12-04-2013 11:43 PM - edited 03-04-2019 09:46 PM
Hi,
Looking for experts here to assist me. I have a Cisco Router 2811 (A) tunnelling to another Cisco 2821 (B), but NATing and connecting to the internet via an ASA Firewall. Cisco 2821 (B) has several VPN connections that are working well, but the one with Router A is failing for now. Here are the configurations for both routers:
Router A:
!
crypto isakmp policy 10
encr 3des
authentication pre-share
crypto isakmp key xxxyyyzzz address 211.24.252.54
!
crypto ipsec transform-set strong esp-3des esp-sha-hmac
!
crypto map Mal 10 ipsec-isakmp
description == VPN to KL ==
set peer 211.24.252.54
set transform-set strong
match address VPN_to_KL
!
!
interface FastEthernet0/0
description == Connection to Internet ==
bandwidth 1536
ip address 218.208.234.6 255.255.255.252
ip access-group public_in in
ip tcp adjust-mss 1405
duplex auto
speed auto
no cdp enable
crypto map Mal
max-reserved-bandwidth 100
!
ip route 0.0.0.0 0.0.0.0 218.208.234.5
!
ip access-list extended VPN_to_KL
permit ip 10.41.121.128 0.0.0.127 10.0.0.0 0.255.255.255
!
ip access-list extended public_in
permit udp host 211.24.252.54 host 218.208.234.6 eq isakmp
permit udp host 211.24.252.54 host 218.208.234.6 eq non500-isakmp
permit esp host 211.24.252.54 host 218.208.234.6
Router B:
!
crypto isakmp policy 19
encr 3des
authentication pre-share
group 2
!
crypto isakmp key xxxyyyzzz address 218.208.234.6
!
crypto ipsec transform-set Strong esp-3des esp-sha-hmac
!
crypto map Mal 19 ipsec-isakmp
description == VPN to MSO ==
set peer 218.208.234.6
set transform-set Strong
match address VPN_to_MSO
!
interface GigabitEthernet0/0
description LINK TO PIX inside2-vpn
ip address 192.0.0.1 255.255.255.252
no ip redirects
no ip unreachables
ip flow ingress
ip flow egress
no ip route-cache cef
no ip route-cache
duplex full
speed 100
no cdp enable
crypto map Mal
max-reserved-bandwidth 100
!
ip route 10.41.121.128 255.255.255.128 192.0.0.2 name MSO_Internal_Range
!
ip access-list extended VPN_to_MSO
permit ip 10.0.0.0 0.255.255.255 10.41.121.128 0.0.0.127
!
Here is the debug from Router A:
*Dec 5 11:32:27.203 MYY: ISAKMP:(0): beginning Main Mode exchange
*Dec 5 11:32:27.203 MYY: ISAKMP:(0): sending packet to 211.24.252.54 my_port 500 peer_port 500 (I) MM_NO_STATE
*Dec 5 11:32:27.203 MYY: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Dec 5 11:32:37.203 MYY: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Dec 5 11:32:37.203 MYY: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Dec 5 11:32:37.203 MYY: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Dec 5 11:32:37.203 MYY: ISAKMP:(0): sending packet to 211.24.252.54 my_port 500 peer_port 500 (I) MM_NO_STATE
*Dec 5 11:32:37.203 MYY: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Dec 5 11:32:47.203 MYY: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Dec 5 11:32:47.203 MYY: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Dec 5 11:32:47.203 MYY: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Dec 5 11:32:47.203 MYY: ISAKMP:(0): sending packet to 211.24.252.54 my_port 500 peer_port 500 (I) MM_NO_STATE
*Dec 5 11:32:47.203 MYY: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Dec 5 11:32:57.199 MYY: ISAKMP: set new node 0 to QM_IDLE
*Dec 5 11:32:57.199 MYY: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local 218.208.234.6, remote 211.24.252.54)
*Dec 5 11:32:57.199 MYY: ISAKMP: Error while processing SA request: Failed to initialize SA
*Dec 5 11:32:57.199 MYY: ISAKMP: Error while processing KMI message 0, error 2.
*Dec 5 11:32:57.203 MYY: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Dec 5 11:32:57.203 MYY: ISAKMP (0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
*Dec 5 11:32:57.203 MYY: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Dec 5 11:32:57.203 MYY: ISAKMP:(0): sending packet to 211.24.252.54 my_port 500 peer_port 500 (I) MM_NO_STATE
*Dec 5 11:32:57.203 MYY: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Dec 5 11:33:07.203 MYY: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Dec 5 11:33:07.203 MYY: ISAKMP (0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
*Dec 5 11:33:07.203 MYY: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Dec 5 11:33:07.203 MYY: ISAKMP:(0): sending packet to 211.24.252.54 my_port 500 peer_port 500 (I) MM_NO_STATE
*Dec 5 11:33:07.203 MYY: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Dec 5 11:33:15.611 MYY: ISAKMP:(0):purging node 920695309
*Dec 5 11:33:15.611 MYY: ISAKMP:(0):purging node -888975984
*Dec 5 11:33:17.203 MYY: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Dec 5 11:33:17.203 MYY: ISAKMP (0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
*Dec 5 11:33:17.203 MYY: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Dec 5 11:33:17.203 MYY: ISAKMP:(0): sending packet to 211.24.252.54 my_port 500 peer_port 500 (I) MM_NO_STATE
*Dec 5 11:33:17.203 MYY: ISAKMP:(0):Sending an IKE IPv4 Packet.
mymso01rt2811#
*Dec 5 11:33:25.611 MYY: ISAKMP:(0):purging SA., sa=4969CFB4, delme=4969CFB4co
*Dec 5 11:33:27.203 MYY: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Dec 5 11:33:27.203 MYY: ISAKMP:(0):peer does not do paranoid keepalives.
*Dec 5 11:33:27.203 MYY: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 211.24.252.54)
*Dec 5 11:33:27.203 MYY: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 211.24.252.54)
*Dec 5 11:33:27.203 MYY: ISAKMP: Unlocking peer struct 0x49B258F8 for isadb_mark_sa_deleted(), count 0
*Dec 5 11:33:27.203 MYY: ISAKMP: Deleting peer node by peer_reap for 211.24.252.54: 49B258F8
*Dec 5 11:33:27.203 MYY: ISAKMP:(0):deleting node 690617595 error FALSE reason "IKE deleted"
*Dec 5 11:33:27.203 MYY: ISAKMP:(0):deleting node -815424110 error FALSE reason "IKE deleted"
*Dec 5 11:33:27.203 MYY: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Dec 5 11:33:27.203 MYY: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_DEST_SA
*Dec 5 11:33:27.231 MYYnf: ISAKMP:(0): SA request profile is (NULL)
*Dec 5 11:33:27.231 MYY: ISAKMP: Created a peer struct for 211.24.252.54, peer port 500
*Dec 5 11:33:27.231 MYY: ISAKMP: New peer created peer = 0x49B258F8 peer_handle = 0x80000B57
*Dec 5 11:33:27.231 MYY: ISAKMP: Locking peer struct 0x49B258F8, refcount 1 for isakmp_initiator
*Dec 5 11:33:27.231 MYY: ISAKMP: local port 500, remote port 500
*Dec 5 11:33:27.231 MYY: ISAKMP: set new node 0 to QM_IDLE
*Dec 5 11:33:27.231 MYY: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 4969CFB4
*Dec 5 11:33:27.231 MYY: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Dec 5 11:33:27.231 MYY: ISAKMP:(0):found peer pre-shared key matching 211.24.252.54
*Dec 5 11:33:27.235 MYY: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Dec 5 11:33:27.235 MYY: ISAKMP:(0): constructed NAT-T venor-07 ID
*Dec 5 11:33:27.235 MYY: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Dec 5 11:33:27.235 MYY: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Dec 5 11:33:27.235 MYY: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Dec 5 11:33:27.235 MYY: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
What is the possible problem?
Thanks!!!
12-05-2013 03:24 AM
From that debug it looks as if Router A is not getting a response from Router B. Are you able to run debug on Router B and post it? Does Router B even receive any traffic relating to this tunnel?
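An added example, not from the question or the reply: a small Python triage of IOS `debug crypto isakmp` output that reproduces the reply's reading of the log, namely that Router A sent every phase-1 packet as initiator in MM_NO_STATE, retransmitted five times and never received anything back. The sample lines are constructed from the post's debug; the `received packet` pattern is an assumption based on the usual IOS wording, since the post contains no such line.

```python
import re
from collections import Counter

# Constructed sample, modelled on the "debug crypto isakmp" lines quoted in the question.
SAMPLE_DEBUG = """\
*Dec 5 11:32:27.203 MYY: ISAKMP:(0): beginning Main Mode exchange
*Dec 5 11:32:27.203 MYY: ISAKMP:(0): sending packet to 211.24.252.54 my_port 500 peer_port 500 (I) MM_NO_STATE
*Dec 5 11:32:37.203 MYY: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Dec 5 11:32:37.203 MYY: ISAKMP:(0): sending packet to 211.24.252.54 my_port 500 peer_port 500 (I) MM_NO_STATE
*Dec 5 11:33:17.203 MYY: ISAKMP (0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
*Dec 5 11:33:27.203 MYY: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 211.24.252.54)
*Dec 5 11:33:27.203 MYY: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_DEST_SA
"""

SENT = re.compile(r"sending packet to (\S+) my_port \d+ peer_port \d+ \([IR]\) (\w+)")
# Assumed wording of the responder's reply line; the post shows none, which is the point.
RECV = re.compile(r"received packet from (\S+) .*\([IR]\) (\w+)")
ATTEMPT = re.compile(r"attempt (\d+) of (\d+): retransmit phase 1")
DELETE = re.compile(r'deleting SA reason "([^"]+)" state \([IR]\) \w+ \(peer (\S+)\)')
STATE = re.compile(r"Old State = (\w+) New State = (\w+)")

def triage_isakmp(debug_text):
    """Summarise one IKEv1 phase-1 attempt: packets each way, retransmits, final state."""
    sent, received, max_attempt = Counter(), Counter(), 0
    peer = reason = final_state = None
    for line in debug_text.splitlines():
        if m := SENT.search(line):
            peer = m.group(1)
            sent[m.group(2)] += 1          # keyed by IKE state at send time
        elif m := RECV.search(line):
            received[m.group(2)] += 1
        elif m := ATTEMPT.search(line):
            max_attempt = max(max_attempt, int(m.group(1)))
        elif m := DELETE.search(line):
            reason = m.group(1)
        elif m := STATE.search(line):
            final_state = m.group(2)
    # Nothing came back before the SA died: message 2 never arrived, so look at the
    # path (UDP/500, filtering, NAT) and the responder; a proposal or key mismatch
    # would still show a reply line from the peer.
    if sum(received.values()) == 0 and reason == "Death by retransmission P1":
        verdict = "no-response"
    elif reason:
        verdict = "peer-replied-then-failed"
    else:
        verdict = "incomplete"
    return {"peer": peer, "sent": sum(sent.values()), "received": sum(received.values()),
            "max_attempt": max_attempt, "reason": reason, "final_state": final_state,
            "verdict": verdict}
```

A "no-response" verdict is exactly the situation the reply describes, and the next step is the one it suggests: run the same debug on Router B and confirm whether any UDP/500 traffic from 218.208.234.6 arrives there at all.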