Site-to-site VPN. Can you spot the problem in this debug?

neilrmessick
Level 1

I did a site-to-site VPN that worked for about a week and won't come back up. Can anyone spot the problem? It's an IOS router on one side, and an ASA on the other. There are 5 VPNs on the box, the others are working fine. I tried to isolate the commands for this tunnel but some others may be mixed in.

000443: *Mar 14 15:28:47: ISAKMP:(0:3:SW:1):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

000444: *Mar 14 15:28:50: ISAKMP (0:0): received packet from 199.x.x. dport 500 sport 500 Global (N) NEW SA

000445: *Mar 14 15:28:50: ISAKMP: Created a peer struct for 199.x.x.x, peer port 500

000446: *Mar 14 15:28:50: ISAKMP: New peer created peer = 0x640CB9E0 peer_handle = 0x80000015

000447: *Mar 14 15:28:50: ISAKMP: Locking peer struct 0x640CB9E0, IKE refcount 1 for crypto_isakmp_process_block

000448: *Mar 14 15:28:50: ISAKMP: local port 500, remote port 500

000449: *Mar 14 15:28:50: insert sa successfully sa = 64040BD8

000450: *Mar 14 15:28:50: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

000451: *Mar 14 15:28:50: ISAKMP:(0:0:N/A:0):Old State = IKE_READY  New State =IKE_R_MM1

000452: *Mar 14 15:28:50: ISAKMP:(0:0:N/A:0): processing SA payload. message ID= 0

000453: *Mar 14 15:28:50: ISAKMP:(0:0:N/A:0): processing vendor id payload

000454: *Mar 14 15:28:50: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 123 mismatch

000455: *Mar 14 15:28:50: ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v2

000456: *Mar 14 15:28:50: ISAKMP:(0:0:N/A:0): processing vendor id payload

000457: *Mar 14 15:28:50: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 157 mismatch

000458: *Mar 14 15:28:50: ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v3

000459: *Mar 14 15:28:50: ISAKMP:(0:0:N/A:0): processing vendor id payload

000460: *Mar 14 15:28:50: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 69 mismatch

000461: *Mar 14 15:28:50: ISAKMP:(0:0:N/A:0): processing vendor id payload

000462: *Mar 14 15:28:50: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 194 mismatch

000463: *Mar 14 15:28:50: ISAKMP:(0:0:N/A:0):Looking for a matching key for 199.x.x.x in default

000464: *Mar 14 15:28:50: ISAKMP:(0:0:N/A:0): : success

000465: *Mar 14 15:28:50: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 199.x.x.x

000466: *Mar 14 15:28:50: ISAKMP:(0:0:N/A:0): local preshared key found

000467: *Mar 14 15:28:50: ISAKMP : Scanning profiles for xauth ...

000468: *Mar 14 15:28:50: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 1 policy

000469: *Mar 14 15:28:50: ISAKMP:      default group 2

000470: *Mar 14 15:28:50: ISAKMP:      encryption AES-CBC

000471: *Mar 14 15:28:50: ISAKMP:      keylength of 256

000472: *Mar 14 15:28:50: ISAKMP:      hash SHA

000473: *Mar 14 15:28:50: ISAKMP:      auth pre-share

000474: *Mar 14 15:28:50: ISAKMP:      life type in seconds

000475: *Mar 14 15:28:50: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80

000476: *Mar 14 15:28:50: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!

000477: *Mar 14 15:28:50: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3

000478: *Mar 14 15:28:50: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 2 against priority 1 policy

000479: *Mar 14 15:28:50: ISAKMP:      default group 2

000480: *Mar 14 15:28:50: ISAKMP:      encryption AES-CBC

000481: *Mar 14 15:28:50: ISAKMP:      keylength of 192

000482: *Mar 14 15:28:50: ISAKMP:      hash SHA

000483: *Mar 14 15:28:50: ISAKMP:      auth pre-share

000484: *Mar 14 15:28:50: ISAKMP:      life type in seconds

000485: *Mar 14 15:28:50: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80

000486: *Mar 14 15:28:50: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!

000487: *Mar 14 15:28:50: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3

000488: *Mar 14 15:28:50: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 3 against priority 1 policy

000489: *Mar 14 15:28:50: ISAKMP:      default group 2

000490: *Mar 14 15:28:50: ISAKMP:      encryption AES-CBC

000491: *Mar 14 15:28:50: ISAKMP:      keylength of 128

000492: *Mar 14 15:28:50: ISAKMP:      hash SHA

000493: *Mar 14 15:28:50: ISAKMP:      auth pre-share

000494: *Mar 14 15:28:50: ISAKMP:      life type in seconds

000495: *Mar 14 15:28:50: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80

000496: *Mar 14 15:28:50: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!

000497: *Mar 14 15:28:50: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3

000498: *Mar 14 15:28:50: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 4 against priority 1 policy

000499: *Mar 14 15:28:50: ISAKMP:      default group 2

000500: *Mar 14 15:28:50: ISAKMP:      encryption 3DES-CBC

000501: *Mar 14 15:28:50: ISAKMP:      hash SHA

000502: *Mar 14 15:28:50: ISAKMP:      auth pre-share

000503: *Mar 14 15:28:50: ISAKMP:      life type in seconds

000504: *Mar 14 15:28:50: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80

000505: *Mar 14 15:28:50: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 3

000506: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1): processing vendor id payload

000507: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1): vendor ID seems Unity/DPD but major 123 mismatch

000508: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1): vendor ID is NAT-T v2

000509: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1): processing vendor id payload

000510: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1): vendor ID seems Unity/DPD but major 157 mismatch

000511: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1): vendor ID is NAT-T v3

000512: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1): processing vendor id payload

000513: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1): vendor ID seems Unity/DPD but major 69 mismatch

000514: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1): processing vendor id payload

000515: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1): vendor ID seems Unity/DPD but major 194 mismatch

000516: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

000517: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1):Old State = IKE_R_MM1  New State = IKE_R_MM1

000518: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1): constructed NAT-T vendor-03 ID

000519: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1): sending packet to 199.x.x.x my_port 500 peer_port 500 (R) MM_SA_SETUP

000520: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

000521: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1):Old State = IKE_R_MM1  New State = IKE_R_MM2

000522: *Mar 14 15:28:51: ISAKMP (0:134217732): received packet from 199.x.x.x.x dport 500 sport 500 Global (R) MM_SA_SETUP

000523: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

000524: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1):Old State = IKE_R_MM2  New State = IKE_R_MM3

000525: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1): processing KE payload. message ID = 0

000526: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1): processing NONCE payload. message ID = 0

000527: *Mar 14 15:28:51: ISAKMP:(0:0:N/A:0):Looking for a matching key for 199.x.x.x in default

000528: *Mar 14 15:28:51: ISAKMP:(0:0:N/A:0): : success

000529: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1):found peer pre-shared key matching 199.x.x.x.

000530: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1):SKEYID state generated

000531: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1): processing vendor id payload

000532: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1): vendor ID is Unity

000533: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1): processing vendor id payload

000534: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1): vendor ID seems Unity/DPD but major 206 mismatch

000535: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1): vendor ID is XAUTH

000536: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1): processing vendor id payload

000537: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1): speaking to another IOS box!

000538: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1): processing vendor id payload

000539: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1):vendor ID seems Unity/DPD but hash mismatch

000540: *Mar 14 15:28:51: ISAKMP:received payload type 20

000541: *Mar 14 15:28:51: ISAKMP (0:134217732): NAT found, the node inside NAT

000542: *Mar 14 15:28:51: ISAKMP:received payload type 20

000543: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

000544: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1):Old State = IKE_R_MM3  New State = IKE_R_MM3

000545: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1): sending packet to 199.x.x.x. my_port 500 peer_port 500 (R) MM_KEY_EXCH

000546: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

000547: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1):Old State = IKE_R_MM3  New State = IKE_R_MM4

000548: *Mar 14 15:28:51: ISAKMP (0:134217732): received packet from 199.xx..x.x dport 4500 sport 4500 Global (R) MM_KEY_EXCH

000549: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

000550: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1):Old State = IKE_R_MM4  New State = IKE_R_MM5

000551: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1): processing ID payload. message ID = 0

000552: *Mar 14 15:28:51: ISAKMP (0:134217732): ID payload

        next-payload : 8

        type         : 1

        address      : 199.x.x.x

        protocol     : 17

        port         : 0

        length       : 12

000553: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1):: peer matches *none* of the profiles

000554: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1): processing HASH payload. message ID = 0

000555: *Mar 14 15:28:51: ISAKMP:received payload type 17

000556: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1): processing vendor id payload

000557: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1): vendor ID is DPD

000558: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1):SA authentication status:        authenticated

000559: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1):SA has been authenticated with 199.x.x.x

000560: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1):Detected port floating to port = 4500

000561: *Mar 14 15:28:51: ISAKMP: Trying to insert a peer 10.1.10.185/199.x.x..x/4500/,  and inserted successfully 640CB9E0.

000562: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1):Setting UDP ENC peer struct 0x63EC9A58 sa= 0x64040BD8

000563: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

000564: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1):Old State = IKE_R_MM5  New State = IKE_R_MM5

000565: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR

000566: *Mar 14 15:28:51: ISAKMP (0:134217732): ID payload

        next-payload : 8

        type         : 1

        address      : 10.1.10.185

        protocol     : 17

        port         : 0

        length       : 12

000567: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1):Total payload length: 12

000568: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1): sending packet to 199.x.x.x my_port 4500 peer_port 4500 (R) MM_KEY_EXCH

000569: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

000570: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1):Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE

000571: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE

000572: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

000573: *Mar 14 15:28:51: ISAKMP (0:134217732): received packet from 199.x.x..x dport 4500 sport 4500 Global (R) QM_IDLE

000574: *Mar 14 15:28:51: ISAKMP: set new node 397879553 to QM_IDLE

000575: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1): processing HASH payload. message ID = 397879553

000576: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1): processing DELETE payload. messageID = 397879553

000577: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1):peer does not do paranoid keepalives.

000578: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1):deleting SA reason "No reason" state (R) QM_IDLE       (peer 199.x.x.x)

000579: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1):deleting node 397879553 error FALSEreason "Informational (in) state 1"

000580: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL

000581: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA

000582: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1):deleting SA reason "No reason" state (R) QM_IDLE       (peer 199.x.x.x)

000583: *Mar 14 15:28:51: ISAKMP: Unlocking IKE struct 0x640CB9E0 for isadb_mark_sa_deleted(), count 0

000584: *Mar 14 15:28:51: ISAKMP: Deleting peer node by peer_reap for 199.x.x.x.x: 640CB9E0

000585: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1):deleting node 397879553 error FALSEreason "IKE deleted"

000586: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

000587: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1):Old State = IKE_DEST_SA  New State = IKE_DEST_SA
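
Added example, not part of the original post: a small Python triage of `debug crypto isakmp` output in the format shown above. It reports how each offered transform fared against the local policy and whether the peer sent a DELETE after Phase 1 completed; the name `summarize` and the dictionary keys are hypothetical, and the sample is a shortened excerpt of the lines above.

```python
import re

# Shortened excerpt of the debug output in the post above (sample input).
SAMPLE = """\
000468: *Mar 14 15:28:50: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 1 policy
000470: *Mar 14 15:28:50: ISAKMP:      encryption AES-CBC
000471: *Mar 14 15:28:50: ISAKMP:      keylength of 256
000476: *Mar 14 15:28:50: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
000477: *Mar 14 15:28:50: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
000498: *Mar 14 15:28:50: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 4 against priority 1 policy
000500: *Mar 14 15:28:50: ISAKMP:      encryption 3DES-CBC
000505: *Mar 14 15:28:50: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 3
000541: *Mar 14 15:28:51: ISAKMP (0:134217732): NAT found, the node inside NAT
000570: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1):Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE
000576: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1): processing DELETE payload. messageID = 397879553
000581: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA
"""

TRANSFORM = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
ATTR = re.compile(r"ISAKMP:\s{2,}(encryption|keylength|hash|auth)(?: of)?\s+(\S+)")
STATE = re.compile(r"Old State = (\S+)\s+New State\s*=\s*(\S+)")

def summarize(text):
    """Hypothetical helper: condense IKE Phase 1 debug lines into a dict."""
    out = {"transforms": [], "states": [], "nat": False,
           "p1_complete": False, "delete_after_p1": False}
    cur = None  # transform proposal currently being evaluated
    for line in text.splitlines():
        if m := TRANSFORM.search(line):
            cur = {"id": int(m[1]), "policy": int(m[2]), "accepted": None, "reason": None}
            out["transforms"].append(cur)
        elif cur and (m := ATTR.search(line)):
            cur[m[1]] = m[2]
        elif cur and "does not match policy" in line:
            cur["reason"] = line.split("):", 1)[-1].strip()
        elif cur and "atts are" in line:  # verdict closes the proposal
            cur["accepted"] = "not acceptable" not in line
            cur = None
        elif m := STATE.search(line):
            if m[1] != m[2]:  # skip self-transitions
                out["states"].append((m[1], m[2]))
            out["p1_complete"] |= m[2] == "IKE_P1_COMPLETE"
        elif "processing DELETE payload" in line:
            out["delete_after_p1"] |= out["p1_complete"]
        elif "NAT found" in line:
            out["nat"] = True
    return out

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

A DELETE received from the peer shows up locally only as `reason "No reason"`; the debug on the device that sent it is where a cause would be recorded.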
