Cisco 6500 Mode-Config problem

stevegreg
Level 1

Hi all,

In an IPSec port-to-DUT scenario, with Mode-Config set up so that the DUT sends the IP address to the port, I get into a situation in which the DUT continuously enters the "Need config/address" state for the port, even though the port sends its ACK packet for every IP address set by the DUT.

The DUT is a Cisco 6500 running Version 12.2(33)SXI3, with Mode-Configuration configured to provide clients with IP addresses from a local pool.

I enabled "debug crypto isakmp" on the Cisco, and below is an extract from the log file:

5d23h: ISAKMP:(80653):Need config/address      /* My comments here: This is the first Address configuration message from Cisco to port */
5d23h: ISAKMP: set new node 1768971286 to CONF_ADDR
5d23h: ISAKMP: Sending private address: 94.94.0.164
5d23h: ISAKMP:(80653): initiating peer config to 171.159.1.113. ID = 1768971286
5d23h: ISAKMP:(80653): sending packet to 171.159.1.113 my_port 500 peer_port 500 (R) CONF_ADDR
5d23h: ISAKMP:(80653):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
5d23h: ISAKMP:(80653):Old State = IKE_P1_COMPLETE  New State = IKE_CONFIG_MODE_SET_SENT
5d23h: ISAKMP (80653): received packet from 171.159.1.113 dport 500 sport 500 Global (R) CONF_ADDR
5d23h: ISAKMP:(80653):processing transaction payload from 171.159.1.113. message ID = 1768971286
5d23h: ISAKMP: Config payload ACK
5d23h: ISAKMP:(80653):peer accepted the address!
5d23h: ISAKMP:(80653):deleting node 1768971286 error FALSE reason "Transaction mode done"
5d23h: ISAKMP:(80653):Input = IKE_MESG_FROM_PEER, IKE_CFG_ACK
5d23h: ISAKMP:(80653):Old State = IKE_CONFIG_MODE_SET_SENT  New State = IKE_P1_COMPLETE
5d23h: ISAKMP:(80653):Need config/address
5d23h: ISAKMP: set new node 54789084 to CONF_ADDR
5d23h: ISAKMP: Sending private address: 94.94.0.164
5d23h: ISAKMP:(80653): initiating peer config to 171.159.1.113. ID = 54789084
5d23h: ISAKMP:(80653): sending packet to 171.159.1.113 my_port 500 peer_port 500 (R) CONF_ADDR
5d23h: ISAKMP:(80653):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
5d23h: ISAKMP:(80653):Old State = IKE_P1_COMPLETE  New State = IKE_CONFIG_MODE_SET_SENT

/* My comments: Here is the first Quick mode packet (IKEv1) from the port */

5d23h: ISAKMP (80653): received packet from 171.159.1.113 dport 500 sport 500 Global (R) CONF_ADDR
5d23h: ISAKMP: set new node 1878084416 to CONF_ADDR
5d23h: ISAKMP: set new node -2058471196 to CONF_ADDR
5d23h: ISAKMP:(80653):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3 spi 1240980124, message ID = -2058471196
5d23h: ISAKMP:(80653): sending packet to 171.159.1.113 my_port 500 peer_port 500 (R) CONF_ADDR
5d23h: ISAKMP:(80653):purging node -2058471196
5d23h: ISAKMP:(80653):deleting node 1878084416 error FALSE reason "Saved QM no longer needed"
5d23h: ISAKMP (80653): Unknown Input IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE:state = IKE_CONFIG_MODE_SET_SENT
5d23h: ISAKMP:(80653):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
5d23h: ISAKMP:(80653):Old State = IKE_CONFIG_MODE_SET_SENT  New State = KE_CONFIG_MODE_SET_SENT

/* My comments: The port will answer to the set address from Cisco */

5d23h: ISAKMP (80653): received packet from 171.159.1.113 dport 500 sport 500 Global (R) CONF_ADDR
5d23h: ISAKMP:(80653):processing transaction payload from 171.159.1.113. message ID = 54789084
5d23h: ISAKMP: Config payload ACK
5d23h: ISAKMP:(80653):peer accepted the address!
5d23h: ISAKMP:(80653):deleting node 54789084 error FALSE reason "Transaction mode done"
5d23h: ISAKMP:(80653):Input = IKE_MESG_FROM_PEER, IKE_CFG_ACK
5d23h: ISAKMP:(80653):Old State = IKE_CONFIG_MODE_SET_SENT  New State = IKE_P1_COMPLETE
5d23h: ISAKMP:(80653):Need config/address
5d23h: ISAKMP: set new node -317124967 to CONF_ADDR
5d23h: ISAKMP: Sending private address: 94.94.0.164
5d23h: ISAKMP:(80653): initiating peer config to 171.159.1.113. ID = -317124967
5d23h: ISAKMP:(80653): sending packet to 171.159.1.113 my_port 500 peer_port 500 (R) CONF_ADDR
5d23h: ISAKMP:(80653):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
5d23h: ISAKMP:(80653):Old State = IKE_P1_COMPLETE  New State = IKE_CONFIG_MODE_SET_SENT
5d23h: ISAKMP (80653): received packet from 171.159.1.113 dport 500 sport 500 Global (R) CONF_ADDR
5d23h: ISAKMP:(80653):processing transaction payload from 171.159.1.113. message ID = -317124967
5d23h: ISAKMP: Config payload ACK
5d23h: ISAKMP:(80653):peer accepted the address!
5d23h: ISAKMP:(80653):deleting node -317124967 error FALSE reason "Transaction mode done"
5d23h: ISAKMP:(80653):Input = IKE_MESG_FROM_PEER, IKE_CFG_ACK
5d23h: ISAKMP:(80653):Old State = IKE_CONFIG_MODE_SET_SENT  New State = IKE_P1_COMPLETE

From the above debug messages that the Cisco produces, I cannot work out why the Cisco resends the IP address configuration message to the remote peer.

Do you know of other methods I could use to find the reason for this behavior? Or do you have any explanation for the behavior above?

Thank you,

1 Reply
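As an added example (not code from the original post, from Cisco, or from any Cisco tool), the following Python script parses "debug crypto isakmp" lines in the formats quoted above and summarises the Mode-Config exchange per ISAKMP SA: how often the router raised "Need config/address", which address it pushed, which transaction message IDs the peer ACKed, and any PROPOSAL_NOT_CHOSEN or "Unknown Input" events. The regular expressions are written against the exact message strings in the post and are an assumption; other IOS releases may word these lines differently. The embedded sample is a constructed, trimmed copy of the post's debug output, not a live capture.

```python
import re
from collections import Counter

# Constructed sample input: a trimmed copy of the "debug crypto isakmp" lines
# quoted in the post (same SA, addresses and message IDs), not a live capture.
SAMPLE_DEBUG = """\
5d23h: ISAKMP:(80653):Need config/address
5d23h: ISAKMP: set new node 1768971286 to CONF_ADDR
5d23h: ISAKMP: Sending private address: 94.94.0.164
5d23h: ISAKMP:(80653):Old State = IKE_P1_COMPLETE  New State = IKE_CONFIG_MODE_SET_SENT
5d23h: ISAKMP:(80653):processing transaction payload from 171.159.1.113. message ID = 1768971286
5d23h: ISAKMP: Config payload ACK
5d23h: ISAKMP:(80653):peer accepted the address!
5d23h: ISAKMP:(80653):Old State = IKE_CONFIG_MODE_SET_SENT  New State = IKE_P1_COMPLETE
5d23h: ISAKMP:(80653):Need config/address
5d23h: ISAKMP: set new node 54789084 to CONF_ADDR
5d23h: ISAKMP: Sending private address: 94.94.0.164
5d23h: ISAKMP:(80653):Old State = IKE_P1_COMPLETE  New State = IKE_CONFIG_MODE_SET_SENT
5d23h: ISAKMP:(80653):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3 spi 1240980124, message ID = -2058471196
5d23h: ISAKMP (80653): Unknown Input IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE:state = IKE_CONFIG_MODE_SET_SENT
5d23h: ISAKMP:(80653):processing transaction payload from 171.159.1.113. message ID = 54789084
5d23h: ISAKMP: Config payload ACK
5d23h: ISAKMP:(80653):Old State = IKE_CONFIG_MODE_SET_SENT  New State = IKE_P1_COMPLETE
"""

# Patterns written against the exact strings in the post. Assumption: other IOS
# releases may word these messages differently, so adjust before reuse.
RE_SA = re.compile(r"ISAKMP[: ]\((\d+)\)")            # "ISAKMP:(80653)" or "ISAKMP (80653)"
RE_ADDR = re.compile(r"Sending private address: (\S+)")
RE_STATE = re.compile(r"Old State = (\w+)\s+New State = (\w+)")
RE_TXN = re.compile(r"processing transaction payload from (\S+)\. message ID = (-?\d+)")
RE_NOTIFY = re.compile(r"Sending NOTIFY (\w+) protocol (\d+) spi (\d+), message ID = (-?\d+)")
RE_UNKNOWN = re.compile(r"Unknown Input (\w+), (\w+):state = (\w+)")


def parse_isakmp_debug(text):
    """Turn debug lines into (kind, fields) events; unrecognised lines are skipped."""
    events = []
    for line in text.splitlines():
        m = RE_SA.search(line)
        sa = m[1] if m else None          # the SA number is absent on some lines
        if "Need config/address" in line:
            events.append(("need_config", {"sa": sa}))
        elif "Config payload ACK" in line:
            events.append(("config_ack", {}))
        elif m := RE_ADDR.search(line):
            events.append(("send_address", {"address": m[1]}))
        elif m := RE_STATE.search(line):
            events.append(("transition", {"sa": sa, "old": m[1], "new": m[2]}))
        elif m := RE_TXN.search(line):
            events.append(("transaction", {"sa": sa, "peer": m[1], "msg_id": int(m[2])}))
        elif m := RE_NOTIFY.search(line):
            events.append(("notify", {"sa": sa, "type": m[1], "protocol": int(m[2]),
                                      "spi": m[3], "msg_id": int(m[4])}))
        elif m := RE_UNKNOWN.search(line):
            events.append(("unknown_input", {"sa": sa, "input": m[1], "event": m[2], "state": m[3]}))
    return events


def summarize(events):
    """Per-SA view of the Mode-Config exchange the debug shows."""
    s = {"config_rounds": Counter(), "addresses": Counter(), "acked_msg_ids": [],
         "notifies": [], "unknown_inputs": []}
    open_msg_id = None   # transaction payload currently being processed, awaiting its ACK
    for kind, d in events:
        if kind == "need_config":
            s["config_rounds"][d["sa"]] += 1
        elif kind == "send_address":
            s["addresses"][d["address"]] += 1
        elif kind == "transaction":
            open_msg_id = d["msg_id"]
        elif kind == "config_ack" and open_msg_id is not None:
            s["acked_msg_ids"].append(open_msg_id)
            open_msg_id = None
        elif kind == "notify":
            s["notifies"].append(d)
        elif kind == "unknown_input":
            s["unknown_inputs"].append(d)
    return s


def find_anomalies(summary):
    """One finding per debug pattern that indicates the exchange is not progressing."""
    findings = []
    for sa, n in summary["config_rounds"].items():
        if n > 1:
            addrs = ", ".join(sorted(summary["addresses"]))
            findings.append(f"SA {sa}: 'Need config/address' raised {n} times although each SET "
                            f"was ACKed; the same address ({addrs}) is pushed repeatedly")
    for d in summary["notifies"]:
        if d["type"] == "PROPOSAL_NOT_CHOSEN":
            # Protocol 3 in the ISAKMP IPsec DOI is ESP: a Quick Mode proposal was refused.
            findings.append(f"SA {d['sa']}: PROPOSAL_NOT_CHOSEN for protocol {d['protocol']} "
                            f"(msg ID {d['msg_id']}); the router did not accept the peer's Quick Mode proposal")
    for d in summary["unknown_inputs"]:
        findings.append(f"SA {d['sa']}: {d['event']} delivered while in {d['state']}, "
                        f"i.e. while still waiting for the config ACK")
    return findings


if __name__ == "__main__":
    summary = summarize(parse_isakmp_debug(SAMPLE_DEBUG))
    print("config-mode rounds per SA:", dict(summary["config_rounds"]))
    print("ACKed message IDs:", summary["acked_msg_ids"])
    for finding in find_anomalies(summary):
        print("-", finding)
```

Feed it the full debug file rather than an extract; if several peers share the router, collect the debug with "debug crypto condition peer ipv4" scoped to the one peer first so the SA counters are not mixed across clients.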

Marcin Latosiewicz
Cisco Employee

William,

Is this a new setup/problem, or did this work before?

Can you paste in full debugs and

show run | s crypto

There are a few known problems in mode config like:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCte83052

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtb72638

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtb60330

So going for the latest in SXI might be best.

But anyway, if possible I would like to see these debugs in full before we move forward ;]

debug crypto isa

debug crypto isa err

You can use "debug crypto condition peer ipv4" to narrow down the debugs.

Marcin