03-14-2013 08:36 AM
I did a site-to-site VPN that worked for about a week and won't come back up. Can anyone spot the problem? It's an IOS router on one side, and an ASA on the other. There are 5 VPNs on the box, the others are working fine. I tried to isolate the commands for this tunnel but some others may be mixed in.
000443: *Mar 14 15:28:47: ISAKMP:(0:3:SW:1):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
000444: *Mar 14 15:28:50: ISAKMP (0:0): received packet from 199.x.x. dport 500 sport 500 Global (N) NEW SA
000445: *Mar 14 15:28:50: ISAKMP: Created a peer struct for 199.x.x.x, peer port 500
000446: *Mar 14 15:28:50: ISAKMP: New peer created peer = 0x640CB9E0 peer_handle = 0x80000015
000447: *Mar 14 15:28:50: ISAKMP: Locking peer struct 0x640CB9E0, IKE refcount 1 for crypto_isakmp_process_block
000448: *Mar 14 15:28:50: ISAKMP: local port 500, remote port 500
000449: *Mar 14 15:28:50: insert sa successfully sa = 64040BD8
000450: *Mar 14 15:28:50: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
000451: *Mar 14 15:28:50: ISAKMP:(0:0:N/A:0):Old State = IKE_READY New State =IKE_R_MM1
000452: *Mar 14 15:28:50: ISAKMP:(0:0:N/A:0): processing SA payload. message ID= 0
000453: *Mar 14 15:28:50: ISAKMP:(0:0:N/A:0): processing vendor id payload
000454: *Mar 14 15:28:50: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 123 mismatch
000455: *Mar 14 15:28:50: ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v2
000456: *Mar 14 15:28:50: ISAKMP:(0:0:N/A:0): processing vendor id payload
000457: *Mar 14 15:28:50: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 157 mismatch
000458: *Mar 14 15:28:50: ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v3
000459: *Mar 14 15:28:50: ISAKMP:(0:0:N/A:0): processing vendor id payload
000460: *Mar 14 15:28:50: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 69 mismatch
000461: *Mar 14 15:28:50: ISAKMP:(0:0:N/A:0): processing vendor id payload
000462: *Mar 14 15:28:50: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 194 mismatch
000463: *Mar 14 15:28:50: ISAKMP:(0:0:N/A:0):Looking for a matching key for 199.x.x.x in default
000464: *Mar 14 15:28:50: ISAKMP:(0:0:N/A:0): : success
000465: *Mar 14 15:28:50: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 199.x.x.x
000466: *Mar 14 15:28:50: ISAKMP:(0:0:N/A:0): local preshared key found
000467: *Mar 14 15:28:50: ISAKMP : Scanning profiles for xauth ...
000468: *Mar 14 15:28:50: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 1 policy
000469: *Mar 14 15:28:50: ISAKMP: default group 2
000470: *Mar 14 15:28:50: ISAKMP: encryption AES-CBC
000471: *Mar 14 15:28:50: ISAKMP: keylength of 256
000472: *Mar 14 15:28:50: ISAKMP: hash SHA
000473: *Mar 14 15:28:50: ISAKMP: auth pre-share
000474: *Mar 14 15:28:50: ISAKMP: life type in seconds
000475: *Mar 14 15:28:50: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
000476: *Mar 14 15:28:50: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
000477: *Mar 14 15:28:50: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
000478: *Mar 14 15:28:50: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 2 against priority 1 policy
000479: *Mar 14 15:28:50: ISAKMP: default group 2
000480: *Mar 14 15:28:50: ISAKMP: encryption AES-CBC
000481: *Mar 14 15:28:50: ISAKMP: keylength of 192
000482: *Mar 14 15:28:50: ISAKMP: hash SHA
000483: *Mar 14 15:28:50: ISAKMP: auth pre-share
000484: *Mar 14 15:28:50: ISAKMP: life type in seconds
000485: *Mar 14 15:28:50: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
000486: *Mar 14 15:28:50: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
000487: *Mar 14 15:28:50: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
000488: *Mar 14 15:28:50: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 3 against priority 1 policy
000489: *Mar 14 15:28:50: ISAKMP: default group 2
000490: *Mar 14 15:28:50: ISAKMP: encryption AES-CBC
000491: *Mar 14 15:28:50: ISAKMP: keylength of 128
000492: *Mar 14 15:28:50: ISAKMP: hash SHA
000493: *Mar 14 15:28:50: ISAKMP: auth pre-share
000494: *Mar 14 15:28:50: ISAKMP: life type in seconds
000495: *Mar 14 15:28:50: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
000496: *Mar 14 15:28:50: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
000497: *Mar 14 15:28:50: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
000498: *Mar 14 15:28:50: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 4 against priority 1 policy
000499: *Mar 14 15:28:50: ISAKMP: default group 2
000500: *Mar 14 15:28:50: ISAKMP: encryption 3DES-CBC
000501: *Mar 14 15:28:50: ISAKMP: hash SHA
000502: *Mar 14 15:28:50: ISAKMP: auth pre-share
000503: *Mar 14 15:28:50: ISAKMP: life type in seconds
000504: *Mar 14 15:28:50: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
000505: *Mar 14 15:28:50: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 3
000506: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1): processing vendor id payload
000507: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1): vendor ID seems Unity/DPD but major 123 mismatch
000508: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1): vendor ID is NAT-T v2
000509: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1): processing vendor id payload
000510: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1): vendor ID seems Unity/DPD but major 157 mismatch
000511: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1): vendor ID is NAT-T v3
000512: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1): processing vendor id payload
000513: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1): vendor ID seems Unity/DPD but major 69 mismatch
000514: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1): processing vendor id payload
000515: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1): vendor ID seems Unity/DPD but major 194 mismatch
000516: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
000517: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1):Old State = IKE_R_MM1 New State = IKE_R_MM1
000518: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1): constructed NAT-T vendor-03 ID
000519: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1): sending packet to 199.x.x.x my_port 500 peer_port 500 (R) MM_SA_SETUP
000520: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
000521: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1):Old State = IKE_R_MM1 New State = IKE_R_MM2
000522: *Mar 14 15:28:51: ISAKMP (0:134217732): received packet from 199.x.x.x.x dport 500 sport 500 Global (R) MM_SA_SETUP
000523: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
000524: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1):Old State = IKE_R_MM2 New State = IKE_R_MM3
000525: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1): processing KE payload. message ID = 0
000526: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1): processing NONCE payload. message ID = 0
000527: *Mar 14 15:28:51: ISAKMP:(0:0:N/A:0):Looking for a matching key for 199.x.x.x in default
000528: *Mar 14 15:28:51: ISAKMP:(0:0:N/A:0): : success
000529: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1):found peer pre-shared key matching 199.x.x.x.
000530: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1):SKEYID state generated
000531: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1): processing vendor id payload
000532: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1): vendor ID is Unity
000533: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1): processing vendor id payload
000534: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1): vendor ID seems Unity/DPD but major 206 mismatch
000535: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1): vendor ID is XAUTH
000536: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1): processing vendor id payload
000537: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1): speaking to another IOS box!
000538: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1): processing vendor id payload
000539: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1):vendor ID seems Unity/DPD but hash mismatch
000540: *Mar 14 15:28:51: ISAKMP:received payload type 20
000541: *Mar 14 15:28:51: ISAKMP (0:134217732): NAT found, the node inside NAT
000542: *Mar 14 15:28:51: ISAKMP:received payload type 20
000543: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
000544: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1):Old State = IKE_R_MM3 New State = IKE_R_MM3
000545: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1): sending packet to 199.x.x.x. my_port 500 peer_port 500 (R) MM_KEY_EXCH
000546: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
000547: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1):Old State = IKE_R_MM3 New State = IKE_R_MM4
000548: *Mar 14 15:28:51: ISAKMP (0:134217732): received packet from 199.xx..x.x dport 4500 sport 4500 Global (R) MM_KEY_EXCH
000549: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
000550: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1):Old State = IKE_R_MM4 New State = IKE_R_MM5
000551: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1): processing ID payload. message ID = 0
000552: *Mar 14 15:28:51: ISAKMP (0:134217732): ID payload
next-payload : 8
type : 1
address : 199.x.x.x
protocol : 17
port : 0
length : 12
000553: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1):: peer matches *none* of the profiles
000554: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1): processing HASH payload. message ID = 0
000555: *Mar 14 15:28:51: ISAKMP:received payload type 17
000556: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1): processing vendor id payload
000557: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1): vendor ID is DPD
000558: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1):SA authentication status: authenticated
000559: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1):SA has been authenticated with 199.x.x.x
000560: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1):Detected port floating to port = 4500
000561: *Mar 14 15:28:51: ISAKMP: Trying to insert a peer 10.1.10.185/199.x.x..x/4500/, and inserted successfully 640CB9E0.
000562: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1):Setting UDP ENC peer struct 0x63EC9A58 sa= 0x64040BD8
000563: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
000564: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1):Old State = IKE_R_MM5 New State = IKE_R_MM5
000565: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
000566: *Mar 14 15:28:51: ISAKMP (0:134217732): ID payload
next-payload : 8
type : 1
address : 10.1.10.185
protocol : 17
port : 0
length : 12
000567: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1):Total payload length: 12
000568: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1): sending packet to 199.x.x.x my_port 4500 peer_port 4500 (R) MM_KEY_EXCH
000569: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
000570: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
000571: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
000572: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
000573: *Mar 14 15:28:51: ISAKMP (0:134217732): received packet from 199.x.x..x dport 4500 sport 4500 Global (R) QM_IDLE
000574: *Mar 14 15:28:51: ISAKMP: set new node 397879553 to QM_IDLE
000575: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1): processing HASH payload. message ID = 397879553
000576: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1): processing DELETE payload. messageID = 397879553
000577: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1):peer does not do paranoid keepalives.
000578: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1):deleting SA reason "No reason" state (R) QM_IDLE (peer 199.x.x.x)
000579: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1):deleting node 397879553 error FALSEreason "Informational (in) state 1"
000580: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
000581: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA
000582: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1):deleting SA reason "No reason" state (R) QM_IDLE (peer 199.x.x.x)
000583: *Mar 14 15:28:51: ISAKMP: Unlocking IKE struct 0x640CB9E0 for isadb_mark_sa_deleted(), count 0
000584: *Mar 14 15:28:51: ISAKMP: Deleting peer node by peer_reap for 199.x.x.x.x: 640CB9E0
000585: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1):deleting node 397879553 error FALSEreason "IKE deleted"
000586: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
000587: *Mar 14 15:28:51: ISAKMP:(0:4:SW:1):Old State = IKE_DEST_SA New State = IKE_DEST_SA
12-17-2015 02:00 PM
Did you figure out what the problem was?
12-17-2015 03:11 PM
Hi:
I checked the logs you sent and found the statement below. As per the log, the phase one policy does not match between the 2 peers. Check the policy and let us know.
000476: *Mar 14 15:28:50: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!