IPSec tunnel Issue

Sandip Barot
Level 1

Hi

I have an issue with IPSec tunnel where the tunnel is changing status to UP-NO-IKE upon sending any traffic.

After clearing the crypto session via the command, it shows UP again and then goes into the UP-NO-IKE state and cannot route any traffic further.

Could anyone help me with what could be causing this?

Thanks

Sandip

6 Replies

Manouchehr
Level 1

Can you please paste your config here, and also some debug output of the IPSec tunnel?

Regards,

Hi,

I continuously get the following in the logging:

%CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=2x.x.x.x, prot=50, spi=0x76BDA86C(1992140908), srcaddr=1x.xx.xx.xx

and

sh crypto session output as follows:

Interface: GigabitEthernet0/0
Session status: UP-NO-IKE
Peer: 1x.x.x.x port 500
  IPSEC FLOW: permit ip 192.168.1.0/255.255.255.0 1x.x.x.x/255.255.255.192
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 192.168.1.0/255.255.255.0 host 1x.x.x.x
        Active SAs: 2, origin: crypto map

I have tried the following command but the same issue remains:

crypto isakmp invalid-spi-recovery

==============================================================================================================
Our end configuration (Cisco 2821 router):

crypto ipsec transform-set ESP-AES-256 esp-aes 256 esp-sha-hmac
crypto isakmp key xxxxxx address 1x.1x.2x.1x
crypto isakmp policy 60
  encr aes 256
  authentication pre-share
  group 2
  lifetime 3600
crypto map mymap 60 ipsec-isakmp
  set peer 1x.1x.2x.1x
  set transform-set ESP-AES-256
  match address 100
access-list 100 permit ip 192.168.1.0 0.0.0.255 1x.1x.2x.1x 0.0.0.63

Remote end config (Linksys router):

As per attached.

Hello Sandip,

We would see this state if the IKE lifetime is shorter than the IPSEC lifetime: when the IKE lifetime expires, the IPSEC SAs are still there, so we see "UP-NO-IKE".

I can also see that you have an IKE lifetime mismatch. On the Cisco router, it is 3600 and on the Linksys, it is 28800. Could you please increase it on the Cisco router to the same value:

crypto isakmp policy 60
 lifetime 28800

You can check the actual lifetime via show crypto isa sa detail on the Cisco router.

Warm Regards,

Rose
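The two checks Rose describes (IKE lifetime not longer than the IPsec SA lifetime, and IKE lifetime differing from the peer's) can be linted straight from a running-config excerpt. The script below is an added example, not code from the thread or from Cisco; it assumes IOS-style syntax, applies the IOS defaults for unset lifetimes (86400 s for an ISAKMP policy, 3600 s for IPsec SAs), and uses a constructed config modelled on the one posted above with a documentation address in place of the real peer.

```python
import re

# IOS defaults in seconds: an ISAKMP policy without an explicit "lifetime" uses
# 86400; the IPsec SA lifetime without "crypto ipsec security-association
# lifetime seconds" is 3600.
IOS_DEFAULT_IKE_LIFETIME = 86400
IOS_DEFAULT_IPSEC_LIFETIME = 3600

# Constructed config fragment modelled on the thread's Cisco 2821 config.
# The peer address is a documentation address, not the one from the thread.
SAMPLE_CONFIG = """\
crypto isakmp policy 60
 encr aes 256
 authentication pre-share
 group 2
 lifetime 3600
crypto ipsec transform-set ESP-AES-256 esp-aes 256 esp-sha-hmac
crypto map mymap 60 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set ESP-AES-256
 match address 100
"""


def parse_lifetimes(config):
    """Collect the IKE lifetime per ISAKMP policy, the global IPsec SA lifetime
    and any per-crypto-map-entry override, applying IOS defaults where unset."""
    ike, ipsec_map = {}, {}
    ipsec_global = IOS_DEFAULT_IPSEC_LIFETIME
    section = None  # ("ike", policy_no) or ("map", (name, seq)) while inside one
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if raw[:1].isspace() and section is not None:
            # indented line: sub-command of the current policy or map entry
            kind, key = section
            m = re.fullmatch(r"lifetime (\d+)", line)
            if m and kind == "ike":
                ike[key] = int(m.group(1))
            m = re.fullmatch(r"set security-association lifetime seconds (\d+)", line)
            if m and kind == "map":
                ipsec_map[key] = int(m.group(1))
            continue
        section = None  # any top-level command ends the previous section
        m = re.fullmatch(r"crypto isakmp policy (\d+)", line)
        if m:
            section = ("ike", int(m.group(1)))
            ike.setdefault(section[1], IOS_DEFAULT_IKE_LIFETIME)
            continue
        m = re.fullmatch(r"crypto map (\S+) (\d+) ipsec-isakmp", line)
        if m:
            section = ("map", (m.group(1), int(m.group(2))))
            continue
        m = re.fullmatch(r"crypto ipsec security-association lifetime seconds (\d+)", line)
        if m:
            ipsec_global = int(m.group(1))
    return {"ike": ike, "ipsec_global": ipsec_global, "ipsec_map": ipsec_map}


def lint_lifetimes(config, remote_ike_lifetime=None):
    """Return findings: IKE lifetimes that do not exceed the IPsec SA lifetime
    (the IKE SA can then expire while IPsec SAs remain, the UP-NO-IKE symptom)
    and, when the peer's IKE lifetime is known, any mismatch against it."""
    lt = parse_lifetimes(config)
    # longest IPsec lifetime in force on any map entry, or the global value
    ipsec_max = max([lt["ipsec_global"], *lt["ipsec_map"].values()])
    findings = []
    for policy, ike_lt in sorted(lt["ike"].items()):
        if ike_lt <= ipsec_max:
            findings.append(f"isakmp policy {policy}: IKE lifetime {ike_lt}s "
                            f"does not exceed IPsec SA lifetime {ipsec_max}s")
        if remote_ike_lifetime is not None and ike_lt != remote_ike_lifetime:
            findings.append(f"isakmp policy {policy}: IKE lifetime {ike_lt}s "
                            f"differs from peer's {remote_ike_lifetime}s")
    return findings


if __name__ == "__main__":
    for finding in lint_lifetimes(SAMPLE_CONFIG, remote_ike_lifetime=28800):
        print(finding)
```

Run against the sample with the Linksys value of 28800 it reports both problems; with the policy changed to lifetime 28800 it reports none, since 28800 s now exceeds the 3600 s IPsec SA lifetime and matches the peer.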

Hi,

I have applied the setting, however it still has the same issue.

Could the attached IPSec debug message be useful to diagnose?

==============================================================================

A-PEER#clear crypto session
A-PEER#
*Aug 23 00:13:12.983: IPSEC(delete_sa): deleting SA,
  (sa) sa_dest= 20x.x.x.6, sa_proto= 50,
    sa_spi= 0xE57B70A8(3850072232),
    sa_trans= esp-aes 256 esp-sha-hmac , sa_conn_id= 3002
    sa_lifetime(k/sec)= (4606725/3600),
  (identity) local= 20x.x.x.6, remote= 11x.x.x.188,
    local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 11x.x.x.182/255.255.255.255/0/0 (type=1)
*Aug 23 00:13:12.983: IPSEC(add_sa): have new SAs -- expire existing in 30 sec.,
  (sa) sa_dest= 11x.x.x.188, sa_proto= 50,
    sa_spi= 0x372DDC9E(925752478),
    sa_trans= esp-aes 256 esp-sha-hmac , sa_conn_id= 3001
    sa_lifetime(k/sec)= (4606725/3600),
  (identity) local= 20x.x.x.6, remote= 11x.x.x.188,
    local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 11x.x.x.182/255.255.255.255/0/0 (type=1)
*Aug 23 00:13:12.983: IPSEC(delete_sa): deleting SA,
  (sa) sa_dest= 11x.x.x.188, sa_proto= 50,
    sa_spi= 0x372DDC9E(925752478),
    sa_trans= esp-aes 256 esp-sha-hmac , sa_conn_id= 3001
    sa_lifetime(k/sec)= (4606725/3600),
  (identity) local= 20x.x.x.6, remote= 11x.x.x.188,
    local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 11x.x.x.182/255.255.255.255/0/0 (type=1)
*Aug 23 00:13:12.983: IPSec: Flow_switching Deallocated flow for sibling 80000017
*Aug 23 00:13:12.983: IPSEC(key_engine): got a queue event with 1 kei messages
*Aug 23 00:13:19.735: %ENVMON-4-FAN_LOW_RPM: Fan 2 service recommended
*Aug 23 00:13:22.415: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 20x.x.x.6, remote= 11x.x.x.188,
    local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 11x.x.x.128/255.255.255.192/0/0 (type=4),
    protocol= ESP, transform= esp-aes 256 esp-sha-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x27CADC87(667606151), conn_id= 0, keysize= 256, flags= 0x400A
*Aug 23 00:13:23.103: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=20x.x.x.6, prot=50, spi=0xE57B70A8(3850072232), srcaddr=11x.x.x.188
*Aug 23 00:13:41.603: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 20x.x.x.6, remote= 11x.x.x.188,
    local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 11x.x.x.182/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-aes 256 esp-sha-hmac  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x22
*Aug 23 00:13:41.603: Crypto mapdb : proxy_match
        src addr     : 192.168.1.0
        dst addr     : 11x.x.x.182
        protocol     : 0
        src port     : 0
        dst port     : 0
*Aug 23 00:13:41.655: IPSEC(key_engine): got a queue event with 1 kei messages
*Aug 23 00:13:41.655: IPSEC(spi_response): getting spi 2102995494 for SA
        from 20x.x.x.6 to 11x.x.x.188 for prot 3
*Aug 23 00:13:41.659: IPSEC(key_engine): got a queue event with 2 kei messages
*Aug 23 00:13:41.659: IPSEC(initialize_sas): ,
  (key eng. msg.) INBOUND local= 20x.x.x.6, remote= 11x.x.x.188,
    local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 11x.x.x.182/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-aes 256 esp-sha-hmac  (Tunnel),
    lifedur= 3600s and 0kb,
    spi= 0x7D592A26(2102995494), conn_id= 0, keysize= 256, flags= 0x23
*Aug 23 00:13:41.659: IPSEC(initialize_sas): ,
  (key eng. msg.) OUTBOUND local= 20x.x.x.6, remote= 11x.x.x.188,
    local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 11x.x.x.182/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-aes 256 esp-sha-hmac  (Tunnel),
    lifedur= 3600s and 0kb,
    spi= 0x372DDC9F(925752479), conn_id= 0, keysize= 256, flags= 0x2B
*Aug 23 00:13:41.659: Crypto mapdb : proxy_match
        src addr     : 192.168.1.0
        dst addr     : 11x.x.x.182
        protocol     : 0
        src port     : 0
        dst port     : 0
*Aug 23 00:13:41.659: IPSec: Flow_switching Allocated flow for sibling 80000018
*Aug 23 00:13:41.659: IPSEC(policy_db_add_ident): src 192.168.1.0, dest 11x.x.x.182, dest_port 0
*Aug 23 00:13:41.659: IPSEC(create_sa): sa created,
  (sa) sa_dest= 20x.x.x.6, sa_proto= 50,
    sa_spi= 0x7D592A26(2102995494),
    sa_trans= esp-aes 256 esp-sha-hmac , sa_conn_id= 3001
    sa_lifetime(k/sec)= (4399175/3600)
*Aug 23 00:13:41.659: IPSEC(create_sa): sa created,
  (sa) sa_dest= 11x.x.x.188, sa_proto= 50,
    sa_spi= 0x372DDC9F(925752479),
    sa_trans= esp-aes 256 esp-sha-hmac , sa_conn_id= 3002
    sa_lifetime(k/sec)= (4399175/3600)
*Aug 23 00:13:42.027: IPSEC(key_engine): got a queue event with 1 kei messages
*Aug 23 00:13:42.027: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
*Aug 23 00:13:42.027: IPSEC(key_engine_enable_outbound): enable SA with spi 925752479/50
*Aug 23 00:13:42.031: IPSEC(key_engine): got a queue event with 1 kei messages
*Aug 23 00:13:42.031: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
*Aug 23 00:13:49.735: %ENVMON-4-FAN_LOW_RPM: Fan 2 service recommended
*Aug 23 00:13:52.415: IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= 20x.x.x.6, remote= 11x.x.x.188,
    local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 11x.x.x.128/255.255.255.192/0/0 (type=4)
*Aug 23 00:13:52.415: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 20x.x.x.6, remote= 11x.x.x.188,
    local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 11x.x.x.128/255.255.255.192/0/0 (type=4),
    protocol= ESP, transform= esp-aes 256 esp-sha-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x10D016F7(282072823), conn_id= 0, keysize= 256, flags= 0x400A
*Aug 23 00:14:19.735: %ENVMON-4-FAN_LOW_RPM: Fan 2 service recommended
A-PEER#
*Aug 23 00:14:22.415: IPSEC(key_engine): request timer fired: count = 2,
  (identity) local= 20x.x.x.6, remote= 11x.x.x.188,
    local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 11x.x.x.128/255.255.255.192/0/0 (type=4)\
         ^
% Invalid input detected at '^' marker.

A-PEER#
A-PEER#sh crypto session
Crypto session current status

Interface: GigabitEthernet0/0
Session status: UP-NO-IKE
Peer: 11x.x.x.188 port 500
  IKE SA: local 20x.x.x.6/500 remote 11x.x.x.188/500 Inactive
  IPSEC FLOW: permit ip 192.168.1.0/255.255.255.0 11x.x.x.128/255.255.255.192
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 192.168.1.0/255.255.255.0 host 11x.x.x.182
        Active SAs: 2, origin: crypto map

=============================================================================

Thanks

Sandip
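The debug above contains the tell-tale pattern for this failure: the SPI 0xE57B70A8 is deleted at 00:13:12 and ten seconds later the peer is still sending ESP with that same SPI, which the router logs as %CRYPTO-4-RECVD_PKT_INV_SPI. Correlating the two message types makes the distinction between a peer holding a stale SA (the rekey never reached it, or the path is flapping) and a genuinely unknown SPI. The script below is an added example, not code from the thread or from Cisco; it runs over a constructed excerpt modelled on the debug output, with documentation addresses in place of the masked ones and the thread's own SPI values.

```python
import re

# Constructed excerpt modelled on the thread's IPsec debug. Addresses are
# documentation addresses; the first two SPIs are the ones seen in the thread,
# the last one is invented to show the "unknown" case.
SAMPLE_LOG = """\
*Aug 23 00:13:12.983: IPSEC(delete_sa): deleting SA,
  (sa) sa_dest= 203.0.113.6, sa_proto= 50,
    sa_spi= 0xE57B70A8(3850072232),
*Aug 23 00:13:12.983: IPSEC(add_sa): have new SAs -- expire existing in 30 sec.,
*Aug 23 00:13:23.103: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=203.0.113.6, prot=50, spi=0xE57B70A8(3850072232),
srcaddr=198.51.100.188
*Aug 23 00:13:41.659: IPSEC(create_sa): sa created,
  (sa) sa_dest= 203.0.113.6, sa_proto= 50,
    sa_spi= 0x7D592A26(2102995494),
*Aug 23 00:14:05.000: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=203.0.113.6, prot=50, spi=0x1A2B3C4D(439041101),
srcaddr=198.51.100.188
"""

TS_RE = re.compile(r"^\*(\w{3} +\d+ \d\d:\d\d:\d\d\.\d+): (.*)$")
SPI_RE = re.compile(r"sa_spi= (0x[0-9A-Fa-f]+)")
INV_RE = re.compile(r"RECVD_PKT_INV_SPI: .*destaddr=(\S+), prot=(\d+), "
                    r"spi=(0x[0-9A-Fa-f]+)\(\d+\),\s*srcaddr=(\S+)")


def join_wrapped(text):
    """Re-attach 'srcaddr=' continuation lines to the syslog line before them
    (the forum display wrapped the INV_SPI message onto two lines)."""
    lines = []
    for line in text.splitlines():
        if line.startswith("srcaddr=") and lines:
            lines[-1] += " " + line
        else:
            lines.append(line)
    return lines


def analyze(text):
    """Track SPIs deleted/created by IPSEC(delete_sa)/IPSEC(create_sa) and
    classify each RECVD_PKT_INV_SPI against them:
      stale   -> peer still sends on an SA this router already deleted
      active  -> SPI was created locally (check SA state, not a rekey race)
      unknown -> SPI never seen in this debug window"""
    deleted, created, events = {}, {}, []
    pending = None  # ("delete"|"create", timestamp) until the sa_spi line arrives
    for line in join_wrapped(text):
        m = TS_RE.match(line)
        if m:
            ts, msg = m.groups()
            if msg.startswith("IPSEC(delete_sa)"):
                pending = ("delete", ts)
            elif msg.startswith("IPSEC(create_sa)"):
                pending = ("create", ts)
            else:
                pending = None
            inv = INV_RE.search(msg)
            if inv:
                dst, prot, spi, src = inv.groups()
                if spi in deleted:
                    verdict = "stale"
                elif spi in created:
                    verdict = "active"
                else:
                    verdict = "unknown"
                events.append({"time": ts, "spi": spi, "src": src, "dst": dst,
                               "proto": int(prot), "verdict": verdict,
                               "deleted_at": deleted.get(spi)})
            continue
        spi_m = SPI_RE.search(line)
        if spi_m and pending:
            kind, ts = pending
            (deleted if kind == "delete" else created)[spi_m.group(1)] = ts
            pending = None
    return {"deleted": deleted, "created": created, "invalid_spi": events}


if __name__ == "__main__":
    for ev in analyze(SAMPLE_LOG)["invalid_spi"]:
        print(f"{ev['time']} spi {ev['spi']} from {ev['src']}: {ev['verdict']}"
              + (f" (deleted locally at {ev['deleted_at']})" if ev["deleted_at"] else ""))
```

A run of "stale" verdicts for the same peer is the signal to look at the path to that peer rather than at the crypto config; `crypto isakmp invalid-spi-recovery`, which the thread already tried, only tells the peer to tear its stale SA down and cannot help while the path itself is flapping.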

Hi

The SAs were created and deleted in IPSec debug.

It turned out to be a connection issue where the connection to the destination peer was flapping, but this could not be detected as the peer had blocked ICMP traffic. It became OK after the ISP routed traffic through an alternate route.

Is there any way to find such connection issue if ICMP is blocked at remote end?

Thanks

Sandip

You can try using telnet.
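The telnet suggestion works because a TCP connect attempt tells you whether the path is up even when ICMP is filtered: a refused connection (RST) still proves the peer is reachable, only a timeout means the path is down or filtered. The script below is an added example, not code from the thread; it turns that idea into a repeatable probe and a flap counter, and demonstrates itself offline against a local listener. The peer address is a hypothetical placeholder, and the ports you would probe depend on what the remote device actually exposes.

```python
import socket

# Hypothetical peer address: replace with your own VPN peer and a TCP port
# it exposes. Constructed for the example, not taken from the thread.
PEER = "198.51.100.188"


def tcp_probe(host, port, timeout=3.0):
    """Classify a single TCP connect attempt.
    'open'        -> SYN/ACK: host up and service reachable
    'refused'     -> RST: host up, port closed (the path is still up)
    'unreachable' -> timeout or no route: path down or filtered"""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "refused"
    except OSError:          # includes socket.timeout / TimeoutError
        return "unreachable"
    finally:
        s.close()


def count_flaps(states):
    """Number of up/down transitions in a series of probe results, treating
    'open' and 'refused' as path-up and 'unreachable' as path-down."""
    up = [st in ("open", "refused") for st in states]
    return sum(1 for a, b in zip(up, up[1:]) if a != b)


def demo():
    """Offline demonstration: a local listener stands in for a reachable peer
    service and a port we just released stands in for a closed one."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()                       # nothing listens here any more
    try:
        return {"open": tcp_probe("127.0.0.1", open_port, 1.0),
                "closed": tcp_probe("127.0.0.1", closed_port, 1.0)}
    finally:
        listener.close()


if __name__ == "__main__":
    print(demo())
    # Polling the real peer every few seconds and feeding the results to
    # count_flaps() would have exposed the flapping path in the thread.
    print(count_flaps(["open", "open", "unreachable", "refused", "unreachable"]))
```

For a peer whose IKE endpoint is the only thing exposed, a UDP/500 probe cannot distinguish "down" from "silent", so a TCP port on the same device or on a host behind it is the practical choice; the IOS `crypto isakmp keepalive` (DPD) feature is the in-band alternative that does not depend on ICMP or TCP at all.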
