isakmp state MM_NO_STATE troubleshooting

AbdiMreza
Level 1

hi

up and down crypto

 

isakmp state MM_NO_STATE troubleshooting

------------------------------------------------------------------

Description UP and DOWN IPSec (Crypto)

------------------------------------------------------------------

*May 18 04:20:53.404: Crypto mapdb : proxy_match
        src addr     : 192.168.10.30
        dst addr     : 192.168.10.40
        protocol     : 47
        src port     : 0
        dst port     : 0
*May 18 04:20:53.404: ISAKMP:(0:8:SW:1): processing NONCE payload. message ID = 2083290255
*May 18 04:20:53.404: ISAKMP:(0:8:SW:1): processing ID payload. message ID = 2083290255
*May 18 04:20:53.404: ISAKMP:(0:8:SW:1): processing ID payload. message ID = 2083290255
*May 18 04:20:53.404: ISAKMP:(0:8:SW:1): asking for 1 spis from ipsec
*May 18 04:20:53.404: ISAKMP:(0:8:SW:1):Node 2083290255, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*May 18 04:20:53.404: ISAKMP:(0:8:SW:1):Old State = IKE_QM_READY  New State = IKE_QM_SPI_STARVE
*May 18 04:20:53.404: IPSEC(key_engine): got a queue event with 1 kei messages
*May 18 04:20:53.404: IPSEC(spi_response): getting spi 366915434 for SA
        from 192.168.10.30 to 192.168.10.40 for prot 3
*May 18 04:20:53.408: ISAKMP: received ke message (2/1)
*May 18 04:20:53.408: ISAKMP: Locking peer struct 0x46770744, IPSEC refcount 1 for for stuff_ke
*May 18 04:20:53.408: ISAKMP:(0:8:SW:1): Creating IPSec SAs
*May 18 04:20:53.408:         inbound SA from 192.168.10.40 to 192.168.10.30 (f/i)  0/ 0
        (proxy 192.168.10.40 to 192.168.10.30)
*May 18 04:20:53.408:         has spi 0x15DEAF6A and conn_id 0 and flags 2
*May 18 04:20:53.408:         lifetime of 84000 seconds
*May 18 04:20:53.408:         lifetime of 4608000 kilobytes
*May 18 04:20:53.408:         has client flags 0x0
*May 18 04:20:53.408:         outbound SA from 192.168.10.30 to 192.168.10.40 (f/i) 0/0
        (proxy 192.168.10.30 to 192.168.10.40)
*May 18 04:20:53.408:         has spi 1116270960 and conn_id 0 and flags A
*May 18 04:20:53.408:         lifetime of 84000 seconds
*May 18 04:20:53.408:         lifetime of 4608000 kilobytes
*May 18 04:20:53.408:         has client flags 0x0
*May 18 04:20:53.412: ISAKMP:(0:8:SW:1): sending packet to 192.168.10.40 my_port 500 peer_port 500 (R) QM_IDLE
*May 18 04:20:53.412: ISAKMP:(0:8:SW:1):Node 2083290255, Input = IKE_MESG_FROM_IPSEC, IKE_SPI_REPLY
*May 18 04:20:53.412: ISAKMP:(0:8:SW:1):Old State = IKE_QM_SPI_STARVE  New State = IKE_QM_R_QM2
*May 18 04:20:53.412: IPSEC(key_engine): got a queue event with 2 kei messages
*May 18 04:20:53.412: IPSEC(initialize_sas): ,
  (key eng. msg.) INBOUND local= 192.168.10.30, remote= 192.168.10.40,
    local_proxy= 192.168.10.30/0.0.0.0/47/0 (type=1),
    remote_proxy= 192.168.10.40/0.0.0.0/47/0 (type=1),
    protocol= ESP, transform= esp-3des esp-sha-hmac  (Tunnel),
    lifedur= 84000s and 4608000kb,
    spi= 0x15DEAF6A(366915434), conn_id= 0, keysize= 0, flags= 0x2
*May 18 04:20:53.412: IPSEC(initialize_sas): ,
  (key eng. msg.) OUTBOUND local= 192.168.10.30, remote= 192.168.10.40,
    local_proxy= 192.168.10.30/0.0.0.0/47/0 (type=1),
    remote_proxy= 192.168.10.40/0.0.0.0/47/0 (type=1),
    protocol= ESP, transform= esp-3des esp-sha-hmac  (Tunnel),
    lifedur= 84000s and 4608000kb,
    spi= 0x4288F170(1116270960), conn_id= 0, keysize= 0, flags= 0xA
*May 18 04:20:53.412: Crypto mapdb : proxy_match
        src addr     : 192.168.10.30
        dst addr     : 192.168.10.40
        protocol     : 47
        src port     : 0
        dst port     : 0
*May 18 04:20:53.412: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and 192.168.10.40
*May 18 04:20:53.412: IPSec: Flow_switching Allocated flow for sibling 80000009
*May 18 04:20:53.412: IPSEC(policy_db_add_ident): src 192.168.10.30, dest 192.168.10.40, dest_port 0

*May 18 04:20:53.412: ISAKMP: Locking peer struct 0x46770744, IPSEC refcount 2 for from create_transforms
*May 18 04:20:53.412: IPSEC(create_sa): sa created,
  (sa) sa_dest= 192.168.10.30, sa_proto= 50,
    sa_spi= 0x15DEAF6A(366915434),
    sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 3002
*May 18 04:20:53.412: IPSEC(create_sa): sa created,
  (sa) sa_dest= 192.168.10.40, sa_proto= 50,
    sa_spi= 0x4288F170(1116270960),
    sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 3001
*May 18 04:20:53.416: ISAKMP: Unlocking IPSEC struct 0x46770744 from create_transforms, count 1
*May 18 04:20:53.420: ISAKMP (0:134217736): received packet from 192.168.10.40 dport 500 sport 500 Global (R) QM_IDLE
*May 18 04:20:53.420: ISAKMP:(0:8:SW:1):deleting node 2083290255 error FALSE reason "QM done (await)"
*May 18 04:20:53.420: ISAKMP:(0:8:SW:1):Node 2083290255, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*May 18 04:20:53.420: ISAKMP:(0:8:SW:1):Old State = IKE_QM_R_QM2  New State = IKE_QM_PHASE2_COMPLETE
*May 18 04:20:53.424: IPSEC(key_engine): got a queue event with 1 kei messages
*May 18 04:20:53.424: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
*May 18 04:20:53.424: IPSEC(key_engine_enable_outbound): enable SA with spi 1116270960/50
*May 18 04:21:38.484: ISAKMP:(0:7:SW:1):purging SA., sa=467B15DC, delme=467B15DC
*May 18 04:21:43.420: ISAKMP:(0:8:SW:1):purging node 2083290255

*May 18 04:22:40.320: IPSEC(delete_sa): deleting SA,
  (sa) sa_dest= 192.168.10.30, sa_proto= 50,
    sa_spi= 0x15DEAF6A(366915434),
    sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 3002,
  (identity) local= 192.168.10.30, remote= 192.168.10.40,
    local_proxy= 192.168.10.30/255.255.255.255/47/0 (type=1),
    remote_proxy= 192.168.10.40/255.255.255.255/47/0 (type=1)
*May 18 04:22:40.320: IPSEC(add_sa): have new SAs -- expire existing in 30 sec.,
  (sa) sa_dest= 192.168.10.40, sa_proto= 50,
    sa_spi= 0x4288F170(1116270960),
    sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 3001,
  (identity) local= 192.168.10.30, remote= 192.168.10.40,
    local_proxy= 192.168.10.30/255.255.255.255/47/0 (type=1),
    remote_proxy= 192.168.10.40/255.255.255.255/47/0 (type=1)
*May 18 04:22:40.320: IPSEC(delete_sa): deleting SA,
  (sa) sa_dest= 192.168.10.40, sa_proto= 50,
    sa_spi= 0x4288F170(1116270960),
    sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 3001,
  (identity) local= 192.168.10.30, remote= 192.168.10.40,
    local_proxy= 192.168.10.30/255.255.255.255/47/0 (type=1),
    remote_proxy= 192.168.10.40/255.255.255.255/47/0 (type=1)
*May 18 04:22:40.320: IPSec: Flow_switching Deallocated flow for sibling 80000009
*May 18 04:22:40.320: ISAKMP: Unlocking IPSEC struct 0x46770744 from delete_siblings, count 0
*May 18 04:22:40.324: ISAKMP: received ke message (3/1)
*May 18 04:22:40.324: ISAKMP: set new node 639087800 to QM_IDLE
*May 18 04:22:40.324: ISAKMP:(0:8:SW:1): sending packet to 192.168.10.40 my_port 500 peer_port 500 (R) QM_IDLE
*May 18 04:22:40.324: ISAKMP:(0:8:SW:1):purging node 639087800
*May 18 04:22:40.324: ISAKMP:(0:8:SW:1):Input = IKE_MESG_FROM_IPSEC, IKE_PHASE2_DEL
*May 18 04:22:40.324: ISAKMP:(0:8:SW:1):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

*May 18 04:22:40.324: ISAKMP: received ke message (3/1)
*May 18 04:22:40.324: ISAKMP:(0:8:SW:1):peer does not do paranoid keepalives.

*May 18 04:22:40.324: ISAKMP:(0:8:SW:1):deleting SA reason "P1 delete notify (in)" state (R) QM_IDLE       (peer 192.168.10.40)
*May 18 04:22:40.328: ISAKMP: set new node 287995127 to QM_IDLE
*May 18 04:22:40.328: ISAKMP:(0:8:SW:1): sending packet to 192.168.10.40 my_port 500 peer_port 500 (R) QM_IDLE
*May 18 04:22:40.328: ISAKMP:(0:8:SW:1):purging node 287995127
*May 18 04:22:40.328: ISAKMP:(0:8:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*May 18 04:22:40.328: ISAKMP:(0:8:SW:1):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA

*May 18 04:22:40.328: ISAKMP:(0:8:SW:1):deleting SA reason "No reason" state (R) QM_IDLE       (peer 192.168.10.40)
*May 18 04:22:40.328: ISAKMP: Unlocking IKE struct 0x46770744 for isadb_mark_sa_deleted(), count 0
*May 18 04:22:40.328: ISAKMP: Deleting peer node by peer_reap for 192.168.10.40: 46770744
*May 18 04:22:40.332: ISAKMP:(0:8:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*May 18 04:22:40.332: ISAKMP:(0:8:SW:1):Old State = IKE_DEST_SA  New State = IKE_DEST_SA

*May 18 04:22:40.332: IPSEC(key_engine): got a queue event with 1 kei messages


Richard Burts
Hall of Fame

It is difficult to determine the cause of this problem but my guess is that there is some mismatch between the two configurations. Could you post the appropriate parts of the configuration from both peer devices? Especially we would need the crypto maps and the crypto access lists.

 

HTH

 

Rick
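
A triage helper for debug output like the one posted above, added here as an example (it is not code from either poster or from Cisco). It folds continuation lines into their timestamped record, then extracts SA create/delete events, state transitions, teardown reasons and negotiated lifetimes, so the time an SA actually lived can be compared with what was negotiated. The sample lines are copied from the post; the function names and the placeholder year are assumptions.

```python
import re
from datetime import datetime

# Constructed sample: selected lines copied from the debug output posted above.
SAMPLE = '''\
*May 18 04:20:53.408:         lifetime of 84000 seconds
*May 18 04:20:53.412: IPSEC(create_sa): sa created,
  (sa) sa_dest= 192.168.10.30, sa_proto= 50,
    sa_spi= 0x15DEAF6A(366915434),
*May 18 04:22:40.320: IPSEC(delete_sa): deleting SA,
  (sa) sa_dest= 192.168.10.30, sa_proto= 50,
    sa_spi= 0x15DEAF6A(366915434),
*May 18 04:22:40.324: ISAKMP:(0:8:SW:1):deleting SA reason "P1 delete notify (in)" state (R) QM_IDLE       (peer 192.168.10.40)
*May 18 04:22:40.328: ISAKMP:(0:8:SW:1):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA
'''

STAMP = re.compile(r'^\*(\w{3} +\d+ [\d:.]+): (.*)$')
PATTERNS = [
    ('sa', re.compile(r'IPSEC\((create_sa|delete_sa)\).*?sa_spi= (0x[0-9A-Fa-f]+)', re.S)),
    ('state', re.compile(r'Old State = (\S+)\s+New State = (\S+)')),
    ('teardown', re.compile(r'deleting SA reason "([^"]*)"')),
    ('lifetime', re.compile(r'lifetime of (\d+) seconds')),
]

def records(text):
    """Fold continuation lines into their timestamped record (the log has no year; 2000 is a placeholder)."""
    out = []
    for line in text.splitlines():
        m = STAMP.match(line)
        if m:
            ts = datetime.strptime('2000 ' + m.group(1), '%Y %b %d %H:%M:%S.%f')
            out.append([ts, m.group(2)])
        elif out and line.strip():
            out[-1][1] += '\n' + line
    return out

def events(text):
    """Return (timestamp, kind, fields) for every record that matches one of PATTERNS."""
    return [(ts, kind, m.groups()) for ts, body in records(text)
            for kind, rx in PATTERNS if (m := rx.search(body))]

def sa_lifetimes(text):
    """Seconds between create_sa and delete_sa for each SPI seen in the log."""
    created, lived = {}, {}
    for ts, kind, f in events(text):
        if kind == 'sa' and f[0] == 'create_sa':
            created[f[1]] = ts
        elif kind == 'sa' and f[1] in created:
            lived[f[1]] = (ts - created[f[1]]).total_seconds()
    return lived
```

On the sample, SPI 0x15DEAF6A lives about 107 seconds against a negotiated lifetime of 84000 seconds, and the teardown reason logged is "P1 delete notify (in)".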
