Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2340
Views
0
Helpful
1
Replies

I keep getting these errors on my IPSec output, what does it mean?

whiteford
Level 1
Level 1

‎04-09-2008 12:21 AM - edited ‎02-21-2020 03:39 PM

Hi, I keep getting these errors on my IPSec output, what does it mean and does the other parts look ok?

mtree says we have SA but couldn't find current outbound SA. dropping pak. pak->cryptoflags=0x820

This is on a Cisco 877 DSL router that I'm trying to configure to a Cisco ASA server.

Apr 9 08:05:00.579: IPSEC(crypto_map_check_encrypt_core): mtree says we have SA but couldn't find current outbound SA. dropping pak. pak->cryptoflags=0x820

Apr 9 08:05:00.579: IPSEC(crypto_map_check_encrypt_core): mtree says we have SA but couldn't find current outbound SA. dropping pak. pak->cryptoflags=0x820

Apr 9 08:05:07.483: ISAKMP:(1011): retransmitting phase 2 QM_IDLE -1129044802 ...

Apr 9 08:05:07.483: ISAKMP (0:1011): incrementing error counter on node, attempt 2 of 5: retransmit phase 2

Apr 9 08:05:07.483: ISAKMP (0:1011): incrementing error counter on sa, attempt 1 of 5: retransmit phase 2

Apr 9 08:05:07.483: ISAKMP:(1011): retransmitting phase 2 -1129044802 QM_IDLE

Apr 9 08:05:07.483: ISAKMP:(1011): sending packet to 80.71.156.64 my_port 500 peer_port 500 (R) QM_IDLE

Apr 9 08:05:07.483: ISAKMP:(1011): retransmitting phase 2 QM_IDLE 589395199 ...

Apr 9 08:05:07.483: ISAKMP (0:1011): incrementing error counter on node, attempt 5 of 5: retransmit phase 2

Apr 9 08:05:07.483: ISAKMP (0:1011): incrementing error counter on sa, attempt 2 of 5: retransmit phase 2

Apr 9 08:05:07.483: ISAKMP:(1011): retransmitting phase 2 589395199 QM_IDLE

Apr 9 08:05:07.483: ISAKMP:(1011): sending packet to 80.71.156.64 my_port 500 peer_port 500 (R) QM_IDLE

Apr 9 08:05:07.515: ISAKMP (0:1011): received packet from 80.71.156.64 dport 500 sport 500 Global (R) QM_IDLE

Apr 9 08:05:07.515: ISAKMP: set new node 1754770008 to QM_IDLE

Apr 9 08:05:07.519: ISAKMP:(1011): processing HASH payload. message ID = 1754770008

Apr 9 08:05:07.519: ISAKMP:(1011): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3

spi 0, message ID = 1754770008, sa = 82E60C84

Apr 9 08:05:07.519: ISAKMP:(1011):deleting node 1754770008 error FALSE reason "Informational (in) state 1"

Apr 9 08:05:07.519: ISAKMP:(1011):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY

Apr 9 08:05:07.519: ISAKMP:(1011):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

Apr 9 08:05:18.323: IPSEC(sa_request): ,

(key eng. msg.) OUTBOUND local= 80.149.110.103, remote= 80.71.156.64,

local_proxy= 172.19.15.0/255.255.255.0/0/0 (type=4),

remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),

protocol= ESP, transform= NONE (Tunnel),

lifedur= 3600s and 4608000kb,

spi= 0xC976D068(3380007016), conn_id= 0, keysize= 256, flags= 0x0

Labels:
0 Helpful
1 Reply 1

mchin345
Level 6
Level 6

‎04-15-2008 05:05 AM

It may be peer initiates IPSec SA pair, and again duplicate IPSec SA pairs are established, so better you clear crypto and reenabel it.

0 Helpful
Customers Also Viewed These Support Documents