Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1925
Views
0
Helpful
5
Replies

DMVPN issue MM_KEY_EXCH & MM_NO_STATE

vostro727@gmail.com
Level 1
Level 1

‎02-17-2019 07:36 PM - edited ‎02-21-2020 09:34 PM

Hi there,

I have a problem with one spoke where the DMVPN tunnels are down. There are steps being done so far:-

1. Reset tunnels but still down

2. Tried clearing crypto tunnel but still down

3. reloaded router (Cisco 1941) but no change

 

R1#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
117.102.81.130 5.148.100.100 QM_IDLE 1400 ACTIVE
117.102.81.130 66.150.201.122 QM_IDLE 1378 ACTIVE
66.150.201.117 117.102.81.130 MM_NO_STATE 1409 ACTIVE (deleted)
117.102.81.130 182.23.147.162 QM_IDLE 4724 ACTIVE

IPv6 Crypto ISAKMP SA

 

R1#sh run int Tunnel10
Building configuration...

Current configuration : 699 bytes
!
interface Tunnel10
bandwidth 40000
ip address 10.31.248.246 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1400
ip authentication mode eigrp 55 md5
ip authentication key-chain eigrp 55 keychain-1
ip flow monitor flow-monitor input
ip nhrp authentication DMVPN_NW
ip nhrp map multicast 66.150.201.117
ip nhrp map 10.31.248.1 66.150.201.117
ip nhrp network-id 100100
ip nhrp holdtime 600
ip nhrp nhs 10.31.248.1
ip summary-address eigrp 55 10.246.0.0 255.255.0.0
delay 1000
qos pre-classify
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel key 100100
tunnel path-mtu-discovery
tunnel protection ipsec profile ipsec_dmvpn shared
end

Labels:
0 Helpful
5 Replies 5

Mohammed al Baqari
Level 11
Level 11

‎02-17-2019 09:05 PM

If you tunnel is flapping between these two states (MM_KEY_EXCH &
MM_NO_STATE
<>)
as in subject, then check that your keys match
0 Helpful

vostro727@gmail.com
Level 1
Level 1
In response to Mohammed al Baqari

‎02-17-2019 09:15 PM

Hi Mohammed,

i can confirm the keys are match as we did as well deleting and adding it again. We have other sites are using the same key but not having this issue.

thanks.

0 Helpful

Mohammed al Baqari
Level 11
Level 11
In response to vostro727@gmail.com

‎02-18-2019 03:43 AM

Are you using keyrings, or profiles or vrfs. A common error is association
together.

If that's not the case send debug output
0 Helpful

vostro727@gmail.com
Level 1
Level 1
In response to Mohammed al Baqari

‎02-19-2019 12:31 AM

Hi Mohammed,

Here are debug output:-

041014: Feb 19 15:29:39.209 GMT: ISAKMP-PAK: (4760):received packet from 66.150.201.117 dport 500 sport 500 Global (I) MM_KEY_EXCH
041015: Feb 19 15:29:39.209 GMT: ISAKMP: (4760):phase 1 packet is a duplicate of a previous packet.
041016: Feb 19 15:29:39.209 GMT: ISAKMP: (4760):retransmitting due to retransmit phase 1
041017: Feb 19 15:29:39.709 GMT: ISAKMP: (4760):retransmitting phase 1 MM_KEY_EXCH...
041018: Feb 19 15:29:39.709 GMT: ISAKMP: (4760):: incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
041019: Feb 19 15:29:39.709 GMT: ISAKMP: (4760):retransmitting phase 1 MM_KEY_EXCH
041020: Feb 19 15:29:39.709 GMT: ISAKMP-PAK: (4760):sending packet to 66.150.201.117 my_port 500 peer_port 500 (I) MM_KEY_EXCH
041021: Feb 19 15:29:39.709 GMT: ISAKMP: (4760):Sending an IKE IPv4 Packet.
041022: Feb 19 15:29:41.793 GMT: %SEC-6-IPACCESSLOGP: list inside denied udp 10.246.2.27(137) -> 36.86.63.182(137), 1 packet
041023: Feb 19 15:29:44.309 GMT: %SEC-6-IPACCESSLOGP: list inside denied udp 10.246.2.12(62654) -> 36.86.63.182(999), 1 packet
041024: Feb 19 15:29:44.877 GMT: ISAKMP: (4727):purging node -1842799308
041025: Feb 19 15:29:48.993 GMT: ISAKMP: (4760):set new node 0 to QM_IDLE
041026: Feb 19 15:29:48.993 GMT: ISAKMP-ERROR: (4760):SA is still budding. Attached new ipsec request to it. (local 117.102.81.130, remote 66.150.201.117)
041027: Feb 19 15:29:48.993 GMT: ISAKMP-ERROR: (0):Error while processing SA request: Failed to initialize SA
041028: Feb 19 15:29:48.993 GMT: ISAKMP-ERROR: (0):Error while processing KMI message 0, error 2.
041029: Feb 19 15:29:49.709 GMT: ISAKMP: (4760):retransmitting phase 1 MM_KEY_EXCH...
041030: Feb 19 15:29:49.709 GMT: ISAKMP: (4760):peer does not do paranoid keepalives.
041031: Feb 19 15:29:49.709 GMT: ISAKMP-ERROR: (4760):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer 66.150.201.117)
041032: Feb 19 15:29:49.709 GMT: ISAKMP-ERROR: (4760):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer 66.150.201.117)
041033: Feb 19 15:29:49.709 GMT: ISAKMP: (0):Unlocking peer struct 0x2D3C07A4 for isadb_mark_sa_deleted(), count 0
041034: Feb 19 15:29:49.709 GMT: ISAKMP: (0):Deleting peer node by peer_reap for 66.150.201.117: 2D3C07A4
041035: Feb 19 15:29:49.709 GMT: %CRYPTO-5-IKMP_SETUP_FAILURE: IKE SETUP FAILED for local:117.102.81.130 local_id:idjktrtr01.global.erm55.com remote:66.150.201.117 remote_id:66.150.201.117 IKE profile:dmvpn fvrf:None fail_reason:Peer lost fail_class_cnt:1
041036: Feb 19 15:29:49.709 GMT: ISAKMP: (4760):deleting node 992136914 error FALSE reason "IKE deleted"
041037: Feb 19 15:29:49.709 GMT: ISAKMP: (4760):deleting node -1015402555 error FALSE reason "IKE deleted"
041038: Feb 19 15:29:49.709 GMT: ISAKMP: (4760):deleting node -1077819325 error FALSE reason "IKE deleted"
041039: Feb 19 15:29:49.709 GMT: ISAKMP: (4760):IKE->PKI End PKI Session state (I) MM_NO_STATE (peer 66.150.201.117)
041040: Feb 19 15:29:49.709 GMT: ISAKMP: (4760):PKI->IKE Ended PKI Session state (I) MM_NO_STATE (peer 66.150.201.117)
041041: Feb 19 15:29:49.709 GMT: ISAKMP: (4760):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
041042: Feb 19 15:29:49.709 GMT: ISAKMP: (4760):Old State = IKE_I_MM5 New State = IKE_DEST_SA

041043: Feb 19 15:29:50.953 GMT: %SEC-6-IPACCESSLOGP: list inside denied udp 10.246.2.89(51795) -> 36.86.63.182(999), 1 packet
041044: Feb 19 15:29:56.517 GMT: %SEC-6-IPACCESSLOGP: list inside denied udp 10.246.2.91(58751) -> 36.86.63.182(999), 1 packet
041045: Feb 19 15:29:59.221 GMT: %SEC-6-IPACCESSLOGP: list inside denied udp 10.246.2.4(62387) -> 36.86.63.182(999), 1 packet
041046: Feb 19 15:30:00.417 GMT: %SEC-6-IPACCESSLOGP: list inside denied udp 10.246.2.102(60423) -> 36.86.63.182(999), 1 packet
041047: Feb 19 15:30:02.813 GMT: %SEC-6-IPACCESSLOGP: list inside denied udp 10.246.2.24(51460) -> 74.125.130.101(443), 1 packet
041048: Feb 19 15:30:04.397 GMT: %SEC-6-IPACCESSLOGP: list inside denied udp 10.246.2.24(58459) -> 172.217.194.84(443), 1 packet
041049: Feb 19 15:30:05.501 GMT: %SEC-6-IPACCESSLOGP: list inside denied udp 10.246.2.72(53589) -> 36.86.63.182(999), 1 packet
041050: Feb 19 15:30:06.005 GMT: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:160219676 1493 bytes is out-of-order; expected seq:160194975. Reason: TCP reassembly queue overflow - session 10.246.2.89:50032 to 23.43.56.115:80
041051: Feb 19 15:30:07.109 GMT: %SEC-6-IPACCESSLOGP: list inside denied udp 10.246.2.93(54536) -> 36.86.63.182(999), 1 packet
041052: Feb 19 15:30:10.877 GMT: %SEC-6-IPACCESSLOGP: list inside denied udp 10.246.2.22(50235) -> 36.86.63.182(999), 1 packet

0 Helpful

muhammadsafwankamaruddin6312
Level 1
Level 1

‎05-05-2021 06:27 AM

Hi, may I know did you able to solve this issue?

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents