05-16-2002 06:23 AM - last edited on 02-21-2020 11:42 PM by cc_security_adm
Hi -
Consider the following error from an isakmp debug on the PIX:
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 21 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 1
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): Unable to generate DH phase I values!
return status is IKMP_ERR_RETRANS
key exchange never makes it out of MM_NO_STATE
As you can see, my isakmp attributes are good, but all of a sudden I get that last error message about phase I.
Never heard of this before. Any ideas?
Cisco PIX Firewall Version 6.1(1)
C2600 Software (C2600-IK8S-M), Version 12.2(8)T
Standard config as per http://www.cisco.com/warp/customer/110/39.html
I've verified that I am running a transform set of esp-des only. I'm not making it to ipsec, so I don't think that's my problem.
Thanks!
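As an added illustration (not part of the thread), a small Python parser that walks the debug excerpt quoted above, decodes the VPI lifetime bytes, and separates "phase 1 attributes accepted" from "DH key generation failed", which is the distinction the later replies make. The sample input is the poster's debug output, embedded here as constructed test data.

```python
import re

# Constructed sample: the PIX isakmp debug excerpt quoted in the post above.
SAMPLE_DEBUG = """\
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 21 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 1
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): Unable to generate DH phase I values!
return status is IKMP_ERR_RETRANS
"""

ATTR_RE = re.compile(r"^ISAKMP: (encryption|hash|default group|auth|life type) (.+)$")
LIFE_RE = re.compile(r"^ISAKMP: life duration \(VPI\) of ((?:0x[0-9a-fA-F]+\s*)+)$")
POLICY_RE = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")

def parse_isakmp_debug(text):
    """Summarise a phase 1 (main mode) negotiation from PIX isakmp debug lines."""
    result = {"attributes": {}, "accepted": False, "dh_failure": False, "retrans": False}
    for line in text.splitlines():
        line = line.strip()
        m = POLICY_RE.search(line)
        if m:
            result["transform"], result["policy_priority"] = int(m.group(1)), int(m.group(2))
            continue
        m = ATTR_RE.match(line)
        if m:
            result["attributes"][m.group(1)] = m.group(2)
            continue
        m = LIFE_RE.match(line)
        if m:
            # Lifetime is printed as big-endian bytes: 0x0 0x1 0x51 0x80 = 0x00015180 = 86400 s.
            octets = [int(tok, 16) for tok in m.group(1).split()]
            result["attributes"]["life duration"] = int.from_bytes(bytes(octets), "big")
            continue
        if "atts are acceptable" in line:
            result["accepted"] = True
        elif "Unable to generate DH phase I values" in line:
            result["dh_failure"] = True
        elif "IKMP_ERR_RETRANS" in line:
            result["retrans"] = True
    return result

def diagnose(summary):
    """Name the failing layer: accepted attributes plus a DH failure is not a policy mismatch."""
    if not summary["accepted"]:
        return "phase 1 policy mismatch: compare isakmp policy on both peers"
    if summary["dh_failure"]:
        group = summary["attributes"].get("default group", "?")
        return f"phase 1 DH group {group} key generation failed on this peer; not a transform-set (phase 2) issue"
    return "phase 1 attributes accepted and DH ok"
```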
05-17-2002 04:42 AM
It looks like it may be having a problem calculating the Diffie-Hellman values? Maybe you should try making the transform set esp-des esp-md5-hmac like in the doc. If that still does not work it could be a bug. Try a different version of code on your 2600. Good luck.
05-28-2002 07:20 AM
Ok. That's what I thought. Diffie-Hellman values not working, on the PIX side.
Changed my isakmp policy to use md5 hash, but get same error. Router has other tunnels to other routers, that cannot be changed, so my configuration is not exactly as the configuration guide.
My router is Version 12.2(8)T. Just upgraded.
Any other ideas?
05-31-2002 08:47 AM
Don't bother modifying your transform sets; they are only for negotiating the phase 2 tunnel establishments. If your problem lies in phase one group issues, you may wanna use DH group 2.
This is a 1024-bit group identifier.
Link to config on the PIX is
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v50/config/ipsec.htm#xtocid1580135
and on the router
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/fipsenc/scfike.htm#22086
IKE is what you should be troubleshooting, not transform sets.
Since you have other tunnels, create a brand new ISA policy for the problem tunnel and troubleshoot with the test policy.
05-31-2002 12:03 PM
Thanks for the comments. I, too, thought that the adjustments to my policies would not make a difference. It didn't.
But I did fix it!
Rebooted the PIX. Everything came up fine.
I expect that my CAs were bad? I don't know that I ever ran any clear crypto type commands.
Thanks again! Problems solved with reboot!