Require ISAKMP tunnel assistance
08-14-2013 02:07 PM - edited 03-04-2019 08:45 PM
Hi,
I have a VPN tunnel set up from one location to another; it's a BGP failover for my MPLS network over a DSL line. I've checked the policies, they all match, and all my keys, but I am getting the following in the debug:
Aug 14 20:31:28.870: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer xxx.xxx.xxx.xxx)
Aug 14 20:31:28.870: ISAKMP: Unlocking peer struct 0x65C0390C for isadb_mark_sa_deleted(), count 0
Aug 14 20:31:28.870: ISAKMP: Deleting peer node by peer_reap for 74.94.42.153: 65C0390C
Aug 14 20:31:28.870: ISAKMP:(0):deleting node -1073969683 error FALSE reason "IKE deleted"
Aug 14 20:31:28.870: ISAKMP:(0):deleting node 1457398188 error FALSE reason "IKE deleted"
Aug 14 20:31:28.870: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Aug 14 20:31:28.870: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_DEST_SA
Aug 14 20:31:28.874: ISAKMP:(0): SA request profile is (NULL)
Aug 14 20:31:28.874: ISAKMP: Created a peer struct for 74.94.42.153, peer port 500
Aug 14 20:31:28.874: ISAKMP: New peer created peer = 0x65C0390C peer_handle = 0x800845EA
Aug 14 20:31:28.874: ISAKMP: Locking peer struct 0x65C0390C, refcount 1 for isakmp_initiator
Aug 14 20:31:28.874: ISAKMP: local port 500, remote port 500
Aug 14 20:31:28.874: ISAKMP: set new node 0 to QM_IDLE
Aug 14 20:31:28.874: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 65C01674
Aug 14 20:31:28.874: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
Aug 14 20:31:28.874: ISAKMP:(0):found peer pre-shared key matching 74.94.42.153
Aug 14 20:31:28.874: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
Aug 14 20:31:28.874: ISAKMP:(0): constructed NAT-T vendor-07 ID
Aug 14 20:31:28.874: ISAKMP:(0): constructed NAT-T vendor-03 ID
Aug 14 20:31:28.874: ISAKMP:(0): constructed NAT-T vendor-02 ID
Aug 14 20:31:28.874: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Aug 14 20:31:28.874: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
Aug 14 20:31:28.874: ISAKMP:(0): beginning Main Mode exchange
Aug 14 20:31:28.874: ISAKMP:(0): sending packet to xxx.xxx.xxx.xxx my_port 500 peer_port 500 (I) MM_NO_STATE
Aug 14 20:31:28.874: ISAKMP:(0):Sending an IKE IPv4 Packet.
Aug 14 20:31:38.873: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Aug 14 20:31:38.873: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Aug 14 20:31:38.873: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Aug 14 20:31:38.873: ISAKMP:(0): sending packet to xxx.xxx.xxx.xxx my_port 500 peer_port 500 (I) MM_NO_STATE
Aug 14 20:31:38.873: ISAKMP:(0):Sending an IKE IPv4 Packet.
Aug 14 20:31:48.872: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Aug 14 20:31:48.872: ISAKMP (0:0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
Aug 14 20:31:48.872: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Aug 14 20:31:48.872: ISAKMP:(0): sending packet to xxx.xxx.xxx.xxx my_port 500 peer_port 500 (I) MM_NO_STATE
Aug 14 20:31:48.872: ISAKMP:(0):Sending an IKE IPv4 Packet.
Aug 14 20:31:58.866: ISAKMP: set new node 0 to QM_IDLE
Aug 14 20:31:58.866: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local 67.40.110.170, remote 74.94.42.153)
Aug 14 20:31:58.866: ISAKMP: Error while processing SA request: Failed to initialize SA
Aug 14 20:31:58.866: ISAKMP: Error while processing KMI message 0, error 2.
Aug 14 20:31:58.870: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Aug 14 20:31:58.870: ISAKMP (0:0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
Aug 14 20:31:58.870: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Aug 14 20:31:58.870: ISAKMP:(0): sending packet to xxx.xxx.xxx.xxx my_port 500 peer_port 500 (I) MM_NO_STATE
Aug 14 20:31:58.870: ISAKMP:(0):Sending an IKE IPv4 Packet.
Aug 14 20:32:08.869: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Aug 14 20:32:08.869: ISAKMP (0:0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
Aug 14 20:32:08.869: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Aug 14 20:32:08.869: ISAKMP:(0): sending packet to xxx.xxx.xxx.xxx my_port 500 peer_port 500 (I) MM_NO_STATE
Aug 14 20:32:08.869: ISAKMP:(0):Sending an IKE IPv4 Packet.
Aug 14 20:32:18.864: ISAKMP:(0):purging node -1073969683
Aug 14 20:32:18.864: ISAKMP:(0):purging node 1457398188
Aug 14 20:32:18.868: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Aug 14 20:32:18.868: ISAKMP (0:0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
Aug 14 20:32:18.868: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Aug 14 20:32:18.868: ISAKMP:(0): sending packet to xxx.xxx.xxx.xxx my_port 500 peer_port 500 (I) MM_NO_STATE
Aug 14 20:32:18.868: ISAKMP:(0):Sending an IKE IPv4 Packet.
Aug 14 20:32:28.863: ISAKMP:(0):purging SA., sa=667CC534, delme=667CC534
Aug 14 20:32:28.863: ISAKMP: set new node 0 to QM_IDLE
Aug 14 20:32:28.863: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local 67.40.110.170, remote 74.94.42.153)
Aug 14 20:32:28.863: ISAKMP: Error while processing SA request: Failed to initialize SA
Aug 14 20:32:28.863: ISAKMP: Error while processing KMI message 0, error 2.
Aug 14 20:32:28.867: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Aug 14 20:32:28.867: ISAKMP:(0):peer does not do paranoid keepalives.
So with that I began chasing "Aggressive mode", knowing that without it you cannot have a pre-share, therefore more than likely dumping my MM_NO_STATE.
So instead of using just crypto isakmp key xxxx address xxxxx, I tried:
A
crypto isakmp peer address 14.38.69.71
set aggressive-mode password cisco123
set aggressive-mode client-endpoint ipv4-address 14.38.69.70
B
crypto isakmp key cisco123 address 67.40.110.170
Added on both sides. This got me from MM_NO_STATE to the AG_EX one, but I still could not get the tunnel up.
Here is a full config from the outlying router, calling it A for troubleshooting:
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 2
crypto isakmp key Clear address xxx.xxx.xxx
!
crypto ipsec transform-set aesset esp-aes 256 esp-sha-hmac comp-lzs
mode transport
!
crypto map aesmap 10 ipsec-isakmp
set peer 7xxxxxx
set security-association lifetime kilobytes 40960000
set transform-set aesset
match address Voorhees_VPN_1
!
controller T1 0/1/0
framing esf
linecode b8zs
channel-group 0 timeslots 1-24
!
ip tcp synwait-time 10
ip ftp username sa_cisco_backup
ip ftp password 7 00071A150754
!
interface Tunnel1
description To Voorhees
bandwidth 1500
ip address 10.0.1.10 255.255.255.252
keepalive 10 5
tunnel source xxxxx
tunnel destination xxxxxx
!
interface FastEthernet0/1
description Qwest DSL
ip address xxxxxxxx 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
no ip mroute-cache
duplex auto
speed auto
crypto map aesmap
!
router bgp 65001
no synchronization
bgp log-neighbor-changes
neighbor 10.0.1.9 remote-as 65001
neighbor 10.0.1.9 next-hop-self
neighbor 10.0.1.9 send-community
neighbor 10.0.1.9 soft-reconfiguration inbound
neighbor 10.0.1.9 route-map vpn_bgp out
no auto-summary
!
ip forward-protocol nd
ip route xxxxx 255.255.255.255 xxxxx
ip route 192.168.0.0 255.255.0.0 Null0
!
ip access-list extended Voorhees_VPN_1
permit gre host xxxxx host xxxxxx
!
ip prefix-list lan seq 10 permit 10.10.128.0/24
!
route-map vpn_bgp permit 10
match ip address prefix-list lan
set local-preference 90
set community 65001:90
!
route-map qwest permit 10
match ip address prefix-list lan
set community 209:100
Any assistance would be appreciated. I have 34 successful tunnels from other sites, but for some reason this one won't work; it's also running IOS 12.4(15). Thanks.
Labels: Routing Protocols
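Reading the debug in the post above: every "sending packet to ... (I) MM_NO_STATE" line is the initiator's MM1, the "attempt N of 5: retransmit phase 1" lines are that same MM1 resent every ten seconds, there is no "received packet from" line anywhere, and after the fifth retransmit the SA is torn down with "Death by retransmission P1". That pattern means the peer never answered on UDP/500 at all; the pre-shared key and the isakmp policy were never reached, so matching them cannot change the outcome. "Can not start Aggressive mode, trying Main mode" is printed whenever no aggressive-mode profile exists for the peer and is not an error, and the "SA is still budding" lines are later IPsec requests queued behind the pending phase 1. The script below is an added example, not Cisco code and not anything posted in the thread; it parses such a capture and maps the state the SA died in to the likely cause. Both captures inside it are constructed: the first reproduces the post's lines with RFC 5737 documentation addresses, the second is a made-up MM_KEY_EXCH stall included to show the other common outcome.

```python
"""Triage a Cisco IOS 'debug crypto isakmp' capture taken on the initiator.

Added example for this thread, not Cisco code. It reduces the debug to the
facts that decide where IKEv1 phase 1 died and maps them to a likely cause.
Both samples are constructed: the first mirrors the post's own lines with
RFC 5737 documentation addresses, the second is a made-up PSK-mismatch run.
"""
import re

# Constructed from the post: MM1 goes out, is retransmitted five times,
# no packet is ever received, and the SA dies in MM_NO_STATE.
NO_REPLY = """\
Aug 14 20:31:28.874: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
Aug 14 20:31:28.874: ISAKMP:(0):found peer pre-shared key matching 198.51.100.20
Aug 14 20:31:28.874: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
Aug 14 20:31:28.874: ISAKMP:(0): sending packet to 198.51.100.20 my_port 500 peer_port 500 (I) MM_NO_STATE
Aug 14 20:31:38.873: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Aug 14 20:31:38.873: ISAKMP:(0): sending packet to 198.51.100.20 my_port 500 peer_port 500 (I) MM_NO_STATE
Aug 14 20:32:18.868: ISAKMP (0:0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
Aug 14 20:32:18.868: ISAKMP:(0): sending packet to 198.51.100.20 my_port 500 peer_port 500 (I) MM_NO_STATE
Aug 14 20:32:28.870: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 198.51.100.20)
"""

# Constructed, not from the post: the peer answers MM1 and MM3, so policy and
# DH are fine, but the encrypted MM5/MM6 exchange never completes. On IOS a
# phase 1 that dies in MM_KEY_EXCH is the usual sign of a PSK or ID mismatch.
PSK_MISMATCH = """\
Aug 14 20:40:00.000: ISAKMP:(0): sending packet to 198.51.100.20 my_port 500 peer_port 500 (I) MM_NO_STATE
Aug 14 20:40:00.010: ISAKMP (0): received packet from 198.51.100.20 dport 500 sport 500 Global (I) MM_NO_STATE
Aug 14 20:40:00.010: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2
Aug 14 20:40:00.010: ISAKMP:(0): sending packet to 198.51.100.20 my_port 500 peer_port 500 (I) MM_SA_SETUP
Aug 14 20:40:00.020: ISAKMP (0): received packet from 198.51.100.20 dport 500 sport 500 Global (I) MM_SA_SETUP
Aug 14 20:40:00.020: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4
Aug 14 20:40:00.020: ISAKMP:(1001): sending packet to 198.51.100.20 my_port 500 peer_port 500 (I) MM_KEY_EXCH
Aug 14 20:40:10.020: ISAKMP (1001): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Aug 14 20:40:50.020: ISAKMP (1001): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
Aug 14 20:41:00.020: ISAKMP:(1001):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer 198.51.100.20)
"""

SENT = re.compile(r"sending packet to (\S+) my_port \d+ peer_port \d+ \((I|R)\) (\w+)")
RECV = re.compile(r"received packet from (\S+) dport \d+ sport \d+ \S+ \((I|R)\) (\w+)")
RETRY = re.compile(r"attempt (\d+) of (\d+): retransmit phase (\d)")
DEATH = re.compile(r'deleting SA reason "([^"]+)" state \((I|R)\) (\w+) \(peer (\S+)\)')


def analyze(debug_text):
    """Count what went out and what came back, and record where the SA died."""
    s = {"peer": None, "role": None, "sent": 0, "received": 0, "max_attempt": 0,
         "death_reason": None, "death_state": None}
    for line in debug_text.splitlines():
        if m := SENT.search(line):
            s["peer"], s["role"] = m.group(1), m.group(2)
            s["sent"] += 1
        elif m := RECV.search(line):
            s["received"] += 1
        elif m := RETRY.search(line):
            s["max_attempt"] = max(s["max_attempt"], int(m.group(1)))
        elif m := DEATH.search(line):
            s["death_reason"], s["role"], s["death_state"], s["peer"] = m.groups()
    return s


def diagnose(s):
    """Map the summary to the most likely cause, in the order things get ruled out.

    Main mode on IOS walks MM_NO_STATE (MM1/MM2) -> MM_SA_SETUP (MM3/MM4)
    -> MM_KEY_EXCH (MM5/MM6) -> QM_IDLE. The state the SA died in tells you
    which exchange the peer stopped answering.
    """
    if s["death_reason"] != "Death by retransmission P1":
        return "no phase 1 retransmit death in this capture"
    if s["received"] == 0:
        return ("no reply to MM1 after %d retransmits: the peer %s never answered, so the "
                "pre-shared key and ISAKMP policy were never tested. Check reachability, "
                "UDP/500 (and UDP/4500) filtering, and that the peer has ISAKMP enabled with "
                "a crypto map on the interface it should answer from."
                % (s["max_attempt"], s["peer"]))
    if s["death_state"] == "MM_NO_STATE":
        return ("peer answered but never accepted a proposal: look for a NO_PROPOSAL_CHOSEN "
                "notify and compare the isakmp policies on both sides")
    if s["death_state"] == "MM_SA_SETUP":
        return "proposal accepted but the DH exchange (MM3/MM4) never completed"
    if s["death_state"] == "MM_KEY_EXCH":
        return ("stalled in MM_KEY_EXCH: the encrypted MM5/MM6 exchange failed, which on "
                "IOS usually means a pre-shared key or ISAKMP identity mismatch")
    return "phase 1 died in state %s" % s["death_state"]


if __name__ == "__main__":
    for name, capture in (("NO_REPLY", NO_REPLY), ("PSK_MISMATCH", PSK_MISMATCH)):
        print(name, "->", diagnose(analyze(capture)))
```

Against a real capture, call `diagnose(analyze(text))` on the saved debug output. The parser only understands the initiator-side line formats shown above, and a stall in MM_KEY_EXCH points at the key or identity without proving it; confirm on the responder's own debug rather than from one side alone.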
08-14-2013 07:11 PM
Hi Matt,
Your peer IP in the config is different compared to the peer IP in the debug. Is there a NAT device in between?
HTH,
Lei Tian
Sent from Cisco Technical Support iPhone App
08-15-2013 05:21 AM
I just copied and pasted the IP config from another sheet for this post; it's not the real config, they do match. There is no NAT either. I am more interested in deciphering what is going on in that debug, as I don't get it.
