Cisco Support Community
IPSec VPN crypto sa is active but it doesn't work

Hi guys,

My router is a Cisco 2811 with IOS version 12.4(22)T1. It had an IPSec tunnel established with another peer (203.*.*.250, shown below) for a long time, until recently we made it re-establish the IPSec VPN with a different peer (203.*.*.30, shown below). It shows that the new SA is active, but the output still shows 4 deleted SAs. The 4 obsolete SA entries won't vanish no matter what I do, i.e. resetting the interface, re-creating the crypto map, clearing all SAs, etc.

From numerous tests we know that the VPN doesn't work even though the desired SA is there and remains active. I reckon it has something to do with those deleted SAs (I mean it is supposed to show only the last one if it is working fine). I don't know how it came to be like this, as we did pretty much the same thing on other VPN routers with no problems.

[attached screenshot: 1033.jpg]

The relevant configuration is here:

crypto isakmp policy 10
encr 3des
authentication pre-share
group 5
crypto isakmp key 6 r3D4xwwR$m address 203.*.*.30
!
!
crypto ipsec transform-set ESP_3DES_SHA esp-3des esp-sha-hmac
!
crypto map VPN 10 ipsec-isakmp
set peer 203.*.*.30
set transform-set ESP_3DES_SHA
match address 105
!
access-list 105 permit ip 192.168.21.0 0.0.0.255 any

Please help! Thanks!

Regards,

Alex

Accepted Solution

Re: IPSec VPN crypto sa is active but it doesn't work

Alex,

Thanks for confirming back! Have you checked the FW rules to see if UDP port 500 is open on the FortiGate for the peering IP of the 2811?

Sent from Cisco Technical Support iPhone App

20 REPLIES

IPSec VPN crypto sa is active but it doesn't work

By the way, on the other end, the peer (a firewall working as VPN concentrator) of this IPSec VPN indicates that this VPN is up and running.

IPSec VPN crypto sa is active but it doesn't work

hi alex,

kindly post the config of the remote FW/VPN device.

perform a 'clear crypto sa' on your 2811 and try to send a ping from a host on the 192.168.21.0/24 subnet towards a LAN IP on the remote side.

post the output of both 'show crypto isakmp sa' and 'show crypto ipsec sa' from your 2811 afterwards.


IPSec VPN crypto sa is active but it doesn't work

Hi John,

Thanks for your reply. Firstly, the FW/VPN device is a FortiGate which has another 3 similar IPSec tunnels set up with routers at other sites; only this one has a problem after peering with this firewall. I've done what you instructed, please see the output:

router#clear crypto sa
router#ping 192.168.68.88 sour
router#ping 192.168.68.88 source 192.168.21.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.68.88, timeout is 2 seconds:
Packet sent with a source address of 192.168.21.1
.....
Success rate is 0 percent (0/5)
router#sh cryp
router#sh crypto isa
router#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
123.209.169.23  203.*.*.250 MM_NO_STATE          0 ACTIVE (deleted)
123.209.169.23  203.*.*.250 MM_NO_STATE          0 ACTIVE (deleted)
123.209.169.23  203.*.*.250 MM_NO_STATE          0 ACTIVE (deleted)
123.209.169.23  203.*.*.250 MM_NO_STATE          0 ACTIVE (deleted)
123.209.169.23  203.*.*.30   QM_IDLE           1143 ACTIVE

IPv6 Crypto ISAKMP SA

router#sh cryp
router#sh crypto ipsec sa
     PFS (Y/N): Y, DH group: group1
     PFS (Y/N): Y, DH group: group1

interface: Dialer1
    Crypto map tag: VPN, local addr 123.209.169.23

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.21.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 203.*.*.30 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 123.209.169.23, remote crypto endpt.: 203.*.*.30
     path mtu 1500, ip mtu 1500, ip mtu idb Dialer1
     current outbound spi: 0x8DDB100E(2379943950)

     inbound esp sas:
      spi: 0x3861CB(3695051)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 3099, flow_id: NETGX:1099, sibling_flags 80000046, crypto map: VPN
        sa timing: remaining key lifetime (k/sec): (4424991/1773)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x8DDB100E(2379943950)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 3100, flow_id: NETGX:1100, sibling_flags 80000046, crypto map: VPN
        sa timing: remaining key lifetime (k/sec): (4424990/1773)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

interface: Cellular0/3/0
    Crypto map tag: VPN, local addr 123.209.169.23

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.21.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 203.*.*.30 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 123.209.169.23, remote crypto endpt.: 203.*.*.30
     path mtu 1500, ip mtu 1500, ip mtu idb Dialer1
     current outbound spi: 0x8DDB100E(2379943950)

     inbound esp sas:
      spi: 0x3861CB(3695051)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 3099, flow_id: NETGX:1099, sibling_flags 80000046, crypto map: VPN
        sa timing: remaining key lifetime (k/sec): (4424991/1773)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x8DDB100E(2379943950)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 3100, flow_id: NETGX:1100, sibling_flags 80000046, crypto map: VPN
        sa timing: remaining key lifetime (k/sec): (4424990/1773)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

Cheers.
Regards,
Alex
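The two show commands above carry the whole diagnosis if read together: the four MM_NO_STATE rows are phase-1 attempts that never completed (all from the old peer), the QM_IDLE row is a completed phase 1 with the new peer, and the IPsec counters show 5 packets encapsulated but 0 decapsulated, i.e. ESP leaves the router and nothing returns. As an added example, not code from the thread, here is a small Python triage script that parses both outputs and prints exactly those findings. The sample strings are constructed from the output posted above (with the same address redaction), and CONFIGURED_PEERS is taken from the 'set peer' line of the crypto map.

```python
"""Triage 'show crypto isakmp sa' / 'show crypto ipsec sa' output for stale
phase-1 entries and one-way ESP traffic (added example, not from the thread)."""
import re

# Constructed sample output, modelled on the router output posted in the thread,
# with the same address redaction the poster used.
ISAKMP_SA_SAMPLE = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
123.209.169.23  203.*.*.250 MM_NO_STATE          0 ACTIVE (deleted)
123.209.169.23  203.*.*.250 MM_NO_STATE          0 ACTIVE (deleted)
123.209.169.23  203.*.*.250 MM_NO_STATE          0 ACTIVE (deleted)
123.209.169.23  203.*.*.250 MM_NO_STATE          0 ACTIVE (deleted)
123.209.169.23  203.*.*.30   QM_IDLE           1143 ACTIVE

IPv6 Crypto ISAKMP SA
"""

IPSEC_SA_SAMPLE = """\
interface: Dialer1
    Crypto map tag: VPN, local addr 123.209.169.23
   local  ident (addr/mask/prot/port): (192.168.21.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 203.*.*.30 port 500
    #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
     local crypto endpt.: 123.209.169.23, remote crypto endpt.: 203.*.*.30
"""

# Peers the crypto map actually points at ('set peer' in the posted config).
CONFIGURED_PEERS = {"203.*.*.30"}


def parse_isakmp_sa(text):
    """One dict per SA row: dst, src, state, conn_id, status, deleted."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        # Data rows have two address tokens followed by an IKE state name.
        if len(parts) < 5 or not re.match(r"(MM|QM|AG)_", parts[2]):
            continue
        rows.append({"dst": parts[0], "src": parts[1], "state": parts[2],
                     "conn_id": int(parts[3]), "status": parts[4],
                     "deleted": "(deleted)" in line})
    return rows


def parse_ipsec_sa(text):
    """One dict per 'interface:' block: interface, peer, encaps, decaps."""
    blocks, cur = [], None
    for line in text.splitlines():
        m = re.match(r"interface: (\S+)", line)
        if m:
            cur = {"interface": m.group(1), "peer": None, "encaps": 0, "decaps": 0}
            blocks.append(cur)
            continue
        if cur is None:
            continue
        m = re.search(r"current_peer (\S+) port", line)
        if m:
            cur["peer"] = m.group(1)
        m = re.search(r"#pkts encaps: (\d+)", line)
        if m:
            cur["encaps"] = int(m.group(1))
        m = re.search(r"#pkts decaps: (\d+)", line)
        if m:
            cur["decaps"] = int(m.group(1))
    return blocks


def triage(isakmp_text, ipsec_text, configured_peers):
    """Return a list of plain-language findings an operator would act on."""
    findings, stale, live = [], {}, set()
    for row in parse_isakmp_sa(isakmp_text):
        if row["deleted"] or row["state"] == "MM_NO_STATE":
            stale[row["src"]] = stale.get(row["src"], 0) + 1
        elif row["state"] == "QM_IDLE" and row["status"] == "ACTIVE":
            live.add(row["src"])
    for peer, n in sorted(stale.items()):
        scope = "configured peer" if peer in configured_peers else "peer NOT in the crypto map"
        findings.append(f"stale: {n} MM_NO_STATE/deleted phase-1 entries from {peer} ({scope}); "
                        "main mode with that address never completes")
    for peer in sorted(live):
        findings.append(f"ok: phase 1 is complete with {peer} (QM_IDLE, ACTIVE)")
    for blk in parse_ipsec_sa(ipsec_text):
        if blk["encaps"] > 0 and blk["decaps"] == 0:
            findings.append(f"one-way: {blk['interface']} to {blk['peer']} encapsulated "
                            f"{blk['encaps']} packets but decapsulated 0; ESP leaves this router "
                            "and nothing comes back, so check the far side's firewall policy and "
                            "return routing, not this router's SA state")
    return findings


if __name__ == "__main__":
    for finding in triage(ISAKMP_SA_SAMPLE, IPSEC_SA_SAMPLE, CONFIGURED_PEERS):
        print(finding)
```

The script deliberately separates the two symptoms: stale MM_NO_STATE rows from an address that is not in the crypto map are noise from whatever still initiates IKE from that address, while encaps-without-decaps on the live peer is the actual data-plane fault and points at the far end, which is where the accepted answer sends the poster.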

Re: IPSec VPN crypto sa is active but it doesn't work

hi alex,

thanks for the update! could you post the 2811 running-config (remove sensitive info)?

it would be helpful to see the remote device's VPN config (IKE policies) for troubleshooting. VPN errors are most of the time due to config issues. also, when you re-created the VPN on the router, did you issue the command 'crypto isakmp enable' from global config mode?

2811(config)#crypto isakmp enable


IPSec VPN crypto sa is active but it doesn't work

Hi John,

I tried the command crypto isakmp enable but the result of show crypto isakmp sa is still the same. Anyway, I'll post the config here:

router#sh run
Building configuration...

Current configuration : 7439 bytes
!
! Last configuration change at 01:51:52 UTC Tue Jul 17 2012 by alexadmin
! NVRAM config last updated at 10:42:33 UTC Tue Jul 10 2012 by alexadmin
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service internal
service sequence-numbers
!
hostname router
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
!
aaa new-model
!
!
aaa authentication login default group radius local
aaa authentication login console-auth local
aaa authorization exec default group radius local
!
!
aaa session-id common
!
dot11 syslog
ip source-route
!
!
ip cef
!
!
ip host members.dyndns.org 204.*.*.112
ip inspect name myfw tcp
ip inspect name myfw udp
ip inspect name myfw icmp
ip ddns update method cheltddns
HTTP
  add http://*:*@members.dyndns.org/nic/update?hostname=*&myip=*@members.dyndns.org/nic/update?hostname=*&myip=
interval maximum 28 0 0 0
interval minimum 28 0 0 0
!
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
chat-script internet "" "*" TIMEOUT 30 "CONNECT"
!
!
!
!
!
!
!
!
!
!
voice-card 0
!
!
crypto pki trustpoint TP-self-signed-3295771654
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3295771654
revocation-check none
rsakeypair TP-self-signed-3295771654
!
!
crypto pki certificate chain TP-self-signed-3295771654
certificate self-signed 01
  30820245 308201AE A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 33323935 37373136 3534301E 170D3132 30353131 31313132
  33365A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 32393537
  37313635 3430819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100B864 A0926D93 086AE410 F324E1E1 F299BD77 9CACE140 6DE62D06 F79691D6
  19E81F19 3315E0AD 17293593 8626B56B 0EE7D3C8 D4168408 B38C8C60 40BBC6B0
  EAE2115A CE01A332 5187122B 70166FA1 80542BA9 16E1F965 EC30C71C B9E487FE
  9222FDF5 D537AAD2 7E96820C 2081AA73 CF208CC0 69380BE0 73C09F16 5F83A24E
  AF510203 010001A3 6D306B30 0F060355 1D130101 FF040530 030101FF 30180603
  551D1104 11300F82 0D4D454C 312D5352 2D52542D 3032301F 0603551D 23041830
  16801413 C8890547 F3C80863 0DE8A451 BD1560EE 60B0FA30 1D060355 1D0E0416
  041413C8 890547F3 C808630D E8A451BD 1560EE60 B0FA300D 06092A86 4886F70D
  01010405 00038181 008D7ECC B2E9A6B8 5D99C38D E362350C C88A0870 B12ADAB2
  EAA20D30 0F11D749 8338753F 4371858E D31AFC2C 25C51676 4E3C091A BBDB1E74
  64D67D48 A6808E8D DF3CA7DD 7F66BDBD EE96B083 0EC8F92C 1B93F727 7C319A6F
  F26AD911 8C58B3B0 60066AD9 1D24A594 FCC6B783 7CCCD52C B83E946B 7265EB71
  AC00760D D94ED56E 87
        quit
!
!
username root privilege 15 password 7 09601F0D0F55460219
archive
log config
  hidekeys
!
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 5
crypto isakmp key 6 r3D4xwwR$m address 203.*.*.30
!
!
crypto ipsec transform-set ESP_3DES_SHA esp-3des esp-sha-hmac
!
crypto map VPN 10 ipsec-isakmp
set peer 203.*.*.30
set transform-set ESP_3DES_SHA
match address 105
!
!
!
!
track 1 ip sla 1 reachability
delay down 180 up 60
!
track 2 ip sla 2 reachability
delay down 60 up 60
!
!
!
!
interface FastEthernet0/0
ip address 172.28.8.13 255.255.255.0
ip flow egress
duplex full
speed 100
!
interface FastEthernet0/1
bandwidth 2048
ip address 192.168.21.1 255.255.255.0
ip helper-address 192.168.20.3
ip flow egress
ip nat inside
no ip virtual-reassembly
duplex full
speed 100
!
interface ATM0/2/0
no ip address
no atm ilmi-keepalive
dsl bitswap both
pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 2
!
!
interface Cellular0/3/0
no ip address
ip nat outside
ip virtual-reassembly
encapsulation ppp
load-interval 60
dialer in-band
dialer pool-member 1
dialer-group 1
async mode interactive
crypto map VPN
!
interface Dialer1
ip ddns update hostname *.dyndns.org
ip ddns update cheltddns
ip address negotiated
ip flow ingress
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer idle-timeout 0
dialer string internet
dialer persistent
dialer-group 1
ppp chap hostname ""
ppp chap password 7 08630E
crypto map VPN
!
interface Dialer2
description ADSL2+
ip address negotiated
ip access-group 104 in
ip flow egress
ip nat outside
ip inspect myfw out
ip virtual-reassembly
encapsulation ppp
dialer pool 2
dialer idle-timeout 0
dialer persistent
dialer-group 2
ppp chap hostname *@dsl.*
ppp chap password 7 121B0816000A0A0F27
!
router ospf 100
router-id 13.13.13.13
log-adjacency-changes
redistribute connected subnets route-map OSPFRedi
network 172.28.8.0 0.0.0.255 area 0
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1 200
ip route 192.168.68.33 255.255.255.255 Dialer1
ip route 192.168.68.88 255.255.255.255 Dialer1
ip route 203.*.*.30 255.255.255.255 Dialer1
ip route 203.*.*.250 255.255.255.255 Dialer1
ip route 204.13.248.112 255.255.255.255 Dialer1
ip http server
ip http authentication aaa login-authentication default
ip http secure-server
!
ip flow-cache timeout inactive 250
ip flow-export source FastEthernet0/1
ip flow-export version 5
ip flow-export destination 192.168.66.130 9996
!
ip nat inside source list 103 interface Dialer1 overload
!
ip radius source-interface FastEthernet0/1
ip sla 2
icmp-echo 8.8.8.8 source-interface Dialer2
timeout 1500
frequency 5
ip sla schedule 2 life forever start-time now
logging facility local5
access-list 5 permit 192.168.21.0 0.0.0.255
access-list 101 deny   ip 192.168.20.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 101 deny   ip 192.168.20.0 0.0.0.255 172.28.1.0 0.0.0.15
access-list 101 deny   ip 192.168.20.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 101 permit ip 192.168.20.0 0.0.0.255 any
access-list 102 permit ip 192.168.20.0 0.0.0.255 any
access-list 103 deny   ip 192.168.21.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 103 deny   ip 192.168.21.0 0.0.0.255 172.28.0.0 0.0.255.255
access-list 103 deny   ip 192.168.21.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 103 permit ip 192.168.21.0 0.0.0.255 any
access-list 104 deny   tcp any any
access-list 104 deny   udp any any
access-list 104 permit icmp any any echo
access-list 104 permit icmp any any echo-reply
access-list 104 permit icmp any any time-exceeded
access-list 104 permit icmp any any packet-too-big
access-list 104 permit icmp any any traceroute
access-list 104 permit icmp any any unreachable
access-list 105 permit ip 192.168.21.0 0.0.0.255 any
dialer-list 1 protocol ip permit
snmp-server community GraysPriv RO 20
snmp-server ifindex persist
snmp-server host 192.168.66.130 version 2c GraysPriv
!
!
!
!
route-map OSPFRedi permit 10
match ip address 5
!
!
!
radius-server host 192.168.66.2 auth-port 1645 acct-port 1646 key 7 107A214A3743161E0551
!
control-plane
!
!
!
voice-port 0/0/0
!
voice-port 0/0/1
!
voice-port 0/0/2
!
voice-port 0/0/3
!
ccm-manager fax protocol cisco
!
mgcp fax t38 ecm
!
!
!
!
!
!
line con 0
login authentication console-auth
line aux 0
line 0/3/0
exec-timeout 0 0
script dialer internet
no exec
transport input all
rxspeed 3600000
txspeed 384000
line vty 0 4
exec-timeout 0 0
!
scheduler allocate 20000 1000
ntp server 192.168.66.2
end

Thanks very much!

Regards,
Alex

New Member

IPSec VPN crypto sa is active but it doesn't work

And a portion of the debuging message of debug crypto isakmp is here:

641068: Jul 17 01:01:02.352: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 203.*.*.250)

641069: Jul 17 01:01:02.352: ISAKMP: Unlocking peer struct 0x4A0A1934 for isadb_mark_sa_deleted(), count 0

641070: Jul 17 01:01:02.352: ISAKMP: Deleting peer node by peer_reap for 203.*.*.250: 4A0A1934

641071: Jul 17 01:01:02.356: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL

641072: Jul 17 01:01:02.356: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_DEST_SA

641073: Jul 17 01:01:02.356: ISAKMP:(0):purging SA., sa=49CDF344, delme=49CDF344

641074: Jul 17 01:01:02.356: ISAKMP:(0):deleting SA reason "No reason" state (R) MM_NO_STATE (peer 203.*.*.250)

641075: Jul 17 01:01:02.356: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_ERROR

641076: Jul 17 01:01:02.356: ISAKMP:(0):Old State = IKE_DEST_SA  New State = IKE_DEST_SA

641077: Jul 17 01:01:05.920: ISAKMP:(1143):purging node 1283483346

641078: Jul 17 01:01:06.488: ISAKMP (1143): received packet from 203.*.*.30 dport 500 sport 500 Global (R) QM_IDLE

641079: Jul 17 01:01:06.488: ISAKMP: set new node -809730676 to QM_IDLE

641080: Jul 17 01:01:06.488: ISAKMP:(1143): processing HASH payload. message ID = -809730676

641081: Jul 17 01:01:06.488: ISAKMP:(1143): processing NOTIFY DPD/R_U_THERE protocol 1

        spi 0, message ID = -809730676, sa = 4A10A708

641082: Jul 17 01:01:06.488: ISAKMP:(1143):deleting node -809730676 error FALSE reason "Informational (in) state 1"

641083: Jul 17 01:01:06.488: ISAKMP:(1143):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY

641084: Jul 17 01:01:06.488: ISAKMP:(1143):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

641085: Jul 17 01:01:06.492: ISAKMP:(1143):DPD/R_U_THERE received from peer 203.*.*.30, sequence 0x1879E

641086: Jul 17 01:01:06.492: ISAKMP: set new node 640495429 to QM_IDLE

641087: Jul 17 01:01:06.492: ISAKMP:(1143):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1

        spi 1211805536, message ID = 640495429

641088: Jul 17 01:01:06.492: ISAKMP:(1143): seq. no 0x1879E

641089: Jul 17 01:01:06.492: ISAKMP:(1143): sending packet to 203.*.*.30 my_port 500 peer_port 500 (R) QM_IDLE

641090: Jul 17 01:01:06.492: ISAKMP:(1143):Sending an IKE IPv4 Packet.

641091: Jul 17 01:01:06.492: ISAKMP:(1143):purging node 640495429

641092: Jul 17 01:01:06.492: ISAKMP:(1143):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE

641093: Jul 17 01:01:06.492: ISAKMP:(1143):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

641094: Jul 17 01:01:08.380: ISAKMP (0): received packet from 203.*.*.250 dport 500 sport 500 Global (R) MM_NO_STATE

641095: Jul 17 01:01:11.460: ISAKMP:(1143):purging node -1289646938

641096: Jul 17 01:01:12.181: ISAKMP (1143): received packet from 203.*.*.30 dport 500 sport 500 Global (R) QM_IDLE

641097: Jul 17 01:01:12.181: ISAKMP: set new node 438076132 to QM_IDLE

641098: Jul 17 01:01:12.181: ISAKMP:(1143): processing HASH payload. message ID = 438076132

641099: Jul 17 01:01:12.181: ISAKMP:(1143): processing NOTIFY DPD/R_U_THERE protocol 1

        spi 0, message ID = 438076132, sa = 4A10A708

641100: Jul 17 01:01:12.181: ISAKMP:(1143):deleting node 438076132 error FALSE reason "Informational (in) state 1"

641101: Jul 17 01:01:12.181: ISAKMP:(1143):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY

641102: Jul 17 01:01:12.181: ISAKMP:(1143):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

641103: Jul 17 01:01:12.185: ISAKMP:(1143):DPD/R_U_THERE received from peer 203.*.*.30, sequence 0x1879F

641104: Jul 17 01:01:12.185: ISAKMP: set new node -846002752 to QM_IDLE

641105: Jul 17 01:01:12.185: ISAKMP:(1143):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1

        spi 1211805536, message ID = -846002752

641106: Jul 17 01:01:12.185: ISAKMP:(1143): seq. no 0x1879F

641107: Jul 17 01:01:12.185: ISAKMP:(1143): sending packet to 203.*.*.30 my_port 500 peer_port 500 (R) QM_IDLE

641108: Jul 17 01:01:12.185: ISAKMP:(1143):Sending an IKE IPv4 Packet.

641109: Jul 17 01:01:12.185: ISAKMP:(1143):purging node -846002752

641110: Jul 17 01:01:12.189: ISAKMP:(1143):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE

641111: Jul 17 01:01:12.189: ISAKMP:(1143):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

no d

641112: Jul 17 01:01:17.013: ISAKMP:(1143):purging node -730203910

641113: Jul 17 01:01:17.357: ISAKMP:(0):purging SA., sa=4A2D442C, delme=4A2D442C

641114: Jul 17 01:01:17.409: ISAKMP (0): received packet from 203.*.*.250 dport 500 sport 500 Global (N) NEW SA

641115: Jul 17 01:01:17.409: ISAKMP: Created a peer struct for 203.*.*.250, peer port 500

641116: Jul 17 01:01:17.409: ISAKMP: New peer created peer = 0x4A0AE4DC peer_handle = 0x80013F42

641117: Jul 17 01:01:17.409: ISAKMP: Locking peer struct 0x4A0AE4DC, refcount 1 for crypto_isakmp_process_block

641118: Jul 17 01:01:17.409: ISAKMP: local port 500, remote port 500

641119: Jul 17 01:01:17.409: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 4A2D442C

641120: Jul 17 01:01:17.409: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

641121: Jul 17 01:01:17.409: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_MM1

641122: Jul 17 01:01:17.413: ISAKMP:(0): processing SA payload. message ID = 0

641123: Jul 17 01:01:17.413: ISAKMP:(0): processing vendor id payload

641124: Jul 17 01:01:17.413: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch

641125: Jul 17 01:01:17.413: ISAKMP (0): vendor ID is NAT-T RFC 3947

641126: Jul 17 01:01:17.413: ISAKMP:(0): processing vendor id payload

641127: Jul 17 01:01:17.413: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch

641128: Jul 17 01:01:17.413: ISAKMP:(0): vendor ID is NAT-T v3

641129: Jul 17 01:01:17.413: ISAKMP:(0): processing vendor id payload

641130: Jul 17 01:01:17.413: ISAKMP:(0): vendor ID seems Unity/DPD but major 164 mismatch

641131: Jul 17 01:01:17.413: ISAKMP:(0): processing vendor id payload

641132: Jul 17 01:01:17.413: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch

641133: Jul 17 01:01:17.413: ISAKMP:(0): vendor ID is NAT-T v2

641134: Jul 17 01:01:17.413: ISAKMP:(0): processing vendor id payload

641135: Jul 17 01:01:17.413: ISAKMP:(0): vendor ID seems Unity/DPD but major 168 mismatch

641136: Jul 17 01:01:17.413: ISAKMP:(0): processing vendor id payload

641137: Jul 17 01:01:17.413: ISAKMP:(0): vendor ID seems Unity/DPD but major 221 mismatch

641138: Jul 17 01:01:17.413: ISAKMP:(0): processing vendor id payload

641139: Jul 17 01:01:17.413: ISAKMP:(0): vendor ID is DPD

641140: Jul 17 01:01:17.413: ISAKMP:(0): processing vendor id payload

641141: Jul 17 01:01:17.413: ISAKMP:(0): vendor ID seems Unity/DPD but major 2 mismatch

641142: Jul 17 01:01:17.413: ISAKMP:(0):No pre-shared key with 203.*.*.250!

641143: Jul 17 01:01:17.413: ISAKMP : Scanning profiles for xauth ...

641144: Jul 17 01:01:17.413: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy

641145: Jul 17 01:01:17.413: ISAKMP:      life type in seconds

641146: Jul 17 01:01:17.413: ISAKMP:      life duration (basic) of 28800

641147: Jul 17 01:01:17.413: ISAKMP:      encryption 3DES-CBC

641148: Jul 17 01:01:17.413: ISAKMP:      auth pre-share

641149: Jul 17 01:01:17.413: ISAKMP:      hash SHA

641150: Jul 17 01:01:17.413: ISAKMP:      default group 5

641151: Jul 17 01:01:17.413: ISAKMP:(0):Preshared authentication offered but does not match policy!

641152: Jul 17 01:01:17.417: ISAKMP:(0):atts are not acceptable. Next payload is 0

641153: Jul 17 01:01:17.417: ISAKMP:(0):no offers accepted!

641154: Jul 17 01:01:17.417: ISAKMP:(0): phase 1 SA policy not acceptable! (local 123.209.169.23 remote 203.*.*.250)

641155: Jul 17 01:01:17.417: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: construct_fail_ag_init

641156: Jul 17 01:01:17.417: ISAKMP:(0): Failed to construct AG informational message.

641157: Jul 17 01:01:17.417: ISAKMP:(0): sending packet to 203.*.*.250 my_port 500 peer_port 500 (R) MM_NO_STATE

641158: Jul 17 01:01:17.417: ISAKMP:(0):Sending an IKE IPv4 Packet.

641159: Jul 17 01:01:17.417: ISAKMP:(0):peer does not do paranoid keepalives.

641160: Jul 17 01:01:17.417: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 203.*.*.250)

641161: Jul 17 01:01:17.417: ISAKMP:(0): processing vendor id payload

641162: Jul 17 01:01:17.417: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch

641163: Jul 17 01:01:17.417: ISAKMP (0): vendor ID is NAT-T RFC 3947

641164: Jul 17 01:01:17.417: ISAKMP:(0): processing vendor id payload

641165: Jul 17 01:01:17.417: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch

641166: Jul 17 01:01:17.417: ISAKMP:(0): vendor ID is NAT-T v3

641167: Jul 17 01:01:17.417: ISAKMP:(0): processing vendor id payload

641168: Jul 17 01:01:17.417: ISAKMP:(0): vendor ID seems Unity/DPD but major 164 mismatch

641169: Jul 17 01:01:17.417: ISAKMP:(0): processing vendor id payload

641170: Jul 17 01:01:17.417: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch

641171: Jul 17 01:01:17.417: ISAKMP:(0): vendor ID is NAT-T v2

641172: Jul 17 01:01:17.417: ISAKMP:(0): processing vendor id payload

641173: Jul 17 01:01:17.417: ISAKMP:(0): vendor ID seems Unity/DPD but major 168 mismatch

641174: Jul 17 01:01:17.421: ISAKMP:(0): processing vendor id payload

641175: Jul 17 01:01:17.421: ISAKMP:(0): vendor ID seems Unity/DPD but major 221 mismatch

641176: Jul 17 01:01:17.421: ISAKMP:(0): processing vendor id payload

641177: Jul 17 01:01:17.421: ISAKMP:(0): vendor ID is DPD

641178: Jul 17 01:01:17.421: ISAKMP:(0): processing vendor id payload

641179: Jul 17 01:01:17.421: ISAKMP:(0): vendor ID seems Unity/DPD but major 2 mismatch

641180: Jul 17 01:01:17.421: ISAKMP (0): FSM action returned error: 2

641181: Jul 17 01:01:17.421: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

641182: Jul 17 01:01:17.421: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM1

641183: Jul 17 01:01:17.421: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 203.*.*.250)

641184: Jul 17 01:01:17.421: ISAKMP: Unlocking peer struct 0x4A0AE4DC for isadb_mark_sa_deleted(), count 0

641185: Jul 17 01:01:17.421: ISAKMP: Deleting peer node by peer_reap for 203.*.*.250: 4A0AE4DC

641186: Jul 17 01:01:17.421: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL

641187: Jul 17 01:01:17.421: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_DEST_SA

641188: Jul 17 01:01:17.425: ISAKMP:(0):deleting SA reason "No reason" state (R) MM_NO_STATE (peer 203.*.*.250)

641189: Jul 17 01:01:17.425: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_ERROR

641190: Jul 17 01:01:17.425: ISAKMP:(0):Old State = IKE_DEST_SA  New State = IKE_DEST_SA

641191: Jul 17 01:01:17.829: ISAKMP (1143): received packet from 203.*.*.30 dport 500 sport 500 Global (R) QM_IDLE

641192: Jul 17 01:01:17.829: ISAKMP: set new node -2063194255 to QM_IDLE

641193: Jul 17 01:01:17.829: ISAKMP:(1143): processing HASH payload. message ID = -2063194255

641194: Jul 17 01:01:17.829: ISAKMP:(1143): processing NOTIFY DPD/R_U_THERE protocol 1

        spi 0, message ID = -2063194255, sa = 4A10A708

641195: Jul 17 01:01:17.829: ISAKMP:(1143):deleting node -2063194255 error FALSE reason "Informational (in) state 1"

641196: Jul 17 01:01:17.829: ISAKMP:(1143):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY

641197: Jul 17 01:01:17.829: ISAKMP:(1143):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

641198: Jul 17 01:01:17.829: ISAKMP:(1143):DPD/R_U_THERE received from peer 203.*.*.30, sequence 0x187A0

641199: Jul 17 01:01:17.833: ISAKMP: set new node -2050772453 to QM_IDLE

641200: Jul 17 01:01:17.833: ISAKMP:(1143):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1

        spi 1211805536, message ID = -2050772453

641201: Jul 17 01:01:17.833: ISAKMP:(1143): seq. no 0x187A0

Sandringham_VPLS#no debug crypto

641202: Jul 17 01:01:17.833: ISAKMP:(1143): sending packet to 203.*.*.30 my_port 500 peer_port 500 (R) QM_IDLE

641203: Jul 17 01:01:17.833: ISAKMP:(1143):Sending an IKE IPv4 Packet.

641204: Jul 17 01:01:17.833: ISAKMP:(1143):purging node -2050772453

641205: Jul 17 01:01:17.833: ISAKMP:(1143):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE

641206: Jul 17 01:01:17.833: ISAKMP:(1143):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

IPSec VPN crypto sa is active but it doesn't work

hi alex,

Based on your debugs, I noticed 203.*.*.250 is still trying to establish IKE phase 1 with the remote peer but was rejected.

641068: Jul 17 01:01:02.352: ISAKMP:(0):deleting SA reason "Phase1 SA  policy proposal not accepted" state (R) MM_NO_STATE (peer 203.*.*.250)

On the other hand, the new 203.*.*.30 has successfully established IKE phase 1.

IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

Could you retest your VPN connectivity, run 'debug crypto ipsec' (for IKE phase 2) and post the output here? I would appreciate it if you could also post the relevant VPN config from your FW/VPN device as well.

New Member

IPSec VPN crypto sa is active but it doesn't work

Hi John,

Thanks for your reply. I've reset the interface and the debugging result is here:

router(config-if)#do debug crypto ipsec

Crypto IPSEC debugging is on

router(config-if)#no shut

router(config-if)#end

router#

641220: Jul 17 02:45:15.233: %LINK-3-UPDOWN: Interface Dialer1, changed state to up

641221: Jul 17 02:45:16.381: %SYS-5-CONFIG_I: Configured from console by alexadmin on vty0 (192.168.66.233)

641222: Jul 17 02:45:16.481: %LINK-3-UPDOWN: Interface Cellular0/3/0, changed state to up

641223: Jul 17 02:45:16.481: %DIALER-6-BIND: Interface Ce0/3/0 bound to profile Di1

641224: Jul 17 02:45:17.497: %LINEPROTO-5-UPDOWN: Line protocol on Interface Cellular0/3/0, changed state to up

641225: Jul 17 02:45:19.265: IPSEC(recalculate_mtu): reset sadb_root 49B5E178 mtu to 1500

641226: Jul 17 02:46:32.099: IPSEC(key_engine): got a queue event with 1 KMI message(s)

641227: Jul 17 02:46:34.247: IPSEC(validate_proposal_request): proposal part #1

641228: Jul 17 02:46:34.247: IPSEC(validate_proposal_request): proposal part #1,

  (key eng. msg.) INBOUND local= 123.209.60.106, remote= 203.*.*.250,

    local_proxy= 192.168.21.0/255.255.255.0/0/0 (type=4),

    remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),

    protocol= ESP, transform= NONE  (Tunnel),

    lifedur= 0s and 0kb,

    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0

641229: Jul 17 02:46:34.247: IPSEC(ipsec_process_proposal): proxy identities not supported

641230: Jul 17 02:46:34.419: IPSEC(key_engine): got a queue event with 1 KMI message(s)

641231: Jul 17 02:46:36.159: IPSEC(validate_proposal_request): proposal part #1

641232: Jul 17 02:46:36.159: IPSEC(validate_proposal_request): proposal part #1,

  (key eng. msg.) INBOUND local= 123.209.60.106, remote= 203.*.*.30,

    local_proxy= 192.168.21.0/255.255.255.0/0/0 (type=4),

    remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),

    protocol= ESP, transform= NONE  (Tunnel),

    lifedur= 0s and 0kb,

    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0

641233: Jul 17 02:46:36.159: IPSEC(ipsec_process_proposal): proxy identities not supported

641234: Jul 17 02:47:36.868: IPSEC(key_engine): got a queue event with 1 KMI message(s)

641235: Jul 17 02:47:38.172: IPSEC(key_engine): got a queue event with 1 KMI message(s)

641236: Jul 17 02:47:38.860: IPSEC(key_engine): got a queue event with 1 KMI message(s)

641237: Jul 17 02:47:39.196: IPSEC(validate_proposal_request): proposal part #1

641238: Jul 17 02:47:39.196: IPSEC(validate_proposal_request): proposal part #1,

  (key eng. msg.) INBOUND local= 123.209.60.106, remote= 203.*.*.250,

    local_proxy= 192.168.21.0/255.255.255.0/0/0 (type=4),

    remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),

    protocol= ESP, transform= NONE  (Tunnel),

    lifedur= 0s and 0kb,

    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0

641239: Jul 17 02:47:39.196: IPSEC(ipsec_process_proposal): proxy identities not supported

641240: Jul 17 02:47:41.168: IPSEC(validate_proposal_request): proposal part #1

641241: Jul 17 02:47:41.168: IPSEC(validate_proposal_request): proposal part #1,

  (key eng. msg.) INBOUND local= 123.209.60.106, remote= 203.*.*.30,

    local_proxy= 192.168.21.0/255.255.255.0/0/0 (type=4),

    remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),

    protocol= ESP, transform= NONE  (Tunnel),

    lifedur= 0s and 0kb,

    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0

641242: Jul 17 02:47:41.168: IPSEC(ipsec_process_proposal): proxy identities not supported

641243: Jul 17 02:48:41.202: IPSEC(key_engine): got a queue event with 1 KMI message(s)

641244: Jul 17 02:48:41.890: IPSEC(key_engine): got a queue event with 1 KMI message(s)

641245: Jul 17 02:48:43.170: IPSEC(key_engine): got a queue event with 1 KMI message(s)

641246: Jul 17 02:48:43.858: IPSEC(key_engine): got a queue event with 1 KMI message(s)

641247: Jul 17 02:48:44.210: IPSEC(validate_proposal_request): proposal part #1

641248: Jul 17 02:48:44.210: IPSEC(validate_proposal_request): proposal part #1,

  (key eng. msg.) INBOUND local= 123.209.60.106, remote= 203.*.*.250,

    local_proxy= 192.168.21.0/255.255.255.0/0/0 (type=4),

    remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),

    protocol= ESP, transform= NONE  (Tunnel),

    lifedur= 0s and 0kb,

    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0

641249: Jul 17 02:48:44.210: IPSEC(ipsec_process_proposal): proxy identities not supported

641250: Jul 17 02:48:46.170: IPSEC(validate_proposal_request): proposal part #1

641251: Jul 17 02:48:46.170: IPSEC(validate_proposal_request): proposal part #1,

  (key eng. msg.) INBOUND local= 123.209.60.106, remote= 203.*.*.30,

    local_proxy= 192.168.21.0/255.255.255.0/0/0 (type=4),

    remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),

    protocol= ESP, transform= NONE  (Tunnel),

    lifedur= 0s and 0kb,

    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0

641252: Jul 17 02:48:46.170: IPSEC(ipsec_process_proposal): proxy identities not supported

On the other hand, I'll post the screenshot of the VPN config in the next reply.

New Member

IPSec VPN crypto sa is active but it doesn't work

on the firewall configuration of phase 1

phase 2

regards,

Alex

IPSec VPN crypto sa is active but it doesn't work

alex,

Thanks for the debug output and FortiGate config screenshot. Observing the debug output, it appears an ACL (for IPsec traffic) could be your issue.

641242: Jul 17 02:47:41.168: IPSEC(ipsec_process_proposal): proxy identities not supported

Could you reconfigure your device ACLs as below:

2811:

no access-list 105

access-list 105 permit ip 192.168.21.0 0.0.0.255 192.168.68.0 0.0.0.255

FORTIGATE:

edit phase 2 > source address: 192.168.68.0/24
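The mirror-image requirement in the reply above can be checked mechanically before touching either box. The script below is an added example for this thread, not Cisco or Fortinet code: it parses the 'permit ip' lines of an IOS crypto ACL (converting wildcard masks by hand, because Python's ipaddress module reads 0.0.0.0 as a /0 netmask rather than the /32 that a 0.0.0.0 wildcard means in IOS) and compares them with the FortiGate phase-2 selectors, which are typed in as (source, destination) subnets since nothing here talks to a device. ACL 105 and ACL 106 are the two ACLs from this thread; the FortiGate selectors are the ones suggested above.

```python
"""Mirror-image check of an IOS crypto ACL against the peer's phase-2 selectors.

Added example for this thread, not Cisco or Fortinet code. IOS ACL lines are
pasted as text; the FortiGate selectors are typed by hand as (source,
destination) subnet strings, because nothing here talks to a device.
"""
import ipaddress


def wildcard_to_prefixlen(wildcard: str) -> int:
    """Convert an IOS wildcard mask (inverted netmask) to a prefix length.

    Done by hand rather than through ipaddress's hostmask parsing, because
    ipaddress reads "0.0.0.0" as a /0 netmask, not the /32 that a wildcard
    of 0.0.0.0 means in IOS.
    """
    mask = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    bits = f"{mask:032b}"
    if "01" in bits:  # set bits must be contiguous from the top
        raise ValueError(f"non-contiguous wildcard mask {wildcard}")
    return bits.count("1")


def _take_selector(toks):
    """Consume one address spec (any | host A | A WILDCARD); return (network, rest)."""
    if toks[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), toks[1:]
    if toks[0] == "host":
        return ipaddress.ip_network(f"{toks[1]}/32"), toks[2:]
    plen = wildcard_to_prefixlen(toks[1])
    return ipaddress.ip_network(f"{toks[0]}/{plen}", strict=False), toks[2:]


def parse_crypto_acl(text: str):
    """Return [(src_net, dst_net)] for every 'access-list N permit ip ...' line."""
    entries = []
    for line in text.splitlines():
        toks = line.split()
        if len(toks) < 6 or toks[0] != "access-list" or toks[2:4] != ["permit", "ip"]:
            continue  # deny lines, remarks and non-IP entries are not selectors
        src, rest = _take_selector(toks[4:])
        dst, _ = _take_selector(rest)
        entries.append((src, dst))
    return entries


def mirror_findings(ios_acl_text: str, peer_selectors):
    """Compare IOS permit entries with the peer's (src, dst) selectors.

    Selectors are given from the peer's own point of view, so the mirror of
    an IOS (src, dst) entry is the peer's (dst, src). Returns human-readable
    findings; an empty list means every entry on both sides has an exact mirror.
    """
    ios = set(parse_crypto_acl(ios_acl_text))
    peer = {(ipaddress.ip_network(s), ipaddress.ip_network(d)) for s, d in peer_selectors}
    findings = []
    for src, dst in sorted(ios, key=str):
        if (dst, src) not in peer:
            findings.append(f"IOS {src} -> {dst} has no mirror on the peer")
    for src, dst in sorted(peer, key=str):
        if (dst, src) not in ios:
            findings.append(f"peer {src} -> {dst} has no mirror on IOS")
    return findings


# Constructed inputs: ACL 105 as originally configured in this thread, ACL 106
# as it was replaced later, and the FortiGate phase-2 selectors suggested above.
ACL_105 = "access-list 105 permit ip 192.168.21.0 0.0.0.255 any"
ACL_106 = "access-list 106 permit ip 192.168.21.0 0.0.0.255 192.168.68.0 0.0.0.255"
FGT_PHASE2 = [("192.168.68.0/24", "192.168.21.0/24")]

if __name__ == "__main__":
    for name, acl in (("ACL 105", ACL_105), ("ACL 106", ACL_106)):
        print(name, mirror_findings(acl, FGT_PHASE2) or ["exact mirror, OK"])
```

With the original ACL 105 the check reports two findings (the 'any' on the IOS side has no counterpart in the FortiGate selector, and the FortiGate's 192.168.68.0/24 -> 192.168.21.0/24 has no mirror on IOS); with ACL 106 it reports none, which is the state the later posts in this thread reach.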

New Member

IPSec VPN crypto sa is active but it doesn't work

Hi John,

I'll try your suggestion and see how it goes. However I have to let you know that the ACL setup is the same way we setup for the other VPN routers to this firewall. Anyway, I'll see how it goes to narrow down the possibilities.


Regards,
Alex

New Member

IPSec VPN crypto sa is active but it doesn't work

Hi John,

I tried your suggestion but with no luck:

crypto map VPN 10 ipsec-isakmp

set peer 203.176.96.30

set transform-set ESP_3DES_SHA

match address 106

I created a new ACL 106 and its definition followed yours:

access-list 106 permit ip 192.168.21.0 0.0.0.255 192.168.68.0 0.0.0.255

and I changed the phase 2 configuration on the firewall to suit the ACL change as well. The VPN is up but I just can't use ping to justify that!

#ping 192.168.68.33 source 192.168.21.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.68.33, timeout is 2 seconds:
Packet sent with a source address of 192.168.21.1
.
642975: Jul 17 06:08:35.517: IPSEC(key_engine): got a queue event with 1 KMI message(s)....
Success rate is 0 percent (0/5)
Sandringham_VPLS#

Cheers.

Regards,
Alex

IPSec VPN crypto sa is active but it doesn't work

hi alex,

Could you perform a ping test from a host or PC on the 192.168.21.0/24 network? Post again the output of:

show crypto isakmp sa

show crypto ipsec sa

debug crypto isakmp

debug crypto ipsec

New Member

IPSec VPN crypto sa is active but it doesn't work

sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
123.209.60.106  203.*.*.250 MM_NO_STATE          0 ACTIVE (deleted)
123.209.60.106  203.*.*.250 MM_NO_STATE          0 ACTIVE (deleted)
123.209.60.106  203.*.*.250 MM_NO_STATE          0 ACTIVE (deleted)
123.209.60.106  203.*.*.250 MM_NO_STATE          0 ACTIVE (deleted)
123.209.60.106  203.*.*.30   QM_IDLE           1473 ACTIVE

#sh crypto ipsec sa
     PFS (Y/N): Y, DH group: group1
     PFS (Y/N): N, DH group: none

interface: Dialer1
    Crypto map tag: VPN, local addr 123.209.60.106

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.21.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.68.0/255.255.255.0/0/0)
   current_peer 203.*.*.30 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 81, #pkts encrypt: 81, #pkts digest: 81
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 123.209.60.106, remote crypto endpt.: 203.*.*.30
     path mtu 1500, ip mtu 1500, ip mtu idb Dialer1
     current outbound spi: 0x8DDB10D2(2379944146)

     inbound esp sas:
      spi: 0xED59B319(3982078745)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 3113, flow_id: NETGX:1113, sibling_flags 80000046, crypto map: VPN
        sa timing: remaining key lifetime (k/sec): (4571804/258)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x8DDB10D2(2379944146)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 3114, flow_id: NETGX:1114, sibling_flags 80000046, crypto map: VPN
        sa timing: remaining key lifetime (k/sec): (4571800/258)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

interface: Cellular0/3/0
    Crypto map tag: VPN, local addr 0.0.0.0

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.21.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.68.0/255.255.255.0/0/0)
   current_peer 203.*.*.30 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 0.0.0.0, remote crypto endpt.: 203.*.*.30
     path mtu 1500, ip mtu 1500, ip mtu idb Cellular0/3/0
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:


I'll post the debugging information in another reply. Thanks!


Regards,
Alex
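The 'show crypto ipsec sa' output above already answers whether the tunnel passes traffic: on Dialer1, 81 packets were encapsulated and 0 decapsulated, so the router is sending ESP to the peer and getting nothing back, while the Cellular0/3/0 instance of the same crypto map (local addr 0.0.0.0) holds no SAs at all. The script below is an added example, not Cisco tooling, that parses this output into one record per interface and classifies each one; SAMPLE is a trimmed, constructed copy of the output above with the masked peer written as the documentation address 203.0.113.30. The hints in the findings are the usual next checks, not a conclusion the thread itself reaches.

```python
"""Triage of 'show crypto ipsec sa': which interface carries the SAs and
whether traffic flows both ways.

Added example, not Cisco tooling. SAMPLE is a constructed, trimmed copy of
the output posted in this thread, with the masked peer written as 203.0.113.30.
"""
import re

COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")
ERRORS_RE = re.compile(r"#send errors (\d+), #recv errors (\d+)")
LOCAL_IDENT_RE = re.compile(r"local\s+ident")


def parse_ipsec_sa(text):
    """Return one record per 'interface:' block: idents, peer, counters, SA count."""
    blocks, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface:"):
            cur = {"interface": line.split(":", 1)[1].strip(), "local_addr": None,
                   "peer": None, "local_ident": None, "remote_ident": None,
                   "encaps": 0, "decaps": 0, "send_errors": 0, "recv_errors": 0,
                   "esp_sas": 0}
            blocks.append(cur)
        elif cur is None:
            continue
        elif line.startswith("Crypto map tag:"):
            cur["local_addr"] = line.rsplit("local addr", 1)[1].strip()
        elif LOCAL_IDENT_RE.match(line):
            cur["local_ident"] = line.split(":", 1)[1].strip()
        elif line.startswith("remote ident"):
            cur["remote_ident"] = line.split(":", 1)[1].strip()
        elif line.startswith("current_peer"):
            cur["peer"] = line.split()[1]
        elif line.startswith("spi: 0x"):  # one such line per installed inbound/outbound SA
            cur["esp_sas"] += 1
        else:
            m = COUNTER_RE.search(line)
            if m:
                cur[m.group(1)] = int(m.group(2))
            m = ERRORS_RE.search(line)
            if m:
                cur["send_errors"], cur["recv_errors"] = int(m.group(1)), int(m.group(2))
    return blocks


def classify(block):
    """Traffic verdict for one interface block."""
    if block["esp_sas"] == 0:
        return "no-sa"
    if block["encaps"] and not block["decaps"]:
        return "one-way-out"
    if block["decaps"] and not block["encaps"]:
        return "one-way-in"
    if block["encaps"] and block["decaps"]:
        return "bidirectional"
    return "idle"


def findings(blocks):
    """Human-readable findings per interface; the hints are the usual next checks."""
    out = []
    for b in blocks:
        verdict = classify(b)
        if verdict == "no-sa":
            out.append(f"{b['interface']}: crypto map bound with local addr {b['local_addr']} "
                       f"but no SAs installed; this is not the interface carrying the tunnel")
        elif verdict == "one-way-out":
            out.append(f"{b['interface']}: {b['encaps']} packets encrypted towards {b['peer']} "
                       f"for {b['local_ident']} -> {b['remote_ident']}, 0 decrypted: nothing "
                       f"returns, so check the peer's policy and route for the reverse "
                       f"selector and that ESP from the peer reaches this router")
        elif verdict == "one-way-in":
            out.append(f"{b['interface']}: receiving only; local traffic is not matching "
                       f"the crypto ACL or is routed elsewhere")
        if b["recv_errors"] or b["send_errors"]:
            out.append(f"{b['interface']}: send/recv errors {b['send_errors']}/"
                       f"{b['recv_errors']}; inspect with 'show crypto ipsec sa detail'")
    return out


# Constructed sample: trimmed from the output posted above, peer masked as 203.0.113.30.
SAMPLE = """\
interface: Dialer1
    Crypto map tag: VPN, local addr 123.209.60.106

   local  ident (addr/mask/prot/port): (192.168.21.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.68.0/255.255.255.0/0/0)
   current_peer 203.0.113.30 port 500
    #pkts encaps: 81, #pkts encrypt: 81, #pkts digest: 81
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 0, #recv errors 0
     current outbound spi: 0x8DDB10D2(2379944146)
     inbound esp sas:
      spi: 0xED59B319(3982078745)
        Status: ACTIVE
     outbound esp sas:
      spi: 0x8DDB10D2(2379944146)
        Status: ACTIVE

interface: Cellular0/3/0
    Crypto map tag: VPN, local addr 0.0.0.0

   local  ident (addr/mask/prot/port): (192.168.21.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.68.0/255.255.255.0/0/0)
   current_peer 203.0.113.30 port 500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 0, #recv errors 0
     current outbound spi: 0x0(0)
     inbound esp sas:
     outbound esp sas:
"""

if __name__ == "__main__":
    for f in findings(parse_ipsec_sa(SAMPLE)):
        print(f)
```

Paste the full command output in place of SAMPLE; the encaps/decaps pair is the single most useful thing in it, because an SA can be ACTIVE on both sides while only one direction ever carries packets.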

New Member

Re: IPSec VPN crypto sa is active but it doesn't work

Hi John,

Here is a portion of the debugging info:

643931: Jul 17 06:41:06.744: ISAKMP:(0): vendor ID is NAT-T v2
643932: Jul 17 06:41:06.744: ISAKMP:(0): processing vendor id payload
643933: Jul 17 06:41:06.744: ISAKMP:(0): vendor ID seems Unity/DPD but major 168 mismatch
643934: Jul 17 06:41:06.744: ISAKMP:(0): processing vendor id payload
643935: Jul 17 06:41:06.744: ISAKMP:(0): vendor ID seems Unity/DPD but major 221 mismatch
643936: Jul 17 06:41:06.744: ISAKMP:(0): processing vendor id payload
643937: Jul 17 06:41:06.744: ISAKMP:(0): vendor ID is DPD
643938: Jul 17 06:41:06.744: ISAKMP:(0): processing vendor id payload
643939: Jul 17 06:41:06.744: ISAKMP:(0): vendor ID seems Unity/DPD but major 2 mismatch
643940: Jul 17 06:41:06.744: ISAKMP:(0):No pre-shared key with 203.*.*.250!
643941: Jul 17 06:41:06.744: ISAKMP : Scanning profiles for xauth ...
643942: Jul 17 06:41:06.744: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
643943: Jul 17 06:41:06.744: ISAKMP:      life type in seconds
643944: Jul 17 06:41:06.744: ISAKMP:      life duration (basic) of 28800
643945: Jul 17 06:41:06.744: ISAKMP:      encryption 3DES-CBC
643946: Jul 17 06:41:06.744: ISAKMP:      auth pre-share
643947: Jul 17 06:41:06.744: ISAKMP:      hash SHA
643948: Jul 17 06:41:06.744: ISAKMP:      default group 5
643949: Jul 17 06:41:06.744: ISAKMP:(0):Preshared authentication offered but does not match policy!
643950: Jul 17 06:41:06.744: ISAKMP:(0):atts are not acceptable. Next payload is 0
643951: Jul 17 06:41:06.744: ISAKMP:(0):no offers accepted!
643952: Jul 17 06:41:06.744: ISAKMP:(0): phase 1 SA policy not acceptable! (local 123.209.60.106 remote 203.*.*.250)
643953: Jul 17 06:41:06.748: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: construct_fail_ag_init
643954: Jul 17 06:41:06.748: ISAKMP:(0): Failed to construct AG informational message.
643955: Jul 17 06:41:06.748: ISAKMP:(0): sending packet to 203.*.*.250 my_port 500 peer_port 500 (R) MM_NO_STATE
643956: Jul 17 06:41:06.748: ISAKMP:(0):Sending an IKE IPv4 Packet.
643957: Jul 17 06:41:06.748: ISAKMP:(0):peer does not do paranoid keepalives.

643958: Jul 17 06:41:06.748: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 203.*.*.250)
643959: Jul 17 06:41:06.748: ISAKMP:(0): processing vendor id payload
643960: Jul 17 06:41:06.748: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
643961: Jul 17 06:41:06.748: ISAKMP (0): vendor ID is NAT-T RFC 3947
643962: Jul 17 06:41:06.748: ISAKMP:(0): processing vendor id payload
643963: Jul 17 06:41:06.748: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
643964: Jul 17 06:41:06.748: ISAKMP:(0): vendor ID is NAT-T v3
643965: Jul 17 06:41:06.748: ISAKMP:(0): processing vendor id payload
643966: Jul 17 06:41:06.748: ISAKMP:(0): vendor ID seems Unity/DPD but major 164 mismatch
643967: Jul 17 06:41:06.748: ISAKMP:(0): processing vendor id payload
643968: Jul 17 06:41:06.748: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
643969: Jul 17 06:41:06.748: ISAKMP:(0): vendor ID is NAT-T v2
643970: Jul 17 06:41:06.748: ISAKMP:(0): processing vendor id payload
643971: Jul 17 06:41:06.748: ISAKMP:(0): vendor ID seems Unity/DPD but major 168 mismatch
643972: Jul 17 06:41:06.748: ISAKMP:(0): processing vendor id payload
643973: Jul 17 06:41:06.748: ISAKMP:(0): vendor ID seems Unity/DPD but major 221 mismatch
643974: Jul 17 06:41:06.748: ISAKMP:(0): processing vendor id payload
643975: Jul 17 06:41:06.748: ISAKMP:(0): vendor ID is DPD
643976: Jul 17 06:41:06.752: ISAKMP:(0): processing vendor id payload
643977: Jul 17 06:41:06.752: ISAKMP:(0): vendor ID seems Unity/DPD but major 2 mismatch
643978: Jul 17 06:41:06.752: ISAKMP (0): FSM action returned error: 2
643979: Jul 17 06:41:06.752: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
643980: Jul 17 06:41:06.752: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM1

643981: Jul 17 06:41:06.752: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 203.*.*.250)
643982: Jul 17 06:41:06.752: ISAKMP: Unlocking peer struct 0x4A0AE4DC for isadb_mark_sa_deleted(), count 0
643983: Jul 17 06:41:06.752: ISAKMP: Deleting peer node by peer_reap for 203.*.*.250: 4A0AE4DC
643984: Jul 17 06:41:06.752: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
643985: Jul 17 06:41:06.752: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_DEST_SA

643986: Jul 17 06:41:06.752: IPSEC(key_engine): got a queue event with 1 KMI message(s)
643987: Jul 17 06:41:06.756: ISAKMP:(0):deleting SA reason "No reason" state (R) MM_NO_STATE (peer 203.*.*.250)
643988: Jul 17 06:41:06.756: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_ERROR
643989: Jul 17 06:41:06.756: ISAKMP:(0):Old State = IKE_DEST_SA  New State = IKE_DEST_SA

643990: Jul 17 06:41:06.784: ISAKMP:(0):purging SA., sa=49C04424, delme=49C04424
643991: Jul 17 06:41:11.032: ISAKMP:(1473):purging node -67900904
643992: Jul 17 06:41:12.308: ISAKMP (1473): received packet from 203.*.*.30 dport 500 sport 500 Global (R) QM_IDLE
643993: Jul 17 06:41:12.308: ISAKMP: set new node -969740779 to QM_IDLE
643994: Jul 17 06:41:12.308: ISAKMP:(1473): processing HASH payload. message ID = -969740779
643995: Jul 17 06:41:12.308: ISAKMP:(1473): processing NOTIFY DPD/R_U_THERE protocol 1
        spi 0, message ID = -969740779, sa = 497A0AEC
643996: Jul 17 06:41:12.308: ISAKMP:(1473):deleting node -969740779 error FALSE reason "Informational (in) state 1"
643997: Jul 17 06:41:12.308: ISAKMP:(1473):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
643998: Jul 17 06:41:12.308: ISAKMP:(1473):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

643999: Jul 17 06:41:12.312: ISAKMP:(1473):DPD/R_U_THERE received from peer 203.*.*.30, sequence 0x195C0
644000: Jul 17 06:41:12.312: ISAKMP: set new node 2127039641 to QM_IDLE
644001: Jul 17 06:41:12.312: ISAKMP:(1473):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
        spi 1211805536, message ID = 2127039641
644002: Jul 17 06:41:12.312: ISAKMP:(1473): seq. no 0x195C0
644003: Jul 17 06:41:12.312: ISAKMP:(1473): sending packet to 203.*.*.30 my_port 500 peer_port 500 (R) QM_IDLE
644004: Jul 17 06:41:12.312: ISAKMP:(1473):Sending an IKE IPv4 Packet.
644005: Jul 17 06:41:12.312: ISAKMP:(1473):purging node 2127039641
644006: Jul 17 06:41:12.312: ISAKMP:(1473):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
644007: Jul 17 06:41:12.312: ISAKMP:(1473):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

644008: Jul 17 06:41:12.748: ISAKMP (0): received packet from 203.*.*.250 dport 500 sport 500 Global (R) MM_NO_STATE
644009: Jul 17 06:41:16.672: ISAKMP:(1473):purging node 82586520
644010: Jul 17 06:41:18.176: ISAKMP (1473): received packet from 203.*.*.30 dport 500 sport 500 Global (R) QM_IDLE
644011: Jul 17 06:41:18.176: ISAKMP: set new node -761462733 to QM_IDLE
644012: Jul 17 06:41:18.180: ISAKMP:(1473): processing HASH payload. message ID = -761462733
644013: Jul 17 06:41:18.180: ISAKMP:(1473): processing NOTIFY DPD/R_U_THERE protocol 1
        spi 0, message ID = -761462733, sa = 497A0AEC
644014: Jul 17 06:41:18.180: ISAKMP:(1473):deleting node -761462733 error FALSE reason "Informational (in) state 1"
644015: Jul 17 06:41:18.180: ISAKMP:(1473):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
644016: Jul 17 06:41:18.180: ISAKMP:(1473):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

644017: Jul 17 06:41:18.180: ISAKMP:(1473):DPD/R_U_THERE received from peer 203.*.*.30, sequence 0x195C1
644018: Jul 17 06:41:18.180: ISAKMP: set new node 1872903738 to QM_IDLE
644019: Jul 17 06:41:18.180: ISAKMP:(1473):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
        spi 1211805536, message ID = 1872903738
644020: Jul 17 06:41:18.180: ISAKMP:(1473): seq. no 0x195C1
644021: Jul 17 06:41:18.180: ISAKMP:(1473): sending packet to 203.*.*.30 my_port 500 peer_port 500 (R) QM_IDLE
644022: Jul 17 06:41:18.180: ISAKMP:(1473):Sending an IKE IPv4 Packet.
644023: Jul 17 06:41:18.184: ISAKMP:(1473):purging node 1872903738
644024: Jul 17 06:41:18.184: ISAKMP:(1473):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
644025: Jul 17 06:41:18.184: ISAKMP:(1473):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

644026: Jul 17 06:41:21.736: ISAKMP (0): received packet from 203.*.*.250 dport 500 sport 500 Global (N) NEW SA
644027: Jul 17 06:41:21.736: ISAKMP: Created a peer struct for 203.*.*.250, peer port 500
644028: Jul 17 06:41:21.736: ISAKMP: New peer created peer = 0x49B1167C peer_handle = 0x800206BC
644029: Jul 17 06:41:21.740: ISAKMP: Locking peer struct 0x49B1167C, refcount 1 for crypto_isakmp_process_block
644030: Jul 17 06:41:21.740: ISAKMP: local port 500, remote port 500
644031: Jul 17 06:41:21.740: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 49D03C1C
644032: Jul 17 06:41:21.740: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
644033: Jul 17 06:41:21.740: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_MM1

644034: Jul 17 06:41:21.740: ISAKMP:(0): processing SA payload. message ID = 0
644035: Jul 17 06:41:21.740: ISAKMP:(0): processing vendor id payload
644036: Jul 17 06:41:21.740: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
644037: Jul 17 06:41:21.740: ISAKMP (0): vendor ID is NAT-T RFC 3947
644038: Jul 17 06:41:21.740: ISAKMP:(0): processing vendor id payload
644039: Jul 17 06:41:21.740: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
644040: Jul 17 06:41:21.740: ISAKMP:(0): vendor ID is NAT-T v3
644041: Jul 17 06:41:21.740: ISAKMP:(0): processing vendor id payload
644042: Jul 17 06:41:21.740: ISAKMP:(0): vendor ID seems Unity/DPD but major 164 mismatch
644043: Jul 17 06:41:21.740: ISAKMP:(0): processing vendor id payload
644044: Jul 17 06:41:21.740: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
644045: Jul 17 06:41:21.740: ISAKMP:(0): vendor ID is NAT-T v2
644046: Jul 17 06:41:21.740: ISAKMP:(0): processing vendor id payload
644047: Jul 17 06:41:21.744: ISAKMP:(0): vendor ID seems Unity/DPD but major 168 mismatch
644048: Jul 17 06:41:21.744: ISAKMP:(0): processing vendor id payload
644049: Jul 17 06:41:21.744: ISAKMP:(0): vendor ID seems Unity/DPD but major 221 mismatch
644050: Jul 17 06:41:21.744: ISAKMP:(0): processing vendor id payload
644051: Jul 17 06:41:21.744: ISAKMP:(0): vendor ID is DPD
644052: Jul 17 06:41:21.744: ISAKMP:(0): processing vendor id payload
644053: Jul 17 06:41:21.744: ISAKMP:(0): vendor ID seems Unity/DPD but major 2 mismatch
644054: Jul 17 06:41:21.744: ISAKMP:(0):No pre-shared key with 203.*.*.250!
644055: Jul 17 06:41:21.744: ISAKMP : Scanning profiles for xauth ...
644056: Jul 17 06:41:21.744: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
644057: Jul 17 06:41:21.744: ISAKMP:      life type in seconds
644058: Jul 17 06:41:21.744: ISAKMP:      life duration (basic) of 28800
644059: Jul 17 06:41:21.744: ISAKMP:      encryption 3DES-CBC
644060: Jul 17 06:41:21.744: ISAKMP:      auth pre-share
644061: Jul 17 06:41:21.744: ISAKMP:      hash SHA
644062: Jul 17 06:41:21.744: ISAKMP:      default group 5
644063: Jul 17 06:41:21.744: ISAKMP:(0):Preshared authentication offered but does not match policy!
644064: Jul 17 06:41:21.744: ISAKMP:(0):atts are not acceptable. Next payload is 0
644065: Jul 17 06:41:21.744: ISAKMP:(0):no offers accepted!
644066: Jul 17 06:41:21.744: ISAKMP:(0): phase 1 SA policy not acceptable! (local 123.209.60.106 remote 203.*.*.250)
644067: Jul 17 06:41:21.744: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: construct_fail_ag_init
644068: Jul 17 06:41:21.744: ISAKMP:(0): Failed to construct AG informational message.
644069: Jul 17 06:41:21.744: ISAKMP:(0): sending packet to 203.*.*.250 my_port 500 peer_port 500 (R) MM_NO_STATE
644070: Jul 17 06:41:21.744: ISAKMP:(0):Sending an IKE IPv4 Packet.
644071: Jul 17 06:41:21.744: ISAKMP:(0):peer does not do paranoid keepalives.

644072: Jul 17 06:41:21.744: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 203.*.*.250)
644073: Jul 17 06:41:21.748: ISAKMP:(0): processing vendor id payload
644074: Jul 17 06:41:21.748: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
644075: Jul 17 06:41:21.748: ISAKMP (0): vendor ID is NAT-T RFC 3947
644076: Jul 17 06:41:21.748: ISAKMP:(0): processing vendor id payload
644077: Jul 17 06:41:21.748: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
644078: Jul 17 06:41:21.748: ISAKMP:(0): vendor ID is NAT-T v3
644079: Jul 17 06:41:21.748: ISAKMP:(0): processing vendor id payload
644080: Jul 17 06:41:21.748: ISAKMP:(0): vendor ID seems Unity/DPD but major 164 mismatch
644081: Jul 17 06:41:21.748: ISAKMP:(0): processing vendor id payload
644082: Jul 17 06:41:21.748: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
644083: Jul 17 06:41:21.748: ISAKMP:(0): vendor ID is NAT-T v2
644084: Jul 17 06:41:21.748: ISAKMP:(0): processing vendor id payload
644085: Jul 17 06:41:21.748: ISAKMP:(0): vendor ID seems Unity/DPD but major 168 mismatch
644086: Jul 17 06:41:21.748: ISAKMP:(0): processing vendor id payload
644087: Jul 17 06:41:21.748: ISAKMP:(0): vendor ID seems Unity/DPD but major 221 mismatch
644088: Jul 17 06:41:21.748: ISAKMP:(0): processing vendor id payload
644089: Jul 17 06:41:21.748: ISAKMP:(0): vendor ID is DPD
644090: Jul 17 06:41:21.748: ISAKMP:(0): processing vendor id payload
644091: Jul 17 06:41:21.748: ISAKMP:(0): vendor ID seems Unity/DPD but major 2 mismatch
644092: Jul 17 06:41:21.748: ISAKMP (0): FSM action returned error: 2
644093: Jul 17 06:41:21.748: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
644094: Jul 17 06:41:21.748: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM1

644095: Jul 17 06:41:21.748: ISAKMP:(0):purging SA., sa=49C4D2D4, delme=49C4D2D4
644096: Jul 17 06:41:21.752: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 203.*.*.250)
644097: Jul 17 06:41:21.752: ISAKMP: Unlocking peer struct 0x49B1167C for isadb_mark_sa_deleted(), count 0
644098: Jul 17 06:41:21.752: ISAKMP: Deleting peer node by peer_reap for 203.*.*.250: 49B1167C
644099: Jul 17 06:41:21.752: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
644100: Jul 17 06:41:21.752: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_DEST_SA

644101: Jul 17 06:41:21.752: IPSEC(key_engine): got a queue event with 1 KMI message(s)
644102: Jul 17 06:41:21.752: ISAKMP:(0):deleting SA reason "No reason" state (R) MM_NO_STATE (peer 203.*.*.250)
644103: Jul 17 06:41:21.752: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_ERROR
644104: Jul 17 06:41:21.752: ISAKMP:(0):Old State = IKE_DEST_SA  New State = IKE_DEST_SA

644105: Jul 17 06:41:22.312: ISAKMP:(1473):purging node 547235705
644106: Jul 17 06:41:23.916: ISAKMP (1473): received packet from 203.*.*.30 dport 500 sport 500 Global (R) QM_IDLE
644107: Jul 17 06:41:23.916: ISAKMP: set new node -949489298 to QM_IDLE
644108: Jul 17 06:41:23.920: ISAKMP:(1473): processing HASH payload. message ID = -949489298
644109: Jul 17 06:41:23.920: ISAKMP:(1473): processing NOTIFY DPD/R_U_THERE protocol 1
        spi 0, message ID = -949489298, sa = 497A0AEC
644110: Jul 17 06:41:23.920: ISAKMP:(1473):deleting node -949489298 error FALSE reason "Informational (in) state 1"
644111: Jul 17 06:41:23.920: ISAKMP:(1473):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
644112: Jul 17 06:41:23.920: ISAKMP:(1473):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

644113: Jul 17 06:41:23.920: ISAKMP:(1473):DPD/R_U_THERE received from peer 203.*.*.30, sequence 0x195C2
644114: Jul 17 06:41:23.920: ISAKMP: set new node -741730227 to QM_IDLE
644115: Jul 17 06:41:23.920: ISAKMP:(1473):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
        spi 1211805536, message ID = -741730227
644116: Jul 17 06:41:23.920: ISAKMP:(1473): seq. no 0x195C2
644117: Jul 17 06:41:23.920: ISAKMP:(1473): sending packet to 203.*.*.30 my_port 500 peer_port 500 (R) QM_IDLE
644118: Jul 17 06:41:23.920: ISAKMP:(1473):Sending an IKE IPv4 Packet.n
644119: Jul 17 06:41:23.924: ISAKMP:(1473):purging node -741730227
644120: Jul 17 06:41:23.924: ISAKMP:(1473):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
644121: Jul 17 06:41:23.924: ISAKMP:(1473):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

Thanks for that.

Regards,

Alex

Re: IPSec VPN crypto sa is active but it doesn't work

Alex,

Could you verify again if the peer IP addresses were configured correctly on both devices?

On your 2811, your local (dialer) IP address is 123.209.60.106 and the remote peer (Fortigate) is 203.176.96.30, but the show crypto isakmp sa output is showing the reverse.

sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst                        src             state                           conn-id status
123.209.60.106  203.*.*.250  MM_NO_STATE          0 ACTIVE (deleted)
123.209.60.106  203.*.*.250  MM_NO_STATE          0 ACTIVE (deleted)
123.209.60.106  203.*.*.250  MM_NO_STATE          0 ACTIVE (deleted)
123.209.60.106  203.*.*.250  MM_NO_STATE          0 ACTIVE (deleted)
123.209.60.106  203.*.*.30   QM_IDLE                    1473 ACTIVE

#sh crypto ipsec sa
     PFS (Y/N): Y, DH group: group1
     PFS (Y/N): N, DH group: none

interface: Dialer1
    Crypto map tag: VPN, local addr 123.209.60.106    <<<

   protected vrf: (none)

   local  ident (addr/mask/prot/port): (192.168.21.0/255.255.255.0/0/0)

   remote ident (addr/mask/prot/port): (192.168.68.0/255.255.255.0/0/0)

   current_peer 203.*.*.30 port 500     <<<

New Member

Re: IPSec VPN crypto sa is active but it doesn't work

Hi John,

I am pretty sure the IP addresses are correct. When I issue the command show crypto session, the result looks like this.

# sh crypto session
Crypto session current status

Interface: Cellular0/3/0
Session status: DOWN
Peer: 203.*.*.30 port 500
  IPSEC FLOW: permit ip 192.168.21.0/255.255.255.0 192.168.68.0/255.255.255.0
        Active SAs: 0, origin: crypto map

Interface: Dialer1
Session status: UP-ACTIVE
Peer: 203.*.*.30 port 500
  IKE SA: local 123.209.60.106/500 remote 203.*.*.30/500 Active
  IPSEC FLOW: permit ip 192.168.21.0/255.255.255.0 192.168.68.0/255.255.255.0
        Active SAs: 2, origin: crypto map

Interface: Dialer1
Session status: DOWN-NEGOTIATING
Peer: 203.*.*.250 port 500
  IKE SA: local 123.209.60.106/500 remote 203.*.*.250/500 Inactive
  IKE SA: local 123.209.60.106/500 remote 203.*.*.250/500 Inactive
  IKE SA: local 123.209.60.106/500 remote 203.*.*.250/500 Inactive

Does this ring a bell?


Regards,

Alex
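An added triage helper, not from this thread and not Cisco code: it parses the `show crypto isakmp sa` rows and the `debug crypto isakmp` "deleting SA" lines quoted above, flags peers whose only SAs are deleted MM_NO_STATE remnants, and tallies per peer why SAs were torn down. Sample inputs are constructed from the thread's output, with the masked octets kept as `*`.

```python
import re
from collections import defaultdict

# Constructed sample, shaped like the 'show crypto isakmp sa' output in the thread.
ISAKMP_SA = """\
IPv4 Crypto ISAKMP SA
dst             src             state           conn-id status
123.209.60.106  203.*.*.250     MM_NO_STATE     0 ACTIVE (deleted)
123.209.60.106  203.*.*.250     MM_NO_STATE     0 ACTIVE (deleted)
123.209.60.106  203.*.*.250     MM_NO_STATE     0 ACTIVE (deleted)
123.209.60.106  203.*.*.250     MM_NO_STATE     0 ACTIVE (deleted)
123.209.60.106  203.*.*.30      QM_IDLE         1473 ACTIVE
"""

# Constructed sample of 'debug crypto isakmp' lines, shaped like the thread's.
DEBUG = """\
644096: Jul 17 06:41:21.752: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 203.*.*.250)
644102: Jul 17 06:41:21.752: ISAKMP:(0):deleting SA reason "No reason" state (R) MM_NO_STATE (peer 203.*.*.250)
644113: Jul 17 06:41:23.920: ISAKMP:(1473):DPD/R_U_THERE received from peer 203.*.*.30, sequence 0x195C2
"""

ADDR = r"[\d*]+(?:\.[\d*]+){3}"  # IPv4, allowing the '*' the poster used to mask octets
SA_ROW = re.compile(rf"^({ADDR})\s+({ADDR})\s+(\S+)\s+(\d+)\s+(\S+)(?:\s+\((\w+)\))?\s*$")
DEL_REASON = re.compile(rf'deleting SA reason "([^"]+)".*\(peer ({ADDR})\)')

def parse_isakmp_sa(text):
    """Return one dict per SA row: dst, src, state, conn_id, status, deleted."""
    rows = []
    for line in text.splitlines():
        m = SA_ROW.match(line.strip())
        if m:
            dst, src, state, conn_id, status, flag = m.groups()
            rows.append({"dst": dst, "src": src, "state": state, "conn_id": int(conn_id),
                         "status": status, "deleted": flag == "deleted"})
    return rows

def summarize_peers(rows):
    """Group SAs by remote peer (the src column on a responder). A peer is 'stale'
    unless it owns at least one non-deleted QM_IDLE SA, i.e. a completed Phase 1."""
    per_peer = defaultdict(list)
    for r in rows:
        per_peer[r["src"]].append(r)
    return {peer: {"sa_count": len(sas),
                   "deleted": sum(s["deleted"] for s in sas),
                   "stale": not any(s["state"] == "QM_IDLE" and not s["deleted"] for s in sas)}
            for peer, sas in per_peer.items()}

def delete_reasons(debug_text):
    """Count 'deleting SA reason' lines per peer. A repeated 'Phase1 SA policy proposal
    not accepted' for the old peer means it is still initiating IKE and being rejected,
    which is what keeps producing the deleted MM_NO_STATE rows."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in debug_text.splitlines():
        m = DEL_REASON.search(line)
        if m:
            counts[m.group(2)][m.group(1)] += 1
    return {peer: dict(c) for peer, c in counts.items()}
```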

Re: IPSec VPN crypto sa is active but it doesn't work

Alex,

Thanks for confirming back! Have you checked the FW rules if UDP port 500 is open in the fortigate for the peering IP on the 2811?

Sent from Cisco Technical Support iPhone App

New Member

Re: IPSec VPN crypto sa is active but it doesn't work

Hi John,

It turned out that the firewall had a policy which contained an incorrect subnet (where the router is). It is now fixed. Thank you very much for your help!


Regards,

Alex

Re: IPSec VPN crypto sa is active but it doesn't work

Alex,

I'm glad your issue is already fixed. Please help rate useful posts and mark the thread as resolved. Thanks!

Sent from Cisco Technical Support iPhone App
