41137 Views | 0 Helpful | 10 Replies

cannot establish Site to Site VPN....

hi all,

I need to set up a site-to-site VPN between a Cisco 7200 and a Check Point firewall.
But the tunnel won't establish and the following error occurred. It's difficult to troubleshoot because the other end is managed
by a different party. On our side UDP port 500 is opened.

debug crypto isakmp output:

Jul 30 09:50:15.291: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Jul 30 09:50:15.291: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Jul 30 09:50:15.291: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Jul 30 09:50:15.291: ISAKMP:(0): sending packet to <peer-public-ip> my_port 500 peer_port 500 (I) MM_NO_STATE
Jul 30 09:50:15.291: ISAKMP:(0):Sending an IKE IPv4 Packet.
Jul 30 09:50:25.291: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Jul 30 09:50:25.291: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
Jul 30 09:50:25.291: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Jul 30 09:50:25.291: ISAKMP:(0): sending packet to <peer-public-ip> my_port 500 peer_port 500 (I) MM_NO_STATE
Jul 30 09:50:25.291: ISAKMP:(0):Sending an IKE IPv4 Packet.
Jul 30 09:50:35.287: ISAKMP: set new node 0 to CONF_XAUTH
Jul 30 09:50:35.287: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local <local-ip>, remote <peer-public-ip>)
Jul 30 09:50:35.287: ISAKMP: Error while processing SA request: Failed to initialize SA
Jul 30 09:50:35.287: ISAKMP: Error while processing KMI message 0, error 2.
Jul 30 09:50:35.291: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Jul 30 09:50:35.291: ISAKMP (0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
Jul 30 09:50:35.291: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Jul 30 09:50:35.291: ISAKMP:(0): sending packet to <peer-public-ip> my_port 500 peer_port 500 (I) MM_NO_STATE
Jul 30 09:50:35.291: ISAKMP:(0):Sending an IKE IPv4 Packet.
Jul 30 09:50:45.291: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Jul 30 09:50:45.291: ISAKMP (0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
Jul 30 09:50:45.291: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Jul 30 09:50:45.291: ISAKMP:(0): sending packet to <peer-public-ip> my_port 500 peer_port 500 (I) MM_NO_STATE
Jul 30 09:50:45.291: ISAKMP:(0):Sending an IKE IPv4 Packet.


7200 config used:

crypto isakmp policy 3
      encr 3des
      authentication pre-share
      group 2

crypto isakmp key <key> address <peer-public-ip>

crypto ipsec transform-set test-s2s-transform esp-3des esp-sha-hmac

crypto map test-s2s 5 ipsec-isakmp
      set peer <peer-public-ip>
      set transform-set test-s2s-transform
      match address 100

access-list 100 <source-ip> <destination-ip>

interface GigabitEthernet0/1
      crypto map test-s2s


Please suggest a way to solve this problem.

Thanks

10 Replies

mkdccie
Level 1

Hi Harsha,

Can both ends reach each other?

Regards,

MKD

hi Mohammed,

Thanks for your quick response. My 7200 resides in the DMZ, and ping/traceroute are disabled by the other end. I don't have a way to check the other end, so I cannot figure out whether I have reachability or not. But I can reach global IPs like 4.2.2.2 (global DNS) as well as google.com etc. from my 7200 router.

Thanks

Hi Harsha,

It clearly shows a connectivity issue.

I would recommend checking on both sides (if possible) and making sure they can reach each other.

Keep us posted.

Please rate any post that you find useful.

Hi Harsha,

According to your posted logs, it looks like it is at the very beginning of the first step of the VPN tunnel; you must be sure of the connectivity on UDP port 500 at both ends.

The second step will be the parameters and the pre-shared key.

Regards,

MKD

If they can communicate across the Internet, then check the Phase 1 settings.

Make sure the other side has you as a VPN peer and that it currently runs VPN services (ISAKMP and IPsec enabled on the outside).
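The reply above says to check the Phase 1 settings once reachability is confirmed. The following is an added example, not code from the thread or from Cisco, that models how IKEv1 main mode picks a phase 1 policy: the initiator offers all of its `crypto isakmp policy` entries in priority order and the responder accepts the first offer whose encryption, hash, authentication method and DH group match one of its own; the SA lifetime is taken as the shorter of the two (a simplification of the IOS rule). The Cisco side is the policy posted in this thread with IOS defaults for hash and lifetime (sha, 86400); the Check Point sides are constructed, since the thread never shows them.

```python
"""Added example: model IKEv1 main mode phase 1 policy matching."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class IsakmpPolicy:
    priority: int
    encr: str           # e.g. "3des", "aes 256"
    hash_alg: str       # "sha" or "md5"
    auth: str           # "pre-share" or "rsa-sig"
    group: int          # Diffie-Hellman group
    lifetime: int = 86400   # seconds; IOS default

    def differences(self, other: "IsakmpPolicy") -> List[str]:
        """Attributes that block a match with `other` (lifetime is negotiated, not compared)."""
        diffs = []
        for attr in ("encr", "hash_alg", "auth", "group"):
            a, b = getattr(self, attr), getattr(other, attr)
            if a != b:
                diffs.append(f"{attr}: {a} vs {b}")
        return diffs


def negotiate(initiator: List[IsakmpPolicy],
              responder: List[IsakmpPolicy]) -> Optional[Tuple[IsakmpPolicy, IsakmpPolicy, int]]:
    """Return (offer accepted, responder policy, agreed lifetime) or None.

    Offers are tried in the initiator's priority order; the responder's
    policies are scanned in its own priority order for each offer.
    """
    for offer in sorted(initiator, key=lambda p: p.priority):
        for local in sorted(responder, key=lambda p: p.priority):
            if not offer.differences(local):
                return offer, local, min(offer.lifetime, local.lifetime)
    return None


def mismatch_report(initiator: List[IsakmpPolicy], responder: List[IsakmpPolicy]) -> List[str]:
    """One line per (offer, local) pair that did not match, naming the blocking attributes."""
    lines = []
    for offer in initiator:
        for local in responder:
            diffs = offer.differences(local)
            if diffs:
                lines.append(f"offer {offer.priority} vs local {local.priority}: " + ", ".join(diffs))
    return lines


# The 7200 side as posted in the thread: policy 3, encr 3des, pre-share, group 2;
# hash and lifetime left at the IOS defaults (sha, 86400).
CISCO_7200 = [IsakmpPolicy(3, "3des", "sha", "pre-share", 2)]

# Constructed peer sides: the thread does not show the Check Point settings.
PEER_MISMATCH = [IsakmpPolicy(1, "aes 256", "sha", "pre-share", 2),
                 IsakmpPolicy(2, "3des", "md5", "pre-share", 2)]
PEER_MATCH = [IsakmpPolicy(1, "aes 256", "sha", "pre-share", 2),
              IsakmpPolicy(2, "3des", "sha", "pre-share", 2, lifetime=28800)]

if __name__ == "__main__":
    print("mismatching peer:", negotiate(CISCO_7200, PEER_MISMATCH))
    for line in mismatch_report(CISCO_7200, PEER_MISMATCH):
        print("  ", line)
    print("matching peer:", negotiate(CISCO_7200, PEER_MATCH))
```

With the mismatching peer the report names the one attribute per pair that blocks agreement (encryption against policy 1, hash against policy 2), which is the comparison to do side by side with whoever runs the remote end once UDP/500 is confirmed reachable.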

hi all,

I was able to establish the tunnel with the other side and reach the peer's remote network. But once
I removed the crypto map from the interface and re-applied it, I couldn't establish the tunnel. Then I cleared all security associations using "clear crypto sa" and "clear crypto isakmp" on both sides. But I still have the issue.

config:

crypto isakmp policy 3
      encr 3des
      authentication pre-share
      group 2


crypto isakmp key ***** address

crypto ipsec transform-set transform-s2s esp-3des esp-sha-hmac

crypto map Crypto-Map-S2s 1 ipsec-isakmp
      set peer
      set transform-set transform-s2s
      match address ACL

ip access-list extended ACL
      permit ip host host

interface GigabitEthernet0/1
     crypto map Crypto-Map-S2s


Debug Output:

ISAKMP:(0):peer does not do paranoid keepalives
%CRYPTO-4-IKMP_NO_SA: IKE message from  no SA and is not an initialization offer


What is the issue with these?
Thanks

Hi Harsha,

Could you post the show run from the 7200? Please remove any sensitive info.

Also, kindly post the output of the following after you've made a ping from a source host/PC behind the 7200 towards the remote internal IP:

show crypto isakmp sa

show crypto ipsec sa

debug crypto isakmp

debug crypto ipsec

Sent from Cisco Technical Support iPhone App

hi johnlloyd_13,

Thanks for your post. The config I used is mentioned in my previous post. Here are the debug outputs you requested.

CISCO7200#ping source

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to , timeout is 2 seconds:
Packet sent with a source address of

Aug  4 11:02:32.739: ISAKMP:(0): SA request profile is (NULL)
Aug  4 11:02:32.739: ISAKMP: Found a peer struct for , peer port 500
Aug  4 11:02:32.739: ISAKMP: Locking peer struct 0x67FDAC30, refcount 2 for isakmp_initiator
Aug  4 11:02:32.739: ISAKMP: local port 500, remote port 500
Aug  4 11:02:32.739: ISAKMP: set new node 0 to CONF_XAUTH
Aug  4 11:02:32.739: ISAKMP:(0):insert sa successfully sa = 6841AD2C
Aug  4 11:02:32.739: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
Aug  4 11:02:32.739: ISAKMP:(0):found peer pre-shared key matching
Aug  4 11:02:32.739: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
Aug  4 11:02:32.739: ISAKMP:(0): constructed NAT-T vendor-07 ID
Aug  4 11:02:32.739: ISAKMP:(0): constructed NAT-T vendor-03 ID
Aug  4 11:02:32.739: ISAKMP:(0): constructed NAT-T vendor-02 ID
Aug  4 11:02:32.739: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Aug  4 11:02:32.739: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1

Aug  4 11:02:32.739: ISAKMP:(0): beginning Main Mode exchange
Aug  4 11:02:32.739: ISAKMP:(0): sending packet to my_port 500 peer_port 500 (I) MM_NO_STATE
Aug  4 11:02:32.739: ISAKMP:(0):Sending an IKE IPv4 Packet......
Success rate is 0 percent (0/5)
CISCO7200#
Aug  4 11:02:42.739: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Aug  4 11:02:42.739: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Aug  4 11:02:42.739: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Aug  4 11:02:42.739: ISAKMP:(0): sending packet to my_port 500 peer_port 500 (I) MM_NO_STATE
Aug  4 11:02:42.739: ISAKMP:(0):Sending an IKE IPv4 Packet.
Aug  4 11:02:52.739: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Aug  4 11:02:52.739: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
Aug  4 11:02:52.739: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Aug  4 11:02:52.739: ISAKMP:(0): sending packet to my_port 500 peer_port 500 (I) MM_NO_STATE
Aug  4 11:02:52.739: ISAKMP:(0):Sending an IKE IPv4 Packet.
CISCO7200#
CISCO7200#
CISCO7200#
CISCO7200#
Aug  4 11:03:02.739: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Aug  4 11:03:02.739: ISAKMP (0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
Aug  4 11:03:02.739: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Aug  4 11:03:02.739: ISAKMP:(0): sending packet to my_port 500 peer_port 500 (I) MM_NO_STATE
Aug  4 11:03:02.739: ISAKMP:(0):Sending an IKE IPv4 Packet.
Aug  4 11:03:02.739: ISAKMP: set new node 0 to CONF_XAUTH
Aug  4 11:03:02.739: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local 172.21.2.106, remote )
Aug  4 11:03:02.739: ISAKMP: Error while processing SA request: Failed to initialize SA
Aug  4 11:03:02.739: ISAKMP: Error while processing KMI message 0, error 2.
Aug  4 11:03:12.739: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Aug  4 11:03:12.739: ISAKMP (0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
Aug  4 11:03:12.739: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Aug  4 11:03:12.739: ISAKMP:(0): sending packet to my_port 500 peer_port 500 (I) MM_NO_STATE
Aug  4 11:03:12.739: ISAKMP:(0):Sending an IKE IPv4 Packet.
Aug  4 11:03:22.739: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Aug  4 11:03:22.739: ISAKMP (0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
Aug  4 11:03:22.739: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Aug  4 11:03:22.739: ISAKMP:(0): sending packet to my_port 500 peer_port 500 (I) MM_NO_STATE
Aug  4 11:03:22.739: ISAKMP:(0):Sending an IKE IPv4 Packet.
Aug  4 11:03:32.739: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Aug  4 11:03:32.739: ISAKMP:(0):peer does not do paranoid keepalives.

Aug  4 11:03:32.739: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer )
Aug  4 11:03:32.739: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer )
Aug  4 11:03:32.739: ISAKMP: Unlocking peer struct 0x67FDAC30 for isadb_mark_sa_deleted(), count 1
Aug  4 11:03:32.739: ISAKMP:(0):deleting node 301456956 error FALSE reason "IKE deleted"
Aug  4 11:03:32.739: ISAKMP:(0):deleting node 187793590 error FALSE reason "IKE deleted"
Aug  4 11:03:32.739: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Aug  4 11:03:32.739: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_DEST_SA

sh crypto isakmp sa:

IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status

IPv6 Crypto ISAKMP SA
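Both debug captures in this thread (the one in the opening post and the longer one just above) show the same shape: the router sends MM1 in MM_NO_STATE, retransmits five times, never logs a received packet, and finally deletes the SA with "Death by retransmission P1". The following triage script is an added example, not code from the thread or from Cisco; it parses `debug crypto isakmp` lines into the phase 1 state transitions, retransmit counter and received-packet count, and maps that to a verdict. The sample lines are constructed in the same format as the thread's output, with the documentation address 198.51.100.1 standing in for the stripped peer IP; the second, shorter sample goes beyond the thread to show the verdict when the peer does answer but phase 1 still dies.

```python
"""Triage helper for Cisco IOS "debug crypto isakmp" output (IKEv1 main mode).
Added example, not code from the thread."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample in the shape of the thread's debug; 198.51.100.1 is a
# documentation address standing in for the stripped peer IP.
SAMPLE_NO_REPLY = """\
Aug  4 11:02:32.739: ISAKMP:(0):found peer pre-shared key matching 198.51.100.1
Aug  4 11:02:32.739: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
Aug  4 11:02:32.739: ISAKMP:(0): beginning Main Mode exchange
Aug  4 11:02:32.739: ISAKMP:(0): sending packet to 198.51.100.1 my_port 500 peer_port 500 (I) MM_NO_STATE
Aug  4 11:02:42.739: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Aug  4 11:02:42.739: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Aug  4 11:02:42.739: ISAKMP:(0): sending packet to 198.51.100.1 my_port 500 peer_port 500 (I) MM_NO_STATE
Aug  4 11:03:02.739: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local 172.21.2.106, remote 198.51.100.1)
Aug  4 11:03:02.739: ISAKMP: Error while processing SA request: Failed to initialize SA
Aug  4 11:03:02.739: ISAKMP: Error while processing KMI message 0, error 2.
Aug  4 11:03:22.739: ISAKMP (0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
Aug  4 11:03:32.739: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 198.51.100.1)
Aug  4 11:03:32.739: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_DEST_SA
"""

# Constructed contrast case (not from the thread): the peer answers MM1, so the
# SA leaves MM_NO_STATE, but phase 1 still dies by retransmission later on.
SAMPLE_STALLED = """\
Aug  4 11:10:00.000: ISAKMP:(0): sending packet to 198.51.100.1 my_port 500 peer_port 500 (I) MM_NO_STATE
Aug  4 11:10:00.100: ISAKMP (0): received packet from 198.51.100.1 dport 500 sport 500 Global (I) MM_NO_STATE
Aug  4 11:10:00.100: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2
Aug  4 11:10:00.100: ISAKMP:(0): sending packet to 198.51.100.1 my_port 500 peer_port 500 (I) MM_SA_SETUP
Aug  4 11:10:50.100: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer 198.51.100.1)
"""

STATE_RE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
SEND_RE = re.compile(r"sending packet to (\S+) my_port (\d+) peer_port (\d+) \((I|R)\) (\S+)")
RECV_RE = re.compile(r"received packet from (\S+) dport (\d+) sport (\d+)")
ATTEMPT_RE = re.compile(r"attempt (\d+) of (\d+): retransmit phase (\d)")
DEATH_RE = re.compile(r'deleting SA reason "Death by retransmission P(\d)"')


@dataclass
class IkeTrace:
    transitions: List[Tuple[str, str]] = field(default_factory=list)
    sent_status: List[str] = field(default_factory=list)  # SA status at each send, e.g. MM_NO_STATE
    received: int = 0                    # packets received from the peer
    attempts: int = 0                    # highest retransmit attempt seen
    attempts_max: int = 0                # retransmit budget reported by IOS
    death_phase: Optional[int] = None    # phase named in "Death by retransmission P<n>"
    sa_init_error: bool = False          # "Failed to initialize SA" seen
    peer: Optional[str] = None


def parse_isakmp_debug(text: str) -> IkeTrace:
    """Extract the fields that matter for phase 1 triage from raw debug lines."""
    t = IkeTrace()
    for line in text.splitlines():
        m = STATE_RE.search(line)
        if m:
            t.transitions.append((m.group(1), m.group(2)))
            continue
        m = SEND_RE.search(line)
        if m:
            t.peer = m.group(1)
            t.sent_status.append(m.group(5))
            continue
        if RECV_RE.search(line):
            t.received += 1
            continue
        m = ATTEMPT_RE.search(line)
        if m:
            t.attempts = max(t.attempts, int(m.group(1)))
            t.attempts_max = int(m.group(2))
            continue
        m = DEATH_RE.search(line)
        if m:
            t.death_phase = int(m.group(1))
        elif "Failed to initialize SA" in line:
            t.sa_init_error = True
    return t


def diagnose(t: IkeTrace) -> Tuple[str, str]:
    """Map a parsed trace to a verdict code and a one-line explanation."""
    exhausted = t.death_phase == 1 or (t.attempts_max > 0 and t.attempts >= t.attempts_max)
    if t.received == 0 and set(t.sent_status) <= {"MM_NO_STATE"} and exhausted:
        code, text = "NO_RESPONSE_P1", (
            f"MM1 sent to {t.peer} and retransmitted {t.attempts} time(s) with no reply: "
            "UDP/500 is not reaching the peer, is filtered on the path, or the peer has no "
            "IKE peer entry for this address. Confirm reachability before touching policies or keys.")
    elif t.death_phase == 1:
        code, text = "P1_STALLED", (
            "The peer replied at least once but phase 1 never completed: compare the phase 1 "
            "parameters and the pre-shared key on both sides.")
    else:
        code, text = "INCONCLUSIVE", "Phase 1 still in progress or not enough lines captured."
    if t.sa_init_error:
        text += " 'Failed to initialize SA' was logged while phase 1 was still pending; fix phase 1 first."
    return code, text


if __name__ == "__main__":
    for name, sample in (("no reply", SAMPLE_NO_REPLY), ("stalled", SAMPLE_STALLED)):
        code, text = diagnose(parse_isakmp_debug(sample))
        print(f"{name}: {code}\n  {text}")
```

Feed it the raw output of `debug crypto isakmp` (for example saved from the terminal) and read the verdict: NO_RESPONSE_P1 is exactly the situation in this thread, where nothing can be concluded about policies or keys until the peer is shown to receive and answer on UDP/500.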

I also have a similar problem. My VPN is still not working.


So I had this very problem, with the same error messages in the log after doing a debug (see below):


000496: Oct 26 2017 20:16:36.469 UTC: ISAKMP: Error while processing SA request: Failed to initialize SA
000497: Oct 26 2017 20:16:36.469 UTC: ISAKMP: Error while processing KMI message 0, error 2.


In my case, I was doing front-door VRF, so my tunnels were in a different VRF. I was about to reload the router because I had exhausted all other options (configs were fine and identical to other sites that were working fine).

Finally, I tried removing the VRF from the router and re-adding it, literally:

no ip vrf INET

ip vrf INET

...of course this removes all the VRF configuration from interfaces, etc., so that had to get re-added too. Long story short, this completely fixed it!


If you have a similar issue, give it a try. This was on a 4431.