RSA AUTH ISAKMP Debug

Hi,

Attached is a debug (debug cry eng, debug cry ip, debug cry isa) from one router connecting to another via VPN. The other router is not in our responsibility, so we don't have access to it. Maybe one of you can give me a hint why these two routers are not able to communicate via VPN anymore. Our customer says nothing has changed. I can't find much detail on ISAKMP with RSA SIG debugs.

Bye

Andre

Jan 16 11:50:47.108 MEWZ: ISAKMP (0:1): Checking ISAKMP transform 2 against priority 1 policy

Jan 16 11:50:47.108 MEWZ: ISAKMP: encryption DES-CBC

Jan 16 11:50:47.108 MEWZ: ISAKMP: hash SHA

Jan 16 11:50:47.108 MEWZ: ISAKMP: default group 1

Jan 16 11:50:47.108 MEWZ: ISAKMP: auth RSA sig

Jan 16 11:50:47.108 MEWZ: ISAKMP: life type in seconds

Jan 16 11:50:47.112 MEWZ: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80

Jan 16 11:50:47.112 MEWZ: ISAKMP (0:1): atts are acceptable. Next payload is 0

Jan 16 11:50:47.112 MEWZ: CryptoEngine0: generate alg parameter

Jan 16 11:50:47.272 MEWZ: CRYPTO_ENGINE: Dh phase 1 status: 0

Jan 16 11:50:47.272 MEWZ: CRYPTO_ENGINE: Dh phase 1 status: 0

Jan 16 11:50:47.272 MEWZ: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

Jan 16 11:50:47.272 MEWZ: ISAKMP (0:1): Old State = IKE_R_MM1 New State = IKE_R_MM1

Jan 16 11:50:47.276 MEWZ: ISAKMP (0:1): sending packet to xxx.xxx.xxx.xxx (R) MM_SA_SETUP

Jan 16 11:50:47.276 MEWZ: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

Jan 16 11:50:47.276 MEWZ: ISAKMP (0:1): Old State = IKE_R_MM1 New State = IKE_R_MM2

Jan 16 11:50:47.553 MEWZ: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to up

Jan 16 11:50:47.865 MEWZ: IPSEC(sa_request): ,

(key eng. msg.) OUTBOUND local= yyy.yyy.yyy.yyy, remote= xxx.xxx.xxx.xxx,

local_proxy= yyy.yyy.yyy.yyy/255.255.255.255/47/0 (type=1),

remote_proxy= xxx.xxx.xxx.xxx/255.255.255.255/47/0 (type=1),

protocol= ESP, transform= esp-3des esp-sha-hmac ,

lifedur= 3600s and 4608000kb,

spi= 0xA611FD11(2786196753), conn_id= 0, keysize= 0, flags= 0x400C

Jan 16 11:50:47.865 MEWZ: ISAKMP: received ke message (1/1)

Jan 16 11:50:47.869 MEWZ: ISAKMP: local port 500, remote port 500

Jan 16 11:50:47.869 MEWZ: ISAKMP (0:2): Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM

Jan 16 11:50:47.869 MEWZ: ISAKMP (0:2): Old State = IKE_READY New State = IKE_I_MM1

Jan 16 11:50:47.869 MEWZ: ISAKMP (0:2): beginning Main Mode exchange

Jan 16 11:50:47.869 MEWZ: ISAKMP (0:2): sending packet to xxx.xxx.xxx.xxx (I) MM_NO_STATE

Jan 16 11:50:57.129 MEWZ: ISAKMP (0:1): received packet from xxx.xxx.xxx.xxx (R) MM_SA_SETUP

Jan 16 11:50:57.129 MEWZ: ISAKMP (0:1): phase 1 packet is a duplicate of a previous packet.

Jan 16 11:50:57.129 MEWZ: ISAKMP (0:1): retransmitting due to retransmit phase 1

Jan 16 11:50:57.129 MEWZ: ISAKMP (0:1): retransmitting phase 1 MM_SA_SETUP...

Jan 16 11:50:57.630 MEWZ: ISAKMP (0:1): retransmitting phase 1 MM_SA_SETUP...

Jan 16 11:50:57.630 MEWZ: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1

Jan 16 11:50:57.630 MEWZ: ISAKMP (0:1): retransmitting phase 1 MM_SA_SETUP

Jan 16 11:50:57.630 MEWZ: ISAKMP (0:1): sending packet to xxx.xxx.xxx.xxx (R) MM_SA_SETUP

Jan 16 11:50:57.874 MEWZ: ISAKMP (0:2): retransmitting phase 1 MM_NO_STATE...

Jan 16 11:50:57.874 MEWZ: ISAKMP (0:2): incrementing error counter on sa: retransmit phase 1

Jan 16 11:50:57.874 MEWZ: ISAKMP (0:2): retransmitting phase 1 MM_NO_STATE

Jan 16 11:50:57.874 MEWZ: ISAKMP (0:2): sending packet to xxx.xxx.xxx.xxx (I) MM_NO_STATE

Jan 16 11:51:07.189 MEWZ: ISAKMP (0:1): received packet from xxx.xxx.xxx.xxx (R) MM_SA_SETUP

Jan 16 11:51:07.189 MEWZ: ISAKMP (0:1): phase 1 packet is a duplicate of a previous packet.

Jan 16 11:51:07.189 MEWZ: ISAKMP (0:1): retransmitting due to retransmit phase 1

Jan 16 11:51:07.189 MEWZ: ISAKMP (0:1): retransmitting phase 1 MM_SA_SETUP...

Jan 16 11:51:07.690 MEWZ: ISAKMP (0:1): retransmitting phase 1 MM_SA_SETUP...

Jan 16 11:51:07.690 MEWZ: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1

Jan 16 11:51:07.690 MEWZ: ISAKMP (0:1): retransmitting phase 1 MM_SA_SETUP

Jan 16 11:51:07.690 MEWZ: ISAKMP (0:1): sending packet to xxx.xxx.xxx.xxx (R) MM_SA_SETUP

Jan 16 11:51:07.875 MEWZ: ISAKMP (0:2): retransmitting phase 1 MM_NO_STATE...

Jan 16 11:51:07.875 MEWZ: ISAKMP (0:2): incrementing error counter on sa: retransmit phase 1

Jan 16 11:51:07.875 MEWZ: ISAKMP (0:2): retransmitting phase 1 MM_NO_STATE

Jan 16 11:51:07.875 MEWZ: ISAKMP (0:2): sending packet to xxx.xxx.xxx.xxx (I) MM_NO_STATE

Jan 16 11:51:17.094 MEWZ: ISAKMP (0:1): received packet from xxx.xxx.xxx.xxx (R) MM_SA_SETUP

Jan 16 11:51:17.094 MEWZ: ISAKMP (0:1): phase 1 packet is a duplicate of a previous packet.

Jan 16 11:51:17.094 MEWZ: ISAKMP (0:1): retransmitting due to retransmit phase 1

Jan 16 11:51:17.098 MEWZ: ISAKMP (0:1): retransmitting phase 1 MM_SA_SETUP...

Jan 16 11:51:17.599 MEWZ: ISAKMP (0:1): retransmitting phase 1 MM_SA_SETUP...

Jan 16 11:51:17.599 MEWZ: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1

Jan 16 11:51:17.599 MEWZ: ISAKMP (0:1): retransmitting phase 1 MM_SA_SETUP

Jan 16 11:51:17.599 MEWZ: ISAKMP (0:1): sending packet to xxx.xxx.xxx.xxx (R) MM_SA_SETUP

Jan 16 11:51:17.867 MEWZ: IPSEC(key_engine): request timer fired: count = 1,

(identity) local= yyy.yyy.yyy.yyy, remote= xxx.xxx.xxx.xxx,

local_proxy= yyy.yyy.yyy.yyy/255.255.255.255/47/0 (type=1),

remote_proxy= xxx.xxx.xxx.xxx/255.255.255.255/47/0 (type=1)

Jan 16 11:51:17.867 MEWZ: IPSEC(sa_request): ,

(key eng. msg.) OUTBOUND local= yyy.yyy.yyy.yyy, remote= xxx.xxx.xxx.xxx,

local_proxy= yyy.yyy.yyy.yyy/255.255.255.255/47/0 (type=1),

remote_proxy= xxx.xxx.xxx.xxx/255.255.255.255/47/0 (type=1),

protocol= ESP, transform= esp-3des esp-sha-hmac ,

lifedur= 3600s and 4608000kb,

spi= 0xA69EE2DC(2795430620), conn_id= 0, keysize= 0, flags= 0x400C

Jan 16 11:51:17.871 MEWZ: ISAKMP: received ke message (1/1)

Jan 16 11:51:17.871 MEWZ: ISAKMP (0:2): SA is still budding. Attached new ipsec request to it.

Jan 16 11:51:17.875 MEWZ: ISAKMP (0:2): retransmitting phase 1 MM_NO_STATE...

Jan 16 11:51:17.875 MEWZ: ISAKMP (0:2): incrementing error counter on sa: retransmit phase 1

Jan 16 11:51:17.875 MEWZ: ISAKMP (0:2): retransmitting phase 1 MM_NO_STATE

Jan 16 11:51:17.875 MEWZ: ISAKMP (0:2): sending packet to xxx.xxx.xxx.xxx (I) MM_NO_STATE

Jan 16 11:51:27.094 MEWZ: ISAKMP (0:1): received packet from xxx.xxx.xxx.xxx (R) MM_SA_SETUP

Jan 16 11:51:27.094 MEWZ: ISAKMP (0:1): phase 1 packet is a duplicate of a previous packet.

Jan 16 11:51:27.098 MEWZ: ISAKMP (0:1): retransmitting due to retransmit phase 1

Jan 16 11:51:27.098 MEWZ: ISAKMP (0:1): retransmitting phase 1 MM_SA_SETUP...

Jan 16 11:51:27.599 MEWZ: ISAKMP (0:1): retransmitting phase 1 MM_SA_SETUP...

Jan 16 11:51:27.599 MEWZ: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1

Jan 16 11:51:27.599 MEWZ: ISAKMP (0:1): retransmitting phase 1 MM_SA_SETUP

Jan 16 11:51:27.599 MEWZ: ISAKMP (0:1): sending packet to xxx.xxx.xxx.xxx (R) MM_SA_SETUP

Jan 16 11:51:27.876 MEWZ: ISAKMP (0:2): retransmitting phase 1 MM_NO_STATE...

Jan 16 11:51:27.876 MEWZ: ISAKMP (0:2): incrementing error counter on sa: retransmit phase 1

Jan 16 11:51:27.876 MEWZ: ISAKMP (0:2): retransmitting phase 1 MM_NO_STATE

Jan 16 11:51:27.876 MEWZ: ISAKMP (0:2): sending packet to xxx.xxx.xxx.xxx (I) MM_NO_STATE

Jan 16 11:51:37.095 MEWZ: ISAKMP (0:1): received packet from xxx.xxx.xxx.xxx (R) MM_SA_SETUP

Jan 16 11:51:37.095 MEWZ: ISAKMP (0:1): phase 1 packet is a duplicate of a previous packet.

Jan 16 11:51:37.095 MEWZ: ISAKMP (0:1): retransmitting due to retransmit phase 1

Jan 16 11:51:37.095 MEWZ: ISAKMP (0:1): retransmitting phase 1 MM_SA_SETUP...

Jan 16 11:51:37.596 MEWZ: ISAKMP (0:1): retransmitting phase 1 MM_SA_SETUP...

Jan 16 11:51:37.596 MEWZ: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1

Jan 16 11:51:37.596 MEWZ: ISAKMP (0:1): retransmitting phase 1 MM_SA_SETUP

Jan 16 11:51:37.596 MEWZ: ISAKMP (0:1): sending packet to xxx.xxx.xxx.xxx (R) MM_SA_SETUP

Jan 16 11:51:37.876 MEWZ: ISAKMP (0:2): retransmitting phase 1 MM_NO_STATE...

Jan 16 11:51:37.876 MEWZ: ISAKMP (0:2): incrementing error counter on sa: retransmit phase 1

Jan 16 11:51:37.876 MEWZ: ISAKMP (0:2): retransmitting phase 1 MM_NO_STATE

Jan 16 11:51:37.876 MEWZ: ISAKMP (0:2): sending packet to xxx.xxx.xxx.xxx (I) MM_NO_STATE

Jan 16 11:51:47.264 MEWZ: ISAKMP (0:0): received packet from xxx.xxx.xxx.xxx (N) NEW SA

Jan 16 11:51:47.264 MEWZ: ISAKMP: local port 500, remote port 500

Jan 16 11:51:47.268 MEWZ: ISAKMP (0:3): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

Jan 16 11:51:47.268 MEWZ: ISAKMP (0:3): Old State = IKE_READY New State = IKE_R_MM1

Jan 16 11:51:47.268 MEWZ: ISAKMP (0:3): processing SA payload. message ID = 0

Jan 16 11:51:47.268 MEWZ: ISAKMP (0:3): Checking ISAKMP transform 1 against priority 1 policy

Jan 16 11:51:47.268 MEWZ: ISAKMP: encryption 3DES-CBC

Jan 16 11:51:47.268 MEWZ: ISAKMP: hash SHA

Jan 16 11:51:47.272 MEWZ: ISAKMP: default group 1

Jan 16 11:51:47.272 MEWZ: ISAKMP: auth RSA sig

Jan 16 11:51:47.272 MEWZ: ISAKMP: life type in seconds

Jan 16 11:51:47.272 MEWZ: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80

Jan 16 11:51:47.272 MEWZ: ISAKMP (0:3): Encryption algorithm offered does not match policy!

Jan 16 11:51:47.272 MEWZ: ISAKMP (0:3): atts are not acceptable. Next payload is 3

Jan 16 11:51:47.272 MEWZ: ISAKMP (0:3): Checking ISAKMP transform 2 against priority 1 policy

Jan 16 11:51:47.272 MEWZ: ISAKMP: encryption DES-CBC

Jan 16 11:51:47.272 MEWZ: ISAKMP: hash SHA

Re: RSA AUTH ISAKMP Debug

If the configuration has not changed, saving the configuration and reloading is possibly the best bet. What I suspect, though, is that the configurations have changed on one end at least, resulting in a mismatch between the proposals and thus leading to a failure in establishing a tunnel. Also, I think it is normal for a number of proposals to get dropped before one is accepted.

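An added example, not part of the original thread and not Cisco tooling: a small Python parser for debug output in this format that reports, per ISAKMP SA, which offered encryption transform was rejected or accepted and in which Main Mode state the SA kept retransmitting. The sample lines are constructed in the shape of the log above, and `summarize` and `stalled` are hypothetical helper names.

```python
import re
# Constructed sample in the format of the debug output posted above.
SAMPLE = """\
Jan 16 11:50:47.100 MEWZ: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 1 policy
Jan 16 11:50:47.100 MEWZ: ISAKMP: encryption 3DES-CBC
Jan 16 11:50:47.104 MEWZ: ISAKMP (0:1): atts are not acceptable. Next payload is 3
Jan 16 11:50:47.108 MEWZ: ISAKMP (0:1): Checking ISAKMP transform 2 against priority 1 policy
Jan 16 11:50:47.108 MEWZ: ISAKMP: encryption DES-CBC
Jan 16 11:50:47.112 MEWZ: ISAKMP (0:1): atts are acceptable. Next payload is 0
Jan 16 11:50:47.276 MEWZ: ISAKMP (0:1): sending packet to xxx.xxx.xxx.xxx (R) MM_SA_SETUP
Jan 16 11:50:47.869 MEWZ: ISAKMP (0:2): sending packet to xxx.xxx.xxx.xxx (I) MM_NO_STATE
Jan 16 11:50:57.129 MEWZ: ISAKMP (0:1): phase 1 packet is a duplicate of a previous packet.
Jan 16 11:50:57.630 MEWZ: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1
Jan 16 11:51:07.690 MEWZ: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1
"""

SA_LINE = re.compile(r"ISAKMP \((\d+:\d+)\): (.*)")   # lines tagged with an SA id
ENC_LINE = re.compile(r"ISAKMP:\s+encryption (\S+)")  # transform attribute line
PACKET = re.compile(r"\((I|R)\) (MM_\w+)")            # role and Main Mode state

def summarize(log):
    """Per-SA role, last Main Mode state, transform results and retry counts."""
    sas, current = {}, None
    for line in log.splitlines():
        enc = ENC_LINE.search(line)
        if enc and current:  # attribute lines carry no SA id; use the last one seen
            sas[current]["offered"] = enc.group(1)
            continue
        m = SA_LINE.search(line)
        if not m:
            continue
        current, msg = m.groups()
        sa = sas.setdefault(current, dict(role=None, state=None, offered=None,
            accepted=None, rejected=[], duplicates=0, retransmits=0))
        pkt = PACKET.search(msg)
        if pkt:
            sa["role"], sa["state"] = pkt.groups()
        elif "atts are not acceptable" in msg:
            sa["rejected"].append(sa["offered"])
        elif "atts are acceptable" in msg:
            sa["accepted"] = sa["offered"]
        elif "duplicate of a previous packet" in msg:
            sa["duplicates"] += 1
        elif "incrementing error counter" in msg:
            sa["retransmits"] += 1
    return sas

def stalled(sas, threshold=2):  # SAs that keep retransmitting in one phase 1 state
    return {k: v["state"] for k, v in sas.items() if v["retransmits"] >= threshold}
```

An SA that shows an accepted transform and still appears in `stalled` got past policy matching, so the place to look is the exchange after the SA proposal rather than the proposal itself.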