08-21-2011 08:26 PM - edited 03-04-2019 01:21 PM
Hi
I have an issue with an IPSec tunnel where the tunnel changes status to UP-NO-IKE upon sending any traffic.
After clearing the crypto session through the command, it again shows UP and then goes into the UP-NO-IKE state and cannot route any traffic further.
Could anyone help me with what could be causing this?
Thanks
Sandip
08-21-2011 09:27 PM
Can you please paste your config here, and also some debug output of the IPSec tunnel?
Regards,
08-21-2011 11:41 PM
Hi,
I continuously get the following in the log.
%CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=2x.x.x.x, prot=50, spi=0x76BDA86C(1992140908),
srcaddr=1x.xx.xx.xx
and
The sh crypto session output is as follows:
Interface: GigabitEthernet0/0
Session status: UP-NO-IKE
Peer: 1x.x.x.x port 500
IPSEC FLOW: permit ip 192.168.1.0/255.255.255.0 1x.x.x.x/255.255.255.192
Active SAs: 0, origin: crypto map
IPSEC FLOW: permit ip 192.168.1.0/255.255.255.0 host 1x.x.x.x
Active SAs: 2, origin: crypto map
I have tried the following command but the same issue remains:
crypto isakmp invalid-spi-recovery
==============================================================================================================
Our end Configuration (Cisco 2821 router)
crypto ipsec transform-set ESP-AES-256 esp-aes 256 esp-sha-hmac
crypto isakmp key xxxxxx address 1x.1x.2x.1x
crypto isakmp policy 60
encr aes 256
authentication pre-share
group 2
lifetime 3600
crypto map mymap 60 ipsec-isakmp
set peer 1x.1x.2x.1x
set transform-set ESP-AES-256
match address 100
access-list 100 permit ip 192.168.1.0 0.0.0.255 1x.1x.2x.1x 0.0.0.63
Remote end config (Linksys router):
As per attached.
08-22-2011 01:57 PM
Hello Sandip,
We would see this state if the IKE lifetime is shorter than the IPSEC lifetime: when the IKE lifetime expires, the IPSEC SAs are still there, so we see "UP-NO-IKE".
I can also see that you have an IKE lifetime mismatch. On the Cisco router, it is 3600 and on the Linksys, it is 28800. Could you please increase it on the Cisco router to the same value:
crypto isakmp policy 60
lifetime 28800
You can check the actual lifetime via show crypto isa sa detail on the Cisco router.
Warm Regards,
Rose
08-22-2011 05:30 PM
Hi,
I have applied the setting; however, it still has the same issue.
Could the attached IPSec debug messages be useful for diagnosis?
==============================================================================
A-PEER#clear crypto session
A-PEER#
*Aug 23 00:13:12.983: IPSEC(delete_sa): deleting SA,
(sa) sa_dest= 20x.x.x.6, sa_proto= 50,
sa_spi= 0xE57B70A8(3850072232),
sa_trans= esp-aes 256 esp-sha-hmac , sa_conn_id= 3002
sa_lifetime(k/sec)= (4606725/3600),
(identity) local= 20x.x.x.6, remote= 11x.x.x.188,
local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
remote_proxy= 11x.x.x.182/255.255.255.255/0/0 (type=1)
*Aug 23 00:13:12.983: IPSEC(add_sa): have new SAs -- expire existing in 30 sec.,
(sa) sa_dest= 11x.x.x.188, sa_proto= 50,
sa_spi= 0x372DDC9E(925752478),
sa_trans= esp-aes 256 esp-sha-hmac , sa_conn_id= 3001
sa_lifetime(k/sec)= (4606725/3600),
(identity) local= 20x.x.x.6, remote= 11x.x.x.188,
local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
remote_proxy= 11x.x.x.182/255.255.255.255/0/0 (type=1)
*Aug 23 00:13:12.983: IPSEC(delete_sa): deleting SA,
(sa) sa_dest= 11x.x.x.188, sa_proto= 50,
sa_spi= 0x372DDC9E(925752478),
sa_trans= esp-aes 256 esp-sha-hmac , sa_conn_id= 3001
sa_lifetime(k/sec)= (4606725/3600),
(identity) local= 20x.x.x.6, remote= 11x.x.x.188,
local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
remote_proxy= 11x.x.x.182/255.255.255.255/0/0 (type=1)
*Aug 23 00:13:12.983: IPSec: Flow_switching Deallocated flow for sibling 80000017
*Aug 23 00:13:12.983: IPSEC(key_engine): got a queue event with 1 kei messages
*Aug 23 00:13:19.735: %ENVMON-4-FAN_LOW_RPM: Fan 2 service recommended
*Aug 23 00:13:22.415: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 20x.x.x.6, remote= 11x.x.x.188,
local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
remote_proxy= 11x.x.x.128/255.255.255.192/0/0 (type=4),
protocol= ESP, transform= esp-aes 256 esp-sha-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x27CADC87(667606151), conn_id= 0, keysize= 256, flags= 0x400A
*Aug 23 00:13:23.103: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=20x.x.x.6, prot=50, spi=0xE57B70A8(3850072232),
srcaddr=11x.x.x.188
*Aug 23 00:13:41.603: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 20x.x.x.6, remote= 11x.x.x.188,
local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
remote_proxy= 11x.x.x.182/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= esp-aes 256 esp-sha-hmac (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x22
*Aug 23 00:13:41.603: Crypto mapdb : proxy_match
src addr : 192.168.1.0
dst addr : 11x.x.x.182
protocol : 0
src port : 0
dst port : 0
*Aug 23 00:13:41.655: IPSEC(key_engine): got a queue event with 1 kei messages
*Aug 23 00:13:41.655: IPSEC(spi_response): getting spi 2102995494 for SA
from 20x.x.x.6 to 11x.x.x.188 for prot 3
*Aug 23 00:13:41.659: IPSEC(key_engine): got a queue event with 2 kei messages
*Aug 23 00:13:41.659: IPSEC(initialize_sas): ,
(key eng. msg.) INBOUND local= 20x.x.x.6, remote= 11x.x.x.188,
local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
remote_proxy= 11x.x.x.182/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= esp-aes 256 esp-sha-hmac (Tunnel),
lifedur= 3600s and 0kb,
spi= 0x7D592A26(2102995494), conn_id= 0, keysize= 256, flags= 0x23
*Aug 23 00:13:41.659: IPSEC(initialize_sas): ,
(key eng. msg.) OUTBOUND local= 20x.x.x.6, remote= 11x.x.x.188,
local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
remote_proxy= 11x.x.x.182/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= esp-aes 256 esp-sha-hmac (Tunnel),
lifedur= 3600s and 0kb,
spi= 0x372DDC9F(925752479), conn_id= 0, keysize= 256, flags= 0x2B
*Aug 23 00:13:41.659: Crypto mapdb : proxy_match
src addr : 192.168.1.0
dst addr : 11x.x.x.182
protocol : 0
src port : 0
dst port : 0
*Aug 23 00:13:41.659: IPSec: Flow_switching Allocated flow for sibling 80000018
*Aug 23 00:13:41.659: IPSEC(policy_db_add_ident): src 192.168.1.0, dest 11x.x.x.182, dest_port 0
*Aug 23 00:13:41.659: IPSEC(create_sa): sa created,
(sa) sa_dest= 20x.x.x.6, sa_proto= 50,
sa_spi= 0x7D592A26(2102995494),
sa_trans= esp-aes 256 esp-sha-hmac , sa_conn_id= 3001
sa_lifetime(k/sec)= (4399175/3600)
*Aug 23 00:13:41.659: IPSEC(create_sa): sa created,
(sa) sa_dest= 11x.x.x.188, sa_proto= 50,
sa_spi= 0x372DDC9F(925752479),
sa_trans= esp-aes 256 esp-sha-hmac , sa_conn_id= 3002
sa_lifetime(k/sec)= (4399175/3600)
*Aug 23 00:13:42.027: IPSEC(key_engine): got a queue event with 1 kei messages
*Aug 23 00:13:42.027: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
*Aug 23 00:13:42.027: IPSEC(key_engine_enable_outbound): enable SA with spi 925752479/50
*Aug 23 00:13:42.031: IPSEC(key_engine): got a queue event with 1 kei messages
*Aug 23 00:13:42.031: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
*Aug 23 00:13:49.735: %ENVMON-4-FAN_LOW_RPM: Fan 2 service recommended
*Aug 23 00:13:52.415: IPSEC(key_engine): request timer fired: count = 1,
(identity) local= 20x.x.x.6, remote= 11x.x.x.188,
local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
remote_proxy= 11x.x.x.128/255.255.255.192/0/0 (type=4)
*Aug 23 00:13:52.415: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 20x.x.x.6, remote= 11x.x.x.188,
local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
remote_proxy= 11x.x.x.128/255.255.255.192/0/0 (type=4),
protocol= ESP, transform= esp-aes 256 esp-sha-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x10D016F7(282072823), conn_id= 0, keysize= 256, flags= 0x400A
*Aug 23 00:14:19.735: %ENVMON-4-FAN_LOW_RPM: Fan 2 service recommended
A-PEER#
*Aug 23 00:14:22.415: IPSEC(key_engine): request timer fired: count = 2,
(identity) local= 20x.x.x.6, remote= 11x.x.x.188,
local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
remote_proxy= 11x.x.x.128/255.255.255.192/0/0 (type=4)\
^
% Invalid input detected at '^' marker.
A-PEER#
A-PEER#sh crypto session
Crypto session current status
Interface: GigabitEthernet0/0
Session status: UP-NO-IKE
Peer: 11x.x.x.188 port 500
IKE SA: local 20x.x.x.6/500 remote 11x.x.x.188/500 Inactive
IPSEC FLOW: permit ip 192.168.1.0/255.255.255.0 11x.x.x.128/255.255.255.192
Active SAs: 0, origin: crypto map
IPSEC FLOW: permit ip 192.168.1.0/255.255.255.0 host 11x.x.x.182
Active SAs: 2, origin: crypto map
=============================================================================
Thanks
Sandip
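The debug above shows the same SPI (0xE57B70A8) being deleted locally at 00:13:12 and then reported by the peer as an invalid SPI at 00:13:23. As an added example (not from this thread), the parser below groups these multi-line IOS debug events and flags invalid-SPI reports whose SPI this router had already torn down; the sample input is constructed from the posted debug with placeholder addresses.

```python
import re

# Constructed sample modelled on the debug posted above (not the original output);
# addresses are RFC 5737 placeholders, SPIs are the ones quoted in the thread.
SAMPLE_DEBUG = """\
*Aug 23 00:13:12.983: IPSEC(delete_sa): deleting SA,
    (sa) sa_dest= 203.0.113.6, sa_proto= 50,
    sa_spi= 0xE57B70A8(3850072232),
*Aug 23 00:13:23.103: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=203.0.113.6, prot=50, spi=0xE57B70A8(3850072232),
    srcaddr=198.51.100.188
*Aug 23 00:13:41.659: IPSEC(create_sa): sa created,
    (sa) sa_dest= 203.0.113.6, sa_proto= 50,
    sa_spi= 0x7D592A26(2102995494),
"""

EVENT_RE = re.compile(r"^\*(?P<ts>\w+ +\d+ [\d:.]+): (?P<body>.*)$")
SPI_RE = re.compile(r"\bsa_spi= (0x[0-9A-Fa-f]+)|\bspi=(0x[0-9A-Fa-f]+)")

def split_events(text):
    """Join each timestamped debug line with its indented continuation lines."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if m:
            events.append({"ts": m.group("ts"), "text": m.group("body")})
        elif events:
            events[-1]["text"] += " " + line.strip()
    return events

def spi_of(event_text):
    m = SPI_RE.search(event_text)
    return (m.group(1) or m.group(2)) if m else None

def analyze(text):
    """Track SPIs this router created/deleted; flag invalid-SPI reports that name one it tore down."""
    deleted, created, invalid = [], [], []
    for ev in split_events(text):
        spi = spi_of(ev["text"])
        if "IPSEC(delete_sa)" in ev["text"]:
            deleted.append(spi)
        elif "IPSEC(create_sa)" in ev["text"]:
            created.append(spi)
        elif "RECVD_PKT_INV_SPI" in ev["text"]:
            src = re.search(r"srcaddr=(\S+)", ev["text"])
            invalid.append({"ts": ev["ts"], "spi": spi,
                            "peer": src.group(1) if src else None,
                            # True: the peer still encrypts to an SA this router already deleted
                            "stale_local_sa": spi in deleted})
    return {"deleted": deleted, "created": created, "invalid_spi": invalid}

if __name__ == "__main__":
    for hit in analyze(SAMPLE_DEBUG)["invalid_spi"]:
        print(hit)
```

A stale_local_sa hit right after a clear crypto session is expected; repeated hits during normal operation point at the peer losing IKE state or the path flapping, as this thread eventually found.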
08-25-2011 05:10 PM
Hi
The SAs were created and deleted in the IPSec debug.
It turned out to be a connection issue where the connection to the destination peer was flapping, but it could not be detected as the peer had blocked ICMP traffic. It became OK after the ISP routed traffic through an alternate route.
Is there any way to find such a connection issue if ICMP is blocked at the remote end?
Thanks
Sandip
08-26-2011 12:19 PM
You can try using telnet.
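As an added example (not from this thread), a TCP-connect probe that stands in for ping when ICMP is filtered, with a flap detector over repeated samples; the peer address 192.0.2.1 and port 23 are placeholders, assuming the remote end exposes some TCP service (telnet, as the reply suggests).

```python
import socket
import time

def tcp_probe(host, port, timeout=2.0):
    """True if a TCP handshake to host:port completes; needs no ICMP at all."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out or unreachable all count as "down"
        return False

def flap_transitions(results):
    """Return (sample_index, 'up'|'down') for every change between consecutive probes."""
    changes = []
    for i in range(1, len(results)):
        if results[i] != results[i - 1]:
            changes.append((i, "up" if results[i] else "down"))
    return changes

def watch(host, port, samples, interval, probe=tcp_probe):
    """Probe repeatedly and report the transitions; a steady path yields an empty list."""
    results = []
    for _ in range(samples):
        results.append(probe(host, port))
        time.sleep(interval)
    return results, flap_transitions(results)

if __name__ == "__main__":
    # Placeholder peer and port: use the remote IPsec peer and a TCP service it exposes.
    results, changes = watch("192.0.2.1", 23, samples=5, interval=1)
    print("reachable samples:", results)
    print("state changes:", changes or "none (path steady for the sample window)")
```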