08-07-2015 07:57 PM - edited 02-21-2020 08:23 PM
HI,
Can anybody help me, We have configured Crypto ISAKMP VPN tunnel in router. But the tunnel is going down automatically and not coming up.
as searched and suggested in many discussions in support forums and others, we have enabled debug and found the below errors in loggings.
below is the debug information right now.
cking ISAKMP transform 7 against priority 65535 policy
005211: *Aug 7 21:35:42.149 UTC: ISAKMP: encryption DES-CBC
005212: *Aug 7 21:35:42.149 UTC: ISAKMP: hash SHA
005213: *Aug 7 21:35:42.149 UTC: ISAKMP: auth pre-share
005214: *Aug 7 21:35:42.149 UTC: ISAKMP: default group 1
005215: *Aug 7 21:35:42.149 UTC: ISAKMP: life type in seconds
005216: *Aug 7 21:35:42.149 UTC: ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
005217: *Aug 7 21:35:42.149 UTC: ISAKMP:(0:0:N/A:0):Authentication method offered does not match policy!
005218: *Aug 7 21:35:42.149 UTC: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
005219: *Aug 7 21:35:42.149 UTC: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 8 against priority 65535 policy
005220: *Aug 7 21:35:42.149 UTC: ISAKMP: encryption DES-CBC
005221: *Aug 7 21:35:42.149 UTC: ISAKMP: hash MD5
005222: *Aug 7 21:35:42.149 UTC: ISAKMP: auth pre-share
005223: *Aug 7 21:35:42.149 UTC: ISAKMP: default group 1
005224: *Aug 7 21:35:42.149 UTC: ISAKMP: life type in seconds
005225: *Aug 7 21:35:42.149 UTC: ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
005226: *Aug 7 21:35:42.149 UTC: ISAKMP:(0:0:N/A:0):Hash algorithm offered does not match policy!
005227: *Aug 7 21:35:42.149 UTC: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 0
005228: *Aug 7 21:35:42.149 UTC: ISAKMP:(0:0:N/A:0):no offers accepted!
005229: *Aug 7 21:35:42.149 UTC: ISAKMP:(0:0:N/A:0): phase 1 SA policy not acceptable! (local x.x.x.x remote x.x.x.x)
005230: *Aug 7 21:35:42.149 UTC: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: construct_fail_ag_init
005231: *Aug 7 21:35:42.149 UTC: ISAKMP:(0:0:N/A:0): sending packet to x.x.x.x my_port 500 peer_port 60105 (R) MM_NO_STATE
005232: *Aug 7 21:35:42.149 UTC: ISAKMP:(0:0:N/A:0):peer does not do paranoid keepalives.
005233: *Aug 7 21:35:42.149 UTC: ISAKMP:(0:0:N/A:0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer x.x.x.x)
005234: *Aug 7 21:35:42.149 UTC: ISAKMP (0:0): FSM action returned error: 2
005235: *Aug 7 21:35:42.149 UTC: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
005236: *Aug 7 21:35:42.149 UTC: ISAKMP:(0:0:N/A:0):Old State = IKE_R_MM1 New State = IKE_R_MM1
005237: *Aug 7 21:35:42.153 UTC: ISAKMP:(0:0:N/A:0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer x.x.x.x)
005238: *Aug 7 21:35:42.153 UTC: ISAKMP: Unlocking IKE struct 0x62F9757C for isadb_mark_sa_deleted(), count 0
005239: *Aug 7 21:35:42.153 UTC: ISAKMP: Deleting peer node by peer_reap for x.x.x.x: 62F9757C
005240: *Aug 7 21:35:42.153 UTC: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
005241: *Aug 7 21:35:42.153 UTC: ISAKMP:(0:0:N/A:0):Old State = IKE_R_MM1 New State = IKE_DEST_SA
005242: *Aug 7 21:35:42.153 UTC: IPSEC(key_engine): got a queue event with 1 kei messages
005243: *Aug 7 21:35:42.153 UTC: ISAKMP:(0:0:N/A:0):deleting SA reason "No reason" state (R) MM_NO_STATE (peer x.x.x.x)
005244: *Aug 7 21:35:42.153 UTC: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_ERROR
005245: *Aug 7 21:35:42.153 UTC: ISAKMP:(0:0:N/A:0):Old State = IKE_DEST_SA New State = IKE_DEST_SA
005246: *Aug 7 21:36:42.153 UTC: ISAKMP:(0:0:N/A:0):purging SA., sa=63C576D4, delme=63C576D4
005247: *Aug 7 21:36:49.005 UTC: crypto_engine: generate public/private keypair
005248: *Aug 7 22:36:50.045 UTC: crypto_engine: generate public/private keypair
005249: *Aug 7 23:36:52.457 UTC: crypto_engine: generate public/private keypair
005250: *Aug 8 00:36:53.165 UTC: crypto_engine: generate public/private keypair
005251: *Aug 8 01:27:49.440 UTC: CRYPTO_ENGINE: key process suspended and continued
005252: *Aug 8 01:29:22.888 UTC: CRYPTO_ENGINE: key process suspended and continued
005253: *Aug 8 01:36:53.748 UTC: crypto_engine: generate public/private keypair
005254: *Aug 8 02:29:23.500 UTC: CRYPTO_ENGINE: key process suspended and continued
08-07-2015 09:17 PM
Please help ASAP. This is bit urgent
08-09-2015 11:13 PM
Hi,
please find the attached config file details.
Note : Attached file is the previous running config before configure the ISAKMP.
please suggest us for the enable the ISAKMP in the same router also if required we will attach my another end router config file to close this ASAP.
08-10-2015 05:31 AM
Where is the config ?
usually both sides must agree on everything related to the tunnel.
08-08-2015 12:39 AM
Look at your ISAKMP Policy:
005229: *Aug 7 21:35:42.149 UTC: ISAKMP:(0:0:N/A:0): phase 1 SA policy not acceptable! (local x.x.x.x remote x.x.x.x)
> Please help ASAP. This is bit urgent
If it's urgent, it's probably better to ask Cisco TAC. They are available 24/7.
08-08-2015 02:26 AM
Hi Karsten,
Please help me to sort out the issue.
Below is the policy configured in both peers. There is no mismatch.
Global IKE policy
Protection suite of priority 1
encryption algorithm: Three key triple DES
hash algorithm: Message Digest 5
authentication method: Pre-Shared Key
Diffie-Hellman group: #2 (1024 bit)
lifetime: 1440 seconds, no volume limit
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
08-08-2015 05:48 AM
> Below is the policy configured in both peers. There is no mismatch.
If they really match, then there must be a some other config that is conflicting. Hard to say without seeing the config.
08-10-2015 05:15 AM
Please help us to configure the crypto isakmp . configuration has attached already.
Looking forward hear from you.
08-10-2015 05:39 AM
> configuration has attached already.
Where is the config attached?
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide