Problem with site to site ipsec 2xSA520

erik.lonn
Level 1

Hi,

After creating a site-to-site IPsec tunnel between two new Cisco SA 520s, I get the following problem in the log:

Sun Dec 16 22:20:57 2012 (GMT +0100): [Cisco] [IKE] INFO:  accept a request to establish IKE-SA: xx.xx.42.68
Sun Dec 16 22:20:57 2012 (GMT +0100): [Cisco] [IKE] INFO:  Configuration found for xx.xx.42.68.
Sun Dec 16 22:20:57 2012 (GMT +0100): [Cisco] [IKE] INFO:  Initiating new phase 1 negotiation: xx.xx.141.112[500]<=>xx.xx.42.68[500]
Sun Dec 16 22:20:57 2012 (GMT +0100): [Cisco] [IKE] INFO:  Beginning Identity Protection mode.
Sun Dec 16 22:20:57 2012 (GMT +0100): [Cisco] [IKE] INFO:   [isakmp_ident.c:184]: XXX: NUMNATTVENDORIDS: 3
Sun Dec 16 22:20:57 2012 (GMT +0100): [Cisco] [IKE] INFO:   [isakmp_ident.c:188]: XXX: setting vendorid: 4
Sun Dec 16 22:20:57 2012 (GMT +0100): [Cisco] [IKE] INFO:   [isakmp_ident.c:188]: XXX: setting vendorid: 8
Sun Dec 16 22:20:57 2012 (GMT +0100): [Cisco] [IKE] INFO:   [isakmp_ident.c:188]: XXX: setting vendorid: 9
Sun Dec 16 22:21:28 2012 (GMT +0100): [Cisco] [IKE] ERROR:  Invalid SA protocol type: 0
Sun Dec 16 22:21:28 2012 (GMT +0100): [Cisco] [IKE] ERROR:  Phase 2 negotiation failed due to time up waiting for phase1.
Sun Dec 16 22:21:57 2012 (GMT +0100): [Cisco] [IKE] ERROR:  Phase 1 negotiation failed due to time up for 217.208.42.68[500]. 2aa7a1ae5eba2642:0000000000000000

The IPsec tunnel is created with the wizard:

Select VPN Type: Site to Site
Enable Cisco VPN Client: Blank / marked gray
Connection Name and Remote IP Type:
What is the new Connection Name? Testx
What is the pre-shared key? 1234567890
Local WAN Interface: Dedicated WAN
Remote Gateway Type: IP Address
Remote WAN's IP Address / FQDN: Site A - xx.xx.42.68 / Site B - xx.xx.141.112
Local Gateway Type: IP Address
Local WAN's IP Address / FQDN: Site A - xx.xx.42.68 / Site B - xx.xx.141.112
Secure Connection Remote Accessibility:
Remote LAN IP Address: Site A - 192.168.93.0 / Site B - 192.168.94.0
Remote LAN Subnet Mask: 255.255.255.0

1 Reply

nine_2012
Level 1

The error:

Invalid SA protocol type: 0

indicates that the ID type is not matching. Since the tunnel is in main mode you need to check the ID types. You have to use the IP address as the ID type.

You may check the defaults at:

To view the basic setting defaults that are configured by the Wizard, click VPN on

the menu bar, and then click IPsec > Basic Setting Defaults.

Also:

NOTE If you choose Main Mode, then you must use an IP address as the

identifier type for both the Local device and the Remote device

You may follow the guide as below:

http://www.cisco.com/en/US/docs/security/multi_function_security/multi_function_security_appliance/sa_500/administration/guide/SA500_AG_OL1911404.pdf
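As an added example (not from the original post, the reply, or Cisco), the following Python script parses the IKE log lines quoted in the question, measures how long phase 1 ran before it timed out, and maps the "Identity Protection mode" (IKEv1 main mode) plus "Invalid SA protocol type" pattern to the check the reply gives: in Main Mode both peers must use the IP address as the identifier type. The log line layout is inferred from the lines shown and is an assumption about the SA520 format; the identifier type names "ip_address" and "fqdn" are labels chosen here, not device settings.

```python
import re
from datetime import datetime

# Constructed sample: the IKE log lines quoted in the post above, with the one
# unredacted peer address replaced by the xx.xx.42.68 placeholder the rest use.
SAMPLE_LOG = """\
Sun Dec 16 22:20:57 2012 (GMT +0100): [Cisco] [IKE] INFO:  accept a request to establish IKE-SA: xx.xx.42.68
Sun Dec 16 22:20:57 2012 (GMT +0100): [Cisco] [IKE] INFO:  Configuration found for xx.xx.42.68.
Sun Dec 16 22:20:57 2012 (GMT +0100): [Cisco] [IKE] INFO:  Initiating new phase 1 negotiation: xx.xx.141.112[500]<=>xx.xx.42.68[500]
Sun Dec 16 22:20:57 2012 (GMT +0100): [Cisco] [IKE] INFO:  Beginning Identity Protection mode.
Sun Dec 16 22:20:57 2012 (GMT +0100): [Cisco] [IKE] INFO:   [isakmp_ident.c:184]: XXX: NUMNATTVENDORIDS: 3
Sun Dec 16 22:20:57 2012 (GMT +0100): [Cisco] [IKE] INFO:   [isakmp_ident.c:188]: XXX: setting vendorid: 4
Sun Dec 16 22:20:57 2012 (GMT +0100): [Cisco] [IKE] INFO:   [isakmp_ident.c:188]: XXX: setting vendorid: 8
Sun Dec 16 22:20:57 2012 (GMT +0100): [Cisco] [IKE] INFO:   [isakmp_ident.c:188]: XXX: setting vendorid: 9
Sun Dec 16 22:21:28 2012 (GMT +0100): [Cisco] [IKE] ERROR:  Invalid SA protocol type: 0
Sun Dec 16 22:21:28 2012 (GMT +0100): [Cisco] [IKE] ERROR:  Phase 2 negotiation failed due to time up waiting for phase1.
Sun Dec 16 22:21:57 2012 (GMT +0100): [Cisco] [IKE] ERROR:  Phase 1 negotiation failed due to time up for xx.xx.42.68[500]. 2aa7a1ae5eba2642:0000000000000000
"""

# Line shape inferred from the sample above (an assumption about the SA520 log format).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) \(GMT [+-]\d{4}\): "
    r"\[Cisco\] \[IKE\] (?P<level>INFO|ERROR):\s+(?P<msg>.*)$"
)


def parse_ike_log(text):
    """Return one dict per recognised IKE log line: timestamp, level and message."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unrelated or truncated line; skip rather than guess
        events.append({
            "ts": datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y"),
            "level": m["level"],
            "msg": m["msg"],
        })
    return events


def diagnose(events):
    """Summarise a failed IKEv1 negotiation and point at the check from the reply."""
    msgs = [e["msg"] for e in events]
    # "Identity Protection mode" is the ISAKMP name for IKEv1 main mode.
    main_mode = any("Identity Protection mode" in m for m in msgs)
    invalid_sa = any(m.startswith("Invalid SA protocol type") for m in msgs)
    started = next((e["ts"] for e in events if "Initiating new phase 1" in e["msg"]), None)
    failed = next((e["ts"] for e in events if "Phase 1 negotiation failed" in e["msg"]), None)
    phase1_seconds = (failed - started).total_seconds() if started and failed else None

    findings = []
    if main_mode and invalid_sa and failed is not None:
        findings.append("Main Mode phase 1 timed out after 'Invalid SA protocol type': "
                        "verify that both peers use the IP address as the IKE identifier type")
    if any("waiting for phase1" in m for m in msgs):
        findings.append("the phase 2 error is a consequence of phase 1 never completing; "
                        "fix phase 1 first")
    return {"main_mode": main_mode, "invalid_sa": invalid_sa,
            "phase1_seconds": phase1_seconds, "findings": findings}


def check_main_mode_ids(mode, local_id_type, remote_id_type):
    """Apply the rule quoted in the reply: Main Mode requires an IP address
    identifier type on both the local and the remote device. Other modes are
    not covered by that rule, so nothing is reported for them."""
    problems = []
    if mode == "main":
        for side, id_type in (("local", local_id_type), ("remote", remote_id_type)):
            if id_type != "ip_address":
                problems.append(f"{side} identifier type is '{id_type}', "
                                f"but Main Mode requires 'ip_address'")
    return problems


if __name__ == "__main__":
    report = diagnose(parse_ike_log(SAMPLE_LOG))
    print(f"main mode: {report['main_mode']}, phase 1 ran {report['phase1_seconds']} s")
    for f in report["findings"]:
        print(" -", f)
    for p in check_main_mode_ids("main", "ip_address", "fqdn"):
        print(" -", p)
```

Run it against a log export from either appliance; the 60-second gap between "Initiating new phase 1" and "Phase 1 negotiation failed" in the sample is the phase 1 timeout, and the ID-type check is what to compare on both SA520s before touching anything else.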