The following logs show the errors produced when the Phase 1 policy does not match.
NSX Edge
NSX Edge hangs in the STATE_MAIN_I1 state. Check /var/log/messages and confirm that it contains information showing that the peer sent back an IKE message with "NO_PROPOSAL_CHOSEN" set.
000 #1: "s1-c1":500 STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 7s; nodpd; idle; import:admin initiate
000 #1: pending Phase 2 for "s1-c1" replacing #0
Aug 26 12:31:25 weiqing-desktop ipsec[6569]: | got payload 0x800(ISAKMP_NEXT_N) needed: 0x0 opt: 0x0
Aug 26 12:31:25 weiqing-desktop ipsec[6569]: | ***parse ISAKMP Notification Payload:
Aug 26 12:31:25 weiqing-desktop ipsec[6569]: | next payload type: ISAKMP_NEXT_NONE
Aug 26 12:31:25 weiqing-desktop ipsec[6569]: | length: 96
Aug 26 12:31:25 weiqing-desktop ipsec[6569]: | DOI: ISAKMP_DOI_IPSEC
Aug 26 12:31:25 weiqing-desktop ipsec[6569]: | protocol ID: 0
Aug 26 12:31:25 weiqing-desktop ipsec[6569]: | SPI size: 0
Aug 26 12:31:25 weiqing-desktop ipsec[6569]: | Notify Message Type: NO_PROPOSAL_CHOSEN
Aug 26 12:31:25 weiqing-desktop ipsec[6569]: "s1-c1" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
Cisco
If debug crypto is enabled, an error message is printed stating that the proposals were not accepted.
ciscoasa# Aug 26 18:17:27 [IKEv1]: IP = 10.20.129.80, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 148
Aug 26 18:17:27 [IKEv1 DEBUG]: IP = 10.20.129.80, processing SA payload
Aug 26 18:17:27 [IKEv1]: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 5 Cfg'd: Group 2
Aug 26 18:17:27 [IKEv1]: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 5 Cfg'd: Group 2
Aug 26 18:17:27 [IKEv1]: IP = 10.20.129.80, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 124
Aug 26 18:17:27 [IKEv1 DEBUG]: IP = 10.20.129.80, All SA proposals found unacceptable
Aug 26 18:17:27 [IKEv1]: IP = 10.20.129.80, Error processing payload: Payload ID: 1
Aug 26 18:17:27 [IKEv1 DEBUG]: IP = 10.20.129.80, IKE MM Responder FSM error history (struct &0xd8355a60) <state>, <event>: MM_DONE, EV_ERROR-->MM_START, EV_RCV_MSG-->MM_START, EV_START_MM-->MM_START, EV_START_MM-->MM_START, EV_START_MM-->MM_START, EV_START_MM-->MM_START, EV_START_MM-->MM_START, EV_START_MM
Aug 26 18:17:27 [IKEv1 DEBUG]: IP = 10.20.129.80, IKE SA MM:9e0e4511 terminating: flags 0x01000002, refcnt 0, tuncnt 0
Aug 26 18:17:27 [IKEv1 DEBUG]: IP = 10.20.129.80, sending delete/delete with reason message
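The check described above can be scripted. The following is an added example, not part of the original documentation or of any VMware or Cisco tool: it scans log text for the Phase 1 mismatch indicators shown in the two logs and reports which attribute differed. The function name `diagnose_phase1` and the result keys are assumptions made for this illustration; the sample lines are copied from the logs on this page.

```python
import re

# Lines copied from the NSX Edge and Cisco ASA logs shown above.
SAMPLE_LOG = '''\
000 #1: "s1-c1":500 STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 7s; nodpd; idle; import:admin initiate
Aug 26 12:31:25 weiqing-desktop ipsec[6569]: "s1-c1" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
Aug 26 18:17:27 [IKEv1]: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 5 Cfg'd: Group 2
Aug 26 18:17:27 [IKEv1]: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 5 Cfg'd: Group 2
Aug 26 18:17:27 [IKEv1 DEBUG]: IP = 10.20.129.80, All SA proposals found unacceptable
'''

# Initiator side: tunnel waiting for the first Main Mode reply.
STUCK = re.compile(r'"(?P<conn>[^"]+)":\d+ STATE_MAIN_I1 \(sent MI1, expecting MR1\)')
# Initiator side: peer answered with a NO_PROPOSAL_CHOSEN notification.
REJECTED = re.compile(r'"(?P<conn>[^"]+)" #\d+: ignoring informational payload, type NO_PROPOSAL_CHOSEN')
# Responder side: which attribute differed, and the received/configured values.
MISMATCH = re.compile(r"Phase 1 failure:\s+Mismatched attribute types for class "
                      r"(?P<attr>.+?):\s+Rcv'd:\s+(?P<rcvd>.+?)\s+Cfg'd:\s+(?P<cfgd>.+?)\s*$")
# Responder side: every proposal from this peer was refused.
REFUSED = re.compile(r"IP = (?P<peer>[\d.]+), All SA proposals found unacceptable")

def diagnose_phase1(log_text):
    """Collect Phase 1 proposal-mismatch evidence from mixed initiator/responder logs."""
    stuck, rejected, refused_peers, mismatches = set(), set(), set(), []
    for line in log_text.splitlines():
        if m := STUCK.search(line):
            stuck.add(m["conn"])
        elif m := REJECTED.search(line):
            rejected.add(m["conn"])
        elif m := MISMATCH.search(line):
            item = (m["attr"], m["rcvd"], m["cfgd"])
            if item not in mismatches:      # the sample log repeats this line
                mismatches.append(item)
        elif m := REFUSED.search(line):
            refused_peers.add(m["peer"])
    return {
        # Stuck in MAIN_I1 *and* explicitly rejected: a policy mismatch, not packet loss.
        "policy_mismatch": sorted(stuck & rejected),
        # Stuck with no notification seen: could also be filtering or an unreachable peer.
        "no_reply": sorted(stuck - rejected),
        "mismatches": mismatches,
        "refused_peers": sorted(refused_peers),
    }

if __name__ == "__main__":
    for key, value in diagnose_phase1(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the sample lines this reports connection "s1-c1" as a policy mismatch and identifies the Diffie-Hellman group (received Group 5, configured Group 2) as the attribute to align on both ends.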