It has to be with some version? Plus, shall we expect this thing in the lab? I don't think so! :)

Regards,
Kamran Shakil
ITA NDC Operations Engineer
MidEast Data Systems LLC, Oman
Cell: +968 95804126
Office: +968 24576640
http://www.mynameise.com/kamranshakil77

-----Original Message-----
From: [email protected] on behalf of Kingsley Charles
Sent: Thu 12/16/2010 9:02 AM
To: Kyle Ross
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] MM error between IOS router and ASA firewall

This is ASA's issue. I hit it many times. When you see this, the workaround is to write mem and reload the routers. The issue is that ASA keeps sending unacceptable key lengths.

With regards,
Kings

On Thu, Dec 16, 2010 at 3:46 AM, Kyle Ross <[email protected]> wrote:

Hello Everyone,

I had an interesting thing happen to me today building a L2L tunnel between an IOS router and an ASA firewall. MM phase 1 was failing even though the atts were identical. This is the debug off the router:

Dec 15 15:30:25.251: ISAKMP:(0):Checking ISAKMP transform 1 against priority 30 policy
Dec 15 15:30:25.251: ISAKMP:      default group 2
Dec 15 15:30:25.251: ISAKMP:      encryption 3DES-CBC
Dec 15 15:30:25.251: ISAKMP:      keylength of 56797
Dec 15 15:30:25.251: ISAKMP:      hash SHA
Dec 15 15:30:25.251: ISAKMP:      auth pre-share
Dec 15 15:30:25.251: ISAKMP:      life type in seconds
Dec 15 15:30:25.251: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
Dec 15 15:30:25.251: ISAKMP:(0):Unexpected key length attribute
Dec 15 15:30:25.251: ISAKMP:(0):atts are not acceptable. Next payload is 0
Dec 15 15:30:25.251: ISAKMP:(0):no offers accepted!
Dec 15 15:30:25.251: ISAKMP:(0): phase 1 SA policy not acceptable!

After looking a little harder I see the key length attribute in the Phase 1 SA. Why? Thinking that my router was going sideways, I decided to reload the router. When it came back up the same problem was still there. After some tinkering I decided to reload the ASA, and the key length attribute was no longer a variable.

Dec 15 15:33:51.595: ISAKMP:(0):Checking ISAKMP transform 1 against priority 30 policy
Dec 15 15:33:51.595: ISAKMP:      default group 2
Dec 15 15:33:51.595: ISAKMP:      encryption 3DES-CBC
Dec 15 15:33:51.595: ISAKMP:      hash SHA
Dec 15 15:33:51.595: ISAKMP:      auth pre-share
Dec 15 15:33:51.595: ISAKMP:      life type in seconds
Dec 15 15:33:51.595: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
Dec 15 15:33:51.595: ISAKMP:(0):atts are acceptable. Next payload is 0
Dec 15 15:33:51.595: ISAKMP:(0):Acceptable atts:actual life: 0
Dec 15 15:33:51.595: ISAKMP:(0):Acceptable atts:life: 0

Does anyone know why this happened? Is there something I can do to prevent this from happening?

Kyle

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
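Added example for the thread above (not code from the list, from Cisco, or from either poster): a small Python parser for the IKEv1 phase 1 transform attributes that the router's debug is printing, plus a policy check that applies the same rule the router applied. The attribute numbers and the TV/TLV encoding come from RFC 2409 Appendix A and RFC 2408; the policy dictionary, function names and the "shorter lifetime wins" simplification are my own assumptions. The two sample transforms are constructed to match the two debugs: note that 56797 is 0xDDDD, and that the life duration bytes 0x00 0x01 0x51 0x80 are 86400 seconds (one day). A Key Length attribute is only meaningful for variable-key ciphers such as AES; DES and 3DES have fixed key sizes, so one offered next to 3DES-CBC is exactly what the router rejected as "Unexpected key length attribute". Nothing here explains why the ASA emitted that attribute; it only shows why the router was right to refuse it.

```python
"""IKEv1 phase 1 transform attribute parser and policy check (added example).

Attribute classes and values are from RFC 2409 Appendix A; the policy format,
function names and lifetime handling are assumptions made for this example.
"""
import struct

ATTR_ENCRYPTION = 1
ATTR_HASH = 2
ATTR_AUTH = 3
ATTR_GROUP = 4
ATTR_LIFE_TYPE = 11
ATTR_LIFE_DURATION = 12
ATTR_KEY_LENGTH = 14

ENC_NAMES = {1: "DES-CBC", 5: "3DES-CBC", 7: "AES-CBC"}
HASH_NAMES = {1: "MD5", 2: "SHA"}
AUTH_NAMES = {1: "pre-share", 3: "rsa-sig"}
LIFE_TYPES = {1: "seconds", 2: "kilobytes"}
# DES and 3DES have fixed key sizes; a Key Length attribute is meaningless for them.
FIXED_KEY_CIPHERS = {1, 5}


def encode_attr(atype, value, tlv_bytes=0):
    """Encode one attribute: TV form (AF bit set, 16-bit value) when it fits,
    otherwise TLV form with a big-endian value of tlv_bytes (or minimal) length."""
    if tlv_bytes == 0 and value < 0x10000:
        return struct.pack("!HH", 0x8000 | atype, value)
    n = tlv_bytes or (value.bit_length() + 7) // 8
    return struct.pack("!HH", atype, n) + value.to_bytes(n, "big")


def parse_attrs(data):
    """Decode a run of attributes into an ordered list of (type, value) pairs."""
    attrs, off = [], 0
    while off < len(data):
        if off + 4 > len(data):
            raise ValueError("truncated attribute header")
        type_af, v = struct.unpack_from("!HH", data, off)
        off += 4
        atype = type_af & 0x7FFF
        if type_af & 0x8000:           # TV: v is the value itself
            attrs.append((atype, v))
        else:                          # TLV: v is the length of the value that follows
            if off + v > len(data):
                raise ValueError("truncated attribute value")
            attrs.append((atype, int.from_bytes(data[off:off + v], "big")))
            off += v
    return attrs


def describe(attrs):
    """Render attributes in the style of the IOS 'debug crypto isakmp' lines."""
    fmt = {
        ATTR_GROUP: lambda v: f"default group {v}",
        ATTR_ENCRYPTION: lambda v: f"encryption {ENC_NAMES.get(v, v)}",
        ATTR_KEY_LENGTH: lambda v: f"keylength of {v}",
        ATTR_HASH: lambda v: f"hash {HASH_NAMES.get(v, v)}",
        ATTR_AUTH: lambda v: f"auth {AUTH_NAMES.get(v, v)}",
        ATTR_LIFE_TYPE: lambda v: f"life type in {LIFE_TYPES.get(v, v)}",
        ATTR_LIFE_DURATION: lambda v: f"life duration of {v}",
    }
    return [fmt[t](v) if t in fmt else f"attribute {t} = {v}" for t, v in attrs]


def check_transform(attrs, policy):
    """Compare a peer transform with a local policy (keys: enc, hash, auth, group,
    optional keylen, lifetime). Returns (accepted, reason, negotiated_lifetime)."""
    got = dict(attrs)
    enc, keylen = got.get(ATTR_ENCRYPTION), got.get(ATTR_KEY_LENGTH)
    # The check that the router's debug reported as failing.
    if keylen is not None and enc in FIXED_KEY_CIPHERS:
        return False, "Unexpected key length attribute", None
    wanted = {ATTR_ENCRYPTION: policy["enc"], ATTR_HASH: policy["hash"],
              ATTR_AUTH: policy["auth"], ATTR_GROUP: policy["group"]}
    if "keylen" in policy:
        wanted[ATTR_KEY_LENGTH] = policy["keylen"]
    for atype, value in wanted.items():
        if got.get(atype) != value:
            return False, "atts are not acceptable", None
    if got.get(ATTR_LIFE_TYPE, 1) != 1:     # only lifetimes in seconds handled here
        return False, "atts are not acceptable", None
    # Simplification: the shorter of the two lifetimes becomes the negotiated one.
    life = min(policy["lifetime"], got.get(ATTR_LIFE_DURATION, policy["lifetime"]))
    return True, "atts are acceptable", life


# Local policy mirroring the router's priority 30 policy from the thread (assumed).
POLICY_30 = {"enc": 5, "hash": 2, "auth": 1, "group": 2, "lifetime": 86400}

# Constructed transforms matching the two debugs: the first carries the bogus
# Key Length attribute (56797 == 0xDDDD), the second (after the ASA reload) does not.
# Life duration is sent TLV-style as 4 bytes, 0x00 0x01 0x51 0x80 == 86400.
BAD_TRANSFORM = b"".join([
    encode_attr(ATTR_GROUP, 2), encode_attr(ATTR_ENCRYPTION, 5),
    encode_attr(ATTR_KEY_LENGTH, 0xDDDD), encode_attr(ATTR_HASH, 2),
    encode_attr(ATTR_AUTH, 1), encode_attr(ATTR_LIFE_TYPE, 1),
    encode_attr(ATTR_LIFE_DURATION, 86400, tlv_bytes=4),
])
GOOD_TRANSFORM = b"".join([
    encode_attr(ATTR_GROUP, 2), encode_attr(ATTR_ENCRYPTION, 5),
    encode_attr(ATTR_HASH, 2), encode_attr(ATTR_AUTH, 1),
    encode_attr(ATTR_LIFE_TYPE, 1),
    encode_attr(ATTR_LIFE_DURATION, 86400, tlv_bytes=4),
])

if __name__ == "__main__":
    for name, blob in (("before reload", BAD_TRANSFORM), ("after reload", GOOD_TRANSFORM)):
        attrs = parse_attrs(blob)
        print(name, describe(attrs), check_transform(attrs, POLICY_30))
```

Running it prints the first transform as rejected with "Unexpected key length attribute" and the second as accepted with a negotiated lifetime of 86400, which is what the two debugs show. If you want to confirm which side is at fault on a real tunnel, capture the first main-mode packet (UDP/500) on the router and decode the SA payload the same way; the attribute is either on the wire from the ASA or it is not.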
