IKE Phase 1 status only reaches MM_WAIT_MSG6 state

davros_hwd
Level 1

We've had existing site-to-site VPNs established with clients for over a year. We've recently moved facility and changed our gateway device to a Cisco ASA 5515. Previously, the VPN gateways were Cisco 800 series routers. 

The clients have updated their gateways with our new public IP, and also confirmed and re-entered the PSKs. All but one of the client VPNs have been successfully established on the ASA, and work correctly. 

However, one of them fails to establish the tunnel, and the IKE Phase 1 status only reaches MM_WAIT_MSG6 state. Please note, the PSK has been confirmed and re-entered at both ends. We are getting errors about "Duplicate Phase 1 packet detected". I'm hoping someone may be able to review the debug log, and explain what is happening and what may be causing the problem. 

[IKEv1]IP = 8.8.8.8, IKE Initiator: New Phase 1, Intf outside, IKE Peer 8.8.8.8  local Proxy Address 172.1.0.0, remote Proxy Address 10.1.0.0,  Crypto map (outside_map)
[IKEv1 DEBUG]IP = 8.8.8.8, constructing ISAKMP SA payload
[IKEv1 DEBUG]IP = 8.8.8.8, constructing NAT-Traversal VID ver 02 payload
[IKEv1 DEBUG]IP = 8.8.8.8, constructing NAT-Traversal VID ver 03 payload
[IKEv1 DEBUG]IP = 8.8.8.8, constructing NAT-Traversal VID ver RFC payload
[IKEv1 DEBUG]IP = 8.8.8.8, constructing Fragmentation VID + extended capabilities payload
[IKEv1]IP = 8.8.8.8, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 324
[IKEv1]IP = 8.8.8.8, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 132
[IKEv1 DEBUG]IP = 8.8.8.8, processing SA payload
[IKEv1 DEBUG]IP = 8.8.8.8, Oakley proposal is acceptable
[IKEv1 DEBUG]IP = 8.8.8.8, processing VID payload
[IKEv1 DEBUG]IP = 8.8.8.8, Received Fragmentation VID
[IKEv1 DEBUG]IP = 8.8.8.8, IKE Peer included IKE fragmentation capability flags:  Main Mode:        True  Aggressive Mode:  False
[IKEv1 DEBUG]IP = 8.8.8.8, processing VID payload
[IKEv1 DEBUG]IP = 8.8.8.8, constructing ke payload
[IKEv1 DEBUG]IP = 8.8.8.8, constructing nonce payload
[IKEv1 DEBUG]IP = 8.8.8.8, constructing Cisco Unity VID payload
[IKEv1 DEBUG]IP = 8.8.8.8, constructing xauth V6 VID payload
[IKEv1 DEBUG]IP = 8.8.8.8, Send IOS VID
[IKEv1 DEBUG]IP = 8.8.8.8, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
[IKEv1 DEBUG]IP = 8.8.8.8, constructing VID payload
[IKEv1 DEBUG]IP = 8.8.8.8, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
[IKEv1]IP = 8.8.8.8, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256
[IKEv1]IP = 8.8.8.8, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NONE (0) total length : 180
[IKEv1 DEBUG]IP = 8.8.8.8, processing ke payload
[IKEv1 DEBUG]IP = 8.8.8.8, processing ISA_KE payload
[IKEv1 DEBUG]IP = 8.8.8.8, processing nonce payload
[IKEv1]IP = 8.8.8.8, Connection landed on tunnel_group 8.8.8.8
[IKEv1 DEBUG]Group = 8.8.8.8, IP = 8.8.8.8, Generating keys for Initiator...
[IKEv1 DEBUG]Group = 8.8.8.8, IP = 8.8.8.8, constructing ID payload
[IKEv1 DEBUG]Group = 8.8.8.8, IP = 8.8.8.8, constructing hash payload
[IKEv1 DEBUG]Group = 8.8.8.8, IP = 8.8.8.8, Computing hash for ISAKMP
[IKEv1 DEBUG]Group = 8.8.8.8, IP = 8.8.8.8, constructing dpd vid payload
[IKEv1]IP = 8.8.8.8, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + VENDOR (13) + NONE (0) total length : 84
[IKEv1]Group = 8.8.8.8, IP = 8.8.8.8, Duplicate Phase 1 packet detected.  Retransmitting last packet.
[IKEv1]Group = 8.8.8.8, IP = 8.8.8.8, P1 Retransmit msg dispatched to MM FSM
[IKEv1]Group = 8.8.8.8, IP = 8.8.8.8, Duplicate Phase 1 packet detected.  Retransmitting last packet.
[IKEv1]Group = 8.8.8.8, IP = 8.8.8.8, P1 Retransmit msg dispatched to MM FSM
[IKEv1]IP = 8.8.8.8, Header invalid, missing SA payload! (next payload = 4)
[IKEv1]Group = 8.8.8.8, IP = 8.8.8.8, Duplicate Phase 1 packet detected.  Retransmitting last packet.
[IKEv1]Group = 8.8.8.8, IP = 8.8.8.8, P1 Retransmit msg dispatched to MM FSM
[IKEv1 DEBUG]Group = 8.8.8.8, IP = 8.8.8.8, IKE MM Initiator FSM error history (struct &0x0000)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG6, EV_PROB_AUTH_FAIL-->MM_WAIT_MSG6, EV_TIMEOUT-->MM_WAIT_MSG6, NullEvent-->MM_SND_MSG5, EV_SND_MSG-->MM_SND_MSG5, EV_START_TMR-->MM_SND_MSG5, EV_RESEND_MSG-->MM_WAIT_MSG6, EV_RESEND_MSG
[IKEv1 DEBUG]Group = 8.8.8.8, IP = 8.8.8.8, IKE SA MM:345hd337fgh terminating:  flags 0x01000022, refcnt 0, tuncnt 0
[IKEv1 DEBUG]Group = 8.8.8.8, IP = 8.8.8.8, sending delete/delete with reason message
[IKEv1 DEBUG]Group = 8.8.8.8, IP = 8.8.8.8, constructing blank hash payload
[IKEv1 DEBUG]Group = 8.8.8.8, IP = 8.8.8.8, constructing IKE delete payload
[IKEv1 DEBUG]Group = 8.8.8.8, IP = 8.8.8.8, constructing qm hash payload
[IKEv1]IP = 8.8.8.8, IKE_DECODE SENDING Message (msgid=5h3458e) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
[IKEv1]IP = 8.8.8.8, Header invalid, missing SA payload! (next payload = 4)

Rahul Govindan
VIP Alumni

I don't see the full debugs, looks like something is missing from there. But my understanding so far is that your side sends MM5 and keeps getting MM4 back from their side. This would most likely mean that your MM5 never made it to their side. I have seen this happen often if you have a NAT device in between. MM5 is when the devices start using udp 4500 for NAT traversal. So if your side initiated MM5 on port 4500 and that was blocked in the path, that would explain the debugs. Get the entire "debug crypto ikev1 127" from your ASA when this happens. 

Thanks very much for your response. You're right that our device is behind a NAT. Full log is as follows. 

[IKEv1]IP = 8.8.8.8, IKE Initiator: New Phase 1, Intf outside, IKE Peer 8.8.8.8  local Proxy Address 10.2.0.0, remote Proxy Address 10.1.0.0,  Crypto map (outside_map)
[IKEv1 DEBUG]IP = 8.8.8.8, constructing ISAKMP SA payload
[IKEv1 DEBUG]IP = 8.8.8.8, constructing NAT-Traversal VID ver 02 payload
[IKEv1 DEBUG]IP = 8.8.8.8, constructing NAT-Traversal VID ver 03 payload
[IKEv1 DEBUG]IP = 8.8.8.8, constructing NAT-Traversal VID ver RFC payload
[IKEv1 DEBUG]IP = 8.8.8.8, constructing Fragmentation VID + extended capabilities payload
[IKEv1]IP = 8.8.8.8, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 324

SENDING PACKET to 8.8.8.8

RECV PACKET from 8.8.8.8
ISAKMP Header
  Initiator COOKIE: 
  Responder COOKIE: 
  Next Payload: Security Association
  Version: 1.0
  Exchange Type: Identity Protection (Main Mode)
  Flags: (none)
  MessageID: 00000000
  Length: 132
  Payload Security Association
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 60
    DOI: IPsec
    Situation:(SIT_IDENTITY_ONLY)
    Payload Proposal
      Next Payload: None
      Reserved: 00
      Payload Length: 48
      Proposal #: 1
      Protocol-Id: PROTO_ISAKMP
      SPI Size: 0
      # of transforms: 1
      Payload Transform
        Next Payload: None
        Reserved: 00
        Payload Length: 40
        Transform #: 1
        Transform-Id: KEY_IKE
        Reserved2: 0000
        Group Description: Group 2
        Encryption Algorithm: AES-CBC
        Key Length: 256
        Hash Algorithm: SHA1
        Authentication Method: Preshared key
        Life Type: seconds
        Life Duration (Hex): 00 01 51 80
  Payload Vendor ID
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 24
    Data (In Hex):
  Payload Vendor ID
    Next Payload: None
    Reserved: 00
    Payload Length: 20
    Data (In Hex):
[IKEv1]IP = 8.8.8.8, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 132
[IKEv1 DEBUG]IP = 8.8.8.8, processing SA payload
[IKEv1 DEBUG]IP = 8.8.8.8, Oakley proposal is acceptable
[IKEv1 DEBUG]IP = 8.8.8.8, processing VID payload
[IKEv1 DEBUG]IP = 8.8.8.8, Received Fragmentation VID
[IKEv1 DEBUG]IP = 8.8.8.8, IKE Peer included IKE fragmentation capability flags:  Main Mode:        True  Aggressive Mode:  False
[IKEv1 DEBUG]IP = 8.8.8.8, processing VID payload
[IKEv1 DEBUG]IP = 8.8.8.8, constructing ke payload
[IKEv1 DEBUG]IP = 8.8.8.8, constructing nonce payload
[IKEv1 DEBUG]IP = 8.8.8.8, constructing Cisco Unity VID payload
[IKEv1 DEBUG]IP = 8.8.8.8, constructing xauth V6 VID payload
[IKEv1 DEBUG]IP = 8.8.8.8, Send IOS VID
[IKEv1 DEBUG]IP = 8.8.8.8, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
[IKEv1 DEBUG]IP = 8.8.8.8, constructing VID payload
[IKEv1 DEBUG]IP = 8.8.8.8, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
[IKEv1]IP = 8.8.8.8, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256

SENDING PACKET to 8.8.8.8

RECV PACKET from 8.8.8.8
ISAKMP Header
  Initiator COOKIE: 
  Responder COOKIE: 
  Next Payload: Key Exchange
  Version: 1.0
  Exchange Type: Identity Protection (Main Mode)
  Flags: (none)
  MessageID: 00000000
  Length: 180
  Payload Key Exchange
    Next Payload: Nonce
    Reserved: 00
    Payload Length: 132
    Data:
  Payload Nonce
    Next Payload: None
    Reserved: 00
    Payload Length: 20
    Data:
[IKEv1]IP = 8.8.8.8, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NONE (0) total length : 180
[IKEv1 DEBUG]IP = 8.8.8.8, processing ke payload
[IKEv1 DEBUG]IP = 8.8.8.8, processing ISA_KE payload
[IKEv1 DEBUG]IP = 8.8.8.8, processing nonce payload
[IKEv1]IP = 8.8.8.8, Connection landed on tunnel_group 8.8.8.8
[IKEv1 DEBUG]Group = 8.8.8.8, IP = 8.8.8.8, Generating keys for Initiator...
[IKEv1 DEBUG]Group = 8.8.8.8, IP = 8.8.8.8, constructing ID payload
[IKEv1 DEBUG]Group = 8.8.8.8, IP = 8.8.8.8, constructing hash payload
[IKEv1 DEBUG]Group = 8.8.8.8, IP = 8.8.8.8, Computing hash for ISAKMP
[IKEv1 DEBUG]Group = 8.8.8.8, IP = 8.8.8.8, constructing dpd vid payload
[IKEv1]IP = 8.8.8.8, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + VENDOR (13) + NONE (0) total length : 84

BEFORE ENCRYPTION

ISAKMP Header
  Initiator COOKIE: 
  Responder COOKIE: 
  Next Payload: Identification
  Version: 1.0
  Exchange Type: Identity Protection (Main Mode)
  Flags: (none)
  MessageID: 00000000
  Length: 469762048
  Payload Identification
    Next Payload: Hash
    Reserved: 00
    Payload Length: 12
    ID Type: IPv4 Address (1)
    Protocol ID (UDP/TCP, etc...): 17
    Port: 500
    ID Data: 10.100.1.10
  Payload Hash
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 24
    Data:
  Payload Vendor ID
    Next Payload: None
    Reserved: 00
    Payload Length: 20
    Data (In Hex):

SENDING PACKET to 8.8.8.8

RECV PACKET from 8.8.8.8
ISAKMP Header
  Initiator COOKIE: 
  Responder COOKIE: 
  Next Payload: Key Exchange
  Version: 1.0
  Exchange Type: Identity Protection (Main Mode)
  Flags: (none)
  MessageID: 00000000
  Length: 180
  Payload Key Exchange
    Next Payload: Nonce
    Reserved: 00
    Payload Length: 132
    Data:
  Payload Nonce
    Next Payload: None
    Reserved: 00
    Payload Length: 20
    Data:
[IKEv1]Group = 8.8.8.8, IP = 8.8.8.8, Duplicate Phase 1 packet detected.  Retransmitting last packet.
[IKEv1]Group = 8.8.8.8, IP = 8.8.8.8, P1 Retransmit msg dispatched to MM FSM

RECV PACKET from 8.8.8.8
ISAKMP Header
  Initiator COOKIE: 
  Responder COOKIE: 
  Next Payload: Key Exchange
  Version: 1.0
  Exchange Type: Identity Protection (Main Mode)
  Flags: (none)
  MessageID: 00000000
  Length: 180
  Payload Key Exchange
    Next Payload: Nonce
    Reserved: 00
    Payload Length: 132
    Data:
  Payload Nonce
    Next Payload: None
    Reserved: 00
    Payload Length: 20
    Data:
[IKEv1]Group = 8.8.8.8, IP = 8.8.8.8, Duplicate Phase 1 packet detected.  Retransmitting last packet.
[IKEv1]Group = 8.8.8.8, IP = 8.8.8.8, P1 Retransmit msg dispatched to MM FSM

RECV PACKET from 8.8.8.8
ISAKMP Header
  Initiator COOKIE: 
  Responder COOKIE: 
  Next Payload: Key Exchange
  Version: 1.0
  Exchange Type: Identity Protection (Main Mode)
  Flags: (none)
  MessageID: 00000000
  Length: 180
  Payload Key Exchange
    Next Payload: Nonce
    Reserved: 00
    Payload Length: 132
    Data:
  Payload Nonce
    Next Payload: None
    Reserved: 00
    Payload Length: 20
    Data:
[IKEv1]Group = 8.8.8.8, IP = 8.8.8.8, Duplicate Phase 1 packet detected.  Retransmitting last packet.
[IKEv1]Group = 8.8.8.8, IP = 8.8.8.8, P1 Retransmit msg dispatched to MM FSM
[IKEv1 DEBUG]Group = 8.8.8.8, IP = 8.8.8.8, IKE MM Initiator FSM error history (struct &0x0000)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG6, EV_PROB_AUTH_FAIL-->MM_WAIT_MSG6, EV_TIMEOUT-->MM_WAIT_MSG6, NullEvent-->MM_SND_MSG5, EV_SND_MSG-->MM_SND_MSG5, EV_START_TMR-->MM_SND_MSG5, EV_RESEND_MSG-->MM_WAIT_MSG6, EV_RESEND_MSG
[IKEv1 DEBUG]Group = 8.8.8.8, IP = 8.8.8.8, IKE SA MM:a6trfnf21 terminating:  flags 0x01000022, refcnt 0, tuncnt 0
[IKEv1 DEBUG]Group = 8.8.8.8, IP = 8.8.8.8, sending delete/delete with reason message
[IKEv1 DEBUG]Group = 8.8.8.8, IP = 8.8.8.8, constructing blank hash payload
[IKEv1 DEBUG]Group = 8.8.8.8, IP = 8.8.8.8, constructing IKE delete payload
[IKEv1 DEBUG]Group = 8.8.8.8, IP = 8.8.8.8, constructing qm hash payload
[IKEv1]IP = 8.8.8.8, IKE_DECODE SENDING Message (msgid=dc834529) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80

BEFORE ENCRYPTION
ISAKMP Header
  Initiator COOKIE: 
  Responder COOKIE: 
  Next Payload: Hash
  Version: 1.0
  Exchange Type: Informational
  Flags: (none)
  MessageID: 35673567DC
  Length: 469762048
  Payload Hash
    Next Payload: Delete
    Reserved: 00
    Payload Length: 24
    Data:
  Payload Delete
    Next Payload: None
    Reserved: 00
    Payload Length: 28
    DOI: IPsec
    Protocol-ID: PROTO_ISAKMP
    Spi Size: 16
    # of SPIs: 1
    SPI (Hex dump):

RECV PACKET from 8.8.8.8
ISAKMP Header
  Initiator COOKIE: 
  Responder COOKIE: 
  Next Payload: Key Exchange
  Version: 1.0
  Exchange Type: Identity Protection (Main Mode)
  Flags: (none)
  MessageID: 00000000
  Length: 180
  Payload Key Exchange
    Next Payload: Nonce
    Reserved: 00
    Payload Length: 132
    Data:
  Payload Nonce
    Next Payload: None
    Reserved: 00
    Payload Length: 20
    Data:
[IKEv1]IP = 8.8.8.8, Header invalid, missing SA payload! (next payload = 4)

You are sending MM5 on udp 500, not 4500, in the debugs:

ISAKMP Header
  Initiator COOKIE: 21 df eb a2 57 2e 86 bf
  Responder COOKIE: cd 8b e8 94 43 5a a0 ff
  Next Payload: Identification
  Version: 1.0
  Exchange Type: Identity Protection (Main Mode)
  Flags: (none)
  MessageID: 00000000
  Length: 469762048
  Payload Identification
    Next Payload: Hash
    Reserved: 00
    Payload Length: 12
    ID Type: IPv4 Address (1)
    Protocol ID (UDP/TCP, etc...): 17
    Port: 500
    ID Data: 10.100.1.10

This should have been 4500 since you are behind a NAT device. NAT traversal is dependent on both sides supporting NAT traversal. I see from MM2 that the other side is not sending any NAT traversal VID payloads. 

Aug 06 09:47:01 [IKEv1]IP = 8.8.8.8, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 132
Aug 06 09:47:01 [IKEv1 DEBUG]IP = 8.8.8.8, processing SA payload
Aug 06 09:47:01 [IKEv1 DEBUG]IP = 8.8.8.8, Oakley proposal is acceptable
Aug 06 09:47:01 [IKEv1 DEBUG]IP = 8.8.8.8, processing VID payload
Aug 06 09:47:01 [IKEv1 DEBUG]IP = 8.8.8.8, Received Fragmentation VID
Aug 06 09:47:01 [IKEv1 DEBUG]IP = 8.8.8.8, IKE Peer included IKE fragmentation capability flags:  Main Mode:        True  Aggressive Mode:  False
Aug 06 09:47:01 [IKEv1 DEBUG]IP = 8.8.8.8, processing VID payload

If they did support NAT-T or enabled NAT-T support, you should see something like this:

[IKEv1 DEBUG]: IP = 10.0.0.2, processing SA payload
[IKEv1 DEBUG]: IP = 10.0.0.2, Oakley proposal is acceptable
[IKEv1 DEBUG]: IP = 10.0.0.2, processing VID payload
[IKEv1 DEBUG]: IP = 10.0.0.2, Received NAT-Traversal RFC VID
[IKEv1 DEBUG]: IP = 10.0.0.2, processing VID payload
[IKEv1 DEBUG]: IP = 10.0.0.2, processing VID payload
[IKEv1 DEBUG]: IP = 10.0.0.2, Received NAT-Traversal ver 03 VID
[IKEv1 DEBUG]: IP = 10.0.0.2, processing VID payload
[IKEv1 DEBUG]: IP = 10.0.0.2, Received NAT-Traversal ver 02 VID
[IKEv1 DEBUG]: IP = 10.0.0.2, processing IKE SA payload
[IKEv1 DEBUG]: IP = 10.0.0.2, IKE SA Proposal # 1, Transform # 1 acceptable  Matches global IKE entry # 2

Do you know what type of device is on the other end? If it's an ASA, the NAT-traversal is enabled using the following command globally (default).

crypto isakmp nat-traversal
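A small checker for the symptom in this thread, written here as an added example (it is not code from the thread, from Cisco, or from either reply): it scans an ASA "debug crypto ikev1 127" excerpt for the NAT-Traversal vendor IDs each side advertised, the Port field of the ID payload in the MM5 dump, the "Duplicate Phase 1 packet" retransmits and the MM_WAIT_MSG6 timeout, then applies the reasoning from the replies above. The log excerpt is constructed and abridged, and the regexes assume the message formats shown in this thread.

```python
import re

# Constructed, abridged excerpt in the format of ASA "debug crypto ikev1 127"
# output (not the thread's full log).
SAMPLE_DEBUG = """\
[IKEv1 DEBUG]IP = 8.8.8.8, constructing NAT-Traversal VID ver 02 payload
[IKEv1 DEBUG]IP = 8.8.8.8, constructing NAT-Traversal VID ver RFC payload
[IKEv1]IP = 8.8.8.8, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 132
[IKEv1 DEBUG]IP = 8.8.8.8, Received Fragmentation VID
[IKEv1]IP = 8.8.8.8, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + VENDOR (13) + NONE (0) total length : 84
BEFORE ENCRYPTION
ISAKMP Header
  Next Payload: Identification
  Payload Identification
    Port: 500
[IKEv1]Group = 8.8.8.8, IP = 8.8.8.8, Duplicate Phase 1 packet detected.  Retransmitting last packet.
[IKEv1]Group = 8.8.8.8, IP = 8.8.8.8, Duplicate Phase 1 packet detected.  Retransmitting last packet.
[IKEv1 DEBUG]Group = 8.8.8.8, IP = 8.8.8.8, IKE MM Initiator FSM error history (struct &0x0000)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG6, EV_TIMEOUT-->MM_WAIT_MSG6
"""

def analyze_ikev1_debug(text):
    """Extract the NAT-T evidence that the replies above check by hand."""
    local_natt = set(re.findall(r"constructing NAT-Traversal VID ver (\S+) payload", text))
    peer_natt = set(re.findall(r"Received NAT-Traversal (?:ver )?(\S+) VID", text))
    # Port field of the ID payload in the MM5 dump printed after "BEFORE ENCRYPTION"
    mm5 = re.search(r"BEFORE ENCRYPTION.*?Next Payload: Identification.*?Port: (\d+)", text, re.S)
    return {
        "local_natt": local_natt,                       # NAT-T VID versions we offered in MM1
        "peer_natt": peer_natt,                         # NAT-T VID versions the peer echoed in MM2
        "mm5_id_port": int(mm5.group(1)) if mm5 else None,
        "retransmits": len(re.findall(r"Duplicate Phase 1 packet detected", text)),
        "stuck_in_mm_wait_msg6": "EV_TIMEOUT-->MM_WAIT_MSG6" in text,
    }

def diagnose(f):
    """Map the findings to a likely cause, following the reasoning in the replies."""
    if not f["stuck_in_mm_wait_msg6"]:
        return "phase 1 did not time out waiting for MM6"
    if f["local_natt"] and not f["peer_natt"]:
        return "peer advertised no NAT-T VID, so MM5 stayed on UDP 500 and MM6 never arrived: enable NAT-T on the peer"
    if f["peer_natt"] and f["mm5_id_port"] == 500:
        return "peer supports NAT-T but MM5 still shows port 500: confirm UDP 4500 is permitted along the path"
    return "MM6 missing for another reason: re-check the PSK and the path for UDP 500/4500"

if __name__ == "__main__":
    findings = analyze_ikev1_debug(SAMPLE_DEBUG)
    print(findings)
    print(diagnose(findings))
```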