04-09-2008 12:21 AM - edited 02-21-2020 03:39 PM
Hi, I keep getting these errors on my IPSec output, what does it mean and does the other parts look ok?
mtree says we have SA but couldn't find current outbound SA. dropping pak. pak->cryptoflags=0x820
This is on a Cisco 877 DSL router that I'm trying to configure to a Cisco ASA server.
Apr 9 08:05:00.579: IPSEC(crypto_map_check_encrypt_core): mtree says we have SA but couldn't find current outbound SA. dropping pak. pak->cryptoflags=0x820
Apr 9 08:05:00.579: IPSEC(crypto_map_check_encrypt_core): mtree says we have SA but couldn't find current outbound SA. dropping pak. pak->cryptoflags=0x820
Apr 9 08:05:07.483: ISAKMP:(1011): retransmitting phase 2 QM_IDLE -1129044802 ...
Apr 9 08:05:07.483: ISAKMP (0:1011): incrementing error counter on node, attempt 2 of 5: retransmit phase 2
Apr 9 08:05:07.483: ISAKMP (0:1011): incrementing error counter on sa, attempt 1 of 5: retransmit phase 2
Apr 9 08:05:07.483: ISAKMP:(1011): retransmitting phase 2 -1129044802 QM_IDLE
Apr 9 08:05:07.483: ISAKMP:(1011): sending packet to 80.71.156.64 my_port 500 peer_port 500 (R) QM_IDLE
Apr 9 08:05:07.483: ISAKMP:(1011): retransmitting phase 2 QM_IDLE 589395199 ...
Apr 9 08:05:07.483: ISAKMP (0:1011): incrementing error counter on node, attempt 5 of 5: retransmit phase 2
Apr 9 08:05:07.483: ISAKMP (0:1011): incrementing error counter on sa, attempt 2 of 5: retransmit phase 2
Apr 9 08:05:07.483: ISAKMP:(1011): retransmitting phase 2 589395199 QM_IDLE
Apr 9 08:05:07.483: ISAKMP:(1011): sending packet to 80.71.156.64 my_port 500 peer_port 500 (R) QM_IDLE
Apr 9 08:05:07.515: ISAKMP (0:1011): received packet from 80.71.156.64 dport 500 sport 500 Global (R) QM_IDLE
Apr 9 08:05:07.515: ISAKMP: set new node 1754770008 to QM_IDLE
Apr 9 08:05:07.519: ISAKMP:(1011): processing HASH payload. message ID = 1754770008
Apr 9 08:05:07.519: ISAKMP:(1011): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 0, message ID = 1754770008, sa = 82E60C84
Apr 9 08:05:07.519: ISAKMP:(1011):deleting node 1754770008 error FALSE reason "Informational (in) state 1"
Apr 9 08:05:07.519: ISAKMP:(1011):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Apr 9 08:05:07.519: ISAKMP:(1011):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Apr 9 08:05:18.323: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 80.149.110.103, remote= 80.71.156.64,
local_proxy= 172.19.15.0/255.255.255.0/0/0 (type=4),
remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
protocol= ESP, transform= NONE (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0xC976D068(3380007016), conn_id= 0, keysize= 256, flags= 0x0
04-15-2008 05:05 AM
It may be peer initiates IPSec SA pair, and again duplicate IPSec SA pairs are established, so better you clear crypto and reenabel it.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide