09-17-2015 07:46 AM - edited 02-21-2020 08:28 PM
Hello,
I have a site-to-site VPN topology on my network between a 2911 and an 1800 router; it works properly and there are no communication problems.
But in the show logging on the 2911 I can see a lot of these messages:
%CRYPTO-5-IPSEC_SETUP_FAILURE: IPSEC SETUP FAILED for local:<local_IP> local_id:<local_ID> remote:<remote_IP> remote_id:<remote_ID> IKE profile:None fvrf:None fail_reason:IPSec Proposal failure fail_class_cnt:1
%CRYPTO-5-IPSEC_SETUP_FAILURE: IPSEC SETUP FAILED for local:<local_IP> local_id:<local_ID> remote:<remote_IP> remote_id:<remote_ID> IKE profile:None fvrf:None fail_reason:IPSec Proposal failure fail_class_cnt:2
What do you suggest I do to resolve this issue?
09-21-2015 08:20 PM
Can you check if the crypto ACLs on both routers are configured with the same entries?
It looks like the local router is trying to set up a phase 2 SA for the local and remote IDs specified in the logs and is not able to establish that SA.
Please check whether or not you want to set up the IPsec SA between those subnets.
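As an added example (not from the thread), a small Python helper that parses the IPSEC_SETUP_FAILURE lines quoted above, counts failures per local_id/remote_id pair so the noisy selector stands out, and flags pairs the peer's crypto ACL does not mirror. The identity format net/mask/proto/port, the sample log lines and the peer ACL are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Pattern for the %CRYPTO-5-IPSEC_SETUP_FAILURE line format quoted in the thread.
LINE_RE = re.compile(
    r"%CRYPTO-5-IPSEC_SETUP_FAILURE: IPSEC SETUP FAILED for "
    r"local:(?P<local>\S+) local_id:(?P<local_id>\S+) "
    r"remote:(?P<remote>\S+) remote_id:(?P<remote_id>\S+) "
    r"IKE profile:(?P<profile>\S+) fvrf:(?P<fvrf>\S+) "
    r"fail_reason:(?P<reason>.+?) fail_class_cnt:(?P<count>\d+)"
)

# Constructed sample: two failures for one selector pair, one for another, one unrelated line.
SAMPLE_LOG = """\
*Sep 17 07:40:01.100: %CRYPTO-5-IPSEC_SETUP_FAILURE: IPSEC SETUP FAILED for local:203.0.113.1 local_id:192.168.10.0/255.255.255.0/0/0 remote:198.51.100.7 remote_id:10.20.0.0/255.255.255.0/0/0 IKE profile:None fvrf:None fail_reason:IPSec Proposal failure fail_class_cnt:1
*Sep 17 07:40:31.100: %CRYPTO-5-IPSEC_SETUP_FAILURE: IPSEC SETUP FAILED for local:203.0.113.1 local_id:192.168.10.0/255.255.255.0/0/0 remote:198.51.100.7 remote_id:10.20.0.0/255.255.255.0/0/0 IKE profile:None fvrf:None fail_reason:IPSec Proposal failure fail_class_cnt:2
*Sep 17 07:41:01.100: %CRYPTO-5-IPSEC_SETUP_FAILURE: IPSEC SETUP FAILED for local:203.0.113.1 local_id:192.168.30.0/255.255.255.0/0/0 remote:198.51.100.7 remote_id:10.20.0.0/255.255.255.0/0/0 IKE profile:None fvrf:None fail_reason:IPSec Proposal failure fail_class_cnt:1
*Sep 17 07:41:05.000: %SYS-5-CONFIG_I: Configured from console by admin
"""

# Constructed peer crypto ACL as (source, destination) networks seen from the peer's side.
PEER_CRYPTO_ACL = [("10.20.0.0/24", "192.168.10.0/24")]


def parse_failures(log_text):
    """Return one dict of named fields per matching line; other lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.search, log_text.splitlines()) if m]


def id_to_network(ident):
    """Assumption: phase 2 identities are 'net/mask/proto/port'; only net/mask are used."""
    net, mask = ident.split("/")[:2]
    return ipaddress.ip_network(f"{net}/{mask}", strict=False)


def failing_selectors(log_text):
    """Count failures per (local_id, remote_id, reason) so the repeating pair stands out."""
    return Counter((f["local_id"], f["remote_id"], f["reason"])
                   for f in parse_failures(log_text))


def unmirrored_selectors(log_text, peer_acl):
    """Selector pairs from the log that the peer's crypto ACL does not mirror.
    The peer must list the same pair with source and destination swapped."""
    peer = {(ipaddress.ip_network(s), ipaddress.ip_network(d)) for s, d in peer_acl}
    missing = set()
    for local_id, remote_id, _reason in failing_selectors(log_text):
        if (id_to_network(remote_id), id_to_network(local_id)) not in peer:
            missing.add((local_id, remote_id))
    return sorted(missing)
```

Feed it the output of `show logging` and the crypto ACL from the far end; any pair it reports is either missing from the peer's ACL or traffic you do not actually want a phase 2 SA for.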
01-21-2016 01:44 AM
Pjain2
I have the same problem as stated by the OP: the tunnel is up, PH1 & PH2 with active SAs.
Also, I can reach the remote end. I see encryption/decryption and no increase in the error packets.
But this thing keeps displaying on the screen.
It's a 3800 router with a SonicWall firewall (can't remember the IOS on the device, though).
Thanks in advance,
Lance
01-21-2016 06:03 AM
Lance
Can you post the crypto configuration from your router? This might help us to identify the issue. Certainly one thing to look for is the possibility mentioned by Pjain2 that the router is attempting to negotiate an SA for a second address in the crypto access list. If we look at the config and do not find an explanation, then the next step would be to run debug for crypto IPsec, which may supply information about what is going on.
It would be helpful if you would post examples of a couple of the log messages that you are seeing. The original poster carefully blanked out all of the identifying information. If we could see that information it may relate to what we are looking at in the config.
HTH
Rick
01-21-2016 08:07 AM
Hi Richard,
Ignore this, I just got the customer to clear the session, voilà, no errors any more :D
Awww
Thanks for the response though, much appreciated.
Regards,
The cool Lancellot
01-21-2016 08:21 AM
Glad you were able to clear it. Thanks for letting us know.
HTH
Rick