DMVPN problem MM_KEY_Exch

edondurguti
Level 4

Hi..

I have around 100 sites that all connect to my HUB dmvpn router and all work fine except one.. heh.

here is the debug

I am sure the configs are the same as I use it in like 100 other sites so everything else works great and this one worked great but now it doesn't.

I have pings on both ends so that's fine too.

r0#debug crypto isakmp

Crypto ISAKMP debugging is on

milwaukee-rtr0#u all             

Mar 13 07:52:48.496: ISAKMP:(0:1508:SW:1): retransmitting phase 1 MM_KEY_EXCH...

Mar 13 07:52:48.496: ISAKMP (0:134219236): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1

Mar 13 07:52:48.496: ISAKMP:(0:1508:SW:1): retransmitting phase 1 MM_KEY_EXCH

Mar 13 07:52:48.496: ISAKMP:(0:1508:SW:1): sending packet to 70.236.111.11 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH

Mar 13 07:52:48.500: ISAKMP:(0:1509:SW:1): retransmitting phase 1 MM_KEY_EXCH...

Mar 13 07:52:48.500: ISAKMP (0:134219237): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1

Mar 13 07:52:48.500: ISAKMP:(0:1509:SW:1): retransmitting phase 1 MM_KEY_EXCH

Mar 13 07:52:48.500: ISAKMP:(0:1509:SW:1): sending packet to 70.236.111.11 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH

Mar 13 07:52:58.344: ISAKMP:(0:1507:SW:1):purging node 1384246893

Mar 13 07:52:58.344: ISAKMP:(0:1506:SW:1):purging node -169644745

Mar 13 07:52:58.496: ISAKMP:(0:1508:SW:1): retransmitting phase 1 MM_KEY_EXCH...

Mar 13 07:52:58.496: ISAKMP (0:134219236): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1

Mar 13 07:52:58.496: ISAKMP:(0:1508:SW:1): retransmitting phase 1 MM_KEY_EXCH

Mar 13 07:52:58.496: ISAKMP:(0:1508:SW:1): sending packet to 70.236.111.11 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH

Mar 13 07:52:58.500: ISAKMP:(0:1509:SW:1): retransmitting phase 1 MM_KEY_EXCH...

Mar 13 07:52:58.500: ISAKMP (0:134219237): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1

Mar 13 07:52:58.500: ISAKMP:(0:1509:SW:1): retransmitting phase 1 MM_KEY_EXCH

Mar 13 07:52:58.500: ISAKMP:(0:1509:SW:1): sending packet to 70.236.111.11 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH

Mar 13 07:53:08.343: ISAKMP:(0:1507:SW:1):purging SA., sa=65155984, delme=65155984

Mar 13 07:53:08.343: ISAKMP:(0:1506:SW:1):purging SA., sa=66D59880, delme=66D59880

Mar 13 07:53:08.343: ISAKMP: received ke message (3/1)

Mar 13 07:53:08.343: ISAKMP:(0:1509:SW:1):peer does not do paranoid keepalives.

Mar 13 07:53:08.343: ISAKMP:(0:1509:SW:1):deleting SA reason "P1 delete notify (in)" state (I) MM_KEY_EXCH (peer 70.236.111.11)

Mar 13 07:53:08.343: ISAKMP:(0:1508:SW:1):peer does not do paranoid keepalives.

Mar 13 07:53:08.343: ISAKMP:(0:1508:SW:1):deleting SA reason "P1 delete notify (in)" state (I) MM_KEY_EXCH (peer 70.236.111.11)

Mar 13 07:53:08.343: ISAKMP: received ke message (1/1)

Mar 13 07:53:08.343: ISAKMP:(0:0:N/A:0): SA request profile is (NULL)

Mar 13 07:53:08.343: ISAKMP: Created a peer struct for 70.236.111.11, peer port 500

Mar 13 07:53:08.343: ISAKMP: New peer created peer = 0x6514EEA0 peer_handle = 0x800051ED

Mar 13 07:53:08.343: ISAKMP: Locking peer struct 0x6514EEA0, IKE refcount 1 for isakmp_initiator

Mar 13 07:53:08.343: ISAKMP: local port 500, remote port 500

Mar 13 07:53:08.343: ISAKMP: set new node 0 to QM_IDLE     

Mar 13 07:53:08.343: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 65154190

Mar 13 07:53:08.343: ISAKMP:(0:0:N/A:0):Can not start Aggressive mode, trying Main mode.

Mar 13 07:53:08.343: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 70.236.111.11

Mar 13 07:53:08.343: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-07 ID

Mar 13 07:53:08.343: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-03 ID

Mar 13 07:53:08.343: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-02 ID

Mar 13 07:53:08.343: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM

Mar 13 07:53:08.343: ISAKMP:(0:0:N/A:0):Old State = IKE_READY  New State = IKE_I_MM1

Mar 13 07:53:08.343: ISAKMP:(0:0:N/A:0): beginning Main Mode exchange

Mar 13 07:53:08.343: ISAKMP:(0:0:N/A:0): sending packet to 70.236.111.11 my_port 500 peer_port 500 (I) MM_NO_STATE

Mar 13 07:53:08.343: ISAKMP:(0:1509:SW:1):deleting SA reason "P1 delete notify (in)" state (I) MM_KEY_EXCH (peer 70.236.111.11)

Mar 13 07:53:08.343: ISAKMP: Unlocking IKE struct 0x65155608 for isadb_mark_sa_deleted(), count 0

Mar 13 07:53:08.343: ISAKMP: Deleting peer node by peer_reap for 70.236.111.11: 65155608

Mar 13 07:53:08.343: ISAKMP:(0:1509:SW:1):deleting node -816338854 error FALSE reason "IKE deleted"

Mar 13 07:53:08.343: ISAKMP:(0:1509:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL

Mar 13 07:53:08.343: ISAKMP:(0:1509:SW:1):Old State = IKE_I_MM5  New State = IKE_DEST_SA

Mar 13 07:53:08.343: ISAKMP:(0:1508:SW:1):deleting SA reason "P1 delete notify (in)" state (I) MM_KEY_EXCH (peer 70.236.111.11)

Mar 13 07:53:08.343: ISAKMP: Unlocking IKE struct 0x65153588 for isadb_mark_sa_deleted(), count 0

Mar 13 07:53:08.343: ISAKMP: Deleting peer node by peer_reap for 70.236.111.11: 65153588

Mar 13 07:53:08.343: ISAKMP:(0:1508:SW:1):deleting node 648673899 error FALSE reason "IKE deleted"

Mar 13 07:53:08.343: ISAKMP:(0:1508:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL

Mar 13 07:53:08.347: ISAKMP:(0:1508:SW:1):Old State = IKE_I_MM5  New State = IKE_DEST_SA

Mar 13 07:53:08.383: ISAKMP (0:0): received packet from 70.236.111.11 dport 500 sport 500 Global (I) MM_NO_STATE

Mar 13 07:53:08.383: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

Mar 13 07:53:08.383: ISAKMP:(0:0:N/A:0):Old State = IKE_I_MM1  New State = IKE_I_MM2

Mar 13 07:53:08.383: ISAKMP:(0:0:N/A:0): processing SA payload. message ID = 0

Mar 13 07:53:08.383: ISAKMP:(0:0:N/A:0): processing vendor id payload

Mar 13 07:53:08.383: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 245 mismatch

Mar 13 07:53:08.383: ISAKMP (0:0): vendor ID is NAT-T v7

Mar 13 07:53:08.383: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 70.236.111.11

Mar 13 07:53:08.383: ISAKMP:(0:0:N/A:0): local preshared key found

Mar 13 07:53:08.383: ISAKMP : Scanning profiles for xauth ...

Mar 13 07:53:08.383: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 2 policy

Mar 13 07:53:08.383: ISAKMP:      encryption 3DES-CBC

Mar 13 07:53:08.383: ISAKMP:      hash SHA

Mar 13 07:53:08.383: ISAKMP:      default group 2

Mar 13 07:53:08.383: ISAKMP:      auth pre-share

Mar 13 07:53:08.383: ISAKMP:      life type in seconds

Mar 13 07:53:08.383: ISAKMP:      life duration (basic) of 28800

Mar 13 07:53:08.383: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 0

Mar 13 07:53:08.399: ISAKMP:(0:1510:SW:1): processing vendor id payload

Mar 13 07:53:08.399: ISAKMP:(0:1510:SW:1): vendor ID seems Unity/DPD but major 245 mismatch

Mar 13 07:53:08.399: ISAKMP (0:134219238): vendor ID is NAT-T v7

Mar 13 07:53:08.399: ISAKMP:(0:1510:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

Mar 13 07:53:08.399: ISAKMP:(0:1510:SW:1):Old State = IKE_I_MM2  New State = IKE_I_MM2

Mar 13 07:53:08.399: ISAKMP:(0:1510:SW:1): sending packet to 70.236.111.11 my_port 500 peer_port 500 (I) MM_SA_SETUP

Mar 13 07:53:08.399: ISAKMP:(0:1510:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

Mar 13 07:53:08.399: ISAKMP:(0:1510:SW:1):Old State = IKE_I_MM2  New State = IKE_I_MM3

Mar 13 07:53:08.475: ISAKMP (0:134219238): received packet from 70.236.111.11 dport 500 sport 500 Global (I) MM_SA_SETUP

Mar 13 07:53:08.475: ISAKMP:(0:1510:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

Mar 13 07:53:08.475: ISAKMP:(0:1510:SW:1):Old State = IKE_I_MM3  New State = IKE_I_MM4

Mar 13 07:53:08.479: ISAKMP:(0:1510:SW:1): processing KE payload. message ID = 0

Mar 13 07:53:08.495: ISAKMP:(0:1510:SW:1): processing NONCE payload. message ID = 0

Mar 13 07:53:08.495: ISAKMP:(0:1510:SW:1):found peer pre-shared key matching 70.236.111.11

Mar 13 07:53:08.495: ISAKMP:(0:1510:SW:1):SKEYID state generated

Mar 13 07:53:08.495: ISAKMP:(0:1510:SW:1): processing vendor id payload

Mar 13 07:53:08.495: ISAKMP:(0:1510:SW:1): vendor ID is Unity

Mar 13 07:53:08.495: ISAKMP:(0:1510:SW:1): processing vendor id payload

Mar 13 07:53:08.495: ISAKMP:(0:1510:SW:1): vendor ID is DPD

Mar 13 07:53:08.495: ISAKMP:(0:1510:SW:1): processing vendor id payload

Mar 13 07:53:08.495: ISAKMP:(0:1510:SW:1): speaking to another IOS box!

Mar 13 07:53:08.495: ISAKMP (0:134219238): NAT found, the node inside NAT

Mar 13 07:53:08.495: ISAKMP:(0:1510:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

Mar 13 07:53:08.495: ISAKMP:(0:1510:SW:1):Old State = IKE_I_MM4  New State = IKE_I_MM4

Mar 13 07:53:08.495: ISAKMP:(0:1510:SW:1):Send initial contact

Mar 13 07:53:08.495: ISAKMP:(0:1510:SW:1):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR

Mar 13 07:53:08.495: ISAKMP (0:134219238): ID payload

        next-payload : 8

        type         : 1

        address      : 192.168.3.100

        protocol     : 17

        port         : 0

        length       : 12

Mar 13 07:53:08.495: ISAKMP:(0:1510:SW:1):Total payload length: 12

Mar 13 07:53:08.499: ISAKMP:(0:1510:SW:1): sending packet to 70.236.111.11 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH

Mar 13 07:53:08.499: ISAKMP:(0:1510:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

Mar 13 07:53:08.499: ISAKMP:(0:1510:SW:1):Old State = IKE_I_MM4  New State = IKE_I_MM5

Mar 13 07:53:18.499: ISAKMP:(0:1510:SW:1): retransmitting phase 1 MM_KEY_EXCH...

Mar 13 07:53:18.499: ISAKMP (0:134219238): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1

Mar 13 07:53:18.499: ISAKMP:(0:1510:SW:1): retransmitting phase 1 MM_KEY_EXCH

Mar 13 07:53:18.499: ISAKMP:(0:1510:SW:1): sending packet to 70.236.111.11 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH

Mar 13 07:53:28.498: ISAKMP:(0:1510:SW:1): retransmitting phase 1 MM_KEY_EXCH...

Mar 13 07:53:28.498: ISAKMP (0:134219238): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1

Mar 13 07:53:28.498: ISAKMP:(0:1510:SW:1): retransmitting phase 1 MM_KEY_EXCH

Mar 13 07:53:28.498: ISAKMP:(0:1510:SW:1): sending packet to 70.236.111.11 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH

All possible debugging has been turned off

4 Replies

rizwanr74
Level 7

I would confirm whether both client and server have a phase 1 policy in place.

crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2

jacksonm15
Level 1

I was having a similar issue. My problem was that there was an ACL on the tunnel source that was not permitting the public IP of the HUB.

Rudy Sanjoko
Level 4

You might want to check your NAT-T configuration, because it looks like your VPN has a problem with NAT-T; it can be seen from the port number (4500). The good news is that it succeeded in negotiating ISAKMP attributes.
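
The pattern the replies point at (replies arriving on UDP 500, then silence once the exchange moves to UDP 4500) can be checked mechanically. The following is an added example, not part of the original thread or any Cisco tool: the function names and result labels are hypothetical, and the sample lines are abridged from the debug output in the question.

```python
import re
from collections import defaultdict

# Constructed sample: lines abridged from the debug output posted in the question.
SAMPLE = """\
Mar 13 07:53:08.343: ISAKMP:(0:0:N/A:0): sending packet to 70.236.111.11 my_port 500 peer_port 500 (I) MM_NO_STATE
Mar 13 07:53:08.383: ISAKMP (0:0): received packet from 70.236.111.11 dport 500 sport 500 Global (I) MM_NO_STATE
Mar 13 07:53:08.399: ISAKMP:(0:1510:SW:1): sending packet to 70.236.111.11 my_port 500 peer_port 500 (I) MM_SA_SETUP
Mar 13 07:53:08.475: ISAKMP (0:134219238): received packet from 70.236.111.11 dport 500 sport 500 Global (I) MM_SA_SETUP
Mar 13 07:53:08.495: ISAKMP (0:134219238): NAT found, the node inside NAT
Mar 13 07:53:08.499: ISAKMP:(0:1510:SW:1): sending packet to 70.236.111.11 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
Mar 13 07:53:18.499: ISAKMP (0:134219238): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Mar 13 07:53:18.499: ISAKMP:(0:1510:SW:1): sending packet to 70.236.111.11 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
"""

SENT = re.compile(r"sending packet to (\S+) my_port (\d+) peer_port \d+ \([IR]\) (\S+)")
RCVD = re.compile(r"received packet from (\S+) dport (\d+) sport \d+")
RETX = re.compile(r"attempt \d+ of \d+: retransmit phase 1")

def summarize(log):
    """Count IKE packets per peer and local UDP port, plus retransmits."""
    peers = defaultdict(lambda: {"sent": defaultdict(int), "rcvd": defaultdict(int),
                                 "retransmits": 0, "nat": False, "last_state": None})
    last_peer = None  # lines without a peer IP are attributed to the last peer seen
    for line in log.splitlines():
        if m := SENT.search(line):
            last_peer = m.group(1)
            peers[last_peer]["sent"][int(m.group(2))] += 1
            peers[last_peer]["last_state"] = m.group(3)
        elif m := RCVD.search(line):
            last_peer = m.group(1)
            peers[last_peer]["rcvd"][int(m.group(2))] += 1
        elif last_peer and RETX.search(line):
            peers[last_peer]["retransmits"] += 1
        elif last_peer and "NAT found" in line:
            peers[last_peer]["nat"] = True
    return peers

def diagnose(p):
    """Heuristic only: where in the UDP 500 -> 4500 sequence the replies stop."""
    if p["nat"] and p["rcvd"][500] and p["sent"][4500] and not p["rcvd"][4500]:
        return "stalled-after-nat-t-float"   # check filtering of UDP 4500 on the path
    if p["sent"][500] and not p["rcvd"][500]:
        return "no-reply-on-udp-500"
    return "no-stall-detected"

if __name__ == "__main__":
    for ip, p in summarize(SAMPLE).items():
        print(ip, p["last_state"], p["retransmits"], diagnose(p))
```

A "stalled-after-nat-t-float" result only says where the exchange stops; the hub-side debug or a capture on the path is still needed to tell a filtered UDP 4500 from a packet the peer received and rejected.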

Steve11
Level 1

I realise this was 3 years ago, but did you manage to find a fix for this? I'm coming up against a similar problem and can't get to the bottom of it.