Crypto ISAKMP debugging is on
frontgate3#debug cry ipsec
Crypto IPSEC debugging is on
frontgate3#
001273: *Sep 11 16:02:11.369 PCTime: %APPFW-3-HTTP_MAX_REQ_EXCEED: Maximum of 10 unanswered HTTP requests exceeded from 192.168.1.209:3526 to 192.206.150.187:80
001274: *Sep 11 16:02:11.965 PCTime: %APPFW-3-HTTP_MAX_REQ_EXCEED: Maximum of 10 unanswered HTTP requests exceeded from 192.168.1.209:3528 to 192.206.150.187:80
001275: *Sep 11 16:02:34.333 PCTime: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 67.69.27.154, remote= 64.37.198.169,
    local_proxy= 67.69.27.154/255.255.255.255/0/0 (type=1),
    remote_proxy= 64.37.249.63/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= NONE (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
001276: *Sep 11 16:02:34.333 PCTime: ISAKMP:(0): SA request profile is (NULL)
001277: *Sep 11 16:02:34.333 PCTime: ISAKMP: Created a peer struct for 64.37.198.169, peer port 500
001278: *Sep 11 16:02:34.333 PCTime: ISAKMP: New peer created peer = 0x84F147F8 peer_handle = 0x80000006
001279: *Sep 11 16:02:34.333 PCTime: ISAKMP: Locking peer struct 0x84F147F8, ref count 1 for isakmp_initiator
001280: *Sep 11 16:02:34.333 PCTime: ISAKMP:(0):Setting client config settings 8508C3F4
001281: *Sep 11 16:02:34.333 PCTime: ISAKMP: local port 500, remote port 500
001282: *Sep 11 16:02:34.333 PCTime: ISAKMP: set new node 0 to QM_IDLE
001283: *Sep 11 16:02:34.333 PCTime: insert sa successfully sa = 83CF37F4
001284: *Sep 11 16:02:34.333 PCTime: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
001285: *Sep 11 16:02:34.333 PCTime: ISAKMP:(0):found peer pre-shared key matching 64.37.198.169
001286: *Sep 11 16:02:34.337 PCTime: ISAKMP:(0): constructed NAT-T vendor-07 ID
001287: *Sep 11 16:02:34.337 PCTime: ISAKMP:(0): constructed NAT-T vendor-03 ID
001288: *Sep 11 16:02:34.337 PCTime: ISAKMP:(0): constructed NAT-T vendor-02 ID
001289: *Sep 11 16:02:34.337 PCTime: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
001290: *Sep 11 16:02:34.337 PCTime: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
001291: *Sep 11 16:02:34.337 PCTime: ISAKMP:(0): beginning Main Mode exchange
001292: *Sep 11 16:02:34.337 PCTime: ISAKMP:(0): sending packet to 64.37.198.169 my_port 500 peer_port 500 (I) MM_NO_STATE
001293: *Sep 11 16:02:34.417 PCTime: ISAKMP (0:0): received packet from 64.37.198.169 dport 500 sport 500 Global (I) MM_NO_STATE
001294: *Sep 11 16:02:34.417 PCTime: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
001295: *Sep 11 16:02:34.417 PCTime: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2
001296: *Sep 11 16:02:34.421 PCTime: ISAKMP:(0): processing SA payload. message ID = 0
001297: *Sep 11 16:02:34.421 PCTime: ISAKMP:(0):found peer pre-shared key matching 64.37.198.169
001298: *Sep 11 16:02:34.421 PCTime: ISAKMP:(0): local preshared key found
001299: *Sep 11 16:02:34.421 PCTime: ISAKMP : Scanning profiles for xauth ...
001300: *Sep 11 16:02:34.421 PCTime: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
001301: *Sep 11 16:02:34.421 PCTime: ISAKMP: encryption 3DES-CBC
001302: *Sep 11 16:02:34.421 PCTime: ISAKMP: hash MD5
001303: *Sep 11 16:02:34.421 PCTime: ISAKMP: default group 2
001304: *Sep 11 16:02:34.421 PCTime: ISAKMP: auth pre-share
001305: *Sep 11 16:02:34.421 PCTime: ISAKMP: life type in seconds
001306: *Sep 11 16:02:34.421 PCTime: ISAKMP: life duration (basic) of 3600
001307: *Sep 11 16:02:34.421 PCTime: ISAKMP:(0):Hash algorithm offered does not match policy!
001308: *Sep 11 16:02:34.421 PCTime: ISAKMP:(0):atts are not acceptable. Next payload is 0
001309: *Sep 11 16:02:34.421 PCTime: ISAKMP:(0):Checking ISAKMP transform 1 against priority 2 policy
001310: *Sep 11 16:02:34.421 PCTime: ISAKMP: encryption 3DES-CBC
001311: *Sep 11 16:02:34.421 PCTime: ISAKMP: hash MD5
001312: *Sep 11 16:02:34.421 PCTime: ISAKMP: default group 2
001313: *Sep 11 16:02:34.421 PCTime: ISAKMP: auth pre-share
001314: *Sep 11 16:02:34.421 PCTime: ISAKMP: life type in seconds
001315: *Sep 11 16:02:34.421 PCTime: ISAKMP: life duration (basic) of 3600
001316: *Sep 11 16:02:34.421 PCTime: ISAKMP:(0):Diffie-Hellman group offered does not match policy!
001317: *Sep 11 16:02:34.421 PCTime: ISAKMP:(0):atts are not acceptable. Next payload is 0
001318: *Sep 11 16:02:34.421 PCTime: ISAKMP:(0):Checking ISAKMP transform 1 against priority 3 policy
001319: *Sep 11 16:02:34.421 PCTime: ISAKMP: encryption 3DES-CBC
001320: *Sep 11 16:02:34.421 PCTime: ISAKMP: hash MD5
001321: *Sep 11 16:02:34.421 PCTime: ISAKMP: default group 2
001322: *Sep 11 16:02:34.421 PCTime: ISAKMP: auth pre-share
001323: *Sep 11 16:02:34.421 PCTime: ISAKMP: life type in seconds
001324: *Sep 11 16:02:34.421 PCTime: ISAKMP: life duration (basic) of 3600
001325: *Sep 11 16:02:34.421 PCTime: ISAKMP:(0):atts are acceptable. Next payload is 0
001326: *Sep 11 16:02:34.421 PCTime: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
001327: *Sep 11 16:02:34.421 PCTime: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2
001328: *Sep 11 16:02:34.421 PCTime: ISAKMP:(0): sending packet to 64.37.198.169 my_port 500 peer_port 500 (I) MM_SA_SETUP
001329: *Sep 11 16:02:34.421 PCTime: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
001330: *Sep 11 16:02:34.421 PCTime: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3
001331: *Sep 11 16:02:34.505 PCTime: ISAKMP (0:0): received packet from 64.37.198.169 dport 500 sport 500 Global (I) MM_SA_SETUP
001332: *Sep 11 16:02:34.505 PCTime: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
001333: *Sep 11 16:02:34.505 PCTime: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4
001334: *Sep 11 16:02:34.505 PCTime: ISAKMP:(0): processing KE payload. message ID = 0
001335: *Sep 11 16:02:34.509 PCTime: ISAKMP:(0): processing NONCE payload. message ID = 0
001336: *Sep 11 16:02:34.509 PCTime: ISAKMP:(0):found peer pre-shared key matching 64.37.198.169
001337: *Sep 11 16:02:34.509 PCTime: ISAKMP:(2005): processing vendor id payload
001338: *Sep 11 16:02:34.509 PCTime: ISAKMP:(2005): vendor ID is Unity
001339: *Sep 11 16:02:34.509 PCTime: ISAKMP:(2005): processing vendor id payload
001340: *Sep 11 16:02:34.513 PCTime: ISAKMP:(2005): vendor ID is DPD
001341: *Sep 11 16:02:34.513 PCTime: ISAKMP:(2005): processing vendor id payload
001342: *Sep 11 16:02:34.513 PCTime: ISAKMP:(2005): speaking to another IOS box!
001343: *Sep 11 16:02:34.513 PCTime: ISAKMP:(2005):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
001344: *Sep 11 16:02:34.513 PCTime: ISAKMP:(2005):Old State = IKE_I_MM4 New State = IKE_I_MM4
001345: *Sep 11 16:02:34.513 PCTime: ISAKMP:(2005):Send initial contact
001346: *Sep 11 16:02:34.513 PCTime: ISAKMP:(2005):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
001347: *Sep 11 16:02:34.513 PCTime: ISAKMP (0:2005): ID payload
        next-payload : 8
        type         : 1
        address      : 67.69.27.154
        protocol     : 17
        port         : 500
        length       : 12
001348: *Sep 11 16:02:34.513 PCTime: ISAKMP:(2005):Total payload length: 12
001349: *Sep 11 16:02:34.513 PCTime: ISAKMP:(2005): sending packet to 64.37.198.169 my_port 500 peer_port 500 (I) MM_KEY_EXCH
001350: *Sep 11 16:02:34.513 PCTime: ISAKMP:(2005):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
001351: *Sep 11 16:02:34.513 PCTime: ISAKMP:(2005):Old State = IKE_I_MM4 New State = IKE_I_MM5
001352: *Sep 11 16:02:34.589 PCTime: ISAKMP (0:2005): received packet from 64.37.198.169 dport 500 sport 500 Global (I) MM_KEY_EXCH
001353: *Sep 11 16:02:34.589 PCTime: ISAKMP:(2005): processing ID payload. message ID = 0
001354: *Sep 11 16:02:34.589 PCTime: ISAKMP (0:2005): ID payload
        next-payload : 8
        type         : 1
        address      : 64.37.198.169
        protocol     : 17
        port         : 500
        length       : 12
001355: *Sep 11 16:02:34.589 PCTime: ISAKMP:(0):: peer matches *none* of the profiles
001356: *Sep 11 16:02:34.589 PCTime: ISAKMP:(2005): processing HASH payload. message ID = 0
001357: *Sep 11 16:02:34.589 PCTime: ISAKMP:(2005):SA authentication status: authenticated
001358: *Sep 11 16:02:34.589 PCTime: ISAKMP:(2005):SA has been authenticated with 64.37.198.169
001359: *Sep 11 16:02:34.589 PCTime: ISAKMP: Trying to insert a peer 67.69.27.154/64.37.198.169/500/, and inserted successfully 84F147F8.
001360: *Sep 11 16:02:34.589 PCTime: ISAKMP:(2005):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
001361: *Sep 11 16:02:34.589 PCTime: ISAKMP:(2005):Old State = IKE_I_MM5 New State = IKE_I_MM6
001362: *Sep 11 16:02:34.589 PCTime: ISAKMP:(2005):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
001363: *Sep 11 16:02:34.589 PCTime: ISAKMP:(2005):Old State = IKE_I_MM6 New State = IKE_I_MM6
001364: *Sep 11 16:02:34.589 PCTime: ISAKMP:(2005):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
001365: *Sep 11 16:02:34.589 PCTime: ISAKMP:(2005):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
001366: *Sep 11 16:02:34.589 PCTime: ISAKMP:(2005):beginning Quick Mode exchange, M-ID of -1097553167
001367: *Sep 11 16:02:34.589 PCTime: ISAKMP:(2005):QM Initiator gets spi
001368: *Sep 11 16:02:34.589 PCTime: ISAKMP:(2005): sending packet to 64.37.198.169 my_port 500 peer_port 500 (I) QM_IDLE
001369: *Sep 11 16:02:34.593 PCTime: ISAKMP:(2005):Node -1097553167, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
001370: *Sep 11 16:02:34.593 PCTime: ISAKMP:(2005):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
001371: *Sep 11 16:02:34.593 PCTime: ISAKMP:(2005):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
001372: *Sep 11 16:02:34.593 PCTime: ISAKMP:(2005):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
001373: *Sep 11 16:02:34.921 PCTime: ISAKMP (0:2005): received packet from 64.37.198.169 dport 500 sport 500 Global (I) QM_IDLE
001374: *Sep 11 16:02:34.921 PCTime: ISAKMP:(2005): processing HASH payload. message ID = -1097553167
001375: *Sep 11 16:02:34.921 PCTime: ISAKMP:(2005): processing SA payload. message ID = -1097553167
001376: *Sep 11 16:02:34.921 PCTime: ISAKMP:(2005):Checking IPSec proposal 1
001377: *Sep 11 16:02:34.921 PCTime: ISAKMP: transform 1, ESP_3DES
001378: *Sep 11 16:02:34.921 PCTime: ISAKMP: attributes in transform:
001379: *Sep 11 16:02:34.921 PCTime: ISAKMP: encaps is 1 (Tunnel)
001380: *Sep 11 16:02:34.921 PCTime: ISAKMP: SA life type in seconds
001381: *Sep 11 16:02:34.921 PCTime: ISAKMP: SA life duration (basic) of 3600
001382: *Sep 11 16:02:34.921 PCTime: ISAKMP: SA life type in kilobytes
001383: *Sep 11 16:02:34.921 PCTime: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
001384: *Sep 11 16:02:34.921 PCTime: ISAKMP: authenticator is HMAC-MD5
001385: *Sep 11 16:02:34.921 PCTime: ISAKMP:(2005):atts are acceptable.
001386: *Sep 11 16:02:34.921 PCTime: IPSEC(validate_proposal_request): proposal part #1
001387: *Sep 11 16:02:34.921 PCTime: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 67.69.27.154, remote= 64.37.198.169,
    local_proxy= 67.69.27.154/255.255.255.255/0/0 (type=1),
    remote_proxy= 64.37.249.63/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-3des esp-md5-hmac (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
001388: *Sep 11 16:02:34.921 PCTime: Crypto mapdb : proxy_match
        src addr     : 67.69.27.154
        dst addr     : 64.37.249.63
        protocol     : 0
        src port     : 0
        dst port     : 0
001389: *Sep 11 16:02:34.921 PCTime: ISAKMP:(2005): processing NONCE payload. message ID = -1097553167
001390: *Sep 11 16:02:34.921 PCTime: ISAKMP:(2005): processing ID payload. message ID = -1097553167
001391: *Sep 11 16:02:34.921 PCTime: ISAKMP:(2005): processing ID payload. message ID = -1097553167
001392: *Sep 11 16:02:34.921 PCTime: ISAKMP:(2005): Creating IPSec SAs
001393: *Sep 11 16:02:34.921 PCTime: inbound SA from 64.37.198.169 to 67.69.27.154 (f/i) 0/ 0 (proxy 64.37.249.63 to 67.69.27.154)
001394: *Sep 11 16:02:34.921 PCTime: has spi 0x2728CE07 and conn_id 0
001395: *Sep 11 16:02:34.921 PCTime: lifetime of 3600 seconds
001396: *Sep 11 16:02:34.921 PCTime: lifetime of 4608000 kilobytes
001397: *Sep 11 16:02:34.921 PCTime: outbound SA from 67.69.27.154 to 64.37.198.169 (f/i) 0/0 (proxy 67.69.27.154 to 64.37.249.63)
001398: *Sep 11 16:02:34.921 PCTime: has spi 0xE8960633 and conn_id 0
001399: *Sep 11 16:02:34.921 PCTime: lifetime of 3600 seconds
001400: *Sep 11 16:02:34.921 PCTime: lifetime of 4608000 kilobytes
001401: *Sep 11 16:02:34.921 PCTime: ISAKMP:(2005): sending packet to 64.37.198.169 my_port 500 peer_port 500 (I) QM_IDLE
001402: *Sep 11 16:02:34.921 PCTime: ISAKMP:(2005):deleting node -1097553167 error FALSE reason "No Error"
001403: *Sep 11 16:02:34.925 PCTime: ISAKMP:(2005):Node -1097553167, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
001404: *Sep 11 16:02:34.925 PCTime: ISAKMP:(2005):Old State = IKE_QM_I_QM1 New State = IKE_QM_PHASE2_COMPLETE
001405: *Sep 11 16:02:34.925 PCTime: IPSEC(key_engine): got a queue event with 1 KMI message(s)
001406: *Sep 11 16:02:34.925 PCTime: Crypto mapdb : proxy_match
        src addr     : 67.69.27.154
        dst addr     : 64.37.249.63
        protocol     : 0
        src port     : 0
        dst port     : 0
001407: *Sep 11 16:02:34.925 PCTime: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and peer 64.37.198.169
001408: *Sep 11 16:02:34.925 PCTime: IPSEC(policy_db_add_ident): src 67.69.27.154, dest 64.37.249.63, dest_port 0
001409: *Sep 11 16:02:34.925 PCTime: IPSEC(create_sa): sa created,
  (sa) sa_dest= 67.69.27.154, sa_proto= 50,
    sa_spi= 0x2728CE07(656985607),
    sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 1
001410: *Sep 11 16:02:34.925 PCTime: IPSEC(create_sa): sa created,
  (sa) sa_dest= 64.37.198.169, sa_proto= 50,
    sa_spi= 0xE8960633(3902146099),
    sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2
001411: *Sep 11 16:02:34.925 PCTime: IPSEC(update_current_outbound_sa): updated peer 64.37.198.169 current outbound sa to SPI E8960633
show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
64.37.198.169   67.69.27.154    QM_IDLE           2005    0 ACTIVE

IPv6 Crypto ISAKMP SA

frontgate3#