
IPSec can't pass Phase 2 ISAKMP:FSM error - Message from AAA grp/user.

Alex
Beginner

Hi! I can't set up the VPN server properly. Using the macOS VPN client, I can't pass Phase 2.

Cisco 861 Version: 15.4(3)M5

My config:

aaa new-model
aaa authentication login USER-AUTH local
aaa authorization network MY_GROUP local

username alex123 password 7 091D1C5A

crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2

crypto isakmp client configuration group MY_GROUP
 key GROUP_PASSWORD_HERE
 dns 192.168.1.1
 pool VPN-POOL
 acl 110
 save-password

crypto ipsec transform-set IPSEC-CRYPTO esp-aes esp-sha-hmac
 mode tunnel

crypto dynamic-map DYNMAP 10
 set transform-set IPSEC-CRYPTO
 reverse-route

crypto map DMAP client authentication list USER-AUTH
crypto map DMAP isakmp authorization list MY_GROUP
crypto map DMAP client configuration address respond
crypto map DMAP 10 ipsec-isakmp dynamic DYNMAP

interface FastEthernet4
 ip address MY_EXTERNAL_IP MASK
 ip access-group FIREWALL in
 ip inspect INSPECT_OUT out
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map DMAP

ip access-list extended FIREWALL
 permit udp any any
 permit tcp any any

access-list 110 permit ip 192.168.1.0 0.0.0.255 any

Log:

*Jan 2 00:57:34.087: ISAKMP (0): received packet from 185.46.220.130 dport 500 sport 500 Global (N) NEW SA
*Jan 2 00:57:34.087: ISAKMP: Created a peer struct for 185.46.220.130, peer port 500
*Jan 2 00:57:34.087: ISAKMP: New peer created peer = 0x853D1BC8 peer_handle = 0x80000038
*Jan 2 00:57:34.087: ISAKMP: Locking peer struct 0x853D1BC8, refcount 1 for crypto_isakmp_process_block
*Jan 2 00:57:34.087: ISAKMP:(0):Setting client config settings 853D1CF4
*Jan 2 00:57:34.087: ISAKMP:(0):(Re)Setting client xauth list and state
*Jan 2 00:57:34.087: ISAKMP/xauth: initializing AAA request
*Jan 2 00:57:34.087: ISAKMP AAA: NAS Port Id is currently unavailable.
*Jan 2 00:57:34.087: ISAKMP:(0):AAA: Nas Port ID is unavailable.
*Jan 2 00:57:34.087: ISAKMP/aaa: unique id = 83
*Jan 2 00:57:34.087: ISAKMP: local port 500, remote port 500
*Jan 2 00:57:34.087: ISAKMP:(0):insert sa successfully sa = 8877960C
*Jan 2 00:57:34.091: ISAKMP:(0): processing SA payload. message ID = 0
*Jan 2 00:57:34.091: ISAKMP:(0): processing ID payload. message ID = 0
*Jan 2 00:57:34.091: ISAKMP (0): ID payload
next-payload : 13
type : 11
group id : MY_GROUP
protocol : 0
port : 0
length : 16
*Jan 2 00:57:34.091: ISAKMP:(0):: peer matches *none* of the profiles
*Jan 2 00:57:34.091: ISAKMP:(0): processing vendor id payload
*Jan 2 00:57:34.091: ISAKMP:(0): processing IKE frag vendor id payload
*Jan 2 00:57:34.091: ISAKMP:(0):Support for IKE Fragmentation not enabled
*Jan 2 00:57:34.091: ISAKMP:(0): processing vendor id payload
*Jan 2 00:57:34.091: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Jan 2 00:57:34.091: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Jan 2 00:57:34.091: ISAKMP:(0): processing vendor id payload
*Jan 2 00:57:34.091: ISAKMP:(0): vendor ID seems Unity/DPD but major 198 mismatch
*Jan 2 00:57:34.091: ISAKMP:(0): processing vendor id payload
*Jan 2 00:57:34.091: ISAKMP:(0): vendor ID seems Unity/DPD but major 29 mismatch
*Jan 2 00:57:34.091: ISAKMP:(0): processing vendor id payload
*Jan 2 00:57:34.091: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*Jan 2 00:57:34.091: ISAKMP (0): vendor ID is NAT-T v7
*Jan 2 00:57:34.091: ISAKMP:(0): processing vendor id payload
*Jan 2 00:57:34.091: ISAKMP:(0): vendor ID seems Unity/DPD but major 114 mismatch
*Jan 2 00:57:34.091: ISAKMP:(0): processing vendor id payload
*Jan 2 00:57:34.091: ISAKMP:(0): vendor ID seems Unity/DPD but major 227 mismatch
*Jan 2 00:57:34.091: ISAKMP:(0): processing vendor id payload
*Jan 2 00:57:34.091: ISAKMP:(0): vendor ID seems Unity/DPD but major 250 mismatch
*Jan 2 00:57:34.091: ISAKMP:(0): processing vendor id payload
*Jan 2 00:57:34.091: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
*Jan 2 00:57:34.095: ISAKMP:(0): vendor ID is NAT-T v3
*Jan 2 00:57:34.095: ISAKMP:(0): processing vendor id payload
*Jan 2 00:57:34.095: ISAKMP:(0): vendor ID seems Unity/DPD but major 164 mismatch
*Jan 2 00:57:34.095: ISAKMP:(0): processing vendor id payload
*Jan 2 00:57:34.095: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Jan 2 00:57:34.095: ISAKMP:(0): vendor ID is NAT-T v2
*Jan 2 00:57:34.095: ISAKMP:(0): processing vendor id payload
*Jan 2 00:57:34.095: ISAKMP:(0): vendor ID seems Unity/DPD but major 242 mismatch
*Jan 2 00:57:34.095: ISAKMP:(0): vendor ID is XAUTH
*Jan 2 00:57:34.095: ISAKMP:(0): processing vendor id payload
*Jan 2 00:57:34.095: ISAKMP:(0): vendor ID is Unity
*Jan 2 00:57:34.095: ISAKMP:(0): processing vendor id payload
*Jan 2 00:57:34.095: ISAKMP:(0): vendor ID is DPD
*Jan 2 00:57:34.095: ISAKMP:(0): Authentication by xauth preshared
*Jan 2 00:57:34.095: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*Jan 2 00:57:34.095: ISAKMP: life type in seconds
*Jan 2 00:57:34.095: ISAKMP: life duration (basic) of 3600
*Jan 2 00:57:34.095: ISAKMP: encryption AES-CBC
*Jan 2 00:57:34.095: ISAKMP: keylength of 256
*Jan 2 00:57:34.095: ISAKMP: auth XAUTHInitPreShared
*Jan 2 00:57:34.095: ISAKMP: hash SHA256
*Jan 2 00:57:34.095: ISAKMP: default group 14
*Jan 2 00:57:34.095: ISAKMP:(0):Hash algorithm offered does not match policy!
*Jan 2 00:57:34.095: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Jan 2 00:57:34.095: ISAKMP:(0):Checking ISAKMP transform 2 against priority 10 policy
*Jan 2 00:57:34.095: ISAKMP: life type in seconds
*Jan 2 00:57:34.095: ISAKMP: life duration (basic) of 3600
*Jan 2 00:57:34.095: ISAKMP: encryption AES-CBC
*Jan 2 00:57:34.095: ISAKMP: keylength of 256
*Jan 2 00:57:34.095: ISAKMP: auth XAUTHInitPreShared
*Jan 2 00:57:34.099: ISAKMP: hash SHA
*Jan 2 00:57:34.099: ISAKMP: default group 14
*Jan 2 00:57:34.099: ISAKMP:(0):Proposed key length does not match policy
*Jan 2 00:57:34.099: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Jan 2 00:57:34.099: ISAKMP:(0):Checking ISAKMP transform 3 against priority 10 policy
*Jan 2 00:57:34.099: ISAKMP: life type in seconds
*Jan 2 00:57:34.099: ISAKMP: life duration (basic) of 3600
*Jan 2 00:57:34.099: ISAKMP: encryption AES-CBC
*Jan 2 00:57:34.099: ISAKMP: keylength of 256
*Jan 2 00:57:34.099: ISAKMP: auth XAUTHInitPreShared
*Jan 2 00:57:34.099: ISAKMP: hash MD5
*Jan 2 00:57:34.099: ISAKMP: default group 14
*Jan 2 00:57:34.099: ISAKMP:(0):Hash algorithm offered does not match policy!
*Jan 2 00:57:34.099: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Jan 2 00:57:34.099: ISAKMP:(0):Checking ISAKMP transform 4 against priority 10 policy
*Jan 2 00:57:34.099: ISAKMP: life type in seconds
*Jan 2 00:57:34.099: ISAKMP: life duration (basic) of 3600
*Jan 2 00:57:34.099: ISAKMP: encryption AES-CBC
*Jan 2 00:57:34.099: ISAKMP: keylength of 256
*Jan 2 00:57:34.099: ISAKMP: auth XAUTHInitPreShared
*Jan 2 00:57:34.099: ISAKMP: hash SHA512
*Jan 2 00:57:34.099: ISAKMP: default group 14
*Jan 2 00:57:34.099: ISAKMP:(0):Hash algorithm offered does not match policy!
*Jan 2 00:57:34.099: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Jan 2 00:57:34.099: ISAKMP:(0):no offers accepted!
*Jan 2 00:57:34.099: ISAKMP:(0): phase 1 SA policy not acceptable! (local 185.17.127.162 remote 185.46.220.130)
*Jan 2 00:57:34.099: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: construct_fail_ag_init
*Jan 2 00:57:34.099: ISAKMP:(0): Failed to construct AG informational message.
*Jan 2 00:57:34.099: ISAKMP:(0): sending packet to 185.46.220.130 my_port 500 peer_port 500 (R) AG_NO_STATE
*Jan 2 00:57:34.099: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jan 2 00:57:34.103: ISAKMP:(0):peer does not do paranoid keepalives.

*Jan 2 00:57:34.103: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) AG_NO_STATE (peer 185.46.220.130)
*Jan 2 00:57:34.103: ISAKMP:(0): processing KE payload. message ID = 0
*Jan 2 00:57:34.103: ISAKMP:(0): group size changed! Should be 0, is 256
*Jan 2 00:57:34.103: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: reset_retransmission
*Jan 2 00:57:34.103: ISAKMP (0): Unknown Input IKE_MESG_FROM_PEER, IKE_AM_EXCH: state = IKE_READY
*Jan 2 00:57:34.103: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
*Jan 2 00:57:34.103: ISAKMP:(0):Old State = IKE_READY New State = IKE_READY

*Jan 2 00:57:34.103: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at 185.46.220.130
*Jan 2 00:57:34.103: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) AG_NO_STATE (peer 185.46.220.130)
*Jan 2 00:57:34.103: ISAKMP: Unlocking peer struct 0x853D1BC8 for isadb_mark_sa_deleted(), count 0
*Jan 2 00:57:34.103: ISAKMP: Deleting peer node by peer_reap for 185.46.220.130: 853D1BC8
*Jan 2 00:57:34.107: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Jan 2 00:57:34.107: ISAKMP:(0):Old State = IKE_READY New State = IKE_DEST_SA

*Jan 2 00:57:34.127: ISAKMP (0): received packet from 185.46.220.130 dport 500 sport 500 Global (N) NEW SA
*Jan 2 00:57:34.127: ISAKMP: Created a peer struct for 185.46.220.130, peer port 500
*Jan 2 00:57:34.127: ISAKMP: New peer created peer = 0x853DF284 peer_handle = 0x80000039
*Jan 2 00:57:34.127: ISAKMP: Locking peer struct 0x853DF284, refcount 1 for crypto_isakmp_process_block
*Jan 2 00:57:34.127: ISAKMP:(0):Setting client config settings 886A99E0
*Jan 2 00:57:34.127: ISAKMP:(0):(Re)Setting client xauth list and state
*Jan 2 00:57:34.127: ISAKMP/xauth: initializing AAA request
*Jan 2 00:57:34.127: ISAKMP AAA: NAS Port Id is currently unavailable.
*Jan 2 00:57:34.127: ISAKMP:(0):AAA: Nas Port ID is unavailable.
*Jan 2 00:57:34.127: ISAKMP/aaa: unique id = 84
*Jan 2 00:57:34.127: ISAKMP: local port 500, remote port 500
*Jan 2 00:57:34.127: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 853DE730
*Jan 2 00:57:34.127: ISAKMP:(0): processing SA payload. message ID = 0
*Jan 2 00:57:34.127: ISAKMP:(0): processing ID payload. message ID = 0
*Jan 2 00:57:34.127: ISAKMP (0): ID payload
next-payload : 13
type : 11
group id : MY_GROUP
protocol : 0
port : 0
length : 16
*Jan 2 00:57:34.131: ISAKMP:(0):: peer matches *none* of the profiles
*Jan 2 00:57:34.131: ISAKMP:(0): processing vendor id payload
*Jan 2 00:57:34.131: ISAKMP:(0): processing IKE frag vendor id payload
*Jan 2 00:57:34.131: ISAKMP:(0):Support for IKE Fragmentation not enabled
*Jan 2 00:57:34.131: ISAKMP:(0): processing vendor id payload
*Jan 2 00:57:34.131: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Jan 2 00:57:34.131: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Jan 2 00:57:34.131: ISAKMP:(0): processing vendor id payload
*Jan 2 00:57:34.131: ISAKMP:(0): vendor ID seems Unity/DPD but major 198 mismatch
*Jan 2 00:57:34.131: ISAKMP:(0): processing vendor id payload
*Jan 2 00:57:34.131: ISAKMP:(0): vendor ID seems Unity/DPD but major 29 mismatch
*Jan 2 00:57:34.131: ISAKMP:(0): processing vendor id payload
*Jan 2 00:57:34.131: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*Jan 2 00:57:34.131: ISAKMP (0): vendor ID is NAT-T v7
*Jan 2 00:57:34.131: ISAKMP:(0): processing vendor id payload
*Jan 2 00:57:34.131: ISAKMP:(0): vendor ID seems Unity/DPD but major 114 mismatch
*Jan 2 00:57:34.131: ISAKMP:(0): processing vendor id payload
*Jan 2 00:57:34.131: ISAKMP:(0): vendor ID seems Unity/DPD but major 227 mismatch
*Jan 2 00:57:34.131: ISAKMP:(0): processing vendor id payload
*Jan 2 00:57:34.131: ISAKMP:(0): vendor ID seems Unity/DPD but major 250 mismatch
*Jan 2 00:57:34.131: ISAKMP:(0): processing vendor id payload
*Jan 2 00:57:34.131: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
*Jan 2 00:57:34.131: ISAKMP:(0): vendor ID is NAT-T v3
*Jan 2 00:57:34.131: ISAKMP:(0): processing vendor id payload
*Jan 2 00:57:34.131: ISAKMP:(0): vendor ID seems Unity/DPD but major 164 mismatch
*Jan 2 00:57:34.131: ISAKMP:(0): processing vendor id payload
*Jan 2 00:57:34.131: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Jan 2 00:57:34.135: ISAKMP:(0): vendor ID is NAT-T v2
*Jan 2 00:57:34.135: ISAKMP:(0): processing vendor id payload
*Jan 2 00:57:34.135: ISAKMP:(0): vendor ID seems Unity/DPD but major 242 mismatch
*Jan 2 00:57:34.135: ISAKMP:(0): vendor ID is XAUTH
*Jan 2 00:57:34.135: ISAKMP:(0): processing vendor id payload
*Jan 2 00:57:34.135: ISAKMP:(0): vendor ID is Unity
*Jan 2 00:57:34.135: ISAKMP:(0): processing vendor id payload
*Jan 2 00:57:34.135: ISAKMP:(0): vendor ID is DPD
*Jan 2 00:57:34.135: ISAKMP:(0): Authentication by xauth preshared
*Jan 2 00:57:34.135: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*Jan 2 00:57:34.135: ISAKMP: life type in seconds
*Jan 2 00:57:34.135: ISAKMP: life duration (basic) of 3600
*Jan 2 00:57:34.135: ISAKMP: encryption AES-CBC
*Jan 2 00:57:34.135: ISAKMP: keylength of 256
*Jan 2 00:57:34.135: ISAKMP: auth XAUTHInitPreShared
*Jan 2 00:57:34.135: ISAKMP: hash SHA
*Jan 2 00:57:34.135: ISAKMP: default group 2
*Jan 2 00:57:34.135: ISAKMP:(0):Proposed key length does not match policy
*Jan 2 00:57:34.135: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Jan 2 00:57:34.135: ISAKMP:(0):Checking ISAKMP transform 2 against priority 10 policy
*Jan 2 00:57:34.135: ISAKMP: life type in seconds
*Jan 2 00:57:34.135: ISAKMP: life duration (basic) of 3600
*Jan 2 00:57:34.135: ISAKMP: encryption AES-CBC
*Jan 2 00:57:34.135: ISAKMP: keylength of 256
*Jan 2 00:57:34.135: ISAKMP: auth XAUTHInitPreShared
*Jan 2 00:57:34.135: ISAKMP: hash MD5
*Jan 2 00:57:34.135: ISAKMP: default group 2
*Jan 2 00:57:34.135: ISAKMP:(0):Hash algorithm offered does not match policy!
*Jan 2 00:57:34.135: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Jan 2 00:57:34.135: ISAKMP:(0):Checking ISAKMP transform 3 against priority 10 policy
*Jan 2 00:57:34.135: ISAKMP: life type in seconds
*Jan 2 00:57:34.135: ISAKMP: life duration (basic) of 3600
*Jan 2 00:57:34.139: ISAKMP: encryption AES-CBC
*Jan 2 00:57:34.139: ISAKMP: keylength of 128
*Jan 2 00:57:34.139: ISAKMP: auth XAUTHInitPreShared
*Jan 2 00:57:34.139: ISAKMP: hash SHA
*Jan 2 00:57:34.139: ISAKMP: default group 2
*Jan 2 00:57:34.139: ISAKMP:(0):atts are acceptable. Next payload is 3
*Jan 2 00:57:34.139: ISAKMP:(0):Acceptable atts:actual life: 86400
*Jan 2 00:57:34.139: ISAKMP:(0):Acceptable atts:life: 0
*Jan 2 00:57:34.139: ISAKMP:(0):Basic life_in_seconds:3600
*Jan 2 00:57:34.139: ISAKMP:(0):Returning Actual lifetime: 3600
*Jan 2 00:57:34.139: ISAKMP:(0)::Started lifetime timer: 3600.

*Jan 2 00:57:34.139: ISAKMP:(0): processing KE payload. message ID = 0
*Jan 2 00:57:34.175: ISAKMP:(0): processing NONCE payload. message ID = 0
*Jan 2 00:57:34.175: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Jan 2 00:57:34.175: ISAKMP (0): vendor ID is NAT-T v7
*Jan 2 00:57:34.175: ISAKMP:(0): vendor ID is NAT-T v3
*Jan 2 00:57:34.175: ISAKMP:(0): vendor ID is NAT-T v2
*Jan 2 00:57:34.175: ISAKMP:(0):ISAKMP/tunnel: setting up tunnel MY_GROUP pw request
*Jan 2 00:57:34.175: ISAKMP:(0):ISAKMP/tunnel: Tunnel MY_GROUP PW Request successfully sent to AAA
*Jan 2 00:57:34.175: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
*Jan 2 00:57:34.175: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_AM_AAA_AWAIT

*Jan 2 00:57:34.175: ISAKMP:(0):ISAKMP/tunnel: received callback from AAA
AAA/AUTHOR/IKE: Processing AV tunnel-password
AAA/AUTHOR/IKE: Processing AV addr-pool
AAA/AUTHOR/IKE: Processing AV inacl
AAA/AUTHOR/IKE: Processing AV dns-servers
AAA/AUTHOR/IKE: Processing AV wins-servers
AAA/AUTHOR/IKE: Processing AV save-password
AAA/AUTHOR/IKE: Processing AV route-metric
*Jan 2 00:57:34.179: ISAKMP/tunnel: received tunnel atts
*Jan 2 00:57:34.179: ISAKMP:(2023): constructed NAT-T vendor-rfc3947 ID
*Jan 2 00:57:34.179: ISAKMP:(2023):SA is doing pre-shared key authentication plus XAUTH using id type ID_IPV4_ADDR
*Jan 2 00:57:34.179: ISAKMP (2023): ID payload
next-payload : 10
type : 1
address : 185.17.127.162
protocol : 0
port : 0
length : 12
*Jan 2 00:57:34.179: ISAKMP:(2023):Total payload length: 12
*Jan 2 00:57:34.179: ISAKMP:(2023): sending packet to 185.46.220.130 my_port 500 peer_port 500 (R) AG_INIT_EXCH
*Jan 2 00:57:34.179: ISAKMP:(2023):Sending an IKE IPv4 Packet.
*Jan 2 00:57:34.183: ISAKMP:(2023):Input = IKE_MESG_FROM_AAA, PRESHARED_KEY_REPLY
*Jan 2 00:57:34.183: ISAKMP:(2023):Old State = IKE_R_AM_AAA_AWAIT New State = IKE_R_AM2

*Jan 2 00:57:34.383: ISAKMP (2023): received packet from 185.46.220.130 dport 4500 sport 4500 Global (R) AG_INIT_EXCH
*Jan 2 00:57:34.383: ISAKMP:(2023): processing HASH payload. message ID = 0
*Jan 2 00:57:34.383: ISAKMP:received payload type 20
*Jan 2 00:57:34.383: ISAKMP (2023): His hash no match - this node outside NAT
*Jan 2 00:57:34.383: ISAKMP:received payload type 20
*Jan 2 00:57:34.383: ISAKMP (2023): His hash no match - this node outside NAT
*Jan 2 00:57:34.383: ISAKMP:(2023): processing NOTIFY INITIAL_CONTACT protocol 1
spi 0, message ID = 0, sa = 0x853DE730
*Jan 2 00:57:34.383: ISAKMP:(2023):SA authentication status:
authenticated
*Jan 2 00:57:34.383: ISAKMP:(2023):SA has been authenticated with 185.46.220.130
*Jan 2 00:57:34.383: ISAKMP:(2023):Detected port,floating to port = 4500
*Jan 2 00:57:34.383: ISAKMP: Trying to find existing peer 185.17.127.162/185.46.220.130/4500/
*Jan 2 00:57:34.383: ISAKMP:(2023):SA authentication status:
authenticated
*Jan 2 00:57:34.383: ISAKMP:(2023): Process initial contact,
bring down existing phase 1 and 2 SA's with local 185.17.127.162 remote 185.46.220.130 remote port 4500
*Jan 2 00:57:34.383: ISAKMP:(2023):returning IP addr to the address pool
*Jan 2 00:57:34.383: ISAKMP AAA: Deleting old aaa_uid = 84
*Jan 2 00:57:34.383: ISAKMP AAA: NAS Port Id is set to 185.17.127.162
*Jan 2 00:57:34.383: ISAKMP:(0):AAA: Nas Port ID set to 185.17.127.162.
*Jan 2 00:57:34.387: ISAKMP AAA: Allocated new aaa_uid = 85
*Jan 2 00:57:34.387: ISAKMP: Trying to insert a peer 185.17.127.162/185.46.220.130/4500/, and inserted successfully 853DF284.
*Jan 2 00:57:34.387: ISAKMP AAA: Accounting is not enabled
*Jan 2 00:57:34.387: ISAKMP:(2023):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
*Jan 2 00:57:34.387: ISAKMP:(2023):Old State = IKE_R_AM2 New State = IKE_P1_COMPLETE

*Jan 2 00:57:34.387: ISAKMP:(2023):Need XAUTH
*Jan 2 00:57:34.387: ISAKMP: set new node -1303350024 to CONF_XAUTH
*Jan 2 00:57:34.391: ISAKMP/xauth: request attribute XAUTH_USER_NAME_V2
*Jan 2 00:57:34.391: ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD_V2
*Jan 2 00:57:34.391: ISAKMP:(2023): initiating peer config to 185.46.220.130. ID = 2991617272
*Jan 2 00:57:34.391: ISAKMP:(2023): sending packet to 185.46.220.130 my_port 4500 peer_port 4500 (R) CONF_XAUTH
*Jan 2 00:57:34.391: ISAKMP:(2023):Sending an IKE IPv4 Packet.
*Jan 2 00:57:34.391: ISAKMP:(2023):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Jan 2 00:57:34.391: ISAKMP:(2023):Old State = IKE_P1_COMPLETE New State = IKE_XAUTH_REQ_SENT

*Jan 2 00:57:34.427: ISAKMP (2023): received packet from 185.46.220.130 dport 4500 sport 4500 Global (R) CONF_XAUTH
*Jan 2 00:57:34.431: ISAKMP:(2023):processing transaction payload from 185.46.220.130. message ID = -1303350024
*Jan 2 00:57:34.431: ISAKMP: Config payload REPLY
*Jan 2 00:57:34.431: ISAKMP/xauth: reply attribute XAUTH_USER_NAME_V2
*Jan 2 00:57:34.431: ISAKMP/xauth: reply attribute XAUTH_USER_PASSWORD_V2
*Jan 2 00:57:34.431: ISAKMP AAA: NAS Port Id is already set to 185.17.127.162
*Jan 2 00:57:34.431: ISAKMP/Authen: unique id = 85
*Jan 2 00:57:34.431: ISAKMP:(2023):AAA Authen: setting up authen_request
*Jan 2 00:57:34.431: ISAKMP:(2023):AAA Authen: Successfully sent authen info to AAA

*Jan 2 00:57:34.431: ISAKMP:(2023):deleting node -1303350024 error FALSE reason "Done with xauth request/reply exchange"
*Jan 2 00:57:34.431: ISAKMP:(2023):Input = IKE_MESG_FROM_PEER, IKE_CFG_REPLY
*Jan 2 00:57:34.431: ISAKMP:(2023):Old State = IKE_XAUTH_REQ_SENT New State = IKE_XAUTH_AAA_CONT_LOGIN_AWAIT

*Jan 2 00:57:34.431: ISAKMP:(2023):AAA Authen: Local Authentication or no RADIUS atts recvd
*Jan 2 00:57:34.431: ISAKMP: set new node -1382126504 to CONF_XAUTH
*Jan 2 00:57:34.431: ISAKMP:(2023): initiating peer config to 185.46.220.130. ID = 2912840792
*Jan 2 00:57:34.435: ISAKMP:(2023): sending packet to 185.46.220.130 my_port 4500 peer_port 4500 (R) CONF_XAUTH
*Jan 2 00:57:34.435: ISAKMP:(2023):Sending an IKE IPv4 Packet.
*Jan 2 00:57:34.435: ISAKMP:(2023):Input = IKE_MESG_FROM_AAA, IKE_AAA_CONT_LOGIN
*Jan 2 00:57:34.435: ISAKMP:(2023):Old State = IKE_XAUTH_AAA_CONT_LOGIN_AWAIT New State = IKE_XAUTH_SET_SENT

*Jan 2 00:57:34.455: ISAKMP (2023): received packet from 185.46.220.130 dport 4500 sport 4500 Global (R) CONF_XAUTH
*Jan 2 00:57:34.455: ISAKMP: set new node -525563425 to CONF_XAUTH
*Jan 2 00:57:34.455: ISAKMP:(2023):processing transaction payload from 185.46.220.130. message ID = -525563425
*Jan 2 00:57:34.455: ISAKMP: Config payload REQUEST
*Jan 2 00:57:34.455: ISAKMP (2023): Unknown Input IKE_MESG_FROM_PEER, IKE_CFG_REQUEST: state = IKE_XAUTH_SET_SENT
*Jan 2 00:57:34.455: ISAKMP:(2023):Input = IKE_MESG_FROM_PEER, IKE_CFG_REQUEST
*Jan 2 00:57:34.455: ISAKMP:(2023):Old State = IKE_XAUTH_SET_SENT New State = IKE_XAUTH_SET_SENT

*Jan 2 00:57:34.455: ISAKMP (2023): received packet from 185.46.220.130 dport 4500 sport 4500 Global (R) CONF_XAUTH
*Jan 2 00:57:34.459: ISAKMP:(2023):processing transaction payload from 185.46.220.130. message ID = -1382126504
*Jan 2 00:57:34.459: ISAKMP: Config payload ACK
*Jan 2 00:57:34.459: ISAKMP:(2023): XAUTH ACK Processed
*Jan 2 00:57:34.459: ISAKMP:(2023):deleting node -1382126504 error FALSE reason "Transaction mode done"
*Jan 2 00:57:34.459: ISAKMP:(2023):Talking to a Unity Client
*Jan 2 00:57:34.459: ISAKMP:(2023):Input = IKE_MESG_FROM_PEER, IKE_CFG_ACK
*Jan 2 00:57:34.459: ISAKMP:(2023):Old State = IKE_XAUTH_SET_SENT New State = IKE_P1_COMPLETE

*Jan 2 00:57:34.459: ISAKMP:(2023):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Jan 2 00:57:34.459: ISAKMP:(2023):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

*Jan 2 00:57:37.751: ISAKMP (2023): received packet from 185.46.220.130 dport 4500 sport 4500 Global (R) QM_IDLE
*Jan 2 00:57:37.751: ISAKMP:(2023):processing transaction payload from 185.46.220.130. message ID = -525563425
*Jan 2 00:57:37.751: ISAKMP: Config payload REQUEST
*Jan 2 00:57:37.751: ISAKMP:(2023):checking request:
*Jan 2 00:57:37.751: ISAKMP: IP4_ADDRESS
*Jan 2 00:57:37.751: ISAKMP: IP4_NETMASK
*Jan 2 00:57:37.751: ISAKMP: IP4_DNS
*Jan 2 00:57:37.751: ISAKMP: IP4_NBNS
*Jan 2 00:57:37.751: ISAKMP: ADDRESS_EXPIRY
*Jan 2 00:57:37.751: ISAKMP: APPLICATION_VERSION
*Jan 2 00:57:37.751: ISAKMP: Client Version is : Cisco Systems VPN Client 10.12.3:Mac OS Xp
*Jan 2 00:57:37.751: ISAKMP: MODECFG_BANNER
*Jan 2 00:57:37.751: ISAKMP: DEFAULT_DOMAIN
*Jan 2 00:57:37.751: ISAKMP: SPLIT_DNS
*Jan 2 00:57:37.751: ISAKMP: SPLIT_INCLUDE
*Jan 2 00:57:37.751: ISAKMP: INCLUDE_LOCAL_LAN
*Jan 2 00:57:37.751: ISAKMP: PFS
*Jan 2 00:57:37.751: ISAKMP: MODECFG_SAVEPWD
*Jan 2 00:57:37.751: ISAKMP: FW_RECORD
*Jan 2 00:57:37.751: ISAKMP: BACKUP_SERVER
*Jan 2 00:57:37.751: ISAKMP: MODECFG_BROWSER_PROXY
*Jan 2 00:57:37.751: ISAKMP:(2023):ISAKMP/author: setting up the authorization request for MY_GROUP
*Jan 2 00:57:37.755: ISAKMP/author: Author request for group MY_GROUPsuccessfully sent to AAA
*Jan 2 00:57:37.755: ISAKMP:(2023):Input = IKE_MESG_FROM_PEER, IKE_CFG_REQUEST
*Jan 2 00:57:37.755: ISAKMP:(2023):Old State = IKE_P1_COMPLETE New State = IKE_CONFIG_AUTHOR_AAA_AWAIT

*Jan 2 00:57:37.755: ISAKMP:(0):ISAKMP/author: received callback from AAA
AAA/AUTHOR/IKE: Processing AV tunnel-password
AAA/AUTHOR/IKE: Processing AV addr-pool
AAA/AUTHOR/IKE: Processing AV inacl
AAA/AUTHOR/IKE: Processing AV dns-servers
AAA/AUTHOR/IKE: Processing AV wins-servers
*Jan 2 00:57:37.755:
AAA/AUTHOR/IKE: no WINS addresses
AAA/AUTHOR/IKE: Processing AV save-password
AAA/AUTHOR/IKE: Processing AV route-metric
*Jan 2 00:57:37.755: ISAKMP:(2023):ISAKMP/author: No Class attributes
*Jan 2 00:57:37.755: ISAKMP:(2023):attributes sent in message:
*Jan 2 00:57:37.755: Address: 0.2.0.0
*Jan 2 00:57:37.759: ISAKMP:(2023):allocating address 192.168.1.168
*Jan 2 00:57:37.759: ISAKMP: Sending private address: 192.168.1.168
*Jan 2 00:57:37.759: ISAKMP: Sending subnet mask: 255.255.255.0
*Jan 2 00:57:37.759: ISAKMP: Sending IP4_DNS server address: 192.168.1.1
*Jan 2 00:57:37.759: ISAKMP: Sending ADDRESS_EXPIRY seconds left to use the address: 3596
*Jan 2 00:57:37.759: ISAKMP: Sending APPLICATION_VERSION string: Cisco IOS Software, C860 Software (C860-UNIVERSALK9-M), Version 15.4(3)M5, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2016 by Cisco Systems, Inc.
Compiled Tue 09-Feb-16 07:08 by prod_rel_team
*Jan 2 00:57:37.759: ISAKMP: Sending split include name 110 network 192.168.1.0 mask 255.255.255.0 protocol 0, src port 0, dst port 0

*Jan 2 00:57:37.759: ISAKMP: Sending save password reply value 1
*Jan 2 00:57:37.759: ISAKMP:(2023): responding to peer config from 185.46.220.130. ID = 3769403871
*Jan 2 00:57:37.759: ISAKMP: Marking node 3769403871 for late deletion
*Jan 2 00:57:37.759: ISAKMP:(2023): sending packet to 185.46.220.130 my_port 4500 peer_port 4500 (R) CONF_ADDR
*Jan 2 00:57:37.759: ISAKMP:(2023):Sending an IKE IPv4 Packet.
*Jan 2 00:57:37.759: ISAKMP:(2023):Talking to a Unity Client
*Jan 2 00:57:37.759: ISAKMP:(0):Can't decrement IKE Call Admission Control stat phase1dot5 negotiating since it's already 0.
*Jan 2 00:57:37.759: ISAKMP:(2023):Input = IKE_MESG_FROM_AAA, IKE_AAA_GROUP_ATTR
*Jan 2 00:57:37.763: ISAKMP:(2023):Old State = IKE_CONFIG_AUTHOR_AAA_AWAIT New State = IKE_P1_COMPLETE

*Jan 2 00:57:37.763: ISAKMP:FSM error - Message from AAA grp/user.

*Jan 2 00:57:37.763: ISAKMP:(2023):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Jan 2 00:57:37.763: ISAKMP:(2023):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

*Jan 2 00:57:52.759: ISAKMP:(2023): retransmitting phase 2 QM_IDLE -525563425 ...
*Jan 2 00:57:52.759: ISAKMP (2023): incrementing error counter on node, attempt 1 of 5: retransmit phase 2
*Jan 2 00:57:52.759: ISAKMP:(2023): retransmitting phase 2 -525563425 QM_IDLE
*Jan 2 00:57:52.759: ISAKMP:(2023): sending packet to 185.46.220.130 my_port 4500 peer_port 4500 (R) QM_IDLE
*Jan 2 00:57:52.759: ISAKMP:(2023):Sending an IKE IPv4 Packet.
*Jan 2 00:57:53.839: ISAKMP (2023): received packet from 185.46.220.130 dport 4500 sport 4500 Global (R) QM_IDLE
*Jan 2 00:57:53.839: ISAKMP: set new node -350826880 to QM_IDLE
*Jan 2 00:57:53.839: ISAKMP:(2023): processing HASH payload. message ID = 3944140416
*Jan 2 00:57:53.839: ISAKMP:(2023): processing DELETE payload. message ID = 3944140416
*Jan 2 00:57:53.839: ISAKMP:(2023):peer does not do paranoid keepalives.

*Jan 2 00:57:53.839: ISAKMP:(2023):Enqueued KEY_MGR_DELETE_SAS for IPSEC SA (SPI:0x0)
*Jan 2 00:57:53.839: ISAKMP:(2023):peer does not do paranoid keepalives.

*Jan 2 00:57:53.839: ISAKMP:(2023):deleting SA reason "No reason" state (R) QM_IDLE (peer 185.46.220.130)
*Jan 2 00:57:53.839: ISAKMP:(2023):deleting node -350826880 error FALSE reason "Informational (in) state 1"
*Jan 2 00:57:53.843: ISAKMP: set new node 912153433 to QM_IDLE
*Jan 2 00:57:53.843: ISAKMP:(2023): sending packet to 185.46.220.130 my_port 4500 peer_port 4500 (R) QM_IDLE
*Jan 2 00:57:53.843: ISAKMP:(2023):Sending an IKE IPv4 Packet.
*Jan 2 00:57:53.843: ISAKMP:(2023):purging node 912153433
*Jan 2 00:57:53.843: ISAKMP:(2023):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Jan 2 00:57:53.843: ISAKMP:(2023):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA

*Jan 2 00:57:53.843: ISAKMP:(2023):deleting SA reason "No reason" state (R) QM_IDLE (peer 185.46.220.130)
*Jan 2 00:57:53.847: ISAKMP (2023): returning address 192.168.1.168 to pool
*Jan 2 00:57:53.847: ISAKMP: Unlocking peer struct 0x853DF284 for isadb_mark_sa_deleted(), count 0
*Jan 2 00:57:53.847: ISAKMP: returning address 192.168.1.168 to pool
*Jan 2 00:57:53.847: ISAKMP: Deleting peer node by peer_reap for 185.46.220.130: 853DF284
*Jan 2 00:57:53.847: ISAKMP: returning address 192.168.1.168 to pool
*Jan 2 00:57:53.847: ISAKMP:(2023):deleting node -525563425 error FALSE reason "IKE deleted"
*Jan 2 00:57:53.847: ISAKMP:(2023):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jan 2 00:57:53.847: ISAKMP:(2023):Old State = IKE_DEST_SA New State = IKE_DEST_SA

Does anyone have an idea what is wrong?
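
Added example, not part of the original post: a small Python parser for `debug crypto isakmp` output like the log above, listing which Phase 1 proposals the router's policy rejected and why, the FSM state transitions, and the lines that mark the stall. The sample lines are excerpted and shortened from the log in the post; the function and field names are illustrative.

```python
import re

# Lines excerpted (and shortened) from the debug output in the post above.
SAMPLE_LOG = """\
*Jan 2 00:57:34.135: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*Jan 2 00:57:34.135: ISAKMP: encryption AES-CBC
*Jan 2 00:57:34.135: ISAKMP: keylength of 256
*Jan 2 00:57:34.135: ISAKMP: hash SHA
*Jan 2 00:57:34.135: ISAKMP: default group 2
*Jan 2 00:57:34.135: ISAKMP:(0):Proposed key length does not match policy
*Jan 2 00:57:34.135: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Jan 2 00:57:34.135: ISAKMP:(0):Checking ISAKMP transform 2 against priority 10 policy
*Jan 2 00:57:34.135: ISAKMP: encryption AES-CBC
*Jan 2 00:57:34.135: ISAKMP: keylength of 256
*Jan 2 00:57:34.135: ISAKMP: hash MD5
*Jan 2 00:57:34.135: ISAKMP: default group 2
*Jan 2 00:57:34.135: ISAKMP:(0):Hash algorithm offered does not match policy!
*Jan 2 00:57:34.135: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Jan 2 00:57:34.135: ISAKMP:(0):Checking ISAKMP transform 3 against priority 10 policy
*Jan 2 00:57:34.139: ISAKMP: encryption AES-CBC
*Jan 2 00:57:34.139: ISAKMP: keylength of 128
*Jan 2 00:57:34.139: ISAKMP: hash SHA
*Jan 2 00:57:34.139: ISAKMP: default group 2
*Jan 2 00:57:34.139: ISAKMP:(0):atts are acceptable. Next payload is 3
*Jan 2 00:57:34.387: ISAKMP:(2023):Old State = IKE_R_AM2 New State = IKE_P1_COMPLETE
*Jan 2 00:57:37.763: ISAKMP:(2023):Old State = IKE_CONFIG_AUTHOR_AAA_AWAIT New State = IKE_P1_COMPLETE
*Jan 2 00:57:37.763: ISAKMP:FSM error - Message from AAA grp/user.
*Jan 2 00:57:52.759: ISAKMP:(2023): retransmitting phase 2 QM_IDLE -525563425 ...
*Jan 2 00:57:53.839: ISAKMP:(2023): processing DELETE payload. message ID = 3944140416
*Jan 2 00:57:53.843: ISAKMP:(2023):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA
"""

STAMP = re.compile(r"^\*(\w{3}\s+\d+\s+[\d:.]+):\s*(.*)$")
CHECK = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
ATTR = re.compile(r"^ISAKMP:\s+(encryption|keylength of|hash|default group)\s+(\S+)")
MISMATCH = re.compile(r"ISAKMP:\(\d+\):\s*(.+ does not match policy)")
STATE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
NOTABLE = re.compile(r"FSM error|Unknown Input|retransmitting phase 2 QM_IDLE|processing DELETE payload")
ATTR_NAMES = {"keylength of": "keylength", "default group": "dh_group"}


def parse_isakmp_debug(log):
    """Return (proposals, transitions, notable) extracted from ISAKMP debug text."""
    proposals, transitions, notable = [], [], []
    current = None  # proposal whose attribute lines are being read
    for raw in log.splitlines():
        m = STAMP.match(raw.strip())
        if not m:
            continue  # continuation lines (ID payload fields, AAA AV lines) have no timestamp
        stamp, msg = m.groups()
        if (c := CHECK.search(msg)):
            current = {"transform": int(c.group(1)), "priority": int(c.group(2)),
                       "attrs": {}, "accepted": None, "reason": None}
            proposals.append(current)
        elif current is not None and (a := ATTR.match(msg)):
            current["attrs"][ATTR_NAMES.get(a.group(1), a.group(1))] = a.group(2)
        elif current is not None and (mm := MISMATCH.search(msg)):
            current["reason"] = mm.group(1)
        elif current is not None and "atts are " in msg:
            current["accepted"] = "atts are acceptable" in msg
            current = None  # verdict line closes the proposal
        if (s := STATE.search(msg)):
            transitions.append((stamp, s.group(1), s.group(2)))
        if NOTABLE.search(msg):
            notable.append((stamp, msg))
    return proposals, transitions, notable


def summarize(log):
    """Condense the parse into the facts needed to triage a failed session."""
    proposals, transitions, notable = parse_isakmp_debug(log)
    accepted = next((p for p in proposals if p["accepted"]), None)
    return {
        "accepted": accepted["attrs"] if accepted else None,
        "rejected": [(p["transform"], p["reason"]) for p in proposals if p["accepted"] is False],
        "phase1_complete": any(new == "IKE_P1_COMPLETE" for _, _, new in transitions),
        "final_state": transitions[-1][2] if transitions else None,
        "notable": [msg for _, msg in notable],
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

On the excerpt, the only offer accepted against policy 10 is AES-CBC 128 / SHA / group 2, and the session ends in `IKE_DEST_SA` after the FSM error, a Phase 2 retransmit and the peer's DELETE.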
