| processing: start state #3 connection "myconnname" asaglobalip (in timer_event_cb() at timer.

The remote PIX is configured as a remote client in network extension mode and is accessing the concentrator through ESP-3DES-MD5 IPSec SA and using MD5/HMAC-128 authentication, 3DES encryption and Group 2 DH for IKE.

| timer_event_cb: processing handling event EVENT_DPD for child state #3

Hello. My company creates a VPN through our VPN 3005 Concentrator and a remote Cisco PIX 501.

| expiring aged bare shunts from shunt table
| processing: STOP connection NULL (in process_md() at demux.c:446)
| processing: STOP state #0 (in process_md() at demux.c:445)
| processing: stop from asaglobalip:500 (in process_md() at demux.c:443)
Packet from asaglobalip:500: phase 1 message is part of an unknown exchange

Why does my ipsec partner (asaglobalip) always and infinitely send me messages about phase 1 (some unknown exchange) when the connection is already established and working?

STATE_PARENT_I1: retransmission will wait 8 seconds for response
deleting state (STATE_PARENT_I1) aged 15.155s and NOT sending notification
deleting IKE SA for connection 'myconnname' but connection is supposed to remain up schedule EVENT_REVIVE_CONNS
STATE_PARENT_I1: retransmission will wait 4 seconds for response
STATE_PARENT_I1: retransmission will wait 2 seconds for response
STATE_PARENT_I1: retransmission will wait 1 seconds for response
STATE_PARENT_I1: retransmission will wait 0.5 seconds for response
STATE_PARENT_I1: sent v2I1, expected v2R1

Updated to 6_10.x86_64.rpm

000 State Information: DDoS cookies not required, Accepting new IKE connections
000 IKE SAs: total(1), half-open(1), open(0), authenticated(0), anonymous(0)
000 IPsec SAs: total(0), authenticated(0), anonymous(0)
000 #1: "myconnname":500 STATE_PARENT_I1 (sent v2I1, expected v2R1) EVENT_RETRANSMIT in 0s idle
000 #1: pending CHILD SA for "myconnname"
constructed local IKE proposals for myconnname (IKE SA initiator selecting KE):
1:IKE:ENCR=AES_CBC_256 PRF=HMAC_SHA1 INTEG=HMAC_SHA1_96 DH=MODP1024

Packet from asaip:500: phase 1 message is part of an unknown exchange
"myconnname/0x1" #23522: initiating Main Mode to replace #23521
"myconnname/0x1" #23521: starting keying attempt 5780 of an unlimited number
No response (or no acceptable response) to our first IKEv1 message
"myconnname/0x1" #23521: max number of retransmissions (8) reached STATE_MAIN_I1.
"myconnname" #3: received and ignored empty informational notification payload
"myconnname" #3: ESP traffic information: in=0B out=0B
"myconnname" #3: deleting state #4 (STATE_QUICK_R2)
"myconnname" #3: received Delete SA(0xe40ed673) payload: deleting IPSEC State #4
"myconnname/0x2" #20972: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW to replace #20969
"myconnname/0x2" #20969: starting keying attempt 11 of an unlimited number
"myconnname/0x2" #20969: max number of retransmissions (8) reached STATE_QUICK_I1

Ipsec restart repair connection until the next failure.

asaglobalip:500: phase 1 message is part of an unknown exchange

But after some time (hours, days) connection lost.

I feel like I've just about got it but am just leaving something out (most likely on the router side).

I have Centos6 and libreswan.x86_64 3.15-7.3.el6

All is ok, phase 1 and 2 established, ping working.

Thanks in advance for any help with this. If I left something out that you need to see please let me know and I'll post it. I obviously clipped out most of the config and tried to give you only what is relevant to this tunnel.

Jun 03 13:45:21 : Group =, IP =, Removing peer from correlator table failed, no match!
Jun 03 13:45:21 : Group =, IP =, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
Here is what the ASA shows during the debugs: The way I have the VPN configured I am able to get phase 1 to complete but not phase 2. I have a 2800 series router with a static peer address and an ASA 5505 with a dynamic peer address.