08-04-2018 11:04 AM - edited 08-07-2018 06:44 AM
We've had existing site-to-site VPNs established with clients for over a year. We've recently moved facility and changed our gateway device to a Cisco ASA 5515. Previously, the VPN gateways were Cisco 800 series routers.
The clients have updated their gateways with our new public IP, and also confirmed and re-entered the PSKs. All but one of the client VPNs have been successfully established on the ASA, and work correctly.
However, one of them fails to establish the tunnel, and the IKE Phase 1 status only reaches MM_WAIT_MSG6 state. Please note, the PSK has been confirmed and re-entered at both ends. We are getting errors about "Duplicate Phase 1 packet detected". I'm hoping someone may be able to review the debug log, and explain what is happening and what may be causing the problem.
[IKEv1]IP = 8.8.8.8, IKE Initiator: New Phase 1, Intf outside, IKE Peer 8.8.8.8 local Proxy Address 172.1.0.0, remote Proxy Address 10.1.0.0, Crypto map (outside_map)
[IKEv1 DEBUG]IP = 8.8.8.8, constructing ISAKMP SA payload
[IKEv1 DEBUG]IP = 8.8.8.8, constructing NAT-Traversal VID ver 02 payload
[IKEv1 DEBUG]IP = 8.8.8.8, constructing NAT-Traversal VID ver 03 payload
[IKEv1 DEBUG]IP = 8.8.8.8, constructing NAT-Traversal VID ver RFC payload
[IKEv1 DEBUG]IP = 8.8.8.8, constructing Fragmentation VID + extended capabilities payload
[IKEv1]IP = 8.8.8.8, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 324
[IKEv1]IP = 8.8.8.8, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 132
[IKEv1 DEBUG]IP = 8.8.8.8, processing SA payload
[IKEv1 DEBUG]IP = 8.8.8.8, Oakley proposal is acceptable
[IKEv1 DEBUG]IP = 8.8.8.8, processing VID payload
[IKEv1 DEBUG]IP = 8.8.8.8, Received Fragmentation VID
[IKEv1 DEBUG]IP = 8.8.8.8, IKE Peer included IKE fragmentation capability flags: Main Mode: True Aggressive Mode: False
[IKEv1 DEBUG]IP = 8.8.8.8, processing VID payload
[IKEv1 DEBUG]IP = 8.8.8.8, constructing ke payload
[IKEv1 DEBUG]IP = 8.8.8.8, constructing nonce payload
[IKEv1 DEBUG]IP = 8.8.8.8, constructing Cisco Unity VID payload
[IKEv1 DEBUG]IP = 8.8.8.8, constructing xauth V6 VID payload
[IKEv1 DEBUG]IP = 8.8.8.8, Send IOS VID
[IKEv1 DEBUG]IP = 8.8.8.8, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
[IKEv1 DEBUG]IP = 8.8.8.8, constructing VID payload
[IKEv1 DEBUG]IP = 8.8.8.8, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
[IKEv1]IP = 8.8.8.8, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256
[IKEv1]IP = 8.8.8.8, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NONE (0) total length : 180
[IKEv1 DEBUG]IP = 8.8.8.8, processing ke payload
[IKEv1 DEBUG]IP = 8.8.8.8, processing ISA_KE payload
[IKEv1 DEBUG]IP = 8.8.8.8, processing nonce payload
[IKEv1]IP = 8.8.8.8, Connection landed on tunnel_group 8.8.8.8
[IKEv1 DEBUG]Group = 8.8.8.8, IP = 8.8.8.8, Generating keys for Initiator...
[IKEv1 DEBUG]Group = 8.8.8.8, IP = 8.8.8.8, constructing ID payload
[IKEv1 DEBUG]Group = 8.8.8.8, IP = 8.8.8.8, constructing hash payload
[IKEv1 DEBUG]Group = 8.8.8.8, IP = 8.8.8.8, Computing hash for ISAKMP
[IKEv1 DEBUG]Group = 8.8.8.8, IP = 8.8.8.8, constructing dpd vid payload
[IKEv1]IP = 8.8.8.8, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + VENDOR (13) + NONE (0) total length : 84
[IKEv1]Group = 8.8.8.8, IP = 8.8.8.8, Duplicate Phase 1 packet detected. Retransmitting last packet.
[IKEv1]Group = 8.8.8.8, IP = 8.8.8.8, P1 Retransmit msg dispatched to MM FSM
[IKEv1]Group = 8.8.8.8, IP = 8.8.8.8, Duplicate Phase 1 packet detected. Retransmitting last packet.
[IKEv1]Group = 8.8.8.8, IP = 8.8.8.8, P1 Retransmit msg dispatched to MM FSM
[IKEv1]IP = 8.8.8.8, Header invalid, missing SA payload! (next payload = 4)
[IKEv1]Group = 8.8.8.8, IP = 8.8.8.8, Duplicate Phase 1 packet detected. Retransmitting last packet.
[IKEv1]Group = 8.8.8.8, IP = 8.8.8.8, P1 Retransmit msg dispatched to MM FSM
[IKEv1 DEBUG]Group = 8.8.8.8, IP = 8.8.8.8, IKE MM Initiator FSM error history (struct &0x0000) <state>, <event>: MM_DONE, EV_ERROR-->MM_WAIT_MSG6, EV_PROB_AUTH_FAIL-->MM_WAIT_MSG6, EV_TIMEOUT-->MM_WAIT_MSG6, NullEvent-->MM_SND_MSG5, EV_SND_MSG-->MM_SND_MSG5, EV_START_TMR-->MM_SND_MSG5, EV_RESEND_MSG-->MM_WAIT_MSG6, EV_RESEND_MSG
[IKEv1 DEBUG]Group = 8.8.8.8, IP = 8.8.8.8, IKE SA MM:345hd337fgh terminating: flags 0x01000022, refcnt 0, tuncnt 0
[IKEv1 DEBUG]Group = 8.8.8.8, IP = 8.8.8.8, sending delete/delete with reason message
[IKEv1 DEBUG]Group = 8.8.8.8, IP = 8.8.8.8, constructing blank hash payload
[IKEv1 DEBUG]Group = 8.8.8.8, IP = 8.8.8.8, constructing IKE delete payload
[IKEv1 DEBUG]Group = 8.8.8.8, IP = 8.8.8.8, constructing qm hash payload
[IKEv1]IP = 8.8.8.8, IKE_DECODE SENDING Message (msgid=5h3458e) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
[IKEv1]IP = 8.8.8.8, Header invalid, missing SA payload! (next payload = 4)
08-06-2018 05:57 AM
I don't see the full debugs; it looks like something is missing from there. But my understanding so far is that your side sends MM5 and keeps getting MM4 back from their side. This would most likely mean that your MM5 never made it to their side. I have seen this happen often if you have a NAT device in between. MM5 is when the devices start using udp 4500 for NAT traversal. So if your side initiated MM5 on port 4500 and that was blocked in the path, that would explain the debugs. Get the entire "debug crypto ikev1 127" from your ASA when this happens.
08-06-2018 06:04 AM - edited 08-07-2018 06:41 AM
Thanks very much for your response. You're right that our device is behind a NAT. Full log is as follows.
[IKEv1]IP = 8.8.8.8, IKE Initiator: New Phase 1, Intf outside, IKE Peer 8.8.8.8 local Proxy Address 10.2.0.0, remote Proxy Address 10.1.0.0, Crypto map (outside_map)
[IKEv1 DEBUG]IP = 8.8.8.8, constructing ISAKMP SA payload
[IKEv1 DEBUG]IP = 8.8.8.8, constructing NAT-Traversal VID ver 02 payload
[IKEv1 DEBUG]IP = 8.8.8.8, constructing NAT-Traversal VID ver 03 payload
[IKEv1 DEBUG]IP = 8.8.8.8, constructing NAT-Traversal VID ver RFC payload
[IKEv1 DEBUG]IP = 8.8.8.8, constructing Fragmentation VID + extended capabilities payload
[IKEv1]IP = 8.8.8.8, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 324
SENDING PACKET to 8.8.8.8
RECV PACKET from 8.8.8.8
ISAKMP Header
  Initiator COOKIE:
  Responder COOKIE:
  Next Payload: Security Association
  Version: 1.0
  Exchange Type: Identity Protection (Main Mode)
  Flags: (none)
  MessageID: 00000000
  Length: 132
  Payload Security Association
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 60
    DOI: IPsec
    Situation:(SIT_IDENTITY_ONLY)
    Payload Proposal
      Next Payload: None
      Reserved: 00
      Payload Length: 48
      Proposal #: 1
      Protocol-Id: PROTO_ISAKMP
      SPI Size: 0
      # of transforms: 1
      Payload Transform
        Next Payload: None
        Reserved: 00
        Payload Length: 40
        Transform #: 1
        Transform-Id: KEY_IKE
        Reserved2: 0000
        Group Description: Group 2
        Encryption Algorithm: AES-CBC
        Key Length: 256
        Hash Algorithm: SHA1
        Authentication Method: Preshared key
        Life Type: seconds
        Life Duration (Hex): 00 01 51 80
  Payload Vendor ID
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 24
    Data (In Hex):
  Payload Vendor ID
    Next Payload: None
    Reserved: 00
    Payload Length: 20
    Data (In Hex):
[IKEv1]IP = 8.8.8.8, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 132
[IKEv1 DEBUG]IP = 8.8.8.8, processing SA payload
[IKEv1 DEBUG]IP = 8.8.8.8, Oakley proposal is acceptable
[IKEv1 DEBUG]IP = 8.8.8.8, processing VID payload
[IKEv1 DEBUG]IP = 8.8.8.8, Received Fragmentation VID
[IKEv1 DEBUG]IP = 8.8.8.8, IKE Peer included IKE fragmentation capability flags: Main Mode: True Aggressive Mode: False
[IKEv1 DEBUG]IP = 8.8.8.8, processing VID payload
[IKEv1 DEBUG]IP = 8.8.8.8, constructing ke payload
[IKEv1 DEBUG]IP = 8.8.8.8, constructing nonce payload
[IKEv1 DEBUG]IP = 8.8.8.8, constructing Cisco Unity VID payload
[IKEv1 DEBUG]IP = 8.8.8.8, constructing xauth V6 VID payload
[IKEv1 DEBUG]IP = 8.8.8.8, Send IOS VID
[IKEv1 DEBUG]IP = 8.8.8.8, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
[IKEv1 DEBUG]IP = 8.8.8.8, constructing VID payload
[IKEv1 DEBUG]IP = 8.8.8.8, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
[IKEv1]IP = 8.8.8.8, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256
SENDING PACKET to 8.8.8.8
RECV PACKET from 8.8.8.8
ISAKMP Header
  Initiator COOKIE:
  Responder COOKIE:
  Next Payload: Key Exchange
  Version: 1.0
  Exchange Type: Identity Protection (Main Mode)
  Flags: (none)
  MessageID: 00000000
  Length: 180
  Payload Key Exchange
    Next Payload: Nonce
    Reserved: 00
    Payload Length: 132
    Data:
  Payload Nonce
    Next Payload: None
    Reserved: 00
    Payload Length: 20
    Data:
[IKEv1]IP = 8.8.8.8, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NONE (0) total length : 180
[IKEv1 DEBUG]IP = 8.8.8.8, processing ke payload
[IKEv1 DEBUG]IP = 8.8.8.8, processing ISA_KE payload
[IKEv1 DEBUG]IP = 8.8.8.8, processing nonce payload
[IKEv1]IP = 8.8.8.8, Connection landed on tunnel_group 8.8.8.8
[IKEv1 DEBUG]Group = 8.8.8.8, IP = 8.8.8.8, Generating keys for Initiator...
[IKEv1 DEBUG]Group = 8.8.8.8, IP = 8.8.8.8, constructing ID payload
[IKEv1 DEBUG]Group = 8.8.8.8, IP = 8.8.8.8, constructing hash payload
[IKEv1 DEBUG]Group = 8.8.8.8, IP = 8.8.8.8, Computing hash for ISAKMP
[IKEv1 DEBUG]Group = 8.8.8.8, IP = 8.8.8.8, constructing dpd vid payload
[IKEv1]IP = 8.8.8.8, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + VENDOR (13) + NONE (0) total length : 84
BEFORE ENCRYPTION
ISAKMP Header
  Initiator COOKIE:
  Responder COOKIE:
  Next Payload: Identification
  Version: 1.0
  Exchange Type: Identity Protection (Main Mode)
  Flags: (none)
  MessageID: 00000000
  Length: 469762048
  Payload Identification
    Next Payload: Hash
    Reserved: 00
    Payload Length: 12
    ID Type: IPv4 Address (1)
    Protocol ID (UDP/TCP, etc...): 17
    Port: 500
    ID Data: 10.100.1.10
  Payload Hash
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 24
    Data:
  Payload Vendor ID
    Next Payload: None
    Reserved: 00
    Payload Length: 20
    Data (In Hex):
SENDING PACKET to 8.8.8.8
RECV PACKET from 8.8.8.8
ISAKMP Header
  Initiator COOKIE:
  Responder COOKIE:
  Next Payload: Key Exchange
  Version: 1.0
  Exchange Type: Identity Protection (Main Mode)
  Flags: (none)
  MessageID: 00000000
  Length: 180
  Payload Key Exchange
    Next Payload: Nonce
    Reserved: 00
    Payload Length: 132
    Data:
  Payload Nonce
    Next Payload: None
    Reserved: 00
    Payload Length: 20
    Data:
[IKEv1]Group = 8.8.8.8, IP = 8.8.8.8, Duplicate Phase 1 packet detected. Retransmitting last packet.
[IKEv1]Group = 8.8.8.8, IP = 8.8.8.8, P1 Retransmit msg dispatched to MM FSM
RECV PACKET from 8.8.8.8
ISAKMP Header
  Initiator COOKIE:
  Responder COOKIE:
  Next Payload: Key Exchange
  Version: 1.0
  Exchange Type: Identity Protection (Main Mode)
  Flags: (none)
  MessageID: 00000000
  Length: 180
  Payload Key Exchange
    Next Payload: Nonce
    Reserved: 00
    Payload Length: 132
    Data:
  Payload Nonce
    Next Payload: None
    Reserved: 00
    Payload Length: 20
    Data:
[IKEv1]Group = 8.8.8.8, IP = 8.8.8.8, Duplicate Phase 1 packet detected. Retransmitting last packet.
[IKEv1]Group = 8.8.8.8, IP = 8.8.8.8, P1 Retransmit msg dispatched to MM FSM
RECV PACKET from 8.8.8.8
ISAKMP Header
  Initiator COOKIE:
  Responder COOKIE:
  Next Payload: Key Exchange
  Version: 1.0
  Exchange Type: Identity Protection (Main Mode)
  Flags: (none)
  MessageID: 00000000
  Length: 180
  Payload Key Exchange
    Next Payload: Nonce
    Reserved: 00
    Payload Length: 132
    Data:
  Payload Nonce
    Next Payload: None
    Reserved: 00
    Payload Length: 20
    Data:
[IKEv1]Group = 8.8.8.8, IP = 8.8.8.8, Duplicate Phase 1 packet detected. Retransmitting last packet.
[IKEv1]Group = 8.8.8.8, IP = 8.8.8.8, P1 Retransmit msg dispatched to MM FSM
[IKEv1 DEBUG]Group = 8.8.8.8, IP = 8.8.8.8, IKE MM Initiator FSM error history (struct &0x0000) <state>, <event>: MM_DONE, EV_ERROR-->MM_WAIT_MSG6, EV_PROB_AUTH_FAIL-->MM_WAIT_MSG6, EV_TIMEOUT-->MM_WAIT_MSG6, NullEvent-->MM_SND_MSG5, EV_SND_MSG-->MM_SND_MSG5, EV_START_TMR-->MM_SND_MSG5, EV_RESEND_MSG-->MM_WAIT_MSG6, EV_RESEND_MSG
[IKEv1 DEBUG]Group = 8.8.8.8, IP = 8.8.8.8, IKE SA MM:a6trfnf21 terminating: flags 0x01000022, refcnt 0, tuncnt 0
[IKEv1 DEBUG]Group = 8.8.8.8, IP = 8.8.8.8, sending delete/delete with reason message
[IKEv1 DEBUG]Group = 8.8.8.8, IP = 8.8.8.8, constructing blank hash payload
[IKEv1 DEBUG]Group = 8.8.8.8, IP = 8.8.8.8, constructing IKE delete payload
[IKEv1 DEBUG]Group = 8.8.8.8, IP = 8.8.8.8, constructing qm hash payload
[IKEv1]IP = 8.8.8.8, IKE_DECODE SENDING Message (msgid=dc834529) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
BEFORE ENCRYPTION
ISAKMP Header
  Initiator COOKIE:
  Responder COOKIE:
  Next Payload: Hash
  Version: 1.0
  Exchange Type: Informational
  Flags: (none)
  MessageID: 35673567DC
  Length: 469762048
  Payload Hash
    Next Payload: Delete
    Reserved: 00
    Payload Length: 24
    Data:
  Payload Delete
    Next Payload: None
    Reserved: 00
    Payload Length: 28
    DOI: IPsec
    Protocol-ID: PROTO_ISAKMP
    Spi Size: 16
    # of SPIs: 1
    SPI (Hex dump):
RECV PACKET from 8.8.8.8
ISAKMP Header
  Initiator COOKIE:
  Responder COOKIE:
  Next Payload: Key Exchange
  Version: 1.0
  Exchange Type: Identity Protection (Main Mode)
  Flags: (none)
  MessageID: 00000000
  Length: 180
  Payload Key Exchange
    Next Payload: Nonce
    Reserved: 00
    Payload Length: 132
    Data:
  Payload Nonce
    Next Payload: None
    Reserved: 00
    Payload Length: 20
    Data:
[IKEv1]IP = 8.8.8.8, Header invalid, missing SA payload! (next payload = 4)
08-06-2018 06:52 AM
You are sending MM5 on udp 500 not 4500 on the debugs:
ISAKMP Header
  Initiator COOKIE: 21 df eb a2 57 2e 86 bf
  Responder COOKIE: cd 8b e8 94 43 5a a0 ff
  Next Payload: Identification
  Version: 1.0
  Exchange Type: Identity Protection (Main Mode)
  Flags: (none)
  MessageID: 00000000
  Length: 469762048
  Payload Identification
    Next Payload: Hash
    Reserved: 00
    Payload Length: 12
    ID Type: IPv4 Address (1)
    Protocol ID (UDP/TCP, etc...): 17
    Port: 500
    ID Data: 10.100.1.10
This should have been 4500 since you are behind a NAT device. NAT traversal is dependent on both sides supporting NAT traversal. I see from MM2 that the other side is not sending any NAT traversal VID payloads.
Aug 06 09:47:01 [IKEv1]IP = 8.8.8.8, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 132
Aug 06 09:47:01 [IKEv1 DEBUG]IP = 8.8.8.8, processing SA payload
Aug 06 09:47:01 [IKEv1 DEBUG]IP = 8.8.8.8, Oakley proposal is acceptable
Aug 06 09:47:01 [IKEv1 DEBUG]IP = 8.8.8.8, processing VID payload
Aug 06 09:47:01 [IKEv1 DEBUG]IP = 8.8.8.8, Received Fragmentation VID
Aug 06 09:47:01 [IKEv1 DEBUG]IP = 8.8.8.8, IKE Peer included IKE fragmentation capability flags: Main Mode: True Aggressive Mode: False
Aug 06 09:47:01 [IKEv1 DEBUG]IP = 8.8.8.8, processing VID payload
If they did support NAT-T or enabled NAT-T support, you should see something like this:
[IKEv1 DEBUG]: IP = 10.0.0.2, processing SA payload
[IKEv1 DEBUG]: IP = 10.0.0.2, Oakley proposal is acceptable
[IKEv1 DEBUG]: IP = 10.0.0.2, processing VID payload
[IKEv1 DEBUG]: IP = 10.0.0.2, Received NAT-Traversal RFC VID
[IKEv1 DEBUG]: IP = 10.0.0.2, processing VID payload
[IKEv1 DEBUG]: IP = 10.0.0.2, processing VID payload
[IKEv1 DEBUG]: IP = 10.0.0.2, Received NAT-Traversal ver 03 VID
[IKEv1 DEBUG]: IP = 10.0.0.2, processing VID payload
[IKEv1 DEBUG]: IP = 10.0.0.2, Received NAT-Traversal ver 02 VID
[IKEv1 DEBUG]: IP = 10.0.0.2, processing IKE SA payload
[IKEv1 DEBUG]: IP = 10.0.0.2, IKE SA Proposal # 1, Transform # 1 acceptable Matches global IKE entry # 2
Do you know what type of device is on the other end? If it's an ASA, NAT traversal is enabled globally (the default) with the following command:
crypto isakmp nat-traversal
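The two checks made in the replies above (did the peer return any NAT-Traversal VID in MM2, and did our MM5 go out with port 500 instead of 4500 while we sit behind a NAT) can be pulled out of a saved "debug crypto ikev1 127" capture mechanically, together with the "Duplicate Phase 1 packet detected" loop and the MM_WAIT_MSG6 state from the FSM error history. The Python script below is an added example written for this page; it is not Cisco code and was not posted in the thread. The two debug excerpts inside it are constructed to mirror the failing exchange above and a NAT-T-capable peer, the finding codes and the behind_nat flag are my own naming (the debug output does not say whether the ASA is behind a NAT, so the operator supplies that), and the parser keys only on message strings that appear in this thread.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample modelled on the failing exchange in this thread (not the
# original debug output): the ASA offers three NAT-T VIDs in MM1, the peer
# answers MM2 with only a Fragmentation VID, MM5 carries port 500 in its ID
# payload, and the peer keeps re-sending MM4 until the MM FSM times out.
FAILING_DEBUG = """\
[IKEv1]IP = 8.8.8.8, IKE Initiator: New Phase 1, Intf outside, IKE Peer 8.8.8.8 local Proxy Address 10.2.0.0, remote Proxy Address 10.1.0.0, Crypto map (outside_map)
[IKEv1 DEBUG]IP = 8.8.8.8, constructing NAT-Traversal VID ver 02 payload
[IKEv1 DEBUG]IP = 8.8.8.8, constructing NAT-Traversal VID ver 03 payload
[IKEv1 DEBUG]IP = 8.8.8.8, constructing NAT-Traversal VID ver RFC payload
[IKEv1]IP = 8.8.8.8, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 132
[IKEv1 DEBUG]IP = 8.8.8.8, Received Fragmentation VID
[IKEv1]IP = 8.8.8.8, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + VENDOR (13) + NONE (0) total length : 84
  Payload Identification
    ID Type: IPv4 Address (1)
    Port: 500
    ID Data: 10.100.1.10
[IKEv1]Group = 8.8.8.8, IP = 8.8.8.8, Duplicate Phase 1 packet detected. Retransmitting last packet.
[IKEv1]Group = 8.8.8.8, IP = 8.8.8.8, Duplicate Phase 1 packet detected. Retransmitting last packet.
[IKEv1 DEBUG]Group = 8.8.8.8, IP = 8.8.8.8, IKE MM Initiator FSM error history (struct &0x0000) <state>, <event>: MM_DONE, EV_ERROR-->MM_WAIT_MSG6, EV_PROB_AUTH_FAIL-->MM_WAIT_MSG6, EV_TIMEOUT-->MM_WAIT_MSG6, NullEvent-->MM_SND_MSG5, EV_SND_MSG-->MM_SND_MSG5, EV_START_TMR-->MM_SND_MSG5, EV_RESEND_MSG-->MM_WAIT_MSG6, EV_RESEND_MSG
"""

# Constructed sample of a peer that does support NAT-T (the VID lines are the
# ones shown in the reply above); MM5 carries port 4500 as that reply expects.
HEALTHY_DEBUG = """\
[IKEv1 DEBUG]IP = 8.8.8.8, constructing NAT-Traversal VID ver 02 payload
[IKEv1 DEBUG]IP = 8.8.8.8, constructing NAT-Traversal VID ver 03 payload
[IKEv1 DEBUG]IP = 8.8.8.8, constructing NAT-Traversal VID ver RFC payload
[IKEv1 DEBUG]IP = 8.8.8.8, Received NAT-Traversal RFC VID
[IKEv1 DEBUG]IP = 8.8.8.8, Received NAT-Traversal ver 03 VID
[IKEv1 DEBUG]IP = 8.8.8.8, Received NAT-Traversal ver 02 VID
[IKEv1]IP = 8.8.8.8, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + VENDOR (13) + NONE (0) total length : 84
  Payload Identification
    ID Type: IPv4 Address (1)
    Port: 4500
    ID Data: 10.100.1.10
"""


@dataclass
class Phase1Facts:
    natt_offered: bool = False                 # we built NAT-Traversal VIDs for MM1
    peer_natt_vids: List[str] = field(default_factory=list)  # NAT-T VIDs seen in MM2
    mm5_port: Optional[int] = None             # port in the first ID payload we sent
    duplicate_p1: int = 0                      # "Duplicate Phase 1 packet detected" count
    stuck_state: Optional[str] = None          # MM state the FSM errored out of


def parse_ikev1_debug(text: str) -> Phase1Facts:
    """Extract the NAT-T and MM5/MM6 facts from ASA 'debug crypto ikev1 127' output."""
    facts = Phase1Facts()
    for line in text.splitlines():
        if "constructing NAT-Traversal VID" in line:
            facts.natt_offered = True
        m = re.search(r"Received NAT-Traversal (RFC|ver \d+) VID", line)
        if m:
            facts.peer_natt_vids.append(m.group(1))
        m = re.search(r"\bPort: (\d+)", line)          # ID payload decode of our MM5
        if m and facts.mm5_port is None:
            facts.mm5_port = int(m.group(1))
        if "Duplicate Phase 1 packet detected" in line:
            facts.duplicate_p1 += 1
        m = re.search(r"FSM error history.*?EV_ERROR-->(MM_\w+)", line)
        if m:                                          # newest transition is listed first
            facts.stuck_state = m.group(1)
    return facts


def diagnose(facts: Phase1Facts, behind_nat: bool) -> List[str]:
    """Return finding codes (my own naming) in the order the replies raise them."""
    findings = []
    if facts.natt_offered and not facts.peer_natt_vids:
        findings.append("PEER_NO_NATT")        # MM2 had no NAT-T VID: NAT-T never negotiated
    if behind_nat and facts.mm5_port == 500:
        findings.append("MM5_ON_UDP_500")      # behind NAT, MM5 should have floated to 4500
    if facts.stuck_state == "MM_WAIT_MSG6" and facts.duplicate_p1 > 0:
        findings.append("MM5_UNANSWERED")      # peer kept re-sending MM4, MM6 never arrived
    return findings


if __name__ == "__main__":
    for name, text in (("failing", FAILING_DEBUG), ("healthy", HEALTHY_DEBUG)):
        facts = parse_ikev1_debug(text)
        print(name, facts, diagnose(facts, behind_nat=True))
```

To use it on a real capture, save the full debug output to a file and call parse_ikev1_debug on its contents; a PEER_NO_NATT finding points at the peer's NAT-T support (on an ASA, the crypto isakmp nat-traversal setting the reply above mentions) rather than at the PSK, which is exactly the distinction the original poster was missing.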