DMVPN status permanently in IKE

Hello community. I have a problem: I have several routers in DMVPN with GRE tunnels running OSPF between them. I am having a problem with just one link, which stays in IKE status.

The pre-shared keys are the same, and all the Phase 1 and Phase 2 parameters are correct.


# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 *.*.*.* 10.100.200.65 IKE 00:37:15 S

 

Here is the log:


Mar 21 20:44:42.427: ISAKMP: set new node 0 to QM_IDLE
Mar 21 20:44:42.427: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local IP Publica LOCAL, remote IP Publica)
Mar 21 20:44:42.427: ISAKMP: Error while processing SA request: Failed to initialize SA
Mar 21 20:44:42.427: ISAKMP: Error while processing KMI message 0, error 2.
Mar 21 20:44:42.443: ISAKMP (0): received packet from IP Publica dport 500 sport 500 Global (N) NEW SA
Mar 21 20:44:52.429: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Mar 21 20:44:52.429: ISAKMP (0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
Mar 21 20:44:52.429: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Mar 21 20:44:52.429: ISAKMP:(0): sending packet to IP Publica my_port 500 peer_port 500 (I) MM_NO_STATE
Mar 21 20:44:52.429: ISAKMP:(0):Sending an IKE IPv4 Packet.
Mar 21 20:44:52.445: ISAKMP (0): received packet from IP Publica dport 500 sport 500 Global (N) NEW SA
Mar 21 20:45:02.431: ISAKMP:(0):purging node 575337971
Mar 21 20:45:02.431: ISAKMP:(0):purging node -23260219
Mar 21 20:45:02.431: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Mar 21 20:45:02.431: ISAKMP (0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
Mar 21 20:45:02.431: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Mar 21 20:45:02.431: ISAKMP:(0): sending packet to IP Publica my_port 500 peer_port 500 (I) MM_NO_STATE
Mar 21 20:45:02.431: ISAKMP:(0):Sending an IKE IPv4 Packet.
Mar 21 20:45:02.443: ISAKMP (0): received packet from IP Publica dport 500 sport 500 Global (N) NEW SA
Mar 21 20:45:12.433: IPSEC:(SESSION ID = 106) (key_engine) request timer fired: count = 2,
(identity) local= IP Publica LOCAL:0, remote= IP Publica:0,
local_proxy= IP Publica LOCAL/255.255.255.255/47/0,
remote_proxy= IP Publica/255.255.255.255/47/0
Mar 21 20:45:12.433: ISAKMP:(0):purging SA., sa=38BE61C, delme=38BE61C
Mar 21 20:45:12.433: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Mar 21 20:45:12.433: ISAKMP:(0):peer does not do paranoid keepalives.

Mar 21 20:45:12.433: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer IP Publica)
Mar 21 20:45:12.433: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= IP Publica LOCAL:500, remote= IP Publica:500,
local_proxy= IP Publica LOCAL/255.255.255.255/47/0,
remote_proxy= IP Publica/255.255.255.255/47/0,
protocol= ESP, transform= esp-3des esp-sha-hmac (Transport),
lifedur= 86400s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
Mar 21 20:45:12.433: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer IP Publica)
Mar 21 20:45:12.433: ISAKMP: Unlocking peer struct 0x3675C40 for isadb_mark_sa_deleted(), count 0
Mar 21 20:45:12.433: ISAKMP: Deleting peer node by peer_reap for IP Publica: 3675C40
Mar 21 20:45:12.433: ISAKMP:(0):deleting node 1881545948 error FALSE reason "IKE deleted"
Mar 21 20:45:12.433: ISAKMP:(0):deleting node -830468427 error FALSE reason "IKE deleted"
Mar 21 20:45:12.433: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Mar 21 20:45:12.433: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_DEST_SA

Mar 21 20:45:12.433: ISAKMP:(0): SA request profile is (NULL)
Mar 21 20:45:12.433: ISAKMP: Created a peer struct for IP Publica, peer port 500
Mar 21 20:45:12.433: ISAKMP: New peer created peer = 0x3675C40 peer_handle = 0x8000F0D6
Mar 21 20:45:12.433: ISAKMP: Locking peer struct 0x3675C40, refcount 1 for isakmp_initiator
Mar 21 20:45:12.433: ISAKMP: local port 500, remote port 500
Mar 21 20:45:12.433: ISAKMP: set new node 0 to QM_IDLE
Mar 21 20:45:12.433: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 38BE61C
Mar 21 20:45:12.433: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
Mar 21 20:45:12.433: ISAKMP:(0):found peer pre-shared key matching IP Publica
Mar 21 20:45:12.433: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
Mar 21 20:45:12.433: ISAKMP:(0): constructed NAT-T vendor-07 ID
Mar 21 20:45:12.433: ISAKMP:(0): constructed NAT-T vendor-03 ID
Mar 21 20:45:12.433: ISAKMP:(0): constructed NAT-T vendor-02 ID
Mar 21 20:45:12.433: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Mar 21 20:45:12.433: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1

Mar 21 20:45:12.433: ISAKMP:(0): beginning Main Mode exchange
Mar 21 20:45:12.433: ISAKMP:(0): sending packet to IP Publica my_port 500 peer_port 500 (I) MM_NO_STATE
Mar 21 20:45:12.433: ISAKMP:(0):Sending an IKE IPv4 Packet.
Mar 21 20:45:12.433: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Mar 21 20:45:12.457: ISAKMP (0): received packet from IP Publica dport 500 sport 500 Global (N) NEW SA
Mar 21 20:45:22.434: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Mar 21 20:45:22.434: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Mar 21 20:45:22.434: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Mar 21 20:45:22.434: ISAKMP:(0): sending packet to IP Publica my_port 500 peer_port 500 (I) MM_NO_STATE
Mar 21 20:45:22.434: ISAKMP:(0):Sending an IKE IPv4 Packet.
Mar 21 20:45:22.954: ISAKMP (0): received packet from IP Publica dport 500 sport 500 Global (N) NEW SA
Mar 21 20:45:22.954: %CRYPTO-4-IKMP_NO_SA: IKE message from IP Publica has no SA and is not an initialization offer
Mar 21 20:45:32.436: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Mar 21 20:45:32.436: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
Mar 21 20:45:32.436: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Mar 21 20:45:32.436: ISAKMP:(0): sending packet to IP Publica my_port 500 peer_port 500 (I) MM_NO_STATE
Mar 21 20:45:32.436: ISAKMP:(0):Sending an IKE IPv4 Packet.
Mar 21 20:45:32.956: ISAKMP (0): received packet from IP Publica dport 500 sport 500 Global (N) NEW SA

 

 

 

Accepted solution

Hello diego.casanova91,

This kind of problem sometimes occurs when communication is interrupted between the two routers forming the IPsec tunnel and one of the routers keeps sending IKE without getting a response from the other router. You can check that there are no interface-down events and/or adjacency up/down problems before this event.

You can refer to the following link for more information.

https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/46402-16b.html

I am also sharing a document I wrote to explain DMVPN and help understand it better.

I hope it is useful.

Regards,

Leonardo

Thank you very much for the prompt help and clarification, @leonardo Pena Davila

Hello,

Is this problem periodic? Phase 1 appears to be renegotiating. As Leonardo mentions, it may be because you have communication problems between them; check whether there are link problems.

Regards
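
An added example, not part of the thread and not Cisco tooling: a small Python triage of `debug crypto isakmp` output like the log in the question. It separates the case the replies describe (nothing comes back from the peer) from the case where peer packets arrive but are logged as NEW SA or no SA. The sample lines are constructed, 192.0.2.10 stands in for the redacted peer address, and the state set and category names are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample in the format of the debug output quoted in the question;
# 192.0.2.10 is a documentation address standing in for the redacted peer.
SAMPLE = """\
Mar 21 20:45:12.433: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
Mar 21 20:45:12.457: ISAKMP (0): received packet from 192.0.2.10 dport 500 sport 500 Global (N) NEW SA
Mar 21 20:45:22.434: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Mar 21 20:45:22.954: %CRYPTO-4-IKMP_NO_SA: IKE message from 192.0.2.10 has no SA and is not an initialization offer
Mar 21 20:45:32.436: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
Mar 21 20:46:02.440: ISAKMP (0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
Mar 21 20:46:12.441: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 192.0.2.10)
"""

PATTERNS = {
    "retransmit": re.compile(r"attempt (\d+) of \d+: retransmit phase 1"),
    "p1_death": re.compile(r'deleting SA reason "Death by retransmission P1"'),
    "inbound_new_sa": re.compile(r"received packet from .+? dport \d+ sport \d+ .*\(N\) NEW SA"),
    "no_sa": re.compile(r"%CRYPTO-4-IKMP_NO_SA"),
    "state": re.compile(r"Old State = \S+\s+New State = (\S+)"),
}
# Assumption: states in which the initiator has not moved past its first message.
NOT_PROGRESSED = {"IKE_READY", "IKE_I_MM1", "IKE_DEST_SA"}

def summarize(log_text):
    """Count phase-1 events; return (counts, new states seen, highest attempt)."""
    counts, states, max_attempt = Counter(), set(), 0
    for line in log_text.splitlines():
        for name, rx in PATTERNS.items():
            m = rx.search(line)
            if not m:
                continue
            counts[name] += 1
            if name == "retransmit":
                max_attempt = max(max_attempt, int(m.group(1)))
            elif name == "state":
                states.add(m.group(1))
    return counts, states, max_attempt

def classify(log_text):
    """Return 'ok', 'progressed', 'peer_unmatched' or 'peer_silent'."""
    counts, states, max_attempt = summarize(log_text)
    if not counts["p1_death"] and max_attempt == 0:
        return "ok"  # no phase-1 retransmission in this capture
    if states - NOT_PROGRESSED:
        return "progressed"  # the exchange moved past the first message
    if counts["inbound_new_sa"] or counts["no_sa"]:
        return "peer_unmatched"  # peer packets arrive but are logged as NEW SA / no SA
    return "peer_silent"  # nothing comes back from the peer at all
```

Run `classify()` over a capture taken on each router; the log format is the one shown in the question, so redacted peer names with spaces are matched as well.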



