(2012-07-16 12:29:06)

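Today I was debugging an IPsec VPN from a branch site to headquarters; the peer was an 1841. It should have been a very simple configuration, but because of my own carelessness the troubleshooting took some time. After all the configuration was done, pinging the peer's IP inside the interesting traffic failed. I tried the following:
1. debug crypto isakmp error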
*Jul 16 03:46:13.747: ISAKMP:(1006):deleting node 1335259614 errorTRUE reason "Delete Larval"
*Jul 16 03:46:15.843: ISAKMP:(1006):deleting node 1284639 errorTRUE reason "Delete Larval"
*Jul 16 03:46:43.751: ISAKMP:(1006):deleting node 1263793959 errorTRUE reason "Delete Larval"
*Jul 16 03:46:45.971: ISAKMP:(1006):deleting node 319028693 errorTRUE reason "Delete Larval"
*Jul 16 03:47:15.063: ISAKMP:(1006):deleting node -1450876185 errorTRUE reason "Delete Larval"
*Jul 16 03:47:15.959: ISAKMP:(1006):deleting node 1677832055 errorTRUE reason "Delete Larval"
*Jul 16 03:47:45.051: ISAKMP:(1006):deleting node 2071772467 errorTRUE reason "Delete Larval"
*Jul 16 03:47:45.971: ISAKMP:(1006):deleting node 1170525146 errorTRUE reason "Delete Larval"
*Jul 16 03:48:15.963: ISAKMP:(1006):deleting node 1727443573 errorTRUE reason "Delete Larval"
*Jul 16 03:48:18.919: ISAKMP:(1006):deleting node 1211193290 errorTRUE reason "Delete Larval"
*Jul 16 03:48:48.919: ISAKMP:(1006):deleting node -1379849354 errorTRUE reason "Delete Larval"
*Jul 16 03:48:55.959: ISAKMP:(1006):deleting node 1303757505 errorTRUE reason "Delete Larval"
*Jul 16 03:49:15.975: ISAKMP:(1006):deleting node 832156045 errorTRUE reason "Delete Larval"
*Jul 16 03:49:19.411: ISAKMP:(1006):deleting node 1202729771 errorTRUE reason "Delete Larval"
*Jul 16 03:49:47.159: ISAKMP:(1006):deleting node -1818309908 errorTRUE reason "Delete Larval"
*Jul 16 03:49:49.415: ISAKMP:(1006):deleting node -1012643197 errorTRUE reason "Delete Larval"
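Searching Google and Baidu turned up not a single record of this online, so I had no choice but to look for another approach myself.
2. show crypto isakmp sa
On the headquarters router: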
3662#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
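dst src state conn-id status
1.1.1.1 218.5.202.1 QM_IDLE 1007 ACTIVE   (phase 1 is normal)
3662#sh crypto ipsec sa
3662#   (here is the problem: phase 2 shows no negotiation information at all)
Since IKE was configured with DES (encryption) and MD5 (hash algorithm) throughout, I checked the phase 2 configuration on both ends and found that when configuring the branch end I had typed too fast and set the hash algorithm to sha. The configuration is as follows: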
crypto isakmp policy 1
hash md5
authentication pre-share
crypto isakmp key cisco address 1.1.1.1
!
!
crypto ipsec transform-set xian esp-des esp-sha-hmac
!
crypto map vpanmap 1 ipsec-isakmp
set peer 1.1.1.1
set transform-set xian
match address 101
!
interface Dialer1
crypto map vpanmap
!
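After changing the IPsec hash algorithm, everything worked. If I had been a bit more careful, this kind of elementary mistake would not have happened and I would not have wasted the time afterwards on troubleshooting.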
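
The phase 2 mismatch described above can be caught before the tunnel is brought up by comparing the transform sets that each end offers to the other. The following is an added example, not part of the original post; the HQ configuration is not shown in the post, so its content, the names `hqset` and `hqmap`, and the static `set peer 218.5.202.1` are assumptions.

```python
import re

# BRANCH_CFG lines come from the post. The HQ side is not shown there, so
# HQ_CFG is constructed: "hqset", "hqmap" and the static peer are assumptions.
BRANCH_CFG = """crypto ipsec transform-set xian esp-des esp-sha-hmac
crypto map vpanmap 1 ipsec-isakmp
set peer 1.1.1.1
set transform-set xian
match address 101
"""
HQ_CFG = """crypto ipsec transform-set hqset esp-des esp-md5-hmac
crypto map hqmap 1 ipsec-isakmp
set peer 218.5.202.1
set transform-set hqset
match address 101
"""

def transform_sets(cfg):
    """Map each transform-set name to the frozenset of its transforms."""
    pat = r"^\s*crypto ipsec transform-set (\S+) (.+)$"
    return {m[1]: frozenset(m[2].split()) for m in re.finditer(pat, cfg, re.M)}

def proposals_for_peer(cfg, peer):
    """Transform combinations offered by crypto map entries that name `peer`."""
    sets, entries, cur = transform_sets(cfg), [], None
    for line in cfg.splitlines():
        s = line.strip()
        if re.match(r"crypto map \S+ \d+ ipsec-isakmp", s):
            cur = {"peers": [], "sets": []}
            entries.append(cur)
        elif cur is not None and s.startswith("set peer "):
            cur["peers"].append(s.split()[2])
        elif cur is not None and s.startswith("set transform-set "):
            cur["sets"] += s.split()[2:]
        elif cur is not None and not s.startswith(("set ", "match ")):
            cur = None  # left the crypto map entry
    return [sets[n] for e in entries if peer in e["peers"]
            for n in e["sets"] if n in sets]

def phase2_mismatch(cfg_a, peer_of_a, cfg_b, peer_of_b):
    """Return None if both ends share a transform combination, else both offers."""
    a = proposals_for_peer(cfg_a, peer_of_a)
    b = proposals_for_peer(cfg_b, peer_of_b)
    if any(x in b for x in a):
        return None
    return {"a": [sorted(x) for x in a], "b": [sorted(x) for x in b]}

if __name__ == "__main__":
    print(phase2_mismatch(BRANCH_CFG, "1.1.1.1", HQ_CFG, "218.5.202.1"))
```

A non-None result here corresponds to the symptom in the post: `show crypto isakmp sa` reaches QM_IDLE while `show crypto ipsec sa` stays empty.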