Hello Community.
I am not a native English speaker, so sorry for that.
I have a strange problem running a site-to-site IPsec tunnel, which works well on a 2821, on an ASR1002-X with AES license.
First, what I know, i.e. what I have done.
IOS-XE 16.9.4 doesn't work for dynamic remote VPN because "crypto map CMAP isakmp authorization list GROUPAUTHOR" doesn't work. There is a new way to configure ISAKMP groups via profiles, which requires an undocumented "password" parameter. Okay, I downgraded to 16.7.1 and the VPN part for dial-in users (OS X, HO routers etc.) is back in service. The above crypto statement is available. The site-to-site problem I am facing is pretty strange. The remote end, a Verizon IPsec tunnel, has been running for 7 years without problems. Config follows.
The behaviour is easy to explain. I clear the sessions on the 2821 and shut the interface. I "no shut" the new interface on the ASR and trigger the remote end to establish the tunnel with a phone call (SIP interconnect). The tunnel immediately starts to come up on the ASR. IKE P1 completes; IPsec P1 will use the ACL to insert the protected network into the routing database. That fails. Error messages don't really appear (deb cry isa, deb cry ips); I will paste them later. After the tunnel is up and active I tried to ping the remote end. No response, because routing ends on the ASR.
My questions are: what went wrong in IOS-XE with ACLs?
Why is the config ignored?
Am I missing some global configuration statements to activate the ACL route installation?
The config is far from a complicated one.
I have tried 16.7.1 and 16.3.5 with the same config; same main behaviour as well.
Here is the config from the ASR (interesting part plus all globals; IPs are masked to 10.0.0.0/8 but consistent):
version 16.7
service timestamps debug datetime msec
service timestamps log datetime msec
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
platform hardware throughput level 5000000
!
hostname ASR1002X
!
boot-start-marker
boot system bootflash:asr1002x-universalk9.16.07.01.SPA.bin
boot-end-marker
!
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
enable secret 5 xxxxxxxxxxxxxxx
!
!
transport-map type persistent webui https-webui
secure-server
!
transport-map type persistent ssh sshhandler
authentication-retries 1
rsa keypair-name sshkeys
transport interface GigabitEthernet0
connection wait allow interruptible
!
aaa new-model
!
!
aaa authentication login userauthen local
aaa authentication ppp default local
aaa authorization network groupauthor local
!
!
!
!
!
!
aaa session-id common
!
!
!
!
!
!
ip nbar http-services
!
!
!
ip name-server x.x.x.x y.y.y.y
!
!
!
login on-success log
!
!
!
!
!
!
!
subscriber templating
!
!
!
!
!
!
!
multilink bundle-name authenticated
!
domain domain.net
!
!
!
!
!
!
!
ivr prompt buffers 2
license udi pid ASR1002-X sn ABC123456
no license smart enable
!
spanning-tree extend system-id
diagnostic bootup level minimal
!
!
!
username user .....!*Few Remote User
!
redundancy
mode none
!
!
!
!
!
!
!
!
!
no crypto isakmp default policy
!
crypto isakmp policy 1
encr aes 256
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 2
encr aes
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 3
encr aes 256
hash sha256
authentication pre-share
group 14
lifetime 3600
!
crypto isakmp policy 5
encr aes
authentication pre-share
group 2
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 11
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 12
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 13
encr 3des
authentication pre-share
group 2
crypto isakmp key preshared-key-secret address 10.10.1.238
crypto isakmp key preshared-key-secret address 10.10.2.238
crypto isakmp key preshared-key-secret address 10.10.3.238
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 60 periodic
crypto isakmp nat keepalive 30
!
crypto isakmp client configuration group VPNGROUP
key xxxxx
dns x.x.x.x y.y.y.y
domain domain.net
pool IPPool
save-password
!
crypto ipsec security-association lifetime seconds 86400
crypto ipsec security-association replay window-size 512
!
crypto ipsec transform-set ipcom esp-3des esp-md5-hmac
mode tunnel
!
!
!
crypto dynamic-map dynvpn 1
set nat demux
set transform-set ipcom
!
!
crypto map CRYMAP local-address GigabitEthernet0/0/1
crypto map CRYMAP 1 ipsec-isakmp
description VzB DTM
set peer 10.10.1.238
set transform-set ipcom
set pfs group2
match address 120
crypto map CRYMAP 2 ipsec-isakmp
description VzB AMS
set peer 10.10.2.238
set transform-set ipcom
set pfs group2
match address 121
crypto map CRYMAP 3 ipsec-isakmp
description VzB LND
set peer 10.10.3.238
set transform-set ipcom
set pfs group2
match address 122
!
crypto map VPN local-address GigabitEthernet0/0/2
crypto map VPN client authentication list userauthen
crypto map VPN isakmp authorization list groupauthor
crypto map VPN client configuration address respond
crypto map VPN 10 ipsec-isakmp dynamic dynmap
crypto map VPN 20 ipsec-isakmp dynamic dynvpn
!
!
!
!
!
!
!
interface GigabitEthernet0/0/0
ip address 10.1.1.10 255.255.255.192
no ip redirects
ip nbar protocol-discovery
shutdown
negotiation auto
!
interface GigabitEthernet0/0/1
ip address 10.1.2.219 255.255.255.192
no ip redirects
ip nbar protocol-discovery
ip tcp adjust-mss 1260
shutdown
negotiation auto
crypto map CRYMAP
!
interface GigabitEthernet0/0/2
ip address 10.1.3.10 255.255.255.240
no ip redirects
ip nbar protocol-discovery
ip tcp adjust-mss 1260
negotiation auto
ipv6 nd ra suppress
crypto map DUSVPN
!
interface GigabitEthernet0/0/3
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0/0/4
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0/0/5
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
ip address 10.10.10.251 255.255.255.0
negotiation auto
!
no ip forward-protocol nd
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 1
ip http session-idle-timeout 1200
ip tftp source-interface GigabitEthernet0
ip route 0.0.0.0 0.0.0.0 10.1.1.1
ip route vrf Mgmt-intf 0.0.0.0 0.0.0.0 10.10.10.1
!
ip ssh server algorithm authentication password
!
access-list 10 permit 10.1.1.7 log
access-list 10 deny any log
access-list 11 permit 10.1.10.0 0.0.0.255
access-list 11 permit 10.1.1.0 0.0.0.16
access-list 11 permit 10.1.2.0 0.0.0.255
access-list 11 deny any log
access-list 120 permit ip 10.1.1.0 0.0.0.255 10.11.1.192 0.0.0.31
access-list 121 permit ip 10.1.1.0 0.0.0.255 10.11.2.192 0.0.0.31
access-list 122 permit ip 10.1.1.0 0.0.0.255 10.11.3.192 0.0.0.31
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
line con 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
!
transport type persistent webui input https-webui
!
end
So that's the router config.
Is there anything missing because of the differences between the C2821 and the ASR1002X?
Here is a full establishment log; all is fine except traffic through the tunnel. No routing is installed :( I marked the interesting parts in bold:
Nov 3 04:02:02 acr-xe-0-0-15 3984: Nov 3 03:02:02.541: ISAKMP-PAK: (0):received packet from 10.10.1.238 dport 500 sport 500 Global (N) NEW SA
Nov 3 04:02:02 acr-xe-0-0-15 3985: Nov 3 03:02:02.541: ISAKMP: (0):Created a peer struct for 10.10.1.238, peer port 500
Nov 3 04:02:02 acr-xe-0-0-15 3986: Nov 3 03:02:02.541: ISAKMP: (0):New peer created peer = 0x7F837B5F7060 peer_handle = 0x8000000A
Nov 3 04:02:02 acr-xe-0-0-15 3987: Nov 3 03:02:02.541: ISAKMP: (0):Locking peer struct 0x7F837B5F7060, refcount 1 for crypto_isakmp_process_block
Nov 3 04:02:02 acr-xe-0-0-15 3988: Nov 3 03:02:02.541: ISAKMP: (0):local port 500, remote port 500
Nov 3 04:02:02 acr-xe-0-0-15 3989: Nov 3 03:02:02.541: crypto_engine_select_crypto_engine: can't handle any more
Nov 3 04:02:02 acr-xe-0-0-15 3990: Nov 3 03:02:02.541: ISAKMP: (0):insert sa successfully sa = 7F837B6AE320
Nov 3 04:02:02 acr-xe-0-0-15 3991: Nov 3 03:02:02.541: ISAKMP: (0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Nov 3 04:02:02 acr-xe-0-0-15 3992: Nov 3 03:02:02.541: ISAKMP: (0):Old State = IKE_READY New State = IKE_R_MM1
Nov 3 04:02:02 acr-xe-0-0-15 3993: crypto_isadb_stuff_vrf_instance, ike_fsm_proc_mm1: sa->f_vrf = 0 sa->i_vrf = 0 sa=0x7F837B6AE320
Nov 3 04:02:02 acr-xe-0-0-15 3994: Nov 3 03:02:02.541: ISAKMP: (0):processing SA payload. message ID = 0
Nov 3 04:02:02 acr-xe-0-0-15 3995: Nov 3 03:02:02.541: ISAKMP: (0):processing vendor id payload
Nov 3 04:02:02 acr-xe-0-0-15 3996: Nov 3 03:02:02.541: ISAKMP: (0):vendor ID seems Unity/DPD but major 190 mismatch
Nov 3 04:02:02 acr-xe-0-0-15 3997: Nov 3 03:02:02.541: ISAKMP: (0):processing vendor id payload
Nov 3 04:02:02 acr-xe-0-0-15 3998: Nov 3 03:02:02.541: ISAKMP: (0):vendor ID is DPD
Nov 3 04:02:02 acr-xe-0-0-15 3999: Nov 3 03:02:02.541: ISAKMP: (0):processing vendor id payload
Nov 3 04:02:02 acr-xe-0-0-15 4000: Nov 3 03:02:02.541: ISAKMP: (0):processing IKE frag vendor id payload
Nov 3 04:02:02 acr-xe-0-0-15 4001: Nov 3 03:02:02.541: ISAKMP: (0):Support for IKE Fragmentation not enabled
Nov 3 04:02:02 acr-xe-0-0-15 4002: Nov 3 03:02:02.541: ISAKMP: (0):found peer pre-shared key matching 10.10.1.238
Nov 3 04:02:02 acr-xe-0-0-15 4003: Nov 3 03:02:02.541: ISAKMP: (0):local preshared key found
Nov 3 04:02:02 acr-xe-0-0-15 4004: Nov 3 03:02:02.541: ISAKMP: (0):Scanning profiles for xauth ...
Nov 3 04:02:02 acr-xe-0-0-15 4005: Nov 3 03:02:02.541: ISAKMP: (0):Checking ISAKMP transform 1 against priority 1 policy
Nov 3 04:02:02 acr-xe-0-0-15 4006: Nov 3 03:02:02.541: ISAKMP: (0): encryption 3DES-CBC
Nov 3 04:02:02 acr-xe-0-0-15 4007: Nov 3 03:02:02.541: ISAKMP: (0): hash MD5
Nov 3 04:02:02 acr-xe-0-0-15 4008: Nov 3 03:02:02.541: ISAKMP: (0): default group 2
Nov 3 04:02:02 acr-xe-0-0-15 4009: Nov 3 03:02:02.541: ISAKMP: (0): auth pre-share
Nov 3 04:02:02 acr-xe-0-0-15 4010: Nov 3 03:02:02.541: ISAKMP: (0): life type in seconds
Nov 3 04:02:02 acr-xe-0-0-15 4011: Nov 3 03:02:02.541: ISAKMP: (0): life duration (basic) of 28800
Nov 3 04:02:02 acr-xe-0-0-15 4012: Nov 3 03:02:02.541: ISAKMP-ERROR: (0):Encryption algorithm offered does not match policy!
Nov 3 04:02:02 acr-xe-0-0-15 4013: Nov 3 03:02:02.541: ISAKMP-ERROR: (0):atts are not acceptable. Next payload is 0
Nov 3 04:02:02 acr-xe-0-0-15 4014: Nov 3 03:02:02.541: ISAKMP: (0):Checking ISAKMP transform 1 against priority 2 policy
Nov 3 04:02:02 acr-xe-0-0-15 4015: Nov 3 03:02:02.541: ISAKMP: (0): encryption 3DES-CBC
Nov 3 04:02:02 acr-xe-0-0-15 4016: Nov 3 03:02:02.541: ISAKMP: (0): hash MD5
Nov 3 04:02:02 acr-xe-0-0-15 4017: Nov 3 03:02:02.541: ISAKMP: (0): default group 2
Nov 3 04:02:02 acr-xe-0-0-15 4018: Nov 3 03:02:02.541: ISAKMP: (0): auth pre-share
Nov 3 04:02:02 acr-xe-0-0-15 4019: Nov 3 03:02:02.541: ISAKMP: (0): life type in seconds
Nov 3 04:02:02 acr-xe-0-0-15 4020: Nov 3 03:02:02.541: ISAKMP: (0): life duration (basic) of 28800
Nov 3 04:02:02 acr-xe-0-0-15 4021: Nov 3 03:02:02.541: ISAKMP-ERROR: (0):Encryption algorithm offered does not match policy!
Nov 3 04:02:02 acr-xe-0-0-15 4022: Nov 3 03:02:02.541: ISAKMP-ERROR: (0):atts are not acceptable. Next payload is 0
Nov 3 04:02:02 acr-xe-0-0-15 4023: Nov 3 03:02:02.541: ISAKMP: (0):Checking ISAKMP transform 1 against priority 3 policy
Nov 3 04:02:02 acr-xe-0-0-15 4024: Nov 3 03:02:02.541: ISAKMP: (0): encryption 3DES-CBC
Nov 3 04:02:02 acr-xe-0-0-15 4025: Nov 3 03:02:02.541: ISAKMP: (0): hash MD5
Nov 3 04:02:02 acr-xe-0-0-15 4026: Nov 3 03:02:02.541: ISAKMP: (0): default group 2
Nov 3 04:02:02 acr-xe-0-0-15 4027: Nov 3 03:02:02.541: ISAKMP: (0): auth pre-share
Nov 3 04:02:02 acr-xe-0-0-15 4028: Nov 3 03:02:02.541: ISAKMP: (0): life type in seconds
Nov 3 04:02:02 acr-xe-0-0-15 4029: Nov 3 03:02:02.541: ISAKMP: (0): life duration (basic) of 28800
Nov 3 04:02:02 acr-xe-0-0-15 4030: Nov 3 03:02:02.541: ISAKMP-ERROR: (0):Encryption algorithm offered does not match policy!
Nov 3 04:02:02 acr-xe-0-0-15 4031: Nov 3 03:02:02.541: ISAKMP-ERROR: (0):atts are not acceptable. Next payload is 0
Nov 3 04:02:02 acr-xe-0-0-15 4032: Nov 3 03:02:02.541: ISAKMP: (0):Checking ISAKMP transform 1 against priority 5 policy
Nov 3 04:02:02 acr-xe-0-0-15 4033: Nov 3 03:02:02.541: ISAKMP: (0): encryption 3DES-CBC
Nov 3 04:02:02 acr-xe-0-0-15 4034: Nov 3 03:02:02.541: ISAKMP: (0): hash MD5
Nov 3 04:02:02 acr-xe-0-0-15 4035: Nov 3 03:02:02.541: ISAKMP: (0): default group 2
Nov 3 04:02:02 acr-xe-0-0-15 4036: Nov 3 03:02:02.541: ISAKMP: (0): auth pre-share
Nov 3 04:02:02 acr-xe-0-0-15 4037: Nov 3 03:02:02.541: ISAKMP: (0): life type in seconds
Nov 3 04:02:02 acr-xe-0-0-15 4038: Nov 3 03:02:02.541: ISAKMP: (0): life duration (basic) of 28800
Nov 3 04:02:02 acr-xe-0-0-15 4039: Nov 3 03:02:02.541: ISAKMP-ERROR: (0):Encryption algorithm offered does not match policy!
Nov 3 04:02:02 acr-xe-0-0-15 4040: Nov 3 03:02:02.541: ISAKMP-ERROR: (0):atts are not acceptable. Next payload is 0
Nov 3 04:02:02 acr-xe-0-0-15 4041: Nov 3 03:02:02.541: ISAKMP: (0):Checking ISAKMP transform 1 against priority 10 policy
Nov 3 04:02:02 acr-xe-0-0-15 4042: Nov 3 03:02:02.541: ISAKMP: (0): encryption 3DES-CBC
Nov 3 04:02:02 acr-xe-0-0-15 4043: Nov 3 03:02:02.541: ISAKMP: (0): hash MD5
Nov 3 04:02:02 acr-xe-0-0-15 4044: Nov 3 03:02:02.541: ISAKMP: (0): default group 2
Nov 3 04:02:02 acr-xe-0-0-15 4045: Nov 3 03:02:02.541: ISAKMP: (0): auth pre-share
Nov 3 04:02:02 acr-xe-0-0-15 4046: Nov 3 03:02:02.541: ISAKMP: (0): life type in seconds
Nov 3 04:02:02 acr-xe-0-0-15 4047: Nov 3 03:02:02.541: ISAKMP: (0): life duration (basic) of 28800
Nov 3 04:02:02 acr-xe-0-0-15 4048: Nov 3 03:02:02.541: ISAKMP: (0):atts are acceptable. Next payload is 0
Nov 3 04:02:02 acr-xe-0-0-15 4049: Nov 3 03:02:02.541: ISAKMP: (0):Acceptable atts:actual life: 86400
Nov 3 04:02:02 acr-xe-0-0-15 4050: Nov 3 03:02:02.541: ISAKMP: (0):Acceptable atts:life: 0
Nov 3 04:02:02 acr-xe-0-0-15 4051: Nov 3 03:02:02.541: ISAKMP: (0):Basic life_in_seconds:28800
Nov 3 04:02:02 acr-xe-0-0-15 4052: Nov 3 03:02:02.541: ISAKMP: (0):Returning Actual lifetime: 28800
Nov 3 04:02:02 acr-xe-0-0-15 4053: Nov 3 03:02:02.541: ISAKMP: (0):Started lifetime timer: 28800.
Nov 3 04:02:02 acr-xe-0-0-15 4054: Nov 3 03:02:02.541: crypto_engine_select_crypto_engine: can't handle any more
Nov 3 04:02:02 acr-xe-0-0-15 4055: Nov 3 03:02:02.541: crypto_engine: Create DH
Nov 3 04:02:02 acr-xe-0-0-15 4056: Nov 3 03:02:02.544: ISAKMP: (0):processing vendor id payload
Nov 3 04:02:02 acr-xe-0-0-15 4057: Nov 3 03:02:02.544: ISAKMP: (0):vendor ID seems Unity/DPD but major 190 mismatch
Nov 3 04:02:02 acr-xe-0-0-15 4058: Nov 3 03:02:02.544: ISAKMP: (0):processing vendor id payload
Nov 3 04:02:02 acr-xe-0-0-15 4059: Nov 3 03:02:02.544: ISAKMP: (0):vendor ID is DPD
Nov 3 04:02:02 acr-xe-0-0-15 4060: Nov 3 03:02:02.544: ISAKMP: (0):processing vendor id payload
Nov 3 04:02:02 acr-xe-0-0-15 4061: Nov 3 03:02:02.544: ISAKMP: (0):processing IKE frag vendor id payload
Nov 3 04:02:02 acr-xe-0-0-15 4062: Nov 3 03:02:02.544: ISAKMP: (0):Support for IKE Fragmentation not enabled
Nov 3 04:02:02 acr-xe-0-0-15 4063: Nov 3 03:02:02.544: ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Nov 3 04:02:02 acr-xe-0-0-15 4064: Nov 3 03:02:02.544: ISAKMP: (0):Old State = IKE_R_MM1 New State = IKE_R_MM1
Nov 3 04:02:02 acr-xe-0-0-15 4065: Nov 3 03:02:02.544: ISAKMP-PAK: (0):sending packet to 10.10.1.238 my_port 500 peer_port 500 (R) MM_SA_SETUP
Nov 3 04:02:02 acr-xe-0-0-15 4066: Nov 3 03:02:02.544: ISAKMP: (0):Sending an IKE IPv4 Packet.
Nov 3 04:02:02 acr-xe-0-0-15 4067: Nov 3 03:02:02.544: ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Nov 3 04:02:02 acr-xe-0-0-15 4068: Nov 3 03:02:02.544: ISAKMP: (0):Old State = IKE_R_MM1 New State = IKE_R_MM2
Nov 3 04:02:02 acr-xe-0-0-15 4069: Nov 3 03:02:02.554: ISAKMP-PAK: (0):received packet from 10.10.1.238 dport 500 sport 500 Global (R) MM_SA_SETUP
Nov 3 04:02:02 acr-xe-0-0-15 4070: Nov 3 03:02:02.554: ISAKMP: (0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Nov 3 04:02:02 acr-xe-0-0-15 4071: Nov 3 03:02:02.554: ISAKMP: (0):Old State = IKE_R_MM2 New State = IKE_R_MM3
Nov 3 04:02:02 acr-xe-0-0-15 4072: Nov 3 03:02:02.554: ISAKMP: (0):processing KE payload. message ID = 0
Nov 3 04:02:02 acr-xe-0-0-15 4073: Nov 3 03:02:02.554: crypto_engine: Create DH shared secret
Nov 3 04:02:02 acr-xe-0-0-15 4074: Nov 3 03:02:02.556: ISAKMP: (0):processing NONCE payload. message ID = 0
Nov 3 04:02:02 acr-xe-0-0-15 4075: Nov 3 03:02:02.556: ISAKMP: (0):found peer pre-shared key matching 10.10.1.238
Nov 3 04:02:02 acr-xe-0-0-15 4076: Nov 3 03:02:02.556: crypto_engine: Create IKE SA
Nov 3 04:02:02 acr-xe-0-0-15 4077: Nov 3 03:02:02.556: crypto engine: deleting DH phase 2 SW:23
Nov 3 04:02:02 acr-xe-0-0-15 4078: Nov 3 03:02:02.556: crypto_engine: Delete DH shared secret
Nov 3 04:02:02 acr-xe-0-0-15 4079: Nov 3 03:02:02.556: ISAKMP: (1013):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Nov 3 04:02:02 acr-xe-0-0-15 4080: Nov 3 03:02:02.556: ISAKMP: (1013):Old State = IKE_R_MM3 New State = IKE_R_MM3
Nov 3 04:02:02 acr-xe-0-0-15 4081: Nov 3 03:02:02.556: ISAKMP-PAK: (1013):sending packet to 10.10.1.238 my_port 500 peer_port 500 (R) MM_KEY_EXCH
Nov 3 04:02:02 acr-xe-0-0-15 4082: Nov 3 03:02:02.556: ISAKMP: (1013):Sending an IKE IPv4 Packet.
Nov 3 04:02:02 acr-xe-0-0-15 4083: Nov 3 03:02:02.556: ISAKMP: (1013):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Nov 3 04:02:02 acr-xe-0-0-15 4084: Nov 3 03:02:02.556: ISAKMP: (1013):Old State = IKE_R_MM3 New State = IKE_R_MM4
Nov 3 04:02:02 acr-xe-0-0-15 4085: Nov 3 03:02:02.567: ISAKMP-PAK: (1013):received packet from 10.10.1.238 dport 500 sport 500 Global (R) MM_KEY_EXCH
Nov 3 04:02:02 acr-xe-0-0-15 4086: Nov 3 03:02:02.567: crypto_engine: Decrypt IKE packet
Nov 3 04:02:02 acr-xe-0-0-15 4087: Nov 3 03:02:02.567: ISAKMP: (1013):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Nov 3 04:02:02 acr-xe-0-0-15 4088: Nov 3 03:02:02.567: ISAKMP: (1013):Old State = IKE_R_MM4 New State = IKE_R_MM5
Nov 3 04:02:02 acr-xe-0-0-15 4089: Nov 3 03:02:02.567: ISAKMP: (1013):processing ID payload. message ID = 0
Nov 3 04:02:02 acr-xe-0-0-15 4090: Nov 3 03:02:02.567: ISAKMP: (1013):ID payload
Nov 3 04:02:02 acr-xe-0-0-15 4091: next-payload : 8
Nov 3 04:02:02 acr-xe-0-0-15 4092: type : 1
Nov 3 04:02:02 acr-xe-0-0-15 4093: Nov 3 03:02:02.567: ISAKMP: (1013): address : 10.10.1.238
Nov 3 04:02:02 acr-xe-0-0-15 4094: Nov 3 03:02:02.567: ISAKMP: (1013): protocol : 17
Nov 3 04:02:02 acr-xe-0-0-15 4095: port : 500
Nov 3 04:02:02 acr-xe-0-0-15 4096: length : 12
Nov 3 04:02:02 acr-xe-0-0-15 4097: Nov 3 03:02:02.567: ISAKMP: (0):peer matches *none* of the profilescrypto_isadb_stuff_vrf_instance, crypto_isakmp_assign_profile: sa->f_vrf = 0 sa->i_vrf = 0 sa=0x7F837B6AE320
Nov 3 04:02:02 acr-xe-0-0-15 4098: Nov 3 03:02:02.567: ISAKMP: (1013):processing HASH payload. message ID = 0
Nov 3 04:02:02 acr-xe-0-0-15 4099: Nov 3 03:02:02.567: crypto_engine: Generate IKE hash
Nov 3 04:02:02 acr-xe-0-0-15 4100: Nov 3 03:02:02.567: ISAKMP: (1013):SA authentication status:
Nov 3 04:02:02 acr-xe-0-0-15 4101: authenticated
Nov 3 04:02:02 acr-xe-0-0-15 4102: Nov 3 03:02:02.567: ISAKMP: (1013):SA has been authenticated with 10.10.1.238
Nov 3 04:02:02 acr-xe-0-0-15 4103: Nov 3 03:02:02.567: ISAKMP: (0):Trying to insert a peer 10.1.2.219/10.10.1.238/500/,
Nov 3 04:02:02 acr-xe-0-0-15 4104: Nov 3 03:02:02.567: ISAKMP: (0): and inserted successfully 7F837B5F7060.
Nov 3 04:02:02 acr-xe-0-0-15 4105: Nov 3 03:02:02.567: ISAKMP: (1013):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Nov 3 04:02:02 acr-xe-0-0-15 4106: Nov 3 03:02:02.567: ISAKMP: (1013):Old State = IKE_R_MM5 New State = IKE_R_MM5
Nov 3 04:02:02 acr-xe-0-0-15 4107: Nov 3 03:02:02.567: ISAKMP: (1013):SA is doing
Nov 3 04:02:02 acr-xe-0-0-15 4108: Nov 3 03:02:02.568: ISAKMP: (1013):pre-shared key authentication using id type ID_IPV4_ADDR
Nov 3 04:02:02 acr-xe-0-0-15 4109: Nov 3 03:02:02.568: ISAKMP: (1013):ID payload
Nov 3 04:02:02 acr-xe-0-0-15 4110: next-payload : 8
Nov 3 04:02:02 acr-xe-0-0-15 4111: type : 1
Nov 3 04:02:02 acr-xe-0-0-15 4112: Nov 3 03:02:02.568: ISAKMP: (1013): address : 10.1.2.219
Nov 3 04:02:02 acr-xe-0-0-15 4113: Nov 3 03:02:02.568: ISAKMP: (1013): protocol : 17
Nov 3 04:02:02 acr-xe-0-0-15 4114: port : 500
Nov 3 04:02:02 acr-xe-0-0-15 4115: length : 12
Nov 3 04:02:02 acr-xe-0-0-15 4116: Nov 3 03:02:02.568: ISAKMP: (1013):Total payload length: 12
Nov 3 04:02:02 acr-xe-0-0-15 4117: Nov 3 03:02:02.568: crypto_engine: Generate IKE hash
Nov 3 04:02:02 acr-xe-0-0-15 4118: Nov 3 03:02:02.568: crypto_engine: Encrypt IKE packet
Nov 3 04:02:02 acr-xe-0-0-15 4119: Nov 3 03:02:02.568: ISAKMP-PAK: (1013):sending packet to 10.10.1.238 my_port 500 peer_port 500 (R) MM_KEY_EXCH
Nov 3 04:02:02 acr-xe-0-0-15 4120: Nov 3 03:02:02.568: ISAKMP: (1013):Sending an IKE IPv4 Packet.
Nov 3 04:02:02 acr-xe-0-0-15 4121: Nov 3 03:02:02.568: IKE active tunnels 4
Nov 3 04:02:02 acr-xe-0-0-15 4122: scmIkeTunnelCreate ikeidx:13
Nov 3 04:02:02 acr-xe-0-0-15 4123: Nov 3 03:02:02.568: scmIkeTunnelCreated: Default context, vdi_ptr=gdi_ptr=140202611746552/140202611746552
Nov 3 04:02:02 acr-xe-0-0-15 4124: Nov 3 03:02:02.568: ISAKMP: (1013):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Nov 3 04:02:02 acr-xe-0-0-15 4125: Nov 3 03:02:02.568: ISAKMP: (1013):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
Nov 3 04:02:02 acr-xe-0-0-15 4126: Nov 3 03:02:02.568: ISAKMP: (1013):IKE_DPD is enabled, initializing timers
Nov 3 04:02:02 acr-xe-0-0-15 4127: Nov 3 03:02:02.568: ISAKMP: (1013):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Nov 3 04:02:02 acr-xe-0-0-15 4128: Nov 3 03:02:02.568: ISAKMP: (1013):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Nov 3 04:02:02 acr-xe-0-0-15 4129: Nov 3 03:02:02.578: ISAKMP-PAK: (1013):received packet from 10.10.1.238 dport 500 sport 500 Global (R) QM_IDLE
Nov 3 04:02:02 acr-xe-0-0-15 4130: Nov 3 03:02:02.578: ISAKMP: (1013):set new node 2448060722 to QM_IDLE
Nov 3 04:02:02 acr-xe-0-0-15 4131: Nov 3 03:02:02.578: crypto_engine: Decrypt IKE packet
Nov 3 04:02:02 acr-xe-0-0-15 4132: Nov 3 03:02:02.578: crypto_engine: Generate IKE hash
Nov 3 04:02:02 acr-xe-0-0-15 4133: Nov 3 03:02:02.578: ISAKMP: (1013):processing HASH payload. message ID = 2448060722
Nov 3 04:02:02 acr-xe-0-0-15 4134: Nov 3 03:02:02.578: ISAKMP: (1013):processing SA payload. message ID = 2448060722
Nov 3 04:02:02 acr-xe-0-0-15 4135: Nov 3 03:02:02.578: ISAKMP: (1013):Checking IPSec proposal 1
Nov 3 04:02:02 acr-xe-0-0-15 4136: Nov 3 03:02:02.578: ISAKMP: (1013):transform 1, ESP_3DES
Nov 3 04:02:02 acr-xe-0-0-15 4137: Nov 3 03:02:02.578: ISAKMP: (1013): attributes in transform:
Nov 3 04:02:02 acr-xe-0-0-15 4138: Nov 3 03:02:02.578: ISAKMP: (1013): SA life type in seconds
Nov 3 04:02:02 acr-xe-0-0-15 4139: Nov 3 03:02:02.578: ISAKMP: SA life duration (VPI) of 0x0 0x0 0xE 0x10
Nov 3 04:02:02 acr-xe-0-0-15 4140: Nov 3 03:02:02.578: ISAKMP: (1013): encaps is 1 (Tunnel)
Nov 3 04:02:02 acr-xe-0-0-15 4141: Nov 3 03:02:02.578: ISAKMP: (1013): authenticator is HMAC-MD5
Nov 3 04:02:02 acr-xe-0-0-15 4142: Nov 3 03:02:02.578: ISAKMP: (1013): group is 2
Nov 3 04:02:02 acr-xe-0-0-15 4143: Nov 3 03:02:02.578: ISAKMP: (1013):atts are acceptable.
Nov 3 04:02:02 acr-xe-0-0-15 4144: Nov 3 03:02:02.578: IPSEC(validate_proposal_request): proposal part #1
Nov 3 04:02:02 acr-xe-0-0-15 4145: Nov 3 03:02:02.578: IPSEC(validate_proposal_request): proposal part #1,
Nov 3 04:02:02 acr-xe-0-0-15 4146: (key eng. msg.) INBOUND local= 10.1.2.219:0, remote= 10.10.1.238:0,
Nov 3 04:02:02 acr-xe-0-0-15 4147: local_proxy= 10.1.1.0/255.255.255.0/256/0,
Nov 3 04:02:02 acr-xe-0-0-15 4148: remote_proxy= 10.11.1.192/255.255.255.224/256/0,
Nov 3 04:02:02 acr-xe-0-0-15 4149: protocol= ESP, transform= esp-3des esp-md5-hmac (Tunnel),
Nov 3 04:02:02 acr-xe-0-0-15 4150: lifedur= 0s and 0kb,
Nov 3 04:02:02 acr-xe-0-0-15 4151: spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
Nov 3 04:02:02 acr-xe-0-0-15 4152: Nov 3 03:02:02.578: Crypto mapdb : proxy_match
Nov 3 04:02:02 acr-xe-0-0-15 4153: src addr : 10.1.1.0
Nov 3 04:02:02 acr-xe-0-0-15 4154: dst addr : 10.11.1.192
Nov 3 04:02:02 acr-xe-0-0-15 4155: protocol : 0
Nov 3 04:02:02 acr-xe-0-0-15 4156: src port : 0
Nov 3 04:02:02 acr-xe-0-0-15 4157: dst port : 0
Nov 3 04:02:02 acr-xe-0-0-15 4158: Nov 3 03:02:02.578: (ipsec_process_proposal)Map Accepted: CRYMAP, 1
Nov 3 04:02:02 acr-xe-0-0-15 4159: Nov 3 03:02:02.578: crypto_engine: Create DH
Nov 3 04:02:02 acr-xe-0-0-15 4160: Nov 3 03:02:02.580: ISAKMP: (1013):processing NONCE payload. message ID = 2448060722
Nov 3 04:02:02 acr-xe-0-0-15 4161: Nov 3 03:02:02.580: ISAKMP: (1013):processing KE payload. message ID = 2448060722
Nov 3 04:02:02 acr-xe-0-0-15 4162: Nov 3 03:02:02.580: crypto_engine: Create DH shared secret
Nov 3 04:02:02 acr-xe-0-0-15 4163: Nov 3 03:02:02.582: ISAKMP: (1013):processing ID payload. message ID = 2448060722
Nov 3 04:02:02 acr-xe-0-0-15 4164: Nov 3 03:02:02.582: ISAKMP: (1013):processing ID payload. message ID = 2448060722
Nov 3 04:02:02 acr-xe-0-0-15 4165: Nov 3 03:02:02.582: ISAKMP: (1013):QM Responder gets spi
Nov 3 04:02:02 acr-xe-0-0-15 4166: Nov 3 03:02:02.582: ISAKMP: (1013):Node 2448060722, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Nov 3 04:02:02 acr-xe-0-0-15 4167: Nov 3 03:02:02.582: ISAKMP: (1013):Old State = IKE_QM_READY New State = IKE_QM_SPI_STARVE
Nov 3 04:02:02 acr-xe-0-0-15 4168: Nov 3 03:02:02.582: crypto_engine: Generate IKE hash
Nov 3 04:02:02 acr-xe-0-0-15 4169: Nov 3 03:02:02.582: ISAKMP: (1013):Node 2448060722, Input = IKE_MESG_INTERNAL, IKE_GOT_SPI
Nov 3 04:02:02 acr-xe-0-0-15 4170: Nov 3 03:02:02.582: ISAKMP: (1013):Old State = IKE_QM_SPI_STARVE New State = IKE_QM_IPSEC_INSTALL_AWAIT
Nov 3 04:02:02 acr-xe-0-0-15 4171: Nov 3 03:02:02.582: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Nov 3 04:02:02 acr-xe-0-0-15 4172: Nov 3 03:02:02.582: Crypto mapdb : proxy_match
Nov 3 04:02:02 acr-xe-0-0-15 4173: src addr : 10.1.1.0
Nov 3 04:02:02 acr-xe-0-0-15 4174: dst addr : 10.11.1.192
Nov 3 04:02:02 acr-xe-0-0-15 4175: protocol : 256
Nov 3 04:02:02 acr-xe-0-0-15 4176: src port : 0
Nov 3 04:02:02 acr-xe-0-0-15 4177: dst port : 0
Nov 3 04:02:02 acr-xe-0-0-15 4178: Nov 3 03:02:02.582: IPSEC(crypto_ipsec_create_ipsec_sas): Map found CRYMAP, 1
Nov 3 04:02:02 acr-xe-0-0-15 4179: Nov 3 03:02:02.582: crypto_engine: Generate IKE QM keys
Nov 3 04:02:02 acr-xe-0-0-15 4180: Nov 3 03:02:02.582: crypto_engine: Create IPSec SA (by keys)
Nov 3 04:02:02 acr-xe-0-0-15 4181: Nov 3 03:02:02.582: crypto_engine: Generate IKE QM keys
Nov 3 04:02:02 acr-xe-0-0-15 4182: Nov 3 03:02:02.582: crypto_engine: Create IPSec SA (by keys)
Nov 3 04:02:02 acr-xe-0-0-15 4183: Nov 3 03:02:02.582: IPSEC(get_old_outbound_sa_for_peer): No outbound SA found for peer 7F837699F4D8
Nov 3 04:02:02 acr-xe-0-0-15 4184: Nov 3 03:02:02.582: IPSEC(create_sa): sa created
Nov 3 04:02:02 acr-xe-0-0-15 4185: ,
Nov 3 04:02:02 acr-xe-0-0-15 4186: (sa) sa_dest= 10.1.2.219, sa_proto= 50,
Nov 3 04:02:02 acr-xe-0-0-15 4187: sa_spi= 0xA2641181(2724467073),
Nov 3 04:02:02 acr-xe-0-0-15 4188: sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2013
Nov 3 04:02:02 acr-xe-0-0-15 4189: sa_lifetime(k/sec)= (4608000/3600),
Nov 3 04:02:02 acr-xe-0-0-15 4190: (identity) local= 10.1.2.219:0, remote= 10.10.1.238:0,
Nov 3 04:02:02 acr-xe-0-0-15 4191: local_proxy= 10.1.1.0/255.255.255.0/256/0,
Nov 3 04:02:02 acr-xe-0-0-15 4192: remote_proxy= 10.11.1.192/255.255.255.224/256/0
Nov 3 04:02:02 acr-xe-0-0-15 4193: Nov 3 03:02:02.582: IPSEC(create_sa): sa created,
Nov 3 04:02:02 acr-xe-0-0-15 4194: (sa) sa_dest= 10.10.1.238, sa_proto= 50,
Nov 3 04:02:02 acr-xe-0-0-15 4195: sa_spi= 0xF92C186B(4180416619),
Nov 3 04:02:02 acr-xe-0-0-15 4196: sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2014
Nov 3 04:02:02 acr-xe-0-0-15 4197: sa_lifetime(k/sec)= (4608000/3600),
Nov 3 04:02:02 acr-xe-0-0-15 4198: (identity) local= 10.1.2.219:0, remote= 10.10.1.238:0
Nov 3 04:02:02 acr-xe-0-0-15 4199: ,
Nov 3 04:02:02 acr-xe-0-0-15 4200: local_proxy= 10.1.1.0/255.255.255.0/256/0,
Nov 3 04:02:02 acr-xe-0-0-15 4201: remote_proxy= 10.11.1.192/255.255.255.224/256/0
Nov 3 04:02:02 acr-xe-0-0-15 4202: Nov 3 03:02:02.586: ISAKMP-ERROR: (0):Failed to find peer index node to update peer_info_listinc_ipsec_active_tunnels : IPSec active tunnels : 4
Nov 3 04:02:02 acr-xe-0-0-15 4203: notify_mib_ipsec_tunnel_activation: peer has vdi ptr set 0x7F8376DEA6F8
Nov 3 04:02:02 acr-xe-0-0-15 4204: scmIpSecTunnelCreated (IKE SA:13), (IPSEC SA:3)
Nov 3 04:02:02 acr-xe-0-0-15 4205: ...new ipsidx:6
Nov 3 04:02:02 acr-xe-0-0-15 4206: Nov 3 03:02:02.586: scmIPSecTunnelCreated: Default context, vdi_ptr=gdi_ptr=140202611746552/140202611746552
Nov 3 04:02:02 acr-xe-0-0-15 4207: Nov 3 03:02:02.586: ISAKMP: (1013):Received IPSec Install callback... proceeding with the negotiation
Nov 3 04:02:02 acr-xe-0-0-15 4208: Nov 3 03:02:02.586: ISAKMP: (1013):Successfully installed IPSEC SA (SPI:0xA2641181) on GigabitEthernet0/0/1
Nov 3 04:02:02 acr-xe-0-0-15 4209: Nov 3 03:02:02.586: crypto engine: deleting DH phase 2 SW:25
Nov 3 04:02:02 acr-xe-0-0-15 4210: Nov 3 03:02:02.586: crypto_engine: Delete DH shared secret
Nov 3 04:02:02 acr-xe-0-0-15 4211: Nov 3 03:02:02.586: crypto engine: deleting DH SW:24
Nov 3 04:02:02 acr-xe-0-0-15 4212: Nov 3 03:02:02.586: crypto_engine: Encrypt IKE packet
Nov 3 04:02:02 acr-xe-0-0-15 4213: Nov 3 03:02:02.586: ISAKMP-PAK: (1013):sending packet to 10.10.1.238 my_port 500 peer_port 500 (R) QM_IDLE
Nov 3 04:02:02 acr-xe-0-0-15 4214: Nov 3 03:02:02.586: ISAKMP: (1013):Sending an IKE IPv4 Packet.
Nov 3 04:02:02 acr-xe-0-0-15 4215: Nov 3 03:02:02.586: ISAKMP: (1013):Node 2448060722, Input = IKE_MESG_FROM_IPSEC, IPSEC_INSTALL_DONE
Nov 3 04:02:02 acr-xe-0-0-15 4216: Nov 3 03:02:02.586: ISAKMP: (1013):Old State = IKE_QM_IPSEC_INSTALL_AWAIT New State = IKE_QM_R_QM2
Nov 3 04:02:02 acr-xe-0-0-15 4217: Nov 3 03:02:02.586: crypto_engine: Delete DH
Nov 3 04:02:02 acr-xe-0-0-15 4218: Nov 3 03:02:02.598: ISAKMP-PAK: (1013):received packet from 10.10.1.238 dport 500 sport 500 Global (R) QM_IDLE
Nov 3 04:02:02 acr-xe-0-0-15 4219: Nov 3 03:02:02.598: crypto_engine: Decrypt IKE packet
Nov 3 04:02:02 acr-xe-0-0-15 4220: Nov 3 03:02:02.598: crypto_engine: Generate IKE hash
Nov 3 04:02:02 acr-xe-0-0-15 4221: Nov 3 03:02:02.598: ISAKMP: (1013):deleting node 2448060722 error FALSE reason "QM done (await)"
Nov 3 04:02:02 acr-xe-0-0-15 4222: Nov 3 03:02:02.598: ISAKMP: (1013):Node 2448060722, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Nov 3 04:02:02 acr-xe-0-0-15 4223: Nov 3 03:02:02.598: ISAKMP: (1013):Old State = IKE_QM_R_QM2 New State = IKE_QM_PHASE2_COMPLETE
So any tip or hint that can resolve this issue would be appreciated.
Thanks in advance,
kind regards,
Udo
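Editor's added example (not part of the original post, not Cisco code): a small Python parser that reduces a "debug crypto isakmp" / "debug crypto ipsec" trace like the one above to the facts worth checking before chasing routing: which ISAKMP policy the responder accepted and with which algorithms, whether Phase 1 and Phase 2 completed, the proxy identities (the crypto ACL networks) that were negotiated, the crypto map entry that accepted them, and the interface the SA was installed on. It also flags the legacy parameters this trace shows (3DES, MD5, DH group 2). The sample lines are constructed from the shape of the posted output with the syslog prefix trimmed; the regular expressions assume that IOS-XE formatting, and the ACE helper only understands "permit ip <src> <wildcard> <dst> <wildcard>" entries like access-list 120 in the config.

```python
"""Summarise a Cisco IOS/IOS-XE 'debug crypto isakmp' + 'debug crypto ipsec' trace."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample in the shape of the debug lines quoted in the post (syslog prefix trimmed).
SAMPLE_LOG = """\
ISAKMP: (0):Checking ISAKMP transform 1 against priority 1 policy
ISAKMP: (0): encryption 3DES-CBC
ISAKMP: (0): hash MD5
ISAKMP: (0): default group 2
ISAKMP-ERROR: (0):Encryption algorithm offered does not match policy!
ISAKMP-ERROR: (0):atts are not acceptable. Next payload is 0
ISAKMP: (0):Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: (0): encryption 3DES-CBC
ISAKMP: (0): hash MD5
ISAKMP: (0): default group 2
ISAKMP: (0): auth pre-share
ISAKMP: (0):atts are acceptable. Next payload is 0
ISAKMP: (1013):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 10.1.2.219:0, remote= 10.10.1.238:0,
    local_proxy= 10.1.1.0/255.255.255.0/256/0,
    remote_proxy= 10.11.1.192/255.255.255.224/256/0,
    protocol= ESP, transform= esp-3des esp-md5-hmac (Tunnel),
(ipsec_process_proposal)Map Accepted: CRYMAP, 1
ISAKMP: (1013):Successfully installed IPSEC SA (SPI:0xA2641181) on GigabitEthernet0/0/1
ISAKMP: (1013):Old State = IKE_QM_R_QM2 New State = IKE_QM_PHASE2_COMPLETE
"""

# Legacy parameters worth flagging in a review (values as IOS prints them).
WEAK_IKE = {"encr": {"DES-CBC", "3DES-CBC"}, "hash": {"MD5"}, "group": {"1", "2", "5"}}
WEAK_IPSEC = {"esp-des", "esp-3des", "esp-md5-hmac"}

_POLICY = re.compile(r"Checking ISAKMP transform \d+ against priority (\d+) policy")
_ATTR = re.compile(r"ISAKMP: \(\d+\):\s+(encryption|hash|default group)\s+(\S+)")
_PROXY = re.compile(r"(local|remote)_proxy= (\d+\.\d+\.\d+\.\d+)/(\d+\.\d+\.\d+\.\d+)/")
_TRANSFORM = re.compile(r"transform= (.+?) \(")
_MAP = re.compile(r"Map Accepted: (\S+), (\d+)")
_INSTALL = re.compile(r"Successfully installed IPSEC SA \(SPI:(0x[0-9A-Fa-f]+)\) on (\S+)")
_ACE = re.compile(r"access-list \d+ permit ip (\S+) (\S+) (\S+) (\S+)")


@dataclass
class TunnelSummary:
    policies: List[Tuple[int, bool]] = field(default_factory=list)  # (priority, accepted)
    accepted_policy: Optional[int] = None
    phase1_complete: bool = False
    phase2_complete: bool = False
    local_proxy: Optional[str] = None   # negotiated identities in CIDR form
    remote_proxy: Optional[str] = None
    ipsec_transform: Optional[str] = None
    accepted_map: Optional[Tuple[str, int]] = None
    install_interface: Optional[str] = None
    spi: Optional[str] = None
    weak: List[str] = field(default_factory=list)


def proxy_to_cidr(addr: str, netmask: str) -> str:
    """'10.1.1.0', '255.255.255.0' -> '10.1.1.0/24' (debug output prints dotted netmasks)."""
    return str(ipaddress.ip_network(f"{addr}/{netmask}", strict=False))


def parse_debug(text: str) -> TunnelSummary:
    s = TunnelSummary()
    cur = None  # attributes of the ISAKMP policy currently being compared against the offer
    for line in text.splitlines():
        if m := _POLICY.search(line):
            cur = {"priority": int(m.group(1)), "encr": None, "hash": None, "group": None}
        elif cur is not None and (m := _ATTR.search(line)):
            cur[{"encryption": "encr", "hash": "hash", "default group": "group"}[m.group(1)]] = m.group(2)
        elif cur is not None and "atts are not acceptable" in line:
            s.policies.append((cur["priority"], False))
            cur = None
        elif cur is not None and "atts are acceptable" in line:
            s.policies.append((cur["priority"], True))
            s.accepted_policy = cur["priority"]
            s.weak += [f"{k}={cur[k]}" for k in ("encr", "hash", "group") if cur[k] in WEAK_IKE[k]]
            cur = None
        elif "New State = IKE_P1_COMPLETE" in line:
            s.phase1_complete = True
        elif "New State = IKE_QM_PHASE2_COMPLETE" in line:
            s.phase2_complete = True
        elif m := _PROXY.search(line):
            cidr = proxy_to_cidr(m.group(2), m.group(3))
            if m.group(1) == "local" and s.local_proxy is None:
                s.local_proxy = cidr
            elif m.group(1) == "remote" and s.remote_proxy is None:
                s.remote_proxy = cidr
        elif (m := _TRANSFORM.search(line)) and s.ipsec_transform is None:
            s.ipsec_transform = m.group(1)
            s.weak += [f"ipsec={t}" for t in m.group(1).split() if t in WEAK_IPSEC]
        elif m := _MAP.search(line):
            s.accepted_map = (m.group(1), int(m.group(2)))
        elif m := _INSTALL.search(line):
            s.spi, s.install_interface = m.group(1), m.group(2)
    return s


def _ace_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Cisco ACL wildcard (0 = must match, 1 = don't care) -> network; non-contiguous masks raise."""
    netmask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False)


def ace_mirrors_proxy(ace: str, local_proxy: str, remote_proxy: str) -> bool:
    """True if a 'permit ip <src> <wc> <dst> <wc>' ACE is exactly the negotiated proxy pair.
    IKEv1 crypto maps need mirror-image identities, so this is equality, not containment.
    'host'/'any' keywords are not handled (hypothetical helper, kept deliberately narrow)."""
    m = _ACE.match(ace.strip())
    if not m:
        raise ValueError(f"unsupported ACE syntax: {ace!r}")
    src, dst = _ace_network(m.group(1), m.group(2)), _ace_network(m.group(3), m.group(4))
    return (str(src), str(dst)) == (local_proxy, remote_proxy)


if __name__ == "__main__":
    summary = parse_debug(SAMPLE_LOG)
    print(summary)
    ace120 = "access-list 120 permit ip 10.1.1.0 0.0.0.255 10.11.1.192 0.0.0.31"
    print("ACE 120 mirrors negotiated proxies:",
          ace_mirrors_proxy(ace120, summary.local_proxy, summary.remote_proxy))
```

Run against the posted trace, the summary says: policy 10 (3DES/MD5/group 2) accepted, both phases complete, proxies 10.1.1.0/24 and 10.11.1.192/27 accepted by CRYMAP entry 1, SA installed on GigabitEthernet0/0/1, and ACE 120 mirrors the negotiated identities exactly. That separates "the ACL was matched" from "traffic is not forwarded", which are different questions; the weak-algorithm flags are a reminder that the peer only offered 3DES-CBC with MD5, so the stronger AES/SHA-256/group 14 policies in the config were never used.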