IPSEC tunnel not connect

All of a sudden, the IPsec tunnel to remote site 202.68.211.20 does not connect. Previously it was OK. There were no config changes.

IKE Phase 1 does not even connect.

I ran a debug, but I don't know what the error might be.

-----------------------------------------------------------------------------

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2016.05.12 15:19:36 =~=~=~=~=~=~=~=~=~=~=~=
May 12 12:06:50 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
May 12 12:06:50 [IKEv1]: IP = 202.68.211.20, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
May 12 12:06:53 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
May 12 12:06:53 [IKEv1]: IP = 202.68.211.20, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
May 12 12:06:54 [IKEv1 DEBUG]: IP = 202.68.211.20, IKE MM Initiator FSM error history (struct &0xd84aff40) <state>, <event>: MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
May 12 12:06:54 [IKEv1 DEBUG]: IP = 202.68.211.20, IKE SA MM:914f04ce terminating: flags 0x01000022, refcnt 0, tuncnt 0
May 12 12:06:54 [IKEv1 DEBUG]: IP = 202.68.211.20, sending delete/delete with reason message
May 12 12:06:59 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
May 12 12:06:59 [IKEv1]: IP = 202.68.211.20, IKE Initiator: New Phase 1, Intf internal, IKE Peer 202.68.211.20 local Proxy Address 10.215.20.0, remote Proxy Address 10.210.0.0, Crypto map (VPN_map)
May 12 12:06:59 [IKEv1 DEBUG]: IP = 202.68.211.20, constructing ISAKMP SA payload
May 12 12:06:59 [IKEv1 DEBUG]: IP = 202.68.211.20, constructing Fragmentation VID + extended capabilities payload
May 12 12:06:59 [IKEv1]: IP = 202.68.211.20, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 112
May 12 12:07:00 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
May 12 12:07:00 [IKEv1]: IP = 202.68.211.20, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
May 12 12:07:03 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
May 12 12:07:03 [IKEv1]: IP = 202.68.211.20, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
May 12 12:07:07 [IKEv1]: IP = 202.68.211.20, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 112
May 12 12:07:09 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
May 12 12:07:09 [IKEv1]: IP = 202.68.211.20, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
May 12 12:07:15 [IKEv1]: IP = 202.68.211.20, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 112
May 12 12:07:23 [IKEv1]: IP = 202.68.211.20, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 112
May 12 12:07:31 [IKEv1 DEBUG]: IP = 202.68.211.20, IKE MM Initiator FSM error history (struct &0xd8457958) <state>, <event>: MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
May 12 12:07:31 [IKEv1 DEBUG]: IP = 202.68.211.20, IKE SA MM:be63ea64 terminating: flags 0x01000022, refcnt 0, tuncnt 0
May 12 12:07:31 [IKEv1 DEBUG]: IP = 202.68.211.20, sending delete/delete with reason message
May 12 12:07:37 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
May 12 12:07:37 [IKEv1]: IP = 202.68.211.20, IKE Initiator: New Phase 1, Intf internal, IKE Peer 202.68.211.20 local Proxy Address 10.215.20.0, remote Proxy Address 10.210.0.0, Crypto map (VPN_map)
May 12 12:07:37 [IKEv1 DEBUG]: IP = 202.68.211.20, constructing ISAKMP SA payload
May 12 12:07:37 [IKEv1 DEBUG]: IP = 202.68.211.20, constructing Fragmentation VID + extended capabilities payload
May 12 12:07:37 [IKEv1]: IP = 202.68.211.20, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 112
May 12 12:07:40 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
May 12 12:07:40 [IKEv1]: IP = 202.68.211.20, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
May 12 12:07:45 [IKEv1]: IP = 202.68.211.20, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 112
May 12 12:07:46 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
May 12 12:07:46 [IKEv1]: IP = 202.68.211.20, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
May 12 12:07:53 [IKEv1]: IP = 202.68.211.20, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 112

Accepted Solutions

Aditya Ganjoo
Cisco Employee

Hi,

It seems the tunnel is stuck at MSG_2.

Can you check if UDP 500 traffic is not blocked between the peers?

Please check with your service provider.

Regards,

Aditya

Please rate helpful posts and mark correct answers.
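The symptom in the debug output above (MSG1 sent, then only RESENDING lines and an MM_WAIT_MSG2 / EV_TIMEOUT history, never a reply from the peer) can be checked mechanically. This is an added example, not part of the original thread or of any Cisco tooling; the sample log is constructed with documentation-range addresses, and the `RECEIVED Message` line format, the second peer and the function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample modeled on the ASA IKEv1 debug lines in this thread.
# The RECEIVED line and the second peer are assumptions added for contrast.
SAMPLE = """\
May 12 12:06:59 [IKEv1]: IP = 192.0.2.20, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 112
May 12 12:07:00 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
May 12 12:07:07 [IKEv1]: IP = 192.0.2.20, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 112
May 12 12:07:15 [IKEv1]: IP = 192.0.2.20, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 112
May 12 12:07:23 [IKEv1]: IP = 192.0.2.20, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 112
May 12 12:07:31 [IKEv1 DEBUG]: IP = 192.0.2.20, IKE MM Initiator FSM error history (struct &0x0) <state>, <event>: MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent
Dec 03 16:26:43 [IKEv1]IP = 198.51.100.7, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 112
Dec 03 16:26:43 [IKEv1]IP = 198.51.100.7, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 112
"""

# Matches both "[IKEv1]: IP = x," and "[IKEv1 DEBUG]IP = x," prefixes.
PEER = re.compile(r"\[IKEv1(?: DEBUG)?\]:?\s*IP = ([0-9.]+),\s*(.*)")

def summarize(log_text):
    """Count Main Mode first-exchange events per peer."""
    stats = defaultdict(lambda: {"sent": 0, "resent": 0, "received": 0, "msg2_timeouts": 0})
    for line in log_text.splitlines():
        m = PEER.search(line)
        if not m:
            continue  # Pitcher / crypto_map_check lines carry no peer state
        s, rest = stats[m.group(1)], m.group(2)
        if "RESENDING Message (msgid=0)" in rest:    # test before SENDING (substring)
            s["resent"] += 1
        elif "SENDING Message (msgid=0)" in rest:
            s["sent"] += 1
        elif "RECEIVED Message (msgid=0)" in rest:
            s["received"] += 1
        elif "FSM error history" in rest and "MM_WAIT_MSG2, EV_TIMEOUT" in rest:
            s["msg2_timeouts"] += 1
    return dict(stats)

def diagnose(log_text):
    """Flag peers that never answered MSG1: check the UDP/500 path to them."""
    verdicts = {}
    for peer, s in summarize(log_text).items():
        if s["received"]:
            verdicts[peer] = "peer-responding"
        elif s["resent"] or s["msg2_timeouts"]:
            verdicts[peer] = "no-reply-to-msg1"
        else:
            verdicts[peer] = "inconclusive"
    return verdicts
```

A `no-reply-to-msg1` verdict only says that nothing came back from that peer during the capture; it does not distinguish a filtered UDP/500 path from a peer that is down or not configured to answer.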

Both sites had no config changes, and the connection is disconnected.

Sure, I will make a call to the ISP.

Will update with the findings.

It turned out to be an ISP problem. Once reported, they checked the backend and the VPN connection was restored.

TQ

I'm facing the same problem too. We have redundant VPN connections configured, and when disconnecting the primary VPN connection, the redundant VPN connection goes to the MM_WAITMSG2 state.

Dec 03 16:26:43 [IKEv1 DEBUG]IP = 10.90.93.1, IKE MM Initiator FSM error history (struct &0x00002aaaca2652f0) <state>, <event>: MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
Dec 03 16:26:43 [IKEv1 DEBUG]IP = 10.90.93.1, IKE SA MM:5054bbab terminating: flags 0x01000022, refcnt 0, tuncnt 0
Dec 03 16:26:43 [IKEv1 DEBUG]IP = 10.90.93.1, sending delete/delete with reason message
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, saddr=10.140.30.104, sport=63345, daddr=10.190.38.15, dport=63345
IPSEC(crypto_map_check)-3: Checking crypto map LSC-2_map 1: matched.
Dec 03 16:26:43 [IKEv1 DEBUG]Pitcher: received a key acquire message, spi 0x0
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, saddr=10.140.30.104, sport=63345, daddr=10.190.38.15, dport=63345
IPSEC(crypto_map_check)-3: Checking crypto map LSC-2_map 1: matched.
Dec 03 16:26:43 [IKEv1]IP = 10.90.193.1, IKE Initiator: New Phase 1, Intf BASE, IKE Peer 10.90.193.1 local Proxy Address 10.140.30.0, remote Proxy Address 10.190.38.0, Crypto map (LSC-2_map)
Dec 03 16:26:43 [IKEv1 DEBUG]IP = 10.90.193.1, constructing ISAKMP SA payload
Dec 03 16:26:43 [IKEv1 DEBUG]IP = 10.90.193.1, constructing NAT-Traversal VID ver 02 payload
Dec 03 16:26:43 [IKEv1 DEBUG]IP = 10.90.193.1, constructing NAT-Traversal VID ver 03 payload
Dec 03 16:26:43 [IKEv1 DEBUG]IP = 10.90.193.1, constructing NAT-Traversal VID ver RFC payload
Dec 03 16:26:43 [IKEv1 DEBUG]IP = 10.90.193.1, constructing Fragmentation VID + extended capabilities payload
Dec 03 16:26:43 [IKEv1]IP = 10.90.193.1, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 324
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=17, saddr=10.130.30.55, sport=13968, daddr=10.190.38.2, dport=41216
IPSEC(crypto_map_check)-3: Checking crypto map LSC-2_map 1: matched.
Dec 03 16:26:43 [IKEv1 DEBUG]Pitcher: received a key acquire message, spi 0x0
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=17, saddr=10.130.30.55, sport=13968, daddr=10.190.38.2, dport=41216
IPSEC(crypto_map_check)-3: Checking crypto map LSC-2_map 1: matched.
Dec 03 16:26:43 [IKEv1]IP = 10.90.193.1, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=6, saddr=10.140.30.102, sport=5358, daddr=10.170.38.52, dport=15650
IPSEC(crypto_map_check)-3: Checking crypto map LSC-2_map 1: matched.
Dec 03 16:26:45 [IKEv1 DEBUG]Pitcher: received a key acquire message, spi 0x0
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=6, saddr=10.140.30.102, sport=5358, daddr=10.170.38.52, dport=15650
IPSEC(crypto_map_check)-3: Checking crypto map LSC-2_map 1: matched.
Dec 03 16:26:45 [IKEv1]IP = 10.90.193.1, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, saddr=10.140.30.104, sport=63345, daddr=10.190.38.15, dport=63345
IPSEC(crypto_map_check)-3: Checking crypto map LSC-2_map 1: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=17, saddr=10.130.30.55, sport=23011, daddr=10.190.38.2, dport=41216
IPSEC(crypto_map_check)-3: Checking crypto map LSC-2_map 1: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=6, saddr=10.140.30.102, sport=5614, daddr=10.170.38.52, dport=15650
IPSEC(crypto_map_check)-3: Checking crypto map LSC-2_map 1: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, saddr=10.140.30.104, sport=63345, daddr=10.190.38.15, dport=63345
IPSEC(crypto_map_check)-3: Checking crypto map LSC-2_map 1: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=17, saddr=10.130.30.55, sport=23011, daddr=10.190.38.2, dport=41216
IPSEC(crypto_map_check)-3: Checking crypto map LSC-2_map 1: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, saddr=10.140.30.104, sport=63345, daddr=10.190.38.15, dport=63345
IPSEC(crypto_map_check)-3: Checking crypto map LSC-2_map 1: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=6, saddr=10.140.30.102, sport=6382, daddr=10.170.38.52, dport=15650
IPSEC(crypto_map_check)-3: Checking crypto map LSC-2_map 1: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=17, saddr=10.130.30.55, sport=55699, daddr=10.190.38.3, dport=41216
IPSEC(crypto_map_check)-3: Checking crypto map LSC-2_map 1: matched.
Dec 03 16:26:51 [IKEv1]IP = 10.90.193.1, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 324
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, saddr=10.140.30.104, sport=63345, daddr=10.190.38.15, dport=63345
IPSEC(crypto_map_check)-3: Checking crypto map LSC-2_map 1: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=6, saddr=10.140.30.102, sport=10222, daddr=10.170.38.52, dport=15650
IPSEC(crypto_map_check)-3: Checking crypto map LSC-2_map 1: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, saddr=10.140.30.104, sport=63345, daddr=10.190.38.15, dport=63345
IPSEC(crypto_map_check)-3: Checking crypto map LSC-2_map 1: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=17, saddr=10.130.30.55, sport=55699, daddr=10.190.38.3, dport=41216
IPSEC(crypto_map_check)-3: Checking crypto map LSC-2_map 1: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=6, saddr=10.140.30.102, sport=10990, daddr=10.170.38.52, dport=15650
IPSEC(crypto_map_check)-3: Checking crypto map LSC-2_map 1: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, saddr=10.140.30.104, sport=63345, daddr=10.190.38.15, dport=63345
IPSEC(crypto_map_check)-3: Checking crypto map LSC-2_map 1: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=6, saddr=10.140.30.102, sport=15086, daddr=10.170.38.52, dport=15650
IPSEC(crypto_map_check)-3: Checking crypto map LSC-2_map 1: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=17, saddr=10.130.30.55, sport=8327, daddr=10.190.38.3, dport=41216
IPSEC(crypto_map_check)-3: Checking crypto map LSC-2_map 1: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, saddr=10.140.30.104, sport=63345, daddr=10.190.38.15, dport=63345
IPSEC(crypto_map_check)-3: Checking crypto map LSC-2_map 1: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=6, saddr=10.140.30.102, sport=15342, daddr=10.170.38.52, dport=15650
IPSEC(crypto_map_check)-3: Checking crypto map LSC-2_map 1: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=17, saddr=10.130.30.55, sport=8327, daddr=10.190.38.3, dport=41216
IPSEC(crypto_map_check)-3: Checking crypto map LSC-2_map 1: matched.
Dec 03 16:26:59 [IKEv1]IP = 10.90.193.1, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 324
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, saddr=10.140.30.104, sport=63345, daddr=10.190.38.15, dport=63345
IPSEC(crypto_map_check)-3: Checking crypto map LSC-2_map 1: matched.