IPSEC ISAKMP SA still negotiating

Forum|Forum|12 years ago
May 15, 2014
3 replies
12395 views

Hi, I have problem with IPSec. I have 3 locations. Both of them are working well. On the third location i have the same settings but tunnel can' t be established. Phase 1 are ok in log but next:

  IPsec SA connect 4 x.x.x.x->x.x.x.x:0  using existing connection  config found  IPsec SA connect 4 x.x.x.x->x.x.x.x:500 negotiating  ISAKMP SA still negotiating, queuing quick-mode request

emnoc

New Member

ISAKMP SA still negotiating, queuing quick-mode request

Suggestion: Are you sure NAT-T is not an issues or needs to be enabled at the third location.

woytassAuthor

New Member

I tried with nat enable and nat disable - same error.

emnoc

New Member

When you mean NAT enable/disable this nat-t under your phase1 ipsec configuration? Also on the branch that' s not working, have you double and triple checked the configuration? lastly, I would start some diags on that branch. You can use this blog that I created http://socpuppet.blogspot.com/2013/10/site-2-site-routed-vpn-trouble-shooting.html And concentrate on phase1 diagnostics 1st diag debug app ike filter name " phase1-name" diag debug app ike -1 diag debug enable A packet capture on the wan interface would also be helpful to ensure packets are being sent and received for the 2 ike-gateways diag sniffer packet wan1 " port 500 or 4500" Place the correct vpn-uplink interface WAN1 WAN2 etc.... Make sure that interface is configured in your phase1 configuration.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded