Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
653
Views
2
Helpful
6
Replies

IPSEC stuck at Key_exchange and no_state

amirulharun96
Level 1
Level 1

‎07-04-2023 08:32 PM

I got problem to establish tunnel. All the configuration already same. key, encryption, group.

Debug is on branch.

===Debug===

ISAKMP: (0):purging SA., sa=113F068C, delme=113F068C
ISAKMP-PAK: (1009):received packet from x.x.x.x dport 500 sport 500 Global (I) MM_KEY_EXCH
ISAKMP: (1009):phase 1 packet is a duplicate of a previous packet.
ISAKMP: (1009):retransmitting due to retransmit phase 1
ISAKMP: (1009):retransmitting phase 1 MM_KEY_EXCH...
ISAKMP: (1009):: incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
ISAKMP: (1009):retransmitting phase 1 MM_KEY_EXCH
ISAKMP-PAK: (1009):sending packet to x.x.x.x my_port 500 peer_port 500 (I) MM_KEY_EXCH
ISAKMP: (1009):Sending an IKE IPv4 Packet.
ISAKMP-PAK: (1009):received packet from x.x.x.x dport 500 sport 500 Global (I) MM_KEY_EXCH
ISAKMP: (1009):phase 1 packet is a duplicate of a previous packet.
ISAKMP: (1009):retransmitting due to retransmit phase 1
ISAKMP: (1009):retransmitting phase 1 MM_KEY_EXCH...
ISAKMP: (1009):: incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
ISAKMP: (1009):retransmitting phase 1 MM_KEY_EXCH
ISAKMP-PAK: (1009):sending packet to x.x.x.x my_port 500 peer_port 500 (I) MM_KEY_EXCH
ISAKMP: (1009):Sending an IKE IPv4 Packet.
ISAKMP-PAK: (1009):received packet from x.x.x.x dport 500 sport 500 Global (I) MM_KEY_EXCH
ISAKMP: (1009):phase 1 packet is a duplicate of a previous packet.
ISAKMP: (1009):retransmitting due to retransmit phase 1
ISAKMP: (1009):retransmitting phase 1 MM_KEY_EXCH...
ISAKMP: (1009):: incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
ISAKMP: (1009):retransmitting phase 1 MM_KEY_EXCH
ISAKMP-PAK: (1009):sending packet to x.x.x.x my_port 500 peer_port 500 (I) MM_KEY_EXCH
ISAKMP: (1009):Sending an IKE IPv4 Packet.

Labels:
0 Helpful
6 Replies 6

Richard Burts
Hall of Fame
Hall of Fame

‎07-04-2023 09:01 PM

The debug from the branch shows that they are not getting past the key exchange part of the negotiation. My first suggestion would be to make sure that both peers are using the exact same key. And while you are at it make sure that other parameters also match between peers.

What does debug from the head end show?

HTH

Rick
0 Helpful

amirulharun96
Level 1
Level 1
In response to Richard Burts

‎07-04-2023 09:03 PM

I already tried 3 times change the key and all verified the same config for vpn..

debug from hq still does not get. 

But the status in crypto isakmap sa show it will gent qm_idle for a few second and then back to no state.

MHM Cisco World
VIP
VIP
In response to amirulharun96

‎07-05-2023 06:30 AM

this config for 
ASA/FPR ?
ISR IOS/XE ?
what is topology here ?

0 Helpful

Pavan Gundu
Cisco Employee
Cisco Employee

‎07-05-2023 06:22 AM

Kindly take simultaneous captures on the public facing interfaces of spoke and the hub, to check if there is bidirectional communication on port 4500

amirulharun96
Level 1
Level 1

‎07-17-2023 07:14 PM

Hello Everyone,

Sorry for late feedback. We already contact cisco support but have a bit problem also. So we suggest to change from Ikev1 to Ikev2. It can help?

0 Helpful

MHM Cisco World
VIP
VIP
In response to amirulharun96

‎07-18-2023 04:46 AM

But you dont answer me? Make review to my Q

Thanks 

MHM

0 Helpful
Customers Also Viewed These Support Documents