
Require isakmp tunnel assistance....

Matthew Brennan
Level 1

Hi,

I have a VPN tunnel set up from one location to another; it's a BGP failover on my MPLS network over a DSL line. I've checked the policies, they all match, and all my keys, but I am getting the following in debug:

Aug 14 20:31:28.870: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer xxx.xxx.xxx.xxx)
Aug 14 20:31:28.870: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer xxx.xxx.xxx.xxx)
Aug 14 20:31:28.870: ISAKMP: Unlocking peer struct 0x65C0390C for isadb_mark_sa_deleted(), count 0
Aug 14 20:31:28.870: ISAKMP: Deleting peer node by peer_reap for 74.94.42.153: 65C0390C
Aug 14 20:31:28.870: ISAKMP:(0):deleting node -1073969683 error FALSE reason "IKE deleted"
Aug 14 20:31:28.870: ISAKMP:(0):deleting node 1457398188 error FALSE reason "IKE deleted"
Aug 14 20:31:28.870: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Aug 14 20:31:28.870: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_DEST_SA
Aug 14 20:31:28.874: ISAKMP:(0): SA request profile is (NULL)
Aug 14 20:31:28.874: ISAKMP: Created a peer struct for 74.94.42.153, peer port 500
Aug 14 20:31:28.874: ISAKMP: New peer created peer = 0x65C0390C peer_handle = 0x800845EA
Aug 14 20:31:28.874: ISAKMP: Locking peer struct 0x65C0390C, refcount 1 for isakmp_initiator
Aug 14 20:31:28.874: ISAKMP: local port 500, remote port 500
Aug 14 20:31:28.874: ISAKMP: set new node 0 to QM_IDLE
Aug 14 20:31:28.874: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 65C01674
Aug 14 20:31:28.874: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
Aug 14 20:31:28.874: ISAKMP:(0):found peer pre-shared key matching 74.94.42.153
Aug 14 20:31:28.874: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
Aug 14 20:31:28.874: ISAKMP:(0): constructed NAT-T vendor-07 ID
Aug 14 20:31:28.874: ISAKMP:(0): constructed NAT-T vendor-03 ID
Aug 14 20:31:28.874: ISAKMP:(0): constructed NAT-T vendor-02 ID
Aug 14 20:31:28.874: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Aug 14 20:31:28.874: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
Aug 14 20:31:28.874: ISAKMP:(0): beginning Main Mode exchange
Aug 14 20:31:28.874: ISAKMP:(0): sending packet to xxx.xxx.xxx.xxx my_port 500 peer_port 500 (I) MM_NO_STATE
Aug 14 20:31:28.874: ISAKMP:(0):Sending an IKE IPv4 Packet.
Aug 14 20:31:38.873: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Aug 14 20:31:38.873: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Aug 14 20:31:38.873: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Aug 14 20:31:38.873: ISAKMP:(0): sending packet to xxx.xxx.xxx.xxx my_port 500 peer_port 500 (I) MM_NO_STATE
Aug 14 20:31:38.873: ISAKMP:(0):Sending an IKE IPv4 Packet.
Aug 14 20:31:48.872: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Aug 14 20:31:48.872: ISAKMP (0:0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
Aug 14 20:31:48.872: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Aug 14 20:31:48.872: ISAKMP:(0): sending packet to xxx.xxx.xxx.xxx my_port 500 peer_port 500 (I) MM_NO_STATE
Aug 14 20:31:48.872: ISAKMP:(0):Sending an IKE IPv4 Packet.
Aug 14 20:31:58.866: ISAKMP: set new node 0 to QM_IDLE
Aug 14 20:31:58.866: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local 67.40.110.170, remote 74.94.42.153)
Aug 14 20:31:58.866: ISAKMP: Error while processing SA request: Failed to initialize SA
Aug 14 20:31:58.866: ISAKMP: Error while processing KMI message 0, error 2.
Aug 14 20:31:58.870: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Aug 14 20:31:58.870: ISAKMP (0:0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
Aug 14 20:31:58.870: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Aug 14 20:31:58.870: ISAKMP:(0): sending packet to xxx.xxx.xxx.xxx my_port 500 peer_port 500 (I) MM_NO_STATE
Aug 14 20:31:58.870: ISAKMP:(0):Sending an IKE IPv4 Packet.
Aug 14 20:32:08.869: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Aug 14 20:32:08.869: ISAKMP (0:0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
Aug 14 20:32:08.869: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Aug 14 20:32:08.869: ISAKMP:(0): sending packet to xxx.xxx.xxx.xxx my_port 500 peer_port 500 (I) MM_NO_STATE
Aug 14 20:32:08.869: ISAKMP:(0):Sending an IKE IPv4 Packet.
Aug 14 20:32:18.864: ISAKMP:(0):purging node -1073969683
Aug 14 20:32:18.864: ISAKMP:(0):purging node 1457398188
Aug 14 20:32:18.868: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Aug 14 20:32:18.868: ISAKMP (0:0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
Aug 14 20:32:18.868: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Aug 14 20:32:18.868: ISAKMP:(0): sending packet to xxx.xxx.xxx.xxx my_port 500 peer_port 500 (I) MM_NO_STATE
Aug 14 20:32:18.868: ISAKMP:(0):Sending an IKE IPv4 Packet.
Aug 14 20:32:28.863: ISAKMP:(0):purging SA., sa=667CC534, delme=667CC534
Aug 14 20:32:28.863: ISAKMP: set new node 0 to QM_IDLE
Aug 14 20:32:28.863: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local 67.40.110.170, remote 74.94.42.153)
Aug 14 20:32:28.863: ISAKMP: Error while processing SA request: Failed to initialize SA
Aug 14 20:32:28.863: ISAKMP: Error while processing KMI message 0, error 2.
Aug 14 20:32:28.867: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Aug 14 20:32:28.867: ISAKMP:(0):peer does not do paranoid keepalives.

So with that I began chasing "Aggressive mode", knowing that without it you cannot have a pre-share, therefore more than likely dumping my MM_NO_STATE.

So instead of using just a crypto isakmp key xxxx address xxxxx I tried:

A

crypto isakmp peer address 14.38.69.71
 set aggressive-mode password cisco123
 set aggressive-mode client-endpoint ipv4-address 14.38.69.70

B

crypto isakmp key cisco123 address 67.40.110.170

Added on both sides. This got me from MM_NO_STATE to the AG_EX one, but I still could not get the tunnel up.

Here is a full config from the outlying router, calling it A for troubleshooting:

crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key Clear address xxx.xxx.xxx
!
crypto ipsec transform-set aesset esp-aes 256 esp-sha-hmac comp-lzs
 mode transport
!
crypto map aesmap 10 ipsec-isakmp
 set peer 7xxxxxx
 set security-association lifetime kilobytes 40960000
 set transform-set aesset
 match address Voorhees_VPN_1
!
controller T1 0/1/0
 framing esf
 linecode b8zs
 channel-group 0 timeslots 1-24
!
ip tcp synwait-time 10
ip ftp username sa_cisco_backup
ip ftp password 7 00071A150754
!
interface Tunnel1
 description To Voorhees
 bandwidth 1500
 ip address 10.0.1.10 255.255.255.252
 keepalive 10 5
 tunnel source xxxxx
 tunnel destination xxxxxx
!
interface FastEthernet0/1
 description Qwest DSL
 ip address xxxxxxxx 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip mroute-cache
 duplex auto
 speed auto
 crypto map aesmap
!
router bgp 65001
 no synchronization
 bgp log-neighbor-changes
 neighbor 10.0.1.9 remote-as 65001
 neighbor 10.0.1.9 next-hop-self
 neighbor 10.0.1.9 send-community
 neighbor 10.0.1.9 soft-reconfiguration inbound
 neighbor 10.0.1.9 route-map vpn_bgp out
 no auto-summary
!
ip forward-protocol nd
ip route xxxxx 255.255.255.255 xxxxx
ip route 192.168.0.0 255.255.0.0 Null0
!
ip access-list extended Voorhees_VPN_1
 permit gre host xxxxx host xxxxxx
!
ip prefix-list lan seq 10 permit 10.10.128.0/24
!
route-map vpn_bgp permit 10
 match ip address prefix-list lan
 set local-preference 90
 set community 65001:90
!
route-map qwest permit 10
 match ip address prefix-list lan
 set community 209:100

Any assistance would be appreciated. I have 34 successful tunnels from other sites, but for some reason this won't work; it's also running IOS 12.4(15). Thanks.

2 Replies

Lei Tian
Cisco Employee

Hi Matt,

Your peer IP in the config is different compared to the peer IP in the debug. Is there a NAT device in between?

HTH,
Lei Tian

Sent from Cisco Technical Support iPhone App

I just copied and pasted the IP config from another sheet for this post; it's not the real config, they do match. There is no NAT either. I am more interested in deciphering what is going on in that debug, as I don't get it.
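The debug in the original post, and the follow-up asking how to read it, both come down to one question: how far did IKE Phase 1 get before the SA was torn down? The state machine lines (`Old State = ... New State = ...`), the retransmit counter (`attempt N of 5`) and the teardown reason (`Death by retransmission P1`) carry that story. The script below is an added example, not code from the thread or from Cisco: it parses `debug crypto isakmp` output in the IOS format seen above, tracks the Phase 1 state machine, counts packets sent and received, and returns a verdict. The sample lines are constructed to mirror the thread's debug and use RFC 5737 documentation addresses instead of the real peers; the `received packet from ...` line in the contrast sample is modelled on the IOS format for an incoming IKE packet.

```python
"""Triage helper for Cisco IOS 'debug crypto isakmp' output (Phase 1 only).

Added example, not part of the thread: reads the debug lines, tracks the IKE
Phase 1 state machine, counts retransmits and received packets, and returns a
short verdict on why the SA died. Sample lines are constructed to mirror the
IOS debug format and use RFC 5737 documentation addresses.
"""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

RE_STATE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
RE_RETRANS = re.compile(r"attempt (\d+) of (\d+): retransmit phase 1")
RE_DELETE = re.compile(r'deleting SA reason "([^"]+)" state \((I|R)\) (\S+)')
RE_SEND = re.compile(r"sending packet to (\S+) .*\((I|R)\) (\S+)")
RE_RECV = re.compile(r"received packet from (\S+) .*\((I|R)\) (\S+)")


@dataclass
class Phase1Summary:
    role: Optional[str] = None                 # "I" initiator or "R" responder
    transitions: List[Tuple[str, str]] = field(default_factory=list)
    sent: int = 0
    received: int = 0
    attempts: int = 0                          # highest retransmit attempt seen
    attempt_limit: int = 0
    delete_reasons: Counter = field(default_factory=Counter)

    @property
    def furthest_state(self) -> Optional[str]:
        """Last real state reached, ignoring the IKE_DEST_SA teardown state."""
        states = [new for _, new in self.transitions if new != "IKE_DEST_SA"]
        return states[-1] if states else None


def parse_isakmp_debug(text: str) -> Phase1Summary:
    """Walk the debug output line by line and accumulate Phase 1 facts."""
    s = Phase1Summary()
    for line in text.splitlines():
        if m := RE_STATE.search(line):
            s.transitions.append((m.group(1), m.group(2)))
        elif m := RE_RETRANS.search(line):
            s.attempts = max(s.attempts, int(m.group(1)))
            s.attempt_limit = int(m.group(2))
        elif m := RE_DELETE.search(line):
            s.delete_reasons[m.group(1)] += 1
            s.role = s.role or m.group(2)
        elif m := RE_SEND.search(line):
            s.sent += 1
            s.role = s.role or m.group(2)
        elif m := RE_RECV.search(line):
            s.received += 1
            s.role = s.role or m.group(2)
    return s


def diagnose(s: Phase1Summary) -> str:
    """Map the accumulated facts to a short verdict code."""
    if any(new == "IKE_P1_COMPLETE" for _, new in s.transitions):
        return "phase1-complete"
    if "Death by retransmission P1" in s.delete_reasons:
        # Initiator sent MM1, hit the retransmit limit and never saw a reply.
        # Total silence points at UDP/500 not reaching the peer, or a peer not
        # configured to answer this address; a proposal or pre-shared-key
        # mismatch usually produces at least one reply before the exchange fails.
        if s.role == "I" and s.received == 0 and s.furthest_state == "IKE_I_MM1":
            return "no-response-to-mm1"
        return f"peer-stopped-responding-after-{s.furthest_state}"
    return "inconclusive"


# Constructed sample modelled on the thread's debug: initiator, five
# retransmits of the first Main Mode message, no reply, SA torn down.
SAMPLE_DEAD = """\
Aug 14 20:31:28.874: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
Aug 14 20:31:28.874: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
Aug 14 20:31:28.874: ISAKMP:(0): beginning Main Mode exchange
Aug 14 20:31:28.874: ISAKMP:(0): sending packet to 198.51.100.1 my_port 500 peer_port 500 (I) MM_NO_STATE
Aug 14 20:31:38.873: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Aug 14 20:31:48.872: ISAKMP (0:0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
Aug 14 20:31:58.870: ISAKMP (0:0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
Aug 14 20:32:08.869: ISAKMP (0:0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
Aug 14 20:32:18.868: ISAKMP (0:0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
Aug 14 20:32:28.863: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 198.51.100.1)
Aug 14 20:32:28.863: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_DEST_SA
"""

# Constructed contrast case: the peer answers MM1 and Phase 1 completes.
SAMPLE_GOOD = """\
Aug 14 20:40:01.100: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
Aug 14 20:40:01.100: ISAKMP:(0): sending packet to 198.51.100.1 my_port 500 peer_port 500 (I) MM_NO_STATE
Aug 14 20:40:01.180: ISAKMP (0): received packet from 198.51.100.1 dport 500 sport 500 Global (I) MM_NO_STATE
Aug 14 20:40:01.180: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2
Aug 14 20:40:01.620: ISAKMP:(0):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
"""

if __name__ == "__main__":
    for name, sample in (("dead", SAMPLE_DEAD), ("good", SAMPLE_GOOD)):
        summary = parse_isakmp_debug(sample)
        print(f"{name}: role={summary.role} furthest={summary.furthest_state} "
              f"sent={summary.sent} recv={summary.received} "
              f"retransmits={summary.attempts}/{summary.attempt_limit} "
              f"verdict={diagnose(summary)}")
```

Run against the thread's debug (with the split `sending packet to` lines rejoined), the verdict is `no-response-to-mm1`: the router is the initiator, the state never moves past `IKE_I_MM1`, there is no `received packet` line at all, and the SA is deleted after five retransmits. The `Can not start Aggressive mode, trying Main mode` line is deliberately not treated as an error; it only records that Main Mode was chosen, which is what `beginning Main Mode exchange` confirms on the next lines.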