Cisco 2651XM EZVPN to ASA5520

Hi, my company is using EzVPN to connect from branch (877) to HQ (ASA5520). Everything is working great, but when I tried to establish an EzVPN connection from a Cisco 2651XM (for emergency use) to the ASA5520, it's surprisingly not working. I compared the config on both the 877 and the 2651 and it's the same. I really don't know what's going on here LOL.... Please help

show version:

Cisco IOS Software, C2600 Software (C2600-ADVIPSERVICESK9-M), Version 12.4(4)T, RELEASE SOFTWARE (fc1)

show running-config on Cisco 2651:

!
!
crypto ipsec client ezvpn XXX_VPN
 connect auto
 group XXX_ezvpn key cisco123
 mode network-extension
 peer 203.170.236.194
 xauth userid mode interactive
!
!
interface FastEthernet0/0
 description ### ADSL Link ###
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip virtual-reassembly
 ip tcp adjust-mss 1452
 duplex auto
 speed auto
 pppoe enable
 pppoe-client dial-pool-number 1
!
interface FastEthernet0/1
 ip address 192.168.199.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto ipsec client ezvpn XXX_VPN inside
!
interface Dialer0
 description ### ADSL Link ###
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication pap chap callin
 ppp chap hostname xxxxxxxxx@fttxbiz
 ppp chap password 0 xxxxxxxx
 ppp pap sent-username xxxxxxx@fttxbiz password 0 xxxxxxxx
 crypto ipsec client ezvpn XXX_VPN
!

Please help ......Thank you

14 Replies

Hello Polkit,

I hope you got the public IP via PPPoE,

can you get the output for

'sh crypto ipsec client ezvpn'

also do a debug as follows and remove and add the crypto ipsec client ezvpn XXX_VPN from dialer interface and get the output

'debug crypto ipsec client ezvpn'

Regards

Harish.

Here is the output.


Test-Router#sh crypto ipsec client ezvpn
Easy VPN Remote Phase: 6

Tunnel name : BLA_VPN
Inside interface list: FastEthernet0/1
Outside interface: Dialer0
Current State: SS_OPEN
Last Event: SOCKET_READY
Default Domain: xxx.co.th

Save Password: Disallowed
Current EzVPN Peer: 203.170.236.194

---------------------------------------------------------------------------------------------

Here is the output from debug after remove and add crypto to int dialer 0

*Mar  1 15:40:53.375: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
*Mar  1 15:40:53.375: EZVPN(BLA_VPN): Current State: IDLE
*Mar  1 15:40:53.375: EZVPN(BLA_VPN): Event: VALID_CONFIG_ENTERED
*Mar  1 15:40:53.375: EZVPN(BLA_VPN): ezvpn_check_tunnel_interface_state
*Mar  1 15:40:53.375: EZVPN(BLA_VPN): New State: VALID_CFG
*Mar  1 15:40:53.375: EZVPN(BLA_VPN): Current State: VALID_CFG
*Mar  1 15:40:53.375: EZVPN(BLA_VPN): Event: VALID_CONFIG_ENTERED
*Mar  1 15:40:53.379: EZVPN(BLA_VPN): No state change
*Mar  1 15:40:53.379: EZVPN(BLA_VPN): Current State: VALID_CFG
*Mar  1 15:40:53.379: EZVPN(BLA_VPN): Event: TUNNEL_INTERFACE_UP
*Mar  1 15:40:53.379: EZVPN(BLA_VPN): ezvpn_check_tunnel_interface_address
*Mar  1 15:40:53.379: EZVPN(BLA_VPN): New State: TUNNEL_INT_UP
*Mar  1 15:40:53.379: EZVPN(BLA_VPN): Current State: TUNNEL_INT_UP
*Mar  1 15:40:53.379: EZVPN(BLA_VPN): Event: TUNNEL_HAS_PUBLIC_IP_ADD
*Mar  1 15:40:53.379: EZVPN(BLA_VPN): New State: TRACKING
*Mar  1 15:40:53.383: EZVPN(BLA_VPN): Current State: TRACKING
*Mar  1 15:40:53.383: EZVPN(BLA_VPN): Event: TRACKED OBJECT UP
*Mar  1 15:40:53.383: EZVPN(BLA_VPN): New State: CONNECT_REQUIRED
*Mar  1 15:40:53.383: EZVPN(BLA_VPN): Current State: CONNECT_REQUIRED
*Mar  1 15:40:53.383: EZVPN(BLA_VPN): Event: CONNECT
*Mar  1 15:40:53.383: EZVPN(BLA_VPN): ezvpn_connect_request
*Mar  1 15:40:53.383: EZVPN(BLA_VPN): Found valid peer 203.170.236.194
*Mar  1 15:40:53.383: EZVPN(BLA_VPN): Added PSK for address 203.170.236.194

*Mar  1 15:40:53.383: EzVPN(BLA_VPN): sleep jitter delay 1645
*Mar  1 15:40:55.029: EZVPN(BLA_VPN): New State: READY
*Mar  1 15:40:55.366: EZVPN(BLA_VPN): Current State: READY
*Mar  1 15:40:55.366: EZVPN(BLA_VPN): Event: IKE_PFS
*Mar  1 15:40:55.366: EZVPN(BLA_VPN): No state change
*Mar  1 15:40:55.370: EZVPN(BLA_VPN): Current State: READY
*Mar  1 15:40:55.370: EZVPN(BLA_VPN): Event: CONN_UP
*Mar  1 15:40:55.374: EZVPN(BLA_VPN): ezvpn_conn_up 49A5D809 98573010 76CBD901 91CE014D
*Mar  1 15:40:55.374: EZVPN(BLA_VPN): No state change
*Mar  1 15:40:55.382: EZVPN(BLA_VPN): Current State: READY
*Mar  1 15:40:55.382: EZVPN(BLA_VPN): Event: MODE_CONFIG_REPLY
*Mar  1 15:40:55.382: EzVPN(BLA_VPN): rollback skipped! 49A5D809 98573010 76CBD901 91CE014D
*Mar  1 15:40:55.386: EZVPN(BLA_VPN): ezvpn_parse_mode_config_msg
*Mar  1 15:40:55.386: EZVPN: Attributes sent in message:
*Mar  1 15:40:55.386:         Savepwd off
*Mar  1 15:40:55.386:         Default Domain: bla.co.th
*Mar  1 15:40:55.386: EZVPN: Unknown/Unsupported Attr: APPLICATION_VERSION (0x7)
*Mar  1 15:40:55.394: EZVPN(BLA_VPN): ezvpn_mode_config
*Mar  1 15:40:55.394: EZVPN(BLA_VPN): New State: SS_OPEN
*Mar  1 15:40:55.426: EZVPN(BLA_VPN): Current State: SS_OPEN
*Mar  1 15:40:55.426: EZVPN(BLA_VPN): Event: SOCKET_READY
*Mar  1 15:40:55.426: EZVPN(BLA_VPN): No state change
*Mar  1 15:41:12.390: EZVPN(BLA_VPN): Current State: SS_OPEN
*Mar  1 15:41:12.390: EZVPN(BLA_VPN): Event: CONN_DOWN
*Mar  1 15:41:12.390: EZVPN(BLA_VPN): ezvpn_close 49A5D809 98573010 76CBD901 91CE014D
*Mar  1 15:41:12.394: EZVPN(BLA_VPN): Deleted PSK for address 203.170.236.194

*Mar  1 15:41:12.394: EzVPN(BLA_VPN): rollback skipped!
*Mar  1 15:41:12.394: EZVPN(BLA_VPN): No Connect ACL checking status change
*Mar  1 15:41:12.394: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  User=  Group=BLA_ezvpn  Client_public_addr=180.180.46.31  Server_public_addr=203.170.236.194

----------------------------------------------------------------------------------------------------------------------------------

this show crypto session and show crypto isa sa

Test-Router#sh crypt se
Crypto session current status

Interface: Dialer0
Session status: UP-IDLE
Peer: 203.170.236.194 port 500
  IKE SA: local 180.180.46.31/500 remote 203.170.236.194/500 Active
  IKE SA: local 180.180.46.31/500 remote 203.170.236.194/500 Inactive
  IKE SA: local 180.180.46.31/500 remote 203.170.236.194/500 Inactive
  IKE SA: local 180.180.46.31/500 remote 203.170.236.194/500 Inactive
  IPSEC FLOW: permit ip 192.168.199.0/255.255.255.0 0.0.0.0/0.0.0.0
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 192.168.199.0/255.255.255.0 0.0.0.0/0.0.0.0
        Active SAs: 0, origin: crypto map

Test-Router#
Test-Router#
Test-Router#
Test-Router#sh crypto isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
203.170.236.194 180.180.46.31   QM_IDLE           1369    0 ACTIVE
203.170.236.194 180.180.46.31   MM_NO_STATE       1368    0 ACTIVE (deleted)
203.170.236.194 180.180.46.31   MM_NO_STATE       1367    0 ACTIVE (deleted)
203.170.236.194 180.180.46.31   MM_NO_STATE       1366    0 ACTIVE (deleted)

IPv6 Crypto ISAKMP SA

Thanks Harish,

Hello Polkit,

I don't see the xauth phase happening here in the debug.. are you giving the username and password manually?

regards

Harish

Hi Harish,

The xauth does not come up to let me enter username and password at all. I am not sure whether it's because of ASA config or Router config but as I said, it works fine on 877 without xauth. So I'm not sure whether I have to be aware of xauth or not?

Thanks,

Polkit

Hello Polkit,

Ok, can you give this 'crypto ipsec client ezvpn xauth' and see whether it is asking username and password

regards

Harish.

Harish,

here is the output.

Test-Router#crypto ipsec client ezvpn xauth

EZVPN(BLA_VPN): There are no pending Xauth Requests

Test-Router#

Thanks

Polkit

Hello Polkit,

Since you had given xauth userid mode interactive, I believe we need to enter the above command when it is asking us to enter.. you can change this to local as follows and make sure that you have the username and password configured in global configuration mode.

crypto ipsec client ezvpn XXX_VPN

xauth userid mode local

Also after changing this, please remove and add crypto ipsec client ezvpn XXX_VPN from dialer interface and try to do the above debugs again

regards

Harish.

Harish,

Here is my config after changing

crypto ipsec client ezvpn XXX_VPN

connect auto

group XXX_ezvpn key cisco123

mode network-extension

peer 203.170.236.194

username admin password XXXXXX ---> also have it on global (must enter this unless can't enter cli "xauth local")

xauth userid mode local

-------------------------------------------------------------------------------

and here is the debug

Test-Router(config-if)#crypto ipse clie ezvpn XXX_VPN
Test-Router(config-if)#
*Mar  1 17:53:09.933: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
*Mar  1 17:53:09.933: EZVPN(XXX_VPN): Current State: IDLE
*Mar  1 17:53:09.933: EZVPN(XXX_VPN): Event: VALID_CONFIG_ENTERED
*Mar  1 17:53:09.933: EZVPN(XXX_VPN): ezvpn_check_tunnel_interface_state
*Mar  1 17:53:09.933: EZVPN(XXX_VPN): New State: VALID_CFG
*Mar  1 17:53:09.933: EZVPN(XXX_VPN): Current State: VALID_CFG
*Mar  1 17:53:09.933: EZVPN(XXX_VPN): Event: VALID_CONFIG_ENTERED
*Mar  1 17:53:09.937: EZVPN(XXX_VPN): No state change
*Mar  1 17:53:09.937: EZVPN(XXX_VPN): Current State: VALID_CFG
*Mar  1 17:53:09.937: EZVPN(XXX_VPN): Event: TUNNEL_INTERFACE_UP
*Mar  1 17:53:09.937: EZVPN(XXX_VPN): ezvpn_check_tunnel_interface_address
*Mar  1 17:53:09.937: EZVPN(XXX_VPN): New State: TUNNEL_INT_UP
*Mar  1 17:53:09.937: EZVPN(XXX_VPN): Current State: TUNNEL_INT_UP
*Mar  1 17:53:09.937: EZVPN(XXX_VPN): Event: TUNNEL_HAS_PUBLIC_IP_ADD
*Mar  1 17:53:09.937: EZVPN(XXX_VPN): New State: TRACKING
*Mar  1 17:53:09.941: EZVPN(XXX_VPN): Current State: TRACKING
*Mar  1 17:53:09.941: EZVPN(XXX_VPN): Event: TRACKED OBJECT UP
*Mar  1 17:53:09.941: EZVPN(XXX_VPN): New State: CONNECT_REQUIRED
*Mar  1 17:53:09.941: EZVPN(XXX_VPN): Current State: CONNECT_REQUIRED
*Mar  1 17:53:09.941: EZVPN(XXX_VPN): Event: CONNECT
*Mar  1 17:53:09.941: EZVPN(XXX_VPN): ezvpn_connect_request
*Mar  1 17:53:09.941: EZVPN(XXX_VPN): Found valid peer 203.170.236.194
*Mar  1 17:53:09.941: EZVPN(XXX_VPN): Added PSK for address 203.170.236.194

*Mar  1 17:53:09.945: EzVPN(XXX_VPN): sleep jitter delay 1149
*Mar  1 17:53:11.095: EZVPN(XXX_VPN): New State: READY
*Mar  1 17:53:11.371: EZVPN(XXX_VPN): Current State: READY
*Mar  1 17:53:11.371: EZVPN(XXX_VPN): Event: IKE_PFS
*Mar  1 17:53:11.371: EZVPN(XXX_VPN): No state change
*Mar  1 17:53:11.379: EZVPN(XXX_VPN): Current State: READY
*Mar  1 17:53:11.379: EZVPN(XXX_VPN): Event: CONN_UP
*Mar  1 17:53:11.379: EZVPN(XXX_VPN): ezvpn_conn_up DDAE2106 7D87DC28 75BE74BB C05C6B77
*Mar  1 17:53:11.383: EZVPN(XXX_VPN): No state change
*Mar  1 17:53:11.391: EZVPN(XXX_VPN): Current State: READY
*Mar  1 17:53:11.391: EZVPN(XXX_VPN): Event: MODE_CONFIG_REPLY
*Mar  1 17:53:11.391: EzVPN(XXX_VPN): rollback skipped! DDAE2106 7D87DC28 75BE74BB C05C6B77
*Mar  1 17:53:11.391: EZVPN(XXX_VPN): ezvpn_parse_mode_config_msg
*Mar  1 17:53:11.391: EZVPN: Attributes sent in message:
*Mar  1 17:53:11.391:         Savepwd off
*Mar  1 17:53:11.391:         Default Domain: XXX.co.th
*Mar  1 17:53:11.391: EZVPN: Unknown/Unsupported Attr: APPLICATION_VERSION (0x7)
*Mar  1 17:53:11.403: EZVPN(XXX_VPN): ezvpn_mode_config
*Mar  1 17:53:11.403: EZVPN(XXX_VPN): New State: SS_OPEN
*Mar  1 17:53:11.435: EZVPN(XXX_VPN): Current State: SS_OPEN
*Mar  1 17:53:11.435: EZVPN(XXX_VPN): Event: SOCKET_READY
*Mar  1 17:53:11.435: EZVPN(XXX_VPN): No state change
*Mar  1 17:53:28.395: EZVPN(XXX_VPN): Current State: SS_OPEN
*Mar  1 17:53:28.395: EZVPN(XXX_VPN): Event: CONN_DOWN
*Mar  1 17:53:28.395: EZVPN(XXX_VPN): ezvpn_close DDAE2106 7D87DC28 75BE74BB C05C6B77
*Mar  1 17:53:28.399: EZVPN(XXX_VPN): Deleted PSK for address 203.170.236.194

*Mar  1 17:53:28.399: EzVPN(XXX_VPN): rollback skipped!
*Mar  1 17:53:28.399: EZVPN(XXX_VPN): No Connect ACL checking status change
*Mar  1 17:53:28.399: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  User=  Group=XXX_ezvpn  Client_public_addr=180.180.122.124  Server_public_addr=203.170.236.194 
*Mar  1 17:53:28.399: EZVPN(XXX_VPN): No state change
*Mar  1 17:53:28.407: EZVPN(XXX_VPN): Current State: CONNECT_REQUIRED
*Mar  1 17:53:28.407: EZVPN(XXX_VPN): Event: CONNECT
*Mar  1 17:53:28.407: EZVPN(XXX_VPN): ezvpn_connect_request
*Mar  1 17:53:28.407: EZVPN(XXX_VPN): Found valid peer 203.170.236.194
*Mar  1 17:53:28.407: EZVPN(XXX_VPN): Added PSK for address 203.170.236.194

*Mar  1 17:53:28.407: EzVPN(XXX_VPN): sleep jitter delay 1771
*Mar  1 17:53:30.182: EZVPN(XXX_VPN): New State: READY
*Mar  1 17:53:30.466: EZVPN(XXX_VPN): Current State: READY
*Mar  1 17:53:30.466: EZVPN(XXX_VPN): Event: IKE_PFS
*Mar  1 17:53:30.466: EZVPN(XXX_VPN): No state change
*Mar  1 17:53:30.470: EZVPN(XXX_VPN): Current State: READY
*Mar  1 17:53:30.470: EZVPN(XXX_VPN): Event: CONN_UP
*Mar  1 17:53:30.470: EZVPN(XXX_VPN): ezvpn_conn_up DDAE2106 D39E485D EACEB5B9 072629FD
*Mar  1 17:53:30.474: EZVPN(XXX_VPN): No state change
*Mar  1 17:53:30.482: EZVPN(XXX_VPN): Current State: READY
*Mar  1 17:53:30.482: EZVPN(XXX_VPN): Event: MODE_CONFIG_REPLY
*Mar  1 17:53:30.482: EzVPN(XXX_VPN): rollback skipped! DDAE2106 D39E485D EACEB5B9 072629FD
*Mar  1 17:53:30.482: EZVPN(XXX_VPN): ezvpn_parse_mode_config_msg
*Mar  1 17:53:30.486: EZVPN: Attributes sent in message:
*Mar  1 17:53:30.486:         Savepwd off
*Mar  1 17:53:30.486:         Default Domain: XXX.co.th
*Mar  1 17:53:30.486: EZVPN: Unknown/Unsupported Attr: APPLICATION_VERSION (0x7)
*Mar  1 17:53:30.498: EZVPN(XXX_VPN): ezvpn_mode_config
*Mar  1 17:53:30.498: EZVPN(XXX_VPN): New State: SS_OPEN
*Mar  1 17:53:30.526: EZVPN(XXX_VPN): Current State: SS_OPEN
*Mar  1 17:53:30.531: EZVPN(XXX_VPN): Event: SOCKET_READY
*Mar  1 17:53:30.531: EZVPN(XXX_VPN): No state change
*Mar  1 17:53:47.498: EZVPN(XXX_VPN): Current State: SS_OPEN
*Mar  1 17:53:47.498: EZVPN(XXX_VPN): Event: CONN_DOWN
*Mar  1 17:53:47.498: EZVPN(XXX_VPN): ezvpn_close DDAE2106 D39E485D EACEB5B9 072629FD
*Mar  1 17:53:47.502: EZVPN(XXX_VPN): Deleted PSK for address 203.170.236.194

*Mar  1 17:53:47.502: EzVPN(XXX_VPN): rollback skipped!
*Mar  1 17:53:47.502: EZVPN(XXX_VPN): No Connect ACL checking status change
*Mar  1 17:53:47.502: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  User=  Group=XXX_ezvpn  Client_public_addr=180.180.122.124  Server_public_addr=203.170.236.194 
*Mar  1 17:53:47.502: EZVPN(XXX_VPN): No state change
*Mar  1 17:53:47.510: EZVPN(XXX_VPN): Current State: CONNECT_REQUIRED
*Mar  1 17:53:47.510: EZVPN(XXX_VPN): Event: CONNECT
*Mar  1 17:53:47.510: EZVPN(XXX_VPN): ezvpn_connect_request
*Mar  1 17:53:47.510: EZVPN(XXX_VPN): Found valid peer 203.170.236.194
*Mar  1 17:53:47.510: EZVPN(XXX_VPN): Added PSK for address 203.170.236.194

*Mar  1 17:53:47.510: EzVPN(XXX_VPN): sleep jitter delay 1238
*Mar  1 17:53:48.752: EZVPN(XXX_VPN): New State: READY
*Mar  1 17:53:49.033: EZVPN(XXX_VPN): Current State: READY
*Mar  1 17:53:49.033: EZVPN(XXX_VPN): Event: IKE_PFS
*Mar  1 17:53:49.033: EZVPN(XXX_VPN): No state change
*Mar  1 17:53:49.037: EZVPN(XXX_VPN): Current State: READY
*Mar  1 17:53:49.037: EZVPN(XXX_VPN): Event: CONN_UP
*Mar  1 17:53:49.037: EZVPN(XXX_VPN): ezvpn_conn_up DDAE2106 281F6864 1B11B929 28FB9D17
*Mar  1 17:53:49.041: EZVPN(XXX_VPN): No state change
*Mar  1 17:53:49.049: EZVPN(XXX_VPN): Current State: READY
*Mar  1 17:53:49.053: EZVPN(XXX_VPN): Event: MODE_CONFIG_REPLY
*Mar  1 17:53:49.053: EzVPN(XXX_VPN): rollback skipped! DDAE2106 281F6864 1B11B929 28FB9D17
*Mar  1 17:53:49.053: EZVPN(XXX_VPN): ezvpn_parse_mode_config_msg
*Mar  1 17:53:49.053: EZVPN: Attributes sent in message:
*Mar  1 17:53:49.053:         Savepwd off
*Mar  1 17:53:49.053:         Default Domain: XXX.co.th
*Mar  1 17:53:49.053: EZVPN: Unknown/Unsupported Attr: APPLICATION_VERSION (0x7)
*Mar  1 17:53:49.065: EZVPN(XXX_VPN): ezvpn_mode_config
*Mar  1 17:53:49.069: EZVPN(XXX_VPN): New State: SS_OPEN
*Mar  1 17:53:49.097: EZVPN(XXX_VPN): Current State: SS_OPEN
*Mar  1 17:53:49.097: EZVPN(XXX_VPN): Event: SOCKET_READY
*Mar  1 17:53:49.097: EZVPN(XXX_VPN): No state change
Test-Router(config-if)#

I really appreciate your help...thanks

Polkit
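
Added example (not part of the original thread and not Cisco code): a small Python parser that turns the `debug crypto ipsec client ezvpn` lines from the post above into one summary per connection attempt, so the repeating pattern (mode config reply, no XAUTH event, CONN_DOWN about 17 s after SS_OPEN) is easy to see. The sample lines are copied from that debug and trimmed to state/event lines; treating `IPSEC_ACTIVE` as the "tunnel up" state and spotting XAUTH by substring are assumptions of this example.

```python
import re

# One state-machine line from `debug crypto ipsec client ezvpn`, e.g.
#   *Mar  1 17:53:11.403: EZVPN(XXX_VPN): New State: SS_OPEN
LINE_RE = re.compile(
    r"^\*?\w{3}\s+(?P<day>\d+)\s+(?P<h>\d+):(?P<m>\d+):(?P<s>\d+)\.(?P<frac>\d+):\s+"
    r"E[Zz]VPN\((?P<tunnel>[^)]+)\):\s+"
    r"(?P<kind>Current State|New State|Event):\s+(?P<value>\S.*?)\s*$"
)

# Assumption of this example: state name used as the success marker.
UP_STATE = "IPSEC_ACTIVE"

# Trimmed copy of lines from the debug posted above (three attempts, last one cut off).
SAMPLE_DEBUG = """
*Mar  1 17:53:09.941: EZVPN(XXX_VPN): Current State: CONNECT_REQUIRED
*Mar  1 17:53:09.941: EZVPN(XXX_VPN): Event: CONNECT
*Mar  1 17:53:11.095: EZVPN(XXX_VPN): New State: READY
*Mar  1 17:53:11.379: EZVPN(XXX_VPN): Event: CONN_UP
*Mar  1 17:53:11.391: EZVPN(XXX_VPN): Event: MODE_CONFIG_REPLY
*Mar  1 17:53:11.403: EZVPN(XXX_VPN): New State: SS_OPEN
*Mar  1 17:53:11.435: EZVPN(XXX_VPN): Event: SOCKET_READY
*Mar  1 17:53:28.395: EZVPN(XXX_VPN): Event: CONN_DOWN
*Mar  1 17:53:28.407: EZVPN(XXX_VPN): Event: CONNECT
*Mar  1 17:53:30.182: EZVPN(XXX_VPN): New State: READY
*Mar  1 17:53:30.470: EZVPN(XXX_VPN): Event: CONN_UP
*Mar  1 17:53:30.482: EZVPN(XXX_VPN): Event: MODE_CONFIG_REPLY
*Mar  1 17:53:30.498: EZVPN(XXX_VPN): New State: SS_OPEN
*Mar  1 17:53:47.498: EZVPN(XXX_VPN): Event: CONN_DOWN
*Mar  1 17:53:47.510: EZVPN(XXX_VPN): Event: CONNECT
*Mar  1 17:53:48.752: EZVPN(XXX_VPN): New State: READY
"""


def _ms(m):
    """Timestamp in milliseconds (month ignored: one capture, one month assumed)."""
    frac = int(m["frac"].ljust(3, "0")[:3])
    secs = ((int(m["day"]) * 24 + int(m["h"])) * 60 + int(m["m"])) * 60 + int(m["s"])
    return secs * 1000 + frac


def parse_attempts(text):
    """Split the debug into attempts; each starts at Event: CONNECT."""
    attempts, current = [], None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # jitter, PSK and syslog lines carry no state/event
        kind, value, now = m["kind"], m["value"], _ms(m)
        if kind == "Event" and value == "CONNECT":
            current = {"tunnel": m["tunnel"], "events": [], "states": [],
                       "ss_open_ms": None, "lifetime_ms": None, "closed": False}
            attempts.append(current)
        if current is None:
            continue
        if kind == "Event":
            current["events"].append(value)
            if value == "CONN_DOWN":
                current["closed"] = True
                if current["ss_open_ms"] is not None:
                    current["lifetime_ms"] = now - current["ss_open_ms"]
                current = None  # next CONNECT opens a new attempt
        elif kind == "New State":
            current["states"].append(value)
            if value == "SS_OPEN":
                current["ss_open_ms"] = now
    return attempts


def summarise(attempt):
    """Findings for one attempt: XAUTH seen or not, and how the attempt ended."""
    xauth_seen = any("XAUTH" in n for n in attempt["events"] + attempt["states"])
    findings = []
    if "MODE_CONFIG_REPLY" in attempt["events"] and not xauth_seen:
        findings.append("mode config reply received, no XAUTH event logged")
    if UP_STATE in attempt["states"]:
        findings.append("tunnel reached " + UP_STATE)
    elif attempt["closed"]:
        last = attempt["states"][-1] if attempt["states"] else "no state"
        life = attempt["lifetime_ms"]
        tail = "" if life is None else " %.3f s after SS_OPEN" % (life / 1000)
        findings.append("CONN_DOWN in %s%s" % (last, tail))
    else:
        findings.append("still in progress when the capture ended")
    return {"tunnel": attempt["tunnel"], "xauth_seen": xauth_seen,
            "lifetime_ms": attempt["lifetime_ms"], "findings": findings}


if __name__ == "__main__":
    for i, a in enumerate(parse_attempts(SAMPLE_DEBUG), 1):
        s = summarise(a)
        print("attempt %d (%s): %s" % (i, s["tunnel"], "; ".join(s["findings"])))
```
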

Hello Polkit,

can we have debug crypto isakmp output as well during the change in the dialer..

sorry for a lot of outputs

Harish.

Harish,

That's not a problem..I know it's kinda confusing LOL to me as well...

*Mar  1 18:22:25.182: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
*Mar  1 18:22:25.182: ISAKMP: Created a peer struct for 203.170.236.194, peer port 500
*Mar  1 18:22:26.624: ISAKMP:(0): SA request profile is (NULL)
*Mar  1 18:22:26.624: ISAKMP: Found a peer struct for 203.170.236.194, peer port 500
*Mar  1 18:22:26.624: ISAKMP: Locking peer struct 0x85F0413C, refcount 1 for isakmp_initiator
*Mar  1 18:22:26.624: ISAKMP:(0):Setting client config settings 85168FA0
*Mar  1 18:22:26.624: ISAKMP: local port 500, remote port 500
*Mar  1 18:22:26.624: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 860B4FD8
*Mar  1 18:22:26.628: ISAKMP:(0): client mode configured.
*Mar  1 18:22:26.628: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Mar  1 18:22:26.628: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Mar  1 18:22:26.628: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Mar  1 18:22:26.749: ISKAMP: growing send buffer from 1024 to 3072
*Mar  1 18:22:26.749: ISAKMP:(0):SA is doing pre-shared key authentication plus XAUTH using id type ID_KEY_ID
*Mar  1 18:22:26.749: ISAKMP (0:0): ID payload
        next-payload : 13
        type         : 11
        group id     : XXX_ezvpn
        protocol     : 17
        port         : 0
        length       : 17
*Mar  1 18:22:26.749: ISAKMP:(0):Total payload length: 17
*Mar  1 18:22:26.749: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_AM
*Mar  1 18:22:26.753: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_AM1

*Mar  1 18:22:26.753: ISAKMP:(0): beginning Aggressive Mode exchange
*Mar  1 18:22:26.753: ISAKMP:(0): sending packet to 203.170.236.194 my_port 500 peer_port 500 (I) AG_INIT_EXCH
*Mar  1 18:22:26.765: ISAKMP (0:0): received packet from 203.170.236.194 dport 500 sport 500 Global (I) AG_INIT_EXCH
*Mar  1 18:22:26.765: ISAKMP:(0): processing SA payload. message ID = 0
*Mar  1 18:22:26.769: ISAKMP:(0): processing ID payload. message ID = 0
*Mar  1 18:22:26.769: ISAKMP (0:0): ID payload
        next-payload : 8
        type         : 1
        address      : 203.170.236.194
        protocol     : 17
        port         : 0
        length       : 12
*Mar  1 18:22:26.769: ISAKMP:(0):: peer matches *none* of the profiles
*Mar  1 18:22:26.769: ISAKMP:(0): processing vendor id payload
*Mar  1 18:22:26.769: ISAKMP:(0): vendor ID is Unity
*Mar  1 18:22:26.769: ISAKMP:(0): processing vendor id payload
*Mar  1 18:22:26.769: ISAKMP:(0): vendor ID seems Unity/DPD but major 215 mismatch
*Mar  1 18:22:26.769: ISAKMP:(0): vendor ID is XAUTH
*Mar  1 18:22:26.769: ISAKMP:(0): processing vendor id payload
*Mar  1 18:22:26.769: ISAKMP:(0): vendor ID is DPD
*Mar  1 18:22:26.773: ISAKMP:(0): local preshared key found
*Mar  1 18:22:26.773: ISAKMP : Scanning profiles for xauth ...
*Mar  1 18:22:26.773: ISAKMP:(0): Authentication by xauth preshared
*Mar  1 18:22:26.773: ISAKMP:(0):Checking ISAKMP transform 17 against priority 65515 policy
*Mar  1 18:22:26.773: ISAKMP:      encryption 3DES-CBC
*Mar  1 18:22:26.773: ISAKMP:      hash SHA
*Mar  1 18:22:26.773: ISAKMP:      default group 2
*Mar  1 18:22:26.773: ISAKMP:      auth pre-share
*Mar  1 18:22:26.773: ISAKMP:      life type in seconds
*Mar  1 18:22:26.773: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Mar  1 18:22:26.773: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Mar  1 18:22:26.773: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Mar  1 18:22:26.773: ISAKMP:(0):Checking ISAKMP transform 17 against priority 65516 policy
*Mar  1 18:22:26.777: ISAKMP:      encryption 3DES-CBC
*Mar  1 18:22:26.777: ISAKMP:      hash SHA
*Mar  1 18:22:26.777: ISAKMP:      default group 2
*Mar  1 18:22:26.777: ISAKMP:      auth pre-share
*Mar  1 18:22:26.777: ISAKMP:      life type in seconds
*Mar  1 18:22:26.777: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Mar  1 18:22:26.777: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Mar  1 18:22:26.777: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Mar  1 18:22:26.777: ISAKMP:(0):Checking ISAKMP transform 17 against priority 65517 policy
*Mar  1 18:22:26.777: ISAKMP:      encryption 3DES-CBC
*Mar  1 18:22:26.777: ISAKMP:      hash SHA
*Mar  1 18:22:26.777: ISAKMP:      default group 2
*Mar  1 18:22:26.777: ISAKMP:      auth pre-share
*Mar  1 18:22:26.777: ISAKMP:      life type in seconds
*Mar  1 18:22:26.777: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Mar  1 18:22:26.781: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Mar  1 18:22:26.781: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Mar  1 18:22:26.781: ISAKMP:(0):Checking ISAKMP transform 17 against priority 65518 policy
*Mar  1 18:22:26.781: ISAKMP:      encryption 3DES-CBC
*Mar  1 18:22:26.781: ISAKMP:      hash SHA
*Mar  1 18:22:26.781: ISAKMP:      default group 2
*Mar  1 18:22:26.781: ISAKMP:      auth pre-share
*Mar  1 18:22:26.781: ISAKMP:      life type in seconds
*Mar  1 18:22:26.781: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Mar  1 18:22:26.781: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Mar  1 18:22:26.781: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Mar  1 18:22:26.781: ISAKMP:(0):Checking ISAKMP transform 17 against priority 65519 policy
*Mar  1 18:22:26.781: ISAKMP:      encryption 3DES-CBC
*Mar  1 18:22:26.781: ISAKMP:      hash SHA
*Mar  1 18:22:26.785: ISAKMP:      default group 2
*Mar  1 18:22:26.785: ISAKMP:      auth pre-share
*Mar  1 18:22:26.785: ISAKMP:      life type in seconds
*Mar  1 18:22:26.785: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Mar  1 18:22:26.785: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Mar  1 18:22:26.785: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Mar  1 18:22:26.785: ISAKMP:(0):Checking ISAKMP transform 17 against priority 65520 policy
*Mar  1 18:22:26.785: ISAKMP:      encryption 3DES-CBC
*Mar  1 18:22:26.785: ISAKMP:      hash SHA
*Mar  1 18:22:26.785: ISAKMP:      default group 2
*Mar  1 18:22:26.785: ISAKMP:      auth pre-share
*Mar  1 18:22:26.785: ISAKMP:      life type in seconds
*Mar  1 18:22:26.785: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Mar  1 18:22:26.785: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Mar  1 18:22:26.789: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Mar  1 18:22:26.789: ISAKMP:(0):Checking ISAKMP transform 17 against priority 65521 policy
*Mar  1 18:22:26.789: ISAKMP:      encryption 3DES-CBC
*Mar  1 18:22:26.789: ISAKMP:      hash SHA
*Mar  1 18:22:26.789: ISAKMP:      default group 2
*Mar  1 18:22:26.789: ISAKMP:      auth pre-share
*Mar  1 18:22:26.789: ISAKMP:      life type in seconds
*Mar  1 18:22:26.789: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Mar  1 18:22:26.789: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Mar  1 18:22:26.789: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Mar  1 18:22:26.789: ISAKMP:(0):Checking ISAKMP transform 17 against priority 65522 policy
*Mar  1 18:22:26.789: ISAKMP:      encryption 3DES-CBC
*Mar  1 18:22:26.789: ISAKMP:      hash SHA
*Mar  1 18:22:26.789: ISAKMP:      default group 2
*Mar  1 18:22:26.789: ISAKMP:      auth pre-share
*Mar  1 18:22:26.789: ISAKMP:      life type in seconds
*Mar  1 18:22:26.789: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Mar  1 18:22:26.793: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Mar  1 18:22:26.793: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Mar  1 18:22:26.793: ISAKMP:(0):Checking ISAKMP transform 17 against priority 65523 policy
*Mar  1 18:22:26.793: ISAKMP:      encryption 3DES-CBC
*Mar  1 18:22:26.793: ISAKMP:      hash SHA
*Mar  1 18:22:26.793: ISAKMP:      default group 2
*Mar  1 18:22:26.793: ISAKMP:      auth pre-share
*Mar  1 18:22:26.793: ISAKMP:      life type in seconds
*Mar  1 18:22:26.793: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Mar  1 18:22:26.793: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Mar  1 18:22:26.793: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Mar  1 18:22:26.793: ISAKMP:(0):Checking ISAKMP transform 17 against priority 65524 policy
*Mar  1 18:22:26.793: ISAKMP:      encryption 3DES-CBC
*Mar  1 18:22:26.793: ISAKMP:      hash SHA
*Mar  1 18:22:26.793: ISAKMP:      default group 2
*Mar  1 18:22:26.793: ISAKMP:      auth pre-share
*Mar  1 18:22:26.793: ISAKMP:      life type in seconds
*Mar  1 18:22:26.793: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Mar  1 18:22:26.797: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Mar  1 18:22:26.797: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Mar  1 18:22:26.797: ISAKMP:(0):Checking ISAKMP transform 17 against priority 65525 policy
*Mar  1 18:22:26.797: ISAKMP:      encryption 3DES-CBC
*Mar  1 18:22:26.797: ISAKMP:      hash SHA
*Mar  1 18:22:26.797: ISAKMP:      default group 2
*Mar  1 18:22:26.797: ISAKMP:      auth pre-share
*Mar  1 18:22:26.797: ISAKMP:      life type in seconds
*Mar  1 18:22:26.797: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Mar  1 18:22:26.797: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Mar  1 18:22:26.797: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Mar  1 18:22:26.797: ISAKMP:(0):Checking ISAKMP transform 17 against priority 65526 policy
*Mar  1 18:22:26.797: ISAKMP:      encryption 3DES-CBC
*Mar  1 18:22:26.797: ISAKMP:      hash SHA
*Mar  1 18:22:26.797: ISAKMP:      default group 2
*Mar  1 18:22:26.797: ISAKMP:      auth pre-share
*Mar  1 18:22:26.797: ISAKMP:      life type in seconds
*Mar  1 18:22:26.797: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Mar  1 18:22:26.801: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Mar  1 18:22:26.801: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Mar  1 18:22:26.801: ISAKMP:(0):Checking ISAKMP transform 17 against priority 65527 policy
*Mar  1 18:22:26.801: ISAKMP:      encryption 3DES-CBC
*Mar  1 18:22:26.801: ISAKMP:      hash SHA
*Mar  1 18:22:26.801: ISAKMP:      default group 2
*Mar  1 18:22:26.801: ISAKMP:      auth pre-share
*Mar  1 18:22:26.801: ISAKMP:      life type in seconds
*Mar  1 18:22:26.801: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Mar  1 18:22:26.801: ISAKMP:(0):Authentication method offered does not match policy!
*Mar  1 18:22:26.801: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Mar  1 18:22:26.801: ISAKMP:(0):Checking ISAKMP transform 17 against priority 65528 policy
*Mar  1 18:22:26.801: ISAKMP:      encryption 3DES-CBC
*Mar  1 18:22:26.801: ISAKMP:      hash SHA
*Mar  1 18:22:26.801: ISAKMP:      default group 2
*Mar  1 18:22:26.801: ISAKMP:      auth pre-share
*Mar  1 18:22:26.801: ISAKMP:      life type in seconds
*Mar  1 18:22:26.801: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Mar  1 18:22:26.805: ISAKMP:(0):Hash algorithm offered does not match policy!
*Mar  1 18:22:26.805: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Mar  1 18:22:26.805: ISAKMP:(0):Checking ISAKMP transform 17 against priority 65529 policy
*Mar  1 18:22:26.805: ISAKMP:      encryption 3DES-CBC
*Mar  1 18:22:26.805: ISAKMP:      hash SHA
*Mar  1 18:22:26.805: ISAKMP:      default group 2
*Mar  1 18:22:26.805: ISAKMP:      auth pre-share
*Mar  1 18:22:26.805: ISAKMP:      life type in seconds
*Mar  1 18:22:26.805: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Mar  1 18:22:26.805: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Mar  1 18:22:26.805: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Mar  1 18:22:26.805: ISAKMP:(0):Checking ISAKMP transform 17 against priority 65530 policy
*Mar  1 18:22:26.805: ISAKMP:      encryption 3DES-CBC
*Mar  1 18:22:26.805: ISAKMP:      hash SHA
*Mar  1 18:22:26.805: ISAKMP:      default group 2
*Mar  1 18:22:26.805: ISAKMP:      auth pre-share
*Mar  1 18:22:26.805: ISAKMP:      life type in seconds
*Mar  1 18:22:26.805: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Mar  1 18:22:26.809: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Mar  1 18:22:26.809: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Mar  1 18:22:26.809: ISAKMP:(0):Checking ISAKMP transform 17 against priority 65531 policy
*Mar  1 18:22:26.809: ISAKMP:      encryption 3DES-CBC
*Mar  1 18:22:26.809: ISAKMP:      hash SHA
*Mar  1 18:22:26.809: ISAKMP:      default group 2
*Mar  1 18:22:26.809: ISAKMP:      auth pre-share
*Mar  1 18:22:26.809: ISAKMP:      life type in seconds
*Mar  1 18:22:26.809: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Mar  1 18:22:26.809: ISAKMP:(0):atts are acceptable. Next payload is 0
*Mar  1 18:22:26.809: ISAKMP:(0): processing KE payload. message ID = 0
*Mar  1 18:22:26.953: ISAKMP:(0): processing NONCE payload. message ID = 0
*Mar  1 18:22:26.957: ISAKMP:(1329): processing HASH payload. message ID = 0
*Mar  1 18:22:26.957: ISAKMP:(1329): vendor ID is NAT-T v2
*Mar  1 18:22:26.957: ISAKMP:received payload type 20
*Mar  1 18:22:26.957: ISAKMP:received payload type 20
*Mar  1 18:22:26.957: ISAKMP:(1329):SA authentication status:
        authenticated
*Mar  1 18:22:26.957: ISAKMP:(1329):SA has been authenticated with 203.170.236.194
*Mar  1 18:22:26.957: ISAKMP:(1329):IKE_DPD is enabled, initializing timers
*Mar  1 18:22:26.957: ISAKMP:(1329):Send initial contact
*Mar  1 18:22:26.961: ISAKMP:(1329): sending packet to 203.170.236.194 my_port 500 peer_port 500 (I) AG_INIT_EXCH
*Mar  1 18:22:26.961: ISAKMP:(1329):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
*Mar  1 18:22:26.961: ISAKMP:(1329):Old State = IKE_I_AM1  New State = IKE_P1_COMPLETE

*Mar  1 18:22:26.965: ISAKMP:(1329):Need config/address
*Mar  1 18:22:26.965: ISAKMP: set new node 608190535 to CONF_ADDR   
*Mar  1 18:22:26.965: ISAKMP: Sending APPLICATION_VERSION string: Cisco IOS Software, C2600 Software (C2600-ADVIPSERVICESK9-M), Version 12.4(4)T, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2005 by Cisco Systems, Inc.
Compiled Wed 26-Oct-05 21:54 by ccai
*Mar  1 18:22:26.969: ISAKMP:(1329): initiating peer config to 203.170.236.194. ID = 608190535
*Mar  1 18:22:26.969: ISAKMP:(1329): sending packet to 203.170.236.194 my_port 500 peer_port 500 (I) CONF_ADDR   
*Mar  1 18:22:26.973: ISAKMP:(1329):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Mar  1 18:22:26.973: ISAKMP:(1329):Old State = IKE_P1_COMPLETE  New State = IKE_CONFIG_MODE_REQ_SENT

*Mar  1 18:22:26.981: ISAKMP (0:1329): received packet from 203.170.236.194 dport 500 sport 500 Global (I) CONF_ADDR   
*Mar  1 18:22:26.981: ISAKMP:(1329):processing transaction payload from 203.170.236.194. message ID = 608190535
*Mar  1 18:22:26.985: ISAKMP: Config payload REPLY
*Mar  1 18:22:26.985: ISAKMP(0:1329) process config reply
*Mar  1 18:22:26.985: ISAKMP:(1329):deleting node 608190535 error FALSE reason "Transaction mode done"
*Mar  1 18:22:26.985: ISAKMP:(1329):Input = IKE_MESG_FROM_PEER, IKE_CFG_REPLY
*Mar  1 18:22:26.985: ISAKMP:(1329):Old State = IKE_CONFIG_MODE_REQ_SENT  New State = IKE_P1_COMPLETE

*Mar  1 18:22:27.009: ISAKMP: set new node 0 to QM_IDLE     
*Mar  1 18:22:27.013: ISAKMP:(1329):beginning Quick Mode exchange, M-ID of -1547246263
*Mar  1 18:22:27.017: ISKAMP: growing send buffer from 1024 to 3072
*Mar  1 18:22:27.025: ISAKMP:(1329): sending packet to 203.170.236.194 my_port 500 peer_port 500 (I) QM_IDLE     
*Mar  1 18:22:27.025: ISAKMP:(1329):Node -1547246263, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Mar  1 18:22:27.029: ISAKMP:(1329):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
*Mar  1 18:22:27.029: ISAKMP:(1329):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Mar  1 18:22:27.029: ISAKMP:(1329):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

*Mar  1 18:22:30.086: ISAKMP:(1327):purging SA., sa=85F658C0, delme=85F658C0
*Mar  1 18:22:30.743: ISAKMP:(1328):purging node -500002571
*Mar  1 18:22:30.743: ISAKMP:(1328):purging node -1753021632
*Mar  1 18:22:34.974: ISAKMP (0:1329): received packet from 203.170.236.194 dport 500 sport 500 Global (I) QM_IDLE     
*Mar  1 18:22:34.974: ISAKMP:(1329): phase 2 packet is a duplicate of a previous packet.
*Mar  1 18:22:34.974: ISAKMP:(1329): retransmitting due to retransmit phase 2
*Mar  1 18:22:34.974: ISAKMP:(1329): retransmitting phase 2 QM_IDLE       608190535 ...
*Mar  1 18:22:35.475: ISAKMP:(1329): retransmitting phase 2 QM_IDLE       608190535 ...
*Mar  1 18:22:35.475: ISAKMP (0:1329): incrementing error counter on node, attempt 1 of 5: retransmit phase 2
*Mar  1 18:22:35.475: ISAKMP (0:1329): incrementing error counter on sa, attempt 1 of 5: retransmit phase 2
*Mar  1 18:22:35.475: ISAKMP:(1329): retransmitting phase 2 608190535 QM_IDLE     
*Mar  1 18:22:35.475: ISAKMP:(1329): sending packet to 203.170.236.194 my_port 500 peer_port 500 (I) QM_IDLE     
*Mar  1 18:22:35.483: ISAKMP (0:1329): received packet from 203.170.236.194 dport 500 sport 500 Global (I) QM_IDLE     
*Mar  1 18:22:35.483: ISAKMP:(1329): phase 2 packet is a duplicate of a previous packet.
*Mar  1 18:22:35.483: ISAKMP:(1329): retransmission skipped for phase 2 (time since last transmission 8)
*Mar  1 18:22:37.025: ISAKMP:(1329): retransmitting phase 2 QM_IDLE       -1547246263 ...
*Mar  1 18:22:37.025: ISAKMP (0:1329): incrementing error counter on node, attempt 1 of 5: retransmit phase 2
*Mar  1 18:22:37.025: ISAKMP (0:1329): incrementing error counter on sa, attempt 2 of 5: retransmit phase 2
*Mar  1 18:22:37.025: ISAKMP:(1329): retransmitting phase 2 -1547246263 QM_IDLE     
*Mar  1 18:22:37.025: ISAKMP:(1329): sending packet to 203.170.236.194 my_port 500 peer_port 500 (I) QM_IDLE     
*Mar  1 18:22:40.744: ISAKMP:(1328):purging SA., sa=85EE3FE0, delme=85EE3FE0
*Mar  1 18:22:43.484: ISAKMP (0:1329): received packet from 203.170.236.194 dport 500 sport 500 Global (I) QM_IDLE     
*Mar  1 18:22:43.484: ISAKMP:(1329): phase 2 packet is a duplicate of a previous packet.
*Mar  1 18:22:43.484: ISAKMP:(1329): retransmitting due to retransmit phase 2
*Mar  1 18:22:43.484: ISAKMP:(1329): retransmitting phase 2 QM_IDLE       608190535 ...
*Mar  1 18:22:43.985: ISAKMP:(1329): retransmitting phase 2 QM_IDLE       608190535 ...
*Mar  1 18:22:43.985: ISAKMP (0:1329): incrementing error counter on node, attempt 2 of 5: retransmit phase 2
*Mar  1 18:22:43.985: ISAKMP (0:1329): incrementing error counter on sa, attempt 3 of 5: retransmit phase 2
*Mar  1 18:22:43.985: ISAKMP:(1329): retransmitting phase 2 608190535 QM_IDLE     
*Mar  1 18:22:43.985: ISAKMP:(1329): sending packet to 203.170.236.194 my_port 500 peer_port 500 (I) QM_IDLE     
*Mar  1 18:22:43.993: ISAKMP (0:1329): received packet from 203.170.236.194 dport 500 sport 500 Global (I) QM_IDLE     
*Mar  1 18:22:43.997: ISAKMP: set new node 1136963526 to QM_IDLE     
*Mar  1 18:22:43.997: ISAKMP:(1329): processing HASH payload. message ID = 1136963526
*Mar  1 18:22:43.997: ISAKMP:(1329): processing DELETE payload. message ID = 1136963526
*Mar  1 18:22:43.997: ISAKMP:(1329):peer does not do paranoid keepalives.

*Mar  1 18:22:43.997: ISAKMP:(1329):deleting SA reason "No reason" state (I) QM_IDLE       (peer 203.170.236.194)
*Mar  1 18:22:43.997: ISAKMP:(1329):deleting node 1136963526 error FALSE reason "Informational (in) state 1"
*Mar  1 18:22:44.001: ISAKMP: set new node 1045494720 to QM_IDLE     
*Mar  1 18:22:44.001: ISAKMP:(1329): sending packet to 203.170.236.194 my_port 500 peer_port 500 (I) QM_IDLE     
*Mar  1 18:22:44.005: ISAKMP:(1329):purging node 1045494720
*Mar  1 18:22:44.005: ISAKMP:(1329):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Mar  1 18:22:44.005: ISAKMP:(1329):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA

*Mar  1 18:22:44.009: ISAKMP:(1329):deleting SA reason "No reason" state (I) QM_IDLE       (peer 203.170.236.194)
*Mar  1 18:22:44.009: ISAKMP: Unlocking peer struct 0x85F0413C for isadb_mark_sa_deleted(), count 0
*Mar  1 18:22:44.009: ISAKMP: Deferring peer node 85F0413C deletion, by peer_reap as there are other users 4
*Mar  1 18:22:44.013: ISAKMP:(1329):deleting node 608190535 error FALSE reason "IKE deleted"
*Mar  1 18:22:44.013: ISAKMP:(1329):deleting node -1547246263 error FALSE reason "IKE deleted"
*Mar  1 18:22:44.013: ISAKMP:(1329):deleting node 1136963526 error FALSE reason "IKE deleted"
*Mar  1 18:22:44.013: ISAKMP:(1329):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar  1 18:22:44.013: ISAKMP:(1329):Old State = IKE_DEST_SA  New State = IKE_DEST_SA

*Mar  1 18:22:44.017: ISAKMP: Deleting peer node by peer_reap for 203.170.236.194: 85F0413C
*Mar  1 18:22:44.017: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  User=  Group=XXX_ezvpn  Client_public_addr=180.180.122.124  Server_public_addr=203.170.236.194 
*Mar  1 18:22:44.025: ISAKMP:(1329):peer does not do paranoid keepalives.

*Mar  1 18:22:44.025: ISAKMP: Created a peer struct for 203.170.236.194, peer port 500
*Mar  1 18:22:45.231: ISAKMP:(0): SA request profile is (NULL)
*Mar  1 18:22:45.231: ISAKMP: Found a peer struct for 203.170.236.194, peer port 500
*Mar  1 18:22:45.231: ISAKMP: Locking peer struct 0x85FAEFC0, refcount 1 for isakmp_initiator
*Mar  1 18:22:45.231: ISAKMP:(0):Setting client config settings 85F0413C
*Mar  1 18:22:45.231: ISAKMP: local port 500, remote port 500
*Mar  1 18:22:45.231: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 85F24F50
*Mar  1 18:22:45.235: ISAKMP:(0): client mode configured.
*Mar  1 18:22:45.235: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Mar  1 18:22:45.235: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Mar  1 18:22:45.235: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Mar  1 18:22:45.351: ISKAMP: growing send buffer from 1024 to 3072
*Mar  1 18:22:45.355: ISAKMP:(0):SA is doing pre-shared key authentication plus XAUTH using id type ID_KEY_ID
*Mar  1 18:22:45.355: ISAKMP (0:0): ID payload
        next-payload : 13
        type         : 11
        group id     : XXX_ezvpn
        protocol     : 17
        port         : 0
        length       : 17
*Mar  1 18:22:45.355: ISAKMP:(0):Total payload length: 17
*Mar  1 18:22:45.355: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_AM
*Mar  1 18:22:45.355: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_AM1

*Mar  1 18:22:45.355: ISAKMP:(0): beginning Aggressive Mode exchange
*Mar  1 18:22:45.355: ISAKMP:(0): sending packet to 203.170.236.194 my_port 500 peer_port 500 (I) AG_INIT_EXCH
*Mar  1 18:22:45.371: ISAKMP (0:0): received packet from 203.170.236.194 dport 500 sport 500 Global (I) AG_INIT_EXCH
*Mar  1 18:22:45.371: ISAKMP:(0): processing SA payload. message ID = 0
*Mar  1 18:22:45.371: ISAKMP:(0): processing ID payload. message ID = 0
*Mar  1 18:22:45.375: ISAKMP (0:0): ID payload
        next-payload : 8
        type         : 1
        address      : 203.170.236.194
        protocol     : 17
        port         : 0
        length       : 12
*Mar  1 18:22:45.375: ISAKMP:(0):: peer matches *none* of the profiles
*Mar  1 18:22:45.375: ISAKMP:(0): processing vendor id payload
*Mar  1 18:22:45.375: ISAKMP:(0): vendor ID is Unity
*Mar  1 18:22:45.375: ISAKMP:(0): processing vendor id payload
*Mar  1 18:22:45.375: ISAKMP:(0): vendor ID seems Unity/DPD but major 215 mismatch
*Mar  1 18:22:45.375: ISAKMP:(0): vendor ID is XAUTH
*Mar  1 18:22:45.375: ISAKMP:(0): processing vendor id payload
*Mar  1 18:22:45.375: ISAKMP:(0): vendor ID is DPD
*Mar  1 18:22:45.375: ISAKMP:(0): local preshared key found
*Mar  1 18:22:45.379: ISAKMP : Scanning profiles for xauth ...
*Mar  1 18:22:45.379: ISAKMP:(0): Authentication by xauth preshared
*Mar  1 18:22:45.379: ISAKMP:(0):Checking ISAKMP transform 17 against priority 65515 policy
*Mar  1 18:22:45.379: ISAKMP:      encryption 3DES-CBC
*Mar  1 18:22:45.379: ISAKMP:      hash SHA
*Mar  1 18:22:45.379: ISAKMP:      default group 2
*Mar  1 18:22:45.379: ISAKMP:      auth pre-share
*Mar  1 18:22:45.379: ISAKMP:      life type in seconds
*Mar  1 18:22:45.379: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Mar  1 18:22:45.379: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Mar  1 18:22:45.379: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Mar  1 18:22:45.379: ISAKMP:(0):Checking ISAKMP transform 17 against priority 65516 policy
*Mar  1 18:22:45.379: ISAKMP:      encryption 3DES-CBC
*Mar  1 18:22:45.379: ISAKMP:      hash SHA
*Mar  1 18:22:45.379: ISAKMP:      default group 2
*Mar  1 18:22:45.379: ISAKMP:      auth pre-share
*Mar  1 18:22:45.383: ISAKMP:      life type in seconds
*Mar  1 18:22:45.383: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Mar  1 18:22:45.383: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Mar  1 18:22:45.383: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Mar  1 18:22:45.383: ISAKMP:(0):Checking ISAKMP transform 17 against priority 65517 policy
*Mar  1 18:22:45.383: ISAKMP:      encryption 3DES-CBC
*Mar  1 18:22:45.383: ISAKMP:      hash SHA
*Mar  1 18:22:45.383: ISAKMP:      default group 2
*Mar  1 18:22:45.383: ISAKMP:      auth pre-share
*Mar  1 18:22:45.383: ISAKMP:      life type in seconds
*Mar  1 18:22:45.383: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Mar  1 18:22:45.383: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Mar  1 18:22:45.383: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Mar  1 18:22:45.383: ISAKMP:(0):Checking ISAKMP transform 17 against priority 65518 policy
*Mar  1 18:22:45.387: ISAKMP:      encryption 3DES-CBC
*Mar  1 18:22:45.387: ISAKMP:      hash SHA
*Mar  1 18:22:45.387: ISAKMP:      default group 2
*Mar  1 18:22:45.387: ISAKMP:      auth pre-share
*Mar  1 18:22:45.387: ISAKMP:      life type in seconds
*Mar  1 18:22:45.387: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Mar  1 18:22:45.387: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Mar  1 18:22:45.387: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Mar  1 18:22:45.387: ISAKMP:(0):Checking ISAKMP transform 17 against priority 65519 policy
*Mar  1 18:22:45.387: ISAKMP:      encryption 3DES-CBC
*Mar  1 18:22:45.387: ISAKMP:      hash SHA
*Mar  1 18:22:45.387: ISAKMP:      default group 2
*Mar  1 18:22:45.387: ISAKMP:      auth pre-share
*Mar  1 18:22:45.387: ISAKMP:      life type in seconds
*Mar  1 18:22:45.387: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Mar  1 18:22:45.391: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Mar  1 18:22:45.391: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Mar  1 18:22:45.391: ISAKMP:(0):Checking ISAKMP transform 17 against priority 65520 policy
*Mar  1 18:22:45.391: ISAKMP:      encryption 3DES-CBC
*Mar  1 18:22:45.391: ISAKMP:      hash SHA
*Mar  1 18:22:45.391: ISAKMP:      default group 2
*Mar  1 18:22:45.391: ISAKMP:      auth pre-share
*Mar  1 18:22:45.391: ISAKMP:      life type in seconds
*Mar  1 18:22:45.391: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Mar  1 18:22:45.391: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Mar  1 18:22:45.391: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Mar  1 18:22:45.391: ISAKMP:(0):Checking ISAKMP transform 17 against priority 65521 policy
*Mar  1 18:22:45.391: ISAKMP:      encryption 3DES-CBC
*Mar  1 18:22:45.391: ISAKMP:      hash SHA
*Mar  1 18:22:45.395: ISAKMP:      default group 2
*Mar  1 18:22:45.395: ISAKMP:      auth pre-share
*Mar  1 18:22:45.395: ISAKMP:      life type in seconds
*Mar  1 18:22:45.395: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Mar  1 18:22:45.395: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Mar  1 18:22:45.395: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Mar  1 18:22:45.395: ISAKMP:(0):Checking ISAKMP transform 17 against priority 65522 policy
*Mar  1 18:22:45.395: ISAKMP:      encryption 3DES-CBC
*Mar  1 18:22:45.395: ISAKMP:      hash SHA
*Mar  1 18:22:45.395: ISAKMP:      default group 2
*Mar  1 18:22:45.395: ISAKMP:      auth pre-share
*Mar  1 18:22:45.395: ISAKMP:      life type in seconds
*Mar  1 18:22:45.395: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Mar  1 18:22:45.395: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Mar  1 18:22:45.395: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Mar  1 18:22:45.395: ISAKMP:(0):Checking ISAKMP transform 17 against priority 65523 policy
*Mar  1 18:22:45.399: ISAKMP:      encryption 3DES-CBC
*Mar  1 18:22:45.399: ISAKMP:      hash SHA
*Mar  1 18:22:45.399: ISAKMP:      default group 2
*Mar  1 18:22:45.399: ISAKMP:      auth pre-share
*Mar  1 18:22:45.399: ISAKMP:      life type in seconds
*Mar  1 18:22:45.399: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Mar  1 18:22:45.399: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Mar  1 18:22:45.399: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Mar  1 18:22:45.399: ISAKMP:(0):Checking ISAKMP transform 17 against priority 65524 policy
*Mar  1 18:22:45.399: ISAKMP:      encryption 3DES-CBC
*Mar  1 18:22:45.399: ISAKMP:      hash SHA
*Mar  1 18:22:45.399: ISAKMP:      default group 2
*Mar  1 18:22:45.399: ISAKMP:      auth pre-share
*Mar  1 18:22:45.399: ISAKMP:      life type in seconds
*Mar  1 18:22:45.399: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Mar  1 18:22:45.399: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Mar  1 18:22:45.399: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Mar  1 18:22:45.403: ISAKMP:(0):Checking ISAKMP transform 17 against priority 65525 policy
*Mar  1 18:22:45.403: ISAKMP:      encryption 3DES-CBC
*Mar  1 18:22:45.403: ISAKMP:      hash SHA
*Mar  1 18:22:45.403: ISAKMP:      default group 2
*Mar  1 18:22:45.403: ISAKMP:      auth pre-share
*Mar  1 18:22:45.403: ISAKMP:      life type in seconds
*Mar  1 18:22:45.403: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Mar  1 18:22:45.403: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Mar  1 18:22:45.403: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Mar  1 18:22:45.403: ISAKMP:(0):Checking ISAKMP transform 17 against priority 65526 policy
*Mar  1 18:22:45.403: ISAKMP:      encryption 3DES-CBC
*Mar  1 18:22:45.403: ISAKMP:      hash SHA
*Mar  1 18:22:45.403: ISAKMP:      default group 2
*Mar  1 18:22:45.403: ISAKMP:      auth pre-share
*Mar  1 18:22:45.403: ISAKMP:      life type in seconds
*Mar  1 18:22:45.403: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Mar  1 18:22:45.403: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Mar  1 18:22:45.403: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Mar  1 18:22:45.407: ISAKMP:(0):Checking ISAKMP transform 17 against priority 65527 policy
*Mar  1 18:22:45.407: ISAKMP:      encryption 3DES-CBC
*Mar  1 18:22:45.407: ISAKMP:      hash SHA
*Mar  1 18:22:45.407: ISAKMP:      default group 2
*Mar  1 18:22:45.407: ISAKMP:      auth pre-share
*Mar  1 18:22:45.407: ISAKMP:      life type in seconds
*Mar  1 18:22:45.407: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Mar  1 18:22:45.407: ISAKMP:(0):Authentication method offered does not match policy!
*Mar  1 18:22:45.407: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Mar  1 18:22:45.407: ISAKMP:(0):Checking ISAKMP transform 17 against priority 65528 policy
*Mar  1 18:22:45.407: ISAKMP:      encryption 3DES-CBC
*Mar  1 18:22:45.407: ISAKMP:      hash SHA
*Mar  1 18:22:45.407: ISAKMP:      default group 2
*Mar  1 18:22:45.407: ISAKMP:      auth pre-share
*Mar  1 18:22:45.407: ISAKMP:      life type in seconds
*Mar  1 18:22:45.407: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Mar  1 18:22:45.407: ISAKMP:(0):Hash algorithm offered does not match policy!
*Mar  1 18:22:45.411: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Mar  1 18:22:45.411: ISAKMP:(0):Checking ISAKMP transform 17 against priority 65529 policy
*Mar  1 18:22:45.411: ISAKMP:      encryption 3DES-CBC
*Mar  1 18:22:45.411: ISAKMP:      hash SHA
*Mar  1 18:22:45.411: ISAKMP:      default group 2
*Mar  1 18:22:45.411: ISAKMP:      auth pre-share
*Mar  1 18:22:45.411: ISAKMP:      life type in seconds
*Mar  1 18:22:45.411: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Mar  1 18:22:45.411: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Mar  1 18:22:45.411: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Mar  1 18:22:45.411: ISAKMP:(0):Checking ISAKMP transform 17 against priority 65530 policy
*Mar  1 18:22:45.411: ISAKMP:      encryption 3DES-CBC
*Mar  1 18:22:45.411: ISAKMP:      hash SHA
*Mar  1 18:22:45.411: ISAKMP:      default group 2
*Mar  1 18:22:45.411: ISAKMP:      auth pre-share
*Mar  1 18:22:45.411: ISAKMP:      life type in seconds
*Mar  1 18:22:45.411: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Mar  1 18:22:45.415: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Mar  1 18:22:45.415: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Mar  1 18:22:45.415: ISAKMP:(0):Checking ISAKMP transform 17 against priority 65531 policy
*Mar  1 18:22:45.415: ISAKMP:      encryption 3DES-CBC
*Mar  1 18:22:45.415: ISAKMP:      hash SHA
*Mar  1 18:22:45.415: ISAKMP:      default group 2
*Mar  1 18:22:45.415: ISAKMP:      auth pre-share
*Mar  1 18:22:45.415: ISAKMP:      life type in seconds
*Mar  1 18:22:45.415: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Mar  1 18:22:45.415: ISAKMP:(0):atts are acceptable. Next payload is 0
*Mar  1 18:22:45.415: ISAKMP:(0): processing KE payload. message ID = 0
*Mar  1 18:22:45.559: ISAKMP:(0): processing NONCE payload. message ID = 0
*Mar  1 18:22:45.563: ISAKMP:(1330): processing HASH payload. message ID = 0
*Mar  1 18:22:45.563: ISAKMP:(1330): vendor ID is NAT-T v2
*Mar  1 18:22:45.563: ISAKMP:received payload type 20
*Mar  1 18:22:45.563: ISAKMP:received payload type 20
*Mar  1 18:22:45.567: ISAKMP:(1330):SA authentication status:
        authenticated
*Mar  1 18:22:45.567: ISAKMP:(1330):SA has been authenticated with 203.170.236.194
*Mar  1 18:22:45.567: ISAKMP:(1330):IKE_DPD is enabled, initializing timers
*Mar  1 18:22:45.567: ISAKMP:(1330):Send initial contact
*Mar  1 18:22:45.567: ISAKMP:(1330): sending packet to 203.170.236.194 my_port 500 peer_port 500 (I) AG_INIT_EXCH
*Mar  1 18:22:45.572: ISAKMP:(1330):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
*Mar  1 18:22:45.572: ISAKMP:(1330):Old State = IKE_I_AM1  New State = IKE_P1_COMPLETE

Thanks

Polkit

Hello Polkit,

OK, this says that ISAKMP phase 1 is completed, and ideally the next step is xauth, and we should receive the following message in debug

*Jun  3 05:59:27.479: ISAKMP (0:2006): received packet from dport 500 sport 500 Global (I) CONF_XAUTH

*Jun  3 05:59:27.483: ISAKMP: set new node 850198625 to CONF_XAUTH

*Jun  3 05:59:27.487: ISAKMP:(2006):processing transaction payload from 172.16.186.186. message ID = -1517216966

*Jun  3 05:59:27.487: ISAKMP: Config payload REQUEST

*Jun  3 05:59:27.487: ISAKMP:(2006):checking request:

*Jun  3 05:59:27.487: ISAKMP:    XAUTH_USER_NAME_V2

*Jun  3 05:59:27.487: ISAKMP:    XAUTH_USER_PASSWORD_V2

*Jun  3 05:59:27.487: ISAKMP:(2006):Xauth process request

*Jun  3 05:59:27.487: ISAKMP:(2006):Input = IKE_MESG_FROM_PEER, IKE_CFG_REQUEST

*Jun  3 05:59:27.487: ISAKMP:(2006):Old State = IKE_P1_COMPLETE  New State = IKE_XAUTH_REPLY_AWAIT

and in the console you should see

*Jun 3 05:59:30.242: EZVPN(ez): Pending XAuth Request, Please enter the following command:

*Jun 3 05:59:30.242: EZVPN: crypto ipsec client ezvpn xauth

and at that time we have to enter 'crypto ipsec client ezvpn xauth' for entering the username and password

Is it possible for you to remove and re-add the crypto map interface configuration on your ASA, as follows?

no crypto map interface outside

crypto map interface outside

Please note that it will reset other connected VPNs.

harish.
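
The check described in the reply above (phase 1 completes, but is a CONF_XAUTH request ever received before the peer tears the SA down?) can be run over a long capture with a small parser. This is an added example, not part of the original thread; the function names are hypothetical and the sample lines are excerpted from the debug output posted earlier in the thread.

```python
import re
from collections import defaultdict

# Excerpt of lines from the debug output posted in this thread (SA 1329).
SAMPLE = """\
*Mar  1 18:22:26.961: ISAKMP:(1329):Old State = IKE_I_AM1  New State = IKE_P1_COMPLETE
*Mar  1 18:22:26.969: ISAKMP:(1329): sending packet to 203.170.236.194 my_port 500 peer_port 500 (I) CONF_ADDR
*Mar  1 18:22:26.985: ISAKMP:(1329):Old State = IKE_CONFIG_MODE_REQ_SENT  New State = IKE_P1_COMPLETE
*Mar  1 18:22:27.013: ISAKMP:(1329):beginning Quick Mode exchange, M-ID of -1547246263
*Mar  1 18:22:35.475: ISAKMP (0:1329): incrementing error counter on sa, attempt 1 of 5: retransmit phase 2
*Mar  1 18:22:37.025: ISAKMP (0:1329): incrementing error counter on sa, attempt 2 of 5: retransmit phase 2
*Mar  1 18:22:43.997: ISAKMP:(1329): processing DELETE payload. message ID = 1136963526
*Mar  1 18:22:44.005: ISAKMP:(1329):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA
"""

# The debug prints the SA id in two shapes: "ISAKMP:(1329)" and "ISAKMP (0:1329)".
SA_ID = re.compile(r"ISAKMP[ :]*\((?:\d+:)?(\d+)\)")
NEW_STATE = re.compile(r"New State = (\S+)")
RETRANSMIT = re.compile(r"error counter on sa, attempt (\d+) of \d+: retransmit phase 2")


def summarize(log_text):
    """Return {sa_id: facts} for each IKE SA seen in the debug text."""
    sas = defaultdict(lambda: {
        "phase1_complete": False, "xauth_requested": False, "mode_config": False,
        "quick_mode_started": False, "phase2_retransmits": 0,
        "peer_sent_delete": False, "last_state": None,
    })
    for line in log_text.splitlines():
        m = SA_ID.search(line)
        if not m:
            continue  # continuation lines and lines without an SA id
        sa = sas[m.group(1)]
        state = NEW_STATE.search(line)
        if state:
            sa["last_state"] = state.group(1)
            if state.group(1) == "IKE_P1_COMPLETE":
                sa["phase1_complete"] = True
        if "CONF_XAUTH" in line or "Xauth process request" in line:
            sa["xauth_requested"] = True
        if "CONF_ADDR" in line or "IKE_CONFIG_MODE_REQ_SENT" in line:
            sa["mode_config"] = True
        if "beginning Quick Mode exchange" in line:
            sa["quick_mode_started"] = True
        r = RETRANSMIT.search(line)
        if r:
            sa["phase2_retransmits"] = max(sa["phase2_retransmits"], int(r.group(1)))
        if "processing DELETE payload" in line:
            sa["peer_sent_delete"] = True
    return dict(sas)


def diagnose(sa):
    """Name the stage at which the negotiation for one SA stopped."""
    if not sa["phase1_complete"]:
        return "phase 1 did not complete"
    if sa["xauth_requested"]:
        return "phase 1 complete, peer requested XAUTH"
    if sa["quick_mode_started"] and sa["peer_sent_delete"]:
        return "no XAUTH request seen; peer deleted the SA during Quick Mode"
    return "phase 1 complete, no XAUTH request seen yet"


if __name__ == "__main__":
    for sa_id, facts in summarize(SAMPLE).items():
        print(sa_id, diagnose(facts), facts)
```
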

Harish,

     LOL, that's what I'm going to do as well: reset the crypto map on the ASA. However, it's going to take a little bit of time to do that. I'll get back to you with the output ASAP. By the way, I have a question about xauth: do we have to enter the username and password all the time? Can I do something like auto-activation of xauth on the 2651 so I don't have to enter the username and password every time the crypto is reset?

Thanks,

Polkit

Hello Polkit,

You can do this by changing the client setting as follows, if it is supported, and also please make sure that you have that username and password in the global configuration

username XXXXXXX password YYYYYYY

crypto ipsec client ezvpn XXX_VPN

xauth userid mode local

Harish

Hello  Harish,

I already reset the crypto map on the ASA, unfortunately it doesn't work, everything is still the same LOL. So I show crypto isa sa on the ASA and it shows

37  IKE Peer: 180.180.122.69

    Type    : user            Role    : responder

    Rekey   : no              State   : AM_TM_INIT_MODECFG_V6H

I tried to search the Internet but still didn't get anything on that.

Thanks

Polkit
