S2S IPSEC: Cisco2811 to Checkpoint - transform proposal not supported for identity error

yurkovskym
Level 1

Hi all,

My first post here ...

I have a weird issue that I couldn't resolve ....

I'm trying to bring up an IPsec tunnel but get the "transform proposal not supported for identity" message.

I know that this points to a mismatch in the phase 2 parameters for IPsec to come up - but I checked and it looks like all parameters are the same on both ends [I have access only to the Cisco router, but I got the other end (with the Checkpoint) on the phone and verified all parameters]

I have disabled NAT for the interesting segments by ACL.

Thank you for any help on this subject - if you require additional info, just ask.

My config:

Cisco 2811 - c2800nm-advipservicesk9-mz.124-18a.bin

crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 5
!
crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 4
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp policy 5
 encr 3des
 hash md5
 authentication pre-share
 group 2
...
crypto isakmp key XXXXXXXX address 198.A.A.248 no-xauth
crypto isakmp keepalive 120 10 periodic
...
crypto ipsec transform-set BBB esp-3des esp-md5-hmac
!
crypto map mymap client authentication list userauthen
crypto map mymap isakmp authorization list groupauthor
crypto map mymap client configuration address respond
...
crypto map mymap 20 ipsec-isakmp
 set peer 198.A.A.248
 set transform-set BBB
 match address BBB_ACL
ip access-list extended BBB_ACL
 permit ip host 10.C.C.77 host 170.D.D.138
!
interface FastEthernet0/0
 ip address 69.X.X.234 255.255.255.248
 ip access-group Protect_From_Internet in
 ip nat outside
 ip virtual-reassembly
 load-interval 30
 duplex full
 speed 100
 crypto map mymap

My debug:

.Apr 10 11:24:27.457: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 69.X.X.234, remote= 198.A.A.248,
    local_proxy= 10.C.C.77/255.255.255.255/0/0 (type=1),
    remote_proxy= 170.D.D.138/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-3des esp-md5-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x26DD572D(652039981), conn_id= 0, keysize= 0, flags= 0x400E
.Apr 10 11:24:27.457: ISAKMP: local port 500, remote port 500
.Apr 10 11:24:27.457: ISAKMP: set new node 0 to QM_IDLE
.Apr 10 11:24:27.457: insert sa successfully sa = 462B7918
.Apr 10 11:24:27.457: ISAKMP:(0:0:N/A:0):Can not start Aggressive mode, trying Main mode.
.Apr 10 11:24:27.457: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 198.A.A.248
.Apr 10 11:24:27.457: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-07 ID
.Apr 10 11:24:27.457: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-03 ID
.Apr 10 11:24:27.457: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-02 ID
.Apr 10 11:24:27.461: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
.Apr 10 11:24:27.461: ISAKMP:(0:0:N/A:0):Old State = IKE_READY  New State = IKE_I_MM1
.Apr 10 11:24:27.461: ISAKMP:(0:0:N/A:0): beginning Main Mode exchange
.Apr 10 11:24:27.461: ISAKMP:(0:0:N/A:0): sending packet to 198.A.A.248 my_port 500 peer_port 500 (I) MM_NO_STATE
.Apr 10 11:24:27.481: ISAKMP (0:0): received packet from 198.A.A.248 dport 500 sport 500 Global (I) MM_NO_STATE
.Apr 10 11:24:27.485: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
.Apr 10 11:24:27.485: ISAKMP:(0:0:N/A:0):Old State = IKE_I_MM1  New State = IKE_I_MM2
.Apr 10 11:24:27.485: ISAKMP:(0:0:N/A:0): processing SA payload. message ID = 0
.Apr 10 11:24:27.485: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 198.A.A.248
.Apr 10 11:24:27.485: ISAKMP:(0:0:N/A:0): local preshared key found
.Apr 10 11:24:27.485: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 1 policy
.Apr 10 11:24:27.485: ISAKMP:      encryption 3DES-CBC
.Apr 10 11:24:27.485: ISAKMP:      hash MD5
.Apr 10 11:24:27.485: ISAKMP:      default group 2
.Apr 10 11:24:27.485: ISAKMP:      auth pre-share
.Apr 10 11:24:27.485: ISAKMP:      life type in seconds
.Apr 10 11:24:27.485: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
.Apr 10 11:24:27.485: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
.Apr 10 11:24:27.485: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 0
.Apr 10 11:24:27.485: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 2 policy
.Apr 10 11:24:27.485: ISAKMP:      encryption 3DES-CBC
.Apr 10 11:24:27.485: ISAKMP:      hash MD5
.Apr 10 11:24:27.485: ISAKMP:      default group 2
.Apr 10 11:24:27.485: ISAKMP:      auth pre-share
.Apr 10 11:24:27.485: ISAKMP:      life type in seconds
.Apr 10 11:24:27.485: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
.Apr 10 11:24:27.485: ISAKMP:(0:0:N/A:0):Hash algorithm offered does not match policy!
.Apr 10 11:24:27.485: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 0
.Apr 10 11:24:27.485: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 3 policy
.Apr 10 11:24:27.485: ISAKMP:      encryption 3DES-CBC
.Apr 10 11:24:27.485: ISAKMP:      hash MD5
.Apr 10 11:24:27.485: ISAKMP:      default group 2
.Apr 10 11:24:27.485: ISAKMP:      auth pre-share
.Apr 10 11:24:27.485: ISAKMP:      life type in seconds
.Apr 10 11:24:27.485: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
.Apr 10 11:24:27.485: ISAKMP:(0:0:N/A:0):Hash algorithm offered does not match policy!
.Apr 10 11:24:27.485: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 0
.Apr 10 11:24:27.485: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 4 policy
.Apr 10 11:24:27.485: ISAKMP:      encryption 3DES-CBC
.Apr 10 11:24:27.485: ISAKMP:      hash MD5
.Apr 10 11:24:27.485: ISAKMP:      default group 2
.Apr 10 11:24:27.485: ISAKMP:      auth pre-share
.Apr 10 11:24:27.485: ISAKMP:      life type in seconds
.Apr 10 11:24:27.489: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
.Apr 10 11:24:27.489: ISAKMP:(0:0:N/A:0):Diffie-Hellman group offered does not match policy!
.Apr 10 11:24:27.489: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 0
.Apr 10 11:24:27.489: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 5 policy
.Apr 10 11:24:27.489: ISAKMP:      encryption 3DES-CBC
.Apr 10 11:24:27.489: ISAKMP:      hash MD5
.Apr 10 11:24:27.489: ISAKMP:      default group 2
.Apr 10 11:24:27.489: ISAKMP:      auth pre-share
.Apr 10 11:24:27.489: ISAKMP:      life type in seconds
.Apr 10 11:24:27.489: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
.Apr 10 11:24:27.489: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 0
.Apr 10 11:24:27.525: ISAKMP:(0:170:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
.Apr 10 11:24:27.525: ISAKMP:(0:170:SW:1):Old State = IKE_I_MM2  New State = IKE_I_MM2
.Apr 10 11:24:27.529: ISAKMP:(0:170:SW:1): sending packet to 198.A.A.248 my_port 500 peer_port 500 (I) MM_SA_SETUP
.Apr 10 11:24:27.529: ISAKMP:(0:170:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
.Apr 10 11:24:27.529: ISAKMP:(0:170:SW:1):Old State = IKE_I_MM2  New State = IKE_I_MM3
.Apr 10 11:24:27.553: ISAKMP (0:134217898): received packet from 198.A.A.248 dport 500 sport 500 Global (I) MM_SA_SETUP
.Apr 10 11:24:27.553: ISAKMP:(0:170:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
.Apr 10 11:24:27.553: ISAKMP:(0:170:SW:1):Old State = IKE_I_MM3  New State = IKE_I_MM4
.Apr 10 11:24:27.553: ISAKMP:(0:170:SW:1): processing KE payload. message ID = 0
.Apr 10 11:24:27.605: ISAKMP:(0:170:SW:1): processing NONCE payload. message ID = 0
.Apr 10 11:24:27.605: ISAKMP:(0:170:SW:1):found peer pre-shared key matching 198.A.A.248
.Apr 10 11:24:27.605: ISAKMP:(0:170:SW:1):SKEYID state generated
.Apr 10 11:24:27.605: ISAKMP:(0:170:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
.Apr 10 11:24:27.605: ISAKMP:(0:170:SW:1):Old State = IKE_I_MM4  New State = IKE_I_MM4
.Apr 10 11:24:27.609: ISAKMP:(0:170:SW:1):Send initial contact
.Apr 10 11:24:27.609: ISAKMP:(0:170:SW:1):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
.Apr 10 11:24:27.609: ISAKMP (0:134217898): ID payload
        next-payload : 8
        type         : 1
        address      : 69.X.X.234
        protocol     : 17
        port         : 500
        length       : 12
.Apr 10 11:24:27.609: ISAKMP:(0:170:SW:1):Total payload length: 12
.Apr 10 11:24:27.609: ISAKMP:(0:170:SW:1): sending packet to 198.A.A.248 my_port 500 peer_port 500 (I) MM_KEY_EXCH
.Apr 10 11:24:27.613: ISAKMP:(0:170:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
.Apr 10 11:24:27.613: ISAKMP:(0:170:SW:1):Old State = IKE_I_MM4  New State = IKE_I_MM5
.Apr 10 11:24:27.637: ISAKMP (0:134217898): received packet from 198.A.A.248 dport 500 sport 500 Global (I) MM_KEY_EXCH
.Apr 10 11:24:27.637: ISAKMP:(0:170:SW:1): processing ID payload. message ID = 0
.Apr 10 11:24:27.637: ISAKMP (0:134217898): ID payload
        next-payload : 8
        type         : 1
        address      : 198.A.A.248
        protocol     : 0
        port         : 0
        length       : 12
.Apr 10 11:24:27.637: ISAKMP:(0:170:SW:1):: peer matches *none* of the profiles
.Apr 10 11:24:27.637: ISAKMP:(0:170:SW:1): processing HASH payload. message ID = 0
.Apr 10 11:24:27.637: ISAKMP:(0:170:SW:1):SA authentication status:
        authenticated
.Apr 10 11:24:27.637: ISAKMP:(0:170:SW:1):SA has been authenticated with 198.A.A.248
.Apr 10 11:24:27.637: ISAKMP:(0:170:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
.Apr 10 11:24:27.637: ISAKMP:(0:170:SW:1):Old State = IKE_I_MM5  New State = IKE_I_MM6
.Apr 10 11:24:27.637: ISAKMP:(0:170:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
.Apr 10 11:24:27.637: ISAKMP:(0:170:SW:1):Old State = IKE_I_MM6  New State = IKE_I_MM6
.Apr 10 11:24:27.641: ISAKMP:(0:170:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
.Apr 10 11:24:27.641: ISAKMP:(0:170:SW:1):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
.Apr 10 11:24:27.641: ISAKMP:(0:170:SW:1):beginning Quick Mode exchange, M-ID of 1789684298
.Apr 10 11:24:27.641: ISAKMP:(0:170:SW:1): sending packet to 198.A.A.248 my_port 500 peer_port 500 (I) QM_IDLE
.Apr 10 11:24:27.641: ISAKMP:(0:170:SW:1):Node 1789684298, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
.Apr 10 11:24:27.645: ISAKMP:(0:170:SW:1):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
.Apr 10 11:24:27.645: ISAKMP:(0:170:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
.Apr 10 11:24:27.645: ISAKMP:(0:170:SW:1):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
.Apr 10 11:24:27.665: ISAKMP (0:134217898): received packet from 198.A.A.248 dport 500 sport 500 Global (I) QM_IDLE
.Apr 10 11:24:27.665: ISAKMP:(0:170:SW:1): processing HASH payload. message ID = 1789684298
.Apr 10 11:24:27.665: ISAKMP:(0:170:SW:1): processing SA payload. message ID = 1789684298
.Apr 10 11:24:27.665: ISAKMP:(0:170:SW:1):Checking IPSec proposal 1
.Apr 10 11:24:27.665: ISAKMP: transform 1, ESP_3DES
.Apr 10 11:24:27.665: ISAKMP:   attributes in transform:
.Apr 10 11:24:27.665: ISAKMP:      encaps is 1 (Tunnel)
.Apr 10 11:24:27.665: ISAKMP:      SA life type in seconds
.Apr 10 11:24:27.665: ISAKMP:      SA life duration (basic) of 3600
.Apr 10 11:24:27.665: ISAKMP:      SA life type in kilobytes
.Apr 10 11:24:27.665: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
.Apr 10 11:24:27.669: ISAKMP:      authenticator is HMAC-MD5
.Apr 10 11:24:27.669: ISAKMP:(0:170:SW:1):atts are acceptable.
.Apr 10 11:24:27.669: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 69.X.X.234, remote= 198.A.A.248,
    local_proxy= 10.C.C.77/255.255.255.255/0/0 (type=1),
    remote_proxy= 170.D.D.138/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-3des esp-md5-hmac  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
.Apr 10 11:24:27.669: IPSEC(validate_transform_proposal): transform proposal not supported for identity:
    {esp-3des esp-md5-hmac }
.Apr 10 11:24:27.669: ISAKMP:(0:170:SW:1): IPSec policy invalidated proposal
.Apr 10 11:24:27.669: ISAKMP:(0:170:SW:1): phase 2 SA policy not acceptable! (local 69.X.X.234 remote 198.A.A.248)
.Apr 10 11:24:27.669: ISAKMP: set new node -1911168147 to QM_IDLE
.Apr 10 11:24:27.669: ISAKMP:(0:170:SW:1):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
        spi 1169002592, message ID = -1911168147
.Apr 10 11:24:27.669: ISAKMP:(0:170:SW:1): sending packet to 198.A.A.248 my_port 500 peer_port 500 (I) QM_IDLE
.Apr 10 11:24:27.669: ISAKMP:(0:170:SW:1):purging node -1911168147
.Apr 10 11:24:27.673: ISAKMP (0:134217898): Unknown Input IKE_MESG_FROM_PEER, IKE_QM_EXCH:  for node 1789684298: state = IKE_QM_I_QM1
.Apr 10 11:24:27.673: ISAKMP:(0:170:SW:1):Node 1789684298, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
.Apr 10 11:24:27.673: ISAKMP:(0:170:SW:1):Old State = IKE_QM_I_QM1  New State = IKE_QM_I_QM1
.Apr 10 06:24:27.673: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 198.A.A.248
.Apr 10 11:24:57.457: IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= 69.X.X.234, remote= 198.A.A.248,
    local_proxy= 10.C.C.77/255.255.255.255/0/0 (type=1),
    remote_proxy= 170.D.D.138/255.255.255.255/0/0 (type=1)
.Apr 10 11:24:57.457: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 69.X.X.234, remote= 198.A.A.248,
    local_proxy= 10.C.C.77/255.255.255.255/0/0 (type=1),
    remote_proxy= 170.D.D.138/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-3des esp-md5-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x348EC7FF(881772543), conn_id= 0, keysize= 0, flags= 0x400E
.Apr 10 11:24:57.457: ISAKMP: set new node 0 to QM_IDLE
.Apr 10 11:24:57.457: SA has outstanding requests  (local 69.X.X.234 port 500, remote 198.A.A.248 port 500)
.Apr 10 11:24:57.457: ISAKMP:(0:170:SW:1): sitting IDLE. Starting QM immediately (QM_IDLE      )
.Apr 10 11:24:57.457: ISAKMP:(0:170:SW:1):beginning Quick Mode exchange, M-ID of -380643872
.Apr 10 11:24:57.457: ISAKMP:(0:170:SW:1): sending packet to 198.A.A.248 my_port 500 peer_port 500 (I) QM_IDLE
.Apr 10 11:24:57.461: ISAKMP:(0:170:SW:1):Node -380643872, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
.Apr 10 11:24:57.461: ISAKMP:(0:170:SW:1):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
.Apr 10 11:24:57.481: ISAKMP (0:134217898): received packet from 198.A.A.248 dport 500 sport 500 Global (I) QM_IDLE
.Apr 10 11:24:57.485: ISAKMP:(0:170:SW:1): processing HASH payload. message ID = -380643872
.Apr 10 11:24:57.485: ISAKMP:(0:170:SW:1): processing SA payload. message ID = -380643872
.Apr 10 11:24:57.485: ISAKMP:(0:170:SW:1):Checking IPSec proposal 1
.Apr 10 11:24:57.485: ISAKMP: transform 1, ESP_3DES
.Apr 10 11:24:57.485: ISAKMP:   attributes in transform:
.Apr 10 11:24:57.485: ISAKMP:      encaps is 1 (Tunnel)
.Apr 10 11:24:57.485: ISAKMP:      SA life type in seconds
.Apr 10 11:24:57.485: ISAKMP:      SA life duration (basic) of 3600
.Apr 10 11:24:57.485: ISAKMP:      SA life type in kilobytes
.Apr 10 11:24:57.485: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
.Apr 10 11:24:57.485: ISAKMP:      authenticator is HMAC-MD5
.Apr 10 11:24:57.485: ISAKMP:(0:170:SW:1):atts are acceptable.
.Apr 10 11:24:57.485: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 69.X.X.234, remote= 198.A.A.248,
    local_proxy= 10.C.C.77/255.255.255.255/0/0 (type=1),
    remote_proxy= 170.D.D.138/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-3des esp-md5-hmac  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
.Apr 10 11:24:57.485: IPSEC(validate_transform_proposal): transform proposal not supported for identity:
    {esp-3des esp-md5-hmac }
.Apr 10 11:24:57.485: ISAKMP:(0:170:SW:1): IPSec policy invalidated proposal
.Apr 10 11:24:57.485: ISAKMP:(0:170:SW:1): phase 2 SA policy not acceptable! (local 69.X.X.234 remote 198.A.A.248)
.Apr 10 11:24:57.485: ISAKMP: set new node 717110591 to QM_IDLE
.Apr 10 11:24:57.485: ISAKMP:(0:170:SW:1):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
        spi 1169002592, message ID = 717110591
.Apr 10 11:24:57.489: ISAKMP:(0:170:SW:1): sending packet to 198.A.A.248 my_port 500 peer_port 500 (I) QM_IDLE
.Apr 10 11:24:57.489: ISAKMP:(0:170:SW:1):purging node 717110591
.Apr 10 11:24:57.489: ISAKMP (0:134217898): Unknown Input IKE_MESG_FROM_PEER, IKE_QM_EXCH:  for node -380643872: state = IKE_QM_I_QM1
.Apr 10 11:24:57.489: ISAKMP:(0:170:SW:1):Node -380643872, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
.Apr 10 11:24:57.489: ISAKMP:(0:170:SW:1):Old State = IKE_QM_I_QM1  New State = IKE_QM_I_QM1
.Apr 10 11:25:27.457: IPSEC(key_engine): request timer fired: count = 2,
  (identity) local= 69.X.X.234, remote= 198.A.A.248,
    local_proxy= 10.C.C.77/255.255.255.255/0/0 (type=1),
    remote_proxy= 170.D.D.138/255.255.255.255/0/0 (type=1)
.Apr 10 11:25:27.457: ISAKMP:(0:170:SW:1):peer does not do paranoid keepalives.
.Apr 10 11:25:27.457: ISAKMP:(0:170:SW:1):deleting SA reason "P1 delete notify (in)" state (I) QM_IDLE       (peer 198.A.A.248)
.Apr 10 11:25:27.457: ISAKMP: set new node 1428228561 to QM_IDLE
.Apr 10 11:25:27.457: ISAKMP:(0:170:SW:1): sending packet to 198.A.A.248 my_port 500 peer_port 500 (I) QM_IDLE
.Apr 10 11:25:27.457: ISAKMP:(0:170:SW:1):purging node 1428228561
.Apr 10 11:25:27.461: ISAKMP:(0:170:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
.Apr 10 11:25:27.461: ISAKMP:(0:170:SW:1):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA
.Apr 10 11:25:27.461: ISAKMP:(0:170:SW:1):deleting SA reason "No reason" state (I) QM_IDLE       (peer 198.A.A.248)
.Apr 10 11:25:27.461: ISAKMP:(0:170:SW:1):deleting node 1789684298 error FALSE reason "IKE deleted"
.Apr 10 11:25:27.461: ISAKMP:(0:170:SW:1):deleting node -380643872 error FALSE reason "IKE deleted"
.Apr 10 11:25:27.461: ISAKMP:(0:170:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
.Apr 10 11:25:27.461: ISAKMP:(0:170:SW:1):Old State = IKE_DEST_SA  New State = IKE_DEST_SA
.Apr 10 11:25:27.461: IPSEC(key_engine): got a queue event with 1 kei messages
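As an added example (mine, not the poster's or Cisco's), a small Python helper that scans this kind of debug crypto isakmp / debug crypto ipsec output and reports which ISAKMP policy accepted the peer's phase 1 offer and whether the quick-mode proposal was then rejected by the local IPsec policy, which is the split the thread is circling: phase 1 completes, phase 2 fails at validate_transform_proposal. The sample excerpt is constructed from the lines above (the poster's address masking is kept), and the only message formats it understands are the ones shown in this post.

```python
import re
# Constructed excerpt modelled on the debug output in the post above; the
# poster's address masking (69.X.X.234, 198.A.A.248, ...) is kept as-is.
SAMPLE_DEBUG = """\
.Apr 10 11:24:27.485: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 1 policy
.Apr 10 11:24:27.485: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
.Apr 10 11:24:27.485: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 0
.Apr 10 11:24:27.489: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 4 policy
.Apr 10 11:24:27.489: ISAKMP:(0:0:N/A:0):Diffie-Hellman group offered does not match policy!
.Apr 10 11:24:27.489: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 0
.Apr 10 11:24:27.489: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 5 policy
.Apr 10 11:24:27.489: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 0
  (key eng. msg.) INBOUND local= 69.X.X.234, remote= 198.A.A.248,
    local_proxy= 10.C.C.77/255.255.255.255/0/0 (type=1),
    remote_proxy= 170.D.D.138/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-3des esp-md5-hmac  (Tunnel),
.Apr 10 11:24:27.669: IPSEC(validate_transform_proposal): transform proposal not supported for identity:
"""

CHECK = re.compile(r"Checking ISAKMP transform \d+ against priority (\d+) policy")
MISMATCH = re.compile(r":(\w[\w\- ]+?) offered does not match policy!")
VERDICT = re.compile(r"atts are (not acceptable|acceptable)")
PROXY = re.compile(r"(local_proxy|remote_proxy)= (\S+)")
TRANSFORM = re.compile(r"transform= (.+?)\s+\(")
REJECT = re.compile(r"transform proposal not supported for identity")

def phase1_policy_results(text):
    # (priority, outcome) for every ISAKMP policy the peer's offer was tried against
    results, current, reason = [], None, None
    for line in text.splitlines():
        if m := CHECK.search(line):
            current, reason = int(m.group(1)), None
        elif m := MISMATCH.search(line):
            reason = m.group(1)
        elif (m := VERDICT.search(line)) and current is not None:
            results.append((current, "accepted" if m.group(1) == "acceptable" else reason))
            current = None
    return results

def phase2_proposal(text):
    # Proxy IDs and transform the peer proposed, and whether the IPsec layer rejected them
    info = {"rejected": False}
    for line in text.splitlines():
        if m := PROXY.search(line):
            info[m.group(1)] = m.group(2)
        elif m := TRANSFORM.search(line):
            info["transform"] = m.group(1)
        elif REJECT.search(line):
            info["rejected"] = True
    return info

def diagnose(text):
    # Summarise both phases the way the thread above reads the debug
    ok = [p for p, r in phase1_policy_results(text) if r == "accepted"]
    p2 = phase2_proposal(text)
    if not ok:
        return "phase 1: no ISAKMP policy matched the peer's offer"
    if not p2["rejected"]:
        return f"phase 1 matched policy {ok[0]}; phase 2 proposal {p2.get('transform')} accepted"
    return (f"phase 1 matched policy {ok[0]}; phase 2 rejected by local IPsec policy: check the "
            f"transform-set and crypto ACL for {p2.get('local_proxy')} <-> {p2.get('remote_proxy')}")
```

Run against a full capture, the per-policy list shows at a glance why policies 1 to 4 lost (encryption, hash, DH group) and that policy 5 won, so the remaining mismatch has to be on the IPsec side of the crypto map.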

3 Replies

yurkovskym
Level 1

Anyone?

Looks like a tough one?

IPSec transform-sets seem to be fine on both sites. What about proxy-IDs? Here your ID looks like this:

ip access-list extended BBB_ACL
 permit ip host 10.C.C.77 host 170.D.D.138

Are you trying to protect traffic between only these two hosts?

Does the other end have an exact mirror of this ACL configured?

Thanks for the reply.

Yes, we changed the interesting traffic to only two hosts for troubleshooting,

and yes, as the guy on the other side said, the ACL is mirrored -

From what I know, when the ACL is not mirrored, the error in the debug looks different -