11-13-2020 02:08 AM
Hello all,
I'm struggling to add a new Spoke to a DMVPN. This DMVPN network consists of one HUB and 4 Spokes in different locations. I have configured the new Spoke with exactly the same config as the current ones; however, while trying to initiate traffic I can see the output below.
HUB
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
2 37.153.245.138 172.16.0.14 UP 29w2d D
0 UNKNOWN 172.16.0.50 NHRP never IX
1 94.186.185.131 172.16.0.35 UP 24w5d D
1 51.163.192.172 172.16.0.46 UP 10w4d D
1 195.50.208.85 172.16.0.56 UP 3d10h D
Spoke
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 217.166.205.102 172.16.0.1 IKE 00:11:49 S
Can anyone provide me with some help on what that status means?
I'm pretty sure there is an issue with the IKE negotiation for phase 1.
HUB
nlsl-rtvpn01p#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
217.166.205.102 78.133.207.132 MM_KEY_EXCH 15282 ACTIVE
Spoke
dst src state conn-id status
217.166.205.102 78.133.207.132 MM_NO_STATE 4201 ACTIVE (deleted)
I would be able to provide further debug and config if needed
PS. This is a Production environment so I won't be able to apply any change on the HUB as this is working fine for other Spokes
Your help will be really appreciated
Thanks
Jaime Enrique Viera Arbelo | Senior Network Engineer | jame.viera@unit4.com
UNIT4 R&D Spain S.L.
Avd. del Conocimiento, s/n. Edificio I+D, 18100 Granada,
11-13-2020 02:48 AM
Hello @Unit4_cognizant,
Yes, the isakmp state is active; it should show up as QM_IDLE if working correctly.
Could you please post the crypto configuration and tunnel configuration of the hub and the recently added spoke?
Thank you.
Regards.
11-13-2020 03:38 AM
Hello Pigallo,
Thanks so much for your quick response. Below you can see the required info.
Crypto config
-------------------------------------------------------------------------------------
crypto isakmp policy 1
encr 3des
crypto ipsec transform-set dmvpn esp-aes esp-sha-hmac
mode tunnel
crypto ipsec profile dmvpn
set transform-set dmvpn
PS. Same crypto config in both HUB and Spoke
-------------------------------------------------------------------------------------
Tunnel Config
-------------------------------------------------------------------------------------
HUB
interface Tunnel0
ip flow monitor Netflow input
ip address 172.16.0.1 255.255.255.0
no ip redirects
ip mtu 1400
no ip next-hop-self eigrp 1
no ip split-horizon eigrp 1
ip nhrp authentication XXXXXXX
ip nhrp network-id XXXXXXXX
ip nhrp holdtime 300
ip nhrp redirect
ip tcp adjust-mss 1201
delay 1000
tunnel source GigabitEthernet0/0/1
tunnel mode gre multipoint
tunnel key XXXXXXXXXX
tunnel protection ipsec profile dmvpn
New SPOKE
interface Tunnel0
description Tunnel Hub1 NLSL
ip address 172.16.0.50 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1400
ip nhrp authentication XXXXXX
ip nhrp map 172.16.0.1 217.166.205.102
ip nhrp map multicast 217.166.205.102
ip nhrp network-id XXXXXXX
ip nhrp holdtime 300
ip nhrp nhs 172.16.0.1
ip tcp adjust-mss 1360
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel key XXXXXXX
tunnel protection ipsec profile dmvpn shared
-------------------------------------------------------------------------------------
As you can see, there isn't any PSK configured in the crypto config, but we do have a "tunnel key" configured on the interface; to be honest I'm not sure how it works, but it is working with the other spokes that way.
Thanks so much for your help and best regards,
11-13-2020 03:54 AM
Hello,
add 'ip nhrp shortcut' to the tunnel on the spoke.
11-13-2020 04:20 AM
Hello Georg,
Added it now but still failing
SPOKE
interface Tunnel0
description Tunnel Hub1 NLSL
ip address 172.16.0.50 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1400
ip nhrp authentication XXXXXXX
ip nhrp map 172.16.0.1 217.166.205.102
ip nhrp map multicast 217.166.205.102
ip nhrp network-id XXXXXXX
ip nhrp holdtime 300
ip nhrp nhs 172.16.0.1
ip nhrp registration no-unique
ip nhrp shortcut
ip tcp adjust-mss 1360
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel key XXXXXXX
tunnel protection ipsec profile dmvpn
SPOKE
Type:Spoke, NHRP Peers:1,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 217.166.205.102 172.16.0.1 IKE 00:37:02 S
HUB
Type:Hub, NHRP Peers:4,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
2 37.153.245.138 172.16.0.14 UP 29w2d D
0 UNKNOWN 172.16.0.50 NHRP never IX
1 94.186.185.131 172.16.0.35 UP 24w5d D
1 51.163.192.172 172.16.0.46 UP 10w5d D
1 195.50.208.85 172.16.0.56 UP 3d13h D
11-13-2020 04:28 AM
Hello,
The tcp adjust-mss value on the hub is 1201; is this on purpose? Not sure what you have configured on the other spokes, but make sure these values match on hub and spoke.
Can you post the full running configs of both the hub and the spoke, so I can lab this?
11-13-2020 04:52 AM - edited 11-13-2020 04:55 AM
Sure, attached you can see both running-configs.
Thanks so much for checking on this and trying to help me out to find the root cause.
I'm also debugging IPSEC, and below you can see some outputs.
------------------------------------------------------------------------------------------
*Nov 13 10:04:10.052: ISAKMP: Created a peer struct for 217.166.205.102, peer port 500
*Nov 13 10:04:10.052: ISAKMP: New peer created peer = 0x327209EC peer_handle = 0x8002B4B4
*Nov 13 10:04:10.052: ISAKMP: Locking peer struct 0x327209EC, refcount 1 for isakmp_initiator
*Nov 13 10:04:10.052: ISAKMP: local port 500, remote port 500
*Nov 13 10:04:10.052: ISAKMP: set new node 0 to QM_IDLE
*Nov 13 10:04:10.052: ISAKMP:(0):insert sa successfully sa = 2B5CB13C
*Nov 13 10:04:10.052: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Nov 13 10:04:10.052: ISAKMP:(0):No pre-shared key with 217.166.205.102!
*Nov 13 10:04:10.052: ISAKMP:(0): IKE->PKI Get configured TrustPoints state (I) MM_NO_STATE (peer 217.166.205.102)
*Nov 13 10:04:10.052: ISAKMP:(0): PKI->IKE Got configured TrustPoints state (I) MM_NO_STATE (peer 217.166.205.102)
*Nov 13 10:04:10.052: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Nov 13 10:04:10.052: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Nov 13 10:04:10.052: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Nov 13 10:04:10.052: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Nov 13 10:04:10.052: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Nov 13 10:04:10.052: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
*Nov 13 10:04:10.052: ISAKMP:(0): beginning Main Mode exchange
*Nov 13 10:04:10.052: ISAKMP:(0): sending packet to 217.166.205.102 my_port 500 peer_port 500 (I) MM_NO_STATE
*Nov 13 10:04:10.052: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Nov 13 10:04:10.096: ISAKMP (0): received packet from 217.166.205.102 dport 500 sport 500 Global (I) MM_NO_STATE
*Nov 13 10:04:10.096: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Nov 13 10:04:10.096: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2
*Nov 13 10:04:10.096: ISAKMP:(0): processing SA payload. message ID = 0
*Nov 13 10:04:10.096: ISAKMP:(0): processing vendor id payload
*Nov 13 10:04:10.096: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Nov 13 10:04:10.100: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Nov 13 10:04:10.100: ISAKMP:(0):No pre-shared key with 217.166.205.102!
*Nov 13 10:04:10.100: ISAKMP : Scanning profiles for xauth ... oracle-vpn-130.61.6.54
*Nov 13 10:04:10.100: ISAKMP:(0): IKE->PKI Get configured TrustPoints state (I) MM_NO_STATE (peer 217.166.205.102)
*Nov 13 10:04:10.100: ISAKMP:(0): PKI->IKE Got configured TrustPoints state (I) MM_NO_STATE (peer 217.166.205.102)
*Nov 13 10:04:10.100: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Nov 13 10:04:10.100: ISAKMP: encryption 3DES-CBC
*Nov 13 10:04:10.100: ISAKMP: hash SHA
*Nov 13 10:04:10.100: ISAKMP: default group 1
*Nov 13 10:04:10.100: ISAKMP: auth RSA sig
*Nov 13 10:04:10.100: ISAKMP: life type in seconds
*Nov 13 10:04:10.100: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*Nov 13 10:04:10.100: ISAKMP:(0):atts are acceptable. Next payload is 0
*Nov 13 10:04:10.100: ISAKMP:(0):Acceptable atts:actual life: 0
*Nov 13 10:04:10.100: ISAKMP:(0):Acceptable atts:life: 0
*Nov 13 10:04:10.100: ISAKMP:(0):Fill atts in sa vpi_length:4
*Nov 13 10:04:10.100: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
*Nov 13 10:04:10.100: ISAKMP:(0): IKE->PKI Start PKI Session state (I) MM_NO_STATE (peer 217.166.205.102)
*Nov 13 10:04:10.100: ISAKMP:(0): PKI->IKE Started PKI Session state (I) MM_NO_STATE (peer 217.166.205.102)
*Nov 13 10:04:10.100: ISAKMP:(0):Returning Actual lifetime: 86400
*Nov 13 10:04:10.100: ISAKMP:(0)::Started lifetime timer: 86400.
*Nov 13 10:04:10.100: ISAKMP:(0): processing vendor id payload
*Nov 13 10:04:10.100: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Nov 13 10:04:10.100: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Nov 13 10:04:10.100: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Nov 13 10:04:10.100: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2
*Nov 13 10:04:10.100: ISAKMP:(0): IKE->PKI Get configured TrustPoints state (I) MM_SA_SETUP (peer 217.166.205.102)
*Nov 13 10:04:10.100: ISAKMP:(0): PKI->IKE Got configured TrustPoints state (I) MM_SA_SETUP (peer 217.166.205.102)
*Nov 13 10:04:10.100: ISAKMP:(0): IKE->PKI Get IssuerNames state (I) MM_SA_SETUP (peer 217.166.205.102)
*Nov 13 10:04:10.100: ISAKMP:(0): PKI->IKE Got IssuerNames state (I) MM_SA_SETUP (peer 217.166.205.102)
*Nov 13 10:04:10.100: ISAKMP:(0): sending packet to 217.166.205.102 my_port 500 peer_port 500 (I) MM_SA_SETUP
*Nov 13 10:04:10.100: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Nov 13 10:04:10.100: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Nov 13 10:04:10.100: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3
*Nov 13 10:04:10.148: ISAKMP (0): received packet from 217.166.205.102 dport 500 sport 500 Global (I) MM_SA_SETUP
*Nov 13 10:04:10.148: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Nov 13 10:04:10.148: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4
*Nov 13 10:04:10.148: ISAKMP:(0): processing KE payload. message ID = 0
*Nov 13 10:04:10.164: ISAKMP:(0): processing NONCE payload. message ID = 0
*Nov 13 10:04:10.164: ISAKMP:(4214): processing vendor id payload
*Nov 13 10:04:10.164: ISAKMP:(4214): vendor ID is Unity
*Nov 13 10:04:10.164: ISAKMP:(4214): processing vendor id payload
*Nov 13 10:04:10.164: ISAKMP:(4214): vendor ID is DPD
*Nov 13 10:04:10.164: ISAKMP:(4214): processing vendor id payload
*Nov 13 10:04:10.164: ISAKMP:(4214): speaking to another IOS box!
*Nov 13 10:04:10.164: ISAKMP:received payload type 20
*Nov 13 10:04:10.164: ISAKMP (4214): His hash no match - this node outside NAT
*Nov 13 10:04:10.164: ISAKMP:received payload type 20
*Nov 13 10:04:10.164: ISAKMP (4214): No NAT Found for self or peer
*Nov 13 10:04:10.164: ISAKMP:(4214):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Nov 13 10:04:10.164: ISAKMP:(4214):Old State = IKE_I_MM4 New State = IKE_I_MM4
*Nov 13 10:04:10.164: ISAKMP:(4214):Send initial contact
*Nov 13 10:04:10.164: ISAKMP:(4214): processing CERT_REQ payload. message ID = 0
*Nov 13 10:04:10.164: ISAKMP:(4214): peer wants a CT_X509_SIGNATURE cert
*Nov 13 10:04:10.164: ISAKMP:(4214): peer wants cert issued by cn=u4agr,l=Sliedrecht,c=NL
*Nov 13 10:04:10.164: ISAKMP:(4214): issuer name is not a trusted root.
*Nov 13 10:04:10.164: ISAKMP:(4214): IKE->PKI Get self CertificateChain state (I) MM_KEY_EXCH (peer 217.166.205.102)
*Nov 13 10:04:10.164: ISAKMP:(4214): PKI->IKE Got self CertificateChain state (I) MM_KEY_EXCH (peer 217.166.205.102)
*Nov 13 10:04:10.164: ISAKMP:(4214):Unable to get router cert or routerdoes not have a cert: needed to find DN!
*Nov 13 10:04:10.164: ISAKMP:(4214):SA is doing RSA signature authentication using id type ID_IPV4_ADDR
*Nov 13 10:04:10.164: ISAKMP (4214): ID payload
next-payload : 6
type : 1
address : 78.133.207.132
protocol : 17
port : 500
length : 12
*Nov 13 10:04:10.164: ISAKMP:(4214):Total payload length: 12
*Nov 13 10:04:10.164: ISAKMP:(4214): no valid cert found to return
*Nov 13 10:04:10.164: ISAKMP: set new node 1277181464 to QM_IDLE
*Nov 13 10:04:10.164: ISAKMP:(4214):Sending NOTIFY CERTIFICATE_UNAVAILABLE protocol 1
spi 0, message ID = 1277181464
*Nov 13 10:04:10.164: ISAKMP:(4214): sending packet to 217.166.205.102 my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Nov 13 10:04:10.164: ISAKMP:(4214):Sending an IKE IPv4 Packet.
*Nov 13 10:04:10.164: ISAKMP:(4214):purging node 1277181464
*Nov 13 10:04:10.164: ISAKMP (4214): FSM action returned error: 2
*Nov 13 10:04:10.164: ISAKMP:(4214):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Nov 13 10:04:10.164: ISAKMP:(4214):Old State = IKE_I_MM4 New State = IKE_I_MM5
*Nov 13 10:04:10.720: %SYS-5-CONFIG_I: Configured from console by gsscnetl2 on vty3 (10.100.147.205)
*Nov 13 10:04:12.048: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
*Nov 13 10:04:12.048: %LINK-3-UPDOWN: Interface Tunnel0, changed state to up
*Nov 13 10:04:18.980: ISAKMP:(1971):purging node -2066544485
*Nov 13 10:04:20.100: ISAKMP:(4214): no outgoing phase 1 packet to retransmit. MM_KEY_EXCH
*Nov 13 10:04:20.148: ISAKMP (4214): received packet from 217.166.205.102 dport 500 sport 500 Global (I) MM_KEY_EXCH
*Nov 13 10:04:20.148: ISAKMP:(4214): phase 1 packet is a duplicate of a previous packet.
*Nov 13 10:04:20.148: ISAKMP:(4214): retransmitting due to retransmit phase 1
*Nov 13 10:04:20.148: ISAKMP:(4214): no outgoing phase 1 packet to retransmit. MM_KEY_EXCH
*Nov 13 10:04:21.064: ISAKMP (1971): received packet from 130.61.6.54 dport 500 sport 500 Global (R) QM_IDLE
*Nov 13 10:04:21.064: ISAKMP: set new node 2115747652 to QM_IDLE
*Nov 13 10:04:21.064: ISAKMP:(1971): processing HASH payload. message ID = 2115747652
*Nov 13 10:04:21.068: ISAKMP:(1971): processing NOTIFY DPD/R_U_THERE protocol 1
spi 0, message ID = 2115747652, sa = 0x32E256F8
*Nov 13 10:04:21.068: ISAKMP:(1971):deleting node 2115747652 error FALSE reason "Informational (in) state 1"
*Nov 13 10:04:21.068: ISAKMP:(1971):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Nov 13 10:04:21.068: ISAKMP:(1971):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Nov 13 10:04:21.068: ISAKMP:(1971):DPD/R_U_THERE received from peer 130.61.6.54, sequence 0xE63B80
*Nov 13 10:04:21.068: ISAKMP: set new node -1715327776 to QM_IDLE
*Nov 13 10:04:21.068: ISAKMP:(1971):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
spi 833864544, message ID = 2579639520
*Nov 13 10:04:21.068: ISAKMP:(1971): seq. no 0xE63B80
*Nov 13 10:04:21.068: ISAKMP:(1971): sending packet to 130.61.6.54 my_port 500 peer_port 500 (R) QM_IDLE
*Nov 13 10:04:21.068: ISAKMP:(1971):Sending an IKE IPv4 Packet.
*Nov 13 10:04:21.068: ISAKMP:(1971):purging node -1715327776
*Nov 13 10:04:21.068: ISAKMP:(1971):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
*Nov 13 10:04:21.068: ISAKMP:(1971):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Nov 13 10:04:30.148: ISAKMP (4214): received packet from 217.166.205.102 dport 500 sport 500 Global (I) MM_KEY_EXCH
*Nov 13 10:04:30.148: ISAKMP:(4214): phase 1 packet is a duplicate of a previous packet.
*Nov 13 10:04:30.148: ISAKMP:(4214): retransmitting due to retransmit phase 1
*Nov 13 10:04:30.148: ISAKMP:(4214): no outgoing phase 1 packet to retransmit. MM_KEY_EXCH
*Nov 13 10:04:30.992: ISAKMP:(1971):purging node -891759503
*Nov 13 10:04:33.060: ISAKMP (1971): received packet from 130.61.6.54 dport 500 sport 500 Global (R) QM_IDLE
*Nov 13 10:04:33.060: ISAKMP: set new node 958917937 to QM_IDLE
*Nov 13 10:04:33.060: ISAKMP:(1971): processing HASH payload. message ID = 958917937
*Nov 13 10:04:33.060: ISAKMP:(1971): processing NOTIFY DPD/R_U_THERE protocol 1
spi 0, message ID = 958917937, sa = 0x32E256F8
*Nov 13 10:04:33.060: ISAKMP:(1971):deleting node 958917937 error FALSE reason "Informational (in) state 1"
*Nov 13 10:04:33.060: ISAKMP:(1971):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Nov 13 10:04:33.060: ISAKMP:(1971):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Nov 13 10:04:33.060: ISAKMP:(1971):DPD/R_U_THERE received from peer 130.61.6.54, sequence 0xE63B81
*Nov 13 10:04:33.060: ISAKMP: set new node -385646365 to QM_IDLE
*Nov 13 10:04:33.060: ISAKMP:(1971):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
spi 833864544, message ID = 3909320931
*Nov 13 10:04:33.060: ISAKMP:(1971): seq. no 0xE63B81
*Nov 13 10:04:33.060: ISAKMP:(1971): sending packet to 130.61.6.54 my_port 500 peer_port 500 (R) QM_IDLE
*Nov 13 10:04:33.060: ISAKMP:(1971):Sending an IKE IPv4 Packet.
*Nov 13 10:04:33.060: ISAKMP:(1971):purging node -385646365
*Nov 13 10:04:33.060: ISAKMP:(1971):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
*Nov 13 10:04:33.060: ISAKMP:(1971):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Nov 13 10:04:40.052: ISAKMP: set new node 0 to QM_IDLE
*Nov 13 10:04:40.052: ISAKMP:(4214):SA is still budding. Attached new ipsec request to it. (local 78.133.207.132, remote 217.166.205.102)
*Nov 13 10:04:40.052: ISAKMP: Error while processing SA request: Failed to initialize SA
*Nov 13 10:04:40.052: ISAKMP: Error while processing KMI message 0, error 2.
*Nov 13 10:04:40.148: ISAKMP (4214): received packet from 217.166.205.102 dport 500 sport 500 Global (I) MM_KEY_EXCH
*Nov 13 10:04:40.148: ISAKMP:(4214): phase 1 packet is a duplicate of a previous packet.
*Nov 13 10:04:40.148: ISAKMP:(4214): retransmitting due to retransmit phase 1
*Nov 13 10:04:40.148: ISAKMP:(4214): no outgoing phase 1 packet to retransmit. MM_KEY_EXCH
*Nov 13 10:04:44.008: ISAKMP:(1971):purging node -1710994298
*Nov 13 10:04:45.072: ISAKMP (1971): received packet from 130.61.6.54 dport 500 sport 500 Global (R) QM_IDLE
*Nov 13 10:04:45.072: ISAKMP: set new node 1349396366 to QM_IDLE
*Nov 13 10:04:45.072: ISAKMP:(1971): processing HASH payload. message ID = 1349396366
*Nov 13 10:04:45.072: ISAKMP:(1971): processing NOTIFY DPD/R_U_THERE protocol 1
spi 0, message ID = 1349396366, sa = 0x32E256F8
*Nov 13 10:04:45.072: ISAKMP:(1971):deleting node 1349396366 error FALSE reason "Informational (in) state 1"
*Nov 13 10:04:45.072: ISAKMP:(1971):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Nov 13 10:04:45.072: ISAKMP:(1971):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Nov 13 10:04:45.076: ISAKMP:(1971):DPD/R_U_THERE received from peer 130.61.6.54, sequence 0xE63B82
*Nov 13 10:04:45.076: ISAKMP: set new node 1819032585 to QM_IDLE
*Nov 13 10:04:45.076: ISAKMP:(1971):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
spi 833864544, message ID = 1819032585
*Nov 13 10:04:45.076: ISAKMP:(1971): seq. no 0xE63B82
*Nov 13 10:04:45.076: ISAKMP:(1971): sending packet to 130.61.6.54 my_port 500 peer_port 500 (R) QM_IDLE
*Nov 13 10:04:45.076: ISAKMP:(1971):Sending an IKE IPv4 Packet.
*Nov 13 10:04:45.076: ISAKMP:(1971):purging node 1819032585
*Nov 13 10:04:45.076: ISAKMP:(1971):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
*Nov 13 10:04:45.076: ISAKMP:(1971):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Nov 13 10:04:50.148: ISAKMP (4214): received packet from 217.166.205.102 dport 500 sport 500 Global (I) MM_KEY_EXCH
*Nov 13 10:04:50.148: ISAKMP:(4214): phase 1 packet is a duplicate of a previous packet.
*Nov 13 10:04:50.148: ISAKMP:(4214): retransmitting due to retransmit phase 1
*Nov 13 10:04:50.148: ISAKMP:(4214): no outgoing phase 1 packet to retransmit. MM_KEY_EXCH
*Nov 13 10:04:58.028: ISAKMP:(1971):purging node 1226544980
*Nov 13 10:04:58.088: ISAKMP (1971): received packet from 130.61.6.54 dport 500 sport 500 Global (R) QM_IDLE
*Nov 13 10:04:58.088: ISAKMP: set new node -1807394006 to QM_IDLE
*Nov 13 10:04:58.088: ISAKMP:(1971): processing HASH payload. message ID = 2487573290
*Nov 13 10:04:58.088: ISAKMP:(1971): processing NOTIFY DPD/R_U_THERE protocol 1
spi 0, message ID = 2487573290, sa = 0x32E256F8
*Nov 13 10:04:58.088: ISAKMP:(1971):deleting node -1807394006 error FALSE reason "Informational (in) state 1"
*Nov 13 10:04:58.088: ISAKMP:(1971):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Nov 13 10:04:58.088: ISAKMP:(1971):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Nov 13 10:04:58.088: ISAKMP:(1971):DPD/R_U_THERE received from peer 130.61.6.54, sequence 0xE63B83
*Nov 13 10:04:58.088: ISAKMP: set new node 2051266433 to QM_IDLE
*Nov 13 10:04:58.088: ISAKMP:(1971):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
spi 833864544, message ID = 2051266433
*Nov 13 10:04:58.088: ISAKMP:(1971): seq. no 0xE63B83
------------------------------------------------------------------------------------------
Again thanks so much
11-13-2020 07:13 AM
Hello Jaime,
Your current spokes use certificates instead of a preshared key; the tunnel key is just a way to identify a GRE tunnel, not a form of authentication.
See the following debug lines:
*Nov 13 10:04:10.164: ISAKMP:(4214): processing CERT_REQ payload. message ID = 0
*Nov 13 10:04:10.164: ISAKMP:(4214): peer wants a CT_X509_SIGNATURE cert
*Nov 13 10:04:10.164: ISAKMP:(4214): peer wants cert issued by cn=u4agr,l=Sliedrecht,c=NL
*Nov 13 10:04:10.164: ISAKMP:(4214): issuer name is not a trusted root.
You need to get a certificate for the new router signed by the same CA, and you also need the CA certificate to be installed on your new Spoke.
Hope to help
Giuseppe
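Giuseppe's diagnosis, together with Pigallo's earlier note that a healthy peer shows QM_IDLE, can be turned into a small triage script. The Python below is an added example written for this thread, not code from Cisco or from any of the posters. Its sample inputs are trimmed copies of the `show dmvpn`, `show crypto isakmp sa` and `debug crypto isakmp` lines posted above (addresses as posted); the regexes, the State-column table and the verdict names are the script's own assumptions, not an IOS API.

```python
"""Triage a DMVPN spoke stuck in the IKE state (added example, not Cisco code).

Parses `show dmvpn`, `show crypto isakmp sa` and `debug crypto isakmp` text
and reports why IKE phase 1 does not complete. Regexes, state table and
verdict names are this script's own; sample inputs are constructed from
the outputs posted in the thread.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Meaning of the State column in the `show dmvpn` peer table (assumed mapping).
DMVPN_STATE = {
    "IKE": "IKE phase 1 still negotiating, IPsec and NHRP not up",
    "IPSEC": "phase 1 done, IPsec SA still negotiating",
    "NHRP": "crypto done but NHRP registration with the NHS not complete",
    "UP": "IPsec and NHRP complete",
}

# A data row has six columns; header and ruler lines never start with a digit.
PEER_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\w+)\s+(\S+)\s+(\S+)\s*$")
# dst src state conn-id status
ISAKMP_SA_RE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\d+)\s+(.+?)\s*$")

# Debug lines that pin a phase 1 failure on missing PKI material.
DEBUG_SIGNATURES = [
    ("no_psk", r"No pre-shared key with (\S+)!"),
    ("auth_rsa_sig", r"auth RSA sig"),
    ("peer_ca", r"peer wants cert issued by (.+)$"),
    ("issuer_untrusted", r"issuer name is not a trusted root"),
    ("no_local_cert", r"Unable to get router cert or router ?does not have a cert"),
    ("cert_unavailable", r"NOTIFY CERTIFICATE_UNAVAILABLE"),
]


@dataclass
class DmvpnPeer:
    entries: int
    nbma: str
    tunnel: str
    state: str
    updown: str
    attrb: str


def parse_show_dmvpn(text: str) -> List[DmvpnPeer]:
    """Return one DmvpnPeer per data row of a `show dmvpn` table."""
    peers = []
    for line in text.splitlines():
        m = PEER_RE.match(line)
        if m:
            ent, nbma, tun, state, updn, attrb = m.groups()
            peers.append(DmvpnPeer(int(ent), nbma, tun, state, updn, attrb))
    return peers


def phase1_complete(isakmp_sa_text: str, peer: str) -> bool:
    """True only if `show crypto isakmp sa` lists the peer's SA in QM_IDLE."""
    for line in isakmp_sa_text.splitlines():
        m = ISAKMP_SA_RE.match(line)
        if m and peer in (m.group(1), m.group(2)):
            return m.group(3) == "QM_IDLE"
    return False


def triage_isakmp_debug(text: str) -> Dict[str, object]:
    """First match of each signature: the captured group, or True if none."""
    found: Dict[str, object] = {}
    for line in text.splitlines():
        for key, pat in DEBUG_SIGNATURES:
            if key in found:
                continue
            m = re.search(pat, line)
            if m:
                found[key] = m.group(1).strip() if m.groups() else True
    return found


def diagnose(dmvpn_text: str, debug_text: str) -> Dict[str, object]:
    """Combine the peer table with the debug evidence into one verdict."""
    peers = parse_show_dmvpn(dmvpn_text)
    stuck = [p for p in peers if p.state != "UP"]
    facts = triage_isakmp_debug(debug_text)
    if any(p.state == "IKE" for p in stuck):
        if "auth_rsa_sig" in facts and ("no_local_cert" in facts or "issuer_untrusted" in facts):
            verdict = "phase1_cert_missing"  # needs CA cert + router cert from that CA
        elif "no_psk" in facts and "auth_rsa_sig" not in facts:
            verdict = "phase1_psk_missing"
        else:
            verdict = "phase1_stalled"
    elif stuck:
        verdict = "crypto_ok_nhrp_pending"
    else:
        verdict = "ok"
    return {
        "verdict": verdict,
        "stuck": [(p.tunnel, p.state, DMVPN_STATE.get(p.state, "unknown state")) for p in stuck],
        "peer_ca": facts.get("peer_ca"),
    }


# Constructed samples, trimmed from the outputs posted in the thread.
SPOKE_DMVPN = """\
 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 217.166.205.102      172.16.0.1   IKE 00:37:02     S
"""
SPOKE_ISAKMP_SA = """\
dst             src             state          conn-id status
217.166.205.102 78.133.207.132  MM_NO_STATE       4201 ACTIVE (deleted)
"""
SPOKE_DEBUG = """\
*Nov 13 10:04:10.052: ISAKMP:(0):No pre-shared key with 217.166.205.102!
*Nov 13 10:04:10.100: ISAKMP:      auth RSA sig
*Nov 13 10:04:10.164: ISAKMP:(4214): peer wants cert issued by cn=u4agr,l=Sliedrecht,c=NL
*Nov 13 10:04:10.164: ISAKMP:(4214): issuer name is not a trusted root.
*Nov 13 10:04:10.164: ISAKMP:(4214):Unable to get router cert or routerdoes not have a cert: needed to find DN!
*Nov 13 10:04:10.164: ISAKMP:(4214):Sending NOTIFY CERTIFICATE_UNAVAILABLE protocol 1
"""
```

Feed it the real `show dmvpn`, `show crypto isakmp sa` and debug output captured on the spoke: a `phase1_cert_missing` verdict together with the `peer_ca` value names the CA the hub expects the spoke's certificate to chain to, which is exactly the fix Giuseppe describes. The `no_psk` line on its own is not the fault; it only matters when the policy is not doing RSA signatures, which is why the verdict checks both.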
11-13-2020 07:44 AM
Hello Giuseppe,
Thanks so much for your findings
Will keep you posted
11-17-2020 03:21 AM
Hello Giuseppe,
Thanks so much for your finding; indeed the issue was because of the missing certificate. Now we have installed the certificate and the DMVPN is working with the new SPOKE.
Interface: Tunnel0, IPv4 NHRP Details
Type:Hub, NHRP Peers:5,
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 37.153.245.138 172.16.0.14 UP 3d11h D
1 94.186.185.131 172.16.0.35 UP 25w2d D
1 51.163.192.172 172.16.0.46 UP 11w2d D
1 78.133.207.132 172.16.0.50 UP 01:31:28 D
1 195.50.208.85 172.16.0.56 UP 1d23h D
I really appreciate your help, and thanks also to everyone who provided input.
Best Regards,
11-13-2020 07:08 AM
Hello,
Thanks for the response; anyway, it doesn't necessarily need to be in transport mode, as we do have 3 other SPOKEs working in tunnel mode without any issue.
That shouldn't be a condition for IKE to negotiate.
Regards,