ASA# debug cry
ASA# debug crypto ike
ASA# debug crypto ikev1 127
ASA#
Dec 24 14:30:39 [IKEv1 DEBUG]Pitcher: received a key acquire message, spi 0x0
Dec 24 14:30:39 [IKEv1]IP = 203.0.113.1, IKE Initiator: New Phase 1, Intf inside, IKE Peer 203.0.113.1 local Proxy Address 10.10.9.0, remote Proxy Address 10.11.11.0, Crypto map (CM)
Dec 24 14:30:39 [IKEv1 DEBUG]IP = 203.0.113.1, constructing ISAKMP SA payload
Dec 24 14:30:39 [IKEv1 DEBUG]IP = 203.0.113.1, constructing NAT-Traversal VID ver 02 payload
Dec 24 14:30:39 [IKEv1 DEBUG]IP = 203.0.113.1, constructing NAT-Traversal VID ver 03 payload
Dec 24 14:30:39 [IKEv1 DEBUG]IP = 203.0.113.1, constructing NAT-Traversal VID ver RFC payload
Dec 24 14:30:39 [IKEv1 DEBUG]IP = 203.0.113.1, constructing Fragmentation VID + extended capabilities payload
Dec 24 14:30:39 [IKEv1]IP = 203.0.113.1, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 168
Dec 24 14:30:40 [IKEv1]IKE Receiver: Packet received on 190.0.1.1:500 from 203.0.113.1:500
Dec 24 14:30:40 [IKEv1]IP = 203.0.113.1, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 104
Dec 24 14:30:40 [IKEv1 DEBUG]IP = 203.0.113.1, processing SA payload
Dec 24 14:30:40 [IKEv1 DEBUG]IP = 203.0.113.1, Oakley proposal is acceptable
Dec 24 14:30:40 [IKEv1 DEBUG]IP = 203.0.113.1, processing VID payload
Dec 24 14:30:40 [IKEv1 DEBUG]IP = 203.0.113.1, Received NAT-Traversal RFC VID
Dec 24 14:30:40 [IKEv1 DEBUG]IP = 203.0.113.1, constructing ke payload
Dec 24 14:30:40 [IKEv1 DEBUG]IP = 203.0.113.1, constructing nonce payload
Dec 24 14:30:40 [IKEv1 DEBUG]IP = 203.0.113.1, constructing Cisco Unity VID payload
Dec 24 14:30:40 [IKEv1 DEBUG]IP = 203.0.113.1, constructing xauth V6 VID payload
Dec 24 14:30:40 [IKEv1 DEBUG]IP = 203.0.113.1, Send IOS VID
Dec 24 14:30:40 [IKEv1 DEBUG]IP = 203.0.113.1, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Dec 24 14:30:40 [IKEv1 DEBUG]IP = 203.0.113.1, constructing VID payload
Dec 24 14:30:40 [IKEv1 DEBUG]IP = 203.0.113.1, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Dec 24 14:30:40 [IKEv1 DEBUG]IP = 203.0.113.1, constructing NAT-Discovery payload
Dec 24 14:30:40 [IKEv1 DEBUG]IP = 203.0.113.1, computing NAT Discovery hash
Dec 24 14:30:40 [IKEv1 DEBUG]IP = 203.0.113.1, constructing NAT-Discovery payload
Dec 24 14:30:40 [IKEv1 DEBUG]IP = 203.0.113.1, computing NAT Discovery hash
Dec 24 14:30:40 [IKEv1]IP = 203.0.113.1, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 296
Dec 24 14:30:40 [IKEv1]IKE Receiver: Packet received on 190.0.1.1:500 from 203.0.113.1:500
Dec 24 14:30:40 [IKEv1]IP = 203.0.113.1, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 296
Dec 24 14:30:40 [IKEv1 DEBUG]IP = 203.0.113.1, processing ke payload
Dec 24 14:30:40 [IKEv1 DEBUG]IP = 203.0.113.1, processing ISA_KE payload
Dec 24 14:30:40 [IKEv1 DEBUG]IP = 203.0.113.1, processing nonce payload
Dec 24 14:30:40 [IKEv1 DEBUG]IP = 203.0.113.1, processing VID payload
Dec 24 14:30:40 [IKEv1 DEBUG]IP = 203.0.113.1, Received Cisco Unity client VID
Dec 24 14:30:40 [IKEv1 DEBUG]IP = 203.0.113.1, processing VID payload
Dec 24 14:30:40 [IKEv1 DEBUG]IP = 203.0.113.1, Received DPD VID
Dec 24 14:30:40 [IKEv1 DEBUG]IP = 203.0.113.1, processing VID payload
Dec 24 14:30:40 [IKEv1 DEBUG]IP = 203.0.113.1, Processing IOS/PIX Vendor ID payload (version: 1.0.0, capabilities: 00000f7f)
Dec 24 14:30:40 [IKEv1 DEBUG]IP = 203.0.113.1, processing VID payload
Dec 24 14:30:40 [IKEv1 DEBUG]IP = 203.0.113.1, Received xauth V6 VID
Dec 24 14:30:40 [IKEv1 DEBUG]IP = 203.0.113.1, processing NAT-Discovery payload
Dec 24 14:30:40 [IKEv1 DEBUG]IP = 203.0.113.1, computing NAT Discovery hash
Dec 24 14:30:40 [IKEv1 DEBUG]IP = 203.0.113.1, processing NAT-Discovery payload
Dec 24 14:30:40 [IKEv1 DEBUG]IP = 203.0.113.1, computing NAT Discovery hash
Dec 24 14:30:40 [IKEv1]IP = 203.0.113.1, Connection landed on tunnel_group 203.0.113.1
Dec 24 14:30:40 [IKEv1 DEBUG]Group = 203.0.113.1, IP = 203.0.113.1, Generating keys for Initiator...
Dec 24 14:30:40 [IKEv1 DEBUG]Group = 203.0.113.1, IP = 203.0.113.1, constructing ID payload
Dec 24 14:30:40 [IKEv1 DEBUG]Group = 203.0.113.1, IP = 203.0.113.1, constructing hash payload
Dec 24 14:30:40 [IKEv1 DEBUG]Group = 203.0.113.1, IP = 203.0.113.1, Computing hash for ISAKMP
Dec 24 14:30:40 [IKEv1 DEBUG]IP = 203.0.113.1, Constructing IOS keep alive payload: proposal=32767/32767 sec.
Dec 24 14:30:40 [IKEv1 DEBUG]Group = 203.0.113.1, IP = 203.0.113.1, constructing dpd vid payload
Dec 24 14:30:40 [IKEv1]IP = 203.0.113.1, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 92
Dec 24 14:30:40 [IKEv1]Group = 203.0.113.1, IP = 203.0.113.1, Automatic NAT Detection Status: Remote end is NOT behind a NAT device This end is NOT behind a NAT device
Dec 24 14:30:40 [IKEv1]IKE Receiver: Packet received on 190.0.1.1:500 from 203.0.113.1:500
Dec 24 14:30:40 [IKEv1]IP = 203.0.113.1, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NOTIFY (11) + NONE (0) total length : 100
Dec 24 14:30:40 [IKEv1 DEBUG]Group = 203.0.113.1, IP = 203.0.113.1, processing ID payload
Dec 24 14:30:40 [IKEv1 DECODE]Group = 203.0.113.1, IP = 203.0.113.1, ID_IPV4_ADDR ID received 203.0.113.1
Dec 24 14:30:40 [IKEv1 DEBUG]Group = 203.0.113.1, IP = 203.0.113.1, processing hash payload
Dec 24 14:30:40 [IKEv1 DEBUG]Group = 203.0.113.1, IP = 203.0.113.1, Computing hash for ISAKMP
Dec 24 14:30:40 [IKEv1 DEBUG]Group = 203.0.113.1, IP = 203.0.113.1, processing notify payload
Dec 24 14:30:40 [IKEv1 DECODE]Responder Lifetime decode follows (outb SPI[4]|attributes):
Dec 24 14:30:40 [IKEv1 DECODE]0000: 3EB6ED91 978FBE71 322F91D2 ECF9D65B >......q2/.....[
0010: 800B0001 000C0004 00015180 ..........Q.
Dec 24 14:30:40 [IKEv1]IP = 203.0.113.1, Connection landed on tunnel_group 203.0.113.1
Dec 24 14:30:40 [IKEv1 DEBUG]Group = 203.0.113.1, IP = 203.0.113.1, Oakley begin quick mode
Dec 24 14:30:40 [IKEv1 DECODE]Group = 203.0.113.1, IP = 203.0.113.1, IKE Initiator starting QM: msg id = f4455213
Dec 24 14:30:40 [IKEv1]Group = 203.0.113.1, IP = 203.0.113.1, PHASE 1 COMPLETED
Dec 24 14:30:40 [IKEv1]IP = 203.0.113.1, Keep-alive type for this connection: DPD
Dec 24 14:30:40 [IKEv1 DEBUG]Group = 203.0.113.1, IP = 203.0.113.1, Starting P1 rekey timer: 82080 seconds.
Dec 24 14:30:40 [IKEv1 DEBUG]Group = 203.0.113.1, IP = 203.0.113.1, IKE got SPI from key engine: SPI = 0x008b4b7c
Dec 24 14:30:40 [IKEv1 DEBUG]Group = 203.0.113.1, IP = 203.0.113.1, oakley constucting quick mode
Dec 24 14:30:40 [IKEv1 DEBUG]Group = 203.0.113.1, IP = 203.0.113.1, constructing blank hash payload
Dec 24 14:30:40 [IKEv1 DEBUG]Group = 203.0.113.1, IP = 203.0.113.1, constructing IPSec SA payload
Dec 24 14:30:40 [IKEv1 DEBUG]Group = 203.0.113.1, IP = 203.0.113.1, constructing IPSec nonce payload
Dec 24 14:30:40 [IKEv1 DEBUG]Group = 203.0.113.1, IP = 203.0.113.1, constructing proxy ID
Dec 24 14:30:40 [IKEv1 DEBUG]Group = 203.0.113.1, IP = 203.0.113.1, Transmitting Proxy Id:
  Local subnet: 10.10.9.0 mask 255.255.255.0 Protocol 0 Port 0
  Remote subnet: 10.11.11.0 Mask 255.255.255.0 Protocol 0 Port 0
Dec 24 14:30:40 [IKEv1 DECODE]Group = 203.0.113.1, IP = 203.0.113.1, IKE Initiator sending Initial Contact
Dec 24 14:30:40 [IKEv1 DEBUG]Group = 203.0.113.1, IP = 203.0.113.1, constructing qm hash payload
Dec 24 14:30:40 [IKEv1 DECODE]Group = 203.0.113.1, IP = 203.0.113.1, IKE Initiator sending 1st QM pkt: msg id = f4455213
Dec 24 14:30:40 [IKEv1]IP = 203.0.113.1, IKE_DECODE SENDING Message (msgid=f4455213) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 192
Dec 24 14:30:40 [IKEv1]IKE Receiver: Packet received on 190.0.1.1:500 from 203.0.113.1:500
Dec 24 14:30:40 [IKEv1]IP = 203.0.113.1, IKE_DECODE RECEIVED Message (msgid=f4455213) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 192
Dec 24 14:30:40 [IKEv1 DEBUG]Group = 203.0.113.1, IP = 203.0.113.1, processing hash payload
Dec 24 14:30:40 [IKEv1 DEBUG]Group = 203.0.113.1, IP = 203.0.113.1, processing SA payload
Dec 24 14:30:40 [IKEv1 DEBUG]Group = 203.0.113.1, IP = 203.0.113.1, processing nonce payload
Dec 24 14:30:40 [IKEv1 DEBUG]Group = 203.0.113.1, IP = 203.0.113.1, processing ID payload
Dec 24 14:30:40 [IKEv1 DECODE]Group = 203.0.113.1, IP = 203.0.113.1, ID_IPV4_ADDR_SUBNET ID received--10.10.9.0--255.255.255.0
Dec 24 14:30:40 [IKEv1 DEBUG]Group = 203.0.113.1, IP = 203.0.113.1, processing ID payload
Dec 24 14:30:40 [IKEv1 DECODE]Group = 203.0.113.1, IP = 203.0.113.1, ID_IPV4_ADDR_SUBNET ID received--10.11.11.0--255.255.255.0
Dec 24 14:30:40 [IKEv1 DEBUG]Group = 203.0.113.1, IP = 203.0.113.1, processing notify payload
Dec 24 14:30:40 [IKEv1 DECODE]Responder Lifetime decode follows (outb SPI[4]|attributes):
Dec 24 14:30:40 [IKEv1 DECODE]0000: 6FB6A10F 80010001 00020004 00000E10 o...............
Dec 24 14:30:40 [IKEv1]Group = 203.0.113.1, IP = 203.0.113.1, Responder forcing change of IPSec rekeying duration from 28800 to 3600 seconds
Dec 24 14:30:40 [IKEv1 DEBUG]Group = 203.0.113.1, IP = 203.0.113.1, loading all IPSEC SAs
Dec 24 14:30:40 [IKEv1 DEBUG]Group = 203.0.113.1, IP = 203.0.113.1, Generating Quick Mode Key!
Dec 24 14:30:40 [IKEv1 DEBUG]Group = 203.0.113.1, IP = 203.0.113.1, NP encrypt rule look up for crypto map CM 10 matching ACL CSR1: returned cs_id=801980d8; encrypt_rule=8019ad00; tunnelFlow_rule=8019b230
Dec 24 14:30:40 [IKEv1 DEBUG]Group = 203.0.113.1, IP = 203.0.113.1, Generating Quick Mode Key!
Dec 24 14:30:40 [IKEv1 DEBUG]Group = 203.0.113.1, IP = 203.0.113.1, NP encrypt rule look up for crypto map CM 10 matching ACL CSR1: returned cs_id=801980d8; encrypt_rule=8019ad00; tunnelFlow_rule=8019b230
Dec 24 14:30:40 [IKEv1]Group = 203.0.113.1, IP = 203.0.113.1, Security negotiation complete for LAN-to-LAN Group (203.0.113.1) Initiator, Inbound SPI = 0x008b4b7c, Outbound SPI = 0x6fb6a10f
Dec 24 14:30:40 [IKEv1 DEBUG]Group = 203.0.113.1, IP = 203.0.113.1, oakley constructing final quick mode
Dec 24 14:30:40 [IKEv1 DECODE]Group = 203.0.113.1, IP = 203.0.113.1, IKE Initiator sending 3rd QM pkt: msg id = f4455213
Dec 24 14:30:40 [IKEv1]IP = 203.0.113.1, IKE_DECODE SENDING Message (msgid=f4455213) with payloads : HDR + HASH (8) + NONE (0) total length : 72
Dec 24 14:30:40 [IKEv1 DEBUG]Pitcher: received key delete msg, spi 0x0
Dec 24 14:30:40 [IKEv1 DEBUG]Group = 203.0.113.1, IP = 203.0.113.1, IKE got a KEY_ADD msg for SA: SPI = 0x6fb6a10f
Dec 24 14:30:40 [IKEv1 DEBUG]Group = 203.0.113.1, IP = 203.0.113.1, Pitcher: received KEY_UPDATE, spi 0x8b4b7c
Dec 24 14:30:40 [IKEv1 DEBUG]Group = 203.0.113.1, IP = 203.0.113.1, Failed to update IPSec SA. Tearing down SA.
Dec 24 14:30:40 [IKEv1]Group = 203.0.113.1, IP = 203.0.113.1, QM FSM error (P2 struct &0x802a7fe8, mess id 0xf4455213)!
Dec 24 14:30:40 [IKEv1 DEBUG]Group = 203.0.113.1, IP = 203.0.113.1, IKE QM Initiator FSM error history (struct &0x802a7fe8) , : QM_DONE, EV_ERROR-->QM_BLD_MSG3, EV_IPSEC_FAIL-->QM_BLD_MSG3, NullEvent-->QM_BLD_MSG3, EV_ENCRYPT_OK-->QM_BLD_MSG3, NullEvent-->QM_BLD_MSG3, EV_RESET_LIFETIME-->QM_BLD_MSG3, NullEvent-->QM_BLD_MSG3, EV_ENCRYPT_MSG
Dec 24 14:30:40 [IKEv1 DEBUG]Group = 203.0.113.1, IP = 203.0.113.1, sending delete/delete with reason message
Dec 24 14:30:40 [IKEv1 DEBUG]Group = 203.0.113.1, IP = 203.0.113.1, constructing blank hash payload
Dec 24 14:30:40 [IKEv1 DEBUG]Group = 203.0.113.1, IP = 203.0.113.1, constructing IPSec delete payload
Dec 24 14:30:40 [IKEv1 DEBUG]Group = 203.0.113.1, IP = 203.0.113.1, constructing qm hash payload
Dec 24 14:30:40 [IKEv1]IP = 203.0.113.1, IKE_DECODE SENDING Message (msgid=4794a516) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 64
Dec 24 14:30:40 [IKEv1 DEBUG]Group = 203.0.113.1, IP = 203.0.113.1, IKE Deleting SA: Remote Proxy 10.11.11.0, Local Proxy 10.10.9.0
Dec 24 14:30:40 [IKEv1]Group = 203.0.113.1, IP = 203.0.113.1, Removing peer from correlator table failed, no match!
Dec 24 14:30:40 [IKEv1 DEBUG]Group = 203.0.113.1, IP = 203.0.113.1, IKE SA MM:91edb63e rcv'd Terminate: state MM_ACTIVE flags 0x0000c062, refcnt 1, tuncnt 0
Dec 24 14:30:40 [IKEv1 DEBUG]Group = 203.0.113.1, IP = 203.0.113.1, IKE SA MM:91edb63e terminating: flags 0x0100c022, refcnt 0, tuncnt 0
Dec 24 14:30:40 [IKEv1 DEBUG]Group = 203.0.113.1, IP = 203.0.113.1, sending delete/delete with reason message
Dec 24 14:30:40 [IKEv1 DEBUG]Group = 203.0.113.1, IP = 203.0.113.1, constructing blank hash payload
Dec 24 14:30:40 [IKEv1 DEBUG]Group = 203.0.113.1, IP = 203.0.113.1, constructing IKE delete payload
Dec 24 14:30:40 [IKEv1 DEBUG]Group = 203.0.113.1, IP = 203.0.113.1, constructing qm hash payload
Dec 24 14:30:40 [IKEv1]IP = 203.0.113.1, IKE_DECODE SENDING Message (msgid=58e81a54) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 76
Dec 24 14:30:40 [IKEv1]Group = 203.0.113.1, IP = 203.0.113.1, Session is being torn down. Reason: Unknown
Dec 24 14:30:40 [IKEv1]Ignoring msg to mark SA with dsID 4096 dead because SA deleted
Dec 24 14:30:40 [IKEv1]IKE Receiver: Packet received on 190.0.1.1:500 from 203.0.113.1:500
Dec 24 14:30:40 [IKEv1]IP = 203.0.113.1, Received encrypted packet with no matching SA, dropping