3002 to 3000 IKE Phase I error

drumrb0y
Level 1

I know this can't be a difficult problem, but this is a first-time set up for me; I've been setting up multiple IPsec connections from 1710 routers to our 3000 Concentrator and this is the only 3002 hardware client of the lot. I'm getting a phase I error trying to establish a tunnel in client mode; this is the log:

137 07/08/2004 13:22:38.890 SEV=7 IPSECDBG/14 RPT=6
Sending KEY_ACQUIRE to IKE for src ##.##.##.##, dst ##.##.##.##

138 07/08/2004 13:22:38.890 SEV=8 IKEDBG/0 RPT=16
pitcher: received a key acquire message!

139 07/08/2004 13:22:38.890 SEV=4 IKE/41 RPT=12 ##.##.##.##
IKE Initiator: New Phase 1, Intf 12, IKE Peer ##.##.##.##
local Proxy Address ##.##.##.##, remote Proxy Address ##.##.##.##,
SA (ESP-3DES-MD5)

142 07/08/2004 13:22:38.890 SEV=5 IP/45 RPT=9
Client transmitting TCP SYN pkt to device ##.##.##.## on TCP src port #####, dst port #####

144 07/08/2004 13:22:58.890 SEV=7 IKEDBG/65 RPT=6 ##.##.##.##
IKE AM Initiator FSM error history (struct &0xed2960)
<state>, <event>:
AM_DONE, EV_ERROR_CONT
AM_DONE, EV_ERROR
AM_CTCP_WAIT_REPLY, EV_CTCP_LINK_FAIL
AM_CTCP_WAIT_REPLY, EV_TIMEOUT

149 07/08/2004 13:22:58.890 SEV=9 IKEDBG/0 RPT=17 ##.##.##.##
IKE SA AM:6cf0d0d5 terminating:
flags 0x01000021, refcnt 0, tuncnt 0

150 07/08/2004 13:22:58.890 SEV=9 IKEDBG/0 RPT=18
sending delete/delete with reason message

151 07/08/2004 13:22:58.890 SEV=5 IP/36 RPT=9
Client fails to connect to headend device ##.##.##.## on TCP port #####.

I haven't been able to locate any documentation that breaks down this error string to where I can correct the config - any takers?

Thanks,

Marc

4 Replies

fdessart
Cisco Employee

Hello Marc,

Looks like the 3002 is trying to use IPSec over TCP.

Is that what you configured on the concentrator?

(NB: an IOS router cannot do that.)

If so, then please check:

- the port number is the same on both sides.

- this port is open if there is a firewall in between.

- this port is open in the filter applied to the Public interface of the concentrator.

Hope this helps.

Francois.
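As an added example (not from the original thread or from Cisco), here is a small Python triage script that parses Concentrator event-log entries in the format quoted above and flags the cTCP transport failure pattern Francois describes, pointing at the three checks he lists. The sample log is constructed with placeholder addresses and ports, and the field and function names are my own.

```python
import re

# Constructed sample, modelled on the VPN 3000 Concentrator event log quoted in the thread
# (addresses and ports are placeholders; the original post masks them with #'s).
SAMPLE_LOG = """\
137 07/08/2004 13:22:38.890 SEV=7 IPSECDBG/14 RPT=6
Sending KEY_ACQUIRE to IKE for src 10.0.0.2, dst 192.0.2.1
142 07/08/2004 13:22:38.890 SEV=5 IP/45 RPT=9
Client transmitting TCP SYN pkt to device 192.0.2.1 on TCP src port 1025, dst port 10000
144 07/08/2004 13:22:58.890 SEV=7 IKEDBG/65 RPT=6 192.0.2.1
IKE AM Initiator FSM error history (struct &0xed2960)
<state>, <event>:
AM_DONE, EV_ERROR_CONT
AM_DONE, EV_ERROR
AM_CTCP_WAIT_REPLY, EV_CTCP_LINK_FAIL
AM_CTCP_WAIT_REPLY, EV_TIMEOUT
151 07/08/2004 13:22:58.890 SEV=5 IP/36 RPT=9
Client fails to connect to headend device 192.0.2.1 on TCP port 10000.
"""

# Event header: sequence, date/time, severity, facility/id, repeat count, optional peer address.
HEADER = re.compile(r"^(\d+) (\S+ \S+) SEV=(\d+) ([A-Z]+)/(\d+) RPT=(\d+)(?: (\S+))?$")

def parse_events(text):
    """Group the log into events: one header line plus the body lines that follow it."""
    events = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            events.append({"seq": int(m.group(1)), "ts": m.group(2), "sev": int(m.group(3)),
                           "facility": m.group(4), "id": int(m.group(5)), "peer": m.group(7),
                           "body": []})
        elif events and line.strip():
            events[-1]["body"].append(line.strip())
    return events

def diagnose_phase1(events):
    """Return a finding dict when the FSM history shows the cTCP transport failed, else None."""
    for ev in events:
        if ev["facility"] != "IKEDBG" or ev["id"] != 65:
            continue
        # History lines read "<state>, <event>"; the earliest transition is listed last.
        history = [tuple(p.strip() for p in l.split(",")) for l in ev["body"] if l.startswith("AM_")]
        if ("AM_CTCP_WAIT_REPLY", "EV_TIMEOUT") in history or \
           ("AM_CTCP_WAIT_REPLY", "EV_CTCP_LINK_FAIL") in history:
            # IP/36 names the headend TCP port the client never got an answer from.
            hits = [re.search(r"TCP port (\d+)", " ".join(e["body"])) for e in events
                    if e["facility"] == "IP" and e["id"] == 36]
            port = int(hits[0].group(1)) if hits and hits[0] else None
            return {"stage": "ctcp-transport", "peer": ev["peer"], "port": port,
                    "check": "port matches on both ends; firewall passes it; public-interface filter permits it"}
    return None
```

Run `diagnose_phase1(parse_events(SAMPLE_LOG))` to see the finding; the IKE proposals are never exchanged in this case, so Phase 1 settings are not the first thing to inspect.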

Yes, the concentrator is using TCP (would enabling UDP disable TCP?);

I'm using the default port (10000) on both the concentrator and the hardware client;

The concentrator is on the public VLAN and I'm not sure if traffic to it hits the firewall or not (checking on it now);

The public interface filter on the concentrator only specifies default action (drop) or whether or not to allow IP source-routed packets - there is no provision for port permission.

Thanks for your interest and assistance,

Marc

Marc,

> The public interface filter on the concentrator only specifies default action (drop) or whether or not to allow IP source-routed packets - there is no provision for port permission.

Click on the "Assign rules to filter" button; you will then see all rules within the filter.

fr.

I applied the IPSEC-ESP, IKE and GRE filters, in that order; no change.

I created a new group and user from scratch in order to start over and I'm not even reaching now:

"Failed to connect to remote network; IKE negotiation failed."

At least I'm not getting the original error strings...

Ugh.