VPN Tunnel not forming.

nibinrodrigues
Level 1

Dear All,

I am trying to build a site-to-site VPN between 2 sites. It worked initially but stopped suddenly (we didn't make any changes). Please help me solve the issue.

Config

crypto isakmp policy 1
encr 3des
authentication pre-share
crypto isakmp key X.X.X.X address 1.1.1.1
crypto isakmp identity hostname
crypto isakmp keepalive 10 5 periodic
!
crypto ipsec security-association replay window-size 512
!
crypto ipsec transform-set IPSEC esp-3des esp-sha-hmac
mode transport
!
!
!
crypto map gre-ipsec 1 ipsec-isakmp
set peer 1.1.1.1
set transform-set IPSEC
match address gre-tunnel0
!
!
!
!
!
!
!
interface Tunnel0
ip address 172.16.0.6 255.255.255.252
ip mtu 1372
tunnel source 10.1.1.5
tunnel destination 1.1.1.1
!

interface GigabitEthernet0/0/0
ip address 10.1.1.5 255.255.255.0
negotiation auto
crypto map gre-ipsec

!

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Debug

*Jan 20 06:36:15.936: ISAKMP (0): received packet from 192.168.250.2 dport 500 sport 1011 Global (R) MM_NO_STATE
*Jan 20 06:36:18.788: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Jan 20 06:36:18.788: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Jan 20 06:36:18.788: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Jan 20 06:36:18.788: ISAKMP:(0): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) MM_NO_STATE
*Jan 20 06:36:18.788: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jan 20 06:36:19.511: ISAKMP:(0):purging SA., sa=7FDF7C269818, delme=7FDF7C269818
*Jan 20 06:36:25.936: ISAKMP (0): received packet from 192.168.250.2 dport 500 sport 1011 Global (R) MM_NO_STATE
*Jan 20 06:36:28.788: ISAKMP: set new node 0 to QM_IDLE
*Jan 20 06:36:28.788: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local 10.1.1.5, remote 1.1.1.1)
*Jan 20 06:36:28.789: ISAKMP: Error while processing SA request: Failed to initialize SA
*Jan 20 06:36:28.789: ISAKMP: Error while processing KMI message 0, error 2.
*Jan 20 06:36:28.789: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Jan 20 06:36:28.789: ISAKMP (0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
*Jan 20 06:36:28.789: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Jan 20 06:36:28.789: ISAKMP:(0): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) MM_NO_STATE
*Jan 20 06:36:28.789: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jan 20 06:36:35.944: ISAKMP:(0):purging SA., sa=7FDF8AA62BA0, delme=7FDF8AA62BA0
*Jan 20 06:36:35.972: ISAKMP (0): received packet from 192.168.250.2 dport 500 sport 1011 Global (N) NEW SA
*Jan 20 06:36:35.972: ISAKMP: Created a peer struct for 192.168.250.2, peer port 1011
*Jan 20 06:36:35.972: ISAKMP: New peer created peer = 0x7FDF822926D0 peer_handle = 0x8000053B
*Jan 20 06:36:35.972: ISAKMP: Locking peer struct 0x7FDF822926D0, refcount 1 for crypto_isakmp_process_block
*Jan 20 06:36:35.972: ISAKMP: local port 500, remote port 1011
*Jan 20 06:36:35.972: ISAKMP:(0):insert sa successfully sa = 7FDF7C269818
*Jan 20 06:36:35.972: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jan 20 06:36:35.972: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1

*Jan 20 06:36:35.973: ISAKMP:(0): processing SA payload. message ID = 0
*Jan 20 06:36:35.973: ISAKMP:(0): processing vendor id payload
*Jan 20 06:36:35.973: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Jan 20 06:36:35.973: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Jan 20 06:36:35.973: ISAKMP:(0): processing vendor id payload
*Jan 20 06:36:35.973: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*Jan 20 06:36:35.973: ISAKMP (0): vendor ID is NAT-T v7
*Jan 20 06:36:35.973: ISAKMP:(0): processing vendor id payload
*Jan 20 06:36:35.973: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
*Jan 20 06:36:35.973: ISAKMP:(0): vendor ID is NAT-T v3
*Jan 20 06:36:35.973: ISAKMP:(0): processing vendor id payload
*Jan 20 06:36:35.973: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Jan 20 06:36:35.973: ISAKMP:(0): vendor ID is NAT-T v2
*Jan 20 06:36:35.973: ISAKMP:(0):No pre-shared key with 192.168.250.2!
*Jan 20 06:36:35.975: ISAKMP : Scanning profiles for xauth ...
*Jan 20 06:36:35.975: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Jan 20 06:36:35.975: ISAKMP: encryption 3DES-CBC
*Jan 20 06:36:35.975: ISAKMP: hash SHA
*Jan 20 06:36:35.975: ISAKMP: default group 1
*Jan 20 06:36:35.975: ISAKMP: auth pre-share
*Jan 20 06:36:35.975: ISAKMP: life type in seconds
*Jan 20 06:36:35.975: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*Jan 20 06:36:35.975: ISAKMP:(0):Preshared authentication offered but does not match policy!
*Jan 20 06:36:35.975: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Jan 20 06:36:35.975: ISAKMP:(0):no offers accepted!
*Jan 20 06:36:35.976: ISAKMP:(0): phase 1 SA policy not acceptable! (local 10.1.1.5 remote 192.168.250.2)
*Jan 20 06:36:35.976: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: construct_fail_ag_init
*Jan 20 06:36:35.976: ISAKMP:(0): Failed to construct AG informational message.
*Jan 20 06:36:35.976: ISAKMP:(0): sending packet to 192.168.250.2 my_port 500 peer_port 1011 (R) MM_NO_STATE
*Jan 20 06:36:35.976: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jan 20 06:36:35.977: ISAKMP:(0):peer does not do paranoid keepalives.

*Jan 20 06:36:35.977: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 192.168.250.2)
*Jan 20 06:36:35.977: ISAKMP:(0): processing vendor id payload
*Jan 20 06:36:35.977: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Jan 20 06:36:35.977: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Jan 20 06:36:35.977: ISAKMP:(0): processing vendor id payload
*Jan 20 06:36:35.977: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*Jan 20 06:36:35.977: ISAKMP (0): vendor ID is NAT-T v7
*Jan 20 06:36:35.977: ISAKMP:(0): processing vendor id payload
*Jan 20 06:36:35.977: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
*Jan 20 06:36:35.977: ISAKMP:(0): vendor ID is NAT-T v3
*Jan 20 06:36:35.977: ISAKMP:(0): processing vendor id payload
*Jan 20 06:36:35.977: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Jan 20 06:36:35.977: ISAKMP:(0): vendor ID is NAT-T v2
*Jan 20 06:36:35.978: ISAKMP (0): FSM action returned error: 2
*Jan 20 06:36:35.978: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jan 20 06:36:35.978: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1

*Jan 20 06:36:35.978: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 192.168.250.2)
*Jan 20 06:36:35.978: ISAKMP: Unlocking peer struct 0x7FDF822926D0 for isadb_mark_sa_deleted(), count 0
*Jan 20 06:36:35.978: ISAKMP: Deleting peer node by peer_reap for 192.168.250.2: 7FDF822926D0
*Jan 20 06:36:35.981: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Jan 20 06:36:35.981: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_DEST_SA

*Jan 20 06:36:38.789: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Jan 20 06:36:38.789: ISAKMP (0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
*Jan 20 06:36:38.789: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Jan 20 06:36:38.789: ISAKMP:(0): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) MM_NO_STATE
*Jan 20 06:36:38.789: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jan 20 06:36:45.971: ISAKMP (0): received packet from 192.168.250.2 dport 500 sport 1011 Global (R) MM_NO_STATE
*Jan 20 06:36:47.431: ISAKMP:(0):purging node 2649427273
*Jan 20 06:36:48.789: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Jan 20 06:36:48.789: ISAKMP (0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
*Jan 20 06:36:48.789: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Jan 20 06:36:48.789: ISAKMP:(0): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) MM_NO_STATE
*Jan 20 06:36:48.789: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jan 20 06:36:55.971: ISAKMP (0): received packet from 192.168.250.2 dport 500 sport 1011 Global (R) MM_NO_STATE
*Jan 20 06:36:57.431: ISAKMP:(0):purging SA., sa=7FDF8B735C08, delme=7FDF8B735C08
*Jan 20 06:36:58.790: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Jan 20 06:36:58.790: ISAKMP:(0):peer does not do paranoid keepalives.

*Jan 20 06:36:58.790: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 1.1.1.1)
*Jan 20 06:36:58.790: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 1.1.1.1)
*Jan 20 06:36:58.790: ISAKMP: Unlocking peer struct 0x7FDF7D8F8AE0 for isadb_mark_sa_deleted(), count 0
*Jan 20 06:36:58.790: ISAKMP: Deleting peer node by peer_reap for 1.1.1.1: 7FDF7D8F8AE0
*Jan 20 06:36:58.793: ISAKMP:(0):deleting node 1246790282 error FALSE reason "IKE deleted"
*Jan 20 06:36:58.793: ISAKMP:(0):deleting node 471266460 error FALSE reason "IKE deleted"
*Jan 20 06:36:58.793: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Jan 20 06:36:58.793: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_DEST_SA

*Jan 20 06:36:58.905: ISAKMP:(0): SA request profile is (NULL)
*Jan 20 06:36:58.905: ISAKMP: Created a peer struct for 1.1.1.1, peer port 500
*Jan 20 06:36:58.905: ISAKMP: New peer created peer = 0x7FDF7D8F8AE0 peer_handle = 0x8000053D
*Jan 20 06:36:58.905: ISAKMP: Locking peer struct 0x7FDF7D8F8AE0, refcount 1 for isakmp_initiator
*Jan 20 06:36:58.905: ISAKMP: local port 500, remote port 500
*Jan 20 06:36:58.905: ISAKMP: set new node 0 to QM_IDLE
*Jan 20 06:36:58.905: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 7FDF8AA62BA0
*Jan 20 06:36:58.905: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Jan 20 06:36:58.905: ISAKMP:(0):found peer pre-shared key matching 1.1.1.1
*Jan 20 06:36:58.905: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Jan 20 06:36:58.905: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Jan 20 06:36:58.905: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Jan 20 06:36:58.905: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Jan 20 06:36:58.905: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Jan 20 06:36:58.905: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1

*Jan 20 06:36:58.905: ISAKMP:(0): beginning Main Mode exchange
*Jan 20 06:36:58.905: ISAKMP:(0): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) MM_NO_STATE
*Jan 20 06:36:58.905: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jan 20 06:37:05.970: ISAKMP (0): received packet from 192.168.250.2 dport 500 sport 1011 Global (R) MM_NO_STATE
*Jan 20 06:37:08.905: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Jan 20 06:37:08.905: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Jan 20 06:37:08.905: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Jan 20 06:37:08.905: ISAKMP:(0): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) MM_NO_STATE
*Jan 20 06:37:08.905: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jan 20 06:37:15.970: ISAKMP (0): received packet from 192.168.250.2 dport 500 sport 1011 Global (R) MM_NO_STATE
*Jan 20 06:37:18.906: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Jan 20 06:37:18.906: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Jan 20 06:37:18.906: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Jan 20 06:37:18.906: ISAKMP:(0): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) MM_NO_STATE
*Jan 20 06:37:18.906: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jan 20 06:37:25.968: ISAKMP (0): received packet from 192.168.250.2 dport 500 sport 1011 Global (R) MM_NO_STATE
*Jan 20 06:37:28.904: ISAKMP: set new node 0 to QM_IDLE
*Jan 20 06:37:28.904: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local 10.1.1.5, remote 1.1.1.1)
*Jan 20 06:37:28.905: ISAKMP: Error while processing SA request: Failed to initialize SA
*Jan 20 06:37:28.905: ISAKMP: Error while processing KMI message 0, error 2.
*Jan 20 06:37:28.905: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Jan 20 06:37:28.905: ISAKMP (0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
*Jan 20 06:37:28.905: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Jan 20 06:37:28.905: ISAKMP:(0): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) MM_NO_STATE
*Jan 20 06:37:28.905: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jan 20 06:37:35.982: ISAKMP:(0):purging SA., sa=7FDF7C269818, delme=7FDF7C269818
*Jan 20 06:37:36.008: ISAKMP (0): received packet from 192.168.250.2 dport 500 sport 1011 Global (N) NEW SA
*Jan 20 06:37:36.008: ISAKMP: Created a peer struct for 192.168.250.2, peer port 1011
*Jan 20 06:37:36.008: ISAKMP: New peer created peer = 0x7FDF823FEA28 peer_handle = 0x80000546
*Jan 20 06:37:36.008: ISAKMP: Locking peer struct 0x7FDF823FEA28, refcount 1 for crypto_isakmp_process_block
*Jan 20 06:37:36.008: ISAKMP: local port 500, remote port 1011
*Jan 20 06:37:36.008: ISAKMP:(0):insert sa successfully sa = 7FDF7C269818
*Jan 20 06:37:36.008: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jan 20 06:37:36.008: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1

*Jan 20 06:37:36.008: ISAKMP:(0): processing SA payload. message ID = 0
*Jan 20 06:37:36.008: ISAKMP:(0): processing vendor id payload
*Jan 20 06:37:36.008: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Jan 20 06:37:36.008: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Jan 20 06:37:36.008: ISAKMP:(0): processing vendor id payload
*Jan 20 06:37:36.008: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*Jan 20 06:37:36.008: ISAKMP (0): vendor ID is NAT-T v7
*Jan 20 06:37:36.008: ISAKMP:(0): processing vendor id payload
*Jan 20 06:37:36.008: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
*Jan 20 06:37:36.008: ISAKMP:(0): vendor ID is NAT-T v3
*Jan 20 06:37:36.008: ISAKMP:(0): processing vendor id payload
*Jan 20 06:37:36.008: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Jan 20 06:37:36.008: ISAKMP:(0): vendor ID is NAT-T v2
*Jan 20 06:37:36.008: ISAKMP:(0):No pre-shared key with 192.168.250.2!
*Jan 20 06:37:36.010: ISAKMP : Scanning profiles for xauth ...
*Jan 20 06:37:36.010: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Jan 20 06:37:36.010: ISAKMP: encryption 3DES-CBC
*Jan 20 06:37:36.010: ISAKMP: hash SHA
*Jan 20 06:37:36.010: ISAKMP: default group 1
*Jan 20 06:37:36.010: ISAKMP: auth pre-share
*Jan 20 06:37:36.010: ISAKMP: life type in seconds
*Jan 20 06:37:36.010: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*Jan 20 06:37:36.010: ISAKMP:(0):Preshared authentication offered but does not match policy!
*Jan 20 06:37:36.010: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Jan 20 06:37:36.010: ISAKMP:(0):no offers accepted!
*Jan 20 06:37:36.012: ISAKMP:(0): phase 1 SA policy not acceptable! (local 10.1.1.5 remote 192.168.250.2)
*Jan 20 06:37:36.012: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: construct_fail_ag_init
*Jan 20 06:37:36.012: ISAKMP:(0): Failed to construct AG informational message.
*Jan 20 06:37:36.012: ISAKMP:(0): sending packet to 192.168.250.2 my_port 500 peer_port 1011 (R) MM_NO_STATE
*Jan 20 06:37:36.012: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jan 20 06:37:36.012: ISAKMP:(0):peer does not do paranoid keepalives.

*Jan 20 06:37:36.012: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 192.168.250.2)
*Jan 20 06:37:36.012: ISAKMP:(0): processing vendor id payload
*Jan 20 06:37:36.012: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Jan 20 06:37:36.012: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Jan 20 06:37:36.012: ISAKMP:(0): processing vendor id payload
*Jan 20 06:37:36.012: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*Jan 20 06:37:36.012: ISAKMP (0): vendor ID is NAT-T v7
*Jan 20 06:37:36.012: ISAKMP:(0): processing vendor id payload
*Jan 20 06:37:36.012: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
*Jan 20 06:37:36.012: ISAKMP:(0): vendor ID is NAT-T v3
*Jan 20 06:37:36.012: ISAKMP:(0): processing vendor id payload
*Jan 20 06:37:36.012: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Jan 20 06:37:36.012: ISAKMP:(0): vendor ID is NAT-T v2
*Jan 20 06:37:36.013: ISAKMP (0): FSM action returned error: 2
*Jan 20 06:37:36.013: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jan 20 06:37:36.013: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1

*Jan 20 06:37:36.013: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 192.168.250.2)
*Jan 20 06:37:36.013: ISAKMP: Unlocking peer struct 0x7FDF823FEA28 for isadb_mark_sa_deleted(), count 0
*Jan 20 06:37:36.013: ISAKMP: Deleting peer node by peer_reap for 192.168.250.2: 7FDF823FEA28
*Jan 20 06:37:36.017: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Jan 20 06:37:36.017: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_DEST_SA

*Jan 20 06:37:38.905: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Jan 20 06:37:38.905: ISAKMP (0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
*Jan 20 06:37:38.905: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Jan 20 06:37:38.905: ISAKMP:(0): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) MM_NO_STATE
*Jan 20 06:37:38.905: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jan 20 06:37:46.026: ISAKMP (0): received packet from 192.168.250.2 dport 500 sport 1011 Global (R) MM_NO_STATE
*Jan 20 06:37:48.793: ISAKMP:(0):purging node 1246790282
*Jan 20 06:37:48.793: ISAKMP:(0):purging node 471266460
*Jan 20 06:37:48.906: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Jan 20 06:37:48.906: ISAKMP (0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
*Jan 20 06:37:48.906: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Jan 20 06:37:48.906: ISAKMP:(0): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) MM_NO_STATE
*Jan 20 06:37:48.906: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jan 20 06:37:56.007: ISAKMP (0): received packet from 192.168.250.2 dport 500 sport 1011 Global (R) MM_NO_STATE
*Jan 20 06:37:58.794: ISAKMP:(0):purging SA., sa=7FDF8BF4C188, delme=7FDF8BF4C188
*Jan 20 06:37:58.906: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Jan 20 06:37:58.906: ISAKMP:(0):peer does not do paranoid keepalives.

*Jan 20 06:37:58.906: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 1.1.1.1)
*Jan 20 06:37:58.906: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 1.1.1.1)
*Jan 20 06:37:58.906: ISAKMP: Unlocking peer struct 0x7FDF7D8F8AE0 for isadb_mark_sa_deleted(), count 0
*Jan 20 06:37:58.906: ISAKMP: Deleting peer node by peer_reap for 1.1.1.1: 7FDF7D8F8AE0
*Jan 20 06:37:58.909: ISAKMP:(0):deleting node 222138919 error FALSE reason "IKE deleted"
*Jan 20 06:37:58.909: ISAKMP:(0):deleting node 2868150311 error FALSE reason "IKE deleted"
*Jan 20 06:37:58.909: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Jan 20 06:37:58.909: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_DEST_SA

*Jan 20 06:37:59.026: ISAKMP:(0): SA request profile is (NULL)
*Jan 20 06:37:59.026: ISAKMP: Created a peer struct for 1.1.1.1, peer port 500
*Jan 20 06:37:59.026: ISAKMP: New peer created peer = 0x7FDF7D8F8AE0 peer_handle = 0x80000548
*Jan 20 06:37:59.026: ISAKMP: Locking peer struct 0x7FDF7D8F8AE0, refcount 1 for isakmp_initiator
*Jan 20 06:37:59.026: ISAKMP: local port 500, remote port 500
*Jan 20 06:37:59.026: ISAKMP: set new node 0 to QM_IDLE
*Jan 20 06:37:59.026: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 7FDF8BF4C188
*Jan 20 06:37:59.026: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Jan 20 06:37:59.026: ISAKMP:(0):found peer pre-shared key matching 1.1.1.1
*Jan 20 06:37:59.026: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Jan 20 06:37:59.026: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Jan 20 06:37:59.026: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Jan 20 06:37:59.026: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Jan 20 06:37:59.026: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Jan 20 06:37:59.026: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1

*Jan 20 06:37:59.026: ISAKMP:(0): beginning Main Mode exchange
*Jan 20 06:37:59.026: ISAKMP:(0): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) MM_NO_STATE
*Jan 20 06:37:59.026: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jan 20 06:38:06.016: ISAKMP (0): received packet from 192.168.250.2 dport 500 sport 1011 Global (R) MM_NO_STATE
*Jan 20 06:38:09.026: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Jan 20 06:38:09.026: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Jan 20 06:38:09.026: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Jan 20 06:38:09.026: ISAKMP:(0): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) MM_NO_STATE
*Jan 20 06:38:09.026: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jan 20 06:38:16.005: ISAKMP (0): received packet from 192.168.250.2 dport 500 sport 1011 Global (R) MM_NO_STATE
*Jan 20 06:38:19.026: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Jan 20 06:38:19.026: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Jan 20 06:38:19.026: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Jan 20 06:38:19.026: ISAKMP:(0): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) MM_NO_STATE
*Jan 20 06:38:19.026: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jan 20 06:38:26.003: ISAKMP (0): received packet from 192.168.250.2 dport 500 sport 1011 Global (R) MM_NO_STATE
*Jan 20 06:38:29.025: ISAKMP: set new node 0 to QM_IDLE
*Jan 20 06:38:29.025: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local 10.1.1.5, remote 1.1.1.1)
*Jan 20 06:38:29.026: ISAKMP: Error while processing SA request: Failed to initialize SA
*Jan 20 06:38:29.026: ISAKMP: Error while processing KMI message 0, error 2.
*Jan 20 06:38:29.026: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Jan 20 06:38:29.026: ISAKMP (0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
*Jan 20 06:38:29.026: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Jan 20 06:38:29.026: ISAKMP:(0): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) MM_NO_STATE
*Jan 20 06:38:29.026: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jan 20 06:38:36.017: ISAKMP:(0):purging SA., sa=7FDF7C269818, delme=7FDF7C269818
*Jan 20 06:38:36.049: ISAKMP (0): received packet from 192.168.250.2 dport 500 sport 1011 Global (N) NEW SA
*Jan 20 06:38:36.049: ISAKMP: Created a peer struct for 192.168.250.2, peer port 1011
*Jan 20 06:38:36.049: ISAKMP: New peer created peer = 0x7FDF82348358 peer_handle = 0x8000053F
*Jan 20 06:38:36.049: ISAKMP: Locking peer struct 0x7FDF82348358, refcount 1 for crypto_isakmp_process_block
*Jan 20 06:38:36.049: ISAKMP: local port 500, remote port 1011
*Jan 20 06:38:36.049: ISAKMP:(0):insert sa successfully sa = 7FDF7C269818
*Jan 20 06:38:36.049: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jan 20 06:38:36.049: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1

*Jan 20 06:38:36.049: ISAKMP:(0): processing SA payload. message ID = 0
*Jan 20 06:38:36.049: ISAKMP:(0): processing vendor id payload
*Jan 20 06:38:36.049: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Jan 20 06:38:36.049: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Jan 20 06:38:36.049: ISAKMP:(0): processing vendor id payload
*Jan 20 06:38:36.049: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*Jan 20 06:38:36.049: ISAKMP (0): vendor ID is NAT-T v7
*Jan 20 06:38:36.049: ISAKMP:(0): processing vendor id payload
*Jan 20 06:38:36.049: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
*Jan 20 06:38:36.049: ISAKMP:(0): vendor ID is NAT-T v3
*Jan 20 06:38:36.049: ISAKMP:(0): processing vendor id payload
*Jan 20 06:38:36.049: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Jan 20 06:38:36.049: ISAKMP:(0): vendor ID is NAT-T v2
*Jan 20 06:38:36.049: ISAKMP:(0):No pre-shared key with 192.168.250.2!
*Jan 20 06:38:36.051: ISAKMP : Scanning profiles for xauth ...
*Jan 20 06:38:36.051: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Jan 20 06:38:36.051: ISAKMP: encryption 3DES-CBC
*Jan 20 06:38:36.051: ISAKMP: hash SHA
*Jan 20 06:38:36.051: ISAKMP: default group 1
*Jan 20 06:38:36.051: ISAKMP: auth pre-share
*Jan 20 06:38:36.051: ISAKMP: life type in seconds
*Jan 20 06:38:36.051: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*Jan 20 06:38:36.051: ISAKMP:(0):Preshared authentication offered but does not match policy!
*Jan 20 06:38:36.051: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Jan 20 06:38:36.051: ISAKMP:(0):no offers accepted!
*Jan 20 06:38:36.053: ISAKMP:(0): phase 1 SA policy not acceptable! (local 10.1.1.5 remote 192.168.250.2)
*Jan 20 06:38:36.053: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: construct_fail_ag_init
*Jan 20 06:38:36.053: ISAKMP:(0): Failed to construct AG informational message.
*Jan 20 06:38:36.053: ISAKMP:(0): sending packet to 192.168.250.2 my_port 500 peer_port 1011 (R) MM_NO_STATE
*Jan 20 06:38:36.053: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jan 20 06:38:36.053: ISAKMP:(0):peer does not do paranoid keepalives.

*Jan 20 06:38:36.053: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 192.168.250.2)
*Jan 20 06:38:36.053: ISAKMP:(0): processing vendor id payload
*Jan 20 06:38:36.053: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Jan 20 06:38:36.053: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Jan 20 06:38:36.053: ISAKMP:(0): processing vendor id payload
*Jan 20 06:38:36.053: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*Jan 20 06:38:36.053: ISAKMP (0): vendor ID is NAT-T v7
*Jan 20 06:38:36.053: ISAKMP:(0): processing vendor id payload
*Jan 20 06:38:36.053: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
*Jan 20 06:38:36.053: ISAKMP:(0): vendor ID is NAT-T v3
*Jan 20 06:38:36.053: ISAKMP:(0): processing vendor id payload
*Jan 20 06:38:36.053: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Jan 20 06:38:36.053: ISAKMP:(0): vendor ID is NAT-T v2
*Jan 20 06:38:36.054: ISAKMP (0): FSM action returned error: 2
*Jan 20 06:38:36.054: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jan 20 06:38:36.054: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1

*Jan 20 06:38:36.054: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 192.168.250.2)
*Jan 20 06:38:36.054: ISAKMP: Unlocking peer struct 0x7FDF82348358 for isadb_mark_sa_deleted(), count 0
*Jan 20 06:38:36.054: ISAKMP: Deleting peer node by peer_reap for 192.168.250.2: 7FDF82348358
*Jan 20 06:38:36.058: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Jan 20 06:38:36.058: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_DEST_SA

*Jan 20 06:38:39.027: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Jan 20 06:38:39.027: ISAKMP (0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
*Jan 20 06:38:39.027: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Jan 20 06:38:39.027: ISAKMP:(0): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) MM_NO_STATE
*Jan 20 06:38:39.027: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jan 20 06:38:46.049: ISAKMP (0): received packet from 192.168.250.2 dport 500 sport 1011 Global (R) MM_NO_STATE
*Jan 20 06:38:48.910: ISAKMP:(0):purging node 222138919
*Jan 20 06:38:48.910: ISAKMP:(0):purging node 2868150311
*Jan 20 06:38:49.027: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Jan 20 06:38:49.027: ISAKMP (0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
*Jan 20 06:38:49.027: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Jan 20 06:38:49.027: ISAKMP:(0): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) MM_NO_STATE
*Jan 20 06:38:49.027: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jan 20 06:38:56.049: ISAKMP (0): received packet from 192.168.250.2 dport 500 sport 1011 Global (R) MM_NO_STATE

2 Replies

Philip D'Ath
VIP Alumni

It is complaining about the initial authentication.

Preshared authentication offered but does not match policy

You should not be using hostname authentication.  Remove this line:

crypto isakmp identity hostname

jagmeesi
Level 1

Hi

I am able to see debugs for 2 peers, i.e. 1.1.1.1 and 192.168.250.2.

  • If it's for 192.168.250.2, I can see according to the configuration attached that there is no pre-shared key configured for the same.
  • If it's for 1.1.1.1, the debugs show
    • *Jan 20 06:37:38.905: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
      *Jan 20 06:37:38.905: ISAKMP (0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
      *Jan 20 06:37:38.905: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
      *Jan 20 06:37:38.905: ISAKMP:(0): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) MM_NO_STATE
      *Jan 20 06:37:38.905: ISAKMP:(0):Sending an IKE IPv4 Packet.
      *Jan 20 06:37:46.026: ISAKMP (0): received packet from 192.168.250.2 dport 500 sport 1011 Global (R) MM_NO_STATE
      *Jan 20 06:37:48.793: ISAKMP:(0):purging node 1246790282
      *Jan 20 06:37:48.793: ISAKMP:(0):purging node 471266460
      *Jan 20 06:37:48.906: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
      *Jan 20 06:37:48.906: ISAKMP (0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
      *Jan 20 06:37:48.906: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
      *Jan 20 06:37:48.906: ISAKMP:(0): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) MM_NO_STATE
      *Jan 20 06:37:48.906: ISAKMP:(0):Sending an IKE IPv4 Packet.
      *Jan 20 06:37:56.007: ISAKMP (0): received packet from 192.168.250.2 dport 500 sport 1011 Global (R) MM_NO_STATE
      *Jan 20 06:37:58.794: ISAKMP:(0):purging SA., sa=7FDF8BF4C188, delme=7FDF8BF4C188
      *Jan 20 06:37:58.906: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
      *Jan 20 06:37:58.906: ISAKMP:(0):peer does not do paranoid keepalives.

      *Jan 20 06:37:58.906: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE

    • It means that the tunnel is being initiated from this side; this side is sending main mode (Phase 1) message number 1 for negotiation but is not getting a reply back from the 1.1.1.1 side.
    • It tries to retransmit the same 5 times; if there is no reply, the negotiation will eventually die out, saying "Death by retransmission".
    • It might be because the other side (1.1.1.1) is not receiving main mode message 1 (MM1) from this side, or it is receiving it but not replying for some reason (need to check debugs on the other side for that), or it is sending message 2 (MM2) and this side is not receiving it.
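
The per-peer reading of the debug output given in the reply above, as an added example that is not part of the original thread: a short Python script that splits `debug crypto isakmp` lines by peer address and cross-checks each peer against the `crypto isakmp key ... address` lines in the configuration. The sample lines are excerpted from the output posted in this thread; the function name `summarize` and the finding labels are hypothetical names chosen for this example.

```python
import re
from collections import defaultdict

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
RE_SENT = re.compile(r"sending packet to " + IP + r" .*\((I|R)\)")
RE_RECV = re.compile(r"received packet from " + IP + r" ")
RE_NOKEY = re.compile(r"No pre-shared key with " + IP + "!")
RE_DELETE = re.compile(r'deleting SA reason "([^"]+)" state \((I|R)\) \S+ \(peer ' + IP + r"\)")
RE_CFGKEY = re.compile(r"crypto isakmp key .+? address " + IP)

# Configuration line as posted in the thread (key value already redacted there).
SAMPLE_CONFIG = "crypto isakmp key X.X.X.X address 1.1.1.1\n"

# A few lines excerpted from the debug output posted in the thread.
SAMPLE_DEBUG = """\
*Jan 20 06:36:35.972: ISAKMP (0): received packet from 192.168.250.2 dport 500 sport 1011 Global (N) NEW SA
*Jan 20 06:36:35.973: ISAKMP:(0):No pre-shared key with 192.168.250.2!
*Jan 20 06:36:35.975: ISAKMP:(0):Preshared authentication offered but does not match policy!
*Jan 20 06:36:35.977: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 192.168.250.2)
*Jan 20 06:36:38.789: ISAKMP:(0): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) MM_NO_STATE
*Jan 20 06:36:45.971: ISAKMP (0): received packet from 192.168.250.2 dport 500 sport 1011 Global (R) MM_NO_STATE
*Jan 20 06:36:48.789: ISAKMP:(0): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) MM_NO_STATE
*Jan 20 06:36:58.790: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 1.1.1.1)
"""


def summarize(debug_text, config_text=""):
    """Group ISAKMP debug lines by peer and label why phase 1 failed for each."""
    keyed_peers = set(RE_CFGKEY.findall(config_text))
    peers = defaultdict(lambda: {"sent": 0, "received": 0, "no_key": False,
                                 "roles": set(), "reasons": set()})
    for line in debug_text.splitlines():
        if m := RE_SENT.search(line):
            peers[m.group(1)]["sent"] += 1
            peers[m.group(1)]["roles"].add(m.group(2))
        elif m := RE_RECV.search(line):
            peers[m.group(1)]["received"] += 1
        elif m := RE_NOKEY.search(line):
            peers[m.group(1)]["no_key"] = True
        elif m := RE_DELETE.search(line):
            reason, role, peer = m.groups()
            peers[peer]["reasons"].add(reason)
            peers[peer]["roles"].add(role)

    report = {}
    for peer, s in peers.items():
        findings = []
        # Responder side: the router has no key entry for the address it sees.
        if s["no_key"]:
            findings.append("no_psk_for_peer")
        if any("policy proposal not accepted" in r for r in s["reasons"]):
            findings.append("phase1_proposal_rejected")
        # Initiator side: MM1 keeps going out and nothing comes back from
        # that address until the SA is torn down.
        if (s["sent"] and not s["received"]
                and any(r.startswith("Death by retransmission") for r in s["reasons"])):
            findings.append("no_reply_to_mm1")
        report[peer] = {
            "roles": sorted(s["roles"]),
            "sent": s["sent"],
            "received": s["received"],
            "key_in_config": peer in keyed_peers,
            "findings": findings,
        }
    return report


if __name__ == "__main__":
    for peer, info in summarize(SAMPLE_DEBUG, SAMPLE_CONFIG).items():
        print(peer, info)
```
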