05-24-2013 08:05 PM - edited 03-07-2019 01:33 PM
Hi all!
I have trouble with VPN access. I have searched the Internet but can't quite find the solution. Please HELP!!!! Below is the debug info:
May 25 02:34:31.599: ISAKMP (0): received packet from xxx.xxx.xxx.xxx dport 500 sport 17348 Global (N) NEW SA
May 25 02:34:31.599: ISAKMP: Created a peer struct for xxx.xxx.xxx.xxx, peer port 17348
May 25 02:34:31.599: ISAKMP: New peer created peer = 0x2BA1981C peer_handle = 0x80000003
May 25 02:34:31.599: ISAKMP: Locking peer struct 0x2BA1981C, refcount 1 for crypto_isakmp_process_block
May 25 02:34:31.599: ISAKMP: local port 500, remote port 17348
May 25 02:34:31.599: ISAKMP:(0):insert sa successfully sa = 2BD65240
May 25 02:34:31.599: ISAKMP:(0): processing SA payload. message ID = 0
May 25 02:34:31.599: ISAKMP:(0): processing ID payload. message ID = 0
May 25 02:34:31.599: ISAKMP (0): ID payload
next-payload : 13
type : 11
group id : ECOCION-VPN
protocol : 17
port : 500
length : 19
May 25 02:34:31.603: ISAKMP:(0):: peer matches vpn-ike-profile-1 profile
May 25 02:34:31.603: ISAKMP:(0):Setting client config settings 2BA19490
May 25 02:34:31.603: ISAKMP:(0):(Re)Setting client xauth list and state
May 25 02:34:31.603: ISAKMP/xauth: initializing AAA request
May 25 02:34:31.603: ISAKMP:(0): processing vendor id payload
May 25 02:34:31.603: ISAKMP:(0): vendor ID seems Unity/DPD but major 215 mismatch
May 25 02:34:31.603: ISAKMP:(0): vendor ID is XAUTH
May 25 02:34:31.603: ISAKMP:(0): processing vendor id payload
May 25 02:34:31.603: ISAKMP:(0): vendor ID is DPD
May 25 02:34:31.603: ISAKMP:(0): processing vendor id payload
May 25 02:34:31.603: ISAKMP:(0): processing IKE frag vendor id payload
May 25 02:34:31.603: ISAKMP:(0):Support for IKE Fragmentation not enabled
May 25 02:34:31.603: ISAKMP:(0): processing vendor id payload
May 25 02:34:31.603: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
May 25 02:34:31.603: ISAKMP:(0): vendor ID is NAT-T v2
May 25 02:34:31.603: ISAKMP:(0): processing vendor id payload
May 25 02:34:31.603: ISAKMP:(0): vendor ID is Unity
May 25 02:34:31.603: ISAKMP:(0): Authentication by xauth preshared
May 25 02:34:31.603: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
May 25 02:34:31.603: ISAKMP: encryption AES-CBC
May 25 02:34:31.603: ISAKMP: hash SHA
May 25 02:34:31.603: ISAKMP: default group 2
May 25 02:34:31.603: ISAKMP: auth XAUTHInitPreShared
May 25 02:34:31.603: ISAKMP: life type in seconds
May 25 02:34:31.603: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
May 25 02:34:31.603: ISAKMP: keylength of 256
May 25 02:34:31.603: ISAKMP:(0):Encryption algorithm offered does not match policy!
May 25 02:34:31.603: ISAKMP:(0):atts are not acceptable. Next payload is 3
May 25 02:34:31.603: ISAKMP:(0):Checking ISAKMP transform 2 against priority 1 policy
May 25 02:34:31.603: ISAKMP: encryption AES-CBC
May 25 02:34:31.603: ISAKMP: hash MD5
May 25 02:34:31.603: ISAKMP: default group 2
May 25 02:34:31.603: ISAKMP: auth XAUTHInitPreShared
May 25 02:34:31.603: ISAKMP: life type in seconds
May 25 02:34:31.603: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
May 25 02:34:31.603: ISAKMP: keylength of 256
May 25 02:34:31.603: ISAKMP:(0):Encryption algorithm offered does not match policy!
May 25 02:34:31.603: ISAKMP:(0):atts are not acceptable. Next payload is 3
May 25 02:34:31.603: ISAKMP:(0):Checking ISAKMP transform 3 against priority 1 policy
May 25 02:34:31.603: ISAKMP: encryption AES-CBC
May 25 02:34:31.603: ISAKMP: hash SHA
May 25 02:34:31.603: ISAKMP: default group 2
May 25 02:34:31.603: ISAKMP: auth pre-share
May 25 02:34:31.603: ISAKMP: life type in seconds
May 25 02:34:31.603: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
May 25 02:34:31.603: ISAKMP: keylength of 256
May 25 02:34:31.603: ISAKMP:(0):Encryption algorithm offered does not match policy!
May 25 02:34:31.603: ISAKMP:(0):atts are not acceptable. Next payload is 3
May 25 02:34:31.603: ISAKMP:(0):Checking ISAKMP transform 4 against priority 1 policy
May 25 02:34:31.603: ISAKMP: encryption AES-CBC
May 25 02:34:31.603: ISAKMP: hash MD5
May 25 02:34:31.603: ISAKMP: default group 2
May 25 02:34:31.603: ISAKMP: auth pre-share
May 25 02:34:31.603: ISAKMP: life type in seconds
May 25 02:34:31.603: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
May 25 02:34:31.603: ISAKMP: keylength of 256
May 25 02:34:31.603: ISAKMP:(0):Encryption algorithm offered does not match policy!
May 25 02:34:31.603: ISAKMP:(0):atts are not acceptable. Next payload is 3
May 25 02:34:31.603: ISAKMP:(0):Checking ISAKMP transform 5 against priority 1 policy
May 25 02:34:31.603: ISAKMP: encryption AES-CBC
May 25 02:34:31.603: ISAKMP: hash SHA
May 25 02:34:31.603: ISAKMP: default group 2
May 25 02:34:31.603: ISAKMP: auth XAUTHInitPreShared
May 25 02:34:31.603: ISAKMP: life type in seconds
May 25 02:34:31.603: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
May 25 02:34:31.603: ISAKMP: keylength of 128
May 25 02:34:31.603: ISAKMP:(0):Encryption algorithm offered does not match policy!
May 25 02:34:31.603: ISAKMP:(0):atts are not acceptable. Next payload is 3
May 25 02:34:31.603: ISAKMP:(0):Checking ISAKMP transform 6 against priority 1 policy
May 25 02:34:31.603: ISAKMP: encryption AES-CBC
May 25 02:34:31.603: ISAKMP: hash MD5
May 25 02:34:31.603: ISAKMP: default group 2
May 25 02:34:31.603: ISAKMP: auth XAUTHInitPreShared
May 25 02:34:31.603: ISAKMP: life type in seconds
May 25 02:34:31.603: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
May 25 02:34:31.603: ISAKMP: keylength of 128
May 25 02:34:31.603: ISAKMP:(0):Encryption algorithm offered does not match policy!
May 25 02:34:31.603: ISAKMP:(0):atts are not acceptable. Next payload is 3
May 25 02:34:31.603: ISAKMP:(0):Checking ISAKMP transform 7 against priority 1 policy
May 25 02:34:31.603: ISAKMP: encryption AES-CBC
May 25 02:34:31.603: ISAKMP: hash SHA
May 25 02:34:31.603: ISAKMP: default group 2
May 25 02:34:31.603: ISAKMP: auth pre-share
May 25 02:34:31.603: ISAKMP: life type in seconds
May 25 02:34:31.603: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
May 25 02:34:31.603: ISAKMP: keylength of 128
May 25 02:34:31.603: ISAKMP:(0):Encryption algorithm offered does not match policy!
May 25 02:34:31.603: ISAKMP:(0):atts are not acceptable. Next payload is 3
May 25 02:34:31.603: ISAKMP:(0):Checking ISAKMP transform 8 against priority 1 policy
May 25 02:34:31.603: ISAKMP: encryption AES-CBC
May 25 02:34:31.603: ISAKMP: hash MD5
May 25 02:34:31.603: ISAKMP: default group 2
May 25 02:34:31.603: ISAKMP: auth pre-share
May 25 02:34:31.603: ISAKMP: life type in seconds
May 25 02:34:31.603: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
May 25 02:34:31.603: ISAKMP: keylength of 128
May 25 02:34:31.603: ISAKMP:(0):Encryption algorithm offered does not match policy!
May 25 02:34:31.603: ISAKMP:(0):atts are not acceptable. Next payload is 3
May 25 02:34:31.603: ISAKMP:(0):Checking ISAKMP transform 9 against priority 1 policy
May 25 02:34:31.603: ISAKMP: encryption 3DES-CBC
May 25 02:34:31.603: ISAKMP: hash SHA
May 25 02:34:31.603: ISAKMP: default group 2
May 25 02:34:31.603: ISAKMP: auth XAUTHInitPreShared
May 25 02:34:31.603: ISAKMP: life type in seconds
May 25 02:34:31.603: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
May 25 02:34:31.603: ISAKMP:(0):atts are acceptable. Next payload is 3
May 25 02:34:31.603: ISAKMP:(0):Acceptable atts:actual life: 86400
May 25 02:34:31.603: ISAKMP:(0):Acceptable atts:life: 0
May 25 02:34:31.603: ISAKMP:(0):Fill atts in sa vpi_length:4
May 25 02:34:31.603: ISAKMP:(0):Fill atts in sa life_in_seconds:2147483
May 25 02:34:31.603: ISAKMP:(0):Returning Actual lifetime: 86400
May 25 02:34:31.603: ISAKMP:(0)::Started lifetime timer: 86400.
May 25 02:34:31.603: ISAKMP:(0): processing KE payload. message ID = 0
May 25 02:34:31.623: ISAKMP:(0): processing NONCE payload. message ID = 0
May 25 02:34:31.623: ISAKMP:(0): vendor ID is NAT-T v2
May 25 02:34:31.623: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
May 25 02:34:31.623: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_AM_AAA_AWAIT
May 25 02:34:31.623: ISAKMP:(1002): constructed NAT-T vendor-02 ID
May 25 02:34:31.623: ISAKMP:(1002):SA is doing pre-shared key authentication plus XAUTH using id type ID_IPV4_ADDR
May 25 02:34:31.623: ISAKMP (1002): ID payload
next-payload : 10
type : 1
address : xxx.xxx.xxx.xxx
protocol : 0
port : 0
length : 12
May 25 02:34:31.623: ISAKMP:(1002):Total payload length: 12
May 25 02:34:31.627: ISAKMP:(1002): sending packet to xxx.xxx.xxx.xxx my_port 500 peer_port 17348 (R) AG_INIT_EXCH
May 25 02:34:31.627: ISAKMP:(1002):Sending an IKE IPv4 Packet.
May 25 02:34:31.627: ISAKMP:(1002):Input = IKE_MESG_FROM_AAA, PRESHARED_KEY_REPLY
May 25 02:34:31.627: ISAKMP:(1002):Old State = IKE_R_AM_AAA_AWAIT New State = IKE_R_AM2
May 25 02:34:36.971: ISAKMP (1002): received packet from xxx.xxx.xxx.xxx dport 500 sport 17348 Global (R) AG_INIT_EXCH
May 25 02:34:36.971: ISAKMP:(1002): phase 1 packet is a duplicate of a previous packet.
May 25 02:34:36.971: ISAKMP:(1002): retransmitting due to retransmit phase 1
May 25 02:34:37.471: ISAKMP:(1002): retransmitting phase 1 AG_INIT_EXCH...
May 25 02:34:37.471: ISAKMP (1002): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
May 25 02:34:37.471: ISAKMP:(1002): retransmitting phase 1 AG_INIT_EXCH
May 25 02:34:37.471: ISAKMP:(1002): sending packet to xxx.xxx.xxx.xxx my_port 500 peer_port 17348 (R) AG_INIT_EXCH
May 25 02:34:37.471: ISAKMP:(1002):Sending an IKE IPv4 Packet.
May 25 02:34:42.043: ISAKMP (1002): received packet from xxx.xxx.xxx.xxx dport 500 sport 17348 Global (R) AG_INIT_EXCH
May 25 02:34:42.043: ISAKMP:(1002): phase 1 packet is a duplicate of a previous packet.
May 25 02:34:42.043: ISAKMP:(1002): retransmitting due to retransmit phase 1
May 25 02:34:42.543: ISAKMP:(1002): retransmitting phase 1 AG_INIT_EXCH...
May 25 02:34:42.543: ISAKMP (1002): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
May 25 02:34:42.543: ISAKMP:(1002): retransmitting phase 1 AG_INIT_EXCH
May 25 02:34:42.543: ISAKMP:(1002): sending packet to xxx.xxx.xxx.xxx my_port 500 peer_port 17348 (R) AG_INIT_EXCH
May 25 02:34:42.543: ISAKMP:(1002):Sending an IKE IPv4 Packet.
May 25 02:34:47.135: ISAKMP (1002): received packet from xxx.xxx.xxx.xxx dport 500 sport 17348 Global (R) AG_INIT_
May 25 02:34:47.135: ISAKMP:(1002): phase 1 packet is a duplicate of a previous packet.
May 25 02:34:47.135: ISAKMP:(1002): retransmitting due to retransmit phase 1
May 25 02:34:47.635: ISAKMP:(1002): retransmitting phase 1 AG_INIT_EXCH...
May 25 02:34:47.635: ISAKMP (1002): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
May 25 02:34:47.635: ISAKMP:(1002): retransmitting phase 1 AG_INIT_EXCH
May 25 02:34:47.635: ISAKMP:(1002): sending packet to xxx.xxx.xxx.xxx my_port 500 peer_port 17348 (R) AG_INIT_EXCH
May 25 02:34:47.635: ISAKMP:(1002):Sending an IKE IPv4 Packet.
May 25 02:34:57.635: ISAKMP:(1002): retransmitting phase 1 AG_INIT_EXCH...
May 25 02:34:57.635: ISAKMP (1002): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
May 25 02:34:57.635: ISAKMP:(1002): retransmitting phase 1 AG_INIT_EXCH
May 25 02:34:57.635: ISAKMP:(1002): sending packet to xxx.xxx.xxx.xxx my_port 500 peer_port 17348 (R) AG_INIT_EXCH
May 25 02:34:57.635: ISAKMP:(1002):Sending an IKE IPv4 Packet.
no debug all
06-04-2013 05:51 PM
I found what the issue is. So, I have 3 WAN ports. When I just have one T1 plugged in, everything works fine. When I have the 2 other WAN ports (other WAN ports using DSL) on, that is when I get the issue. Same thing with the FTP server. Sometimes you can connect to FTP, sometimes you can't, but if I use one WAN port at a time everything works fine. Once I plug in 2 of them or all three of them, that is when I start getting problems. Does anyone know how to fix it?
06-04-2013 05:55 PM
So, if I'm connected as a VPN client, it shows connected but I can't ping anything on the network. Once I unplug those two DSL WAN ports I can access anything on the network... Once I plug them back in, it does not work again... Does this make sense?
06-05-2013 06:58 PM
Laura
If it works with only the T1 connected and does not work when you have two DSL connections in addition, then it suggests that there is some routing confusion or ambiguity when there are multiple outbound interfaces. Or that perhaps there is some overlap in the address translation. There was one post in this thread with some configuration details, but so much of the detail was masked with xxx that it is difficult for us to figure out the details of the problem. For example, now that I know to look for routing issues I see that there are three static default routes and all have the same administrative distance. So it gets hard to know which traffic will use which outbound interface.
HTH
Rick
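Added example, not part of the thread: a small Python parser that reduces ISAKMP debug output like the one in the first post to the facts that matter for triage (which transform was accepted, which were rejected, and whether phase 1 is stuck retransmitting). The sample log is constructed by shortening the posted output, and the function names and the verdict labels are assumptions of this example, not IOS terminology.

```python
import re

# Constructed sample: a shortened form of the debug output in the first post.
SAMPLE = """\
May 25 02:34:31.603: ISAKMP:(0):Checking ISAKMP transform 8 against priority 1 policy
May 25 02:34:31.603: ISAKMP:(0):Encryption algorithm offered does not match policy!
May 25 02:34:31.603: ISAKMP:(0):atts are not acceptable. Next payload is 3
May 25 02:34:31.603: ISAKMP:(0):Checking ISAKMP transform 9 against priority 1 policy
May 25 02:34:31.603: ISAKMP:(0):atts are acceptable. Next payload is 3
May 25 02:34:31.627: ISAKMP:(1002): sending packet to xxx.xxx.xxx.xxx my_port 500 peer_port 17348 (R) AG_INIT_EXCH
May 25 02:34:36.971: ISAKMP:(1002): phase 1 packet is a duplicate of a previous packet.
May 25 02:34:37.471: ISAKMP (1002): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
May 25 02:34:42.043: ISAKMP:(1002): phase 1 packet is a duplicate of a previous packet.
May 25 02:34:42.543: ISAKMP (1002): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
"""

def summarize(log):
    """Collect phase 1 facts from ISAKMP debug output."""
    s = {"accepted": None, "rejected": [], "duplicates": 0, "attempts": 0}
    current = None  # transform number currently being checked
    for line in log.splitlines():
        m = re.search(r"Checking ISAKMP transform (\d+) against", line)
        if m:
            current = int(m.group(1))
        elif "atts are not acceptable" in line:
            s["rejected"].append(current)
        elif "atts are acceptable" in line:
            s["accepted"] = current
        elif "duplicate of a previous packet" in line:
            s["duplicates"] += 1
        else:
            m = re.search(r"attempt (\d+) of \d+: retransmit phase 1", line)
            if m:
                s["attempts"] = max(s["attempts"], int(m.group(1)))
    return s

def verdict(s):
    """Heuristic reading of the summary (an assumption of this example)."""
    if s["accepted"] is None:
        return "no-proposal-match"
    if s["duplicates"] and s["attempts"]:
        # The proposal matched, yet the peer keeps resending its first packet
        # while the router resends its reply: the exchange is not completing,
        # so look at the return path (routing, NAT) before the crypto policy.
        return "reply-not-completing"
    return "phase1-progressing"
```

Run against the full posted log, the rejected transforms are expected noise once one transform is accepted; the retransmit counter climbing alongside duplicate packets is the part that points at the path rather than the policy.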