Cisco pix interop fails - ipsec,ike unknown notify message,

Could you please help?

We cannot set up a tunnel with a Cisco PIX.
Is there a workaround we can use? All configuration looks clean.

Error log.

10:24:57 ipsec,ike peer1 give up to get IPsec-SA due to time up to wait.
10:24:57 ipsec,ike IPsec-SA expired: ESP/Tunnel peer1[0]->peer2[0] spi=208282269(0xc6a229d)
10:24:57 ipsec,ike ISAKMP-SA deleted peer2[500]-peer1[500] spi:edc85ec582ee75df:1a69775b344bdf88
10:24:58 ipsec,ike IPsec-SA request for peer1 queued due to no phase1 found.
10:24:58 ipsec,ike initiate new phase 1 negotiation: peer2[500]<=>peer1[500]
10:24:58 ipsec,ike begin Identity Protection mode.
10:24:58 ipsec,ike received broken Microsoft ID: FRAGMENTATION
10:24:58 ipsec,ike received Vendor ID: CISCO-UNITY
10:24:58 ipsec,ike received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
10:24:59 ipsec,ike ISAKMP-SA established peer2[500]-peer1[500] spi:a1b48fc41a5bdaca:75cb6d0886e6164b
10:25:00 ipsec,ike initiate new phase 2 negotiation: peer2[500]<=>peer1[500]
10:25:00 ipsec,ike unknown notify message, no phase2 handle found.
10:25:00 ipsec,ike purging ISAKMP-SA spi=a1b48fc41a5bdaca:75cb6d0886e6164b.
10:25:00 ipsec,ike purged ISAKMP-SA spi=a1b48fc41a5bdaca:75cb6d0886e6164b.
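As an added illustration (not part of the original post), the script below parses the `ipsec,ike` log lines quoted above and summarises what happened to each ISAKMP-SA: what triggered the renegotiation, whether phase 2 was attempted, and whether the peer answered with a notify the local IKE daemon could not match to any phase 2 handle before the SA was purged. The log sample is the poster's own output; the verdict labels and the one-second gap it computes are this example's.

```python
import re

# Sample input: the "ipsec,ike" lines quoted in the post above, in their original order.
SAMPLE_LOG = """\
10:24:57 ipsec,ike peer1 give up to get IPsec-SA due to time up to wait.
10:24:57 ipsec,ike IPsec-SA expired: ESP/Tunnel peer1[0]->peer2[0] spi=208282269(0xc6a229d)
10:24:57 ipsec,ike ISAKMP-SA deleted peer2[500]-peer1[500] spi:edc85ec582ee75df:1a69775b344bdf88
10:24:58 ipsec,ike IPsec-SA request for peer1 queued due to no phase1 found.
10:24:58 ipsec,ike initiate new phase 1 negotiation: peer2[500]<=>peer1[500]
10:24:58 ipsec,ike begin Identity Protection mode.
10:24:58 ipsec,ike received Vendor ID: CISCO-UNITY
10:24:59 ipsec,ike ISAKMP-SA established peer2[500]-peer1[500] spi:a1b48fc41a5bdaca:75cb6d0886e6164b
10:25:00 ipsec,ike initiate new phase 2 negotiation: peer2[500]<=>peer1[500]
10:25:00 ipsec,ike unknown notify message, no phase2 handle found.
10:25:00 ipsec,ike purging ISAKMP-SA spi=a1b48fc41a5bdaca:75cb6d0886e6164b.
10:25:00 ipsec,ike purged ISAKMP-SA spi=a1b48fc41a5bdaca:75cb6d0886e6164b.
"""

LINE = re.compile(r"^(\d\d:\d\d:\d\d) ipsec,ike (.*)$")
ESTABLISHED = re.compile(r"ISAKMP-SA established (\S+)\[\d+\]-(\S+)\[\d+\] spi:([0-9a-f:]+)")
PURGED = re.compile(r"purged ISAKMP-SA spi=([0-9a-f:]+)")
# Messages that explain why the router went back to phase 1 at all.
TRIGGER = re.compile(r"give up to get IPsec-SA|IPsec-SA expired")


def _secs(ts):
    """HH:MM:SS -> seconds since midnight (the log carries no date)."""
    h, m, s = (int(x) for x in ts.split(":"))
    return h * 3600 + m * 60 + s


def _verdict(sa):
    if sa["ipsec_sa_established"]:
        return "ok"
    if sa["phase2_attempted"] and sa["unknown_notify"]:
        # Phase 1 succeeded, phase 2 was proposed, and the peer replied with a notify
        # that racoon could not tie to any phase 2 handle: the SA never carried traffic.
        return "phase2_rejected_after_phase1"
    return "phase1_only"


def analyze(log_text):
    """Return one finding per ISAKMP-SA that was established and later purged."""
    findings = []
    trigger = None   # first expiry/timeout message seen before the next phase 1
    cur = None       # the ISAKMP-SA currently being tracked
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts, msg = _secs(m.group(1)), m.group(2)
        if cur is None and trigger is None and TRIGGER.search(msg):
            trigger = msg
        e = ESTABLISHED.search(msg)
        if e:
            cur = {"isakmp_spi": e.group(3), "local": e.group(1), "remote": e.group(2),
                   "established_at": ts, "trigger": trigger, "phase2_attempted": False,
                   "unknown_notify": False, "ipsec_sa_established": False}
            trigger = None
            continue
        if cur is None:
            continue
        if msg.startswith("initiate new phase 2 negotiation"):
            cur["phase2_attempted"] = True
        elif msg.startswith("unknown notify message"):
            cur["unknown_notify"] = True
        elif msg.startswith("IPsec-SA established"):
            cur["ipsec_sa_established"] = True
        p = PURGED.search(msg)
        if p and p.group(1) == cur["isakmp_spi"]:
            cur["seconds_to_purge"] = ts - cur["established_at"]
            cur["verdict"] = _verdict(cur)
            findings.append(cur)
            cur = None
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['local']}->{f['remote']} spi {f['isakmp_spi']}: {f['verdict']} "
              f"after {f['seconds_to_purge']}s (trigger: {f['trigger']})")
```

Run against a longer log export, a series of `phase2_rejected_after_phase1` verdicts a few seconds apart is the signature of a rekey loop: phase 1 keeps succeeding, so the pre-shared key and phase 1 proposal are fine, and the failure is confined to the phase 2 exchange.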

Post your IPSEC configuration from both ends.

Regards

Andrew

[admin@Cartiza] /ip ipsec> peer print
Flags: X - disabled
0 address=peer2/32:500 auth-method=pre-shared-key secret="xxx" generate-policy=no exchange-mode=main
send-initial-contact=yes nat-traversal=no proposal-check=obey hash-algorithm=md5 enc-algorithm=3des dh-group=modp1024
lifetime=4w2d lifebytes=0

1 address=peer1/32:500 auth-method=pre-shared-key secret="xxx" generate-policy=no exchange-mode=main
send-initial-contact=yes nat-traversal=no proposal-check=obey hash-algorithm=sha1 enc-algorithm=3des
dh-group=modp1024 lifetime=4w2d lifebytes=0



/ip ipsec> policy print
Flags: X - disabled, D - dynamic, I - inactive
0 src-address=192.168.110.0/24:any dst-address=172.31.121.64/27:any protocol=all action=encrypt level=require
ipsec-protocols=esp tunnel=yes sa-src-address=own-ip1 sa-dst-address=peer2 proposal=ipsec manual-sa=none
priority=0

1 src-address=192.168.110.0/24:any dst-address=10.203.183.192/27:any protocol=all action=encrypt level=require
ipsec-protocols=esp tunnel=yes sa-src-address=own-ip1 sa-dst-address=peer2 proposal=ipsec manual-sa=none
priority=0

2 src-address=192.168.110.0/24:any dst-address=172.30.15.32/27:any protocol=all action=encrypt level=require
ipsec-protocols=esp tunnel=yes sa-src-address=own-ip1 sa-dst-address=peer1 proposal=ipsec
manual-sa=none priority=0

3 src-address=192.168.110.0/24:any dst-address=10.203.117.32/27:any protocol=all action=encrypt level=require
ipsec-protocols=esp tunnel=yes sa-src-address=own-ip1 sa-dst-address=peer1 proposal=ipsec
manual-sa=none priority=0

4 src-address=192.168.111.0/24:any dst-address=172.31.121.64/27:any protocol=all action=encrypt level=require
ipsec-protocols=esp tunnel=yes sa-src-address=own-ip1 sa-dst-address=peer2 proposal=ipsec manual-sa=none
priority=0

5 src-address=192.168.111.0/24:any dst-address=10.203.183.192/27:any protocol=all action=encrypt level=require
ipsec-protocols=esp tunnel=yes sa-src-address=own-ip1 sa-dst-address=peer2 proposal=ipsec manual-sa=none
priority=0

6 src-address=192.168.111.0/24:any dst-address=172.30.15.32/27:any protocol=all action=encrypt level=require
ipsec-protocols=esp tunnel=yes sa-src-address=own-ip1 sa-dst-address=peer1 proposal=ipsec
manual-sa=none priority=0

7 src-address=192.168.111.0/24:any dst-address=10.203.117.32/27:any protocol=all action=encrypt level=require
ipsec-protocols=esp tunnel=yes sa-src-address=own-ip1 sa-dst-address=peer1 proposal=ipsec
manual-sa=none priority=0

[admin@Cartiza] /ip ipsec> remote-peers print
0 local-address=own-ip1 remote-address=peer1 state=expired side=initiator
[admin@Cartiza] /ip ipsec> installed-sa print
Flags: A - AH, E - ESP, P - pfs
0 E spi=0 src-address=own-ip1 dst-address=peer1 auth-algorithm=none enc-algorithm=none replay=0 state=larval
add-lifetime=0s/30s use-lifetime=0s/0s lifebytes=0/0

1 E spi=0 src-address=own-ip1 dst-address=peer2 auth-algorithm=none enc-algorithm=none replay=0 state=larval
add-lifetime=0s/30s use-lifetime=0s/0s lifebytes=0/0

2 E spi=0x488A593 src-address=peer1 dst-address=own-ip1 auth-algorithm=none enc-algorithm=none replay=0
state=larval add-lifetime=0s/30s use-lifetime=0s/0s lifebytes=0/0

Thanks.
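As an added example (not part of the original post), here is a parser for the RouterOS `print` listings quoted above plus a few consistency checks a reviewer would run before reading the Cisco side: every policy's `sa-dst-address` must correspond to a configured peer, no two policies may share the same selector pair, and any `installed-sa` entry stuck in `state=larval` is reported, since a larval SA is a kernel placeholder whose keys phase 2 never delivered. The sample dumps are trimmed copies of the poster's output (the addresses `peer1`, `peer2`, `own-ip1` are the poster's own placeholders); the finding labels are this example's.

```python
import re

# Sample input: trimmed copies of the listings posted above.
PEER_PRINT = """\
Flags: X - disabled
0 address=peer2/32:500 auth-method=pre-shared-key secret="xxx" generate-policy=no exchange-mode=main
send-initial-contact=yes nat-traversal=no proposal-check=obey hash-algorithm=md5 enc-algorithm=3des dh-group=modp1024
lifetime=4w2d lifebytes=0

1 address=peer1/32:500 auth-method=pre-shared-key secret="xxx" generate-policy=no exchange-mode=main
send-initial-contact=yes nat-traversal=no proposal-check=obey hash-algorithm=sha1 enc-algorithm=3des
dh-group=modp1024 lifetime=4w2d lifebytes=0
"""

POLICY_PRINT = """\
Flags: X - disabled, D - dynamic, I - inactive
0 src-address=192.168.110.0/24:any dst-address=172.31.121.64/27:any protocol=all action=encrypt level=require
ipsec-protocols=esp tunnel=yes sa-src-address=own-ip1 sa-dst-address=peer2 proposal=ipsec manual-sa=none
priority=0

1 src-address=192.168.110.0/24:any dst-address=10.203.183.192/27:any protocol=all action=encrypt level=require
ipsec-protocols=esp tunnel=yes sa-src-address=own-ip1 sa-dst-address=peer2 proposal=ipsec manual-sa=none
priority=0

2 src-address=192.168.110.0/24:any dst-address=172.30.15.32/27:any protocol=all action=encrypt level=require
ipsec-protocols=esp tunnel=yes sa-src-address=own-ip1 sa-dst-address=peer1 proposal=ipsec
manual-sa=none priority=0
"""

INSTALLED_SA_PRINT = """\
Flags: A - AH, E - ESP, P - pfs
0 E spi=0 src-address=own-ip1 dst-address=peer1 auth-algorithm=none enc-algorithm=none replay=0 state=larval
add-lifetime=0s/30s use-lifetime=0s/0s lifebytes=0/0

1 E spi=0 src-address=own-ip1 dst-address=peer2 auth-algorithm=none enc-algorithm=none replay=0 state=larval
add-lifetime=0s/30s use-lifetime=0s/0s lifebytes=0/0

2 E spi=0x488A593 src-address=peer1 dst-address=own-ip1 auth-algorithm=none enc-algorithm=none replay=0
state=larval add-lifetime=0s/30s use-lifetime=0s/0s lifebytes=0/0
"""

KV = re.compile(r'([\w-]+)=("[^"]*"|\S+)')
ENTRY = re.compile(r"^(\d+)\s+((?:[A-Z]\s+)*)(.*)$")


def parse_print(text):
    """Turn a RouterOS 'print' listing into a list of dicts, one per numbered entry.
    Lines without a leading index are continuations of the previous entry."""
    entries, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Flags:"):
            continue
        m = ENTRY.match(line)
        if m:
            current = {"id": int(m.group(1)), "flags": m.group(2).split()}
            entries.append(current)
            line = m.group(3)
        if current is None:
            continue
        for key, value in KV.findall(line):
            current[key] = value.strip('"')
    return entries


def check(peers, policies, sas):
    """Return (kind, message) findings for the three cross-checks described above."""
    findings = []
    peer_addrs = {p["address"].split("/")[0] for p in peers}
    seen = {}
    for pol in policies:
        dst = pol.get("sa-dst-address")
        if dst not in peer_addrs:
            findings.append(("no-peer", f"policy {pol['id']}: sa-dst-address {dst} has no peer entry"))
        key = (pol.get("src-address"), pol.get("dst-address"))
        if key in seen:
            findings.append(("duplicate-selector", f"policy {pol['id']} repeats policy {seen[key]}"))
        seen.setdefault(key, pol["id"])
    for addr in sorted(peer_addrs):
        if not any(p.get("sa-dst-address") == addr for p in policies):
            findings.append(("unused-peer", f"peer {addr} is referenced by no policy"))
    for sa in sas:
        if sa.get("state") == "larval":
            findings.append(("larval-sa", f"installed-sa {sa['id']}: {sa['src-address']}->{sa['dst-address']} "
                                          f"spi={sa['spi']} never left larval state"))
    return findings


if __name__ == "__main__":
    for kind, msg in check(parse_print(PEER_PRINT), parse_print(POLICY_PRINT), parse_print(INSTALLED_SA_PRINT)):
        print(f"[{kind}] {msg}")
```

On the posted dumps the peers and policies pass, and the only findings are the three larval SAs with a 30-second add-lifetime, which matches the log: the router allocates the outbound SPI placeholders, phase 2 is refused, and they time out.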

Can you post the IPSEC proposals as well?

I need to see the configuration from the Cisco end.

What version of ROS is this?

Regards

Andrew

We’ve ensured the Cisco PIX configuration is compatible.
Basically, the tunnel goes down for whatever reason, MikroTik figures out it’s down and attempts to re-negotiate the tunnel. Cisco keeps hold of the SAs, and tunnel establishment keeps failing.
Once we purge the SAs on the Cisco, re-negotiation is successful until the next time.

Is there a way for Mikrotik to stop changing keys?

Are manual SAs a solution?

ilasic, I’m having a similar problem. Did you figure out a solution?

Have you got Dead Peer Detection enabled?

Regards

Andrew