Invalid ID error



  • All,

    I was trying to configure a Netscreen box for a new VPN tunnel and am getting the below error. It is receiving an “invalid id” notification. Please let me know if there is some configuration I am missing here.

    Received a notification message for DOI <1> <18> <invalid-id-information>.

    Thanks
    Akram



  • I am having the exact same situation with Juniper and a Watchguard.

    How did you resolve it - if you remember!



  • hi,

    Sorry for the delayed reply as I was busy with something else. Also replaced the remote end IP with A.B.C.D, and the FW is Watchdog 5500.

    Thanks
    Akram

    2009-03-18 10:13:21 : IKE <a.b.c.d>****** Recv kernel msg IDX-4, TYPE-5 ******

    2009-03-18 10:13:21 : IKE <a.b.c.d>****** Recv kernel msg IDX-4, TYPE-5 ******

    2009-03-18 10:13:21 : IKE <a.b.c.d>sa orig index<4>, peer_id<3>.

    2009-03-18 10:13:21 : IKE <a.b.c.d>isadb get entry by peer/local ip and port

    2009-03-18 10:13:21 : IKE<a.b.c.d>  create sa: X.X.X.X->A.B.C.D

    2009-03-18 10:13:21 : getProfileFromP1Proposal->

    2009-03-18 10:13:21 : find profile[0]=<00000005 00000001 00000001 00000001> for p1 proposal (id 20), xauth(0)

    2009-03-18 10:13:21 : init p1sa, pidt = 0x0

    2009-03-18 10:13:21 : change peer identity for p1 sa, pidt = 0x0

    2009-03-18 10:13:21 : IKE<0.0.0.0        >  create peer identity 083ad4e58

    2009-03-18 10:13:21 : peer identity 3ad4e58 created.

    2009-03-18 10:13:21 : IKE<0.0.0.0        >  EDIPI disabled

    2009-03-18 10:13:21 : IKE <a.b.c.d>Construct ISAKMP header.

    2009-03-18 10:13:21 : IKE <a.b.c.d>Msg header built (next payload #1)

    2009-03-18 10:13:21 : IKE <a.b.c.d>Construct [SA] for ISAKMP

    2009-03-18 10:13:21 : IKE <a.b.c.d>auth(1)<preshrd>, encr(5)<3DES>, hash(1)<md5>, group(1)

    2009-03-18 10:13:21 : IKE <a.b.c.d>xauth attribute: disabled

    2009-03-18 10:13:21 : IKE <a.b.c.d>lifetime/lifesize (28800/0)

    2009-03-18 10:13:21 : IKE <a.b.c.d>Construct NetScreen [VID]

    2009-03-18 10:13:21 : IKE <a.b.c.d>Construct NAT-T [VID]: draft 2

    2009-03-18 10:13:21 : IKE <a.b.c.d>Construct NAT-T [VID]: draft 1

    2009-03-18 10:13:21 : IKE <a.b.c.d>Construct custom [VID]

    2009-03-18 10:13:21 : IKE <a.b.c.d>Construct custom [VID]

    2009-03-18 10:13:21 : IKE <a.b.c.d >Xmit : [SA] [VID] [VID] [VID] [VID] [VID]

    2009-03-18 10:13:21 : IKE <a.b.c.d>Initiator sending IPv4 IP A.B.C.D/port 500

    2009-03-18 10:13:21 : IKE <a.b.c.d>Send Phase 1 packet (len=196)

    2009-03-18 10:13:21 : IKE <a.b.c.d>Phase 2 task added

    2009-03-18 10:13:22 : IKE <a.b.c.d>ike packet, len 140, action 0

    2009-03-18 10:13:22 : IKE <a.b.c.d>Catcher: received 112 bytes from socket.

    2009-03-18 10:13:22 : IKE <a.b.c.d>****** Recv packet if <ethernet2>of vsys <root>******

    2009-03-18 10:13:22 : IKE <a.b.c.d>Catcher: get 112 bytes. src port 500

    2009-03-18 10:13:22 : IKE<0.0.0.0        >  ISAKMP msg: len 112, nxp 1[SA], exch 2[MM], flag 00

    2009-03-18 10:13:22 : IKE <a.b.c.d >Recv : [SA] [VID] [VID]

    2009-03-18 10:13:22 : IKE<0.0.0.0        >  extract payload (84):

    2009-03-18 10:13:22 : IKE <a.b.c.d>MM in state OAK_MM_NO_STATE.

    2009-03-18 10:13:22 : IKE <a.b.c.d>Process [VID]:

    2009-03-18 10:13:22 : IKE<a.b.c.d >  Vendor ID:

    2009-03-18 10:13:22 : 09 00 26 89 df d6 b7 12

    2009-03-18 10:13:22 : IKE <a.b.c.d>rcv XAUTH v6.0 vid

    2009-03-18 10:13:22 : IKE <a.b.c.d>Process [VID]:

    2009-03-18 10:13:22 : IKE<a.b.c.d >  Vendor ID:

    2009-03-18 10:13:22 : 90 cb 80 91 3e bb 69 6e  08 63 81 b5 ec 42 7b 1f

    2009-03-18 10:13:22 : IKE <a.b.c.d>rcv NAT-Traversal VID payload (draft-ietf-ipsec-nat-t-ike-02).

    2009-03-18 10:13:22 : IKE <a.b.c.d>Process [SA]:

    2009-03-18 10:13:22 : IKE <a.b.c.d>Proposal received: xauthflag 40

    2009-03-18 10:13:22 : IKE <a.b.c.d>auth(1)<preshrd>, encr(5)<3DES>, hash(1)<md5>, group(1)

    2009-03-18 10:13:22 : IKE <a.b.c.d>xauth attribute: disabled

    2009-03-18 10:13:22 : IKE <a.b.c.d>Phase 1 proposal [0] selected.

    2009-03-18 10:13:22 : IKE <a.b.c.d>SA Life Type = seconds

    2009-03-18 10:13:22 : IKE <a.b.c.d>SA lifetime (TV) = 28800

    2009-03-18 10:13:22 : IKE<0.0.0.0        >    dh group 1

    2009-03-18 10:13:22 : IKE <a.b.c.d>IKE msg done: PKI state<0> IKE state<0/1110803>

    2009-03-18 10:13:22 : IKE <a.b.c.d>Catcher: Error get ike packet from socket.

    2009-03-18 10:13:22 : IKE <a.b.c.d>MM in state OAK_MM_NO_STATE.

    2009-03-18 10:13:22 : IKE <a.b.c.d>re-enter MM after offline DH done

    2009-03-18 10:13:22 : IKE <a.b.c.d>Phase 1 MM Initiator constructing 3rd message.

    2009-03-18 10:13:22 : IKE <a.b.c.d>Construct ISAKMP header.

    2009-03-18 10:13:22 : IKE <a.b.c.d>Msg header built (next payload #4)

    2009-03-18 10:13:22 : IKE <a.b.c.d>Construct [KE] for ISAKMP

    2009-03-18 10:13:22 : IKE <a.b.c.d>Construct [NONCE]

    2009-03-18 10:13:22 : IKE <a.b.c.d>initiator (psk) constructing remote NAT-D

    2009-03-18 10:13:22 : IKE <a.b.c.d>Construct [NATD]

    2009-03-18 10:13:22 : IKE <a.b.c.d>initiator (psk) constructing local NAT-D

    2009-03-18 10:13:22 : IKE <a.b.c.d>Construct [NATD]

    2009-03-18 10:13:22 : IKE <a.b.c.d>throw packet to the peer, paket_len=192

    2009-03-18 10:13:22 : IKE <a.b.c.d >Xmit : [KE] [NONCE] [NATD] [NATD]

    2009-03-18 10:13:22 : IKE <a.b.c.d>Initiator sending IPv4 IP A.B.C.D/port 500

    2009-03-18 10:13:22 : IKE <a.b.c.d>Send Phase 1 packet (len=192)

    2009-03-18 10:13:22 : IKE <a.b.c.d>ike packet, len 208, action 0

    2009-03-18 10:13:22 : IKE <a.b.c.d>Catcher: received 180 bytes from socket.

    2009-03-18 10:13:22 : IKE <a.b.c.d>****** Recv packet if <ethernet2>of vsys <root>******

    2009-03-18 10:13:22 : IKE <a.b.c.d>Catcher: get 180 bytes. src port 500

    2009-03-18 10:13:22 : IKE<0.0.0.0        >  ISAKMP msg: len 180, nxp 4[KE], exch 2[MM], flag 00

    2009-03-18 10:13:22 : IKE <a.b.c.d >Recv : [KE] [NONCE] [NATD] [NATD]

    2009-03-18 10:13:22 : IKE<0.0.0.0        >  extract payload (152):

    2009-03-18 10:13:22 : IKE <a.b.c.d>MM in state OAK_MM_SA_SETUP.

    2009-03-18 10:13:22 : IKE <a.b.c.d>Process [NATD]:

    2009-03-18 10:13:22 : IKE <a.b.c.d>Process [NATD]:

    2009-03-18 10:13:22 : IKE <a.b.c.d>init p1sa, pidt = 0x3ad4e58

    2009-03-18 10:13:22 : IKE <a.b.c.d>change peer identity for p1 sa, pidt = 0x3ad4e58

    2009-03-18 10:13:22 : IKE<0.0.0.0        >  EDIPI disabled

    2009-03-18 10:13:22 : IKE <a.b.c.d>Process [KE]:

    2009-03-18 10:13:22 : IKE <a.b.c.d>processing ISA_KE in phase 1.

    2009-03-18 10:13:22 : IKE <a.b.c.d>Process [NONCE]:

    2009-03-18 10:13:22 : IKE <a.b.c.d>processing NONCE in phase 1.

    2009-03-18 10:13:22 : IKE <a.b.c.d>IKE msg done: PKI state<0> IKE state<1/1a17080f>

    2009-03-18 10:13:22 : IKE <a.b.c.d>Catcher: Error get ike packet from socket.

    2009-03-18 10:13:22 : IKE <a.b.c.d>gen_skeyid()

    2009-03-18 10:13:22 : IKE <a.b.c.d>MM in state OAK_MM_SA_SETUP.

    2009-03-18 10:13:22 : IKE <a.b.c.d>re-enter MM after offline DH done

    2009-03-18 10:13:22 : IKE <a.b.c.d>Phase 1 MM Initiator constructing 5th message.

    2009-03-18 10:13:22 : IKE <a.b.c.d>Construct ISAKMP header.

    2009-03-18 10:13:22 : IKE <a.b.c.d>Msg header built (next payload #5)

    2009-03-18 10:13:22 : IKE <a.b.c.d>Construct [ID] for ISAKMP

    2009-03-18 10:13:22 : IKE <a.b.c.d>Construct [HASH]

    2009-03-18 10:13:22 : IKE <a.b.c.d>ID, len=8, type=1, pro=17, port=500,

    2009-03-18 10:13:22 : IKE <a.b.c.d>addr=X.X.X.X

    2009-03-18 10:13:22 : IKE <a.b.c.d>throw packet to the peer, paket_len=60

    2009-03-18 10:13:22 : IKE <a.b.c.d >Xmit*: [ID] [HASH]

    2009-03-18 10:13:22 : IKE <a.b.c.d>Encrypt P1 payload (len 60)

    2009-03-18 10:13:22 : IKE <a.b.c.d>Initiator sending IPv4 IP A.B.C.D/port 500

    2009-03-18 10:13:22 : IKE <a.b.c.d>Send Phase 1 packet (len=68)

    2009-03-18 10:13:22 : IKE <a.b.c.d>ike packet, len 88, action 0

    2009-03-18 10:13:22 : IKE <a.b.c.d>Catcher: received 60 bytes from socket.

    2009-03-18 10:13:22 : IKE <a.b.c.d>****** Recv packet if <ethernet2>of vsys <root>******

    2009-03-18 10:13:22 : IKE <a.b.c.d>Catcher: get 60 bytes. src port 500

    2009-03-18 10:13:22 : IKE<0.0.0.0        >  ISAKMP msg: len 60, nxp 5[ID], exch 2[MM], flag 01  E

    2009-03-18 10:13:22 : IKE <a.b.c.d>Decrypting payload (length 32)

    2009-03-18 10:13:22 : IKE <a.b.c.d >Recv*: [ID] [HASH]

    2009-03-18 10:13:22 : IKE<0.0.0.0        >  extract payload (32):

    2009-03-18 10:13:22 : IKE <a.b.c.d>MM in state OAK_MM_KEY_EXCH.

    2009-03-18 10:13:22 : IKE <a.b.c.d>Process [ID]:

    2009-03-18 10:13:22 : IKE <a.b.c.d>ID received: type=ID_IPV4_ADDR, ip = A.B.C.D, port=0, protocol=0

    2009-03-18 10:13:22 : IKE<0.0.0.0        >  Find NATT enabled peer with matching ID and ifp.

    2009-03-18 10:13:22 : IKE<a.b.c.d>  locate peer entry for (1/A.B.C.D), by identity in ip.

    2009-03-18 10:13:22 : IKE<a.b.c.d>  static-ip peer entry ip A.B.C.D.

    2009-03-18 10:13:22 : IKE <a.b.c.d>ID processed. return 0. sa->p1_state = 2.

    2009-03-18 10:13:22 : IKE <a.b.c.d>Process [HASH]:

    2009-03-18 10:13:22 : IKE <a.b.c.d>ID, len=8, type=1, pro=0, port=0,

    2009-03-18 10:13:22 : IKE <a.b.c.d>addr=A.B.C.D

    2009-03-18 10:13:22 : IKE <a.b.c.d>completing Phase 1

    2009-03-18 10:13:22 : IKE <a.b.c.d>sa_pidt = 3ad4e58

    2009-03-18 10:13:22 : IKE <a.b.c.d>found existing peer identity 3ad5104

    2009-03-18 10:13:22 : IKE <a.b.c.d>peer_identity_unregister_p1_sa.

    2009-03-18 10:13:22 : IKE<0.0.0.0        >  delete peer identity 0x3ad4e58

    2009-03-18 10:13:22 : IKE <a.b.c.d>peer_idt.c peer_identity_unregister_p1_sa 506: pidt deleted.

    2009-03-18 10:13:22 : IKE <a.b.c.d>Phase 1: Completed Main mode negotiation with a <28800>-second lifetime.

    2009-03-18 10:13:22 : IKE <a.b.c.d>Phase 2: Initiated Quick Mode negotiation.

    2009-03-18 10:13:22 : IKE <a.b.c.d>Phase-2: start quick mode negotiation

    2009-03-18 10:13:22 : IKE <a.b.c.d>Phase-2: no tunnel interface binding for Modecfg IPv4 address.

    2009-03-18 10:13:22 : IKE <a.b.c.d>Create conn entry…

    2009-03-18 10:13:22 : IKE<a.b.c.d>  …done(new 2c249a4a)

    2009-03-18 10:13:22 : IKE <a.b.c.d>Initiator not set commit bit on 1st QM.

    2009-03-18 10:13:22 : IKE<0.0.0.0        >  add sa list for msg id <2c249a4a>

    2009-03-18 10:13:22 : IKE <a.b.c.d>0,0/0(0)/spi(ccfbcb48)/keylen(0)

    2009-03-18 10:13:22 : IKE <a.b.c.d>Construct ISAKMP header.

    2009-03-18 10:13:22 : IKE <a.b.c.d>Msg header built (next payload #8)

    2009-03-18 10:13:22 : IKE <a.b.c.d>Construct [HASH]

    2009-03-18 10:13:22 : IKE <a.b.c.d>Construct [SA] for IPSEC

    2009-03-18 10:13:22 : IKE <a.b.c.d>Set IPSEC SA attrs: lifetime(86400/0)

    2009-03-18 10:13:22 : IKE <a.b.c.d>atts<00000003 00000000 00000003 00000001 00000001 00000000>

    2009-03-18 10:13:22 : IKE <a.b.c.d>proto(3)<esp>, esp(3)<esp_3des>, auth(1)<md5>, encap(1)<tunnel>, group(0)

    2009-03-18 10:13:22 : IKE <a.b.c.d>Before NAT-T attr unmap: private tunnel = 1.

    2009-03-18 10:13:22 : IKE <a.b.c.d>After NAT-T attr unmap: private tunnel = 1.

    2009-03-18 10:13:22 : IKE <a.b.c.d>Policy have separate SA. Use P2 ID from policy sa (19).

    2009-03-18 10:13:22 : IKE <e.f.g.h>IP <e.f.g.h>mask<255.255.255.0> prot<0> port<0>

    2009-03-18 10:13:22 : IKE <a.b.c.d>Initiator P2 ID built: @IT## 2009-03-18 10:13:22 : IP<0.0.0.0> mask<0.0.0.0> prot<0> port<0>

    2009-03-18 10:13:22 : IKE <a.b.c.d>Responder P2 ID built: @IT## 2009-03-18 10:13:22 : IKE <a.b.c.d>Construct [NONCE] for IPSec

    2009-03-18 10:13:22 : IKE <a.b.c.d>Construct [ID] for Phase 2

    2009-03-18 10:13:22 : id payload constructed. type(4),ip(ac100b00),mask(ffffff00), prot(0), port(0)

    2009-03-18 10:13:22 : IKE <a.b.c.d>Construct [ID] for Phase 2

    2009-03-18 10:13:22 : id payload constructed. type(1),ip(00000000),mask(00000000), prot(0), port(0)

    2009-03-18 10:13:22 : IKE <a.b.c.d>construct QM HASH

    2009-03-18 10:13:22 : IKE <a.b.c.d >Xmit*: [HASH] [SA] [NONCE] [ID] [ID]

    2009-03-18 10:13:22 : IKE <a.b.c.d>Encrypt P2 payload (len 152)

    2009-03-18 10:13:22 : IKE <a.b.c.d>Initiator sending IPv4 IP A.B.C.D/port 500

    2009-03-18 10:13:22 : IKE <a.b.c.d>Send Phase 2 packet (len=156)

    2009-03-18 10:13:22 : IKE <a.b.c.d>IKE msg done: PKI state<0> IKE state<3/1017182f>

    2009-03-18 10:13:22 : IKE <a.b.c.d>Catcher: Error get ike packet from socket.

    2009-03-18 10:13:22 : IKE <a.b.c.d>ike packet, len 96, action 0

    2009-03-18 10:13:22 : IKE <a.b.c.d>Catcher: received 68 bytes from socket.

    2009-03-18 10:13:22 : IKE <a.b.c.d>****** Recv packet if <ethernet2>of vsys <root>******

    2009-03-18 10:13:22 : IKE <a.b.c.d>Catcher: get 68 bytes. src port 500

    2009-03-18 10:13:22 : IKE<0.0.0.0        >  ISAKMP msg: len 68, nxp 8[HASH], exch 5[INFO], flag 01  E

    2009-03-18 10:13:22 : IKE <a.b.c.d>Create conn entry…

    2009-03-18 10:13:22 : IKE<a.b.c.d>  …done(new 99718a76)

    2009-03-18 10:13:22 : IKE <a.b.c.d>Decrypting payload (length 40)

    2009-03-18 10:13:22 : IKE <a.b.c.d >Recv*: [HASH] [NOTIF]

    2009-03-18 10:13:22 : IKE <a.b.c.d>Process [NOTIF]:

    2009-03-18 10:13:22 : IKE <a.b.c.d>Received notify message for DOI <1> <18> <invalid-id-information>.

    2009-03-18 10:13:22 : IKE <a.b.c.d>ah-esp: notify has no matching QM record, mess_id in<99718a76> centry<2c249a4a>

    2009-03-18 10:13:22 : IKE <a.b.c.d>WARN, Unknown Notify Message 18

    2009-03-18 10:13:22 : IKE <a.b.c.d>process notify exit with <0>.

    2009-03-18 10:13:22 : IKE<a.b.c.d>  Delete conn entry…

    2009-03-18 10:13:22 : IKE<a.b.c.d>  …found conn entry(99718a76)

    2009-03-18 10:13:22 : IKE <a.b.c.d>IKE msg done: PKI state<0> IKE state<3/1017182f>

    2009-03-18 10:13:22 : IKE <a.b.c.d>Catcher: Error get ike packet from socket.

    2009-03-18 10:13:27 : IKE<0.0.0.0        >  IKE: phase-2 packet re-trans timer expired

    2009-03-18 10:13:27 : IKE <a.b.c.d>phase-2 packet re-trans timer expired.

    2009-03-18 10:13:27 : IKE <a.b.c.d>Initiator sending IPv4 IP A.B.C.D/port 500

    2009-03-18 10:13:27 : IKE <a.b.c.d>Send Phase 2 packet (len=156)

    2009-03-18 10:13:27 : IKE <a.b.c.d>ike packet, len 96, action 0

    2009-03-18 10:13:27 : IKE <a.b.c.d>Catcher: received 68 bytes from socket.

    2009-03-18 10:13:27 : IKE <a.b.c.d>****** Recv packet if <ethernet2>of vsys <root>******

    2009-03-18 10:13:27 : IKE <a.b.c.d>Catcher: get 68 bytes. src port 500

    2009-03-18 10:13:27 : IKE<0.0.0.0        >  ISAKMP msg: len 68, nxp 8[HASH], exch 5[INFO], flag 01  E

    2009-03-18 10:13:27 : IKE <a.b.c.d>Create conn entry…

    2009-03-18 10:13:27 : IKE<a.b.c.d>  …done(new e443c7f7)

    2009-03-18 10:13:27 : IKE <a.b.c.d>Decrypting payload (length 40)

    2009-03-18 10:13:27 : IKE <a.b.c.d >Recv*: [HASH] [NOTIF]

    2009-03-18 10:13:27 : IKE <a.b.c.d>Process [NOTIF]:

    2009-03-18 10:13:27 : IKE <a.b.c.d>Received notify message for DOI <1> <18> <invalid-id-information>.

    2009-03-18 10:13:27 : IKE <a.b.c.d>ah-esp: notify has no matching QM record, mess_id in <e443c7f7>centry<2c249a4a>

    2009-03-18 10:13:27 : IKE <a.b.c.d>WARN, Unknown Notify Message 18

    2009-03-18 10:13:27 : IKE <a.b.c.d>process notify exit with <0>.

    2009-03-18 10:13:27 : IKE<a.b.c.d>  Delete conn entry…

    2009-03-18 10:13:27 : IKE<a.b.c.d>  …found conn entry(e443c7f7)

    2009-03-18 10:13:27 : IKE <a.b.c.d>IKE msg done: PKI state<0> IKE state<3/1017182f>

    2009-03-18 10:13:27 : IKE <a.b.c.d>Catcher: Error get ike packet from socket.

    2009-03-18 10:13:31 : IKE<0.0.0.0        >  IKE: phase-2 packet re-trans timer expired

    2009-03-18 10:13:31 : IKE <a.b.c.d>phase-2 packet re-trans timer expired.

    2009-03-18 10:13:31 : IKE <a.b.c.d>Initiator sending IPv4 IP A.B.C.D/port 500

    2009-03-18 10:13:31 : IKE <a.b.c.d>Send Phase 2 packet (len=156)

    2009-03-18 10:13:31 : IKE <a.b.c.d>ike packet, len 96, action 0

    2009-03-18 10:13:31 : IKE <a.b.c.d>Catcher: received 68 bytes from socket.

    2009-03-18 10:13:31 : IKE <a.b.c.d>****** Recv packet if <ethernet2>of vsys <root>******

    2009-03-18 10:13:31 : IKE <a.b.c.d>Catcher: get 68 bytes. src port 500

    2009-03-18 10:13:31 : IKE<0.0.0.0        >  ISAKMP msg: len 68, nxp 8[HASH], exch 5[INFO], flag 01  E

    2009-03-18 10:13:31 : IKE <a.b.c.d>Create conn entry…

    2009-03-18 10:13:31 : IKE<a.b.c.d>  …done(new 9e357e59)

    2009-03-18 10:13:31 : IKE <a.b.c.d>Decrypting payload (length 40)

    2009-03-18 10:13:31 : IKE <a.b.c.d >Recv*: [HASH] [NOTIF]

    2009-03-18 10:13:31 : IKE <a.b.c.d>Process [NOTIF]:

    2009-03-18 10:13:31 : IKE <a.b.c.d>Received notify message for DOI <1> <18> <invalid-id-information>.

    2009-03-18 10:13:31 : IKE <a.b.c.d>ah-esp: notify has no matching QM record, mess_id in<9e357e59> centry<2c249a4a>

    2009-03-18 10:13:31 : IKE <a.b.c.d>WARN, Unknown Notify Message 18

    2009-03-18 10:13:31 : IKE <a.b.c.d>process notify exit with <0>.

    2009-03-18 10:13:31 : IKE<a.b.c.d>  Delete conn entry…

    2009-03-18 10:13:31 : IKE<a.b.c.d>  …found conn entry(9e357e59)

    2009-03-18 10:13:31 : IKE <a.b.c.d>IKE msg done: PKI state<0> IKE state<3/1017182f>

    2009-03-18 10:13:31 : IKE <a.b.c.d>Catcher: Error get ike packet from socket.

    2009-03-18 10:13:35 : IKE<0.0.0.0        >  IKE: phase-2 packet re-trans timer expired

    2009-03-18 10:13:35 : IKE <a.b.c.d>phase-2 packet re-trans timer expired.

    2009-03-18 10:13:35 : IKE <a.b.c.d>Initiator sending IPv4 IP A.B.C.D/port 500

    2009-03-18 10:13:35 : IKE <a.b.c.d>Send Phase 2 packet (len=156)

    2009-03-18 10:13:35 : IKE <a.b.c.d>ike packet, len 96, action 0

    2009-03-18 10:13:35 : IKE <a.b.c.d>Catcher: received 68 bytes from socket.

    2009-03-18 10:13:35 : IKE <a.b.c.d>****** Recv packet if <ethernet2>of vsys <root>******

    2009-03-18 10:13:35 : IKE <a.b.c.d>Catcher: get 68 bytes. src port 500

    2009-03-18 10:13:35 : IKE<0.0.0.0        >  ISAKMP msg: len 68, nxp 8[HASH], exch 5[INFO], flag 01  E

    2009-03-18 10:13:35 : IKE <a.b.c.d>Create conn entry…

    2009-03-18 10:13:35 : IKE<a.b.c.d>  …done(new d58d7796)

    2009-03-18 10:13:35 : IKE <a.b.c.d>Decrypting payload (length 40)

    2009-03-18 10:13:35 : IKE <a.b.c.d >Recv*: [HASH] [NOTIF]

    2009-03-18 10:13:35 : IKE <a.b.c.d>Process [NOTIF]:

    2009-03-18 10:13:35 : IKE <a.b.c.d>Received notify message for DOI <1> <18> <invalid-id-information>.

    2009-03-18 10:13:35 : IKE <a.b.c.d>ah-esp: notify has no matching QM record, mess_id in <d58d7796>centry<2c249a4a>

    2009-03-18 10:13:35 : IKE <a.b.c.d>WARN, Unknown Notify Message 18

    2009-03-18 10:13:35 : IKE <a.b.c.d>process notify exit with <0>.

    2009-03-18 10:13:35 : IKE<a.b.c.d>  Delete conn entry…

    2009-03-18 10:13:35 : IKE<a.b.c.d>  …found conn entry(d58d7796)

    2009-03-18 10:13:35 : IKE <a.b.c.d>IKE msg done: PKI state<0> IKE state<3/1017182f>

    2009-03-18 10:13:35 : IKE <a.b.c.d>Catcher: Error get ike packet from socket.

    2009-03-18 10:13:39 : IKE<0.0.0.0        >  IKE: phase-2 packet re-trans timer expired

    2009-03-18 10:13:39 : IKE <a.b.c.d>phase-2 packet re-trans timer expired.



  • undebug all



  • Hi,

    How to stop debug?



    with policy based, the proxy IDs are generated from the policy objects, but that does not mean you can put in anything you want in the policy. They still need to match what is set at the other side.

    When you set up a “debug ike detail”, and when they generate traffic to you, what do you see? Can you post the output of the debug (undebug all and then get db str)?



  • Hi,

    I don't have access to the other end device.
    But if I have a policy-based VPN, do I still need to configure the “Proxy ID”?
    In my configuration itself I have not mentioned this.
    Please advise.

    Thanks
    Akram



  • do you have access to the config at the other end
    can you verify that

    • proxy ID’s are exactly the same (try with one local network to one remote network)
    • ports and protocols are set to ANY (just to start with - this is the most common reason for invalid-id problems)


  • Hi,

    The other end is a Watchguard 5500 box. I have changed the VPN to policy based. I initiated a ping session to the remote network. It's still throwing up the same error message. Please advise.

    Thanks
    Akram



    when you see this message in phase 2, this usually means that either the protocol or the proxy IDs don’t match

    are you setting up a VPN between two netscreen boxes, or between one netscreen and one non-netscreen box?
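
The proxy ID check discussed in this thread, as an added example that is not part of any post here: a Python script that decodes the two Phase 2 `id payload constructed` lines from the posted debug output, confirms the peer answered with notify 18, and lists which fields differ from what the peer accepts. `PEER_EXPECTS` and its 192.168.50.0/24 network are hypothetical stand-ins for the WatchGuard side's settings, which the thread never shows.

```python
import ipaddress
import re

# Lines copied from the debug output posted in this thread.
SAMPLE_LOG = """\
2009-03-18 10:13:22 : IKE <a.b.c.d>Construct [ID] for Phase 2
2009-03-18 10:13:22 : id payload constructed. type(4),ip(ac100b00),mask(ffffff00), prot(0), port(0)
2009-03-18 10:13:22 : IKE <a.b.c.d>Construct [ID] for Phase 2
2009-03-18 10:13:22 : id payload constructed. type(1),ip(00000000),mask(00000000), prot(0), port(0)
2009-03-18 10:13:22 : IKE <a.b.c.d>Received notify message for DOI <1> <18> <invalid-id-information>.
"""

# Hypothetical peer-side selectors (assumption: the remote network is constructed).
PEER_EXPECTS = [
    {"type": "ID_IPV4_ADDR_SUBNET", "selector": "172.16.11.0/24", "protocol": 0, "port": 0},
    {"type": "ID_IPV4_ADDR_SUBNET", "selector": "192.168.50.0/24", "protocol": 0, "port": 0},
]

# ID types from the IPsec DOI (RFC 2407); only the two that occur in this log.
ID_TYPES = {1: "ID_IPV4_ADDR", 4: "ID_IPV4_ADDR_SUBNET"}

ID_RE = re.compile(
    r"id payload constructed\. type\((\d+)\),ip\(([0-9a-f]{8})\),"
    r"mask\(([0-9a-f]{8})\), prot\((\d+)\), port\((\d+)\)"
)
NOTIFY_RE = re.compile(r"notify message for DOI <\d+> <(\d+)>")


def parse_proxy_ids(log):
    """Return the Phase 2 IDs in the order built: initiator (local), then responder (remote)."""
    ids = []
    for match in ID_RE.finditer(log):
        id_type, ip_hex, mask_hex, prot, port = match.groups()
        addr = ipaddress.IPv4Address(int(ip_hex, 16))
        mask = ipaddress.IPv4Address(int(mask_hex, 16))
        if int(id_type) == 4:
            # Subnet ID: address plus netmask, shown in CIDR form.
            selector = str(ipaddress.IPv4Network(f"{addr}/{mask}", strict=False))
        else:
            # Single-address ID: the mask field is not part of the identity.
            selector = str(addr)
        ids.append({
            "type": ID_TYPES.get(int(id_type), f"type {id_type}"),
            "selector": selector,
            "protocol": int(prot),
            "port": int(port),
        })
    return ids


def saw_invalid_id(log):
    """True if the peer sent notify 18 (INVALID-ID-INFORMATION in RFC 2408)."""
    return any(m.group(1) == "18" for m in NOTIFY_RE.finditer(log))


def diff_against_peer(sent, peer_expects):
    """List every field of the sent IDs that differs from the peer's configured selectors."""
    problems = []
    for role, ours, theirs in zip(("local", "remote"), sent, peer_expects):
        for field in ("type", "selector", "protocol", "port"):
            if ours[field] != theirs[field]:
                problems.append(
                    f"{role} {field}: sent {ours[field]!r}, peer expects {theirs[field]!r}"
                )
    return problems


if __name__ == "__main__":
    sent_ids = parse_proxy_ids(SAMPLE_LOG)
    print(sent_ids)
    if saw_invalid_id(SAMPLE_LOG):
        print("\n".join(diff_against_peer(sent_ids, PEER_EXPECTS)))
```

Replace `PEER_EXPECTS` with the selectors actually configured on the remote gateway once they are known.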


 
