Cisco IPSec vpn help please

Phillip Gibson
Level 1

Hi all,

I have 3 sites; the main site has a Cisco router behind a Mikrotik firewall.

There is an existing IPsec VPN between the Cisco router and another Cisco router at the 2nd site, and it works well.

I have now added another VPN between a 3rd site and the main site. The router at the 3rd site is a Mikrotik firewall.

I had the VPN up and running between the main site and the 3rd site where the Mikrotik firewall is, and it was running well.

Then, for some reason, the VPN with the 3rd site failed and I have been unable to get it working again.

When looking for answers I see that the VPN to the 3rd site shows the following:

#pkts encaps: 46, #pkts encrypt: 46, #pkts digest: 46
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

So it appears that no traffic is getting back to the Cisco.

I also found the output listed below when diagnosing the issue.

It appears that there is communication, but if I read this right, it looks like the Cisco sets a new number but the other end doesn't get the new number:

new node -1868419487

deleting node -1868419487 error FALSE reason "Informational (in) state 1"

Any help would be appreciated.

*Jul 22 02:49:51.911: ISAKMP:(2060):purging node -1140469772
*Jul 22 02:49:59.723: ISAKMP: DPD received KMI message.
*Jul 22 02:49:59.723: ISAKMP: set new node 1053074288 to QM_IDLE
*Jul 22 02:49:59.723: ISAKMP:(2060):Sending NOTIFY DPD/R_U_THERE protocol 1
        spi 2273844328, message ID = 1053074288
*Jul 22 02:49:59.723: ISAKMP:(2060): seq. no 0x645EC368
*Jul 22 02:49:59.723: ISAKMP:(2060): sending packet to x.x.x.127 my_port 500 peer_port 500 (R) QM_IDLE
*Jul 22 02:49:59.723: ISAKMP:(2060):Sending an IKE IPv4 Packet.
*Jul 22 02:49:59.723: ISAKMP:(2060):purging node 1053074288
*Jul 22 02:49:59.767: ISAKMP (2060): received packet from x.x.x.127 dport 500 sport 500 Global (R) QM_IDLE
*Jul 22 02:49:59.767: ISAKMP: set new node -1868419487 to QM_IDLE
*Jul 22 02:49:59.771: ISAKMP:(2060): processing HASH payload. message ID = 2426547809
*Jul 22 02:49:59.771: ISAKMP:(2060): processing NOTIFY DPD/R_U_THERE_ACK protocol 1
        spi 0, message ID = 2426547809, sa = 0x8705F854
*Jul 22 02:49:59.771: ISAKMP:(2060): DPD/R_U_THERE_ACK received from peer 125.236.211.127, sequence 0x645EC368
*Jul 22 02:49:59.771: ISAKMP:(2060):deleting node -1868419487 error FALSE reason "Informational (in) state 1"
*Jul 22 02:49:59.771: ISAKMP:(2060):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Jul 22 02:49:59.771: ISAKMP:(2060):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

*Jul 22 02:50:01.111: ISAKMP:(2060):purging node -1201068805


Dinesh Moudgil
Cisco Employee

Hi,

Looking at the output:
#pkts encaps: 46, #pkts encrypt: 46, #pkts digest: 46
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

Seems like the tunnel is up and we are not passing traffic.
The debugs do not seem to be giving full information, as they just show that only phase 1 is completed and nothing about phase 2.

To confirm if the tunnel is up or not, please check the output of "show crypto ipsec sa peer x.x.x.x".
It must show valid inbound and outbound ESP SAs. If they are not present, then it means that phase 2 is down.

For example (truncated output):

The output marked in red should be similar to this and not all 0s.

    Crypto map tag: test, local addr. 12.1.1.1
   local  ident (addr/mask/prot/port): (20.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   current_peer: 12.1.1.2
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 7767918, #pkts encrypt: 7767918, #pkts digest 7767918
    #pkts decaps: 7760382, #pkts decrypt: 7760382, #pkts verify 7760382
     inbound esp sas:
      spi: 0x136A010F(325714191)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 3442, flow_id: 1443, crypto map: test
        sa timing: remaining key lifetime (k/sec): (4608000/52)
        IV size: 8 bytes
        replay detection support: Y
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0x3D3(979)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 3443, flow_id: 1444, crypto map: test
        sa timing: remaining key lifetime (k/sec): (4608000/52)
        IV size: 8 bytes
        replay detection support: Y


Taking complete debugs with these commands will give a better understanding of the problem:

debug crypto condition peer ipv4 x.x.x.x (ip of remote peer)
debug crypto isakmp
debug crypto ipsec


Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

Hi Dinesh, thanks for your reply.

The output is as follows; it looks like it is up but not passing traffic.

When running the debug commands I don't really get any errors other than what I have already shown.

protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
   current_peer x.x.x.127 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 47436, #pkts encrypt: 47436, #pkts digest: 47436
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 192.168.11.2, remote crypto endpt.: x.x.x.127
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4
     current outbound spi: 0x7C5B109(130396425)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x31969499(831952025)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 79, flow_id: Onboard VPN:79, sibling_flags 80000040, crypto map: cm-cryptomap
        sa timing: remaining key lifetime (k/sec): (4181537/522)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x7C5B109(130396425)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 80, flow_id: Onboard VPN:80, sibling_flags 80000040, crypto map: cm-cryptomap
        sa timing: remaining key lifetime (k/sec): (4181516/522)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

============================

debug crypto condition peer ipv4 x.x.x.127
Adv-Cashel#terminal monitor
Adv-Cashel#

*Jul 22 04:15:12.867: ISAKMP (2060): received packet from x.x.x.127 dport 500 sport 500 Global (R) QM_IDLE
*Jul 22 04:15:12.871: ISAKMP: set new node -1055404213 to QM_IDLE
*Jul 22 04:15:12.871: ISAKMP:(2060): processing HASH payload. message ID = 3239563083
*Jul 22 04:15:12.871: ISAKMP:(2060): processing NOTIFY DPD/R_U_THERE protocol 1
        spi 0, message ID = 3239563083, sa = 0x8705F854
*Jul 22 04:15:12.871: ISAKMP:(2060):deleting node -1055404213 error FALSE reason "Informational (in) state 1"
*Jul 22 04:15:12.871: ISAKMP:(2060):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Jul 22 04:15:12.871: ISAKMP:(2060):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

*Jul 22 04:15:12.871: ISAKMP:(2060):DPD/R_U_THERE received from peer x.x.x.127, sequence 0xF7D
*Jul 22 04:15:12.871: ISAKMP: set new node 929300059 to QM_IDLE
*Jul 22 04:15:12.871: ISAKMP:(2060):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
        spi 2278152216, message ID = 929300059
*Jul 22 04:15:12.871: ISAKMP:(2060): seq. no 0xF7D
*Jul 22 04:15:12.871: ISAKMP:(2060): sending packet to x.x.x.127 my_port 500 peer_port 500 (R) QM_IDLE
*Jul 22 04:15:12.871: ISAKMP:(2060):Sending an IKE IPv4 Packet.
*Jul 22 04:15:12.871: ISAKMP:(2060):purging node 929300059
*Jul 22 04:15:12.871: ISAKMP:(2060):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
*Jul 22 04:15:12.871: ISAKMP:(2060):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

*Jul 22 04:15:27.947: ISAKMP:(2060):purging node -1215330891

 

Comparing the encrypt counters from 46 to 47436, it seems like the router is encrypting the traffic but we are not getting any interesting traffic from the remote side.

Most likely, you might want to check on the remote side if you see the decryption counters incrementing in parallel, and whether the encryption counters are incrementing or not.

On the IOS router, if the encrypt counters are incrementing, then confirm you do not have any pre-existing tunnel on the router which might have the same proxy IDs and is already negotiated with another peer.

Lastly, please make sure the ESP (protocol 50) traffic is not blocked in transit.
Hope this helps.

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/
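As an added example (not from this thread or from Cisco), the small Python triage helper below applies the reasoning in the accepted answer to `show crypto ipsec sa` text: it pulls the encaps/decaps counters, the proxy identities and the ESP SA status, and classifies the tunnel as phase 2 down, one-way (the symptom here: we encrypt, nothing decrypts), idle, or passing. The sample output is constructed from the counters quoted in the thread; the function names and labels are my own.

```python
import re

# Constructed sample, modelled on the output quoted in the thread above.
SAMPLE_ONE_WAY = """\
   local  ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
    #pkts encaps: 47436, #pkts encrypt: 47436, #pkts digest: 47436
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
     inbound esp sas:
        Status: ACTIVE(ACTIVE)
     outbound esp sas:
        Status: ACTIVE(ACTIVE)
"""

COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")
IDENT_RE = re.compile(r"(local|remote)\s+ident \(addr/mask/prot/port\): \(([^)]*)\)")
SECTION_RE = re.compile(r"(inbound|outbound) esp sas:")
STATUS_RE = re.compile(r"Status: (\w+)")


def parse_ipsec_sa(text):
    """Return counters, proxy IDs and per-direction ESP SA status (None if absent)."""
    info = {"encaps": 0, "decaps": 0, "local": None, "remote": None,
            "inbound_esp": None, "outbound_esp": None}
    section = None  # which "esp sas:" block the current line belongs to
    for line in text.splitlines():
        for name, val in COUNTER_RE.findall(line):
            info[name] = int(val)
        m = IDENT_RE.search(line)
        if m:
            info[m.group(1)] = m.group(2)
        m = SECTION_RE.search(line)
        if m:
            section = m.group(1) + "_esp"
            continue
        m = STATUS_RE.search(line)
        if m and section:
            info[section] = m.group(1)
    return info


def diagnose(text):
    """Classify the tunnel the way the reply above reasons about the counters."""
    sa = parse_ipsec_sa(text)
    if sa["inbound_esp"] is None or sa["outbound_esp"] is None:
        return "phase2-down"  # no ESP SA pair: IKE phase 2 never completed
    if sa["encaps"] > 0 and sa["decaps"] == 0:
        # We encrypt but never decrypt: check the remote side's counters,
        # overlapping proxy IDs on another tunnel, or ESP (IP proto 50) blocked in transit.
        return "one-way"
    if sa["encaps"] == 0 and sa["decaps"] == 0:
        return "no-interesting-traffic"
    return "passing"
```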