Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1305
Views
0
Helpful
7
Replies

IPSEC VPN WENT DOWN after restarting router

bor2021
Level 1
Level 1

‎10-14-2021 03:12 AM

Dears,VPN and AnyConnect, IPSec

My site-to-site VPN was working fine till restart the router. It went down after the restart

Here is the configuration

 

crypto isakmp policy 4
encr 3des
authentication pre-share
group 2
lifetime 2700
crypto isakmp key DR address 1.1.1.1
crypto isakmp aggressive-mode disable

!
crypto ipsec transform-set DR esp-3des esp-sha-hmac
mode tunnel
crypto ipsec transform-set vpn-client esp-3des esp-sha-hmac
mode tunnel
crypto ipsec nat-transparency spi-matching
!
crypto ipsec profile DR
set transform-set DR
!
crypto dynamic-map vpn-client 100
set transform-set vpn-client
reverse-route
!
crypto map CITC-ARC local-address Loopback1
crypto map CITC-ARC 12 ipsec-isakmp
set peer 1.1.1.1
set transform-set CITC-ARC
match address DR-ACL
----------------------------------------------------------------

Debug logs


*Oct 14 13:03:34.240 KSA: ISAKMP-PAK: (58244):received packet from 1.1.1.1 dport 500 sport 500 Global (I) MM_KEY_EXCH
*Oct 14 13:03:34.240 KSA: ISAKMP: (58244):phase 1 packet is a duplicate of a previous packet.
*Oct 14 13:03:34.240 KSA: ISAKMP: (58244):retransmitting due to retransmit phase 1
*Oct 14 13:03:34.741 KSA: ISAKMP: (58244):retransmitting phase 1 MM_KEY_EXCH...
*Oct 14 13:03:34.741 KSA: ISAKMP: (58244):: incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
*Oct 14 13:03:34.741 KSA: ISAKMP: (58244):retransmitting phase 1 MM_KEY_EXCH
NCDC-ASR1K-PRI#
*Oct 14 13:03:34.741 KSA: ISAKMP-PAK: (58244):sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Oct 14 13:03:34.741 KSA: ISAKMP: (58244):Sending an IKE IPv4 Packet.

 

Labels:
0 Helpful
7 Replies 7

Rob Ingram
VIP
VIP

‎10-14-2021 03:16 AM

@bor2021 check your pre-shared key is the same as the peer, re-enter to be sure.

0 Helpful

bor2021
Level 1
Level 1
In response to Rob Ingram

‎10-14-2021 03:31 AM

@Rob Ingram yes, I did that still not coming up

0 Helpful

balaji.bandi
Hall of Fame
Hall of Fame

‎10-14-2021 04:09 AM 

*Oct 14 13:03:34.240 KSA: ISAKMP-PAK: (58244):received packet from 1.1.1.1 dport 500 sport 500 Global (I) MM_KEY_EXCH
*Oct 14 13:03:34.240 KSA: ISAKMP: (58244):phase 1 packet is a duplicate of a previous packet.
*Oct 14 13:03:34.240 KSA: ISAKMP: (58244):retransmitting due to retransmit phase 1
*Oct 14 13:03:34.741 KSA: ISAKMP: (58244):retransmitting phase 1 MM_KEY_EXCH...
*Oct 14 13:03:34.741 KSA: ISAKMP: (58244):: incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
*Oct 14 13:03:34.741 KSA: ISAKMP: (58244):retransmitting phase 1 MM_KEY_EXCH

Looks for me something blocking due i see retransmission ?

 

Do you have any ACL which prevent this ?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

bor2021
Level 1
Level 1
In response to balaji.bandi

‎10-14-2021 04:31 AM

@balaji.bandi 

Now debug outputs are coming as given below

*Oct 14 14:25:08.741 KSA: ISAKMP-PAK: (58405):received packet from 1.1.1.1 dport 500 sport 500 Global (R) QM_IDLE
*Oct 14 14:25:08.741 KSA: ISAKMP: (58405):phase 2 packet is a duplicate of a previous packet.
*Oct 14 14:25:08.741 KSA: ISAKMP: (58405):retransmitting due to retransmit phase 2
*Oct 14 14:25:08.741 KSA: ISAKMP: (58405):Quick Mode is being processed. Ignoring retransmission
*Oct 14 14:25:08.741 KSA: ISAKMP-PAK: (58405):received packet from 1.1.1.1 dport 500 sport 500 Global (R) QM_IDLE
*Oct 14 14:25:08.741 KSA: ISAKMP: (58405):phase 2 packet is a duplicate of a previous packet.
*Oct 14 14:25:08.741 KSA: ISAKMP: (58405):retransmitting due to retransmit phase 2
*Oct 14 14:25:08.742 KSA: ISAKMP: (58405):Quick Mode is being processed. Ignoring retransmission
*Oct 14 14:25:08.742 KSA: ISAKMP-PAK: (58405):received packet from 1.1.1.1 dport 500 sport 500 Global (R) QM_IDLE
*Oct 14 14:25:08.742 KSA: ISAKMP: (58405):phase 2 packet is a duplicate of a previous packet.
*Oct 14 14:25:08.742 KSA: ISAKMP: (58405):retransmitting due to retransmit phase 2
*Oct 14 14:25:08.742 KSA: ISAKMP: (58405):Quick Mode is being processed. Ignoring retransmission

0 Helpful

balaji.bandi
Hall of Fame
Hall of Fame
In response to bor2021

‎10-14-2021 04:55 AM

May be as suggested @rob before, worth replacing the key both the side and check.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

bor2021
Level 1
Level 1

‎10-14-2021 04:43 AM

Dears

Things are up and running now,

The encryption was mismatching both sides. After comparing and changing tunnel came up. Thanks all

0 Helpful

klapfei590815
Level 1
Level 1

‎11-30-2021 12:47 PM - edited ‎12-01-2021 04:54 AM

What I modified into getting at is that the Management interface of the ASA isn't normally used definitely due to the fact you can manipulate the ASA by the usage of going to the inside interface for new review article page. The motive you likely cannot attain the control interface is because of a loss of a route:

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents