‎01-29-2015

I had this exact same issue and was pulling my hair out trying to figure out what I was missing. Ended up being the "PFS Group2" was missing. Thanks!