Aggressive Mode IKE
We used to use IPSEC VPN, but now use Anyconnect SSL VPN. We have a third party scan our firewall externally, and they are recommending that we disable Aggressive Mode IKE. Is this only used for IPSec VPN's? Is it safe to remove this from our configuration on our ASA 5505?
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
Thank You.
Hi Bill,
The aggresive mode (3 pkt exchange) is only used for the IPsec remote access. The site to site VPN uses main mode (6 pkt exchange). If you do not have any site to site VPN you can disable these commands however if you do have site to site VPN then removing these will break them.
There is nothing called aggressive mode in Anyconnect. Anyconnect uses a totally different protocol called SSL (TCP/UDP port 443).
Hope this answers your question.
Thanks,
Vishnu Sharma
Similar Messages
-
IKE Aggressive mode vulnerability
Hello All,
I am currently working on a project to remove security vulnerability present in the network due to IKE Aggressive mode. Below is my understanding:
1. In aggressive mode, initiator and responder IDs are sent in clear text, as against main mode and this is the vulnerability we are trying to remove.
2. For Site to Site VPNs we can disable the aggressive mode, but this is not possible to achieve in Client to Site VPNs till we are using PSKs.
I am seeking help on below points based upon my understanding:
1. Validation of my understanding
2. In case we go for certificate based authentication instead of using PSKs, can we disable the aggressive mode and remove the vulnerability. If yes, is it a mandate to have a local CA server installed or can we go for a publicly hosted CA server.
Please advice.Hi Vikas,
Your understanding is correct. More info on this...
http://www.cisco.com/warp/public/707/cisco-sn-20030422-ike.html
If you go with certificate- yes you can mitigate the issue. Some firms go with practice of frequently changing & longer PSK.
Also, if you have second level authentication ex:RSA for successful authentication, this can be acceptable.
You can go with a local MS CA server-
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080930f21.shtml
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008073b12b.shtml
You can as well use a IOS router as CA server.
Hth
MS -
Pre-shared Key Off-line Bruteforcing Using IKE Aggressive Mode
Hi, I have 10 site-to-site VPN's, they consist of Cisco 837's and 877's. I run a security scan (Qualys vulnerability scanning) against the public IP of the routers and half of them come back with the vulnerability below. They are all using the latest IOS and all connect to a Cisco Concentrator.
Here is the vulnerability, that means nothing to me, is it anything to worry about, all pre-shared keys are 8 characters or more and have letters, numbers, and symbols and capital letters:
Pre-shared Key Off-line Bruteforcing Using IKE Aggressive Mode
THREAT:
IKE is used during Phase 1 and Phase 2 of establishing an IPSec connection. Phase 1 is where the two ISAKMP peers establish a secure, authenticated channel with which to communicate. Every participant in IKE must possess a key which may be either pre-shared (PSK) or a public key. There are inherent risks to configurations that use pre-shared keys which are exaggerated when Aggressive Mode is used.
IMPACT:
Using Aggressive Mode with pre-shared keys is the least secure option. In this particular scenario, it is possible for an attacker to gather all necessary information in order to mount an off-line dictionary (brute force) attack on the pre-shared keys. For more information about this type of attack, visit http://www.ima.umn.edu/~pliam/xauth/.
SOLUTION:
IKE Aggressive mode with pre-shared keys should be avoided where possible. Otherwise a strong pre-shared key should be chosen.
Note that this attack method has been known and discussed within the IETF IPSec Working Group. The risk was considered as acceptable. For more information on this, visit http://www.vpnc.org/ietf-ipsec/99.ipsec/thrd2.html#01451.The description of the vulnerability specifies IKE aggressive mode. So my first question would be whether you are using IKE in aggressive mode or in main mode? In my experience most router based site to site VPN use main mode (though aggressive mode is an option) while many Remote Access VPN use aggressive mode. So which mode are you using?
The second part of my response goes back to what I said in my earlier response. What kind of key are you using? How long is it and how strong is it? When you think about it any time we authenticate using shared keys there is some degree of vulnerability to brute force attack. The longer the key and the stronger the key the more you have mitigated the risk.
HTH
Rick -
Hi,
I have VPN 3005 with 4.7.2 OS (latest one to date). I am looking to disable Aggressive Mode processing (stick to Main Mode only) for Remove VPN clients. Please note, Remote VPN clients and NOT LAN-to-LAN connections.
So far I cannot see how this can be done.
TAC engineer is not coming up with good answers as well.
Anyhow has an idea?
Thanks!
DavidI don't think you can make Remote Access VPN on
the Concentrator work with Main mode, unless
you decide to use Certificate instead of
pre-shared key:
"The Cisco VPN client uses aggressive mode if preshared keys are used and uses main mode when public key infrastructure (PKI) is used during Phase 1 of the tunnel negotiations. After bringing up the Internet Security Association and Key Management Protocol Security Association (ISAKMP SA) for secure communication, the Cisco VPN 3000 concentrator prompts the user to specify the user credentials. In this phase, also known as X-Auth or extended authentication, the VPN 3000 concentrator validates the user against the configured authentication database. If the user authentication is successful, the Cisco concentrator sends a successful authentication message back to the client. After X-Auth, the Cisco VPN client requests configuration parameters such as the assigned IP address, the Domain Name System (DNS) server's IP address, and the Windows Internet Naming Service (WINS) server's IP address. During this phase, known as mode-config, the VPN 3000 concentrator sends the configured parameters back to the client. The final step for a successful VPN tunnel is the negotiation of Phase 2 parameters" -
Aggressive Mode and Encryption
Hi Everyone.
I read below
Aggressive mode does not give identity protection of the two IKE peers, unless digital certificates are used. This means VPN peers exchange their identities without encryption (clear text). It is not as secure as main mode.
Currently we have setup RA VPN without digital certs sp does it mean that pre shared keys which are exchanged between client and ASA are
clear text without any encryption.?
Regards
MAheshMahesh,
RFC answers those questions
start with
http://tools.ietf.org/html/rfc2409
Just to make a simple quote (a bit out of context, but here goes)
While the last roundtrip of Main Mode (and optionally the last
message of Aggressive Mode) is encrypted it is not, strictly
speaking, authenticated.
To encrypt you need to agree on a key. have a look at aggresive mode exchange :-)
M. -
Aggressive mode PSK hash attack
Hello All,
I am wondering if Aggressive Mode PSK hash attack can be applied to Main Mode negotiation while using wildacrd crypto IKE like:
crypto isakmp key xxxxx address 0.0.0.0 0.0.0.0?
I know that using ike-scan tool there is a possibility of obtaining hashed PSK from remote peer while using aggressive mode for IKE, so wondering if the same applies for wildcard PSK, but using Main Mode.
Thanks!To exchange Identities (i.e. perform authnetication) you would need to have already SKEYID calculated, which requires PSK, and DH exchange.
Thus you cannot properly protect MM5 or MM6, if you had wrong PSK. Those are the only moments AFAIR where PSK is being used in exchange.
The weakness of using one wildcard PSK is that once it's compromised entire domain is at risk.
I don't see any practical means of getting PSK from MM exchange. -
How to verify ISAKMP Aggressive mode using show command only?
How to verify ISAKMP Aggressive mode using show command only?
Ah OK, my mistake. I was thinking ASA - I believe you are using an IOS-based VPN.
The state after establishment should be "QM Idle" (quick mode) - whether the Phase 1 was MM or AM.
I think you'll only see the AM in the debugs (like you have) or if you watch the output of the "show cry isa sa" command during establishment of the Phase 1 SA. If you're quick, you may see it cycle through as shown in this reference:
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/s1/sec-s1-cr-book/sec-cr-s3.html#wp5743341910 -
Phase I Main Mode Vs. Aggressive Mode
Hi,
I have a quick question; if I have site-to-site VPN and one side is configured for Phase I Main Mode and the other is configured for Aggressive mode, will the VPN work?
Regards,
HaithamHi Haitham
AFAIK no it should not work because aggresive mode uses just 3 packets in the exchange and main mode uses 6 packets so the information contained in the exchanges between the two peers would not match.
HTH
Jon -
We wanted to know if there is a way to disable âAggressive modeâ on the VPN concentrator.
For example, on the ASA, we can do it using the command âisakmp am-disableâ
On a router we can do it using the command âcrypto isakmp aggressive-mode disableâ.
Is there a similar command on the VPN concentrator ?
Your help is appriciated.Fadi,
Are you using Pre-Shared Keys or Certificates for Authentication. Please refer the below link for information on VPN Client AM and MM.
http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_data_sheet090
0aecd801a9de9.html
Aggressive Mode is the default and the only mode available for Pre-shared key and Main Mode is only available for the Cert authentication.
So, it is my understanding that it is not possible for VPN clients to use main mode to authenticate to the VPN3000 with pre-shared keys.
Regards,
Arul
*Pls rate if it helps* -
I have a 5510 ASA with one site to site vpn and about 200 users on vpn client. I was curious if I remove Aggressive Mode or disable it. How will that effect the site to site and vpn clients? Will there be an outage by disabling? To my understanding the only thing i need to do on the firewall is add the crypto isakmp am-disable command. Do I need to reconfigure anything else or just disable aggressive mode? How will the change affect the end-users or network? Do I need to edit the PCF file on the client?
ASA Software
Device Manager Version 6.2(5) Cisco Adaptive Security Appliance Software Version 8.0(5)
VPN Client
5.0.0.7.0290You can disable the Aggressive mode for L2L tunnel however if you disable aggresive mode in Dynamic map as well then all VPN clients will fails since remote user can connect only in Aggressive mode only unless client is using Certificate based authentication. This is as per design.
Hope this helps.
Regards,
Anuj -
Recommendation of UDLD aggressive mode on the Basic VSS.
Hello
I would like to confirm the following informatino below.
http://www.cisco.com/en/US/docs/solutions/Enterprise/Campus/Borderless_Campus_Network_1.0/Borderless_Campus_1.0_Design_Guide.pdf
(omit)
It is recommended to avoid implementing UDLD in aggressive mode as well as fast UDLD on the Cisco
Catalyst switches deployed with redundant supervisor modules.
According to this information, I think the UDLD mode above is not reconmeded the redundant SUP in one chassis.
However how about using Basic-VSS (not Quad-VSS) ? Is it also recomended to avoid UDLD aggressive mode and Fast UDLD?
Best Regards,
Masanobu HiyoshiVPN clients ONLY use aggressive mode. That's
just the way it is. If you want to use Main
Mode in remote access clients, use other
vendors besides Cisco -
Pre shared keys used in IKE Phase 1
Hi Everyone,
Need to confirm if we can use the Pre shared keys in Aggressive mode and also in Main mode during IKE Phase1
Regards
MAheshThe pre-shared key is used in both modes of IKE Phase I. With pre-shared keys, the same pre-shared key is configured on each IPSec peer. IKE peers authenticate each other by computing and sending a keyed hash of data that includes the pre-shared key.
-
881 VPN fails after 24hrs/IKE key lifetime
Hi all,
This is my first post on the support forms and I only just got my CCNA, so please bear with me and don't shoot me if I pose a slightly newbish perspective on things. Thanks in advance.
We've got a central office (actually quite small) where several IPSec connections connect to. Two of these connections are Cisco 881 routers. One of them works fine, the other craps out after 24 hours (coincidentally also the IKE key lifetime). When I mean "craps out", it means the VPN worked fine from the get go, until 24 hours later. Only a reload will bring back the VPN tunnel. I've verified my PFS and DPD configurations are solid, because these kind of symptoms would most likely occur when these configurations aren't in order.
The two 881 configurations are quite similar. The only differences between the two are some details in the PPPoE configurations and (quite obviously) the IP address space for the two sites. Both operate on the premise of a point to point connection (no multipoint stuff going on here).
I have examined all I can. It took me two weeks to make sure I exhausted all my options before I post my issue here.
Here is a brief list of things I've done.
- Checked configuration of central router (which is a Mikrotik RB800 btw)
- Verified that the central router is not the cause of the VPN not coming back. Rebooted it as a last resort; VPN stays down. Rebooted 881, VPN comes back.
- I've downgraded the 881 firmware image from version 152.4.M2 to 151.4.M4 (the succesful 881 was running the 151.4.M4 image, and I found some Ipsec issues in the caveat for version 152.4.M2), but to no avail.
- I've tried to clear several crypto components hoping to restore key exchanging, also to no avail. Only a reload will suffice.
I've included the 881's config:
Building configuration...Current configuration : 7795 bytes
! Last configuration change at 15:37:50 Paris Tue May 28 2013 by admin
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname <<removed>>
boot-start-marker
boot system flash c880data-universalk9-mz.151-4.M4.bin
boot-end-marker
logging buffered 102400
enable secret 4 <<removed>>
no aaa new-model
memory-size iomem 10
clock timezone Paris 1 0
clock summer-time Paris date Mar 30 2003 2:00 Oct 26 2003 3:00
crypto pki token default removal timeout 0
!no ip source-route
ip dhcp excluded-address 192.168.4.1 192.168.4.9
ip dhcp excluded-address 192.168.4.199 192.168.4.254
ip dhcp pool Main
network 192.168.4.0 255.255.255.0
dns-server 192.168.4.250 8.8.4.4
default-router 192.168.4.250
lease infinite
ip cef
ip domain lookup source-interface Dialer1
ip domain name <<removed>>
ip name-server 8.8.4.4
ip name-server 192.168.58.199
no ipv6 cef
password encryption aes!
object-group network SUBNET_DUITSLAND
description Hele subnet IC Duitsland
192.168.4.0 255.255.255.0
object-group network SUBNET_IC_ARNHEM
description Hele subnet IC Arnhem
192.168.58.0 255.255.255.0
object-group network WAN_IC_ARNHEM
description Het WAN IP adres van IC Arnhem
host <<removed>>
vtp mode transparent
username <<removed>> privilege 15 view root secret 4 <<removed>>
class-map type inspect match-all sdm-cls-VPNOutsideToInside-1
match access-group 102
class-map type inspect match-all sdm-cls-VPNOutsideToInside-2
match access-group 105
class-map type inspect match-all ccp-cls--1
match access-group name Outgoing
class-map type inspect match-all ccp-cls--2
match access-group name Incoming
policy-map type inspect ccp-policy-ccp-cls--1
class type inspect ccp-cls--1
pass
class class-default
drop
policy-map type inspect ccp-policy-ccp-cls--2
class type inspect ccp-cls--2
pass
class type inspect sdm-cls-VPNOutsideToInside-1
inspect
class type inspect sdm-cls-VPNOutsideToInside-2
inspect
class class-default
drop
zone security Inside
zone security Outside
zone-pair security sdm-zp-Inside-Outside source Inside destination Outside
service-policy type inspect ccp-policy-ccp-cls--1
zone-pair security sdm-zp-Outside-Inside source Outside destination Inside
service-policy type inspect ccp-policy-ccp-cls--2
crypto logging ezvpn
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 5
crypto isakmp key <<removed>> address <<removed>>
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10 periodic
crypto ipsec security-association lifetime seconds 28800
crypto ipsec transform-set ESP-AES256-SHA esp-aes esp-sha-hmac
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to CO
set peer <<removed>>
set transform-set ESP-AES256-SHA
set pfs group5
match address 104
interface FastEthernet0
no ip address
interface FastEthernet1
no ip address
interface FastEthernet2
no ip address
interface FastEthernet3
no ip address
interface FastEthernet4
description DeutscheTelekom$ETH-WAN$
no ip address
duplex auto
speed auto
pppoe-client dial-pool-number 1
interface Vlan1
description $FW_INSIDE$
ip address 192.168.4.250 255.255.255.0
ip mask-reply
ip nat inside
ip virtual-reassembly in
zone-member security Inside
ip tcp adjust-mss 1412
interface Dialer1
description $FW_OUTSIDE$
mtu 1492
ip address negotiated
ip nat outside
ip virtual-reassembly in
zone-member security Outside
encapsulation ppp
no ip route-cache
dialer pool 1
dialer-group 1
ppp authentication pap callin
ppp chap hostname <<removed>>
ppp chap password 7 <<removed>>
ppp pap sent-username <<removed>> password 7 <<removed>>
ppp ipcp dns request
ppp ipcp address accept
crypto map SDM_CMAP_1
ip forward-protocol nd
no ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip nat inside source route-map SDM_RMAP_1 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1 permanent
ip access-list extended Incoming
remark CCP_ACL Category=128
permit ip any object-group SUBNET_DUITSLAND
ip access-list extended Outgoing
remark CCP_ACL Category=128
permit ip object-group SUBNET_DUITSLAND any
ip access-list extended SDM_HTTPS
remark CCP_ACL Category=1
permit tcp any any eq 443
ip access-list extended SDM_SHELL
remark CCP_ACL Category=1
permit tcp any any eq cmd
ip access-list extended SDM_SSH
remark CCP_ACL Category=1
permit tcp any any eq 22
no logging trap
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.4.0 0.0.0.255
access-list 2 permit <<removed>>
access-list 2 remark Auto generated by SDM Management Access feature
access-list 2 remark CCP_ACL Category=1
access-list 2 permit 192.168.4.0 0.0.0.255
access-list 2 permit 192.168.58.0 0.0.0.255
access-list 101 remark Auto generated by SDM Management Access feature
access-list 101 remark CCP_ACL Category=1
access-list 101 permit ip 192.168.4.0 0.0.0.255 any
access-list 101 permit ip host <<removed>> any
access-list 101 permit ip 192.168.58.0 0.0.0.255 any
access-list 102 remark CCP_ACL Category=0
access-list 102 permit ip 192.168.58.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 103 remark CCP_ACL Category=2
access-list 103 remark IPSec Rule
access-list 103 deny ip 192.168.4.0 0.0.0.255 192.168.58.0 0.0.0.255
access-list 103 permit ip 192.168.4.0 0.0.0.255 any
access-list 104 remark CCP_ACL Category=4
access-list 104 remark IPSec Rule
access-list 104 permit ip 192.168.4.0 0.0.0.255 192.168.58.0 0.0.0.255
access-list 105 remark CCP_ACL Category=0
access-list 105 permit ip 192.168.58.0 0.0.0.255 192.168.4.0 0.0.0.255
dialer-list 1 protocol ip permit
route-map SDM_RMAP_1 permit 1
match ip address 103
line con 0
line aux 0
line vty 0 4
access-class 101 in
privilege level 15
password 7 <<removed>>
login local
transport input ssh
ntp update-calendar
ntp server de.pool.ntp.org prefer
end
Also, I have some ISAKMP debug output (when the VPN fails, I can still reach the router via the internet):
.May 29 08:31:22.848: ISAKMP:(0): ignoring request to send delete notify (sa not authenticated) src <<remote office WAN IP>> dst <<central office WAN IP>>
.May 29 08:31:28.848: ISAKMP:(0): ignoring request to send delete notify (sa not authenticated) src <<remote office WAN IP>> dst <<central office WAN IP>>
.May 29 08:31:30.016: ISAKMP: set new node 0 to QM_IDLE
.May 29 08:31:30.016: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local <<remote office WAN IP>>, remote <<central office WAN IP>>)
.May 29 08:31:30.016: ISAKMP: Error while processing SA request: Failed to initialize SA
.May 29 08:31:30.016: ISAKMP: Error while processing KMI message 0, error 2.
.May 29 08:31:30.016: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
.May 29 08:31:30.016: ISAKMP (0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
.May 29 08:31:30.016: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
.May 29 08:31:30.016: ISAKMP:(0): sending packet to <<central office WAN IP>> my_port 500 peer_port 500 (I) MM_NO_STATE
.May 29 08:31:30.016: ISAKMP:(0):Sending an IKE IPv4 Packet.
.May 29 08:31:34.848: ISAKMP:(0): ignoring request to send delete notify (sa not authenticated) src <<remote office WAN IP>> dst <<central office WAN IP>>
.May 29 08:31:40.016: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
.May 29 08:31:40.016: ISAKMP (0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
.May 29 08:31:40.016: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
.May 29 08:31:40.016: ISAKMP:(0): sending packet to <<central office WAN IP>> my_port 500 peer_port 500 (I) MM_NO_STATE
.May 29 08:31:40.016: ISAKMP:(0):Sending an IKE IPv4 Packet.
.May 29 08:31:40.844: ISAKMP:(0): ignoring request to send delete notify (sa not authenticated) src <<remote office WAN IP>> dst <<central office WAN IP>>
.May 29 08:31:46.380: ISAKMP:(0):purging node 297623767
.May 29 08:31:46.380: ISAKMP:(0):purging node -1266458641
.May 29 08:31:46.452: ISAKMP:(0): ignoring request to send delete notify (sa not authenticated) src <<remote office WAN IP>> dst <<central office WAN IP>>
.May 29 08:31:49.848: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<<remote office WAN IP>>, prot=50, spi=0xCF8BD5F3(3482047987), srcaddr=<<central office WAN IP>>, input interface=Dialer1
.May 29 08:31:50.016: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
.May 29 08:31:50.016: ISAKMP (0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
.May 29 08:31:50.016: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
.May 29 08:31:50.016: ISAKMP:(0): sending packet to <<central office WAN IP>> my_port 500 peer_port 500 (I) MM_NO_STATE
.May 29 08:31:50.016: ISAKMP:(0):Sending an IKE IPv4 Packet.
.May 29 08:31:52.845: ISAKMP:(0): ignoring request to send delete notify (sa not authenticated) src <<remote office WAN IP>> dst <<central office WAN IP>>
.May 29 08:31:56.381: ISAKMP:(0):purging SA., sa=874CF15C, delme=874CF15C
.May 29 08:31:58.849: ISAKMP:(0): ignoring request to send delete notify (sa not authenticated) src <<remote office WAN IP>> dst <<central office WAN IP>>
.May 29 08:32:00.017: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
.May 29 08:32:00.017: ISAKMP:(0):peer does not do paranoid keepalives..May 29 08:32:00.017: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer <<central office WAN IP>>)
.May 29 08:32:00.017: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer <<central office WAN IP>>)
.May 29 08:32:00.017: ISAKMP: Unlocking peer struct 0x874792E0 for isadb_mark_sa_deleted(), count 0
.May 29 08:32:00.017: ISAKMP: Deleting peer node by peer_reap for <<central office WAN IP>>: 874792E0
.May 29 08:32:00.017: ISAKMP:(0):deleting node -118750948 error FALSE reason "IKE deleted"
.May 29 08:32:00.017: ISAKMP:(0):deleting node -1193365643 error FALSE reason "IKE deleted"
.May 29 08:32:00.017: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
.May 29 08:32:00.017: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_DEST_SA.May 29 08:32:02.037: ISAKMP:(0): SA request profile is (NULL)
.May 29 08:32:02.037: ISAKMP: Created a peer struct for <<central office WAN IP>>, peer port 500
.May 29 08:32:02.037: ISAKMP: New peer created peer = 0x875BF6B8 peer_handle = 0x8000000A
.May 29 08:32:02.037: ISAKMP: Locking peer struct 0x875BF6B8, refcount 1 for isakmp_initiator
.May 29 08:32:02.037: ISAKMP: local port 500, remote port 500
.May 29 08:32:02.037: ISAKMP: set new node 0 to QM_IDLE
.May 29 08:32:02.037: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 85C6B420
.May 29 08:32:02.037: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
.May 29 08:32:02.037: ISAKMP:(0):found peer pre-shared key matching <<central office WAN IP>>
.May 29 08:32:02.037: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
.May 29 08:32:02.041: ISAKMP:(0): constructed NAT-T vendor-07 ID
.May 29 08:32:02.041: ISAKMP:(0): constructed NAT-T vendor-03 ID
.May 29 08:32:02.041: ISAKMP:(0): constructed NAT-T vendor-02 ID
.May 29 08:32:02.041: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
.May 29 08:32:02.041: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1.May 29 08:32:02.041: ISAKMP:(0): beginning Main Mode exchange
.May 29 08:32:02.041: ISAKMP:(0): sending packet to <<central office WAN IP>> my_port 500 peer_port 500 (I) MM_NO_STATE
.May 29 08:32:02.041: ISAKMP:(0):Sending an IKE IPv4 Packet.
.May 29 08:32:04.849: ISAKMP:(0): ignoring request to send delete notify (sa not authenticated) src <<remote office WAN IP>> dst <<central office WAN IP>>
.May 29 08:32:10.845: ISAKMP:(0): ignoring request to send delete notify (sa not authenticated) src <<remote office WAN IP>> dst <<central office WAN IP>>
.May 29 08:32:12.041: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
.May 29 08:32:12.041: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
.May 29 08:32:12.041: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
.May 29 08:32:12.041: ISAKMP:(0): sending packet to <<central office WAN IP>> my_port 500 peer_port 500 (I) MM_NO_STATE
.May 29 08:32:12.041: ISAKMP:(0):Sending an IKE IPv4 Packet.
.May 29 08:32:16.845: ISAKMP:(0): ignoring request to send delete notify (sa not authenticated) src <<remote office WAN IP>> dst <<central office WAN IP>>
.May 29 08:32:22.041: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
.May 29 08:32:22.041: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
.May 29 08:32:22.041: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
.May 29 08:32:22.041: ISAKMP:(0): sending packet to <<central office WAN IP>> my_port 500 peer_port 500 (I) MM_NO_STATE
.May 29 08:32:22.041: ISAKMP:(0):Sending an IKE IPv4 Packet.
.May 29 08:32:22.449: ISAKMP:(0): ignoring request to send delete notify (sa not authenticated) src <<remote office WAN IP>> dst <<central office WAN IP>>
.May 29 08:32:28.846: ISAKMP:(0): ignoring request to send delete notify (sa not authenticated) src <<remote office WAN IP>> dst <<central office WAN IP>>
.May 29 08:32:32.038: ISAKMP: set new node 0 to QM_IDLE
.May 29 08:32:32.038: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local <<remote office WAN IP>>, remote <<central office WAN IP>>)
.May 29 08:32:32.038: ISAKMP: Error while processing SA request: Failed to initialize SA
.May 29 08:32:32.038: ISAKMP: Error while processing KMI message 0, error 2.
.May 29 08:32:32.042: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
.May 29 08:32:32.042: ISAKMP (0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
.May 29 08:32:32.042: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
.May 29 08:32:32.042: ISAKMP:(0): sending packet to <<central office WAN IP>> my_port 500 peer_port 500 (I) MM_NO_STATE
.May 29 08:32:32.042: ISAKMP:(0):Sending an IKE IPv4 Packet.
.May 29 08:32:34.846: ISAKMP:(0): ignoring request to send delete notify (sa not authenticated) src <<remote office WAN IP>> dst <<central office WAN IP>>
.May 29 08:32:40.846: ISAKMP:(0): ignoring request to send delete notify (sa not authenticated) src <<remote office WAN IP>> dst <<central office WAN IP>>
.May 29 08:32:42.042: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
.May 29 08:32:42.042: ISAKMP (0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
.May 29 08:32:42.042: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
.May 29 08:32:42.042: ISAKMP:(0): sending packet to <<central office WAN IP>> my_port 500 peer_port 500 (I) MM_NO_STATE
.May 29 08:32:42.042: ISAKMP:(0):Sending an IKE IPv4 Packet.
.May 29 08:32:46.846: ISAKMP:(0): ignoring request to send delete notify (sa not authenticated) src <<remote office WAN IP>> dst <<central office WAN IP>>
.May 29 08:32:50.018: ISAKMP:(0):purging node -118750948
.May 29 08:32:50.018: ISAKMP:(0):purging node -1193365643
.May 29 08:32:51.346: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<<remote office WAN IP>>, prot=50, spi=0xCF8BD5F3(3482047987), srcaddr=<<central office WAN IP>>, input interface=Dialer1
.May 29 08:32:52.042: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
.May 29 08:32:52.042: ISAKMP (0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
.May 29 08:32:52.042: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
.May 29 08:32:52.042: ISAKMP:(0): sending packet to <<central office WAN IP>> my_port 500 peer_port 500 (I) MM_NO_STATE
.May 29 08:32:52.042: ISAKMP:(0):Sending an IKE IPv4 Packet.
.May 29 08:32:52.846: ISAKMP:(0): ignoring request to send delete notify (sa not authenticated) src <<remote office WAN IP>> dst <<central office WAN IP>>
.May 29 08:32:58.847: ISAKMP:(0): ignoring request to send delete notify (sa not authenticated) src <<remote office WAN IP>> dst <<central office WAN IP>>
.May 29 08:33:00.019: ISAKMP:(0):purging SA., sa=875BE8B8, delme=875BE8B8
.May 29 08:33:02.043: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
.May 29 08:33:02.043: ISAKMP:(0):peer does not do paranoid keepalives..May 29 08:33:02.043: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer <<central office WAN IP>>)
.May 29 08:33:02.043: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer <<central office WAN IP>>)
.May 29 08:33:02.043: ISAKMP: Unlocking peer struct 0x875BF6B8 for isadb_mark_sa_deleted(), count 0
.May 29 08:33:02.043: ISAKMP: Deleting peer node by peer_reap for <<central office WAN IP>>: 875BF6B8
.May 29 08:33:02.043: ISAKMP:(0):deleting node 1839947115 error FALSE reason "IKE deleted"
.May 29 08:33:02.043: ISAKMP:(0):deleting node -1221586275 error FALSE reason "IKE deleted"
.May 29 08:33:02.043: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
.May 29 08:33:02.043: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_DEST_SA.May 29 08:33:02.455: ISAKMP:(0): SA request profile is (NULL)
.May 29 08:33:02.455: ISAKMP: Created a peer struct for <<central office WAN IP>>, peer port 500
.May 29 08:33:02.455: ISAKMP: New peer created peer = 0x874792E0 peer_handle = 0x8000000B
.May 29 08:33:02.455: ISAKMP: Locking peer struct 0x874792E0, refcount 1 for isakmp_initiator
.May 29 08:33:02.455: ISAKMP: local port 500, remote port 500
.May 29 08:33:02.455: ISAKMP: set new node 0 to QM_IDLE
.May 29 08:33:02.455: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 87060E68
.May 29 08:33:02.455: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
.May 29 08:33:02.455: ISAKMP:(0):found peer pre-shared key matching <<central office WAN IP>>
.May 29 08:33:02.455: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
.May 29 08:33:02.455: ISAKMP:(0): constructed NAT-T vendor-07 ID
.May 29 08:33:02.455: ISAKMP:(0): constructed NAT-T vendor-03 ID
.May 29 08:33:02.455: ISAKMP:(0): constructed NAT-T vendor-02 ID
.May 29 08:33:02.455: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
.May 29 08:33:02.455: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1.May 29 08:33:02.455: ISAKMP:(0): beginning Main Mode exchange
.May 29 08:33:02.455: ISAKMP:(0): sending packet to <<central office WAN IP>> my_port 500 peer_port 500 (I) MM_NO_STATE
.May 29 08:33:02.455: ISAKMP:(0):Sending an IKE IPv4 Packet.
.May 29 08:33:04.847: ISAKMP:(0): ignoring request to send delete notify (sa not authenticated) src <<remote office WAN IP>> dst <<central office WAN IP>>ndebug crypto isakmp
.May 29 08:33:10.847: ISAKMP:(0): ignoring request to send delete notify (sa not authenticated) src <<remote office WAN IP>> dst <<central office WAN IP>>o debug crypto isakmp
Crypto ISAKMP debugging is off
IC-Deutschland#
.May 29 08:33:12.455: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
.May 29 08:33:12.455: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
.May 29 08:33:12.455: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
.May 29 08:33:12.455: ISAKMP:(0): sending packet to <<central office WAN IP>> my_port 500 peer_port 500 (I) MM_NO_STATE
.May 29 08:33:12.455: ISAKMP:(0):Sending an IKE IPv4 Packet.
Can anyone shed some light as what could be going on?
Much obliged!Unfortunately I do not have a support contract for our hardware. I wouldn't even know how to get one.
However, we do pay top dollar for the equipment and it seems one it's components doesn't work as advertised. So if no support is given I will have to try warrenty instead. This does mean I have to replace the unit with a competitor brand which isn't something I'm keen to do because I want to use Cisco as our main brand. This issue effectively nukes my entire plan.
Given our work load, CPU power isn't an issue. The encryption level is set to this level because I'm paranoid. Which I reckon is a good thing when it comes to network security (correct me if I'm wrong). Do you suspect these settings could be of any influence in this particular case?
If I remember correctly I used the "debug crypto isakmp" or "debug crypto isakmp errors" and "debug crypto ipsec" (also perhaps with the "error" suffix), I'm not sure. -
Hi everyone,
Need to confirm during IKE Phase 1
we use port UDP 500
IKE Phase 2 we use ports
ESP -50
NAT-T UDP 4500
TCP-1000 ESP -50
NAT-T UDP 4500
TCP-1000
Regards
MaheshIKE phase 1 (main mode/aggressive mode) is udp src and dst 500
IKE phase 2 could be:
IP protocol 50 (ESP)
NAT-T is udp src (client) ephemeral dst (server) udp 4500
The tcp encapsulation found in the older VPN clients was src (client) ephemeral dst (server) tcp 10000 (10,000 in US resp. 10.000 in most of the other world) -
IPsec VTI over NAT IKE Phase I Failure
Hey everyone,
I have two routers and an ASA with one of the routers sitting behind the ASA. I have a VTI configuration between the two routers, the regular GRE traffic passes through just fine but after applying an IPsec profile to the interfaces, IKE Phase I never completes. I have the configurations and debugs posted below. Thank you in advance for your help. I have confirmed reachability and there are no access list issues.
Router 1:
crypto ipsec transform-set SEC esp-aes 256 esp-md5-hmac
mode tunnel
crypto ipsec profile IPSEC
set transform-set SEC
interface Tunnel2
ip address 172.16.1.1 255.255.255.252
tunnel source 200.1.1.1
tunnel destination 200.1.1.2
tunnel protection ipsec profile IPSEC
crypto isakmp key SECURITYKEY address 200.1.1.2
crypto isakmp policy 1
encr aes 256
hash md5
authentication pre-share
group 2
ASA:
static (inside,outside) 200.1.1.2 10.1.1.1 netmask 255.255.255.255
Router 2:
interface Tunnel121
ip address 172.16.1.2 255.255.255.252
ip nat inside
ip virtual-reassembly
tunnel source 10.1.1.1
tunnel destination 200.1.1.1
tunnel protection ipsec profile IPSEC
crypto ipsec transform-set SEC esp-aes 256 esp-md5-hmac
mode tunnel
crypto ipsec profile IPSEC
set transform-set SEC
crypto isakmp key SECURITYKEY address 200.1.1.1
crypto isakmp policy 2
encr aes 256
hash md5
authentication pre-share
group 2
R2#debug crypto isakmp
R2#
R2#
May 7 14:30:35 CDT: ISAKMP (0:134218444): received packet from 200.1.1.1 dport 4500 sport 4500 Global (R) QM_IDLE
May 7 14:30:35 CDT: ISAKMP:(0:716:SW:1): phase 1 packet is a duplicate of a previous packet.
May 7 14:30:35 CDT: ISAKMP:(0:716:SW:1): retransmitting due to retransmit phase 1
May 7 14:30:35 CDT: ISAKMP (0:134218443): received packet from 200.1.1.1 dport 4500 sport 4500 Global (R) MM_NO_STATE
May 7 14:30:36 CDT: ISAKMP:(0:716:SW:1): retransmitting phase 1 QM_IDLE ...
May 7 14:30:36 CDT: ISAKMP (0:134218444): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
May 7 14:30:36 CDT: ISAKMP:(0:716:SW:1): retransmitting phase 1 QM_IDLE
May 7 14:30:36 CDT: ISAKMP:(0:716:SW:1): sending packet to 200.1.1.1 my_port 4500 peer_port 4500 (R) QM_IDLE
May 7 14:30:42 CDT: ISAKMP:(0:716:SW:1): retransmitting phase 2 QM_IDLE -1092494630 ...
May 7 14:30:42 CDT: ISAKMP (0:134218444): incrementing error counter on node, attempt 2 of 5: retransmit phase 2
May 7 14:30:42 CDT: ISAKMP (0:134218444): incrementing error counter on sa, attempt 4 of 5: retransmit phase 2
May 7 14:30:42 CDT: ISAKMP:(0:716:SW:1): retransmitting phase 2 -1092494630 QM_IDLE
May 7 14:30:42 CDT: ISAKMP:(0:716:SW:1): sending packet to 200.1.1.1 my_port 4500 peer_port 4500 (R) QM_IDLE
May 7 14:30:45 CDT: ISAKMP (0:134218444): received packet from 200.1.1.1 dport 4500 sport 4500 Global (R) QM_IDLE
May 7 14:30:45 CDT: ISAKMP:(0:716:SW:1): phase 1 packet is a duplicate of a previous packet.
May 7 14:30:45 CDT: ISAKMP:(0:716:SW:1): retransmitting due to retransmit phase 1
May 7 14:30:46 CDT: ISAKMP:(0:716:SW:1): retransmitting phase 1 QM_IDLE ...
May 7 14:30:46 CDT: ISAKMP (0:134218444): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
May 7 14:30:46 CDT: ISAKMP:(0:716:SW:1): retransmitting phase 1 QM_IDLE
May 7 14:30:46 CDT: ISAKMP:(0:716:SW:1): sending packet to 200.1.1.1 my_port 4500 peer_port 4500 (R) QM_IDLE
May 7 14:30:52 CDT: ISAKMP: received ke message (3/1)
May 7 14:30:52 CDT: ISAKMP:(0:716:SW:1):peer does not do paranoid keepalives.
May 7 14:30:52 CDT: ISAKMP:(0:716:SW:1):deleting SA reason "P1 delete notify (in)" state (R) QM_IDLE (peer 200.1.1.1)
May 7 14:30:52 CDT: ISAKMP:(0:715:SW:1):peer does not do paranoid keepalives.
May 7 14:30:52 CDT: ISAKMP:(0:716:SW:1): retransmitting phase 2 QM_IDLE -1092494630 ...
May 7 14:30:52 CDT: ISAKMP:(0:716:SW:1):peer does not do paranoid keepalives.
May 7 14:30:52 CDT: ISAKMP: set new node 1345361410 to QM_IDLE
May 7 14:30:52 CDT: ISAKMP:(0:716:SW:1): sending packet to 200.1.1.1 my_port 4500 peer_port 4500 (R) QM_IDLE
May 7 14:30:52 CDT: ISAKMP:(0:716:SW:1):purging node 1345361410
May 7 14:30:52 CDT: ISAKMP:(0:716:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
May 7 14:30:52 CDT: ISAKMP:(0:716:SW:1):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA
May 7 14:30:52 CDT: ISAKMP:(0:716:SW:1):deleting SA reason "No reason" state (R) QM_IDLE (peer 200.1.1.1)
May 7 14:30:52 CDT: ISAKMP: Unlocking IKE struct 0x656AA2B0 for isadb_mark_sa_deleted(), count 0
May 7 14:30:52 CDT: ISAKMP: Deleting peer node by peer_reap for 200.1.1.1: 656AA2B0
May 7 14:30:52 CDT: ISAKMP:(0:716:SW:1):deleting node -1092494630 error FALSE reason "IKE deleted"
May 7 14:30:52 CDT: ISAKMP:(0:716:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
May 7 14:30:52 CDT: ISAKMP:(0:716:SW:1):Old State = IKE_DEST_SA New State = IKE_DEST_SA
May 7 14:30:55 CDT: ISAKMP (0:134218444): received packet from 200.1.1.1 dport 4500 sport 4500 Global (R) MM_NO_STATE
May 7 14:31:05 CDT: ISAKMP:(0:715:SW:1):purging node 1843499205
May 7 14:31:05 CDT: ISAKMP (0:134218444): received packet from 200.1.1.1 dport 4500 sport 4500 Global (R) MM_NO_STATE
May 7 14:31:15 CDT: ISAKMP:(0:715:SW:1):purging SA., sa=64E4AB14, delme=64E4AB14
May 7 14:31:42 CDT: ISAKMP:(0:716:SW:1):purging node -1092494630
May 7 14:31:45 CDT: ISAKMP (0:0): received packet from 200.1.1.1 dport 500 sport 500 Global (N) NEW SA
May 7 14:31:45 CDT: ISAKMP: Created a peer struct for 200.1.1.1, peer port 500
May 7 14:31:45 CDT: ISAKMP: New peer created peer = 0x656AA2B0 peer_handle = 0x80000514
May 7 14:31:45 CDT: ISAKMP: Locking peer struct 0x656AA2B0, IKE refcount 1 for crypto_isakmp_process_block
May 7 14:31:45 CDT: ISAKMP: local port 500, remote port 500
May 7 14:31:45 CDT: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 64E4AB14
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0):Old State = IKE_READY New State = IKE_R_MM1
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0): processing SA payload. message ID = 0
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0): processing vendor id payload
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 69 mismatch
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0): processing vendor id payload
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 245 mismatch
May 7 14:31:45 CDT: ISAKMP (0:0): vendor ID is NAT-T v7
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0): processing vendor id payload
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 157 mismatch
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v3
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0): processing vendor id payload
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 123 mismatch
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v2
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 200.1.1.1
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0): local preshared key found
May 7 14:31:45 CDT: ISAKMP : Scanning profiles for xauth ...
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 5 policy
May 7 14:31:45 CDT: ISAKMP: encryption DES-CBC
May 7 14:31:45 CDT: ISAKMP: hash SHA
May 7 14:31:45 CDT: ISAKMP: default group 1
May 7 14:31:45 CDT: ISAKMP: auth pre-share
May 7 14:31:45 CDT: ISAKMP: life type in seconds
May 7 14:31:45 CDT: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 2 against priority 5 policy
May 7 14:31:45 CDT: ISAKMP: encryption 3DES-CBC
May 7 14:31:45 CDT: ISAKMP: hash SHA
May 7 14:31:45 CDT: ISAKMP: default group 2
May 7 14:31:45 CDT: ISAKMP: auth pre-share
May 7 14:31:45 CDT: ISAKMP: life type in seconds
May 7 14:31:45 CDT: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 3 against priority 5 policy
May 7 14:31:45 CDT: ISAKMP: encryption AES-CBC
May 7 14:31:45 CDT: ISAKMP: keylength of 256
May 7 14:31:45 CDT: ISAKMP: hash SHA
May 7 14:31:45 CDT: ISAKMP: default group 2
May 7 14:31:45 CDT: ISAKMP: auth pre-share
May 7 14:31:45 CDT: ISAKMP: life type in seconds
May 7 14:31:45 CDT: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0):Diffie-Hellman group offered does not match policy!
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 4 against priority 5 policy
May 7 14:31:45 CDT: ISAKMP: encryption AES-CBC
May 7 14:31:45 CDT: ISAKMP: keylength of 256
May 7 14:31:45 CDT: ISAKMP: hash SHA
May 7 14:31:45 CDT: ISAKMP: default group 5
May 7 14:31:45 CDT: ISAKMP: auth pre-share
May 7 14:31:45 CDT: ISAKMP: life type in seconds
May 7 14:31:45 CDT: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 3
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): processing vendor id payload
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): vendor ID seems Unity/DPD but major 69 mismatch
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): processing vendor id payload
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): vendor ID seems Unity/DPD but major 245 mismatch
May 7 14:31:45 CDT: ISAKMP (0:134218445): vendor ID is NAT-T v7
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): processing vendor id payload
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): vendor ID seems Unity/DPD but major 157 mismatch
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): vendor ID is NAT-T v3
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): processing vendor id payload
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): vendor ID seems Unity/DPD but major 123 mismatch
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): vendor ID is NAT-T v2
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):Old State = IKE_R_MM1 New State = IKE_R_MM1
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): constructed NAT-T vendor-07 ID
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): sending packet to 200.1.1.1 my_port 500 peer_port 500 (R) MM_SA_SETUP
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):Old State = IKE_R_MM1 New State = IKE_R_MM2
May 7 14:31:45 CDT: ISAKMP (0:134218445): received packet from 200.1.1.1 dport 500 sport 500 Global (R) MM_SA_SETUP
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):Old State = IKE_R_MM2 New State = IKE_R_MM3
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): processing KE payload. message ID = 0
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): processing NONCE payload. message ID = 0
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):found peer pre-shared key matching 200.1.1.1
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):SKEYID state generated
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): processing vendor id payload
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): vendor ID is Unity
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): processing vendor id payload
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): vendor ID is DPD
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): processing vendor id payload
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): speaking to another IOS box!
May 7 14:31:45 CDT: ISAKMP (0:134218445): NAT found, the node inside NAT
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):Old State = IKE_R_MM3 New State = IKE_R_MM3
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): sending packet to 200.1.1.1 my_port 500 peer_port 500 (R) MM_KEY_EXCH
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):Old State = IKE_R_MM3 New State = IKE_R_MM4
May 7 14:31:45 CDT: ISAKMP (0:134218445): received packet from 200.1.1.1 dport 4500 sport 4500 Global (R) MM_KEY_EXCH
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):Old State = IKE_R_MM4 New State = IKE_R_MM5
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): processing ID payload. message ID = 0
May 7 14:31:45 CDT: ISAKMP (0:134218445): ID payload
next-payload : 8
type : 1
address : 200.1.1.1
protocol : 17
port : 0
length : 12
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):: peer matches *none* of the profiles
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): processing HASH payload. message ID = 0
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): processing NOTIFY INITIAL_CONTACT protocol 1
spi 0, message ID = 0, sa = 64E4AB14
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):SA authentication status:
authenticated
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): Process initial contact,
bring down existing phase 1 and 2 SA's with local 10.1.1.1 remote 200.1.1.1 remote port 4500
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):SA authentication status:
authenticated
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):SA has been authenticated with 200.1.1.1
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):Detected port floating to port = 4500
May 7 14:31:45 CDT: ISAKMP: Trying to insert a peer 10.1.1.1/200.1.1.1/4500/, and inserted successfully 656AA2B0.
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):Setting UDP ENC peer struct 0x661D688C sa= 0x64E4AB14
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):Old State = IKE_R_MM5 New State = IKE_R_MM5
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
May 7 14:31:45 CDT: ISAKMP (0:134218445): ID payload
next-payload : 8
type : 1
address : 10.1.1.1
protocol : 17
port : 0
length : 12
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):Total payload length: 12
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): sending packet to 200.1.1.1 my_port 4500 peer_port 4500 (R) MM_KEY_EXCH
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
May 7 14:31:52 CDT: ISAKMP: received ke message (1/1)
May 7 14:31:52 CDT: ISAKMP: set new node 0 to QM_IDLE
May 7 14:31:52 CDT: ISAKMP:(0:717:SW:1): sitting IDLE. Starting QM immediately (QM_IDLE )
May 7 14:31:52 CDT: ISAKMP:(0:717:SW:1):beginning Quick Mode exchange, M-ID of -1201835538
May 7 14:31:52 CDT: ISAKMP:(0:717:SW:1): sending packet to 200.1.1.1 my_port 4500 peer_port 4500 (R) QM_IDLE
May 7 14:31:52 CDT: ISAKMP:(0:717:SW:1):Node -1201835538, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
May 7 14:31:52 CDT: ISAKMP:(0:717:SW:1):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
May 7 14:31:52 CDT: ISAKMP:(0:716:SW:1):purging SA., sa=64E55FE0, delme=64E55FE0
May 7 14:31:55 CDT: ISAKMP (0:134218445): received packet from 200.1.1.1 dport 4500 sport 4500 Global (R) QM_IDLE
May 7 14:31:55 CDT: ISAKMP:(0:717:SW:1): phase 1 packet is a duplicate of a previous packet.
May 7 14:31:55 CDT: ISAKMP:(0:717:SW:1): retransmitting due to retransmit phase 1
May 7 14:31:56 CDT: ISAKMP:(0:717:SW:1): retransmitting phase 1 QM_IDLE ...
May 7 14:31:56 CDT: ISAKMP (0:134218445): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
May 7 14:31:56 CDT: ISAKMP:(0:717:SW:1): retransmitting phase 1 QM_IDLE
May 7 14:31:56 CDT: ISAKMP:(0:717:SW:1): sending packet to 200.1.1.1 my_port 4500 peer_port 4500 (R) QM_IDLE
R2#
R2#
R2#
R2#un
May 7 14:32:02 CDT: ISAKMP:(0:717:SW:1): retransmitting phase 2 QM_IDLE -1201835538 ...
May 7 14:32:02 CDT: ISAKMP (0:134218445): incrementing error counter on node, attempt 1 of 5: retransmit phase 2
May 7 14:32:02 CDT: ISAKMP (0:134218445): incrementing error counter on sa, attempt 2 of 5: retransmit phase 2
May 7 14:32:02 CDT: ISAKMP:(0:717:SW:1): retransmitting phase 2 -1201835538 QM_IDLE
May 7 14:32:02 CDT: ISAKMP:(0:717:SW:1): sending packet to 200.1.1.1 my_port 4500 peer_port 4500 (R) QM_IDLE
The specific portion of the debug that has caught my attention is as follows toward the end:
May 7 14:31:52 CDT: ISAKMP:(0:717:SW:1): sending packet to 200.1.1.1 my_port 4500 peer_port 4500 (R) QM_IDLE
May 7 14:31:52 CDT: ISAKMP:(0:717:SW:1):Node -1201835538, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
May 7 14:31:52 CDT: ISAKMP:(0:717:SW:1):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
May 7 14:31:52 CDT: ISAKMP:(0:716:SW:1):purging SA., sa=64E55FE0, delme=64E55FE0
May 7 14:31:55 CDT: ISAKMP (0:134218445): received packet from 200.1.1.1 dport 4500 sport 4500 Global (R) QM_IDLE
May 7 14:31:55 CDT: ISAKMP:(0:717:SW:1): phase 1 packet is a duplicate of a previous packet.Thank you for the suggestions Sokakkar. I did just what you asked with
undebug all
debug crypto condition peer ipv4
debug crypto isakmp
this is a production environment and I have altered the information for privacy reasons. So I am not able to reload either of the devices.
The debugs are as follows:
R1 DEBUGS:
R1#debug crypto isakmp
Crypto ISAKMP debugging is on
R1#
*May 8 20:14:18.668: ISAKMP:(6151):purging node -1205767715
*May 8 20:14:28.140: ISAKMP: local port 500, remote port 500
*May 8 20:14:28.144: ISAKMP: set new node 0 to QM_IDLE
*May 8 20:14:28.144: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 45FED9E4
*May 8 20:14:28.144: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*May 8 20:14:28.144: ISAKMP:(0):found peer pre-shared key matching 200.1.1.2
*May 8 20:14:28.144: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*May 8 20:14:28.144: ISAKMP:(0): constructed NAT-T vendor-07 ID
*May 8 20:14:28.144: ISAKMP:(0): constructed NAT-T vendor-03 ID
*May 8 20:14:28.144: ISAKMP:(0): constructed NAT-T vendor-02 ID
*May 8 20:14:28.144: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*May 8 20:14:28.144: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
*May 8 20:14:28.144: ISAKMP:(0): beginning Main Mode exchange
*May 8 20:14:28.144: ISAKMP:(0): sending packet to 200.1.1.2 my_port 500 peer_port 500 (I) MM_NO_STATE
*May 8 20:14:28.144: ISAKMP:(0):Sending an IKE IPv4 Packet.
*May 8 20:14:28.356: ISAKMP (0:0): received packet from 200.1.1.2 dport 500 sport 500 Global (I) MM_NO_STATE
*May 8 20:14:28.356: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*May 8 20:14:28.356: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2
*May 8 20:14:28.356: ISAKMP:(0): processing SA payload. message ID = 0
*May 8 20:14:28.356: ISAKMP:(0): processing vendor id payload
*May 8 20:14:28.356: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*May 8 20:14:28.356: ISAKMP (0:0): vendor ID is NAT-T v7
*May 8 20:14:28.356: ISAKMP:(0):found peer pre-shared key matching 200.1.1.2
*May 8 20:14:28.356: ISAKMP:(0): local preshared key found
*May 8 20:14:28.356: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*May 8 20:14:28.356: ISAKMP: encryption AES-CBC
*May 8 20:14:28.356: ISAKMP: keylength of 256
*May 8 20:14:28.356: ISAKMP: hash SHA
*May 8 20:14:28.356: ISAKMP: default group 5
*May 8 20:14:28.356: ISAKMP: auth pre-share
*May 8 20:14:28.356: ISAKMP: life type in seconds
*May 8 20:14:28.356: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*May 8 20:14:28.356: ISAKMP:(0):Encryption algorithm offered does not match policy!
*May 8 20:14:28.356: ISAKMP:(0):atts are not acceptable. Next payload is 0
*May 8 20:14:28.356: ISAKMP:(0):Checking ISAKMP transform 1 against priority 15 policy
*May 8 20:14:28.360: ISAKMP: encryption AES-CBC
*May 8 20:14:28.360: ISAKMP: keylength of 256
*May 8 20:14:28.360: ISAKMP: hash SHA
*May 8 20:14:28.360: ISAKMP: default group 5
*May 8 20:14:28.360: ISAKMP: auth pre-share
*May 8 20:14:28.360: ISAKMP: life type in seconds
*May 8 20:14:28.360: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*May 8 20:14:28.360: ISAKMP:(0):Encryption algorithm offered does not match policy!
*May 8 20:14:28.360: ISAKMP:(0):atts are not acceptable. Next payload is 0
*May 8 20:14:28.360: ISAKMP:(0):Checking ISAKMP transform 1 against priority 20 policy
*May 8 20:14:28.360: ISAKMP: encryption AES-CBC
*May 8 20:14:28.360: ISAKMP: keylength of 256
*May 8 20:14:28.360: ISAKMP: hash SHA
*May 8 20:14:28.360: ISAKMP: default group 5
*May 8 20:14:28.360: ISAKMP: auth pre-share
*May 8 20:14:28.360: ISAKMP: life type in seconds
*May 8 20:14:28.360: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*May 8 20:14:28.360: ISAKMP:(0):Diffie-Hellman group offered does not match policy!
*May 8 20:14:28.360: ISAKMP:(0):atts are not acceptable. Next payload is 0
*May 8 20:14:28.360: ISAKMP:(0):Checking ISAKMP transform 1 against priority 100 policy
*May 8 20:14:28.360: ISAKMP: encryption AES-CBC
*May 8 20:14:28.360: ISAKMP: keylength of 256
*May 8 20:14:28.360: ISAKMP: hash SHA
*May 8 20:14:28.360: ISAKMP: default group 5
*May 8 20:14:28.360: ISAKMP: auth pre-share
*May 8 20:14:28.360: ISAKMP: life type in seconds
*May 8 20:14:28.360: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*May 8 20:14:28.360: ISAKMP:(0):atts are acceptable. Next payload is 0
*May 8 20:14:28.360: ISAKMP:(0):Acceptable atts:actual life: 0
*May 8 20:14:28.360: ISAKMP:(0):Acceptable atts:life: 0
*May 8 20:14:28.360: ISAKMP:(0):Fill atts in sa vpi_length:4
*May 8 20:14:28.360: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
*May 8 20:14:28.360: ISAKMP:(0):Returning Actual lifetime: 86400
*May 8 20:14:28.360: ISAKMP:(0)::Started lifetime timer: 86400.
*May 8 20:14:28.360: ISAKMP:(0): processing vendor id payload
*May 8 20:14:28.360: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*May 8 20:14:28.360: ISAKMP (0:0): vendor ID is NAT-T v7
*May 8 20:14:28.360: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*May 8 20:14:28.360: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2
*May 8 20:14:28.360: ISAKMP:(0): sending packet to 200.1.1.2 my_port 500 peer_port 500 (I) MM_SA_SETUP
*May 8 20:14:28.360: ISAKMP:(0):Sending an IKE IPv4 Packet.
*May 8 20:14:28.360: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*May 8 20:14:28.360: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3
*May 8 20:14:28.580: ISAKMP (0:0): received packet from 200.1.1.2 dport 500 sport 500 Global (I) MM_SA_SETUP
*May 8 20:14:28.580: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*May 8 20:14:28.580: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4
*May 8 20:14:28.580: ISAKMP:(0): processing KE payload. message ID = 0
*May 8 20:14:28.672: ISAKMP:(0): processing NONCE payload. message ID = 0
*May 8 20:14:28.672: ISAKMP:(0):found peer pre-shared key matching 200.1.1.2
*May 8 20:14:28.672: ISAKMP:(6153): processing vendor id payload
*May 8 20:14:28.672: ISAKMP:(6153): vendor ID is Unity
*May 8 20:14:28.672: ISAKMP:(6153): processing vendor id payload
*May 8 20:14:28.672: ISAKMP:(6153): vendor ID is DPD
*May 8 20:14:28.672: ISAKMP:(6153): processing vendor id payload
*May 8 20:14:28.672: ISAKMP:(6153): speaking to another IOS box!
*May 8 20:14:28.672: ISAKMP (0:6153): NAT found, the node outside NAT
*May 8 20:14:28.672: ISAKMP:(6153):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*May 8 20:14:28.672: ISAKMP:(6153):Old State = IKE_I_MM4 New State = IKE_I_MM4
*May 8 20:14:28.672: ISAKMP:(6151):purging SA., sa=45291908, delme=45291908
*May 8 20:14:28.672: ISAKMP:(6153):Send initial contact
*May 8 20:14:28.672: ISAKMP:(6153):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*May 8 20:14:28.672: ISAKMP (0:6153): ID payload
next-payload : 8
type : 1
address : 200.1.1.1
protocol : 17
port : 0
length : 12
*May 8 20:14:28.672: ISAKMP:(6153):Total payload length: 12
*May 8 20:14:28.672: ISAKMP:(6153): sending packet to 200.1.1.2 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
*May 8 20:14:28.672: ISAKMP:(6153):Sending an IKE IPv4 Packet.
*May 8 20:14:28.676: ISAKMP:(6153):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*May 8 20:14:28.676: ISAKMP:(6153):Old State = IKE_I_MM4 New State = IKE_I_MM5
*May 8 20:14:33.780: %CRYPTO-4-IKMP_NO_SA: IKE message from 200.1.1.2 has no SA and is not an initialization offer
R1#
*May 8 20:14:38.672: ISAKMP:(6153): retransmitting phase 1 MM_KEY_EXCH...
*May 8 20:14:38.672: ISAKMP (0:6153): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*May 8 20:14:38.672: ISAKMP:(6153): retransmitting phase 1 MM_KEY_EXCH
*May 8 20:14:38.672: ISAKMP:(6153): sending packet to 200.1.1.2 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
*May 8 20:14:38.672: ISAKMP:(6153):Sending an IKE IPv4 Packet.
R1#
*May 8 20:14:48.664: ISAKMP:(6152):purging node 1194713063
*May 8 20:14:48.672: ISAKMP:(6153): retransmitting phase 1 MM_KEY_EXCH...
*May 8 20:14:48.672: ISAKMP (0:6153): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*May 8 20:14:48.672: ISAKMP:(6153): retransmitting phase 1 MM_KEY_EXCH
*May 8 20:14:48.672: ISAKMP:(6153): sending packet to 200.1.1.2 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
*May 8 20:14:48.672: ISAKMP:(6153):Sending an IKE IPv4 Packet.
R1#
*May 8 20:14:58.140: ISAKMP: local port 500, remote port 500
*May 8 20:14:58.140: ISAKMP: set new node 0 to QM_IDLE
*May 8 20:14:58.140: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 45FEE170
*May 8 20:14:58.140: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*May 8 20:14:58.140: ISAKMP:(0):found peer pre-shared key matching 200.1.1.2
*May 8 20:14:58.140: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*May 8 20:14:58.140: ISAKMP:(0): constructed NAT-T vendor-07 ID
*May 8 20:14:58.140: ISAKMP:(0): constructed NAT-T vendor-03 ID
*May 8 20:14:58.140: ISAKMP:(0): constructed NAT-T vendor-02 ID
*May 8 20:14:58.140: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*May 8 20:14:58.140: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
*May 8 20:14:58.140: ISAKMP:(0): beginning Main Mode exchange
*May 8 20:14:58.140: ISAKMP:(0): sending packet to 200.1.1.2 my_port 500 peer_port 500 (I) MM_NO_STATE
*May 8 20:14:58.140: ISAKMP:(0):Sending an IKE IPv4 Packet.
*May 8 20:14:58.352: ISAKMP (0:0): received packet from 200.1.1.2 dport 500 sport 500 Global (I) MM_NO_STATE
*May 8 20:14:58.352: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*May 8 20:14:58.352: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2
*May 8 20:14:58.352: ISAKMP:(0): processing SA payload. message ID = 0
*May 8 20:14:58.356: ISAKMP:(0): processing vendor id payload
*May 8 20:14:58.356: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*May 8 20:14:58.356: ISAKMP (0:0): vendor ID is NAT-T v7
*May 8 20:14:58.356: ISAKMP:(0):found peer pre-shared key matching 200.1.1.2
*May 8 20:14:58.356: ISAKMP:(0): local preshared key found
*May 8 20:14:58.356: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*May 8 20:14:58.356: ISAKMP: encryption AES-CBC
*May 8 20:14:58.356: ISAKMP: keylength of 256
*May 8 20:14:58.356: ISAKMP: hash SHA
*May 8 20:14:58.356: ISAKMP: default group 5
*May 8 20:14:58.356: ISAKMP: auth pre-share
*May 8 20:14:58.356: ISAKMP: life type in seconds
*May 8 20:14:58.356: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*May 8 20:14:58.356: ISAKMP:(0):Encryption algorithm offered does not match policy!
*May 8 20:14:58.356: ISAKMP:(0):atts are not acceptable. Next payload is 0
*May 8 20:14:58.356: ISAKMP:(0):Checking ISAKMP transform 1 against priority 15 policy
*May 8 20:14:58.356: ISAKMP: encryption AES-CBC
*May 8 20:14:58.356: ISAKMP: keylength of 256
*May 8 20:14:58.356: ISAKMP: hash SHA
*May 8 20:14:58.356: ISAKMP: default group 5
*May 8 20:14:58.356: ISAKMP: auth pre-share
*May 8 20:14:58.356: ISAKMP: life type in seconds
*May 8 20:14:58.356: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*May 8 20:14:58.356: ISAKMP:(0):Encryption algorithm offered does not match policy!
*May 8 20:14:58.356: ISAKMP:(0):atts are not acceptable. Next payload is 0
*May 8 20:14:58.356: ISAKMP:(0):Checking ISAKMP transform 1 against priority 20 policy
*May 8 20:14:58.356: ISAKMP: encryption AES-CBC
*May 8 20:14:58.356: ISAKMP: keylength of 256
*May 8 20:14:58.356: ISAKMP: hash SHA
*May 8 20:14:58.356: ISAKMP: default group 5
*May 8 20:14:58.356: ISAKMP: auth pre-share
*May 8 20:14:58.356: ISAKMP: life type in seconds
*May 8 20:14:58.356: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*May 8 20:14:58.356: ISAKMP:(0):Diffie-Hellman group offered does not match policy!
*May 8 20:14:58.356: ISAKMP:(0):atts are not acceptable. Next payload is 0
*May 8 20:14:58.356: ISAKMP:(0):Checking ISAKMP transform 1 against priority 100 policy
*May 8 20:14:58.356: ISAKMP: encryption AES-CBC
*May 8 20:14:58.356: ISAKMP: keylength of 256
*May 8 20:14:58.356: ISAKMP: hash SHA
*May 8 20:14:58.356: ISAKMP: default group 5
*May 8 20:14:58.356: ISAKMP: auth pre-share
*May 8 20:14:58.356: ISAKMP: life type in seconds
*May 8 20:14:58.356: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*May 8 20:14:58.356: ISAKMP:(0):atts are acceptable. Next payload is 0
*May 8 20:14:58.356: ISAKMP:(0):Acceptable atts:actual life: 0
*May 8 20:14:58.356: ISAKMP:(0):Acceptable atts:life: 0
*May 8 20:14:58.356: ISAKMP:(0):Fill atts in sa vpi_length:4
*May 8 20:14:58.356: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
*May 8 20:14:58.356: ISAKMP:(0):Returning Actual lifetime: 86400
*May 8 20:14:58.356: ISAKMP:(0)::Started lifetime timer: 86400.
*May 8 20:14:58.356: ISAKMP:(0): processing vendor id payload
*May 8 20:14:58.356: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*May 8 20:14:58.356: ISAKMP (0:0): vendor ID is NAT-T v7
*May 8 20:14:58.356: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*May 8 20:14:58.356: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2
*May 8 20:14:58.356: ISAKMP:(0): sending packet to 200.1.1.2 my_port 500 peer_port 500 (I) MM_SA_SETUP
*May 8 20:14:58.356: ISAKMP:(0):Sending an IKE IPv4 Packet.
*May 8 20:14:58.360: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*May 8 20:14:58.360: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3
*May 8 20:14:58.580: ISAKMP (0:0): received packet from 200.1.1.2 dport 500 sport 500 Global (I) MM_SA_SETUP
*May 8 20:14:58.580: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*May 8 20:14:58.580: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4
*May 8 20:14:58.580: ISAKMP:(0): processing KE payload. message ID = 0
*May 8 20:14:58.668: ISAKMP:(0): processing NONCE payload. message ID = 0
*May 8 20:14:58.668: ISAKMP:(0):found peer pre-shared key matching 200.1.1.2
*May 8 20:14:58.668: ISAKMP:(6154): processing vendor id payload
*May 8 20:14:58.668: ISAKMP:(6154): vendor ID is Unity
*May 8 20:14:58.668: ISAKMP:(6154): processing vendor id payload
*May 8 20:14:58.668: ISAKMP:(6154): vendor ID is DPD
*May 8 20:14:58.668: ISAKMP:(6154): processing vendor id payload
*May 8 20:14:58.668: ISAKMP:(6154): speaking to another IOS box!
*May 8 20:14:58.668: ISAKMP (0:6154): NAT found, the node outside NAT
*May 8 20:14:58.668: ISAKMP:(6154):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*May 8 20:14:58.668: ISAKMP:(6154):Old State = IKE_I_MM4 New State = IKE_I_MM4
*May 8 20:14:58.668: ISAKMP:(6152):purging SA., sa=45FEB894, delme=45FEB894
*May 8 20:14:58.668: ISAKMP:(6154):Send initial contact
*May 8 20:14:58.668: ISAKMP:(6154):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*May 8 20:14:58.668: ISAKMP (0:6154): ID payload
next-payload : 8
type : 1
address : 200.1.1.1
protocol : 17
port : 0
length : 12
*May 8 20:14:58.668: ISAKMP:(6154):Total payload length: 12
*May 8 20:14:58.672: ISAKMP:(6154): sending packet to 200.1.1.2 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
*May 8 20:14:58.672: ISAKMP:(6154):Sending an IKE IPv4 Packet.
*May 8 20:14:58.672: ISAKMP:(6154):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*May 8 20:14:58.672: ISAKMP:(6154):Old State = IKE_I_MM4 New State = IKE_I_MM5
*May 8 20:14:58.672: ISAKMP:(6153): retransmitting phase 1 MM_KEY_EXCH...
*May 8 20:14:58.672: ISAKMP (0:6153): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
*May 8 20:14:58.672: ISAKMP:(6153): retransmitting phase 1 MM_KEY_EXCH
*May 8 20:14:58.672: ISAKMP:(6153): sending packet to 200.1.1.2 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
*May 8 20:14:58.672: ISAKMP:(6153):Sending an IKE IPv4 Packet.
R2 DEBUGS:
R2#debug crypto isakmp
Crypto ISAKMP debugging is on
R2#
May 8 15:17:52 CDT: ISAKMP: set new node 0 to QM_IDLE
May 8 15:17:52 CDT: ISAKMP:(0:1991:SW:1): sitting IDLE. Starting QM immediately (QM_IDLE )
May 8 15:17:52 CDT: ISAKMP:(0:1991:SW:1):beginning Quick Mode exchange, M-ID of -1574699992
May 8 15:17:52 CDT: ISAKMP:(0:1991:SW:1): sending packet to 200.1.1.1 my_port 4500 peer_port 4500 (R) QM_IDLE
May 8 15:17:52 CDT: ISAKMP:(0:1991:SW:1):Node -1574699992, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
May 8 15:17:52 CDT: ISAKMP:(0:1991:SW:1):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
May 8 15:17:52 CDT: ISAKMP:(0:1990:SW:1):purging SA., sa=64E62620, delme=64E62620
May 8 15:17:57 CDT: ISAKMP (0:134219719): received packet from 200.1.1.1 dport 4500 sport 4500 Global (R) QM_IDLE
May 8 15:17:57 CDT: ISAKMP:(0:1991:SW:1): phase 1 packet is a duplicate of a previous packet.
May 8 15:17:57 CDT: ISAKMP:(0:1991:SW:1): retransmitting due to retransmit phase 1
May 8 15:17:58 CDT: ISAKMP:(0:1991:SW:1): retransmitting phase 1 QM_IDLE ...
May 8 15:17:58 CDT: ISAKMP (0:134219719): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
May 8 15:17:58 CDT: ISAKMP:(0:1991:SW:1): retransmitting phase 1 QM_IDLE
May 8 15:17:58 CDT: ISAKMP:(0:1991:SW:1): sending packet to 200.1.1.1 my_port 4500 peer_port 4500 (R) QM_IDLE
May 8 15:18:02 CDT: ISAKMP:(0:1991:SW:1): retransmitting phase 2 QM_IDLE -1574699992 ...
May 8 15:18:02 CDT: ISAKMP (0:134219719): incrementing error counter on node, attempt 1 of 5: retransmit phase 2
May 8 15:18:02 CDT: ISAKMP (0:134219719): incrementing error counter on sa, attempt 2 of 5: retransmit phase 2
May 8 15:18:02 CDT: ISAKMP:(0:1991:SW:1): retransmitting phase 2 -1574699992 QM_IDLE
May 8 15:18:02 CDT: ISAKMP:(0:1991:SW:1): sending packet to 200.1.1.1 my_port 4500 peer_port 4500 (R) QM_IDLE
May 8 15:18:07 CDT: ISAKMP (0:134219719): received packet from 200.1.1.1 dport 4500 sport 4500 Global (R) QM_IDLE
May 8 15:18:07 CDT: ISAKMP:(0:1991:SW:1): phase 1 packet is a duplicate of a previous packet.
May 8 15:18:07 CDT: ISAKMP:(0:1991:SW:1): retransmitting due to retransmit phase 1
May 8 15:18:08 CDT: ISAKMP:(0:1991:SW:1): retransmitting phase 1 QM_IDLE ...
May 8 15:18:08 CDT: ISAKMP (0:134219719): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
May 8 15:18:08 CDT: ISAKMP:(0:1991:SW:1): retransmitting phase 1 QM_IDLE
May 8 15:18:08 CDT: ISAKMP:(0:1991:SW:1): sending packet to 200.1.1.1 my_port 4500 peer_port 4500 (R) QM_IDLE
May 8 15:18:12 CDT: ISAKMP:(0:1991:SW:1): retransmitting phase 2 QM_IDLE -1574699992 ...
May 8 15:18:12 CDT: ISAKMP (0:134219719): incrementing error counter on node, attempt 2 of 5: retransmit phase 2
May 8 15:18:12 CDT: ISAKMP (0:134219719): incrementing error counter on sa, attempt 4 of 5: retransmit phase 2
May 8 15:18:12 CDT: ISAKMP:(0:1991:SW:1): retransmitting phase 2 -1574699992 QM_IDLE
May 8 15:18:12 CDT: ISAKMP:(0:1991:SW:1): sending packet to 200.1.1.1 my_port 4500 peer_port 4500 (R) QM_IDLE
May 8 15:18:17 CDT: ISAKMP: local port 500, remote port 500
May 8 15:18:17 CDT: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 64E62620
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0):Old State = IKE_READY New State = IKE_R_MM1
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0): processing SA payload. message ID = 0
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0): processing vendor id payload
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 69 mismatch
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0): processing vendor id payload
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 245 mismatch
May 8 15:18:17 CDT: ISAKMP (0:0): vendor ID is NAT-T v7
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0): processing vendor id payload
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 157 mismatch
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v3
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0): processing vendor id payload
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 123 mismatch
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v2
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 200.1.1.1
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0): local preshared key found
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 5 policy
May 8 15:18:17 CDT: ISAKMP: encryption DES-CBC
May 8 15:18:17 CDT: ISAKMP: hash SHA
May 8 15:18:17 CDT: ISAKMP: default group 1
May 8 15:18:17 CDT: ISAKMP: auth pre-share
May 8 15:18:17 CDT: ISAKMP: life type in seconds
May 8 15:18:17 CDT: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 2 against priority 5 policy
May 8 15:18:17 CDT: ISAKMP: encryption 3DES-CBC
May 8 15:18:17 CDT: ISAKMP: hash SHA
May 8 15:18:17 CDT: ISAKMP: default group 2
May 8 15:18:17 CDT: ISAKMP: auth pre-share
May 8 15:18:17 CDT: ISAKMP: life type in seconds
May 8 15:18:17 CDT: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 3 against priority 5 policy
May 8 15:18:17 CDT: ISAKMP: encryption AES-CBC
May 8 15:18:17 CDT: ISAKMP: keylength of 256
May 8 15:18:17 CDT: ISAKMP: hash SHA
May 8 15:18:17 CDT: ISAKMP: default group 2
May 8 15:18:17 CDT: ISAKMP: auth pre-share
May 8 15:18:17 CDT: ISAKMP: life type in seconds
May 8 15:18:17 CDT: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0):Diffie-Hellman group offered does not match policy!
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 4 against priority 5 policy
May 8 15:18:17 CDT: ISAKMP: encryption AES-CBC
May 8 15:18:17 CDT: ISAKMP: keylength of 256
May 8 15:18:17 CDT: ISAKMP: hash SHA
May 8 15:18:17 CDT: ISAKMP: default group 5
May 8 15:18:17 CDT: ISAKMP: auth pre-share
May 8 15:18:17 CDT: ISAKMP: life type in seconds
May 8 15:18:17 CDT: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 3
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): processing vendor id payload
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): vendor ID seems Unity/DPD but major 69 mismatch
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): processing vendor id payload
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): vendor ID seems Unity/DPD but major 245 mismatch
May 8 15:18:17 CDT: ISAKMP (0:134219720): vendor ID is NAT-T v7
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): processing vendor id payload
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): vendor ID seems Unity/DPD but major 157 mismatch
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): vendor ID is NAT-T v3
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): processing vendor id payload
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): vendor ID seems Unity/DPD but major 123 mismatch
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): vendor ID is NAT-T v2
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):Old State = IKE_R_MM1 New State = IKE_R_MM1
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): constructed NAT-T vendor-07 ID
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): sending packet to 200.1.1.1 my_port 500 peer_port 500 (R) MM_SA_SETUP
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):Old State = IKE_R_MM1 New State = IKE_R_MM2
May 8 15:18:17 CDT: ISAKMP (0:134219720): received packet from 200.1.1.1 dport 500 sport 500 Global (R) MM_SA_SETUP
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):Old State = IKE_R_MM2 New State = IKE_R_MM3
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): processing KE payload. message ID = 0
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): processing NONCE payload. message ID = 0
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):found peer pre-shared key matching 200.1.1.1
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):SKEYID state generated
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): processing vendor id payload
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): vendor ID is Unity
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): processing vendor id payload
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): vendor ID is DPD
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): processing vendor id payload
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): speaking to another IOS box!
May 8 15:18:17 CDT: ISAKMP (0:134219720): NAT found, the node inside NAT
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):Old State = IKE_R_MM3 New State = IKE_R_MM3
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): sending packet to 200.1.1.1 my_port 500 peer_port 500 (R) MM_KEY_EXCH
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):Old State = IKE_R_MM3 New State = IKE_R_MM4
May 8 15:18:17 CDT: ISAKMP (0:134219719): received packet from 200.1.1.1 dport 4500 sport 4500 Global (R) QM_IDLE
May 8 15:18:17 CDT: ISAKMP:(0:1991:SW:1): phase 1 packet is a duplicate of a previous packet.
May 8 15:18:17 CDT: ISAKMP:(0:1991:SW:1): retransmitting due to retransmit phase 1
May 8 15:18:17 CDT: ISAKMP (0:134219720): received packet from 200.1.1.1 dport 4500 sport 4500 Global (R) MM_KEY_EXCH
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):Old State = IKE_R_MM4 New State = IKE_R_MM5
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): processing ID payload. message ID = 0
May 8 15:18:17 CDT: ISAKMP (0:134219720): ID payload
next-payload : 8
type : 1
address : 200.1.1.1
protocol : 17
port : 0
length : 12
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):: peer matches *none* of the profiles
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): processing HASH payload. message ID = 0
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): processing NOTIFY INITIAL_CONTACT protocol 1
spi 0, message ID = 0, sa = 64E62620
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):SA authentication status:
authenticated
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): Process initial contact,
bring down existing phase 1 and 2 SA's with local 10.64.11.253 remote 200.1.1.1 remote port 4500
May 8 15:18:17 CDT: ISAKMP:(0:1991:SW:1):received initial contact, deleting SA
May 8 15:18:17 CDT: ISAKMP:(0:1991:SW:1):peer does not do paranoid keepalives.
May 8 15:18:17 CDT: ISAKMP:(0:1991:SW:1):deleting SA reason "Receive initial contact" state (R) QM_IDLE (peer 200.1.1.1)
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):SA authentication status:
authenticated
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):SA has been authenticated with 200.1.1.1
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):Detected port floating to port = 4500
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):Setting UDP ENC peer struct 0x0 sa= 0x64E62620
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):Old State = IKE_R_MM5 New State = IKE_R_MM5
May 8 15:18:17 CDT: ISAKMP: set new node 231359858 to QM_IDLE
May 8 15:18:17 CDT: ISAKMP:(0:1991:SW:1): sending packet to 200.1.1.1 my_port 4500 peer_port 4500 (R) QM_IDLE
May 8 15:18:17 CDT: ISAKMP:(0:1991:SW:1):purging node 231359858
May 8 15:18:17 CDT: ISAKMP:(0:1991:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
May 8 15:18:17 CDT: ISAKMP:(0:1991:SW:1):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
May 8 15:18:17 CDT: ISAKMP (0:134219720): ID payload
next-payload : 8
type : 1
address : 10.64.11.253
protocol : 17
port : 0
length : 12
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):Total payload length: 12
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): sending packet to 200.1.1.1 my_port 4500 peer_port 4500 (R) MM_KEY_EXCH
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
May 8 15:18:17 CDT: ISAKMP:(0:1991:SW:1):deleting SA reason "No reason" state (R) QM_IDLE (peer 200.1.1.1)
May 8 15:18:17 CDT: ISAKMP:(0:1991:SW:1):deleting node -1574699992 error FALSE reason "IKE deleted"
May 8 15:18:17 CDT: ISAKMP:(0:1991:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
May 8 15:18:17 CDT: ISAKMP:(0:1991:SW:1):Old State = IKE_DEST_SA New State = IKE_DEST_SA
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
R2#
May 8 15:18:22 CDT: ISAKMP: set new node 0 to QM_IDLE
May 8 15:18:22 CDT: ISAKMP:(0:1992:SW:1): sitting IDLE. Starting QM immediately (QM_IDLE )
May 8 15:18:22 CDT: ISAKMP:(0:1992:SW:1):beginning Quick Mode exchange, M-ID of 1324849371
May 8 15:18:22 CDT: ISAKMP:(0:1992:SW:1): sending packet to 200.1.1.1 my_port 4500 peer_port 4500 (R) QM_IDLE
May 8 15:18:22 CDT: ISAKMP:(0:1992:SW:1):Node 1324849371, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
May 8 15:18:22 CDT: ISAKMP:(0:1992:SW:1):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
May 8 15:18:27 CDT: ISAKMP (0:134219719): received packet from 200.1.1.1 dport 4500 sport 4500 Global (R) MM_NO_STATE
May 8 15:18:27 CDT: ISAKMP (0:134219720): received packet from 200.1.1.1 dport 4500 sport 4500 Global (R) QM_IDLE
May 8 15:18:27 CDT: ISAKMP:(0:1992:SW:1): phase 1 packet is a duplicate of a previous packet.
May 8 15:18:27 CDT: ISAKMP:(0:1992:SW:1): retransmitting due to retransmit phase 1
May 8 15:18:28 CDT: ISAKMP:(0:1992:SW:1): retransmitting phase 1 QM_IDLE ...
May 8 15:18:28 CDT: ISAKMP (0:134219720): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
May 8 15:18:28 CDT: ISAKMP:(0:1992:SW:1): retransmitting phase 1 QM_IDLE
May 8 15:18:28 CDT: ISAKMP:(0:1992:SW:1): sending packet to 200.1.1.1 my_port 4500 peer_port 4500 (R) QM_IDLE
R2#
May 8 15:18:32 CDT: ISAKMP:(0:1992:SW:1): retransmitting phase 2 QM_IDLE 1324849371 ...
May 8 15:18:32 CDT: ISAKMP (0:134219720): incrementing error counter on node, attempt 1 of 5: retransmit phase 2
May 8 15:18:32 CDT: ISAKMP (0:134219720): incrementing error counter on sa, attempt 2 of 5: retransmit phase 2
May 8 15:18:32 CDT: ISAKMP:(0:1992:SW:1): retransmitting phase 2 1324849371 QM_IDLE
May 8 15:18:32 CDT: ISAKMP:(0:1992:SW:1): sending packet to 200.1.1.1 my_port 4500 peer_port 4500 (R) QM_IDLE
R2#
May 8 15:18:37 CDT: ISAKMP (0:134219719): received packet from 200.1.1.1 dport 4500 sport 4500 Global (R) MM_NO_STATE
May 8 15:18:37 CDT: ISAKMP (0:134219720): received packet from 200.1.1.1 dport 4500 sport 4500 Global (R) QM_IDLE
May 8 15:18:37 CDT: ISAKMP:(0:1992:SW:1): phase 1 packet is a duplicate of a previous packet.
May 8 15:18:37 CDT: ISAKMP:(0:1992:SW:1): retransmitting due to retransmit phase 1
May 8 15:18:38 CDT: ISAKMP:(0:1992:SW:1): retransmitting phase 1 QM_IDLE ...
May 8 15:18:38 CDT: ISAKMP (0:134219720): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
R2#
R2#
May 8 15:18:38 CDT: ISAKMP:(0:1992:SW:1): retransmitting phase 1 QM_IDLE
May 8 15:18:38 CDT: ISAKMP:(0:1992:SW:1): sending packet to 200.1.1.1 my_port 4500 peer_port 4500 (R) QM_IDL
Maybe you are looking for
-
Creation of dynamic internal table is not synchronous
In my code following lines are used to create a dynamic table. REFRESH : INCTABL . CLEAR INCTABL . INCTABL-LINE = 'data: begin of dyntab occurs 10,'. APPEND INCTABL. INCTABL-LINE = 'zpltnamec like zvendplt-zpltnamec,'. APPEND INCTABL. INCTA
-
How do i fix my signal problems?
I upgraded from a Blackberry to a iPhone5. Everything on the phone works much better on the new phone eccept when i make or receive calls. The signal bars are always close to full but it sounds like there is almost no coverage. Please if anyone could
-
Slow processing in full screen mode
Hi All I recently upgraded my camera to an EOS 5d mk 2. I take photos in full RAW, so resulting images are around 26 MB.I then import these as managed reference files into Aperture. No issue with import to Aperture or image quality. However, when vie
-
hi !! i did very nice my iweb with very nice fonts i did publish, i go to visit! and all my fonts are diferents , what can i do for fix that? thanks alot! Message was edited by: Am Rock
-
Hello Community, We have a requirement where we need to be able to grant different permission level for the attachment within the opportunity. For example, I have 3 attachments in the attachment tab within opportunity, and I want to make sure one of