09-25-2012 09:42 AM - edited 03-07-2019 09:06 AM
We have a number of sites running Cisco 881 routers.
A few of the sites are connected by IPSec VPN tunnels that have been configured using Cisco CCP without any issues until now. On one location I can ping from a workstation on Site1 to Site2, however I cannot ping from the same workstation on Site2 back to Site1.
Here is a strange behavior. If I have a continuous ping going from Site1 - Site2 and then start a continuous ping from Site2 - Site1 then I get a response until I stop the ping from Site1 - Site2.
Site 1 has approximately 5 successful tunnels with absolutely no issues.
Here is some site-specific info
Site1
Cisco 881 running Version 15.0(1)M7
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key ThePreShareKey address XXX.YYY.ZZZ.232
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel toXXX.YYY.ZZZ.232
set peer XXX.YYY.ZZZ.232
set transform-set ESP-3DES-SHA
match address 101
access-list 101 remark CCP_ACL Category=4
access-list 101 remark IPSec Rule
access-list 101 permit ip 10.60.141.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 102 remark CCP_ACL Category=128
access-list 102 permit ip host XXX.YYY.ZZZ.232 any
access-list 103 remark CCP_ACL Category=0
access-list 103 permit ip 172.16.1.0 0.0.0.255 10.60.141.0 0.0.0.255
access-list 104 remark CCP_ACL Category=2
access-list 104 remark IPSec Rule
access-list 104 deny ip 10.60.141.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 104 permit ip 10.60.141.0 0.0.0.255 any
route-map SDM_RMAP_1 permit 1
match ip address 104
Site 2
Cisco 881 running Version 15.2(3)T1
crypto isakmp policy 2
encr 3des
group 2
crypto isakmp key ThePreShareKey address TTT.UUU.VVV.224
crypto map SDM_CMAP_1 7 ipsec-isakmp
description Tunnel toTTT.UUU.VVV.224
set peer TTT.UUU.VVV.224
set transform-set ESP-3DES-SHA15
match address 142
access-list 102 remark CCP_ACL Category=128
access-list 102 permit ip host TTT.UUU.VVV.224 any
access-list 104 remark CCP_ACL Category=2
access-list 104 remark IPSec Rule
access-list 104 deny ip 172.16.1.0 0.0.0.255 10.60.141.0 0.0.0.255
access-list 104 permit ip 172.16.1.0 0.0.0.255 any
access-list 142 remark CCP_ACL Category=4
access-list 142 remark IPSec Rule
access-list 142 permit ip 172.16.1.0 0.0.0.255 10.60.141.0 0.0.0.255
route-map SDM_RMAP_1 permit 1
match ip address 104
For additional troubleshooting I established a VPN tunnel from Site2 to our office Site3 with no issues at all.
Site3 happens to be one of the VPN tunnels that connects to Site1 with no issues.
I have seen a number of articles on this on the net and gone through the troubleshooting steps of an article such as http://www.cisco.com/en/US/products/ps6658/products_tech_note09186a0080b2a901.shtml
The tunnel is confirmed as up when I have done all my troubleshooting.
I appreciate any guidance on this as I am not sure what to try next.
Thanks everyone for your time.
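Added example, not part of the original thread: a one-way tunnel between two IOS crypto-map peers is usually one of two things, a crypto ACL that is not an exact mirror of the far side's, or traffic that gets NATed before the crypto map sees it because the NAT route-map ACL does not deny the tunnel pair. The script below parses the CCP-style numbered ACLs and runs both checks. The ACL text for Site 1 (101 crypto, 104 NAT exemption) and Site 2 (142 crypto, 104 NAT exemption) is copied from the post above; the "BAD" variant is a constructed fault to show what a mismatch looks like. This is my code, not Cisco's or the poster's.

```python
"""Check that two IOS peers' crypto ACLs mirror each other and that each side's
NAT-exemption route-map ACL denies the same traffic pair.
Added example: ACL text is copied from the thread, SITE2_CRYPTO_BAD is constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    number: str
    action: str                     # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _parse_addr(tokens, i):
    """Consume one IOS address spec at tokens[i]: 'any', 'host A', or 'NET WILDCARD'."""
    t = tokens[i]
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # Wildcard -> netmask. A non-contiguous wildcard raises ValueError, which is the
    # right outcome for a crypto ACL: proxy identities have to be plain subnets.
    mask = ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(tokens[i + 1])))
    return ipaddress.ip_network(f"{t}/{mask}", strict=False), i + 2


def parse_acl(text):
    """Parse 'access-list N permit|deny ip SRC DST' lines; remarks and non-ip entries are skipped."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list" or tok[2] == "remark" or tok[3] != "ip":
            continue
        src, i = _parse_addr(tok, 4)
        dst, _ = _parse_addr(tok, i)
        entries.append(AclEntry(tok[1], tok[2], src, dst))
    return entries


def unmirrored(local, remote):
    """Local permits with no exact (dst, src) counterpart in the remote crypto ACL.
    IOS crypto maps expect mirror-image proxy identities; a mismatch shows up as a
    proposal that only one side accepts, so only one direction ever negotiates."""
    remote_pairs = {(e.dst, e.src) for e in remote if e.action == "permit"}
    return [e for e in local if e.action == "permit" and (e.src, e.dst) not in remote_pairs]


def nat_leaks(crypto, nat):
    """Crypto permits that the NAT route-map ACL does not deny on first match,
    i.e. packets that would be translated before the crypto map can match them."""
    leaks = []
    for c in crypto:
        if c.action != "permit":
            continue
        verdict = None
        for n in nat:                                   # first match wins, as on the router
            if c.src.subnet_of(n.src) and c.dst.subnet_of(n.dst):
                verdict = n.action
                break
        if verdict != "deny":
            leaks.append(c)
    return leaks


def check_tunnel(local_crypto, local_nat, remote_crypto, remote_nat):
    """Run both checks for one tunnel; all-empty lists mean the ACLs are consistent."""
    lc, ln = parse_acl(local_crypto), parse_acl(local_nat)
    rc, rn = parse_acl(remote_crypto), parse_acl(remote_nat)
    return {
        "local_unmirrored": unmirrored(lc, rc),
        "remote_unmirrored": unmirrored(rc, lc),
        "local_nat_leak": nat_leaks(lc, ln),
        "remote_nat_leak": nat_leaks(rc, rn),
    }


# ACL text as posted in the thread.
SITE1_CRYPTO = """access-list 101 remark IPSec Rule
access-list 101 permit ip 10.60.141.0 0.0.0.255 172.16.1.0 0.0.0.255
"""
SITE1_NAT = """access-list 104 deny ip 10.60.141.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 104 permit ip 10.60.141.0 0.0.0.255 any
"""
SITE2_CRYPTO = "access-list 142 permit ip 172.16.1.0 0.0.0.255 10.60.141.0 0.0.0.255\n"
SITE2_NAT = """access-list 104 deny ip 172.16.1.0 0.0.0.255 10.60.141.0 0.0.0.255
access-list 104 permit ip 172.16.1.0 0.0.0.255 any
"""
# Constructed fault: Site 2 crypto ACL covers only half of its LAN (/25 wildcard).
SITE2_CRYPTO_BAD = "access-list 142 permit ip 172.16.1.0 0.0.0.127 10.60.141.0 0.0.0.255\n"

if __name__ == "__main__":
    for label, remote in (("as posted", SITE2_CRYPTO), ("constructed /25 fault", SITE2_CRYPTO_BAD)):
        result = check_tunnel(SITE1_CRYPTO, SITE1_NAT, remote, SITE2_NAT)
        print(label, {k: [f"{e.src}->{e.dst}" for e in v] for k, v in result.items()})
```

Feed it the ACL that the crypto map entry actually references on each router (`match address N`), not the one you think it uses: the two listings of Site 1 in this thread disagree on that point (the first post shows `match address 101` for the tunnel, the later `show run | sec crypto` shows sequence 7 with `match address 146`), and the script can only compare what it is given. With the ACLs as posted, both checks come back clean, which is the point of running them before chasing MTU.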
09-25-2012 07:18 PM
Hi,
Were there any recent changes on any 881's?
Could you post show log and if you can perform debugs?
Sent from Cisco Technical Support iPhone App
09-26-2012 07:02 AM
The router in Site2 was just put in so this tunnel is brand new. The router in Site1 has been there for quite some time prior to me joining the company.
The VPN tunnel and most post-initial config was done through CCP on Site2. CCP was used for the tunnel creation and for creating the advanced firewall which is set back to low security level.
Show log is
--------------------------------------------
Site2#show log
Syslog logging: enabled (0 messages dropped, 3 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)
No Active Message Discriminator.
No Inactive Message Discriminator.
Console logging: level debugging, 173 messages logged, xml disabled,
filtering disabled
Monitor logging: level debugging, 11 messages logged, xml disabled,
filtering disabled
Buffer logging: disabled, xml disabled,
filtering disabled
Exception Logging: size (4096 bytes)
Count and timestamp logging messages: disabled
Persistent logging: disabled
No active filter modules.
Trap logging: level informational, 31 message lines logged
Logging Source-Interface: VRF Name:
------------------------------------------
Thanks
09-26-2012 07:28 AM
Hi,
I'm not sure whether your show log output is complete. Did you configure identical IKE policies on both VPN peers? Was this a typo for your Site 1?
set peer XXX.YYY.ZZZ
Could you post the following when you've performed a test ping from an inside host in Site 2 towards Site 1:
show crypto isakmp sa
show crypto ipsec sa
debug crypto isakmp sa
debug crypto ipsec sa
09-27-2012 10:34 AM
Sorry I did have a typo. It should have said XXX.YYY.ZZZ.232
Here is the output as you mentioned. At Site 2 there is another VPN tunnel created to Site3 and it works fine so you may see some reference to this in the debugs.
The tunnel always establishes and stays up.
On some of the other sites that have a VPN tunnel to Site1 I had to put in a line crypto ipsec df-bit clear as it appears the packets were fragmented.
However the MTU settings on all the Cisco gear is at the default value of 1500 MTU.
Thanks for your help
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2012.09.27 08:44:06 =~=~=~=~=~=~=~=~=~=~=~=
Site2#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
TTT.UUU.VVV.224 XXX.YYY.ZZZ.232 QM_IDLE 2004 ACTIVE
XXX.YYY.ZZZ.232 TTT.UUU.VVV.224 QM_IDLE 2005 ACTIVE
IPv6 Crypto ISAKMP SA
Site2#show crypto ipsec sa
interface: FastEthernet4
Crypto map tag: SDM_CMAP_1, local addr TTT.UUU.VVV.224
protected vrf: (none)
local ident (addr/mask/prot/port): (10.60.141.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
current_peer XXX.YYY.ZZZ.232 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 210421, #pkts encrypt: 210421, #pkts digest: 210421
#pkts decaps: 25509, #pkts decrypt: 25509, #pkts verify: 25509
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: TTT.UUU.VVV.224, remote crypto endpt.: XXX.YYY.ZZZ.232
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4
current outbound spi: 0x7481E461(1954669665)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x1EC08327(515932967)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 99, flow_id: Onboard VPN:99, sibling_flags 80000040, crypto map: SDM_CMAP_1
sa timing: remaining key lifetime (k/sec): (4173672/2275)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x7481E461(1954669665)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 100, flow_id: Onboard VPN:100, sibling_flags 80000040, crypto map: SDM_CMAP_1
sa timing: remaining key lifetime (k/sec): (4150725/2275)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (10.60.141.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): ( THIS.SITE.WORKS..0/255.255.255.0/0/0)
current_peer THIS.SITE.WORKS port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: TTT.UUU.VVV.224, remote crypto endpt.: THIS.SITE.WORKS
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
Site2#term mon
Site2#debug crypto ipsec
Crypto IPSEC debugging is on
Sep 27 14:47:18.378: ISAKMP (2005): received packet from XXX.YYY.ZZZ.232 dport 500 sport 500 Global (I) QM_IDLE
Sep 27 14:47:18.378: ISAKMP: set new node -1617340658 to QM_IDLE
Sep 27 14:47:18.378: ISAKMP:(2005): processing HASH payload. message ID = 2677626638
Sep 27 14:47:18.378: ISAKMP:(2005): processing NOTIFY DPD/R_U_THERE protocol 1
spi 0, message ID = 2677626638, sa = 0x8880DA68
Sep 27 14:47:18.378: ISAKMP:(2005):deleting node -1617340658 error FALSE reason "Informational (in) state 1"
Sep 27 14:47:18.378: ISAKMP:(2005):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Sep 27 14:47:18.378: ISAKMP:(2005):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Sep 27 14:47:18.378: ISAKMP:(2005):DPD/R_U_THERE received from peer XXX.YYY.ZZZ.232 , sequence 0xEA9AB55
Sep 27 14:47:18.378: ISAKMP: set new node -16420335 to QM_IDLE
Sep 27 14:47:18.378: ISAKMP:(2005):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
spi 2270256376, message ID = 4278546961
Sep 27 14:47:18.378: ISAKMP:(2005): seq. no 0xEA9AB55
Sep 27 14:47:18.378: ISAKMP:(2005): sending packet to XXX.YYY.ZZZ.232 my_port 500 peer_port 500 (I) QM_IDLE
Sep 27 14:47:18.378: ISAKMP:(2005):Sending an IKE IPv4 Packet.
Sep 27 14:47:18.378: ISAKMP:(2005):purging node -16420335
Sep 27 14:47:18.378: ISAKMP:(2005):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
Sep 27 14:47:18.378: ISAKMP:(2005):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Sep 27 14:47:30.110: ISAKMP: set new node -761006079 to QM_IDLE
Sep 27 14:47:30.110: ISAKMP:(2004):Sending NOTIFY DPD/R_U_THERE protocol 1
spi 2270256336, message ID = 3533961217
Sep 27 14:47:30.110: ISAKMP:(2004): seq. no 0xB5E67EE
Sep 27 14:47:30.110: ISAKMP:(2004): sending packet to XXX.YYY.ZZZ.232 my_port 500 peer_port 500 (R) QM_IDLE
Sep 27 14:47:30.110: ISAKMP:(2004):Sending an IKE IPv4 Packet.
Sep 27 14:47:30.110: ISAKMP:(2004):purging node -761006079
Sep 27 14:47:30.110: ISAKMP:(2004):Input = IKE_MESG_FROM_TIMER, IKE_TIMER_IM_ALIVE
Sep 27 14:47:30.110: ISAKMP:(2004):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Sep 27 14:47:30.150: ISAKMP (2004): received packet from XXX.YYY.ZZZ.232 dport 500 sport 500 Global (R) QM_IDLE
Sep 27 14:47:30.150: ISAKMP: set new node 1551329102 to QM_IDLE
Sep 27 14:47:30.150: ISAKMP:(2004): processing HASH payload. message ID = 1551329102
Sep 27 14:47:30.150: ISAKMP:(2004): processing NOTIFY DPD/R_U_THERE_ACK protocol 1
spi 0, message ID = 1551329102, sa = 0x887C5694
Sep 27 14:47:30.150: ISAKMP:(2004): DPD/R_U_THERE_ACK received from peer XXX.YYY.ZZZ.232 , sequence 0xB5E67EE
Sep 27 14:47:30.154: ISAKMP:(2004):deleting node 1551329102 error FALSE reason "Informational (in) state 1"
Sep 27 14:47:30.154: ISAKMP:(2004):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Sep 27 14:47:30.154: ISAKMP:(2004):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Sep 27 14:48:08.379: ISAKMP:(2005):purging node -1617340658
Sep 27 14:48:20.156: ISAKMP:(2004):purging node 1551329102
Sep 27 14:49:43.454: ISAKMP: set new node -1394870801 to QM_IDLE
Sep 27 14:49:43.454: ISAKMP:(2005):Sending NOTIFY DPD/R_U_THERE protocol 1
spi 2270256336, message ID = 2900096495
Sep 27 14:49:43.454: ISAKMP:(2005): seq. no 0xB5E67EF
Sep 27 14:49:43.454: ISAKMP:(2005): sending packet to XXX.YYY.ZZZ.232 my_port 500 peer_port 500 (I) QM_IDLE
Sep 27 14:49:43.454: ISAKMP:(2005):Sending an IKE IPv4 Packet.
Sep 27 14:49:43.454: ISAKMP:(2005):purging node -1394870801
Sep 27 14:49:43.454: ISAKMP:(2005):Input = IKE_MESG_FROM_TIMER, IKE_TIMER_IM_ALIVE
Sep 27 14:49:43.454: ISAKMP:(2005):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Sep 27 14:49:43.494: ISAKMP (2005): received packet from XXX.YYY.ZZZ.232 dport 500 sport 500 Global (I) QM_IDLE
Sep 27 14:49:43.494: ISAKMP: set new node -603252858 to QM_IDLE
Sep 27 14:49:43.494: ISAKMP:(2005): processing HASH payload. message ID = 3691714438
Sep 27 14:49:43.494: ISAKMP:(2005): processing NOTIFY DPD/R_U_THERE_ACK protocol 1
spi 0, message ID = 3691714438, sa = 0x8880DA68
Sep 27 14:49:43.494: ISAKMP:(2005): DPD/R_U_THERE_ACK received from peer XXX.YYY.ZZZ.232 , sequence 0xB5E67EF
Sep 27 14:49:43.494: ISAKMP:(2005):deleting node -603252858 error FALSE reason "Informational (in) state 1"
Sep 27 14:49:43.494: ISAKMP:(2005):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Sep 27 14:49:43.494: ISAKMP:(2005):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Sep 27 14:49:58.586: ISAKMP (2004): received packet from XXX.YYY.ZZZ.232 dport 500 sport 500 Global (R) QM_IDLE
Sep 27 14:49:58.586: ISAKMP: set new node 668937152 to QM_IDLE
Sep 27 14:49:58.586: ISAKMP:(2004): processing HASH payload. message ID = 668937152
Sep 27 14:49:58.586: ISAKMP:(2004): processing NOTIFY DPD/R_U_THERE protocol 1
spi 0, message ID = 668937152, sa = 0x887C5694
Sep 27 14:49:58.586: ISAKMP:(2004):deleting node 668937152 error FALSE reason "Informational (in) state 1"
Sep 27 14:49:58.586: ISAKMP:(2004):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Sep 27 14:49:58.586: ISAKMP:(2004):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Sep 27 14:49:58.586: ISAKMP:(2004):DPD/R_U_THERE received from peer XXX.YYY.ZZZ.232 , sequence 0xEA9AB56
Sep 27 14:49:58.586: ISAKMP: set new node 1685634131 to QM_IDLE
Sep 27 14:49:58.586: ISAKMP:(2004):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
spi 2270256376, message ID = 1685634131
Sep 27 14:49:58.586: ISAKMP:(2004): seq. no 0xEA9AB56
Sep 27 14:49:58.586: ISAKMP:(2004): sending packet to XXX.YYY.ZZZ.232 my_port 500 peer_port 500 (R) QM_IDLE
Sep 27 14:49:58.586: ISAKMP:(2004):Sending an IKE IPv4 Packet.
Sep 27 14:49:58.586: ISAKMP:(2004):purging node 1685634131
Sep 27 14:49:58.586: ISAKMP:(2004):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
Sep 27 14:49:58.586: ISAKMP:(2004):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Sep 27 14:50:33.495: ISAKMP:(2005):purging node -603252858
Sep 27 14:50:48.587: ISAKMP:(2004):purging node 668937152
Sep 27 14:52:10.686: ISAKMP (2005): received packet from XXX.YYY.ZZZ.232 dport 500 sport 500 Global (I) QM_IDLE
Sep 27 14:52:10.686: ISAKMP: set new node 1426187616 to QM_IDLE
Sep 27 14:52:10.686: ISAKMP:(2005): processing HASH payload. message ID = 1426187616
Sep 27 14:52:10.686: ISAKMP:(2005): processing NOTIFY DPD/R_U_THERE protocol 1
spi 0, message ID = 1426187616, sa = 0x8880DA68
Sep 27 14:52:10.686: ISAKMP:(2005):deleting node 1426187616 error FALSE reason "Informational (in) state 1"
Sep 27 14:52:10.686: ISAKMP:(2005):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Sep 27 14:52:10.686: ISAKMP:(2005):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Sep 27 14:52:10.686: ISAKMP:(2005):DPD/R_U_THERE received from peer XXX.YYY.ZZZ.232 , sequence 0xEA9AB57
Sep 27 14:52:10.686: ISAKMP: set new node -1804667826 to QM_IDLE
Sep 27 14:52:10.686: ISAKMP:(2005):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
spi 2270256376, message ID = 2490299470
Sep 27 14:52:10.686: ISAKMP:(2005): seq. no 0xEA9AB57
Sep 27 14:52:10.686: ISAKMP:(2005): sending packet to XXX.YYY.ZZZ.232 my_port 500 peer_port 500 (I) QM_IDLE
Sep 27 14:52:10.686: ISAKMP:(2005):Sending an IKE IPv4 Packet.
Sep 27 14:52:10.686: ISAKMP:(2005):purging node -1804667826
Sep 27 14:52:10.690: ISAKMP:(2005):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
Sep 27 14:52:10.690: ISAKMP:(2005):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Sep 27 14:52:25.042: ISAKMP: set new node 1591249097 to QM_IDLE
Sep 27 14:52:25.042: ISAKMP:(2004):Sending NOTIFY DPD/R_U_THERE protocol 1
spi 2270256336, message ID = 1591249097
Sep 27 14:52:25.042: ISAKMP:(2004): seq. no 0xB5E67F0
Sep 27 14:52:25.042: ISAKMP:(2004): sending packet to XXX.YYY.ZZZ.232 my_port 500 peer_port 500 (R) QM_IDLE
Sep 27 14:52:25.042: ISAKMP:(2004):Sending an IKE IPv4 Packet.
Sep 27 14:52:25.042: ISAKMP:(2004):purging node 1591249097
Sep 27 14:52:25.042: ISAKMP:(2004):Input = IKE_MESG_FROM_TIMER, IKE_TIMER_IM_ALIVE
Sep 27 14:52:25.042: ISAKMP:(2004):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Sep 27 14:52:25.082: ISAKMP (2004): received packet from XXX.YYY.ZZZ.232 dport 500 sport 500 Global (R) QM_IDLE
Sep 27 14:52:25.082: ISAKMP: set new node -264926664 to QM_IDLE
Sep 27 14:52:25.082: ISAKMP:(2004): processing HASH payload. message ID = 4030040632
Sep 27 14:52:25.082: ISAKMP:(2004): processing NOTIFY DPD/R_U_THERE_ACK protocol 1
spi 0, message ID = 4030040632, sa = 0x887C5694
Sep 27 14:52:25.082: ISAKMP:(2004): DPD/R_U_THERE_ACK received from peer XXX.YYY.ZZZ.232 , sequence 0xB5E67F0
Sep 27 14:52:25.082: ISAKMP:(2004):deleting node -264926664 error FALSE reason "Informational (in) state 1"
Sep 27 14:52:25.082: ISAKMP:(2004):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Sep 27 14:52:25.082: ISAKMP:(2004):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Sep 27 14:53:15.083: ISAKMP:(2004):purging node -264926664
Sep 27 14:54:31.541: ISAKMP: set new node 1184933904 to QM_IDLE
Sep 27 14:54:31.541: ISAKMP:(2005):Sending NOTIFY DPD/R_U_THERE protocol 1
spi 2270256336, message ID = 1184933904
Sep 27 14:54:31.541: ISAKMP:(2005): seq. no 0xB5E67F1
Sep 27 14:54:31.541: ISAKMP:(2005): sending packet to XXX.YYY.ZZZ.232 my_port 500 peer_port 500 (I) QM_IDLE
Sep 27 14:54:31.541: ISAKMP:(2005):Sending an IKE IPv4 Packet.
Sep 27 14:54:31.541: ISAKMP:(2005):purging node 1184933904
Sep 27 14:54:31.541: ISAKMP:(2005):Input = IKE_MESG_FROM_TIMER, IKE_TIMER_IM_ALIVE
Sep 27 14:54:31.541: ISAKMP:(2005):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Sep 27 14:54:31.581: ISAKMP (2005): received packet from XXX.YYY.ZZZ.232 dport 500 sport 500 Global (I) QM_IDLE
Sep 27 14:54:31.581: ISAKMP: set new node -528980753 to QM_IDLE
Sep 27 14:54:31.581: ISAKMP:(2005): processing HASH payload. message ID = 3765986543
Sep 27 14:54:31.581: ISAKMP:(2005): processing NOTIFY DPD/R_U_THERE_ACK protocol 1
spi 0, message ID = 3765986543, sa = 0x8880DA68
Sep 27 14:54:31.581: ISAKMP:(2005): DPD/R_U_THERE_ACK received from peer XXX.YYY.ZZZ.232 , sequence 0xB5E67F1
Sep 27 14:54:31.581: ISAKMP:(2005):deleting node -528980753 error FALSE reason "Informational (in) state 1"
Sep 27 14:54:31.581: ISAKMP:(2005):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Sep 27 14:54:31.581: ISAKMP:(2005):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Site2#exit
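Added example, not part of the original thread: the `show crypto ipsec sa` output above already says a lot if you read the counters rather than just "ACTIVE". On Site 2 the SA to Site 1 has encapsulated about eight times as many packets as it has decapsulated, and ping traffic is close to 1:1, so Site 2 is encrypting its echo requests and little is coming back; the second proxy pair has an outbound SPI of 0x0, meaning no Phase 2 SA exists for it at all. The script below parses that output and classifies each SA, and counts whether a debug capture contains anything beyond DPD keepalives (the captures in this thread do not). The sample output is constructed, modelled on the Site 2 paste with the masked public addresses replaced by RFC 5737 documentation addresses and the Site 3 LAN invented; the ratio threshold is my heuristic. This is my code, not Cisco's or the poster's.

```python
"""Parse 'show crypto ipsec sa' and flag SAs that carry traffic one way only.
Added example, not from the thread. SAMPLE and DEBUG_SAMPLE are constructed,
modelled on the Site 2 output, with documentation addresses substituted."""
import re

_SA_SPLIT = re.compile(r"^\s*protected vrf:", re.M)
_FIELDS = {
    "peer": re.compile(r"current_peer\s+(\S+)\s+port"),
    "local": re.compile(r"local\s+ident \(addr/mask/prot/port\): \(\s*([^/]+)/"),
    "remote": re.compile(r"remote\s+ident \(addr/mask/prot/port\): \(\s*([^/]+)/"),
    "encaps": re.compile(r"#pkts encaps:\s*(\d+)"),
    "decaps": re.compile(r"#pkts decaps:\s*(\d+)"),
    "send_errors": re.compile(r"#send errors\s*(\d+)"),
    "recv_errors": re.compile(r"#recv errors\s*(\d+)"),
    "outbound_spi": re.compile(r"current outbound spi:\s*(0x[0-9A-Fa-f]+)"),
}
_INT_FIELDS = ("encaps", "decaps", "send_errors", "recv_errors")
# Strings IOS prints for Phase 2 activity (debug crypto isakmp / debug crypto ipsec)
# versus the DPD keepalive notifies; a capture with only the latter shows no SA negotiation.
_P2_MARKERS = ("IKE_QM_", "Quick Mode", "IPSEC(")
_DPD_MARKER = "DPD/R_U_THERE"


def parse_ipsec_sa(text):
    """One dict per proxy pair; a field missing from a truncated paste becomes None."""
    sas = []
    for chunk in _SA_SPLIT.split(text)[1:]:          # [0] is the interface/crypto-map header
        sa = {}
        for name, rx in _FIELDS.items():
            m = rx.search(chunk)
            if m is None:
                sa[name] = None
            else:
                sa[name] = int(m.group(1)) if name in _INT_FIELDS else m.group(1).strip()
        sas.append(sa)
    return sas


def classify(sa, ratio=5):
    """Heuristic verdict for one SA. Echo request/reply traffic is close to 1:1, so a
    large encaps/decaps skew on an error-free SA means the far end is not sending
    traffic back (or not decrypting ours). 'ratio' is the skew treated as one-way."""
    if sa["outbound_spi"] in (None, "0x0"):
        return "no-sa"                    # Phase 2 never completed for this proxy pair
    if sa["send_errors"] or sa["recv_errors"]:
        return "errors"
    enc, dec = sa["encaps"] or 0, sa["decaps"] or 0
    if enc == 0 and dec == 0:
        return "idle"
    if enc >= ratio * max(dec, 1):
        return "one-way-outbound"         # we encrypt, little or nothing comes back
    if dec >= ratio * max(enc, 1):
        return "one-way-inbound"          # peer sends, our replies never enter the tunnel
    return "bidirectional"


def report(text, ratio=5):
    """(peer, local, remote, verdict) for every SA in the output."""
    return [(sa["peer"], sa["local"], sa["remote"], classify(sa, ratio))
            for sa in parse_ipsec_sa(text)]


def debug_summary(lines):
    """Count DPD keepalive lines versus Phase 2 lines in a debug capture."""
    return {"dpd": sum(_DPD_MARKER in ln for ln in lines),
            "phase2": sum(any(m in ln for m in _P2_MARKERS) for ln in lines)}


SAMPLE = """interface: FastEthernet4
    Crypto map tag: SDM_CMAP_1, local addr 198.51.100.224
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.60.141.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
   current_peer 192.0.2.232 port 500
    #pkts encaps: 210421, #pkts encrypt: 210421, #pkts digest: 210421
    #pkts decaps: 25509, #pkts decrypt: 25509, #pkts verify: 25509
    #send errors 0, #recv errors 0
     current outbound spi: 0x7481E461(1954669665)
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.60.141.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.20.30.0/255.255.255.0/0/0)
   current_peer 203.0.113.208 port 500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 0, #recv errors 0
     current outbound spi: 0x0(0)
"""
# Constructed: three lines of the kind the thread's debug capture consists of.
DEBUG_SAMPLE = [
    "Sep 27 14:47:18.378: ISAKMP:(2005): processing NOTIFY DPD/R_U_THERE protocol 1",
    "Sep 27 14:47:18.378: ISAKMP:(2005):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1",
    "Sep 27 14:47:18.378: ISAKMP:(2005):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE",
]

if __name__ == "__main__":
    for peer, local, remote, verdict in report(SAMPLE):
        print(f"{local} <-> {remote} via {peer}: {verdict}")
    print(debug_summary(DEBUG_SAMPLE))
```

A "one-way-outbound" verdict with zero send/recv errors on the local side means the local router is doing its job; the next place to look is the peer's counters for the same SA (does its decaps match our encaps, and does it encaps anything back?) and the peer's routing and NAT for the return path. Clear the counters with `clear crypto sa counters`, run a fixed number of pings, and compare both sides so the ratio is not polluted by history.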
09-27-2012 08:47 PM
Hi,
Thanks for the debugs! However, I don't see any debugs showing any IPSEC SA or IKE phase 2 exchanges.
Could you post show run | sec crypto from both site 1 and 2?
09-28-2012 07:17 AM
As requested
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2012.09.28 07:54:43 =~=~=~=~=~=~=~=~=~=~=~=
Site1#show run | sec crypto
crypto pki trustpoint TP-self-signed-BLAHBLAH
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-BLAHBLAH
revocation-check none
rsakeypair TP-self-signed-BLAHBLAH
crypto ctcp port 10000
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp policy 2
encr 3des
group 2
crypto isakmp key TunnelPassword address Site3.That.Works.195
crypto isakmp key TunnelPassword address Site4.That.Works.242
crypto isakmp key TunnelPassword address Site7.That.Works.167
crypto isakmp key TunnelPassword address Site6.That.Works.126
crypto isakmp key TunnelPassword address THIS.SITE.WORKS.208
crypto isakmp key TunnelPassword address Site7.That.Works.96
crypto isakmp key TunnelPassword address Site2.That.Doesn'tWork.224
crypto isakmp keepalive 300 periodic
crypto isakmp client configuration group VPN_GROUP_WE_SETUP
key VPN_GROUP_PASSWORD
dns DNSServer1 DNSServer2
pool SDM_POOL_1
acl 139
save-password
split-dns OurFQDN
max-users 5
netmask 255.255.255.0
crypto isakmp profile ciscocp-ike-profile-1
match identity group VPN_GROUP_WE_SETUP
client authentication list ciscocp_vpn_xauth_ml_1
isakmp authorization list ciscocp_vpn_group_ml_1
client configuration address respond
virtual-template 1
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA3 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA4 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA5 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA6 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA7 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA8 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA9 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA10 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA11 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA12 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA13 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA14 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA15 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA16 esp-3des esp-sha-hmac
crypto ipsec df-bit clear
crypto ipsec profile CiscoCP_Profile1
set security-association idle-time 7200
set transform-set ESP-3DES-SHA13
set isakmp-profile ciscocp-ike-profile-1
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel toSite3.That.Works.195
set peer Site3.That.Works.195
set security-association lifetime seconds 86400
set transform-set ESP-3DES-SHA1
match address 101
crypto map SDM_CMAP_1 3 ipsec-isakmp
description Tunnel toSite7.That.Works.167
set peer Site7.That.Works.167
set security-association lifetime seconds 86400
set transform-set ESP-3DES-SHA4
match address 111
crypto map SDM_CMAP_1 4 ipsec-isakmp
description Tunnel toSite6.That.Works.126
set peer Site6.That.Works.126
set transform-set ESP-3DES-SHA5
match address 122
crypto map SDM_CMAP_1 5 ipsec-isakmp
description Tunnel toTHIS.SITE.WORKS.208
set peer THIS.SITE.WORKS.208
set transform-set ESP-3DES-SHA9
match address 131
crypto map SDM_CMAP_1 6 ipsec-isakmp
description Tunnel toSite7.That.Works.96
set peer Site7.That.Works.96
set transform-set ESP-3DES-SHA11
match address 135
crypto map SDM_CMAP_1 7 ipsec-isakmp
description Tunnel toSite2.That.Doesn'tWork.224
set peer Site2.That.Doesn'tWork.224
set transform-set ESP-3DES-SHA16
match address 146
crypto map SDM_CMAP_1
crypto ipsec df-bit clear
Site1# exit
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2012.09.28 07:48:23 =~=~=~=~=~=~=~=~=~=~=~=
Site2#show run | sec crypto
crypto pki trustpoint TP-self-signed-BLAHBLAH
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-BLAHBLAH
revocation-check none
rsakeypair TP-self-signed-BLAHBLAH
crypto ctcp port 10000
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key TunnelPassword address XXX.YYY.ZZZ.232
crypto isakmp key TunnelPassword address THIS.SITE.WORKS.208
crypto isakmp keepalive 300 periodic
crypto isakmp client configuration group VPN_GROUP_WE_SETUP
key VPN_GROUP_PASSWORD
dns DNSServer1 DNSServer2
pool SDM_POOL_1
acl 105
save-password
max-users 5
netmask 255.255.255.0
crypto isakmp profile ciscocp-ike-profile-1
match identity group VPN_GROUP_WE_SETUP
client authentication list ciscocp_vpn_xauth_ml_1
isakmp authorization list ciscocp_vpn_group_ml_1
client configuration address respond
virtual-template 1
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
crypto ipsec df-bit clear
crypto ipsec profile CiscoCP_Profile1
set security-association idle-time 7200
set transform-set ESP-3DES-SHA1
set isakmp-profile ciscocp-ike-profile-1
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to XXX.YYY.ZZZ.232
set peer XXX.YYY.ZZZ.232
set transform-set ESP-3DES-SHA
match address 101
crypto map SDM_CMAP_1 2 ipsec-isakmp
description Tunnel toTHIS.SITE.WORKS.208
set peer THIS.SITE.WORKS.208
set transform-set ESP-3DES-SHA2
match address 107
crypto map SDM_CMAP_1
Site2# exit
Thanks
09-28-2012 08:08 AM
Hi,
I've noticed that the WAN interface is configured with 'crypto ipsec df-bit clear' for site 1 but not for site 2. I suspect this might be your culprit.
Try configuring site 2's WAN interface (where the crypto map is applied) with the same command line and test again. Could you post site 2's sanitized 'debug ipsec sa' this time?
09-28-2012 09:01 PM
The crypto ipsec df-bit clear was applied globally so it does appear in the output but further up in the text.
On other sites I did have to apply the command locally as some of the sites did experience the same sort of issues against this site.
I did apply it specifically to fa4 but with no change.
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2012.09.28 21:21:51 =~=~=~=~=~=~=~=~=~=~=~=
Site2#show run | sec crypto
crypto pki trustpoint TP-self-signed-BLAHBLAH
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-BLAHBLAH
revocation-check none
rsakeypair TP-self-signed-BLAHBLAH
crypto pki certificate chain TP-self-signed-BLAHBLAH
crypto ctcp port 10000
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key TunnelPassword address XXX.YYY.ZZZ.232
crypto isakmp key TunnelPassword address THIS.SITE.WORKS.208
crypto isakmp keepalive 300 periodic
crypto isakmp client configuration group VPN_GROUP_WE_SETUP
key VPN_GROUP_PASSWORD
dns DNSServer1 DNSServer2
pool SDM_POOL_1
acl 105
save-password
max-users 5
netmask 255.255.255.0
crypto isakmp profile ciscocp-ike-profile-1
match identity group VPN_GROUP_WE_SETUP
client authentication list ciscocp_vpn_xauth_ml_1
isakmp authorization list ciscocp_vpn_group_ml_1
client configuration address respond
virtual-template 1
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
crypto ipsec profile CiscoCP_Profile1
set security-association idle-time 7200
set transform-set ESP-3DES-SHA1
set isakmp-profile ciscocp-ike-profile-1
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel toXXX.YYY.ZZZ.232
set peer XXX.YYY.ZZZ.232
set transform-set ESP-3DES-SHA
match address 101
crypto map SDM_CMAP_1 2 ipsec-isakmp
description Tunnel toTHIS.SITE.WORKS.208
set peer THIS.SITE.WORKS.208
set transform-set ESP-3DES-SHA2
match address 107
crypto map SDM_CMAP_1
crypto ipsec df-bit clear
Site2#term mon
Site2#debug crypto isakmp
Crypto ISAKMP debugging is on
Sep 29 03:24:01.775: ISAKMP:(2012):purging node BLAHBLAH
Site2#debug crypto ipsec
Crypto IPSEC debugging is on
Site2#
Sep 29 03:25:30.978: ISAKMP (2009): received packet from XXX.YYY.ZZZ.232 dport 500 sport 500 Global (R) QM_IDLE
Sep 29 03:25:30.978: ISAKMP: set new node -163456653 to QM_IDLE
Sep 29 03:25:30.982: ISAKMP:(2009): processing HASH payload. message ID = 4131510643
Sep 29 03:25:30.982: ISAKMP:(2009): processing NOTIFY DPD/R_U_THERE protocol 1
spi 0, message ID = 4131510643, sa = 0x8787EA84
Sep 29 03:25:30.982: ISAKMP:(2009):deleting node -163456653 error FALSE reason "Informational (in) state 1"
Sep 29 03:25:30.982: ISAKMP:(2009):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Sep 29 03:25:30.982: ISAKMP:(2009):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Sep 29 03:25:30.982: ISAKMP:(2009):DPD/R_U_THERE received from peer XXX.YYY.ZZZ.232, sequence 0xEA9AEDA
Sep 29 03:25:30.982: ISAKMP: set new node 2018908904 to QM_IDLE
Sep 29 03:25:30.982: ISAKMP:(2009):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
spi 2270256376, message ID = 2018908904
Sep 29 03:25:30.982: ISAKMP:(2009): seq. no 0xEA9AEDA
Sep 29 03:25:30.982: ISAKMP:(2009): sending packet to XXX.YYY.ZZZ.232 my_port 500 peer_port 500 (R) QM_IDLE
Sep 29 03:25:30.982: ISAKMP:(2009):Sending an IKE IPv4 Packet.
Sep 29 03:25:30.982: ISAKMP:(2009):purging node 2018908904
Sep 29 03:25:30.982: ISAKMP:(2009):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
Sep 29 03:25:30.982: ISAKMP:(2009):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Sep 29 03:26:01.443: ISAKMP (2010): received packet from XXX.YYY.ZZZ.232 dport 500 sport 500 Global (I) QM_IDLE
Sep 29 03:26:01.443: ISAKMP: set new node 226486783 to QM_IDLE
Sep 29 03:26:01.443: ISAKMP:(2010): processing HASH payload. message ID = 226486783
Sep 29 03:26:01.443: ISAKMP:(2010): processing NOTIFY DPD/R_U_THERE protocol 1
spi 0, message ID = 226486783, sa = 0x88D27A8C
Sep 29 03:26:01.447: ISAKMP:(2010):deleting node 226486783 error FALSE reason "Informational (in) state 1"
Sep 29 03:26:01.447: ISAKMP:(2010):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Sep 29 03:26:01.447: ISAKMP:(2010):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Sep 29 03:26:01.447: ISAKMP:(2010):DPD/R_U_THERE received from peer XXX.YYY.ZZZ.232, sequence 0xEA9AEDB
Sep 29 03:26:01.447: ISAKMP: set new node -167278245 to QM_IDLE
Sep 29 03:26:01.447: ISAKMP:(2010):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
spi 2270256376, message ID = 4127689051
Sep 29 03:26:01.447: ISAKMP:(2010): seq. no 0xEA9AEDB
Sep 29 03:26:01.447: ISAKMP:(2010): sending packet to XXX.YYY.ZZZ.232 my_port 500 peer_port 500 (I) QM_IDLE
Sep 29 03:26:01.447: ISAKMP:(2010):Sending an IKE IPv4 Packet.
Sep 29 03:26:01.447: ISAKMP:(2010):purging node -167278245
Sep 29 03:26:01.447: ISAKMP:(2010):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
Sep 29 03:26:01.447: ISAKMP:(2010):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Sep 29 03:26:20.983: ISAKMP:(2009):purging node -163456653
Sep 29 03:26:23.287: ISAKMP: set new node -1820403052 to QM_IDLE
Sep 29 03:26:23.287: ISAKMP:(2009):Sending NOTIFY DPD/R_U_THERE protocol 1
spi 2270256336, message ID = 2474564244
Sep 29 03:26:23.287: ISAKMP:(2009): seq. no 0xB5E6B73
Sep 29 03:26:23.287: ISAKMP:(2009): sending packet to XXX.YYY.ZZZ.232 my_port 500 peer_port 500 (R) QM_IDLE
Sep 29 03:26:23.287: ISAKMP:(2009):Sending an IKE IPv4 Packet.
Sep 29 03:26:23.287: ISAKMP:(2009):purging node -1820403052
Sep 29 03:26:23.287: ISAKMP:(2009):Input = IKE_MESG_FROM_TIMER, IKE_TIMER_IM_ALIVE
Sep 29 03:26:23.287: ISAKMP:(2009):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Sep 29 03:26:23.327: ISAKMP (2009): received packet from XXX.YYY.ZZZ.232 dport 500 sport 500 Global (R) QM_IDLE
Sep 29 03:26:23.327: ISAKMP: set new node -1598659514 to QM_IDLE
Sep 29 03:26:23.327: ISAKMP:(2009): processing HASH payload. message ID = 2696307782
Sep 29 03:26:23.327: ISAKMP:(2009): processing NOTIFY DPD/R_U_THERE_ACK protocol 1
spi 0, message ID = 2696307782, sa = 0x8787EA84
Sep 29 03:26:23.327: ISAKMP:(2009): DPD/R_U_THERE_ACK received from peer XXX.YYY.ZZZ.232, sequence 0xB5E6B73
Sep 29 03:26:23.327: ISAKMP:(2009):deleting node -1598659514 error FALSE reason "Informational (in) state 1"
Sep 29 03:26:23.327: ISAKMP:(2009):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Sep 29 03:26:23.327: ISAKMP:(2009):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Sep 29 03:26:51.448: ISAKMP:(2010):purging node 226486783
Sep 29 03:27:06.524: ISAKMP: set new node -50588970 to QM_IDLE
Sep 29 03:27:06.524: ISAKMP:(2010):Sending NOTIFY DPD/R_U_THERE protocol 1
spi 2270256336, message ID = 4244378326
Sep 29 03:27:06.524: ISAKMP:(2010): seq. no 0xB5E6B74
Sep 29 03:27:06.524: ISAKMP:(2010): sending packet to XXX.YYY.ZZZ.232 my_port 500 peer_port 500 (I) QM_IDLE
Sep 29 03:27:06.524: ISAKMP:(2010):Sending an IKE IPv4 Packet.
Sep 29 03:27:06.524: ISAKMP:(2010):purging node -50588970
Sep 29 03:27:06.524: ISAKMP:(2010):Input = IKE_MESG_FROM_TIMER, IKE_TIMER_IM_ALIVE
Sep 29 03:27:06.524: ISAKMP:(2010):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Sep 29 03:27:06.564: ISAKMP (2010): received packet from XXX.YYY.ZZZ.232 dport 500 sport 500 Global (I) QM_IDLE
Sep 29 03:27:06.564: ISAKMP: set new node 1981900763 to QM_IDLE
Sep 29 03:27:06.564: ISAKMP:(2010): processing HASH payload. message ID = 1981900763
Sep 29 03:27:06.564: ISAKMP:(2010): processing NOTIFY DPD/R_U_THERE_ACK protocol 1
spi 0, message ID = 1981900763, sa = 0x88D27A8C
Sep 29 03:27:06.564: ISAKMP:(2010): DPD/R_U_THERE_ACK received from peer XXX.YYY.ZZZ.232, sequence 0xB5E6B74
Sep 29 03:27:06.564: ISAKMP:(2010):deleting node 1981900763 error FALSE reason "Informational (in) state 1"
Sep 29 03:27:06.564: ISAKMP:(2010):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Sep 29 03:27:06.564: ISAKMP:(2010):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Sep 29 03:27:13.328: ISAKMP:(2009):purging node -1598659514
Sep 29 03:27:56.570: ISAKMP:(2010):purging node 1981900763
Sep 29 03:28:06.582: ISAKMP (2012): received packet from THIS.SITE.WORKS.208 dport 500 sport 500 Global (R) QM_IDLE
Sep 29 03:28:06.582: ISAKMP: set new node -1450327841 to QM_IDLE
Sep 29 03:28:06.582: ISAKMP:(2012): processing HASH payload. message ID = 2844639455
Sep 29 03:28:06.582: ISAKMP:(2012): processing NOTIFY DPD/R_U_THERE protocol 1
spi 0, message ID = 2844639455, sa = 0x887C5694
Sep 29 03:28:06.582: ISAKMP:(2012):deleting node -1450327841 error FALSE reason "Informational (in) state 1"
Sep 29 03:28:06.582: ISAKMP:(2012):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Sep 29 03:28:06.582: ISAKMP:(2012):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Sep 29 03:28:06.582: ISAKMP:(2012):DPD/R_U_THERE received from peer THIS.SITE.WORKS.208, sequence 0x719EED0A
Sep 29 03:28:06.582: ISAKMP: set new node 1754192287 to QM_IDLE
Sep 29 03:28:06.582: ISAKMP:(2012):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
spi 2270256376, message ID = 1754192287
Sep 29 03:28:06.582: ISAKMP:(2012): seq. no 0x719EED0A
Sep 29 03:28:06.582: ISAKMP:(2012): sending packet to THIS.SITE.WORKS.208 my_port 500 peer_port 500 (R) QM_IDLE
Sep 29 03:28:06.582: ISAKMP:(2012):Sending an IKE IPv4 Packet.
Sep 29 03:28:06.582: ISAKMP:(2012):purging node 1754192287
Sep 29 03:28:06.582: ISAKMP:(2012):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
Sep 29 03:28:06.582: ISAKMP:(2012):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Sep 29 03:28:56.583: ISAKMP:(2012):purging node -1450327841
Sep 29 03:29:50.973: %SYS-5-CONFIG_I: Configured from console by Administrator on vty0 (10.60.141.158)
Sep 29 03:30:18.781: ISAKMP (2009): received packet from XXX.YYY.ZZZ.232 dport 500 sport 500 Global (R) QM_IDLE
Sep 29 03:30:18.781: ISAKMP: set new node 1381376361 to QM_IDLE
Sep 29 03:30:18.781: ISAKMP:(2009): processing HASH payload. message ID = 1381376361
Sep 29 03:30:18.781: ISAKMP:(2009): processing NOTIFY DPD/R_U_THERE protocol 1
spi 0, message ID = 1381376361, sa = 0x8787EA84
Sep 29 03:30:18.781: ISAKMP:(2009):deleting node 1381376361 error FALSE reason "Informational (in) state 1"
Sep 29 03:30:18.781: ISAKMP:(2009):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Sep 29 03:30:18.781: ISAKMP:(2009):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Sep 29 03:30:18.785: ISAKMP:(2009):DPD/R_U_THERE received from peer XXX.YYY.ZZZ.232, sequence 0xEA9AEDC
Sep 29 03:30:18.785: ISAKMP: set new node 1361150104 to QM_IDLE
Sep 29 03:30:18.785: ISAKMP:(2009):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
spi 2270256376, message ID = 1361150104
Sep 29 03:30:18.785: ISAKMP:(2009): seq. no 0xEA9AEDC
Sep 29 03:30:18.785: ISAKMP:(2009): sending packet to XXX.YYY.ZZZ.232 my_port 500 peer_port 500 (R) QM_IDLE
Sep 29 03:30:18.785: ISAKMP:(2009):Sending an IKE IPv4 Packet.
Sep 29 03:30:18.785: ISAKMP:(2009):purging node 1361150104
Sep 29 03:30:18.785: ISAKMP:(2009):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
Sep 29 03:30:18.785: ISAKMP:(2009):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Site2#
-------------------
There doesn't seem to be much debugging unless I start the pings from Site1.
It really feels like this traffic is not attempting to route up the tunnel but rather trying to go out the default GW.
Thanks again for your continued help.
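Since the debug output above is mostly DPD keepalive chatter, here is a small triage script (added for this thread, not something from the original poster or from Cisco) that reads "debug crypto isakmp" text and reports which DPD R_U_THERE probes this router sent that never got an R_U_THERE_ACK back, and which phase 1 SAs died with "Death by retransmission". It pairs probes and ACKs on the ISAKMP conn-id plus the DPD sequence number, which is the only reliable key because the message IDs differ between the probe and its ACK. The SAMPLE_DEBUG lines are constructed in the same format as the IOS 15.x output above, with documentation addresses instead of real peers.

```python
import re
from collections import defaultdict

# Constructed sample in the "debug crypto isakmp" format of IOS 15.x (not a live capture).
# conn 2010 sends two DPD probes; only the first one is acknowledged.
# conn 0 is a phase 1 initiator that never hears back from its peer.
SAMPLE_DEBUG = """\
Sep 29 03:27:06.524: ISAKMP:(2010):Sending NOTIFY DPD/R_U_THERE protocol 1
Sep 29 03:27:06.524: ISAKMP:(2010): seq. no 0xB5E6B74
Sep 29 03:27:06.524: ISAKMP:(2010): sending packet to 198.51.100.232 my_port 500 peer_port 500 (I) QM_IDLE
Sep 29 03:27:06.564: ISAKMP:(2010): DPD/R_U_THERE_ACK received from peer 198.51.100.232, sequence 0xB5E6B74
Sep 29 03:27:36.524: ISAKMP:(2010):Sending NOTIFY DPD/R_U_THERE protocol 1
Sep 29 03:27:36.524: ISAKMP:(2010): seq. no 0xB5E6B75
Sep 29 03:27:36.524: ISAKMP:(2010): sending packet to 198.51.100.232 my_port 500 peer_port 500 (I) QM_IDLE
Sep 30 19:52:07.872: ISAKMP:(0): sending packet to 203.0.113.208 my_port 500 peer_port 500 (I) MM_NO_STATE
Sep 30 19:52:17.872: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Sep 30 19:52:57.873: ISAKMP (0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
Sep 30 19:53:07.873: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 203.0.113.208)
Sep 30 19:53:07.873: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 203.0.113.208)
"""

# Line formats as printed by "debug crypto isakmp" on IOS 15.x.
TS = r"^(?P<ts>\w{3} +\d+ [\d:.]+): "
RE_SEND_DPD = re.compile(TS + r"ISAKMP:\((?P<conn>\d+)\):Sending NOTIFY DPD/R_U_THERE protocol")
RE_SEQ = re.compile(TS + r"ISAKMP:\((?P<conn>\d+)\): seq\. no (?P<seq>0x[0-9A-Fa-f]+)")
RE_SEND_PKT = re.compile(TS + r"ISAKMP:\((?P<conn>\d+)\): sending packet to (?P<peer>[\w.]+) ")
RE_ACK = re.compile(TS + r"ISAKMP:\((?P<conn>\d+)\): DPD/R_U_THERE_ACK received from peer "
                    r"(?P<peer>[\w.]+), sequence (?P<seq>0x[0-9A-Fa-f]+)")
RE_RETRANS = re.compile(TS + r"ISAKMP \((?P<conn>\d+)\): incrementing error counter on sa, "
                        r"attempt (?P<n>\d+) of (?P<max>\d+): retransmit phase 1")
RE_P1_DEATH = re.compile(TS + r'ISAKMP:\((?P<conn>\d+)\):deleting SA reason '
                         r'"Death by retransmission P1" .*\(peer (?P<peer>[\w.]+)\)')


def analyze_isakmp_debug(text):
    """Pair each DPD R_U_THERE this router sent with the R_U_THERE_ACK that came
    back (keyed on conn-id + DPD sequence number) and collect phase 1 SAs that
    died after exhausting their retransmits."""
    pending = {}                    # conn-id -> probe being assembled across 3 debug lines
    outstanding = {}                # (conn-id, seq) -> {"ts", "peer"} still waiting for an ACK
    answered = 0
    retransmits = defaultdict(int)  # conn-id -> highest "attempt N of M" seen
    failures = []
    for line in text.splitlines():
        m = RE_SEND_DPD.match(line)
        if m:
            pending[m["conn"]] = {"ts": m["ts"], "seq": None}
            continue
        m = RE_SEQ.match(line)
        if m:
            if m["conn"] in pending:        # seq lines after an ACK send are ignored
                pending[m["conn"]]["seq"] = int(m["seq"], 16)
            continue
        m = RE_SEND_PKT.match(line)
        if m:
            p = pending.pop(m["conn"], None)
            if p and p["seq"] is not None:
                outstanding[(m["conn"], p["seq"])] = {"ts": p["ts"], "peer": m["peer"]}
            continue
        m = RE_ACK.match(line)
        if m:
            if outstanding.pop((m["conn"], int(m["seq"], 16)), None) is not None:
                answered += 1
            continue
        m = RE_RETRANS.match(line)
        if m:
            retransmits[m["conn"]] = max(retransmits[m["conn"]], int(m["n"]))
            continue
        m = RE_P1_DEATH.match(line)
        if m:
            rec = {"ts": m["ts"], "peer": m["peer"], "retransmits": retransmits.get(m["conn"], 0)}
            if rec not in failures:         # IOS prints the deletion line twice
                failures.append(rec)
    unanswered = [{"conn": c, "seq": hex(s), **v} for (c, s), v in outstanding.items()]
    return {"dpd_answered": answered, "dpd_unanswered": unanswered, "phase1_failures": failures}


if __name__ == "__main__":
    report = analyze_isakmp_debug(SAMPLE_DEBUG)
    print(f"DPD probes answered: {report['dpd_answered']}")
    for u in report["dpd_unanswered"]:
        print(f"  no ACK for DPD seq {u['seq']} to {u['peer']} (conn {u['conn']}, sent {u['ts']})")
    for f in report["phase1_failures"]:
        print(f"  phase 1 to {f['peer']} died at {f['ts']} after {f['retransmits']} retransmits")
```

Feed it the saved PuTTY log instead of SAMPLE_DEBUG to see at a glance whether the peer is still answering keepalives; an SA that stays in QM_IDLE with every probe acknowledged, as in the output above, tells you phase 1 is healthy and the problem is in what gets handed to the crypto map, not in the tunnel itself.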
09-28-2012 11:34 PM
Hi,
Thanks for the update! We can eliminate the said command line for this issue.
I've noticed you kept changing the crypto ACL.
Could you post show ip interface brief and show access-list from both Site 1 and 2?
Sent from Cisco Technical Support iPad App
09-29-2012 10:07 AM
As requested. I am sorry, I wasn't aware I was changing the ACL. I have been trying a few things from the net but wasn't aware I was affecting that part of the config.
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2012.09.29 10:17:48 =~=~=~=~=~=~=~=~=~=~=~=
Using keyboard-interactive authentication.
Site1#show ip interface brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0 unassigned YES unset down down
FastEthernet1 unassigned YES unset down down
FastEthernet2 unassigned YES unset up up
FastEthernet3 unassigned YES unset up up
FastEthernet4 XXX.YYY.ZZZ.232 YES NVRAM up up
NVI0 XXX.YYY.ZZZ.232 YES unset up up
Virtual-Access1 unassigned YES unset down down
Virtual-Template1 XXX.YYY.ZZZ.232 YES unset up down
Vlan1 172.16.1.254 YES NVRAM up up
Site1#show access-list
Standard IP access list 1
10 permit 172.16.1.0, wildcard bits 0.0.0.255
Extended IP access list 100
10 permit ip host 255.255.255.255 any
20 permit ip 127.0.0.0 0.255.255.255 any
30 permit ip XXX.0.0.0 0.255.255.255 any
40 permit ip XXX.YYY.ZZZ.0 0.0.0.255 any
Extended IP access list 101
10 permit ip 172.16.1.0 0.0.0.255 10.10.10.0 0.0.0.255 (21980 matches)
Extended IP access list 102
10 permit ip host Site3.That.Works.195 any (46 matches)
20 permit ip host NotSureonThisSite.That.Works.242 any
30 permit ip host Site4.That.Works.242 any
40 permit ip host Not.Sure.About.Thisone.54 any
50 permit ip host Site7.That.Works.167 any (40 matches)
60 permit ip host Site6.That.Works.126 any (183 matches)
70 permit ip host THIS.SITE.WORKS.208 any (401 matches)
80 permit ip host Site7.That.Works.96 any (1512 matches)
90 permit ip host TTT.UUU.VVV.224 any (1756 matches)
Extended IP access list 103
10 permit ip 10.10.10.0 0.0.0.255 172.16.1.0 0.0.0.255 (2 matches)
Extended IP access list 104
10 deny ip 172.16.1.0 0.0.0.255 10.60.141.0 0.0.0.255 (383730 matches)
20 deny ip 172.16.1.0 0.0.0.255 10.41.2.0 0.0.0.255 (1837 matches)
30 deny ip 172.16.1.0 0.0.0.255 172.27.0.0 0.0.0.255 (31743 matches)
40 deny ip 172.16.1.0 0.0.0.255 10.60.56.0 0.0.0.255 (3047 matches)
50 deny ip 172.16.1.0 0.0.0.255 10.60.53.0 0.0.0.255 (2488 matches)
60 deny ip 172.16.1.0 0.0.0.255 10.10.10.0 0.0.0.255 (19687 matches)
70 permit ip 172.16.1.0 0.0.0.255 any (60542 matches)
Extended IP access list 105
10 permit ip 172.16.1.0 0.0.0.255 10.60.145.0 0.0.0.255
Extended IP access list 106
10 permit ip 10.60.145.0 0.0.0.255 172.16.1.0 0.0.0.255
20 permit ip 10.10.10.0 0.0.0.255 172.16.1.0 0.0.0.255
Extended IP access list 107
10 permit ip 172.16.1.0 0.0.0.255 10.60.145.0 0.0.0.255
Extended IP access list 108
10 permit ip 10.60.145.0 0.0.0.255 172.16.1.0 0.0.0.255
20 permit ip 10.10.10.0 0.0.0.255 172.16.1.0 0.0.0.255
Extended IP access list 109
10 permit ip 172.16.1.0 0.0.0.255 10.60.56.0 0.0.0.255
Extended IP access list 110
10 permit ip 10.60.56.0 0.0.0.255 172.16.1.0 0.0.0.255 (2 matches)
20 permit ip 10.10.10.0 0.0.0.255 172.16.1.0 0.0.0.255
Extended IP access list 111
10 permit ip 172.16.1.0 0.0.0.255 10.60.53.0 0.0.0.255 (7910 matches)
Extended IP access list 112
10 permit ip 10.60.56.0 0.0.0.255 172.16.1.0 0.0.0.255
20 permit ip 10.10.10.0 0.0.0.255 172.16.1.0 0.0.0.255
30 permit ip 10.60.53.0 0.0.0.255 172.16.1.0 0.0.0.255 (1 match)
Extended IP access list 113
10 permit ip 10.60.53.0 0.0.0.255 172.16.1.0 0.0.0.255
20 permit ip 10.60.56.0 0.0.0.255 172.16.1.0 0.0.0.255
30 permit ip 10.10.10.0 0.0.0.255 172.16.1.0 0.0.0.255
Extended IP access list 114
10 permit ip 10.60.53.0 0.0.0.255 172.16.1.0 0.0.0.255
20 permit ip 10.60.56.0 0.0.0.255 172.16.1.0 0.0.0.255
30 permit ip 10.60.141.0 0.0.0.255 172.16.1.0 0.0.0.255 (347084 matches)
40 permit ip 10.60.145.0 0.0.0.255 172.16.1.0 0.0.0.255
50 permit ip 10.10.10.0 0.0.0.255 172.16.1.0 0.0.0.255
Extended IP access list 115
10 permit ip 10.60.53.0 0.0.0.255 172.16.1.0 0.0.0.255
20 permit ip 10.60.0.0 0.0.0.255 172.16.1.0 0.0.0.255
30 permit ip 10.10.10.0 0.0.0.255 172.16.1.0 0.0.0.255
Extended IP access list 116
10 permit ip 10.60.53.0 0.0.0.255 172.16.1.0 0.0.0.255
20 permit ip 10.60.56.0 0.0.0.255 172.16.1.0 0.0.0.255
30 permit ip 10.10.10.0 0.0.0.255 172.16.1.0 0.0.0.255
Extended IP access list 117
10 permit ip 10.60.53.0 0.0.0.255 172.16.1.0 0.0.0.255
20 permit ip 10.60.56.0 0.0.0.255 172.16.1.0 0.0.0.255
30 permit ip 10.10.10.0 0.0.0.255 172.16.1.0 0.0.0.255
Extended IP access list 118
10 permit ip 10.60.53.0 0.0.0.255 172.16.1.0 0.0.0.255
20 permit ip 10.60.56.0 0.0.0.255 172.16.1.0 0.0.0.255
30 permit ip 10.10.10.0 0.0.0.255 172.16.1.0 0.0.0.255
Extended IP access list 119
10 permit ip 10.60.53.0 0.0.0.255 172.16.1.0 0.0.0.255
20 permit ip 10.60.56.0 0.0.0.255 172.16.1.0 0.0.0.255
30 permit ip 10.10.10.0 0.0.0.255 172.16.1.0 0.0.0.255
Extended IP access list 120
10 permit ip 10.60.53.0 0.0.0.255 172.16.1.0 0.0.0.255
20 permit ip 10.60.56.0 0.0.0.255 172.16.1.0 0.0.0.255
30 permit ip 10.10.10.0 0.0.0.255 172.16.1.0 0.0.0.255
Extended IP access list 121
10 permit ip 10.60.53.0 0.0.0.255 172.16.1.0 0.0.0.255
20 permit ip 10.60.56.0 0.0.0.255 172.16.1.0 0.0.0.255
30 permit ip 10.10.10.0 0.0.0.255 172.16.1.0 0.0.0.255
Extended IP access list 122
10 permit ip 172.16.1.0 0.0.0.255 10.60.56.0 0.0.0.255 (8094 matches)
Extended IP access list 123
10 permit ip 10.30.56.0 0.0.0.255 172.16.1.0 0.0.0.255
20 permit ip 10.60.53.0 0.0.0.255 172.16.1.0 0.0.0.255
30 permit ip 10.10.10.0 0.0.0.255 172.16.1.0 0.0.0.255
Extended IP access list 124
10 permit ip 10.60.56.0 0.0.0.255 172.16.1.0 0.0.0.255
20 permit ip 10.60.53.0 0.0.0.255 172.16.1.0 0.0.0.255
30 permit ip 10.10.10.0 0.0.0.255 172.16.1.0 0.0.0.255
Extended IP access list 125
10 permit ip 172.16.1.0 0.0.0.255 172.27.0.0 0.0.0.255
Extended IP access list 126
10 permit ip 10.60.56.0 0.0.0.255 172.16.1.0 0.0.0.255
20 permit ip 10.60.53.0 0.0.0.255 172.16.1.0 0.0.0.255
30 permit ip 10.10.10.0 0.0.0.255 172.16.1.0 0.0.0.255
40 permit ip 172.27.0.0 0.0.0.255 172.16.1.0 0.0.0.255 (6 matches)
Extended IP access list 127
10 permit ip 172.16.1.0 0.0.0.255 172.27.0.0 0.0.0.255
Extended IP access list 128
10 permit ip 10.60.56.0 0.0.0.255 172.16.1.0 0.0.0.255
20 permit ip 10.60.53.0 0.0.0.255 172.16.1.0 0.0.0.255
30 permit ip 10.10.10.0 0.0.0.255 172.16.1.0 0.0.0.255
40 permit ip 172.27.0.0 0.0.0.255 172.16.1.0 0.0.0.255
Extended IP access list 129
10 permit ip 172.16.1.0 0.0.0.255 172.27.0.0 0.0.0.255
Extended IP access list 130
10 permit ip 10.60.56.0 0.0.0.255 172.16.1.0 0.0.0.255
20 permit ip 10.60.53.0 0.0.0.255 172.16.1.0 0.0.0.255
30 permit ip 10.10.10.0 0.0.0.255 172.16.1.0 0.0.0.255
40 permit ip 172.27.0.0 0.0.0.255 172.16.1.0 0.0.0.255
Extended IP access list 131
10 permit ip 172.16.1.0 0.0.0.255 172.27.0.0 0.0.0.255 (60912 matches)
Extended IP access list 132
10 permit ip 172.27.0.0 0.0.0.255 172.16.1.0 0.0.0.255
20 permit ip 10.60.56.0 0.0.0.255 172.16.1.0 0.0.0.255
30 permit ip 10.60.53.0 0.0.0.255 172.16.1.0 0.0.0.255
40 permit ip 10.10.10.0 0.0.0.255 172.16.1.0 0.0.0.255
Extended IP access list 133
10 permit ip 172.16.1.0 0.0.0.255 10.41.2.0 0.0.0.255
Extended IP access list 134
10 permit ip 10.60.56.0 0.0.0.255 172.16.1.0 0.0.0.255
20 permit ip 10.60.53.0 0.0.0.255 172.16.1.0 0.0.0.255
30 permit ip 10.41.2.0 0.0.0.255 172.16.1.0 0.0.0.255 (3 matches)
40 permit ip 10.10.10.0 0.0.0.255 172.16.1.0 0.0.0.255
50 permit ip 172.27.0.0 0.0.0.255 172.16.1.0 0.0.0.255
Extended IP access list 135
10 permit ip 172.16.1.0 0.0.0.255 10.41.2.0 0.0.0.255 (3724 matches)
Extended IP access list 136
10 permit ip 10.60.56.0 0.0.0.255 172.16.1.0 0.0.0.255
20 permit ip 10.60.53.0 0.0.0.255 172.16.1.0 0.0.0.255
30 permit ip 10.41.2.0 0.0.0.255 172.16.1.0 0.0.0.255
40 permit ip 10.10.10.0 0.0.0.255 172.16.1.0 0.0.0.255
50 permit ip 172.27.0.0 0.0.0.255 172.16.1.0 0.0.0.255
Extended IP access list 137
10 permit ip 172.16.1.0 0.0.0.255 10.60.141.0 0.0.0.255
Extended IP access list 138
10 permit ip 10.60.56.0 0.0.0.255 172.16.1.0 0.0.0.255
20 permit ip 10.60.53.0 0.0.0.255 172.16.1.0 0.0.0.255
30 permit ip 10.60.141.0 0.0.0.255 172.16.1.0 0.0.0.255
40 permit ip 10.41.2.0 0.0.0.255 172.16.1.0 0.0.0.255
50 permit ip 10.10.10.0 0.0.0.255 172.16.1.0 0.0.0.255
60 permit ip 172.27.0.0 0.0.0.255 172.16.1.0 0.0.0.255
Extended IP access list 139
10 permit ip 172.16.1.0 0.0.0.255 any
Extended IP access list 140
10 permit ip 172.16.1.0 0.0.0.255 10.60.141.0 0.0.0.255
Extended IP access list 141
10 permit ip 10.41.2.0 0.0.0.255 172.16.1.0 0.0.0.255
20 permit ip 172.27.0.0 0.0.0.255 172.16.1.0 0.0.0.255
30 permit ip 10.60.56.0 0.0.0.255 172.16.1.0 0.0.0.255
40 permit ip 10.60.53.0 0.0.0.255 172.16.1.0 0.0.0.255
50 permit ip 10.10.10.0 0.0.0.255 172.16.1.0 0.0.0.255
60 permit ip 10.60.141.0 0.0.0.255 172.16.1.0 0.0.0.255
Extended IP access list 142
10 permit ip 172.16.1.0 0.0.0.255 10.60.141.0 0.0.0.255
Extended IP access list 143
10 permit ip 10.41.2.0 0.0.0.255 172.16.1.0 0.0.0.255
20 permit ip 172.27.0.0 0.0.0.255 172.16.1.0 0.0.0.255
30 permit ip 10.60.56.0 0.0.0.255 172.16.1.0 0.0.0.255
40 permit ip 10.60.53.0 0.0.0.255 172.16.1.0 0.0.0.255
50 permit ip 10.10.10.0 0.0.0.255 172.16.1.0 0.0.0.255
60 permit ip 10.60.141.0 0.0.0.255 172.16.1.0 0.0.0.255
Extended IP access list 144
10 permit ip 10.41.2.0 0.0.0.255 172.16.1.0 0.0.0.255
20 permit ip 172.27.0.0 0.0.0.255 172.16.1.0 0.0.0.255
30 permit ip 10.60.56.0 0.0.0.255 172.16.1.0 0.0.0.255
40 permit ip 10.60.53.0 0.0.0.255 172.16.1.0 0.0.0.255
50 permit ip 10.10.10.0 0.0.0.255 172.16.1.0 0.0.0.255
60 permit ip 10.60.141.0 0.0.0.255 172.16.1.0 0.0.0.255
Extended IP access list 145
10 permit ip 10.41.2.0 0.0.0.255 172.16.1.0 0.0.0.255
20 permit ip 172.27.0.0 0.0.0.255 172.16.1.0 0.0.0.255
30 permit ip 10.60.56.0 0.0.0.255 172.16.1.0 0.0.0.255
40 permit ip 10.60.53.0 0.0.0.255 172.16.1.0 0.0.0.255
50 permit ip 10.10.10.0 0.0.0.255 172.16.1.0 0.0.0.255
60 permit ip 10.60.141.0 0.0.0.255 172.16.1.0 0.0.0.255
Extended IP access list 146
10 permit ip 172.16.1.0 0.0.0.255 10.60.141.0 0.0.0.255 (790099 matches)
Extended IP access list 147
10 permit ip 10.41.2.0 0.0.0.255 172.16.1.0 0.0.0.255
20 permit ip 172.27.0.0 0.0.0.255 172.16.1.0 0.0.0.255
30 permit ip 10.60.56.0 0.0.0.255 172.16.1.0 0.0.0.255
40 permit ip 10.60.53.0 0.0.0.255 172.16.1.0 0.0.0.255
50 permit ip 10.10.10.0 0.0.0.255 172.16.1.0 0.0.0.255
60 permit ip 10.60.141.0 0.0.0.255 172.16.1.0 0.0.0.255
Extended IP access list 148
10 permit ip 10.41.2.0 0.0.0.255 172.16.1.0 0.0.0.255
20 permit ip 172.27.0.0 0.0.0.255 172.16.1.0 0.0.0.255
30 permit ip 10.60.56.0 0.0.0.255 172.16.1.0 0.0.0.255
40 permit ip 10.60.53.0 0.0.0.255 172.16.1.0 0.0.0.255
50 permit ip 10.10.10.0 0.0.0.255 172.16.1.0 0.0.0.255
60 permit ip 10.60.141.0 0.0.0.255 172.16.1.0 0.0.0.255
Extended IP access list SDM_AH
10 permit ahp any any
Extended IP access list SDM_ESP
10 permit esp any any (238 matches)
Extended IP access list SDM_GRE
10 permit gre any any
Extended IP access list SDM_HTTP
10 permit tcp any any eq www
Extended IP access list SDM_HTTPS
10 permit tcp any any eq 443
Extended IP access list SDM_IP
10 permit ip any any
Extended IP access list SDM_SHELL
10 permit tcp any any eq cmd
Extended IP access list SDM_SSH
10 permit tcp any any eq 22
Site1# exit
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2012.09.29 10:15:43 =~=~=~=~=~=~=~=~=~=~=~=
Using keyboard-interactive authentication.
Password:
Site2#show ip interface brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0 unassigned YES unset up up
FastEthernet1 unassigned YES unset down down
FastEthernet2 unassigned YES unset up up
FastEthernet3 unassigned YES unset up up
FastEthernet4 TTT.UUU.VVV.224 YES NVRAM up up
NVI0 TTT.UUU.VVV.224 YES unset up up
Virtual-Template1 TTT.UUU.VVV.224 YES unset up down
Vlan1 10.60.141.30 YES NVRAM up up
Site2#show access-list
Standard IP access list 1
10 permit 10.60.141.0, wildcard bits 0.0.0.255
Extended IP access list 100
10 permit ip host 255.255.255.255 any
20 permit ip 127.0.0.0 0.255.255.255 any
30 permit ip TTT.UUU.VVV.0 0.0.0.255 any
Extended IP access list 101
10 permit ip 10.60.141.0 0.0.0.255 172.16.1.0 0.0.0.255 (367758 matches)
Extended IP access list 102
10 permit ip host XXX.YYY.ZZZ.232 any (1258 matches)
20 permit ip host THIS.SITE.WORKS.208 any (107 matches)
Extended IP access list 103
10 permit ip 172.16.1.0 0.0.0.255 10.60.141.0 0.0.0.255 (17 matches)
Extended IP access list 104
10 deny ip 10.60.141.0 0.0.0.255 172.27.0.0 0.0.0.255 (257 matches)
20 deny ip 10.60.141.0 0.0.0.255 172.16.1.0 0.0.0.255 (367767 matches)
30 permit ip 10.60.141.0 0.0.0.255 any (12854 matches)
Extended IP access list 105
10 permit ip 10.60.141.0 0.0.0.255 any
Extended IP access list 106
10 permit tcp any any eq 10000
Extended IP access list 107
10 permit ip 10.60.141.0 0.0.0.255 172.27.0.0 0.0.0.255 (257 matches)
Extended IP access list 108
10 permit ip 172.27.0.0 0.0.0.255 10.60.141.0 0.0.0.255 (7 matches)
20 permit ip 172.16.1.0 0.0.0.255 10.60.141.0 0.0.0.255
Extended IP access list SDM_AH
10 permit ahp any any
Extended IP access list SDM_ESP
10 permit esp any any
Extended IP access list SDM_GRE
10 permit gre any any
Extended IP access list SDM_IP
10 permit ip any any (1269 matches)
Site2# exit
Thanks for your continued help.
09-29-2012 08:11 PM
Hi,
Based on your ACL and latest show run, I think you've correctly set up your VPN policies (sites 1 and 2) and already got some ACL hits.
site 1:
crypto map SDM_CMAP_1 7 ipsec-isakmp
set peer Site2.That.Doesn'tWork.224
match address 146
Extended IP access list 146
10 permit ip 172.16.1.0 0.0.0.255 10.60.141.0 0.0.0.255 (790099 matches)
route-map SDM_RMAP_1 permit 1
match ip address 104
Extended IP access list 104
deny ip 172.16.1.0 0.0.0.255 10.60.141.0 0.0.0.255
70 permit ip 172.16.1.0 0.0.0.255 any (60542 matches)
----
Site 2:
crypto map SDM_CMAP_1 1 ipsec-isakmp
set peer XXX.YYY.ZZZ.232
match address 101
Extended IP access list 101
10 permit ip 10.60.141.0 0.0.0.255 172.16.1.0 0.0.0.255 (367758 matches)
route-map SDM_RMAP_1 permit 1
match ip address 104
Extended IP access list 104
10 deny ip 10.60.141.0 0.0.0.255 172.27.0.0 0.0.0.255 (257 matches)
20 deny ip 10.60.141.0 0.0.0.255 172.16.1.0 0.0.0.255 (367767 matches)
30 permit ip 10.60.141.0 0.0.0.255 any (12854 matches)
Why don't you use CCP's VPN diagnostics to help you troubleshoot and tell you what needs to be changed? I'm also still curious and waiting, though, for the IPsec SA debug output (debug crypto ipsec sa).
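The two things the post above is checking by eye, that the crypto ACLs on the two peers are exact mirror images and that the NAT route-map ACL denies the VPN traffic before its "permit ... any" line, are easy to get wrong when CCP keeps generating new numbered ACLs. This script (added here, not part of the thread or of CCP) parses "show access-list" output for the relevant ACLs and does both checks mechanically. The sample ACL text is constructed from the subnets in this thread; BROKEN_NAT and WRONG_SUBNET_CRYPTO are hypothetical misconfigurations to show what a failure looks like. Only contiguous wildcard masks are supported, which is all CCP generates.

```python
import ipaddress
import re

# Constructed from the ACLs posted in this thread ("show access-list" format).
SITE1_CRYPTO = "10 permit ip 172.16.1.0 0.0.0.255 10.60.141.0 0.0.0.255 (790099 matches)"
SITE2_CRYPTO = "10 permit ip 10.60.141.0 0.0.0.255 172.16.1.0 0.0.0.255 (367758 matches)"
SITE2_NAT = """\
Extended IP access list 104
    10 deny ip 10.60.141.0 0.0.0.255 172.27.0.0 0.0.0.255 (257 matches)
    20 deny ip 10.60.141.0 0.0.0.255 172.16.1.0 0.0.0.255 (367767 matches)
    30 permit ip 10.60.141.0 0.0.0.255 any (12854 matches)
"""
# Hypothetical mistakes, not from the thread: a NAT ACL that forgot the deny,
# and a peer whose crypto ACL names the wrong remote subnet.
BROKEN_NAT = "10 permit ip 10.60.141.0 0.0.0.255 any"
WRONG_SUBNET_CRYPTO = "10 permit ip 10.60.145.0 0.0.0.255 172.16.1.0 0.0.0.255"

ACE = re.compile(r"^\s*(?P<seq>\d+)\s+(?P<action>permit|deny)\s+(?P<proto>\S+)\s+"
                 r"(?P<rest>.+?)(?:\s+\(\d+ match(?:es)?\))?\s*$")


def _take_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D wildcard'."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    w = int(ipaddress.IPv4Address(tokens.pop(0)))
    if w & (w + 1):                       # wildcard must be a run of low-order ones
        raise ValueError(f"non-contiguous wildcard for {t}")
    return ipaddress.ip_network(f"{t}/{32 - w.bit_length()}", strict=False)


def parse_acl(text):
    """Parse the numbered entries of one extended ACL; header/remark lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ACE.match(line)
        if not m:
            continue
        tokens = m["rest"].split()
        src, dst = _take_addr(tokens), _take_addr(tokens)   # any port tokens are ignored
        entries.append({"seq": int(m["seq"]), "action": m["action"],
                        "proto": m["proto"], "src": src, "dst": dst})
    return entries


def check_crypto_mirror(local_text, remote_text):
    """Proxy identities are negotiated from the crypto ACL, so every local
    permit src->dst needs exactly one peer permit dst->src and nothing extra."""
    local = {(e["src"], e["dst"]) for e in parse_acl(local_text) if e["action"] == "permit"}
    remote = {(e["dst"], e["src"]) for e in parse_acl(remote_text) if e["action"] == "permit"}
    problems = []
    for src, dst in sorted(local - remote, key=str):
        problems.append(f"local permits {src} -> {dst} but peer has no mirror entry")
    for src, dst in sorted(remote - local, key=str):
        problems.append(f"peer permits {dst} -> {src} but local has no mirror entry")
    return problems


def check_nat_exemption(crypto_text, natmap_text):
    """The route-map ACL feeding NAT is first-match: VPN traffic must hit a deny
    (or fall off the end) before any permit, or it is translated before the
    crypto map ever sees it and never matches the crypto ACL."""
    problems = []
    nat = parse_acl(natmap_text)
    for e in parse_acl(crypto_text):
        if e["action"] != "permit":
            continue
        for n in nat:
            if e["src"].subnet_of(n["src"]) and e["dst"].subnet_of(n["dst"]):
                if n["action"] == "permit":
                    problems.append(f"seq {n['seq']} NATs {e['src']} -> {e['dst']} "
                                    f"before the crypto map sees it")
                break                       # first matching entry decides
    return problems


if __name__ == "__main__":
    print("mirror:", check_crypto_mirror(SITE1_CRYPTO, SITE2_CRYPTO) or "ok")
    print("site2 NAT exemption:", check_nat_exemption(SITE2_CRYPTO, SITE2_NAT) or "ok")
    print("broken NAT ACL:", check_nat_exemption(SITE2_CRYPTO, BROKEN_NAT))
    print("wrong peer subnet:", check_crypto_mirror(SITE1_CRYPTO, WRONG_SUBNET_CRYPTO))
```

Run it against the ACL that "match address" points to in each site's crypto map and the ACL named by the route-map's "match ip address"; with the numbers from this thread both checks pass, which agrees with the post above that the policy itself is consistent. Note that a deny that exists but sits after the "permit ... any" line fails the second check, because IOS stops at the first match.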
09-30-2012 02:59 PM
Good day
I have been running the VPN diagnostics and it consistently says
A ping with data size of this VPN interface MTU size and 'Do not Fragment' bit set to the other end VPN device is failing. This may happen if there is a lesser MTU network which drops the 'Do not fragment' packets. | 1)Contact your ISP/Administrator to resolve this issue. 2)Issue the command 'crypto ipsec df-bit clear' under the VPN interface to avoid packets drop due to fragmentation. |
I had this same info on other sites I configured to tunnel to Site 1 but the command worked on them with no issues.
I had been running the debug crypto ipsec but there were no results displayed.
I ran it again today and still no ipsec debugs.
Here is the output of today's debugs.
Thanks for your continued help.
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2012.09.30 13:41:58 =~=~=~=~=~=~=~=~=~=~=~=
----------------------------------------------------------------
Using keyboard-interactive authentication.
Site2#term mon
Site2#show crypto is
Site2#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
TTT.UUU.VVV.224 XXX.YYY.ZZZ.232 QM_IDLE 2015 ACTIVE
XXX.YYY.ZZZ.232 TTT.UUU.VVV.224 QM_IDLE 2016 ACTIVE
IPv6 Crypto ISAKMP SA
Site2#show crypto isakmp
interface: FastEthernet4
Crypto map tag: SDM_CMAP_1, local addr TTT.UUU.VVV.224
protected vrf: (none)
local ident (addr/mask/prot/port): (10.60.141.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
current_peer XXX.YYY.ZZZ.232 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 94752, #pkts encrypt: 94752, #pkts digest: 94752
#pkts decaps: 8133, #pkts decrypt: 8133, #pkts verify: 8133
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: TTT.UUU.VVV.224, remote crypto endpt.: XXX.YYY.ZZZ.232
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4
current outbound spi: 0x46A7F1F4(1185411572)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x2B148960(722766176)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 71, flow_id: Onboard VPN:71, sibling_flags 80000040, crypto map: SDM_CMAP_1
sa timing: remaining key lifetime (k/sec): (4373272/3094)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x46A7F1F4(1185411572)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 72, flow_id: Onboard VPN:72, sibling_flags 80000040, crypto map: SDM_CMAP_1
sa timing: remaining key lifetime (k/sec): (4373227/3094)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (10.60.141.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.27.0.0/255.255.255.0/0/0)
current_peer THIS.SITE.WORKS.208 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 253, #pkts encrypt: 253, #pkts digest: 253
#pkts decaps: 273, #pkts decrypt: 273, #pkts verify: 273
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 4, #recv errors 0
local crypto endpt.: TTT.UUU.VVV.224, remote crypto endpt.: THIS.SITE.WORKS.208
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
Site2# debug cry
Site2# debug crypto is
Site2# debug crypto isakmp ?
aaa ISAKMP AAA
error ISAKMP Errors
ha ISAKMP High Availability
Site2# debug crypto isakmp
Crypto ISAKMP debugging is on
Site2# debug crypto isakmp ipsec
Sep 30 19:49:07.299: ISAKMP:(2016):purging node -1638821314?
client Client Debug
error IPSEC errors
ha IPSEC High Availability
hw-request IPSEC hw-request
message IPSEC message
metadata CTS metadata
states IPSEC states
Site2# debug crypto ipsec
Crypto IPSEC debugging is on
Site2#
Sep 30 19:49:35.712: ISAKMP:(2016):purging node 278770064
Sep 30 19:52:07.868: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= TTT.UUU.VVV.224:500, remote= THIS.SITE.WORKS.208:500,
local_proxy= 10.60.141.0/255.255.255.0/256/0,
remote_proxy= 172.27.0.0/255.255.255.0/256/0,
protocol= ESP, transform= esp-3des esp-sha-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
Sep 30 19:52:07.868: ISAKMP:(0): SA request profile is (NULL)
Sep 30 19:52:07.868: ISAKMP: Created a peer struct for THIS.SITE.WORKS.208, peer port 500
Sep 30 19:52:07.868: ISAKMP: New peer created peer = 0x89ECDE74 peer_handle = 0x8000000D
Sep 30 19:52:07.868: ISAKMP: Locking peer struct 0x89ECDE74, refcount 1 for isakmp_initiator
Sep 30 19:52:07.868: ISAKMP: local port 500, remote port 500
Sep 30 19:52:07.868: ISAKMP: set new node 0 to QM_IDLE
Sep 30 19:52:07.868: ISAKMP:(0):insert sa successfully sa = 88D8FC14
Sep 30 19:52:07.868: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
Sep 30 19:52:07.872: ISAKMP:(0):found peer pre-shared key matching THIS.SITE.WORKS.208
Sep 30 19:52:07.872: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
Sep 30 19:52:07.872: ISAKMP:(0): constructed NAT-T vendor-07 ID
Sep 30 19:52:07.872: ISAKMP:(0): constructed NAT-T vendor-03 ID
Sep 30 19:52:07.872: ISAKMP:(0): constructed NAT-T vendor-02 ID
Sep 30 19:52:07.872: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Sep 30 19:52:07.872: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
Sep 30 19:52:07.872: ISAKMP:(0): beginning Main Mode exchange
Sep 30 19:52:07.872: ISAKMP:(0): sending packet to THIS.SITE.WORKS.208 my_port 500 peer_port 500 (I) MM_NO_STATE
Sep 30 19:52:07.872: ISAKMP:(0):Sending an IKE IPv4 Packet.
Sep 30 19:52:17.872: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Sep 30 19:52:17.872: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Sep 30 19:52:17.872: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Sep 30 19:52:17.872: ISAKMP:(0): sending packet to THIS.SITE.WORKS.208 my_port 500 peer_port 500 (I) MM_NO_STATE
Sep 30 19:52:17.872: ISAKMP:(0):Sending an IKE IPv4 Packet.
Sep 30 19:52:27.872: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Sep 30 19:52:27.872: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
Sep 30 19:52:27.872: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Sep 30 19:52:27.872: ISAKMP:(0): sending packet to THIS.SITE.WORKS.208 my_port 500 peer_port 500 (I) MM_NO_STATE
Sep 30 19:52:27.872: ISAKMP:(0):Sending an IKE IPv4 Packet.
Sep 30 19:52:37.869: IPSEC(key_engine): request timer fired: count = 1,
(identity) local= TTT.UUU.VVV.224:0, remote= THIS.SITE.WORKS.208:0,
local_proxy= 10.60.141.0/255.255.255.0/256/0,
remote_proxy= 172.27.0.0/255.255.255.0/256/0
Sep 30 19:52:37.869: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= TTT.UUU.VVV.224:500, remote= THIS.SITE.WORKS.208:500,
local_proxy= 10.60.141.0/255.255.255.0/256/0,
remote_proxy= 172.27.0.0/255.255.255.0/256/0,
protocol= ESP, transform= esp-3des esp-sha-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
Sep 30 19:52:37.869: ISAKMP: set new node 0 to QM_IDLE
Sep 30 19:52:37.869: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local TTT.UUU.VVV.224, remote THIS.SITE.WORKS.208)
Sep 30 19:52:37.869: ISAKMP: Error while processing SA request: Failed to initialize SA
Sep 30 19:52:37.869: ISAKMP: Error while processing KMI message 0, error 2.
Sep 30 19:52:37.873: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Sep 30 19:52:37.873: ISAKMP (0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
Sep 30 19:52:37.873: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Sep 30 19:52:37.873: ISAKMP:(0): sending packet to THIS.SITE.WORKS.208 my_port 500 peer_port 500 (I) MM_NO_STATE
Sep 30 19:52:37.873: ISAKMP:(0):Sending an IKE IPv4 Packet.
Sep 30 19:52:43.689: ISAKMP (2015): received packet from XXX.YYY.ZZZ.232 dport 500 sport 500 Global (R) QM_IDLE
Sep 30 19:52:43.689: ISAKMP: set new node -2093195178 to QM_IDLE
Sep 30 19:52:43.689: ISAKMP:(2015): processing HASH payload. message ID = 2201772118
Sep 30 19:52:43.689: ISAKMP:(2015): processing NOTIFY DPD/R_U_THERE protocol 1
spi 0, message ID = 2201772118, sa = 0x887C5694
Sep 30 19:52:43.689: ISAKMP:(2015):deleting node -2093195178 error FALSE reason "Informational (in) state 1"
Sep 30 19:52:43.689: ISAKMP:(2015):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Sep 30 19:52:43.689: ISAKMP:(2015):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Sep 30 19:52:43.689: ISAKMP:(2015):DPD/R_U_THERE received from peer XXX.YYY.ZZZ.232, sequence 0xEA9B2BE
Sep 30 19:52:43.693: ISAKMP: set new node 727941331 to QM_IDLE
Sep 30 19:52:43.693: ISAKMP:(2015):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
spi 2270256376, message ID = 727941331
Sep 30 19:52:43.693: ISAKMP:(2015): seq. no 0xEA9B2BE
Sep 30 19:52:43.693: ISAKMP:(2015): sending packet to XXX.YYY.ZZZ.232 my_port 500 peer_port 500 (R) QM_IDLE
Sep 30 19:52:43.693: ISAKMP:(2015):Sending an IKE IPv4 Packet.
Sep 30 19:52:43.693: ISAKMP:(2015):purging node 727941331
Sep 30 19:52:43.693: ISAKMP:(2015):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
Sep 30 19:52:43.693: ISAKMP:(2015):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Sep 30 19:52:47.873: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Sep 30 19:52:47.873: ISAKMP (0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
Sep 30 19:52:47.873: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Sep 30 19:52:47.873: ISAKMP:(0): sending packet to THIS.SITE.WORKS.208 my_port 500 peer_port 500 (I) MM_NO_STATE
Sep 30 19:52:47.873: ISAKMP:(0):Sending an IKE IPv4 Packet.
Sep 30 19:52:48.377: ISAKMP: set new node 923998259 to QM_IDLE
Sep 30 19:52:48.377: ISAKMP:(2015):Sending NOTIFY DPD/R_U_THERE protocol 1
spi 2270256336, message ID = 923998259
Sep 30 19:52:48.377: ISAKMP:(2015): seq. no 0xB5E6F57
Sep 30 19:52:48.377: ISAKMP:(2015): sending packet to XXX.YYY.ZZZ.232 my_port 500 peer_port 500 (R) QM_IDLE
Sep 30 19:52:48.377: ISAKMP:(2015):Sending an IKE IPv4 Packet.
Sep 30 19:52:48.377: ISAKMP:(2015):purging node 923998259
Sep 30 19:52:48.377: ISAKMP:(2015):Input = IKE_MESG_FROM_TIMER, IKE_TIMER_IM_ALIVE
Sep 30 19:52:48.377: ISAKMP:(2015):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Sep 30 19:52:48.417: ISAKMP (2015): received packet from XXX.YYY.ZZZ.232 dport 500 sport 500 Global (R) QM_IDLE
Sep 30 19:52:48.417: ISAKMP: set new node -709724728 to QM_IDLE
Sep 30 19:52:48.417: ISAKMP:(2015): processing HASH payload. message ID = 3585242568
Sep 30 19:52:48.417: ISAKMP:(2015): processing NOTIFY DPD/R_U_THERE_ACK protocol 1
spi 0, message ID = 3585242568, sa = 0x887C5694
Sep 30 19:52:48.417: ISAKMP:(2015): DPD/R_U_THERE_ACK received from peer XXX.YYY.ZZZ.232, sequence 0xB5E6F57
Sep 30 19:52:48.417: ISAKMP:(2015):deleting node -709724728 error FALSE reason "Informational (in) state 1"
Sep 30 19:52:48.417: ISAKMP:(2015):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Sep 30 19:52:48.417: ISAKMP:(2015):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Sep 30 19:52:57.873: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Sep 30 19:52:57.873: ISAKMP (0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
Sep 30 19:52:57.873: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Sep 30 19:52:57.873: ISAKMP:(0): sending packet to THIS.SITE.WORKS.208 my_port 500 peer_port 500 (I) MM_NO_STATE
Sep 30 19:52:57.873: ISAKMP:(0):Sending an IKE IPv4 Packet.
Sep 30 19:53:07.869: IPSEC(key_engine): request timer fired: count = 2,
(identity) local= TTT.UUU.VVV.224:0, remote= THIS.SITE.WORKS.208:0,
local_proxy= 10.60.141.0/255.255.255.0/256/0,
remote_proxy= 172.27.0.0/255.255.255.0/256/0
Sep 30 19:53:07.873: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Sep 30 19:53:07.873: ISAKMP:(0):peer does not do paranoid keepalives.
Sep 30 19:53:07.873: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer THIS.SITE.WORKS.208)
Sep 30 19:53:07.873: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer THIS.SITE.WORKS.208)
Sep 30 19:53:07.873: ISAKMP: Unlocking peer struct 0x89ECDE74 for isadb_mark_sa_deleted(), count 0
Sep 30 19:53:07.873: ISAKMP: Deleting peer node by peer_reap for THIS.SITE.WORKS.208: 89ECDE74
Sep 30 19:53:07.873: ISAKMP:(0):deleting node -899971120 error FALSE reason "IKE deleted"
Sep 30 19:53:07.873: ISAKMP:(0):deleting node -966086895 error FALSE reason "IKE deleted"
Sep 30 19:53:07.873: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Sep 30 19:53:07.873: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_DEST_SA
Sep 30 19:53:07.873: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Sep 30 19:53:14.686: ISAKMP: set new node -1006717167 to QM_IDLE
Sep 30 19:53:14.686: ISAKMP:(2016):Sending NOTIFY DPD/R_U_THERE protocol 1
spi 2270256336, message ID = 3288250129
Sep 30 19:53:14.686: ISAKMP:(2016): seq. no 0xB5E6F58
Sep 30 19:53:14.686: ISAKMP:(2016): sending packet to XXX.YYY.ZZZ.232 my_port 500 peer_port 500 (I) QM_IDLE
Sep 30 19:53:14.686: ISAKMP:(2016):Sending an IKE IPv4 Packet.
Sep 30 19:53:14.686: ISAKMP:(2016):purging node -1006717167
Sep 30 19:53:14.686: ISAKMP:(2016):Input = IKE_MESG_FROM_TIMER, IKE_TIMER_IM_ALIVE
Sep 30 19:53:14.686: ISAKMP:(2016):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Sep 30 19:53:14.726: ISAKMP (2016): received packet from XXX.YYY.ZZZ.232 dport 500 sport 500 Global (I) QM_IDLE
Sep 30 19:53:14.726: ISAKMP: set new node -1460159407 to QM_IDLE
Sep 30 19:53:14.726: ISAKMP:(2016): processing HASH payload. message ID = 2834807889
Sep 30 19:53:14.726: ISAKMP:(2016): processing NOTIFY DPD/R_U_THERE_ACK protocol 1
spi 0, message ID = 2834807889, sa = 0x88D27A8C
Sep 30 19:53:14.726: ISAKMP:(2016): DPD/R_U_THERE_ACK received from peer XXX.YYY.ZZZ.232, sequence 0xB5E6F58
Sep 30 19:53:14.726: ISAKMP:(2016):deleting node -1460159407 error FALSE reason "Informational (in) state 1"
Sep 30 19:53:14.726: ISAKMP:(2016):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Sep 30 19:53:14.726: ISAKMP:(2016):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Sep 30 19:53:32.842: ISAKMP (2016): received packet from XXX.YYY.ZZZ.232 dport 500 sport 500 Global (I) QM_IDLE
Sep 30 19:53:32.842: ISAKMP: set new node -830862528 to QM_IDLE
Sep 30 19:53:32.842: ISAKMP:(2016): processing HASH payload. message ID = 3464104768
Sep 30 19:53:32.842: ISAKMP:(2016): processing NOTIFY DPD/R_U_THERE protocol 1
spi 0, message ID = 3464104768, sa = 0x88D27A8C
Sep 30 19:53:32.842: ISAKMP:(2016):deleting node -830862528 error FALSE reason "Informational (in) state 1"
Sep 30 19:53:32.842: ISAKMP:(2016):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Sep 30 19:53:32.842: ISAKMP:(2016):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Sep 30 19:53:32.842: ISAKMP:(2016):DPD/R_U_THERE received from peer XXX.YYY.ZZZ.232, sequence 0xEA9B2BF
Sep 30 19:53:32.842: ISAKMP: set new node 396837477 to QM_IDLE
Sep 30 19:53:32.842: ISAKMP:(2016):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
spi 2270256376, message ID = 396837477
Sep 30 19:53:32.846: ISAKMP:(2016): seq. no 0xEA9B2BF
Sep 30 19:53:32.846: ISAKMP:(2016): sending packet to XXX.YYY.ZZZ.232 my_port 500 peer_port 500 (I) QM_IDLE
Sep 30 19:53:32.846: ISAKMP:(2016):Sending an IKE IPv4 Packet.
Sep 30 19:53:32.846: ISAKMP:(2016):purging node 396837477
Sep 30 19:53:32.846: ISAKMP:(2016):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
Sep 30 19:53:32.846: ISAKMP:(2016):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Sep 30 19:53:33.690: ISAKMP:(2015):purging node -2093195178
Sep 30 19:53:38.418: ISAKMP:(2015):purging node -709724728
Sep 30 19:53:57.875: ISAKMP:(0):purging node -899971120
Sep 30 19:53:57.875: ISAKMP:(0):purging node -966086895
Sep 30 19:54:04.727: ISAKMP:(2016):purging node -1460159407
Sep 30 19:54:07.875: ISAKMP:(0):purging SA., sa=88D8FC14, delme=88D8FC14
Sep 30 19:54:22.843: ISAKMP:(2016):purging node -830862528
Sep 30 19:57:38.257: ISAKMP (2015): received packet from XXX.YYY.ZZZ.232 dport 500 sport 500 Global (R) QM_IDLE
Sep 30 19:57:38.257: ISAKMP: set new node -1394998553 to QM_IDLE
Sep 30 19:57:38.257: ISAKMP:(2015): processing HASH payload. message ID = 2899968743
Sep 30 19:57:38.257: ISAKMP:(2015): processing NOTIFY DPD/R_U_THERE protocol 1
spi 0, message ID = 2899968743, sa = 0x887C5694
Sep 30 19:57:38.257: ISAKMP:(2015):deleting node -1394998553 error FALSE reason "Informational (in) state 1"
Sep 30 19:57:38.257: ISAKMP:(2015):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Sep 30 19:57:38.257: ISAKMP:(2015):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Sep 30 19:57:38.257: ISAKMP:(2015):DPD/R_U_THERE received from peer XXX.YYY.ZZZ.232, sequence 0xEA9B2C0
Sep 30 19:57:38.257: ISAKMP: set new node -1370278299 to QM_IDLE
Sep 30 19:57:38.257: ISAKMP:(2015):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
spi 2270256376, message ID = 2924688997
Sep 30 19:57:38.257: ISAKMP:(2015): seq. no 0xEA9B2C0
Sep 30 19:57:38.261: ISAKMP:(2015): sending packet to XXX.YYY.ZZZ.232 my_port 500 peer_port 500 (R) QM_IDLE
Sep 30 19:57:38.261: ISAKMP:(2015):Sending an IKE IPv4 Packet.
Sep 30 19:57:38.261: ISAKMP:(2015):purging node -1370278299
Sep 30 19:57:38.261: ISAKMP:(2015):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
Sep 30 19:57:38.261: ISAKMP:(2015):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Sep 30 19:57:40.093: ISAKMP: set new node 1761811813 to QM_IDLE
Sep 30 19:57:40.093: ISAKMP:(2015):Sending NOTIFY DPD/R_U_THERE protocol 1
spi 2270256336, message ID = 1761811813
Sep 30 19:57:40.093: ISAKMP:(2015): seq. no 0xB5E6F59
Sep 30 19:57:40.093: ISAKMP:(2015): sending packet to XXX.YYY.ZZZ.232 my_port 500 peer_port 500 (R) QM_IDLE
Sep 30 19:57:40.093: ISAKMP:(2015):Sending an IKE IPv4 Packet.
Sep 30 19:57:40.093: ISAKMP:(2015):purging node 1761811813
Sep 30 19:57:40.093: ISAKMP:(2015):Input = IKE_MESG_FROM_TIMER, IKE_TIMER_IM_ALIVE
Sep 30 19:57:40.093: ISAKMP:(2015):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Sep 30 19:57:40.133: ISAKMP (2015): received packet from XXX.YYY.ZZZ.232 dport 500 sport 500 Global (R) QM_IDLE
Sep 30 19:57:40.133: ISAKMP: set new node -1986599737 to QM_IDLE
Sep 30 19:57:40.133: ISAKMP:(2015): processing HASH payload. message ID = 2308367559
Sep 30 19:57:40.133: ISAKMP:(2015): processing NOTIFY DPD/R_U_THERE_ACK protocol 1
spi 0, message ID = 2308367559, sa = 0x887C5694
Sep 30 19:57:40.133: ISAKMP:(2015): DPD/R_U_THERE_ACK received from peer XXX.YYY.ZZZ.232, sequence 0xB5E6F59
Sep 30 19:57:40.133: ISAKMP:(2015):deleting node -1986599737 error FALSE reason "Informational (in) state 1"
Sep 30 19:57:40.133: ISAKMP:(2015):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Sep 30 19:57:40.133: ISAKMP:(2015):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Sep 30 19:58:12.413: ISAKMP: set new node 775548616 to QM_IDLE
Sep 30 19:58:12.413: ISAKMP:(2016):Sending NOTIFY DPD/R_U_THERE protocol 1
spi 2270256336, message ID = 775548616
Sep 30 19:58:12.413: ISAKMP:(2016): seq. no 0xB5E6F5A
Sep 30 19:58:12.413: ISAKMP:(2016): sending packet to XXX.YYY.ZZZ.232 my_port 500 peer_port 500 (I) QM_IDLE
Sep 30 19:58:12.413: ISAKMP:(2016):Sending an IKE IPv4 Packet.
Sep 30 19:58:12.413: ISAKMP:(2016):purging node 775548616
Sep 30 19:58:12.413: ISAKMP:(2016):Input = IKE_MESG_FROM_TIMER, IKE_TIMER_IM_ALIVE
Sep 30 19:58:12.413: ISAKMP:(2016):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Sep 30 19:58:12.453: ISAKMP (2016): received packet from XXX.YYY.ZZZ.232 dport 500 sport 500 Global (I) QM_IDLE
Sep 30 19:58:12.453: ISAKMP: set new node -1114220985 to QM_IDLE
Sep 30 19:58:12.453: ISAKMP:(2016): processing HASH payload. message ID = 3180746311
Sep 30 19:58:12.453: ISAKMP:(2016): processing NOTIFY DPD/R_U_THERE_ACK protocol 1
spi 0, message ID = 3180746311, sa = 0x88D27A8C
Sep 30 19:58:12.453: ISAKMP:(2016): DPD/R_U_THERE_ACK received from peer XXX.YYY.ZZZ.232, sequence 0xB5E6F5A
Sep 30 19:58:12.453: ISAKMP:(2016):deleting node -1114220985 error FALSE reason "Informational (in) state 1"
Sep 30 19:58:12.457: ISAKMP:(2016):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Sep 30 19:58:12.457: ISAKMP:(2016):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Sep 30 19:58:28.258: ISAKMP:(2015):purging node -1394998553
Sep 30 19:58:29.050: ISAKMP (2016): received packet from XXX.YYY.ZZZ.232 dport 500 sport 500 Global (I) QM_IDLE
Sep 30 19:58:29.050: ISAKMP: set new node -1513448807 to QM_IDLE
Sep 30 19:58:29.050: ISAKMP:(2016): processing HASH payload. message ID = 2781518489
Sep 30 19:58:29.050: ISAKMP:(2016): processing NOTIFY DPD/R_U_THERE protocol 1
spi 0, message ID = 2781518489, sa = 0x88D27A8C
Sep 30 19:58:29.050: ISAKMP:(2016):deleting node -1513448807 error FALSE reason "Informational (in) state 1"
Sep 30 19:58:29.050: ISAKMP:(2016):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Sep 30 19:58:29.050: ISAKMP:(2016):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Sep 30 19:58:29.050: ISAKMP:(2016):DPD/R_U_THERE received from peer XXX.YYY.ZZZ.232, sequence 0xEA9B2C1
Sep 30 19:58:29.050: ISAKMP: set new node -1856552293 to QM_IDLE
Sep 30 19:58:29.054: ISAKMP:(2016):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
spi 2270256376, message ID = 2438415003
Sep 30 19:58:29.054: ISAKMP:(2016): seq. no 0xEA9B2C1
Sep 30 19:58:29.054: ISAKMP:(2016): sending packet to XXX.YYY.ZZZ.232 my_port 500 peer_port 500 (I) QM_IDLE
Sep 30 19:58:29.054: ISAKMP:(2016):Sending an IKE IPv4 Packet.
Sep 30 19:58:29.054: ISAKMP:(2016):purging node -1856552293
Sep 30 19:58:29.054: ISAKMP:(2016):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
Sep 30 19:58:29.054: ISAKMP:(2016):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Sep 30 19:58:30.134: ISAKMP:(2015):purging node -1986599737
Sep 30 19:59:02.459: ISAKMP:(2016):purging node -1114220985
Sep 30 19:59:19.051: ISAKMP:(2016):purging node -1513448807
Site2#no debug crypto ipsec
Crypto IPSEC debugging is off
Crypto IPSEC (detailed) debugging is off
Site2#no debug crypto isakmp
Crypto ISAKMP debugging is off
Site2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Site2(config)#int fa4
Site2(config-if)#crypto ipsec df-bit clear
Site2(config-if)#exit
Site2(config)#exit
Site2#
Sep 30 20:01:33.779: %SYS-5-CONFIG_I: Configured from console by Administrator on vty0 (10.60.141.158)
Sep 30 20:05:02.328: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Template1, changed state to down
Site2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Site2#
Sep 30 20:08:06.553: %SYS-5-CONFIG_I: Configured from console by Administrator on vty0 (10.60.141.158)
Sep 30 20:08:28.102: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to down
Sep 30 20:08:28.278: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to up
Sep 30 20:08:40.274: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to down
exit
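As an added triage aid (not part of the original post), the following Python groups `debug crypto isakmp` lines in the format quoted above by ISAKMP SA id and flags the three things worth a look in this capture: the Phase 1 that died by retransmission to THIS.SITE.WORKS.208, DPD probes that got no R_U_THERE_ACK, and two IKE SAs to the same peer XXX.YYY.ZZZ.232 (2015 as responder, 2016 as initiator). The sample lines are constructed in the same format, not the real capture.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the "debug crypto isakmp" output above (not the real capture).
SAMPLE_LOG = """\
Sep 30 19:53:07.873: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer THIS.SITE.WORKS.208)
Sep 30 19:53:14.686: ISAKMP:(2016):Sending NOTIFY DPD/R_U_THERE protocol 1
Sep 30 19:53:14.686: ISAKMP:(2016): sending packet to XXX.YYY.ZZZ.232 my_port 500 peer_port 500 (I) QM_IDLE
Sep 30 19:53:14.726: ISAKMP:(2016): DPD/R_U_THERE_ACK received from peer XXX.YYY.ZZZ.232, sequence 0xB5E6F58
Sep 30 19:57:40.093: ISAKMP:(2015):Sending NOTIFY DPD/R_U_THERE protocol 1
Sep 30 19:57:40.093: ISAKMP:(2015): sending packet to XXX.YYY.ZZZ.232 my_port 500 peer_port 500 (R) QM_IDLE
"""

SA_RE = re.compile(r"ISAKMP:\((\d+)\):\s*")                       # every ISAKMP state line carries its SA id
PKT_RE = re.compile(r"(?:sending packet to|received packet from) (\S+) .*\((I|R)\) \S+$")
DEATH_RE = re.compile(r'deleting SA reason "([^"]+)" state \((I|R)\) (\S+) \(peer (\S+)\)')
DPD_SENT_RE = re.compile(r"Sending NOTIFY DPD/R_U_THERE protocol")   # R_U_THERE_ACK does not match this
DPD_ACK_RE = re.compile(r"DPD/R_U_THERE_ACK received from peer (\S+), sequence (0x[0-9A-Fa-f]+)")

def parse_isakmp(log: str) -> dict:
    """Group lines by ISAKMP SA id; record peer, role (I/R), DPD probes sent/acked and SA deaths."""
    sas = defaultdict(lambda: {"peer": None, "roles": set(), "dpd_sent": 0, "dpd_acked": 0})
    deaths = []
    for m in filter(None, map(SA_RE.search, log.splitlines())):   # skips IPSEC/syslog lines
        sa_id, rest = m.group(1), m.string[m.end():]
        if d := DEATH_RE.search(rest):
            deaths.append({"reason": d.group(1), "role": d.group(2), "state": d.group(3), "peer": d.group(4)})
            continue
        sa = sas[sa_id]
        if p := PKT_RE.search(rest):
            sa["peer"], sa["roles"] = p.group(1), sa["roles"] | {p.group(2)}
        if DPD_SENT_RE.search(rest):
            sa["dpd_sent"] += 1
        if a := DPD_ACK_RE.search(rest):
            sa["peer"], sa["dpd_acked"] = a.group(1), sa["dpd_acked"] + 1
    return {"sas": dict(sas), "deaths": deaths}

def findings(parsed: dict) -> list:
    """Triage hints: Phase 1 that never completed, DPD probes left unanswered, two IKE SAs to one peer."""
    out = [f"phase1-failed peer={d['peer']} state={d['state']} reason={d['reason']!r}" for d in parsed["deaths"]]
    by_peer = defaultdict(list)
    for sa_id, sa in parsed["sas"].items():
        by_peer[sa["peer"]].append(sa_id)
        if sa["dpd_sent"] > sa["dpd_acked"]:
            out.append(f"dpd-unanswered sa={sa_id} sent={sa['dpd_sent']} acked={sa['dpd_acked']}")
    for peer, ids in by_peer.items():
        if peer and len(ids) > 1:                       # both ends initiated: one SA is (I), the other (R)
            out.append(f"duplicate-ike-sa peer={peer} sas={sorted(ids)}")
    return out
```

Run it over the full capture (`findings(parse_isakmp(open("debug.txt").read()))`) to see which SA each DPD exchange belongs to before comparing against `show crypto ipsec sa` on both ends.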
09-30-2012 08:12 PM
Hi,
Thanks for the update! Could you play around with the values for these commands and try again?
vlan 1
ip tcp adjust-mss 1300
int f4
ip mtu 1440
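The MTU and MSS values suggested here follow from the ESP tunnel-mode overhead on the link. The Python below is an added worked calculation (not from this thread) using RFC 4303 field sizes for the ESP-3DES-SHA transform set in these configs: it computes the on-wire size of an encapsulated packet and derives the largest inner packet that still fits the path MTU, plus the matching `ip tcp adjust-mss`. A 1500-byte path MTU and no NAT-T (the debug shows port 500, not 4500) are assumptions.

```python
# ESP tunnel-mode sizing for an IOS IPsec tunnel (added example, figures per RFC 4303 / RFC 2451 / RFC 3602).
IPV4_HDR, TCP_HDR, UDP_HDR = 20, 20, 8
ESP_SPI_SEQ, ESP_TRAILER = 8, 2            # SPI + sequence number; pad length + next header
CIPHERS = {"3des": (8, 8), "aes-cbc": (16, 16)}   # cipher -> (IV length, block size)
ICV = {"sha": 12}                                  # HMAC-SHA1-96 truncated ICV

def esp_tunnel_size(inner_len: int, cipher: str = "3des", auth: str = "sha", nat_t: bool = False) -> int:
    """Bytes on the wire for an ESP tunnel-mode packet carrying an inner IP packet of inner_len bytes."""
    iv, block = CIPHERS[cipher]
    enc = inner_len + ESP_TRAILER
    enc += (-enc) % block                      # CBC padding: payload + trailer must fill whole blocks
    outer = IPV4_HDR + (UDP_HDR if nat_t else 0)   # NAT-T adds a UDP/4500 header after the outer IP
    return outer + ESP_SPI_SEQ + iv + enc + ICV[auth]

def max_inner_mtu(path_mtu: int = 1500, **kw) -> int:
    """Largest inner packet that survives encapsulation without fragmentation: a safe 'ip mtu'."""
    inner = path_mtu
    while esp_tunnel_size(inner, **kw) > path_mtu:
        inner -= 1                             # padding makes this step-wise, so search rather than subtract
    return inner

def tcp_mss_for(inner_mtu: int) -> int:
    """Matching 'ip tcp adjust-mss': inner MTU minus IPv4 and TCP headers without options."""
    return inner_mtu - IPV4_HDR - TCP_HDR

if __name__ == "__main__":
    for kw in ({}, {"cipher": "aes-cbc"}, {"nat_t": True}):
        mtu = max_inner_mtu(**kw)
        print(f"{kw or '3des/sha, no NAT-T'}: ip mtu {mtu}, ip tcp adjust-mss {tcp_mss_for(mtu)}")
```

For 3DES/SHA without NAT-T the limit is an inner MTU of 1446 (MSS 1406), so `ip mtu 1440` and `ip tcp adjust-mss 1300` both sit below it; note that `ip mtu` on the WAN interface also applies to cleartext traffic, which is why Internet speed suffers at small values.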
09-30-2012 09:08 PM
Good evening
I tried setting the MTU on int fa4 down as low as 1300 in several resizing steps. Basically, down at 1300 MTU the Internet speed was unusable, but with no change.
On Vlan1 I played with the adjust-mss settings, but again with no change.
I will be out of town for the next few days so likely won't be able to troubleshoot much Monday and Tuesday.
Have a good one and thanks again.