cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
428
Views
0
Helpful
8
Replies

DMVPN Cisco C819 3G & 4G

Dear community,

I have a strange error, for backup we have dmvpn-routers 3G.

To connect to the site with a 3G router C819HG+7-K9 no problem.

XXXVR01_161#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel110104013, IPv4 NHRP Details
Type:Spoke, NHRP Peers:2,

# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 10.4.0.240 10.110.104.1 UP 1w0d S
1 10.4.0.241 10.110.104.2 UP 1w0d S

Interface: Tunnel243104013, IPv4 NHRP Details
Type:Spoke, NHRP Peers:2,

# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 10.4.0.240 10.243.104.1 UP 1w0d S
1 10.4.0.241 10.243.104.2 UP 1w0d S

All connections are up, when we use C819HG-4G-G-K9 router 4G, same config other chat script.

XXXVR01_163#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
T1 - Route Installed, T2 - Nexthop-override
C - CTS Capable
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel110104015, IPv4 NHRP Details
Type:Spoke, NHRP Peers:2,

# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 10.4.0.240 10.110.104.1 IKE 00:20:08 S
1 10.4.0.241 10.110.104.2 UP 00:20:08 S

Interface: Tunnel243104015, IPv4 NHRP Details
Type:Spoke, NHRP Peers:2,

# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 10.4.0.240 10.243.104.1 IKE 00:20:08 S
1 10.4.0.241 10.243.104.2 UP 00:20:08 S

Not all connections comming up, I searched for all kind of solutions.

But nothing works. 

On the hub everything is oke.

DCLA0VR03#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel110104001, IPv4 NHRP Details
Type:Hub, NHRP Peers:6,

# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 10.4.0.241 10.110.104.2 UP 1w0d D
1 10.13.160.20 10.110.104.10 UP 1w0d D
1 10.13.160.19 10.110.104.11 UP 1w0d D
1 10.13.160.22 10.110.104.12 UP 14:30:30 D
1 10.13.160.21 10.110.104.13 UP 1w0d D
1 10.13.160.25 10.110.104.15 UP 00:23:11 D

Interface: Tunnel243104001, IPv4 NHRP Details
Type:Hub, NHRP Peers:6,

# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 10.4.0.241 10.243.104.2 UP 1w0d D
1 10.13.160.20 10.243.104.10 UP 1w0d D
1 10.13.160.19 10.243.104.11 UP 1w0d D
1 10.13.160.22 10.243.104.12 UP 14:30:30 D
1 10.13.160.21 10.243.104.13 UP 1w0d D
1 10.13.160.25 10.243.104.15 UP 00:23:11 D

DCLA0VR04#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel110104002, IPv4 NHRP Details
Type:Hub/Spoke, NHRP Peers:6,

# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 10.4.0.240 10.110.104.1 UP 34w1d S
1 10.13.160.20 10.110.104.10 UP 1w0d D
1 10.13.160.19 10.110.104.11 UP 1w0d D
1 10.13.160.22 10.110.104.12 UP 14:30:59 D
1 10.13.160.21 10.110.104.13 UP 1w0d D
1 10.13.160.25 10.110.104.15 UP 00:23:40 D

Interface: Tunnel243104002, IPv4 NHRP Details
Type:Hub/Spoke, NHRP Peers:6,

# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 10.4.0.240 10.243.104.1 UP 34w1d S
1 10.13.160.20 10.243.104.10 UP 1w0d D
1 10.13.160.19 10.243.104.11 UP 1w0d D
1 10.13.160.22 10.243.104.12 UP 14:30:59 D
1 10.13.160.21 10.243.104.13 UP 1w0d D
1 10.13.160.25 10.243.104.15 UP 00:23:40 D

What is wrong 3G no problem 4G router

There is a connection i can ping from the router to the central site, no problem.

I see only UP-NO-IKE in the connection with DMVPN detail.

XXXVR01_163#show dmvpn detail
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
T1 - Route Installed, T2 - Nexthop-override
C - CTS Capable
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface Tunnel110104015 is up/up, Addr. is 10.110.104.15, VRF "vln"
Tunnel Src./Dest. addr: 10.13.160.25/MGRE, Tunnel VRF ""
Protocol/Transport: "multi-GRE/IP", Protect "dmvpn-pro"
Interface State Control: Disabled
nhrp event-publisher : Disabled

IPv4 NHS:
10.110.104.1 RE priority = 0 cluster = 0
10.110.104.2 RE priority = 0 cluster = 0
Type:Spoke, Total NBMA Peers (v4/v6): 2

# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb Target Network
----- --------------- --------------- ----- -------- ----- -----------------
1 10.4.0.240 10.110.104.1 IKE 00:26:21 S 10.110.104.1/32 (vln)
1 10.4.0.241 10.110.104.2 UP 00:26:21 S 10.110.104.2/32 (vln)

Interface Tunnel243104015 is up/up, Addr. is 10.243.104.15, VRF "bln"
Tunnel Src./Dest. addr: 10.13.160.25/MGRE, Tunnel VRF ""
Protocol/Transport: "multi-GRE/IP", Protect "dmvpn-pro"
Interface State Control: Disabled
nhrp event-publisher : Disabled

IPv4 NHS:
10.243.104.1 RE priority = 0 cluster = 0
10.243.104.2 RE priority = 0 cluster = 0
Type:Spoke, Total NBMA Peers (v4/v6): 2

# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb Target Network
----- --------------- --------------- ----- -------- ----- -----------------
1 10.4.0.240 10.243.104.1 IKE 00:26:21 S 10.243.104.1/32 (bln)
1 10.4.0.241 10.243.104.2 UP 00:26:21 S 10.243.104.2/32 (bln)


Crypto Session Details:
--------------------------------------------------------------------------------

Interface: Tunnel243104015 Tunnel110104015
Session: [0x0F081AB4]
Crypto Session Status: UP-NO-IKE
fvrf: (none), IPSEC FLOW: permit 47 host 10.13.160.25 host 10.4.0.240
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 766 drop 0 life (KB/Sec) 4341148/2018
Outbound: #pkts enc'ed 776 drop 0 life (KB/Sec) 4341147/2018
Outbound SPI : 0x12EDEEB8, transform : esp-aes esp-sha-hmac
Socket State: Open

Interface: Tunnel243104015 Tunnel110104015
Session: [0x0F0819BC]
Crypto Session Status: UP-NO-IKE
fvrf: (none), IPSEC FLOW: permit 47 host 10.13.160.25 host 10.4.0.241
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 740 drop 0 life (KB/Sec) 4181267/2018
Outbound: #pkts enc'ed 741 drop 0 life (KB/Sec) 4181268/2018
Outbound SPI : 0x3F06E912, transform : esp-aes esp-sha-hmac
Socket State: Open

Interface: Tunnel243104015 Tunnel110104015
Shared session: [0x0F081AB4] printed earlier

Interface: Tunnel243104015 Tunnel110104015
Shared session: [0x0F0819BC] printed earlier

Pending DMVPN Sessions:

8 Replies 8

Mark Malone
VIP Alumni
VIP Alumni

are you positive the 3G provider is allowing isakmp messages through ?  If its same config working on 4g I would think its something on there devices or circuits that's not allowing either certain crypto packets or nhrp messages

debug crypto isakmp will show if isakmp are being dropped on 3g network

Mark,

Thanks for replying, on 3G-router works this correct, the connection is 3G even it is a 4G router. The provider profile is 3G, wil be changes after some time.

I wil debug the connection, and let you know.

Mark here is de debug.

XXXVR01_163#
.Mar 15 10:53:04: %LINK-3-UPDOWN: Interface Cellular0, changed state to up
.Mar 15 10:53:04: %DIALER-6-BIND: Interface Ce0 bound to profile Di1
.Mar 15 10:53:04: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel243104015, changed state to up
.Mar 15 10:53:04: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel110104015, changed state to up
.Mar 15 10:53:04: ISAKMP:(0): SA request profile is (NULL)
.Mar 15 10:53:04: ISAKMP: Created a peer struct for 10.4.0.240, peer port 500
.Mar 15 10:53:04: ISAKMP: New peer created peer = 0x10146D20 peer_handle = 0x80000028
.Mar 15 10:53:04: ISAKMP: Locking peer struct 0x10146D20, refcount 1 for isakmp_initiator
.Mar 15 10:53:04: ISAKMP: local port 500, remote port 500
.Mar 15 10:53:04: ISAKMP: set new node 0 to QM_IDLE
.Mar 15 10:53:04: ISAKMP:(0):insert sa successfully sa = 2163394
.Mar 15 10:53:04: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
.Mar 15 10:53:04: ISAKMP:(0):found peer pre-shared key matching 10.4.0.240
.Mar 15 10:53:04: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
.Mar 15 10:53:04: ISAKMP:(0): constructed NAT-T vendor-07 ID
.Mar 15 10:53:04: ISAKMP:(0): constructed NAT-T vendor-03 ID
.Mar 15 10:53:04: ISAKMP:(0): constructed NAT-T vendor-02 ID
.Mar 15 10:53:04: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
.Mar 15 10:53:04: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1

.Mar 15 10:53:04: ISAKMP:(0): beginning Main Mode exchange
.Mar 15 10:53:04: ISAKMP:(0): sending packet to 10.4.0.240 my_port 500 peer_port 500 (I) MM_NO_STATE
.Mar 15 10:53:04: ISAKMP:(0):Sending an IKE IPv4 Packet.
.Mar 15 10:53:04: ISAKMP:(0): SA request profile is (NULL)
.Mar 15 10:53:04: ISAKMP: Created a peer struct for 10.4.0.241, peer port 500
.Mar 15 10:53:04: ISAKMP: New peer created peer = 0xF056F74 peer_handle = 0x80000029
.Mar 15 10:53:04: ISAKMP: Locking peer struct 0xF056F74, refcount 1 for isakmp_initiator
.Mar 15 10:53:04: ISAKMP: local port 500, remote port 500
.Mar 15 10:53:04: ISAKMP: set new node 0 to QM_IDLE
.Mar 15 10:53:04: ISAKMP:(0):insert sa successfully sa = 21671F4
.Mar 15 10:53:04: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
.Mar 15 10:53:04: ISAKMP:(0):found peer pre-shared key matching 10.4.0.241
.Mar 15 10:53:04: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
.Mar 15 10:53:04: ISAKMP:(0): constructed NAT-T vendor-07 ID
.Mar 15 10:53:04: ISAKMP:(0): constructed NAT-T vendor-03 ID
.Mar 15 10:53:04: ISAKMP:(0): constructed NAT-T vendor-02 ID
.Mar 15 10:53:04: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
.Mar 15 10:53:04: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1

.Mar 15 10:53:04: ISAKMP:(0): beginning Main Mode exchange
.Mar 15 10:53:04: ISAKMP:(0): sending packet to 10.4.0.241 my_port 500 peer_port 500 (I) MM_NO_STATE
.Mar 15 10:53:04: ISAKMP:(0):Sending an IKE IPv4 Packet.
.Mar 15 10:53:04: ISAKMP:(0):peer does not do paranoid keepalives.

.Mar 15 10:53:04: ISAKMP:(0):deleting SA reason "P1 delete notify (in)" state (I) MM_NO_STATE (peer 10.4.0.240)
.Mar 15 10:53:04: ISAKMP:(0):deleting SA reason "P1 delete notify (in)" state (I) MM_NO_STATE (peer 10.4.0.240)
.Mar 15 10:53:04: ISAKMP: Unlocking peer struct 0x10146D20 for isadb_mark_sa_deleted(), count 0
.Mar 15 10:53:04: ISAKMP: Deleting peer node by peer_reap for 10.4.0.240: 10146D20
.Mar 15 10:53:04: ISAKMP:(0):deleting node -823180107 error FALSE reason "IKE deleted"
.Mar 15 10:53:04: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
.Mar 15 10:53:04: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_DEST_SA

.Mar 15 10:53:04: ISAKMP:(0):peer does not do paranoid keepalives.

.Mar 15 10:53:04: ISAKMP:(0):deleting SA reason "P1 delete notify (in)" state (I) MM_NO_STATE (peer 10.4.0.241)
.Mar 15 10:53:04: ISAKMP:(0):deleting SA reason "P1 delete notify (in)" state (I) MM_NO_STATE (peer 10.4.0.241)
.Mar 15 10:53:04: ISAKMP: Unlocking peer struct 0xF056F74 for isadb_mark_sa_deleted(), count 0
.Mar 15 10:53:04: ISAKMP: Deleting peer node by peer_reap for 10.4.0.241: F056F74
.Mar 15 10:53:04: ISAKMP:(0):deleting node 2146635587 error FALSE reason "IKE deleted"
.Mar 15 10:53:04: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
.Mar 15 10:53:04: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_DEST_SA

.Mar 15 10:53:04: ISAKMP:(0): SA request profile is (NULL)
.Mar 15 10:53:04: ISAKMP: Created a peer struct for 10.4.0.240, peer port 500
.Mar 15 10:53:04: ISAKMP: New peer created peer = 0xF056F74 peer_handle = 0x8000002A
.Mar 15 10:53:04: ISAKMP: Locking peer struct 0xF056F74, refcount 1 for isakmp_initiator
.Mar 15 10:53:04: ISAKMP: local port 500, remote port 500
.Mar 15 10:53:04: ISAKMP: set new node 0 to QM_IDLE
.Mar 15 10:53:04: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 167C44C
.Mar 15 10:53:04: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
.Mar 15 10:53:04: ISAKMP:(0):found peer pre-shared key matching 10.4.0.240
.Mar 15 10:53:04: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
.Mar 15 10:53:04: ISAKMP:(0): constructed NAT-T vendor-07 ID
.Mar 15 10:53:04: ISAKMP:(0): constructed NAT-T vendor-03 ID
.Mar 15 10:53:04: ISAKMP:(0): constructed NAT-T vendor-02 ID
.Mar 15 10:53:04: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
.Mar 15 10:53:04: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1

.Mar 15 10:53:04: ISAKMP:(0): beginning Main Mode exchange
.Mar 15 10:53:04: ISAKMP:(0): sending packet to 10.4.0.240 my_port 500 peer_port 500 (I) MM_NO_STATE
.Mar 15 10:53:04: ISAKMP:(0):Sending an IKE IPv4 Packet.
.Mar 15 10:53:04: ISAKMP:(0): SA request profile is (NULL)
.Mar 15 10:53:04: ISAKMP: Created a peer struct for 10.4.0.241, peer port 500
.Mar 15 10:53:04: ISAKMP: New peer created peer = 0x21AAC830 peer_handle = 0x8000002B
.Mar 15 10:53:04: ISAKMP: Locking peer struct 0x21AAC830, refcount 1 for isakmp_initiator
.Mar 15 10:53:04: ISAKMP: local port 500, remote port 500
.Mar 15 10:53:04: ISAKMP: set new node 0 to QM_IDLE
.Mar 15 10:53:04: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 1051D2C4
.Mar 15 10:53:04: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
.Mar 15 10:53:04: ISAKMP:(0):found peer pre-shared key matching 10.4.0.241
.Mar 15 10:53:04: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
.Mar 15 10:53:04: ISAKMP:(0): constructed NAT-T vendor-07 ID
.Mar 15 10:53:04: ISAKMP:(0): constructed NAT-T vendor-03 ID
.Mar 15 10:53:04: ISAKMP:(0): constructed NAT-T vendor-02 ID
.Mar 15 10:53:04: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
.Mar 15 10:53:04: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1

.Mar 15 10:53:04: ISAKMP:(0): beginning Main Mode exchange
.Mar 15 10:53:04: ISAKMP:(0): sending packet to 10.4.0.241 my_port 500 peer_port 500 (I) MM_NO_STATE
.Mar 15 10:53:04: ISAKMP:(0):Sending an IKE IPv4 Packet.
.Mar 15 10:53:04: ISAKMP:(0):peer does not do paranoid keepalives.

.Mar 15 10:53:04: ISAKMP:(0):deleting SA reason "P1 delete notify (in)" state (I) MM_NO_STATE (peer 10.4.0.240)
.Mar 15 10:53:04: ISAKMP:(0):peer does not do paranoid keepalives.

.Mar 15 10:53:04: ISAKMP:(0):deleting SA reason "P1 delete notify (in)" state (I) MM_NO_STATE (peer 10.4.0.240)
.Mar 15 10:53:04: ISAKMP: Unlocking peer struct 0xF056F74 for isadb_mark_sa_deleted(), count 0
.Mar 15 10:53:04: ISAKMP: Deleting peer node by peer_reap for 10.4.0.240: F056F74
.Mar 15 10:53:04: ISAKMP:(0):deleting node -996914806 error FALSE reason "IKE deleted"
.Mar 15 10:53:04: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
.Mar 15 10:53:04: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_DEST_SA

.Mar 15 10:53:04: ISAKMP:(0):peer does not do paranoid keepalives.

.Mar 15 10:53:04: ISAKMP:(0):deleting SA reason "P1 delete notify (in)" state (I) MM_NO_STATE (peer 10.4.0.241)
.Mar 15 10:53:04: ISAKMP:(0):peer does not do paranoid keepalives.

.Mar 15 10:53:04: ISAKMP:(0):deleting SA reason "P1 delete notify (in)" state (I) MM_NO_STATE (peer 10.4.0.241)
.Mar 15 10:53:04: ISAKMP: Unlocking peer struct 0x21AAC830 for isadb_mark_sa_deleted(), count 0
.Mar 15 10:53:04: ISAKMP: Deleting peer node by peer_reap for 10.4.0.241: 21AAC830
.Mar 15 10:53:04: ISAKMP:(0):deleting node -2032265161 error FALSE reason "IKE deleted"
.Mar 15 10:53:04: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
.Mar 15 10:53:04: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_DEST_SA

.Mar 15 10:53:04: ISAKMP:(0): SA request profile is (NULL)
.Mar 15 10:53:04: ISAKMP: Created a peer struct for 10.4.0.240, peer port 500
.Mar 15 10:53:04: ISAKMP: New peer created peer = 0x21B4911C peer_handle = 0x8000002C
.Mar 15 10:53:04: ISAKMP: Locking peer struct 0x21B4911C, refcount 1 for isakmp_initiator
.Mar 15 10:53:04: ISAKMP: local port 500, remote port 500
.Mar 15 10:53:04: ISAKMP: set new node 0 to QM_IDLE
.Mar 15 10:53:04: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 219B7C40
.Mar 15 10:53:04: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
.Mar 15 10:53:04: ISAKMP:(0):found peer pre-shared key matching 10.4.0.240
.Mar 15 10:53:04: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
.Mar 15 10:53:04: ISAKMP:(0): constructed NAT-T vendor-07 ID
.Mar 15 10:53:04: ISAKMP:(0): constructed NAT-T vendor-03 ID
.Mar 15 10:53:04: ISAKMP:(0): constructed NAT-T vendor-02 ID
.Mar 15 10:53:04: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
.Mar 15 10:53:04: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1

.Mar 15 10:53:04: ISAKMP:(0): beginning Main Mode exchange
.Mar 15 10:53:04: ISAKMP:(0): sending packet to 10.4.0.240 my_port 500 peer_port 500 (I) MM_NO_STATE
.Mar 15 10:53:04: ISAKMP:(0):Sending an IKE IPv4 Packet.
.Mar 15 10:53:04: ISAKMP:(0): SA request profile is (NULL)
.Mar 15 10:53:04: ISAKMP: Created a peer struct for 10.4.0.241, peer port 500
.Mar 15 10:53:04: ISAKMP: New peer created peer = 0x21B48D88 peer_handle = 0x8000002D
.Mar 15 10:53:04: ISAKMP: Locking peer struct 0x21B48D88, refcount 1 for isakmp_initiator
.Mar 15 10:53:04: ISAKMP: local port 500, remote port 500
.Mar 15 10:53:04: ISAKMP: set new node 0 to QM_IDLE
.Mar 15 10:53:04: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 200B59E0
.Mar 15 10:53:04: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
.Mar 15 10:53:04: ISAKMP:(0):found peer pre-shared key matching 10.4.0.241
.Mar 15 10:53:04: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
.Mar 15 10:53:04: ISAKMP:(0): constructed NAT-T vendor-07 ID
.Mar 15 10:53:04: ISAKMP:(0): constructed NAT-T vendor-03 ID
.Mar 15 10:53:04: ISAKMP:(0): constructed NAT-T vendor-02 ID
.Mar 15 10:53:04: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
.Mar 15 10:53:04: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1

.Mar 15 10:53:04: ISAKMP:(0): beginning Main Mode exchange
.Mar 15 10:53:04: ISAKMP:(0): sending packet to 10.4.0.241 my_port 500 peer_port 500 (I) MM_NO_STATE
.Mar 15 10:53:04: ISAKMP:(0):Sending an IKE IPv4 Packet.
.Mar 15 10:53:04: ISAKMP (0): received packet from 10.4.0.240 dport 500 sport 500 Global (I) MM_NO_STATE
.Mar 15 10:53:04: ISAKMP (0): received packet from 10.4.0.241 dport 500 sport 500 Global (I) MM_NO_STATE
.Mar 15 10:53:04: ISAKMP (0): received packet from 10.4.0.240 dport 500 sport 500 Global (I) MM_NO_STATE
.Mar 15 10:53:04: ISAKMP (0): received packet from 10.4.0.241 dport 500 sport 500 Global (I) MM_NO_STATE
.Mar 15 10:53:04: ISAKMP (0): received packet from 10.4.0.240 dport 500 sport 500 Global (I) MM_NO_STATE
.Mar 15 10:53:04: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
.Mar 15 10:53:04: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2

.Mar 15 10:53:04: ISAKMP:(0): processing SA payload. message ID = 0
.Mar 15 10:53:04: ISAKMP:(0): processing vendor id payload
.Mar 15 10:53:04: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
.Mar 15 10:53:04: ISAKMP (0): vendor ID is NAT-T RFC 3947
.Mar 15 10:53:04: ISAKMP:(0):found peer pre-shared key matching 10.4.0.240
.Mar 15 10:53:04: ISAKMP:(0): local preshared key found
.Mar 15 10:53:04: ISAKMP : Scanning profiles for xauth ...
.Mar 15 10:53:04: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
.Mar 15 10:53:04: ISAKMP: encryption AES-CBC
.Mar 15 10:53:04: ISAKMP: keylength of 256
.Mar 15 10:53:04: ISAKMP: hash SHA
.Mar 15 10:53:04: ISAKMP: default group 2
.Mar 15 10:53:04: ISAKMP: auth pre-share
.Mar 15 10:53:04: ISAKMP: life type in seconds
.Mar 15 10:53:04: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
.Mar 15 10:53:04: ISAKMP:(0):atts are acceptable. Next payload is 0
.Mar 15 10:53:04: ISAKMP:(0):Acceptable atts:actual life: 0
.Mar 15 10:53:04: ISAKMP:(0):Acceptable atts:life: 0
.Mar 15 10:53:04: ISAKMP:(0):Fill atts in sa vpi_length:4
.Mar 15 10:53:04: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
.Mar 15 10:53:04: ISAKMP:(0):Returning Actual lifetime: 86400
.Mar 15 10:53:04: ISAKMP:(0)::Started lifetime timer: 86400.

.Mar 15 10:53:04: ISAKMP:(0): processing vendor id payload
.Mar 15 10:53:04: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
.Mar 15 10:53:04: ISAKMP (0): vendor ID is NAT-T RFC 3947
.Mar 15 10:53:04: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
.Mar 15 10:53:04: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2

.Mar 15 10:53:04: ISAKMP:(0): sending packet to 10.4.0.240 my_port 500 peer_port 500 (I) MM_SA_SETUP
.Mar 15 10:53:04: ISAKMP:(0):Sending an IKE IPv4 Packet.
.Mar 15 10:53:04: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
.Mar 15 10:53:04: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3

.Mar 15 10:53:04: ISAKMP (0): received packet from 10.4.0.241 dport 500 sport 500 Global (I) MM_NO_STATE
.Mar 15 10:53:04: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
.Mar 15 10:53:04: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2

.Mar 15 10:53:04: ISAKMP:(0): processing SA payload. message ID = 0
.Mar 15 10:53:04: ISAKMP:(0): processing vendor id payload
.Mar 15 10:53:04: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
.Mar 15 10:53:04: ISAKMP (0): vendor ID is NAT-T RFC 3947
.Mar 15 10:53:04: ISAKMP:(0):found peer pre-shared key matching 10.4.0.241
.Mar 15 10:53:04: ISAKMP:(0): local preshared key found
.Mar 15 10:53:04: ISAKMP : Scanning profiles for xauth ...
.Mar 15 10:53:04: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
.Mar 15 10:53:04: ISAKMP: encryption AES-CBC
.Mar 15 10:53:04: ISAKMP: keylength of 256
.Mar 15 10:53:04: ISAKMP: hash SHA
.Mar 15 10:53:04: ISAKMP: default group 2
.Mar 15 10:53:04: ISAKMP: auth pre-share
.Mar 15 10:53:04: ISAKMP: life type in seconds
.Mar 15 10:53:04: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
.Mar 15 10:53:04: ISAKMP:(0):atts are acceptable. Next payload is 0
.Mar 15 10:53:04: ISAKMP:(0):Acceptable atts:actual life: 0
.Mar 15 10:53:04: ISAKMP:(0):Acceptable atts:life: 0
.Mar 15 10:53:04: ISAKMP:(0):Fill atts in sa vpi_length:4
.Mar 15 10:53:04: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
.Mar 15 10:53:04: ISAKMP:(0):Returning Actual lifetime: 86400
.Mar 15 10:53:04: ISAKMP:(0)::Started lifetime timer: 86400.

.Mar 15 10:53:04: ISAKMP:(0): processing vendor id payload
.Mar 15 10:53:04: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
.Mar 15 10:53:04: ISAKMP (0): vendor ID is NAT-T RFC 3947
.Mar 15 10:53:04: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
.Mar 15 10:53:04: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2

.Mar 15 10:53:04: ISAKMP:(0): sending packet to 10.4.0.241 my_port 500 peer_port 500 (I) MM_SA_SETUP
.Mar 15 10:53:04: ISAKMP:(0):Sending an IKE IPv4 Packet.
.Mar 15 10:53:04: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
.Mar 15 10:53:04: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3

.Mar 15 10:53:05: ISAKMP (0): received packet from 10.4.0.240 dport 500 sport 500 Global (I) MM_SA_SETUP
.Mar 15 10:53:05: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
.Mar 15 10:53:05: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4

.Mar 15 10:53:05: ISAKMP:(0): processing KE payload. message ID = 0
.Mar 15 10:53:05: ISAKMP:(0): processing NONCE payload. message ID = 0
.Mar 15 10:53:05: ISAKMP:(0):found peer pre-shared key matching 10.4.0.240
.Mar 15 10:53:05: ISAKMP:(2015): processing vendor id payload
.Mar 15 10:53:05: ISAKMP:(2015): vendor ID is Unity
.Mar 15 10:53:05: ISAKMP:(2015): processing vendor id payload
.Mar 15 10:53:05: ISAKMP:(2015): vendor ID is DPD
.Mar 15 10:53:05: ISAKMP:(2015): processing vendor id payload
.Mar 15 10:53:05: ISAKMP:(2015): speaking to another IOS box!
.Mar 15 10:53:05: ISAKMP:received payload type 20
.Mar 15 10:53:05: ISAKMP (2015): His hash no match - this node outside NAT
.Mar 15 10:53:05: ISAKMP:received payload type 20
.Mar 15 10:53:05: ISAKMP (2015): No NAT Found for self or peer
.Mar 15 10:53:05: ISAKMP:(2015):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
.Mar 15 10:53:05: ISAKMP:(2015):Old State = IKE_I_MM4 New State = IKE_I_MM4

.Mar 15 10:53:05: ISAKMP:(2015):Send initial contact
.Mar 15 10:53:05: ISAKMP:(2015):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
.Mar 15 10:53:05: ISAKMP (2015): ID payload
next-payload : 8
type : 1
address : 10.13.160.25
protocol : 17
port : 500
length : 12
.Mar 15 10:53:05: ISAKMP:(2015):Total payload length: 12
.Mar 15 10:53:05: ISAKMP:(2015): sending packet to 10.4.0.240 my_port 500 peer_port 500 (I) MM_KEY_EXCH
.Mar 15 10:53:05: ISAKMP:(2015):Sending an IKE IPv4 Packet.
.Mar 15 10:53:05: ISAKMP:(2015):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
.Mar 15 10:53:05: ISAKMP:(2015):Old State = IKE_I_MM4 New State = IKE_I_MM5

.Mar 15 10:53:05: ISAKMP (0): received packet from 10.4.0.241 dport 500 sport 500 Global (I) MM_SA_SETUP
.Mar 15 10:53:05: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
.Mar 15 10:53:05: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4

.Mar 15 10:53:05: ISAKMP:(0): processing KE payload. message ID = 0
.Mar 15 10:53:05: ISAKMP:(0): processing NONCE payload. message ID = 0
.Mar 15 10:53:05: ISAKMP:(0):found peer pre-shared key matching 10.4.0.241
.Mar 15 10:53:05: ISAKMP:(2016): processing vendor id payload
.Mar 15 10:53:05: ISAKMP:(2016): vendor ID is Unity
.Mar 15 10:53:05: ISAKMP:(2016): processing vendor id payload
.Mar 15 10:53:05: ISAKMP:(2016): vendor ID is DPD
.Mar 15 10:53:05: ISAKMP:(2016): processing vendor id payload
.Mar 15 10:53:05: ISAKMP:(2016): speaking to another IOS box!
.Mar 15 10:53:05: ISAKMP:received payload type 20
.Mar 15 10:53:05: ISAKMP (2016): His hash no match - this node outside NAT
.Mar 15 10:53:05: ISAKMP:received payload type 20
.Mar 15 10:53:05: ISAKMP (2016): No NAT Found for self or peer
.Mar 15 10:53:05: ISAKMP:(2016):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
.Mar 15 10:53:05: ISAKMP:(2016):Old State = IKE_I_MM4 New State = IKE_I_MM4

.Mar 15 10:53:05: ISAKMP:(2016):Send initial contact
.Mar 15 10:53:05: ISAKMP:(2016):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
.Mar 15 10:53:05: ISAKMP (2016): ID payload
next-payload : 8
type : 1
address : 10.13.160.25
protocol : 17
port : 500
length : 12
.Mar 15 10:53:05: ISAKMP:(2016):Total payload length: 12
.Mar 15 10:53:05: ISAKMP:(2016): sending packet to 10.4.0.241 my_port 500 peer_port 500 (I) MM_KEY_EXCH
.Mar 15 10:53:05: ISAKMP:(2016):Sending an IKE IPv4 Packet.
.Mar 15 10:53:05: ISAKMP:(2016):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
.Mar 15 10:53:05: ISAKMP:(2016):Old State = IKE_I_MM4 New State = IKE_I_MM5

.Mar 15 10:53:05: ISAKMP (2015): received packet from 10.4.0.240 dport 500 sport 500 Global (I) MM_KEY_EXCH
.Mar 15 10:53:05: ISAKMP:(2015): processing ID payload. message ID = 0
.Mar 15 10:53:05: ISAKMP (2015): ID payload
next-payload : 8
type : 1
address : 10.4.0.240
protocol : 17
port : 500
length : 12
.Mar 15 10:53:05: ISAKMP:(0):: peer matches *none* of the profiles
.Mar 15 10:53:05: ISAKMP:(2015): processing HASH payload. message ID = 0
.Mar 15 10:53:05: ISAKMP:(2015):SA authentication status:
authenticated
.Mar 15 10:53:05: ISAKMP:(2015):SA has been authenticated with 10.4.0.240
.Mar 15 10:53:05: ISAKMP: Trying to insert a peer 10.13.160.25/10.4.0.240/500/, and inserted successfully 21B4911C.
.Mar 15 10:53:05: ISAKMP:(2015):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
.Mar 15 10:53:05: ISAKMP:(2015):Old State = IKE_I_MM5 New State = IKE_I_MM6

.Mar 15 10:53:05: ISAKMP:(2015):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
.Mar 15 10:53:05: ISAKMP:(2015):Old State = IKE_I_MM6 New State = IKE_I_MM6

.Mar 15 10:53:05: ISAKMP:(2015):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
.Mar 15 10:53:05: ISAKMP:(2015):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE

.Mar 15 10:53:05: ISAKMP:(2015):beginning Quick Mode exchange, M-ID of 3935376390
.Mar 15 10:53:05: ISAKMP:(2015):QM Initiator gets spi
.Mar 15 10:53:05: ISAKMP:(2015): sending packet to 10.4.0.240 my_port 500 peer_port 500 (I) QM_IDLE
.Mar 15 10:53:05: ISAKMP:(2015):Sending an IKE IPv4 Packet.
.Mar 15 10:53:05: ISAKMP:(2015):Node 3935376390, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
.Mar 15 10:53:05: ISAKMP:(2015):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
.Mar 15 10:53:05: ISAKMP:(2015):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
.Mar 15 10:53:05: ISAKMP:(2015):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

.Mar 15 10:53:05: ISAKMP (2016): received packet from 10.4.0.241 dport 500 sport 500 Global (I) MM_KEY_EXCH
.Mar 15 10:53:05: ISAKMP:(2016): processing ID payload. message ID = 0
.Mar 15 10:53:05: ISAKMP (2016): ID payload
next-payload : 8
type : 1
address : 10.4.0.241
protocol : 17
port : 500
length : 12
.Mar 15 10:53:05: ISAKMP:(0):: peer matches *none* of the profiles
.Mar 15 10:53:05: ISAKMP:(2016): processing HASH payload. message ID = 0
.Mar 15 10:53:05: ISAKMP:(2016):SA authentication status:
authenticated
.Mar 15 10:53:05: ISAKMP:(2016):SA has been authenticated with 10.4.0.241
.Mar 15 10:53:05: ISAKMP: Trying to insert a peer 10.13.160.25/10.4.0.241/500/, and inserted successfully 21B48D88.
.Mar 15 10:53:05: ISAKMP:(2016):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
.Mar 15 10:53:05: ISAKMP:(2016):Old State = IKE_I_MM5 New State = IKE_I_MM6

.Mar 15 10:53:05: ISAKMP:(2016):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
.Mar 15 10:53:05: ISAKMP:(2016):Old State = IKE_I_MM6 New State = IKE_I_MM6

.Mar 15 10:53:05: ISAKMP:(2016):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
.Mar 15 10:53:05: ISAKMP:(2016):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE

.Mar 15 10:53:05: ISAKMP:(2016):beginning Quick Mode exchange, M-ID of 2658077126
.Mar 15 10:53:05: ISAKMP:(2016):QM Initiator gets spi
.Mar 15 10:53:05: ISAKMP:(2016): sending packet to 10.4.0.241 my_port 500 peer_port 500 (I) QM_IDLE
.Mar 15 10:53:05: ISAKMP:(2016):Sending an IKE IPv4 Packet.
.Mar 15 10:53:05: ISAKMP:(2016):Node 2658077126, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
.Mar 15 10:53:05: ISAKMP:(2016):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
.Mar 15 10:53:05: ISAKMP:(2016):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
.Mar 15 10:53:05: ISAKMP:(2016):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

.Mar 15 10:53:05: ISAKMP (2015): received packet from 10.4.0.240 dport 500 sport 500 Global (I) QM_IDLE
.Mar 15 10:53:05: ISAKMP:(2015): processing HASH payload. message ID = 3935376390
.Mar 15 10:53:05: ISAKMP:(2015): processing SA payload. message ID = 3935376390
.Mar 15 10:53:05: ISAKMP:(2015):Checking IPSec proposal 1
.Mar 15 10:53:05: ISAKMP: transform 1, ESP_AES
.Mar 15 10:53:05: ISAKMP: attributes in transform:
.Mar 15 10:53:05: ISAKMP: encaps is 2 (Transport)
.Mar 15 10:53:05: ISAKMP: SA life type in seconds
.Mar 15 10:53:05: ISAKMP: SA life duration (basic) of 3600
.Mar 15 10:53:05: ISAKMP: SA life type in kilobytes
.Mar 15 10:53:05: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
.Mar 15 10:53:05: ISAKMP: authenticator is HMAC-SHA
.Mar 15 10:53:05: ISAKMP: key length is 128
.Mar 15 10:53:05: ISAKMP:(2015):atts are acceptable.
.Mar 15 10:53:05: ISAKMP:(2015): processing NONCE payload. message ID = 3935376390
.Mar 15 10:53:05: ISAKMP:(2015): processing ID payload. message ID = 3935376390
.Mar 15 10:53:05: ISAKMP:(2015): processing ID payload. message ID = 3935376390
.Mar 15 10:53:05: ISAKMP:(2015):Node 3935376390, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
.Mar 15 10:53:05: ISAKMP:(2015):Old State = IKE_QM_I_QM1 New State = IKE_QM_IPSEC_INSTALL_AWAIT
.Mar 15 10:53:05: ISAKMP: Failed to find peer index node to update peer_info_list
.Mar 15 10:53:05: ISAKMP:(2015):Received IPSec Install callback... proceeding with the negotiation
.Mar 15 10:53:05: ISAKMP:(2015):Successfully installed IPSEC SA (SPI:0xADD13D09) on Tunnel243104015
.Mar 15 10:53:05: ISAKMP:(2015): sending packet to 10.4.0.240 my_port 500 peer_port 500 (I) QM_IDLE
.Mar 15 10:53:05: ISAKMP:(2015):Sending an IKE IPv4 Packet.
.Mar 15 10:53:05: ISAKMP:(2015):deleting node -359590906 error FALSE reason "No Error"
.Mar 15 10:53:05: ISAKMP:(2015):Node 3935376390, Input = IKE_MESG_FROM_IPSEC, IPSEC_INSTALL_DONE
.Mar 15 10:53:05: ISAKMP:(2015):Old State = IKE_QM_IPSEC_INSTALL_AWAIT New State = IKE_QM_PHASE2_COMPLETE
.Mar 15 10:53:05: ISAKMP (2016): received packet from 10.4.0.241 dport 500 sport 500 Global (I) QM_IDLE
.Mar 15 10:53:05: ISAKMP:(2016): processing HASH payload. message ID = 2658077126
.Mar 15 10:53:05: ISAKMP:(2016): processing SA payload. message ID = 2658077126
.Mar 15 10:53:05: ISAKMP:(2016):Checking IPSec proposal 1
.Mar 15 10:53:05: ISAKMP: transform 1, ESP_AES
.Mar 15 10:53:05: ISAKMP: attributes in transform:
.Mar 15 10:53:05: ISAKMP: encaps is 2 (Transport)
.Mar 15 10:53:05: ISAKMP: SA life type in seconds
.Mar 15 10:53:05: ISAKMP: SA life duration (basic) of 3600
.Mar 15 10:53:05: ISAKMP: SA life type in kilobytes
.Mar 15 10:53:05: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
.Mar 15 10:53:05: ISAKMP: authenticator is HMAC-SHA
.Mar 15 10:53:05: ISAKMP: key length is 128
.Mar 15 10:53:05: ISAKMP:(2016):atts are acceptable.
.Mar 15 10:53:05: ISAKMP:(2016): processing NONCE payload. message ID = 2658077126
.Mar 15 10:53:05: ISAKMP:(2016): processing ID payload. message ID = 2658077126
.Mar 15 10:53:05: ISAKMP:(2016): processing ID payload. message ID = 2658077126
.Mar 15 10:53:05: ISAKMP:(2016):Node 2658077126, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
.Mar 15 10:53:05: ISAKMP:(2016):Old State = IKE_QM_I_QM1 New State = IKE_QM_IPSEC_INSTALL_AWAIT
.Mar 15 10:53:05: ISAKMP: Failed to find peer index node to update peer_info_list
.Mar 15 10:53:05: ISAKMP:(2016):Received IPSec Install callback... proceeding with the negotiation
.Mar 15 10:53:05: ISAKMP:(2016):Successfully installed IPSEC SA (SPI:0x45E1EB14) on Tunnel243104015
.Mar 15 10:53:05: ISAKMP:(2016): sending packet to 10.4.0.241 my_port 500 peer_port 500 (I) QM_IDLE
.Mar 15 10:53:05: ISAKMP:(2016):Sending an IKE IPv4 Packet.
.Mar 15 10:53:05: ISAKMP:(2016):deleting node -1636890170 error FALSE reason "No Error"
.Mar 15 10:53:05: ISAKMP:(2016):Node 2658077126, Input = IKE_MESG_FROM_IPSEC, IPSEC_INSTALL_DONE
.Mar 15 10:53:05: ISAKMP:(2016):Old State = IKE_QM_IPSEC_INSTALL_AWAIT New State = IKE_QM_PHASE2_COMPLETE
.Mar 15 10:53:05: %LINEPROTO-5-UPDOWN: Line protocol on Interface Cellular0, changed state to up
.Mar 15 10:53:06: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.243.104.2 (Tunnel243104015) is up: new adjacency
.Mar 15 10:53:06: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.243.104.1 (Tunnel243104015) is up: new adjacency
.Mar 15 10:53:06: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.110.104.2 (Tunnel110104015) is up: new adjacency
.Mar 15 10:53:06: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.110.104.1 (Tunnel110104015) is up: new adjacency
.Mar 15 10:53:54: ISAKMP:(0):purging node -823180107
.Mar 15 10:53:54: ISAKMP:(0):purging node 2146635587
.Mar 15 10:53:54: ISAKMP:(0):purging node -996914806
.Mar 15 10:53:54: ISAKMP:(0):purging node -2032265161
.Mar 15 10:53:55: ISAKMP:(2015):purging node -359590906
.Mar 15 10:53:55: ISAKMP:(2016):purging node -1636890170
XXXVR01_163#
XXXVR01_163#
XXXVR01_163#
.Mar 15 10:54:04: ISAKMP:(0):purging SA., sa=2163394, delme=2163394
.Mar 15 10:54:04: ISAKMP:(0):purging SA., sa=21671F4, delme=21671F4
.Mar 15 10:54:04: ISAKMP:(0):purging SA., sa=167C44C, delme=167C44C
.Mar 15 10:54:04: ISAKMP:(0):purging SA., sa=1051D2C4, delme=1051D2C4
XXXVR01_163#

so it looks like isakmp struggled to come up kept failing but then the packets went through and it peered eventually

IKE_QM_PHASE2_COMPLETE  - phase two completed and tunnel is up

can see it negotiating its authentication and hashing as well , do you still see it as ike in show dmvpn , does it show packets incrementing in encryption/decryption section  show crypto IPsec sa

is there NAT configured in this dmvpn design

Yes,

XXXVR01_163#show dmvp
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
T1 - Route Installed, T2 - Nexthop-override
C - CTS Capable
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel110104015, IPv4 NHRP Details
Type:Spoke, NHRP Peers:2,

# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 10.4.0.240 10.110.104.1 IKE 02:11:08 S
1 10.4.0.241 10.110.104.2 UP 02:11:08 S

Interface: Tunnel243104015, IPv4 NHRP Details
Type:Spoke, NHRP Peers:2,

# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 10.4.0.240 10.243.104.1 IKE 02:11:08 S
1 10.4.0.241 10.243.104.2 UP 02:11:08 S

There is no nat configured, and i see packets increments.


interface: Tunnel243104015
Crypto map tag: dmvpn-pro-head-1, local addr 10.13.160.25

protected vrf: (none)
local ident (addr/mask/prot/port): (10.13.160.25/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (10.4.0.241/255.255.255.255/47/0)
current_peer 10.4.0.241 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 3576, #pkts encrypt: 3576, #pkts digest: 3576
#pkts decaps: 3565, #pkts decrypt: 3565, #pkts verify: 3565
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

protected vrf: (none)
local ident (addr/mask/prot/port): (10.13.160.25/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (10.4.0.240/255.255.255.255/47/0)
current_peer 10.4.0.240 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 3696, #pkts encrypt: 3696, #pkts digest: 3696
#pkts decaps: 3687, #pkts decrypt: 3687, #pkts verify: 3687
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 10.13.160.25, remote crypto endpt.: 10.4.0.240

It looks like every thing is oke.

Here are the config of dmvpn hub and spoke (3G&4G)

3G works fine

don't see any issues in that config looks ok in terms of IPsec/dmvpn , the only thing I would suggest but this is not related to the issue is disable split-horizon under the tunnel on each spoke as using dynamic routing

if this was me I would collect a wireshark from working 3g and non working 4g and see if theres something noticeable happening when on 4g compared to 3g , the fact the same config basically works on each setup would suggest its something to do with either the 4g device its passing through or the actual 4g connection

did you check with the ISP providing the 4g that there not restricting any protocols or traffic which could effect dmvpn/IPsec

Mark,

Thanks for the info, we wil first check the provider. We wil first try to connect with 4G, and then look of the tunnels come correct up.

For now thanks.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: