VPN Issue - Phase 1 itself not coming up.

sameer5051
Level 1

Hi All,

I have one VPN issue going on, my end is an ASA5520 and the other end is a Checkpoint. Phase 1 itself is not coming up, I can see ISAKMP leave my firewall and I am able to ping the peer IP. Below is the phase 1 status and debug output. Any inputs pls?

sh isa sa

IKE Peer: 194.x.x.x
    Type    : user            Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG2

Jul 28 10:15:26 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jul 28 10:15:26 [IKEv1]: IP = 194.x.x.x, IKE Initiator: New Phase 1, Intf Henry-V518, IKE Peer 194.x.x.x  local Proxy Address 172.16.x.x, remote Proxy Address 10.0.33.42,  Crypto map (customer)
Jul 28 10:15:26 [IKEv1 DEBUG]: IP = 194.x.x.x, constructing ISAKMP SA payload
Jul 28 10:15:26 [IKEv1 DEBUG]: IP = 194.x.x.x, constructing Fragmentation VID + extended capabilities payload
Jul 28 10:15:26 [IKEv1]: IP = 194.x.x.x, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 296
Jul 28 10:15:28 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jul 28 10:15:28 [IKEv1]: IP = 194.x.x.x, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Jul 28 10:15:32 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jul 28 10:15:32 [IKEv1]: IP = 194.x.x.x, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Jul 28 10:15:34 [IKEv1]: IP = 194.x.x.x, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 296
Jul 28 10:15:40 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jul 28 10:15:40 [IKEv1]: IP = 194.x.x.x, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Jul 28 10:15:42 [IKEv1]: IP = 194.x.x.x, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 296
Jul 28 10:15:50 [IKEv1]: IP = 194.x.x.x, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 296
Jul 28 10:15:58 [IKEv1 DEBUG]: IP = 194.x.x.x, IKE MM Initiator FSM error history (struct &0x2dd0bc8)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
Jul 28 10:15:58 [IKEv1 DEBUG]: IP = 194.x.x.x, IKE SA MM:fb6ba61c terminating:  flags 0x01000022, refcnt 0, tuncnt 0
Jul 28 10:15:58 [IKEv1 DEBUG]: IP = 194.x.x.x, sending delete/delete with reason message
Jul 28 10:15:58 [IKEv1]: IP = 194.x.x.x, Removing peer from peer table failed, no match!
Jul 28 10:15:58 [IKEv1]: IP = 194.x.x.x, Error: Unable to remove PeerTblEntry


Lee Valentin
Level 1

Ask if there are any policies configured on the Checkpoint prior to Phase 1 negotiations. Secondly, and most importantly, verify they're matching isakmp policies with what you have configured.

I'm sure you'll get several responses from engineers who've had this same issue between Checkpoint and Cisco.

Good luck
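The debug in the question shows the two facts a troubleshooter wants to pin down from an ASA `debug crypto isakmp` capture: Main Mode message 1 (msgid=0) is sent and re-sent, and nothing ever comes back before the FSM times out in MM_WAIT_MSG2. The reply then points at the ISAKMP policy match. The script below is an added example, not code from either poster or from Cisco or Checkpoint; it parses the posted debug lines to confirm the MM_WAIT_MSG2 stall and then compares a local ISAKMP policy list against what the remote side reports. The ASA policy values and the Checkpoint policy name and values are constructed assumptions for the demonstration.

```python
"""Triage an ASA IKEv1 Phase 1 (Main Mode) stall from debug output.

Added example, not from the thread. Parses 'debug crypto isakmp' style
lines as posted in the question and checks local vs. remote ISAKMP policies.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the relevant lines from the debug posted above
# (key-acquire and payload-construction lines omitted for brevity).
SAMPLE_DEBUG = """\
Jul 28 10:15:26 [IKEv1]: IP = 194.x.x.x, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 296
Jul 28 10:15:34 [IKEv1]: IP = 194.x.x.x, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 296
Jul 28 10:15:42 [IKEv1]: IP = 194.x.x.x, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 296
Jul 28 10:15:50 [IKEv1]: IP = 194.x.x.x, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 296
Jul 28 10:15:58 [IKEv1 DEBUG]: IP = 194.x.x.x, IKE MM Initiator FSM error history (struct &0x2dd0bc8)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
Jul 28 10:15:58 [IKEv1 DEBUG]: IP = 194.x.x.x, IKE SA MM:fb6ba61c terminating:  flags 0x01000022, refcnt 0, tuncnt 0
"""

# msgid=0 is the Main Mode exchange; SENDING/RESENDING is our message 1,
# RECEIVED would be the peer's message 2.
SEND_RE = re.compile(r"IKE_DECODE (?:RE)?SENDING Message \(msgid=0\)")
RECV_RE = re.compile(r"IKE_DECODE RECEIVED Message \(msgid=0\)")
# The FSM history lists "<state>, <event>" pairs; capture the state that timed out.
TIMEOUT_RE = re.compile(r"(MM_\w+), EV_TIMEOUT")


@dataclass
class Phase1Triage:
    msg1_sends: int               # SENDING + RESENDING of Main Mode message 1
    msg2_received: bool           # any msgid=0 message received from the peer
    timeout_state: Optional[str]  # MM state the initiator FSM was in at EV_TIMEOUT

    def verdict(self) -> str:
        if self.timeout_state == "MM_WAIT_MSG2" and not self.msg2_received:
            return (f"stalled in MM_WAIT_MSG2: message 1 sent {self.msg1_sends}x, "
                    "no reply from peer; confirm UDP/500 reaches the peer and that "
                    "the peer has this gateway defined with a matching ISAKMP policy")
        if self.msg2_received:
            return "message 2 received: the peer answers, the problem is past MM_WAIT_MSG2"
        return "inconclusive: no Main Mode timeout in this capture"


def triage_phase1(debug_text: str) -> Phase1Triage:
    """Count our message-1 transmissions, look for a reply, and find the timeout state."""
    sends = received = 0
    state = None
    for line in debug_text.splitlines():
        if SEND_RE.search(line):
            sends += 1
        elif RECV_RE.search(line):
            received += 1
        m = TIMEOUT_RE.search(line)
        if m:
            state = m.group(1)
    return Phase1Triage(sends, received > 0, state)


# Attributes that must agree for an IKEv1 Phase 1 proposal to be accepted.
# Lifetime is left out on purpose: the shorter of the two lifetimes is used
# rather than causing a proposal mismatch.
ISAKMP_ATTRS = ("encryption", "hash", "authentication", "group")


def matching_policies(local, remote):
    """Return (local priority, remote name) pairs that agree on every attribute."""
    return [(lp["priority"], rp["name"])
            for lp in local for rp in remote
            if all(lp[a] == rp[a] for a in ISAKMP_ATTRS)]


# Constructed policy lists (assumptions, not taken from the thread): the ASA
# side has two policies; the Checkpoint admin reports one with DH group 5.
ASA_POLICIES = [
    {"priority": 10, "encryption": "aes-256", "hash": "sha", "authentication": "pre-share", "group": 2},
    {"priority": 20, "encryption": "3des", "hash": "md5", "authentication": "pre-share", "group": 2},
]
CHECKPOINT_REPORTED = [
    {"name": "cp-phase1", "encryption": "aes-256", "hash": "sha", "authentication": "pre-share", "group": 5},
]

if __name__ == "__main__":
    print(triage_phase1(SAMPLE_DEBUG).verdict())
    print("matching policies:", matching_policies(ASA_POLICIES, CHECKPOINT_REPORTED) or "none")
```

Run against the posted debug, the triage reports four transmissions of message 1 with no message 2 and a timeout in MM_WAIT_MSG2, which is the responder never answering, not a proposal being rejected; a rejected proposal would show a received message or a NO_PROPOSAL_CHOSEN notify instead. The policy check only becomes useful once the Checkpoint side hands over its Phase 1 parameters, as the reply suggests asking for.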