1. Phase I proposal mismatch:
Run show crypto isakmp sa
Initiator:
MM_WAIT_MSG2
Responder:
No info
This is most likely a Phase 1 proposal mismatch; verify the IKEv1 policy. Other symptoms:
Initiator log:
Information Exchange processing failed
All configured IKE versions failed to establish the tunnel
Initiator debug:
Received an un-encrypted NO_PROPOSAL_CHOSEN notify message, dropping
Responder log:
Error processing payload: Payload ID
Responder debug:
All SA proposals found unacceptable
2. IKE version mismatch:
Run show crypto isakmp sa
No info on either the initiator or the responder
Initiator log:
Removing peer from correlator table failed, no match!
Reason: User Requested
All configured IKE versions failed to establish the tunnel
Initiator debug:
Oakley begin quick mode
PHASE 1 COMPLETED
IKE Initiator sending 1st QM pkt
Removing peer from correlator table failed, no match!
Session is being torn down. Reason: User Requested
Responder log:
Tunnel Rejected: Conflicting protocols specified by tunnel-group and group-policy
Removing peer from correlator table failed, no match!
Responder debug:
PHASE 1 COMPLETED
IKE Responder starting QM
Tunnel Rejected: Conflicting protocols specified by tunnel-group and group-policy
3. Pre-shared key mismatch:
Run show crypto isakmp sa
Initiator:
MM_WAIT_MSG6
Responder:
MM_WAIT_MSG5
Initiator log:
Error, peer has indicated that something is wrong with our message. This could indicate a pre-shared key mismatch.
Tunnel Manager has failed to establish an L2L SA. All configured IKE versions failed to establish the tunnel. Map Tag= MAP. Map Sequence Number = 10.
Initiator debug:
Received an un-encrypted PAYLOAD_MALFORMED notify message, dropping
Error, peer has indicated that something is wrong with our message. This could indicate a pre-shared key mismatch.
Received encrypted packet with no matching SA, dropping
Responder log:
ERROR, had problems decrypting packet, probably due to mismatched pre-shared key. Aborting
Responder debug:
Received encrypted Oakley Main Mode packet with invalid payloads, MessID = 0
ERROR, had problems decrypting packet, probably due to mismatched pre-shared key. Aborting
4. Phase II mismatch:
Run show crypto isakmp sa
No info displayed on either the initiator or the responder
Initiator log:
Removing peer from correlator table failed, no match!
Reason: User Requested
Tunnel Manager has failed to establish an L2L SA. All configured IKE versions failed to establish the tunnel. Map Tag= MAP. Map Sequence Number = 10.
Initiator debug:
PHASE 1 COMPLETED
IKE Initiator sending 1st QM pkt
Received non-routine Notify message: No proposal chosen
Reason: Peer Terminate
Responder log:
QM FSM error
Removing peer from correlator table failed, no match!
Reason: Phase 2 Mismatch
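The four symptom lists above can be turned into a small triage script. This is an added example, not part of the original post or any Cisco tooling; the diagnosis labels and the classify function are hypothetical names, and the match strings are the ones quoted on this page.

```python
from collections import Counter

# Substrings copied from the symptom lists on this page. Lines listed under
# more than one heading ("PHASE 1 COMPLETED", "Removing peer from correlator
# table failed", "All configured IKE versions failed") are left out on
# purpose: they do not discriminate between causes.
SIGNATURES = {
    "phase1-proposal-mismatch": [
        "MM_WAIT_MSG2", "un-encrypted NO_PROPOSAL_CHOSEN notify",
        "All SA proposals found unacceptable"],
    "ike-version-mismatch": [
        "Conflicting protocols specified by tunnel-group and group-policy"],
    "pre-shared-key-mismatch": [
        "MM_WAIT_MSG5", "MM_WAIT_MSG6", "un-encrypted PAYLOAD_MALFORMED notify",
        "problems decrypting packet", "could indicate a pre-shared key mismatch"],
    "phase2-mismatch": [
        "Notify message: No proposal chosen", "QM FSM error",
        "Reason: Phase 2 Mismatch"],
}

def classify(lines):
    """Return (diagnosis, hits) for show/log/debug lines from either peer."""
    hits = Counter()
    for line in lines:
        for diagnosis, needles in SIGNATURES.items():
            if any(needle in line for needle in needles):
                hits[diagnosis] += 1
    if not hits:
        return "unknown", {}
    ranked = hits.most_common()
    # Equal evidence for two causes: report that rather than guess.
    if len(ranked) > 1 and ranked[0][1] == ranked[1][1]:
        return "ambiguous", dict(hits)
    return ranked[0][0], dict(hits)

# Constructed sample: responder-side lines as listed for case 4 above.
SAMPLE = [
    "QM FSM error",
    "Removing peer from correlator table failed, no match!",
    "Reason: Phase 2 Mismatch",
]

if __name__ == "__main__":
    print(classify(SAMPLE))
```

For case 2 the initiator-side lines listed above are all shared with case 4, so initiator-only input returns "unknown"; the responder output is what separates the two.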