Re: EZVPN problem -- Help !!!

From: Kal Han (calikali2006@gmail.com)
Date: Wed Nov 08 2006 - 22:58:16 ART

Looks like you are doing both RA and L2L VPNs
From what I know,
It wont work with your config.
Two different types of VPNs, in your case you have the crypto
map being used for both L2L Vpn and also Remote Access VPN.

Similar config never worked for "me".

The solution to think kind of problem is to create isakmp-profile
for each type. one for L2L and one for RA clients.

and use it with your crypto maps. ( set one under your regular
crypto map and the other under your dynamic crypto map )
and it will work.

So you basically create two isakmp-profiles
L2L-Ike_profile and RA-Ike_profile

crypto keyring l2lKey
  pre-shared-key address 195.1.114.1 key cciesec

crypto isakmp profile L2L-Ike_profile
   keyring l2lKey
   match identity address 195.1.114.1 255.255.255.255

crypto isakmp profile RA-Ike_profile
   match identity group EZVPN
   isakmp authorization list EZ
   client configuration address respond

crypto map mymap 10 ipsec-isakmp
set peer 195.1.114.1
set isakmp-profile L2L-Ike_profile <---------
set transform-set myset
match address 114

crypto dynamic-map DMAP 10
set transform-set ezset
set isakmp-profile RA-Ike_profile <---------

This will work, but im not sure if your looking for such a
solution.

Let me know. Im curious.

Thanks
Kal

On 11/7/06, Lab Rat #109385382 <techlist01@gmail.com> wrote:
>
> You have no authentication statements...
>
> You need:
>
> aaa authentication login default local
>
> crypto map VPN client authentication list default
>
> HTH,
>
> Ed
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> secondie
> Sent: Tuesday, November 07, 2006 6:20 PM
> To: Cisco certification; security@groupstudy.com
> Subject: EZVPN problem -- Help !!!
>
> Working on EZVPN and getting stuck on same error every time.
>
> *Mar 1 01:00:06.515: ISAKMP (0:40): claimed IOS but failed
> authentication <<<+++++++++++++WHAT does this mean ???
>
>
> May be I am looking at wrong place so the debug for server side is below.
>
> Any help is appreciated. !!!!
>
>
> TIA
> -secondie
>
>
>
> Server side config:
>
> R4#sh running-config
> username cisco password 0 cisco
> !
> aaa authorization network EZ local
> !
> crypto isakmp policy 10
> hash md5
> authentication pre-share
> group 2
> !
> crypto isakmp key cciesec address 195.1.114.1 !
> crypto isakmp client configuration group EZVPN key trinetnt pool VPNPool !
> crypto ipsec transform-set ezset esp-des esp-md5-hmac !
> crypto dynamic-map DMAP 10
> set transform-set ezset
> !
> crypto map mymap isakmp authorization list EZ crypto map mymap client
> configuration address initiate crypto map mymap client configuration
> address
> respond crypto map mymap 10 ipsec-isakmp set peer 195.1.114.1 set
> transform-set myset match address 114 !
> crypto map mymap 100 ipsec-isakmp dynamic DMAP !
> interface FastEthernet0/0
> ip address 195.1.114.4 255.255.255.0
> crypto map mymap
> !
> ip local pool VPNPool 192.168.1.1 192.168.1.254
>
>
>
>
> Client side:
>
> crypto ipsec client ezvpn EZ
> connect auto
> group EZVPN key trinetnt
> mode client
> peer 195.1.114.4
> !
> interface Loopback55
> ip address 10.55.55.55 255.255.255.0
> crypto ipsec client ezvpn EZ inside
> !
> interface Serial0/0:0
> ip address 195.3.56.5 255.255.255.0
> crypto ipsec client ezvpn EZ
>
>
>
> debugs: on server side:
> R4#sh debug
>
>
>
> Cryptographic Subsystem:
> Crypto ISAKMP debugging is on
> Crypto IPSEC debugging is on
> R4#
> *Mar 1 00:59:24.239: ISAKMP (0:0): received packet from 195.3.56.5 dport
> 500 sport 500 Global (N) NEW SA *Mar 1 00:59:24.239: ISAKMP: Created a
> peer
> struct for 195.3.56.5, peer port 500 *Mar 1 00:59:24.239: ISAKMP: Locking
> peer struct 0x8365A4F0, IKE refcount 1 for
> crypto_ikmp_config_initialize_sa
> *Mar 1 00:59:24.239: ISAKMP (0:0): Setting client config settings
> 8365E8F0
> *Mar 1 00:59:24.239: ISAKMP: local port 500, remote port 500 *Mar 1
> 00:59:24.243: ISAKMP: Find a dup sa in the avl tree during calling
> isadb_insert sa = 83667BE8 *Mar 1 00:59:24.243: ISAKMP (0:39): processing
> SA payload. message ID = 0 *Mar 1 00:59:24.243: ISAKMP (0:39): processing
> ID payload. message ID = 0 *Mar 1 00:59:24.243: ISAKMP (0:39): peer
> matches
> *none* of the profiles *Mar 1 00:59:24.243: ISAKMP (0:39): processing
> vendor id payload *Mar 1 00:59:24.243: ISAKMP (0:39): vendor ID seems
> Unity/DPD but major
> 157 mismatch
> *Mar 1 00:59:24.243: ISAKMP (0:39): vendor ID is NAT-T v3 *Mar 1 0
> R4#0:59:24.243: ISAKMP (0:39): processing vendor id payload *Mar 1
> 00:59:24.243: ISAKMP (0:39): vendor ID seems Unity/DPD but major
> 123 mismatch
> *Mar 1 00:59:24.247: ISAKMP (0:39): vendor ID is NAT-T v2 *Mar 1
> 00:59:24.247: ISAKMP: no pre-shared key based on address
> 195.3.56.5 !
> *Mar 1 00:59:24.247: ISAKMP: Looking for a matching key for 195.3.56.5 in
> default *Mar 1 00:59:24.247: ISAKMP (0:39): No pre-shared key with
> 195.3.56.5!
> *Mar 1 00:59:24.247: ISAKMP : Scanning profiles for xauth ...
> *Mar 1 00:59:24.247: ISAKMP (0:39): Checking ISAKMP transform 1 against
> priority 10 policy
> *Mar 1 00:59:24.247: ISAKMP: encryption 3DES-CBC
> *Mar 1 00:59:24.247: ISAKMP: hash SHA
> *Mar 1 00:59:24.247: ISAKMP: default group 2
> *Mar 1 00:59:24.247: ISAKMP: auth XAUTHInitPreShared
> *Mar 1 00:59:24.247: ISAKMP: life type in seconds
> *Mar 1 00:59:24.247: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4
> 0x9B
> *Mar 1 00:59:24.247: ISAKMP (0:39): Encryption algorithm offered does not
> match policy!
> *Mar 1 00:59:24.247: ISAKMP (0:39): atts are not acceptable. Next payload
> is 3 *Mar 1 00:59:24.251: ISAKMP (0:39): Checking ISAKMP transform 2
> against priority 10 policy
> *Mar 1 00:59:24.251: ISAKMP: encryption 3DES-CBC
> *Mar 1 00:59:24.251: ISAKMP: hash MD5
> *Mar 1 00:59:24.251: ISAKMP: default group 2
> *Mar 1 00:59:24.251: ISAKMP: auth XAUTHInitPreShared
> *Mar 1 00:59:24.251: ISAKMP: life type in seconds
> *Mar 1 00:59:24.251: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4
> 0x9B
> *Mar 1 00:59:24.251: ISAKMP (0:39): Encryption algorithm offered does not
> match policy!
> *Mar 1 00:59:24.251: ISAKMP (0:39): atts are not acceptable. Next payload
> is 3 *Mar 1 00:59:24.251: ISAKMP (0:39): Checking ISAKMP transform 3
> against priority 10 policy
> *Mar 1 00:59:24.251: ISAKMP: encryption 3DES-CBC
> *Mar 1 00:59:24.251: ISAKMP: hash SHA
> *Mar 1 00:59:24.251: ISAKMP: default group 2
> *Mar 1 00:59:24.251: ISAKMP: auth pre-share
> *Mar 1 00:59:24.251: ISAKMP: life type in seconds
> *Mar 1 00:59:24.251: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4
> 0x9B
> *Mar 1 00:59:24.255: ISAKMP (0:39): Encryption algorithm offered does not
> match policy!
> *Mar 1 00:59:24.255: ISAKMP (0:39): atts are not acceptable. Next payload
> is 3 *Mar 1 00:59:24.255: ISAKMP (0:39): Checking ISAKMP transform 4
> against priority 10 policy
> *Mar 1 00:59:24.255: ISAKMP: encryption 3DES-CBC
> *Mar 1 00:59:24.255: ISAKMP: hash MD5
> *Mar 1 00:59:24.255: ISAKMP: default group 2
> *Mar 1 00:59:24.255: ISAKMP: auth pre-share
> *Mar 1 00:59:24.255: ISAKMP: life type in seconds
> *Mar 1 00:59:24.255: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4
> 0x9B
> *Mar 1 00:59:24.255: ISAKMP (0:39): Encryption algorithm offered does not
> match policy!
> *Mar 1 00:59:24.255: ISAKMP (0:39): atts are not acceptable. Next payload
> is 3 *Mar 1 00:59:24.255: ISAKMP (0:39): Checking ISAKMP transform 5
> against priority 10 policy
> *Mar 1 00:59:24.255: ISAKMP: encryption DES-CBC
> *Mar 1 00:59:24.255: ISAKMP: hash SHA
> *Mar 1 00:59:24.255: ISAKMP: default group 2
> *Mar 1 00:59:24.259: ISAKMP: auth XAUTHInitPreShared
> *Mar 1 00:59:24.259: ISAKMP: life type in seconds
> *Mar 1 00:59:24.259: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4
> 0x9B
> *Mar 1 00:59:24.259: ISAKMP (0:39): Hash algorithm offered does not match
> policy!
> *Mar 1 00:59:24.259: ISAKMP (0:39): atts are not acceptable. Next payload
> is 3 *Mar 1 00:59:24.259: ISAKMP (0:39): Checking ISAKMP transform 6
> against priority 10 policy
> *Mar 1 00:59:24.259: ISAKMP: encryption DES-CBC
> *Mar 1 00:59:24.259: ISAKMP: hash MD5
> *Mar 1 00:59:24.259: ISAKMP: default group 2
> *Mar 1 00:59:24.259: ISAKMP: auth XAUTHInitPreShared
> *Mar 1 00:59:24.259: ISAKMP: life type in seconds
> *Mar 1 00:59:24.259: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4
> 0x9B
> *Mar 1 00:59:24.259: ISAKMP (0:39): Xauth authentication by pre-shared
> key
> offered but does not match policy!
> *Mar 1 00:59:24.259: ISAKMP (0:39): atts are not acceptable. Next payload
> is 3 *Mar 1 00:59:24.259: ISAKMP (0:39): Checking ISAKMP transform 7
> against priority 10 policy
> *Mar 1 00:59:24.263: ISAKMP: encryption DES-CBC
> *Mar 1 00:59:24.263: ISAKMP: hash SHA
> *Mar 1 00:59:24.263: ISAKMP: default group 2
> *Mar 1 00:59:24.263: ISAKMP: auth pre-share
> *Mar 1 00:59:24.263: ISAKMP: life type in seconds
> *Mar 1 00:59:24.263: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4
> 0x9B
> *Mar 1 00:59:24.263: ISAKMP (0:39): Hash algorithm offered does not match
> policy!
> *Mar 1 00:59:24.263: ISAKMP (0:39): atts are not acceptable. Next payload
> is 3 *Mar 1 00:59:24.263: ISAKMP (0:39): Checking ISAKMP transform 8
> against priority 10 policy
> *Mar 1 00:59:24.263: ISAKMP: encryption DES-CBC
> *Mar 1 00:59:24.263: ISAKMP: hash MD5
> *Mar 1 00:59:24.263: ISAKMP: default group 2
> *Mar 1 00:59:24.263: ISAKMP: auth pre-share
> *Mar 1 00:59:24.263: ISAKMP: life type in seconds
> *Mar 1 00:59:24.263: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4
> 0x9B
> *Mar 1 00:59:24.267: ISAKMP (0:39): atts are acceptable. Next payload is
> 0
> *Mar 1 00:59:24.479: ISAKMP (0:39): processing vendor id payload *Mar 1
> 00:59:24.479: ISAKMP (0:39): vendor ID seems Unity/DPD but major
> 157 mismatch
> *Mar 1 00:59:24.479: ISAKMP (0:39): vendor ID is NAT-T v3 *Mar 1
> 00:59:24.479: ISAKMP (0:39): processing vendor id payload *Mar 1
> 00:59:24.479: ISAKMP (0:39): vendor ID seems Unity/DPD but major
> 123 mismatch
> *Mar 1 00:59:24.479: ISAKMP (0:39): vendor ID is NAT-T v2 *Mar 1
> 00:59:24.479: ISAKMP (0:39): processing KE payload. message ID = 0 *Mar 1
> 00:59:24.747: ISAKMP (0:39): processing NONCE payload. message ID = 0 *Mar
> 1 00:59:24.747: ISAKMP (0:39): processing vendor id payload *Mar 1
> 00:59:24.747: ISAKMP (0:39): vendor ID is DPD *Mar 1 00:59:24.747: ISAKMP
> (0:39): processing vendor id payload *Mar 1 00:59:24.747: ISAKMP (0:39):
> vendor ID seems Unity/DPD but major
> 186 mismatch
> *Mar 1 00:59:24.751: ISAKMP (0:39): vendor ID is XAUTH *Mar 1
> 00:59:24.751: ISAKMP (0:39): processing vendor id payload *Mar 1
> 00:59:24.751: ISAKMP (0:39): claimed IOS but failed authentication *Mar 1
> 00:59:24.751: ISAKMP (0:39): processing vendor id payload *Mar 1
> 00:59:24.751: ISAKMP (0:39): vendor ID is Unity *Mar 1 00:59:24.751:
> ISAKMP
> (0:39): Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH *Mar 1 00:59:24.751:
> ISAKMP
> (0:39): Old State = IKE_READY New State = IKE_R_AM_AAA_AWAIT
>
> *Mar 1 00:59:24.755: ISAKMP: got callback 1 *Mar 1 00:59:24.755: ISAKMP
> (0:39): incrementing error counter on sa:
> construct_fail_ag_init
> R4#
> R4#
> *Mar 1 00:59:34.239: ISAKMP (0:39): received packet from 195.3.56.5 dport
> 500 sport 500 Global (R) AG_NO_STATE *Mar 1 00:59:34.243: ISAKMP (0:39):
> phase 1 packet is a duplicate of a previous packet.
> *Mar 1 00:59:34.243: ISAKMP (0:39): retransmitting due to retransmit
> phase
> 1 *Mar 1 00:59:34.243: ISAKMP (0:39): retransmitting phase 1
> AG_NO_STATE...
> *Mar 1 00:59:34.743: ISAKMP (0:39): retransmitting phase 1 AG_NO_STATE...
> *Mar 1 00:59:34.743: ISAKMP (0:39): incrementing error counter on sa:
> retransmit phase 1
> *Mar 1 00:59:34.743: ISAKMP (0:39): retransmitting phase 1 AG_NO_STATE
> R4#
> *Mar 1 00:59:34.743: ISAKMP (0:39): sending packet to 195.3.56.5 my_port
> 500 peer_port 500 (R) AG_NO_STATE R4# *Mar 1 00:59:35.759: ISAKMP (0:39):
> received packet from 195.3.56.5 dport 500 sport 500 Global (R) AG_NO_STATE
> *Mar 1 00:59:35.763: ISAKMP (0:39): phase 1 packet is a duplicate of a
> previous packet.
> *Mar 1 00:59:35.763: ISAKMP (0:39): retransmitting due to retransmit
> phase
> 1 *Mar 1 00:59:35.763: ISAKMP (0:39): retransmitting phase 1
> AG_NO_STATE...
> *Mar 1 00:59:36.263: ISAKMP (0:39): retransmitting phase 1 AG_NO_STATE...
> *Mar 1 00:59:36.263: ISAKMP (0:39): incrementing error counter on sa:
> retransmit phase 1
> *Mar 1 00:59:36.263: ISAKMP (0:39): no outgoing phase 1 packet to
> retransmit. AG_NO_STATE R4# *Mar 1 00:59:41.483: ISAKMP (0:38): purging
> SA., sa=836649AC, delme=836649AC *Mar 1 00:59:41.483: ISAKMP: Unlocking
> IKE
> struct 0x8365E7B8 for declare_sa_dead(), count 0 *Mar 1 00:59:41.483:
> ISAKMP (0:37): purging SA., sa=836640BC, delme=836640BC *Mar 1
> 00:59:41.483: ISAKMP: Unlocking IKE struct 0x83665F3C for
> declare_sa_dead(),
> count 0 *Mar 1 00:59:41.487: ISAKMP (0:36): purging SA., sa=836637CC,
> delme=836637CC *Mar 1 00:59:41.487: ISAKMP: Unlocking IKE struct
> 0x8365EAC8
> for declare_sa_dead(), count 0 R4# *Mar 1 00:59:45.763: ISAKMP (0:39):
> received packet from 195.3.56.5 dport 500 sport 500 Global (R) AG_NO_STATE
> *Mar 1 00:59:45.763: ISAKMP (0:39): phase 1 packet is a duplicate of a
> previous packet.
> *Mar 1 00:59:45.763: ISAKMP (0:39): retransmitting due to retransmit
> phase
> 1 *Mar 1 00:59:45.763: ISAKMP (0:39): retransmitting phase 1
> AG_NO_STATE...
> *Mar 1 00:59:46.263: ISAKMP (0:39): retransmitting phase 1 AG_NO_STATE...
> *Mar 1 00:59:46.263: ISAKMP (0:39): incrementing error counter on sa:
> retransmit phase 1
> *Mar 1 00:59:46.263: ISAKMP (0:39): no outgoing phase 1 packet to
> retransmit. AG_NO_STATE R4# *Mar 1 00:59:55.763: ISAKMP (0:39): received
> packet from 195.3.56.5 dport 500 sport 500 Global (R) AG_NO_STATE *Mar 1
> 00:59:55.763: ISAKMP (0:39): phase 1 packet is a duplicate of a previous
> packet.
> *Mar 1 00:59:55.763: ISAKMP (0:39): retransmitting due to retransmit
> phase
> 1 *Mar 1 00:59:55.763: ISAKMP (0:39): retransmitting phase 1
> AG_NO_STATE...
> *Mar 1 00:59:56.263: ISAKMP (0:39): retransmitting phase 1 AG_NO_STATE...
> *Mar 1 00:59:56.263: ISAKMP (0:39): incrementing error counter on sa:
> retransmit phase 1
> *Mar 1 00:59:56.263: ISAKMP (0:39): no outgoing phase 1 packet to
> retransmit. AG_NO_STATE R4# *Mar 1 01:00:05.999: ISAKMP (0:0): received
> packet from 195.3.56.5 dport 500 sport 500 Global (N) NEW SA *Mar 1
> 01:00:05.999: ISAKMP: Created a peer struct for 195.3.56.5, peer port 500
> *Mar 1 01:00:06.003: ISAKMP: Locking peer struct 0x8365E9AC, IKE refcount
> 1
> for crypto_ikmp_config_initialize_sa *Mar 1 01:00:06.003: ISAKMP (0:0):
> Setting client config settings 83666B04 *Mar 1 01:00:06.003: ISAKMP:
> local
> port 500, remote port 500 *Mar 1 01:00:06.003: ISAKMP: Find a dup sa in
> the
> avl tree during calling isadb_insert sa = 83663538 *Mar 1 01:00:06.003:
> ISAKMP (0:40): processing SA payload. message ID = 0 *Mar 1 01:00:06.003:
> ISAKMP (0:40): processing ID payload. message ID = 0 *Mar 1 01:00:06.003:
> ISAKMP (0:40): peer matches *none* of the profiles *Mar 1 01:00:06.003:
> ISAKMP (0:40): processing vendor id payload *Mar 1 01:00:06.007: ISAKMP
> (0:40): vendor ID seems Unity/DPD but major
> 157 mismatch
> *Mar 1 01:00:06.007: ISAKMP (0:40): vendor ID is NAT-T v3 *Mar 1 0
> R4#1:00:06.007: ISAKMP (0:40): processing vendor id payload *Mar 1
> 01:00:06.007: ISAKMP (0:40): vendor ID seems Unity/DPD but major
> 123 mismatch
> *Mar 1 01:00:06.007: ISAKMP (0:40): vendor ID is NAT-T v2 *Mar 1
> 01:00:06.007: ISAKMP: no pre-shared key based on address
> 195.3.56.5 !
> *Mar 1 01:00:06.007: ISAKMP: Looking for a matching key for 195.3.56.5 in
> default *Mar 1 01:00:06.007: ISAKMP (0:40): No pre-shared key with
> 195.3.56.5!
> *Mar 1 01:00:06.007: ISAKMP : Scanning profiles for xauth ...
> *Mar 1 01:00:06.007: ISAKMP (0:40): Checking ISAKMP transform 1 against
> priority 10 policy
> *Mar 1 01:00:06.007: ISAKMP: encryption 3DES-CBC
>
>
> SNIP SNIP .....policies fail to match ....
>
>
> *Mar 1 01:00:06.023: ISAKMP (0:40): Checking ISAKMP transform 7 against
> priority 10 policy
> *Mar 1 01:00:06.023: ISAKMP: encryption DES-CBC
> *Mar 1 01:00:06.023: ISAKMP: hash SHA
> *Mar 1 01:00:06.023: ISAKMP: default group 2
> *Mar 1 01:00:06.023: ISAKMP: auth pre-share
> *Mar 1 01:00:06.023: ISAKMP: life type in seconds
> *Mar 1 01:00:06.023: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4
> 0x9B
> *Mar 1 01:00:06.023: ISAKMP (0:40): Hash algorithm offered does not match
> policy!
> *Mar 1 01:00:06.023: ISAKMP (0:40): atts are not acceptable. Next payload
> is 3 *Mar 1 01:00:06.023: ISAKMP (0:40): Checking ISAKMP transform 8
> against priority 10 policy
> *Mar 1 01:00:06.023: ISAKMP: encryption DES-CBC
> *Mar 1 01:00:06.027: ISAKMP: hash MD5
> *Mar 1 01:00:06.027: ISAKMP: default group 2
> *Mar 1 01:00:06.027: ISAKMP: auth pre-share
> *Mar 1 01:00:06.027: ISAKMP: life type in seconds
> *Mar 1 01:00:06.027: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4
> 0x9B
> *Mar 1 01:00:06.027: ISAKMP (0:40): atts are acceptable. Next payload is
> 0
> <<<<============ ISAKMP Matched *Mar 1 01:00:06.243: ISAKMP (0:40):
> processing vendor id payload *Mar 1 01:00:06.243: ISAKMP (0:40): vendor
> ID
> seems Unity/DPD but major
> 157 mismatch
> *Mar 1 01:00:06.243: ISAKMP (0:40): vendor ID is NAT-T v3 *Mar 1
> 01:00:06.243: ISAKMP (0:40): processing vendor id payload *Mar 1
> 01:00:06.243: ISAKMP (0:40): vendor ID seems Unity/DPD but major
> 123 mismatch
> *Mar 1 01:00:06.243: ISAKMP (0:40): vendor ID is NAT-T v2 *Mar 1
> 01:00:06.243: ISAKMP (0:40): processing KE payload. message ID = 0 *Mar 1
> 01:00:06.511: ISAKMP (0:40): processing NONCE payload. message ID = 0 *Mar
> 1 01:00:06.511: ISAKMP (0:40): processing vendor id payload *Mar 1
> 01:00:06.511: ISAKMP (0:40): vendor ID is DPD *Mar 1 01:00:06.511: ISAKMP
> (0:40): processing vendor id payload *Mar 1 01:00:06.515: ISAKMP (0:40):
> vendor ID seems Unity/DPD but major
> 186 mismatch
> *Mar 1 01:00:06.515: ISAKMP (0:40): vendor ID is XAUTH *Mar 1
> 01:00:06.515: ISAKMP (0:40): processing vendor id payload *Mar 1
> 01:00:06.515: ISAKMP (0:40): claimed IOS but failed
> authentication <<<+++++++++++++WHAT does this mean ???
> *Mar 1 01:00:06.515: ISAKMP (0:40): processing vendor id payload *Mar 1
> 01:00:06.515: ISAKMP (0:40): vendor ID is Unity *Mar 1 01:00:06.515:
> ISAKMP
> (0:40): Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH *Mar 1 01:00:06.515:
> ISAKMP
> (0:40): Old State = IKE_READY New State = IKE_R_AM_AAA_AWAIT
>
> *Mar 1 01:00:06.519: ISAKMP: got callback 1 *Mar 1 01:00:06.519: ISAKMP
> (0:40): incrementing error counter on sa:
> construct_fail_ag_init
> R4#
> R4#
> R4#
> R4#
> R4#
> R4#
> R4#
> R4#
> R4#
> R4#
> R4#
> R4#
> R4#
> R4#
> R4#
> R4#
> R4#
> R4#
> R4#
> *Mar 1 01:00:16.003: ISAKMP (0:40): received packet from 195.3.56.5 dport
> 500 sport 500 Global (R) AG_NO_STATE *Mar 1 01:00:16.003: ISAKMP (0:40):
> phase 1 packet is a duplicate of a previous packet.
> *Mar 1 01:00:16.003: ISAKMP (0:40): retransmitting due to retransmit
> phase
> 1 *Mar 1 01:00:16.003: ISAKMP (0:40): retransmitting phase 1
> AG_NO_STATE...
> *Mar 1 01:00:16.503: ISAKMP (0:40): retransmitting phase 1 AG_NO_STATE...
> *Mar 1 01:00:16.503: ISAKMP (0:40): incrementing error counter on sa:
> retransmit phase 1
> *Mar 1 01:00:16.503: ISAKMP (0:40): retransmitting phase 1 AG_NO_STATE
> R4#
> *Mar 1 01:00:16.503: ISAKMP (0:40): sending packet to 195.3.56.5 my_port
> 500 peer_port 500 (R) AG_NO_STATE R4# *Mar 1 01:00:17.519: ISAKMP (0:40):
> received packet from 195.3.56.5 dport 500 sport 500 Global (R) AG_NO_STATE
> *Mar 1 01:00:17.519: ISAKMP (0:40): phase 1 packet is a duplicate of a
> previous packet.
> *Mar 1 01:00:17.519: ISAKMP (0:40): retransmitting due to retransmit
> phase
> 1 *Mar 1 01:00:17.519: ISAKMP (0:40): retransmitting phase 1
> AG_NO_STATE...
> *Mar 1 01:00:18.019: ISAKMP (0:40): retransmitting phase 1 AG_NO_STATE...
> *Mar 1 01:00:18.019: ISAKMP (0:40): incrementing error counter on sa:
> retransmit phase 1
> *Mar 1 01:00:18.019: ISAKMP (0:40): no outgoing phase 1 packet to
> retransmit. AG_NO_STATE R4# *Mar 1 01:00:27.519: ISAKMP (0:40): received
> packet from 195.3.56.5 dport 500 sport 500 Global (R) AG_NO_STATE *Mar 1
> 01:00:27.519: ISAKMP (0:40): phase 1 packet is a duplicate of a previous
> packet.
> *Mar 1 01:00:27.519: ISAKMP (0:40): retransmitting due to retransmit
> phase
> 1 *Mar 1 01:00:27.519: ISAKMP (0:40): retransmitting phase 1
> AG_NO_STATE...
> *Mar 1 01:00:28.023: ISAKMP (0:40): retransmitting phase 1 AG_NO_STATE...
> *Mar 1 01:00:28.023: ISAKMP (0:40): incrementing error counter on sa:
> retransmit phase 1
> *Mar 1 01:00:28.023: ISAKMP (0:40): no outgoing phase 1 packet to
> retransmit. AG_NO_STATE R4# *Mar 1 01:00:37.519: ISAKMP (0:40): received
> packet from 195.3.56.5 dport 500 sport 500 Global (R) AG_NO_STATE *Mar 1
> 01:00:37.519: ISAKMP (0:40): phase 1 packet is a duplicate of a previous
> packet.
> *Mar 1 01:00:37.523: ISAKMP (0:40): retransmitting due to retransmit
> phase
> 1 *Mar 1 01:00:37.523: ISAKMP (0:40): retransmitting phase 1
> AG_NO_STATE...
> *Mar 1 01:00:38.023: ISAKMP (0:40): retransmitting phase 1 AG_NO_STATE...
> *Mar 1 01:00:38.023: ISAKMP (0:40): incrementing error counter on sa:
> retransmit phase 1
> *Mar 1 01:00:38.023: ISAKMP (0:40): no outgoing phase 1 packet to
> retransmit. AG_NO_STATE R4# R4# R4#
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

This archive was generated by hypermail 2.1.4 : Fri Dec 01 2006 - 08:05:45 ART