
Table of Contents

Sample Problem Scenarios
Transform Set Mismatch; Tunnel Initiated From CE1
Access-list Mismatch; Tunnel Initiated From CE1
Key Mismatch; Tunnel Initiated From CE1
ISAKMP Policy Mismatch; Tunnel Initiated From CE1
Crypto Map Not Applied; Tunnel Initiated from CE1
Missing SAs
Transform and Proposal Mismatch

Sample Problem Scenarios


This appendix contains the following sample problem scenarios:

Transform Set Mismatch; Tunnel Initiated From CE1

TRANSFORM SET ON CE1:
crypto ipsec transform-set myset esp-des esp-md5-hmac
TRANSFORM SET ON CE2:
crypto ipsec transform-set myset ah-md5-hmac esp-des
DEBUGS ON CE1:
00:27:07: IPSEC(sa_request): ,
(key eng. msg.) src= 10.15.58.10, dest= 10.15.58.38,
src_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
dest_proxy= 192.168.2.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-des esp-md5-hmac ,
lifedur= 3600s and 4608000kb,
spi= 0x5AE6C721(1525073697), conn_id= 0, keysize= 0, flags= 0x4004
00:27:07: ISAKMP: received ke message (1/1)
00:27:07: ISAKMP: local port 500, remote port 500
00:27:07: ISAKMP (0:2): beginning Main Mode exchange
00:27:07: ISAKMP (0:2): sending packet to 10.15.58.38 (I) MM_NO_STATE
00:27:07: ISAKMP (0:2): received packet from 10.15.58.38 (I) MM_NO_STATE
00:27:07: ISAKMP (0:2): processing SA payload. message ID = 0
00:27:07: ISAKMP (0:2): found peer pre-shared key matching 10.15.58.38
00:27:07: ISAKMP (0:2): Checking ISAKMP transform 1 against priority 10 policy
00:27:07: ISAKMP: encryption DES-CBC
00:27:07: ISAKMP: hash MD5
00:27:07: ISAKMP: default group 1
00:27:07: ISAKMP: auth pre-share
00:27:07: ISAKMP (0:2): atts are acceptable. Next payload is 0
00:27:07: CryptoEngine0: generate alg parameter
00:27:07: CRYPTO_ENGINE: Dh phase 1 status: 0
00:27:07: CRYPTO_ENGINE: Dh phase 1 status: 0
00:27:07: ISAKMP (0:2): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
00:27:07: ISAKMP (0:2): sending packet to 10.15.58.38 (I) MM_SA_SETUP
00:27:07: ISAKMP (0:2): received packet from 10.15.58.38 (I) MM_SA_SETUP
00:27:07: ISAKMP (0:2): processing KE payload. message ID = 0
00:27:07: CryptoEngine0: generate alg parameter
00:27:07: ISAKMP (0:2): processing NONCE payload. message ID = 0
00:27:07: ISAKMP (0:2): found peer pre-shared key matching 10.15.58.38
00:27:07: CryptoEngine0: create ISAKMP SKEYID for conn id 2
00:27:07: ISAKMP (0:2): SKEYID state generated
00:27:07: ISAKMP (0:2): processing vendor id payload
00:27:07: ISAKMP (0:2): speaking to another IOS box!
00:27:07: ISAKMP (2): ID payload
next-payload : 8
type : 1
protocol : 17
port : 500
length : 8
00:27:07: ISAKMP (2): Total payload length: 12
00:27:07: CryptoEngine0: generate hmac context for conn id 2
00:27:07: ISAKMP (0:2): sending packet to 10.15.58.38 (I) MM_KEY_EXCH
00:27:07: ISAKMP (0:2): received packet from 10.15.58.38 (I) MM_KEY_EXCH
00:27:07: ISAKMP (0:2): processing ID payload. message ID = 0
00:27:07: ISAKMP (0:2): processing HASH payload. message ID = 0
00:27:07: CryptoEngine0: generate hmac context for conn id 2
00:27:07: ISAKMP (0:2): SA has been authenticated with 10.15.58.38
00:27:07: ISAKMP (0:2): beginning Quick Mode exchange, M-ID of 1536042321
00:27:07: CryptoEngine0: generate hmac context for conn id 2
00:27:07: ISAKMP (0:2): sending packet to 10.15.58.38 (I) QM_IDLE
00:27:07: CryptoEngine0: clear dh number for conn id 1
00:27:07: ISAKMP (0:2): received packet from 10.15.58.38 (I) QM_IDLE
00:27:07: CryptoEngine0: generate hmac context for conn id 2

The following messages indicate that the proposal was rejected.

00:27:07: ISAKMP (0:2): processing HASH payload. message ID = 403023752
00:27:07: ISAKMP (0:2): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 0
spi 0, message ID = 403023752
00:27:07: ISAKMP (0:2): deleting node 403023752 error FALSE reason "informational (in) state 1"
00:27:07: IPSEC(key_engine): got a queue event...
00:27:07: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
00:27:07: IPSEC(key_engine_delete_sas): delete all SAs shared with 10.15.58.38 ...
Success rate is 0 percent (0/5)
ce1#
DEBUGS ON CE2:
00:27:09: ISAKMP (0:0): received packet from 10.15.58.10 (N) NEW SA
00:27:09: ISAKMP: local port 500, remote port 500
00:27:09: ISAKMP (0:2): processing SA payload. message ID = 0
00:27:09: ISAKMP (0:2): found peer pre-shared key matching 10.15.58.10
00:27:09: ISAKMP (0:2): Checking ISAKMP transform 1 against priority 10 policy
00:27:09: ISAKMP: encryption DES-CBC
00:27:09: ISAKMP: hash MD5
00:27:09: ISAKMP: default group 1
00:27:09: ISAKMP: auth pre-share
00:27:09: ISAKMP (0:2): atts are acceptable. Next payload is 0
00:27:09: CryptoEngine0: generate alg parameter
00:27:10: CRYPTO_ENGINE: Dh phase 1 status: 0
00:27:10: CRYPTO_ENGINE: Dh phase 1 status: 0
00:27:10: ISAKMP (0:2): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
00:27:10: ISAKMP (0:2): sending packet to 10.15.58.10 (R) MM_SA_SETUP
00:27:10: ISAKMP (0:2): received packet from 10.15.58.10 (R) MM_SA_SETUP
00:27:10: ISAKMP (0:2): processing KE payload. message ID = 0
00:27:10: CryptoEngine0: generate alg parameter
00:27:10: ISAKMP (0:2): processing NONCE payload. message ID = 0
00:27:10: ISAKMP (0:2): found peer pre-shared key matching 10.15.58.10
00:27:10: CryptoEngine0: create ISAKMP SKEYID for conn id 2
00:27:10: ISAKMP (0:2): SKEYID state generated
00:27:10: ISAKMP (0:2): processing vendor id payload
00:27:10: ISAKMP (0:2): speaking to another IOS box!
00:27:10: ISAKMP (0:2): sending packet to 10.15.58.10 (R) MM_KEY_EXCH
00:27:10: ISAKMP (0:2): received packet from 10.15.58.10 (R) MM_KEY_EXCH
00:27:10: ISAKMP (0:2): processing ID payload. message ID = 0
00:27:10: ISAKMP (0:2): processing HASH payload. message ID = 0
00:27:10: CryptoEngine0: generate hmac context for conn id 2
00:27:10: ISAKMP (0:2): SA has been authenticated with 10.15.58.10
00:27:10: ISAKMP (2): ID payload
next-payload : 8
type : 1
protocol : 17
port : 500
length : 8
00:27:10: ISAKMP (2): Total payload length: 12
00:27:10: CryptoEngine0: generate hmac context for conn id 2
00:27:10: CryptoEngine0: clear dh number for conn id 1
00:27:10: ISAKMP (0:2): sending packet to 10.15.58.10 (R) QM_IDLE
00:27:10: ISAKMP (0:2): received packet from 10.15.58.10 (R) QM_IDLE
00:27:10: CryptoEngine0: generate hmac context for conn id 2
00:27:10: ISAKMP (0:2): processing HASH payload. message ID = 1536042321
00:27:10: ISAKMP (0:2): processing SA payload. message ID = 1536042321
00:27:10: ISAKMP (0:2): Checking IPSec proposal 1
00:27:10: ISAKMP: transform 1, ESP_DES
00:27:10: ISAKMP: attributes in transform:
00:27:10: ISAKMP: encaps is 1
00:27:10: ISAKMP: SA life type in seconds
00:27:10: ISAKMP: SA life duration (basic) of 3600
00:27:10: ISAKMP: SA life type in kilobytes
00:27:10: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
00:27:10: ISAKMP: authenticator is HMAC-MD5

The output from CE2 shows why it sent PROPOSAL_NOT_CHOSEN: the transform proposal received from CE1 did not match the transform set defined on CE2.

00:27:10: validate proposal 0
00:27:10: IPSEC(validate_proposal): transform proposal (prot 3, trans 2, hmac_alg 1) not supported
00:27:10: ISAKMP (0:2): atts not acceptable. Next payload is 0
00:27:10: ISAKMP (0:2): phase 2 SA not acceptable!
00:27:10: CryptoEngine0: generate hmac context for conn id 2
00:27:10: ISAKMP (0:2): sending packet to 10.15.58.10 (R) QM_IDLE
00:27:10: ISAKMP (0:2): purging node 403023752
00:27:10: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 10.15.58.10
00:27:10: ISAKMP (0:2): deleting node 1536042321 error FALSE reason "IKMP_NO_ERR_NO_TRANS"

Access-list Mismatch; Tunnel Initiated From CE1

ACCESS-LIST ON CE1:
Extended IP access list 100
permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
ACCESS-LIST ON CE2:
Extended IP access list 100
permit ip 192.168.2.0 0.0.0.255 host 192.168.1.1

Debug on CE1:

00:39:17: IPSEC(sa_request): ,
(key eng. msg.) src= 10.15.58.10, dest= 10.15.58.38,
src_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
dest_proxy= 192.168.2.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-des esp-md5-hmac ,
lifedur= 3600s and 4608000kb,
spi= 0x86F18EB(141498603), conn_id= 0, keysize= 0, flags= 0x4004
00:39:17: ISAKMP: received ke message (1/1)
00:39:17: ISAKMP: local port 500, remote port 500
00:39:17: ISAKMP (0:1): beginning Main Mode exchange
00:39:17: ISAKMP (0:1): sending packet to 10.15.58.38 (I) MM_NO_STATE
00:39:17: ISAKMP (0:1): received packet from 10.15.58.38 (I) MM_NO_STATE
00:39:17: ISAKMP (0:1): processing SA payload. message ID = 0
00:39:17: ISAKMP (0:1): found peer pre-shared key matching 10.15.58.38
00:39:17: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 10 policy
00:39:17: ISAKMP: encryption DES-CBC
00:39:17: ISAKMP: hash MD5
00:39:17: ISAKMP: default group 1
00:39:17: ISAKMP: auth pre-share
00:39:17: ISAKMP (0:1): atts are acceptable. Next payload is 0
00:39:17: CryptoEngine0: generate alg parameter
00:39:18: CRYPTO_ENGINE: Dh phase 1 status: 0
00:39:18: CRYPTO_ENGINE: Dh phase 1 status: 0
00:39:18: ISAKMP (0:1): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
00:39:18: ISAKMP (0:1): sending packet to 10.15.58.38 (I) MM_SA_SETUP
00:39:18: ISAKMP (0:1): received packet from 10.15.58.38 (I) MM_SA_SETUP
00:39:18: ISAKMP (0:1): processing KE payload. message ID = 0
00:39:18: CryptoEngine0: generate alg parameter
00:39:18: ISAKMP (0:1): processing NONCE payload. message ID = 0
00:39:18: ISAKMP (0:1): found peer pre-shared key matching 10.15.58.38
00:39:18: CryptoEngine0: create ISAKMP SKEYID for conn id 1
00:39:18: ISAKMP (0:1): SKEYID state generated
00:39:18: ISAKMP (0:1): processing vendor id payload
00:39:18: ISAKMP (0:1): speaking to another IOS box!
00:39:18: ISAKMP (1): ID payload
next-payload : 8
type : 1
protocol : 17
port : 500
length : 8
00:39:18: ISAKMP (1): Total payload length: 12
00:39:18: CryptoEngine0: generate hmac context for conn id 1
00:39:18: ISAKMP (0:1): sending packet to 10.15.58.38 (I) MM_KEY_EXCH
00:39:18: ISAKMP (0:1): received packet from 10.15.58.38 (I) MM_KEY_EXCH
00:39:18: ISAKMP (0:1): processing ID payload. message ID = 0
00:39:18: ISAKMP (0:1): processing HASH payload. message ID = 0
00:39:18: CryptoEngine0: generate hmac context for conn id 1
00:39:18: ISAKMP (0:1): SA has been authenticated with 10.15.58.38
00:39:18: ISAKMP (0:1): beginning Quick Mode exchange, M-ID of -537199713
00:39:18: CryptoEngine0: generate hmac context for conn id 1
00:39:18: ISAKMP (0:1): sending packet to 10.15.58.38 (I) QM_IDLE
00:39:18: CryptoEngine0: clear dh number for conn id 1
00:39:18: ISAKMP (0:1): received packet from 10.15.58.38 (I) QM_IDLE
00:39:18: CryptoEngine0: generate hmac context for conn id 1

The initiator side (CE1) produced the error message, but you must look at the receiving side (CE2) for details:

00:39:18: ISAKMP (0:1): processing HASH payload. message ID = 400363004
00:39:18: ISAKMP (0:1): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 141498603, message ID = 400363004
00:39:18: ISAKMP (0:1): deleting spi 141498603 message ID = -537199713
00:39:18: ISAKMP (0:1): deleting node -537199713 error TRUE reason "delete_larval"
00:39:18: ISAKMP (0:1): deleting node 400363004 error FALSE reason "informational (in) state 1"

Debug on CE2:

00:39:20: ISAKMP (0:0): received packet from 10.15.58.10 (N) NEW SA
00:39:20: ISAKMP: local port 500, remote port 500
00:39:20: ISAKMP (0:1): processing SA payload. message ID = 0
00:39:20: ISAKMP (0:1): found peer pre-shared key matching 10.15.58.10
00:39:20: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 10 policy
00:39:20: ISAKMP: encryption DES-CBC
00:39:20: ISAKMP: hash MD5
00:39:20: ISAKMP: default group 1
00:39:20: ISAKMP: auth pre-share
00:39:20: ISAKMP (0:1): atts are acceptable. Next payload is 0
00:39:20: CryptoEngine0: generate alg parameter
00:39:20: CRYPTO_ENGINE: Dh phase 1 status: 0
00:39:20: CRYPTO_ENGINE: Dh phase 1 status: 0
00:39:20: ISAKMP (0:1): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
00:39:20: ISAKMP (0:1): sending packet to 10.15.58.10 (R) MM_SA_SETUP
00:39:20: ISAKMP (0:1): received packet from 10.15.58.10 (R) MM_SA_SETUP
00:39:20: ISAKMP (0:1): processing KE payload. message ID = 0
00:39:20: CryptoEngine0: generate alg parameter
00:39:21: ISAKMP (0:1): processing NONCE payload. message ID = 0
00:39:21: ISAKMP (0:1): found peer pre-shared key matching 10.15.58.10
00:39:21: CryptoEngine0: create ISAKMP SKEYID for conn id 1
00:39:21: ISAKMP (0:1): SKEYID state generated
00:39:21: ISAKMP (0:1): processing vendor id payload
00:39:21: ISAKMP (0:1): speaking to another IOS box!
00:39:21: ISAKMP (0:1): sending packet to 10.15.58.10 (R) MM_KEY_EXCH
00:39:21: ISAKMP (0:1): received packet from 10.15.58.10 (R) MM_KEY_EXCH
00:39:21: ISAKMP (0:1): processing ID payload. message ID = 0
00:39:21: ISAKMP (0:1): processing HASH payload. message ID = 0
00:39:21: CryptoEngine0: generate hmac context for conn id 1
00:39:21: ISAKMP (0:1): SA has been authenticated with 10.15.58.10
00:39:21: ISAKMP (1): ID payload
next-payload : 8
type : 1
protocol : 17
port : 500
length : 8
00:39:21: ISAKMP (1): Total payload length: 12
00:39:21: CryptoEngine0: generate hmac context for conn id 1
00:39:21: CryptoEngine0: clear dh number for conn id 1
00:39:21: ISAKMP (0:1): sending packet to 10.15.58.10 (R) QM_IDLE
00:39:21: ISAKMP (0:1): received packet from 10.15.58.10 (R) QM_IDLE
00:39:21: CryptoEngine0: generate hmac context for conn id 1
00:39:21: ISAKMP (0:1): processing HASH payload. message ID = -537199713
00:39:21: ISAKMP (0:1): processing SA payload. message ID = -537199713
00:39:21: ISAKMP (0:1): Checking IPSec proposal 1
00:39:21: ISAKMP: transform 1, ESP_DES
00:39:21: ISAKMP: attributes in transform:
00:39:21: ISAKMP: encaps is 1
00:39:21: ISAKMP: SA life type in seconds
00:39:21: ISAKMP: SA life duration (basic) of 3600
00:39:21: ISAKMP: SA life type in kilobytes
00:39:21: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
00:39:21: ISAKMP: authenticator is HMAC-MD5
00:39:21: validate proposal 0
00:39:21: ISAKMP (0:1): atts are acceptable.

In the following output, the error message "proxy identities not supported" indicates that the access lists on the two sides do not match.

00:39:21: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) dest= 10.15.58.38, src= 10.15.58.10,
dest_proxy= 192.168.2.0/255.255.255.0/0/0 (type=4),
src_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-des esp-md5-hmac,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
00:39:21: validate proposal request 0
00:39:21: IPSEC(validate_transform_proposal): proxy identities not supported
00:39:21: ISAKMP (0:1): IPSec policy invalidated proposal
00:39:21: ISAKMP (0:1): phase 2 SA not acceptable!
00:39:21: CryptoEngine0: generate hmac context for conn id 1
00:39:21: ISAKMP (0:1): sending packet to 10.15.58.10 (R) QM_IDLE
00:39:21: ISAKMP (0:1): purging node 400363004
00:39:21: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 10.15.58.10
00:39:21: ISAKMP (0:1): deleting node -537199713 error FALSE reason "IKMP_NO_ERR_NO_TRANS"
CE2#
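The "proxy identities not supported" failure above is what the responder reports when the two crypto access lists are not mirror images of each other. The following Python is an added example, not part of the Cisco document: it parses the two permit ip entries shown above (plus a constructed, corrected CE2 entry) and reports any entry whose mirror is missing on the peer.

```python
"""Check that two IPsec peers' crypto access lists are mirror images.

Added example, not from the Cisco document. An entry on one side must
appear on the other with source and destination swapped; otherwise the
responder rejects the proxy identities during Quick Mode.
"""
import ipaddress
import re

# Extended ACL entries, copied from the scenario above.
CE1_ACL = ["permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255"]
CE2_ACL = ["permit ip 192.168.2.0 0.0.0.255 host 192.168.1.1"]
# Constructed: the entry CE2 would need for the two lists to mirror each other.
CE2_ACL_MIRRORED = ["permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255"]

_PERMIT_IP = re.compile(r"^permit\s+ip\s+(.+)$")


def _take_network(tokens):
    """Consume one IOS address spec (any | host A | A WILDCARD) from tokens."""
    keyword = tokens.pop(0)
    if keyword == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if keyword == "host":
        return ipaddress.IPv4Network(tokens.pop(0) + "/32")
    wildcard = tokens.pop(0)
    # An IOS wildcard is a hostmask; ipaddress accepts the addr/hostmask form.
    return ipaddress.IPv4Network(f"{keyword}/{wildcard}", strict=False)


def parse_permit_ip(line):
    """Return (src, dst) networks for a 'permit ip' entry, else None."""
    match = _PERMIT_IP.match(line.strip())
    if not match:
        return None  # deny entries and non-IP protocols are not proxy identities
    tokens = match.group(1).split()
    src = _take_network(tokens)
    dst = _take_network(tokens)
    return (src, dst)


def proxy_identities(acl_lines):
    """Set of (src, dst) pairs a crypto ACL would propose as proxy identities."""
    return {pair for pair in map(parse_permit_ip, acl_lines) if pair}


def mirror_mismatches(local_acl, remote_acl):
    """Local (src, dst) pairs whose mirror (dst, src) is absent from the remote ACL."""
    remote = proxy_identities(remote_acl)
    return sorted(
        (src, dst)
        for src, dst in proxy_identities(local_acl)
        if (dst, src) not in remote
    )


def report(local_acl, remote_acl):
    """One human-readable line per entry that will fail proxy-identity validation."""
    return [
        f"no mirror on peer for {src} -> {dst} (peer needs {dst} -> {src})"
        for src, dst in mirror_mismatches(local_acl, remote_acl)
    ]


if __name__ == "__main__":
    for line in report(CE1_ACL, CE2_ACL) or ["crypto ACLs mirror each other"]:
        print(line)
```

Run it against both directions (CE1 vs CE2 and CE2 vs CE1) before enabling debugs; an empty report on both means the proxy identities will match.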

Key Mismatch; Tunnel Initiated From CE1

KEY ON CE1:
crypto isakmp key cisco123 address 10.15.58.38
KEY ON CE2:
crypto isakmp key mykey address 10.15.58.10
DEBUG ON CE1:
00:57:36: IPSEC(sa_request): ,
(key eng. msg.) src= 10.15.58.10, dest= 10.15.58.38,
src_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
dest_proxy= 192.168.2.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-des esp-md5-hmac ,
lifedur= 3600s and 4608000kb,
spi= 0x278A45B5(663373237), conn_id= 0, keysize= 0, flags= 0x4004
00:57:36: ISAKMP: received ke message (1/1)
00:57:36: ISAKMP: local port 500, remote port 500
00:57:36: ISAKMP (0:1): beginning Main Mode exchange
00:57:36: ISAKMP (0:1): sending packet to 10.15.58.38 (I) MM_NO_STATE
00:57:36: ISAKMP (0:1): received packet from 10.15.58.38 (I) MM_NO_STATE
00:57:36: ISAKMP (0:1): processing SA payload. message ID = 0
00:57:36: ISAKMP (0:1): found peer pre-shared key matching 10.15.58.38
00:57:36: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 10 policy
00:57:36: ISAKMP: encryption DES-CBC
00:57:36: ISAKMP: hash MD5
00:57:36: ISAKMP: default group 1
00:57:36: ISAKMP: auth pre-share
Success rate is 0 percent (0/1)
ce1#
00:57:36: ISAKMP (0:1): atts are acceptable. Next payload is 0
00:57:36: CryptoEngine0: generate alg parameter
00:57:36: CRYPTO_ENGINE: Dh phase 1 status: 0
00:57:36: CRYPTO_ENGINE: Dh phase 1 status: 0
00:57:36: ISAKMP (0:1): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
00:57:36: ISAKMP (0:1): sending packet to 10.15.58.38 (I) MM_SA_SETUP
00:57:36: ISAKMP (0:1): received packet from 10.15.58.38 (I) MM_SA_SETUP
00:57:36: ISAKMP (0:1): processing KE payload. message ID = 0
00:57:36: CryptoEngine0: generate alg parameter
00:57:37: ISAKMP (0:1): processing NONCE payload. message ID = 0
00:57:37: ISAKMP (0:1): found peer pre-shared key matching 10.15.58.38
00:57:37: CryptoEngine0: create ISAKMP SKEYID for conn id 1
00:57:37: ISAKMP (0:1): SKEYID state generated
00:57:37: ISAKMP (0:1): processing vendor id payload
00:57:37: ISAKMP (0:1): speaking to another IOS box!
00:57:37: ISAKMP (1): ID payload
next-payload : 8
type : 1
protocol : 17
port : 500
length : 8
00:57:37: ISAKMP (1): Total payload length: 12
00:57:37: CryptoEngine0: generate hmac context for conn id 1
00:57:37: ISAKMP (0:1): sending packet to 10.15.58.38 (I) MM_KEY_EXCH
00:57:37: ISAKMP (0:1): received packet from 10.15.58.38 (I) MM_KEY_EXCH

The following message indicates that the packet could not be verified because the keys do not match.

00:57:37: ISAKMP: reserved not zero on NOTIFY payload!
00:57:37: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 10.15.58.38 failed its sanity check or is malformed
DEBUGS ON CE2:
CE2#
00:54:40: ISAKMP (0:0): received packet from 10.15.58.10 (N) NEW SA
00:54:40: ISAKMP: local port 500, remote port 500
00:54:40: ISAKMP (0:1): processing SA payload. message ID = 0
00:54:40: ISAKMP (0:1): found peer pre-shared key matching 10.15.58.10
00:54:40: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 10 policy
00:54:40: ISAKMP: encryption DES-CBC
00:54:40: ISAKMP: hash MD5
00:54:40: ISAKMP: default group 1
00:54:40: ISAKMP: auth pre-share
00:54:40: ISAKMP (0:1): atts are acceptable. Next payload is 0
00:54:40: CryptoEngine0: generate alg parameter
00:54:40: CRYPTO_ENGINE: Dh phase 1 status: 0
00:54:40: CRYPTO_ENGINE: Dh phase 1 status: 0
00:54:40: ISAKMP (0:1): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
00:54:40: ISAKMP (0:1): sending packet to 10.15.58.10 (R) MM_SA_SETUP
00:54:40: ISAKMP (0:1): received packet from 10.15.58.10 (R) MM_SA_SETUP
00:54:40: ISAKMP (0:1): processing KE payload. message ID = 0
00:54:40: CryptoEngine0: generate alg parameter
00:54:40: ISAKMP (0:1): processing NONCE payload. message ID = 0
00:54:40: ISAKMP (0:1): found peer pre-shared key matching 10.15.58.10
00:54:40: CryptoEngine0: create ISAKMP SKEYID for conn id 1
00:54:40: ISAKMP (0:1): SKEYID state generated
00:54:40: ISAKMP (0:1): processing vendor id payload
00:54:40: ISAKMP (0:1): speaking to another IOS box!
00:54:40: ISAKMP (0:1): sending packet to 10.15.58.10 (R) MM_KEY_EXCH

A key mismatch on the receiving side produces these messages:

00:54:40: ISAKMP (0:1): received packet from 10.15.58.10 (R) MM_KEY_EXCH
00:54:40: ISAKMP: reserved not zero on ID payload!
00:54:40: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 10.15.58.10 failed its sanity check or is malformed
00:54:40: ISAKMP (0:1): incrementing error counter on sa: PAYLOAD_MALFORMED

ISAKMP Policy Mismatch; Tunnel Initiated From CE1

POLICY ON CE1:
Protection suite of priority 10
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Message Digest 5
authentication method: Pre-Shared Key
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
POLICY ON CE2:
Protection suite of priority 10
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
DEBUG ON CE1:
01:21:24: IPSEC(sa_request): ,
(key eng. msg.) src= 10.15.58.10, dest= 10.15.58.38,
src_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
dest_proxy= 192.168.2.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-des esp-md5-hmac ,
lifedur= 3600s and 4608000kb,
spi= 0x3C8A0F6E(1015680878), conn_id= 0, keysize= 0, flags= 0x4004
01:21:24: ISAKMP: received ke message (1/1)
01:21:24: ISAKMP: local port 500, remote port 500
01:21:24: ISAKMP (0:1): beginning Main Mode exchange
01:21:24: ISAKMP (0:1): sending packet to 10.15.58.38 (I) MM_NO_STATE
01:21:24: ISAKMP (0:1): received packet from 10.15.58.38 (I) MM_NO_STATE
01:21:24: ISAKMP (0:1): Notify has no hash. Rejected.

The output that follows from CE1 indicates that the Phase 1 exchange failed:

01:21:24: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 10.15.58.38
DEBUG ON CE2:
CE2#
01:21:27: ISAKMP (0:0): received packet from 10.15.58.10 (N) NEW SA
01:21:27: ISAKMP: local port 500, remote port 500
01:21:27: ISAKMP (0:1): processing SA payload. message ID = 0
01:21:27: ISAKMP (0:1): found peer pre-shared key matching 10.15.58.10
01:21:27: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 10 policy
01:21:27: ISAKMP: encryption DES-CBC
01:21:27: ISAKMP: hash MD5
01:21:27: ISAKMP: default group 1
01:21:27: ISAKMP: auth pre-share
01:21:27: ISAKMP (0:1): atts are not acceptable. Next payload is 0
01:21:27: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 65535 policy
01:21:27: ISAKMP: encryption DES-CBC
01:21:27: ISAKMP: hash MD5
01:21:27: ISAKMP: default group 1
01:21:27: ISAKMP: auth pre-share

The messages below indicate that the Phase 1 negotiation failed. Check the received attributes (above) against the defined policy. The same debugs appear if the encryption type (des/3des) or the authentication type (pre-share/RSA) is mismatched.

01:21:27: ISAKMP (0:1): atts are not acceptable. Next payload is 0
01:21:27: ISAKMP (0:1): no offers accepted!
01:21:27: ISAKMP (0:1): phase 1 SA not acceptable!
01:21:27: ISAKMP (0:1): incrementing error counter on sa: construct_fail_ag_init
01:21:27: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Main mode failed with peer at 10.15.58.10
01:21:27: ISAKMP (0:1): sending packet to 10.15.58.10 (R) MM_NO_STATE

Crypto Map Not Applied; Tunnel Initiated from CE1

Crypto Map Not Applied on CE1

The tunnel does not attempt to come up. Issuing sh access-list shows that the match counters do not increase.

Crypto Map Not Applied on CE2

If the receiving side does not have a map applied, the initiator starts the tunnel but the tunnel does not come up.

Debug on CE1

01:33:45: IPSEC(sa_request): ,
(key eng. msg.) src= 10.15.58.10, dest= 10.15.58.38,
src_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
dest_proxy= 192.168.2.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-des esp-md5-hmac ,
lifedur= 3600s and 4608000kb,
spi= 0xA9B9C3A3(2847523747), conn_id= 0, keysize= 0, flags= 0x4004
01:33:45: ISAKMP: received ke message (1/1)
01:33:45: ISAKMP: local port 500, remote port 500
01:33:45: ISAKMP (0:1): beginning Main Mode exchange
01:33:45: ISAKMP (0:1): sending packet to 10.15.58.38 (I) MM_NO_STATE
01:33:45: ISAKMP (0:1): received packet from 10.15.58.38 (I) MM_NO_STATE
01:33:45: ISAKMP (0:1): processing SA payload. message ID = 0
01:33:45: ISAKMP (0:1): found peer pre-shared key matching 10.15.58.38
01:33:45: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 10 policy
01:33:45: ISAKMP: encryption DES-CBC
01:33:45: ISAKMP: hash MD5
01:33:45: ISAKMP: default group 1
01:33:45: ISAKMP: auth pre-share
Success rate is 0 percent (0/1)
ce1#
01:33:45: ISAKMP (0:1): atts are acceptable. Next payload is 0
01:33:45: CryptoEngine0: generate alg parameter
01:33:45: CRYPTO_ENGINE: Dh phase 1 status: 0
01:33:45: CRYPTO_ENGINE: Dh phase 1 status: 0
01:33:45: ISAKMP (0:1): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
01:33:45: ISAKMP (0:1): sending packet to 10.15.58.38 (I) MM_SA_SETUP
01:33:45: ISAKMP (0:1): received packet from 10.15.58.38 (I) MM_SA_SETUP
01:33:45: ISAKMP (0:1): processing KE payload. message ID = 0
01:33:45: CryptoEngine0: generate alg parameter
01:33:45: ISAKMP (0:1): processing NONCE payload. message ID = 0
01:33:45: ISAKMP (0:1): found peer pre-shared key matching 10.15.58.38
01:33:45: CryptoEngine0: create ISAKMP SKEYID for conn id 1
01:33:45: ISAKMP (0:1): SKEYID state generated
01:33:45: ISAKMP (0:1): processing vendor id payload
01:33:45: ISAKMP (0:1): speaking to another IOS box!
01:33:45: ISAKMP (1): ID payload
next-payload : 8
type : 1
protocol : 17
port : 500
length : 8
01:33:45: ISAKMP (1): Total payload length: 12
01:33:45: CryptoEngine0: generate hmac context for conn id 1
01:33:45: ISAKMP (0:1): sending packet to 10.15.58.38 (I) MM_KEY_EXCH
01:33:45: ISAKMP (0:1): received packet from 10.15.58.38 (I) MM_KEY_EXCH
01:33:45: ISAKMP (0:1): processing ID payload. message ID = 0
01:33:45: ISAKMP (0:1): processing HASH payload. message ID = 0
01:33:45: CryptoEngine0: generate hmac context for conn id 1
01:33:45: ISAKMP (0:1): SA has been authenticated with 10.15.58.38
01:33:45: ISAKMP (0:1): beginning Quick Mode exchange, M-ID of -263684175
01:33:45: CryptoEngine0: generate hmac context for conn id 1
01:33:45: ISAKMP (0:1): sending packet to 10.15.58.38 (I) QM_IDLE
01:33:45: CryptoEngine0: clear dh number for conn id 1
01:33:45: ISAKMP (0:1): received packet from 10.15.58.38 (I) QM_IDLE
01:33:45: CryptoEngine0: generate hmac context for conn id 1
01:33:45: ISAKMP (0:1): processing HASH payload. message ID = 2084297188

An error from the receiving side appears on CE1. Look at the other side (CE2) to determine the problem.

01:33:45: ISAKMP (0:1): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 0
spi 0, message ID = 2084297188
01:33:45: ISAKMP (0:1): deleting node 2084297188 error FALSE reason "information"
DEBUGS FROM CE2:
01:33:47: ISAKMP (0:0): received packet from 10.15.58.10 (N) NEW SA
01:33:47: ISAKMP: local port 500, remote port 500
01:33:47: ISAKMP (0:1): processing SA payload. message ID = 0
01:33:47: ISAKMP (0:1): found peer pre-shared key matching 10.15.58.10
01:33:47: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 10 policy
01:33:47: ISAKMP: encryption DES-CBC
01:33:47: ISAKMP: hash MD5
01:33:47: ISAKMP: default group 1
01:33:47: ISAKMP: auth pre-share
01:33:47: ISAKMP (0:1): atts are acceptable. Next payload is 0
01:33:47: CryptoEngine0: generate alg parameter
01:33:48: CRYPTO_ENGINE: Dh phase 1 status: 0
01:33:48: CRYPTO_ENGINE: Dh phase 1 status: 0
01:33:48: ISAKMP (0:1): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
01:33:48: ISAKMP (0:1): sending packet to 10.15.58.10 (R) MM_SA_SETUP
01:33:48: ISAKMP (0:1): received packet from 10.15.58.10 (R) MM_SA_SETUP
01:33:48: ISAKMP (0:1): processing KE payload. message ID = 0
01:33:48: CryptoEngine0: generate alg parameter
01:33:48: ISAKMP (0:1): processing NONCE payload. message ID = 0
01:33:48: ISAKMP (0:1): found peer pre-shared key matching 10.15.58.10
01:33:48: CryptoEngine0: create ISAKMP SKEYID for conn id 1
01:33:48: ISAKMP (0:1): SKEYID state generated
01:33:48: ISAKMP (0:1): processing vendor id payload
01:33:48: ISAKMP (0:1): speaking to another IOS box!
01:33:48: ISAKMP (0:1): sending packet to 10.15.58.10 (R) MM_KEY_EXCH
01:33:48: ISAKMP (0:1): received packet from 10.15.58.10 (R) MM_KEY_EXCH
01:33:48: ISAKMP (0:1): processing ID payload. message ID = 0
01:33:48: ISAKMP (0:1): processing HASH payload. message ID = 0
01:33:48: CryptoEngine0: generate hmac context for conn id 1
01:33:48: ISAKMP (0:1): SA has been authenticated with 10.15.58.10
01:33:48: ISAKMP (1): ID payload
next-payload : 8
type : 1
protocol : 17
port : 500
length : 8
01:33:48: ISAKMP (1): Total payload length: 12
01:33:48: CryptoEngine0: generate hmac context for conn id 1
01:33:48: CryptoEngine0: clear dh number for conn id 1
01:33:48: ISAKMP (0:1): sending packet to 10.15.58.10 (R) QM_IDLE
01:33:48: ISAKMP (0:1): received packet from 10.15.58.10 (R) QM_IDLE
01:33:48: CryptoEngine0: generate hmac context for conn id 1
01:33:48: ISAKMP (0:1): processing HASH payload. message ID = -263684175
01:33:48: ISAKMP (0:1): processing SA payload. message ID = -263684175
01:33:48: ISAKMP (0:1): Checking IPSec proposal 1
01:33:48: ISAKMP: transform 1, ESP_DES
01:33:48: ISAKMP: attributes in transform:
01:33:48: ISAKMP: encaps is 1
01:33:48: ISAKMP: SA life type in seconds
01:33:48: ISAKMP: SA life duration (basic) of 3600
01:33:48: ISAKMP: SA life type in kilobytes
01:33:48: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
01:33:48: ISAKMP: authenticator is HMAC-MD5
01:33:48: validate proposal 0

Phase 2 failed. The message "invalid local address" below means that the packet arrived on an interface where the crypto map was not applied, so Phase 2 could not be negotiated.

01:33:48: IPSEC(validate_proposal): invalid local address 10.15.58.38
01:33:48: ISAKMP (0:1): atts not acceptable. Next payload is 0
01:33:48: ISAKMP (0:1): phase 2 SA not acceptable!
01:33:48: CryptoEngine0: generate hmac context for conn id 1
01:33:48: ISAKMP (0:1): sending packet to 10.15.58.10 (R) QM_IDLE
01:33:48: ISAKMP (0:1): purging node 2084297188
01:33:48: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 10.15.58.10
01:33:48: ISAKMP (0:1): deleting node -263684175 error FALSE reason "IKMP_NO_ERR_NO_TRANS"

Missing SAs

CE2 has rebooted and no longer has SAs. CE1, however, still has SAs. If traffic is being sent from CE1, the following message appears on CE2:

01:51:48: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for
destaddr=10.15.58.38, prot=50, spi=0x3ACB80F(61650959)

Transform and Proposal Mismatch

The following was entered on the Cisco 7100 router:

crypto ipsec transform-set isaTransform esp-3des esp-sha-hmac

The following was entered on the Cisco 7200 router:

crypto ipsec transform-set isaTransform esp-3des esp-md5-hmac
7100-UUT#
1d03h: ISAKMP (0:0): received packet from 193.168.1.1 (N) NEW SA
1d03h: ISAKMP: local port 500, remote port 500 ----------------------- (THIS IS THE PORT IKE USES)
1d03h: ISAKMP (0:1): processing SA payload. message ID = 0
1d03h: ISAKMP (0:1): found peer pre-shared key matching 193.168.1.1
1d03h: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 1 policy
1d03h: ISAKMP: encryption 3DES-CBC ---- THESE ARE THE ISAKMP TRANSFORMS + PROPOSALS FOR MAIN MODE
1d03h: ISAKMP: hash SHA
1d03h: ISAKMP: default group 2
1d03h: ISAKMP: auth pre-share
1d03h: ISAKMP (0:1): atts are acceptable. Next payload is 0
1d03h: ISAKMP (0:1): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
1d03h: ISAKMP (0:1): sending packet to 193.168.1.1 (R) MM_SA_SETUP ------- MAIN MODE SECURITY ASSOCIATION SETUP
1d03h: ISAKMP (0:1): received packet from 193.168.1.1 (R) MM_SA_SETUP
1d03h: ISAKMP (0:1): processing KE payload. message ID = 0
1d03h: ISAKMP (0:1): processing NONCE payload. message ID = 0
1d03h: ISAKMP (0:1): found peer pre-shared key matching 193.168.1.1
1d03h: ISAKMP (0:1): SKEYID state generated
1d03h: ISAKMP (0:1): processing vendor id payload
1d03h: ISAKMP (0:1): speaking to another IOS box!
1d03h: ISAKMP (0:1): sending packet to 193.168.1.1 (R) MM_KEY_EXCH ------- MAIN MODE KEY EXCHANGE BEING DONE.
1d03h: ISAKMP (0:1): received packet from 193.168.1.1 (R) MM_KEY_EXCH
1d03h: ISAKMP (0:1): processing ID payload. message ID = 0
1d03h: ISAKMP (0:1): processing HASH payload. message ID = 0
1d03h: ISAKMP (0:1): SA has been authenticated with 193.168.1.1
1d03h: ISAKMP (1): ID payload
next-payload : 8
type : 1
protocol : 17
port : 500
length : 8
1d03h: ISAKMP (1): Total payload length: 12
1d03h: ISAKMP (0:1): sending packet to 193.168.1.1 (R) QM_IDLE ------ MAIN MODE IS DONE AND MOVING TO QUICK MODE
1d03h: ISAKMP (0:1): received packet from 193.168.1.1 (R) QM_IDLE
1d03h: ISAKMP (0:1): processing HASH payload. message ID = -2037037709
1d03h: ISAKMP (0:1): processing SA payload. message ID = -2037037709
1d03h: ISAKMP (0:1): Checking IPSec proposal 1
1d03h: ISAKMP: transform 1, ESP_3DES --- THESE ARE THE TRANSFORMS AND PROPOSALS SENT BY THE PEER
1d03h: ISAKMP: attributes in transform:
1d03h: ISAKMP: encaps is 1
1d03h: ISAKMP: SA life type in seconds
1d03h: ISAKMP: SA life duration (basic) of 3600
1d03h: ISAKMP: SA life type in kilobytes
1d03h: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
1d03h: ISAKMP: authenticator is HMAC-MD5 ------------- USING HASH-MD5
1d03h: ISAKMP (0:1): atts not acceptable. Next payload is 0 ------ THE PROPOSAL IS REJECTED
1d03h: ISAKMP (0:1): phase 2 SA not acceptable! ------------------- QUICK MODE OR PHASE 2 IS REJECTED.
1d03h: ISAKMP (0:1): sending packet to 193.168.1.1 (R) QM_IDLE
1d03h: ISAKMP (0:1): purging node 2061107598
1d03h: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 193.168.1.1
1d03h: ISAKMP (0:1): deleting node -2037037709 error FALSE reason "IKMP_NO_ERR_NO_TRANS"
7100-UUT#
7100-UUT#
1d03h: ISAKMP (0:1): received packet from 193.168.1.1 (R) QM_IDLE
1d03h: ISAKMP (0:1): phase 2 packet is a duplicate of a previous packet.
1d03h: ISAKMP (0:1): retransmitting due to retransmit phase 2
1d03h: ISAKMP (0:1): ignoring retransmission,because phase2 node marked dead -2037037709

All debugging has been turned off. Issue the show cry isa sa command.

7100-UUT#show cry isa sa
dst src state conn-id slot
195.168.1.1 193.168.1.1 QM_IDLE 1 0
7100-UUT#show cry isa sa
dst src state conn-id slot
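Each scenario in this appendix is identified by one or two diagnostic debug lines, and several of them (the PROPOSAL_NOT_CHOSEN cases) can only be explained from the responder's output. The following Python is an added example, not part of the Cisco document: it maps those lines to their cause so a capture from either peer can be triaged; the sample captures are lines copied from the scenarios above.

```python
"""Triage IOS 'debug crypto isakmp' / 'debug crypto ipsec' output.

Added example, not from the Cisco document. Each signature pairs one of the
scenarios in this appendix with the debug line that identifies it, so a
capture from either peer can be reduced to a probable cause.
"""
import re

# (cause, side on which the line appears, regex). Checked top to bottom.
SIGNATURES = [
    ("peer still sends on an SA this router no longer has (reboot/clear)",
     "receiver", re.compile(r"RECVD_PKT_INV_SPI")),
    ("pre-shared key mismatch",
     "either", re.compile(r"reserved not zero on \w+ payload|IKMP_BAD_MESSAGE")),
    ("ISAKMP policy (Phase 1) mismatch",
     "responder", re.compile(r"no offers accepted!|phase 1 SA not acceptable!")),
    ("transform set mismatch",
     "responder", re.compile(r"validate_proposal\): transform proposal .* not supported")),
    ("crypto ACL mismatch (proxy identities)",
     "responder", re.compile(r"proxy identities not supported")),
    ("crypto map not applied on the receiving interface",
     "responder", re.compile(r"validate_proposal\): invalid local address")),
    ("Phase 2 proposal rejected by peer; read the responder's debug",
     "initiator", re.compile(r"NOTIFY PROPOSAL_NOT_CHOSEN")),
]


def classify_line(line):
    """Return (cause, side) for one debug line, or None if it is not diagnostic."""
    for cause, side, pattern in SIGNATURES:
        if pattern.search(line):
            return (cause, side)
    return None


def triage(lines):
    """Distinct (cause, side) findings in a capture, in order of first appearance."""
    findings = []
    for line in lines:
        hit = classify_line(line)
        if hit and hit not in findings:
            findings.append(hit)
    return findings


def root_cause(lines):
    """Prefer a responder-side reason over the initiator's generic NOTIFY."""
    findings = triage(lines)
    for cause, side in findings:
        if side != "initiator":
            return cause
    if findings:
        return findings[0][0]
    return "no diagnostic line found; collect debugs from both peers"


# Constructed captures: diagnostic lines copied from the scenarios above.
TRANSFORM_MISMATCH = [
    "00:27:07: ISAKMP (0:2): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 0",
    "00:27:10: IPSEC(validate_proposal): transform proposal (prot 3, trans 2, hmac_alg 1) not supported",
    "00:27:10: ISAKMP (0:2): phase 2 SA not acceptable!",
]
ACL_MISMATCH = [
    "00:39:21: IPSEC(validate_transform_proposal): proxy identities not supported",
    "00:39:21: ISAKMP (0:1): IPSec policy invalidated proposal",
]
KEY_MISMATCH = [
    "00:54:40: ISAKMP: reserved not zero on ID payload!",
    "00:54:40: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 10.15.58.10 failed its sanity check or is malformed",
]
POLICY_MISMATCH = [
    "01:21:27: ISAKMP (0:1): atts are not acceptable. Next payload is 0",
    "01:21:27: ISAKMP (0:1): no offers accepted!",
    "01:21:27: ISAKMP (0:1): phase 1 SA not acceptable!",
]
MAP_NOT_APPLIED = ["01:33:48: IPSEC(validate_proposal): invalid local address 10.15.58.38"]
STALE_SA = ["01:51:48: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=10.15.58.38, prot=50, spi=0x3ACB80F(61650959)"]
INITIATOR_ONLY = ["00:27:07: ISAKMP (0:2): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 0"]

if __name__ == "__main__":
    for name, capture in [("transform", TRANSFORM_MISMATCH), ("acl", ACL_MISMATCH),
                          ("key", KEY_MISMATCH), ("policy", POLICY_MISMATCH),
                          ("map", MAP_NOT_APPLIED), ("stale", STALE_SA)]:
        print(f"{name:10s} -> {root_cause(capture)}")
```

Feed it the concatenated output of both peers; if only the initiator's capture is available it reports just the generic NOTIFY and tells you which side to collect next.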


Posted: Tue May 20 12:30:17 PDT 2003
All contents are Copyright © 1992--2003 Cisco Systems, Inc. All rights reserved.