VPN problem

Discussion in 'Cisco' started by Ned, Aug 29, 2006.

  1. Ned

    Ned Guest

    When I try to VPN into my network I am getting debug messages on my
    PIX:

    pixfirewall#
    pixfirewall# IPSEC(validate_proposal): invalid local address
    191.196.37.5
    IPSEC(validate_proposal): invalid local address 191.191.37.5
    IPSEC(validate_proposal): invalid local address 191.191.37.5
    IPSEC(validate_proposal): invalid local address 191.191.37.5

    The address is correct in that users on the iunside can browse out from
    that interface and I can PING it from the outside. ( I have changed the
    addresses for this posting...)

    I also get this debug:

    debug crypto isakmp
    crypto_isakmp_process_block:src:191.191.37.35, dest:191.191.37.5 spt:13
    dpt:500
    OAK_AG exchange
    ISAKMP (0): processing SA payload. message ID = 0

    ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
    ISAKMP: encryption AES-CBC
    ISAKMP: hash SHA
    ISAKMP: default group 2
    ISAKMP: extended auth pre-share (init)
    ISAKMP: life type in seconds
    ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
    ISAKMP: keylength of 256
    ISAKMP (0): atts are not acceptable. Next payload is 3
    ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy
    ISAKMP: encryption AES-CBC
    ISAKMP: hash MD5
    ISAKMP: default group 2
    ISAKMP: extended auth pre-share (init)
    ISAKMP: life type in seconds
    ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
    ISAKMP: keylength of 256
    ISAKMP (0): atts are not acceptable. Next payload is 3
    *************************************************
    Any ideas? TIA, Ned
    Ned, Aug 29, 2006
    #1
    1. Advertising

  2. Ned

    Ned Guest

    Ned wrote:
    > When I try to VPN into my network I am getting debug messages on my
    > PIX:
    >
    > pixfirewall#
    > pixfirewall# IPSEC(validate_proposal): invalid local address
    > 191.196.37.5
    > IPSEC(validate_proposal): invalid local address 191.191.37.5
    > IPSEC(validate_proposal): invalid local address 191.191.37.5
    > IPSEC(validate_proposal): invalid local address 191.191.37.5
    >
    > The address is correct in that users on the iunside can browse out from
    > that interface and I can PING it from the outside. ( I have changed the
    > addresses for this posting...)
    >
    > I also get this debug:
    >
    > debug crypto isakmp
    > crypto_isakmp_process_block:src:191.191.37.35, dest:191.191.37.5 spt:13
    > dpt:500
    > OAK_AG exchange
    > ISAKMP (0): processing SA payload. message ID = 0
    >
    > ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
    > ISAKMP: encryption AES-CBC
    > ISAKMP: hash SHA
    > ISAKMP: default group 2
    > ISAKMP: extended auth pre-share (init)
    > ISAKMP: life type in seconds
    > ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
    > ISAKMP: keylength of 256
    > ISAKMP (0): atts are not acceptable. Next payload is 3
    > ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy
    > ISAKMP: encryption AES-CBC
    > ISAKMP: hash MD5
    > ISAKMP: default group 2
    > ISAKMP: extended auth pre-share (init)
    > ISAKMP: life type in seconds
    > ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
    > ISAKMP: keylength of 256
    > ISAKMP (0): atts are not acceptable. Next payload is 3
    > ********************************


    I also get this debug output:

    crypto_isakmp_process_block:src:191.191.37.35, dest:191.191.37.5
    spt:1027 dpt:4500
    crypto_isakmp_process_block:src:191.191.37.35, dest:191.191.37.5
    spt:1027 dpt:4500
    ISAKMP: phase 2 packet is a duplicate of a previous packet
    ISAKMP: resending last response
    crypto_isakmp_process_block:src:191.191.37.35, dest:191.191.37.5
    spt:1027 dpt:4500
    ISAKMP (0): processing NOTIFY payload 11 protocol 1
    spi 0, message ID = 2387466550IPSEC(key_engine): got a queue event...
    IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
    IPSEC(key_engine_delete_sas): delete all SAs shared with
    191.191.37.35

    return status is IKMP_NO_ERR_NO_TRANS
    crypto_isakmp_process_block:src:191.191.37.35, dest:191.191.37.5
    spt:1027 dpt:4500
    ISAKMP: phase 2 packet is a duplicate of a previous packet
    ISAKMP: resending last response
    crypto_isakmp_process_block:src:191.191.37.35, dest:191.191.37.5
    spt:1027 dpt:4500
    ISAKMP (0): processing NOTIFY payload 11 protocol 1
    spi 0, message ID = 1206514397IPSEC(key_engine): got a queue event...
    IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
    IPSEC(key_engine_delete_sas): delete all SAs shared with
    191.191.37.35

    return status is IKMP_NO_ERR_NO_TRANS
    crypto_isakmp_process_block:src:191.191.37.35, dest:191.191.37.5
    spt:1027 dpt:4500
    ISAKMP (0): processing DELETE payload. message ID = 1118155919, spi
    size = 4IPSEC(key_engine): got a queue event...
    IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP

    VPN Peer: ISAKMP: Peer ip:191.191.37.35/1027 Ref cnt decremented to:0
    Total VPN Peers:1
    VPN Peer: ISAKMP: Deleted peer: ip:191.191.37.35/1027 Total VPN
    peers:0IPSEC(key_engine): got a queue event...
    IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
    IPSEC(key_engine_delete_sas): delete all SAs shared with 191.191.37.5




    > Any ideas? TIA, Ned
    Ned, Aug 30, 2006
    #2
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Elise
    Replies:
    6
    Views:
    814
    John Rennie
    May 22, 2004
  2. Mike Doty
    Replies:
    1
    Views:
    589
  3. Jaros³aw Skórka

    VPN - Cisco IOS <-> VPN Client - problem

    Jaros³aw Skórka, Feb 1, 2005, in forum: Cisco
    Replies:
    1
    Views:
    3,110
  4. mw
    Replies:
    2
    Views:
    3,269
  5. pasatealinux
    Replies:
    1
    Views:
    2,039
    pasatealinux
    Dec 17, 2007
Loading...

Share This Page