Cisco 2901 Router Tunnel & IPSec Issue

Quintin.Mayo
Level 3

We recently purchased a security license our Cisco 2901 router. The GRE tunnel using 3des I have created using the new license is showing up/down. I’ve confirmed the tunnel has the same configuration on both ends and that it is configured like all 15 other tunnels at our other sites, but I’m getting the following debug errors. There are no NATs or PATs being used on the routers or between the tunnel interfaces. Any assistance or direction would be greatly appreciated.

*Dec 3 23:30:34.664: ISAKMP-ERROR: (0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer xx.xxx.xxx.xx)
*Dec 3 23:30:34.664: ISAKMP-ERROR: (0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer xx.xxx.xxx.xx)
no debug
*Dec 3 23:31:03.552: ISAKMP-ERROR: (0):SA is still budding. Attached new ipsec request to it. (local xx.xxx.xxx.xx, remote xx.xxx.xxx.xx)
*Dec 3 23:31:03.552: ISAKMP-ERROR: (0):Error while processing SA request: Failed to initialize SA
*Dec 3 23:31:03.552: ISAKMP-ERROR: (0):Error while processing KMI message 0, error 2.crypto
*Dec 3 23:31:05.088: ISAKMP-ERROR: (0):SA is still budding. Attached new ipsec request to it. (local xx.xxx.xxx.xx, remote xx.xxx.xxx.xx)
*Dec 3 23:31:05.088: ISAKMP-ERROR: (0):Error while processing SA request: Failed to initialize SA
*Dec 3 23:31:05.088: ISAKMP-ERROR: (0):Error while processing KMI mess B62RTR#
B62RTR#
*Dec 3 23:31:33.552: ISAKMP-ERROR: (0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer xx.xxx.xxx.xx)

Thanks,


Hi,
Is there a firewall or ACLs between the routers blocking udp/500 or esp?
Can the routers ping each other?
Do you definitely have the correct peer IP address defined?
Are you running a DVTI on a hub and a SVTI on the spokes?

Hi,
Everything was working fine until we applied the new licensing.

So was a VPN tunnel working on this router before you applied the license then?
What is the output of "show crypto isakmp sa" from both routers?
What about the debug logs of the other routers?

Hi,

The VPN tunnel was working before we applied the new licensing. I found the link below, which advises issuing the command below, but the routers aren't using PAT or NAT. Is this command valid?

crypto ipsec nat-transparency spi-matching

Documentation link
https://community.cisco.com/t5/vpn-and-anyconnect/error-quot-death-by-retransmission-p1-quot-with-an-ipsec-tunnel/td-p/1221781


------------------ show crypto isakmp sa ------------------

IPv4 Crypto ISAKMP SA
dst src state conn-id status
X.X.X.85 X.X.X.86 MM_NO_STATE 0 ACTIVE
X.X.X.85 X.X.X.86 MM_NO_STATE 0 ACTIVE (deleted)
X.X.X.85 X.X.X.86 MM_NO_STATE 0 ACTIVE
X.X.X.85 X.X.X.86 MM_NO_STATE 0 ACTIVE (deleted)

------------------ show crypto isakmp sa ------------------

IPv4 Crypto ISAKMP SA
dst src state conn-id status
X.X.X.86 X.X.X.85 MM_NO_STATE 0 ACTIVE
X.X.X.86 X.X.X.85 MM_NO_STATE 0 ACTIVE (deleted)
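A small parser for the two outputs in this thread, added here as an example (not code from the thread or from Cisco). It reads the ISAKMP debug lines and the "show crypto isakmp sa" rows and flags the pattern shown above: an initiator that never leaves MM_NO_STATE and deletes the SA by retransmission got no answer to its first main-mode message, which is why the questions about UDP/500 filtering, reachability and the peer address come first. The sample input is constructed from the masked lines in the post.

```python
import re

# Constructed sample input, shaped like the debug and "show crypto isakmp sa"
# output in this thread (addresses masked as in the post).
DEBUG_LINES = """\
*Dec 3 23:30:34.664: ISAKMP-ERROR: (0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer xx.xxx.xxx.xx)
*Dec 3 23:31:03.552: ISAKMP-ERROR: (0):SA is still budding. Attached new ipsec request to it. (local xx.xxx.xxx.xx, remote xx.xxx.xxx.xx)
*Dec 3 23:31:03.552: ISAKMP-ERROR: (0):Error while processing SA request: Failed to initialize SA
*Dec 3 23:31:33.552: ISAKMP-ERROR: (0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer xx.xxx.xxx.xx)
"""
SHOW_SA = """\
IPv4 Crypto ISAKMP SA
dst src state conn-id status
X.X.X.85 X.X.X.86 MM_NO_STATE 0 ACTIVE
X.X.X.85 X.X.X.86 MM_NO_STATE 0 ACTIVE (deleted)
"""

DELETE_RE = re.compile(r'deleting SA reason "(?P<reason>[^"]+)" state '
                       r'\((?P<role>[IR])\) (?P<state>\S+) \(peer (?P<peer>\S+)\)')
SA_RE = re.compile(r'^(?P<dst>\S+)\s+(?P<src>\S+)\s+(?P<state>[A-Z_]+)\s+'
                   r'(?P<conn>\d+)\s+(?P<status>.+)$')

def parse_debug(text):
    """One dict per 'deleting SA' line: reason, role (I/R), IKE state, peer."""
    return [m.groupdict() for m in map(DELETE_RE.search, text.splitlines()) if m]

def parse_show_sa(text):
    """SA rows from 'show crypto isakmp sa'; the two header lines do not match."""
    return [m.groupdict() for m in map(SA_RE.match, text.splitlines()) if m]

def diagnose_phase1(debug_text, show_text):
    """Classify an IKEv1 Phase 1 failure from the two outputs.

    'no_response': this router initiated (I), never left MM_NO_STATE and
    deleted the SA by retransmission, so its first main-mode message was never
    answered. That points at reachability, UDP/500 filtering or a wrong peer
    address; a policy mismatch would fail in a later MM_ state instead.
    """
    events = parse_debug(debug_text)
    rows = parse_show_sa(show_text)
    retrans = [e for e in events if e["reason"].startswith("Death by retransmission")]
    # IPsec (Phase 2) requests queued on a Phase 1 SA that never completed.
    queued = sum("SA is still budding" in line for line in debug_text.splitlines())
    report = {"attempts": len(retrans), "queued_ipsec_requests": queued,
              "peers": sorted({e["peer"] for e in retrans})}
    stuck = all(e["role"] == "I" and e["state"] == "MM_NO_STATE" for e in retrans)
    if retrans and stuck and all(r["state"] == "MM_NO_STATE" for r in rows):
        report["verdict"] = "no_response"
    elif retrans:
        report["verdict"] = "retransmit_after_" + retrans[-1]["state"]
    else:
        report["verdict"] = "no_phase1_deletes_seen"
    return report
```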

So those peer IP addresses are the actual other routers' peer IP addresses, implying there is connectivity between the peers?

Clear the crypto SAs
Configure DPD/isakmp keepalive - assuming it's not already configured.

Hi,
We cleared the crypto SAs and configured the keepalive on both sides, but the tunnel still remains in an up/down state. Are there any other options that can be pursued? Also, thanks for your assistance.