
CSR1000V as DMVPN hub in AWS & ikev1/isakmp not establishing...

ksaridena
Level 1

Hi,

I am trying to bring up CSR1000V as a DMVPN hub in the AWS cloud. Got the basic config on the hub & spoke routers and can ping across the public IPs of both the routers. But ISAKMP peering is failing and not able to establish phase 1 between the two devices. I have udp/500 & udp/4500 ports open to CSR1000V and also to the client. But I never see the routers trying to flip over to udp encapsulation (udp/4500 port) because the CSR's private IP is mapped to the public IP by AWS, hence NAT at the hub end.

Any insights into what I am missing here?

Here are configs of both the routers & also the isakmp debug messages.

DMVPN Hub - CSR1000V in AWS
!
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
!
crypto isakmp key cisco address 0.0.0.0
!
crypto ipsec transform-set xform esp-aes 256 esp-sha256-hmac
 mode transport
!
crypto ipsec profile awsvpn
 set transform-set xform
!
!
interface Tunnel0
 ip address 10.1.1.254 255.255.255.0
 no ip redirects

 ip nhrp authentication cisco
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip nhrp redirect

 ip ospf priority 100
 ip ospf network broadcast

 tunnel source GigabitEthernet1
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile awsvpn shared
!

DMVPN Client - Cisco 1941

!
crypto isakmp policy 30
 encr aes 256
 hash sha256
 authentication pre-share
!
crypto isakmp key cisco address 0.0.0.0
!
crypto ipsec transform-set xform esp-aes 256 esp-sha256-hmac
 mode transport
!
crypto ipsec profile awsvpn
 set transform-set xform
!
interface Tunnel12
 description DMVPN IPSec Tunnel 2 AWS Oregon
 ip address 10.1.1.101 255.255.255.0

 ip nhrp authentication cisco
 ip nhrp map 10.1.1.254 1.2.3.4
 ip nhrp map multicast 1.2.3.4
 ip nhrp network-id 1
 ip nhrp nhs 10.1.1.254
 ip nhrp shortcut

 ip mtu 1400
 ip tcp adjust-mss 1300
 ip ospf network broadcast

 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile awsvpn shared
!


*Apr 4 2017 03:05:12.132 PDT: ISAKMP-PAK: (0):received packet from <dmvpn client ip> dport 500 sport 500 Global (N) NEW SA
*Apr 4 2017 03:05:12.133 PDT: ISAKMP: (0):Created a peer struct for <dmvpn client ip>, peer port 500
*Apr 4 2017 03:05:12.133 PDT: ISAKMP: (0):New peer created peer = 0x7F075B279128 peer_handle = 0x80000426
*Apr 4 2017 03:05:12.133 PDT: ISAKMP: (0):Locking peer struct 0x7F075B279128, refcount 1 for crypto_isakmp_process_block
*Apr 4 2017 03:05:12.133 PDT: ISAKMP: (0):local port 500, remote port 500
*Apr 4 2017 03:05:12.133 PDT: ISAKMP: (0):Find a dup sa in the avl tree during calling isadb_insert sa = 7F075B278410
*Apr 4 2017 03:05:12.133 PDT: ISAKMP: (0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Apr 4 2017 03:05:12.133 PDT: ISAKMP: (0):Old State = IKE_READY New State = IKE_R_MM1

*Apr 4 2017 03:05:12.133 PDT: ISAKMP: (0):processing SA payload. message ID = 0
*Apr 4 2017 03:05:12.133 PDT: ISAKMP: (0):processing vendor id payload
*Apr 4 2017 03:05:12.133 PDT: ISAKMP: (0):vendor ID seems Unity/DPD but major 69 mismatch
*Apr 4 2017 03:05:12.133 PDT: ISAKMP: (0):vendor ID is NAT-T RFC 3947
*Apr 4 2017 03:05:12.133 PDT: ISAKMP: (0):processing vendor id payload
*Apr 4 2017 03:05:12.133 PDT: ISAKMP: (0):vendor ID seems Unity/DPD but major 245 mismatch
*Apr 4 2017 03:05:12.133 PDT: ISAKMP: (0):vendor ID is NAT-T v7
*Apr 4 2017 03:05:12.133 PDT: ISAKMP: (0):processing vendor id payload
*Apr 4 2017 03:05:12.133 PDT: ISAKMP: (0):vendor ID seems Unity/DPD but major 157 mismatch
*Apr 4 2017 03:05:12.133 PDT: ISAKMP: (0):vendor ID is NAT-T v3
*Apr 4 2017 03:05:12.133 PDT: ISAKMP: (0):processing vendor id payload
*Apr 4 2017 03:05:12.133 PDT: ISAKMP: (0):vendor ID seems Unity/DPD but major 123 mismatch
*Apr 4 2017 03:05:12.133 PDT: ISAKMP: (0):vendor ID is NAT-T v2
*Apr 4 2017 03:05:12.133 PDT: ISAKMP: (0):found peer pre-shared key matching <dmvpn client ip>
*Apr 4 2017 03:05:12.133 PDT: ISAKMP: (0):local preshared key found
*Apr 4 2017 03:05:12.133 PDT: ISAKMP: (0):Scanning profiles for xauth ...
*Apr 4 2017 03:05:12.133 PDT: ISAKMP: (0):Checking ISAKMP transform 1 against priority 10 policy
*Apr 4 2017 03:05:12.133 PDT: ISAKMP: (0): encryption AES-CBC
*Apr 4 2017 03:05:12.133 PDT: ISAKMP: (0): keylength of 256
*Apr 4 2017 03:05:12.133 PDT: ISAKMP: (0): hash SHA
*Apr 4 2017 03:05:12.133 PDT: ISAKMP: (0): default group 5
*Apr 4 2017 03:05:12.133 PDT: ISAKMP: (0): auth pre-share
*Apr 4 2017 03:05:12.133 PDT: ISAKMP: (0): life type in seconds
*Apr 4 2017 03:05:12.133 PDT: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*Apr 4 2017 03:05:12.133 PDT: ISAKMP-ERROR: (0):Hash algorithm offered does not match policy!
*Apr 4 2017 03:05:12.133 PDT: ISAKMP-ERROR: (0):atts are not acceptable. Next payload is 3
*Apr 4 2017 03:05:12.133 PDT: ISAKMP: (0):Checking ISAKMP transform 2 against priority 10 policy
*Apr 4 2017 03:05:12.133 PDT: ISAKMP: (0): encryption 3DES-CBC
*Apr 4 2017 03:05:12.133 PDT: ISAKMP: (0): hash SHA
*Apr 4 2017 03:05:12.133 PDT: ISAKMP: (0): default group 5
*Apr 4 2017 03:05:12.133 PDT: ISAKMP: (0): auth pre-share
*Apr 4 2017 03:05:12.133 PDT: ISAKMP: (0): life type in seconds
*Apr 4 2017 03:05:12.133 PDT: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*Apr 4 2017 03:05:12.133 PDT: ISAKMP-ERROR: (0):Encryption algorithm offered does not match policy!
*Apr 4 2017 03:05:12.133 PDT: ISAKMP-ERROR: (0):atts are not acceptable. Next payload is 3
*Apr 4 2017 03:05:12.133 PDT: ISAKMP: (0):Checking ISAKMP transform 3 against priority 10 policy
*Apr 4 2017 03:05:12.133 PDT: ISAKMP: (0): encryption AES-CBC
*Apr 4 2017 03:05:12.133 PDT: ISAKMP: (0): keylength of 256
*Apr 4 2017 03:05:12.133 PDT: ISAKMP: (0): hash SHA256
*Apr 4 2017 03:05:12.133 PDT: ISAKMP: (0): default group 1
*Apr 4 2017 03:05:12.133 PDT: ISAKMP: (0): auth pre-share
*Apr 4 2017 03:05:12.133 PDT: ISAKMP: (0): life type in seconds
*Apr 4 2017 03:05:12.133 PDT: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*Apr 4 2017 03:05:12.133 PDT: ISAKMP: (0):atts are acceptable. Next payload is 0
*Apr 4 2017 03:05:12.133 PDT: ISAKMP: (0):Acceptable atts:actual life: 86400
*Apr 4 2017 03:05:12.133 PDT: ISAKMP: (0):Acceptable atts:life: 0
*Apr 4 2017 03:05:12.133 PDT: ISAKMP: (0):Fill atts in sa vpi_length:4
*Apr 4 2017 03:05:12.133 PDT: ISAKMP: (0):Fill atts in sa life_in_seconds:86400
*Apr 4 2017 03:05:12.133 PDT: ISAKMP: (0):Returning Actual lifetime: 86400
*Apr 4 2017 03:05:12.133 PDT: ISAKMP: (0):Started lifetime timer: 86400.

*Apr 4 2017 03:05:12.133 PDT: ISAKMP: (0):processing vendor id payload
*Apr 4 2017 03:05:12.133 PDT: ISAKMP: (0):vendor ID seems Unity/DPD but major 69 mismatch
*Apr 4 2017 03:05:12.133 PDT: ISAKMP: (0):vendor ID is NAT-T RFC 3947
*Apr 4 2017 03:05:12.133 PDT: ISAKMP: (0):processing vendor id payload
*Apr 4 2017 03:05:12.133 PDT: ISAKMP: (0):vendor ID seems Unity/DPD but major 245 mismatch
*Apr 4 2017 03:05:12.133 PDT: ISAKMP: (0):vendor ID is NAT-T v7
*Apr 4 2017 03:05:12.133 PDT: ISAKMP: (0):processing vendor id payload
*Apr 4 2017 03:05:12.133 PDT: ISAKMP: (0):vendor ID seems Unity/DPD but major 157 mismatch
*Apr 4 2017 03:05:12.133 PDT: ISAKMP: (0):vendor ID is NAT-T v3
*Apr 4 2017 03:05:12.133 PDT: ISAKMP: (0):processing vendor id payload
*Apr 4 2017 03:05:12.133 PDT: ISAKMP: (0):vendor ID seems Unity/DPD but major 123 mismatch
*Apr 4 2017 03:05:12.133 PDT: ISAKMP: (0):vendor ID is NAT-T v2
*Apr 4 2017 03:05:12.133 PDT: ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Apr 4 2017 03:05:12.133 PDT: ISAKMP: (0):Old State = IKE_R_MM1 New State = IKE_R_MM1

*Apr 4 2017 03:05:12.133 PDT: ISAKMP: (0):constructed NAT-T vendor-rfc3947 ID
*Apr 4 2017 03:05:12.133 PDT: ISAKMP-PAK: (0):sending packet to <dmvpn client ip> my_port 500 peer_port 500 (R) MM_SA_SETUP
*Apr 4 2017 03:05:12.133 PDT: ISAKMP: (0):Sending an IKE IPv4 Packet.
*Apr 4 2017 03:05:12.133 PDT: ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Apr 4 2017 03:05:12.133 PDT: ISAKMP: (0):Old State = IKE_R_MM1 New State = IKE_R_MM2

*Apr 4 2017 03:05:22.133 PDT: ISAKMP: (0):retransmitting phase 1 MM_SA_SETUP...
*Apr 4 2017 03:05:22.133 PDT: ISAKMP: (0):: incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Apr 4 2017 03:05:22.133 PDT: ISAKMP: (0):retransmitting phase 1 MM_SA_SETUP
*Apr 4 2017 03:05:22.133 PDT: ISAKMP-PAK: (0):sending packet to <dmvpn client ip> my_port 500 peer_port 500 (R) MM_SA_SETUP
*Apr 4 2017 03:05:22.133 PDT: ISAKMP: (0):Sending an IKE IPv4 Packet.
*Apr 4 2017 03:05:22.134 PDT: ISAKMP-PAK: (0):received packet from <dmvpn client ip> dport 500 sport 500 Global (R) MM_SA_SETUP
*Apr 4 2017 03:05:22.134 PDT: ISAKMP: (0):phase 1 packet is a duplicate of a previous packet.
*Apr 4 2017 03:05:22.134 PDT: ISAKMP: (0):retransmission skipped for phase 1 (time since last transmission 0)
*Apr 4 2017 03:05:32.133 PDT: ISAKMP: (0):retransmitting phase 1 MM_SA_SETUP...
*Apr 4 2017 03:05:32.133 PDT: ISAKMP: (0):: incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Apr 4 2017 03:05:32.133 PDT: ISAKMP: (0):retransmitting phase 1 MM_SA_SETUP
*Apr 4 2017 03:05:32.134 PDT: ISAKMP-PAK: (0):sending packet to <dmvpn client ip> my_port 500 peer_port 500 (R) MM_SA_SETUP
*Apr 4 2017 03:05:32.134 PDT: ISAKMP: (0):Sending an IKE IPv4 Packet.
*Apr 4 2017 03:05:32.134 PDT: ISAKMP-PAK: (0):received packet from <dmvpn client ip> dport 500 sport 500 Global (R) MM_SA_SETUP
*Apr 4 2017 03:05:32.134 PDT: ISAKMP: (0):phase 1 packet is a duplicate of a previous packet.
*Apr 4 2017 03:05:32.134 PDT: ISAKMP: (0):retransmission skipped for phase 1 (time since last transmission 0)
*Apr 4 2017 03:05:42.133 PDT: ISAKMP: (0):retransmitting phase 1 MM_SA_SETUP...
*Apr 4 2017 03:05:42.133 PDT: ISAKMP: (0):: incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
*Apr 4 2017 03:05:42.133 PDT: ISAKMP: (0):retransmitting phase 1 MM_SA_SETUP
*Apr 4 2017 03:05:42.133 PDT: ISAKMP-PAK: (0):sending packet to <dmvpn client ip> my_port 500 peer_port 500 (R) MM_SA_SETUP
*Apr 4 2017 03:05:42.133 PDT: ISAKMP: (0):Sending an IKE IPv4 Packet.
*Apr 4 2017 03:05:42.134 PDT: ISAKMP-PAK: (0):received packet from <dmvpn client ip> dport 500 sport 500 Global (R) MM_SA_SETUP
*Apr 4 2017 03:05:42.134 PDT: ISAKMP: (0):phase 1 packet is a duplicate of a previous packet.
*Apr 4 2017 03:05:42.134 PDT: ISAKMP: (0):retransmission skipped for phase 1 (time since last transmission 0)
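As an added example (not from this thread or from Cisco), a small Python triage script for the pattern in the debug above: the hub reaches IKE_R_MM2, keeps retransmitting MM_SA_SETUP, and keeps seeing the spoke's MM1 again as a duplicate, which means the hub's reply never gets back to the spoke (a return-path problem) rather than an ISAKMP policy mismatch. The sample lines are a constructed, trimmed copy of that trace, using the same message formats and the same <dmvpn client ip> placeholder.

```python
import re
from collections import Counter

# Constructed sample: a trimmed copy of the IOS "debug crypto isakmp" trace quoted
# above, with the same message formats and the same <dmvpn client ip> placeholder.
SAMPLE_DEBUG = """\
*Apr 4 2017 03:05:12.132 PDT: ISAKMP-PAK: (0):received packet from <dmvpn client ip> dport 500 sport 500 Global (N) NEW SA
*Apr 4 2017 03:05:12.133 PDT: ISAKMP: (0):Old State = IKE_READY New State = IKE_R_MM1
*Apr 4 2017 03:05:12.133 PDT: ISAKMP: (0):vendor ID is NAT-T RFC 3947
*Apr 4 2017 03:05:12.133 PDT: ISAKMP: (0):atts are acceptable. Next payload is 0
*Apr 4 2017 03:05:12.133 PDT: ISAKMP-PAK: (0):sending packet to <dmvpn client ip> my_port 500 peer_port 500 (R) MM_SA_SETUP
*Apr 4 2017 03:05:12.133 PDT: ISAKMP: (0):Old State = IKE_R_MM1 New State = IKE_R_MM2
*Apr 4 2017 03:05:22.133 PDT: ISAKMP: (0):retransmitting phase 1 MM_SA_SETUP...
*Apr 4 2017 03:05:22.134 PDT: ISAKMP: (0):phase 1 packet is a duplicate of a previous packet.
*Apr 4 2017 03:05:32.133 PDT: ISAKMP: (0):retransmitting phase 1 MM_SA_SETUP...
*Apr 4 2017 03:05:32.134 PDT: ISAKMP: (0):phase 1 packet is a duplicate of a previous packet.
"""

STATE_RE = re.compile(r"Old State = (\S+) New State = (\S+)")

def analyze_isakmp_debug(text):
    """Walk an IKEv1 main-mode responder trace and classify why phase 1 stalled."""
    last_state, c = None, Counter()
    for line in text.splitlines():
        m = STATE_RE.search(line)
        if m:
            last_state = m.group(2)
        if "retransmitting phase 1" in line and line.endswith("..."):
            c["retransmits"] += 1   # hub re-sending its MM2 (MM_SA_SETUP)
        if "duplicate of a previous packet" in line:
            c["duplicates"] += 1    # spoke re-sending MM1: it never saw MM2
        if "vendor ID is NAT-T" in line:
            c["nat_t"] += 1         # NAT-T offered; the move to UDP/4500 cannot happen before NAT-D in MM3/MM4
        if "atts are acceptable" in line:
            c["policy_match"] += 1
    if last_state == "IKE_R_MM2" and c["retransmits"] and c["duplicates"]:
        diagnosis = ("MM1 answered but MM2 never reached the peer: check the return "
                     "path (default routes, NAT, security groups), not ISAKMP policy")
    elif last_state == "IKE_R_MM1" and not c["policy_match"]:
        diagnosis = "no ISAKMP transform matched the local policy"
    else:
        diagnosis = "no known stall pattern"
    return {"last_state": last_state, "retransmits": c["retransmits"],
            "duplicates": c["duplicates"], "nat_t_offered": c["nat_t"] > 0,
            "diagnosis": diagnosis}

if __name__ == "__main__":
    for key, value in analyze_isakmp_debug(SAMPLE_DEBUG).items():
        print(f"{key}: {value}")
```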

8 Replies

ksaridena
Level 1

This issue is resolved when I launched CSR1000V with one interface instead of 2 interfaces that I have been using earlier.

When the device is launched with 2 interfaces I see two default routes in the router but when I launch with one interface it has only one default route.

So the issue might be related to how the traffic is being routed between the two default routes.

Hello,

The issue you are seeing is due to the fact that the second interface comes up in DHCP mode and obtains a "default-router" IP when negotiating its IP address.

You need to make sure you do "not" use DHCP for the second interface; you can also configure "no ip dhcp client request router" on the second interface to make sure that if DHCP is used it does not request a "default-router" IP.

Regards

dsborces
Level 1

Hi,

Has this problem been solved? I also had the same problem; till now I was still digging into how I can make it work. Hoping anybody could share how to address it.

thanks

Yes, I have resolved this issue. There were two issues associated with it.

1. When you launch the instance with 2 interfaces you get 2 default routes, one associated with each of the interfaces. So I launched the instance with one interface and then added the second interface later. With two default routes the traffic had two paths to exit the router....

2. Security groups associated with the public & private interfaces. You need to make sure the Security groups assigned to the router interfaces permit the interesting traffic associated with that interface.

Thank you. It's OK now...

crypto ipsec transform-set AWStun esp-3des esp-sha-hmac
 mode tunnel

to

crypto ipsec transform-set AWStun esp-3des esp-sha-hmac
 mode transport

thanks

Instance launched with a single interface, and even if I allow all inbound traffic it's not working.

Any suggestion?

A long time ago, @nishantpuri783622829, did you ever get a fix for this? I am having the same issue.