06-25-2013 10:49 AM - edited 02-21-2020 06:59 PM
Hello everybody, here is a summary of my configuration.
On my hub router:
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
crypto isakmp key 6 aageePSZ_[\GCMWIJWcC\VW_V\AIhKQBHfGV address 0.0.0.0 0.0.0.0
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
crypto ipsec profile My_DMVPN
set transform-set AES-SHA
interface Tunnel0
description MultiPoint_HUBE_DMVPN
bandwidth 1000
ip address 10.100.100.10 255.255.255.0
no ip redirects
ip mtu 1400
no ip next-hop-self eigrp 1
ip nhrp authentication My_DMVPN
ip nhrp map multicast dynamic
ip nhrp network-id 99
ip nhrp holdtime 300
ip nhrp cache non-authoritative
ip tcp adjust-mss 1360
no ip split-horizon eigrp 1
delay 1000
shutdown
tunnel source FastEthernet0/1.212
tunnel mode gre multipoint
tunnel key 100000
tunnel protection ipsec profile My_DMVPN
interface FastEthernet0/1.212
description RESERVED-ISP3(ITA)
encapsulation dot1Q 212
ip address 41.218.114.86 255.255.255.252
ip access-group ingress-filter in
ip nat outside
ip virtual-reassembly
crypto map VPN-TUNNEL
ip access-list extended ingress-filter
remark Allow VPN Traffic
permit udp any any eq non500-isakmp
permit udp any any eq isakmp
permit esp any any
permit tcp any any eq 10000
remark Allow Professional Traffic
permit tcp any host 10.30.33.6 eq 443
permit tcp any host 10.30.21.3 eq telnet
permit tcp any host 10.30.33.6 eq 22
permit ip any any fragments
permit ip any any
remark Deny Everythings Else
deny ip any any
ip nat inside source list PERMIT-WEB-TRAFFIC interface FastEthernet0/1.212 overload
ip nat inside source static tcp 10.30.21.3 23 41.218.114.86 23 extendable
ip nat inside source static tcp 10.30.33.6 443 41.218.114.86 443 extendable
ip nat inside source static udp 10.30.33.6 4500 41.218.114.86 4500 extendable
ip nat inside source static udp 10.30.33.6 10000 41.218.114.86 10000 extendable
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
On my spoke router:
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
crypto isakmp key 6 c]FCThE\OeiFPeWYMcT[DUBOWRcDWMg`WLeB address 0.0.0.0 0.0.0.0
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
!
crypto ipsec profile My_DMVPN
set transform-set AES-SHA
interface Tunnel0
bandwidth 1000
ip address 10.100.100.1 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication My_DMVPN
ip nhrp map 10.100.100.10 41.218.114.86
ip nhrp map multicast 41.218.114.86
ip nhrp network-id 99
ip nhrp holdtime 300
ip nhrp nhs 10.100.100.10
ip tcp adjust-mss 1360
delay 1000
tunnel source FastEthernet0/1
tunnel mode gre multipoint
tunnel key 100000
tunnel protection ipsec profile My_DMVPN
interface FastEthernet0/1
description Outside Connection
ip address 41.218.103.166 255.255.255.252
ip access-group ingress-filter in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
no mop enabled
service-policy output SDM-QOS-Policy-2
ip nat inside source list 101 interface FastEthernet0/1 overload
ip access-list extended ingress-filter
remark Allow VPN Traffic
permit udp any any eq non500-isakmp
permit udp any any eq isakmp
permit esp any any
permit tcp any any eq 10000
remark Allow Professional Traffic
permit tcp any host 10.30.33.6 eq 443
permit tcp any host 10.30.21.3 eq telnet
permit tcp any host 10.30.33.6 eq 22
permit ip any any fragments
permit ip any any
remark Deny Everythings Else
deny ip any any
Output from spoke to hub:
NoceboRT#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
41.218.114.86 41.218.103.166 MM_NO_STATE 0 ACTIVE
Debug on spoke:
003884: *Jun 25 18:25:24.530 CET: %LINK-3-UPDOWN: Interface Tunnel0, changed state to up
003885: *Jun 25 18:25:24.538 CET: insert of map into mapdb AVL failed, map + ace pair already exists on the mapdb
003886: *Jun 25 18:25:24.546 CET: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
003887: *Jun 25 18:25:24.550 CET: IPSEC(recalculate_mtu): reset sadb_root 47C6E5C8 mtu to 1500
003888: *Jun 25 18:25:24.550 CET: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 41.218.103.166, remote= 41.218.114.86,
local_proxy= 41.218.103.166/255.255.255.255/47/0 (type=1),
remote_proxy= 41.218.114.86/255.255.255.255/47/0 (type=1),
protocol= ESP, transform= esp-aes esp-sha-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
003889: *Jun 25 18:25:24.550 CET: ISAKMP:(0): SA request profile is (NULL)
003890: *Jun 25 18:25:24.550 CET: ISAKMP: Created a peer struct for 41.218.114.86, peer port 500
003891: *Jun 25 18:25:24.550 CET: ISAKMP: New peer created peer = 0x4A3ABAB4 peer_handle = 0x8000003C
003892: *Jun 25 18:25:24.554 CET: ISAKMP: Locking peer struct 0x4A3ABAB4, refcount 1 for isakmp_initiator
003893: *Jun 25 18:25:24.554 CET: ISAKMP: local port 500, remote port 500
003894: *Jun 25 18:25:24.554 CET: ISAKMP: set new node 0 to QM_IDLE
003895: *Jun 25 18:25:24.554 CET: ISAKMP:(0):insert sa successfully sa = 49F9DA24
003896: *Jun 25 18:25:24.554 CET: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
003897: *Jun 25 18:25:24.554 CET: ISAKMP:(0):found peer pre-shared key matching 41.218.114.86
003898: *Jun 25 18:25:24.554 CET: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
003899: *Jun 25 18:25:24.554 CET: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
003900: *Jun 25 18:25:24.554 CET: ISAKMP:(0): beginning Main Mode exchange
003901: *Jun 25 18:25:24.554 CET: ISAKMP:(0): sending packet to 41.218.114.86 my_port 500 peer_port 500 (I) MM_NO_STATE
003902: *Jun 25 18:25:24.554 CET: ISAKMP:(0):Sending an IKE IPv4 Packet.
NoceboRT(config-if)#
003903: *Jun 25 18:25:25.530 CET: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
NoceboRT(config-if)#
003904: *Jun 25 18:25:34.554 CET: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
003905: *Jun 25 18:25:34.554 CET: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
003906: *Jun 25 18:25:34.554 CET: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
003907: *Jun 25 18:25:34.554 CET: ISAKMP:(0): sending packet to 41.218.114.86 my_port 500 peer_port 500 (I) MM_NO_STATE
003908: *Jun 25 18:25:34.554 CET: ISAKMP:(0):Sending an IKE IPv4 Packet.
NoceboRT(config-if)#
003909: *Jun 25 18:25:44.554 CET: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
003910: *Jun 25 18:25:44.554 CET: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
003911: *Jun 25 18:25:44.554 CET: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
003912: *Jun 25 18:25:44.554 CET: ISAKMP:(0): sending packet to 41.218.114.86 my_port 500 peer_port 500 (I) MM_NO_STATE
003913: *Jun 25 18:25:44.554 CET: ISAKMP:(0):Sending an IKE IPv4 Packet.
NoceboRT(config-if)#
003914: *Jun 25 18:25:54.550 CET: IPSEC(key_engine): request timer fired: count = 1,
(identity) local= 41.218.103.166, remote= 41.218.114.86,
local_proxy= 41.218.103.166/255.255.255.255/47/0 (type=1),
remote_proxy= 41.218.114.86/255.255.255.255/47/0 (type=1)
003915: *Jun 25 18:25:54.550 CET: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 41.218.103.166, remote= 41.218.114.86,
local_proxy= 41.218.103.166/255.255.255.255/47/0 (type=1),
remote_proxy= 41.218.114.86/255.255.255.255/47/0 (type=1),
protocol= ESP, transform= esp-aes esp-sha-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
003916: *Jun 25 18:25:54.550 CET: ISAKMP: set new node 0 to QM_IDLE
003917: *Jun 25 18:25:54.550 CET: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local 41.218.103.166, remote 41.218.114.86)
003918: *Jun 25 18:25:54.550 CET: ISAKMP: Error while processing SA request: Failed to initialize SA
003919: *Jun 25 18:25:54.550 CET: ISAKMP: Error while processing KMI message 0, error 2.
003920: *Jun 25 18:25:54.554 CET: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
003921: *Jun 25 18:25:54.554 CET: ISAKMP (0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
NoceboRT(config-if)#
003922: *Jun 25 18:25:54.554 CET: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
003923: *Jun 25 18:25:54.554 CET: ISAKMP:(0): sending packet to 41.218.114.86 my_port 500 peer_port 500 (I) MM_NO_STATE
003924: *Jun 25 18:25:54.554 CET: ISAKMP:(0):Sending an IKE IPv4 Packet.
NoceboRT(config-if)#
003925: *Jun 25 18:26:04.554 CET: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
003926: *Jun 25 18:26:04.554 CET: ISAKMP (0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
003927: *Jun 25 18:26:04.554 CET: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
003928: *Jun 25 18:26:04.554 CET: ISAKMP:(0): sending packet to 41.218.114.86 my_port 500 peer_port 500 (I) MM_NO_STATE
003929: *Jun 25 18:26:04.554 CET: ISAKMP:(0):Sending an IKE IPv4 Packet.
NoceboRT(config-if)#
003930: *Jun 25 18:26:14.554 CET: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
003931: *Jun 25 18:26:14.554 CET: ISAKMP (0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
003932: *Jun 25 18:26:14.554 CET: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
003933: *Jun 25 18:26:14.554 CET: ISAKMP:(0): sending packet to 41.218.114.86 my_port 500 peer_port 500 (I) MM_NO_STATE
003934: *Jun 25 18:26:14.554 CET: ISAKMP:(0):Sending an IKE IPv4 Packet.
NoceboRT(config-if)#
003935: *Jun 25 18:26:24.550 CET: IPSEC(key_engine): request timer fired: count = 2,
(identity) local= 41.218.103.166, remote= 41.218.114.86,
local_proxy= 41.218.103.166/255.255.255.255/47/0 (type=1),
remote_proxy= 41.218.114.86/255.255.255.255/47/0 (type=1)
003936: *Jun 25 18:26:24.550 CET: %DMVPN-7-CRYPTO_SS: Tunnel0-41.218.103.166 socket is DOWN
003937: *Jun 25 18:26:24.554 CET: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
003938: *Jun 25 18:26:24.554 CET: ISAKMP:(0):peer does not do paranoid keepalives.
003939: *Jun 25 18:26:24.554 CET: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 41.218.114.86)
003940: *Jun 25 18:26:24.554 CET: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 41.218.114.86)
003941: *Jun 25 18:26:24.554 CET: ISAKMP: Unlocking peer struct 0x4A3ABAB4 for isadb_mark_sa_deleted(), count 0
003942: *Jun 25 18:26:24.554 CET: ISAKMP: Deleting peer node by peer_reap for 41.218.114.86: 4A3ABAB4
003943: *Jun 25 18:26:24.554 CET: ISAKMP:(0):deleting node -1023496767 error FALSE reason "IKE deleted"
003944: *Jun 25 18:26:24.554 CET: ISAKMP:(0):deleting node 47365806 error FALSE reason "IKE deleted"
003945: *Jun 25 18:26:24.554 CET: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
NoceboRT(config-if)#
003946: *Jun 25 18:26:24.554 CET: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_DEST_SA
003947: *Jun 25 18:26:24.554 CET: IPSEC(key_engine): got a queue event with 1 KMI message(s)
NoceboRT(config-if)#unde
NoceboRT(config-if)#un
003948: *Jun 25 18:27:04.534 CET: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 41.218.103.166, remote= 41.218.114.86,
local_proxy= 41.218.103.166/255.255.255.255/47/0 (type=1),
remote_proxy= 41.218.114.86/255.255.255.255/47/0 (type=1),
protocol= ESP, transform= esp-aes esp-sha-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
003949: *Jun 25 18:27:04.534 CET: %DMVPN-3-NHRP_ERROR: Registration Request failed for 10.100.100.10 on Tunnel0
003950: *Jun 25 18:27:04.534 CET: ISAKMP:(0): SA request profile is (NULL)
003951: *Jun 25 18:27:04.534 CET: ISAKMP: Created a peer struct for 41.218.114.86, peer port 500
003952: *Jun 25 18:27:04.534 CET: ISAKMP: New peer created peer = 0x4A01F2A8 peer_handle = 0x8000003D
003953: *Jun 25 18:27:04.534 CET: ISAKMP: Locking peer struct 0x4A01F2A8, refcount 1 for isakmp_initiator
003954: *Jun 25 18:27:04.538 CET: ISAKMP: local port 500, remote port 500
003955: *Jun 25 18:27:04.538 CET: ISAKMP: set new node 0 to QM_IDLE
003956: *Jun 25 18:27:04.538 CET: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 49E4D438
NoceboRT(config-if)#
003957: *Jun 25 18:27:04.538 CET: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
003958: *Jun 25 18:27:04.538 CET: ISAKMP:(0):found peer pre-shared key matching 41.218.114.86
003959: *Jun 25 18:27:04.538 CET: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
003960: *Jun 25 18:27:04.538 CET: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
003961: *Jun 25 18:27:04.538 CET: ISAKMP:(0): beginning Main Mode exchange
003962: *Jun 25 18:27:04.538 CET: ISAKMP:(0): sending packet to 41.218.114.86 my_port 500 peer_port 500 (I) MM_NO_STATE
003963: *Jun 25 18:27:04.538 CET: ISAKMP:(0):Sending an IKE IPv4 Packet.
NoceboRT(config-if)#end
NoceboRT#unde
NoceboRT#undebug
003964: *Jun 25 18:27:07.674 CET: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (41.74.246.134)
NoceboRT#undebug all
All possible debugging has been turned off
Please, can someone help? It seems like a NAT issue. How can I fix that?
I already opened ports 50, 4500, 500 and 47, but it doesn't work!
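As an added example (not part of the post or of any Cisco tool), a small Python triage script that reads the spoke's ISAKMP debug lines (a constructed excerpt of the ones quoted above) and reports how many Main Mode packets went out, whether any reply came back, and why the SA was torn down; the "received packet from" pattern is the one IOS prints when the peer answers, and none of those lines occur in this log.

```python
import re
from collections import Counter

# Constructed excerpt of the spoke's "debug crypto isakmp" output quoted in the post above.
DEBUG_LOG = """\
003901: *Jun 25 18:25:24.554 CET: ISAKMP:(0): sending packet to 41.218.114.86 my_port 500 peer_port 500 (I) MM_NO_STATE
003904: *Jun 25 18:25:34.554 CET: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
003905: *Jun 25 18:25:34.554 CET: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
003907: *Jun 25 18:25:34.554 CET: ISAKMP:(0): sending packet to 41.218.114.86 my_port 500 peer_port 500 (I) MM_NO_STATE
003931: *Jun 25 18:26:14.554 CET: ISAKMP (0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
003939: *Jun 25 18:26:24.554 CET: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 41.218.114.86)
"""

SENT_RE = re.compile(r"sending packet to (\S+) my_port (\d+) peer_port (\d+) \((I|R)\) (\S+)")
# A reply, when the peer answers, is logged as "received packet from <ip> dport 500 sport 500 ...".
RECV_RE = re.compile(r"received packet from (\S+) dport (\d+) sport (\d+)")
ATTEMPT_RE = re.compile(r"attempt (\d+) of (\d+): retransmit phase 1")
DEATH_RE = re.compile(r'"Death by retransmission P1" .*\(peer (\S+)\)')


def triage_phase1(log: str) -> dict:
    """Summarise one IKEv1 Phase 1 attempt: packets sent per peer/port, replies seen, final outcome."""
    sent, received = Counter(), Counter()
    states, retransmit_max, dead_peers = set(), 0, set()
    for line in log.splitlines():
        if m := SENT_RE.search(line):
            sent[(m[1], int(m[3]))] += 1      # (peer address, peer UDP port)
            states.add(m[5])                  # ISAKMP state stamped on the outgoing packet
        elif m := RECV_RE.search(line):
            received[(m[1], int(m[3]))] += 1
        elif m := ATTEMPT_RE.search(line):
            retransmit_max = max(retransmit_max, int(m[1]))
        elif m := DEATH_RE.search(line):
            dead_peers.add(m[1])
    if sent and not received and states <= {"MM_NO_STATE"}:
        verdict = ("initiator never left MM_NO_STATE: MM1 left the spoke but nothing came back; "
                   "check UDP/500 (and UDP/4500) reachability in both directions and that the peer "
                   "address actually processes ISAKMP")
    elif received:
        verdict = "peer is answering; look past reachability (policy, key or identity mismatch)"
    else:
        verdict = "no Phase 1 traffic found in this log"
    return {"sent": dict(sent), "received": dict(received), "states": sorted(states),
            "retransmits": retransmit_max, "dead_peers": sorted(dead_peers), "verdict": verdict}


if __name__ == "__main__":
    for key, value in triage_phase1(DEBUG_LOG).items():
        print(f"{key}: {value}")
```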
02-16-2024 05:57 AM
You could try to ensure bidirectional UDP 500/4500 traffic.