Hello Everyone,
I had an interesting thing happen to me today building a L2L tunnel between an IOS router and an ASA firewall. MM phase 1 was failing even though the atts were identical. This is the debug off the router:

Dec 15 15:30:25.251: ISAKMP:(0):Checking ISAKMP transform 1 against priority 30 policy
Dec 15 15:30:25.251: ISAKMP:      default group 2
Dec 15 15:30:25.251: ISAKMP:      encryption 3DES-CBC
Dec 15 15:30:25.251: ISAKMP:      keylength of 56797
Dec 15 15:30:25.251: ISAKMP:      hash SHA
Dec 15 15:30:25.251: ISAKMP:      auth pre-share
Dec 15 15:30:25.251: ISAKMP:      life type in seconds
Dec 15 15:30:25.251: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
Dec 15 15:30:25.251: ISAKMP:(0):Unexpected key length attribute
Dec 15 15:30:25.251: ISAKMP:(0):atts are not acceptable. Next payload is 0
Dec 15 15:30:25.251: ISAKMP:(0):no offers accepted!
Dec 15 15:30:25.251: ISAKMP:(0): phase 1 SA policy not acceptable!

After looking a little harder I see the key length attribute in the Phase 1 SA, why? Thinking that my router was going sideways I decided to reload the router. When it came back up the same problem was still there. After some tinkering I decided to reload the ASA and the key length attribute was no longer a variable.

Dec 15 15:33:51.595: ISAKMP:(0):Checking ISAKMP transform 1 against priority 30 policy
Dec 15 15:33:51.595: ISAKMP:      default group 2
Dec 15 15:33:51.595: ISAKMP:      encryption 3DES-CBC
Dec 15 15:33:51.595: ISAKMP:      hash SHA
Dec 15 15:33:51.595: ISAKMP:      auth pre-share
Dec 15 15:33:51.595: ISAKMP:      life type in seconds
Dec 15 15:33:51.595: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
Dec 15 15:33:51.595: ISAKMP:(0):atts are acceptable. Next payload is 0
Dec 15 15:33:51.595: ISAKMP:(0):Acceptable atts:actual life: 0
Dec 15 15:33:51.595: ISAKMP:(0):Acceptable atts:life: 0

Does anyone know why this happened? Is there something I can do to prevent this from happening?

Kyle
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
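As an added illustration (not part of Kyle's post or any Cisco tool), the following Python script parses IOS "debug crypto isakmp" transform lines of the kind shown above, decodes the VPI life duration bytes, and flags the same condition the router rejected: a Key Length attribute offered with 3DES-CBC, a fixed-key cipher for which IKEv1 does not define one. The debug lines embedded below are constructed to match the post; the cipher list and function names are assumptions for the example.

```python
import re

# Constructed sample modelled on the failing transform in the post; not
# captured from a live device.
FAILING_OUTPUT = """\
Dec 15 15:30:25.251: ISAKMP:(0):Checking ISAKMP transform 1 against priority 30 policy
Dec 15 15:30:25.251: ISAKMP:      default group 2
Dec 15 15:30:25.251: ISAKMP:      encryption 3DES-CBC
Dec 15 15:30:25.251: ISAKMP:      keylength of 56797
Dec 15 15:30:25.251: ISAKMP:      hash SHA
Dec 15 15:30:25.251: ISAKMP:      auth pre-share
Dec 15 15:30:25.251: ISAKMP:      life type in seconds
Dec 15 15:30:25.251: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
"""

# Same transform after the ASA reload: the keylength line is gone.
HEALTHY_OUTPUT = "\n".join(l for l in FAILING_OUTPUT.splitlines() if "keylength" not in l)

# In IKEv1 only variable-length ciphers carry a Key Length attribute (assumed
# list for this example; extend for your platform).
VARIABLE_KEY_LENGTH_CIPHERS = {"AES-CBC"}


def parse_transform(text):
    """Collect one proposed ISAKMP transform's attributes into a dict."""
    attrs = {}
    for line in text.splitlines():
        body = line.split("ISAKMP:", 1)[1].strip() if "ISAKMP:" in line else ""
        if body.startswith("encryption "):
            attrs["encryption"] = body.split()[1]
        elif body.startswith("keylength of "):
            attrs["keylength"] = int(body.split()[2])
        elif body.startswith("life duration (VPI) of"):
            # Variable-length big-endian integer, e.g. 0x0 0x1 0x51 0x80 -> 86400 s
            hexbytes = re.findall(r"0x[0-9a-fA-F]+", body)
            attrs["lifetime"] = int.from_bytes(bytes(int(h, 16) for h in hexbytes), "big")
        elif body.startswith(("hash ", "auth ", "default group ")):
            key, _, val = body.rpartition(" ")
            attrs[key] = val
    return attrs


def check_transform(attrs):
    """Return the reasons a router would reject this transform (empty if acceptable)."""
    problems = []
    enc = attrs.get("encryption")
    if "keylength" in attrs and enc not in VARIABLE_KEY_LENGTH_CIPHERS:
        problems.append(f"unexpected key length attribute ({attrs['keylength']}) for fixed-key cipher {enc}")
    return problems
```

Running check_transform over the parsed failing output reproduces the router's "Unexpected key length attribute" verdict, while the post-reload output parses clean with an 86400-second lifetime.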
