08-01-2014 01:17 PM
Hi everybody,
I have an ASA 8.4.
Recently I have set up an "L2TP VPN" connection, but I'm facing a lot of issues;
actually I'm not able to connect any Windows client (Windows 7 & 8).
Below is all my configuration and also the debug I made.
Any help will be very welcome. Thank you in advance.
MY L2TP CONFIGURATION
~~~~~~~~~~~~~~~~~~~~~~
2. Configure ISAKMP policy
-----------------------------
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
3. Setup an address pool
--------------------------------
ip local pool L2TP_POOL-OMS 10.30.255.1-10.30.255.6 mask 255.255.255.248
4. Configure authentication method
--------------------------------------
Local on ASA
------------------
username l2tp password oms mschap privilege 0
username l2tp attrib
vpn-group-policy DefaultRAGroup
vpn-tunnel-protocol l2tp-ipsec
4.Define Group Policy
------------------------
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
address-pools value L2TP_POOL-OMS
vpn-tunnel-protocol l2tp-ipsec
5. Define tunnel group
------------------------
tunnel-group DefaultRAGroup general-attributes
address-pool L2TP_POOL-OMS
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
no authentication ms-chap-v1
authentication ms-chap-v2
6. Setup ipsec parameters
------------------------------
crypto ipsec ikev1 transform-set myset esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set myset mode transport
7. Setup dynamic crypto map
---------------------------------
crypto dynamic-map dynmap 1 set ikev1 transform-set myset
8. Create crypto map entry and associate dynamic map with it
------------------------------------------------------------
crypto map mymap 65535 ipsec-isakmp dynamic dynmap
9. Attach crypto map to interface
-----------------------------------
crypto map mymap interface outside
10. Enable isakmp on interface
------------------------------
crypto isakmp enable outside
******************
Debug crypto ikev1
******************
FWASA-VICT1(config)# Aug 01 20:54:25 [IKEv1]Group = DefaultRAGroup, IP = 197.217.68.99, QM FSM error (P2 struct &0xb074f010, mess id 0x4)!
Aug 01 20:54:25 [IKEv1]Group = DefaultRAGroup, IP = 197.217.68.99, Removing peer from correlator table failed, no match!
Aug 01 20:54:30 [IKEv1]Group = DefaultRAGroup, IP = 197.217.68.99, QM FSM error (P2 struct &0xb074f010, mess id 0x4)!
Aug 01 20:54:30 [IKEv1]Group = DefaultRAGroup, IP = 197.217.68.99, Removing peer from correlator table failed, no match!
Aug 01 20:54:34 [IKEv1]Group = DefaultRAGroup, IP = 197.217.68.99, QM FSM error (P2 struct &0xb074f010, mess id 0x4)!
Aug 01 20:54:34 [IKEv1]Group = DefaultRAGroup, IP = 197.217.68.99, Removing peer from correlator table failed, no match!
Aug 01 20:54:43 [IKEv1]Group = DefaultRAGroup, IP = 197.217.68.99, QM FSM error (P2 struct &0xb074f010, mess id 0x4)!
Aug 01 20:54:43 [IKEv1]Group = DefaultRAGroup, IP = 197.217.68.99, Removing peer from correlator table failed, no match!
*****************************
Debug debug crypto isakmp 7
debug crypto ipsec 7
*****************************
FWASA-VICT1(config)# Aug 01 20:35:00 [IKEv1]IP = 197.217.68.99, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 384
Aug 01 20:35:00 [IKEv1 DEBUG]IP = 197.217.68.99, processing SA payload
Aug 01 20:35:00 [IKEv1]Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 2
Aug 01 20:35:00 [IKEv1]Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 2
Aug 01 20:35:00 [IKEv1]Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 2
Aug 01 20:35:00 [IKEv1]Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 2
Aug 01 20:35:00 [IKEv1]Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 2
Aug 01 20:35:00 [IKEv1]Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 2
Aug 01 20:35:00 [IKEv1]Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 2
Aug 01 20:35:00 [IKEv1]Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 2
Aug 01 20:35:00 [IKEv1]Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 2
Aug 01 20:35:00 [IKEv1]Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 2
Aug 01 20:35:00 [IKEv1 DEBUG]IP = 197.217.68.99, Oakley proposal is acceptable
Aug 01 20:35:00 [IKEv1 DEBUG]IP = 197.217.68.99, processing VID payload
Aug 01 20:35:00 [IKEv1 DEBUG]IP = 197.217.68.99, processing VID payload
Aug 01 20:35:00 [IKEv1 DEBUG]IP = 197.217.68.99, Received NAT-Traversal RFC VID
Aug 01 20:35:00 [IKEv1 DEBUG]IP = 197.217.68.99, processing VID payload
Aug 01 20:35:00 [IKEv1 DEBUG]IP = 197.217.68.99, Received NAT-Traversal ver 02 VID
Aug 01 20:35:00 [IKEv1 DEBUG]IP = 197.217.68.99, processing VID payload
Aug 01 20:35:00 [IKEv1 DEBUG]IP = 197.217.68.99, Received Fragmentation VID
Aug 01 20:35:00 [IKEv1 DEBUG]IP = 197.217.68.99, processing VID payload
Aug 01 20:35:00 [IKEv1 DEBUG]IP = 197.217.68.99, processing VID payload
Aug 01 20:35:00 [IKEv1 DEBUG]IP = 197.217.68.99, processing VID payload
Aug 01 20:35:00 [IKEv1 DEBUG]IP = 197.217.68.99, processing IKE SA payload
Aug 01 20:35:00 [IKEv1]Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 2
Aug 01 20:35:00 [IKEv1]Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 2
Aug 01 20:35:00 [IKEv1]Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 2
Aug 01 20:35:00 [IKEv1]Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 2
Aug 01 20:35:00 [IKEv1]Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 2
Aug 01 20:35:00 [IKEv1]Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 2
Aug 01 20:35:00 [IKEv1]Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 2
Aug 01 20:35:00 [IKEv1]Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 2
Aug 01 20:35:00 [IKEv1]Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 2
Aug 01 20:35:00 [IKEv1]Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 2
Aug 01 20:35:00 [IKEv1 DEBUG]IP = 197.217.68.99, IKE SA Proposal # 1, Transform # 5 acceptable Matches global IKE entry # 3
Aug 01 20:35:00 [IKEv1 DEBUG]IP = 197.217.68.99, constructing ISAKMP SA payload
Aug 01 20:35:00 [IKEv1 DEBUG]IP = 197.217.68.99, constructing NAT-Traversal VID ver RFC payload
Aug 01 20:35:00 [IKEv1 DEBUG]IP = 197.217.68.99, constructing Fragmentation VID + extended capabilities payload
Aug 01 20:35:00 [IKEv1]IP = 197.217.68.99, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 124
Aug 01 20:35:01 [IKEv1]IP = 197.217.68.99, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 260
Aug 01 20:35:01 [IKEv1 DEBUG]IP = 197.217.68.99, processing ke payload
Aug 01 20:35:01 [IKEv1 DEBUG]IP = 197.217.68.99, processing ISA_KE payload
Aug 01 20:35:01 [IKEv1 DEBUG]IP = 197.217.68.99, processing nonce payload
Aug 01 20:35:01 [IKEv1 DEBUG]IP = 197.217.68.99, processing NAT-Discovery payload
Aug 01 20:35:01 [IKEv1 DEBUG]IP = 197.217.68.99, computing NAT Discovery hash
Aug 01 20:35:01 [IKEv1 DEBUG]IP = 197.217.68.99, processing NAT-Discovery payload
Aug 01 20:35:01 [IKEv1 DEBUG]IP = 197.217.68.99, computing NAT Discovery hash
Aug 01 20:35:01 [IKEv1 DEBUG]IP = 197.217.68.99, constructing ke payload
Aug 01 20:35:01 [IKEv1 DEBUG]IP = 197.217.68.99, constructing nonce payload
Aug 01 20:35:01 [IKEv1 DEBUG]IP = 197.217.68.99, constructing Cisco Unity VID payload
Aug 01 20:35:01 [IKEv1 DEBUG]IP = 197.217.68.99, constructing xauth V6 VID payload
Aug 01 20:35:01 [IKEv1 DEBUG]IP = 197.217.68.99, Send IOS VID
Aug 01 20:35:01 [IKEv1 DEBUG]IP = 197.217.68.99, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Aug 01 20:35:01 [IKEv1 DEBUG]IP = 197.217.68.99, constructing VID payload
Aug 01 20:35:01 [IKEv1 DEBUG]IP = 197.217.68.99, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Aug 01 20:35:01 [IKEv1 DEBUG]IP = 197.217.68.99, constructing NAT-Discovery payload
Aug 01 20:35:01 [IKEv1 DEBUG]IP = 197.217.68.99, computing NAT Discovery hash
Aug 01 20:35:01 [IKEv1 DEBUG]IP = 197.217.68.99, constructing NAT-Discovery payload
Aug 01 20:35:01 [IKEv1 DEBUG]IP = 197.217.68.99, computing NAT Discovery hash
Aug 01 20:35:01 [IKEv1]IP = 197.217.68.99, Connection landed on tunnel_group DefaultRAGroup
Aug 01 20:35:01 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 197.217.68.99, Generating keys for Responder...
Aug 01 20:35:01 [IKEv1]IP = 197.217.68.99, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 304
Aug 01 20:35:02 [IKEv1]IP = 197.217.68.99, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 64
Aug 01 20:35:02 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 197.217.68.99, processing ID payload
Aug 01 20:35:02 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 197.217.68.99, processing hash payload
Aug 01 20:35:02 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 197.217.68.99, Computing hash for ISAKMP
Aug 01 20:35:02 [IKEv1]Group = DefaultRAGroup, IP = 197.217.68.99, Automatic NAT Detection Status: Remote end IS behind a NAT device This end IS behind a NAT device
Aug 01 20:35:02 [IKEv1]IP = 197.217.68.99, Connection landed on tunnel_group DefaultRAGroup
Aug 01 20:35:02 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 197.217.68.99, constructing ID payload
Aug 01 20:35:02 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 197.217.68.99, constructing hash payload
Aug 01 20:35:02 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 197.217.68.99, Computing hash for ISAKMP
Aug 01 20:35:02 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 197.217.68.99, constructing dpd vid payload
Aug 01 20:35:02 [IKEv1]IP = 197.217.68.99, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + VENDOR (13) + NONE (0) total length : 84
Aug 01 20:35:02 [IKEv1]Group = DefaultRAGroup, IP = 197.217.68.99, PHASE 1 COMPLETED
Aug 01 20:35:02 [IKEv1]IP = 197.217.68.99, Keep-alive type for this connection: None
Aug 01 20:35:02 [IKEv1]IP = 197.217.68.99, Keep-alives configured on but peer does not support keep-alives (type = None)
Aug 01 20:35:02 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 197.217.68.99, Starting P1 rekey timer: 21600 seconds.
Aug 01 20:35:03 [IKEv1]IP = 197.217.68.99, IKE_DECODE RECEIVED Message (msgid=1) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NAT-OA (21) + NAT-OA (21) + NONE (0) total length : 324
Aug 01 20:35:03 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 197.217.68.99, processing hash payload
Aug 01 20:35:03 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 197.217.68.99, processing SA payload
Aug 01 20:35:03 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 197.217.68.99, processing nonce payload
Aug 01 20:35:03 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 197.217.68.99, processing ID payload
Aug 01 20:35:03 [IKEv1]Group = DefaultRAGroup, IP = 197.217.68.99, Received remote Proxy Host data in ID Payload: Address 192.168.5.122, Protocol 17, Port 1701
Aug 01 20:35:03 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 197.217.68.99, processing ID payload
Aug 01 20:35:03 [IKEv1]Group = DefaultRAGroup, IP = 197.217.68.99, Received local Proxy Host data in ID Payload: Address 41.63.166.15, Protocol 17, Port 1701
Aug 01 20:35:03 [IKEv1]Group = DefaultRAGroup, IP = 197.217.68.99, L2TP/IPSec session detected.
Aug 01 20:35:03 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 197.217.68.99, processing NAT-Original-Address payload
Aug 01 20:35:03 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 197.217.68.99, processing NAT-Original-Address payload
Aug 01 20:35:03 [IKEv1]Group = DefaultRAGroup, IP = 197.217.68.99, QM IsRekeyed old sa not found by addr
Aug 01 20:35:03 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 197.217.68.99, Selecting only UDP-Encapsulated-Tunnel and UDP-Encapsulated-Transport modes defined by NAT-Traversal
Aug 01 20:35:03 [IKEv1]Group = DefaultRAGroup, IP = 197.217.68.99, IKE Remote Peer configured for crypto map: dynmap
Aug 01 20:35:03 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 197.217.68.99, processing IPSec SA payload
Aug 01 20:35:03 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 197.217.68.99, IPSec SA Proposal # 1, Transform # 1 acceptable Matches global IPSec SA entry # 1
Aug 01 20:35:03 [IKEv1]Group = DefaultRAGroup, IP = 197.217.68.99, IKE: requesting SPI!
IPSEC: New embryonic SA created @ 0xb2b4ef98,
SCB: 0xB1BBEC58,
Direction: inbound
SPI : 0x8DFBC25E
Session ID: 0x01236000
VPIF num : 0x00000002
Tunnel type: ra
Protocol : esp
Lifetime : 240 seconds
Aug 01 20:35:03 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 197.217.68.99, IKE got SPI from key engine: SPI = 0x8dfbc25e
Aug 01 20:35:03 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 197.217.68.99, oakley constucting quick mode
Aug 01 20:35:03 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 197.217.68.99, constructing blank hash payload
Aug 01 20:35:03 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 197.217.68.99, constructing IPSec SA payload
Aug 01 20:35:03 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 197.217.68.99, constructing IPSec nonce payload
Aug 01 20:35:03 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 197.217.68.99, constructing proxy ID
Aug 01 20:35:03 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 197.217.68.99, Transmitting Proxy Id:
Remote host: 197.217.68.99 Protocol 17 Port 0
Local host: 10.30.21.2 Protocol 17 Port 1701
Aug 01 20:35:03 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 197.217.68.99, constructing NAT-Original-Address payload
Aug 01 20:35:03 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 197.217.68.99, constructing NAT-Original-Address payload
Aug 01 20:35:03 [IKEv1]Group = DefaultRAGroup, IP = 197.217.68.99, NAT-Traversal sending NAT-Original-Address payload
Aug 01 20:35:03 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 197.217.68.99, constructing qm hash payload
Aug 01 20:35:03 [IKEv1]IP = 197.217.68.99, IKE_DECODE SENDING Message (msgid=1) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NAT-OA (21) + NAT-OA (21) + NONE (0) total length : 188
Aug 01 20:35:04 [IKEv1]IP = 197.217.68.99, IKE_DECODE RECEIVED Message (msgid=2) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NAT-OA (21) + NAT-OA (21) + NONE (0) total length : 324
Aug 01 20:35:04 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 197.217.68.99, processing hash payload
Aug 01 20:35:04 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 197.217.68.99, processing SA payload
Aug 01 20:35:04 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 197.217.68.99, processing nonce payload
Aug 01 20:35:04 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 197.217.68.99, processing ID payload
Aug 01 20:35:04 [IKEv1]Group = DefaultRAGroup, IP = 197.217.68.99, Received remote Proxy Host data in ID Payload: Address 197.217.68.99, Protocol 17, Port 0
Aug 01 20:35:04 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 197.217.68.99, processing ID payload
Aug 01 20:35:04 [IKEv1]Group = DefaultRAGroup, IP = 197.217.68.99, Received local Proxy Host data in ID Payload: Address 10.30.21.2, Protocol 17, Port 1701
Aug 01 20:35:04 [IKEv1]Group = DefaultRAGroup, IP = 197.217.68.99, L2TP/IPSec session detected.
Aug 01 20:35:04 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 197.217.68.99, processing NAT-Original-Address payload
Aug 01 20:35:04 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 197.217.68.99, processing NAT-Original-Address payload
Aug 01 20:35:04 [IKEv1]IP = 197.217.68.99, Rejecting new IPSec SA negotiation for peer 197.217.68.99. A negotiation was already in progress for local Proxy 10.30.21.2/255.255.255.255, remote Proxy 197.217.68.99/255.255.255.255
Aug 01 20:35:04 [IKEv1]Group = DefaultRAGroup, IP = 197.217.68.99, QM FSM error (P2 struct &0xb1fe13a8, mess id 0x2)!
Aug 01 20:35:04 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 197.217.68.99, IKE QM Responder FSM error history (struct &0xb1fe13a8) <state>, <event>: QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH-->QM_BLD_MSG2, EV_VALIDATE_MSG
Aug 01 20:35:04 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 197.217.68.99, sending delete/delete with reason message
Aug 01 20:35:04 [IKEv1]Group = DefaultRAGroup, IP = 197.217.68.99, Removing peer from correlator table failed, no match!
Aug 01 20:35:05 [IKEv1]IP = 197.217.68.99, IKE_DECODE RECEIVED Message (msgid=2) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NAT-OA (21) + NAT-OA (21) + NONE (0) total length : 324
Aug 01 20:35:05 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 197.217.68.99, processing hash payload
Aug 01 20:35:05 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 197.217.68.99, processing SA payload
Aug 01 20:35:05 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 197.217.68.99, processing nonce payload
Aug 01 20:35:05 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 197.217.68.99, processing ID payload
Aug 01 20:35:05 [IKEv1]Group = DefaultRAGroup, IP = 197.217.68.99, Received remote Proxy Host data in ID Payload: Address 197.217.68.99, Protocol 17, Port 0
Aug 01 20:35:05 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 197.217.68.99, processing ID payload
Aug 01 20:35:05 [IKEv1]Group = DefaultRAGroup, IP = 197.217.68.99, Received local Proxy Host data in ID Payload: Address 10.30.21.2, Protocol 17, Port 1701
Aug 01 20:35:05 [IKEv1]Group = DefaultRAGroup, IP = 197.217.68.99, L2TP/IPSec session detected.
Aug 01 20:35:05 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 197.217.68.99, processing NAT-Original-Address payload
Aug 01 20:35:05 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 197.217.68.99, processing NAT-Original-Address payload
Aug 01 20:35:05 [IKEv1]IP = 197.217.68.99, Rejecting new IPSec SA negotiation for peer 197.217.68.99. A negotiation was already in progress for local Proxy 10.30.21.2/255.255.255.255, remote Proxy 197.217.68.99/255.255.255.255
Aug 01 20:35:05 [IKEv1]Group = DefaultRAGroup, IP = 197.217.68.99, QM FSM error (P2 struct &0xb074f010, mess id 0x2)!
Aug 01 20:35:05 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 197.217.68.99, IKE QM Responder FSM error history (struct &0xb074f010) <state>, <event>: QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH-->QM_BLD_MSG2, EV_VALIDATE_MSG
Aug 01 20:35:05 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 197.217.68.99, sending delete/delete with reason message
Aug 01 20:35:05 [IKEv1]Group = DefaultRAGroup, IP = 197.217.68.99, Removing peer from correlator table failed, no match!
08-02-2014 08:45 AM
Hi Mateus,
As you can see in the output:-
Aug 01 20:35:02 [IKEv1]Group = DefaultRAGroup, IP = 197.217.68.99, PHASE 1 COMPLETED
Phase 1 is getting completed, and the QM FSM error indicates an issue with the transform-set and/or crypto access-list.
Please try using ESP-3DES and ESP-SHA-HMAC for transform set and let us know how it fares.
You might as well try using PAP as authentication.
Regards,
Dinesh Moudgil
P.S. Please rate helpful posts.
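The triage used in this answer (Phase 1 completes, then Quick Mode fails) can be expressed as a small parser for `debug crypto ikev1` output. This is an added example, not part of the original thread or of any Cisco tool; the function names and verdict labels are hypothetical, and the sample reuses four lines from the debug output above plus one constructed line for a second peer.

```python
import re
from collections import defaultdict

# The first four lines are copied from the debug output posted in the question;
# the last one (peer 203.0.113.7) is constructed: a peer that never finishes Phase 1.
SAMPLE = """\
Aug 01 20:35:02 [IKEv1]Group = DefaultRAGroup, IP = 197.217.68.99, PHASE 1 COMPLETED
Aug 01 20:35:04 [IKEv1]IP = 197.217.68.99, Rejecting new IPSec SA negotiation for peer 197.217.68.99. A negotiation was already in progress for local Proxy 10.30.21.2/255.255.255.255, remote Proxy 197.217.68.99/255.255.255.255
Aug 01 20:35:04 [IKEv1]Group = DefaultRAGroup, IP = 197.217.68.99, QM FSM error (P2 struct &0xb1fe13a8, mess id 0x2)!
FWASA-VICT1(config)# Aug 01 20:54:25 [IKEv1]Group = DefaultRAGroup, IP = 197.217.68.99, QM FSM error (P2 struct &0xb074f010, mess id 0x4)!
Aug 01 20:40:00 [IKEv1 DEBUG]IP = 203.0.113.7, processing SA payload
"""

# Optional CLI prompt, timestamp, [IKEv1] or [IKEv1 DEBUG], optional group, peer IP, message.
LINE = re.compile(
    r"^(?:\S+# )?\w{3} \d{2} [\d:]{8} \[IKEv1(?: DEBUG)?\]"
    r"(?:Group = \S+, )?IP = (?P<ip>[\d.]+), (?P<msg>.*)$"
)
QM_ERR = re.compile(r"QM FSM error \(P2 struct &0x[0-9a-f]+, mess id (0x[0-9a-f]+)\)")
REJECT = re.compile(r"local Proxy (?P<local>[\d.]+)/[\d.]+, remote Proxy (?P<remote>[\d.]+)/")


def triage(text):
    """Summarise ASA IKEv1 debug output per peer IP."""
    peers = defaultdict(lambda: {"phase1_done": False, "qm_errors": 0,
                                 "msg_ids": set(), "proxies": set()})
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # continuation lines and messages that carry no peer IP
        s, msg = peers[m["ip"]], m["msg"]
        if msg == "PHASE 1 COMPLETED":
            s["phase1_done"] = True
        elif (q := QM_ERR.search(msg)):
            s["qm_errors"] += 1
            s["msg_ids"].add(q[1])
        elif (r := REJECT.search(msg)):
            # Proxy pair of the negotiation that was still pending when the retry arrived.
            s["proxies"].add((r["local"], r["remote"]))
    return dict(peers)


def verdict(summary):
    """Classify where the tunnel setup stopped for one peer."""
    # Quick Mode only runs under an established Phase 1 SA, so QM errors point at
    # Phase 2 even when the capture started after "PHASE 1 COMPLETED" was logged.
    if summary["qm_errors"]:
        return "phase2-quick-mode-failure"
    if not summary["phase1_done"]:
        return "phase1-incomplete"
    return "no-failure-seen"


if __name__ == "__main__":
    for ip, summary in triage(SAMPLE).items():
        print(ip, verdict(summary), sorted(summary["msg_ids"]), sorted(summary["proxies"]))
```
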
08-03-2014 04:00 AM
Thank you, very helpful, it's working!
08-03-2014 01:19 PM
Thank you Mateus,
I am glad it is working for you.
Regards,
Dinesh Moudgil