Lots of IKE proposals

Hi,

I'm having problems with a VPN between a Cisco PIX 501 and a Fortinet. It was working 2 days ago but now it doesn't come up. When executing the sh crypto isakmp sa command, a lot of proposals appear for the same VPN, with the same source and destination, with MM_NO_STATE:

     dst            src            state         pending     created
     192.168.1.2    xx.xx.xx.xx    MM_NO_STATE   0           0
     192.168.1.2    xx.xx.xx.xx    MM_NO_STATE   0           0
     192.168.1.2    xx.xx.xx.xx    MM_NO_STATE   0           0
     192.168.1.2    xx.xx.xx.xx    MM_NO_STATE   0           0
     192.168.1.2    xx.xx.xx.xx    MM_NO_STATE   0           0
     192.168.1.2    xx.xx.xx.xx    MM_NO_STATE   0           0
     192.168.1.2    xx.xx.xx.xx    MM_NO_STATE   0           0
     192.168.1.2    xx.xx.xx.xx    MM_NO_STATE   0           0
     192.168.1.2    xx.xx.xx.xx    MM_NO_STATE   0           0
     192.168.1.2    xx.xx.xx.xx    MM_NO_STATE   0           0
     192.168.1.2    xx.xx.xx.xx    MM_NO_STATE   0           0
     192.168.1.2    xx.xx.xx.xx    MM_NO_STATE   0           0
     192.168.1.2    xx.xx.xx.xx    MM_NO_STATE   0           0
     192.168.1.2    xx.xx.xx.xx    MM_NO_STATE   0           0
     192.168.1.2    xx.xx.xx.xx    MM_NO_STATE   0           0
     192.168.1.2    xx.xx.xx.xx    MM_NO_STATE   0           0
     192.168.1.2    xx.xx.xx.xx    MM_NO_STATE   0           0
     192.168.1.2    xx.xx.xx.xx    MM_NO_STATE   0           0

sh crypto ipsec sa shows a lot of send errors but no packets encapsulated or decapsulated.

Any ideas please?

1 REPLY

Turn the debugs on to see what's going on.

Suspecting that the Fortinet is sending numerous IKE P1 packets with separate cookie values. 

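Added example (not part of the original thread): a small check that parses output in the layout of the `sh crypto isakmp sa` listing quoted above and reports peer pairs that have piled up `MM_NO_STATE` entries, the symptom described in the question. The sample rows, the placeholder peer addresses and the threshold of 3 are assumptions made for this illustration.

```python
import re
from collections import Counter

# Constructed sample in the column layout quoted in the post.
# 203.0.113.10 and 198.51.100.7 are placeholder (documentation) peer addresses.
SAMPLE = "\n".join(
    ["        dst               src            state     pending     created"]
    + ["     192.168.1.2    203.0.113.10    MM_NO_STATE   0           0"] * 5
    + ["     192.168.1.2    198.51.100.7    QM_IDLE       0           1",
       "     192.168.1.2    198.51.100.7    MM_NO_STATE   0           0"]
)

# dst, src, STATE, pending, created. The header row is skipped because its
# third column ("state") is not an upper-case state name, and blank lines never match.
ROW = re.compile(r"^\s*(\S+)\s+(\S+)\s+([A-Z]+_[A-Z_]+)\s+(\d+)\s+(\d+)\s*$")


def parse_isakmp_sa(text):
    """Return a list of (dst, src, state) tuples, one per SA row."""
    rows = []
    for line in text.splitlines():
        match = ROW.match(line)
        if match:
            rows.append(match.group(1, 2, 3))
    return rows


def stuck_phase1(text, threshold=3):
    """Return {(dst, src): count} for pairs with >= threshold MM_NO_STATE rows.

    MM_NO_STATE means a main-mode exchange was started but has not progressed,
    so many such rows for one peer pair indicate repeated Phase 1 attempts
    that never complete.
    """
    counts = Counter(
        (dst, src)
        for dst, src, state in parse_isakmp_sa(text)
        if state == "MM_NO_STATE"
    )
    return {pair: n for pair, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for (dst, src), n in stuck_phase1(SAMPLE).items():
        print(f"{src} -> {dst}: {n} SAs stuck in MM_NO_STATE")
```

A peer flagged here is the one to watch in the ISAKMP debug output the reply recommends.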