09-29-2010 06:47 AM - edited 02-21-2020 04:52 PM
Hi,
I am testing the IPsec protocol for school on a Cisco 871, and the IPsec isn't always up. If I want to get it up, I ping the router, or from the router to the other subnet.
And if I want to test the tunnel when it's up, I always get "Checking peer connectivity Failed".
Why is that?
I've tried with DPD (keep alive: 10 sec, retry: 2 sec, DPD type: on-demand).
Thanks
09-29-2010 07:57 AM
One problem has been resolved: if I do "test tunnel", it is running.
But after 3/4 minutes the IPsec tunnel goes down, and then I need to ping again to get it up.
09-29-2010 08:16 AM
There are some issues with keepalives (DPDs).
Why don't you try to capture packets once they leave the router? If you have a switch in between, you can probably SPAN that port.
Let's see: once the tunnel is established, we see some traffic on port 500, which are DPDs.
Also, do you have any firewalls in between or on the router?
09-29-2010 08:46 AM
Hi,
Please enable "debug crypto isakmp" and "debug crypto ipsec" and paste the debugs when the tunnel goes down. Also, please try changing the DPDs to "periodic" instead of "on-demand". Let me know how it goes!
Thanks and Regards,
Prapanch
09-30-2010 02:32 AM
Hi Guys,
Thanks for the reply.
1. No, I disabled the firewall on the Cisco 871, and the IPsec tunnel is to an ISA server and not a gateway.
2. Yeah, I tried to switch the DPD type, but with no result.
3. And I have enabled those 2 debugs, but what are they for? I don't have experience with Cisco.
Greets,
09-30-2010 04:51 AM
Hi,
Here is a link that throws some light on the details of the debugs: http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a00800949c5.shtml#iosdbgs
Please capture and post these debugs when the tunnel goes down. I hope it helps.
Thanks,
Namit
09-30-2010 06:08 AM
OK, I've run the debug.
show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
78.1**.**1.61 78.1**.**1.58 QM_IDLE 2002 0 ACTIVE
IPv6 Crypto ISAKMP SA
show crypto ipsec sa
interface: FastEthernet4
Crypto map tag: SDM_CMAP_1, local addr 78.1**.**1.58
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.62.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.5.0/255.255.255.0/0/0)
current_peer 78.1**.**1.58 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 984, #pkts encrypt: 984, #pkts digest: 984
#pkts decaps: 883, #pkts decrypt: 883, #pkts verify: 883
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 2, #recv errors 0
local crypto endpt.: 78.1**.**1.58, remote crypto endpt.: 78.1**.**1.58
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
10-04-2010 02:40 AM
Does anybody have an idea?
10-04-2010 03:12 AM
As previously requested, please provide the debugs:
debug crypto isa sa
debug crypto ipsec sa
If you do not see them coming up, give the command
term mon
but just make sure that you do not have any logging monitor, else your screen will be flooded.
10-04-2010 03:56 AM
001215: Oct 4 12:45:25.353 PCTime: ISAKMP (0:2001): received packet from 78.108.141.61 dport 500 sport 500 Global (I) QM_IDLE
001216: Oct 4 12:45:25.353 PCTime: ISAKMP: set new node -2068453838 to QM_IDLE
001217: Oct 4 12:45:25.353 PCTime: ISAKMP:(2001): processing HASH payload. message ID = -2068453838
001218: Oct 4 12:45:25.353 PCTime: ISAKMP:(2001): processing DELETE payload. message ID = -2068453838
001219: Oct 4 12:45:25.353 PCTime: ISAKMP:(2001):peer does not do paranoid keepalives.
001220: Oct 4 12:45:25.353 PCTime: ISAKMP:(2001):deleting node -2068453838 error FALSE reason "Informational (in) state 1"
001221: Oct 4 12:45:25.353 PCTime: IPSEC(key_engine): got a queue event with 1 KMI message(s)
001222: Oct 4 12:45:25.353 PCTime: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
001223: Oct 4 12:45:25.353 PCTime: IPSEC(key_engine_delete_sas): delete SA with spi 0x76CAA56C proto 50 for 78.1**.**1.61
001224: Oct 4 12:45:25.353 PCTime: IPSEC(delete_sa): deleting SA, (sa) sa_dest= 78.1**.**1.58, sa_proto= 50, sa_spi= 0x7D1A00F4(2098856180), sa_trans= esp-des esp-md5-hmac , sa_conn_id= 27, (identity) local= 78.1**.**1.58, remote= 78.1**.**1.61, local_proxy=192.168.62.0/255.255.255.0/0/0 (type=4),
remote_proxy=192.168.5.0/255.255.255.0/0/0 (type=4)
001225: Oct 4 12:45:25.353 PCTime: IPSEC(update_current_outbound_sa): updated peer 78.1**.**1.61 current outbound sa to SPI 0
001226: Oct 4 12:45:25.357 PCTime: IPSEC(delete_sa): deleting SA, (sa) sa_dest= 78.1**.**1.61, sa_proto= 50, sa_spi= 0x76CAA56C(1992992108), sa_trans= esp-des esp-md5-hmac , sa_conn_id= 28, (identity) local= 78.1**.**1.58, remote= 78.1**.**1.61, local_proxy=192.168.62.0/255.255.255.0/0/0 (type=4),
remote_proxy=192.168.5.0/255.255.255.0/0/0 (type=4)
001227: Oct 4 12:45:25.357 PCTime: IPSEC(rte_mgr): VPN Route Event rekey so decrement refcount
001228: Oct 4 12:45:25.357 PCTime: IPSEC(rte_mgr): VPN Route Refcount 0 FastEthernet4
001229: Oct 4 12:45:25.357 PCTime: IPSEC(rte_mgr): VPN Route Removed 192.168.5.0 255.255.255.0 via 78.1**.**1.61 in IP DEFAULT TABLE FastEthernet4
001230: Oct 4 12:46:15.355 PCTime: ISAKMP:(2001):purging node -2068453838