02-04-2016 07:58 AM
Hi
Having this issue for a few days now. Initial VPN connection works and everything is ok for an hour or so. When the VPN drops out the ASA does not reconnect the VPN.
Cisco Adaptive Security Appliance Software Version 8.2(5)58
Device Manager Version 7.5(1)90
Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024KB
VPN initial connection after system startup.
# sh crypto isakmp sa
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: xx.xx.xx.xx
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
# show vpn-sessiondb l2l
Session Type: LAN-to-LAN
Connection : xx.xx.xx.xx
Index : 1 IP Addr : xx.xx.xx.xx
Protocol : IKE IPsec
Encryption : 3DES Hashing : MD5
Bytes Tx : 362664 Bytes Rx : 3636746
Login Time : 16:23:40 UTC Thu Feb 4 2016
Duration : 0h:08m:43s
#
When the VPN drops, the state does not get beyond MM_WAIT_MSG2
# sh crypto isakmp sa
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: xx.xx.xx.xx
Type : user Role : initiator
Rekey : no State : MM_WAIT_MSG2
#
Reconnection attempt log details are attached in ASA-logs.txt
VPN config
object-group network PALO_VPN
network-object 10.21.0.0 255.255.0.0
network-object 10.29.0.0 255.255.0.0
access-list VPNtoHQ extended permit ip 10.10.10.0 255.255.255.0 object-group PALO_VPN
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 86400
crypto ipsec security-association lifetime kilobytes 4608000
crypto map VPN 1 match address VPNtoHQ
crypto map VPN 1 set pfs
crypto map VPN 1 set peer xx.xx.xx.xx
crypto map VPN 1 set transform-set ESP-3DES-MD5
crypto map VPN 1 set security-association lifetime seconds 86400
crypto map VPN 1 set security-association lifetime kilobytes 4608000
crypto map VPN interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption aes
 hash md5
 group 1
 lifetime 86400
crypto isakmp policy 50
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto isakmp policy 70
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 90
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 110
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
ssl encryption 3des-sha1 aes128-sha1 aes256-sha1
tunnel-group xx.xx.xx.xx type ipsec-l2l
tunnel-group xx.xx.xx.xx ipsec-attributes
 pre-shared-key **removed**
The peer is a Palo Alto with many other VPNs successfully connected and no issues with reconnections.
ASA has also been replaced but not made a difference.
Palo logs also attached (palo-logs.jpg). Palo fails when trying to initiate P1, and the ASA does not get a response when trying to initiate P1.
When the VPN drops on the ASA, the Palo keeps trying to send data over the VPN.
VPNs on Palo and ASA have been rebuilt but no difference - all settings confirmed to match on each end.
Any ideas?
Thanks
Iain
02-04-2016 10:03 AM
Hi Taggart2004,
MM_WAITING_MSG2 normally means that you have a connectivity issue between the peers on udp500/4500.
When this issue is happening you can set up a capture on the outside interface in order to find out if traffic is flowing both ways:
capture test interface outside match ip host (ASApeerip) host (PALOpeerip)
Hope this helps you find the problem.
-JP-
02-10-2016 03:50 AM
Hi JP
Thanks for your reply. Still stuck on the rekey, even if the timeout is an hour or 24 hours. On rekey the VPN goes down and fails to re-establish the link.
All timeouts have since been removed.
This is the output from the capture
107 packets captured
1: 12:34:48.774511 802.1Q vlan#2 P0 (ASApeerip).22 > (PALOpeerip).8743: P 4128557007:4128557075(68) ack 3615896712 win 32768
2: 12:34:48.801151 802.1Q vlan#2 P0 (PALOpeerip).8743 > (ASApeerip).22: . ack 4128557007 win 64384
3: 12:34:48.853303 802.1Q vlan#2 P0 (PALOpeerip).8743 > (ASApeerip).22: . ack 4128557075 win 64316
4: 12:34:49.196706 802.1Q vlan#2 P0 (PALOpeerip) > (ASApeerip): ip-proto-50, length 100
5: 12:34:49.660396 802.1Q vlan#2 P0 (PALOpeerip).8743 > (ASApeerip).22: P 3615896712:3615896764(52) ack 4128557075 win 64316
6: 12:34:49.660457 802.1Q vlan#2 P0 (ASApeerip).22 > (PALOpeerip).8743: . ack 3615896764 win 32768
7: 12:34:49.662029 802.1Q vlan#2 P0 (ASApeerip).22 > (PALOpeerip).8743: P 4128557075:4128557127(52) ack 3615896764 win 32768
8: 12:34:49.663097 802.1Q vlan#2 P0 (ASApeerip).22 > (PALOpeerip).8743: P 4128557127:4128557195(68) ack 3615896764 win 32768
9: 12:34:49.692316 802.1Q vlan#2 P0 (PALOpeerip).8743 > (ASApeerip).22: . ack 4128557195 win 64196
10: 12:34:49.842790 802.1Q vlan#2 P0 (PALOpeerip).8743 > (ASApeerip).22: P 3615896764:3615896816(52) ack 4128557195 win 64196
11: 12:34:49.842836 802.1Q vlan#2 P0 (ASApeerip).22 > (PALOpeerip).8743: . ack 3615896816 win 32768
12: 12:34:49.844301 802.1Q vlan#2 P0 (ASApeerip).22 > (PALOpeerip).8743: P 4128557195:4128557247(52) ack 3615896816 win 32768
13: 12:34:49.845400 802.1Q vlan#2 P0 (ASApeerip).22 > (PALOpeerip).8743: P 4128557247:4128557315(68) ack 3615896816 win 32768
14: 12:34:49.874939 802.1Q vlan#2 P0 (PALOpeerip).8743 > (ASApeerip).22: . ack 4128557315 win 64076
15: 12:34:49.995340 802.1Q vlan#2 P0 (PALOpeerip).8743 > (ASApeerip).22: P 3615896816:3615896868(52) ack 4128557315 win 64076
16: 12:34:49.995386 802.1Q vlan#2 P0 (ASApeerip).22 > (PALOpeerip).8743: . ack 3615896868 win 32768
17: 12:34:49.996866 802.1Q vlan#2 P0 (ASApeerip).22 > (PALOpeerip).8743: P 4128557315:4128557367(52) ack 3615896868 win 32768
18: 12:34:49.997949 802.1Q vlan#2 P0 (ASApeerip).22 > (PALOpeerip).8743: P 4128557367:4128557435(68) ack 3615896868 win 32768
19: 12:34:50.027525 802.1Q vlan#2 P0 (PALOpeerip).8743 > (ASApeerip).22: . ack 4128557435 win 63956
20: 12:34:50.428963 802.1Q vlan#2 P0 (PALOpeerip) > (ASApeerip): ip-proto-50, length 100
21: 12:34:51.054165 802.1Q vlan#2 P0 (ASApeerip).500 > (PALOpeerip).500: udp 184
22: 12:34:52.193135 802.1Q vlan#2 P0 (PALOpeerip) > (ASApeerip): ip-proto-50, length 100
23: 12:34:52.869614 802.1Q vlan#2 P0 (PALOpeerip) > (ASApeerip): ip-proto-50, length 100
24: 12:34:53.427468 802.1Q vlan#2 P0 (PALOpeerip) > (ASApeerip): ip-proto-50, length 164
25: 12:34:53.443489 802.1Q vlan#2 P0 (PALOpeerip) > (ASApeerip): ip-proto-50, length 164
26: 12:34:53.664287 802.1Q vlan#2 P0 (PALOpeerip).8743 > (ASApeerip).22: P 3615896868:3615896920(52) ack 4128557435 win 63956
27: 12:34:53.664363 802.1Q vlan#2 P0 (ASApeerip).22 > (PALOpeerip).8743: . ack 3615896920 win 32768
28: 12:34:53.665920 802.1Q vlan#2 P0 (ASApeerip).22 > (PALOpeerip).8743: P 4128557435:4128557487(52) ack 3615896920 win 32768
29: 12:34:53.666698 802.1Q vlan#2 P0 (ASApeerip).22 > (PALOpeerip).8743: P 4128557487:4128557539(52) ack 3615896920 win 32768
30: 12:34:53.667445 802.1Q vlan#2 P0 (ASApeerip).22 > (PALOpeerip).8743: P 4128557539:4128557591(52) ack 3615896920 win 32768
31: 12:34:53.668178 802.1Q vlan#2 P0 (ASApeerip).22 > (PALOpeerip).8743: P 4128557591:4128557643(52) ack 3615896920 win 32768
32: 12:34:53.668910 802.1Q vlan#2 P0 (ASApeerip).22 > (PALOpeerip).8743: P 4128557643:4128557695(52) ack 3615896920 win 32768
33: 12:34:53.669643 802.1Q vlan#2 P0 (ASApeerip).22 > (PALOpeerip).8743: P 4128557695:4128557747(52) ack 3615896920 win 32768
34: 12:34:53.670390 802.1Q vlan#2 P0 (ASApeerip).22 > (PALOpeerip).8743: P 4128557747:4128557799(52) ack 3615896920 win 32768
35: 12:34:53.671138 802.1Q vlan#2 P0 (ASApeerip).22 > (PALOpeerip).8743: P 4128557799:4128557851(52) ack 3615896920 win 32768
36: 12:34:53.671870 802.1Q vlan#2 P0 (ASApeerip).22 > (PALOpeerip).8743: P 4128557851:4128557903(52) ack 3615896920 win 32768
37: 12:34:53.672603 802.1Q vlan#2 P0 (ASApeerip).22 > (PALOpeerip).8743: P 4128557903:4128557955(52) ack 3615896920 win 32768
38: 12:34:53.673335 802.1Q vlan#2 P0 (ASApeerip).22 > (PALOpeerip).8743: P 4128557955:4128558007(52) ack 3615896920 win 32768
39: 12:34:53.696375 802.1Q vlan#2 P0 (PALOpeerip).8743 > (ASApeerip).22: . ack 4128557539 win 63852
40: 12:34:53.700372 802.1Q vlan#2 P0 (PALOpeerip).8743 > (ASApeerip).22: . ack 4128557643 win 63748
41: 12:34:53.702371 802.1Q vlan#2 P0 (PALOpeerip).8743 > (ASApeerip).22: . ack 4128557747 win 63644
42: 12:34:53.704431 802.1Q vlan#2 P0 (PALOpeerip).8743 > (ASApeerip).22: . ack 4128557851 win 63540
43: 12:34:53.704477 802.1Q vlan#2 P0 (PALOpeerip) > (ASApeerip): ip-proto-50, length 84
44: 12:34:53.708428 802.1Q vlan#2 P0 (PALOpeerip).8743 > (ASApeerip).22: . ack 4128557955 win 64860
45: 12:34:53.764547 802.1Q vlan#2 P0 (PALOpeerip).8743 > (ASApeerip).22: . ack 4128558007 win 64808
46: 12:34:54.075710 802.1Q vlan#2 P0 (PALOpeerip).8743 > (ASApeerip).22: P 3615896920:3615896972(52) ack 4128558007 win 64808
47: 12:34:54.075771 802.1Q vlan#2 P0 (ASApeerip).22 > (PALOpeerip).8743: . ack 3615896972 win 32768
48: 12:34:54.077251 802.1Q vlan#2 P0 (ASApeerip).22 > (PALOpeerip).8743: P 4128558007:4128558059(52) ack 3615896972 win 32768
49: 12:34:54.079387 802.1Q vlan#2 P0 (ASApeerip).22 > (PALOpeerip).8743: P 4128558059:4128558175(116) ack 3615896972 win 32768
50: 12:34:54.080852 802.1Q vlan#2 P0 (ASApeerip).22 > (PALOpeerip).8743: P 4128558175:4128558275(100) ack 3615896972 win 32768
51: 12:34:54.081843 802.1Q vlan#2 P0 (ASApeerip).22 > (PALOpeerip).8743: P 4128558275:4128558343(68) ack 3615896972 win 32768
52: 12:34:54.107797 802.1Q vlan#2 P0 (PALOpeerip).8743 > (ASApeerip).22: . ack 4128558175 win 64640
53: 12:34:54.111780 802.1Q vlan#2 P0 (PALOpeerip).8743 > (ASApeerip).22: . ack 4128558343 win 64472
54: 12:34:54.190236 802.1Q vlan#2 P0 (PALOpeerip) > (ASApeerip): ip-proto-50, length 100
55: 12:34:54.627622 802.1Q vlan#2 P0 (PALOpeerip).8743 > (ASApeerip).22: P 3615896972:3615897024(52) ack 4128558343 win 64472
56: 12:34:54.627683 802.1Q vlan#2 P0 (ASApeerip).22 > (PALOpeerip).8743: . ack 3615897024 win 32768
57: 12:34:54.629224 802.1Q vlan#2 P0 (ASApeerip).22 > (PALOpeerip).8743: P 4128558343:4128558395(52) ack 3615897024 win 32768
58: 12:34:54.630277 802.1Q vlan#2 P0 (ASApeerip).22 > (PALOpeerip).8743: P 4128558395:4128558463(68) ack 3615897024 win 32768
59: 12:34:54.659755 802.1Q vlan#2 P0 (PALOpeerip).8743 > (ASApeerip).22: . ack 4128558463 win 64352
60: 12:34:54.812229 802.1Q vlan#2 P0 (PALOpeerip).8743 > (ASApeerip).22: P 3615897024:3615897076(52) ack 4128558463 win 64352
61: 12:34:54.812305 802.1Q vlan#2 P0 (ASApeerip).22 > (PALOpeerip).8743: . ack 3615897076 win 32768
62: 12:34:54.813846 802.1Q vlan#2 P0 (ASApeerip).22 > (PALOpeerip).8743: P 4128558463:4128558515(52) ack 3615897076 win 32768
63: 12:34:54.814945 802.1Q vlan#2 P0 (ASApeerip).22 > (PALOpeerip).8743: P 4128558515:4128558583(68) ack 3615897076 win 32768
64: 12:34:54.842485 802.1Q vlan#2 P0 (PALOpeerip).8743 > (ASApeerip).22: . ack 4128558583 win 64232
65: 12:34:54.978754 802.1Q vlan#2 P0 (PALOpeerip).8743 > (ASApeerip).22: P 3615897076:3615897128(52) ack 4128558583 win 64232
66: 12:34:54.978800 802.1Q vlan#2 P0 (ASApeerip).22 > (PALOpeerip).8743: . ack 3615897128 win 32768
67: 12:34:54.980219 802.1Q vlan#2 P0 (ASApeerip).22 > (PALOpeerip).8743: P 4128558583:4128558635(52) ack 3615897128 win 32768
68: 12:34:54.981287 802.1Q vlan#2 P0 (ASApeerip).22 > (PALOpeerip).8743: P 4128558635:4128558703(68) ack 3615897128 win 32768
69: 12:34:55.010955 802.1Q vlan#2 P0 (PALOpeerip).8743 > (ASApeerip).22: . ack 4128558703 win 64112
70: 12:34:55.163489 802.1Q vlan#2 P0 (PALOpeerip).8743 > (ASApeerip).22: P 3615897128:3615897180(52) ack 4128558703 win 64112
71: 12:34:55.163535 802.1Q vlan#2 P0 (ASApeerip).22 > (PALOpeerip).8743: . ack 3615897180 win 32768
72: 12:34:55.165061 802.1Q vlan#2 P0 (ASApeerip).22 > (PALOpeerip).8743: P 4128558703:4128558755(52) ack 3615897180 win 32768
73: 12:34:55.166129 802.1Q vlan#2 P0 (ASApeerip).22 > (PALOpeerip).8743: P 4128558755:4128558823(68) ack 3615897180 win 32768
74: 12:34:55.193608 802.1Q vlan#2 P0 (PALOpeerip).8743 > (ASApeerip).22: . ack 4128558823 win 63992
75: 12:34:56.435936 802.1Q vlan#2 P0 (PALOpeerip) > (ASApeerip): ip-proto-50, length 100
76: 12:34:57.202610 802.1Q vlan#2 P0 (PALOpeerip) > (ASApeerip): ip-proto-50, length 100
77: 12:34:57.862824 802.1Q vlan#2 P0 (PALOpeerip) > (ASApeerip): ip-proto-50, length 100
78: 12:34:58.418832 802.1Q vlan#2 P0 (PALOpeerip) > (ASApeerip): ip-proto-50, length 100
79: 12:34:58.435020 802.1Q vlan#2 P0 (PALOpeerip) > (ASApeerip): ip-proto-50, length 164
80: 12:34:58.567353 802.1Q vlan#2 P0 (PALOpeerip).8743 > (ASApeerip).22: P 3615897180:3615897248(68) ack 4128558823 win 63992
81: 12:34:58.567429 802.1Q vlan#2 P0 (ASApeerip).22 > (PALOpeerip).8743: . ack 3615897248 win 32768
82: 12:34:58.569199 802.1Q vlan#2 P0 (ASApeerip).22 > (PALOpeerip).8743: P 4128558823:4128558875(52) ack 3615897248 win 32768
83: 12:34:58.569947 802.1Q vlan#2 P0 (ASApeerip).22 > (PALOpeerip).8743: P 4128558875:4128558927(52) ack 3615897248 win 32768
84: 12:34:58.570679 802.1Q vlan#2 P0 (ASApeerip).22 > (PALOpeerip).8743: P 4128558927:4128558979(52) ack 3615897248 win 32768
85: 12:34:58.571427 802.1Q vlan#2 P0 (ASApeerip).22 > (PALOpeerip).8743: P 4128558979:4128559031(52) ack 3615897248 win 32768
86: 12:34:58.572159 802.1Q vlan#2 P0 (ASApeerip).22 > (PALOpeerip).8743: P 4128559031:4128559083(52) ack 3615897248 win 32768
87: 12:34:58.572907 802.1Q vlan#2 P0 (ASApeerip).22 > (PALOpeerip).8743: P 4128559083:4128559135(52) ack 3615897248 win 32768
88: 12:34:58.573639 802.1Q vlan#2 P0 (ASApeerip).22 > (PALOpeerip).8743: P 4128559135:4128559187(52) ack 3615897248 win 32768
89: 12:34:58.574387 802.1Q vlan#2 P0 (ASApeerip).22 > (PALOpeerip).8743: P 4128559187:4128559239(52) ack 3615897248 win 32768
90: 12:34:58.575104 802.1Q vlan#2 P0 (ASApeerip).22 > (PALOpeerip).8743: P 4128559239:4128559291(52) ack 3615897248 win 32768
91: 12:34:58.575852 802.1Q vlan#2 P0 (ASApeerip).22 > (PALOpeerip).8743: P 4128559291:4128559343(52) ack 3615897248 win 32768
92: 12:34:58.576584 802.1Q vlan#2 P0 (ASApeerip).22 > (PALOpeerip).8743: P 4128559343:4128559395(52) ack 3615897248 win 32768
93: 12:34:58.577316 802.1Q vlan#2 P0 (ASApeerip).22 > (PALOpeerip).8743: P 4128559395:4128559447(52) ack 3615897248 win 32768
94: 12:34:58.578049 802.1Q vlan#2 P0 (ASApeerip).22 > (PALOpeerip).8743: P 4128559447:4128559499(52) ack 3615897248 win 32768
95: 12:34:58.578781 802.1Q vlan#2 P0 (ASApeerip).22 > (PALOpeerip).8743: P 4128559499:4128559551(52) ack 3615897248 win 32768
96: 12:34:58.579529 802.1Q vlan#2 P0 (ASApeerip).22 > (PALOpeerip).8743: P 4128559551:4128559603(52) ack 3615897248 win 32768
97: 12:34:58.597610 802.1Q vlan#2 P0 (PALOpeerip).8743 > (ASApeerip).22: . ack 4128558927 win 63888
98: 12:34:58.601424 802.1Q vlan#2 P0 (PALOpeerip).8743 > (ASApeerip).22: . ack 4128559031 win 63784
99: 12:34:58.603484 802.1Q vlan#2 P0 (PALOpeerip).8743 > (ASApeerip).22: . ack 4128559135 win 63680
100: 12:34:58.605467 802.1Q vlan#2 P0 (PALOpeerip).8743 > (ASApeerip).22: . ack 4128559239 win 63576
101: 12:34:58.607436 802.1Q vlan#2 P0 (PALOpeerip).8743 > (ASApeerip).22: . ack 4128559343 win 64860
102: 12:34:58.611449 802.1Q vlan#2 P0 (PALOpeerip).8743 > (ASApeerip).22: . ack 4128559447 win 64756
103: 12:34:58.613539 802.1Q vlan#2 P0 (PALOpeerip).8743 > (ASApeerip).22: . ack 4128559551 win 64652
104: 12:34:58.667644 802.1Q vlan#2 P0 (PALOpeerip).8743 > (ASApeerip).22: . ack 4128559603 win 64600
105: 12:34:59.020888 802.1Q vlan#2 P0 (PALOpeerip).8743 > (ASApeerip).22: P 3615897248:3615897300(52) ack 4128559603 win 64600
106: 12:34:59.020949 802.1Q vlan#2 P0 (ASApeerip).22 > (PALOpeerip).8743: . ack 3615897300 win 32768
107: 12:34:59.022490 802.1Q vlan#2 P0 (ASApeerip).22 > (PALOpeerip).8743: P 4128559603:4128559655(52) ack 3615897300 win 32768
108: 12:34:59.023680 802.1Q vlan#2 P0 (ASApeerip).22 > (PALOpeerip).8743: P 4128559655:4128559707(52) ack 3615897300 win 32768
109: 12:34:59.024641 802.1Q vlan#2 P0 (ASApeerip).22 > (PALOpeerip).8743: P 4128559707:4128559775(68) ack 3615897300 win 32768
109 packets shown
This is an output from debug crypto isakmp 200
Feb 10 12:44:59 [IKEv1 DEBUG]: IP = (PALOpeerip), IKE MM Initiator FSM error history (struct &0xc92ffbe8) <state>, <event>: MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
Feb 10 12:44:59 [IKEv1 DEBUG]: IP = (PALOpeerip), IKE SA MM:7407846f terminating: flags 0x01000022, refcnt 0, tuncnt 0
Feb 10 12:44:59 [IKEv1 DEBUG]: IP = (PALOpeerip), sending delete/delete with reason message
Feb 10 12:44:59 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Feb 10 12:44:59 [IKEv1]: IP = (PALOpeerip), IKE Initiator: New Phase 1, Intf inside, IKE Peer (PALOpeerip) local Proxy Address 10.10.10.0, remote Proxy Address 10.29.0.0, Crypto map (outside_map0)
Feb 10 12:44:59 [IKEv1 DEBUG]: IP = (PALOpeerip), constructing ISAKMP SA payload
Feb 10 12:44:59 [IKEv1 DEBUG]: IP = (PALOpeerip), constructing Fragmentation VID + extended capabilities payload
Feb 10 12:44:59 [IKEv1]: IP = (PALOpeerip), IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 184
Feb 10 12:45:02 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Feb 10 12:45:02 [IKEv1]: IP = (PALOpeerip), Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Feb 10 12:45:05 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Feb 10 12:45:05 [IKEv1]: IP = (PALOpeerip), Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Feb 10 12:45:07 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Feb 10 12:45:07 [IKEv1]: IP = (PALOpeerip), Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Feb 10 12:45:07 [IKEv1]: IP = (PALOpeerip), IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 184
Feb 10 12:45:10 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Feb 10 12:45:10 [IKEv1]: IP = (PALOpeerip), Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Feb 10 12:45:11 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Feb 10 12:45:11 [IKEv1]: IP = (PALOpeerip), Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Feb 10 12:45:15 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Feb 10 12:45:15 [IKEv1]: IP = (PALOpeerip), Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Feb 10 12:45:15 [IKEv1]: IP = (PALOpeerip), IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 184
Feb 10 12:45:16 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Feb 10 12:45:16 [IKEv1]: IP = (PALOpeerip), Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Feb 10 12:45:20 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Feb 10 12:45:20 [IKEv1]: IP = (PALOpeerip), Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Feb 10 12:45:21 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Feb 10 12:45:21 [IKEv1]: IP = (PALOpeerip), Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Feb 10 12:45:23 [IKEv1]: IP = (PALOpeerip), IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 184
Feb 10 12:45:24 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Feb 10 12:45:24 [IKEv1]: IP = (PALOpeerip), Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Feb 10 12:45:26 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Feb 10 12:45:26 [IKEv1]: IP = (PALOpeerip), Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Feb 10 12:45:30 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Feb 10 12:45:30 [IKEv1]: IP = (PALOpeerip), Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Feb 10 12:45:31 [IKEv1 DEBUG]: IP = (PALOpeerip), IKE MM Initiator FSM error history (struct &0xc92ffbe8) <state>, <event>: MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
Feb 10 12:45:31 [IKEv1 DEBUG]: IP = (PALOpeerip), IKE SA MM:557dc40c terminating: flags 0x01000022, refcnt 0, tuncnt 0
Feb 10 12:45:31 [IKEv1 DEBUG]: IP = (PALOpeerip), sending delete/delete with reason message
Feb 10 12:45:32 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Feb 10 12:45:32 [IKEv1]: IP = (PALOpeerip), IKE Initiator: New Phase 1, Intf inside, IKE Peer (PALOpeerip) local Proxy Address 10.10.10.0, remote Proxy Address 10.29.0.0, Crypto map (outside_map0)
Feb 10 12:45:32 [IKEv1 DEBUG]: IP = (PALOpeerip), constructing ISAKMP SA payload
Thanks
Iain
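One way to answer the "is traffic flowing both ways" question from ASA capture output, as an added example that is not part of the original thread: it separates IKE (UDP 500/4500) and ESP (IP protocol 50) from unrelated traffic such as the SSH session and counts each direction. The sample lines are constructed in the same format as the capture above, and ASA_PEER and PALO_PEER are placeholder names for the two peer addresses.

```python
import re
from collections import Counter

# Constructed sample in the "show capture" line format quoted in the post above.
# ASA_PEER and PALO_PEER are placeholders for the two public peer addresses.
SAMPLE = """\
   1: 12:34:49.196706 802.1Q vlan#2 P0 PALO_PEER > ASA_PEER: ip-proto-50, length 100
   2: 12:34:49.660396 802.1Q vlan#2 P0 PALO_PEER.8743 > ASA_PEER.22: P 100:152(52) ack 200 win 64316
   3: 12:34:49.660457 802.1Q vlan#2 P0 ASA_PEER.22 > PALO_PEER.8743: . ack 152 win 32768
   4: 12:34:51.054165 802.1Q vlan#2 P0 ASA_PEER.500 > PALO_PEER.500: udp 184
   5: 12:34:52.193135 802.1Q vlan#2 P0 PALO_PEER > ASA_PEER: ip-proto-50, length 100
   6: 12:34:59.054201 802.1Q vlan#2 P0 ASA_PEER.500 > PALO_PEER.500: udp 184
107 packets captured
"""

# index, timestamp, optional VLAN tag, then "src > dst: rest"
LINE = re.compile(
    r"^\s*\d+:\s+\S+\s+(?:802\.1Q vlan#\d+ P\d+\s+)?(\S+) > (\S+): (.*)$"
)

def split_endpoint(endpoint, has_port):
    """Split 'host.port' into (host, port); ESP lines carry bare hosts."""
    if not has_port:
        return endpoint, None
    host, dot, port = endpoint.rpartition(".")
    if not dot or not port.isdigit():
        return endpoint, None
    return host, int(port)

def classify(rest, sport, dport):
    """Label a packet as ESP, IKE or other."""
    if rest.startswith("ip-proto-50"):
        return "ESP"
    # UDP 4500 carries IKE and NAT-T encapsulated ESP; both count as VPN control here.
    if rest.startswith("udp") and {sport, dport} & {500, 4500}:
        return "IKE"
    return "other"

def summarize(text):
    """Count packets per (class, source host, destination host)."""
    counts = Counter()
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # header/footer lines such as "107 packets captured"
        src, dst, rest = m.groups()
        has_port = not rest.startswith("ip-proto-")
        shost, sport = split_endpoint(src, has_port)
        dhost, dport = split_endpoint(dst, has_port)
        counts[(classify(rest, sport, dport), shost, dhost)] += 1
    return counts

def ike_unanswered(counts, local, remote):
    """True when local sent IKE to remote and no IKE came back."""
    return counts[("IKE", local, remote)] > 0 and counts[("IKE", remote, local)] == 0

if __name__ == "__main__":
    counts = summarize(SAMPLE)
    for (kind, src, dst), n in sorted(counts.items()):
        print(f"{kind:5} {src} -> {dst}: {n}")
    print("IKE unanswered:", ike_unanswered(counts, "ASA_PEER", "PALO_PEER"))
```

Narrowing the capture itself to UDP 500/4500 and ESP between the peers keeps management sessions out of the output in the first place.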
02-10-2016 06:50 AM
If the ASA has been replaced and still there is a problem, then maybe it's on the Palo Alto end, especially since the output shows that it cannot complete IKE phase 1. Do both peers have a matching parameter for IKE phase 1? Check that the lifetime settings on the Palo Alto aren't different than the ones on the ASA.