Problems S2SVPN Cisco Watchguard after upgrade IOS

Discussion in 'Cisco' started by Tom Pouce, Dec 1, 2006.

  1. Tom Pouce

    Tom Pouce Guest

    Grr,

    I've upgraded my VPN router from 12.2.23 to 12.3.14T.
    Now the tunnel to a Watchguard WFS 7.0 isn't working anymore.
    "debug crypto isakmp" gives the following.
    Downgrading is no issue, because we need some new functionalities in the new
    IOS.

    Any solution?

    Dec 1 11:39:05: ISAKMP (0:0): received packet from 10.20.30.40 dport 500
    sport 500 Global (N) NEW SA

    Dec 1 11:39:05: ISAKMP: Created a peer struct for 10.20.30.40, peer port
    500

    Dec 1 11:39:05: ISAKMP: New peer created peer = 0x6560EE98 peer_handle =
    0x8000011C

    Dec 1 11:39:05: ISAKMP: Locking peer struct 0x6560EE98, IKE refcount 1 for
    crypto_isakmp_process_block

    Dec 1 11:39:05: ISAKMP: local port 500, remote port 500

    Dec 1 11:39:05: ISAKMP: Find a dup sa in the avl tree during calling
    isadb_insert sa = 656157AC

    Dec 1 11:39:05: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

    Dec 1 11:39:05: ISAKMP:(0:0:N/A:0):Old State = IKE_READY New State =
    IKE_R_MM1



    Dec 1 11:39:05: ISAKMP:(0:0:N/A:0): processing SA payload. message ID = 0

    Dec 1 11:39:05: ISAKMP:(0:0:N/A:0): processing vendor id payload

    Dec 1 11:39:05: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 157
    mismatch

    Dec 1 11:39:05: ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v3

    Dec 1 11:39:05: ISAKMP:(0:0:N/A:0): processing vendor id payload

    Dec 1 11:39:05: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 221
    mismatch

    Dec 1 11:39:05: ISAKMP:(0:0:N/A:0): processing vendor id payload

    Dec 1 11:39:05: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 123
    mismatch

    Dec 1 11:39:05: ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v2

    Dec 1 11:39:05: ISAKMP:(0:0:N/A:0): processing vendor id payload

    Dec 1 11:39:05: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 0
    mismatch

    Dec 1 11:39:05: ISAKMP:(0:0:N/A:0):Looking for a matching key for
    10.20.30.40 in default

    Dec 1 11:39:05: ISAKMP:(0:0:N/A:0): : success

    Dec 1 11:39:05: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching
    10.20.30.40

    Dec 1 11:39:05: ISAKMP:(0:0:N/A:0): local preshared key found

    Dec 1 11:39:05: ISAKMP : Scanning profiles for xauth ...

    Dec 1 11:39:05: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against
    priority 4 policy

    Dec 1 11:39:05: ISAKMP: encryption 3DES-CBC

    Dec 1 11:39:05: ISAKMP: hash MD5

    Dec 1 11:39:05: ISAKMP: auth pre-share

    Dec 1 11:39:05: ISAKMP: life type in seconds

    Dec 1 11:39:05: ISAKMP: life duration (basic) of 28800

    Dec 1 11:39:05: ISAKMP: life type in kilobytes

    Dec 1 11:39:05: ISAKMP: life duration (basic) of 32000

    Dec 1 11:39:05: ISAKMP: default group 2

    Dec 1 11:39:05: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not
    match policy!

    Dec 1 11:39:05: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is
    0

    Dec 1 11:39:05: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against
    priority 5 policy

    Dec 1 11:39:05: ISAKMP: encryption 3DES-CBC

    Dec 1 11:39:05: ISAKMP: hash MD5

    Dec 1 11:39:05: ISAKMP: auth pre-share

    Dec 1 11:39:05: ISAKMP: life type in seconds

    Dec 1 11:39:05: ISAKMP: life duration (basic) of 28800

    Dec 1 11:39:05: ISAKMP: life type in kilobytes

    Dec 1 11:39:05: ISAKMP: life duration (basic) of 32000

    Dec 1 11:39:05: ISAKMP: default group 2

    Dec 1 11:39:05: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 0

    Dec 1 11:39:05: ISAKMP:(0:70:SW:1): processing vendor id payload

    Dec 1 11:39:05: ISAKMP:(0:70:SW:1): vendor ID seems Unity/DPD but major 157
    mismatch

    Dec 1 11:39:05: ISAKMP:(0:70:SW:1): vendor ID is NAT-T v3

    Dec 1 11:39:05: ISAKMP:(0:70:SW:1): processing vendor id payload

    Dec 1 11:39:05: ISAKMP:(0:70:SW:1): vendor ID seems Unity/DPD but major 221
    mismatch

    Dec 1 11:39:05: ISAKMP:(0:70:SW:1): processing vendor id payload

    Dec 1 11:39:05: ISAKMP:(0:70:SW:1): vendor ID seems Unity/DPD but major 123
    mismatch

    Dec 1 11:39:05: ISAKMP:(0:70:SW:1): vendor ID is NAT-T v2

    Dec 1 11:39:05: ISAKMP:(0:70:SW:1): processing vendor id payload

    Dec 1 11:39:05: ISAKMP:(0:70:SW:1): vendor ID seems Unity/DPD but major 0
    mismatch

    Dec 1 11:39:05: ISAKMP:(0:70:SW:1):Input = IKE_MESG_INTERNAL,
    IKE_PROCESS_MAIN_MODE

    Dec 1 11:39:05: ISAKMP:(0:70:SW:1):Old State = IKE_R_MM1 New State =
    IKE_R_MM1



    Dec 1 11:39:05: ISAKMP:(0:70:SW:1): constructed NAT-T vendor-03 ID

    Dec 1 11:39:05: ISAKMP:(0:70:SW:1): sending packet to 10.20.30.40 my_port
    500 peer_port 500 (R) MM_SA_SETUP

    Dec 1 11:39:05: ISAKMP:(0:70:SW:1):Input = IKE_MESG_INTERNAL,
    IKE_PROCESS_COMPLETE

    Dec 1 11:39:05: ISAKMP:(0:70:SW:1):Old State = IKE_R_MM1 New State =
    IKE_R_MM2



    Dec 1 11:39:06: ISAKMP (0:134217798): received packet from 10.20.30.40
    dport 500 sport 500 Global (R) MM_SA_SETUP

    Dec 1 11:39:06: ISAKMP:(0:70:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

    Dec 1 11:39:06: ISAKMP:(0:70:SW:1):Old State = IKE_R_MM2 New State =
    IKE_R_MM3



    Dec 1 11:39:06: ISAKMP:(0:70:SW:1): processing KE payload. message ID = 0

    Dec 1 11:39:06: ISAKMP:(0:70:SW:1): processing NONCE payload. message ID =
    0

    Dec 1 11:39:06: ISAKMP:(0:0:N/A:0):Looking for a matching key for
    10.20.30.40 in default

    Dec 1 11:39:06: ISAKMP:(0:0:N/A:0): : success

    Dec 1 11:39:06: ISAKMP:(0:70:SW:1):found peer pre-shared key matching
    10.20.30.40

    Dec 1 11:39:06: ISAKMP:(0:70:SW:1):SKEYID state generated

    Dec 1 11:39:06: ISAKMP:received payload type 20

    Dec 1 11:39:06: ISAKMP (0:134217798): NAT found, the node inside NAT

    Dec 1 11:39:06: ISAKMP:received payload type 20

    Dec 1 11:39:06: ISAKMP (0:134217798): NAT found, both nodes are all located
    inside NAT

    Dec 1 11:39:06: ISAKMP:(0:70:SW:1):Input = IKE_MESG_INTERNAL,
    IKE_PROCESS_MAIN_MODE

    Dec 1 11:39:06: ISAKMP:(0:70:SW:1):Old State = IKE_R_MM3 New State =
    IKE_R_MM3



    Dec 1 11:39:06: ISAKMP:(0:70:SW:1): sending packet to 10.20.30.40 my_port
    500 peer_port 500 (R) MM_KEY_EXCH

    Dec 1 11:39:06: ISAKMP:(0:70:SW:1):Input = IKE_MESG_INTERNAL,
    IKE_PROCESS_COMPLETE

    Dec 1 11:39:06: ISAKMP:(0:70:SW:1):Old State = IKE_R_MM3 New State =
    IKE_R_MM4



    Dec 1 11:39:16: ISAKMP:(0:70:SW:1): retransmitting phase 1 MM_KEY_EXCH...

    Dec 1 11:39:16: ISAKMP:(0:70:SW:1):incrementing error counter on sa:
    retransmit phase 1

    Dec 1 11:39:16: ISAKMP:(0:70:SW:1): retransmitting phase 1 MM_KEY_EXCH

    Dec 1 11:39:16: ISAKMP:(0:70:SW:1): sending packet to 10.20.30.40 my_port
    500 peer_port 500 (R) MM_KEY_EXCH

    Dec 1 11:39:26: ISAKMP:(0:70:SW:1): retransmitting phase 1 MM_KEY_EXCH...

    Dec 1 11:39:26: ISAKMP:(0:70:SW:1):incrementing error counter on sa:
    retransmit phase 1

    Dec 1 11:39:26: ISAKMP:(0:70:SW:1): retransmitting phase 1 MM_KEY_EXCH

    Dec 1 11:39:26: ISAKMP:(0:70:SW:1): sending packet to 10.20.30.40 my_port
    500 peer_port 500 (R) MM_KEY_EXCH

    Dec 1 11:39:36: ISAKMP:(0:70:SW:1): retransmitting phase 1 MM_KEY_EXCH...

    Dec 1 11:39:36: ISAKMP:(0:70:SW:1):incrementing error counter on sa:
    retransmit phase 1

    Dec 1 11:39:36: ISAKMP:(0:70:SW:1): retransmitting phase 1 MM_KEY_EXCH

    Dec 1 11:39:36: ISAKMP:(0:70:SW:1): sending packet to 10.20.30.40 my_port
    500 peer_port 500 (R) MM_KEY_EXCH

    Dec 1 11:39:36: ISAKMP:(0:69:SW:1):purging SA., sa=656150C0, delme=656150C0

    Dec 1 11:39:46: ISAKMP:(0:70:SW:1): retransmitting phase 1 MM_KEY_EXCH...

    Dec 1 11:39:46: ISAKMP:(0:70:SW:1):incrementing error counter on sa:
    retransmit phase 1

    Dec 1 11:39:46: ISAKMP:(0:70:SW:1): retransmitting phase 1 MM_KEY_EXCH

    Dec 1 11:39:46: ISAKMP:(0:70:SW:1): sending packet to 10.20.30.40 my_port
    500 peer_port 500 (R) MM_KEY_EXCH

    Dec 1 11:39:56: ISAKMP:(0:70:SW:1): retransmitting phase 1 MM_KEY_EXCH...

    Dec 1 11:39:56: ISAKMP:(0:70:SW:1):incrementing error counter on sa:
    retransmit phase 1

    Dec 1 11:39:56: ISAKMP:(0:70:SW:1): retransmitting phase 1 MM_KEY_EXCH

    Dec 1 11:39:56: ISAKMP:(0:70:SW:1): sending packet to 10.20.30.40 my_port
    500 peer_port 500 (R) MM_KEY_EXCH

    Dec 1 11:40:06: ISAKMP:(0:70:SW:1): retransmitting phase 1 MM_KEY_EXCH...

    Dec 1 11:40:06: ISAKMP:(0:70:SW:1):peer does not do paranoid keepalives.



    Dec 1 11:40:06: ISAKMP:(0:70:SW:1):deleting SA reason "Death by
    retransmission P1" state (R) MM_KEY_EXCH (peer 10.20.30.40)

    Dec 1 11:40:06: ISAKMP:(0:70:SW:1):deleting SA reason "Death by
    retransmission P1" state (R) MM_KEY_EXCH (peer 10.20.30.40)

    Dec 1 11:40:06: ISAKMP: Unlocking IKE struct 0x6560EE98 for
    isadb_mark_sa_deleted(), count 0

    Dec 1 11:40:06: ISAKMP: Deleting peer node by peer_reap for 10.20.30.40:
    6560EE98

    Dec 1 11:40:06: ISAKMP:(0:70:SW:1):Input = IKE_MESG_INTERNAL,
    IKE_PHASE1_DEL

    Dec 1 11:40:06: ISAKMP:(0:70:SW:1):Old State = IKE_R_MM4 New State =
    IKE_DEST_SA
     
    Tom Pouce, Dec 1, 2006
    #1
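
A triage helper for `debug crypto isakmp` output like the log in the post above, added here as an example and not part of the original post: it reports which ISAKMP policies rejected or accepted the offer, whether NAT was detected, the last main-mode state reached, and why the SA was deleted. The function and field names are assumptions, and the sample lines are abridged from the posted log with wrapped lines rejoined.

```python
import re

# Sample input: lines abridged from the posted debug output, wraps rejoined.
SAMPLE = """\
Dec 1 11:39:05: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 4 policy
Dec 1 11:39:05: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
Dec 1 11:39:05: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 0
Dec 1 11:39:05: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 5 policy
Dec 1 11:39:05: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 0
Dec 1 11:39:05: ISAKMP:(0:70:SW:1):Old State = IKE_R_MM1 New State = IKE_R_MM2
Dec 1 11:39:06: ISAKMP (0:134217798): NAT found, both nodes are all located inside NAT
Dec 1 11:39:06: ISAKMP:(0:70:SW:1):Old State = IKE_R_MM3 New State = IKE_R_MM4
Dec 1 11:39:16: ISAKMP:(0:70:SW:1): retransmitting phase 1 MM_KEY_EXCH...
Dec 1 11:39:26: ISAKMP:(0:70:SW:1): retransmitting phase 1 MM_KEY_EXCH...
Dec 1 11:40:06: ISAKMP:(0:70:SW:1):deleting SA reason "Death by retransmission P1" state (R) MM_KEY_EXCH (peer 10.20.30.40)
"""

POLICY = re.compile(r"against priority (\d+) policy")
VERDICT = re.compile(r"atts are (not )?acceptable")
STATE = re.compile(r"Old State = \S+\s+New State = (\S+)")
NAT = re.compile(r"NAT found, (.+)$")
# Each attempt is logged twice; only the first form ends in "...".
RETX = re.compile(r"retransmitting phase 1 \S+\.\.\.")
DELETE = re.compile(r'deleting SA reason "([^"]+)" state \((\w)\) (\S+) \(peer ([\d.]+)\)')

def triage(log_text):
    """Summarise one phase 1 negotiation from IOS ISAKMP debug lines."""
    r = {"rejected": [], "accepted": None, "nat": None,
         "last_state": None, "retransmits": 0, "deleted": None}
    priority = None  # policy priority currently being compared
    for line in log_text.splitlines():
        if m := POLICY.search(line):
            priority = int(m.group(1))
        elif m := VERDICT.search(line):
            if m.group(1):
                r["rejected"].append(priority)
            else:
                r["accepted"] = priority
        elif m := STATE.search(line):
            r["last_state"] = m.group(1)
        elif m := NAT.search(line):
            r["nat"] = m.group(1)
        elif RETX.search(line):
            r["retransmits"] += 1
        elif m := DELETE.search(line):
            r["deleted"] = m.groups()  # (reason, role, state, peer)
    return r

if __name__ == "__main__":
    print(triage(SAMPLE))
```

On the posted log this shows the offer accepted under priority 5, NAT detected, and the SA torn down in MM_KEY_EXCH after retransmissions with no reply from the peer. Under RFC 3947 the initiator sends its next main-mode message on UDP 4500 once NAT is detected, so that port is worth checking on the path between the peers.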