• Status: Solved

VPN between Cisco 1811 and 3 Cisco spokes (ASA 5510, PIX 515E, Concentrator 3000 Series)

Hello Experts

I set up a VPN between our Cisco 1811 router and a VPN 3000 Concentrator, and the VPN tunnel came up. (Its configs were policy 10, key 11111111111, transform-set OUR-CLIENT1 and hence its own crypto map, which I applied to the interface.) The VPN came up immediately when I pinged the remote host. We needed to do more VPN connections on the same router, this time with ASA 5510 - OUR-CLIENT2 and PIX 515E - OUR-CLIENT3. The configurations were done and the crypto map applied to the interface, but none of the tunnels came up.

I have included the running configs on 1811 Router plus some debug output.

Something also happens which I don't understand: when I ping some of the hosts in OUR-CLIENT3, the output of show crypto isakmp sa says ACTIVE, then says DELETED if I stop the ping or ping another host in the encryption domain. (Output is below the running config.)

X.X.X.X is my public IP
!
!
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 11
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 12
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp key 11111111111 address A.A.A.A
crypto isakmp key 22222222222 address B.B.B.B
crypto isakmp key 33333333333 address C.C.C.C
!
!
crypto ipsec transform-set OUR-CLIENT1 esp-3des esp-md5-hmac
crypto ipsec transform-set OUR-CLIENT2 esp-3des esp-sha-hmac
crypto ipsec transform-set OUR-CLIENT3 esp-3des esp-md5-hmac
!
crypto map TRANSFORM_OUT 15 ipsec-isakmp
 set peer A.A.A.A
 set transform-set OUR-CLIENT1
 match address CLIENT1_ACL
crypto map TRANSFORM_OUT 16 ipsec-isakmp
 set peer C.C.C.C
 set transform-set OUR-CLIENT3
 match address CLIENT2_ACL
crypto map TRANSFORM_OUT 17 ipsec-isakmp
 set peer B.B.B.B
 set transform-set OUR-CLIENT2
 match address CLIENT3_ACL
!
!
!
!
interface Tunnel0
 ip address 172.16.16.2 255.255.255.252
 tunnel source 192.168.200.1
 tunnel destination 10.10.100.2
!
interface FastEthernet0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet1
 description <<connects ***>>
 ip address X.X.X.X 255.255.255.192
 duplex auto
 speed auto
 crypto map TRANSFORM_OUT
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
 description <<Connects iDirect>>
 ip address 192.168.200.1 255.255.255.0
!
interface Async1
 no ip address
 encapsulation slip
!
ip route 0.0.0.0 0.0.0.0 41.221.43.129
ip route 10.1.1.0 255.255.255.0 Tunnel0
ip route 10.10.100.0 255.255.255.248 192.168.200.2
ip route 10.230.230.0 255.255.255.252 Tunnel0
!
!
no ip http server
no ip http secure-server
!
ip access-list extended CLIENT3_ACL
 permit ip 10.1.1.16 0.0.0.15 host 172.16.16.22
 permit ip 10.1.1.32 0.0.0.15 host 172.16.16.22
 permit ip 10.230.230.0 0.0.0.3 host 172.16.16.22
 permit ip 192.168.200.0 0.0.0.255 host 172.16.16.22
ip access-list extended CLIENT1_ACL
 permit ip 10.1.1.16 0.0.0.15 host 10.154.0.76
 permit ip 10.1.1.32 0.0.0.15 host 10.154.0.76
 permit ip 10.230.230.0 0.0.0.3 host 10.154.0.76
 permit ip 192.168.200.0 0.0.0.255 host 10.154.0.76
ip access-list extended CLIENT2_ACL
 permit ip 10.1.1.16 0.0.0.15 10.246.14.0 0.0.0.255
 permit ip 10.1.1.16 0.0.0.15 10.246.12.0 0.0.0.255
!
!
!
!
========================================================================


#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src            state          conn-id slot status
X.X.X.X         A.A.A.A     QM_IDLE           2057    0 ACTIVE
C.C.C.C        X.X.X.X     MM_SA_SETUP          0    0 ACTIVE
C.C.C.C        X.X.X.X     MM_NO_STATE       2059    0 ACTIVE (deleted)
C.C.C.C        X.X.X.X     MM_NO_STATE       2058    0 ACTIVE (deleted)

IPv6 Crypto ISAKMP SA


CRUISE#show debugging            
*Feb 17 12:25:49.951: IPSEC(key_engine): request timer fired: count = 2,
  (identity) local= X.X.X.X, remote= C.C.C.C,
    local_proxy= 10.1.1.16/255.255.255.240/0/0 (type=4),
    remote_proxy= 10.246.12.0/255.255.255.0/0/0 (type=4)
*Feb 17 12:25:49.963: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= X.X.X.X, remote= C.C.C.C,
    local_proxy= 10.1.1.16/255.255.255.240/0/0 (type=4),
    remote_proxy= 10.246.12.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= NONE  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Feb 17 12:25:54.563: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Feb 17 12:26:19.963: IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= X.X.X.X, remote= C.C.C.C,
    local_proxy= 10.1.1.16/255.255.255.240/0/0 (type=4),
    remote_proxy= 10.246.12.0/255.255.255.0/0/0 (type=4)
*Feb 17 12:26:19.963: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= X.X.X.X, remote= C.C.C.C,
    local_proxy= 10.1.1.16/255.255.255.240/0/0 (type=4),
    remote_proxy= 10.246.12.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= NONE  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Feb 17 12:26:24.607: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Feb 17 12:26:42.539: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= X.X.X.X, remote= C.C.C.C,
    local_proxy= 10.1.1.16/255.255.255.240/0/0 (type=4),
    remote_proxy= 10.246.14.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= NONE  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Feb 17 12:26:47.175: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Feb 17 12:26:49.963: IPSEC(key_engine): request timer fired: count = 2,
  (identity) local= X.X.X.X, remote= C.C.C.C,
    local_proxy= 10.1.1.16/255.255.255.240/0/0 (type=4),
    remote_proxy= 10.246.12.0/255.255.255.0/0/0 (type=4)
*Feb 17 12:27:12.539: IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= X.X.X.X, remote= C.C.C.C,
    local_proxy= 10.1.1.16/255.255.255.240/0/0 (type=4),
    remote_proxy= 10.246.14.0/255.255.255.0/0/0 (type=4)
*Feb 17 12:27:12.539: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= X.X.X.X, remote= C.C.C.C,
    local_proxy= 10.1.1.16/255.255.255.240/0/0 (type=4),
    remote_proxy= 10.246.14.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= NONE  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Feb 17 12:27:17.163: IPSEC(key_engine): got a queue event with 1 KMI message(s)

Debug crypto engine
*Feb 17 12:56:27.791: crypto_engine: Decrypt IKE packet
*Feb 17 12:56:27.791: crypto_engine: Generate IKE hash
*Feb 17 12:56:27.791: crypto_engine: Generate IKE hash
*Feb 17 12:56:27.791: crypto_engine: Encrypt IKE packet
*Feb 17 12:56:33.155: crypto_engine: Create DH shared secret
*Feb 17 12:56:33.155: crypto_engine: Modular Exponentiation
*Feb 17 12:56:33.187: crypto_engine: Create IKE SA
*Feb 17 12:56:33.187: crypto engine: deleting DH phase 2 SW:44
*Feb 17 12:56:33.187: crypto_engine: Delete DH shared secret
*Feb 17 12:56:33.187: crypto_engine: Generate IKE hash
*Feb 17 12:56:33.187: crypto_engine: Encrypt IKE packet
*Feb 17 12:56:34.363: crypto_engine: Decrypt IKE packet
*Feb 17 12:56:34.363: crypto_engine: Generate IKE hash
*Feb 17 12:56:34.363: crypto_engine: Generate IKE hash
*Feb 17 12:56:34.363: crypto_engine: Encrypt IKE packet
*Feb 17 12:56:34.367: crypto_engine: Decrypt IKE packet
*Feb 17 12:56:34.367: crypto_engine: Generate IKE hash
*Feb 17 12:56:35.511: crypto_engine: Decrypt IKE packet
*Feb 17 12:56:35.511: crypto_engine: Generate IKE hash
*Feb 17 12:56:35.515: crypto_engine: Generate IKE hash
*Feb 17 12:56:35.515: crypto_engine: Encrypt IKE packet
*Feb 17 12:56:35.515: crypto engine: deleting IKE SA SW:38
*Feb 17 12:56:35.515: crypto_engine: Delete IKE SA
*Feb 17 12:56:47.791: crypto_engine: Decrypt IKE packet
*Feb 17 12:56:47.791: crypto_engine: Generate IKE hash
*Feb 17 12:56:47.791: crypto_engine: Generate IKE hash
*Feb 17 12:56:47.791: crypto_engine: Encrypt IKE packet
*Feb 17 12:57:07.791: crypto_engine: Decrypt IKE packet
*Feb 17 12:57:07.791: crypto_engine: Generate IKE hash
*Feb 17 12:57:07.791: crypto_engine: Generate IKE hash
*Feb 17 12:57:07.791: crypto_engine: Encrypt IKE packet
Asked by: cellulant
3 Solutions
 
asavener Commented:
Please provide the output from "show crypto ipsec sa" and "debug crypto isakmp".
 
cellulant (Author) Commented:
Hello there,

I have tried to maintain the same configs that I had changed, i.e. my public IP: X.X.X.X, OUR-CLIENT2: B.B.B.B, OUR-CLIENT3: C.C.C.C


CRUISE#sho crypto ipsec sa

interface: FastEthernet1
    Crypto map tag: TRANSFORM-OUT, local addr X.X.X.X

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.1.1.16/255.255.255.240/0/0)
   remote ident (addr/mask/prot/port): (10.154.0.76/255.255.255.255/0/0)
   current_peer A.A.A.A port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 42, #pkts encrypt: 42, #pkts digest: 42
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: X.X.X.X, remote crypto endpt.: A.A.A.A
     path mtu 1500, ip mtu 1500
     current outbound spi: 0x36FF37A4(922695588)

     inbound esp sas:
      spi: 0x133E60F4(322855156)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 15, flow_id: Motorola SEC 2.0:15, crypto map: TRANSFORM-OUT
        sa timing: remaining key lifetime (k/sec): (4470158/217)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x36FF37A4(922695588)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 16, flow_id: Motorola SEC 2.0:16, crypto map: TRANSFORM-OUT
        sa timing: remaining key lifetime (k/sec): (4470158/181)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.1.1.32/255.255.255.240/0/0)
   remote ident (addr/mask/prot/port): (172.16.16.22/255.255.255.255/0/0)
   current_peer B.B.B.B port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: X.X.X.X, remote crypto endpt.: B.B.B.B
     path mtu 1500, ip mtu 1500
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:
         
     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.1.1.32/255.255.255.240/0/0)
   remote ident (addr/mask/prot/port): (10.154.0.76/255.255.255.255/0/0)
   current_peer A.A.A.A port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: X.X.X.X, remote crypto endpt.: A.A.A.A
     path mtu 1500, ip mtu 1500
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.200.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.16.16.22/255.255.255.255/0/0)
   current_peer B.B.B.B port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
         
     local crypto endpt.: X.X.X.X, remote crypto endpt.: B.B.B.B
     path mtu 1500, ip mtu 1500
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.1.1.16/255.255.255.240/0/0)
   remote ident (addr/mask/prot/port): (10.246.12.0/255.255.255.0/0/0)
   current_peer C.C.C.C port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 3819, #recv errors 0

     local crypto endpt.: X.X.X.X, remote crypto endpt.: C.C.C.C
     path mtu 1500, ip mtu 1500
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.1.1.16/255.255.255.240/0/0)
   remote ident (addr/mask/prot/port): (10.246.14.0/255.255.255.0/0/0)
   current_peer C.C.C.C port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 275, #recv errors 0

     local crypto endpt.: X.X.X.X, remote crypto endpt.: C.C.C.C
     path mtu 1500, ip mtu 1500
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.200.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.154.0.76/255.255.255.255/0/0)
   current_peer A.A.A.A port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: X.X.X.X, remote crypto endpt.: A.A.A.A
     path mtu 1500, ip mtu 1500
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:
         
     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.230.230.0/255.255.255.252/0/0)
   remote ident (addr/mask/prot/port): (172.16.16.22/255.255.255.255/0/0)
   current_peer B.B.B.B port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: X.X.X.X, remote crypto endpt.: B.B.B.B
     path mtu 1500, ip mtu 1500
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.230.230.0/255.255.255.252/0/0)
   remote ident (addr/mask/prot/port): (10.154.0.76/255.255.255.255/0/0)
   current_peer A.A.A.A port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: X.X.X.X, remote crypto endpt.: A.A.A.A
     path mtu 1500, ip mtu 1500
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.1.1.16/255.255.255.240/0/0)
   remote ident (addr/mask/prot/port): (172.16.16.22/255.255.255.255/0/0)
   current_peer B.B.B.B port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: X.X.X.X, remote crypto endpt.: B.B.B.B
     path mtu 1500, ip mtu 1500
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

=================================================================================

# debug crypto isakmp
Crypto ISAKMP debugging is on
*Feb 17 19:28:57.050: ISAKMP (0:2189): received packet from A.A.A.A dport 500 sport 500 Global (R) QM_IDLE      
*Feb 17 19:28:57.050: ISAKMP: set new node 1494379890 to QM_IDLE      
*Feb 17 19:28:57.050: ISAKMP:(2189): processing HASH payload. message ID = 1494379890
*Feb 17 19:28:57.050: ISAKMP:(2189): processing NOTIFY DPD/R_U_THERE protocol 1
    spi 0, message ID = 1494379890, sa = 83CAE2C4
*Feb 17 19:28:57.050: ISAKMP:(2189):deleting node 1494379890 error FALSE reason "Informational (in) state 1"
*Feb 17 19:28:57.050: ISAKMP:(2189):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Feb 17 19:28:57.050: ISAKMP:(2189):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

*Feb 17 19:28:57.050: ISAKMP:(2189):DPD/R_U_THERE received from peer A.A.A.A, sequence 0x48EE6242
*Feb 17 19:28:57.050: ISAKMP: set new node 1348618121 to QM_IDLE      
*Feb 17 19:28:57.050: ISAKMP:(2189):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
    spi 2212791712, message ID = 1348618121
*Feb 17 19:28:57.050: ISAKMP:(2189): seq. no 0x48EE6242
*Feb 17 19:28:57.050: ISAKMP:(2189): sending packet to A.A.A.A my_port 500 peer_port 500 (R) QM_IDLE      
*Feb 17 19:28:57.050: ISAKMP:(2189):purging node 1348618121
*Feb 17 19:28:57.050: ISAKMP:(2189):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
*Feb 17 19:28:57.050: ISAKMP:(2189):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

*Feb 17 19:29:07.050: ISAKMP:(2189):purging node -875180725
*Feb 17 19:29:17.046: ISAKMP (0:2189): received packet from A.A.A.A dport 500 sport 500 Global (R) QM_IDLE      
*Feb 17 19:29:17.046: ISAKMP: set new node -670804904 to QM_IDLE      
*Feb 17 19:29:17.046: ISAKMP:(2189): processing HASH payload. message ID = -670804904
*Feb 17 19:29:17.050: ISAKMP:(2189): processing NOTIFY DPD/R_U_THERE protocol 1
    spi 0, message ID = -670804904, sa = 83CAE2C4
*Feb 17 19:29:17.050: ISAKMP:(2189):deleting node -670804904 error FALSE reason "Informational (in) state 1"
*Feb 17 19:29:17.050: ISAKMP:(2189):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Feb 17 19:29:17.050: ISAKMP:(2189):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

*Feb 17 19:29:17.050: ISAKMP:(2189):DPD/R_U_THERE received from peer A.A.A.A, sequence 0x48EE6243
*Feb 17 19:29:17.050: ISAKMP: set new node 163342315 to QM_IDLE      
*Feb 17 19:29:17.050: ISAKMP:(2189):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
    spi 2212791712, message ID = 163342315
*Feb 17 19:29:17.050: ISAKMP:(2189): seq. no 0x48EE6243
*Feb 17 19:29:17.050: ISAKMP:(2189): sending packet to A.A.A.A my_port 500 peer_port 500 (R) QM_IDLE      
*Feb 17 19:29:17.050: ISAKMP:(2189):purging node 163342315
*Feb 17 19:29:17.050: ISAKMP:(2189):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
*Feb 17 19:29:17.050: ISAKMP:(2189):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

*Feb 17 19:29:27.050: ISAKMP:(2189):purging node -1236433935
*Feb 17 19:29:37.054: ISAKMP (0:2189): received packet from A.A.A.A dport 500 sport 500 Global (R) QM_IDLE      
*Feb 17 19:29:37.054: ISAKMP: set new node 317312583 to QM_IDLE      
*Feb 17 19:29:37.054: ISAKMP:(2189): processing HASH payload. message ID = 317312583
*Feb 17 19:29:37.054: ISAKMP:(2189): processing NOTIFY DPD/R_U_THERE protocol 1
    spi 0, message ID = 317312583, sa = 83CAE2C4
*Feb 17 19:29:37.054: ISAKMP:(2189):deleting node 317312583 error FALSE reason "Informational (in) state 1"
*Feb 17 19:29:37.054: ISAKMP:(2189):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Feb 17 19:29:37.054: ISAKMP:(2189):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

*Feb 17 19:29:37.054: ISAKMP:(2189):DPD/R_U_THERE received from peer A.A.A.A, sequence 0x48EE6244
*Feb 17 19:29:37.054: ISAKMP: set new node -797098290 to QM_IDLE      
*Feb 17 19:29:37.054: ISAKMP:(2189):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
    spi 2212791712, message ID = -797098290
*Feb 17 19:29:37.054: ISAKMP:(2189): seq. no 0x48EE6244
*Feb 17 19:29:37.054: ISAKMP:(2189): sending packet to A.A.A.A my_port 500 peer_port 500 (R) QM_IDLE      
*Feb 17 19:29:37.054: ISAKMP:(2189):purging node -797098290
*Feb 17 19:29:37.054: ISAKMP:(2189):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
*Feb 17 19:29:37.054: ISAKMP:(2189):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

*Feb 17 19:29:47.050: ISAKMP:(2189):purging node 1494379890
*Feb 17 19:29:57.046: ISAKMP (0:2189): received packet from A.A.A.A dport 500 sport 500 Global (R) QM_IDLE      
*Feb 17 19:29:57.046: ISAKMP: set new node 1882596640 to QM_IDLE      
*Feb 17 19:29:57.046: ISAKMP:(2189): processing HASH payload. message ID = 1882596640
*Feb 17 19:29:57.046: ISAKMP:(2189): processing NOTIFY DPD/R_U_THERE protocol 1
    spi 0, message ID = 1882596640, sa = 83CAE2C4
*Feb 17 19:29:57.046: ISAKMP:(2189):deleting node 1882596640 error FALSE reason "Informational (in) state 1"
*Feb 17 19:29:57.046: ISAKMP:(2189):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Feb 17 19:29:57.046: ISAKMP:(2189):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

*Feb 17 19:29:57.046: ISAKMP:(2189):DPD/R_U_THERE received from peer A.A.A.A, sequence 0x48EE6245
*Feb 17 19:29:57.050: ISAKMP: set new node -497331868 to QM_IDLE      
*Feb 17 19:29:57.050: ISAKMP:(2189):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
    spi 2212791712, message ID = -497331868
*Feb 17 19:29:57.050: ISAKMP:(2189): seq. no 0x48EE6245
*Feb 17 19:29:57.050: ISAKMP:(2189): sending packet to A.A.A.A my_port 500 peer_port 500 (R) QM_IDLE      
*Feb 17 19:29:57.050: ISAKMP:(2189):purging node -497331868
*Feb 17 19:29:57.050: ISAKMP:(2189):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
*Feb 17 19:29:57.050: ISAKMP:(2189):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

*Feb 17 19:30:07.050: ISAKMP:(2189):purging node -670804904
*Feb 17 19:30:17.050: ISAKMP (0:2189): received packet from A.A.A.A dport 500 sport 500 Global (R) QM_IDLE      
*Feb 17 19:30:17.050: ISAKMP: set new node -1818365042 to QM_IDLE      
*Feb 17 19:30:17.050: ISAKMP:(2189): processing HASH payload. message ID = -1818365042
*Feb 17 19:30:17.050: ISAKMP:(2189): processing NOTIFY DPD/R_U_THERE protocol 1
    spi 0, message ID = -1818365042, sa = 83CAE2C4
*Feb 17 19:30:17.050: ISAKMP:(2189):deleting node -1818365042 error FALSE reason "Informational (in) state 1"
*Feb 17 19:30:17.050: ISAKMP:(2189):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Feb 17 19:30:17.050: ISAKMP:(2189):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

*Feb 17 19:30:17.050: ISAKMP:(2189):DPD/R_U_THERE received from peer A.A.A.A, sequence 0x48EE6246
*Feb 17 19:30:17.050: ISAKMP: set new node 1844378453 to QM_IDLE      
*Feb 17 19:30:17.050: ISAKMP:(2189):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
    spi 2212791712, message ID = 1844378453
*Feb 17 19:30:17.050: ISAKMP:(2189): seq. no 0x48EE6246
*Feb 17 19:30:17.050: ISAKMP:(2189): sending packet to A.A.A.A my_port 500 peer_port 500 (R) QM_IDLE      
*Feb 17 19:30:17.050: ISAKMP:(2189):purging node 1844378453
*Feb 17 19:30:17.050: ISAKMP:(2189):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
*Feb 17 19:30:17.050: ISAKMP:(2189):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

*Feb 17 19:30:27.054: ISAKMP:(2189):purging node 317312583
*Feb 17 19:30:37.046: ISAKMP (0:2189): received packet from A.A.A.A dport 500 sport 500 Global (R) QM_IDLE      
*Feb 17 19:30:37.046: ISAKMP: set new node -525497790 to QM_IDLE      
*Feb 17 19:30:37.046: ISAKMP:(2189): processing HASH payload. message ID = -525497790
*Feb 17 19:30:37.046: ISAKMP:(2189): processing NOTIFY DPD/R_U_THERE protocol 1
    spi 0, message ID = -525497790, sa = 83CAE2C4
*Feb 17 19:30:37.046: ISAKMP:(2189):deleting node -525497790 error FALSE reason "Informational (in) state 1"
*Feb 17 19:30:37.046: ISAKMP:(2189):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Feb 17 19:30:37.046: ISAKMP:(2189):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

*Feb 17 19:30:37.046: ISAKMP:(2189):DPD/R_U_THERE received from peer A.A.A.A, sequence 0x48EE6247
*Feb 17 19:30:37.046: ISAKMP: set new node 951416685 to QM_IDLE      
*Feb 17 19:30:37.046: ISAKMP:(2189):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
    spi 2212791712, message ID = 951416685
*Feb 17 19:30:37.046: ISAKMP:(2189): seq. no 0x48EE6247
*Feb 17 19:30:37.046: ISAKMP:(2189): sending packet to A.A.A.A my_port 500 peer_port 500 (R) QM_IDLE      
*Feb 17 19:30:37.050: ISAKMP:(2189):purging node 951416685
*Feb 17 19:30:37.050: ISAKMP:(2189):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
*Feb 17 19:30:37.050: ISAKMP:(2189):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
*Feb 17 19:30:57.046: ISAKMP (0:2189): received packet from A.A.A.A dport 500 sport 500 Global (R) QM_IDLE      
*Feb 17 19:30:57.046: ISAKMP: set new node -1252329337 to QM_IDLE      
*Feb 17 19:30:57.046: ISAKMP:(2189): processing HASH payload. message ID = -1252329337
*Feb 17 19:30:57.046: ISAKMP:(2189): processing NOTIFY DPD/R_U_THERE protocol 1
    spi 0, message ID = -1252329337, sa = 83CAE2C4
*Feb 17 19:30:57.046: ISAKMP:(2189):deleting node -1252329337 error FALSE reason "Informational (in) state 1"
*Feb 17 19:30:57.046: ISAKMP:(2189):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Feb 17 19:30:57.046: ISAKMP:(2189):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

*Feb 17 19:30:57.046: ISAKMP:(2189):DPD/R_U_THERE received from peer A.A.A.A, sequence 0x48EE6248
*Feb 17 19:30:57.046: ISAKMP: set new node -1552283858 to QM_IDLE      
*Feb 17 19:30:57.046: ISAKMP:(2189):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
    spi 2212791712, message ID = -1552283858
*Feb 17 19:30:57.046: ISAKMP:(2189): seq. no 0x48EE6248
*Feb 17 19:30:57.046: ISAKMP:(2189): sending packet to A.A.A.A my_port 500 peer_port 500 (R) QM_IDLE      
*Feb 17 19:30:57.046: ISAKMP:(2189):purging node -1552283858
CRUISE#
CRUISE#
*Feb 17 19:30:57.046: ISAKMP:(2189):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
*Feb 17 19:30:57.050: ISAKMP:(2189):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE


 
asavener Commented:
OK.

"interface: FastEthernet1
    Crypto map tag: TRANSFORM-OUT, local addr X.X.X.X

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.1.1.16/255.255.255.240/0/0)
   remote ident (addr/mask/prot/port): (10.154.0.76/255.255.255.255/0/0)
   current_peer A.A.A.A port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 42, #pkts encrypt: 42, #pkts digest: 42
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0"

This shows that the VPN to A.A.A.A. negotiated successfully, and your router is sending traffic over the VPN, but it is not getting any return traffic.  ESP or UDP/4500 traffic is likely being blocked on one or both ends.
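
The counter check used in the answer above (packets encapsulated, none decapsulated), written as a small triage script over `show crypto ipsec sa` output. This is an added example, not part of the original thread: the verdict labels are my own, the sample text is abridged from the output posted above, and it goes one step further by also separating flows that have no IPsec SA at all.

```python
import re
from typing import NamedTuple

# Abridged from the "show crypto ipsec sa" output posted in this thread
# (three flows only; addresses are the thread's own placeholders).
SAMPLE = """\
interface: FastEthernet1
    Crypto map tag: TRANSFORM-OUT, local addr X.X.X.X

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.1.1.16/255.255.255.240/0/0)
   remote ident (addr/mask/prot/port): (10.154.0.76/255.255.255.255/0/0)
   current_peer A.A.A.A port 500
    #pkts encaps: 42, #pkts encrypt: 42, #pkts digest: 42
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 1, #recv errors 0
     current outbound spi: 0x36FF37A4(922695588)

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.1.1.32/255.255.255.240/0/0)
   remote ident (addr/mask/prot/port): (172.16.16.22/255.255.255.255/0/0)
   current_peer B.B.B.B port 500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 0, #recv errors 0
     current outbound spi: 0x0(0)

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.1.1.16/255.255.255.240/0/0)
   remote ident (addr/mask/prot/port): (10.246.12.0/255.255.255.0/0/0)
   current_peer C.C.C.C port 500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 3819, #recv errors 0
     current outbound spi: 0x0(0)
"""

# One regex per field; re.search ignores indentation, so output pasted
# with its leading whitespace stripped parses the same way.
FIELDS = {
    "local": r"local\s+ident \(addr/mask/prot/port\): \(([^)]*)\)",
    "remote": r"remote\s+ident \(addr/mask/prot/port\): \(([^)]*)\)",
    "peer": r"current_peer (\S+)",
    "encaps": r"#pkts encaps: (\d+)",
    "decaps": r"#pkts decaps: (\d+)",
    "send_errors": r"#send errors (\d+)",
    "outbound_spi": r"current outbound spi: 0x([0-9A-Fa-f]+)",
}


class Flow(NamedTuple):
    local: str
    remote: str
    peer: str
    encaps: int
    decaps: int
    send_errors: int
    outbound_spi: int

    def verdict(self) -> str:
        if self.outbound_spi == 0:
            # No IPsec SA. A climbing send-error counter means traffic is
            # matching the crypto ACL but no SA has been built for it.
            return "no-sa-dropping" if self.send_errors else "no-sa-idle"
        if self.encaps and not self.decaps:
            # SA is up and we are sending, but nothing comes back:
            # the case the answer attributes to blocked ESP or UDP/4500.
            return "one-way"
        return "two-way" if self.decaps else "sa-up-no-traffic"


def parse_flows(text: str) -> list:
    """Split the output into per-flow blocks and extract the counters."""
    flows = []
    # Every flow starts with a "protected vrf:" line; chunk 0 is the header.
    for chunk in re.split(r"^\s*protected vrf:.*$", text, flags=re.M)[1:]:
        m = {name: re.search(rx, chunk) for name, rx in FIELDS.items()}
        if not all(m.values()):
            continue  # truncated block (e.g. paste cut off mid-flow)
        flows.append(Flow(
            local=m["local"].group(1),
            remote=m["remote"].group(1),
            peer=m["peer"].group(1),
            encaps=int(m["encaps"].group(1)),
            decaps=int(m["decaps"].group(1)),
            send_errors=int(m["send_errors"].group(1)),
            outbound_spi=int(m["outbound_spi"].group(1), 16),
        ))
    return flows


def triage(text: str) -> dict:
    """Group flows by peer: {peer: [(local, remote, verdict), ...]}."""
    report = {}
    for f in parse_flows(text):
        report.setdefault(f.peer, []).append((f.local, f.remote, f.verdict()))
    return report


if __name__ == "__main__":
    for peer, rows in triage(SAMPLE).items():
        for local, remote, verdict in rows:
            print(f"{peer:10} {local} -> {remote}: {verdict}")
```
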


 
asavener Commented:
You will need to try sending traffic to B.B.B.B and C.C.C.C subnets and providing the debug output before I can assist further.
 
cellulant (Author) Commented:
Hello experts

Here is the requested output while pinging the hosts in the 3 remote networks.
Plus, what do the lines below mean?
Please note 172.16.16.22 is in the remote peer B.B.B.B network; 10.246.12.42, 10.246.14.99 and 10.246.14.200 are in the remote peer C.C.C.C network.


*Feb 18 13:45:40.037: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from B.B.B.B was not encrypted and it should've been.
*Feb 18 13:45:41.097: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from B.B.B.B was not encrypted and it should've been.
*Feb 18 13:46:10.541: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from B.B.B.B was not encrypted and it should've been.
*Feb 18 13:46:11.673: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from B.B.B.B was not encrypted and it should've been.
*Feb 18 13:46:40.573: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from B.B.B.B was not encrypted and it should've been.
*Feb 18 13:46:41.641: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from B.B.B.B was not encrypted and it should've been.
*Feb 18 13:47:10.557: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from B.B.B.B was not encrypted and it should've been.
*Feb 18 13:47:11.581: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from B.B.B.B was not encrypted and it should've been.
*Feb 18 13:47:40.577: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from B.B.B.B was not encrypted and it should've been.
*Feb 18 13:47:41.605: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from B.B.B.B was not encrypted and it should've been.
*Feb 18 13:48:11.593: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from B.B.B.B was not encrypted and it should've been.
*Feb 18 13:48:12.713: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from B.B.B.B was not encrypted and it should've been.


===========================================================================================================================

#sho crypto ipsec sa

interface: FastEthernet1
Crypto map tag: TRANSFORM_TZ, local addr X.X.X.X

protected vrf: (none)
local ident (addr/mask/prot/port): (10.1.1.32/255.255.255.240/0/0)
remote ident (addr/mask/prot/port): (172.16.16.22/255.255.255.255/0/0)
current_peer B.B.B.B port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: X.X.X.X, remote crypto endpt.: B.B.B.B
path mtu 1500, ip mtu 1500
current outbound spi: 0x0(0)

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.200.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.16.16.22/255.255.255.255/0/0)
current_peer B.B.B.B port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: X.X.X.X, remote crypto endpt.: B.B.B.B
path mtu 1500, ip mtu 1500
current outbound spi: 0x0(0)

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

protected vrf: (none)
local ident (addr/mask/prot/port): (10.1.1.16/255.255.255.240/0/0)
remote ident (addr/mask/prot/port): (10.246.12.0/255.255.255.0/0/0)
current_peer C.C.C.C port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 4573, #recv errors 0

local crypto endpt.: X.X.X.X, remote crypto endpt.: C.C.C.C
path mtu 1500, ip mtu 1500
current outbound spi: 0x0(0)

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

protected vrf: (none)
local ident (addr/mask/prot/port): (10.1.1.16/255.255.255.240/0/0)
remote ident (addr/mask/prot/port): (10.246.14.0/255.255.255.0/0/0)
current_peer C.C.C.C port 500
PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 652, #recv errors 0

local crypto endpt.: X.X.X.X, remote crypto endpt.: C.C.C.C
path mtu 1500, ip mtu 1500
current outbound spi: 0x0(0)

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

protected vrf: (none)
local ident (addr/mask/prot/port): (10.230.230.0/255.255.255.252/0/0)
remote ident (addr/mask/prot/port): (172.16.16.22/255.255.255.255/0/0)
current_peer B.B.B.B port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: X.X.X.X, remote crypto endpt.: B.B.B.B
path mtu 1500, ip mtu 1500
current outbound spi: 0x0(0)

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

protected vrf: (none)
local ident (addr/mask/prot/port): (10.1.1.16/255.255.255.240/0/0)
remote ident (addr/mask/prot/port): (172.16.16.22/255.255.255.255/0/0)
current_peer B.B.B.B port 500
PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 242, #recv errors 0

local crypto endpt.: X.X.X.X, remote crypto endpt.: B.B.B.B
path mtu 1500, ip mtu 1500
current outbound spi: 0x0(0)

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:


===========================================================================================================================

#debug crypto isakmp
*Feb 18 13:45:14.353: ISAKMP:(2272): processing vendor id payload
*Feb 18 13:45:14.353: ISAKMP:(2272): vendor ID seems Unity/DPD but major 183 mismatch
*Feb 18 13:45:14.353: ISAKMP:(2272): vendor ID is XAUTH
*Feb 18 13:45:14.353: ISAKMP:(2272): processing vendor id payload
*Feb 18 13:45:14.353: ISAKMP:(2272): speaking to another IOS box!
*Feb 18 13:45:14.353: ISAKMP:(2272): processing vendor id payload
*Feb 18 13:45:14.353: ISAKMP:(2272):vendor ID seems Unity/DPD but hash mismatch
*Feb 18 13:45:14.353: ISAKMP:(2272):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Feb 18 13:45:14.353: ISAKMP:(2272):Old State = IKE_I_MM4 New State = IKE_I_MM4

*Feb 18 13:45:14.353: ISAKMP:(2272):Send initial contact
*Feb 18 13:45:14.353: ISAKMP:(2272):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Feb 18 13:45:14.353: ISAKMP (0:2272): ID payload
next-payload : 8
type : 1
address : X.X.X.X
protocol : 17
port : 500
length : 12
*Feb 18 13:45:14.353: ISAKMP:(2272):Total payload length: 12
*Feb 18 13:45:14.353: ISAKMP:(2272): sending packet to C.C.C.C my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Feb 18 13:45:14.357: ISAKMP:(2272):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Feb 18 13:45:14.357: ISAKMP:(2272):Old State = IKE_I_MM4 New State = IKE_I_MM5

*Feb 18 13:45:15.001: ISAKMP (0:2210): received packet from 41.223.4.74 dport 500 sport 500 Global (R) QM_IDLE
*Feb 18 13:45:15.001: ISAKMP: set new node 374281267 to QM_IDLE
*Feb 18 13:45:15.001: ISAKMP:(2210): processing HASH payload. message ID = 374281267
*Feb 18 13:45:15.005: ISAKMP:(2210): processing NOTIFY DPD/R_U_THERE protocol 1
spi 0, message ID = 374281267, sa = 82F570A4
*Feb 18 13:45:15.005: ISAKMP:(2210):deleting node 374281267 error FALSE reason "Informational (in) state 1"
*Feb 18 13:45:15.005: ISAKMP:(2210):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Feb 18 13:45:15.005: ISAKMP:(2210):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

*Feb 18 13:45:15.005: ISAKMP:(2210):DPD/R_U_THERE received from peer 41.223.4.74, sequence 0x38BE4037
*Feb 18 13:45:15.005: ISAKMP: set new node 1101778314 to QM_IDLE
*Feb 18 13:45:15.005: ISAKMP:(2210):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
spi 2212791712, message ID = 1101778314
*Feb 18 13:45:15.005: ISAKMP:(2210): seq. no 0x38BE4037
*Feb 18 13:45:15.005: ISAKMP:(2210): sending packet to 41.223.4.74 my_port 500 peer_port 500 (R) QM_IDLE
*Feb 18 13:45:15.005: ISAKMP:(2210):purging node 1101778314
*Feb 18 13:45:15.005: ISAKMP:(2210):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
*Feb 18 13:45:15.005: ISAKMP:(2210):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

*Feb 18 13:45:15.493: ISAKMP (0:2272): received packet from C.C.C.C dport 500 sport 500 Global (I) MM_KEY_EXCH
*Feb 18 13:45:15.493: ISAKMP:(2272): processing ID payload. message ID = 0
*Feb 18 13:45:15.493: ISAKMP (0:2272): ID payload
next-payload : 8
type : 1
address : C.C.C.C
protocol : 17
port : 500
length : 12
*Feb 18 13:45:15.493: ISAKMP:(0):: peer matches *none* of the profiles
*Feb 18 13:45:15.493: ISAKMP:(2272): processing HASH payload. message ID = 0
*Feb 18 13:45:15.497: ISAKMP:received payload type 17
*Feb 18 13:45:15.497: ISAKMP:(2272): processing vendor id payload
*Feb 18 13:45:15.497: ISAKMP:(2272): vendor ID is DPD
*Feb 18 13:45:15.497: ISAKMP:(2272):SA authentication status:
authenticated
*Feb 18 13:45:15.497: ISAKMP:(2272):SA has been authenticated with C.C.C.C
*Feb 18 13:45:15.497: ISAKMP: Trying to insert a peer X.X.X.X/C.C.C.C/500/, and inserted successfully 83CAEA08.
*Feb 18 13:45:15.497: ISAKMP:(2272):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Feb 18 13:45:15.497: ISAKMP:(2272):Old State = IKE_I_MM5 New State = IKE_I_MM6

*Feb 18 13:45:15.497: ISAKMP:(2272):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Feb 18 13:45:15.497: ISAKMP:(2272):Old State = IKE_I_MM6 New State = IKE_I_MM6

*Feb 18 13:45:15.497: ISAKMP:(2272):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Feb 18 13:45:15.497: ISAKMP:(2272):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE

*Feb 18 13:45:15.497: ISAKMP:(2272):beginning Quick Mode exchange, M-ID of 1244389838
*Feb 18 13:45:15.497: ISAKMP:(2272):QM Initiator gets spi
*Feb 18 13:45:15.497: ISAKMP:(2272): sending packet to C.C.C.C my_port 500 peer_port 500 (I) QM_IDLE
*Feb 18 13:45:15.497: ISAKMP:(2272):Node 1244389838, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Feb 18 13:45:15.497: ISAKMP:(2272):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
*Feb 18 13:45:15.497: ISAKMP:(2272):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Feb 18 13:45:15.497: ISAKMP:(2272):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

*Feb 18 13:45:15.501: ISAKMP (0:2272): received packet from C.C.C.C dport 500 sport 500 Global (I) QM_IDLE
*Feb 18 13:45:15.501: ISAKMP: set new node -1052746579 to QM_IDLE
*Feb 18 13:45:15.501: ISAKMP:(2272): processing HASH payload. message ID = -1052746579
*Feb 18 13:45:15.501: ISAKMP:(2272): processing NOTIFY RESPONDER_LIFETIME protocol 1
spi 0, message ID = -1052746579, sa = 83F71DC4
*Feb 18 13:45:15.501: ISAKMP:(2272):SA authentication status:
authenticated
*Feb 18 13:45:15.501: ISAKMP:(2272): processing responder lifetime
*Feb 18 13:45:15.501: ISAKMP:(2272): start processing isakmp responder lifetime
*Feb 18 13:45:15.501: ISAKMP:(2272): restart ike sa timer to 28800 secs
*Feb 18 13:45:15.501: ISAKMP:(2272):deleting node -1052746579 error FALSE reason "Informational (in) state 1"
*Feb 18 13:45:15.501: ISAKMP:(2272):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Feb 18 13:45:15.501: ISAKMP:(2272):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

*Feb 18 13:45:16.633: ISAKMP (0:2272): received packet from C.C.C.C dport 500 sport 500 Global (I) QM_IDLE
*Feb 18 13:45:16.633: ISAKMP: set new node 1600344173 to QM_IDLE
*Feb 18 13:45:16.633: ISAKMP:(2272): processing HASH payload. message ID = 1600344173
*Feb 18 13:45:16.633: ISAKMP:(2272): processing NOTIFY INVALID_ID_INFO protocol 1
spi 0, message ID = 1600344173, sa = 83F71DC4
*Feb 18 13:45:16.633: ISAKMP:(2272):peer does not do paranoid keepalives.

*Feb 18 13:45:16.633: ISAKMP:(2272):deleting SA reason "Recevied fatal informational" state (I) QM_IDLE (peer C.C.C.C)
*Feb 18 13:45:16.633: ISAKMP:(2272):deleting node 1600344173 error FALSE reason "Informational (in) state 1"
*Feb 18 13:45:16.633: ISAKMP:(2272):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Feb 18 13:45:16.637: ISAKMP:(2272):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

*Feb 18 13:45:16.637: ISAKMP (0:2272): received packet from C.C.C.C dport 500 sport 500 Global (I) QM_IDLE
*Feb 18 13:45:16.637: ISAKMP: set new node -982030559 to QM_IDLE
*Feb 18 13:45:16.637: ISAKMP:(2272): sending packet to C.C.C.C my_port 500 peer_port 500 (I) QM_IDLE
*Feb 18 13:45:16.637: ISAKMP:(2272):purging node -982030559
*Feb 18 13:45:16.637: ISAKMP:(2272):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Feb 18 13:45:16.637: ISAKMP:(2272):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA

*Feb 18 13:45:16.637: ISAKMP:(2272):deleting SA reason "No reason" state (I) QM_IDLE (peer C.C.C.C)
*Feb 18 13:45:16.637: ISAKMP:(0):Can't decrement IKE Call Admission Control stat outgoing_active since it's already 0.
*Feb 18 13:45:16.637: ISAKMP: Unlocking peer struct 0x83CAEA08 for isadb_mark_sa_deleted(), count 0
*Feb 18 13:45:16.637: ISAKMP: Deleting peer node by peer_reap for C.C.C.C: 83CAEA08
*Feb 18 13:45:16.637: ISAKMP:(2272):deleting node 1244389838 error FALSE reason "IKE deleted"
*Feb 18 13:45:16.637: ISAKMP:(2272):deleting node -1052746579 error FALSE reason "IKE deleted"
*Feb 18 13:45:16.637: ISAKMP:(2272):deleting node 1600344173 error FALSE reason "IKE deleted"
*Feb 18 13:45:16.637: ISAKMP:(2272):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Feb 18 13:45:16.637: ISAKMP:(2272):Old State = IKE_DEST_SA New State = IKE_DEST_SA
*Feb 18 13:49:32.261: ISAKMP:(2283):purging SA., sa=83F71C44, delme=83F71C44
*Feb 18 13:49:33.181: ISAKMP:(2289): retransmitting phase 1 MM_KEY_EXCH...
*Feb 18 13:49:33.181: ISAKMP:(2289):peer does not do paranoid keepalives.
0
 
asavener Commented:
"*Feb 18 13:45:15.493: ISAKMP:(0):: peer matches *none* of the profiles"

Check to make sure you have configuration lines on the remote routers similar to:

crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
0
 
cellulant (Author) Commented:
Hello asavener,

The clients have the same policy as mine; even as per the several outputs, it seems we are doing well with Phase 1. However, I'm still confused about Client B.B.B.B running an ASA 5510.
0
 
cellulant (Author) Commented:
Hello Experts,

The VPN problem is still there. Here is the specific output of 'debug crypto isakmp' for this client B.B.B.B while pinging two of his IPs.



0
 
cellulant (Author) Commented:
Sorry, could not attach the file.

Here is the debug:

*Feb 23 13:29:40.895: ISAKMP:(0):src A.A.A.A dst B.B.B.B, SA is not authenticated
*Feb 23 13:29:40.895: ISAKMP:(0):peer does not do paranoid keepalives.

*Feb 23 13:29:40.895: ISAKMP:(0):deleting SA reason "QM_TIMER expired" state (I) MM_SA_SETUP (peer B.B.B.B)
*Feb 23 13:29:40.895: ISAKMP:(0):deleting SA reason "QM_TIMER expired" state (I) MM_SA_SETUP (peer B.B.B.B)
*Feb 23 13:29:40.895: ISAKMP: Unlocking peer struct 0x83EF09E8 for isadb_mark_sa_deleted(), count 0
*Feb 23 13:29:40.895: ISAKMP: Deleting peer node by peer_reap for B.B.B.B: 83EF09E8
*Feb 23 13:29:40.895: ISAKMP:(0):deleting node 1502273187 error FALSE reason "IKE deleted"
*Feb 23 13:29:40.895: ISAKMP:(0):deleting node -2111271292 error FALSE reason "IKE deleted"
*Feb 23 13:29:40.895: ISAKMP:(0):deleting node 482362286 error FALSE reason "IKE deleted"
*Feb 23 13:29:40.895: ISAKMP:(0):deleting node -712618117 error FALSE reason "IKE deleted"
*Feb 23 13:29:40.895: ISAKMP:(0):deleting node -1687229861 error FALSE reason "IKE deleted"
*Feb 23 13:29:40.895: ISAKMP:(0):deleting node -1368185130 error FALSE reason "IKE deleted"
*Feb 23 13:29:40.895: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Feb 23 13:29:40.895: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_DEST_SA
*Feb 23 13:29:43.979: ISAKMP:(2306):purging SA., sa=833C08BC, delme=833C08BC
*Feb 23 13:29:44.299: ISAKMP:(0): SA request profile is (NULL)
*Feb 23 13:29:44.299: ISAKMP: Created a peer struct for B.B.B.B, peer port 500
*Feb 23 13:29:44.299: ISAKMP: New peer created peer = 0x82F57FA4 peer_handle = 0x80001BB2
*Feb 23 13:29:44.299: ISAKMP: Locking peer struct 0x82F57FA4, refcount 1 for isakmp_initiator
*Feb 23 13:29:44.299: ISAKMP: local port 500, remote port 500
*Feb 23 13:29:44.299: ISAKMP: set new node 0 to QM_IDLE      
*Feb 23 13:29:44.299: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 83EE3C70
*Feb 23 13:29:44.299: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Feb 23 13:29:44.299: ISAKMP:(0):found peer pre-shared key matching B.B.B.B
*Feb 23 13:29:44.299: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Feb 23 13:29:44.299: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Feb 23 13:29:44.299: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Feb 23 13:29:44.299: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Feb 23 13:29:44.299: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1

*Feb 23 13:29:44.299: ISAKMP:(0): beginning Main Mode exchange
*Feb 23 13:29:44.299: ISAKMP:(0): sending packet to B.B.B.B my_port 500 peer_port 500 (I) MM_NO_STATE
*Feb 23 13:29:44.671: ISAKMP: set new node 0 to QM_IDLE      
*Feb 23 13:29:44.671: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local A.A.A.A, remote B.B.B.B)
*Feb 23 13:29:44.671: ISAKMP: Error while processing SA request: Failed to initialize SA
*Feb 23 13:29:44.671: ISAKMP: Error while processing KMI message 0, error 2.
*Feb 23 13:29:44.819: ISAKMP (0:0): received packet from B.B.B.B dport 500 sport 500 Global (I) MM_NO_STATE
*Feb 23 13:29:44.819: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Feb 23 13:29:44.819: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2

*Feb 23 13:29:44.819: ISAKMP:(0): processing SA payload. message ID = 0
*Feb 23 13:29:44.819: ISAKMP:(0): processing vendor id payload
*Feb 23 13:29:44.819: ISAKMP:(0): vendor ID seems Unity/DPD but major 194 mismatch
*Feb 23 13:29:44.819: ISAKMP:(0):found peer pre-shared key matching B.B.B.B
*Feb 23 13:29:44.819: ISAKMP:(0): local preshared key found
*Feb 23 13:29:44.819: ISAKMP : Scanning profiles for xauth ...
*Feb 23 13:29:44.819: ISAKMP:(0):Checking ISAKMP transform 2 against priority 10 policy
*Feb 23 13:29:44.819: ISAKMP:      encryption 3DES-CBC
*Feb 23 13:29:44.819: ISAKMP:      hash SHA
*Feb 23 13:29:44.819: ISAKMP:      default group 2
*Feb 23 13:29:44.819: ISAKMP:      auth pre-share
*Feb 23 13:29:44.819: ISAKMP:      life type in seconds
*Feb 23 13:29:44.819: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
*Feb 23 13:29:44.819: ISAKMP:(0):Hash algorithm offered does not match policy!
*Feb 23 13:29:44.823: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Feb 23 13:29:44.823: ISAKMP:(0):Checking ISAKMP transform 2 against priority 11 policy
*Feb 23 13:29:44.823: ISAKMP:      encryption 3DES-CBC
*Feb 23 13:29:44.823: ISAKMP:      hash SHA
*Feb 23 13:29:44.823: ISAKMP:      default group 2
*Feb 23 13:29:44.823: ISAKMP:      auth pre-share
*Feb 23 13:29:44.823: ISAKMP:      life type in seconds
*Feb 23 13:29:44.823: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
*Feb 23 13:29:44.823: ISAKMP:(0):atts are acceptable. Next payload is 0
*Feb 23 13:29:44.823: ISAKMP:(0): processing vendor id payload
*Feb 23 13:29:44.823: ISAKMP:(0): vendor ID seems Unity/DPD but major 194 mismatch
*Feb 23 13:29:44.823: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Feb 23 13:29:44.823: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2

*Feb 23 13:29:44.823: ISAKMP:(0): sending packet to B.B.B.B my_port 500 peer_port 500 (I) MM_SA_SETUP
*Feb 23 13:29:44.823: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Feb 23 13:29:44.823: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3

*Feb 23 13:29:54.823: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...
*Feb 23 13:29:54.823: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Feb 23 13:29:54.823: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP
*Feb 23 13:29:54.823: ISAKMP:(0): sending packet to B.B.B.B my_port 500 peer_port 500 (I) MM_SA_SETUP
*Feb 23 13:29:54.983: ISAKMP (0:0): received packet from B.B.B.B dport 500 sport 500 Global (I) MM_SA_SETUP
*Feb 23 13:29:54.983: ISAKMP:(0):Notify has no hash. Rejected.
*Feb 23 13:29:54.983: ISAKMP (0:0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY:  state = IKE_I_MM3
*Feb 23 13:29:54.983: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Feb 23 13:29:54.983: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM3

*Feb 23 13:29:54.983: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at B.B.B.B
*Feb 23 13:30:14.299: ISAKMP: set new node 0 to QM_IDLE      
*Feb 23 13:30:14.299: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local A.A.A.A, remote B.B.B.B)
*Feb 23 13:30:14.299: ISAKMP: Error while processing SA request: Failed to initialize SA
*Feb 23 13:30:14.299: ISAKMP: Error while processing KMI message 0, error 2.
*Feb 23 13:30:14.671: ISAKMP: set new node 0 to QM_IDLE      
*Feb 23 13:30:14.671: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local A.A.A.A, remote B.B.B.B)
*Feb 23 13:30:14.671: ISAKMP: Error while processing SA request: Failed to initialize SA
*Feb 23 13:30:14.671: ISAKMP: Error while processing KMI message 0, error 2.
*Feb 23 13:30:30.895: ISAKMP:(0):purging node 1502273187
*Feb 23 13:30:30.895: ISAKMP:(0):purging node -2111271292
*Feb 23 13:30:30.895: ISAKMP:(0):purging node 482362286
*Feb 23 13:30:30.895: ISAKMP:(0):purging node -712618117
*Feb 23 13:30:30.895: ISAKMP:(0):purging node -1687229861
*Feb 23 13:30:30.895: ISAKMP:(0):purging node -1368185130
*Feb 23 13:30:40.895: ISAKMP:(0):purging SA., sa=833BFF80, delme=833BFF80
*Feb 23 13:30:44.583: ISAKMP: set new node 0 to QM_IDLE      
*Feb 23 13:30:44.583: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local A.A.A.A, remote B.B.B.B)
*Feb 23 13:30:44.583: ISAKMP: Error while processing SA request: Failed to initialize SA
*Feb 23 13:30:44.583: ISAKMP: Error while processing KMI message 0, error 2.
*Feb 23 13:30:44.671: ISAKMP: set new node 0 to QM_IDLE      
*Feb 23 13:30:44.671: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local A.A.A.A, remote B.B.B.B)
*Feb 23 13:30:44.671: ISAKMP: Error while processing SA request: Failed to initialize SA
*Feb 23 13:30:44.671: ISAKMP: Error while processing KMI message 0, error 2.
*Feb 23 13:30:59.299: ISAKMP: quick mode timer expired.
*Feb 23 13:30:59.299: ISAKMP:(0):src A.A.A.A dst B.B.B.B, SA is not authenticated
*Feb 23 13:30:59.299: ISAKMP:(0):peer does not do paranoid keepalives.

*Feb 23 13:30:59.299: ISAKMP:(0):deleting SA reason "QM_TIMER expired" state (I) MM_SA_SETUP (peer B.B.B.B)
*Feb 23 13:30:59.299: ISAKMP:(0):deleting SA reason "QM_TIMER expired" state (I) MM_SA_SETUP (peer B.B.B.B)
*Feb 23 13:30:59.299: ISAKMP: Unlocking peer struct 0x82F57FA4 for isadb_mark_sa_deleted(), count 0
*Feb 23 13:30:59.299: ISAKMP: Deleting peer node by peer_reap for B.B.B.B: 82F57FA4
*Feb 23 13:30:59.299: ISAKMP:(0):deleting node 495697146 error FALSE reason "IKE deleted"
*Feb 23 13:30:59.299: ISAKMP:(0):deleting node 1034301133 error FALSE reason "IKE deleted"
*Feb 23 13:30:59.299: ISAKMP:(0):deleting node 861399215 error FALSE reason "IKE deleted"
*Feb 23 13:30:59.299: ISAKMP:(0):deleting node -1458457589 error FALSE reason "IKE deleted"
*Feb 23 13:30:59.299: ISAKMP:(0):deleting node 1148969708 error FALSE reason "IKE deleted"
*Feb 23 13:30:59.299: ISAKMP:(0):deleting node -1696011823 error FALSE reason "IKE deleted"
*Feb 23 13:30:59.299: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Feb 23 13:30:59.299: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_DEST_SA

*Feb 23 13:31:14.579: ISAKMP:(0): SA request profile is (NULL)
*Feb 23 13:31:14.579: ISAKMP: Created a peer struct for B.B.B.B, peer port 500
*Feb 23 13:31:14.579: ISAKMP: New peer created peer = 0x8355D60C peer_handle = 0x80001C89
*Feb 23 13:31:14.579: ISAKMP: Locking peer struct 0x8355D60C, refcount 1 for isakmp_initiator
*Feb 23 13:31:14.579: ISAKMP: local port 500, remote port 500
*Feb 23 13:31:14.579: ISAKMP: set new node 0 to QM_IDLE      
*Feb 23 13:31:14.579: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 83CAE578
*Feb 23 13:31:14.579: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Feb 23 13:31:14.579: ISAKMP:(0):found peer pre-shared key matching B.B.B.B
*Feb 23 13:31:14.579: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Feb 23 13:31:14.579: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Feb 23 13:31:14.579: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Feb 23 13:31:14.579: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Feb 23 13:31:14.579: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1

*Feb 23 13:31:14.579: ISAKMP:(0): beginning Main Mode exchange
*Feb 23 13:31:14.579: ISAKMP:(0): sending packet to B.B.B.B my_port 500 peer_port 500 (I) MM_NO_STATE
*Feb 23 13:31:14.671: ISAKMP (0:0): received packet from B.B.B.B dport 500 sport 500 Global (I) MM_NO_STATE
*Feb 23 13:31:14.671: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Feb 23 13:31:14.671: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2

*Feb 23 13:31:14.671: ISAKMP:(0): processing SA payload. message ID = 0
*Feb 23 13:31:14.671: ISAKMP:(0): processing vendor id payload
*Feb 23 13:31:14.671: ISAKMP:(0): vendor ID seems Unity/DPD but major 194 mismatch
*Feb 23 13:31:14.671: ISAKMP:(0):found peer pre-shared key matching B.B.B.B
*Feb 23 13:31:14.671: ISAKMP:(0): local preshared key found
*Feb 23 13:31:14.671: ISAKMP : Scanning profiles for xauth ...
*Feb 23 13:31:14.671: ISAKMP:(0):Checking ISAKMP transform 2 against priority 10 policy
*Feb 23 13:31:14.671: ISAKMP:      encryption 3DES-CBC
*Feb 23 13:31:14.671: ISAKMP:      hash SHA
*Feb 23 13:31:14.671: ISAKMP:      default group 2
*Feb 23 13:31:14.671: ISAKMP:      auth pre-share
*Feb 23 13:31:14.671: ISAKMP:      life type in seconds
*Feb 23 13:31:14.671: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
*Feb 23 13:31:14.671: ISAKMP:(0):Hash algorithm offered does not match policy!
*Feb 23 13:31:14.671: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Feb 23 13:31:14.671: ISAKMP:(0):Checking ISAKMP transform 2 against priority 11 policy
*Feb 23 13:31:14.671: ISAKMP:      encryption 3DES-CBC
*Feb 23 13:31:14.671: ISAKMP:      hash SHA
*Feb 23 13:31:14.671: ISAKMP:      default group 2
*Feb 23 13:31:14.671: ISAKMP:      auth pre-share
*Feb 23 13:31:14.671: ISAKMP:      life type in seconds
*Feb 23 13:31:14.671: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
*Feb 23 13:31:14.671: ISAKMP:(0):atts are acceptable. Next payload is 0
*Feb 23 13:31:14.671: ISAKMP:(0): processing vendor id payload
*Feb 23 13:31:14.671: ISAKMP:(0): vendor ID seems Unity/DPD but major 194 mismatch
*Feb 23 13:31:14.671: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Feb 23 13:31:14.671: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2

*Feb 23 13:31:14.671: ISAKMP: set new node 0 to QM_IDLE      
*Feb 23 13:31:14.671: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local A.A.A.A, remote B.B.B.B)
*Feb 23 13:31:14.671: ISAKMP: Error while processing SA request: Failed to initialize SA
*Feb 23 13:31:14.671: ISAKMP: Error while processing KMI message 0, error 2.
*Feb 23 13:31:14.675: ISAKMP:(0): sending packet to B.B.B.B my_port 500 peer_port 500 (I) MM_SA_SETUP
*Feb 23 13:31:14.675: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Feb 23 13:31:14.675: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3

*Feb 23 13:31:24.675: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...
*Feb 23 13:31:24.675: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Feb 23 13:31:24.675: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP
*Feb 23 13:31:24.675: ISAKMP:(0): sending packet to B.B.B.B my_port 500 peer_port 500 (I) MM_SA_SETUP
*Feb 23 13:31:24.831: ISAKMP (0:0): received packet from B.B.B.B dport 500 sport 500 Global (I) MM_SA_SETUP
*Feb 23 13:31:24.831: ISAKMP:(0):Notify has no hash. Rejected.
*Feb 23 13:31:24.831: ISAKMP (0:0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY:  state = IKE_I_MM3
*Feb 23 13:31:24.831: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Feb 23 13:31:24.831: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM3

*Feb 23 13:31:24.831: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at B.B.B.B
*Feb 23 13:31:44.735: ISAKMP: set new node 0 to QM_IDLE      
*Feb 23 13:31:44.735: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local A.A.A.A, remote B.B.B.B)
*Feb 23 13:31:44.735: ISAKMP: Error while processing SA request: Failed to initialize SA
*Feb 23 13:31:44.735: ISAKMP: Error while processing KMI message 0, error 2.
*Feb 23 13:31:45.315: ISAKMP: set new node 0 to QM_IDLE      
*Feb 23 13:31:45.315: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local A.A.A.A, remote B.B.B.B)
*Feb 23 13:31:45.315: ISAKMP: Error while processing SA request: Failed to initialize SA
*Feb 23 13:31:45.315: ISAKMP: Error while processing KMI message 0, error 2.
*Feb 23 13:31:49.299: ISAKMP:(0):purging node 495697146
*Feb 23 13:31:49.299: ISAKMP:(0):purging node 1034301133
*Feb 23 13:31:49.299: ISAKMP:(0):purging node 861399215
*Feb 23 13:31:49.299: ISAKMP:(0):purging node -1458457589
*Feb 23 13:31:49.299: ISAKMP:(0):purging node 1148969708
*Feb 23 13:31:49.299: ISAKMP:(0):purging node -1696011823
*Feb 23 13:31:59.299: ISAKMP:(0):purging SA., sa=83EE3C70, delme=83EE3C70
0
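The Python script below condenses `debug crypto isakmp` output like the captures in this thread into a per-peer summary: which ISAKMP policy priorities were rejected or accepted, the last IKE state reached, and the failure notifications seen. It is an added example, not code from the thread or from Cisco; the function names and event labels are assumptions, and the sample lines are excerpted from the output posted above.

```python
import re
from collections import Counter

# Sample input: lines excerpted from the debug output posted in this thread
# (A.A.A.A / B.B.B.B / C.C.C.C are the thread's own address placeholders).
SAMPLE = """\
*Feb 18 13:47:11.581: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from B.B.B.B was not encrypted and it should've been.
*Feb 18 13:45:15.497: ISAKMP:(2272):SA has been authenticated with C.C.C.C
*Feb 18 13:45:15.497: ISAKMP:(2272):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
*Feb 18 13:45:16.633: ISAKMP:(2272): processing NOTIFY INVALID_ID_INFO protocol 1
*Feb 18 13:45:16.633: ISAKMP:(2272):deleting SA reason "Recevied fatal informational" state (I) QM_IDLE (peer C.C.C.C)
*Feb 23 13:29:44.299: ISAKMP:(0): sending packet to B.B.B.B my_port 500 peer_port 500 (I) MM_NO_STATE
*Feb 23 13:29:44.819: ISAKMP:(0):Checking ISAKMP transform 2 against priority 10 policy
*Feb 23 13:29:44.819: ISAKMP:(0):Hash algorithm offered does not match policy!
*Feb 23 13:29:44.823: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Feb 23 13:29:44.823: ISAKMP:(0):Checking ISAKMP transform 2 against priority 11 policy
*Feb 23 13:29:44.823: ISAKMP:(0):atts are acceptable. Next payload is 0
*Feb 23 13:29:44.823: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3
*Feb 23 13:29:54.823: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Feb 23 13:29:54.983: ISAKMP:(0):Notify has no hash. Rejected.
*Feb 23 13:30:59.299: ISAKMP:(0):deleting SA reason "QM_TIMER expired" state (I) MM_SA_SETUP (peer B.B.B.B)
"""

SA_RE = re.compile(r"ISAKMP[ :]*\((?:\d+:)?(\d+)\)")          # "(2272)" or "(0:2272)"
PEER_RE = re.compile(r"\b(?:from|to|with|peer)\s+(\w+(?:\.\w+){3})\b")
STATE_RE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
CHECK_RE = re.compile(r"against priority (\d+) policy")
MISMATCH_RE = re.compile(r"([A-Za-z ]+) offered does not match policy")
DELETE_RE = re.compile(r'deleting SA reason "([^"]+)" state \(\w\) (\S+)')
NOT_ENC_RE = re.compile(r"IKMP_NOT_ENCRYPTED: IKE packet from (\S+)")


def _entry(report, peer):
    return report.setdefault(peer, {"last_state": None, "accepted_policy": None,
                                    "rejected_policies": [], "events": Counter()})


def analyse(text):
    """Return {peer: summary} for IOS 'debug crypto isakmp' output."""
    # SA id 0 is shared by every SA that has not yet exchanged keys, so a line
    # without an address is attributed to the peer last seen on that SA id.
    report, sa_peer, checking, reason = {}, {}, {}, {}
    for line in text.splitlines():
        m = NOT_ENC_RE.search(line)
        if m:
            _entry(report, m.group(1))["events"]["unencrypted IKE packet received"] += 1
            continue
        m = SA_RE.search(line)
        if not m:
            continue
        sa = m.group(1)
        p = PEER_RE.search(line)
        if p:
            sa_peer[sa] = p.group(1)
        e = _entry(report, sa_peer.get(sa, "unknown"))
        if (m := STATE_RE.search(line)):
            e["last_state"] = m.group(2)
        elif (m := CHECK_RE.search(line)):
            checking[sa] = int(m.group(1))            # local policy being compared
        elif (m := MISMATCH_RE.search(line)):
            reason[sa] = m.group(1).strip()           # e.g. "Hash algorithm"
        elif "atts are not acceptable" in line:
            e["rejected_policies"].append((checking.get(sa), reason.pop(sa, "unspecified")))
        elif "atts are acceptable" in line:
            e["accepted_policy"] = checking.get(sa)
        elif "SA has been authenticated" in line:
            e["events"]["phase 1 authenticated"] += 1
        elif "NOTIFY INVALID_ID_INFO" in line:        # peer refused the Quick Mode identities
            e["events"]["INVALID_ID_INFO notify received"] += 1
        elif "Notify has no hash" in line:
            e["events"]["unauthenticated notify rejected"] += 1
        elif "incrementing error counter" in line:
            e["events"]["phase 1 retransmit"] += 1
        elif (m := DELETE_RE.search(line)):
            e["events"][f"SA deleted in {m.group(2)}: {m.group(1)}"] += 1
    return report


def phase1_failures(report):
    """Peers that never completed phase 1 authentication in this capture."""
    return sorted(p for p, e in report.items() if not e["events"]["phase 1 authenticated"])


if __name__ == "__main__":
    for peer, summary in analyse(SAMPLE).items():
        print(peer, summary["last_state"], summary["accepted_policy"],
              summary["rejected_policies"], dict(summary["events"]))
```

On the sample, C.C.C.C authenticates phase 1 and is then torn down after an INVALID_ID_INFO notify, while B.B.B.B matches policy 11 but never gets past IKE_I_MM3.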
