IPv6 / IPSec / VRF

All, I am trying to configure IPv6 IPSec (with tunnel protection mode) on a tunnel interface within a VRF, not the global routing table.  I have searched Google and found the following post in which a user is discussing a very similar situation.  Near the end of the thread, he posts a response from a TAC engineer listing some bug IDs, but I cannot find any info on those in the bug toolkit.
https://supportforums.cisco.com/thread/2119892
Has anyone heard or seen anything relating to this issue?  I will continue to search as well.  Thanks.
P.S.  I can make the configuration work in the global context, but when I change the crypto keyring, isakmp profile, tunnel interface (using both 'vrf forwarding' and 'tunnel vrf' commands), it does not work.  Show commands display the following:
R1#show crypto isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
IPv6 Crypto ISAKMP SA
dst: FEC0:0:0:1::1
src: FEC0:0:0:1::2
state: MM_SA_SETUP     conn-id:      0 status: ACTIVE
R1#show crypto session
Crypto session current status
Interface: FastEthernet0/0
Session status: DOWN-NEGOTIATING
Peer: FEC0:0:0:1::2 port 500
  IKE SA: local FEC0:0:0:1::1/500
          remote FEC0:0:0:1::2/500 Inactive
R1#show crypto ipsec sa
R1#
So it looks like the IKE SA comes up, but for some reason, the IPSec SA does not come up (debugging shows phase 1 timing out "death by retransmission", which makes me think routing within the crypto/ipv6/vrf setup is not working properly).  Any thoughts or comments are appreciated.  Thanks.

So, in playing around with this setup, I changed the tunnel mode to ipv6 with no encryption, just to see if I could get the tunnel to reach the up/up state.  I was not able to initially, but just for fun I added a static route to the global routing table for the tunnel destination IPv6 address and used the nexthop-vrf keyword and boom, the tunnel went to UP/UP!
So it looks like for some reason the "tunnel vrf" command is not taking effect and the tunnel is trying to use the global table rather than the vrf specific table to reach the tunnel endpoint.  It looks like this is a problem with the "tunnel vrf" command referencing an IPv6-enabled vrf.
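What the setup described above looks like written out, as an added example rather than the poster's own config (which is not on the page): the VRF name, addresses, interface names and pre-shared key are assumed, and the last line is the global-table static route with nexthop-vrf that the follow-up reports as the workaround that brought the tunnel up.

```ios
! Added example, not the original poster's configuration. VRF name,
! addresses, interface names and the key are assumed for illustration.
ipv6 unicast-routing
!
vrf definition CUST-V6            ! new-style VRF; needs an IPv6 address family
 rd 65000:1
 address-family ipv4
 exit-address-family
 address-family ipv6
 exit-address-family
!
interface GigabitEthernet0/0      ! underlay (tunnel endpoint) lives in the VRF
 vrf forwarding CUST-V6
 ipv6 address FEC0:0:0:1::1/64
!
crypto keyring KR-CUST-V6 vrf CUST-V6
 pre-shared-key address ipv6 FEC0:0:0:1::2/128 key PLACEHOLDER-PSK-REPLACE-ME
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 14
!
crypto isakmp profile IKE-CUST-V6
 vrf CUST-V6                      ! inside VRF for the protected traffic
 keyring KR-CUST-V6
 match identity address ipv6 FEC0:0:0:1::2   ! IKEv1 profile syntax, verify on your release
!
crypto ipsec transform-set TS-AES256 esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto ipsec profile IPSEC-CUST-V6
 set transform-set TS-AES256
 set isakmp-profile IKE-CUST-V6
!
interface Tunnel0
 vrf forwarding CUST-V6           ! overlay side in the VRF
 ipv6 address 2001:DB8:FFFF::1/64
 tunnel source GigabitEthernet0/0
 tunnel destination FEC0:0:0:1::2
 tunnel mode ipsec ipv6
 tunnel vrf CUST-V6               ! underlay lookup is meant to use the VRF table
 tunnel protection ipsec profile IPSEC-CUST-V6
!
! Workaround the follow-up reports: a global-table route for the tunnel
! destination whose lookup is pointed into the VRF.
ipv6 route FEC0:0:0:1::2/128 GigabitEthernet0/0 FEC0:0:0:1::2 nexthop-vrf CUST-V6
!
! Verification (same commands the post uses):
!   show crypto session
!   show crypto ipsec sa
```

If the tunnel only comes up with the last route present, the underlay lookup is being done in the global table rather than the VRF named under tunnel vrf, which is the behaviour the thread describes.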

Similar Messages

  • IPSec VRF Aware (Crypto Map)

    Hello!
    I have some problems configuring VRF-aware IPsec (Crypto Map).
    Traffic (from subnet 10.6.6.248/29) does not pass through the router, but if I run the command "ping vrf inside 10.5.5.1 source gi 0/1.737" it works well.
    Configuration below:
    ip vrf outside
     rd 1:1
    ip vrf inside
     rd 2:2
    track 10 ip sla 10 reachability
    ip sla schedule 10 life forever start-time now
    crypto keyring outside vrf outside 
      pre-shared-key address 10.10.10.100 key XXXXXX
    crypto isakmp policy 20
     encr aes 256
     authentication pre-share
     group 2
    crypto isakmp invalid-spi-recovery
    crypto isakmp keepalive 10 periodic
    crypto isakmp profile AS_outside
       vrf inside
       keyring outside
       match identity address 10.10.10.100 255.255.255.255 outside
       isakmp authorization list default
    crypto ipsec transform-set ESP-AES esp-aes 256 esp-sha-hmac
     mode tunnel
    crypto ipsec df-bit clear
    crypto map outside 10 ipsec-isakmp 
     set peer 10.10.10.100
     set security-association idle-time 3600
     set transform-set ESP-AES 
     set pfs group2
     set isakmp-profile AS_outside
     match address inside_access
    ip route vrf inside 10.5.5.0 255.255.255.0 GigabitEthernet0/0.806 10.10.10.100 track 10
    ip access-list extended inside_access
     permit ip 10.6.6.248 0.0.0.7 10.5.5.0 0.0.0.255
    icmp-echo 10.10.10.100 source-interface GigabitEthernet0/0.806
     vrf outside
    interface GigabitEthernet0/0.806
    ip vrf forwarding outside
    ip address 10.10.10.101 255.255.255.0
    crypto map outside
    interface GigabitEthernet0/1.737
    ip vrf forwarding inside
    ip address 10.6.6.252 255.255.255.248

    Hello Frank!
    >>  1. You may want to consider removing the "track 10" from your static route to eliminate any issues that this could be causing.
    I tried it before. Nothing changes.
    >> 2. If you teardown the tunnel, can the traffic from your end client (not the ping generated locally) cause the tunnel to build? If not, you may want to use netflow or ACL counters to verify that your packets are hitting the inside interface.
    That is also checked: NetFlow shows counters, but the ACL counters do not. Source IP is 10.6.6.254/29.
    show command below:
    ISR-vpn-1#show ip cef vrf inside exact-route  10.6.6.254 10.5.5.1
     10.6.6.254  -> 10.5.5.1 => IP adj out of GigabitEthernet0/0.806, addr 10.10.10.100 (incomplete)
    ISR-vpn-1#show ip cef vrf inside 10.24.1.0/24 internal                
    10.5.5.0/24, epoch 0, RIB[S], refcount 5, per-destination sharing
      sources: RIB 
      feature space:
       NetFlow: Origin AS 0, Peer AS 0, Mask Bits 24
      ifnums:
       GigabitEthernet0/0.806(24): 10.10.10.100
      path 22D160E8, path list 22AC27E8, share 1/1, type attached nexthop, for IPv4
      nexthop 10.10.10.100 GigabitEthernet0/0.806, adjacency IP adj out of GigabitEthernet0/0.806, addr 10.10.10.100 (incomplete)
      output chain: IP adj out of GigabitEthernet0/0.806, addr 10.10.10.100 (incomplete)

  • How to configure OSPFv3 with VRF in IOS (a guide)

    Hi everybody,
         I recently found myself in need of configuring VRF-segregated IPv6 routing with OSPFv3 in a pair of IOS 6500s. After a bit of research, I found that although the latest IOS releases for the 6500 (15.1(1)SY for the Sup720 and Sup2T) support configuring OSPFv3 on VRFs, Cisco has yet to release any documentation pertaining to its configuration other than command references. So, I thought I would share some of the pertinent and important details I discovered along the way to getting this working and collect them all in one place to help out anyone else who is trying to do this.
    1. The first thing you need to do is turn it on. Make sure you have enabled IPv6 routing with the "ipv6 unicast-routing" command and IPv6 VRFs with the "mls ipv6 vrf" command. Without these enabled, everything you try that seems like it should work will fail.
    2. You must use the new style VRF definition commands, the old "ip vrf <name>" commands are for IPv4 only. The new style of configuring the VRFs is "vrf definition <name>", under these VRFs you must specify the IP versions you want to run with the "address-family ipv4" and "address-family ipv6" commands. Also the command to place an interface into these VRFs is slightly different as well. On an interface, you must use the "vrf forwarding <name>" command instead of the old "ip vrf forwarding <name>" command.
    3. For OSPFv3 instances, the VRF is defined after you enter the process by using the "address-family ipv6 unicast vrf <name>" command. OSPFv2 instances still define the VRF at the same time as the process using the traditional "router ospf <process> vrf <name>" command.
    4. After you get this all configured the "show ipv6 ospf" commands will no longer work. You need to use the "show ospfv3 vrf" commands instead.
    I have attached a sample configuration of what I did. If anyone out there knows this better than I do, please correct anything I got wrong and/or add anything you think would be helpful. I would just like there to be a good source of info available for this subject, so people don't have to waste their time figuring this out the hard way.
    Best Regards,
    Greg
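The four steps above put together in one configuration, as an added example and not the attachment Greg refers to: the VRF name, VLAN numbers, addresses and OSPFv3 process ID are assumed, and the interface-level `ospfv3 1 ipv6 area 0` form is assumed to be available on the release in use.

```ios
! Added example, not the attachment from the post. VRF name, VLAN
! numbers, addresses and process ID are assumed for illustration.
ipv6 unicast-routing                 ! step 1: IPv6 routing on
mls ipv6 vrf                         ! step 1: IPv6 VRF support on the 6500
!
vrf definition CUST-A                ! step 2: new-style VRF with both AFs
 rd 65000:100
 address-family ipv4
 exit-address-family
 address-family ipv6
 exit-address-family
!
interface Vlan100
 vrf forwarding CUST-A               ! step 2: new-style interface command
 ipv6 address 2001:DB8:100::1/64
 ospfv3 1 ipv6 area 0                ! attach the interface to process 1, AF ipv6
!
interface Vlan200
 vrf forwarding CUST-A
 ipv6 address 2001:DB8:200::1/64
 ospfv3 1 ipv6 area 0
!
router ospfv3 1
 address-family ipv6 unicast vrf CUST-A   ! step 3: VRF is named inside the AF
  router-id 10.255.0.1
  capability vrf-lite                ! vrf-lite box, no PE-style checks
 exit-address-family
!
! step 4: "show ipv6 ospf" no longer applies; use the ospfv3 show commands
!   show ospfv3 ipv6 vrf CUST-A neighbor
!   show ospfv3 ipv6 vrf CUST-A database
```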

    Greg,
    Great information.
    Thanks for posting This!!!
    Reza

  • IPv4 LAN over IPv6 WAN

    With IPv6, I am most concerned today with receiving an IPv6 address from my ISP for my spoke networks.  I don't have plans to convert my spoke LANs or internal application servers to IPv6 anytime soon.  Reviewing all the books and technical documentation out there, I don't see discussion about how to get my IPv4 traffic tunneled through the Internet via an IPv6 carrier, a 4to6 tunnel.  Currently I'm running DMVPN, which appears to support IPv6 tunnels, native and 6to4.  Can anyone provide direction or expertise on how to get IPv4 traffic between enterprise locations as ISPs move to IPv6 addressing?
    Thanks..

    Ryan,
    If this is a question of connecting LANs in different branches:
    The decently scalable option is GRE (with DMVPN being the neatest).
    On top, ASA supports IPv4 in IPv6 IPsec (to other ASAs at this point).
    You might have a bit more challenges if you want to provide access to non-internal resources, Internet, partner sites without IPv4 on WANs.
    M.

  • DMVPN on Dual Stack Hub Site

    Hi,
    I have a dual-stacked DMVPN Hub site. VPN for either IPv4 or IPv6 is working properly, but not both at the same time.
    If the IPv4 peers connect first, then the IPv6 peers are unable to form an IPsec security association, and the other way around. Crypto ISAKMP Phase 1 is built correctly.
    A "show crypto ipsec sa" on the Hub shows only SAs for the kind of peers that connected first. A "show crypto ipsec sa" on the Spoke that is unable to form a security association with the Hub shows a security association, but with no proposals and rising send error counters:
    Spoke (IPv4) SA
    interface: Tunnel1
        Crypto map tag: My-Profile-v4-head-1, local addr 2.2.2.1
       protected vrf: (none)
       local  ident (addr/mask/prot/port): (2.2.2.1/255.255.255.255/47/0)
       remote ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/47/0)
       current_peer 1.1.1.1 port 500
         PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
        #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
        #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 23255, #recv errors 0
         local crypto endpt.: 2.2.2.1, remote crypto endpt.: 1.1.1.1
         plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb (none)
         current outbound spi: 0x0(0)
         PFS (Y/N): N, DH group: none
         inbound esp sas:
         inbound ah sas:
         inbound pcp sas:
         outbound esp sas:
         outbound ah sas:
         outbound pcp sas:
       protected vrf: (none)
    I'm running IOS Version 15.3(2)T, is there some kind of known bug and/or a workaround for this?
    Interface Configuration
    interface GigabitEthernet0
    description ** Outside **
    ip address 1.1.1.1 255.255.255.0
    duplex auto
    speed auto
    ipv6 address 2001:1:1:1::1/64
    Crypto Configuration
    crypto isakmp policy 10
    encr aes 256
    authentication pre-share
    group 14
    crypto isakmp key cisco address 0.0.0.0 no-xauth
    crypto isakmp key cisco address ipv6 ::/0 no-xauth
    crypto isakmp keepalive 10 periodic
    crypto ipsec transform-set My-Set esp-aes 256 esp-sha512-hmac
    mode tunnel
    crypto ipsec profile My-Profile-v4
    description ** IPsec Profile fuer IPv4 Peers **
    set transform-set My-Set
    set pfs group2
    crypto ipsec profile My-Profile-v6
    description ** IPsec Profile fuer IPv6 Peers **
    set transform-set My-Set
    set pfs group2
    Tunnel Configuration
    interface Tunnel1
    description ** DMVPN Intranet IPv4 **
    bandwidth 1000
    ip vrf forwarding VPN
    ip address 10.0.10.1 255.255.255.0
    no ip redirects
    ip mtu 1416
    no ip next-hop-self eigrp 65351
    no ip split-horizon eigrp 65351
    ip pim sparse-mode
    ip nhrp map multicast dynamic
    ip nhrp network-id 1
    ip nhrp holdtime 360
    ip nhrp shortcut
    ip nhrp redirect
    ip tcp adjust-mss 1360
    load-interval 30
    shutdown
    keepalive 10 3
    tunnel source GigabitEthernet0
    tunnel mode gre multipoint
    tunnel key 1
    tunnel protection ipsec profile My-Profile-v4 shared
    interface Tunnel2
    description ** DMVPN Intranet IPv6 **
    bandwidth 1000
    ip vrf forwarding VPN
    ip address 10.0.12.1 255.255.255.0
    ip mtu 1416
    no ip next-hop-self eigrp 65351
    no ip split-horizon eigrp 65351
    ip pim sparse-mode
    ip nhrp map multicast dynamic
    ip nhrp network-id 2
    ip nhrp holdtime 360
    ip nhrp shortcut
    ip nhrp redirect
    ip tcp adjust-mss 1360
    load-interval 30
    keepalive 10 3
    tunnel source GigabitEthernet0
    tunnel mode gre multipoint ipv6
    tunnel key 2
    tunnel protection ipsec profile My-Profile-v6 shared
    Regards,
    Thomas

    Hello Marcin,
    it is working now :-)
    First I was running a dual-stacked spoke as well, but now I am using one IPv4-only and one IPv6-only spoke. The IPsec profiles are "shared" because, besides the two shown tunnels, I have one more IPv4 and IPv6 tunnel for Extranet use. The spoke sites use "shared" as well, because they build a backup VPN tunnel to a second Hub router.
    I have removed the "keepalive 10 3" from my Tunnel interfaces and rebooted the routers and everything is working now.
    Here are my final configurations:
    Crypto
    crypto isakmp policy 10
    encr aes 256
    authentication pre-share
    group 14
    crypto isakmp key cisco address 0.0.0.0 no-xauth
    crypto isakmp key cisco address ipv6 ::/0 no-xauth
    crypto isakmp keepalive 10 periodic
    crypto ipsec transform-set My-Set esp-aes 256 esp-sha512-hmac
    mode tunnel
    crypto ipsec profile My-Profile-v4
    description ** IPsec Profile fuer IPv4 Peers **
    set transform-set My-Set
    set pfs group2
    crypto ipsec profile My-Profile-v6
    description ** IPsec Profile fuer IPv6 Peers **
    set transform-set My-Set
    set pfs group2
    Tunnel Hub Dual Stacked
    interface Tunnel1
    description ** DMVPN Intranet IPv4 **
    bandwidth 1000
    ip vrf forwarding VPN
    ip address 10.0.10.1 255.255.255.0
    no ip redirects
    ip mtu 1416
    no ip next-hop-self eigrp 65351
    no ip split-horizon eigrp 65351
    ip pim sparse-mode
    ip nhrp map multicast dynamic
    ip nhrp network-id 1
    ip nhrp holdtime 360
    ip nhrp shortcut
    ip nhrp redirect
    ip tcp adjust-mss 1360
    load-interval 30
    tunnel source GigabitEthernet0
    tunnel mode gre multipoint
    tunnel key 1
    tunnel protection ipsec profile My-Profile-v4 shared
    interface Tunnel2
    description ** DMVPN Intranet IPv6 **
    bandwidth 1000
    ip vrf forwarding VPN
    ip address 10.0.12.1 255.255.255.0
    ip mtu 1416
    no ip next-hop-self eigrp 65351
    no ip split-horizon eigrp 65351
    ip pim sparse-mode
    ip nhrp map multicast dynamic
    ip nhrp network-id 2
    ip nhrp holdtime 360
    ip nhrp shortcut
    ip nhrp redirect
    ip tcp adjust-mss 1360
    load-interval 30
    tunnel source GigabitEthernet0
    tunnel mode gre multipoint ipv6
    tunnel key 2
    tunnel protection ipsec profile My-Profile-v6 shared
    end
    Tunnel Spoke IPv4
    interface Tunnel1
    description ** DMVPN Intranet IPv4 **
    ip vrf forwarding VPN
    ip address 10.0.10.2 255.255.255.0
    no ip redirects
    ip mtu 1416
    ip pim sparse-mode
    ip nhrp map 10.0.10.1 1.1.1.1
    ip nhrp map multicast 1.1.1.1
    ip nhrp network-id 1
    ip nhrp holdtime 360
    ip nhrp nhs 10.0.10.1
    ip nhrp shortcut
    ip tcp adjust-mss 1360
    delay 1000
    tunnel source GigabitEthernet0
    tunnel mode gre multipoint
    tunnel key 1
    tunnel protection ipsec profile My-Profile-v4 shared
    end
    Tunnel Spoke IPv6
    interface Tunnel1
    description ** DMVPN Intranet IPv6 **
    ip vrf forwarding VPN
    ip address 10.0.12.2 255.255.255.0
    no ip redirects
    ip mtu 1416
    ip pim sparse-mode
    ip nhrp map 10.0.12.1 2001:1:1:1::1
    ip nhrp map multicast 2001:1:1:1::1
    ip nhrp network-id 2
    ip nhrp holdtime 360
    ip nhrp nhs 10.0.12.1
    ip nhrp shortcut
    ip tcp adjust-mss 1360
    delay 1000
    tunnel source GigabitEthernet0
    tunnel mode gre multipoint ipv6
    tunnel key 2
    tunnel protection ipsec profile My-Profile-v6 shared
    end
    Thanks again
    Thomas

  • ToS Preservation with egress remarking on inner packet

    Hi, I am using DMVPN/IPsec/VRFs. On the egress of the DMVPN/VRF tunnel interfaces, I have applied a service policy to remark traffic. Hence the remarking occurs on the inner packet header.
    Assuming qos pre-classify is NOT enabled, does anyone know how 12.4T IOS code should operate? Options:
    1. Copy the "remarked" TOS value to the outer headers as part of the TOS preservation feature
    2. Copy the original (pre remarking) TOS value of the inner packet header as part of the TOS preservation feature
    3. Egress inner packet header remarking disables TOS preservation feature.
    4. Other ?
    Problem Space : At remote sites, I can easily perform the QOS remarking on the router LAN ingress interface, rather than on the egress DMVPN tunnel interface. However at the head end, the DMVPN/IPSEC/VRF routers also happen to be MPLS PE devices. Hence remarking on Layer3/4 (IP/Ports) criteria on the ingress interface is not possible as we are dealing with MPLS labels. Hence why I am attempting to do this on the egress on the DMVPN tunnel/VRF interface.
    thanks
    George

    After testing, I can confirm that option 2 appears to apply.
    TOS preservation uses the original inner header TOS values, rather than the remarked TOS value.
    Hence even if the inner header is remarked (let's say from CS1 to AF11) on egress, the outer IPsec header will still have the original TOS setting, i.e. CS1.
    This aligns with the QoS Order of Operation.
    http://www.cisco.com/en/US/tech/tk543/tk757/technologies_tech_note09186a0080160fc1.shtml
    which states -
    "On the outbound path, common classification happens before any QoS features are applied. A result of this approach is that any QoS features applied on the outbound policy act upon the original priority value. If you need to take actions based on a remarked value on the same router, then you must mark the packets on the incoming interface and apply other QoS actions based on this new priority on the outgoing interface"
    Hopefully the "qos pre-classify" feature should provide the capability to remark both the inner header and outer IPSEC header...back to testing...???
    cheers
    George
    CCIE2980

  • OSPFv3 AF NSSA default-information-originate

    Hi,
    I'm having trouble injecting a default route into OSPFv3 AF NSSA using this config:
    router ospfv3 1520
     auto-cost reference-bandwidth 100000
     address-family ipv6 unicast vrf CUST-1
      redistribute connected route-map SET-TAG-LOCAL
      router-id 100.64.20.9
      capability vrf-lite
      area 1520 nssa default-information-originate
     exit-address-family
    ipv6 route vrf CUST-1 ::/0 2A01:79A0:3000:F8BB::5
    The default route does not get injected into the database. I have to clear the process for this VRF for it to appear in the database:
    ROUTER# sh ospfv3 ipv6 vrf CUST-1 dat | in ::|Type-7
                    Type-7 AS External Link States (Area 1520)
     100.64.20.9     632         0x80000004  2A01:79A0:3000:F8BB::/125
    ROUTER#clear ospfv3 ipv6 vrf CUST-1 process
    Reset selected OSPFv3 processes? [no]: yes
    ROUTER# sh ospfv3 ipv6 vrf I-ST-INSIDE-1 dat | in ::|Type-7
                    Type-7 AS External Link States (Area 1520)
     100.64.20.9     1           0x80000001  ::/0
     100.64.20.9     1           0x80000001  2A01:79A0:3000:F8BB::/125
    ROUTER#
    Any help is greatly appreciated.
    Thanks.
    /JZ

    Hi,
    A quick check of the config guide shows that their examples of default origination in OSPFv3 use the 'default information-originate' command. This can be tied in with a route-map in order to match a certain condition, i.e. the statement is configured under the process, not using the 'area' command.
    1. create prefix -list matching routes (these form the matching condition)
    2. create a route-map - with a permit statement matching the prefix-list.
    3. default information-originate route-map [map name]
    HTH
    Mike

  • BT Infinity still lagging with Fifa on Xbox One (W...

    So I made many posts last year about my unlimited BT Infinity package (~55 Mb down, 16 Mb up) not working with Fifa 14/13 on the 360. I counted about 20 or 30 people experiencing the same issues last year.
    The bad news is it's exactly the same on the Xbox One, so anyone who had trouble with delay/lag reaching easo.ea.com last year, don't waste your time with Infinity if you plan on getting an Xbox One.
    Averaging 120-160 ms ping on the servers that Xbox One uses in California for Fifa; absolute joke. I had a better connection back in 2004 playing Team Fortress.
    Any word or hope of BT attempting to look into the long-acknowledged problem?
    Also a random other question, but I read Xbox One servers can use IPv6/IPsec protocols. How do we set this up on our BT routers?

    IPv6 is currently not available on BT residential services. As to server issues, they still happen and nearly always appear at the game server's end, and they always seem unwilling to admit to the problems. Similar problems seem to appear on various ISPs worldwide, not just BT.

  • HP LaserJet 5200 cannot set IP manually.

    Hi!
    In my HP LaserJet 5200, the field where you input the IP address (configuration -> JetDirect -> TCP/IP) is empty.
    How can I set the IP address?
    Thank you!

    This printer needs "JetDirect" to operate as a network printer.  Or, you would need to set up printer sharing through the computer you have it connected to.
    Do you have any of the following on your printer?
    Optional connectivity for the HP LJ5200:
    HP Jetdirect 175x Fast Ethernet Print Server (J6035G), HP Jetdirect en3700 Fast Ethernet Print Server (J7942G), HP Jetdirect 620n Fast Ethernet Print Server (J7934G), HP Jetdirect 625n Gigabit Ethernet Print Server (J7960G), HP Jetdirect 635n IPv6/IPsec Print Server (J7961G), HP Jetdirect ew2400 802.11g Wireless Print Server (J7951G)
    If your model is not network ready, you'd need to buy a print server.
    For wireless connectivity, you might take a look at Apple's Airport Express, which allows a USB printer to be plugged in to it, and then wireless connectivity from network computers, that are wireless capable.
    If you've had wireless connectivity with this printer before, then you should be able to access it from the computer it's attached to, I'd think, by going to printer settings, and configuring from there.
    Sorry I can't be of more help, as I've not had personal use of that particular model.   Maybe someone will chime in.

  • VRF IPSec to ASA

    I am trying to set up a VRF IPsec to ASA VPN tunnel. The VRF IPsec router is at the head office and the ASA is at the customer end. I can successfully establish the tunnel when I initiate a ping from the ASA end (the ping was successful). However, I am getting errors in the IPsec stats when I initiate the ping from the head office (ping between the same hosts as before). A debug was captured from the VRF router. I wonder if you can see the problem from the debug. I appreciate your help in advance.
    GTO-ClientEdge-RT1#sh cry ipse sa
    interface: GigabitEthernet0/0
        Crypto map tag: gto_share_map, local addr 192.33.232.209
       protected vrf: vrf-veridian
       local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
       remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
       current_peer 173.46.8.98 port 500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
        #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 15, #recv errors 0
         local crypto endpt.: 192.33.232.209, remote crypto endpt.: 173.46.8.98
         path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
         current outbound spi: 0x0(0)
         PFS (Y/N): N, DH group: none
         inbound esp sas:
         inbound ah sas:
         inbound pcp sas:
         outbound esp sas:
         outbound ah sas:
         outbound pcp sas:
    Crypto ISAKMP debugging is on
    GTO-ClientEdge-RT1#
    Nov 19 22:46:29.702: ISAKMP:(0): SA request profile is veridian-ike-prof
    Nov 19 22:46:29.702: ISAKMP: Created a peer struct for 173.46.8.98, peer port 500
    Nov 19 22:46:29.702: ISAKMP: New peer created peer = 0x10927E8 peer_handle = 0x80000019
    Nov 19 22:46:29.702: ISAKMP: Locking peer struct 0x10927E8, refcount 1 for isakmp_initiator
    Nov 19 22:46:29.702: ISAKMP:(0):Setting client config settings 131406B8
    Nov 19 22:46:29.702: ISAKMP/xauth: initializing AAA request
    Nov 19 22:46:29.702: ISAKMP: local port 500, remote port 500
    Nov 19 22:46:29.702: ISAKMP: set new node 0 to QM_IDLE     
    Nov 19 22:46:29.702: ISAKMP:(0):insert sa successfully sa = 1235BF68
    Nov 19 22:46:29.702: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
    Nov 19 22:46:29.702: ISAKMP:(0):Found ADDRESS key in keyring internet-keyring
    Nov 19 22:46:29.702: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
    Nov 19 22:46:29.702: ISAKMP:(0): constructed NAT-T vendor-07 ID
    Nov 19 22:46:29.702: ISAKMP:(0): constructed NAT-T vendor-03 ID
    Nov 19 22:46:29.702: ISAKMP:(0): constructed NAT-T vendor-02 ID
    Nov 19 22:46:29.702: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
    Nov 19 22:46:29.702: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
    Nov 19 22:46:29.702: ISAKMP:(0): beginning Main Mode exchange
    Nov 19 22:46:29.702: ISAKMP:(0): sending packet to 173.46.8.98 my_port 500 peer_port 500 (I) MM_NO_STATE
    Nov 19 22:46:29.702: ISAKMP:(0):Sending an IKE IPv4 Packet.
    Nov 19 22:46:29.702: ISAKMP (0): received packet from 173.46.8.98 dport 500 sport 500 vrf-internet (I) MM_NO_STATE
    Nov 19 22:46:29.702: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    Nov 19 22:46:29.702: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2
    Nov 19 22:46:29.702: ISAKMP:(0): processing SA payload. message ID = 0
    Nov 19 22:46:29.702: ISAKMP:(0): processing vendor id payload
    Nov 19 22:46:29.702: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
    Nov 19 22:46:29.702: ISAKMP:(0): vendor ID is NAT-T v2
    Nov 19 22:46:29.702: ISAKMP:(0): processing vendor id payload
    Nov 19 22:46:29.702: ISAKMP:(0): processing IKE frag vendor id payload
    Nov 19 22:46:29.702: ISAKMP:(0):Support for IKE Fragmentation not enabled
    Nov 19 22:46:29.702: ISAKMP:(0):Found ADDRESS key in keyring internet-keyring
    Nov 19 22:46:29.702: ISAKMP:(0): local preshared key found
    Nov 19 22:46:29.702: ISAKMP : Looking for xauth in profile veridian-ike-prof
    Nov 19 22:46:29.702: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
    Nov 19 22:46:29.702: ISAKMP:      encryption AES-CBC
    Nov 19 22:46:29.702: ISAKMP:      keylength of 256
    Nov 19 22:46:29.702: ISAKMP:      hash SHA
    Nov 19 22:46:29.702: ISAKMP:      default group 5
    Nov 19 22:46:29.702: ISAKMP:      auth pre-share
    Nov 19 22:46:29.702: ISAKMP:      life type in seconds
    Nov 19 22:46:29.702: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
    Nov 19 22:46:29.702: ISAKMP:(0):atts are acceptable. Next payload is 0
    Nov 19 22:46:29.702: ISAKMP:(0):Acceptable atts:actual life: 0
    Nov 19 22:46:29.702: ISAKMP:(0):Acceptable atts:life: 0
    Nov 19 22:46:29.702: ISAKMP:(0):Fill atts in sa vpi_length:4
    Nov 19 22:46:29.702: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
    Nov 19 22:46:29.702: ISAKMP:(0):Returning Actual lifetime: 86400
    Nov 19 22:46:29.702: ISAKMP:(0)::Started lifetime timer: 86400.
    Nov 19 22:46:29.702: ISAKMP:(0): processing vendor id payload
    Nov 19 22:46:29.706: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
    Nov 19 22:46:29.706: ISAKMP:(0): vendor ID is NAT-T v2
    Nov 19 22:46:29.706: ISAKMP:(0): processing vendor id payload
    Nov 19 22:46:29.706: ISAKMP:(0): processing IKE frag vendor id payload
    Nov 19 22:46:29.706: ISAKMP:(0):Support for IKE Fragmentation not enabled
    Nov 19 22:46:29.706: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    Nov 19 22:46:29.706: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2
    Nov 19 22:46:29.706: ISAKMP:(0): sending packet to 173.46.8.98 my_port 500 peer_port 500 (I) MM_SA_SETUP
    Nov 19 22:46:29.706: ISAKMP:(0):Sending an IKE IPv4 Packet.
    Nov 19 22:46:29.706: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    Nov 19 22:46:29.706: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3
    Nov 19 22:46:29.802: ISAKMP (0): received packet from 173.46.8.98 dport 500 sport 500 vrf-internet (I) MM_SA_SETUP
    Nov 19 22:46:29.802: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    Nov 19 22:46:29.802: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4
    Nov 19 22:46:29.802: ISAKMP:(0): processing KE payload. message ID = 0
    Nov 19 22:46:29.806: ISAKMP:(0): processing NONCE payload. message ID = 0
    Nov 19 22:46:29.806: ISAKMP:(0):Found ADDRESS key in keyring internet-keyring
    Nov 19 22:46:29.806: ISAKMP:(9023): processing vendor id payload
    Nov 19 22:46:29.806: ISAKMP:(9023): vendor ID is Unity
    Nov 19 22:46:29.806: ISAKMP:(9023): processing vendor id payload
    Nov 19 22:46:29.806: ISAKMP:(9023): vendor ID seems Unity/DPD but major 86 mismatch
    Nov 19 22:46:29.806: ISAKMP:(9023): vendor ID is XAUTH
    Nov 19 22:46:29.806: ISAKMP:(9023): processing vendor id payload
    Nov 19 22:46:29.806: ISAKMP:(9023): speaking to another IOS box!
    Nov 19 22:46:29.806: ISAKMP:(9023): processing vendor id payload
    Nov 19 22:46:29.806: ISAKMP:(9023):vendor ID seems Unity/DPD but hash mismatch
    Nov 19 22:46:29.806: ISAKMP:received payload type 20
    Nov 19 22:46:29.806: ISAKMP (9023): His hash no match - this node outside NAT
    Nov 19 22:46:29.806: ISAKMP:received payload type 20
    Nov 19 22:46:29.806: ISAKMP (9023): No NAT Found for self or peer
    Nov 19 22:46:29.806: ISAKMP:(9023):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    Nov 19 22:46:29.806: ISAKMP:(9023):Old State = IKE_I_MM4  New State = IKE_I_MM4
    Nov 19 22:46:29.806: ISAKMP:(9023):Send initial contact
    Nov 19 22:46:29.806: ISAKMP:(9023):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
    Nov 19 22:46:29.806: ISAKMP (9023): ID payload
            next-payload : 8
            type         : 1
            address      : 192.33.232.209
            protocol     : 17
            port         : 500
            length       : 12
    Nov 19 22:46:29.806: ISAKMP:(9023):Total payload length: 12
    Nov 19 22:46:29.806: ISAKMP:(9023): sending packet to 173.46.8.98 my_port 500 peer_port 500 (I) MM_KEY_EXCH
    Nov 19 22:46:29.806: ISAKMP:(9023):Sending an IKE IPv4 Packet.
    Nov 19 22:46:29.806: ISAKMP:(9023):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    Nov 19 22:46:29.806: ISAKMP:(9023):Old State = IKE_I_MM4  New State = IKE_I_MM5
    Nov 19 22:46:29.806: ISAKMP (9023): received packet from 173.46.8.98 dport 500 sport 500 vrf-internet (I) MM_KEY_EXCH
    Nov 19 22:46:29.806: ISAKMP:(9023): processing ID payload. message ID = 0
    Nov 19 22:46:29.806: ISAKMP (9023): ID payload
            next-payload : 8
            type         : 1
            address      : 173.46.8.98
            protocol     : 17
            port         : 0
            length       : 12
    Nov 19 22:46:29.806: ISAKMP:(9023): processing HASH payload. message ID = 0
    Nov 19 22:46:29.806: ISAKMP:received payload type 17
    Nov 19 22:46:29.806: ISAKMP:(9023): processing vendor id payload
    Nov 19 22:46:29.806: ISAKMP:(9023): vendor ID is DPD
    Nov 19 22:46:29.806: ISAKMP:(9023):SA authentication status:
            authenticated
    Nov 19 22:46:29.806: ISAKMP:(9023):SA has been authenticated with 173.46.8.98
    Nov 19 22:46:29.806: ISAKMP: Trying to insert a peer 192.33.232.209/173.46.8.98/500/vrf-internet,  and inserted successfully 10927E8.
    Nov 19 22:46:29.806: ISAKMP:(9023):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    Nov 19 22:46:29.806: ISAKMP:(9023):Old State = IKE_I_MM5  New State = IKE_I_MM6
    Nov 19 22:46:29.806: ISAKMP:(9023):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    Nov 19 22:46:29.806: ISAKMP:(9023):Old State = IKE_I_MM6  New State = IKE_I_MM6
    Nov 19 22:46:29.806: ISAKMP:(9023):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    Nov 19 22:46:29.806: ISAKMP:(9023):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
    Nov 19 22:46:29.806: ISAKMP:(9023):beginning Quick Mode exchange, M-ID of 2851020903
    Nov 19 22:46:29.806: ISAKMP:(9023):QM Initiator gets spi
    Nov 19 22:46:29.806: ISAKMP:(9023): sending packet to 173.46.8.98 my_port 500 peer_port 500 (I) QM_IDLE     
    Nov 19 22:46:29.806: ISAKMP:(9023):Sending an IKE IPv4 Packet.
    Nov 19 22:46:29.806: ISAKMP:(9023):Node 2851020903, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
    Nov 19 22:46:29.806: ISAKMP:(9023):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
    Nov 19 22:46:29.806: ISAKMP:(9023):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
    Nov 19 22:46:29.806: ISAKMP:(9023):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
    Nov 19 22:46:29.810: ISAKMP (9023): received packet from 173.46.8.98 dport 500 sport 500 vrf-internet (I) QM_IDLE     
    Nov 19 22:46:29.810: ISAKMP: set new node 1512038398 to QM_IDLE     
    Nov 19 22:46:29.810: ISAKMP:(9023): processing HASH payload. message ID = 1512038398
    Nov 19 22:46:29.810: ISAKMP:(9023): processing NOTIFY INVALID_ID_INFO protocol 1
            spi 0, message ID = 1512038398, sa = 0x1235BF68
    Nov 19 22:46:29.810: ISAKMP:(9023):peer does not do paranoid keepalives.
    Nov 19 22:46:29.810: ISAKMP:(9023):deleting SA reason "Recevied fatal informational" state (I) QM_IDLE       (peer 173.46.8.98)
    Nov 19 22:46:29.810: ISAKMP:(9023):deleting node 1512038398 error FALSE reason "Informational (in) state 1"
    Nov 19 22:46:29.810: ISAKMP:(9023):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
    Nov 19 22:46:29.810: ISAKMP:(9023):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
    Nov 19 22:46:29.810: ISAKMP: set new node 260072841 to QM_IDLE     
    Nov 19 22:46:29.810: ISAKMP:(9023): sending packet to 173.46.8.98 my_port 500 peer_port 500 (I) QM_IDLE     
    Nov 19 22:46:29.810: ISAKMP:(9023):Sending an IKE IPv4 Packet.
    Nov 19 22:46:29.810: ISAKMP:(9023):purging node 260072841
    Nov 19 22:46:29.810: ISAKMP:(9023):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
    Nov 19 22:46:29.810: ISAKMP:(9023):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA
    Nov 19 22:46:29.810: ISAKMP:(9023):deleting SA reason "Recevied fatal informational" state (I) QM_IDLE       (peer 173.46.8.98)
    Nov 19 22:46:29.810: ISAKMP: Unlocking peer struct 0x10927E8 for isadb_mark_sa_deleted(), count 0
    Nov 19 22:46:29.810: ISAKMP: Deleting peer node by peer_reap for 173.46.8.98: 10927E8
    Nov 19 22:46:29.810: ISAKMP:(9023):deleting node -1443946393 error FALSE reason "IKE deleted"
    Nov 19 22:46:29.810: ISAKMP:(9023):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    Nov 19 22:46:29.810: ISAKMP:(9023):Old State = IKE_DEST_SA  New State = IKE_DEST_SA
    Nov 19 22:46:29.810: ISAKMP (9023): received packet from 173.46.8.98 dport 500 sport 500 vrf-internet (I) MM_NO_STATE-RT1#
    GTO-ClientEdge-RT1#sh cry isakmp sa
    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id status
    173.46.8.98     192.33.232.209  MM_NO_STATE       9023 ACTIVE (deleted) veridian-ike-prof
    IPv6 Crypto ISAKMP SA
    GTO-ClientEdge-RT1#
    Nov 19 22:46:59.702: ISAKMP:(0): SA request profile is veridian-ike-prof
    Nov 19 22:46:59.702: ISAKMP: Created a peer struct for 173.46.8.98, peer port 500
    Nov 19 22:46:59.702: ISAKMP: New peer created peer = 0x10927E8 peer_handle = 0x8000001A
    Nov 19 22:46:59.702: ISAKMP: Locking peer struct 0x10927E8, refcount 1 for isakmp_initiator
    Nov 19 22:46:59.702: ISAKMP:(0):Setting client config settings 1CA9BE8
    Nov 19 22:46:59.702: ISAKMP/xauth: initializing AAA request
    Nov 19 22:46:59.702: ISAKMP: local port 500, remote port 500
    Nov 19 22:46:59.702: ISAKMP: set new node 0 to QM_IDLE     
    Nov 19 22:46:59.702: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 1235C984
    Nov 19 22:46:59.702: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
    Nov 19 22:46:59.702: ISAKMP:(0):Found ADDRESS key in keyring internet-keyring
    Nov 19 22:46:59.702: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
    Nov 19 22:46:59.702: ISAKMP:(0): constructed NAT-T vendor-07 ID
    Nov 19 22:46:59.702: ISAKMP:(0): constructed NAT-T vendor-03 ID
    Nov 19 22:46:59.702: ISAKMP:(0): constructed NAT-T vendor-02 ID
    Nov 19 22:46:59.702: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
    Nov 19 22:46:59.702: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
    Nov 19 22:46:59.702: ISAKMP:(0): beginning Main Mode exchange
    Nov 19 22:46:59.702: ISAKMP:(0): sending packet to 173.46.8.98 my_port 500 peer_port 500 (I) MM_NO_STATE
    Nov 19 22:46:59.702: ISAKMP:(0):Sending an IKE IPv4 Packet.
    Nov 19 22:46:59.702: ISAKMP (0): received packet from 173.46.8.98 dport 500 sport 500 vrf-internet (I) MM_NO_STATE
    Nov 19 22:46:59.702: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    Nov 19 22:46:59.702: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2
    Nov 19 22:46:59.702: ISAKMP:(0): processing SA payload. message ID = 0
    Nov 19 22:46:59.702: ISAKMP:(0): processing vendor id payload
    Nov 19 22:46:59.702: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
    Nov 19 22:46:59.702: ISAKMP:(0): vendor ID is NAT-T v2
    Nov 19 22:46:59.702: ISAKMP:(0): processing vendor id payload
    Nov 19 22:46:59.702: ISAKMP:(0): processing IKE frag vendor id payload
    Nov 19 22:46:59.702: ISAKMP:(0):Support for IKE Fragmentation not enabled
    Nov 19 22:46:59.702: ISAKMP:(0):Found ADDRESS key in keyring internet-keyring
    Nov 19 22:46:59.702: ISAKMP:(0): local preshared key found
    Nov 19 22:46:59.702: ISAKMP : Looking for xauth in profile veridian-ike-prof
    Nov 19 22:46:59.702: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
    Nov 19 22:46:59.702: ISAKMP:      encryption AES-CBC
    Nov 19 22:46:59.702: ISAKMP:      keylength of 256
    Nov 19 22:46:59.702: ISAKMP:      hash SHA
    Nov 19 22:46:59.702: ISAKMP:      default group 5
    Nov 19 22:46:59.702: ISAKMP:      auth pre-share
    Nov 19 22:46:59.702: ISAKMP:      life type in seconds
    Nov 19 22:46:59.702: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
    Nov 19 22:46:59.702: ISAKMP:(0):atts are acceptable. Next payload is 0
    Nov 19 22:46:59.702: ISAKMP:(0):Acceptable atts:actual life: 0
    Nov 19 22:46:59.702: ISAKMP:(0):Acceptable atts:life: 0
    Nov 19 22:46:59.702: ISAKMP:(0):Fill atts in sa vpi_length:4
    Nov 19 22:46:59.702: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
    Nov 19 22:46:59.702: ISAKMP:(0):Returning Actual lifetime: 86400
    Nov 19 22:46:59.702: ISAKMP:(0)::Started lifetime timer: 86400.
    Nov 19 22:46:59.702: ISAKMP:(0): processing vendor id payload
    Nov 19 22:46:59.702: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
    Nov 19 22:46:59.702: ISAKMP:(0): vendor ID is NAT-T v2
    Nov 19 22:46:59.702: ISAKMP:(0): processing vendor id payload
    Nov 19 22:46:59.702: ISAKMP:(0): processing IKE frag vendor id payload
    Nov 19 22:46:59.702: ISAKMP:(0):Support for IKE Fragmentation not enabled
    Nov 19 22:46:59.702: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    Nov 19 22:46:59.702: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2
    Nov 19 22:46:59.702: ISAKMP:(0): sending packet to 173.46.8.98 my_port 500 peer_port 500 (I) MM_SA_SETUP
    Nov 19 22:46:59.702: ISAKMP:(0):Sending an IKE IPv4 Packet.
    Nov 19 22:46:59.702: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    Nov 19 22:46:59.702: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3
    Nov 19 22:46:59.798: ISAKMP (0): received packet from 173.46.8.98 dport 500 sport 500 vrf-internet (I) MM_SA_SETUP
    Nov 19 22:46:59.798: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    Nov 19 22:46:59.798: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4
    Nov 19 22:46:59.798: ISAKMP:(0): processing KE payload. message ID = 0
    Nov 19 22:46:59.802: ISAKMP:(0): processing NONCE payload. message ID = 0
    Nov 19 22:46:59.802: ISAKMP:(0):Found ADDRESS key in keyring internet-keyring
    Nov 19 22:46:59.802: ISAKMP:(9024): processing vendor id payload
    Nov 19 22:46:59.802: ISAKMP:(9024): vendor ID is Unity
    Nov 19 22:46:59.802: ISAKMP:(9024): processing vendor id payload
    Nov 19 22:46:59.802: ISAKMP:(9024): vendor ID seems Unity/DPD but major 108 mismatch
    Nov 19 22:46:59.802: ISAKMP:(9024): vendor ID is XAUTH
    Nov 19 22:46:59.802: ISAKMP:(9024): processing vendor id payload
    Nov 19 22:46:59.802: ISAKMP:(9024): speaking to another IOS box!
    Nov 19 22:46:59.802: ISAKMP:(9024): processing vendor id payload
    Nov 19 22:46:59.802: ISAKMP:(9024):vendor ID seems Unity/DPD but hash mismatch
    Nov 19 22:46:59.802: ISAKMP:received payload type 20
    Nov 19 22:46:59.802: ISAKMP (9024): His hash no match - this node outside NAT
    Nov 19 22:46:59.802: ISAKMP:received payload type 20
    Nov 19 22:46:59.802: ISAKMP (9024): No NAT Found for self or peer
    Nov 19 22:46:59.802: ISAKMP:(9024):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    Nov 19 22:46:59.802: ISAKMP:(9024):Old State = IKE_I_MM4  New State = IKE_I_MM4
    Nov 19 22:46:59.802: ISAKMP:(9024):Send initial contact
    Nov 19 22:46:59.802: ISAKMP:(9024):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
    Nov 19 22:46:59.802: ISAKMP (9024): ID payload
            next-payload : 8
            type         : 1
            address      : 192.33.232.209
            protocol     : 17
            port         : 500
            length       : 12
    Nov 19 22:46:59.802: ISAKMP:(9024):Total payload length: 12
    Nov 19 22:46:59.802: ISAKMP:(9024): sending packet to 173.46.8.98 my_port 500 peer_port 500 (I) MM_KEY_EXCH
    Nov 19 22:46:59.802: ISAKMP:(9024):Sending an IKE IPv4 Packet.
    Nov 19 22:46:59.802: ISAKMP:(9024):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    Nov 19 22:46:59.802: ISAKMP:(9024):Old State = IKE_I_MM4  New State = IKE_I_MM5
    Nov 19 22:46:59.806: ISAKMP (9024): received packet from 173.46.8.98 dport 500 sport 500 vrf-internet (I) MM_KEY_EXCH
    Nov 19 22:46:59.806: ISAKMP:(9024): processing ID payload. message ID = 0
    Nov 19 22:46:59.806: ISAKMP (9024): ID payload
            next-payload : 8
            type         : 1
            address      : 173.46.8.98
            protocol     : 17
            port         : 0
            length       : 12
    Nov 19 22:46:59.806: ISAKMP:(9024): processing HASH payload. message ID = 0
    Nov 19 22:46:59.806: ISAKMP:received payload type 17
    Nov 19 22:46:59.806: ISAKMP:(9024): processing vendor id payload
    Nov 19 22:46:59.806: ISAKMP:(9024): vendor ID is DPD
    Nov 19 22:46:59.806: ISAKMP:(9024):SA authentication status:
            authenticated
    Nov 19 22:46:59.806: ISAKMP:(9024):SA has been authenticated with 173.46.8.98
    Nov 19 22:46:59.806: ISAKMP: Trying to insert a peer 192.33.232.209/173.46.8.98/500/vrf-internet,  and inserted successfully 10927E8.
    Nov 19 22:46:59.806: ISAKMP:(9024):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    Nov 19 22:46:59.806: ISAKMP:(9024):Old State = IKE_I_MM5  New State = IKE_I_MM6
    Nov 19 22:46:59.806: ISAKMP:(9024):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    Nov 19 22:46:59.806: ISAKMP:(9024):Old State = IKE_I_MM6  New State = IKE_I_MM6
    Nov 19 22:46:59.806: ISAKMP:(9024):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    Nov 19 22:46:59.806: ISAKMP:(9024):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
    Nov 19 22:46:59.806: ISAKMP:(9024):beginning Quick Mode exchange, M-ID of 920032514
    Nov 19 22:46:59.806: ISAKMP:(9024):QM Initiator gets spi
    Nov 19 22:46:59.806: ISAKMP:(9024): sending packet to 173.46.8.98 my_port 500 peer_port 500 (I) QM_IDLE     
    Nov 19 22:46:59.806: ISAKMP:(9024):Sending an IKE IPv4 Packet.
    Nov 19 22:46:59.806: ISAKMP:(9024):Node 920032514, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
    Nov 19 22:46:59.806: ISAKMP:(9024):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
    Nov 19 22:46:59.806: ISAKMP:(9024):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
    Nov 19 22:46:59.806: ISAKMP:(9024):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
    Nov 19 22:46:59.806: ISAKMP (9024): received packet from 173.46.8.98 dport 500 sport 500 vrf-internet (I) QM_IDLE     
    Nov 19 22:46:59.806: ISAKMP: set new node -165090978 to QM_IDLE     
    Nov 19 22:46:59.806: ISAKMP:(9024): processing HASH payload. message ID = 4129876318
    Nov 19 22:46:59.806: ISAKMP:(9024): processing NOTIFY INVALID_ID_INFO protocol 1
            spi 0, message ID = 4129876318, sa = 0x1235C984
    Nov 19 22:46:59.806: ISAKMP:(9024):peer does not do paranoid keepalives.
    Nov 19 22:46:59.806: ISAKMP:(9024):deleting SA reason "Recevied fatal informational" state (I) QM_IDLE       (peer 173.46.8.98)
    Nov 19 22:46:59.806: ISAKMP:(9024):deleting node -165090978 error FALSE reason "Informational (in) state 1"
    Nov 19 22:46:59.806: ISAKMP:(9024):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
    Nov 19 22:46:59.806: ISAKMP:(9024):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
    Nov 19 22:46:59.806: ISAKMP: set new node 1564252651 to QM_IDLE     
    Nov 19 22:46:59.806: ISAKMP:(9024): sending packet to 173.46.8.98 my_port 500 peer_port 500 (I) QM_IDLE     
    Nov 19 22:46:59.806: ISAKMP:(9024):Sending an IKE IPv4 Packet.
    Nov 19 22:46:59.806: ISAKMP:(9024):purging node 1564252651
    Nov 19 22:46:59.806: ISAKMP:(9024):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
    Nov 19 22:46:59.806: ISAKMP:(9024):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA
    Nov 19 22:46:59.810: ISAKMP:(9024):deleting SA reason "Recevied fatal informational" state (I) QM_IDLE       (peer 173.46.8.98)
    Nov 19 22:46:59.810: ISAKMP: Unlocking peer struct 0x10927E8 for isadb_mark_sa_deleted(), count 0
    Nov 19 22:46:59.810: ISAKMP: Deleting peer node by peer_reap for 173.46.8.98: 10927E8
    Nov 19 22:46:59.810: ISAKMP:(9024):deleting node 920032514 error FALSE reason "IKE deleted"
    Nov 19 22:46:59.810: ISAKMP:(9024):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    Nov 19 22:46:59.810: ISAKMP:(9024):Old State = IKE_DEST_SA  New State = IKE_DEST_SA
    Nov 19 22:46:59.810: ISAKMP (9024): received packet from 173.46.8.98 dport 500 sport 500 vrf-internet (I) MM_NO_STATE-RT1#

    ASA doesn't like what you're sending.
    Nov 19 22:46:29.810: ISAKMP (9023): received packet from 173.46.8.98 dport 500 sport 500 vrf-internet (I) QM_IDLE
    Nov 19 22:46:29.810: ISAKMP: set new node 1512038398 to QM_IDLE
    Nov 19 22:46:29.810: ISAKMP:(9023): processing HASH payload. message ID = 1512038398
    Nov 19 22:46:29.810: ISAKMP:(9023): processing NOTIFY INVALID_ID_INFO protocol 1
    Check what's happening around QM1 on ASA.
    For reference working debugs:
    http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080bce100.shtml
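The reply above points at the NOTIFY INVALID_ID_INFO that arrives right after Quick Mode starts, and the usual triage question with this kind of debug is simply "which phase died, and why". The Python script below is an added example, not code from the thread or from Cisco: it reads IOS `debug crypto isakmp` output in the line format shown above, groups lines by conn-id, records state transitions, notifies, retransmissions and the SA deletion reason, and reports whether a session failed in phase 1 (no reply from the peer, death by retransmission) or in phase 2 (a fatal notify after IKE_P1_COMPLETE, as in the debug above). The sample debug lines are constructed, using the documentation address 198.51.100.7; the conn-ids are labels only, and the `vrf-internet` token is captured as whatever IOS prints before `(I)`/`(R)`.

```python
import re
from dataclasses import dataclass, field

# Constructed sample (not the thread's verbatim debug): two ISAKMP sessions in the
# same line format as IOS "debug crypto isakmp". conn-id 9023 reaches phase 1 and is
# torn down by a fatal notify during Quick Mode; conn-id 0 never hears back from the
# peer and dies by retransmission. 198.51.100.7 is a documentation address.
SAMPLE_DEBUG = """\
Nov 19 22:46:29.806: ISAKMP:(9023):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
Nov 19 22:46:29.806: ISAKMP:(9023):beginning Quick Mode exchange, M-ID of 2851020903
Nov 19 22:46:29.806: ISAKMP:(9023):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
Nov 19 22:46:29.810: ISAKMP (9023): received packet from 198.51.100.7 dport 500 sport 500 vrf-internet (I) QM_IDLE
Nov 19 22:46:29.810: ISAKMP:(9023): processing NOTIFY INVALID_ID_INFO protocol 1
Nov 19 22:46:29.810: ISAKMP:(9023):deleting SA reason "Recevied fatal informational" state (I) QM_IDLE       (peer 198.51.100.7)
Nov 19 22:46:29.810: ISAKMP:(9023):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA
Nov 19 22:50:01.100: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
Nov 19 22:50:01.100: ISAKMP:(0): sending packet to 198.51.100.7 my_port 500 peer_port 500 (I) MM_NO_STATE
Nov 19 22:50:11.100: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Nov 19 22:50:21.100: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Nov 19 22:51:01.100: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 198.51.100.7)
Nov 19 22:51:01.100: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_DEST_SA
"""

STATE_RE = re.compile(r'ISAKMP:\((\d+)\):Old State = (\S+)\s+New State = (\S+)')
NOTIFY_RE = re.compile(r'ISAKMP:\((\d+)\): processing NOTIFY (\S+) protocol (\d+)')
DELETE_RE = re.compile(r'ISAKMP:\((\d+)\):deleting SA reason "([^"]+)" state \(([IR])\) (\S+)\s+\(peer (\S+)\)')
RECV_RE = re.compile(r'ISAKMP \((\d+)\): received packet from (\S+) dport \d+ sport \d+ (\S+) \(([IR])\)')
RETX_RE = re.compile(r'ISAKMP:\((\d+)\): retransmitting phase (\d)')


@dataclass
class Session:
    conn_id: str
    peer: str = ""
    context: str = ""   # token IOS prints before (I)/(R): VRF or global-table label
    role: str = ""      # I = initiator, R = responder
    states: list = field(default_factory=list)     # "New State" values in order
    notifies: list = field(default_factory=list)   # (notify type, protocol)
    retransmits: int = 0
    delete_reason: str = ""

    @property
    def final_state(self) -> str:
        return self.states[-1] if self.states else ""

    @property
    def phase1_complete(self) -> bool:
        return "IKE_P1_COMPLETE" in self.states

    @property
    def quick_mode_started(self) -> bool:
        return any(s.startswith("IKE_QM_") for s in self.states)


def triage(debug_text: str) -> dict:
    """Group debug lines by conn-id and collect the facts a verdict needs.
    IOS logs the early main-mode messages under conn-id 0 until a conn-id is
    assigned (visible in the thread's own output), so 0 is a catch-all bucket."""
    sessions: dict = {}

    def get(cid: str) -> Session:
        return sessions.setdefault(cid, Session(cid))

    for line in debug_text.splitlines():
        if m := STATE_RE.search(line):
            get(m.group(1)).states.append(m.group(3))
        elif m := NOTIFY_RE.search(line):
            get(m.group(1)).notifies.append((m.group(2), int(m.group(3))))
        elif m := DELETE_RE.search(line):
            s = get(m.group(1))
            s.delete_reason, s.role, s.peer = m.group(2), m.group(3), m.group(5)
        elif m := RECV_RE.search(line):
            s = get(m.group(1))
            s.peer, s.context, s.role = m.group(2), m.group(3), m.group(4)
        elif m := RETX_RE.search(line):
            get(m.group(1)).retransmits += 1
    return sessions


def verdict(s: Session) -> str:
    """Say which IKE phase failed and what to compare on the two peers."""
    if s.phase1_complete:
        if not s.delete_reason and s.final_state != "IKE_DEST_SA":
            return "Phase 1 up; no failure recorded"
        if s.quick_mode_started and any(n == "INVALID_ID_INFO" for n, _ in s.notifies):
            return ("Phase 2 failed: peer answered Quick Mode with INVALID_ID_INFO; "
                    "compare the proxy identities (crypto ACL / traffic selectors) on both ends")
        return f"Phase 2 failed: {s.delete_reason or s.final_state}"
    if s.retransmits or "retransmission" in s.delete_reason.lower():
        return ("Phase 1 failed: no reply from the peer; check that the peer is reachable "
                "in the routing table or VRF the tunnel source sits in and that UDP 500 is not filtered")
    return f"Phase 1 failed: {s.delete_reason or s.final_state or 'no state recorded'}"


def report(debug_text: str) -> dict:
    """Map conn-id -> one-line verdict."""
    return {cid: verdict(s) for cid, s in triage(debug_text).items()}


if __name__ == "__main__":
    for cid, line in report(SAMPLE_DEBUG).items():
        print(f"conn-id {cid}: {line}")
```

Feed it a saved terminal capture and it prints one verdict per conn-id; the INVALID_ID_INFO branch is the case in this thread, the retransmission branch is the one where the peer is simply not reachable from the table the tunnel source lives in.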

  • Sourced Based VRFs and IPSEC

    Hi All,
    I have 2 questions.
    1) Does the Cisco 7600 router with SUP720 3BXL support VRF Selection based on Source IP Address [Layer 3 VPNs]?
    2) We have various clients reaching a router and we want to forward them to their company's VRFs, based on their source address (given by RADIUS or statically). Now, ideally, we want to give the customer's H.Q. the option to connect to this router using leased lines (or Frame Relay) or by using IPSEC (over the Internet). Is this possible? Can traffic from an access server arrive at an interface and, based on the source, the user will be either forwarded to a VRF or an IPSEC?
    Regards.

    Hello,
    a solution to your problem could be to have a VRF aware access server and place the customers into their respective VRF right away (the feature is called Multi-VRF aka VRF-lite). IPSec and Dialer interfaces are possible. Based on authentication you could define the VRF, and by having a dot1Q trunk to the 7600 which operates as the MPLS PE.
    A second option is to have the trunk to the 7600, VLANs in different VRFs and to do PBR into different VLANs on the CE router/access server.
    Hope this helps! Please rate all posts.
    Regards, Martin

  • %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /x.x.x.x, src_addr= x.x.x.x, prot= 47

    Hi ,
    I want to create a GRE over IPsec tunnel between a Cisco ASR 1002 and a Cisco 3900, and I am getting the below error.
    %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /x.x.x.x, src_addr= x.x.x.x, prot= 47
    I have attached the configuration file as well; I am currently working on tunnel 117.
    Site A already has some tunnels up and running, but only tunnel 117, which I just created on the ASR 1002, is not working.
    Can anyone let me know why I am facing this issue?

    The first issue that I note is that you have applied the crypto map on the tunnel interface as well as on the physical interface. While there are perhaps still some examples that show this they are based on the operation of quite old IOS versions. The code that you are now running expects the crypto map to be applied only on the physical interface. I suggest that you remove the crypto map from the tunnel interfaces. Try that and let us know if the behavior changes.
    HTH
    Rick
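Rick's point is a config-placement one, so it can be checked mechanically before the tunnel is even brought up. The Python below is an added example (not the poster's attached configuration, which is not on the page, and not Cisco code): it splits an IOS running-config into interface blocks, flags any `crypto map` applied under a Tunnel interface, and additionally flags the case in this thread where the same map sits on both the tunnel and its source interface, resolving `tunnel source` given either as an interface name or as an IP address. It also returns a corrected copy with the tunnel-side crypto map lines removed. The config excerpt is constructed with documentation addresses; the map and ACL names are assumptions.

```python
# Constructed IOS-style config excerpt (not the poster's file). Tunnel117 carries the
# mistake the reply describes: the crypto map is on the tunnel and on its source
# interface. Tunnel10 rides on the same physical interface with the map only there.
SAMPLE_CONFIG = """\
crypto map VPNMAP 10 ipsec-isakmp
 set peer 203.0.113.5
 set transform-set TS-AES
 match address GRE-TO-SITEB
!
interface GigabitEthernet0/0/0
 ip address 192.0.2.10 255.255.255.0
 crypto map VPNMAP
!
interface Tunnel10
 ip address 10.10.10.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 203.0.113.9
!
interface Tunnel117
 ip address 10.117.0.1 255.255.255.252
 tunnel source 192.0.2.10
 tunnel destination 203.0.113.5
 crypto map VPNMAP
!
"""


def parse_interfaces(config_text):
    """Return {interface name: [sub-command lines]} from IOS running-config text.
    Sub-commands are the lines indented by one space after 'interface X'."""
    interfaces, current = {}, None
    for raw in config_text.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None  # '!' or a top-level command ends the block
    return interfaces


def crypto_map_name(lines):
    """Name of the crypto map applied in an interface block, or None."""
    for line in lines:
        if line.startswith("crypto map "):
            return line.split()[2]
    return None


def interface_by_ip(interfaces):
    """Map each configured IPv4 address to its interface, for 'tunnel source <ip>'."""
    table = {}
    for name, lines in interfaces.items():
        for line in lines:
            parts = line.split()
            if parts[:2] == ["ip", "address"] and len(parts) >= 3:
                table[parts[2]] = name
    return table


def audit_crypto_maps(config_text):
    """Flag crypto maps on tunnel interfaces, and the same map on the tunnel's
    source interface as well. Returns a list of (interface, message)."""
    interfaces = parse_interfaces(config_text)
    by_ip = interface_by_ip(interfaces)
    findings = []
    for name, lines in interfaces.items():
        if not name.startswith("Tunnel"):
            continue
        cmap = crypto_map_name(lines)
        if cmap is None:
            continue
        findings.append((name, f"crypto map {cmap} is applied on a tunnel interface; "
                               "current IOS expects it on the physical interface only"))
        source = next((l.split(None, 2)[2] for l in lines if l.startswith("tunnel source ")), None)
        source_if = source if source in interfaces else by_ip.get(source)
        if source_if and crypto_map_name(interfaces[source_if]) == cmap:
            findings.append((name, f"crypto map {cmap} is applied on both {name} and its "
                                   f"source interface {source_if}"))
    return findings


def strip_tunnel_crypto_maps(config_text):
    """Return the config with 'crypto map' removed from every Tunnel interface block."""
    out, in_tunnel = [], False
    for raw in config_text.splitlines():
        if raw.startswith("interface "):
            in_tunnel = raw.split(None, 1)[1].startswith("Tunnel")
        elif not raw.startswith(" "):
            in_tunnel = False
        if in_tunnel and raw.strip().startswith("crypto map "):
            continue
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for iface, msg in audit_crypto_maps(SAMPLE_CONFIG):
        print(f"{iface}: {msg}")
```

Run it against `show running-config` output saved to a file; an empty result means no tunnel interface carries a crypto map, which is the state Rick recommends testing first.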

  • Per-session VRF and IPv6

    Hello. I can't get the Per-session VRF feature working with the IPv6 protocol. IPv4 is working fine.
    Here is what I've got:
    test1 Cleartext-Password := "test"
    Framed-Protocol = PPP,
    Service-Type == Framed-User,
    Cisco-AVPair += "ipv6:delegated-ipv6-pool=ppp_delegate_56_v6_pool_vrf_no_nat",
    Cisco-AVPair += "ip:vrf-id=NoNAT",
    Cisco-AVPair += "ip:ip-unnumbered=Loopback1",
    Cisco-AVPair += "ip:addr-pool=real"
    Cisco-AVPair += "ipv6:ipv6-addr-pool=ppp_link_v6_pool_vrf_no_nat"
    test2 Cleartext-Password := "test"
    Framed-Protocol = PPP,
    Service-Type == Framed-User,
    Cisco-AVPair += "ipv6:delegated-ipv6-pool=ppp_delegate_56_v6_pool",
    Cisco-AVPair += "lcp:interface-config=ip nat inside"
    #sho run
    interface Loopback0
    ip address ****
    ipv6 address 2001:DB8::20/128
    ipv6 enable
    interface Loopback1
    vrf forwarding NoNAT
    ip address *****
    ipv6 address 2001:DB8::21/128
     ipv6 enable
    ipv6 dhcp pool AAA_dhcpv6_pool
    prefix-delegation aaa method-list FREERADIUS
    ip local pool pool192_168 192.168.128.0 192.168.255.254
    ip local pool real *.*.*.* *.*.*.*
    ipv6 local pool ppp_delegate_56_v6_pool 2001:DB8:3::/48 56
    ipv6 local pool ppp_link_v6_pool 2001:DB8:1::/49 64
    ipv6 local pool ppp_delegate_56_v6_pool_vrf_no_nat 2001:DB8:6::/48 56
    ipv6 local pool ppp_link_v6_pool_vrf_no_nat 2001:DB8:4::/49 64
    interface Virtual-Template1
    ip unnumbered Loopback0
    ipv6 unnumbered Loopback0
    ipv6 enable
    no ipv6 nd ra suppress
    ipv6 dhcp server AAA_dhcpv6_pool
    peer default ip address pool pool192_168
    peer default ipv6 pool ppp_link_v6_pool
    ! non-related config skipped
    User test2 receives an IPv4 private address and full IPv6 service: an address negotiated on the link and the DHCPv6 delegation service.
    User test1 receives an IPv4 real address only and no IPv6 at all.
    Here is the debug, take a look at the bold line:
    Jul  8 10:13:41: RADIUS(000000DF): Send Access-Request to 10.0.6.10:1812 id 1645/139, len 207
    Jul  8 10:13:41: RADIUS:  authenticator B8 8A 07 F3 D8 90 A5 FE - B0 10 9F 51 B2 4F 7E 0A
    Jul  8 10:13:41: RADIUS:  Framed-Protocol     [7]   6   PPP                       [1]
    Jul  8 10:13:41: RADIUS:  User-Name           [1]   6   "test"
    Jul  8 10:13:41: RADIUS:  CHAP-Password       [3]   19  *
    Jul  8 10:13:41: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
    Jul  8 10:13:41: RADIUS:  NAS-Port            [5]   6   0
    Jul  8 10:13:41: RADIUS:  NAS-Port-Id         [87]  13  "0/1/0/2.301"
    Jul  8 10:13:41: RADIUS:  Vendor, Cisco       [26]  41
    Jul  8 10:13:41: RADIUS:   Cisco AVpair       [1]   35  "client-mac-address=5254.0018.9fb1"
    Jul  8 10:13:41: RADIUS:  Vendor, Cisco       [26]  39
    Jul  8 10:13:41: RADIUS:   Cisco AVpair       [1]   33  "circuit-id-tag=SNR eth 001,0301"
    Jul  8 10:13:41: RADIUS:  Vendor, Cisco       [26]  39
    Jul  8 10:13:41: RADIUS:   Cisco AVpair       [1]   33  "remote-id-tag=f8-f0-82-10-9b-9d"
    Jul  8 10:13:41: RADIUS:  Service-Type        [6]   6   Framed                    [2]
    Jul  8 10:13:41: RADIUS:  NAS-IP-Address      [4]   6   10.0.6.21
    Jul  8 10:13:41: RADIUS(000000DF): Sending a IPv4 Radius Packet
    Jul  8 10:13:41: RADIUS(000000DF): Started 5 sec timeout
    Jul  8 10:13:41: RADIUS: Received from id 1645/139 10.0.6.10:1812, Access-Accept, len 236
    Jul  8 10:13:41: RADIUS:  authenticator 9C E6 3B 43 A3 58 06 AB - 17 99 AD 06 FF C6 9A 35
    Jul  8 10:13:41: RADIUS:  Framed-Protocol     [7]   6   PPP                       [1]
    Jul  8 10:13:41: RADIUS:  Service-Type        [6]   6   Framed                    [2]
    Jul  8 10:13:41: RADIUS:  Vendor, Cisco       [26]  67
    Jul  8 10:13:41: RADIUS:   Cisco AVpair       [1]   61  "ipv6:delegated-ipv6-pool=ppp_delegate_56_v6_pool_vrf_no_nat"
    Jul  8 10:13:41: RADIUS:  Vendor, Cisco       [26]  23
    Jul  8 10:13:41: RADIUS:   Cisco AVpair       [1]   17  "ip:vrf-id=NoNAT"
    Jul  8 10:13:41: RADIUS:  Vendor, Cisco       [26]  34
    Jul  8 10:13:41: RADIUS:   Cisco AVpair       [1]   28  "ip:ip-unnumbered=Loopback1"
    Jul  8 10:13:41: RADIUS:  Vendor, Cisco       [26]  25
    Jul  8 10:13:41: RADIUS:   Cisco AVpair       [1]   19  "ip:addr-pool=real"
    Jul  8 10:13:41: RADIUS:  Vendor, Cisco       [26]  55
    Jul  8 10:13:41: RADIUS:   Cisco AVpair       [1]   49  "ipv6:ipv6-addr-pool=ppp_link_v6_pool_vrf_no_nat"
    Jul  8 10:13:41: RADIUS(000000DF): Received from id 1645/139
    Jul  8 10:13:41: ppp202 PPP SSS: Forwarding request
    Jul  8 10:13:41: ppp202 PPP: Phase is FORWARDING, Attempting Forward
    Jul  8 10:13:41: PPP: Bind ppp202 to Virtual-Access2.1
    Jul  8 10:13:41: Vi2.1 PPP: Static Bind peer_type[3]
    Jul  8 10:13:41: Vi2.1 PPP: Phase is AUTHENTICATING, Authenticated User
    Jul  8 10:13:41: Vi2.1 CHAP: O SUCCESS id 1 len 4
    Jul  8 10:13:41: Vi2.1 PPP: Phase is UP
    Jul  8 10:13:41: Vi2.1 IPCP: Protocol configured, start CP. state[Initial]
    Jul  8 10:13:41: Vi2.1 IPCP: Event[OPEN] State[Initial to Starting]
    Jul  8 10:13:41: Vi2.1 IPCP: O CONFREQ [Starting] id 1 len 10
    Jul  8 10:13:41: Vi2.1 IPCP:    Address *.*.*.8 (0x0306B92EC408)
    Jul  8 10:13:41: Vi2.1 IPCP: Event[UP] State[Starting to REQsent]
    Jul  8 10:13:41: Vi2.1 PPP: Send Message[Static Bind Response]
    Jul  8 10:13:41: Vi2.1 IPCP: I CONFREQ [REQsent] id 1 len 22
    Jul  8 10:13:41: Vi2.1 IPCP:    Address 0.0.0.0 (0x030600000000)
    Jul  8 10:13:41: Vi2.1 IPCP:    PrimaryDNS 0.0.0.0 (0x810600000000)
    Jul  8 10:13:41: Vi2.1 IPCP:    SecondaryDNS 0.0.0.0 (0x830600000000)
    Jul  8 10:13:41: Vi2.1 IPCP AUTHOR: Start.  Her address 0.0.0.0, we want 0.0.0.0
    Jul  8 10:13:41: Vi2.1 IPCP AUTHOR: Says use pool real
    Jul  8 10:13:41: Vi2.1 IPCP AUTHOR: Pool returned *.*.*.11
    Jul  8 10:13:41: Vi2.1 IPCP AUTHOR: Done.  Her address 0.0.0.0, we want *.*.*.11
    Jul  8 10:13:41: Vi2.1 IPCP: O CONFNAK [REQsent] id 1 len 22
    Jul  8 10:13:41: Vi2.1 IPCP:    Address *.*.*.11 (0x0306B92EC50B)
    Jul  8 10:13:41: Vi2.1 IPCP:    PrimaryDNS 8.8.8.8 (0x810608080808)
    Jul  8 10:13:41: Vi2.1 IPCP:    SecondaryDNS 8.8.4.4 (0x830608080404)
    Jul  8 10:13:41: Vi2.1 IPCP: Event[Receive ConfReq-] State[REQsent to REQsent]
    Jul  8 10:13:41: Vi2.1 IPV6CP: I CONFREQ [UNKNOWN] id 1 len 14
    Jul  8 10:13:41: Vi2.1 IPV6CP:    Interface-Id 11BF:9891:6F31:7C15 (0x010A11BF98916F317C15)
    Jul  8 10:13:41: Vi2.1 LCP: O PROTREJ [Open] id 2 len 20 protocol IPV6CP (0x0101000E010A11BF98916F317C15)
    Jul  8 10:13:41: Vi2.1 IPCP: I CONFACK [REQsent] id 1 len 10
    Jul  8 10:13:41: Vi2.1 IPCP:    Address *.*.*.8 (0x0306B92EC408)
    Jul  8 10:13:41: Vi2.1 IPCP: Event[Receive ConfAck] State[REQsent to ACKrcvd]
    Jul  8 10:13:41: Vi2.1 IPCP: I CONFREQ [ACKrcvd] id 2 len 22
    Jul  8 10:13:41: Vi2.1 IPCP:    Address *.*.*.11 (0x0306B92EC50B)
    Jul  8 10:13:41: Vi2.1 IPCP:    PrimaryDNS 8.8.8.8 (0x810608080808)
    Jul  8 10:13:41: Vi2.1 IPCP:    SecondaryDNS 8.8.4.4 (0x830608080404)
    Jul  8 10:13:41: Vi2.1 IPCP: O CONFACK [ACKrcvd] id 2 len 22
    Jul  8 10:13:41: Vi2.1 IPCP:    Address *.*.*.11 (0x0306B92EC50B)
    Jul  8 10:13:41: Vi2.1 IPCP:    PrimaryDNS 8.8.8.8 (0x810608080808)
    Jul  8 10:13:41: Vi2.1 IPCP:    SecondaryDNS 8.8.4.4 (0x830608080404)
    Jul  8 10:13:41: Vi2.1 IPCP: Event[Receive ConfReq+] State[ACKrcvd to Open]
    Jul  8 10:13:41: Vi2.1 IPCP: State is Open
    Jul  8 10:13:41: Vi2.1 Added to neighbor route AVL tree: topoid 2, address *.*.*.11
    Jul  8 10:13:41: Vi2.1 IPCP: Install route to *.*.*.11
    Jul  8 10:13:41: RADIUS/ENCODE(000000DF):Orig. component type = PPPoE
    Jul  8 10:13:41: RADIUS(000000DF): Config NAS IP: 10.0.6.21
    Jul  8 10:13:41: RADIUS(000000DF): Config NAS IPv6: ::
    Jul  8 10:13:41: RADIUS(000000DF): sending
    Jul  8 10:13:41: RADIUS(000000DF): Send Accounting-Request to 10.0.6.10:1813 id 1646/109, len 264
    Any suggestions?

    Fixed one problem and moved on to another.
    I've added
    Cisco-AVPair += "lcp:interface-config=ipv6 unnumbered Loopback1"
    to the user profile, but stumbled into another problem: the router ignores
    Cisco-AVPair += "ipv6:ipv6-addr-pool=ppp_link_v6_pool"
    regardless of VRF, even on a usual user profile
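The first problem in this thread reduces to a profile-consistency rule: a session placed into a VRF with `ip:vrf-id` and handed IPv6 pools also needs an IPv6 unnumbered source interface inside that VRF, which the poster supplied with `lcp:interface-config=ipv6 unnumbered Loopback1`; without it IPV6CP is rejected while IPv4 (which had `ip:ip-unnumbered=Loopback1`) comes up. The Python below is an added example, not the poster's code or any FreeRADIUS tooling: it parses entries in the `users`-file shape shown in the post (indentation optional, so a file pasted into a forum post still parses), extracts the Cisco-AVPair values, and reports every VRF profile that requests IPv6 pools but lacks the `ipv6 unnumbered` interface-config, proposing the same interface the profile already uses for `ip:ip-unnumbered`. The sample profiles are constructed from the two in the post, plus a `test3` profile (an assumption) carrying the fix.

```python
import re

# Constructed FreeRADIUS users-file excerpt modelled on the two profiles in the post;
# test3 is an added profile carrying the fix the poster reported.
SAMPLE_USERS = """\
test1 Cleartext-Password := "test"
    Framed-Protocol = PPP,
    Service-Type == Framed-User,
    Cisco-AVPair += "ipv6:delegated-ipv6-pool=ppp_delegate_56_v6_pool_vrf_no_nat",
    Cisco-AVPair += "ip:vrf-id=NoNAT",
    Cisco-AVPair += "ip:ip-unnumbered=Loopback1",
    Cisco-AVPair += "ip:addr-pool=real",
    Cisco-AVPair += "ipv6:ipv6-addr-pool=ppp_link_v6_pool_vrf_no_nat"

test2 Cleartext-Password := "test"
    Framed-Protocol = PPP,
    Service-Type == Framed-User,
    Cisco-AVPair += "ipv6:delegated-ipv6-pool=ppp_delegate_56_v6_pool",
    Cisco-AVPair += "lcp:interface-config=ip nat inside"

test3 Cleartext-Password := "test"
    Framed-Protocol = PPP,
    Service-Type == Framed-User,
    Cisco-AVPair += "ipv6:delegated-ipv6-pool=ppp_delegate_56_v6_pool_vrf_no_nat",
    Cisco-AVPair += "ip:vrf-id=NoNAT",
    Cisco-AVPair += "ip:ip-unnumbered=Loopback1",
    Cisco-AVPair += "lcp:interface-config=ipv6 unnumbered Loopback1",
    Cisco-AVPair += "ipv6:ipv6-addr-pool=ppp_link_v6_pool_vrf_no_nat"
"""

# Entry header: "<user> <check-attribute> <op> <value>" starting in column 0.
HEADER_RE = re.compile(r'^(\S+)\s+([\w-]+)\s*(:=|==|!=|=)\s*(.+?),?\s*$')
# Reply item: "<attribute> <op> <value>[,]" with optional indentation.
ITEM_RE = re.compile(r'^\s*([\w-]+)\s*(\+=|:=|==|!=|=)\s*(.+?),?\s*$')


def parse_users(text):
    """Return {username: [(attribute, operator, value), ...]}; quotes are stripped."""
    users, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if m := HEADER_RE.match(line):
            current = m.group(1)
            users[current] = [(m.group(2), m.group(3), m.group(4).strip('"'))]
        elif (m := ITEM_RE.match(line)) and current is not None:
            users[current].append((m.group(1), m.group(2), m.group(3).strip('"')))
    return users


def avpair_value(items, prefix):
    """Text after <prefix> in the first Cisco-AVPair that starts with it, else None."""
    for attr, _, value in items:
        if attr == "Cisco-AVPair" and value.startswith(prefix):
            return value[len(prefix):]
    return None


def check_ipv6_in_vrf(items):
    """Return a finding for a VRF profile that asks for IPv6 pools without an
    IPv6 unnumbered interface in that VRF; None when the profile is consistent."""
    vrf = avpair_value(items, "ip:vrf-id=")
    wants_v6 = any(attr == "Cisco-AVPair" and
                   value.startswith(("ipv6:ipv6-addr-pool=", "ipv6:delegated-ipv6-pool="))
                   for attr, _, value in items)
    if not (vrf and wants_v6) or avpair_value(items, "lcp:interface-config=ipv6 unnumbered "):
        return None
    source = avpair_value(items, "ip:ip-unnumbered=") or f"<loopback in VRF {vrf}>"
    return (f"VRF {vrf} session requests IPv6 pools but has no IPv6 unnumbered interface "
            f"in that VRF; add Cisco-AVPair += \"lcp:interface-config=ipv6 unnumbered {source}\"")


def audit_users(text):
    """Map username -> finding for every profile that fails the check."""
    return {user: msg for user, items in parse_users(text).items()
            if (msg := check_ipv6_in_vrf(items))}


if __name__ == "__main__":
    for user, msg in audit_users(SAMPLE_USERS).items():
        print(f"{user}: {msg}")
```

On the sample only `test1` is reported, with the exact AVPair the poster ended up adding; `test2` has no VRF and `test3` already carries the interface-config.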

  • DMVPN + VRF-Aware IPSec

    Hi,
    Can we club DMVPN and VRF-Aware IPsec features ?
    Regards
    Mahesh

    Million thanks for this.
    This now works after disabling CEF on the public facing interface.
    Regards,
    Zahid

  • 2800s, AIM-VPN-SSL2, vrf aware IPSEC, high CPU low throughput

    We have a couple of new 2821s deployed across a fibre link and they were originally running 12.4 (non T) versions using software encryption. We would get around 8Mb/s throughput. Upgrading to T to use the installed AIM cards, we now see the AIM cards in use (show cry isakmp sa det shows the engine as AIM VPN), but we still get the same throughput and high CPU. Allowing CEF on the interface doubles throughput but with the same high CPU. The only process I can see going high is IP Input. Is this because of vrf aware ipsec - or any other suggestions?

    Hi Nick,
    I am having the same issue. We have a 2851 as an IPSEC VPN headend with an AIM VPN module but we are seeing high CPU usage (80%) with just 4-5 Mbps worth of traffic. I have an idea that I might have a NAT issue.
    We are currently running, NAT, ZFW, and IPSEC site 2 site VPN on the router.
    When I look at my ZONE firewall policy-map output it is showing all of my VPN traffic as process switched.
    Inspect
    Packet inspection statistics [process switch:fast switch]
    tcp packets: [14809800:0]
    udp packets: [145107:0]
    icmp packets: [20937:12]
    I have disabled the ZFW and still see high cpu although it is a little lower.
    Packets are not fragmented, CEF and fast switching looks to be enabled. I am using a route-map for my nonats. That is the only thing I can think of now.
    I have tried IOS 12.4(20)T3,4 and 12.4(15)T9. Same results.
    Anyone have some ideas?
