
VPN tunnel issue

takhellnadmin
Level 1

Hi,

Please help with the issue below.

I have a VPN configured on a Cisco router to a third-party customer. The VPN is working fine, but phase 1 and phase 2 renegotiate frequently, every 2 minutes, and this is generating huge logs. Please help me with this.

7556838: May 31 03:50:27.846: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 210.23.85.253

7556839: May 31 03:51:57.431: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 210.23.85.253

7556840: May 31 03:53:57.274: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 210.23.85.253

7556841: May 31 03:55:27.648: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 210.23.85.253

7556842: May 31 03:57:27.163: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 210.23.85.253

7556843: May 31 03:58:57.860: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 210.23.85.253

7556844: May 31 04:00:57.291: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 210.23.85.253


Regards,

Nirvan

2 Replies

takhellnadmin
Level 1


Side 1: checkpoint


Phase 2:
   phase2ikealgs aes128/sha1
   phase2exptime 28800
   phase2dhgroup group2

Phase 1:
   phase1ikealgs aes128/md5
   phase1exptime 1440
   phase1dhgroup group2


Side 2: Cisco


crypto map extranet-vpn 250 ipsec-isakmp

set peer x.x.x.x.

set security-association lifetime seconds 28800

set transform-set extranet-vpn-aes128

set pfs group2

crypto map extranet-vpn 250 ipsec-isakmp

set peer x.x.x.x.x


set security-association lifetime seconds 28800

set transform-set extranet-vpn-aes128

set pfs group2

match address vpn-cccc-Prod

crypto ipsec transform-set extranet-vpn-aes128 esp-aes esp-sha-hmac


Access list is also right.

Hi Nirvan,

I noticed this message in the debugs:

7556688: May 31 03:42:02.151: ISAKMP (0:704): processing DELETE payload. message ID = 366828355

7556726: May 31 03:42:02.579: ISAKMP (0:704): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3

Looks like the checkpoint is sending a delete payload. Can you take a look at the logs on the checkpoint to see what could be wrong?

Regards,

Prapanch
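
Added example, not part of the original thread: a Python sketch that parses the syslog and ISAKMP debug lines quoted in the posts above, reports the gaps between Quick mode failures per peer, and lists any DELETE/NOTIFY payloads seen. The function names, regexes, the `year` default (IOS timestamps here carry no year) and the periodicity thresholds are assumptions made for this illustration.

```python
import re
from datetime import datetime

# Log lines copied from the posts above (Cisco IOS syslog and ISAKMP debug output).
SAMPLE = """\
7556688: May 31 03:42:02.151: ISAKMP (0:704): processing DELETE payload. message ID = 366828355
7556726: May 31 03:42:02.579: ISAKMP (0:704): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
7556838: May 31 03:50:27.846: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 210.23.85.253
7556839: May 31 03:51:57.431: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 210.23.85.253
7556840: May 31 03:53:57.274: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 210.23.85.253
7556841: May 31 03:55:27.648: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 210.23.85.253
7556842: May 31 03:57:27.163: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 210.23.85.253
7556843: May 31 03:58:57.860: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 210.23.85.253
7556844: May 31 04:00:57.291: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 210.23.85.253
"""

LINE = re.compile(r"^\d+: (\w{3} +\d+ \d\d:\d\d:\d\d\.\d{3}): (.*)$")
QM_FAIL = re.compile(r"%CRYPTO-6-IKMP_MODE_FAILURE: Processing of (\w+) mode failed with peer at (\S+)")
NOTIFY = re.compile(r"ISAKMP \(\d+:\d+\): processing (DELETE payload|NOTIFY (\w+) protocol (\d+))")

def summarize(text, year=2000):
    """Return ({peer: [failure timestamps]}, [DELETE / NOTIFY names in order])."""
    failures, events = {}, []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip blank or unrelated lines
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S.%f")
        body = m.group(2)
        if (f := QM_FAIL.search(body)):
            failures.setdefault(f.group(2), []).append(ts)
        elif (n := NOTIFY.search(body)):
            events.append(n.group(2) or "DELETE")
    return failures, events

def intervals(times):
    """Seconds between consecutive failures, rounded to 0.1 s."""
    times = sorted(times)
    return [round((b - a).total_seconds(), 1) for a, b in zip(times, times[1:])]

def is_periodic(gaps, min_events=5, max_gap=300):
    """Heuristic with assumed thresholds: several failures, none far apart."""
    return len(gaps) + 1 >= min_events and max(gaps) <= max_gap

if __name__ == "__main__":
    fails, evts = summarize(SAMPLE)
    for peer, times in fails.items():
        gaps = intervals(times)
        print(peer, gaps, "periodic" if is_periodic(gaps) else "sporadic")
    print("ISAKMP payloads seen:", evts)
```

On the lines quoted in this thread the gaps alternate between roughly 90 and 120 seconds, which is worth lining up against the peer's own logs when checking for the DELETE and PROPOSAL_NOT_CHOSEN payloads mentioned above.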