cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2816
Views
1
Helpful
13
Replies

IPSEC tunnel up, but cannot ping across to destination IP

DavidGIP
Level 1
Level 1

Hello.

I have a Cisco 881 router, and we set up an IPSEC tunnel to another company equipment. The IPSEC tunnel is showing up and active, but I cannot ping across the tunnel. I believe the issue is with the routing, but truthfully I am not sure. Any assistance would be greatly appreciated.

Tantalus#sho cry isa sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
198.37.29.62 129.213.169.148 QM_IDLE 2107 ACTIVE

IPv6 Crypto ISAKMP SA

Tantalus#sho cry ipsec sa

interface: FastEthernet4.89
Crypto map tag: TANTALUS, local addr 198.37.29.62

protected vrf: (none)
local ident (addr/mask/prot/port): (198.37.29.60/255.255.255.252/0/0)
remote ident (addr/mask/prot/port): (129.213.169.0/255.255.255.0/0/0)
current_peer 129.213.169.148 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 73, #pkts encrypt: 73, #pkts digest: 73
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 198.37.29.62, remote crypto endpt.: 129.213.169.148
plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4.89
current outbound spi: 0xF3E89E4C(4092108364)
PFS (Y/N): Y, DH group: group5

inbound esp sas:
spi: 0x894F1216(2303660566)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 13, flow_id: Onboard VPN:13, sibling_flags 80004040, crypto map: TANTALUS
sa timing: remaining key lifetime (k/sec): (4273907/86119)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0xF3E89E4C(4092108364)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 14, flow_id: Onboard VPN:14, sibling_flags 80004040, crypto map: TANTALUS
sa timing: remaining key lifetime (k/sec): (4273906/86119)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

outbound ah sas:

outbound pcp sas:

 

13 Replies 13

Hello,

based on your configuration, it is difficult to figure out which traffic you want to encrypt, and what your routing actually looks like, as it appears there are more devices in your topology than just that one router. Can you post a schematic drawing/diagram of your full topology, showing how everything is connected ?

Basically, your NAT access list needs to deny the traffic that is specified in the access list that defines the encrypted traffic (access list 100 in your case).

129.213.169.0

Show ip route 129.213.169.0 longest

Do you see the path through egress interface that you config crypto map under it, if not then you have routing problems 

 

I am focusing on this part of the original post

#pkts encaps: 73, #pkts encrypt: 73, #pkts digest: 73
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

This indicates that you are sending traffic over the vpn but are not receiving any traffic over the vpn. I am wondering if there might be some mismatch between the traffic you describe in your config to be encrypted and what your peer describes in their config?

HTH

Rick

So I found that there were some mismatches with the encryption. I made the necessary updates, and it worked. But now What I am seeing is the tunnel is dropping 

 

198.37.29.62 129.213.169.148 MM_NO_STATE 2166 ACTIVE (deleted)

 

Hello,

as stated, it is difficult to help you without knowing what your topology looks like, and which traffic you need to encrypt. Can you provide the topology drawing, showing how all devices are physically and logically connected ?

Hi ,

if we landed with below situation , in that circumstances Ipsec phase 2 will be up or it will remains down as there is no flow on that tunnel from remote side ?

#pkts encaps: 73, #pkts encrypt: 73, #pkts digest: 73
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

may be some natting issue here 

In that situation phase 2 would be up. The original poster was clear that the situation you point out was the result of a mismatch in configuration between the 2 peers. And when the mismatches were resolved that there was 2 way flow of traffic.

HTH

Rick

""So I found that there were some mismatches with the encryption ""!!
Are you sure that this was the problem? because the IPSec never override the Phase1 and Phase2 and in both Phase both side check the SA proposal. 

and for ISAKMP, you need keepalive to make it always UP. 

DavidGIP
Level 1
Level 1

I apologize for the late response in regards to this issue. 

So what is happening is currently the tunnel comes up but drops after a few minutes. I verified with the other side and the encryption specs match. 

The Cisco 881 router is coming off of our core Cisco 6513 router. I can ping 129.213.169.148 from the 6513. When I remove the access list to disable the tunnel on the 881, I can also ping the 129.213.169.148 from the router. Once I enable the tunnel again, It comes up for a bit then drop again.

 

Tantalus#sho crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
198.37.29.62 129.213.169.148 QM_IDLE 2073 ACTIVE

IPv6 Crypto ISAKMP SA

Tantalus#sho crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
198.37.29.62 129.213.169.148 MM_NO_STATE 2073 ACTIVE (deleted)

 I added "crypto isakmp keepalive 20 periodic" to the existing config

DavidGIP
Level 1
Level 1

I ran a debug and got these messages:

 

5w6d: ISAKMP:(2112):Checking IPSec proposal 0
5w6d: ISAKMP: transform 7, ESP_AES
5w6d: ISAKMP: attributes in transform:
5w6d: ISAKMP: group is 5
5w6d: ISAKMP: encaps is 1 (Tunnel)
5w6d: ISAKMP: SA life type in seconds
5w6d: ISAKMP: SA life duration (basic) of 3600
5w6d: ISAKMP: authenticator is HMAC-SHA256
5w6d: ISAKMP: key length is 128
5w6d: ISAKMP:(2112):atts are acceptable.
5w6d: ISAKMP:(2112):Checking IPSec proposal 0
5w6d: ISAKMP: transform 8, ESP_AES
5w6d: ISAKMP: attributes in transform:
5w6d: ISAKMP: group is 5
5w6d: ISAKMP: encaps is 1 (Tunnel)
5w6d: ISAKMP: SA life type in seconds
5w6d: ISAKMP: SA life duration (basic) of 3600
5w6d: ISAKMP: authenticator is HMAC-SHA
5w6d: ISAKMP: key length is 128
5w6d: ISAKMP:(2112):atts are acceptable.
5w6d: ISAKMP:(2112): IPSec policy invalidated proposal with error 32
5w6d: ISAKMP:(2112): IPSec policy invalidated proposal with error 32
5w6d: ISAKMP:(2112): IPSec policy invalidated proposal with error 32
5w6d: ISAKMP:(2112): IPSec policy invalidated proposal with error 32
5w6d: ISAKMP:(2112): IPSec policy invalidated proposal with error 32
5w6d: ISAKMP:(2112): IPSec policy invalidated proposal with error 32
5w6d: ISAKMP:(2112): IPSec policy invalidated proposal with error 32
5w6d: ISAKMP:(2112): IPSec policy invalidated proposal with error 32
5w6d: ISAKMP:(2112): IPSec policy invalidated proposal with error 32
5w6d: ISAKMP:(2112): phase 2 SA policy not acceptable! (local 198.37.29.62 remote 129.213.169.148)
5w6d: ISAKMP: set new node -1661145704 to QM_IDLE
5w6d: ISAKMP:(2112):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 2305286168, message ID = 2633821592
5w6d: ISAKMP:(2112): sending packet to 129.213.169.148 my_port 500 peer_port 500 (R) QM_IDLE
5w6d: ISAKMP:(2112):Sending an IKE IPv4 Packet.
5w6d: ISAKMP:(2112):purging node -1661145704
5w6d: ISAKMP:(2112):deleting node 716084529 error TRUE reason "QM rejected"
5w6d: ISAKMP:(2112):Node 716084529, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
5w6d: ISAKMP:(2112):Old State = IKE_QM_READY New State = IKE_QM_READY
5w6d: ISAKMP (2112): received packet from 129.213.169.148 dport 500 sport 500 Global (R) QM_IDLE
5w6d: ISAKMP:(2112): phase 2 packet is a duplicate of a previous packet.
5w6d: ISAKMP:(2112): retransmitting due to retransmit phase 2
5w6d: ISAKMP:(2112): Quick Mode is being processed. Ignoring retransmission
5w6d: ISAKMP (2112): received packet from 129.213.169.148 dport 500 sport 500 Global (R) QM_IDLE
5w6d: ISAKMP:(2112): phase 2 packet is a duplicate of a previous packet.
5w6d: ISAKMP:(2112): retransmitting due to retransmit phase 2
5w6d: ISAKMP:(2112): Quick Mode is being processed. Ignoring retransmission
5w6d: ISAKMP (2112): received packet from 129.213.169.148 dport 500 sport 500 Global (R) QM_IDLE
5w6d: ISAKMP:(2112): phase 2 packet is a duplicate of a previous packet.
5w6d: ISAKMP:(2112): retransmitting due to retransmit phase 2
5w6d: ISAKMP:(2112): Quick Mode is being processed. Ignoring retransmission
5w6d: ISAKMP (2112): received packet from 129.213.169.148 dport 500 sport 500 Global (R) QM_IDLE
5w6d: ISAKMP:(2112): phase 2 packet is a duplicate of a previous packet.
5w6d: ISAKMP:(2112): retransmitting due to retransmit phase 2
5w6d: ISAKMP:(2112): Quick Mode is being processed. Ignoring retransmission
5w6d: ISAKMP:(0):purging SA., sa=8B4708D8, delme=8B4708D8
5w6d: ISAKMP (2112): received packet from 129.213.169.148 dport 500 sport 500 Global (R) QM_IDLE
5w6d: ISAKMP:(2112): phase 2 packet is a duplicate of a previous packet.
5w6d: ISAKMP:(2112): retransmitting due to retransmit phase 2
5w6d: ISAKMP:(2112): Quick Mode is being processed. Ignoring retransmission
5w6d: ISAKMP (2112): received packet from 129.213.169.148 dport 500 sport 500 Global (R) QM_IDLE
5w6d: ISAKMP:(2112): phase 2 packet is a duplicate of a previous packet.
5w6d: ISAKMP:(2112): retransmitting due to retransmit phase 2
5w6d: ISAKMP:(2112): Quick Mode is being processed. Ignoring retransmission
5w6d: ISAKMP:(2112):purging node 716084529
5w6d: ISAKMP:(0):purging SA., sa=8B474974, delme=8B474974
5w6d: ISAKMP (2112): received packet from 129.213.169.148 dport 500 sport 500 Global (R) QM_IDLE
5w6d: ISAKMP: set new node 784148521 to QM_IDLE
5w6d: ISAKMP:(2112): processing HASH payload. message ID = 784148521
5w6d: ISAKMP:(2112): processing DELETE payload. message ID = 784148521
5w6d: ISAKMP:(2112):peer does not do paranoid keepalives.

5w6d: ISAKMP:(2112):deleting SA reason "No reason" state (R) QM_IDLE (peer 129.213.169.148)
5w6d: ISAKMP:(2112):deleting node 784148521 error FALSE reason "Informational (in) state 1"
5w6d: IPSec: Key engine got a KEY_MGR_CHECK_MORE_SAS message
5w6d: ISAKMP (2112): IPSec has no more SA's with this peer. Won't keepalive phase 1.
5w6d: ISAKMP: set new node -275553074 to QM_IDLE
5w6d: ISAKMP:(2112): sending packet to 129.213.169.148 my_port 500 peer_port 500 (R) QM_IDLE
5w6d: ISAKMP:(2112):Sending an IKE IPv4 Packet.
5w6d: ISAKMP:(2112):purging node -275553074
5w6d: ISAKMP:(2112):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
5w6d: ISAKMP:(2112):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA

5w6d: ISAKMP:(2112):deleting SA reason "No reason" state (R) QM_IDLE (peer 129.213.169.148)
5w6d: ISAKMP: Unlocking peer struct 0x8B40FA64 for isadb_mark_sa_deleted(), count 0
5w6d: ISAKMP: Deleting peer node by peer_reap for 129.213.169.148: 8B40FA64
5w6d: ISAKMP:(2112):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
5w6d: ISAKMP:(2112):Old State = IKE_DEST_SA New State = IKE_DEST_SA

DavidGIP
Level 1
Level 1

5w6d: ISAKMP:(2112):purging node 784148521
5w6d: ISAKMP:(2112):purging SA., sa=8C577958, delme=8C577958

Hello


@DavidGIP wrote:
The IPSEC tunnel is showing up and active, but I cannot ping across the tunnel. I believe the issue is with the routing, but truthfully I am not sure. Any assistance would be greatly appreciated.

Looking at your configuration your nat statement isnt correct, it calling upon an access-list that doesn't exist plus you need to negate NAT from Lan-Lan clients connectivity, Additionally your static routes are recursive even though this is applicable would suggest to make them more definitive static routes.
.
no ip nat inside source list 1 interface FastEthernet4.89 overload
no ip nat pool Tantalus 198.37.29.62 198.37.29.62 netmask 255.255.255.252
no ip route 0.0.0.0 0.0.0.0 198.37.29.61
no ip route 108.59.208.0 255.255.240.0 10.1.1.1
no ip route 198.37.28.0 255.255.252.0 10.1.1.1

ip access-list extended LAN-LAN
deny ip 172.23.3.0 0.0.0.255  x.x.x.x y.y.y.y <other sites lan>
permit ip 172.23.3.0 0.0.0.255 any

route-map NOT-to-NAT
match ip address  LAN-LAN
ip nat inside source route-map NOT-to-NAT interface FastEthernet4.89 overload
ip route 0.0.0.0 0.0.0.0  FastEthernet4.89 198.37.29.61
ip route 108.59.208.0 255.255.240.0  FastEthernet4.210.1.1.1
ip route 198.37.28.0 255.255.252.0  FastEthernet4.2 10.1.1.1

 

Edited-
int vlan 88
ip nat inside

Edited-2
Apologies just also noticed your crypto-map ACL doesn't look correct either, this should state the lan ip subnet to be encrypted which it doesn't at present

access-list 100 permit ip 198.37.29.60 0.0.0.3 129.213.169.0 0.0.0.255

I believe it should read
no access-list 100 permit ip 198.37.29.60 0.0.0.3 129.213.169.0 0.0.0.255
access-list 100 permit 172.23.3.0 0.0.0.255  x.x.x.x y.y.y.y <other sites lan>


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

EugeniuB
Level 1
Level 1

Hi,

Based on debug output:

5w6d: ISAKMP:(2112): IPSec policy invalidated proposal with error 32
5w6d: ISAKMP:(2112): phase 2 SA policy not acceptable! (local 198.37.29.62 remote 129.213.169.148)
5w6d: ISAKMP: set new node -1661145704 to QM_IDLE

The Phase I passed successfully but You have problems with Phase II.

Either the encryption domain (VPN selector or ACL which should match the traffic which is supposed to be encrypted) doesn't math with the VPN peer, either the transform set doesn't match. 

Could You share the Access List for VPN of both routers ?

Best regards,

Eugene

 

Review Cisco Networking for a $25 gift card