03-31-2006 08:36 AM - edited 02-21-2020 02:20 PM
Hi,
I'm trying to bring up an IPSec tunnel between a Cisco IOS 6500 switch and a third party Nortel Alteon firewall.
Stage 1 is failing but the policy configuration looks the same at each end.
Debug output:
*Mar 31 15:33:39.836: ISAKMP:(0:5:HW:2): beginning Main Mode exchange
*Mar 31 15:33:39.836: ISAKMP:(0:5:HW:2): sending packet to 10.129.224.158 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 31 15:33:39.848: ISAKMP (0:268435461): received packet from 10.129.224.158 dport 500 sport 500 Global (I) MM_NO_STATE
*Mar 31 15:33:39.848: ISAKMP:(0:5:HW:2):Couldn't find node: message_id 1241674452
*Mar 31 15:33:39.848: ISAKMP:(0:5:HW:2):Unknown Input: state = IKE_I_MM1, major, minor = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Mar 31 15:33:39.848: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 10.129.224.158
I can't find any explanation of the "couldn't find node" error anywhere on CCO. The debug reports a response from the peer on protocol 500 so it looks like the two peers can see each other.
Anyone got any ideas?
04-04-2006 01:57 AM
Hi
You need to verify the following parameters on both sides to overcome this error message...
Encryption DES or 3DES
Hash MD5 or SHA
Diffie-Hellman Group 1 or 2
Authentication {rsa-sig | rsa-encr | pre-share}
For more info, do refer to this link..
regds
04-04-2006 02:22 AM
Thanks for the response.
From what the engineer working on the Nortel told me, the parameters matched ours, so there was no obvious reason why the tunnel didn't come up.
Having changed their end from pre-share to rsa and then back again, the tunnel came up!
Strange.
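Added example, not part of the original thread and not Cisco or Nortel code: a small Python triage of the debug excerpt from the first post, showing that the peer did reply and that its reply was a notify received while the initiator was still in IKE_I_MM1, which is the point at which the reply above suggests comparing phase 1 parameters. The function names, the dictionary keys and the verdict wording are assumptions of this example.

```python
import re

# Debug lines from the first post, re-joined after the 80-column terminal wrap.
SAMPLE_DEBUG = """\
*Mar 31 15:33:39.836: ISAKMP:(0:5:HW:2): beginning Main Mode exchange
*Mar 31 15:33:39.836: ISAKMP:(0:5:HW:2): sending packet to 10.129.224.158 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 31 15:33:39.848: ISAKMP (0:268435461): received packet from 10.129.224.158 dport 500 sport 500 Global (I) MM_NO_STATE
*Mar 31 15:33:39.848: ISAKMP:(0:5:HW:2):Couldn't find node: message_id 1241674452
*Mar 31 15:33:39.848: ISAKMP:(0:5:HW:2):Unknown Input: state = IKE_I_MM1, major, minor = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Mar 31 15:33:39.848: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 10.129.224.158
"""

IP = r"(\d+(?:\.\d+){3})"
SENT = re.compile(r"sending packet to " + IP)
RECV = re.compile(r"received packet from " + IP)
INPUT = re.compile(r"state = (\w+), major, minor = (\w+), (\w+)")
FAIL = re.compile(r"IKMP_MODE_FAILURE: Processing of (\w+) mode failed with peer at " + IP)

def triage(debug_text):
    """Collect per-peer facts from IOS ISAKMP debug text."""
    peers, last = {}, None
    def rec(ip):
        return peers.setdefault(ip, {"sent": 0, "received": 0, "notify_state": None, "failed_mode": None})
    for line in debug_text.splitlines():
        if m := SENT.search(line):
            last = m.group(1)
            rec(last)["sent"] += 1
        elif m := RECV.search(line):
            last = m.group(1)
            rec(last)["received"] += 1
        elif (m := INPUT.search(line)) and last:
            # Assumption: an "Unknown Input" line belongs to the peer seen last.
            state, major, minor = m.groups()
            if (major, minor) == ("IKE_MESG_FROM_PEER", "IKE_INFO_NOTIFY"):
                rec(last)["notify_state"] = state
        elif m := FAIL.search(line):
            rec(m.group(2))["failed_mode"] = m.group(1)
    return peers

def verdict(facts):
    """Turn the collected facts into a next step (wording is this example's own)."""
    if facts["sent"] and not facts["received"]:
        return "no reply from peer: check reachability on port 500"
    if facts["notify_state"] == "IKE_I_MM1":
        return "peer answered the first Main Mode message with a notify: compare phase 1 parameters on both ends"
    return "no known failure pattern in this excerpt"

if __name__ == "__main__":
    for ip, facts in triage(SAMPLE_DEBUG).items():
        print(ip, facts, "->", verdict(facts))
```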