Understanding IKE Phase I and II
Hi, I have been through the concept a lot of times, but what confuses me is the encryption algorithm and the DH key, and how they go hand in hand in IKE phase I and II. I understand phase I authenticates the VPN peers and negotiates the ISAKMP policy, which includes the DH exchange and symmetric encryption, e.g. DES or TDES. What I fail to understand is what the DH exchange (key derived from public/private function) is used for; does it encrypt the IKE2 exchange already encrypted with DES/TDES/AES?
Also, if I'm not using PFS in Phase II, would I be using the same DH key derived at the time of phase I? If yes, is that secure enough?
Another question is when the peers authenticate each other and while the IKE phase I policies are being exchanged, does that happen in clear text?
Could someone please explain the step by step proceedings in the two phases specifically emphasizing on DH Exchange and how it is used with encryption algorithms.
Regards
Sonu
Sonu,
It looks like you want to go back to RFC to have a look. We have also a series of documents explaining IKEv1 and going with debugging.
What you're missing is that in IKEv1 (main mode), messages 5 and 6 are already encrypted, while the previous ones, including DH exchange are not.
MM5 and MM6 is when we exchange identities. Those need to be protected, hence the DH negotiation before.
Phase 2 is a separate exchange protected with result of phase 1. The role of DH in phase 2 is to make sure that encryption keys are not derived from previous key material.
Start here:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a0080094203.shtml
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080bce100.shtml
https://supportforums.cisco.com/docs/DOC-18522
M.
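The key derivation this reply refers to, as an added example that is not part of the original thread: IKEv1 pre-shared-key derivation per RFC 2409, showing that the DH secret is keying input rather than a cipher, and how Quick Mode KEYMAT differs with and without PFS. The pre-shared key, cookies, nonces and SPI are constructed values, and the function names are this example's own.

```python
import hmac
import secrets

# Oakley Group 2 (1024-bit MODP, RFC 2409), i.e. "group 2" in an ISAKMP policy.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2


def prf(key, data, hash_name="sha1"):
    """IKEv1 prf: HMAC of the hash negotiated in the ISAKMP policy."""
    return hmac.new(key, data, hash_name).digest()


def dh_keypair():
    priv = secrets.randbelow(P - 3) + 2      # private exponent, never sent
    return priv, pow(G, priv, P)             # public value travels in the KE payload


def dh_shared(priv, peer_pub):
    return pow(peer_pub, priv, P).to_bytes(128, "big")   # g^xy


def phase1_keys(psk, ni, nr, g_xy, cky_i, cky_r):
    """RFC 2409 section 5, pre-shared-key authentication."""
    skeyid = prf(psk, ni + nr)
    tail = g_xy + cky_i + cky_r
    skeyid_d = prf(skeyid, tail + b"\x00")              # seeds phase 2 keys
    skeyid_a = prf(skeyid, skeyid_d + tail + b"\x01")   # authenticates ISAKMP messages
    skeyid_e = prf(skeyid, skeyid_a + tail + b"\x02")   # encrypts MM5/MM6 and Quick Mode
    return {"SKEYID": skeyid, "SKEYID_d": skeyid_d,
            "SKEYID_a": skeyid_a, "SKEYID_e": skeyid_e}


def cipher_key(skeyid_e, length):
    """RFC 2409 appendix B: stretch SKEYID_e when the cipher needs more bytes."""
    if len(skeyid_e) >= length:
        return skeyid_e[:length]
    block, out = prf(skeyid_e, b"\x00"), b""
    while len(out) < length:
        out += block
        block = prf(skeyid_e, block)
    return out[:length]


def phase2_keymat(skeyid_d, protocol, spi, ni2, nr2, g_qm_xy=b""):
    """Quick Mode KEYMAT (first prf block); g_qm_xy is present only with PFS."""
    return prf(skeyid_d, g_qm_xy + bytes([protocol]) + spi + ni2 + nr2)


def run_exchange(psk=b"constructed-psk"):
    """Both peers of a Main Mode + Quick Mode run, using constructed values."""
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)   # MM1/MM2 cookies
    (xi, gxi), (xr, gxr) = dh_keypair(), dh_keypair()               # MM3/MM4 KE payloads
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)       # MM3/MM4 nonces, in clear
    initiator = phase1_keys(psk, ni, nr, dh_shared(xi, gxr), cky_i, cky_r)
    responder = phase1_keys(psk, ni, nr, dh_shared(xr, gxi), cky_i, cky_r)
    # Quick Mode: fresh nonces always; a second DH exchange only when PFS is enabled.
    spi = secrets.token_bytes(4)
    ni2, nr2 = secrets.token_bytes(16), secrets.token_bytes(16)
    (qi, _), (_, gqr) = dh_keypair(), dh_keypair()
    d = initiator["SKEYID_d"]
    return {
        "initiator": initiator, "responder": responder,
        "aes256_key": cipher_key(initiator["SKEYID_e"], 32),
        "spi": spi, "ni2": ni2, "nr2": nr2,
        "keymat_no_pfs": phase2_keymat(d, 3, spi, ni2, nr2),        # 3 = ESP in the IPsec DOI
        "keymat_pfs": phase2_keymat(d, 3, spi, ni2, nr2, dh_shared(qi, gqr)),
    }


if __name__ == "__main__":
    r = run_exchange()
    print("peers agree on phase 1 keys:", r["initiator"] == r["responder"])
    print("SKEYID_e          :", r["initiator"]["SKEYID_e"].hex())
    print("KEYMAT without PFS:", r["keymat_no_pfs"].hex())
    print("KEYMAT with PFS   :", r["keymat_pfs"].hex())
```

Without PFS the only secret input to KEYMAT is SKEYID_d from phase 1; with PFS a second DH secret is mixed in as well.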
Similar Messages
-
Pre shared keys used in IKE Phase 1
Hi Everyone,
Need to confirm if we can use the Pre shared keys in Aggressive mode and also in Main mode during IKE Phase1
Regards
Mahesh
The pre-shared key is used in both modes of IKE Phase I. With pre-shared keys, the same pre-shared key is configured on each IPSec peer. IKE peers authenticate each other by computing and sending a keyed hash of data that includes the pre-shared key.
-
Hi everyone,
Need to confirm during IKE Phase 1
we use port UDP 500
IKE Phase 2 we use ports
ESP -50
NAT-T UDP 4500
TCP-1000
Regards
Mahesh
IKE phase 1 (main mode/aggressive mode) is udp src and dst 500
IKE phase 2 could be:
IP protocol 50 (ESP)
NAT-T is udp src (client) ephemeral dst (server) udp 4500
The tcp encapsulation found in the older VPN clients was src (client) ephemeral dst (server) tcp 10000 (10,000 in US resp. 10.000 in most of the other world)
-
ISAKMP NEGOTIATION IN IKE PHASE 1
When ISAKMP begins in IKE phase 1, it looks for an ISAKMP policy that is the same on both peers. I have two queries:
1. Which peer will send all their policies to match?
2. Which peer will try to find a match?
calling peer, called peer, in both cases
I suppose you mean "normal" IPsec VPN (no DMVPN)
Calling peer offers policy (from ISAKMP policy configuration) and called peer sends answer (match or not)
M.
-
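The per-transform matching described in this answer shows up in IOS `debug crypto isakmp` output. As an added example (not from the thread), this parser turns such output into one record per transform/policy comparison; the sample lines are excerpted from the R2 debug posted further down this page with the lifetime lines omitted, and the function names and the `LEGACY` set are this example's assumptions.

```python
import re

# Excerpt of the R2 debug output quoted on this page (lifetime lines omitted).
SAMPLE = """\
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 5 policy
May 7 14:31:45 CDT: ISAKMP: encryption DES-CBC
May 7 14:31:45 CDT: ISAKMP: hash SHA
May 7 14:31:45 CDT: ISAKMP: default group 1
May 7 14:31:45 CDT: ISAKMP: auth pre-share
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 3 against priority 5 policy
May 7 14:31:45 CDT: ISAKMP: encryption AES-CBC
May 7 14:31:45 CDT: ISAKMP: keylength of 256
May 7 14:31:45 CDT: ISAKMP: hash SHA
May 7 14:31:45 CDT: ISAKMP: default group 2
May 7 14:31:45 CDT: ISAKMP: auth pre-share
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0):Diffie-Hellman group offered does not match policy!
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 4 against priority 5 policy
May 7 14:31:45 CDT: ISAKMP: encryption AES-CBC
May 7 14:31:45 CDT: ISAKMP: keylength of 256
May 7 14:31:45 CDT: ISAKMP: hash SHA
May 7 14:31:45 CDT: ISAKMP: default group 5
May 7 14:31:45 CDT: ISAKMP: auth pre-share
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 3
"""

CHECK = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
ATTR = re.compile(r"ISAKMP:\s+(encryption|keylength of|hash|default group|auth)\s+(\S+)")
REJECT = re.compile(r"\):\s*(.+?) offered does not match policy")
KEYS = {"encryption": "encryption", "keylength of": "keylength", "hash": "hash",
        "default group": "group", "auth": "auth"}

# Assumption of this example, not a statement from the thread: values reported as legacy.
LEGACY = {"encryption": {"DES-CBC"}, "group": {"1"}}


def parse_negotiation(log):
    """Return one record per 'transform N against priority P policy' comparison."""
    records, cur = [], None
    for line in log.splitlines():
        m = CHECK.search(line)
        if m:
            cur = {"transform": int(m[1]), "priority": int(m[2]),
                   "attrs": {}, "result": None}
            records.append(cur)
            continue
        if cur is None or cur["result"] is not None:
            continue                      # outside a comparison, or already decided
        m = ATTR.search(line)
        if m:
            cur["attrs"][KEYS[m[1]]] = m[2]
            continue
        m = REJECT.search(line)
        if m:
            cur["result"] = "mismatch: " + m[1]
        elif "atts are acceptable" in line:
            cur["result"] = "accepted"
    return records


def accepted(records):
    """(transform, priority) of the first accepted comparison, or None."""
    for r in records:
        if r["result"] == "accepted":
            return r["transform"], r["priority"]
    return None


def legacy_offers(records):
    """Transform numbers in which the peer offered a value listed in LEGACY."""
    hits = {r["transform"] for r in records
            for key, bad in LEGACY.items() if r["attrs"].get(key) in bad}
    return sorted(hits)


if __name__ == "__main__":
    recs = parse_negotiation(SAMPLE)
    for r in recs:
        print(r["transform"], r["priority"], r["attrs"], r["result"])
    print("selected:", accepted(recs), "legacy offers:", legacy_offers(recs))
```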
Cisco Energywise Phase 1 and Phase 2
Hello,
I need to understand the difference between Cisco Energywise Phase 1 and Cisco Energywise Phase 2.
What I am familiar with is Phase 2 allows for power management of PCs and Laptops and Phase 1 includes power management PoE endpoints. However, are there any other fundamental differences in the releases?
Regards,
George
Hi George,
One of the main parts of Phase 2 is the release of the Cisco EnergyWise Orchestrator
Check it out;
http://www.cisco.com/en/US/products/ps10797/index.html
Cheers!
Rob
-
IPsec VTI over NAT IKE Phase I Failure
Hey everyone,
I have two routers and an ASA with one of the routers sitting behind the ASA. I have a VTI configuration between the two routers, the regular GRE traffic passes through just fine but after applying an IPsec profile to the interfaces, IKE Phase I never completes. I have the configurations and debugs posted below. Thank you in advance for your help. I have confirmed reachability and there are no access list issues.
Router 1:
crypto ipsec transform-set SEC esp-aes 256 esp-md5-hmac
mode tunnel
crypto ipsec profile IPSEC
set transform-set SEC
interface Tunnel2
ip address 172.16.1.1 255.255.255.252
tunnel source 200.1.1.1
tunnel destination 200.1.1.2
tunnel protection ipsec profile IPSEC
crypto isakmp key SECURITYKEY address 200.1.1.2
crypto isakmp policy 1
encr aes 256
hash md5
authentication pre-share
group 2
ASA:
static (inside,outside) 200.1.1.2 10.1.1.1 netmask 255.255.255.255
Router 2:
interface Tunnel121
ip address 172.16.1.2 255.255.255.252
ip nat inside
ip virtual-reassembly
tunnel source 10.1.1.1
tunnel destination 200.1.1.1
tunnel protection ipsec profile IPSEC
crypto ipsec transform-set SEC esp-aes 256 esp-md5-hmac
mode tunnel
crypto ipsec profile IPSEC
set transform-set SEC
crypto isakmp key SECURITYKEY address 200.1.1.1
crypto isakmp policy 2
encr aes 256
hash md5
authentication pre-share
group 2
R2#debug crypto isakmp
R2#
R2#
May 7 14:30:35 CDT: ISAKMP (0:134218444): received packet from 200.1.1.1 dport 4500 sport 4500 Global (R) QM_IDLE
May 7 14:30:35 CDT: ISAKMP:(0:716:SW:1): phase 1 packet is a duplicate of a previous packet.
May 7 14:30:35 CDT: ISAKMP:(0:716:SW:1): retransmitting due to retransmit phase 1
May 7 14:30:35 CDT: ISAKMP (0:134218443): received packet from 200.1.1.1 dport 4500 sport 4500 Global (R) MM_NO_STATE
May 7 14:30:36 CDT: ISAKMP:(0:716:SW:1): retransmitting phase 1 QM_IDLE ...
May 7 14:30:36 CDT: ISAKMP (0:134218444): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
May 7 14:30:36 CDT: ISAKMP:(0:716:SW:1): retransmitting phase 1 QM_IDLE
May 7 14:30:36 CDT: ISAKMP:(0:716:SW:1): sending packet to 200.1.1.1 my_port 4500 peer_port 4500 (R) QM_IDLE
May 7 14:30:42 CDT: ISAKMP:(0:716:SW:1): retransmitting phase 2 QM_IDLE -1092494630 ...
May 7 14:30:42 CDT: ISAKMP (0:134218444): incrementing error counter on node, attempt 2 of 5: retransmit phase 2
May 7 14:30:42 CDT: ISAKMP (0:134218444): incrementing error counter on sa, attempt 4 of 5: retransmit phase 2
May 7 14:30:42 CDT: ISAKMP:(0:716:SW:1): retransmitting phase 2 -1092494630 QM_IDLE
May 7 14:30:42 CDT: ISAKMP:(0:716:SW:1): sending packet to 200.1.1.1 my_port 4500 peer_port 4500 (R) QM_IDLE
May 7 14:30:45 CDT: ISAKMP (0:134218444): received packet from 200.1.1.1 dport 4500 sport 4500 Global (R) QM_IDLE
May 7 14:30:45 CDT: ISAKMP:(0:716:SW:1): phase 1 packet is a duplicate of a previous packet.
May 7 14:30:45 CDT: ISAKMP:(0:716:SW:1): retransmitting due to retransmit phase 1
May 7 14:30:46 CDT: ISAKMP:(0:716:SW:1): retransmitting phase 1 QM_IDLE ...
May 7 14:30:46 CDT: ISAKMP (0:134218444): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
May 7 14:30:46 CDT: ISAKMP:(0:716:SW:1): retransmitting phase 1 QM_IDLE
May 7 14:30:46 CDT: ISAKMP:(0:716:SW:1): sending packet to 200.1.1.1 my_port 4500 peer_port 4500 (R) QM_IDLE
May 7 14:30:52 CDT: ISAKMP: received ke message (3/1)
May 7 14:30:52 CDT: ISAKMP:(0:716:SW:1):peer does not do paranoid keepalives.
May 7 14:30:52 CDT: ISAKMP:(0:716:SW:1):deleting SA reason "P1 delete notify (in)" state (R) QM_IDLE (peer 200.1.1.1)
May 7 14:30:52 CDT: ISAKMP:(0:715:SW:1):peer does not do paranoid keepalives.
May 7 14:30:52 CDT: ISAKMP:(0:716:SW:1): retransmitting phase 2 QM_IDLE -1092494630 ...
May 7 14:30:52 CDT: ISAKMP:(0:716:SW:1):peer does not do paranoid keepalives.
May 7 14:30:52 CDT: ISAKMP: set new node 1345361410 to QM_IDLE
May 7 14:30:52 CDT: ISAKMP:(0:716:SW:1): sending packet to 200.1.1.1 my_port 4500 peer_port 4500 (R) QM_IDLE
May 7 14:30:52 CDT: ISAKMP:(0:716:SW:1):purging node 1345361410
May 7 14:30:52 CDT: ISAKMP:(0:716:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
May 7 14:30:52 CDT: ISAKMP:(0:716:SW:1):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA
May 7 14:30:52 CDT: ISAKMP:(0:716:SW:1):deleting SA reason "No reason" state (R) QM_IDLE (peer 200.1.1.1)
May 7 14:30:52 CDT: ISAKMP: Unlocking IKE struct 0x656AA2B0 for isadb_mark_sa_deleted(), count 0
May 7 14:30:52 CDT: ISAKMP: Deleting peer node by peer_reap for 200.1.1.1: 656AA2B0
May 7 14:30:52 CDT: ISAKMP:(0:716:SW:1):deleting node -1092494630 error FALSE reason "IKE deleted"
May 7 14:30:52 CDT: ISAKMP:(0:716:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
May 7 14:30:52 CDT: ISAKMP:(0:716:SW:1):Old State = IKE_DEST_SA New State = IKE_DEST_SA
May 7 14:30:55 CDT: ISAKMP (0:134218444): received packet from 200.1.1.1 dport 4500 sport 4500 Global (R) MM_NO_STATE
May 7 14:31:05 CDT: ISAKMP:(0:715:SW:1):purging node 1843499205
May 7 14:31:05 CDT: ISAKMP (0:134218444): received packet from 200.1.1.1 dport 4500 sport 4500 Global (R) MM_NO_STATE
May 7 14:31:15 CDT: ISAKMP:(0:715:SW:1):purging SA., sa=64E4AB14, delme=64E4AB14
May 7 14:31:42 CDT: ISAKMP:(0:716:SW:1):purging node -1092494630
May 7 14:31:45 CDT: ISAKMP (0:0): received packet from 200.1.1.1 dport 500 sport 500 Global (N) NEW SA
May 7 14:31:45 CDT: ISAKMP: Created a peer struct for 200.1.1.1, peer port 500
May 7 14:31:45 CDT: ISAKMP: New peer created peer = 0x656AA2B0 peer_handle = 0x80000514
May 7 14:31:45 CDT: ISAKMP: Locking peer struct 0x656AA2B0, IKE refcount 1 for crypto_isakmp_process_block
May 7 14:31:45 CDT: ISAKMP: local port 500, remote port 500
May 7 14:31:45 CDT: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 64E4AB14
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0):Old State = IKE_READY New State = IKE_R_MM1
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0): processing SA payload. message ID = 0
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0): processing vendor id payload
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 69 mismatch
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0): processing vendor id payload
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 245 mismatch
May 7 14:31:45 CDT: ISAKMP (0:0): vendor ID is NAT-T v7
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0): processing vendor id payload
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 157 mismatch
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v3
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0): processing vendor id payload
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 123 mismatch
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v2
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 200.1.1.1
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0): local preshared key found
May 7 14:31:45 CDT: ISAKMP : Scanning profiles for xauth ...
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 5 policy
May 7 14:31:45 CDT: ISAKMP: encryption DES-CBC
May 7 14:31:45 CDT: ISAKMP: hash SHA
May 7 14:31:45 CDT: ISAKMP: default group 1
May 7 14:31:45 CDT: ISAKMP: auth pre-share
May 7 14:31:45 CDT: ISAKMP: life type in seconds
May 7 14:31:45 CDT: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 2 against priority 5 policy
May 7 14:31:45 CDT: ISAKMP: encryption 3DES-CBC
May 7 14:31:45 CDT: ISAKMP: hash SHA
May 7 14:31:45 CDT: ISAKMP: default group 2
May 7 14:31:45 CDT: ISAKMP: auth pre-share
May 7 14:31:45 CDT: ISAKMP: life type in seconds
May 7 14:31:45 CDT: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 3 against priority 5 policy
May 7 14:31:45 CDT: ISAKMP: encryption AES-CBC
May 7 14:31:45 CDT: ISAKMP: keylength of 256
May 7 14:31:45 CDT: ISAKMP: hash SHA
May 7 14:31:45 CDT: ISAKMP: default group 2
May 7 14:31:45 CDT: ISAKMP: auth pre-share
May 7 14:31:45 CDT: ISAKMP: life type in seconds
May 7 14:31:45 CDT: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0):Diffie-Hellman group offered does not match policy!
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 4 against priority 5 policy
May 7 14:31:45 CDT: ISAKMP: encryption AES-CBC
May 7 14:31:45 CDT: ISAKMP: keylength of 256
May 7 14:31:45 CDT: ISAKMP: hash SHA
May 7 14:31:45 CDT: ISAKMP: default group 5
May 7 14:31:45 CDT: ISAKMP: auth pre-share
May 7 14:31:45 CDT: ISAKMP: life type in seconds
May 7 14:31:45 CDT: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 3
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): processing vendor id payload
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): vendor ID seems Unity/DPD but major 69 mismatch
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): processing vendor id payload
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): vendor ID seems Unity/DPD but major 245 mismatch
May 7 14:31:45 CDT: ISAKMP (0:134218445): vendor ID is NAT-T v7
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): processing vendor id payload
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): vendor ID seems Unity/DPD but major 157 mismatch
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): vendor ID is NAT-T v3
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): processing vendor id payload
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): vendor ID seems Unity/DPD but major 123 mismatch
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): vendor ID is NAT-T v2
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):Old State = IKE_R_MM1 New State = IKE_R_MM1
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): constructed NAT-T vendor-07 ID
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): sending packet to 200.1.1.1 my_port 500 peer_port 500 (R) MM_SA_SETUP
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):Old State = IKE_R_MM1 New State = IKE_R_MM2
May 7 14:31:45 CDT: ISAKMP (0:134218445): received packet from 200.1.1.1 dport 500 sport 500 Global (R) MM_SA_SETUP
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):Old State = IKE_R_MM2 New State = IKE_R_MM3
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): processing KE payload. message ID = 0
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): processing NONCE payload. message ID = 0
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):found peer pre-shared key matching 200.1.1.1
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):SKEYID state generated
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): processing vendor id payload
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): vendor ID is Unity
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): processing vendor id payload
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): vendor ID is DPD
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): processing vendor id payload
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): speaking to another IOS box!
May 7 14:31:45 CDT: ISAKMP (0:134218445): NAT found, the node inside NAT
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):Old State = IKE_R_MM3 New State = IKE_R_MM3
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): sending packet to 200.1.1.1 my_port 500 peer_port 500 (R) MM_KEY_EXCH
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):Old State = IKE_R_MM3 New State = IKE_R_MM4
May 7 14:31:45 CDT: ISAKMP (0:134218445): received packet from 200.1.1.1 dport 4500 sport 4500 Global (R) MM_KEY_EXCH
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):Old State = IKE_R_MM4 New State = IKE_R_MM5
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): processing ID payload. message ID = 0
May 7 14:31:45 CDT: ISAKMP (0:134218445): ID payload
next-payload : 8
type : 1
address : 200.1.1.1
protocol : 17
port : 0
length : 12
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):: peer matches *none* of the profiles
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): processing HASH payload. message ID = 0
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): processing NOTIFY INITIAL_CONTACT protocol 1
spi 0, message ID = 0, sa = 64E4AB14
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):SA authentication status:
authenticated
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): Process initial contact,
bring down existing phase 1 and 2 SA's with local 10.1.1.1 remote 200.1.1.1 remote port 4500
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):SA authentication status:
authenticated
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):SA has been authenticated with 200.1.1.1
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):Detected port floating to port = 4500
May 7 14:31:45 CDT: ISAKMP: Trying to insert a peer 10.1.1.1/200.1.1.1/4500/, and inserted successfully 656AA2B0.
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):Setting UDP ENC peer struct 0x661D688C sa= 0x64E4AB14
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):Old State = IKE_R_MM5 New State = IKE_R_MM5
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
May 7 14:31:45 CDT: ISAKMP (0:134218445): ID payload
next-payload : 8
type : 1
address : 10.1.1.1
protocol : 17
port : 0
length : 12
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):Total payload length: 12
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): sending packet to 200.1.1.1 my_port 4500 peer_port 4500 (R) MM_KEY_EXCH
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
May 7 14:31:52 CDT: ISAKMP: received ke message (1/1)
May 7 14:31:52 CDT: ISAKMP: set new node 0 to QM_IDLE
May 7 14:31:52 CDT: ISAKMP:(0:717:SW:1): sitting IDLE. Starting QM immediately (QM_IDLE )
May 7 14:31:52 CDT: ISAKMP:(0:717:SW:1):beginning Quick Mode exchange, M-ID of -1201835538
May 7 14:31:52 CDT: ISAKMP:(0:717:SW:1): sending packet to 200.1.1.1 my_port 4500 peer_port 4500 (R) QM_IDLE
May 7 14:31:52 CDT: ISAKMP:(0:717:SW:1):Node -1201835538, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
May 7 14:31:52 CDT: ISAKMP:(0:717:SW:1):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
May 7 14:31:52 CDT: ISAKMP:(0:716:SW:1):purging SA., sa=64E55FE0, delme=64E55FE0
May 7 14:31:55 CDT: ISAKMP (0:134218445): received packet from 200.1.1.1 dport 4500 sport 4500 Global (R) QM_IDLE
May 7 14:31:55 CDT: ISAKMP:(0:717:SW:1): phase 1 packet is a duplicate of a previous packet.
May 7 14:31:55 CDT: ISAKMP:(0:717:SW:1): retransmitting due to retransmit phase 1
May 7 14:31:56 CDT: ISAKMP:(0:717:SW:1): retransmitting phase 1 QM_IDLE ...
May 7 14:31:56 CDT: ISAKMP (0:134218445): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
May 7 14:31:56 CDT: ISAKMP:(0:717:SW:1): retransmitting phase 1 QM_IDLE
May 7 14:31:56 CDT: ISAKMP:(0:717:SW:1): sending packet to 200.1.1.1 my_port 4500 peer_port 4500 (R) QM_IDLE
R2#
R2#
R2#
R2#un
May 7 14:32:02 CDT: ISAKMP:(0:717:SW:1): retransmitting phase 2 QM_IDLE -1201835538 ...
May 7 14:32:02 CDT: ISAKMP (0:134218445): incrementing error counter on node, attempt 1 of 5: retransmit phase 2
May 7 14:32:02 CDT: ISAKMP (0:134218445): incrementing error counter on sa, attempt 2 of 5: retransmit phase 2
May 7 14:32:02 CDT: ISAKMP:(0:717:SW:1): retransmitting phase 2 -1201835538 QM_IDLE
May 7 14:32:02 CDT: ISAKMP:(0:717:SW:1): sending packet to 200.1.1.1 my_port 4500 peer_port 4500 (R) QM_IDLE
The specific portion of the debug that has caught my attention is as follows toward the end:
May 7 14:31:52 CDT: ISAKMP:(0:717:SW:1): sending packet to 200.1.1.1 my_port 4500 peer_port 4500 (R) QM_IDLE
May 7 14:31:52 CDT: ISAKMP:(0:717:SW:1):Node -1201835538, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
May 7 14:31:52 CDT: ISAKMP:(0:717:SW:1):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
May 7 14:31:52 CDT: ISAKMP:(0:716:SW:1):purging SA., sa=64E55FE0, delme=64E55FE0
May 7 14:31:55 CDT: ISAKMP (0:134218445): received packet from 200.1.1.1 dport 4500 sport 4500 Global (R) QM_IDLE
May 7 14:31:55 CDT: ISAKMP:(0:717:SW:1): phase 1 packet is a duplicate of a previous packet.
Thank you for the suggestions Sokakkar. I did just what you asked with
undebug all
debug crypto condition peer ipv4
debug crypto isakmp
This is a production environment and I have altered the information for privacy reasons. So I am not able to reload either of the devices.
The debugs are as follows:
R1 DEBUGS:
R1#debug crypto isakmp
Crypto ISAKMP debugging is on
R1#
*May 8 20:14:18.668: ISAKMP:(6151):purging node -1205767715
*May 8 20:14:28.140: ISAKMP: local port 500, remote port 500
*May 8 20:14:28.144: ISAKMP: set new node 0 to QM_IDLE
*May 8 20:14:28.144: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 45FED9E4
*May 8 20:14:28.144: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*May 8 20:14:28.144: ISAKMP:(0):found peer pre-shared key matching 200.1.1.2
*May 8 20:14:28.144: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*May 8 20:14:28.144: ISAKMP:(0): constructed NAT-T vendor-07 ID
*May 8 20:14:28.144: ISAKMP:(0): constructed NAT-T vendor-03 ID
*May 8 20:14:28.144: ISAKMP:(0): constructed NAT-T vendor-02 ID
*May 8 20:14:28.144: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*May 8 20:14:28.144: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
*May 8 20:14:28.144: ISAKMP:(0): beginning Main Mode exchange
*May 8 20:14:28.144: ISAKMP:(0): sending packet to 200.1.1.2 my_port 500 peer_port 500 (I) MM_NO_STATE
*May 8 20:14:28.144: ISAKMP:(0):Sending an IKE IPv4 Packet.
*May 8 20:14:28.356: ISAKMP (0:0): received packet from 200.1.1.2 dport 500 sport 500 Global (I) MM_NO_STATE
*May 8 20:14:28.356: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*May 8 20:14:28.356: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2
*May 8 20:14:28.356: ISAKMP:(0): processing SA payload. message ID = 0
*May 8 20:14:28.356: ISAKMP:(0): processing vendor id payload
*May 8 20:14:28.356: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*May 8 20:14:28.356: ISAKMP (0:0): vendor ID is NAT-T v7
*May 8 20:14:28.356: ISAKMP:(0):found peer pre-shared key matching 200.1.1.2
*May 8 20:14:28.356: ISAKMP:(0): local preshared key found
*May 8 20:14:28.356: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*May 8 20:14:28.356: ISAKMP: encryption AES-CBC
*May 8 20:14:28.356: ISAKMP: keylength of 256
*May 8 20:14:28.356: ISAKMP: hash SHA
*May 8 20:14:28.356: ISAKMP: default group 5
*May 8 20:14:28.356: ISAKMP: auth pre-share
*May 8 20:14:28.356: ISAKMP: life type in seconds
*May 8 20:14:28.356: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*May 8 20:14:28.356: ISAKMP:(0):Encryption algorithm offered does not match policy!
*May 8 20:14:28.356: ISAKMP:(0):atts are not acceptable. Next payload is 0
*May 8 20:14:28.356: ISAKMP:(0):Checking ISAKMP transform 1 against priority 15 policy
*May 8 20:14:28.360: ISAKMP: encryption AES-CBC
*May 8 20:14:28.360: ISAKMP: keylength of 256
*May 8 20:14:28.360: ISAKMP: hash SHA
*May 8 20:14:28.360: ISAKMP: default group 5
*May 8 20:14:28.360: ISAKMP: auth pre-share
*May 8 20:14:28.360: ISAKMP: life type in seconds
*May 8 20:14:28.360: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*May 8 20:14:28.360: ISAKMP:(0):Encryption algorithm offered does not match policy!
*May 8 20:14:28.360: ISAKMP:(0):atts are not acceptable. Next payload is 0
*May 8 20:14:28.360: ISAKMP:(0):Checking ISAKMP transform 1 against priority 20 policy
*May 8 20:14:28.360: ISAKMP: encryption AES-CBC
*May 8 20:14:28.360: ISAKMP: keylength of 256
*May 8 20:14:28.360: ISAKMP: hash SHA
*May 8 20:14:28.360: ISAKMP: default group 5
*May 8 20:14:28.360: ISAKMP: auth pre-share
*May 8 20:14:28.360: ISAKMP: life type in seconds
*May 8 20:14:28.360: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*May 8 20:14:28.360: ISAKMP:(0):Diffie-Hellman group offered does not match policy!
*May 8 20:14:28.360: ISAKMP:(0):atts are not acceptable. Next payload is 0
*May 8 20:14:28.360: ISAKMP:(0):Checking ISAKMP transform 1 against priority 100 policy
*May 8 20:14:28.360: ISAKMP: encryption AES-CBC
*May 8 20:14:28.360: ISAKMP: keylength of 256
*May 8 20:14:28.360: ISAKMP: hash SHA
*May 8 20:14:28.360: ISAKMP: default group 5
*May 8 20:14:28.360: ISAKMP: auth pre-share
*May 8 20:14:28.360: ISAKMP: life type in seconds
*May 8 20:14:28.360: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*May 8 20:14:28.360: ISAKMP:(0):atts are acceptable. Next payload is 0
*May 8 20:14:28.360: ISAKMP:(0):Acceptable atts:actual life: 0
*May 8 20:14:28.360: ISAKMP:(0):Acceptable atts:life: 0
*May 8 20:14:28.360: ISAKMP:(0):Fill atts in sa vpi_length:4
*May 8 20:14:28.360: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
*May 8 20:14:28.360: ISAKMP:(0):Returning Actual lifetime: 86400
*May 8 20:14:28.360: ISAKMP:(0)::Started lifetime timer: 86400.
*May 8 20:14:28.360: ISAKMP:(0): processing vendor id payload
*May 8 20:14:28.360: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*May 8 20:14:28.360: ISAKMP (0:0): vendor ID is NAT-T v7
*May 8 20:14:28.360: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*May 8 20:14:28.360: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2
*May 8 20:14:28.360: ISAKMP:(0): sending packet to 200.1.1.2 my_port 500 peer_port 500 (I) MM_SA_SETUP
*May 8 20:14:28.360: ISAKMP:(0):Sending an IKE IPv4 Packet.
*May 8 20:14:28.360: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*May 8 20:14:28.360: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3
*May 8 20:14:28.580: ISAKMP (0:0): received packet from 200.1.1.2 dport 500 sport 500 Global (I) MM_SA_SETUP
*May 8 20:14:28.580: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*May 8 20:14:28.580: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4
*May 8 20:14:28.580: ISAKMP:(0): processing KE payload. message ID = 0
*May 8 20:14:28.672: ISAKMP:(0): processing NONCE payload. message ID = 0
*May 8 20:14:28.672: ISAKMP:(0):found peer pre-shared key matching 200.1.1.2
*May 8 20:14:28.672: ISAKMP:(6153): processing vendor id payload
*May 8 20:14:28.672: ISAKMP:(6153): vendor ID is Unity
*May 8 20:14:28.672: ISAKMP:(6153): processing vendor id payload
*May 8 20:14:28.672: ISAKMP:(6153): vendor ID is DPD
*May 8 20:14:28.672: ISAKMP:(6153): processing vendor id payload
*May 8 20:14:28.672: ISAKMP:(6153): speaking to another IOS box!
*May 8 20:14:28.672: ISAKMP (0:6153): NAT found, the node outside NAT
*May 8 20:14:28.672: ISAKMP:(6153):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*May 8 20:14:28.672: ISAKMP:(6153):Old State = IKE_I_MM4 New State = IKE_I_MM4
*May 8 20:14:28.672: ISAKMP:(6151):purging SA., sa=45291908, delme=45291908
*May 8 20:14:28.672: ISAKMP:(6153):Send initial contact
*May 8 20:14:28.672: ISAKMP:(6153):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*May 8 20:14:28.672: ISAKMP (0:6153): ID payload
next-payload : 8
type : 1
address : 200.1.1.1
protocol : 17
port : 0
length : 12
*May 8 20:14:28.672: ISAKMP:(6153):Total payload length: 12
*May 8 20:14:28.672: ISAKMP:(6153): sending packet to 200.1.1.2 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
*May 8 20:14:28.672: ISAKMP:(6153):Sending an IKE IPv4 Packet.
*May 8 20:14:28.676: ISAKMP:(6153):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*May 8 20:14:28.676: ISAKMP:(6153):Old State = IKE_I_MM4 New State = IKE_I_MM5
*May 8 20:14:33.780: %CRYPTO-4-IKMP_NO_SA: IKE message from 200.1.1.2 has no SA and is not an initialization offer
R1#
*May 8 20:14:38.672: ISAKMP:(6153): retransmitting phase 1 MM_KEY_EXCH...
*May 8 20:14:38.672: ISAKMP (0:6153): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*May 8 20:14:38.672: ISAKMP:(6153): retransmitting phase 1 MM_KEY_EXCH
*May 8 20:14:38.672: ISAKMP:(6153): sending packet to 200.1.1.2 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
*May 8 20:14:38.672: ISAKMP:(6153):Sending an IKE IPv4 Packet.
R1#
*May 8 20:14:48.664: ISAKMP:(6152):purging node 1194713063
*May 8 20:14:48.672: ISAKMP:(6153): retransmitting phase 1 MM_KEY_EXCH...
*May 8 20:14:48.672: ISAKMP (0:6153): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*May 8 20:14:48.672: ISAKMP:(6153): retransmitting phase 1 MM_KEY_EXCH
*May 8 20:14:48.672: ISAKMP:(6153): sending packet to 200.1.1.2 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
*May 8 20:14:48.672: ISAKMP:(6153):Sending an IKE IPv4 Packet.
R1#
*May 8 20:14:58.140: ISAKMP: local port 500, remote port 500
*May 8 20:14:58.140: ISAKMP: set new node 0 to QM_IDLE
*May 8 20:14:58.140: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 45FEE170
*May 8 20:14:58.140: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*May 8 20:14:58.140: ISAKMP:(0):found peer pre-shared key matching 200.1.1.2
*May 8 20:14:58.140: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*May 8 20:14:58.140: ISAKMP:(0): constructed NAT-T vendor-07 ID
*May 8 20:14:58.140: ISAKMP:(0): constructed NAT-T vendor-03 ID
*May 8 20:14:58.140: ISAKMP:(0): constructed NAT-T vendor-02 ID
*May 8 20:14:58.140: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*May 8 20:14:58.140: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
*May 8 20:14:58.140: ISAKMP:(0): beginning Main Mode exchange
*May 8 20:14:58.140: ISAKMP:(0): sending packet to 200.1.1.2 my_port 500 peer_port 500 (I) MM_NO_STATE
*May 8 20:14:58.140: ISAKMP:(0):Sending an IKE IPv4 Packet.
*May 8 20:14:58.352: ISAKMP (0:0): received packet from 200.1.1.2 dport 500 sport 500 Global (I) MM_NO_STATE
*May 8 20:14:58.352: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*May 8 20:14:58.352: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2
*May 8 20:14:58.352: ISAKMP:(0): processing SA payload. message ID = 0
*May 8 20:14:58.356: ISAKMP:(0): processing vendor id payload
*May 8 20:14:58.356: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*May 8 20:14:58.356: ISAKMP (0:0): vendor ID is NAT-T v7
*May 8 20:14:58.356: ISAKMP:(0):found peer pre-shared key matching 200.1.1.2
*May 8 20:14:58.356: ISAKMP:(0): local preshared key found
*May 8 20:14:58.356: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*May 8 20:14:58.356: ISAKMP: encryption AES-CBC
*May 8 20:14:58.356: ISAKMP: keylength of 256
*May 8 20:14:58.356: ISAKMP: hash SHA
*May 8 20:14:58.356: ISAKMP: default group 5
*May 8 20:14:58.356: ISAKMP: auth pre-share
*May 8 20:14:58.356: ISAKMP: life type in seconds
*May 8 20:14:58.356: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*May 8 20:14:58.356: ISAKMP:(0):Encryption algorithm offered does not match policy!
*May 8 20:14:58.356: ISAKMP:(0):atts are not acceptable. Next payload is 0
*May 8 20:14:58.356: ISAKMP:(0):Checking ISAKMP transform 1 against priority 15 policy
*May 8 20:14:58.356: ISAKMP: encryption AES-CBC
*May 8 20:14:58.356: ISAKMP: keylength of 256
*May 8 20:14:58.356: ISAKMP: hash SHA
*May 8 20:14:58.356: ISAKMP: default group 5
*May 8 20:14:58.356: ISAKMP: auth pre-share
*May 8 20:14:58.356: ISAKMP: life type in seconds
*May 8 20:14:58.356: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*May 8 20:14:58.356: ISAKMP:(0):Encryption algorithm offered does not match policy!
*May 8 20:14:58.356: ISAKMP:(0):atts are not acceptable. Next payload is 0
*May 8 20:14:58.356: ISAKMP:(0):Checking ISAKMP transform 1 against priority 20 policy
*May 8 20:14:58.356: ISAKMP: encryption AES-CBC
*May 8 20:14:58.356: ISAKMP: keylength of 256
*May 8 20:14:58.356: ISAKMP: hash SHA
*May 8 20:14:58.356: ISAKMP: default group 5
*May 8 20:14:58.356: ISAKMP: auth pre-share
*May 8 20:14:58.356: ISAKMP: life type in seconds
*May 8 20:14:58.356: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*May 8 20:14:58.356: ISAKMP:(0):Diffie-Hellman group offered does not match policy!
*May 8 20:14:58.356: ISAKMP:(0):atts are not acceptable. Next payload is 0
*May 8 20:14:58.356: ISAKMP:(0):Checking ISAKMP transform 1 against priority 100 policy
*May 8 20:14:58.356: ISAKMP: encryption AES-CBC
*May 8 20:14:58.356: ISAKMP: keylength of 256
*May 8 20:14:58.356: ISAKMP: hash SHA
*May 8 20:14:58.356: ISAKMP: default group 5
*May 8 20:14:58.356: ISAKMP: auth pre-share
*May 8 20:14:58.356: ISAKMP: life type in seconds
*May 8 20:14:58.356: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*May 8 20:14:58.356: ISAKMP:(0):atts are acceptable. Next payload is 0
*May 8 20:14:58.356: ISAKMP:(0):Acceptable atts:actual life: 0
*May 8 20:14:58.356: ISAKMP:(0):Acceptable atts:life: 0
*May 8 20:14:58.356: ISAKMP:(0):Fill atts in sa vpi_length:4
*May 8 20:14:58.356: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
*May 8 20:14:58.356: ISAKMP:(0):Returning Actual lifetime: 86400
*May 8 20:14:58.356: ISAKMP:(0)::Started lifetime timer: 86400.
*May 8 20:14:58.356: ISAKMP:(0): processing vendor id payload
*May 8 20:14:58.356: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*May 8 20:14:58.356: ISAKMP (0:0): vendor ID is NAT-T v7
*May 8 20:14:58.356: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*May 8 20:14:58.356: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2
*May 8 20:14:58.356: ISAKMP:(0): sending packet to 200.1.1.2 my_port 500 peer_port 500 (I) MM_SA_SETUP
*May 8 20:14:58.356: ISAKMP:(0):Sending an IKE IPv4 Packet.
*May 8 20:14:58.360: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*May 8 20:14:58.360: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3
*May 8 20:14:58.580: ISAKMP (0:0): received packet from 200.1.1.2 dport 500 sport 500 Global (I) MM_SA_SETUP
*May 8 20:14:58.580: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*May 8 20:14:58.580: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4
*May 8 20:14:58.580: ISAKMP:(0): processing KE payload. message ID = 0
*May 8 20:14:58.668: ISAKMP:(0): processing NONCE payload. message ID = 0
*May 8 20:14:58.668: ISAKMP:(0):found peer pre-shared key matching 200.1.1.2
*May 8 20:14:58.668: ISAKMP:(6154): processing vendor id payload
*May 8 20:14:58.668: ISAKMP:(6154): vendor ID is Unity
*May 8 20:14:58.668: ISAKMP:(6154): processing vendor id payload
*May 8 20:14:58.668: ISAKMP:(6154): vendor ID is DPD
*May 8 20:14:58.668: ISAKMP:(6154): processing vendor id payload
*May 8 20:14:58.668: ISAKMP:(6154): speaking to another IOS box!
*May 8 20:14:58.668: ISAKMP (0:6154): NAT found, the node outside NAT
*May 8 20:14:58.668: ISAKMP:(6154):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*May 8 20:14:58.668: ISAKMP:(6154):Old State = IKE_I_MM4 New State = IKE_I_MM4
*May 8 20:14:58.668: ISAKMP:(6152):purging SA., sa=45FEB894, delme=45FEB894
*May 8 20:14:58.668: ISAKMP:(6154):Send initial contact
*May 8 20:14:58.668: ISAKMP:(6154):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*May 8 20:14:58.668: ISAKMP (0:6154): ID payload
next-payload : 8
type : 1
address : 200.1.1.1
protocol : 17
port : 0
length : 12
*May 8 20:14:58.668: ISAKMP:(6154):Total payload length: 12
*May 8 20:14:58.672: ISAKMP:(6154): sending packet to 200.1.1.2 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
*May 8 20:14:58.672: ISAKMP:(6154):Sending an IKE IPv4 Packet.
*May 8 20:14:58.672: ISAKMP:(6154):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*May 8 20:14:58.672: ISAKMP:(6154):Old State = IKE_I_MM4 New State = IKE_I_MM5
*May 8 20:14:58.672: ISAKMP:(6153): retransmitting phase 1 MM_KEY_EXCH...
*May 8 20:14:58.672: ISAKMP (0:6153): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
*May 8 20:14:58.672: ISAKMP:(6153): retransmitting phase 1 MM_KEY_EXCH
*May 8 20:14:58.672: ISAKMP:(6153): sending packet to 200.1.1.2 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
*May 8 20:14:58.672: ISAKMP:(6153):Sending an IKE IPv4 Packet.
R2 DEBUGS:
R2#debug crypto isakmp
Crypto ISAKMP debugging is on
R2#
May 8 15:17:52 CDT: ISAKMP: set new node 0 to QM_IDLE
May 8 15:17:52 CDT: ISAKMP:(0:1991:SW:1): sitting IDLE. Starting QM immediately (QM_IDLE )
May 8 15:17:52 CDT: ISAKMP:(0:1991:SW:1):beginning Quick Mode exchange, M-ID of -1574699992
May 8 15:17:52 CDT: ISAKMP:(0:1991:SW:1): sending packet to 200.1.1.1 my_port 4500 peer_port 4500 (R) QM_IDLE
May 8 15:17:52 CDT: ISAKMP:(0:1991:SW:1):Node -1574699992, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
May 8 15:17:52 CDT: ISAKMP:(0:1991:SW:1):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
May 8 15:17:52 CDT: ISAKMP:(0:1990:SW:1):purging SA., sa=64E62620, delme=64E62620
May 8 15:17:57 CDT: ISAKMP (0:134219719): received packet from 200.1.1.1 dport 4500 sport 4500 Global (R) QM_IDLE
May 8 15:17:57 CDT: ISAKMP:(0:1991:SW:1): phase 1 packet is a duplicate of a previous packet.
May 8 15:17:57 CDT: ISAKMP:(0:1991:SW:1): retransmitting due to retransmit phase 1
May 8 15:17:58 CDT: ISAKMP:(0:1991:SW:1): retransmitting phase 1 QM_IDLE ...
May 8 15:17:58 CDT: ISAKMP (0:134219719): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
May 8 15:17:58 CDT: ISAKMP:(0:1991:SW:1): retransmitting phase 1 QM_IDLE
May 8 15:17:58 CDT: ISAKMP:(0:1991:SW:1): sending packet to 200.1.1.1 my_port 4500 peer_port 4500 (R) QM_IDLE
May 8 15:18:02 CDT: ISAKMP:(0:1991:SW:1): retransmitting phase 2 QM_IDLE -1574699992 ...
May 8 15:18:02 CDT: ISAKMP (0:134219719): incrementing error counter on node, attempt 1 of 5: retransmit phase 2
May 8 15:18:02 CDT: ISAKMP (0:134219719): incrementing error counter on sa, attempt 2 of 5: retransmit phase 2
May 8 15:18:02 CDT: ISAKMP:(0:1991:SW:1): retransmitting phase 2 -1574699992 QM_IDLE
May 8 15:18:02 CDT: ISAKMP:(0:1991:SW:1): sending packet to 200.1.1.1 my_port 4500 peer_port 4500 (R) QM_IDLE
May 8 15:18:07 CDT: ISAKMP (0:134219719): received packet from 200.1.1.1 dport 4500 sport 4500 Global (R) QM_IDLE
May 8 15:18:07 CDT: ISAKMP:(0:1991:SW:1): phase 1 packet is a duplicate of a previous packet.
May 8 15:18:07 CDT: ISAKMP:(0:1991:SW:1): retransmitting due to retransmit phase 1
May 8 15:18:08 CDT: ISAKMP:(0:1991:SW:1): retransmitting phase 1 QM_IDLE ...
May 8 15:18:08 CDT: ISAKMP (0:134219719): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
May 8 15:18:08 CDT: ISAKMP:(0:1991:SW:1): retransmitting phase 1 QM_IDLE
May 8 15:18:08 CDT: ISAKMP:(0:1991:SW:1): sending packet to 200.1.1.1 my_port 4500 peer_port 4500 (R) QM_IDLE
May 8 15:18:12 CDT: ISAKMP:(0:1991:SW:1): retransmitting phase 2 QM_IDLE -1574699992 ...
May 8 15:18:12 CDT: ISAKMP (0:134219719): incrementing error counter on node, attempt 2 of 5: retransmit phase 2
May 8 15:18:12 CDT: ISAKMP (0:134219719): incrementing error counter on sa, attempt 4 of 5: retransmit phase 2
May 8 15:18:12 CDT: ISAKMP:(0:1991:SW:1): retransmitting phase 2 -1574699992 QM_IDLE
May 8 15:18:12 CDT: ISAKMP:(0:1991:SW:1): sending packet to 200.1.1.1 my_port 4500 peer_port 4500 (R) QM_IDLE
May 8 15:18:17 CDT: ISAKMP: local port 500, remote port 500
May 8 15:18:17 CDT: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 64E62620
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0):Old State = IKE_READY New State = IKE_R_MM1
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0): processing SA payload. message ID = 0
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0): processing vendor id payload
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 69 mismatch
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0): processing vendor id payload
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 245 mismatch
May 8 15:18:17 CDT: ISAKMP (0:0): vendor ID is NAT-T v7
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0): processing vendor id payload
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 157 mismatch
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v3
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0): processing vendor id payload
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 123 mismatch
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v2
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 200.1.1.1
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0): local preshared key found
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 5 policy
May 8 15:18:17 CDT: ISAKMP: encryption DES-CBC
May 8 15:18:17 CDT: ISAKMP: hash SHA
May 8 15:18:17 CDT: ISAKMP: default group 1
May 8 15:18:17 CDT: ISAKMP: auth pre-share
May 8 15:18:17 CDT: ISAKMP: life type in seconds
May 8 15:18:17 CDT: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 2 against priority 5 policy
May 8 15:18:17 CDT: ISAKMP: encryption 3DES-CBC
May 8 15:18:17 CDT: ISAKMP: hash SHA
May 8 15:18:17 CDT: ISAKMP: default group 2
May 8 15:18:17 CDT: ISAKMP: auth pre-share
May 8 15:18:17 CDT: ISAKMP: life type in seconds
May 8 15:18:17 CDT: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 3 against priority 5 policy
May 8 15:18:17 CDT: ISAKMP: encryption AES-CBC
May 8 15:18:17 CDT: ISAKMP: keylength of 256
May 8 15:18:17 CDT: ISAKMP: hash SHA
May 8 15:18:17 CDT: ISAKMP: default group 2
May 8 15:18:17 CDT: ISAKMP: auth pre-share
May 8 15:18:17 CDT: ISAKMP: life type in seconds
May 8 15:18:17 CDT: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0):Diffie-Hellman group offered does not match policy!
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 4 against priority 5 policy
May 8 15:18:17 CDT: ISAKMP: encryption AES-CBC
May 8 15:18:17 CDT: ISAKMP: keylength of 256
May 8 15:18:17 CDT: ISAKMP: hash SHA
May 8 15:18:17 CDT: ISAKMP: default group 5
May 8 15:18:17 CDT: ISAKMP: auth pre-share
May 8 15:18:17 CDT: ISAKMP: life type in seconds
May 8 15:18:17 CDT: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 3
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): processing vendor id payload
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): vendor ID seems Unity/DPD but major 69 mismatch
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): processing vendor id payload
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): vendor ID seems Unity/DPD but major 245 mismatch
May 8 15:18:17 CDT: ISAKMP (0:134219720): vendor ID is NAT-T v7
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): processing vendor id payload
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): vendor ID seems Unity/DPD but major 157 mismatch
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): vendor ID is NAT-T v3
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): processing vendor id payload
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): vendor ID seems Unity/DPD but major 123 mismatch
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): vendor ID is NAT-T v2
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):Old State = IKE_R_MM1 New State = IKE_R_MM1
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): constructed NAT-T vendor-07 ID
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): sending packet to 200.1.1.1 my_port 500 peer_port 500 (R) MM_SA_SETUP
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):Old State = IKE_R_MM1 New State = IKE_R_MM2
May 8 15:18:17 CDT: ISAKMP (0:134219720): received packet from 200.1.1.1 dport 500 sport 500 Global (R) MM_SA_SETUP
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):Old State = IKE_R_MM2 New State = IKE_R_MM3
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): processing KE payload. message ID = 0
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): processing NONCE payload. message ID = 0
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):found peer pre-shared key matching 200.1.1.1
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):SKEYID state generated
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): processing vendor id payload
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): vendor ID is Unity
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): processing vendor id payload
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): vendor ID is DPD
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): processing vendor id payload
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): speaking to another IOS box!
May 8 15:18:17 CDT: ISAKMP (0:134219720): NAT found, the node inside NAT
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):Old State = IKE_R_MM3 New State = IKE_R_MM3
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): sending packet to 200.1.1.1 my_port 500 peer_port 500 (R) MM_KEY_EXCH
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):Old State = IKE_R_MM3 New State = IKE_R_MM4
May 8 15:18:17 CDT: ISAKMP (0:134219719): received packet from 200.1.1.1 dport 4500 sport 4500 Global (R) QM_IDLE
May 8 15:18:17 CDT: ISAKMP:(0:1991:SW:1): phase 1 packet is a duplicate of a previous packet.
May 8 15:18:17 CDT: ISAKMP:(0:1991:SW:1): retransmitting due to retransmit phase 1
May 8 15:18:17 CDT: ISAKMP (0:134219720): received packet from 200.1.1.1 dport 4500 sport 4500 Global (R) MM_KEY_EXCH
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):Old State = IKE_R_MM4 New State = IKE_R_MM5
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): processing ID payload. message ID = 0
May 8 15:18:17 CDT: ISAKMP (0:134219720): ID payload
next-payload : 8
type : 1
address : 200.1.1.1
protocol : 17
port : 0
length : 12
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):: peer matches *none* of the profiles
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): processing HASH payload. message ID = 0
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): processing NOTIFY INITIAL_CONTACT protocol 1
spi 0, message ID = 0, sa = 64E62620
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):SA authentication status:
authenticated
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): Process initial contact,
bring down existing phase 1 and 2 SA's with local 10.64.11.253 remote 200.1.1.1 remote port 4500
May 8 15:18:17 CDT: ISAKMP:(0:1991:SW:1):received initial contact, deleting SA
May 8 15:18:17 CDT: ISAKMP:(0:1991:SW:1):peer does not do paranoid keepalives.
May 8 15:18:17 CDT: ISAKMP:(0:1991:SW:1):deleting SA reason "Receive initial contact" state (R) QM_IDLE (peer 200.1.1.1)
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):SA authentication status:
authenticated
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):SA has been authenticated with 200.1.1.1
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):Detected port floating to port = 4500
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):Setting UDP ENC peer struct 0x0 sa= 0x64E62620
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):Old State = IKE_R_MM5 New State = IKE_R_MM5
May 8 15:18:17 CDT: ISAKMP: set new node 231359858 to QM_IDLE
May 8 15:18:17 CDT: ISAKMP:(0:1991:SW:1): sending packet to 200.1.1.1 my_port 4500 peer_port 4500 (R) QM_IDLE
May 8 15:18:17 CDT: ISAKMP:(0:1991:SW:1):purging node 231359858
May 8 15:18:17 CDT: ISAKMP:(0:1991:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
May 8 15:18:17 CDT: ISAKMP:(0:1991:SW:1):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
May 8 15:18:17 CDT: ISAKMP (0:134219720): ID payload
next-payload : 8
type : 1
address : 10.64.11.253
protocol : 17
port : 0
length : 12
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):Total payload length: 12
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): sending packet to 200.1.1.1 my_port 4500 peer_port 4500 (R) MM_KEY_EXCH
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
May 8 15:18:17 CDT: ISAKMP:(0:1991:SW:1):deleting SA reason "No reason" state (R) QM_IDLE (peer 200.1.1.1)
May 8 15:18:17 CDT: ISAKMP:(0:1991:SW:1):deleting node -1574699992 error FALSE reason "IKE deleted"
May 8 15:18:17 CDT: ISAKMP:(0:1991:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
May 8 15:18:17 CDT: ISAKMP:(0:1991:SW:1):Old State = IKE_DEST_SA New State = IKE_DEST_SA
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
R2#
May 8 15:18:22 CDT: ISAKMP: set new node 0 to QM_IDLE
May 8 15:18:22 CDT: ISAKMP:(0:1992:SW:1): sitting IDLE. Starting QM immediately (QM_IDLE )
May 8 15:18:22 CDT: ISAKMP:(0:1992:SW:1):beginning Quick Mode exchange, M-ID of 1324849371
May 8 15:18:22 CDT: ISAKMP:(0:1992:SW:1): sending packet to 200.1.1.1 my_port 4500 peer_port 4500 (R) QM_IDLE
May 8 15:18:22 CDT: ISAKMP:(0:1992:SW:1):Node 1324849371, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
May 8 15:18:22 CDT: ISAKMP:(0:1992:SW:1):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
May 8 15:18:27 CDT: ISAKMP (0:134219719): received packet from 200.1.1.1 dport 4500 sport 4500 Global (R) MM_NO_STATE
May 8 15:18:27 CDT: ISAKMP (0:134219720): received packet from 200.1.1.1 dport 4500 sport 4500 Global (R) QM_IDLE
May 8 15:18:27 CDT: ISAKMP:(0:1992:SW:1): phase 1 packet is a duplicate of a previous packet.
May 8 15:18:27 CDT: ISAKMP:(0:1992:SW:1): retransmitting due to retransmit phase 1
May 8 15:18:28 CDT: ISAKMP:(0:1992:SW:1): retransmitting phase 1 QM_IDLE ...
May 8 15:18:28 CDT: ISAKMP (0:134219720): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
May 8 15:18:28 CDT: ISAKMP:(0:1992:SW:1): retransmitting phase 1 QM_IDLE
May 8 15:18:28 CDT: ISAKMP:(0:1992:SW:1): sending packet to 200.1.1.1 my_port 4500 peer_port 4500 (R) QM_IDLE
R2#
May 8 15:18:32 CDT: ISAKMP:(0:1992:SW:1): retransmitting phase 2 QM_IDLE 1324849371 ...
May 8 15:18:32 CDT: ISAKMP (0:134219720): incrementing error counter on node, attempt 1 of 5: retransmit phase 2
May 8 15:18:32 CDT: ISAKMP (0:134219720): incrementing error counter on sa, attempt 2 of 5: retransmit phase 2
May 8 15:18:32 CDT: ISAKMP:(0:1992:SW:1): retransmitting phase 2 1324849371 QM_IDLE
May 8 15:18:32 CDT: ISAKMP:(0:1992:SW:1): sending packet to 200.1.1.1 my_port 4500 peer_port 4500 (R) QM_IDLE
R2#
May 8 15:18:37 CDT: ISAKMP (0:134219719): received packet from 200.1.1.1 dport 4500 sport 4500 Global (R) MM_NO_STATE
May 8 15:18:37 CDT: ISAKMP (0:134219720): received packet from 200.1.1.1 dport 4500 sport 4500 Global (R) QM_IDLE
May 8 15:18:37 CDT: ISAKMP:(0:1992:SW:1): phase 1 packet is a duplicate of a previous packet.
May 8 15:18:37 CDT: ISAKMP:(0:1992:SW:1): retransmitting due to retransmit phase 1
May 8 15:18:38 CDT: ISAKMP:(0:1992:SW:1): retransmitting phase 1 QM_IDLE ...
May 8 15:18:38 CDT: ISAKMP (0:134219720): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
R2#
R2#
May 8 15:18:38 CDT: ISAKMP:(0:1992:SW:1): retransmitting phase 1 QM_IDLE
May 8 15:18:38 CDT: ISAKMP:(0:1992:SW:1): sending packet to 200.1.1.1 my_port 4500 peer_port 4500 (R) QM_IDL -
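An added example, not part of the original post and not Cisco tooling: a small parser for `debug crypto isakmp` output like the debugs above. It pairs each offered transform with the local policy it was checked against and records why it was rejected or accepted. The sample lines are constructed in the format shown on this page, and the weak-algorithm sets are an assumed site policy.

```python
import re

# Constructed sample, abridged from the debug format shown above.
SAMPLE = """\
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 5 policy
May 8 15:18:17 CDT: ISAKMP: encryption DES-CBC
May 8 15:18:17 CDT: ISAKMP: hash SHA
May 8 15:18:17 CDT: ISAKMP: default group 1
May 8 15:18:17 CDT: ISAKMP: auth pre-share
May 8 15:18:17 CDT: ISAKMP: life type in seconds
May 8 15:18:17 CDT: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 3 against priority 5 policy
May 8 15:18:17 CDT: ISAKMP: encryption AES-CBC
May 8 15:18:17 CDT: ISAKMP: keylength of 256
May 8 15:18:17 CDT: ISAKMP: default group 2
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0):Diffie-Hellman group offered does not match policy!
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 4 against priority 5 policy
May 8 15:18:17 CDT: ISAKMP: encryption AES-CBC
May 8 15:18:17 CDT: ISAKMP: keylength of 256
May 8 15:18:17 CDT: ISAKMP: hash SHA
May 8 15:18:17 CDT: ISAKMP: default group 5
May 8 15:18:17 CDT: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 3
May 8 15:18:40 CDT: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 5 policy
May 8 15:18:40 CDT: ISAKMP: encryption AES-CBC
""".splitlines()  # the last negotiation is deliberately cut off

CHECK = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
ATTRS = {  # attribute lines carry no SA id, e.g. "ISAKMP: encryption AES-CBC"
    "encryption": re.compile(r"ISAKMP:\s+encryption (\S+)"),
    "keylength": re.compile(r"ISAKMP:\s+keylength of (\d+)"),
    "hash": re.compile(r"ISAKMP:\s+hash (\S+)"),
    "group": re.compile(r"ISAKMP:\s+default group (\d+)"),
    "auth": re.compile(r"ISAKMP:\s+auth (\S+)"),
}
LIFE = re.compile(r"life duration \(VPI\) of ((?:0x[0-9A-Fa-f]+\s*)+)")
REJECT = re.compile(r":([^:]+?) offered does not match policy!")

# Assumed site policy for this example; adjust to your own baseline.
WEAK_ENC = {"DES-CBC", "3DES-CBC"}
WEAK_GROUPS = {1, 2}


def parse_negotiation(lines):
    """Return one dict per (transform, policy) comparison, in log order."""
    results, cur = [], None
    for line in lines:
        m = CHECK.search(line)
        if m:
            cur = {"transform": int(m[1]), "priority": int(m[2]), "verdict": None}
            results.append(cur)
            continue
        if cur is None or cur["verdict"] is not None:
            continue  # outside a comparison, or verdict already recorded
        m = REJECT.search(line)
        if m:
            cur["verdict"] = "rejected: " + m[1].strip()
        elif "atts are acceptable" in line:
            cur["verdict"] = "accepted"
        elif (m := LIFE.search(line)):
            secs = 0
            for byte in m[1].split():  # big-endian bytes: 00 01 51 80
                secs = secs * 256 + int(byte, 16)
            cur["lifetime_s"] = secs
        else:
            for name, rx in ATTRS.items():
                m = rx.search(line)
                if m:
                    cur[name] = int(m[1]) if m[1].isdigit() else m[1]
                    break
    return results


def weak_offers(results):
    """List (transform number, reasons) for offers below the assumed baseline."""
    findings = []
    for r in results:
        why = []
        if r.get("encryption") in WEAK_ENC:
            why.append(r["encryption"])
        if r.get("group") in WEAK_GROUPS:
            why.append(f"group {r['group']}")
        if why:
            findings.append((r["transform"], why))
    return findings


if __name__ == "__main__":
    parsed = parse_negotiation(SAMPLE)
    for r in parsed:
        print(r["transform"], r["priority"], r["verdict"] or "incomplete (log cut off)")
    print("weak offers:", weak_offers(parsed))
```

A comparison whose verdict is `None` means the log ended before the router logged a result, which is worth separating from a real rejection when reading truncated captures.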
Hi.
I'm setting up the remote site side of a VPN and can only find the IKE Phase 1 settings in ASDM. Can someone tell me where I can find the phase 2 settings? Thanks.
Which ASDM version are you using? If you are using 6.4 or above, you can use the link below to configure it:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080bb8500.shtml#hq-asa
If you have an older version of ASDM, you can use the link below:
http://www.cisco.com/en/US/docs/security/pix/pix72/quick/guide/sitvpn_p.html -
You seem not to understand what I mean and what problem I'm having. I still have my payment receipt from October of this year, when I bought 9 songs in the iTunes Store from my iPhone 4S. The problem is that of the 9 songs I paid for, only 7 are still available in this list on my iPhone. There is no possibility to download the other 2 without paying for them. I spoke to the lady from Mississippi on the phone 2 days ago for about 2 hours, calling from Belgium, but unfortunately she couldn't help me. It's the 3rd time I have complained about this. How many times shall I pay for the same songs? If you can access my music list and my past payment receipts, you will be able to find out what I mean. I went back on iTunes and found the songs I already downloaded in October that should be on my playlist, but if I click on them it will charge me 0,99 cents again. I have been using the same Apple ID with my iPhones for 3 years. I just want to get my songs back without having to pay for them twice or 3 times.
1. iTunes won't offer cloud downloads for songs that it "thinks" are in your library, even if it "knows" the files are missing. If you've exhaustively searched for the missing files and there is no prospect of repair by restoring them to their original locations, or connecting to new ones, then delete the tracks that display both the missing exclamation mark and are of media kind Purchased/Protected AAC audio file. Don't hide from iTunes in the cloud when asked, close iTunes, then reopen. You can download from the cloud links or iTunes Store > Quicklinks > Purchased > Music > Not on this computer > All songs > Download all.
2. Why? Not sure, perhaps 3rd party tools or accidental key presses combined with previously hidden warning messages when trying to organize the library. There is a hint that using the feature to downsample media as it is synced to a device may also be involved, though I've not replicated it. Whatever the reason a backup would protect your media.
tt2 -
Now, I understand how the backup and restore the backup features function. However, if I don't want to transfer the music that I have on iTunes to my phone, how do I avoid it? How do I not transfer the music or take it out of my iPhone if it is already there? I really do not want any music on my iPhone because I have an iPod for that. Thanks. Hope someone can help.
When you connect your phone and start iTunes, on the left side you will see your phone listed under devices. Click on the icon next to it that looks like a battery. Click on the music button at the top and uncheck the sync music box.
-
Need some help in understanding Capturing Phase.
Hi,
I have some confusion in understanding the Capturing Phase.
I have described a scenario below; please let me know whether this would be an example of the Capturing Phase.
Assume I have a Form containing a Button inside an Application Container.
When the Button is clicked on the Form, if I add an Event Listener using this.addEventListener(MouseEvent.click , callMe)
Will this be an example of a Capturing Phase?
Please guide me
addEventListener(MouseEvent.CLICK, callMe, true)
-
ATTN: Oracle North American Payroll Customers: End of Year Phase 1 and Q3 2007 Statutory Update Released!
Dear Oracle North American HCM Customer,
North American End of Year Phase 1 and the United States (US) Third
Quarter Statutory Updates (Q3), 2007 have been released!
US Q3 2007 Statutory Update patch numbers:
* R11i: 6155000
* R12: 6155000
*Note – FPK RUP2 is not required for the US Q3 2007 Statutory Update
End of Year Phase 1 (includes Q3 Statutory Update) patch numbers:
* R11i: 6133333
* R12: 6133333 (targeted for October 8th release)
We would like to make you aware of several important points. Please read
this entire note carefully.
1. US Q3 2007 Statutory Update highlights
2. End of Year Phase 1 highlights
3. Other Important Notes
4. Lifetime Support Policy: Coverage for Applications
5. R11i HRMS Product Information
6. Payroll Recommended Patches
7. HR Recommended Patches
8. Other Information
A. US Q3 2007 Statutory Update highlights
* JIT and School District Updates
* Miscellaneous Statutory Bug Fixes
Please see the readmes on Metalink for full details:
3rd Qtr 2007 US Payroll Readme for Rel 11i – Note: 458431.1
B. End of Year Phase 1 highlights
US:
* JIT/Geocode updates
* Annual Geocode Patch Released
o Patch 6117000 11i one-off released 04-Sep-2007
o Included in EOY Phase 1
o Readme Note: 456835.1
* Wage Accumulation
o Significant enhancement to the way the application
accumulates wages for reporting
o Joint project with Vertex to enhance processing of
reciprocity rules at state and local levels
o Changes within the Vertex engine allow for improved handling
of multiple work jurisdictions
o Provides users with the ability to control how work taxes
affect taxes at residence locations and if wages should be
accumulated at employee’s residence location
o Readme Note: 460678.1
Note: Quantum 2.9.1 will be the pre-requisite for End of Year 2007 processing
Additional Updates included in 2.9.1:
o 5520588 – Resident State Tax Not given credit for Work State
County Tax Withheld (Lives in NY works where ‘local’ tax is
withheld)
o 5897764 - FIT W/H Should be 35% After $1M Supplemental Wages
even if Employee is Exempt
o 5937604 - Delaware state income tax is being over-withheld
on the second (and subsequent) supplemental payments in the
same pay period.
o 5730236 - YTD EI Deduction Stopped at 729.29 INSTEAD OF 729.30
Evergreen Forms:
The following forms are available from Evergreen for W-2s and 1099-Rs
* Blank perforated W-2 #5208 Window envelope 4444-1
* Blank perforated 1099-R #5179 Window envelope 6161-1
* Preprinted W-2 #5218 Window envelope 5151-1
* Preprinted 1099-R #7159-4 Window envelope 7777-1
**Note: This is the last year we will support the preprinted W-2 and
1099R. For EOY 2008 we will only support the pdf version of these two
reports that print on blank forms.
Customers can order forms at 800-248-2898 or go to www.evergrn.com
RR Donnelley (formerly Moore) Forms:
The following forms are available from RR Donnelley (formerly Moore) for
W-2s and 1099-Rs
* Blank perforated W-2 (with printed instructions on back) -
LW28700BW (50 PK)
* Blank perforated W-2 (with printed instructions on back) -
LW28700B (2000 BULK)
* Blank perforated W-2 (blank on back) - LW28700BLANKW (50 PK)
* Blank perforated W-2 (blank on back) - LW28700BLANK (2000 BULK)
* Window envelope for W-2 - 7987E
* Blank perforated 1099R (with printed instructions on back) - LR4UPB
(50 PK)
* Blank perforated 1099R (with printed instructions on back) -
LR4UPBBULK (2000 BULK)
* Blank perforated 1099R (blank on back) - L4UPBLANK (50 PK)
* Blank perforated 1099R (blank on back) - L4UPBLANKBULK (2000 BULK)
* Window envelope for 1099R - DW4ALT
Customers can order forms at 877-526-3885 – reference Oracle customer #
521836
Canada:
* Miscellaneous Bug Fixes
Mexico:
* Miscellaneous Bug Fixes
Please see the readme on Metalink for full details:
US 2007 Payroll Year End Phase 1 Readme Rel 11i Note 456990.1
US 2007 Payroll Year End Phase 1 Readme Rel 12 Note 456991.1
MX 2007 Payroll Year End Phase 1 Readme Rel 11i NOTE.458559.1
MX 2007 Payroll Year End Phase 1 Readme Rel 12 NOTE.458566.1
CA 2007 Payroll Year End Phase 1 Readme Rel 11i NOTE.458561.1
CA 2007 Payroll Year End Phase 1 Readme Rel 12 NOTE.458563.1
C. Other Important Notes
US Check/Deposit Advice XML
There are some additional dependencies for this patch that were not
originally communicated. Applying the EOY Phase 1 patch first satisfies
these dependencies. If there is a need to apply this patch prior to
applying EOY Phase 1 we are exploring possible alternative
pre-requisites and will send out a notice late next week with more
information.
* 11i one-off Patch 6399100 released 21-Sep-2007
* R12 will be part of Release Update (RUP) 12.0.4
Oracle will de-support the Live Checkwriter and Deposit Advice for US
and Canada beginning with 2007 EOY Phase 1. Archive Checkwriter and
Deposit Advice will continue to be supported. What this means is that
new code changes and bug fixes will not be tested on the Live
Checkwriter and Deposit Advice. Additionally, enhancements made to the
Archive version will NOT be made for the Live version.
Desupport of Standard Tax Interface
Oracle no longer supports the Standard Tax interface. Taxes will
continue to be calculated and tax rate changes from the Vertex Data
Updates will continue. New code changes and bug fixes will not be tested
on the Standard Interface and we cannot guarantee that all functionality
will continue to work. Additionally, enhancements made to taxes will NOT
be made for the Standard Tax Interface. We strongly recommend that you
upgrade immediately to the Enhanced Tax interface.
Vertex Customer Café:
The Customer Café is a comprehensive online information source
specifically for Vertex customers. It’s easier than ever to get the
support and information you need to maximize your investment in Vertex
products. Some of the many benefits to using the Customer Café include:
o Access to monthly data download files, release bulletins, schedules
and considerations.
o Early notification bulletins, late rate notifications, and support
notices.
o Online Knowledge Center that provides quick answers to questions and
issues.
o Online inquiry submission
o Access to fully-indexed online documentation for all Vertex software
products.
o Easy access to Vertex software training information and registration.
To register for the Customer Café, just visit the Vertex website at
www.vertexinc.com.
Year End Information for Payroll:
Family pack K rollup 2 (5337777) is mandatory for R11i Year End and is a
pre-requisite for Year End Phase 1. This patch was released on Friday,
June 22, 2007.
The R12 RUP (12.0.2) is mandatory for year end for R12
For the complete R12 Payroll Mandatory Patch List see Metalink Note 386434.1
For the complete R11i Payroll Mandatory Patch List see Metalink Note
111499.1
<http://metalink.oracle.com/metalink/plsql/showdoc?db=NOT&id=111499.1>
For additional non-mandatory North American Payroll patches see Metalink
Note 74292.1
<http://metalink.oracle.com/metalink/plsql/showdoc?db=NOT&id=74292.1>
D. Lifetime Support Policy: Coverage for Applications
Important Reminder:
Please pay attention to the Oracle E-Business Suite Support dates for
your point release. Statutory or regulatory updates are not available
beyond the ‘Extended Support Date’.
11.5.7 came out of Premier Support in May 2007
11.5.8 will come out of Premier Support in Nov 2007
11.5.9 will come out of Premier Support in Jun 2008
Extended Support has not been offered for 11.5.7, 11.5.8 or 11.5.9
Premier and Extended Support include - Tax legal and regulatory updates
Sustaining Support Does NOT include new tax, legal, and regulatory updates.
For the full definitions of what this means to an 11.5.7/11.5.8 customer
please read the full fact sheet available at:-
http://www.oracle.com/support/library/data-sheet/oracle-lifetime-support-policy-datasheet.pdf
*NOTE: For 2007 Payroll Year End, minimally you will need to be on 11.5.9.
E. R11i HRMS Product Information
For the latest Oracle HRMS Product Family - Release 11i Information,
please see Metalink Note:135266.1
This page contains important information including:
* High Priority Alerts
* Mandatory Patches
* Family Packs and Minipacks
* Latest Legislative Data - hrglobal.drv
* Maintenance Pack Information
F. Payroll Recommended Patches
The Payroll recommended patch spreadsheet Metalink Note 74292.1 contains
additional features and functions.
G. HR Recommended Patches
The HR Recommended spreadsheet contains a list of patches needed to be
in compliance for HR Statutory reporting i.e. EEO-1, VETS-100 etc.
The spreadsheet is located on Metalink in Note number: 273196.1
H. Other Information
1. MetaLink - http://metalink.oracle.com
MetaLink is a customer resource provided by Oracle World-wide Support.
The Applications section of Metalink contains all the latest product
documentation and documentation updates for Oracle’s products.
2. Payroll World
Payroll World is an email distribution list for North American Oracle
Payroll customers used to quickly disseminate information regarding
product updates, patches, and statutory changes. To be added to this
email distribution list, send e-mail to: [email protected]
Subject: Oracle North American Payroll World Contact Update with your
contact name, CSI number, and company name
3. Metalink Service Request profiles:
Please update all Service Request profiles on Metalink with any updates
to Database Version, Product Version, and/or contact information
Metalink->UserProfile button
4. Information for NEW North American Payroll customers:
A pamphlet is available for all North American Payroll customers
explaining Vertex, Payroll World, SIG's, etc.
The North American Payroll Handout document can be located in Metalink
Note 316077.1
Chris,
If you are referring to (Patch 7395025 - Q3 2008 JIT SQWL UPDATE FOR R11I), then you can apply it on 11.5.9. Just make sure you have all pre-req. patches applied.
Note: 737173.1 - 2008 US Payroll Year End Phase 1 Readme Rel 11i
https://metalink2.oracle.com/metalink/plsql/ml2_documents.showDocument?p_database_id=NOT&p_id=737173.1
-
Two phase commit and bean managed transactions
To all the Transaction GURUS!
Hi guys (-and gals).
I've been doing J2EE for quite a while, but today was my first at
XA-Transactions and Bean Managed Transactions.
Why am I doing this?
====================
Well I have to be able to control the transactional behaviour of my
bean
during runtime, since some bean calls would cause a transactional
overflow due to the stress they would cause to the system, whereas
smaller bean calls need to run in one transaction.
-> Therefore I need Bean Managed Transactions
Since the bean does a call on two Database Connections it has to use a
XA-Transaction.
-> Therefore I need XA-Transactions.
Abstract
========
- I just can't get a User TransAction into the right Status it stays
in 'STATUS_NO_TRANSACTION' all the time
- Therefore the SQL Commands can be committed 'java.sql.SQLException:
Does not support SQL execution with no global transaction'
- Therefore I can't do a rollback 'java.lang.IllegalStateException:
Transaction does not exist'
- Therefore I wrote this mail.
I don't want to be a smart-"ass" writing such a detailed and in-depth
mail. I just would like to show that I tried, and would like to have
some replies from you guys.
Below are my configurations, code and logfiles.
Thanx for taking your time and hope that the other people may learn
something as well.
cu
Stefan
Scenario
========
used Software
Bea Weblogic (WL) 6.0 SPx (not real sure which SP i have)
Oracle 8.1.6 using the API-Version 8
I configured the system as follows:
(of course I 'xxx'ed out all of the confidential data, sorry guys;-))
excerpt from:
config.xml
<JDBCConnectionPool CapacityIncrement="5"
DriverName="oracle.jdbc.driver.OracleDriver" InitialCapacity="2"
LoginDelaySeconds="1" MaxCapacity="5" Name="oraclePool"
Properties="user=xxx;password=xxx;dll=ocijdbc8;protocol=thin"
RefreshMinutes="5" Targets="fbsserver" TestConnectionsOnRelease="true"
TestTableName="languages" URL="jdbc:oracle:thin:@xxx:1521:xxx "/>
<!-- Since this is our Main Datasource I would not like to use a XA
Transaction due to performance Issues
and the TxDataSource:
-->
<JDBCTxDataSource EnableTwoPhaseCommit="true"
JNDIName="finstral.datasource.fbs" Name="finstral Content Datasource"
PoolName="oraclePool" Targets="fbsserver"/>
<!-- no comment required -I hope.
Next comes the "special" Pool
-->
<JDBCConnectionPool CapacityIncrement="5"
DriverName="weblogic.jdbc.oci.xa.XADataSource" InitialCapacity="1"
LoginDelaySeconds="1" MaxCapacity="2" Name="oracleSecurityPool"
Properties="user=xxx;password=xxx;server=xxx.xxx.xxx"
RefreshMinutes="5" Targets="fbsserver" TestConnectionsOnRelease="true"
TestTableName="Users" SupportsLocalTransaction="true"/>
<!-- Well since there can only be one none XARessourceManager involved
in a 2PC
(keyword: Two Phase Commit) I will have to use a XACapable Driver for
the other
Datasource. Due to all the bugs in the oracle.xxx driver. I'll be
using the jdriver for oci.
I activated 'SupportsLocalTransaction' hoping it would solve my
problem - without effect. I just left in there now, since it made
sense me. Not?
Again the TxDataSource:
-->
<JDBCTxDataSource EnableTwoPhaseCommit="true"
JNDIName="finstral.datasource.fbssecurity" Name="finstral Security
Datasource" PoolName="oracleSecurityPool" Targets="fbsserver"/>
<!-- The System starts right up and can locate the test tables and
everything. So I think all of this stuff is working here -->
ejb-jar.xml
<ejb-jar>
<enterprise-beans>
<session>
<ejb-name>TPCTestBean</ejb-name>
<home>de.sitewaerts.futuna.common.test.tpcbean.TPCHome</home>
<remote>de.sitewaerts.futuna.common.test.tpcbean.TPC</remote>
<ejb-class>de.sitewaerts.futuna.common.test.tpcbean.TPCBean</ejb-class>
<session-type>Stateless</session-type>
<transaction-type>Bean</transaction-type>
</session>
</enterprise-beans>
<assembly-descriptor/>
</ejb-jar>
<!-- Originally I had the assembly-descriptor full of transaction
requirements. I thought since
the bean is handling all of the transaction stuff itself, it might get
confused by the 'container-transaction'
properties, and deleted them. Do I need them anyway?-->
weblogic-ejb-jar.xml
<weblogic-ejb-jar>
<weblogic-enterprise-bean>
<ejb-name>TPCTestBean</ejb-name>
<stateless-session-descriptor/>
<jndi-name>finstral/ejb/test_tpc</jndi-name>
</weblogic-enterprise-bean>
</weblogic-ejb-jar>
<!-- Nothing I have to explain here -->
BeanCode (from the implementingBeanClass:
'de.sitewaerts.futuna.common.test.tpcbean.TPCBean')
  public void setupTables() throws RemoteException
  {
    UserTransaction tx = getTransaction();
    //getTransaction calls: 'tx = sCtx.getUserTransaction()' and does some errorhandling

    log.info("Die Transaktion vor den Connections: "+tx.toString());
    //Sorry bout the German. You should get the Message though.
    log.info("Der Transaktionsstatus vor den Connections: "+transactionStatus(tx));

    Connection conSecurity = getConnection(DATASOURCE_SECURITY, tx);
    //gets a Connection via a DataSourceName from the JNDI tree
    Connection conContent = getConnection(DATASOURCE_CONTENT, tx);

    log.info("Die frische Connection conSecurity: "+conSecurity);
    log.info("Die frische Connection conContent: "+conContent);

    tearDownTable(conSecurity);
    //Does nothing special
    tearDownTable(conContent);

    log.info("Die Transaktion nach dem Teardown: "+tx.toString());
    log.info("Der Transaktionsstatus nach dem Teardown: "+transactionStatus(tx));

    Statement stmt = null;
    try
    {
      stmt = conSecurity.createStatement();
      //Well its getting interesting now.....

      log.info("Die Transaktion vor dem createtable: "+tx.toString());
      log.info("Der Transaktionsstatus vor dem createtable: "+transactionStatus(tx));
      log.info("Die Connection conSecurity vor dem createtable: "+conSecurity);
      log.info("Die Connection conContent vor dem createtable: "+conContent);

      stmt.executeUpdate(CREATE_TABLE);
      //above is the row 91 -> throws: 'java.sql.SQLException: Does not support SQL execution with no global transaction'

      stmt.close();

      stmt = conContent.createStatement();
      stmt.executeUpdate(CREATE_TABLE);
      stmt.close();
      commitTransaction(tx);
    }
    catch (SQLException sqle)
    {
      log.error("Konnte kein table init machen", sqle);
      rollbackTransaction(tx);
      //The Code for this method is below
      throw new EJBException(sqle);
    }
    finally
    {
      closeConnection(conSecurity);
      closeConnection(conContent);
    }
  }

  protected void rollbackTransaction(UserTransaction tx)
  {
    log.info("Der Transaktionsstatus vor dem Rollback: "+transactionStatus(tx));
    log.info("Die Transaktion vor dem Rollback: "+tx.toString());
    try
    {
      tx.rollback();
      //above is row 200 -> throws: 'java.lang.IllegalStateException: Transaction does not exist'
      log.info("Der Transaktionsstatus nach dem Rollback: "+transactionStatus(tx));
      log.info("Die Transaktion nach dem Rollback: "+tx.toString());
    }
    catch (Exception e)
    {
      log.error("Konnte die Transaktion nicht backrollen.", e);
      throw new EJBException(e);
    }
  }
Log Excerpt
===========
INFO setupTables() (66) - Die Transaktion vor den Connections: [email protected]
INFO setupTables() (67) - Der Transaktionsstatus vor den Connections: STATUS_NO_TRANSACTION
INFO setupTables() (72) - Die frische Connection conSecurity: weblogic.jdbc.rmi.SerialConnection@7c6daa
INFO setupTables() (73) - Die frische Connection conContent: weblogic.jdbc.rmi.SerialConnection@3b425
INFO setupTables() (78) - Die Transaktion nach dem Teardown: [email protected]
INFO setupTables() (79) - Der Transaktionsstatus nach dem Teardown: STATUS_NO_TRANSACTION
INFO setupTables() (86) - Die Transaktion vor dem createtable: [email protected]
INFO setupTables() (87) - Der Transaktionsstatus vor dem createtable: STATUS_NO_TRANSACTION
INFO setupTables() (88) - Die Connection conSecurity vor dem createtable: weblogic.jdbc.rmi.SerialConnection@7c6daa
INFO setupTables() (89) - Die Connection conContent vor dem createtable: weblogic.jdbc.rmi.SerialConnection@3b425
ERROR setupTables() (101) - Konnte kein table init machen
java.sql.SQLException: Does not support SQL execution with no global transaction
    at weblogic.jdbc.oci.xa.XAConnection.beforeExecute(XAConnection.java:137)
    at weblogic.jdbc.oci.xa.Statement.executeUpdate(Statement.java:112)
    at weblogic.jdbc.jta.Statement.executeUpdate(Statement.java:185)
    at weblogic.jdbc.rmi.internal.StatementImpl.executeUpdate(StatementImpl.java:42)
    at weblogic.jdbc.rmi.SerialStatement.executeUpdate(SerialStatement.java:54)
    at de.sitewaerts.futuna.common.test.tpcbean.TPCBean.setupTables(TPCBean.java:91)
    at de.sitewaerts.futuna.common.test.tpcbean.TPCBeanImpl.setupTables(TPCBeanImpl.java:130)
    at de.sitewaerts.futuna.common.test.tpcbean.TPCBeanEOImpl.setupTables(TPCBeanEOImpl.java:64)
    at de.sitewaerts.futuna.common.test.TwoPhaseCommitUnitTest.setUp(TwoPhaseCommitUnitTest.java:51)
    at org.apache.commons.cactus.AbstractTestCase.runBareServerTest(AbstractTestCase.java:297)
    at org.apache.commons.cactus.server.ServletTestCaller.callTestMethod(ServletTestCaller.java:148)
    at org.apache.commons.cactus.server.ServletTestCaller.doTest(ServletTestCaller.java:199)
    at org.apache.commons.cactus.server.ServletTestRedirector.doPost(ServletTestRedirector.java:149)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:760)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
    at weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java:213)
    at weblogic.servlet.internal.WebAppServletContext.invokeServlet(WebAppServletContext.java:1265)
    at weblogic.servlet.internal.ServletRequestImpl.execute(ServletRequestImpl.java:1631)
    at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:137)
    at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:120)
INFO rollbackTransaction() (196) - Der Transaktionsstatus vor dem Rollback: STATUS_NO_TRANSACTION
INFO rollbackTransaction() (197) - Die Transaktion vor dem Rollback: [email protected]
ERROR rollbackTransaction() (206) - Konnte die Transaktion nicht backrollen.
java.lang.IllegalStateException: Transaction does not exist
    at weblogic.transaction.internal.TransactionManagerImpl.rollback(TransactionManagerImpl.java:228)
    at weblogic.transaction.internal.TransactionManagerImpl.rollback(TransactionManagerImpl.java:222)
    at de.sitewaerts.futuna.common.test.tpcbean.TPCBean.rollbackTransaction(TPCBean.java:200)
    at de.sitewaerts.futuna.common.test.tpcbean.TPCBean.setupTables(TPCBean.java:102)
    at de.sitewaerts.futuna.common.test.tpcbean.TPCBeanImpl.setupTables(TPCBeanImpl.java:130)
    at de.sitewaerts.futuna.common.test.tpcbean.TPCBeanEOImpl.setupTables(TPCBeanEOImpl.java:64)
    at de.sitewaerts.futuna.common.test.TwoPhaseCommitUnitTest.setUp(TwoPhaseCommitUnitTest.java:51)
    at org.apache.commons.cactus.AbstractTestCase.runBareServerTest(AbstractTestCase.java:297)
    at org.apache.commons.cactus.server.ServletTestCaller.callTestMethod(ServletTestCaller.java:148)
    at org.apache.commons.cactus.server.ServletTestCaller.doTest(ServletTestCaller.java:199)
    at org.apache.commons.cactus.server.ServletTestRedirector.doPost(ServletTestRedirector.java:149)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:760)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
    at weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java:213)
    at weblogic.servlet.internal.WebAppServletContext.invokeServlet(WebAppServletContext.java:1265)
    at weblogic.servlet.internal.ServletRequestImpl.execute(ServletRequestImpl.java:1631)
    at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:137)
    at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:120)
CONCLUSION
==========
I'm going nuts.
I just don't get it.
The transaction is the same. I don't change the Connection. I start
the Transaction at the beginning before I do anything!
Please guys help me out.
Thx alot.
Stefan "it's three o'clock in the morning, my girlfriend left me, and
my only friend is that stupid linux pinguine" Siprell
Software-Development
<<<<<<<<<<<<<<<<<<<<<<<<<<<
<sitewaerts> GmbH
Hebelstraße 15
D-76131 Karlsruhe
Tel: +49 (721) 920 918 22
Fax: +49 (721) 920 918 29
http://www.sitewaerts.de
>>>>>>>>>>>>>>>>>>>>>>>>>>>
Hi Priscilla
(did you ever see the movie ? :-))
Well I moved away from the idea of using bean managed transaction. I'll
be using Container Managed Transactions. To modify the
transactional behaviour I'll write proxy methods which have certain
different container-managed transaction properties, but which all call
the same private methods.
But it works! Here is my experience:
- I was doing a DDL statement: I was trying to create new Tables, which
is a definite "no-go"
- pay careful attention to:
http://edocs.bea.com/wls/docs60/jta/trxejb.html#1051405
and
http://edocs.bea.com/wls/docs60/jta/trxejb.html#1051741
and use these Settings for the Pool, don't ask me why, but it took me
hours to find it out by myself:
<JDBCConnectionPool CapacityIncrement="5"
DriverName="weblogic.jdbc.oci.xa.XADataSource" InitialCapacity="1"
LoginDelaySeconds="1" MaxCapacity="2" Name="oracleSecurityPool"
Properties="user=xxx; password=xxx; server=xxx.xxx.xxx"
RefreshMinutes="5" Targets="fbsserver" TestConnectionsOnRelease="true"
TestTableName="Users" SupportsLocalTransaction="true"/>
whereas the server (shown as: xxx.xxx.xxx) is the TNS Name of the
Oracle Driver.
It works great.
Another thing you guys might want to do is write a simple StatelessSB
which does JDBC calls and two different database Connections.
Then write a UnitTest which calls this bean a couple hundred times (with
the same transaction). Have one test do clean writes, and another which
causes some SQL-Exception (too long Data Columns, or likewise).
Always count the entries and see if everything worked out. We're using
this SetupConstruction to test new combinations of AS(sorry Priscilla) /
Database / Db-Drivers to have a "standard test".
I know my two cents were uncalled for, but it might save you some
time.....
thanx for your help
Stefan
-----Original Message-----
From: Priscilla Fung [mailto:[email protected]]
Posted: Thursday, 2 August 2001 21:42
Posted to: transaction
Conversation: Two phase commit and bean managed transactions
Subject: Re: Two phase commit and bean managed transactions
Hi Stefan,
Looks like you have not actually begun a transaction by calling
UserTransaction.begin(),
so your setupTables method is really executing with no transaction
context.
Priscilla
-
In an inbuild example of can .. that CAN transmit periodic vi .. i am unable to understand how the extended and standard frame is set?
plz help me .. stuck up very badly
thanks
mahadev
I suggest this KB which explains usage of Ext IDs with NI-CAN
http://digital.ni.com/public.nsf/allkb/2FA120A37EDBC51D86256854004FB0C7
-
cucm 10.1version - any free training videos and hand guides on understanding voice gateway h323 and SIP and how to configure one? thanks
Learncisco gives a very good introduction to CUCM - I recommend you start there.
-
Netflix movie resolution phases in and out of high and low.
When I'm watching a netflix movie even with WiFi the resolution phases in and out of high and low resolution. Does anyone know what is causing this?
Yes, your download speed is changing. If the download speed is not great enough for HD it reverts to SD.