IPSEC Tunnel Fails with IOS 15.3

fwiest
Level 1

We have been using IPSEC tunnels forever but after upgrading to IOS 15.3, the tunnels stop working. It only happens when both ends are on 15.3. Has anyone seen this before?

7 Replies

David paull
Level 1

Have not.  Which portion of the tunnel is failing?  Is it establishing IKE Phase 1?  What do the logs say?
My guess is something that was optional is standard or vice versa in 15.3.

Well, that was my guess. I'm not a VPN expert but below is the ISAKMP debug. I have one hub that works with its spokes but that one also has FlexVPN configured on it. So I suspect there is something I configured for FlexVPN that makes it happy. But I can't figure out what that might be.

Feb  7 19:20:49.749 CET: ISAKMP:(0): SA request profile is (NULL)
Feb  7 19:20:49.749 CET: ISAKMP: Created a peer struct for 193.3.3.6, peer port 500
Feb  7 19:20:49.749 CET: ISAKMP: New peer created peer = 0x1663CD4 peer_handle = 0x800000AE
Feb  7 19:20:49.749 CET: ISAKMP: Locking peer struct 0x1663CD4, refcount 1 for isakmp_initiator
Feb  7 19:20:49.749 CET: ISAKMP: local port 500, remote port 500
Feb  7 19:20:49.749 CET: ISAKMP: set new node 0 to QM_IDLE     
Feb  7 19:20:49.749 CET: ISAKMP:(0):insert sa successfully sa = 1068D68
Feb  7 19:20:49.749 CET: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
Feb  7 19:20:49.749 CET: ISAKMP:(0):found peer pre-shared key matching 193.3.3.6
Feb  7 19:20:49.749 CET: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
Feb  7 19:20:49.749 CET: ISAKMP:(0): constructed NAT-T vendor-07 ID
Feb  7 19:20:49.749 CET: ISAKMP:(0): constructed NAT-T vendor-03 ID
Feb  7 19:20:49.749 CET: ISAKMP:(0): constructed NAT-T vendor-02 ID
Feb  7 19:20:49.749 CET: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Feb  7 19:20:49.749 CET: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1

Feb  7 19:20:49.749 CET: ISAKMP:(0): beginning Main Mode exchange
Feb  7 19:20:49.749 CET: ISAKMP:(0): sending packet to 193.3.3.6 my_port 500 peer_port 500 (I) MM_NO_STATE
Feb  7 19:20:49.749 CET: ISAKMP:(0):Sending an IKE IPv4 Packet.
Feb  7 19:20:49.837 CET: ISAKMP (0): received packet from 193.3.3.6 dport 500 sport 500 Global (I) MM_NO_STATE
Feb  7 19:20:49.837 CET: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Feb  7 19:20:49.837 CET: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2

Feb  7 19:20:49.837 CET: ISAKMP:(0): processing SA payload. message ID = 0
Feb  7 19:20:49.837 CET: ISAKMP:(0): processing vendor id payload
Feb  7 19:20:49.837 CET: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
Feb  7 19:20:49.837 CET: ISAKMP (0): vendor ID is NAT-T RFC 3947
Feb  7 19:20:49.837 CET: ISAKMP:(0):found peer pre-shared key matching 193.3.3.6
Feb  7 19:20:49.837 CET: ISAKMP:(0): local preshared key found
Feb  7 19:20:49.837 CET: ISAKMP : Scanning profiles for xauth ...
Feb  7 19:20:49.837 CET: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
Feb  7 19:20:49.837 CET: ISAKMP:      encryption DES-CBC
Feb  7 19:20:49.837 CET: ISAKMP:      hash SHA
Feb  7 19:20:49.837 CET: ISAKMP:      default group 1
Feb  7 19:20:49.837 CET: ISAKMP:      auth pre-share
Feb  7 19:20:49.837 CET: ISAKMP:      life type in seconds
Feb  7 19:20:49.837 CET: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
Feb  7 19:20:49.837 CET: ISAKMP:(0):atts are acceptable. Next payload is 0
Feb  7 19:20:49.837 CET: ISAKMP:(0):Acceptable atts:actual life: 0
Feb  7 19:20:49.837 CET: ISAKMP:(0):Acceptable atts:life: 0
Feb  7 19:20:49.837 CET: ISAKMP:(0):Fill atts in sa vpi_length:4
Feb  7 19:20:49.837 CET: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
Feb  7 19:20:49.837 CET: ISAKMP:(0):Returning Actual lifetime: 86400
Feb  7 19:20:49.837 CET: ISAKMP:(0)::Started lifetime timer: 86400.

Feb  7 19:20:49.837 CET: ISAKMP:(0): processing vendor id payload
Feb  7 19:20:49.837 CET: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
Feb  7 19:20:49.837 CET: ISAKMP (0): vendor ID is NAT-T RFC 3947
Feb  7 19:20:49.837 CET: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Feb  7 19:20:49.837 CET: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2

Feb  7 19:20:49.837 CET: ISAKMP:(0): sending packet to 193.3.3.6 my_port 500 peer_port 500 (I) MM_SA_SETUP
Feb  7 19:20:49.837 CET: ISAKMP:(0):Sending an IKE IPv4 Packet.
Feb  7 19:20:49.837 CET: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Feb  7 19:20:49.837 CET: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3

Feb  7 19:20:49.925 CET: ISAKMP (0): received packet from 193.3.3.6 dport 500 sport 500 Global (I) MM_SA_SETUP
Feb  7 19:20:49.925 CET: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Feb  7 19:20:49.925 CET: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4

Feb  7 19:20:49.925 CET: ISAKMP:(0): processing KE payload. message ID = 0
Feb  7 19:20:49.925 CET: ISAKMP:(0): processing NONCE payload. message ID = 0
Feb  7 19:20:49.925 CET: ISAKMP:(0):found peer pre-shared key matching 193.3.3.6
Feb  7 19:20:49.925 CET: ISAKMP:(9103): processing vendor id payload
Feb  7 19:20:49.925 CET: ISAKMP:(9103): vendor ID is Unity
Feb  7 19:20:49.925 CET: ISAKMP:(9103): processing vendor id payload
Feb  7 19:20:49.925 CET: ISAKMP:(9103): vendor ID is DPD
Feb  7 19:20:49.925 CET: ISAKMP:(9103): processing vendor id payload
Feb  7 19:20:49.925 CET: ISAKMP:(9103): speaking to another IOS box!
Feb  7 19:20:49.925 CET: ISAKMP:received payload type 20
Feb  7 19:20:49.925 CET: ISAKMP (9103): His hash no match - this node outside NAT
Feb  7 19:20:49.925 CET: ISAKMP:received payload type 20
Feb  7 19:20:49.925 CET: ISAKMP (9103): No NAT Found for self or peer
Feb  7 19:20:49.925 CET: ISAKMP:(9103):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Feb  7 19:20:49.925 CET: ISAKMP:(9103):Old State = IKE_I_MM4  New State = IKE_I_MM4

Feb  7 19:20:49.925 CET: ISAKMP:(9103):Send initial contact
Feb  7 19:20:49.925 CET: ISAKMP:(9103):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
Feb  7 19:20:49.925 CET: ISAKMP (9103): ID payload
        next-payload : 8
        type         : 1
        address      : 82.141.163.10
        protocol     : 17
        port         : 500
        length       : 12
Feb  7 19:20:49.925 CET: ISAKMP:(9103):Total payload length: 12
Feb  7 19:20:49.929 CET: ISAKMP:(9103): sending packet to 193.3.3.6 my_port 500 peer_port 500 (I) MM_KEY_EXCH
Feb  7 19:20:49.929 CET: ISAKMP:(9103):Sending an IKE IPv4 Packet.
Feb  7 19:20:49.929 CET: ISAKMP:(9103):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Feb  7 19:20:49.929 CET: ISAKMP:(9103):Old State = IKE_I_MM4  New State = IKE_I_MM5
.
Feb  7 19:20:51.017 CET: ISAKMP (9103): received packet from 193.3.3.6 dport 500 sport 500 Global (I) MM_KEY_EXCH
Feb  7 19:20:51.017 CET: ISAKMP:(9103): phase 1 packet is a duplicate of a previous packet.
Feb  7 19:20:51.017 CET: ISAKMP:(9103): retransmitting due to retransmit phase 1
Feb  7 19:20:51.517 CET: ISAKMP:(9103): retransmitting phase 1 MM_KEY_EXCH...
Feb  7 19:20:51.517 CET: ISAKMP (9103): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Feb  7 19:20:51.517 CET: ISAKMP:(9103): retransmitting phase 1 MM_KEY_EXCH
Feb  7 19:20:51.517 CET: ISAKMP:(9103): sending packet to 193.3.3.6 my_port 500 peer_port 500 (I) MM_KEY_EXCH
Feb  7 19:20:51.517 CET: ISAKMP:(9103):Sending an IKE IPv4 Packet.....
Success rate is 0 percent (0/5)
vpn-01.bud.gss.hu#
Feb  7 19:21:01.517 CET: ISAKMP:(9103): retransmitting phase 1 MM_KEY_EXCH...
Feb  7 19:21:01.517 CET: ISAKMP (9103): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
Feb  7 19:21:01.517 CET: ISAKMP:(9103): retransmitting phase 1 MM_KEY_EXCH
Feb  7 19:21:01.517 CET: ISAKMP:(9103): sending packet to 193.3.3.6 my_port 500 peer_port 500 (I) MM_KEY_EXCH
Feb  7 19:21:01.517 CET: ISAKMP:(9103):Sending an IKE IPv4 Packet.
Feb  7 19:21:02.109 CET: ISAKMP (9103): received packet from 193.3.3.6 dport 500 sport 500 Global (I) MM_KEY_EXCH
Feb  7 19:21:02.109 CET: ISAKMP:(9103): phase 1 packet is a duplicate of a previous packet.
Feb  7 19:21:02.109 CET: ISAKMP:(9103): retransmission skipped for phase 1 (time since last transmission 592)term no mon
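An added helper, not part of this thread or of IOS, that summarises a `debug crypto isakmp` capture like the one above: it tracks the initiator's Main Mode state transitions and retransmit counter to show where Phase 1 stalls. The sample debug inside it is constructed to mirror the shape of the poster's output; the state meanings are standard IKEv1 Main Mode, and the verdict strings are the author's own heuristics.

```python
import re

# Constructed excerpt shaped like the thread's debug output; timestamps and
# SA ids are placeholders, not a capture from the poster's routers.
SAMPLE_DEBUG = """\
Feb  7 19:20:49.749 CET: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
Feb  7 19:20:49.837 CET: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2
Feb  7 19:20:49.837 CET: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3
Feb  7 19:20:49.925 CET: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4
Feb  7 19:20:49.925 CET: ISAKMP (9103): No NAT Found for self or peer
Feb  7 19:20:49.929 CET: ISAKMP:(9103):Old State = IKE_I_MM4  New State = IKE_I_MM5
Feb  7 19:20:51.017 CET: ISAKMP:(9103): phase 1 packet is a duplicate of a previous packet.
Feb  7 19:20:51.517 CET: ISAKMP (9103): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Feb  7 19:21:01.517 CET: ISAKMP (9103): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
"""

STATE_RE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
RETRANS_RE = re.compile(r"incrementing error counter on sa, attempt (\d+) of (\d+)")

# Initiator-side Main Mode states: what was last sent and what is awaited.
MEANING = {
    "IKE_I_MM1": "MM1 sent (proposals); awaiting MM2",
    "IKE_I_MM2": "MM2 received (proposal accepted)",
    "IKE_I_MM3": "MM3 sent (KE, nonce, NAT-D); awaiting MM4",
    "IKE_I_MM4": "MM4 received (peer KE, nonce, NAT-D)",
    "IKE_I_MM5": "MM5 sent (ID + hash, first encrypted message); awaiting MM6",
    "IKE_P1_COMPLETE": "Phase 1 complete",
}

def analyse(debug_text):
    """Return the last state reached, retransmit count, NAT detection and a verdict."""
    transitions, retransmits, nat_found, duplicates = [], 0, None, 0
    for line in debug_text.splitlines():
        if m := STATE_RE.search(line):
            if m.group(1) != m.group(2):            # skip MM2->MM2 style self-loops
                transitions.append(m.group(2))
        elif RETRANS_RE.search(line):
            retransmits += 1
        elif "No NAT Found" in line:
            nat_found = False
        elif "nat found" in line.lower():           # heuristic for the "NAT found" variant
            nat_found = True
        elif "duplicate of a previous packet" in line:
            duplicates += 1                         # peer is resending its last message
    last = transitions[-1] if transitions else "IKE_READY"
    if last == "IKE_P1_COMPLETE":
        verdict = "phase 1 succeeded"
    elif last == "IKE_I_MM5" and retransmits:
        verdict = ("stalled after MM5: peer keeps resending MM4 instead of answering, so it "
                   "could not accept our encrypted ID/hash (check PSK, ID type, NAT-T settings)")
    elif retransmits:
        verdict = f"stalled at {last}: no reply at all, check reachability and UDP 500 filtering"
    else:
        verdict = f"stopped at {last} without retransmits"
    return {"last_state": last, "meaning": MEANING.get(last, "?"), "retransmits": retransmits,
            "nat_detected": nat_found, "duplicates": duplicates, "verdict": verdict}
```

Run `analyse()` over the real capture from both routers; the responder's debug, not the initiator's, usually states why MM5 was rejected.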

Feb  7 19:20:49.925 CET: ISAKMP (9103): His hash no match - this node outside NAT
Feb  7 19:20:49.925 CET: ISAKMP:received payload type 20
Feb  7 19:20:49.925 CET: ISAKMP (9103): No NAT Found for self or peer
I think this is related to the mismatch error also.
As far as I know NAT-Traversal is disabled by default.

The command to enable it is "isakmp nat-traversal natkeepalive 3600" that's an hour.

But I feel like something is expecting a NAT address and not getting it or something else NAT-related.

Thanks Paul. I couldn't find that command exactly but found "crypto isakmp nat keepalive...". I assume that is the same thing? I tried that with no difference. I am bypassing NAT in my ACL so I shouldn't have a need for anything relating to NATing. So this is pretty perplexing.

How are you bypassing NAT?

Oh, well, I guess that isn't exactly true. I'm not going through an "nat inside" interface but it still could get hung up with NAT. After I make that change, is there a clear of some sort to make it effective?

No, it'll renegotiate.  You can clear crypto ipsec sa or whatever the command is to bring down the tunnel and let it renegotiate if phase 1 is still up.