Today I configured a site-to-site VPN on a Cisco router; the remote device was a Palo Alto. Phase 1 (ISAKMP main mode) completed correctly, but the tunnel never reached Phase 2. The ISAKMP debug output (debug crypto isakmp) said:
*Aug 15 09:13:06.899: ISAKMP:(6035):Total payload length: 12
*Aug 15 09:13:06.899: ISAKMP:(6035): sending packet to 80.70.60.50 my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Aug 15 09:13:06.899: ISAKMP:(6035):Sending an IKE IPv4 Packet.
*Aug 15 09:13:06.899: ISAKMP:(6035):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Aug 15 09:13:06.899: ISAKMP:(6035):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
*Aug 15 09:13:06.903: ISAKMP:(6035):Need config/address
*Aug 15 09:13:06.903: ISAKMP: set new node 1642552031 to CONF_ADDR
*Aug 15 09:13:06.903: ISAKMP:(6035):No IP address pool defined for ISAKMP!
*Aug 15 09:13:06.903: ISAKMP:(6035):peer does not do paranoid keepalives.
*Aug 15 09:13:06.903: ISAKMP:(6035):deleting SA reason "Fail to allocate ip address" state (R) CONF_ADDR (peer 80.70.60.50)
*Aug 15 09:13:06.903: ISAKMP:(6035):deleting node 1642552031 error FALSE reason "No Error"
*Aug 15 09:13:06.903: ISAKMP:(6035):peer does not do paranoid keepalives.
*Aug 15 09:13:06.903: ISAKMP (6035): FSM action returned error: 2
*Aug 15 09:13:06.903: ISAKMP:(6035):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Aug 15 09:13:06.903: ISAKMP:(6035):Old State = IKE_P1_COMPLETE New State = IKE_CONFIG_MODE_SET_SENT
Fail to allocate ip address? Within a site-to-site VPN? The problem was the command "crypto map XXXXX client configuration address initiate". There was already an EasyVPN server configured for remote-access clients on the same crypto map. Normally I configure "crypto map XXXXX client configuration address respond", which makes the router answer IKE mode-config requests from the clients and hand them an address from the VPN pool plus the other parameters. The "initiate" keyword does something different: the router itself starts mode config with every peer that matches the crypto map. So right after Phase 1 it tried to assign an IP address to the Palo Alto ("Need config/address"), found no ISAKMP address pool for that peer ("No IP address pool defined for ISAKMP!"), and deleted the ISAKMP SA with "Fail to allocate ip address" before Quick Mode ever started. That is why Phase 1 succeeded every time while Phase 2 never appeared in the debug. After I removed the initiate command ("no crypto map XXXXX client configuration address initiate") and left only respond, Phase 2 came up and the tunnel was established!
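The layout that triggers this problem, and its fix, as an added example that is not the original post's configuration: one crypto map XXXXX (the name the post elides) carrying both the static site-to-site entry to the Palo Alto and a dynamic entry for EasyVPN clients. The peer address is the one from the debug output; pool, ACL, transform-set, AAA list and group names are assumptions.

```cisco
! Added example, not the post's own configuration. Every name, address
! and ACL below is an assumption; XXXXX is the crypto map name the post elides.
!
aaa new-model
aaa authentication login EZVPN-XAUTH local
aaa authorization network EZVPN-AUTHOR local
username vpnuser secret ChangeMe
!
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 2
! Pre-shared key for the site-to-site peer (the Palo Alto)
crypto isakmp key S2S-PSK address 80.70.60.50
!
! EasyVPN: the pool and the other client parameters live in the group and are
! pushed by IKE mode config only to clients that ask for them.
ip local pool VPN-POOL 10.10.10.1 10.10.10.50
crypto isakmp client configuration group EZVPN-GROUP
 key EZVPN-PSK
 pool VPN-POOL
 dns 10.1.1.10
!
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha-hmac
!
crypto dynamic-map DYN-EZVPN 10
 set transform-set TS-AES
 reverse-route
!
crypto map XXXXX client authentication list EZVPN-XAUTH
crypto map XXXXX isakmp authorization list EZVPN-AUTHOR
!
! BROKEN: with "initiate" the router starts mode config towards every peer
! that matches this map, the Palo Alto included. There is no address to hand
! a site-to-site peer, so IOS logs "Fail to allocate ip address" and deletes
! the ISAKMP SA right after Phase 1. Remove it with:
!   no crypto map XXXXX client configuration address initiate
!
! FIXED: only answer mode-config requests, which only the EasyVPN clients send.
crypto map XXXXX client configuration address respond
!
! Static site-to-site entry to the Palo Alto (low sequence number, matched first)
ip access-list extended S2S-PALO
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
crypto map XXXXX 10 ipsec-isakmp
 set peer 80.70.60.50
 set transform-set TS-AES
 match address S2S-PALO
!
! Dynamic entry for the EasyVPN clients, evaluated after the static entries
crypto map XXXXX 65535 ipsec-isakmp dynamic DYN-EZVPN
!
interface GigabitEthernet0/0
 crypto map XXXXX
```

The "client configuration address" keyword is a property of the whole crypto map, not of one entry, so it affects every peer on the interface where the map is applied. When a site-to-site peer and an EasyVPN dynamic entry share a map, check with "show running-config | include client configuration address" that only respond is present. After the change, "show crypto isakmp sa" should list 80.70.60.50 in QM_IDLE and "show crypto ipsec sa peer 80.70.60.50" should show the encaps/decaps counters increasing; if "debug crypto isakmp" still shows the CONF_ADDR state for that peer, the initiate keyword is still configured somewhere.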