help deciphering IOS to PIX ISAKMP debug

tato386 — Fri, 21 Feb 2020 07:07:29 GMT

I have several IOS routers that are successfully establishing IPSec tunnels to my PIX. However there is one particular router that will not connect. It is no different than all the rest, same IOS, same crypto config but it just doesn't work. I have double and triple checked the configs and all looks OK. I have some debugs here from both ends that show the failure but don't really say why its failing. Maybe somebody can tell me what the debugs mean. There is a debug from both ends.

Thanks,

Diego

** Debug of PIX with 68.44.33.90 IOS Router trying to establish ISAKMP **

crypto_isakmp_process_block: src 68.44.33.90, dest 64.3.180.226

VPN Peer: ISAKMP: Added new peer: ip:68.44.33.90 Total VPN Peers:6

VPN Peer: ISAKMP: Peer ip:68.44.33.90 Ref cnt incremented to:1 Total VPN Peers:6

OAK_MM exchange

ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 1 policy

ISAKMP: encryption DES-CBC

ISAKMP: hash MD5

ISAKMP: default group 1

ISAKMP: auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (basic) of 3600

ISAKMP (0): atts are acceptable. Next payload is 0

ISAKMP (0): processing vendor id payload

ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR

return status is IKMP_NO_ERROR

crypto_isakmp_process_block: src 68.44.33.90, dest 64.3.180.226

VPN Peer: ISAKMP: Peer ip:68.44.33.90 Ref cnt incremented to:2 Total VPN Peers:6

VPN Peer: ISAKMP: Peer ip:68.44.33.90 Ref cnt decremented to:1 Total VPN Peers:6

crypto_isakmp_process_block: src 64.221.60.74, dest 64.3.180.226

ISAKMP (0): processing NOTIFY payload 36136 protocol 1

spi 0, message ID = 494535626

ISAMKP (0): received DPD_R_U_THERE from peer 64.221.60.74

ISAKMP (0): sending NOTIFY message 36137 protocol 1

return status is IKMP_NO_ERR_NO_TRANS

ISAKMP (0): retransmitting phase 1...

crypto_isakmp_process_block: src 68.44.33.90, dest 64.3.180.226

VPN Peer: ISAKMP: Peer ip:68.44.33.90 Ref cnt incremented to:2 Total VPN Peers:6

VPN Peer: ISAKMP: Peer ip:68.44.33.90 Ref cnt decremented to:1 Total VPN Peers:6

crypto_isakmp_process_block: src 68.44.33.90, dest 64.3.180.226

VPN Peer: ISAKMP: Peer ip:68.44.33.90 Ref cnt incremented to:2 Total VPN Peers:6

VPN Peer: ISAKMP: Peer ip:68.44.33.90 Ref cnt decremented to:1 Total VPN Peers:6

ISAKMP (0): retransmitting phase 1...

crypto_isakmp_process_block: src 68.44.33.90, dest 64.3.180.226

VPN Peer: ISAKMP: Peer ip:68.44.33.90 Ref cnt incremented to:2 Total VPN Peers:6

VPN Peer: ISAKMP: Peer ip:68.44.33.90 Ref cnt decremented to:1 Total VPN Peers:6

ISAKMP (0): deleting SA: src 68.44.33.90, dst 64.3.180.226

VPN Peer: ISAKMP: Peer ip:68.44.33.90 Ref cnt decremented to:0 Total VPN Peers:6

VPN Peer: ISAKMP: Deleted peer: ip:68.44.33.90 Total VPN peers:5

crypto_isakmp_process_block: src 68.44.33.90, dest 64.3.180.226

VPN Peer: ISAKMP: Added new peer: ip:68.44.33.90 Total VPN Peers:6

VPN Peer: ISAKMP: Peer ip:68.44.33.90 Ref cnt incremented to:1 Total VPN Peers:6

OAK_MM exchange

ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 1 policy

ISAKMP: encryption DES-CBC

ISAKMP: hash MD5

ISAKMP: default group 1

ISAKMP: auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (basic) of 3600

ISAKMP (0): atts are acceptable. Next payload is 0

ISAKMP (0): processing vendor id payload

ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR

return status is IKMP_NO_ERROR

ISAKMP (0): retransmitting phase 1...

crypto_isakmp_process_block: src 68.44.33.90, dest 64.3.180.226

VPN Peer: ISAKMP: Peer ip:68.44.33.90 Ref cnt incremented to:2 Total VPN Peers:6

OAK_MM exchange

ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 1 policy

ISAKMP: encryption DES-CBC

ISAKMP: hash MD5

ISAKMP: default group 1

ISAKMP: auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (basic) of 3600

ISAKMP (0): atts are acceptable. Next payload is 0

ISAKMP (0): processing vendor id payload

ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR

return status is IKMP_NO_ERROR

ISAKMP (0): sending NOTIFY message 36136 protocol 1

crypto_isakmp_process_block: src 141.150.175.18, dest 64.3.180.226

ISAKMP (0): processing NOTIFY payload 36137 protocol 1

spi 0, message ID = 1670884433

ISAMKP (0): received DPD_R_U_THERE_ACK from peer 141.150.175.18

return status is IKMP_NO_ERR_NO_TRANS

ISAKMP (0): retransmitting phase 1...

crypto_isakmp_process_block: src 68.44.33.90, dest 64.3.180.226

VPN Peer: ISAKMP: Peer ip:68.44.33.90 Ref cnt incremented to:3 Total VPN Peers:6

OAK_MM exchange

ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 1 policy

ISAKMP: encryption DES-CBC

ISAKMP: hash MD5

ISAKMP: default group 1

ISAKMP: auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (basic) of 3600

ISAKMP (0): atts are acceptable. Next payload is 0

ISAKMP (0): processing vendor id payload

ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR

return status is IKMP_NO_ERROR

ISAKMP (0): retransmitting phase 1...

crypto_isakmp_process_block: src 68.44.33.90, dest 64.3.180.226

VPN Peer: ISAKMP: Peer ip:68.44.33.90 Ref cnt incremented to:4 Total VPN Peers:6

OAK_MM exchange

ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 1 policy

ISAKMP: encryption DES-CBC

ISAKMP: hash MD5

ISAKMP: default group 1

ISAKMP: auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (basic) of 3600

ISAKMP (0): atts are acceptable. Next payload is 0

ISAKMP (0): processing vendor id payload

ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR

return status is IKMP_NO_ERROR

ISAKMP (0): deleting SA: src 68.44.33.90, dst 64.3.180.226

ISAKMP (0): retransmitting phase 1...

VPN Peer: ISAKMP: Peer ip:68.44.33.90 Ref cnt decremented to:3 Total VPN Peers:6

crypto_isakmp_process_block: src 68.44.33.90, dest 64.3.180.226

VPN Peer: ISAKMP: Peer ip:68.44.33.90 Ref cnt incremented to:4 Total VPN Peers:6

VPN Peer: ISAKMP: Peer ip:68.44.33.90 Ref cnt decremented to:3 Total VPN Peers:6

ISAKMP (0): retransmitting phase 1...no debug crypto isakmp

** Debug at IOS router trying to establish ISAKMP with PIX **

ISAKMP: received ke message (1/1)

ISAKMP (0:0): SA request profile is (NULL)

ISAKMP: local port 500, remote port 500

ISAKMP: set new node 0 to QM_IDLE

ISAKMP: insert sa successfully sa = 81C55628

ISAKMP (0:1): Can not start Aggressive mode, trying Main mode.

ISAKMP: Looking for a matching key for 64.3.180.226 in default : success

ISAKMP (0:1): found peer pre-shared key matching 64.3.180.226

ISAKMP (0:1): constructed NAT-T vendor-03 ID

ISAKMP (0:1): constructed NAT-T vendor-02 ID

ISAKMP (0:1): Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM

2w0d: ISAKMP (0:1): Old State = IKE_READY New State = IKE_I_MM1

2w0d: ISAKMP (0:1): beginning Main Mode exchange

2w0d: ISAKMP (0:1): sending packet to 64.3.180.226 my_port 500 peer_port 500 (I) MM_NO_STATE.....

2w0d: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE.

2w0d: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1

2w0d: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE

2w0d: ISAKMP (0:1): sending packet to 64.3.180.226 my_port 500 peer_port 500 (I) MM_NO_STATE

2w0d: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE.

2w0d: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1

2w0d: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE

2w0d: ISAKMP (0:1): sending packet to 64.3.180.226 my_port 500 peer_port 500 (I) MM_NO_STATE

2w0d: ISAKMP: received ke message (1/1)

2w0d: ISAKMP: set new node 0 to QM_IDLE

2w0d: ISAKMP (0:1): SA is still budding. Attached new ipsec request to it. (local 68.44.33.90, remote 64.3.180.226)

2w0d: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE.

2w0d: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1

2w0d: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE

2w0d: ISAKMP (0:1): sending packet to 64.3.180.226 my_port 500 peer_port 500 (I) MM_NO_STATE

2w0d: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE.

2w0d: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1

2w0d: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE

2w0d: ISAKMP (0:1): sending packet to 64.3.180.226 my_port 500 peer_port 500 (I) MM_NO_STATE

2w0d: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE.

2w0d: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1

2w0d: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE

2w0d: ISAKMP (0:1): sending packet to 64.3.180.226 my_port 500 peer_port 500 (I) MM_NO_STATE

2w0d: ISAKMP: received ke message (3/1)

2w0d: ISAKMP (0:1): peer does not do paranoid keepalives.

2w0d: ISAKMP (0:1): deleting SA reason "gen_ipsec_isakmp_delete but doi isakmp" state (I) MM_NO_STATE (peer 64.3.180.226) input queue 0

2w0d: ISAKMP (0:1): deleting node 243979660 error TRUE reason "gen_ipsec_isakmp_delete but doi isakmp"

2w0d: ISAKMP (0:1): deleting node -1559624423 error TRUE reason "gen_ipsec_isakmp_delete but doi isakmp"

2w0d: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL

2w0d: ISAKMP (0:1): Old State = IKE_I_MM1 New State = IKE_DEST_SA

Re: help deciphering IOS to PIX ISAKMP debug

gfullage — Mon, 01 Dec 2003 01:17:02 GMT

The router debug here:

2w0d: ISAKMP (0:1): beginning Main Mode exchange

2w0d: ISAKMP (0:1): sending packet to 64.3.180.226 my_port 500 peer_port 500 (I) MM_NO_STATE.....

2w0d: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE.

2w0d: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1

2w0d: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE

2w0d: ISAKMP (0:1): sending packet to 64.3.180.226 my_port 500 peer_port 500 (I) MM_NO_STATE

shows that it's sending IKE packets to the PIX. The PIX debug shows it's comparing the attributes and they're OK, it replies to the router, but the router never sees that. It retransmits, again it gets no answer, and eventually gives up.

So you have to see why the router isn't seeing the ISAKMP packets from the PIX. Check that the ISP isn't blocking them, they do sometimes cause they want to charge extra for having VPN's run across their network.

Failing that, try bringing up the tunnel from behind the PIX (rather from behind the router) and check the debugs again, you'll get more information on the router debug this way and it may give more information as to the cause.

Re: help deciphering IOS to PIX ISAKMP debug

tato386 — Mon, 01 Dec 2003 03:07:12 GMT

That sounds look a good plan. Thanks for the tips!!

Diego

topic Re: help deciphering IOS to PIX ISAKMP debug in Network Security

help deciphering IOS to PIX ISAKMP debug

Re: help deciphering IOS to PIX ISAKMP debug

Re: help deciphering IOS to PIX ISAKMP debug