
VPN Connection between Raptor FW and IOS Router Failing in 1 Direction

srowles
Level 1

--begin ciscomoderator note-- The following post has been edited to remove potentially confidential information. Please refrain from posting confidential information on the site to reduce security risks to your network. -- end ciscomoderator note --

Hi

I am trying to determine the cause of an anomaly with a VPN connection between a Cisco 1700 and a Raptor Firewall. The VPN will establish if you initiate the connection from the Cisco end (via a ping, for example) but will not establish if you try and initialise from the LAN behind the Raptor Firewall.

I have the following debug output from the 1700 when trying to establish the VPN from the Raptor Firewall end:

*Mar 1 00:06:04: IPSEC(decapsulate): error in decapsulation crypto_ipsec_sa_exists

*Mar 1 00:06:15: ISAKMP: received ke message (3/1)

*Mar 1 00:06:15: ISAKMP: ignoring request to send delete notify (no ISAKMP sa) src yyy.yy.yyyy.57 dst nnn.nnn.nnn.250 for SPI 0xBCBF20B5

*Mar 1 00:06:20: ISAKMP: received ke message (3/1)

*Mar 1 00:06:20: ISAKMP: ignoring request to send delete notify (no ISAKMP sa) src yyy.yy.yyyy.57 dst nnn.nnn.nnn.250 for SPI 0x3EB21954

*Mar 1 00:06:30: ISAKMP: received ke message (3/1)

*Mar 1 00:06:30: ISAKMP: ignoring request to send delete notify (no ISAKMP sa) src yyy.yy.yyyy.57 dst nnn.nnn.nnn.250 for SPI 0xBCBF20B5

*Mar 1 00:06:41: ISAKMP: received ke message (3/1)

*Mar 1 00:06:41: ISAKMP: ignoring request to send delete notify (no ISAKMP sa) src yyy.yy.yyyy.57 dst nnn.nnn.nnn.250 for SPI 0xBCBF20B5

*Mar 1 00:06:47: ISAKMP: received ke message (3/1)

*Mar 1 00:06:47: ISAKMP: ignoring request to send delete notify (no ISAKMP sa) src yyy.yy.yyyy.57 dst nnn.nnn.nnn.250 for SPI 0xBCBF20B5

*Mar 1 00:06:55: ISAKMP: received ke message (3/1)

*Mar 1 00:06:55: ISAKMP: ignoring request to send delete notify (no ISAKMP sa) src yyy.yy.yyyy.57 dst nnn.nnn.nnn.250 for SPI 0xBCBF20B5

*Mar 1 00:07:04: IPSEC(decapsulate): error in decapsulation crypto_ipsec_sa_exists

*Mar 1 00:07:06: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=yyy.yy.yyyy.57, prot=50, spi=0xBCBF20B5(-1128324939), srcaddr=nnn.nnn.nnn.250

*Mar 1 00:07:06: ISAKMP: received ke message (3/1)

*Mar 1 00:07:06: ISAKMP: ignoring request to send delete notify (no ISAKMP sa) src yyy.yy.yyyy.57 dst nnn.nnn.nnn.250 for SPI 0xBCBF20B5

*Mar 1 00:07:26: ISAKMP: received ke message (3/1)

*Mar 1 00:07:26: ISAKMP: ignoring request to send delete notify (no ISAKMP sa) src yyy.yy.yyyy.57 dst nnn.nnn.nnn.250 for SPI 0xBCBF20B5

*Mar 1 00:07:31: ISAKMP: received ke message (3/1)

*Mar 1 00:07:31: ISAKMP: ignoring request to send delete notify (no ISAKMP sa) src yyy.yy.yyyy.57 dst nnn.nnn.nnn.250 for SPI 0xBCBF20B5

*Mar 1 00:07:37: ISAKMP: received ke message (3/1)

*Mar 1 00:07:37: ISAKMP: ignoring request to send delete notify (no ISAKMP sa) src yyy.yy.yyyy.57 dst nnn.nnn.nnn.250 for SPI 0xBCBF20B5

*Mar 1 00:07:42: %SEC-6-IPACCESSLOGP: list 102 denied tcp yyy.yy.zzz.221(1930) -> yyy.yy.yyyy.57(80), 1 packet

*Mar 1 00:07:42: ISAKMP: received ke message (3/1)

*Mar 1 00:07:42: ISAKMP: ignoring request to send delete notify (no ISAKMP sa) src yyy.yy.yyyy.57 dst nnn.nnn.nnn.250 for SPI 0xBCBF20B5

Any suggestions as to why the VPN will only establish when initialised from the Cisco side would be appreciated.

3 Replies

vkapoor5
Level 5

Hi,

Try this: Clear the Security Associations (SA) on both sides. This sometimes works!

Check your isakmp timers on the Cisco side and have whoever manages the Raptor Firewall see if he can check to see what Raptor's default times are.

Thanks for your help.
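A triage script for the debug output in the question, added here as an example and not code from anyone in the thread. It groups the two message types that name an SPI, on the assumption that both mean the router has no SA for an SPI the peer is still sending on, which is the situation clearing the SAs is meant to resolve; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Excerpt of the debug lines quoted in the post (addresses masked as posted;
# the wrapped RECVD_PKT_INV_SPI message is joined onto one line).
SAMPLE = """\
*Mar 1 00:06:04: IPSEC(decapsulate): error in decapsulation crypto_ipsec_sa_exists
*Mar 1 00:06:15: ISAKMP: ignoring request to send delete notify (no ISAKMP sa) src yyy.yy.yyyy.57 dst nnn.nnn.nnn.250 for SPI 0xBCBF20B5
*Mar 1 00:06:20: ISAKMP: ignoring request to send delete notify (no ISAKMP sa) src yyy.yy.yyyy.57 dst nnn.nnn.nnn.250 for SPI 0x3EB21954
*Mar 1 00:06:30: ISAKMP: ignoring request to send delete notify (no ISAKMP sa) src yyy.yy.yyyy.57 dst nnn.nnn.nnn.250 for SPI 0xBCBF20B5
*Mar 1 00:07:06: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=yyy.yy.yyyy.57, prot=50, spi=0xBCBF20B5(-1128324939), srcaddr=nnn.nnn.nnn.250
"""

NO_IKE = re.compile(r"ignoring request to send delete notify \(no ISAKMP sa\) "
                    r"src (\S+) dst (\S+) for SPI (0x[0-9A-Fa-f]+)")
INV_SPI = re.compile(r"RECVD_PKT_INV_SPI:.*?destaddr=([^,\s]+), prot=(\d+), "
                     r"spi=(0x[0-9A-Fa-f]+)\((-?\d+)\), srcaddr=(\S+)")


def signed32(spi_hex):
    """Return the SPI as the signed 32-bit decimal IOS prints in parentheses."""
    value = int(spi_hex, 16)
    return value - (1 << 32) if value & 0x80000000 else value


def unknown_spis(log_text):
    """Count, per (peer, SPI), the events showing the router holds no SA for it."""
    seen = defaultdict(lambda: {"invalid_spi": 0, "notify_dropped": 0})
    for line in log_text.splitlines():
        m = NO_IKE.search(line)
        if m:
            _router, peer, spi = m.groups()
            seen[(peer, "0x%08X" % int(spi, 16))]["notify_dropped"] += 1
            continue
        m = INV_SPI.search(line)
        if m:
            _router, _proto, spi, dec, peer = m.groups()
            if signed32(spi) != int(dec):  # hex and decimal must name one SPI
                raise ValueError("SPI mismatch: " + line)
            seen[(peer, "0x%08X" % int(spi, 16))]["invalid_spi"] += 1
    return dict(seen)


if __name__ == "__main__":
    for (peer, spi), c in sorted(unknown_spis(SAMPLE).items()):
        print(f"peer {peer} SPI {spi} ({signed32(spi)}): "
              f"{c['invalid_spi']} invalid-SPI, {c['notify_dropped']} undeliverable delete notifies")
```

An SPI that keeps appearing in this summary after the SAs have been cleared on the router points at state still held on the peer side.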