05-26-2021 01:17 PM
I am trying to configure a VPN connection from my Cisco ASR 1001 router to AWS. I have used the configuration that I got from AWS, but the tunnel protocol will not come up. sh crypto isakmp sa just showed that I have an active connection with MM_NO_STATE status. AWS support told me that they are not seeing any negotiation on their side. Is there anyone there that can help? Thanks.
05-26-2021 01:26 PM
Please can you provide your ASR configuration and information on what is configured in AWS (screenshots).
Turn on ike debugs on the ASR and attempt to establish the VPN, provide the debug output for review.
05-27-2021 07:27 AM
Hi Rob,
Thank you in advance for looking into my issue. Here is the Cisco ASR config with the incorporated AWS Config.
! Last configuration change at 15:51:09 EDT Wed May 26 2021 by admin
! NVRAM config last updated at 09:48:13 EDT Sat May 1 2021 by admin
!
version 15.5
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
no service dhcp
no platform punt-keepalive disable-kernel-core
platform qos match-statistics per-filter
!
hostname cogent
!
boot-start-marker
boot system flash bootflash:asr1001-universalk9.03.16.08.S.155-3.S8-ext.bin
boot-end-marker
!
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
logging buffered 51200 informational
no logging monitor
enable password 7 XXXXXXXXXXXXXXXXXX
!
aaa new-model
!
!
!
!
!
!
!
!
aaa session-id common
clock timezone EST -5 0
clock summer-time EDT recurring
no ip source-route
!
!
!
!
!
!
!
!
!
!
!
no ip bootp server
ip name-server 66.28.0.45 66.28.0.61
ip domain name urban.org
!
!
!
login on-failure log
login on-success log
ipv6 multicast rpf use-bgp
ipv6 multicast vrf Mgmt-intf rpf use-bgp
!
!
!
!
!
!
!
subscriber templating
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
license udi pid ASR1001 sn XXXXXXXXXXXXXXXXXX
license boot level advipservices
archive
log config
logging enable
notify syslog contenttype plaintext
hidekeys
!
spanning-tree extend system-id
!
username admin password 7 XXXXXXXXXXXXXXXXXX
!
redundancy
mode none
!
!
!
!
!
!
track 1 interface GigabitEthernet0/0/3 line-protocol
!
!
class-map match-all voice
match access-group 130
!
policy-map voicepolicy
class voice
priority percent 20
class class-default
fair-queue
!
!
!
crypto keyring keyring-vpn-0ec351a6e6b2cbd47-1
local-address <ip address of giga0/0/3>
pre-shared-key address <ip address of aws outside tunnel1> key XXXXXXXXXXXXXXXXXX
!
!
!
!
!
crypto isakmp policy 200
encr aes
authentication pre-share
group 2
lifetime 28800
crypto isakmp keepalive 10 10
crypto isakmp profile isakmp-vpn-0ec351a6e6b2cbd47-1
keyring keyring-vpn-0ec351a6e6b2cbd47-1
match identity address <ip address of aws outside tunnel1>
local-address <ip address of giga0/0/3>
!
crypto ipsec security-association replay window-size 128
!
crypto ipsec transform-set ipsec-prop-vpn-0ec351a6e6b2cbd47-1 esp-aes esp-sha-hmac
mode tunnel
crypto ipsec df-bit clear
!
!
crypto ipsec profile ipsec-vpn-0ec351a6e6b2cbd47-1
set transform-set ipsec-prop-vpn-0ec351a6e6b2cbd47-1
set pfs group2
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Tunnel1
ip address 169.254.227.218 255.255.255.252
ip tcp adjust-mss 1379
tunnel source <ip address of giga0/0/3>
tunnel mode ipsec ipv4
tunnel destination <ip address of aws outside tunnel1>
tunnel protection ipsec profile ipsec-vpn-0ec351a6e6b2cbd47-1
ip virtual-reassembly
!
interface GigabitEthernet0/0/0
description "Urban Interface"
ip address <Ip address and subnet>
no ip proxy-arp
ip access-group 130 out
standby 1 ip <IP address of HSRP Virtual Interface>
standby 1 priority 101
standby 1 preempt
standby 1 track 1 decrement 10
speed 1000
no negotiation auto
arp timeout 60
!
interface GigabitEthernet0/0/1
description "VOIP Gateway"
ip address <Ip address and subnet>
ip nat inside
ip access-group 120 in
ip access-group 140 out
negotiation auto
!
interface GigabitEthernet0/0/2
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0/0/3
description "Cogent #36KFGS309428CD"
bandwidth 1000000
ip address <ip address of giga0/0/3> 255.255.255.248
no ip proxy-arp
ip nat outside
ip access-group 111 in
ip access-group 120 out
negotiation auto
service-policy output voicepolicy
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
no ip address
shutdown
negotiation auto
!
router bgp 25778
bgp log-neighbor-changes
neighbor 38.142.219.25 remote-as 174
neighbor 38.142.219.25 version 4
neighbor 169.254.150.41 remote-as 7224
neighbor 169.254.150.41 timers 10 30 30
neighbor 169.254.227.217 remote-as 7224
neighbor 169.254.227.217 timers 10 30 30
neighbor 192.188.252.2 remote-as 25778
!
address-family ipv4
network 38.142.219.24 mask 255.255.255.248
network 192.188.252.0
neighbor 38.142.219.25 activate
neighbor 38.142.219.25 send-community
neighbor 38.142.219.25 route-map TO-COGENT out
neighbor 169.254.150.41 activate
neighbor 169.254.150.41 default-originate
neighbor 169.254.150.41 soft-reconfiguration inbound
neighbor 169.254.150.41 prefix-list filter-default out
neighbor 169.254.150.41 route-map AWS-IN in
neighbor 169.254.227.217 activate
neighbor 169.254.227.217 default-originate
neighbor 169.254.227.217 soft-reconfiguration inbound
neighbor 169.254.227.217 prefix-list filter-default out
neighbor 169.254.227.217 route-map AWS-IN in
neighbor 192.188.252.2 activate
neighbor 192.188.252.2 next-hop-self
exit-address-family
!
ip default-gateway 38.142.219.25
no ip nat service sip tcp port 5060
no ip nat service sip udp port 5060
ip nat pool OverCogent 38.142.219.27 38.142.219.27 netmask 255.255.255.248
ip nat pool FOComcast 38.142.219.28 38.142.219.28 prefix-length 29
ip nat inside source list 20 pool OverCogent overload
ip nat inside source list 30 pool FOComcast overload
no ip forward-protocol nd
!
ip bgp-community new-format
no ip http server
no ip http secure-server
ip tftp source-interface GigabitEthernet0/0/0
ip route 0.0.0.0 0.0.0.0 38.142.219.25
ip route 192.168.0.0 255.255.0.0 192.188.252.112
ip route 192.168.8.0 255.255.252.0 192.188.252.112
ip route 192.168.16.0 255.255.240.0 192.188.252.112
ip route 192.188.252.128 255.255.255.128 192.188.252.112
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh rsa keypair-name XXXXXXXXXXXXXXXXXX
ip ssh version 2
!
ip access-list extended UrbanPrivNet-AWS-VPN
permit ip 192.168.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
!
ip prefix-list filter-default seq 5 deny 0.0.0.0/0
ip prefix-list filter-default seq 10 permit 0.0.0.0/0 le 32
logging facility local3
logging source-interface GigabitEthernet0/0/0
logging host 192.188.252.18 transport tcp port 1515
access-list 7 permit 0.0.0.0 255.255.255.240
access-list 10 permit 192.188.252.0 0.0.0.255
access-list 20 permit 192.168.32.0 0.0.15.255
access-list 30 permit 50.238.236.198
access-list 40 permit 204.11.201.12
access-list 40 permit 4.2.2.1
access-list 40 permit 4.2.2.2
access-list 40 permit 192.188.252.2
access-list 40 permit 108.61.73.244
access-list 50 permit 192.188.252.0 0.0.0.255
access-list 70 permit 192.168.8.0 0.0.3.255
access-list 70 permit 192.168.16.0 0.0.15.255
access-list 70 permit 192.188.252.0 0.0.0.255
access-list 70 deny any
access-list 80 permit any
access-list 102 permit udp host 208.67.222.222 eq domain any
access-list 102 permit udp host 208.67.220.220 eq domain any
access-list 102 permit udp host 64.72.64.10 eq domain any
access-list 102 permit udp host 72.22.160.14 eq domain any
access-list 102 permit tcp host 208.67.222.222 eq domain any
access-list 102 permit tcp host 208.67.220.220 eq domain any
access-list 102 permit tcp host 64.72.64.10 eq domain any
access-list 102 permit tcp host 72.22.160.14 eq domain any
access-list 102 permit udp host 66.28.0.45 eq domain any
access-list 102 permit udp host 66.28.0.61 eq domain any
access-list 102 permit tcp host 66.28.0.45 eq domain any
access-list 102 permit tcp host 66.28.0.61 eq domain any
access-list 102 deny ip any host 192.188.252.5
access-list 102 permit ip any any
access-list 110 permit ip 10.2.0.0 0.0.255.255 any
access-list 110 permit ip 10.20.0.0 0.0.255.255 any
access-list 110 permit ip 172.31.0.0 0.0.255.255 any
access-list 111 deny tcp any any eq 139
access-list 111 deny tcp any any eq msrpc
access-list 111 deny tcp any any eq 445
access-list 111 deny ip 127.0.0.0 0.0.0.255 any
access-list 111 deny ip 10.0.0.0 0.255.255.255 any
access-list 111 deny ip 172.16.0.0 0.0.15.255 any
access-list 111 deny ip 192.168.0.0 0.0.255.255 any
access-list 111 permit ip any any
access-list 120 permit ip any any
access-list 130 deny udp any any eq bootps
access-list 130 deny udp 192.168.32.0 0.0.15.255 host 192.168.8.8 eq ntp
access-list 130 deny tcp host 192.168.32.10 host 192.168.25.40 eq 8014
access-list 130 permit ip any any
access-list 140 permit ip any host 192.168.32.10
access-list 140 permit udp any eq ntp any
access-list 140 permit ip 8.28.0.0 0.0.3.255 192.168.32.0 0.0.15.255
access-list 140 permit ip 162.221.238.0 0.0.1.255 192.168.32.0 0.0.15.255
access-list 140 permit ip 192.84.16.0 0.0.3.255 192.168.32.0 0.0.15.255
access-list 140 permit ip 162.221.236.0 0.0.1.255 192.168.32.0 0.0.15.255
access-list 140 permit ip 8.5.248.0 0.0.1.255 192.168.32.0 0.0.15.255
access-list 140 permit ip 63.209.12.0 0.0.0.255 192.168.32.0 0.0.15.255
access-list 140 permit ip 217.163.57.0 0.0.0.255 192.168.32.0 0.0.15.255
access-list 140 permit ip 64.95.100.96 0.0.0.15 192.168.32.0 0.0.15.255
access-list 140 permit ip 103.239.164.0 0.0.0.255 192.168.32.0 0.0.15.255
access-list 140 permit ip 117.20.40.192 0.0.0.15 192.168.32.0 0.0.15.255
access-list 140 permit ip 103.252.162.0 0.0.0.255 192.168.32.0 0.0.15.255
access-list 140 permit ip 168.90.173.112 0.0.0.15 192.168.32.0 0.0.15.255
access-list 140 permit udp host 208.67.222.222 eq domain any
access-list 140 permit udp host 208.67.222.220 eq domain any
access-list 140 permit tcp host 208.67.222.222 eq domain any
access-list 140 permit tcp host 208.67.222.220 eq domain any
access-list 140 permit icmp 192.168.0.0 0.0.255.255 any
access-list 140 deny ip any any
access-list 150 permit udp any eq ntp any
access-list 150 permit ip host 8.28.0.12 192.168.32.0 0.0.15.255
access-list 150 permit udp 8.28.0.0 0.0.3.255 192.168.32.0 0.0.15.255
access-list 150 permit udp 162.221.238.0 0.0.1.255 192.168.32.0 0.0.15.255
access-list 150 permit udp 192.84.16.0 0.0.3.255 192.168.32.0 0.0.15.255
access-list 150 permit udp 162.221.236.0 0.0.1.255 192.168.32.0 0.0.15.255
access-list 150 permit udp 8.5.248.0 0.0.1.255 192.168.32.0 0.0.15.255
access-list 150 permit udp 63.209.12.0 0.0.0.255 192.168.32.0 0.0.15.255
access-list 150 permit udp 217.163.57.0 0.0.0.255 192.168.32.0 0.0.15.255
access-list 150 permit udp 64.95.100.96 0.0.0.15 192.168.32.0 0.0.15.255
access-list 150 permit udp 103.239.164.0 0.0.0.255 192.168.32.0 0.0.15.255
access-list 150 permit udp 117.20.40.192 0.0.0.15 192.168.32.0 0.0.15.255
access-list 150 permit udp 103.252.162.0 0.0.0.255 192.168.32.0 0.0.15.255
access-list 150 permit udp 168.90.173.112 0.0.0.15 192.168.32.0 0.0.15.255
access-list 150 permit udp 168.138.74.128 0.0.0.63 192.168.32.0 0.0.15.255
access-list 150 permit udp 140.238.129.0 0.0.0.63 192.168.32.0 0.0.15.255
access-list 150 permit udp 129.151.79.0 0.0.0.255 192.168.32.0 0.0.15.255
access-list 150 permit udp 152.67.181.0 0.0.0.63 192.168.32.0 0.0.15.255
access-list 150 permit udp 158.101.200.0 0.0.0.63 192.168.32.0 0.0.15.255
access-list 150 permit udp 129.159.80.0 0.0.0.255 192.168.32.0 0.0.15.255
access-list 150 permit udp 168.138.245.128 0.0.0.127 192.168.32.0 0.0.15.255
access-list 150 permit udp 130.61.163.0 0.0.0.127 192.168.32.0 0.0.15.255
access-list 150 permit udp 152.67.145.0 0.0.0.255 192.168.32.0 0.0.15.255
access-list 150 permit udp 158.101.41.0 0.0.0.255 192.168.32.0 0.0.15.255
access-list 150 permit tcp 8.28.0.0 0.0.3.255 192.168.32.0 0.0.15.255
access-list 150 permit tcp 162.221.238.0 0.0.1.255 192.168.32.0 0.0.15.255
access-list 150 permit tcp 192.84.16.0 0.0.3.255 192.168.32.0 0.0.15.255
access-list 150 permit tcp 162.221.236.0 0.0.1.255 192.168.32.0 0.0.15.255
access-list 150 permit tcp 8.5.248.0 0.0.1.255 192.168.32.0 0.0.15.255
access-list 150 permit tcp 63.209.12.0 0.0.0.255 192.168.32.0 0.0.15.255
access-list 150 permit tcp 217.163.57.0 0.0.0.255 192.168.32.0 0.0.15.255
access-list 150 permit tcp 64.95.100.96 0.0.0.15 192.168.32.0 0.0.15.255
access-list 150 permit tcp 103.239.164.0 0.0.0.255 192.168.32.0 0.0.15.255
access-list 150 permit tcp 117.20.40.192 0.0.0.15 192.168.32.0 0.0.15.255
access-list 150 permit tcp 103.252.162.0 0.0.0.255 192.168.32.0 0.0.15.255
access-list 150 permit tcp 168.90.173.112 0.0.0.15 192.168.32.0 0.0.15.255
access-list 150 permit tcp 168.138.74.128 0.0.0.63 192.168.32.0 0.0.15.255
access-list 150 permit tcp 140.238.129.0 0.0.0.63 192.168.32.0 0.0.15.255
access-list 150 permit tcp 129.151.79.0 0.0.0.255 192.168.32.0 0.0.15.255
access-list 150 permit tcp 152.67.181.0 0.0.0.63 192.168.32.0 0.0.15.255
access-list 150 permit tcp 158.101.200.0 0.0.0.63 192.168.32.0 0.0.15.255
access-list 150 permit tcp 129.159.80.0 0.0.0.255 192.168.32.0 0.0.15.255
access-list 150 permit tcp 168.138.245.128 0.0.0.127 192.168.32.0 0.0.15.255
access-list 150 permit tcp 130.61.163.0 0.0.0.127 192.168.32.0 0.0.15.255
access-list 150 permit tcp 152.67.145.0 0.0.0.255 192.168.32.0 0.0.15.255
access-list 150 permit tcp 158.101.41.0 0.0.0.255 192.168.32.0 0.0.15.255
access-list 150 permit icmp 8.28.0.0 0.0.3.255 192.168.32.0 0.0.15.255
access-list 150 permit icmp 162.221.238.0 0.0.1.255 192.168.32.0 0.0.15.255
access-list 150 permit icmp 192.84.16.0 0.0.3.255 192.168.32.0 0.0.15.255
access-list 150 permit icmp 162.221.236.0 0.0.1.255 192.168.32.0 0.0.15.255
access-list 150 permit icmp 8.5.248.0 0.0.1.255 192.168.32.0 0.0.15.255
access-list 150 permit icmp 63.209.12.0 0.0.0.255 192.168.32.0 0.0.15.255
access-list 150 permit icmp 217.163.57.0 0.0.0.255 192.168.32.0 0.0.15.255
access-list 150 permit icmp 64.95.100.96 0.0.0.15 192.168.32.0 0.0.15.255
access-list 150 permit icmp 103.239.164.0 0.0.0.255 192.168.32.0 0.0.15.255
access-list 150 permit icmp 117.20.40.192 0.0.0.15 192.168.32.0 0.0.15.255
access-list 150 permit icmp 103.252.162.0 0.0.0.255 192.168.32.0 0.0.15.255
access-list 150 permit icmp 168.90.173.112 0.0.0.15 192.168.32.0 0.0.15.255
access-list 150 permit icmp 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 150 permit icmp 168.138.74.128 0.0.0.63 192.168.32.0 0.0.15.255
access-list 150 permit icmp 140.238.129.0 0.0.0.63 192.168.32.0 0.0.15.255
access-list 150 permit icmp 129.151.79.0 0.0.0.255 192.168.32.0 0.0.15.255
access-list 150 permit icmp 152.67.181.0 0.0.0.63 192.168.32.0 0.0.15.255
access-list 150 permit icmp 158.101.200.0 0.0.0.63 192.168.32.0 0.0.15.255
access-list 150 permit icmp 129.159.80.0 0.0.0.255 192.168.32.0 0.0.15.255
access-list 150 permit icmp 168.138.245.128 0.0.0.127 192.168.32.0 0.0.15.255
access-list 150 permit icmp 130.61.163.0 0.0.0.127 192.168.32.0 0.0.15.255
access-list 150 permit icmp 152.67.145.0 0.0.0.255 192.168.32.0 0.0.15.255
access-list 150 permit icmp 158.101.41.0 0.0.0.255 192.168.32.0 0.0.15.255
access-list 150 permit udp host 208.67.222.222 eq domain any
access-list 150 permit udp host 208.67.220.220 eq domain any
access-list 150 permit tcp host 208.67.222.222 eq domain any
access-list 150 permit tcp host 208.67.222.220 eq domain any
access-list 150 deny ip any any log
!
route-map TO-COGENT permit 10
match ip address 10
set as-path prepend 25778 25778
!
route-map AWS-IN permit 10
match ip address 110
!
snmp-server community XXXXXXXXXXXXXXXXXX RO 70
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
banner login C
*** Access by Unauthorized Users Prohibited ***
!
line con 0
exec-timeout 5 0
password 7 XXXXXXXXXXXXXXXXXX
stopbits 1
line aux 0
exec-timeout 5 0
password 7 XXXXXXXXXXXXXXXXXX
stopbits 1
line vty 0 4
access-class 70 in
exec-timeout 15 0
password 7 XXXXXXXXXXXXXXXXXX
transport input telnet ssh
!
ntp allow mode control 3
ntp server 4.2.2.1
ntp server 4.2.2.2
ntp peer 192.188.252.2
ntp server 0.north-america.pool.ntp.org minpoll 8
!
end
05-27-2021 07:39 AM
@eegrad85 what about the ike debugs output and the AWS configuration screenshots?
05-27-2021 07:42 AM
Rob,
I am still trying to figure out how to get it.
eegrad85
05-27-2021 08:26 AM
May 27 11:23:36.657 EDT: ISAKMP: (0):purging node 2519928943
May 27 11:23:36.657 EDT: ISAKMP: (0):purging node 1176141962
May 27 11:23:37.093 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
May 27 11:23:37.093 EDT: ISAKMP: (0):: incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
May 27 11:23:37.093 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE
May 27 11:23:37.094 EDT: ISAKMP-PAK: (0):sending packet to 3.216.207.21 my_port 500 peer_port 500 (I) MM_NO_STATE
May 27 11:23:37.094 EDT: ISAKMP: (0):Sending an IKE IPv4 Packet.
May 27 11:23:45.184 EDT: BGP: 169.254.150.41 Active open failed - update-source NULL is not available, open active delayed 13312ms (35000ms max, 60% jitter)
May 27 11:23:46.658 EDT: ISAKMP: (0):purging SA., sa=7FA7F9026168, delme=7FA7F9026168
May 27 11:23:47.091 EDT: IPSEC:(SESSION ID = 1) (key_engine) request timer fired: count = 2,
(identity) local= 38.142.219.26:0, remote= 3.216.207.21:0,
local_proxy= 0.0.0.0/0.0.0.0/256/0,
remote_proxy= 0.0.0.0/0.0.0.0/256/0
May 27 11:23:47.093 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
May 27 11:23:47.093 EDT: ISAKMP: (0):peer does not do paranoid keepalives.
May 27 11:23:47.093 EDT: ISAKMP-ERROR: (0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 3.216.207.21)
May 27 11:23:47.093 EDT: ISAKMP-ERROR: (0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 3.216.207.21)
May 27 11:23:47.093 EDT: ISAKMP: (0):Unlocking peer struct 0x7FA7F91102F8 for isadb_mark_sa_deleted(), count 0
May 27 11:23:47.093 EDT: ISAKMP: (0):Deleting peer node by peer_reap for 3.216.207.21: 7FA7F91102F8
May 27 11:23:47.098 EDT: ISAKMP: (0):deleting node 1344168541 error FALSE reason "IKE deleted"
May 27 11:23:47.098 EDT: ISAKMP: (0):deleting node 1059467101 error FALSE reason "IKE deleted"
May 27 11:23:47.098 EDT: ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
May 27 11:23:47.098 EDT: ISAKMP: (0):Old State = IKE_I_MM1 New State = IKE_DEST_SA
May 27 11:23:47.098 EDT: IPSEC(key_engine): got a queue event with 1 KMI message(s)
May 27 11:23:47.232 EDT: BGP: 169.254.227.217 Active open failed - update-source NULL is not available, open active delayed 9216ms (35000ms max, 60% jitter)
May 27 11:23:47.526 EDT: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 38.142.219.26:500, remote= 3.216.207.21:500,
local_proxy= 0.0.0.0/0.0.0.0/256/0,
remote_proxy= 0.0.0.0/0.0.0.0/256/0,
protocol= ESP, transform= esp-aes esp-sha-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
May 27 11:23:47.527 EDT: ISAKMP: (0):SA request profile is (NULL)
May 27 11:23:47.527 EDT: ISAKMP: (0):Created a peer struct for 3.216.207.21, peer port 500
May 27 11:23:47.527 EDT: ISAKMP: (0):New peer created peer = 0x7FA7F9105438 peer_handle = 0x800006B3
May 27 11:23:47.527 EDT: ISAKMP: (0):Locking peer struct 0x7FA7F9105438, refcount 1 for isakmp_initiator
May 27 11:23:47.527 EDT: ISAKMP: (0):local port 500, remote port 500
May 27 11:23:47.527 EDT: ISAKMP: (0):set new node 0 to QM_IDLE
May 27 11:23:47.527 EDT: ISAKMP: (0):Find a dup sa in the avl tree during calling isadb_insert sa = 7FA7F9026168
May 27 11:23:47.527 EDT: ISAKMP: (0):Can not start Aggressive mode, trying Main mode.
May 27 11:23:47.527 EDT: ISAKMP: (0):found peer pre-shared key matching 3.216.207.21
May 27 11:23:47.527 EDT: ISAKMP: (0):constructed NAT-T vendor-rfc3947 ID
May 27 11:23:47.527 EDT: ISAKMP: (0):constructed NAT-T vendor-07 ID
May 27 11:23:47.527 EDT: ISAKMP: (0):constructed NAT-T vendor-03 ID
May 27 11:23:47.527 EDT: ISAKMP: (0):constructed NAT-T vendor-02 ID
May 27 11:23:47.527 EDT: ISAKMP: (0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
May 27 11:23:47.527 EDT: ISAKMP: (0):Old State = IKE_READY New State = IKE_I_MM1
May 27 11:23:47.527 EDT: ISAKMP: (0):beginning Main Mode exchange
May 27 11:23:47.527 EDT: ISAKMP-PAK: (0):sending packet to 3.216.207.21 my_port 500 peer_port 500 (I) MM_NO_STATE
May 27 11:23:47.527 EDT: ISAKMP: (0):Sending an IKE IPv4 Packet.
05-27-2021 08:34 AM
Here is the AWS Config screenshot
05-27-2021 08:39 AM
more logs.
May 27 11:31:00.524 EDT: ISAKMP: (0):Sending an IKE IPv4 Packet.
May 27 11:31:03.502 EDT: BGP: 169.254.150.41 Active open failed - update-source NULL is not available, open active delayed 13312ms (35000ms max, 60% jitter)
May 27 11:31:04.526 EDT: BGP: 169.254.227.217 Active open failed - update-source NULL is not available, open active delayed 13312ms (35000ms max, 60% jitter)
May 27 11:31:10.525 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
May 27 11:31:10.525 EDT: ISAKMP: (0):: incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
May 27 11:31:10.525 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE
May 27 11:31:10.525 EDT: ISAKMP-PAK: (0):sending packet to 3.216.207.21 my_port 500 peer_port 500 (I) MM_NO_STATE
May 27 11:31:10.525 EDT: ISAKMP: (0):Sending an IKE IPv4 Packet.
May 27 11:31:16.815 EDT: BGP: 169.254.150.41 Active open failed - update-source NULL is not available, open active delayed 7168ms (35000ms max, 60% jitter)
May 27 11:31:17.839 EDT: BGP: 169.254.227.217 Active open failed - update-source NULL is not available, open active delayed 11264ms (35000ms max, 60% jitter)
May 27 11:31:20.524 EDT: IPSEC:(SESSION ID = 1) (key_engine) request timer fired: count = 1,
(identity) local= 38.142.219.26:0, remote= 3.216.207.21:0,
local_proxy= 0.0.0.0/0.0.0.0/256/0,
remote_proxy= 0.0.0.0/0.0.0.0/256/0
May 27 11:31:20.524 EDT: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 38.142.219.26:500, remote= 3.216.207.21:500,
local_proxy= 0.0.0.0/0.0.0.0/256/0,
remote_proxy= 0.0.0.0/0.0.0.0/256/0,
protocol= ESP, transform= esp-aes esp-sha-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
May 27 11:31:20.524 EDT: ISAKMP: (0):set new node 0 to QM_IDLE
May 27 11:31:20.524 EDT: ISAKMP-ERROR: (0):SA is still budding. Attached new ipsec request to it. (local 38.142.219.26, remote 3.216.207.21)
May 27 11:31:20.526 EDT: ISAKMP-ERROR: (0):Error while processing SA request: Failed to initialize SA
May 27 11:31:20.526 EDT: ISAKMP-ERROR: (0):Error while processing KMI message 0, error 2.
May 27 11:31:20.526 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
May 27 11:31:20.526 EDT: ISAKMP: (0):: incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
May 27 11:31:20.526 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE
May 27 11:31:20.526 EDT: ISAKMP-PAK: (0):sending packet to 3.216.207.21 my_port 500 peer_port 500 (I) MM_NO_STATE
May 27 11:31:20.526 EDT: ISAKMP: (0):Sending an IKE IPv4 Packet.
May 27 11:31:23.984 EDT: BGP: 169.254.150.41 Active open failed - update-source NULL is not available, open active delayed 14336ms (35000ms max, 60% jitter)
May 27 11:31:29.104 EDT: BGP: 169.254.227.217 Active open failed - update-source NULL is not available, open active delayed 10240ms (35000ms max, 60% jitter)
May 27 11:31:29.411 EDT: BGP: topo global:IPv4 Unicast:base Scanning routing tables
May 27 11:31:29.412 EDT: BGP: topo global:IPv4 Multicast:base Scanning routing tables
May 27 11:31:29.412 EDT: BGP: topo global:L2VPN E-VPN:base Scanning routing tables
May 27 11:31:29.412 EDT: BGP: topo global:MVPNv4 Unicast:base Scanning routing tables
May 27 11:31:30.526 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
May 27 11:31:30.526 EDT: ISAKMP: (0):: incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
May 27 11:31:30.526 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE
May 27 11:31:30.526 EDT: ISAKMP-PAK: (0):sending packet to 3.216.207.21 my_port 500 peer_port 500 (I) MM_NO_STATE
May 27 11:31:30.526 EDT: ISAKMP: (0):Sending an IKE IPv4 Packet.
May 27 11:31:38.320 EDT: BGP: 169.254.150.41 Active open failed - update-source NULL is not available, open active delayed 8192ms (35000ms max, 60% jitter)
May 27 11:31:39.344 EDT: BGP: 169.254.227.217 Active open failed - update-source NULL is not available, open active delayed 12288ms (35000ms max, 60% jitter)
May 27 11:31:40.107 EDT: ISAKMP: (0):purging node 2871750416
May 27 11:31:40.107 EDT: ISAKMP: (0):purging node 2025881919
May 27 11:31:40.526 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
May 27 11:31:40.526 EDT: ISAKMP: (0):: incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
May 27 11:31:40.526 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE
May 27 11:31:40.526 EDT: ISAKMP-PAK: (0):sending packet to 3.216.207.21 my_port 500 peer_port 500 (I) MM_NO_STATE
May 27 11:31:40.526 EDT: ISAKMP: (0):Sending an IKE IPv4 Packet.
May 27 11:31:46.512 EDT: BGP: 169.254.150.41 Active open failed - update-source NULL is not available, open active delayed 8192ms (35000ms max, 60% jitter)
May 27 11:31:50.107 EDT: ISAKMP: (0):purging SA., sa=7FA7F9026168, delme=7FA7F9026168
May 27 11:31:50.525 EDT: IPSEC:(SESSION ID = 1) (key_engine) request timer fired: count = 2,
(identity) local= 38.142.219.26:0, remote= 3.216.207.21:0,
local_proxy= 0.0.0.0/0.0.0.0/256/0,
remote_proxy= 0.0.0.0/0.0.0.0/256/0
May 27 11:31:50.526 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
May 27 11:31:50.526 EDT: ISAKMP: (0):peer does not do paranoid keepalives.
May 27 11:31:50.526 EDT: ISAKMP-ERROR: (0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 3.216.207.21)
May 27 11:31:50.526 EDT: ISAKMP-ERROR: (0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 3.216.207.21)
May 27 11:31:50.526 EDT: ISAKMP: (0):Unlocking peer struct 0x7FA7F900F968 for isadb_mark_sa_deleted(), count 0
May 27 11:31:50.526 EDT: ISAKMP: (0):Deleting peer node by peer_reap for 3.216.207.21: 7FA7F900F968
May 27 11:31:50.531 EDT: ISAKMP: (0):deleting node 3217270025 error FALSE reason "IKE deleted"
May 27 11:31:50.531 EDT: ISAKMP: (0):deleting node 698558212 error FALSE reason "IKE deleted"
May 27 11:31:50.531 EDT: ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
May 27 11:31:50.531 EDT: ISAKMP: (0):Old State = IKE_I_MM1 New State = IKE_DEST_SA
May 27 11:31:50.531 EDT: IPSEC(key_engine): got a queue event with 1 KMI message(s)
May 27 11:31:50.950 EDT: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 38.142.219.26:500, remote= 3.216.207.21:500,
local_proxy= 0.0.0.0/0.0.0.0/256/0,
remote_proxy= 0.0.0.0/0.0.0.0/256/0,
protocol= ESP, transform= esp-aes esp-sha-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
May 27 11:31:50.950 EDT: ISAKMP: (0):SA request profile is (NULL)
May 27 11:31:50.950 EDT: ISAKMP: (0):Created a peer struct for 3.216.207.21, peer port 500
May 27 11:31:50.950 EDT: ISAKMP: (0):New peer created peer = 0x7FA7F9105438 peer_handle = 0x800006BB
May 27 11:31:50.950 EDT: ISAKMP: (0):Locking peer struct 0x7FA7F9105438, refcount 1 for isakmp_initiator
May 27 11:31:50.950 EDT: ISAKMP: (0):local port 500, remote port 500
May 27 11:31:50.950 EDT: ISAKMP: (0):set new node 0 to QM_IDLE
May 27 11:31:50.950 EDT: ISAKMP: (0):Find a dup sa in the avl tree during calling isadb_insert sa = 7FA7F9026168
May 27 11:31:50.950 EDT: ISAKMP: (0):Can not start Aggressive mode, trying Main mode.
May 27 11:31:50.950 EDT: ISAKMP: (0):found peer pre-shared key matching 3.216.207.21
May 27 11:31:50.950 EDT: ISAKMP: (0):constructed NAT-T vendor-rfc3947 ID
May 27 11:31:50.950 EDT: ISAKMP: (0):constructed NAT-T vendor-07 ID
May 27 11:31:50.950 EDT: ISAKMP: (0):constructed NAT-T vendor-03 ID
May 27 11:31:50.950 EDT: ISAKMP: (0):constructed NAT-T vendor-02 ID
May 27 11:31:50.950 EDT: ISAKMP: (0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
May 27 11:31:50.950 EDT: ISAKMP: (0):Old State = IKE_READY New State = IKE_I_MM1
May 27 11:31:50.950 EDT: ISAKMP: (0):beginning Main Mode exchange
May 27 11:31:50.950 EDT: ISAKMP-PAK: (0):sending packet to 3.216.207.21 my_port 500 peer_port 500 (I) MM_NO_STATE
May 27 11:31:50.950 EDT: ISAKMP: (0):Sending an IKE IPv4 Packet.
May 27 11:31:51.633 EDT: BGP: 169.254.227.217 Active open failed - update-source NULL is not available, open active delayed 14336ms (35000ms max, 60% jitter)
May 27 11:31:54.704 EDT: BGP: 169.254.150.41 Active open failed - update-source NULL is not available, open active delayed 7168ms (35000ms max, 60% jitter)
May 27 11:32:00.950 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
May 27 11:32:00.950 EDT: ISAKMP: (0):: incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
May 27 11:32:00.950 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE
May 27 11:32:00.950 EDT: ISAKMP-PAK: (0):sending packet to 3.216.207.21 my_port 500 peer_port 500 (I) MM_NO_STATE
May 27 11:32:00.950 EDT: ISAKMP: (0):Sending an IKE IPv4 Packet.
May 27 11:32:01.873 EDT: BGP: 169.254.150.41 Active open failed - update-source NULL is not available, open active delayed 9216ms (35000ms max, 60% jitter)
May 27 11:32:05.968 EDT: BGP: 169.254.227.217 Active open failed - update-source NULL is not available, open active delayed 8192ms (35000ms max, 60% jitter)
May 27 11:32:10.951 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
May 27 11:32:10.951 EDT: ISAKMP: (0):: incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
May 27 11:32:10.951 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE
May 27 11:32:10.951 EDT: ISAKMP-PAK: (0):sending packet to 3.216.207.21 my_port 500 peer_port 500 (I) MM_NO_STATE
May 27 11:32:10.951 EDT: ISAKMP: (0):Sending an IKE IPv4 Packet.
May 27 11:32:11.088 EDT: BGP: 169.254.150.41 Active open failed - update-source NULL is not available, open active delayed 14336ms (35000ms max, 60% jitter)
May 27 11:32:14.162 EDT: BGP: 169.254.227.217 Active open failed - update-source NULL is not available, open active delayed 8192ms (35000ms max, 60% jitter)
May 27 11:32:20.949 EDT: IPSEC:(SESSION ID = 1) (key_engine) request timer fired: count = 1,
(identity) local= 38.142.219.26:0, remote= 3.216.207.21:0,
local_proxy= 0.0.0.0/0.0.0.0/256/0,
remote_proxy= 0.0.0.0/0.0.0.0/256/0
May 27 11:32:20.950 EDT: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 38.142.219.26:500, remote= 3.216.207.21:500,
local_proxy= 0.0.0.0/0.0.0.0/256/0,
remote_proxy= 0.0.0.0/0.0.0.0/256/0,
protocol= ESP, transform= esp-aes esp-sha-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
May 27 11:32:20.950 EDT: ISAKMP: (0):set new node 0 to QM_IDLE
May 27 11:32:20.950 EDT: ISAKMP-ERROR: (0):SA is still budding. Attached new ipsec request to it. (local 38.142.219.26, remote 3.216.207.21)
May 27 11:32:20.952 EDT: ISAKMP-ERROR: (0):Error while processing SA request: Failed to initialize SA
May 27 11:32:20.952 EDT: ISAKMP-ERROR: (0):Error while processing KMI message 0, error 2.
May 27 11:32:20.952 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
May 27 11:32:20.952 EDT: ISAKMP: (0):: incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
May 27 11:32:20.952 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE
May 27 11:32:20.952 EDT: ISAKMP-PAK: (0):sending packet to 3.216.207.21 my_port 500 peer_port 500 (I) MM_NO_STATE
May 27 11:32:20.952 EDT: ISAKMP: (0):Sending an IKE IPv4 Packet.
May 27 11:32:22.355 EDT: BGP: 169.254.227.217 Active open failed - update-source NULL is not available, open active delayed 7168ms (35000ms max, 60% jitter)
May 27 11:32:25.429 EDT: BGP: 169.254.150.41 Active open failed - update-source NULL is not available, open active delayed 8192ms (35000ms max, 60% jitter)
May 27 11:32:29.414 EDT: BGP: topo global:IPv4 Unicast:base Scanning routing tables
May 27 11:32:29.415 EDT: BGP: topo global:IPv4 Multicast:base Scanning routing tables
May 27 11:32:29.415 EDT: BGP: topo global:L2VPN E-VPN:base Scanning routing tables
May 27 11:32:29.415 EDT: BGP: topo global:MVPNv4 Unicast:base Scanning routing tables
May 27 11:32:29.524 EDT: BGP: 169.254.227.217 Active open failed - update-source NULL is not available, open active delayed 11264ms (35000ms max, 60% jitter)
May 27 11:32:30.953 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
May 27 11:32:30.953 EDT: ISAKMP: (0):: incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
May 27 11:32:30.953 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE
May 27 11:32:30.953 EDT: ISAKMP-PAK: (0):sending packet to 3.216.207.21 my_port 500 peer_port 500 (I) MM_NO_STATE
May 27 11:32:30.953 EDT: ISAKMP: (0):Sending an IKE IPv4 Packet.
May 27 11:32:33.621 EDT: BGP: 169.254.150.41 Active open failed - update-source NULL is not available, open active delayed 8192ms (35000ms max, 60% jitter)
May 27 11:32:40.532 EDT: ISAKMP: (0):purging node 3217270025
May 27 11:32:40.532 EDT: ISAKMP: (0):purging node 698558212
May 27 11:32:40.788 EDT: BGP: 169.254.227.217 Active open failed - update-source NULL is not available, open active delayed 13312ms (35000ms max, 60% jitter)
May 27 11:32:40.953 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
May 27 11:32:40.953 EDT: ISAKMP: (0):: incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
May 27 11:32:40.953 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE
May 27 11:32:40.953 EDT: ISAKMP-PAK: (0):sending packet to 3.216.207.21 my_port 500 peer_port 500 (I) MM_NO_STATE
May 27 11:32:40.953 EDT: ISAKMP: (0):Sending an IKE IPv4 Packet.
May 27 11:32:41.812 EDT: BGP: 169.254.150.41 Active open failed - update-source NULL is not available, open active delayed 11264ms (35000ms max, 60% jitter)
May 27 11:32:50.531 EDT: ISAKMP: (0):purging SA., sa=7FA7F9158C78, delme=7FA7F9158C78
May 27 11:32:50.949 EDT: IPSEC:(SESSION ID = 1) (key_engine) request timer fired: count = 2,
(identity) local= 38.142.219.26:0, remote= 3.216.207.21:0,
local_proxy= 0.0.0.0/0.0.0.0/256/0,
remote_proxy= 0.0.0.0/0.0.0.0/256/0
May 27 11:32:50.954 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
May 27 11:32:50.954 EDT: ISAKMP: (0):peer does not do paranoid keepalives.
May 27 11:32:50.954 EDT: ISAKMP-ERROR: (0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 3.216.207.21)
May 27 11:32:50.954 EDT: ISAKMP-ERROR: (0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 3.216.207.21)
May 27 11:32:50.954 EDT: ISAKMP: (0):Unlocking peer struct 0x7FA7F9105438 for isadb_mark_sa_deleted(), count 0
May 27 11:32:50.954 EDT: ISAKMP: (0):Deleting peer node by peer_reap for 3.216.207.21: 7FA7F9105438
May 27 11:32:50.959 EDT: ISAKMP: (0):deleting node 3692894607 error FALSE reason "IKE deleted"
May 27 11:32:50.959 EDT: ISAKMP: (0):deleting node 1949528906 error FALSE reason "IKE deleted"
May 27 11:32:50.959 EDT: ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
May 27 11:32:50.959 EDT: ISAKMP: (0):Old State = IKE_I_MM1 New State = IKE_DEST_SA
May 27 11:32:50.960 EDT: IPSEC(key_engine): got a queue event with 1 KMI message(s)
May 27 11:32:51.376 EDT: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 38.142.219.26:500, remote= 3.216.207.21:500,
local_proxy= 0.0.0.0/0.0.0.0/256/0,
remote_proxy= 0.0.0.0/0.0.0.0/256/0,
protocol= ESP, transform= esp-aes esp-sha-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
May 27 11:32:51.376 EDT: ISAKMP: (0):SA request profile is (NULL)
May 27 11:32:51.376 EDT: ISAKMP: (0):Created a peer struct for 3.216.207.21, peer port 500
May 27 11:32:51.376 EDT: ISAKMP: (0):New peer created peer = 0x7FA7F8BD2280 peer_handle = 0x800006BC
May 27 11:32:51.376 EDT: ISAKMP: (0):Locking peer struct 0x7FA7F8BD2280, refcount 1 for isakmp_initiator
May 27 11:32:51.376 EDT: ISAKMP: (0):local port 500, remote port 500
May 27 11:32:51.376 EDT: ISAKMP: (0):set new node 0 to QM_IDLE
May 27 11:32:51.376 EDT: ISAKMP: (0):Find a dup sa in the avl tree during calling isadb_insert sa = 7FA7F9158C78
May 27 11:32:51.376 EDT: ISAKMP: (0):Can not start Aggressive mode, trying Main mode.
May 27 11:32:51.377 EDT: ISAKMP: (0):found peer pre-shared key matching 3.216.207.21
May 27 11:32:51.377 EDT: ISAKMP: (0):constructed NAT-T vendor-rfc3947 ID
May 27 11:32:51.377 EDT: ISAKMP: (0):constructed NAT-T vendor-07 ID
May 27 11:32:51.377 EDT: ISAKMP: (0):constructed NAT-T vendor-03 ID
May 27 11:32:51.377 EDT: ISAKMP: (0):constructed NAT-T vendor-02 ID
May 27 11:32:51.377 EDT: ISAKMP: (0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
May 27 11:32:51.377 EDT: ISAKMP: (0):Old State = IKE_READY New State = IKE_I_MM1
May 27 11:32:51.377 EDT: ISAKMP: (0):beginning Main Mode exchange
May 27 11:32:51.377 EDT: ISAKMP-PAK: (0):sending packet to 3.216.207.21 my_port 500 peer_port 500 (I) MM_NO_STATE
May 27 11:32:51.377 EDT: ISAKMP: (0):Sending an IKE IPv4 Packet.
May 27 11:32:53.076 EDT: BGP: 169.254.150.41 Active open failed - update-source NULL is not available, open active delayed 7168ms (35000ms max, 60% jitter)
May 27 11:32:54.100 EDT: BGP: 169.254.227.217 Active open failed - update-source NULL is not available, open active delayed 8192ms (35000ms max, 60% jitter)
May 27 11:33:00.245 EDT: BGP: 169.254.150.41 Active open failed - update-source NULL is not available, open active delayed 12288ms (35000ms max, 60% jitter)
May 27 11:33:01.377 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
May 27 11:33:01.377 EDT: ISAKMP: (0):: incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
May 27 11:33:01.377 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE
May 27 11:33:01.377 EDT: ISAKMP-PAK: (0):sending packet to 3.216.207.21 my_port 500 peer_port 500 (I) MM_NO_STATE
May 27 11:33:01.377 EDT: ISAKMP: (0):Sending an IKE IPv4 Packet.
May 27 11:33:02.295 EDT: BGP: 169.254.227.217 Active open failed - update-source NULL is not available, open active delayed 12288ms (35000ms max, 60% jitter)
May 27 11:33:11.378 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
May 27 11:33:11.378 EDT: ISAKMP: (0):: incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
May 27 11:33:11.378 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE
May 27 11:33:11.378 EDT: ISAKMP-PAK: (0):sending packet to 3.216.207.21 my_port 500 peer_port 500 (I) MM_NO_STATE
May 27 11:33:11.378 EDT: ISAKMP: (0):Sending an IKE IPv4 Packet.
May 27 11:33:12.534 EDT: BGP: 169.254.150.41 Active open failed - update-source NULL is not available, open active delayed 11264ms (35000ms max, 60% jitter)
May 27 11:33:14.582 EDT: BGP: 169.254.227.217 Active open failed - update-source NULL is not available, open active delayed 12288ms (35000ms max, 60% jitter)
May 27 11:33:21.376 EDT: IPSEC:(SESSION ID = 1) (key_engine) request timer fired: count = 1,
(identity) local= 38.142.219.26:0, remote= 3.216.207.21:0,
local_proxy= 0.0.0.0/0.0.0.0/256/0,
remote_proxy= 0.0.0.0/0.0.0.0/256/0
May 27 11:33:21.376 EDT: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 38.142.219.26:500, remote= 3.216.207.21:500,
local_proxy= 0.0.0.0/0.0.0.0/256/0,
remote_proxy= 0.0.0.0/0.0.0.0/256/0,
protocol= ESP, transform= esp-aes esp-sha-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
May 27 11:33:21.376 EDT: ISAKMP: (0):set new node 0 to QM_IDLE
May 27 11:33:21.376 EDT: ISAKMP-ERROR: (0):SA is still budding. Attached new ipsec request to it. (local 38.142.219.26, remote 3.216.207.21)
May 27 11:33:21.378 EDT: ISAKMP-ERROR: (0):Error while processing SA request: Failed to initialize SA
May 27 11:33:21.378 EDT: ISAKMP-ERROR: (0):Error while processing KMI message 0, error 2.
May 27 11:33:21.378 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
May 27 11:33:21.378 EDT: ISAKMP: (0):: incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
May 27 11:33:21.378 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE
May 27 11:33:21.378 EDT: ISAKMP-PAK: (0):sending packet to 3.216.207.21 my_port 500 peer_port 500 (I) MM_NO_STATE
May 27 11:33:21.378 EDT: ISAKMP: (0):Sending an IKE IPv4 Packet.
May 27 11:33:23.800 EDT: BGP: 169.254.150.41 Active open failed - update-source NULL is not available, open active delayed 13312ms (35000ms max, 60% jitter)
May 27 11:33:26.873 EDT: BGP: 169.254.227.217 Active open failed - update-source NULL is not available, open active delayed 6144ms (35000ms max, 60% jitter)
May 27 11:33:29.417 EDT: BGP: topo global:IPv4 Unicast:base Scanning routing tables
May 27 11:33:29.418 EDT: BGP: topo global:IPv4 Multicast:base Scanning routing tables
May 27 11:33:29.418 EDT: BGP: topo global:L2VPN E-VPN:base Scanning routing tables
May 27 11:33:29.418 EDT: BGP: topo global:MVPNv4 Unicast:base Scanning routing tables
May 27 11:33:31.379 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
May 27 11:33:31.379 EDT: ISAKMP: (0):: incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
May 27 11:33:31.379 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE
May 27 11:33:31.379 EDT: ISAKMP-PAK: (0):sending packet to 3.216.207.21 my_port 500 peer_port 500 (I) MM_NO_STATE
May 27 11:33:31.379 EDT: ISAKMP: (0):Sending an IKE IPv4 Packet.
May 27 11:33:33.017 EDT: BGP: 169.254.227.217 Active open failed - update-source NULL is not available, open active delayed 14336ms (35000ms max, 60% jitter)
May 27 11:33:37.114 EDT: BGP: 169.254.150.41 Active open failed - update-source NULL is not available, open active delayed 13312ms (35000ms max, 60% jitter)
May 27 11:33:40.959 EDT: ISAKMP: (0):purging node 3692894607
May 27 11:33:40.959 EDT: ISAKMP: (0):purging node 1949528906
May 27 11:33:41.379 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
May 27 11:33:41.380 EDT: ISAKMP: (0):: incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
May 27 11:33:41.380 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE
May 27 11:33:41.380 EDT: ISAKMP-PAK: (0):sending packet to 3.216.207.21 my_port 500 peer_port 500 (I) MM_NO_STATE
May 27 11:33:41.380 EDT: ISAKMP: (0):Sending an IKE IPv4 Packet.
May 27 11:33:47.355 EDT: BGP: 169.254.227.217 Active open failed - update-source NULL is not available, open active delayed 10240ms (35000ms max, 60% jitter)
May 27 11:33:50.427 EDT: BGP: 169.254.150.41 Active open failed - update-source NULL is not available, open active delayed 11264ms (35000ms max, 60% jitter)
May 27 11:33:50.959 EDT: ISAKMP: (0):purging SA., sa=7FA7F9026168, delme=7FA7F9026168
May 27 11:33:51.376 EDT: IPSEC:(SESSION ID = 1) (key_engine) request timer fired: count = 2,
(identity) local= 38.142.219.26:0, remote= 3.216.207.21:0,
local_proxy= 0.0.0.0/0.0.0.0/256/0,
remote_proxy= 0.0.0.0/0.0.0.0/256/0
May 27 11:33:51.380 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
May 27 11:33:51.380 EDT: ISAKMP: (0):peer does not do paranoid keepalives.
May 27 11:33:51.380 EDT: ISAKMP-ERROR: (0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 3.216.207.21)
May 27 11:33:51.380 EDT: ISAKMP-ERROR: (0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 3.216.207.21)
May 27 11:33:51.380 EDT: ISAKMP: (0):Unlocking peer struct 0x7FA7F8BD2280 for isadb_mark_sa_deleted(), count 0
May 27 11:33:51.380 EDT: ISAKMP: (0):Deleting peer node by peer_reap for 3.216.207.21: 7FA7F8BD2280
May 27 11:33:51.384 EDT: ISAKMP: (0):deleting node 2980808616 error FALSE reason "IKE deleted"
May 27 11:33:51.384 EDT: ISAKMP: (0):deleting node 1287617051 error FALSE reason "IKE deleted"
May 27 11:33:51.384 EDT: ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
May 27 11:33:51.384 EDT: ISAKMP: (0):Old State = IKE_I_MM1 New State = IKE_DEST_SA
May 27 11:33:51.384 EDT: IPSEC(key_engine): got a queue event with 1 KMI message(s)
May 27 11:33:51.801 EDT: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 38.142.219.26:500, remote= 3.216.207.21:500,
local_proxy= 0.0.0.0/0.0.0.0/256/0,
remote_proxy= 0.0.0.0/0.0.0.0/256/0,
protocol= ESP, transform= esp-aes esp-sha-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
May 27 11:33:51.801 EDT: ISAKMP: (0):SA request profile is (NULL)
May 27 11:33:51.801 EDT: ISAKMP: (0):Created a peer struct for 3.216.207.21, peer port 500
May 27 11:33:51.801 EDT: ISAKMP: (0):New peer created peer = 0x7FA7F9105438 peer_handle = 0x800006BD
May 27 11:33:51.801 EDT: ISAKMP: (0):Locking peer struct 0x7FA7F9105438, refcount 1 for isakmp_initiator
May 27 11:33:51.801 EDT: ISAKMP: (0):local port 500, remote port 500
May 27 11:33:51.801 EDT: ISAKMP: (0):set new node 0 to QM_IDLE
May 27 11:33:51.801 EDT: ISAKMP: (0):Find a dup sa in the avl tree during calling isadb_insert sa = 7FA7F9026168
May 27 11:33:51.801 EDT: ISAKMP: (0):Can not start Aggressive mode, trying Main mode.
May 27 11:33:51.801 EDT: ISAKMP: (0):found peer pre-shared key matching 3.216.207.21
May 27 11:33:51.801 EDT: ISAKMP: (0):constructed NAT-T vendor-rfc3947 ID
May 27 11:33:51.801 EDT: ISAKMP: (0):constructed NAT-T vendor-07 ID
May 27 11:33:51.801 EDT: ISAKMP: (0):constructed NAT-T vendor-03 ID
May 27 11:33:51.802 EDT: ISAKMP: (0):constructed NAT-T vendor-02 ID
May 27 11:33:51.802 EDT: ISAKMP: (0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
May 27 11:33:51.802 EDT: ISAKMP: (0):Old State = IKE_READY New State = IKE_I_MM1
May 27 11:33:51.802 EDT: ISAKMP: (0):beginning Main Mode exchange
May 27 11:33:51.802 EDT: ISAKMP-PAK: (0):sending packet to 3.216.207.21 my_port 500 peer_port 500 (I) MM_NO_STATE
May 27 11:33:51.802 EDT: ISAKMP: (0):Sending an IKE IPv4 Packet.
May 27 11:33:57.596 EDT: BGP: 169.254.227.217 Active open failed - update-source NULL is not available, open active delayed 9216ms (35000ms max, 60% jitter)
May 27 11:34:01.692 EDT: BGP: 169.254.150.41 Active open failed - update-source NULL is not available, open active delayed 9216ms (35000ms max, 60% jitter)
May 27 11:34:01.801 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
May 27 11:34:01.801 EDT: ISAKMP: (0):: incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
May 27 11:34:01.801 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE
May 27 11:34:01.801 EDT: ISAKMP-PAK: (0):sending packet to 3.216.207.21 my_port 500 peer_port 500 (I) MM_NO_STATE
May 27 11:34:01.801 EDT: ISAKMP: (0):Sending an IKE IPv4 Packet.
May 27 11:34:06.812 EDT: BGP: 169.254.227.217 Active open failed - update-source NULL is not available, open active delayed 12288ms (35000ms max, 60% jitter)
May 27 11:34:10.908 EDT: BGP: 169.254.150.41 Active open failed - update-source NULL is not available, open active delayed 13312ms (35000ms max, 60% jitter)
May 27 11:34:11.802 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
May 27 11:34:11.802 EDT: ISAKMP: (0):: incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
May 27 11:34:11.802 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE
May 27 11:34:11.802 EDT: ISAKMP-PAK: (0):sending packet to 3.216.207.21 my_port 500 peer_port 500 (I) MM_NO_STATE
May 27 11:34:11.802 EDT: ISAKMP: (0):Sending an IKE IPv4 Packet.
May 27 11:34:19.101 EDT: BGP: 169.254.227.217 Active open failed - update-source NULL is not available, open active delayed 14336ms (35000ms max, 60% jitter)
May 27 11:34:21.802 EDT: IPSEC:(SESSION ID = 1) (key_engine) request timer fired: count = 1,
(identity) local= 38.142.219.26:0, remote= 3.216.207.21:0,
local_proxy= 0.0.0.0/0.0.0.0/256/0,
remote_proxy= 0.0.0.0/0.0.0.0/256/0
May 27 11:34:21.802 EDT: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 38.142.219.26:500, remote= 3.216.207.21:500,
local_proxy= 0.0.0.0/0.0.0.0/256/0,
remote_proxy= 0.0.0.0/0.0.0.0/256/0,
protocol= ESP, transform= esp-aes esp-sha-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
May 27 11:34:21.802 EDT: ISAKMP: (0):set new node 0 to QM_IDLE
May 27 11:34:21.802 EDT: ISAKMP-ERROR: (0):SA is still budding. Attached new ipsec request to it. (local 38.142.219.26, remote 3.216.207.21)
May 27 11:34:21.804 EDT: ISAKMP-ERROR: (0):Error while processing SA request: Failed to initialize SA
May 27 11:34:21.804 EDT: ISAKMP-ERROR: (0):Error while processing KMI message 0, error 2.
May 27 11:34:21.804 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
May 27 11:34:21.804 EDT: ISAKMP: (0):: incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
May 27 11:34:21.804 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE
May 27 11:34:21.804 EDT: ISAKMP-PAK: (0):sending packet to 3.216.207.21 my_port 500 peer_port 500 (I) MM_NO_STATE
May 27 11:34:21.804 EDT: ISAKMP: (0):Sending an IKE IPv4 Packet.
May 27 11:34:24.222 EDT: BGP: 169.254.150.41 Active open failed - update-source NULL is not available, open active delayed 12288ms (35000ms max, 60% jitter)
May 27 11:34:29.420 EDT: BGP: topo global:IPv4 Unicast:base Scanning routing tables
May 27 11:34:29.421 EDT: BGP: topo global:IPv4 Multicast:base Scanning routing tables
May 27 11:34:29.421 EDT: BGP: topo global:L2VPN E-VPN:base Scanning routing tables
May 27 11:34:29.421 EDT: BGP: topo global:MVPNv4 Unicast:base Scanning routing tables
May 27 11:34:31.805 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
May 27 11:34:31.805 EDT: ISAKMP: (0):: incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
May 27 11:34:31.805 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE
May 27 11:34:31.805 EDT: ISAKMP-PAK: (0):sending packet to 3.216.207.21 my_port 500 peer_port 500 (I) MM_NO_STATE
May 27 11:34:31.805 EDT: ISAKMP: (0):Sending an IKE IPv4 Packet.
May 27 11:34:33.438 EDT: BGP: 169.254.227.217 Active open failed - update-source NULL is not available, open active delayed 9216ms (35000ms max, 60% jitter)
May 27 11:34:36.510 EDT: BGP: 169.254.150.41 Active open failed - update-source NULL is not available, open active delayed 13312ms (35000ms max, 60% jitter)
May 27 11:34:41.384 EDT: ISAKMP: (0):purging node 2980808616
May 27 11:34:41.384 EDT: ISAKMP: (0):purging node 1287617051
May 27 11:34:41.805 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
May 27 11:34:41.805 EDT: ISAKMP: (0):: incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
May 27 11:34:41.805 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE
May 27 11:34:41.805 EDT: ISAKMP-PAK: (0):sending packet to 3.216.207.21 my_port 500 peer_port 500 (I) MM_NO_STATE
May 27 11:34:41.805 EDT: ISAKMP: (0):Sending an IKE IPv4 Packet.
May 27 11:34:42.655 EDT: BGP: 169.254.227.217 Active open failed - update-source NULL is not available, open active delayed 14336ms (35000ms max, 60% jitter)
May 27 11:34:49.822 EDT: BGP: 169.254.150.41 Active open failed - update-source NULL is not available, open active delayed 7168ms (35000ms max, 60% jitter)
May 27 11:34:51.384 EDT: ISAKMP: (0):purging SA., sa=7FA7F9158C78, delme=7FA7F9158C78
May 27 11:34:51.803 EDT: IPSEC:(SESSION ID = 1) (key_engine) request timer fired: count = 2,
(identity) local= 38.142.219.26:0, remote= 3.216.207.21:0,
local_proxy= 0.0.0.0/0.0.0.0/256/0,
remote_proxy= 0.0.0.0/0.0.0.0/256/0
May 27 11:34:51.805 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
May 27 11:34:51.805 EDT: ISAKMP: (0):peer does not do paranoid keepalives.
May 27 11:34:51.805 EDT: ISAKMP-ERROR: (0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 3.216.207.21)
May 27 11:34:51.805 EDT: ISAKMP-ERROR: (0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 3.216.207.21)
May 27 11:34:51.805 EDT: ISAKMP: (0):Unlocking peer struct 0x7FA7F9105438 for isadb_mark_sa_deleted(), count 0
May 27 11:34:51.805 EDT: ISAKMP: (0):Deleting peer node by peer_reap for 3.216.207.21: 7FA7F9105438
May 27 11:34:51.810 EDT: ISAKMP: (0):deleting node 1472956874 error FALSE reason "IKE deleted"
May 27 11:34:51.810 EDT: ISAKMP: (0):deleting node 2697383770 error FALSE reason "IKE deleted"
May 27 11:34:51.810 EDT: ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
May 27 11:34:51.810 EDT: ISAKMP: (0):Old State = IKE_I_MM1 New State = IKE_DEST_SA
May 27 11:34:51.810 EDT: IPSEC(key_engine): got a queue event with 1 KMI message(s)
May 27 11:34:52.230 EDT: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 38.142.219.26:500, remote= 3.216.207.21:500,
local_proxy= 0.0.0.0/0.0.0.0/256/0,
remote_proxy= 0.0.0.0/0.0.0.0/256/0,
protocol= ESP, transform= esp-aes esp-sha-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
May 27 11:34:52.230 EDT: ISAKMP: (0):SA request profile is (NULL)
May 27 11:34:52.230 EDT: ISAKMP: (0):Created a peer struct for 3.216.207.21, peer port 500
May 27 11:34:52.230 EDT: ISAKMP: (0):New peer created peer = 0x7FA7F8BD2280 peer_handle = 0x800006BE
May 27 11:34:52.230 EDT: ISAKMP: (0):Locking peer struct 0x7FA7F8BD2280, refcount 1 for isakmp_initiator
May 27 11:34:52.230 EDT: ISAKMP: (0):local port 500, remote port 500
May 27 11:34:52.230 EDT: ISAKMP: (0):set new node 0 to QM_IDLE
May 27 11:34:52.230 EDT: ISAKMP: (0):Find a dup sa in the avl tree during calling isadb_insert sa = 7FA7F9158C78
May 27 11:34:52.230 EDT: ISAKMP: (0):Can not start Aggressive mode, trying Main mode.
May 27 11:34:52.230 EDT: ISAKMP: (0):found peer pre-shared key matching 3.216.207.21
May 27 11:34:52.230 EDT: ISAKMP: (0):constructed NAT-T vendor-rfc3947 ID
May 27 11:34:52.230 EDT: ISAKMP: (0):constructed NAT-T vendor-07 ID
May 27 11:34:52.230 EDT: ISAKMP: (0):constructed NAT-T vendor-03 ID
May 27 11:34:52.230 EDT: ISAKMP: (0):constructed NAT-T vendor-02 ID
May 27 11:34:52.230 EDT: ISAKMP: (0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
May 27 11:34:52.230 EDT: ISAKMP: (0):Old State = IKE_READY New State = IKE_I_MM1
May 27 11:34:52.230 EDT: ISAKMP: (0):beginning Main Mode exchange
May 27 11:34:52.230 EDT: ISAKMP-PAK: (0):sending packet to 3.216.207.21 my_port 500 peer_port 500 (I) MM_NO_STATE
May 27 11:34:52.230 EDT: ISAKMP: (0):Sending an IKE IPv4 Packet.
May 27 11:34:57.002 EDT: BGP: 169.254.227.217 Active open failed - update-source NULL is not available, open active delayed 14336ms (35000ms max, 60% jitter)
May 27 11:34:57.002 EDT: BGP: 169.254.150.41 Active open failed - update-source NULL is not available, open active delayed 14336ms (35000ms max, 60% jitter)
May 27 11:35:02.230 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
May 27 11:35:02.230 EDT: ISAKMP: (0):: incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
May 27 11:35:02.230 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE
May 27 11:35:02.230 EDT: ISAKMP-PAK: (0):sending packet to 3.216.207.21 my_port 500 peer_port 500 (I) MM_NO_STATE
May 27 11:35:02.230 EDT: ISAKMP: (0):Sending an IKE IPv4 Packet.
May 27 11:35:11.338 EDT: BGP: 169.254.227.217 Active open failed - update-source NULL is not available, open active delayed 12288ms (35000ms max, 60% jitter)
May 27 11:35:11.338 EDT: BGP: 169.254.150.41 Active open failed - update-source NULL is not available, open active delayed 10240ms (35000ms max, 60% jitter)
May 27 11:35:12.230 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
May 27 11:35:12.230 EDT: ISAKMP: (0):: incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
May 27 11:35:12.230 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE
May 27 11:35:12.230 EDT: ISAKMP-PAK: (0):sending packet to 3.216.207.21 my_port 500 peer_port 500 (I) MM_NO_STATE
May 27 11:35:12.230 EDT: ISAKMP: (0):Sending an IKE IPv4 Packet.
May 27 11:35:21.580 EDT: BGP: 169.254.150.41 Active open failed - update-source NULL is not available, open active delayed 12288ms (35000ms max, 60% jitter)
May 27 11:35:22.229 EDT: IPSEC:(SESSION ID = 1) (key_engine) request timer fired: count = 1,
(identity) local= 38.142.219.26:0, remote= 3.216.207.21:0,
local_proxy= 0.0.0.0/0.0.0.0/256/0,
remote_proxy= 0.0.0.0/0.0.0.0/256/0
May 27 11:35:22.229 EDT: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 38.142.219.26:500, remote= 3.216.207.21:500,
local_proxy= 0.0.0.0/0.0.0.0/256/0,
remote_proxy= 0.0.0.0/0.0.0.0/256/0,
protocol= ESP, transform= esp-aes esp-sha-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
May 27 11:35:22.229 EDT: ISAKMP: (0):set new node 0 to QM_IDLE
May 27 11:35:22.229 EDT: ISAKMP-ERROR: (0):SA is still budding. Attached new ipsec request to it. (local 38.142.219.26, remote 3.216.207.21)
May 27 11:35:22.231 EDT: ISAKMP-ERROR: (0):Error while processing SA request: Failed to initialize SA
May 27 11:35:22.231 EDT: ISAKMP-ERROR: (0):Error while processing KMI message 0, error 2.
May 27 11:35:22.231 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
May 27 11:35:22.231 EDT: ISAKMP: (0):: incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
May 27 11:35:22.231 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE
May 27 11:35:22.231 EDT: ISAKMP-PAK: (0):sending packet to 3.216.207.21 my_port 500 peer_port 500 (I) MM_NO_STATE
May 27 11:35:22.231 EDT: ISAKMP: (0):Sending an IKE IPv4 Packet.
May 27 11:35:23.628 EDT: BGP: 169.254.227.217 Active open failed - update-source NULL is not available, open active delayed 12288ms (35000ms max, 60% jitter)
May 27 11:35:29.423 EDT: BGP: topo global:IPv4 Unicast:base Scanning routing tables
May 27 11:35:29.424 EDT: BGP: topo global:IPv4 Multicast:base Scanning routing tables
May 27 11:35:29.424 EDT: BGP: topo global:L2VPN E-VPN:base Scanning routing tables
May 27 11:35:29.424 EDT: BGP: topo global:MVPNv4 Unicast:base Scanning routing tables
May 27 11:35:32.232 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
May 27 11:35:32.232 EDT: ISAKMP: (0):: incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
May 27 11:35:32.232 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE
May 27 11:35:32.232 EDT: ISAKMP-PAK: (0):sending packet to 3.216.207.21 my_port 500 peer_port 500 (I) MM_NO_STATE
May 27 11:35:32.232 EDT: ISAKMP: (0):Sending an IKE IPv4 Packet.
May 27 11:35:33.867 EDT: BGP: 169.254.150.41 Active open failed - update-source NULL is not available, open active delayed 7168ms (35000ms max, 60% jitter)
May 27 11:35:35.915 EDT: BGP: 169.254.227.217 Active open failed - update-source NULL is not available, open active delayed 9216ms (35000ms max, 60% jitter)
May 27 11:35:41.035 EDT: BGP: 169.254.150.41 Active open failed - update-source NULL is not available, open active delayed 6144ms (35000ms max, 60% jitter)
May 27 11:35:41.810 EDT: ISAKMP: (0):purging node 1472956874
May 27 11:35:41.810 EDT: ISAKMP: (0):purging node 2697383770
May 27 11:35:42.233 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
May 27 11:35:42.233 EDT: ISAKMP: (0):: incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
May 27 11:35:42.233 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE
May 27 11:35:42.233 EDT: ISAKMP-PAK: (0):sending packet to 3.216.207.21 my_port 500 peer_port 500 (I) MM_NO_STATE
May 27 11:35:42.233 EDT: ISAKMP: (0):Sending an IKE IPv4 Packet.
May 27 11:35:45.131 EDT: BGP: 169.254.227.217 Active open failed - update-source NULL is not available, open active delayed 8192ms (35000ms max, 60% jitter)
May 27 11:35:47.180 EDT: BGP: 169.254.150.41 Active open failed - update-source NULL is not available, open active delayed 11264ms (35000ms max, 60% jitter)
May 27 11:35:51.810 EDT: ISAKMP: (0):purging SA., sa=7FA7F9026168, delme=7FA7F9026168
May 27 11:35:52.230 EDT: IPSEC:(SESSION ID = 1) (key_engine) request timer fired: count = 2,
(identity) local= 38.142.219.26:0, remote= 3.216.207.21:0,
local_proxy= 0.0.0.0/0.0.0.0/256/0,
remote_proxy= 0.0.0.0/0.0.0.0/256/0
May 27 11:35:52.233 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
May 27 11:35:52.233 EDT: ISAKMP: (0):peer does not do paranoid keepalives.
May 27 11:35:52.233 EDT: ISAKMP-ERROR: (0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 3.216.207.21)
May 27 11:35:52.233 EDT: ISAKMP-ERROR: (0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 3.216.207.21)
May 27 11:35:52.233 EDT: ISAKMP: (0):Unlocking peer struct 0x7FA7F8BD2280 for isadb_mark_sa_deleted(), count 0
May 27 11:35:52.233 EDT: ISAKMP: (0):Deleting peer node by peer_reap for 3.216.207.21: 7FA7F8BD2280
May 27 11:35:52.238 EDT: ISAKMP: (0):deleting node 2971984378 error FALSE reason "IKE deleted"
May 27 11:35:52.238 EDT: ISAKMP: (0):deleting node 1541442663 error FALSE reason "IKE deleted"
May 27 11:35:52.238 EDT: ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
May 27 11:35:52.238 EDT: ISAKMP: (0):Old State = IKE_I_MM1 New State = IKE_DEST_SA
May 27 11:35:52.238 EDT: IPSEC(key_engine): got a queue event with 1 KMI message(s)
May 27 11:35:52.658 EDT: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 38.142.219.26:500, remote= 3.216.207.21:500,
local_proxy= 0.0.0.0/0.0.0.0/256/0,
remote_proxy= 0.0.0.0/0.0.0.0/256/0,
protocol= ESP, transform= esp-aes esp-sha-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
May 27 11:35:52.659 EDT: ISAKMP: (0):SA request profile is (NULL)
May 27 11:35:52.659 EDT: ISAKMP: (0):Created a peer struct for 3.216.207.21, peer port 500
May 27 11:35:52.659 EDT: ISAKMP: (0):New peer created peer = 0x7FA7F9105438 peer_handle = 0x800006BF
May 27 11:35:52.659 EDT: ISAKMP: (0):Locking peer struct 0x7FA7F9105438, refcount 1 for isakmp_initiator
May 27 11:35:52.659 EDT: ISAKMP: (0):local port 500, remote port 500
May 27 11:35:52.659 EDT: ISAKMP: (0):set new node 0 to QM_IDLE
May 27 11:35:52.659 EDT: ISAKMP: (0):Find a dup sa in the avl tree during calling isadb_insert sa = 7FA7F9026168
May 27 11:35:52.659 EDT: ISAKMP: (0):Can not start Aggressive mode, trying Main mode.
May 27 11:35:52.659 EDT: ISAKMP: (0):found peer pre-shared key matching 3.216.207.21
May 27 11:35:52.659 EDT: ISAKMP: (0):constructed NAT-T vendor-rfc3947 ID
May 27 11:35:52.659 EDT: ISAKMP: (0):constructed NAT-T vendor-07 ID
May 27 11:35:52.659 EDT: ISAKMP: (0):constructed NAT-T vendor-03 ID
May 27 11:35:52.659 EDT: ISAKMP: (0):constructed NAT-T vendor-02 ID
May 27 11:35:52.659 EDT: ISAKMP: (0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
May 27 11:35:52.659 EDT: ISAKMP: (0):Old State = IKE_READY New State = IKE_I_MM1
May 27 11:35:52.659 EDT: ISAKMP: (0):beginning Main Mode exchange
May 27 11:35:52.659 EDT: ISAKMP-PAK: (0):sending packet to 3.216.207.21 my_port 500 peer_port 500 (I) MM_NO_STATE
May 27 11:35:52.659 EDT: ISAKMP: (0):Sending an IKE IPv4 Packet.
May 27 11:35:53.323 EDT: BGP: 169.254.227.217 Active open failed - update-source NULL is not available, open active delayed 9216ms (35000ms max, 60% jitter)
May 27 11:35:58.444 EDT: BGP: 169.254.150.41 Active open failed - update-source NULL is not available, open active delayed 7168ms (35000ms max, 60% jitter)
May 27 11:36:02.540 EDT: BGP: 169.254.227.217 Active open failed - update-source NULL is not available, open active delayed 12288ms (35000ms max, 60% jitter)
May 27 11:36:02.659 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
May 27 11:36:02.659 EDT: ISAKMP: (0):: incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
May 27 11:36:02.659 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE
May 27 11:36:02.659 EDT: ISAKMP-PAK: (0):sending packet to 3.216.207.21 my_port 500 peer_port 500 (I) MM_NO_STATE
May 27 11:36:02.659 EDT: ISAKMP: (0):Sending an IKE IPv4 Packet.
May 27 11:36:05.614 EDT: BGP: 169.254.150.41 Active open failed - update-source NULL is not available, open active delayed 7168ms (35000ms max, 60% jitter)
May 27 11:36:12.660 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
May 27 11:36:12.660 EDT: ISAKMP: (0):: incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
May 27 11:36:12.660 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE
May 27 11:36:12.660 EDT: ISAKMP-PAK: (0):sending packet to 3.216.207.21 my_port 500 peer_port 500 (I) MM_NO_STATE
May 27 11:36:12.660 EDT: ISAKMP: (0):Sending an IKE IPv4 Packet.
May 27 11:36:12.782 EDT: BGP: 169.254.150.41 Active open failed - update-source NULL is not available, open active delayed 6144ms (35000ms max, 60% jitter)
May 27 11:36:14.830 EDT: BGP: 169.254.227.217 Active open failed - update-source NULL is not available, open active delayed 8192ms (35000ms max, 60% jitter)
May 27 11:36:18.926 EDT: BGP: 169.254.150.41 Active open failed - update-source NULL is not available, open active delayed 11264ms (35000ms max, 60% jitter)
May 27 11:36:22.658 EDT: IPSEC:(SESSION ID = 1) (key_engine) request timer fired: count = 1,
(identity) local= 38.142.219.26:0, remote= 3.216.207.21:0,
local_proxy= 0.0.0.0/0.0.0.0/256/0,
remote_proxy= 0.0.0.0/0.0.0.0/256/0
May 27 11:36:22.658 EDT: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 38.142.219.26:500, remote= 3.216.207.21:500,
local_proxy= 0.0.0.0/0.0.0.0/256/0,
remote_proxy= 0.0.0.0/0.0.0.0/256/0,
protocol= ESP, transform= esp-aes esp-sha-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
May 27 11:36:22.658 EDT: ISAKMP: (0):set new node 0 to QM_IDLE
May 27 11:36:22.658 EDT: ISAKMP-ERROR: (0):SA is still budding. Attached new ipsec request to it. (local 38.142.219.26, remote 3.216.207.21)
May 27 11:36:22.660 EDT: ISAKMP-ERROR: (0):Error while processing SA request: Failed to initialize SA
May 27 11:36:22.660 EDT: ISAKMP-ERROR: (0):Error while processing KMI message 0, error 2.
May 27 11:36:22.660 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
May 27 11:36:22.660 EDT: ISAKMP: (0):: incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
May 27 11:36:22.660 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE
May 27 11:36:22.660 EDT: ISAKMP-PAK: (0):sending packet to 3.216.207.21 my_port 500 peer_port 500 (I) MM_NO_STATE
May 27 11:36:22.660 EDT: ISAKMP: (0):Sending an IKE IPv4 Packet.
May 27 11:36:23.022 EDT: BGP: 169.254.227.217 Active open failed - update-source NULL is not available, open active delayed 13312ms (35000ms max, 60% jitter)
May 27 11:36:28.924 EDT: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.188.252.112)
May 27 11:36:29.427 EDT: BGP: topo global:IPv4 Unicast:base Scanning routing tables
May 27 11:36:29.428 EDT: BGP: topo global:IPv4 Multicast:base Scanning routing tables
May 27 11:36:29.428 EDT: BGP: topo global:L2VPN E-VPN:base Scanning routing tables
May 27 11:36:29.428 EDT: BGP: topo global:MVPNv4 Unicast:base Scanning routing tables
May 27 11:36:30.190 EDT: BGP: 169.254.150.41 Active open failed - update-source NULL is not available, open active delayed 13312ms (35000ms max, 60% jitter)
May 27 11:36:32.660 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
May 27 11:36:32.660 EDT: ISAKMP: (0):: incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
May 27 11:36:32.660 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE
May 27 11:36:32.660 EDT: ISAKMP-PAK: (0):sending packet to 3.216.207.21 my_port 500 peer_port 500 (I) MM_NO_STATE
May 27 11:36:32.660 EDT: ISAKMP: (0):Sending an IKE IPv4 Packet.
May 27 11:36:36.335 EDT: BGP: 169.254.227.217 Active open failed - update-source NULL is not available, open active delayed 11264ms (35000ms max, 60% jitter)
May 27 11:36:42.239 EDT: ISAKMP: (0):purging node 2971984378
May 27 11:36:42.239 EDT: ISAKMP: (0):purging node 1541442663
May 27 11:36:42.660 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
May 27 11:36:42.660 EDT: ISAKMP: (0):: incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
May 27 11:36:42.660 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE
May 27 11:36:42.660 EDT: ISAKMP-PAK: (0):sending packet to 3.216.207.21 my_port 500 peer_port 500 (I) MM_NO_STATE
May 27 11:36:42.660 EDT: ISAKMP: (0):Sending an IKE IPv4 Packet.
May 27 11:36:43.503 EDT: BGP: 169.254.150.41 Active open failed - update-source NULL is not available, open active delayed 12288ms (35000ms max, 60% jitter)
May 27 11:36:47.601 EDT: BGP: 169.254.227.217 Active open failed - update-source NULL is not available, open active delayed 11264ms (35000ms max, 60% jitter)
May 27 11:36:52.238 EDT: ISAKMP: (0):purging SA., sa=7FA7F9158C78, delme=7FA7F9158C78
May 27 11:36:52.658 EDT: IPSEC:(SESSION ID = 1) (key_engine) request timer fired: count = 2,
(identity) local= 38.142.219.26:0, remote= 3.216.207.21:0,
local_proxy= 0.0.0.0/0.0.0.0/256/0,
remote_proxy= 0.0.0.0/0.0.0.0/256/0
May 27 11:36:52.660 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
May 27 11:36:52.660 EDT: ISAKMP: (0):peer does not do paranoid keepalives.
May 27 11:36:52.660 EDT: ISAKMP-ERROR: (0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 3.216.207.21)
May 27 11:36:52.660 EDT: ISAKMP-ERROR: (0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 3.216.207.21)
May 27 11:36:52.661 EDT: ISAKMP: (0):Unlocking peer struct 0x7FA7F9105438 for isadb_mark_sa_deleted(), count 0
May 27 11:36:52.661 EDT: ISAKMP: (0):Deleting peer node by peer_reap for 3.216.207.21: 7FA7F9105438
May 27 11:36:52.665 EDT: ISAKMP: (0):deleting node 530211987 error FALSE reason "IKE deleted"
May 27 11:36:52.665 EDT: ISAKMP: (0):deleting node 462011643 error FALSE reason "IKE deleted"
May 27 11:36:52.665 EDT: ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
May 27 11:36:52.665 EDT: ISAKMP: (0):Old State = IKE_I_MM1 New State = IKE_DEST_SA
May 27 11:36:52.665 EDT: IPSEC(key_engine): got a queue event with 1 KMI message(s)
May 27 11:36:53.090 EDT: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 38.142.219.26:500, remote= 3.216.207.21:500,
local_proxy= 0.0.0.0/0.0.0.0/256/0,
remote_proxy= 0.0.0.0/0.0.0.0/256/0,
protocol= ESP, transform= esp-aes esp-sha-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
May 27 11:36:53.090 EDT: ISAKMP: (0):SA request profile is (NULL)
May 27 11:36:53.090 EDT: ISAKMP: (0):Created a peer struct for 3.216.207.21, peer port 500
May 27 11:36:53.090 EDT: ISAKMP: (0):New peer created peer = 0x7FA7F8BD2280 peer_handle = 0x800006C0
May 27 11:36:53.090 EDT: ISAKMP: (0):Locking peer struct 0x7FA7F8BD2280, refcount 1 for isakmp_initiator
May 27 11:36:53.090 EDT: ISAKMP: (0):local port 500, remote port 500
May 27 11:36:53.090 EDT: ISAKMP: (0):set new node 0 to QM_IDLE
May 27 11:36:53.090 EDT: ISAKMP: (0):Find a dup sa in the avl tree during calling isadb_insert sa = 7FA7F9158C78
May 27 11:36:53.090 EDT: ISAKMP: (0):Can not start Aggressive mode, trying Main mode.
May 27 11:36:53.090 EDT: ISAKMP: (0):found peer pre-shared key matching 3.216.207.21
May 27 11:36:53.090 EDT: ISAKMP: (0):constructed NAT-T vendor-rfc3947 ID
May 27 11:36:53.090 EDT: ISAKMP: (0):constructed NAT-T vendor-07 ID
May 27 11:36:53.090 EDT: ISAKMP: (0):constructed NAT-T vendor-03 ID
May 27 11:36:53.090 EDT: ISAKMP: (0):constructed NAT-T vendor-02 ID
May 27 11:36:53.090 EDT: ISAKMP: (0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
May 27 11:36:53.090 EDT: ISAKMP: (0):Old State = IKE_READY New State = IKE_I_MM1
May 27 11:36:53.090 EDT: ISAKMP: (0):beginning Main Mode exchange
May 27 11:36:53.090 EDT: ISAKMP-PAK: (0):sending packet to 3.216.207.21 my_port 500 peer_port 500 (I) MM_NO_STATE
May 27 11:36:53.091 EDT: ISAKMP: (0):Sending an IKE IPv4 Packet.
cogent#
05-27-2021 08:46 AM
Seems like your router is not hearing back from AWS and is retransmitting the communication - incrementing error counter on sa, attempt 3 of 5: retransmit phase 1 etc etc.
Is there a firewall or ACL in the path that could be blocking communication?
Can you do some debugs on the AWS end to determine if you can see inbound traffic?
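The pattern pointed out in this reply (the initiator keeps sending Main Mode message 1, counts retransmits, and never logs an inbound packet) can be checked mechanically per peer. The Python below is an added example, not part of the original thread. Its sample log is constructed with documentation addresses, and the `received packet from` line format is an assumption about IOS debug output that does not appear in the excerpt above.

```python
import re
from collections import defaultdict

# Constructed sample in the style of the "debug crypto isakmp" output quoted
# in this thread; peers are RFC 5737 documentation addresses, not real ones.
SAMPLE = """\
May 27 11:35:52.659 EDT: ISAKMP: (0):beginning Main Mode exchange
May 27 11:35:52.659 EDT: ISAKMP-PAK: (0):sending packet to 203.0.113.10 my_port 500 peer_port 500 (I) MM_NO_STATE
May 27 11:36:02.659 EDT: ISAKMP: (0):: incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
May 27 11:36:02.659 EDT: ISAKMP-PAK: (0):sending packet to 203.0.113.10 my_port 500 peer_port 500 (I) MM_NO_STATE
May 27 11:36:12.660 EDT: ISAKMP: (0):: incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
May 27 11:36:12.660 EDT: ISAKMP-PAK: (0):sending packet to 203.0.113.10 my_port 500 peer_port 500 (I) MM_NO_STATE
May 27 11:36:52.660 EDT: ISAKMP-ERROR: (0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 203.0.113.10)
May 27 11:37:01.100 EDT: ISAKMP-PAK: (0):sending packet to 198.51.100.7 my_port 500 peer_port 500 (I) MM_NO_STATE
May 27 11:37:01.180 EDT: ISAKMP-PAK: (0):received packet from 198.51.100.7 dport 500 sport 500 Global (I) MM_NO_STATE
"""

SENT = re.compile(r"ISAKMP-PAK: \(\d+\):sending packet to ([\d.]+) ")
# Assumed format for inbound packets (not shown in the thread's excerpt).
RECV = re.compile(r"ISAKMP-PAK: \(\d+\):received packet from ([\d.]+) ")
RETRY = re.compile(r"attempt (\d+) of \d+: retransmit phase 1")
DEAD = re.compile(r'"Death by retransmission P1".*\(peer ([\d.]+)\)')

def summarize(log_text):
    """Count IKE packets sent/received and phase 1 retransmits per peer."""
    peers = defaultdict(
        lambda: {"sent": 0, "received": 0, "max_retry": 0, "dead": False})
    last_peer = None  # retransmit-counter lines carry no peer address
    for line in log_text.splitlines():
        if m := SENT.search(line):
            last_peer = m.group(1)
            peers[last_peer]["sent"] += 1
        elif m := RECV.search(line):
            peers[m.group(1)]["received"] += 1
        elif (m := RETRY.search(line)) and last_peer:
            entry = peers[last_peer]
            entry["max_retry"] = max(entry["max_retry"], int(m.group(1)))
        elif m := DEAD.search(line):
            peers[m.group(1)]["dead"] = True
    return dict(peers)

def diagnose(stats):
    """NO_REPLY means one-way IKE: packets went out, nothing came back."""
    if stats["sent"] and stats["received"] == 0:
        return "NO_REPLY"
    return "PEER_RESPONDING"

if __name__ == "__main__":
    for peer, stats in summarize(SAMPLE).items():
        print(peer, diagnose(stats), stats)
```

A `NO_REPLY` result only says that the router logged no reply. It does not show whether the packets left the box, so the path checks raised in this thread (firewall or ACL, upstream filtering) still have to be done separately.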
05-27-2021 09:38 AM
AWS Support told me that they were not seeing any traffic from our side. The router is on the edge of our network and our next hop is Cogent network. Is there a possibility that they are doing some filtering?
We are using giga 0/0/3 as the outside NAT interface. Would that have anything to do with it, that somehow that traffic is being NATed out of that interface?
05-27-2021 09:44 AM
@eegrad85 your router is attempting to communicate, the logs indicate the remote peer is not responding. So if AWS aren't seeing anything then potentially yes, investigate further with Cogent to see if they are blocking traffic.
NAT shouldn't stop the VPN from establishing. NAT could cause an issue later on transmitting traffic over the VPN, but the VPN needs to be established first...which is your issue.
05-27-2021 10:47 AM
I reloaded the router and the tunnel became active but after a few minutes the tunnel protocol was down again. Apparently, you need a reload to activate the ipsec license (first time we are using it).
After the reload I got this:
cogent#sh int tunnel1
Tunnel1 is up, line protocol is up
Hardware is Tunnel
Internet address is 169.254.227.218/30
MTU 9922 bytes, BW 100 Kbit/sec, DLY 50000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel linestate evaluation up
Tunnel source 38.142.219.26, destination 3.216.207.21
Tunnel protocol/transport IPSEC/IP
Tunnel TTL 255
Tunnel transport MTU 1422 bytes
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Tunnel protection via IPSec (profile "ipsec-vpn-0ec351a6e6b2cbd47-1")
Last input never, output never, output hang never
Last clearing of "show interface" counters 00:01:41
Input queue: 0/375/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
15 packets input, 879 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
15 packets output, 756 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out
cogent#show cryp
cogent#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
3.216.207.21 38.142.219.26 QM_IDLE 1001 ACTIVE
IPv6 Crypto ISAKMP SA
cogent#show crypto ipsec sa
interface: Tunnel1
Crypto map tag: Tunnel1-head-0, local addr 38.142.219.26
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 3.216.207.21 port 4500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 36, #pkts encrypt: 36, #pkts digest: 36
#pkts decaps: 27, #pkts decrypt: 27, #pkts verify: 27
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 38.142.219.26, remote crypto endpt.: 3.216.207.21
plaintext mtu 1422, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/0
current outbound spi: 0xC7E21425(3353482277)
PFS (Y/N): Y, DH group: group2
inbound esp sas:
spi: 0xCAEB6EDE(3404426974)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 2001, flow_id: HW:1, sibling_flags FFFFFFFF80004048, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (4607998/3486)
IV size: 16 bytes
replay detection support: Y replay window size: 128
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xC7E21425(3353482277)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 2002, flow_id: HW:2, sibling_flags FFFFFFFF80004048, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (4607988/3486)
IV size: 16 bytes
replay detection support: Y replay window size: 128
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
05-27-2021 01:05 PM
Rob,
I just want to thank you. We managed to make it work. As soon as my customer gateway was able to send some connection info to AWS, I called AWS Support and they managed to help me with my issue. In summary, the issue was the IPsec feature that was not activated. When I reloaded the router IPsec was activated, from there we discovered the reason the IPsec kept dropping was due to asymmetrical routing.
I am glad that there are people like you who are willing to help.
Manny
06-02-2021 03:30 AM
I'm trying to configure it using the default settings and guidelines, but I am still not succeeding in completing the configuration.