[ DarkoK78 @ 03.06.2009. 12:10 ] @
Folks, I have two Juniper SSG 140 firewalls and I'm trying to connect them and bring up the NSRP protocol on them. When HA comes up, the alarm lights up on one of them.
Is it possible that the problem is that one has software version 6.1.0r2.0 and the other 6.0.0r4.0?
The alarm lights up on the one running ver 6.1.0r2.0, and I noticed that configuration changes made on it are not applied to the other device, while applying in the opposite direction works.
I tried to download software version 6.0.0r4.0 from the Juniper site but I can't, because more than 90 days have passed since they were delivered.

Does anyone have an idea how I can get the 6.0.0r4.0 software?

Thanks and regards
Darko
[ Gojko Vujovic @ 03.06.2009. 12:30 ] @
NSRP is not supported across different versions, you're right about that. So you have to bring them to the same release.

For the software you have to open a Customer Care Case with Juniper, and they will tell you what is needed so that you can download it. You can do it by phone or via the web:
http://www.juniper.net/support/requesting-support.html
[ DarkoK78 @ 16.06.2009. 09:49 ] @
I managed to download newer software and loaded version 6.2.0r2.0 on both.
NSRP works great, but besides the HA light, the Alarm light is also lit non-stop.
Why does the alarm light up even though the firewall itself doesn't report any error?
[ DarkoK78 @ 17.06.2009. 12:17 ] @
Gojko,

can you tell me which port I should choose to put into HA mode when configuring NSRP?

What is the smarter choice: one 1Gbps port, one 100Mbps port, or two 100Mbps ports? What does the choice depend on?

I just can't get the alarm to go off even though everything works perfectly; what am I doing wrong?

Regards
Darko
[ Gojko Vujovic @ 01.07.2009. 09:07 ] @
For the alarm, try 'get event' to see what it's about.

For the ports, the official advice from Juniper is 2 x 1Gbps. Admittedly, you can use 100Mbps for the control channel, but the data channel must be 1Gbps. If there are any problems with NSRP, try with both gigabit interfaces.

By the way, you can also save the software image from the firewall to tftp like this: save soft from flash to tftp x.x.x.x <filename>
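One way to triage captured `get event` output offline, as an added example that is not part of the original posts: it counts events per level and groups IKE Phase 2 proxy-ID rejections by peer and offered subnets. The sample lines are constructed with documentation addresses, and the function names are hypothetical.

```python
import ipaddress
import re
from collections import Counter

# Layout of a ScreenOS event line: date, time, module, level, 5-digit type, description.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<module>\S+)\s+(?P<level>\S+)\s+(?P<type>\d{5})\s+(?P<desc>.*)$"
)
# The responder logs the proxy ID the peer offered when no VPN/policy matches it.
PROXY_RE = re.compile(
    r"IKE (?P<peer>\S+) Phase 2: No policy exists for the proxy ID received: "
    r"local ID \((?P<local>[^,]+), \d+, \d+\) "
    r"remote ID \((?P<remote>[^,]+), \d+, \d+\)"
)

# Constructed sample (newest first, as the device prints it); not taken from the thread.
SAMPLE = """\
Date       Time     Module level Type  Description
2024-01-01 10:00:07 system info 00536 IKE 203.0.113.7 Phase 2 msg ID 0a0b0c0d: Negotiations have failed.
2024-01-01 10:00:07 system info 00536 IKE 203.0.113.7 Phase 2: No policy exists for the proxy ID received: local ID (192.0.2.0/255.255.255.0, 0, 0) remote ID (198.51.100.0/255.255.255.0, 0, 0).
2024-01-01 10:00:05 system warn 00519 Admin user "admin" logged in for Web(http) management (port 80) from 198.51.100.45:2239
2024-01-01 10:00:01 system info 00536 IKE 203.0.113.7 Phase 2: No policy exists for the proxy ID received: local ID (192.0.2.0/255.255.255.0, 0, 0) remote ID (198.51.100.0/255.255.255.0, 0, 0).
2024-01-01 09:59:58 system notif 00531 The system clock was updated from primary NTP server.
"""


def parse_events(text):
    """Return one dict per event line; headers, separators and blanks are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            ev = m.groupdict()
            ev["ts"] = f"{ev['date']} {ev['time']}"  # ISO-like, sorts as text
            events.append(ev)
    return events


def level_counts(events):
    """Count events per severity level (info, notif, warn, ...)."""
    return Counter(ev["level"] for ev in events)


def events_at(events, levels):
    """Return the events whose level is in `levels`, e.g. {"warn"}."""
    return [ev for ev in events if ev["level"] in levels]


def to_cidr(net_with_mask):
    """Convert '192.0.2.0/255.255.255.0' to '192.0.2.0/24' for easy comparison."""
    return str(ipaddress.ip_network(net_with_mask.strip(), strict=False))


def proxy_id_mismatches(events):
    """Group proxy-ID rejections by (peer, local subnet, remote subnet).

    Each value holds the number of rejections and the first and last time seen,
    so a retry loop after a failover shows up as one entry with a high count.
    """
    groups = {}
    for ev in events:
        m = PROXY_RE.search(ev["desc"])
        if not m:
            continue
        key = (m["peer"], to_cidr(m["local"]), to_cidr(m["remote"]))
        g = groups.setdefault(key, {"count": 0, "first": ev["ts"], "last": ev["ts"]})
        g["count"] += 1
        g["first"] = min(g["first"], ev["ts"])
        g["last"] = max(g["last"], ev["ts"])
    return groups


if __name__ == "__main__":
    evs = parse_events(SAMPLE)
    print(dict(level_counts(evs)))
    for ev in events_at(evs, {"warn"}):
        print("WARN", ev["ts"], ev["desc"])
    for (peer, local, remote), g in proxy_id_mismatches(evs).items():
        print(f"{peer}: offered local={local} remote={remote} "
              f"x{g['count']} ({g['first']} .. {g['last']})")
```
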
[ DarkoK78 @ 26.07.2010. 11:52 ] @
Hello Gojko,

I managed to configure NSRP on two Juniper SSG 140s and it worked great until recently. Namely, I recently noticed that, for reasons unknown to me, the functionality of one switches over to the other (master to backup and vice versa), but I don't see any interruptions on any of the monitored interfaces. However, even that wouldn't be a problem for me, except that the following also happens: when the backup firewall is activated and control then returns to the primary, one of the configured VPNs does not come up (and the most important one at that :-( ). All I need to do in this nonsense is go into the VPN configuration and confirm it with OK. Right after that the VPN is established and everything works normally until the switch from primary to backup and back happens again.

Here is what the log says:

Quote:

==============================================================================
System Event Log (Current system time: Mon, 26 July 2010 12:18:49)
==============================================================================
Date Time Module level Type Description



2010-07-26 12:06:42 system info 00536 IKE 172.31.1.254 Phase 2 msg ID f2a6dca2: Completed negotiations with SPI 638a36f7, tunnel ID 28, and lifetime 3600 seconds/0 KB.
2010-07-26 12:06:42 system info 00536 IKE 172.31.1.254 phase 2:The symmetric crypto key has been generated successfully.
2010-07-26 12:06:42 system info 00536 IKE 172.31.1.254 Phase 2: Initiated negotiations.
2010-07-26 12:06:42 system info 00536 IKE 172.31.1.254 Phase 2 msg ID 40473c2f: Completed negotiations with SPI 638a36f6, tunnel ID 21, and lifetime 3600 seconds/0 KB.
2010-07-26 12:06:42 system notif 00625 Session (id 48034 src-ip 192.168.100.100 dst-ip 172.31.1.254 dst port 0) route is valid.
2010-07-26 12:06:42 system info 00536 IKE 172.31.1.254 phase 2:The symmetric crypto key has been generated successfully.
2010-07-26 12:06:42 system info 00536 IKE 172.31.1.254 Phase 2: Initiated negotiations.
2010-07-26 12:06:42 system info 00536 IKE 172.31.1.254 Phase 1: Completed Main mode negotiations with a 28800-second lifetime.
2010-07-26 12:06:42 system info 00536 IKE 172.31.1.254 phase 1:The symmetric crypto key has been generated successfully.
2010-07-26 12:06:40 system info 00767 System configuration saved by user via web from host 192.168.120.45 to 10.1.1.100:80 by user.
2010-07-26 12:06:40 system notif 00017 VPN monitoring for VPN_1 has been disabled.
2010-07-26 12:06:40 system notif 00625 Session (id 48024 src-ip 192.168.100.100 dst-ip 172.31.1.254 dst port 0) route is valid.
2010-07-26 12:06:40 system notif 00017 VPN_1 with gateway VPN_1 and P2 proposal nopfs-esp-3des-sha has been modified by user via web from host 192.168.120.45 to 10.1.1.100:80.

2010-07-26 12:06:21 system info 00536 IKE 172.31.1.254 Phase 2 msg ID 03177b51: Negotiations have failed.
2010-07-26 12:06:21 system info 00536 Rejected an IKE packet on ethernet0/3 from 172.31.1.254:500 to 192.168.100.100:500 with cookies 21b841f398752fc5 and cefb4e567d6bfa64 because The peer sent a proxy ID that did not match the one in the SA config.
2010-07-26 12:06:21 system info 00536 IKE 172.31.1.254 Phase 2: No policy exists for the proxy ID received: local ID (10.144.13.0/255.255.255.0, 0, 0) remote ID (192.168.50.0/255.255.255.0, 0, 0).
2010-07-26 12:06:21 system info 00536 IKE 172.31.1.254 Phase 2 msg ID 03177b51: Responded to the peer's first message.
2010-07-26 12:06:20 system info 00536 IKE 172.31.1.254: Received a notification message for DOI 1 11 INVALID-SPI.
2010-07-26 12:06:13 system info 00536 IKE 172.31.1.254 Phase 2 msg ID 03177b51: Negotiations have failed.
2010-07-26 12:06:13 system info 00536 Rejected an IKE packet on ethernet0/3 from 172.31.1.254:500 to 192.168.100.100:500 with cookies 21b841f398752fc5 and cefb4e567d6bfa64 because The peer sent a proxy ID that did not match the one in the SA config.
2010-07-26 12:06:13 system info 00536 IKE 172.31.1.254 Phase 2: No policy exists for the proxy ID received: local ID (10.144.13.0/255.255.255.0, 0, 0) remote ID (192.168.50.0/255.255.255.0, 0, 0).
2010-07-26 12:06:13 system info 00536 IKE 172.31.1.254 Phase 2 msg ID 03177b51: Responded to the peer's first message.
2010-07-26 12:06:09 system info 00536 IKE 172.31.1.254: Received a notification message for DOI 1 11 INVALID-SPI.

2010-07-26 12:06:05 system info 00536 IKE 172.31.1.254 Phase 2 msg ID 03177b51: Negotiations have failed.
2010-07-26 12:06:05 system info 00536 Rejected an IKE packet on ethernet0/3 from 172.31.1.254:500 to 192.168.100.100:500 with cookies 21b841f398752fc5 and cefb4e567d6bfa64 because The peer sent a proxy ID that did not match the one in the SA config.
2010-07-26 12:06:05 system info 00536 IKE 172.31.1.254 Phase 2: No policy exists for the proxy ID received: local ID (10.144.13.0/255.255.255.0, 0, 0) remote ID (192.168.50.0/255.255.255.0, 0, 0).
2010-07-26 12:06:05 system info 00536 IKE 172.31.1.254 Phase 2 msg ID 03177b51: Responded to the peer's first message.
2010-07-26 12:06:01 system notif 00531 The system clock was updated from primary NTP server type 10.1.1.204 with an adjustment of -15 ms. Authentication was None. Update mode was Automatic
2010-07-26 12:05:58 system info 00536 IKE 172.31.1.254: Received a notification message for DOI 1 11 INVALID-SPI.
2010-07-26 12:05:57 system info 00536 IKE 172.31.1.254 Phase 2 msg ID 03177b51: Negotiations have failed.
2010-07-26 12:05:57 system info 00536 Rejected an IKE packet on ethernet0/3 from 172.31.1.254:500 to 192.168.100.100:500 with cookies 21b841f398752fc5 and cefb4e567d6bfa64 because The peer sent a proxy ID that did not match the one in the SA config.
2010-07-26 12:05:57 system info 00536 IKE 172.31.1.254 Phase 2: No policy exists for the proxy ID received: local ID (10.144.13.0/255.255.255.0, 0, 0) remote ID (192.168.50.0/255.255.255.0, 0, 0).
2010-07-26 12:05:57 system info 00536 IKE 172.31.1.254 Phase 2 msg ID 03177b51: Responded to the peer's first message.
2010-07-26 12:05:57 system info 00536 IKE 172.31.1.254 Phase 1: Completed Main mode negotiations with a 28800-second lifetime.
2010-07-26 12:05:57 system info 00536 IKE 172.31.1.254 phase 1:The symmetric crypto key has been generated successfully.
2010-07-26 12:05:56 system info 00536 IKE 172.31.1.254 Phase 1: Responder starts MAIN mode negotiations.
2010-07-26 12:05:56 system warn 00519 Admin user "user" logged in for Web(http) management (port 80) from 192.168.120.45:2239
2010-07-26 12:05:56 system info 00519 ADM: Local admin authentication successful for login name user
2010-07-26 12:05:36 system info 00536 IKE 172.31.1.254: Received a notification message for DOI 1 11 INVALID-SPI.
2010-07-26 12:05:36 system info 00536 IKE 172.31.1.254 Phase 2 msg ID 8e6a0234: Negotiations have failed.
2010-07-26 12:05:36 system info 00536 Rejected an IKE packet on ethernet0/3 from 172.31.1.254:500 to 192.168.100.100:500 with cookies df7ed3f2e2b15d4c and f60d846aa329d336 because The peer sent a proxy ID that did not match the one in the SA config.
2010-07-26 12:05:36 system info 00536 IKE 172.31.1.254 Phase 2: No policy exists for the proxy ID received: local ID (10.144.13.0/255.255.255.0, 0, 0) remote ID (192.168.50.0/255.255.255.0, 0, 0).
2010-07-26 12:05:36 system info 00536 IKE 172.31.1.254 Phase 2 msg ID 8e6a0234: Responded to the peer's first message.
2010-07-26 12:05:28 system info 00536 IKE 172.31.1.254 Phase 2 msg ID 8e6a0234: Negotiations have failed.
2010-07-26 12:05:28 system info 00536 Rejected an IKE packet on ethernet0/3 from 172.31.1.254:500 to 192.168.100.100:500 with cookies df7ed3f2e2b15d4c and f60d846aa329d336 because The peer sent a proxy ID that did not match the one in the SA config.
2010-07-26 12:05:28 system info 00536 IKE 172.31.1.254 Phase 2: No policy exists for the proxy ID received: local ID (10.144.13.0/255.255.255.0, 0, 0) remote ID (192.168.50.0/255.255.255.0, 0, 0).
2010-07-26 12:05:28 system info 00536 IKE 172.31.1.254 Phase 2 msg ID 8e6a0234: Responded to the peer's first message.
2010-07-26 12:05:25 system info 00536 IKE 172.31.1.254: Received a notification message for DOI 1 11 INVALID-SPI.

2010-07-26 12:05:20 system info 00536 IKE 172.31.1.254 Phase 2 msg ID 8e6a0234: Negotiations have failed.
2010-07-26 12:05:20 system info 00536 Rejected an IKE packet on ethernet0/3 from 172.31.1.254:500 to 192.168.100.100:500 with cookies df7ed3f2e2b15d4c and f60d846aa329d336 because The peer sent a proxy ID that did not match the one in the SA config.
2010-07-26 12:05:20 system info 00536 IKE 172.31.1.254 Phase 2: No policy exists for the proxy ID received: local ID (10.144.13.0/255.255.255.0, 0, 0) remote ID (192.168.50.0/255.255.255.0, 0, 0).
2010-07-26 12:05:20 system info 00536 IKE 172.31.1.254 Phase 2 msg ID 8e6a0234: Responded to the peer's first message.
2010-07-26 12:05:14 system info 00536 IKE 172.31.1.254: Received a notification message for DOI 1 11 INVALID-SPI.
2010-07-26 12:05:12 system info 00536 IKE 172.31.1.254 Phase 2 msg ID 8e6a0234: Negotiations have failed.
2010-07-26 12:05:12 system info 00536 Rejected an IKE packet on ethernet0/3 from 172.31.1.254:500 to 192.168.100.100:500 with cookies df7ed3f2e2b15d4c and f60d846aa329d336 because The peer sent a proxy ID that did not match the one in the SA config.
2010-07-26 12:05:12 system info 00536 IKE 172.31.1.254 Phase 2: No policy exists for the proxy ID received: local ID (10.144.13.0/255.255.255.0, 0, 0) remote ID (192.168.50.0/255.255.255.0, 0, 0).
2010-07-26 12:05:12 system info 00536 IKE 172.31.1.254 Phase 2 msg ID 8e6a0234: Responded to the peer's first message.
2010-07-26 12:05:12 system info 00536 IKE 172.31.1.254 Phase 1: Completed Main mode negotiations with a 28800-second lifetime.
2010-07-26 12:05:12 system info 00536 IKE 172.31.1.254 phase 1:The symmetric crypto key has been generated successfully.
2010-07-26 12:05:11 system info 00536 IKE 172.31.1.254 Phase 1: Responder starts MAIN mode negotiations.
2010-07-26 12:05:03 system info 00536 IKE 172.31.1.254: Received a notification message for DOI 1 11 INVALID-SPI.
2010-07-26 12:05:01 system info 00536 IKE 172.31.1.254 Phase 2 msg ID 6399f522: Negotiations have failed.
2010-07-26 12:05:01 system info 00536 Rejected an IKE packet on ethernet0/3 from 172.31.1.254:500 to 192.168.100.100:500 with cookies 93a4e5700a728264 and ba38851e91e5b84e because The peer sent a proxy ID that did not match the one in the SA config.
2010-07-26 12:05:01 system info 00536 IKE 172.31.1.254 Phase 2: No policy exists for the proxy ID received: local ID (10.144.13.0/255.255.255.0, 0, 0) remote ID (192.168.50.0/255.255.255.0, 0, 0).
2010-07-26 12:05:01 system info 00536 IKE 172.31.1.254 Phase 2 msg ID 6399f522: Responded to the peer's first message.

2010-07-26 12:04:53 system info 00536 IKE 172.31.1.254 Phase 2 msg ID 6399f522: Negotiations have failed.
2010-07-26 12:04:53 system info 00536 Rejected an IKE packet on ethernet0/3 from 172.31.1.254:500 to 192.168.100.100:500 with cookies 93a4e5700a728264 and ba38851e91e5b84e because The peer sent a proxy ID that did not match the one in the SA config.
2010-07-26 12:04:53 system info 00536 IKE 172.31.1.254 Phase 2: No policy exists for the proxy ID received: local ID (10.144.13.0/255.255.255.0, 0, 0) remote ID (192.168.50.0/255.255.255.0, 0, 0).
2010-07-26 12:04:53 system info 00536 IKE 172.31.1.254 Phase 2 msg ID 6399f522: Responded to the peer's first message.

2010-07-26 12:04:52 system info 00536 IKE 172.31.1.254: Received a notification message for DOI 1 11 INVALID-SPI.

2010-07-26 12:04:45 system info 00536 IKE 172.31.1.254 Phase 2 msg ID 6399f522: Negotiations have failed.
2010-07-26 12:04:45 system info 00536 Rejected an IKE packet on ethernet0/3 from 172.31.1.254:500 to 192.168.100.100:500 with cookies 93a4e5700a728264 and ba38851e91e5b84e because The peer sent a proxy ID that did not match the one in the SA config.
2010-07-26 12:04:45 system info 00536 IKE 172.31.1.254 Phase 2: No policy exists for the proxy ID received: local ID (10.144.13.0/255.255.255.0, 0, 0) remote ID (192.168.50.0/255.255.255.0, 0, 0).
2010-07-26 12:04:45 system info 00536 IKE 172.31.1.254 Phase 2 msg ID 6399f522: Responded to the peer's first message.
2010-07-26 12:04:41 system info 00536 IKE 172.31.1.254: Received a notification message for DOI 1 11 INVALID-SPI.
2010-07-26 12:04:37 system info 00536 IKE 172.31.1.254 Phase 2 msg ID 6399f522: Negotiations have failed.
2010-07-26 12:04:37 system info 00536 Rejected an IKE packet on ethernet0/3 from 172.31.1.254:500 to 192.168.100.100:500 with cookies 93a4e5700a728264 and ba38851e91e5b84e because The peer sent a proxy ID that did not match the one in the SA config.
2010-07-26 12:04:37 system info 00536 IKE 172.31.1.254 Phase 2: No policy exists for the proxy ID received: local ID (10.144.13.0/255.255.255.0, 0, 0) remote ID (192.168.50.0/255.255.255.0, 0, 0).
2010-07-26 12:04:37 system info 00536 IKE 172.31.1.254 Phase 2 msg ID 6399f522: Responded to the peer's first message.
2010-07-26 12:04:37 system info 00536 IKE 172.31.1.254 Phase 1: Completed Main mode negotiations with a 28800-second lifetime.
2010-07-26 12:04:37 system info 00536 IKE 172.31.1.254 phase 1:The symmetric crypto key has been generated successfully.
2010-07-26 12:04:37 system info 00536 IKE 172.31.1.254 Phase 1: Responder starts MAIN mode negotiations.
2010-07-26 12:04:30 system info 00536 IKE 172.31.1.254: Received a notification message for DOI 1 11 INVALID-SPI.
2010-07-26 12:04:29 system info 00536 IKE 172.31.1.254 Phase 2 msg ID a76e69af: Negotiations have failed.
2010-07-26 12:04:29 system info 00536 Rejected an IKE packet on ethernet0/3 from 172.31.1.254:500 to 192.168.100.100:500 with cookies 95cf9cb2d6e54816 and e29ec4a4589a6ef2 because The peer sent a proxy ID that did not match the one in the SA config.
2010-07-26 12:04:29 system info 00536 IKE 172.31.1.254 Phase 2: No policy exists for the proxy ID received: local ID (10.144.13.0/255.255.255.0, 0, 0) remote ID (192.168.50.0/255.255.255.0, 0, 0).
2010-07-26 12:04:29 system info 00536 IKE 172.31.1.254 Phase 2 msg ID a76e69af: Responded to the peer's first message.
2010-07-26 12:04:21 system info 00536 IKE 172.31.1.254 Phase 2 msg ID a76e69af: Negotiations have failed.
2010-07-26 12:04:21 system info 00536 Rejected an IKE packet on ethernet0/3 from 172.31.1.254:500 to 192.168.100.100:500 with cookies 95cf9cb2d6e54816 and e29ec4a4589a6ef2 because The peer sent a proxy ID that did not match the one in the SA config.
2010-07-26 12:04:21 system info 00536 IKE 172.31.1.254 Phase 2: No policy exists for the proxy ID received: local ID (10.144.13.0/255.255.255.0, 0, 0) remote ID (192.168.50.0/255.255.255.0, 0, 0).
2010-07-26 12:04:21 system info 00536 IKE 172.31.1.254 Phase 2 msg ID a76e69af: Responded to the peer's first message.
2010-07-26 12:04:19 system info 00536 IKE 172.31.1.254: Received a notification message for DOI 1 11 INVALID-SPI.

2010-07-26 12:04:13 system info 00536 IKE 172.31.1.254 Phase 2 msg ID a76e69af: Negotiations have failed.
2010-07-26 12:04:13 system info 00536 Rejected an IKE packet on ethernet0/3 from 172.31.1.254:500 to 192.168.100.100:500 with cookies 95cf9cb2d6e54816 and e29ec4a4589a6ef2 because The peer sent a proxy ID that did not match the one in the SA config.
2010-07-26 12:04:13 system info 00536 IKE 172.31.1.254 Phase 2: No policy exists for the proxy ID received: local ID (10.144.13.0/255.255.255.0, 0, 0) remote ID (192.168.50.0/255.255.255.0, 0, 0).
2010-07-26 12:04:13 system info 00536 IKE 172.31.1.254 Phase 2 msg ID a76e69af: Responded to the peer's first message.
2010-07-26 12:04:08 system info 00536 IKE 172.31.1.254: Received a notification message for DOI 1 11 INVALID-SPI.
2010-07-26 12:04:05 system info 00536 IKE 172.31.1.254 Phase 2 msg ID a76e69af: Negotiations have failed.
2010-07-26 12:04:05 system info 00536 Rejected an IKE packet on ethernet0/3 from 172.31.1.254:500 to 192.168.100.100:500 with cookies 95cf9cb2d6e54816 and e29ec4a4589a6ef2 because The peer sent a proxy ID that did not match the one in the SA config.
2010-07-26 12:04:05 system info 00536 IKE 172.31.1.254 Phase 2: No policy exists for the proxy ID received: local ID (10.144.13.0/255.255.255.0, 0, 0) remote ID (192.168.50.0/255.255.255.0, 0, 0).
2010-07-26 12:04:05 system info 00536 IKE 172.31.1.254 Phase 2 msg ID a76e69af: Responded to the peer's first message.
2010-07-26 12:04:04 system info 00536 IKE 172.31.1.254 Phase 1: Completed Main mode negotiations with a 28800-second lifetime.
2010-07-26 12:04:04 system info 00536 IKE 172.31.1.254 phase 1:The symmetric crypto key has been generated successfully.
2010-07-26 12:04:04 system info 00536 IKE 172.31.1.254 Phase 1: Responder starts MAIN mode negotiations.
2010-07-26 12:03:46 system info 00536 IKE 172.31.1.254: Received a notification message for DOI 1 11 INVALID-SPI.
2010-07-26 12:03:44 system info 00536 IKE 172.31.1.254 Phase 2 msg ID 2c454332: Negotiations have failed.
2010-07-26 12:03:44 system info 00536 Rejected an IKE packet on ethernet0/3 from 172.31.1.254:500 to 192.168.100.100:500 with cookies a9c47a6529796d76 and 28b33e69516fb5ab because The peer sent a proxy ID that did not match the one in the SA config.
2010-07-26 12:03:44 system info 00536 IKE 172.31.1.254 Phase 2: No policy exists for the proxy ID received: local ID (10.144.13.0/255.255.255.0, 0, 0) remote ID (192.168.50.0/255.255.255.0, 0, 0).
2010-07-26 12:03:44 system info 00536 IKE 172.31.1.254 Phase 2 msg ID 2c454332: Responded to the peer's first message.
2010-07-26 12:03:38 system info 00536 IKE 172.31.1.254: Received a notification message for DOI 1 11 INVALID-SPI.
2010-07-26 12:03:36 system info 00536 IKE 172.31.1.254 Phase 2 msg ID 2c454332: Negotiations have failed.
2010-07-26 12:03:36 system info 00536 Rejected an IKE packet on ethernet0/3 from 172.31.1.254:500 to 192.168.100.100:500 with cookies a9c47a6529796d76 and 28b33e69516fb5ab because The peer sent a proxy ID that did not match the one in the SA config.
2010-07-26 12:03:36 system info 00536 IKE 172.31.1.254 Phase 2: No policy exists for the proxy ID received: local ID (10.144.13.0/255.255.255.0, 0, 0) remote ID (192.168.50.0/255.255.255.0, 0, 0).
2010-07-26 12:03:36 system info 00536 IKE 172.31.1.254 Phase 2 msg ID 2c454332: Responded to the peer's first message.
2010-07-26 12:03:32 system info 00536 IKE 172.31.1.254: Received a notification message for DOI 1 11 INVALID-SPI.
2010-07-26 12:03:30 system notif 00625 Session (id 47475 src-ip 192.168.5.21 dst-ip 192.168.1.4 dst port 23) route is valid.
2010-07-26 12:03:28 system info 00536 IKE 172.31.1.254 Phase 2 msg ID 2c454332: Negotiations have failed.
2010-07-26 12:03:28 system info 00536 Rejected an IKE packet on ethernet0/3 from 172.31.1.254:500 to 192.168.100.100:500 with cookies a9c47a6529796d76 and 28b33e69516fb5ab because The peer sent a proxy ID that did not match the one in the SA config.
2010-07-26 12:03:28 system info 00536 IKE 172.31.1.254 Phase 2: No policy exists for the proxy ID received: local ID (10.144.13.0/255.255.255.0, 0, 0) remote ID (192.168.50.0/255.255.255.0, 0, 0).
2010-07-26 12:03:28 system info 00536 IKE 172.31.1.254 Phase 2 msg ID 2c454332: Responded to the peer's first message.
2010-07-26 12:03:24 system info 00536 IKE 172.31.1.254: Received a notification message for DOI 1 11 INVALID-SPI.
2010-07-26 12:03:20 system info 00536 IKE 172.31.1.254 Phase 2 msg ID 2c454332: Negotiations have failed.
2010-07-26 12:03:20 system info 00536 Rejected an IKE packet on ethernet0/3 from 172.31.1.254:500 to 192.168.100.100:500 with cookies a9c47a6529796d76 and 28b33e69516fb5ab because The peer sent a proxy ID that did not match the one in the SA config.
2010-07-26 12:03:20 system info 00536 IKE 172.31.1.254 Phase 2: No policy exists for the proxy ID received: local ID (10.144.13.0/255.255.255.0, 0, 0) remote ID (192.168.50.0/255.255.255.0, 0, 0).
2010-07-26 12:03:20 system info 00536 IKE 172.31.1.254 Phase 2 msg ID 2c454332: Responded to the peer's first message.
2010-07-26 12:03:19 system info 00536 IKE 172.31.1.254 Phase 1: Completed Main mode negotiations with a 28800-second lifetime.
2010-07-26 12:03:19 system info 00536 IKE 172.31.1.254 phase 1:The symmetric crypto key has been generated successfully.
2010-07-26 12:03:19 system info 00536 IKE 172.31.1.254 Phase 1: Responder starts MAIN mode negotiations.
2010-07-26 12:03:14 system notif 00625 Session (id 47756 src-ip 192.168.7.27 dst-ip 192.168.1.3 dst port 445) route is valid.
2010-07-26 12:03:02 system info 00536 IKE 172.31.1.254: Received a notification message for DOI 1 11 INVALID-SPI.
2010-07-26 12:02:59 system info 00536 IKE 172.31.1.254 Phase 2 msg ID 1865b275: Negotiations have failed.
2010-07-26 12:02:59 system info 00536 Rejected an IKE packet on ethernet0/3 from 172.31.1.254:500 to 192.168.100.100:500 with cookies 91d3bf8b7b07244e and 5990ecdfac177112 because The peer sent a proxy ID that did not match the one in the SA config.
2010-07-26 12:02:59 system info 00536 IKE 172.31.1.254 Phase 2: No policy exists for the proxy ID received: local ID (10.144.13.0/255.255.255.0, 0, 0) remote ID (192.168.50.0/255.255.255.0, 0, 0).
2010-07-26 12:02:59 system info 00536 IKE 172.31.1.254 Phase 2 msg ID 1865b275: Responded to the peer's first message.

2010-07-26 12:02:51 system info 00536 IKE 172.31.1.254 Phase 2 msg ID 1865b275: Negotiations have failed.
2010-07-26 12:02:51 system info 00536 Rejected an IKE packet on ethernet0/3 from 172.31.1.254:500 to 192.168.100.100:500 with cookies 91d3bf8b7b07244e and 5990ecdfac177112 because The peer sent a proxy ID that did not match the one in the SA config.
2010-07-26 12:02:51 system info 00536 IKE 172.31.1.254 Phase 2: No policy exists for the proxy ID received: local ID (10.144.13.0/255.255.255.0, 0, 0) remote ID (192.168.50.0/255.255.255.0, 0, 0).
2010-07-26 12:02:51 system info 00536 IKE 172.31.1.254 Phase 2 msg ID 1865b275: Responded to the peer's first message.
2010-07-26 12:02:51 system info 00536 IKE 172.31.1.254: Received a notification message for DOI 1 11 INVALID-SPI.
2010-07-26 12:02:43 system info 00536 IKE 172.31.1.254 Phase 2 msg ID 1865b275: Negotiations have failed.
2010-07-26 12:02:43 system info 00536 Rejected an IKE packet on ethernet0/3 from 172.31.1.254:500 to 192.168.100.100:500 with cookies 91d3bf8b7b07244e and 5990ecdfac177112 because The peer sent a proxy ID that did not match the one in the SA config.
2010-07-26 12:02:43 system info 00536 IKE 172.31.1.254 Phase 2: No policy exists for the proxy ID received: local ID (10.144.13.0/255.255.255.0, 0, 0) remote ID (192.168.50.0/255.255.255.0, 0, 0).
2010-07-26 12:02:43 system info 00536 IKE 172.31.1.254 Phase 2 msg ID 1865b275: Responded to the peer's first message.
2010-07-26 12:02:40 system info 00536 IKE 172.31.1.254: Received a notification message for DOI 1 11 INVALID-SPI.
2010-07-26 12:02:35 system info 00536 IKE 172.31.1.254 Phase 2 msg ID 1865b275: Negotiations have failed.
2010-07-26 12:02:35 system info 00536 Rejected an IKE packet on ethernet0/3 from 172.31.1.254:500 to 192.168.100.100:500 with cookies 91d3bf8b7b07244e and 5990ecdfac177112 because The peer sent a proxy ID that did not match the one in the SA config.
2010-07-26 12:02:35 system info 00536 IKE 172.31.1.254 Phase 2: No policy exists for the proxy ID received: local ID (10.144.13.0/255.255.255.0, 0, 0) remote ID (192.168.50.0/255.255.255.0, 0, 0).
2010-07-26 12:02:35 system info 00536 IKE 172.31.1.254 Phase 2 msg ID 1865b275: Responded to the peer's first message.
2010-07-26 12:02:35 system info 00536 IKE 172.31.1.254 Phase 1: Completed Main mode negotiations with a 28800-second lifetime.
2010-07-26 12:02:35 system info 00536 IKE 172.31.1.254 phase 1:The symmetric crypto key has been generated successfully.
2010-07-26 12:02:35 system info 00536 IKE 172.31.1.254 Phase 1: Responder starts MAIN mode negotiations.
2010-07-26 12:02:18 system info 00536 IKE 172.31.1.254: Received a notification message for DOI 1 11 INVALID-SPI.
2010-07-26 12:02:14 system info 00536 IKE 172.31.1.254 Phase 2 msg ID 07f10c1f: Negotiations have failed.
2010-07-26 12:02:14 system info 00536 Rejected an IKE packet on ethernet0/3 from 172.31.1.254:500 to 192.168.100.100:500 with cookies f26fca050dea5e75 and 7e66e376ce58e218 because The peer sent a proxy ID that did not match the one in the SA config.
2010-07-26 12:02:14 system info 00536 IKE 172.31.1.254 Phase 2: No policy exists for the proxy ID received: local ID (10.144.13.0/255.255.255.0, 0, 0) remote ID (192.168.50.0/255.255.255.0, 0, 0).
2010-07-26 12:02:14 system info 00536 IKE 172.31.1.254 Phase 2 msg ID 07f10c1f: Responded to the peer's first message.
2010-07-26 12:02:07 system info 00536 IKE 172.31.1.254: Received a notification message for DOI 1 11 INVALID-SPI.
2010-07-26 12:02:06 system info 00536 IKE 172.31.1.254 Phase 2 msg ID 07f10c1f: Negotiations have failed.
2010-07-26 12:02:06 system info 00536 Rejected an IKE packet on ethernet0/3 from 172.31.1.254:500 to 192.168.100.100:500 with cookies f26fca050dea5e75 and 7e66e376ce58e218 because The peer sent a proxy ID that did not match the one in the SA config.
2010-07-26 12:02:06 system info 00536 IKE 172.31.1.254 Phase 2: No policy exists for the proxy ID received: local ID (10.144.13.0/255.255.255.0, 0, 0) remote ID (192.168.50.0/255.255.255.0, 0, 0).
2010-07-26 12:02:06 system info 00536 IKE 172.31.1.254 Phase 2 msg ID 07f10c1f: Responded to the peer's first message.
2010-07-26 12:01:58 system info 00536 IKE 172.31.1.254 Phase 2 msg ID 07f10c1f: Negotiations have failed.
2010-07-26 12:01:58 system info 00536 Rejected an IKE packet on ethernet0/3 from 172.31.1.254:500 to 192.168.100.100:500 with cookies f26fca050dea5e75 and 7e66e376ce58e218 because The peer sent a proxy ID that did not match the one in the SA config.
2010-07-26 12:01:58 system info 00536 IKE 172.31.1.254 Phase 2: No policy exists for the proxy ID received: local ID (10.144.13.0/255.255.255.0, 0, 0) remote ID (192.168.50.0/255.255.255.0, 0, 0).
2010-07-26 12:01:58 system info 00536 IKE 172.31.1.254 Phase 2 msg ID 07f10c1f: Responded to the peer's first message.
2010-07-26 12:01:56 system info 00536 IKE 172.31.1.254: Received a notification message for DOI 1 11 INVALID-SPI.
2010-07-26 12:01:50 system info 00536 IKE 172.31.1.254 Phase 2 msg ID 07f10c1f: Negotiations have failed.
2010-07-26 12:01:50 system info 00536 Rejected an IKE packet on ethernet0/3 from 172.31.1.254:500 to 192.168.100.100:500 with cookies f26fca050dea5e75 and 7e66e376ce58e218 because The peer sent a proxy ID that did not match the one in the SA config.
2010-07-26 12:01:50 system info 00536 IKE 172.31.1.254 Phase 2: No policy exists for the proxy ID received: local ID (10.144.13.0/255.255.255.0, 0, 0) remote ID (192.168.50.0/255.255.255.0, 0, 0).
2010-07-26 12:01:50 system info 00536 IKE 172.31.1.254 Phase 2 msg ID 07f10c1f: Responded to the peer's first message.
2010-07-26 12:01:50 system info 00536 IKE 172.31.1.254 Phase 1: Completed Main mode negotiations with a 28800-second lifetime.
2010-07-26 12:01:50 system info 00536 IKE 172.31.1.254 phase 1:The symmetric crypto key has been generated successfully.
2010-07-26 12:01:50 system info 00536 IKE 172.31.1.254 Phase 1: Responder starts MAIN mode negotiations.

2010-07-26 12:01:01 system info 00536 IKE 172.31.1.254: Received a notification message for DOI 1 11 INVALID-SPI.
2010-07-26 12:00:59 system info 00536 IKE 172.31.1.254 Phase 2 msg ID 1041f245: Negotiations have failed.
2010-07-26 12:00:59 system info 00536 Rejected an IKE packet on ethernet0/3 from 172.31.1.254:500 to 192.168.100.100:500 with cookies 55896d2c10e5da36 and 4860be86b80eb8a7 because The peer sent a proxy ID that did not match the one in the SA config.
2010-07-26 12:00:59 system info 00536 IKE 172.31.1.254 Phase 2: No policy exists for the proxy ID received: local ID (10.144.13.0/255.255.255.0, 0, 0) remote ID (192.168.50.0/255.255.255.0, 0, 0).
2010-07-26 12:00:59 system info 00536 IKE 172.31.1.254 Phase 2 msg ID 1041f245: Responded to the peer's first message.
2010-07-26 12:00:51 system info 00536 IKE 172.31.1.254 Phase 2 msg ID 1041f245: Negotiations have failed.
2010-07-26 12:00:51 system info 00536 Rejected an IKE packet on ethernet0/3 from 172.31.1.254:500 to 192.168.100.100:500 with cookies 55896d2c10e5da36 and 4860be86b80eb8a7 because The peer sent a proxy ID that did not match the one in the SA config.
2010-07-26 12:00:51 system info 00536 IKE 172.31.1.254 Phase 2: No policy exists for the proxy ID received: local ID (10.144.13.0/255.255.255.0, 0, 0) remote ID (192.168.50.0/255.255.255.0, 0, 0).
2010-07-26 12:00:51 system info 00536 IKE 172.31.1.254 Phase 2 msg ID 1041f245: Responded to the peer's first message.
2010-07-26 12:00:50 system info 00536 IKE 172.31.1.254: Received a notification message for DOI 1 11 INVALID-SPI.
2010-07-26 12:00:43 system info 00536 IKE 172.31.1.254 Phase 2 msg ID 1041f245: Negotiations have failed.
2010-07-26 12:00:43 system info 00536 Rejected an IKE packet on ethernet0/3 from 172.31.1.254:500 to 192.168.100.100:500 with cookies 55896d2c10e5da36 and 4860be86b80eb8a7 because The peer sent a proxy ID that did not match the one in the SA config.
2010-07-26 12:00:43 system info 00536 IKE 172.31.1.254 Phase 2: No policy exists for the proxy ID received: local ID (10.144.13.0/255.255.255.0, 0, 0) remote ID (192.168.50.0/255.255.255.0, 0, 0).
2010-07-26 12:00:43 system info 00536 IKE 172.31.1.254 Phase 2 msg ID 1041f245: Responded to the peer's first message.
2010-07-26 12:00:39 system info 00536 IKE 172.31.1.254: Received a notification message for DOI 1 11 INVALID-SPI.
2010-07-26 12:00:35 system info 00536 IKE 172.31.1.254 Phase 2 msg ID 1041f245: Negotiations have failed.
2010-07-26 12:00:35 system info 00536 Rejected an IKE packet on ethernet0/3 from 172.31.1.254:500 to 192.168.100.100:500 with cookies 55896d2c10e5da36 and 4860be86b80eb8a7 because The peer sent a proxy ID that did not match the one in the SA config.
2010-07-26 12:00:35 system info 00536 IKE 172.31.1.254 Phase 2: No policy exists for the proxy ID received: local ID (10.144.13.0/255.255.255.0, 0, 0) remote ID (192.168.50.0/255.255.255.0, 0, 0).
2010-07-26 12:00:35 system info 00536 IKE 172.31.1.254 Phase 2 msg ID 1041f245: Responded to the peer's first message.
2010-07-26 12:00:35 system info 00536 IKE 172.31.1.254 Phase 1: Completed Main mode negotiations with a 28800-second lifetime.
2010-07-26 12:00:35 system info 00536 IKE 172.31.1.254 phase 1:The symmetric crypto key has been generated successfully.
2010-07-26 12:00:35 system info 00536 IKE 172.31.1.254 Phase 1: Responder starts MAIN mode negotiations.

2010-07-26 12:00:06 system info 00536 IKE 172.31.1.254: Received a notification message for DOI 1 11 INVALID-SPI.
.
2010-07-26 11:59:59 system info 00536 IKE 172.31.1.254 Phase 2 msg ID 22ba0d74: Negotiations have failed.
2010-07-26 11:59:59 system info 00536 Rejected an IKE packet on ethernet0/3 from 172.31.1.254:500 to 192.168.100.100:500 with cookies 435d4b322a849fff and 8c412e716e28f09b because The peer sent a proxy ID that did not match the one in the SA config.
2010-07-26 11:59:59 system info 00536 IKE 172.31.1.254 Phase 2: No policy exists for the proxy ID received: local ID (10.144.13.0/255.255.255.0, 0, 0) remote ID (192.168.50.0/255.255.255.0, 0, 0).
2010-07-26 11:59:59 system info 00536 IKE 172.31.1.254 Phase 2 msg ID 22ba0d74: Responded to the peer's first message.
2010-07-26 11:59:55 system info 00536 IKE 172.31.1.254: Received a notification message for DOI 1 11 INVALID-SPI.
2010-07-26 11:59:51 system info 00536 IKE 172.31.1.254 Phase 2 msg ID 22ba0d74: Negotiations have failed.
2010-07-26 11:59:51 system info 00536 Rejected an IKE packet on ethernet0/3 from 172.31.1.254:500 to 192.168.100.100:500 with cookies 435d4b322a849fff and 8c412e716e28f09b because The peer sent a proxy ID that did not match the one in the SA config.
2010-07-26 11:59:51 system info 00536 IKE 172.31.1.254 Phase 2: No policy exists for the proxy ID received: local ID (10.144.13.0/255.255.255.0, 0, 0) remote ID (192.168.50.0/255.255.255.0, 0, 0).
2010-07-26 11:59:51 system info 00536 IKE 172.31.1.254 Phase 2 msg ID 22ba0d74: Responded to the peer's first message.
2010-07-26 11:59:44 system info 00536 IKE 172.31.1.254: Received a notification message for DOI 1 11 INVALID-SPI.
2010-07-26 11:59:43 system info 00536 IKE 172.31.1.254 Phase 2 msg ID 22ba0d74: Negotiations have failed.
2010-07-26 11:59:43 system info 00536 Rejected an IKE packet on ethernet0/3 from 172.31.1.254:500 to 192.168.100.100:500 with cookies 435d4b322a849fff and 8c412e716e28f09b because The peer sent a proxy ID that did not match the one in the SA config.
2010-07-26 11:59:43 system info 00536 IKE 172.31.1.254 Phase 2: No policy exists for the proxy ID received: local ID (10.144.13.0/255.255.255.0, 0, 0) remote ID (192.168.50.0/255.255.255.0, 0, 0).
2010-07-26 11:59:43 system info 00536 IKE 172.31.1.254 Phase 2 msg ID 22ba0d74: Responded to the peer's first message.

2010-07-26 11:59:38 system info 00536 IKE 172.31.1.254: Received a notification message for DOI 1 11 INVALID-SPI.

2010-07-26 11:59:35 system info 00536 IKE 172.31.1.254 Phase 2 msg ID 22ba0d74: Negotiations have failed.
2010-07-26 11:59:35 system info 00536 Rejected an IKE packet on ethernet0/3 from 172.31.1.254:500 to 192.168.100.100:500 with cookies 435d4b322a849fff and 8c412e716e28f09b because The peer sent a proxy ID that did not match the one in the SA config.
2010-07-26 11:59:35 system info 00536 IKE 172.31.1.254 Phase 2: No policy exists for the proxy ID received: local ID (10.144.13.0/255.255.255.0, 0, 0) remote ID (192.168.50.0/255.255.255.0, 0, 0).
2010-07-26 11:59:35 system info 00536 IKE 172.31.1.254 Phase 2 msg ID 22ba0d74: Responded to the peer's first message.
2010-07-26 11:59:35 system info 00536 IKE 172.31.1.254 Phase 1: Completed Main mode negotiations with a 28800-second lifetime.
2010-07-26 11:59:35 system info 00536 IKE 172.31.1.254 phase 1:The symmetric crypto key has been generated successfully.
2010-07-26 11:59:35 system info 00536 IKE 172.31.1.254 Phase 1: Responder starts MAIN mode negotiations.

2010-07-26 11:58:38 system info 00536 IKE 172.31.1.254: Received a notification message for DOI 1 11 INVALID-SPI.
2010-07-26 11:58:37 system info 00536 IKE 172.31.1.254 Phase 2 msg ID c4576313: Negotiations have failed.
2010-07-26 11:58:37 system info 00536 Rejected an IKE packet on ethernet0/3 from 172.31.1.254:500 to 192.168.100.100:500 with cookies f348615501c3ec84 and dcbfd17413da3df0 because The peer sent a proxy ID that did not match the one in the SA config.
2010-07-26 11:58:37 system info 00536 IKE 172.31.1.254 Phase 2: No policy exists for the proxy ID received: local ID (10.144.13.0/255.255.255.0, 0, 0) remote ID (192.168.50.0/255.255.255.0, 0, 0).
2010-07-26 11:58:37 system info 00536 IKE 172.31.1.254 Phase 2 msg ID c4576313: Responded to the peer's first message.
2010-07-26 11:58:29 system info 00536 IKE 172.31.1.254 Phase 2 msg ID c4576313: Negotiations have failed.
2010-07-26 11:58:29 system info 00536 Rejected an IKE packet on ethernet0/3 from 172.31.1.254:500 to 192.168.100.100:500 with cookies f348615501c3ec84 and dcbfd17413da3df0 because The peer sent a proxy ID that did not match the one in the SA config.
2010-07-26 11:58:29 system info 00536 IKE 172.31.1.254 Phase 2: No policy exists for the proxy ID received: local ID (10.144.13.0/255.255.255.0, 0, 0) remote ID (192.168.50.0/255.255.255.0, 0, 0).
2010-07-26 11:58:29 system info 00536 IKE 172.31.1.254 Phase 2 msg ID c4576313: Responded to the peer's first message.
2010-07-26 11:58:27 system info 00536 IKE 172.31.1.254: Received a notification message for DOI 1 11 INVALID-SPI.
2010-07-26 11:58:21 system info 00536 IKE 172.31.1.254 Phase 2 msg ID c4576313: Negotiations have failed.
2010-07-26 11:58:21 system info 00536 Rejected an IKE packet on ethernet0/3 from 172.31.1.254:500 to 192.168.100.100:500 with cookies f348615501c3ec84 and dcbfd17413da3df0 because The peer sent a proxy ID that did not match the one in the SA config.
2010-07-26 11:58:21 system info 00536 IKE 172.31.1.254 Phase 2: No policy exists for the proxy ID received: local ID (10.144.13.0/255.255.255.0, 0, 0) remote ID (192.168.50.0/255.255.255.0, 0, 0).
2010-07-26 11:58:21 system info 00536 IKE 172.31.1.254 Phase 2 msg ID c4576313: Responded to the peer's first message.
2010-07-26 11:58:16 system info 00536 IKE 172.31.1.254: Received a notification message for DOI 1 11 INVALID-SPI.
2010-07-26 11:58:13 system info 00536 IKE 172.31.1.254 Phase 2 msg ID c4576313: Negotiations have failed.
2010-07-26 11:58:13 system info 00536 Rejected an IKE packet on ethernet0/3 from 172.31.1.254:500 to 192.168.100.100:500 with cookies f348615501c3ec84 and dcbfd17413da3df0 because The peer sent a proxy ID that did not match the one in the SA config.
2010-07-26 11:58:13 system info 00536 IKE 172.31.1.254 Phase 2: No policy exists for the proxy ID received: local ID (10.144.13.0/255.255.255.0, 0, 0) remote ID (192.168.50.0/255.255.255.0, 0, 0).
2010-07-26 11:58:13 system info 00536 IKE 172.31.1.254 Phase 2 msg ID c4576313: Responded to the peer's first message.
2010-07-26 11:58:13 system info 00536 IKE 172.31.1.254 Phase 1: Completed Main mode negotiations with a 28800-second lifetime.
2010-07-26 11:58:13 system info 00536 IKE 172.31.1.254 phase 1:The symmetric crypto key has been generated successfully.
2010-07-26 11:58:13 system info 00536 IKE 172.31.1.254 Phase 1: Responder starts MAIN mode negotiations.
2010-07-26 11:58:05 system info 00536 IKE 172.31.1.254: Received a notification message for DOI 1 11 INVALID-SPI.
2010-07-26 11:58:02 system info 00536 IKE 172.31.1.254 Phase 2 msg ID d0a103e4: Negotiations have failed.
2010-07-26 11:58:02 system info 00536 Rejected an IKE packet on ethernet0/3 from 172.31.1.254:500 to 192.168.100.100:500 with cookies b5e907a7ebf568b4 and 492c376e1a793bea because The peer sent a proxy ID that did not match the one in the SA config.
2010-07-26 11:58:02 system info 00536 IKE 172.31.1.254 Phase 2: No policy exists for the proxy ID received: local ID (10.144.13.0/255.255.255.0, 0, 0) remote ID (192.168.50.0/255.255.255.0, 0, 0).
2010-07-26 11:58:02 system info 00536 IKE 172.31.1.254 Phase 2 msg ID d0a103e4: Responded to the peer's first message.
2010-07-26 11:57:54 system info 00536 IKE 172.31.1.254 Phase 2 msg ID d0a103e4: Negotiations have failed.
2010-07-26 11:57:54 system info 00536 Rejected an IKE packet on ethernet0/3 from 172.31.1.254:500 to 192.168.100.100:500 with cookies b5e907a7ebf568b4 and 492c376e1a793bea because The peer sent a proxy ID that did not match the one in the SA config.
2010-07-26 11:57:54 system info 00536 IKE 172.31.1.254 Phase 2: No policy exists for the proxy ID received: local ID (10.144.13.0/255.255.255.0, 0, 0) remote ID (192.168.50.0/255.255.255.0, 0, 0).
2010-07-26 11:57:54 system info 00536 IKE 172.31.1.254 Phase 2 msg ID d0a103e4: Responded to the peer's first message.
2010-07-26 11:57:54 system info 00536 IKE 172.31.1.254: Received a notification message for DOI 1 11 INVALID-SPI.
2010-07-26 11:57:46 system info 00536 IKE 172.31.1.254 Phase 2 msg ID d0a103e4: Negotiations have failed.
2010-07-26 11:57:46 system info 00536 Rejected an IKE packet on ethernet0/3 from 172.31.1.254:500 to 192.168.100.100:500 with cookies b5e907a7ebf568b4 and 492c376e1a793bea because The peer sent a proxy ID that did not match the one in the SA config.
2010-07-26 11:57:46 system info 00536 IKE 172.31.1.254 Phase 2: No policy exists for the proxy ID received: local ID (10.144.13.0/255.255.255.0, 0, 0) remote ID (192.168.50.0/255.255.255.0, 0, 0).
2010-07-26 11:57:46 system info 00536 IKE 172.31.1.254 Phase 2 msg ID d0a103e4: Responded to the peer's first message.
2010-07-26 11:57:43 system info 00536 IKE 172.31.1.254: Received a notification message for DOI 1 11 INVALID-SPI.
2010-07-26 11:57:42 system notif 00625 Session (id 47406 src-ip 192.168.11.127 dst-ip 192.168.1.4 dst port 23) route is valid.
2010-07-26 11:57:38 system info 00536 IKE 172.31.1.254 Phase 2 msg ID d0a103e4: Negotiations have failed.
2010-07-26 11:57:38 system info 00536 Rejected an IKE packet on ethernet0/3 from 172.31.1.254:500 to 192.168.100.100:500 with cookies b5e907a7ebf568b4 and 492c376e1a793bea because The peer sent a proxy ID that did not match the one in the SA config.
2010-07-26 11:57:38 system info 00536 IKE 172.31.1.254 Phase 2: No policy exists for the proxy ID received: local ID (10.144.13.0/255.255.255.0, 0, 0) remote ID (192.168.50.0/255.255.255.0, 0, 0).
2010-07-26 11:57:38 system info 00536 IKE 172.31.1.254 Phase 2 msg ID d0a103e4: Responded to the peer's first message.
2010-07-26 11:57:38 system info 00536 IKE 172.31.1.254 Phase 1: Completed Main mode negotiations with a 28800-second lifetime.
2010-07-26 11:57:38 system info 00536 IKE 172.31.1.254 phase 1:The symmetric crypto key has been generated successfully.
2010-07-26 11:57:38 system info 00536 IKE 172.31.1.254 Phase 1: Responder starts MAIN mode negotiations.


2010-07-26 11:55:09 system crit 00071 The local device 9145600 in the Virtual Security Device group (0) changed state from primary backup to master, missing master.
2010-07-26 11:55:09 system crit 00015 Peer device 2092928 in the Virtual Security Device group 0 changed state from master to backup.
2010-07-26 11:55:04 system crit 00072 The local device 9145600 in the Virtual Security Device group (0) changed state from init to primary backup, missing backup.
2010-07-26 11:55:00 system crit 00015 Peer device 2092928 in the Virtual Security Device group 0 changed state from primary backup to master.



==============================================================================
End of System Event Log
==============================================================================


As you can see from the log, it simply cannot complete Phase 2 until I go into the VPN configuration, change nothing and just confirm with OK (time 2010-07-26 12:06:40 in the log), and then everything goes through fine.

Please help me with this if you can; why does this happen?

Regards

Darko

[This message was edited by optix on 26.07.2010 at 13:32 GMT+1]
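One way to pull the relevant facts out of an event log like the one in the post above, as an added example that is not part of the original thread: it finds the moment the local unit last became NSRP master and counts the proxy-ID pairs the peer offered afterwards that matched no policy. The sample lines follow the layout of the posted log; the 11:50:00 entry is constructed to show that rejects from before the takeover are not counted.

```python
import ipaddress
import re
from collections import Counter
from datetime import datetime

# Constructed excerpt in the layout of the 'get event' output above (newest first).
SAMPLE = """\
2010-07-26 12:00:51 system info 00536 IKE 172.31.1.254 Phase 2 msg ID 1041f245: Negotiations have failed.
2010-07-26 12:00:51 system info 00536 IKE 172.31.1.254 Phase 2: No policy exists for the proxy ID received: local ID (10.144.13.0/255.255.255.0, 0, 0) remote ID (192.168.50.0/255.255.255.0, 0, 0).
2010-07-26 12:00:43 system info 00536 IKE 172.31.1.254 Phase 2: No policy exists for the proxy ID received: local ID (10.144.13.0/255.255.255.0, 0, 0) remote ID (192.168.50.0/255.255.255.0, 0, 0).
2010-07-26 12:00:35 system info 00536 IKE 172.31.1.254 Phase 1: Completed Main mode negotiations with a 28800-second lifetime.
2010-07-26 11:55:09 system crit 00071 The local device 9145600 in the Virtual Security Device group (0) changed state from primary backup to master, missing master.
2010-07-26 11:55:04 system crit 00072 The local device 9145600 in the Virtual Security Device group (0) changed state from init to primary backup, missing backup.
2010-07-26 11:50:00 system info 00536 IKE 172.31.1.254 Phase 2: No policy exists for the proxy ID received: local ID (10.144.13.0/255.255.255.0, 0, 0) remote ID (192.168.50.0/255.255.255.0, 0, 0).
"""

LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) system (\w+) (\d{5}) (.*)$")
STATE = re.compile(r"local device \d+ .*changed state from ([a-z ]+) to ([a-z ]+)[,.]")
PROXY = re.compile(r"IKE (\S+) Phase 2: No policy exists for the proxy ID received: "
                   r"local ID \(([^,]+), \d+, \d+\) remote ID \(([^,]+), \d+, \d+\)")


def parse(log_text):
    """Return (timestamp, message) pairs, oldest first; non-event lines are skipped."""
    events = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            events.append((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(4)))
    return sorted(events, key=lambda e: e[0])


def proxy_id_rejects_after_takeover(log_text):
    """Count rejected proxy-ID pairs seen since the local unit last became master."""
    takeover, rejects = None, Counter()
    for ts, msg in parse(log_text):
        state = STATE.search(msg)
        if state and state.group(2) == "master":
            takeover, rejects = ts, Counter()   # new mastership: restart the count
        proxy = PROXY.search(msg)
        if proxy and takeover is not None:
            peer, local, remote = proxy.groups()
            key = (peer, str(ipaddress.ip_network(local)), str(ipaddress.ip_network(remote)))
            rejects[key] += 1
    return takeover, dict(rejects)


if __name__ == "__main__":
    when, rejects = proxy_id_rejects_after_takeover(SAMPLE)
    print("local unit became master at", when)
    for (peer, local, remote), n in rejects.items():
        print(f"{n}x peer {peer} offered local={local} remote={remote}: no matching policy")
```

The reported pair is what the peer proposed, so it is the value to compare against the proxy ID configured on the local VPN entry.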
[ dkrstajic @ 26.07.2010. 18:25 ] @
Gojko,

I found the reason for the frequent activation of the backup firewall, so I have solved that.

Do you have any idea why the tunnel fails to come up? I noticed the following: when the system switches from MASTER to BACKUP, I get one "request time out" during ping and right after it communication returns to normal, but when the MASTER firewall is activated again, communication is not established until I go into the VPN configuration and simply confirm it with OK. :-(

What could be causing this problem?

Regards

Darko

P.S.
I opened a new profile, dkrstajic, because I changed the email address on the old one, DarkoK78, but the password change never arrived.

[ dkrstajic @ 26.07.2010. 22:03 ] @
I rejoiced too soon :-((((

[00001] 2010-07-26 22:28:48 [Root]system-critical-00015: Peer device 2092928 in the Virtual Security Device group 0 changed state from backup to primary backup.
[00002] 2010-07-26 22:28:47 [Root]system-alert-00026: IPSec tunnel on interface ethernet0/3 with tunnel ID 0x1c received a packet with a bad SPI. 172.31.1.254->192.168.100.100/112, ESP, SPI 0xe591f7a2, SEQ 0x1.
[00003] 2010-07-26 22:28:47 [Root]system-critical-00071: The local device 9145600 in the Virtual Security Device group (0) changed state from primary backup to master, missing master.
[00004] 2010-07-26 22:28:47 [Root]system-critical-00015: Peer device 2092928 in the Virtual Security Device group 0 changed state from master to backup.
[00005] 2010-07-26 22:28:42 [Root]system-critical-00072: The local device 9145600 in the Virtual Security Device group (0) changed state from init to primary backup, missing backup.
[00006] 2010-07-26 22:28:38 [Root]system-critical-00015: Peer device 2092928 in the Virtual Security Device group 0 changed state from primary backup to master.
[00007] 2010-07-26 22:28:37 [Root]system-critical-00070: The local device 9145600 in the Virtual Security Device group 0 changed state from inoperable to init.
[00008] 2010-07-26 22:28:36 [Root]system-critical-00075: The local device 9145600 in the Virtual Security Device group 0 changed state from master to inoperable.

This is happening again, for no reason as far as I can tell.

Regards
Darko
[ dkrstajic @ 28.07.2010. 09:32 ] @
Gojko,

From the logs I noticed that on the MASTER, in no particular pattern and for no apparent reason, port eth 0/0 goes DOWN - UP, which naturally triggers activation of the BACKUP.

The firmware version on the Juniper SSG140 had been 6.2.0r2.0 until now, so I upgraded to the latest version, 6.3.0r4.0. I can tell you that the problem has not recurred for quite a while now (with the older version it happened as often as 2-3 times during the night).

I hope this upgrade has solved the problem of the port going DOWN-UP within a second.

I will try to open a case with Juniper about why the VPN tunnel carries on working normally when switching from MASTER to BACKUP, but on the return from BACKUP to MASTER the VPN does not come up until I confirm its configuration!!!! :-(((((


Regards
Darko