
VPN Phase 2 failed NOTIFY INVALID_ID_INFO protocol 3 deleting node 2962914502 error TRUE reason "Delete Larval" deleting node 4270399056 error FALSE reason "I

Wan_Whisperer
Level 1

I have a site-to-site VPN working on an ASA to a Cisco router (64.x.x.226) on my edge. I want to move it from the edge to my core (192.x.x.57). Once again I have it up. When I copy and remove the VPN configs from the edge and place them on the core, the VPN fails. (I change the IP on the ASA to reflect the new destination.) When I perform a debug on the router I get the following.

 

Router#9.276: ISAKMP:(35353):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Jun 20 22:02:19.276: ISAKMP:(35353):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE

Jun 20 22:02:19.276: ISAKMP:(35353):beginning Quick Mode exchange, M-ID of 2962914502
Jun 20 22:02:19.276: ISAKMP:(35353):QM Initiator gets spi
Jun 20 22:02:19.277: ISAKMP:(35353): sending packet to 96.XXX.XXX.210 my_port 500 peer_port 500 (I) QM_IDLE
Jun 20 22:02:19.277: ISAKMP:(35353):Sending an IKE IPv4 Packet.
Jun 20 22:02:19.277: ISA
Router#KMP:(35353):Node 2962914502, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
Jun 20 22:02:19.277: ISAKMP:(35353):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
Jun 20 22:02:19.277: ISAKMP:(35353):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Jun 20 22:02:19.277: ISAKMP:(35353):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

Jun 20 22:02:19.305: ISAKMP (35353): received packet from 96.XXX.XXX.210 dport 500 sport 500 Global (I) QM_IDLE
Jun 20 22:02:19.305: ISAKMP: set new node 4270399056 to
Router# QM_IDLE
Jun 20 22:02:19.305: ISAKMP:(35353): processing HASH payload. message ID = 4270399056
Jun 20 22:02:19.305: ISAKMP:(35353): processing NOTIFY INVALID_ID_INFO protocol 3
spi 324526909, message ID = 4270399056, sa = 0x7F4B36701498
Jun 20 22:02:19.305: ISAKMP:(35353): deleting spi 324526909 message ID = 2962914502
Jun 20 22:02:19.305: ISAKMP:(35353):deleting node 2962914502 error TRUE reason "Delete Larval"
Jun 20 22:02:19.305: ISAKMP:(35353):deleting node 4270399056 error FALSE reason "I

 

I am attaching the full debug.

 

These are my ideas about the issue:

1. In my ASA there are old configs for the VPN to my edge (64.x.x.226) that are interfering with the new endpoint, my core (192.x.x.57).

2. My NAT setup may be conflicting with my route map.

 

Please let me know... it's driving me crazy.

 

I have attached the following

ASA config

Router config 

Router debug 

ASA ASDM err log 

 

I posted the full debug so others can find it in a search.

 

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2020.06.20 18:02:31 =~=~=~=~=~=~=~=~=~=~=~=

Jun 20 22:02:19.195: ISAKMP:(0): SA request profile is (NULL)
Jun 20 22:02:19.195: ISAKMP: Created a peer struct for 96.XXX.XXX.210, peer port 500
Jun 20 22:02:19.195: ISAKMP: New peer created peer = 0x7F4B36D8C620 peer_handle = 0x800003C5
Jun 20 22:02:19.195: ISAKMP: Locking peer struct 0x7F4B36D8C620, refcount 1 for isakmp_initiator
Jun 20 22:02:19.195: ISAKMP: local port 500, remote port 500
Jun 20 22:02:19.195: ISAKMP: set new node 0 to QM_IDLE
Jun 20 22:02:19.195: ISAKMP: Find a dup sa in
Router# the avl tree during calling isadb_insert sa = 7F4B36701498
Jun 20 22:02:19.195: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
Jun 20 22:02:19.195: ISAKMP:(0):found peer pre-shared key matching 96.XXX.XXX.210
Jun 20 22:02:19.195: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
Jun 20 22:02:19.195: ISAKMP:(0): constructed NAT-T vendor-07 ID
Jun 20 22:02:19.195: ISAKMP:(0): constructed NAT-T vendor-03 ID
Jun 20 22:02:19.195: ISAKMP:(0): constructed NAT-T vendor-02 ID
Jun 20 22:02:19.195:
Router#ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Jun 20 22:02:19.195: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1

Jun 20 22:02:19.195: ISAKMP:(0): beginning Main Mode exchange
Jun 20 22:02:19.196: ISAKMP:(0): sending packet to 96.XXX.XXX.210 my_port 500 peer_port 500 (I) MM_NO_STATE
Jun 20 22:02:19.196: ISAKMP:(0):Sending an IKE IPv4 Packet.
Jun 20 22:02:19.220: ISAKMP (0): received packet from 96.XXX.XXX.210 dport 500 sport 500 Global (I) MM_NO_STATE
Jun 20 22:02:19.220: ISAKMP:(0)
Router#:Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jun 20 22:02:19.220: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2

Jun 20 22:02:19.220: ISAKMP:(0): processing SA payload. message ID = 0
Jun 20 22:02:19.220: ISAKMP:(0): processing vendor id payload
Jun 20 22:02:19.220: ISAKMP:(0): processing IKE frag vendor id payload
Jun 20 22:02:19.220: ISAKMP:(0):Support for IKE Fragmentation not enabled
Jun 20 22:02:19.220: ISAKMP:(0):found peer pre-shared key matching 96.XXX.XXX.210
Jun 20 22:02:19.220: ISA
Router#KMP:(0): local preshared key found
Jun 20 22:02:19.220: ISAKMP : Scanning profiles for xauth ...
Jun 20 22:02:19.220: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
Jun 20 22:02:19.220: ISAKMP: encryption AES-CBC
Jun 20 22:02:19.220: ISAKMP: keylength of 256
Jun 20 22:02:19.220: ISAKMP: hash MD5
Jun 20 22:02:19.220: ISAKMP: default group 2
Jun 20 22:02:19.220: ISAKMP: auth pre-share
Jun 20 22:02:19.220: ISAKMP: life type in seconds
Jun 20 22:02:19.22
Router#0: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
Jun 20 22:02:19.220: ISAKMP:(0):atts are acceptable. Next payload is 0
Jun 20 22:02:19.220: ISAKMP:(0):Acceptable atts:actual life: 0
Jun 20 22:02:19.220: ISAKMP:(0):Acceptable atts:life: 0
Jun 20 22:02:19.220: ISAKMP:(0):Fill atts in sa vpi_length:4
Jun 20 22:02:19.220: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
Jun 20 22:02:19.220: ISAKMP:(0):Returning Actual lifetime: 86400
Jun 20 22:02:19.220: ISAKMP:(0)::Started lifetime timer: 86
Router#400.

Jun 20 22:02:19.222: ISAKMP:(0): processing vendor id payload
Jun 20 22:02:19.222: ISAKMP:(0): processing IKE frag vendor id payload
Jun 20 22:02:19.222: ISAKMP:(0):Support for IKE Fragmentation not enabled
Jun 20 22:02:19.222: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Jun 20 22:02:19.222: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2

Jun 20 22:02:19.222: ISAKMP:(0): sending packet to 96.XXX.XXX.210 my_port 500 peer_port 500 (I) MM_SA_SETUP
Jun 20 22:02:19.223: I
Router#SAKMP:(0):Sending an IKE IPv4 Packet.
Jun 20 22:02:19.223: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Jun 20 22:02:19.223: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3

Jun 20 22:02:19.247: ISAKMP (0): received packet from 96.XXX.XXX.210 dport 500 sport 500 Global (I) MM_SA_SETUP
Jun 20 22:02:19.247: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jun 20 22:02:19.247: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4

Jun 20 22:02:19.248: ISAKMP:(0): processing
Router#KE payload. message ID = 0
Jun 20 22:02:19.249: ISAKMP:(0): processing NONCE payload. message ID = 0
Jun 20 22:02:19.249: ISAKMP:(0):found peer pre-shared key matching 96.XXX.XXX.210
Jun 20 22:02:19.249: ISAKMP:(35353): processing vendor id payload
Jun 20 22:02:19.249: ISAKMP:(35353): vendor ID is Unity
Jun 20 22:02:19.249: ISAKMP:(35353): processing vendor id payload
Jun 20 22:02:19.249: ISAKMP:(35353): vendor ID seems Unity/DPD but major 178 mismatch
Jun 20 22:02:19.249: ISAKMP:(35353): vendor ID i
Router#s XAUTH
Jun 20 22:02:19.249: ISAKMP:(35353): processing vendor id payload
Jun 20 22:02:19.249: ISAKMP:(35353): speaking to another IOS box!
Jun 20 22:02:19.249: ISAKMP:(35353): processing vendor id payload
Jun 20 22:02:19.249: ISAKMP:(35353):vendor ID seems Unity/DPD but hash mismatch
Jun 20 22:02:19.249: ISAKMP:(35353):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Jun 20 22:02:19.250: ISAKMP:(35353):Old State = IKE_I_MM4 New State = IKE_I_MM4

Jun 20 22:02:19.250: ISAKMP:(35353):Send initial
Router#contact
Jun 20 22:02:19.250: ISAKMP:(35353):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
Jun 20 22:02:19.250: ISAKMP (35353): ID payload
next-payload : 8
type : 1
address : 192.XXX.XXX.57
protocol : 17
port : 500
length : 12
Jun 20 22:02:19.250: ISAKMP:(35353):Total payload length: 12
Jun 20 22:02:19.250: ISAKMP:(35353): sending packet to 96.XXX.XXX.210 my_port 500 peer_port 500 (I) MM_KEY_EXCH
Jun 20 22:02:19.250: ISAKMP:(35353):Sen
Router#ding an IKE IPv4 Packet.
Jun 20 22:02:19.250: ISAKMP:(35353):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Jun 20 22:02:19.250: ISAKMP:(35353):Old State = IKE_I_MM4 New State = IKE_I_MM5

Jun 20 22:02:19.274: ISAKMP (35353): received packet from 96.XXX.XXX.210 dport 500 sport 500 Global (I) MM_KEY_EXCH
Jun 20 22:02:19.274: ISAKMP:(35353): processing ID payload. message ID = 0
Jun 20 22:02:19.274: ISAKMP (35353): ID payload
next-payload : 8
type : 1
address : 96.XXX.XXX.210
p
Router#rotocol : 17
port : 500
length : 12
Jun 20 22:02:19.274: ISAKMP:(0):: peer matches *none* of the profiles
Jun 20 22:02:19.274: ISAKMP:(35353): processing HASH payload. message ID = 0
Jun 20 22:02:19.274: ISAKMP:received payload type 17
Jun 20 22:02:19.276: ISAKMP:(35353): processing vendor id payload
Jun 20 22:02:19.276: ISAKMP:(35353): vendor ID is DPD
Jun 20 22:02:19.276: ISAKMP:(35353):SA authentication status:
authenticated
Jun 20 22:02:19.276: ISAKMP:(35353):SA has bee
Router#n authenticated with 96.XXX.XXX.210
Jun 20 22:02:19.276: ISAKMP: Trying to insert a peer 192.XXX.XXX.57/96.XXX.XXX.210/500/, and inserted successfully 7F4B36D8C620.
Jun 20 22:02:19.276: ISAKMP:(35353):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jun 20 22:02:19.276: ISAKMP:(35353):Old State = IKE_I_MM5 New State = IKE_I_MM6

Jun 20 22:02:19.276: ISAKMP:(35353):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Jun 20 22:02:19.276: ISAKMP:(35353):Old State = IKE_I_MM6 New State = IKE_I_MM6

Jun 20 22:02:1
Router#9.276: ISAKMP:(35353):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Jun 20 22:02:19.276: ISAKMP:(35353):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE

Jun 20 22:02:19.276: ISAKMP:(35353):beginning Quick Mode exchange, M-ID of 2962914502
Jun 20 22:02:19.276: ISAKMP:(35353):QM Initiator gets spi
Jun 20 22:02:19.277: ISAKMP:(35353): sending packet to 96.XXX.XXX.210 my_port 500 peer_port 500 (I) QM_IDLE
Jun 20 22:02:19.277: ISAKMP:(35353):Sending an IKE IPv4 Packet.
Jun 20 22:02:19.277: ISA
Router#KMP:(35353):Node 2962914502, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
Jun 20 22:02:19.277: ISAKMP:(35353):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
Jun 20 22:02:19.277: ISAKMP:(35353):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Jun 20 22:02:19.277: ISAKMP:(35353):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

Jun 20 22:02:19.305: ISAKMP (35353): received packet from 96.XXX.XXX.210 dport 500 sport 500 Global (I) QM_IDLE
Jun 20 22:02:19.305: ISAKMP: set new node 4270399056 to
Router# QM_IDLE
Jun 20 22:02:19.305: ISAKMP:(35353): processing HASH payload. message ID = 4270399056
Jun 20 22:02:19.305: ISAKMP:(35353): processing NOTIFY INVALID_ID_INFO protocol 3
spi 324526909, message ID = 4270399056, sa = 0x7F4B36701498
Jun 20 22:02:19.305: ISAKMP:(35353): deleting spi 324526909 message ID = 2962914502
Jun 20 22:02:19.305: ISAKMP:(35353):deleting node 2962914502 error TRUE reason "Delete Larval"
Jun 20 22:02:19.305: ISAKMP:(35353):deleting node 4270399056 error FALSE reason "I
Router#nformational (in) state 1"
Jun 20 22:02:19.305: ISAKMP:(35353):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Jun 20 22:02:19.305: ISAKMP:(35353):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

Jun 20 22:02:19.305: ISAKMP (35353): received packet from 96.XXX.XXX.210 dport 500 sport 500 Global (I) QM_IDLE
Jun 20 22:02:19.305: ISAKMP: set new node 2200411747 to QM_IDLE
Jun 20 22:02:19.305: ISAKMP:(35353): processing HASH payload. message ID = 2200411747
Jun 20 22:02:19.305: ISAKMP:(
Router#35353): processing DELETE payload. message ID = 2200411747
Jun 20 22:02:19.305: ISAKMP:(35353):peer does not do paranoid keepalives.

Jun 20 22:02:19.305: ISAKMP:(35353):deleting SA reason "No reason" state (I) QM_IDLE (peer 96.XXX.XXX.210)
Jun 20 22:02:19.305: ISAKMP:(35353):deleting node 2200411747 error FALSE reason "Informational (in) state 1"
Jun 20 22:02:19.305: ISAKMP: set new node 438984769 to QM_IDLE
Jun 20 22:02:19.305: ISAKMP:(35353): sending packet to 96.XXX.XXX.210 my_port 500
Router#peer_port 500 (I) QM_IDLE
Jun 20 22:02:19.305: ISAKMP:(35353):Sending an IKE IPv4 Packet.
Jun 20 22:02:19.305: ISAKMP:(35353):purging node 438984769
Jun 20 22:02:19.305: ISAKMP:(35353):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Jun 20 22:02:19.305: ISAKMP:(35353):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA

Jun 20 22:02:19.305: ISAKMP:(35353):deleting SA reason "No reason" state (I) QM_IDLE (peer 96.XXX.XXX.210)
Jun 20 22:02:19.305: ISAKMP: Unlocking peer struct 0x7F4B36D8C620 f
Router#or isadb_mark_sa_deleted(), count 0
Jun 20 22:02:19.305: ISAKMP: Deleting peer node by peer_reap for 96.XXX.XXX.210: 7F4B36D8C620
Jun 20 22:02:19.307: ISAKMP:(35353):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jun 20 22:02:19.307: ISAKMP:(35353):Old State = IKE_DEST_SA New State = IKE_DEST_SA

Router#
Jun 20 22:02:39.305: ISAKMP:(35352):purging node 2565789858
Jun 20 22:02:39.305: ISAKMP:(35352):purging node 3813193004
Jun 20 22:02:39.305: ISAKMP:(35352):purging node 3747436067
Router#
Jun 20 22:02:49.307: ISAKMP:(35352):purging SA., sa=7F4B35C6F140, delme=7F4B35C6F140
Jun 20 22:02:50.624: ISAKMP:(0): SA request profile is (NULL)
Jun 20 22:02:50.624: ISAKMP: Created a peer struct for 96.XXX.XXX.210, peer port 500
Jun 20 22:02:50.624: ISAKMP: New peer created peer = 0x7F4B36D8C620 peer_handle = 0x80000877
Jun 20 22:02:50.624: ISAKMP: Locking peer struct 0x7F4B36D8C620, refcount 1 for isakmp_initiator
Jun 20 22:02:50.624: ISAKMP: local port 500, remote port 500
Jun 20 22:02:50.624:
Router#ISAKMP: set new node 0 to QM_IDLE
Jun 20 22:02:50.624: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 7F4B3200AE20
Jun 20 22:02:50.624: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
Jun 20 22:02:50.624: ISAKMP:(0):found peer pre-shared key matching 96.XXX.XXX.210
Jun 20 22:02:50.624: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
Jun 20 22:02:50.624: ISAKMP:(0): constructed NAT-T vendor-07 ID
Jun 20 22:02:50.624: ISAKMP:(0): constructed NAT-T vendor-03 ID

Router#Jun 20 22:02:50.624: ISAKMP:(0): constructed NAT-T vendor-02 ID
Jun 20 22:02:50.624: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Jun 20 22:02:50.624: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1

Jun 20 22:02:50.624: ISAKMP:(0): beginning Main Mode exchange
Jun 20 22:02:50.624: ISAKMP:(0): sending packet to 96.XXX.XXX.210 my_port 500 peer_port 500 (I) MM_NO_STATE
Jun 20 22:02:50.624: ISAKMP:(0):Sending an IKE IPv4 Packet.
Jun 20 22:02:50.664: ISAKMP (0): received packet from 96.
Router#68.215.210 dport 500 sport 500 Global (I) MM_NO_STATE
Jun 20 22:02:50.664: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jun 20 22:02:50.664: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2

Jun 20 22:02:50.664: ISAKMP:(0): processing SA payload. message ID = 0
Jun 20 22:02:50.664: ISAKMP:(0): processing vendor id payload
Jun 20 22:02:50.664: ISAKMP:(0): processing IKE frag vendor id payload
Jun 20 22:02:50.664: ISAKMP:(0):Support for IKE Fragmentation not enabled
Jun 20 22:02:50.664:
Router# ISAKMP:(0):found peer pre-shared key matching 96.XXX.XXX.210
Jun 20 22:02:50.664: ISAKMP:(0): local preshared key found
Jun 20 22:02:50.664: ISAKMP : Scanning profiles for xauth ...
Jun 20 22:02:50.664: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
Jun 20 22:02:50.664: ISAKMP: encryption AES-CBC
Jun 20 22:02:50.664: ISAKMP: keylength of 256
Jun 20 22:02:50.664: ISAKMP: hash MD5
Jun 20 22:02:50.664: ISAKMP: default group 2
Jun 20 22:02:50.664: ISAKMP: auth
Router# pre-share
Jun 20 22:02:50.664: ISAKMP: life type in seconds
Jun 20 22:02:50.664: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
Jun 20 22:02:50.664: ISAKMP:(0):atts are acceptable. Next payload is 0
Jun 20 22:02:50.664: ISAKMP:(0):Acceptable atts:actual life: 0
Jun 20 22:02:50.664: ISAKMP:(0):Acceptable atts:life: 0
Jun 20 22:02:50.664: ISAKMP:(0):Fill atts in sa vpi_length:4
Jun 20 22:02:50.664: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
Jun 20 22:02:50.664: ISAKMP:(0):Returni
Router#ng Actual lifetime: 86400
Jun 20 22:02:50.664: ISAKMP:(0)::Started lifetime timer: 86400.

Jun 20 22:02:50.666: ISAKMP:(0): processing vendor id payload
Jun 20 22:02:50.666: ISAKMP:(0): processing IKE frag vendor id payload
Jun 20 22:02:50.666: ISAKMP:(0):Support for IKE Fragmentation not enabled
Jun 20 22:02:50.666: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Jun 20 22:02:50.666: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2

Jun 20 22:02:50.666: ISAKMP:(0): sending pac
Router#ket to 96.XXX.XXX.210 my_port 500 peer_port 500 (I) MM_SA_SETUP
Jun 20 22:02:50.666: ISAKMP:(0):Sending an IKE IPv4 Packet.
Jun 20 22:02:50.666: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Jun 20 22:02:50.666: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3

Jun 20 22:02:50.702: ISAKMP (0): received packet from 96.XXX.XXX.210 dport 500 sport 500 Global (I) MM_SA_SETUP
Jun 20 22:02:50.702: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jun 20 22:02:50.702: ISAKMP:(0):Old Sta
Router#te = IKE_I_MM3 New State = IKE_I_MM4

Jun 20 22:02:50.702: ISAKMP:(0): processing KE payload. message ID = 0
Jun 20 22:02:50.704: ISAKMP:(0): processing NONCE payload. message ID = 0
Jun 20 22:02:50.704: ISAKMP:(0):found peer pre-shared key matching 96.XXX.XXX.210
Jun 20 22:02:50.704: ISAKMP:(35354): processing vendor id payload
Jun 20 22:02:50.704: ISAKMP:(35354): vendor ID is Unity
Jun 20 22:02:50.704: ISAKMP:(35354): processing vendor id payload
Jun 20 22:02:50.704: ISAKMP:(35354): vendor ID se
Router#ems Unity/DPD but major 190 mismatch
Jun 20 22:02:50.704: ISAKMP:(35354): vendor ID is XAUTH
Jun 20 22:02:50.704: ISAKMP:(35354): processing vendor id payload
Jun 20 22:02:50.704: ISAKMP:(35354): speaking to another IOS box!
Jun 20 22:02:50.704: ISAKMP:(35354): processing vendor id payload
Jun 20 22:02:50.704: ISAKMP:(35354):vendor ID seems Unity/DPD but hash mismatch
Jun 20 22:02:50.704: ISAKMP:(35354):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Jun 20 22:02:50.704: ISAKMP:(35354):Old State =
Router#IKE_I_MM4 New State = IKE_I_MM4

Jun 20 22:02:50.704: ISAKMP:(35354):Send initial contact
Jun 20 22:02:50.704: ISAKMP:(35354):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
Jun 20 22:02:50.704: ISAKMP (35354): ID payload
next-payload : 8
type : 1
address : 192.XXX.XXX.57
protocol : 17
port : 500
length : 12
Jun 20 22:02:50.704: ISAKMP:(35354):Total payload length: 12
Jun 20 22:02:50.704: ISAKMP:(35354): sending packet to 96.68.215.
Router#210 my_port 500 peer_port 500 (I) MM_KEY_EXCH
Jun 20 22:02:50.704: ISAKMP:(35354):Sending an IKE IPv4 Packet.
Jun 20 22:02:50.704: ISAKMP:(35354):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Jun 20 22:02:50.704: ISAKMP:(35354):Old State = IKE_I_MM4 New State = IKE_I_MM5

Jun 20 22:02:50.742: ISAKMP (35354): received packet from 96.XXX.XXX.210 dport 500 sport 500 Global (I) MM_KEY_EXCH
Jun 20 22:02:50.742: ISAKMP:(35354): processing ID payload. message ID = 0
Jun 20 22:02:50.742: ISAKMP (35354):
Router#ID payload
next-payload : 8
type : 1
address : 96.XXX.XXX.210
protocol : 17
port : 500
length : 12
Jun 20 22:02:50.742: ISAKMP:(0):: peer matches *none* of the profiles
Jun 20 22:02:50.742: ISAKMP:(35354): processing HASH payload. message ID = 0
Jun 20 22:02:50.742: ISAKMP:received payload type 17
Jun 20 22:02:50.744: ISAKMP:(35354): processing vendor id payload
Jun 20 22:02:50.744: ISAKMP:(35354): vendor ID is DPD
Jun 20 22:02:50.744: ISAKMP:(35354):SA
Router#authentication status:
authenticated
Jun 20 22:02:50.744: ISAKMP:(35354):SA has been authenticated with 96.XXX.XXX.210
Jun 20 22:02:50.744: ISAKMP: Trying to insert a peer 192.XXX.XXX.57/96.XXX.XXX.210/500/, and inserted successfully 7F4B36D8C620.
Jun 20 22:02:50.744: ISAKMP:(35354):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jun 20 22:02:50.744: ISAKMP:(35354):Old State = IKE_I_MM5 New State = IKE_I_MM6

Jun 20 22:02:50.745: ISAKMP:(35354):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Jun 20 22:02:
Router#50.745: ISAKMP:(35354):Old State = IKE_I_MM6 New State = IKE_I_MM6

Jun 20 22:02:50.745: ISAKMP:(35354):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Jun 20 22:02:50.745: ISAKMP:(35354):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE

Jun 20 22:02:50.745: ISAKMP:(35354):beginning Quick Mode exchange, M-ID of 2714965507
Jun 20 22:02:50.745: ISAKMP:(35354):QM Initiator gets spi
Jun 20 22:02:50.745: ISAKMP:(35354): sending packet to 96.XXX.XXX.210 my_port 500 peer_port 500 (I) QM_IDLE
Jun
Router# 20 22:02:50.745: ISAKMP:(35354):Sending an IKE IPv4 Packet.
Jun 20 22:02:50.745: ISAKMP:(35354):Node 2714965507, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
Jun 20 22:02:50.745: ISAKMP:(35354):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
Jun 20 22:02:50.745: ISAKMP:(35354):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Jun 20 22:02:50.745: ISAKMP:(35354):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

Jun 20 22:02:50.780: ISAKMP (35354): received packet from 96.XXX.XXX.210 dport 500 sport
Router# 500 Global (I) QM_IDLE
Jun 20 22:02:50.780: ISAKMP: set new node 399964954 to QM_IDLE
Jun 20 22:02:50.780: ISAKMP:(35354): processing HASH payload. message ID = 399964954
Jun 20 22:02:50.780: ISAKMP:(35354): processing NOTIFY INVALID_ID_INFO protocol 3
spi 2573098564, message ID = 399964954, sa = 0x7F4B3200AE20
Jun 20 22:02:50.780: ISAKMP:(35354): deleting spi 2573098564 message ID = 2714965507
Jun 20 22:02:50.780: ISAKMP:(35354):deleting node 2714965507 error TRUE reason "Delete Larval
Router#"
Jun 20 22:02:50.780: ISAKMP:(35354):deleting node 399964954 error FALSE reason "Informational (in) state 1"
Jun 20 22:02:50.780: ISAKMP:(35354):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Jun 20 22:02:50.780: ISAKMP:(35354):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

Jun 20 22:02:50.780: ISAKMP (35354): received packet from 96.XXX.XXX.210 dport 500 sport 500 Global (I) QM_IDLE
Jun 20 22:02:50.780: ISAKMP: set new node 2000914840 to QM_IDLE
Jun 20 22:02:50.780: ISAKMP:(353
Router#54): processing HASH payload. message ID = 2000914840
Jun 20 22:02:50.780: ISAKMP:(35354): processing DELETE payload. message ID = 2000914840
Jun 20 22:02:50.780: ISAKMP:(35354):peer does not do paranoid keepalives.

Jun 20 22:02:50.780: ISAKMP:(35354):deleting SA reason "No reason" state (I) QM_IDLE (peer 96.XXX.XXX.210)
Jun 20 22:02:50.780: ISAKMP:(35354):deleting node 2000914840 error FALSE reason "Informational (in) state 1"
Jun 20 22:02:50.780: ISAKMP: set new node 3912458166 to QM_IDLE
Router#
Jun 20 22:02:50.780: ISAKMP:(35354): sending packet to 96.XXX.XXX.210 my_port 500 peer_port 500 (I) QM_IDLE
Jun 20 22:02:50.780: ISAKMP:(35354):Sending an IKE IPv4 Packet.
Jun 20 22:02:50.780: ISAKMP:(35354):purging node 3912458166
Jun 20 22:02:50.780: ISAKMP:(35354):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Jun 20 22:02:50.780: ISAKMP:(35354):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA

Jun 20 22:02:50.780: ISAKMP:(35354):deleting SA reason "No reason" state (I) QM_IDLE (pee
Router#r 96.XXX.XXX.210)
Jun 20 22:02:50.780: ISAKMP: Unlocking peer struct 0x7F4B36D8C620 for isadb_mark_sa_deleted(), count 0
Jun 20 22:02:50.780: ISAKMP: Deleting peer node by peer_reap for 96.XXX.XXX.210: 7F4B36D8C620
Jun 20 22:02:50.783: ISAKMP:(35354):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jun 20 22:02:50.783: ISAKMP:(35354):Old State = IKE_DEST_SA New State = IKE_DEST_SA

Jun 20 22:03:09.304: ISAKMP:(35353):purging node 2962914502
Jun 20 22:03:09.304: ISAKMP:(35353):purging node 4270399056
Jun 20
Router# 22:03:09.304: ISAKMP:(35353):purging node 2200411747
Router#
Jun 20 22:03:19.307: ISAKMP:(35353):purging SA., sa=7F4B36701498, delme=7F4B36701498
Jun 20 22:03:20.624: ISAKMP:(0): SA request profile is (NULL)
Jun 20 22:03:20.624: ISAKMP: Created a peer struct for 96.XXX.XXX.210, peer port 500
Jun 20 22:03:20.624: ISAKMP: New peer created peer = 0x7F4B36D8C620 peer_handle = 0x800009D8
Jun 20 22:03:20.624: ISAKMP: Locking peer struct 0x7F4B36D8C620, refcount 1 for isakmp_initiator
Jun 20 22:03:20.624: ISAKMP: local port 500, remote port 500
Jun 20 22:03:20.624:
Router#ISAKMP: set new node 0 to QM_IDLE
Jun 20 22:03:20.624: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 7F4B36701498
Jun 20 22:03:20.624: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
Jun 20 22:03:20.624: ISAKMP:(0):found peer pre-shared key matching 96.XXX.XXX.210
Jun 20 22:03:20.624: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
Jun 20 22:03:20.624: ISAKMP:(0): constructed NAT-T vendor-07 ID
Jun 20 22:03:20.624: ISAKMP:(0): constructed NAT-T vendor-03 ID

Router#Jun 20 22:03:20.624: ISAKMP:(0): constructed NAT-T vendor-02 ID
Jun 20 22:03:20.624: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Jun 20 22:03:20.624: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1

Jun 20 22:03:20.624: ISAKMP:(0): beginning Main Mode exchange
Jun 20 22:03:20.624: ISAKMP:(0): sending packet to 96.XXX.XXX.210 my_port 500 peer_port 500 (I) MM_NO_STATE
Jun 20 22:03:20.624: ISAKMP:(0):Sending an IKE IPv4 Packet.
Jun 20 22:03:20.669: ISAKMP (0): received packet from 96.
Router#68.215.210 dport 500 sport 500 Global (I) MM_NO_STATE
Jun 20 22:03:20.669: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jun 20 22:03:20.669: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2

Jun 20 22:03:20.669: ISAKMP:(0): processing SA payload. message ID = 0
Jun 20 22:03:20.670: ISAKMP:(0): processing vendor id payload
Jun 20 22:03:20.670: ISAKMP:(0): processing IKE frag vendor id payload
Jun 20 22:03:20.670: ISAKMP:(0):Support for IKE Fragmentation not enabled
Jun 20 22:03:20.670:
Router# ISAKMP:(0):found peer pre-shared key matching 96.XXX.XXX.210
Jun 20 22:03:20.670: ISAKMP:(0): local preshared key found
Jun 20 22:03:20.670: ISAKMP : Scanning profiles for xauth ...
Jun 20 22:03:20.670: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
Jun 20 22:03:20.670: ISAKMP: encryption AES-CBC
Jun 20 22:03:20.670: ISAKMP: keylength of 256
Jun 20 22:03:20.670: ISAKMP: hash MD5
Jun 20 22:03:20.670: ISAKMP: default group 2
Jun 20 22:03:20.670: ISAKMP: auth
Router# pre-share
Jun 20 22:03:20.670: ISAKMP: life type in seconds
Jun 20 22:03:20.670: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
Jun 20 22:03:20.670: ISAKMP:(0):atts are acceptable. Next payload is 0
Jun 20 22:03:20.670: ISAKMP:(0):Acceptable atts:actual life: 0
Jun 20 22:03:20.670: ISAKMP:(0):Acceptable atts:life: 0
Jun 20 22:03:20.670: ISAKMP:(0):Fill atts in sa vpi_length:4
Jun 20 22:03:20.670: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
Jun 20 22:03:20.670: ISAKMP:(0):Returni
Router#ng Actual lifetime: 86400
Jun 20 22:03:20.670: ISAKMP:(0)::Started lifetime timer: 86400.

Jun 20 22:03:20.672: ISAKMP:(0): processing vendor id payload
Jun 20 22:03:20.672: ISAKMP:(0): processing IKE frag vendor id payload
Jun 20 22:03:20.672: ISAKMP:(0):Support for IKE Fragmentation not enabled
Jun 20 22:03:20.672: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Jun 20 22:03:20.672: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2

Jun 20 22:03:20.672: ISAKMP:(0): sending pac
Router#ket to 96.XXX.XXX.210 my_port 500 peer_port 500 (I) MM_SA_SETUP
Jun 20 22:03:20.672: ISAKMP:(0):Sending an IKE IPv4 Packet.
Jun 20 22:03:20.672: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Jun 20 22:03:20.672: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3

Jun 20 22:03:20.695: ISAKMP (0): received packet from 96.XXX.XXX.210 dport 500 sport 500 Global (I) MM_SA_SETUP
Jun 20 22:03:20.695: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jun 20 22:03:20.695: ISAKMP:(0):Old Sta
Router#te = IKE_I_MM3 New State = IKE_I_MM4

Jun 20 22:03:20.695: ISAKMP:(0): processing KE payload. message ID = 0
Jun 20 22:03:20.697: ISAKMP:(0): processing NONCE payload. message ID = 0
Jun 20 22:03:20.697: ISAKMP:(0):found peer pre-shared key matching 96.XXX.XXX.210
Jun 20 22:03:20.697: ISAKMP:(35355): processing vendor id payload
Jun 20 22:03:20.697: ISAKMP:(35355): vendor ID is Unity
Jun 20 22:03:20.697: ISAKMP:(35355): processing vendor id payload
Jun 20 22:03:20.697: ISAKMP:(35355): vendor ID se
Router#ems Unity/DPD but major 55 mismatch
Jun 20 22:03:20.697: ISAKMP:(35355): vendor ID is XAUTH
Jun 20 22:03:20.697: ISAKMP:(35355): processing vendor id payload
Jun 20 22:03:20.697: ISAKMP:(35355): speaking to another IOS box!
Jun 20 22:03:20.697: ISAKMP:(35355): processing vendor id payload
Jun 20 22:03:20.697: ISAKMP:(35355):vendor ID seems Unity/DPD but hash mismatch
Jun 20 22:03:20.697: ISAKMP:(35355):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Jun 20 22:03:20.697: ISAKMP:(35355):Old State = I
Router#KE_I_MM4 New State = IKE_I_MM4

Jun 20 22:03:20.697: ISAKMP:(35355):Send initial contact
Jun 20 22:03:20.697: ISAKMP:(35355):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
Jun 20 22:03:20.697: ISAKMP (35355): ID payload
next-payload : 8
type : 1
address : 192.XXX.XXX.57
protocol : 17
port : 500
length : 12
Jun 20 22:03:20.697: ISAKMP:(35355):Total payload length: 12
Jun 20 22:03:20.697: ISAKMP:(35355): sending packet to 96.68.215.2
Router#10 my_port 500 peer_port 500 (I) MM_KEY_EXCH
Jun 20 22:03:20.697: ISAKMP:(35355):Sending an IKE IPv4 Packet.
Jun 20 22:03:20.697: ISAKMP:(35355):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Jun 20 22:03:20.697: ISAKMP:(35355):Old State = IKE_I_MM4 New State = IKE_I_MM5

Jun 20 22:03:20.723: ISAKMP (35355): received packet from 96.XXX.XXX.210 dport 500 sport 500 Global (I) MM_KEY_EXCH
Jun 20 22:03:20.723: ISAKMP:(35355): processing ID payload. message ID = 0
Jun 20 22:03:20.723: ISAKMP (35355): I
Router#D payload
next-payload : 8
type : 1
address : 96.XXX.XXX.210
protocol : 17
port : 500
length : 12
Jun 20 22:03:20.724: ISAKMP:(0):: peer matches *none* of the profiles
Jun 20 22:03:20.724: ISAKMP:(35355): processing HASH payload. message ID = 0
Jun 20 22:03:20.724: ISAKMP:received payload type 17
Jun 20 22:03:20.725: ISAKMP:(35355): processing vendor id payload
Jun 20 22:03:20.725: ISAKMP:(35355): vendor ID is DPD
Jun 20 22:03:20.725: ISAKMP:(35355):SA a
Router#uthentication status:
authenticated
Jun 20 22:03:20.726: ISAKMP:(35355):SA has been authenticated with 96.XXX.XXX.210
Jun 20 22:03:20.726: ISAKMP: Trying to insert a peer 192.XXX.XXX.57/96.XXX.XXX.210/500/, and inserted successfully 7F4B36D8C620.
Jun 20 22:03:20.726: ISAKMP:(35355):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jun 20 22:03:20.726: ISAKMP:(35355):Old State = IKE_I_MM5 New State = IKE_I_MM6

Jun 20 22:03:20.726: ISAKMP:(35355):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Jun 20 22:03:2
Router#0.726: ISAKMP:(35355):Old State = IKE_I_MM6 New State = IKE_I_MM6

Jun 20 22:03:20.726: ISAKMP:(35355):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Jun 20 22:03:20.726: ISAKMP:(35355):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE

Jun 20 22:03:20.726: ISAKMP:(35355):beginning Quick Mode exchange, M-ID of 4066892992
Jun 20 22:03:20.726: ISAKMP:(35355):QM Initiator gets spi
Jun 20 22:03:20.726: ISAKMP:(35355): sending packet to 96.XXX.XXX.210 my_port 500 peer_port 500 (I) QM_IDLE
Jun
Router#20 22:03:20.726: ISAKMP:(35355):Sending an IKE IPv4 Packet.
Jun 20 22:03:20.726: ISAKMP:(35355):Node 4066892992, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
Jun 20 22:03:20.726: ISAKMP:(35355):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
Jun 20 22:03:20.726: ISAKMP:(35355):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Jun 20 22:03:20.726: ISAKMP:(35355):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

Jun 20 22:03:20.755: ISAKMP (35355): received packet from 96.XXX.XXX.210 dport 500 sport
Router#500 Global (I) QM_IDLE
Jun 20 22:03:20.755: ISAKMP: set new node 2805946093 to QM_IDLE
Jun 20 22:03:20.756: ISAKMP:(35355): processing HASH payload. message ID = 2805946093
Jun 20 22:03:20.756: ISAKMP:(35355): processing NOTIFY INVALID_ID_INFO protocol 3
spi 512847656, message ID = 2805946093, sa = 0x7F4B36701498
Jun 20 22:03:20.756: ISAKMP:(35355): deleting spi 512847656 message ID = 4066892992
Jun 20 22:03:20.756: ISAKMP:(35355):deleting node 4066892992 error TRUE reason "Delete Larval"
Jun 20 22:03:20.756: ISAKMP:(35355):deleting node 2805946093 error FALSE reason "Informational (in) state 1"
Jun 20 22:03:20.756: ISAKMP:(35355):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Jun 20 22:03:20.756: ISAKMP:(35355):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

Jun 20 22:03:20.756: ISAKMP (35355): received packet from 96.XXX.XXX.210 dport 500 sport 500 Global (I) QM_IDLE
Jun 20 22:03:20.756: ISAKMP: set new node 622701736 to QM_IDLE
Jun 20 22:03:20.756: ISAKMP:(35355): processing HASH payload. message ID = 622701736
Jun 20 22:03:20.756: ISAKMP:(35355): processing DELETE payload. message ID = 622701736
Jun 20 22:03:20.756: ISAKMP:(35355):peer does not do paranoid keepalives.

Jun 20 22:03:20.756: ISAKMP:(35355):deleting SA reason "No reason" state (I) QM_IDLE (peer 96.XXX.XXX.210)
Jun 20 22:03:20.756: ISAKMP:(35355):deleting node 622701736 error FALSE reason "Informational (in) state 1"
Jun 20 22:03:20.756: ISAKMP: set new node 3654339799 to QM_IDLE
Jun 20 22:03:20.756: ISAKMP:(35355): sending packet to 96.XXX.XXX.210 my_port 500 peer_port 500 (I) QM_IDLE
Jun 20 22:03:20.756: ISAKMP:(35355):Sending an IKE IPv4 Packet.
Jun 20 22:03:20.756: ISAKMP:(35355):purging node 3654339799
Jun 20 22:03:20.756: ISAKMP:(35355):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Jun 20 22:03:20.756: ISAKMP:(35355):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA

Jun 20 22:03:20.756: ISAKMP:(35355):deleting SA reason "No reason" state (I) QM_IDLE (peer 96.XXX.XXX.210)
Jun 20 22:03:20.756: ISAKMP: Unlocking peer struct 0x7F4B36D8C620 for isadb_mark_sa_deleted(), count 0
Jun 20 22:03:20.756: ISAKMP: Deleting peer node by peer_reap for 96.XXX.XXX.210: 7F4B36D8C620
Jun 20 22:03:20.758: ISAKMP:(35355):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jun 20 22:03:20.758: ISAKMP:(35355):Old State = IKE_DEST_SA New State = IKE_DEST_SA

Router#
Jun 20 22:03:40.780: ISAKMP:(35354):purging node 2714965507
Jun 20 22:03:40.780: ISAKMP:(35354):purging node 399964954
Jun 20 22:03:40.780: ISAKMP:(35354):purging node 2000914840
Router#

 

Thanks in advance for the help!!!!

 

 

1 Accepted Solution

Wan_Whisperer
Level 1

It's up...

 

The cause was conflicting Crypto maps in my ASA.  I used ASDM to configure and remove VPNs throughout the years.

Removing Site-to-Site VPNs via ASDM has/did not completely remove the old VPNs, and this was conflicting with the new one.  I found this out by going line by line through the CLI, removing old configs that did not show up in the GUI.

 

 

I hope this helps someone.
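
The kind of leftover described in this solution can be searched for in a saved `show running-config` before going through it line by line. The following is an added example, not part of the original post: it assumes L2L tunnel-groups are named after the peer IP and treats two entries of one crypto map that select identical ACL lines as a conflict. The sample config and names such as OUTSIDE_map are constructed.

```python
import re
from collections import defaultdict

# Constructed sample of an ASA running-config (not taken from the thread).
# Sequence 1 and 5 stand in for entries left behind by an old VPN.
SAMPLE = """\
access-list NEW_cryptomap extended permit ip object-group Internal object-group NYC_Internals
access-list OLD_cryptomap extended permit ip object-group Internal object-group NYC_Internals
tunnel-group 203.0.113.57 type ipsec-l2l
crypto map OUTSIDE_map 1 match address OLD_cryptomap
crypto map OUTSIDE_map 1 set peer 198.51.100.226
crypto map OUTSIDE_map 3 match address NEW_cryptomap
crypto map OUTSIDE_map 3 set peer 203.0.113.57
crypto map OUTSIDE_map 5 set peer 198.51.100.9
"""

ENTRY = re.compile(r"^crypto map (\S+) (\d+) (match address|set peer) (.+)$")
ACL = re.compile(r"^access-list (\S+) (?:line \d+ )?extended (.+)$")
TG = re.compile(r"^tunnel-group (\S+) type ipsec-l2l$")

def audit(config):
    """Return (map, seq, problem) tuples for crypto map entries worth reviewing."""
    entries = defaultdict(lambda: {"acl": None, "peers": []})
    acls, groups, findings = defaultdict(set), set(), []
    for line in map(str.strip, config.splitlines()):
        if m := ENTRY.match(line):
            e = entries[(m[1], int(m[2]))]
            if m[3] == "match address":
                e["acl"] = m[4]
            else:
                e["peers"] += m[4].split()
        elif m := ACL.match(line):
            acls[m[1]].add(m[2])          # ACL name -> its permit/deny lines
        elif m := TG.match(line):
            groups.add(m[1])
    seen = {}  # (map, ACL line) -> lowest sequence number that selects it
    for (name, seq), e in sorted(entries.items()):
        for peer in e["peers"]:
            if peer not in groups:
                findings.append((name, seq, f"peer {peer} has no tunnel-group"))
        if e["acl"] is None:
            findings.append((name, seq, "no match address"))
        elif e["acl"] not in acls:
            findings.append((name, seq, f"ACL {e['acl']} undefined"))
        for ace in acls.get(e["acl"], ()):
            first = seen.setdefault((name, ace), seq)
            if first != seq:
                findings.append((name, seq, f"same traffic as seq {first}"))
    return findings
```

Each finding is only a pointer to an entry to inspect by hand; whether an entry is stale still has to be decided against the VPNs that are supposed to exist.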
5 Replies

Francesco Molino
VIP Alumni
Hi

Can you share the config of the VPN part only for your ASA and new router?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

access-list ATT_cryptomap_1 line 1 extended permit ip object-group Internal object-group NYC_Internals
group-policy GroupPolicy_192.x.x.57 internal
group-policy GroupPolicy_192.x.x.57 attributes
vpn-tunnel-protocol ikev2 ikev1
exit
tunnel-group 192.x.x.57 type ipsec-l2l
tunnel-group 192.x.x.57 general-attributes
default-group-policy GroupPolicy_192.x.x.57
tunnel-group 192.x.x.57 ipsec-attributes
ikev1 pre-shared-key **********
ikev2 remote-authentication pre-shared-key **********
ikev2 local-authentication pre-shared-key **********
isakmp keepalive threshold 10 retry 2
crypto map ATT_map 3 match address ATT_cryptomap_1
crypto map ATT_map 3 set peer 192.x.x.57
crypto map ATT_map 3 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map ATT_map 3 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES

Are you trying to configure ikev1 or ikev2?
Just remove the unnecessary config from the ike version you’re not using first.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi, Francesco,

 

I removed IKE1:

 


group-policy GroupPolicy_192.81.80.57 attributes
vpn-tunnel-protocol ikev2
exit
no crypto map Comcast_map 3 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

 

It's still failing phase 2. I attached the new debug.

 

I really appreciate your help!

 

 
