tech2010
asked on
Cisco Router to ASA VPN "received encrypted packet with no matching sa dropping"
I have got cisco 3750 and ASA and getting the "error message received encrypted packet with no matching sa dropping"
After googling i have come across usually you get the error message when there is an ACL mismatch however i am sure ACLs are same please see the config below and advise:
ASA Version 8.0(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 21.21.21.1 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.10.6.200 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/5
shutdown
no nameif
no security-level
no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list new extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list policy-nat extended permit ip 10.10.6.0 255.255.255.0 192.168.3.0 255.255.255.0 log
pager lines 24
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
static (inside,outside) 192.168.2.0 access-list policy-nat
route outside 0.0.0.0 0.0.0.0 21.21.21.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-reco
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set CISCO esp-des esp-md5-hmac
crypto map outside_map 20 match address new
crypto map outside_map 20 set peer 12.12.12.1
crypto map outside_map 20 set transform-set CISCO
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 65535
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
tunnel-group 172.162.1.2 type ipsec-l2l
tunnel-group 12.12.12.1 type ipsec-l2l
tunnel-group 12.12.12.1 ipsec-attributes
pre-shared-key *
prompt hostname context
Cryptochecksum:d41d8cd98f0
: end
========================
Building configuration...
Current configuration : 1387 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$k7RW$jxBDdzyfM9LzSC3Ih5
!
no aaa new-model
memory-size iomem 5
ip cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
archive
log config
hidekeys
!
!
crypto isakmp policy 1
hash md5
authentication pre-share
group 2
crypto isakmp key cisco address 21.21.21.1
!
!
crypto ipsec transform-set CISCO esp-des esp-md5-hmac
!
crypto map outside_map 20 ipsec-isakmp
set peer 21.21.21.1
set transform-set CISCO
set pfs group2
match address 150
!
!
interface Loopback0
ip address 10.10.6.100 255.255.255.0
!
interface FastEthernet0/0
ip address 12.12.12.1 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map outside_map
!
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 12.12.12.2
!
!
ip http server
no ip http secure-server
ip nat inside source static network 10.10.6.0 192.168.3.0 /24 no-alias
!
access-list 150 permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
password cisco
login
!
!
end
=====================
Router Debug
====================
*Mar 1 02:35:21.047: ISAKMP:(0): SA request profile is (NULL)
*Mar 1 02:35:21.051: ISAKMP: Created a peer struct for 21.21.21.1, peer port 500
*Mar 1 02:35:21.051: ISAKMP: New peer created peer = 0x67BDDBA4 peer_handle = 0x8000001B
*Mar 1 02:35:21.055: ISAKMP: Locking peer struct 0x67BDDBA4, refcount 1 for isakmp_initiator
*Mar 1 02:35:21.059: ISAKMP: local port 500, remote port 500
*Mar 1 02:35:21.059: ISAKMP: set new node 0 to QM_IDLE
*Mar 1 02:35:21.063: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 677474E8
*Mar 1 02:35:21.067: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Mar 1 02:35:21.067: ISAKMP:(0):found peer pre-shared key matching 21.21.21.1
*Mar 1 02:35:21.067: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Mar 1 02:35:21.067: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Mar 1 02:35:21.067: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Mar 1 02:35:21.067: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Mar 1 02:35:21.067: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Mar 1 02:35:21.067: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
*Mar 1 02:35:21.067: ISAKMP:(0): beginning Main Mode exchange
*Mar 1 02:35:21.067: ISAKMP:(0): sending packet to 21.21.21.1 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 1 02:35:21.067: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Mar 1 02:35:21.143: ISAKMP (0:0): received packet from 21.21.21.1 dport 500 sport 500 Global (I) MM_NO_STATE
*Mar 1 02:35:21.147: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar 1 02:35:21.151: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2
*Mar 1 02:35:21.155: ISAKMP:(0): processing SA payload. message ID = 0
*Mar 1 02:35:21.155: ISAKMP:(0): processing vendor id payload
*Mar 1 02:35:21.155: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Mar 1 02:35:21.155: ISAKMP:(0): vendor ID is NAT-T v2
*Mar 1 02:35:21.155: ISAKMP:(0): processing vendor id payload
*Mar 1 02:35:21.155: ISAKMP:(0): processing IKE frag vendor id payload
*Mar 1 02:35:21.155: ISAKMP:(0):Support for IKE Fragmentation not enabled
*Mar 1 02:35:21.155: ISAKMP:(0):found peer pre-shared key matching 21.21.21.1
*Mar 1 02:35:21.155: ISAKMP:(0): local preshared key found
*Mar 1 02:35:21.155: ISAKMP : Scanning profiles for xauth ...
*Mar 1 02:35:21.155: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Mar 1 02:35:21.155: ISAKMP: encryption DES-CBC
*Mar 1 02:35:21.155: ISAKMP: hash MD5
*Mar 1 02:35:21.155: ISAKMP: default group 2
*Mar 1 02:35:21.155: ISAKMP: auth pre-share
*Mar 1 02:35:21.155: ISAKMP: life type in seconds
*Mar 1 02:35:21.155: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*Mar 1 02:35:21.155: ISAKMP:(0):atts are acceptable. Next payload is 0
*Mar 1 02:35:21.155: ISAKMP:(0):Acceptable atts:actual life: 0
*Mar 1 02:35:21.155: ISAKMP:(0):Acceptable atts:life: 0
*Mar 1 02:35:21.155: ISAKMP:(0):Fill atts in sa vpi_length:4
*Mar 1 02:35:21.155: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
*Mar 1 02:35:21.155: ISAKMP:(0):Returning Actual lifetime: 86400
*Mar 1 02:35:21.155: ISAKMP:(0)::Started lifetime timer: 86400.
*Mar 1 02:35:21.155: ISAKMP:(0): processing vendor id payload
*Mar 1 02:35:21.155: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Mar 1 02:35:21.155: ISAKMP:(0): vendor ID is NAT-T v2
*Mar 1 02:35:21.155: ISAKMP:(0): processing vendor id payload
*Mar 1 02:35:21.155: ISAKMP:(0): processing IKE frag vendor id payload
*Mar 1 02:35:21.155: ISAKMP:(0):Support for IKE Fragmentation not enabled
*Mar 1 02:35:21.155: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar 1 02:35:21.155: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2
*Mar 1 02:35:21.155: ISAKMP:(0): sending packet to 21.21.21.1 my_port 500 peer_port 500 (I) MM_SA_SETUP
*Mar 1 02:35:21.155: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Mar 1 02:35:21.155: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar 1 02:35:21.155: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3
*Mar 1 02:35:21.395: ISAKMP (0:0): received packet from 21.21.21.1 dport 500 sport 500 Global (I) MM_SA_SETUP
*Mar 1 02:35:21.395: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar 1 02:35:21.395: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4
*Mar 1 02:35:21.395: ISAKMP:(0): processing KE payload. message ID = 0
*Mar 1 02:35:21.395: ISAKMP:(0): processing NONCE payload. message ID = 0
*Mar 1 02:35:21.395: ISAKMP:(0):found peer pre-shared key matching 21.21.21.1
*Mar 1 02:35:21.395: ISAKMP:(1018): processing vendor id payload
*Mar 1 02:35:21.395: ISAKMP:(1018): vendor ID is Unity
*Mar 1 02:35:21.395: ISAKMP:(1018): processing vendor id payload
*Mar 1 02:35:21.395: ISAKMP:(1018): vendor ID seems Unity/DPD but major 149 mismatch
*Mar 1 02:35:21.395: ISAKMP:(1018): vendor ID is XAUTH
*Mar 1 02:35:21.395: ISAKMP:(1018): processing vendor id payload
*Mar 1 02:35:21.395: ISAKMP:(1018): speaking to another IOS box!
*Mar 1 02:35:21.395: ISAKMP:(1018): processing vendor id payload
*Mar 1 02:35:21.395: ISAKMP:(1018):vendor ID seems Unity/DPD but hash mismatch
*Mar 1 02:35:21.395: ISAKMP:received payload type 20
*Mar 1 02:35:21.395: ISAKMP:received payload type 20
*Mar 1 02:35:21.395: ISAKMP:(1018):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar 1 02:35:21.395: ISAKMP:(1018):Old State = IKE_I_MM4 New State = IKE_I_MM4
*Mar 1 02:35:21.395: ISAKMP:(1018):Send initial contact
*Mar 1 02:35:21.395: ISAKMP:(1018):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Mar 1 02:35:21.395: ISAKMP (0:1018): ID payload
next-payload : 8
type : 1
address : 12.12.12.1
protocol : 17
port : 500
length : 12
*Mar 1 02:35:21.395: ISAKMP:(1018):Total payload length: 12
*Mar 1 02:35:21.395: ISAKMP:(1018): sending packet to 21.21.21.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Mar 1 02:35:21.395: ISAKMP:(1018):Sending an IKE IPv4 Packet.
*Mar 1 02:35:21.395: ISAKMP:(1018):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar 1 02:35:21.395: ISAKMP:(1018):Old State = IKE_I_MM4 New State = IKE_I_MM5
*Mar 1 02:35:21.411: ISAKMP:(1016):purging SA., sa=67746644, delme=67746644
*Mar 1 02:35:21.547: ISAKMP (0:1018): received packet from 21.21.21.1 dport 500 sport 500 Global (I) MM_KEY_EXCH
*Mar 1 02:35:21.551: ISAKMP:(1018): processing ID payload. message ID = 0
*Mar 1 02:35:21.551: ISAKMP (0:1018): ID payload
next-payload : 8
type : 1
address : 21.21.21.1
protocol : 17
port : 0
length : 12
*Mar 1 02:35:21.551: ISAKMP:(0):: peer matches *none* of the profiles
*Mar 1 02:35:21.551: ISAKMP:(1018): processing HASH payload. message ID = 0
*Mar 1 02:35:21.551: ISAKMP:received payload type 17
*Mar 1 02:35:21.551: ISAKMP:(1018): processing vendor id payload
*Mar 1 02:35:21.551: ISAKMP:(1018): vendor ID is DPD
*Mar 1 02:35:21.551: ISAKMP:(1018):SA authentication status:
authenticated
*Mar 1 02:35:21.551: ISAKMP:(1018):SA has been authenticated with 21.21.21.1
*Mar 1 02:35:21.551: ISAKMP: Trying to insert a peer 12.12.12.1/21.21.21.1/500/
*Mar 1 02:35:21.551: ISAKMP:(1018):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar 1 02:35:21.551: ISAKMP:(1018):Old State = IKE_I_MM5 New State = IKE_I_MM6
*Mar 1 02:35:21.551: ISAKMP:(1018):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar 1 02:35:21.551: ISAKMP:(1018):Old State = IKE_I_MM6 New State = IKE_I_MM6
*Mar 1 02:35:21.551: ISAKMP:(1018):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar 1 02:35:21.551: ISAKMP:(1018):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
*Mar 1 02:35:21.551: ISAKMP:(1018):beginning Quick Mode exchange, M-ID of -209682273
*Mar 1 02:35:21.551: ISAKMP:(1018):QM Initiator gets spi
*Mar 1 02:35:21.559: ISAKMP:(1018): sending packet to 21.21.21.1 my_port 500 peer_port 500 (I) QM_IDLE
*Mar 1 02:35:21.559: ISAKMP:(1018):Sending an IKE IPv4 Packet.
*Mar 1 02:35:21.567: ISAKMP:(1018):Node -209682273, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Mar 1 02:35:21.567: ISAKMP:(1018):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
*Mar 1 02:35:21.571: ISAKMP:(1018):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Mar 1 02:35:21.575: ISAKMP:(1018):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Mar 1 02:35:21.703: ISAKMP (0:1018): received packet from 21.21.21.1 dport 500 sport 500 Global (I) QM_IDLE
*Mar 1 02:35:21.707: ISAKMP: set new node -1840271890 to QM_IDLE
*Mar 1 02:35:21.711: ISAKMP:(1018): processing HASH payload. message ID = -1840271890
*Mar 1 02:35:21.715: ISAKMP:(1018): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 0, message ID = -1840271890, sa = 677474E8
*Mar 1 02:35:21.719: ISAKMP:(1018):deleting node -1840271890 error FALSE reason "Informational (in) state 1"
*Mar 1 02:35:21.719: ISAKMP:(1018):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Mar 1 02:35:21.719: ISAKMP:(1018):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Mar 1 02:35:21.775: ISAKMP (0:1018): received packet from 21.21.21.1 dport 500 sport 500 Global (I) QM_IDLE
*Mar 1 02:35:21.779: ISAKMP: set new node -1719484999 to QM_IDLE
*Mar 1 02:35:21.783: ISAKMP:(1018): processing HASH payload. message ID = -1719484999
*Mar 1 02:35:21.783: ISAKMP:(1018): processing DELETE payload. message ID = -1719484999
*Mar 1 02:35:21.783: ISAKMP:(1018):peer does not do paranoid keepalives.
*Mar 1 02:35:21.783: ISAKMP:(1018):deleting SA reason "No reason" state (I) QM_IDLE (peer 21.21.21.1)
*Mar 1 02:35:21.783: ISAKMP:(1018):deleting node -1719484999 error FALSE reason "Informational (in) state 1"
*Mar 1 02:35:21.783: ISAKMP: set new node 343106909 to QM_IDLE
*Mar 1 02:35:21.783: ISAKMP:(1018): sending packet to 21.21.21.1 my_port 500 peer_port 500 (I) QM_IDLE
*Mar 1 02:35:21.783: ISAKMP:(1018):Sending an IKE IPv4 Packet.
*Mar 1 02:35:21.787: ISAKMP:(1018):purging node 343106909
*Mar 1 02:35:21.791: ISAKMP:(1018):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Mar 1 02:35:21.795: ISAKMP:(1018):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA
*Mar 1 02:35:21.803: ISAKMP:(1018):deleting SA reason "No reason" state (I) QM_IDLE (peer 21.21.21.1)
*Mar 1 02:35:21.807: ISAKMP:(0):Can't decrement IKE Call Admission Control stat outgoing_active since it's already 0.
*Mar 1 02:35:21.811: ISAKMP: Unlocking peer struct 0x67BDDBA4 for isadb_mark_sa_deleted(), count 0
*Mar 1 02:35:21.815: ISAKMP: Deleting peer node by peer_reap for 21.21.21.1: 67BDDBA4
*Mar 1 02:35:21.823: ISAKMP:(1018):deleting node -209682273 error FALSE reason "IKE deleted"
*Mar 1 02:35:21.827: ISAKMP:(1018):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar 1 02:35:21.831: ISAKMP:(1018):Old State = IKE_DEST_SA New State = IKE_DEST_SA
*Mar 1 02:35:41.847: ISAKMP:(1017):purging node 1263461345
*Mar 1 02:35:41.915: ISAKMP:(1017):purging node -974081689
*Mar 1 02:35:41.915: ISAKMP:(1017):purging node -248042527
R1#
*Mar 1 02:35:51.915: ISAKMP:(1017):purging SA., sa=67747EE4, delme=67747EE4
==================
ASA Debug
===================
Nov 30 02:36:18 [IKEv1]: Group = 12.12.12.1, IP = 12.12.12.1, QM FSM error (P2 struct &0xd8acd6d8, mess id 0xf1372be1)!
Nov 30 02:36:18 [IKEv1]: Group = 12.12.12.1, IP = 12.12.12.1, Removing peer from correlator table failed, no match!
Nov 30 02:36:48 [IKEv1]: Group = 12.12.12.1, IP = 12.12.12.1, QM FSM error (P2 struct &0xd8acc308, mess id 0xf380809f)!
Nov 30 02:36:48 [IKEv1]: Group = 12.12.12.1, IP = 12.12.12.1, Removing peer from correlator table failed, no match!
After googling i have come across usually you get the error message when there is an ACL mismatch however i am sure ACLs are same please see the config below and advise:
ASA Version 8.0(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 21.21.21.1 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.10.6.200 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/5
shutdown
no nameif
no security-level
no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list new extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list policy-nat extended permit ip 10.10.6.0 255.255.255.0 192.168.3.0 255.255.255.0 log
pager lines 24
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
static (inside,outside) 192.168.2.0 access-list policy-nat
route outside 0.0.0.0 0.0.0.0 21.21.21.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-reco
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set CISCO esp-des esp-md5-hmac
crypto map outside_map 20 match address new
crypto map outside_map 20 set peer 12.12.12.1
crypto map outside_map 20 set transform-set CISCO
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 65535
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
tunnel-group 172.162.1.2 type ipsec-l2l
tunnel-group 12.12.12.1 type ipsec-l2l
tunnel-group 12.12.12.1 ipsec-attributes
pre-shared-key *
prompt hostname context
Cryptochecksum:d41d8cd98f0
: end
========================
Building configuration...
Current configuration : 1387 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$k7RW$jxBDdzyfM9LzSC3Ih5
!
no aaa new-model
memory-size iomem 5
ip cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
archive
log config
hidekeys
!
!
crypto isakmp policy 1
hash md5
authentication pre-share
group 2
crypto isakmp key cisco address 21.21.21.1
!
!
crypto ipsec transform-set CISCO esp-des esp-md5-hmac
!
crypto map outside_map 20 ipsec-isakmp
set peer 21.21.21.1
set transform-set CISCO
set pfs group2
match address 150
!
!
interface Loopback0
ip address 10.10.6.100 255.255.255.0
!
interface FastEthernet0/0
ip address 12.12.12.1 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map outside_map
!
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 12.12.12.2
!
!
ip http server
no ip http secure-server
ip nat inside source static network 10.10.6.0 192.168.3.0 /24 no-alias
!
access-list 150 permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
password cisco
login
!
!
end
=====================
Router Debug
====================
*Mar 1 02:35:21.047: ISAKMP:(0): SA request profile is (NULL)
*Mar 1 02:35:21.051: ISAKMP: Created a peer struct for 21.21.21.1, peer port 500
*Mar 1 02:35:21.051: ISAKMP: New peer created peer = 0x67BDDBA4 peer_handle = 0x8000001B
*Mar 1 02:35:21.055: ISAKMP: Locking peer struct 0x67BDDBA4, refcount 1 for isakmp_initiator
*Mar 1 02:35:21.059: ISAKMP: local port 500, remote port 500
*Mar 1 02:35:21.059: ISAKMP: set new node 0 to QM_IDLE
*Mar 1 02:35:21.063: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 677474E8
*Mar 1 02:35:21.067: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Mar 1 02:35:21.067: ISAKMP:(0):found peer pre-shared key matching 21.21.21.1
*Mar 1 02:35:21.067: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Mar 1 02:35:21.067: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Mar 1 02:35:21.067: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Mar 1 02:35:21.067: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Mar 1 02:35:21.067: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Mar 1 02:35:21.067: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
*Mar 1 02:35:21.067: ISAKMP:(0): beginning Main Mode exchange
*Mar 1 02:35:21.067: ISAKMP:(0): sending packet to 21.21.21.1 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 1 02:35:21.067: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Mar 1 02:35:21.143: ISAKMP (0:0): received packet from 21.21.21.1 dport 500 sport 500 Global (I) MM_NO_STATE
*Mar 1 02:35:21.147: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar 1 02:35:21.151: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2
*Mar 1 02:35:21.155: ISAKMP:(0): processing SA payload. message ID = 0
*Mar 1 02:35:21.155: ISAKMP:(0): processing vendor id payload
*Mar 1 02:35:21.155: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Mar 1 02:35:21.155: ISAKMP:(0): vendor ID is NAT-T v2
*Mar 1 02:35:21.155: ISAKMP:(0): processing vendor id payload
*Mar 1 02:35:21.155: ISAKMP:(0): processing IKE frag vendor id payload
*Mar 1 02:35:21.155: ISAKMP:(0):Support for IKE Fragmentation not enabled
*Mar 1 02:35:21.155: ISAKMP:(0):found peer pre-shared key matching 21.21.21.1
*Mar 1 02:35:21.155: ISAKMP:(0): local preshared key found
*Mar 1 02:35:21.155: ISAKMP : Scanning profiles for xauth ...
*Mar 1 02:35:21.155: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Mar 1 02:35:21.155: ISAKMP: encryption DES-CBC
*Mar 1 02:35:21.155: ISAKMP: hash MD5
*Mar 1 02:35:21.155: ISAKMP: default group 2
*Mar 1 02:35:21.155: ISAKMP: auth pre-share
*Mar 1 02:35:21.155: ISAKMP: life type in seconds
*Mar 1 02:35:21.155: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*Mar 1 02:35:21.155: ISAKMP:(0):atts are acceptable. Next payload is 0
*Mar 1 02:35:21.155: ISAKMP:(0):Acceptable atts:actual life: 0
*Mar 1 02:35:21.155: ISAKMP:(0):Acceptable atts:life: 0
*Mar 1 02:35:21.155: ISAKMP:(0):Fill atts in sa vpi_length:4
*Mar 1 02:35:21.155: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
*Mar 1 02:35:21.155: ISAKMP:(0):Returning Actual lifetime: 86400
*Mar 1 02:35:21.155: ISAKMP:(0)::Started lifetime timer: 86400.
*Mar 1 02:35:21.155: ISAKMP:(0): processing vendor id payload
*Mar 1 02:35:21.155: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Mar 1 02:35:21.155: ISAKMP:(0): vendor ID is NAT-T v2
*Mar 1 02:35:21.155: ISAKMP:(0): processing vendor id payload
*Mar 1 02:35:21.155: ISAKMP:(0): processing IKE frag vendor id payload
*Mar 1 02:35:21.155: ISAKMP:(0):Support for IKE Fragmentation not enabled
*Mar 1 02:35:21.155: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar 1 02:35:21.155: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2
*Mar 1 02:35:21.155: ISAKMP:(0): sending packet to 21.21.21.1 my_port 500 peer_port 500 (I) MM_SA_SETUP
*Mar 1 02:35:21.155: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Mar 1 02:35:21.155: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar 1 02:35:21.155: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3
*Mar 1 02:35:21.395: ISAKMP (0:0): received packet from 21.21.21.1 dport 500 sport 500 Global (I) MM_SA_SETUP
*Mar 1 02:35:21.395: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar 1 02:35:21.395: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4
*Mar 1 02:35:21.395: ISAKMP:(0): processing KE payload. message ID = 0
*Mar 1 02:35:21.395: ISAKMP:(0): processing NONCE payload. message ID = 0
*Mar 1 02:35:21.395: ISAKMP:(0):found peer pre-shared key matching 21.21.21.1
*Mar 1 02:35:21.395: ISAKMP:(1018): processing vendor id payload
*Mar 1 02:35:21.395: ISAKMP:(1018): vendor ID is Unity
*Mar 1 02:35:21.395: ISAKMP:(1018): processing vendor id payload
*Mar 1 02:35:21.395: ISAKMP:(1018): vendor ID seems Unity/DPD but major 149 mismatch
*Mar 1 02:35:21.395: ISAKMP:(1018): vendor ID is XAUTH
*Mar 1 02:35:21.395: ISAKMP:(1018): processing vendor id payload
*Mar 1 02:35:21.395: ISAKMP:(1018): speaking to another IOS box!
*Mar 1 02:35:21.395: ISAKMP:(1018): processing vendor id payload
*Mar 1 02:35:21.395: ISAKMP:(1018):vendor ID seems Unity/DPD but hash mismatch
*Mar 1 02:35:21.395: ISAKMP:received payload type 20
*Mar 1 02:35:21.395: ISAKMP:received payload type 20
*Mar 1 02:35:21.395: ISAKMP:(1018):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar 1 02:35:21.395: ISAKMP:(1018):Old State = IKE_I_MM4 New State = IKE_I_MM4
*Mar 1 02:35:21.395: ISAKMP:(1018):Send initial contact
*Mar 1 02:35:21.395: ISAKMP:(1018):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Mar 1 02:35:21.395: ISAKMP (0:1018): ID payload
next-payload : 8
type : 1
address : 12.12.12.1
protocol : 17
port : 500
length : 12
*Mar 1 02:35:21.395: ISAKMP:(1018):Total payload length: 12
*Mar 1 02:35:21.395: ISAKMP:(1018): sending packet to 21.21.21.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Mar 1 02:35:21.395: ISAKMP:(1018):Sending an IKE IPv4 Packet.
*Mar 1 02:35:21.395: ISAKMP:(1018):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar 1 02:35:21.395: ISAKMP:(1018):Old State = IKE_I_MM4 New State = IKE_I_MM5
*Mar 1 02:35:21.411: ISAKMP:(1016):purging SA., sa=67746644, delme=67746644
*Mar 1 02:35:21.547: ISAKMP (0:1018): received packet from 21.21.21.1 dport 500 sport 500 Global (I) MM_KEY_EXCH
*Mar 1 02:35:21.551: ISAKMP:(1018): processing ID payload. message ID = 0
*Mar 1 02:35:21.551: ISAKMP (0:1018): ID payload
next-payload : 8
type : 1
address : 21.21.21.1
protocol : 17
port : 0
length : 12
*Mar 1 02:35:21.551: ISAKMP:(0):: peer matches *none* of the profiles
*Mar 1 02:35:21.551: ISAKMP:(1018): processing HASH payload. message ID = 0
*Mar 1 02:35:21.551: ISAKMP:received payload type 17
*Mar 1 02:35:21.551: ISAKMP:(1018): processing vendor id payload
*Mar 1 02:35:21.551: ISAKMP:(1018): vendor ID is DPD
*Mar 1 02:35:21.551: ISAKMP:(1018):SA authentication status:
authenticated
*Mar 1 02:35:21.551: ISAKMP:(1018):SA has been authenticated with 21.21.21.1
*Mar 1 02:35:21.551: ISAKMP: Trying to insert a peer 12.12.12.1/21.21.21.1/500/
*Mar 1 02:35:21.551: ISAKMP:(1018):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar 1 02:35:21.551: ISAKMP:(1018):Old State = IKE_I_MM5 New State = IKE_I_MM6
*Mar 1 02:35:21.551: ISAKMP:(1018):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar 1 02:35:21.551: ISAKMP:(1018):Old State = IKE_I_MM6 New State = IKE_I_MM6
*Mar 1 02:35:21.551: ISAKMP:(1018):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar 1 02:35:21.551: ISAKMP:(1018):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
*Mar 1 02:35:21.551: ISAKMP:(1018):beginning Quick Mode exchange, M-ID of -209682273
*Mar 1 02:35:21.551: ISAKMP:(1018):QM Initiator gets spi
*Mar 1 02:35:21.559: ISAKMP:(1018): sending packet to 21.21.21.1 my_port 500 peer_port 500 (I) QM_IDLE
*Mar 1 02:35:21.559: ISAKMP:(1018):Sending an IKE IPv4 Packet.
*Mar 1 02:35:21.567: ISAKMP:(1018):Node -209682273, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Mar 1 02:35:21.567: ISAKMP:(1018):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
*Mar 1 02:35:21.571: ISAKMP:(1018):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Mar 1 02:35:21.575: ISAKMP:(1018):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Mar 1 02:35:21.703: ISAKMP (0:1018): received packet from 21.21.21.1 dport 500 sport 500 Global (I) QM_IDLE
*Mar 1 02:35:21.707: ISAKMP: set new node -1840271890 to QM_IDLE
*Mar 1 02:35:21.711: ISAKMP:(1018): processing HASH payload. message ID = -1840271890
*Mar 1 02:35:21.715: ISAKMP:(1018): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 0, message ID = -1840271890, sa = 677474E8
*Mar 1 02:35:21.719: ISAKMP:(1018):deleting node -1840271890 error FALSE reason "Informational (in) state 1"
*Mar 1 02:35:21.719: ISAKMP:(1018):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Mar 1 02:35:21.719: ISAKMP:(1018):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Mar 1 02:35:21.775: ISAKMP (0:1018): received packet from 21.21.21.1 dport 500 sport 500 Global (I) QM_IDLE
*Mar 1 02:35:21.779: ISAKMP: set new node -1719484999 to QM_IDLE
*Mar 1 02:35:21.783: ISAKMP:(1018): processing HASH payload. message ID = -1719484999
*Mar 1 02:35:21.783: ISAKMP:(1018): processing DELETE payload. message ID = -1719484999
*Mar 1 02:35:21.783: ISAKMP:(1018):peer does not do paranoid keepalives.
*Mar 1 02:35:21.783: ISAKMP:(1018):deleting SA reason "No reason" state (I) QM_IDLE (peer 21.21.21.1)
*Mar 1 02:35:21.783: ISAKMP:(1018):deleting node -1719484999 error FALSE reason "Informational (in) state 1"
*Mar 1 02:35:21.783: ISAKMP: set new node 343106909 to QM_IDLE
*Mar 1 02:35:21.783: ISAKMP:(1018): sending packet to 21.21.21.1 my_port 500 peer_port 500 (I) QM_IDLE
*Mar 1 02:35:21.783: ISAKMP:(1018):Sending an IKE IPv4 Packet.
*Mar 1 02:35:21.787: ISAKMP:(1018):purging node 343106909
*Mar 1 02:35:21.791: ISAKMP:(1018):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Mar 1 02:35:21.795: ISAKMP:(1018):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA
*Mar 1 02:35:21.803: ISAKMP:(1018):deleting SA reason "No reason" state (I) QM_IDLE (peer 21.21.21.1)
*Mar 1 02:35:21.807: ISAKMP:(0):Can't decrement IKE Call Admission Control stat outgoing_active since it's already 0.
*Mar 1 02:35:21.811: ISAKMP: Unlocking peer struct 0x67BDDBA4 for isadb_mark_sa_deleted(), count 0
*Mar 1 02:35:21.815: ISAKMP: Deleting peer node by peer_reap for 21.21.21.1: 67BDDBA4
*Mar 1 02:35:21.823: ISAKMP:(1018):deleting node -209682273 error FALSE reason "IKE deleted"
*Mar 1 02:35:21.827: ISAKMP:(1018):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar 1 02:35:21.831: ISAKMP:(1018):Old State = IKE_DEST_SA New State = IKE_DEST_SA
*Mar 1 02:35:41.847: ISAKMP:(1017):purging node 1263461345
*Mar 1 02:35:41.915: ISAKMP:(1017):purging node -974081689
*Mar 1 02:35:41.915: ISAKMP:(1017):purging node -248042527
R1#
*Mar 1 02:35:51.915: ISAKMP:(1017):purging SA., sa=67747EE4, delme=67747EE4
==================
ASA Debug
===================
Nov 30 02:36:18 [IKEv1]: Group = 12.12.12.1, IP = 12.12.12.1, QM FSM error (P2 struct &0xd8acd6d8, mess id 0xf1372be1)!
Nov 30 02:36:18 [IKEv1]: Group = 12.12.12.1, IP = 12.12.12.1, Removing peer from correlator table failed, no match!
Nov 30 02:36:48 [IKEv1]: Group = 12.12.12.1, IP = 12.12.12.1, QM FSM error (P2 struct &0xd8acc308, mess id 0xf380809f)!
Nov 30 02:36:48 [IKEv1]: Group = 12.12.12.1, IP = 12.12.12.1, Removing peer from correlator table failed, no match!
ASKER
Thanks for your response : do i need no nat when i am using static and actually ip addresses are overlapping.
After adding that command its still not jumping to phase II.
nat (inside) 0 access-list new
static (inside,outside) 192.168.2.0 access-list policy-nat
ciscoasa# shNov 30 22:22:54 [IKEv1]: Group = 12.12.12.1, IP = 12.12.12.1, QM FSM error (P2 struct &0xd8acd328, mess id 0xbc808a64)!
Nov 30 22:22:54 [IKEv1]: Group = 12.12.12.1, IP = 12.12.12.1, Removing peer from correlator table failed, no match!
Nov 30 22:23:19 [IKEv1]: Group = 12.12.12.1, IP = 12.12.12.1, QM FSM error (P2 struct &0xd88ef720, mess id 0xa88819d3)!
Nov 30 22:23:19 [IKEv1]: Group = 12.12.12.1, IP = 12.12.12.1, Removing peer from correlator table failed, no match!
*Mar 1 22:22:16.082: ISAKMP: Locking peer struct 0x67BDE634, refcount 1 for isakmp_initiator
*Mar 1 22:22:16.086: ISAKMP: local port 500, remote port 500
*Mar 1 22:22:16.086: ISAKMP: set new node 0 to QM_IDLE
*Mar 1 22:22:16.090: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 67707D24
*Mar 1 22:22:16.094: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Mar 1 22:22:16.094: ISAKMP:(0):found peer pre-shared key matching 21.21.21.1
*Mar 1 22:22:16.094: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Mar 1 22:22:16.094: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Mar 1 22:22:16.094: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Mar 1 22:22:16.094: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Ma
R1#
R1#
R1#
R1#r 1 22:22:16.094: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Mar 1 22:22:16.094: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
*Mar 1 22:22:16.094: ISAKMP:(0): beginning Main Mode exchange
*Mar 1 22:22:16.094: ISAKMP:(0): sending packet to 21.21.21.1 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 1 22:22:16.094: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Mar 1 22:22:16.158: ISAKMP (0:0): received packet from 21.21.21.1 dport 500 sport 500 Global (I) MM_NO_STATE
*Mar 1 22:22:16.166: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar 1 22:22:16.166: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2
*Mar 1 22:22:16.170: ISAKMP:(0): processing SA payload. message ID = 0
*Mar 1 22:22:16.170: ISAKMP:(0): processing vendor id payload
*Mar 1 22:22:16.170: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Mar 1 22:22:16.170: ISAKMP:(0): vendor ID is NAT-T v2
*Mar 1 22:22:16.170: ISAKMP:(0): processing vendor id payload
*Mar 1 22:22:16.170: ISAKMP:(0): processing IKE frag vendor id payload
*Mar 1 22:22:16.170: ISAKMP:(0):Support for IKE Fragmentation not enabled
*Mar 1 22:22:16.170: ISAKMP:(0):found peer pre-shared key matching 21.21.21.1
*Mar 1 22:22:16.170: ISAKMP:(0): local preshared key found
*Mar 1 22:22:16.170: ISAKMP : Scanning profiles for xauth ...
*Mar 1 22:22:16.170: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Mar 1 22:22:16.170: ISAKMP: encryption DES-CBC
*Mar 1 22:22:16.170: ISAKMP: hash MD5
*Mar 1 22:22:16.170: ISAKMP: default group 2
*Mar 1 22:22:16.170: ISAKMP: auth pre-share
*Mar 1 22:22:16.170: ISAKMP: life type in seconds
*Mar 1 22:22:16.170: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*Mar 1 22:22:16.170: ISAKMP:(0):atts are acceptable. Next payload is 0
*Mar 1 22:22:16.170: ISAKMP:(0):Acceptable atts:actual life: 0
*Mar 1 22:22:16.170: ISAKMP:(0):Acceptable atts:life: 0
*Mar 1 22:22:16.170: ISAKMP:(0):Fill atts in sa vpi_length:4
*Mar 1 22:22:16.170: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
*Mar 1 22:22:16.170: ISAKMP:(0):Returning Actual lifetime: 86400
*Mar 1 22:22:16.170: ISAKMP:(0)::Started lifetime timer: 86400.
*Mar 1 22:22:16.170: ISAKMP:(0): processing vendor id payload
*Mar 1 22:22:16.170: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Mar 1 22:22:16.170: ISAKMP:(0): vendor ID is NAT-T v2
*Mar 1 22:22:16.170: ISAKMP:(0): processing vendor id payload
*Mar 1 22:22:16.170: ISAKMP:(0): processing IKE frag vendor id payload
*Mar 1 22:22:16.170: ISAKMP:(0):Support for IKE Fragmentation not enabled
*Mar 1 22:22:16.170: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar 1 22:22:16.170: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2
*Mar 1 22:22:16.170: ISAKMP:(0): sending packet to 21.21.21.1 my_port 500 peer_port 500 (I) MM_SA_SETUP
*Mar 1 22:22:16.170: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Mar 1 22:22:16.170: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar 1 22:22:16.170: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3
*Mar 1 22:22:16.370: ISAKMP (0:0): received packet from 21.21.21.1 dport 500 sport 500 Global (I) MM_SA_SETUP
*Mar 1 22:22:16.370: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar 1 22:22:16.370: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4
*Mar 1 22:22:16.370: ISAKMP:(0): processing KE payload. message ID = 0
*Mar 1 22:22:16.370: ISAKMP:(0): processing NONCE payload. message ID = 0
*Mar 1 22:22:16.370: ISAKMP:(0):found peer pre-shared key matching 21.21.21.1
*Mar 1 22:22:16.370: ISAKMP:(1024): processing vendor id payload
*Mar 1 22:22:16.370: ISAKMP:(1024): vendor ID is Unity
*Mar 1 22:22:16.370: ISAKMP:(1024): processing vendor id payload
*Mar 1 22:22:16.370: ISAKMP:(1024): vendor ID seems Unity/DPD but major 200 mismatch
*Mar 1 22:22:16.370: ISAKMP:(1024): vendor ID is XAUTH
*Mar 1 22:22:16.370: ISAKMP:(1024): processing vendor id payload
*Mar 1 22:22:16.370: ISAKMP:(1024): speaking to another IOS box!
*Mar 1 22:22:16.370: ISAKMP:(1024): processing vendor id payload
*Mar 1 22:22:16.370: ISAKMP:(1024):vendor ID seems Unity/DPD but hash mismatch
*Mar 1 22:22:16.370: ISAKMP:received payload type 20
*Mar 1 22:22:16.370: ISAKMP:received payload type 20
*Mar 1 22:22:16.370: ISAKMP:(1024):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar 1 22:22:16.370: ISAKMP:(1024):Old State = IKE_I_MM4 New State = IKE_I_MM4
*Mar 1 22:22:16.370: ISAKMP:(1024):Send initial contact
*Mar 1 22:22:16.370: ISAKMP:(1024):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Mar 1 22:22:16.370: ISAKMP (0:1024): ID payload
next-payload : 8
type : 1
address : 12.12.12.1
protocol : 17
port : 500
length : 12
*Mar 1 22:22:16.370: ISAKMP:(1024):Total payload length: 12
*Mar 1 22:22:16.370: ISAKMP:(1024): sending packet to 21.21.21.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Mar 1 22:22:16.370: ISAKMP:(1024):Sending an IKE IPv4 Packet.
*Mar 1 22:22:16.370: ISAKMP:(1024):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar 1 22:22:16.370: ISAKMP:(1024):Old State = IKE_I_MM4 New State = IKE_I_MM5
*Mar 1 22:22:16.514: ISAKMP (0:1024): received packet from 21.21.21.1 dport 500 sport 500 Global (I) MM_KEY_EXCH
*Mar 1 22:22:16.514: ISAKMP:(1024): processing ID payload. message ID = 0
*Mar 1 22:22:16.514: ISAKMP (0:1024): ID payload
next-payload : 8
type : 1
address : 21.21.21.1
protocol : 17
port : 0
length : 12
*Mar 1 22:22:16.514: ISAKMP:(0):: peer matches *none* of the profiles
*Mar 1 22:22:16.514: ISAKMP:(1024): processing HASH payload. message ID = 0
*Mar 1 22:22:16.514: ISAKMP:received payload type 17
*Mar 1 22:22:16.514: ISAKMP:(1024): processing vendor id payload
*Mar 1 22:22:16.514: ISAKMP:(1024): vendor ID is DPD
*Mar 1 22:22:16.514: ISAKMP:(1024):SA authentication status:
authenticated
*Mar 1 22:22:16.514: ISAKMP:(1024):SA has been authenticated with 21.21.21.1
*Mar 1 22:22:16.514: ISAKMP: Trying to insert a peer 12.12.12.1/21.21.21.1/500/
*Mar 1 22:22:16.514: ISAKMP:(1024):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar 1 22:22:16.514: ISAKMP:(1024):Old State = IKE_I_MM5 New State = IKE_I_MM6
*Mar 1 22:22:16.514: ISAKMP:(1024):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar 1 22:22:16.514: ISAKMP:(1024):Old State = IKE_I_MM6 New State = IKE_I_MM6
*Mar 1 22:22:16.514: ISAKMP:(1024):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar 1 22:22:16.514: ISAKMP:(1024):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
*Mar 1 22:22:16.514: ISAKMP:(1024):beginning Quick Mode exchange, M-ID of -1467475501
*Mar 1 22:22:16.514: ISAKMP:(1024):QM Initiator gets spi
*Mar 1 22:22:16.514: ISAKMP:(1024): sending packet to 21.21.21.1 my_port 500 peer_port 500 (I) QM_IDLE
*Mar 1 22:22:16.514: ISAKMP:(1024):Sending an IKE IPv4 Packet.
*Mar 1 22:22:16.514: ISAKMP:(1024):Node -1467475501, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Mar 1 22:22:16.514: ISAKMP:(1024):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
*Mar 1 22:22:16.514: ISAKMP:(1024):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Mar 1 22:22:16.514: ISAKMP:(1024):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Mar 1 22:22:16.674: ISAKMP (0:1024): received packet from 21.21.21.1 dport 500 sport 500 Global (I) QM_IDLE
*Mar 1 22:22:16.674: ISAKMP: set new node 4648004 to QM_IDLE
*Mar 1 22:22:16.674: ISAKMP:(1024): processing HASH payload. message ID = 4648004
*Mar 1 22:22:16.674: ISAKMP:(1024): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 0, message ID = 4648004, sa = 67707D24
*Mar 1 22:22:16.674: ISAKMP:(1024):deleting node 4648004 error FALSE reason "Informational (in) state 1"
*Mar 1 22:22:16.674: ISAKMP:(1024):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Mar 1 22:22:16.674: ISAKMP:(1024):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Mar 1 22:22:16.762: ISAKMP (0:1024): received packet from 21.21.21.1 dport 500 sport 500 Global (I) QM_IDLE
*Mar 1 22:22:16.766: ISAKMP: set new node -1262945668 to QM_IDLE
*Mar 1 22:22:16.766: ISAKMP:(1024): processing HASH payload. message ID = -1262945668
*Mar 1 22:22:16.766: ISAKMP:(1024): processing DELETE payload. message ID = -1262945668
*Mar 1 22:22:16.766: ISAKMP:(1024):peer does not do paranoid keepalives.
*Mar 1 22:22:16.766: ISAKMP:(1024):deleting SA reason "No reason" state (I) QM_IDLE (peer 21.21.21.1)
*Mar 1 22:22:16.766: ISAKMP:(1024):deleting node -1262945668 error FALSE reason "Informational (in) state 1"
*Mar 1 22:22:16.766: ISAKMP: set new node -1995485776 to QM_IDLE
*Mar 1 22:22:16.766: ISAKMP:(1024): sending packet to 21.21.21.1 my_port 500 peer_port 500 (I) QM_IDLE
*Mar 1 22:22:16.766: ISAKMP:(1024):Sending an IKE IPv4 Packet.
*Mar 1 22:22:16.766: ISAKMP:(1024):purging node -1995485776
*Mar 1 22:22:16.766: ISAKMP:(1024):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Mar 1 22:22:16.766: ISAKMP:(1024):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA
*Mar 1 22:22:16.766: ISAKMP:(1024):deleting SA reason "No reason" state (I) QM_IDLE (peer 21.21.21.1)
*Mar 1 22:22:16.766: ISAKMP:(0):Can't decrement IKE Call Admission Control stat outgoing_active since it's already 0.
*Mar 1 22:22:16.766: ISAKMP: Unlocking peer struct 0x67BDE634 for isadb_mark_sa_deleted(), count 0
*Mar 1 22:22:16.766: ISAKMP: Deleting peer node by peer_reap for 21.21.21.1: 67BDE634
*Mar 1 22:22:16.766: ISAKMP:(1024):deleting node -1467475501 error FALSE reason "IKE deleted"
*Mar 1 22:22:16.766: ISAKMP:(1024):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar 1 22:22:16.766: ISAKMP:(1024):Old State = IKE_DEST_SA New State = IKE_DEST_SA
*Mar 1 22:22:36.690: ISAKMP:(1023):purging node 2024059111
*Mar 1 22:22:36.770: ISAKMP:(1023):purging node 810283079
*Mar 1 22:22:36.774: ISAKMP:(1023):purging node -1132426652
*Mar 1 22:22:46.770: ISAKMP:(1023):purging SA., sa=67708AA8, delme=67708AA8
*Mar 1 22:23:06.674: ISAKMP:(1024):purging node 4648004
*Mar 1 22:23:06.766: ISAKMP:(1024):purging node -1262945668
*Mar 1 22:23:06.770: ISAKMP:(1024):purging node -1467475501
*Mar 1 22:23:16.766: ISAKMP:(1024):purging SA., sa=67707D24, delme=67707D24
After adding that command its still not jumping to phase II.
nat (inside) 0 access-list new
static (inside,outside) 192.168.2.0 access-list policy-nat
ciscoasa# shNov 30 22:22:54 [IKEv1]: Group = 12.12.12.1, IP = 12.12.12.1, QM FSM error (P2 struct &0xd8acd328, mess id 0xbc808a64)!
Nov 30 22:22:54 [IKEv1]: Group = 12.12.12.1, IP = 12.12.12.1, Removing peer from correlator table failed, no match!
Nov 30 22:23:19 [IKEv1]: Group = 12.12.12.1, IP = 12.12.12.1, QM FSM error (P2 struct &0xd88ef720, mess id 0xa88819d3)!
Nov 30 22:23:19 [IKEv1]: Group = 12.12.12.1, IP = 12.12.12.1, Removing peer from correlator table failed, no match!
*Mar 1 22:22:16.082: ISAKMP: Locking peer struct 0x67BDE634, refcount 1 for isakmp_initiator
*Mar 1 22:22:16.086: ISAKMP: local port 500, remote port 500
*Mar 1 22:22:16.086: ISAKMP: set new node 0 to QM_IDLE
*Mar 1 22:22:16.090: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 67707D24
*Mar 1 22:22:16.094: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Mar 1 22:22:16.094: ISAKMP:(0):found peer pre-shared key matching 21.21.21.1
*Mar 1 22:22:16.094: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Mar 1 22:22:16.094: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Mar 1 22:22:16.094: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Mar 1 22:22:16.094: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Ma
R1#
R1#
R1#
R1#r 1 22:22:16.094: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Mar 1 22:22:16.094: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
*Mar 1 22:22:16.094: ISAKMP:(0): beginning Main Mode exchange
*Mar 1 22:22:16.094: ISAKMP:(0): sending packet to 21.21.21.1 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 1 22:22:16.094: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Mar 1 22:22:16.158: ISAKMP (0:0): received packet from 21.21.21.1 dport 500 sport 500 Global (I) MM_NO_STATE
*Mar 1 22:22:16.166: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar 1 22:22:16.166: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2
*Mar 1 22:22:16.170: ISAKMP:(0): processing SA payload. message ID = 0
*Mar 1 22:22:16.170: ISAKMP:(0): processing vendor id payload
*Mar 1 22:22:16.170: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Mar 1 22:22:16.170: ISAKMP:(0): vendor ID is NAT-T v2
*Mar 1 22:22:16.170: ISAKMP:(0): processing vendor id payload
*Mar 1 22:22:16.170: ISAKMP:(0): processing IKE frag vendor id payload
*Mar 1 22:22:16.170: ISAKMP:(0):Support for IKE Fragmentation not enabled
*Mar 1 22:22:16.170: ISAKMP:(0):found peer pre-shared key matching 21.21.21.1
*Mar 1 22:22:16.170: ISAKMP:(0): local preshared key found
*Mar 1 22:22:16.170: ISAKMP : Scanning profiles for xauth ...
*Mar 1 22:22:16.170: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Mar 1 22:22:16.170: ISAKMP: encryption DES-CBC
*Mar 1 22:22:16.170: ISAKMP: hash MD5
*Mar 1 22:22:16.170: ISAKMP: default group 2
*Mar 1 22:22:16.170: ISAKMP: auth pre-share
*Mar 1 22:22:16.170: ISAKMP: life type in seconds
*Mar 1 22:22:16.170: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*Mar 1 22:22:16.170: ISAKMP:(0):atts are acceptable. Next payload is 0
*Mar 1 22:22:16.170: ISAKMP:(0):Acceptable atts:actual life: 0
*Mar 1 22:22:16.170: ISAKMP:(0):Acceptable atts:life: 0
*Mar 1 22:22:16.170: ISAKMP:(0):Fill atts in sa vpi_length:4
*Mar 1 22:22:16.170: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
*Mar 1 22:22:16.170: ISAKMP:(0):Returning Actual lifetime: 86400
*Mar 1 22:22:16.170: ISAKMP:(0)::Started lifetime timer: 86400.
*Mar 1 22:22:16.170: ISAKMP:(0): processing vendor id payload
*Mar 1 22:22:16.170: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Mar 1 22:22:16.170: ISAKMP:(0): vendor ID is NAT-T v2
*Mar 1 22:22:16.170: ISAKMP:(0): processing vendor id payload
*Mar 1 22:22:16.170: ISAKMP:(0): processing IKE frag vendor id payload
*Mar 1 22:22:16.170: ISAKMP:(0):Support for IKE Fragmentation not enabled
*Mar 1 22:22:16.170: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar 1 22:22:16.170: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2
*Mar 1 22:22:16.170: ISAKMP:(0): sending packet to 21.21.21.1 my_port 500 peer_port 500 (I) MM_SA_SETUP
*Mar 1 22:22:16.170: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Mar 1 22:22:16.170: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar 1 22:22:16.170: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3
*Mar 1 22:22:16.370: ISAKMP (0:0): received packet from 21.21.21.1 dport 500 sport 500 Global (I) MM_SA_SETUP
*Mar 1 22:22:16.370: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar 1 22:22:16.370: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4
*Mar 1 22:22:16.370: ISAKMP:(0): processing KE payload. message ID = 0
*Mar 1 22:22:16.370: ISAKMP:(0): processing NONCE payload. message ID = 0
*Mar 1 22:22:16.370: ISAKMP:(0):found peer pre-shared key matching 21.21.21.1
*Mar 1 22:22:16.370: ISAKMP:(1024): processing vendor id payload
*Mar 1 22:22:16.370: ISAKMP:(1024): vendor ID is Unity
*Mar 1 22:22:16.370: ISAKMP:(1024): processing vendor id payload
*Mar 1 22:22:16.370: ISAKMP:(1024): vendor ID seems Unity/DPD but major 200 mismatch
*Mar 1 22:22:16.370: ISAKMP:(1024): vendor ID is XAUTH
*Mar 1 22:22:16.370: ISAKMP:(1024): processing vendor id payload
*Mar 1 22:22:16.370: ISAKMP:(1024): speaking to another IOS box!
*Mar 1 22:22:16.370: ISAKMP:(1024): processing vendor id payload
*Mar 1 22:22:16.370: ISAKMP:(1024):vendor ID seems Unity/DPD but hash mismatch
*Mar 1 22:22:16.370: ISAKMP:received payload type 20
*Mar 1 22:22:16.370: ISAKMP:received payload type 20
*Mar 1 22:22:16.370: ISAKMP:(1024):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar 1 22:22:16.370: ISAKMP:(1024):Old State = IKE_I_MM4 New State = IKE_I_MM4
*Mar 1 22:22:16.370: ISAKMP:(1024):Send initial contact
*Mar 1 22:22:16.370: ISAKMP:(1024):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Mar 1 22:22:16.370: ISAKMP (0:1024): ID payload
next-payload : 8
type : 1
address : 12.12.12.1
protocol : 17
port : 500
length : 12
*Mar 1 22:22:16.370: ISAKMP:(1024):Total payload length: 12
*Mar 1 22:22:16.370: ISAKMP:(1024): sending packet to 21.21.21.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Mar 1 22:22:16.370: ISAKMP:(1024):Sending an IKE IPv4 Packet.
*Mar 1 22:22:16.370: ISAKMP:(1024):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar 1 22:22:16.370: ISAKMP:(1024):Old State = IKE_I_MM4 New State = IKE_I_MM5
*Mar 1 22:22:16.514: ISAKMP (0:1024): received packet from 21.21.21.1 dport 500 sport 500 Global (I) MM_KEY_EXCH
*Mar 1 22:22:16.514: ISAKMP:(1024): processing ID payload. message ID = 0
*Mar 1 22:22:16.514: ISAKMP (0:1024): ID payload
next-payload : 8
type : 1
address : 21.21.21.1
protocol : 17
port : 0
length : 12
*Mar 1 22:22:16.514: ISAKMP:(0):: peer matches *none* of the profiles
*Mar 1 22:22:16.514: ISAKMP:(1024): processing HASH payload. message ID = 0
*Mar 1 22:22:16.514: ISAKMP:received payload type 17
*Mar 1 22:22:16.514: ISAKMP:(1024): processing vendor id payload
*Mar 1 22:22:16.514: ISAKMP:(1024): vendor ID is DPD
*Mar 1 22:22:16.514: ISAKMP:(1024):SA authentication status:
authenticated
*Mar 1 22:22:16.514: ISAKMP:(1024):SA has been authenticated with 21.21.21.1
*Mar 1 22:22:16.514: ISAKMP: Trying to insert a peer 12.12.12.1/21.21.21.1/500/
*Mar 1 22:22:16.514: ISAKMP:(1024):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar 1 22:22:16.514: ISAKMP:(1024):Old State = IKE_I_MM5 New State = IKE_I_MM6
*Mar 1 22:22:16.514: ISAKMP:(1024):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar 1 22:22:16.514: ISAKMP:(1024):Old State = IKE_I_MM6 New State = IKE_I_MM6
*Mar 1 22:22:16.514: ISAKMP:(1024):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar 1 22:22:16.514: ISAKMP:(1024):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
*Mar 1 22:22:16.514: ISAKMP:(1024):beginning Quick Mode exchange, M-ID of -1467475501
*Mar 1 22:22:16.514: ISAKMP:(1024):QM Initiator gets spi
*Mar 1 22:22:16.514: ISAKMP:(1024): sending packet to 21.21.21.1 my_port 500 peer_port 500 (I) QM_IDLE
*Mar 1 22:22:16.514: ISAKMP:(1024):Sending an IKE IPv4 Packet.
*Mar 1 22:22:16.514: ISAKMP:(1024):Node -1467475501, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Mar 1 22:22:16.514: ISAKMP:(1024):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
*Mar 1 22:22:16.514: ISAKMP:(1024):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Mar 1 22:22:16.514: ISAKMP:(1024):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Mar 1 22:22:16.674: ISAKMP (0:1024): received packet from 21.21.21.1 dport 500 sport 500 Global (I) QM_IDLE
*Mar 1 22:22:16.674: ISAKMP: set new node 4648004 to QM_IDLE
*Mar 1 22:22:16.674: ISAKMP:(1024): processing HASH payload. message ID = 4648004
*Mar 1 22:22:16.674: ISAKMP:(1024): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 0, message ID = 4648004, sa = 67707D24
*Mar 1 22:22:16.674: ISAKMP:(1024):deleting node 4648004 error FALSE reason "Informational (in) state 1"
*Mar 1 22:22:16.674: ISAKMP:(1024):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Mar 1 22:22:16.674: ISAKMP:(1024):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Mar 1 22:22:16.762: ISAKMP (0:1024): received packet from 21.21.21.1 dport 500 sport 500 Global (I) QM_IDLE
*Mar 1 22:22:16.766: ISAKMP: set new node -1262945668 to QM_IDLE
*Mar 1 22:22:16.766: ISAKMP:(1024): processing HASH payload. message ID = -1262945668
*Mar 1 22:22:16.766: ISAKMP:(1024): processing DELETE payload. message ID = -1262945668
*Mar 1 22:22:16.766: ISAKMP:(1024):peer does not do paranoid keepalives.
*Mar 1 22:22:16.766: ISAKMP:(1024):deleting SA reason "No reason" state (I) QM_IDLE (peer 21.21.21.1)
*Mar 1 22:22:16.766: ISAKMP:(1024):deleting node -1262945668 error FALSE reason "Informational (in) state 1"
*Mar 1 22:22:16.766: ISAKMP: set new node -1995485776 to QM_IDLE
*Mar 1 22:22:16.766: ISAKMP:(1024): sending packet to 21.21.21.1 my_port 500 peer_port 500 (I) QM_IDLE
*Mar 1 22:22:16.766: ISAKMP:(1024):Sending an IKE IPv4 Packet.
*Mar 1 22:22:16.766: ISAKMP:(1024):purging node -1995485776
*Mar 1 22:22:16.766: ISAKMP:(1024):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Mar 1 22:22:16.766: ISAKMP:(1024):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA
*Mar 1 22:22:16.766: ISAKMP:(1024):deleting SA reason "No reason" state (I) QM_IDLE (peer 21.21.21.1)
*Mar 1 22:22:16.766: ISAKMP:(0):Can't decrement IKE Call Admission Control stat outgoing_active since it's already 0.
*Mar 1 22:22:16.766: ISAKMP: Unlocking peer struct 0x67BDE634 for isadb_mark_sa_deleted(), count 0
*Mar 1 22:22:16.766: ISAKMP: Deleting peer node by peer_reap for 21.21.21.1: 67BDE634
*Mar 1 22:22:16.766: ISAKMP:(1024):deleting node -1467475501 error FALSE reason "IKE deleted"
*Mar 1 22:22:16.766: ISAKMP:(1024):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar 1 22:22:16.766: ISAKMP:(1024):Old State = IKE_DEST_SA New State = IKE_DEST_SA
*Mar 1 22:22:36.690: ISAKMP:(1023):purging node 2024059111
*Mar 1 22:22:36.770: ISAKMP:(1023):purging node 810283079
*Mar 1 22:22:36.774: ISAKMP:(1023):purging node -1132426652
*Mar 1 22:22:46.770: ISAKMP:(1023):purging SA., sa=67708AA8, delme=67708AA8
*Mar 1 22:23:06.674: ISAKMP:(1024):purging node 4648004
*Mar 1 22:23:06.766: ISAKMP:(1024):purging node -1262945668
*Mar 1 22:23:06.770: ISAKMP:(1024):purging node -1467475501
*Mar 1 22:23:16.766: ISAKMP:(1024):purging SA., sa=67707D24, delme=67707D24
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
I am experiencing a similar issue. I'm not that experienced with configuring ASAs. I have worked more with IOS devices. How do I configure this NONAT so I can establish my phase 2?
It also wouldn't hurt to recreate the key at both ends with something simple (letters and numbers to test) to verify that any unusual characters in the key are not causing the problem. It shouldn't be an issue with v8 but I have had that problem with v7.