IPsec up but no data transfer

dees
Level 1

Hi All,

IPsec is up but I cannot see any data inside the tunnel. Any help will be greatly appreciated.

Jun 30 15:36:39.446: ISAKMP (2014): received packet from 80.127.1.2 dport 500 sport 500 Global (R) MM_KEY_EXCH
Jun 30 15:36:39.446: ISAKMP:(2014):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jun 30 15:36:39.446: ISAKMP:(2014):Old State = IKE_R_MM4 New State = IKE_R_MM5

Jun 30 15:36:39.450: ISAKMP:(2014): processing ID payload. message ID = 0
Jun 30 15:36:39.450: ISAKMP (2014): ID payload
next-payload : 8
type : 1
address : 80.127.1.2
protocol : 0
port : 0
length : 12
Jun 30 15:36:39.450: ISAKMP:(0):: peer matches *none* of the profiles
Jun 30 15:36:39.450: ISAKMP:(2014): processing HASH payload. message ID = 0
Jun 30 15:36:39.450: ISAKMP:(2014): processing NOTIFY INITIAL_CONTACT protocol 1
spi 0, message ID = 0, sa = 0x884B0A40
Jun 30 15:36:39.450: ISAKMP:(2014):SA authentication status:
authenticated
Jun 30 15:36:39.450: ISAKMP:(2014):SA has been authenticated with 80.127.1.2
Jun 30 15:36:39.450: ISAKMP:(2014):SA authentication status:
authenticated
Jun 30 15:36:39.450: ISAKMP:(2014): Process initial contact,
bring down existing phase 1 and 2 SA's with local 5.127.247.3 remote 80.127.1.2 remote port 500
Jun 30 15:36:39.450: ISAKMP: Trying to insert a peer 5.127.247.3/80.127.1.2/500/, and inserted successfully 8A2F4EE0.
Jun 30 15:36:39.450: ISAKMP:(2014):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Jun 30 15:36:39.450: ISAKMP:(2014):Old State = IKE_R_MM5 New State = IKE_R_MM5

Jun 30 15:36:39.450: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Jun 30 15:36:39.450: ISAKMP:(2014):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
Jun 30 15:36:39.450: ISAKMP (2014): ID payload
next-payload : 8
type : 1
address : 5.127.247.3
protocol : 17
port : 500
length : 12
Jun 30 15:36:39.450: ISAKMP:(2014):Total payload length: 12
Jun 30 15:36:39.450: ISAKMP:(2014): sending packet to 80.127.1.2 my_port 500 peer_port 500 (R) MM_KEY_EXCH
Jun 30 15:36:39.450: ISAKMP:(2014):Sending an IKE IPv4 Packet.
Jun 30 15:36:39.454: ISAKMP:(2014):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Jun 30 15:36:39.454: ISAKMP:(2014):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE

Jun 30 15:36:39.454: ISAKMP:(2014):IKE_DPD is enabled, initializing timers
Jun 30 15:36:39.454: ISAKMP:(2014):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Jun 30 15:36:39.454: ISAKMP:(2014):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

Jun 30 15:36:39.474: ISAKMP (2014): received packet from 80.127.1.2 dport 500 sport 500 Global (R) QM_IDLE
Jun 30 15:36:39.474: ISAKMP: set new node 1532780953 to QM_IDLE
Jun 30 15:36:39.474: ISAKMP:(2014): processing HASH payload. message ID = 1532780953
Jun 30 15:36:39.474: ISAKMP:(2014): processing SA payload. message ID = 1532780953
Jun 30 15:36:39.474: ISAKMP:(2014):Checking IPSec proposal 0
Jun 30 15:36:39.474: ISAKMP: transform 1, ESP_AES
Jun 30 15:36:39.474: ISAKMP: attributes in transform:
Jun 30 15:36:39.474: ISAKMP: key length is 128
Jun 30 15:36:39.474: ISAKMP: authenticator is HMAC-SHA
Jun 30 15:36:39.474: ISAKMP: encaps is 1 (Tunnel)
Jun 30 15:36:39.474: ISAKMP:(2014):atts are acceptable.
Jun 30 15:36:39.474: ISAKMP:(2014):Checking IPSec proposal 0
Jun 30 15:36:39.474: ISAKMP: transform 2, ESP_AES
Jun 30 15:36:39.474: ISAKMP: attributes in transform:
Jun 30 15:36:39.474: ISAKMP: key length is 128
Jun 30 15:36:39.474: ISAKMP: authenticator is HMAC-SHA256
Jun 30 15:36:39.474: ISAKMP: encaps is 1 (Tunnel)
Jun 30 15:36:39.474: ISAKMP:(2014):atts are acceptable.
Jun 30 15:36:39.474: IPSEC(validate_proposal_request): proposal part #1
Jun 30 15:36:39.474: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 5.127.247.3:0, remote= 80.127.1.2:0,
local_proxy= 10.2.137.0/255.255.255.0/256/0,
remote_proxy= 192.168.6.0/255.255.255.0/256/0,
protocol= ESP, transform= esp-aes esp-sha-hmac (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
Jun 30 15:36:39.474: Crypto mapdb : proxy_match
src addr : 10.2.137.0
dst addr : 192.168.6.0
protocol : 0
src port : 0
dst port : 0
Jun 30 15:36:39.474: (ipsec_process_proposal)Map Accepted: EXT_MAP, 5
Jun 30 15:36:39.474: ISAKMP:(2014): processing NONCE payload. message ID = 1532780953
Jun 30 15:36:39.474: ISAKMP:(2014): processing ID payload. message ID = 1532780953
Jun 30 15:36:39.474: ISAKMP:(2014): processing ID payload. message ID = 1532780953
Jun 30 15:36:39.474: ISAKMP:(2014):QM Responder gets spi
Jun 30 15:36:39.474: ISAKMP:(2014):Node 1532780953, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Jun 30 15:36:39.474: ISAKMP:(2014):Old State = IKE_QM_READY New State = IKE_QM_SPI_STARVE
Jun 30 15:36:39.474: ISAKMP:(2014):Node 1532780953, Input = IKE_MESG_INTERNAL, IKE_GOT_SPI
Jun 30 15:36:39.474: ISAKMP:(2014):Old State = IKE_QM_SPI_STARVE New State = IKE_QM_IPSEC_INSTALL_AWAIT
Jun 30 15:36:39.474: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Jun 30 15:36:39.474: Crypto mapdb : proxy_match
src addr : 10.2.137.0
dst addr : 192.168.6.0
protocol : 256
src port : 0
dst port : 0
Jun 30 15:36:39.478: IPSEC(crypto_ipsec_create_ipsec_sas): Map found EXT_MAP, 5
Jun 30 15:36:39.478: IPSEC(create_sa): sa created,
(sa) sa_dest= 5.127.247.3, sa_proto= 50,
sa_spi= 0xE85A0F98(3898216344),
sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 57
sa_lifetime(k/sec)= (4608000/3600),
(identity) local= 5.127.247.3:0, remote= 80.127.1.2:0,
local_proxy= 10.2.137.0/255.255.255.0/256/0,
remote_proxy= 192.168.6.0/255.255.255.0/256/0
Jun 30 15:36:39.478: IPSEC(create_sa): sa created,
(sa) sa_dest= 80.127.1.2, sa_proto= 50,
sa_spi= 0xCF802DBF(3481284031),
sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 58
sa_lifetime(k/sec)= (4608000/3600),
(identity) local= 5.127.247.3:0, remote= 80.127.1.2:0,
local_proxy= 10.2.137.0/255.255.255.0/256/0,
remote_proxy= 192.168.6.0/255.255.255.0/256/0
Jun 30 15:36:39.478: ISAKMP: Failed to find peer index node to update peer_info_list
Jun 30 15:36:39.478: ISAKMP:(2014):Received IPSec Install callback... proceeding with the negotiation
Jun 30 15:36:39.478: ISAKMP:(2014):Successfully installed IPSEC SA (SPI:0xE85A0F98) on Loopback0
Jun 30 15:36:39.478: ISAKMP:(2014): sending packet to 80.127.1.2 my_port 500 peer_port 500 (R) QM_IDLE
Jun 30 15:36:39.482: ISAKMP:(2014):Sending an IKE IPv4 Packet.
Jun 30 15:36:39.482: ISAKMP:(2014):Node 1532780953, Input = IKE_MESG_FROM_IPSEC, IPSEC_INSTALL_DONE
Jun 30 15:36:39.482: ISAKMP:(2014):Old State = IKE_QM_IPSEC_INSTALL_AWAIT New State = IKE_QM_R_QM2
CPE#
Jun 30 15:36:39.502: ISAKMP (2014): received packet from 80.127.1.2 dport 500 sport 500 Global (R) QM_IDLE
Jun 30 15:36:39.502: ISAKMP:(2014):deleting node 1532780953 error FALSE reason "QM done (await)"
Jun 30 15:36:39.502: ISAKMP:(2014):Node 1532780953, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Jun 30 15:36:39.502: ISAKMP:(2014):Old State = IKE_QM_R_QM2 New State = IKE_QM_PHASE2_COMPLETE
Jun 30 15:36:39.502: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Jun 30 15:36:39.502: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
Jun 30 15:36:39.502: IPSEC: Expand action denied, notify RP
CPE#
Jun 30 15:36:41.690: ISAKMP:(2013):purging node 1237208721
CPE#
Jun 30 15:36:49.575: ISAKMP (2014): received packet from 80.127.1.2 dport 500 sport 500 Global (R) QM_IDLE
Jun 30 15:36:49.575: ISAKMP: set new node -908578386 to QM_IDLE
Jun 30 15:36:49.575: ISAKMP:(2014): processing HASH payload. message ID = 3386388910
Jun 30 15:36:49.575: ISAKMP:(2014): processing NOTIFY DPD/R_U_THERE protocol 1
spi 0, message ID = 3386388910, sa = 0x884B0A40
Jun 30 15:36:49.575: ISAKMP:(2014):deleting node -908578386 error FALSE reason "Informational (in) state 1"
Jun 30 15:36:49.575: ISAKMP:(2014):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Jun 30 15:36:49.575: ISAKMP:(2014):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

Jun 30 15:36:49.579: ISAKMP:(2014):DPD/R_U_THERE received from peer 80.127.1.2, sequence 0x610FEA68
Jun 30 15:36:49.579: ISAKMP: set new node 1588123982 to QM_IDLE
Jun 30 15:36:49.579: ISAKMP:(2014):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
spi 2303315152, message ID = 1588123982
Jun 30 15:36:49.579: ISAKMP:(2014): seq. no 0x610FEA68
Jun 30 15:36:49.579: ISAKMP:(2014): sending packet to 80.127.1.2 my_port 500 peer_port 500 (R) QM_IDLE
Jun 30 15:36:49.579: ISAKMP:(2014):Sending an IKE IPv4 Packet.
Jun 30 15:36:49.579: ISAKMP:(2014):purging node 1588123982
Jun 30 15:36:49.579: ISAKMP:(2014):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
CPE#
Jun 30 15:36:49.579: ISAKMP:(2014):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

CPE#


Stratto-Angel-CPE#show crypto ipsec sa

interface: Loopback0
Crypto map tag: EXT_MAP, local addr 5.133.247.9

protected vrf: (none)
local ident (addr/mask/prot/port): (10.2.137.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.6.0/255.255.255.0/0/0)
current_peer 80.127.1.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

1 Reply

balaji.bandi
Hall of Fame

Based on the log, this is the responder for the connection and it is receiving the DELETE message from the other site.

Jun 30 15:36:49.575: ISAKMP:(2014):deleting node -908578386 error FALSE reason "Informational (in) state 1"

Suggest looking at the debug on both sides.

1. Check the config on both sides

2. Make sure the transform set is correct on both sides

You need the config on both sides to match identically for this to work.

BB
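Added example, not part of the thread or either poster's code: a Python sketch that reads the debug and `show crypto ipsec sa` text posted above and reports whether both IKE phases completed, which SAs and transform were installed, which NOTIFY types were processed, and whether any packets were counted. The function names and the trimmed sample strings (lines copied from the thread) are assumptions made for this example.

```python
import re

# Constructed sample: a subset of lines copied from the debug and show output in the thread.
DEBUG = """\
Jun 30 15:36:39.454: ISAKMP:(2014):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
Jun 30 15:36:39.478: IPSEC(create_sa): sa created,
(sa) sa_dest= 5.127.247.3, sa_proto= 50,
sa_spi= 0xE85A0F98(3898216344),
sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 57
Jun 30 15:36:39.478: IPSEC(create_sa): sa created,
(sa) sa_dest= 80.127.1.2, sa_proto= 50,
sa_spi= 0xCF802DBF(3481284031),
sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 58
Jun 30 15:36:39.502: ISAKMP:(2014):Old State = IKE_QM_R_QM2 New State = IKE_QM_PHASE2_COMPLETE
Jun 30 15:36:49.575: ISAKMP:(2014): processing NOTIFY DPD/R_U_THERE protocol 1
"""
SHOW = """\
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#send errors 0, #recv errors 0
"""

def summarize_debug(text):
    """Pull IKE state transitions, created SAs and NOTIFY types out of the debug text."""
    states = re.findall(r"New State = (\S+)", text)
    sas = [{"dest": d, "spi": s, "transform": t.strip()} for d, s, t in re.findall(
        r"sa_dest= ([\d.]+),.*?sa_spi= (0x[0-9A-F]+)\(.*?sa_trans= ([^,]+),", text, re.S)]
    notifies = re.findall(r"processing NOTIFY (\S+)", text)
    return {"phase1": "IKE_P1_COMPLETE" in states,
            "phase2": "IKE_QM_PHASE2_COMPLETE" in states,
            "sas": sas, "notifies": notifies}

def counters(text):
    """Map each '#name: value' counter in the show output to an int."""
    return {k.strip(): int(v) for k, v in re.findall(r"#([a-z. ]+?):? (\d+)", text)}

def triage(debug, show):
    """Separate a failed negotiation from installed SAs that carry no packets."""
    d, c = summarize_debug(debug), counters(show)
    if not (d["phase1"] and d["phase2"] and len(d["sas"]) >= 2):
        return "negotiation incomplete"
    if c["pkts encaps"] == 0 and c["pkts decaps"] == 0:
        return "SAs installed, no traffic in either direction"
    if c["pkts encaps"] == 0:
        return "SAs installed, nothing encrypted outbound"
    if c["pkts decaps"] == 0:
        return "SAs installed, nothing decrypted inbound"
    return "traffic flowing"
```

Running `triage(DEBUG, SHOW)` on the posted output gives "SAs installed, no traffic in either direction"; feeding it the same two captures from the peer shows whether the counters are zero on that side as well.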