Site to Site VPN error on Cisco ASA5500 and router 1800

Discussion in 'Cisco' started by Young, Jan 4, 2008.

  1. Young

    Young Guest

    Hi All,
    When I configured a site-to-site VPN between a Cisco ASA 5500 (outside IP
    address: 1.2.3.4, inside IP: 192.168.0.50) and an 1800 router (outside IP
    address 5.6.7.8, inside IP: 192.168.46.1), I got the following errors
    and cannot establish the VPN tunnel:

    1. Error on ASA 5500:

    |11:45:35|713904|||IP = 5.6.7.8, Received encrypted packet with no
    matching SA, dropping
    |11:45:35|113019|||Group = 5.6.7.8, Username = 5.6.7.8, IP = 5.6.7.8,
    Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:00m:
    00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch
    |11:45:35|713902|||Group = 5.6.7.8, IP = 5.6.7.8, Removing peer from
    correlator table failed, no match!
    |11:45:35|713902|||Group = 5.6.7.8, IP = 5.6.7.8, QM FSM error (P2
    struct &0x97f6d50, mess id 0xba4d2406)!
    |11:45:35|713904|||Group = 5.6.7.8, IP = 5.6.7.8, All IPSec SA
    proposals found unacceptable!
    |11:45:35|713119|||Group = 5.6.7.8, IP = 5.6.7.8, PHASE 1 COMPLETED
    |11:45:35|113009|||AAA retrieved default group policy (LAN-LAN) for
    user = 5.6.7.8
    |11:45:35|713903|||Group = 5.6.7.8, IP = 5.6.7.8, Freeing previously
    allocated memory for authorization-dn-attributes
    |11:45:35|713172|||Group = 5.6.7.8, IP = 5.6.7.8, Automatic NAT
    Detection Status: Remote end is NOT behind a NAT device This
    end is NOT behind a NAT device

    2. Debug info on 1800 router:

    13:28:50 Local7.Debug 192.168.46.1 2448:
    13:28:50 Local7.Debug 192.168.46.1 2447: *Jan 4 18:29:17.255: ISAKMP:
    (2018):Old State = IKE_DEST_SA New State = IKE_DEST_SA
    13:28:50 Local7.Debug 192.168.46.1 2446: *Jan 4 18:29:17.255: ISAKMP:
    (2018):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    13:28:50 Local7.Debug 192.168.46.1 2445: *Jan 4 18:29:17.255:
    crypto_engine: Delete IKE SA
    13:28:50 Local7.Debug 192.168.46.1 2444: *Jan 4 18:29:17.251: crypto
    engine: deleting IKE SA SW:18
    13:28:50 Local7.Debug 192.168.46.1 2443: *Jan 4 18:29:17.251: ISAKMP:
    (2018):deleting node 853657057 error FALSE reason "IKE deleted"
    13:28:49 Local7.Debug 192.168.46.1 2442: *Jan 4 18:29:17.251: ISAKMP:
    (2018):deleting node -533182858 error FALSE reason "IKE deleted"
    13:28:49 Local7.Debug 192.168.46.1 2441: *Jan 4 18:29:17.251: ISAKMP:
    (2018):deleting node 28797199 error FALSE reason "IKE deleted"
    13:28:49 Local7.Debug 192.168.46.1 2440: *Jan 4 18:29:17.251: ISAKMP:
    (2018):deleting SA reason "No reason" state (I) QM_IDLE (peer
    1.2.3.4)
    13:28:49 Local7.Debug 192.168.46.1 2439:
    13:28:49 Local7.Debug 192.168.46.1 2438: *Jan 4 18:29:17.251: ISAKMP:
    (2018):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA
    13:28:49 Local7.Debug 192.168.46.1 2437: *Jan 4 18:29:17.251: ISAKMP:
    (2018):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
    13:28:49 Local7.Debug 192.168.46.1 2436: *Jan 4 18:29:17.251: ISAKMP:
    (2018):purging node -751303044
    13:28:49 Local7.Debug 192.168.46.1 2435: *Jan 4 18:29:17.251: ISAKMP:
    (2018):Sending an IKE IPv4 Packet.
    13:28:49 Local7.Debug 192.168.46.1 2434: *Jan 4 18:29:17.251: ISAKMP:
    (2018): sending packet to 1.2.3.4 my_port 500 peer_port 500 (I)
    QM_IDLE
    13:28:49 Local7.Debug 192.168.46.1 2433: *Jan 4 18:29:17.251:
    crypto_engine: Encrypt IKE packet
    13:28:49 Local7.Debug 192.168.46.1 2432: *Jan 4 18:29:17.251:
    crypto_engine: Generate IKE hash
    13:28:49 Local7.Debug 192.168.46.1 2431: *Jan 4 18:29:17.251:
    ISAKMP: set new node -751303044 to QM_IDLE
    13:28:49 Local7.Debug 192.168.46.1 2430: *Jan 4 18:29:17.251: ISAKMP:
    (2018):deleting node 853657057 error FALSE reason "Informational (in)
    state 1"
    13:28:49 Local7.Debug 192.168.46.1 2429: *Jan 4 18:29:17.251: ISAKMP:
    (2018):deleting SA reason "No reason" state (I) QM_IDLE (peer
    1.2.3.4)
    13:28:49 Local7.Debug 192.168.46.1 2428:
    13:28:49 Local7.Debug 192.168.46.1 2427: *Jan 4 18:29:17.251: ISAKMP:
    (2018):peer does not do paranoid keepalives.
    13:28:49 Local7.Debug 192.168.46.1 2426: *Jan 4 18:29:17.251: ISAKMP:
    (2018): processing DELETE payload. message ID = 853657057
    13:28:49 Local7.Debug 192.168.46.1 2425: *Jan 4 18:29:17.251: ISAKMP:
    (2018): processing HASH payload. message ID = 853657057
    13:28:49 Local7.Debug 192.168.46.1 2424: *Jan 4 18:29:17.251:
    crypto_engine: Generate IKE hash
    13:28:49 Local7.Debug 192.168.46.1 2423: *Jan 4 18:29:17.251:
    crypto_engine: Decrypt IKE packet
    13:28:49 Local7.Debug 192.168.46.1 2422: *Jan 4 18:29:17.251:
    ISAKMP: set new node 853657057 to QM_IDLE
    13:28:49 Local7.Debug 192.168.46.1 2421: *Jan 4 18:29:17.251: ISAKMP
    (0:2018): received packet from 1.2.3.4 dport 500 sport 500 Global (I)
    QM_IDLE
    13:28:49 Local7.Debug 192.168.46.1 2420:
    13:28:49 Local7.Debug 192.168.46.1 2419: *Jan 4 18:29:17.251: ISAKMP:
    (2018):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
    13:28:49 Local7.Debug 192.168.46.1 2418: *Jan 4 18:29:17.251: ISAKMP:
    (2018):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
    13:28:49 Local7.Debug 192.168.46.1 2417: *Jan 4 18:29:17.251: ISAKMP:
    (2018):deleting node -533182858 error FALSE reason "Informational (in)
    state 1"
    13:28:49 Local7.Debug 192.168.46.1 2416: <009>spi 0, message ID =
    -533182858, sa = 84B02BB0
    13:28:49 Local7.Debug 192.168.46.1 2415: *Jan 4 18:29:17.251: ISAKMP:
    (2018): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
    13:28:49 Local7.Debug 192.168.46.1 2414: *Jan 4 18:29:17.251: ISAKMP:
    (2018): processing HASH payload. message ID = -533182858
    13:28:49 Local7.Debug 192.168.46.1 2413: *Jan 4 18:29:17.251:
    crypto_engine: Generate IKE hash
    13:28:49 Local7.Debug 192.168.46.1 2412: *Jan 4 18:29:17.251:
    crypto_engine: Decrypt IKE packet
    13:28:49 Local7.Debug 192.168.46.1 2411: *Jan 4 18:29:17.247:
    ISAKMP: set new node -533182858 to QM_IDLE
    13:28:49 Local7.Debug 192.168.46.1 2410: *Jan 4 18:29:17.247: ISAKMP
    (0:2018): received packet from 1.2.3.4 dport 500 sport 500 Global (I)
    QM_IDLE

    I compared the IPsec and IKE site-to-site VPN settings on both ends using
    ASDM/SDM and cannot find any difference, but it still shows me the same
    error messages.
    I would appreciate it if someone could help with this.

    Thank you,
    Young
     
    Young, Jan 4, 2008
    #1

  2. Young

    Guest

    Hi Young

    Can you post your config files?

    cu ivo
     
    , Jan 6, 2008
    #2

  3. Young

    Young Guest

    On Jan 6, 5:07 am, ""
    <> wrote:
    > Hi Young
    >
    > Can you post your config files?
    >
    > cu ivo


    The following is the VPN part of the configuration on both ends. Can you
    advise me what I have to correct? Thank you.

    1. On ASA 5510:

    ASA Version 7.2(3)
    !
    hostname asa5510
    domain-name test.com
    enable password Q2REeCxc0Wlu3zej encrypted
    names
    name 1.2.3.4 WAN description WAN
    !
    interface Ethernet0/0
    description WAN
    nameif WAN
    security-level 10
    ip address WAN 255.255.255.248
    ospf cost 10
    !
    interface Ethernet0/1
    description LAN
    nameif LAN
    security-level 90
    ip address 192.168.0.50 255.255.255.0
    ospf cost 10
    !
    interface Ethernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface Ethernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface Management0/0
    nameif management
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    ospf cost 10
    management-only
    !

    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface

    access-list LAN_nat0_outbound extended permit ip 192.168.0.0
    255.255.255.0 192.168.46.0 255.255.255.0
    access-list LAN_nat0_outbound extended permit ip 192.168.46.0
    255.255.255.0 192.168.0.0 255.255.255.0
    access-list testing_splitTunnelAcl standard permit 192.168.0.0
    255.255.255.0
    access-list management_nat0_outbound extended permit ip 192.168.0.0
    255.255.255.0 192.168.46.0 255.255.255.0
    access-list WAN_1_cryptomap extended permit ip 192.168.0.0
    255.255.255.0 192.168.46.0 255.255.255.0

    global (WAN) 1 interface
    nat (LAN) 0 access-list LAN_nat0_outbound
    nat (LAN) 1 192.168.0.0 255.255.255.0
    nat (management) 0 access-list management_nat0_outbound
    .
    .
    .

    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 86400
    crypto dynamic-map LAN_dyn_map 20 set pfs
    crypto dynamic-map LAN_dyn_map 20 set transform-set ESP-3DES-SHA
    crypto dynamic-map LAN_dyn_map 20 set security-association lifetime
    seconds 28800
    crypto dynamic-map WAN_dyn_map 20 set pfs
    crypto dynamic-map WAN_dyn_map 20 set transform-set ESP-3DES-SHA
    crypto dynamic-map WAN_dyn_map 20 set security-association lifetime
    seconds 28800
    crypto dynamic-map WAN_dyn_map 40 set pfs
    crypto dynamic-map WAN_dyn_map 40 set transform-set ESP-3DES-SHA
    crypto dynamic-map WAN_dyn_map 40 set security-association lifetime
    seconds 28800
    crypto dynamic-map WAN_dyn_map 60 set pfs
    crypto dynamic-map WAN_dyn_map 60 set transform-set ESP-3DES-SHA
    crypto dynamic-map WAN_dyn_map 60 set security-association lifetime
    seconds 28800
    crypto dynamic-map WAN_dyn_map 80 set pfs
    crypto dynamic-map WAN_dyn_map 80 set transform-set ESP-3DES-SHA
    crypto dynamic-map WAN_dyn_map 80 set security-association lifetime
    seconds 28800
    crypto map LAN_map 65535 ipsec-isakmp dynamic LAN_dyn_map
    crypto map LAN_map interface LAN
    crypto map WAN_map 1 match address WAN_1_cryptomap
    crypto map WAN_map 1 set pfs
    crypto map WAN_map 1 set peer 5.6.7.8
    crypto map WAN_map 1 set transform-set ESP-3DES-SHA
    crypto map WAN_map 65535 ipsec-isakmp dynamic WAN_dyn_map
    crypto map WAN_map interface WAN

    crypto isakmp enable WAN
    crypto isakmp enable LAN
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp nat-traversal 20
    no vpn-addr-assign aaa


    group-policy testing internal
    group-policy testing attributes
    vpn-tunnel-protocol IPSec
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value testing_splitTunnelAcl
    group-policy DfltGrpPolicy attributes
    banner none
    wins-server none
    dns-server none
    dhcp-network-scope none
    vpn-access-hours none
    vpn-simultaneous-logins 3
    vpn-idle-timeout 30
    vpn-session-timeout none
    vpn-filter none
    vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
    password-storage disable
    ip-comp enable
    re-xauth enable
    group-lock none
    pfs disable
    ipsec-udp disable
    ipsec-udp-port 10000
    split-tunnel-policy tunnelall
    split-tunnel-network-list none
    default-domain none
    split-dns none
    intercept-dhcp 255.255.255.255 disable
    secure-unit-authentication disable
    user-authentication disable
    user-authentication-idle-timeout 30
    ip-phone-bypass disable
    leap-bypass disable
    nem disable
    backup-servers keep-client-config
    msie-proxy server none
    msie-proxy method no-modify
    msie-proxy except-list none
    msie-proxy local-bypass disable
    nac enable
    nac-sq-period 300
    nac-reval-period 36000
    nac-default-acl none
    address-pools value ClientVPN
    smartcard-removal-disconnect enable
    client-firewall none
    client-access-rule none
    webvpn
    functions url-entry
    html-content-filter none
    homepage none
    keep-alive-ignore 4
    http-comp gzip
    filter none
    url-list none
    customization value DfltCustomization
    port-forward none
    port-forward-name value Application Access
    sso-server none
    deny-message value Login was successful, but because certain
    criteria have not been met or due to some specific group policy, you
    do not have permission to use any of the VPN features. Contact your IT
    administrator for more information
    svc none
    svc keep-installer installed
    svc keepalive none
    svc rekey time none
    svc rekey method none
    svc dpd-interval client none
    svc dpd-interval gateway none
    svc compression deflate

    tunnel-group DefaultL2LGroup ipsec-attributes
    pre-shared-key Test

    tunnel-group 5.6.7.8 type ipsec-l2l
    tunnel-group 5.6.7.8 ipsec-attributes
    pre-shared-key Test
    tunnel-group-map default-group TestVPN
    .
    .
    .
    End


    2. On Cisco 1800 Router
    version 12.4

    hostname 1800
    !
    crypto isakmp policy 1
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp key test address 1.2.3.4 255.255.255.248 no-xauth
    !
    !
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
    !
    crypto map SDM_CMAP_1 1 ipsec-isakmp
    description Tunnel to1.2.3.4
    set peer 1.2.3.4
    set security-association lifetime seconds 86400
    set transform-set ESP-3DES-SHA
    match address 102
    !
    !
    interface FastEthernet0
    description $FW_OUTSIDE$$ETH-WAN$
    ip address 5.6.7.8 255.255.255.248
    ip nat outside
    ip virtual-reassembly
    zone-member security out-zone
    duplex auto
    speed auto
    crypto map SDM_CMAP_1
    !
    interface BVI1
    description $ES_LAN$$FW_INSIDE$
    ip address 192.168.46.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    zone-member security in-zone

    !
    ip access-list extended SDM_AH
    remark SDM_ACL Category=1
    permit ahp any any
    ip access-list extended SDM_ESP
    remark SDM_ACL Category=1
    permit esp any any
    ip access-list extended SDM_GRE
    remark SDM_ACL Category=0
    permit gre any any
    ip access-list extended SDM_HTTPS
    remark SDM_ACL Category=1
    permit tcp any any eq 443
    ip access-list extended SDM_SHELL
    remark SDM_ACL Category=1
    permit tcp any any eq cmd
    ip access-list extended SDM_SSH
    remark SDM_ACL Category=1
    permit tcp any any eq 22
    ip access-list extended To-test
    remark SDM_ACL Category=128

    access-list 1 remark INSIDE_IF=Vlan1
    access-list 1 remark SDM_ACL Category=2
    access-list 1 permit 10.10.10.0 0.0.0.7
    access-list 100 remark SDM_ACL Category=128
    access-list 100 permit ip host 255.255.255.255 any
    access-list 100 permit ip 127.0.0.0 0.255.255.255 any
    access-list 101 remark SDM_ACL Category=128
    access-list 101 permit ip any any
    access-list 102 remark SDM_ACL Category=4
    access-list 102 remark IPSec Rule
    access-list 102 permit ip 192.168.46.0 0.0.0.255 192.168.0.0 0.0.0.255
    access-list 103 remark SDM_ACL Category=128
    access-list 103 permit ip host 1.2.3.4 any
    access-list 104 remark SDM_ACL Category=0
    access-list 104 remark IPSec Rule
    access-list 104 permit ip 192.168.0.0 0.0.0.255 192.168.46.0 0.0.0.255
    access-list 106 remark SDM_ACL Category=0
    access-list 106 remark IPSec Rule
    access-list 106 permit ip 192.168.0.0 0.0.0.255 192.168.46.0 0.0.0.255
    access-list 107 remark SDM_ACL Category=2
    access-list 107 remark IPSec Rule
    access-list 107 deny ip 192.168.46.0 0.0.0.255 192.168.0.0 0.0.0.255
    access-list 107 permit ip 192.168.46.0 0.0.0.255 any
    !
    !
    route-map SDM_RMAP_2 permit 1
    match ip address 107
     
    Young, Jan 7, 2008
    #3
  4. Young

    CeykoVer Guest

    "Young" <> wrote in message
    news:...
    > Hi All,
    > When I configured a site-to-site VPN between a Cisco ASA 5500 (outside IP
    > address: 1.2.3.4, inside IP: 192.168.0.50) and an 1800 router (outside IP
    > address 5.6.7.8, inside IP: 192.168.46.1), I got the following errors
    > and cannot establish the VPN tunnel:
    >
    > 1. Error on ASA 5500:
    >
    > |11:45:35|713904|||IP = 5.6.7.8, Received encrypted packet with no
    > matching SA, dropping
    > |11:45:35|113019|||Group = 5.6.7.8, Username = 5.6.7.8, IP = 5.6.7.8,
    > Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:00m:
    > 00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch
    > |11:45:35|713902|||Group = 5.6.7.8, IP = 5.6.7.8, Removing peer from
    > correlator table failed, no match!
    > |11:45:35|713902|||Group = 5.6.7.8, IP = 5.6.7.8, QM FSM error (P2
    > struct &0x97f6d50, mess id 0xba4d2406)!
    > |11:45:35|713904|||Group = 5.6.7.8, IP = 5.6.7.8, All IPSec SA
    > proposals found unacceptable!
    > |11:45:35|713119|||Group = 5.6.7.8, IP = 5.6.7.8, PHASE 1 COMPLETED
    > |11:45:35|113009|||AAA retrieved default group policy (LAN-LAN) for
    > user = 5.6.7.8
    > |11:45:35|713903|||Group = 5.6.7.8, IP = 5.6.7.8, Freeing previously
    > allocated memory for authorization-dn-attributes
    > |11:45:35|713172|||Group = 5.6.7.8, IP = 5.6.7.8, Automatic NAT
    > Detection Status: Remote end is NOT behind a NAT device This
    > end is NOT behind a NAT device
    >
    > 2. Debug info on 1800 router:
    >
    > 13:28:50 Local7.Debug 192.168.46.1 2448:
    > 13:28:50 Local7.Debug 192.168.46.1 2447: *Jan 4 18:29:17.255: ISAKMP:
    > (2018):Old State = IKE_DEST_SA New State = IKE_DEST_SA
    > 13:28:50 Local7.Debug 192.168.46.1 2446: *Jan 4 18:29:17.255: ISAKMP:
    > (2018):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    > 13:28:50 Local7.Debug 192.168.46.1 2445: *Jan 4 18:29:17.255:
    > crypto_engine: Delete IKE SA
    > 13:28:50 Local7.Debug 192.168.46.1 2444: *Jan 4 18:29:17.251: crypto
    > engine: deleting IKE SA SW:18
    > 13:28:50 Local7.Debug 192.168.46.1 2443: *Jan 4 18:29:17.251: ISAKMP:
    > (2018):deleting node 853657057 error FALSE reason "IKE deleted"
    > 13:28:49 Local7.Debug 192.168.46.1 2442: *Jan 4 18:29:17.251: ISAKMP:
    > (2018):deleting node -533182858 error FALSE reason "IKE deleted"
    > 13:28:49 Local7.Debug 192.168.46.1 2441: *Jan 4 18:29:17.251: ISAKMP:
    > (2018):deleting node 28797199 error FALSE reason "IKE deleted"
    > 13:28:49 Local7.Debug 192.168.46.1 2440: *Jan 4 18:29:17.251: ISAKMP:
    > (2018):deleting SA reason "No reason" state (I) QM_IDLE (peer
    > 1.2.3.4)
    > 13:28:49 Local7.Debug 192.168.46.1 2439:
    > 13:28:49 Local7.Debug 192.168.46.1 2438: *Jan 4 18:29:17.251: ISAKMP:
    > (2018):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA
    > 13:28:49 Local7.Debug 192.168.46.1 2437: *Jan 4 18:29:17.251: ISAKMP:
    > (2018):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
    > 13:28:49 Local7.Debug 192.168.46.1 2436: *Jan 4 18:29:17.251: ISAKMP:
    > (2018):purging node -751303044
    > 13:28:49 Local7.Debug 192.168.46.1 2435: *Jan 4 18:29:17.251: ISAKMP:
    > (2018):Sending an IKE IPv4 Packet.
    > 13:28:49 Local7.Debug 192.168.46.1 2434: *Jan 4 18:29:17.251: ISAKMP:
    > (2018): sending packet to 1.2.3.4 my_port 500 peer_port 500 (I)
    > QM_IDLE
    > 13:28:49 Local7.Debug 192.168.46.1 2433: *Jan 4 18:29:17.251:
    > crypto_engine: Encrypt IKE packet
    > 13:28:49 Local7.Debug 192.168.46.1 2432: *Jan 4 18:29:17.251:
    > crypto_engine: Generate IKE hash
    > 13:28:49 Local7.Debug 192.168.46.1 2431: *Jan 4 18:29:17.251:
    > ISAKMP: set new node -751303044 to QM_IDLE
    > 13:28:49 Local7.Debug 192.168.46.1 2430: *Jan 4 18:29:17.251: ISAKMP:
    > (2018):deleting node 853657057 error FALSE reason "Informational (in)
    > state 1"
    > 13:28:49 Local7.Debug 192.168.46.1 2429: *Jan 4 18:29:17.251: ISAKMP:
    > (2018):deleting SA reason "No reason" state (I) QM_IDLE (peer
    > 1.2.3.4)
    > 13:28:49 Local7.Debug 192.168.46.1 2428:
    > 13:28:49 Local7.Debug 192.168.46.1 2427: *Jan 4 18:29:17.251: ISAKMP:
    > (2018):peer does not do paranoid keepalives.
    > 13:28:49 Local7.Debug 192.168.46.1 2426: *Jan 4 18:29:17.251: ISAKMP:
    > (2018): processing DELETE payload. message ID = 853657057
    > 13:28:49 Local7.Debug 192.168.46.1 2425: *Jan 4 18:29:17.251: ISAKMP:
    > (2018): processing HASH payload. message ID = 853657057
    > 13:28:49 Local7.Debug 192.168.46.1 2424: *Jan 4 18:29:17.251:
    > crypto_engine: Generate IKE hash
    > 13:28:49 Local7.Debug 192.168.46.1 2423: *Jan 4 18:29:17.251:
    > crypto_engine: Decrypt IKE packet
    > 13:28:49 Local7.Debug 192.168.46.1 2422: *Jan 4 18:29:17.251:
    > ISAKMP: set new node 853657057 to QM_IDLE
    > 13:28:49 Local7.Debug 192.168.46.1 2421: *Jan 4 18:29:17.251: ISAKMP
    > (0:2018): received packet from 1.2.3.4 dport 500 sport 500 Global (I)
    > QM_IDLE
    > 13:28:49 Local7.Debug 192.168.46.1 2420:
    > 13:28:49 Local7.Debug 192.168.46.1 2419: *Jan 4 18:29:17.251: ISAKMP:
    > (2018):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
    > 13:28:49 Local7.Debug 192.168.46.1 2418: *Jan 4 18:29:17.251: ISAKMP:
    > (2018):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
    > 13:28:49 Local7.Debug 192.168.46.1 2417: *Jan 4 18:29:17.251: ISAKMP:
    > (2018):deleting node -533182858 error FALSE reason "Informational (in)
    > state 1"
    > 13:28:49 Local7.Debug 192.168.46.1 2416: <009>spi 0, message ID =
    > -533182858, sa = 84B02BB0
    > 13:28:49 Local7.Debug 192.168.46.1 2415: *Jan 4 18:29:17.251: ISAKMP:
    > (2018): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
    > 13:28:49 Local7.Debug 192.168.46.1 2414: *Jan 4 18:29:17.251: ISAKMP:
    > (2018): processing HASH payload. message ID = -533182858
    > 13:28:49 Local7.Debug 192.168.46.1 2413: *Jan 4 18:29:17.251:
    > crypto_engine: Generate IKE hash
    > 13:28:49 Local7.Debug 192.168.46.1 2412: *Jan 4 18:29:17.251:
    > crypto_engine: Decrypt IKE packet
    > 13:28:49 Local7.Debug 192.168.46.1 2411: *Jan 4 18:29:17.247:
    > ISAKMP: set new node -533182858 to QM_IDLE
    > 13:28:49 Local7.Debug 192.168.46.1 2410: *Jan 4 18:29:17.247: ISAKMP
    > (0:2018): received packet from 1.2.3.4 dport 500 sport 500 Global (I)
    > QM_IDLE
    >
    > I compared the IPsec and IKE site-to-site VPN settings on both ends using
    > ASDM/SDM and cannot find any difference, but it still shows me the same
    > error messages.
    > I would appreciate it if someone could help with this.
    >
    > Thank you,
    > Young


    Do the crypto maps match on both sides? I believe they should.
     
    CeykoVer, Jan 9, 2008
    #4
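
The question in the last reply (do the crypto maps match on both sides?) can be checked mechanically. The Python below is an added example, not part of any post in this thread: it parses the crypto map lines posted in message #3 and compares the Phase 2 settings both peers have to agree on (transform set, PFS, mirrored crypto ACL). The function names are illustrative, and only the first permit line of each crypto ACL is compared.

```python
import re
from ipaddress import ip_network

# Lines copied from the two configs posted in this thread (wrapped lines rejoined).
ASA = """\
access-list WAN_1_cryptomap extended permit ip 192.168.0.0 255.255.255.0 192.168.46.0 255.255.255.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map WAN_map 1 match address WAN_1_cryptomap
crypto map WAN_map 1 set pfs
crypto map WAN_map 1 set peer 5.6.7.8
crypto map WAN_map 1 set transform-set ESP-3DES-SHA
"""
IOS = """\
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to1.2.3.4
set peer 1.2.3.4
set security-association lifetime seconds 86400
set transform-set ESP-3DES-SHA
match address 102
access-list 102 permit ip 192.168.46.0 0.0.0.255 192.168.0.0 0.0.0.255
"""

def entry_commands(cfg, name, seq):
    """Sub-commands of one crypto map entry, in ASA (flat) or IOS (nested) syntax."""
    prefix, cmds, nested = f"crypto map {name} {seq} ", [], False
    for line in cfg.splitlines():
        s = line.strip()
        if s.startswith(prefix):
            rest = s[len(prefix):]
            nested = rest.startswith("ipsec-isakmp")  # IOS header line
            if not nested:
                cmds.append(rest)
        elif nested and re.match(r"(set|match|description) ", s):
            cmds.append(s)
        else:
            nested = False
    return cmds

def phase2(cfg, name, seq):
    """Phase 2 (quick mode) settings that the two peers have to agree on."""
    cmds = entry_commands(cfg, name, seq)
    def arg(key):
        return next((c[len(key):].strip() for c in cmds if c.startswith(key)), None)
    ts = re.search(rf"^crypto ipsec transform-set {re.escape(arg('set transform-set '))} (.+)$", cfg, re.M)
    acl = re.search(rf"^access-list {re.escape(arg('match address '))} (?:extended )?permit ip "
                    r"(\S+) (\S+) (\S+) (\S+)$", cfg, re.M)  # first permit entry only
    src, smask, dst, dmask = acl.groups()
    group = arg("set pfs")
    return {
        "transforms": frozenset(ts.group(1).split()),
        # A bare "set pfs" uses the platform's default DH group; naming it avoids guessing.
        "pfs": "off" if group is None else (group or "platform default group"),
        # ip_network() accepts both ASA netmasks and IOS wildcard (host) masks.
        "proxy": (ip_network(f"{src}/{smask}"), ip_network(f"{dst}/{dmask}")),
    }

def compare(a, b):
    """Keys of the Phase 2 settings on which peers a and b disagree."""
    diffs = [k for k in ("transforms", "pfs") if a[k] != b[k]]
    if a["proxy"] != b["proxy"][::-1]:  # crypto ACLs must mirror each other
        diffs.append("proxy")
    return diffs

if __name__ == "__main__":
    asa, ios = phase2(ASA, "WAN_map", 1), phase2(IOS, "SDM_CMAP_1", 1)
    for key in compare(asa, ios):
        print(f"{key}: ASA={asa[key]!r} router={ios[key]!r}")
```

Run against the posted lines, the only difference it reports is `pfs`: the ASA entry `WAN_map 1` carries `set pfs`, while the router entry `SDM_CMAP_1 1` has no PFS line. The transform sets and the mirrored crypto ACLs agree.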