ios 12.3(9) tunnel to pix

kseraphine
Level 5

Hi

I have a customer with a tunnel between a router and a PIX. I'm trying to replace the 2621XM with IOS 12.2(11)T9 with a new 2621XM running 12.3(9). I've copied the config from the old one to the new one and put it in place, but the tunnel won't come up. Here's part of what I see when I debug:

Jun 4 21:57:35.376: ISAKMP (0:1): retransmitting phase 1 MM_SA_SETUP

Jun 4 21:57:35.376: ISAKMP (0:1): sending packet to xx.xx.xx.xx my_port 500 peer_port 500 (R) MM_SA_SETUP

Jun 4 21:57:43.676: ISAKMP (0:2): retransmitting phase 1 MM_SA_SETUP...

Jun 4 21:57:43.676: ISAKMP (0:2): incrementing error counter on sa: retransmit phase 1

Jun 4 21:57:43.676: ISAKMP (0:2): retransmitting phase 1 MM_SA_SETUP

Jun 4 21:57:43.676: ISAKMP (0:2): sending packet to xx.xx.xx.xx my_port 500 peer_port 500 (I) MM_SA_SETUP

Jun 4 21:57:45.376: ISAKMP (0:1): retransmitting phase 1 MM_SA_SETUP...

Jun 4 21:57:45.376: ISAKMP (0:1): peer does not do paranoid keepalives.

Jun 4 21:57:45.376: ISAKMP (0:1): deleting SA reason "death by retransmission P1" state (R) MM_SA_SETUP (peer xx.xx.xx.xx) input queue 0

Jun 4 21:57:45.376: ISAKMP (0:1): deleting SA reason "death by retransmission P1" state (R) MM_SA_SETUP (peer xx.xx.xx.xx) input queue 0

Jun 4 21:57:45.376: ISAKMP: Unlocking IKE struct 0x83780B94 for isadb_mark_sa_deleted(), count 0

Jun 4 21:57:45.376: ISAKMP: Deleting peer node by peer_reap for xx.xx.xx.xx: 83780B94

Jun 4 21:57:45.376: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL

Jun 4 21:57:45.376: ISAKMP (0:1): Old State = IKE_R_MM2 New State = IKE_DEST_SA

I've tried manually re-entering the shared keys, disabling NAT-T on the IOS side and recreating the RSA key on the router.

I'll attempt to update the code on the PIX when I get a chance, but until then I'm looking for any suggestions.

Thanks

3 Replies

jfrahim
Level 5

Seems like the other side is not responding for some reason. Can you paste the debugs from both sides taken simultaneously?

-Jazib

rhholmes
Level 1

Does the following look familiar? This is from a 3640 running 12.3(9) that is connecting to another 3640 12.2(19a). Have heard about slight differences in IOS having trouble establishing ISAKMP properly. The suggestion for this problem was to set the crypto isakmp keepalive to an aggressive value. Unfortunately, TAC didn't suggest what an aggressive value is. Will let you know if I get anything working.

Jul 16 20:50:19.018: ISAKMP (0:5): sending packet to 192.168.205.37 my_port 500 peer_port 500 (I) MM_SA_SETUP

Jul 16 20:50:20.070: ISAKMP (0:5): received packet from 192.168.205.37 dport 500 sport 500 Global (I) MM_SA_SETUP

Jul 16 20:50:20.070: ISAKMP (0:5): phase 1 packet is a duplicate of a previous packet.

Jul 16 20:50:20.070: ISAKMP (0:5): retransmitting due to retransmit phase 1

Jul 16 20:50:20.070: ISAKMP (0:5): retransmitting phase 1 MM_SA_SETUP...

Jul 16 20:50:20.446: ISAKMP (0:3): received packet from 192.168.205.37 dport 500 sport 500 Global (I) MM_NO_STATE

Jul 16 20:50:20.570: ISAKMP (0:5): retransmitting phase 1 MM_SA_SETUP...

Jul 16 20:50:20.570: ISAKMP (0:5): peer does not do paranoid keepalives.

Jul 16 20:50:20.570: ISAKMP (0:5): deleting SA reason "death by retransmission P1" state (I) MM_SA_SETUP (peer 192.168.205.37) input queue 0

Jul 16 20:50:20.570: ISAKMP (0:5): deleting SA reason "death by retransmission P1" state (I) MM_SA_SETUP (peer 192.168.205.37) input queue 0

Jul 16 20:50:20.570: ISAKMP (0:5): deleting node -2122903102 error TRUE reason "death by retransmission P1"

Jul 16 20:50:20.570: ISAKMP (0:5): Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL

Jul 16 20:50:20.570: ISAKMP (0:5): Old State = IKE_I_MM3 New State = IKE_DEST_SA

Cheers,

Rob

Hi

I did actually figure out the problem. I had to open UDP 4500 on the router (for nat-t).
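
Added example (not posted by anyone in this thread): a small Python triage script for `debug crypto isakmp` output in the format quoted above. For each SA it reports whether it was torn down with "death by retransmission P1" and whether any packet from the peer was logged, which points at UDP 500/4500 filtering along the path as the thing to check. The sample lines and 192.0.2.x addresses are constructed, and the function names and hint strings are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the debug output quoted in the thread.
SAMPLE = """\
Jun 4 21:57:35.376: ISAKMP (0:1): sending packet to 192.0.2.10 my_port 500 peer_port 500 (R) MM_SA_SETUP
Jun 4 21:57:45.376: ISAKMP (0:1): retransmitting phase 1 MM_SA_SETUP...
Jun 4 21:57:45.376: ISAKMP (0:1): deleting SA reason "death by retransmission P1" state (R) MM_SA_SETUP (peer 192.0.2.10) input queue 0
Jul 16 20:50:19.018: ISAKMP (0:5): sending packet to 192.0.2.37 my_port 500 peer_port 500 (I) MM_SA_SETUP
Jul 16 20:50:20.070: ISAKMP (0:5): received packet from 192.0.2.37 dport 500 sport 500 Global (I) MM_SA_SETUP
Jul 16 20:50:20.070: ISAKMP (0:5): phase 1 packet is a duplicate of a previous packet.
Jul 16 20:50:20.570: ISAKMP (0:5): deleting SA reason "death by retransmission P1" state (I) MM_SA_SETUP (peer 192.0.2.37) input queue 0
"""

LINE = re.compile(r"ISAKMP \((\d+:\d+)\): (.*)$")
DELETE = re.compile(r'deleting SA reason "([^"]+)" state \(([IR])\) (\S+) \(peer ([^)]+)\)')

def summarize(log_text):
    """Return {sa_id: counters} for every ISAKMP SA seen in the debug text."""
    sas = defaultdict(lambda: {"sent": 0, "received": 0, "duplicates": 0, "deleted": None})
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue  # not a per-SA ISAKMP line
        sa, msg = sas[m.group(1)], m.group(2)
        if msg.startswith("sending packet to"):
            sa["sent"] += 1
        elif msg.startswith("received packet from"):
            sa["received"] += 1
        elif "duplicate of a previous packet" in msg:
            sa["duplicates"] += 1
        d = DELETE.search(msg)
        if d:  # IOS logs this line twice; the second copy overwrites the first
            sa["deleted"] = dict(zip(("reason", "role", "state", "peer"), d.groups()))
    return dict(sas)

def stalled_phase1(log_text):
    """SAs deleted by phase 1 retransmission: (role, state, peer, hint)."""
    out = {}
    for sa_id, sa in summarize(log_text).items():
        d = sa["deleted"]
        if d and d["reason"] == "death by retransmission P1":
            if sa["duplicates"]:
                hint = "peer repeated an earlier packet"
            elif sa["received"] == 0:
                hint = "no packets logged from peer"
            else:
                hint = "peer replied but exchange stalled"
            out[sa_id] = (d["role"], d["state"], d["peer"], hint)
    return out
```

Running `stalled_phase1()` on debugs captured at both ends at the same time shows which direction loses packets: an end that logs only `sending packet` lines for an SA is not receiving the other side's IKE traffic.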