All you ISCW Gurus

burbankmarc Member Posts: 460
Hey all,

I'm having problems with a site-to-site VPN tunnel, I thought you ISCW pros could help me out (and it might be useful for learning).

Phase 1 happens fine and the ISAKMP SA goes into QM_IDLE state. But the IPsec tunnel never comes up. Here's my debug:
Looking for a matching key for a.b.c.d in default
002769: Dec 17 16:02:23.516 EST: ISAKMP:(0:0:N/A:0): : success
002770: Dec 17 16:02:23.516 EST: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching a.b.c.d
002771: Dec 17 16:02:23.516 EST: ISAKMP:(0:0:N/A:0): local preshared key found
002772: Dec 17 16:02:23.516 EST: ISAKMP : Scanning profiles for xauth ...
002773: Dec 17 16:02:23.516 EST: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 1 policy
002774: Dec 17 16:02:23.516 EST: ISAKMP:      encryption 3DES-CBC
002775: Dec 17 16:02:23.516 EST: ISAKMP:      hash SHA
002776: Dec 17 16:02:23.516 EST: ISAKMP:      default group 2
002777: Dec 17 16:02:23.516 EST: ISAKMP:      auth pre-share
002778: Dec 17 16:02:23.516 EST: ISAKMP:      life type in seconds
002779: Dec 17 16:02:23.516 EST: ISAKMP:      life duration (basic) of 3600
002780: Dec 17 16:02:23.516 EST: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 0
002781: Dec 17 16:02:23.520 EST: CryptoEngine0: generating alg parameter for connid 2
002782: Dec 17 16:02:23.560 EST: CRYPTO_ENGINE: Dh phase 1 status: 0
002783: Dec 17 16:02:23.560 EST: CRYPTO_ENGINE: Dh phase 1 status: OK
002784: Dec 17 16:02:23.560 EST: ISAKMP:(0:2:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
002785: Dec 17 16:02:23.560 EST: ISAKMP:(0:2:SW:1):Old State = IKE_I_MM2  New State = IKE_I_MM2

002786: Dec 17 16:02:23.564 EST: ISAKMP:(0:2:SW:1): sending packet to a.b.c.d my_port 500 peer_port 500 (I) MM_SA_SETUP
002787: Dec 17 16:02:23.568 EST: ISAKMP:(0:2:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
002788: Dec 17 16:02:23.568 EST: ISAKMP:(0:2:SW:1):Old State = IKE_I_MM2  New State = IKE_I_MM3

002789: Dec 17 16:02:23.672 EST: ISAKMP (0:134217730): received packet from a.b.c.d dport 500 sport 500 Global (I) MM_SA_SETUP
002790: Dec 17 16:02:23.672 EST: ISAKMP:(0:2:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
002791: Dec 17 16:02:23.672 EST: ISAKMP:(0:2:SW:1):Old State = IKE_I_MM3  New State = IKE_I_MM4

002792: Dec 17 16:02:23.672 EST: ISAKMP:(0:2:SW:1): processing KE payload. message ID = 0
002793: Dec 17 16:02:23.672 EST: CryptoEngine0: generating alg parameter for connid 0
002794: Dec 17 16:02:23.724 EST: ISAKMP:(0:2:SW:1): processing NONCE payload. message ID = 0
002795: Dec 17 16:02:23.724 EST: ISAKMP:(0:0:N/A:0):Looking for a matching key for a.b.c.d in default
002796: Dec 17 16:02:23.724 EST: ISAKMP:(0:0:N/A:0): : success
002797: Dec 17 16:02:23.724 EST: ISAKMP:(0:2:SW:1):found peer pre-shared key matching a.b.c.d
002798: Dec 17 16:02:23.724 EST: CryptoEngine0: create ISAKMP SKEYID for conn id 2
002799: Dec 17 16:02:23.724 EST: ISAKMP:(0:2:SW:1):SKEYID state generated
002800: Dec 17 16:02:23.724 EST: ISAKMP:(0:2:SW:1): processing vendor id payload
002801: Dec 17 16:02:23.724 EST: ISAKMP:(0:2:SW:1): vendor ID seems Unity/DPD but major 215 mismatch
002802: Dec 17 16:02:23.724 EST: ISAKMP:(0:2:SW:1): vendor ID is XAUTH
002803: Dec 17 16:02:23.724 EST: ISAKMP:(0:2:SW:1): processing vendor id payload
002804: Dec 17 16:02:23.724 EST: ISAKMP:(0:2:SW:1): vendor ID is DPD
002805: Dec 17 16:02:23.724 EST: ISAKMP:(0:2:SW:1): processing vendor id payload
002806: Dec 17 16:02:23.724 EST: ISAKMP:(0:2:SW:1): vendor ID is Unity
002807: Dec 17 16:02:23.724 EST: ISAKMP:(0:2:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
002808: Dec 17 16:02:23.724 EST: ISAKMP:(0:2:SW:1):Old State = IKE_I_MM4  New State = IKE_I_MM4

002809: Dec 17 16:02:23.740 EST: ISAKMP:(0:2:SW:1):Send initial contact
002810: Dec 17 16:02:23.740 EST: ISAKMP:(0:2:SW:1):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
002811: Dec 17 16:02:23.740 EST: ISAKMP (0:134217730): ID payload
    next-payload : 8
    type         : 1
    address      : w.x.y.z
    protocol     : 17
    port         : 500
    length       : 12
002812: Dec 17 16:02:23.740 EST: ISAKMP:(0:2:SW:1):Total payload length: 12
002813: Dec 17 16:02:23.740 EST: CryptoEngine0: generate hmac context for conn id 2
002814: Dec 17 16:02:23.740 EST: ISAKMP:(0:2:SW:1): sending packet to a.b.c.d my_port 500 peer_port 500 (I) MM_KEY_EXCH
002815: Dec 17 16:02:23.740 EST: ISAKMP:(0:2:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
002816: Dec 17 16:02:23.740 EST: ISAKMP:(0:2:SW:1):Old State = IKE_I_MM4  New State = IKE_I_MM5

002817: Dec 17 16:02:23.800 EST: ISAKMP (0:134217730): received packet from a.b.c.d dport 500 sport 500 Global (I) MM_KEY_EXCH
002818: Dec 17 16:02:23.800 EST: ISAKMP:(0:2:SW:1): processing ID payload. message ID = 0
002819: Dec 17 16:02:23.800 EST: ISAKMP (0:134217730): ID payload
    next-payload : 8
    type         : 2
    FQDN name    : plano1PIX.arch.com
    protocol     : 17
    port         : 500
    length       : 26
002820: Dec 17 16:02:23.800 EST: ISAKMP:(0:2:SW:1):: peer matches *none* of the profiles
002821: Dec 17 16:02:23.800 EST: ISAKMP:(0:2:SW:1): processing HASH payload. message ID = 0
002822: Dec 17 16:02:23.800 EST: CryptoEngine0: generate hmac context for conn id 2
002823: Dec 17 16:02:23.800 EST: ISAKMP:(0:2:SW:1):SA authentication status:
    authenticated
002824: Dec 17 16:02:23.800 EST: ISAKMP:(0:2:SW:1):SA has been authenticated with a.b.c.d
002825: Dec 17 16:02:23.804 EST: ISAKMP: Trying to insert a peer w.x.y.z/a.b.c.d/500/,  and inserted successfully 44E29838.
002826: Dec 17 16:02:23.804 EST: ISAKMP:(0:2:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
002827: Dec 17 16:02:23.804 EST: ISAKMP:(0:2:SW:1):Old State = IKE_I_MM5  New State = IKE_I_MM6

002828: Dec 17 16:02:23.804 EST: ISAKMP:(0:2:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
002829: Dec 17 16:02:23.804 EST: ISAKMP:(0:2:SW:1):Old State = IKE_I_MM6  New State = IKE_I_MM6

002830: Dec 17 16:02:23.808 EST: CryptoEngine0: clear dh number for conn id 1
002831: Dec 17 16:02:23.808 EST: ISAKMP:(0:2:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
002832: Dec 17 16:02:23.808 EST: ISAKMP:(0:2:SW:1):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE

002833: Dec 17 16:02:23.812 EST: ISAKMP:(0:2:SW:1):beginning Quick Mode exchange, M-ID of -1763274414
002834: Dec 17 16:02:23.816 EST: CryptoEngine0: generate hmac context for conn id 2
002835: Dec 17 16:02:23.816 EST: ISAKMP:(0:2:SW:1): sending packet to a.b.c.d my_port 500 peer_port 500 (I) QM_IDLE
002836: Dec 17 16:02:23.816 EST: ISAKMP:(0:2:SW:1):Node -1763274414, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
002837: Dec 17 16:02:23.816 EST: ISAKMP:(0:2:SW:1):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
002838: Dec 17 16:02:23.816 EST: ISAKMP:(0:2:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
002839: Dec 17 16:02:23.816 EST: ISAKMP:(0:2:SW:1):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

002840: Dec 17 16:02:23.884 EST: ISAKMP (0:134217730): received packet from a.b.c.d dport 500 sport 500 Global (I) QM_IDLE
002841: Dec 17 16:02:23.884 EST: ISAKMP: set new node 540195207 to QM_IDLE
002842: Dec 17 16:02:23.884 EST: CryptoEngine0: generate hmac context for conn id 2
002843: Dec 17 16:02:23.884 EST: ISAKMP:(0:2:SW:1): processing HASH payload. message ID = 540195207
002844: Dec 17 16:02:23.884 EST: ISAKMP:(0:2:SW:1): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 0
    spi 0, message ID = 540195207, sa = 44E910C4
002845: Dec 17 16:02:23.884 EST: ISAKMP:(0:2:SW:1):peer does not do paranoid keepalives.

002846: Dec 17 16:02:23.884 EST: ISAKMP:(0:2:SW:1):deleting node 540195207 error FALSE reason "Informational (in) state 1"
002847: Dec 17 16:02:23.888 EST: ISAKMP:(0:2:SW:1):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
002848: Dec 17 16:02:23.888 EST: ISAKMP:(0:2:SW:1):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

002849: Dec 17 16:02:23.888 EST: IPSEC(key_engine): got a queue event with 1 kei messages
002850: Dec 17 16:02:23.888 EST: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
002851: Dec 17 16:02:23.888 EST: IPSEC(key_engine_delete_sas): delete all SAs shared with peer a.b.c.d
002852: Dec 17 16:02:33.816 EST: ISAKMP:(0:2:SW:1): retransmitting phase 2 QM_IDLE       -1763274414 ...
002853: Dec 17 16:02:33.816 EST: ISAKMP (0:134217730): incrementing error counter on node, attempt 1 of 5: retransmit phase 2
002854: Dec 17 16:02:33.816 EST: ISAKMP (0:134217730): incrementing error counter on sa, attempt 1 of 5: retransmit phase 2
002855: Dec 17 16:02:33.816 EST: ISAKMP:(0:2:SW:1): retransmitting phase 2 -1763274414 QM_IDLE
002856: Dec 17 16:02:33.816 EST: ISAKMP:(0:2:SW:1): sending packet to a.b.c.d my_port 500 peer_port 500 (I) QM_IDLE
002857: Dec 17 16:02:43.816 EST: ISAKMP:(0:2:SW:1): retransmitting phase 2 QM_IDLE       -1763274414 ...
002858: Dec 17 16:02:43.816 EST: ISAKMP (0:134217730): incrementing error counter on node, attempt 2 of 5: retransmit phase 2
002859: Dec 17 16:02:43.816 EST: ISAKMP (0:134217730): incrementing error counter on sa, attempt 2 of 5: retransmit phase 2
002860: Dec 17 16:02:43.816 EST: ISAKMP:(0:2:SW:1): retransmitting phase 2 -1763274414 QM_IDLE
002861: Dec 17 16:02:43.816 EST: ISAKMP:(0:2:SW:1): sending packet to a.b.c.d my_port 500 peer_port 500 (I) QM_IDLE
002862: Dec 17 16:02:53.381 EST: IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= w.x.y.z, remote= a.b.c.d,
    local_proxy= 172.26.1.1/255.255.255.255/0/0 (type=1),
    remote_proxy= 10.50.50.102/255.255.255.255/0/0 (type=1)
002863: Dec 17 16:02:53.381 EST: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= w.x.y.z, remote= a.b.c.d,
    local_proxy= 172.26.1.1/255.255.255.255/0/0 (type=1),
    remote_proxy= 10.50.50.102/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-3des esp-sha-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0xD77FD304(3615478532), conn_id= 0, keysize= 0, flags= 0x400A
002864: Dec 17 16:02:53.381 EST: ISAKMP: received ke message (1/1)
002865: Dec 17 16:02:53.381 EST: ISAKMP: set new node 0 to QM_IDLE
002866: Dec 17 16:02:53.381 EST: ISAKMP:(0:2:SW:1): sitting IDLE. Starting QM immediately (QM_IDLE      )
002867: Dec 17 16:02:53.381 EST: ISAKMP:(0:2:SW:1):beginning Quick Mode exchange, M-ID of 1708338459
002868: Dec 17 16:02:53.381 EST: CryptoEngine0: generate hmac context for conn id 2
002869: Dec 17 16:02:53.385 EST: ISAKMP:(0:2:SW:1): sending packet to a.b.c.d my_port 500 peer_port 500 (I) QM_IDLE
002870: Dec 17 16:02:53.385 EST: ISAKMP:(0:2:SW:1):Node 1708338459, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
002871: Dec 17 16:02:53.385 EST: ISAKMP:(0:2:SW:1):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
002872: Dec 17 16:02:53.445 EST: ISAKMP (0:134217730): received packet from a.b.c.d dport 500 sport 500 Global (I) QM_IDLE
002873: Dec 17 16:02:53.445 EST: ISAKMP: set new node 207928184 to QM_IDLE
002874: Dec 17 16:02:53.445 EST: CryptoEngine0: generate hmac context for conn id 2
002875: Dec 17 16:02:53.445 EST: ISAKMP:(0:2:SW:1): processing HASH payload. message ID = 207928184
002876: Dec 17 16:02:53.445 EST: ISAKMP:(0:2:SW:1): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 0
    spi 0, message ID = 207928184, sa = 44E910C4
002877: Dec 17 16:02:53.445 EST: ISAKMP:(0:2:SW:1):peer does not do paranoid keepalives.

002878: Dec 17 16:02:53.445 EST: ISAKMP:(0:2:SW:1):deleting node 207928184 error FALSE reason "Informational (in) state 1"
002879: Dec 17 16:02:53.445 EST: ISAKMP:(0:2:SW:1):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
002880: Dec 17 16:02:53.445 EST: ISAKMP:(0:2:SW:1):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

002881: Dec 17 16:02:53.449 EST: IPSEC(key_engine): got a queue event with 1 kei messages
002882: Dec 17 16:02:53.449 EST: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
002883: Dec 17 16:02:53.449 EST: IPSEC(key_engine_delete_sas): delete all SAs shared with peer a.b.c.d
002884: Dec 17 16:02:53.817 EST: ISAKMP:(0:2:SW:1): retransmitting phase 2 QM_IDLE       -1763274414 ...
002885: Dec 17 16:02:53.817 EST: ISAKMP (0:134217730): incrementing error counter on node, attempt 3 of 5: retransmit phase 2
002886: Dec 17 16:02:53.817 EST: ISAKMP (0:134217730): incrementing error counter on sa, attempt 1 of 5: retransmit phase 2
002887: Dec 17 16:02:53.817 EST: ISAKMP:(0:2:SW:1): retransmitting phase 2 -1763274414 QM_IDLE
002888: Dec 17 16:02:53.817 EST: ISAKMP:(0:2:SW:1): sending packet to a.b.c.d my_port 500 peer_port 500 (I) QM_IDLE
002889: Dec 17 16:02:57.809 EST: ISAKMP:(0:1:SW:1):purging SA., sa=44702F8C, delme=44702F8C
002890: Dec 17 16:02:57.809 EST: CryptoEngine0: delete connection 1
002891: Dec 17 16:03:03.385 EST: ISAKMP:(0:2:SW:1): retransmitting phase 2 QM_IDLE       1708338459 ...
002892: Dec 17 16:03:03.385 EST: ISAKMP (0:134217730): incrementing error counter on node, attempt 1 of 5: retransmit phase 2
002893: Dec 17 16:03:03.385 EST: ISAKMP (0:134217730): incrementing error counter on sa, attempt 2 of 5: retransmit phase 2
002894: Dec 17 16:03:03.385 EST: ISAKMP:(0:2:SW:1): retransmitting phase 2 1708338459 QM_IDLE
002895: Dec 17 16:03:03.385 EST: ISAKMP:(0:2:SW:1): sending packet to a.b.c.d my_port 500 peer_port 500 (I) QM_IDLE
002896: Dec 17 16:03:03.817 EST: ISAKMP:(0:2:SW:1): retransmitting phase 2 QM_IDLE       -1763274414 ...
002897: Dec 17 16:03:03.817 EST: ISAKMP (0:134217730): incrementing error counter on node, attempt 4 of 5: retransmit phase 2
002898: Dec 17 16:03:03.817 EST: ISAKMP (0:134217730): incrementing error counter on sa, attempt 3 of 5: retransmit phase 2
002899: Dec 17 16:03:03.817 EST: ISAKMP:(0:2:SW:1): retransmitting phase 2 -1763274414 QM_IDLE
002900: Dec 17 16:03:03.817 EST: ISAKMP:(0:2:SW:1): sending packet to a.b.c.d my_port 500 peer_port 500 (I) QM_IDLE
002901: Dec 17 16:03:13.385 EST: ISAKMP:(0:2:SW:1): retransmitting phase 2 QM_IDLE       1708338459 ...
002902: Dec 17 16:03:13.385 EST: ISAKMP (0:134217730): incrementing error counter on node, attempt 2 of 5: retransmit phase 2
002903: Dec 17 16:03:13.385 EST: ISAKMP (0:134217730): incrementing error counter on sa, attempt 4 of 5: retransmit phase 2
002904: Dec 17 16:03:13.385 EST: ISAKMP:(0:2:SW:1): retransmitting phase 2 1708338459 QM_IDLE
002905: Dec 17 16:03:13.385 EST: ISAKMP:(0:2:SW:1): sending packet to a.b.c.d my_port 500 peer_port 500 (I) QM_IDLE
002906: Dec 17 16:03:13.817 EST: ISAKMP:(0:2:SW:1): retransmitting phase 2 QM_IDLE       -1763274414 ...
002907: Dec 17 16:03:13.817 EST: ISAKMP (0:134217730): incrementing error counter on node, attempt 5 of 5: retransmit phase 2
002908: Dec 17 16:03:13.817 EST: ISAKMP (0:134217730): incrementing error counter on sa, attempt 5 of 5: retransmit phase 2
002909: Dec 17 16:03:13.817 EST: ISAKMP:(0:2:SW:1): retransmitting phase 2 -1763274414 QM_IDLE
002910: Dec 17 16:03:13.817 EST: ISAKMP:(0:2:SW:1): sending packet to a.b.c.d my_port 500 peer_port 500 (I) QM_IDLE
002911: Dec 17 16:03:13.889 EST: ISAKMP:(0:2:SW:1):purging node 540195207
Any Ideas?

Comments

  • NightShade03 Member Posts: 1,383
    Ok I am by no means a guru of any kind however, I noticed the following line in your debug:

    "002876: Dec 17 16:02:53.445 EST: ISAKMP:(0:2:SW:1): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 0
    spi 0, message ID = 207928184, sa = 44E910C4"

    According to the following page this indicates that there is a transform set mismatch.

    Ref:
    Appendix B - Sample Problem Scenarios

    I could totally be making this up though, but just my 2 cents.
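A way to do by script what NightShade03 did by eye. This is an added example, not code from the thread or from Cisco: it walks a `debug crypto isakmp` / `debug crypto ipsec` capture and reports whether phase 1 completed and whether the peer then rejected quick mode with PROPOSAL_NOT_CHOSEN or simply never answered. SAMPLE_DEBUG is a constructed, trimmed copy of the debug posted above; the verdict wording is the example's own.

```python
"""Triage a Cisco IOS 'debug crypto isakmp' / 'debug crypto ipsec' capture.

Added example for this thread; not code from the original post or from Cisco.
It answers: did phase 1 finish, and if so did the peer reject phase 2
(NOTIFY PROPOSAL_NOT_CHOSEN) or never answer at all?
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed, trimmed copy of the posted debug (same line formats as IOS emits).
SAMPLE_DEBUG = """\
002832: Dec 17 16:02:23.808 EST: ISAKMP:(0:2:SW:1):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
002833: Dec 17 16:02:23.812 EST: ISAKMP:(0:2:SW:1):beginning Quick Mode exchange, M-ID of -1763274414
002844: Dec 17 16:02:23.884 EST: ISAKMP:(0:2:SW:1): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 0
    spi 0, message ID = 540195207, sa = 44E910C4
002862: Dec 17 16:02:53.381 EST: IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= w.x.y.z, remote= a.b.c.d,
    local_proxy= 172.26.1.1/255.255.255.255/0/0 (type=1),
    remote_proxy= 10.50.50.102/255.255.255.255/0/0 (type=1)
002863: Dec 17 16:02:53.381 EST: IPSEC(sa_request): ,
    protocol= ESP, transform= esp-3des esp-sha-hmac  (Tunnel),
002907: Dec 17 16:03:13.817 EST: ISAKMP (0:134217730): incrementing error counter on node, attempt 5 of 5: retransmit phase 2
"""

P1_DONE = re.compile(r"New State = IKE_P1_COMPLETE")
NOT_CHOSEN = re.compile(r"NOTIFY PROPOSAL_NOT_CHOSEN")
RETRANS = re.compile(r"attempt (\d+) of (\d+): retransmit phase 2")
PROXY = re.compile(r"(local|remote)_proxy= (\S+)")
TRANSFORM = re.compile(r"transform= (.+?)\s+\((\w+)\)")


@dataclass
class Triage:
    phase1_complete: bool = False
    proposal_not_chosen: int = 0       # NOTIFYs received from the peer
    retransmits: int = 0               # highest phase 2 retransmit attempt seen
    retransmit_limit: int = 0
    local_proxy: Optional[str] = None  # what we proposed to protect (addr/mask/prot/port)
    remote_proxy: Optional[str] = None
    transform: Optional[str] = None
    mode: Optional[str] = None

    @property
    def verdict(self) -> str:
        if not self.phase1_complete:
            return "phase 1 failed: check ISAKMP policy, pre-shared key and peer reachability"
        if self.proposal_not_chosen:
            return ("phase 1 complete; peer rejected phase 2 with PROPOSAL_NOT_CHOSEN: "
                    f"check that transform '{self.transform}' ({self.mode}) and the proxy pair "
                    f"{self.local_proxy} <-> {self.remote_proxy} are mirrored on the peer")
        if self.retransmit_limit and self.retransmits >= self.retransmit_limit:
            return ("phase 1 complete; phase 2 never answered: check the UDP/500 and ESP path "
                    "and the peer's crypto map")
        return "phase 1 complete; phase 2 still negotiating"


def triage(debug_text: str) -> Triage:
    """Walk the debug line by line and collect the facts the verdict needs."""
    t = Triage()
    for line in debug_text.splitlines():
        if P1_DONE.search(line):
            t.phase1_complete = True
        if NOT_CHOSEN.search(line):
            t.proposal_not_chosen += 1
        m = RETRANS.search(line)
        if m:
            t.retransmits = max(t.retransmits, int(m.group(1)))
            t.retransmit_limit = int(m.group(2))
        for side, val in PROXY.findall(line):
            setattr(t, f"{side}_proxy", val.rstrip(","))
        m = TRANSFORM.search(line)
        if m:
            t.transform, t.mode = m.group(1), m.group(2)
    return t


if __name__ == "__main__":
    print(triage(SAMPLE_DEBUG).verdict)
```

On the sample it reports phase 1 complete and a peer rejection, naming the transform (esp-3des esp-sha-hmac, Tunnel) and the proxy pair 172.26.1.1/32 to 10.50.50.102/32 that the far side would have to hold. A capture that reaches "attempt 5 of 5" with no NOTIFY is classed as unanswered, which points at the path or the peer's crypto map rather than at a proposal mismatch.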
  • burbankmarc Member Posts: 460
    Thank you, how the hell did you find that so fast?

    I searched for as many odd looking lines in that debug as I could, I mostly just got forwarded to weird Russian sites.

    But again thank you.
  • NightShade03 Member Posts: 1,383
    I have no idea to be honest, I just used my CCNA:S book to review the steps to phase 1 / phase 2 and that line just seemed to stand out... a quick Google of the cisco.com site and that's what I came up with.

    Glad I was able to help :D

    Side Note: Let's hope I can do that again when it comes time for the test ;)
  • SysAdmin4066 Member Posts: 443
    Was that the problem? Mismatched transform set?
    In Progress: CCIE R&S Written Scheduled July 17th (Tentative)

    Next Up: CCIE R&S Lab
  • burbankmarc Member Posts: 460
    I only have the config for one side, which is quite long, what info are you looking for? It'd probably be easier to read than the whole config.
  • SysAdmin4066 Member Posts: 443
    Running config with the crypto info is easier than little pieces here and there. For me at least. So I can see the entire picture. And without the other side, it may not be very useful. Based on the description, there could be a problem with your interesting traffic ACL. I didn't really see anything that jumps out at me besides the line that was mentioned earlier.
    In Progress: CCIE R&S Written Scheduled July 17th (Tentative)

    Next Up: CCIE R&S Lab
  • burbankmarc Member Posts: 460
    Here you are:
    crypto isakmp policy 2
     encr 3des
     authentication pre-share
     group 2
     lifetime 3600
    crypto isakmp key KEY address a.b.c.d
    crypto ipsec transform-set transet1 esp-3des esp-sha-hmac
    crypto map map1 1 ipsec-isakmp 
     set peer a.b.c.d
     set transform-set transet1 
     match address crypto-map
    ip access-list extended crypto-map
     permit ip host 172.26.1.1 host 10.50.50.117
     permit ip host 172.26.1.1 host 10.50.50.102
    
    interface Serial0/0/1:0.1 point-to-point
     ip address w.x.y.z 255.255.255.252
     ip nat outside
     no cdp enable
     crypto map map1
    end
    
  • SysAdmin4066 Member Posts: 443
    show crypto isakmp policy
    show crypto ipsec transform-set
    show access-lists or show ip access-lists (specify which ACLs are for interesting traffic)
    show crypto map

    Being able to see both sides is pretty important, at least to me. I am by no means an expert though.
    In Progress: CCIE R&S Written Scheduled July 17th (Tentative)

    Next Up: CCIE R&S Lab
  • jason_lunde Member Posts: 567
    Can you run a debug crypto ipsec and post that?
    edit: nevermind, looks like you did :)
  • SysAdmin4066 Member Posts: 443
    I don't see anything missing with the single config. The ACL may need to be changed from host to network:

    permit ip 172.26.1.0 0.0.0.255 10.50.50.0 0.0.0.255

    It might work either way though, as long as the traffic comes from an IP that matches the IP hosts specified. Have you tried a ping with a source of the host listed in the ACL?
    In Progress: CCIE R&S Written Scheduled July 17th (Tentative)

    Next Up: CCIE R&S Lab
  • SysAdmin4066 Member Posts: 443
    Can you also give us an output of the SAs?

    show crypto isakmp sa
    show crypto ipsec sa
    In Progress: CCIE R&S Written Scheduled July 17th (Tentative)

    Next Up: CCIE R&S Lab
  • burbankmarc Member Posts: 460
    The 172.26.1.1 is a NAT address. So all traffic I want going through the tunnel will be NAT'd to that address.

    To generate the interesting traffic I created a loopback interface of 100.100.100.1 that gets NAT'd.

    The debugs I posted above are from pings to 10.50.50.102.

    I know the NAT is good because that shows up in my NAT table.

    *EDIT*

    The IPsec SA never comes up. The ISAKMP SA goes into QM_IDLE for a bit but is then removed.
    incrementing error counter on node, attempt 5 of 5
    

    Once that 5th attempt fails, that's when the ISAKMP SA gets deleted.
  • SysAdmin4066 Member Posts: 443
    It's really hard not being able to see the other side, at least for me. Also not knowing what's in between the two sites is difficult as well. Stupid question, but are you sure your routing between the two sites is good to go? You able to reach one side from the other? I know it's site to site so you're probably blocking pings from the net, right?
    In Progress: CCIE R&S Written Scheduled July 17th (Tentative)

    Next Up: CCIE R&S Lab
  • jason_lunde Member Posts: 567
    I happen to bet it's a crypto ACL mismatch. Taken from a webpage:
    When crypto ACLs specify inconsistent scopes of addresses between two peers, the expected result is that ISAKMP SA negotiation will complete successfully, but IPsec SA negotiation will fail.

    The ACLs on the endpoints are supposed to be the exact reverse of each other. Without seeing the other side though it is hard to say. SysAdmin may be right.
  • SysAdmin4066 Member Posts: 443
    jason_lunde wrote: »
    I happen to bet it's a crypto ACL mismatch. Taken from a webpage:
    When crypto ACLs specify inconsistent scopes of addresses between two peers, the expected result is that ISAKMP SA negotiation will complete successfully, but IPsec SA negotiation will fail.

    The ACLs on the endpoints are supposed to be the exact reverse of each other. Without seeing the other side though it is hard to say. SysAdmin may be right.

    I'm labbing that now, I'll see if I can duplicate it. It's really hard being blind to the other config, you have to trust it's not something as simple as an ACL mismatch. That's rough.
    In Progress: CCIE R&S Written Scheduled July 17th (Tentative)

    Next Up: CCIE R&S Lab
  • burbankmarc Member Posts: 460
    I am able to ping the other site, so connectivity is good. I'm not blocking ESP, AH, or UDP ISAKMP for the other dude.

    However, I know our crypto ACLs are slightly different, so you might be on to something. I thought the crypto ACLs were more locally significant. He's allowing the 172.26.1.0/29 subnet to the 10.50.50.0/24 subnet I think.
  • ilcram19-2 Banned Posts: 436
    I don't see your deny statement in the config.

    For example:


    ip nat inside source list NATED interface fasx/x overload

    ip access-list extended NATED
     deny ip host 172.26.1.1 host 10.50.50.117
     deny ip host 172.26.1.1 host 10.50.50.102
     permit ip 172.26.1.0 0.0.0.255 any

    Otherwise it's going to try to NAT the traffic on the VPN.
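The two checks raised in this thread, jason_lunde's point that the crypto ACLs have to be exact mirrors of each other and ilcram19-2's point that the NAT ACL has to deny the tunnel traffic ahead of any permit, as an added example that is not code from the thread or from Cisco. It parses IOS-style `permit|deny ip` lines (host, wildcard or any, with or without `show access-list` sequence numbers and match counts), reports local crypto entries the peer does not mirror, and reports crypto flows that a NAT permit would translate before encryption. PEER_CRYPTO_ACL is an assumption: it is burbankmarc's guess at the far side (172.26.1.0/29 to 10.50.50.0/24), not a config anyone posted; the NAT ACL is constructed from the one posted in the thread with the suggested deny added.

```python
"""Two phase 2 checks for a Cisco IOS site-to-site crypto config: are the crypto
ACLs mirror images of each other, and does the NAT ACL exempt the tunnel traffic?
Added example, not code from the thread or from Cisco. The ACL text is constructed
from the posts; PEER_CRYPTO_ACL is an assumption (what the far side is believed to
carry), not a config anyone posted."""
import ipaddress
import re
from typing import List, Tuple

Net = ipaddress.IPv4Network
Entry = Tuple[str, Net, Net]  # (action, source, destination)
MATCH_COUNT = re.compile(r"\(\d+ match(?:es)?\)?$")  # "(8 matches)" or the cut-off "(57 matches"

LOCAL_CRYPTO_ACL = """
permit ip host 172.26.1.1 host 10.50.50.117
permit ip host 172.26.1.1 host 10.50.50.102
"""
PEER_CRYPTO_ACL = "permit ip 172.26.1.0 0.0.0.7 10.50.50.0 0.0.0.255"  # assumed far side
MIRRORED_PEER_ACL = """
permit ip host 10.50.50.117 host 172.26.1.1
permit ip host 10.50.50.102 host 172.26.1.1
"""
NAT_ACL = """
Extended IP access list crypto-nat
    1 deny ip host 172.26.1.1 host 10.50.50.102
    10 permit ip host 172.16.1.35 host 10.50.50.117
    40 permit ip host 100.100.100.1 host 10.50.50.117 (8 matches)
    50 permit ip host 100.100.100.1 host 10.50.50.102 (57 matches
"""
NAT_ACL_NO_EXEMPT = "permit ip host 172.26.1.1 any"  # the failing shape: no deny ahead of it


def wildcard_to_net(addr: str, wildcard: str) -> Net:
    """IOS wildcard (0.0.0.255) -> CIDR. Non-contiguous wildcards are rejected."""
    w = int(ipaddress.IPv4Address(wildcard))
    if w & (w + 1):
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return Net(f"{addr}/{32 - w.bit_length()}", strict=False)


def parse_addr(tok: List[str], i: int) -> Tuple[Net, int]:
    """One address spec at tok[i]: 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'."""
    if tok[i] == "any":
        return Net("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return Net(f"{tok[i + 1]}/32"), i + 2
    return wildcard_to_net(tok[i], tok[i + 1]), i + 2


def parse_acl(text: str) -> List[Entry]:
    """Parse 'permit|deny ip <src> <dst>' lines; sequence numbers, match counts and
    'Extended IP access list ...' headers from show output are tolerated."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        tok = MATCH_COUNT.sub("", raw.strip()).split()
        if tok and tok[0].isdigit():      # 'show access-list' sequence number
            tok = tok[1:]
        if not tok or tok[0] not in ("permit", "deny"):
            continue
        if tok[1] != "ip":
            raise ValueError(f"only 'ip' entries handled: {raw!r}")
        src, i = parse_addr(tok, 2)
        dst, _ = parse_addr(tok, i)
        entries.append((tok[0], src, dst))
    return entries


def unmirrored(local: List[Entry], peer: List[Entry]) -> List[Entry]:
    """Local permits with no exact reverse permit on the peer; these are the proxy
    identities quick mode proposes, so they are the ones to compare with the far side."""
    peer_flows = {(s, d) for act, s, d in peer if act == "permit"}
    return [e for e in local if e[0] == "permit" and (e[2], e[1]) not in peer_flows]


def nat_decision(nat_acl: List[Entry], src: Net, dst: Net) -> str:
    """First-match walk of the NAT ACL for one flow: 'translate', 'exempt' or
    'no-match' (implicit deny, so not translated). Any overlap counts as a hit."""
    for act, s, d in nat_acl:
        if src.overlaps(s) and dst.overlaps(d):
            return "translate" if act == "permit" else "exempt"
    return "no-match"


def nat_leaks(crypto_acl: List[Entry], nat_acl: List[Entry]) -> List[Entry]:
    """Crypto-ACL flows a NAT permit would rewrite before the crypto map sees them."""
    return [e for e in crypto_acl
            if e[0] == "permit" and nat_decision(nat_acl, e[1], e[2]) == "translate"]


def report(local_txt: str, peer_txt: str, nat_txt: str) -> List[str]:
    local, peer, nat = parse_acl(local_txt), parse_acl(peer_txt), parse_acl(nat_txt)
    findings = [f"not mirrored on peer: {s} -> {d}" for _, s, d in unmirrored(local, peer)]
    findings += [f"NATed before encryption: {s} -> {d}" for _, s, d in nat_leaks(local, nat)]
    return findings or ["crypto ACL mirrored and exempt from NAT"]


if __name__ == "__main__":
    for line in report(LOCAL_CRYPTO_ACL, PEER_CRYPTO_ACL, NAT_ACL):
        print(line)
```

Run as posted it flags both local entries as unmirrored against the assumed /29-to-/24 peer ACL and finds no NAT leak; swap in NAT_ACL_NO_EXEMPT and both flows are reported as translated before encryption. One caveat on this particular setup: the translation from 100.100.100.1 to 172.26.1.1 is deliberate and IOS performs inside-to-outside NAT before the crypto map is evaluated, so the crypto ACL is correctly written in post-NAT addresses; what the NAT check guards against is a further permit that would rewrite 172.26.1.1 itself.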
  • burbankmarc Member Posts: 460
    Here's my NAT ACL:
    do sh access-l crypto-nat
    Extended IP access list crypto-nat
        10 permit ip host 172.16.1.35 host 10.50.50.117
        40 permit ip host 100.100.100.1 host 10.50.50.117 (8 matches)
        50 permit ip host 100.100.100.1 host 10.50.50.102 (57 matches)
    
  • ilcram19-2 Banned Posts: 436
    burbankmarc wrote: »
    Here you are:
    ------------PHASE1 looks ok--------------------------------------
    crypto isakmp policy 2
     encr 3des
     authentication pre-share
     group 2
     lifetime 3600
    crypto isakmp key KEY address a.b.c.d
    -----------------------------------------------------------
    ======phase 2================================
    crypto ipsec transform-set transet1 esp-3des esp-sha-hmac <--tunnel mode looks ok
    -------------crypto map looks ok--------------------------------------
    crypto map map1 1 ipsec-isakmp
     set peer a.b.c.d
     set transform-set transet1
     match address crypto-map
    --------------ACL looks OK-------make sure they match or that the traffic you are sending is there
    ip access-list extended crypto-map
     permit ip host 172.26.1.1 host 10.50.50.117
     permit ip host 172.26.1.1 host 10.50.50.102
    ===========interface config looks ok ================
    interface Serial0/0/1:0.1 point-to-point
     ip address w.x.y.z 255.255.255.252
     ip nat outside
     no cdp enable
     crypto map map1
    end
    
    Make sure everything is the same on the other side and that you have your NAT as well.
    

    Looks ok, see the notes.
  • ilcram19-2 Banned Posts: 436
    Here's my NAT ACL:
    do sh access-l crypto-nat
    Extended IP access list crypto-nat
        10 deny ip host 172.16.1.35 host 10.50.50.117
        40 permit ip host 100.100.100.1 host 10.50.50.117 (8 matches)
        50 permit ip host 100.100.100.1 host 10.50.50.102 (57 matches)
    


    That's your problem, you need to deny so the traffic won't be NATed.
  • ilcram19-2 Banned Posts: 436
    Extended IP access list crypto-nat
    1 deny ip host 172.26.1.1 host 10.50.50.117
    2 deny ip host 172.26.1.1 host 10.50.50.102
    10 permit ip host 172.16.1.35 host 10.50.50.117
    40 permit ip host 100.100.100.1 host 10.50.50.117 (8 matches)
    50 permit ip host 100.100.100.1 host 10.50.50.102
  • burbankmarc Member Posts: 460
    ilcram19-2 wrote: »
    That's your problem, you need to deny so the traffic won't be NATed.

    The NAT address is 172.26.1.1; 172.16.35.1 is an internal machine.
  • burbankmarc Member Posts: 460
    ilcram19-2 wrote: »
    Extended IP access list crypto-nat
    1 deny ip host 172.26.1.1 host 10.50.50.117
    2 deny ip host 172.26.1.1 host 10.50.50.102
    10 permit ip host 172.16.1.35 host 10.50.50.117
    40 permit ip host 100.100.100.1 host 10.50.50.117 (8 matches)
    50 permit ip host 100.100.100.1 host 10.50.50.102


    Ok I added that, and here's some output.
    do sh access-l crypto-nat          
    Extended IP access list crypto-nat
        1 deny ip host 172.26.1.1 host 10.50.50.102
        10 permit ip host 172.16.1.35 host 10.50.50.117
        40 permit ip host 100.100.100.1 host 10.50.50.117 (8 matches)
        50 permit ip host 100.100.100.1 host 10.50.50.102 (57 matches)
    rtr1-ches-va(config-ext-nacl)#exit
    rtr1-ches-va(config)#exit
    rtr1-ches-va#ping 10.50.50.102 so l0
    
    rtr1-ches-va#sh crypto isakmp sa
    dst             src             state          conn-id slot status
    a.b.c.d     w.x.y.z  QM_IDLE              1    0 ACTIVE
    
    rtr1-ches-va#sh crypto ipsec sa
    
    interface: Serial0/0/1:0.1
        Crypto map tag: cryptomap1, local addr w.x.y.z
    
       protected vrf: (none)
       local  ident (addr/mask/prot/port): (172.26.1.1/255.255.255.255/0/0)
       remote ident (addr/mask/prot/port): (10.50.50.102/255.255.255.255/0/0)
       current_peer a.b.c.d port 500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
        #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 118, #recv errors 0
    
         local crypto endpt.: w.x.y.z, remote crypto endpt.: a.b.c.d
         path mtu 1500, ip mtu 1500
         current outbound spi: 0x0(0)
    
         inbound esp sas:
    
         inbound ah sas:
    
         inbound pcp sas:
    
         outbound esp sas:
    
         outbound ah sas:
              
         outbound pcp sas:
    
       protected vrf: (none)
       local  ident (addr/mask/prot/port): (172.26.1.1/255.255.255.255/0/0)
       remote ident (addr/mask/prot/port): (10.50.50.117/255.255.255.255/0/0)
       current_peer a.b.c.d port 500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
        #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 9, #recv errors 0
    
         local crypto endpt.: w.x.y.z, remote crypto endpt.: a.b.c.d
         path mtu 1500, ip mtu 1500
         current outbound spi: 0x0(0)
    
         inbound esp sas:
    
         inbound ah sas:
    
         inbound pcp sas:
    
         outbound esp sas:
    
         outbound ah sas:
    
         outbound pcp sas:
    

    Look, some send errors.
  • ilcram19-2ilcram19-2 Banned Posts: 436
The NAT address is 172.26.1.1; 172.16.35.1 is an internal machine.

If that is what you want to go over the tunnel, then that is what needs to be denied.

Here is how it looks on a router for VPN; the local subnet is 10.1.18.0/24
and the remote subnets are 10.1.2.0/24 and 172.29.100.0/27.

    crypto isakmp policy 1
    encr 3des
    authentication pre-share
    group 2
    lifetime 28800

    crypto isakmp key xxxxxx address xxxxx


    crypto map hhpmaps 1 ipsec-isakmp
    set peer xxxxxxx
    set transform-set USA-Tunnels
    match address houston-hhp
    qos pre-classify

    Extended IP access list houston-hhp
    10 permit ip 10.1.18.0 0.0.0.255 10.1.2.0 0.0.0.255 (9215321 matches)
    20 permit ip 10.1.18.0 0.0.0.255 172.29.100.0 0.0.0.31 (8513 matches)


    interface FastEthernet0/0
    description "To WAN"
    ip address xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    ip nbar protocol-discovery
    ip flow ingress
    ip flow egress
    ip nat outside
    ip virtual-reassembly
    zone-member security internet
    load-interval 30
    duplex auto
    speed auto
crypto map hhpmaps

Look at the ACLs:
deny local to destination as shown below.


    Extended IP access list NATED
    10 deny ip 10.1.18.0 0.0.0.255 172.29.100.0 0.0.0.31 (8764 matches)
    20 deny ip 10.1.18.0 0.0.0.255 10.1.2.0 0.0.0.255 (10217928 matches)
    30 deny ip 10.1.18.0 0.0.0.255 192.168.2.0 0.0.0.255
    40 permit ip 10.1.18.0 0.0.0.255 any (11811 matches)
    50 permit ip 10.33.3.128 0.0.0.127 any (1668 matches)
    60 permit ip 10.33.3.0 0.0.0.127 any (28215 matches)

    ip nat inside source list NATED interface FastEthernet0/0 overload
  • ilcram19-2ilcram19-2 Banned Posts: 436
Your phase 1 (ISAKMP) is OK; it's your phase 2 (IPsec) that seems to be the issue.
  • SysAdmin4066SysAdmin4066 Member Posts: 443
Not so great with the NAT statements, so I'll take my bow lol. I think you're in good hands now, I'll sit back and observe unless needed. You really should get the other guy's config though, because if his is incorrect you still won't pass traffic. For instance, if his ACL is wrong, yours could be correct and still not work.
    In Progress: CCIE R&S Written Scheduled July 17th (Tentative)

    Next Up: CCIE R&S Lab
  • ilcram19-2ilcram19-2 Banned Posts: 436
Just practice, this is actually pretty easy. I've set up thousands of IPsec tunnels, but I don't really do them anymore; I'd rather do GRE/IPsec, they allow me to do more things: routing, QoS, etc.
  • SysAdmin4066SysAdmin4066 Member Posts: 443
Same here ilcram, the only time I've done just IPsec is for the ISCW. Everything real world for me has been secure GRE.

The ACL is simplified using GRE tunnels as well. You don't have to account for anything but the GRE traffic in your interesting traffic.
  • SysAdmin4066SysAdmin4066 Member Posts: 443
    Ok, so I would bet a dollar (times are tough!) that your buddy on the other side's ACL is incorrect. I labbed this real quick and dirty and when I configured both sides correctly, I got a tunnel, nice and clean.

    Then I cleared session on both sides, changed the acl to something incorrect (I left the correct source, but gave a bogus destination) and tried to generate some interesting traffic. This resulted in phase 1 completion, but no phase 2, thus no traffic was able to pass. It is most likely the ACL on the other side is incorrect.
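An added example, not posted by anyone in this thread, that checks the two ACL relationships the replies above rely on: ilcram19-2's point that the NAT ACL must deny the crypto-ACL traffic ahead of its permit (otherwise it is translated before encryption and never matches the crypto map), and SysAdmin4066's lab result that a peer whose crypto ACL is not the mirror image of yours completes phase 1 but never builds phase 2. CRYPTO and NAT_GOOD are taken from the houston-hhp and NATED lists above; NAT_BAD and REMOTE_BAD are constructed to show the two failure cases.

```python
import ipaddress
import re

# One IOS extended ACL entry, e.g. "40 permit ip 10.1.18.0 0.0.0.255 any (11811 matches)"
ENTRY = re.compile(r"^\s*(?:\d+\s+)?(permit|deny)\s+ip\s+(.*?)\s*(?:\(\d+ matches\))?\s*$")

def _network(tokens):
    """Consume one operand: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    wild = int(ipaddress.ip_address(tokens.pop(0)))  # Cisco wildcard = inverted netmask
    return ipaddress.ip_network(f"{t}/{ipaddress.ip_address(wild ^ 0xFFFFFFFF)}", strict=False)

def parse_acl(text):
    """Return [(action, src_net, dst_net)]; 'Extended IP access list' headers are skipped."""
    entries = []
    for line in text.strip().splitlines():
        m = ENTRY.match(line)
        if m:
            rest = m.group(2).split()
            entries.append((m.group(1), _network(rest), _network(rest)))
    return entries

def acl_action(entries, src, dst):
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return next((a for a, sn, dn in entries if s in sn and d in dn), "deny")

def nat_leaks(crypto_acl, nat_acl):
    """Crypto-ACL flows the NAT ACL would still translate (sampled by each entry's first host)."""
    nat = parse_acl(nat_acl)
    return [(str(sn), str(dn)) for a, sn, dn in parse_acl(crypto_acl)
            if a == "permit" and acl_action(nat, sn[0], dn[0]) == "permit"]

def mirror_mismatch(local_crypto, remote_crypto):
    """Permit entries on either peer that the other side does not mirror with src/dst swapped."""
    local = {(str(s), str(d)) for a, s, d in parse_acl(local_crypto) if a == "permit"}
    remote = {(str(d), str(s)) for a, s, d in parse_acl(remote_crypto) if a == "permit"}
    return sorted(local ^ remote)

# Sample input: CRYPTO/NAT_GOOD from the thread; NAT_BAD and REMOTE_BAD are constructed
CRYPTO = """10 permit ip 10.1.18.0 0.0.0.255 10.1.2.0 0.0.0.255
20 permit ip 10.1.18.0 0.0.0.255 172.29.100.0 0.0.0.31"""
NAT_GOOD = """10 deny ip 10.1.18.0 0.0.0.255 172.29.100.0 0.0.0.31 (8764 matches)
20 deny ip 10.1.18.0 0.0.0.255 10.1.2.0 0.0.0.255
40 permit ip 10.1.18.0 0.0.0.255 any"""
NAT_BAD = "40 permit ip 10.1.18.0 0.0.0.255 any"  # deny lines forgotten: tunnel traffic gets NATed
REMOTE_BAD = """10 permit ip 10.1.2.0 0.0.0.255 10.1.18.0 0.0.0.255
20 permit ip 172.29.100.0 0.0.0.31 10.1.19.0 0.0.0.255"""  # bogus destination on the peer
```

nat_leaks(CRYPTO, NAT_GOOD) is empty, nat_leaks(CRYPTO, NAT_BAD) lists both tunnel flows, and mirror_mismatch(CRYPTO, REMOTE_BAD) reports the 172.29.100.0/27 entry the peer got wrong.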
  • SysAdmin4066SysAdmin4066 Member Posts: 443
    Any resolution on this?