05-18-2008 11:24 PM - edited 03-09-2019 08:43 PM
I have been having problems setting up a LAN-to-LAN IPsec tunnel between a Cisco Router 181X and a Cisco VPN Concentrator 3000. All configurations are correct, but the tunnel fails to pass IKE Phase 1. IKE status remains at MM_NO_STATE.
Viewing my debug (Cisco Router), it shows IKE Phase 1 completing with QM_IDLE status, then the keys get deleted shortly after.
Partial debug output (see attachment for Cisco 181x & VPN Concentrator 3000):
*May 12 09:04:27.063: ISAKMP:(0:32:HW:2):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*May 12 09:04:27.063: ISAKMP:(0:32:HW:2):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*May 12 09:04:28.235: ISAKMP (0:268435488): received packet from 1.2.3.4 dport 500 sport 500 Global (I) QM_IDLE
*May 12 09:04:28.235: ISAKMP: set new node -585097 to QM_IDLE
*May 12 09:04:28.235: ISAKMP:(0:32:HW:2): processing HASH payload. message ID = -585097
Any ideas what exactly is going on here and what might be wrong?
05-19-2008 06:39 AM
In your concentrator logs:-
61588 05/13/2008 14:57:15.910 SEV=8 IKEDBG/79 RPT=5668
Phase 1 failure against global IKE proposal # 4:
Mismatched attr types for class DH Group:
Rcv'd: Oakley Group 2
Cfg'd: Oakley Group 1
61591 05/13/2008 14:57:15.910 SEV=8 IKEDBG/79 RPT=5669
Phase 1 failure against global IKE proposal # 5:
Mismatched attr types for class DH Group:
Rcv'd: Oakley Group 2
Cfg'd: Oakley Group 7
61594 05/13/2008 14:57:15.910 SEV=8 IKEDBG/79 RPT=5670
Phase 1 failure against global IKE proposal # 6:
Mismatched attr types for class Hash Alg:
Rcv'd: SHA
Cfg'd: MD5
61596 05/13/2008 14:57:15.910 SEV=8 IKEDBG/79 RPT=5671
Phase 1 failure against global IKE proposal # 7:
Mismatched attr types for class DH Group:
Rcv'd: Oakley Group 2
Cfg'd: Oakley Group 5
In your 181x:-
*May 12 09:04:55.771: ISAKMP:(0:33:HW:2): processing vendor id payload
*May 12 09:04:55.771: ISAKMP:(0:33:HW:2): vendor ID seems Unity/DPD but major 4 mismatch
*May 12 09:04:55.771: ISAKMP:(0:33:HW:2):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*May 12 09:04:55.771: ISAKMP:(0:33:HW:2):Old State = IKE_I_MM4 New State = IKE_I_MM4
*May 12 09:04:55.771: ISAKMP:(0:33:HW:2):Send initial contact
*May 12 09:04:55.771: ISAKMP:(0:33:HW:2):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*May 12 09:04:55.771: ISAKMP (0:268435489): ID payload
next-payload : 8
type : 1
address : 4.5.6.7
protocol : 17
port : 500
length : 12
*May 12 09:04:55.771: ISAKMP:(0:33:HW:2):Total payload length: 12
*May 12 09:04:55.775: ISAKMP:(0:33:HW:2): sending packet to 1.2.3.4 my_port 500 peer_port 500 (I) MM_KEY_EXCH
*May 12 09:04:55.775: ISAKMP:(0:33:HW:2):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*May 12 09:04:55.775: ISAKMP:(0:33:HW:2):Old State = IKE_I_MM4 New State = IKE_I_MM5
*May 12 09:04:57.063: ISAKMP (0:268435489): received packet from 1.2.3.4 dport 500 sport 500 Global (I) MM_KEY_EXCH
*May 12 09:04:57.067: ISAKMP:(0:33:HW:2): processing ID payload. message ID = 0
*May 12 09:04:57.067: ISAKMP (0:268435489): ID payload
next-payload : 8
type : 1
address : 1.2.3.4
protocol : 17
port : 500
length : 12
*May 12 09:04:57.067: ISAKMP:(0:33:HW:2):: peer matches *none* of the profiles
I would double-check all IKE & IPsec configurations; you appear to have a settings mismatch.
HTH.
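As an added example (not code from the thread or from Cisco), here is a small Python script that reads the concentrator's IKEDBG/79 "Phase 1 failure" records as quoted above, groups them by IKE proposal number, and prints what the peer actually proposed against what each concentrator proposal has configured. The sample log is constructed from the four records in the reply. One caveat built into the code: each record names only one mismatched attribute class per proposal, so after fixing the reported one (here DH group 2 and SHA) another attribute, such as encryption or lifetime, may still differ and will show up on the next attempt.

```python
"""Summarise VPN 3000 Concentrator IKEDBG/79 'Phase 1 failure' records.

Added example for this thread; not code from Cisco or from the thread.
It parses the concentrator log text as pasted in the reply, groups the
mismatches by IKE proposal number and reports what the peer sent so the
concentrator proposal (or the router's isakmp policy) can be aligned.
"""
import re
from collections import OrderedDict

# Constructed sample, copied from the reply's quoted log: a header line,
# then three detail lines per failed proposal.
SAMPLE_LOG = """\
61588 05/13/2008 14:57:15.910 SEV=8 IKEDBG/79 RPT=5668
Phase 1 failure against global IKE proposal # 4:
Mismatched attr types for class DH Group:
Rcv'd: Oakley Group 2
Cfg'd: Oakley Group 1
61591 05/13/2008 14:57:15.910 SEV=8 IKEDBG/79 RPT=5669
Phase 1 failure against global IKE proposal # 5:
Mismatched attr types for class DH Group:
Rcv'd: Oakley Group 2
Cfg'd: Oakley Group 7
61594 05/13/2008 14:57:15.910 SEV=8 IKEDBG/79 RPT=5670
Phase 1 failure against global IKE proposal # 6:
Mismatched attr types for class Hash Alg:
Rcv'd: SHA
Cfg'd: MD5
61596 05/13/2008 14:57:15.910 SEV=8 IKEDBG/79 RPT=5671
Phase 1 failure against global IKE proposal # 7:
Mismatched attr types for class DH Group:
Rcv'd: Oakley Group 2
Cfg'd: Oakley Group 5
"""

PROPOSAL_RE = re.compile(r"Phase 1 failure against global IKE proposal # (\d+):")
CLASS_RE = re.compile(r"Mismatched attr types for class (.+?):")
RCVD_RE = re.compile(r"Rcv'd:\s*(.+)")
CFGD_RE = re.compile(r"Cfg'd:\s*(.+)")


def parse_phase1_failures(log_text):
    """Return {proposal_number: {"class", "received", "configured"}}.

    The concentrator logs one mismatched attribute class per proposal, so an
    entry only tells you the first attribute that differed for that proposal.
    """
    failures = OrderedDict()
    current = None
    for line in log_text.splitlines():
        line = line.strip()
        m = PROPOSAL_RE.search(line)
        if m:
            current = int(m.group(1))
            failures[current] = {"class": None, "received": None, "configured": None}
            continue
        if current is None:
            continue  # text before the first proposal record
        for key, rx in (("class", CLASS_RE), ("received", RCVD_RE), ("configured", CFGD_RE)):
            m = rx.search(line)
            if m:
                failures[current][key] = m.group(1).strip()
                break
    return failures


def peer_attributes(failures):
    """Collect, per attribute class, the values the peer proposed.

    A router with several isakmp policies sends several transforms, so a
    class may legitimately show more than one received value; keep them all.
    """
    attrs = {}
    for entry in failures.values():
        cls, rcvd = entry["class"], entry["received"]
        if cls is None or rcvd is None:
            continue
        attrs.setdefault(cls, set()).add(rcvd)
    return {cls: sorted(vals) for cls, vals in attrs.items()}


def fix_suggestions(failures):
    """One line per proposal: which attribute to change and to what."""
    return [
        "proposal %d: change %s from %s to %s"
        % (num, e["class"], e["configured"], e["received"])
        for num, e in failures.items()
    ]


if __name__ == "__main__":
    found = parse_phase1_failures(SAMPLE_LOG)
    print("Peer's Phase 1 attributes (from Rcv'd fields):", peer_attributes(found))
    for line in fix_suggestions(found):
        print(line)
```

Run it against a larger paste of the concentrator event log (SEV=8 IKEDBG filtering enabled) and the Rcv'd values tell you which of the router's `crypto isakmp policy` settings the concentrator has no matching proposal for; proposals 1 to 3 are not in the quoted excerpt, so they are not reported here.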
05-19-2008 06:40 AM
.
05-21-2008 02:12 AM
From the debug, it does show that there is a mismatch but doesn't exactly tell you what it is. On further investigation, you can see {ISAKMP:(0:33:HW:2): processing DELETE_WITH_REASON payload, message ID = 613874337, reason: Unknown delete reason!}: IKE deleting the established SA.
I found a similar post on a commercial forum, but the solution is not provided for free.
Could it be a hardware/software (IOS) problem between the Cisco VPN Concentrator 3000 and the Cisco Router 181x?
Regards,
Elly
05-21-2008 04:41 AM
Compare the configured IPsec transform set on the router with the IPsec SA configured on the concentrator.