DMVPN-Why received packet doesn't use UDP port 4500 but 500?

superlion
Level 1
 
Hello everyone
 
I got a problem with my DMVPN. Spoke is behind a NAT device. x.x.x.x is a public IP address which hub uses. I don't know why it discovered that the hub is also inside a NAT device. And after it sends a packet using port 4500, the received packet from hub was not using port 4500 but 500. I'm confused now. Any advice would be much appreciated.
 
*Sep 10 08:56:02 UTC: ISAKMP:(0): beginning Main Mode exchange
*Sep 10 08:56:02 UTC: ISAKMP:(0): sending packet to x.x.x.x my_port 500 peer_port 500 (I) MM_NO_STATE
*Sep 10 08:56:02 UTC: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Sep 10 08:56:02 UTC: ISAKMP (0): received packet from x.x.x.x dport 500 sport 500 Global (I) MM_NO_STATE
*Sep 10 08:56:02 UTC: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Sep 10 08:56:02 UTC: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2 
 
*Sep 10 08:56:02 UTC: ISAKMP:(0): processing SA payload. message ID = 0
*Sep 10 08:56:02 UTC: ISAKMP:(0): processing vendor id payload
*Sep 10 08:56:02 UTC: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Sep 10 08:56:02 UTC: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Sep 10 08:56:02 UTC: ISAKMP:(0):found peer pre-shared key matching 
*Sep 10 08:56:02 UTC: ISAKMP:(0): local preshared key found
*Sep 10 08:56:02 UTC: ISAKMP : Scanning profiles for xauth ...
*Sep 10 08:56:02 UTC: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Sep 10 08:56:02 UTC: ISAKMP:      encryption 3DES-CBC
*Sep 10 08:56:02 UTC: ISAKMP:      hash MD5
*Sep 10 08:56:02 UTC: ISAKMP:      default group 1
*Sep 10 08:56:02 UTC: ISAKMP:      auth pre-share
*Sep 10 08:56:02 UTC: ISAKMP:      life type in seconds
*Sep 10 08:56:02 UTC: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80 
*Sep 10 08:56:02 UTC: ISAKMP:(0):atts are acceptable. Next payload is 0
*Sep 10 08:56:02 UTC: ISAKMP:(0):Acceptable atts:actual life: 0
*Sep 10 08:56:02 UTC: ISAKMP:(0):Acceptable atts:life: 0
*Sep 10 08:56:02 UTC: ISAKMP:(0):Fill atts in sa vpi_length:4
*Sep 10 08:56:02 UTC: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
*Sep 10 08:56:02 UTC: ISAKMP:(0):Returning Actual lifetime: 86400
*Sep 10 08:56:02 UTC: ISAKMP:(0)::Started lifetime timer: 86400.
 
*Sep 10 08:56:02 UTC: ISAKMP:(0): processing vendor id payload
*Sep 10 08:56:02 UTC: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Sep 10 08:56:02 UTC: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Sep 10 08:56:02 UTC: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Sep 10 08:56:02 UTC: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2 
 
*Sep 10 08:56:02 UTC: ISAKMP:(0): sending packet to x.x.x.x my_port 500 peer_port 500 (I) MM_SA_SETUP
*Sep 10 08:56:02 UTC: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Sep 10 08:56:02 UTC: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Sep 10 08:56:02 UTC: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3 
 
*Sep 10 08:56:02 UTC: ISAKMP (0): received packet from x.x.x.x dport 500 sport 500 Global (I) MM_SA_SETUP
*Sep 10 08:56:02 UTC: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Sep 10 08:56:02 UTC: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4 
 
*Sep 10 08:56:02 UTC: ISAKMP:(0): processing KE payload. message ID = 0
*Sep 10 08:56:02 UTC: ISAKMP:(0): processing NONCE payload. message ID = 0
*Sep 10 08:56:02 UTC: ISAKMP:(0):found peer pre-shared key matching x.x.x.x
*Sep 10 08:56:02 UTC: ISAKMP:(2746): processing vendor id payload
*Sep 10 08:56:02 UTC: ISAKMP:(2746): vendor ID is Unity
*Sep 10 08:56:02 UTC: ISAKMP:(2746): processing vendor id payload
*Sep 10 08:56:02 UTC: ISAKMP:(2746): vendor ID is DPD
*Sep 10 08:56:02 UTC: ISAKMP:(2746): processing vendor id payload
*Sep 10 08:56:02 UTC: ISAKMP:(2746): speaking to another IOS box!
*Sep 10 08:56:02 UTC: ISAKMP:received payload type 20
*Sep 10 08:56:02 UTC: ISAKMP (2746): NAT found, both nodes inside NAT
*Sep 10 08:56:02 UTC: ISAKMP:received payload type 20
*Sep 10 08:56:02 UTC: ISAKMP (2746): My hash no match -  this node inside NAT
*Sep 10 08:56:02 UTC: ISAKMP:(2746):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Sep 10 08:56:02 UTC: ISAKMP:(2746):Old State = IKE_I_MM4  New State = IKE_I_MM4 
 
*Sep 10 08:56:02 UTC: ISAKMP:(2746):Send initial contact
*Sep 10 08:56:02 UTC: ISAKMP:(2746):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Sep 10 08:56:02 UTC: ISAKMP (2746): ID payload 
next-payload : 8
type         : 1 
address      : 192.168.1.101 
protocol     : 17 
port         : 0 
length       : 12
*Sep 10 08:56:02 UTC: ISAKMP:(2746):Total payload length: 12
*Sep 10 08:56:02 UTC: ISAKMP:(2746): sending packet to x.x.x.x my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
*Sep 10 08:56:02 UTC: ISAKMP:(2746):Sending an IKE IPv4 Packet.
*Sep 10 08:56:02 UTC: ISAKMP:(2746):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Sep 10 08:56:02 UTC: ISAKMP:(2746):Old State = IKE_I_MM4  New State = IKE_I_MM5 
 
*Sep 10 08:56:03 UTC: ISAKMP (2746): received packet from x.x.x.x dport 500 sport 500 Global (I) MM_KEY_EXCH
*Sep 10 08:56:03 UTC: ISAKMP:(2746): phase 1 packet is a duplicate of a previous packet.
*Sep 10 08:56:03 UTC: ISAKMP:(2746): retransmitting due to retransmit phase 1
*Sep 10 08:56:04 UTC: ISAKMP:(2746): retransmitting phase 1 MM_KEY_EXCH...
*Sep 10 08:56:04 UTC: ISAKMP (2746): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Sep 10 08:56:04 UTC: ISAKMP:(2746): retransmitting phase 1 MM_KEY_EXCH
*Sep 10 08:56:04 UTC: ISAKMP:(2746): sending packet to x.x.x.x my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
*Sep 10 08:56:04 UTC: ISAKMP:(2746):Sending an IKE IPv4 Packet.

Raja Periyasamy
Level 1

This could be because the port 4500 packet that is being sent is not being received by the peer side or it is ignoring that packet. 

Since the port 500 packet that you are receiving is a duplicate of the previous packet it is definitely not a reply packet for the port 4500 packet. 

If you can get the debugs from the other end, then you could see if the peer side is receiving the UDP port 4500 packets.

If not that, then this could be a UDP port 4500 block with the ISP.
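The reasoning in the reply (a port-500 packet flagged as a duplicate cannot be the answer to the port-4500 packet) can be checked mechanically against the debug output. The following is an added example, not code from either poster or from Cisco: it walks `debug crypto isakmp` lines in order, records when the NAT-T float to UDP/4500 happened, and reports whether anything was ever received on 4500 afterwards. The sample log is a constructed excerpt mirroring the lines in the question.

```python
import re

# Constructed excerpt mirroring the debug output in the post (not the full capture).
SAMPLE_DEBUG = """\
*Sep 10 08:56:02 UTC: ISAKMP:(0): sending packet to x.x.x.x my_port 500 peer_port 500 (I) MM_NO_STATE
*Sep 10 08:56:02 UTC: ISAKMP (0): received packet from x.x.x.x dport 500 sport 500 Global (I) MM_SA_SETUP
*Sep 10 08:56:02 UTC: ISAKMP (2746): NAT found, both nodes inside NAT
*Sep 10 08:56:02 UTC: ISAKMP:(2746): sending packet to x.x.x.x my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
*Sep 10 08:56:03 UTC: ISAKMP (2746): received packet from x.x.x.x dport 500 sport 500 Global (I) MM_KEY_EXCH
*Sep 10 08:56:03 UTC: ISAKMP:(2746): phase 1 packet is a duplicate of a previous packet.
*Sep 10 08:56:04 UTC: ISAKMP:(2746): retransmitting phase 1 MM_KEY_EXCH
"""

# my_port / dport are the local side's UDP port; that is what moves 500 -> 4500 on NAT-T.
SEND_RE = re.compile(r"sending packet to (\S+) my_port (\d+) peer_port (\d+) \(I\) (\w+)")
RECV_RE = re.compile(r"received packet from (\S+) dport (\d+) sport (\d+) Global \(I\) (\w+)")


def analyze_isakmp_debug(text):
    """Walk the debug lines in order and report whether the NAT-T port float
    (UDP/500 -> UDP/4500) was ever answered by the peer on UDP/4500."""
    report = {"nat_detected": False, "floated_to_4500": False,
              "received_on_4500": False, "duplicates_after_float": 0,
              "retransmits_after_float": 0}
    for line in text.splitlines():
        if "NAT found" in line or "this node inside NAT" in line:
            report["nat_detected"] = True
        m = SEND_RE.search(line)
        if m and m.group(2) == "4500":
            report["floated_to_4500"] = True
        m = RECV_RE.search(line)
        if m and report["floated_to_4500"] and m.group(2) == "4500":
            report["received_on_4500"] = True
        if report["floated_to_4500"]:
            # Duplicates and retransmits after the float mean the 4500 packet went unanswered.
            if "is a duplicate of a previous packet" in line:
                report["duplicates_after_float"] += 1
            if "retransmitting phase 1" in line:
                report["retransmits_after_float"] += 1
    if report["floated_to_4500"] and not report["received_on_4500"]:
        report["verdict"] = ("UDP/4500 never answered after NAT-T float; check the "
                             "peer's debugs and any ACL/firewall/ISP filtering of UDP/4500")
    elif report["floated_to_4500"]:
        report["verdict"] = "peer answered on UDP/4500; NAT-T float is working"
    else:
        report["verdict"] = "no NAT-T float observed"
    return report
```

Run it over the full `debug crypto isakmp` output from both hub and spoke; if the spoke reports the float but the hub never logs a packet received on dport 4500, the drop is on the path between them.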
