07-16-2012 04:53 PM - edited 03-04-2019 04:59 PM
Hi guys,
My router is a Cisco 2811 with IOS version 12.4(22)T1. It had established IPSec with another peer (203.*.*.250, shown below) for a long time, until recently we made it re-establish the IPSec VPN with another peer (203.*.*.30, shown below). It showed that the new SA is active, but the result still showed there were 4 deleted SAs. The 4 obsolete SA entries won't vanish no matter what I do, i.e. reset the interface, re-create the crypto map, clear all SAs, etc.
From numerous tests we knew that the VPN doesn't work even though the desired SA is there and remains active. I reckon it has something to do with those deleted SAs (I mean it is supposed to show only the last one if it is working fine). I don't know how it came to be like this, as we did pretty much the same thing on other VPN routers with no problems.
The relevant configuration is here:
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 5
crypto isakmp key 6 r3D4xwwR$m address 203.*.*.30
!
!
crypto ipsec transform-set ESP_3DES_SHA esp-3des esp-sha-hmac
!
crypto map VPN 10 ipsec-isakmp
 set peer 203.*.*.30
 set transform-set ESP_3DES_SHA
 match address 105
!
access-list 105 permit ip 192.168.21.0 0.0.0.255 any
Please help! Thanks!
Regards,
Alex
07-16-2012 11:43 PM
Hi John,
Here is a portion of the debugging info:
643931: Jul 17 06:41:06.744: ISAKMP:(0): vendor ID is NAT-T v2
643932: Jul 17 06:41:06.744: ISAKMP:(0): processing vendor id payload
643933: Jul 17 06:41:06.744: ISAKMP:(0): vendor ID seems Unity/DPD but major 168 mismatch
643934: Jul 17 06:41:06.744: ISAKMP:(0): processing vendor id payload
643935: Jul 17 06:41:06.744: ISAKMP:(0): vendor ID seems Unity/DPD but major 221 mismatch
643936: Jul 17 06:41:06.744: ISAKMP:(0): processing vendor id payload
643937: Jul 17 06:41:06.744: ISAKMP:(0): vendor ID is DPD
643938: Jul 17 06:41:06.744: ISAKMP:(0): processing vendor id payload
643939: Jul 17 06:41:06.744: ISAKMP:(0): vendor ID seems Unity/DPD but major 2 mismatch
643940: Jul 17 06:41:06.744: ISAKMP:(0):No pre-shared key with 203.*.*.250!
643941: Jul 17 06:41:06.744: ISAKMP : Scanning profiles for xauth ...
643942: Jul 17 06:41:06.744: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
643943: Jul 17 06:41:06.744: ISAKMP: life type in seconds
643944: Jul 17 06:41:06.744: ISAKMP: life duration (basic) of 28800
643945: Jul 17 06:41:06.744: ISAKMP: encryption 3DES-CBC
643946: Jul 17 06:41:06.744: ISAKMP: auth pre-share
643947: Jul 17 06:41:06.744: ISAKMP: hash SHA
643948: Jul 17 06:41:06.744: ISAKMP: default group 5
643949: Jul 17 06:41:06.744: ISAKMP:(0):Preshared authentication offered but does not match policy!
643950: Jul 17 06:41:06.744: ISAKMP:(0):atts are not acceptable. Next payload is 0
643951: Jul 17 06:41:06.744: ISAKMP:(0):no offers accepted!
643952: Jul 17 06:41:06.744: ISAKMP:(0): phase 1 SA policy not acceptable! (local 123.209.60.106 remote 203.*.*.250)
643953: Jul 17 06:41:06.748: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: construct_fail_ag_init
643954: Jul 17 06:41:06.748: ISAKMP:(0): Failed to construct AG informational message.
643955: Jul 17 06:41:06.748: ISAKMP:(0): sending packet to 203.*.*.250 my_port 500 peer_port 500 (R) MM_NO_STATE
643956: Jul 17 06:41:06.748: ISAKMP:(0):Sending an IKE IPv4 Packet.
643957: Jul 17 06:41:06.748: ISAKMP:(0):peer does not do paranoid keepalives.
643958: Jul 17 06:41:06.748: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 203.*.*.250)
643959: Jul 17 06:41:06.748: ISAKMP:(0): processing vendor id payload
643960: Jul 17 06:41:06.748: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
643961: Jul 17 06:41:06.748: ISAKMP (0): vendor ID is NAT-T RFC 3947
643962: Jul 17 06:41:06.748: ISAKMP:(0): processing vendor id payload
643963: Jul 17 06:41:06.748: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
643964: Jul 17 06:41:06.748: ISAKMP:(0): vendor ID is NAT-T v3
643965: Jul 17 06:41:06.748: ISAKMP:(0): processing vendor id payload
643966: Jul 17 06:41:06.748: ISAKMP:(0): vendor ID seems Unity/DPD but major 164 mismatch
643967: Jul 17 06:41:06.748: ISAKMP:(0): processing vendor id payload
643968: Jul 17 06:41:06.748: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
643969: Jul 17 06:41:06.748: ISAKMP:(0): vendor ID is NAT-T v2
643970: Jul 17 06:41:06.748: ISAKMP:(0): processing vendor id payload
643971: Jul 17 06:41:06.748: ISAKMP:(0): vendor ID seems Unity/DPD but major 168 mismatch
643972: Jul 17 06:41:06.748: ISAKMP:(0): processing vendor id payload
643973: Jul 17 06:41:06.748: ISAKMP:(0): vendor ID seems Unity/DPD but major 221 mismatch
643974: Jul 17 06:41:06.748: ISAKMP:(0): processing vendor id payload
643975: Jul 17 06:41:06.748: ISAKMP:(0): vendor ID is DPD
643976: Jul 17 06:41:06.752: ISAKMP:(0): processing vendor id payload
643977: Jul 17 06:41:06.752: ISAKMP:(0): vendor ID seems Unity/DPD but major 2 mismatch
643978: Jul 17 06:41:06.752: ISAKMP (0): FSM action returned error: 2
643979: Jul 17 06:41:06.752: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
643980: Jul 17 06:41:06.752: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1
643981: Jul 17 06:41:06.752: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 203.*.*.250)
643982: Jul 17 06:41:06.752: ISAKMP: Unlocking peer struct 0x4A0AE4DC for isadb_mark_sa_deleted(), count 0
643983: Jul 17 06:41:06.752: ISAKMP: Deleting peer node by peer_reap for 203.176.110.250: 4A0AE4DC
643984: Jul 17 06:41:06.752: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
643985: Jul 17 06:41:06.752: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_DEST_SA
643986: Jul 17 06:41:06.752: IPSEC(key_engine): got a queue event with 1 KMI message(s)
643987: Jul 17 06:41:06.756: ISAKMP:(0):deleting SA reason "No reason" state (R) MM_NO_STATE (peer 203.*.*.250)
643988: Jul 17 06:41:06.756: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_ERROR
643989: Jul 17 06:41:06.756: ISAKMP:(0):Old State = IKE_DEST_SA New State = IKE_DEST_SA
643990: Jul 17 06:41:06.784: ISAKMP:(0):purging SA., sa=49C04424, delme=49C04424
643991: Jul 17 06:41:11.032: ISAKMP:(1473):purging node -67900904
643992: Jul 17 06:41:12.308: ISAKMP (1473): received packet from 203.*.*.30 dport 500 sport 500 Global (R) QM_IDLE
643993: Jul 17 06:41:12.308: ISAKMP: set new node -969740779 to QM_IDLE
643994: Jul 17 06:41:12.308: ISAKMP:(1473): processing HASH payload. message ID = -969740779
643995: Jul 17 06:41:12.308: ISAKMP:(1473): processing NOTIFY DPD/R_U_THERE protocol 1
spi 0, message ID = -969740779, sa = 497A0AEC
643996: Jul 17 06:41:12.308: ISAKMP:(1473):deleting node -969740779 error FALSE reason "Informational (in) state 1"
643997: Jul 17 06:41:12.308: ISAKMP:(1473):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
643998: Jul 17 06:41:12.308: ISAKMP:(1473):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
643999: Jul 17 06:41:12.312: ISAKMP:(1473):DPD/R_U_THERE received from peer 203.*.*.30, sequence 0x195C0
644000: Jul 17 06:41:12.312: ISAKMP: set new node 2127039641 to QM_IDLE
644001: Jul 17 06:41:12.312: ISAKMP:(1473):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
spi 1211805536, message ID = 2127039641
644002: Jul 17 06:41:12.312: ISAKMP:(1473): seq. no 0x195C0
644003: Jul 17 06:41:12.312: ISAKMP:(1473): sending packet to 203.*.*.30 my_port 500 peer_port 500 (R) QM_IDLE
644004: Jul 17 06:41:12.312: ISAKMP:(1473):Sending an IKE IPv4 Packet.
644005: Jul 17 06:41:12.312: ISAKMP:(1473):purging node 2127039641
644006: Jul 17 06:41:12.312: ISAKMP:(1473):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
644007: Jul 17 06:41:12.312: ISAKMP:(1473):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
644008: Jul 17 06:41:12.748: ISAKMP (0): received packet from 203.*.*.250 dport 500 sport 500 Global (R) MM_NO_STATE
644009: Jul 17 06:41:16.672: ISAKMP:(1473):purging node 82586520
644010: Jul 17 06:41:18.176: ISAKMP (1473): received packet from 203.*.*.30 dport 500 sport 500 Global (R) QM_IDLE
644011: Jul 17 06:41:18.176: ISAKMP: set new node -761462733 to QM_IDLE
644012: Jul 17 06:41:18.180: ISAKMP:(1473): processing HASH payload. message ID = -761462733
644013: Jul 17 06:41:18.180: ISAKMP:(1473): processing NOTIFY DPD/R_U_THERE protocol 1
spi 0, message ID = -761462733, sa = 497A0AEC
644014: Jul 17 06:41:18.180: ISAKMP:(1473):deleting node -761462733 error FALSE reason "Informational (in) state 1"
644015: Jul 17 06:41:18.180: ISAKMP:(1473):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
644016: Jul 17 06:41:18.180: ISAKMP:(1473):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
644017: Jul 17 06:41:18.180: ISAKMP:(1473):DPD/R_U_THERE received from peer 203.*.*.30, sequence 0x195C1
644018: Jul 17 06:41:18.180: ISAKMP: set new node 1872903738 to QM_IDLE
644019: Jul 17 06:41:18.180: ISAKMP:(1473):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
spi 1211805536, message ID = 1872903738
644020: Jul 17 06:41:18.180: ISAKMP:(1473): seq. no 0x195C1
644021: Jul 17 06:41:18.180: ISAKMP:(1473): sending packet to 203.*.*.30 my_port 500 peer_port 500 (R) QM_IDLE
644022: Jul 17 06:41:18.180: ISAKMP:(1473):Sending an IKE IPv4 Packet.
644023: Jul 17 06:41:18.184: ISAKMP:(1473):purging node 1872903738
644024: Jul 17 06:41:18.184: ISAKMP:(1473):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
644025: Jul 17 06:41:18.184: ISAKMP:(1473):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
644026: Jul 17 06:41:21.736: ISAKMP (0): received packet from 203.*.*.250 dport 500 sport 500 Global (N) NEW SA
644027: Jul 17 06:41:21.736: ISAKMP: Created a peer struct for 203.*.*.250, peer port 500
644028: Jul 17 06:41:21.736: ISAKMP: New peer created peer = 0x49B1167C peer_handle = 0x800206BC
644029: Jul 17 06:41:21.740: ISAKMP: Locking peer struct 0x49B1167C, refcount 1 for crypto_isakmp_process_block
644030: Jul 17 06:41:21.740: ISAKMP: local port 500, remote port 500
644031: Jul 17 06:41:21.740: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 49D03C1C
644032: Jul 17 06:41:21.740: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
644033: Jul 17 06:41:21.740: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
644034: Jul 17 06:41:21.740: ISAKMP:(0): processing SA payload. message ID = 0
644035: Jul 17 06:41:21.740: ISAKMP:(0): processing vendor id payload
644036: Jul 17 06:41:21.740: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
644037: Jul 17 06:41:21.740: ISAKMP (0): vendor ID is NAT-T RFC 3947
644038: Jul 17 06:41:21.740: ISAKMP:(0): processing vendor id payload
644039: Jul 17 06:41:21.740: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
644040: Jul 17 06:41:21.740: ISAKMP:(0): vendor ID is NAT-T v3
644041: Jul 17 06:41:21.740: ISAKMP:(0): processing vendor id payload
644042: Jul 17 06:41:21.740: ISAKMP:(0): vendor ID seems Unity/DPD but major 164 mismatch
644043: Jul 17 06:41:21.740: ISAKMP:(0): processing vendor id payload
644044: Jul 17 06:41:21.740: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
644045: Jul 17 06:41:21.740: ISAKMP:(0): vendor ID is NAT-T v2
644046: Jul 17 06:41:21.740: ISAKMP:(0): processing vendor id payload
644047: Jul 17 06:41:21.744: ISAKMP:(0): vendor ID seems Unity/DPD but major 168 mismatch
644048: Jul 17 06:41:21.744: ISAKMP:(0): processing vendor id payload
644049: Jul 17 06:41:21.744: ISAKMP:(0): vendor ID seems Unity/DPD but major 221 mismatch
644050: Jul 17 06:41:21.744: ISAKMP:(0): processing vendor id payload
644051: Jul 17 06:41:21.744: ISAKMP:(0): vendor ID is DPD
644052: Jul 17 06:41:21.744: ISAKMP:(0): processing vendor id payload
644053: Jul 17 06:41:21.744: ISAKMP:(0): vendor ID seems Unity/DPD but major 2 mismatch
644054: Jul 17 06:41:21.744: ISAKMP:(0):No pre-shared key with 203.*.*.250!
644055: Jul 17 06:41:21.744: ISAKMP : Scanning profiles for xauth ...
644056: Jul 17 06:41:21.744: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
644057: Jul 17 06:41:21.744: ISAKMP: life type in seconds
644058: Jul 17 06:41:21.744: ISAKMP: life duration (basic) of 28800
644059: Jul 17 06:41:21.744: ISAKMP: encryption 3DES-CBC
644060: Jul 17 06:41:21.744: ISAKMP: auth pre-share
644061: Jul 17 06:41:21.744: ISAKMP: hash SHA
644062: Jul 17 06:41:21.744: ISAKMP: default group 5
644063: Jul 17 06:41:21.744: ISAKMP:(0):Preshared authentication offered but does not match policy!
644064: Jul 17 06:41:21.744: ISAKMP:(0):atts are not acceptable. Next payload is 0
644065: Jul 17 06:41:21.744: ISAKMP:(0):no offers accepted!
644066: Jul 17 06:41:21.744: ISAKMP:(0): phase 1 SA policy not acceptable! (local 123.209.60.106 remote 203.*.*.250)
644067: Jul 17 06:41:21.744: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: construct_fail_ag_init
644068: Jul 17 06:41:21.744: ISAKMP:(0): Failed to construct AG informational message.
644069: Jul 17 06:41:21.744: ISAKMP:(0): sending packet to 203.*.*.250 my_port 500 peer_port 500 (R) MM_NO_STATE
644070: Jul 17 06:41:21.744: ISAKMP:(0):Sending an IKE IPv4 Packet.
644071: Jul 17 06:41:21.744: ISAKMP:(0):peer does not do paranoid keepalives.
644072: Jul 17 06:41:21.744: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 203.*.*.250)
644073: Jul 17 06:41:21.748: ISAKMP:(0): processing vendor id payload
644074: Jul 17 06:41:21.748: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
644075: Jul 17 06:41:21.748: ISAKMP (0): vendor ID is NAT-T RFC 3947
644076: Jul 17 06:41:21.748: ISAKMP:(0): processing vendor id payload
644077: Jul 17 06:41:21.748: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
644078: Jul 17 06:41:21.748: ISAKMP:(0): vendor ID is NAT-T v3
644079: Jul 17 06:41:21.748: ISAKMP:(0): processing vendor id payload
644080: Jul 17 06:41:21.748: ISAKMP:(0): vendor ID seems Unity/DPD but major 164 mismatch
644081: Jul 17 06:41:21.748: ISAKMP:(0): processing vendor id payload
644082: Jul 17 06:41:21.748: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
644083: Jul 17 06:41:21.748: ISAKMP:(0): vendor ID is NAT-T v2
644084: Jul 17 06:41:21.748: ISAKMP:(0): processing vendor id payload
644085: Jul 17 06:41:21.748: ISAKMP:(0): vendor ID seems Unity/DPD but major 168 mismatch
644086: Jul 17 06:41:21.748: ISAKMP:(0): processing vendor id payload
644087: Jul 17 06:41:21.748: ISAKMP:(0): vendor ID seems Unity/DPD but major 221 mismatch
644088: Jul 17 06:41:21.748: ISAKMP:(0): processing vendor id payload
644089: Jul 17 06:41:21.748: ISAKMP:(0): vendor ID is DPD
644090: Jul 17 06:41:21.748: ISAKMP:(0): processing vendor id payload
644091: Jul 17 06:41:21.748: ISAKMP:(0): vendor ID seems Unity/DPD but major 2 mismatch
644092: Jul 17 06:41:21.748: ISAKMP (0): FSM action returned error: 2
644093: Jul 17 06:41:21.748: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
644094: Jul 17 06:41:21.748: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1
644095: Jul 17 06:41:21.748: ISAKMP:(0):purging SA., sa=49C4D2D4, delme=49C4D2D4
644096: Jul 17 06:41:21.752: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 203.*.*.250)
644097: Jul 17 06:41:21.752: ISAKMP: Unlocking peer struct 0x49B1167C for isadb_mark_sa_deleted(), count 0
644098: Jul 17 06:41:21.752: ISAKMP: Deleting peer node by peer_reap for 203.*.*.250: 49B1167C
644099: Jul 17 06:41:21.752: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
644100: Jul 17 06:41:21.752: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_DEST_SA
644101: Jul 17 06:41:21.752: IPSEC(key_engine): got a queue event with 1 KMI message(s)
644102: Jul 17 06:41:21.752: ISAKMP:(0):deleting SA reason "No reason" state (R) MM_NO_STATE (peer 203.*.*.250)
644103: Jul 17 06:41:21.752: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_ERROR
644104: Jul 17 06:41:21.752: ISAKMP:(0):Old State = IKE_DEST_SA New State = IKE_DEST_SA
644105: Jul 17 06:41:22.312: ISAKMP:(1473):purging node 547235705
644106: Jul 17 06:41:23.916: ISAKMP (1473): received packet from 203.*.*.30 dport 500 sport 500 Global (R) QM_IDLE
644107: Jul 17 06:41:23.916: ISAKMP: set new node -949489298 to QM_IDLE
644108: Jul 17 06:41:23.920: ISAKMP:(1473): processing HASH payload. message ID = -949489298
644109: Jul 17 06:41:23.920: ISAKMP:(1473): processing NOTIFY DPD/R_U_THERE protocol 1
spi 0, message ID = -949489298, sa = 497A0AEC
644110: Jul 17 06:41:23.920: ISAKMP:(1473):deleting node -949489298 error FALSE reason "Informational (in) state 1"
644111: Jul 17 06:41:23.920: ISAKMP:(1473):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
644112: Jul 17 06:41:23.920: ISAKMP:(1473):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
644113: Jul 17 06:41:23.920: ISAKMP:(1473):DPD/R_U_THERE received from peer 203.*.*.30, sequence 0x195C2
644114: Jul 17 06:41:23.920: ISAKMP: set new node -741730227 to QM_IDLE
644115: Jul 17 06:41:23.920: ISAKMP:(1473):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
spi 1211805536, message ID = -741730227
644116: Jul 17 06:41:23.920: ISAKMP:(1473): seq. no 0x195C2
644117: Jul 17 06:41:23.920: ISAKMP:(1473): sending packet to 203.*.*.30 my_port 500 peer_port 500 (R) QM_IDLE
644118: Jul 17 06:41:23.920: ISAKMP:(1473):Sending an IKE IPv4 Packet.
644119: Jul 17 06:41:23.924: ISAKMP:(1473):purging node -741730227
644120: Jul 17 06:41:23.924: ISAKMP:(1473):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
644121: Jul 17 06:41:23.924: ISAKMP:(1473):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Thanks for that.
Regards,
Alex
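The debug excerpt above carries the whole diagnosis in a handful of line types: the old peer (203.*.*.250) keeps initiating main mode, the router answers "No pre-shared key" and "phase 1 SA policy not acceptable", deletes the half-built SA, and that is what leaves MM_NO_STATE entries in show crypto isakmp sa, while the new peer (203.*.*.30) only ever shows healthy DPD keepalives. The following is an added example, not code from the thread or from Cisco: a small Python parser that reads IOS "debug crypto isakmp" output in exactly this shape, tallies those events per peer, cross-checks each peer against the crypto isakmp key statements in the running config, and labels a peer that initiates IKE without a configured key as something to investigate (a decommissioned peer still pointing at you, or a peer address typo). The sample log and config are constructed from the lines quoted in the thread, with the real addresses replaced by RFC 5737 documentation addresses and the key replaced by a placeholder.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample: a trimmed "debug crypto isakmp" excerpt in the shape of the one
# quoted above. 203.0.113.250 stands in for the old peer, 203.0.113.30 for the new one,
# 192.0.2.106 for the router's own dialer address (all RFC 5737 documentation ranges).
SAMPLE_DEBUG = """\
643940: Jul 17 06:41:06.744: ISAKMP:(0):No pre-shared key with 203.0.113.250!
643949: Jul 17 06:41:06.744: ISAKMP:(0):Preshared authentication offered but does not match policy!
643952: Jul 17 06:41:06.744: ISAKMP:(0): phase 1 SA policy not acceptable! (local 192.0.2.106 remote 203.0.113.250)
643958: Jul 17 06:41:06.748: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 203.0.113.250)
643987: Jul 17 06:41:06.756: ISAKMP:(0):deleting SA reason "No reason" state (R) MM_NO_STATE (peer 203.0.113.250)
643999: Jul 17 06:41:12.312: ISAKMP:(1473):DPD/R_U_THERE received from peer 203.0.113.30, sequence 0x195C0
644026: Jul 17 06:41:21.736: ISAKMP (0): received packet from 203.0.113.250 dport 500 sport 500 Global (N) NEW SA
644054: Jul 17 06:41:21.744: ISAKMP:(0):No pre-shared key with 203.0.113.250!
644072: Jul 17 06:41:21.744: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 203.0.113.250)
644113: Jul 17 06:41:23.920: ISAKMP:(1473):DPD/R_U_THERE received from peer 203.0.113.30, sequence 0x195C2
"""

# Constructed sample config in the shape of the one in the thread; the key is a placeholder.
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 5
crypto isakmp key 6 PLACEHOLDER_KEY address 203.0.113.30
crypto map VPN 10 ipsec-isakmp
 set peer 203.0.113.30
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
# "crypto isakmp key <key> address <ip>" or the type-6 form "crypto isakmp key 6 <key> address <ip>".
RE_KEY_PEER = re.compile(r"^crypto isakmp key (?:\d+ )?\S+ address " + IPV4, re.M)
RE_NO_PSK = re.compile(r"No pre-shared key with " + IPV4)
RE_POLICY_REJECT = re.compile(r"phase 1 SA policy not acceptable!.*remote " + IPV4)
RE_SA_DELETE = re.compile(r'deleting SA reason "([^"]+)".*\(peer ' + IPV4 + r"\)")
RE_NEW_SA = re.compile(r"received packet from " + IPV4 + r" .*\(N\) NEW SA")
RE_DPD = re.compile(r"DPD/R_U_THERE received from peer " + IPV4)


@dataclass
class PeerStats:
    no_psk: int = 0          # main-mode attempts for which we hold no key
    policy_reject: int = 0   # phase 1 proposals we refused
    new_sa: int = 0          # fresh initiations seen from this peer
    dpd_ok: int = 0          # DPD keepalives received (phase 1 is up)
    delete_reasons: dict = field(default_factory=lambda: defaultdict(int))


def configured_peers(config_text):
    """Peers for which a pre-shared key statement exists in the running config."""
    return set(RE_KEY_PEER.findall(config_text))


def parse_isakmp_debug(debug_text):
    """Tally per-peer ISAKMP events from 'debug crypto isakmp' output."""
    stats = defaultdict(PeerStats)
    for line in debug_text.splitlines():
        if m := RE_NO_PSK.search(line):
            stats[m.group(1)].no_psk += 1
        elif m := RE_POLICY_REJECT.search(line):
            stats[m.group(1)].policy_reject += 1
        elif m := RE_SA_DELETE.search(line):
            stats[m.group(2)].delete_reasons[m.group(1)] += 1
        elif m := RE_NEW_SA.search(line):
            stats[m.group(1)].new_sa += 1
        elif m := RE_DPD.search(line):
            stats[m.group(1)].dpd_ok += 1
    return dict(stats)


def classify_peers(stats, known_peers):
    """Label each peer seen in the debug against the set of peers we actually configured."""
    verdicts = {}
    for peer, s in stats.items():
        if peer not in known_peers and s.no_psk:
            # Someone we no longer (or never) configured is still trying to build IKE with us.
            verdicts[peer] = "unconfigured-peer-initiating"
        elif s.no_psk or s.policy_reject:
            # A peer we do expect, but phase 1 is failing: key or policy mismatch to chase.
            verdicts[peer] = "configured-peer-phase1-failing"
        elif s.dpd_ok:
            verdicts[peer] = "healthy-phase1"
        else:
            verdicts[peer] = "indeterminate"
    return verdicts


if __name__ == "__main__":
    stats = parse_isakmp_debug(SAMPLE_DEBUG)
    known = configured_peers(SAMPLE_CONFIG)
    for peer, verdict in classify_peers(stats, known).items():
        s = stats[peer]
        print(f"{peer}: {verdict} (no_psk={s.no_psk}, policy_reject={s.policy_reject}, "
              f"new_sa={s.new_sa}, dpd_ok={s.dpd_ok}, deletes={dict(s.delete_reasons)})")
```

Run against a real capture, the report separates the two questions the thread conflates: whether the peer you want is up (DPD traffic and a QM_IDLE SA for 203.*.*.30) and whether the MM_NO_STATE entries belong to a peer you intended to drop (repeated "No pre-shared key" from 203.*.*.250). The first is answered yes in this thread, so the deleted SAs are noise from the old peer and the data-plane failure had to be elsewhere, which is where the firewall policy with the wrong subnet eventually turned up.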
07-17-2012 12:36 AM
Alex,
Could you verify again whether the peer IP addresses were configured correctly on both devices?
On your 2811, your local (dialer) IP address is 123.209.60.106 and the remote peer (FortiGate) is 203.176.96.30, but the show crypto isakmp sa output is showing the reverse.
sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
123.209.60.106 203.*.*.250 MM_NO_STATE 0 ACTIVE (deleted)
123.209.60.106 203.*.*.250 MM_NO_STATE 0 ACTIVE (deleted)
123.209.60.106 203.*.*.250 MM_NO_STATE 0 ACTIVE (deleted)
123.209.60.106 203.*.*.250 MM_NO_STATE 0 ACTIVE (deleted)
123.209.60.106 203.*.*.30 QM_IDLE 1473 ACTIVE
#sh crypto ipsec sa
PFS (Y/N): Y, DH group: group1
PFS (Y/N): N, DH group: none
interface: Dialer1
Crypto map tag: VPN, local addr 123.209.60.106 <<<
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.21.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.68.0/255.255.255.0/0/0)
current_peer 203.*.*.30 port 500 <<<
07-17-2012 04:46 PM
Hi John,
I am pretty sure the ip addresses are correct. When I issue the command show crypto session, the result looks like this.
# sh crypto session
Crypto session current status
Interface: Cellular0/3/0
Session status: DOWN
Peer: 203.*.*.30 port 500
IPSEC FLOW: permit ip 192.168.21.0/255.255.255.0 192.168.68.0/255.255.255.0
Active SAs: 0, origin: crypto map
Interface: Dialer1
Session status: UP-ACTIVE
Peer: 203.*.*.30 port 500
IKE SA: local 123.209.60.106/500 remote 203.*.*.30/500 Active
IPSEC FLOW: permit ip 192.168.21.0/255.255.255.0 192.168.68.0/255.255.255.0
Active SAs: 2, origin: crypto map
Interface: Dialer1
Session status: DOWN-NEGOTIATING
Peer: 203.*.*.250 port 500
IKE SA: local 123.209.60.106/500 remote 203.*.*.250/500 Inactive
IKE SA: local 123.209.60.106/500 remote 203.*.*.250/500 Inactive
IKE SA: local 123.209.60.106/500 remote 203.*.*.250/500 Inactive
Does this ring a bell?
Regards,
Alex
07-18-2012 01:06 AM
Alex,
Thanks for confirming back! Have you checked the FW rules to see whether UDP port 500 is open on the FortiGate for the peering IP of the 2811?
Sent from Cisco Technical Support iPhone App
07-18-2012 02:54 PM
Hi John,
It turned out that the firewall had a policy which contained an incorrect subnet (where the router is), and it is fixed. Thank you very much for your help!
Regards,
Alex
07-18-2012 04:25 PM
Alex,
I'm glad your issue is already fixed. Please help rate useful posts and mark the thread as resolved. Thanks!
Sent from Cisco Technical Support iPhone App