Help! My 2691xm router is deaf to ISAKMP

Hello.

I am trying to set up a DMVPN.

The setup is the following:

1751-V is a spoke - c1700-advsecurityk9-mz.124-15.T14.bin

2691xm is a hub - c2691-advsecurityk9-mz.124-15.T14.bin

As I stated in the title, my clients' 2691xm router is deaf to ISAKMP. It is configured as a hub for DMVPN, and doesn't show that it is receiving anything VPN-related. The 1751-V on the other hand is very noisy, sending out a lot of IKE requests to the 2691xm.

I made the 1751-V talk to my home's 1751-V with a slightly modified version of the 2691xm's config without any problems. I didn't get access through the VPN quite yet, but they at least got through ISAKMP.

I turned on "debug dmvpn all all" and "term mon", and I get NO output from the 2691xm.

I also get nothing from "show crypto isakmp sa".

I thought the traffic might be blocked by the ISP. I called and asked, and it isn't.

I thought the traffic might be stopped at the firewall, so I set the relevant ports to log traffic as evident in the next paste.

router-1#show access-list INTERNET_IN
Extended IP access list INTERNET_IN
...
    70 permit udp any any eq isakmp log (2576 matches)
    80 permit gre any any log
    90 permit esp any any log
...

So I AM getting traffic through to the router, but my router isn't reacting to it?

Below are snippets of relevant configs.

HUB:

Internet: int fa0/1 - T1 w/ static IP through ethernet

LAN: int fa0/0 - lan 192.168.20.1

ip multicast-routing
!
crypto isakmp policy 100
 encr aes 256
 authentication pre-share
 group 2
 lifetime 28800
!
crypto isakmp key ABCD address 0.0.0.0 no-xauth
!
crypto ipsec transform-set TRANSFORM_1 esp-aes 256 esp-sha-hmac
!
crypto ipsec profile PROFILE_1
 set security-association lifetime seconds 600
 set transform-set TRANSFORM_1
 set pfs group2
!
interface Tunnel0
 ip pim sparse-mode
 bandwidth 1536
 ip address 10.0.20.20 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source fa0/1
 tunnel mode gre multipoint
 tunnel protection ipsec profile PROFILE_1
 ip nhrp map multicast dynamic
 ip nhrp network-id 20
 ip nhrp holdtime 600
 ip nhrp authentication ABCD
 ip hold-time eigrp 1 35
 no ip next-hop-self eigrp 1
 no ip split-horizon eigrp 1
!
router eigrp 1
 network 10.0.20.0 0.0.0.255
 network 192.168.20.0 0.0.0.255
 no auto-summary
!
ip access-list extended NAT_TRAFFIC
 deny   ip 192.168.20.0 0.0.0.255 192.168.22.0 0.0.0.255
 permit ip 192.168.20.0 0.0.0.255 any
!
route-map NONAT permit 10
 match ip address NAT_TRAFFIC
!
ip nat inside source route-map NONAT interface fa0/1 overload

SPOKE:

Internet: int dialer0 - DSL, PPPoE, DHCP

LAN: int vlan0 - 192.168.22.1

ip multicast-routing
!
crypto isakmp policy 100
 encr aes 256
 authentication pre-share
 group 2
 lifetime 28800
!
crypto isakmp key ABCD address 0.0.0.0 no-xauth
!
crypto ipsec transform-set TRANSFORM_1 esp-aes 256 esp-sha-hmac
!
crypto ipsec profile PROFILE_1
 set security-association lifetime seconds 600
 set transform-set TRANSFORM_1
 set pfs group2
!
interface Tunnel0
 ip pim sparse-mode
 bandwidth 1536
 ip address 10.0.20.22 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source Dialer0
 tunnel mode gre multipoint
 tunnel protection ipsec profile PROFILE_1
 ip nhrp map 10.0.20.20 2691_WAN_IP
 ip nhrp map multicast 2691_WAN_IP
 ip nhrp network-id 20
 ip nhrp holdtime 600
 ip nhrp nhs 10.0.20.20
 ip nhrp authentication ABCD
 ip hold-time eigrp 1 35
 no ip next-hop-self eigrp 1
 no ip split-horizon eigrp 1
!
router eigrp 1
 network 10.0.20.0 0.0.0.255
 network 192.168.22.0 0.0.0.255
 no auto-summary
 eigrp stub connected
!
ip access-list extended NAT_TRAFFIC
 deny   ip 192.168.22.0 0.0.0.255 192.168.20.0 0.0.0.255
 permit ip 192.168.22.0 0.0.0.255 any
!
route-map NONAT permit 10
 match ip address NAT_TRAFFIC
!
ip nat inside source route-map NONAT interface Dialer0 overload
!

As I previously said, 2691xm DOES NOT REACT. Only thing I have been able to determine is the router DOES NOT block traffic on port 500 UDP.

Here is some output from 1751-v (spoke router).

ISAKMP: set new node 0 to QM_IDLE
ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local 1751_WAN_IP, remote 2691_WAN_IP)
ISAKMP: Error while processing SA request: Failed to initialize SA
ISAKMP: Error while processing KMI message 0, error 2.
ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
ISAKMP (0:0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1

router-1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst            src            state          conn-id slot status
2691_WAN_IP    1751_WAN_IP    MM_NO_STATE          0    0 ACTIVE
2691_WAN_IP    1751_WAN_IP    MM_NO_STATE          0    0 ACTIVE (deleted)

The 1751-v works with another 1751-v (to an extent), just not the 2691xm I need it to work with.

Please help as this is driving me CRAZY!!!!

I would appreciate ANY suggestions/comments/criticisms/hypotheses/requests/ANYTHING!!!!

-Vittorio


Jason Gervia
Cisco Employee

Need to see the interface config for fa0/1 on the hub as well as any routing statement and ACL used by the interface.

--Jason

Here is the requested information:

interface Tunnel0
 bandwidth 1536
 ip address 10.0.20.20 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip hold-time eigrp 1 35
 no ip next-hop-self eigrp 1
 ip pim sparse-mode
 ip nhrp authentication ABADCADS
 ip nhrp map multicast dynamic
 ip nhrp network-id 20
 ip nhrp holdtime 600
 ip tcp adjust-mss 1360
 no ip split-horizon eigrp 1
 tunnel source FastEthernet0/1
 tunnel mode gre multipoint
 tunnel protection ipsec profile PROFILE_1
!
interface FastEthernet0/0
 ip address 192.168.20.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
 no cdp enable
 no mop enabled
!
interface FastEthernet0/1
 ip address INTERNET_ADDRESS 255.255.255.248
 ip access-group INTERNET_IN in
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 no cdp enable
!
router eigrp 1
 network 10.0.20.0 0.0.0.255
 network 192.168.20.0
 no auto-summary
!
ip access-list extended INTERNET_IN
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 permit tcp any any established
 permit udp any eq domain any
 permit udp any any eq ntp
 permit udp any any eq isakmp log
 permit gre any any log
 permit esp any any log
 permit udp any eq ntp any
 permit tcp any any eq 22
 deny   ip any any log-input
ip access-list extended NAT_TRAFFIC
 deny   ip 192.168.20.0 0.0.0.255 192.168.21.0 0.0.0.255
 deny   ip 192.168.20.0 0.0.0.255 192.168.22.0 0.0.0.255
 permit ip 192.168.20.0 0.0.0.255 any
!
ip nat inside source route-map NONAT interface FastEthernet0/1 overload
!

Thank you, please tell me if you need anything else

-Vittorio
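Before cycling a production tunnel, the two Tunnel0 stanzas posted in this thread (the spoke's in the opening post, the hub's full config just above) can be cross-checked as text. The script below is an added example, not code from the thread or from Cisco: it pulls the Tunnel0 block out of two IOS config texts, reports lines a DMVPN hub or spoke must carry, and reports values that must agree end to end; run on the snippets as posted, it flags that the hub's NHRP authentication string (ABADCADS) differs from the spoke's (ABCD). A text check like this cannot see the runtime state that "show crypto map" exposed, so it complements rather than replaces the debugs.

```python
# Constructed excerpts of the two Tunnel0 configs posted in this thread (WAN placeholder kept).
HUB_CFG = """\
interface Tunnel0
 ip nhrp authentication ABADCADS
 ip nhrp map multicast dynamic
 ip nhrp network-id 20
 tunnel mode gre multipoint
 tunnel protection ipsec profile PROFILE_1
"""
SPOKE_CFG = """\
interface Tunnel0
 ip nhrp network-id 20
 ip nhrp nhs 10.0.20.20
 ip nhrp authentication ABCD
 tunnel mode gre multipoint
 tunnel protection ipsec profile PROFILE_1
"""
REQUIRED = {  # lines a DMVPN tunnel needs, and which side must carry them
    "tunnel mode gre multipoint": "both", "tunnel protection ipsec profile": "both",
    "ip nhrp network-id": "both", "ip nhrp map multicast dynamic": "hub", "ip nhrp nhs": "spoke"}
# Values that must be identical on hub and spoke for NHRP registration to succeed.
MUST_MATCH = ("ip nhrp network-id", "ip nhrp authentication", "tunnel protection ipsec profile")

def tunnel_block(cfg, name="Tunnel0"):  # sub-lines of 'interface <name>', indent stripped
    lines, inside = [], False
    for raw in cfg.splitlines():
        if raw.startswith("interface "):
            inside = raw.split()[1] == name
        elif not raw.startswith(" "):  # '!' or another top-level stanza ends the block
            inside = False
        elif inside:
            lines.append(raw.strip())
    return lines

def value(lines, prefix):  # text after prefix ('' on exact match), None when absent
    for line in lines:
        if line == prefix or line.startswith(prefix + " "):
            return line[len(prefix):].strip()
    return None

def check_dmvpn(hub_cfg, spoke_cfg):  # findings as strings; empty list means consistent
    findings, hub, spoke = [], tunnel_block(hub_cfg), tunnel_block(spoke_cfg)
    for prefix, side in REQUIRED.items():
        for role, lines in (("hub", hub), ("spoke", spoke)):
            if side in (role, "both") and value(lines, prefix) is None:
                findings.append(f"{role}: missing '{prefix}'")
    for prefix in MUST_MATCH:
        h, s = value(hub, prefix), value(spoke, prefix)
        if h != s:
            findings.append(f"mismatch '{prefix}': hub={h!r} spoke={s!r}")
    return findings
```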

Hmmm.

Try:

conf t

crypto isakmp enable

Also, what is the output of a 'show crypto map'?

crypto isakmp enable didn't do anything.

router-1# show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status

router-1# show crypto map
No crypto maps found.

No crypto map means there's some sort of issue on the hub with config - try the following:

term mon
debug crypto socket
debug tunnel protection
conf t
logging on
logging mon debugging
int tunnel0
shut
no tunnel protection ipsec profile PROFILE_1
tunnel protection ipsec profile PROFILE_1
no shut

See if that gives us any debugs.

My God man. You sir are a genius.

Who would've thunk turning it on and off again would do the trick!!

That should be the first troubleshooting step LOL!

I couldn't reset it because it's a production machine, and I didn't wanna save the config in case everything went wrong.

Interface reset was definitely the way to go!

Just for your info there was NO output even after debug crypto socket and debug tunnel protection. Everything sparked to life as soon as I typed no shut.

Thank you very much for your help!
