Enthusiast

IKE Phase1 issue

Hello Experts,

I am having an issue with Phase 1.

Error logs:

Feb 15 06:49:45.824: ISAKMP-ERROR: (0):Diffie-Hellman group offered does not match policy!
.Feb 15 06:49:45.824: ISAKMP-ERROR: (0):atts are not acceptable. Next payload is 0
.Feb 15 06:49:45.824: ISAKMP-ERROR: (0):no offers accepted!
.Feb 15 06:49:45.824: ISAKMP-ERROR: (0):phase 1 SA policy not acceptable! (local 106.120.64.62 remote 195.243.205.104)
.Feb 15 06:49:45.824: ISAKMP-ERROR: (0):deleting SA reason "Phase1 SA policy proposal not accepted" state (I) MM_NO_STATE (peer 195.243.205.104)

Hub policy:

Global IKE policy
Protection suite of priority 10
encryption algorithm: Three key triple DES
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
Protection suite of priority 20
encryption algorithm: AES - Advanced Encryption Standard (256 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit

Spoke Policy:

Global IKE policy
Protection suite of priority 20
encryption algorithm: AES - Advanced Encryption Standard (256 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit

The tunnel is up for a few hours and then offline for a few hours. Do you guys have an idea how to resolve the issue?

Thanks in advance.

VIP Advisor

Re: IKE Phase1 issue

Verify that the phase 1 policy is on both peers, and ensure that all the attributes match.

Encryption DES or 3DES
Hash MD5 or SHA
Diffie-Hellman Group 1 or 2
Authentication {rsa-sig | rsa-encr | pre-share}

Here is the debug reference guide:

https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/5409-ipsec-debug-00.html#sem

Or you can post the full configuration of both devices to verify.

BB
*** Rate All Helpful Responses ***
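To make the "all attributes must match" check concrete, here is an added Python example (not code from this thread or from Cisco) that parses the "show crypto isakmp policy" output posted above for the hub and the spoke and replays the IOS IKEv1 selection rule the way Cisco documents it: the responder walks its own policies in priority order and accepts the first one whose encryption, hash, authentication and DH group equal an offered policy, with lifetime allowed to be shorter on the offering side. It also reports, per offer/policy pair, which attribute broke the match (the same reasons the ISAKMP-ERROR lines give) and flags DH group 1 and 3DES as settings to retire. The third sample input (a spoke offering only DH group 14) and the helper names are constructed for this example and are not from the thread.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the hub and spoke "show crypto isakmp policy" output as posted.
HUB_POLICY = """\
Global IKE policy
Protection suite of priority 10
encryption algorithm: Three key triple DES
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
Protection suite of priority 20
encryption algorithm: AES - Advanced Encryption Standard (256 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
"""
SPOKE_POLICY = """\
Global IKE policy
Protection suite of priority 20
encryption algorithm: AES - Advanced Encryption Standard (256 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
"""
# Constructed: a spoke that only offers DH group 14, which the hub above never configures.
MISMATCHED_SPOKE_POLICY = SPOKE_POLICY.replace("#1 (768 bit)", "#14 (2048 bit)")


@dataclass(frozen=True)
class IkePolicy:
    priority: int
    encryption: str
    hash_alg: str
    auth: str
    dh_group: int
    lifetime: int  # seconds


FIELDS = {"encryption algorithm": "encryption", "hash algorithm": "hash_alg",
          "authentication method": "auth"}
ATTRS = ("encryption", "hash_alg", "auth", "dh_group")


def parse_isakmp_policies(text):
    """Parse 'show crypto isakmp policy' output into IkePolicy objects, lowest priority number first."""
    policies, cur = [], None
    for line in text.splitlines():
        m = re.match(r"Protection suite of priority (\d+)", line.strip())
        if m:
            if cur:
                policies.append(IkePolicy(**cur))
            cur = {"priority": int(m.group(1))}
            continue
        key, _, val = line.strip().partition(":")
        if cur is None or not val:
            continue  # header line, blank line, or text before the first suite
        val = val.strip()
        if key in FIELDS:
            cur[FIELDS[key]] = val
        elif key == "Diffie-Hellman group":
            cur["dh_group"] = int(re.search(r"#(\d+)", val).group(1))
        elif key == "lifetime":
            cur["lifetime"] = int(re.search(r"(\d+) seconds", val).group(1))
    if cur:
        policies.append(IkePolicy(**cur))
    return sorted(policies, key=lambda p: p.priority)


def negotiate(initiator, responder):
    """IOS IKEv1 rule: responder checks its policies in priority order and takes the first one
    matching an offer on all of ATTRS; the offer's lifetime may be shorter but not longer, and
    the shorter lifetime is used. Returns (responder_policy, offer, lifetime) or None."""
    for r in responder:
        for i in initiator:
            if all(getattr(i, a) == getattr(r, a) for a in ATTRS) and i.lifetime <= r.lifetime:
                return r, i, i.lifetime
    return None  # "no offers accepted!"


def mismatches(initiator, responder):
    """List the differing attributes for every offer/policy pair of a failed negotiation."""
    report = []
    for r in responder:
        for i in initiator:
            diffs = [a for a in ATTRS if getattr(i, a) != getattr(r, a)]
            if i.lifetime > r.lifetime:
                diffs.append("lifetime")
            report.append((i.priority, r.priority, tuple(diffs)))
    return report


def weak_settings(policies):
    """Audit: DH groups below 2048 bits (1, 2, 5) and DES/3DES should be retired even if they negotiate."""
    findings = []
    for p in policies:
        if p.dh_group in (1, 2, 5):
            findings.append(f"policy {p.priority}: DH group {p.dh_group} is below 2048 bits, use group 14 or higher")
        if re.search(r"\bDES\b", p.encryption):
            findings.append(f"policy {p.priority}: {p.encryption} is deprecated, use AES")
    return findings


if __name__ == "__main__":
    hub = parse_isakmp_policies(HUB_POLICY)
    for name, text in (("spoke", SPOKE_POLICY), ("mismatched spoke", MISMATCHED_SPOKE_POLICY)):
        spoke = parse_isakmp_policies(text)
        result = negotiate(spoke, hub)  # the spoke initiates to the hub
        if result:
            print(f"{name}: hub policy {result[0].priority} accepts spoke policy {result[1].priority}")
        else:
            print(f"{name}: no offers accepted")
            for i_pri, r_pri, diffs in mismatches(spoke, hub):
                print(f"  spoke {i_pri} vs hub {r_pri}: {', '.join(diffs)}")
    for finding in weak_settings(hub):
        print("hub audit:", finding)
```

Run against the two outputs posted in this thread, the script finds that hub policy 20 accepts the spoke's policy 20, which is why the quoted DH-group error cannot come from this pair of policies as posted; a policy set that really disagrees on the group produces the "no offers accepted" branch with the offending attribute named for each pair.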
Enthusiast

Re: IKE Phase1 issue

Hub Policy:

crypto isakmp policy 10
encr 3des
authentication pre-share
!
crypto isakmp policy 20
encr aes 256
authentication pre-share

Spoke Policy:

crypto isakmp policy 20
encr aes 256
authentication pre-share

Thanks

VIP Advisor

Re: IKE Phase1 issue

Since you have more policies on the Hub, I would like to see the full config to determine what is wrong.

BB
*** Rate All Helpful Responses ***
VIP Mentor

Re: IKE Phase1 issue

Hello,

try and disable volume-based rekeying:

VPN(config)#crypto ipsec security-association lifetime kilobytes disable

or set the lifetime to 30 days:

VPN(config)#crypto ipsec security-association lifetime days 30

or increase the replay window size:

VPN(config)#crypto ipsec security-association replay window-size 1024

or disable it altogether:

VPN(config)#crypto ipsec security-association replay disable

Enthusiast

Re: IKE Phase1 issue

I tried all of them. Still the same issue.

Enthusiast

Re: IKE Phase1 issue

It's clearly obvious that there's a mismatch in your Phase 1 parameters between Hub and Spoke. You have multiple crypto configs, but the output for show crypto isakmp policy on the Hub only shows policy 10, which uses 3DES and is different from the Spoke, which uses AES.

VIP Mentor

Re: IKE Phase1 issue

Hello,

On a side note, check the NTP/clock settings on both ends. Are both running the same time?

sh ntp associations detail

show clock

VIP Advisor

Re: IKE Phase1 issue

Hi

It looks like IKEv1. Could you please provide the configuration of phase 1 on both sides, and also verify the key used to authenticate this phase.

Is it an S2S VPN or are you configuring GETVPN?

Enthusiast

Re: IKE Phase1 issue

It's DMVPN.

crypto isakmp policy 10
encr 3des
authentication pre-share
!
crypto isakmp policy 20
encr aes 256
authentication pre-share

Spoke Policy:

crypto isakmp policy 20
encr aes 256
authentication pre-share

Keys are the same on both sides.

VIP Advisor

Re: IKE Phase1 issue

Thank you. Is there any firewall, ACL or NAT between the devices? Is it possible to share the configuration, removing the sensitive info (like IPs and keys), and the topology?

Enthusiast

Re: IKE Phase1 issue

The issue is not with the firewall/ACL.

The tunnel works for a few hours and then goes offline for a few hours!!

Hall of Fame Master

Re: IKE Phase1 issue

There are several things in this discussion that puzzle me. First, in the original post there are these logs:

Feb 15 06:49:45.824: ISAKMP-ERROR: (0):Diffie-Hellman group offered does not match policy!
.Feb 15 06:49:45.824: ISAKMP-ERROR: (0):atts are not acceptable. Next payload is 0
.Feb 15 06:49:45.824: ISAKMP-ERROR: (0):no offers accepted!

but in the partial configs that are provided it is clear that DH does match. So are these logs about some different VPN? Or what?

Then in a recent update to the discussion the original poster tells us that

Tunnel works for a few hours and then goes offline for a few hours

We do not have much detail to work with but my first suggestion is that perhaps this is normal operation. If there is some interesting traffic then the tunnel comes up and stays up for several hours. If interesting traffic does not continue then the lifetime expires and the tunnel comes down. While there is not more interesting traffic the tunnel remains down. After several hours there is interesting traffic and the tunnel comes up. And the cycle repeats.

HTH

Rick
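Rick's question ("are these logs about some different VPN?") can be answered from the debug lines themselves, because the "phase 1 SA policy not acceptable!" and "deleting SA" lines carry the local and remote addresses and the role of this router in the exchange. The following Python example is added here and is not from the thread or from Cisco: it groups ISAKMP-ERROR debug lines into one failure event per "deleting SA" line and summarises failures per (local, remote) pair together with the attribute that was rejected, so the policy on exactly that peer pair can be checked. The first five log lines are the ones quoted in the thread; the lines for 198.51.100.7 at 07:12, including the "Encryption algorithm offered does not match policy!" text, are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample: the five lines quoted in the thread, then a constructed second
# failure against a different remote peer so that grouping by peer pair is visible.
DEBUG_LOG = """\
Feb 15 06:49:45.824: ISAKMP-ERROR: (0):Diffie-Hellman group offered does not match policy!
.Feb 15 06:49:45.824: ISAKMP-ERROR: (0):atts are not acceptable. Next payload is 0
.Feb 15 06:49:45.824: ISAKMP-ERROR: (0):no offers accepted!
.Feb 15 06:49:45.824: ISAKMP-ERROR: (0):phase 1 SA policy not acceptable! (local 106.120.64.62 remote 195.243.205.104)
.Feb 15 06:49:45.824: ISAKMP-ERROR: (0):deleting SA reason "Phase1 SA policy proposal not accepted" state (I) MM_NO_STATE (peer 195.243.205.104)
.Feb 15 07:12:03.101: ISAKMP-ERROR: (0):Encryption algorithm offered does not match policy!
.Feb 15 07:12:03.101: ISAKMP-ERROR: (0):no offers accepted!
.Feb 15 07:12:03.101: ISAKMP-ERROR: (0):phase 1 SA policy not acceptable! (local 106.120.64.62 remote 198.51.100.7)
.Feb 15 07:12:03.101: ISAKMP-ERROR: (0):deleting SA reason "Phase1 SA policy proposal not accepted" state (I) MM_NO_STATE (peer 198.51.100.7)
"""

# Leading "." or "*" is the IOS timestamp clock-status marker; it is optional here.
LINE_RE = re.compile(r"^[.*]?(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d\.\d+): ISAKMP-ERROR: \((?P<sa>\d+)\):(?P<msg>.*)$")
ATTR_RE = re.compile(r"^(?P<attr>Diffie-Hellman group|Encryption algorithm|Hash algorithm|Authentication method) offered does not match policy!")
PEERS_RE = re.compile(r"\(local (?P<local>[\d.]+) remote (?P<remote>[\d.]+)\)")
# (I)/(R) in the deleting line is this router's role: initiator or responder.
DELETE_RE = re.compile(r'deleting SA reason "(?P<reason>[^"]+)" state \((?P<role>[IR])\) (?P<state>\w+) \(peer (?P<peer>[\d.]+)\)')


def parse_isakmp_errors(text):
    """Group ISAKMP-ERROR debug lines into failure events, one per 'deleting SA' line.
    Attribute-mismatch and peer-address lines seen before it are attached to that event."""
    events = []
    cur = {"attrs": [], "first_ts": None}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not an ISAKMP-ERROR line
        ts, msg = m.group("ts"), m.group("msg")
        if cur["first_ts"] is None:
            cur["first_ts"] = ts
        a = ATTR_RE.match(msg)
        if a:
            cur["attrs"].append(a.group("attr"))
        p = PEERS_RE.search(msg)
        if p:
            cur["local"], cur["remote"] = p.group("local"), p.group("remote")
        d = DELETE_RE.search(msg)
        if d:
            cur["reason"] = d.group("reason")
            cur["role"] = "initiator" if d.group("role") == "I" else "responder"
            cur["state"] = d.group("state")
            cur.setdefault("remote", d.group("peer"))  # the peer line may be missing
            events.append(cur)
            cur = {"attrs": [], "first_ts": None}
    return events


def failures_by_peer(events):
    """Count phase 1 failures per (local, remote) pair with the attributes that were rejected."""
    summary = defaultdict(lambda: {"count": 0, "attrs": set()})
    for e in events:
        key = (e.get("local", "?"), e["remote"])
        summary[key]["count"] += 1
        summary[key]["attrs"].update(e["attrs"])
    return dict(summary)


if __name__ == "__main__":
    for (local, remote), info in failures_by_peer(parse_isakmp_errors(DEBUG_LOG)).items():
        print(f"local {local} -> remote {remote}: {info['count']} phase 1 failure(s), "
              f"rejected attribute(s): {sorted(info['attrs'])}")
```

For the lines quoted in the thread this yields a single event for local 106.120.64.62 and remote 195.243.205.104, initiated by this router ("(I)"), rejected on the Diffie-Hellman group; that is the peer pair whose "show crypto isakmp policy" output should be compared, and if it is not the hub/spoke pair whose policies were posted, the logs belong to a different tunnel.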

 

Enthusiast

Re: IKE Phase1 issue

Thanks for the response...

Enthusiast

Re: IKE Phase1 issue

Based on the recent config, I see nothing wrong. The confusion is that your previous logs showed a mismatch in crypto policies.

You had previously mentioned that the tunnel is up for about 7 hours, which to me is long, and an interface flap can cause a brief interruption.

Is the 7-hour duration constant, or does the tunnel go down at different time intervals?

How long does it stay down?

Is the tunnel down for only Hub1, while Hub2 stays up?

Could you post the following:

1. show crypto isakmp sa detail

2. show crypto ipsec sa detail

3. sh ip eigrp neighbors

4. show crypto ipsec sa
