- Cisco 2811 Ipsec - Couldn't find node: message_id,
 Аноним, 20:16 , 20-Окт-15 (1)>[оверквотинг удален]
> *Oct 20 11:39:15.731: ISAKMP:(0): sending packet to 1.1.1.1 my_port 500 peer_port 500
> (I) MM_NO_STATE
> *Oct 20 11:39:15.731: ISAKMP:(0):Sending an IKE IPv4 Packet.
> *Oct 20 11:39:15.795: ISAKMP (0): received packet from 1.1.1.1 dport 500 sport
> 500 Global (I) MM_NO_STATE
> *Oct 20 11:39:15.795: ISAKMP:(0):Couldn't find node: message_id 1991501159
> *Oct 20 11:39:15.795: ISAKMP (0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY:
> state = IKE_I_MM1
> *Oct 20 11:39:15.795: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
> *Oct 20 11:39:15.795: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM1 Настройки с обоих сторон одинаковые?
Ни одно из устройств за NAT не сидит? Проблема-то в чем? Не поднимается IPSEC или только "Couldn't find node: message_id", а остальное работает?
- Cisco 2811 Ipsec - Couldn't find node: message_id, Евгений, 20:21 , 20-Окт-15 (2)
>[оверквотинг удален]
>> 500 Global (I) MM_NO_STATE
>> *Oct 20 11:39:15.795: ISAKMP:(0):Couldn't find node: message_id 1991501159
>> *Oct 20 11:39:15.795: ISAKMP (0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY:
>> state = IKE_I_MM1
>> *Oct 20 11:39:15.795: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
>> *Oct 20 11:39:15.795: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM1
> Настройки с обоих сторон одинаковые?
> Ни одно из устройств за NAT не сидит?
> Проблема-то в чем? Не поднимается IPSEC или только "Couldn't find node: message_id",
> а остальное работает?Оба устройства с белыми адресами (ко второму доступа нет) только указаны настройки которые были применены с другой стороны, в соответствии с ними был запилен конфиг. При попытке отправить трафик в тоннель он не поднимается, при этом Router2811#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
1.1.1.1 2.2.2.2 MM_NO_STATE 0 ACTIVE Router2811#sh crypto session
Crypto session current status Interface: FastEthernet0/0
Session status: DOWN-NEGOTIATING
Peer: 1.1.1.1 port 500
IKE SA: local 2.2.2.2/500 remote 1.1.1.1/500 Inactive
IPSEC FLOW: permit ip 172.30.0.0/255.255.255.0 172.16.0.0/255.255.254.0
Active SAs: 0, origin: crypto map
Сессия не уходит дальше чем DOWN-NEGOTIATING
- Cisco 2811 Ipsec - Couldn't find node: message_id, eRIC, 06:19 , 21-Окт-15 (3)
- Cisco 2811 Ipsec - Couldn't find node: message_id, Аноним, 14:04 , 21-Окт-15 (4)
>>[оверквотинг удален]
> Оба устройства ... ко второму доступа нетРазбирайтесь с админом второго устройства по поводу настроек. > 1.1.1.1 2.2.2.2 MM_NO_STATE У вас не устанавливается Phase1. Это значит что ваша секция
crypto isakmp policy ...
не равнозначна такой-же конструкции на другой стороне или не согласованы ключи (что скорее всего).
Более ничего без конфигов и сказать нельзя.
- Cisco 2811 Ipsec - Couldn't find node: message_id, Евгений, 10:52 , 22-Окт-15 (5)
Обрезаный конфиг (Из конфига исключено то, что не имеет отношения к данному вопросу, такие как пользователи, настройки snmp, dns и прочего). Current configuration : 3781 bytes
!
version 12.4
!
hostname Router2811
!
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
lifetime 28800
crypto isakmp key xKirHCHJrlfF7YWnb6JfpkdWd8LRFWzx address 1.1.1.1
!
!
crypto ipsec transform-set test-ipsec-proposal-set esp-aes 256 esp-sha-hmac
!
crypto map test-crypto-map 10 ipsec-isakmp
set peer 1.1.1.1
set security-association lifetime kilobytes 102400000
set transform-set test-ipsec-proposal-set
match address 101
!
!
!
interface FastEthernet0/0
ip address 2.2.2.2 255.255.255.248
ip tcp adjust-mss 1350
duplex auto
speed auto
no mop enabled
crypto map test-crypto-map
!
interface FastEthernet0/1
description $ES_LAN$
ip address 172.30.0.1 255.255.255.0
duplex auto
speed 100
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 2.2.2.3
!
!
!
access-list 101 permit ip 172.30.0.0 0.0.0.255 172.16.0.0 0.0.1.255
- Cisco 2811 Ipsec - Couldn't find node: message_id, Евгений, 11:01 , 22-Окт-15 (6)
И лог*Oct 22 09:01:20.940: ISAKMP:(0): SA request profile is (NULL)
*Oct 22 09:01:20.940: ISAKMP: Created a peer struct for 1.1.1.1, peer port 500
*Oct 22 09:01:20.940: ISAKMP: New peer created peer = 0x480B5C2C peer_handle = 0x80000042
*Oct 22 09:01:20.940: ISAKMP: Locking peer struct 0x480B5C2C, refcount 1 for isakmp_initiator
*Oct 22 09:01:20.940: ISAKMP: local port 500, remote port 500
*Oct 22 09:01:20.944: ISAKMP: set new node 0 to QM_IDLE
*Oct 22 09:01:20.944: ISAKMP:(0):insert sa successfully sa = 493E9228
*Oct 22 09:01:20.944: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Oct 22 09:01:20.944: ISAKMP:(0):found peer pre-shared key matching 1.1.1.1
*Oct 22 09:01:20.944: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Oct 22 09:01:20.944: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Oct 22 09:01:20.944: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Oct 22 09:01:20.944: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Oct 22 09:01:20.944: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Oct 22 09:01:20.944: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
*Oct 22 09:01:20.944: ISAKMP:(0): beginning Main Mode exchange
*Oct 22 09:01:20.944: ISAKMP:(0): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) MM_NO_STATE
*Oct 22 09:01:20.944: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Oct 22 09:01:21.004: ISAKMP (0): received packet from 1.1.1.1 dport 500 sport 500 Global (I) MM_NO_STATE
*Oct 22 09:01:21.004: ISAKMP:(0):Couldn't find node: message_id -411290594
*Oct 22 09:01:21.004: ISAKMP (0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY: state = IKE_I_MM1
*Oct 22 09:01:21.004: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Oct 22 09:01:21.004: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM1
*Oct 22 09:01:21.004: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 1.1.1.1
*Oct 22 09:01:29.996: IKE Dispatcher: IKEv2 version 2 detected, Dropping packet!
*Oct 22 09:01:30.944: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Oct 22 09:01:30.944: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Oct 22 09:01:30.944: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Oct 22 09:01:30.944: ISAKMP:(0): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) MM_NO_STATE
*Oct 22 09:01:30.944: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Oct 22 09:01:30.992: IKE Dispatcher: IKEv2 version 2 detected, Dropping packet!
*Oct 22 09:01:31.000: ISAKMP (0): received packet from 1.1.1.1 dport 500 sport 500 Global (I) MM_NO_STATE
*Oct 22 09:01:31.000: ISAKMP:(0):Couldn't find node: message_id -510068758
*Oct 22 09:01:31.000: ISAKMP (0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY: state = IKE_I_MM1
*Oct 22 09:01:31.000: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Oct 22 09:01:31.000: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM1
*Oct 22 09:01:31.996: IKE Dispatcher: IKEv2 version 2 detected, Dropping packet!
*Oct 22 09:01:35.212: IKE Dispatcher: IKEv2 version 2 detected, Dropping packet!
*Oct 22 09:01:36.204: IKE Dispatcher: IKEv2 version 2 detected, Dropping packet!
*Oct 22 09:01:37.208: IKE Dispatcher: IKEv2 version 2 detected, Dropping packet!
*Oct 22 09:01:40.944: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Oct 22 09:01:40.944: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Oct 22 09:01:40.944: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Oct 22 09:01:40.944: ISAKMP:(0): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) MM_NO_STATE
*Oct 22 09:01:40.944: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Oct 22 09:01:41.000: ISAKMP (0): received packet from 1.1.1.1 dport 500 sport 500 Global (I) MM_NO_STATE
*Oct 22 09:01:41.000: ISAKMP:(0):Couldn't find node: message_id -902278816
*Oct 22 09:01:41.000: ISAKMP (0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY: state = IKE_I_MM1
*Oct 22 09:01:41.000: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Oct 22 09:01:41.000: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM1
*Oct 22 09:01:43.208: IKE Dispatcher: IKEv2 version 2 detected, Dropping packet!
*Oct 22 09:01:44.232: IKE Dispatcher: IKEv2 version 2 detected, Dropping packet!
*Oct 22 09:01:45.252: IKE Dispatcher: IKEv2 version 2 detected, Dropping packet!
*Oct 22 09:01:50.940: ISAKMP: set new node 0 to QM_IDLE
*Oct 22 09:01:50.940: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local 2.2.2.2, remote 1.1.1.1)
*Oct 22 09:01:50.940: ISAKMP: Error while processing SA request: Failed to initialize SA
*Oct 22 09:01:50.940: ISAKMP: Error while processing KMI message 0, error 2.
*Oct 22 09:01:50.944: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Oct 22 09:01:50.944: ISAKMP (0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
*Oct 22 09:01:50.944: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Oct 22 09:01:50.944: ISAKMP:(0): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) MM_NO_STATE
*Oct 22 09:01:50.944: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Oct 22 09:01:51.000: ISAKMP (0): received packet from 1.1.1.1 dport 500 sport 500 Global (I) MM_NO_STATE
*Oct 22 09:01:51.000: ISAKMP:(0):Couldn't find node: message_id 227721643
*Oct 22 09:01:51.000: ISAKMP (0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY: state = IKE_I_MM1
*Oct 22 09:01:51.000: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Oct 22 09:01:51.000: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM1
*Oct 22 09:02:00.944: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Oct 22 09:02:00.944: ISAKMP (0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
*Oct 22 09:02:00.944: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Oct 22 09:02:00.944: ISAKMP:(0): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) MM_NO_STATE
*Oct 22 09:02:00.944: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Oct 22 09:02:01.000: ISAKMP (0): received packet from 1.1.1.1 dport 500 sport 500 Global (I) MM_NO_STATE
*Oct 22 09:02:01.000: ISAKMP:(0):Couldn't find node: message_id 1038116462
*Oct 22 09:02:01.000: ISAKMP (0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY: state = IKE_I_MM1
*Oct 22 09:02:01.000: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Oct 22 09:02:01.000: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM1
- Cisco 2811 Ipsec - Couldn't find node: message_id, Евгений, 11:20 , 22-Окт-15 (7)
По поводу ключей, судя по логам ключи совпадают*Oct 22 09:01:20.944: ISAKMP:(0):found peer pre-shared key matching 1.1.1.1
- Cisco 2811 Ipsec - Couldn't find node: message_id, eRIC, 15:20 , 22-Окт-15 (8)
дело не в включах, а версиях IKEv1 против IKEv2у вас: >version 12.4
>*Oct 22 09:01:43.208: IKE Dispatcher: IKEv2 version 2 detected, Dropping packet!
>*Oct 22 09:01:44.232: IKE Dispatcher: IKEv2 version 2 detected, Dropping packet!
>*Oct 22 09:01:45.252: IKE Dispatcher: IKEv2 version 2 detected, Dropping packet! на другой стороне скорее всего 15.1 и используется IKEv2. решение одно из двух:
1- вы обновляетесь до 15.1(если железка позволяет) и оба работаете на IKEv2
2- другая сторона явно должна crypto enable ikev1 и явно указывать ikev1 в настройках policy и transform-set
- Cisco 2811 Ipsec - Couldn't find node: message_id, Евгений, 17:22 , 22-Окт-15 (9)
>[оверквотинг удален]
> у вас:
>>version 12.4
>>*Oct 22 09:01:43.208: IKE Dispatcher: IKEv2 version 2 detected, Dropping packet!
>>*Oct 22 09:01:44.232: IKE Dispatcher: IKEv2 version 2 detected, Dropping packet!
>>*Oct 22 09:01:45.252: IKE Dispatcher: IKEv2 version 2 detected, Dropping packet!
> на другой стороне скорее всего 15.1 и используется IKEv2.
> решение одно из двух:
> 1- вы обновляетесь до 15.1(если железка позволяет) и оба работаете на IKEv2
> 2- другая сторона явно должна crypto enable ikev1 и явно указывать ikev1
> в настройках policy и transform-set Обновился до 15.1 IKE Dispatcher: IKEv2 version 2 detected, Dropping packet! сообщения пропали, все остальные сообщения в дебаге полностью идентичны.
- Cisco 2811 Ipsec - Couldn't find node: message_id, eRIC, 09:43 , 23-Окт-15 (10)
> Обновился до 15.1
> IKE Dispatcher: IKEv2 version 2 detected, Dropping packet! сообщения пропали, все остальные
> сообщения в дебаге полностью идентичны.#show crypto isakmp sa
#show crypto isakmp policy
#show crypto isakmp default policy и предоставьте свежие логи со второй железяки бы аналогичные данные получить
- Cisco 2811 Ipsec - Couldn't find node: message_id, Евгений, 11:43 , 23-Окт-15 (11)
>> Обновился до 15.1
>> IKE Dispatcher: IKEv2 version 2 detected, Dropping packet! сообщения пропали, все остальные
>> сообщения в дебаге полностью идентичны.
> #show crypto isakmp sa
> #show crypto isakmp policy
> #show crypto isakmp default policy
> и предоставьте свежие логи
> со второй железяки бы аналогичные данные получить Router2811#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status IPv6 Crypto ISAKMP SA Router2811#sh crypto isakmp policy Global IKE policy
Protection suite of priority 10
encryption algorithm: AES - Advanced Encryption Standard (256 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #2 (1024 bit)
lifetime: 28800 seconds, no volume limit
Router2811#sh crypto isakmp default policy
Default IKE policy
Default protection suite of priority 65507
encryption algorithm: AES - Advanced Encryption Standard (128 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #5 (1536 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite of priority 65508
encryption algorithm: AES - Advanced Encryption Standard (128 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #5 (1536 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite of priority 65509
encryption algorithm: AES - Advanced Encryption Standard (128 bit keys).
hash algorithm: Message Digest 5
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #5 (1536 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite of priority 65510
encryption algorithm: AES - Advanced Encryption Standard (128 bit keys).
hash algorithm: Message Digest 5
authentication method: Pre-Shared Key
Diffie-Hellman group: #5 (1536 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite of priority 65511
encryption algorithm: Three key triple DES
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #2 (1024 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite of priority 65512
encryption algorithm: Three key triple DES
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #2 (1024 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite of priority 65513
encryption algorithm: Three key triple DES
hash algorithm: Message Digest 5
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #2 (1024 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite of priority 65514
encryption algorithm: Three key triple DES
hash algorithm: Message Digest 5
authentication method: Pre-Shared Key
Diffie-Hellman group: #2 (1024 bit)
lifetime: 86400 seconds, no volume limit После запуска трафика в тоннель Router2811#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
1.1.1.1 2.2.2.2 MM_NO_STATE 0 ACTIVE И логи *Oct 23 09:42:07.399: ISAKMP:(0): SA request profile is (NULL)
*Oct 23 09:42:07.403: ISAKMP: Created a peer struct for 1.1.1.1, peer port 500
*Oct 23 09:42:07.403: ISAKMP: New peer created peer = 0x4A1BDE10 peer_handle = 0x80000003
*Oct 23 09:42:07.403: ISAKMP: Locking peer struct 0x4A1BDE10, refcount 1 for isakmp_initiator
*Oct 23 09:42:07.403: ISAKMP: local port 500, remote port 500
*Oct 23 09:42:07.403: ISAKMP: set new node 0 to QM_IDLE
*Oct 23 09:42:07.403: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 4A2C8EC4
*Oct 23 09:42:07.403: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Oct 23 09:42:07.403: ISAKMP:(0):found peer pre-shared key matching 1.1.1.1
*Oct 23 09:42:07.403: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Oct 23 09:42:07.403: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Oct 23 09:42:07.403: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Oct 23 09:42:07.403: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Oct 23 09:42:07.403: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Oct 23 09:42:07.403: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1 *Oct 23 09:42:07.403: ISAKMP:(0): beginning Main Mode exchange
*Oct 23 09:42:07.403: ISAKMP:(0): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) MM_NO_STATE
*Oct 23 09:42:07.403: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Oct 23 09:42:07.463: ISAKMP (0): received packet from 1.1.1.1 dport 500 sport 500 Global (I) MM_NO_STATE
*Oct 23 09:42:07.463: ISAKMP:(0):Couldn't find node: message_id 1317700968
*Oct 23 09:42:07.463: ISAKMP (0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY: state = IKE_I_MM1
*Oct 23 09:42:07.463: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Oct 23 09:42:07.463: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM1 *Oct 23 09:42:07.463: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 1.1.1.1.....
Success rate is 0 percent (0/5)
Router2811#
*Oct 23 09:42:17.407: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Oct 23 09:42:17.407: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Oct 23 09:42:17.407: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Oct 23 09:42:17.407: ISAKMP:(0): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) MM_NO_STATE
*Oct 23 09:42:17.407: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Oct 23 09:42:17.463: ISAKMP (0): received packet from 1.1.1.1 dport 500 sport 500 Global (I) MM_NO_STATE
*Oct 23 09:42:17.463: ISAKMP:(0):Couldn't find node: message_id -726632295
*Oct 23 09:42:17.463: ISAKMP (0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY: state = IKE_I_MM1
*Oct 23 09:42:17.463: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Oct 23 09:42:17.463: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM1 *Oct 23 09:42:27.407: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Oct 23 09:42:27.407: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Oct 23 09:42:27.407: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Oct 23 09:42:27.407: ISAKMP:(0): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) MM_NO_STATE
*Oct 23 09:42:27.407: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Oct 23 09:42:27.463: ISAKMP (0): received packet from 1.1.1.1 dport 500 sport 500 Global (I) MM_NO_STATE
*Oct 23 09:42:27.463: ISAKMP:(0):Couldn't find node: message_id -1737446913
*Oct 23 09:42:27.463: ISAKMP (0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY: state = IKE_I_MM1
*Oct 23 09:42:27.463: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Oct 23 09:42:27.463: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM1 *Oct 23 09:42:37.399: ISAKMP: set new node 0 to QM_IDLE
*Oct 23 09:42:37.399: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local 2.2.2.2, remote 1.1.1.1)
*Oct 23 09:42:37.399: ISAKMP: Error while processing SA request: Failed to initialize SA
*Oct 23 09:42:37.399: ISAKMP: Error while processing KMI message 0, error 2.
*Oct 23 09:42:37.407: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Oct 23 09:42:37.407: ISAKMP (0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
*Oct 23 09:42:37.407: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Oct 23 09:42:37.407: ISAKMP:(0): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) MM_NO_STATE
*Oct 23 09:42:37.407: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Oct 23 09:42:37.463: ISAKMP (0): received packet from 1.1.1.1 dport 500 sport 500 Global (I) MM_NO_STATE
*Oct 23 09:42:37.463: ISAKMP:(0):Couldn't find node: message_id -1728359607
*Oct 23 09:42:37.463: ISAKMP (0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY: state = IKE_I_MM1
*Oct 23 09:42:37.463: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Oct 23 09:42:37.463: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM1 *Oct 23 09:42:42.895: ISAKMP:(0):purging node -1546922538
*Oct 23 09:42:42.895: ISAKMP:(0):purging node -1695489255
*Oct 23 09:42:47.407: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Oct 23 09:42:47.407: ISAKMP (0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
*Oct 23 09:42:47.407: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Oct 23 09:42:47.407: ISAKMP:(0): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) MM_NO_STATE
*Oct 23 09:42:47.407: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Oct 23 09:42:47.463: ISAKMP (0): received packet from 1.1.1.1 dport 500 sport 500 Global (I) MM_NO_STATE
*Oct 23 09:42:47.463: ISAKMP:(0):Couldn't find node: message_id -1571055350
*Oct 23 09:42:47.463: ISAKMP (0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY: state = IKE_I_MM1
*Oct 23 09:42:47.463: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Oct 23 09:42:47.463: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM1 *Oct 23 09:42:52.895: ISAKMP:(0):purging SA., sa=4A2C0C28, delme=4A2C0C28
*Oct 23 09:42:57.407: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Oct 23 09:42:57.407: ISAKMP (0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
*Oct 23 09:42:57.407: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Oct 23 09:42:57.407: ISAKMP:(0): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) MM_NO_STATE
*Oct 23 09:42:57.407: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Oct 23 09:42:57.463: ISAKMP (0): received packet from 1.1.1.1 dport 500 sport 500 Global (I) MM_NO_STATE
*Oct 23 09:42:57.463: ISAKMP:(0):Couldn't find node: message_id -1921433792
*Oct 23 09:42:57.463: ISAKMP (0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY: state = IKE_I_MM1
*Oct 23 09:42:57.463: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Oct 23 09:42:57.463: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM1 *Oct 23 09:43:07.407: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Oct 23 09:43:07.407: ISAKMP:(0):peer does not do paranoid keepalives. *Oct 23 09:43:07.407: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 1.1.1.1)
*Oct 23 09:43:07.407: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 1.1.1.1)
*Oct 23 09:43:07.407: ISAKMP: Unlocking peer struct 0x4A1BDE10 for isadb_mark_sa_deleted(), count 0
*Oct 23 09:43:07.407: ISAKMP: Deleting peer node by peer_reap for 1.1.1.1: 4A1BDE10
*Oct 23 09:43:07.407: ISAKMP:(0):deleting node 2134233700 error FALSE reason "IKE deleted"
*Oct 23 09:43:07.407: ISAKMP:(0):deleting node 1700880190 error FALSE reason "IKE deleted"
*Oct 23 09:43:07.407: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Oct 23 09:43:07.407: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_DEST_SA
Получить данные с второй стороны крайне проблематично. Очень хотелось бы найти источник проблемы, чтобы приводить аргументы.
- Cisco 2811 Ipsec - Couldn't find node: message_id, eRIC, 11:46 , 23-Окт-15 (12)
>> Обновился до 15.1
>> IKE Dispatcher: IKEv2 version 2 detected, Dropping packet! сообщения пропали, все остальные
>> сообщения в дебаге полностью идентичны.
> #show crypto isakmp sa
> #show crypto isakmp policy
> #show crypto isakmp default policy
> и предоставьте свежие логи
> со второй железяки бы аналогичные данные получить + group 2 указать или какое значение на другой стороне в crypto map
- Cisco 2811 Ipsec - Couldn't find node: message_id, Евгений, 11:53 , 23-Окт-15 (13)
>>> Обновился до 15.1
>>> IKE Dispatcher: IKEv2 version 2 detected, Dropping packet! сообщения пропали, все остальные
>>> сообщения в дебаге полностью идентичны.
>> #show crypto isakmp sa
>> #show crypto isakmp policy
>> #show crypto isakmp default policy
>> и предоставьте свежие логи
>> со второй железяки бы аналогичные данные получить
> + group 2 указать или какое значение на другой стороне в crypto
> map group 2 указан в policy
- Cisco 2811 Ipsec - Couldn't find node: message_id, eRIC, 12:02 , 23-Окт-15 (14)
> group 2 указан в policy ага, вы успели первым ответить точно с двух сторон не стоит NAT? IKE_I_MM1 фазе висит все
- Cisco 2811 Ipsec - Couldn't find node: message_id, Евгений, 12:30 , 23-Окт-15 (15)
>> group 2 указан в policy
> ага, вы успели первым ответить
> точно с двух сторон не стоит NAT? IKE_I_MM1 фазе висит все Оба устройства с белыми адресами, на циске ната вообще нет как такового, данные должны уходить только в тонннель без доступа наружу. С другой стороны говорили что нету, т.е он смотрит прямо в мир.
- Cisco 2811 Ipsec - Couldn't find node: message_id, eRIC, 12:57 , 23-Окт-15 (16)
- Cisco 2811 Ipsec - Couldn't find node: message_id, Евгений, 13:54 , 23-Окт-15 (17)
|
Версия для распечатки
Cisco 2811 Ipsec - Couldn't find node: message_id, 
