07-09-2004 09:17 AM - edited 03-09-2019 08:00 AM
I know this can't be a difficult problem, but this is a first-time set up for me; I've been setting up multiple IPsec connections from 1710 routers to our 3000 Concentrator and this is the only 3002 hardware client of the lot. I'm getting a phase I error trying to establish a tunnel in client mode; this is the log:
137 07/08/2004 13:22:38.890 SEV=7 IPSECDBG/14 RPT=6
Sending KEY_ACQUIRE to IKE for src ##.##.##.##, dst ##.##.##.##
138 07/08/2004 13:22:38.890 SEV=8 IKEDBG/0 RPT=16
pitcher: received a key acquire message!
139 07/08/2004 13:22:38.890 SEV=4 IKE/41 RPT=12 ##.##.##.##
IKE Initiator: New Phase 1, Intf 12, IKE Peer ##.##.##.##
local Proxy Address ##.##.##.##, remote Proxy Address ##.##.##.##,
SA (ESP-3DES-MD5)
142 07/08/2004 13:22:38.890 SEV=5 IP/45 RPT=9
Client transmitting TCP SYN pkt to device ##.##.##.## on TCP src port #####, dst port #####
144 07/08/2004 13:22:58.890 SEV=7 IKEDBG/65 RPT=6 ##.##.##.##
IKE AM Initiator FSM error history (struct &0xed2960)
<state>, <event>:
AM_DONE, EV_ERROR_CONT
AM_DONE, EV_ERROR
AM_CTCP_WAIT_REPLY, EV_CTCP_LINK_FAIL
AM_CTCP_WAIT_REPLY, EV_TIMEOUT
149 07/08/2004 13:22:58.890 SEV=9 IKEDBG/0 RPT=17 ##.##.##.##
IKE SA AM:6cf0d0d5 terminating:
flags 0x01000021, refcnt 0, tuncnt 0
150 07/08/2004 13:22:58.890 SEV=9 IKEDBG/0 RPT=18
sending delete/delete with reason message
151 07/08/2004 13:22:58.890 SEV=5 IP/36 RPT=9
Client fails to connect to headend device ##.##.##.## on TCP port #####.
I haven't been able to locate any documentation that breaks down this error string to where I can correct the config - any takers?
Thanks,
Marc
07-09-2004 11:59 PM
Hello Marc,
It looks like the 3002 is trying to use IPsec over TCP.
Is that what you configured on the concentrator?
(NB: an IOS router cannot do that.)
If so, then please check:
-port number is the same on both sides.
-this port is open if there is a firewall in between.
-this port is open in filter applied to Public interface of concentrator.
Hope this helps.
Francois.
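To make the diagnosis above mechanical, here is an added example (not part of the thread, and not Cisco code): a small Python script that walks a VPN 3000 / 3002 event log of the kind Marc posted, pulls out the cTCP SYN event, the IKE AM FSM error history and the final "fails to connect" event, and turns them into a diagnosis plus the three checks Francois lists. The embedded log is constructed from the posted lines with placeholder addresses and ports; the parse is only as good as that format. A history that contains `AM_CTCP_WAIT_REPLY, EV_TIMEOUT` followed by a TCP connect failure reads as a transport problem (no TCP reply from the head end on the IPsec-over-TCP port), not an IKE proposal mismatch, which is the distinction the original FSM string does not explain.

```python
"""Classify a VPN 3000 hardware-client IKE log excerpt (added example, not from the thread)."""
import re
from datetime import datetime

# Constructed sample modelled on the posted log; addresses and ports are placeholders.
SAMPLE_LOG = """\
137 07/08/2004 13:22:38.890 SEV=7 IPSECDBG/14 RPT=6
Sending KEY_ACQUIRE to IKE for src 10.0.0.2, dst 192.0.2.1
139 07/08/2004 13:22:38.890 SEV=4 IKE/41 RPT=12 192.0.2.1
IKE Initiator: New Phase 1, Intf 12, IKE Peer 192.0.2.1
local Proxy Address 10.0.0.2, remote Proxy Address 192.0.2.1,
SA (ESP-3DES-MD5)
142 07/08/2004 13:22:38.890 SEV=5 IP/45 RPT=9
Client transmitting TCP SYN pkt to device 192.0.2.1 on TCP src port 4562, dst port 10000
144 07/08/2004 13:22:58.890 SEV=7 IKEDBG/65 RPT=6 192.0.2.1
IKE AM Initiator FSM error history (struct &0xed2960)
<state>, <event>:
AM_DONE, EV_ERROR_CONT
AM_DONE, EV_ERROR
AM_CTCP_WAIT_REPLY, EV_CTCP_LINK_FAIL
AM_CTCP_WAIT_REPLY, EV_TIMEOUT
151 07/08/2004 13:22:58.890 SEV=5 IP/36 RPT=9
Client fails to connect to headend device 192.0.2.1 on TCP port 10000.
"""

# Event header: "<id> <mm/dd/yyyy hh:mm:ss.mmm> SEV=<n> <CLASS/NUM> RPT=<n> [peer]"
EVENT_HDR = re.compile(r"^(\d+) (\d\d/\d\d/\d{4} \d\d:\d\d:\d\d\.\d{3}) SEV=(\d+) (\S+) RPT=\d+")
SYN_RE = re.compile(r"TCP SYN pkt to device (\S+) on TCP src port (\d+), dst port (\d+)")
FAIL_RE = re.compile(r"fails to connect to headend device (\S+) on TCP port (\d+)")
FSM_RE = re.compile(r"^(AM_\w+), (EV_\w+)$")


def parse_events(text):
    """Group raw log lines into events: header fields plus the body lines that follow."""
    events = []
    for line in text.splitlines():
        m = EVENT_HDR.match(line)
        if m:
            events.append({
                "id": int(m.group(1)),
                "ts": datetime.strptime(m.group(2), "%m/%d/%Y %H:%M:%S.%f"),
                "sev": int(m.group(3)),
                "class": m.group(4),
                "lines": [],
            })
        elif events:  # continuation line of the current event
            events[-1]["lines"].append(line)
    return events


def diagnose(text):
    """Return a dict describing what the log shows and which checks to run next."""
    syn = fail = None
    fsm = []  # (state, event) pairs from the IKEDBG/65 error history
    for ev in parse_events(text):
        body = "\n".join(ev["lines"])
        m = SYN_RE.search(body)
        if m:
            syn = {"ts": ev["ts"], "peer": m.group(1), "port": int(m.group(3))}
        m = FAIL_RE.search(body)
        if m:
            fail = {"ts": ev["ts"], "peer": m.group(1), "port": int(m.group(2))}
        if ev["class"] == "IKEDBG/65":
            fsm = [FSM_RE.match(l).groups() for l in ev["lines"] if FSM_RE.match(l)]

    if syn is None:
        # No cTCP SYN was logged: the client is not attempting IPsec over TCP here.
        return {"root_cause": "no_ctcp_attempt", "fsm": fsm}

    result = {"transport": "ipsec-over-tcp", "peer": syn["peer"], "port": syn["port"], "fsm": fsm}
    if fail is not None and ("AM_CTCP_WAIT_REPLY", "EV_TIMEOUT") in fsm:
        # The FSM never left the cTCP wait state: the head end did not answer the SYN.
        result["root_cause"] = "ctcp_timeout"
        result["wait_seconds"] = (fail["ts"] - syn["ts"]).total_seconds()
        result["checks"] = [
            "IPsec over TCP is enabled on the concentrator with port %d" % syn["port"],
            "TCP/%d to %s is permitted by any firewall in the path" % (syn["port"], syn["peer"]),
            "TCP/%d is permitted by the filter on the concentrator's Public interface" % syn["port"],
        ]
    else:
        result["root_cause"] = "other"
    return result


if __name__ == "__main__":
    for k, v in diagnose(SAMPLE_LOG).items():
        print("%-13s %s" % (k, v))
```

Run it against a pasted log instead of the sample and the `checks` list is the to-do list; a result of `no_ctcp_attempt` on a log that should show a TCP SYN means the hardware client is not configured for IPsec over TCP at all.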
07-12-2004 07:00 AM
Yes, the concentrator is using TCP (would enabling UDP disable TCP?);
I'm using the default port (10000) on both the concentrator and the hardware client;
The concentrator is on the public VLAN and I'm not sure if traffic to it hits the firewall or not (checking on it now);
The public interface filter on the concentrator only specifies default action (drop) or whether or not to allow IP source-routed packets - there is no provision for port permission.
Thanks for your interest and assistance,
Marc
07-12-2004 11:10 AM
Marc,
>The public interface filter on the concentrator only specifies default action (drop) or whether or not to allow IP source-routed packets - there is no provision for port permission.
Click on the "Assign rules to filter" button, you will then see all rules within the filter.
fr.
07-12-2004 11:59 AM
I applied the IPSEC-ESP, IKE and GRE filters, in that order; no change.
I created a new group and user from scratch in order to start over and I'm not even reaching now:
"Failed to connect to remote network; IKE negotiation failed."
At least I'm not getting the original error strings...
Ugh.