Logging question

jasonw
Level 1

Are logs like this kind of normal to see?

 

We have a complex network and I'm seeing logs like this a lot. I had to change the public IPs to bogus numbers.

I just wonder if our current vendor that set things up has done everything right.

 

002-ASA     11-19-2014 05:30:41     %ASA-4-713903: IP = 001.001.001.001, Information Exchange processing failed
001-ASA     11-19-2014 05:30:40     %ASA-4-713903: IP = 002.002.002.002, Header invalid, missing SA payload! (next payload = 4)
002-ASA     11-19-2014 05:30:40     %ASA-5-713904: IP = 001.001.001.001, Received an un-encrypted INVALID_COOKIE notify message, dropping
001-ASA     11-19-2014 05:30:38     %ASA-4-752012: IKEv1 was unsuccessful at setting up a tunnel. Map Tag = outside_map. Map Sequence Number = 20.
001-ASA     11-19-2014 05:30:38     %ASA-3-752015: Tunnel Manager has failed to establish an L2L SA. All configured IKE versions failed to establish the tunnel. Map Tag= outside_map. Map Sequence Number = 20.
001-ASA     11-19-2014 05:30:32     %ASA-4-713903: Group = 002.002.002.002, IP = 002.002.002.002, Can't find a valid tunnel group, aborting...!
002-ASA     11-19-2014 05:30:32     %ASA-5-752004: Tunnel Manager dispatching a KEY_ACQUIRE message to IKEv1. Map Tag = outside_map. Map Sequence Number = 20.
002-ASA     11-19-2014 05:30:32     %ASA-4-752010: IKEv2 Doesn't have a proposal specified
002-ASA     11-19-2014 05:30:32     %ASA-5-713041: IP = 001.001.001.001, IKE Initiator: New Phase 1, Intf inside, IKE Peer 001.001.001.001 local Proxy Address 192.168.13.32, remote Proxy Address 192.168.52.0, Crypto map (outside_map)
002-ASA     11-19-2014 05:30:22     %ASA-3-752015: Tunnel Manager has failed to establish an L2L SA. All configured IKE versions failed to establish the tunnel. Map Tag= outside_map. Map Sequence Number = 20.
002-ASA     11-19-2014 05:30:22     %ASA-4-752012: IKEv1 was unsuccessful at setting up a tunnel. Map Tag = outside_map. Map Sequence Number = 20.
002-ASA     11-19-2014 05:30:14     %ASA-4-713903: IP = 001.001.001.001, Information Exchange processing failed
002-ASA     11-19-2014 05:30:14     %ASA-5-713904: IP = 001.001.001.001, Received an un-encrypted INVALID_COOKIE notify message, dropping
001-ASA     11-19-2014 05:30:14     %ASA-4-713903: IP = 002.002.002.002, Header invalid, missing SA payload! (next payload = 4)
002-ASA     11-19-2014 05:30:06     %ASA-4-713903: IP = 001.001.001.001, Information Exchange processing failed
002-ASA     11-19-2014 05:30:06     %ASA-5-713904: IP = 001.001.001.001, Received an un-encrypted INVALID_COOKIE notify message, dropping
001-ASA     11-19-2014 05:30:06     %ASA-4-713903: IP = 002.002.002.002, Header invalid, missing SA payload! (next payload = 4)
001-ASA     11-19-2014 05:30:04     %ASA-5-713041: IP = 003.003.003.003, IKE Initiator: New Phase 1, Intf inside, IKE Peer 003.003.003.003 local Proxy Address 192.168.52.0, remote Proxy Address 192.168.13.32, Crypto map (outside_map)
001-ASA     11-19-2014 05:30:04     %ASA-4-752010: IKEv2 Doesn't have a proposal specified
001-ASA     11-19-2014 05:30:03     %ASA-5-752004: Tunnel Manager dispatching a KEY_ACQUIRE message to IKEv1. Map Tag = outside_map. Map Sequence Number = 20.
002-ASA     11-19-2014 05:29:58     %ASA-4-713903: IP = 001.001.001.001, Information Exchange processing failed
002-ASA     11-19-2014 05:29:58     %ASA-5-713904: IP = 001.001.001.001, Received an un-encrypted INVALID_COOKIE notify message, dropping
001-ASA     11-19-2014 05:29:58     %ASA-4-713903: IP = 002.002.002.002, Header invalid, missing SA payload! (next payload = 4)
001-ASA     11-19-2014 05:29:56     %ASA-3-752015: Tunnel Manager has failed to establish an L2L SA. All configured IKE versions failed to establish the tunnel. Map Tag= outside_map. Map Sequence Number = 20.
001-ASA     11-19-2014 05:29:56     %ASA-4-752012: IKEv1 was unsuccessful at setting up a tunnel. Map Tag = outside_map. Map Sequence Number = 20.
001-ASA     11-19-2014 05:29:50     %ASA-4-713903: Group = 002.002.002.002, IP = 002.002.002.002, Can't find a valid tunnel group, aborting...!
002-ASA     11-19-2014 05:29:50     %ASA-4-752010: IKEv2 Doesn't have a proposal specified
002-ASA     11-19-2014 05:29:50     %ASA-5-713041: IP = 001.001.001.001, IKE Initiator: New Phase 1, Intf inside, IKE Peer 001.001.001.001 local Proxy Address 192.168.13.32, remote Proxy Address 192.168.52.0, Crypto map (outside_map)
002-ASA     11-19-2014 05:29:50     %ASA-5-752004: Tunnel Manager dispatching a KEY_ACQUIRE message to IKEv1. Map Tag = outside_map. Map Sequence Number = 20.
002-ASA     11-19-2014 05:29:44     %ASA-3-752015: Tunnel Manager has failed to establish an L2L SA. All configured IKE versions failed to establish the tunnel. Map Tag= outside_map. Map Sequence Number = 20.
002-ASA     11-19-2014 05:29:43     %ASA-4-752012: IKEv1 was unsuccessful at setting up a tunnel. Map Tag = outside_map. Map Sequence Number = 20.
002-ASA     11-19-2014 05:29:36     %ASA-4-713903: IP = 001.001.001.001, Information Exchange processing failed
002-ASA     11-19-2014 05:29:36     %ASA-5-713904: IP = 001.001.001.001, Received an un-encrypted INVALID_COOKIE notify message, dropping
001-ASA     11-19-2014 05:29:36     %ASA-4-713903: IP = 002.002.002.002, Header invalid, missing SA payload! (next payload = 4)
002-ASA     11-19-2014 05:29:26     %ASA-5-713904: IP = 001.001.001.001, Received an un-encrypted INVALID_COOKIE notify message, dropping
002-ASA     11-19-2014 05:29:26     %ASA-4-713903: IP = 001.001.001.001, Information Exchange processing failed
001-ASA     11-19-2014 05:29:26     %ASA-4-713903: IP = 002.002.002.002, Header invalid, missing SA payload! (next payload = 4)
001-ASA     11-19-2014 05:29:24     %ASA-5-713041: IP = 003.003.003.003, IKE Initiator: New Phase 1, Intf inside, IKE Peer 003.003.003.003 local Proxy Address 192.168.52.0, remote Proxy Address 192.168.13.32, Crypto map (outside_map)
001-ASA     11-19-2014 05:29:24     %ASA-4-752010: IKEv2 Doesn't have a proposal specified
001-ASA     11-19-2014 05:29:24     %ASA-5-752004: Tunnel Manager dispatching a KEY_ACQUIRE message to IKEv1. Map Tag = outside_map. Map Sequence Number = 20.
002-ASA     11-19-2014 05:29:18     %ASA-4-713903: IP = 001.001.001.001, Information Exchange processing failed
002-ASA     11-19-2014 05:29:18     %ASA-5-713904: IP = 001.001.001.001, Received an un-encrypted INVALID_COOKIE notify message, dropping
001-ASA     11-19-2014 05:29:18     %ASA-4-713903: IP = 002.002.002.002, Header invalid, missing SA payload! (next payload = 4)
001-ASA     11-19-2014 05:29:13     %ASA-3-752015: Tunnel Manager has failed to establish an L2L SA. All configured IKE versions failed to establish the tunnel. Map Tag= outside_map. Map Sequence Number = 20.
001-ASA     11-19-2014 05:29:13     %ASA-4-752012: IKEv1 was unsuccessful at setting up a tunnel. Map Tag = outside_map. Map Sequence Number = 20.
001-ASA     11-19-2014 05:29:10     %ASA-4-713903: Group = 002.002.002.002, IP = 002.002.002.002, Can't find a valid tunnel group, aborting...!
002-ASA     11-19-2014 05:29:10     %ASA-5-713041: IP = 001.001.001.001, IKE Initiator: New Phase 1, Intf inside, IKE Peer 001.001.001.001 local Proxy Address 192.168.13.32, remote Proxy Address 192.168.52.0, Crypto map (outside_map)
002-ASA     11-19-2014 05:29:10     %ASA-4-752010: IKEv2 Doesn't have a proposal specified
002-ASA     11-19-2014 05:29:10     %ASA-5-752004: Tunnel Manager dispatching a KEY_ACQUIRE message to IKEv1. Map Tag = outside_map. Map Sequence Number = 20.
002-ASA     11-19-2014 05:29:02     %ASA-3-752015: Tunnel Manager has failed to establish an L2L SA. All configured IKE versions failed to establish the tunnel. Map Tag= outside_map. Map Sequence Number = 20.
002-ASA     11-19-2014 05:29:02     %ASA-4-752012: IKEv1 was unsuccessful at setting up a tunnel. Map Tag = outside_map. Map Sequence Number = 20.
002-ASA     11-19-2014 05:28:54     %ASA-4-713903: IP = 001.001.001.001, Information Exchange processing failed
002-ASA     11-19-2014 05:28:54     %ASA-5-713904: IP = 001.001.001.001, Received an un-encrypted INVALID_COOKIE notify message, dropping
001-ASA     11-19-2014 05:28:54     %ASA-4-713903: IP = 002.002.002.002, Header invalid, missing SA payload! (next payload = 4)
002-ASA     11-19-2014 05:28:46     %ASA-4-713903: IP = 001.001.001.001, Information Exchange processing failed
002-ASA     11-19-2014 05:28:46     %ASA-5-713904: IP = 001.001.001.001, Received an un-encrypted INVALID_COOKIE notify message, dropping
001-ASA     11-19-2014 05:28:46     %ASA-4-713903: IP = 002.002.002.002, Header invalid, missing SA payload! (next payload = 4)
001-ASA     11-19-2014 05:28:41     %ASA-5-713041: IP = 003.003.003.003, IKE Initiator: New Phase 1, Intf inside, IKE Peer 003.003.003.003 local Proxy Address 192.168.52.0, remote Proxy Address 192.168.13.32, Crypto map (outside_map)
001-ASA     11-19-2014 05:28:41     %ASA-4-752010: IKEv2 Doesn't have a proposal specified
001-ASA     11-19-2014 05:28:41     %ASA-5-752004: Tunnel Manager dispatching a KEY_ACQUIRE message to IKEv1. Map Tag = outside_map. Map Sequence Number = 20.
002-ASA     11-19-2014 05:28:38     %ASA-4-713903: IP = 001.001.001.001, Information Exchange processing failed
002-ASA     11-19-2014 05:28:38     %ASA-5-713904: IP = 001.001.001.001, Received an un-encrypted INVALID_COOKIE notify message, dropping
001-ASA     11-19-2014 05:28:38     %ASA-4-713903: IP = 002.002.002.002, Header invalid, missing SA payload! (next payload = 4)
001-ASA     11-19-2014 05:28:31     %ASA-3-752015: Tunnel Manager has failed to establish an L2L SA. All configured IKE versions failed to establish the tunnel. Map Tag= outside_map. Map Sequence Number = 20.
001-ASA     11-19-2014 05:28:31     %ASA-4-752012: IKEv1 was unsuccessful at setting up a tunnel. Map Tag = outside_map. Map Sequence Number = 20.
001-ASA     11-19-2014 05:28:31     %ASA-4-713903: Group = 002.002.002.002, IP = 002.002.002.002, Can't find a valid tunnel group, aborting...!
002-ASA     11-19-2014 05:28:31     %ASA-5-752004: Tunnel Manager dispatching a KEY_ACQUIRE message to IKEv1. Map Tag = outside_map. Map Sequence Number = 20.
002-ASA     11-19-2014 05:28:31     %ASA-4-752010: IKEv2 Doesn't have a proposal specified
002-ASA     11-19-2014 05:28:31     %ASA-5-713041: IP = 001.001.001.001, IKE Initiator: New Phase 1, Intf inside, IKE Peer 001.001.001.001 local Proxy Address 192.168.13.32, remote Proxy Address 192.168.52.0, Crypto map (outside_map)
002-ASA     11-19-2014 05:28:23     %ASA-3-752015: Tunnel Manager has failed to establish an L2L SA. All configured IKE versions failed to establish the tunnel. Map Tag= outside_map. Map Sequence Number = 20.
002-ASA     11-19-2014 05:28:23     %ASA-4-752012: IKEv1 was unsuccessful at setting up a tunnel. Map Tag = outside_map. Map Sequence Number = 20.
002-ASA     11-19-2014 05:28:14     %ASA-4-713903: IP = 001.001.001.001, Information Exchange processing failed
002-ASA     11-19-2014 05:28:14     %ASA-5-713904: IP = 001.001.001.001, Received an un-encrypted INVALID_COOKIE notify message, dropping
001-ASA     11-19-2014 05:28:14     %ASA-4-713903: IP = 002.002.002.002, Header invalid, missing SA payload! (next payload = 4)
002-ASA     11-19-2014 05:28:06     %ASA-4-713903: IP = 001.001.001.001, Information Exchange processing failed
002-ASA     11-19-2014 05:28:06     %ASA-5-713904: IP = 001.001.001.001, Received an un-encrypted INVALID_COOKIE notify message, dropping
001-ASA     11-19-2014 05:28:06     %ASA-4-713903: IP = 002.002.002.002, Header invalid, missing SA payload! (next payload = 4)
001-ASA     11-19-2014 05:27:59     %ASA-5-713041: IP = 003.003.003.003, IKE Initiator: New Phase 1, Intf inside, IKE Peer 003.003.003.003 local Proxy Address 192.168.52.0, remote Proxy Address 192.168.13.32, Crypto map (outside_map)
001-ASA     11-19-2014 05:27:59     %ASA-4-752010: IKEv2 Doesn't have a proposal specified
001-ASA     11-19-2014 05:27:59     %ASA-5-752004: Tunnel Manager dispatching a KEY_ACQUIRE message to IKEv1. Map Tag = outside_map. Map Sequence Number = 20.
002-ASA     11-19-2014 05:27:58     %ASA-4-713903: IP = 001.001.001.001, Information Exchange processing failed
002-ASA     11-19-2014 05:27:58     %ASA-5-713904: IP = 001.001.001.001, Received an un-encrypted INVALID_COOKIE notify message, dropping
001-ASA     11-19-2014 05:27:58     %ASA-4-713903: IP = 002.002.002.002, Header invalid, missing SA payload! (next payload = 4)
001-ASA     11-19-2014 05:27:54     %ASA-3-752015: Tunnel Manager has failed to establish an L2L SA. All configured IKE versions failed to establish the tunnel. Map Tag= outside_map. Map Sequence Number = 20.
001-ASA     11-19-2014 05:27:54     %ASA-4-752012: IKEv1 was unsuccessful at setting up a tunnel. Map Tag = outside_map. Map Sequence Number = 20.
001-ASA     11-19-2014 05:27:50     %ASA-4-713903: Group = 002.002.002.002, IP = 002.002.002.002, Can't find a valid tunnel group, aborting...!
002-ASA     11-19-2014 05:27:50     %ASA-5-713041: IP = 001.001.001.001, IKE Initiator: New Phase 1, Intf inside, IKE Peer 001.001.001.001 local Proxy Address 192.168.13.32, remote Proxy Address 192.168.52.0, Crypto map (outside_map)
002-ASA     11-19-2014 05:27:50     %ASA-4-752010: IKEv2 Doesn't have a proposal specified
002-ASA     11-19-2014 05:27:50     %ASA-5-752004: Tunnel Manager dispatching a KEY_ACQUIRE message to IKEv1. Map Tag = outside_map. Map Sequence Number = 20.
002-ASA     11-19-2014 05:27:42     %ASA-3-752015: Tunnel Manager has failed to establish an L2L SA. All configured IKE versions failed to establish the tunnel. Map Tag= outside_map. Map Sequence Number = 20.
002-ASA     11-19-2014 05:27:42     %ASA-4-752012: IKEv1 was unsuccessful at setting up a tunnel. Map Tag = outside_map. Map Sequence Number = 20.
002-ASA     11-19-2014 05:27:34     %ASA-4-713903: IP = 001.001.001.001, Information Exchange processing failed
002-ASA     11-19-2014 05:27:34     %ASA-5-713904: IP = 001.001.001.001, Received an un-encrypted INVALID_COOKIE notify message, dropping
001-ASA     11-19-2014 05:27:34     %ASA-4-713903: IP = 002.002.002.002, Header invalid, missing SA payload! (next payload = 4)
002-ASA     11-19-2014 05:27:26     %ASA-4-713903: IP = 001.001.001.001, Information Exchange processing failed
002-ASA     11-19-2014 05:27:26     %ASA-5-713904: IP = 001.001.001.001, Received an un-encrypted INVALID_COOKIE notify message, dropping
001-ASA     11-19-2014 05:27:26     %ASA-4-713903: IP = 002.002.002.002, Header invalid, missing SA payload! (next payload = 4)
001-ASA     11-19-2014 05:27:22     %ASA-5-713041: IP = 003.003.003.003, IKE Initiator: New Phase 1, Intf inside, IKE Peer 003.003.003.003 local Proxy Address 192.168.52.0, remote Proxy Address 192.168.13.32, Crypto map (outside_map)
001-ASA     11-19-2014 05:27:22     %ASA-4-752010: IKEv2 Doesn't have a proposal specified
001-ASA     11-19-2014 05:27:22     %ASA-5-752004: Tunnel Manager dispatching a KEY_ACQUIRE message to IKEv1. Map Tag = outside_map. Map Sequence Number = 20.

 

Accepted Solutions

 Hello Jason,

 

According to these logs, the crypto map with sequence number 20 is having issues establishing the site-to-site IPsec, so they indicate phase 1 is not completed yet.

 

Usually this is an issue with the encryption algorithms defined, and also issues in the middle <ISP>.

 

This should not affect the performance of your ASA, or routing on your ASA.

 

You can confirm with --> show crypto isakmp sa

 

To see if the tunnel can establish phase 1.

 

If you have another question let me know,

 

Please don't forget to rate the helpful Post!

 

David Castro,

 

Regards,
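
A way to reduce a log excerpt like the one in the question to per-device counts of failed L2L attempts per crypto map entry and the IKE error reasons seen per peer. This is an added example, not part of the original thread; the sample lines are constructed with documentation addresses, and `parse` and `summarize` are hypothetical names.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample in the layout of the excerpt above; addresses are
# documentation placeholders, the last line is deliberately malformed.
SAMPLE = """\
002-ASA     11-19-2014 05:30:41     %ASA-4-713903: IP = 192.0.2.1, Information Exchange processing failed
001-ASA     11-19-2014 05:30:40     %ASA-4-713903: IP = 198.51.100.2, Header invalid, missing SA payload! (next payload = 4)
001-ASA     11-19-2014 05:30:38     %ASA-3-752015: Tunnel Manager has failed to establish an L2L SA. All configured IKE versions failed to establish the tunnel. Map Tag= outside_map. Map Sequence Number = 20.
001-ASA     11-19-2014 05:30:32     %ASA-4-713903: Group = 198.51.100.2, IP = 198.51.100.2, Can't find a valid tunnel group, aborting...!
002-ASA     11-19-2014 05:30:22     %ASA-3-752015: Tunnel Manager has failed to establish an L2L SA. All configured IKE versions failed to establish the tunnel. Map Tag= outside_map. Map Sequence Number = 20.
002-ASA     11-19-2014 05:30:14     %ASA-4-713903: IP = 192.0.2.1, Information Exchange processing failed
001-ASA     11-19-2014 05:29:56     %ASA-3-752015: Tunnel Manager has failed to establish an L2L SA. All configured IKE versions failed to establish the tunnel. Map Tag= outside_map. Map Sequence Number = 20.
truncated line without a message id
"""

LINE = re.compile(
    r"^(?P<dev>\S+)\s+(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2})\s+"
    r"%ASA-(?P<sev>\d)-(?P<mid>\d{6}): (?P<msg>.*)$")
MAP = re.compile(r"Map Tag\s*=\s*(\S+?)\.\s+Map Sequence Number = (\d+)")
PEER = re.compile(r"IP = ([\d.]+), (.*)$")

def parse(text):
    """Yield (device, datetime, severity, message_id, message) per valid line."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:  # skip blank or malformed lines instead of raising
            yield (m["dev"], datetime.strptime(m["ts"], "%m-%d-%Y %H:%M:%S"),
                   int(m["sev"]), m["mid"], m["msg"])

def summarize(text):
    """Count 752015 failures per crypto map entry and 713903 reasons per peer."""
    failures = defaultdict(Counter)  # device -> {(map_tag, seq): count}
    reasons = defaultdict(Counter)   # device -> {(peer_ip, reason): count}
    span = {}                        # device -> (first_seen, last_seen)
    for dev, ts, _sev, mid, msg in parse(text):
        lo, hi = span.get(dev, (ts, ts))
        span[dev] = (min(lo, ts), max(hi, ts))
        if mid == "752015" and (m := MAP.search(msg)):
            failures[dev][(m[1], int(m[2]))] += 1
        elif mid == "713903" and (m := PEER.search(msg)):
            reasons[dev][(m[1], m[2])] += 1
    return failures, reasons, span

if __name__ == "__main__":
    f, r, s = summarize(SAMPLE)
    for dev in sorted(s):
        print(dev, s[dev][1] - s[dev][0], dict(f[dev]), dict(r[dev]))
```

A steady count of 752015 against a single map sequence number on both devices, as in this output, matches the repeating retry cycle visible in the posted excerpt.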
