ISAKMP error?

Status
Not open for further replies.

dunks59

IS-IT--Management
Feb 12, 2009
9
US
I'm attempting to set up another Cisco ASA5520. Getting the below error. The part that I presume is the problem is when the ASA says "Attempt to get Phase 1 ID data failed while constructing ID".

After that the connection is dropped by the ASA and the Client says something on the order of server not responding.

Mar 30 21:30:40 [IKEv1]: IP = 70.10.206.243, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 1100
Mar 30 21:30:40 [IKEv1 DEBUG]: IP = 70.10.206.243, processing SA payload
Mar 30 21:30:40 [IKEv1 DEBUG]: IP = 70.10.206.243, Oakley proposal is acceptable
Mar 30 21:30:40 [IKEv1 DEBUG]: IP = 70.10.206.243, processing VID payload
Mar 30 21:30:40 [IKEv1 DEBUG]: IP = 70.10.206.243, Received xauth V6 VID
Mar 30 21:30:40 [IKEv1 DEBUG]: IP = 70.10.206.243, processing VID payload
Mar 30 21:30:40 [IKEv1 DEBUG]: IP = 70.10.206.243, Received DPD VID
Mar 30 21:30:40 [IKEv1 DEBUG]: IP = 70.10.206.243, processing VID payload
Mar 30 21:30:40 [IKEv1 DEBUG]: IP = 70.10.206.243, Received Cisco Unity client VID
Mar 30 21:30:40 [IKEv1 DEBUG]: IP = 70.10.206.243, processing IKE SA payload
Mar 30 21:30:40 [IKEv1 DEBUG]: IP = 70.10.206.243, IKE SA Proposal # 1, Transform # 21 acceptable Matches global IKE entry # 1
Mar 30 21:30:40 [IKEv1 DEBUG]: IP = 70.10.206.243, constructing ISAKMP SA payload
Mar 30 21:30:40 [IKEv1 DEBUG]: IP = 70.10.206.243, constructing Fragmentation VID + extended capabilities payload
Mar 30 21:30:40 [IKEv1]: IP = 70.10.206.243, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
Mar 30 21:30:40 [IKEv1]: IP = 70.10.206.243, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 224
Mar 30 21:30:40 [IKEv1 DEBUG]: IP = 70.10.206.243, processing ke payload
Mar 30 21:30:40 [IKEv1 DEBUG]: IP = 70.10.206.243, processing ISA_KE payload
Mar 30 21:30:40 [IKEv1 DEBUG]: IP = 70.10.206.243, processing nonce payload
Mar 30 21:30:40 [IKEv1 DEBUG]: IP = 70.10.206.243, processing VID payload
Mar 30 21:30:40 [IKEv1 DEBUG]: IP = 70.10.206.243, Processing IOS/PIX Vendor ID payload (version: 1.0.0, capabilities: 00000408)
Mar 30 21:30:40 [IKEv1 DEBUG]: IP = 70.10.206.243, processing VID payload
Mar 30 21:30:40 [IKEv1 DEBUG]: IP = 70.10.206.243, Received Cisco Unity client VID
Mar 30 21:30:41 [IKEv1 DEBUG]: IP = 70.10.206.243, constructing ke payload
Mar 30 21:30:41 [IKEv1 DEBUG]: IP = 70.10.206.243, constructing nonce payload
Mar 30 21:30:41 [IKEv1 DEBUG]: IP = 70.10.206.243, constructing certreq payload
Mar 30 21:30:41 [IKEv1 DEBUG]: IP = 70.10.206.243, constructing certreq payload
Mar 30 21:30:41 [IKEv1 DEBUG]: IP = 70.10.206.243, constructing Cisco Unity VID payload
Mar 30 21:30:41 [IKEv1 DEBUG]: IP = 70.10.206.243, constructing xauth V6 VID payload
Mar 30 21:30:41 [IKEv1 DEBUG]: IP = 70.10.206.243, Send IOS VID
Mar 30 21:30:41 [IKEv1 DEBUG]: IP = 70.10.206.243, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Mar 30 21:30:41 [IKEv1 DEBUG]: IP = 70.10.206.243, constructing VID payload
Mar 30 21:30:41 [IKEv1 DEBUG]: IP = 70.10.206.243, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Mar 30 21:30:41 [IKEv1 DEBUG]: IP = 70.10.206.243, Generating keys for Responder...
Mar 30 21:30:41 [IKEv1]: IP = 70.10.206.243, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + CERT_REQ (7) + CERT_REQ (7) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 494
Mar 30 21:30:43 [IKEv1]: IP = 70.10.206.243, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + CERT (6) + CERT_REQ (7) + SIG (9) + NOTIFY (11) + NONE (0) total length : 3180
Mar 30 21:30:43 [IKEv1 DEBUG]: IP = 70.10.206.243, processing ID payload
Mar 30 21:30:43 [IKEv1 DEBUG]: IP = 70.10.206.243, processing cert payload
Mar 30 21:30:43 [IKEv1 DEBUG]: IP = 70.10.206.243, processing cert request payload
Mar 30 21:30:43 [IKEv1 DEBUG]: IP = 70.10.206.243, processing RSA signature
Mar 30 21:30:43 [IKEv1 DEBUG]: IP = 70.10.206.243, Computing hash for ISAKMP
Mar 30 21:30:43 [IKEv1 DEBUG]: IP = 70.10.206.243, processing notify payload
Mar 30 21:30:43 [IKEv1]: IP = 70.10.206.243, Trying to find group via cert rules...
Mar 30 21:30:43 [IKEv1]: IP = 70.10.206.243, Connection landed on tunnel_group ra-tunnel-gp
Mar 30 21:30:43 [IKEv1]: Group = ra-tunnel-gp, IP = 70.10.206.243, No valid authentication type found for the tunnel group
Mar 30 21:30:43 [IKEv1 DEBUG]: Group = ra-tunnel-gp, IP = 70.10.206.243, peer ID type 9 received (DER_ASN1_DN)
Mar 30 21:30:43 [IKEv1 DEBUG]: Group = ra-tunnel-gp, IP = 70.10.206.243, constructing ID payload
Mar 30 21:30:43 [IKEv1]: Group = ra-tunnel-gp, IP = 70.10.206.243, Attempt to get Phase 1 ID data failed while constructing ID
Mar 30 21:30:43 [IKEv1 DEBUG]: Group = ra-tunnel-gp, IP = 70.10.206.243, IKE MM Responder FSM error history (struct &0xc90285e0) <state>, <event>: MM_DONE, EV_ERROR-->MM_BLD_MSG6, EV_ENCRYPT_MSG-->MM_BLD_MSG6, EV_CHECK_IA-->MM_BLD_MSG6, EV_CHK_PROPOSAL-->MM_BLD_MSG6, EV_COMPARE_IDS-->MM_BLD_MSG6, EV_CERT_OK-->MM_BLD_MSG6, NullEvent-->MM_BLD_MSG6, EV_ACTIVATE_NEW_SA
Mar 30 21:30:43 [IKEv1 DEBUG]: Group = ra-tunnel-gp, IP = 70.10.206.243, IKE SA MM:df416c90 terminating: flags 0x0105c002, refcnt 0, tuncnt 0
Mar 30 21:30:43 [IKEv1 DEBUG]: Group = ra-tunnel-gp, IP = 70.10.206.243, sending delete/delete with reason message
Mar 30 21:30:43 [IKEv1 DEBUG]: Group = ra-tunnel-gp, IP = 70.10.206.243, constructing blank hash payload
Mar 30 21:30:43 [IKEv1 DEBUG]: Group = ra-tunnel-gp, IP = 70.10.206.243, constructing IKE delete payload
Mar 30 21:30:43 [IKEv1 DEBUG]: Group = ra-tunnel-gp, IP = 70.10.206.243, constructing qm hash payload
Mar 30 21:30:43 [IKEv1]: IP = 70.10.206.243, IKE_DECODE SENDING Message (msgid=326a7278) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
Mar 30 21:30:43 [IKEv1]: Group = ra-tunnel-gp, IP = 70.10.206.243, Removing peer from peer table failed, no match!
Mar 30 21:30:43 [IKEv1]: Group = ra-tunnel-gp, IP = 70.10.206.243, Error: Unable to remove PeerTblEntry
Mar 30 21:30:48 [IKEv1]: IP = 70.10.206.243, Received encrypted packet with no matching SA, dropping
Mar 30 21:30:53 [IKEv1]: IP = 70.10.206.243, Received encrypted packet with no matching SA, dropping
Mar 30 21:30:56 [IKEv1]: IP = 70.10.206.243, Received encrypted packet with no matching SA, dropping
 
Looks like it's trying to hit on a remote access group first. Rearrange your crypto maps so that the dynamic is set to 65535.
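
An added example, not part of either post above: a small Python triage script for ASA IKEv1 debug output like the log in the question. It reconstructs the message exchange from the `IKE_DECODE` lines and collects the non-DEBUG failure lines in order. The function name `triage` and the failure keywords are assumptions made for this sketch; the sample is an abridged excerpt of the log quoted in the question.

```python
import re

# Abridged excerpt of the ASA debug log quoted in the question above.
SAMPLE = """\
Mar 30 21:30:40 [IKEv1]: IP = 70.10.206.243, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 1100
Mar 30 21:30:40 [IKEv1]: IP = 70.10.206.243, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
Mar 30 21:30:40 [IKEv1]: IP = 70.10.206.243, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 224
Mar 30 21:30:41 [IKEv1]: IP = 70.10.206.243, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + CERT_REQ (7) + CERT_REQ (7) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 494
Mar 30 21:30:43 [IKEv1]: IP = 70.10.206.243, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + CERT (6) + CERT_REQ (7) + SIG (9) + NOTIFY (11) + NONE (0) total length : 3180
Mar 30 21:30:43 [IKEv1]: IP = 70.10.206.243, Connection landed on tunnel_group ra-tunnel-gp
Mar 30 21:30:43 [IKEv1]: Group = ra-tunnel-gp, IP = 70.10.206.243, No valid authentication type found for the tunnel group
Mar 30 21:30:43 [IKEv1]: Group = ra-tunnel-gp, IP = 70.10.206.243, Attempt to get Phase 1 ID data failed while constructing ID
Mar 30 21:30:43 [IKEv1]: IP = 70.10.206.243, IKE_DECODE SENDING Message (msgid=326a7278) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
Mar 30 21:30:48 [IKEv1]: IP = 70.10.206.243, Received encrypted packet with no matching SA, dropping
"""

LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \[IKEv1(?P<dbg> DEBUG)?\]: "
    r"(?:Group = (?P<group>[^,]+), )?IP = (?P<ip>[\d.]+), (?P<msg>.*)$")
DECODE = re.compile(r"IKE_DECODE (RECEIVED|SENDING) Message \(msgid=(\w+)\) "
                    r"with payloads : (.*?) total length : (\d+)")
FAILURE = re.compile(r"failed|No valid|Error|no matching SA", re.I)  # assumed keywords

def triage(text):
    """Summarise one peer's IKEv1 negotiation from ASA debug lines."""
    exchange, failures, group = [], [], None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        group = m["group"] or group
        d = DECODE.search(m["msg"])
        if d:
            # Keep payload names only, e.g. "SA (1)" -> "SA"; drop the NONE terminator.
            names = [n for n in re.findall(r"([A-Z_]+) \(\d+\)", d[3]) if n != "NONE"]
            exchange.append((d[1], d[2], names, int(d[4])))
        elif not m["dbg"] and FAILURE.search(m["msg"]):
            failures.append(m["msg"])
    # IKEv1 uses message ID 0 for every Phase 1 message.
    phase1 = [e for e in exchange if e[1] == "0"]
    return {"group": group, "phase1_messages": len(phase1),
            "exchange": exchange, "failures": failures}
```

On the excerpt, `triage(SAMPLE)` reports five Phase 1 messages and no sixth from the ASA, and the first failure line it collects is "No valid authentication type found for the tunnel group", logged just before the line quoted in the question.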
 