VPN between Cisco ASA and Nortel Contivity not working

By anantha.krishnan
Hello,
One of my vendors has a Cisco ASA 5520 and we are trying to build a VPN tunnel between the ASA 5520 and a Nortel 4500 Contivity box.

It passes phase 1, and during phase 2 I get this error message:
----------
3|Dec 06 2006|11:51:39|713119|||Group = 1.1.1.1 IP = 1.1.1.1PHASE 1 COMPLETED
6|Dec 06 2006|11:51:39|113009|||AAA retrieved default group policy (DfltGrpPolicy) for user = 1.1.1.1
4|Dec 06 2006|11:51:39|113019|||Group = 1.1.1.1, Username = 1.1.1.1, IP = 1.1.1.1, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:00m:03s, Bytes xmt: 0, Bytes rcv: 0, Reason: Peer Reconnected
4|Dec 06 2006|11:51:39|713903|||Group = 1.1.1.1, IP = 1.1.1.1, Freeing previously allocated memory for authorization-dn-attributes
4|Dec 06 2006|11:51:36|713903|||Group = 1.1.1.1, IP = 1.1.1.1, Information Exchange processing failed
5|Dec 06 2006|11:51:36|713904|||Group = 1.1.1.1, IP = 1.1.1.1, Received an un-encrypted INVALID_ID_INFO notify message, dropping
----------------

Similarly, when we check the remote Contivity box, we get a similar error; it says:
----------
11/16/2006 12:43:39 0 Branch Office [01] IPSEC branch office connection initiated to rem[2.2.2.200-255.255.255.255]@[2.2.2.2] loc[10.50.61.0-255.255.255.0]
11/16/2006 12:43:39 0 Security [11] Session: IPSEC[2.2.2.2] attempting login
11/16/2006 12:43:39 0 Security [01] Session: IPSEC[2.2.2.2] has no active sessions
11/16/2006 12:43:39 0 Security [01] Session: IPSEC[2.2.2.2] Customer has no active accounts
11/16/2006 12:43:39 0 ISAKMP [13] Invalid ID information in message from 2.2.2.2
11/16/2006 12:43:39 0 tIsakmp [34] Failed Login Attempt: Username=2.2.2.2: Date/Time=11/16/2006 12:43:39
11/16/2006 12:43:39 0 ISAKMP [02] Deleting ISAKMP SA with 2.2.2.2
---------

Invalid ID info generally means the networks are not matching, or else that we are using different routing where one end is static and the other end is dynamic. But in this case we checked that as well and still get the same error.

Any clue how to troubleshoot further?
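As an added example (not part of the thread), a Python check for the first cause the question names, mismatched phase 2 networks: it parses the Contivity "connection initiated" line and the ASA crypto ACL, then reports any Contivity local/remote pair that no ASA entry mirrors. Both inputs are constructed to match the log above; the access-list name L2L is an assumption.

```python
import ipaddress
import re
# Constructed sample input, modelled on the Contivity line quoted in the question.
CONTIVITY_LOG = [
    "11/16/2006 12:43:39 0 Branch Office [01] IPSEC branch office connection initiated "
    "to rem[2.2.2.200-255.255.255.255]@[2.2.2.2] loc[10.50.61.0-255.255.255.0]",
]
# Constructed ASA crypto ACL (name L2L is hypothetical). Line 1 mirrors the Contivity
# selectors; line 2 is a typical mistake, a /24 where the peer expects a single host.
ASA_ACL = [
    "access-list L2L extended permit ip host 2.2.2.200 10.50.61.0 255.255.255.0",
    "access-list L2L extended permit ip 2.2.2.0 255.255.255.0 10.50.61.0 255.255.255.0",
]

CONTIVITY_RE = re.compile(
    r"rem\[(?P<rem>[\d.]+)-(?P<remmask>[\d.]+)\]@\[(?P<peer>[\d.]+)\] "
    r"loc\[(?P<loc>[\d.]+)-(?P<locmask>[\d.]+)\]")
ASA_ACL_RE = re.compile(
    r"permit ip (?:host (?P<s1>[\d.]+)|(?P<s2>[\d.]+) (?P<sm>[\d.]+)) "
    r"(?:host (?P<d1>[\d.]+)|(?P<d2>[\d.]+) (?P<dm>[\d.]+))")

def _net(addr, mask):
    # ipaddress accepts dotted netmasks; strict=False tolerates host bits in the address.
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def contivity_selectors(line):
    """(local, remote) networks from a Contivity 'connection initiated' line, else None."""
    m = CONTIVITY_RE.search(line)
    if not m:
        return None
    return (_net(m["loc"], m["locmask"]), _net(m["rem"], m["remmask"]))

def asa_selectors(acl_line):
    """(local, remote) networks from an ASA crypto ACL 'permit ip' line, else None."""
    m = ASA_ACL_RE.search(acl_line)
    if not m:
        return None
    src = _net(m["s1"], "255.255.255.255") if m["s1"] else _net(m["s2"], m["sm"])
    dst = _net(m["d1"], "255.255.255.255") if m["d1"] else _net(m["d2"], m["dm"])
    return (src, dst)

def unmirrored(contivity_lines, asa_acl_lines):
    """Contivity (local, remote) pairs that no ASA ACL entry mirrors as (remote, local)."""
    asa = {sel for sel in map(asa_selectors, asa_acl_lines) if sel}
    missing = []
    for line in contivity_lines:
        sel = contivity_selectors(line)
        if sel and (sel[1], sel[0]) not in asa:
            missing.append(sel)
    return missing
```

An empty result means the proxy IDs mirror each other and the INVALID_ID_INFO cause lies elsewhere (the IKE identity, algorithms or pre-shared key the replies discuss).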


All Answers


VPN between Cisco ASA and Nortel Contivity not working

by nick_mad In reply to VPN between Cisco ASA and ...

One of the first things you will want to do is to make sure that on the Contivity Vendor ID, Compression and Perfect Forward Secrecy are disabled. These settings are found under Profiles->Branch Office, select the group that this tunnel is created under, and click Configure, then click Configure in the IPSec section. On the ASA increase your debugs.

I hope this helps with the problem.
Nick


VPN between Cisco ASA and Nortel Contivity not working

by govindarajp In reply to VPN between Cisco ASA and ...

I also experienced a similar kind of issue with a PIX 515E and a Nortel Contivity 1700 series on the other end, and it was solved by enabling PFS on the PIX and using a preshared key with a combination of a-z, A-Z, 0-9 and _.:/,-\!".


VPN: Received an un-encrypted INVALID_ID_INFO notify message, dropping

by elizabethframos In reply to VPN between Cisco ASA and ...

Hi Anantha,

Please check the authentication and encryption algorithms, i.e. DH2, MD5, etc., and also the pre-shared key (if using a pre-shared key). In my experience these are normally the causes of the issue.

=beth


Add peer-id-validate nocheck to ASA Tunnel

by boilermaker_z In reply to VPN between Cisco ASA and ...

Under the tunnel-group peer-ip ipsec-attributes, add peer-id-validate nocheck.
