02-25-2014 04:45 PM
Hi guys
I'm having some trouble getting phase 2 up in this site to site.
I have a server on the inside that needs to do some SNMP polling on a server at a customer location over a site to site.
Internal server 10.10.10.10, remote server 10.172.100.20.
My internal server, after doing a traceroute, doesn't seem to know a route when I try to hit that remote server, so what I did was create an object NAT.
We have other customers we monitor, but we usually put our own ASA at their location for the site to site, however not in this case, so I'm using the customer's SonicWall. We have an IP range defined for these monitoring customers of 10.2.255.x /29, so I made a new object for the remote server and called it 10.2.255.97 and am NATing to the actual IP of 10.170.100.20.
Phase 1 comes up fine, but phase 2 will not. I have screen shots of the SonicWall setup, and all config is fine. I'm thinking this idea of trying to use a NAT to that server is screwing me over. Anyone ever do anything like this at all?
Thanks
02-25-2014 06:57 PM
Hi Steve,
Can you post your config? Particularly the ACL you are using to match VPN traffic. And what version of code are you using?
Regards,
Mike
02-26-2014 05:44 AM
Thanks for the reply. Tons of config, so here's what's relevant. If I miss anything, let me know. Debugs added for your viewing pleasure...
crypto map outside_map 10 match address outside_cryptomap_2
crypto map outside_map 10 set peer x.x.x.x
crypto map outside_map 10 set ikev1 transform-set ESP-DES-SHA ESP-DES-MD5 ESP-3DES-MD5 ESP-AES-256-MD5 ESP-AES-192-MD5 ESP-AES-192-SHA ESP-AES-128-MD5 ESP-AES-128-SHA ESP-3DES-SHA ESP-AES-256-SHA
access-list outside_cryptomap_2 extended permit ip object INTERNAL_SERVER object 10.2.255.97_RemoteServer_NAT
object network 10.2.255.97_RemoteServer_NAT
host 10.2.255.97
object network 10.2.255.97_RemoteServer_NAT
nat (inside,outside) static 10.172.100.20 <--remote server
group-policy GroupPolicy_x.x.x.x internal
group-policy GroupPolicy_x.x.x.x attributes
vpn-tunnel-protocol ikev1
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x general-attributes
default-group-policy GroupPolicy_x.x.x.x
tunnel-group x.x.x.x ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
Feb 26 07:36:57 [IKEv1]IP = RemotePeerIPx.x.x.x, IKE Initiator: New Phase 1, Intf inside, IKE Peer RemotePeerIPx.x.x.x local Proxy Address 10.172.100.20, remote Proxy Address 10.2.255.97, Crypto map (outside_map)
Feb 26 07:36:57 [IKEv1 DEBUG]IP = RemotePeerIPx.x.x.x, constructing ISAKMP SA payload
Feb 26 07:36:57 [IKEv1 DEBUG]IP = RemotePeerIPx.x.x.x, constructing NAT-Traversal VID ver 02 payload
Feb 26 07:36:57 [IKEv1 DEBUG]IP = RemotePeerIPx.x.x.x, constructing NAT-Traversal VID ver 03 payload
Feb 26 07:36:57 [IKEv1 DEBUG]IP = RemotePeerIPx.x.x.x, constructing NAT-Traversal VID ver RFC payload
Feb 26 07:36:57 [IKEv1 DEBUG]IP = RemotePeerIPx.x.x.x, constructing Fragmentation VID + extended capabilities payload
Feb 26 07:36:57 [IKEv1]IP = RemotePeerIPx.x.x.x, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 284
Feb 26 07:36:57 [IKEv1]IP = RemotePeerIPx.x.x.x, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 120
Feb 26 07:36:57 [IKEv1 DEBUG]IP = RemotePeerIPx.x.x.x, processing SA payload
Feb 26 07:36:57 [IKEv1 DEBUG]IP = RemotePeerIPx.x.x.x, Oakley proposal is acceptable
Feb 26 07:36:57 [IKEv1 DEBUG]IP = RemotePeerIPx.x.x.x, processing VID payload
Feb 26 07:36:57 [IKEv1 DEBUG]IP = RemotePeerIPx.x.x.x, Received xauth V6 VID
Feb 26 07:36:57 [IKEv1 DEBUG]IP = RemotePeerIPx.x.x.x, processing VID payload
Feb 26 07:36:57 [IKEv1 DEBUG]IP = RemotePeerIPx.x.x.x, Received NAT-Traversal ver 02 VID
Feb 26 07:36:57 [IKEv1 DEBUG]IP = RemotePeerIPx.x.x.x, constructing ke payload
Feb 26 07:36:57 [IKEv1 DEBUG]IP = RemotePeerIPx.x.x.x, constructing nonce payload
Feb 26 07:36:57 [IKEv1 DEBUG]IP = RemotePeerIPx.x.x.x, constructing Cisco Unity VID payload
Feb 26 07:36:57 [IKEv1 DEBUG]IP = RemotePeerIPx.x.x.x, constructing xauth V6 VID payload
Feb 26 07:36:57 [IKEv1 DEBUG]IP = RemotePeerIPx.x.x.x, Send IOS VID
Feb 26 07:36:57 [IKEv1 DEBUG]IP = RemotePeerIPx.x.x.x, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Feb 26 07:36:57 [IKEv1 DEBUG]IP = RemotePeerIPx.x.x.x, constructing VID payload
Feb 26 07:36:57 [IKEv1 DEBUG]IP = RemotePeerIPx.x.x.x, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Feb 26 07:36:57 [IKEv1 DEBUG]IP = RemotePeerIPx.x.x.x, constructing NAT-Discovery payload
Feb 26 07:36:57 [IKEv1 DEBUG]IP = RemotePeerIPx.x.x.x, computing NAT Discovery hash
Feb 26 07:36:57 [IKEv1 DEBUG]IP = RemotePeerIPx.x.x.x, constructing NAT-Discovery payload
Feb 26 07:36:57 [IKEv1 DEBUG]IP = RemotePeerIPx.x.x.x, computing NAT Discovery hash
Feb 26 07:36:57 [IKEv1]IP = RemotePeerIPx.x.x.x, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 304
Feb 26 07:36:57 [IKEv1]IP = RemotePeerIPx.x.x.x, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 220
Feb 26 07:36:57 [IKEv1 DEBUG]IP = RemotePeerIPx.x.x.x, processing ke payload
Feb 26 07:36:57 [IKEv1 DEBUG]IP = RemotePeerIPx.x.x.x, processing ISA_KE payload
Feb 26 07:36:57 [IKEv1 DEBUG]IP = RemotePeerIPx.x.x.x, processing nonce payload
Feb 26 07:36:57 [IKEv1 DEBUG]IP = RemotePeerIPx.x.x.x, processing NAT-Discovery payload
Feb 26 07:36:57 [IKEv1 DEBUG]IP = RemotePeerIPx.x.x.x, computing NAT Discovery hash
Feb 26 07:36:57 [IKEv1 DEBUG]IP = RemotePeerIPx.x.x.x, processing NAT-Discovery payload
Feb 26 07:36:57 [IKEv1 DEBUG]IP = RemotePeerIPx.x.x.x, computing NAT Discovery hash
Feb 26 07:36:57 [IKEv1]IP = RemotePeerIPx.x.x.x, Connection landed on tunnel_group RemotePeerIPx.x.x.x
Feb 26 07:36:57 [IKEv1 DEBUG]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, Generating keys for Initiator...
Feb 26 07:36:57 [IKEv1 DEBUG]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, constructing ID payload
Feb 26 07:36:57 [IKEv1 DEBUG]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, constructing hash payload
Feb 26 07:36:57 [IKEv1 DEBUG]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, Computing hash for ISAKMP
Feb 26 07:36:57 [IKEv1 DEBUG]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, constructing dpd vid payload
Feb 26 07:36:57 [IKEv1]IP = RemotePeerIPx.x.x.x, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + VENDOR (13) + NONE (0) total length : 84
Feb 26 07:36:57 [IKEv1]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, Automatic NAT Detection Status: Remote end is NOT behind a NAT device This end is NOT behind a NAT device
Feb 26 07:36:57 [IKEv1]IP = RemotePeerIPx.x.x.x, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + VENDOR (13) + NONE (0) total length : 84
Feb 26 07:36:57 [IKEv1 DEBUG]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, processing ID payload
Feb 26 07:36:57 [IKEv1 DEBUG]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, processing hash payload
Feb 26 07:36:57 [IKEv1 DEBUG]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, Computing hash for ISAKMP
Feb 26 07:36:57 [IKEv1 DEBUG]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, processing VID payload
Feb 26 07:36:57 [IKEv1 DEBUG]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, Received DPD VID
Feb 26 07:36:57 [IKEv1]IP = RemotePeerIPx.x.x.x, Connection landed on tunnel_group RemotePeerIPx.x.x.x
Feb 26 07:36:57 [IKEv1 DEBUG]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, Oakley begin quick mode
Feb 26 07:36:57 [IKEv1]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, PHASE 1 COMPLETED
Feb 26 07:36:57 [IKEv1]IP = RemotePeerIPx.x.x.x, Keep-alive type for this connection: DPD
Feb 26 07:36:57 [IKEv1 DEBUG]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, Starting P1 rekey timer: 64800 seconds.
Feb 26 07:36:57 [IKEv1 DEBUG]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, IKE got SPI from key engine: SPI = 0x4848d1bf
Feb 26 07:36:57 [IKEv1 DEBUG]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, IKE got SPI from key engine: SPI = 0x8de01337
Feb 26 07:36:57 [IKEv1 DEBUG]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, IKE got SPI from key engine: SPI = 0xc651facf
Feb 26 07:36:57 [IKEv1 DEBUG]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, IKE got SPI from key engine: SPI = 0x6de46d10
Feb 26 07:36:57 [IKEv1 DEBUG]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, IKE got SPI from key engine: SPI = 0x1a6bb9bb
Feb 26 07:36:57 [IKEv1 DEBUG]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, IKE got SPI from key engine: SPI = 0xb46ecb90
Feb 26 07:36:57 [IKEv1 DEBUG]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, IKE got SPI from key engine: SPI = 0xd39d77dd
Feb 26 07:36:57 [IKEv1 DEBUG]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, IKE got SPI from key engine: SPI = 0x12b15c5e
Feb 26 07:36:57 [IKEv1 DEBUG]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, IKE got SPI from key engine: SPI = 0x1b9b490d
Feb 26 07:36:57 [IKEv1 DEBUG]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, IKE got SPI from key engine: SPI = 0x2ce6cbf0
Feb 26 07:36:57 [IKEv1 DEBUG]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, oakley constucting quick mode
Feb 26 07:36:57 [IKEv1 DEBUG]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, constructing blank hash payload
Feb 26 07:36:57 [IKEv1 DEBUG]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, constructing IPSec SA payload
Feb 26 07:36:57 [IKEv1 DEBUG]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, constructing IPSec nonce payload
Feb 26 07:36:57 [IKEv1 DEBUG]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, constructing proxy ID
Feb 26 07:36:57 [IKEv1 DEBUG]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, Transmitting Proxy Id:
Local host: 10.172.100.20 Protocol 0 Port 0
Remote host: 10.2.255.97 Protocol 0 Port 0
Feb 26 07:36:57 [IKEv1 DEBUG]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, constructing qm hash payload
Feb 26 07:36:57 [IKEv1]IP = RemotePeerIPx.x.x.x, IKE_DECODE SENDING Message (msgid=dbc8a511) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 644
Feb 26 07:36:57 [IKEv1]IP = RemotePeerIPx.x.x.x, IKE_DECODE RECEIVED Message (msgid=e7b42a42) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 68
Feb 26 07:36:57 [IKEv1 DEBUG]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, processing hash payload
Feb 26 07:36:57 [IKEv1 DEBUG]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, processing notify payload
Feb 26 07:36:57 [IKEv1]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, Received non-routine Notify message: No proposal chosen (14)
Feb 26 07:37:05 [IKEv1]IP = RemotePeerIPx.x.x.x, IKE_DECODE RECEIVED Message (msgid=9c1586a2) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 68
Feb 26 07:37:05 [IKEv1 DEBUG]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, processing hash payload
Feb 26 07:37:05 [IKEv1 DEBUG]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, processing notify payload
Feb 26 07:37:05 [IKEv1]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, Received non-routine Notify message: No proposal chosen (14)
Feb 26 07:37:13 [IKEv1]IP = RemotePeerIPx.x.x.x, IKE_DECODE RECEIVED Message (msgid=cab41f38) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 68
Feb 26 07:37:13 [IKEv1 DEBUG]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, processing hash payload
Feb 26 07:37:13 [IKEv1 DEBUG]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, processing notify payload
Feb 26 07:37:13 [IKEv1]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, Received non-routine Notify message: No proposal chosen (14)
Feb 26 07:37:21 [IKEv1]IP = RemotePeerIPx.x.x.x, IKE_DECODE RECEIVED Message (msgid=eee718a9) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 68
Feb 26 07:37:21 [IKEv1 DEBUG]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, processing hash payload
Feb 26 07:37:21 [IKEv1 DEBUG]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, processing notify payload
Feb 26 07:37:21 [IKEv1]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, Received non-routine Notify message: No proposal chosen (14)
Feb 26 07:37:29 [IKEv1]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, QM FSM error (P2 struct &0x7486d8b8, mess id 0xdbc8a511)!
Feb 26 07:37:29 [IKEv1 DEBUG]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, IKE QM Initiator FSM error history (struct &0x7486d8b8)
Feb 26 07:37:29 [IKEv1 DEBUG]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, sending delete/delete with reason message
Feb 26 07:37:29 [IKEv1 DEBUG]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, constructing blank hash payload
Feb 26 07:37:29 [IKEv1 DEBUG]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, constructing IPSec delete payload
Feb 26 07:37:29 [IKEv1 DEBUG]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, constructing qm hash payload
Feb 26 07:37:29 [IKEv1]IP = RemotePeerIPx.x.x.x, IKE_DECODE SENDING Message (msgid=b3336872) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 68
Feb 26 07:37:29 [IKEv1 DEBUG]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, IKE Deleting SA: Remote Proxy 10.2.255.97, Local Proxy 10.172.100.20
Feb 26 07:37:29 [IKEv1 DEBUG]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, IKE Deleting SA: Remote Proxy 10.2.255.97, Local Proxy 10.172.100.20
Feb 26 07:37:29 [IKEv1 DEBUG]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, IKE Deleting SA: Remote Proxy 10.2.255.97, Local Proxy 10.172.100.20
Feb 26 07:37:29 [IKEv1 DEBUG]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, IKE Deleting SA: Remote Proxy 10.2.255.97, Local Proxy 10.172.100.20
Feb 26 07:37:29 [IKEv1 DEBUG]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, IKE Deleting SA: Remote Proxy 10.2.255.97, Local Proxy 10.172.100.20
Feb 26 07:37:29 [IKEv1 DEBUG]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, IKE Deleting SA: Remote Proxy 10.2.255.97, Local Proxy 10.172.100.20
Feb 26 07:37:29 [IKEv1 DEBUG]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, IKE Deleting SA: Remote Proxy 10.2.255.97, Local Proxy 10.172.100.20
Feb 26 07:37:29 [IKEv1 DEBUG]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, IKE Deleting SA: Remote Proxy 10.2.255.97, Local Proxy 10.172.100.20
Feb 26 07:37:29 [IKEv1 DEBUG]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, IKE Deleting SA: Remote Proxy 10.2.255.97, Local Proxy 10.172.100.20
Feb 26 07:37:29 [IKEv1 DEBUG]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, IKE Deleting SA: Remote Proxy 10.2.255.97, Local Proxy 10.172.100.20
Feb 26 07:37:29 [IKEv1]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, Removing peer from correlator table failed, no match!
Feb 26 07:37:29 [IKEv1 DEBUG]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, IKE SA MM:296c99ad rcv'd Terminate: state MM_ACTIVE flags 0x00008062, refcnt 1, tuncnt 0
Feb 26 07:37:29 [IKEv1 DEBUG]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, IKE SA MM:296c99ad terminating: flags 0x01008022, refcnt 0, tuncnt 0
Feb 26 07:37:29 [IKEv1 DEBUG]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, sending delete/delete with reason message
Feb 26 07:37:29 [IKEv1 DEBUG]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, constructing blank hash payload
Feb 26 07:37:29 [IKEv1 DEBUG]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, constructing IKE delete payload
Feb 26 07:37:29 [IKEv1 DEBUG]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, constructing qm hash payload
Feb 26 07:37:29 [IKEv1]IP = RemotePeerIPx.x.x.x, IKE_DECODE SENDING Message (msgid=43c81111) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
Feb 26 07:37:29 [IKEv1]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, Session is being torn down. Reason: Lost Service
02-26-2014 05:53 AM
Hi Steve,
Feb 26 07:37:21 [IKEv1]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, Received non-routine Notify message: No proposal chosen (14)
Feb 26 07:37:29 [IKEv1]Group = RemotePeerIPx.x.x.x, IP = RemotePeerIPx.x.x.x, Session is being torn down. Reason: Lost Service
What do you see on the SonicWall side?
Would you mind enabling the IPsec debug to 255?
The SonicWall should not send any network range (1.1.1.1 - 1.1.1.254, for instance) since the ASA expects a subnet 1.1.1.0/24, for example.
So, check the logs on the SonicWall, get the IPsec logs at 255 to check what they send and hopefully find the issue.
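Added example, not part of any post in this thread: a small Python summarizer for IKEv1 debug output in the format quoted above. It pulls out the Phase 1 result, the proxy IDs the ASA transmitted, and the peer's notifies, then compares the proxy IDs with the selectors the operator meant to offer. The function names, the expected-selector inputs, and the "subnet ... mask ..." line form are assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample, abridged to the lines that matter, in the format of the
# ASA IKEv1 debug output quoted in this thread (peer redacted as x.x.x.x).
SAMPLE_LOG = """\
Feb 26 07:36:57 [IKEv1]Group = x.x.x.x, IP = x.x.x.x, PHASE 1 COMPLETED
Feb 26 07:36:57 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, Transmitting Proxy Id:
Local host: 10.172.100.20 Protocol 0 Port 0
Remote host: 10.2.255.97 Protocol 0 Port 0
Feb 26 07:36:57 [IKEv1]Group = x.x.x.x, IP = x.x.x.x, Received non-routine Notify message: No proposal chosen (14)
Feb 26 07:37:05 [IKEv1]Group = x.x.x.x, IP = x.x.x.x, Received non-routine Notify message: No proposal chosen (14)
Feb 26 07:37:29 [IKEv1]Group = x.x.x.x, IP = x.x.x.x, QM FSM error (P2 struct &0x7486d8b8, mess id 0xdbc8a511)!
Feb 26 07:37:29 [IKEv1]Group = x.x.x.x, IP = x.x.x.x, Session is being torn down. Reason: Lost Service
"""

# "host" is the form seen in this thread. The "subnet ... mask ..." form is an
# assumption about how the same debug prints a network selector.
PROXY_RE = re.compile(r"^\s*(Local|Remote) (host|subnet):\s+(\S+)(?:\s+mask\s+(\S+))?")
NOTIFY_RE = re.compile(r"Received non-routine Notify message: (.+?) \((\d+)\)")
QM_ERR_RE = re.compile(r"QM FSM error \(P2 struct \S+ mess id (0x[0-9a-fA-F]+)\)")
TEARDOWN_RE = re.compile(r"Session is being torn down\. Reason: (.+)$")


@dataclass
class IkeSummary:
    phase1_completed: bool = False
    local_proxy: Optional[str] = None
    remote_proxy: Optional[str] = None
    notifies: List[Tuple[int, str]] = field(default_factory=list)
    qm_error_msgids: List[str] = field(default_factory=list)
    teardown_reason: Optional[str] = None


def summarize(log_text: str) -> IkeSummary:
    """Collect the Phase 1 result, the proxy IDs sent, and the peer's notifies."""
    s = IkeSummary()
    for line in log_text.splitlines():
        if "PHASE 1 COMPLETED" in line:
            s.phase1_completed = True
            continue
        m = PROXY_RE.match(line)
        if m:
            side, kind, addr, mask = m.groups()
            value = f"{addr}/{mask}" if kind == "subnet" and mask else addr
            if side == "Local":
                s.local_proxy = value
            else:
                s.remote_proxy = value
            continue
        m = NOTIFY_RE.search(line)
        if m:
            s.notifies.append((int(m.group(2)), m.group(1)))
            continue
        m = QM_ERR_RE.search(line)
        if m:
            s.qm_error_msgids.append(m.group(1))
            continue
        m = TEARDOWN_RE.search(line)
        if m:
            s.teardown_reason = m.group(1).strip()
    return s


def findings(s: IkeSummary, expected_local: str, expected_remote: str) -> List[str]:
    """Compare what was sent with the selectors the operator meant to offer."""
    out = []
    rejected = any(code == 14 for code, _ in s.notifies)  # 14 = NO-PROPOSAL-CHOSEN
    if s.phase1_completed and rejected:
        out.append("Phase 1 completed, but the peer answered Quick Mode with "
                   "notify 14: check transform sets and proxy IDs on both ends")
    for label, sent, want in (("local", s.local_proxy, expected_local),
                              ("remote", s.remote_proxy, expected_remote)):
        if sent is not None and sent != want:
            out.append(f"{label} proxy ID sent as {sent}, expected {want}")
    return out


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    # Expected selectors are hypothetical inputs: here the internal server and
    # the NAT object address named in the first post.
    for item in findings(summary, "10.10.10.10", "10.2.255.97"):
        print(item)
```

The same summary can be run over the peer's own log export to see which selectors each side believes it is negotiating.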
02-26-2014 06:17 AM
I've emailed my customer to get logs from his end. Will update once I have them.
Feb 26 07:59:43 [IKEv1]IP = x.x.x.x, IKE Initiator: New Phase 1, Intf inside, IKE Peer 207.173.224.194 local Proxy Address LocalServer, remote Proxy Address 10.2.255.97, Crypto map (outside_map)
Feb 26 07:59:43 [IKEv1 DEBUG]IP = x.x.x.x, constructing ISAKMP SA payload
Feb 26 07:59:43 [IKEv1 DEBUG]IP = x.x.x.x, constructing NAT-Traversal VID ver 02 payload
Feb 26 07:59:43 [IKEv1 DEBUG]IP = x.x.x.x, constructing NAT-Traversal VID ver 03 payload
Feb 26 07:59:43 [IKEv1 DEBUG]IP = x.x.x.x, constructing NAT-Traversal VID ver RFC payload
Feb 26 07:59:43 [IKEv1 DEBUG]IP = x.x.x.x, constructing Fragmentation VID + extended capabilities payload
Feb 26 07:59:43 [IKEv1]IP = x.x.x.x, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 284
SENDING PACKET to x.x.x.x
IKE Recv RAW packet dump
RECV PACKET from x.x.x.x
ISAKMP Header
Initiator COOKIE: 51 17 01 0f 76 1a ab 96
Responder COOKIE: b9 cf 2d 3e e2 2a 9e e0
Next Payload: Security Association
Version: 1.0
Exchange Type: Identity Protection (Main Mode)
Flags: (none)
MessageID: 00000000
Length: 120
Payload Security Association
Next Payload: Vendor ID
Reserved: 00
Payload Length: 60
DOI: IPsec
Situation:(SIT_IDENTITY_ONLY)
Payload Proposal
Next Payload: None
Reserved: 00
Payload Length: 48
Proposal #: 1
Protocol-Id: PROTO_ISAKMP
SPI Size: 0
# of transforms: 1
Payload Transform
Next Payload: None
Reserved: 00
Payload Length: 40
Transform #: 2
Transform-Id: KEY_IKE
Reserved2: 0000
Group Description: Group 2
Encryption Algorithm: AES-CBC
Key Length: 256
Hash Algorithm: SHA1
Authentication Method: Preshared key
Life Type: seconds
Life Duration (Hex): 00 01 51 80
Payload Vendor ID
Next Payload: Vendor ID
Reserved: 00
Payload Length: 12
Data (In Hex): 09 00 26 89 df d6 b7 12
Payload Vendor ID
Next Payload: None
Reserved: 00
Payload Length: 20
Data (In Hex):
90 cb 80 91 3e bb 69 6e 08 63 81 b5 ec 42 7b 1f
Feb 26 07:59:43 [IKEv1]IP = x.x.x.x, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 120
Feb 26 07:59:43 [IKEv1 DEBUG]IP = x.x.x.x, processing SA payload
Feb 26 07:59:43 [IKEv1 DEBUG]IP = x.x.x.x, Oakley proposal is acceptable
Feb 26 07:59:43 [IKEv1 DEBUG]IP = x.x.x.x, processing VID payload
Feb 26 07:59:43 [IKEv1 DEBUG]IP = x.x.x.x, Received xauth V6 VID
Feb 26 07:59:43 [IKEv1 DEBUG]IP = x.x.x.x, processing VID payload
Feb 26 07:59:43 [IKEv1 DEBUG]IP = x.x.x.x, Received NAT-Traversal ver 02 VID
Feb 26 07:59:43 [IKEv1 DEBUG]IP = x.x.x.x, constructing ke payload
Feb 26 07:59:43 [IKEv1 DEBUG]IP = x.x.x.x, constructing nonce payload
Feb 26 07:59:43 [IKEv1 DEBUG]IP = x.x.x.x, constructing Cisco Unity VID payload
Feb 26 07:59:43 [IKEv1 DEBUG]IP = x.x.x.x, constructing xauth V6 VID payload
Feb 26 07:59:43 [IKEv1 DEBUG]IP = x.x.x.x, Send IOS VID
Feb 26 07:59:43 [IKEv1 DEBUG]IP = x.x.x.x, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Feb 26 07:59:43 [IKEv1 DEBUG]IP = x.x.x.x, constructing VID payload
Feb 26 07:59:43 [IKEv1 DEBUG]IP = x.x.x.x, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Feb 26 07:59:43 [IKEv1 DEBUG]IP = x.x.x.x, constructing NAT-Discovery payload
Feb 26 07:59:43 [IKEv1 DEBUG]IP = x.x.x.x, computing NAT Discovery hash
Feb 26 07:59:43 [IKEv1 DEBUG]IP = x.x.x.x, constructing NAT-Discovery payload
Feb 26 07:59:43 [IKEv1 DEBUG]IP = x.x.x.x, computing NAT Discovery hash
Feb 26 07:59:43 [IKEv1]IP = x.x.x.x, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 304
SENDING PACKET to x.x.x.x
IKE Recv RAW packet dump
RECV PACKET from x.x.x.x
ISAKMP Header
Initiator COOKIE: 51 17 01 0f 76 1a ab 96
Responder COOKIE: b9 cf 2d 3e e2 2a 9e e0
Next Payload: Key Exchange
Version: 1.0
Exchange Type: Identity Protection (Main Mode)
Flags: (none)
MessageID: 00000000
Length: 220
Payload Key Exchange
Next Payload: Nonce
Reserved: 00
Payload Length: 132
Data:
0d 50 14 db ba af fb ee 1e e2 32 e3 68 06 b8 e9
d7 20 76 5f d3 a8 2d 18 23 f6 6b 1b ad 7f d2 da
ea 36 87 f0 3a 1d b8 46 92 8e 79 6e 79 37 10 0f
17 31 9a 49 a6 86 af 7f 09 d2 e6 f7 67 63 d0 12
e1 70 72 0f 51 43 79 a7 63 2b 42 5a 8b 9d 03 0f
75 63 f3 13 ae 9a 50 c9 20 d0 86 af 47 35 da 9a
a3 ed b1 2b e0 f5 8d 06 08 cc 27 ea 4d 5e 75 25
78 cd f9 fd 3b db f0 93 32 89 19 1c c3 a0 50 e7
Payload Nonce
Next Payload: NAT-D
Reserved: 00
Payload Length: 12
Data: 94 f8 c3 0a 74 c4 c0 bf
Payload NAT-D
Next Payload: NAT-D
Reserved: 00
Payload Length: 24
Data:
b8 b8 02 2b d7 fc 54 35 59 5e 13 22 06 04 2f 13
cd 2d 51 1d
Payload NAT-D
Next Payload: None
Reserved: 00
Payload Length: 24
Data:
07 07 13 0f e7 1a b6 a1 59 36 98 4d 9b 8e dc 9e
2f ca d1 f1
Feb 26 07:59:43 [IKEv1]IP = x.x.x.x, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 220
Feb 26 07:59:43 [IKEv1 DEBUG]IP = x.x.x.x, processing ke payload
Feb 26 07:59:43 [IKEv1 DEBUG]IP = x.x.x.x, processing ISA_KE payload
Feb 26 07:59:43 [IKEv1 DEBUG]IP = x.x.x.x, processing nonce payload
Feb 26 07:59:43 [IKEv1 DEBUG]IP = x.x.x.x, processing NAT-Discovery payload
Feb 26 07:59:43 [IKEv1 DEBUG]IP = x.x.x.x, computing NAT Discovery hash
Feb 26 07:59:43 [IKEv1 DEBUG]IP = x.x.x.x, processing NAT-Discovery payload
Feb 26 07:59:43 [IKEv1 DEBUG]IP = x.x.x.x, computing NAT Discovery hash
Feb 26 07:59:43 [IKEv1]IP = x.x.x.x, Connection landed on tunnel_group x.x.x.x
Feb 26 07:59:43 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, Generating keys for Initiator...
Feb 26 07:59:43 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, constructing ID payload
Feb 26 07:59:43 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, constructing hash payload
Feb 26 07:59:43 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, Computing hash for ISAKMP
Feb 26 07:59:43 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, constructing dpd vid payload
Feb 26 07:59:43 [IKEv1]IP = x.x.x.x, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + VENDOR (13) + NONE (0) total length : 84
BEFORE ENCRYPTION
RAW PACKET DUMP on SEND
ISAKMP Header
Initiator COOKIE: 51 17 01 0f 76 1a ab 96
Responder COOKIE: b9 cf 2d 3e e2 2a 9e e0
Next Payload: Identification
Version: 1.0
Exchange Type: Identity Protection (Main Mode)
Flags: (none)
MessageID: 00000000
Length: 469762048
Payload Identification
Next Payload: Hash
Reserved: 00
Payload Length: 12
ID Type: IPv4 Address (1)
Protocol ID (UDP/TCP, etc...): 17
Port: 0
ID Data: 67.218.16.124
Payload Hash
Next Payload: Vendor ID
Reserved: 00
Payload Length: 24
Data:
61 46 bc 93 1d 8a 92 f4 dc fd 3a 45 20 8a be a2
c1 4d dd 78
Payload Vendor ID
Next Payload: None
Reserved: 00
Payload Length: 20
Data (In Hex):
af ca d7 13 68 a1 f1 c9 6b 86 96 fc 77 57 01 00
Feb 26 07:59:43 [IKEv1]Group = x.x.x.x, IP = x.x.x.x, Automatic NAT Detection Status: Remote end is NOT behind a NAT device This end is NOT behind a NAT device
SENDING PACKET to x.x.x.x
IKE Recv RAW packet dump
RECV PACKET from x.x.x.x
ISAKMP Header
Initiator COOKIE: 51 17 01 0f 76 1a ab 96
Responder COOKIE: b9 cf 2d 3e e2 2a 9e e0
Next Payload: Identification
Version: 1.0
Exchange Type: Identity Protection (Main Mode)
Flags: (Encryption)
MessageID: 00000000
Length: 92
AFTER DECRYPTION
ISAKMP Header
Initiator COOKIE: 51 17 01 0f 76 1a ab 96
Responder COOKIE: b9 cf 2d 3e e2 2a 9e e0
Next Payload: Identification
Version: 1.0
Exchange Type: Identity Protection (Main Mode)
Flags: (Encryption)
MessageID: 00000000
Length: 92
Payload Identification
Next Payload: Hash
Reserved: 00
Payload Length: 12
ID Type: IPv4 Address (1)
Protocol ID (UDP/TCP, etc...): 0
Port: 0
ID Data: x.x.x.x
Payload Hash
Next Payload: Vendor ID
Reserved: 00
Payload Length: 24
Data:
3b 06 9d 5f ea 28 60 20 15 b8 e8 e3 5c 56 23 3b
df f3 d8 08
Payload Vendor ID
Next Payload: None
Reserved: 00
Payload Length: 20
Data (In Hex):
af ca d7 13 68 a1 f1 c9 6b 86 96 fc 77 57 01 00
Feb 26 07:59:43 [IKEv1]IP = x.x.x.x, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + VENDOR (13) + NONE (0) total length : 84
Feb 26 07:59:43 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, processing ID payload
Feb 26 07:59:43 [IKEv1 DECODE]Group = x.x.x.x, IP = x.x.x.x, ID_IPV4_ADDR ID received
x.x.x.x
Feb 26 07:59:43 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, processing hash payload
Feb 26 07:59:43 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, Computing hash for ISAKMP
Feb 26 07:59:43 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, processing VID payload
Feb 26 07:59:43 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, Received DPD VID
Feb 26 07:59:43 [IKEv1]IP = x.x.x.x, Connection landed on tunnel_group x.x.x.x
Feb 26 07:59:43 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, Oakley begin quick mode
Feb 26 07:59:43 [IKEv1 DECODE]Group = x.x.x.x, IP = x.x.x.x, IKE Initiator starting QM: msg id = 03abefc3
Feb 26 07:59:43 [IKEv1]Group = x.x.x.x, IP = x.x.x.x, PHASE 1 COMPLETED
Feb 26 07:59:43 [IKEv1]IP = x.x.x.x, Keep-alive type for this connection: DPD
Feb 26 07:59:43 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, Starting P1 rekey timer: 64800 seconds.
Feb 26 07:59:43 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, IKE got SPI from key engine: SPI = 0x41d78d8c
Feb 26 07:59:43 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, IKE got SPI from key engine: SPI = 0xf0073a17
Feb 26 07:59:43 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, IKE got SPI from key engine: SPI = 0xfcd1f908
Feb 26 07:59:43 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, IKE got SPI from key engine: SPI = 0xa3f91d04
Feb 26 07:59:43 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, IKE got SPI from key engine: SPI = 0x3d13c244
Feb 26 07:59:43 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, IKE got SPI from key engine: SPI = 0x10d256fa
Feb 26 07:59:43 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, IKE got SPI from key engine: SPI = 0xa391873e
Feb 26 07:59:43 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, IKE got SPI from key engine: SPI = 0x37ee49ba
Feb 26 07:59:43 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, IKE got SPI from key engine: SPI = 0x6490a58b
Feb 26 07:59:43 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, IKE got SPI from key engine: SPI = 0x28b10b9e
Feb 26 07:59:43 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, oakley constucting quick mode
Feb 26 07:59:43 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, constructing blank hash payload
Feb 26 07:59:43 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, constructing IPSec SA payload
Feb 26 07:59:43 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, constructing IPSec nonce payload
Feb 26 07:59:43 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, constructing proxy ID
Feb 26 07:59:43 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, Transmitting Proxy Id:
Local host: LocalServer Protocol 0 Port 0
Remote host: 10.2.255.97 Protocol 0 Port 0
Feb 26 07:59:43 [IKEv1 DECODE]Group = x.x.x.x, IP = x.x.x.x, IKE Initiator sending Initial Contact
Feb 26 07:59:43 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, constructing qm hash payload
Feb 26 07:59:43 [IKEv1 DECODE]Group = x.x.x.x, IP = x.x.x.x, IKE Initiator sending 1st QM pkt: msg id = 03abefc3
Feb 26 07:59:43 [IKEv1]IP = x.x.x.x, IKE_DECODE SENDING Message (msgid=3abefc3) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 644
BEFORE ENCRYPTION
RAW PACKET DUMP on SEND
ISAKMP Header
Initiator COOKIE: 51 17 01 0f 76 1a ab 96
Responder COOKIE: b9 cf 2d 3e e2 2a 9e e0
Next Payload: Hash
Version: 1.0
Exchange Type: Quick Mode
Flags: (none)
MessageID: C3EFAB03
Length: 469762048
Payload Hash
Next Payload: Security Association
Reserved: 00
Payload Length: 24
Data:
87 8a 56 dd c8 fc ff 2c 5f c9 0d a7 af f6 04 23
14 0c 4e 28
Payload Security Association
Next Payload: Nonce
Reserved: 00
Payload Length: 516
DOI: IPsec
Situation:(SIT_IDENTITY_ONLY)
Payload Proposal
Next Payload: Proposal
Reserved: 00
Payload Length: 48
Proposal #: 1
Protocol-Id: PROTO_IPSEC_ESP
SPI Size: 4
# of transforms: 1
SPI: 41 d7 8d 8c
Payload Transform
Next Payload: None
Reserved: 00
Payload Length: 36
Transform #: 1
Transform-Id: ESP_DES
Reserved2: 0000
Life Type: Seconds
Life Duration (Hex): 70 80
Life Type: Kilobytes
Life Duration (Hex): 00 46 50 00
Encapsulation Mode: Tunnel
Authentication Algorithm: SHA1
Payload Proposal
Next Payload: Proposal
Reserved: 00
Payload Length: 48
Proposal #: 2
Protocol-Id: PROTO_IPSEC_ESP
SPI Size: 4
# of transforms: 1
SPI: f0 07 3a 17
Payload Transform
Next Payload: None
Reserved: 00
Payload Length: 36
Transform #: 1
Transform-Id: ESP_DES
Reserved2: 0000
Life Type: Seconds
Life Duration (Hex): 70 80
Life Type: Kilobytes
Life Duration (Hex): 00 46 50 00
Encapsulation Mode: Tunnel
Authentication Algorithm: MD5
Payload Proposal
Next Payload: Proposal
Reserved: 00
Payload Length: 48
Proposal #: 3
Protocol-Id: PROTO_IPSEC_ESP
SPI Size: 4
# of transforms: 1
SPI: fc d1 f9 08
Payload Transform
Next Payload: None
Reserved: 00
Payload Length: 36
Transform #: 1
Transform-Id: ESP_3DES
Reserved2: 0000
Life Type: Seconds
Life Duration (Hex): 70 80
Life Type: Kilobytes
Life Duration (Hex): 00 46 50 00
Encapsulation Mode: Tunnel
Authentication Algorithm: MD5
Payload Proposal
Next Payload: Proposal
Reserved: 00
Payload Length: 52
Proposal #: 4
Protocol-Id: PROTO_IPSEC_ESP
SPI Size: 4
# of transforms: 1
SPI: a3 f9 1d 04
Payload Transform
Next Payload: None
Reserved: 00
Payload Length: 40
Transform #: 1
Transform-Id: ESP_AES
Reserved2: 0000
Life Type: Seconds
Life Duration (Hex): 70 80
Life Type: Kilobytes
Life Duration (Hex): 00 46 50 00
Encapsulation Mode: Tunnel
Authentication Algorithm: MD5
Key Length: 256
Payload Proposal
Next Payload: Proposal
Reserved: 00
Payload Length: 52
Proposal #: 5
Protocol-Id: PROTO_IPSEC_ESP
SPI Size: 4
# of transforms: 1
SPI: 3d 13 c2 44
Payload Transform
Next Payload: None
Reserved: 00
Payload Length: 40
Transform #: 1
Transform-Id: ESP_AES
Reserved2: 0000
Life Type: Seconds
Life Duration (Hex): 70 80
Life Type: Kilobytes
Life Duration (Hex): 00 46 50 00
Encapsulation Mode: Tunnel
Authentication Algorithm: MD5
Key Length: 192
Payload Proposal
Next Payload: Proposal
Reserved: 00
Payload Length: 52
Proposal #: 6
Protocol-Id: PROTO_IPSEC_ESP
SPI Size: 4
# of transforms: 1
SPI: 10 d2 56 fa
Payload Transform
Next Payload: None
Reserved: 00
Payload Length: 40
Transform #: 1
Transform-Id: ESP_AES
Reserved2: 0000
Life Type: Seconds
Life Duration (Hex): 70 80
Life Type: Kilobytes
Life Duration (Hex): 00 46 50 00
Encapsulation Mode: Tunnel
Authentication Algorithm: SHA1
Key Length: 192
Payload Proposal
Next Payload: Proposal
Reserved: 00
Payload Length: 52
Proposal #: 7
Protocol-Id: PROTO_IPSEC_ESP
SPI Size: 4
# of transforms: 1
SPI: a3 91 87 3e
Payload Transform
Next Payload: None
Reserved: 00
Payload Length: 40
Transform #: 1
Transform-Id: ESP_AES
Reserved2: 0000
Life Type: Seconds
Life Duration (Hex): 70 80
Life Type: Kilobytes
Life Duration (Hex): 00 46 50 00
Encapsulation Mode: Tunnel
Authentication Algorithm: MD5
Key Length: 128
Payload Proposal
Next Payload: Proposal
Reserved: 00
Payload Length: 52
Proposal #: 8
Protocol-Id: PROTO_IPSEC_ESP
SPI Size: 4
# of transforms: 1
SPI: 37 ee 49 ba
Payload Transform
Next Payload: None
Reserved: 00
Payload Length: 40
Transform #: 1
Transform-Id: ESP_AES
Reserved2: 0000
Life Type: Seconds
Life Duration (Hex): 70 80
Life Type: Kilobytes
Life Duration (Hex): 00 46 50 00
Encapsulation Mode: Tunnel
Authentication Algorithm: SHA1
Key Length: 128
Payload Proposal
Next Payload: Proposal
Reserved: 00
Payload Length: 48
Proposal #: 9
Protocol-Id: PROTO_IPSEC_ESP
SPI Size: 4
# of transforms: 1
SPI: 64 90 a5 8b
Payload Transform
Next Payload: None
Reserved: 00
Payload Length: 36
Transform #: 1
Transform-Id: ESP_3DES
Reserved2: 0000
Life Type: Seconds
Life Duration (Hex): 70 80
Life Type: Kilobytes
Life Duration (Hex): 00 46 50 00
Encapsulation Mode: Tunnel
Authentication Algorithm: SHA1
Payload Proposal
Next Payload: None
Reserved: 00
Payload Length: 52
Proposal #: 10
Protocol-Id: PROTO_IPSEC_ESP
SPI Size: 4
# of transforms: 1
SPI: 28 b1 0b 9e
Payload Transform
Next Payload: None
Reserved: 00
Payload Length: 40
Transform #: 1
Transform-Id: ESP_AES
Reserved2: 0000
Life Type: Seconds
Life Duration (Hex): 70 80
Life Type: Kilobytes
Life Duration (Hex): 00 46 50 00
Encapsulation Mode: Tunnel
Authentication Algorithm: SHA1
Key Length: 256
Payload Nonce
Next Payload: Identification
Reserved: 00
Payload Length: 24
Data:
f1 54 fc 26 6d 43 7b f4 f9 00 92 c3 b8 b8 4c 76
74 66 af 08
Payload Identification
Next Payload: Identification
Reserved: 00
Payload Length: 12
ID Type: IPv4 Address (1)
Protocol ID (UDP/TCP, etc...): 0
Port: 0
ID Data: LocalServer
Payload Identification
Next Payload: Notification
Reserved: 00
Payload Length: 12
ID Type: IPv4 Address (1)
Protocol ID (UDP/TCP, etc...): 0
Port: 0
ID Data: 10.2.255.97
Payload Notification
Next Payload: None
Reserved: 00
Payload Length: 28
DOI: IPsec
Protocol-ID: PROTO_ISAKMP
Spi Size: 16
Notify Type: STATUS_INITIAL_CONTACT
SPI:
51 17 01 0f 76 1a ab 96 b9 cf 2d 3e e2 2a 9e e0
IKE Recv RAW packet dump
51 17 01 0f 76 1a ab 96 b9 cf 2d 3e e2 2a 9e e0 | Q...v.....->.*..
08 10 05 01 9a 89 2c 3f 00 00 00 4c c7 9d 70 5d | ......,?...L..p]
63 4b cf f8 13 be c0 3a 3a f3 d7 d0 a0 7e 65 4c | cK.....::....~eL
37 c2 e3 21 58 6c 11 01 c0 67 75 35 81 85 d6 c4 | 7..!Xl...gu5....
ed b2 9a 2b bf 94 b0 2c 78 4c 81 03 | ...+...,xL..
RECV PACKET from x.x.x.x
ISAKMP Header
Initiator COOKIE: 51 17 01 0f 76 1a ab 96
Responder COOKIE: b9 cf 2d 3e e2 2a 9e e0
Next Payload: Hash
Version: 1.0
Exchange Type: Informational
Flags: (Encryption)
MessageID: 9A892C3F
Length: 76
AFTER DECRYPTION
ISAKMP Header
Initiator COOKIE: 51 17 01 0f 76 1a ab 96
Responder COOKIE: b9 cf 2d 3e e2 2a 9e e0
Next Payload: Hash
Version: 1.0
Exchange Type: Informational
Flags: (Encryption)
MessageID: 9A892C3F
Length: 76
Payload Hash
Next Payload: Notification
Reserved: 00
Payload Length: 24
Data:
4e 28 ec ea eb 41 9e c7 72 4a 0a bf 6d 4b 1a 49
69 c3 c6 00
Payload Notification
Next Payload: None
Reserved: 00
Payload Length: 16
DOI: IPsec
Protocol-ID: PROTO_IPSEC_ESP
Spi Size: 4
Notify Type: NO_PROPOSAL_CHOSEN
SPI: 41 d7 8d 8c
Feb 26 07:59:43 [IKEv1]IP = x.x.x.x, IKE_DECODE RECEIVED Message (msgid=9a892c3f) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 68
Feb 26 07:59:43 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, processing hash payload
Feb 26 07:59:43 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, processing notify payload
Feb 26 07:59:43 [IKEv1]Group = x.x.x.x, IP = x.x.x.x, Received non-routine Notify message: No proposal chosen (14)
IKE Recv RAW packet dump
51 17 01 0f 76 1a ab 96 b9 cf 2d 3e e2 2a 9e e0 | Q...v.....->.*..
08 10 05 01 90 43 74 39 00 00 00 4c cd e9 e9 b2 | .....Ct9...L....
13 1a 91 67 aa 19 c5 43 8a 4b a0 9d e1 d5 6c 72 | ...g...C.K....lr
43 0b 57 42 27 d9 1a 02 eb 29 fa 89 ae 79 5d 66 | C.WB'....)...y]f
ba f8 75 7c c5 c9 eb 6c 4f 84 fb 4d | ..u|...lO..M
RECV PACKET from x.x.x.x
ISAKMP Header
Initiator COOKIE: 51 17 01 0f 76 1a ab 96
Responder COOKIE: b9 cf 2d 3e e2 2a 9e e0
Next Payload: Hash
Version: 1.0
Exchange Type: Informational
Flags: (Encryption)
MessageID: 90437439
Length: 76
AFTER DECRYPTION
ISAKMP Header
Initiator COOKIE: 51 17 01 0f 76 1a ab 96
Responder COOKIE: b9 cf 2d 3e e2 2a 9e e0
Next Payload: Hash
Version: 1.0
Exchange Type: Informational
Flags: (Encryption)
MessageID: 90437439
Length: 76
Payload Hash
Next Payload: Notification
Reserved: 00
Payload Length: 24
Data:
ae 92 53 da f6 71 3e cd 23 c3 a3 ad bc a3 2f a8
0d 63 3e f1
Payload Notification
Next Payload: None
Reserved: 00
Payload Length: 16
DOI: IPsec
Protocol-ID: PROTO_IPSEC_ESP
Spi Size: 4
Notify Type: NO_PROPOSAL_CHOSEN
SPI: 41 d7 8d 8c
Feb 26 07:59:51 [IKEv1]IP = x.x.x.x, IKE_DECODE RECEIVED Message (msgid=90437439) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 68
Feb 26 07:59:51 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, processing hash payload
Feb 26 07:59:51 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, processing notify payload
Feb 26 07:59:51 [IKEv1]Group = x.x.x.x, IP = x.x.x.x, Received non-routine Notify message: No proposal chosen (14)
IKE Recv RAW packet dump
51 17 01 0f 76 1a ab 96 b9 cf 2d 3e e2 2a 9e e0 | Q...v.....->.*..
08 10 05 01 80 52 56 c3 00 00 00 4c 67 2e 0f 4b | .....RV....Lg..K
1b d7 0f 34 ba 4b e7 d2 b0 95 6c f9 db b4 a4 49 | ...4.K....l....I
c0 f1 fa 3e 3a 4d cd 39 49 88 4a 7a 4f c7 25 cf | ...>:M.9I.JzO.%.
f8 66 4c 27 b8 79 1b 92 11 cd 92 77 | .fL'.y.....w
RECV PACKET from x.x.x.x
ISAKMP Header
Initiator COOKIE: 51 17 01 0f 76 1a ab 96
Responder COOKIE: b9 cf 2d 3e e2 2a 9e e0
Next Payload: Hash
Version: 1.0
Exchange Type: Informational
Flags: (Encryption)
MessageID: 805256C3
Length: 76
AFTER DECRYPTION
ISAKMP Header
Initiator COOKIE: 51 17 01 0f 76 1a ab 96
Responder COOKIE: b9 cf 2d 3e e2 2a 9e e0
Next Payload: Hash
Version: 1.0
Exchange Type: Informational
Flags: (Encryption)
MessageID: 805256C3
Length: 76
Payload Hash
Next Payload: Notification
Reserved: 00
Payload Length: 24
Data:
82 6b d7 07 c6 88 f5 fe 0a 0a 84 7f 11 fc b7 64
74 8b f3 5b
Payload Notification
Next Payload: None
Reserved: 00
Payload Length: 16
DOI: IPsec
Protocol-ID: PROTO_IPSEC_ESP
Spi Size: 4
Notify Type: NO_PROPOSAL_CHOSEN
SPI: 41 d7 8d 8c
Feb 26 07:59:59 [IKEv1]IP = x.x.x.x, IKE_DECODE RECEIVED Message (msgid=805256c3) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 68
Feb 26 07:59:59 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, processing hash payload
Feb 26 07:59:59 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, processing notify payload
Feb 26 07:59:59 [IKEv1]Group = x.x.x.x, IP = x.x.x.x, Received non-routine Notify message: No proposal chosen (14)
IKE Recv RAW packet dump
51 17 01 0f 76 1a ab 96 b9 cf 2d 3e e2 2a 9e e0 | Q...v.....->.*..
08 10 05 01 f8 3f 8e 9e 00 00 00 4c 21 6d 93 31 | .....?.....L!m.1
97 12 3f fd e0 1c b0 77 fa ac ff 3b 85 0a e6 3d | ..?....w...;...=
d9 d5 04 cd 5d d2 fa eb 60 8c 09 4a fe 60 6a 56 | ....]...`..J.`jV
f0 88 ec 51 7b 52 ec 54 b1 21 a3 70 | ...Q{R.T.!.p
RECV PACKET from x.x.x.x
ISAKMP Header
Initiator COOKIE: 51 17 01 0f 76 1a ab 96
Responder COOKIE: b9 cf 2d 3e e2 2a 9e e0
Next Payload: Hash
Version: 1.0
Exchange Type: Informational
Flags: (Encryption)
MessageID: F83F8E9E
Length: 76
AFTER DECRYPTION
ISAKMP Header
Initiator COOKIE: 51 17 01 0f 76 1a ab 96
Responder COOKIE: b9 cf 2d 3e e2 2a 9e e0
Next Payload: Hash
Version: 1.0
Exchange Type: Informational
Flags: (Encryption)
MessageID: F83F8E9E
Length: 76
Payload Hash
Next Payload: Notification
Reserved: 00
Payload Length: 24
Data:
bf e1 0c 1b 42 a0 3e d4 53 f6 80 bb e0 5f ee 4f
fb 3d fc 25
Payload Notification
Next Payload: None
Reserved: 00
Payload Length: 16
DOI: IPsec
Protocol-ID: PROTO_IPSEC_ESP
Spi Size: 4
Notify Type: NO_PROPOSAL_CHOSEN
SPI: 41 d7 8d 8c
Feb 26 08:00:07 [IKEv1]IP = x.x.x.x, IKE_DECODE RECEIVED Message (msgid=f83f8e9e) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 68
Feb 26 08:00:07 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, processing hash payload
Feb 26 08:00:07 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, processing notify payload
Feb 26 08:00:07 [IKEv1]Group = x.x.x.x, IP = x.x.x.x, Received non-routine Notify message: No proposal chosen (14)
Feb 26 08:00:15 [IKEv1]Group = x.x.x.x, IP = x.x.x.x, QM FSM error (P2 struct &0x748afa20, mess id 0x3abefc3)!
Feb 26 08:00:15 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, IKE QM Initiator FSM error history (struct &0x748afa20)
Feb 26 08:00:15 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, sending delete/delete with reason message
Feb 26 08:00:15 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, constructing blank hash payload
Feb 26 08:00:15 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, constructing IPSec delete payload
Feb 26 08:00:15 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, constructing qm hash payload
Feb 26 08:00:15 [IKEv1]IP = x.x.x.x, IKE_DECODE SENDING Message (msgid=cd9374cb) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 68
BEFORE ENCRYPTION
RAW PACKET DUMP on SEND
51 17 01 0f 76 1a ab 96 b9 cf 2d 3e e2 2a 9e e0 | Q...v.....->.*..
08 10 05 00 cb 74 93 cd 1c 00 00 00 0c 00 00 18 | .....t..........
9b bd 7b fc a1 5d 55 d0 3c ed fe 69 7a d0 fc b1 | ..{..]U.<..iz...
31 97 da fd 00 00 00 10 00 00 00 01 03 04 00 01 | 1...............
41 d7 8d 8c | A...
ISAKMP Header
Initiator COOKIE: 51 17 01 0f 76 1a ab 96
Responder COOKIE: b9 cf 2d 3e e2 2a 9e e0
Next Payload: Hash
Version: 1.0
Exchange Type: Informational
Flags: (none)
MessageID: CB7493CD
Length: 469762048
Payload Hash
Next Payload: Delete
Reserved: 00
Payload Length: 24
Data:
9b bd 7b fc a1 5d 55 d0 3c ed fe 69 7a d0 fc b1
31 97 da fd
Payload Delete
Next Payload: None
Reserved: 00
Payload Length: 16
DOI: IPsec
Protocol-ID: PROTO_IPSEC_ESP
Spi Size: 4
# of SPIs: 1
SPI (Hex dump): 41 d7 8d 8c
Feb 26 08:00:15 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, IKE Deleting SA: Remote Proxy 10.2.255.97, Local Proxy LocalServer
Feb 26 08:00:15 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, IKE Deleting SA: Remote Proxy 10.2.255.97, Local Proxy LocalServer
Feb 26 08:00:15 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, IKE Deleting SA: Remote Proxy 10.2.255.97, Local Proxy LocalServer
Feb 26 08:00:15 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, IKE Deleting SA: Remote Proxy 10.2.255.97, Local Proxy LocalServer
Feb 26 08:00:15 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, IKE Deleting SA: Remote Proxy 10.2.255.97, Local Proxy LocalServer
Feb 26 08:00:15 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, IKE Deleting SA: Remote Proxy 10.2.255.97, Local Proxy LocalServer
Feb 26 08:00:15 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, IKE Deleting SA: Remote Proxy 10.2.255.97, Local Proxy LocalServer
Feb 26 08:00:15 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, IKE Deleting SA: Remote Proxy 10.2.255.97, Local Proxy LocalServer
Feb 26 08:00:15 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, IKE Deleting SA: Remote Proxy 10.2.255.97, Local Proxy LocalServer
Feb 26 08:00:15 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, IKE Deleting SA: Remote Proxy 10.2.255.97, Local Proxy LocalServer
Feb 26 08:00:15 [IKEv1]Group = x.x.x.x, IP = x.x.x.x, Removing peer from correlator table failed, no match!
Feb 26 08:00:15 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, IKE SA MM:0f011751 rcv'd Terminate: state MM_ACTIVE flags 0x00008062, refcnt 1, tuncnt 0
Feb 26 08:00:15 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, IKE SA MM:0f011751 terminating: flags 0x01008022, refcnt 0, tuncnt 0
Feb 26 08:00:15 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, sending delete/delete with reason message
Feb 26 08:00:15 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, constructing blank hash payload
Feb 26 08:00:15 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, constructing IKE delete payload
Feb 26 08:00:15 [IKEv1 DEBUG]Group = x.x.x.x, IP = x.x.x.x, constructing qm hash payload
Feb 26 08:00:15 [IKEv1]IP = x.x.x.x, IKE_DECODE SENDING Message (msgid=d0f33f10) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
BEFORE ENCRYPTION
RAW PACKET DUMP on SEND
51 17 01 0f 76 1a ab 96 b9 cf 2d 3e e2 2a 9e e0 | Q...v.....->.*..
08 10 05 00 10 3f f3 d0 1c 00 00 00 0c 00 00 18 | .....?..........
4d 28 eb 8f e7 66 89 55 bb 66 92 ef 86 e6 9e 43 | M(...f.U.f.....C
15 a3 d4 df 00 00 00 1c 00 00 00 01 01 10 00 01 | ................
51 17 01 0f 76 1a ab 96 b9 cf 2d 3e e2 2a 9e e0 | Q...v.....->.*..
ISAKMP Header
Initiator COOKIE: 51 17 01 0f 76 1a ab 96
Responder COOKIE: b9 cf 2d 3e e2 2a 9e e0
Next Payload: Hash
Version: 1.0
Exchange Type: Informational
Flags: (none)
MessageID: 103FF3D0
Length: 469762048
Payload Hash
Next Payload: Delete
Reserved: 00
Payload Length: 24
Data:
4d 28 eb 8f e7 66 89 55 bb 66 92 ef 86 e6 9e 43
15 a3 d4 df
Payload Delete
Next Payload: None
Reserved: 00
Payload Length: 28
DOI: IPsec
Protocol-ID: PROTO_ISAKMP
Spi Size: 16
# of SPIs: 1
SPI (Hex dump):
51 17 01 0f 76 1a ab 96 b9 cf 2d 3e e2 2a 9e e0
Feb 26 08:00:15 [IKEv1]Group = x.x.x.x, IP = x.x.x.x, Session is being torn down. Reason: Lost Service
02-26-2014 06:44 AM
Code version is 8.4(5)
02-26-2014 07:33 AM
Steve,
Notify Type: NO_PROPOSAL_CHOSEN
Are you completely sure that your ASA is proposing a valid transform-set?
Could you ask for the Phase II settings of the remote endpoint?
Thanks,
02-26-2014 07:53 AM
02-26-2014 07:56 AM
Okay, I probably read SonicWall from a different case.
The screenshot does not display.
02-26-2014 07:57 AM
Edited. No, I mistakenly said SonicWall in my OP.
02-26-2014 08:04 AM
I see... So this one should hit: ESP-AES-128-SHA
Please do the following:
On the ASA:
no crypto map outside_map 10 set ikev1 transform-set ESP-DES-SHA ESP-DES-MD5 ESP-3DES-MD5 ESP-AES-256-MD5 ESP-AES-192-MD5 ESP-AES-192-SHA ESP-AES-128-MD5 ESP-3DES-SHA ESP-AES-256-SHA
On the Watchguard keep only the ESP-AES-SHA1 one.
On the other hand, could you please share the Phase II settings of the Watchguard (not only the transform-sets)?
Thanks,
02-26-2014 08:29 AM
02-26-2014 08:48 AM
As per the log:
RemotePeerIPx.x.x.x local Proxy Address 10.172.100.20, remote Proxy Address 10.2.255.97, Crypto map (outside_map)
So:
Local host: 10.172.100.20
Remote host: 10.2.255.97
Why are you including totally different private IPs on the Watchguard?
02-26-2014 08:53 AM
The screenshots have the actual IPs. In my OP and in the logs, the IPs were changed. I didn't have access to the firewall at the time of the post, so I chose some random addresses. Also changed them in the log so they made some sense.
The IPs in the WatchGuard are correct. Sorry for the confusion.
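The two checks raised in the replies above (is the transform the peer expects among those offered, and do the Phase 2 proxy IDs match), run over the decoded debug output; this is an added example, not part of the original thread. The sample text is constructed and abridged from the debug format in the posts, and the peer transform and selectors passed to `diagnose()` are assumed values, not the real WatchGuard settings.

```python
import re

# Constructed sample, abridged from the decoded debug format in the thread
# (3 of the 10 proposals); 10.10.10.10 stands in for "LocalServer".
SAMPLE = """\
Payload Proposal
  Payload Transform
    Transform-Id: ESP_DES
    Authentication Algorithm: SHA1
Payload Proposal
  Payload Transform
    Transform-Id: ESP_AES
    Authentication Algorithm: MD5
    Key Length: 256
Payload Proposal
  Payload Transform
    Transform-Id: ESP_AES
    Authentication Algorithm: SHA1
    Key Length: 128
Payload Identification
  ID Data: 10.10.10.10
Payload Identification
  ID Data: 10.2.255.97
Payload Notification
  Notify Type: NO_PROPOSAL_CHOSEN
"""

FIELD = re.compile(r"^\s*([^:]+?)\s*:\s*(.*?)\s*$")
NAME_KEYS = ("Transform-Id", "Key Length", "Authentication Algorithm")
LEGACY = {"ESP_DES", "MD5"}  # single DES and HMAC-MD5

def parse_quick_mode(text):
    """Return (proposals, proxy_ids, notifies) from decoded IKEv1 debug text."""
    proposals, proxy_ids, notifies, current = [], [], [], None
    for line in text.splitlines():
        head = line.strip()
        if head == "Payload Proposal":
            current = {}
            proposals.append(current)
        elif head.startswith("Payload ") and head != "Payload Transform":
            current = None  # any other payload ends the proposal being read
        match = FIELD.match(line)
        key, value = match.groups() if match else (None, None)
        if key == "ID Data":
            proxy_ids.append(value)
        elif key == "Notify Type":
            notifies.append(value)
        elif current is not None and key in NAME_KEYS:
            current[key] = value
    return proposals, proxy_ids, notifies

def diagnose(text, peer_transform, peer_selectors):
    # peer_transform / peer_selectors: the remote side's Phase 2 settings (assumed)
    proposals, proxy_ids, notifies = parse_quick_mode(text)
    offered = ["-".join(p[k] for k in NAME_KEYS if k in p) for p in proposals]
    findings = ["peer notify: " + n for n in notifies]
    if peer_transform not in offered:
        findings.append("transform mismatch: peer expects " + peer_transform)
    if sorted(proxy_ids) != sorted(peer_selectors):
        findings.append(f"proxy ID mismatch: sent {proxy_ids}, peer has {peer_selectors}")
    legacy = [n for p, n in zip(proposals, offered) if LEGACY & set(p.values())]
    if legacy:
        findings.append("legacy proposals offered: " + ", ".join(legacy))
    return findings
```

The legacy finding is the reason to trim the transform-set list to the one agreed suite: every DES or MD5 entry left in the crypto map is something the peer is allowed to select.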