ISAKMP Phase 1 getting stuck at ISAKMP: callback: no SA found for 0.0.0.0/0

mbadali
Level 1

I'm trying to connect an IPSec tunnel to an external site based on the following document.

http://www.cisco.com/en/US/customer/tech/tk583/tk372/technologies_configuration_example09186a0080143b0a.shtml

I've set this up successfully in the lab with four routers (2 hubs and 2 sites) and am now trying to set up the connection to an external site. When Phase 1 negotiation starts, ISAKMP states the following errors (no SA found for 0.0.0.0/0.0.0.0 [vrf 0]). The only thing different between the lab and prod configs is the external addresses (private (lab) vs. public (production)). Obviously the new prod config is using a publicly routable address in fa 2/0. I'm wondering if the router recognizes that and is trying to use VRF. I was intending on doing this without VRF. The ISAKMP negotiation stops immediately after the router states that ISAKMP is ON.

To wake up the process I remove and re-add the crypto map to the interface.

r12(config)#int fa 2/0

r12(config-if)#no cry

r12(config-if)#no crypto m

r12(config-if)#no crypto map B2B

r12(config-if)#

*Jul 28 09:54:22.848: ISAKMP: callback: no SA found for 0.0.0.0/0.0.0.0 [vrf 0]

*Jul 28 09:54:22.848: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF

r12(config-if)#crypto map B2B

r12(config-if)#

*Jul 28 09:54:31.036: ISAKMP: callback: no SA found for 0.0.0.0/0.0.0.0 [vrf 0]

*Jul 28 09:54:31.036: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

The following debugging was turned on for the above messages:

r12#sho debugging

Cryptographic Subsystem:

Crypto ISAKMP debugging is on

Crypto Engine debugging is on

Crypto Routing debugging is on

Crypto IPSEC debugging is on

Any suggestions would be helpful. Thank you.

Pertinent Config (7206 with an SA-VAM):

crypto isakmp policy 4

authentication pre-share

crypto isakmp key xxxxxx address x.y.z.a

crypto isakmp key xxxxxx address x.y.z.b

crypto isakmp invalid-spi-recovery

!

!

crypto ipsec transform-set encrypt-traffic-des esp-des esp-md5-hmac

crypto ipsec transform-set encrypt-traffic-3des esp-3des esp-md5-hmac

!

crypto map B2B local-address FastEthernet2/0

crypto map B2B 20 ipsec-isakmp

set peer x.y.z.a

set transform-set encrypt-traffic-des

match address site1

crypto map B2B 30 ipsec-isakmp

set peer x.y.z.b

set transform-set encrypt-traffic-des

match address test

!

!

!

interface FastEthernet2/0

description Internet Facing Interface

ip address 2.2.2.2 255.255.255.192

crypto map B2B
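Added example, not part of the original post and not Cisco tooling: a Python check that cross-references each crypto map entry in an IOS config against the pre-shared keys, transform sets, access lists and interface bindings found in the same text, and flags DES and HMAC-MD5 transforms. The sample config is constructed from the posted one with placeholder peers (192.0.2.x); the function name `audit_crypto_map` and the wording of the findings are assumptions of this example.

```python
import re
# Constructed sample modelled on the posted config; peers are placeholders
# and entry 30 is broken on purpose to exercise the checks.
SAMPLE = """\
crypto isakmp key xxxxxx address 192.0.2.10
crypto ipsec transform-set encrypt-traffic-des esp-des esp-md5-hmac
crypto map B2B 20 ipsec-isakmp
 set peer 192.0.2.10
 set transform-set encrypt-traffic-des
 match address site1
crypto map B2B 30 ipsec-isakmp
 set peer 192.0.2.20
 set transform-set encrypt-traffic-3des
 match address test
interface FastEthernet2/0
 crypto map B2B
ip access-list extended site1
"""
DEPRECATED = {"esp-des", "esp-md5-hmac"}  # single DES and HMAC-MD5 for ESP

def audit_crypto_map(config):
    """Return one finding per unresolved or deprecated crypto map reference."""
    keys, tsets, acls, applied, entries = set(), {}, set(), set(), []
    for line in (raw.strip() for raw in config.splitlines()):
        if m := re.match(r"crypto isakmp key \S+ address (\S+)", line):
            keys.add(m[1])
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
            tsets[m[1]] = set(m[2].split())
        elif m := re.match(r"crypto map (\S+) (\d+) ipsec-isakmp", line):
            entries.append({"id": f"{m[1]} {m[2]}", "map": m[1]})
        elif m := re.match(r"(?:ip access-list extended|access-list) (\S+)", line):
            acls.add(m[1])
        elif m := re.fullmatch(r"crypto map (\S+)", line):  # interface form
            applied.add(m[1])
        elif entries and (m := re.match(r"(set peer|set transform-set|match address) (\S+)", line)):
            entries[-1][m[1]] = m[2]  # sub-command of the latest map entry
    findings = []
    for e in entries:
        peer, ts, acl = e.get("set peer"), e.get("set transform-set"), e.get("match address")
        if peer not in keys and "0.0.0.0" not in keys:  # 0.0.0.0 = wildcard key
            findings.append(f"{e['id']}: no pre-shared key for peer {peer}")
        if ts not in tsets:
            findings.append(f"{e['id']}: transform-set {ts} is not defined")
        elif weak := sorted(tsets[ts] & DEPRECATED):
            findings.append(f"{e['id']}: {ts} uses {', '.join(weak)}")
        if acl not in acls:
            findings.append(f"{e['id']}: access list {acl} is not defined")
        if e["map"] not in applied:
            findings.append(f"{e['id']}: crypto map is not applied to an interface")
    return findings
```

Calling `audit_crypto_map(SAMPLE)` returns four findings: the DES/MD5 transform set on entry 20, and the missing key, transform set and access list on entry 30. Because the parser strips leading whitespace, it also accepts a config pasted without indentation.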

1 Reply

umedryk
Level 5

This looks like a timeout error. Did you change any timer on the PIX from its default value?