cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2225
Views
0
Helpful
7
Replies

881 VPN fails after 24hrs/IKE key lifetime

Hi all,

This is my first post on the support forms and I only just got my CCNA, so please bear with me and don't shoot me if I pose a slightly newbish perspective on things. Thanks in advance.       

We've got a central office (actually quite small) where several IPSec connections connect to. Two of these connections are Cisco 881 routers. One of them works fine, the other craps out after 24 hours (coincidentally also the IKE key lifetime). When I mean "craps out", it means the VPN worked fine from the get go, until 24 hours later. Only a reload will bring back the VPN tunnel. I've verified my PFS and DPD configurations are solid, because these kind of symptoms would most likely occur when these configurations aren't in order.

The two 881 configurations are quite similar. The only differences between the two are some details in the PPPoE configurations and (quite obviously) the IP address space for the two sites. Both operate on the premise of a point to point connection (no multipoint stuff going on here).

I have examined all I can. It took me two weeks to make sure I exhausted all my options before I post my issue here.

Here is a brief list of things I've done.

- Checked configuration of central router (which is a Mikrotik RB800 btw)

- Verified that the central router is not the cause of the VPN not coming back. Rebooted it as a last resort; VPN stays down. Rebooted 881, VPN comes back.

- I've downgraded the 881 firmware image from version 152.4.M2 to 151.4.M4 (the succesful 881 was running the 151.4.M4 image, and I found some Ipsec issues in the caveat for version 152.4.M2), but to no avail.

- I've tried to clear several crypto components hoping to restore key exchanging, also to no avail. Only a reload will suffice.

I've included the 881's config:

                

Building configuration...

Current configuration : 7795 bytes
!
! Last configuration change at 15:37:50 Paris Tue May 28 2013 by admin
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname <<removed>>
!
boot-start-marker
boot system flash c880data-universalk9-mz.151-4.M4.bin
boot-end-marker
!
!
logging buffered 102400
enable secret 4 <<removed>>
!
no aaa new-model
memory-size iomem 10
clock timezone Paris 1 0
clock summer-time Paris date Mar 30 2003 2:00 Oct 26 2003 3:00
crypto pki token default removal timeout 0
!

no ip source-route
!
!
!
ip dhcp excluded-address 192.168.4.1 192.168.4.9
ip dhcp excluded-address 192.168.4.199 192.168.4.254
!
ip dhcp pool Main
network 192.168.4.0 255.255.255.0
dns-server 192.168.4.250 8.8.4.4
default-router 192.168.4.250
lease infinite
!
!
ip cef
ip domain lookup source-interface Dialer1
ip domain name <<removed>>
ip name-server 8.8.4.4
ip name-server 192.168.58.199
no ipv6 cef
!
!
password encryption aes

!
!
object-group network SUBNET_DUITSLAND
description Hele subnet IC Duitsland
192.168.4.0 255.255.255.0
!
object-group network SUBNET_IC_ARNHEM
description Hele subnet IC Arnhem
192.168.58.0 255.255.255.0
!
object-group network WAN_IC_ARNHEM
description Het WAN IP adres van IC Arnhem
host <<removed>>
!
vtp mode transparent
username <<removed>> privilege 15 view root secret 4 <<removed>>
!
!
!
!
!
class-map type inspect match-all sdm-cls-VPNOutsideToInside-1
match access-group 102
class-map type inspect match-all sdm-cls-VPNOutsideToInside-2
match access-group 105
class-map type inspect match-all ccp-cls--1
match access-group name Outgoing
class-map type inspect match-all ccp-cls--2
match access-group name Incoming
!
!
policy-map type inspect ccp-policy-ccp-cls--1
class type inspect ccp-cls--1
  pass
class class-default
  drop
policy-map type inspect ccp-policy-ccp-cls--2
class type inspect ccp-cls--2
  pass
class type inspect sdm-cls-VPNOutsideToInside-1
  inspect
class type inspect sdm-cls-VPNOutsideToInside-2
  inspect
class class-default
  drop
!
zone security Inside
zone security Outside
zone-pair security sdm-zp-Inside-Outside source Inside destination Outside
service-policy type inspect ccp-policy-ccp-cls--1
zone-pair security sdm-zp-Outside-Inside source Outside destination Inside
service-policy type inspect ccp-policy-ccp-cls--2
!
crypto logging ezvpn
!
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 5
crypto isakmp key <<removed>> address <<removed>>
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10 periodic
!
crypto ipsec security-association lifetime seconds 28800
!
crypto ipsec transform-set ESP-AES256-SHA esp-aes esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to CO
set peer <<removed>>
set transform-set ESP-AES256-SHA
set pfs group5
match address 104
!
!
!
!
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface FastEthernet4
description DeutscheTelekom$ETH-WAN$
no ip address
duplex auto
speed auto
pppoe-client dial-pool-number 1
!
interface Vlan1
description $FW_INSIDE$
ip address 192.168.4.250 255.255.255.0
ip mask-reply
ip nat inside
ip virtual-reassembly in
zone-member security Inside
ip tcp adjust-mss 1412
!
interface Dialer1
description $FW_OUTSIDE$
mtu 1492
ip address negotiated
ip nat outside
ip virtual-reassembly in
zone-member security Outside
encapsulation ppp
no ip route-cache
dialer pool 1
dialer-group 1
ppp authentication pap callin
ppp chap hostname <<removed>>
ppp chap password 7 <<removed>>
ppp pap sent-username <<removed>> password 7 <<removed>>
ppp ipcp dns request
ppp ipcp address accept
crypto map SDM_CMAP_1
!
ip forward-protocol nd
no ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
!
ip nat inside source route-map SDM_RMAP_1 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1 permanent
!
ip access-list extended Incoming
remark CCP_ACL Category=128
permit ip any object-group SUBNET_DUITSLAND
ip access-list extended Outgoing
remark CCP_ACL Category=128
permit ip object-group SUBNET_DUITSLAND any
ip access-list extended SDM_HTTPS
remark CCP_ACL Category=1
permit tcp any any eq 443
ip access-list extended SDM_SHELL
remark CCP_ACL Category=1
permit tcp any any eq cmd
ip access-list extended SDM_SSH
remark CCP_ACL Category=1
permit tcp any any eq 22
!
no logging trap
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.4.0 0.0.0.255
access-list 2 permit <<removed>>
access-list 2 remark Auto generated by SDM Management Access feature
access-list 2 remark CCP_ACL Category=1
access-list 2 permit 192.168.4.0 0.0.0.255
access-list 2 permit 192.168.58.0 0.0.0.255
access-list 101 remark Auto generated by SDM Management Access feature
access-list 101 remark CCP_ACL Category=1
access-list 101 permit ip 192.168.4.0 0.0.0.255 any
access-list 101 permit ip host <<removed>> any
access-list 101 permit ip 192.168.58.0 0.0.0.255 any
access-list 102 remark CCP_ACL Category=0
access-list 102 permit ip 192.168.58.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 103 remark CCP_ACL Category=2
access-list 103 remark IPSec Rule
access-list 103 deny   ip 192.168.4.0 0.0.0.255 192.168.58.0 0.0.0.255
access-list 103 permit ip 192.168.4.0 0.0.0.255 any
access-list 104 remark CCP_ACL Category=4
access-list 104 remark IPSec Rule
access-list 104 permit ip 192.168.4.0 0.0.0.255 192.168.58.0 0.0.0.255
access-list 105 remark CCP_ACL Category=0
access-list 105 permit ip 192.168.58.0 0.0.0.255 192.168.4.0 0.0.0.255
dialer-list 1 protocol ip permit
!
!
!
!
route-map SDM_RMAP_1 permit 1
match ip address 103
!
!
line con 0
line aux 0
line vty 0 4
access-class 101 in
privilege level 15
password 7 <<removed>>
login local
transport input ssh
!
ntp update-calendar
ntp server de.pool.ntp.org prefer
end

Also, I have some ISAKMP debug output (when the VPN fails, I can still reach the router via the internet):

.May 29 08:31:22.848: ISAKMP:(0): ignoring request to send delete notify (sa not authenticated) src <<remote office WAN IP>> dst <<central office WAN IP>>
.May 29 08:31:28.848: ISAKMP:(0): ignoring request to send delete notify (sa not authenticated) src <<remote office WAN IP>> dst <<central office WAN IP>>
.May 29 08:31:30.016: ISAKMP: set new node 0 to QM_IDLE
.May 29 08:31:30.016: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local <<remote office WAN IP>>, remote <<central office WAN IP>>)
.May 29 08:31:30.016: ISAKMP: Error while processing SA request: Failed to initialize SA
.May 29 08:31:30.016: ISAKMP: Error while processing KMI message 0, error 2.
.May 29 08:31:30.016: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
.May 29 08:31:30.016: ISAKMP (0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
.May 29 08:31:30.016: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
.May 29 08:31:30.016: ISAKMP:(0): sending packet to <<central office WAN IP>> my_port 500 peer_port 500 (I) MM_NO_STATE
.May 29 08:31:30.016: ISAKMP:(0):Sending an IKE IPv4 Packet.
.May 29 08:31:34.848: ISAKMP:(0): ignoring request to send delete notify (sa not authenticated) src <<remote office WAN IP>> dst <<central office WAN IP>>
.May 29 08:31:40.016: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
.May 29 08:31:40.016: ISAKMP (0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
.May 29 08:31:40.016: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
.May 29 08:31:40.016: ISAKMP:(0): sending packet to <<central office WAN IP>> my_port 500 peer_port 500 (I) MM_NO_STATE
.May 29 08:31:40.016: ISAKMP:(0):Sending an IKE IPv4 Packet.
.May 29 08:31:40.844: ISAKMP:(0): ignoring request to send delete notify (sa not authenticated) src <<remote office WAN IP>> dst <<central office WAN IP>>
.May 29 08:31:46.380: ISAKMP:(0):purging node 297623767
.May 29 08:31:46.380: ISAKMP:(0):purging node -1266458641
.May 29 08:31:46.452: ISAKMP:(0): ignoring request to send delete notify (sa not authenticated) src <<remote office WAN IP>> dst <<central office WAN IP>>
.May 29 08:31:49.848: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<<remote office WAN IP>>, prot=50, spi=0xCF8BD5F3(3482047987), srcaddr=<<central office WAN IP>>, input interface=Dialer1
.May 29 08:31:50.016: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
.May 29 08:31:50.016: ISAKMP (0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
.May 29 08:31:50.016: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
.May 29 08:31:50.016: ISAKMP:(0): sending packet to <<central office WAN IP>> my_port 500 peer_port 500 (I) MM_NO_STATE
.May 29 08:31:50.016: ISAKMP:(0):Sending an IKE IPv4 Packet.
.May 29 08:31:52.845: ISAKMP:(0): ignoring request to send delete notify (sa not authenticated) src <<remote office WAN IP>> dst <<central office WAN IP>>
.May 29 08:31:56.381: ISAKMP:(0):purging SA., sa=874CF15C, delme=874CF15C
.May 29 08:31:58.849: ISAKMP:(0): ignoring request to send delete notify (sa not authenticated) src <<remote office WAN IP>> dst <<central office WAN IP>>
.May 29 08:32:00.017: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
.May 29 08:32:00.017: ISAKMP:(0):peer does not do paranoid keepalives.

.May 29 08:32:00.017: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer <<central office WAN IP>>)
.May 29 08:32:00.017: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer <<central office WAN IP>>)
.May 29 08:32:00.017: ISAKMP: Unlocking peer struct 0x874792E0 for isadb_mark_sa_deleted(), count 0
.May 29 08:32:00.017: ISAKMP: Deleting peer node by peer_reap for <<central office WAN IP>>: 874792E0
.May 29 08:32:00.017: ISAKMP:(0):deleting node -118750948 error FALSE reason "IKE deleted"
.May 29 08:32:00.017: ISAKMP:(0):deleting node -1193365643 error FALSE reason "IKE deleted"
.May 29 08:32:00.017: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
.May 29 08:32:00.017: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_DEST_SA

.May 29 08:32:02.037: ISAKMP:(0): SA request profile is (NULL)
.May 29 08:32:02.037: ISAKMP: Created a peer struct for <<central office WAN IP>>, peer port 500
.May 29 08:32:02.037: ISAKMP: New peer created peer = 0x875BF6B8 peer_handle = 0x8000000A
.May 29 08:32:02.037: ISAKMP: Locking peer struct 0x875BF6B8, refcount 1 for isakmp_initiator
.May 29 08:32:02.037: ISAKMP: local port 500, remote port 500
.May 29 08:32:02.037: ISAKMP: set new node 0 to QM_IDLE
.May 29 08:32:02.037: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 85C6B420
.May 29 08:32:02.037: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
.May 29 08:32:02.037: ISAKMP:(0):found peer pre-shared key matching <<central office WAN IP>>
.May 29 08:32:02.037: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
.May 29 08:32:02.041: ISAKMP:(0): constructed NAT-T vendor-07 ID
.May 29 08:32:02.041: ISAKMP:(0): constructed NAT-T vendor-03 ID
.May 29 08:32:02.041: ISAKMP:(0): constructed NAT-T vendor-02 ID
.May 29 08:32:02.041: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
.May 29 08:32:02.041: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1

.May 29 08:32:02.041: ISAKMP:(0): beginning Main Mode exchange
.May 29 08:32:02.041: ISAKMP:(0): sending packet to <<central office WAN IP>> my_port 500 peer_port 500 (I) MM_NO_STATE
.May 29 08:32:02.041: ISAKMP:(0):Sending an IKE IPv4 Packet.
.May 29 08:32:04.849: ISAKMP:(0): ignoring request to send delete notify (sa not authenticated) src <<remote office WAN IP>> dst <<central office WAN IP>>
.May 29 08:32:10.845: ISAKMP:(0): ignoring request to send delete notify (sa not authenticated) src <<remote office WAN IP>> dst <<central office WAN IP>>
.May 29 08:32:12.041: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
.May 29 08:32:12.041: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
.May 29 08:32:12.041: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
.May 29 08:32:12.041: ISAKMP:(0): sending packet to <<central office WAN IP>> my_port 500 peer_port 500 (I) MM_NO_STATE
.May 29 08:32:12.041: ISAKMP:(0):Sending an IKE IPv4 Packet.
.May 29 08:32:16.845: ISAKMP:(0): ignoring request to send delete notify (sa not authenticated) src <<remote office WAN IP>> dst <<central office WAN IP>>
.May 29 08:32:22.041: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
.May 29 08:32:22.041: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
.May 29 08:32:22.041: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
.May 29 08:32:22.041: ISAKMP:(0): sending packet to <<central office WAN IP>> my_port 500 peer_port 500 (I) MM_NO_STATE
.May 29 08:32:22.041: ISAKMP:(0):Sending an IKE IPv4 Packet.
.May 29 08:32:22.449: ISAKMP:(0): ignoring request to send delete notify (sa not authenticated) src <<remote office WAN IP>> dst <<central office WAN IP>>
.May 29 08:32:28.846: ISAKMP:(0): ignoring request to send delete notify (sa not authenticated) src <<remote office WAN IP>> dst <<central office WAN IP>>
.May 29 08:32:32.038: ISAKMP: set new node 0 to QM_IDLE
.May 29 08:32:32.038: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local <<remote office WAN IP>>, remote <<central office WAN IP>>)
.May 29 08:32:32.038: ISAKMP: Error while processing SA request: Failed to initialize SA
.May 29 08:32:32.038: ISAKMP: Error while processing KMI message 0, error 2.
.May 29 08:32:32.042: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
.May 29 08:32:32.042: ISAKMP (0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
.May 29 08:32:32.042: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
.May 29 08:32:32.042: ISAKMP:(0): sending packet to <<central office WAN IP>> my_port 500 peer_port 500 (I) MM_NO_STATE
.May 29 08:32:32.042: ISAKMP:(0):Sending an IKE IPv4 Packet.
.May 29 08:32:34.846: ISAKMP:(0): ignoring request to send delete notify (sa not authenticated) src <<remote office WAN IP>> dst <<central office WAN IP>>
.May 29 08:32:40.846: ISAKMP:(0): ignoring request to send delete notify (sa not authenticated) src <<remote office WAN IP>> dst <<central office WAN IP>>
.May 29 08:32:42.042: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
.May 29 08:32:42.042: ISAKMP (0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
.May 29 08:32:42.042: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
.May 29 08:32:42.042: ISAKMP:(0): sending packet to <<central office WAN IP>> my_port 500 peer_port 500 (I) MM_NO_STATE
.May 29 08:32:42.042: ISAKMP:(0):Sending an IKE IPv4 Packet.
.May 29 08:32:46.846: ISAKMP:(0): ignoring request to send delete notify (sa not authenticated) src <<remote office WAN IP>> dst <<central office WAN IP>>
.May 29 08:32:50.018: ISAKMP:(0):purging node -118750948
.May 29 08:32:50.018: ISAKMP:(0):purging node -1193365643
.May 29 08:32:51.346: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<<remote office WAN IP>>, prot=50, spi=0xCF8BD5F3(3482047987), srcaddr=<<central office WAN IP>>, input interface=Dialer1
.May 29 08:32:52.042: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
.May 29 08:32:52.042: ISAKMP (0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
.May 29 08:32:52.042: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
.May 29 08:32:52.042: ISAKMP:(0): sending packet to <<central office WAN IP>> my_port 500 peer_port 500 (I) MM_NO_STATE
.May 29 08:32:52.042: ISAKMP:(0):Sending an IKE IPv4 Packet.
.May 29 08:32:52.846: ISAKMP:(0): ignoring request to send delete notify (sa not authenticated) src <<remote office WAN IP>> dst <<central office WAN IP>>
.May 29 08:32:58.847: ISAKMP:(0): ignoring request to send delete notify (sa not authenticated) src <<remote office WAN IP>> dst <<central office WAN IP>>
.May 29 08:33:00.019: ISAKMP:(0):purging SA., sa=875BE8B8, delme=875BE8B8
.May 29 08:33:02.043: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
.May 29 08:33:02.043: ISAKMP:(0):peer does not do paranoid keepalives.

.May 29 08:33:02.043: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer <<central office WAN IP>>)
.May 29 08:33:02.043: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer <<central office WAN IP>>)
.May 29 08:33:02.043: ISAKMP: Unlocking peer struct 0x875BF6B8 for isadb_mark_sa_deleted(), count 0
.May 29 08:33:02.043: ISAKMP: Deleting peer node by peer_reap for <<central office WAN IP>>: 875BF6B8
.May 29 08:33:02.043: ISAKMP:(0):deleting node 1839947115 error FALSE reason "IKE deleted"
.May 29 08:33:02.043: ISAKMP:(0):deleting node -1221586275 error FALSE reason "IKE deleted"
.May 29 08:33:02.043: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
.May 29 08:33:02.043: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_DEST_SA

.May 29 08:33:02.455: ISAKMP:(0): SA request profile is (NULL)
.May 29 08:33:02.455: ISAKMP: Created a peer struct for <<central office WAN IP>>, peer port 500
.May 29 08:33:02.455: ISAKMP: New peer created peer = 0x874792E0 peer_handle = 0x8000000B
.May 29 08:33:02.455: ISAKMP: Locking peer struct 0x874792E0, refcount 1 for isakmp_initiator
.May 29 08:33:02.455: ISAKMP: local port 500, remote port 500
.May 29 08:33:02.455: ISAKMP: set new node 0 to QM_IDLE
.May 29 08:33:02.455: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 87060E68
.May 29 08:33:02.455: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
.May 29 08:33:02.455: ISAKMP:(0):found peer pre-shared key matching <<central office WAN IP>>
.May 29 08:33:02.455: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
.May 29 08:33:02.455: ISAKMP:(0): constructed NAT-T vendor-07 ID
.May 29 08:33:02.455: ISAKMP:(0): constructed NAT-T vendor-03 ID
.May 29 08:33:02.455: ISAKMP:(0): constructed NAT-T vendor-02 ID
.May 29 08:33:02.455: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
.May 29 08:33:02.455: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1

.May 29 08:33:02.455: ISAKMP:(0): beginning Main Mode exchange
.May 29 08:33:02.455: ISAKMP:(0): sending packet to <<central office WAN IP>> my_port 500 peer_port 500 (I) MM_NO_STATE
.May 29 08:33:02.455: ISAKMP:(0):Sending an IKE IPv4 Packet.
.May 29 08:33:04.847: ISAKMP:(0): ignoring request to send delete notify (sa not authenticated) src <<remote office WAN IP>> dst <<central office WAN IP>>ndebug crypto isakmp
.May 29 08:33:10.847: ISAKMP:(0): ignoring request to send delete notify (sa not authenticated) src <<remote office WAN IP>> dst <<central office WAN IP>>o debug crypto isakmp
Crypto ISAKMP debugging is off
IC-Deutschland#
.May 29 08:33:12.455: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
.May 29 08:33:12.455: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
.May 29 08:33:12.455: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
.May 29 08:33:12.455: ISAKMP:(0): sending packet to <<central office WAN IP>> my_port 500 peer_port 500 (I) MM_NO_STATE
.May 29 08:33:12.455: ISAKMP:(0):Sending an IKE IPv4 Packet.

Can anyone shed some light as what could be going on?

Much obliged!

Everyone's tags (5)
7 REPLIES 7
Highlighted
Beginner

881 VPN fails after 24hrs/IKE key lifetime

I saw something once very similar on an ASA once. The VPN would just quit and a reload would fix it. TAC looked at it and found that the SPI was not being deleted and/or not bing recreated correctly. Unfortunatley for you this was resolved by a code upgrade. I did find a quicker solution than a reboot, when I removed the crypto map from the interface and re-applied it the vpn came up. Although yours appears to be a phase1/isakmp issue so maybe remove the isakmp profile and re-add it. Also did you add the "crypto isakmp invalid-spi-recovery" or is that a default config?

Highlighted

881 VPN fails after 24hrs/IKE key lifetime

Hi Ken,

Thanks for your insight!

This does not bode well. But I considered this to be a plausible outcome.

I hope Cisco acknowledges the issue(s) and resolves it soon.

What does TAC stand for btw? I assume it is a development of support team from Cisco?

Is there any way I can submit this issue for review or support by Cisco so it can be resolved?

The "crypto isakmp invalid-spi-recovery" is not a default, I've added it manually. I had some trouble before (which later seemed to be a PFS issue) and found this to be a sollution for the symptoms I encountered. I was under the impression the setting does no harm. I shall disable it for trial sake.

Highlighted
Beginner

881 VPN fails after 24hrs/IKE key lifetime

TAC is the Cisco Technical Support Center. Unfortunately this was almost 2 years ago so I dont think they will be doing anything about it. You can only open a support case if your equipment is under a support contract.

Is there a particular reason you chose the level of encryption you are using? It is the most secure, but also the most processor intensive, I personally have never seen this combination used. I would recommend AES128 with DH Group 2 and SHA hash.

What debug commands did you use to produce those logs? Where you looking at ipsec or just isakmp?

Highlighted

881 VPN fails after 24hrs/IKE key lifetime

Unfortunately I do not have a support contract for our hardware. I wouldn't even know how to get one.

However, we do pay top dollar for the equipment and it seems one it's components doesn't work as advertised. So if no support is given I will have to try warrenty instead. This does mean I have to replace the unit with a competitor brand which isn't something I'm keen to do because I want to use Cisco as our main brand. This issue effectively nukes my entire plan.

Given our work load, CPU power isn't an issue. The encryption level is set to this level because I'm paranoid. Which I reckon is a good thing when it comes to network security (correct me if I'm wrong). Do you suspect these settings could be of any influence in this particular case?

If I remember correctly I used the "debug crypto isakmp" or "debug crypto isakmp errors" and "debug crypto ipsec" (also perhaps with the "error" suffix), I'm not sure.

Highlighted
Beginner

881 VPN fails after 24hrs/IKE key lifetime

I suppose it could be an issue if the cpu is overwhelmed during a rekey. Considering this is a branch office router it could be an issue. I would just try it on the lower settings for a week to see if it resolves the issue.

Also you could try an pull the debugs from the other side, usually one side of the VPN has the more relevant logs.

Highlighted

881 VPN fails after 24hrs/IKE key lifetime

I have adjusted the settings and will wait for the result.

Because the issues arrises every 24 hours, the answer will be available tomorrow

Highlighted

881 VPN fails after 24hrs/IKE key lifetime

I'm sorry to say the problem still persists when using PFS group 2 and AES 128 encryption (for the IKE as well as the IPSec encryption)