Hi,
We have a setup at our customer as below:
Cisco7200----->NAT-T FW------>Endrian Virtual Server
In the firewall they have only NATing enabled and no policy restriction.
All of a sudden the VPNs went down, and after deleting and creating the IPSEC VPN configurations the issue was resolved.
Below is the debug log. Can anyone help me in identifying what could have caused the issue?
And also the debug from 26 Sep:
Sep 26 16:13:36.235: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= A.B.C.D, remote= 10X.16Y.17Z.10X,
local_proxy= 10.10.0.0/255.255.255.0/0/0 (type=4),
remote_proxy= 10.1.251.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-aes 256 esp-sha-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
Sep 26 16:13:36.235: ISAKMP: local port 500, remote port 500
Sep 26 16:13:36.239: ISAKMP: set new node 0 to QM_IDLE
Sep 26 16:13:36.239: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = A34D778
Sep 26 16:13:36.239: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
Sep 26 16:13:36.239: ISAKMP:(0):Found ADDRESS key in keyring Denso
Sep 26 16:13:36.239: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
Sep 26 16:13:36.239: ISAKMP:(0): constructed NAT-T vendor-07 ID
Sep 26 16:13:36.239: ISAKMP:(0): constructed NAT-T vendor-03 ID
Sep 26 16:13:36.239: ISAKMP:(0): constructed NAT-T vendor-02 ID
Sep 26 16:13:36.239: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Sep 26 16:13:36.239: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
Sep 26 16:13:36.239: ISAKMP:(0): beginning Main Mode exchange
Sep 26 16:13:36.239: ISAKMP:(0): sending packet to 10X.16Y.17Z.10X my_port 500 peer_port 500 (I) MM_NO_STATE
Sep 26 16:13:36.239: ISAKMP:(0):Sending an IKE IPv4 Packet....
Sep 26 16:13:40.727: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
Sep 26 16:13:40.727: IPSEC(key_engine_enable_outbound): enable SA with spi 313148564/50 ..
Success rate is 0 percent (0/5)
phub1-kna1#
Sep 26 16:13:46.239: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Sep 26 16:13:46.239: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Sep 26 16:13:46.239: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Sep 26 16:13:46.239: ISAKMP:(0): sending packet to 10X.16Y.17Z.10X my_port 500 peer_port 500 (I) MM_NO_STATE
Sep 26 16:13:46.239: ISAKMP:(0):Sending an IKE IPv4 Packet.
phub1-kna1#
Sep 26 16:13:53.372: ISAKMP (16576): received packet from 10X.16Y.17Z.10X dport 4500 sport 4500 Global (R) MM_NO_STATE
phub1-kna1#
Sep 26 16:13:55.632: ISAKMP (16587): FSM action returned error: 2
Sep 26 16:13:55.632: ISAKMP:(16587):deleting SA reason "IKMP_ERR_NO_RETRANS" state (R) MM_KEY_EXCH (peer 10X.16Y.17Z.02A)
Sep 26 16:13:55.632: ISAKMP (16587): FSM action returned error: 2
Sep 26 16:13:55.632: ISAKMP:(16587):deleting SA reason "IKMP_ERR_NO_RETRANS" state (R) MM_KEY_EXCH (peer 10X.16Y.17Z.02A)
Sep 26 16:13:55.636: ISAKMP (16588): FSM action returned error: 2
Sep 26 16:13:55.636: ISAKMP:(16588):deleting SA reason "IKMP_ERR_NO_RETRANS" state (R) MM_KEY_EXCH (peer 10X.16Y.17Z.02A)
Sep 26 16:13:55.636: ISAKMP (16588): FSM action returned error: 2
Sep 26 16:13:55.636: ISAKMP:(16588):deleting SA reason "IKMP_ERR_NO_RETRANS" state (R) MM_KEY_EXCH (peer 10X.16Y.17Z.02A)
Sep 26 16:13:55.644: ISAKMP (16589): FSM action returned error: 2
Sep 26 16:13:55.644: ISAKMP:(16589):deleting SA reason "IKMP_ERR_NO_RETRANS" state (R) MM_KEY_EXCH (peer 10X.16Y.17Z.02A)
Sep 26 16:13:55.644: ISAKMP (16589): FSM action returned error: 2
Sep 26 16:13:55.644: ISAKMP:(16589):deleting SA reason "IKMP_ERR_NO_RETRANS" state (R) MM_KEY_EXCH (peer 10X.16Y.17Z.02A)
Sep 26 16:13:55.648: ISAKMP (16590): FSM action returned error: 2
Sep 26 16:13:55.648: ISAKMP:(16590):deleting SA reason "IKMP_ERR_NO_RETRANS" state (R) MM_KEY_EXCH (peer 10X.16Y.17Z.02A)
Any help would be highly appreciated.
Regards,
Ethi
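An added example, not part of the original post: a small Python triage script that condenses ISAKMP debug output like the above into per-peer facts (UDP ports used in each direction, phase 1 retransmit count, and which SA ids were deleted for which reason and state). The function name and the choice of fields are assumptions; the sample lines are copied from the post with its masked addresses.

```python
import re

# Lines copied from the debug output in the post (addresses are masked there).
SAMPLE = """\
Sep 26 16:13:36.239: ISAKMP:(0): sending packet to 10X.16Y.17Z.10X my_port 500 peer_port 500 (I) MM_NO_STATE
Sep 26 16:13:46.239: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Sep 26 16:13:46.239: ISAKMP:(0): sending packet to 10X.16Y.17Z.10X my_port 500 peer_port 500 (I) MM_NO_STATE
Sep 26 16:13:53.372: ISAKMP (16576): received packet from 10X.16Y.17Z.10X dport 4500 sport 4500 Global (R) MM_NO_STATE
Sep 26 16:13:55.632: ISAKMP (16587): FSM action returned error: 2
Sep 26 16:13:55.632: ISAKMP:(16587):deleting SA reason "IKMP_ERR_NO_RETRANS" state (R) MM_KEY_EXCH (peer 10X.16Y.17Z.02A)
Sep 26 16:13:55.636: ISAKMP:(16588):deleting SA reason "IKMP_ERR_NO_RETRANS" state (R) MM_KEY_EXCH (peer 10X.16Y.17Z.02A)
"""

# Patterns follow the line shapes visible in the log above.
SENT = re.compile(r"sending packet to (\S+) my_port \d+ peer_port (\d+)")
RECV = re.compile(r"received packet from (\S+) dport \d+ sport (\d+)")
DEL = re.compile(r'\((\d+)\):\s*deleting SA reason "([^"]+)" state \(\w\) (\S+) \(peer ([^)]+)\)')
RETX = re.compile(r"attempt (\d+) of \d+: retransmit phase 1")


def summarize(text):
    """Return port mismatches, deleted SAs grouped by cause, and retransmit depth."""
    tx, rx, deleted, retx = {}, {}, {}, 0
    for line in text.splitlines():
        if m := SENT.search(line):
            tx.setdefault(m[1], set()).add(int(m[2]))   # port we address the peer on
        elif m := RECV.search(line):
            rx.setdefault(m[1], set()).add(int(m[2]))   # port the peer sends from
        elif m := DEL.search(line):
            # key: (peer, reason, state) -> set of SA ids, so duplicate lines collapse
            deleted.setdefault((m[4], m[2], m[3]), set()).add(int(m[1]))
        elif m := RETX.search(line):
            retx = max(retx, int(m[1]))
    # Peers addressed on one UDP port but heard from on another (500 vs 4500):
    # a fact to compare against the NAT device's translations, not a verdict.
    mismatch = sorted(p for p in tx if p in rx and tx[p] != rx[p])
    return {"port_mismatch": mismatch, "deleted": deleted, "max_retransmit": retx}


if __name__ == "__main__":
    result = summarize(SAMPLE)
    print("port mismatch peers:", result["port_mismatch"])
    print("max phase 1 retransmit attempt:", result["max_retransmit"])
    for (peer, reason, state), ids in result["deleted"].items():
        print(f"{peer}: {len(ids)} SA(s) deleted, {reason} in {state}: {sorted(ids)}")
```

Feeding it the full capture from both tunnel endpoints for the same time window makes it easier to see whether the two sides agree on ports and on which exchange step stalls.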