Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
831
Views
0
Helpful
1
Replies

down-negotiating VPN "addition" sessions but main session up and running.

Andriy Sidko
Level 1
Level 1

‎06-22-2018 08:58 AM - edited ‎03-12-2019 05:24 AM

Hi guys.

 

Just curios what this?

I have DVTI IOS router (HUB) as VPN gateway and many dynamic sites with IOS gateways (SPOKE) as well. Everithing looks like working fine. VPN, sessions established. dynamic subnets exchanged via VPN

 

Just my curiosity.

HUB (aaa.aaa.188.59) router shows following:

+++++++++++

gate#sh cry sess bri
Status: A- Active, U - Up, D - Down, I - Idle, S - Standby, N - Negotiating
K - No IKE
ivrf = (none)
Peer I/F Username Group/Phase1_id Uptime Status
xxx.xxx.237.177 Vi28 gate-spoke177.test.net 08:51:07 UA
yyy.yyy.188.11 Vi12 gate-spoke11.test.net 2d12h UA
zzz.zzz.151.130 Vi3 gate-spoke130.test.net 1d02h UA

-= output omitted for briefly =-

yyy.yyy.188.11 Vi12 DN
yyy.yyy.188.11 Vi12 DN
zzz.zzz.151.130 Vi3 DN
xxx.xxx.237.177 Vi28 DN
zzz.zzz.151.130 Vi3 DN

-= output omitted for briefly =-

gate#

+++++++++++++++++

from spoke, for example #130, I see following:

++++++++++++++++++

gate-130#sh cry sess bri
Status: A- Active, U - Up, D - Down, I - Idle, S - Standby, N - Negotiating
K - No IKE
ivrf = (none)
Peer I/F Username Group/Phase1_id Uptime Status
aaa.aaa.188.59 Tu0 aaa.aaa.188.59 23:59:42 UA
aaa.aaa.188.59 Gi0 DN
aaa.aaa.188.59 Gi0 DN

gate-130#

++++++++++++++++++

 

why hub&spoke routers show addition sessions as down/negotiated state?

 

In hub log file I see this:

++++++++++++++++++

Jun 22 11:39:59 gate.test.net 621651: Jun 22 11:39:58: %CRYPTO-5-IKMP_SETUP_FAILURE: IKE SETUP FAILED for local:aaa.aaa.188.59 local_id:aaa.aaa.188.59 remote:zzz.zzz.151.130 remote_id:zzz.zzz.151.130 IKE profile:RA-DVPN-IKE-PROFILE fvrf:None fail_reason:Peer lost fail_class_cnt:2

++++++++++++++++++

in spokes log file I 've fount following:

++++++++++++++++++
Jun 22 15:51:06.054: %CRYPTO-5-IKMP_SETUP_FAILURE: IKE SETUP FAILED for local:aaa.aaa.188.59 local_id:aaa.aaa.188.59 remote:10.5.23.150 remote_id:10.5.23.150 IKE profile:None fvrf:None fail_reason:Peer lost fail_class_cnt:1
Jun 22 15:52:06.812: %CRYPTO-5-IKMP_SETUP_FAILURE: IKE SETUP FAILED for local:aaa.aaa.188.59 local_id:aaa.aaa.188.59 remote:10.5.23.150 remote_id:10.5.23.150 IKE profile:None fvrf:None fail_reason:Peer lost fail_class_cnt:2
++++++++++++++++++

is it because hub router successfully competed phase1 and waiting till phase2 timer expired (red above)? but why spoke routers shown all addition sessions both phases failed (greed above) Could you explain? I didn't find explanation at cisco site.

 

Thank you.

 

Labels:
0 Helpful
1 Reply 1

Andriy Sidko
Level 1
Level 1

‎08-03-2018 02:08 PM

anyone?

0 Helpful
Customers Also Viewed These Support Documents