10-08-2012 10:14 PM
Hi, My company is using ezvpn to connect from branch (877) to HQ (ASA5520). Everything is working great, but when I tried to establish an ezvpn connection from a Cisco2651XM (for emergency use) to the ASA5520, it is surprisingly not working. I compared the config on both the 877 and the 2651 and it's the same. I really don't know what's going on here LOL....Please help
show version:
Cisco IOS Software, C2600 Software (C2600-ADVIPSERVICESK9-M), Version 12.4(4)T, RELEASE SOFTWARE (fc1)
show running-config on Cisco 2651 :
!
!
crypto ipsec client ezvpn XXX_VPN
connect auto
group XXX_ezvpn key cisco123
mode network-extension
peer 203.170.236.194
xauth userid mode interactive
!
!
interface FastEthernet0/0
description ### ADSL Link ###
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip virtual-reassembly
ip tcp adjust-mss 1452
duplex auto
speed auto
pppoe enable
pppoe-client dial-pool-number 1
!
interface FastEthernet0/1
ip address 192.168.199.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
crypto ipsec client ezvpn XXX_VPN inside
!
interface Dialer0
description ### ADSL Link ###
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication pap chap callin
ppp chap hostname xxxxxxxxx@fttxbiz
ppp chap password 0 xxxxxxxx
ppp pap sent-username xxxxxxx@fttxbiz password 0 xxxxxxxx
crypto ipsec client ezvpn XXX_VPN
!
Please help ......Thank you
10-08-2012 11:11 PM
Hello Polkit,
I hope you got the public IP via PPPoE,
can you get the output for
'sh crypto ipsec client ezvpn'
also do a debug as follows and remove and add the crypto ipsec client ezvpn XXX_VPN from dialer interface and get the output
'debug crypto ipsec client ezvpn'
Regards
Harish.
10-08-2012 11:31 PM
Here is the output.
Test-Router#sh crypto ipsec client ezvpn
Easy VPN Remote Phase: 6
Tunnel name : BLA_VPN
Inside interface list: FastEthernet0/1
Outside interface: Dialer0
Current State: SS_OPEN
Last Event: SOCKET_READY
Default Domain: xxx.co.th
Save Password: Disallowed
Current EzVPN Peer: 203.170.236.194
---------------------------------------------------------------------------------------------
Here is the output from debug after removing and re-adding crypto on int dialer 0
*Mar 1 15:40:53.375: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
*Mar 1 15:40:53.375: EZVPN(BLA_VPN): Current State: IDLE
*Mar 1 15:40:53.375: EZVPN(BLA_VPN): Event: VALID_CONFIG_ENTERED
*Mar 1 15:40:53.375: EZVPN(BLA_VPN): ezvpn_check_tunnel_interface_state
*Mar 1 15:40:53.375: EZVPN(BLA_VPN): New State: VALID_CFG
*Mar 1 15:40:53.375: EZVPN(BLA_VPN): Current State: VALID_CFG
*Mar 1 15:40:53.375: EZVPN(BLA_VPN): Event: VALID_CONFIG_ENTERED
*Mar 1 15:40:53.379: EZVPN(BLA_VPN): No state change
*Mar 1 15:40:53.379: EZVPN(BLA_VPN): Current State: VALID_CFG
*Mar 1 15:40:53.379: EZVPN(BLA_VPN): Event: TUNNEL_INTERFACE_UP
*Mar 1 15:40:53.379: EZVPN(BLA_VPN): ezvpn_check_tunnel_interface_address
*Mar 1 15:40:53.379: EZVPN(BLA_VPN): New State: TUNNEL_INT_UP
*Mar 1 15:40:53.379: EZVPN(BLA_VPN): Current State: TUNNEL_INT_UP
*Mar 1 15:40:53.379: EZVPN(BLA_VPN): Event: TUNNEL_HAS_PUBLIC_IP_ADD
*Mar 1 15:40:53.379: EZVPN(BLA_VPN): New State: TRACKING
*Mar 1 15:40:53.383: EZVPN(BLA_VPN): Current State: TRACKING
*Mar 1 15:40:53.383: EZVPN(BLA_VPN): Event: TRACKED OBJECT UP
*Mar 1 15:40:53.383: EZVPN(BLA_VPN): New State: CONNECT_REQUIRED
*Mar 1 15:40:53.383: EZVPN(BLA_VPN): Current State: CONNECT_REQUIRED
*Mar 1 15:40:53.383: EZVPN(BLA_VPN): Event: CONNECT
*Mar 1 15:40:53.383: EZVPN(BLA_VPN): ezvpn_connect_request
*Mar 1 15:40:53.383: EZVPN(BLA_VPN): Found valid peer 203.170.236.194
*Mar 1 15:40:53.383: EZVPN(BLA_VPN): Added PSK for address 203.170.236.194
*Mar 1 15:40:53.383: EzVPN(BLA_VPN): sleep jitter delay 1645
*Mar 1 15:40:55.029: EZVPN(BLA_VPN): New State: READY
*Mar 1 15:40:55.366: EZVPN(BLA_VPN): Current State: READY
*Mar 1 15:40:55.366: EZVPN(BLA_VPN): Event: IKE_PFS
*Mar 1 15:40:55.366: EZVPN(BLA_VPN): No state change
*Mar 1 15:40:55.370: EZVPN(BLA_VPN): Current State: READY
*Mar 1 15:40:55.370: EZVPN(BLA_VPN): Event: CONN_UP
*Mar 1 15:40:55.374: EZVPN(BLA_VPN): ezvpn_conn_up 49A5D809 98573010 76CBD901 91CE014D
*Mar 1 15:40:55.374: EZVPN(BLA_VPN): No state change
*Mar 1 15:40:55.382: EZVPN(BLA_VPN): Current State: READY
*Mar 1 15:40:55.382: EZVPN(BLA_VPN): Event: MODE_CONFIG_REPLY
*Mar 1 15:40:55.382: EzVPN(BLA_VPN): rollback skipped! 49A5D809 98573010 76CBD901 91CE014D
*Mar 1 15:40:55.386: EZVPN(BLA_VPN): ezvpn_parse_mode_config_msg
*Mar 1 15:40:55.386: EZVPN: Attributes sent in message:
*Mar 1 15:40:55.386: Savepwd off
*Mar 1 15:40:55.386: Default Domain: bla.co.th
*Mar 1 15:40:55.386: EZVPN: Unknown/Unsupported Attr: APPLICATION_VERSION (0x7)
*Mar 1 15:40:55.394: EZVPN(BLA_VPN): ezvpn_mode_config
*Mar 1 15:40:55.394: EZVPN(BLA_VPN): New State: SS_OPEN
*Mar 1 15:40:55.426: EZVPN(BLA_VPN): Current State: SS_OPEN
*Mar 1 15:40:55.426: EZVPN(BLA_VPN): Event: SOCKET_READY
*Mar 1 15:40:55.426: EZVPN(BLA_VPN): No state change
*Mar 1 15:41:12.390: EZVPN(BLA_VPN): Current State: SS_OPEN
*Mar 1 15:41:12.390: EZVPN(BLA_VPN): Event: CONN_DOWN
*Mar 1 15:41:12.390: EZVPN(BLA_VPN): ezvpn_close 49A5D809 98573010 76CBD901 91CE014D
*Mar 1 15:41:12.394: EZVPN(BLA_VPN): Deleted PSK for address 203.170.236.194
*Mar 1 15:41:12.394: EzVPN(BLA_VPN): rollback skipped!
*Mar 1 15:41:12.394: EZVPN(BLA_VPN): No Connect ACL checking status change
*Mar 1 15:41:12.394: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=BLA_ezvpn Client_public_addr=180.180.46.31 Server_public_addr=203.170.236.194
----------------------------------------------------------------------------------------------------------------------------------
This is show crypto session and show crypto isa sa
Test-Router#sh crypt se
Crypto session current status
Interface: Dialer0
Session status: UP-IDLE
Peer: 203.170.236.194 port 500
IKE SA: local 180.180.46.31/500 remote 203.170.236.194/500 Active
IKE SA: local 180.180.46.31/500 remote 203.170.236.194/500 Inactive
IKE SA: local 180.180.46.31/500 remote 203.170.236.194/500 Inactive
IKE SA: local 180.180.46.31/500 remote 203.170.236.194/500 Inactive
IPSEC FLOW: permit ip 192.168.199.0/255.255.255.0 0.0.0.0/0.0.0.0
Active SAs: 0, origin: crypto map
IPSEC FLOW: permit ip 192.168.199.0/255.255.255.0 0.0.0.0/0.0.0.0
Active SAs: 0, origin: crypto map
Test-Router#
Test-Router#
Test-Router#
Test-Router#sh crypto isa sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
203.170.236.194 180.180.46.31 QM_IDLE 1369 0 ACTIVE
203.170.236.194 180.180.46.31 MM_NO_STATE 1368 0 ACTIVE (deleted)
203.170.236.194 180.180.46.31 MM_NO_STATE 1367 0 ACTIVE (deleted)
203.170.236.194 180.180.46.31 MM_NO_STATE 1366 0 ACTIVE (deleted)
IPv6 Crypto ISAKMP SA
Thanks Harish,
10-09-2012 12:18 AM
Hello Polkit,
I don't see the xauth phase happening here in the debug. Are you giving the username and password manually?
regards
Harish
10-09-2012 12:54 AM
Hi Harish,
The xauth does not come up to let me enter username and password at all. I am not sure whether it's because of the ASA config or the router config, but as I said, it works fine on the 877 without xauth. So I'm not sure whether I have to be aware of xauth or not?
Thanks,
Polkit
10-09-2012 01:06 AM
Hello Polkit,
Ok, can you give this 'crypto ipsec client ezvpn xauth' and see whether it is asking for username and password
regards
Harish.
10-09-2012 01:13 AM
Harish,
here is the output.
Test-Router#crypto ipsec client ezvpn xauth
EZVPN(BLA_VPN): There are no pending Xauth Requests
Test-Router#
Thanks
Polkit
10-09-2012 01:21 AM
Hello Polkit,
Since you had given xauth userid mode interactive, I believe we need to enter the above command when it is asking us to enter. You can change this to local as follows, and make sure that you have the username and password configured in global configuration mode.
crypto ipsec client ezvpn XXX_VPN
xauth userid mode local
Also after changing this, please remove and add crypto ipsec client ezvpn XXX_VPN from dialer interface and try to do the above debugs again
regards
Harish.
10-09-2012 01:39 AM
Harish,
Here is my config after changing
crypto ipsec client ezvpn XXX_VPN
connect auto
group XXX_ezvpn key cisco123
mode network-extension
peer 203.170.236.194
username admin password XXXXXX ---> also have it on global (must enter this unless can't enter cli "xauth local")
xauth userid mode local
-------------------------------------------------------------------------------
and here is the debug
Test-Router(config-if)#crypto ipse clie ezvpn XXX_VPN
Test-Router(config-if)#
*Mar 1 17:53:09.933: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
*Mar 1 17:53:09.933: EZVPN(XXX_VPN): Current State: IDLE
*Mar 1 17:53:09.933: EZVPN(XXX_VPN): Event: VALID_CONFIG_ENTERED
*Mar 1 17:53:09.933: EZVPN(XXX_VPN): ezvpn_check_tunnel_interface_state
*Mar 1 17:53:09.933: EZVPN(XXX_VPN): New State: VALID_CFG
*Mar 1 17:53:09.933: EZVPN(XXX_VPN): Current State: VALID_CFG
*Mar 1 17:53:09.933: EZVPN(XXX_VPN): Event: VALID_CONFIG_ENTERED
*Mar 1 17:53:09.937: EZVPN(XXX_VPN): No state change
*Mar 1 17:53:09.937: EZVPN(XXX_VPN): Current State: VALID_CFG
*Mar 1 17:53:09.937: EZVPN(XXX_VPN): Event: TUNNEL_INTERFACE_UP
*Mar 1 17:53:09.937: EZVPN(XXX_VPN): ezvpn_check_tunnel_interface_address
*Mar 1 17:53:09.937: EZVPN(XXX_VPN): New State: TUNNEL_INT_UP
*Mar 1 17:53:09.937: EZVPN(XXX_VPN): Current State: TUNNEL_INT_UP
*Mar 1 17:53:09.937: EZVPN(XXX_VPN): Event: TUNNEL_HAS_PUBLIC_IP_ADD
*Mar 1 17:53:09.937: EZVPN(XXX_VPN): New State: TRACKING
*Mar 1 17:53:09.941: EZVPN(XXX_VPN): Current State: TRACKING
*Mar 1 17:53:09.941: EZVPN(XXX_VPN): Event: TRACKED OBJECT UP
*Mar 1 17:53:09.941: EZVPN(XXX_VPN): New State: CONNECT_REQUIRED
*Mar 1 17:53:09.941: EZVPN(XXX_VPN): Current State: CONNECT_REQUIRED
*Mar 1 17:53:09.941: EZVPN(XXX_VPN): Event: CONNECT
*Mar 1 17:53:09.941: EZVPN(XXX_VPN): ezvpn_connect_request
*Mar 1 17:53:09.941: EZVPN(XXX_VPN): Found valid peer 203.170.236.194
*Mar 1 17:53:09.941: EZVPN(XXX_VPN): Added PSK for address 203.170.236.194
*Mar 1 17:53:09.945: EzVPN(XXX_VPN): sleep jitter delay 1149
*Mar 1 17:53:11.095: EZVPN(XXX_VPN): New State: READY
*Mar 1 17:53:11.371: EZVPN(XXX_VPN): Current State: READY
*Mar 1 17:53:11.371: EZVPN(XXX_VPN): Event: IKE_PFS
*Mar 1 17:53:11.371: EZVPN(XXX_VPN): No state change
*Mar 1 17:53:11.379: EZVPN(XXX_VPN): Current State: READY
*Mar 1 17:53:11.379: EZVPN(XXX_VPN): Event: CONN_UP
*Mar 1 17:53:11.379: EZVPN(XXX_VPN): ezvpn_conn_up DDAE2106 7D87DC28 75BE74BB C05C6B77
*Mar 1 17:53:11.383: EZVPN(XXX_VPN): No state change
*Mar 1 17:53:11.391: EZVPN(XXX_VPN): Current State: READY
*Mar 1 17:53:11.391: EZVPN(XXX_VPN): Event: MODE_CONFIG_REPLY
*Mar 1 17:53:11.391: EzVPN(XXX_VPN): rollback skipped! DDAE2106 7D87DC28 75BE74BB C05C6B77
*Mar 1 17:53:11.391: EZVPN(XXX_VPN): ezvpn_parse_mode_config_msg
*Mar 1 17:53:11.391: EZVPN: Attributes sent in message:
*Mar 1 17:53:11.391: Savepwd off
*Mar 1 17:53:11.391: Default Domain: XXX.co.th
*Mar 1 17:53:11.391: EZVPN: Unknown/Unsupported Attr: APPLICATION_VERSION (0x7)
*Mar 1 17:53:11.403: EZVPN(XXX_VPN): ezvpn_mode_config
*Mar 1 17:53:11.403: EZVPN(XXX_VPN): New State: SS_OPEN
*Mar 1 17:53:11.435: EZVPN(XXX_VPN): Current State: SS_OPEN
*Mar 1 17:53:11.435: EZVPN(XXX_VPN): Event: SOCKET_READY
*Mar 1 17:53:11.435: EZVPN(XXX_VPN): No state change
*Mar 1 17:53:28.395: EZVPN(XXX_VPN): Current State: SS_OPEN
*Mar 1 17:53:28.395: EZVPN(XXX_VPN): Event: CONN_DOWN
*Mar 1 17:53:28.395: EZVPN(XXX_VPN): ezvpn_close DDAE2106 7D87DC28 75BE74BB C05C6B77
*Mar 1 17:53:28.399: EZVPN(XXX_VPN): Deleted PSK for address 203.170.236.194
*Mar 1 17:53:28.399: EzVPN(XXX_VPN): rollback skipped!
*Mar 1 17:53:28.399: EZVPN(XXX_VPN): No Connect ACL checking status change
*Mar 1 17:53:28.399: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=XXX_ezvpn Client_public_addr=180.180.122.124 Server_public_addr=203.170.236.194
*Mar 1 17:53:28.399: EZVPN(XXX_VPN): No state change
*Mar 1 17:53:28.407: EZVPN(XXX_VPN): Current State: CONNECT_REQUIRED
*Mar 1 17:53:28.407: EZVPN(XXX_VPN): Event: CONNECT
*Mar 1 17:53:28.407: EZVPN(XXX_VPN): ezvpn_connect_request
*Mar 1 17:53:28.407: EZVPN(XXX_VPN): Found valid peer 203.170.236.194
*Mar 1 17:53:28.407: EZVPN(XXX_VPN): Added PSK for address 203.170.236.194
*Mar 1 17:53:28.407: EzVPN(XXX_VPN): sleep jitter delay 1771
*Mar 1 17:53:30.182: EZVPN(XXX_VPN): New State: READY
*Mar 1 17:53:30.466: EZVPN(XXX_VPN): Current State: READY
*Mar 1 17:53:30.466: EZVPN(XXX_VPN): Event: IKE_PFS
*Mar 1 17:53:30.466: EZVPN(XXX_VPN): No state change
*Mar 1 17:53:30.470: EZVPN(XXX_VPN): Current State: READY
*Mar 1 17:53:30.470: EZVPN(XXX_VPN): Event: CONN_UP
*Mar 1 17:53:30.470: EZVPN(XXX_VPN): ezvpn_conn_up DDAE2106 D39E485D EACEB5B9 072629FD
*Mar 1 17:53:30.474: EZVPN(XXX_VPN): No state change
*Mar 1 17:53:30.482: EZVPN(XXX_VPN): Current State: READY
*Mar 1 17:53:30.482: EZVPN(XXX_VPN): Event: MODE_CONFIG_REPLY
*Mar 1 17:53:30.482: EzVPN(XXX_VPN): rollback skipped! DDAE2106 D39E485D EACEB5B9 072629FD
*Mar 1 17:53:30.482: EZVPN(XXX_VPN): ezvpn_parse_mode_config_msg
*Mar 1 17:53:30.486: EZVPN: Attributes sent in message:
*Mar 1 17:53:30.486: Savepwd off
*Mar 1 17:53:30.486: Default Domain: XXX.co.th
*Mar 1 17:53:30.486: EZVPN: Unknown/Unsupported Attr: APPLICATION_VERSION (0x7)
*Mar 1 17:53:30.498: EZVPN(XXX_VPN): ezvpn_mode_config
*Mar 1 17:53:30.498: EZVPN(XXX_VPN): New State: SS_OPEN
*Mar 1 17:53:30.526: EZVPN(XXX_VPN): Current State: SS_OPEN
*Mar 1 17:53:30.531: EZVPN(XXX_VPN): Event: SOCKET_READY
*Mar 1 17:53:30.531: EZVPN(XXX_VPN): No state change
*Mar 1 17:53:47.498: EZVPN(XXX_VPN): Current State: SS_OPEN
*Mar 1 17:53:47.498: EZVPN(XXX_VPN): Event: CONN_DOWN
*Mar 1 17:53:47.498: EZVPN(XXX_VPN): ezvpn_close DDAE2106 D39E485D EACEB5B9 072629FD
*Mar 1 17:53:47.502: EZVPN(XXX_VPN): Deleted PSK for address 203.170.236.194
*Mar 1 17:53:47.502: EzVPN(XXX_VPN): rollback skipped!
*Mar 1 17:53:47.502: EZVPN(XXX_VPN): No Connect ACL checking status change
*Mar 1 17:53:47.502: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=XXX_ezvpn Client_public_addr=180.180.122.124 Server_public_addr=203.170.236.194
*Mar 1 17:53:47.502: EZVPN(XXX_VPN): No state change
*Mar 1 17:53:47.510: EZVPN(XXX_VPN): Current State: CONNECT_REQUIRED
*Mar 1 17:53:47.510: EZVPN(XXX_VPN): Event: CONNECT
*Mar 1 17:53:47.510: EZVPN(XXX_VPN): ezvpn_connect_request
*Mar 1 17:53:47.510: EZVPN(XXX_VPN): Found valid peer 203.170.236.194
*Mar 1 17:53:47.510: EZVPN(XXX_VPN): Added PSK for address 203.170.236.194
*Mar 1 17:53:47.510: EzVPN(XXX_VPN): sleep jitter delay 1238
*Mar 1 17:53:48.752: EZVPN(XXX_VPN): New State: READY
*Mar 1 17:53:49.033: EZVPN(XXX_VPN): Current State: READY
*Mar 1 17:53:49.033: EZVPN(XXX_VPN): Event: IKE_PFS
*Mar 1 17:53:49.033: EZVPN(XXX_VPN): No state change
*Mar 1 17:53:49.037: EZVPN(XXX_VPN): Current State: READY
*Mar 1 17:53:49.037: EZVPN(XXX_VPN): Event: CONN_UP
*Mar 1 17:53:49.037: EZVPN(XXX_VPN): ezvpn_conn_up DDAE2106 281F6864 1B11B929 28FB9D17
*Mar 1 17:53:49.041: EZVPN(XXX_VPN): No state change
*Mar 1 17:53:49.049: EZVPN(XXX_VPN): Current State: READY
*Mar 1 17:53:49.053: EZVPN(XXX_VPN): Event: MODE_CONFIG_REPLY
*Mar 1 17:53:49.053: EzVPN(XXX_VPN): rollback skipped! DDAE2106 281F6864 1B11B929 28FB9D17
*Mar 1 17:53:49.053: EZVPN(XXX_VPN): ezvpn_parse_mode_config_msg
*Mar 1 17:53:49.053: EZVPN: Attributes sent in message:
*Mar 1 17:53:49.053: Savepwd off
*Mar 1 17:53:49.053: Default Domain: XXX.co.th
*Mar 1 17:53:49.053: EZVPN: Unknown/Unsupported Attr: APPLICATION_VERSION (0x7)
*Mar 1 17:53:49.065: EZVPN(XXX_VPN): ezvpn_mode_config
*Mar 1 17:53:49.069: EZVPN(XXX_VPN): New State: SS_OPEN
*Mar 1 17:53:49.097: EZVPN(XXX_VPN): Current State: SS_OPEN
*Mar 1 17:53:49.097: EZVPN(XXX_VPN): Event: SOCKET_READY
*Mar 1 17:53:49.097: EZVPN(XXX_VPN): No state change
Test-Router(config-if)#
I really appreciate your help...thanks
Polkit
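The reconnect loop in the debug output above can be summarised per connection attempt. The following is an added example, not part of the original posts: it parses `debug crypto ipsec client ezvpn` lines in the format shown and reports how long each attempt stayed up and whether any Xauth event appeared. The sample log, the tunnel name `EXAMPLE_VPN` and the function names are constructed, and matching Xauth events by the prefix `XAUTH` is an assumption.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in the format of the EzVPN debug output posted above
# (tunnel name and timestamps are made up for this example).
SAMPLE = """\
*Mar 1 10:00:00.000: EZVPN(EXAMPLE_VPN): Current State: CONNECT_REQUIRED
*Mar 1 10:00:00.000: EZVPN(EXAMPLE_VPN): Event: CONNECT
*Mar 1 10:00:00.004: EzVPN(EXAMPLE_VPN): sleep jitter delay 1500
*Mar 1 10:00:01.500: EZVPN(EXAMPLE_VPN): New State: READY
*Mar 1 10:00:01.800: EZVPN(EXAMPLE_VPN): Event: CONN_UP
*Mar 1 10:00:01.810: EZVPN(EXAMPLE_VPN): Event: MODE_CONFIG_REPLY
*Mar 1 10:00:01.820: EZVPN(EXAMPLE_VPN): New State: SS_OPEN
*Mar 1 10:00:01.850: EZVPN(EXAMPLE_VPN): Event: SOCKET_READY
*Mar 1 10:00:18.820: EZVPN(EXAMPLE_VPN): Event: CONN_DOWN
*Mar 1 10:00:18.830: EZVPN(EXAMPLE_VPN): Event: CONNECT
*Mar 1 10:00:20.100: EZVPN(EXAMPLE_VPN): New State: READY
*Mar 1 10:00:20.400: EZVPN(EXAMPLE_VPN): Event: CONN_UP
*Mar 1 10:00:20.420: EZVPN(EXAMPLE_VPN): New State: SS_OPEN
"""

# Timestamp, tunnel name, then either an event or a state transition.
# Lines such as "sleep jitter delay" or "No state change" do not match.
LINE = re.compile(
    r"^\*?\w{3}\s+\d+\s+(\d+):(\d+):(\d+)\.(\d+):\s+E[Zz]VPN\(([^)]+)\):\s+"
    r"(Event|New State):\s+(.+?)\s*$"
)
DAY_MS = 86_400_000


@dataclass
class Attempt:
    tunnel: str
    started_ms: int
    events: List[str] = field(default_factory=list)
    states: List[str] = field(default_factory=list)
    up_ms: Optional[int] = None
    down_ms: Optional[int] = None

    @property
    def xauth_seen(self) -> bool:
        # Assumption: Xauth-related events carry an "XAUTH" prefix.
        return any(e.startswith("XAUTH") for e in self.events)

    @property
    def held_ms(self) -> Optional[int]:
        # Time between CONN_UP and CONN_DOWN; modulo covers a midnight wrap.
        if self.up_ms is None or self.down_ms is None:
            return None
        return (self.down_ms - self.up_ms) % DAY_MS

    @property
    def last_state(self) -> Optional[str]:
        return self.states[-1] if self.states else None


def analyze(text: str) -> List[Attempt]:
    """Split the debug log into attempts, one per 'Event: CONNECT'."""
    attempts: List[Attempt] = []
    current = {}  # tunnel name -> attempt in progress
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        h, mi, s, frac, tunnel, kind, value = m.groups()
        t = ((int(h) * 60 + int(mi)) * 60 + int(s)) * 1000 + int(frac[:3].ljust(3, "0"))
        if kind == "Event" and value == "CONNECT":
            current[tunnel] = Attempt(tunnel, t)
            attempts.append(current[tunnel])
            continue
        a = current.get(tunnel)
        if a is None:
            continue  # lines before the first CONNECT are not part of an attempt
        if kind == "Event":
            a.events.append(value)
            if value == "CONN_UP" and a.up_ms is None:
                a.up_ms = t
            elif value == "CONN_DOWN":
                a.down_ms = t
        else:
            a.states.append(value)
    return attempts


def findings(a: Attempt) -> List[str]:
    """Human-readable observations for one attempt."""
    out = []
    if not a.xauth_seen:
        out.append("no Xauth event logged")
    if a.held_ms is not None:
        out.append(f"CONN_DOWN {a.held_ms / 1000:.1f}s after CONN_UP, last state {a.last_state}")
    elif a.up_ms is not None:
        out.append(f"still up at end of capture, last state {a.last_state}")
    return out


if __name__ == "__main__":
    for i, att in enumerate(analyze(SAMPLE), 1):
        print(f"attempt {i} ({att.tunnel}): " + "; ".join(findings(att)))
```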
10-09-2012 01:52 AM
Hello Polkit,
Can we have debug crypto isakmp output as well during the change in the dialer?
sorry for a lot of outputs
Harish.
10-09-2012 02:08 AM
Harish,
That's not a problem..I know it's kinda confusing LOL to me as well...
*Mar 1 18:22:25.182: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
*Mar 1 18:22:25.182: ISAKMP: Created a peer struct for 203.170.236.194, peer port 500
*Mar 1 18:22:26.624: ISAKMP:(0): SA request profile is (NULL)
*Mar 1 18:22:26.624: ISAKMP: Found a peer struct for 203.170.236.194, peer port 500
*Mar 1 18:22:26.624: ISAKMP: Locking peer struct 0x85F0413C, refcount 1 for isakmp_initiator
*Mar 1 18:22:26.624: ISAKMP:(0):Setting client config settings 85168FA0
*Mar 1 18:22:26.624: ISAKMP: local port 500, remote port 500
*Mar 1 18:22:26.624: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 860B4FD8
*Mar 1 18:22:26.628: ISAKMP:(0): client mode configured.
*Mar 1 18:22:26.628: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Mar 1 18:22:26.628: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Mar 1 18:22:26.628: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Mar 1 18:22:26.749: ISKAMP: growing send buffer from 1024 to 3072
*Mar 1 18:22:26.749: ISAKMP:(0):SA is doing pre-shared key authentication plus XAUTH using id type ID_KEY_ID
*Mar 1 18:22:26.749: ISAKMP (0:0): ID payload
next-payload : 13
type : 11
group id : XXX_ezvpn
protocol : 17
port : 0
length : 17
*Mar 1 18:22:26.749: ISAKMP:(0):Total payload length: 17
*Mar 1 18:22:26.749: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_AM
*Mar 1 18:22:26.753: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_AM1
*Mar 1 18:22:26.753: ISAKMP:(0): beginning Aggressive Mode exchange
*Mar 1 18:22:26.753: ISAKMP:(0): sending packet to 203.170.236.194 my_port 500 peer_port 500 (I) AG_INIT_EXCH
*Mar 1 18:22:26.765: ISAKMP (0:0): received packet from 203.170.236.194 dport 500 sport 500 Global (I) AG_INIT_EXCH
*Mar 1 18:22:26.765: ISAKMP:(0): processing SA payload. message ID = 0
*Mar 1 18:22:26.769: ISAKMP:(0): processing ID payload. message ID = 0
*Mar 1 18:22:26.769: ISAKMP (0:0): ID payload
next-payload : 8
type : 1
address : 203.170.236.194
protocol : 17
port : 0
length : 12
*Mar 1 18:22:26.769: ISAKMP:(0):: peer matches *none* of the profiles
*Mar 1 18:22:26.769: ISAKMP:(0): processing vendor id payload
*Mar 1 18:22:26.769: ISAKMP:(0): vendor ID is Unity
*Mar 1 18:22:26.769: ISAKMP:(0): processing vendor id payload
*Mar 1 18:22:26.769: ISAKMP:(0): vendor ID seems Unity/DPD but major 215 mismatch
*Mar 1 18:22:26.769: ISAKMP:(0): vendor ID is XAUTH
*Mar 1 18:22:26.769: ISAKMP:(0): processing vendor id payload
*Mar 1 18:22:26.769: ISAKMP:(0): vendor ID is DPD
*Mar 1 18:22:26.773: ISAKMP:(0): local preshared key found
*Mar 1 18:22:26.773: ISAKMP : Scanning profiles for xauth ...
*Mar 1 18:22:26.773: ISAKMP:(0): Authentication by xauth preshared
*Mar 1 18:22:26.773: ISAKMP:(0):Checking ISAKMP transform 17 against priority 65515 policy
*Mar 1 18:22:26.773: ISAKMP: encryption 3DES-CBC
*Mar 1 18:22:26.773: ISAKMP: hash SHA
*Mar 1 18:22:26.773: ISAKMP: default group 2
*Mar 1 18:22:26.773: ISAKMP: auth pre-share
*Mar 1 18:22:26.773: ISAKMP: life type in seconds
*Mar 1 18:22:26.773: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Mar 1 18:22:26.773: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Mar 1 18:22:26.773: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Mar 1 18:22:26.773: ISAKMP:(0):Checking ISAKMP transform 17 against priority 65516 policy
*Mar 1 18:22:26.777: ISAKMP: encryption 3DES-CBC
*Mar 1 18:22:26.777: ISAKMP: hash SHA
*Mar 1 18:22:26.777: ISAKMP: default group 2
*Mar 1 18:22:26.777: ISAKMP: auth pre-share
*Mar 1 18:22:26.777: ISAKMP: life type in seconds
*Mar 1 18:22:26.777: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Mar 1 18:22:26.777: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Mar 1 18:22:26.777: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Mar 1 18:22:26.777: ISAKMP:(0):Checking ISAKMP transform 17 against priority 65517 policy
*Mar 1 18:22:26.777: ISAKMP: encryption 3DES-CBC
*Mar 1 18:22:26.777: ISAKMP: hash SHA
*Mar 1 18:22:26.777: ISAKMP: default group 2
*Mar 1 18:22:26.777: ISAKMP: auth pre-share
*Mar 1 18:22:26.777: ISAKMP: life type in seconds
*Mar 1 18:22:26.777: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Mar 1 18:22:26.781: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Mar 1 18:22:26.781: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Mar 1 18:22:26.781: ISAKMP:(0):Checking ISAKMP transform 17 against priority 65518 policy
*Mar 1 18:22:26.781: ISAKMP: encryption 3DES-CBC
*Mar 1 18:22:26.781: ISAKMP: hash SHA
*Mar 1 18:22:26.781: ISAKMP: default group 2
*Mar 1 18:22:26.781: ISAKMP: auth pre-share
*Mar 1 18:22:26.781: ISAKMP: life type in seconds
*Mar 1 18:22:26.781: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Mar 1 18:22:26.781: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Mar 1 18:22:26.781: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Mar 1 18:22:26.781: ISAKMP:(0):Checking ISAKMP transform 17 against priority 65519 policy
*Mar 1 18:22:26.781: ISAKMP: encryption 3DES-CBC
*Mar 1 18:22:26.781: ISAKMP: hash SHA
*Mar 1 18:22:26.785: ISAKMP: default group 2
*Mar 1 18:22:26.785: ISAKMP: auth pre-share
*Mar 1 18:22:26.785: ISAKMP: life type in seconds
*Mar 1 18:22:26.785: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Mar 1 18:22:26.785: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Mar 1 18:22:26.785: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Mar 1 18:22:26.785: ISAKMP:(0):Checking ISAKMP transform 17 against priority 65520 policy
*Mar 1 18:22:26.785: ISAKMP: encryption 3DES-CBC
*Mar 1 18:22:26.785: ISAKMP: hash SHA
*Mar 1 18:22:26.785: ISAKMP: default group 2
*Mar 1 18:22:26.785: ISAKMP: auth pre-share
*Mar 1 18:22:26.785: ISAKMP: life type in seconds
*Mar 1 18:22:26.785: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Mar 1 18:22:26.785: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Mar 1 18:22:26.789: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Mar 1 18:22:26.789: ISAKMP:(0):Checking ISAKMP transform 17 against priority 65521 policy
*Mar 1 18:22:26.789: ISAKMP: encryption 3DES-CBC
*Mar 1 18:22:26.789: ISAKMP: hash SHA
*Mar 1 18:22:26.789: ISAKMP: default group 2
*Mar 1 18:22:26.789: ISAKMP: auth pre-share
*Mar 1 18:22:26.789: ISAKMP: life type in seconds
*Mar 1 18:22:26.789: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Mar 1 18:22:26.789: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Mar 1 18:22:26.789: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Mar 1 18:22:26.789: ISAKMP:(0):Checking ISAKMP transform 17 against priority 65522 policy
*Mar 1 18:22:26.789: ISAKMP: encryption 3DES-CBC
*Mar 1 18:22:26.789: ISAKMP: hash SHA
*Mar 1 18:22:26.789: ISAKMP: default group 2
*Mar 1 18:22:26.789: ISAKMP: auth pre-share
*Mar 1 18:22:26.789: ISAKMP: life type in seconds
*Mar 1 18:22:26.789: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Mar 1 18:22:26.793: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Mar 1 18:22:26.793: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Mar 1 18:22:26.793: ISAKMP:(0):Checking ISAKMP transform 17 against priority 65523 policy
*Mar 1 18:22:26.793: ISAKMP: encryption 3DES-CBC
*Mar 1 18:22:26.793: ISAKMP: hash SHA
*Mar 1 18:22:26.793: ISAKMP: default group 2
*Mar 1 18:22:26.793: ISAKMP: auth pre-share
*Mar 1 18:22:26.793: ISAKMP: life type in seconds
*Mar 1 18:22:26.793: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Mar 1 18:22:26.793: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Mar 1 18:22:26.793: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Mar 1 18:22:26.793: ISAKMP:(0):Checking ISAKMP transform 17 against priority 65524 policy
*Mar 1 18:22:26.793: ISAKMP: encryption 3DES-CBC
*Mar 1 18:22:26.793: ISAKMP: hash SHA
*Mar 1 18:22:26.793: ISAKMP: default group 2
*Mar 1 18:22:26.793: ISAKMP: auth pre-share
*Mar 1 18:22:26.793: ISAKMP: life type in seconds
*Mar 1 18:22:26.793: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Mar 1 18:22:26.797: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Mar 1 18:22:26.797: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Mar 1 18:22:26.797: ISAKMP:(0):Checking ISAKMP transform 17 against priority 65525 policy
*Mar 1 18:22:26.797: ISAKMP: encryption 3DES-CBC
*Mar 1 18:22:26.797: ISAKMP: hash SHA
*Mar 1 18:22:26.797: ISAKMP: default group 2
*Mar 1 18:22:26.797: ISAKMP: auth pre-share
*Mar 1 18:22:26.797: ISAKMP: life type in seconds
*Mar 1 18:22:26.797: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Mar 1 18:22:26.797: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Mar 1 18:22:26.797: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Mar 1 18:22:26.797: ISAKMP:(0):Checking ISAKMP transform 17 against priority 65526 policy
*Mar 1 18:22:26.797: ISAKMP: encryption 3DES-CBC
*Mar 1 18:22:26.797: ISAKMP: hash SHA
*Mar 1 18:22:26.797: ISAKMP: default group 2
*Mar 1 18:22:26.797: ISAKMP: auth pre-share
*Mar 1 18:22:26.797: ISAKMP: life type in seconds
*Mar 1 18:22:26.797: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Mar 1 18:22:26.801: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Mar 1 18:22:26.801: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Mar 1 18:22:26.801: ISAKMP:(0):Checking ISAKMP transform 17 against priority 65527 policy
*Mar 1 18:22:26.801: ISAKMP: encryption 3DES-CBC
*Mar 1 18:22:26.801: ISAKMP: hash SHA
*Mar 1 18:22:26.801: ISAKMP: default group 2
*Mar 1 18:22:26.801: ISAKMP: auth pre-share
*Mar 1 18:22:26.801: ISAKMP: life type in seconds
*Mar 1 18:22:26.801: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Mar 1 18:22:26.801: ISAKMP:(0):Authentication method offered does not match policy!
*Mar 1 18:22:26.801: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Mar 1 18:22:26.801: ISAKMP:(0):Checking ISAKMP transform 17 against priority 65528 policy
*Mar 1 18:22:26.801: ISAKMP: encryption 3DES-CBC
*Mar 1 18:22:26.801: ISAKMP: hash SHA
*Mar 1 18:22:26.801: ISAKMP: default group 2
*Mar 1 18:22:26.801: ISAKMP: auth pre-share
*Mar 1 18:22:26.801: ISAKMP: life type in seconds
*Mar 1 18:22:26.801: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Mar 1 18:22:26.805: ISAKMP:(0):Hash algorithm offered does not match policy!
*Mar 1 18:22:26.805: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Mar 1 18:22:26.805: ISAKMP:(0):Checking ISAKMP transform 17 against priority 65529 policy
*Mar 1 18:22:26.805: ISAKMP: encryption 3DES-CBC
*Mar 1 18:22:26.805: ISAKMP: hash SHA
*Mar 1 18:22:26.805: ISAKMP: default group 2
*Mar 1 18:22:26.805: ISAKMP: auth pre-share
*Mar 1 18:22:26.805: ISAKMP: life type in seconds
*Mar 1 18:22:26.805: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Mar 1 18:22:26.805: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Mar 1 18:22:26.805: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Mar 1 18:22:26.805: ISAKMP:(0):Checking ISAKMP transform 17 against priority 65530 policy
*Mar 1 18:22:26.805: ISAKMP: encryption 3DES-CBC
*Mar 1 18:22:26.805: ISAKMP: hash SHA
*Mar 1 18:22:26.805: ISAKMP: default group 2
*Mar 1 18:22:26.805: ISAKMP: auth pre-share
*Mar 1 18:22:26.805: ISAKMP: life type in seconds
*Mar 1 18:22:26.805: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Mar 1 18:22:26.809: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Mar 1 18:22:26.809: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Mar 1 18:22:26.809: ISAKMP:(0):Checking ISAKMP transform 17 against priority 65531 policy
*Mar 1 18:22:26.809: ISAKMP: encryption 3DES-CBC
*Mar 1 18:22:26.809: ISAKMP: hash SHA
*Mar 1 18:22:26.809: ISAKMP: default group 2
*Mar 1 18:22:26.809: ISAKMP: auth pre-share
*Mar 1 18:22:26.809: ISAKMP: life type in seconds
*Mar 1 18:22:26.809: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Mar 1 18:22:26.809: ISAKMP:(0):atts are acceptable. Next payload is 0
*Mar 1 18:22:26.809: ISAKMP:(0): processing KE payload. message ID = 0
*Mar 1 18:22:26.953: ISAKMP:(0): processing NONCE payload. message ID = 0
*Mar 1 18:22:26.957: ISAKMP:(1329): processing HASH payload. message ID = 0
*Mar 1 18:22:26.957: ISAKMP:(1329): vendor ID is NAT-T v2
*Mar 1 18:22:26.957: ISAKMP:received payload type 20
*Mar 1 18:22:26.957: ISAKMP:received payload type 20
*Mar 1 18:22:26.957: ISAKMP:(1329):SA authentication status:
authenticated
*Mar 1 18:22:26.957: ISAKMP:(1329):SA has been authenticated with 203.170.236.194
*Mar 1 18:22:26.957: ISAKMP:(1329):IKE_DPD is enabled, initializing timers
*Mar 1 18:22:26.957: ISAKMP:(1329):Send initial contact
*Mar 1 18:22:26.961: ISAKMP:(1329): sending packet to 203.170.236.194 my_port 500 peer_port 500 (I) AG_INIT_EXCH
*Mar 1 18:22:26.961: ISAKMP:(1329):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
*Mar 1 18:22:26.961: ISAKMP:(1329):Old State = IKE_I_AM1 New State = IKE_P1_COMPLETE
*Mar 1 18:22:26.965: ISAKMP:(1329):Need config/address
*Mar 1 18:22:26.965: ISAKMP: set new node 608190535 to CONF_ADDR
*Mar 1 18:22:26.965: ISAKMP: Sending APPLICATION_VERSION string: Cisco IOS Software, C2600 Software (C2600-ADVIPSERVICESK9-M), Version 12.4(4)T, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2005 by Cisco Systems, Inc.
Compiled Wed 26-Oct-05 21:54 by ccai
*Mar 1 18:22:26.969: ISAKMP:(1329): initiating peer config to 203.170.236.194. ID = 608190535
*Mar 1 18:22:26.969: ISAKMP:(1329): sending packet to 203.170.236.194 my_port 500 peer_port 500 (I) CONF_ADDR
*Mar 1 18:22:26.973: ISAKMP:(1329):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Mar 1 18:22:26.973: ISAKMP:(1329):Old State = IKE_P1_COMPLETE New State = IKE_CONFIG_MODE_REQ_SENT
*Mar 1 18:22:26.981: ISAKMP (0:1329): received packet from 203.170.236.194 dport 500 sport 500 Global (I) CONF_ADDR
*Mar 1 18:22:26.981: ISAKMP:(1329):processing transaction payload from 203.170.236.194. message ID = 608190535
*Mar 1 18:22:26.985: ISAKMP: Config payload REPLY
*Mar 1 18:22:26.985: ISAKMP(0:1329) process config reply
*Mar 1 18:22:26.985: ISAKMP:(1329):deleting node 608190535 error FALSE reason "Transaction mode done"
*Mar 1 18:22:26.985: ISAKMP:(1329):Input = IKE_MESG_FROM_PEER, IKE_CFG_REPLY
*Mar 1 18:22:26.985: ISAKMP:(1329):Old State = IKE_CONFIG_MODE_REQ_SENT New State = IKE_P1_COMPLETE
*Mar 1 18:22:27.009: ISAKMP: set new node 0 to QM_IDLE
*Mar 1 18:22:27.013: ISAKMP:(1329):beginning Quick Mode exchange, M-ID of -1547246263
*Mar 1 18:22:27.017: ISKAMP: growing send buffer from 1024 to 3072
*Mar 1 18:22:27.025: ISAKMP:(1329): sending packet to 203.170.236.194 my_port 500 peer_port 500 (I) QM_IDLE
*Mar 1 18:22:27.025: ISAKMP:(1329):Node -1547246263, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Mar 1 18:22:27.029: ISAKMP:(1329):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
*Mar 1 18:22:27.029: ISAKMP:(1329):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Mar 1 18:22:27.029: ISAKMP:(1329):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Mar 1 18:22:30.086: ISAKMP:(1327):purging SA., sa=85F658C0, delme=85F658C0
*Mar 1 18:22:30.743: ISAKMP:(1328):purging node -500002571
*Mar 1 18:22:30.743: ISAKMP:(1328):purging node -1753021632
*Mar 1 18:22:34.974: ISAKMP (0:1329): received packet from 203.170.236.194 dport 500 sport 500 Global (I) QM_IDLE
*Mar 1 18:22:34.974: ISAKMP:(1329): phase 2 packet is a duplicate of a previous packet.
*Mar 1 18:22:34.974: ISAKMP:(1329): retransmitting due to retransmit phase 2
*Mar 1 18:22:34.974: ISAKMP:(1329): retransmitting phase 2 QM_IDLE 608190535 ...
*Mar 1 18:22:35.475: ISAKMP:(1329): retransmitting phase 2 QM_IDLE 608190535 ...
*Mar 1 18:22:35.475: ISAKMP (0:1329): incrementing error counter on node, attempt 1 of 5: retransmit phase 2
*Mar 1 18:22:35.475: ISAKMP (0:1329): incrementing error counter on sa, attempt 1 of 5: retransmit phase 2
*Mar 1 18:22:35.475: ISAKMP:(1329): retransmitting phase 2 608190535 QM_IDLE
*Mar 1 18:22:35.475: ISAKMP:(1329): sending packet to 203.170.236.194 my_port 500 peer_port 500 (I) QM_IDLE
*Mar 1 18:22:35.483: ISAKMP (0:1329): received packet from 203.170.236.194 dport 500 sport 500 Global (I) QM_IDLE
*Mar 1 18:22:35.483: ISAKMP:(1329): phase 2 packet is a duplicate of a previous packet.
*Mar 1 18:22:35.483: ISAKMP:(1329): retransmission skipped for phase 2 (time since last transmission 8)
*Mar 1 18:22:37.025: ISAKMP:(1329): retransmitting phase 2 QM_IDLE -1547246263 ...
*Mar 1 18:22:37.025: ISAKMP (0:1329): incrementing error counter on node, attempt 1 of 5: retransmit phase 2
*Mar 1 18:22:37.025: ISAKMP (0:1329): incrementing error counter on sa, attempt 2 of 5: retransmit phase 2
*Mar 1 18:22:37.025: ISAKMP:(1329): retransmitting phase 2 -1547246263 QM_IDLE
*Mar 1 18:22:37.025: ISAKMP:(1329): sending packet to 203.170.236.194 my_port 500 peer_port 500 (I) QM_IDLE
*Mar 1 18:22:40.744: ISAKMP:(1328):purging SA., sa=85EE3FE0, delme=85EE3FE0
*Mar 1 18:22:43.484: ISAKMP (0:1329): received packet from 203.170.236.194 dport 500 sport 500 Global (I) QM_IDLE
*Mar 1 18:22:43.484: ISAKMP:(1329): phase 2 packet is a duplicate of a previous packet.
*Mar 1 18:22:43.484: ISAKMP:(1329): retransmitting due to retransmit phase 2
*Mar 1 18:22:43.484: ISAKMP:(1329): retransmitting phase 2 QM_IDLE 608190535 ...
*Mar 1 18:22:43.985: ISAKMP:(1329): retransmitting phase 2 QM_IDLE 608190535 ...
*Mar 1 18:22:43.985: ISAKMP (0:1329): incrementing error counter on node, attempt 2 of 5: retransmit phase 2
*Mar 1 18:22:43.985: ISAKMP (0:1329): incrementing error counter on sa, attempt 3 of 5: retransmit phase 2
*Mar 1 18:22:43.985: ISAKMP:(1329): retransmitting phase 2 608190535 QM_IDLE
*Mar 1 18:22:43.985: ISAKMP:(1329): sending packet to 203.170.236.194 my_port 500 peer_port 500 (I) QM_IDLE
*Mar 1 18:22:43.993: ISAKMP (0:1329): received packet from 203.170.236.194 dport 500 sport 500 Global (I) QM_IDLE
*Mar 1 18:22:43.997: ISAKMP: set new node 1136963526 to QM_IDLE
*Mar 1 18:22:43.997: ISAKMP:(1329): processing HASH payload. message ID = 1136963526
*Mar 1 18:22:43.997: ISAKMP:(1329): processing DELETE payload. message ID = 1136963526
*Mar 1 18:22:43.997: ISAKMP:(1329):peer does not do paranoid keepalives.
*Mar 1 18:22:43.997: ISAKMP:(1329):deleting SA reason "No reason" state (I) QM_IDLE (peer 203.170.236.194)
*Mar 1 18:22:43.997: ISAKMP:(1329):deleting node 1136963526 error FALSE reason "Informational (in) state 1"
*Mar 1 18:22:44.001: ISAKMP: set new node 1045494720 to QM_IDLE
*Mar 1 18:22:44.001: ISAKMP:(1329): sending packet to 203.170.236.194 my_port 500 peer_port 500 (I) QM_IDLE
*Mar 1 18:22:44.005: ISAKMP:(1329):purging node 1045494720
*Mar 1 18:22:44.005: ISAKMP:(1329):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Mar 1 18:22:44.005: ISAKMP:(1329):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA
*Mar 1 18:22:44.009: ISAKMP:(1329):deleting SA reason "No reason" state (I) QM_IDLE (peer 203.170.236.194)
*Mar 1 18:22:44.009: ISAKMP: Unlocking peer struct 0x85F0413C for isadb_mark_sa_deleted(), count 0
*Mar 1 18:22:44.009: ISAKMP: Deferring peer node 85F0413C deletion, by peer_reap as there are other users 4
*Mar 1 18:22:44.013: ISAKMP:(1329):deleting node 608190535 error FALSE reason "IKE deleted"
*Mar 1 18:22:44.013: ISAKMP:(1329):deleting node -1547246263 error FALSE reason "IKE deleted"
*Mar 1 18:22:44.013: ISAKMP:(1329):deleting node 1136963526 error FALSE reason "IKE deleted"
*Mar 1 18:22:44.013: ISAKMP:(1329):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar 1 18:22:44.013: ISAKMP:(1329):Old State = IKE_DEST_SA New State = IKE_DEST_SA
*Mar 1 18:22:44.017: ISAKMP: Deleting peer node by peer_reap for 203.170.236.194: 85F0413C
*Mar 1 18:22:44.017: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=XXX_ezvpn Client_public_addr=180.180.122.124 Server_public_addr=203.170.236.194
*Mar 1 18:22:44.025: ISAKMP:(1329):peer does not do paranoid keepalives.
*Mar 1 18:22:44.025: ISAKMP: Created a peer struct for 203.170.236.194, peer port 500
*Mar 1 18:22:45.231: ISAKMP:(0): SA request profile is (NULL)
*Mar 1 18:22:45.231: ISAKMP: Found a peer struct for 203.170.236.194, peer port 500
*Mar 1 18:22:45.231: ISAKMP: Locking peer struct 0x85FAEFC0, refcount 1 for isakmp_initiator
*Mar 1 18:22:45.231: ISAKMP:(0):Setting client config settings 85F0413C
*Mar 1 18:22:45.231: ISAKMP: local port 500, remote port 500
*Mar 1 18:22:45.231: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 85F24F50
*Mar 1 18:22:45.235: ISAKMP:(0): client mode configured.
*Mar 1 18:22:45.235: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Mar 1 18:22:45.235: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Mar 1 18:22:45.235: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Mar 1 18:22:45.351: ISKAMP: growing send buffer from 1024 to 3072
*Mar 1 18:22:45.355: ISAKMP:(0):SA is doing pre-shared key authentication plus XAUTH using id type ID_KEY_ID
*Mar 1 18:22:45.355: ISAKMP (0:0): ID payload
next-payload : 13
type : 11
group id : XXX_ezvpn
protocol : 17
port : 0
length : 17
*Mar 1 18:22:45.355: ISAKMP:(0):Total payload length: 17
*Mar 1 18:22:45.355: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_AM
*Mar 1 18:22:45.355: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_AM1
*Mar 1 18:22:45.355: ISAKMP:(0): beginning Aggressive Mode exchange
*Mar 1 18:22:45.355: ISAKMP:(0): sending packet to 203.170.236.194 my_port 500 peer_port 500 (I) AG_INIT_EXCH
*Mar 1 18:22:45.371: ISAKMP (0:0): received packet from 203.170.236.194 dport 500 sport 500 Global (I) AG_INIT_EXCH
*Mar 1 18:22:45.371: ISAKMP:(0): processing SA payload. message ID = 0
*Mar 1 18:22:45.371: ISAKMP:(0): processing ID payload. message ID = 0
*Mar 1 18:22:45.375: ISAKMP (0:0): ID payload
next-payload : 8
type : 1
address : 203.170.236.194
protocol : 17
port : 0
length : 12
*Mar 1 18:22:45.375: ISAKMP:(0):: peer matches *none* of the profiles
*Mar 1 18:22:45.375: ISAKMP:(0): processing vendor id payload
*Mar 1 18:22:45.375: ISAKMP:(0): vendor ID is Unity
*Mar 1 18:22:45.375: ISAKMP:(0): processing vendor id payload
*Mar 1 18:22:45.375: ISAKMP:(0): vendor ID seems Unity/DPD but major 215 mismatch
*Mar 1 18:22:45.375: ISAKMP:(0): vendor ID is XAUTH
*Mar 1 18:22:45.375: ISAKMP:(0): processing vendor id payload
*Mar 1 18:22:45.375: ISAKMP:(0): vendor ID is DPD
*Mar 1 18:22:45.375: ISAKMP:(0): local preshared key found
*Mar 1 18:22:45.379: ISAKMP : Scanning profiles for xauth ...
*Mar 1 18:22:45.379: ISAKMP:(0): Authentication by xauth preshared
*Mar 1 18:22:45.379: ISAKMP:(0):Checking ISAKMP transform 17 against priority 65515 policy
*Mar 1 18:22:45.379: ISAKMP: encryption 3DES-CBC
*Mar 1 18:22:45.379: ISAKMP: hash SHA
*Mar 1 18:22:45.379: ISAKMP: default group 2
*Mar 1 18:22:45.379: ISAKMP: auth pre-share
*Mar 1 18:22:45.379: ISAKMP: life type in seconds
*Mar 1 18:22:45.379: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Mar 1 18:22:45.379: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Mar 1 18:22:45.379: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Mar 1 18:22:45.379: ISAKMP:(0):Checking ISAKMP transform 17 against priority 65516 policy
*Mar 1 18:22:45.379: ISAKMP: encryption 3DES-CBC
*Mar 1 18:22:45.379: ISAKMP: hash SHA
*Mar 1 18:22:45.379: ISAKMP: default group 2
*Mar 1 18:22:45.379: ISAKMP: auth pre-share
*Mar 1 18:22:45.383: ISAKMP: life type in seconds
*Mar 1 18:22:45.383: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Mar 1 18:22:45.383: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Mar 1 18:22:45.383: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Mar 1 18:22:45.383: ISAKMP:(0):Checking ISAKMP transform 17 against priority 65517 policy
*Mar 1 18:22:45.383: ISAKMP: encryption 3DES-CBC
*Mar 1 18:22:45.383: ISAKMP: hash SHA
*Mar 1 18:22:45.383: ISAKMP: default group 2
*Mar 1 18:22:45.383: ISAKMP: auth pre-share
*Mar 1 18:22:45.383: ISAKMP: life type in seconds
*Mar 1 18:22:45.383: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Mar 1 18:22:45.383: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Mar 1 18:22:45.383: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Mar 1 18:22:45.383: ISAKMP:(0):Checking ISAKMP transform 17 against priority 65518 policy
*Mar 1 18:22:45.387: ISAKMP: encryption 3DES-CBC
*Mar 1 18:22:45.387: ISAKMP: hash SHA
*Mar 1 18:22:45.387: ISAKMP: default group 2
*Mar 1 18:22:45.387: ISAKMP: auth pre-share
*Mar 1 18:22:45.387: ISAKMP: life type in seconds
*Mar 1 18:22:45.387: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Mar 1 18:22:45.387: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Mar 1 18:22:45.387: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Mar 1 18:22:45.387: ISAKMP:(0):Checking ISAKMP transform 17 against priority 65519 policy
*Mar 1 18:22:45.387: ISAKMP: encryption 3DES-CBC
*Mar 1 18:22:45.387: ISAKMP: hash SHA
*Mar 1 18:22:45.387: ISAKMP: default group 2
*Mar 1 18:22:45.387: ISAKMP: auth pre-share
*Mar 1 18:22:45.387: ISAKMP: life type in seconds
*Mar 1 18:22:45.387: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Mar 1 18:22:45.391: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Mar 1 18:22:45.391: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Mar 1 18:22:45.391: ISAKMP:(0):Checking ISAKMP transform 17 against priority 65520 policy
*Mar 1 18:22:45.391: ISAKMP: encryption 3DES-CBC
*Mar 1 18:22:45.391: ISAKMP: hash SHA
*Mar 1 18:22:45.391: ISAKMP: default group 2
*Mar 1 18:22:45.391: ISAKMP: auth pre-share
*Mar 1 18:22:45.391: ISAKMP: life type in seconds
*Mar 1 18:22:45.391: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Mar 1 18:22:45.391: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Mar 1 18:22:45.391: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Mar 1 18:22:45.391: ISAKMP:(0):Checking ISAKMP transform 17 against priority 65521 policy
*Mar 1 18:22:45.391: ISAKMP: encryption 3DES-CBC
*Mar 1 18:22:45.391: ISAKMP: hash SHA
*Mar 1 18:22:45.395: ISAKMP: default group 2
*Mar 1 18:22:45.395: ISAKMP: auth pre-share
*Mar 1 18:22:45.395: ISAKMP: life type in seconds
*Mar 1 18:22:45.395: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Mar 1 18:22:45.395: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Mar 1 18:22:45.395: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Mar 1 18:22:45.395: ISAKMP:(0):Checking ISAKMP transform 17 against priority 65522 policy
*Mar 1 18:22:45.395: ISAKMP: encryption 3DES-CBC
*Mar 1 18:22:45.395: ISAKMP: hash SHA
*Mar 1 18:22:45.395: ISAKMP: default group 2
*Mar 1 18:22:45.395: ISAKMP: auth pre-share
*Mar 1 18:22:45.395: ISAKMP: life type in seconds
*Mar 1 18:22:45.395: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Mar 1 18:22:45.395: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Mar 1 18:22:45.395: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Mar 1 18:22:45.395: ISAKMP:(0):Checking ISAKMP transform 17 against priority 65523 policy
*Mar 1 18:22:45.399: ISAKMP: encryption 3DES-CBC
*Mar 1 18:22:45.399: ISAKMP: hash SHA
*Mar 1 18:22:45.399: ISAKMP: default group 2
*Mar 1 18:22:45.399: ISAKMP: auth pre-share
*Mar 1 18:22:45.399: ISAKMP: life type in seconds
*Mar 1 18:22:45.399: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Mar 1 18:22:45.399: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Mar 1 18:22:45.399: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Mar 1 18:22:45.399: ISAKMP:(0):Checking ISAKMP transform 17 against priority 65524 policy
*Mar 1 18:22:45.399: ISAKMP: encryption 3DES-CBC
*Mar 1 18:22:45.399: ISAKMP: hash SHA
*Mar 1 18:22:45.399: ISAKMP: default group 2
*Mar 1 18:22:45.399: ISAKMP: auth pre-share
*Mar 1 18:22:45.399: ISAKMP: life type in seconds
*Mar 1 18:22:45.399: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Mar 1 18:22:45.399: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Mar 1 18:22:45.399: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Mar 1 18:22:45.403: ISAKMP:(0):Checking ISAKMP transform 17 against priority 65525 policy
*Mar 1 18:22:45.403: ISAKMP: encryption 3DES-CBC
*Mar 1 18:22:45.403: ISAKMP: hash SHA
*Mar 1 18:22:45.403: ISAKMP: default group 2
*Mar 1 18:22:45.403: ISAKMP: auth pre-share
*Mar 1 18:22:45.403: ISAKMP: life type in seconds
*Mar 1 18:22:45.403: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Mar 1 18:22:45.403: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Mar 1 18:22:45.403: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Mar 1 18:22:45.403: ISAKMP:(0):Checking ISAKMP transform 17 against priority 65526 policy
*Mar 1 18:22:45.403: ISAKMP: encryption 3DES-CBC
*Mar 1 18:22:45.403: ISAKMP: hash SHA
*Mar 1 18:22:45.403: ISAKMP: default group 2
*Mar 1 18:22:45.403: ISAKMP: auth pre-share
*Mar 1 18:22:45.403: ISAKMP: life type in seconds
*Mar 1 18:22:45.403: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Mar 1 18:22:45.403: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Mar 1 18:22:45.403: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Mar 1 18:22:45.407: ISAKMP:(0):Checking ISAKMP transform 17 against priority 65527 policy
*Mar 1 18:22:45.407: ISAKMP: encryption 3DES-CBC
*Mar 1 18:22:45.407: ISAKMP: hash SHA
*Mar 1 18:22:45.407: ISAKMP: default group 2
*Mar 1 18:22:45.407: ISAKMP: auth pre-share
*Mar 1 18:22:45.407: ISAKMP: life type in seconds
*Mar 1 18:22:45.407: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Mar 1 18:22:45.407: ISAKMP:(0):Authentication method offered does not match policy!
*Mar 1 18:22:45.407: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Mar 1 18:22:45.407: ISAKMP:(0):Checking ISAKMP transform 17 against priority 65528 policy
*Mar 1 18:22:45.407: ISAKMP: encryption 3DES-CBC
*Mar 1 18:22:45.407: ISAKMP: hash SHA
*Mar 1 18:22:45.407: ISAKMP: default group 2
*Mar 1 18:22:45.407: ISAKMP: auth pre-share
*Mar 1 18:22:45.407: ISAKMP: life type in seconds
*Mar 1 18:22:45.407: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Mar 1 18:22:45.407: ISAKMP:(0):Hash algorithm offered does not match policy!
*Mar 1 18:22:45.411: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Mar 1 18:22:45.411: ISAKMP:(0):Checking ISAKMP transform 17 against priority 65529 policy
*Mar 1 18:22:45.411: ISAKMP: encryption 3DES-CBC
*Mar 1 18:22:45.411: ISAKMP: hash SHA
*Mar 1 18:22:45.411: ISAKMP: default group 2
*Mar 1 18:22:45.411: ISAKMP: auth pre-share
*Mar 1 18:22:45.411: ISAKMP: life type in seconds
*Mar 1 18:22:45.411: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Mar 1 18:22:45.411: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Mar 1 18:22:45.411: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Mar 1 18:22:45.411: ISAKMP:(0):Checking ISAKMP transform 17 against priority 65530 policy
*Mar 1 18:22:45.411: ISAKMP: encryption 3DES-CBC
*Mar 1 18:22:45.411: ISAKMP: hash SHA
*Mar 1 18:22:45.411: ISAKMP: default group 2
*Mar 1 18:22:45.411: ISAKMP: auth pre-share
*Mar 1 18:22:45.411: ISAKMP: life type in seconds
*Mar 1 18:22:45.411: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Mar 1 18:22:45.415: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Mar 1 18:22:45.415: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Mar 1 18:22:45.415: ISAKMP:(0):Checking ISAKMP transform 17 against priority 65531 policy
*Mar 1 18:22:45.415: ISAKMP: encryption 3DES-CBC
*Mar 1 18:22:45.415: ISAKMP: hash SHA
*Mar 1 18:22:45.415: ISAKMP: default group 2
*Mar 1 18:22:45.415: ISAKMP: auth pre-share
*Mar 1 18:22:45.415: ISAKMP: life type in seconds
*Mar 1 18:22:45.415: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Mar 1 18:22:45.415: ISAKMP:(0):atts are acceptable. Next payload is 0
*Mar 1 18:22:45.415: ISAKMP:(0): processing KE payload. message ID = 0
*Mar 1 18:22:45.559: ISAKMP:(0): processing NONCE payload. message ID = 0
*Mar 1 18:22:45.563: ISAKMP:(1330): processing HASH payload. message ID = 0
*Mar 1 18:22:45.563: ISAKMP:(1330): vendor ID is NAT-T v2
*Mar 1 18:22:45.563: ISAKMP:received payload type 20
*Mar 1 18:22:45.563: ISAKMP:received payload type 20
*Mar 1 18:22:45.567: ISAKMP:(1330):SA authentication status:
authenticated
*Mar 1 18:22:45.567: ISAKMP:(1330):SA has been authenticated with 203.170.236.194
*Mar 1 18:22:45.567: ISAKMP:(1330):IKE_DPD is enabled, initializing timers
*Mar 1 18:22:45.567: ISAKMP:(1330):Send initial contact
*Mar 1 18:22:45.567: ISAKMP:(1330): sending packet to 203.170.236.194 my_port 500 peer_port 500 (I) AG_INIT_EXCH
*Mar 1 18:22:45.572: ISAKMP:(1330):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
*Mar 1 18:22:45.572: ISAKMP:(1330):Old State = IKE_I_AM1 New State = IKE_P1_COMPLETE
Thanks
Polkit
10-09-2012 02:24 AM
Hello Polkit,
OK, this says that ISAKMP phase 1 is completed, and ideally the next step is xauth, and we should receive the following message in debug:
*Jun 3 05:59:27.479: ISAKMP (0:2006): received packet from dport 500 sport 500 Global (I) CONF_XAUTH
*Jun 3 05:59:27.483: ISAKMP: set new node 850198625 to CONF_XAUTH
*Jun 3 05:59:27.487: ISAKMP:(2006):processing transaction payload from 172.16.186.186. message ID = -1517216966
*Jun 3 05:59:27.487: ISAKMP: Config payload REQUEST
*Jun 3 05:59:27.487: ISAKMP:(2006):checking request:
*Jun 3 05:59:27.487: ISAKMP: XAUTH_USER_NAME_V2
*Jun 3 05:59:27.487: ISAKMP: XAUTH_USER_PASSWORD_V2
*Jun 3 05:59:27.487: ISAKMP:(2006):Xauth process request
*Jun 3 05:59:27.487: ISAKMP:(2006):Input = IKE_MESG_FROM_PEER, IKE_CFG_REQUEST
*Jun 3 05:59:27.487: ISAKMP:(2006):Old State = IKE_P1_COMPLETE New State = IKE_XAUTH_REPLY_AWAIT
and in the console you should see
*Jun 3 05:59:30.242: EZVPN(ez): Pending XAuth Request, Please enter the following command:
*Jun 3 05:59:30.242: EZVPN: crypto ipsec client ezvpn xauth
and at that time we have to enter 'crypto ipsec client ezvpn xauth' for entering the username and password.
Is it possible for you to remove and re-add the crypto map interface configuration on your ASA, as follows?
no crypto map
crypto map
Please note that it will reset other connected VPNs.
harish.
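An added example, not part of any post in this thread: a small Python parser that reads ISAKMP debug lines like those posted above and reports, per SA, how far the negotiation got. The sample lines are excerpted from the debug output in this thread; the stage labels (`phase1_complete`, `phase2_stalled`, and so on) are names chosen for this example, not IOS terms.

```python
import re

# Lines excerpted from the debug output posted earlier in this thread.
SAMPLE = """\
*Mar 1 18:22:26.985: ISAKMP:(1329):Old State = IKE_CONFIG_MODE_REQ_SENT New State = IKE_P1_COMPLETE
*Mar 1 18:22:27.013: ISAKMP:(1329):beginning Quick Mode exchange, M-ID of -1547246263
*Mar 1 18:22:35.475: ISAKMP (0:1329): incrementing error counter on sa, attempt 1 of 5: retransmit phase 2
*Mar 1 18:22:37.025: ISAKMP (0:1329): incrementing error counter on sa, attempt 2 of 5: retransmit phase 2
*Mar 1 18:22:43.985: ISAKMP (0:1329): incrementing error counter on sa, attempt 3 of 5: retransmit phase 2
*Mar 1 18:22:43.997: ISAKMP:(1329): processing DELETE payload. message ID = 1136963526
*Mar 1 18:22:44.005: ISAKMP:(1329):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA
*Mar 1 18:22:45.379: ISAKMP:(0):Checking ISAKMP transform 17 against priority 65515 policy
*Mar 1 18:22:45.379: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Mar 1 18:22:45.415: ISAKMP:(0):Checking ISAKMP transform 17 against priority 65531 policy
*Mar 1 18:22:45.415: ISAKMP:(0):atts are acceptable. Next payload is 0
*Mar 1 18:22:45.572: ISAKMP:(1330):Old State = IKE_I_AM1 New State = IKE_P1_COMPLETE
"""

# The SA id is printed as "ISAKMP:(1329)" or "ISAKMP (0:1329)" in this log.
SA_RE = re.compile(r"ISAKMP\s*:?\s*\((?:0:)?(\d+)\)")
STATE_RE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
RETRY_RE = re.compile(r"error counter on sa, attempt (\d+) of \d+")
PRIO_RE = re.compile(r"against priority (\d+) policy")


def summarize(log):
    """Collect per-SA progress and the outcome of policy matching."""
    sas = {}
    policy = {"rejected": 0, "accepted_priority": None}
    prio = None
    for line in log.splitlines():
        m = SA_RE.search(line)
        if not m:
            continue
        p = PRIO_RE.search(line)
        if p:
            prio = int(p.group(1))
        elif "does not match policy" in line:
            policy["rejected"] += 1
        elif "atts are acceptable" in line:
            policy["accepted_priority"] = prio
        if m.group(1) == "0":  # in this log, id 0 appears before an SA number is assigned
            continue
        sa = sas.setdefault(m.group(1), {"p1_complete": False, "qm_started": False,
                                         "retransmits": 0, "peer_delete": False})
        s = STATE_RE.search(line)
        if s and s.group(2) == "IKE_P1_COMPLETE":
            sa["p1_complete"] = True
        if "beginning Quick Mode exchange" in line:
            sa["qm_started"] = True
        r = RETRY_RE.search(line)
        if r:
            sa["retransmits"] = max(sa["retransmits"], int(r.group(1)))
        if "processing DELETE payload" in line:
            sa["peer_delete"] = True
    return {"sas": sas, "policy": policy}


def stage(sa):
    """Name the furthest point an SA reached (labels are this example's own)."""
    if not sa["p1_complete"]:
        return "phase1_incomplete"
    if not sa["qm_started"]:
        return "phase1_complete"
    return "phase2_stalled" if sa["retransmits"] else "phase2_started"
```

On the excerpt, SA 1329 comes out as `phase2_stalled` with the peer sending DELETE, while SA 1330 has only reached `phase1_complete`.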
10-09-2012 02:34 AM
Harish,
LOL, that's what I'm going to do as well, reset the crypto map on the ASA. However, it's going to take a little bit of time to do that. I'll get back to you with the output ASAP. By the way, I have a question about xauth: do we have to enter the username and password all the time? Can I do something like auto-activation of xauth on the 2651 so I don't have to enter the username and password every time the crypto is reset?
Thanks,
Polkit
10-09-2012 02:40 AM
Hello Polkit,
You can do this by changing the client setting as follows, if it supports that, and also please make sure that you have that username and password in the global configuration:
username XXXXXXX password YYYYYYY
crypto ipsec client ezvpn XXX_VPN
xauth userid mode local
Harish
10-09-2012 03:03 AM
Hello Harish,
I already reset the crypto map on the ASA, unfortunately it doesn't work, everything is still the same LOL. So I show crypto isa sa on the ASA and it shows
37 IKE Peer: 180.180.122.69
Type : user Role : responder
Rekey : no State : AM_TM_INIT_MODECFG_V6H
I tried to search the Internet but still didn't get anything on that.
Thanks
Polkit