Verify the ISAKMP Policies
If the IPsec tunnel is not UP, check that the ISAKMP policies match with the remote peers. This ISAKMP policy is applicable to both the Site-to-Site (L2L) and Remote Access IPsec VPN.

If the Cisco VPN Clients or the Site-to-Site VPN are not able to establish the tunnel with the remote-end device, check that the two peers contain the same encryption, hash, authentication, and Diffie-Hellman parameter values, and that the remote peer policy specifies a lifetime less than or equal to the lifetime in the policy that the initiator sent. If the lifetimes are not identical, the security appliance uses the shorter lifetime. If no acceptable match exists, ISAKMP refuses negotiation, and the SA is not established.

"Error: Unable to remove Peer TblEntry, Removing peer from peer table failed, no match!"

Here is the detailed log message:

4|Mar 24 2010 10:21:50|713903: IP = X.X.X.X, Error: Unable to remove PeerTblEntry
3|Mar 24 2010 10:21:50|713902: IP = X.X.X.X, Removing peer from peer table failed, no match!
3|Mar 24 2010 10:21:50|713048: IP = X.X.X.X, Error processing payload: Payload ID: 1
4|Mar 24 2010 10:21:49|713903: IP = X.X.X.X, Information Exchange processing failed
5|Mar 24 2010 10:21:49|713904: IP = X.X.X.X, Received an un-encrypted NO_PROPOSAL_CHOSEN notify message, dropping

This message usually appears due to mismatched ISAKMP policies or a missing NAT 0 statement.

In addition, this message appears:

Error Message %PIX|ASA-6-713219: Queueing KEY-ACQUIRE messages to be processed when P1 SA is complete.

This message indicates that Phase 2 messages are being enqueued after Phase 1 completes. This error message might be due to one of these reasons:

Mismatch in phase on any of the peers

ACL is blocking the peers from completing phase 1

This message usually comes after the Removing peer from peer table failed, no match! error message.
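As an added example, not part of the Cisco document, the following script parses ISAKMP syslog lines in the "severity|timestamp|message id: IP = peer, text" layout shown above and maps the two signatures the text describes (the 713902/713904 "no match" sequence and the 713219 KEY-ACQUIRE queueing message) to the checks the text recommends, grouped per peer. The sample lines are the ones quoted on the page; the 713219 line is constructed to fit the same layout, and the message-id constants and function names are this example's own.

```python
import re
from collections import defaultdict
from typing import Dict, List

# "<severity>|<timestamp>|<message id>: IP = <peer>, <text>", as in the page's excerpt.
# The "IP = ..." part is optional because not every ISAKMP message carries it.
LOG_RE = re.compile(
    r"^(?P<sev>\d)\|(?P<ts>[^|]+)\|(?P<msgid>\d{6}): "
    r"(?:IP = (?P<ip>[^,]+), )?(?P<text>.*)$"
)

# Constructed sample: the lines quoted on the page, plus one constructed 713219 line.
SAMPLE_LOG = """\
4|Mar 24 2010 10:21:50|713903: IP = X.X.X.X, Error: Unable to remove PeerTblEntry
3|Mar 24 2010 10:21:50|713902: IP = X.X.X.X, Removing peer from peer table failed, no match!
3|Mar 24 2010 10:21:50|713048: IP = X.X.X.X, Error processing payload: Payload ID: 1
4|Mar 24 2010 10:21:49|713903: IP = X.X.X.X, Information Exchange processing failed
5|Mar 24 2010 10:21:49|713904: IP = X.X.X.X, Received an un-encrypted NO_PROPOSAL_CHOSEN notify message, dropping
6|Mar 24 2010 10:21:51|713219: IP = X.X.X.X, Queueing KEY-ACQUIRE messages to be processed when P1 SA is complete.
"""

# Message IDs the page discusses (names are this example's own).
NO_PROPOSAL_CHOSEN = "713904"   # un-encrypted NO_PROPOSAL_CHOSEN notify received
PEER_NO_MATCH = "713902"        # Removing peer from peer table failed, no match!
KEY_ACQUIRE_QUEUED = "713219"   # Phase 2 queued until the Phase 1 SA completes


def parse_log(text: str) -> List[dict]:
    """Parse each line into a dict of fields; lines in another layout are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def triage(events: List[dict]) -> Dict[str, List[str]]:
    """Collect message IDs per peer and report the checks the text calls for."""
    ids_by_peer = defaultdict(set)
    for e in events:
        ids_by_peer[e["ip"] or "<no peer IP>"].add(e["msgid"])

    findings: Dict[str, List[str]] = {}
    for peer, ids in ids_by_peer.items():
        notes = []
        if NO_PROPOSAL_CHOSEN in ids or PEER_NO_MATCH in ids:
            notes.append("Phase 1 proposal rejected: compare ISAKMP policies "
                         "(encryption, hash, authentication, DH group) on both peers "
                         "and confirm the NAT 0 statement is present")
        if KEY_ACQUIRE_QUEUED in ids:
            notes.append("Phase 2 queued before Phase 1 finished: look for an ISAKMP "
                         "policy mismatch or an ACL blocking ISAKMP (UDP/500) "
                         "between the peers")
        if notes:
            findings[peer] = notes
    return findings


if __name__ == "__main__":
    for peer, notes in triage(parse_log(SAMPLE_LOG)).items():
        print(peer)
        for note in notes:
            print("  -", note)
```

Run it against a saved ASDM or syslog capture in the same layout; peers that only log 713903 without the "no match" or NO_PROPOSAL_CHOSEN messages produce no finding, so the output stays limited to peers whose Phase 1 actually failed for the reasons the text lists.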

If the Cisco VPN Client is unable to connect to the head-end device, the problem can be a mismatch of ISAKMP Policy. The head-end device must match one of the IKE Proposals of the Cisco VPN Client.

Note: For the ISAKMP policy and IPsec Transform-set that is used on the PIX/ASA, the Cisco VPN Client cannot use a policy with a combination of DES and SHA. If you use DES, you need to use MD5 for the hash algorithm, or you can use the other combinations, 3DES with SHA and 3DES with MD5.
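To make the matching rules concrete, here is an added example (written for this page, not Cisco's code) that parses "crypto isakmp policy" blocks from a head-end configuration, walks them in priority order against the proposals a peer sends, and returns the chosen policy with the negotiated lifetime, or None where the head-end would answer NO_PROPOSAL_CHOSEN. It also encodes the note above about DES with SHA for the VPN Client. The configuration text, the peer proposals, and the function names are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class IsakmpPolicy:
    priority: int
    encryption: str      # des | 3des | aes | aes-192 | aes-256
    hash: str            # sha | md5
    authentication: str  # pre-share | rsa-sig
    group: int           # Diffie-Hellman group
    lifetime: int        # seconds


# Constructed head-end config fragment in the PIX/ASA "crypto isakmp policy <n>" syntax.
HEADEND_CONFIG = """
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 28800
"""

# Constructed stand-in for the Phase 1 proposals a remote peer sends.
PEER_PROPOSALS = [
    IsakmpPolicy(1, "aes-256", "sha", "pre-share", 2, 86400),
    IsakmpPolicy(2, "3des", "md5", "pre-share", 2, 86400),
]

# Values assumed for attributes a policy block leaves unset (ISAKMP policy defaults).
DEFAULTS = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig",
            "group": 1, "lifetime": 86400}


def parse_isakmp_policies(config: str) -> List[IsakmpPolicy]:
    """Parse 'crypto isakmp policy' blocks and return them lowest priority number first."""
    policies, current = [], None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"crypto isakmp policy (\d+)", line)
        if m:
            if current:
                policies.append(IsakmpPolicy(**current))
            current = dict(DEFAULTS, priority=int(m.group(1)))
            continue
        if current is None or not line:
            continue
        kw, _, val = line.partition(" ")
        if kw in ("encryption", "hash", "authentication"):
            current[kw] = val
        elif kw in ("group", "lifetime"):
            current[kw] = int(val)
    if current:
        policies.append(IsakmpPolicy(**current))
    return sorted(policies, key=lambda p: p.priority)


def same_parameters(a: IsakmpPolicy, b: IsakmpPolicy) -> bool:
    """The four values the text says must be identical on both peers."""
    return (a.encryption, a.hash, a.authentication, a.group) == \
           (b.encryption, b.hash, b.authentication, b.group)


def negotiate(peer_proposals: List[IsakmpPolicy],
              local_policies: List[IsakmpPolicy]) -> Optional[Tuple[IsakmpPolicy, int]]:
    """Walk local policies in priority order; the first proposal with identical
    encryption/hash/authentication/group wins. Lifetime is not a match criterion:
    when the two differ the shorter one is used. None models NO_PROPOSAL_CHOSEN."""
    for local in local_policies:
        for prop in peer_proposals:
            if same_parameters(local, prop):
                return local, min(local.lifetime, prop.lifetime)
    return None


def vpn_client_usable(p: IsakmpPolicy) -> bool:
    """The note above: the Cisco VPN Client cannot use DES together with SHA."""
    return not (p.encryption == "des" and p.hash == "sha")


if __name__ == "__main__":
    head_end = parse_isakmp_policies(HEADEND_CONFIG)
    print("before fix:", negotiate(PEER_PROPOSALS, head_end))      # None
    fixed = head_end + [IsakmpPolicy(30, "aes-256", "sha", "pre-share", 2, 43200)]
    print("after fix:", negotiate(PEER_PROPOSALS, fixed))          # policy 30, lifetime 43200
```

In the constructed case neither head-end policy matches: policy 10 differs from the peer's 3DES proposal in the hash, and policy 20 differs from the peer's AES-256 proposal in the DH group, so the peer sees NO_PROPOSAL_CHOSEN. Adding a policy with the same four values fixes it, and the negotiated lifetime is the shorter of the two, as the text states.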