IPSEC VPN Down. Want to know why?

vnethirajan
Level 1

Hi,

We have a setup at our customer as below:

Cisco7200----->NAT-T FW------>Endrian Virtual Server

In the firewall they have only NATing enabled and no policy restriction.

All of a sudden the VPNs went down, and after deleting and creating the IPSEC VPN configurations the issue was resolved.

Below is the debug log. Can anyone help me in identifying what could have caused the issue?

And also the debug from 26 Sep:

Sep 26 16:13:36.235: IPSEC(sa_request): ,

  (key eng. msg.) OUTBOUND local= A.B.C.D, remote= 10X.16Y.17Z.10X,

    local_proxy= 10.10.0.0/255.255.255.0/0/0 (type=4),

    remote_proxy= 10.1.251.0/255.255.255.0/0/0 (type=4),

    protocol= ESP, transform= esp-aes 256 esp-sha-hmac  (Tunnel),

    lifedur= 3600s and 4608000kb,

    spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0

Sep 26 16:13:36.235: ISAKMP: local port 500, remote port 500

Sep 26 16:13:36.239: ISAKMP: set new node 0 to QM_IDLE

Sep 26 16:13:36.239: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = A34D778

Sep 26 16:13:36.239: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.

Sep 26 16:13:36.239: ISAKMP:(0):Found ADDRESS key in keyring Denso

Sep 26 16:13:36.239: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID

Sep 26 16:13:36.239: ISAKMP:(0): constructed NAT-T vendor-07 ID

Sep 26 16:13:36.239: ISAKMP:(0): constructed NAT-T vendor-03 ID

Sep 26 16:13:36.239: ISAKMP:(0): constructed NAT-T vendor-02 ID

Sep 26 16:13:36.239: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM

Sep 26 16:13:36.239: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1

Sep 26 16:13:36.239: ISAKMP:(0): beginning Main Mode exchange

Sep 26 16:13:36.239: ISAKMP:(0): sending packet to 10X.16Y.17Z.10X my_port 500 peer_port 500 (I) MM_NO_STATE

Sep 26 16:13:36.239: ISAKMP:(0):Sending an IKE IPv4 Packet....

Sep 26 16:13:40.727: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP

Sep 26 16:13:40.727: IPSEC(key_engine_enable_outbound): enable SA with spi 313148564/50 ..

Success rate is 0 percent (0/5)

phub1-kna1#

Sep 26 16:13:46.239: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...

Sep 26 16:13:46.239: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1

Sep 26 16:13:46.239: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE

Sep 26 16:13:46.239: ISAKMP:(0): sending packet to 10X.16Y.17Z.10X my_port 500 peer_port 500 (I) MM_NO_STATE

Sep 26 16:13:46.239: ISAKMP:(0):Sending an IKE IPv4 Packet.

phub1-kna1#

Sep 26 16:13:53.372: ISAKMP (16576): received packet from 10X.16Y.17Z.10X dport 4500 sport 4500 Global (R) MM_NO_STATE

phub1-kna1#

Sep 26 16:13:55.632: ISAKMP (16587): FSM action returned error: 2

Sep 26 16:13:55.632: ISAKMP:(16587):deleting SA reason "IKMP_ERR_NO_RETRANS" state (R) MM_KEY_EXCH (peer 10X.16Y.17Z.02A)

Sep 26 16:13:55.632: ISAKMP (16587): FSM action returned error: 2

Sep 26 16:13:55.632: ISAKMP:(16587):deleting SA reason "IKMP_ERR_NO_RETRANS" state (R) MM_KEY_EXCH (peer 10X.16Y.17Z.02A)

Sep 26 16:13:55.636: ISAKMP (16588): FSM action returned error: 2

Sep 26 16:13:55.636: ISAKMP:(16588):deleting SA reason "IKMP_ERR_NO_RETRANS" state (R) MM_KEY_EXCH (peer 10X.16Y.17Z.02A)

Sep 26 16:13:55.636: ISAKMP (16588): FSM action returned error: 2

Sep 26 16:13:55.636: ISAKMP:(16588):deleting SA reason "IKMP_ERR_NO_RETRANS" state (R) MM_KEY_EXCH (peer 10X.16Y.17Z.02A)

Sep 26 16:13:55.644: ISAKMP (16589): FSM action returned error: 2

Sep 26 16:13:55.644: ISAKMP:(16589):deleting SA reason "IKMP_ERR_NO_RETRANS" state (R) MM_KEY_EXCH (peer 10X.16Y.17Z.02A)

Sep 26 16:13:55.644: ISAKMP (16589): FSM action returned error: 2

Sep 26 16:13:55.644: ISAKMP:(16589):deleting SA reason "IKMP_ERR_NO_RETRANS" state (R) MM_KEY_EXCH (peer 10X.16Y.17Z.02A)

Sep 26 16:13:55.648: ISAKMP (16590): FSM action returned error: 2

Sep 26 16:13:55.648: ISAKMP:(16590):deleting SA reason "IKMP_ERR_NO_RETRANS" state (R) MM_KEY_EXCH (peer 10X.16Y.17Z.02A)

Any help would be highly appreciated.

Regards,

Ethi
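
A triage script for ISAKMP debug output of the kind posted above, added here as an example and not part of the original post or of any Cisco tooling: it tallies IKE packets sent and received per peer and UDP port, the highest retransmit attempt, and SA deletions with their reason and state. The sample lines are copied from the post; the function names and regular expressions are assumptions based on the line formats shown there.

```python
import re
from collections import Counter

# Lines copied from the debug output in the post (masked addresses as posted).
SAMPLE = """\
Sep 26 16:13:36.239: ISAKMP:(0): sending packet to 10X.16Y.17Z.10X my_port 500 peer_port 500 (I) MM_NO_STATE
Sep 26 16:13:46.239: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Sep 26 16:13:46.239: ISAKMP:(0): sending packet to 10X.16Y.17Z.10X my_port 500 peer_port 500 (I) MM_NO_STATE
Sep 26 16:13:53.372: ISAKMP (16576): received packet from 10X.16Y.17Z.10X dport 4500 sport 4500 Global (R) MM_NO_STATE
Sep 26 16:13:55.632: ISAKMP:(16587):deleting SA reason "IKMP_ERR_NO_RETRANS" state (R) MM_KEY_EXCH (peer 10X.16Y.17Z.02A)
Sep 26 16:13:55.636: ISAKMP:(16588):deleting SA reason "IKMP_ERR_NO_RETRANS" state (R) MM_KEY_EXCH (peer 10X.16Y.17Z.02A)
"""

# Patterns are assumptions inferred from the line formats shown in the post.
SENT = re.compile(r"sending packet to (\S+) my_port (\d+) peer_port (\d+) \((\w)\) (\S+)")
RECV = re.compile(r"received packet from (\S+) dport (\d+) sport (\d+) \S+ \((\w)\) (\S+)")
RETX = re.compile(r"attempt (\d+) of (\d+): retransmit phase (\d)")
DEL = re.compile(r'deleting SA reason "([^"]+)" state \((\w)\) (\S+) \(peer ([^)]+)\)')

def summarize(log):
    """Tally IKE sends/receives, retransmit attempts and SA deletions."""
    out = {"sent": Counter(), "received": Counter(), "deleted": Counter(), "max_retransmit": 0}
    for line in log.splitlines():
        if m := SENT.search(line):
            peer, _, pport, role, state = m.groups()
            out["sent"][(peer, int(pport), role, state)] += 1
        elif m := RECV.search(line):
            peer, dport, _, role, state = m.groups()
            out["received"][(peer, int(dport), role, state)] += 1
        elif m := RETX.search(line):
            out["max_retransmit"] = max(out["max_retransmit"], int(m.group(1)))
        elif m := DEL.search(line):
            reason, role, state, peer = m.groups()
            out["deleted"][(peer, reason, role, state)] += 1
    return out

def port_mismatch(summary):
    """Peers we send IKE to on one UDP port but receive from on another."""
    sent = {}
    for peer, port, _, _ in summary["sent"]:
        sent.setdefault(peer, set()).add(port)
    return {peer: (sorted(sent[peer]), port)
            for peer, port, _, _ in summary["received"]
            if peer in sent and port not in sent[peer]}

if __name__ == "__main__":
    s = summarize(SAMPLE)
    print(dict(s["sent"]), dict(s["received"]), dict(s["deleted"]), sep="\n")
    print("port mismatch:", port_mismatch(s))
```

On the posted lines it reports IKE sent to 10X.16Y.17Z.10X on UDP 500, a packet received from that address on UDP 4500, and the deletions logged against a different peer, 10X.16Y.17Z.02A.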
