ipsec troubleshooting

desrochj1 (Level 1)

I have a small ASA 5505 trying to connect to an ASA 5510.

cisco-26834# sh crypto isakmp sa

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 216.**.**.146
    Type    : user            Role    : initiator
    Rekey   : no              State   : AM_CTCP_WAIT_REPLY

Here's the full debug for the 5505:

cisco-26834# Jun 30 03:35:26 [IKEv1 DEBUG]: IP = 216.**.**.146, IKE AM Initiator FSM error history (struct &0xc66a55b8)  <state>, <event>:  AM_DONE, EV_ERROR-->AM_CTCP_WAIT_REPLY, EV_CTCP_LINK_FAIL-->AM_CTCP_WAIT_REPLY, NullEvent-->AM_CTCP_INIT, EV_REQ_CTCP_LINK-->AM_START, EV_START_AM-->AM_START, EV_START_AM-->AM_START, EV_START_AM-->AM_START, EV_START_AM
Jun 30 03:35:26 [IKEv1 DEBUG]: IP = 216.**.**.146, IKE SA AM:c045cc52 terminating:  flags 0x01000021, refcnt 0, tuncnt 0
Jun 30 03:35:26 [IKEv1 DEBUG]: IP = 216.**.**.146, sending delete/delete with reason message
Jun 30 03:35:26 [IKEv1]: IP = 216.**.**.146, Error: Unable to remove IPSec/TCP entry
Jun 30 03:35:26 [IKEv1]: IP = 216.**.**.146, Removing peer from peer table failed, no match!
Jun 30 03:35:26 [IKEv1]: IP = 216.**.**.146, Error: Unable to remove PeerTblEntry
Jun 30 03:35:26 [IKEv1]: Ignoring msg to mark SA with specified coordinates <_vpnc_cm, 10> dead
Jun 30 03:35:26 [IKEv1]: Ignoring msg to mark SA with specified coordinates <_vpnc_cm, 10> dead
Jun 30 03:35:26 [IKEv1]: Ignoring msg to mark SA with specified coordinates <_vpnc_cm, 10> dead
Jun 30 03:35:26 [IKEv1]: Ignoring msg to mark SA with specified coordinates <_vpnc_cm, 10> dead
Jun 30 03:35:26 [IKEv1]: Ignoring msg to mark SA with specified coordinates <_vpnc_cm, 10> dead
Jun 30 03:35:26 [IKEv1]: Ignoring msg to mark SA with specified coordinates <_vpnc_cm, 10> dead
Jun 30 03:35:26 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
CTM: ike session with no priority allocated @ 0xCA0143A0
CTM: Session 0xCA0143A0 uses a nlite (Nitrox Lite) as its hardware engine
CTM: ike context allocated for session 0xCA0143A0
Jun 30 03:35:26 [IKEv1]: IP = 216.**.**.146, IKE Initiator: New Phase 1, Intf NP Identity Ifc, IKE Peer 216.**.**.146  local Proxy Address 64.**.**.174, remote Proxy Address 216.**.**.146,  Crypto map (_vpnc_cm)

What should I check on my 5510?

Got an idea?

Thanks

1 Reply

Shilpa Gupta (Cisco Employee)

Hi,

I just wanted to confirm a few things:

[1] Are we talking about an Easy VPN configuration?

[2] Could you please check whether IPsec over TCP is enabled on both the client and the server?

On the client:

hostname(config)# vpnclient ipsec-over-tcp

Also check what port is configured on the client in the above command. If nothing is configured,
the default is 10000.

On the server:

crypto isakmp ipsec-over-tcp port

Configure the same port on the server also.

[3] Is the client or the server behind any NAT device?

If IPsec over TCP does not work, could you please disable the above commands and just enable NAT-T as:

crypto isakmp nat-traversal

If it still does not work, then I would like to check the configuration and debugs on both the client and the server.

I hope it helps.

Thanks,

Shilpa
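A small triage script that applies the checks from the reply above to the 5505 debug and to both configs, added here as an example (not code from the thread or from Cisco). The debug line and the client/server config fragments are constructed, and the port and NAT-T checks assume the defaults stated in the reply.

```python
# Added triage helper, not code from the thread or from Cisco. It parses the IKEv1 AM
# FSM error history from the 5505 debug and applies the checks in the reply: the Easy VPN
# client's 'vpnclient ipsec-over-tcp port' must match a port in the server's
# 'crypto isakmp ipsec-over-tcp port' list (default 10000), with NAT-T as the fallback.
import re
DEFAULT_CTCP_PORT = 10000  # default named in the reply above

# Constructed debug line shaped like the 5505 output (documentation-range IP).
DEBUG_LINE = ("Jun 30 03:35:26 [IKEv1 DEBUG]: IP = 203.0.113.146, IKE AM Initiator FSM "
              "error history (struct &0xc66a55b8)  <state>, <event>:  AM_DONE, "
              "EV_ERROR-->AM_CTCP_WAIT_REPLY, EV_CTCP_LINK_FAIL-->AM_CTCP_WAIT_REPLY, "
              "NullEvent-->AM_CTCP_INIT, EV_REQ_CTCP_LINK-->AM_START, EV_START_AM")
# Constructed config fragments for a hypothetical client (5505) and server (5510).
CLIENT_CFG = "vpnclient ipsec-over-tcp port 10000\nvpnclient enable\n"
SERVER_CFG = "crypto isakmp enable outside\ncrypto isakmp ipsec-over-tcp port 10001\n"

def parse_fsm_history(line):
    """(state, event) pairs, newest first, exactly as the ASA prints them."""
    m = re.search(r"<state>, <event>:\s*(.*)$", line)
    if not m:
        return []
    pairs = [p.partition(",") for p in m.group(1).split("-->")]
    return [(st.strip(), ev.strip()) for st, _, ev in pairs]

def diagnose(history):
    """Map a cTCP link failure in the history to the check the reply suggests."""
    if any(ev == "EV_CTCP_LINK_FAIL" for _, ev in history):
        return "ipsec-over-tcp link failed before IKE: compare cTCP ports on both sides"
    return "no cTCP link failure in history"

def client_ctcp_port(cfg):
    m = re.search(r"^\s*vpnclient ipsec-over-tcp(?: port (\d+))?", cfg, re.M)
    return None if not m else int(m.group(1) or DEFAULT_CTCP_PORT)

def server_ctcp_ports(cfg):
    m = re.search(r"^\s*crypto isakmp ipsec-over-tcp(?: port ([\d ]+))?", cfg, re.M)
    if not m:
        return set()
    return {int(p) for p in m.group(1).split()} if m.group(1) else {DEFAULT_CTCP_PORT}

def check_pair(client_cfg, server_cfg):
    """Return the mismatches the reply asks the poster to look for (empty = consistent)."""
    findings, cport, sports = [], client_ctcp_port(client_cfg), server_ctcp_ports(server_cfg)
    if cport is None:
        findings.append("client: ipsec-over-tcp not enabled")
    elif cport not in sports:
        findings.append(f"cTCP port mismatch: client {cport}, server {sorted(sports)}")
    if not re.search(r"^\s*crypto isakmp nat-traversal", server_cfg, re.M):
        findings.append("server: NAT-T not enabled (fallback if IPsec/TCP keeps failing)")
    return findings
```

Run it against `show running-config` output from each box to get the findings list; an empty list means the cTCP ports line up and NAT-T is already on.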