06-16-2003 06:57 AM - edited 02-21-2020 12:36 PM
--begin ciscomoderator note-- The following post has been edited to remove potentially confidential information. Please refrain from posting confidential information on the site to reduce security risks to your network. -- end ciscomoderator note --
Hi
I am trying to determine the cause of an anomaly with a VPN connection between a Cisco 1700 and a Raptor Firewall. The VPN will establish if you initiate the connection from the Cisco end (via a ping, for example) but will not establish if you try to initialise it from the LAN behind the Raptor Firewall.
I have the following debug output from the 1700 when trying to establish the VPN from the Raptor Firewall end:
*Mar 1 00:06:04: IPSEC(decapsulate): error in decapsulation crypto_ipsec_sa_exists
*Mar 1 00:06:15: ISAKMP: received ke message (3/1)
*Mar 1 00:06:15: ISAKMP: ignoring request to send delete notify (no ISAKMP sa) src yyy.yy.yyyy.57 dst nnn.nnn.nnn.250 for SPI 0xBCBF20B5
*Mar 1 00:06:20: ISAKMP: received ke message (3/1)
*Mar 1 00:06:20: ISAKMP: ignoring request to send delete notify (no ISAKMP sa) src yyy.yy.yyyy.57 dst nnn.nnn.nnn.250 for SPI 0x3EB21954
*Mar 1 00:06:30: ISAKMP: received ke message (3/1)
*Mar 1 00:06:30: ISAKMP: ignoring request to send delete notify (no ISAKMP sa) src yyy.yy.yyyy.57 dst nnn.nnn.nnn.250 for SPI 0xBCBF20B5
*Mar 1 00:06:41: ISAKMP: received ke message (3/1)
*Mar 1 00:06:41: ISAKMP: ignoring request to send delete notify (no ISAKMP sa) src yyy.yy.yyyy.57 dst nnn.nnn.nnn.250 for SPI 0xBCBF20B5
*Mar 1 00:06:47: ISAKMP: received ke message (3/1)
*Mar 1 00:06:47: ISAKMP: ignoring request to send delete notify (no ISAKMP sa) src yyy.yy.yyyy.57 dst nnn.nnn.nnn.250 for SPI 0xBCBF20B5
*Mar 1 00:06:55: ISAKMP: received ke message (3/1)
*Mar 1 00:06:55: ISAKMP: ignoring request to send delete notify (no ISAKMP sa) src yyy.yy.yyyy.57 dst nnn.nnn.nnn.250 for SPI 0xBCBF20B5
*Mar 1 00:07:04: IPSEC(decapsulate): error in decapsulation crypto_ipsec_sa_exists
*Mar 1 00:07:06: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for
destaddr=yyy.yy.yyyy.57, prot=50, spi=0xBCBF20B5(-1128324939), srcaddr=nnn.nnn.nnn.250
*Mar 1 00:07:06: ISAKMP: received ke message (3/1)
*Mar 1 00:07:06: ISAKMP: ignoring request to send delete notify (no ISAKMP sa) src yyy.yy.yyyy.57 dst nnn.nnn.nnn.250 for SPI 0xBCBF20B5
*Mar 1 00:07:26: ISAKMP: received ke message (3/1)
*Mar 1 00:07:26: ISAKMP: ignoring request to send delete notify (no ISAKMP sa) src yyy.yy.yyyy.57 dst nnn.nnn.nnn.250 for SPI 0xBCBF20B5
*Mar 1 00:07:31: ISAKMP: received ke message (3/1)
*Mar 1 00:07:31: ISAKMP: ignoring request to send delete notify (no ISAKMP sa) src yyy.yy.yyyy.57 dst nnn.nnn.nnn.250 for SPI 0xBCBF20B5
*Mar 1 00:07:37: ISAKMP: received ke message (3/1)
*Mar 1 00:07:37: ISAKMP: ignoring request to send delete notify (no ISAKMP sa) src yyy.yy.yyyy.57 dst nnn.nnn.nnn.250 for SPI 0xBCBF20B5
*Mar 1 00:07:42: %SEC-6-IPACCESSLOGP: list 102 denied tcp yyy.yy.zzz.221(1930) -> yyy.yy.yyyy.57(80), 1 packet
*Mar 1 00:07:42: ISAKMP: received ke message (3/1)
*Mar 1 00:07:42: ISAKMP: ignoring request to send delete notify (no ISAKMP sa) src yyy.yy.yyyy.57 dst nnn.nnn.nnn.250 for SPI 0xBCBF20B5
Any suggestions as to why the VPN will only establish when initialised from the Cisco side would be appreciated.
06-20-2003 08:14 AM
Hi,
Try this: Clear the Security Associations (SA) on both sides. This sometimes works!
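A small triage script for debug output like that in the question, as an added example that is not part of any post in this thread: it tallies, per peer and SPI, how often the router dropped a delete notify for lack of an ISAKMP SA and how often it logged an IPsec packet with an invalid SPI. The sample lines are constructed with documentation addresses, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample in the format of the debug output posted above
# (192.0.2.x / 198.51.100.x are documentation addresses, not real hosts).
SAMPLE = """\
*Mar 1 00:06:15: ISAKMP: ignoring request to send delete notify (no ISAKMP sa) src 192.0.2.57 dst 198.51.100.250 for SPI 0xBCBF20B5
*Mar 1 00:06:20: ISAKMP: ignoring request to send delete notify (no ISAKMP sa) src 192.0.2.57 dst 198.51.100.250 for SPI 0x3EB21954
*Mar 1 00:06:30: ISAKMP: ignoring request to send delete notify (no ISAKMP sa) src 192.0.2.57 dst 198.51.100.250 for SPI 0xBCBF20B5
*Mar 1 00:07:06: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for
 destaddr=192.0.2.57, prot=50, spi=0xBCBF20B5(-1128324939), srcaddr=198.51.100.250
"""

# "dst" in the delete-notify line and "srcaddr" in the invalid-SPI line are both the remote peer.
NO_SA = re.compile(r"ignoring request to send delete notify \(no ISAKMP sa\) "
                   r"src (\S+) dst (\S+) for SPI (0x[0-9A-Fa-f]+)")
INV_SPI = re.compile(r"spi=(0x[0-9A-Fa-f]+)\(-?\d+\), srcaddr=(\S+)")


def summarize(text):
    """Return two Counters keyed by (peer, spi): dropped delete notifies, invalid-SPI packets."""
    dropped, invalid = Counter(), Counter()
    for line in text.splitlines():
        m = NO_SA.search(line)
        if m:
            dropped[(m.group(2), int(m.group(3), 16))] += 1
        m = INV_SPI.search(line)
        if m:
            invalid[(m.group(2), int(m.group(1), 16))] += 1
    return dropped, invalid


def stale_spis(text):
    """List (peer, spi_hex, dropped_delete_notifies, invalid_spi_packets), sorted by peer and SPI."""
    dropped, invalid = summarize(text)
    keys = sorted(set(dropped) | set(invalid))
    return [(peer, f"0x{spi:08X}", dropped[(peer, spi)], invalid[(peer, spi)])
            for peer, spi in keys]


if __name__ == "__main__":
    for peer, spi, n_drop, n_inv in stale_spis(SAMPLE):
        print(f"peer {peer} SPI {spi}: {n_drop} delete notifies dropped, {n_inv} invalid-SPI packets")
```

An SPI that keeps recurring in this summary is one the peer is still using while the router holds no matching SA for it.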
06-23-2003 10:02 AM
Check your ISAKMP timers on the Cisco side and have whoever manages the Raptor Firewall see if he can check to see what Raptor's default times are.
06-24-2003 07:10 AM
Thanks for your help.