03-25-2021 04:48 PM
I'm facing some issues with an IPsec VPN tunnel. The VPN is between a Cisco ISR4331 router and a Cisco ASR1001-X.
Phase 1 comes up and then gets deleted, with the error "MM_NO_STATE - ACTIVE (Deleted)".
When I ran debug on the ASR1001-X router I found the error below; the full debug logs are attached.
Mar 25 21:19:42: ISAKMP: (0):retransmitting phase 1 MM_SA_SETUP...
Mar 25 21:19:42: ISAKMP: (0):peer does not do paranoid keepalives.
Mar 25 21:19:42: ISAKMP-ERROR: (0):deleting SA reason "Death by retransmission P1" state (R) MM_SA_SETUP (peer 10.126.253.69)
Mar 25 21:19:42: ISAKMP-ERROR: (0):deleting SA reason "Death by retransmission P1" state (R) MM_SA_SETUP (peer 10.126.253.69)
Mar 25 21:19:42: ISAKMP: (0):Deleting the unauthenticated sa
Mar 25 21:19:42: ISAKMP: (0):Unlocking peer struct 0x7FC1B38B8498 for isadb_mark_sa_deleted(), count 0
Mar 25 21:19:42: ISAKMP: (0):Deleting the peer struct for unauthenticated sa
Mar 25 21:19:42: ISAKMP: (0):Deleting peer node by peer_reap for 10.126.253.69: 7FC1B38B8498
Mar 25 21:19:42: ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Mar 25 21:19:42: ISAKMP: (0):Old State = IKE_R_MM2 New State = IKE_DEST_SA
Mar 25 21:19:49: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
Mar 25 21:19:49: ISAKMP: (0):: incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Mar 25 21:19:49: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE
Mar 25 21:19:49: ISAKMP-PAK: (0):sending packet to 10.126.253.69 my_port 500 peer_port 500 (I) MM_NO_STATE
Mar 25 21:19:49: ISAKMP: (0):Sending an IKE IPv4 Packet.
Mar 25 21:19:51: ISAKMP-PAK: (0):received packet from 10.126.253.69 dport 500 sport 500 ewan-vpn (R) MM_SA_SETUP
Mar 25 21:19:51: ISAKMP: (0):phase 1 packet is a duplicate of a previous packet.
Mar 25 21:19:51: ISAKMP: (0):retransmitting due to retransmit phase 1
Mar 25 21:19:52: ISAKMP: (0):retransmitting phase 1 MM_SA_SETUP...
Mar 25 21:19:52: ISAKMP: (0):: incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Mar 25 21:19:52: ISAKMP: (0):retransmitting phase 1 MM_SA_SETUP
Mar 25 21:19:52: ISAKMP-PAK: (0):sending packet to 10.126.253.69 my_port 500 peer_port 500 (R) MM_SA_SETUP
Mar 25 21:19:52: ISAKMP: (0):Sending an IKE IPv4 Packet.
Mar 25 21:19:59: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
Mar 25 21:19:59: ISAKMP: (0):: incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
Mar 25 21:19:59: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE
Mar 25 21:19:59: ISAKMP-PAK: (0):sending packet to 10.126.253.69 my_port 500 peer_port 500 (I) MM_NO_STATE
Mar 25 21:19:59: ISAKMP: (0):Sending an IKE IPv4 Packet.
Mar 25 21:20:01: ISAKMP-PAK: (0):received packet from 10.126.253.69 dport 500 sport 500 ewan-vpn (R) MM_SA_SETUP
Mar 25 21:20:01: ISAKMP: (0):phase 1 packet is a duplicate of a previous packet.
Mar 25 21:20:01: ISAKMP: (0):retransmitting due to retransmit phase 1
Mar 25 21:20:02: ISAKMP: (0):retransmitting phase 1 MM_SA_SETUP...
Mar 25 21:20:02: ISAKMP: (0):: incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
Mar 25 21:20:02: ISAKMP: (0):retransmitting phase 1 MM_SA_SETUP
Mar 25 21:20:02: ISAKMP-PAK: (0):sending packet to 10.126.253.69 my_port 500 peer_port 500 (R) MM_SA_SETUP
Mar 25 21:20:02: ISAKMP: (0):Sending an IKE IPv4 Packet.
Mar 25 21:20:09: ISAKMP: (0):set new node 0 to QM_IDLE
Mar 25 21:20:09: ISAKMP-ERROR: (0):SA is still budding. Attached new ipsec request to it. (local 203.13.114.4, remote 10.126.253.69)
Mar 25 21:20:09: ISAKMP-ERROR: (0):Error while processing SA request: Failed to initialize SA
Mar 25 21:20:09: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
Mar 25 21:20:09: ISAKMP: (0):: incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
Mar 25 21:20:09: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE
Mar 25 21:20:09: ISAKMP-PAK: (0):sending packet to 10.126.253.69 my_port 500 peer_port 500 (I) MM_NO_STATE
Mar 25 21:20:09: ISAKMP: (0):Sending an IKE IPv4 Packet.
Mar 25 21:20:11: ISAKMP-PAK: (0):received packet from 10.126.253.69 dport 500 sport 500 ewan-vpn (R) MM_SA_SETUP
Mar 25 21:20:11: ISAKMP: (0):phase 1 packet is a duplicate of a previous packet.
Mar 25 21:20:11: ISAKMP: (0):retransmitting due to retransmit phase 1
Mar 25 21:20:12: ISAKMP: (0):retransmitting phase 1 MM_SA_SETUP...
Mar 25 21:20:12: ISAKMP: (0):: incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
Mar 25 21:20:12: ISAKMP: (0):retransmitting phase 1 MM_SA_SETUP
Mar 25 21:20:12: ISAKMP-PAK: (0):sending packet to 10.126.253.69 my_port 500 peer_port 500 (R) MM_SA_SETUP
Mar 25 21:20:12: ISAKMP: (0):Sending an IKE IPv4 Packet.
Mar 25 21:20:19: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
Mar 25 21:20:19: ISAKMP: (0):: incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
Mar 25 21:20:19: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE
Mar 25 21:20:19: ISAKMP-PAK: (0):sending packet to 10.126.253.69 my_port 500 peer_port 500 (I) MM_NO_STATE
Mar 25 21:20:19: ISAKMP: (0):Sending an IKE IPv4 Packet.
Mar 25 21:20:21: ISAKMP-PAK: (0):received packet from 10.126.253.69 dport 500 sport 500 ewan-vpn (R) MM_SA_SETUP
Mar 25 21:20:21: ISAKMP: (0):phase 1 packet is a duplicate of a previous packet.
Mar 25 21:20:21: ISAKMP: (0):retransmitting due to retransmit phase 1
Mar 25 21:20:22: ISAKMP: (0):retransmitting phase 1 MM_SA_SETUP...
Mar 25 21:20:22: ISAKMP: (0):: incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
Mar 25 21:20:22: ISAKMP: (0):retransmitting phase 1 MM_SA_SETUP
Mar 25 21:20:22: ISAKMP-PAK: (0):sending packet to 10.126.253.69 my_port 500 peer_port 500 (R) MM_SA_SETUP
Mar 25 21:20:22: ISAKMP: (0):Sending an IKE IPv4 Packet.
Mar 25 21:20:28: ISAKMP: (0):purging node 3684507416
Mar 25 21:20:28: ISAKMP: (0):purging node 2547109587
Mar 25 21:20:29: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
Mar 25 21:20:29: ISAKMP: (0):: incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
Mar 25 21:20:29: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE
Mar 25 21:20:29: ISAKMP-PAK: (0):sending packet to 10.126.253.69 my_port 500 peer_port 500 (I) MM_NO_STATE
Mar 25 21:20:29: ISAKMP: (0):Sending an IKE IPv4 Packet.
Mar 25 21:20:31: ISAKMP-PAK: (0):received packet from 10.126.253.69 dport 500 sport 500 ewan-vpn (R) MM_SA_SETUP
Mar 25 21:20:31: ISAKMP: (0):phase 1 packet is a duplicate of a previous packet.
Mar 25 21:20:31: ISAKMP: (0):retransmitting due to retransmit phase 1
Mar 25 21:20:32: ISAKMP: (0):retransmitting phase 1 MM_SA_SETUP...
Mar 25 21:20:32: ISAKMP: (0):: incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
Mar 25 21:20:32: ISAKMP: (0):retransmitting phase 1 MM_SA_SETUP
Mar 25 21:20:32: ISAKMP-PAK: (0):sending packet to 10.126.253.69 my_port 500 peer_port 500 (R) MM_SA_SETUP
Mar 25 21:20:32: ISAKMP: (0):Sending an IKE IPv4 Packet.
Mar 25 21:20:38: ISAKMP: (0):purging SA., sa=7FC1A6B21CD0, delme=7FC1A6B21CD0
Mar 25 21:20:39: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
Mar 25 21:20:39: ISAKMP: (0):peer does not do paranoid keepalives.
Mar 25 21:20:39: ISAKMP-ERROR: (0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 10.126.253.69)
Mar 25 21:20:39: ISAKMP-ERROR: (0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 10.126.253.69)
Mar 25 21:20:39: ISAKMP: (0):Unlocking peer struct 0x7FC1B32B68B0 for isadb_mark_sa_deleted(), count 0
Mar 25 21:20:39: ISAKMP: (0):Deleting peer node by peer_reap for 10.126.253.69: 7FC1B32B68B0
Mar 25 21:20:39: ISAKMP: (0):deleting node 1024521642 error FALSE reason "IKE deleted"
Mar 25 21:20:39: ISAKMP: (0):deleting node 2934222722 error FALSE reason "IKE deleted"
Mar 25 21:20:39: ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Mar 25 21:20:39: ISAKMP: (0):Old State = IKE_I_MM1 New State = IKE_DEST_SA
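Reading a debug like the one above by hand is tedious. The following Python script is an added example, not part of the original post, that does the bookkeeping: it groups the `debug crypto isakmp` lines by peer and by the local role marker, (I) initiator or (R) responder, counts how often the peer re-sent a message this router had already answered, and maps the final "Death by retransmission P1" state onto the main-mode message that was never received. The SAMPLE_DEBUG lines are an abridged copy of the log in the post; the main-mode message table and the verdict logic are the reasoning a practitioner applies by hand, not anything the router prints.

```python
import re

# What each main-mode state means for the local side: the message we last sent
# and the one we are waiting for (IKEv1 main mode, initiator I / responder R).
AWAITING = {
    ("I", "MM_NO_STATE"): ("MM1", "MM2"),
    ("R", "MM_SA_SETUP"): ("MM2", "MM3"),
    ("I", "MM_SA_SETUP"): ("MM3", "MM4"),
    ("R", "MM_KEY_EXCH"): ("MM4", "MM5"),
    ("I", "MM_KEY_EXCH"): ("MM5", "MM6"),
}

SEND_RE = re.compile(r"sending packet to (?P<peer>[\d.]+) .*\((?P<role>[IR])\) (?P<state>MM_[A-Z_]+)")
RECV_RE = re.compile(r"received packet from (?P<peer>[\d.]+) .*\((?P<role>[IR])\) (?P<state>MM_[A-Z_]+)")
DUP_RE = re.compile(r"phase 1 packet is a duplicate of a previous packet")
RETRANS_RE = re.compile(r"retransmitting phase 1 (?P<state>MM_[A-Z_]+)\.\.\.")
DEATH_RE = re.compile(r'deleting SA reason "(?P<reason>[^"]+)" state \((?P<role>[IR])\) '
                      r"(?P<state>MM_[A-Z_]+) \(peer (?P<peer>[\d.]+)\)")


def parse_debug(lines):
    """Group the debug by (peer, local role). Returns (per-SA facts, retransmits per state)."""
    sas, retransmits, last_recv = {}, {}, None

    def sa(peer, role):
        return sas.setdefault((peer, role), {"sent": set(), "received": set(),
                                             "dups": 0, "death": None})

    for line in lines:
        if m := SEND_RE.search(line):
            sa(m["peer"], m["role"])["sent"].add(m["state"])
        elif m := RECV_RE.search(line):
            last_recv = sa(m["peer"], m["role"])
            last_recv["received"].add(m["state"])
        elif DUP_RE.search(line) and last_recv is not None:
            last_recv["dups"] += 1   # the peer re-sent a message we already answered
        elif m := RETRANS_RE.search(line):
            retransmits[m["state"]] = retransmits.get(m["state"], 0) + 1
        elif m := DEATH_RE.search(line):
            sa(m["peer"], m["role"])["death"] = (m["reason"], m["state"])
    return sas, retransmits


def diagnose(sas, retransmits):
    """Turn a main-mode 'Death by retransmission P1' into a statement about which
    direction of UDP/500 is failing, using only what was and was not exchanged."""
    findings, peer_never_saw_mm2, we_never_got_mm2 = [], False, False
    for (peer, role), f in sorted(sas.items()):
        if not f["death"] or "retransmission" not in f["death"][0]:
            continue
        state = f["death"][1]
        sent, awaited = AWAITING.get((role, state), ("?", "?"))
        note = (f"{peer} as {'initiator' if role == 'I' else 'responder'} died in {state}: "
                f"we sent {sent} and never received {awaited}")
        if role == "I" and state == "MM_NO_STATE":
            we_never_got_mm2 = True
        if role == "R" and state == "MM_SA_SETUP" and f["dups"]:
            note += f"; the peer re-sent MM1 {f['dups']} times, so it never saw our MM2"
            peer_never_saw_mm2 = True
        findings.append(note)
    if peer_never_saw_mm2 and we_never_got_mm2:
        findings.append("verdict: the peer's UDP/500 reaches this router but nothing this router "
                        "sends reaches the peer; check the outbound path and the tunnel source "
                        "interface/VRF before touching crypto parameters")
    elif we_never_got_mm2 and not any(role == "R" for _, role in sas):
        findings.append("verdict: no packet from the peer was ever seen; check reachability "
                        "in both directions")
    if retransmits:
        findings.append("retransmits per state: " +
                        ", ".join(f"{s}={n}" for s, n in sorted(retransmits.items())))
    return findings


# Constructed, abridged excerpt of the `debug crypto isakmp` output posted above.
SAMPLE_DEBUG = """\
Mar 25 21:19:42: ISAKMP-ERROR: (0):deleting SA reason "Death by retransmission P1" state (R) MM_SA_SETUP (peer 10.126.253.69)
Mar 25 21:19:49: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
Mar 25 21:19:49: ISAKMP-PAK: (0):sending packet to 10.126.253.69 my_port 500 peer_port 500 (I) MM_NO_STATE
Mar 25 21:19:51: ISAKMP-PAK: (0):received packet from 10.126.253.69 dport 500 sport 500 ewan-vpn (R) MM_SA_SETUP
Mar 25 21:19:51: ISAKMP: (0):phase 1 packet is a duplicate of a previous packet.
Mar 25 21:19:52: ISAKMP: (0):retransmitting phase 1 MM_SA_SETUP...
Mar 25 21:19:52: ISAKMP-PAK: (0):sending packet to 10.126.253.69 my_port 500 peer_port 500 (R) MM_SA_SETUP
Mar 25 21:20:01: ISAKMP-PAK: (0):received packet from 10.126.253.69 dport 500 sport 500 ewan-vpn (R) MM_SA_SETUP
Mar 25 21:20:01: ISAKMP: (0):phase 1 packet is a duplicate of a previous packet.
Mar 25 21:20:39: ISAKMP-ERROR: (0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 10.126.253.69)
""".splitlines()

if __name__ == "__main__":
    for finding in diagnose(*parse_debug(SAMPLE_DEBUG)):
        print(finding)
```

On this log the verdict is that the remote's MM1 arrives here (the router answers as responder and reaches MM_SA_SETUP), while nothing this router sends gets an answer in either role. That points at the outbound path, the source interface or the VRF the packets leave from rather than at the crypto parameters; a proposal mismatch would show the peer rejecting the SA payload rather than silently re-sending MM1.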
09-09-2021 02:55 PM
Hi Sachin,
From the ###ISP router side you have a configuration mismatch:
you have
interface Loopback52
however
interface Tunnel2045011
tunnel source Loop52
You should change to
tunnel source Loopback52
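The accepted answer spots the mismatch by eye. The following Python script is an added example, not code from the thread, that makes the same cross-check mechanical for a pair of IOS VTI configs. It checks that every `tunnel source` and `ip unnumbered` names an interface defined in the same config, spelled exactly as the config text spells it (abbreviations are deliberately not expanded, so `Loop52` against `interface Loopback52` is reported, as is the `Loop56` the pasted ISP config never defines); that each side has a pre-shared key bound to the address it dials; that each side's `tunnel destination` is the address the other side sources its tunnel from; and that both ends share an isakmp policy with identical attributes (`encr` and `encryption` being the same command). THREAD_CONFIGS is an abridged, constructed copy of the two configs posted in this thread; the parser understands only the commands the check needs.

```python
import re
# Top-level IOS commands this check understands; everything else is ignored.
HEADS = ("interface", "crypto isakmp policy", "crypto keyring", "crypto isakmp key")

def parse_ios(text):
    """Minimal IOS parser: top-level command of interest -> list of its indented sub-lines."""
    cfg = {h: {} for h in HEADS}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None
            continue
        if raw.startswith(" "):
            if current is not None:
                current.append(raw.strip())
            continue
        current = None
        for head in HEADS:
            if raw.startswith(head + " "):
                current = cfg[head].setdefault(raw[len(head) + 1:], [])
                break
    return cfg

def sub(lines, prefix):  # remainder of the first sub-line starting with `prefix`, else None
    return next((l[len(prefix) + 1:] for l in lines if l.startswith(prefix + " ")), None)

def addresses(cfg):  # interface name -> primary IPv4 address
    return {n: sub(l, "ip address").split()[0] for n, l in cfg["interface"].items() if sub(l, "ip address")}

def psk_peers(cfg):  # peer addresses a pre-shared key is bound to, global or keyring form
    peers = {k.split()[2] for k in cfg["crypto isakmp key"] if k.split()[1] == "address"}
    for lines in cfg["crypto keyring"].values():
        peers |= {l.split()[2] for l in lines if l.startswith("pre-shared-key address ")}
    return peers

def policies(cfg):  # each isakmp policy as a sorted attribute tuple; `encryption` == `encr`
    return {tuple(sorted(re.sub(r"^encryption\b", "encr", l) for l in v))
            for v in cfg["crypto isakmp policy"].values()}

def check_pair(sides):
    """sides: {label: config text} for the two ends. Returns findings; empty means consistent."""
    cfgs = {s: parse_ios(t) for s, t in sides.items()}
    out, tun = [], {}
    for s, cfg in cfgs.items():
        for name, lines in cfg["interface"].items():
            if name.startswith("Tunnel"):
                tun[s] = lines
            for ref in ("tunnel source", "ip unnumbered"):  # must name a defined interface exactly
                tgt = sub(lines, ref)
                if tgt and tgt not in cfg["interface"]:
                    out.append(f"{s}: {name} '{ref} {tgt}' matches no interface in the pasted config "
                               f"(defined: {', '.join(cfg['interface'])})")
    (x, tx), (y, ty) = tun.items()
    for (a, ta), (b, tb) in (((x, tx), (y, ty)), ((y, ty), (x, tx))):
        dest = sub(ta, "tunnel destination")
        if dest not in psk_peers(cfgs[a]):
            out.append(f"{a}: no pre-shared key is bound to tunnel destination {dest}")
        peer_src = addresses(cfgs[b]).get(sub(tb, "tunnel source"))
        if peer_src and peer_src != dest:
            out.append(f"{a}: tunnel destination {dest} but {b} sources its tunnel from {peer_src}")
        elif not peer_src and dest not in addresses(cfgs[b]).values():
            out.append(f"{a}: tunnel destination {dest} is not an address on any {b} interface")
    if not policies(cfgs[x]) & policies(cfgs[y]):
        out.append("no crypto isakmp policy with identical attributes exists on both ends")
    return out

# Abridged copies of the two configs posted in the thread (constructed sample input, keys redacted).
THREAD_CONFIGS = {
    "ISP": """\
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
crypto keyring ewan-vpn vrf ewan-vpn
 pre-shared-key address 10.126.253.69 key XXXXXXXXXX
interface Loopback52
 ip address 203.13.114.4 255.255.255.255
interface Tunnel2045011
 ip unnumbered Loop56
 tunnel source Loop52
 tunnel destination 10.126.253.69
""",
    "remote": """\
crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 5
crypto isakmp key XXXXXXXXXX address 203.13.114.4
interface Loopback65100
 ip address 10.126.253.69 255.255.255.255
interface GigabitEthernet0/0/1
 ip address 10.10.16.2 255.255.248.0
interface Tunnel2031
 ip unnumbered GigabitEthernet0/0/1
 tunnel source Loopback65100
 tunnel destination 203.13.114.4
""",
}
```

Calling `check_pair(THREAD_CONFIGS)` on the thread's configs returns exactly two findings, both on the ISP side: the `tunnel source Loop52` reference and the `ip unnumbered Loop56` reference. Everything else agrees: the keyring entry matches the remote's loopback, the remote's key matches the ISP loopback, and the two isakmp policies are identical once `encryption` is read as `encr`.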
10-06-2021 01:09 PM - edited 10-09-2021 01:04 PM
What I was getting at is that the Management interface of the ASA isn't commonly used, simply because you can manage the ASA by going to the inside interface. The reason you likely cannot reach the management interface is a lack of a route:
03-26-2021 01:26 AM
Double-check whether the PFS group values match on your side and the remote end.
03-28-2021 04:58 PM
Hi Sheraz, thanks for the reply to my post.
I have verified the configurations at both ends and have not seen any issue. Please find the ISP and remote end configs below.
###ISP router
!
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
 lifetime 3600
crypto keyring ewan-vpn vrf ewan-vpn
 pre-shared-key address 10.126.253.69 key XXXXXXXXXX
!
crypto ipsec transform-set ts-extranet-vti esp-aes 256 esp-sha-hmac
 mode tunnel
!
!
crypto ipsec profile ipsec-extranet
 set transform-set ts-extranet-vti
 set reverse-route distance 255
!
interface Loopback52
 description Loopback for ewan-vpn VRF
 ip vrf forwarding ewan-vpn
 ip address 203.13.114.4 255.255.255.255
!
interface Tunnel2045011
 description IPSEC Tunnel to Mobileum Bangalore Tu2071
 ip unnumbered Loop56
 ip virtual-reassembly
 ip tcp adjust-mss 1387
 tunnel source Loop52
 tunnel mode ipsec ipv4
 tunnel destination 10.126.253.69
 tunnel vrf ewan-vpn
 ip vrf forwarding vti-semitrusted
 tunnel protection ipsec profile ipsec-extranet
 service-policy output shape-5mbps-mobileum
!
------------------------------------------------------------------------------------------
###Remote end router
crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 5
 lifetime 3600
crypto isakmp key XXXXXXXXXX address 203.13.114.4
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set optus-ts esp-aes 256 esp-sha-hmac
 mode tunnel
!
!
crypto ipsec profile optus-ipsec
 set transform-set optus-ts
interface Loopback0
 description Loopback for data and bgp peer
 ip address 10.240.176.238 255.255.255.255
!
interface Loopback65100
 description Optus VTI tunnel termination loopback
 ip address 10.126.253.69 255.255.255.255
!
interface Tunnel2031
 description IPSEC Tunnel to CHOC EO2KYGZAT01 Tu3010011
 ip unnumbered GigabitEthernet0/0/1
 ip tcp adjust-mss 1387
 tunnel source Loopback65100
 tunnel mode ipsec ipv4
 tunnel destination 203.13.114.4
 tunnel protection ipsec profile optus-ipsec
 ip virtual-reassembly
!
interface GigabitEthernet0/0/0
 ip address 115.31.251.254 255.255.255.252
 negotiation auto
!
interface GigabitEthernet0/0/1
 ip address 10.10.16.2 255.255.248.0
 negotiation auto
!
ip tftp source-interface GigabitEthernet0
ip route 0.0.0.0 0.0.0.0 115.31.251.253
ip route 0.0.0.0 0.0.0.0 Tunnel2031 name default-to-optus_via_tunnel2031
ip route 10.10.16.0 255.255.248.0 10.10.16.13
ip route 10.10.24.0 255.255.248.0 10.10.16.13
ip route 203.13.114.4 255.255.255.255 115.31.251.253 name EO2KYGZAT01-loop52
!
04-05-2021 12:53 AM
Sorry for the late reply. Looking into your configuration and your debug, I noted that we only see "MM_SA_SETUP", which means "The peers have agreed on parameters for the ISAKMP SA." However, we do not see any other ISAKMP parameters. It seems that UDP 500 is being dropped in the path unidirectionally, from this router to the remote peer. Could you also run the debug on the remote site and check what you see on the other end?
Could you please show the output of "show crypto isakmp sa detail" from both sides, and could you also enable a packet capture on the routers at one or both ends?
! Extended ACL: IOS needs "host" before each address, and both directions
! must be listed for a "both" capture to catch the peer's replies as well
ip access-list extended CAP-ACL
 permit ip host x.x.x.x host y.y.y.y
 permit ip host y.y.y.y host x.x.x.x
!
monitor capture mycap access-list CAP-ACL
monitor capture mycap limit duration 1000
monitor capture mycap interface loopback52 both
monitor capture mycap buffer circular size 100
monitor capture mycap start
! let a few ISAKMP retransmit cycles go by, then stop before exporting
monitor capture mycap stop
show monitor capture mycap buffer brief
monitor capture mycap export tftp://192.168.x.x/mycap.pcap
10-22-2021 11:14 PM
debug crypto isakmp
Crypto ISAKMP debugging is on
Feb 17 10:58:20.066: ISAKMP (0:1): SA is doing RSA encryption authentication using id type ID_IPV4_ADDR
Feb 17 10:58:20.554: %CRYPTO-6-IKMP_CRYPT_FAILURE: IKE (connid 1) unable to decrypt (w/ RSA private key) packet
Feb 17 10:58:41.706: ISAKMP (0:1): retransmitting phase 1 MM_SA_SETUP...
Feb 17 10:58:41.706: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1
Feb 17 10:59:19.918: ISAKMP (0:1): deleting SA reason "gen_ipsec_isakmp_delete but doi isakmp" state (I) MM_SA_SETUP (peer 200.0.0.2) input queue 0
Feb 17 10:59:19.918: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Feb 17 10:59:19.918: ISAKMP (0:1): Old State = IKE_I_MM3 New State = IKE_DEST_SA

debug crypto isakmp
Crypto ISAKMP debugging is on
Feb 17 10:01:10.930: ISAKMP:(0:1:SW:1): SA is doing RSA encryption authentication using id type ID_IPV4_ADDR
Feb 17 10:01:21.658: ISAKMP:(0:1:SW:1): retransmitting phase 1 MM_KEY_EXCH
Feb 17 10:01:21.658: ISAKMP:(0:1:SW:1): sending packet to 200.1.1.1 my_port 500 peer_port 500 (R) MM_KEY_EXCH
Feb 17 10:01:55.466: ISAKMP: quick mode timer expiring.
Feb 17 10:01:55.466: ISAKMP:(0:1:SW:1): src 200.0.0.1 dst 200.0.0.2, SA is not authenticated
Feb 17 10:01:55.466: ISAKMP:(0:1:SW:1): peer does not do paranoid keepalives.
Feb 17 10:01:55.466: ISAKMP:(0:1:SW:1): deleting SA reason "QM_TIMER expired" state (R) MM_KEY_EXCH (peer 200.0.0.1)
Feb 17 10:01:55.466: ISAKMP:(0:1:SW:1): deleting SA reason "QM_TIMER expired" state (R) MM_KEY_EXCH (peer 200.1.1.1)
Feb 17 10:01:55.466: ISAKMP: Unlocking IKE struct 0x65C405A8 for isadb_mark_sa_deleted(), count 0
Feb 17 10:01:55.466: ISAKMP: Deleting peer node by peer_reap for 200.1.1.1: 65C405A8
Feb 17 10:01:55.466: ISAKMP:(0:1:SW:1): Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Feb 17 10:01:55.466: ISAKMP:(0:1:SW:1): Old State = IKE_R_MM4 New State = IKE_DEST_SA