03-21-2013 04:25 PM
I am getting these errors:
*Mar 21 22:43:08.871: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 192.168.11.2
*Mar 21 22:44:18.379: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 192.168.11.2
Kindly check the config of the ROUTER and ASA below.
CISCO ASA CONFIG:
interface Ethernet0/0
nameif outside
NO SH
security-level 0
ip address 192.168.11.2 255.255.255.0
interface Ethernet0/1
ip add 192.168.14.1
nameif inside
NO SH
access-list orig extended permit ip 192.168.14.0 255.255.255.0 192.168.17.0 255.255.255.0
access-list nat0 extended permit ip 192.168.14.0 255.255.255.0 192.168.17.0 255.255.255.0
access-list 100 extended permit ip any any
access-group 100 in interface outside
global (outside) 1 interface
nat (inside) 1 0 0
nat (inside) 0 access-list nat0
route outside 0.0.0.0 0.0.0.0 192.168.10.11
phase 2:
crypto ipsec transform-set transac esp-des esp-sha-hmac
crypto map outside_map 1 match address orig
crypto map outside_map 1 set peer 192.168.11.1
crypto map outside_map 1 set transform-set transac
crypto map outside_map 1 set security-association lifetime seconds 3600
crypto map outside_map interface outside
phase 1:
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800
tunnel-group 192.168.11.1 type ipsec-l2l
tunnel-group 192.168.11.1 ipsec-attributes
pre-shared-key Cock<Tial>PRtee
===============cisco router=============================
interface FastEthernet0/0
ip address 192.168.11.1 255.255.255.0
no sh
interface FastEthernet0/1
ip address 192.168.17.1 255.255.255.0
no sh
access-list 101 permit ip 192.168.17.0 0.0.0.255 192.168.14.0 0.0.0.255
ip route 0.0.0.0 0.0.0.0 192.168.11.2
Phase 1:
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800
crypto isakmp key Cock<Tial>PRtee address 192.168.11.2
Phase 2:
crypto ipsec transform-set transac esp-des esp-sha-hmac
crypto map cryptmap 1 ipsec-isakmp
set security-association lifetime seconds 3600
set peer 192.168.11.2
match address 101
interface FastEthernet0/0
crypto map cryptmap
Router(config-crypto-map)#set security-association lifetime sec
Router(config-crypto-map)#set security-association lifetime seconds 3600
Router(config-crypto-map)#
*Mar 21 21:29:25.591: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 192.168.11.2
*Mar 21 21:30:30.579: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 192.168.11.2
*Mar 21 21:31:35.587: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 192.168.11.2
*Mar 21 21:32:41.059: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 192.168.11.2
*Mar 21 21:33:51.067: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 192.168.11.2
*Mar 21 21:34:57.027: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 192.168.11.2
*Mar 21 21:36:07.495: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode fail
=========================================
*Mar 21 22:43:03.423: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
*Mar 21 22:43:03.823: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
(ip) vrf/dest_addr= /192.168.17.4, src_addr= 192.168.14.4, prot= 1
*Mar 21 22:43:08.871: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 192.168.11.2
*Mar 21 22:44:18.379: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 192.168.11.2
Router# sh crypto isakmp sa
dst src state conn-id slot status
192.168.11.1 192.168.11.2 QM_IDLE 9 0 ACTIVE
192.168.11.1 192.168.11.2 MM_NO_STATE 8 0 ACTIVE (deleted)
192.168.11.1 192.168.11.2 MM_NO_STATE 7 0 ACTIVE (deleted)
Router#sh crypto ipsec sa
interface: FastEthernet0/0
Crypto map tag: cryptmap, local addr 192.168.11.1
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.17.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.14.0/255.255.255.0/0/0)
current_peer 192.168.11.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 59, #recv errors 0
local crypto endpt.: 192.168.11.1, remote crypto endpt.: 192.168.11.2
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
ciscoasa# sh crypto isakmp sa
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 192.168.11.1
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
ciscoasa# sh crypto ipsec sa
ciscoasa#
ciscoasa# debug crypto isakmp
ciscoasa#
ciscoasa#
ciscoasa#
ciscoasa# conf t
ciscoasa(config)# int e0/0
ciscoasa(config-if)#
ciscoasa(config-if)# sh
ciscoasa(config-if)# Jan 01 02:32:21 [IKEv1]: Group = 192.168.11.1, IP = 192.168.11.1, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
Jan 01 02:32:21 [IKEv1]: Group = 192.168.11.1, IP = 192.168.11.1, Removing peer from correlator table failed, no match!
03-21-2013 04:30 PM
Check this link for troubleshooting-
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml