IKE Phase1 issue

ittechk4u1
Level 4
Level 4

Hello Experts,

 

I am having an issue with Phase 1.

error logs:

 

Feb 15 06:49:45.824: ISAKMP-ERROR: (0):Diffie-Hellman group offered does not match policy!
.Feb 15 06:49:45.824: ISAKMP-ERROR: (0):atts are not acceptable. Next payload is 0
.Feb 15 06:49:45.824: ISAKMP-ERROR: (0):no offers accepted!
.Feb 15 06:49:45.824: ISAKMP-ERROR: (0):phase 1 SA policy not acceptable! (local 106.120.64.62 remote 195.243.205.104)
.Feb 15 06:49:45.824: ISAKMP-ERROR: (0):deleting SA reason "Phase1 SA policy proposal not accepted" state (I) MM_NO_STATE (peer 195.243.205.104)

 

Hub policy :

Global IKE policy
Protection suite of priority 10
encryption algorithm: Three key triple DES
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
Protection suite of priority 20
encryption algorithm: AES - Advanced Encryption Standard (256 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit

 

Spoke Policy:

Global IKE policy
Protection suite of priority 20
encryption algorithm: AES - Advanced Encryption Standard (256 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit

 

Tunnels are up for a few hours and then offline for a few hours. Do you guys have an idea to resolve the issue?

 

Thanks in advance.

15 Replies

balaji.bandi
Hall of Fame
Hall of Fame

Verify that the phase 1 policy is on both peers, and ensure that all the attributes match.

Encryption DES or 3DES
Hash MD5 or SHA
Diffie-Hellman Group 1 or 2
Authentication {rsa-sig | rsa-encr | pre-share}

 

here is the debug reference guide :

 

https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/5409-ipsec-debug-00.html#sem

 

Or you can post the full configuration of both devices to verify.

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help
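The advice above is to compare every Phase 1 attribute on both peers. As an added example (not part of this thread or of any Cisco tool), the Python below parses the two `show crypto isakmp policy` outputs quoted in the original post and reports which hub suite would accept the spoke's proposal; an empty list is the "no offers accepted!" condition seen in the logs.

```python
import re
# Constructed sample input: the "show crypto isakmp policy" output quoted in the
# original post (hub offers two suites, spoke offers one).
HUB_POLICY = """Global IKE policy
Protection suite of priority 10
encryption algorithm: Three key triple DES
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
Protection suite of priority 20
encryption algorithm: AES - Advanced Encryption Standard (256 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit"""
SPOKE_POLICY = """Global IKE policy
Protection suite of priority 20
encryption algorithm: AES - Advanced Encryption Standard (256 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit"""

# IKEv1 compares these four attributes; lifetime is not a hard criterion
# (Cisco documents that the shorter of the two lifetimes is used).
MATCHED = ("encryption", "hash", "authentication", "Diffie-Hellman")

def parse_policies(show_output):
    """Parse 'show crypto isakmp policy' text into {priority: {attribute: value}}."""
    suites, current = {}, None
    for line in show_output.splitlines():
        m = re.match(r"Protection suite of priority (\d+)", line)
        if m:
            current = suites.setdefault(int(m.group(1)), {})
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")
            current[key.split()[0]] = value.strip().rstrip(".")
    return suites

def matching_priorities(responder_text, initiator_text):
    """Map each initiator suite to the responder priorities that accept it, in the
    order the responder tries them; [] is the logs' 'no offers accepted!' case."""
    responder, initiator = parse_policies(responder_text), parse_policies(initiator_text)
    return {p: [rp for rp in sorted(responder)
                if all(responder[rp].get(a) == s.get(a) for a in MATCHED)]
            for p, s in initiator.items()}

print(matching_priorities(HUB_POLICY, SPOKE_POLICY))  # {20: [20]}
```

Changing the spoke's DH group in the sample input to `#2 (1024 bit)` makes the result `{20: []}`, which is the "Diffie-Hellman group offered does not match policy!" situation from the debug output.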

Hub Policy:

 

crypto isakmp policy 10
encr 3des
authentication pre-share
!
crypto isakmp policy 20
encr aes 256
authentication pre-share

 

Spoke Policy:

 

crypto isakmp policy 20
encr aes 256
authentication pre-share

 

Thanks

Since you have more policies on the Hub, I would like to see the full config to determine what is wrong.

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hello,

 

try and disable volume based rekeying

 

VPN(config)#crypto ipsec security-association lifetime kilobytes disable

 

or set the lifetime to 30 days:

 

VPN(config)#crypto ipsec security-association lifetime days 30

 

or increase the replay window size:

VPN(config)#crypto ipsec security-association replay window-size 1024

 

or disable it altogether:

 

VPN(config)#crypto ipsec security-association replay disable

I tried them all. Still the same issue.

grabonlee
Level 4
Level 4

It's clearly obvious that there's a mismatch in your Phase 1 parameters between Hub and Spoke. You have multiple crypto configs, but the output for show crypto isakmp policy on the Hub only shows policy 10, which uses 3DES and is different from the Spoke, which uses AES.

Hello,

 

On a side note, check the NTP/clock settings on both ends: are both running the same time?

 

sh ntp associations detail

show clock

Hi

It looks like IKEv1. Could you please provide the configuration of phase 1 on both sides, and also verify the key used to authenticate this phase.

Is it S2S VPN or are you configuring GETVPN?

 
>> Mark as helpful or answered if the reply resolved the question; this helps future queries from other community members. <<

It's DMVPN...

 

 

crypto isakmp policy 10
encr 3des
authentication pre-share
!
crypto isakmp policy 20
encr aes 256
authentication pre-share

 

Spoke Policy:

 

crypto isakmp policy 20
encr aes 256
authentication pre-share

 

 

Keys are the same on both sides.

Thank you. Is there any firewall, ACL or NAT between the devices? Is it possible to share the configuration, removing the sensitive info (like IPs and keys), and the topology?

>> Mark as helpful or answered if the reply resolved the question; this helps future queries from other community members. <<

Issue is not with firewall/ACL.

 

Tunnel works for a few hours and then goes offline for a few hours!!

 

 

There are several things in this discussion that puzzle me. First in the original post there are these logs

Feb 15 06:49:45.824: ISAKMP-ERROR: (0):Diffie-Hellman group offered does not match policy!
.Feb 15 06:49:45.824: ISAKMP-ERROR: (0):atts are not acceptable. Next payload is 0
.Feb 15 06:49:45.824: ISAKMP-ERROR: (0):no offers accepted!

 

but in the partial configs that are provided it is clear that DH does match. So are these logs about some different vpn? or what??

 

Then in a recent update to the discussion the original poster tells us that

Tunnel works for a few hours and then goes offline for a few hours

We do not have much detail to work with but my first suggestion is that perhaps this is normal operation. If there is some interesting traffic then the tunnel comes up and stays up for several hours. If interesting traffic does not continue then the lifetime expires and the tunnel comes down. While there is not more interesting traffic the tunnel remains down. After several hours there is interesting traffic and the tunnel comes up. And the cycle repeats.

 

HTH

 

Rick


Thanks for response...

 

 

Based on the recent config, I see nothing wrong. The confusion is that your previous logs showed a mismatch in crypto policies.

 

You had previously mentioned that the tunnel is up for about 7 hours, which to me is long, and an interface flap can cause a brief interruption.

 

Is the 7-hour duration constant, or does the tunnel go down at different time intervals?

How long does it stay down?

Is the tunnel down for only Hub1, while Hub2 stays up?

 

Could you post the following:

 

1. show crypto isakmp sa detail

2. show crypto ipsec sa detail

3. sh ip eigrp neighbors

4. show crypto ipsec sa
