02-19-2009 01:39 AM - edited 03-11-2019 07:53 AM
Hi,
My IPsec VPN tunnel between two PIXes has gone down, and after trying
the normal reboots I attached a syslog to one end and got an IPsec
ISAKMP phase 1 retransmit message.
Cisco doesn't really explain the causes of this.
Does anyone have any ideas what this means, or the causes?
I have attached both configs.
Thanks
Alex
02-19-2009 01:44 AM
try "debug crypto isakmp"
then post the output
02-20-2009 10:22 PM
Were you able to get the VPNs back up?
02-21-2009 05:39 AM
02-21-2009 06:30 AM
Check the following:-
1) You have the same IKE config at both sites.
2) You have configured the correct IP address for the remote peer on both sites.
The capture log indicates you are not negotiating IKE correctly, either due to hash/encryption mismatch or incorrect peer IP address or both.
HTH>
02-24-2009 03:35 AM
Hi, I have checked the above with no luck. Could a NAT/router problem cause that output?
Also, what does this line mean?
crypto_isakmp_process_block:src:81.129.167.199, dest: a.a.a.a spt:50996 dpt:500
Many Thanks
Alex
02-24-2009 03:42 AM
It is possible if you are not directly connecting to the internet, and there is a NAT device in between.
It says that it is blocking an ISAKMP packet from 81.129.167.199 to a.a.a.a
02-26-2009 03:47 AM
Thanks, I think the actual configs are OK, so I'm going to try swapping the router.
02-27-2009 01:47 AM
Hi, changed the router over and now receive this error:
ISAKMP (0): speaking to another IOS box!
ISAKMP (0:0): Detected NAT-D payload
ISAKMP (0:0): NAT does not match MINE
ISAKMP (0:0): Detected NAT-D payload
ISAKMP (0:0): NAT does not match HIS hash
Alex
02-27-2009 07:40 AM
That is not good - you need to do the below:-
1) Check your config
2) Check your config
I say it twice as about 99% of network related issues are configuration based.
HTH>
03-05-2009 05:31 AM
Thanks for all your help.
The issue was that the remote border router, although its config said it was not doing any NAT, actually was. As soon as the router was swapped out the tunnel came back up.
Alex
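The NAT-D comparison behind the "Detected NAT-D payload" / "NAT does not match" debug lines in this thread, as an added example that is not part of any post and is not Cisco's code. It follows the hash defined in RFC 3947 (a PIX of this era may implement an earlier draft of the same mechanism, which is an assumption); the cookies and all addresses are constructed, and only the translated source port 50996 is taken from the log line quoted above.

```python
import hashlib
import ipaddress
import struct

# Constructed sample values (not from the thread's devices).
CKY_I = bytes.fromhex("0102030405060708")   # initiator cookie
CKY_R = bytes.fromhex("1112131415161718")   # responder cookie
INITIATOR = ("192.0.2.10", 500)             # address the initiator believes it has
RESPONDER = ("198.51.100.20", 500)
NAT_OUTSIDE = ("203.0.113.5", 50996)        # what a PAT device rewrites the source to


def nat_d_hash(cky_i, cky_r, ip, port, algo="sha1"):
    """RFC 3947 section 3.2: HASH(CKY-I | CKY-R | IP | Port), negotiated hash."""
    if len(cky_i) != 8 or len(cky_r) != 8:
        raise ValueError("ISAKMP cookies are 8 bytes each")
    data = cky_i + cky_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.new(algo, data).digest()


def build_nat_d(cky_i, cky_r, src, dst, algo="sha1"):
    """Sender side: first NAT-D payload covers the destination, the next the source."""
    return (nat_d_hash(cky_i, cky_r, *dst, algo=algo),
            nat_d_hash(cky_i, cky_r, *src, algo=algo))


def check_nat_d(cky_i, cky_r, payloads, seen_src, seen_dst, algo="sha1"):
    """Receiver side: recompute both hashes from the IP/UDP header actually received."""
    dst_hash, src_hash = payloads
    return {
        # Destination hash differs: the receiver's own address was translated.
        "local_translated": dst_hash != nat_d_hash(cky_i, cky_r, *seen_dst, algo=algo),
        # Source hash differs: the sender's address or port was translated.
        "peer_translated": src_hash != nat_d_hash(cky_i, cky_r, *seen_src, algo=algo),
    }


def demo():
    payloads = build_nat_d(CKY_I, CKY_R, INITIATOR, RESPONDER)
    direct = check_nat_d(CKY_I, CKY_R, payloads, INITIATOR, RESPONDER)
    via_nat = check_nat_d(CKY_I, CKY_R, payloads, NAT_OUTSIDE, RESPONDER)
    return direct, via_nat


if __name__ == "__main__":
    for label, result in zip(("direct path", "NAT in path"), demo()):
        print(label, result)
```

A mismatch is how IKE detects translation in the path, so seeing it when neither border device is supposed to translate points at the path rather than the crypto policy, which matches how this thread was resolved.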
03-05-2009 05:34 AM
np - glad to help.