IPsec VPN deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 10.126.253.69)


I am having problems with an IPsec VPN tunnel. The VPN is built between a Cisco ISR4331 router and a Cisco ASR1001-X.

I see Phase 1 coming up and then being deleted, with the error "MM_NO_STATE - ACTIVE (Deleted)".

When I run the debug on the ASR1001-X router I find the error below; here are all the debug logs.

Mar 25 21:19:42: ISAKMP: (0):retransmitting phase 1 MM_SA_SETUP...
Mar 25 21:19:42: ISAKMP: (0):peer does not do paranoid keepalives.
Mar 25 21:19:42: ISAKMP-ERROR: (0):deleting SA reason "Death by retransmission P1" state (R) MM_SA_SETUP (peer 10.126.253.69)
Mar 25 21:19:42: ISAKMP-ERROR: (0):deleting SA reason "Death by retransmission P1" state (R) MM_SA_SETUP (peer 10.126.253.69)
Mar 25 21:19:42: ISAKMP: (0):Deleting the unauthenticated sa
Mar 25 21:19:42: ISAKMP: (0):Unlocking peer struct 0x7FC1B38B8498 for isadb_mark_sa_deleted(), count 0
Mar 25 21:19:42: ISAKMP: (0):Deleting the peer struct for unauthenticated sa
Mar 25 21:19:42: ISAKMP: (0):Deleting peer node by peer_reap for 10.126.253.69: 7FC1B38B8498
Mar 25 21:19:42: ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Mar 25 21:19:42: ISAKMP: (0):Old State = IKE_R_MM2 New State = IKE_DEST_SA

Mar 25 21:19:49: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
Mar 25 21:19:49: ISAKMP: (0):: incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Mar 25 21:19:49: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE
Mar 25 21:19:49: ISAKMP-PAK: (0):sending packet to 10.126.253.69 my_port 500 peer_port 500 (I) MM_NO_STATE
Mar 25 21:19:49: ISAKMP: (0):Sending an IKE IPv4 Packet.
Mar 25 21:19:51: ISAKMP-PAK: (0):received packet from 10.126.253.69 dport 500 sport 500 ewan-vpn (R) MM_SA_SETUP
Mar 25 21:19:51: ISAKMP: (0):phase 1 packet is a duplicate of a previous packet.
Mar 25 21:19:51: ISAKMP: (0):retransmitting due to retransmit phase 1
Mar 25 21:19:52: ISAKMP: (0):retransmitting phase 1 MM_SA_SETUP...
Mar 25 21:19:52: ISAKMP: (0):: incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Mar 25 21:19:52: ISAKMP: (0):retransmitting phase 1 MM_SA_SETUP
Mar 25 21:19:52: ISAKMP-PAK: (0):sending packet to 10.126.253.69 my_port 500 peer_port 500 (R) MM_SA_SETUP
Mar 25 21:19:52: ISAKMP: (0):Sending an IKE IPv4 Packet.
Mar 25 21:19:59: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
Mar 25 21:19:59: ISAKMP: (0):: incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
Mar 25 21:19:59: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE
Mar 25 21:19:59: ISAKMP-PAK: (0):sending packet to 10.126.253.69 my_port 500 peer_port 500 (I) MM_NO_STATE
Mar 25 21:19:59: ISAKMP: (0):Sending an IKE IPv4 Packet.
Mar 25 21:20:01: ISAKMP-PAK: (0):received packet from 10.126.253.69 dport 500 sport 500 ewan-vpn (R) MM_SA_SETUP
Mar 25 21:20:01: ISAKMP: (0):phase 1 packet is a duplicate of a previous packet.
Mar 25 21:20:01: ISAKMP: (0):retransmitting due to retransmit phase 1
Mar 25 21:20:02: ISAKMP: (0):retransmitting phase 1 MM_SA_SETUP...
Mar 25 21:20:02: ISAKMP: (0):: incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
Mar 25 21:20:02: ISAKMP: (0):retransmitting phase 1 MM_SA_SETUP
Mar 25 21:20:02: ISAKMP-PAK: (0):sending packet to 10.126.253.69 my_port 500 peer_port 500 (R) MM_SA_SETUP
Mar 25 21:20:02: ISAKMP: (0):Sending an IKE IPv4 Packet.
Mar 25 21:20:09: ISAKMP: (0):set new node 0 to QM_IDLE
Mar 25 21:20:09: ISAKMP-ERROR: (0):SA is still budding. Attached new ipsec request to it. (local 203.13.114.4, remote 10.126.253.69)
Mar 25 21:20:09: ISAKMP-ERROR: (0):Error while processing SA request: Failed to initialize SA
Mar 25 21:20:09: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
Mar 25 21:20:09: ISAKMP: (0):: incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
Mar 25 21:20:09: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE
Mar 25 21:20:09: ISAKMP-PAK: (0):sending packet to 10.126.253.69 my_port 500 peer_port 500 (I) MM_NO_STATE
Mar 25 21:20:09: ISAKMP: (0):Sending an IKE IPv4 Packet.
Mar 25 21:20:11: ISAKMP-PAK: (0):received packet from 10.126.253.69 dport 500 sport 500 ewan-vpn (R) MM_SA_SETUP
Mar 25 21:20:11: ISAKMP: (0):phase 1 packet is a duplicate of a previous packet.
Mar 25 21:20:11: ISAKMP: (0):retransmitting due to retransmit phase 1
Mar 25 21:20:12: ISAKMP: (0):retransmitting phase 1 MM_SA_SETUP...
Mar 25 21:20:12: ISAKMP: (0):: incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
Mar 25 21:20:12: ISAKMP: (0):retransmitting phase 1 MM_SA_SETUP
Mar 25 21:20:12: ISAKMP-PAK: (0):sending packet to 10.126.253.69 my_port 500 peer_port 500 (R) MM_SA_SETUP
Mar 25 21:20:12: ISAKMP: (0):Sending an IKE IPv4 Packet.
Mar 25 21:20:19: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
Mar 25 21:20:19: ISAKMP: (0):: incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
Mar 25 21:20:19: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE
Mar 25 21:20:19: ISAKMP-PAK: (0):sending packet to 10.126.253.69 my_port 500 peer_port 500 (I) MM_NO_STATE
Mar 25 21:20:19: ISAKMP: (0):Sending an IKE IPv4 Packet.
Mar 25 21:20:21: ISAKMP-PAK: (0):received packet from 10.126.253.69 dport 500 sport 500 ewan-vpn (R) MM_SA_SETUP
Mar 25 21:20:21: ISAKMP: (0):phase 1 packet is a duplicate of a previous packet.
Mar 25 21:20:21: ISAKMP: (0):retransmitting due to retransmit phase 1
Mar 25 21:20:22: ISAKMP: (0):retransmitting phase 1 MM_SA_SETUP...
Mar 25 21:20:22: ISAKMP: (0):: incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
Mar 25 21:20:22: ISAKMP: (0):retransmitting phase 1 MM_SA_SETUP
Mar 25 21:20:22: ISAKMP-PAK: (0):sending packet to 10.126.253.69 my_port 500 peer_port 500 (R) MM_SA_SETUP
Mar 25 21:20:22: ISAKMP: (0):Sending an IKE IPv4 Packet.
Mar 25 21:20:28: ISAKMP: (0):purging node 3684507416
Mar 25 21:20:28: ISAKMP: (0):purging node 2547109587
Mar 25 21:20:29: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
Mar 25 21:20:29: ISAKMP: (0):: incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
Mar 25 21:20:29: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE
Mar 25 21:20:29: ISAKMP-PAK: (0):sending packet to 10.126.253.69 my_port 500 peer_port 500 (I) MM_NO_STATE
Mar 25 21:20:29: ISAKMP: (0):Sending an IKE IPv4 Packet.
Mar 25 21:20:31: ISAKMP-PAK: (0):received packet from 10.126.253.69 dport 500 sport 500 ewan-vpn (R) MM_SA_SETUP
Mar 25 21:20:31: ISAKMP: (0):phase 1 packet is a duplicate of a previous packet.
Mar 25 21:20:31: ISAKMP: (0):retransmitting due to retransmit phase 1
Mar 25 21:20:32: ISAKMP: (0):retransmitting phase 1 MM_SA_SETUP...
Mar 25 21:20:32: ISAKMP: (0):: incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
Mar 25 21:20:32: ISAKMP: (0):retransmitting phase 1 MM_SA_SETUP
Mar 25 21:20:32: ISAKMP-PAK: (0):sending packet to 10.126.253.69 my_port 500 peer_port 500 (R) MM_SA_SETUP
Mar 25 21:20:32: ISAKMP: (0):Sending an IKE IPv4 Packet.
Mar 25 21:20:38: ISAKMP: (0):purging SA., sa=7FC1A6B21CD0, delme=7FC1A6B21CD0
Mar 25 21:20:39: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
Mar 25 21:20:39: ISAKMP: (0):peer does not do paranoid keepalives.
Mar 25 21:20:39: ISAKMP-ERROR: (0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 10.126.253.69)
Mar 25 21:20:39: ISAKMP-ERROR: (0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 10.126.253.69)
Mar 25 21:20:39: ISAKMP: (0):Unlocking peer struct 0x7FC1B32B68B0 for isadb_mark_sa_deleted(), count 0
Mar 25 21:20:39: ISAKMP: (0):Deleting peer node by peer_reap for 10.126.253.69: 7FC1B32B68B0
Mar 25 21:20:39: ISAKMP: (0):deleting node 1024521642 error FALSE reason "IKE deleted"
Mar 25 21:20:39: ISAKMP: (0):deleting node 2934222722 error FALSE reason "IKE deleted"
Mar 25 21:20:39: ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Mar 25 21:20:39: ISAKMP: (0):Old State = IKE_I_MM1 New State = IKE_DEST_SA
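Reading the debug above as a defender would: the router is in two roles at once, (I) MM_NO_STATE for the SA it initiated (its MM1 never gets an MM2 back) and (R) MM_SA_SETUP for the peer's own attempt, which it answers with MM2 while the peer keeps resending the same MM1, flagged "duplicate of a previous packet". Five retransmits later both SAs die with "Death by retransmission P1". The Python below is an added example for this edit, not code from the original post; it parses exactly those message formats over a constructed excerpt of the log (trimmed to one cycle plus the final deletion), reports where each SA died and which main-mode message it was still waiting for, and flags the signature where every retransmit is burned while the only inbound packets are duplicates, which is what one-way loss of UDP/500 looks like from one side.

```python
import re
from collections import Counter

# Constructed excerpt of the ASR1001-X debug posted above, trimmed to one
# retransmit cycle and the final deletion; the message formats are unchanged.
SAMPLE_DEBUG = """\
Mar 25 21:19:49: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
Mar 25 21:19:49: ISAKMP: (0):: incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Mar 25 21:19:49: ISAKMP-PAK: (0):sending packet to 10.126.253.69 my_port 500 peer_port 500 (I) MM_NO_STATE
Mar 25 21:19:51: ISAKMP-PAK: (0):received packet from 10.126.253.69 dport 500 sport 500 ewan-vpn (R) MM_SA_SETUP
Mar 25 21:19:51: ISAKMP: (0):phase 1 packet is a duplicate of a previous packet.
Mar 25 21:19:52: ISAKMP: (0):: incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Mar 25 21:19:52: ISAKMP-PAK: (0):sending packet to 10.126.253.69 my_port 500 peer_port 500 (R) MM_SA_SETUP
Mar 25 21:20:29: ISAKMP: (0):: incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
Mar 25 21:20:39: ISAKMP-ERROR: (0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 10.126.253.69)
Mar 25 21:20:39: ISAKMP: (0):Old State = IKE_I_MM1 New State = IKE_DEST_SA
"""

DELETE_RE = re.compile(r'deleting SA reason "(?P<reason>[^"]+)" state '
                       r'\((?P<role>[IR])\) (?P<state>\w+) \(peer (?P<peer>[\d.]+)\)')
ATTEMPT_RE = re.compile(r'attempt (?P<n>\d+) of (?P<limit>\d+): retransmit phase 1')
SENT_RE = re.compile(r'sending packet to (?P<peer>[\d.]+) .*\((?P<role>[IR])\) (?P<state>\w+)')
RECV_RE = re.compile(r'received packet from (?P<peer>[\d.]+) .*\((?P<role>[IR])\) (?P<state>\w+)')
DUP_RE = re.compile(r'phase 1 packet is a duplicate')

# Main-mode message a router in each (role, state) is still waiting for.
WAITING_FOR = {
    ("I", "MM_NO_STATE"): "MM2: the peer never answered our MM1 proposal",
    ("R", "MM_SA_SETUP"): "MM3: the peer never acted on the MM2 we sent",
    ("I", "MM_SA_SETUP"): "MM4: key-exchange reply from the peer",
    ("R", "MM_KEY_EXCH"): "MM5: the peer's identity/authentication",
    ("I", "MM_KEY_EXCH"): "MM6: the peer's identity/authentication",
}


def analyze_isakmp_debug(text):
    """Summarise an ISAKMP phase-1 debug: what we sent, what arrived, how many
    retransmits were burned and where each SA died. Returns a dict."""
    sent, received = Counter(), Counter()
    duplicates = max_attempt = limit = 0
    deletions = []
    for line in text.splitlines():
        if m := SENT_RE.search(line):
            sent[(m["role"], m["state"])] += 1
        elif m := RECV_RE.search(line):
            received[(m["role"], m["state"])] += 1
        elif DUP_RE.search(line):
            duplicates += 1
        elif m := ATTEMPT_RE.search(line):
            max_attempt, limit = max(max_attempt, int(m["n"])), int(m["limit"])
        elif m := DELETE_RE.search(line):
            d = m.groupdict()
            d["waiting_for"] = WAITING_FOR.get((d["role"], d["state"]), "unknown state")
            deletions.append(d)
    total_in = sum(received.values())
    # One-way UDP/500 loss (or a peer discarding our replies) looks like this
    # from one side: every retransmit is burned, yet the only packets that do
    # arrive are repeats of something already processed.
    peer_not_seeing_us = (limit > 0 and max_attempt >= limit
                          and total_in > 0 and duplicates == total_in)
    return {"sent": dict(sent), "received": dict(received), "duplicates": duplicates,
            "max_attempt": max_attempt, "attempt_limit": limit,
            "deletions": deletions, "peer_not_seeing_us": peer_not_seeing_us}


if __name__ == "__main__":
    report = analyze_isakmp_debug(SAMPLE_DEBUG)
    for d in report["deletions"]:
        print(f'{d["peer"]}: {d["reason"]} as ({d["role"]}) {d["state"]} -> waiting for {d["waiting_for"]}')
    print("retransmits burned:", report["max_attempt"], "of", report["attempt_limit"])
    print("peer apparently not seeing our packets:", report["peer_not_seeing_us"])
```

Run against the full log rather than the excerpt, the counters show both roles at once; the useful output is the (role, state) at deletion, because that names the message that never arrived and so tells you which direction of the path to look at first.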

2 ACCEPTED SOLUTIONS

Hi Sachin,

On the ###ISP router side you have a configuration mismatch:
you have
  interface Loopback52
however
  interface Tunnel2045011
  tunnel source Loop52
You need to change it to
  tunnel source Loopback52

What I noticed coming in is that the ASA's management interface is not commonly used, simply because you can manage the ASA using the inside interface; for a further review c.f. this article. The reason you probably cannot reach the management interface is the absence of a route:

6 REPLIES

Check your side and the remote end to see whether the PFS group values match.

Hi Sheraz, thanks for replying to my post.

I checked both end configurations. No problem was found. Please find below the ISP and remote-end configs.

 

###ISP router

!
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 5
lifetime 3600
crypto keyring ewan-vpn vrf ewan-vpn
pre-shared-key address 10.126.253.69 key XXXXXXXXXX
!
crypto ipsec transform-set ts-extranet-vti esp-aes 256 esp-sha-hmac
mode tunnel
!
!
crypto ipsec profile ipsec-extranet
set transform-set ts-extranet-vti
set reverse-route distance 255
!
interface Loopback52
description Loopback for ewan-vpn VRF
ip vrf forwarding ewan-vpn
ip address 203.13.114.4 255.255.255.255
!
interface Tunnel2045011
description IPSEC Tunnel to Mobileum Bangalore Tu2071
ip unnumbered Loop56
ip virtual-reassembly
ip tcp adjust-mss 1387
tunnel source Loop52
tunnel mode ipsec ipv4
tunnel destination 10.126.253.69
tunnel vrf ewan-vpn
ip vrf forwarding vti-semitrusted
tunnel protection ipsec profile ipsec-extranet
service-policy output shape-5mbps-mobileum
!

------------------------------------------------------------------------------------------


###Remote end router

crypto isakmp policy 10
encryption aes 256
authentication pre-share
group 5
lifetime 3600
crypto isakmp key XXXXXXXXXX address 203.13.114.4
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set optus-ts esp-aes 256 esp-sha-hmac
mode tunnel
!
!
crypto ipsec profile optus-ipsec
set transform-set optus-ts

interface Loopback0
description Loopback for data and bgp peer
ip address 10.240.176.238 255.255.255.255
!
interface Loopback65100
description Optus VTI tunnel termination loopback
ip address 10.126.253.69 255.255.255.255
!
interface Tunnel2031
description IPSEC Tunnel to CHOC EO2KYGZAT01 Tu3010011
ip unnumbered GigabitEthernet0/0/1
ip tcp adjust-mss 1387
tunnel source Loopback65100
tunnel mode ipsec ipv4
tunnel destination 203.13.114.4
tunnel protection ipsec profile optus-ipsec
ip virtual-reassembly
!
interface GigabitEthernet0/0/0
ip address 115.31.251.254 255.255.255.252
negotiation auto
!
interface GigabitEthernet0/0/1
ip address 10.10.16.2 255.255.248.0
negotiation auto
!

ip tftp source-interface GigabitEthernet0
ip route 0.0.0.0 0.0.0.0 115.31.251.253
ip route 0.0.0.0 0.0.0.0 Tunnel2031 name default-to-optus_via_tunnel2031
ip route 10.10.16.0 255.255.248.0 10.10.16.13
ip route 10.10.24.0 255.255.248.0 10.10.16.13
ip route 203.13.114.4 255.255.255.255 115.31.251.253 name EO2KYGZAT01-loop52
!
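Before blaming the network for a phase-1 retransmit death, the two configurations should be cross-checked against each other. The Python below is an added example written for this edit, not code from the thread or a Cisco tool. It parses both flattened excerpts above (trimmed to the ISAKMP, IPsec and VTI lines; the keys are the post's XXXXXXXXXX placeholders), flags `tunnel source` and `ip unnumbered` references that do not exactly name a defined interface while expanding IOS abbreviations to show which one was meant, and confirms that the ISAKMP policies, transform-set proposals, tunnel endpoints and pre-shared-key bindings mirror each other. On the posted excerpts it reports the `Loop52` abbreviation of `Loopback52` on Tunnel2045011 and also `ip unnumbered Loop56`, for which no interface appears in the excerpt; everything else matches.

```python
import re

# The two configurations posted above, trimmed to their ISAKMP, IPsec and VTI lines.
ISP_CONFIG = """
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 5
lifetime 3600
crypto keyring ewan-vpn vrf ewan-vpn
pre-shared-key address 10.126.253.69 key XXXXXXXXXX
crypto ipsec transform-set ts-extranet-vti esp-aes 256 esp-sha-hmac
interface Loopback52
ip address 203.13.114.4 255.255.255.255
interface Tunnel2045011
ip unnumbered Loop56
tunnel source Loop52
tunnel destination 10.126.253.69
"""
REMOTE_CONFIG = """
crypto isakmp policy 10
encryption aes 256
authentication pre-share
group 5
lifetime 3600
crypto isakmp key XXXXXXXXXX address 203.13.114.4
crypto ipsec transform-set optus-ts esp-aes 256 esp-sha-hmac
interface Loopback65100
ip address 10.126.253.69 255.255.255.255
interface Tunnel2031
tunnel source Loopback65100
tunnel destination 203.13.114.4
"""
TOP_LEVEL = ("interface ", "crypto ", "ip route ", "router ")
HEADERS = (("interfaces", r"interface (\S+)"), ("policies", r"crypto isakmp policy (\d+)"),
           ("transform_sets", r"crypto ipsec transform-set (\S+)"))

def parse_ios(text):
    """Flattened show-run excerpt -> interfaces, ISAKMP policies, transform sets, PSK peers."""
    cfg = {"interfaces": {}, "policies": {}, "transform_sets": {}, "psk_peers": set()}
    block = None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("!"):
            continue
        if m := re.match(r"(?:crypto isakmp key \S+|pre-shared-key) address ([\d.]+)", line):
            cfg["psk_peers"].add(m[1])  # global key or keyring entry: same peer binding
        elif line.startswith(TOP_LEVEL):  # any top-level command closes the open block
            block = None
            for table, pattern in HEADERS:
                if m := re.match(pattern, line):
                    block = cfg[table].setdefault(m[1], {})
            if line.startswith("crypto ipsec transform-set"):
                block["transforms"] = tuple(line.split()[4:])  # proposal after the set name
        elif block is not None:  # sub-command; 'tunnel'/'ip' commands take a two-word key
            words = line.split()
            n = 2 if words[0] in ("tunnel", "ip") else 1
            # IOS prints 'encr' and 'encryption' interchangeably; normalise before comparing
            block[{"encr": "encryption"}.get(words[0], " ".join(words[:n]))] = " ".join(words[n:])
    return cfg

def resolve_interface(ref, defined):
    """(canonical name, exact?) for a reference; canonical is None when nothing matches."""
    if ref in defined:
        return ref, True
    kind, num = re.match(r"([A-Za-z-]*)(.*)", ref).groups()
    for name in defined:  # expand an IOS abbreviation such as Loop52 or Gi0/0/1
        dkind, dnum = re.match(r"([A-Za-z-]*)(.*)", name).groups()
        if kind and dkind.lower().startswith(kind.lower()) and dnum == num:
            return name, False
    return None, False

def tunnel_endpoint(cfg):
    """(source address, destination address) of the first VTI in the excerpt."""
    for iface in cfg["interfaces"].values():
        if "tunnel destination" in iface:
            src, _ = resolve_interface(iface.get("tunnel source", ""), cfg["interfaces"])
            addr = cfg["interfaces"][src].get("ip address", "").split() if src else []
            return (addr[0] if addr else None), iface["tunnel destination"]
    return None, None

def check_pair(local_text, remote_text):
    local, remote = parse_ios(local_text), parse_ios(remote_text)
    findings = []
    for side, cfg in (("local", local), ("remote", remote)):
        for name, iface in cfg["interfaces"].items():
            for key in (k for k in ("tunnel source", "ip unnumbered") if k in iface):
                canon, exact = resolve_interface(iface[key], cfg["interfaces"])
                if canon is None:
                    findings.append(f"{side} {name}: '{key} {iface[key]}' matches no interface in the excerpt")
                elif not exact:
                    findings.append(f"{side} {name}: '{key} {iface[key]}' abbreviates {canon}; use the full name")
    (l_src, l_dst), (r_src, r_dst) = tunnel_endpoint(local), tunnel_endpoint(remote)
    proposals = [{t["transforms"] for t in c["transform_sets"].values()} for c in (local, remote)]
    return {
        "findings": findings,
        # phase 1: a policy on each side must be identical (encryption, auth, group, lifetime)
        "isakmp_match": any(p == q for p in local["policies"].values() for q in remote["policies"].values()),
        "transform_match": bool(proposals[0] & proposals[1]),  # phase 2: a proposal in common
        # endpoints mirror each other and each side holds a key for the other's address
        "peers_consistent": (l_src, l_dst) == (r_dst, r_src)
        and r_src in local["psk_peers"] and l_src in remote["psk_peers"],
    }
```

`check_pair(ISP_CONFIG, REMOTE_CONFIG)` returns the two interface findings with all three match flags true, which is the expected picture here: the proposals agree, so the remaining suspects are the interface references and the path itself.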

Hi SachinAhire9605,

Sorry for the late reply. Looking at your configuration and debug, I noted that we only see "MM_SA_SETUP", which means "the peers have agreed on the parameters for the ISAKMP SA"; however, we do not see any other ISAKMP parameters. It would appear that UDP 500 is being dropped unidirectionally in the path from this router to the remote peer. Could you also run the debug at the remote site and check what you see at the other end.

Could you please show the output of "show crypto isakmp sa detail" from both sides, and could you also enable a packet capture on the routers at one or both ends.

! Named extended ACL; match both directions so the capture holds the full IKE exchange
ip access-list extended CAP-ACL
 permit ip host x.x.x.x host y.y.y.y
 permit ip host y.y.y.y host x.x.x.x
!
monitor capture mycap access-list CAP-ACL
monitor capture mycap limit duration 1000
monitor capture mycap interface Loopback52 both
monitor capture mycap buffer circular size 100
monitor capture mycap start
! reproduce the tunnel attempt, then stop before exporting the buffer
monitor capture mycap stop
monitor capture mycap export tftp://192.168.x.x/mycap.pcap


iandaniel084 (Level 1)
debug crypto isakmp
Crypto ISAKMP debugging is on
!
Feb 17 10:58:20.066: ISAKMP (0:1): SA uses identity type ID_IPV4_ADDR, RSA encryption authentication
!
Feb 17 10:58:20.554: %CRYPTO-6-IKMP_CRYPT_FAILURE: IKE (connection id 1) unable to decrypt (w/RSA private key) packet
!
Feb 17 10:58:41.706: ISAKMP (0:1): retransmitting phase 1 MM_SA_SETUP...
Feb 17 10:58:41.706: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1
!
Feb 17 10:59:19.918: ISAKMP (0:1): deleting SA reason "gen_IPsec_isakmp_delete but doi isakmp" state (I) MM_SA_SETUP (peer 200.0.0.2) input queue 0
Feb 17 10:59:19.918: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Feb 17 10:59:19.918: ISAKMP (0:1): Old State = IKE_I_MM3 New State = IKE_DEST_SA

debug crypto isakmp
Crypto ISAKMP debugging is on
!
Feb 17 10:01:10.930: ISAKMP: (0:1:SW:1): SA uses identity type ID_IPV4_ADDR, RSA encryption authentication
!
Feb 17 10:01:21.658: ISAKMP: (0:1:SW:1): retransmitting phase 1 MM_KEY_EXCH...
Feb 17 10:01:21.658: ISAKMP: (0:1:SW:1): sending packet to 200.1.1.1 my_port 500 peer_port 500 (R) MM_KEY_EXCH
!
Feb 17 10:01:55.466: ISAKMP: quick mode timer expired.
Feb 17 10:01:55.466: ISAKMP: (0:1:SW:1): src 200.0.0.1 dst 200.0.0.2, SA is not authenticated
Feb 17 10:01:55.466: ISAKMP: (0:1:SW:1): peer does not do paranoid keepalives.
!
Feb 17 10:01:55.466: ISAKMP: (0:1:SW:1): deleting SA reason "QM_TIMER expired" state (R) MM_KEY_EXCH (peer 200.1.1.1)
Feb 17 10:01:55.466: ISAKMP: (0:1:SW:1): deleting SA reason "QM_TIMER expired" state (R) MM_KEY_EXCH (peer 200.1.1.1)
Feb 17 10:01:55.466: ISAKMP: Unlocking IKE struct 0x65C405A8 for isadb_mark_sa_deleted(), count 0
Feb 17 10:01:55.466: ISAKMP: Deleting peer node by peer_reap for 200.1.1.1: 65C405A8
Feb 17 10:01:55.466: ISAKMP: (0:1:SW:1): Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Feb 17 10:01:55.466: ISAKMP: (0:1:SW:1): Old State = IKE_R_MM4 New State = IKE_DEST_SA