Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2284
Views
0
Helpful
9
Replies

Can't connect Cisco 2621 to AWS EC2 Openswan site to site vpn

Go to solution
Paul Bedorf
Level 1
Level 1

‎04-16-2016 05:34 PM

Hello, I am configuring Site-to-Site vpn between my home Cisco 2621 router and Amazon EC2 instance running openswan.
I keep on getting the following message on the openswan server: " NO_PROPOSAL_CHOSEN "
My Cisco 2621 router config and Openswan config are posted below, I know im missing something small but just can't
figure it out what it is :-) any help would be appreciated.

Apr 16 20:05:55 ip-172-31-1-142.us-west-2.compute.internal pluto[28503]: "paulaga-home" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Apr 16 20:05:55 ip-172-31-1-142.us-west-2.compute.internal pluto[28503]: | protocol/port in Phase 1 ID Payload is 17/0. accepted with port_floating NAT-T
Apr 16 20:05:55 ip-172-31-1-142.us-west-2.compute.internal pluto[28503]: "paulaga-home" #1: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.253'
Apr 16 20:05:55 ip-172-31-1-142.us-west-2.compute.internal pluto[28503]: "paulaga-home" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Apr 16 20:05:55 ip-172-31-1-142.us-west-2.compute.internal pluto[28503]: "paulaga-home" #1: STATE_MAIN_I4: ISAKMP SA established {auth=PRESHARED_KEY cipher=oakley_3des_cbc_192 integ=md5 group=MODP1536}
Apr 16 20:05:55 ip-172-31-1-142.us-west-2.compute.internal pluto[28503]: "paulaga-home" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW {using isakmp#1 msgid:17d23abf proposal=defaults pfsgroup=OAKLEY_GROUP_MODP1536}
Apr 16 20:05:55 ip-172-31-1-142.us-west-2.compute.internal pluto[28503]: "paulaga-home" #1: ignoring informational payload NO_PROPOSAL_CHOSEN, msgid=00000000, length=160
Apr 16 20:05:55 ip-172-31-1-142.us-west-2.compute.internal pluto[28503]: | ISAKMP Notification Payload
Apr 16 20:05:55 ip-172-31-1-142.us-west-2.compute.internal pluto[28503]: |   00 00 00 a0  00 00 00 01  03 04 00 0e
Apr 16 20:05:55 ip-172-31-1-142.us-west-2.compute.internal pluto[28503]: "paulaga-home" #1: received and ignored informational message

The diagram looks like this:
192.168.0.0/24:FA0/1[Router]FA0/0 192.168.1.253---------192.168.1.254[Modem]64.231.25.93 ( pub ip assigned to my modem )

Cisco 2621 Router Config:

Current configuration : 2649 bytes
!
version 12.3
no parser cache
no service timestamps debug uptime
no service timestamps log uptime
service password-encryption
!
hostname cisco2600
!
boot-start-marker
boot system flash c2600-ik9o3s3-mz.123-26.bin
boot-end-marker
!
logging buffered 10000 debugging
no logging monitor
!
no aaa new-model
ip subnet-zero
ip cef
!
!
ip name-server 192.168.0.10
!
ip audit po max-events 100
!

username admin privilege 15 password 7 01100F175804
!

crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 5
crypto isakmp key mysecretkey address 52.39.49.77
!
crypto ipsec security-association lifetime seconds 28800
!
crypto ipsec transform-set AMAZON-TRANSFORM-SET esp-3des esp-md5-hmac

!
crypto map INTERNET-CRYPTO 11 ipsec-isakmp
 ! Incomplete
 description Amazon EC2 instance
 set peer 52.39.49.77
 set transform-set AMAZON-TRANSFORM-SET
 match address 111
!
!
!
!
interface FastEthernet0/0
 description Connection to Bell Modem
 ip address 192.168.1.253 255.255.255.0
 ip nat outside
 duplex auto
 speed auto
 crypto map INTERNET-CRYPTO
!
interface Serial0/0
 no ip address
!
interface FastEthernet0/1
 description Connection to LAN
 ip address 192.168.0.254 255.255.255.0
 ip helper-address 192.168.0.10
 ip nat inside
 duplex auto
 speed auto
 no cdp enable
!
interface FastEthernet0/1.2
 description Service Vlan
 encapsulation dot1Q 2
 ip address 10.0.0.254 255.0.0.0
 ip helper-address 192.168.0.10
 ip nat inside
!
ip nat inside source list ACL-NAT interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.0.47 3389 interface FastEthernet0/0 3389
ip http server
ip http authentication local
no ip http secure-server
no ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.254
!
!!
!
!
ip access-list extended ACL-NAT
 permit ip any any
 permit tcp any any
 permit udp any any
logging trap debugging
logging facility syslog
logging 192.168.0.47
access-list 111 permit ip 192.168.0.0 0.0.0.255 172.31.1.0 0.0.0.255
!
!
!
dial-peer cor custom
!
!
!
line con 0
 password 7 05080F1C2243
 login
line aux 0
line vty 0 4
 privilege level 15
 login local
 transport input telnet
 transport output telnet
line vty 5 15
 privilege level 15
 login local
 transport input telnet
 transport output telnet
!
!
end

Openswan Configuration:

paulaga.secrets file:

64.231.25.93 192.168.1.253 52.39.49.77: PSK "mysecretkey"

paulaga.conf file:

conn paulaga-home
        left=%defaultroute
        leftsubnet=172.31.0.0/16 # My EC2 subnet
        leftid=52.39.49.77 # My EC2 public ip
        right=64.231.25.93 # My Home Modem public ip
        rightid=192.168.1.253 # My Home Cisco 2621 router outside interface ip
        rightsubnet=192.168.0.0/24 # My Home Cisco 2621 LAN
        authby=secret
        pfs=yes
        auto=start

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Aditya Ganjoo
Cisco Employee
Cisco Employee

‎04-16-2016 09:13 PM

Hi,

Since we are getting the following error NO_PROPOSAL_CHOSEN could you please add the following policies on the router and then check :

crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 5

crypto isakmp policy 20
 encr 3des
 hash md5
 authentication pre-share
 group 2

crypto isakmp policy 30
 encr 3des
 hash sha
 authentication pre-share
 group 2

crypto isakmp policy 40
 encr aes
 hash md5
 authentication pre-share
 group 2

Please test with these and keep us posted with the results.

Regards,

Aditya

Please rate helpful posts and mark correct answers.

View solution in original post

0 Helpful
9 Replies 9

Go to solution
Aditya Ganjoo
Cisco Employee
Cisco Employee

‎04-16-2016 09:13 PM

Hi,

Since we are getting the following error NO_PROPOSAL_CHOSEN could you please add the following policies on the router and then check :

crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 5

crypto isakmp policy 20
 encr 3des
 hash md5
 authentication pre-share
 group 2

crypto isakmp policy 30
 encr 3des
 hash sha
 authentication pre-share
 group 2

crypto isakmp policy 40
 encr aes
 hash md5
 authentication pre-share
 group 2

Please test with these and keep us posted with the results.

Regards,

Aditya

Please rate helpful posts and mark correct answers.

0 Helpful

Go to solution
Paul Bedorf
Level 1
Level 1
In response to Aditya Ganjoo

‎04-17-2016 08:56 AM

Hello Aditya, I have added the following policies, see below, but same problem persists... I start to wonder if my IOS is too old, im running:

IOS (tm) C2600 Software (C2600-IK9O3S3-M), Version 12.3(26), RELEASE SOFTWARE (fc2)
c2600-ik9o3s3-mz.123-26.bin

crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
!
crypto isakmp policy 20
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 30
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 40
 encr aes
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 50
 encr aes
 hash md5
 authentication pre-share
 group 5

0 Helpful

Go to solution
Aditya Ganjoo
Cisco Employee
Cisco Employee
In response to Paul Bedorf

‎04-17-2016 11:23 AM

Hi,

I do not think it is a code issue.

Could you share the debugs again with the fresh config ?

Regards,

Aditya

0 Helpful

Go to solution
Paul Bedorf
Level 1
Level 1
In response to Aditya Ganjoo

‎04-17-2016 12:11 PM

Hi Aditya, I have included the logs from Openswan server and Cisco router:

Openswan:

 998 Apr 17 15:08:29 ip-172-31-1-142 pluto[4756]: "paulaga-home" #1: initiating Main Mode
 999 Apr 17 15:08:29 ip-172-31-1-142 pluto[4756]: "paulaga-home" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
1000 Apr 17 15:08:29 ip-172-31-1-142 pluto[4756]: "paulaga-home" #1: enabling possible NAT-traversal with method draft-ietf-ipsec-nat-t-ike-02/03
1001 Apr 17 15:08:29 ip-172-31-1-142 pluto[4756]: "paulaga-home" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
1002 Apr 17 15:08:29 ip-172-31-1-142 pluto[4756]: "paulaga-home" #1: STATE_MAIN_I2: sent MI2, expecting MR2
1003 Apr 17 15:08:29 ip-172-31-1-142 pluto[4756]: "paulaga-home" #1: received Vendor ID payload [Cisco-Unity]
1004 Apr 17 15:08:29 ip-172-31-1-142 pluto[4756]: "paulaga-home" #1: received Vendor ID payload [Dead Peer Detection]
1005 Apr 17 15:08:29 ip-172-31-1-142 pluto[4756]: "paulaga-home" #1: ignoring unknown Vendor ID payload [b1fafc36734c8b90291f343754784dee]
1006 Apr 17 15:08:29 ip-172-31-1-142 pluto[4756]: "paulaga-home" #1: received Vendor ID payload [XAUTH]
1007 Apr 17 15:08:29 ip-172-31-1-142 pluto[4756]: "paulaga-home" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03 sender port 500: I am behind      NAT+peer behind NAT
1008 Apr 17 15:08:29 ip-172-31-1-142 pluto[4756]: "paulaga-home" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
1009 Apr 17 15:08:29 ip-172-31-1-142 pluto[4756]: "paulaga-home" #1: STATE_MAIN_I3: sent MI3, expecting MR3
1010 Apr 17 15:08:29 ip-172-31-1-142 pluto[4756]: | protocol/port in Phase 1 ID Payload is 17/0. accepted with port_floating NAT-T
1011 Apr 17 15:08:29 ip-172-31-1-142 pluto[4756]: "paulaga-home" #1: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.253'
1012 Apr 17 15:08:29 ip-172-31-1-142 pluto[4756]: "paulaga-home" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
1013 Apr 17 15:08:29 ip-172-31-1-142 pluto[4756]: "paulaga-home" #1: STATE_MAIN_I4: ISAKMP SA established {auth=PRESHARED_KEY cipher=oakley_3des_cbc_192 integ     =md5 group=MODP1024}
1014 Apr 17 15:08:29 ip-172-31-1-142 pluto[4756]: "paulaga-home" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_F     RAG_ALLOW {using isakmp#1 msgid:bf46cf4a proposal=3DES(3)_000-MD5(1)_000 pfsgroup=OAKLEY_GROUP_MODP1024}
1015 Apr 17 15:08:30 ip-172-31-1-142 pluto[4756]: "paulaga-home" #1: ignoring informational payload NO_PROPOSAL_CHOSEN, msgid=00000000, length=68
1016 Apr 17 15:08:30 ip-172-31-1-142 pluto[4756]: | ISAKMP Notification Payload
1017 Apr 17 15:08:30 ip-172-31-1-142 pluto[4756]: |   00 00 00 44  00 00 00 01  03 04 00 0e
1018 Apr 17 15:08:30 ip-172-31-1-142 pluto[4756]: "paulaga-home" #1: received and ignored informational message

Cisco Router:

04-17-2016 14:56:54 Syslog.Info 192.168.0.254 101: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 52.39.49.77   
04-17-2016 14:51:50 Syslog.Info 192.168.0.254 100: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 52.39.49.77   
04-17-2016 11:43:11 Syslog.Notice 192.168.0.254 99: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.168.0.47)
04-17-2016 11:42:46 Syslog.Info 192.168.0.254 98: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 52.39.49.77   
04-17-2016 11:41:22 Syslog.Notice 192.168.0.254 97: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.168.0.47)
04-17-2016 11:40:21 Syslog.Info 192.168.0.254 96: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 52.39.49.77   
04-17-2016 11:39:20 Syslog.Info 192.168.0.254 95: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 52.39.49.77   

0 Helpful

Go to solution
Aditya Ganjoo
Cisco Employee
Cisco Employee
In response to Paul Bedorf

‎04-17-2016 12:17 PM

Hi,

Your Phase 1 is up but Phase 2 is down now.

I see that your are using NAT on the router.

You need to deny the VPN traffic so that it does not get NATTed.

You need to use this ACL so that it is able to deny the VPN traffic to get NATTed.

ip access-list extended ACL-NAT

deny ip 192.168.0.0 0.0.0.255 172.31.1.0 0.0.0.255
 permit ip any any
 permit tcp any any
 permit udp any any

Regards,

Aditya

Please rate helpful posts and mark correct answers.

0 Helpful

Go to solution
Paul Bedorf
Level 1
Level 1
In response to Aditya Ganjoo

‎04-17-2016 12:40 PM

I taught it was really it... but unfortunately it still does the same... I have included mu updated Cisco Config and latest Cisco Debug

Could it be the issue is that im trying to set up site to site vpn on my main router that also serves access to the internet for my lan?

CISCO CONFIG

cisco2600#sh run
Building configuration...

Current configuration : 3136 bytes
!
version 12.3
no parser cache
no service timestamps debug uptime
no service timestamps log uptime
service password-encryption
!
hostname cisco2600
!
boot-start-marker
boot system flash c2600-ik9o3s3-mz.123-26.bin
boot-end-marker
!
logging buffered 10000 debugging
no logging monitor
!
no aaa new-model
ip subnet-zero
ip cef
!
!
ip name-server 192.168.0.10
!
ip audit po max-events 100
!
!
!
!
!
!
!
!
!
!
!
!
username admin privilege 15 password 7 01100F175804
!
!
!
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
!
crypto isakmp policy 20
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 30
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 40
 encr aes
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 50
 encr aes
 hash md5
 authentication pre-share
 group 5
crypto isakmp key 123paulaga123 address 52.39.49.77
!
crypto ipsec security-association lifetime seconds 28800
!
crypto ipsec transform-set AMAZON-TRANSFORM-SET esp-3des esp-md5-hmac
!
crypto map INTERNET-CRYPTO 11 ipsec-isakmp
 description Amazon EC2 instance
 set peer 52.39.49.77
 set transform-set AMAZON-TRANSFORM-SET
 match address 111
!
!
!
!
interface FastEthernet0/0
 description Connection to Bell Modem
 ip address 192.168.1.253 255.255.255.0
 ip nat outside
 duplex auto
 speed auto
 crypto map INTERNET-CRYPTO
!
interface Serial0/0
 no ip address
!
interface FastEthernet0/1
 description Connection to LAN
 ip address 192.168.0.254 255.255.255.0
 ip helper-address 192.168.0.10
 ip nat inside
 duplex auto
 speed auto
 no cdp enable
!
interface FastEthernet0/1.2
 description Service Vlan
 encapsulation dot1Q 2
 ip address 10.0.0.254 255.0.0.0
 ip helper-address 192.168.0.10
 ip nat inside
!
ip nat inside source list ACL-NAT interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.0.47 3389 interface FastEthernet0/0 3389
ip http server
ip http authentication local
no ip http secure-server
no ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.254
!
!
!
ip access-list extended ACL-NAT
 deny   ip 192.168.0.0 0.0.0.255 172.31.1.0 0.0.0.255
 deny   ip 192.168.0.0 0.0.0.255 host 52.39.49.77
 permit ip any any
 permit tcp any any
 permit udp any any
logging trap debugging
logging facility syslog
logging 192.168.0.47
access-list 111 permit ip 192.168.0.0 0.0.0.255 host 52.39.49.77
!
!
!
dial-peer cor custom
!
!
!
!
banner motd ^C
====================================================================================
= Welcome to paulaga.com domain, all your activity is being monitored and logged   =
= all un-authorized access to this device is prihibited and will be used against   =
= you in the court of law. Please use this device with permission accordingly      =
====================================================================================
!
^C
!
line con 0
 password 7 05080F1C2243
 login
line aux 0
line vty 0 4
 privilege level 15
 login local
 transport input telnet
 transport output telnet
line vty 5 15
 privilege level 15
 login local
 transport input telnet
 transport output telnet
!
!
end

CISCO DEBUG LOGS

2016-04-17 15:27:19 Syslog.Debug 192.168.0.254 1744: ISAKMP (0:50): received packet from 52.39.49.77 dport 4500 sport 4500 Global (R) QM_IDLE     
2016-04-17 15:27:19 Syslog.Debug 192.168.0.254 1745: ISAKMP: set new node 1530401465 to QM_IDLE     
2016-04-17 15:27:19 Syslog.Debug 192.168.0.254 1746: CryptoEngine0: generate hmac context for conn id 50
2016-04-17 15:27:19 Syslog.Debug 192.168.0.254 1747: ISAKMP (0:50): processing HASH payload. message ID = 1530401465
2016-04-17 15:27:19 Syslog.Debug 192.168.0.254 1748: ISAKMP (0:50): processing DELETE payload. message ID = 1530401465
2016-04-17 15:27:19 Syslog.Debug 192.168.0.254 1749: ISAKMP (0:50): peer does not do paranoid keepalives.
2016-04-17 15:27:19 Syslog.Debug 192.168.0.254 1750:
2016-04-17 15:27:19 Syslog.Debug 192.168.0.254 1751: ISAKMP (0:50): deleting SA reason "P1 delete notify (in)" state (R) QM_IDLE       (peer 52.39.49.77) input queue 0
2016-04-17 15:27:19 Syslog.Debug 192.168.0.254 1752: ISAKMP (0:50): deleting node 1530401465 error FALSE reason "informational (in) state 1"
2016-04-17 15:27:19 Syslog.Debug 192.168.0.254 1753: ISAKMP (0:50): Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
2016-04-17 15:27:20 Syslog.Debug 192.168.0.254 1754: ISAKMP (0:50): Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA
2016-04-17 15:27:20 Syslog.Debug 192.168.0.254 1755:
2016-04-17 15:27:20 Syslog.Debug 192.168.0.254 1756: ISAKMP (0:50): deleting SA reason "" state (R) QM_IDLE       (peer 52.39.49.77) input queue 0
2016-04-17 15:27:20 Syslog.Debug 192.168.0.254 1757: ISAKMP: Unlocking IKE struct 0x82AC3D5C for isadb_mark_sa_deleted(), count 0
2016-04-17 15:27:20 Syslog.Debug 192.168.0.254 1758: ISAKMP: Deleting peer node by peer_reap for 52.39.49.77: 82AC3D5C
2016-04-17 15:27:20 Syslog.Debug 192.168.0.254 1759: ISAKMP (0:50): deleting node 1530401465 error FALSE reason ""
2016-04-17 15:27:20 Syslog.Debug 192.168.0.254 1760: ISAKMP (0:50): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
2016-04-17 15:27:20 Syslog.Debug 192.168.0.254 1761: ISAKMP (0:50): Old State = IKE_DEST_SA  New State = IKE_DEST_SA
2016-04-17 15:27:20 Syslog.Debug 192.168.0.254 1762:
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1763: ISAKMP (0:0): received packet from 52.39.49.77 dport 500 sport 500 Global (N) NEW SA
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1764: ISAKMP: Created a peer struct for 52.39.49.77, peer port 500
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1765: ISAKMP: Locking peer struct 0x82AC3D5C, IKE refcount 1 for Responding to new initiation
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1766: ISAKMP: local port 500, remote port 500
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1767: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 82DBA0B8
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1768: ISAKMP (0:51): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1769: ISAKMP (0:51): Old State = IKE_READY  New State = IKE_R_MM1
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1770:
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1771: ISAKMP (0:51): processing SA payload. message ID = 0
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1772: ISAKMP (0:51): processing vendor id payload
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1773: ISAKMP (0:51): vendor ID is DPD
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1774: ISAKMP (0:51): processing vendor id payload
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1775: ISAKMP (0:51): vendor ID seems Unity/DPD but major 194 mismatch
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1776: ISAKMP (0:51): processing vendor id payload
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1777: ISAKMP (0:51): vendor ID seems Unity/DPD but major 69 mismatch
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1778: ISAKMP (0:51): processing vendor id payload
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1779: ISAKMP (0:51): vendor ID seems Unity/DPD but major 157 mismatch
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1780: ISAKMP (0:51): vendor ID is NAT-T v3
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1781: ISAKMP (0:51): processing vendor id payload
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1782: ISAKMP (0:51): vendor ID seems Unity/DPD but major 123 mismatch
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1783: ISAKMP (0:51): vendor ID is NAT-T v2
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1784: ISAKMP (0:51): processing vendor id payload
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1785: ISAKMP (0:51): vendor ID seems Unity/DPD but major 164 mismatch
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1786: ISAKMP: Looking for a matching key for 52.39.49.77 in default : success
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1787: ISAKMP (0:51): found peer pre-shared key matching 52.39.49.77
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1788: ISAKMP (0:51) local preshared key found
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1789: ISAKMP : Scanning profiles for xauth ...
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1790: ISAKMP (0:51): Checking ISAKMP transform 0 against priority 10 policy
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1791: ISAKMP:      life type in seconds
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1792: ISAKMP:      life duration (basic) of 3600
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1793: ISAKMP:      encryption 3DES-CBC
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1794: ISAKMP:      hash MD5
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1795: ISAKMP:      auth pre-share
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1796: ISAKMP:      unknown DH group 14
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1797: ISAKMP (0:51): Diffie-Hellman group offered does not match policy!
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1798: ISAKMP (0:51): atts are not acceptable. Next payload is 3
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1799: ISAKMP (0:51): Checking ISAKMP transform 1 against priority 10 policy
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1800: ISAKMP:      life type in seconds
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1801: ISAKMP:      life duration (basic) of 3600
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1802: ISAKMP:      encryption 3DES-CBC
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1803: ISAKMP:      hash MD5
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1804: ISAKMP:      auth pre-share
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1805: ISAKMP:      default group 5
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1806: ISAKMP (0:51): Diffie-Hellman group offered does not match policy!
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1807: ISAKMP (0:51): atts are not acceptable. Next payload is 3
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1808: ISAKMP (0:51): Checking ISAKMP transform 2 against priority 10 policy
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1809: ISAKMP:      life type in seconds
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1810: ISAKMP:      life duration (basic) of 3600
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1811: ISAKMP:      encryption 3DES-CBC
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1812: ISAKMP:      hash MD5
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1813: ISAKMP:      auth pre-share
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1814: ISAKMP:      default group 2
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1815: ISAKMP (0:51): atts are acceptable. Next payload is 0
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1816: CryptoEngine0: generate alg parameter
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1817: CRYPTO_ENGINE: Dh phase 1 status: 0
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1818: CRYPTO_ENGINE: Dh phase 1 status: 0
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1819: ISAKMP (0:51): processing vendor id payload
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1820: ISAKMP (0:51): vendor ID is DPD
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1821: ISAKMP (0:51): processing vendor id payload
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1822: ISAKMP (0:51): vendor ID seems Unity/DPD but major 194 mismatch
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1823: ISAKMP (0:51): processing vendor id payload
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1824: ISAKMP (0:51): vendor ID seems Unity/DPD but major 69 mismatch
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1825: ISAKMP (0:51): processing vendor id payload
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1826: ISAKMP (0:51): vendor ID seems Unity/DPD but major 157 mismatch
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1827: ISAKMP (0:51): vendor ID is NAT-T v3
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1828: ISAKMP (0:51): processing vendor id payload
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1829: ISAKMP (0:51): vendor ID seems Unity/DPD but major 123 mismatch
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1830: ISAKMP (0:51): vendor ID is NAT-T v2
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1831: ISAKMP (0:51): processing vendor id payload
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1832: ISAKMP (0:51): vendor ID seems Unity/DPD but major 164 mismatch
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1833: ISAKMP (0:51): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1834: ISAKMP (0:51): Old State = IKE_R_MM1  New State = IKE_R_MM1
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1835:
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1836: ISAKMP (0:51): constructed NAT-T vendor-03 ID
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1837: ISAKMP (0:51): sending packet to 52.39.49.77 my_port 500 peer_port 500 (R) MM_SA_SETUP
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1838: ISAKMP (0:51): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1839: ISAKMP (0:51): Old State = IKE_R_MM1  New State = IKE_R_MM2
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1840:
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1841: ISAKMP (0:51): received packet from 52.39.49.77 dport 500 sport 500 Global (R) MM_SA_SETUP
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1842: ISAKMP (0:51): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1843: ISAKMP (0:51): Old State = IKE_R_MM2  New State = IKE_R_MM3
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1844:
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1845: ISAKMP (0:51): processing KE payload. message ID = 0
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1846: CryptoEngine0: generate alg parameter
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1847: ISAKMP (0:51): processing NONCE payload. message ID = 0
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1848: ISAKMP: Looking for a matching key for 52.39.49.77 in default : success
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1849: ISAKMP (0:51): found peer pre-shared key matching 52.39.49.77
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1850: CryptoEngine0: create ISAKMP SKEYID for conn id 51
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1851: ISAKMP (0:51): SKEYID state generated
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1852: ISAKMP:received payload type 20
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1853: ISAKMP (0:51): NAT found, the node inside NAT
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1854: ISAKMP:received payload type 20
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1855: ISAKMP (0:51): NAT found, both nodes are all located inside NAT
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1856: ISAKMP (0:51): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1857: ISAKMP (0:51): Old State = IKE_R_MM3  New State = IKE_R_MM3
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1858:
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1859: ISAKMP (0:51): sending packet to 52.39.49.77 my_port 500 peer_port 500 (R) MM_KEY_EXCH
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1860: ISAKMP (0:51): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1861: ISAKMP (0:51): Old State = IKE_R_MM3  New State = IKE_R_MM4
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1862:
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1863: ISAKMP (0:51): received packet from 52.39.49.77 dport 4500 sport 4500 Global (R) MM_KEY_EXCH
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1864: ISAKMP (0:51): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1865: ISAKMP (0:51): Old State = IKE_R_MM4  New State = IKE_R_MM5
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1866:
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1867: ISAKMP (0:51): processing ID payload. message ID = 0
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1868: ISAKMP (0:51): ID payload
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1869:  next-payload : 8
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1870:  type         : 1
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1871:  address      : 52.39.49.77
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1872:  protocol     : 0
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1873:  port         : 0
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1874:  length       : 12
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1875: ISAKMP (0:51): peer matches *none* of the profiles
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1876: ISAKMP (0:51): processing HASH payload. message ID = 0
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1877: CryptoEngine0: generate hmac context for conn id 51
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1878: ISAKMP (0:51): SA authentication status:
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1879:  authenticated
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1880: ISAKMP (0:51): SA has been authenticated with 52.39.49.77
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1881: ISAKMP (0:51): Detected port floating to port = 4500
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1882: ISAKMP (0:51): Setting UDP ENC peer struct 0x8276CD60 sa= 0x82DBA0B8
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1883: ISAKMP (0:51): peer matches *none* of the profiles
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1884: ISAKMP (0:51): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1885: ISAKMP (0:51): Old State = IKE_R_MM5  New State = IKE_R_MM5
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1886:
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1887: ISAKMP (0:51): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1888: ISAKMP (0:51): ID payload
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1889:  next-payload : 8
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1890:  type         : 1
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1891: 
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1892:  address      : 192.168.1.253
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1893:  protocol     : 17
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1894:  port         : 0
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1895:  length       : 12
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1896: ISAKMP (51): Total payload length: 12
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1897: CryptoEngine0: generate hmac context for conn id 51
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1898: CryptoEngine0: clear dh number for conn id 1
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1899: ISAKMP (0:51): sending packet to 52.39.49.77 my_port 4500 peer_port 4500 (R) MM_KEY_EXCH
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1900: ISAKMP (0:51): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1901: ISAKMP (0:51): Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1902:
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1903: ISAKMP (0:51): Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1904: ISAKMP (0:51): Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1905:
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1906: ISAKMP (0:51): received packet from 52.39.49.77 dport 4500 sport 4500 Global (R) QM_IDLE     
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1907: ISAKMP: set new node -354073724 to QM_IDLE     
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1908: CryptoEngine0: generate hmac context for conn id 51
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1909: ISAKMP (0:51): processing HASH payload. message ID = -354073724
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1910: ISAKMP (0:51): processing SA payload. message ID = -354073724
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1911: ISAKMP (0:51): Checking IPSec proposal 0
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1912: ISAKMP: transform 0, ESP_3DES
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1913: ISAKMP:   attributes in transform:
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1914: ISAKMP:      group is 2
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1915: ISAKMP:      encaps is 61443 (Tunnel-UDP)
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1916: ISAKMP:      SA life type in seconds
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1917: ISAKMP:      SA life duration (basic) of 28800
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1918: ISAKMP:      authenticator is HMAC-MD5
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1919: CryptoEngine0: validate proposal
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1920: ISAKMP (0:51): atts are acceptable.
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1921: IPSEC(validate_proposal_request): proposal part #1,
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1922:   (key eng. msg.) INBOUND
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1923: local= 192.168.1.253, remote= 52.39.49.77,
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1924:     local_proxy= 192.168.0.0/255.255.255.0/0/0 (type=4),
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1925:     remote_proxy= 172.31.0.0/255.255.0.0/0/0 (type=4),
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1926:     protocol= ESP, transform= esp-3des esp-md5-hmac  (Tunnel-UDP),
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1927:     lifedur= 0s and 0kb,
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1928:     spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x420
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1929: CryptoEngine0: validate proposal request
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1930: IPSEC(kei_proxy): head = INTERNET-CRYPTO, map->ivrf = , kei->ivrf =
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1931: IPSEC(validate_transform_proposal): proxy identities not supported
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1932: ISAKMP (0:51): IPSec policy invalidated proposal
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1933: ISAKMP (0:51): phase 2 SA policy not acceptable! (local 192.168.1.253 remote 52.39.49.77)
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1934: ISAKMP: set new node 544334612 to QM_IDLE     
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1935: CryptoEngine0: generate hmac context for conn id 51
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1936: ISAKMP (0:51): Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1937:   spi 2197421272, message ID = 544334612
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1938: ISAKMP (0:51): sending packet to 52.39.49.77 my_port 4500 peer_port 4500 (R) QM_IDLE     
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1939: ISAKMP (0:51): purging node 544334612
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1940: ISAKMP (0:51): deleting node -354073724 error TRUE reason "quick mode rejected"
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1941: ISAKMP (0:51): Unknown Input IKE_MESG_FROM_PEER, IKE_QM_EXCH:  for node -354073724: state = IKE_QM_READY
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1942: ISAKMP (0:51): Node -354073724, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
2016-04-17 15:27:21 Syslog.Debug 192.168.0.254 1943: ISAKMP (0:51): Old State = IKE_QM_READY  New State = IKE_QM_READY
2016-04-17 15:27:22 Syslog.Info 192.168.0.254 1944: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 52.39.49.77   
2016-04-17 15:27:23 Syslog.Debug 192.168.0.254 1945: ISAKMP (0:51): received packet from 52.39.49.77 dport 4500 sport 4500 Global (R) QM_IDLE     
2016-04-17 15:27:23 Syslog.Debug 192.168.0.254 1946: ISAKMP (0:51): phase 2 packet is a duplicate of a previous packet.
2016-04-17 15:27:23 Syslog.Debug 192.168.0.254 1947: ISAKMP (0:51): retransmitting due to retransmit phase 2
2016-04-17 15:27:23 Syslog.Debug 192.168.0.254 1948: ISAKMP (0:51): ignoring retransmission,because phase2 node marked dead -354073724
2016-04-17 15:27:23 Syslog.Debug 192.168.0.254 1949: ISAKMP (0:51): received packet from 52.39.49.77 dport 4500 sport 4500 Global (R) QM_IDLE     
2016-04-17 15:27:23 Syslog.Debug 192.168.0.254 1950: ISAKMP (0:51): phase 2 packet is a duplicate of a previous packet.
2016-04-17 15:27:23 Syslog.Debug 192.168.0.254 1951: ISAKMP (0:51): retransmitting due to retransmit phase 2
2016-04-17 15:27:23 Syslog.Debug 192.168.0.254 1952: ISAKMP (0:51): ignoring retransmission,because phase2 node marked dead -354073724
2016-04-17 15:27:24 Syslog.Debug 192.168.0.254 1953: ISAKMP (0:51): received packet from 52.39.49.77 dport 4500 sport 4500 Global (R) QM_IDLE     
2016-04-17 15:27:24 Syslog.Debug 192.168.0.254 1954: ISAKMP (0:51): phase 2 packet is a duplicate of a previous packet.
2016-04-17 15:27:24 Syslog.Debug 192.168.0.254 1955: ISAKMP (0:51): retransmitting due to retransmit phase 2
2016-04-17 15:27:24 Syslog.Debug 192.168.0.254 1956: ISAKMP (0:51): ignoring retransmission,because phase2 node marked dead -354073724
2016-04-17 15:27:26 Syslog.Debug 192.168.0.254 1957: ISAKMP (0:51): received packet from 52.39.49.77 dport 4500 sport 4500 Global (R) QM_IDLE     
2016-04-17 15:27:26 Syslog.Debug 192.168.0.254 1958: ISAKMP (0:51): phase 2 packet is a duplicate of a previous packet.
2016-04-17 15:27:26 Syslog.Debug 192.168.0.254 1959: ISAKMP (0:51): retransmitting due to retransmit phase 2
2016-04-17 15:27:26 Syslog.Debug 192.168.0.254 1960: ISAKMP (0:51): ignoring retransmission,because phase2 node marked dead -354073724

0 Helpful

Go to solution
Paul Bedorf
Level 1
Level 1
In response to Paul Bedorf

‎04-21-2016 06:01 AM

Hi Aditya, just a follow up on this, it turned out to be the issue with my image, I rebooted the router and watched the console output, I run into the issue as described on this link:

http://www.cisco.com/c/en/us/support/docs/field-notices/620/fn62030.html

So any way no easy fix but to buy 32MB flash. So I decided to abandon setting up vpn on my 2600 router, and bought Cisco 1921 K9/SEC router, added it to my existing network, configured it, and boom everything works like a charm. In anyway your earlier suggestion about IPsec policies would have solved the issue if it wasn't for my space problem, so im going to accept your answer. Thank You for your help.

0 Helpful

Go to solution
Aditya Ganjoo
Cisco Employee
Cisco Employee
In response to Paul Bedorf

‎04-21-2016 07:04 AM

Hi Paul,

Happy to help.

Regards,

Aditya

0 Helpful

Go to solution
Paul Bedorf
Level 1
Level 1
In response to Paul Bedorf

‎04-17-2016 12:21 PM

Just to add more logs from my Cisco router after enabling crypto debugging:

04-17-2016 15:09:30 Syslog.Debug 192.168.0.254 337: ISAKMP (0:44): ignoring retransmission,because phase2 node marked dead 533848964
04-17-2016 15:09:30 Syslog.Debug 192.168.0.254 336: ISAKMP (0:44): retransmitting due to retransmit phase 2
04-17-2016 15:09:30 Syslog.Debug 192.168.0.254 335: ISAKMP (0:44): phase 2 packet is a duplicate of a previous packet.
04-17-2016 15:09:30 Syslog.Debug 192.168.0.254 334: ISAKMP (0:44): received packet from 52.39.49.77 dport 4500 sport 4500 Global (R) QM_IDLE     
04-17-2016 15:09:14 Syslog.Debug 192.168.0.254 333: ISAKMP (0:44): ignoring retransmission,because phase2 node marked dead 533848964
04-17-2016 15:09:14 Syslog.Debug 192.168.0.254 332: ISAKMP (0:44): retransmitting due to retransmit phase 2
04-17-2016 15:09:14 Syslog.Debug 192.168.0.254 331: ISAKMP (0:44): phase 2 packet is a duplicate of a previous packet.
04-17-2016 15:09:14 Syslog.Debug 192.168.0.254 330: ISAKMP (0:44): received packet from 52.39.49.77 dport 4500 sport 4500 Global (R) QM_IDLE     
04-17-2016 15:09:06 Syslog.Debug 192.168.0.254 329: ISAKMP (0:44): ignoring retransmission,because phase2 node marked dead 533848964
04-17-2016 15:09:06 Syslog.Debug 192.168.0.254 328: ISAKMP (0:44): retransmitting due to retransmit phase 2
04-17-2016 15:09:06 Syslog.Debug 192.168.0.254 327: ISAKMP (0:44): phase 2 packet is a duplicate of a previous packet.
04-17-2016 15:09:06 Syslog.Debug 192.168.0.254 326: ISAKMP (0:44): received packet from 52.39.49.77 dport 4500 sport 4500 Global (R) QM_IDLE     
04-17-2016 15:09:02 Syslog.Debug 192.168.0.254 325: ISAKMP (0:44): ignoring retransmission,because phase2 node marked dead 533848964
04-17-2016 15:09:02 Syslog.Debug 192.168.0.254 324: ISAKMP (0:44): retransmitting due to retransmit phase 2
04-17-2016 15:09:02 Syslog.Debug 192.168.0.254 323: ISAKMP (0:44): phase 2 packet is a duplicate of a previous packet.
04-17-2016 15:09:02 Syslog.Debug 192.168.0.254 322: ISAKMP (0:44): received packet from 52.39.49.77 dport 4500 sport 4500 Global (R) QM_IDLE     
04-17-2016 15:09:00 Syslog.Debug 192.168.0.254 321: ISAKMP (0:44): ignoring retransmission,because phase2 node marked dead 533848964
04-17-2016 15:09:00 Syslog.Debug 192.168.0.254 320: ISAKMP (0:44): retransmitting due to retransmit phase 2
04-17-2016 15:09:00 Syslog.Debug 192.168.0.254 319: ISAKMP (0:44): phase 2 packet is a duplicate of a previous packet.
04-17-2016 15:09:00 Syslog.Debug 192.168.0.254 318: ISAKMP (0:44): received packet from 52.39.49.77 dport 4500 sport 4500 Global (R) QM_IDLE     
04-17-2016 15:08:59 Syslog.Debug 192.168.0.254 317: ISAKMP (0:44): ignoring retransmission,because phase2 node marked dead 533848964
04-17-2016 15:08:59 Syslog.Debug 192.168.0.254 316: ISAKMP (0:44): retransmitting due to retransmit phase 2
04-17-2016 15:08:59 Syslog.Debug 192.168.0.254 315: ISAKMP (0:44): phase 2 packet is a duplicate of a previous packet.
04-17-2016 15:08:59 Syslog.Debug 192.168.0.254 314: ISAKMP (0:44): received packet from 52.39.49.77 dport 4500 sport 4500 Global (R) QM_IDLE     
04-17-2016 15:08:59 Syslog.Debug 192.168.0.254 313: ISAKMP (0:44): ignoring retransmission,because phase2 node marked dead 533848964

0 Helpful
Customers Also Viewed These Support Documents