bor2021
Beginner

IPSEC VPN WENT DOWN after restarting router

Dears,

My site-to-site VPN was working fine until I restarted the router. It went down after the restart.

Here is the configuration

 

crypto isakmp policy 4
 encr 3des
 authentication pre-share
 group 2
 lifetime 2700
crypto isakmp key DR address 1.1.1.1
crypto isakmp aggressive-mode disable

!
crypto ipsec transform-set DR esp-3des esp-sha-hmac
 mode tunnel
crypto ipsec transform-set vpn-client esp-3des esp-sha-hmac
 mode tunnel
crypto ipsec nat-transparency spi-matching
!
crypto ipsec profile DR
 set transform-set DR
!
crypto dynamic-map vpn-client 100
 set transform-set vpn-client
 reverse-route
!
crypto map CITC-ARC local-address Loopback1
crypto map CITC-ARC 12 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set CITC-ARC
 match address DR-ACL
----------------------------------------------------------------

Debug logs


*Oct 14 13:03:34.240 KSA: ISAKMP-PAK: (58244):received packet from 1.1.1.1 dport 500 sport 500 Global (I) MM_KEY_EXCH
*Oct 14 13:03:34.240 KSA: ISAKMP: (58244):phase 1 packet is a duplicate of a previous packet.
*Oct 14 13:03:34.240 KSA: ISAKMP: (58244):retransmitting due to retransmit phase 1
*Oct 14 13:03:34.741 KSA: ISAKMP: (58244):retransmitting phase 1 MM_KEY_EXCH...
*Oct 14 13:03:34.741 KSA: ISAKMP: (58244):: incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
*Oct 14 13:03:34.741 KSA: ISAKMP: (58244):retransmitting phase 1 MM_KEY_EXCH
NCDC-ASR1K-PRI#
*Oct 14 13:03:34.741 KSA: ISAKMP-PAK: (58244):sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Oct 14 13:03:34.741 KSA: ISAKMP: (58244):Sending an IKE IPv4 Packet.

 

Rob Ingram
VIP Mentor

@bor2021 check that your pre-shared key is the same as the peer's; re-enter it to be sure.

@Rob Ingram yes, I did that; it is still not coming up.

balaji.bandi
VIP Master

*Oct 14 13:03:34.240 KSA: ISAKMP-PAK: (58244):received packet from 1.1.1.1 dport 500 sport 500 Global (I) MM_KEY_EXCH
*Oct 14 13:03:34.240 KSA: ISAKMP: (58244):phase 1 packet is a duplicate of a previous packet.
*Oct 14 13:03:34.240 KSA: ISAKMP: (58244):retransmitting due to retransmit phase 1
*Oct 14 13:03:34.741 KSA: ISAKMP: (58244):retransmitting phase 1 MM_KEY_EXCH...
*Oct 14 13:03:34.741 KSA: ISAKMP: (58244):: incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
*Oct 14 13:03:34.741 KSA: ISAKMP: (58244):retransmitting phase 1 MM_KEY_EXCH

It looks to me like something is blocking, as I see retransmissions?

Do you have any ACL which prevents this?

BB

***** Rate All Helpful Responses *****

How to Ask The Community for Help

@balaji.bandi 

Now the debug output is coming as given below:

*Oct 14 14:25:08.741 KSA: ISAKMP-PAK: (58405):received packet from 1.1.1.1 dport 500 sport 500 Global (R) QM_IDLE
*Oct 14 14:25:08.741 KSA: ISAKMP: (58405):phase 2 packet is a duplicate of a previous packet.
*Oct 14 14:25:08.741 KSA: ISAKMP: (58405):retransmitting due to retransmit phase 2
*Oct 14 14:25:08.741 KSA: ISAKMP: (58405):Quick Mode is being processed. Ignoring retransmission
*Oct 14 14:25:08.741 KSA: ISAKMP-PAK: (58405):received packet from 1.1.1.1 dport 500 sport 500 Global (R) QM_IDLE
*Oct 14 14:25:08.741 KSA: ISAKMP: (58405):phase 2 packet is a duplicate of a previous packet.
*Oct 14 14:25:08.741 KSA: ISAKMP: (58405):retransmitting due to retransmit phase 2
*Oct 14 14:25:08.742 KSA: ISAKMP: (58405):Quick Mode is being processed. Ignoring retransmission
*Oct 14 14:25:08.742 KSA: ISAKMP-PAK: (58405):received packet from 1.1.1.1 dport 500 sport 500 Global (R) QM_IDLE
*Oct 14 14:25:08.742 KSA: ISAKMP: (58405):phase 2 packet is a duplicate of a previous packet.
*Oct 14 14:25:08.742 KSA: ISAKMP: (58405):retransmitting due to retransmit phase 2
*Oct 14 14:25:08.742 KSA: ISAKMP: (58405):Quick Mode is being processed. Ignoring retransmission

Maybe, as @rob suggested before, it is worth replacing the key on both sides and checking.

BB


bor2021
Beginner

Dears

Things are up and running now.

The encryption was mismatched between the two sides. After comparing and changing it, the tunnel came up. Thanks all.
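
An added example, not part of the original thread or any Cisco tooling: a small Python triage script that groups `debug crypto isakmp` lines like those posted above by SA id and reports which phase each SA is retransmitting in. The sample lines are copied from this thread; the `triage` function and its field names are hypothetical.

```python
import re
from collections import defaultdict

# Sample lines copied from the debug output posted in this thread.
SAMPLE = """\
*Oct 14 13:03:34.240 KSA: ISAKMP-PAK: (58244):received packet from 1.1.1.1 dport 500 sport 500 Global (I) MM_KEY_EXCH
*Oct 14 13:03:34.240 KSA: ISAKMP: (58244):phase 1 packet is a duplicate of a previous packet.
*Oct 14 13:03:34.741 KSA: ISAKMP: (58244):: incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
*Oct 14 13:03:34.741 KSA: ISAKMP-PAK: (58244):sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Oct 14 14:25:08.741 KSA: ISAKMP-PAK: (58405):received packet from 1.1.1.1 dport 500 sport 500 Global (R) QM_IDLE
*Oct 14 14:25:08.741 KSA: ISAKMP: (58405):phase 2 packet is a duplicate of a previous packet.
*Oct 14 14:25:08.741 KSA: ISAKMP: (58405):Quick Mode is being processed. Ignoring retransmission
"""

LINE = re.compile(r"ISAKMP(?:-PAK)?: \((\d+)\):+\s*(.*)$")
PAK = re.compile(r"(?:received packet from|sending packet to) (\S+) .*\((I|R)\)\s+(\S+)$")
DUP = re.compile(r"phase (\d) packet is a duplicate")
ATTEMPT = re.compile(r"attempt (\d+) of (\d+)")

def triage(text):
    """Group ISAKMP debug lines by SA id and summarise where each SA is stuck."""
    sas = defaultdict(lambda: {"peer": None, "role": None, "state": None,
                               "dups": {1: 0, 2: 0}, "attempt": None})
    for raw in text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue  # router prompts and unrelated lines
        sa, msg = sas[int(m.group(1))], m.group(2)
        if (p := PAK.search(msg)):
            sa["peer"], sa["state"] = p.group(1), p.group(3)
            sa["role"] = "initiator" if p.group(2) == "I" else "responder"
        elif (d := DUP.search(msg)):
            sa["dups"][int(d.group(1))] += 1
        elif (a := ATTEMPT.search(msg)):
            sa["attempt"] = (int(a.group(1)), int(a.group(2)))
    for sa in sas.values():
        # MM_KEY_EXCH + retransmits: main mode is not completing (thread: check key, ACL).
        if sa["state"] == "MM_KEY_EXCH" and (sa["dups"][1] or sa["attempt"]):
            sa["stuck"] = "phase 1"
        # QM_IDLE + phase 2 duplicates: phase 1 is up, Quick Mode is not completing.
        elif sa["state"] == "QM_IDLE" and sa["dups"][2]:
            sa["stuck"] = "phase 2"
        else:
            sa["stuck"] = None
    return dict(sas)

if __name__ == "__main__":
    for sa_id, sa in triage(SAMPLE).items():
        print(sa_id, sa)
```

A move from "phase 1" to "phase 2", as between the two debug captures in this thread, means the IKE SA now establishes and the remaining comparison is of the IPsec (phase 2) parameters on both peers.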