IPSEC SETUP FAILED message on 2911 Router

a.alessandri
Level 1

Hello,

I have a site-to-site VPN topology on my network between a 2911 and an 1800 router; it works properly and there are no communication problems.

But in the show logging output on the 2911 I can see a lot of these messages:

%CRYPTO-5-IPSEC_SETUP_FAILURE: IPSEC SETUP FAILED for local:<local_IP> local_id:<local_ID> remote:<remote_IP> remote_id:<remote_ID> IKE profile:None fvrf:None fail_reason:IPSec Proposal failure fail_class_cnt:1

%CRYPTO-5-IPSEC_SETUP_FAILURE: IPSEC SETUP FAILED for local:<local_IP> local_id:<local_ID> remote:<remote_IP> remote_id:<remote_ID> IKE profile:None fvrf:None fail_reason:IPSec Proposal failure fail_class_cnt:2

What do you suggest to resolve this issue?

5 Replies

pjain2
Cisco Employee

Can you check whether the crypto ACL on both routers is configured with the same entries?

It looks like the local router is trying to set up a phase 2 SA for the local and remote IDs specified in the logs, and it is not able to establish that SA.

Please check whether or not you want to set up the IPsec SA between those subnets.

Pjain2

I have the same problem. As stated by the OP, the tunnel is up, PH1 & PH2 with active SA.

Also, I can reach the remote end. I see encryption/decryption and no inc on the error packets.

But this thing keeps displaying on the screen.

It's a 3800 router with a SonicWall firewall (can't remember the IOS on the device, though).

Thanks in advance

lance

Lance

Can you post the crypto configuration from your router? This might help us to identify the issue. Certainly one thing to look for is the possibility mentioned by Pjain2 that the router is attempting to negotiate an SA for a second address in the crypto access list. If we look at the config and do not find an explanation, then the next step would be to run debug for crypto IPsec, which may supply information about what is going on.

It would be helpful if you would post examples of a couple of the log messages that you are seeing. The original poster carefully blanked out all of the identifying information. If we could see that information it may relate to what we are looking at in the config.

HTH

Rick
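
The replies above suggest comparing the identities in the log messages against the crypto ACL entries. As an added example (not posted by anyone in this thread), the Python below groups %CRYPTO-5-IPSEC_SETUP_FAILURE lines by local_id, remote_id, peer and fail_reason so each failing pair can be looked up in the configuration. The sample lines are constructed with documentation addresses, and the names `parse_failure`, `summarize` and `SAMPLE_LOG` are hypothetical.

```python
import re
from collections import defaultdict

# Field layout taken from the message format quoted in the original post.
# search() is used so a syslog timestamp prefix in front of it is tolerated.
PATTERN = re.compile(
    r"%CRYPTO-5-IPSEC_SETUP_FAILURE: IPSEC SETUP FAILED for\s+"
    r"local:(?P<local>\S+)\s+local_id:(?P<local_id>\S+)\s+"
    r"remote:(?P<remote>\S+)\s+remote_id:(?P<remote_id>\S+)\s+"
    r"IKE profile:(?P<ike_profile>\S+)\s+fvrf:(?P<fvrf>\S+)\s+"
    r"fail_reason:(?P<fail_reason>.+?)\s+fail_class_cnt:(?P<count>\d+)"
)

# Constructed sample input (RFC 5737 documentation addresses, not real peers).
SAMPLE_LOG = """\
*Mar  1 10:00:01.123: %CRYPTO-5-IPSEC_SETUP_FAILURE: IPSEC SETUP FAILED for local:192.0.2.1 local_id:192.0.2.1 remote:198.51.100.2 remote_id:198.51.100.2 IKE profile:None fvrf:None fail_reason:IPSec Proposal failure fail_class_cnt:1
*Mar  1 10:00:31.456: %CRYPTO-5-IPSEC_SETUP_FAILURE: IPSEC SETUP FAILED for local:192.0.2.1 local_id:192.0.2.1 remote:198.51.100.2 remote_id:198.51.100.2 IKE profile:None fvrf:None fail_reason:IPSec Proposal failure fail_class_cnt:2
*Mar  1 10:05:00.000: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up
*Mar  1 10:07:12.789: %CRYPTO-5-IPSEC_SETUP_FAILURE: IPSEC SETUP FAILED for local:192.0.2.1 local_id:192.0.2.1 remote:203.0.113.9 remote_id:203.0.113.9 IKE profile:None fvrf:None fail_reason:IPSec Proposal failure fail_class_cnt:1
"""


def parse_failure(line):
    """Return the message fields as a dict, or None for unrelated log lines."""
    match = PATTERN.search(line)
    return match.groupdict() if match else None


def summarize(lines):
    """Group failures by (local_id, remote_id, peer, reason), busiest first."""
    groups = defaultdict(lambda: {"events": 0, "max_cnt": 0})
    for line in lines:
        fields = parse_failure(line)
        if fields is None:
            continue  # not an IPSEC_SETUP_FAILURE message
        key = (fields["local_id"], fields["remote_id"],
               fields["remote"], fields["fail_reason"])
        groups[key]["events"] += 1
        # Keep the highest fail_class_cnt value seen for this group.
        groups[key]["max_cnt"] = max(groups[key]["max_cnt"], int(fields["count"]))
    return sorted(groups.items(), key=lambda item: -item[1]["events"])


if __name__ == "__main__":
    for (lid, rid, peer, reason), stats in summarize(SAMPLE_LOG.splitlines()):
        print(f"{lid} -> {rid} via {peer}: {reason} "
              f"({stats['events']} events, max cnt {stats['max_cnt']})")
```

Each group in the output corresponds to one identity pair to check against the crypto ACL on both peers.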


Hi Richard,

Ignore this, I just got the customer to clear the session and voilà, no error any more :D

awww

Thanks for the response though, much appreciated.

regards,

the cool lancellot

Glad you were able to clear it. Thanks for letting us know.

HTH

Rick
