11-25-2008 01:48 AM
Hello,
I have configured a VPN with a DHCP server on the inside subnet, but messages from the DHCP server don't arrive at the VPN client.
Do I have to configure the ASA as a DHCP relay?
Thanks
11-25-2008 03:03 AM
Yes, you should configure the ASA as a relay:
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/dhcp.html
11-25-2008 03:33 AM
Now I can't pass first IKE phase.
The logs are:
Nov 25 12:20:53 [IKEv1 DEBUG]: IP = --.176.85, IKE Peer included IKE fragmentation capability flags: Main Mode: True Aggressive Mode: False
Nov 25 12:20:53 [IKEv1]: IP = --.176.85, Connection landed on tunnel_group TunelVPN
Nov 25 12:20:58 [IKEv1]: Group = TunelVPN, IP = --.176.85, Duplicate Phase 1 packet detected. Retransmitting last packet.
Nov 25 12:20:58 [IKEv1]: Group = TunelVPN, IP = --.176.85, P1 Retransmit msg dispatched to AM FSM
Nov 25 12:21:22 [IKEv1]: Group = TunelVPN, IP = --.176.85, Removing peer from peer table failed, no match!
Nov 25 12:21:22 [IKEv1]: Group = TunelVPN, IP = --.176.85, Error: Unable to remove PeerTblEntry
The config is:
access-list inside_nat0_outbound_2 extended permit ip any 10.0.0.0 255.255.255.192
nat-control
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound_2
nat (inside) 101 0.0.0.0 0.0.0.0
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
access-list inside_access_in extended permit tcp 10.0.0.0 255.255.255.0 any object-group DM_INLINE_TCP_1
access-list inside_access_in extended permit icmp any any echo
access-list inside_access_in extended permit icmp any any echo-reply
access-list inside_access_in extended permit ip 10.0.0.0 255.255.255.0 --.89.192 255.255.255.192 log warnings
access-list inside_access_in extended deny ip any any log warnings
access-list outside_access_in extended permit icmp any --.74.48 255.255.255.252 echo-reply
access-list outside_access_in extended permit icmp 10.0.0.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list outside_access_in extended permit udp 10.0.0.0 255.255.255.0 any eq domain
group-policy TunelVPN internal
group-policy TunelVPN attributes
dns-server value 10.0.0.9 --.89.253
vpn-tunnel-protocol IPSec
default-domain value --.es
11-25-2008 03:35 AM
What did you change?
11-25-2008 04:00 AM
I have changed the nonat rules, but maybe something else too. I'm not sure.
11-25-2008 04:12 AM
The isakmp messages are:
pucca(config)# deNov 25 13:01:57 [IKEv1]: Group = TunelVPN, IP = --.176.85, Removing peer from peer table failed, no match!
Nov 25 13:01:57 [IKEv1]: Group = TunelVPN, IP = --.176.85, Error: Unable to remove PeerTblEntry
bug crypto isakmp 7
pucca(config)# Nov 25 13:02:22 [IKEv1]: IP = --.176.85, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 852
Nov 25 13:02:22 [IKEv1 DEBUG]: IP = --.176.85, processing SA payload
Nov 25 13:02:22 [IKEv1 DEBUG]: IP = --.176.85, processing ke payload
Nov 25 13:02:22 [IKEv1 DEBUG]: IP = --.176.85, processing ISA_KE payload
Nov 25 13:02:22 [IKEv1 DEBUG]: IP = --.176.85, processing nonce payload
Nov 25 13:02:22 [IKEv1 DEBUG]: IP = --.176.85, processing ID payload
Nov 25 13:02:22 [IKEv1 DEBUG]: IP = --.176.85, processing VID payload
Nov 25 13:02:22 [IKEv1 DEBUG]: IP = --.176.85, Received xauth V6 VID
Nov 25 13:02:22 [IKEv1 DEBUG]: IP = --.176.85, processing VID payload
Nov 25 13:02:22 [IKEv1 DEBUG]: IP = --.176.85, Received DPD VID
Nov 25 13:02:22 [IKEv1 DEBUG]: IP = --.176.85, processing VID payload
Nov 25 13:02:22 [IKEv1 DEBUG]: IP = --.176.85, Received Fragmentation VID
Nov 25 13:02:22 [IKEv1 DEBUG]: IP = --.176.85, IKE Peer included IKE fragmentation capability flags: Main Mode: True Aggressive Mode: False
Nov 25 13:02:22 [IKEv1 DEBUG]: IP = --.176.85, processing VID payload
Nov 25 13:02:22 [IKEv1 DEBUG]: IP = --.176.85, Received NAT-Traversal ver 02 VID
Nov 25 13:02:22 [IKEv1 DEBUG]: IP = --.176.85, processing VID payload
Nov 25 13:02:22 [IKEv1 DEBUG]: IP = --.176.85, Received Cisco Unity client VID
Nov 25 13:02:22 [IKEv1]: IP = --.176.85, Connection landed on tunnel_group TunelVPN
Nov 25 13:02:22 [IKEv1 DEBUG]: Group = TunelVPN, IP = --.176.85, processing IKE SA payload
Nov 25 13:02:22 [IKEv1 DEBUG]: Group = TunelVPN, IP = --.176.85, IKE SA Proposal # 1, Transform # 9 acceptable Matches global IKE entry # 1
Nov 25 13:02:22 [IKEv1 DEBUG]: Group = TunelVPN, IP = --.176.85, constructing ISAKMP SA payload
Nov 25 13:02:22 [IKEv1 DEBUG]: Group = TunelVPN, IP = --176.85, constructing ke payload
Nov 25 13:02:22 [IKEv1 DEBUG]: Group = TunelVPN, IP = --.176.85, constructing nonce payload
Nov 25 13:02:22 [IKEv1 DEBUG]: Group = TunelVPN, IP = --.176.85, Generating keys for Responder...
Nov 25 13:02:22 [IKEv1 DEBUG]: Group = TunelVPN, IP = --.176.85, constructing ID payload
Nov 25 13:02:22 [IKEv1 DEBUG]: Group = TunelVPN, IP = --.176.85, constructing hash payload
Nov 25 13:02:22 [IKEv1 DEBUG]: Group = TunelVPN, IP = --.176.85, Computing hash for ISAKMP
Nov 25 13:02:22 [IKEv1 DEBUG]: Group = TunelVPN, IP = --.176.85, constructing Cisco Unity VID payload
Nov 25 13:02:22 [IKEv1 DEBUG]: Group = TunelVPN, IP = --.176.85, constructing xauth V6 VID payload
Nov 25 13:02:22 [IKEv1 DEBUG]: Group = TunelVPN, IP = --.176.85, constructing dpd vid payload
Nov 25 13:02:22 [IKEv1 DEBUG]: Group = TunelVPN, IP = --.176.85, constructing NAT-Traversal VID ver 02 payload
Nov 25 13:02:22 [IKEv1 DEBUG]: Group = TunelVPN, IP = --.176.85, constructing NAT-Discovery payload
Nov 25 13:02:22 [IKEv1 DEBUG]: Group = TunelVPN, IP = --.176.85, computing NAT Discovery hash
Nov 25 13:02:22 [IKEv1 DEBUG]: Group = TunelVPN, IP = --.176.85, constructing NAT-Discovery payload
Nov 25 13:02:22 [IKEv1 DEBUG]: Group = TunelVPN, IP = --.176.85, computing NAT Discovery hash
Nov 25 13:02:22 [IKEv1 DEBUG]: Group = TunelVPN, IP = --.176.85, constructing Fragmentation VID + extended capabilities payload
Nov 25 13:02:22 [IKEv1 DEBUG]: Group = TunelVPN, IP = --.176.85, constructing VID payload
Nov 25 13:02:22 [IKEv1 DEBUG]: Group = TunelVPN, IP = --.176.85, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
11-25-2008 04:12 AM
Nov 25 13:02:22 [IKEv1]: IP = --.176.85, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 440
Nov 25 13:02:26 [IKEv1]: Group = TunelVPN, IP = --.176.85, Duplicate Phase 1 packet detected. Retransmitting last packet.
Nov 25 13:02:26 [IKEv1]: Group = TunelVPN, IP = --.176.85, P1 Retransmit msg dispatched to AM FSM
Nov 25 13:02:36 [IKEv1]: Group = TunelVPN, IP = --.176.85, Duplicate Phase 1 packet detected. Retransmitting last packet.
Nov 25 13:02:36 [IKEv1]: Group = TunelVPN, IP = --.176.85, P1 Retransmit msg dispatched to AM FSM
Nov 25 13:02:44 [IKEv1 DEBUG]: Group = TunelVPN, IP = --.176.85, IKE AM Responder FSM error history (struct &0xd5a8ef30)
Nov 25 13:02:44 [IKEv1 DEBUG]: Group = TunelVPN, IP = --.176.85, IKE SA AM:075789aa terminating: flags 0x0104c001, refcnt 0, tuncnt 0
Nov 25 13:02:44 [IKEv1 DEBUG]: Group = TunelVPN, IP = --.176.85, sending delete/delete with reason message
Nov 25 13:02:44 [IKEv1 DEBUG]: Group = TunelVPN, IP = --.176.85, constructing blank hash payload
Nov 25 13:02:44 [IKEv1 DEBUG]: Group = TunelVPN, IP = --.176.85, constructing IKE delete payload
Nov 25 13:02:44 [IKEv1 DEBUG]: Group = TunelVPN, IP = --.176.85, constructing qm hash payload
Nov 25 13:02:44 [IKEv1]: IP = --176.85, IKE_DECODE SENDING Message (msgid=b12c3627) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
Nov 25 13:02:44 [IKEv1]: Group = TunelVPN, IP = --.176.85, Removing peer from peer table failed, no match!
Nov 25 13:02:44 [IKEv1]: Group = TunelVPN, IP = --.176.85, Error: Unable to remove PeerTblEntry
11-25-2008 04:26 AM
I suggest you roll back your changes.
You should never make a change on a production system in working hours.
You should think through your changes.
You should only make one change at a time.
11-25-2008 07:10 AM
Hello,
You don't need to configure the ASA as a DHCP relay in order for this to work. Remove the DHCP relay, and then configure a DHCP server under the tunnel-group, and the scope under the group-policy.
1) Create a DHCP scope on your DHCP server
2) Exclude one address from the scope
3) Make your ASA's scope the address you just excluded
4) Route that IP address (the one excluded from the scope) through your network such that packets destined to it will reach the ASA
This is because the ASA/pix will set the relay IP address to whatever you set in the scope on the pix/asa, so your DHCP server will respond to that address.
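The four steps above as an ASA configuration, written here as an added example rather than the poster's or the thread's own config. It assumes the DHCP server is 10.0.0.9 (the page only lists it as a DNS server), the ASA inside address is 10.0.0.1, and a separate VPN scope 10.0.1.0/26 with 10.0.1.62 excluded on the server; the thread's nat0 ACL would have to be updated to match that scope.

```cisco
! Step 1 and 2 happen on the DHCP server, not the ASA (assumed values):
!   scope 10.0.1.0/26, exclusion 10.0.1.62

! Remove any relay left over from the earlier attempt, if present
no dhcprelay enable inside
no dhcprelay server 10.0.0.9 inside

! Step 3a: point the tunnel-group at the DHCP server instead of a local pool
tunnel-group TunelVPN general-attributes
 dhcp-server 10.0.0.9
 default-group-policy TunelVPN

! Step 3b: the excluded address becomes the scope the ASA uses as its
! relay (giaddr) address in the DHCPDISCOVER it sends on the client's behalf
group-policy TunelVPN attributes
 dhcp-network-scope 10.0.1.62

! Step 4 lives on the DHCP server's gateway (assumed to be a router, shown
! in IOS syntax): replies to 10.0.1.62 must be forwarded to the ASA
!   ip route 10.0.1.62 255.255.255.255 10.0.0.1

! Check: a connected client should now show a 10.0.1.x assigned address
show vpn-sessiondb remote
```

If the scope were carved out of the inside subnet itself, as the thread's nat0 ACL suggests, the server would ARP for the scope address on the LAN instead of routing it, and no host would answer; a scope outside the LAN subnet avoids that.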
11-25-2008 07:22 AM
Ok, but now I have a worse problem: I can't finish IKE phase 1 because of some fault in the config. You can see this in the logs I posted before. Do you see anything missing in the config?
11-25-2008 08:28 AM
Finally, I have restored a previous configuration and the VPN ISAKMP works. I will open a new item for the problem with the DHCP server.
Thanks for all