Hi, Can you provide a whole 'deb cry isa' output from router and ASA? Use level 20 debugging for ASA.
Regards, Piotr 2011/9/26 Dnyaneshwar Gore <[email protected]> > Hi All, > > I am doing YB lab 1, Q 3.2 IPsec L2L tunnel. I am getting an issue and not > able to solve it. > > I have configured R5 router and ASA2 for L2L ipsec. VPN tunnel is getting > established when traffic is initiated from R5 side. But it does not come up > when traffic is initiated from ASA2 side (i.e. from SW2) > > I am getting following error on R5 router: > > 073: ISAKMP:(1024):Checking IPSec proposal 1 > Sep 26 02:20:47.073: ISAKMP: transform 1, ESP_3DES > Sep 26 02:20:47.073: ISAKMP: attributes in transform: > Sep 26 02:20:47.073: ISAKMP: SA life type in seconds > Sep 26 02:20:47.073: ISAKMP: SA life duration (basic) of 3600 > Sep 26 02:20:47.073: ISAKMP: SA life type in kilobytes > Sep 26 02:20:47.073: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 > 0x0 > Sep 26 02:20:47.073: ISAKMP: encaps is 1 (Tunnel) > Sep 26 02:20:47.073: ISAKMP: authenticator is HMAC-MD5 > Sep 26 02:20:47.073: ISAKMP:(1024):atts are acceptable. > Sep 26 02:20:47.073: ISAKMP:(1024): IPSec policy invalidated proposal with > error > 32 > Sep 26 02:20:47.073: ISAKMP:(1024): phase 2 SA policy not acceptable! > (local 192 > .168.55.55 remote 192.168.9.10) > Sep 26 02:20:47.073: ISAKMP: set new node -795672340 to QM_IDLE > Sep 26 02:20:47.073: ISAKMP:(1024):Sending NOTIFY PROPOSAL_NOT_CHOSEN > protocol 3 > spi 1711436688, message ID = -795672340 > Sep 26 02:20:47.073: ISAKMP:(1024): sending packet to 192.168.9.10 my_port > 500 p > eer_port 500 (R) QM_IDLE > Sep 26 02:20:47.073: ISAKMP:(1024):Sending an IKE IPv4 Packet. > Sep 26 02:20:47.073: ISAKMP:(1024):purging node -795672340 > Sep 26 02:20:47.077: ISAKMP:(1024):deleting node 326691547 error TRUE > reason "QM > rejected" > Sep 26 02:20:47.077: ISAKMP:(1024):Node 326691547, Input = > IKE_MESG_FROM_PEER, I > KE_QM_EXCH > Sep 26 02:20:47.077: ISAKMP:(1024):Old State = IKE_QM_READY New State = > IKE_QM_ > READY > Sep 26 02:20:54.761: ISAKMP:(1023):purging SA., sa=65697D00, delme=65697D00 > > It shows that phase 1 is completed and started phase 2 (QM). But proposal > is not accepted. > > I am attaching configs and debug output for your reference. > > Kindly help me to solve this issue. > > Regards, > DMG > > > _______________________________________________ > For more information regarding industry leading CCIE Lab training, please > visit www.ipexpert.com > > Are you a CCNP or CCIE and looking for a job? Check out > www.PlatinumPlacement.com >
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
