11-19-2013 03:02 PM - edited 02-21-2020 07:20 PM
I am trying to set up a VRF IPSec to ASA VPN tunnel. VRF IPSec is at head office and ASA is at the customer end. I can successfully establish the tunnel when I initiate a ping from the ASA end (the ping was successful). However, I am getting errors in the ipsec stats when I initiate the ping from the head office (ping between the same hosts as before). A debug was captured from the VRF router. I wonder if you can see the problem from the debug. I appreciate your help in advance.
GTO-ClientEdge-RT1#sh cry ipse sa
interface: GigabitEthernet0/0
Crypto map tag: gto_share_map, local addr 192.33.232.209
protected vrf: vrf-veridian
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 173.46.8.98 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 15, #recv errors 0
local crypto endpt.: 192.33.232.209, remote crypto endpt.: 173.46.8.98
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
Crypto ISAKMP debugging is on
GTO-ClientEdge-RT1#
Nov 19 22:46:29.702: ISAKMP:(0): SA request profile is veridian-ike-prof
Nov 19 22:46:29.702: ISAKMP: Created a peer struct for 173.46.8.98, peer port 500
Nov 19 22:46:29.702: ISAKMP: New peer created peer = 0x10927E8 peer_handle = 0x80000019
Nov 19 22:46:29.702: ISAKMP: Locking peer struct 0x10927E8, refcount 1 for isakmp_initiator
Nov 19 22:46:29.702: ISAKMP:(0):Setting client config settings 131406B8
Nov 19 22:46:29.702: ISAKMP/xauth: initializing AAA request
Nov 19 22:46:29.702: ISAKMP: local port 500, remote port 500
Nov 19 22:46:29.702: ISAKMP: set new node 0 to QM_IDLE
Nov 19 22:46:29.702: ISAKMP:(0):insert sa successfully sa = 1235BF68
Nov 19 22:46:29.702: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
Nov 19 22:46:29.702: ISAKMP:(0):Found ADDRESS key in keyring internet-keyring
Nov 19 22:46:29.702: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
Nov 19 22:46:29.702: ISAKMP:(0): constructed NAT-T vendor-07 ID
Nov 19 22:46:29.702: ISAKMP:(0): constructed NAT-T vendor-03 ID
Nov 19 22:46:29.702: ISAKMP:(0): constructed NAT-T vendor-02 ID
Nov 19 22:46:29.702: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Nov 19 22:46:29.702: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
Nov 19 22:46:29.702: ISAKMP:(0): beginning Main Mode exchange
Nov 19 22:46:29.702: ISAKMP:(0): sending packet to 173.46.8.98 my_port 500 peer_port 500 (I) MM_NO_STATE
Nov 19 22:46:29.702: ISAKMP:(0):Sending an IKE IPv4 Packet.
Nov 19 22:46:29.702: ISAKMP (0): received packet from 173.46.8.98 dport 500 sport 500 vrf-internet (I) MM_NO_STATE
Nov 19 22:46:29.702: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Nov 19 22:46:29.702: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2
Nov 19 22:46:29.702: ISAKMP:(0): processing SA payload. message ID = 0
Nov 19 22:46:29.702: ISAKMP:(0): processing vendor id payload
Nov 19 22:46:29.702: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
Nov 19 22:46:29.702: ISAKMP:(0): vendor ID is NAT-T v2
Nov 19 22:46:29.702: ISAKMP:(0): processing vendor id payload
Nov 19 22:46:29.702: ISAKMP:(0): processing IKE frag vendor id payload
Nov 19 22:46:29.702: ISAKMP:(0):Support for IKE Fragmentation not enabled
Nov 19 22:46:29.702: ISAKMP:(0):Found ADDRESS key in keyring internet-keyring
Nov 19 22:46:29.702: ISAKMP:(0): local preshared key found
Nov 19 22:46:29.702: ISAKMP : Looking for xauth in profile veridian-ike-prof
Nov 19 22:46:29.702: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
Nov 19 22:46:29.702: ISAKMP: encryption AES-CBC
Nov 19 22:46:29.702: ISAKMP: keylength of 256
Nov 19 22:46:29.702: ISAKMP: hash SHA
Nov 19 22:46:29.702: ISAKMP: default group 5
Nov 19 22:46:29.702: ISAKMP: auth pre-share
Nov 19 22:46:29.702: ISAKMP: life type in seconds
Nov 19 22:46:29.702: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
Nov 19 22:46:29.702: ISAKMP:(0):atts are acceptable. Next payload is 0
Nov 19 22:46:29.702: ISAKMP:(0):Acceptable atts:actual life: 0
Nov 19 22:46:29.702: ISAKMP:(0):Acceptable atts:life: 0
Nov 19 22:46:29.702: ISAKMP:(0):Fill atts in sa vpi_length:4
Nov 19 22:46:29.702: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
Nov 19 22:46:29.702: ISAKMP:(0):Returning Actual lifetime: 86400
Nov 19 22:46:29.702: ISAKMP:(0)::Started lifetime timer: 86400.
Nov 19 22:46:29.702: ISAKMP:(0): processing vendor id payload
Nov 19 22:46:29.706: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
Nov 19 22:46:29.706: ISAKMP:(0): vendor ID is NAT-T v2
Nov 19 22:46:29.706: ISAKMP:(0): processing vendor id payload
Nov 19 22:46:29.706: ISAKMP:(0): processing IKE frag vendor id payload
Nov 19 22:46:29.706: ISAKMP:(0):Support for IKE Fragmentation not enabled
Nov 19 22:46:29.706: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Nov 19 22:46:29.706: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2
Nov 19 22:46:29.706: ISAKMP:(0): sending packet to 173.46.8.98 my_port 500 peer_port 500 (I) MM_SA_SETUP
Nov 19 22:46:29.706: ISAKMP:(0):Sending an IKE IPv4 Packet.
Nov 19 22:46:29.706: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Nov 19 22:46:29.706: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3
Nov 19 22:46:29.802: ISAKMP (0): received packet from 173.46.8.98 dport 500 sport 500 vrf-internet (I) MM_SA_SETUP
Nov 19 22:46:29.802: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Nov 19 22:46:29.802: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4
Nov 19 22:46:29.802: ISAKMP:(0): processing KE payload. message ID = 0
Nov 19 22:46:29.806: ISAKMP:(0): processing NONCE payload. message ID = 0
Nov 19 22:46:29.806: ISAKMP:(0):Found ADDRESS key in keyring internet-keyring
Nov 19 22:46:29.806: ISAKMP:(9023): processing vendor id payload
Nov 19 22:46:29.806: ISAKMP:(9023): vendor ID is Unity
Nov 19 22:46:29.806: ISAKMP:(9023): processing vendor id payload
Nov 19 22:46:29.806: ISAKMP:(9023): vendor ID seems Unity/DPD but major 86 mismatch
Nov 19 22:46:29.806: ISAKMP:(9023): vendor ID is XAUTH
Nov 19 22:46:29.806: ISAKMP:(9023): processing vendor id payload
Nov 19 22:46:29.806: ISAKMP:(9023): speaking to another IOS box!
Nov 19 22:46:29.806: ISAKMP:(9023): processing vendor id payload
Nov 19 22:46:29.806: ISAKMP:(9023):vendor ID seems Unity/DPD but hash mismatch
Nov 19 22:46:29.806: ISAKMP:received payload type 20
Nov 19 22:46:29.806: ISAKMP (9023): His hash no match - this node outside NAT
Nov 19 22:46:29.806: ISAKMP:received payload type 20
Nov 19 22:46:29.806: ISAKMP (9023): No NAT Found for self or peer
Nov 19 22:46:29.806: ISAKMP:(9023):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Nov 19 22:46:29.806: ISAKMP:(9023):Old State = IKE_I_MM4 New State = IKE_I_MM4
Nov 19 22:46:29.806: ISAKMP:(9023):Send initial contact
Nov 19 22:46:29.806: ISAKMP:(9023):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
Nov 19 22:46:29.806: ISAKMP (9023): ID payload
next-payload : 8
type : 1
address : 192.33.232.209
protocol : 17
port : 500
length : 12
Nov 19 22:46:29.806: ISAKMP:(9023):Total payload length: 12
Nov 19 22:46:29.806: ISAKMP:(9023): sending packet to 173.46.8.98 my_port 500 peer_port 500 (I) MM_KEY_EXCH
Nov 19 22:46:29.806: ISAKMP:(9023):Sending an IKE IPv4 Packet.
Nov 19 22:46:29.806: ISAKMP:(9023):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Nov 19 22:46:29.806: ISAKMP:(9023):Old State = IKE_I_MM4 New State = IKE_I_MM5
Nov 19 22:46:29.806: ISAKMP (9023): received packet from 173.46.8.98 dport 500 sport 500 vrf-internet (I) MM_KEY_EXCH
Nov 19 22:46:29.806: ISAKMP:(9023): processing ID payload. message ID = 0
Nov 19 22:46:29.806: ISAKMP (9023): ID payload
next-payload : 8
type : 1
address : 173.46.8.98
protocol : 17
port : 0
length : 12
Nov 19 22:46:29.806: ISAKMP:(9023): processing HASH payload. message ID = 0
Nov 19 22:46:29.806: ISAKMP:received payload type 17
Nov 19 22:46:29.806: ISAKMP:(9023): processing vendor id payload
Nov 19 22:46:29.806: ISAKMP:(9023): vendor ID is DPD
Nov 19 22:46:29.806: ISAKMP:(9023):SA authentication status:
authenticated
Nov 19 22:46:29.806: ISAKMP:(9023):SA has been authenticated with 173.46.8.98
Nov 19 22:46:29.806: ISAKMP: Trying to insert a peer 192.33.232.209/173.46.8.98/500/vrf-internet, and inserted successfully 10927E8.
Nov 19 22:46:29.806: ISAKMP:(9023):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Nov 19 22:46:29.806: ISAKMP:(9023):Old State = IKE_I_MM5 New State = IKE_I_MM6
Nov 19 22:46:29.806: ISAKMP:(9023):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Nov 19 22:46:29.806: ISAKMP:(9023):Old State = IKE_I_MM6 New State = IKE_I_MM6
Nov 19 22:46:29.806: ISAKMP:(9023):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Nov 19 22:46:29.806: ISAKMP:(9023):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
Nov 19 22:46:29.806: ISAKMP:(9023):beginning Quick Mode exchange, M-ID of 2851020903
Nov 19 22:46:29.806: ISAKMP:(9023):QM Initiator gets spi
Nov 19 22:46:29.806: ISAKMP:(9023): sending packet to 173.46.8.98 my_port 500 peer_port 500 (I) QM_IDLE
Nov 19 22:46:29.806: ISAKMP:(9023):Sending an IKE IPv4 Packet.
Nov 19 22:46:29.806: ISAKMP:(9023):Node 2851020903, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
Nov 19 22:46:29.806: ISAKMP:(9023):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
Nov 19 22:46:29.806: ISAKMP:(9023):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Nov 19 22:46:29.806: ISAKMP:(9023):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Nov 19 22:46:29.810: ISAKMP (9023): received packet from 173.46.8.98 dport 500 sport 500 vrf-internet (I) QM_IDLE
Nov 19 22:46:29.810: ISAKMP: set new node 1512038398 to QM_IDLE
Nov 19 22:46:29.810: ISAKMP:(9023): processing HASH payload. message ID = 1512038398
Nov 19 22:46:29.810: ISAKMP:(9023): processing NOTIFY INVALID_ID_INFO protocol 1
spi 0, message ID = 1512038398, sa = 0x1235BF68
Nov 19 22:46:29.810: ISAKMP:(9023):peer does not do paranoid keepalives.
Nov 19 22:46:29.810: ISAKMP:(9023):deleting SA reason "Recevied fatal informational" state (I) QM_IDLE (peer 173.46.8.98)
Nov 19 22:46:29.810: ISAKMP:(9023):deleting node 1512038398 error FALSE reason "Informational (in) state 1"
Nov 19 22:46:29.810: ISAKMP:(9023):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Nov 19 22:46:29.810: ISAKMP:(9023):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Nov 19 22:46:29.810: ISAKMP: set new node 260072841 to QM_IDLE
Nov 19 22:46:29.810: ISAKMP:(9023): sending packet to 173.46.8.98 my_port 500 peer_port 500 (I) QM_IDLE
Nov 19 22:46:29.810: ISAKMP:(9023):Sending an IKE IPv4 Packet.
Nov 19 22:46:29.810: ISAKMP:(9023):purging node 260072841
Nov 19 22:46:29.810: ISAKMP:(9023):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Nov 19 22:46:29.810: ISAKMP:(9023):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA
Nov 19 22:46:29.810: ISAKMP:(9023):deleting SA reason "Recevied fatal informational" state (I) QM_IDLE (peer 173.46.8.98)
Nov 19 22:46:29.810: ISAKMP: Unlocking peer struct 0x10927E8 for isadb_mark_sa_deleted(), count 0
Nov 19 22:46:29.810: ISAKMP: Deleting peer node by peer_reap for 173.46.8.98: 10927E8
Nov 19 22:46:29.810: ISAKMP:(9023):deleting node -1443946393 error FALSE reason "IKE deleted"
Nov 19 22:46:29.810: ISAKMP:(9023):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Nov 19 22:46:29.810: ISAKMP:(9023):Old State = IKE_DEST_SA New State = IKE_DEST_SA
Nov 19 22:46:29.810: ISAKMP (9023): received packet from 173.46.8.98 dport 500 sport 500 vrf-internet (I) MM_NO_STATE
GTO-ClientEdge-RT1#sh cry isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
173.46.8.98 192.33.232.209 MM_NO_STATE 9023 ACTIVE (deleted) veridian-ike-prof
IPv6 Crypto ISAKMP SA
GTO-ClientEdge-RT1#
Nov 19 22:46:59.702: ISAKMP:(0): SA request profile is veridian-ike-prof
Nov 19 22:46:59.702: ISAKMP: Created a peer struct for 173.46.8.98, peer port 500
Nov 19 22:46:59.702: ISAKMP: New peer created peer = 0x10927E8 peer_handle = 0x8000001A
Nov 19 22:46:59.702: ISAKMP: Locking peer struct 0x10927E8, refcount 1 for isakmp_initiator
Nov 19 22:46:59.702: ISAKMP:(0):Setting client config settings 1CA9BE8
Nov 19 22:46:59.702: ISAKMP/xauth: initializing AAA request
Nov 19 22:46:59.702: ISAKMP: local port 500, remote port 500
Nov 19 22:46:59.702: ISAKMP: set new node 0 to QM_IDLE
Nov 19 22:46:59.702: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 1235C984
Nov 19 22:46:59.702: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
Nov 19 22:46:59.702: ISAKMP:(0):Found ADDRESS key in keyring internet-keyring
Nov 19 22:46:59.702: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
Nov 19 22:46:59.702: ISAKMP:(0): constructed NAT-T vendor-07 ID
Nov 19 22:46:59.702: ISAKMP:(0): constructed NAT-T vendor-03 ID
Nov 19 22:46:59.702: ISAKMP:(0): constructed NAT-T vendor-02 ID
Nov 19 22:46:59.702: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Nov 19 22:46:59.702: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
Nov 19 22:46:59.702: ISAKMP:(0): beginning Main Mode exchange
Nov 19 22:46:59.702: ISAKMP:(0): sending packet to 173.46.8.98 my_port 500 peer_port 500 (I) MM_NO_STATE
Nov 19 22:46:59.702: ISAKMP:(0):Sending an IKE IPv4 Packet.
Nov 19 22:46:59.702: ISAKMP (0): received packet from 173.46.8.98 dport 500 sport 500 vrf-internet (I) MM_NO_STATE
Nov 19 22:46:59.702: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Nov 19 22:46:59.702: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2
Nov 19 22:46:59.702: ISAKMP:(0): processing SA payload. message ID = 0
Nov 19 22:46:59.702: ISAKMP:(0): processing vendor id payload
Nov 19 22:46:59.702: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
Nov 19 22:46:59.702: ISAKMP:(0): vendor ID is NAT-T v2
Nov 19 22:46:59.702: ISAKMP:(0): processing vendor id payload
Nov 19 22:46:59.702: ISAKMP:(0): processing IKE frag vendor id payload
Nov 19 22:46:59.702: ISAKMP:(0):Support for IKE Fragmentation not enabled
Nov 19 22:46:59.702: ISAKMP:(0):Found ADDRESS key in keyring internet-keyring
Nov 19 22:46:59.702: ISAKMP:(0): local preshared key found
Nov 19 22:46:59.702: ISAKMP : Looking for xauth in profile veridian-ike-prof
Nov 19 22:46:59.702: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
Nov 19 22:46:59.702: ISAKMP: encryption AES-CBC
Nov 19 22:46:59.702: ISAKMP: keylength of 256
Nov 19 22:46:59.702: ISAKMP: hash SHA
Nov 19 22:46:59.702: ISAKMP: default group 5
Nov 19 22:46:59.702: ISAKMP: auth pre-share
Nov 19 22:46:59.702: ISAKMP: life type in seconds
Nov 19 22:46:59.702: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
Nov 19 22:46:59.702: ISAKMP:(0):atts are acceptable. Next payload is 0
Nov 19 22:46:59.702: ISAKMP:(0):Acceptable atts:actual life: 0
Nov 19 22:46:59.702: ISAKMP:(0):Acceptable atts:life: 0
Nov 19 22:46:59.702: ISAKMP:(0):Fill atts in sa vpi_length:4
Nov 19 22:46:59.702: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
Nov 19 22:46:59.702: ISAKMP:(0):Returning Actual lifetime: 86400
Nov 19 22:46:59.702: ISAKMP:(0)::Started lifetime timer: 86400.
Nov 19 22:46:59.702: ISAKMP:(0): processing vendor id payload
Nov 19 22:46:59.702: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
Nov 19 22:46:59.702: ISAKMP:(0): vendor ID is NAT-T v2
Nov 19 22:46:59.702: ISAKMP:(0): processing vendor id payload
Nov 19 22:46:59.702: ISAKMP:(0): processing IKE frag vendor id payload
Nov 19 22:46:59.702: ISAKMP:(0):Support for IKE Fragmentation not enabled
Nov 19 22:46:59.702: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Nov 19 22:46:59.702: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2
Nov 19 22:46:59.702: ISAKMP:(0): sending packet to 173.46.8.98 my_port 500 peer_port 500 (I) MM_SA_SETUP
Nov 19 22:46:59.702: ISAKMP:(0):Sending an IKE IPv4 Packet.
Nov 19 22:46:59.702: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Nov 19 22:46:59.702: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3
Nov 19 22:46:59.798: ISAKMP (0): received packet from 173.46.8.98 dport 500 sport 500 vrf-internet (I) MM_SA_SETUP
Nov 19 22:46:59.798: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Nov 19 22:46:59.798: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4
Nov 19 22:46:59.798: ISAKMP:(0): processing KE payload. message ID = 0
Nov 19 22:46:59.802: ISAKMP:(0): processing NONCE payload. message ID = 0
Nov 19 22:46:59.802: ISAKMP:(0):Found ADDRESS key in keyring internet-keyring
Nov 19 22:46:59.802: ISAKMP:(9024): processing vendor id payload
Nov 19 22:46:59.802: ISAKMP:(9024): vendor ID is Unity
Nov 19 22:46:59.802: ISAKMP:(9024): processing vendor id payload
Nov 19 22:46:59.802: ISAKMP:(9024): vendor ID seems Unity/DPD but major 108 mismatch
Nov 19 22:46:59.802: ISAKMP:(9024): vendor ID is XAUTH
Nov 19 22:46:59.802: ISAKMP:(9024): processing vendor id payload
Nov 19 22:46:59.802: ISAKMP:(9024): speaking to another IOS box!
Nov 19 22:46:59.802: ISAKMP:(9024): processing vendor id payload
Nov 19 22:46:59.802: ISAKMP:(9024):vendor ID seems Unity/DPD but hash mismatch
Nov 19 22:46:59.802: ISAKMP:received payload type 20
Nov 19 22:46:59.802: ISAKMP (9024): His hash no match - this node outside NAT
Nov 19 22:46:59.802: ISAKMP:received payload type 20
Nov 19 22:46:59.802: ISAKMP (9024): No NAT Found for self or peer
Nov 19 22:46:59.802: ISAKMP:(9024):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Nov 19 22:46:59.802: ISAKMP:(9024):Old State = IKE_I_MM4 New State = IKE_I_MM4
Nov 19 22:46:59.802: ISAKMP:(9024):Send initial contact
Nov 19 22:46:59.802: ISAKMP:(9024):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
Nov 19 22:46:59.802: ISAKMP (9024): ID payload
next-payload : 8
type : 1
address : 192.33.232.209
protocol : 17
port : 500
length : 12
Nov 19 22:46:59.802: ISAKMP:(9024):Total payload length: 12
Nov 19 22:46:59.802: ISAKMP:(9024): sending packet to 173.46.8.98 my_port 500 peer_port 500 (I) MM_KEY_EXCH
Nov 19 22:46:59.802: ISAKMP:(9024):Sending an IKE IPv4 Packet.
Nov 19 22:46:59.802: ISAKMP:(9024):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Nov 19 22:46:59.802: ISAKMP:(9024):Old State = IKE_I_MM4 New State = IKE_I_MM5
Nov 19 22:46:59.806: ISAKMP (9024): received packet from 173.46.8.98 dport 500 sport 500 vrf-internet (I) MM_KEY_EXCH
Nov 19 22:46:59.806: ISAKMP:(9024): processing ID payload. message ID = 0
Nov 19 22:46:59.806: ISAKMP (9024): ID payload
next-payload : 8
type : 1
address : 173.46.8.98
protocol : 17
port : 0
length : 12
Nov 19 22:46:59.806: ISAKMP:(9024): processing HASH payload. message ID = 0
Nov 19 22:46:59.806: ISAKMP:received payload type 17
Nov 19 22:46:59.806: ISAKMP:(9024): processing vendor id payload
Nov 19 22:46:59.806: ISAKMP:(9024): vendor ID is DPD
Nov 19 22:46:59.806: ISAKMP:(9024):SA authentication status:
authenticated
Nov 19 22:46:59.806: ISAKMP:(9024):SA has been authenticated with 173.46.8.98
Nov 19 22:46:59.806: ISAKMP: Trying to insert a peer 192.33.232.209/173.46.8.98/500/vrf-internet, and inserted successfully 10927E8.
Nov 19 22:46:59.806: ISAKMP:(9024):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Nov 19 22:46:59.806: ISAKMP:(9024):Old State = IKE_I_MM5 New State = IKE_I_MM6
Nov 19 22:46:59.806: ISAKMP:(9024):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Nov 19 22:46:59.806: ISAKMP:(9024):Old State = IKE_I_MM6 New State = IKE_I_MM6
Nov 19 22:46:59.806: ISAKMP:(9024):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Nov 19 22:46:59.806: ISAKMP:(9024):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
Nov 19 22:46:59.806: ISAKMP:(9024):beginning Quick Mode exchange, M-ID of 920032514
Nov 19 22:46:59.806: ISAKMP:(9024):QM Initiator gets spi
Nov 19 22:46:59.806: ISAKMP:(9024): sending packet to 173.46.8.98 my_port 500 peer_port 500 (I) QM_IDLE
Nov 19 22:46:59.806: ISAKMP:(9024):Sending an IKE IPv4 Packet.
Nov 19 22:46:59.806: ISAKMP:(9024):Node 920032514, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
Nov 19 22:46:59.806: ISAKMP:(9024):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
Nov 19 22:46:59.806: ISAKMP:(9024):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Nov 19 22:46:59.806: ISAKMP:(9024):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Nov 19 22:46:59.806: ISAKMP (9024): received packet from 173.46.8.98 dport 500 sport 500 vrf-internet (I) QM_IDLE
Nov 19 22:46:59.806: ISAKMP: set new node -165090978 to QM_IDLE
Nov 19 22:46:59.806: ISAKMP:(9024): processing HASH payload. message ID = 4129876318
Nov 19 22:46:59.806: ISAKMP:(9024): processing NOTIFY INVALID_ID_INFO protocol 1
spi 0, message ID = 4129876318, sa = 0x1235C984
Nov 19 22:46:59.806: ISAKMP:(9024):peer does not do paranoid keepalives.
Nov 19 22:46:59.806: ISAKMP:(9024):deleting SA reason "Recevied fatal informational" state (I) QM_IDLE (peer 173.46.8.98)
Nov 19 22:46:59.806: ISAKMP:(9024):deleting node -165090978 error FALSE reason "Informational (in) state 1"
Nov 19 22:46:59.806: ISAKMP:(9024):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Nov 19 22:46:59.806: ISAKMP:(9024):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Nov 19 22:46:59.806: ISAKMP: set new node 1564252651 to QM_IDLE
Nov 19 22:46:59.806: ISAKMP:(9024): sending packet to 173.46.8.98 my_port 500 peer_port 500 (I) QM_IDLE
Nov 19 22:46:59.806: ISAKMP:(9024):Sending an IKE IPv4 Packet.
Nov 19 22:46:59.806: ISAKMP:(9024):purging node 1564252651
Nov 19 22:46:59.806: ISAKMP:(9024):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Nov 19 22:46:59.806: ISAKMP:(9024):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA
Nov 19 22:46:59.810: ISAKMP:(9024):deleting SA reason "Recevied fatal informational" state (I) QM_IDLE (peer 173.46.8.98)
Nov 19 22:46:59.810: ISAKMP: Unlocking peer struct 0x10927E8 for isadb_mark_sa_deleted(), count 0
Nov 19 22:46:59.810: ISAKMP: Deleting peer node by peer_reap for 173.46.8.98: 10927E8
Nov 19 22:46:59.810: ISAKMP:(9024):deleting node 920032514 error FALSE reason "IKE deleted"
Nov 19 22:46:59.810: ISAKMP:(9024):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Nov 19 22:46:59.810: ISAKMP:(9024):Old State = IKE_DEST_SA New State = IKE_DEST_SA
Nov 19 22:46:59.810: ISAKMP (9024): received packet from 173.46.8.98 dport 500 sport 500 vrf-internet (I) MM_NO_STATE
11-19-2013 11:34 PM
ASA doesn't like what you're sending.
Nov 19 22:46:29.810: ISAKMP (9023): received packet from 173.46.8.98 dport 500 sport 500 vrf-internet (I) QM_IDLE
Nov 19 22:46:29.810: ISAKMP: set new node 1512038398 to QM_IDLE
Nov 19 22:46:29.810: ISAKMP:(9023): processing HASH payload. message ID = 1512038398
Nov 19 22:46:29.810: ISAKMP:(9023): processing NOTIFY INVALID_ID_INFO protocol 1
Check what's happening around QM1 on ASA.
For reference working debugs:
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080bce100.shtml
11-26-2013 06:42 AM
I found the answer to this. The debug on the router doesn't give me the detail. The debug on the ASA does. I am using IOS 15.1(4)M4. It supports object groups; however, object groups are not supported with IPSec. Once I changed the ACL, the tunnel worked.
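Added example, not part of any post in this thread: a short Python script that reads router output like the capture above and reports where the negotiation stopped, namely a NOTIFY received after Phase 1 completed and Quick Mode had started, together with any 0.0.0.0/0.0.0.0 proxy identities shown by "show crypto ipsec sa". The function name and result layout are assumptions made for illustration; the sample lines are excerpted from the original post.

```python
import re

# Sample input: lines excerpted from the router output posted in this thread.
SAMPLE = """\
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
Nov 19 22:46:29.702: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
Nov 19 22:46:29.806: ISAKMP:(9023):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
Nov 19 22:46:29.806: ISAKMP:(9023):beginning Quick Mode exchange, M-ID of 2851020903
Nov 19 22:46:29.806: ISAKMP:(9023):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
Nov 19 22:46:29.810: ISAKMP:(9023): processing NOTIFY INVALID_ID_INFO protocol 1
Nov 19 22:46:29.810: ISAKMP:(9023):deleting SA reason "Recevied fatal informational" state (I) QM_IDLE (peer 173.46.8.98)
"""

# IOS prints the prefix as "ISAKMP:(id):" or "ISAKMP (id):", so accept both.
PREFIX = r"ISAKMP:?\s*\((\d+)\):+\s*"
STATE = re.compile(PREFIX + r"Old State = (\S+)\s+New State = (\S+)")
NOTIFY = re.compile(PREFIX + r"processing NOTIFY (\S+)")
IDENT = re.compile(
    r"(local|remote)\s+ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/"
)


def find_qm_rejections(text):
    """Return (rejections, any_any_sides) for a pasted IOS capture.

    rejections: one dict per NOTIFY that arrived on a connection which had
    already reached IKE_P1_COMPLETE and entered a Quick Mode state, i.e. the
    peer authenticated us and then refused the Phase 2 proposal.
    any_any_sides: which proxy identities are 0.0.0.0/0.0.0.0.
    """
    idents, conns, rejections = {}, {}, []
    for line in text.splitlines():
        if (m := IDENT.search(line)):
            idents[m[1]] = f"{m[2]}/{m[3]}"
        elif (m := STATE.search(line)):
            conn = conns.setdefault(m[1], {"p1": False, "qm": None})
            if m[3] == "IKE_P1_COMPLETE":
                conn["p1"] = True
            elif m[3].startswith("IKE_QM_"):
                conn["qm"] = m[3]
        elif (m := NOTIFY.search(line)):
            conn = conns.get(m[1], {})
            # Only count notifies that follow a finished Phase 1.
            if conn.get("p1") and conn.get("qm"):
                rejections.append(
                    {"conn_id": m[1], "notify": m[2], "qm_state": conn["qm"]}
                )
    any_any = sorted(s for s, v in idents.items() if v == "0.0.0.0/0.0.0.0")
    return rejections, any_any


if __name__ == "__main__":
    hits, any_any = find_qm_rejections(SAMPLE)
    for hit in hits:
        print(f"conn {hit['conn_id']}: Phase 1 completed, peer answered "
              f"{hit['qm_state']} with NOTIFY {hit['notify']}")
    if any_any:
        print("proxy identities that are any/any:", ", ".join(any_any))
```

On the capture in this thread the result places the failure in Phase 2 rather than Phase 1, which is consistent with the fix reported above of changing the ACL.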