
VPN Error: 'Received notify: INVALID_ID_INFO'

Last Modified: 2012-06-27
Can anyone help me understand why the error below,  ‘Received notify: INVALID_ID_INFO’ is occurring, and how to fix it?

The log below was obtained on the 24.xxx.xxx.xxx side of the VPN.
The source PC on the 24.xxx.xxx.xxx end of the VPN is able to ping the destination PC on the 69.yyy.yyy.yyy end of the VPN, which is where I’m located, but the source PC is unable to send data through the VPN to the destination PC.

However, from my side of the VPN, which is at 69.yyy.yyy.yyy, if I ping the source PC (on the 24.xxx.xxx.xxx side of the VPN), the tunnel wakes up and the source PC can send data thru the VPN to my end.

Why can’t the source PC itself ‘wake up’ the VPN connection?
Does the log below explain why?


 2 04/07/2011 13:32:19.208 IKE Initiator: Start Quick Mode (Phase 2).  24.xxx.xxx.xxx, 500 69.yyy.yyy.yyy, 500
 3 04/07/2011 13:32:18.016 IKE Initiator: Aggressive Mode complete  (Phase 1). 24.xxx.xxx.xxx, 500 69.yyy.yyy.yyy, 500 AES-128 SHA1 Group 5 lifeSeconds=28800
 4 04/07/2011 13:32:17.112 IKE Initiator: Start Aggressive Mode  negotiation (Phase 1) 24.xxx.xxx.xxx, 500 69.yyy.yyy.yyy, 500
 5 04/07/2011 13:32:16.512 Received notify: INVALID_ID_INFO  69.yyy.yyy.yyy 24.xxx.xxx.xxx

 6 04/07/2011 13:32:16.208 IKE Initiator: Start Quick Mode (Phase 2).  24.xxx.xxx.xxx, 500 69.yyy.yyy.yyy, 500
 7 04/07/2011 13:32:14.944 IKE Initiator: Aggressive Mode complete  (Phase 1). 24.xxx.xxx.xxx, 500 69.yyy.yyy.yyy, 500 AES-128 SHA1 Group 5 lifeSeconds=28800
 8 04/07/2011 13:32:14.112 IKE Initiator: Start Aggressive Mode  negotiation (Phase 1) 24.xxx.xxx.xxx, 500 69.yyy.yyy.yyy, 500
 9 04/07/2011 13:31:54.624 Administrator login allowed 192.168.7.4, 0,  LAN (admin) 192.168.7.1, 80, LAN admin, TCP Web (HTTP)
 10 04/07/2011 13:31:45.288 Web management request allowed 192.168.7.4,  1048, LAN 192.168.7.1, 80, LAN TCP Web (HTTP)
 11 04/07/2011 13:31:34.528 Received notify: INVALID_ID_INFO  69.yyy.yyy.yyy 24.xxx.xxx.xxx

 12 04/07/2011 13:31:34.208 IKE Initiator: Start Quick Mode (Phase 2).  24.xxx.xxx.xxx, 500 69.yyy.yyy.yyy, 500
 13 04/07/2011 13:31:32.672 IKE Initiator: Aggressive Mode complete  (Phase 1). 24.xxx.xxx.xxx, 500 69.yyy.yyy.yyy, 500 AES-128 SHA1 Group 5 lifeSeconds=28800

 14 04/07/2011 13:31:31.800 IKE Initiator: Start Aggressive Mode  negotiation (Phase 1) 24.xxx.xxx.xxx, 500 69.yyy.yyy.yyy, 500
 15 04/07/2011 13:31:28.528 Received notify: INVALID_ID_INFO  69.yyy.yyy.yyy 24.xxx.xxx.xxx
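
An added example, not part of the original thread: a Python script that reads a log in the format posted above (newest entry first) and pairs each Quick Mode start with the peer notify that follows it. On the sample, Phase 1 completes and the notify arrives about 0.3 s after Phase 2 starts, which places the rejection in Phase 2 rather than Phase 1. The sample lines are constructed in the posted format; the function names, the 5-second window and the MM/DD/YYYY date reading are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the format of the log posted above (newest entry first).
SAMPLE_LOG = """\
 2 04/07/2011 13:32:19.208 IKE Initiator: Start Quick Mode (Phase 2).  24.xxx.xxx.xxx, 500 69.yyy.yyy.yyy, 500
 3 04/07/2011 13:32:18.016 IKE Initiator: Aggressive Mode complete  (Phase 1). 24.xxx.xxx.xxx, 500 69.yyy.yyy.yyy, 500
 4 04/07/2011 13:32:17.112 IKE Initiator: Start Aggressive Mode  negotiation (Phase 1) 24.xxx.xxx.xxx, 500 69.yyy.yyy.yyy, 500
 5 04/07/2011 13:32:16.512 Received notify: INVALID_ID_INFO  69.yyy.yyy.yyy 24.xxx.xxx.xxx
 6 04/07/2011 13:32:16.208 IKE Initiator: Start Quick Mode (Phase 2).  24.xxx.xxx.xxx, 500 69.yyy.yyy.yyy, 500
 7 04/07/2011 13:32:14.944 IKE Initiator: Aggressive Mode complete  (Phase 1). 24.xxx.xxx.xxx, 500 69.yyy.yyy.yyy, 500
 9 04/07/2011 13:31:54.624 Administrator login allowed 192.168.7.4, 0,  LAN (admin) 192.168.7.1, 80, LAN admin, TCP Web (HTTP)
"""

ENTRY = re.compile(r"^\s*(\d+)\s+(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3})\s+(.*)$")
NOTIFY = re.compile(r"Received notify:\s*(\S+)")

def parse(log_text):
    """Return (timestamp, message) tuples sorted oldest-first."""
    events = []
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if m:
            # Assumption: dates are MM/DD/YYYY; runs of spaces are collapsed.
            ts = datetime.strptime(m.group(2), "%m/%d/%Y %H:%M:%S.%f")
            events.append((ts, " ".join(m.group(3).split())))
    return sorted(events)

def phase2_attempts(log_text, window=timedelta(seconds=5)):
    """Pair each Quick Mode start with the peer notify that follows it, if any."""
    attempts, phase1_ok, pending = [], False, None
    for ts, msg in parse(log_text):
        if "Mode complete (Phase 1)" in msg:
            phase1_ok = True
        elif "Start Quick Mode (Phase 2)" in msg:
            pending = {"started": ts, "phase1_ok": phase1_ok, "notify": None}
            attempts.append(pending)
            phase1_ok = False
        elif pending and (n := NOTIFY.search(msg)) and ts - pending["started"] <= window:
            pending["notify"] = n.group(1)
            pending = None
    return attempts

if __name__ == "__main__":
    for a in phase2_attempts(SAMPLE_LOG):
        print(a["started"].time(), "phase1_ok:", a["phase1_ok"], "notify:", a["notify"])
```
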

Commented:
Try to change IKE negotiation mode from aggressive to main.

Author

Commented:
I'm assuming this change has to take place on the Source PC side of the VPN?

Commented:
Can you check the configuration of the tunnel on both ends?

Author

Commented:
Can you be a bit more specific on how to do that?  
I'm a novice at this.
Thanks.

Commented:
If you use ASDM, go to Configuration and site-to-site VPN. Under connection profiles, you will see all configured tunnels listed. Double click on the one you need, click advanced, crypto map entry. There is an option to change IKE negotiation mode.

If you use the console, you need to find the crypto map for that tunnel and modify the configuration.
Say it is named outside_map 1. The configuration line to remove looks like this:
crypto map outside_map 1 set  phase1-mode aggressive group2

The modified crypto map should look like this if you are using AES-SHA. If you use something else, then just replace it with the correct one.

crypto map Outside_map 1 match address Outside_1_cryptomap
crypto map Outside_map 1 set peer <peer IP>
crypto map Outside_map 1 set transform-set ESP-AES-SHA
crypto map Outside_map 1 set security-association lifetime seconds 28800
crypto map Outside_map 1 set security-association lifetime kilobytes 4608000

Author

Commented:
Thank you, your instructions were perfect.

Yes, I use ASDM, and found the tunnel of interest.  It appears that IKE Negotiation Mode is already set to 'main'.  

I suspect that it may be set to aggressive on the source end.  I will be able to check the source end today, and will let you know.

Author

Commented:
Different encryption method used, tunnel is now up.