02-21-2013 12:19 PM
ISAKMP Header
Initiator COOKIE: 0b e0 e3 08 39 eb 3d 89
Responder COOKIE: 00 00 00 00 00 00 00 00
Next Payload: Security Association
Version: 1.0
Exchange Type: Identity Protection (Main Mode)
Flags: (none)
MessageID: 00000000
Length: 188
Payload Security Association
Next Payload: Vendor ID
Reserved: 00
Payload Length: 136
DOI: IPsec
Situation:(SIT_IDENTITY_ONLY)
Payload Proposal
Next Payload: None
Reserved: 00
Payload Length: 124
Proposal #: 1
Protocol-Id: PROTO_ISAKMP
SPI Size: 0
# of transforms: 3
Payload Transform
Next Payload: Transform
Reserved: 00
Payload Length: 36
Transform #: 1
Transform-Id: KEY_IKE
Reserved2: 0000
Group Description: Group 2
Encryption Algorithm: 3DES-CBC
Hash Algorithm: SHA1
Authentication Method: Preshared key
Life Type: seconds
Life Duration (Hex): 00 01 51 80
Payload Transform
Next Payload: Transform
Reserved: 00
Payload Length: 40
Transform #: 2
Transform-Id: KEY_IKE
Reserved2: 0000
Group Description: Group 2
Encryption Algorithm: AES-CBC
Key Length: 256
Hash Algorithm: SHA1
Authentication Method: Preshared key
Life Type: seconds
Life Duration (Hex): 00 01 51 80
Payload Transform
Next Payload: None
Reserved: 00
Payload Length: 40
Transform #: 3
Transform-Id: KEY_IKE
Reserved2: 0000
Group Description: Group 5
Encryption Algorithm: AES-CBC
Key Length: 256
Hash Algorithm: SHA1
Authentication Method: Preshared key
Life Type: seconds
Life Duration (Hex): 00 01 51 80
Payload Vendor ID
Next Payload: None
Reserved: 00
Payload Length: 24
Data (In Hex):
40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
c0 00 00 00
Feb 21 16:17:27 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Feb 21 16:17:27 [IKEv1]: IP = 38.98.146.1, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Feb 21 16:17:27 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Feb 21 16:17:27 [IKEv1]: IP = 38.98.146.1, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Feb 21 16:17:29 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Feb 21 16:17:29 [IKEv1]: IP = 38.98.146.1, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Feb 21 16:17:30 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Feb 21 16:17:30 [IKEv1]: IP = 38.98.146.1, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Feb 21 16:17:31 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Feb 21 16:17:31 [IKEv1]: IP = 38.98.146.1, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Feb 21 16:17:31 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Feb 21 16:17:31 [IKEv1]: IP = 38.98.146.1, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Feb 21 16:17:32 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Feb 21 16:17:32 [IKEv1]: IP = 38.98.146.1, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Feb 21 16:17:34 [IKEv1]: IP = 38.98.146.1, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 188
ISAKMP Header
Initiator COOKIE: 0b e0 e3 08 39 eb 3d 89
Responder COOKIE: 00 00 00 00 00 00 00 00
Next Payload: Security Association
Version: 1.0
Exchange Type: Identity Protection (Main Mode)
Flags: (none)
MessageID: 00000000
Length: 188
Payload Security Association
Next Payload: Vendor ID
Reserved: 00
Payload Length: 136
DOI: IPsec
Situation:(SIT_IDENTITY_ONLY)
Payload Proposal
Next Payload: None
Reserved: 00
Payload Length: 124
Proposal #: 1
Protocol-Id: PROTO_ISAKMP
SPI Size: 0
# of transforms: 3
Payload Transform
Next Payload: Transform
Reserved: 00
Payload Length: 36
Transform #: 1
Transform-Id: KEY_IKE
Reserved2: 0000
Group Description: Group 2
Encryption Algorithm: 3DES-CBC
Hash Algorithm: SHA1
Authentication Method: Preshared key
Life Type: seconds
Life Duration (Hex): 00 01 51 80
Payload Transform
Next Payload: Transform
Reserved: 00
Payload Length: 40
Transform #: 2
Transform-Id: KEY_IKE
Reserved2: 0000
Group Description: Group 2
Encryption Algorithm: AES-CBC
Key Length: 256
Hash Algorithm: SHA1
Authentication Method: Preshared key
Life Type: seconds
Life Duration (Hex): 00 01 51 80
Payload Transform
Next Payload: None
Reserved: 00
Payload Length: 40
Transform #: 3
Transform-Id: KEY_IKE
Reserved2: 0000
Group Description: Group 5
Encryption Algorithm: AES-CBC
Key Length: 256
Hash Algorithm: SHA1
Authentication Method: Preshared key
Life Type: seconds
Life Duration (Hex): 00 01 51 80
Payload Vendor ID
Next Payload: None
Reserved: 00
Payload Length: 24
Data (In Hex):
40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
c0 00 00 00
Feb 21 16:17:37 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Feb 21 16:17:37 [IKEv1]: IP = 38.98.146.1, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Feb 21 16:17:41 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Feb 21 16:17:41 [IKEv1]: IP = 38.98.146.1, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Feb 21 16:17:42 [IKEv1]: IP = 38.98.146.1, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 188
ISAKMP Header
Initiator COOKIE: 0b e0 e3 08 39 eb 3d 89
Responder COOKIE: 00 00 00 00 00 00 00 00
Next Payload: Security Association
Version: 1.0
Exchange Type: Identity Protection (Main Mode)
Flags: (none)
MessageID: 00000000
Length: 188
Payload Security Association
Next Payload: Vendor ID
Reserved: 00
Payload Length: 136
DOI: IPsec
Situation:(SIT_IDENTITY_ONLY)
Payload Proposal
Next Payload: None
Reserved: 00
Payload Length: 124
Proposal #: 1
Protocol-Id: PROTO_ISAKMP
SPI Size: 0
# of transforms: 3
Payload Transform
Next Payload: Transform
Reserved: 00
Payload Length: 36
Transform #: 1
Transform-Id: KEY_IKE
Reserved2: 0000
Group Description: Group 2
Encryption Algorithm: 3DES-CBC
Hash Algorithm: SHA1
Authentication Method: Preshared key
Life Type: seconds
Life Duration (Hex): 00 01 51 80
Payload Transform
Next Payload: Transform
Reserved: 00
Payload Length: 40
Transform #: 2
Transform-Id: KEY_IKE
Reserved2: 0000
Group Description: Group 2
Encryption Algorithm: AES-CBC
Key Length: 256
Hash Algorithm: SHA1
Authentication Method: Preshared key
Life Type: seconds
Life Duration (Hex): 00 01 51 80
Payload Transform
Next Payload: None
Reserved: 00
Payload Length: 40
Transform #: 3
Transform-Id: KEY_IKE
Reserved2: 0000
Group Description: Group 5
Encryption Algorithm: AES-CBC
Key Length: 256
Hash Algorithm: SHA1
Authentication Method: Preshared key
Life Type: seconds
Life Duration (Hex): 00 01 51 80
Payload Vendor ID
Next Payload: None
Reserved: 00
Payload Length: 24
Data (In Hex):
40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
c0 00 00 00
Feb 21 16:17:45 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Feb 21 16:17:45 [IKEv1]: IP = 38.98.146.1, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Feb 21 16:17:47 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Feb 21 16:17:47 [IKEv1]: IP = 38.98.146.1, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Feb 21 16:17:50 [IKEv1 DEBUG]: IP = 38.98.146.1, IKE MM Initiator FSM error history (struct &0x37ceaf8) <state>, <event>: MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
Feb 21 16:17:50 [IKEv1 DEBUG]: IP = 38.98.146.1, IKE SA MM:08e3e00b terminating: flags 0x01000022, refcnt 0, tuncnt 0
Feb 21 16:17:50 [IKEv1 DEBUG]: IP = 38.98.146.1, sending delete/delete with reason message
Feb 21 16:17:50 [IKEv1]: IP = 38.98.146.1, Removing peer from peer table failed, no match!
Feb 21 16:17:50 [IKEv1]: IP = 38.98.146.1, Error: Unable to remove PeerTblEntry
Feb 21 16:17:51 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Feb 21 16:17:51 [IKEv1]: IP = 38.98.146.1, IKE Initiator: New Phase 1, Intf inside, IKE Peer 38.98.146.1 local Proxy Address 10.70.50.0, remote Proxy Address 10.10.100.0, Crypto map (S2S-VPN)
Feb 21 16:17:51 [IKEv1 DEBUG]: IP = 38.98.146.1, constructing ISAKMP SA payload
Feb 21 16:17:51 [IKEv1 DEBUG]: IP = 38.98.146.1, constructing Fragmentation VID + extended capabilities payload
Feb 21 16:17:51 [IKEv1]: IP = 38.98.146.1, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 188
SENDING PACKET to 38.98.146.1
ISAKMP Header
Initiator COOKIE: 96 21 c7 41 66 de df 5c
Responder COOKIE: 00 00 00 00 00 00 00 00
Next Payload: Security Association
Version: 1.0
Exchange Type: Identity Protection (Main Mode)
Flags: (none)
MessageID: 00000000
Length: 188
Payload Security Association
Next Payload: Vendor ID
Reserved: 00
Payload Length: 136
DOI: IPsec
Situation:(SIT_IDENTITY_ONLY)
Payload Proposal
Next Payload: None
Reserved: 00
Payload Length: 124
Proposal #: 1
Protocol-Id: PROTO_ISAKMP
SPI Size: 0
# of transforms: 3
Payload Transform
Next Payload: Transform
Reserved: 00
Payload Length: 36
Transform #: 1
Transform-Id: KEY_IKE
Reserved2: 0000
Group Description: Group 2
Encryption Algorithm: 3DES-CBC
Hash Algorithm: SHA1
Authentication Method: Preshared key
Life Type: seconds
Life Duration (Hex): 00 01 51 80
Payload Transform
Next Payload: Transform
Reserved: 00
Payload Length: 40
Transform #: 2
Transform-Id: KEY_IKE
Reserved2: 0000
Group Description: Group 2
Encryption Algorithm: AES-CBC
Key Length: 256
Hash Algorithm: SHA1
Authentication Method: Preshared key
Life Type: seconds
Life Duration (Hex): 00 01 51 80
Payload Transform
Next Payload: None
Reserved: 00
Payload Length: 40
Transform #: 3
Transform-Id: KEY_IKE
Reserved2: 0000
Group Description: Group 5
Encryption Algorithm: AES-CBC
Key Length: 256
Hash Algorithm: SHA1
Authentication Method: Preshared key
Life Type: seconds
Life Duration (Hex): 00 01 51 80
Payload Vendor ID
Next Payload: None
Reserved: 00
Payload Length: 24
Data (In Hex):
40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
c0 00 00 00
uall
^
ERROR: % Invalid input detected at '^' marker.
ASA5505# Feb 21 16:17:59 [IKEv1]: IP = 38.98.146.1, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 188
ISAKMP Header
Initiator COOKIE: 96 21 c7 41 66 de df 5c
Responder COOKIE: 00 00 00 00 00 00 00 00
Next Payload: Security Association
Version: 1.0
Exchange Type: Identity Protection (Main Mode)
Flags: (none)
MessageID: 00000000
Length: 188
Payload Security Association
Next Payload: Vendor ID
Reserved: 00
Payload Length: 136
DOI: IPsec
Situation:(SIT_IDENTITY_ONLY)
Payload Proposal
Next Payload: None
Reserved: 00
Payload Length: 124
Proposal #: 1
Protocol-Id: PROTO_ISAKMP
SPI Size: 0
# of transforms: 3
Payload Transform
Next Payload: Transform
Reserved: 00
Payload Length: 36
Transform #: 1
Transform-Id: KEY_IKE
Reserved2: 0000
Group Description: Group 2
Encryption Algorithm: 3DES-CBC
Hash Algorithm: SHA1
Authentication Method: Preshared key
Life Type: seconds
Life Duration (Hex): 00 01 51 80
Payload Transform
Next Payload: Transform
Reserved: 00
Payload Length: 40
Transform #: 2
Transform-Id: KEY_IKE
Reserved2: 0000
Group Description: Group 2
Encryption Algorithm: AES-CBC
Key Length: 256
Hash Algorithm: SHA1
Authentication Method: Preshared key
Life Type: seconds
Life Duration (Hex): 00 01 51 80
Payload Transform
Next Payload: None
Reserved: 00
Payload Length: 40
Transform #: 3
Transform-Id: KEY_IKE
Reserved2: 0000
Group Description: Group 5
Encryption Algorithm: AES-CBC
Key Length: 256
Hash Algorithm: SHA1
Authentication Method: Preshared key
Life Type: seconds
Life Duration (Hex): 00 01 51 80
Payload Vendor ID
Next Payload: None
Reserved: 00
Payload Length: 24
Data (In Hex):
40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
c0 00 00 00
Feb 21 16:18:01 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Feb 21 16:18:01 [IKEv1]: IP = 38.98.146.1, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
all
02-25-2013 08:26 AM
It seems that this device is initiating the tunnel: it sends IKE MM1 but never receives a response from the peer.
Feb 21 16:17:50 [IKEv1 DEBUG]: IP = 38.98.146.1, IKE MM Initiator FSM error history (struct &0x37ceaf8) <state>, <event>: MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
EV_ERROR-->MM_WAIT_MSG2
indicates that we give up when waiting for the response...
Check if the peer is reachable, if the ISP (yours or the peer's) is not blocking UDP 500, if the peer has IKE enabled, ... Run debugs on the peer to see if it receives MM1 and why it does not respond...
hth
Herbert
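The reading given in the reply above can be automated over a saved debug capture. The following is an added example, not part of the original posts: it counts Main Mode messages per peer and flags a peer whose FSM error history shows EV_ERROR raised from MM_WAIT_MSG2 with nothing received. It assumes the history is listed newest first, as the reply's reading implies; the function names and the 192.0.2.10 lines are hypothetical.

```python
import re
from collections import defaultdict

# 38.98.146.1 lines are copied from the debug output in this thread (terminal
# wraps joined); the 192.0.2.10 lines are constructed to show an answering peer.
SAMPLE_LOG = """\
Feb 21 16:17:34 [IKEv1]: IP = 38.98.146.1, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 188
Feb 21 16:17:42 [IKEv1]: IP = 38.98.146.1, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 188
Feb 21 16:17:50 [IKEv1 DEBUG]: IP = 38.98.146.1, IKE MM Initiator FSM error history (struct &0x37ceaf8) <state>, <event>: MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
Feb 21 16:17:51 [IKEv1]: IP = 38.98.146.1, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 188
Feb 21 16:17:59 [IKEv1]: IP = 38.98.146.1, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 188
Feb 21 16:18:05 [IKEv1]: IP = 192.0.2.10, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 188
Feb 21 16:18:05 [IKEv1]: IP = 192.0.2.10, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 128
"""

DECODE = re.compile(r"IP = ([\d.]+), IKE_DECODE (SENDING|RESENDING|RECEIVED) Message \(msgid=0\)")
FSM = re.compile(r"IP = ([\d.]+), IKE MM Initiator FSM error history .*?<event>: (.*)")
COUNTER = {"SENDING": "sent", "RESENDING": "resent", "RECEIVED": "received"}

def failed_state(history):
    """Return the state the FSM was in when EV_ERROR fired (newest entry first)."""
    steps = [s.strip().split(", ") for s in history.split("-->")]
    for cur, nxt in zip(steps, steps[1:]):
        if cur[-1] == "EV_ERROR":
            return nxt[0]
    return None

def diagnose(log_text):
    """Per-peer Main Mode counters plus a flag for 'MM1 sent, MM2 never arrived'."""
    peers = defaultdict(lambda: {"sent": 0, "resent": 0, "received": 0, "failed_in": None})
    for line in log_text.splitlines():
        if m := DECODE.search(line):
            peers[m.group(1)][COUNTER[m.group(2)]] += 1
        elif m := FSM.search(line):
            peers[m.group(1)]["failed_in"] = failed_state(m.group(2))
    for stats in peers.values():
        # Packets went out, none came back, and the FSM gave up waiting for MM2.
        stats["no_mm2"] = (stats["received"] == 0
                           and stats["sent"] + stats["resent"] > 0
                           and stats["failed_in"] == "MM_WAIT_MSG2")
    return dict(peers)

if __name__ == "__main__":
    for ip, stats in diagnose(SAMPLE_LOG).items():
        print(ip, stats)
```

A peer flagged `no_mm2` is the case described in the reply: reachability, UDP 500 filtering and the peer's IKE configuration are the things to check before looking at proposal mismatches.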