02-14-2019 11:02 PM
Hello Experts,
I am having an issue with Phase 1.
error logs:
Hub policy :
Spoke Policy:
Tunnels are up for a few hours and then offline for a few hours. Do you guys have an idea how to resolve the issue?
Thanks in advance.
02-14-2019 11:09 PM
Verify that the phase 1 policy is on both peers, and ensure that all the attributes match.
Encryption: DES or 3DES
Hash: MD5 or SHA
Diffie-Hellman: Group 1 or 2
Authentication: {rsa-sig | rsa-encr | pre-share}
here is the debug reference guide :
Or you can post the full configuration of both devices to verify.
02-14-2019 11:13 PM
Hub Policy:
Spoke Policy:
Thanks
02-15-2019 12:00 AM
Since you have more policies on the Hub, I would like to see the full config to determine what is wrong.
02-15-2019 12:51 AM
Hello,
try and disable volume based rekeying
VPN(config)#crypto ipsec security-association lifetime kilobytes disable
or set the lifetime to 30 days:
VPN(config)#crypto ipsec security-association lifetime days 30
or increase the replay window size:
VPN(config)#crypto ipsec security-association replay window-size 1024
or disable it altogether:
VPN(config)#crypto ipsec security-association replay disable
02-15-2019 01:08 AM
I tried all. Still same issue..
02-16-2019 01:19 PM
It's clearly obvious that there's a mismatch in your Phase 1 parameters between Hub and Spoke. You have multiple crypto configs, but the output for show crypto isakmp policy on the Hub only shows policy 10, which uses 3DES and is different from the Spoke, which uses AES.
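Added example (not part of any reply in this thread): a Python check for the kind of mismatch described above, comparing the four Phase 1 attributes listed earlier between two `show crypto isakmp policy` outputs. The sample outputs are constructed, since the thread's own policy output was not preserved, and the function names are this example's own.

```python
import re

# Constructed sample in the layout printed by `show crypto isakmp policy`;
# the outputs originally posted in the thread are not available.
HUB_OUTPUT = """\
Global IKE policy
Protection suite of priority 10
        encryption algorithm:   Three key triple DES
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit
"""

# Constructed spoke output: same suite, but AES instead of 3DES.
SPOKE_OUTPUT = HUB_OUTPUT.replace(
    "Three key triple DES", "AES - Advanced Encryption Standard (256 bit keys).")

# Attributes that have to be identical on both peers for a proposal to be accepted.
MATCH_KEYS = ("encryption algorithm", "hash algorithm",
              "authentication method", "Diffie-Hellman group")

def parse_policies(text):
    """Return {priority: {attribute: value}} from the policy listing."""
    policies, current = {}, None
    for line in text.splitlines():
        head = re.match(r"\s*Protection suite of priority (\d+)", line)
        if head:
            current = policies.setdefault(int(head.group(1)), {})
        elif ":" not in line:
            current = None  # other headers, e.g. "Default protection suite"
        elif current is not None:
            key, value = line.split(":", 1)
            current[key.strip()] = value.strip()
    return policies

def common_proposals(a, b):
    """Pairs (priority_a, priority_b) whose four Phase 1 attributes all match."""
    return [(pa, pb) for pa, sa in sorted(a.items()) for pb, sb in sorted(b.items())
            if all(sa.get(k) is not None and sa.get(k) == sb.get(k) for k in MATCH_KEYS)]

def mismatches(sa, sb):
    """Attributes that differ between two protection suites."""
    return [k for k in MATCH_KEYS if sa.get(k) != sb.get(k)]

if __name__ == "__main__":
    hub, spoke = parse_policies(HUB_OUTPUT), parse_policies(SPOKE_OUTPUT)
    print("matching pairs:", common_proposals(hub, spoke))
    print("policy 10 differs in:", mismatches(hub[10], spoke[10]))
```

An empty list of matching pairs means no Phase 1 proposal from one peer can be accepted by the other, which is the condition the "no offers accepted!" log line reports.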
02-17-2019 12:33 AM
Hello,
on a side note, check the NTP/clock settings on both ends. Are both running the same time?
sh ntp associations detail
show clock
02-17-2019 08:27 AM - edited 02-17-2019 08:28 AM
Hi
It looks like IKEv1. Could you please provide the configuration of phase 1 on both sides, and also verify the key used to authenticate this phase?
Is it S2S VPN or are you configuring GETVPN?
02-18-2019 01:35 AM
It's DMVPN...
Spoke Policy:
Keys are the same on both sides.
02-18-2019 03:37 AM - edited 02-18-2019 03:39 AM
Thank you. Is there any firewall, ACL or NAT between the devices? Is it possible to share the configuration, with the sensitive info (like IPs and keys) removed, and the topology?
02-18-2019 04:26 AM
The issue is not with the firewall/ACL.
Tunnel works for few hours and then goes offline for few hours!!
02-18-2019 07:35 AM
There are several things in this discussion that puzzle me. First in the original post there are these logs
Feb 15 06:49:45.824: ISAKMP-ERROR: (0):Diffie-Hellman group offered does not match policy!
.Feb 15 06:49:45.824: ISAKMP-ERROR: (0):atts are not acceptable. Next payload is 0
.Feb 15 06:49:45.824: ISAKMP-ERROR: (0):no offers accepted!
but in the partial configs that are provided it is clear that DH does match. So are these logs about some different vpn? or what??
Then in a recent update to the discussion the original poster tells us that
Tunnel works for few hours and then goes offline for few hours
We do not have much detail to work with but my first suggestion is that perhaps this is normal operation. If there is some interesting traffic then the tunnel comes up and stays up for several hours. If interesting traffic does not continue then the lifetime expires and the tunnel comes down. While there is not more interesting traffic the tunnel remains down. After several hours there is interesting traffic and the tunnel comes up. And the cycle repeats.
HTH
Rick
02-18-2019 09:48 PM - edited 02-19-2019 09:36 PM
Thanks for response...
02-19-2019 10:57 AM
Based on the recent config, I see nothing wrong. The confusion is that your previous logs showed a mismatch in crypto policies.
You had previously mentioned that the tunnel is up for about 7 hours, which to me is long, and an interface flap can cause a brief interruption.
Is the 7-hour duration constant, or does the tunnel go down at different time intervals?
How long does it stay down?
Is the tunnel down for only Hub1, while Hub2 stays up?
Could you post the following:
1. show crypto isakmp sa detail
2. show crypto ipsec sa detail
3. sh ip eigrp neighbors
4. show crypto ipsec sa