VPN is stuck in phase 2

gajanangavli
Level 1

Hi All,

I have built a VPN on a Cisco 7200 router to a remote-site Juniper ISG 1000. Phase 1 is up, but packets are not decrypting. I tried to debug IPsec, but I am not able to see any error in the logs.

Below are some logs; can somebody help me? (The peer IP is hidden for some reasons and shown as A.B.C.D.)

Jun 22 17:02:28.981 IST: IPSEC(key_engine): got a queue event with 1 KMI message(s)

.Jun 22 17:02:28.981 IST: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP

.Jun 22 17:02:28.981 IST: IPSEC(key_engine_delete_sas): delete SA with spi 0x9CD904E6 proto 50 for A.B..C.D

.Jun 22 17:02:28.981 IST: IPSEC(delete_sa): deleting SA,

.Jun 22 17:04:28.981 IST: ISAKMP (0:1056): received packet from A.B.C.D dport 500 sport 500 xxx (R) QM_IDLE
.Jun 22 17:04:28.985 IST: ISAKMP: set new node 1605814188 to QM_IDLE
.Jun 22 17:04:28.985 IST: ISAKMP:(1056): processing HASH payload. message ID = 1605814188
.Jun 22 17:04:28.985 IST: ISAKMP:(1056): processing DELETE payload. message ID = 1605814188
.Jun 22 17:04:28.985 IST: ISAKMP:(1056):peer does not do paranoid keepalives.

.Jun 22 17:04:28.985 IST: ISAKMP:(1056):deleting node 1605814188 error FALSE reason "Informational (in) state 1"


Rudy Sanjoko
Level 4

If you are saying that packets are not decrypting, do you mean on both sides or only on one side? If you see on both sides that packets are being encrypted and no packets are decrypted, then you have a routing issue. Both sides are only sending packets but not receiving any packets. If the issue is only on one side, then make sure the ports are open and NAT is configured correctly.
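
Added example, not part of either post: a small Python parser run over the debug lines from the question. It pulls out what the excerpt records: phase 1 is in QM_IDLE, an ESP SA is deleted on a delete notify, and a DELETE payload arrives from the peer. The function name, event labels and regular expressions are assumptions of this example.

```python
import re

# Log lines copied from the question above (peer address redacted by the poster).
LOG = """\
Jun 22 17:02:28.981 IST: IPSEC(key_engine): got a queue event with 1 KMI message(s)
.Jun 22 17:02:28.981 IST: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
.Jun 22 17:02:28.981 IST: IPSEC(key_engine_delete_sas): delete SA with spi 0x9CD904E6 proto 50 for A.B..C.D
.Jun 22 17:02:28.981 IST: IPSEC(delete_sa): deleting SA,
.Jun 22 17:04:28.981 IST: ISAKMP (0:1056): received packet from A.B.C.D dport 500 sport 500 xxx (R) QM_IDLE
.Jun 22 17:04:28.985 IST: ISAKMP: set new node 1605814188 to QM_IDLE
.Jun 22 17:04:28.985 IST: ISAKMP:(1056): processing HASH payload. message ID = 1605814188
.Jun 22 17:04:28.985 IST: ISAKMP:(1056): processing DELETE payload. message ID = 1605814188
.Jun 22 17:04:28.985 IST: ISAKMP:(1056):peer does not do paranoid keepalives.
.Jun 22 17:04:28.985 IST: ISAKMP:(1056):deleting node 1605814188 error FALSE reason "Informational (in) state 1"
"""

# Optional leading '.' or '*', timestamp, timezone, then the subsystem tag.
LINE = re.compile(r"^[.*]?(\w{3} +\d+ [\d:.]+) \w+: (IPSEC|ISAKMP)\b(.*)$")
SPI = re.compile(r"delete SA with spi (0x[0-9A-Fa-f]+) proto (\d+)")
PROTO = {50: "ESP", 51: "AH"}  # IP protocol numbers


def summarize(log):
    """Return (events, phase1_up) for a Cisco IOS crypto debug excerpt."""
    events, phase1_up = [], False
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a crypto debug line
        ts, subsystem, rest = m.groups()
        if subsystem == "ISAKMP" and "received packet" in rest and rest.endswith("QM_IDLE"):
            phase1_up = True  # QM_IDLE: the ISAKMP (phase 1) SA is established
        if "processing DELETE payload" in rest:
            events.append((ts, "peer-delete", rest.split("message ID = ")[1]))
        sa = SPI.search(rest)
        if sa:
            proto = PROTO.get(int(sa.group(2)), sa.group(2))
            events.append((ts, "ipsec-sa-deleted", f"{proto} spi {sa.group(1)}"))
    return events, phase1_up


if __name__ == "__main__":
    events, up = summarize(LOG)
    print("phase 1 established:", up)
    for event in events:
        print(*event)
```

The excerpt contains no error lines, so the both-sides-or-one-side question in the reply still has to be answered from the encaps and decaps counters in `show crypto ipsec sa` on the Cisco side and the equivalent SA statistics on the Juniper side.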