04-25-2018 08:26 AM - edited 03-05-2019 10:20 AM
Hi
I have a remote 800 series in a DMVPN network which recently moved to a new ISP. There are 2 DMVPN core routers; everything is working back to one of them, including EIGRP over the tunnel.
In terms of configuration changes, on the core routers the only change required is to add the peer to the crypto keying, which was done on both. The new ISP line seems fine, as internet connectivity is good and the crypto session back to one core router is fine.
Here are the ISAKMP debugs with IPs edited.
Any ideas?
Jun 12 00:10:29.331: ISAKMP:(2163): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
Jun 12 00:10:29.331: ISAKMP:(2163):Sending an IKE IPv4 Packet.
Jun 12 00:10:29.331: ISAKMP:(2163):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Jun 12 00:10:29.331: ISAKMP:(2163):Old State = IKE_I_MM4 New State = IKE_I_MM5
Jun 12 00:10:29.375: ISAKMP (2163): received packet from 1.1.1.1 dport 500 sport 500 Global (I) MM_KEY_EXCH
Jun 12 00:10:29.375: ISAKMP:(2163): processing ID payload. message ID = 0
Jun 12 00:10:29.375: ISAKMP (2163): ID payload
next-payload : 8
type : 1
address : 1.1.1.1
protocol : 17
port : 500
length : 12
Jun 12 00:10:29.375: ISAKMP:(2163): processing HASH payload. message ID = 0
Jun 12 00:10:29.375: ISAKMP:(2163):SA authentication status:
authenticated
Jun 12 00:10:29.375: ISAKMP:(2163):SA has been authenticated with 1.1.1.1
Jun 12 00:10:29.379: ISAKMP: Trying to insert a peer 2.2.2.2/1.1.1.1/500/, and inserted successfully 89B51794.
Jun 12 00:10:29.379: ISAKMP:(2163):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jun 12 00:10:29.379: ISAKMP:(2163):Old State = IKE_I_MM5 New State = IKE_I_MM6
Jun 12 00:10:29.379: ISAKMP:(2163):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Jun 12 00:10:29.379: ISAKMP:(2163):Old State = IKE_I_MM6 New State = IKE_I_MM6
Jun 12 00:10:29.379: ISAKMP:(2163):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Jun 12 00:10:29.379: ISAKMP:(2163):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
Jun 12 00:10:29.379: ISAKMP:(2163):IKE_DPD is enabled, initializing timers
Jun 12 00:10:29.379: ISAKMP:(2163):beginning Quick Mode exchange, M-ID of 596494801
Jun 12 00:10:29.379: ISAKMP:(2163):QM Initiator gets spi
Jun 12 00:10:29.379: ISAKMP:(2163): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) QM_IDLE
Jun 12 00:10:29.379: ISAKMP:(2163):Sending an IKE IPv4 Packet.
Jun 12 00:10:29.379: ISAKMP:(2163):Node 596494801, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
Jun 12 00:10:29.383: ISAKMP:(2163):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
Jun 12 00:10:29.383: ISAKMP:(2163):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Jun 12 00:10:29.383: ISAKMP:(2163):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Jun 12 00:10:29.423: ISAKMP (2163): received packet from 1.1.1.1 dport 500 sport 500 Global (I) QM_IDLE
Jun 12 00:10:29.423: ISAKMP: set new node -349858321 to QM_IDLE
Jun 12 00:10:29.423: ISAKMP:(2163): processing HASH payload. message ID = 3945108975
Jun 12 00:10:29.423: ISAKMP:(2163): processing DELETE payload. message ID = 3945108975
Jun 12 00:10:29.423: ISAKMP:(2163):peer does not do paranoid keepalives.
Jun 12 00:10:29.423: ISAKMP:(2163):deleting node -349858321 error FALSE reason "Informational (in) state 1"
04-25-2018 10:32 AM
Hi,
Try disabling the keepalive / check the lifetime at both locations, and check.
Regards,
Deepak Kumar
04-25-2018 10:46 AM
Hi,
One of the last messages states QM_IDLE, which indicates the SA is established between peers. What is the output of show crypto isakmp sa?
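An added example, not written by any poster in this thread and not Cisco code: a Python sketch that walks ISAKMP debug output like the one posted above in order and reports how far the negotiation got, including whether the peer sent a DELETE payload after Quick Mode began. The function names are hypothetical, the sample lines are constructed from the thread's debug, and the `IKE_QM_PHASE2_COMPLETE` state name is taken from IOS debugs in general and does not appear on this page.

```python
import re

# Constructed sample, modelled on the debug lines in the thread (edited peer 1.1.1.1).
SAMPLE = """\
Jun 12 00:10:29.331: ISAKMP:(2163):Old State = IKE_I_MM4 New State = IKE_I_MM5
Jun 12 00:10:29.379: ISAKMP:(2163):Old State = IKE_I_MM5 New State = IKE_I_MM6
Jun 12 00:10:29.379: ISAKMP:(2163):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
Jun 12 00:10:29.379: ISAKMP:(2163):beginning Quick Mode exchange, M-ID of 596494801
Jun 12 00:10:29.383: ISAKMP:(2163):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
Jun 12 00:10:29.423: ISAKMP:(2163): processing HASH payload. message ID = 3945108975
Jun 12 00:10:29.423: ISAKMP:(2163): processing DELETE payload. message ID = 3945108975
"""

STATE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
QM_START = re.compile(r"beginning Quick Mode exchange, M-ID of (\d+)")
DELETE = re.compile(r"processing DELETE payload\. message ID = (\d+)")
QM_DONE = "IKE_QM_PHASE2_COMPLETE"  # assumption: state name not shown on this page

def summarize(log_text):
    """Walk the debug lines in order and record how far the negotiation got."""
    r = {"states": [], "phase1_complete": False, "phase2_complete": False,
         "qm_message_id": None, "delete_after_qm_start": []}
    for line in log_text.splitlines():
        if (m := STATE.search(line)):
            old, new = m.groups()
            if old != new:  # skip self-transitions such as MM6 -> MM6
                r["states"].append(new)
            r["phase1_complete"] |= new == "IKE_P1_COMPLETE"
            r["phase2_complete"] |= new == QM_DONE
        elif (m := QM_START.search(line)):
            r["qm_message_id"] = int(m.group(1))
        elif (m := DELETE.search(line)):
            if r["qm_message_id"] is not None and not r["phase2_complete"]:
                r["delete_after_qm_start"].append(int(m.group(1)))
    return r

def verdict(r):
    if not r["phase1_complete"]:
        return "phase 1 incomplete"
    if r["phase2_complete"]:
        return "phase 2 complete"
    if r["delete_after_qm_start"]:
        return "phase 1 complete, peer sent DELETE before phase 2 completed"
    return "phase 1 complete, phase 2 pending"

if __name__ == "__main__":
    r = summarize(SAMPLE)
    print(" -> ".join(r["states"]))
    print(verdict(r))
```

When the verdict reports a DELETE before phase 2 completed, the debugs on the router that sent the DELETE are the place to look next, since the initiator's output only records that the payload arrived.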
04-26-2018 01:03 AM