cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
321
Views
0
Helpful
3
Replies

VPN issue after ISP change

scottmanzie1
Level 1
Level 1

Hi

 

I have a remote 800 series in a DMVPN network which recently moved to a new ISP. There are 2 DMVPN core routers, everything is working back to one of them, including EIGRP over the tunnel.

 

In terms of configuration changes, on the core routers the only change required is to add the peer to the crypto keying, which was done on both. The new ISP line seems fine as internet connectivity is good and the crypto session back to one core router is fine

 

here are ISAKMP debugs with IP's edited

 

Any ideas?

 

Jun 12 00:10:29.331: ISAKMP:(2163): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH

Jun 12 00:10:29.331: ISAKMP:(2163):Sending an IKE IPv4 Packet.

Jun 12 00:10:29.331: ISAKMP:(2163):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

Jun 12 00:10:29.331: ISAKMP:(2163):Old State = IKE_I_MM4 New State = IKE_I_MM5

 

Jun 12 00:10:29.375: ISAKMP (2163): received packet from 1.1.1.1 dport 500 sport 500 Global (I) MM_KEY_EXCH

Jun 12 00:10:29.375: ISAKMP:(2163): processing ID payload. message ID = 0

Jun 12 00:10:29.375: ISAKMP (2163): ID payload

       next-payload : 8

       type         : 1

       address     : 1.1.1.1

       protocol     : 17

       port         : 500

       length       : 12

Jun 12 00:10:29.375: ISAKMP:(2163): processing HASH payload. message ID = 0

Jun 12 00:10:29.375: ISAKMP:(2163):SA authentication status:

       authenticated

Jun 12 00:10:29.375: ISAKMP:(2163):SA has been authenticated with 1.1.1.1

Jun 12 00:10:29.379: ISAKMP: Trying to insert a peer 2.2.2.2/1.1.1.1/500/, and inserted successfully 89B51794.

Jun 12 00:10:29.379: ISAKMP:(2163):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

Jun 12 00:10:29.379: ISAKMP:(2163):Old State = IKE_I_MM5 New State = IKE_I_MM6

 

Jun 12 00:10:29.379: ISAKMP:(2163):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

Jun 12 00:10:29.379: ISAKMP:(2163):Old State = IKE_I_MM6 New State = IKE_I_MM6

 

Jun 12 00:10:29.379: ISAKMP:(2163):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

Jun 12 00:10:29.379: ISAKMP:(2163):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE

 

Jun 12 00:10:29.379: ISAKMP:(2163):IKE_DPD is enabled, initializing timers

Jun 12 00:10:29.379: ISAKMP:(2163):beginning Quick Mode exchange, M-ID of 596494801

Jun 12 00:10:29.379: ISAKMP:(2163):QM Initiator gets spi

Jun 12 00:10:29.379: ISAKMP:(2163): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) QM_IDLE

Jun 12 00:10:29.379: ISAKMP:(2163):Sending an IKE IPv4 Packet.

Jun 12 00:10:29.379: ISAKMP:(2163):Node 596494801, Input = IKE_MESG_INTERNAL, IKE_INIT_QM

Jun 12 00:10:29.383: ISAKMP:(2163):Old State = IKE_QM_READY New State = IKE_QM_I_QM1

Jun 12 00:10:29.383: ISAKMP:(2163):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE

Jun 12 00:10:29.383: ISAKMP:(2163):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

 

Jun 12 00:10:29.423: ISAKMP (2163): received packet from 1.1.1.1 dport 500 sport 500 Global (I) QM_IDLE

Jun 12 00:10:29.423: ISAKMP: set new node -349858321 to QM_IDLE

Jun 12 00:10:29.423: ISAKMP:(2163): processing HASH payload. message ID = 3945108975

Jun 12 00:10:29.423: ISAKMP:(2163): processing DELETE payload. message ID = 3945108975

Jun 12 00:10:29.423: ISAKMP:(2163):peer does not do paranoid keepalives.

 

Jun 12 00:10:29.423: ISAKMP:(2163):deleting node -349858321 error FALSE reason "Informational (in) state 1"

 

3 Replies 3

Deepak Kumar
VIP Alumni
VIP Alumni

Hi,

Try to disable the keepalive / check lifetiming at both locations. and check.

 

Regards,

Deepak Kumar 

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!

Hi,
One of the last messages states QM_IDLE which indicates SA established between peers. What is the output of show crypto isakmp sa?

I was seeing a mix of issues, now it seems phase 1 and 2 but on 2 the connection is idle



3.3.3.3 is the good connection to the other core router





IPv4 Crypto ISAKMP SA

dst src state conn-id status

1.1.1.1 2.2.2.2 QM_IDLE 2132 ACTIVE

3.3.3.3 2.2.2.2 QM_IDLE 2161 ACTIVE







Status: A- Active, U - Up, D - Down, I - Idle, S - Standby, N - Negotiating

K - No IKE

ivrf = (none)

Peer I/F Username Group/Phase1_id Uptime Status

3.3.3.3 Tu1 3.3.3.3 16:50:17 UA

1.1.1.1 Tu1 1.1.1.1 UI


Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: