
AWS Site to Site VPN + Cisco ASR 1001 Issue

eegrad85
Level 1

I am trying to configure a VPN Connection from my Cisco ASR 1001 router to AWS. I have used the configuration that I got from AWS but the tunnel protocol will not come up. sh crypto isakmp sa just showed that I have an active connection with MM_NO_STATE status. AWS support told me that they are not seeing any like negotiation on their side. Is there anyone there that can help? Thanks.

1 Accepted Solution


@eegrad85 

Please can you provide your ASR configuration and information on what is configured in AWS (screenshots).

Turn on IKE debugs on the ASR and attempt to establish the VPN, then provide the debug output for review.

Hi Rob,

Thank you in advance for looking into my issue. Here is the Cisco ASR config with the incorporated AWS Config.


! Last configuration change at 15:51:09 EDT Wed May 26 2021 by admin
! NVRAM config last updated at 09:48:13 EDT Sat May 1 2021 by admin
!
version 15.5
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
no service dhcp
no platform punt-keepalive disable-kernel-core
platform qos match-statistics per-filter
!
hostname cogent
!
boot-start-marker
boot system flash bootflash:asr1001-universalk9.03.16.08.S.155-3.S8-ext.bin
boot-end-marker
!
!
vrf definition Mgmt-intf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
logging buffered 51200 informational
no logging monitor
enable password 7 XXXXXXXXXXXXXXXXXX
!
aaa new-model
!
!
!
!
!
!
!
!
aaa session-id common
clock timezone EST -5 0
clock summer-time EDT recurring
no ip source-route
!
!
!
!
!
!
!
!
!
!
!


no ip bootp server
ip name-server 66.28.0.45 66.28.0.61

ip domain name urban.org
!
!
!
login on-failure log
login on-success log
ipv6 multicast rpf use-bgp
ipv6 multicast vrf Mgmt-intf rpf use-bgp
!
!
!
!
!
!
!
subscriber templating
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
license udi pid ASR1001 sn XXXXXXXXXXXXXXXXXX
license boot level advipservices
archive
 log config
  logging enable
  notify syslog contenttype plaintext
  hidekeys
!
spanning-tree extend system-id
!
username admin password 7 XXXXXXXXXXXXXXXXXX
!
redundancy
 mode none
!
!
!
!
!
!
track 1 interface GigabitEthernet0/0/3 line-protocol
!
!
class-map match-all voice
 match access-group 130
!
policy-map voicepolicy
 class voice
  priority percent 20
 class class-default
  fair-queue
!
!
!
crypto keyring keyring-vpn-0ec351a6e6b2cbd47-1
 local-address <ip address of giga0/0/3>
 pre-shared-key address <ip address of aws outside tunnel1> key XXXXXXXXXXXXXXXXXX
!
!
!
!
!
crypto isakmp policy 200
 encr aes
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp keepalive 10 10
crypto isakmp profile isakmp-vpn-0ec351a6e6b2cbd47-1
 keyring keyring-vpn-0ec351a6e6b2cbd47-1
 match identity address <ip address of aws outside tunnel1>
 local-address <ip address of giga0/0/3>
!
crypto ipsec security-association replay window-size 128
!
crypto ipsec transform-set ipsec-prop-vpn-0ec351a6e6b2cbd47-1 esp-aes esp-sha-hmac
 mode tunnel
crypto ipsec df-bit clear
!
!
crypto ipsec profile ipsec-vpn-0ec351a6e6b2cbd47-1
 set transform-set ipsec-prop-vpn-0ec351a6e6b2cbd47-1
 set pfs group2
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Tunnel1
 ip address 169.254.227.218 255.255.255.252
 ip tcp adjust-mss 1379
 tunnel source <ip address of giga0/0/3>
 tunnel mode ipsec ipv4
 tunnel destination <ip address of aws outside tunnel1>
 tunnel protection ipsec profile ipsec-vpn-0ec351a6e6b2cbd47-1
 ip virtual-reassembly
!
interface GigabitEthernet0/0/0
 description "Urban Interface"
 ip address <Ip address and subnet>
 no ip proxy-arp
 ip access-group 130 out
 standby 1 ip <IP address of HSRP Virtual Interface>
 standby 1 priority 101
 standby 1 preempt
 standby 1 track 1 decrement 10
 speed 1000
 no negotiation auto
 arp timeout 60
!
interface GigabitEthernet0/0/1
 description "VOIP Gateway"
 ip address <Ip address and subnet>
 ip nat inside
 ip access-group 120 in
 ip access-group 140 out
 negotiation auto
!
interface GigabitEthernet0/0/2
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/0/3
 description "Cogent #36KFGS309428CD"
 bandwidth 1000000
 ip address <ip address of giga0/0/3> 255.255.255.248
 no ip proxy-arp
 ip nat outside
 ip access-group 111 in
 ip access-group 120 out
 negotiation auto
 service-policy output voicepolicy
!
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 no ip address
 shutdown
 negotiation auto
!
router bgp 25778
 bgp log-neighbor-changes
 neighbor 38.142.219.25 remote-as 174
 neighbor 38.142.219.25 version 4
 neighbor 169.254.150.41 remote-as 7224
 neighbor 169.254.150.41 timers 10 30 30
 neighbor 169.254.227.217 remote-as 7224
 neighbor 169.254.227.217 timers 10 30 30
 neighbor 192.188.252.2 remote-as 25778
 !
 address-family ipv4
  network 38.142.219.24 mask 255.255.255.248
  network 192.188.252.0
  neighbor 38.142.219.25 activate
  neighbor 38.142.219.25 send-community
  neighbor 38.142.219.25 route-map TO-COGENT out
  neighbor 169.254.150.41 activate
  neighbor 169.254.150.41 default-originate
  neighbor 169.254.150.41 soft-reconfiguration inbound
  neighbor 169.254.150.41 prefix-list filter-default out
  neighbor 169.254.150.41 route-map AWS-IN in
  neighbor 169.254.227.217 activate
  neighbor 169.254.227.217 default-originate
  neighbor 169.254.227.217 soft-reconfiguration inbound
  neighbor 169.254.227.217 prefix-list filter-default out
  neighbor 169.254.227.217 route-map AWS-IN in
  neighbor 192.188.252.2 activate
  neighbor 192.188.252.2 next-hop-self
 exit-address-family
!
ip default-gateway 38.142.219.25
no ip nat service sip tcp port 5060
no ip nat service sip udp port 5060
ip nat pool OverCogent 38.142.219.27 38.142.219.27 netmask 255.255.255.248
ip nat pool FOComcast 38.142.219.28 38.142.219.28 prefix-length 29
ip nat inside source list 20 pool OverCogent overload
ip nat inside source list 30 pool FOComcast overload
no ip forward-protocol nd
!
ip bgp-community new-format
no ip http server
no ip http secure-server
ip tftp source-interface GigabitEthernet0/0/0
ip route 0.0.0.0 0.0.0.0 38.142.219.25
ip route 192.168.0.0 255.255.0.0 192.188.252.112
ip route 192.168.8.0 255.255.252.0 192.188.252.112
ip route 192.168.16.0 255.255.240.0 192.188.252.112
ip route 192.188.252.128 255.255.255.128 192.188.252.112
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh rsa keypair-name XXXXXXXXXXXXXXXXXX
ip ssh version 2
!
ip access-list extended UrbanPrivNet-AWS-VPN
 permit ip 192.168.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
!
ip prefix-list filter-default seq 5 deny 0.0.0.0/0
ip prefix-list filter-default seq 10 permit 0.0.0.0/0 le 32
logging facility local3
logging source-interface GigabitEthernet0/0/0
logging host 192.188.252.18 transport tcp port 1515
access-list 7 permit 0.0.0.0 255.255.255.240
access-list 10 permit 192.188.252.0 0.0.0.255
access-list 20 permit 192.168.32.0 0.0.15.255
access-list 30 permit 50.238.236.198
access-list 40 permit 204.11.201.12
access-list 40 permit 4.2.2.1
access-list 40 permit 4.2.2.2
access-list 40 permit 192.188.252.2
access-list 40 permit 108.61.73.244
access-list 50 permit 192.188.252.0 0.0.0.255
access-list 70 permit 192.168.8.0 0.0.3.255
access-list 70 permit 192.168.16.0 0.0.15.255
access-list 70 permit 192.188.252.0 0.0.0.255
access-list 70 deny any
access-list 80 permit any
access-list 102 permit udp host 208.67.222.222 eq domain any
access-list 102 permit udp host 208.67.220.220 eq domain any
access-list 102 permit udp host 64.72.64.10 eq domain any
access-list 102 permit udp host 72.22.160.14 eq domain any
access-list 102 permit tcp host 208.67.222.222 eq domain any
access-list 102 permit tcp host 208.67.220.220 eq domain any
access-list 102 permit tcp host 64.72.64.10 eq domain any
access-list 102 permit tcp host 72.22.160.14 eq domain any
access-list 102 permit udp host 66.28.0.45 eq domain any
access-list 102 permit udp host 66.28.0.61 eq domain any
access-list 102 permit tcp host 66.28.0.45 eq domain any
access-list 102 permit tcp host 66.28.0.61 eq domain any
access-list 102 deny ip any host 192.188.252.5
access-list 102 permit ip any any
access-list 110 permit ip 10.2.0.0 0.0.255.255 any
access-list 110 permit ip 10.20.0.0 0.0.255.255 any
access-list 110 permit ip 172.31.0.0 0.0.255.255 any
access-list 111 deny tcp any any eq 139
access-list 111 deny tcp any any eq msrpc
access-list 111 deny tcp any any eq 445
access-list 111 deny ip 127.0.0.0 0.0.0.255 any
access-list 111 deny ip 10.0.0.0 0.255.255.255 any
access-list 111 deny ip 172.16.0.0 0.0.15.255 any
access-list 111 deny ip 192.168.0.0 0.0.255.255 any
access-list 111 permit ip any any
access-list 120 permit ip any any
access-list 130 deny udp any any eq bootps
access-list 130 deny udp 192.168.32.0 0.0.15.255 host 192.168.8.8 eq ntp
access-list 130 deny tcp host 192.168.32.10 host 192.168.25.40 eq 8014
access-list 130 permit ip any any
access-list 140 permit ip any host 192.168.32.10
access-list 140 permit udp any eq ntp any
access-list 140 permit ip 8.28.0.0 0.0.3.255 192.168.32.0 0.0.15.255
access-list 140 permit ip 162.221.238.0 0.0.1.255 192.168.32.0 0.0.15.255
access-list 140 permit ip 192.84.16.0 0.0.3.255 192.168.32.0 0.0.15.255
access-list 140 permit ip 162.221.236.0 0.0.1.255 192.168.32.0 0.0.15.255
access-list 140 permit ip 8.5.248.0 0.0.1.255 192.168.32.0 0.0.15.255
access-list 140 permit ip 63.209.12.0 0.0.0.255 192.168.32.0 0.0.15.255
access-list 140 permit ip 217.163.57.0 0.0.0.255 192.168.32.0 0.0.15.255
access-list 140 permit ip 64.95.100.96 0.0.0.15 192.168.32.0 0.0.15.255
access-list 140 permit ip 103.239.164.0 0.0.0.255 192.168.32.0 0.0.15.255
access-list 140 permit ip 117.20.40.192 0.0.0.15 192.168.32.0 0.0.15.255
access-list 140 permit ip 103.252.162.0 0.0.0.255 192.168.32.0 0.0.15.255
access-list 140 permit ip 168.90.173.112 0.0.0.15 192.168.32.0 0.0.15.255
access-list 140 permit udp host 208.67.222.222 eq domain any
access-list 140 permit udp host 208.67.222.220 eq domain any
access-list 140 permit tcp host 208.67.222.222 eq domain any
access-list 140 permit tcp host 208.67.222.220 eq domain any
access-list 140 permit icmp 192.168.0.0 0.0.255.255 any
access-list 140 deny ip any any
access-list 150 permit udp any eq ntp any
access-list 150 permit ip host 8.28.0.12 192.168.32.0 0.0.15.255
access-list 150 permit udp 8.28.0.0 0.0.3.255 192.168.32.0 0.0.15.255
access-list 150 permit udp 162.221.238.0 0.0.1.255 192.168.32.0 0.0.15.255
access-list 150 permit udp 192.84.16.0 0.0.3.255 192.168.32.0 0.0.15.255
access-list 150 permit udp 162.221.236.0 0.0.1.255 192.168.32.0 0.0.15.255
access-list 150 permit udp 8.5.248.0 0.0.1.255 192.168.32.0 0.0.15.255
access-list 150 permit udp 63.209.12.0 0.0.0.255 192.168.32.0 0.0.15.255
access-list 150 permit udp 217.163.57.0 0.0.0.255 192.168.32.0 0.0.15.255
access-list 150 permit udp 64.95.100.96 0.0.0.15 192.168.32.0 0.0.15.255
access-list 150 permit udp 103.239.164.0 0.0.0.255 192.168.32.0 0.0.15.255
access-list 150 permit udp 117.20.40.192 0.0.0.15 192.168.32.0 0.0.15.255
access-list 150 permit udp 103.252.162.0 0.0.0.255 192.168.32.0 0.0.15.255
access-list 150 permit udp 168.90.173.112 0.0.0.15 192.168.32.0 0.0.15.255
access-list 150 permit udp 168.138.74.128 0.0.0.63 192.168.32.0 0.0.15.255
access-list 150 permit udp 140.238.129.0 0.0.0.63 192.168.32.0 0.0.15.255
access-list 150 permit udp 129.151.79.0 0.0.0.255 192.168.32.0 0.0.15.255
access-list 150 permit udp 152.67.181.0 0.0.0.63 192.168.32.0 0.0.15.255
access-list 150 permit udp 158.101.200.0 0.0.0.63 192.168.32.0 0.0.15.255
access-list 150 permit udp 129.159.80.0 0.0.0.255 192.168.32.0 0.0.15.255
access-list 150 permit udp 168.138.245.128 0.0.0.127 192.168.32.0 0.0.15.255
access-list 150 permit udp 130.61.163.0 0.0.0.127 192.168.32.0 0.0.15.255
access-list 150 permit udp 152.67.145.0 0.0.0.255 192.168.32.0 0.0.15.255
access-list 150 permit udp 158.101.41.0 0.0.0.255 192.168.32.0 0.0.15.255
access-list 150 permit tcp 8.28.0.0 0.0.3.255 192.168.32.0 0.0.15.255
access-list 150 permit tcp 162.221.238.0 0.0.1.255 192.168.32.0 0.0.15.255
access-list 150 permit tcp 192.84.16.0 0.0.3.255 192.168.32.0 0.0.15.255
access-list 150 permit tcp 162.221.236.0 0.0.1.255 192.168.32.0 0.0.15.255
access-list 150 permit tcp 8.5.248.0 0.0.1.255 192.168.32.0 0.0.15.255
access-list 150 permit tcp 63.209.12.0 0.0.0.255 192.168.32.0 0.0.15.255
access-list 150 permit tcp 217.163.57.0 0.0.0.255 192.168.32.0 0.0.15.255
access-list 150 permit tcp 64.95.100.96 0.0.0.15 192.168.32.0 0.0.15.255
access-list 150 permit tcp 103.239.164.0 0.0.0.255 192.168.32.0 0.0.15.255
access-list 150 permit tcp 117.20.40.192 0.0.0.15 192.168.32.0 0.0.15.255
access-list 150 permit tcp 103.252.162.0 0.0.0.255 192.168.32.0 0.0.15.255
access-list 150 permit tcp 168.90.173.112 0.0.0.15 192.168.32.0 0.0.15.255
access-list 150 permit tcp 168.138.74.128 0.0.0.63 192.168.32.0 0.0.15.255
access-list 150 permit tcp 140.238.129.0 0.0.0.63 192.168.32.0 0.0.15.255
access-list 150 permit tcp 129.151.79.0 0.0.0.255 192.168.32.0 0.0.15.255
access-list 150 permit tcp 152.67.181.0 0.0.0.63 192.168.32.0 0.0.15.255
access-list 150 permit tcp 158.101.200.0 0.0.0.63 192.168.32.0 0.0.15.255
access-list 150 permit tcp 129.159.80.0 0.0.0.255 192.168.32.0 0.0.15.255
access-list 150 permit tcp 168.138.245.128 0.0.0.127 192.168.32.0 0.0.15.255
access-list 150 permit tcp 130.61.163.0 0.0.0.127 192.168.32.0 0.0.15.255
access-list 150 permit tcp 152.67.145.0 0.0.0.255 192.168.32.0 0.0.15.255
access-list 150 permit tcp 158.101.41.0 0.0.0.255 192.168.32.0 0.0.15.255
access-list 150 permit icmp 8.28.0.0 0.0.3.255 192.168.32.0 0.0.15.255
access-list 150 permit icmp 162.221.238.0 0.0.1.255 192.168.32.0 0.0.15.255
access-list 150 permit icmp 192.84.16.0 0.0.3.255 192.168.32.0 0.0.15.255
access-list 150 permit icmp 162.221.236.0 0.0.1.255 192.168.32.0 0.0.15.255
access-list 150 permit icmp 8.5.248.0 0.0.1.255 192.168.32.0 0.0.15.255
access-list 150 permit icmp 63.209.12.0 0.0.0.255 192.168.32.0 0.0.15.255
access-list 150 permit icmp 217.163.57.0 0.0.0.255 192.168.32.0 0.0.15.255
access-list 150 permit icmp 64.95.100.96 0.0.0.15 192.168.32.0 0.0.15.255
access-list 150 permit icmp 103.239.164.0 0.0.0.255 192.168.32.0 0.0.15.255
access-list 150 permit icmp 117.20.40.192 0.0.0.15 192.168.32.0 0.0.15.255
access-list 150 permit icmp 103.252.162.0 0.0.0.255 192.168.32.0 0.0.15.255
access-list 150 permit icmp 168.90.173.112 0.0.0.15 192.168.32.0 0.0.15.255
access-list 150 permit icmp 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 150 permit icmp 168.138.74.128 0.0.0.63 192.168.32.0 0.0.15.255
access-list 150 permit icmp 140.238.129.0 0.0.0.63 192.168.32.0 0.0.15.255
access-list 150 permit icmp 129.151.79.0 0.0.0.255 192.168.32.0 0.0.15.255
access-list 150 permit icmp 152.67.181.0 0.0.0.63 192.168.32.0 0.0.15.255
access-list 150 permit icmp 158.101.200.0 0.0.0.63 192.168.32.0 0.0.15.255
access-list 150 permit icmp 129.159.80.0 0.0.0.255 192.168.32.0 0.0.15.255
access-list 150 permit icmp 168.138.245.128 0.0.0.127 192.168.32.0 0.0.15.255
access-list 150 permit icmp 130.61.163.0 0.0.0.127 192.168.32.0 0.0.15.255
access-list 150 permit icmp 152.67.145.0 0.0.0.255 192.168.32.0 0.0.15.255
access-list 150 permit icmp 158.101.41.0 0.0.0.255 192.168.32.0 0.0.15.255
access-list 150 permit udp host 208.67.222.222 eq domain any
access-list 150 permit udp host 208.67.220.220 eq domain any
access-list 150 permit tcp host 208.67.222.222 eq domain any
access-list 150 permit tcp host 208.67.222.220 eq domain any
access-list 150 deny ip any any log
!
route-map TO-COGENT permit 10
 match ip address 10
 set as-path prepend 25778 25778
!
route-map AWS-IN permit 10
 match ip address 110
!
snmp-server community XXXXXXXXXXXXXXXXXX RO 70
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
banner login C
*** Access by Unauthorized Users Prohibited ***

!
line con 0
 exec-timeout 5 0
 password 7 XXXXXXXXXXXXXXXXXX
 stopbits 1
line aux 0
 exec-timeout 5 0
 password 7 XXXXXXXXXXXXXXXXXX
 stopbits 1
line vty 0 4
 access-class 70 in
 exec-timeout 15 0
 password 7 XXXXXXXXXXXXXXXXXX
 transport input telnet ssh
!
ntp allow mode control 3
ntp server 4.2.2.1
ntp server 4.2.2.2
ntp peer 192.188.252.2
ntp server 0.north-america.pool.ntp.org minpoll 8
!
end

@eegrad85 What about the IKE debug output and the AWS configuration screenshots?

Rob,

I am still trying to figure out how to get it.

eegrad85

May 27 11:23:36.657 EDT: ISAKMP: (0):purging node 2519928943

May 27 11:23:36.657 EDT: ISAKMP: (0):purging node 1176141962

May 27 11:23:37.093 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...

May 27 11:23:37.093 EDT: ISAKMP: (0):: incrementing error counter on sa, attempt 5 of 5: retransmit phase 1

May 27 11:23:37.093 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE

May 27 11:23:37.094 EDT: ISAKMP-PAK: (0):sending packet to 3.216.207.21 my_port 500 peer_port 500 (I) MM_NO_STATE

May 27 11:23:37.094 EDT: ISAKMP: (0):Sending an IKE IPv4 Packet.

May 27 11:23:45.184 EDT: BGP: 169.254.150.41 Active open failed - update-source NULL is not available, open active delayed 13312ms (35000ms max, 60% jitter)

May 27 11:23:46.658 EDT: ISAKMP: (0):purging SA., sa=7FA7F9026168, delme=7FA7F9026168

May 27 11:23:47.091 EDT: IPSEC:(SESSION ID = 1) (key_engine) request timer fired: count = 2,

  (identity) local= 38.142.219.26:0, remote= 3.216.207.21:0,

    local_proxy= 0.0.0.0/0.0.0.0/256/0,

    remote_proxy= 0.0.0.0/0.0.0.0/256/0

May 27 11:23:47.093 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...

May 27 11:23:47.093 EDT: ISAKMP: (0):peer does not do paranoid keepalives.

May 27 11:23:47.093 EDT: ISAKMP-ERROR: (0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 3.216.207.21)

May 27 11:23:47.093 EDT: ISAKMP-ERROR: (0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 3.216.207.21)

May 27 11:23:47.093 EDT: ISAKMP: (0):Unlocking peer struct 0x7FA7F91102F8 for isadb_mark_sa_deleted(), count 0

May 27 11:23:47.093 EDT: ISAKMP: (0):Deleting peer node by peer_reap for 3.216.207.21: 7FA7F91102F8

May 27 11:23:47.098 EDT: ISAKMP: (0):deleting node 1344168541 error FALSE reason "IKE deleted"

May 27 11:23:47.098 EDT: ISAKMP: (0):deleting node 1059467101 error FALSE reason "IKE deleted"

May 27 11:23:47.098 EDT: ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL

May 27 11:23:47.098 EDT: ISAKMP: (0):Old State = IKE_I_MM1  New State = IKE_DEST_SA

 

May 27 11:23:47.098 EDT: IPSEC(key_engine): got a queue event with 1 KMI message(s)

May 27 11:23:47.232 EDT: BGP: 169.254.227.217 Active open failed - update-source NULL is not available, open active delayed 9216ms (35000ms max, 60% jitter)

May 27 11:23:47.526 EDT: IPSEC(sa_request): ,

  (key eng. msg.) OUTBOUND local= 38.142.219.26:500, remote= 3.216.207.21:500,

    local_proxy= 0.0.0.0/0.0.0.0/256/0,

    remote_proxy= 0.0.0.0/0.0.0.0/256/0,

    protocol= ESP, transform= esp-aes esp-sha-hmac  (Tunnel),

    lifedur= 3600s and 4608000kb,

    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0

May 27 11:23:47.527 EDT: ISAKMP: (0):SA request profile is (NULL)

May 27 11:23:47.527 EDT: ISAKMP: (0):Created a peer struct for 3.216.207.21, peer port 500

May 27 11:23:47.527 EDT: ISAKMP: (0):New peer created peer = 0x7FA7F9105438 peer_handle = 0x800006B3

May 27 11:23:47.527 EDT: ISAKMP: (0):Locking peer struct 0x7FA7F9105438, refcount 1 for isakmp_initiator

May 27 11:23:47.527 EDT: ISAKMP: (0):local port 500, remote port 500

May 27 11:23:47.527 EDT: ISAKMP: (0):set new node 0 to QM_IDLE

May 27 11:23:47.527 EDT: ISAKMP: (0):Find a dup sa in the avl tree during calling isadb_insert sa = 7FA7F9026168

May 27 11:23:47.527 EDT: ISAKMP: (0):Can not start Aggressive mode, trying Main mode.

May 27 11:23:47.527 EDT: ISAKMP: (0):found peer pre-shared key matching 3.216.207.21

May 27 11:23:47.527 EDT: ISAKMP: (0):constructed NAT-T vendor-rfc3947 ID

May 27 11:23:47.527 EDT: ISAKMP: (0):constructed NAT-T vendor-07 ID

May 27 11:23:47.527 EDT: ISAKMP: (0):constructed NAT-T vendor-03 ID

May 27 11:23:47.527 EDT: ISAKMP: (0):constructed NAT-T vendor-02 ID

May 27 11:23:47.527 EDT: ISAKMP: (0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM

May 27 11:23:47.527 EDT: ISAKMP: (0):Old State = IKE_READY  New State = IKE_I_MM1

 

May 27 11:23:47.527 EDT: ISAKMP: (0):beginning Main Mode exchange

May 27 11:23:47.527 EDT: ISAKMP-PAK: (0):sending packet to 3.216.207.21 my_port 500 peer_port 500 (I) MM_NO_STATE

May 27 11:23:47.527 EDT: ISAKMP: (0):Sending an IKE IPv4 Packet.
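
One way to check debug output like the above for a one-way IKE exchange, as an added example that is not part of the original thread: it counts ISAKMP packets sent to and received from each peer and reports whether the initiator ever saw a reply. The sample lines are constructed in the format of the posted output with documentation addresses, and the `received packet from` line format is an assumption, since no such line appears in the thread.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt in the format of the posted debug output
# (documentation address 192.0.2.21 stands in for the remote peer).
SAMPLE_ONE_WAY = """\
May 27 11:31:50.950 EDT: ISAKMP: (0):Created a peer struct for 192.0.2.21, peer port 500
May 27 11:31:50.950 EDT: ISAKMP: (0):Old State = IKE_READY  New State = IKE_I_MM1
May 27 11:31:50.950 EDT: ISAKMP-PAK: (0):sending packet to 192.0.2.21 my_port 500 peer_port 500 (I) MM_NO_STATE
May 27 11:31:51.633 EDT: BGP: 169.254.227.217 Active open failed - update-source NULL is not available
May 27 11:32:30.953 EDT: ISAKMP: (0):: incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
May 27 11:32:30.953 EDT: ISAKMP-PAK: (0):sending packet to 192.0.2.21 my_port 500 peer_port 500 (I) MM_NO_STATE
May 27 11:32:40.953 EDT: ISAKMP: (0):: incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
May 27 11:32:40.953 EDT: ISAKMP-PAK: (0):sending packet to 192.0.2.21 my_port 500 peer_port 500 (I) MM_NO_STATE
May 27 11:32:50.953 EDT: ISAKMP-ERROR: (0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 192.0.2.21)
May 27 11:32:50.953 EDT: ISAKMP-ERROR: (0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 192.0.2.21)
May 27 11:32:50.958 EDT: ISAKMP: (0):Old State = IKE_I_MM1  New State = IKE_DEST_SA
"""

# Constructed contrast case. The "received packet from" wording is an
# assumption about how a reply is logged; it is not shown in the thread.
SAMPLE_REPLY = """\
May 27 12:00:00.000 EDT: ISAKMP: (0):Created a peer struct for 192.0.2.21, peer port 500
May 27 12:00:00.000 EDT: ISAKMP-PAK: (0):sending packet to 192.0.2.21 my_port 500 peer_port 500 (I) MM_NO_STATE
May 27 12:00:00.050 EDT: ISAKMP-PAK: (0):received packet from 192.0.2.21 dport 500 sport 500 Global (I) MM_NO_STATE
May 27 12:00:00.050 EDT: ISAKMP: (0):Old State = IKE_I_MM1  New State = IKE_I_MM2
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
PEER_RE = re.compile(r"Created a peer struct for " + IP)
SEND_RE = re.compile(r"sending packet to " + IP + r" my_port \d+ peer_port \d+")
RECV_RE = re.compile(r"received packet from " + IP)
ATTEMPT_RE = re.compile(r"attempt (\d+) of (\d+): retransmit phase 1")
DELETE_RE = re.compile(r'deleting SA reason "([^"]+)" state \([IR]\) \S+ \(peer ' + IP + r"\)")
STATE_RE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")


@dataclass
class PeerStats:
    sent: int = 0
    received: int = 0
    max_attempt: int = 0
    attempt_limit: int = 0
    delete_reasons: set = field(default_factory=set)
    states: list = field(default_factory=list)


def summarize(log_text):
    """Return {peer_ip: PeerStats} for the ISAKMP lines in a debug capture."""
    peers, current = {}, None
    for line in log_text.splitlines():
        if "ISAKMP" not in line:
            continue  # skip BGP, IPSEC and blank lines interleaved in the capture
        if m := SEND_RE.search(line):
            current = m.group(1)
            peers.setdefault(current, PeerStats()).sent += 1
        elif m := RECV_RE.search(line):
            current = m.group(1)
            peers.setdefault(current, PeerStats()).received += 1
        elif m := DELETE_RE.search(line):
            # The same deletion can be logged twice; a set keeps one copy.
            peers.setdefault(m.group(2), PeerStats()).delete_reasons.add(m.group(1))
        elif m := PEER_RE.search(line):
            current = m.group(1)
            peers.setdefault(current, PeerStats())
        elif current is not None:
            # Retransmit and state lines carry no address, so they are
            # attributed to the most recently named peer (a heuristic).
            stats = peers[current]
            if m := ATTEMPT_RE.search(line):
                stats.max_attempt = max(stats.max_attempt, int(m.group(1)))
                stats.attempt_limit = int(m.group(2))
            elif m := STATE_RE.search(line):
                stats.states.append((m.group(1), m.group(2)))
    return peers


def diagnose(stats):
    """Classify one peer's exchange from the local router's point of view."""
    if stats.sent == 0:
        return "NO_ATTEMPT"
    if stats.received == 0:
        if any("retransmission" in reason for reason in stats.delete_reasons):
            return "NO_REPLY_SA_TIMED_OUT"
        return "NO_REPLY_SO_FAR"
    return "REPLY_SEEN"


if __name__ == "__main__":
    for name, text in (("one-way", SAMPLE_ONE_WAY), ("reply", SAMPLE_REPLY)):
        for peer, stats in summarize(text).items():
            print(name, peer, diagnose(stats), stats)
```

A `NO_REPLY` result means the initiator never saw any response to its first Main Mode message, so the first things to verify are that UDP 500 leaves and returns on the outside interface and that the configured peer address matches the remote gateway.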

Here is the AWS Config screenshot: Capture.PNG

More logs.

May 27 11:31:00.524 EDT: ISAKMP: (0):Sending an IKE IPv4 Packet.

May 27 11:31:03.502 EDT: BGP: 169.254.150.41 Active open failed - update-source NULL is not available, open active delayed 13312ms (35000ms max, 60% jitter)

May 27 11:31:04.526 EDT: BGP: 169.254.227.217 Active open failed - update-source NULL is not available, open active delayed 13312ms (35000ms max, 60% jitter)

May 27 11:31:10.525 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...

May 27 11:31:10.525 EDT: ISAKMP: (0):: incrementing error counter on sa, attempt 2 of 5: retransmit phase 1

May 27 11:31:10.525 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE

May 27 11:31:10.525 EDT: ISAKMP-PAK: (0):sending packet to 3.216.207.21 my_port 500 peer_port 500 (I) MM_NO_STATE

May 27 11:31:10.525 EDT: ISAKMP: (0):Sending an IKE IPv4 Packet.

May 27 11:31:16.815 EDT: BGP: 169.254.150.41 Active open failed - update-source NULL is not available, open active delayed 7168ms (35000ms max, 60% jitter)

May 27 11:31:17.839 EDT: BGP: 169.254.227.217 Active open failed - update-source NULL is not available, open active delayed 11264ms (35000ms max, 60% jitter)

May 27 11:31:20.524 EDT: IPSEC:(SESSION ID = 1) (key_engine) request timer fired: count = 1,

  (identity) local= 38.142.219.26:0, remote= 3.216.207.21:0,

    local_proxy= 0.0.0.0/0.0.0.0/256/0,

    remote_proxy= 0.0.0.0/0.0.0.0/256/0

May 27 11:31:20.524 EDT: IPSEC(sa_request): ,

  (key eng. msg.) OUTBOUND local= 38.142.219.26:500, remote= 3.216.207.21:500,

    local_proxy= 0.0.0.0/0.0.0.0/256/0,

    remote_proxy= 0.0.0.0/0.0.0.0/256/0,

    protocol= ESP, transform= esp-aes esp-sha-hmac  (Tunnel),

    lifedur= 3600s and 4608000kb,

    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0

May 27 11:31:20.524 EDT: ISAKMP: (0):set new node 0 to QM_IDLE

May 27 11:31:20.524 EDT: ISAKMP-ERROR: (0):SA is still budding. Attached new ipsec request to it. (local 38.142.219.26, remote 3.216.207.21)

May 27 11:31:20.526 EDT: ISAKMP-ERROR: (0):Error while processing SA request: Failed to initialize SA

May 27 11:31:20.526 EDT: ISAKMP-ERROR: (0):Error while processing KMI message 0, error 2.

May 27 11:31:20.526 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...

May 27 11:31:20.526 EDT: ISAKMP: (0):: incrementing error counter on sa, attempt 3 of 5: retransmit phase 1

May 27 11:31:20.526 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE

May 27 11:31:20.526 EDT: ISAKMP-PAK: (0):sending packet to 3.216.207.21 my_port 500 peer_port 500 (I) MM_NO_STATE

May 27 11:31:20.526 EDT: ISAKMP: (0):Sending an IKE IPv4 Packet.

May 27 11:31:23.984 EDT: BGP: 169.254.150.41 Active open failed - update-source NULL is not available, open active delayed 14336ms (35000ms max, 60% jitter)

May 27 11:31:29.104 EDT: BGP: 169.254.227.217 Active open failed - update-source NULL is not available, open active delayed 10240ms (35000ms max, 60% jitter)

May 27 11:31:29.411 EDT: BGP: topo global:IPv4 Unicast:base Scanning routing tables

May 27 11:31:29.412 EDT: BGP: topo global:IPv4 Multicast:base Scanning routing tables

May 27 11:31:29.412 EDT: BGP: topo global:L2VPN E-VPN:base Scanning routing tables

May 27 11:31:29.412 EDT: BGP: topo global:MVPNv4 Unicast:base Scanning routing tables

May 27 11:31:30.526 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...

May 27 11:31:30.526 EDT: ISAKMP: (0):: incrementing error counter on sa, attempt 4 of 5: retransmit phase 1

May 27 11:31:30.526 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE

May 27 11:31:30.526 EDT: ISAKMP-PAK: (0):sending packet to 3.216.207.21 my_port 500 peer_port 500 (I) MM_NO_STATE

May 27 11:31:30.526 EDT: ISAKMP: (0):Sending an IKE IPv4 Packet.

May 27 11:31:38.320 EDT: BGP: 169.254.150.41 Active open failed - update-source NULL is not available, open active delayed 8192ms (35000ms max, 60% jitter)

May 27 11:31:39.344 EDT: BGP: 169.254.227.217 Active open failed - update-source NULL is not available, open active delayed 12288ms (35000ms max, 60% jitter)

May 27 11:31:40.107 EDT: ISAKMP: (0):purging node 2871750416

May 27 11:31:40.107 EDT: ISAKMP: (0):purging node 2025881919

May 27 11:31:40.526 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...

May 27 11:31:40.526 EDT: ISAKMP: (0):: incrementing error counter on sa, attempt 5 of 5: retransmit phase 1

May 27 11:31:40.526 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE

May 27 11:31:40.526 EDT: ISAKMP-PAK: (0):sending packet to 3.216.207.21 my_port 500 peer_port 500 (I) MM_NO_STATE

May 27 11:31:40.526 EDT: ISAKMP: (0):Sending an IKE IPv4 Packet.

May 27 11:31:46.512 EDT: BGP: 169.254.150.41 Active open failed - update-source NULL is not available, open active delayed 8192ms (35000ms max, 60% jitter)

May 27 11:31:50.107 EDT: ISAKMP: (0):purging SA., sa=7FA7F9026168, delme=7FA7F9026168

May 27 11:31:50.525 EDT: IPSEC:(SESSION ID = 1) (key_engine) request timer fired: count = 2,

  (identity) local= 38.142.219.26:0, remote= 3.216.207.21:0,

    local_proxy= 0.0.0.0/0.0.0.0/256/0,

    remote_proxy= 0.0.0.0/0.0.0.0/256/0

May 27 11:31:50.526 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...

May 27 11:31:50.526 EDT: ISAKMP: (0):peer does not do paranoid keepalives.

May 27 11:31:50.526 EDT: ISAKMP-ERROR: (0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 3.216.207.21)

May 27 11:31:50.526 EDT: ISAKMP-ERROR: (0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 3.216.207.21)

May 27 11:31:50.526 EDT: ISAKMP: (0):Unlocking peer struct 0x7FA7F900F968 for isadb_mark_sa_deleted(), count 0

May 27 11:31:50.526 EDT: ISAKMP: (0):Deleting peer node by peer_reap for 3.216.207.21: 7FA7F900F968

May 27 11:31:50.531 EDT: ISAKMP: (0):deleting node 3217270025 error FALSE reason "IKE deleted"

May 27 11:31:50.531 EDT: ISAKMP: (0):deleting node 698558212 error FALSE reason "IKE deleted"

May 27 11:31:50.531 EDT: ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL

May 27 11:31:50.531 EDT: ISAKMP: (0):Old State = IKE_I_MM1  New State = IKE_DEST_SA

 

May 27 11:31:50.531 EDT: IPSEC(key_engine): got a queue event with 1 KMI message(s)

May 27 11:31:50.950 EDT: IPSEC(sa_request): ,

  (key eng. msg.) OUTBOUND local= 38.142.219.26:500, remote= 3.216.207.21:500,

    local_proxy= 0.0.0.0/0.0.0.0/256/0,

    remote_proxy= 0.0.0.0/0.0.0.0/256/0,

    protocol= ESP, transform= esp-aes esp-sha-hmac  (Tunnel),

    lifedur= 3600s and 4608000kb,

    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0

May 27 11:31:50.950 EDT: ISAKMP: (0):SA request profile is (NULL)

May 27 11:31:50.950 EDT: ISAKMP: (0):Created a peer struct for 3.216.207.21, peer port 500

May 27 11:31:50.950 EDT: ISAKMP: (0):New peer created peer = 0x7FA7F9105438 peer_handle = 0x800006BB

May 27 11:31:50.950 EDT: ISAKMP: (0):Locking peer struct 0x7FA7F9105438, refcount 1 for isakmp_initiator

May 27 11:31:50.950 EDT: ISAKMP: (0):local port 500, remote port 500

May 27 11:31:50.950 EDT: ISAKMP: (0):set new node 0 to QM_IDLE

May 27 11:31:50.950 EDT: ISAKMP: (0):Find a dup sa in the avl tree during calling isadb_insert sa = 7FA7F9026168

May 27 11:31:50.950 EDT: ISAKMP: (0):Can not start Aggressive mode, trying Main mode.

May 27 11:31:50.950 EDT: ISAKMP: (0):found peer pre-shared key matching 3.216.207.21

May 27 11:31:50.950 EDT: ISAKMP: (0):constructed NAT-T vendor-rfc3947 ID

May 27 11:31:50.950 EDT: ISAKMP: (0):constructed NAT-T vendor-07 ID

May 27 11:31:50.950 EDT: ISAKMP: (0):constructed NAT-T vendor-03 ID

May 27 11:31:50.950 EDT: ISAKMP: (0):constructed NAT-T vendor-02 ID

May 27 11:31:50.950 EDT: ISAKMP: (0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM

May 27 11:31:50.950 EDT: ISAKMP: (0):Old State = IKE_READY  New State = IKE_I_MM1

 

May 27 11:31:50.950 EDT: ISAKMP: (0):beginning Main Mode exchange

May 27 11:31:50.950 EDT: ISAKMP-PAK: (0):sending packet to 3.216.207.21 my_port 500 peer_port 500 (I) MM_NO_STATE

May 27 11:31:50.950 EDT: ISAKMP: (0):Sending an IKE IPv4 Packet.

May 27 11:31:51.633 EDT: BGP: 169.254.227.217 Active open failed - update-source NULL is not available, open active delayed 14336ms (35000ms max, 60% jitter)

May 27 11:31:54.704 EDT: BGP: 169.254.150.41 Active open failed - update-source NULL is not available, open active delayed 7168ms (35000ms max, 60% jitter)

May 27 11:32:00.950 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...

May 27 11:32:00.950 EDT: ISAKMP: (0):: incrementing error counter on sa, attempt 1 of 5: retransmit phase 1

May 27 11:32:00.950 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE

May 27 11:32:00.950 EDT: ISAKMP-PAK: (0):sending packet to 3.216.207.21 my_port 500 peer_port 500 (I) MM_NO_STATE

May 27 11:32:00.950 EDT: ISAKMP: (0):Sending an IKE IPv4 Packet.

May 27 11:32:01.873 EDT: BGP: 169.254.150.41 Active open failed - update-source NULL is not available, open active delayed 9216ms (35000ms max, 60% jitter)

May 27 11:32:05.968 EDT: BGP: 169.254.227.217 Active open failed - update-source NULL is not available, open active delayed 8192ms (35000ms max, 60% jitter)

May 27 11:32:10.951 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...

May 27 11:32:10.951 EDT: ISAKMP: (0):: incrementing error counter on sa, attempt 2 of 5: retransmit phase 1

May 27 11:32:10.951 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE

May 27 11:32:10.951 EDT: ISAKMP-PAK: (0):sending packet to 3.216.207.21 my_port 500 peer_port 500 (I) MM_NO_STATE

May 27 11:32:10.951 EDT: ISAKMP: (0):Sending an IKE IPv4 Packet.

May 27 11:32:11.088 EDT: BGP: 169.254.150.41 Active open failed - update-source NULL is not available, open active delayed 14336ms (35000ms max, 60% jitter)

May 27 11:32:14.162 EDT: BGP: 169.254.227.217 Active open failed - update-source NULL is not available, open active delayed 8192ms (35000ms max, 60% jitter)

May 27 11:32:20.949 EDT: IPSEC:(SESSION ID = 1) (key_engine) request timer fired: count = 1,

  (identity) local= 38.142.219.26:0, remote= 3.216.207.21:0,

    local_proxy= 0.0.0.0/0.0.0.0/256/0,

    remote_proxy= 0.0.0.0/0.0.0.0/256/0

May 27 11:32:20.950 EDT: IPSEC(sa_request): ,

  (key eng. msg.) OUTBOUND local= 38.142.219.26:500, remote= 3.216.207.21:500,

    local_proxy= 0.0.0.0/0.0.0.0/256/0,

    remote_proxy= 0.0.0.0/0.0.0.0/256/0,

    protocol= ESP, transform= esp-aes esp-sha-hmac  (Tunnel),

    lifedur= 3600s and 4608000kb,

    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0

May 27 11:32:20.950 EDT: ISAKMP: (0):set new node 0 to QM_IDLE

May 27 11:32:20.950 EDT: ISAKMP-ERROR: (0):SA is still budding. Attached new ipsec request to it. (local 38.142.219.26, remote 3.216.207.21)

May 27 11:32:20.952 EDT: ISAKMP-ERROR: (0):Error while processing SA request: Failed to initialize SA

May 27 11:32:20.952 EDT: ISAKMP-ERROR: (0):Error while processing KMI message 0, error 2.

May 27 11:32:20.952 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...

May 27 11:32:20.952 EDT: ISAKMP: (0):: incrementing error counter on sa, attempt 3 of 5: retransmit phase 1

May 27 11:32:20.952 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE

May 27 11:32:20.952 EDT: ISAKMP-PAK: (0):sending packet to 3.216.207.21 my_port 500 peer_port 500 (I) MM_NO_STATE

May 27 11:32:20.952 EDT: ISAKMP: (0):Sending an IKE IPv4 Packet.

May 27 11:32:22.355 EDT: BGP: 169.254.227.217 Active open failed - update-source NULL is not available, open active delayed 7168ms (35000ms max, 60% jitter)

May 27 11:32:25.429 EDT: BGP: 169.254.150.41 Active open failed - update-source NULL is not available, open active delayed 8192ms (35000ms max, 60% jitter)

May 27 11:32:29.414 EDT: BGP: topo global:IPv4 Unicast:base Scanning routing tables

May 27 11:32:29.415 EDT: BGP: topo global:IPv4 Multicast:base Scanning routing tables

May 27 11:32:29.415 EDT: BGP: topo global:L2VPN E-VPN:base Scanning routing tables

May 27 11:32:29.415 EDT: BGP: topo global:MVPNv4 Unicast:base Scanning routing tables

May 27 11:32:29.524 EDT: BGP: 169.254.227.217 Active open failed - update-source NULL is not available, open active delayed 11264ms (35000ms max, 60% jitter)

May 27 11:32:30.953 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...

May 27 11:32:30.953 EDT: ISAKMP: (0):: incrementing error counter on sa, attempt 4 of 5: retransmit phase 1

May 27 11:32:30.953 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE

May 27 11:32:30.953 EDT: ISAKMP-PAK: (0):sending packet to 3.216.207.21 my_port 500 peer_port 500 (I) MM_NO_STATE

May 27 11:32:30.953 EDT: ISAKMP: (0):Sending an IKE IPv4 Packet.

May 27 11:32:33.621 EDT: BGP: 169.254.150.41 Active open failed - update-source NULL is not available, open active delayed 8192ms (35000ms max, 60% jitter)

May 27 11:32:40.532 EDT: ISAKMP: (0):purging node 3217270025

May 27 11:32:40.532 EDT: ISAKMP: (0):purging node 698558212

May 27 11:32:40.788 EDT: BGP: 169.254.227.217 Active open failed - update-source NULL is not available, open active delayed 13312ms (35000ms max, 60% jitter)

May 27 11:32:40.953 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...

May 27 11:32:40.953 EDT: ISAKMP: (0):: incrementing error counter on sa, attempt 5 of 5: retransmit phase 1

May 27 11:32:40.953 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE

May 27 11:32:40.953 EDT: ISAKMP-PAK: (0):sending packet to 3.216.207.21 my_port 500 peer_port 500 (I) MM_NO_STATE

May 27 11:32:40.953 EDT: ISAKMP: (0):Sending an IKE IPv4 Packet.

May 27 11:32:41.812 EDT: BGP: 169.254.150.41 Active open failed - update-source NULL is not available, open active delayed 11264ms (35000ms max, 60% jitter)

May 27 11:32:50.531 EDT: ISAKMP: (0):purging SA., sa=7FA7F9158C78, delme=7FA7F9158C78

May 27 11:32:50.949 EDT: IPSEC:(SESSION ID = 1) (key_engine) request timer fired: count = 2,

  (identity) local= 38.142.219.26:0, remote= 3.216.207.21:0,

    local_proxy= 0.0.0.0/0.0.0.0/256/0,

    remote_proxy= 0.0.0.0/0.0.0.0/256/0

May 27 11:32:50.954 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...

May 27 11:32:50.954 EDT: ISAKMP: (0):peer does not do paranoid keepalives.

May 27 11:32:50.954 EDT: ISAKMP-ERROR: (0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 3.216.207.21)

May 27 11:32:50.954 EDT: ISAKMP-ERROR: (0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 3.216.207.21)

May 27 11:32:50.954 EDT: ISAKMP: (0):Unlocking peer struct 0x7FA7F9105438 for isadb_mark_sa_deleted(), count 0

May 27 11:32:50.954 EDT: ISAKMP: (0):Deleting peer node by peer_reap for 3.216.207.21: 7FA7F9105438

May 27 11:32:50.959 EDT: ISAKMP: (0):deleting node 3692894607 error FALSE reason "IKE deleted"

May 27 11:32:50.959 EDT: ISAKMP: (0):deleting node 1949528906 error FALSE reason "IKE deleted"

May 27 11:32:50.959 EDT: ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL

May 27 11:32:50.959 EDT: ISAKMP: (0):Old State = IKE_I_MM1  New State = IKE_DEST_SA

 

May 27 11:32:50.960 EDT: IPSEC(key_engine): got a queue event with 1 KMI message(s)

May 27 11:32:51.376 EDT: IPSEC(sa_request): ,

  (key eng. msg.) OUTBOUND local= 38.142.219.26:500, remote= 3.216.207.21:500,

    local_proxy= 0.0.0.0/0.0.0.0/256/0,

    remote_proxy= 0.0.0.0/0.0.0.0/256/0,

    protocol= ESP, transform= esp-aes esp-sha-hmac  (Tunnel),

    lifedur= 3600s and 4608000kb,

    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0

May 27 11:32:51.376 EDT: ISAKMP: (0):SA request profile is (NULL)

May 27 11:32:51.376 EDT: ISAKMP: (0):Created a peer struct for 3.216.207.21, peer port 500

May 27 11:32:51.376 EDT: ISAKMP: (0):New peer created peer = 0x7FA7F8BD2280 peer_handle = 0x800006BC

May 27 11:32:51.376 EDT: ISAKMP: (0):Locking peer struct 0x7FA7F8BD2280, refcount 1 for isakmp_initiator

May 27 11:32:51.376 EDT: ISAKMP: (0):local port 500, remote port 500

May 27 11:32:51.376 EDT: ISAKMP: (0):set new node 0 to QM_IDLE

May 27 11:32:51.376 EDT: ISAKMP: (0):Find a dup sa in the avl tree during calling isadb_insert sa = 7FA7F9158C78

May 27 11:32:51.376 EDT: ISAKMP: (0):Can not start Aggressive mode, trying Main mode.

May 27 11:32:51.377 EDT: ISAKMP: (0):found peer pre-shared key matching 3.216.207.21

May 27 11:32:51.377 EDT: ISAKMP: (0):constructed NAT-T vendor-rfc3947 ID

May 27 11:32:51.377 EDT: ISAKMP: (0):constructed NAT-T vendor-07 ID

May 27 11:32:51.377 EDT: ISAKMP: (0):constructed NAT-T vendor-03 ID

May 27 11:32:51.377 EDT: ISAKMP: (0):constructed NAT-T vendor-02 ID

May 27 11:32:51.377 EDT: ISAKMP: (0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM

May 27 11:32:51.377 EDT: ISAKMP: (0):Old State = IKE_READY  New State = IKE_I_MM1

 

May 27 11:32:51.377 EDT: ISAKMP: (0):beginning Main Mode exchange

May 27 11:32:51.377 EDT: ISAKMP-PAK: (0):sending packet to 3.216.207.21 my_port 500 peer_port 500 (I) MM_NO_STATE

May 27 11:32:51.377 EDT: ISAKMP: (0):Sending an IKE IPv4 Packet.

May 27 11:32:53.076 EDT: BGP: 169.254.150.41 Active open failed - update-source NULL is not available, open active delayed 7168ms (35000ms max, 60% jitter)

May 27 11:32:54.100 EDT: BGP: 169.254.227.217 Active open failed - update-source NULL is not available, open active delayed 8192ms (35000ms max, 60% jitter)

May 27 11:33:00.245 EDT: BGP: 169.254.150.41 Active open failed - update-source NULL is not available, open active delayed 12288ms (35000ms max, 60% jitter)

May 27 11:33:01.377 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...

May 27 11:33:01.377 EDT: ISAKMP: (0):: incrementing error counter on sa, attempt 1 of 5: retransmit phase 1

May 27 11:33:01.377 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE

May 27 11:33:01.377 EDT: ISAKMP-PAK: (0):sending packet to 3.216.207.21 my_port 500 peer_port 500 (I) MM_NO_STATE

May 27 11:33:01.377 EDT: ISAKMP: (0):Sending an IKE IPv4 Packet.

May 27 11:33:02.295 EDT: BGP: 169.254.227.217 Active open failed - update-source NULL is not available, open active delayed 12288ms (35000ms max, 60% jitter)

May 27 11:33:11.378 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...

May 27 11:33:11.378 EDT: ISAKMP: (0):: incrementing error counter on sa, attempt 2 of 5: retransmit phase 1

May 27 11:33:11.378 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE

May 27 11:33:11.378 EDT: ISAKMP-PAK: (0):sending packet to 3.216.207.21 my_port 500 peer_port 500 (I) MM_NO_STATE

May 27 11:33:11.378 EDT: ISAKMP: (0):Sending an IKE IPv4 Packet.

May 27 11:33:12.534 EDT: BGP: 169.254.150.41 Active open failed - update-source NULL is not available, open active delayed 11264ms (35000ms max, 60% jitter)

May 27 11:33:14.582 EDT: BGP: 169.254.227.217 Active open failed - update-source NULL is not available, open active delayed 12288ms (35000ms max, 60% jitter)

May 27 11:33:21.376 EDT: IPSEC:(SESSION ID = 1) (key_engine) request timer fired: count = 1,

  (identity) local= 38.142.219.26:0, remote= 3.216.207.21:0,

    local_proxy= 0.0.0.0/0.0.0.0/256/0,

    remote_proxy= 0.0.0.0/0.0.0.0/256/0

May 27 11:33:21.376 EDT: IPSEC(sa_request): ,

  (key eng. msg.) OUTBOUND local= 38.142.219.26:500, remote= 3.216.207.21:500,

    local_proxy= 0.0.0.0/0.0.0.0/256/0,

    remote_proxy= 0.0.0.0/0.0.0.0/256/0,

    protocol= ESP, transform= esp-aes esp-sha-hmac  (Tunnel),

    lifedur= 3600s and 4608000kb,

    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0

May 27 11:33:21.376 EDT: ISAKMP: (0):set new node 0 to QM_IDLE

May 27 11:33:21.376 EDT: ISAKMP-ERROR: (0):SA is still budding. Attached new ipsec request to it. (local 38.142.219.26, remote 3.216.207.21)

May 27 11:33:21.378 EDT: ISAKMP-ERROR: (0):Error while processing SA request: Failed to initialize SA

May 27 11:33:21.378 EDT: ISAKMP-ERROR: (0):Error while processing KMI message 0, error 2.

May 27 11:33:21.378 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...

May 27 11:33:21.378 EDT: ISAKMP: (0):: incrementing error counter on sa, attempt 3 of 5: retransmit phase 1

May 27 11:33:21.378 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE

May 27 11:33:21.378 EDT: ISAKMP-PAK: (0):sending packet to 3.216.207.21 my_port 500 peer_port 500 (I) MM_NO_STATE

May 27 11:33:21.378 EDT: ISAKMP: (0):Sending an IKE IPv4 Packet.

May 27 11:33:23.800 EDT: BGP: 169.254.150.41 Active open failed - update-source NULL is not available, open active delayed 13312ms (35000ms max, 60% jitter)

May 27 11:33:26.873 EDT: BGP: 169.254.227.217 Active open failed - update-source NULL is not available, open active delayed 6144ms (35000ms max, 60% jitter)

May 27 11:33:29.417 EDT: BGP: topo global:IPv4 Unicast:base Scanning routing tables

May 27 11:33:29.418 EDT: BGP: topo global:IPv4 Multicast:base Scanning routing tables

May 27 11:33:29.418 EDT: BGP: topo global:L2VPN E-VPN:base Scanning routing tables

May 27 11:33:29.418 EDT: BGP: topo global:MVPNv4 Unicast:base Scanning routing tables

May 27 11:33:31.379 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...

May 27 11:33:31.379 EDT: ISAKMP: (0):: incrementing error counter on sa, attempt 4 of 5: retransmit phase 1

May 27 11:33:31.379 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE

May 27 11:33:31.379 EDT: ISAKMP-PAK: (0):sending packet to 3.216.207.21 my_port 500 peer_port 500 (I) MM_NO_STATE

May 27 11:33:31.379 EDT: ISAKMP: (0):Sending an IKE IPv4 Packet.

May 27 11:33:33.017 EDT: BGP: 169.254.227.217 Active open failed - update-source NULL is not available, open active delayed 14336ms (35000ms max, 60% jitter)

May 27 11:33:37.114 EDT: BGP: 169.254.150.41 Active open failed - update-source NULL is not available, open active delayed 13312ms (35000ms max, 60% jitter)

May 27 11:33:40.959 EDT: ISAKMP: (0):purging node 3692894607

May 27 11:33:40.959 EDT: ISAKMP: (0):purging node 1949528906

May 27 11:33:41.379 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...

May 27 11:33:41.380 EDT: ISAKMP: (0):: incrementing error counter on sa, attempt 5 of 5: retransmit phase 1

May 27 11:33:41.380 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE

May 27 11:33:41.380 EDT: ISAKMP-PAK: (0):sending packet to 3.216.207.21 my_port 500 peer_port 500 (I) MM_NO_STATE

May 27 11:33:41.380 EDT: ISAKMP: (0):Sending an IKE IPv4 Packet.

May 27 11:33:47.355 EDT: BGP: 169.254.227.217 Active open failed - update-source NULL is not available, open active delayed 10240ms (35000ms max, 60% jitter)

May 27 11:33:50.427 EDT: BGP: 169.254.150.41 Active open failed - update-source NULL is not available, open active delayed 11264ms (35000ms max, 60% jitter)

May 27 11:33:50.959 EDT: ISAKMP: (0):purging SA., sa=7FA7F9026168, delme=7FA7F9026168

May 27 11:33:51.376 EDT: IPSEC:(SESSION ID = 1) (key_engine) request timer fired: count = 2,

  (identity) local= 38.142.219.26:0, remote= 3.216.207.21:0,

    local_proxy= 0.0.0.0/0.0.0.0/256/0,

    remote_proxy= 0.0.0.0/0.0.0.0/256/0

May 27 11:33:51.380 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...

May 27 11:33:51.380 EDT: ISAKMP: (0):peer does not do paranoid keepalives.

May 27 11:33:51.380 EDT: ISAKMP-ERROR: (0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 3.216.207.21)

May 27 11:33:51.380 EDT: ISAKMP-ERROR: (0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 3.216.207.21)

May 27 11:33:51.380 EDT: ISAKMP: (0):Unlocking peer struct 0x7FA7F8BD2280 for isadb_mark_sa_deleted(), count 0

May 27 11:33:51.380 EDT: ISAKMP: (0):Deleting peer node by peer_reap for 3.216.207.21: 7FA7F8BD2280

May 27 11:33:51.384 EDT: ISAKMP: (0):deleting node 2980808616 error FALSE reason "IKE deleted"

May 27 11:33:51.384 EDT: ISAKMP: (0):deleting node 1287617051 error FALSE reason "IKE deleted"

May 27 11:33:51.384 EDT: ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL

May 27 11:33:51.384 EDT: ISAKMP: (0):Old State = IKE_I_MM1  New State = IKE_DEST_SA

 

May 27 11:33:51.384 EDT: IPSEC(key_engine): got a queue event with 1 KMI message(s)

May 27 11:33:51.801 EDT: IPSEC(sa_request): ,

  (key eng. msg.) OUTBOUND local= 38.142.219.26:500, remote= 3.216.207.21:500,

    local_proxy= 0.0.0.0/0.0.0.0/256/0,

    remote_proxy= 0.0.0.0/0.0.0.0/256/0,

    protocol= ESP, transform= esp-aes esp-sha-hmac  (Tunnel),

    lifedur= 3600s and 4608000kb,

    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0

May 27 11:33:51.801 EDT: ISAKMP: (0):SA request profile is (NULL)

May 27 11:33:51.801 EDT: ISAKMP: (0):Created a peer struct for 3.216.207.21, peer port 500

May 27 11:33:51.801 EDT: ISAKMP: (0):New peer created peer = 0x7FA7F9105438 peer_handle = 0x800006BD

May 27 11:33:51.801 EDT: ISAKMP: (0):Locking peer struct 0x7FA7F9105438, refcount 1 for isakmp_initiator

May 27 11:33:51.801 EDT: ISAKMP: (0):local port 500, remote port 500

May 27 11:33:51.801 EDT: ISAKMP: (0):set new node 0 to QM_IDLE

May 27 11:33:51.801 EDT: ISAKMP: (0):Find a dup sa in the avl tree during calling isadb_insert sa = 7FA7F9026168

May 27 11:33:51.801 EDT: ISAKMP: (0):Can not start Aggressive mode, trying Main mode.

May 27 11:33:51.801 EDT: ISAKMP: (0):found peer pre-shared key matching 3.216.207.21

May 27 11:33:51.801 EDT: ISAKMP: (0):constructed NAT-T vendor-rfc3947 ID

May 27 11:33:51.801 EDT: ISAKMP: (0):constructed NAT-T vendor-07 ID

May 27 11:33:51.801 EDT: ISAKMP: (0):constructed NAT-T vendor-03 ID

May 27 11:33:51.802 EDT: ISAKMP: (0):constructed NAT-T vendor-02 ID

May 27 11:33:51.802 EDT: ISAKMP: (0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM

May 27 11:33:51.802 EDT: ISAKMP: (0):Old State = IKE_READY  New State = IKE_I_MM1

 

May 27 11:33:51.802 EDT: ISAKMP: (0):beginning Main Mode exchange

May 27 11:33:51.802 EDT: ISAKMP-PAK: (0):sending packet to 3.216.207.21 my_port 500 peer_port 500 (I) MM_NO_STATE

May 27 11:33:51.802 EDT: ISAKMP: (0):Sending an IKE IPv4 Packet.

May 27 11:33:57.596 EDT: BGP: 169.254.227.217 Active open failed - update-source NULL is not available, open active delayed 9216ms (35000ms max, 60% jitter)

May 27 11:34:01.692 EDT: BGP: 169.254.150.41 Active open failed - update-source NULL is not available, open active delayed 9216ms (35000ms max, 60% jitter)

May 27 11:34:01.801 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...

May 27 11:34:01.801 EDT: ISAKMP: (0):: incrementing error counter on sa, attempt 1 of 5: retransmit phase 1

May 27 11:34:01.801 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE

May 27 11:34:01.801 EDT: ISAKMP-PAK: (0):sending packet to 3.216.207.21 my_port 500 peer_port 500 (I) MM_NO_STATE

May 27 11:34:01.801 EDT: ISAKMP: (0):Sending an IKE IPv4 Packet.

May 27 11:34:06.812 EDT: BGP: 169.254.227.217 Active open failed - update-source NULL is not available, open active delayed 12288ms (35000ms max, 60% jitter)

May 27 11:34:10.908 EDT: BGP: 169.254.150.41 Active open failed - update-source NULL is not available, open active delayed 13312ms (35000ms max, 60% jitter)

May 27 11:34:11.802 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...

May 27 11:34:11.802 EDT: ISAKMP: (0):: incrementing error counter on sa, attempt 2 of 5: retransmit phase 1

May 27 11:34:11.802 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE

May 27 11:34:11.802 EDT: ISAKMP-PAK: (0):sending packet to 3.216.207.21 my_port 500 peer_port 500 (I) MM_NO_STATE

May 27 11:34:11.802 EDT: ISAKMP: (0):Sending an IKE IPv4 Packet.

May 27 11:34:19.101 EDT: BGP: 169.254.227.217 Active open failed - update-source NULL is not available, open active delayed 14336ms (35000ms max, 60% jitter)

May 27 11:34:21.802 EDT: IPSEC:(SESSION ID = 1) (key_engine) request timer fired: count = 1,

  (identity) local= 38.142.219.26:0, remote= 3.216.207.21:0,

    local_proxy= 0.0.0.0/0.0.0.0/256/0,

    remote_proxy= 0.0.0.0/0.0.0.0/256/0

May 27 11:34:21.802 EDT: IPSEC(sa_request): ,

  (key eng. msg.) OUTBOUND local= 38.142.219.26:500, remote= 3.216.207.21:500,

    local_proxy= 0.0.0.0/0.0.0.0/256/0,

    remote_proxy= 0.0.0.0/0.0.0.0/256/0,

    protocol= ESP, transform= esp-aes esp-sha-hmac  (Tunnel),

    lifedur= 3600s and 4608000kb,

    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0

May 27 11:34:21.802 EDT: ISAKMP: (0):set new node 0 to QM_IDLE

May 27 11:34:21.802 EDT: ISAKMP-ERROR: (0):SA is still budding. Attached new ipsec request to it. (local 38.142.219.26, remote 3.216.207.21)

May 27 11:34:21.804 EDT: ISAKMP-ERROR: (0):Error while processing SA request: Failed to initialize SA

May 27 11:34:21.804 EDT: ISAKMP-ERROR: (0):Error while processing KMI message 0, error 2.

May 27 11:34:21.804 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...

May 27 11:34:21.804 EDT: ISAKMP: (0):: incrementing error counter on sa, attempt 3 of 5: retransmit phase 1

May 27 11:34:21.804 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE

May 27 11:34:21.804 EDT: ISAKMP-PAK: (0):sending packet to 3.216.207.21 my_port 500 peer_port 500 (I) MM_NO_STATE

May 27 11:34:21.804 EDT: ISAKMP: (0):Sending an IKE IPv4 Packet.

May 27 11:34:24.222 EDT: BGP: 169.254.150.41 Active open failed - update-source NULL is not available, open active delayed 12288ms (35000ms max, 60% jitter)

May 27 11:34:29.420 EDT: BGP: topo global:IPv4 Unicast:base Scanning routing tables

May 27 11:34:29.421 EDT: BGP: topo global:IPv4 Multicast:base Scanning routing tables

May 27 11:34:29.421 EDT: BGP: topo global:L2VPN E-VPN:base Scanning routing tables

May 27 11:34:29.421 EDT: BGP: topo global:MVPNv4 Unicast:base Scanning routing tables

May 27 11:34:31.805 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...

May 27 11:34:31.805 EDT: ISAKMP: (0):: incrementing error counter on sa, attempt 4 of 5: retransmit phase 1

May 27 11:34:31.805 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE

May 27 11:34:31.805 EDT: ISAKMP-PAK: (0):sending packet to 3.216.207.21 my_port 500 peer_port 500 (I) MM_NO_STATE

May 27 11:34:31.805 EDT: ISAKMP: (0):Sending an IKE IPv4 Packet.

May 27 11:34:33.438 EDT: BGP: 169.254.227.217 Active open failed - update-source NULL is not available, open active delayed 9216ms (35000ms max, 60% jitter)

May 27 11:34:36.510 EDT: BGP: 169.254.150.41 Active open failed - update-source NULL is not available, open active delayed 13312ms (35000ms max, 60% jitter)

May 27 11:34:41.384 EDT: ISAKMP: (0):purging node 2980808616

May 27 11:34:41.384 EDT: ISAKMP: (0):purging node 1287617051

May 27 11:34:41.805 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...

May 27 11:34:41.805 EDT: ISAKMP: (0):: incrementing error counter on sa, attempt 5 of 5: retransmit phase 1

May 27 11:34:41.805 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE

May 27 11:34:41.805 EDT: ISAKMP-PAK: (0):sending packet to 3.216.207.21 my_port 500 peer_port 500 (I) MM_NO_STATE

May 27 11:34:41.805 EDT: ISAKMP: (0):Sending an IKE IPv4 Packet.

May 27 11:34:42.655 EDT: BGP: 169.254.227.217 Active open failed - update-source NULL is not available, open active delayed 14336ms (35000ms max, 60% jitter)

May 27 11:34:49.822 EDT: BGP: 169.254.150.41 Active open failed - update-source NULL is not available, open active delayed 7168ms (35000ms max, 60% jitter)

May 27 11:34:51.384 EDT: ISAKMP: (0):purging SA., sa=7FA7F9158C78, delme=7FA7F9158C78

May 27 11:34:51.803 EDT: IPSEC:(SESSION ID = 1) (key_engine) request timer fired: count = 2,

  (identity) local= 38.142.219.26:0, remote= 3.216.207.21:0,

    local_proxy= 0.0.0.0/0.0.0.0/256/0,

    remote_proxy= 0.0.0.0/0.0.0.0/256/0

May 27 11:34:51.805 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...

May 27 11:34:51.805 EDT: ISAKMP: (0):peer does not do paranoid keepalives.

May 27 11:34:51.805 EDT: ISAKMP-ERROR: (0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 3.216.207.21)

May 27 11:34:51.805 EDT: ISAKMP-ERROR: (0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 3.216.207.21)

May 27 11:34:51.805 EDT: ISAKMP: (0):Unlocking peer struct 0x7FA7F9105438 for isadb_mark_sa_deleted(), count 0

May 27 11:34:51.805 EDT: ISAKMP: (0):Deleting peer node by peer_reap for 3.216.207.21: 7FA7F9105438

May 27 11:34:51.810 EDT: ISAKMP: (0):deleting node 1472956874 error FALSE reason "IKE deleted"

May 27 11:34:51.810 EDT: ISAKMP: (0):deleting node 2697383770 error FALSE reason "IKE deleted"

May 27 11:34:51.810 EDT: ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL

May 27 11:34:51.810 EDT: ISAKMP: (0):Old State = IKE_I_MM1  New State = IKE_DEST_SA

 

May 27 11:34:51.810 EDT: IPSEC(key_engine): got a queue event with 1 KMI message(s)

May 27 11:34:52.230 EDT: IPSEC(sa_request): ,

  (key eng. msg.) OUTBOUND local= 38.142.219.26:500, remote= 3.216.207.21:500,

    local_proxy= 0.0.0.0/0.0.0.0/256/0,

    remote_proxy= 0.0.0.0/0.0.0.0/256/0,

    protocol= ESP, transform= esp-aes esp-sha-hmac  (Tunnel),

    lifedur= 3600s and 4608000kb,

    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0

May 27 11:34:52.230 EDT: ISAKMP: (0):SA request profile is (NULL)

May 27 11:34:52.230 EDT: ISAKMP: (0):Created a peer struct for 3.216.207.21, peer port 500

May 27 11:34:52.230 EDT: ISAKMP: (0):New peer created peer = 0x7FA7F8BD2280 peer_handle = 0x800006BE

May 27 11:34:52.230 EDT: ISAKMP: (0):Locking peer struct 0x7FA7F8BD2280, refcount 1 for isakmp_initiator

May 27 11:34:52.230 EDT: ISAKMP: (0):local port 500, remote port 500

May 27 11:34:52.230 EDT: ISAKMP: (0):set new node 0 to QM_IDLE

May 27 11:34:52.230 EDT: ISAKMP: (0):Find a dup sa in the avl tree during calling isadb_insert sa = 7FA7F9158C78

May 27 11:34:52.230 EDT: ISAKMP: (0):Can not start Aggressive mode, trying Main mode.

May 27 11:34:52.230 EDT: ISAKMP: (0):found peer pre-shared key matching 3.216.207.21

May 27 11:34:52.230 EDT: ISAKMP: (0):constructed NAT-T vendor-rfc3947 ID

May 27 11:34:52.230 EDT: ISAKMP: (0):constructed NAT-T vendor-07 ID

May 27 11:34:52.230 EDT: ISAKMP: (0):constructed NAT-T vendor-03 ID

May 27 11:34:52.230 EDT: ISAKMP: (0):constructed NAT-T vendor-02 ID

May 27 11:34:52.230 EDT: ISAKMP: (0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM

May 27 11:34:52.230 EDT: ISAKMP: (0):Old State = IKE_READY  New State = IKE_I_MM1

 

May 27 11:34:52.230 EDT: ISAKMP: (0):beginning Main Mode exchange

May 27 11:34:52.230 EDT: ISAKMP-PAK: (0):sending packet to 3.216.207.21 my_port 500 peer_port 500 (I) MM_NO_STATE

May 27 11:34:52.230 EDT: ISAKMP: (0):Sending an IKE IPv4 Packet.

May 27 11:34:57.002 EDT: BGP: 169.254.227.217 Active open failed - update-source NULL is not available, open active delayed 14336ms (35000ms max, 60% jitter)

May 27 11:34:57.002 EDT: BGP: 169.254.150.41 Active open failed - update-source NULL is not available, open active delayed 14336ms (35000ms max, 60% jitter)

May 27 11:35:02.230 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...

May 27 11:35:02.230 EDT: ISAKMP: (0):: incrementing error counter on sa, attempt 1 of 5: retransmit phase 1

May 27 11:35:02.230 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE

May 27 11:35:02.230 EDT: ISAKMP-PAK: (0):sending packet to 3.216.207.21 my_port 500 peer_port 500 (I) MM_NO_STATE

May 27 11:35:02.230 EDT: ISAKMP: (0):Sending an IKE IPv4 Packet.

May 27 11:35:11.338 EDT: BGP: 169.254.227.217 Active open failed - update-source NULL is not available, open active delayed 12288ms (35000ms max, 60% jitter)

May 27 11:35:11.338 EDT: BGP: 169.254.150.41 Active open failed - update-source NULL is not available, open active delayed 10240ms (35000ms max, 60% jitter)

May 27 11:35:12.230 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...

May 27 11:35:12.230 EDT: ISAKMP: (0):: incrementing error counter on sa, attempt 2 of 5: retransmit phase 1

May 27 11:35:12.230 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE

May 27 11:35:12.230 EDT: ISAKMP-PAK: (0):sending packet to 3.216.207.21 my_port 500 peer_port 500 (I) MM_NO_STATE

May 27 11:35:12.230 EDT: ISAKMP: (0):Sending an IKE IPv4 Packet.

May 27 11:35:21.580 EDT: BGP: 169.254.150.41 Active open failed - update-source NULL is not available, open active delayed 12288ms (35000ms max, 60% jitter)

May 27 11:35:22.229 EDT: IPSEC:(SESSION ID = 1) (key_engine) request timer fired: count = 1,

  (identity) local= 38.142.219.26:0, remote= 3.216.207.21:0,

    local_proxy= 0.0.0.0/0.0.0.0/256/0,

    remote_proxy= 0.0.0.0/0.0.0.0/256/0

May 27 11:35:22.229 EDT: IPSEC(sa_request): ,

  (key eng. msg.) OUTBOUND local= 38.142.219.26:500, remote= 3.216.207.21:500,

    local_proxy= 0.0.0.0/0.0.0.0/256/0,

    remote_proxy= 0.0.0.0/0.0.0.0/256/0,

    protocol= ESP, transform= esp-aes esp-sha-hmac  (Tunnel),

    lifedur= 3600s and 4608000kb,

    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0

May 27 11:35:22.229 EDT: ISAKMP: (0):set new node 0 to QM_IDLE

May 27 11:35:22.229 EDT: ISAKMP-ERROR: (0):SA is still budding. Attached new ipsec request to it. (local 38.142.219.26, remote 3.216.207.21)

May 27 11:35:22.231 EDT: ISAKMP-ERROR: (0):Error while processing SA request: Failed to initialize SA

May 27 11:35:22.231 EDT: ISAKMP-ERROR: (0):Error while processing KMI message 0, error 2.

May 27 11:35:22.231 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...

May 27 11:35:22.231 EDT: ISAKMP: (0):: incrementing error counter on sa, attempt 3 of 5: retransmit phase 1

May 27 11:35:22.231 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE

May 27 11:35:22.231 EDT: ISAKMP-PAK: (0):sending packet to 3.216.207.21 my_port 500 peer_port 500 (I) MM_NO_STATE

May 27 11:35:22.231 EDT: ISAKMP: (0):Sending an IKE IPv4 Packet.

May 27 11:35:23.628 EDT: BGP: 169.254.227.217 Active open failed - update-source NULL is not available, open active delayed 12288ms (35000ms max, 60% jitter)

May 27 11:35:29.423 EDT: BGP: topo global:IPv4 Unicast:base Scanning routing tables

May 27 11:35:29.424 EDT: BGP: topo global:IPv4 Multicast:base Scanning routing tables

May 27 11:35:29.424 EDT: BGP: topo global:L2VPN E-VPN:base Scanning routing tables

May 27 11:35:29.424 EDT: BGP: topo global:MVPNv4 Unicast:base Scanning routing tables

May 27 11:35:32.232 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...

May 27 11:35:32.232 EDT: ISAKMP: (0):: incrementing error counter on sa, attempt 4 of 5: retransmit phase 1

May 27 11:35:32.232 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE

May 27 11:35:32.232 EDT: ISAKMP-PAK: (0):sending packet to 3.216.207.21 my_port 500 peer_port 500 (I) MM_NO_STATE

May 27 11:35:32.232 EDT: ISAKMP: (0):Sending an IKE IPv4 Packet.

May 27 11:35:33.867 EDT: BGP: 169.254.150.41 Active open failed - update-source NULL is not available, open active delayed 7168ms (35000ms max, 60% jitter)

May 27 11:35:35.915 EDT: BGP: 169.254.227.217 Active open failed - update-source NULL is not available, open active delayed 9216ms (35000ms max, 60% jitter)

May 27 11:35:41.035 EDT: BGP: 169.254.150.41 Active open failed - update-source NULL is not available, open active delayed 6144ms (35000ms max, 60% jitter)

May 27 11:35:41.810 EDT: ISAKMP: (0):purging node 1472956874

May 27 11:35:41.810 EDT: ISAKMP: (0):purging node 2697383770

May 27 11:35:42.233 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...

May 27 11:35:42.233 EDT: ISAKMP: (0):: incrementing error counter on sa, attempt 5 of 5: retransmit phase 1

May 27 11:35:42.233 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE

May 27 11:35:42.233 EDT: ISAKMP-PAK: (0):sending packet to 3.216.207.21 my_port 500 peer_port 500 (I) MM_NO_STATE

May 27 11:35:42.233 EDT: ISAKMP: (0):Sending an IKE IPv4 Packet.

May 27 11:35:45.131 EDT: BGP: 169.254.227.217 Active open failed - update-source NULL is not available, open active delayed 8192ms (35000ms max, 60% jitter)

May 27 11:35:47.180 EDT: BGP: 169.254.150.41 Active open failed - update-source NULL is not available, open active delayed 11264ms (35000ms max, 60% jitter)

May 27 11:35:51.810 EDT: ISAKMP: (0):purging SA., sa=7FA7F9026168, delme=7FA7F9026168

May 27 11:35:52.230 EDT: IPSEC:(SESSION ID = 1) (key_engine) request timer fired: count = 2,

  (identity) local= 38.142.219.26:0, remote= 3.216.207.21:0,

    local_proxy= 0.0.0.0/0.0.0.0/256/0,

    remote_proxy= 0.0.0.0/0.0.0.0/256/0

May 27 11:35:52.233 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...

May 27 11:35:52.233 EDT: ISAKMP: (0):peer does not do paranoid keepalives.

May 27 11:35:52.233 EDT: ISAKMP-ERROR: (0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 3.216.207.21)

May 27 11:35:52.233 EDT: ISAKMP-ERROR: (0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 3.216.207.21)

May 27 11:35:52.233 EDT: ISAKMP: (0):Unlocking peer struct 0x7FA7F8BD2280 for isadb_mark_sa_deleted(), count 0

May 27 11:35:52.233 EDT: ISAKMP: (0):Deleting peer node by peer_reap for 3.216.207.21: 7FA7F8BD2280

May 27 11:35:52.238 EDT: ISAKMP: (0):deleting node 2971984378 error FALSE reason "IKE deleted"

May 27 11:35:52.238 EDT: ISAKMP: (0):deleting node 1541442663 error FALSE reason "IKE deleted"

May 27 11:35:52.238 EDT: ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL

May 27 11:35:52.238 EDT: ISAKMP: (0):Old State = IKE_I_MM1  New State = IKE_DEST_SA

 

May 27 11:35:52.238 EDT: IPSEC(key_engine): got a queue event with 1 KMI message(s)

May 27 11:35:52.658 EDT: IPSEC(sa_request): ,

  (key eng. msg.) OUTBOUND local= 38.142.219.26:500, remote= 3.216.207.21:500,

    local_proxy= 0.0.0.0/0.0.0.0/256/0,

    remote_proxy= 0.0.0.0/0.0.0.0/256/0,

    protocol= ESP, transform= esp-aes esp-sha-hmac  (Tunnel),

    lifedur= 3600s and 4608000kb,

    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0

May 27 11:35:52.659 EDT: ISAKMP: (0):SA request profile is (NULL)

May 27 11:35:52.659 EDT: ISAKMP: (0):Created a peer struct for 3.216.207.21, peer port 500

May 27 11:35:52.659 EDT: ISAKMP: (0):New peer created peer = 0x7FA7F9105438 peer_handle = 0x800006BF

May 27 11:35:52.659 EDT: ISAKMP: (0):Locking peer struct 0x7FA7F9105438, refcount 1 for isakmp_initiator

May 27 11:35:52.659 EDT: ISAKMP: (0):local port 500, remote port 500

May 27 11:35:52.659 EDT: ISAKMP: (0):set new node 0 to QM_IDLE

May 27 11:35:52.659 EDT: ISAKMP: (0):Find a dup sa in the avl tree during calling isadb_insert sa = 7FA7F9026168

May 27 11:35:52.659 EDT: ISAKMP: (0):Can not start Aggressive mode, trying Main mode.

May 27 11:35:52.659 EDT: ISAKMP: (0):found peer pre-shared key matching 3.216.207.21

May 27 11:35:52.659 EDT: ISAKMP: (0):constructed NAT-T vendor-rfc3947 ID

May 27 11:35:52.659 EDT: ISAKMP: (0):constructed NAT-T vendor-07 ID

May 27 11:35:52.659 EDT: ISAKMP: (0):constructed NAT-T vendor-03 ID

May 27 11:35:52.659 EDT: ISAKMP: (0):constructed NAT-T vendor-02 ID

May 27 11:35:52.659 EDT: ISAKMP: (0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM

May 27 11:35:52.659 EDT: ISAKMP: (0):Old State = IKE_READY  New State = IKE_I_MM1

 

May 27 11:35:52.659 EDT: ISAKMP: (0):beginning Main Mode exchange

May 27 11:35:52.659 EDT: ISAKMP-PAK: (0):sending packet to 3.216.207.21 my_port 500 peer_port 500 (I) MM_NO_STATE

May 27 11:35:52.659 EDT: ISAKMP: (0):Sending an IKE IPv4 Packet.

May 27 11:35:53.323 EDT: BGP: 169.254.227.217 Active open failed - update-source NULL is not available, open active delayed 9216ms (35000ms max, 60% jitter)

May 27 11:35:58.444 EDT: BGP: 169.254.150.41 Active open failed - update-source NULL is not available, open active delayed 7168ms (35000ms max, 60% jitter)

May 27 11:36:02.540 EDT: BGP: 169.254.227.217 Active open failed - update-source NULL is not available, open active delayed 12288ms (35000ms max, 60% jitter)

May 27 11:36:02.659 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...

May 27 11:36:02.659 EDT: ISAKMP: (0):: incrementing error counter on sa, attempt 1 of 5: retransmit phase 1

May 27 11:36:02.659 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE

May 27 11:36:02.659 EDT: ISAKMP-PAK: (0):sending packet to 3.216.207.21 my_port 500 peer_port 500 (I) MM_NO_STATE

May 27 11:36:02.659 EDT: ISAKMP: (0):Sending an IKE IPv4 Packet.

May 27 11:36:05.614 EDT: BGP: 169.254.150.41 Active open failed - update-source NULL is not available, open active delayed 7168ms (35000ms max, 60% jitter)

May 27 11:36:12.660 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...

May 27 11:36:12.660 EDT: ISAKMP: (0):: incrementing error counter on sa, attempt 2 of 5: retransmit phase 1

May 27 11:36:12.660 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE

May 27 11:36:12.660 EDT: ISAKMP-PAK: (0):sending packet to 3.216.207.21 my_port 500 peer_port 500 (I) MM_NO_STATE

May 27 11:36:12.660 EDT: ISAKMP: (0):Sending an IKE IPv4 Packet.

May 27 11:36:12.782 EDT: BGP: 169.254.150.41 Active open failed - update-source NULL is not available, open active delayed 6144ms (35000ms max, 60% jitter)

May 27 11:36:14.830 EDT: BGP: 169.254.227.217 Active open failed - update-source NULL is not available, open active delayed 8192ms (35000ms max, 60% jitter)

May 27 11:36:18.926 EDT: BGP: 169.254.150.41 Active open failed - update-source NULL is not available, open active delayed 11264ms (35000ms max, 60% jitter)

May 27 11:36:22.658 EDT: IPSEC:(SESSION ID = 1) (key_engine) request timer fired: count = 1,

  (identity) local= 38.142.219.26:0, remote= 3.216.207.21:0,

    local_proxy= 0.0.0.0/0.0.0.0/256/0,

    remote_proxy= 0.0.0.0/0.0.0.0/256/0

May 27 11:36:22.658 EDT: IPSEC(sa_request): ,

  (key eng. msg.) OUTBOUND local= 38.142.219.26:500, remote= 3.216.207.21:500,

    local_proxy= 0.0.0.0/0.0.0.0/256/0,

    remote_proxy= 0.0.0.0/0.0.0.0/256/0,

    protocol= ESP, transform= esp-aes esp-sha-hmac  (Tunnel),

    lifedur= 3600s and 4608000kb,

    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0

May 27 11:36:22.658 EDT: ISAKMP: (0):set new node 0 to QM_IDLE

May 27 11:36:22.658 EDT: ISAKMP-ERROR: (0):SA is still budding. Attached new ipsec request to it. (local 38.142.219.26, remote 3.216.207.21)

May 27 11:36:22.660 EDT: ISAKMP-ERROR: (0):Error while processing SA request: Failed to initialize SA

May 27 11:36:22.660 EDT: ISAKMP-ERROR: (0):Error while processing KMI message 0, error 2.

May 27 11:36:22.660 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...

May 27 11:36:22.660 EDT: ISAKMP: (0):: incrementing error counter on sa, attempt 3 of 5: retransmit phase 1

May 27 11:36:22.660 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE

May 27 11:36:22.660 EDT: ISAKMP-PAK: (0):sending packet to 3.216.207.21 my_port 500 peer_port 500 (I) MM_NO_STATE

May 27 11:36:22.660 EDT: ISAKMP: (0):Sending an IKE IPv4 Packet.

May 27 11:36:23.022 EDT: BGP: 169.254.227.217 Active open failed - update-source NULL is not available, open active delayed 13312ms (35000ms max, 60% jitter)

May 27 11:36:28.924 EDT: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.188.252.112)

May 27 11:36:29.427 EDT: BGP: topo global:IPv4 Unicast:base Scanning routing tables

May 27 11:36:29.428 EDT: BGP: topo global:IPv4 Multicast:base Scanning routing tables

May 27 11:36:29.428 EDT: BGP: topo global:L2VPN E-VPN:base Scanning routing tables

May 27 11:36:29.428 EDT: BGP: topo global:MVPNv4 Unicast:base Scanning routing tables

May 27 11:36:30.190 EDT: BGP: 169.254.150.41 Active open failed - update-source NULL is not available, open active delayed 13312ms (35000ms max, 60% jitter)

May 27 11:36:32.660 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...

May 27 11:36:32.660 EDT: ISAKMP: (0):: incrementing error counter on sa, attempt 4 of 5: retransmit phase 1

May 27 11:36:32.660 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE

May 27 11:36:32.660 EDT: ISAKMP-PAK: (0):sending packet to 3.216.207.21 my_port 500 peer_port 500 (I) MM_NO_STATE

May 27 11:36:32.660 EDT: ISAKMP: (0):Sending an IKE IPv4 Packet.

May 27 11:36:36.335 EDT: BGP: 169.254.227.217 Active open failed - update-source NULL is not available, open active delayed 11264ms (35000ms max, 60% jitter)

May 27 11:36:42.239 EDT: ISAKMP: (0):purging node 2971984378

May 27 11:36:42.239 EDT: ISAKMP: (0):purging node 1541442663

May 27 11:36:42.660 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...

May 27 11:36:42.660 EDT: ISAKMP: (0):: incrementing error counter on sa, attempt 5 of 5: retransmit phase 1

May 27 11:36:42.660 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE

May 27 11:36:42.660 EDT: ISAKMP-PAK: (0):sending packet to 3.216.207.21 my_port 500 peer_port 500 (I) MM_NO_STATE

May 27 11:36:42.660 EDT: ISAKMP: (0):Sending an IKE IPv4 Packet.

May 27 11:36:43.503 EDT: BGP: 169.254.150.41 Active open failed - update-source NULL is not available, open active delayed 12288ms (35000ms max, 60% jitter)

May 27 11:36:47.601 EDT: BGP: 169.254.227.217 Active open failed - update-source NULL is not available, open active delayed 11264ms (35000ms max, 60% jitter)

May 27 11:36:52.238 EDT: ISAKMP: (0):purging SA., sa=7FA7F9158C78, delme=7FA7F9158C78

May 27 11:36:52.658 EDT: IPSEC:(SESSION ID = 1) (key_engine) request timer fired: count = 2,

  (identity) local= 38.142.219.26:0, remote= 3.216.207.21:0,

    local_proxy= 0.0.0.0/0.0.0.0/256/0,

    remote_proxy= 0.0.0.0/0.0.0.0/256/0

May 27 11:36:52.660 EDT: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...

May 27 11:36:52.660 EDT: ISAKMP: (0):peer does not do paranoid keepalives.

May 27 11:36:52.660 EDT: ISAKMP-ERROR: (0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 3.216.207.21)

May 27 11:36:52.660 EDT: ISAKMP-ERROR: (0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 3.216.207.21)

May 27 11:36:52.661 EDT: ISAKMP: (0):Unlocking peer struct 0x7FA7F9105438 for isadb_mark_sa_deleted(), count 0

May 27 11:36:52.661 EDT: ISAKMP: (0):Deleting peer node by peer_reap for 3.216.207.21: 7FA7F9105438

May 27 11:36:52.665 EDT: ISAKMP: (0):deleting node 530211987 error FALSE reason "IKE deleted"

May 27 11:36:52.665 EDT: ISAKMP: (0):deleting node 462011643 error FALSE reason "IKE deleted"

May 27 11:36:52.665 EDT: ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL

May 27 11:36:52.665 EDT: ISAKMP: (0):Old State = IKE_I_MM1  New State = IKE_DEST_SA

 

May 27 11:36:52.665 EDT: IPSEC(key_engine): got a queue event with 1 KMI message(s)

May 27 11:36:53.090 EDT: IPSEC(sa_request): ,

  (key eng. msg.) OUTBOUND local= 38.142.219.26:500, remote= 3.216.207.21:500,

    local_proxy= 0.0.0.0/0.0.0.0/256/0,

    remote_proxy= 0.0.0.0/0.0.0.0/256/0,

    protocol= ESP, transform= esp-aes esp-sha-hmac  (Tunnel),

    lifedur= 3600s and 4608000kb,

    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0

May 27 11:36:53.090 EDT: ISAKMP: (0):SA request profile is (NULL)

May 27 11:36:53.090 EDT: ISAKMP: (0):Created a peer struct for 3.216.207.21, peer port 500

May 27 11:36:53.090 EDT: ISAKMP: (0):New peer created peer = 0x7FA7F8BD2280 peer_handle = 0x800006C0

May 27 11:36:53.090 EDT: ISAKMP: (0):Locking peer struct 0x7FA7F8BD2280, refcount 1 for isakmp_initiator

May 27 11:36:53.090 EDT: ISAKMP: (0):local port 500, remote port 500

May 27 11:36:53.090 EDT: ISAKMP: (0):set new node 0 to QM_IDLE

May 27 11:36:53.090 EDT: ISAKMP: (0):Find a dup sa in the avl tree during calling isadb_insert sa = 7FA7F9158C78

May 27 11:36:53.090 EDT: ISAKMP: (0):Can not start Aggressive mode, trying Main mode.

May 27 11:36:53.090 EDT: ISAKMP: (0):found peer pre-shared key matching 3.216.207.21

May 27 11:36:53.090 EDT: ISAKMP: (0):constructed NAT-T vendor-rfc3947 ID

May 27 11:36:53.090 EDT: ISAKMP: (0):constructed NAT-T vendor-07 ID

May 27 11:36:53.090 EDT: ISAKMP: (0):constructed NAT-T vendor-03 ID

May 27 11:36:53.090 EDT: ISAKMP: (0):constructed NAT-T vendor-02 ID

May 27 11:36:53.090 EDT: ISAKMP: (0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM

May 27 11:36:53.090 EDT: ISAKMP: (0):Old State = IKE_READY  New State = IKE_I_MM1

 

May 27 11:36:53.090 EDT: ISAKMP: (0):beginning Main Mode exchange

May 27 11:36:53.090 EDT: ISAKMP-PAK: (0):sending packet to 3.216.207.21 my_port 500 peer_port 500 (I) MM_NO_STATE

May 27 11:36:53.091 EDT: ISAKMP: (0):Sending an IKE IPv4 Packet.

cogent#

@eegrad85 

Seems like your router is not hearing back from AWS and is retransmitting the communication - incrementing error counter on sa, attempt 3 of 5: retransmit phase 1 etc etc.

 

Is there a firewall or ACL in the path that could be blocking communication?

Can you do some debugs on the AWS end to determine if you can see inbound traffic?

AWS Support told me that they were not seeing any traffic from our side. The router is on the edge of our network and our next hop is Cogent network. Is there a possibility that they are doing some filtering? 

 

We are using giga 0/0/3 as the outside NAT interface; would that have anything to do with it, in that the traffic is somehow being NATed out of that interface?

 

@eegrad85 your router is attempting to communicate, the logs indicate the remote peer is not responding. So if AWS aren't seeing anything then potentially yes, investigate further with Cogent to see if they are blocking traffic.

 

NAT shouldn't stop the VPN from establishing. NAT could cause an issue later on transmitting traffic over the VPN, but the VPN needs to be established first...which is your issue.

I reloaded the router and the tunnel became active but after a few minutes the tunnel protocol was down again. Apparently, you need a reload to activate the ipsec license (first time we are using it).

 

After the reload I got this:

cogent#sh int tunnel1

Tunnel1 is up, line protocol is up

  Hardware is Tunnel

  Internet address is 169.254.227.218/30

  MTU 9922 bytes, BW 100 Kbit/sec, DLY 50000 usec,

     reliability 255/255, txload 1/255, rxload 1/255

  Encapsulation TUNNEL, loopback not set

  Keepalive not set

  Tunnel linestate evaluation up

  Tunnel source 38.142.219.26, destination 3.216.207.21

  Tunnel protocol/transport IPSEC/IP

  Tunnel TTL 255

  Tunnel transport MTU 1422 bytes

  Tunnel transmit bandwidth 8000 (kbps)

  Tunnel receive bandwidth 8000 (kbps)

  Tunnel protection via IPSec (profile "ipsec-vpn-0ec351a6e6b2cbd47-1")

  Last input never, output never, output hang never

  Last clearing of "show interface" counters 00:01:41

  Input queue: 0/375/0/0 (size/max/drops/flushes); Total output drops: 0

  Queueing strategy: fifo

  Output queue: 0/0 (size/max)

  5 minute input rate 0 bits/sec, 0 packets/sec

  5 minute output rate 0 bits/sec, 0 packets/sec

     15 packets input, 879 bytes, 0 no buffer

     Received 0 broadcasts (0 IP multicasts)

     0 runts, 0 giants, 0 throttles

     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

     15 packets output, 756 bytes, 0 underruns

     0 output errors, 0 collisions, 0 interface resets

     0 unknown protocol drops

     0 output buffer failures, 0 output buffers swapped out

cogent#show cryp

cogent#show crypto isakmp sa

IPv4 Crypto ISAKMP SA

dst             src             state          conn-id status

3.216.207.21    38.142.219.26   QM_IDLE           1001 ACTIVE

 

IPv6 Crypto ISAKMP SA

 

cogent#show crypto ipsec sa

 

interface: Tunnel1

    Crypto map tag: Tunnel1-head-0, local addr 38.142.219.26

 

   protected vrf: (none)

   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

   current_peer 3.216.207.21 port 4500

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 36, #pkts encrypt: 36, #pkts digest: 36

    #pkts decaps: 27, #pkts decrypt: 27, #pkts verify: 27

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 0, #recv errors 0

 

     local crypto endpt.: 38.142.219.26, remote crypto endpt.: 3.216.207.21

     plaintext mtu 1422, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/0

     current outbound spi: 0xC7E21425(3353482277)

     PFS (Y/N): Y, DH group: group2

 

     inbound esp sas:

      spi: 0xCAEB6EDE(3404426974)

        transform: esp-aes esp-sha-hmac ,

        in use settings ={Tunnel UDP-Encaps, }

        conn id: 2001, flow_id: HW:1, sibling_flags FFFFFFFF80004048, crypto map: Tunnel1-head-0

        sa timing: remaining key lifetime (k/sec): (4607998/3486)

        IV size: 16 bytes

        replay detection support: Y  replay window size: 128

        Status: ACTIVE(ACTIVE)

 

     inbound ah sas:

 

     inbound pcp sas:

 

     outbound esp sas:

      spi: 0xC7E21425(3353482277)

        transform: esp-aes esp-sha-hmac ,

        in use settings ={Tunnel UDP-Encaps, }

        conn id: 2002, flow_id: HW:2, sibling_flags FFFFFFFF80004048, crypto map: Tunnel1-head-0

        sa timing: remaining key lifetime (k/sec): (4607988/3486)

        IV size: 16 bytes

        replay detection support: Y  replay window size: 128

        Status: ACTIVE(ACTIVE)

 

     outbound ah sas:

 

     outbound pcp sas:

Rob,

 

I just want to thank you. We managed to make it work. As soon as my customer gateway was able to send some connection info to AWS, I called AWS Support and they managed to help me with my issue. In summary, the issue was the IPsec feature that was not activated. When I reloaded the router IPsec was activated, from there we discovered the reason the IPsec kept dropping was due to asymmetrical routing.

 

I am glad that there are people like you who are willing to help.

 

Manny

 

I'm trying to configure it using the default settings and guidelines, but I am still not succeeding in completing the configuration.