I tried doing it again in the office and I can see the HTTP page on the client
machine. When I type in the pass it times out after some time. I am attaching a
debug file on R3 (Server).
Can you tell me if the configuration done by me is correct? I was thinking if
the crypto ipsec client ezvpn IT outside should be on the physical interface or
the virtual-template interface I made on the Client router.

Date: Tue, 11 Oct 2011 11:41:36 +0530
Subject: Re: [OSL | CCIE_Security] EzVPN and VTI
From: [email protected]
To: [email protected]
CC: [email protected]

What is the issue? Is the tunnel coming up?


With regards
Kings

On Mon, Oct 10, 2011 at 11:28 PM, Hussain Arsalan Ali <[email protected]> wrote:

I am configuring EzVPN using VTI. R1 is Client while R3 is Server. There is an
ASA in between which has an allow any any statement there. It is working fine
with Network Extension Mode (without VTI) but when I switched to VTI I can't
bring things up. There are no ISAKMP debug messages on the router. Attached is
the config.

ALI

_______________________________________________

For more information regarding industry leading CCIE Lab training, please visit 
www.ipexpert.com



Are you a CCNP or CCIE and looking for a job? Check out 
www.PlatinumPlacement.com

                                          
Rack1R3#07:54:30.054: ISAKMP:(1074): IPSec policy invalidated proposal with 
error 32
*Mar  1 07:54:30.054: ISAKMP:(1074): phase 2 SA policy not acceptable! (local 
136.1.123.3 remote 136.1.121.1)
*Mar  1 07:54:30.054: ISAKMP: set new node -133501578 to QM_IDLE      
*Mar  1 07:54:30.054: ISAKMP:(1074):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 
3
        spi 1690994888, message ID = -133501578
*Mar  1 07:54:30.054: ISAKMP:(1074): sending packet to 136.1.121.1 my_port 500 
peer_port 500 (R) QM_IDLE      
*Mar  1 07:54:30.054: ISAKMP:(1074):Sending an IKE IPv4 Packet.
*Mar  1 07:54:30.058: ISAKMP:(1074):purging node -133501578
*Mar  1 07:54:30.058: ISAKMP:(1074):deleting node -1904696992 error TRUE reason 
"QM rejected"
*Mar  1 07:54:30.058: ISAKMP:(1074):Node -1904696992, Input = 
IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Mar  1 07:54:30.062: ISAKMP:(1074):Old State = IKE_QM_READY  New State = 
IKE_QM_READY
*Mar  1 07:54:35.026: ISAKMP (0:1074): received packet from 136.1.121.1 dport 
500 sport 500 Globa
Rack1R3#l (R) QM_IDLE      
*Mar  1 07:54:35.026: ISAKMP:(1074): phase 2 packet is a duplicate of a 
previous packet.
*Mar  1 07:54:35.030: ISAKMP:(1074): retransmitting due to retransmit phase 2
*Mar  1 07:54:35.030: ISAKMP:(1074): retransmitting phase 2 QM_IDLE       
-1404583806 ...
*Mar  1 07:54:35.558: ISAKMP:(1074): retransmitting phase 2 QM_IDLE       
-1404583806 ...
*Mar  1 07:54:35.558: ISAKMP (0:1074): incrementing error counter on node, 
attempt 3 of 5: retransmit phase 2
*Mar  1 07:54:35.558: ISAKMP (0:1074): incrementing error counter on sa, 
attempt 1 of 5: retransmit phase 2
*Mar  1 07:54:35.562: ISAKMP:(1074): retransmitting phase 2 -1404583806 QM_IDLE 
     
*Mar  1 07:54:35.562: ISAKMP:(1074): sending packet to 136.1.121.1 my_port 500 
peer_port 500 (R) QM_IDLE      
*Mar  1 07:54:35.562: ISAKMP:(1074):Sending an IKE IPv4 Packet.
*Mar  1 07:54:45.030: ISAKMP (0:1074): received packet from 136.1.121.1 dport 
500 sport 500 Global (R) QM_IDLE      
*Mar  1 07:54:45.030: ISA
Rack1R3#KMP:(1074): phase 2 packet is a duplicate of a previous packet.
*Mar  1 07:54:45.030: ISAKMP:(1074): retransmitting due to retransmit phase 2
*Mar  1 07:54:45.034: ISAKMP:(1074): retransmitting phase 2 QM_IDLE       
-1404583806 ...
*Mar  1 07:54:45.534: ISAKMP:(1074): retransmitting phase 2 QM_IDLE       
-1404583806 ...
*Mar  1 07:54:45.534: ISAKMP (0:1074): incrementing error counter on node, 
attempt 4 of 5: retransmit phase 2
*Mar  1 07:54:45.534: ISAKMP (0:1074): incrementing error counter on sa, 
attempt 2 of 5: retransmit phase 2
*Mar  1 07:54:45.534: ISAKMP:(1074): retransmitting phase 2 -1404583806 QM_IDLE 
     
*Mar  1 07:54:45.538: ISAKMP:(1074): sending packet to 136.1.121.1 my_port 500 
peer_port 500 (R) QM_IDLE      
*Mar  1 07:54:45.538: ISAKMP:(1074):Sending an IKE IPv4 Packet.
*Mar  1 07:54:49.438: ISAKMP:(1074):purging node -1404583806
*Mar  1 07:54:49.518: ISAKMP:(1074):purging node 440189339
*Mar  1 07:54:50.330: ISAKMP:(1074):purging node 1373432198
Rack1R3#
*Mar  1 07:55:00.270: ISAKMP (0:1074): received packet from 136.1.121.1 dport 
500 sport 500 Global (R) QM_IDLE      
*Mar  1 07:55:00.270: ISAKMP: set new node 1538214124 to QM_IDLE      
*Mar  1 07:55:00.274: ISAKMP:(1074): processing HASH payload. message ID = 
1538214124
*Mar  1 07:55:00.274: ISAKMP:received payload type 18
*Mar  1 07:55:00.274: ISAKMP:(1074):Processing delete with reason payload
*Mar  1 07:55:00.278: ISAKMP:(1074):delete doi = 1
*Mar  1 07:55:00.278: ISAKMP:(1074):delete protocol id = 1
*Mar  1 07:55:00.278: ISAKMP:(1074):delete spi_size =  16
*Mar  1 07:55:00.278: ISAKMP:(1074):delete num spis = 1
*Mar  1 07:55:00.278: ISAKMP:(1074):delete_reason = 29
*Mar  1 07:55:00.282: ISAKMP:(1074): processing DELETE_WITH_REASON payload, 
message ID = 1538214124, reason: Unknown delete reason!
*Mar  1 07:55:00.282: ISAKMP:(1074):peer does not do paranoid keepalives.

*Mar  1 07:55:00.282: ISAKMP:(1074):peer does not do paranoid keepalives.

*Mar  1 07:55:00.28
Rack1R3#6: ISAKMP:(1074):deleting SA reason "gen_ipsec_isakmp_delete but doi 
isakmp" state (R) QM_IDLE       (peer 136.1.121.1)
*Mar  1 07:55:00.286: ISAKMP:(1074):deleting node 1538214124 error FALSE reason 
"Informational (in) state 1"
*Mar  1 07:55:00.294: ISAKMP: set new node -1788944588 to QM_IDLE      
*Mar  1 07:55:00.298: ISAKMP:(1074): sending packet to 136.1.121.1 my_port 500 
peer_port 500 (R) QM_IDLE      
*Mar  1 07:55:00.298: ISAKMP:(1074):Sending an IKE IPv4 Packet.
*Mar  1 07:55:00.302: ISAKMP:(1074):purging node -1788944588
*Mar  1 07:55:00.302: ISAKMP:(1074):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Mar  1 07:55:00.306: ISAKMP:(1074):Old State = IKE_P1_COMPLETE  New State = 
IKE_DEST_SA 

*Mar  1 07:55:00.310: ISAKMP:(1074):deleting SA reason "gen_ipsec_isakmp_delete 
but doi isakmp" state (R) QM_IDLE       (peer 136.1.121.1) 
*Mar  1 07:55:00.310: ISAKMP:(0):Can't decrement IKE Call Admission Control 
stat incoming_active since it's already 0.
*Mar  1 07:55:00.314: I
Rack1R3#SAKMP (0:1074): returning address 20.0.0.10 to pool
*Mar  1 07:55:00.314: ISAKMP: Unlocking peer struct 0x64B12894 for 
isadb_mark_sa_deleted(), count 0
*Mar  1 07:55:00.318: ISAKMP: returning address 20.0.0.10 to pool
*Mar  1 07:55:00.322: ISAKMP: Deleting peer node by peer_reap for 136.1.121.1: 
64B12894
*Mar  1 07:55:00.322: ISAKMP: returning address 20.0.0.10 to pool
*Mar  1 07:55:00.326: ISAKMP:(1074):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar  1 07:55:00.330: ISAKMP:(1074):Old State = IKE_DEST_SA  New State = 
IKE_DEST_SA 

*Mar  1 07:55:00.346: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state 
to down
*Mar  1 07:55:01.346: %LINEPROTO-5-UPDOWN: Line protocol on Interface 
Virtual-Access2, changed state to down
Rack1R3#
*Mar  1 07:55:20.058: ISAKMP:(1074):purging node -1904696992
Rack1R3#
*Mar  1 07:55:50.286: ISAKMP:(1074):purging node 1538214124
Rack1R3#
*Mar  1 07:56:00.326: ISAKMP:(1074):purging SA., sa=63AE16C4, delme=63AE16C4
*Mar  1 07:56:00.326: ISAKMP:(1074):purging node -1164740391
*Mar  1 07:56:00.330: ISAKMP:(1074):purging node 1694391419
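
Added example (not part of the original thread or the poster's attachment): a Python triage of the R3 debug output above. It rejoins records split by mail wrapping and by the interleaved Rack1R3# prompt, then counts the phase 2 failure markers that appear in this log; the function names and the choice of SAMPLE lines are assumptions of this example.

```python
import re
from collections import Counter

# A record starts with an IOS debug timestamp such as "*Mar  1 07:54:30.054:"
RECORD = re.compile(r"^\*[A-Z][a-z]{2}\s+\d+\s+\d")
# CLI prompt echoed by the terminal in the middle of a record
PROMPT = re.compile(r"^[\w-]+#")

# Message fragments copied from the debug output above
EVENTS = {
    "phase2_rejected": "phase 2 SA policy not acceptable",
    "proposal_not_chosen": "PROPOSAL_NOT_CHOSEN",
    "sa_deleted": "deleting SA reason",
}

def unwrap(raw):
    """Rejoin records split by mail wrapping or by an interleaved prompt."""
    records = []
    for line in raw.splitlines():
        line = line.rstrip()
        if RECORD.match(line):
            records.append(line)
        elif records and PROMPT.match(line):
            records[-1] += PROMPT.sub("", line)  # prompt cut a word: no space
        elif records and line:
            records[-1] += " " + line.lstrip()   # mail wrap: rejoin with a space
    return records

def triage(raw):
    """Count failure markers and summarise what the responder logged."""
    counts = Counter()
    for rec in unwrap(raw):
        counts.update(name for name, text in EVENTS.items() if text in rec)
    rejected = counts["phase2_rejected"] or counts["proposal_not_chosen"]
    verdict = "phase 2 proposal rejected" if rejected else "no phase 2 rejection seen"
    return dict(counts), verdict

# Lines excerpted from the debug output above, wrapped as in the mail
SAMPLE = '''*Mar  1 07:54:30.054: ISAKMP:(1074): phase 2 SA policy not acceptable! (local
136.1.123.3 remote 136.1.121.1)
*Mar  1 07:54:30.054: ISAKMP:(1074):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol
3
*Mar  1 07:55:00.28
Rack1R3#6: ISAKMP:(1074):deleting SA reason "gen_ipsec_isakmp_delete but doi
isakmp" state (R) QM_IDLE       (peer 136.1.121.1)'''

if __name__ == "__main__":
    print(triage(SAMPLE))
```
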