- Cisco Community
- Technology and Support
- Security
- VPN
- IPsec over GRE not coming up, cant see why, debug inc...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
IPsec over GRE not coming up, cant see why, debug inc...
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
07-04-2013 06:32 AM - edited 02-21-2020 07:00 PM
Hi all,
Rattling my brains here, as far as i can see everything is fine, it should be working, but for some reason its not, and i cant see anything in the debug thats hinting to the reason why, can anyone help me out with this?
im normally good at this stuff, but this time its got me!
the hub config works with many 3 other spokes configured in the same way!
Thanks for any help guys
SPOKE
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 5
crypto isakmp key xxxxxxxxxxxxxxxxx address xxx.xxx.xxx.xx3
crypto isakmp keepalive 10 4
crypto isakmp nat keepalive 30
!
!
crypto ipsec transform-set AES-256_SHA esp-aes 256 esp-sha-hmac
mode transport
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
mode transport
!
crypto ipsec profile GRE_TUNNEL
set transform-set AES-SHA
!
!
archive
log config
hidekeys
!
!
ip ssh version 2
!
!
!
interface Tunnel1
bandwidth 100000
ip address 192.168.100.103 255.255.255.0
no ip redirects
ip mtu 1440
ip nhrp authentication xxxxxx
ip nhrp map 192.168.100.1 xxx.xxx.xxx.xx3
ip nhrp map multicast xxx.xxx.xxx.xx3
ip nhrp network-id 100
ip nhrp holdtime 450
ip nhrp nhs 192.168.100.1
ip tcp adjust-mss 1360
qos pre-classify
tunnel source Vlan100
tunnel mode gre multipoint
tunnel key 100
tunnel protection ipsec profile GRE_TUNNEL
!
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
pvc 1/50
dialer pool-member 1
protocol ppp dialer
!
dsl operating-mode auto
!
interface FastEthernet0
switchport access vlan 100
!
interface FastEthernet1
switchport access vlan 103
!
interface FastEthernet2
switchport access vlan 103
!
interface FastEthernet3
switchport access vlan 103
!
interface Vlan1
no ip address
ip virtual-reassembly
ip tcp adjust-mss 1452
shutdown
!
interface Vlan100
ip address dhcp
ip nbar protocol-discovery
ip nat outside
ip inspect UserTraffic out
ip virtual-reassembly
!
interface Vlan103
ip address 192.168.103.254 255.255.255.0
ip nat inside
ip virtual-reassembly
!
!
router eigrp 100
network 192.168.100.0
network 192.168.103.0
auto-summary
!
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.1.254
!
!
no ip http server
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list OUTBOUND interface Vlan100 overload
!
ip access-list extended INBOUND
deny tcp any any eq 22
deny tcp any any eq telnet
permit ip any any
deny ip any any
ip access-list extended OUTBOUND
permit ip any any
deny ip any any
HUB
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 15
encr 3des
authentication pre-share
!
crypto isakmp policy 20
encr 3des
authentication pre-share
group 2
lifetime 7800
!
crypto isakmp policy 50
encr aes 256
authentication pre-share
group 5
crypto isakmp key xxxxxxxxxx address 0.0.0.0 0.0.0.0
crypto isakmp fragmentation
crypto isakmp keepalive 10 4
crypto isakmp nat keepalive 30
crypto ipsec security-association idle-time 7800
!
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
mode transport
crypto ipsec transform-set AES_MD5_TUNNEL esp-aes 256 esp-md5-hmac
!
crypto ipsec profile DataTunnels
set transform-set AES-SHA
!
!!
interface Tunnel1
bandwidth 1000
ip address 192.168.100.1 255.255.255.0
no ip redirects
ip mtu 1400
no ip next-hop-self eigrp 100
ip nhrp authentication xxxxxxxxxxx
ip nhrp map multicast dynamic
ip nhrp network-id 100
ip nhrp holdtime 450
ip tcp adjust-mss 1360
no ip split-horizon eigrp 100
qos pre-classify
tunnel source Dialer1
tunnel mode gre multipoint
tunnel key 100
tunnel protection ipsec profile DataTunnels
!
!
interface ATM0
no ip address
no atm ilmi-keepalive
pvc 1/50
dialer pool-member 1
protocol ppp dialer
!
!
interface FastEthernet0
description INTERNAL LAN
switchport access vlan 201
!
interface FastEthernet1
switchport access vlan 201
!
interface FastEthernet2
switchport access vlan 201
!
interface Vlan201
ip address 192.168.201.254 255.255.255.252
ip nat inside
ip virtual-reassembly
interface Dialer1
ip address negotiated
ip access-group INBOUND in
ip nbar protocol-discovery
ip nat outside
ip inspect UserTraffic out
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1300
load-interval 30
no cdp enable
!
!
router eigrp 100
network 192.168.100.0
network 192.168.201.0
redistribute static
!
router nhrp
!
router odr
ip nat inside source list OUTBOUND interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip access-list extended INBOUND
permit ip 192.168.250.0 0.0.0.15 192.168.101.0 0.0.0.255
deny tcp any any eq 22
deny tcp any any eq telnet
permit tcp any host xxx.xxx.xxx.xx3 eq www
permit tcp any host xxx.xxx.xxx.xx3 eq 443
permit tcp any host xxx.xxx.xxx.xx3 eq smtp
permit udp any host xxx.xxx.xxx.xx3 eq isakmp
permit esp any host xxx.xxx.xxx.xx3
permit ahp any host xxx.xxx.xxx.xx3
permit udp any host xxx.xxx.xxx.xx3 eq non500-isakmp
deny ip any any
permit ip any any
ip access-list extended OUTBOUND
permit tcp any any eq smtp
permit tcp any any eq 443
permit ip 192.168.201.0 0.0.0.255 any
deny ip any any
DEBUG
CWT-DATA#sh ip nhrp detail
192.168.100.1/32 via 192.168.100.1, Tunnel1 created 1w5d, never expire
Type: static, Flags: used
NBMA address: xxx.xxx.xxx.xx3
CWT-DATA#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
xxx.xxx.xxx.xx3 192.168.1.7 MM_NO_STATE 2821 0 ACTIVE (deleted)
Jul 4 12:53:35.551: ISAKMP:(2822):Sending an IKE IPv4 Packet.
CWT-DATA#
Jul 4 12:53:45.553: ISAKMP:(2822): retransmitting phase 1 MM_KEY_EXCH...
Jul 4 12:53:45.553: ISAKMP:(2822):peer does not do paranoid keepalives.
Jul 4 12:53:45.553: ISAKMP:(2822):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer xxx.xxx.xxx.xx3)
Jul 4 12:53:45.553: ISAKMP:(2822):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer xxx.xxx.xxx.xx3)
Jul 4 12:53:45.553: ISAKMP: Unlocking peer struct 0x835CCCE8 for isadb_mark_sa_deleted(), count 0
Jul 4 12:53:45.553: ISAKMP: Deleting peer node by peer_reap for xxx.xxx.xxx.xx3: 835CCCE8
Jul 4 12:53:45.553: ISAKMP:(2822):deleting node -32418685 error FALSE reason "IKE deleted"
Jul 4 12:53:45.553: ISAKMP:(2822):deleting node 2092182627 error FALSE reason "IKE deleted"
Jul 4 12:53:45.553: ISAKMP:(2822):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Jul 4 12:53:45.553: ISAKMP:(2822):Old State = IKE_I_MM5 New State = IKE_DEST_SA
Jul 4 12:53:45.585: ISAKMP:(0): SA request profile is (NULL)
Jul 4 12:53:45.585: ISAKMP: Created a peer struct for xxx.xxx.xxx.xx3, peer port 500
Jul 4 12:53:45.585: ISAKMP: New peer created peer = 0x835CCCE8 peer_handle = 0x800025C0
Jul 4 12:53:45.585: ISAKMP: Locking peer struct 0x835CCCE8, refcount 1 for isakmp_initiator
Jul 4 12:53:45.585: ISAKMP: local port 500, remote port 500
Jul 4 12:53:45.585: ISAKMP: set new node 0 to QM_IDLE
Jul 4 12:53:45.585: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 8333DA70
Jul 4 12:53:45.585: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
Jul 4 12:53:45.585: ISAKMP:(0):found peer pre-shared key matching xxx.xxx.xxx.xx3
Jul 4 12:53:45.585: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
Jul 4 12:53:45.585: ISAKMP:(0): constructed NAT-T vendor-07 ID
Jul 4 12:53:45.585: ISAKMP:(0): constructed NAT-T vendor-03 ID
Jul 4 12:53:45.585: ISAKMP:(0): constructed NAT-T vendor-02 ID
Jul 4 12:53:45.585: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Jul 4 12:53:45.585: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
Jul 4 12:53:45.589: ISAKMP:(0): beginning Main Mode exchange
Jul 4 12:53:45.589: ISAKMP:(0): sending packet to xxx.xxx.xxx.xx3 my_port 500 peer_port 500 (I) MM_NO_STATE
Jul 4 12:53:45.589: ISAKMP:(0):Sending an IKE IPv4 Packet.
Jul 4 12:53:45.653: ISAKMP (0:0): received packet from xxx.xxx.xxx.xx3 dport 500 sport 500 Global (I) MM_NO_STATE
Jul 4 12:53:45.653: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jul 4 12:53:45.653: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2
Jul 4 12:53:45.653: ISAKMP:(0): processing SA payload. message ID = 0
Jul 4 12:53:45.653: ISAKMP:(0): processing vendor id payload
Jul 4 12:53:45.653: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
Jul 4 12:53:45.653: ISAKMP (0:0): vendor ID is NAT-T RFC 3947
Jul 4 12:53:45.653: ISAKMP:(0):found peer pre-shared key matching xxx.xxx.xxx.xx3
Jul 4 12:53:45.653: ISAKMP:(0): local preshared key found
Jul 4 12:53:45.653: ISAKMP : Scanning profiles for xauth ...
Jul 4 12:53:45.653: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
Jul 4 12:53:45.653: ISAKMP: encryption AES-CBC
Jul 4 12:53:45.653: ISAKMP: keylength of 256
Jul 4 12:53:45.653: ISAKMP: hash SHA
Jul 4 12:53:45.653: ISAKMP: default group 5
Jul 4 12:53:45.653: ISAKMP: auth pre-share
Jul 4 12:53:45.653: ISAKMP: life type in seconds
Jul 4 12:53:45.653: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
Jul 4 12:53:45.657: ISAKMP:(0):atts are acceptable. Next payload is 0
Jul 4 12:53:45.657: ISAKMP:(0):Acceptable atts:actual life: 0
Jul 4 12:53:45.657: ISAKMP:(0):Acceptable atts:life: 0
Jul 4 12:53:45.657: ISAKMP:(0):Fill atts in sa vpi_length:4
Jul 4 12:53:45.657: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
Jul 4 12:53:45.657: ISAKMP:(0):Returning Actual lifetime: 86400
Jul 4 12:53:45.657: ISAKMP:(0)::Started lifetime timer: 86400.
Jul 4 12:53:45.657: ISAKMP:(0): processing vendor id payload
Jul 4 12:53:45.657: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
Jul 4 12:53:45.657: ISAKMP (0:0): vendor ID is NAT-T RFC 3947
Jul 4 12:53:45.657: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Jul 4 12:53:45.657: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2
Jul 4 12:53:45.657: ISAKMP:(0): sending packet to xxx.xxx.xxx.xx3 my_port 500 peer_port 500 (I) MM_SA_SETUP
Jul 4 12:53:45.657: ISAKMP:(0):Sending an IKE IPv4 Packet.
Jul 4 12:53:45.661: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
CWT-DATA#
Jul 4 12:53:45.661: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3
Jul 4 12:53:45.813: ISAKMP (0:0): received packet from xxx.xxx.xxx.xx3 dport 500 sport 500 Global (I) MM_SA_SETUP
Jul 4 12:53:45.817: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jul 4 12:53:45.817: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4
Jul 4 12:53:45.817: ISAKMP:(0): processing KE payload. message ID = 0
Jul 4 12:53:45.989: ISAKMP:(0): processing NONCE payload. message ID = 0
Jul 4 12:53:45.989: ISAKMP:(0):found peer pre-shared key matching xxx.xxx.xxx.xx3
Jul 4 12:53:45.993: ISAKMP:(2823): processing vendor id payload
Jul 4 12:53:45.993: ISAKMP:(2823): vendor ID is Unity
Jul 4 12:53:45.993: ISAKMP:(2823): processing vendor id payload
Jul 4 12:53:45.993: ISAKMP:(2823): vendor ID is DPD
Jul 4 12:53:45.993: ISAKMP:(2823): processing vendor id payload
Jul 4 12:53:45.993: ISAKMP:(2823): speaking to another IOS box!
Jul 4 12:53:45.993: ISAKMP:received payload type 20
Jul 4 12:53:45.993: ISAKMP (0:2823): NAT found, the node inside NAT
Jul 4 12:53:45.993: ISAKMP:received payload type 20
Jul 4 12:53:45.993: ISAKMP:(2823):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Jul 4 12:53:45.993: ISAKMP:(2823):Old State = IKE_I_MM4 New State = IKE_I_MM4
Jul 4 12:53:45.993: ISAKMP:(2823):Send initial contact
Jul 4 12:53:45.993: ISAKMP:(2823):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
Jul 4 12:53:45.993: ISAKMP (0:2823): ID payload
next-payload : 8
type : 1
address : 192.168.1.7
protocol : 17
port : 0
length : 12
Jul 4 12:53:45.993: ISAKMP:(2823):Total payload length: 12
Jul 4 12:53:45.997: ISAKMP:(2823): sending packet to xxx.xxx.xxx.xx3 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
Jul 4 12:53:45.997: ISAKMP:(2823):Sending an IKE IPv4 Packet.
Jul 4 12:53:45.997: ISAKMP:(2823):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
CWT-DATA#
Jul 4 12:53:45.997: ISAKMP:(2823):Old State = IKE_I_MM4 New State = IKE_I_MM5
CWT-DATA#
Jul 4 12:53:55.794: ISAKMP (0:2823): received packet from xxx.xxx.xxx.xx3 dport 500 sport 500 Global (I) MM_KEY_EXCH
Jul 4 12:53:55.794: ISAKMP:(2823): phase 1 packet is a duplicate of a previous packet.
Jul 4 12:53:55.794: ISAKMP:(2823): retransmitting due to retransmit phase 1
Jul 4 12:53:56.294: ISAKMP:(2823): retransmitting phase 1 MM_KEY_EXCH...
Jul 4 12:53:56.294: ISAKMP (0:2823): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Jul 4 12:53:56.294: ISAKMP:(2823): retransmitting phase 1 MM_KEY_EXCH
Jul 4 12:53:56.294: ISAKMP:(2823): sending packet to xxx.xxx.xxx.xx3 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
CWT-DATA#
Jul 4 12:53:56.294: ISAKMP:(2823):Sending an IKE IPv4 Packet.
CWT-DATA#
Jul 4 12:54:05.795: ISAKMP (0:2823): received packet from xxx.xxx.xxx.xx3 dport 500 sport 500 Global (I) MM_KEY_EXCH
Jul 4 12:54:05.795: ISAKMP:(2823): phase 1 packet is a duplicate of a previous packet.
Jul 4 12:54:05.795: ISAKMP:(2823): retransmitting due to retransmit phase 1
Jul 4 12:54:06.295: ISAKMP:(2823): retransmitting phase 1 MM_KEY_EXCH...
Jul 4 12:54:06.295: ISAKMP (0:2823): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
Jul 4 12:54:06.295: ISAKMP:(2823): retransmitting phase 1 MM_KEY_EXCH
Jul 4 12:54:06.295: ISAKMP:(2823): sending packet to xxx.xxx.xxx.xx3 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
CWT-DATA#
Jul 4 12:54:06.295: ISAKMP:(2823):Sending an IKE IPv4 Packet.
CWT-DATA#
Jul 4 12:54:15.797: ISAKMP (0:2823): received packet from xxx.xxx.xxx.xx3 dport 500 sport 500 Global (I) MM_KEY_EXCH
Jul 4 12:54:15.797: ISAKMP:(2823): phase 1 packet is a duplicate of a previous packet.
Jul 4 12:54:15.797: ISAKMP:(2823): retransmitting due to retransmit phase 1
Jul 4 12:54:16.297: ISAKMP:(2823): retransmitting phase 1 MM_KEY_EXCH...
Jul 4 12:54:16.297: ISAKMP (0:2823): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
Jul 4 12:54:16.297: ISAKMP:(2823): retransmitting phase 1 MM_KEY_EXCH
Jul 4 12:54:16.297: ISAKMP:(2823): sending packet to xxx.xxx.xxx.xx3 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
CWT-DATA#
Jul 4 12:54:16.297: ISAKMP:(2823):Sending an IKE IPv4 Packet.
CWT-DATA#
Jul 4 12:54:19.537: ISAKMP: set new node 0 to QM_IDLE
Jul 4 12:54:19.537: ISAKMP:(2823):SA is still budding. Attached new ipsec request to it. (local 192.168.1.7, remote xxx.xxx.xxx.xx3)
Jul 4 12:54:19.537: ISAKMP: Error while processing SA request: Failed to initialize SA
Jul 4 12:54:19.537: ISAKMP: Error while processing KMI message 0, error 2.
CWT-DATA#
Jul 4 12:54:25.794: ISAKMP (0:2823): received packet from xxx.xxx.xxx.xx3 dport 500 sport 500 Global (I) MM_KEY_EXCH
Jul 4 12:54:25.798: ISAKMP:(2823): phase 1 packet is a duplicate of a previous packet.
Jul 4 12:54:25.798: ISAKMP:(2823): retransmitting due to retransmit phase 1
Jul 4 12:54:26.298: ISAKMP:(2823): retransmitting phase 1 MM_KEY_EXCH...
Jul 4 12:54:26.298: ISAKMP (0:2823): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
Jul 4 12:54:26.298: ISAKMP:(2823): retransmitting phase 1 MM_KEY_EXCH
Jul 4 12:54:26.298: ISAKMP:(2823): sending packet to xxx.xxx.xxx.xx3 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
CWT-DATA#
Jul 4 12:54:26.298: ISAKMP:(2823):Sending an IKE IPv4 Packet.
CWT-DATA#
Jul 4 12:54:35.555: ISAKMP:(2822):purging node -32418685
Jul 4 12:54:35.555: ISAKMP:(2822):purging node 2092182627
Jul 4 12:54:35.795: ISAKMP (0:2823): received packet from xxx.xxx.xxx.xx3 dport 500 sport 500 Global (I) MM_KEY_EXCH
Jul 4 12:54:35.795: ISAKMP:(2823): phase 1 packet is a duplicate of a previous packet.
Jul 4 12:54:35.795: ISAKMP:(2823): retransmitting due to retransmit phase 1
Jul 4 12:54:36.295: ISAKMP:(2823): retransmitting phase 1 MM_KEY_EXCH...
Jul 4 12:54:36.295: ISAKMP (0:2823): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
Jul 4 12:54:36.295: ISAKMP:(2823): retransmitting phase 1 MM_KEY_EXCH
CWT-DATA#
Jul 4 12:54:36.295: ISAKMP:(2823): sending packet to xxx.xxx.xxx.xx3 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
Jul 4 12:54:36.295: ISAKMP:(2823):Sending an IKE IPv4 Packet.
CWT-DATA#no debug all
All possible debugging has been turned off
- Labels:
-
IPSEC
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
07-05-2013 04:11 AM
Hi,
For me interesting is the lack of response for packets on UDP port 4500.
HUB permanently sends packets over UDP 500.
Maybe somewhere transmission non-isakmp is blocked ??
Jul 4 12:54:06.295: ISAKMP:(2823): retransmitting phase 1 MM_KEY_EXCH
Jul 4 12:54:06.295: ISAKMP:(2823): sending packet to xxx.xxx.xxx.xx3 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
Jul 4 12:54:06.295: ISAKMP:(2823):Sending an IKE IPv4 Packet.
Jul 4 12:54:15.797: ISAKMP (0:2823): received packet from xxx.xxx.xxx.xx3 dport 500 sport 500 Global (I) MM_KEY_EXCH
Jul 4 12:54:15.797: ISAKMP:(2823): phase 1 packet is a duplicate of a previous packet.
Jul 4 12:54:15.797: ISAKMP:(2823): retransmitting due to retransmit phase 1
Jul 4 12:54:16.297: ISAKMP:(2823): retransmitting phase 1 MM_KEY_EXCH...
Jul 4 12:54:16.297: ISAKMP (0:2823): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
Jul 4 12:54:16.297: ISAKMP:(2823): retransmitting phase 1 MM_KEY_EXCH
Jul 4 12:54:16.297: ISAKMP:(2823): sending packet to xxx.xxx.xxx.xx3 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
Jul 4 12:54:16.297: ISAKMP:(2823):Sending an IKE IPv4 Packet.
Jul 4 12:54:19.537: ISAKMP: set new node 0 to QM_IDLE
Jul 4 12:54:19.537: ISAKMP:(2823):SA is still budding. Attached new ipsec request to it. (local 192.168.1.7, remote xxx.xxx.xxx.xx3)
Jul 4 12:54:19.537: ISAKMP: Error while processing SA request: Failed to initialize SA
Jul 4 12:54:19.537: ISAKMP: Error while processing KMI message 0, error 2.
Jul 4 12:54:25.794: ISAKMP (0:2823): received packet from xxx.xxx.xxx.xx3 dport 500 sport 500 Global (I) MM_KEY_EXCH
Jul 4 12:54:25.798: ISAKMP:(2823): phase 1 packet is a duplicate of a previous packet.
Jul 4 12:54:25.798: ISAKMP:(2823): retransmitting due to retransmit phase 1
Can you check logs or do debug on the HUB?
________________
Best regards,
MB
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
07-05-2013 05:59 AM
heres the hub debug
CWCH#
*Jul 5 11:58:16.208: ISAKMP: set new node 1382820308 to QM_IDLE
*Jul 5 11:58:16.208: ISAKMP:(2116): sending packet to xxx.xxx.xxx.10 my_port 4500 peer_port 4500 (R) QM_IDLE
*Jul 5 11:58:16.208: ISAKMP:(2116):Sending an IKE IPv4 Packet.
*Jul 5 11:58:16.208: ISAKMP:(2116):purging node 1382820308
*Jul 5 11:58:16.208: ISAKMP:(2116):Input = IKE_MESG_FROM_IPSEC, IKE_PHASE2_DEL
*Jul 5 11:58:16.208: ISAKMP:(2116):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Jul 5 12:02:47.504: ISAKMP (2120): received packet from xxx.xxx.xxx.10 dport 4500 sport 62560 Global (R) QM_IDLE
*Jul 5 12:02:47.504: ISAKMP: set new node -146383553 to QM_IDLE
*Jul 5 12:02:47.504: ISAKMP:(2120): processing HASH payload. message ID = -146383553
*Jul 5 12:02:47.504: ISAKMP:(2120): processing NOTIFY DPD/R_U_THERE protocol 1
spi 0, message ID = -146383553, sa = 0x854A7094
*Jul 5 12:02:47.504: ISAKMP:(2120):deleting node -146383553 error FALSE reason "Informational (in) state 1"
*Jul 5 12:02:47.504: ISAKMP:(2120):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Jul 5 12:02:47.504: ISAKMP:(2120):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Jul 5 12:02:47.504: ISAKMP:(2120):DPD/R_U_THERE received from peer xxx.xxx.xxx.10, sequence 0x63A1AE3C
*Jul 5 12:02:47.504: ISAKMP: set new node -1398198787 to QM_IDLE
*Jul 5 12:02:47.504: ISAKMP:(2120):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
spi 2242383312, message ID = -1398198787
*Jul 5 12:02:47.504: ISAKMP:(2120): seq. no 0x63A1AE3C
*Jul 5 12:02:47.504: ISAKMP:(2120): sending packet to xxx.xxx.xxx.10 my_port 4500 peer_port 62560 (R) QM_IDLE
*Jul 5 12:02:47.504: ISAKMP:(2120):Sending an IKE IPv4 Packet.
CWCH#
*Jul 5 12:02:47.504: ISAKMP:(2120):purging node -1398198787
*Jul 5 12:02:47.504: ISAKMP:(2120):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
*Jul 5 12:02:47.504: ISAKMP:(2120):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
CWCH#
*Jul 5 12:02:52.516: ISAKMP (2120): received packet from xxx.xxx.xxx.10 dport 4500 sport 62560 Global (R) QM_IDLE
*Jul 5 12:02:52.516: ISAKMP: set new node -459292560 to QM_IDLE
*Jul 5 12:02:52.516: ISAKMP:(2120): processing HASH payload. message ID = -459292560
*Jul 5 12:02:52.516: ISAKMP:(2120): processing NOTIFY DPD/R_U_THERE protocol 1
spi 0, message ID = -459292560, sa = 0x854A7094
*Jul 5 12:02:52.516: ISAKMP:(2120):deleting node -459292560 error FALSE reason "Informational (in) state 1"
*Jul 5 12:02:52.516: ISAKMP:(2120):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Jul 5 12:02:52.516: ISAKMP:(2120):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Jul 5 12:02:52.516: ISAKMP:(2120):DPD/R_U_THERE received from peer xxx.xxx.xxx.10, sequence 0x63A1AE3D
*Jul 5 12:02:52.516: ISAKMP: set new node -1245354522 to QM_IDLE
*Jul 5 12:02:52.516: ISAKMP:(2120):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
spi 2242383312, message ID = -1245354522
*Jul 5 12:02:52.516: ISAKMP:(2120): seq. no 0x63A1AE3D
*Jul 5 12:02:52.516: ISAKMP:(2120): sending packet to xxx.xxx.xxx.10 my_port 4500 peer_port 62560 (R) QM_IDLE
*Jul 5 12:02:52.516: ISAKMP:(2120):Sending an IKE IPv4 Packet.
CWCH#
*Jul 5 12:02:52.516: ISAKMP:(2120):purging node -1245354522
*Jul 5 12:02:52.520: ISAKMP:(2120):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
*Jul 5 12:02:52.520: ISAKMP:(2120):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
CWCH#
*Jul 5 12:02:55.636: ISAKMP:(2119):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
*Jul 5 12:02:55.636: ISAKMP:(2119):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Jul 5 12:02:55.656: ISAKMP:(2119):purging node 926310294
CWCH#
*Jul 5 12:02:58.000: ISAKMP (2120): received packet from xxx.xxx.xxx.10 dport 4500 sport 62560 Global (R) QM_IDLE
*Jul 5 12:02:58.000: ISAKMP: set new node -1957053939 to QM_IDLE
*Jul 5 12:02:58.000: ISAKMP:(2120): processing HASH payload. message ID = -1957053939
*Jul 5 12:02:58.000: ISAKMP:(2120): processing NOTIFY DPD/R_U_THERE protocol 1
spi 0, message ID = -1957053939, sa = 0x854A7094
*Jul 5 12:02:58.000: ISAKMP:(2120):deleting node -1957053939 error FALSE reason "Informational (in) state 1"
*Jul 5 12:02:58.000: ISAKMP:(2120):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Jul 5 12:02:58.000: ISAKMP:(2120):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Jul 5 12:02:58.000: ISAKMP:(2120):DPD/R_U_THERE received from peer xxx.xxx.xxx.10, sequence 0x63A1AE3E
*Jul 5 12:02:58.000: ISAKMP: set new node -1198504167 to QM_IDLE
*Jul 5 12:02:58.004: ISAKMP:(2120):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
spi 2242383312, message ID = -1198504167
*Jul 5 12:02:58.004: ISAKMP:(2120): seq. no 0x63A1AE3E
*Jul 5 12:02:58.004: ISAKMP:(2120): sending packet to xxx.xxx.xxx.10 my_port 4500 peer_port 62560 (R) QM_IDLE
*Jul 5 12:02:58.004: ISAKMP:(2120):Sending an IKE IPv4 Packet.
CWCH#
*Jul 5 12:02:58.004: ISAKMP:(2120):purging node -1198504167
*Jul 5 12:02:58.004: ISAKMP:(2120):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
*Jul 5 12:02:58.004: ISAKMP:(2120):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
CWCH#
*Jul 5 12:03:03.000: ISAKMP (2120): received packet from xxx.xxx.xxx.10 dport 4500 sport 62560 Global (R) QM_IDLE
*Jul 5 12:03:03.000: ISAKMP: set new node 599666073 to QM_IDLE
*Jul 5 12:03:03.000: ISAKMP:(2120): processing HASH payload. message ID = 599666073
*Jul 5 12:03:03.000: ISAKMP:(2120): processing NOTIFY DPD/R_U_THERE protocol 1
spi 0, message ID = 599666073, sa = 0x854A7094
*Jul 5 12:03:03.000: ISAKMP:(2120):deleting node 599666073 error FALSE reason "Informational (in) state 1"
*Jul 5 12:03:03.000: ISAKMP:(2120):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Jul 5 12:03:03.000: ISAKMP:(2120):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Jul 5 12:03:03.000: ISAKMP:(2120):DPD/R_U_THERE received from peer xxx.xxx.xxx.10, sequence 0x63A1AE3F
*Jul 5 12:03:03.000: ISAKMP: set new node 1035716483 to QM_IDLE
*Jul 5 12:03:03.000: ISAKMP:(2120):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
spi 2242383312, message ID = 1035716483
*Jul 5 12:03:03.000: ISAKMP:(2120): seq. no 0x63A1AE3F
*Jul 5 12:03:03.000: ISAKMP:(2120): sending packet to xxx.xxx.xxx.10 my_port 4500 peer_port 62560 (R) QM_IDLE
*Jul 5 12:03:03.000: ISAKMP:(2120):Sending an IKE IPv4 Packet.
CWCH#
*Jul 5 12:03:03.004: ISAKMP:(2120):purging node 1035716483
*Jul 5 12:03:03.004: ISAKMP:(2120):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
*Jul 5 12:03:03.004: ISAKMP:(2120):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
CWCH#
*Jul 5 12:03:08.008: ISAKMP (2120): received packet from xxx.xxx.xxx.10 dport 4500 sport 62560 Global (R) QM_IDLE
*Jul 5 12:03:08.008: ISAKMP: set new node 230166927 to QM_IDLE
*Jul 5 12:03:08.008: ISAKMP:(2120): processing HASH payload. message ID = 230166927
*Jul 5 12:03:08.008: ISAKMP:(2120): processing NOTIFY DPD/R_U_THERE protocol 1
spi 0, message ID = 230166927, sa = 0x854A7094
*Jul 5 12:03:08.008: ISAKMP:(2120):deleting node 230166927 error FALSE reason "Informational (in) state 1"
*Jul 5 12:03:08.008: ISAKMP:(2120):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Jul 5 12:03:08.008: ISAKMP:(2120):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Jul 5 12:03:08.008: ISAKMP:(2120):DPD/R_U_THERE received from peer xxx.xxx.xxx.10, sequence 0x63A1AE40
*Jul 5 12:03:08.008: ISAKMP: set new node -1886395474 to QM_IDLE
*Jul 5 12:03:08.008: ISAKMP:(2120):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
spi 2242383312, message ID = -1886395474
*Jul 5 12:03:08.008: ISAKMP:(2120): seq. no 0x63A1AE40
*Jul 5 12:03:08.012: ISAKMP:(2120): sending packet to xxx.xxx.xxx.10 my_port 4500 peer_port 62560 (R) QM_IDLE
*Jul 5 12:03:08.012: ISAKMP:(2120):Sending an IKE IPv4 Packet.
CWCH#no
*Jul 5 12:03:08.012: ISAKMP:(2120):purging node -1886395474
*Jul 5 12:03:08.012: ISAKMP:(2120):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
*Jul 5 12:03:08.012: ISAKMP:(2120):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Jul 5 12:03:13.000: ISAKMP (2120): received packet from xxx.xxx.xxx.10 dport 4500 sport 62560 Global (R) QM_IDLE
*Jul 5 12:03:13.000: ISAKMP: set new node 841395293 to QM_IDLE
*Jul 5 12:03:13.000: ISAKMP:(2120): processing HASH payload. message ID = 841395293
*Jul 5 12:03:13.000: ISAKMP:(2120): processing NOTIFY DPD/R_U_THERE protocol 1
spi 0, message ID = 841395293, sa = 0x854A7094
*Jul 5 12:03:13.000: ISAKMP:(2120):deleting node 841395293 error FALSE reason "Informational (in) state 1"
*Jul 5 12:03:13.000: ISAKMP:(2120):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Jul 5 12:03:13.000: ISAKMP:(2120):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Jul 5 12:03:13.000: ISAKMP:(2120):DPD/R_U_THERE received from peer xxx.xxx.xxx.10, sequence 0x63A1AE41
*Jul 5 12:03:13.000: ISAKMP: set new node -820358795 to QM_IDLE
*Jul 5 12:03:13.000: ISAKMP:(2120):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
spi 2242383312, message ID = -820358795
*Jul 5 12:03:13.000: ISAKMP:(2120): seq. no 0x63A1AE41
*Jul 5 12:03:13.000: ISAKMP:(2120): sending packet to xxx.xxx.xxx.10 my_port 4500 peer_port 62560 (R) QM_IDLE
*Jul 5 12:03:13.000: ISAKMP:(2120):Sending an IKE IPv4 Packet.
CWCH#no debug all
All possible debugging has been turned off
CWCH#
*Jul 5 12:03:13.004: ISAKMP:(2120):purging node -820358795
*Jul 5 12:03:13.004: ISAKMP:(2120):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
*Jul 5 12:03:13.004: ISAKMP:(2120):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
07-08-2013 01:02 AM
the tunnels up!
I rekeyed the password, i copy and pasted the original password, can this cause errors you know?
Thanks
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: