10-14-2010 03:05 AM - edited 03-01-2019 04:34 PM
Hi
I have an issue: it seems the peers have done the first exchange in aggressive mode, but the SA is not
authenticated. What could cause the SA to not authenticate?
I haven't access to the remote end, only to the CPE router, which is a Cisco 871 using the IOS version c870-adventerprisek9-mz.124-6.t.bin.
My tunnel is actually showing up down; I believe it's because my IPsec ISAKMP is not showing QM_IDLE? Am I right?
I captured some debugs from the CPE router, but as I cannot access the remote end, my troubleshooting is based only on the CPE.
RouterH#sh crypto isakmp sa deta
Codes: C - IKE configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal
X - IKE Extended Authentication
psk - Preshared key, rsig - RSA signature
renc - RSA encryption
IPv4 Crypto ISAKMP SA
C-id Local Remote I-VRF Status Encr Hash Auth DH Lifetime Cap.
0 192.168.8.9 210.10.9.109 ACTIVE psk 2 0
Engine-id:Conn-id = ???
RouterH#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
210.10.9.109 192.168.8.9 AG_INIT_EXCH 0 0 ACTIVE
AG_INIT_EXCH
RouterH#sh crypto sessio
Crypto session current status
Interface: FastEthernet4
Session status: DOWN-NEGOTIATING
Peer: 210.10.9.109 port 500
IKE SA: local 192.168.8.9/500 remote 210.10.9.109/500 Inactive
IKE SA: local 192.168.8.9/500 remote 210.10.9.109/500 Inactive
IPSEC FLOW: deny ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
Active SAs: 0, origin: crypto map
IPSEC FLOW: permit 47 host 87.85.32.5 host 87.85.32.6
Active SAs: 0, origin: crypto map
RouterH#
*Oct 14 09:30:57.615 UTC: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local 192.168.8.9, remote 210.10.9.109)
*Oct 14 09:30:57.615 UTC: ISAKMP: Error while processing SA request: Failed to initialize SA
*Oct 14 09:30:57.615 UTC: ISAKMP: Error while processing KMI message 0, error 2.
RouterH#
router#
*Oct 14 09:44:57.393 UTC: ISAKMP:(0): SA request profile is (NULL)
*Oct 14 09:44:57.393 UTC: ISAKMP: Created a peer struct for 210.10.9.109, peer port 500
*Oct 14 09:44:57.393 UTC: ISAKMP: New peer created peer = 0x83404108 peer_handle = 0x8000001D
*Oct 14 09:44:57.393 UTC: ISAKMP: Locking peer struct 0x83404108, refcount 1 for isakmp_initiator
*Oct 14 09:44:57.393 UTC: ISAKMP: local port 500, remote port 500
*Oct 14 09:44:57.393 UTC: ISAKMP: set new node 0 to QM_IDLE
*Oct 14 09:44:57.393 UTC: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 842679FC
*Oct 14 09:44:57.393 UTC: ISAKMP:(0):SA has tunnel attributes set.
*Oct 14 09:44:57.393 UTC: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Oct 14 09:44:57.393 UTC: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Oct 14 09:44:57.393 UTC: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Oct 14 09:44:57.397 UTC: ISAKMP:(0):SA is doing pre-shared key authentication using id type ID_USER_FQDN
*Oct 14 09:44:57.397 UTC: ISAKMP (0:0): ID payload
next-payload : 13
type : 3
USER FQDN : 212407650-E01
protocol : 17
port : 0
length : 21
*Oct 14 09:44:57.397 UTC: ISAKMP:(0):Total payload length: 21
*Oct 14 09:44:57.397 UTC: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_AM
router#
*Oct 14 09:44:57.397 UTC: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_AM1
*Oct 14 09:44:57.397 UTC: ISAKMP:(0): beginning Aggressive Mode exchange
*Oct 14 09:44:57.397 UTC: ISAKMP:(0): sending packet to 210.10.9.109 my_port 500 peer_port 500 (I) AG_INIT_EXCH
router#
*Oct 14 09:45:07.394 UTC: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH...
*Oct 14 09:45:07.394 UTC: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Oct 14 09:45:07.394 UTC: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH
*Oct 14 09:45:07.394 UTC: ISAKMP:(0): sending packet to 210.10.9.109 my_port 500 peer_port 500 (I) AG_INIT_EXCH
router#
*Oct 14 09:45:17.392 UTC: ISAKMP:(0):purging node 622331625
*Oct 14 09:45:17.392 UTC: ISAKMP:(0):purging node -886217408
*Oct 14 09:45:17.392 UTC: ISAKMP:(0):purging node -365032318
*Oct 14 09:45:17.392 UTC: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH...
*Oct 14 09:45:17.392 UTC: ISAKMP (0:0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Oct 14 09:45:17.392 UTC: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH
*Oct 14 09:45:17.392 UTC: ISAKMP:(0): sending packet to 210.10.9.109 my_port 500 peer_port 500 (I) AG_INIT_EXCH
router#
*Oct 14 09:45:27.385 UTC: ISAKMP: set new node 0 to QM_IDLE
*Oct 14 09:45:27.385 UTC: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local 192.168.8.9, remote 210.10.9.109)
*Oct 14 09:45:27.385 UTC: ISAKMP: Error while processing SA request: Failed to initialize SA
*Oct 14 09:45:27.385 UTC: ISAKMP: Error while processing KMI message 0, error 2.
*Oct 14 09:45:27.405 UTC: ISAKMP:(0):purging SA., sa=83D7F888, delme=83D7F888
*Oct 14 09:45:27.405 UTC: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH...
*Oct 14 09:45:27.405 UTC: ISAKMP (0:0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
router#
*Oct 14 09:45:27.405 UTC: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH
*Oct 14 09:45:27.405 UTC: ISAKMP:(0): sending packet to 210.10.9.109 my_port 500 peer_port 500 (I) AG_INIT_EXCH
router#
*Oct 14 09:45:37.402 UTC: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH...
*Oct 14 09:45:37.402 UTC: ISAKMP (0:0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
*Oct 14 09:45:37.402 UTC: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH
*Oct 14 09:45:37.402 UTC: ISAKMP:(0): sending packet to 210.10.9.109 my_port 500 peer_port 500 (I) AG_INIT_EXCH
router#
*Oct 14 09:45:47.400 UTC: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH...
*Oct 14 09:45:47.400 UTC: ISAKMP (0:0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
*Oct 14 09:45:47.400 UTC: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH
*Oct 14 09:45:47.400 UTC: ISAKMP:(0): sending packet to 210.10.9.109 my_port 500 peer_port 500 (I) AG_INIT_EXCH
router#
*Oct 14 09:45:57.377 UTC: ISAKMP: set new node 0 to QM_IDLE
*Oct 14 09:45:57.377 UTC: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local 192.168.8.9, remote 210.10.9.109)
*Oct 14 09:45:57.377 UTC: ISAKMP: Error while processing SA request: Failed to initialize SA
*Oct 14 09:45:57.377 UTC: ISAKMP: Error while processing KMI message 0, error 2.
*Oct 14 09:45:57.397 UTC: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH...
*Oct 14 09:45:57.397 UTC: ISAKMP:(0):peer does not do paranoid keepalives.
*Oct 14 09:45:57.397 UTC: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) AG_INIT_EXCH (peer 210.10.9.109)
*Oct 14 09:45:57.397 UTC: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) AG_INIT_EXCH (peer 210.10.9.109)
*Oct 14 09:45:57.397 UTC: ISAKMP: Unlocking peer struct 0x83404108 for isadb_mark_sa_deleted(), count 0
*Oct 14 09:45:57.397 UTC: ISAKMP: Deleting peer node by peer_reap for 210.10.9.109: 83404108
*Oct 14 09:45:57.397 UTC: ISAKMP:(0):deleting node -1189368726 error FALSE reason "IKE deleted"
*Oct 14 09:45:57.397 UTC: ISAKMP:(0):deleting node -771908059 error FALSE reason "IKE deleted"
*Oct 14 09:45:57.397 UTC: ISAKMP:(0):deleting node 397073023 error FALSE reason "IKE deleted"
router#
*Oct 14 09:45:57.397 UTC: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Oct 14 09:45:57.397 UTC: ISAKMP:(0):Old State = IKE_I_AM1 New State = IKE_DEST_SA
router#
*Oct 14 09:46:27.369 UTC: ISAKMP:(0): SA request profile is (NULL)
*Oct 14 09:46:27.369 UTC: ISAKMP: Created a peer struct for 210.10.9.109, peer port 500
*Oct 14 09:46:27.369 UTC: ISAKMP: New peer created peer = 0x83404108 peer_handle = 0x8000001F
*Oct 14 09:46:27.369 UTC: ISAKMP: Locking peer struct 0x83404108, refcount 1 for isakmp_initiator
*Oct 14 09:46:27.369 UTC: ISAKMP: local port 500, remote port 500
*Oct 14 09:46:27.369 UTC: ISAKMP: set new node 0 to QM_IDLE
*Oct 14 09:46:27.369 UTC: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 83D80AB0
*Oct 14 09:46:27.369 UTC: ISAKMP:(0):SA has tunnel attributes set.
*Oct 14 09:46:27.369 UTC: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Oct 14 09:46:27.369 UTC: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Oct 14 09:46:27.369 UTC: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Oct 14 09:46:27.369 UTC: ISAKMP:(0):SA is doing pre-shared key authentication using id type ID_USER_FQDN
*Oct 14 09:46:27.369 UTC: ISAKMP (0:0): ID payload
Thanks in advance for your help
Mel
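As an added example (not part of the original post or of IOS), here is a small Python helper that reads ISAKMP debug output of the kind pasted above and summarises the phase 1 outcome: packets sent and received per peer, the highest retransmit attempt, and whether the SA was torn down by "Death by retransmission P1". The sample lines are a constructed, trimmed copy of the post's debug; the "received packet from" format is assumed to be the usual IOS one, since no such line appears in the post.

```python
import re
from collections import Counter

# Constructed sample: trimmed copy of the post's ISAKMP debug (IOS 12.4,
# aggressive-mode initiator, no reply from the peer).
SAMPLE_DEBUG = """\
*Oct 14 09:44:57.397 UTC: ISAKMP:(0):SA is doing pre-shared key authentication using id type ID_USER_FQDN
*Oct 14 09:44:57.397 UTC: ISAKMP:(0): beginning Aggressive Mode exchange
*Oct 14 09:44:57.397 UTC: ISAKMP:(0): sending packet to 210.10.9.109 my_port 500 peer_port 500 (I) AG_INIT_EXCH
*Oct 14 09:45:07.394 UTC: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Oct 14 09:45:07.394 UTC: ISAKMP:(0): sending packet to 210.10.9.109 my_port 500 peer_port 500 (I) AG_INIT_EXCH
*Oct 14 09:45:47.400 UTC: ISAKMP (0:0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
*Oct 14 09:45:57.397 UTC: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) AG_INIT_EXCH (peer 210.10.9.109)
"""

SENT_RE = re.compile(r"sending packet to (\S+) .*\((I|R)\) (\w+)")
# Assumed IOS format for an inbound packet; the post never shows one.
RECV_RE = re.compile(r"received packet from (\S+) .*\((I|R)\) (\w+)")
RETRY_RE = re.compile(r"attempt (\d+) of (\d+): retransmit phase (\d)")
DEATH_RE = re.compile(r'deleting SA reason "Death by retransmission P1"')

def analyse_phase1(debug_text):
    """Summarise an IOS ISAKMP debug capture as a dict of findings."""
    sent, received = Counter(), Counter()
    max_attempt, limit, death, exchange = 0, None, False, None
    for line in debug_text.splitlines():
        if m := SENT_RE.search(line):
            sent[m.group(1)] += 1
            exchange = m.group(3)  # AG_INIT_EXCH (aggressive) or MM_* (main mode)
        elif m := RECV_RE.search(line):
            received[m.group(1)] += 1
        elif m := RETRY_RE.search(line):
            max_attempt = max(max_attempt, int(m.group(1)))
            limit = int(m.group(2))
        elif DEATH_RE.search(line):
            death = True
    peer = next(iter(sent), None)
    # Zero inbound packets plus a retransmission death means phase 1 never
    # reached authentication: the peer's reply never arrived at this router.
    if peer is None:
        verdict = "no IKE activity"
    elif received[peer] == 0 and death:
        verdict = "no response from peer"
    else:
        verdict = "peer responded; inspect the exchange"
    return {"peer": peer, "exchange": exchange,
            "sent": sent[peer] if peer else 0,
            "received": received[peer] if peer else 0,
            "max_attempt": max_attempt, "retransmit_limit": limit,
            "phase1_died": death, "verdict": verdict}
```

Run against the post's debug, the verdict is "no response from peer", which is a different problem from a mismatched pre-shared key or ID (those produce a reply and a later failure).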