09-29-2014 01:28 AM
Hi,
I could not establish a site-to-site VPN between Cisco and Checkpoint. Can you check the logs please?
Thanks.
*Sep 29 08:17:22.627: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= Y.Y.Y.Y:500, remote= X.X.X.X:500,
local_proxy= 192.168.222.0/255.255.255.0/256/0,
remote_proxy= 10.0.10.0/255.255.255.0/256/0,
protocol= ESP, transform= esp-aes 256 esp-sha-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
*Sep 29 08:17:22.631: ISAKMP:(0): SA request profile is (NULL)
*Sep 29 08:17:22.631: ISAKMP: Created a peer struct for X.X.X.X, peer port 500
*Sep 29 08:17:22.631: ISAKMP: New peer created peer = 0x88AD1AB0 peer_handle = 0x80000004
*Sep 29 08:17:22.631: ISAKMP: Locking peer struct 0x88AD1AB0, refcount 1 for isakmp_initiator
*Sep 29 08:17:22.631: ISAKMP: local port 500, remote port 500
*Sep 29 08:17:22.631: ISAKMP: set new node 0 to QM_IDLE
*Sep 29 08:17:22.631: ISAKMP:(0):insert sa successfully sa = 88AF7D94
*Sep 29 08:17:22.631: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Sep 29 08:17:22.631: ISAKMP:(0):found peer pre-shared key matching X.X.X.X
*Sep 29 08:17:22.631: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Sep 29 08:17:22.631: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Sep 29 08:17:22.631: ISAKMP:(0): constructed NAT-T vendor-03 IDexit
Router(config)#n
*Sep 29 08:17:22.631: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Sep 29 08:17:22.631: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Sep 29 08:17:22.631: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
*Sep 29 08:17:22.631: ISAKMP:(0): beginning Main Mode exchange
*Sep 29 08:17:22.631: ISAKMP:(0): sending packet to X.X.X.X my_port 500 peer_port 500 (I) MM_NO_STATE
*Sep 29 08:17:22.631: ISAKMP:(0):Sending an IKE IPv4 Packet.o
*Sep 29 08:17:32.631: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Sep 29 08:17:32.631: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Sep 29 08:17:32.631: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Sep 29 08:17:32.631: ISAKMP:(0): sending packet to X.X.X.X my_port 500 peer_port 500 (I) MM_NO_STATE
*Sep 29 08:17:32.631: ISAKMP:(0):Sending an IKE IPvaccess-lists CPVPN
*Sep 29 08:17:42.631: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Sep 29 08:17:42.631: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Sep 29 08:17:42.631: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Sep 29 08:17:42.631: ISAKMP:(0): sending packet to X.X.X.X my_port 500 peer_port 500 (I) MM_NO_STATE
*Sep 29 08:17:42.631: ISAKMP:(0):Sending an IKE IPv4 Packet...
*Sep 29 08:17:52.627: IPSEC(key_engine): request timer fired: count = 1,
(identity) local= Y.Y.Y.Y:0, remote= X.X.X.X:0,
local_proxy= 192.168.222.0/255.255.255.0/256/0,
remote_proxy= 10.0.10.0/255.255.255.0/256/0
*Sep 29 08:17:52.627: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= Y.Y.Y.Y:500, remote= X.X.X.X:500,
local_proxy= 192.168.222.0/255.255.255.0/256/0,
remote_proxy= 10.0.10.0/255.255.255.0/256/0,
protocol= ESP, transform= esp-aes 256 esp-sha-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
*Sep 29 08:17:52.627: ISAKMP: set new node 0 to QM_IDLE
*Sep 29 08:17:52.627: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local Y.Y.Y.Y, remote X.X.X.X)
*Sep 29 08:17:52.627: ISAKMP: Error while processing SA request: Failed to initialize SA
*Sep 29 08:17:52.627: ISAKMP: Error while processing KMI message 0, error 2.
*Sep 29 08:17:52.631: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Sep 29 08:17:52.631: ISAKMP (0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
*Sep 29 08:17:52.631: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Sep 29 08:17:52.631: ISAKMP:(0): sending packet to X.X.X.X my_port 500 peer_port 500 (I) MM_NO_STATE
*Sep 29 08:17:52.631: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Sep 29 08:18:02.631: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Sep 29 08:18:02.631: ISAKMP (0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
*Sep 29 08:18:02.631: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Sep 29 08:18:02.631: ISAKMP:(0): sending packet to X.X.X.X my_port 500 peer_port 500 (I) MM_NO_STATE
*Sep 29 08:18:02.631: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Sep 29 08:18:12.631: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Sep 29 08:18:12.631: ISAKMP (0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
*Sep 29 08:18:12.631: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Sep 29 08:18:12.631: ISAKMP:(0): sending packet to X.X.X.X my_port 500 peer_port 500 (I) MM_NO_STATE
*Sep 29 08:18:12.631: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Sep 29 08:18:22.627: IPSEC(key_engine): request timer fired: count = 2,
(identity) local= Y.Y.Y.Y:0, remote= X.X.X.X:0,
local_proxy= 192.168.222.0/255.255.255.0/256/0,
remote_proxy= 10.0.10.0/255.255.255.0/256/0
*Sep 29 08:18:22.631: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Sep 29 08:18:22.631: ISAKMP:(0):peer does not do paranoid keepalives.
*Sep 29 08:18:22.631: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer X.X.X.X)
*Sep 29 08:18:22.631: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer X.X.X.X)
*Sep 29 08:18:22.631: ISAKMP: Unlocking peer struct 0x88AD1AB0 for isadb_mark_sa_deleted(), count 0
*Sep 29 08:18:22.631: ISAKMP: Deleting peer node by peer_reap for X.X.X.X: 88AD1AB0
*Sep 29 08:18:22.631: ISAKMP:(0):deleting node -930113685 error FALSE reason "IKE deleted"
*Sep 29 08:18:22.631: ISAKMP:(0):deleting node 661004686 error FALSE reason "IKE deleted"
*Sep 29 08:18:22.631: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Sep 29 08:18:22.631: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_DEST_SA
*Sep 29 08:18:22.631: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Sep 29 08:18:27.559: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= Y.Y.Y.Y:500, remote= X.X.X.X:500,
local_proxy= 192.168.222.0/255.255.255.0/256/0,
remote_proxy= 10.0.10.0/255.255.255.0/256/0,
protocol= ESP, transform= esp-aes 256 esp-sha-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
*Sep 29 08:18:27.559: ISAKMP:(0): SA request profile is (NULL)
*Sep 29 08:18:27.559: ISAKMP: Created a peer struct for X.X.X.X, peer port 500
*Sep 29 08:18:27.559: ISAKMP: New peer created peer = 0x85EDF1F0 peer_handle = 0x80000005
*Sep 29 08:18:27.559: ISAKMP: Locking peer struct 0x85EDF1F0, refcount 1 for isakmp_initiator
*Sep 29 08:18:27.559: ISAKMP: local port 500, remote port 500
*Sep 29 08:18:27.559: ISAKMP: set new node 0 to QM_IDLE
*Sep 29 08:18:27.559: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 88C1CE60
*Sep 29 08:18:27.559: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Sep 29 08:18:27.559: ISAKMP:(0):found peer pre-shared key matching X.X.X.X
*Sep 29 08:18:27.559: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Sep 29 08:18:27.559: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Sep 29 08:18:27.559: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Sep 29 08:18:27.559: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Sep 29 08:18:27.559: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Sep 29 08:18:27.559: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
*Sep 29 08:18:27.559: ISAKMP:(0): beginning Main Mode exchange
*Sep 29 08:18:27.559: ISAKMP:(0): sending packet to X.X.X.X my_port 500 peer_port 500 (I) MM_NO_STATE
*Sep 29 08:18:27.559: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Sep 29 08:18:37.559: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Sep 29 08:18:37.559: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Sep 29 08:18:37.559: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Sep 29 08:18:37.559: ISAKMP:(0): sending packet to X.X.X.X my_port 500 peer_port 500 (I) MM_NO_STATE
*Sep 29 08:18:37.559: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Sep 29 08:18:47.559: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Sep 29 08:18:47.559: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Sep 29 08:18:47.559: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Sep 29 08:18:47.559: ISAKMP:(0): sending packet to X.X.X.X my_port 500 peer_port 500 (I) MM_NO_STATE
*Sep 29 08:18:47.559: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Sep 29 08:18:57.559: IPSEC(key_engine): request timer fired: count = 1,
(identity) local= Y.Y.Y.Y:0, remote= X.X.X.X:0,
local_proxy= 192.168.222.0/255.255.255.0/256/0,
remote_proxy= 10.0.10.0/255.255.255.0/256/0
*Sep 29 08:18:57.559: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= Y.Y.Y.Y:500, remote= X.X.X.X:500,
local_proxy= 192.168.222.0/255.255.255.0/256/0,
remote_proxy= 10.0.10.0/255.255.255.0/256/0,
protocol= ESP, transform= esp-aes 256 esp-sha-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
*Sep 29 08:18:57.559: ISAKMP: set new node 0 to QM_IDLE
*Sep 29 08:18:57.559: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local Y.Y.Y.Y, remote X.X.X.X)
*Sep 29 08:18:57.559: ISAKMP: Error while processing SA request: Failed to initialize SA
*Sep 29 08:18:57.559: ISAKMP: Error while processing KMI message 0, error 2.
*Sep 29 08:18:57.559: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Sep 29 08:18:57.559: ISAKMP (0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
*Sep 29 08:18:57.559: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Sep 29 08:18:57.559: ISAKMP:(0): sending packet to X.X.X.X my_port 500 peer_port 500 (I) MM_NO_STATE
Router#
Router#
*Sep 29 08:18:57.559: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Sep 29 08:19:07.559: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Sep 29 08:19:07.559: ISAKMP (0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
*Sep 29 08:19:07.559: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Sep 29 08:19:07.559: ISAKMP:(0): sending packet to X.X.X.X my_port 500 peer_port 500 (I) MM_NO_STATE
*Sep 29 08:19:07.559: ISAKMP:(0):Sending an IKE IPv4 Packet.
Router#
Router#un all
All possible debugging has been turned off
09-29-2014 08:29 AM
The log indicates main mode setup is failing. See if this helps: http://www.itcertnotes.com/2011/04/ipsec-stuck-in-mmsasetup-and-mmnostate.html
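Added example, not part of the original thread: a small Python summarizer for `debug crypto isakmp` output like the log above, which counts packets sent and received per Main Mode attempt so a one-sided exchange stands out. The sample is constructed from the format of the posted lines, and the `received packet from` pattern is an assumption about how IOS logs an inbound IKE packet.

```python
import re

# Constructed sample in the format of the debug output posted above
# (one initiator attempt; peer address left as the page's placeholder).
SEND = "ISAKMP:(0): sending packet to X.X.X.X my_port 500 peer_port 500 (I) MM_NO_STATE"
SAMPLE = "\n".join(
    ["*Sep 29 08:17:22.631: ISAKMP:(0): beginning Main Mode exchange",
     f"*Sep 29 08:17:22.631: {SEND}"]
    + [f"*Sep 29 {t}.631: ISAKMP (0): incrementing error counter on sa, "
       f"attempt {n} of 5: retransmit phase 1\n*Sep 29 {t}.631: {SEND}"
       for n, t in enumerate(("08:17:32", "08:17:42", "08:17:52",
                              "08:18:02", "08:18:12"), start=1)]
    + ['*Sep 29 08:18:22.631: ISAKMP:(0):deleting SA reason '
       '"Death by retransmission P1" state (I) MM_NO_STATE (peer X.X.X.X)'])

SENT = re.compile(r"sending packet to (\S+) .*\((?:I|R)\) (\w+)")
RECV = re.compile(r"received packet from (\S+)")  # assumed inbound-packet format
RETRY = re.compile(r"attempt (\d+) of (\d+): retransmit phase 1")
DEAD = re.compile(r'deleting SA reason "([^"]+)"')

def summarize_phase1(log_text):
    """Return one dict per Main Mode attempt found in the debug text."""
    attempts, cur = [], None
    for line in log_text.splitlines():
        if "beginning Main Mode exchange" in line:
            cur = {"peer": None, "sent": 0, "received": 0, "retries": 0,
                   "state": None, "end_reason": None}
            attempts.append(cur)
        if cur is None:
            continue  # ignore lines before the first attempt starts
        if m := SENT.search(line):
            cur["peer"], cur["state"] = m.group(1), m.group(2)
            cur["sent"] += 1
        elif RECV.search(line):
            cur["received"] += 1
        elif m := RETRY.search(line):
            cur["retries"] = max(cur["retries"], int(m.group(1)))
        elif m := DEAD.search(line):
            cur["end_reason"] = m.group(1)
    return attempts

def verdict(a):
    """Classify an attempt: did the peer ever answer the first Main Mode packet?"""
    if a["sent"] and not a["received"] and a["state"] == "MM_NO_STATE":
        return "no reply to MM1"
    return "peer responded"

if __name__ == "__main__":
    for a in summarize_phase1(SAMPLE):
        print(a, "->", verdict(a))
```

A "no reply to MM1" verdict means the router never saw an answer to its first Main Mode packet, so the place to look is UDP/500 reachability between the gateways and whether the peer is configured to accept IKE from this address.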