Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
7341
Views
0
Helpful
4
Replies

Major mismatch in debug for isakmp

Go to solution
jasonww04
Level 1
Level 1

‎10-20-2010 04:05 PM

This is the fifth router that has been set up to work with a remote firewall for VPN service. All five routers have the exact same crypto configurations except for the IP differences. The remote firewall has the same settings for each router except for IP differences.

One router refuses to complete phase 1 for no discernable reason. It finds the peer with the pre-shared key. It accepts the attributes and then fails to make an SA. The remote firewall's logs just say the peer timed out. The only thing I see in debug is major 25 mismatch, major 237 mismatch, etc. What do the major mismatch debug lines mean?

Here is a sample of the debug:

processing vendor id payload

vendor ID seems Unity/DPD but major 38 mismatch

processing vendor id payload

vendor ID seems Unity/DPD but major 215 mismatch

1 person had this problem
Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee
In response to jasonww04

‎10-28-2010 05:24 AM

do you mind sharing the router's config?

You also mention that it found the preshared key, can you please share the output of "show cry isa sa".

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee

‎10-20-2010 05:49 PM

Is the remote firewall a Cisco firewall or other vendor firewall?

Also, are all the 5 routers running the same version of IOS?

Can you share the configuration pls?

0 Helpful

Go to solution
jasonww04
Level 1
Level 1
In response to Jennifer Halim

‎10-27-2010 07:23 AM

The remote device is not a Cisco router/firewall.

All the routers are 1841s running the same IOS. They were all purchased at the same time even.


These are the crypto settings that all the routers have:

crypto isakmp policy 30
encr aes 256
hash sha
authentication pre-share
group 2
lifetime 28800
crypto isakmp key ######### address 96.57.xxx.xxx
!
!
crypto ipsec transform-set VPNAES256 esp-aes 256 esp-sha-hmac
!
crypto map to_vpn 15 ipsec-isakmp
set peer 96.57.xxx.xxx
set transform-set VPNAES256
match address VPNCFC

ip access-list extended NAT
deny   ip 192.168.2.0 0.0.0.255 10.11.0.0 0.0.255.255
deny   ip 172.18.31.0 0.0.0.255 10.11.0.0 0.0.255.255
deny   ip 172.18.31.0 0.0.0.255 192.168.254.0 0.0.0.255
permit ip 172.18.31.0 0.0.0.255 any
permit ip 192.168.2.0 0.0.0.255 any
ip access-list extended VPNCFC
permit ip 172.18.31.0 0.0.0.255 192.168.254.0 0.0.0.255

The only difference between this router and the ones that work is this router has a bunch of static NATs. However, the only static NAT attached to the WAN interface is using TCP port 100 only.

0 Helpful

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee
In response to jasonww04

‎10-28-2010 05:24 AM

do you mind sharing the router's config?

You also mention that it found the preshared key, can you please share the output of "show cry isa sa".

0 Helpful

Go to solution
jasonww04
Level 1
Level 1
In response to Jennifer Halim

‎10-28-2010 09:37 AM

I'm a moron. Thanks to your suggestion of posting the full config, I found the problem. It was a routing issue. Thanks for the help.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents