
Who Me Too'd this topic

ISAKMP and IPSEC

ak646j
Beginner

My association is not coming up with the following configuration. Please suggest.

crypto isakmp policy 2
 encr aes 256
 hash sha256
 authentication pre-share
 group 14

crypto isakmp key XXXXX address <IP Address>

crypto ipsec transform-set aes256 esp-aes 256 esp-sha256-hmac
 mode tunnel

crypto map bun 14 ipsec-isakmp
 description <description>
 set peer <Peer IP>
 set transform-set aes256
 match address <IP Extended list>

 

Although the tunnel is up with the parameters below:

==========================================

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2

crypto ipsec transform-set CSC-3DES esp-3des esp-md5-hmac

 

IOS used on the routers:

====================

Router-1 Image - System image file is "bootflash:asr1000-universalk9.16.03.06.SPA.bin"


Router-2 Image - System image file is "bootflash:asr1000rp1-adventerprisek9.03.16.05.S.155-3.S5-ext.bi"

 

Does anyone have any clue why our IPsec is not coming up?

Here are the debug logs.

==============DEBUG LOGS=======================

to 20.138.247.37 my_port 500 peer_port 500 (R) QM_IDLE      
585056: Aug 14 09:06:40.481 GMT: ISAKMP: (53194):Sending an IKE IPv4 Packet.
585057: Aug 14 09:06:40.482 GMT: ISAKMP: (53194):Node 4100728720, Input = IKE_MESG_FROM_IPSEC, IPSEC_INSTALL_DONE
585058: Aug 14 09:06:40.482 GMT: ISAKMP: (53194):Old State = IKE_QM_IPSEC_INSTALL_AWAIT  New State = IKE_QM_R_QM2
585059: Aug 14 09:06:40.808 GMT: ISAKMP-PAK: (53194):received packet from 20.138.247.37 dport 500 sport 500 Global (R) QM_IDLE      
585060: Aug 14 09:06:40.808 GMT: ISAKMP: (53194):set new node 3710995957 to QM_IDLE      
585061: Aug 14 09:06:40.808 GMT: ISAKMP: (53194):processing HASH payload. message ID = 3710995957
585062: Aug 14 09:06:40.808 GMT: ISAKMP: (53194):processing DELETE payload. message ID = 3710995957
585063: Aug 14 09:06:40.808 GMT: ISAKMP: (53194):deleting other-spi 3332117770 message ID = 4100728720
585064: Aug 14 09:06:40.808 GMT: ISAKMP-ERROR: (53194):deleting node 4100728720 error TRUE reason "Delete Larval"
585065: Aug 14 09:06:40.808 GMT: ISAKMP: (53194):peer does not do paranoid keepalives.
585066: Aug 14 09:06:40.808 GMT: ISAKMP: (53194):Enqueued KEY_MGR_DELETE_SAS for IPSEC SA (SPI:0xC69C150A)
585067: Aug 14 09:06:40.808 GMT: ISAKMP: (53194):deleting node 3710995957 error FALSE reason "Informational (in) state 1"
585068: Aug 14 09:06:40.808 GMT: ISAKMP-ERROR: (0):Failed to find peer index node to update peer_info_list
585069: Aug 14 09:06:40.977 GMT: %FMANFP-6-IPACCESSLOGP: SIP0: fman_fp_image:  list INET-Filter-IN denied tcp 41.239.197.126(26022) -> 20.139.3.37(23), 1 packet
585070: Aug 14 09:06:41.718 GMT: ISAKMP: (53194):retransmitting phase 2 QM_IDLE       2951673060 ...
585071: Aug 14 09:06:41.718 GMT: ISAKMP: (53194):: incrementing error counter on node, attempt 4 of 5: retransmit phase 2
585072: Aug 14 09:06:41.718 GMT: ISAKMP: (53194):retransmitting phase 2 2951673060 QM_IDLE      
585073: Aug 14 09:06:41.718 GMT: ISAKMP-PAK: (53194):sending packet to 20.138.247.37 my_port 500 peer_port 500 (R) QM_IDLE      
585074: Aug 14 09:06:41.718 GMT: ISAKMP: (53194):Sending an IKE IPv4 Packet.
585075: Aug 14 09:06:41.918 GMT: ISAKMP: (53194):retransmitting phase 2 QM_IDLE       2125402457 ...
585076: Aug 14 09:06:41.918 GMT: ISAKMP: (53194):: incrementing error counter on node, attempt 3 of 5: retransmit phase 2
585077: Aug 14 09:06:41.918 GMT: ISAKMP: (53194):retransmitting phase 2 2125402457 QM_IDLE      
585078: Aug 14 09:06:41.918 GMT: ISAKMP-PAK: (53194):sending packet to 20.138.247.37 my_port 500 peer_port 500 (R) QM_IDLE      
585079: Aug 14 09:06:41.918 GMT: ISAKMP: (53194):Sending an IKE IPv4 Packet.
585080: Aug 14 09:06:46.027 GMT: %FMANFP-6-IPACCESSLOGP: SIP0: fman_fp_image:  list INET-Filter-IN denied udp 37.49.231.171(5327) -> 20.139.3.37(5070), 1 packet
585081: Aug 14 09:06:51.718 GMT: ISAKMP: (53194):retransmitting phase 2 QM_IDLE       2951673060 ...
585082: Aug 14 09:06:51.718 GMT: ISAKMP: (53194):: incrementing error counter on node, attempt 5 of 5: retransmit phase 2
585083: Aug 14 09:06:51.718 GMT: ISAKMP: (53194):retransmitting phase 2 2951673060 QM_IDLE      
585084: Aug 14 09:06:51.718 GMT: ISAKMP-PAK: (53194):sending packet to 20.138.247.37 my_port 500 peer_port 500 (R) QM_IDLE      
585085: Aug 14 09:06:51.718 GMT: ISAKMP: (53194):Sending an IKE IPv4 Packet.
585086: Aug 14 09:06:51.918 GMT: ISAKMP: (53194):retransmitting phase 2 QM_IDLE       2125402457 ...
585087: Aug 14 09:06:51.918 GMT: ISAKMP: (53194):: incrementing error counter on node, attempt 4 of 5: retransmit phase 2
585088: Aug 14 09:06:51.918 GMT: ISAKMP: (53194):retransmitting phase 2 2125402457 QM_IDLE      
585089: Aug 14 09:06:51.918 GMT: ISAKMP-PAK: (53194):sending packet to 20.138.247.37 my_port 500 peer_port 500 (R) QM_IDLE      
585090: Aug 14 09:06:51.918 GMT: ISAKMP: (53194):Sending an IKE IPv4 Packet.
585091: Aug 14 09:06:52.045 GMT: ISAKMP: (53194):purging node 1815614818
585092: Aug 14 09:06:57.350 GMT: ISAKMP: (53194):purging node 774373182
585093: Aug 14 09:06:57.350 GMT: ISAKMP: (53194):purging node 1530294766
585094: Aug 14 09:07:00.077 GMT: ISAKMP: (53194):set new node 0 to QM_IDLE      
585095: Aug 14 09:07:00.077 GMT: ISAKMP: (53194):SA has outstanding requests  (local 20.139.3.37 port 500, remote 20.138.247.37 port 500)
585096: Aug 14 09:07:00.077 GMT: ISAKMP: (53194):sitting IDLE. Starting QM immediately (QM_IDLE      )
585097: Aug 14 09:07:00.077 GMT: ISAKMP: (53194):beginning Quick Mode exchange, M-ID of 2742021518
585098: Aug 14 09:07:00.077 GMT: ISAKMP: (53194):QM Initiator gets spi
585099: Aug 14 09:07:00.078 GMT: ISAKMP-PAK: (53194):sending packet to 20.138.247.37 my_port 500 peer_port 500 (R) QM_IDLE      
585100: Aug 14 09:07:00.078 GMT: ISAKMP: (53194):Sending an IKE IPv4 Packet.
585101: Aug 14 09:07:00.078 GMT: ISAKMP: (53194):Node 2742021518, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
585102: Aug 14 09:07:00.078 GMT: ISAKMP: (53194):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
585103: Aug 14 09:07:00.404 GMT: ISAKMP-PAK: (53194):received packet from 20.138.247.37 dport 500 sport 500 Global (R) QM_IDLE      
585104: Aug 14 09:07:00.404 GMT: ISAKMP: (53194):set new node 1646157093 to QM_IDLE      
585105: Aug 14 09:07:00.404 GMT: ISAKMP: (53194):processing HASH payload. message ID = 1646157093
585106: Aug 14 09:07:00.404 GMT: ISAKMP: (53194):processing DELETE payload. message ID = 1646157093
585107: Aug 14 09:07:00.404 GMT: ISAKMP: (53194):peer does not do paranoid keepalives.
585108: Aug 14 09:07:00.405 GMT: ISAKMP: (53194):Enqueued KEY_MGR_DELETE_SAS for IPSEC SA (SPI:0x7392EE0)
585109: Aug 14 09:07:00.405 GMT: ISAKMP: (53194):deleting node 1646157093 error FALSE reason "Informational (in) state 1"
585110: Aug 14 09:07:01.717 GMT: ISAKMP: (53194):retransmitting phase 2 QM_IDLE       2951673060 ...
585111: Aug 14 09:07:01.717 GMT: ISAKMP-ERROR: (53194):deleting node 2951673060 error TRUE reason "Phase 2 err count exceeded"
585112: Aug 14 09:07:01.717 GMT: ISAKMP-ERROR: (53194):QM node retransmission timeout, deleting IKE SA immediately
585113: Aug 14 09:07:01.717 GMT: ISAKMP: (53194):peer does not do paranoid keepalives.
585114: Aug 14 09:07:01.717 GMT: ISAKMP-ERROR: (53194):deleting SA reason "Death by retransmission P2" state (R) QM_IDLE       (peer 20.138.247.37)
585115: Aug 14 09:07:01.717 GMT: ISAKMP: (53194):set new node 1412544931 to QM_IDLE      
585116: Aug 14 09:07:01.717 GMT: ISAKMP-PAK: (53194):sending packet to 20.138.247.37 my_port 500 peer_port 500 (R) QM_IDLE      
585117: Aug 14 09:07:01.718 GMT: ISAKMP: (53194):Sending an IKE IPv4 Packet.
585118: Aug 14 09:07:01.718 GMT: ISAKMP: (53194):purging node 1412544931
585119: Aug 14 09:07:01.718 GMT: ISAKMP: (53194):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
585120: Aug 14 09:07:01.718 GMT: ISAKMP: (53194):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA
585121: Aug 14 09:07:01.718 GMT: ISAKMP-ERROR: (53194):deleting SA reason "Death by retransmission P2" state (R) QM_IDLE       (peer 20.138.247.37)
585122: Aug 14 09:07:01.718 GMT: ISAKMP: (0):Unlocking peer struct 0x7FDFCFF49EF8 for isadb_mark_sa_deleted(), count 0
585123: Aug 14 09:07:01.718 GMT: ISAKMP: (0):Deleting peer node by peer_reap for 20.138.247.37: 7FDFCFF49EF8
585124: Aug 14 09:07:01.718 GMT: ISAKMP: (53194):deleting node 2125402457 error FALSE reason "IKE deleted"
585125: Aug 14 09:07:01.718 GMT: ISAKMP: (53194):deleting node 2742021518 error FALSE reason "IKE deleted"
585126: Aug 14 09:07:01.718 GMT: ISAKMP: (53194):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
585127: Aug 14 09:07:01.718 GMT: ISAKMP: (53194):Old State = IKE_DEST_SA  New State = IKE_DEST_SA
585128: Aug 14 09:07:02.037 GMT: ISAKMP-PAK: (53194):received packet from 20.138.247.37 dport 500 sport 500 Global (R) MM_NO_STATE
585129: Aug 14 09:07:02.241 GMT: %FMANFP-6-IPACCESSLOGP: SIP0: fman_fp_image:  list INET-Filter-IN denied tcp 146.185.222.28(48089) -> 20.139.3.37(12902), 1 packet
585130: Aug 14 09:07:02.245 GMT: ISAKMP: (53194):purging node 2865639406

=====================================================
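The debug output above shows phase 1 reaching IKE_P1_COMPLETE while every Quick Mode node retransmits until "Death by retransmission P2". The parser below is an added example, not part of the post; it runs over a constructed, abridged sample in the same debug format (node IDs and peer address copied from the post) and reports per-node retransmit counts, DELETE payloads received from the peer, and whether the failure is a phase 2 timeout.

```python
import re
from collections import defaultdict

# Constructed sample in the ISAKMP debug format of the post above (node IDs and
# peer address taken from the post; the sequence is abridged).
SAMPLE_LOG = """\
585075: Aug 14 09:06:41.918 GMT: ISAKMP: (53194):retransmitting phase 2 QM_IDLE       2125402457 ...
585076: Aug 14 09:06:41.918 GMT: ISAKMP: (53194):: incrementing error counter on node, attempt 3 of 5: retransmit phase 2
585081: Aug 14 09:06:51.718 GMT: ISAKMP: (53194):retransmitting phase 2 QM_IDLE       2951673060 ...
585082: Aug 14 09:06:51.718 GMT: ISAKMP: (53194):: incrementing error counter on node, attempt 5 of 5: retransmit phase 2
585106: Aug 14 09:07:00.404 GMT: ISAKMP: (53194):processing DELETE payload. message ID = 1646157093
585114: Aug 14 09:07:01.717 GMT: ISAKMP-ERROR: (53194):deleting SA reason "Death by retransmission P2" state (R) QM_IDLE       (peer 20.138.247.37)
585120: Aug 14 09:07:01.718 GMT: ISAKMP: (53194):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA
"""

RETRANS = re.compile(r"retransmitting phase 2 QM_IDLE\s+(\d+) \.\.\.")
ATTEMPT = re.compile(r"attempt (\d+) of (\d+): retransmit phase 2")
DELETE_PAYLOAD = re.compile(r"processing DELETE payload")
SA_DELETE = re.compile(r'deleting SA reason "([^"]+)".*\(peer ([\d.]+)\)')
P1_COMPLETE = re.compile(r"Old State = IKE_P1_COMPLETE")


def analyze_isakmp_debug(text):
    """Summarise Quick Mode retransmits per node and the final SA teardown reason."""
    attempts = defaultdict(int)   # QM node (message ID) -> highest attempt seen
    limit = None                  # retransmit limit reported by IOS ("of 5")
    current_node = None           # an 'attempt' line follows its 'retransmitting' line
    peer_deletes = 0              # DELETE payloads received from the peer
    phase1_done = False
    sa_deletes = []               # (reason, peer) pairs
    for line in text.splitlines():
        if m := RETRANS.search(line):
            current_node = m.group(1)
        elif (m := ATTEMPT.search(line)) and current_node:
            attempts[current_node] = max(attempts[current_node], int(m.group(1)))
            limit = int(m.group(2))
        elif DELETE_PAYLOAD.search(line):
            peer_deletes += 1
        elif m := SA_DELETE.search(line):
            sa_deletes.append((m.group(1), m.group(2)))
        elif P1_COMPLETE.search(line):
            phase1_done = True
    exhausted = [n for n, a in attempts.items() if limit and a >= limit]
    # Phase 1 completed but Quick Mode never got an answer: look at the IPsec
    # proposal (transform set, PFS, proxy ACL on both peers), not IKE authentication.
    phase2_timeout = phase1_done and bool(exhausted) and any(
        "retransmission P2" in reason for reason, _ in sa_deletes)
    return {"phase1_complete": phase1_done, "qm_attempts": dict(attempts),
            "exhausted_nodes": exhausted, "peer_delete_payloads": peer_deletes,
            "sa_delete_reasons": sa_deletes, "phase2_timeout": phase2_timeout}
```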
