12-22-2011 05:42 AM
Hello,
We are trying to establish a VPN tunnel and we get the message in the subject line. Do you know what it is due to?
Thanks in advance
00:20:40: ISAKMP:(2029):purging node 1377634609
00:20:40: ISAKMP:(2029):purging node -829528593
00:20:49: IPSEC(key_engine): request timer fired: count = 2, (identity) local= 80.33.74.77, remote= 147.84.200.240, local_proxy= 10.166.204.36/255.255.255.255/0/0 (type=1), remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4)
00:20:49: IPSEC(sa_request): , (key eng. msg.) OUTBOUND local= 80.33.74.77, remote= 147.84.200.240, local_proxy= 10.166.204.36/255.255.255.255/0/0 (type=1), remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4), protocol= ESP, transform= esp-aes 256 esp-sha-hmac (Tunnel), lifedur= 3600s and 4608000kb, spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
00:20:49: ISAKMP:(0): SA request profile is (NULL)
00:20:49: ISAKMP: Created a peer struct for 147.84.200.240, peer port 500
00:20:49: ISAKMP: New peer created peer = 0x81F9B410 peer_handle = 0x80000020
00:20:49: ISAKMP: Locking peer struct 0x81F9B410, refcount 1 for isakmp_initiator
00:20:49: ISAKMP: local port 500, remote port 500
00:20:49: ISAKMP: set new node 0 to QM_IDLE
00:20:49: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 82DB798C
00:20:49: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
00:20:49: ISAKMP:(0):found peer pre-shared key matching 147.84.200.240
00:20:49: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
00:20:49: ISAKMP:(0): constructed NAT-T vendor-07 ID
00:20:49: ISAKMP:(0): constructed NAT-T vendor-03 ID
00:20:49: ISAKMP:(0): constructed NAT-T vendor-02 ID
00:20:49: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
00:20:49: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
00:20:49: ISAKMP:(0): beginning Main Mode exchange
00:20:49: ISAKMP:(0): sending packet to 147.84.200.240 my_port 500 peer_port 500 (I) MM_NO_STATE
00:20:49: ISAKMP:(0):Sending an IKE IPv4 Packet.
00:20:50: ISAKMP (0:0): received packet from 147.84.200.240 dport 500 sport 500 Global (I) MM_NO_STATE
00:20:50: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
00:20:50: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2
00:20:50: ISAKMP:(0): processing SA payload. message ID = 0
00:20:50: ISAKMP:(0): processing vendor id payload
00:20:50: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
00:20:50: ISAKMP:(0): vendor ID is NAT-T v2
00:20:50: ISAKMP:(0): processing vendor id payload
00:20:50: ISAKMP:(0): processing IKE frag vendor id payload
00:20:50: ISAKMP:(0):Support for IKE Fragmentation not enabled
00:20:50: ISAKMP:(0):found peer pre-shared key matching 147.84.200.240
00:20:50: ISAKMP:(0): local preshared key found
00:20:50: ISAKMP : Scanning profiles for xauth ...
00:20:50: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
00:20:50: ISAKMP: encryption AES-CBC
00:20:50: ISAKMP: keylength of 256
00:20:50: ISAKMP: hash SHA
00:20:50: ISAKMP: default group 5
00:20:50: ISAKMP: auth pre-share
00:20:50: ISAKMP: life type in seconds
00:20:50: ISAKMP: life duration (basic) of 28800
00:20:50: ISAKMP:(0):atts are acceptable. Next payload is 0
00:20:50: ISAKMP:(0):Acceptable atts:actual life: 0
00:20:50: ISAKMP:(0):Acceptable atts:life: 0
00:20:50: ISAKMP:(0):Basic life_in_seconds:28800
00:20:50: ISAKMP:(0):Returning Actual lifetime: 28800
00:20:50: ISAKMP:(0)::Started lifetime timer: 28800.
00:20:50: ISAKMP:(0): processing vendor id payload
00:20:50: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
00:20:50: ISAKMP:(0): vendor ID is NAT-T v2
00:20:50: ISAKMP:(0): processing vendor id payload
00:20:50: ISAKMP:(0): processing IKE frag vendor id payload
00:20:50: ISAKMP:(0):Support for IKE Fragmentation not enabled
00:20:50: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
00:20:50: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2
00:20:50: ISAKMP:(0): sending packet to 147.84.200.240 my_port 500 peer_port 500 (I) MM_SA_SETUP
00:20:50: ISAKMP:(0):Sending an IKE IPv4 Packet.
00:20:50: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
00:20:50: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3
00:20:50: ISAKMP:(2029):purging SA., sa=81F99704, delme=81F99704
00:20:50: ISAKMP (0:0): received packet from 147.84.200.240 dport 500 sport 500 Global (I) MM_SA_SETUP
00:20:50: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
00:20:50: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4
00:20:50: ISAKMP:(0): processing KE payload. message ID = 0
00:20:50: ISAKMP:(0): processing NONCE payload. message ID = 0
00:20:50: ISAKMP:(0):found peer pre-shared key matching 147.84.200.240
00:20:50: ISAKMP:(2031): processing vendor id payload
00:20:50: ISAKMP:(2031): vendor ID is Unity
00:20:50: ISAKMP:(2031): processing vendor id payload
00:20:50: ISAKMP:(2031): vendor ID seems Unity/DPD but major 54 mismatch
00:20:50: ISAKMP:(2031): vendor ID is XAUTH
00:20:50: ISAKMP:(2031): processing vendor id payload
00:20:50: ISAKMP:(2031): speaking to another IOS box!
00:20:50: ISAKMP:(2031): processing vendor id payload
00:20:50: ISAKMP:(2031):vendor ID seems Unity/DPD but hash mismatch
00:20:50: ISAKMP:received payload type 20
00:20:50: ISAKMP:received payload type 20
00:20:50: ISAKMP:(2031):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
00:20:50: ISAKMP:(2031):Old State = IKE_I_MM4 New State = IKE_I_MM4
00:20:50: ISAKMP:(2031):Send initial contact
00:20:50: ISAKMP:(2031):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
00:20:50: ISAKMP (0:2031): ID payload next-payload : 8 type : 1 address : 80.33.74.77 protocol : 17 port : 500 length : 12
00:20:50: ISAKMP:(2031):Total payload length: 12
00:20:50: ISAKMP:(2031): sending packet to 147.84.200.240 my_port 500 peer_port 500 (I) MM_KEY_EXCH
00:20:50: ISAKMP:(2031):Sending an IKE IPv4 Packet.
00:20:50: ISAKMP:(2031):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
00:20:50: ISAKMP:(2031):Old State = IKE_I_MM4 New State = IKE_I_MM5
00:20:50: ISAKMP (0:2031): received packet from 147.84.200.240 dport 500 sport 500 Global (I) MM_KEY_EXCH
00:20:50: ISAKMP:(2031): processing ID payload. message ID = 0
00:20:50: ISAKMP (0:2031): ID payload next-payload : 8 type : 1 address : 147.84.200.240 protocol : 17 port : 0 length : 12
00:20:50: ISAKMP:(0):: peer matches *none* of the profiles
00:20:50: ISAKMP:(2031): processing HASH payload. message ID = 0
00:20:50: ISAKMP:received payload type 17
00:20:50: ISAKMP:(2031): processing vendor id payload
00:20:50: ISAKMP:(2031): vendor ID is DPD
00:20:50: ISAKMP:(2031):SA authentication status: authenticated
00:20:50: ISAKMP:(2031):SA has been authenticated with 147.84.200.240
00:20:50: ISAKMP: Trying to insert a peer 80.33.74.77/147.84.200.240/500/, and inserted successfully 81F9B410.
00:20:50: ISAKMP:(2031):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
00:20:50: ISAKMP:(2031):Old State = IKE_I_MM5 New State = IKE_I_MM6
00:20:50: ISAKMP:(2031):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
00:20:50: ISAKMP:(2031):Old State = IKE_I_MM6 New State = IKE_I_MM6
00:20:50: ISAKMP:(2031):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
00:20:50: ISAKMP:(2031):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
00:20:50: ISAKMP:(2031):beginning Quick Mode exchange, M-ID of -548268726
00:20:50: ISAKMP:(2031):QM Initiator gets spi
00:20:50: ISAKMP:(2031): sending packet to 147.84.200.240 my_port 500 peer_port 500 (I) QM_IDLE
00:20:50: ISAKMP:(2031):Sending an IKE IPv4 Packet.
00:20:50: ISAKMP:(2031):Node -548268726, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
00:20:50: ISAKMP:(2031):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
00:20:50: ISAKMP:(2031):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
00:20:50: ISAKMP:(2031):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
00:20:50: ISAKMP (0:2031): received packet from 147.84.200.240 dport 500 sport 500 Global (I) QM_IDLE
00:20:50: ISAKMP: set new node -1767254880 to QM_IDLE
00:20:50: ISAKMP:(2031): processing HASH payload. message ID = -1767254880
00:20:50: ISAKMP:(2031): processing NOTIFY INVALID_ID_INFO protocol 1 spi 0, message ID = -1767254880, sa = 82DB798C
00:20:50: ISAKMP:(2031):peer does not do paranoid keepalives.
00:20:50: ISAKMP:(2031):deleting SA reason "Recevied fatal informational" state (I) QM_IDLE (peer 147.84.200.240)
00:20:50: ISAKMP:(2031):deleting node -1767254880 error FALSE reason "Informational (in) state 1"
00:20:50: ISAKMP:(2031):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
00:20:50: ISAKMP:(2031):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
00:20:50: ISAKMP (0:2031): received packet from 147.84.200.240 dport 500 sport 500 Global (I) QM_IDLE
00:20:50: ISAKMP: set new node 1603059088 to QM_IDLE
00:20:50: ISAKMP:(2031): sending packet to 147.84.200.240 my_port 500 peer_port 500 (I) QM_IDLE
00:20:50: ISAKMP:(2031):Sending an IKE IPv4 Packet.
00:20:50: ISAKMP:(2031):purging node 1603059088
00:20:50: ISAKMP:(2031):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
00:20:50: ISAKMP:(2031):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA
00:20:50: ISAKMP:(2031):deleting SA reason "Recevied fatal informational" state (I) QM_IDLE (peer 147.84.200.240)
00:20:50: ISAKMP:(0):Can't decrement IKE Call Admission Control stat outgoing_active since it's already 0.
00:20:50: ISAKMP: Unlocking peer struct 0x81F9B410 for isadb_mark_sa_deleted(), count 0
00:20:50: ISAKMP: Deleting peer node by peer_reap for 147.84.200.240: 81F9B410
00:20:50: ISAKMP:(2031):deleting node -548268726 error FALSE reason "IKE deleted"
00:20:50: ISAKMP:(2031):deleting node -1767254880 error FALSE reason "IKE deleted"
00:20:50: ISAKMP:(2031):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
00:20:50: ISAKMP:(2031):Old State = IKE_DEST_SA New State = IKE_DEST_SA
00:20:50: IPSEC(key_engine): got a queue event with 1 KMI message(s)
12-22-2011 09:01 AM
It looks like this end is sending phase 2 parameters the other side doesn't work with.
Check debugs on the other end to understand what the problem is.
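A way to check from "debug crypto isakmp" output whether the SA was deleted before or after phase 1 completed, which is the distinction the reply above draws. This is an added example, not part of any post in the thread; diagnose is a hypothetical helper name, and the sample lines are constructed in the format of the debug output above, using a documentation address.

```python
import re

# Patterns follow the wording of the "debug crypto isakmp" output in this thread.
# finditer() scans the whole text, so a dump pasted without line breaks works too.
EVENT_RE = re.compile(
    r'New State\s*=\s*(?P<state>\w+)'
    r'|(?P<qm>beginning Quick Mode exchange)'
    r'|processing NOTIFY (?P<notify>\w+)'
    r'|deleting SA reason "(?P<reason>[^"]+)" state \(\w\) (?P<at>\w+)'
)

def diagnose(debug_text):
    """Report how far the first IKEv1 negotiation in the dump got."""
    r = {"last_mm_state": None, "phase1_complete": False, "quick_mode": False,
         "notifies": [], "delete_reason": None, "delete_state": None,
         "failed_phase": None}
    for m in EVENT_RE.finditer(debug_text):
        if m.group("state"):
            if m.group("state") == "IKE_P1_COMPLETE":
                r["phase1_complete"] = True
            elif re.fullmatch(r"IKE_[IR]_MM\d", m.group("state")):
                r["last_mm_state"] = m.group("state")
        elif m.group("qm"):
            r["quick_mode"] = True
        elif m.group("notify"):
            r["notifies"].append(m.group("notify"))
        else:  # SA deletion: the first one is the failure, the rest is cleanup
            r["delete_reason"], r["delete_state"] = m.group("reason"), m.group("at")
            # Phase 1 finished before the delete, so Quick Mode (phase 2) failed.
            r["failed_phase"] = 2 if r["phase1_complete"] else 1
            break
    return r

# Constructed samples (192.0.2.2 is a documentation address), joined on one
# line on purpose to mimic a pasted dump.
SAMPLE_PHASE2 = (
    '00:00:02: ISAKMP:(1001):Old State = IKE_I_MM5 New State = IKE_I_MM6 '
    '00:00:02: ISAKMP:(1001):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE '
    '00:00:02: ISAKMP:(1001):beginning Quick Mode exchange, M-ID of 12345 '
    '00:00:02: ISAKMP:(1001): processing NOTIFY INVALID_ID_INFO protocol 1 spi 0 '
    '00:00:02: ISAKMP:(1001):deleting SA reason "Recevied fatal informational" '
    'state (I) QM_IDLE (peer 192.0.2.2)')
SAMPLE_PHASE1 = (
    '00:00:01: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1 '
    '00:00:31: ISAKMP:(0):deleting SA reason "Death by retransmission P1" '
    'state (I) MM_NO_STATE (peer 192.0.2.2)')
if __name__ == "__main__":
    for name, text in (("phase2", SAMPLE_PHASE2), ("phase1", SAMPLE_PHASE1)):
        print(name, diagnose(text))
```

A failed_phase of 2 points at the Quick Mode proposal (transform set, PFS group, proxy identities from the crypto ACL) rather than at the pre-shared key or the ISAKMP policy.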
08-20-2013 09:53 AM
FYI, I had a site-to-site tunnel that would not come up on Phase 1 with the following debug warning:
deleting SA reason "Recevied fatal informational" state
Device: VPN Service Module blade
199.173.227.18 149.168.1.164 MM_NO_STATE 78536 ACTIVE (deleted)
199.173.227.18 149.168.1.164 MM_NO_STATE 78577 ACTIVE (deleted)
!
Aug 20 11:54:11.870: ISAKMP:(77730): sending packet to 199.173.227.18 my_port 500 peer_port 500 (I) QM_IDLE
Aug 20 11:54:11.894: ISAKMP (77730): received packet from 199.173.227.18 dport 500 sport 500 Global (I) QM_IDLE
Aug 20 11:54:11.894: ISAKMP:(77730):deleting SA reason "Recevied fatal informational" state (I) QM_IDLE (peer 199.173.227.18)
Aug 20 11:54:11.898: ISAKMP:(77730): sending packet to 199.173.227.18 my_port 500 peer_port 500 (I) QM_IDLE
Aug 20 11:54:11.898: ISAKMP:(77730):deleting SA reason "Recevied fatal informational" state (I) QM_IDLE (peer 199.173.227.18)
Until I realized I had left out 'PFS group 2'; when I added it, the tunnel popped right up.
crypto map DHHS-SF-map 25 ipsec-isakmp
 set peer 199.173.227.18
 set transform-set aes256
 set isakmp-profile DHHSSF
 set pfs group2
 match address DHHS6112-SSA
Dan
01-29-2015 02:50 PM
I had this exact same issue and was pulling my hair out trying to figure out what I was missing. Ended up being the "PFS Group2" was missing. Thanks!