on 03-21-2022 01:50 PM
Hello community. I have an issue: I have several routers in DMVPN with GRE tunnels running OSPF between them. I am having a problem with just one link, which stays in IKE state.
The pre-shared keys are the same, and all the Phase 1 and Phase 2 parameters are correct.
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 *.*.*.* 10.100.200.65 IKE 00:37:15 S
Here is the log:
Mar 21 20:44:42.427: ISAKMP: set new node 0 to QM_IDLE
Mar 21 20:44:42.427: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local IP Publica LOCAL, remote IP Publica)
Mar 21 20:44:42.427: ISAKMP: Error while processing SA request: Failed to initialize SA
Mar 21 20:44:42.427: ISAKMP: Error while processing KMI message 0, error 2.
Mar 21 20:44:42.443: ISAKMP (0): received packet from IP Publica dport 500 sport 500 Global (N) NEW SA
Mar 21 20:44:52.429: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Mar 21 20:44:52.429: ISAKMP (0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
Mar 21 20:44:52.429: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Mar 21 20:44:52.429: ISAKMP:(0): sending packet to IP Publica my_port 500 peer_port 500 (I) MM_NO_STATE
Mar 21 20:44:52.429: ISAKMP:(0):Sending an IKE IPv4 Packet.
Mar 21 20:44:52.445: ISAKMP (0): received packet from IP Publica dport 500 sport 500 Global (N) NEW SA
Mar 21 20:45:02.431: ISAKMP:(0):purging node 575337971
Mar 21 20:45:02.431: ISAKMP:(0):purging node -23260219
Mar 21 20:45:02.431: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Mar 21 20:45:02.431: ISAKMP (0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
Mar 21 20:45:02.431: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Mar 21 20:45:02.431: ISAKMP:(0): sending packet to IP Publica my_port 500 peer_port 500 (I) MM_NO_STATE
Mar 21 20:45:02.431: ISAKMP:(0):Sending an IKE IPv4 Packet.
Mar 21 20:45:02.443: ISAKMP (0): received packet from IP Publica dport 500 sport 500 Global (N) NEW SA
Mar 21 20:45:12.433: IPSEC:(SESSION ID = 106) (key_engine) request timer fired: count = 2,
(identity) local= IP Publica LOCAL:0, remote= IP Publica:0,
local_proxy= IP Publica LOCAL/255.255.255.255/47/0,
remote_proxy= IP Publica/255.255.255.255/47/0
Mar 21 20:45:12.433: ISAKMP:(0):purging SA., sa=38BE61C, delme=38BE61C
Mar 21 20:45:12.433: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Mar 21 20:45:12.433: ISAKMP:(0):peer does not do paranoid keepalives.
Mar 21 20:45:12.433: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer IP Publica)
Mar 21 20:45:12.433: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= IP Publica LOCAL:500, remote= IP Publica:500,
local_proxy= IP Publica LOCAL/255.255.255.255/47/0,
remote_proxy= IP Publica/255.255.255.255/47/0,
protocol= ESP, transform= esp-3des esp-sha-hmac (Transport),
lifedur= 86400s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
Mar 21 20:45:12.433: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer IP Publica)
Mar 21 20:45:12.433: ISAKMP: Unlocking peer struct 0x3675C40 for isadb_mark_sa_deleted(), count 0
Mar 21 20:45:12.433: ISAKMP: Deleting peer node by peer_reap for IP Publica: 3675C40
Mar 21 20:45:12.433: ISAKMP:(0):deleting node 1881545948 error FALSE reason "IKE deleted"
Mar 21 20:45:12.433: ISAKMP:(0):deleting node -830468427 error FALSE reason "IKE deleted"
Mar 21 20:45:12.433: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Mar 21 20:45:12.433: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_DEST_SA
Mar 21 20:45:12.433: ISAKMP:(0): SA request profile is (NULL)
Mar 21 20:45:12.433: ISAKMP: Created a peer struct for IP Publica, peer port 500
Mar 21 20:45:12.433: ISAKMP: New peer created peer = 0x3675C40 peer_handle = 0x8000F0D6
Mar 21 20:45:12.433: ISAKMP: Locking peer struct 0x3675C40, refcount 1 for isakmp_initiator
Mar 21 20:45:12.433: ISAKMP: local port 500, remote port 500
Mar 21 20:45:12.433: ISAKMP: set new node 0 to QM_IDLE
Mar 21 20:45:12.433: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 38BE61C
Mar 21 20:45:12.433: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
Mar 21 20:45:12.433: ISAKMP:(0):found peer pre-shared key matching IP Publica
Mar 21 20:45:12.433: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
Mar 21 20:45:12.433: ISAKMP:(0): constructed NAT-T vendor-07 ID
Mar 21 20:45:12.433: ISAKMP:(0): constructed NAT-T vendor-03 ID
Mar 21 20:45:12.433: ISAKMP:(0): constructed NAT-T vendor-02 ID
Mar 21 20:45:12.433: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Mar 21 20:45:12.433: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
Mar 21 20:45:12.433: ISAKMP:(0): beginning Main Mode exchange
Mar 21 20:45:12.433: ISAKMP:(0): sending packet to IP Publica my_port 500 peer_port 500 (I) MM_NO_STATE
Mar 21 20:45:12.433: ISAKMP:(0):Sending an IKE IPv4 Packet.
Mar 21 20:45:12.433: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Mar 21 20:45:12.457: ISAKMP (0): received packet from IP Publica dport 500 sport 500 Global (N) NEW SA
Mar 21 20:45:22.434: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Mar 21 20:45:22.434: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Mar 21 20:45:22.434: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Mar 21 20:45:22.434: ISAKMP:(0): sending packet to IP Publica my_port 500 peer_port 500 (I) MM_NO_STATE
Mar 21 20:45:22.434: ISAKMP:(0):Sending an IKE IPv4 Packet.
Mar 21 20:45:22.954: ISAKMP (0): received packet from IP Publica dport 500 sport 500 Global (N) NEW SA
Mar 21 20:45:22.954: %CRYPTO-4-IKMP_NO_SA: IKE message from IP Publica has no SA and is not an initialization offer
Mar 21 20:45:32.436: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Mar 21 20:45:32.436: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
Mar 21 20:45:32.436: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Mar 21 20:45:32.436: ISAKMP:(0): sending packet to IP Publica my_port 500 peer_port 500 (I) MM_NO_STATE
Mar 21 20:45:32.436: ISAKMP:(0):Sending an IKE IPv4 Packet.
Mar 21 20:45:32.956: ISAKMP (0): received packet from IP Publica dport 500 sport 500 Global (N) NEW SA
on 03-22-2022 10:49 AM
Hello diego.casanova91
Sometimes this type of problem occurs when communication is interrupted between the two routers that are forming the IPsec tunnel and one of the routers keeps sending IKE without getting a response from the other router. You can check that there are no interface-down events and/or adjacency up/down problems before this event.
You can refer to the following link for more information.
I am also sharing a document I wrote to explain and better understand DMVPN.
I hope it is useful
Regards
Leonardo
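The situation this answer describes, one router retransmitting IKE Phase 1 until it gives up, can be picked out of ISAKMP debug output like the log in the question. This is an added example, not part of the original thread; the sample lines are constructed and 192.0.2.10 / 192.0.2.20 are placeholder peer addresses.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the debug output posted in the question;
# 192.0.2.x are documentation addresses standing in for the redacted peers.
SAMPLE = """\
Mar 21 20:44:50.100: ISAKMP:(0): sending packet to 192.0.2.20 my_port 500 peer_port 500 (I) MM_SA_SETUP
Mar 21 20:44:52.429: ISAKMP (0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
Mar 21 20:44:52.429: ISAKMP:(0): sending packet to 192.0.2.10 my_port 500 peer_port 500 (I) MM_NO_STATE
Mar 21 20:44:52.445: ISAKMP (0): received packet from 192.0.2.10 dport 500 sport 500 Global (N) NEW SA
Mar 21 20:45:02.431: ISAKMP (0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
Mar 21 20:45:02.431: ISAKMP:(0): sending packet to 192.0.2.10 my_port 500 peer_port 500 (I) MM_NO_STATE
Mar 21 20:45:02.443: ISAKMP (0): received packet from 192.0.2.10 dport 500 sport 500 Global (N) NEW SA
Mar 21 20:45:12.433: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 192.0.2.10)
"""

ATTEMPT = re.compile(r"attempt (\d+) of \d+: retransmit phase 1")
SENT = re.compile(r"sending packet to (\S+) my_port \d+ peer_port \d+ \(I\) (\S+)")
RECV = re.compile(r"received packet from (\S+) dport \d+ sport \d+ \S+ \(N\) NEW SA")
DELETED = re.compile(r'deleting SA reason "([^"]+)" state \(I\) (\S+)\s+\(peer (\S+)\)')

def summarize(log):
    """Per-peer counters for the initiator side of IKE Phase 1."""
    stats = defaultdict(lambda: {"sent": 0, "max_attempt": 0, "inbound_new_sa": 0, "deaths": 0})
    pending = 0  # retransmit attempt waiting for the send line that names the peer
    for line in log.splitlines():
        if m := ATTEMPT.search(line):
            pending = int(m.group(1))
        elif m := SENT.search(line):
            peer = stats[m.group(1)]
            if m.group(2) == "MM_NO_STATE":  # first Main Mode message still unanswered
                peer["sent"] += 1
                peer["max_attempt"] = max(peer["max_attempt"], pending)
            pending = 0
        elif m := RECV.search(line):
            # Packets from the peer that the router logged as "(N) NEW SA".
            stats[m.group(1)]["inbound_new_sa"] += 1
        elif (m := DELETED.search(line)) and m.group(2) == "MM_NO_STATE":
            if m.group(1) == "Death by retransmission P1":
                stats[m.group(3)]["deaths"] += 1
    return dict(stats)

def stuck_peers(stats):
    """Peers whose Phase 1 SA was deleted after exhausting retransmissions."""
    return sorted(p for p, s in stats.items() if s["deaths"] > 0)

if __name__ == "__main__":
    result = summarize(SAMPLE)
    for peer in stuck_peers(result):
        print(peer, result[peer])
```

Comparing the timestamps of the flagged peers with interface and adjacency up/down events, as the answer suggests, shows whether a link interruption preceded the retransmissions.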
on 03-22-2022 01:17 PM
Thank you very much for the prompt help and clarification @leonardo Pena Davila
on 03-23-2022 04:28 PM
Hello,
Is this problem periodic? Phase 1 appears to be renegotiating. As Leonardo mentions, it may be because you have communication problems between them; check whether there are link problems.
Regards