VPN Error: 'Received notify: INVALID_ID_INFO'

Can anyone help me understand why the error below, ‘Received notify: INVALID_ID_INFO’, is occurring, and how to fix it?

The log below was obtained on the 24.xxx.xxx.xxx side of the VPN.
The source PC on the 24.xxx.xxx.xxx end of the VPN is able to ping the destination PC on the 69.yyy.yyy.yyy end of the VPN, which is where I’m located, but the source PC is unable to send data through the VPN to the destination PC.

However, from my side of the VPN, which is at 69.yyy.yyy.yy, if I ping the source PC (on the 24.xxx.xxx.xxx side of the VPN), the tunnel wakes up and the source PC can send data thru the VPN to my end.

Why can’t the source PC itself ‘wake up’ the VPN connection?
Does the log below explain why?


 2 04/07/2011 13:32:19.208 IKE Initiator: Start Quick Mode (Phase 2).  24.xxx.xxx.xxx, 500 69.yyy.yyy.yyy, 500
 3 04/07/2011 13:32:18.016 IKE Initiator: Aggressive Mode complete  (Phase 1). 24.xxx.xxx.xxx, 500 69.yyy.yyy.yyy, 500 AES-128 SHA1 Group 5 lifeSeconds=28800
 4 04/07/2011 13:32:17.112 IKE Initiator: Start Aggressive Mode  negotiation (Phase 1) 24.xxx.xxx.xxx, 500 69.yyy.yyy.yyy, 500
 5 04/07/2011 13:32:16.512 Received notify: INVALID_ID_INFO  69.yyy.yyy.yyy 24.xxx.xxx.xxx
 6 04/07/2011 13:32:16.208 IKE Initiator: Start Quick Mode (Phase 2).  24.xxx.xxx.xxx, 500 69.yyy.yyy.yyy, 500
 7 04/07/2011 13:32:14.944 IKE Initiator: Aggressive Mode complete  (Phase 1). 24.xxx.xxx.xxx, 500 69.yyy.yyy.yyy, 500 AES-128 SHA1 Group 5 lifeSeconds=28800
 8 04/07/2011 13:32:14.112 IKE Initiator: Start Aggressive Mode  negotiation (Phase 1) 24.xxx.xxx.xxx, 500 69.yyy.yyy.yyy, 500
 9 04/07/2011 13:31:54.624 Administrator login allowed 192.168.7.4, 0,  LAN (admin) 192.168.7.1, 80, LAN admin, TCP Web (HTTP)
 10 04/07/2011 13:31:45.288 Web management request allowed 192.168.7.4,  1048, LAN 192.168.7.1, 80, LAN TCP Web (HTTP)
 11 04/07/2011 13:31:34.528 Received notify: INVALID_ID_INFO  69.yyy.yyy.yyy 24.xxx.xxx.xxx
 12 04/07/2011 13:31:34.208 IKE Initiator: Start Quick Mode (Phase 2).  24.xxx.xxx.xxx, 500 69.yyy.yyy.yyy, 500
 13 04/07/2011 13:31:32.672 IKE Initiator: Aggressive Mode complete  (Phase 1). 24.xxx.xxx.xxx, 500 69.yyy.yyy.yyy, 500 AES-128 SHA1 Group 5 lifeSeconds=28800
 14 04/07/2011 13:31:31.800 IKE Initiator: Start Aggressive Mode  negotiation (Phase 1) 24.xxx.xxx.xxx, 500 69.yyy.yyy.yyy, 500
 15 04/07/2011 13:31:28.528 Received notify: INVALID_ID_INFO  69.yyy.yyy.yyy 24.xxx.xxx.xxx
ron2468 Asked:
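
The log in the question can be read as a series of IKE attempts. As an added example (not part of the original thread), this Python script parses the posted entries, orders them chronologically and records how far each attempt got; `parse` and `ike_attempts` are hypothetical names, and the month-first date order is an assumption.

```python
import re
from datetime import datetime

# Constructed sample: the entries posted in the question (newest first), with entries 10 and 11 fused.
SAMPLE_LOG = """\
 2 04/07/2011 13:32:19.208 IKE Initiator: Start Quick Mode (Phase 2).  24.xxx.xxx.xxx, 500 69.yyy.yyy.yyy, 500
 3 04/07/2011 13:32:18.016 IKE Initiator: Aggressive Mode complete  (Phase 1). 24.xxx.xxx.xxx, 500 69.yyy.yyy.yyy, 500 AES-128 SHA1 Group 5 lifeSeconds=28800
 4 04/07/2011 13:32:17.112 IKE Initiator: Start Aggressive Mode  negotiation (Phase 1) 24.xxx.xxx.xxx, 500 69.yyy.yyy.yyy, 500
 5 04/07/2011 13:32:16.512 Received notify: INVALID_ID_INFO  69.yyy.yyy.yyy 24.xxx.xxx.xxx
 6 04/07/2011 13:32:16.208 IKE Initiator: Start Quick Mode (Phase 2).  24.xxx.xxx.xxx, 500 69.yyy.yyy.yyy, 500
 7 04/07/2011 13:32:14.944 IKE Initiator: Aggressive Mode complete  (Phase 1). 24.xxx.xxx.xxx, 500 69.yyy.yyy.yyy, 500 AES-128 SHA1 Group 5 lifeSeconds=28800
 8 04/07/2011 13:32:14.112 IKE Initiator: Start Aggressive Mode  negotiation (Phase 1) 24.xxx.xxx.xxx, 500 69.yyy.yyy.yyy, 500
 9 04/07/2011 13:31:54.624 Administrator login allowed 192.168.7.4, 0,  LAN (admin) 192.168.7.1, 80, LAN admin, TCP Web (HTTP)
 10 04/07/2011 13:31:45.288 Web management request allowed 192.168.7.4,  1048, LAN 192.168.7.1, 80, LAN TCP Web (HTTP) 11 04/07/2011 13:31:34.528 Received notify: INVALID_ID_INFO  69.yyy.yyy.yyy 24.xxx.xxx.xxx
 12 04/07/2011 13:31:34.208 IKE Initiator: Start Quick Mode (Phase 2).  24.xxx.xxx.xxx, 500 69.yyy.yyy.yyy, 500
 13 04/07/2011 13:31:32.672 IKE Initiator: Aggressive Mode complete  (Phase 1). 24.xxx.xxx.xxx, 500 69.yyy.yyy.yyy, 500 AES-128 SHA1 Group 5 lifeSeconds=28800
 14 04/07/2011 13:31:31.800 IKE Initiator: Start Aggressive Mode  negotiation (Phase 1) 24.xxx.xxx.xxx, 500 69.yyy.yyy.yyy, 500
 15 04/07/2011 13:31:28.528 Received notify: INVALID_ID_INFO  69.yyy.yyy.yyy 24.xxx.xxx.xxx
"""

STAMP = r"\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3}"
# Split on "<seq> <timestamp>" rather than on newlines, so fused entries still parse.
ENTRY = re.compile(rf"(\d+) ({STAMP}) (.*?)(?=\s+\d+ {STAMP} |\s*\Z)", re.S)

def parse(log_text):
    """Return (timestamp, message) pairs in chronological order."""
    rows = [(datetime.strptime(ts, "%m/%d/%Y %H:%M:%S.%f"), msg)  # month-first: assumption
            for _seq, ts, msg in ENTRY.findall(log_text)]
    return sorted(rows)

def ike_attempts(log_text):
    """Group entries into IKE attempts and record how far each one got."""
    attempts, orphans = [], []
    for ts, msg in parse(log_text):
        m = re.match(r"IKE Initiator: Start (\w+) Mode\s+negotiation \(Phase 1\)", msg)
        if m:
            attempts.append({"mode": m.group(1), "p1_done": False, "qm_start": None, "notify": None, "delay_ms": None})
        elif attempts and "complete" in msg and "(Phase 1)" in msg:
            attempts[-1]["p1_done"] = True
        elif attempts and "Start Quick Mode" in msg:
            attempts[-1]["qm_start"] = ts
        elif msg.startswith("Received notify:"):
            name = msg.split(":", 1)[1].split()[0]
            cur = attempts[-1] if attempts else None
            if cur and cur["qm_start"] and cur["notify"] is None:
                cur["notify"], cur["delay_ms"] = name, round((ts - cur["qm_start"]).total_seconds() * 1000)
            else:
                orphans.append(name)  # notify whose negotiation precedes the capture
    return attempts, orphans
```

On the posted entries, both completed attempts finish Phase 1 and receive INVALID_ID_INFO roughly 0.3 seconds after Quick Mode starts; the earliest notify belongs to a negotiation that precedes the capture.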
 
ron2468 (Author) Commented:
The tech on the source side of the VPN was unable to change IKE negotiation - an option for changing was not available for him. Therefore, we changed the VPN tunnel encryption scheme and went with 3DES, which turned out ok. The tunnel is up and running, and although the original question wasn't technically solved, the tunnel is up, which is what ultimately matters, and I will consider this problem solved.

Thank you for your help.
ron
 
SIM50 Commented:
Try to change IKE negotiation mode from aggressive to main.
 
ron2468 (Author) Commented:
I'm assuming this change has to take place on the Source PC side of the VPN?
 
SIM50 Commented:
Can you check the configuration of the tunnel on both ends?
 
ron2468 (Author) Commented:
Can you be a bit more specific on how to do that?  
I'm a novice at this.
Thanks.
 
SIM50 Commented:
If you use ASDM, go to Configuration and site-to-site VPN. Under connection profiles, you will see all configured tunnels listed. Double click on the one you need, click advanced, crypto map entry. There is an option to change IKE negotiation mode.

If you use the console, you need to find the crypto map for that tunnel and modify the configuration.
Say it is named outside_map 1. The configuration line to remove looks like this:
crypto map outside_map 1 set phase1-mode aggressive group2

The modified crypto map should look like this if you are using AES-SHA. If you use something else, then just replace it with the correct one.

crypto map outside_map 1 match address Outside_1_cryptomap
crypto map outside_map 1 set peer <peer IP>
crypto map outside_map 1 set transform-set ESP-AES-SHA
crypto map outside_map 1 set security-association lifetime seconds 28800
crypto map outside_map 1 set security-association lifetime kilobytes 4608000
 
ron2468 (Author) Commented:
Thank you, your instructions were perfect.

Yes, I use ASDM, and found the tunnel of interest.  It appears that IKE Negotiation Mode is already set to 'main'.  

I suspect that it may be set to aggressive on the source end.  I will be able to check the source end today, and will let you know.
 
ron2468 (Author) Commented:
Different encryption method used, tunnel is now up.
Question has a verified solution.