Peer does not do paranoid keepalives

Paul Smith
Level 1

Hey guys,

I have a Cisco 1920 and I am connecting to an IBM SOC Cisco ASA. I have no control over the ASA, although I have access to a read-only version of the config. I am using the ISAKMP, IPSEC and tunnel interface setup, whereas they appear to be using the crypto map style of setup. The tunnel will not come up and debugging shows 'peer does not do paranoid keepalives'. Any clues?

ASA Version 9.4(2)11

interface GigabitEthernet0/1.802
description ASA to ASR Internet Side
vlan 802
nameif outside
security-level 0
ip address 144.140.xxx.xxx 255.255.255.248 standby 144.140.xxx.xxx

crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map OUTSIDE-MAP 10 match address Peer-103.225.xxx.xxx-ACL
crypto map OUTSIDE-MAP 10 set pfs
crypto map OUTSIDE-MAP 10 set peer 103.225.xxx.xxx
crypto map OUTSIDE-MAP 10 set ikev1 transform-set ESP-AES-SHA
crypto map OUTSIDE-MAP 10 set security-association lifetime seconds 7200
crypto map OUTSIDE-MAP interface outside
crypto ca trustpoint vpn.xxxxxxx.com.au
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 28800
tunnel-group 103.225.xxx.xxx type ipsec-l2l
tunnel-group 103.225.xxx.xxx ipsec-attributes
ikev1 pre-shared-key 9RECaYBLKxxxxxxxx

CISCO 1900 SIDE

rtr01#sh run | sect cryp
service password-encryption
crypto keyring key-belsoc
local-address GigabitEthernet0/0.2000
pre-shared-key address 144.140.xxx.xxx key 9RECaYBLKxxxxxxxx
crypto isakmp policy 200
encr aes
authentication pre-share
group 2
lifetime 28800
crypto isakmp profile isk-belsoc
keyring key-belsoc
match identity address 144.140.xxx.xxx 255.255.255.255
local-address GigabitEthernet0/0.2000
crypto ipsec transform-set tset-belsoc esp-aes esp-sha-hmac
mode tunnel
crypto ipsec profile ipsecprof-belsoc
set security-association lifetime seconds 7200
set transform-set tset-belsoc
set pfs group1

interface Tunnel1
ip address 169.254.34.230 255.255.255.252
tunnel source GigabitEthernet0/0.2000
tunnel mode ipsec ipv4
tunnel destination 144.140.xxx.xxx
tunnel protection ipsec profile ipsecprof-belsoc

6 Replies

Aditya Ganjoo
Cisco Employee

Hi Paul,

You can try disabling the keepalives on ASA and then check.

If that's not possible please take a UDP 500 capture for the public IP's on either of the devices.

And also complete debugs for the VPN:

debug cry isa

debug cry ips

Regards,

Aditya

Unfortunately I have no control over the ASA. The customer is paying IBM to host :(

Hi Paul,

Can we at least get the debugs from the router?

Regards,

Aditya

Sure;

Jul 9 00:32:37: %SYS-5-CONFIG_I: Configured from console by nwtech on vty0 (144.140.xxx.xxx)
Jul 9 00:32:54.601 AEST: ISAKMP:(0): SA request profile is (NULL)
Jul 9 00:32:54.601 AEST: ISAKMP: Created a peer struct for 144.140.xxx.xxx, peer port 500
Jul 9 00:32:54.601 AEST: ISAKMP: New peer created peer = 0x3229EFAC peer_handle = 0x80000539
Jul 9 00:32:54.601 AEST: ISAKMP: Locking peer struct 0x3229EFAC, refcount 1 for isakmp_initiator
Jul 9 00:32:54.601 AEST: ISAKMP: local port 500, remote port 500
Jul 9 00:32:54.601 AEST: ISAKMP: set new node 0 to QM_IDLE
Jul 9 00:32:54.601 AEST: ISAKMP:(0):insert sa successfully sa = 322C6A60
Jul 9 00:32:54.601 AEST: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
Jul 9 00:32:54.601 AEST: ISAKMP:(0):found peer pre-shared key matching 144.140.xxx.xxx
Jul 9 00:32:54.601 AEST: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
Jul 9 00:32:54.601 AEST: ISAKMP:(0): constructed NAT-T vendor-07 ID
Jul 9 00:32:54.601 AEST: ISAKMP:(0): constructed NAT-T vendor-03 ID
Jul 9 00:32:54.601 AEST: ISAKMP:(0): constructed NAT-T vendor-02 ID
Jul 9 00:32:54.601 AEST: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Jul 9 00:32:54.601 AEST: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1

Jul 9 00:32:54.601 AEST: ISAKMP:(0): beginning Main Mode exchange
Jul 9 00:32:54.605 AEST: ISAKMP:(0): sending packet to 144.140.xxx.xxx my_port 500 peer_port 500 (I) MM_NO_STATE
Jul 9 00:32:54.605 AEST: ISAKMP:(0):Sending an IKE IPv4 Packet.
Jul 9 00:32:54.629 AEST: ISAKMP (0): received packet from 144.140.xxx.xxx dport 500 sport 500 Global (I) MM_NO_STATE
Jul 9 00:32:54.629 AEST: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jul 9 00:32:54.629 AEST: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2

Jul 9 00:32:54.629 AEST: ISAKMP:(0): processing SA payload. message ID = 0
Jul 9 00:32:54.629 AEST: ISAKMP:(0): processing vendor id payload
Jul 9 00:32:54.629 AEST: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
Jul 9 00:32:54.629 AEST: ISAKMP (0): vendor ID is NAT-T RFC 3947
Jul 9 00:32:54.629 AEST: ISAKMP:(0): processing vendor id payload
Jul 9 00:32:54.629 AEST: ISAKMP:(0): processing IKE frag vendor id payload
Jul 9 00:32:54.629 AEST: ISAKMP:(0):Support for IKE Fragmentation not enabled
Jul 9 00:32:54.633 AEST: ISAKMP:(0):found peer pre-shared key matching 144.140.xxx.xxx
Jul 9 00:32:54.633 AEST: ISAKMP:(0): local preshared key found
Jul 9 00:32:54.633 AEST: ISAKMP : Scanning profiles for xauth ... isk-belsoc
Jul 9 00:32:54.633 AEST: ISAKMP:(0):Checking ISAKMP transform 1 against priority 200 policy
Jul 9 00:32:54.633 AEST: ISAKMP: encryption AES-CBC
Jul 9 00:32:54.633 AEST: ISAKMP: keylength of 128
Jul 9 00:32:54.633 AEST: ISAKMP: hash SHA
Jul 9 00:32:54.633 AEST: ISAKMP: default group 2
Jul 9 00:32:54.633 AEST: ISAKMP: auth pre-share
Jul 9 00:32:54.633 AEST: ISAKMP: life type in seconds
Jul 9 00:32:54.633 AEST: ISAKMP: life duration (basic) of 28800
Jul 9 00:32:54.633 AEST: ISAKMP:(0):atts are acceptable. Next payload is 0
Jul 9 00:32:54.633 AEST: ISAKMP:(0):Acceptable atts:actual life: 0
Jul 9 00:32:54.633 AEST: ISAKMP:(0):Acceptable atts:life: 0
Jul 9 00:32:54.633 AEST: ISAKMP:(0):Basic life_in_seconds:28800
Jul 9 00:32:54.633 AEST: ISAKMP:(0):Returning Actual lifetime: 28800
Jul 9 00:32:54.633 AEST: ISAKMP:(0)::Started lifetime timer: 28800.

Jul 9 00:32:54.633 AEST: ISAKMP:(0): processing vendor id payload
Jul 9 00:32:54.633 AEST: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
Jul 9 00:32:54.633 AEST: ISAKMP (0): vendor ID is NAT-T RFC 3947
Jul 9 00:32:54.633 AEST: ISAKMP:(0): processing vendor id payload
Jul 9 00:32:54.633 AEST: ISAKMP:(0): processing IKE frag vendor id payload
Jul 9 00:32:54.633 AEST: ISAKMP:(0):Support for IKE Fragmentation not enabled
Jul 9 00:32:54.633 AEST: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Jul 9 00:32:54.633 AEST: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2

Jul 9 00:32:54.633 AEST: ISAKMP:(0): sending packet to 144.140.xxx.xxx my_port 500 peer_port 500 (I) MM_SA_SETUP
Jul 9 00:32:54.633 AEST: ISAKMP:(0):Sending an IKE IPv4 Packet.
Jul 9 00:32:54.633 AEST: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Jul 9 00:32:54.633 AEST: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3

Jul 9 00:32:54.661 AEST: ISAKMP (0): received packet from 144.140.xxx.xxx dport 500 sport 500 Global (I) MM_SA_SETUP
Jul 9 00:32:54.661 AEST: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jul 9 00:32:54.661 AEST: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4

Jul 9 00:32:54.661 AEST: ISAKMP:(0): processing KE payload. message ID = 0
Jul 9 00:32:54.693 AEST: ISAKMP:(0): processing NONCE payload. message ID = 0
Jul 9 00:32:54.693 AEST: ISAKMP:(0):found peer pre-shared key matching 144.140.xxx.xxx
Jul 9 00:32:54.693 AEST: ISAKMP:(4105): processing vendor id payload
Jul 9 00:32:54.693 AEST: ISAKMP:(4105): vendor ID is Unity
Jul 9 00:32:54.693 AEST: ISAKMP:(4105): processing vendor id payload
Jul 9 00:32:54.693 AEST: ISAKMP:(4105): vendor ID seems Unity/DPD but major 84 mismatch
Jul 9 00:32:54.693 AEST: ISAKMP:(4105): vendor ID is XAUTH
Jul 9 00:32:54.693 AEST: ISAKMP:(4105): processing vendor id payload
Jul 9 00:32:54.693 AEST: ISAKMP:(4105): speaking to another IOS box!
Jul 9 00:32:54.693 AEST: ISAKMP:(4105): processing vendor id payload
Jul 9 00:32:54.693 AEST: ISAKMP:(4105):vendor ID seems Unity/DPD but hash mismatch
Jul 9 00:32:54.693 AEST: ISAKMP:received payload type 20
Jul 9 00:32:54.693 AEST: ISAKMP (4105): His hash no match - this node outside NAT
Jul 9 00:32:54.693 AEST: ISAKMP:received payload type 20
Jul 9 00:32:54.693 AEST: ISAKMP (4105): No NAT Found for self or peer
Jul 9 00:32:54.693 AEST: ISAKMP:(4105):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Jul 9 00:32:54.693 AEST: ISAKMP:(4105):Old State = IKE_I_MM4 New State = IKE_I_MM4

Jul 9 00:32:54.693 AEST: ISAKMP:(4105):Send initial contact
Jul 9 00:32:54.693 AEST: ISAKMP:(4105):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
Jul 9 00:32:54.693 AEST: ISAKMP (4105): ID payload
next-payload : 8
type : 1
address : 103.225.xxx.xxx 
protocol : 17
port : 500
length : 12
Jul 9 00:32:54.693 AEST: ISAKMP:(4105):Total payload length: 12
Jul 9 00:32:54.693 AEST: ISAKMP:(4105): sending packet to 144.140.xxx.xxx my_port 500 peer_port 500 (I) MM_KEY_EXCH
Jul 9 00:32:54.693 AEST: ISAKMP:(4105):Sending an IKE IPv4 Packet.
Jul 9 00:32:54.697 AEST: ISAKMP:(4105):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Jul 9 00:32:54.697 AEST: ISAKMP:(4105):Old State = IKE_I_MM4 New State = IKE_I_MM5

Jul 9 00:32:54.721 AEST: ISAKMP (4105): received packet from 144.140.xxx.xxx dport 500 sport 500 Global (I) MM_KEY_EXCH
Jul 9 00:32:54.721 AEST: ISAKMP:(4105): processing ID payload. message ID = 0
Jul 9 00:32:54.721 AEST: ISAKMP (4105): ID payload
next-payload : 8
type : 1
address : 144.140.xxx.xxx
protocol : 17
port : 0
length : 12
Jul 9 00:32:54.721 AEST: ISAKMP:(0):: peer matches isk-belsoc profile
Jul 9 00:32:54.721 AEST: ISAKMP:(4105):Found ADDRESS key in keyring key-belsoc
Jul 9 00:32:54.721 AEST: ISAKMP:(4105): processing HASH payload. message ID = 0
Jul 9 00:32:54.721 AEST: ISAKMP:received payload type 17
Jul 9 00:32:54.721 AEST: ISAKMP:(4105): processing vendor id payload
Jul 9 00:32:54.721 AEST: ISAKMP:(4105): vendor ID is DPD
Jul 9 00:32:54.721 AEST: ISAKMP:(4105):SA authentication status:
authenticated
Jul 9 00:32:54.721 AEST: ISAKMP:(4105):SA has been authenticated with 144.140.xxx.xxx
Jul 9 00:32:54.721 AEST: ISAKMP: Trying to insert a peer 103.225.xxx.xxx/144.140.xxx.xxx/500/, and inserted successfully 3229EFAC.
Jul 9 00:32:54.725 AEST: ISAKMP:(4105):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jul 9 00:32:54.725 AEST: ISAKMP:(4105):Old State = IKE_I_MM5 New State = IKE_I_MM6

Jul 9 00:32:54.725 AEST: ISAKMP:(4105):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Jul 9 00:32:54.725 AEST: ISAKMP:(4105):Old State = IKE_I_MM6 New State = IKE_I_MM6

Jul 9 00:32:54.725 AEST: ISAKMP:(4105):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Jul 9 00:32:54.725 AEST: ISAKMP:(4105):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE

Jul 9 00:32:54.725 AEST: ISAKMP:(4105):beginning Quick Mode exchange, M-ID of 2751555890
Jul 9 00:32:54.745 AEST: ISAKMP:(4105):QM Initiator gets spi
Jul 9 00:32:54.745 AEST: ISAKMP:(4105): sending packet to 144.140.xxx.xxx my_port 500 peer_port 500 (I) QM_IDLE
Jul 9 00:32:54.745 AEST: ISAKMP:(4105):Sending an IKE IPv4 Packet.
Jul 9 00:32:54.749 AEST: ISAKMP:(4105):Node 2751555890, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
Jul 9 00:32:54.749 AEST: ISAKMP:(4105):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
Jul 9 00:32:54.749 AEST: ISAKMP:(4105):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Jul 9 00:32:54.749 AEST: ISAKMP:(4105):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

Jul 9 00:32:54.773 AEST: ISAKMP (4105): received packet from 144.140.xxx.xxx dport 500 sport 500 Global (I) QM_IDLE
Jul 9 00:32:54.773 AEST: ISAKMP: set new node -1149674751 to QM_IDLE
Jul 9 00:32:54.773 AEST: ISAKMP:(4105): processing HASH payload. message ID = 3145292545
Jul 9 00:32:54.773 AEST: ISAKMP:(4105): processing NOTIFY INVALID_ID_INFO protocol 3
spi 0, message ID = 3145292545, sa = 0x322C6A60
Jul 9 00:32:54.773 AEST: ISAKMP:(4105):peer does not do paranoid keepalives.

Jul 9 00:32:54.773 AEST: ISAKMP:(4105):deleting node -1149674751 error FALSE reason "Informational (in) state 1"
Jul 9 00:32:54.777 AEST: ISAKMP:(4105):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Jul 9 00:32:54.777 AEST: ISAKMP:(4105):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

Jul 9 00:32:54.777 AEST: ISAKMP (4105): received packet from 144.140.xxx.xxx dport 500 sport 500 Global (I) QM_IDLE
Jul 9 00:32:54.777 AEST: ISAKMP: set new node -1879801680 to QM_IDLE
Jul 9 00:32:54.777 AEST: ISAKMP:(4105): processing HASH payload. message ID = 2415165616
Jul 9 00:32:54.777 AEST: ISAKMP:(4105): processing DELETE payload. message ID = 2415165616
Jul 9 00:32:54.777 AEST: ISAKMP:(4105):peer does not do paranoid keepalives.

Jul 9 00:32:54.777 AEST: ISAKMP:(4105):deleting SA reason "No reason" state (I) QM_IDLE (peer 144.140.xxx.xxx)
Jul 9 00:32:54.777 AEST: ISAKMP:(4105):deleting node -1879801680 error FALSE reason "Informational (in) state 1"
Jul 9 00:32:54.777 AEST: ISAKMP: set new node -242422180 to QM_IDLE
Jul 9 00:32:54.777 AEST: ISAKMP:(4105): sending packet to 144.140.xxx.xxx my_port 500 peer_port 500 (I) QM_IDLE
Jul 9 00:32:54.777 AEST: ISAKMP:(4105):Sending an IKE IPv4 Packet.
Jul 9 00:32:54.777 AEST: ISAKMP:(4105):purging node -242422180
Jul 9 00:32:54.777 AEST: ISAKMP:(4105):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Jul 9 00:32:54.777 AEST: ISAKMP:(4105):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA

Jul 9 00:32:54.777 AEST: ISAKMP:(4105):deleting SA reason "No reason" state (I) QM_IDLE (peer 144.140.xxx.xxx)
Jul 9 00:32:54.777 AEST: ISAKMP: Unlocking peer struct 0x3229EFAC for isadb_mark_sa_deleted(), count 0
Jul 9 00:32:54.777 AEST: ISAKMP: Deleting peer node by peer_reap for 144.140.xxx.xxx: 3229EFAC
Jul 9 00:32:54.777 AEST: ISAKMP:(4105):deleting node -1543411406 error FALSE reason "IKE deleted"
Jul 9 00:32:54.777 AEST: ISAKMP:(4105):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jul 9 00:32:54.777 AEST: ISAKMP:(4105):Old State = IKE_DEST_SA New State = IKE_DEST_SA
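A small triage helper for `debug crypto isakmp` output like the log above, added here as an illustration and not part of the thread. It walks the initiator state transitions, pulls out the NOTIFY the peer sent at the start of Quick Mode, and separates that from the "peer does not do paranoid keepalives" line, which only records that the peer did not advertise periodic keepalives. The sample lines are constructed from the shape of the debug above (placeholder addresses), and the hint table encodes the standard meaning of INVALID_ID_INFO (Phase 2 identity / proxy ID mismatch) and NO_PROPOSAL_CHOSEN (Phase 2 proposal mismatch).

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the router's "debug crypto isakmp" output above.
SAMPLE_DEBUG = """\
Jul 9 00:32:54.601 AEST: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
Jul 9 00:32:54.725 AEST: ISAKMP:(4105):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
Jul 9 00:32:54.725 AEST: ISAKMP:(4105):beginning Quick Mode exchange, M-ID of 2751555890
Jul 9 00:32:54.749 AEST: ISAKMP:(4105):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
Jul 9 00:32:54.773 AEST: ISAKMP:(4105): processing NOTIFY INVALID_ID_INFO protocol 3
Jul 9 00:32:54.773 AEST: ISAKMP:(4105):peer does not do paranoid keepalives.
Jul 9 00:32:54.777 AEST: ISAKMP:(4105): processing DELETE payload. message ID = 2415165616
Jul 9 00:32:54.777 AEST: ISAKMP:(4105):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA
"""

STATE_RE = re.compile(r"ISAKMP:\((\d+)\):Old State = (\S+) New State = (\S+)")
NOTIFY_RE = re.compile(r"ISAKMP:\((\d+)\): processing NOTIFY (\S+) protocol (\d+)")
KEEPALIVE_NOTE = "peer does not do paranoid keepalives"

# What the Phase 2 notifies a crypto-map peer sends back usually mean.
NOTIFY_HINTS = {
    "INVALID_ID_INFO": "Phase 2 identity (proxy ID) mismatch: the peer's crypto ACL does not "
                       "match the selectors we proposed (an IOS VTI proposes any/any)",
    "NO_PROPOSAL_CHOSEN": "Phase 2 proposal mismatch: transform set, PFS group or lifetime",
}

def triage(debug_text):
    """Summarise an IKEv1 initiator debug: did Phase 1 complete, did Quick Mode
    start, what did the peer answer, and was the SA torn down? Returns a dict."""
    states = defaultdict(list)   # SA id -> list of new states, in order
    notifies = []                # (notify name, protocol id)
    keepalive_notes = 0          # informational lines, not a failure cause
    for line in debug_text.splitlines():
        m = STATE_RE.search(line)
        if m:
            states[m.group(1)].append(m.group(3))
        m = NOTIFY_RE.search(line)
        if m:
            notifies.append((m.group(2), int(m.group(3))))
        if KEEPALIVE_NOTE in line:
            keepalive_notes += 1
    seen = {s for seq in states.values() for s in seq}
    diagnosis = [NOTIFY_HINTS.get(name, f"unhandled notify {name}") for name, _ in notifies]
    if keepalive_notes and not diagnosis:
        diagnosis.append("only keepalive capability notes seen; these are informational")
    return {"phase1_complete": "IKE_P1_COMPLETE" in seen,
            "quick_mode_started": "IKE_QM_I_QM1" in seen,
            "sa_torn_down": "IKE_DEST_SA" in seen,
            "notifies": notifies, "keepalive_notes": keepalive_notes,
            "diagnosis": diagnosis}
```

Run `triage(open("router-debug.txt").read())` over a real capture; if Phase 1 completes and the first Quick Mode reply is a NOTIFY, the diagnosis entry is the thing to compare against the peer's crypto map.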

Hi,

I only see this message:

Jul 9 00:32:54.777 AEST: ISAKMP:(4105):deleting SA reason "No reason" state (I) QM_IDLE (peer 144.140.251.20) 

Phase 1 comes up momentarily.

I would ideally have liked to have the same debugs from the ASA as well.

Are we sure the config is correct on both the devices?

Regards,

Aditya

Thanks Aditya,

Definitely one side wrong but can't tell which.
