Hey everyone,
I have two routers and an ASA, with one of the routers sitting behind the ASA. I have a VTI configuration between the two routers; the regular GRE traffic passes through just fine, but after applying an IPsec profile to the interfaces, IKE Phase 1 never completes. I have the configurations and debugs posted below. Thank you in advance for your help. I have confirmed reachability and there are no access list issues.
Router 1:
crypto ipsec transform-set SEC esp-aes 256 esp-md5-hmac
mode tunnel
!
crypto ipsec profile IPSEC
set transform-set SEC
!
!
interface Tunnel2
ip address 172.16.1.1 255.255.255.252
tunnel source 200.1.1.1
tunnel destination 200.1.1.2
tunnel protection ipsec profile IPSEC
!
crypto isakmp key SECURITYKEY address 200.1.1.2
!
crypto isakmp policy 1
encr aes 256
hash md5
authentication pre-share
group 2
ASA:
static (inside,outside) 200.1.1.2 10.1.1.1 netmask 255.255.255.255
Router 2:
interface Tunnel121
ip address 172.16.1.2 255.255.255.252
ip nat inside
ip virtual-reassembly
tunnel source 10.1.1.1
tunnel destination 200.1.1.1
tunnel protection ipsec profile IPSEC
!
crypto ipsec transform-set SEC esp-aes 256 esp-md5-hmac
mode tunnel
!
crypto ipsec profile IPSEC
set transform-set SEC
!
crypto isakmp key SECURITYKEY address 200.1.1.1
!
crypto isakmp policy 2
encr aes 256
hash md5
authentication pre-share
group 2
R2#debug crypto isakmp
R2#
R2#
May 7 14:30:35 CDT: ISAKMP (0:134218444): received packet from 200.1.1.1 dport 4500 sport 4500 Global (R) QM_IDLE
May 7 14:30:35 CDT: ISAKMP:(0:716:SW:1): phase 1 packet is a duplicate of a previous packet.
May 7 14:30:35 CDT: ISAKMP:(0:716:SW:1): retransmitting due to retransmit phase 1
May 7 14:30:35 CDT: ISAKMP (0:134218443): received packet from 200.1.1.1 dport 4500 sport 4500 Global (R) MM_NO_STATE
May 7 14:30:36 CDT: ISAKMP:(0:716:SW:1): retransmitting phase 1 QM_IDLE ...
May 7 14:30:36 CDT: ISAKMP (0:134218444): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
May 7 14:30:36 CDT: ISAKMP:(0:716:SW:1): retransmitting phase 1 QM_IDLE
May 7 14:30:36 CDT: ISAKMP:(0:716:SW:1): sending packet to 200.1.1.1 my_port 4500 peer_port 4500 (R) QM_IDLE
May 7 14:30:42 CDT: ISAKMP:(0:716:SW:1): retransmitting phase 2 QM_IDLE -1092494630 ...
May 7 14:30:42 CDT: ISAKMP (0:134218444): incrementing error counter on node, attempt 2 of 5: retransmit phase 2
May 7 14:30:42 CDT: ISAKMP (0:134218444): incrementing error counter on sa, attempt 4 of 5: retransmit phase 2
May 7 14:30:42 CDT: ISAKMP:(0:716:SW:1): retransmitting phase 2 -1092494630 QM_IDLE
May 7 14:30:42 CDT: ISAKMP:(0:716:SW:1): sending packet to 200.1.1.1 my_port 4500 peer_port 4500 (R) QM_IDLE
May 7 14:30:45 CDT: ISAKMP (0:134218444): received packet from 200.1.1.1 dport 4500 sport 4500 Global (R) QM_IDLE
May 7 14:30:45 CDT: ISAKMP:(0:716:SW:1): phase 1 packet is a duplicate of a previous packet.
May 7 14:30:45 CDT: ISAKMP:(0:716:SW:1): retransmitting due to retransmit phase 1
May 7 14:30:46 CDT: ISAKMP:(0:716:SW:1): retransmitting phase 1 QM_IDLE ...
May 7 14:30:46 CDT: ISAKMP (0:134218444): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
May 7 14:30:46 CDT: ISAKMP:(0:716:SW:1): retransmitting phase 1 QM_IDLE
May 7 14:30:46 CDT: ISAKMP:(0:716:SW:1): sending packet to 200.1.1.1 my_port 4500 peer_port 4500 (R) QM_IDLE
May 7 14:30:52 CDT: ISAKMP: received ke message (3/1)
May 7 14:30:52 CDT: ISAKMP:(0:716:SW:1):peer does not do paranoid keepalives.
May 7 14:30:52 CDT: ISAKMP:(0:716:SW:1):deleting SA reason "P1 delete notify (in)" state (R) QM_IDLE (peer 200.1.1.1)
May 7 14:30:52 CDT: ISAKMP:(0:715:SW:1):peer does not do paranoid keepalives.
May 7 14:30:52 CDT: ISAKMP:(0:716:SW:1): retransmitting phase 2 QM_IDLE -1092494630 ...
May 7 14:30:52 CDT: ISAKMP:(0:716:SW:1):peer does not do paranoid keepalives.
May 7 14:30:52 CDT: ISAKMP: set new node 1345361410 to QM_IDLE
May 7 14:30:52 CDT: ISAKMP:(0:716:SW:1): sending packet to 200.1.1.1 my_port 4500 peer_port 4500 (R) QM_IDLE
May 7 14:30:52 CDT: ISAKMP:(0:716:SW:1):purging node 1345361410
May 7 14:30:52 CDT: ISAKMP:(0:716:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
May 7 14:30:52 CDT: ISAKMP:(0:716:SW:1):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA
May 7 14:30:52 CDT: ISAKMP:(0:716:SW:1):deleting SA reason "No reason" state (R) QM_IDLE (peer 200.1.1.1)
May 7 14:30:52 CDT: ISAKMP: Unlocking IKE struct 0x656AA2B0 for isadb_mark_sa_deleted(), count 0
May 7 14:30:52 CDT: ISAKMP: Deleting peer node by peer_reap for 200.1.1.1: 656AA2B0
May 7 14:30:52 CDT: ISAKMP:(0:716:SW:1):deleting node -1092494630 error FALSE reason "IKE deleted"
May 7 14:30:52 CDT: ISAKMP:(0:716:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
May 7 14:30:52 CDT: ISAKMP:(0:716:SW:1):Old State = IKE_DEST_SA New State = IKE_DEST_SA
May 7 14:30:55 CDT: ISAKMP (0:134218444): received packet from 200.1.1.1 dport 4500 sport 4500 Global (R) MM_NO_STATE
May 7 14:31:05 CDT: ISAKMP:(0:715:SW:1):purging node 1843499205
May 7 14:31:05 CDT: ISAKMP (0:134218444): received packet from 200.1.1.1 dport 4500 sport 4500 Global (R) MM_NO_STATE
May 7 14:31:15 CDT: ISAKMP:(0:715:SW:1):purging SA., sa=64E4AB14, delme=64E4AB14
May 7 14:31:42 CDT: ISAKMP:(0:716:SW:1):purging node -1092494630
May 7 14:31:45 CDT: ISAKMP (0:0): received packet from 200.1.1.1 dport 500 sport 500 Global (N) NEW SA
May 7 14:31:45 CDT: ISAKMP: Created a peer struct for 200.1.1.1, peer port 500
May 7 14:31:45 CDT: ISAKMP: New peer created peer = 0x656AA2B0 peer_handle = 0x80000514
May 7 14:31:45 CDT: ISAKMP: Locking peer struct 0x656AA2B0, IKE refcount 1 for crypto_isakmp_process_block
May 7 14:31:45 CDT: ISAKMP: local port 500, remote port 500
May 7 14:31:45 CDT: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 64E4AB14
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0):Old State = IKE_READY New State = IKE_R_MM1
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0): processing SA payload. message ID = 0
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0): processing vendor id payload
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 69 mismatch
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0): processing vendor id payload
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 245 mismatch
May 7 14:31:45 CDT: ISAKMP (0:0): vendor ID is NAT-T v7
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0): processing vendor id payload
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 157 mismatch
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v3
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0): processing vendor id payload
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 123 mismatch
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v2
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 200.1.1.1
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0): local preshared key found
May 7 14:31:45 CDT: ISAKMP : Scanning profiles for xauth ...
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 5 policy
May 7 14:31:45 CDT: ISAKMP: encryption DES-CBC
May 7 14:31:45 CDT: ISAKMP: hash SHA
May 7 14:31:45 CDT: ISAKMP: default group 1
May 7 14:31:45 CDT: ISAKMP: auth pre-share
May 7 14:31:45 CDT: ISAKMP: life type in seconds
May 7 14:31:45 CDT: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 2 against priority 5 policy
May 7 14:31:45 CDT: ISAKMP: encryption 3DES-CBC
May 7 14:31:45 CDT: ISAKMP: hash SHA
May 7 14:31:45 CDT: ISAKMP: default group 2
May 7 14:31:45 CDT: ISAKMP: auth pre-share
May 7 14:31:45 CDT: ISAKMP: life type in seconds
May 7 14:31:45 CDT: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 3 against priority 5 policy
May 7 14:31:45 CDT: ISAKMP: encryption AES-CBC
May 7 14:31:45 CDT: ISAKMP: keylength of 256
May 7 14:31:45 CDT: ISAKMP: hash SHA
May 7 14:31:45 CDT: ISAKMP: default group 2
May 7 14:31:45 CDT: ISAKMP: auth pre-share
May 7 14:31:45 CDT: ISAKMP: life type in seconds
May 7 14:31:45 CDT: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0):Diffie-Hellman group offered does not match policy!
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 4 against priority 5 policy
May 7 14:31:45 CDT: ISAKMP: encryption AES-CBC
May 7 14:31:45 CDT: ISAKMP: keylength of 256
May 7 14:31:45 CDT: ISAKMP: hash SHA
May 7 14:31:45 CDT: ISAKMP: default group 5
May 7 14:31:45 CDT: ISAKMP: auth pre-share
May 7 14:31:45 CDT: ISAKMP: life type in seconds
May 7 14:31:45 CDT: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 3
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): processing vendor id payload
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): vendor ID seems Unity/DPD but major 69 mismatch
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): processing vendor id payload
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): vendor ID seems Unity/DPD but major 245 mismatch
May 7 14:31:45 CDT: ISAKMP (0:134218445): vendor ID is NAT-T v7
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): processing vendor id payload
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): vendor ID seems Unity/DPD but major 157 mismatch
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): vendor ID is NAT-T v3
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): processing vendor id payload
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): vendor ID seems Unity/DPD but major 123 mismatch
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): vendor ID is NAT-T v2
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):Old State = IKE_R_MM1 New State = IKE_R_MM1
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): constructed NAT-T vendor-07 ID
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): sending packet to 200.1.1.1 my_port 500 peer_port 500 (R) MM_SA_SETUP
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):Old State = IKE_R_MM1 New State = IKE_R_MM2
May 7 14:31:45 CDT: ISAKMP (0:134218445): received packet from 200.1.1.1 dport 500 sport 500 Global (R) MM_SA_SETUP
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):Old State = IKE_R_MM2 New State = IKE_R_MM3
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): processing KE payload. message ID = 0
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): processing NONCE payload. message ID = 0
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):found peer pre-shared key matching 200.1.1.1
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):SKEYID state generated
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): processing vendor id payload
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): vendor ID is Unity
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): processing vendor id payload
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): vendor ID is DPD
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): processing vendor id payload
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): speaking to another IOS box!
May 7 14:31:45 CDT: ISAKMP (0:134218445): NAT found, the node inside NAT
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):Old State = IKE_R_MM3 New State = IKE_R_MM3
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): sending packet to 200.1.1.1 my_port 500 peer_port 500 (R) MM_KEY_EXCH
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):Old State = IKE_R_MM3 New State = IKE_R_MM4
May 7 14:31:45 CDT: ISAKMP (0:134218445): received packet from 200.1.1.1 dport 4500 sport 4500 Global (R) MM_KEY_EXCH
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):Old State = IKE_R_MM4 New State = IKE_R_MM5
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): processing ID payload. message ID = 0
May 7 14:31:45 CDT: ISAKMP (0:134218445): ID payload
next-payload : 8
type : 1
address : 200.1.1.1
protocol : 17
port : 0
length : 12
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):: peer matches *none* of the profiles
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): processing HASH payload. message ID = 0
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): processing NOTIFY INITIAL_CONTACT protocol 1
spi 0, message ID = 0, sa = 64E4AB14
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):SA authentication status:
authenticated
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): Process initial contact,
bring down existing phase 1 and 2 SA's with local 10.1.1.1 remote 200.1.1.1 remote port 4500
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):SA authentication status:
authenticated
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):SA has been authenticated with 200.1.1.1
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):Detected port floating to port = 4500
May 7 14:31:45 CDT: ISAKMP: Trying to insert a peer 10.1.1.1/200.1.1.1/4500/, and inserted successfully 656AA2B0.
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):Setting UDP ENC peer struct 0x661D688C sa= 0x64E4AB14
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):Old State = IKE_R_MM5 New State = IKE_R_MM5
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
May 7 14:31:45 CDT: ISAKMP (0:134218445): ID payload
next-payload : 8
type : 1
address : 10.1.1.1
protocol : 17
port : 0
length : 12
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):Total payload length: 12
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): sending packet to 200.1.1.1 my_port 4500 peer_port 4500 (R) MM_KEY_EXCH
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
May 7 14:31:52 CDT: ISAKMP: received ke message (1/1)
May 7 14:31:52 CDT: ISAKMP: set new node 0 to QM_IDLE
May 7 14:31:52 CDT: ISAKMP:(0:717:SW:1): sitting IDLE. Starting QM immediately (QM_IDLE )
May 7 14:31:52 CDT: ISAKMP:(0:717:SW:1):beginning Quick Mode exchange, M-ID of -1201835538
May 7 14:31:52 CDT: ISAKMP:(0:717:SW:1): sending packet to 200.1.1.1 my_port 4500 peer_port 4500 (R) QM_IDLE
May 7 14:31:52 CDT: ISAKMP:(0:717:SW:1):Node -1201835538, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
May 7 14:31:52 CDT: ISAKMP:(0:717:SW:1):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
May 7 14:31:52 CDT: ISAKMP:(0:716:SW:1):purging SA., sa=64E55FE0, delme=64E55FE0
May 7 14:31:55 CDT: ISAKMP (0:134218445): received packet from 200.1.1.1 dport 4500 sport 4500 Global (R) QM_IDLE
May 7 14:31:55 CDT: ISAKMP:(0:717:SW:1): phase 1 packet is a duplicate of a previous packet.
May 7 14:31:55 CDT: ISAKMP:(0:717:SW:1): retransmitting due to retransmit phase 1
May 7 14:31:56 CDT: ISAKMP:(0:717:SW:1): retransmitting phase 1 QM_IDLE ...
May 7 14:31:56 CDT: ISAKMP (0:134218445): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
May 7 14:31:56 CDT: ISAKMP:(0:717:SW:1): retransmitting phase 1 QM_IDLE
May 7 14:31:56 CDT: ISAKMP:(0:717:SW:1): sending packet to 200.1.1.1 my_port 4500 peer_port 4500 (R) QM_IDLE
R2#
R2#
R2#
R2#un
May 7 14:32:02 CDT: ISAKMP:(0:717:SW:1): retransmitting phase 2 QM_IDLE -1201835538 ...
May 7 14:32:02 CDT: ISAKMP (0:134218445): incrementing error counter on node, attempt 1 of 5: retransmit phase 2
May 7 14:32:02 CDT: ISAKMP (0:134218445): incrementing error counter on sa, attempt 2 of 5: retransmit phase 2
May 7 14:32:02 CDT: ISAKMP:(0:717:SW:1): retransmitting phase 2 -1201835538 QM_IDLE
May 7 14:32:02 CDT: ISAKMP:(0:717:SW:1): sending packet to 200.1.1.1 my_port 4500 peer_port 4500 (R) QM_IDLE
The specific portion of the debug that has caught my attention is as follows toward the end:
May 7 14:31:52 CDT: ISAKMP:(0:717:SW:1): sending packet to 200.1.1.1 my_port 4500 peer_port 4500 (R) QM_IDLE
May 7 14:31:52 CDT: ISAKMP:(0:717:SW:1):Node -1201835538, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
May 7 14:31:52 CDT: ISAKMP:(0:717:SW:1):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
May 7 14:31:52 CDT: ISAKMP:(0:716:SW:1):purging SA., sa=64E55FE0, delme=64E55FE0
May 7 14:31:55 CDT: ISAKMP (0:134218445): received packet from 200.1.1.1 dport 4500 sport 4500 Global (R) QM_IDLE
May 7 14:31:55 CDT: ISAKMP:(0:717:SW:1): phase 1 packet is a duplicate of a previous packet.
As an added clue, R1 displays the following message at the console:
*May 8 15:34:28.857: %CRYPTO-4-IKMP_NO_SA: IKE message from 200.1.1.2 has no SA and is not an initialization offer
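The R2 debug above shows the responder walking the initiator's four transforms against its local policy in priority order (transform 1 and 2 rejected on encryption, transform 3 on the DH group, transform 4 accepted), and the R1 debug later in this thread shows the same walk from the initiator's side against policies 10, 15, 20 and 100. Two things are worth checking in that output: R1 is still offering DES-CBC with group 1 as its first transform, which a practitioner would remove from the policy set, and the posted policies (hash md5) could not have accepted any of the SHA-only transforms in the debug, so the debug reflects a running configuration that differs from the snippet. The following Python model of that IKEv1 phase-1 policy matching is an added example and not code from the original post or from Cisco. The transforms and R2's priority-5 policy are taken or inferred from the debug; R1's policies 10, 15 and 20 are assumed values chosen only to reproduce the rejection reasons the debug printed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Transform:
    """One ISAKMP phase-1 proposal: the attributes IOS prints per 'transform N'."""
    encryption: str        # "des", "3des", "aes-128", "aes-256"
    hash: str              # "sha", "md5"
    dh_group: int          # 1, 2, 5, ...
    auth: str              # "pre-share", "rsa-sig"
    lifetime: int = 86400  # seconds; 0x00015180 in the debug


@dataclass(frozen=True)
class Policy:
    priority: int          # 'crypto isakmp policy <n>': lower number is tried first
    attrs: Transform


def mismatch(offered: Transform, local: Transform) -> Optional[str]:
    """Return the first attribute that fails, in the order IOS checks them, or None.
    Lifetime never causes a rejection: the shorter of the two values is used."""
    if offered.encryption != local.encryption:
        return "Encryption algorithm offered does not match policy!"
    if offered.hash != local.hash:
        return "Hash algorithm offered does not match policy!"
    if offered.dh_group != local.dh_group:
        return "Diffie-Hellman group offered does not match policy!"
    if offered.auth != local.auth:
        return "Authentication method offered does not match policy!"
    return None


def negotiate(offered: List[Transform], policies: List[Policy],
              log: Optional[List[str]] = None) -> Optional[Tuple[int, int, int]]:
    """Walk local policies by priority and, for each, the peer's transforms in the
    order offered; the first match wins (this is the order the debug shows).
    Returns (policy_priority, transform_number, negotiated_lifetime) or None."""
    log = log if log is not None else []
    for pol in sorted(policies, key=lambda p: p.priority):
        for n, t in enumerate(offered, start=1):
            log.append(f"Checking ISAKMP transform {n} against priority {pol.priority} policy")
            why = mismatch(t, pol.attrs)
            if why is None:
                log.append("atts are acceptable.")
                return pol.priority, n, min(t.lifetime, pol.attrs.lifetime)
            log.append(why)
            log.append("atts are not acceptable.")
    return None


# What R1 offered, exactly as R2's debug printed transforms 1..4.
R1_OFFER = [
    Transform("des", "sha", 1, "pre-share"),
    Transform("3des", "sha", 2, "pre-share"),
    Transform("aes-256", "sha", 2, "pre-share"),
    Transform("aes-256", "sha", 5, "pre-share"),
]
# R2's running policy 5, inferred from the transform it accepted.
R2_RUNNING = [Policy(5, Transform("aes-256", "sha", 5, "pre-share"))]
# R2's policy 2 exactly as posted in the thread (hash md5, group 5).
R2_POSTED = [Policy(2, Transform("aes-256", "md5", 5, "pre-share"))]

# What R2 sent back (the single transform R1's debug checked) and R1's
# policies 10/15/20/100. Only 100 is fully known from the debug; 10, 15 and 20
# are ASSUMED values consistent with the rejection reasons R1 printed.
R2_OFFER = [Transform("aes-256", "sha", 5, "pre-share")]
R1_RUNNING = [
    Policy(10, Transform("3des", "sha", 2, "pre-share")),     # assumed
    Policy(15, Transform("aes-128", "sha", 2, "pre-share")),  # assumed
    Policy(20, Transform("aes-256", "sha", 2, "pre-share")),  # assumed: only the group differs
    Policy(100, Transform("aes-256", "sha", 5, "pre-share")),
]


if __name__ == "__main__":
    for label, offer, pols in (("R2 responder", R1_OFFER, R2_RUNNING),
                               ("R2 as posted", R1_OFFER, R2_POSTED),
                               ("R1 initiator", R2_OFFER, R1_RUNNING)):
        trace: List[str] = []
        print(label, "->", negotiate(offer, pols, trace))
        for entry in trace:
            print("   ", entry)
```

Running it reproduces the debug: R2 settles on transform 4 under policy 5, R1 settles on policy 100, and the policy as posted rejects every transform on the hash attribute.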
Hi,
Can you add 'tunnel mode ipsec ipv4' under both tunnel interfaces?
Since the full config is not available in this post (routes/keys etc.), here is a link where you can match your config against it:
If you have the above command under both tunnel interfaces and a route for the remote subnet pointing to the tunnel interface, it should work fine.
If it doesn't, please post 'show run' from both routers. Change the external IPs if this is not a lab setup.
-
Sourav
Good point, Sokakkar. Thank you for the reminder. To be honest, the config above was the original config; I have since added "tunnel mode ipsec ipv4" as follows:
Router 1:
crypto ipsec transform-set SEC esp-aes 256 esp-md5-hmac
mode tunnel
!
crypto ipsec profile IPSEC
set transform-set SEC
!
!
interface Tunnel1
ip address 172.16.1.1 255.255.255.252
tunnel source 200.1.1.1
tunnel destination 200.1.1.2
tunnel mode ipsec ipv4
tunnel protection ipsec profile IPSEC
!
crypto isakmp key SECURITYKEY address 200.1.1.2
!
crypto isakmp policy 1
encr aes 256
hash md5
authentication pre-share
group 2
ASA:
static (inside,outside) 200.1.1.2 10.1.1.1 netmask 255.255.255.255
Router 2:
interface Tunnel2
ip address 172.16.1.2 255.255.255.252
tunnel source 10.1.1.1
tunnel destination 200.1.1.1
tunnel mode ipsec ipv4
tunnel protection ipsec profile IPSEC
!
crypto ipsec transform-set SEC esp-aes 256 esp-md5-hmac
mode tunnel
!
crypto ipsec profile IPSEC
set transform-set SEC
!
crypto isakmp key SECURITYKEY address 200.1.1.1
!
crypto isakmp policy 2
encr aes 256
hash md5
authentication pre-share
group 5
Everything else is the same; the debug was actually taken after the tunnel mode command was added to the config.
Another clue might be that R2 shows the following for several seconds:
10.1.1.1 200.1.1.1 QM_IDLE 1935 0 ACTIVE
While R2 shows:
200.1.1.2 200.1.1.1 MM_KEY_EXCH 5927 0 ACTIVE
After a few seconds both sides revert to MM_NO_STATE.
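The two debugs in this thread disagree about whether phase 1 finished: R2 goes IKE_R_MM5 to IKE_P1_COMPLETE and starts Quick Mode, while R1 never leaves IKE_I_MM5, keeps retransmitting MM_KEY_EXCH on UDP/4500 and logs %CRYPTO-4-IKMP_NO_SA for packets from 200.1.1.2. Because NAT-T floated the exchange to UDP/4500 after MM3/MM4, the last phase-1 messages and everything after them travel on a different port than the first four, and the static NAT and every device in the path has to carry that port too. Reading this out of a wall of ISAKMP debug by eye is slow, so the following Python script is an added example, not code from the original post, that turns `debug crypto isakmp` output into a per-SA state timeline and a short list of findings. The sample input is a trimmed set of lines copied from the R1 and R2 debugs in this thread; the regular expressions match the message formats those lines use and are assumptions for any other IOS release.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Sample input: lines copied from the R2 and R1 debugs in this thread (trimmed).
R2_SAMPLE = """\
May 7 14:31:45 CDT: ISAKMP (0:134218445): NAT found, the node inside NAT
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):Old State = IKE_R_MM3 New State = IKE_R_MM4
May 7 14:31:45 CDT: ISAKMP (0:134218445): received packet from 200.1.1.1 dport 4500 sport 4500 Global (R) MM_KEY_EXCH
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):Old State = IKE_R_MM4 New State = IKE_R_MM5
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):Detected port floating to port = 4500
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): sending packet to 200.1.1.1 my_port 4500 peer_port 4500 (R) MM_KEY_EXCH
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
May 7 14:31:52 CDT: ISAKMP:(0:717:SW:1):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
May 7 14:31:55 CDT: ISAKMP:(0:717:SW:1): phase 1 packet is a duplicate of a previous packet.
May 7 14:31:56 CDT: ISAKMP (0:134218445): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
"""
R1_SAMPLE = """\
*May 8 20:14:28.672: ISAKMP (0:6153): NAT found, the node outside NAT
*May 8 20:14:28.672: ISAKMP:(6153): sending packet to 200.1.1.2 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
*May 8 20:14:28.676: ISAKMP:(6153):Old State = IKE_I_MM4 New State = IKE_I_MM5
*May 8 20:14:33.780: %CRYPTO-4-IKMP_NO_SA: IKE message from 200.1.1.2 has no SA and is not an initialization offer
*May 8 20:14:38.672: ISAKMP (0:6153): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*May 8 20:14:48.672: ISAKMP (0:6153): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
"""

# Message formats as they appear in this thread's debugs (assumed for other releases).
STATE_RE = re.compile(r"ISAKMP:\((?P<sa>[^)]*)\):Old State = (?P<old>\S+) New State = (?P<new>\S+)")
RETRANS_RE = re.compile(r"incrementing error counter on sa, attempt (?P<n>\d+) of (?P<max>\d+): retransmit phase (?P<phase>\d)")
NAT_RE = re.compile(r"NAT found, the node (?P<where>inside|outside) NAT")
FLOAT_RE = re.compile(r"Detected port floating to port = (?P<port>\d+)")
NOSA_RE = re.compile(r"%CRYPTO-4-IKMP_NO_SA: IKE message from (?P<peer>\S+) has no SA")
SEND_RE = re.compile(r"sending packet to (?P<peer>\S+) my_port (?P<my>\d+) peer_port (?P<their>\d+) \((?P<role>[IR])\) (?P<state>\S+)")
DUP_RE = re.compile(r"phase 1 packet is a duplicate of a previous packet")


@dataclass
class IkeReport:
    transitions: Dict[str, List[Tuple[str, str]]] = field(default_factory=lambda: defaultdict(list))
    nat_position: Optional[str] = None           # "inside" or "outside" the NAT
    port_float: Optional[int] = None             # UDP port IKE floated to (NAT-T)
    phase1_retransmits: int = 0
    phase2_retransmits: int = 0
    duplicates: int = 0                          # peer re-sent its last phase-1 message
    no_sa_from: List[str] = field(default_factory=list)
    last_send: Optional[Tuple[str, int, int, str, str]] = None  # peer, my port, peer port, role, state

    def final_state(self, sa: str) -> Optional[str]:
        steps = self.transitions.get(sa)
        return steps[-1][1] if steps else None

    def phase1_complete(self) -> bool:
        return any(new == "IKE_P1_COMPLETE" for steps in self.transitions.values() for _, new in steps)


def parse_debug(text: str) -> IkeReport:
    """Fold debug lines into an IkeReport; the timestamp prefix is ignored."""
    rep = IkeReport()
    for line in text.splitlines():
        if m := STATE_RE.search(line):
            rep.transitions[m["sa"]].append((m["old"], m["new"]))
        elif m := RETRANS_RE.search(line):
            if m["phase"] == "1":
                rep.phase1_retransmits += 1
            else:
                rep.phase2_retransmits += 1
        elif m := NAT_RE.search(line):
            rep.nat_position = m["where"]
        elif m := FLOAT_RE.search(line):
            rep.port_float = int(m["port"])
        elif m := NOSA_RE.search(line):
            rep.no_sa_from.append(m["peer"])
        elif m := SEND_RE.search(line):
            rep.last_send = (m["peer"], int(m["my"]), int(m["their"]), m["role"], m["state"])
        elif DUP_RE.search(line):
            rep.duplicates += 1
    return rep


def findings(rep: IkeReport) -> List[str]:
    """Plain-language observations that follow directly from the counters."""
    out: List[str] = []
    if rep.nat_position:
        msg = f"NAT-T: this node is {rep.nat_position} the NAT"
        if rep.port_float:
            msg += f"; IKE floated to UDP/{rep.port_float}, which the path must carry as well as UDP/500"
        out.append(msg)
    if rep.last_send and not rep.phase1_complete() and rep.phase1_retransmits:
        peer, my, their, role, state = rep.last_send
        who = "initiator" if role == "I" else "responder"
        out.append(f"phase 1 stalled as {who} in {state}: last message sent to {peer}:{their} "
                   f"from UDP/{my}, {rep.phase1_retransmits} retransmit(s), no reply processed")
    if rep.phase1_complete() and rep.phase1_retransmits:
        out.append("phase 1 completed locally, but the final phase-1 message is being retransmitted: the peer never accepted it")
    if rep.duplicates:
        out.append(f"{rep.duplicates} duplicate phase-1 packet(s) from the peer: it is re-sending its last message, so our reply is not being accepted")
    for peer in rep.no_sa_from:
        out.append(f"IKE message from {peer} matched no SA (unknown cookies): the peer is using an SA this node deleted or never completed")
    return out


if __name__ == "__main__":
    for name, sample in (("R2", R2_SAMPLE), ("R1", R1_SAMPLE)):
        rep = parse_debug(sample)
        print(name, {sa: steps for sa, steps in rep.transitions.items()})
        for f in findings(rep):
            print("  -", f)
```

On the two samples the report says what the thread's poster worked out by hand: R2 (inside the NAT, floated to 4500) completes phase 1 and then sees duplicates, while R1 (outside the NAT) is stuck as initiator in MM_KEY_EXCH with messages from 200.1.1.2 that match no SA. Point it at a full capture with `parse_debug(open("r1.log").read())` to get the same summary for a longer session.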
OK, is this a production setup? If not, can you do a 'write memory' on both ends, reload the routers and test again?
If that doesn't resolve the issue, please run conditional debugs as follows on both routers:
undebug all
debug crypto condition peer ipv4
debug crypto isakmp
-
Sourav
Thank you for the suggestions, Sokakkar. I did just what you asked with
undebug all
debug crypto condition peer ipv4
debug crypto isakmp
This is a production environment, and I have altered the information for privacy reasons, so I am not able to reload either of the devices.
The debugs are as follows:
R1 DEBUGS:
R1#debug crypto isakmp
Crypto ISAKMP debugging is on
R1#
*May 8 20:14:18.668: ISAKMP:(6151):purging node -1205767715
*May 8 20:14:28.140: ISAKMP: local port 500, remote port 500
*May 8 20:14:28.144: ISAKMP: set new node 0 to QM_IDLE
*May 8 20:14:28.144: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 45FED9E4
*May 8 20:14:28.144: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*May 8 20:14:28.144: ISAKMP:(0):found peer pre-shared key matching 200.1.1.2
*May 8 20:14:28.144: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*May 8 20:14:28.144: ISAKMP:(0): constructed NAT-T vendor-07 ID
*May 8 20:14:28.144: ISAKMP:(0): constructed NAT-T vendor-03 ID
*May 8 20:14:28.144: ISAKMP:(0): constructed NAT-T vendor-02 ID
*May 8 20:14:28.144: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*May 8 20:14:28.144: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
*May 8 20:14:28.144: ISAKMP:(0): beginning Main Mode exchange
*May 8 20:14:28.144: ISAKMP:(0): sending packet to 200.1.1.2 my_port 500 peer_port 500 (I) MM_NO_STATE
*May 8 20:14:28.144: ISAKMP:(0):Sending an IKE IPv4 Packet.
*May 8 20:14:28.356: ISAKMP (0:0): received packet from 200.1.1.2 dport 500 sport 500 Global (I) MM_NO_STATE
*May 8 20:14:28.356: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*May 8 20:14:28.356: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2
*May 8 20:14:28.356: ISAKMP:(0): processing SA payload. message ID = 0
*May 8 20:14:28.356: ISAKMP:(0): processing vendor id payload
*May 8 20:14:28.356: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*May 8 20:14:28.356: ISAKMP (0:0): vendor ID is NAT-T v7
*May 8 20:14:28.356: ISAKMP:(0):found peer pre-shared key matching 200.1.1.2
*May 8 20:14:28.356: ISAKMP:(0): local preshared key found
*May 8 20:14:28.356: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*May 8 20:14:28.356: ISAKMP: encryption AES-CBC
*May 8 20:14:28.356: ISAKMP: keylength of 256
*May 8 20:14:28.356: ISAKMP: hash SHA
*May 8 20:14:28.356: ISAKMP: default group 5
*May 8 20:14:28.356: ISAKMP: auth pre-share
*May 8 20:14:28.356: ISAKMP: life type in seconds
*May 8 20:14:28.356: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*May 8 20:14:28.356: ISAKMP:(0):Encryption algorithm offered does not match policy!
*May 8 20:14:28.356: ISAKMP:(0):atts are not acceptable. Next payload is 0
*May 8 20:14:28.356: ISAKMP:(0):Checking ISAKMP transform 1 against priority 15 policy
*May 8 20:14:28.360: ISAKMP: encryption AES-CBC
*May 8 20:14:28.360: ISAKMP: keylength of 256
*May 8 20:14:28.360: ISAKMP: hash SHA
*May 8 20:14:28.360: ISAKMP: default group 5
*May 8 20:14:28.360: ISAKMP: auth pre-share
*May 8 20:14:28.360: ISAKMP: life type in seconds
*May 8 20:14:28.360: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*May 8 20:14:28.360: ISAKMP:(0):Encryption algorithm offered does not match policy!
*May 8 20:14:28.360: ISAKMP:(0):atts are not acceptable. Next payload is 0
*May 8 20:14:28.360: ISAKMP:(0):Checking ISAKMP transform 1 against priority 20 policy
*May 8 20:14:28.360: ISAKMP: encryption AES-CBC
*May 8 20:14:28.360: ISAKMP: keylength of 256
*May 8 20:14:28.360: ISAKMP: hash SHA
*May 8 20:14:28.360: ISAKMP: default group 5
*May 8 20:14:28.360: ISAKMP: auth pre-share
*May 8 20:14:28.360: ISAKMP: life type in seconds
*May 8 20:14:28.360: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*May 8 20:14:28.360: ISAKMP:(0):Diffie-Hellman group offered does not match policy!
*May 8 20:14:28.360: ISAKMP:(0):atts are not acceptable. Next payload is 0
*May 8 20:14:28.360: ISAKMP:(0):Checking ISAKMP transform 1 against priority 100 policy
*May 8 20:14:28.360: ISAKMP: encryption AES-CBC
*May 8 20:14:28.360: ISAKMP: keylength of 256
*May 8 20:14:28.360: ISAKMP: hash SHA
*May 8 20:14:28.360: ISAKMP: default group 5
*May 8 20:14:28.360: ISAKMP: auth pre-share
*May 8 20:14:28.360: ISAKMP: life type in seconds
*May 8 20:14:28.360: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*May 8 20:14:28.360: ISAKMP:(0):atts are acceptable. Next payload is 0
*May 8 20:14:28.360: ISAKMP:(0):Acceptable atts:actual life: 0
*May 8 20:14:28.360: ISAKMP:(0):Acceptable atts:life: 0
*May 8 20:14:28.360: ISAKMP:(0):Fill atts in sa vpi_length:4
*May 8 20:14:28.360: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
*May 8 20:14:28.360: ISAKMP:(0):Returning Actual lifetime: 86400
*May 8 20:14:28.360: ISAKMP:(0)::Started lifetime timer: 86400.
*May 8 20:14:28.360: ISAKMP:(0): processing vendor id payload
*May 8 20:14:28.360: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*May 8 20:14:28.360: ISAKMP (0:0): vendor ID is NAT-T v7
*May 8 20:14:28.360: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*May 8 20:14:28.360: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2
*May 8 20:14:28.360: ISAKMP:(0): sending packet to 200.1.1.2 my_port 500 peer_port 500 (I) MM_SA_SETUP
*May 8 20:14:28.360: ISAKMP:(0):Sending an IKE IPv4 Packet.
*May 8 20:14:28.360: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*May 8 20:14:28.360: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3
*May 8 20:14:28.580: ISAKMP (0:0): received packet from 200.1.1.2 dport 500 sport 500 Global (I) MM_SA_SETUP
*May 8 20:14:28.580: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*May 8 20:14:28.580: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4
*May 8 20:14:28.580: ISAKMP:(0): processing KE payload. message ID = 0
*May 8 20:14:28.672: ISAKMP:(0): processing NONCE payload. message ID = 0
*May 8 20:14:28.672: ISAKMP:(0):found peer pre-shared key matching 200.1.1.2
*May 8 20:14:28.672: ISAKMP:(6153): processing vendor id payload
*May 8 20:14:28.672: ISAKMP:(6153): vendor ID is Unity
*May 8 20:14:28.672: ISAKMP:(6153): processing vendor id payload
*May 8 20:14:28.672: ISAKMP:(6153): vendor ID is DPD
*May 8 20:14:28.672: ISAKMP:(6153): processing vendor id payload
*May 8 20:14:28.672: ISAKMP:(6153): speaking to another IOS box!
*May 8 20:14:28.672: ISAKMP (0:6153): NAT found, the node outside NAT
*May 8 20:14:28.672: ISAKMP:(6153):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*May 8 20:14:28.672: ISAKMP:(6153):Old State = IKE_I_MM4 New State = IKE_I_MM4
*May 8 20:14:28.672: ISAKMP:(6151):purging SA., sa=45291908, delme=45291908
*May 8 20:14:28.672: ISAKMP:(6153):Send initial contact
*May 8 20:14:28.672: ISAKMP:(6153):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*May 8 20:14:28.672: ISAKMP (0:6153): ID payload
next-payload : 8
type : 1
address : 200.1.1.1
protocol : 17
port : 0
length : 12
*May 8 20:14:28.672: ISAKMP:(6153):Total payload length: 12
*May 8 20:14:28.672: ISAKMP:(6153): sending packet to 200.1.1.2 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
*May 8 20:14:28.672: ISAKMP:(6153):Sending an IKE IPv4 Packet.
*May 8 20:14:28.676: ISAKMP:(6153):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*May 8 20:14:28.676: ISAKMP:(6153):Old State = IKE_I_MM4 New State = IKE_I_MM5
*May 8 20:14:33.780: %CRYPTO-4-IKMP_NO_SA: IKE message from 200.1.1.2 has no SA and is not an initialization offer
R1#
*May 8 20:14:38.672: ISAKMP:(6153): retransmitting phase 1 MM_KEY_EXCH...
*May 8 20:14:38.672: ISAKMP (0:6153): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*May 8 20:14:38.672: ISAKMP:(6153): retransmitting phase 1 MM_KEY_EXCH
*May 8 20:14:38.672: ISAKMP:(6153): sending packet to 200.1.1.2 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
*May 8 20:14:38.672: ISAKMP:(6153):Sending an IKE IPv4 Packet.
R1#
*May 8 20:14:48.664: ISAKMP:(6152):purging node 1194713063
*May 8 20:14:48.672: ISAKMP:(6153): retransmitting phase 1 MM_KEY_EXCH...
*May 8 20:14:48.672: ISAKMP (0:6153): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*May 8 20:14:48.672: ISAKMP:(6153): retransmitting phase 1 MM_KEY_EXCH
*May 8 20:14:48.672: ISAKMP:(6153): sending packet to 200.1.1.2 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
*May 8 20:14:48.672: ISAKMP:(6153):Sending an IKE IPv4 Packet.
R1#
*May 8 20:14:58.140: ISAKMP: local port 500, remote port 500
*May 8 20:14:58.140: ISAKMP: set new node 0 to QM_IDLE
*May 8 20:14:58.140: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 45FEE170
*May 8 20:14:58.140: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*May 8 20:14:58.140: ISAKMP:(0):found peer pre-shared key matching 200.1.1.2
*May 8 20:14:58.140: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*May 8 20:14:58.140: ISAKMP:(0): constructed NAT-T vendor-07 ID
*May 8 20:14:58.140: ISAKMP:(0): constructed NAT-T vendor-03 ID
*May 8 20:14:58.140: ISAKMP:(0): constructed NAT-T vendor-02 ID
*May 8 20:14:58.140: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*May 8 20:14:58.140: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
*May 8 20:14:58.140: ISAKMP:(0): beginning Main Mode exchange
*May 8 20:14:58.140: ISAKMP:(0): sending packet to 200.1.1.2 my_port 500 peer_port 500 (I) MM_NO_STATE
*May 8 20:14:58.140: ISAKMP:(0):Sending an IKE IPv4 Packet.
*May 8 20:14:58.352: ISAKMP (0:0): received packet from 200.1.1.2 dport 500 sport 500 Global (I) MM_NO_STATE
*May 8 20:14:58.352: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*May 8 20:14:58.352: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2
*May 8 20:14:58.352: ISAKMP:(0): processing SA payload. message ID = 0
*May 8 20:14:58.356: ISAKMP:(0): processing vendor id payload
*May 8 20:14:58.356: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*May 8 20:14:58.356: ISAKMP (0:0): vendor ID is NAT-T v7
*May 8 20:14:58.356: ISAKMP:(0):found peer pre-shared key matching 200.1.1.2
*May 8 20:14:58.356: ISAKMP:(0): local preshared key found
*May 8 20:14:58.356: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*May 8 20:14:58.356: ISAKMP: encryption AES-CBC
*May 8 20:14:58.356: ISAKMP: keylength of 256
*May 8 20:14:58.356: ISAKMP: hash SHA
*May 8 20:14:58.356: ISAKMP: default group 5
*May 8 20:14:58.356: ISAKMP: auth pre-share
*May 8 20:14:58.356: ISAKMP: life type in seconds
*May 8 20:14:58.356: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*May 8 20:14:58.356: ISAKMP:(0):Encryption algorithm offered does not match policy!
*May 8 20:14:58.356: ISAKMP:(0):atts are not acceptable. Next payload is 0
*May 8 20:14:58.356: ISAKMP:(0):Checking ISAKMP transform 1 against priority 15 policy
*May 8 20:14:58.356: ISAKMP: encryption AES-CBC
*May 8 20:14:58.356: ISAKMP: keylength of 256
*May 8 20:14:58.356: ISAKMP: hash SHA
*May 8 20:14:58.356: ISAKMP: default group 5
*May 8 20:14:58.356: ISAKMP: auth pre-share
*May 8 20:14:58.356: ISAKMP: life type in seconds
*May 8 20:14:58.356: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*May 8 20:14:58.356: ISAKMP:(0):Encryption algorithm offered does not match policy!
*May 8 20:14:58.356: ISAKMP:(0):atts are not acceptable. Next payload is 0
*May 8 20:14:58.356: ISAKMP:(0):Checking ISAKMP transform 1 against priority 20 policy
*May 8 20:14:58.356: ISAKMP: encryption AES-CBC
*May 8 20:14:58.356: ISAKMP: keylength of 256
*May 8 20:14:58.356: ISAKMP: hash SHA
*May 8 20:14:58.356: ISAKMP: default group 5
*May 8 20:14:58.356: ISAKMP: auth pre-share
*May 8 20:14:58.356: ISAKMP: life type in seconds
*May 8 20:14:58.356: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*May 8 20:14:58.356: ISAKMP:(0):Diffie-Hellman group offered does not match policy!
*May 8 20:14:58.356: ISAKMP:(0):atts are not acceptable. Next payload is 0
*May 8 20:14:58.356: ISAKMP:(0):Checking ISAKMP transform 1 against priority 100 policy
*May 8 20:14:58.356: ISAKMP: encryption AES-CBC
*May 8 20:14:58.356: ISAKMP: keylength of 256
*May 8 20:14:58.356: ISAKMP: hash SHA
*May 8 20:14:58.356: ISAKMP: default group 5
*May 8 20:14:58.356: ISAKMP: auth pre-share
*May 8 20:14:58.356: ISAKMP: life type in seconds
*May 8 20:14:58.356: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*May 8 20:14:58.356: ISAKMP:(0):atts are acceptable. Next payload is 0
*May 8 20:14:58.356: ISAKMP:(0):Acceptable atts:actual life: 0
*May 8 20:14:58.356: ISAKMP:(0):Acceptable atts:life: 0
*May 8 20:14:58.356: ISAKMP:(0):Fill atts in sa vpi_length:4
*May 8 20:14:58.356: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
*May 8 20:14:58.356: ISAKMP:(0):Returning Actual lifetime: 86400
*May 8 20:14:58.356: ISAKMP:(0)::Started lifetime timer: 86400.
*May 8 20:14:58.356: ISAKMP:(0): processing vendor id payload
*May 8 20:14:58.356: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*May 8 20:14:58.356: ISAKMP (0:0): vendor ID is NAT-T v7
*May 8 20:14:58.356: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*May 8 20:14:58.356: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2
*May 8 20:14:58.356: ISAKMP:(0): sending packet to 200.1.1.2 my_port 500 peer_port 500 (I) MM_SA_SETUP
*May 8 20:14:58.356: ISAKMP:(0):Sending an IKE IPv4 Packet.
*May 8 20:14:58.360: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*May 8 20:14:58.360: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3
*May 8 20:14:58.580: ISAKMP (0:0): received packet from 200.1.1.2 dport 500 sport 500 Global (I) MM_SA_SETUP
*May 8 20:14:58.580: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*May 8 20:14:58.580: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4
*May 8 20:14:58.580: ISAKMP:(0): processing KE payload. message ID = 0
*May 8 20:14:58.668: ISAKMP:(0): processing NONCE payload. message ID = 0
*May 8 20:14:58.668: ISAKMP:(0):found peer pre-shared key matching 200.1.1.2
*May 8 20:14:58.668: ISAKMP:(6154): processing vendor id payload
*May 8 20:14:58.668: ISAKMP:(6154): vendor ID is Unity
*May 8 20:14:58.668: ISAKMP:(6154): processing vendor id payload
*May 8 20:14:58.668: ISAKMP:(6154): vendor ID is DPD
*May 8 20:14:58.668: ISAKMP:(6154): processing vendor id payload
*May 8 20:14:58.668: ISAKMP:(6154): speaking to another IOS box!
*May 8 20:14:58.668: ISAKMP (0:6154): NAT found, the node outside NAT
*May 8 20:14:58.668: ISAKMP:(6154):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*May 8 20:14:58.668: ISAKMP:(6154):Old State = IKE_I_MM4 New State = IKE_I_MM4
*May 8 20:14:58.668: ISAKMP:(6152):purging SA., sa=45FEB894, delme=45FEB894
*May 8 20:14:58.668: ISAKMP:(6154):Send initial contact
*May 8 20:14:58.668: ISAKMP:(6154):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*May 8 20:14:58.668: ISAKMP (0:6154): ID payload
next-payload : 8
type : 1
address : 200.1.1.1
protocol : 17
port : 0
length : 12
*May 8 20:14:58.668: ISAKMP:(6154):Total payload length: 12
*May 8 20:14:58.672: ISAKMP:(6154): sending packet to 200.1.1.2 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
*May 8 20:14:58.672: ISAKMP:(6154):Sending an IKE IPv4 Packet.
*May 8 20:14:58.672: ISAKMP:(6154):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*May 8 20:14:58.672: ISAKMP:(6154):Old State = IKE_I_MM4 New State = IKE_I_MM5
*May 8 20:14:58.672: ISAKMP:(6153): retransmitting phase 1 MM_KEY_EXCH...
*May 8 20:14:58.672: ISAKMP (0:6153): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
*May 8 20:14:58.672: ISAKMP:(6153): retransmitting phase 1 MM_KEY_EXCH
*May 8 20:14:58.672: ISAKMP:(6153): sending packet to 200.1.1.2 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
*May 8 20:14:58.672: ISAKMP:(6153):Sending an IKE IPv4 Packet.
R2 DEBUGS:
R2#debug crypto isakmp
Crypto ISAKMP debugging is on
R2#
May 8 15:17:52 CDT: ISAKMP: set new node 0 to QM_IDLE
May 8 15:17:52 CDT: ISAKMP:(0:1991:SW:1): sitting IDLE. Starting QM immediately (QM_IDLE )
May 8 15:17:52 CDT: ISAKMP:(0:1991:SW:1):beginning Quick Mode exchange, M-ID of -1574699992
May 8 15:17:52 CDT: ISAKMP:(0:1991:SW:1): sending packet to 200.1.1.1 my_port 4500 peer_port 4500 (R) QM_IDLE
May 8 15:17:52 CDT: ISAKMP:(0:1991:SW:1):Node -1574699992, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
May 8 15:17:52 CDT: ISAKMP:(0:1991:SW:1):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
May 8 15:17:52 CDT: ISAKMP:(0:1990:SW:1):purging SA., sa=64E62620, delme=64E62620
May 8 15:17:57 CDT: ISAKMP (0:134219719): received packet from 200.1.1.1 dport 4500 sport 4500 Global (R) QM_IDLE
May 8 15:17:57 CDT: ISAKMP:(0:1991:SW:1): phase 1 packet is a duplicate of a previous packet.
May 8 15:17:57 CDT: ISAKMP:(0:1991:SW:1): retransmitting due to retransmit phase 1
May 8 15:17:58 CDT: ISAKMP:(0:1991:SW:1): retransmitting phase 1 QM_IDLE ...
May 8 15:17:58 CDT: ISAKMP (0:134219719): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
May 8 15:17:58 CDT: ISAKMP:(0:1991:SW:1): retransmitting phase 1 QM_IDLE
May 8 15:17:58 CDT: ISAKMP:(0:1991:SW:1): sending packet to 200.1.1.1 my_port 4500 peer_port 4500 (R) QM_IDLE
May 8 15:18:02 CDT: ISAKMP:(0:1991:SW:1): retransmitting phase 2 QM_IDLE -1574699992 ...
May 8 15:18:02 CDT: ISAKMP (0:134219719): incrementing error counter on node, attempt 1 of 5: retransmit phase 2
May 8 15:18:02 CDT: ISAKMP (0:134219719): incrementing error counter on sa, attempt 2 of 5: retransmit phase 2
May 8 15:18:02 CDT: ISAKMP:(0:1991:SW:1): retransmitting phase 2 -1574699992 QM_IDLE
May 8 15:18:02 CDT: ISAKMP:(0:1991:SW:1): sending packet to 200.1.1.1 my_port 4500 peer_port 4500 (R) QM_IDLE
May 8 15:18:07 CDT: ISAKMP (0:134219719): received packet from 200.1.1.1 dport 4500 sport 4500 Global (R) QM_IDLE
May 8 15:18:07 CDT: ISAKMP:(0:1991:SW:1): phase 1 packet is a duplicate of a previous packet.
May 8 15:18:07 CDT: ISAKMP:(0:1991:SW:1): retransmitting due to retransmit phase 1
May 8 15:18:08 CDT: ISAKMP:(0:1991:SW:1): retransmitting phase 1 QM_IDLE ...
May 8 15:18:08 CDT: ISAKMP (0:134219719): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
May 8 15:18:08 CDT: ISAKMP:(0:1991:SW:1): retransmitting phase 1 QM_IDLE
May 8 15:18:08 CDT: ISAKMP:(0:1991:SW:1): sending packet to 200.1.1.1 my_port 4500 peer_port 4500 (R) QM_IDLE
May 8 15:18:12 CDT: ISAKMP:(0:1991:SW:1): retransmitting phase 2 QM_IDLE -1574699992 ...
May 8 15:18:12 CDT: ISAKMP (0:134219719): incrementing error counter on node, attempt 2 of 5: retransmit phase 2
May 8 15:18:12 CDT: ISAKMP (0:134219719): incrementing error counter on sa, attempt 4 of 5: retransmit phase 2
May 8 15:18:12 CDT: ISAKMP:(0:1991:SW:1): retransmitting phase 2 -1574699992 QM_IDLE
May 8 15:18:12 CDT: ISAKMP:(0:1991:SW:1): sending packet to 200.1.1.1 my_port 4500 peer_port 4500 (R) QM_IDLE
May 8 15:18:17 CDT: ISAKMP: local port 500, remote port 500
May 8 15:18:17 CDT: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 64E62620
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0):Old State = IKE_READY New State = IKE_R_MM1
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0): processing SA payload. message ID = 0
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0): processing vendor id payload
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 69 mismatch
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0): processing vendor id payload
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 245 mismatch
May 8 15:18:17 CDT: ISAKMP (0:0): vendor ID is NAT-T v7
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0): processing vendor id payload
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 157 mismatch
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v3
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0): processing vendor id payload
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 123 mismatch
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v2
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 200.1.1.1
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0): local preshared key found
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 5 policy
May 8 15:18:17 CDT: ISAKMP: encryption DES-CBC
May 8 15:18:17 CDT: ISAKMP: hash SHA
May 8 15:18:17 CDT: ISAKMP: default group 1
May 8 15:18:17 CDT: ISAKMP: auth pre-share
May 8 15:18:17 CDT: ISAKMP: life type in seconds
May 8 15:18:17 CDT: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 2 against priority 5 policy
May 8 15:18:17 CDT: ISAKMP: encryption 3DES-CBC
May 8 15:18:17 CDT: ISAKMP: hash SHA
May 8 15:18:17 CDT: ISAKMP: default group 2
May 8 15:18:17 CDT: ISAKMP: auth pre-share
May 8 15:18:17 CDT: ISAKMP: life type in seconds
May 8 15:18:17 CDT: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 3 against priority 5 policy
May 8 15:18:17 CDT: ISAKMP: encryption AES-CBC
May 8 15:18:17 CDT: ISAKMP: keylength of 256
May 8 15:18:17 CDT: ISAKMP: hash SHA
May 8 15:18:17 CDT: ISAKMP: default group 2
May 8 15:18:17 CDT: ISAKMP: auth pre-share
May 8 15:18:17 CDT: ISAKMP: life type in seconds
May 8 15:18:17 CDT: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0):Diffie-Hellman group offered does not match policy!
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 4 against priority 5 policy
May 8 15:18:17 CDT: ISAKMP: encryption AES-CBC
May 8 15:18:17 CDT: ISAKMP: keylength of 256
May 8 15:18:17 CDT: ISAKMP: hash SHA
May 8 15:18:17 CDT: ISAKMP: default group 5
May 8 15:18:17 CDT: ISAKMP: auth pre-share
May 8 15:18:17 CDT: ISAKMP: life type in seconds
May 8 15:18:17 CDT: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 3
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): processing vendor id payload
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): vendor ID seems Unity/DPD but major 69 mismatch
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): processing vendor id payload
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): vendor ID seems Unity/DPD but major 245 mismatch
May 8 15:18:17 CDT: ISAKMP (0:134219720): vendor ID is NAT-T v7
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): processing vendor id payload
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): vendor ID seems Unity/DPD but major 157 mismatch
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): vendor ID is NAT-T v3
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): processing vendor id payload
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): vendor ID seems Unity/DPD but major 123 mismatch
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): vendor ID is NAT-T v2
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):Old State = IKE_R_MM1 New State = IKE_R_MM1
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): constructed NAT-T vendor-07 ID
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): sending packet to 200.1.1.1 my_port 500 peer_port 500 (R) MM_SA_SETUP
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):Old State = IKE_R_MM1 New State = IKE_R_MM2
May 8 15:18:17 CDT: ISAKMP (0:134219720): received packet from 200.1.1.1 dport 500 sport 500 Global (R) MM_SA_SETUP
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):Old State = IKE_R_MM2 New State = IKE_R_MM3
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): processing KE payload. message ID = 0
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): processing NONCE payload. message ID = 0
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):found peer pre-shared key matching 200.1.1.1
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):SKEYID state generated
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): processing vendor id payload
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): vendor ID is Unity
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): processing vendor id payload
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): vendor ID is DPD
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): processing vendor id payload
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): speaking to another IOS box!
May 8 15:18:17 CDT: ISAKMP (0:134219720): NAT found, the node inside NAT
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):Old State = IKE_R_MM3 New State = IKE_R_MM3
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): sending packet to 200.1.1.1 my_port 500 peer_port 500 (R) MM_KEY_EXCH
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):Old State = IKE_R_MM3 New State = IKE_R_MM4
May 8 15:18:17 CDT: ISAKMP (0:134219719): received packet from 200.1.1.1 dport 4500 sport 4500 Global (R) QM_IDLE
May 8 15:18:17 CDT: ISAKMP:(0:1991:SW:1): phase 1 packet is a duplicate of a previous packet.
May 8 15:18:17 CDT: ISAKMP:(0:1991:SW:1): retransmitting due to retransmit phase 1
May 8 15:18:17 CDT: ISAKMP (0:134219720): received packet from 200.1.1.1 dport 4500 sport 4500 Global (R) MM_KEY_EXCH
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):Old State = IKE_R_MM4 New State = IKE_R_MM5
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): processing ID payload. message ID = 0
May 8 15:18:17 CDT: ISAKMP (0:134219720): ID payload
next-payload : 8
type : 1
address : 200.1.1.1
protocol : 17
port : 0
length : 12
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):: peer matches *none* of the profiles
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): processing HASH payload. message ID = 0
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): processing NOTIFY INITIAL_CONTACT protocol 1
spi 0, message ID = 0, sa = 64E62620
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):SA authentication status:
authenticated
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): Process initial contact,
bring down existing phase 1 and 2 SA's with local 10.64.11.253 remote 200.1.1.1 remote port 4500
May 8 15:18:17 CDT: ISAKMP:(0:1991:SW:1):received initial contact, deleting SA
May 8 15:18:17 CDT: ISAKMP:(0:1991:SW:1):peer does not do paranoid keepalives.
May 8 15:18:17 CDT: ISAKMP:(0:1991:SW:1):deleting SA reason "Receive initial contact" state (R) QM_IDLE (peer 200.1.1.1)
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):SA authentication status:
authenticated
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):SA has been authenticated with 200.1.1.1
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):Detected port floating to port = 4500
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):Setting UDP ENC peer struct 0x0 sa= 0x64E62620
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):Old State = IKE_R_MM5 New State = IKE_R_MM5
May 8 15:18:17 CDT: ISAKMP: set new node 231359858 to QM_IDLE
May 8 15:18:17 CDT: ISAKMP:(0:1991:SW:1): sending packet to 200.1.1.1 my_port 4500 peer_port 4500 (R) QM_IDLE
May 8 15:18:17 CDT: ISAKMP:(0:1991:SW:1):purging node 231359858
May 8 15:18:17 CDT: ISAKMP:(0:1991:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
May 8 15:18:17 CDT: ISAKMP:(0:1991:SW:1):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
May 8 15:18:17 CDT: ISAKMP (0:134219720): ID payload
next-payload : 8
type : 1
address : 10.64.11.253
protocol : 17
port : 0
length : 12
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):Total payload length: 12
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): sending packet to 200.1.1.1 my_port 4500 peer_port 4500 (R) MM_KEY_EXCH
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
May 8 15:18:17 CDT: ISAKMP:(0:1991:SW:1):deleting SA reason "No reason" state (R) QM_IDLE (peer 200.1.1.1)
May 8 15:18:17 CDT: ISAKMP:(0:1991:SW:1):deleting node -1574699992 error FALSE reason "IKE deleted"
May 8 15:18:17 CDT: ISAKMP:(0:1991:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
May 8 15:18:17 CDT: ISAKMP:(0:1991:SW:1):Old State = IKE_DEST_SA New State = IKE_DEST_SA
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
R2#
May 8 15:18:22 CDT: ISAKMP: set new node 0 to QM_IDLE
May 8 15:18:22 CDT: ISAKMP:(0:1992:SW:1): sitting IDLE. Starting QM immediately (QM_IDLE )
May 8 15:18:22 CDT: ISAKMP:(0:1992:SW:1):beginning Quick Mode exchange, M-ID of 1324849371
May 8 15:18:22 CDT: ISAKMP:(0:1992:SW:1): sending packet to 200.1.1.1 my_port 4500 peer_port 4500 (R) QM_IDLE
May 8 15:18:22 CDT: ISAKMP:(0:1992:SW:1):Node 1324849371, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
May 8 15:18:22 CDT: ISAKMP:(0:1992:SW:1):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
May 8 15:18:27 CDT: ISAKMP (0:134219719): received packet from 200.1.1.1 dport 4500 sport 4500 Global (R) MM_NO_STATE
May 8 15:18:27 CDT: ISAKMP (0:134219720): received packet from 200.1.1.1 dport 4500 sport 4500 Global (R) QM_IDLE
May 8 15:18:27 CDT: ISAKMP:(0:1992:SW:1): phase 1 packet is a duplicate of a previous packet.
May 8 15:18:27 CDT: ISAKMP:(0:1992:SW:1): retransmitting due to retransmit phase 1
May 8 15:18:28 CDT: ISAKMP:(0:1992:SW:1): retransmitting phase 1 QM_IDLE ...
May 8 15:18:28 CDT: ISAKMP (0:134219720): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
May 8 15:18:28 CDT: ISAKMP:(0:1992:SW:1): retransmitting phase 1 QM_IDLE
May 8 15:18:28 CDT: ISAKMP:(0:1992:SW:1): sending packet to 200.1.1.1 my_port 4500 peer_port 4500 (R) QM_IDLE
R2#
May 8 15:18:32 CDT: ISAKMP:(0:1992:SW:1): retransmitting phase 2 QM_IDLE 1324849371 ...
May 8 15:18:32 CDT: ISAKMP (0:134219720): incrementing error counter on node, attempt 1 of 5: retransmit phase 2
May 8 15:18:32 CDT: ISAKMP (0:134219720): incrementing error counter on sa, attempt 2 of 5: retransmit phase 2
May 8 15:18:32 CDT: ISAKMP:(0:1992:SW:1): retransmitting phase 2 1324849371 QM_IDLE
May 8 15:18:32 CDT: ISAKMP:(0:1992:SW:1): sending packet to 200.1.1.1 my_port 4500 peer_port 4500 (R) QM_IDLE
R2#
May 8 15:18:37 CDT: ISAKMP (0:134219719): received packet from 200.1.1.1 dport 4500 sport 4500 Global (R) MM_NO_STATE
May 8 15:18:37 CDT: ISAKMP (0:134219720): received packet from 200.1.1.1 dport 4500 sport 4500 Global (R) QM_IDLE
May 8 15:18:37 CDT: ISAKMP:(0:1992:SW:1): phase 1 packet is a duplicate of a previous packet.
May 8 15:18:37 CDT: ISAKMP:(0:1992:SW:1): retransmitting due to retransmit phase 1
May 8 15:18:38 CDT: ISAKMP:(0:1992:SW:1): retransmitting phase 1 QM_IDLE ...
May 8 15:18:38 CDT: ISAKMP (0:134219720): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
R2#
R2#
May 8 15:18:38 CDT: ISAKMP:(0:1992:SW:1): retransmitting phase 1 QM_IDLE
May 8 15:18:38 CDT: ISAKMP:(0:1992:SW:1): sending packet to 200.1.1.1 my_port 4500 peer_port 4500 (R) QM_IDL
Also, output from "show crypto session"
R1:
Interface: Tunnel1
Session status: DOWN
Peer: 200.1.1.2 port 500
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
Active SAs: 0, origin: crypto map
Interface: Tunnel1
Session status: DOWN-NEGOTIATING
Peer: 200.1.1.2 port 4500
IKE SA: local 200.1.1.1/4500 remote 200.1.1.2/4500 Inactive
IKE SA: local 200.1.1.1/4500 remote 200.1.1.2/4500 Inactive
R2:
Interface: Tunnel2
Session status: DOWN
Peer: 200.1.1.1 port 500
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
Active SAs: 0, origin: crypto map
Interface: GigabitEthernet0/1
Session status: UP-IDLE
Peer: 200.1.1.1 port 4500
IKE SA: local 10.1.1.1/4500 remote 200.1.1.1/4500 Active
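To make a long `debug crypto isakmp` capture like the ones above easier to read, here is an added example (not part of the original post) that walks the debug lines and pulls out which ISAKMP policy priority accepted the peer's transform and why the others rejected it, the NAT detection result, the state transitions, the retransmit counters, the NAT-T port float and the "peer matches *none* of the profiles" notice; the sample lines are copied from the R1 and R2 output above.

```python
import re

# Constructed sample: lines copied from the R1 and R2 `debug crypto isakmp` captures above.
R1_SAMPLE = """\
*May 8 20:14:58.356: ISAKMP:(0):Checking ISAKMP transform 1 against priority 15 policy
*May 8 20:14:58.356: ISAKMP:(0):Encryption algorithm offered does not match policy!
*May 8 20:14:58.356: ISAKMP:(0):Checking ISAKMP transform 1 against priority 20 policy
*May 8 20:14:58.356: ISAKMP:(0):Diffie-Hellman group offered does not match policy!
*May 8 20:14:58.356: ISAKMP:(0):Checking ISAKMP transform 1 against priority 100 policy
*May 8 20:14:58.356: ISAKMP:(0):atts are acceptable. Next payload is 0
*May 8 20:14:58.668: ISAKMP (0:6154): NAT found, the node outside NAT
*May 8 20:14:58.672: ISAKMP:(6154):Old State = IKE_I_MM4 New State = IKE_I_MM5
*May 8 20:14:58.672: ISAKMP (0:6153): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
"""
R2_SAMPLE = """\
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 4 against priority 5 policy
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 3
May 8 15:18:17 CDT: ISAKMP (0:134219720): NAT found, the node inside NAT
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):: peer matches *none* of the profiles
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):Detected port floating to port = 4500
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
May 8 15:18:32 CDT: ISAKMP (0:134219720): incrementing error counter on node, attempt 1 of 5: retransmit phase 2
"""

CHECK = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
REJECT = re.compile(r"(\w[\w\- ]*?) offered does not match policy!")
STATE = re.compile(r"Old State = (\S+) New State = (\S+)")
NAT = re.compile(r"NAT found, the node (inside|outside) NAT")
RETRANS = re.compile(r"attempt (\d+) of (\d+): retransmit phase (\d)")
FLOAT = re.compile(r"port floating to port = (\d+)")

def summarize(debug_text: str) -> dict:
    """Pull the negotiation facts out of one `debug crypto isakmp` capture:
    which ISAKMP policy accepted the peer's transform (and why the others
    rejected it), NAT detection, state transitions, retransmits, port floating."""
    s = {"policy_checks": [],  # (transform, priority, "accepted" | rejection reason)
         "accepted_priority": None, "nat_position": None, "port_float": None,
         "states": [],  # every New State, in order
         "worst_retransmit": None,  # (phase, attempt, limit) with the highest attempt
         "profile_miss": False}
    current = None  # (transform, priority) of the policy check in progress
    for line in debug_text.splitlines():
        if m := CHECK.search(line):
            current = (int(m.group(1)), int(m.group(2)))
        elif (m := REJECT.search(line)) and current:
            s["policy_checks"].append((*current, m.group(1).strip()))
            current = None
        elif "atts are acceptable" in line and current:
            s["policy_checks"].append((*current, "accepted"))
            if s["accepted_priority"] is None:
                s["accepted_priority"] = current[1]
            current = None
        elif m := STATE.search(line):
            s["states"].append(m.group(2))
        elif m := NAT.search(line):
            s["nat_position"] = m.group(1)
        elif m := RETRANS.search(line):
            attempt, limit, phase = (int(g) for g in m.groups())
            if s["worst_retransmit"] is None or attempt > s["worst_retransmit"][1]:
                s["worst_retransmit"] = (phase, attempt, limit)
        elif m := FLOAT.search(line):
            s["port_float"] = int(m.group(1))
        elif "peer matches *none* of the profiles" in line:
            s["profile_miss"] = True
    return s
```

Feed the full capture from each router to `summarize()` and compare the two summaries side by side: the accepted priority shows which policy entry actually matched, and the `states` list shows how far Main Mode got on each side.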