This is ASA's issue. I hit it many times. When you see this, the workaround is to write mem and reload the routers.
The issue is that ASA keeps sending unacceptable key lengths.

With regards,
Kings

On Thu, Dec 16, 2010 at 3:46 AM, Kyle Ross <[email protected]> wrote:
> Hello Everyone,
>
> I had an interesting thing happen to me today building a L2L tunnel between
> an IOS router and an ASA firewall. MM phase 1 was failing even though
> the atts were identical. This is the debug off the router:
>
> Dec 15 15:30:25.251: ISAKMP:(0):Checking ISAKMP transform 1 against priority 30 policy
> Dec 15 15:30:25.251: ISAKMP: default group 2
> Dec 15 15:30:25.251: ISAKMP: encryption 3DES-CBC
> *Dec 15 15:30:25.251: ISAKMP: keylength of 56797
> *Dec 15 15:30:25.251: ISAKMP: hash SHA
> Dec 15 15:30:25.251: ISAKMP: auth pre-share
> Dec 15 15:30:25.251: ISAKMP: life type in seconds
> Dec 15 15:30:25.251: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
> Dec 15 15:30:25.251: ISAKMP:(0):Unexpected key length attribute
> Dec 15 15:30:25.251: ISAKMP:(0):atts are not acceptable. Next payload is 0
> Dec 15 15:30:25.251: ISAKMP:(0):no offers accepted!
> Dec 15 15:30:25.251: ISAKMP:(0): phase 1 SA policy not acceptable!
>
> After looking a little harder I see the key length attribute in the Phase
> 1 SA, why? Thinking that my router was going sideways I decided to reload
> the router. When it came back up the same problem was still there. After
> some tinkering I decided to reload the ASA and the key length attribute was
> no longer a variable.
>
> Dec 15 15:33:51.595: ISAKMP:(0):Checking ISAKMP transform 1 against priority 30 policy
> Dec 15 15:33:51.595: ISAKMP: default group 2
> Dec 15 15:33:51.595: ISAKMP: encryption 3DES-CBC
> Dec 15 15:33:51.595: ISAKMP: hash SHA
> Dec 15 15:33:51.595: ISAKMP: auth pre-share
> Dec 15 15:33:51.595: ISAKMP: life type in seconds
> Dec 15 15:33:51.595: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
> Dec 15 15:33:51.595: ISAKMP:(0):atts are acceptable. Next payload is 0
> Dec 15 15:33:51.595: ISAKMP:(0):Acceptable atts:actual life: 0
> Dec 15 15:33:51.595: ISAKMP:(0):Acceptable atts:life: 0
>
> Does anyone know why this happened? Is there something I can do to prevent
> this from happening?
>
> Kyle
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
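Added example, not part of the original thread or any Cisco tooling: a small Python check that scans saved `debug crypto isakmp` output for phase 1 offers that carry a key length attribute alongside a fixed-key cipher, which RFC 2409 Appendix A forbids and which is what the router rejects in the first debug above. The function name, the AES handling and the trimmed sample (lines taken from the thread) are assumptions made for illustration.

```python
import re

# RFC 2409 Appendix A: the Key Length attribute MUST NOT be sent with a
# fixed-key cipher, which is why IOS logs "Unexpected key length attribute".
FIXED_KEY_CIPHERS = {"DES-CBC", "3DES-CBC"}
AES_KEYLENGTHS = {128, 192, 256}  # assumption: AES is the only variable-key cipher offered

# Sample input: debug lines quoted in the thread above (bad offer, then good offer).
SAMPLE_DEBUG = """\
Dec 15 15:30:25.251: ISAKMP:(0):Checking ISAKMP transform 1 against priority 30 policy
Dec 15 15:30:25.251: ISAKMP: default group 2
Dec 15 15:30:25.251: ISAKMP: encryption 3DES-CBC
*Dec 15 15:30:25.251: ISAKMP: keylength of 56797
*Dec 15 15:30:25.251: ISAKMP: hash SHA
Dec 15 15:30:25.251: ISAKMP:(0):Unexpected key length attribute
Dec 15 15:33:51.595: ISAKMP:(0):Checking ISAKMP transform 1 against priority 30 policy
Dec 15 15:33:51.595: ISAKMP: default group 2
Dec 15 15:33:51.595: ISAKMP: encryption 3DES-CBC
Dec 15 15:33:51.595: ISAKMP: hash SHA
Dec 15 15:33:51.595: ISAKMP:(0):atts are acceptable. Next payload is 0
"""

TRANSFORM_RE = re.compile(
    r"\*?(.+?): ISAKMP:\(\d+\):Checking ISAKMP transform (\d+) against priority (\d+) policy")
ENCRYPTION_RE = re.compile(r"ISAKMP:\s+encryption (\S+)")
KEYLENGTH_RE = re.compile(r"ISAKMP:\s+keylength of (\d+)")

def audit_transforms(debug_text):
    """Return a finding for every offered transform whose key length attribute is invalid."""
    offers, current = [], None
    for line in debug_text.splitlines():
        if m := TRANSFORM_RE.match(line.strip()):
            current = {"time": m[1], "transform": int(m[2]), "policy": int(m[3]),
                       "cipher": None, "keylength": None}
            offers.append(current)
        elif current is not None and (m := ENCRYPTION_RE.search(line)):
            current["cipher"] = m[1]
        elif current is not None and (m := KEYLENGTH_RE.search(line)):
            current["keylength"] = int(m[1])
    findings = []
    for offer in offers:
        cipher, keylength = offer["cipher"], offer["keylength"]
        if cipher in FIXED_KEY_CIPHERS and keylength is not None:
            findings.append({**offer, "reason": "key length attribute sent with fixed-key cipher"})
        elif cipher and cipher.startswith("AES") and keylength not in AES_KEYLENGTHS:
            findings.append({**offer, "reason": "missing or invalid AES key length"})
    return findings

if __name__ == "__main__":
    for finding in audit_transforms(SAMPLE_DEBUG):
        print(finding)
```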
