L2L IPSec - PIX501 to VPN 3000 - Tunnel rejected: Policy not found...(long post)

mattsnow · Apr 5, 2007

I have a PIX 501 that is behind a linksys router that supports IPSec passthrough trying to establish a LAN-to-LAN tunnel to my VPN 3000 Concentrator in my office. Here is some background on the configuration as it stands:

PIX 501(6.1(3)):
| inside: 192.168.30.1/24
| outside: 172.16.1.150/25
|
V
Linksys WRT54G(DD-WRT v0.24):
| inside: 172.16.1.254/24
| outside: 68.x.x.243/24
V
[internet]
|
|
V
VPN 3000 Concentrator(4.0.1):
private: 172.16.3.2/22
public: 63.x.x.3/27

The Tunnel appears to come up under LAN-to-LAN sessions, but only the Bytes Rx increments when a client behind the pix501 trys to access a host in the 172.16.x.x subnet. The only information that appears in the concentrator logs is the Tunnel Rejected: policy not found.

I have one other PIX 501 running 6.3(5) at another location with an identical configuration, just different internal subnet and it works perfectly! I am starting to lose hair over this and am hoping someone here can help.

I've configured the concentrator with the following.

Configuration-> Policy Management-> Traffic Management-> Network Lists
Network List named "matt-corp" containing the following networks
172.16.0.0/0.0.255.255
192.168.30.0/0.0.0.255

Configuration-> System-> Tunneling Protocols-> IPSec-> LAN-to-LAN
LAN-to-LAN connection named "matt" with these settings:
Peers: 68.x.x.243
digital cert: none(use preshared keys)
Preshared Key: cisco123
authentication: ESP/MD5/HMAC-128
Encryption: 3DES-168
IKE Proposal: IKE-3DES-MD5
Filter: none
IPSec NAT-T: Enabled
No bandwitdh policy or routing.
Local Network: Network List "matt-corp"
Remote Network: Network List "matt-corp"

I've not made any changes to SAs(Configuration-> Policy Management-> Traffic Management-> Security Associations), or Rules (Configuration-> Policy Management-> Traffic Management-> Rules).

mattsnow · Apr 5, 2007

52548 04/05/2007 12:16:24.440 SEV=8 IKEDBG/0 RPT=17219 68.x.x.243
RECEIVED Message (msgid=0) with payloads :
HDR + SA (1) + NONE (0)
total length : 84

52550 04/05/2007 12:16:24.440 SEV=9 IKEDBG/0 RPT=17220 68.x.x.243
processing SA payload

52551 04/05/2007 12:16:24.450 SEV=8 IKEDBG/0 RPT=17221
Proposal # 1, Transform # 1, Type ISAKMP, Id IKE
Parsing received transform:
Phase 1 failure against global IKE proposal # 1:
Mismatched attr types for class Auth Method:
Rcv'd: Preshared Key
Cfg'd: XAUTH with Preshared Key (Initiator authenticated)

52557 04/05/2007 12:16:24.450 SEV=7 IKEDBG/0 RPT=17222 68.x.x.243
Oakley proposal is acceptable

52558 04/05/2007 12:16:24.450 SEV=9 IKEDBG/0 RPT=17223 68.x.x.243
processing IKE SA

52559 04/05/2007 12:16:24.450 SEV=8 IKEDBG/0 RPT=17224
Proposal # 1, Transform # 1, Type ISAKMP, Id IKE
Parsing received transform:
Phase 1 failure against global IKE proposal # 1:
Mismatched attr types for class Auth Method:
Rcv'd: Preshared Key
Cfg'd: XAUTH with Preshared Key (Initiator authenticated)

52565 04/05/2007 12:16:24.450 SEV=7 IKEDBG/28 RPT=994 68.x.x.243
IKE SA Proposal # 1, Transform # 1 acceptable
Matches global IKE entry # 2 Proposal (IKE-3DES-MD5)

52567 04/05/2007 12:16:24.450 SEV=9 IKEDBG/0 RPT=17225 68.x.x.243
constructing ISA_SA for isakmp

52568 04/05/2007 12:16:24.450 SEV=9 IKEDBG/46 RPT=5909 68.x.x.243
constructing Fragmentation VID + extended capabilities payload

52569 04/05/2007 12:16:24.550 SEV=8 IKEDBG/0 RPT=17226 68.x.x.243
SENDING Message (msgid=0) with payloads :
HDR + SA (1) + VENDOR (13)
total length : 108

52571 04/05/2007 12:16:25.140 SEV=8 IKEDBG/0 RPT=17227 68.x.x.243
RECEIVED Message (msgid=0) with payloads :
HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0)
total length : 244

52574 04/05/2007 12:16:25.140 SEV=8 IKEDBG/0 RPT=17228 68.x.x.243
RECEIVED Message (msgid=0) with payloads :
HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0)
total length : 244

52577 04/05/2007 12:16:25.140 SEV=9 IKEDBG/0 RPT=17229 68.x.x.243
processing ke payload

52578 04/05/2007 12:16:25.140 SEV=9 IKEDBG/0 RPT=17230 68.x.x.243
processing ISA_KE

52579 04/05/2007 12:16:25.140 SEV=9 IKEDBG/1 RPT=20987 68.x.x.243
processing nonce payload

52580 04/05/2007 12:16:25.140 SEV=9 IKEDBG/47 RPT=4207 68.x.x.243
processing VID payload

52581 04/05/2007 12:16:25.140 SEV=9 IKEDBG/49 RPT=3149 68.x.x.243
Received Cisco Unity client VID

52582 04/05/2007 12:16:25.140 SEV=9 IKEDBG/47 RPT=4208 68.x.x.243
processing VID payload

52583 04/05/2007 12:16:25.140 SEV=9 IKEDBG/49 RPT=3150 68.x.x.243
Received DPD VID

52584 04/05/2007 12:16:25.140 SEV=9 IKEDBG/47 RPT=4209 68.x.x.243
processing VID payload

52585 04/05/2007 12:16:25.140 SEV=9 IKEDBG/38 RPT=2156 68.x.x.243
Processing IOS/PIX Vendor ID payload (version: 1.0.0, capabilities: 00000025)

52586 04/05/2007 12:16:25.240 SEV=9 IKEDBG/0 RPT=17231 68.x.x.243
constructing ke payload

52587 04/05/2007 12:16:25.240 SEV=9 IKEDBG/1 RPT=20988 68.x.x.243
constructing nonce payload

52588 04/05/2007 12:16:25.250 SEV=9 IKEDBG/46 RPT=5910 68.x.x.243
constructing Cisco Unity VID payload

52589 04/05/2007 12:16:25.250 SEV=9 IKEDBG/46 RPT=5911 68.x.x.243
constructing xauth V6 VID payload

52590 04/05/2007 12:16:25.250 SEV=9 IKEDBG/48 RPT=2195 68.x.x.243
Send IOS VID

52591 04/05/2007 12:16:25.250 SEV=9 IKEDBG/38 RPT=2157 68.x.x.243
Constructing VPN 3000 spoofing IOS Vendor ID payload (version: 1.0.0, capabiliti
es: 20000409)

52593 04/05/2007 12:16:25.250 SEV=9 IKEDBG/46 RPT=5912 68.x.x.243
constructing VID payload

52594 04/05/2007 12:16:25.250 SEV=9 IKEDBG/48 RPT=2196 68.x.x.243
Send Altiga GW VID

52595 04/05/2007 12:16:25.250 SEV=9 IKEDBG/0 RPT=17232 68.x.x.243
Generating keys for Responder...

52596 04/05/2007 12:16:25.270 SEV=8 IKEDBG/0 RPT=17233 68.x.x.243
SENDING Message (msgid=0) with payloads :
HDR + KE (4) + NONCE (10)
total length : 256

52598 04/05/2007 12:16:26.290 SEV=8 IKEDBG/0 RPT=17234 68.x.x.243
RECEIVED Message (msgid=0) with payloads :
HDR + ID (5) + HASH (8) + NONE (0)
total length : 76

52600 04/05/2007 12:16:26.290 SEV=9 IKEDBG/1 RPT=20989 68.x.x.243
Group [68.x.x.243]
Processing ID

52601 04/05/2007 12:16:26.290 SEV=9 IKEDBG/0 RPT=17235 68.x.x.243
Group [68.x.x.243]
processing hash

52602 04/05/2007 12:16:26.290 SEV=9 IKEDBG/0 RPT=17236 68.x.x.243
Group [68.x.x.243]
computing hash

52603 04/05/2007 12:16:26.290 SEV=9 IKEDBG/23 RPT=1094 68.x.x.243
Group [68.x.x.243]
Starting group lookup for peer 68.x.x.243

52604 04/05/2007 12:16:26.390 SEV=7 IKEDBG/0 RPT=17237 68.x.x.243
Group [68.x.x.243]
Found Phase 1 Group (68.x.x.243)

52605 04/05/2007 12:16:26.390 SEV=9 IKEDBG/19 RPT=4785 68.x.x.243
Group [68.x.x.243]
IKEGetUserAttributes: IP Compression = disabled

52606 04/05/2007 12:16:26.390 SEV=9 IKEDBG/19 RPT=4786 68.x.x.243
Group [68.x.x.243]
IKEGetUserAttributes: Split Tunneling Policy = Disabled

52607 04/05/2007 12:16:26.390 SEV=9 IKEDBG/1 RPT=20990 68.x.x.243
Group [68.x.x.243]
constructing ID

52608 04/05/2007 12:16:26.390 SEV=9 IKEDBG/0 RPT=17238
Group [68.x.x.243]
construct hash payload

52609 04/05/2007 12:16:26.390 SEV=9 IKEDBG/0 RPT=17239 68.x.x.243
Group [68.x.x.243]
computing hash

52610 04/05/2007 12:16:26.390 SEV=9 IKEDBG/34 RPT=909 68.x.x.243
Constructing IOS keep alive payload: proposal=32767/32767 sec.

52611 04/05/2007 12:16:26.390 SEV=9 IKEDBG/46 RPT=5913 68.x.x.243
Group [68.x.x.243]
constructing dpd vid payload

52612 04/05/2007 12:16:26.390 SEV=8 IKEDBG/0 RPT=17240 68.x.x.243
SENDING Message (msgid=0) with payloads :
HDR + ID (5) + HASH (8)
total length : 92

52614 04/05/2007 12:16:26.390 SEV=4 IKE/119 RPT=1059 68.x.x.243
Group [68.x.x.243]
PHASE 1 COMPLETED

52615 04/05/2007 12:16:26.390 SEV=6 IKE/121 RPT=1059 68.x.x.243
Keep-alive type for this connection: DPD

52616 04/05/2007 12:16:26.390 SEV=7 IKEDBG/0 RPT=17241 68.x.x.243
Group [68.x.x.243]
Starting phase 1 rekey timer: 82080000 (ms)

52617 04/05/2007 12:16:26.390 SEV=4 AUTH/22 RPT=1062
User [68.x.x.243], Group [68.x.x.243] connected

52618 04/05/2007 12:16:26.390 SEV=4 AUTH/84 RPT=905
LAN-to-LAN tunnel to headend device 68.x.x.243 connected

52619 04/05/2007 12:16:26.980 SEV=8 IKEDBG/0 RPT=17242 68.x.x.243
RECEIVED Message (msgid=23627eb1) with payloads :
HDR + HASH (8) + NOTIFY (11) + NONE (0)
total length : 76

52621 04/05/2007 12:16:26.980 SEV=9 IKEDBG/0 RPT=17243 68.x.x.243
Group [68.x.x.243]
processing hash

52622 04/05/2007 12:16:26.980 SEV=9 IKEDBG/0 RPT=17244 68.x.x.243
Group [68.x.x.243]
Processing Notify payload

52623 04/05/2007 12:16:26.980 SEV=6 IKE/0 RPT=4446
Received unexpected event EV_ACTIVATE_NEW_SA in state MM_ACTIVE

52624 04/05/2007 12:16:26.980 SEV=8 IKEDBG/0 RPT=17245 68.x.x.243
RECEIVED Message (msgid=f15eede) with payloads :
HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0)
total length : 164

52627 04/05/2007 12:16:26.980 SEV=9 IKEDBG/0 RPT=17246 68.x.x.243
Group [68.x.x.243]
processing hash

52628 04/05/2007 12:16:26.980 SEV=9 IKEDBG/0 RPT=17247 68.x.x.243
Group [68.x.x.243]
processing SA payload

52629 04/05/2007 12:16:26.980 SEV=9 IKEDBG/1 RPT=20991 68.x.x.243
Group [68.x.x.243]
processing nonce payload

52630 04/05/2007 12:16:26.980 SEV=9 IKEDBG/1 RPT=20992 68.x.x.243
Group [68.x.x.243]
Processing ID

52631 04/05/2007 12:16:26.980 SEV=5 IKE/35 RPT=3198 68.x.x.243
Group [68.x.x.243]
Received remote IP Proxy Subnet data in ID Payload:
Address 192.168.30.0, Mask 255.255.255.0, Protocol 0, Port 0

52634 04/05/2007 12:16:26.980 SEV=9 IKEDBG/1 RPT=20993 68.x.x.243
Group [68.x.x.243]
Processing ID

52635 04/05/2007 12:16:26.980 SEV=5 IKE/34 RPT=3367 68.x.x.243
Group [68.x.x.243]
Received local IP Proxy Subnet data in ID Payload:
Address 172.16.0.0, Mask 255.255.0.0, Protocol 0, Port 0

52638 04/05/2007 12:16:26.980 SEV=8 IKEDBG/0 RPT=17248
QM IsRekeyed old sa not found by addr

52639 04/05/2007 12:16:26.980 SEV=5 IKE/66 RPT=702 68.x.x.243
Group [68.x.x.243]
IKE Remote Peer configured for SA: L2L: spnpix3

52640 04/05/2007 12:16:26.980 SEV=9 IKEDBG/0 RPT=17249 68.x.x.243
Group [68.x.x.243]
processing IPSEC SA

52641 04/05/2007 12:16:26.980 SEV=7 IKEDBG/27 RPT=702 68.x.x.243
Group [68.x.x.243]
IPSec SA Proposal # 1, Transform # 1 acceptable
Matches global IPSec SA entry # 10 Proposal (L2L: spnpix3)

52644 04/05/2007 12:16:26.980 SEV=7 IKEDBG/0 RPT=17250 68.x.x.243
Group [68.x.x.243]
IKE: requesting SPI!

52645 04/05/2007 12:16:26.990 SEV=9 IPSECDBG/6 RPT=5951
IPSEC key message parse - msgtype 6, len 208, vers 1, pid 00000000, seq 1774, er
r 0, type 2, mode 0, state 32, label 0, pad 0, spi 00000000, encrKeyLen 0, hashK
eyLen 0, ivlen 0, alg 0, hmacAlg 0, lifetype 0, lifetime1 631724, lifetime2 0, d
sId 300

52649 04/05/2007 12:16:26.990 SEV=9 IPSECDBG/1 RPT=18137
Processing KEY_GETSPI msg!

52650 04/05/2007 12:16:26.990 SEV=7 IPSECDBG/13 RPT=1774
Reserved SPI 1100517644

52651 04/05/2007 12:16:26.990 SEV=8 IKEDBG/6 RPT=1774
IKE got SPI from key engine: SPI = 0x4198910c

52652 04/05/2007 12:16:26.990 SEV=9 IKEDBG/0 RPT=17251 68.x.x.243
Group [68.x.x.243]
oakley constucting quick mode

52653 04/05/2007 12:16:26.990 SEV=9 IKEDBG/0 RPT=17252 68.x.x.243
Group [68.x.x.243]
constructing blank hash

mattsnow · Apr 5, 2007

52654 04/05/2007 12:16:26.990 SEV=9 IKEDBG/0 RPT=17253 68.x.x.243
Group [68.x.x.243]
constructing ISA_SA for ipsec

52655 04/05/2007 12:16:26.990 SEV=9 IKEDBG/1 RPT=20994 68.x.x.243
Group [68.x.x.243]
constructing ipsec nonce payload

52656 04/05/2007 12:16:26.990 SEV=9 IKEDBG/1 RPT=20995 68.x.x.243
Group [68.x.x.243]
constructing proxy ID

52657 04/05/2007 12:16:26.990 SEV=7 IKEDBG/0 RPT=17254 68.x.x.243
Group [68.x.x.243]
Transmitting Proxy Id:
Remote subnet: 192.168.30.0 Mask 255.255.255.0 Protocol 0 Port 0
Local subnet: 172.16.0.0 mask 255.255.0.0 Protocol 0 Port 0

52661 04/05/2007 12:16:26.990 SEV=9 IKEDBG/0 RPT=17255 68.x.x.243
Group [68.x.x.243]
constructing qm hash

52662 04/05/2007 12:16:27.000 SEV=8 IKEDBG/0 RPT=17256 68.x.x.243
SENDING Message (msgid=f15eede) with payloads :
HDR + HASH (8) + SA (1)
total length : 164

52664 04/05/2007 12:16:27.690 SEV=8 IKEDBG/0 RPT=17257 68.x.x.243
RECEIVED Message (msgid=f15eede) with payloads :
HDR + HASH (8) + NONE (0)
total length : 48

52666 04/05/2007 12:16:27.700 SEV=9 IKEDBG/0 RPT=17258 68.x.x.243
Group [68.x.x.243]
processing hash

52667 04/05/2007 12:16:27.700 SEV=9 IKEDBG/0 RPT=17259 68.x.x.243
Group [68.x.x.243]
loading all IPSEC SAs

52668 04/05/2007 12:16:27.700 SEV=9 IKEDBG/1 RPT=20996 68.x.x.243
Group [68.x.x.243]
Generating Quick Mode Key!

52669 04/05/2007 12:16:27.700 SEV=9 IKEDBG/1 RPT=20997 68.x.x.243
Group [68.x.x.243]
Generating Quick Mode Key!

52670 04/05/2007 12:16:27.700 SEV=7 IKEDBG/0 RPT=17260 68.x.x.243
Group [68.x.x.243]
Loading subnet:
Dst: 172.16.0.0 mask: 255.255.0.0
Src: 192.168.30.0 mask: 255.255.255.0

52673 04/05/2007 12:16:27.700 SEV=4 IKE/49 RPT=807 68.x.x.243
Group [68.x.x.243]
Security negotiation complete for LAN-to-LAN Group (68.x.x.243)
Responder, Inbound SPI = 0x4198910c, Outbound SPI = 0x9a044cb0

52676 04/05/2007 12:16:27.700 SEV=9 IPSECDBG/6 RPT=5952
IPSEC key message parse - msgtype 1, len 335, vers 1, pid 00000000, seq 0, err 0
, type 2, mode 1, state 8256, label 0, pad 0, spi 9a044cb0, encrKeyLen 24, hashK
eyLen 16, ivlen 8, alg 2, hmacAlg 3, lifetype 0, lifetime1 631724, lifetime2 0,
dsId 0

52680 04/05/2007 12:16:27.700 SEV=9 IPSECDBG/1 RPT=18138
Processing KEY_ADD msg!

52681 04/05/2007 12:16:27.700 SEV=9 IPSECDBG/1 RPT=18139
key_msghdr2secassoc(): Enter

52682 04/05/2007 12:16:27.700 SEV=7 IPSECDBG/1 RPT=18140
No USER filter configured

52683 04/05/2007 12:16:27.700 SEV=9 IPSECDBG/1 RPT=18141
KeyProcessAdd: Enter

52684 04/05/2007 12:16:27.710 SEV=8 IPSECDBG/1 RPT=18142
KeyProcessAdd: Adding outbound SA

52685 04/05/2007 12:16:27.710 SEV=8 IPSECDBG/1 RPT=18143
KeyProcessAdd: src 172.16.0.0 mask 0.0.255.255, dst 192.168.30.0 mask 0.0.0.255

52686 04/05/2007 12:16:27.710 SEV=8 IPSECDBG/1 RPT=18144
KeyProcessAdd: FilterIpsecAddIkeSa success

52687 04/05/2007 12:16:27.710 SEV=9 IPSECDBG/6 RPT=5953
IPSEC key message parse - msgtype 3, len 335, vers 1, pid 00000000, seq 0, err 0
, type 2, mode 1, state 8224, label 0, pad 0, spi 4198910c, encrKeyLen 24, hashK
eyLen 16, ivlen 8, alg 2, hmacAlg 3, lifetype 0, lifetime1 631724, lifetime2 0,
dsId 0

52691 04/05/2007 12:16:27.710 SEV=9 IPSECDBG/1 RPT=18145
Processing KEY_UPDATE msg!

52692 04/05/2007 12:16:27.710 SEV=9 IPSECDBG/1 RPT=18146
Update inbound SA addresses

52693 04/05/2007 12:16:27.710 SEV=9 IPSECDBG/1 RPT=18147
key_msghdr2secassoc(): Enter

52694 04/05/2007 12:16:27.710 SEV=7 IPSECDBG/1 RPT=18148
No USER filter configured

52695 04/05/2007 12:16:27.710 SEV=9 IPSECDBG/1 RPT=18149
KeyProcessUpdate: Enter

52696 04/05/2007 12:16:27.710 SEV=8 IPSECDBG/1 RPT=18150
KeyProcessUpdate: success

52697 04/05/2007 12:16:27.710 SEV=8 IKEDBG/7 RPT=807
IKE got a KEY_ADD msg for SA: SPI = 0x9a044cb0

52698 04/05/2007 12:16:27.710 SEV=8 IKEDBG/0 RPT=17261
pitcher: rcv KEY_UPDATE, spi 0x4198910c

52699 04/05/2007 12:16:27.710 SEV=4 IKE/120 RPT=807 68.x.x.243
Group [68.x.x.243]
PHASE 2 COMPLETED (msgid=0f15eede)

52700 04/05/2007 12:16:30.860 SEV=7 IPSECDBG/10 RPT=3719
IPSEC ipsec_output() can call key_acquire() because 10 seconds have elapsed sinc
e last IKE negotiation began (src 0xac10011f, dst 0x0104f01c)

52744 04/05/2007 12:16:35.010 SEV=9 IPSECDBG/6 RPT=5955
IPSEC key message parse - msgtype 2, len 274, vers 1, pid 00000000, seq 0, err 0
, type 2, mode 0, state 64, label 0, pad 0, spi 3d4a98ee, encrKeyLen 0, hashKeyL
en 0, ivlen 0, alg 0, hmacAlg 0, lifetype 0, lifetime1 631724, lifetime2 0, dsId
0

52748 04/05/2007 12:16:35.010 SEV=9 IPSECDBG/1 RPT=18152
Processing KEY_DELETE msg!

52749 04/05/2007 12:16:35.010 SEV=9 IPSECDBG/1 RPT=18153
key_msghdr2secassoc(): Enter

52750 04/05/2007 12:16:35.010 SEV=7 IPSECDBG/1 RPT=18154
No USER filter configured

52751 04/05/2007 12:16:35.010 SEV=8 IKEDBG/0 RPT=17279
pitcher: received key delete msg, spi 0x70d92766

52752 04/05/2007 12:16:35.010 SEV=8 IKEDBG/0 RPT=17280
pitcher: received key delete msg, spi 0x3d4a98ee

52753 04/05/2007 12:16:35.040 SEV=4 DNS/6 RPT=2299
Unable to resolve hostname:

52754 04/05/2007 12:16:35.040 SEV=2 EVENT/41 RPT=2299
Event log can't resolve hostname ()

52755 04/05/2007 12:16:35.230 SEV=9 IPSECDBG/17 RPT=32177
Received an IPSEC-over-NAT-T NAT keepalive packet

52756 04/05/2007 12:16:35.760 SEV=9 IPSECDBG/17 RPT=32178
Received an IPSEC-over-NAT-T NAT keepalive packet

52757 04/05/2007 12:16:40.860 SEV=7 IPSECDBG/10 RPT=3720
IPSEC ipsec_output() can call key_acquire() because 10 seconds have elapsed sinc
e last IKE negotiation began (src 0xac10011f, dst 0x0104f01c)

mattsnow · Apr 5, 2007

52760 04/05/2007 12:16:40.860 SEV=8 IKEDBG/0 RPT=17281
pitcher: received a key acquire message!

52761 04/05/2007 12:16:41.710 SEV=9 IPSECDBG/17 RPT=32179
Received an IPSEC-over-NAT-T NAT keepalive packet

52762 04/05/2007 12:16:44.540 SEV=9 IKEDBG/36 RPT=15756 68.x.x.243
Group [68.x.x.243]
Sending keep-alive of type DPD R-U-THERE (seq number 0x3f102e25)

52764 04/05/2007 12:16:44.540 SEV=9 IKEDBG/0 RPT=17282 68.x.x.243
Group [68.x.x.243]
constructing blank hash

52765 04/05/2007 12:16:44.540 SEV=9 IKEDBG/0 RPT=17283 68.x.x.243
Group [68.x.x.243]
constructing qm hash

52766 04/05/2007 12:16:44.540 SEV=8 IKEDBG/0 RPT=17284 68.x.x.243
SENDING Message (msgid=114d9c64) with payloads :
HDR + HASH (8) + NOTIFY (11)
total length : 80

52768 04/05/2007 12:16:44.560 SEV=8 IKEDBG/0 RPT=17285 68.x.x.243
RECEIVED Message (msgid=9864d3d1) with payloads :
HDR + HASH (8) + NOTIFY (11) + NONE (0)
total length : 80

52770 04/05/2007 12:16:44.560 SEV=9 IKEDBG/0 RPT=17286 68.x.x.243
Group [68.x.x.243]
processing hash

52771 04/05/2007 12:16:44.560 SEV=9 IKEDBG/0 RPT=17287 68.x.x.243
Group [68.x.x.243]
Processing Notify payload

52772 04/05/2007 12:16:45.230 SEV=9 IPSECDBG/17 RPT=32180
Received an IPSEC-over-NAT-T NAT keepalive packet

52773 04/05/2007 12:16:52.770 SEV=4 IKEDBG/0 RPT=17288
QM FSM error (P2 struct &0x1e275b8, mess id 0xa54a668d)!

52805 04/05/2007 12:17:04.540 SEV=9 IKEDBG/36 RPT=15758 68.x.x.243
Group [68.x.x.243]
Sending keep-alive of type DPD R-U-THERE (seq number 0x3f102e26)

52807 04/05/2007 12:17:04.540 SEV=9 IKEDBG/0 RPT=17301 68.x.x.243
Group [68.x.x.243]
constructing blank hash

52808 04/05/2007 12:17:04.540 SEV=9 IKEDBG/0 RPT=17302 68.x.x.243
Group [68.x.x.243]
constructing qm hash

52809 04/05/2007 12:17:04.540 SEV=8 IKEDBG/0 RPT=17303 68.x.x.243
SENDING Message (msgid=9ae67981) with payloads :
HDR + HASH (8) + NOTIFY (11)
total length : 80

52811 04/05/2007 12:17:04.560 SEV=8 IKEDBG/0 RPT=17304 68.x.x.243
RECEIVED Message (msgid=5293ae87) with payloads :
HDR + HASH (8) + NOTIFY (11) + NONE (0)
total length : 80

52813 04/05/2007 12:17:04.560 SEV=9 IKEDBG/0 RPT=17305 68.x.x.243
Group [68.x.x.243]
processing hash

52814 04/05/2007 12:17:04.560 SEV=9 IKEDBG/0 RPT=17306 68.x.x.243
Group [68.x.x.243]
Processing Notify payload

52815 04/05/2007 12:17:04.850 SEV=9 IPSECDBG/17 RPT=32181
Received an IPSEC-over-NAT-T NAT keepalive packet

52816 04/05/2007 12:17:05.230 SEV=9 IPSECDBG/17 RPT=32182
Received an IPSEC-over-NAT-T NAT keepalive packet

52817 04/05/2007 12:17:05.640 SEV=7 IPSECDBG/10 RPT=3721
IPSEC ipsec_output() can call key_acquire() because 24 seconds have elapsed sinc
e last IKE negotiation began (src 0xac100102, dst 0x0104f01c)

52819 04/05/2007 12:17:05.640 SEV=7 IPSECDBG/14 RPT=3723
Sending KEY_ACQUIRE to IKE for src 172.16.1.2, dst 192.168.15.22

52820 04/05/2007 12:17:05.640 SEV=8 IKEDBG/0 RPT=17307
pitcher: received a key acquire message!

52821 04/05/2007 12:17:05.640 SEV=4 IKE/41 RPT=1079
IKE Initiator: New Phase 2, Intf 2, IKE Peer 205.173.134.137
local Proxy Address 172.16.0.0, remote Proxy Address 192.168.15.0,
SA (L2L: Flex1-VPN)

52824 04/05/2007 12:17:05.640 SEV=9 IKEDBG/0 RPT=17308 205.173.134.137
Group [205.173.134.137]
Oakley begin quick mode

52825 04/05/2007 12:17:05.640 SEV=9 IPSECDBG/6 RPT=5957
IPSEC key message parse - msgtype 6, len 208, vers 1, pid 00000000, seq 1775, er
r 0, type 2, mode 0, state 32, label 0, pad 0, spi 00000000, encrKeyLen 0, hashK
eyLen 0, ivlen 0, alg 0, hmacAlg 0, lifetype 0, lifetime1 631724, lifetime2 0, d
sId 300

52829 04/05/2007 12:17:05.640 SEV=9 IPSECDBG/1 RPT=18157
Processing KEY_GETSPI msg!

52830 04/05/2007 12:17:05.650 SEV=7 IPSECDBG/13 RPT=1775
Reserved SPI 934163155

52831 04/05/2007 12:17:05.650 SEV=8 IKEDBG/6 RPT=1775
IKE got SPI from key engine: SPI = 0x37ae32d3

52882 04/05/2007 12:17:24.540 SEV=9 IKEDBG/36 RPT=15761 68.x.x.243
Group [68.x.x.243]
Sending keep-alive of type DPD R-U-THERE (seq number 0x3f102e27)

52884 04/05/2007 12:17:24.540 SEV=9 IKEDBG/0 RPT=17333 68.x.x.243
Group [68.x.x.243]
constructing blank hash

52885 04/05/2007 12:17:24.540 SEV=9 IKEDBG/0 RPT=17334 68.x.x.243
Group [68.x.x.243]
constructing qm hash

52886 04/05/2007 12:17:24.540 SEV=8 IKEDBG/0 RPT=17335 68.x.x.243
SENDING Message (msgid=49f01833) with payloads :
HDR + HASH (8) + NOTIFY (11)
total length : 80

52888 04/05/2007 12:17:24.560 SEV=8 IKEDBG/0 RPT=17336 68.x.x.243
RECEIVED Message (msgid=26297c2f) with payloads :
HDR + HASH (8) + NOTIFY (11) + NONE (0)
total length : 80

52890 04/05/2007 12:17:24.560 SEV=9 IKEDBG/0 RPT=17337 68.x.x.243
Group [68.x.x.243]
processing hash

52891 04/05/2007 12:17:24.560 SEV=9 IKEDBG/0 RPT=17338 68.x.x.243
Group [68.x.x.243]
Processing Notify payload

52892 04/05/2007 12:17:25.230 SEV=9 IPSECDBG/17 RPT=32185
Received an IPSEC-over-NAT-T NAT keepalive packet

52937 04/05/2007 12:17:44.540 SEV=9 IKEDBG/36 RPT=15764 68.x.x.243
Group [68.x.x.243]
Sending keep-alive of type DPD R-U-THERE (seq number 0x3f102e28)

52939 04/05/2007 12:17:44.540 SEV=9 IKEDBG/0 RPT=17358 68.x.x.243
Group [68.x.x.243]
constructing blank hash

52940 04/05/2007 12:17:44.540 SEV=9 IKEDBG/0 RPT=17359 68.x.x.243
Group [68.x.x.243]
constructing qm hash

52941 04/05/2007 12:17:44.540 SEV=8 IKEDBG/0 RPT=17360 68.x.x.243
SENDING Message (msgid=fc6952c4) with payloads :
HDR + HASH (8) + NOTIFY (11)
total length : 80

52943 04/05/2007 12:17:44.560 SEV=8 IKEDBG/0 RPT=17361 68.x.x.243
RECEIVED Message (msgid=75e5c835) with payloads :
HDR + HASH (8) + NOTIFY (11) + NONE (0)
total length : 80

52945 04/05/2007 12:17:44.560 SEV=9 IKEDBG/0 RPT=17362 68.x.x.243
Group [68.x.x.243]
processing hash

52946 04/05/2007 12:17:44.560 SEV=9 IKEDBG/0 RPT=17363 68.x.x.243
Group [68.x.x.243]
Processing Notify payload

52947 04/05/2007 12:17:45.230 SEV=9 IPSECDBG/17 RPT=32188
Received an IPSEC-over-NAT-T NAT keepalive packet

52948 04/05/2007 12:17:52.110 SEV=9 IPSECDBG/17 RPT=32189
Received an IPSEC-over-NAT-T NAT keepalive packet

52959 04/05/2007 12:17:58.490 SEV=8 IKEDBG/0 RPT=17370 68.x.x.243
RECEIVED Message (msgid=6ed3c92b) with payloads :
HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0)
total length : 164

52962 04/05/2007 12:17:58.490 SEV=9 IKEDBG/0 RPT=17371 68.x.x.243
Group [68.x.x.243]
processing hash

52963 04/05/2007 12:17:58.490 SEV=9 IKEDBG/0 RPT=17372 68.x.x.243
Group [68.x.x.243]
processing SA payload

52964 04/05/2007 12:17:58.490 SEV=9 IKEDBG/1 RPT=21000 68.x.x.243
Group [68.x.x.243]
processing nonce payload

52965 04/05/2007 12:17:58.490 SEV=9 IKEDBG/1 RPT=21001 68.x.x.243
Group [68.x.x.243]
Processing ID

52966 04/05/2007 12:17:58.490 SEV=5 IKE/35 RPT=3199 68.x.x.243
Group [68.x.x.243]
Received remote IP Proxy Subnet data in ID Payload:
Address 192.168.30.0, Mask 255.255.255.0, Protocol 0, Port 0

52969 04/05/2007 12:17:58.490 SEV=9 IKEDBG/1 RPT=21002 68.x.x.243
Group [68.x.x.243]
Processing ID

52970 04/05/2007 12:17:58.490 SEV=5 IKE/34 RPT=3368 68.x.x.243
Group [68.x.x.243]
Received local IP Proxy Subnet data in ID Payload:
Address 0.0.0.0, Mask 0.0.0.0, Protocol 0, Port 0

52973 04/05/2007 12:17:58.500 SEV=8 IKEDBG/0 RPT=17373
QM IsRekeyed old sa not found by addr

52974 04/05/2007 12:17:58.500 SEV=4 IKE/61 RPT=2668 68.x.x.243
Group [68.x.x.243]
Tunnel rejected: Policy not found for Src:192.168.30.0, Dst: 0.0.0.0!

52976 04/05/2007 12:17:58.500 SEV=4 IKEDBG/0 RPT=17374
QM FSM error (P2 struct &0x1e8c5e4, mess id 0x6ed3c92b)!

52977 04/05/2007 12:17:58.500 SEV=7 IKEDBG/65 RPT=3676 68.x.x.243
Group [68.x.x.243]
IKE QM Responder FSM error history (struct &0x1e8c5e4)
<state>, <event>:
QM_DONE, EV_ERROR
QM_BLD_MSG2, EV_NEGO_SA
QM_BLD_MSG2, EV_IS_REKEY
QM_BLD_MSG2, EV_CONFIRM_SA

mattsnow · Apr 5, 2007

52982 04/05/2007 12:17:58.500 SEV=9 IKEDBG/0 RPT=17375
sending delete/delete with reason message

52983 04/05/2007 12:17:58.500 SEV=6 IKE/0 RPT=4449 68.x.x.243
Group [68.x.x.243]
Removing peer from correlator table failed, no match!

52996 04/05/2007 12:18:04.540 SEV=9 IKEDBG/36 RPT=15767 68.x.x.243
Group [68.x.x.243]
Sending keep-alive of type DPD R-U-THERE (seq number 0x3f102e29)

52998 04/05/2007 12:18:04.540 SEV=9 IKEDBG/0 RPT=17382 68.x.x.243
Group [68.x.x.243]
constructing blank hash

52999 04/05/2007 12:18:04.540 SEV=9 IKEDBG/0 RPT=17383 68.x.x.243
Group [68.x.x.243]
constructing qm hash

53000 04/05/2007 12:18:04.540 SEV=8 IKEDBG/0 RPT=17384 68.x.x.243
SENDING Message (msgid=90d310b9) with payloads :
HDR + HASH (8) + NOTIFY (11)
total length : 80

53002 04/05/2007 12:18:04.560 SEV=8 IKEDBG/0 RPT=17385 68.x.x.243
RECEIVED Message (msgid=b1e17710) with payloads :
HDR + HASH (8) + NOTIFY (11) + NONE (0)
total length : 80

53004 04/05/2007 12:18:04.560 SEV=9 IKEDBG/0 RPT=17386 68.x.x.243
Group [68.x.x.243]
processing hash

53005 04/05/2007 12:18:04.560 SEV=9 IKEDBG/0 RPT=17387 68.x.x.243
Group [68.x.x.243]
Processing Notify payload

53006 04/05/2007 12:18:04.840 SEV=9 IPSECDBG/17 RPT=32190
Received an IPSEC-over-NAT-T NAT keepalive packet

53007 04/05/2007 12:18:05.230 SEV=9 IPSECDBG/17 RPT=32191
Received an IPSEC-over-NAT-T NAT keepalive packet

53018 04/05/2007 12:18:12.310 SEV=9 IPSECDBG/17 RPT=32192
Received an IPSEC-over-NAT-T NAT keepalive packet

53019 04/05/2007 12:18:14.020 SEV=8 IKEDBG/0 RPT=17394 68.x.x.243
RECEIVED Message (msgid=6ed3c92b) with payloads :
HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0)
total length : 164

53022 04/05/2007 12:18:14.020 SEV=9 IKEDBG/0 RPT=17395 68.x.x.243
Group [68.x.x.243]
processing hash

53023 04/05/2007 12:18:14.020 SEV=9 IKEDBG/0 RPT=17396 68.x.x.243
Group [68.x.x.243]
processing SA payload

53024 04/05/2007 12:18:14.020 SEV=9 IKEDBG/1 RPT=21003 68.x.x.243
Group [68.x.x.243]
processing nonce payload

53025 04/05/2007 12:18:14.020 SEV=9 IKEDBG/1 RPT=21004 68.x.x.243
Group [68.x.x.243]
Processing ID

53026 04/05/2007 12:18:14.020 SEV=5 IKE/35 RPT=3200 68.x.x.243
Group [68.x.x.243]
Received remote IP Proxy Subnet data in ID Payload:
Address 192.168.30.0, Mask 255.255.255.0, Protocol 0, Port 0

53029 04/05/2007 12:18:14.020 SEV=9 IKEDBG/1 RPT=21005 68.x.x.243
Group [68.x.x.243]
Processing ID

53030 04/05/2007 12:18:14.020 SEV=5 IKE/34 RPT=3369 68.x.x.243
Group [68.x.x.243]
Received local IP Proxy Subnet data in ID Payload:
Address 0.0.0.0, Mask 0.0.0.0, Protocol 0, Port 0

53033 04/05/2007 12:18:14.020 SEV=8 IKEDBG/0 RPT=17397
QM IsRekeyed old sa not found by addr

53034 04/05/2007 12:18:14.020 SEV=4 IKE/61 RPT=2669 68.x.x.243
Group [68.x.x.243]
Tunnel rejected: Policy not found for Src:192.168.30.0, Dst: 0.0.0.0!

53036 04/05/2007 12:18:14.020 SEV=4 IKEDBG/0 RPT=17398
QM FSM error (P2 struct &0x1d671a4, mess id 0x6ed3c92b)!

53037 04/05/2007 12:18:14.020 SEV=7 IKEDBG/65 RPT=3677 68.x.x.243
Group [68.x.x.243]
IKE QM Responder FSM error history (struct &0x1d671a4)
<state>, <event>:
QM_DONE, EV_ERROR
QM_BLD_MSG2, EV_NEGO_SA
QM_BLD_MSG2, EV_IS_REKEY
QM_BLD_MSG2, EV_CONFIRM_SA

53042 04/05/2007 12:18:14.020 SEV=9 IKEDBG/0 RPT=17399
sending delete/delete with reason message

53043 04/05/2007 12:18:14.020 SEV=6 IKE/0 RPT=4450 68.x.x.243
Group [68.x.x.243]
Removing peer from correlator table failed, no match!

mattsnow · Apr 5, 2007

And finally, here is the debug output from the PIX 501:

spnpix3# debug crypto ipsec
spnpix3# debug crypto isakmp
spnpix3# debug crypto engine
spnpix3#
VPN Peer: ISAKMP: Added new peer: ip:63.x.x.3 Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:63.x.x.3 Ref cnt incremented to:1 Total VPN Peers:1
ISAKMP (0): beginning Main Mode exchange

crypto_isakmp_process_block: src 63.x.x.3, dest 172.16.1.150
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing vendor id payload

ISAKMP (0): SA is doing pre-shared key authentication using id type ID_FQDN
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src 63.x.x.3, dest 172.16.1.150
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

ISAKMP (0): processing vendor id payload

ISAKMP (0): processing vendor id payload

ISAKMP (0): processing vendor id payload

ISAKMP (0): speaking to another IOS box!

ISAKMP (0): processing vendor id payload

ISAKMP (0): speaking to a VPN3000 concentrator

ISAKMP (0): ID payload
next-payload : 8
type : 2
protocol : 17
port : 500
length : 24
ISAKMP (0): Total payload length: 28
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src 63.x.x.3, dest 172.16.1.150
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): processing vendor id payload

ISAKMP (0): remote peer supports dead peer detection

ISAKMP (0): SA has been authenticated

ISAKMP (0): beginning Quick Mode exchange, M-ID of 253095646:f15eedeIPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0x9a044cb0(2583973040) for SA
from 63.x.x.3 to 172.16.1.150 for prot 3

return status is IKMP_NO_ERROR
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending NOTIFY message 24578 protocol 1
crypto_isakmp_process_block: src 63.x.x.3, dest 172.16.1.150
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 253095646

ISAKMP : Checking IPSec proposal 1

ISAKMP: transform 1, ESP_3DES
ISAKMP: attributes in transform:
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (basic) of 28800
ISAKMP: SA life type in kilobytes
ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
ISAKMP: encaps is 1
ISAKMP: authenticator is HMAC-MD5
ISAKMP (0): atts are acceptable.IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) dest= 63.x.x.3, src= 172.16.1.150,
dest_proxy= 172.16.0.0/255.255.0.0/0/0 (type=4),
src_proxy= 192.168.30.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-md5-hmac ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4

ISAKMP (0): processing NONCE payload. message ID = 253095646

ISAKMP (0): processing ID payload. message ID = 253095646
ISAKMP (0): processing ID payload. message ID = 253095646map_alloc_entry: allocating entry 1
map_alloc_entry: allocating entry 2

ISAKMP (0): Creating IPSec SAs
inbound SA from 63.x.x.3 to 172.16.1.150 (proxy 172.16.0.0 to 192.168.30.0)
has spi 2583973040 and conn_id 1 and flags 4
lifetime of 28800 seconds
lifetime of 4608000 kilobytes
outbound SA from 172.16.1.150 to 63.x.x.3 (proxy 192.168.30.0 to 172.16.0.0)
has spi 1100517644 and conn_id 2 and flags 4
lifetime of 28800 seconds
lifetime of 4608000 kilobytesIPSEC(key_engine): got a queue event...
IPSEC(initialize_sas): ,
(key eng. msg.) dest= 172.16.1.150, src= 63.x.x.3,
dest_proxy= 192.168.30.0/255.255.255.0/0/0 (type=4),
src_proxy= 172.16.0.0/255.255.0.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-md5-hmac ,
lifedur= 28800s and 4608000kb,
spi= 0x9a044cb0(2583973040), conn_id= 1, keysize= 0, flags= 0x4
IPSEC(initialize_sas): ,
(key eng. msg.) src= 172.16.1.150, dest= 63.x.x.3,
src_proxy= 192.168.30.0/255.255.255.0/0/0 (type=4),
dest_proxy= 172.16.0.0/255.255.0.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-md5-hmac ,
lifedur= 28800s and 4608000kb,
spi= 0x4198910c(1100517644), conn_id= 2, keysize= 0, flags= 0x4

VPN Peer: IPSEC: Peer ip:63.x.x.3 Ref cnt incremented to:2 Total VPN Peers:1
VPN Peer: IPSEC: Peer ip:63.x.x.3 Ref cnt incremented to:3 Total VPN Peers:1
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src 63.x.x.3, dest 172.16.1.150
ISAKMP (0): processing NOTIFY payload 36136 protocol 1
spi 0, message ID = 290298980
ISAMKP (0): received DPD_R_U_THERE from peer 63.x.x.3
ISAKMP (0): sending NOTIFY message 36137 protocol 1
return status is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block: src 63.x.x.3, dest 172.16.1.150
ISAKMP (0): processing NOTIFY payload 36136 protocol 1
spi 0, message ID = 2598795649
ISAMKP (0): received DPD_R_U_THERE from peer 63.x.x.3
ISAKMP (0): sending NOTIFY message 36137 protocol 1
return status is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block: src 63.x.x.3, dest 172.16.1.150
ISAKMP (0): processing NOTIFY payload 36136 protocol 1
spi 0, message ID = 1240471603
ISAMKP (0): received DPD_R_U_THERE from peer 63.x.x.3
ISAKMP (0): sending NOTIFY message 36137 protocol 1
return status is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block: src 63.x.x.3, dest 172.16.1.150
ISAKMP (0): processing NOTIFY payload 36136 protocol 1
spi 0, message ID = 4234760900
ISAMKP (0): received DPD_R_U_THERE from peer 63.x.x.3
ISAKMP (0): sending NOTIFY message 36137 protocol 1
return status is IKMP_NO_ERR_NO_TRANS
ISAKMP (0): beginning Quick Mode exchange, M-ID of 1859373355:6ed3c92bIPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0xc4b036c4(3299882692) for SA
from 63.x.x.3 to 172.16.1.150 for prot 3

crypto_isakmp_process_block: src 63.x.x.3, dest 172.16.1.150
ISAKMP (0): processing NOTIFY payload 36136 protocol 1
spi 0, message ID = 2429751481
ISAMKP (0): received DPD_R_U_THERE from peer 63.x.x.3
ISAKMP (0): sending NOTIFY message 36137 protocol 1
return status is IKMP_NO_ERR_NO_TRANS
ISAKMP (0): retransmitting phase 2...
crypto_isakmp_process_block: src 63.x.x.3, dest 172.16.1.150
ISAKMP (0): processing NOTIFY payload 36136 protocol 1
spi 0, message ID = 3352187060
ISAMKP (0): received DPD_R_U_THERE from peer 63.x.x.3
ISAKMP (0): sending NOTIFY message 36137 protocol 1
return status is IKMP_NO_ERR_NO_TRANSIPSEC(key_engine): request timer fired: count = 1,
(identity) local= 172.16.1.150, remote= 63.x.x.3,
local_proxy= 192.168.30.0/255.255.255.0/0/0 (type=4),
remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4)

ISAKMP (0): retransmitting phase 2...
ISAKMP (0): beginning Quick Mode exchange, M-ID of 2024501992:78ab72e8IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0x93ce7cd3(2479783123) for SA
from 63.x.x.3 to 172.16.1.150 for prot 3

crypto_isakmp_process_block: src 63.x.x.3, dest 172.16.1.150
ISAKMP (0): processing NOTIFY payload 36136 protocol 1
spi 0, message ID = 3551383499
ISAMKP (0): received DPD_R_U_THERE from peer 63.x.x.3
ISAKMP (0): sending NOTIFY message 36137 protocol 1
return status is IKMP_NO_ERR_NO_TRANS
ISAKMP (0): retransmitting phase 2...
ISAKMP (0): retransmitting phase 2...
ISAKMP (0): retransmitting phase 2...IPSEC(key_engine): request timer fired: count = 2,
(identity) local= 172.16.1.150, remote= 63.x.x.3,
local_proxy= 192.168.30.0/255.255.255.0/0/0 (type=4),
remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4)

ISAKMP (0): retransmitting phase 2...
ISAKMP (0): retransmitting phase 2...
ISAKMP (0): deleting IPSEC SAs with peer at 63.x.x.3IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with 63.x.x.3
map_free_entry: freeing entry 1
CRYPTO(epa_release_conn): released conn 1

VPN Peer: IPSEC: Peer ip:63.x.x.3 Decrementing Ref cnt to:2 Total VPN Peers:1map_free_entry: freeing entry 2
CRYPTO(epa_release_conn): released conn 2

VPN Peer: IPSEC: Peer ip:63.x.x.3 Decrementing Ref cnt to:1 Total VPN Peers:1
ISAKMP (0): deleting SA: src 172.16.1.150, dst 63.x.x.3
crypto_isakmp_process_block: src 63.x.x.3, dest 172.16.1.150
ISADB: reaper checking SA 0x8095aa20, conn_id = 0 DELETE IT!

VPN Peer: ISAKMP: Peer ip:63.x.x.3 Ref cnt decremented to:0 Total VPN Peers:1
VPN Peer: ISAKMP: Deleted peer: ip:63.x.x.3 Total VPN peers:0IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with 63.x.x.3

L2L IPSec - PIX501 to VPN 3000 - Tunnel rejected: Policy not found...(long post)

mattsnow

Advertisements

mattsnow

Advertisements

mattsnow

mattsnow

mattsnow

mattsnow

Advertisements

Want to reply to this thread or ask your own question?

Termination of an IPSec VPN tunnel and a GRE Tunnel on one physical interface.

Cisco 3000 L2L Tunnel Troubles

vpn 3000 pix L2L Trouble

Cisco 3000 - IPSec tunnel issue

IPsec tunnel between Concentrator 3000 behind pix and Firebox X700's

L2L tunnel, concentrator 3000 to PIX ?

Is it possible to split tunnel on permanant l2l VPN?

ASA: L2L VPN tunnel Drops Every 24 hours

L2L IPSec - PIX501 to VPN 3000 - Tunnel rejected: Policy not found...(long post)

Advertisements

Advertisements

Advertisements

Want to reply to this thread or ask your own question?

Useful Searches