Network Guys

Cisco Site2Site VPN problem with “Fail to allocate ip address”

Today I configured a site2site VPN on a Cisco router. The remote device was a Palo Alto. Phase 1 was working correctly, but we got problems with Phase 2. The debug logs said:

*Aug 15 09:13:06.899: ISAKMP:(6035):Total payload length: 12
*Aug 15 09:13:06.899: ISAKMP:(6035): sending packet to 80.70.60.50 my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Aug 15 09:13:06.899: ISAKMP:(6035):Sending an IKE IPv4 Packet.
*Aug 15 09:13:06.899: ISAKMP:(6035):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Aug 15 09:13:06.899: ISAKMP:(6035):Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE

*Aug 15 09:13:06.903: ISAKMP:(6035):Need config/address
*Aug 15 09:13:06.903: ISAKMP: set new node 1642552031 to CONF_ADDR
*Aug 15 09:13:06.903: ISAKMP:(6035):No IP address pool defined for ISAKMP!
*Aug 15 09:13:06.903: ISAKMP:(6035):peer does not do paranoid keepalives.
*Aug 15 09:13:06.903: ISAKMP:(6035):deleting SA reason “Fail to allocate ip address” state (R) CONF_ADDR     (peer 80.70.60.50)

*Aug 15 09:13:06.903: ISAKMP:(6035):deleting node 1642552031 error FALSE reason “No Error”
*Aug 15 09:13:06.903: ISAKMP:(6035):peer does not do paranoid keepalives.

*Aug 15 09:13:06.903: ISAKMP (6035): FSM action returned error: 2
*Aug 15 09:13:06.903: ISAKMP:(6035):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Aug 15 09:13:06.903: ISAKMP:(6035):Old State = IKE_P1_COMPLETE  New State = IKE_CONFIG_MODE_SET_SENT

Fail to allocate ip address? Within a site2site VPN? The problem was the command “crypto map XXXXX client configuration address initiate”. There was already an EasyVPN configured for clients. Normally I configure “crypto map XXXXX client configuration address respond” to give the VPN pool and other parameters to the connected clients. After I deleted the initiate command, Phase 2 was working great and the tunnel was established!
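An added example, not part of the original post: a small Python check that finds this failure pattern in ISAKMP debug output (Phase 1 completes, then the SA is deleted during mode config) and lists the crypto maps carrying the initiate command. The sample log is cut down from the output above; the map name VPNMAP and both function names are assumptions.

```python
import re

# Constructed samples: log lines taken from the debug output above and a
# hypothetical running-config fragment (the map name VPNMAP is an assumption).
SAMPLE_LOG = """\
*Aug 15 09:13:06.899: ISAKMP:(6035): sending packet to 80.70.60.50 my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Aug 15 09:13:06.899: ISAKMP:(6035):Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE
*Aug 15 09:13:06.903: ISAKMP:(6035):Need config/address
*Aug 15 09:13:06.903: ISAKMP:(6035):No IP address pool defined for ISAKMP!
*Aug 15 09:13:06.903: ISAKMP:(6035):deleting SA reason "Fail to allocate ip address" state (R) CONF_ADDR     (peer 80.70.60.50)
"""
SAMPLE_CONFIG = """\
crypto map VPNMAP client configuration address initiate
crypto map VPNMAP client configuration address respond
crypto map VPNMAP 10 ipsec-isakmp
"""

SA_LINE = re.compile(r"ISAKMP:?\s?\((\d+)\):\s*(.*)")   # SA id and message text
PEER = re.compile(r"(?:sending packet to |\(peer )(\d+\.\d+\.\d+\.\d+)")
MARKERS = (("p1_done", "New State = IKE_P1_COMPLETE"),
           ("mode_cfg", "Need config/address"),
           ("deleted", "Fail to allocate ip address"))

def diagnose_log(text):
    """Return (sa_id, peer) for SAs that finished Phase 1 and died in mode config."""
    sas = {}
    for line in text.splitlines():
        m = SA_LINE.search(line)
        if not m:
            continue
        sa = sas.setdefault(m.group(1), {"peer": None, "flags": set()})
        msg = m.group(2)
        p = PEER.search(msg)
        if p:
            sa["peer"] = p.group(1)
        sa["flags"].update(key for key, needle in MARKERS if needle in msg)
    wanted = {key for key, _ in MARKERS}
    return [(sid, sa["peer"]) for sid, sa in sas.items() if wanted <= sa["flags"]]

def maps_initiating_mode_config(config):
    """Crypto maps where the router tries to set an address for every peer."""
    pat = r"^crypto map (\S+) client configuration address initiate\s*$"
    return re.findall(pat, config, flags=re.M)

if __name__ == "__main__":
    print(diagnose_log(SAMPLE_LOG), maps_initiating_mode_config(SAMPLE_CONFIG))
```
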

 

 

 
