New Member

phase 2 SA not acceptable

I want to connect two offices via VPN:

First office - Router 3620

int fa1/1(A.B.C.D) - to ISP

int fa1/0(A.B.C.E) - to LAN

Firewall behind int fa1/0 ( A.B.C.G,10.10.4.1)

Second office - PIX 506E

out int -X.Y.Z.99

in int - 172.20.4.1

client behind PIX - 172.20.7.14 - I try to ping from that client to 10.10.4.1 - failed

----------------------

Configs:

3620

====

!
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
crypto isakmp key ****** address X.Y.Z.99 no-xauth
!
!
crypto ipsec transform-set TUNNEL-TRANSFORM esp-des esp-md5-hmac
 mode transport
!
!
crypto map VPN 1 ipsec-isakmp
 set peer X.Y.Z.99
 set transform-set TUNNEL-TRANSFORM
 match address 111
!
!
interface Tunnel0
 ip address 192.168.101.1 255.255.255.0
 tunnel source FastEthernet1/0
 tunnel destination X.Y.Z.99
 crypto map VPN
!
ip route 172.0.0.0 255.0.0.0 Tunnel0
!
access-list 111 remark # traffic for encryption
access-list 111 permit gre host A.B.C.D host X.Y.Z.99
!

==============================================

PIX 506E

========

name 10.10.0.0 GalaktikaMinsk
access-list outside_cryptomap_20 permit ip 172.0.0.0 255.0.0.0 GalaktikaMinsk 255.255.0.0
sysopt connection permit-ipsec
crypto ipsec transform-set VPNSecure esp-des esp-md5-hmac
crypto dynamic-map DynMap 10 set transform-set VPNSecure
crypto map VPNmap 20 ipsec-isakmp
crypto map VPNmap 20 match address outside_cryptomap_20
crypto map VPNmap 20 set peer A.B.C.D
crypto map VPNmap 20 set transform-set VPNSecure
crypto map VPNmap 65535 ipsec-isakmp dynamic DynMap
crypto map VPNmap client authentication LOCAL
crypto map VPNmap interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp key ******** address A.B.C.D netmask 255.255.255.255 no-xauth no-config-mode

===========================================

3 REPLIES
New Member

Re: phase 2 SA not acceptable

Here is the debug:

3620

====

1d: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at X.Y.Z.99
1w1d: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at X.Y.Z.99
1w1d: ISAKMP (0:14): received packet from X.Y.Z.99 (R) QM_IDLE
1w1d: ISAKMP (0:14): processing HASH payload. message ID = 824022300
1w1d: ISAKMP (0:14): processing SA payload. message ID = 824022300
1w1d: ISAKMP (0:14): Checking IPSec proposal 1
1w1d: ISAKMP: transform 1, ESP_DES
1w1d: ISAKMP: attributes in transform:
1w1d: ISAKMP: encaps is 1
1w1d: ISAKMP: SA life type in seconds
1w1d: ISAKMP: SA life duration (basic) of 28800
1w1d: ISAKMP: SA life type in kilobytes
1w1d: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
1w1d: ISAKMP: authenticator is HMAC-MD5
1w1d: IPSEC(validate_proposal): invalid local address A.B.C.D
1w1d: ISAKMP (0:14): atts not acceptable. Next payload is 0
1w1d: ISAKMP (0:14): phase 2 SA not acceptable!
1w1d: ISAKMP (0:14): sending packet to X.Y.Z.99 (R) QM_IDLE
1w1d: ISAKMP (0:14): purging node 797600222
1w1d: ISAKMP (0:14): deleting node 824022300 error FALSE reason "IKMP_NO_ERR_NO_TRANS"
1w1d: ISAKMP (0:14): received packet from X.Y.Z.99 (R) QM_IDLE
1w1d: ISAKMP (0:14): phase 2 packet is a duplicate of a previous packet.
1w1d: ISAKMP (0:14): retransmitting due to retransmit phase 2
1w1d: ISAKMP (0:14): ignoring retransmission,because phase2 node marked dead -271719268
1w1d: ISAKMP (0:14): received packet from X.Y.Z.99 (R) QM_IDLE
1w1d: ISAKMP (0:14): phase 2 packet is a duplicate of a previous packet.
1w1d: ISAKMP (0:14): retransmitting due to retransmit phase 2
1w1d: ISAKMP (0:14): ignoring retransmission,because phase2 node marked dead 824022300
1w1d: ISAKMP (0:14): received packet from X.Y.Z.99 (R) QM_IDLE
1w1d: ISAKMP (0:14): phase 2 packet is a duplicate of a previous packet.
1w1d: ISAKMP (0:14): retransmitting due to retransmit phase 2
1w1d: ISAKMP (0:14): ignoring retransmission,because phase2 node marked dead -271719268
1w1d: ISAKMP (0:13): purging node -1817931318
1w1d: ISAKMP (0:13): purging node -29250788
1w1d: ISAKMP (0:14): purging node 458308425
1w1d: ISAKMP (0:14): purging node -271719268
1w1d: ISAKMP (0:14): received packet from X.Y.Z.99 (R) QM_IDLE
1w1d: ISAKMP (0:14): phase 2 packet is a duplicate of a previous packet.
1w1d: ISAKMP (0:14): retransmitting due to retransmit phase 2
1w1d: ISAKMP (0:14): ignoring retransmission,because phase2 node marked dead 824022300

New Member

Re: phase 2 SA not acceptable

1w1d: ISAKMP (0:14): received packet from X.Y.Z.99 (R) QM_IDLE
1w1d: ISAKMP (0:14): processing HASH payload. message ID = -1448175660
1w1d: ISAKMP (0:14): processing SA payload. message ID = -1448175660
1w1d: ISAKMP (0:14): Checking IPSec proposal 1
1w1d: ISAKMP: transform 1, ESP_DES
1w1d: ISAKMP: attributes in transform:
1w1d: ISAKMP: encaps is 1
1w1d: ISAKMP: SA life type in seconds
1w1d: ISAKMP: SA life duration (basic) of 28800
1w1d: ISAKMP: SA life type in kilobytes
1w1d: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
1w1d: ISAKMP: authenticator is HMAC-MD5
1w1d: IPSEC(validate_proposal): invalid local address A.B.C.D
1w1d: ISAKMP (0:14): atts not acceptable. Next payload is 0
1w1d: ISAKMP (0:14): phase 2 SA not acceptable!
1w1d: ISAKMP (0:14): sending packet to X.Y.Z.99 (R) QM_IDLE
1w1d: ISAKMP (0:14): purging node 1878747710
1w1d: ISAKMP (0:14): deleting node -1448175660 error FALSE reason "IKMP_NO_ERR_NO_TRANS"
1w1d: ISAKMP (0:13): purging SA., sa=62830C18, delme=62830C18
1w1d: ISAKMP (0:14): received packet from X.Y.Z.99 (R) QM_IDLE
1w1d: ISAKMP (0:14): processing HASH payload. message ID = 102085731
1w1d: ISAKMP (0:14): processing DELETE payload. message ID = 102085731
1w1d: ISAKMP (0:14): peer does not do paranoid keepalives.
1w1d: ISAKMP (0:14): deleting SA reason "P1 delete notify (in)" state (R) QM_IDLE (peer X.Y.Z.99) input queue 0
1w1d: ISAKMP (0:14): deleting node 102085731 error FALSE reason "P1 delete notify (in)"

=====================================

Strange message:

1w1d: IPSEC(validate_proposal): invalid local address A.B.C.D

New Member

Re: phase 2 SA not acceptable

=========================================

PIX506E

=======

ISAKMP (0): retransmitting phase 2...IPSEC(key_engine): request timer fired: count = 2,
(identity) local= X.Y.Z.99, remote= A.B.C.D,
local_proxy= 172.0.0.0/255.0.0.0/0/0 (type=4),
remote_proxy= GalaktikaMinsk/255.255.0.0/0/0 (type=4)
ISAKMP (0): beginning Quick Mode exchange, M-ID of -1546992702:a3cac3c2IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0xb0aaec49(2963991625) for SA
from A.B.C.D to X.Y.Z.99 for prot 3
crypto_isakmp_process_block:src:A.B.C.D, dest:X.Y.Z.99 spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 14 protocol 0
spi 0, message ID = 2029493691IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with A.B.C.D
return status is IKMP_NO_ERR_NO_TRANS
ISAKMP (0): retransmitting phase 2...
pixfirewall# IPSEC(key_engine): request timer fired: count = 2,
(identity) local= X.Y.Z.99, remote= A.B.C.D,
local_proxy= 172.0.0.0/255.0.0.0/0/0 (type=4),
remote_proxy= GalaktikaMinsk/255.255.0.0/0/0 (type=4)
ISAKMP (0): beginning Main Mode exchange
crypto_isakmp_process_block:src:A.B.C.D, dest:X.Y.Z.99 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:A.B.C.D, dest:X.Y.Z.99 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
ISAKMP (0): processing vendor id payload
ISAKMP (0): speaking to another IOS box!
ISAKMP (0): ID payload
next-payload : 8
type : 1
protocol : 17
port : 500
length : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:A.B.C.D, dest:X.Y.Z.99 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): SA has been authenticated
ISAKMP (0): beginning Quick Mode exchange, M-ID of -1807665318:9441375aIPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0x10985e20(278421024) for SA
from A.B.C.D to X.Y.Z.99 for prot 3
return status is IKMP_NO_ERROR
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending NOTIFY message 24578 protocol 1
VPN Peer: ISAKMP: Added new peer: ip:A.B.C.D/500 Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:A.B.C.D/500 Ref cnt incremented to:1 Total VPN Peers:1
crypto_isakmp_process_block:src:A.B.C.D, dest:X.Y.Z.99 spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 14 protocol 0
spi 0, message ID = 3167843399IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with A.B.C.D
return status is IKMP_NO_ERR_NO_TRANS
ISAKMP (0): retransmitting phase 2...IPSEC(key_engine): request timer fired: count = 1,

========================

Where am I wrong?
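As an added example (not part of the thread), here is a small Python helper for reading debug output like the above: it decodes the raw Quick Mode attributes the IOS side prints (the encapsulation-mode value, lifetimes given as hex byte lists) and checks whether the proxy identities the PIX offers mirror the router's crypto ACL 111. The sample lines are constructed from the quoted output, with the PIX `name` alias GalaktikaMinsk resolved to 10.10.0.0.

```python
import re
ENCAPS = {1: "tunnel", 2: "transport"}  # IKEv1 IPsec DOI encapsulation values (RFC 2407)
# Constructed samples shaped like the debug output quoted above (the PIX prints
# its `name` alias GalaktikaMinsk where 10.10.0.0 appears here).
IOS_DEBUG = """1w1d: ISAKMP: encaps is 1
1w1d: ISAKMP: SA life type in seconds
1w1d: ISAKMP: SA life duration (basic) of 28800
1w1d: ISAKMP: SA life type in kilobytes
1w1d: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
1w1d: IPSEC(validate_proposal): invalid local address A.B.C.D"""
PIX_DEBUG = """local_proxy= 172.0.0.0/255.0.0.0/0/0 (type=4),
remote_proxy= 10.10.0.0/255.255.0.0/0/0 (type=4)"""
# The router's crypto ACL 111 from the thread: permit gre host A.B.C.D host X.Y.Z.99
IOS_ACL = {"proto": 47, "src": "A.B.C.D/255.255.255.255", "dst": "X.Y.Z.99/255.255.255.255"}

def vpi_to_int(words):
    """'0x0 0x46 0x50 0x0' -> 4608000: a (VPI) lifetime is printed as big-endian bytes."""
    return int.from_bytes(bytes(int(w, 16) for w in words.split()), "big")

def parse_ios_proposal(text):
    """Decode the attributes IOS prints while checking a peer's Quick Mode proposal."""
    p, life = {"reject": None}, None
    for line in text.splitlines():
        if m := re.search(r"encaps is (\d+)", line):
            p["encaps"] = ENCAPS.get(int(m.group(1)), "unknown")
        elif m := re.search(r"life type in (\w+)", line):
            life = m.group(1)                      # qualifies the next duration line
        elif m := re.search(r"life duration \(basic\) of (\d+)", line):
            p["life_" + life] = int(m.group(1))
        elif m := re.search(r"life duration \(VPI\) of (.+)$", line):
            p["life_" + life] = vpi_to_int(m.group(1))
        elif m := re.search(r"validate_proposal\): (.+)$", line):
            p["reject"] = m.group(1)               # why IOS refused the phase 2 SA
    return p

def parse_pix_proxies(text):
    """Extract the proxy identities (traffic selectors) the PIX offers: net/mask and protocol."""
    out = {}
    for m in re.finditer(r"(local|remote)_proxy= ([^/\s]+)/([^/\s]+)/(\d+)/\d+", text):
        out[m.group(1)] = {"id": m.group(2) + "/" + m.group(3), "proto": int(m.group(4))}
    return out

def mirror_problems(pix, acl):
    """A responder's crypto ACL must exactly mirror the initiator's proxy identities."""
    problems = []
    if pix["remote"]["id"] != acl["src"] or pix["local"]["id"] != acl["dst"]:
        problems.append("proxy %s -> %s does not mirror the crypto ACL" % (pix["local"]["id"], pix["remote"]["id"]))
    if pix["local"]["proto"] != acl["proto"]:
        problems.append("peer offers IP protocol %d, ACL permits only %d" % (pix["local"]["proto"], acl["proto"]))
    return problems
```

`parse_ios_proposal(IOS_DEBUG)` reports the peer's proposal as tunnel mode with 28800 s / 4608000 KB lifetimes plus the rejection reason, and `mirror_problems(parse_pix_proxies(PIX_DEBUG), IOS_ACL)` lists where the PIX's 172.0.0.0/8 to 10.10.0.0/16 IP selectors and the router's GRE host-to-host ACL disagree.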
