Solved

VPN Error: 'Received notify: INVALID_ID_INFO'

Posted on 2011-04-25
Last Modified: 2012-06-27
Can anyone help me understand why the error below, ‘Received notify: INVALID_ID_INFO’, is occurring, and how to fix it?

The log below was obtained on the 24.xxx.xxx.xxx side of the VPN.
The source PC on the 24.xxx.xxx.xxx end of the VPN is able to ping the destination PC on the 69.yyy.yyy.yyy end of the VPN, which is where I’m located, but the source PC is unable to send data through the VPN to the destination PC.

However, from my side of the VPN, which is at 69.yyy.yyy.yy, if I ping the source PC (on the 24.xxx.xxx.xxx side of the VPN), the tunnel wakes up and the source PC can send data thru the VPN to my end.

Why can’t the source PC itself ‘wake up’ the VPN connection?
Does the log below explain why?


 2 04/07/2011 13:32:19.208 IKE Initiator: Start Quick Mode (Phase 2).  24.xxx.xxx.xxx, 500 69.yyy.yyy.yyy, 500
 3 04/07/2011 13:32:18.016 IKE Initiator: Aggressive Mode complete  (Phase 1). 24.xxx.xxx.xxx, 500 69.yyy.yyy.yyy, 500 AES-128 SHA1 Group 5 lifeSeconds=28800
 4 04/07/2011 13:32:17.112 IKE Initiator: Start Aggressive Mode  negotiation (Phase 1) 24.xxx.xxx.xxx, 500 69.yyy.yyy.yyy, 500
 5 04/07/2011 13:32:16.512 Received notify: INVALID_ID_INFO  69.yyy.yyy.yyy 24.xxx.xxx.xxx
 6 04/07/2011 13:32:16.208 IKE Initiator: Start Quick Mode (Phase 2).  24.xxx.xxx.xxx, 500 69.yyy.yyy.yyy, 500
 7 04/07/2011 13:32:14.944 IKE Initiator: Aggressive Mode complete  (Phase 1). 24.xxx.xxx.xxx, 500 69.yyy.yyy.yyy, 500 AES-128 SHA1 Group 5 lifeSeconds=28800
 8 04/07/2011 13:32:14.112 IKE Initiator: Start Aggressive Mode  negotiation (Phase 1) 24.xxx.xxx.xxx, 500 69.yyy.yyy.yyy, 500
 9 04/07/2011 13:31:54.624 Administrator login allowed 192.168.7.4, 0,  LAN (admin) 192.168.7.1, 80, LAN admin, TCP Web (HTTP)
 10 04/07/2011 13:31:45.288 Web management request allowed 192.168.7.4,  1048, LAN 192.168.7.1, 80, LAN TCP Web (HTTP)
 11 04/07/2011 13:31:34.528 Received notify: INVALID_ID_INFO  69.yyy.yyy.yyy 24.xxx.xxx.xxx
 12 04/07/2011 13:31:34.208 IKE Initiator: Start Quick Mode (Phase 2).  24.xxx.xxx.xxx, 500 69.yyy.yyy.yyy, 500
 13 04/07/2011 13:31:32.672 IKE Initiator: Aggressive Mode complete  (Phase 1). 24.xxx.xxx.xxx, 500 69.yyy.yyy.yyy, 500 AES-128 SHA1 Group 5 lifeSeconds=28800
 14 04/07/2011 13:31:31.800 IKE Initiator: Start Aggressive Mode  negotiation (Phase 1) 24.xxx.xxx.xxx, 500 69.yyy.yyy.yyy, 500
 15 04/07/2011 13:31:28.528 Received notify: INVALID_ID_INFO  69.yyy.yyy.yyy 24.xxx.xxx.xxx
Question by:ron2468
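
A small parser for the log format posted in the question, added here as an example (it is not part of the original thread): it orders the entries oldest first, groups them into negotiation attempts and reports which stage was in progress when INVALID_ID_INFO arrived. The function names and stage tags are assumptions of this example; the sample input is copied from the posted log.

```python
import re
from datetime import datetime
# Sample input: entries 2-9 and 15 of the log posted in the question (newest first).
LOG = """\
 2 04/07/2011 13:32:19.208 IKE Initiator: Start Quick Mode (Phase 2).  24.xxx.xxx.xxx, 500 69.yyy.yyy.yyy, 500
 3 04/07/2011 13:32:18.016 IKE Initiator: Aggressive Mode complete  (Phase 1). 24.xxx.xxx.xxx, 500 69.yyy.yyy.yyy, 500 AES-128 SHA1 Group 5 lifeSeconds=28800
 4 04/07/2011 13:32:17.112 IKE Initiator: Start Aggressive Mode  negotiation (Phase 1) 24.xxx.xxx.xxx, 500 69.yyy.yyy.yyy, 500
 5 04/07/2011 13:32:16.512 Received notify: INVALID_ID_INFO  69.yyy.yyy.yyy 24.xxx.xxx.xxx
 6 04/07/2011 13:32:16.208 IKE Initiator: Start Quick Mode (Phase 2).  24.xxx.xxx.xxx, 500 69.yyy.yyy.yyy, 500
 7 04/07/2011 13:32:14.944 IKE Initiator: Aggressive Mode complete  (Phase 1). 24.xxx.xxx.xxx, 500 69.yyy.yyy.yyy, 500 AES-128 SHA1 Group 5 lifeSeconds=28800
 8 04/07/2011 13:32:14.112 IKE Initiator: Start Aggressive Mode  negotiation (Phase 1) 24.xxx.xxx.xxx, 500 69.yyy.yyy.yyy, 500
 9 04/07/2011 13:31:54.624 Administrator login allowed 192.168.7.4, 0,  LAN (admin) 192.168.7.1, 80, LAN admin, TCP Web (HTTP)
 15 04/07/2011 13:31:28.528 Received notify: INVALID_ID_INFO  69.yyy.yyy.yyy 24.xxx.xxx.xxx
"""
ENTRY = re.compile(r"^\s*\d+\s+(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d\.\d{3})\s+(.*)$")
# Stage tags are labels chosen for this example; the keys are the log's own wording.
STAGES = {"Start Aggressive Mode": "P1_START", "Aggressive Mode complete": "P1_DONE",
          "Start Quick Mode": "P2_START", "Received notify: INVALID_ID_INFO": "REJECT"}

def parse(text):
    """Return (timestamp, tag) for the IKE entries, oldest first; skip everything else."""
    events = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        tag = next((t for s, t in STAGES.items() if m and s in m.group(2)), None)
        if tag:
            events.append((datetime.strptime(m.group(1), "%m/%d/%Y %H:%M:%S.%f"), tag))
    return sorted(events)

def attempts(events):
    """Group events into negotiation attempts, each opened by a Phase 1 start."""
    out = []
    for ts, tag in events:
        if tag == "P1_START":
            out.append([(ts, tag)])
        elif out:  # a notify logged before the first captured start has no attempt
            out[-1].append((ts, tag))
    return out

def verdict(attempt):
    """Say which stage was in progress when the peer's notify arrived."""
    tags = [t for _, t in attempt]
    if "REJECT" not in tags:
        return "no notify logged"
    i = tags.index("REJECT")
    ms = round((attempt[i][0] - attempt[i - 1][0]).total_seconds() * 1000)
    return f"rejected {ms} ms after {tags[i - 1]}"
for a in attempts(parse(LOG)):
    print(a[0][0].time(), verdict(a))
```

On these entries the first attempt completes Phase 1 and is rejected 304 ms after Quick Mode starts, so the notify arrives during Phase 2; the second attempt has no notify in the captured lines.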

Expert Comment

by:SIM50
ID: 35461645
Try to change IKE negotiation mode from aggressive to main.
0
 

Author Comment

by:ron2468
ID: 35461777
I'm assuming this change has to take place on the Source PC side of the VPN?
0
 

Expert Comment

by:SIM50
ID: 35461986
Can you check the configuration of the tunnel on both ends?
0

Author Comment

by:ron2468
ID: 35463506
Can you be a bit more specific on how to do that?  
I'm a novice at this.
Thanks.
0
 

Expert Comment

by:SIM50
ID: 35463661
If you use ASDM, go to Configuration and site-to-site VPN. Under connection profiles, you will see all configured tunnels listed. Double click on the one you need, click advanced, crypto map entry. There is an option to change IKE negotiation mode.

If you use the console, you need to find the crypto map for that tunnel and modify the configuration.
Say it is named outside_map 1. The configuration line to remove looks like this:
crypto map outside_map 1 set phase1-mode aggressive group2

The modified crypto map should look like this if you are using AES-SHA. If you use something else, then just replace it with the correct one.

crypto map Outside_map 1 match address Outside_1_cryptomap
crypto map Outside_map 1 set peer <peer IP>
crypto map Outside_map 1 set transform-set ESP-AES-SHA
crypto map Outside_map 1 set security-association lifetime seconds 28800
crypto map Outside_map 1 set security-association lifetime kilobytes 4608000
0
 

Author Comment

by:ron2468
ID: 35485239
Thank you, your instructions were perfect.

Yes, I use ASDM, and found the tunnel of interest.  It appears that IKE Negotiation Mode is already set to 'main'.  

I suspect that it may be set to aggressive on the source end.  I will be able to check the source end today, and will let you know.
0
 

Accepted Solution

by:ron2468
ID: 35495709
The tech on the source side of the VPN was unable to change IKE negotiation - an option for changing was not available for him. Therefore, we changed the VPN tunnel encryption scheme and went with 3DES, which turned out ok. The tunnel is up and running, and although the original question wasn't technically solved, the tunnel is up, which is what ultimately matters, and I will consider this problem solved.

Thank you for your help.
ron
0
 

Author Closing Comment

by:ron2468
ID: 35688017
Different encryption method used, tunnel is now up.
0
