12-22-2011 05:42 AM
Hello,
We are trying to establish a VPN tunnel and we get the message in the subject line. Do you know what it is due to?
Thanks in advance
00:20:40: ISAKMP:(2029):purging node 1377634609
00:20:40: ISAKMP:(2029):purging node -829528593
00:20:49: IPSEC(key_engine): request timer fired: count = 2, (identity) local= 80.33.74.77, remote= 147.84.200.240, local_proxy= 10.166.204.36/255.255.255.255/0/0 (type=1), remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4)
00:20:49: IPSEC(sa_request): , (key eng. msg.) OUTBOUND local= 80.33.74.77, remote= 147.84.200.240, local_proxy= 10.166.204.36/255.255.255.255/0/0 (type=1), remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4), protocol= ESP, transform= esp-aes 256 esp-sha-hmac (Tunnel), lifedur= 3600s and 4608000kb, spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
00:20:49: ISAKMP:(0): SA request profile is (NULL)
00:20:49: ISAKMP: Created a peer struct for 147.84.200.240, peer port 500
00:20:49: ISAKMP: New peer created peer = 0x81F9B410 peer_handle = 0x80000020
00:20:49: ISAKMP: Locking peer struct 0x81F9B410, refcount 1 for isakmp_initiator
00:20:49: ISAKMP: local port 500, remote port 500
00:20:49: ISAKMP: set new node 0 to QM_IDLE
00:20:49: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 82DB798C
00:20:49: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
00:20:49: ISAKMP:(0):found peer pre-shared key matching 147.84.200.240
00:20:49: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
00:20:49: ISAKMP:(0): constructed NAT-T vendor-07 ID
00:20:49: ISAKMP:(0): constructed NAT-T vendor-03 ID
00:20:49: ISAKMP:(0): constructed NAT-T vendor-02 ID
00:20:49: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
00:20:49: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
00:20:49: ISAKMP:(0): beginning Main Mode exchange
00:20:49: ISAKMP:(0): sending packet to 147.84.200.240 my_port 500 peer_port 500 (I) MM_NO_STATE
00:20:49: ISAKMP:(0):Sending an IKE IPv4 Packet.
00:20:50: ISAKMP (0:0): received packet from 147.84.200.240 dport 500 sport 500 Global (I) MM_NO_STATE
00:20:50: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
00:20:50: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2
00:20:50: ISAKMP:(0): processing SA payload. message ID = 0
00:20:50: ISAKMP:(0): processing vendor id payload
00:20:50: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
00:20:50: ISAKMP:(0): vendor ID is NAT-T v2
00:20:50: ISAKMP:(0): processing vendor id payload
00:20:50: ISAKMP:(0): processing IKE frag vendor id payload
00:20:50: ISAKMP:(0):Support for IKE Fragmentation not enabled
00:20:50: ISAKMP:(0):found peer pre-shared key matching 147.84.200.240
00:20:50: ISAKMP:(0): local preshared key found
00:20:50: ISAKMP : Scanning profiles for xauth ...
00:20:50: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
00:20:50: ISAKMP: encryption AES-CBC
00:20:50: ISAKMP: keylength of 256
00:20:50: ISAKMP: hash SHA
00:20:50: ISAKMP: default group 5
00:20:50: ISAKMP: auth pre-share
00:20:50: ISAKMP: life type in seconds
00:20:50: ISAKMP: life duration (basic) of 28800
00:20:50: ISAKMP:(0):atts are acceptable. Next payload is 0
00:20:50: ISAKMP:(0):Acceptable atts:actual life: 0
00:20:50: ISAKMP:(0):Acceptable atts:life: 0
00:20:50: ISAKMP:(0):Basic life_in_seconds:28800
00:20:50: ISAKMP:(0):Returning Actual lifetime: 28800
00:20:50: ISAKMP:(0)::Started lifetime timer: 28800.
00:20:50: ISAKMP:(0): processing vendor id payload
00:20:50: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
00:20:50: ISAKMP:(0): vendor ID is NAT-T v2
00:20:50: ISAKMP:(0): processing vendor id payload
00:20:50: ISAKMP:(0): processing IKE frag vendor id payload
00:20:50: ISAKMP:(0):Support for IKE Fragmentation not enabled
00:20:50: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
00:20:50: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2
00:20:50: ISAKMP:(0): sending packet to 147.84.200.240 my_port 500 peer_port 500 (I) MM_SA_SETUP
00:20:50: ISAKMP:(0):Sending an IKE IPv4 Packet.
00:20:50: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
00:20:50: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3
00:20:50: ISAKMP:(2029):purging SA., sa=81F99704, delme=81F99704
00:20:50: ISAKMP (0:0): received packet from 147.84.200.240 dport 500 sport 500 Global (I) MM_SA_SETUP
00:20:50: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
00:20:50: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4
00:20:50: ISAKMP:(0): processing KE payload. message ID = 0
00:20:50: ISAKMP:(0): processing NONCE payload. message ID = 0
00:20:50: ISAKMP:(0):found peer pre-shared key matching 147.84.200.240
00:20:50: ISAKMP:(2031): processing vendor id payload
00:20:50: ISAKMP:(2031): vendor ID is Unity
00:20:50: ISAKMP:(2031): processing vendor id payload
00:20:50: ISAKMP:(2031): vendor ID seems Unity/DPD but major 54 mismatch
00:20:50: ISAKMP:(2031): vendor ID is XAUTH
00:20:50: ISAKMP:(2031): processing vendor id payload
00:20:50: ISAKMP:(2031): speaking to another IOS box!
00:20:50: ISAKMP:(2031): processing vendor id payload
00:20:50: ISAKMP:(2031):vendor ID seems Unity/DPD but hash mismatch
00:20:50: ISAKMP:received payload type 20
00:20:50: ISAKMP:received payload type 20
00:20:50: ISAKMP:(2031):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
00:20:50: ISAKMP:(2031):Old State = IKE_I_MM4 New State = IKE_I_MM4
00:20:50: ISAKMP:(2031):Send initial contact
00:20:50: ISAKMP:(2031):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
00:20:50: ISAKMP (0:2031): ID payload next-payload : 8 type : 1 address : 80.33.74.77 protocol : 17 port : 500 length : 12
00:20:50: ISAKMP:(2031):Total payload length: 12
00:20:50: ISAKMP:(2031): sending packet to 147.84.200.240 my_port 500 peer_port 500 (I) MM_KEY_EXCH
00:20:50: ISAKMP:(2031):Sending an IKE IPv4 Packet.
00:20:50: ISAKMP:(2031):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
00:20:50: ISAKMP:(2031):Old State = IKE_I_MM4 New State = IKE_I_MM5
00:20:50: ISAKMP (0:2031): received packet from 147.84.200.240 dport 500 sport 500 Global (I) MM_KEY_EXCH
00:20:50: ISAKMP:(2031): processing ID payload. message ID = 0
00:20:50: ISAKMP (0:2031): ID payload next-payload : 8 type : 1 address : 147.84.200.240 protocol : 17 port : 0 length : 12
00:20:50: ISAKMP:(0):: peer matches *none* of the profiles
00:20:50: ISAKMP:(2031): processing HASH payload. message ID = 0
00:20:50: ISAKMP:received payload type 17
00:20:50: ISAKMP:(2031): processing vendor id payload
00:20:50: ISAKMP:(2031): vendor ID is DPD
00:20:50: ISAKMP:(2031):SA authentication status: authenticated
00:20:50: ISAKMP:(2031):SA has been authenticated with 147.84.200.240
00:20:50: ISAKMP: Trying to insert a peer 80.33.74.77/147.84.200.240/500/, and inserted successfully 81F9B410.
00:20:50: ISAKMP:(2031):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
00:20:50: ISAKMP:(2031):Old State = IKE_I_MM5 New State = IKE_I_MM6
00:20:50: ISAKMP:(2031):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
00:20:50: ISAKMP:(2031):Old State = IKE_I_MM6 New State = IKE_I_MM6
00:20:50: ISAKMP:(2031):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
00:20:50: ISAKMP:(2031):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
00:20:50: ISAKMP:(2031):beginning Quick Mode exchange, M-ID of -548268726
00:20:50: ISAKMP:(2031):QM Initiator gets spi
00:20:50: ISAKMP:(2031): sending packet to 147.84.200.240 my_port 500 peer_port 500 (I) QM_IDLE
00:20:50: ISAKMP:(2031):Sending an IKE IPv4 Packet.
00:20:50: ISAKMP:(2031):Node -548268726, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
00:20:50: ISAKMP:(2031):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
00:20:50: ISAKMP:(2031):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
00:20:50: ISAKMP:(2031):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
00:20:50: ISAKMP (0:2031): received packet from 147.84.200.240 dport 500 sport 500 Global (I) QM_IDLE
00:20:50: ISAKMP: set new node -1767254880 to QM_IDLE
00:20:50: ISAKMP:(2031): processing HASH payload. message ID = -1767254880
00:20:50: ISAKMP:(2031): processing NOTIFY INVALID_ID_INFO protocol 1 spi 0, message ID = -1767254880, sa = 82DB798C
00:20:50: ISAKMP:(2031):peer does not do paranoid keepalives.
00:20:50: ISAKMP:(2031):deleting SA reason "Recevied fatal informational" state (I) QM_IDLE (peer 147.84.200.240)
00:20:50: ISAKMP:(2031):deleting node -1767254880 error FALSE reason "Informational (in) state 1"
00:20:50: ISAKMP:(2031):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
00:20:50: ISAKMP:(2031):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
00:20:50: ISAKMP (0:2031): received packet from 147.84.200.240 dport 500 sport 500 Global (I) QM_IDLE
00:20:50: ISAKMP: set new node 1603059088 to QM_IDLE
00:20:50: ISAKMP:(2031): sending packet to 147.84.200.240 my_port 500 peer_port 500 (I) QM_IDLE
00:20:50: ISAKMP:(2031):Sending an IKE IPv4 Packet.
00:20:50: ISAKMP:(2031):purging node 1603059088
00:20:50: ISAKMP:(2031):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
00:20:50: ISAKMP:(2031):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA
00:20:50: ISAKMP:(2031):deleting SA reason "Recevied fatal informational" state (I) QM_IDLE (peer 147.84.200.240)
00:20:50: ISAKMP:(0):Can't decrement IKE Call Admission Control stat outgoing_active since it's already 0.
00:20:50: ISAKMP: Unlocking peer struct 0x81F9B410 for isadb_mark_sa_deleted(), count 0
00:20:50: ISAKMP: Deleting peer node by peer_reap for 147.84.200.240: 81F9B410
00:20:50: ISAKMP:(2031):deleting node -548268726 error FALSE reason "IKE deleted"
00:20:50: ISAKMP:(2031):deleting node -1767254880 error FALSE reason "IKE deleted"
00:20:50: ISAKMP:(2031):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
00:20:50: ISAKMP:(2031):Old State = IKE_DEST_SA New State = IKE_DEST_SA
00:20:50: IPSEC(key_engine): got a queue event with 1 KMI message(s)
12-22-2011 09:01 AM
It looks like this end is sending phase 2 parameters the other side doesn't work with.
Check debugs on the other end to understand what the problem is.
08-20-2013 09:53 AM
FYI I had a site to site tunnel that would not come up on Phase 1 with the following debug warning:
deleting SA reason "Recevied fatal informational" state
Device: VPN Service Module blade
199.173.227.18 149.168.1.164 MM_NO_STATE 78536 ACTIVE (deleted)
199.173.227.18 149.168.1.164 MM_NO_STATE 78577 ACTIVE (deleted)
!
Aug 20 11:54:11.870: ISAKMP:(77730): sending packet to 199.173.227.18 my_port 500 peer_port 500 (I) QM_IDLE
Aug 20 11:54:11.894: ISAKMP (77730): received packet from 199.173.227.18 dport 500 sport 500 Global (I) QM_IDLE
Aug 20 11:54:11.894: ISAKMP:(77730):deleting SA reason "Recevied fatal informational" state (I) QM_IDLE (peer 199.173.227.18)
Aug 20 11:54:11.898: ISAKMP:(77730): sending packet to 199.173.227.18 my_port 500 peer_port 500 (I) QM_IDLE
Aug 20 11:54:11.898: ISAKMP:(77730):deleting SA reason "Recevied fatal informational" state (I) QM_IDLE (peer 199.173.227.18)
Until I realized I had left out 'PFS group 2'; when I added it, the tunnel popped right up.
crypto map DHHS-SF-map 25 ipsec-isakmp
 set peer 199.173.227.18
 set transform-set aes256
 set isakmp-profile DHHSSF
 set pfs group2
 match address DHHS6112-SSA
Dan
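An added example, not part of any post in this thread: a small Python triage of ISAKMP debug output that reports, for each deleted SA, whether Main Mode (Phase 1) had already completed when the peer's fatal informational arrived, which is the distinction the replies above turn on. The sample lines are constructed in the format of the debugs quoted here, and the function name, field names and the "compare" hints are assumptions of this example.

```python
import re

# Constructed sample in the format of the debug output quoted in this thread
# (peer addresses are documentation ranges, not the posters' devices).
SAMPLE = """\
00:20:50: ISAKMP:(2031):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
00:20:50: ISAKMP:(2031):beginning Quick Mode exchange, M-ID of -548268726
00:20:50: ISAKMP:(2031): processing NOTIFY INVALID_ID_INFO protocol 1
00:20:50: ISAKMP:(2031):deleting SA reason "Recevied fatal informational" state (I) QM_IDLE (peer 192.0.2.10)
00:20:50: ISAKMP:(2031):deleting SA reason "Recevied fatal informational" state (I) QM_IDLE (peer 192.0.2.10)
00:21:30: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 198.51.100.7)
"""

P1_DONE = re.compile(r"ISAKMP:\((\d+)\):.*New State = IKE_P1_COMPLETE")
NOTIFY = re.compile(r"ISAKMP:\((\d+)\):\s*processing NOTIFY (\S+)")
DELETE = re.compile(r'ISAKMP:\((\d+)\):\s*deleting SA reason "([^"]+)" '
                    r"state \(\w\) (\S+)\s+\(peer ([\d.]+)\)")

# What to compare on both peers, by the phase that was in progress.
CHECKS = {
    1: "ISAKMP policy: encryption, hash, DH group, authentication, pre-shared key",
    2: "crypto map: transform set, PFS group (set pfs), crypto ACL (proxy identities)",
}

def triage(log_text):
    """Return one finding per deleted SA, naming the IKEv1 phase that failed."""
    p1_done, notifies, findings = set(), {}, {}
    for line in log_text.splitlines():
        if m := P1_DONE.search(line):
            p1_done.add(m.group(1))
        elif m := NOTIFY.search(line):
            notifies.setdefault(m.group(1), []).append(m.group(2))
        elif m := DELETE.search(line):
            sa, reason, state, peer = m.groups()
            # A QM_* state or a completed Main Mode means Phase 1 succeeded,
            # so the peer rejected the Quick Mode (Phase 2) proposal.
            phase = 2 if state.startswith("QM_") or sa in p1_done else 1
            findings.setdefault(sa, {   # the router logs the deletion twice
                "sa": sa, "peer": peer, "state": state, "reason": reason,
                "phase": phase, "notify": notifies.get(sa, []),
                "compare": CHECKS[phase]})
    return list(findings.values())

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f)
```

The same function can be pointed at a saved capture of `debug crypto isakmp` output; the peer's own debugs are still needed to see which Phase 2 attribute it rejected.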
01-29-2015 02:50 PM
I had this exact same issue and was pulling my hair out trying to figure out what I was missing. Ended up being the "PFS Group2" was missing. Thanks!