cannot get site2vpn come up

Hi,

I have one 3925 which has working tunnels to two 861 routers.

IPSEC etc.

Now I want to add a third, and with the same config I cannot get the VPN up.

The third unit is an 881-sec-k9.

Any idea why it doesn't work?

config main site

crypto isakmp policy 1
 encr aes 192
 authentication pre-share
 group 2
crypto isakmp key 234723467 address 110.5.x.x  (this one works)
crypto isakmp key 234723467 address 197.96.x.x (this one works)
crypto isakmp key 234723467 address 124.74.x.x   (this is connection to problem site)
crypto ipsec transform-set ID-SET esp-aes esp-sha-hmac
crypto ipsec transform-set SA-SET esp-aes esp-sha-hmac
crypto ipsec transform-set CN-SET esp-aes esp-sha-hmac
crypto map RTD01_ID01 10 ipsec-isakmp
 set peer 197.96.x.x
 set transform-set SA-SET
 set pfs group2
 match address 101
crypto map RTD01_ID01 20 ipsec-isakmp
 set peer 110.5.x.x
 set transform-set ID-SET
 set pfs group2
 match address 102
crypto map RTD01_ID01 30 ipsec-isakmp
 set peer 124.74.x.x
 set transform-set CN-SET
 set pfs group2
 match address 103

And then I have the access lists.

config remote site

crypto isakmp policy 1
 encr aes 192
 authentication pre-share
 group 2
crypto isakmp key 234723467 address 213.208.x.x
crypto ipsec transform-set CN-SET esp-aes esp-sha-hmac
 mode tunnel
crypto map RTD01_ID01 10 ipsec-isakmp
 set peer 213.208.x.x
 set transform-set CN-SET
 set pfs group2
 match address 101

output debug crypto isakmp

*Jul 17 09:31:38.185: ISAKMP:(0): SA request profile is (NULL)

*Jul 17 09:31:38.185: ISAKMP: Created a peer struct for x.x.x.x, peer port 500

*Jul 17 09:31:38.185: ISAKMP: New peer created peer = 0x89C9B670 peer_handle = 0x80000010

*Jul 17 09:31:38.185: ISAKMP: Locking peer struct 0x89C9B670, refcount 1 for isakmp_initiator

*Jul 17 09:31:38.185: ISAKMP: local port 500, remote port 500

*Jul 17 09:31:38.185: ISAKMP: set new node 0 to QM_IDLE     

*Jul 17 09:31:38.185: ISAKMP:(0):insert sa successfully sa = 89C69A28

*Jul 17 09:31:38.185: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.

*Jul 17 09:31:38.185: ISAKMP:(0):found peer pre-shared key matching x.x.x.x

*Jul 17 09:31:38.185: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID

*Jul 17 09:31:38.185: ISAKMP:(0): constructed NAT-T vendor-07 ID

*Jul 17 09:31:38.185: ISAKMP:(0): constructed NAT-T vendor-03 ID

*Jul 17 09:31:38.185: ISAKMP:(0): constructed NAT-T vendor-02 ID

*Jul 17 09:31:38.185: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM

*Jul 17 09:31:38.185: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1

*Jul 17 09:31:38.185: ISAKMP:(0): beginning Main Mode exchange

*Jul 17 09:31:38.185: ISAKMP:(0): sending packet to x.x.x.x my_port 500 peer_port 500 (I) MM_NO_STATE

*Jul 17 09:31:38.185: ISAKMP:(0):Sending an IKE IPv4 Packet.

*Jul 17 09:31:38.765: ISAKMP (0): received packet from x.x.x.x dport 500 sport 500 Global (I) MM_NO_STATE

*Jul 17 09:31:38.765: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*Jul 17 09:31:38.765: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2

*Jul 17 09:31:38.765: ISAKMP:(0): processing SA payload. message ID = 0

*Jul 17 09:31:38.765: ISAKMP:(0): processing vendor id payload

*Jul 17 09:31:38.765: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch

*Jul 17 09:31:38.765: ISAKMP (0): vendor ID is NAT-T RFC 3947

*Jul 17 09:31:38.765: ISAKMP:(0):found peer pre-shared key matching x.x.x.x

*Jul 17 09:31:38.765: ISAKMP:(0): local preshared key found

*Jul 17 09:31:38.765: ISAKMP : Scanning profiles for xauth ...

*Jul 17 09:31:38.765: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy

*Jul 17 09:31:38.765: ISAKMP:      encryption AES-CBC

*Jul 17 09:31:38.765: ISAKMP:      keylength of 192

*Jul 17 09:31:38.765: ISAKMP:      hash SHA

*Jul 17 09:31:38.765: ISAKMP:      default group 2

*Jul 17 09:31:38.765: ISAKMP:      auth pre-share

*Jul 17 09:31:38.765: ISAKMP:      life type in seconds

*Jul 17 09:31:38.765: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80

*Jul 17 09:31:38.765: ISAKMP:(0):atts are acceptable. Next payload is 0

*Jul 17 09:31:38.765: ISAKMP:(0):Acceptable atts:actual life: 0

*Jul 17 09:31:38.765: ISAKMP:(0):Acceptable atts:life: 0

*Jul 17 09:31:38.765: ISAKMP:(0):Fill atts in sa vpi_length:4

*Jul 17 09:31:38.765: ISAKMP:(0):Fill atts in sa life_in_seconds:86400

*Jul 17 09:31:38.765: ISAKMP:(0):Returning Actual lifetime: 86400

*Jul 17 09:31:38.765: ISAKMP:(0)::Started lifetime timer: 86400.

*Jul 17 09:31:38.765: ISAKMP:(0): processing vendor id payload

*Jul 17 09:31:38.765: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch

*Jul 17 09:31:38.765: ISAKMP (0): vendor ID is NAT-T RFC 3947

*Jul 17 09:31:38.765: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

*Jul 17 09:31:38.765: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2

*Jul 17 09:31:38.765: ISAKMP:(0): sending packet to x.x.x.x my_port 500 peer_port 500 (I) MM_SA_SETUP

*Jul 17 09:31:38.765: ISAKMP:(0):Sending an IKE IPv4 Packet.

*Jul 17 09:31:38.769: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

*Jul 17 09:31:38.769: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3

*Jul 17 09:31:39.349: ISAKMP (0): received packet from x.x.x.x dport 500 sport 500 Global (I) MM_SA_SETUP

*Jul 17 09:31:39.349: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*Jul 17 09:31:39.349: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4

*Jul 17 09:31:39.349: ISAKMP:(0): processing KE payload. message ID = 0

*Jul 17 09:31:39.377: ISAKMP:(0): processing NONCE payload. message ID = 0

*Jul 17 09:31:39.377: ISAKMP:(0):found peer pre-shared key matching x.x.x.x

*Jul 17 09:31:39.377: ISAKMP:(2015): processing vendor id payload

*Jul 17 09:31:39.377: ISAKMP:(2015): vendor ID is Unity

*Jul 17 09:31:39.377: ISAKMP:(2015): processing vendor id payload

*Jul 17 09:31:39.377: ISAKMP:(2015): vendor ID is DPD

*Jul 17 09:31:39.377: ISAKMP:(2015): processing vendor id payload

*Jul 17 09:31:39.377: ISAKMP:(2015): speaking to another IOS box!

*Jul 17 09:31:39.377: ISAKMP:received payload type 20

*Jul 17 09:31:39.377: ISAKMP (2015): His hash no match - this node outside NAT

*Jul 17 09:31:39.377: ISAKMP:received payload type 20

*Jul 17 09:31:39.377: ISAKMP (2015): No NAT Found for self or peer

*Jul 17 09:31:39.377: ISAKMP:(2015):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

*Jul 17 09:31:39.377: ISAKMP:(2015):Old State = IKE_I_MM4  New State = IKE_I_MM4

*Jul 17 09:31:39.377: ISAKMP:(2015):Send initial contact

*Jul 17 09:31:39.377: ISAKMP:(2015):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR.

*Jul 17 09:31:39.377: ISAKMP (2015): ID payload

next-payload : 8

type         : 1

address      : x.x.x.x

protocol     : 17

port         : 500

length       : 12

*Jul 17 09:31:39.381: ISAKMP:(2015):Total payload length: 12

*Jul 17 09:31:39.381: ISAKMP:(2015): sending packet to x.x.x.x my_port 500 peer_port 500 (I) MM_KEY_EXCH

*Jul 17 09:31:39.381: ISAKMP:(2015):Sending an IKE IPv4 Packet.

*Jul 17 09:31:39.381: ISAKMP:(2015):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

*Jul 17 09:31:39.381: ISAKMP:(2015):Old State = IKE_I_MM4  New State = IKE_I_MM5

*Jul 17 09:31:40.953: ISAKMP (2015): received packet from x.x.x.x dport 500 sport 500 Global (I) MM_KEY_EXCH

*Jul 17 09:31:40.957: ISAKMP:(2015): phase 1 packet is a duplicate of a previous packet.

*Jul 17 09:31:40.957: ISAKMP:(2015): retransmitting due to retransmit phase 1

*Jul 17 09:31:41.457: ISAKMP:(2015): retransmitting phase 1 MM_KEY_EXCH...

*Jul 17 09:31:41.457: ISAKMP (2015): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1

*Jul 17 09:31:41.457: ISAKMP:(2015): retransmitting phase 1 MM_KEY_EXCH

*Jul 17 09:31:41.457: ISAKMP:(2015): sending packet to x.x.x.x my_port 500 peer_port 500 (I) MM_KEY_EXCH.

*Jul 17 09:31:41.457: ISAKMP:(2015):Sending an IKE IPv4 Packet.

*Jul 17 09:31:42.529: ISAKMP (2015): received packet from x.x.x.x dport 500 sport 500 Global (I) MM_KEY_EXCH

*Jul 17 09:31:42.529: ISAKMP:(2015): phase 1 packet is a duplicate of a previous packet.

*Jul 17 09:31:42.529: ISAKMP:(2015): retransmitting due to retransmit phase 1

*Jul 17 09:31:43.029: ISAKMP:(2015): retransmitting phase 1 MM_KEY_EXCH...

*Jul 17 09:31:43.029: ISAKMP (2015): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1

*Jul 17 09:31:43.029: ISAKMP:(2015): retransmitting phase 1 MM_KEY_EXCH

*Jul 17 09:31:43.029: ISAKMP:(2015): sending packet to x.x.x.x my_port 500 peer_port 500 (I) MM_KEY_EXCH

*Jul 17 09:31:43.029: ISAKMP:(2015):Sending an IKE IPv4 Packet..

*Jul 17 09:31:44.105: ISAKMP (2015): received packet from x.x.x.x dport 500 sport 500 Global (I) MM_KEY_EXCH

*Jul 17 09:31:44.105: ISAKMP:(2015): phase 1 packet is a duplicate of a previous packet.

*Jul 17 09:31:44.105: ISAKMP:(2015): retransmitting due to retransmit phase 1

*Jul 17 09:31:44.605: ISAKMP:(2015): retransmitting phase 1 MM_KEY_EXCH...

*Jul 17 09:31:44.605: ISAKMP (2015): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1

*Jul 17 09:31:44.605: ISAKMP:(2015): retransmitting phase 1 MM_KEY_EXCH

*Jul 17 09:31:44.605: ISAKMP:(2015): sending packet to x.x.x.x my_port 500 peer_port 500 (I) MM_KEY_EXCH

*Jul 17 09:31:44.605: ISAKMP:(2015):Sending an IKE IPv4 Packet..

*Jul 17 09:31:45.685: ISAKMP (2015): received packet from x.x.x.x dport 500 sport 500 Global (I) MM_KEY_EXCH

*Jul 17 09:31:45.689: ISAKMP:(2015): phase 1 packet is a duplicate of a previous packet.

*Jul 17 09:31:45.689: ISAKMP:(2015): retransmitting due to retransmit phase 1

*Jul 17 09:31:46.189: ISAKMP:(2015): retransmitting phase 1 MM_KEY_EXCH...

*Jul 17 09:31:46.189: ISAKMP (2015): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1

*Jul 17 09:31:46.189: ISAKMP:(2015): retransmitting phase 1 MM_KEY_EXCH

*Jul 17 09:31:46.189: ISAKMP:(2015): sending packet to x.x.x.x my_port 500 peer_port 500 (I) MM_KEY_EXCH

*Jul 17 09:31:46.189: ISAKMP:(2015):Sending an IKE IPv4 Packet......

*Jul 17 09:31:56.189: ISAKMP:(2015): retransmitting phase 1 MM_KEY_EXCH...

*Jul 17 09:31:56.189: ISAKMP (2015): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1

*Jul 17 09:31:56.189: ISAKMP:(2015): retransmitting phase 1 MM_KEY_EXCH

*Jul 17 09:31:56.189: ISAKMP:(2015): sending packet to x.x.x.x my_port 500 peer_port 500 (I) MM_KEY_EXCH

*Jul 17 09:31:56.189: ISAKMP:(2015):Sending an IKE IPv4 Packet......

*Jul 17 09:32:06.189: ISAKMP:(2015): retransmitting phase 1 MM_KEY_EXCH...

*Jul 17 09:32:06.189: ISAKMP:(2015):peer does not do paranoid keepalives.

*Jul 17 09:32:06.189: ISAKMP:(2015):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer x.x.x.x)

*Jul 17 09:32:06.189: ISAKMP:(2015):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer x.x.x.x)

*Jul 17 09:32:06.189: ISAKMP: Unlocking peer struct 0x89C9B670 for isadb_mark_sa_deleted(), count 0

*Jul 17 09:32:06.189: ISAKMP: Deleting peer node by peer_reap for x.x.x.x: 89C9B670

*Jul 17 09:32:06.189: ISAKMP:(2015):deleting node 363817478 error FALSE reason "IKE deleted"

*Jul 17 09:32:06.189: ISAKMP:(2015):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL

*Jul 17 09:32:06.189: ISAKMP:(2015):Old State = IKE_I_MM5  New State = IKE_DEST_SA

.

*Jul 17 09:32:08.185: ISAKMP:(0): SA request profile is (NULL)

*Jul 17 09:32:08.185: ISAKMP: Created a peer struct for x.x.x.x, peer port 500

*Jul 17 09:32:08.185: ISAKMP: New peer created peer = 0x89C9B670 peer_handle = 0x80000011

*Jul 17 09:32:08.185: ISAKMP: Locking peer struct 0x89C9B670, refcount 1 for isakmp_initiator

*Jul 17 09:32:08.185: ISAKMP: local port 500, remote port 500

*Jul 17 09:32:08.185: ISAKMP: set new node 0 to QM_IDLE     

*Jul 17 09:32:08.185: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 89930540

*Jul 17 09:32:08.185: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.

*Jul 17 09:32:08.185: ISAKMP:(0):found peer pre-shared key matching x.x.x.x

*Jul 17 09:32:08.185: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID

*Jul 17 09:32:08.185: ISAKMP:(0): constructed NAT-T vendor-07 ID

*Jul 17 09:32:08.185: ISAKMP:(0): constructed NAT-T vendor-03 ID

*Jul 17 09:32:08.185: ISAKMP:(0): constructed NAT-T vendor-02 ID

*Jul 17 09:32:08.185: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM

*Jul 17 09:32:08.185: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1

*Jul 17 09:32:08.185: ISAKMP:(0): beginning Main Mode exchange

*Jul 17 09:32:08.185: ISAKMP:(0): sending packet to x.x.x.x my_port 500 peer_port 500 (I) MM_NO_STATE

*Jul 17 09:32:08.185: ISAKMP:(0):Sending an IKE IPv4 Packet.

*Jul 17 09:32:08.773: ISAKMP (0): received packet from x.x.x.x dport 500 sport 500 Global (I) MM_NO_STATE

*Jul 17 09:32:08.773: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*Jul 17 09:32:08.773: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2

*Jul 17 09:32:08.773: ISAKMP:(0): processing SA payload. message ID = 0

*Jul 17 09:32:08.773: ISAKMP:(0): processing vendor id payload

*Jul 17 09:32:08.773: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch

*Jul 17 09:32:08.773: ISAKMP (0): vendor ID is NAT-T RFC 3947

*Jul 17 09:32:08.773: ISAKMP:(0):found peer pre-shared key matching x.x.x.x

*Jul 17 09:32:08.773: ISAKMP:(0): local preshared key found

*Jul 17 09:32:08.773: ISAKMP : Scanning profiles for xauth ...

*Jul 17 09:32:08.773: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy

*Jul 17 09:32:08.773: ISAKMP:      encryption AES-CBC

*Jul 17 09:32:08.773: ISAKMP:      keylength of 192

*Jul 17 09:32:08.773: ISAKMP:      hash SHA

*Jul 17 09:32:08.773: ISAKMP:      default group 2

*Jul 17 09:32:08.773: ISAKMP:      auth pre-share

*Jul 17 09:32:08.773: ISAKMP:      life type in seconds

*Jul 17 09:32:08.773: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80

*Jul 17 09:32:08.773: ISAKMP:(0):atts are acceptable. Next payload is 0

*Jul 17 09:32:08.773: ISAKMP:(0):Acceptable atts:actual life: 0

*Jul 17 09:32:08.773: ISAKMP:(0):Acceptable atts:life: 0

*Jul 17 09:32:08.773: ISAKMP:(0):Fill atts in sa vpi_length:4

*Jul 17 09:32:08.773: ISAKMP:(0):Fill atts in sa life_in_seconds:86400

*Jul 17 09:32:08.773: ISAKMP:(0):Returning Actual lifetime: 86400

*Jul 17 09:32:08.773: ISAKMP:(0)::Started lifetime timer: 86400.

*Jul 17 09:32:08.773: ISAKMP:(0): processing vendor id payload

*Jul 17 09:32:08.773: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch

*Jul 17 09:32:08.773: ISAKMP (0): vendor ID is NAT-T RFC 3947

*Jul 17 09:32:08.773: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

*Jul 17 09:32:08.773: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2

*Jul 17 09:32:08.777: ISAKMP:(0): sending packet to x.x.x.x my_port 500 peer_port 500 (I) MM_SA_SETUP

*Jul 17 09:32:08.777: ISAKMP:(0):Sending an IKE IPv4 Packet.

*Jul 17 09:32:08.777: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

*Jul 17 09:32:08.777: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3

*Jul 17 09:32:09.361: ISAKMP (0): received packet from x.x.x.x dport 500 sport 500 Global (I) MM_SA_SETUP

*Jul 17 09:32:09.361: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*Jul 17 09:32:09.361: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4

*Jul 17 09:32:09.361: ISAKMP:(0): processing KE payload. message ID = 0

*Jul 17 09:32:09.389: ISAKMP:(0): processing NONCE payload. message ID = 0

*Jul 17 09:32:09.389: ISAKMP:(0):found peer pre-shared key matching x.x.x.x

*Jul 17 09:32:09.389: ISAKMP:(2016): processing vendor id payload

*Jul 17 09:32:09.389: ISAKMP:(2016): vendor ID is Unity

*Jul 17 09:32:09.389: ISAKMP:(2016): processing vendor id payload

*Jul 17 09:32:09.389: ISAKMP:(2016): vendor ID is DPD

*Jul 17 09:32:09.389: ISAKMP:(2016): processing vendor id payload

*Jul 17 09:32:09.393: ISAKMP:(2016): speaking to another IOS box!

*Jul 17 09:32:09.393: ISAKMP:received payload type 20

*Jul 17 09:32:09.393: ISAKMP (2016): His hash no match - this node outside NAT

*Jul 17 09:32:09.393: ISAKMP:received payload type 20

*Jul 17 09:32:09.393: ISAKMP (2016): No NAT Found for self or peer

*Jul 17 09:32:09.393: ISAKMP:(2016):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

*Jul 17 09:32:09.393: ISAKMP:(2016):Old State = IKE_I_MM4  New State = IKE_I_MM4

*Jul 17 09:32:09.393: ISAKMP:(2016):Send initial contact

*Jul 17 09:32:09.393: ISAKMP:(2016):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR.

*Jul 17 09:32:09.393: ISAKMP (2016): ID payload

next-payload : 8

type         : 1

address      : x.x.x.x

protocol     : 17

port         : 500

length       : 12

*Jul 17 09:32:09.393: ISAKMP:(2016):Total payload length: 12

*Jul 17 09:32:09.393: ISAKMP:(2016): sending packet to x.x.x.x my_port 500 peer_port 500 (I) MM_KEY_EXCH

*Jul 17 09:32:09.393: ISAKMP:(2016):Sending an IKE IPv4 Packet.

*Jul 17 09:32:09.393: ISAKMP:(2016):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

*Jul 17 09:32:09.393: ISAKMP:(2016):Old State = IKE_I_MM4  New State = IKE_I_MM5

*Jul 17 09:32:10.981: ISAKMP (2016): received packet from x.x.x.x dport 500 sport 500 Global (I) MM_KEY_EXCH

*Jul 17 09:32:10.981: ISAKMP:(2016): phase 1 packet is a duplicate of a previous packet.

*Jul 17 09:32:10.981: ISAKMP:(2016): retransmitting due to retransmit phase 1

*Jul 17 09:32:11.481: ISAKMP:(2016): retransmitting phase 1 MM_KEY_EXCH...

*Jul 17 09:32:11.481: ISAKMP (2016): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1

*Jul 17 09:32:11.481: ISAKMP:(2016): retransmitting phase 1 MM_KEY_EXCH

*Jul 17 09:32:11.481: ISAKMP:(2016): sending packet to x.x.x.x my_port 500 peer_port 500 (I) MM_KEY_EXCH.

*Jul 17 09:32:11.481: ISAKMP:(2016):Sending an IKE IPv4 Packet.

*Jul 17 09:32:12.573: ISAKMP (2016): received packet from x.x.x.x dport 500 sport 500 Global (I) MM_KEY_EXCH

*Jul 17 09:32:12.573: ISAKMP:(2016): phase 1 packet is a duplicate of a previous packet.

*Jul 17 09:32:12.573: ISAKMP:(2016): retransmitting due to retransmit phase 1

*Jul 17 09:32:13.073: ISAKMP:(2016): retransmitting phase 1 MM_KEY_EXCH...

*Jul 17 09:32:13.073: ISAKMP (2016): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1

*Jul 17 09:32:13.073: ISAKMP:(2016): retransmitting phase 1 MM_KEY_EXCH

*Jul 17 09:32:13.073: ISAKMP:(2016): sending packet to x.x.x.x my_port 500 peer_port 500 (I) MM_KEY_EXCH.

*Jul 17 09:32:13.073: ISAKMP:(2016):Sending an IKE IPv4 Packet.

*Jul 17 09:32:14.165: ISAKMP (2016): received packet from x.x.x.x dport 500 sport 500 Global (I) MM_KEY_EXCH

*Jul 17 09:32:14.165: ISAKMP:(2016): phase 1 packet is a duplicate of a previous packet.

*Jul 17 09:32:14.165: ISAKMP:(2016): retransmitting due to retransmit phase 1

*Jul 17 09:32:14.665: ISAKMP:(2016): retransmitting phase 1 MM_KEY_EXCH...

*Jul 17 09:32:14.665: ISAKMP (2016): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1

*Jul 17 09:32:14.665: ISAKMP:(2016): retransmitting phase 1 MM_KEY_EXCH

*Jul 17 09:32:14.665: ISAKMP:(2016): sending packet to x.x.x.x my_port 500 peer_port 500 (I) MM_KEY_EXCH

*Jul 17 09:32:14.665: ISAKMP:(2016):Sending an IKE IPv4 Packet..

*Jul 17 09:32:15.753: ISAKMP (2016): received packet from x.x.x.x dport 500 sport 500 Global (I) MM_KEY_EXCH

*Jul 17 09:32:15.753: ISAKMP:(2016): phase 1 packet is a duplicate of a previous packet.

*Jul 17 09:32:15.753: ISAKMP:(2016): retransmitting due to retransmit phase 1

*Jul 17 09:32:16.253: ISAKMP:(2016): retransmitting phase 1 MM_KEY_EXCH...

*Jul 17 09:32:16.253: ISAKMP (2016): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1

*Jul 17 09:32:16.253: ISAKMP:(2016): retransmitting phase 1 MM_KEY_EXCH

*Jul 17 09:32:16.253: ISAKMP:(2016): sending packet to x.x.x.x my_port 500 peer_port 500 (I) MM_KEY_EXCH

*Jul 17 09:32:16.253: ISAKMP:(2016):Sending an IKE IPv4 Packet......

*Jul 17 09:32:26.253: ISAKMP:(2016): retransmitting phase 1 MM_KEY_EXCH...

*Jul 17 09:32:26.253: ISAKMP (2016): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1

*Jul 17 09:32:26.253: ISAKMP:(2016): retransmitting phase 1 MM_KEY_EXCH

*Jul 17 09:32:26.253: ISAKMP:(2016): sending packet to x.x.x.x my_port 500 peer_port 500 (I) MM_KEY_EXCH

*Jul 17 09:32:26.253: ISAKMP:(2016):Sending an IKE IPv4 Packet......

*Jul 17 09:32:36.253: ISAKMP:(2016): retransmitting phase 1 MM_KEY_EXCH...

*Jul 17 09:32:36.253: ISAKMP:(2016):peer does not do paranoid keepalives.

*Jul 17 09:32:36.253: ISAKMP:(2016):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer x.x.x.x)

*Jul 17 09:32:36.253: ISAKMP:(2016):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer x.x.x.x)

*Jul 17 09:32:36.253: ISAKMP: Unlocking peer struct 0x89C9B670 for isadb_mark_sa_deleted(), count 0

*Jul 17 09:32:36.253: ISAKMP: Deleting peer node by peer_reap for x.x.x.x: 89C9B670

*Jul 17 09:32:36.253: ISAKMP:(2016):deleting node -601125758 error FALSE reason "IKE deleted"

*Jul 17 09:32:36.253: ISAKMP:(2016):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL

*Jul 17 09:32:36.253: ISAKMP:(2016):Old State = IKE_I_MM5  New State = IKE_DEST_SA

.

*Jul 17 09:32:38.185: ISAKMP:(0): SA request profile is (NULL)

*Jul 17 09:32:38.185: ISAKMP: Created a peer struct for x.x.x.x, peer port 500

*Jul 17 09:32:38.185: ISAKMP: New peer created peer = 0x89C9B670 peer_handle = 0x80000012

*Jul 17 09:32:38.185: ISAKMP: Locking peer struct 0x89C9B670, refcount 1 for isakmp_initiator

*Jul 17 09:32:38.185: ISAKMP: local port 500, remote port 500

*Jul 17 09:32:38.185: ISAKMP: set new node 0 to QM_IDLE     

*Jul 17 09:32:38.185: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 898D6364

*Jul 17 09:32:38.185: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.

*Jul 17 09:32:38.185: ISAKMP:(0):found peer pre-shared key matching x.x.x.x

*Jul 17 09:32:38.185: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID

*Jul 17 09:32:38.185: ISAKMP:(0): constructed NAT-T vendor-07 ID

*Jul 17 09:32:38.185: ISAKMP:(0): constructed NAT-T vendor-03 ID

*Jul 17 09:32:38.185: ISAKMP:(0): constructed NAT-T vendor-02 ID

*Jul 17 09:32:38.185: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM

*Jul 17 09:32:38.185: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1

*Jul 17 09:32:38.185: ISAKMP:(0): beginning Main Mode exchange

*Jul 17 09:32:38.185: ISAKMP:(0): sending packet to x.x.x.x my_port 500 peer_port 500 (I) MM_NO_STATE

*Jul 17 09:32:38.185: ISAKMP:(0):Sending an IKE IPv4 Packet.

*Jul 17 09:32:38.757: ISAKMP (0): received packet from x.x.x.x dport 500 sport 500 Global (I) MM_NO_STATE

*Jul 17 09:32:38.757: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*Jul 17 09:32:38.757: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2

*Jul 17 09:32:38.757: ISAKMP:(0): processing SA payload. message ID = 0

*Jul 17 09:32:38.757: ISAKMP:(0): processing vendor id payload

*Jul 17 09:32:38.757: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch

*Jul 17 09:32:38.757: ISAKMP (0): vendor ID is NAT-T RFC 3947

*Jul 17 09:32:38.757: ISAKMP:(0):found peer pre-shared key matching x.x.x.x

*Jul 17 09:32:38.757: ISAKMP:(0): local preshared key found

*Jul 17 09:32:38.757: ISAKMP : Scanning profiles for xauth ...

*Jul 17 09:32:38.757: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy

*Jul 17 09:32:38.757: ISAKMP:      encryption AES-CBC

*Jul 17 09:32:38.757: ISAKMP:      keylength of 192

*Jul 17 09:32:38.757: ISAKMP:      hash SHA

*Jul 17 09:32:38.757: ISAKMP:      default group 2

*Jul 17 09:32:38.757: ISAKMP:      auth pre-share

*Jul 17 09:32:38.757: ISAKMP:      life type in seconds

*Jul 17 09:32:38.757: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80

*Jul 17 09:32:38.757: ISAKMP:(0):atts are acceptable. Next payload is 0

*Jul 17 09:32:38.757: ISAKMP:(0):Acceptable atts:actual life: 0

*Jul 17 09:32:38.757: ISAKMP:(0):Acceptable atts:life: 0

*Jul 17 09:32:38.757: ISAKMP:(0):Fill atts in sa vpi_length:4

*Jul 17 09:32:38.757: ISAKMP:(0):Fill atts in sa life_in_seconds:86400

*Jul 17 09:32:38.757: ISAKMP:(0):Returning Actual lifetime: 86400

*Jul 17 09:32:38.757: ISAKMP:(0)::Started lifetime timer: 86400.

*Jul 17 09:32:38.757: ISAKMP:(0): processing vendor id payload

*Jul 17 09:32:38.757: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch

*Jul 17 09:32:38.757: ISAKMP (0): vendor ID is NAT-T RFC 3947

*Jul 17 09:32:38.757: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

*Jul 17 09:32:38.757: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2

*Jul 17 09:32:38.761: ISAKMP:(0): sending packet to x.x.x.x my_port 500 peer_port 500 (I) MM_SA_SETUP

*Jul 17 09:32:38.761: ISAKMP:(0):Sending an IKE IPv4 Packet.

*Jul 17 09:32:38.761: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

*Jul 17 09:32:38.761: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3

*Jul 17 09:32:39.329: ISAKMP (0): received packet from x.x.x.x dport 500 sport 500 Global (I) MM_SA_SETUP

*Jul 17 09:32:39.329: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*Jul 17 09:32:39.329: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4

*Jul 17 09:32:39.329: ISAKMP:(0): processing KE payload. message ID = 0

*Jul 17 09:32:39.357: ISAKMP:(0): processing NONCE payload. message ID = 0

*Jul 17 09:32:39.357: ISAKMP:(0):found peer pre-shared key matching x.x.x.x

*Jul 17 09:32:39.357: ISAKMP:(2017): processing vendor id payload

*Jul 17 09:32:39.357: ISAKMP:(2017): vendor ID is Unity

*Jul 17 09:32:39.361: ISAKMP:(2017): processing vendor id payload

*Jul 17 09:32:39.361: ISAKMP:(2017): vendor ID is DPD

*Jul 17 09:32:39.361: ISAKMP:(2017): processing vendor id payload

*Jul 17 09:32:39.361: ISAKMP:(2017): speaking to another IOS box!

*Jul 17 09:32:39.361: ISAKMP:received payload type 20

*Jul 17 09:32:39.361: ISAKMP (2017): His hash no match - this node outside NAT

*Jul 17 09:32:39.361: ISAKMP:received payload type 20

*Jul 17 09:32:39.361: ISAKMP (2017): No NAT Found for self or peer

*Jul 17 09:32:39.361: ISAKMP:(2017):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

*Jul 17 09:32:39.361: ISAKMP:(2017):Old State = IKE_I_MM4  New State = IKE_I_MM4

*Jul 17 09:32:39.361: ISAKMP:(2017):Send initial contact

*Jul 17 09:32:39.361: ISAKMP:(2017):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR.

*Jul 17 09:32:39.361: ISAKMP (2017): ID payload

next-payload : 8

type         : 1

address      : x.x.x.x

protocol     : 17

port         : 500

length       : 12

*Jul 17 09:32:39.361: ISAKMP:(2017):Total payload length: 12

*Jul 17 09:32:39.361: ISAKMP:(2017): sending packet to x.x.x.x my_port 500 peer_port 500 (I) MM_KEY_EXCH

*Jul 17 09:32:39.361: ISAKMP:(2017):Sending an IKE IPv4 Packet.

*Jul 17 09:32:39.361: ISAKMP:(2017):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

*Jul 17 09:32:39.361: ISAKMP:(2017):Old State = IKE_I_MM4  New State = IKE_I_MM5

*Jul 17 09:32:40.929: ISAKMP (2017): received packet from x.x.x.x dport 500 sport 500 Global (I) MM_KEY_EXCH

*Jul 17 09:32:40.929: ISAKMP:(2017): phase 1 packet is a duplicate of a previous packet.

*Jul 17 09:32:40.929: ISAKMP:(2017): retransmitting due to retransmit phase 1

*Jul 17 09:32:41.429: ISAKMP:(2017): retransmitting phase 1 MM_KEY_EXCH...

*Jul 17 09:32:41.429: ISAKMP (2017): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1

*Jul 17 09:32:41.429: ISAKMP:(2017): retransmitting phase 1 MM_KEY_EXCH

*Jul 17 09:32:41.429: ISAKMP:(2017): sending packet to x.x.x.x my_port 500 peer_port 500 (I) MM_KEY_EXCH.

*Jul 17 09:32:41.429: ISAKMP:(2017):Sending an IKE IPv4 Packet.

*Jul 17 09:32:42.509: ISAKMP (2017): received packet from x.x.x.x dport 500 sport 500 Global (I) MM_KEY_EXCH

*Jul 17 09:32:42.509: ISAKMP:(2017): phase 1 packet is a duplicate of a previous packet.

*Jul 17 09:32:42.509: ISAKMP:(2017): retransmitting due to retransmit phase 1

*Jul 17 09:32:43.009: ISAKMP:(2017): retransmitting phase 1 MM_KEY_EXCH...

*Jul 17 09:32:43.009: ISAKMP (2017): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1

*Jul 17 09:32:43.009: ISAKMP:(2017): retransmitting phase 1 MM_KEY_EXCH

*Jul 17 09:32:43.009: ISAKMP:(2017): sending packet to x.x.x.x my_port 500 peer_port 500 (I) MM_KEY_EXCH

Andrew Phirsov

Check that pre-shared keys are correct for both sites.

I did, and they are the same.

I even did a copy-paste from the main one to the remote site (881).

Any other ideas, all welcome !

Martin

The provider found the issue: some loop internally with them that forwards some data and copies other data.
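Added example, not part of the original thread: a small Python parser for `debug crypto isakmp` output like the one posted above, reporting how far each main-mode attempt got and why the SA was deleted. The sample log is a condensed excerpt constructed in that output's format, and the names `parse_attempts` and `diagnose` are this example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# What the initiator has done once IOS reports each IKEv1 main-mode state.
MM_MEANING = {
    "IKE_I_MM1": "sent MM1 (SA proposal)",
    "IKE_I_MM2": "got MM2 (policy accepted)",
    "IKE_I_MM3": "sent MM3 (KE + nonce)",
    "IKE_I_MM4": "got MM4 (peer KE + nonce)",
    "IKE_I_MM5": "sent MM5 (encrypted ID + hash), waiting for MM6",
    "IKE_I_MM6": "got MM6 (peer authenticated)",
}

TS = re.compile(r"^\*(\w{3}\s+\d+\s+[\d:.]+):")
STATE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
RETX = re.compile(r"attempt (\d+) of (\d+): retransmit phase 1")
DELETED = re.compile(r'deleting SA reason "([^"]+)"')
DUPLICATE = "phase 1 packet is a duplicate of a previous packet"

# Constructed sample: condensed lines in the format of the debug output above.
SAMPLE = """\
*Jul 17 09:31:38.185: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
*Jul 17 09:31:38.765: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2
*Jul 17 09:31:38.769: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3
*Jul 17 09:31:39.349: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4
*Jul 17 09:31:39.381: ISAKMP:(2015):Old State = IKE_I_MM4  New State = IKE_I_MM5
*Jul 17 09:31:40.957: ISAKMP:(2015): phase 1 packet is a duplicate of a previous packet.
*Jul 17 09:31:41.457: ISAKMP (2015): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Jul 17 09:31:42.529: ISAKMP:(2015): phase 1 packet is a duplicate of a previous packet.
*Jul 17 09:31:43.029: ISAKMP (2015): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Jul 17 09:32:06.189: ISAKMP:(2015):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer x.x.x.x)
*Jul 17 09:32:06.189: ISAKMP:(2015):Old State = IKE_I_MM5  New State = IKE_DEST_SA
*Jul 17 09:32:08.185: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
*Jul 17 09:32:08.773: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2
"""


@dataclass
class Attempt:
    started: str                      # timestamp of the IKE_READY -> MM1 transition
    furthest: str = "IKE_READY"       # last main-mode state reached
    duplicates_from_peer: int = 0     # peer packets flagged as duplicates
    retransmits: int = 0              # highest "attempt N of M" counter seen
    delete_reason: Optional[str] = None


def parse_attempts(log: str) -> List[Attempt]:
    """Split the debug output into one record per phase 1 attempt."""
    attempts: List[Attempt] = []
    cur: Optional[Attempt] = None
    for line in log.splitlines():
        ts = TS.match(line)
        if not ts:
            continue  # blank lines and ID-payload continuation lines
        m = STATE.search(line)
        if m:
            old, new = m.groups()
            if old == "IKE_READY":            # a fresh attempt begins
                cur = Attempt(started=ts.group(1))
                attempts.append(cur)
            if cur and new in MM_MEANING:
                cur.furthest = new
            continue
        if cur is None:
            continue
        if DUPLICATE in line:
            cur.duplicates_from_peer += 1
        elif (m := RETX.search(line)):
            cur.retransmits = max(cur.retransmits, int(m.group(1)))
        elif (m := DELETED.search(line)) and cur.delete_reason is None:
            cur.delete_reason = m.group(1)    # IOS logs this line twice
    return attempts


def diagnose(a: Attempt) -> str:
    where = MM_MEANING.get(a.furthest, a.furthest)
    if a.delete_reason is None:
        return f"{a.started}: log ends at {a.furthest} ({where})"
    if a.furthest == "IKE_I_MM5" and a.duplicates_from_peer:
        return (f"{a.started}: {a.delete_reason} at IKE_I_MM5; the peer's MM4 "
                f"arrived again {a.duplicates_from_peer}x and no MM6 came back "
                "(check the PSK on both ends and the path between the peers)")
    return f"{a.started}: {a.delete_reason} at {a.furthest} ({where})"


if __name__ == "__main__":
    for attempt in parse_attempts(SAMPLE):
        print(diagnose(attempt))
```
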
