Quantcast
Channel: IEOC - INE's Online Community
Viewing all articles
Browse latest Browse all 10744

IPSec install failed

$
0
0

Hi,

With the lab IPSec VPNs with Crypto Maps I run into a problem which I think it's a software bug. Phase 1 completes and it looks like phase 2 also completes, but it's not encap and decap packets. When I look on R8 (the receiving site) I see an error messages coming "IPSEC INSTALL FAILED". I was wondering if you guys already run into this problem?

This is config of R7:
crypto isakmp policy 10
  encr aes 256
  hash sha512
  authentication pre-share
  group 24
!
crypto isakmp key CISCO address 155.1.58.8    
crypto ipsec transform-set AES192-SHA384 esp-aes 192 esp-sha384-hmac
  mode tunnel
!
crypto map R7_TO_R8 local-address Loopback0
!
crypto map R7_TO_R8 10 ipsec-isakmp
 set peer 155.1.58.8
 set transform-set AES192-SHA384
 match address R9_TO_R10
!
ip access-list extended R9_TO_R10
  permit ip host 150.1.9.9 host 150.1.10.10
  permit ip host 150.1.9.9 155.1.10.0 0.0.0.255
  permit ip 155.1.9.0 0.0.0.255 host 150.1.10.10
  permit ip 155.1.9.0 0.0.0.255 155.1.10.0 0.0.0.255

The config of R8:
crypto isakmp policy 10
  encr aes 256
  hash sha512
  authentication pre-share
  group 24
!
crypto isakmp key CISCO address 150.1.7.7      
!
crypto ipsec transform-set AES192-SHA384 esp-aes 192 esp-sha384-hmac
  mode tunnel
!
crypto map R7_TO_R8 10 ipsec-isakmp
  set peer 150.1.7.7
  set transform-set AES192-SHA384
  match address R10_TO_R9
!
ip access-list extended R10_TO_R9
  permit ip host 150.1.10.10 host 150.1.9.9
  permit ip host 150.1.10.10 155.1.9.0 0.0.0.255
  permit ip 155.1.10.0 0.0.0.255 host 150.1.9.9
  permit ip 155.1.10.0 0.0.0.255 155.1.9.0 0.0.0.255

The debug at R7 of debug crypto iskamp and debug crypto ipsec:

IPSEC(sa_request): ,

  (key eng. msg.) OUTBOUND local= 150.1.7.7:500, remote= 155.1.58.8:500,

    local_proxy= 150.1.9.9/255.255.255.255/256/0,

    remote_proxy= 150.1.10.10/255.255.255.255/256/0,

    protocol= ESP, transform= esp-aes 192 esp-sha384-hmac  (Tunnel), 

    lifedur= 3600s and 4608000kb, 

    spi= 0x0(0), conn_id= 0, keysize= 192, flags= 0x0

ISAKMP:(0): SA request profile is (NULL)

ISAKMP: Created a peer struct for 155.1.58.8, peer port 500

ISAKMP: New peer created peer = 0x7FE9CAC8A

R7#248 peer_handle = 0x80000002

ISAKMP: Locking peer struct 0x7FE9CAC8A248, refcount 1 for isakmp_initiator

ISAKMP: local port 500, remote port 500

ISAKMP: set new node 0 to QM_IDLE      

ISAKMP:(0):insert sa successfully sa = 7FE9CAC89518

ISAKMP:(0):Can not start Aggressive mode, trying Main mode.

ISAKMP:(0):found peer pre-shared key matching 155.1.58.8

ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID

ISAKMP:(0): constructed NAT-T vendor-07 ID

ISAKMP:(0): constructed NAT-T vendor-03 ID

ISAKMP:(0): c

R7#onstructed NAT-T vendor-02 ID

ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM

ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1 

 

ISAKMP:(0): beginning Main Mode exchange

ISAKMP:(0): sending packet to 155.1.58.8 my_port 500 peer_port 500 (I) MM_NO_STATE

ISAKMP:(0):Sending an IKE IPv4 Packet.

ISAKMP (0): received packet from 155.1.58.8 dport 500 sport 500 Global (I) MM_NO_STATE

ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2 

R7#

ISAKMP:(0): processing SA payload. message ID = 0

ISAKMP:(0): processing vendor id payload

ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch

ISAKMP (0): vendor ID is NAT-T RFC 3947

ISAKMP:(0):found peer pre-shared key matching 155.1.58.8

ISAKMP:(0): local preshared key found

ISAKMP : Scanning profiles for xauth ...

ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy

ISAKMP:      encryption AES-CBC

ISAKMP:      keylength of 256

ISAKMP:      hash SHA512

ISAKMP:      defau

R7#lt group 24

ISAKMP:      auth pre-share

ISAKMP:      life type in seconds

ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80 

ISAKMP:(0):atts are acceptable. Next payload is 0

ISAKMP:(0):Acceptable atts:actual life: 0

ISAKMP:(0):Acceptable atts:life: 0

ISAKMP:(0):Fill atts in sa vpi_length:4

ISAKMP:(0):Fill atts in sa life_in_seconds:86400

ISAKMP:(0):Returning Actual lifetime: 86400

ISAKMP:(0)::Started lifetime timer: 86400.

 

ISAKMP:(0): processing vendor id payload

ISAKMP:(0): vendor ID s

R7#eems Unity/DPD but major 69 mismatch

ISAKMP (0): vendor ID is NAT-T RFC 3947

ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2 

 

ISAKMP:(0): sending packet to 155.1.58.8 my_port 500 peer_port 500 (I) MM_SA_SETUP

ISAKMP:(0):Sending an IKE IPv4 Packet.

ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3 

 

ISAKMP (0): received packet from 155.1.58.8 dport 500 sport 500 Glo

R7#bal (I) MM_SA_SETUP

ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4 

 

ISAKMP:(0): processing KE payload. message ID = 0

ISAKMP:(0): processing NONCE payload. message ID = 0

ISAKMP:(0):found peer pre-shared key matching 155.1.58.8

ISAKMP:(1001): processing vendor id payload

ISAKMP:(1001): vendor ID is Unity

ISAKMP:(1001): processing vendor id payload

ISAKMP:(1001): vendor ID is DPD

ISAKMP:(1001): processing vendor id payload

ISAKMP:(1001

R7#): speaking to another IOS box!

ISAKMP:received payload type 20

ISAKMP (1001): His hash no match - this node outside NAT

ISAKMP:received payload type 20

ISAKMP (1001): No NAT Found for self or peer

ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

ISAKMP:(1001):Old State = IKE_I_MM4  New State = IKE_I_MM4 

 

ISAKMP:(1001):Send initial contact

ISAKMP:(1001):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR

ISAKMP (1001): ID payload 

        next-payload : 8

        type         

R7#: 1 

        address      : 150.1.7.7 

        protocol     : 17 

        port         : 500 

        length       : 12

ISAKMP:(1001):Total payload length: 12

ISAKMP:(1001): sending packet to 155.1.58.8 my_port 500 peer_port 500 (I) MM_KEY_EXCH

ISAKMP:(1001):Sending an IKE IPv4 Packet.

ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

ISAKMP:(1001):Old State = IKE_I_MM4  New State = IKE_I_MM5 

 

ISAKMP (1001): received packet from 155.1.58.8 dport 500 sport 500 Global (I) MM_KEY_EXCH

ISAKMP:(1001): processing I

R7#D payload. message ID = 0

ISAKMP (1001): ID payload 

        next-payload : 8

        type         : 1 

        address      : 155.1.58.8 

        protocol     : 17 

        port         : 500 

        length       : 12

ISAKMP:(0):: peer matches *none* of the profiles

ISAKMP:(1001): processing HASH payload. message ID = 0

ISAKMP:(1001):SA authentication status:

        authenticated

ISAKMP:(1001):SA has been authenticated with 155.1.58.8

ISAKMP: Trying to insert a peer 150.1.7.7/155.1.58.8/500/,  and inserted successfully 7FE9CAC8A248.

ISAK

R7#MP:(1001):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

ISAKMP:(1001):Old State = IKE_I_MM5  New State = IKE_I_MM6 

 

ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

ISAKMP:(1001):Old State = IKE_I_MM6  New State = IKE_I_MM6 

 

ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

ISAKMP:(1001):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE 

 

ISAKMP:(1001):beginning Quick Mode exchange, M-ID of 2153222787

ISAKMP:(1001):QM Initiator gets spi

ISAKMP:(1001): sending packet to 155

R7#.1.58.8 my_port 500 peer_port 500 (I) QM_IDLE      

ISAKMP:(1001):Sending an IKE IPv4 Packet.

ISAKMP:(1001):Node 2153222787, Input = IKE_MESG_INTERNAL, IKE_INIT_QM

ISAKMP:(1001):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1

ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE

ISAKMP:(1001):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE 

 

ISAKMP (1001): received packet from 155.1.58.8 dport 500 sport 500 Global (I) QM_IDLE      

ISAKMP: set new node 1506800099 to QM_IDLE      

R7#

ISAKMP:(1001): processing HASH payload. message ID = 1506800099

ISAKMP:(1001): processing DELETE payload. message ID = 1506800099

ISAKMP:(1001):peer does not do paranoid keepalives.

 

ISAKMP:(1001):deleting node 1506800099 error FALSE reason "Informational (in) state 1"

IPSEC(key_engine): got a queue event with 1 KMI message(s)

IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP

IPSEC: still in use sa: 0x0

IPSEC: sa null

ISAKMP:(1001): retransmitting phase 2 QM_IDLE       2153222787 ...

R7#

ISAKMP (1001): incrementing error counter on node, attempt 1 of 5: retransmit phase 2

ISAKMP (1001): incrementing error counter on sa, attempt 1 of 5: retransmit phase 2

ISAKMP:(1001): retransmitting phase 2 2153222787 QM_IDLE      

ISAKMP:(1001): sending packet to 155.1.58.8 my_port 500 peer_port 500 (I) QM_IDLE      

ISAKMP:(1001):Sending an IKE IPv4 Packet.

R7#

ISAKMP:(1001): retransmitting phase 2 QM_IDLE       2153222787 ...

ISAKMP (1001): incrementing error counter on node, attempt 2 of 5: retransmit phase 2

ISAKMP (1001): incrementing error counter on sa, attempt 2 of 5: retransmit phase 2

ISAKMP:(1001): retransmitting phase 2 2153222787 QM_IDLE      

ISAKMP:(1001): sending packet to 155.1.58.8 my_port 500 peer_port 500 (I) QM_IDLE      

ISAKMP:(1001):Sending an IKE IPv4 Packet.

The debug of R8 with debug crypto isakmp and debug crypto ipsec:

ISAKMP (0): received packet from 150.1.7.7 dport 500 sport 500 Global (N) NEW SA

ISAKMP: Created a peer struct for 150.1.7.7, peer port 500

ISAKMP: New peer created peer = 0x7FEA3210C608 peer_handle = 0x80000002

ISAKMP: Locking peer struct 0x7FEA3210C608, refcount 1 for crypto_isakmp_process_block

ISAKMP: local port 500, remote port 500

ISAKMP:(0):insert sa successfully sa = 7FEA3210B8D8

ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_MM1 

 

 

R8#ISAKMP:(0): processing SA payload. message ID = 0

ISAKMP:(0): processing vendor id payload

ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch

ISAKMP (0): vendor ID is NAT-T RFC 3947

ISAKMP:(0): processing vendor id payload

ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch

ISAKMP (0): vendor ID is NAT-T v7

ISAKMP:(0): processing vendor id payload

ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch

ISAKMP:(0): vendor ID is NAT-T v3

ISAKMP:(0): processing vendor id paylo

R8#ad

ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch

ISAKMP:(0): vendor ID is NAT-T v2

ISAKMP:(0):found peer pre-shared key matching 150.1.7.7

ISAKMP:(0): local preshared key found

ISAKMP : Scanning profiles for xauth ...

ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy

ISAKMP:      encryption AES-CBC

ISAKMP:      keylength of 256

ISAKMP:      hash SHA512

ISAKMP:      default group 24

ISAKMP:      auth pre-share

ISAKMP:      life type in seconds

ISAKMP:      life du

R8#ration (VPI) of  0x0 0x1 0x51 0x80 

ISAKMP:(0):atts are acceptable. Next payload is 0

ISAKMP:(0):Acceptable atts:actual life: 0

ISAKMP:(0):Acceptable atts:life: 0

ISAKMP:(0):Fill atts in sa vpi_length:4

ISAKMP:(0):Fill atts in sa life_in_seconds:86400

ISAKMP:(0):Returning Actual lifetime: 86400

ISAKMP:(0)::Started lifetime timer: 86400.

 

ISAKMP:(0): processing vendor id payload

ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch

ISAKMP (0): vendor ID is NAT-T RFC 3947

ISAKMP:(0): proces

R8#sing vendor id payload

ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch

ISAKMP (0): vendor ID is NAT-T v7

ISAKMP:(0): processing vendor id payload

ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch

ISAKMP:(0): vendor ID is NAT-T v3

ISAKMP:(0): processing vendor id payload

ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch

ISAKMP:(0): vendor ID is NAT-T v2

ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R

R8#_MM1 

 

ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID

ISAKMP:(0): sending packet to 150.1.7.7 my_port 500 peer_port 500 (R) MM_SA_SETUP

ISAKMP:(0):Sending an IKE IPv4 Packet.

ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM2 

 

ISAKMP (0): received packet from 150.1.7.7 dport 500 sport 500 Global (R) MM_SA_SETUP

ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

ISAKMP:(0):Old State = IKE_R_MM2  New State = IKE_R_MM3 

 

ISAKMP:(0):

R8# processing KE payload. message ID = 0

ISAKMP:(0): processing NONCE payload. message ID = 0

ISAKMP:(0):found peer pre-shared key matching 150.1.7.7

ISAKMP:(1001): processing vendor id payload

ISAKMP:(1001): vendor ID is DPD

ISAKMP:(1001): processing vendor id payload

ISAKMP:(1001): speaking to another IOS box!

ISAKMP:(1001): processing vendor id payload

ISAKMP:(1001): vendor ID seems Unity/DPD but major 28 mismatch

ISAKMP:(1001): vendor ID is XAUTH

ISAKMP:received payload type 20

ISAKMP (1001): 

R8#His hash no match - this node outside NAT

ISAKMP:received payload type 20

ISAKMP (1001): No NAT Found for self or peer

ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

ISAKMP:(1001):Old State = IKE_R_MM3  New State = IKE_R_MM3 

 

ISAKMP:(1001): sending packet to 150.1.7.7 my_port 500 peer_port 500 (R) MM_KEY_EXCH

ISAKMP:(1001):Sending an IKE IPv4 Packet.

ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

ISAKMP:(1001):Old State = IKE_R_MM3  New State = IKE_R_MM4 

 

ISAKMP 

R8#(1001): received packet from 150.1.7.7 dport 500 sport 500 Global (R) MM_KEY_EXCH

ISAKMP:(1001):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

ISAKMP:(1001):Old State = IKE_R_MM4  New State = IKE_R_MM5 

 

ISAKMP:(1001): processing ID payload. message ID = 0

ISAKMP (1001): ID payload 

        next-payload : 8

        type         : 1 

        address      : 150.1.7.7 

        protocol     : 17 

        port         : 500 

        length       : 12

ISAKMP:(0):: peer matches *none* of the profiles

ISAKMP:(1001): processing HASH payload. message 

R8#ID = 0

ISAKMP:(1001): processing NOTIFY INITIAL_CONTACT protocol 1

        spi 0, message ID = 0, sa = 0x7FEA3210B8D8

ISAKMP:(1001):SA authentication status:

        authenticated

ISAKMP:(1001):SA has been authenticated with 150.1.7.7

ISAKMP:(1001):SA authentication status:

        authenticated

ISAKMP:(1001): Process initial contact,

bring down existing phase 1 and 2 SA's with local 155.1.58.8 remote 150.1.7.7 remote port 500

ISAKMP: Trying to insert a peer 155.1.58.8/150.1.7.7/500/,  and inserted successfully 7FEA3

R8#210C608.

ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

ISAKMP:(1001):Old State = IKE_R_MM5  New State = IKE_R_MM5 

 

IPSEC(key_engine): got a queue event with 1 KMI message(s)

ISAKMP:(1001):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR

ISAKMP (1001): ID payload 

        next-payload : 8

        type         : 1 

        address      : 155.1.58.8 

        protocol     : 17 

        port         : 500 

        length       : 12

ISAKMP:(1001):Total payload length: 12

ISAKMP:(1001): sending packet t

R8#o 150.1.7.7 my_port 500 peer_port 500 (R) MM_KEY_EXCH

ISAKMP:(1001):Sending an IKE IPv4 Packet.

ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

ISAKMP:(1001):Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE 

 

ISAKMP:(1001):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE

ISAKMP:(1001):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE 

 

ISAKMP (1001): received packet from 150.1.7.7 dport 500 sport 500 Global (R) QM_IDLE      

ISAKMP: set new node 2153222787 to QM_IDLE      

IS

R8#AKMP:(1001): processing HASH payload. message ID = 2153222787

ISAKMP:(1001): processing SA payload. message ID = 2153222787

ISAKMP:(1001):Checking IPSec proposal 1

ISAKMP: transform 1, ESP_AES 

ISAKMP:   attributes in transform:

ISAKMP:      encaps is 1 (Tunnel)

ISAKMP:      SA life type in seconds

ISAKMP:      SA life duration (basic) of 3600

ISAKMP:      SA life type in kilobytes

ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0 

ISAKMP:      authenticator is HMAC-SHA384

ISAKMP:      k

R8#ey length is 192

ISAKMP:(1001):atts are acceptable.

IPSEC(validate_proposal_request): proposal part #1

IPSEC(validate_proposal_request): proposal part #1,

  (key eng. msg.) INBOUND local= 155.1.58.8:0, remote= 150.1.7.7:0,

    local_proxy= 150.1.10.10/255.255.255.255/256/0,

    remote_proxy= 150.1.9.9/255.255.255.255/256/0,

    protocol= ESP, transform= NONE  (Tunnel), 

    lifedur= 0s and 0kb, 

    spi= 0x0(0), conn_id= 0, keysize= 192, flags= 0x0

Crypto mapdb : proxy_match

        src addr     : 150.

R8#1.10.10

        dst addr     : 150.1.9.9

        protocol     : 0

        src port     : 0

        dst port     : 0

ISAKMP:(1001): processing NONCE payload. message ID = 2153222787

ISAKMP:(1001): processing ID payload. message ID = 2153222787

ISAKMP:(1001): processing ID payload. message ID = 2153222787

ISAKMP:(1001):QM Responder gets spi

ISAKMP:(1001):Node 2153222787, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH

ISAKMP:(1001):Old State = IKE_QM_READY  New State = IKE_QM_SPI_STARVE

ISAKMP:(1001):Node 2153222787, Input = IKE_MES

R8#G_INTERNAL, IKE_GOT_SPI

ISAKMP:(1001):Old State = IKE_QM_SPI_STARVE  New State = IKE_QM_IPSEC_INSTALL_AWAIT

IPSEC(key_engine): got a queue event with 1 KMI message(s)

Crypto mapdb : proxy_match

        src addr     : 150.1.10.10

        dst addr     : 150.1.9.9

        protocol     : 256

        src port     : 0

        dst port     : 0

IPSEC(crypto_ipsec_create_ipsec_sas): Map found R7_TO_R8

IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and peer 150.1.7.7

IPSEC(create_sa): sa created,

  (sa) sa_dest

R8#= 155.1.58.8, sa_proto= 50, 

    sa_spi= 0xD28A2492(3532268690), 

    sa_trans= esp-aes 192 esp-sha384-hmac , sa_conn_id= 1

    sa_lifetime(k/sec)= (4608000/3600)

IPSEC(create_sa): sa created,

  (sa) sa_dest= 150.1.7.7, sa_proto= 50, 

    sa_spi= 0xCA742492(3396609170), 

    sa_trans= esp-aes 192 esp-sha384-hmac , sa_conn_id= 2

    sa_lifetime(k/sec)= (4608000/3600)

 ISAKMP: Failed to find peer index node to update peer_info_list

IPSEC(send_delete_notify_kmi): Inbound/outbound installation failed

R8#, not sending DECR

IPSEC(update_current_outbound_sa): updated peer 150.1.7.7 current outbound sa to SPI 0

IPSEC(delete_sa): deleting SA,

  (sa) sa_dest= 155.1.58.8, sa_proto= 50, 

    sa_spi= 0xD28A2492(3532268690), 

    sa_trans= esp-aes 192 esp-sha384-hmac , sa_conn_id= 1

    sa_lifetime(k/sec)= (4608000/3600),

  (identity) local= 155.1.58.8:0, remote= 150.1.7.7:0,

    local_proxy= 150.1.10.10/255.255.255.255/256/0,

    remote_proxy= 150.1.9.9/255.255.255.255/256/0

IPSEC(delete_sa): SA found sa

R8#ving DEL kmi

IPSEC(delete_sa): deleting SA,

  (sa) sa_dest= 150.1.7.7, sa_proto= 50, 

    sa_spi= 0xCA742492(3396609170), 

    sa_trans= esp-aes 192 esp-sha384-hmac , sa_conn_id= 2

    sa_lifetime(k/sec)= (4608000/3600),

  (identity) local= 155.1.58.8:0, remote= 150.1.7.7:0,

    local_proxy= 150.1.10.10/255.255.255.255/256/0,

    remote_proxy= 150.1.9.9/255.255.255.255/256/0

IPSEC(send_delete_notify_kmi): not sending KEY_ENG_NOTIFY_DECR_COUNT

IPSEC(ident_send_delete_notify_kmi): not in msg contex

R8#t Ident Delete SA msg: 0

ISAKMP:(1001):IPSec Installation failed...

ISAKMP:(1001):deleting node 2153222787 error TRUE reason "IPSEC install failed"

ISAKMP: set new node 1506800099 to QM_IDLE      

ISAKMP:(1001): sending packet to 150.1.7.7 my_port 500 peer_port 500 (R) QM_IDLE      

ISAKMP:(1001):Sending an IKE IPv4 Packet.

ISAKMP:(1001):purging node 1506800099

ISAKMP:(1001):Input = IKE_MESG_FROM_IPSEC, IKE_PHASE2_DEL

ISAKMP:(1001):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE 

 

ISAKMP

R8# (1001): received packet from 150.1.7.7 dport 500 sport 500 Global (R) QM_IDLE      

ISAKMP:(1001): phase 2 packet is a duplicate of a previous packet.

ISAKMP:(1001): retransmitting due to retransmit phase 2

ISAKMP:(1001): ignoring retransmission,because phase2 node marked dead 2153222787

R8#

ISAKMP (1001): received packet from 150.1.7.7 dport 500 sport 500 Global (R) QM_IDLE      

ISAKMP:(1001): phase 2 packet is a duplicate of a previous packet.

ISAKMP:(1001): retransmitting due to retransmit phase 2

ISAKMP:(1001): ignoring retransmission,because phase2 node marked dead 2153222787 


Viewing all articles
Browse latest Browse all 10744

Trending Articles