05-07-2013 01:30 PM - edited 02-21-2020 06:52 PM
Hey everyone,
I have two routers and an ASA, with one of the routers sitting behind the ASA. I have a VTI configuration between the two routers. The regular GRE traffic passes through just fine, but after applying an IPsec profile to the interfaces, IKE Phase I never completes. I have the configurations and debugs posted below. Thank you in advance for your help. I have confirmed reachability and there are no access list issues.
Router 1:
crypto ipsec transform-set SEC esp-aes 256 esp-md5-hmac
 mode tunnel
!
crypto ipsec profile IPSEC
 set transform-set SEC
!
!
interface Tunnel2
 ip address 172.16.1.1 255.255.255.252
 tunnel source 200.1.1.1
 tunnel destination 200.1.1.2
 tunnel protection ipsec profile IPSEC
!
crypto isakmp key SECURITYKEY address 200.1.1.2
!
crypto isakmp policy 1
 encr aes 256
 hash md5
 authentication pre-share
 group 2
ASA:
static (inside,outside) 200.1.1.2 10.1.1.1 netmask 255.255.255.255
Router 2:
interface Tunnel121
 ip address 172.16.1.2 255.255.255.252
 ip nat inside
 ip virtual-reassembly
 tunnel source 10.1.1.1
 tunnel destination 200.1.1.1
 tunnel protection ipsec profile IPSEC
!
crypto ipsec transform-set SEC esp-aes 256 esp-md5-hmac
 mode tunnel
!
crypto ipsec profile IPSEC
 set transform-set SEC
!
crypto isakmp key SECURITYKEY address 200.1.1.1
!
crypto isakmp policy 2
 encr aes 256
 hash md5
 authentication pre-share
 group 2
R2#debug crypto isakmp
R2#
R2#
May 7 14:30:35 CDT: ISAKMP (0:134218444): received packet from 200.1.1.1 dport 4500 sport 4500 Global (R) QM_IDLE
May 7 14:30:35 CDT: ISAKMP:(0:716:SW:1): phase 1 packet is a duplicate of a previous packet.
May 7 14:30:35 CDT: ISAKMP:(0:716:SW:1): retransmitting due to retransmit phase 1
May 7 14:30:35 CDT: ISAKMP (0:134218443): received packet from 200.1.1.1 dport 4500 sport 4500 Global (R) MM_NO_STATE
May 7 14:30:36 CDT: ISAKMP:(0:716:SW:1): retransmitting phase 1 QM_IDLE ...
May 7 14:30:36 CDT: ISAKMP (0:134218444): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
May 7 14:30:36 CDT: ISAKMP:(0:716:SW:1): retransmitting phase 1 QM_IDLE
May 7 14:30:36 CDT: ISAKMP:(0:716:SW:1): sending packet to 200.1.1.1 my_port 4500 peer_port 4500 (R) QM_IDLE
May 7 14:30:42 CDT: ISAKMP:(0:716:SW:1): retransmitting phase 2 QM_IDLE -1092494630 ...
May 7 14:30:42 CDT: ISAKMP (0:134218444): incrementing error counter on node, attempt 2 of 5: retransmit phase 2
May 7 14:30:42 CDT: ISAKMP (0:134218444): incrementing error counter on sa, attempt 4 of 5: retransmit phase 2
May 7 14:30:42 CDT: ISAKMP:(0:716:SW:1): retransmitting phase 2 -1092494630 QM_IDLE
May 7 14:30:42 CDT: ISAKMP:(0:716:SW:1): sending packet to 200.1.1.1 my_port 4500 peer_port 4500 (R) QM_IDLE
May 7 14:30:45 CDT: ISAKMP (0:134218444): received packet from 200.1.1.1 dport 4500 sport 4500 Global (R) QM_IDLE
May 7 14:30:45 CDT: ISAKMP:(0:716:SW:1): phase 1 packet is a duplicate of a previous packet.
May 7 14:30:45 CDT: ISAKMP:(0:716:SW:1): retransmitting due to retransmit phase 1
May 7 14:30:46 CDT: ISAKMP:(0:716:SW:1): retransmitting phase 1 QM_IDLE ...
May 7 14:30:46 CDT: ISAKMP (0:134218444): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
May 7 14:30:46 CDT: ISAKMP:(0:716:SW:1): retransmitting phase 1 QM_IDLE
May 7 14:30:46 CDT: ISAKMP:(0:716:SW:1): sending packet to 200.1.1.1 my_port 4500 peer_port 4500 (R) QM_IDLE
May 7 14:30:52 CDT: ISAKMP: received ke message (3/1)
May 7 14:30:52 CDT: ISAKMP:(0:716:SW:1):peer does not do paranoid keepalives.
May 7 14:30:52 CDT: ISAKMP:(0:716:SW:1):deleting SA reason "P1 delete notify (in)" state (R) QM_IDLE (peer 200.1.1.1)
May 7 14:30:52 CDT: ISAKMP:(0:715:SW:1):peer does not do paranoid keepalives.
May 7 14:30:52 CDT: ISAKMP:(0:716:SW:1): retransmitting phase 2 QM_IDLE -1092494630 ...
May 7 14:30:52 CDT: ISAKMP:(0:716:SW:1):peer does not do paranoid keepalives.
May 7 14:30:52 CDT: ISAKMP: set new node 1345361410 to QM_IDLE
May 7 14:30:52 CDT: ISAKMP:(0:716:SW:1): sending packet to 200.1.1.1 my_port 4500 peer_port 4500 (R) QM_IDLE
May 7 14:30:52 CDT: ISAKMP:(0:716:SW:1):purging node 1345361410
May 7 14:30:52 CDT: ISAKMP:(0:716:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
May 7 14:30:52 CDT: ISAKMP:(0:716:SW:1):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA
May 7 14:30:52 CDT: ISAKMP:(0:716:SW:1):deleting SA reason "No reason" state (R) QM_IDLE (peer 200.1.1.1)
May 7 14:30:52 CDT: ISAKMP: Unlocking IKE struct 0x656AA2B0 for isadb_mark_sa_deleted(), count 0
May 7 14:30:52 CDT: ISAKMP: Deleting peer node by peer_reap for 200.1.1.1: 656AA2B0
May 7 14:30:52 CDT: ISAKMP:(0:716:SW:1):deleting node -1092494630 error FALSE reason "IKE deleted"
May 7 14:30:52 CDT: ISAKMP:(0:716:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
May 7 14:30:52 CDT: ISAKMP:(0:716:SW:1):Old State = IKE_DEST_SA New State = IKE_DEST_SA
May 7 14:30:55 CDT: ISAKMP (0:134218444): received packet from 200.1.1.1 dport 4500 sport 4500 Global (R) MM_NO_STATE
May 7 14:31:05 CDT: ISAKMP:(0:715:SW:1):purging node 1843499205
May 7 14:31:05 CDT: ISAKMP (0:134218444): received packet from 200.1.1.1 dport 4500 sport 4500 Global (R) MM_NO_STATE
May 7 14:31:15 CDT: ISAKMP:(0:715:SW:1):purging SA., sa=64E4AB14, delme=64E4AB14
May 7 14:31:42 CDT: ISAKMP:(0:716:SW:1):purging node -1092494630
May 7 14:31:45 CDT: ISAKMP (0:0): received packet from 200.1.1.1 dport 500 sport 500 Global (N) NEW SA
May 7 14:31:45 CDT: ISAKMP: Created a peer struct for 200.1.1.1, peer port 500
May 7 14:31:45 CDT: ISAKMP: New peer created peer = 0x656AA2B0 peer_handle = 0x80000514
May 7 14:31:45 CDT: ISAKMP: Locking peer struct 0x656AA2B0, IKE refcount 1 for crypto_isakmp_process_block
May 7 14:31:45 CDT: ISAKMP: local port 500, remote port 500
May 7 14:31:45 CDT: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 64E4AB14
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0):Old State = IKE_READY New State = IKE_R_MM1
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0): processing SA payload. message ID = 0
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0): processing vendor id payload
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 69 mismatch
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0): processing vendor id payload
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 245 mismatch
May 7 14:31:45 CDT: ISAKMP (0:0): vendor ID is NAT-T v7
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0): processing vendor id payload
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 157 mismatch
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v3
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0): processing vendor id payload
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 123 mismatch
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v2
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 200.1.1.1
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0): local preshared key found
May 7 14:31:45 CDT: ISAKMP : Scanning profiles for xauth ...
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 5 policy
May 7 14:31:45 CDT: ISAKMP: encryption DES-CBC
May 7 14:31:45 CDT: ISAKMP: hash SHA
May 7 14:31:45 CDT: ISAKMP: default group 1
May 7 14:31:45 CDT: ISAKMP: auth pre-share
May 7 14:31:45 CDT: ISAKMP: life type in seconds
May 7 14:31:45 CDT: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 2 against priority 5 policy
May 7 14:31:45 CDT: ISAKMP: encryption 3DES-CBC
May 7 14:31:45 CDT: ISAKMP: hash SHA
May 7 14:31:45 CDT: ISAKMP: default group 2
May 7 14:31:45 CDT: ISAKMP: auth pre-share
May 7 14:31:45 CDT: ISAKMP: life type in seconds
May 7 14:31:45 CDT: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 3 against priority 5 policy
May 7 14:31:45 CDT: ISAKMP: encryption AES-CBC
May 7 14:31:45 CDT: ISAKMP: keylength of 256
May 7 14:31:45 CDT: ISAKMP: hash SHA
May 7 14:31:45 CDT: ISAKMP: default group 2
May 7 14:31:45 CDT: ISAKMP: auth pre-share
May 7 14:31:45 CDT: ISAKMP: life type in seconds
May 7 14:31:45 CDT: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0):Diffie-Hellman group offered does not match policy!
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 4 against priority 5 policy
May 7 14:31:45 CDT: ISAKMP: encryption AES-CBC
May 7 14:31:45 CDT: ISAKMP: keylength of 256
May 7 14:31:45 CDT: ISAKMP: hash SHA
May 7 14:31:45 CDT: ISAKMP: default group 5
May 7 14:31:45 CDT: ISAKMP: auth pre-share
May 7 14:31:45 CDT: ISAKMP: life type in seconds
May 7 14:31:45 CDT: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
May 7 14:31:45 CDT: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 3
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): processing vendor id payload
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): vendor ID seems Unity/DPD but major 69 mismatch
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): processing vendor id payload
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): vendor ID seems Unity/DPD but major 245 mismatch
May 7 14:31:45 CDT: ISAKMP (0:134218445): vendor ID is NAT-T v7
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): processing vendor id payload
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): vendor ID seems Unity/DPD but major 157 mismatch
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): vendor ID is NAT-T v3
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): processing vendor id payload
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): vendor ID seems Unity/DPD but major 123 mismatch
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): vendor ID is NAT-T v2
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):Old State = IKE_R_MM1 New State = IKE_R_MM1
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): constructed NAT-T vendor-07 ID
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): sending packet to 200.1.1.1 my_port 500 peer_port 500 (R) MM_SA_SETUP
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):Old State = IKE_R_MM1 New State = IKE_R_MM2
May 7 14:31:45 CDT: ISAKMP (0:134218445): received packet from 200.1.1.1 dport 500 sport 500 Global (R) MM_SA_SETUP
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):Old State = IKE_R_MM2 New State = IKE_R_MM3
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): processing KE payload. message ID = 0
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): processing NONCE payload. message ID = 0
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):found peer pre-shared key matching 200.1.1.1
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):SKEYID state generated
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): processing vendor id payload
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): vendor ID is Unity
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): processing vendor id payload
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): vendor ID is DPD
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): processing vendor id payload
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): speaking to another IOS box!
May 7 14:31:45 CDT: ISAKMP (0:134218445): NAT found, the node inside NAT
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):Old State = IKE_R_MM3 New State = IKE_R_MM3
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): sending packet to 200.1.1.1 my_port 500 peer_port 500 (R) MM_KEY_EXCH
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):Old State = IKE_R_MM3 New State = IKE_R_MM4
May 7 14:31:45 CDT: ISAKMP (0:134218445): received packet from 200.1.1.1 dport 4500 sport 4500 Global (R) MM_KEY_EXCH
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):Old State = IKE_R_MM4 New State = IKE_R_MM5
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): processing ID payload. message ID = 0
May 7 14:31:45 CDT: ISAKMP (0:134218445): ID payload
next-payload : 8
type : 1
address : 200.1.1.1
protocol : 17
port : 0
length : 12
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):: peer matches *none* of the profiles
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): processing HASH payload. message ID = 0
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): processing NOTIFY INITIAL_CONTACT protocol 1
spi 0, message ID = 0, sa = 64E4AB14
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):SA authentication status:
authenticated
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): Process initial contact,
bring down existing phase 1 and 2 SA's with local 10.1.1.1 remote 200.1.1.1 remote port 4500
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):SA authentication status:
authenticated
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):SA has been authenticated with 200.1.1.1
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):Detected port floating to port = 4500
May 7 14:31:45 CDT: ISAKMP: Trying to insert a peer 10.1.1.1/200.1.1.1/4500/, and inserted successfully 656AA2B0.
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):Setting UDP ENC peer struct 0x661D688C sa= 0x64E4AB14
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):Old State = IKE_R_MM5 New State = IKE_R_MM5
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
May 7 14:31:45 CDT: ISAKMP (0:134218445): ID payload
next-payload : 8
type : 1
address : 10.1.1.1
protocol : 17
port : 0
length : 12
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):Total payload length: 12
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): sending packet to 200.1.1.1 my_port 4500 peer_port 4500 (R) MM_KEY_EXCH
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
May 7 14:31:52 CDT: ISAKMP: received ke message (1/1)
May 7 14:31:52 CDT: ISAKMP: set new node 0 to QM_IDLE
May 7 14:31:52 CDT: ISAKMP:(0:717:SW:1): sitting IDLE. Starting QM immediately (QM_IDLE )
May 7 14:31:52 CDT: ISAKMP:(0:717:SW:1):beginning Quick Mode exchange, M-ID of -1201835538
May 7 14:31:52 CDT: ISAKMP:(0:717:SW:1): sending packet to 200.1.1.1 my_port 4500 peer_port 4500 (R) QM_IDLE
May 7 14:31:52 CDT: ISAKMP:(0:717:SW:1):Node -1201835538, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
May 7 14:31:52 CDT: ISAKMP:(0:717:SW:1):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
May 7 14:31:52 CDT: ISAKMP:(0:716:SW:1):purging SA., sa=64E55FE0, delme=64E55FE0
May 7 14:31:55 CDT: ISAKMP (0:134218445): received packet from 200.1.1.1 dport 4500 sport 4500 Global (R) QM_IDLE
May 7 14:31:55 CDT: ISAKMP:(0:717:SW:1): phase 1 packet is a duplicate of a previous packet.
May 7 14:31:55 CDT: ISAKMP:(0:717:SW:1): retransmitting due to retransmit phase 1
May 7 14:31:56 CDT: ISAKMP:(0:717:SW:1): retransmitting phase 1 QM_IDLE ...
May 7 14:31:56 CDT: ISAKMP (0:134218445): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
May 7 14:31:56 CDT: ISAKMP:(0:717:SW:1): retransmitting phase 1 QM_IDLE
May 7 14:31:56 CDT: ISAKMP:(0:717:SW:1): sending packet to 200.1.1.1 my_port 4500 peer_port 4500 (R) QM_IDLE
R2#
R2#
R2#
R2#un
May 7 14:32:02 CDT: ISAKMP:(0:717:SW:1): retransmitting phase 2 QM_IDLE -1201835538 ...
May 7 14:32:02 CDT: ISAKMP (0:134218445): incrementing error counter on node, attempt 1 of 5: retransmit phase 2
May 7 14:32:02 CDT: ISAKMP (0:134218445): incrementing error counter on sa, attempt 2 of 5: retransmit phase 2
May 7 14:32:02 CDT: ISAKMP:(0:717:SW:1): retransmitting phase 2 -1201835538 QM_IDLE
May 7 14:32:02 CDT: ISAKMP:(0:717:SW:1): sending packet to 200.1.1.1 my_port 4500 peer_port 4500 (R) QM_IDLE
The specific portion of the debug that has caught my attention is as follows toward the end:
May 7 14:31:52 CDT: ISAKMP:(0:717:SW:1): sending packet to 200.1.1.1 my_port 4500 peer_port 4500 (R) QM_IDLE
May 7 14:31:52 CDT: ISAKMP:(0:717:SW:1):Node -1201835538, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
May 7 14:31:52 CDT: ISAKMP:(0:717:SW:1):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
May 7 14:31:52 CDT: ISAKMP:(0:716:SW:1):purging SA., sa=64E55FE0, delme=64E55FE0
May 7 14:31:55 CDT: ISAKMP (0:134218445): received packet from 200.1.1.1 dport 4500 sport 4500 Global (R) QM_IDLE
May 7 14:31:55 CDT: ISAKMP:(0:717:SW:1): phase 1 packet is a duplicate of a previous packet.
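Added example (not part of the original post and not Cisco code): a small Python parser for the `debug crypto isakmp` line formats quoted above. It reports the NAT-T port float and whether the peer keeps resending phase 1 packets after the local side has logged IKE_P1_COMPLETE. The excerpt is copied from the R2 debug in the post; the function and field names are made up for this example.

```python
import re

# Lines copied from the R2 "debug crypto isakmp" output in the post above.
R2_EXCERPT = """\
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): sending packet to 200.1.1.1 my_port 500 peer_port 500 (R) MM_SA_SETUP
May 7 14:31:45 CDT: ISAKMP (0:134218445): received packet from 200.1.1.1 dport 500 sport 500 Global (R) MM_SA_SETUP
May 7 14:31:45 CDT: ISAKMP (0:134218445): NAT found, the node inside NAT
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): sending packet to 200.1.1.1 my_port 500 peer_port 500 (R) MM_KEY_EXCH
May 7 14:31:45 CDT: ISAKMP (0:134218445): received packet from 200.1.1.1 dport 4500 sport 4500 Global (R) MM_KEY_EXCH
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):Detected port floating to port = 4500
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1): sending packet to 200.1.1.1 my_port 4500 peer_port 4500 (R) MM_KEY_EXCH
May 7 14:31:45 CDT: ISAKMP:(0:717:SW:1):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
May 7 14:31:52 CDT: ISAKMP:(0:717:SW:1): sending packet to 200.1.1.1 my_port 4500 peer_port 4500 (R) QM_IDLE
May 7 14:31:55 CDT: ISAKMP (0:134218445): received packet from 200.1.1.1 dport 4500 sport 4500 Global (R) QM_IDLE
May 7 14:31:55 CDT: ISAKMP:(0:717:SW:1): phase 1 packet is a duplicate of a previous packet.
May 7 14:31:56 CDT: ISAKMP (0:134218445): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
May 7 14:31:56 CDT: ISAKMP:(0:717:SW:1): sending packet to 200.1.1.1 my_port 4500 peer_port 4500 (R) QM_IDLE
May 7 14:32:02 CDT: ISAKMP (0:134218445): incrementing error counter on node, attempt 1 of 5: retransmit phase 2
May 7 14:32:02 CDT: ISAKMP (0:134218445): incrementing error counter on sa, attempt 2 of 5: retransmit phase 2
"""

# "my_port"/"dport" is the local UDP port, "peer_port"/"sport" the remote one.
PACKET = re.compile(r"(sending packet to|received packet from) (\S+) "
                    r"(?:my_port|dport) (\d+) (?:peer_port|sport) (\d+)")
STATE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
FLOAT = re.compile(r"Detected port floating to port = (\d+)")
NAT = re.compile(r"NAT found, the node (inside|outside) NAT")
RETRY = re.compile(r"attempt (\d+) of (\d+): retransmit phase (\d)")
DUPLICATE = "is a duplicate of a previous packet"


def summarize(debug_text):
    """Collect the NAT-T and retransmission facts from one side's debug."""
    s = {"nat_side": None, "floated_to": None, "last_state": None,
         "p1_complete": False, "local_ports": [], "sent": 0, "received": 0,
         "duplicates_after_p1": 0, "max_retry": {}}
    for line in debug_text.splitlines():
        if (m := PACKET.search(line)):
            direction, _peer, local_port, _remote_port = m.groups()
            s["sent" if direction.startswith("sending") else "received"] += 1
            if int(local_port) not in s["local_ports"]:
                s["local_ports"].append(int(local_port))
        elif (m := STATE.search(line)):
            s["last_state"] = m.group(2)
            s["p1_complete"] |= m.group(2) == "IKE_P1_COMPLETE"
        elif (m := FLOAT.search(line)):
            s["floated_to"] = int(m.group(1))
        elif (m := NAT.search(line)):
            s["nat_side"] = m.group(1)
        elif (m := RETRY.search(line)):
            # Highest retransmit attempt seen per IKE phase.
            attempt, phase = int(m.group(1)), int(m.group(3))
            s["max_retry"][phase] = max(attempt, s["max_retry"].get(phase, 0))
        elif DUPLICATE in line and s["p1_complete"]:
            # The peer resent a phase 1 packet after we considered it done.
            s["duplicates_after_p1"] += 1
    return s


def peer_stuck_in_phase1(summary):
    """True when this side logged IKE_P1_COMPLETE on the floated port but the
    peer is still resending phase 1 packets, i.e. the peer has not accepted
    (or never received) the final main-mode message sent over UDP/4500."""
    return (summary["floated_to"] is not None
            and summary["p1_complete"]
            and summary["duplicates_after_p1"] > 0)


if __name__ == "__main__":
    report = summarize(R2_EXCERPT)
    for key, value in report.items():
        print(f"{key:20} {value}")
    print("peer stuck in phase 1:", peer_stuck_in_phase1(report))
```

Running the same summary over each router's full debug shows at which message and on which UDP port the two sides stop agreeing.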
05-08-2013 08:13 AM
As an added clue, R1 displays the following message at the console:
*May 8 15:34:28.857: %CRYPTO-4-IKMP_NO_SA: IKE message from 200.1.1.2 has no SA and is not an initialization offer
05-08-2013 12:06 PM
Hi,
Can you add 'tunnel mode ipsec ipv4' under both tunnel interfaces?
Since all config is not available on this post (routes/keys etc), here is a link wherein you can match your config:
If you have the above command under both tunnel interfaces and a route for the remote subnet pointing to the tunnel interface, it should work fine.
If it doesn't, please post 'show run' from both routers. Change the external IPs if this is not a lab setup.
-
Sourav
05-08-2013 12:21 PM
Good point, Sokakkar. Thank you for the reminder. To be honest, the config above was an original config; I had since added "tunnel mode ipsec ipv4" as follows:
Router 1:
crypto ipsec transform-set SEC esp-aes 256 esp-md5-hmac
 mode tunnel
!
crypto ipsec profile IPSEC
 set transform-set SEC
!
!
interface Tunnel1
 ip address 172.16.1.1 255.255.255.252
 tunnel source 200.1.1.1
 tunnel destination 200.1.1.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC
!
crypto isakmp key SECURITYKEY address 200.1.1.2
!
crypto isakmp policy 1
 encr aes 256
 hash md5
 authentication pre-share
 group 2
ASA:
static (inside,outside) 200.1.1.2 10.1.1.1 netmask 255.255.255.255
Router 2:
interface Tunnel2
 ip address 172.16.1.2 255.255.255.252
 tunnel source 10.1.1.1
 tunnel destination 200.1.1.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC
!
crypto ipsec transform-set SEC esp-aes 256 esp-md5-hmac
 mode tunnel
!
crypto ipsec profile IPSEC
 set transform-set SEC
!
crypto isakmp key SECURITYKEY address 200.1.1.1
!
crypto isakmp policy 2
 encr aes 256
 hash md5
 authentication pre-share
 group 5
Everything else is the same; the debug was actually applied after the tunnel mode command was added to the config.
05-08-2013 11:35 AM
Another clue might be that R2 shows the following for several seconds:
10.1.1.1 200.1.1.1 QM_IDLE 1935 0 ACTIVE
While R2 shows:
200.1.1.2 200.1.1.1 MM_KEY_EXCH 5927 0 ACTIVE
After a few seconds both sides revert to MM_NO_STATE
05-08-2013 12:46 PM
Ok, is this a production setup? If not, can you do a 'write memory' on both ends, reload the routers and test again?
If that doesn't resolve the issue, please run conditional debugs as follows on both routers:
undebug all
debug crypto condition peer ipv4
debug crypto isakmp
-
Sourav
05-08-2013 01:00 PM
Thank you for the suggestions, Sokakkar. I did just what you asked with
undebug all
debug crypto condition peer ipv4
debug crypto isakmp
This is a production environment and I have altered the information for privacy reasons, so I am not able to reload either of the devices.
The debugs are as follows:
R1 DEBUGS:
R1#debug crypto isakmp
Crypto ISAKMP debugging is on
R1#
*May 8 20:14:18.668: ISAKMP:(6151):purging node -1205767715
*May 8 20:14:28.140: ISAKMP: local port 500, remote port 500
*May 8 20:14:28.144: ISAKMP: set new node 0 to QM_IDLE
*May 8 20:14:28.144: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 45FED9E4
*May 8 20:14:28.144: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*May 8 20:14:28.144: ISAKMP:(0):found peer pre-shared key matching 200.1.1.2
*May 8 20:14:28.144: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*May 8 20:14:28.144: ISAKMP:(0): constructed NAT-T vendor-07 ID
*May 8 20:14:28.144: ISAKMP:(0): constructed NAT-T vendor-03 ID
*May 8 20:14:28.144: ISAKMP:(0): constructed NAT-T vendor-02 ID
*May 8 20:14:28.144: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*May 8 20:14:28.144: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
*May 8 20:14:28.144: ISAKMP:(0): beginning Main Mode exchange
*May 8 20:14:28.144: ISAKMP:(0): sending packet to 200.1.1.2 my_port 500 peer_port 500 (I) MM_NO_STATE
*May 8 20:14:28.144: ISAKMP:(0):Sending an IKE IPv4 Packet.
*May 8 20:14:28.356: ISAKMP (0:0): received packet from 200.1.1.2 dport 500 sport 500 Global (I) MM_NO_STATE
*May 8 20:14:28.356: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*May 8 20:14:28.356: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2
*May 8 20:14:28.356: ISAKMP:(0): processing SA payload. message ID = 0
*May 8 20:14:28.356: ISAKMP:(0): processing vendor id payload
*May 8 20:14:28.356: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*May 8 20:14:28.356: ISAKMP (0:0): vendor ID is NAT-T v7
*May 8 20:14:28.356: ISAKMP:(0):found peer pre-shared key matching 200.1.1.2
*May 8 20:14:28.356: ISAKMP:(0): local preshared key found
*May 8 20:14:28.356: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*May 8 20:14:28.356: ISAKMP: encryption AES-CBC
*May 8 20:14:28.356: ISAKMP: keylength of 256
*May 8 20:14:28.356: ISAKMP: hash SHA
*May 8 20:14:28.356: ISAKMP: default group 5
*May 8 20:14:28.356: ISAKMP: auth pre-share
*May 8 20:14:28.356: ISAKMP: life type in seconds
*May 8 20:14:28.356: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*May 8 20:14:28.356: ISAKMP:(0):Encryption algorithm offered does not match policy!
*May 8 20:14:28.356: ISAKMP:(0):atts are not acceptable. Next payload is 0
*May 8 20:14:28.356: ISAKMP:(0):Checking ISAKMP transform 1 against priority 15 policy
*May 8 20:14:28.360: ISAKMP: encryption AES-CBC
*May 8 20:14:28.360: ISAKMP: keylength of 256
*May 8 20:14:28.360: ISAKMP: hash SHA
*May 8 20:14:28.360: ISAKMP: default group 5
*May 8 20:14:28.360: ISAKMP: auth pre-share
*May 8 20:14:28.360: ISAKMP: life type in seconds
*May 8 20:14:28.360: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*May 8 20:14:28.360: ISAKMP:(0):Encryption algorithm offered does not match policy!
*May 8 20:14:28.360: ISAKMP:(0):atts are not acceptable. Next payload is 0
*May 8 20:14:28.360: ISAKMP:(0):Checking ISAKMP transform 1 against priority 20 policy
*May 8 20:14:28.360: ISAKMP: encryption AES-CBC
*May 8 20:14:28.360: ISAKMP: keylength of 256
*May 8 20:14:28.360: ISAKMP: hash SHA
*May 8 20:14:28.360: ISAKMP: default group 5
*May 8 20:14:28.360: ISAKMP: auth pre-share
*May 8 20:14:28.360: ISAKMP: life type in seconds
*May 8 20:14:28.360: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*May 8 20:14:28.360: ISAKMP:(0):Diffie-Hellman group offered does not match policy!
*May 8 20:14:28.360: ISAKMP:(0):atts are not acceptable. Next payload is 0
*May 8 20:14:28.360: ISAKMP:(0):Checking ISAKMP transform 1 against priority 100 policy
*May 8 20:14:28.360: ISAKMP: encryption AES-CBC
*May 8 20:14:28.360: ISAKMP: keylength of 256
*May 8 20:14:28.360: ISAKMP: hash SHA
*May 8 20:14:28.360: ISAKMP: default group 5
*May 8 20:14:28.360: ISAKMP: auth pre-share
*May 8 20:14:28.360: ISAKMP: life type in seconds
*May 8 20:14:28.360: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*May 8 20:14:28.360: ISAKMP:(0):atts are acceptable. Next payload is 0
*May 8 20:14:28.360: ISAKMP:(0):Acceptable atts:actual life: 0
*May 8 20:14:28.360: ISAKMP:(0):Acceptable atts:life: 0
*May 8 20:14:28.360: ISAKMP:(0):Fill atts in sa vpi_length:4
*May 8 20:14:28.360: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
*May 8 20:14:28.360: ISAKMP:(0):Returning Actual lifetime: 86400
*May 8 20:14:28.360: ISAKMP:(0)::Started lifetime timer: 86400.
*May 8 20:14:28.360: ISAKMP:(0): processing vendor id payload
*May 8 20:14:28.360: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*May 8 20:14:28.360: ISAKMP (0:0): vendor ID is NAT-T v7
*May 8 20:14:28.360: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*May 8 20:14:28.360: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2
*May 8 20:14:28.360: ISAKMP:(0): sending packet to 200.1.1.2 my_port 500 peer_port 500 (I) MM_SA_SETUP
*May 8 20:14:28.360: ISAKMP:(0):Sending an IKE IPv4 Packet.
*May 8 20:14:28.360: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*May 8 20:14:28.360: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3
*May 8 20:14:28.580: ISAKMP (0:0): received packet from 200.1.1.2 dport 500 sport 500 Global (I) MM_SA_SETUP
*May 8 20:14:28.580: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*May 8 20:14:28.580: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4
*May 8 20:14:28.580: ISAKMP:(0): processing KE payload. message ID = 0
*May 8 20:14:28.672: ISAKMP:(0): processing NONCE payload. message ID = 0
*May 8 20:14:28.672: ISAKMP:(0):found peer pre-shared key matching 200.1.1.2
*May 8 20:14:28.672: ISAKMP:(6153): processing vendor id payload
*May 8 20:14:28.672: ISAKMP:(6153): vendor ID is Unity
*May 8 20:14:28.672: ISAKMP:(6153): processing vendor id payload
*May 8 20:14:28.672: ISAKMP:(6153): vendor ID is DPD
*May 8 20:14:28.672: ISAKMP:(6153): processing vendor id payload
*May 8 20:14:28.672: ISAKMP:(6153): speaking to another IOS box!
*May 8 20:14:28.672: ISAKMP (0:6153): NAT found, the node outside NAT
*May 8 20:14:28.672: ISAKMP:(6153):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*May 8 20:14:28.672: ISAKMP:(6153):Old State = IKE_I_MM4 New State = IKE_I_MM4
*May 8 20:14:28.672: ISAKMP:(6151):purging SA., sa=45291908, delme=45291908
*May 8 20:14:28.672: ISAKMP:(6153):Send initial contact
*May 8 20:14:28.672: ISAKMP:(6153):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*May 8 20:14:28.672: ISAKMP (0:6153): ID payload
next-payload : 8
type : 1
address : 200.1.1.1
protocol : 17
port : 0
length : 12
*May 8 20:14:28.672: ISAKMP:(6153):Total payload length: 12
*May 8 20:14:28.672: ISAKMP:(6153): sending packet to 200.1.1.2 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
*May 8 20:14:28.672: ISAKMP:(6153):Sending an IKE IPv4 Packet.
*May 8 20:14:28.676: ISAKMP:(6153):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*May 8 20:14:28.676: ISAKMP:(6153):Old State = IKE_I_MM4 New State = IKE_I_MM5
*May 8 20:14:33.780: %CRYPTO-4-IKMP_NO_SA: IKE message from 200.1.1.2 has no SA and is not an initialization offer
R1#
*May 8 20:14:38.672: ISAKMP:(6153): retransmitting phase 1 MM_KEY_EXCH...
*May 8 20:14:38.672: ISAKMP (0:6153): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*May 8 20:14:38.672: ISAKMP:(6153): retransmitting phase 1 MM_KEY_EXCH
*May 8 20:14:38.672: ISAKMP:(6153): sending packet to 200.1.1.2 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
*May 8 20:14:38.672: ISAKMP:(6153):Sending an IKE IPv4 Packet.
R1#
*May 8 20:14:48.664: ISAKMP:(6152):purging node 1194713063
*May 8 20:14:48.672: ISAKMP:(6153): retransmitting phase 1 MM_KEY_EXCH...
*May 8 20:14:48.672: ISAKMP (0:6153): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*May 8 20:14:48.672: ISAKMP:(6153): retransmitting phase 1 MM_KEY_EXCH
*May 8 20:14:48.672: ISAKMP:(6153): sending packet to 200.1.1.2 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
*May 8 20:14:48.672: ISAKMP:(6153):Sending an IKE IPv4 Packet.
R1#
*May 8 20:14:58.140: ISAKMP: local port 500, remote port 500
*May 8 20:14:58.140: ISAKMP: set new node 0 to QM_IDLE
*May 8 20:14:58.140: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 45FEE170
*May 8 20:14:58.140: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*May 8 20:14:58.140: ISAKMP:(0):found peer pre-shared key matching 200.1.1.2
*May 8 20:14:58.140: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*May 8 20:14:58.140: ISAKMP:(0): constructed NAT-T vendor-07 ID
*May 8 20:14:58.140: ISAKMP:(0): constructed NAT-T vendor-03 ID
*May 8 20:14:58.140: ISAKMP:(0): constructed NAT-T vendor-02 ID
*May 8 20:14:58.140: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*May 8 20:14:58.140: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
*May 8 20:14:58.140: ISAKMP:(0): beginning Main Mode exchange
*May 8 20:14:58.140: ISAKMP:(0): sending packet to 200.1.1.2 my_port 500 peer_port 500 (I) MM_NO_STATE
*May 8 20:14:58.140: ISAKMP:(0):Sending an IKE IPv4 Packet.
*May 8 20:14:58.352: ISAKMP (0:0): received packet from 200.1.1.2 dport 500 sport 500 Global (I) MM_NO_STATE
*May 8 20:14:58.352: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*May 8 20:14:58.352: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2
*May 8 20:14:58.352: ISAKMP:(0): processing SA payload. message ID = 0
*May 8 20:14:58.356: ISAKMP:(0): processing vendor id payload
*May 8 20:14:58.356: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*May 8 20:14:58.356: ISAKMP (0:0): vendor ID is NAT-T v7
*May 8 20:14:58.356: ISAKMP:(0):found peer pre-shared key matching 200.1.1.2
*May 8 20:14:58.356: ISAKMP:(0): local preshared key found
*May 8 20:14:58.356: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*May 8 20:14:58.356: ISAKMP: encryption AES-CBC
*May 8 20:14:58.356: ISAKMP: keylength of 256
*May 8 20:14:58.356: ISAKMP: hash SHA
*May 8 20:14:58.356: ISAKMP: default group 5
*May 8 20:14:58.356: ISAKMP: auth pre-share
*May 8 20:14:58.356: ISAKMP: life type in seconds
*May 8 20:14:58.356: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*May 8 20:14:58.356: ISAKMP:(0):Encryption algorithm offered does not match policy!
*May 8 20:14:58.356: ISAKMP:(0):atts are not acceptable. Next payload is 0
*May 8 20:14:58.356: ISAKMP:(0):Checking ISAKMP transform 1 against priority 15 policy
*May 8 20:14:58.356: ISAKMP: encryption AES-CBC
*May 8 20:14:58.356: ISAKMP: keylength of 256
*May 8 20:14:58.356: ISAKMP: hash SHA
*May 8 20:14:58.356: ISAKMP: default group 5
*May 8 20:14:58.356: ISAKMP: auth pre-share
*May 8 20:14:58.356: ISAKMP: life type in seconds
*May 8 20:14:58.356: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*May 8 20:14:58.356: ISAKMP:(0):Encryption algorithm offered does not match policy!
*May 8 20:14:58.356: ISAKMP:(0):atts are not acceptable. Next payload is 0
*May 8 20:14:58.356: ISAKMP:(0):Checking ISAKMP transform 1 against priority 20 policy
*May 8 20:14:58.356: ISAKMP: encryption AES-CBC
*May 8 20:14:58.356: ISAKMP: keylength of 256
*May 8 20:14:58.356: ISAKMP: hash SHA
*May 8 20:14:58.356: ISAKMP: default group 5
*May 8 20:14:58.356: ISAKMP: auth pre-share
*May 8 20:14:58.356: ISAKMP: life type in seconds
*May 8 20:14:58.356: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*May 8 20:14:58.356: ISAKMP:(0):Diffie-Hellman group offered does not match policy!
*May 8 20:14:58.356: ISAKMP:(0):atts are not acceptable. Next payload is 0
*May 8 20:14:58.356: ISAKMP:(0):Checking ISAKMP transform 1 against priority 100 policy
*May 8 20:14:58.356: ISAKMP: encryption AES-CBC
*May 8 20:14:58.356: ISAKMP: keylength of 256
*May 8 20:14:58.356: ISAKMP: hash SHA
*May 8 20:14:58.356: ISAKMP: default group 5
*May 8 20:14:58.356: ISAKMP: auth pre-share
*May 8 20:14:58.356: ISAKMP: life type in seconds
*May 8 20:14:58.356: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*May 8 20:14:58.356: ISAKMP:(0):atts are acceptable. Next payload is 0
*May 8 20:14:58.356: ISAKMP:(0):Acceptable atts:actual life: 0
*May 8 20:14:58.356: ISAKMP:(0):Acceptable atts:life: 0
*May 8 20:14:58.356: ISAKMP:(0):Fill atts in sa vpi_length:4
*May 8 20:14:58.356: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
*May 8 20:14:58.356: ISAKMP:(0):Returning Actual lifetime: 86400
*May 8 20:14:58.356: ISAKMP:(0)::Started lifetime timer: 86400.
*May 8 20:14:58.356: ISAKMP:(0): processing vendor id payload
*May 8 20:14:58.356: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*May 8 20:14:58.356: ISAKMP (0:0): vendor ID is NAT-T v7
*May 8 20:14:58.356: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*May 8 20:14:58.356: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2
*May 8 20:14:58.356: ISAKMP:(0): sending packet to 200.1.1.2 my_port 500 peer_port 500 (I) MM_SA_SETUP
*May 8 20:14:58.356: ISAKMP:(0):Sending an IKE IPv4 Packet.
*May 8 20:14:58.360: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*May 8 20:14:58.360: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3
*May 8 20:14:58.580: ISAKMP (0:0): received packet from 200.1.1.2 dport 500 sport 500 Global (I) MM_SA_SETUP
*May 8 20:14:58.580: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*May 8 20:14:58.580: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4
*May 8 20:14:58.580: ISAKMP:(0): processing KE payload. message ID = 0
*May 8 20:14:58.668: ISAKMP:(0): processing NONCE payload. message ID = 0
*May 8 20:14:58.668: ISAKMP:(0):found peer pre-shared key matching 200.1.1.2
*May 8 20:14:58.668: ISAKMP:(6154): processing vendor id payload
*May 8 20:14:58.668: ISAKMP:(6154): vendor ID is Unity
*May 8 20:14:58.668: ISAKMP:(6154): processing vendor id payload
*May 8 20:14:58.668: ISAKMP:(6154): vendor ID is DPD
*May 8 20:14:58.668: ISAKMP:(6154): processing vendor id payload
*May 8 20:14:58.668: ISAKMP:(6154): speaking to another IOS box!
*May 8 20:14:58.668: ISAKMP (0:6154): NAT found, the node outside NAT
*May 8 20:14:58.668: ISAKMP:(6154):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*May 8 20:14:58.668: ISAKMP:(6154):Old State = IKE_I_MM4 New State = IKE_I_MM4
*May 8 20:14:58.668: ISAKMP:(6152):purging SA., sa=45FEB894, delme=45FEB894
*May 8 20:14:58.668: ISAKMP:(6154):Send initial contact
*May 8 20:14:58.668: ISAKMP:(6154):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*May 8 20:14:58.668: ISAKMP (0:6154): ID payload
next-payload : 8
type : 1
address : 200.1.1.1
protocol : 17
port : 0
length : 12
*May 8 20:14:58.668: ISAKMP:(6154):Total payload length: 12
*May 8 20:14:58.672: ISAKMP:(6154): sending packet to 200.1.1.2 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
*May 8 20:14:58.672: ISAKMP:(6154):Sending an IKE IPv4 Packet.
*May 8 20:14:58.672: ISAKMP:(6154):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*May 8 20:14:58.672: ISAKMP:(6154):Old State = IKE_I_MM4 New State = IKE_I_MM5
*May 8 20:14:58.672: ISAKMP:(6153): retransmitting phase 1 MM_KEY_EXCH...
*May 8 20:14:58.672: ISAKMP (0:6153): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
*May 8 20:14:58.672: ISAKMP:(6153): retransmitting phase 1 MM_KEY_EXCH
*May 8 20:14:58.672: ISAKMP:(6153): sending packet to 200.1.1.2 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
*May 8 20:14:58.672: ISAKMP:(6153):Sending an IKE IPv4 Packet.
R2 DEBUGS:
R2#debug crypto isakmp
Crypto ISAKMP debugging is on
R2#
May 8 15:17:52 CDT: ISAKMP: set new node 0 to QM_IDLE
May 8 15:17:52 CDT: ISAKMP:(0:1991:SW:1): sitting IDLE. Starting QM immediately (QM_IDLE )
May 8 15:17:52 CDT: ISAKMP:(0:1991:SW:1):beginning Quick Mode exchange, M-ID of -1574699992
May 8 15:17:52 CDT: ISAKMP:(0:1991:SW:1): sending packet to 200.1.1.1 my_port 4500 peer_port 4500 (R) QM_IDLE
May 8 15:17:52 CDT: ISAKMP:(0:1991:SW:1):Node -1574699992, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
May 8 15:17:52 CDT: ISAKMP:(0:1991:SW:1):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
May 8 15:17:52 CDT: ISAKMP:(0:1990:SW:1):purging SA., sa=64E62620, delme=64E62620
May 8 15:17:57 CDT: ISAKMP (0:134219719): received packet from 200.1.1.1 dport 4500 sport 4500 Global (R) QM_IDLE
May 8 15:17:57 CDT: ISAKMP:(0:1991:SW:1): phase 1 packet is a duplicate of a previous packet.
May 8 15:17:57 CDT: ISAKMP:(0:1991:SW:1): retransmitting due to retransmit phase 1
May 8 15:17:58 CDT: ISAKMP:(0:1991:SW:1): retransmitting phase 1 QM_IDLE ...
May 8 15:17:58 CDT: ISAKMP (0:134219719): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
May 8 15:17:58 CDT: ISAKMP:(0:1991:SW:1): retransmitting phase 1 QM_IDLE
May 8 15:17:58 CDT: ISAKMP:(0:1991:SW:1): sending packet to 200.1.1.1 my_port 4500 peer_port 4500 (R) QM_IDLE
May 8 15:18:02 CDT: ISAKMP:(0:1991:SW:1): retransmitting phase 2 QM_IDLE -1574699992 ...
May 8 15:18:02 CDT: ISAKMP (0:134219719): incrementing error counter on node, attempt 1 of 5: retransmit phase 2
May 8 15:18:02 CDT: ISAKMP (0:134219719): incrementing error counter on sa, attempt 2 of 5: retransmit phase 2
May 8 15:18:02 CDT: ISAKMP:(0:1991:SW:1): retransmitting phase 2 -1574699992 QM_IDLE
May 8 15:18:02 CDT: ISAKMP:(0:1991:SW:1): sending packet to 200.1.1.1 my_port 4500 peer_port 4500 (R) QM_IDLE
May 8 15:18:07 CDT: ISAKMP (0:134219719): received packet from 200.1.1.1 dport 4500 sport 4500 Global (R) QM_IDLE
May 8 15:18:07 CDT: ISAKMP:(0:1991:SW:1): phase 1 packet is a duplicate of a previous packet.
May 8 15:18:07 CDT: ISAKMP:(0:1991:SW:1): retransmitting due to retransmit phase 1
May 8 15:18:08 CDT: ISAKMP:(0:1991:SW:1): retransmitting phase 1 QM_IDLE ...
May 8 15:18:08 CDT: ISAKMP (0:134219719): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
May 8 15:18:08 CDT: ISAKMP:(0:1991:SW:1): retransmitting phase 1 QM_IDLE
May 8 15:18:08 CDT: ISAKMP:(0:1991:SW:1): sending packet to 200.1.1.1 my_port 4500 peer_port 4500 (R) QM_IDLE
May 8 15:18:12 CDT: ISAKMP:(0:1991:SW:1): retransmitting phase 2 QM_IDLE -1574699992 ...
May 8 15:18:12 CDT: ISAKMP (0:134219719): incrementing error counter on node, attempt 2 of 5: retransmit phase 2
May 8 15:18:12 CDT: ISAKMP (0:134219719): incrementing error counter on sa, attempt 4 of 5: retransmit phase 2
May 8 15:18:12 CDT: ISAKMP:(0:1991:SW:1): retransmitting phase 2 -1574699992 QM_IDLE
May 8 15:18:12 CDT: ISAKMP:(0:1991:SW:1): sending packet to 200.1.1.1 my_port 4500 peer_port 4500 (R) QM_IDLE
May 8 15:18:17 CDT: ISAKMP: local port 500, remote port 500
May 8 15:18:17 CDT: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 64E62620
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0):Old State = IKE_READY New State = IKE_R_MM1
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0): processing SA payload. message ID = 0
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0): processing vendor id payload
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 69 mismatch
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0): processing vendor id payload
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 245 mismatch
May 8 15:18:17 CDT: ISAKMP (0:0): vendor ID is NAT-T v7
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0): processing vendor id payload
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 157 mismatch
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v3
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0): processing vendor id payload
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 123 mismatch
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v2
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 200.1.1.1
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0): local preshared key found
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 5 policy
May 8 15:18:17 CDT: ISAKMP: encryption DES-CBC
May 8 15:18:17 CDT: ISAKMP: hash SHA
May 8 15:18:17 CDT: ISAKMP: default group 1
May 8 15:18:17 CDT: ISAKMP: auth pre-share
May 8 15:18:17 CDT: ISAKMP: life type in seconds
May 8 15:18:17 CDT: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 2 against priority 5 policy
May 8 15:18:17 CDT: ISAKMP: encryption 3DES-CBC
May 8 15:18:17 CDT: ISAKMP: hash SHA
May 8 15:18:17 CDT: ISAKMP: default group 2
May 8 15:18:17 CDT: ISAKMP: auth pre-share
May 8 15:18:17 CDT: ISAKMP: life type in seconds
May 8 15:18:17 CDT: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 3 against priority 5 policy
May 8 15:18:17 CDT: ISAKMP: encryption AES-CBC
May 8 15:18:17 CDT: ISAKMP: keylength of 256
May 8 15:18:17 CDT: ISAKMP: hash SHA
May 8 15:18:17 CDT: ISAKMP: default group 2
May 8 15:18:17 CDT: ISAKMP: auth pre-share
May 8 15:18:17 CDT: ISAKMP: life type in seconds
May 8 15:18:17 CDT: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0):Diffie-Hellman group offered does not match policy!
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 4 against priority 5 policy
May 8 15:18:17 CDT: ISAKMP: encryption AES-CBC
May 8 15:18:17 CDT: ISAKMP: keylength of 256
May 8 15:18:17 CDT: ISAKMP: hash SHA
May 8 15:18:17 CDT: ISAKMP: default group 5
May 8 15:18:17 CDT: ISAKMP: auth pre-share
May 8 15:18:17 CDT: ISAKMP: life type in seconds
May 8 15:18:17 CDT: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
May 8 15:18:17 CDT: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 3
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): processing vendor id payload
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): vendor ID seems Unity/DPD but major 69 mismatch
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): processing vendor id payload
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): vendor ID seems Unity/DPD but major 245 mismatch
May 8 15:18:17 CDT: ISAKMP (0:134219720): vendor ID is NAT-T v7
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): processing vendor id payload
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): vendor ID seems Unity/DPD but major 157 mismatch
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): vendor ID is NAT-T v3
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): processing vendor id payload
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): vendor ID seems Unity/DPD but major 123 mismatch
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): vendor ID is NAT-T v2
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):Old State = IKE_R_MM1 New State = IKE_R_MM1
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): constructed NAT-T vendor-07 ID
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): sending packet to 200.1.1.1 my_port 500 peer_port 500 (R) MM_SA_SETUP
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):Old State = IKE_R_MM1 New State = IKE_R_MM2
May 8 15:18:17 CDT: ISAKMP (0:134219720): received packet from 200.1.1.1 dport 500 sport 500 Global (R) MM_SA_SETUP
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):Old State = IKE_R_MM2 New State = IKE_R_MM3
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): processing KE payload. message ID = 0
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): processing NONCE payload. message ID = 0
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):found peer pre-shared key matching 200.1.1.1
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):SKEYID state generated
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): processing vendor id payload
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): vendor ID is Unity
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): processing vendor id payload
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): vendor ID is DPD
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): processing vendor id payload
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): speaking to another IOS box!
May 8 15:18:17 CDT: ISAKMP (0:134219720): NAT found, the node inside NAT
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):Old State = IKE_R_MM3 New State = IKE_R_MM3
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): sending packet to 200.1.1.1 my_port 500 peer_port 500 (R) MM_KEY_EXCH
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):Old State = IKE_R_MM3 New State = IKE_R_MM4
May 8 15:18:17 CDT: ISAKMP (0:134219719): received packet from 200.1.1.1 dport 4500 sport 4500 Global (R) QM_IDLE
May 8 15:18:17 CDT: ISAKMP:(0:1991:SW:1): phase 1 packet is a duplicate of a previous packet.
May 8 15:18:17 CDT: ISAKMP:(0:1991:SW:1): retransmitting due to retransmit phase 1
May 8 15:18:17 CDT: ISAKMP (0:134219720): received packet from 200.1.1.1 dport 4500 sport 4500 Global (R) MM_KEY_EXCH
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):Old State = IKE_R_MM4 New State = IKE_R_MM5
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): processing ID payload. message ID = 0
May 8 15:18:17 CDT: ISAKMP (0:134219720): ID payload
next-payload : 8
type : 1
address : 200.1.1.1
protocol : 17
port : 0
length : 12
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):: peer matches *none* of the profiles
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): processing HASH payload. message ID = 0
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): processing NOTIFY INITIAL_CONTACT protocol 1
spi 0, message ID = 0, sa = 64E62620
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):SA authentication status:
authenticated
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): Process initial contact,
bring down existing phase 1 and 2 SA's with local 10.64.11.253 remote 200.1.1.1 remote port 4500
May 8 15:18:17 CDT: ISAKMP:(0:1991:SW:1):received initial contact, deleting SA
May 8 15:18:17 CDT: ISAKMP:(0:1991:SW:1):peer does not do paranoid keepalives.
May 8 15:18:17 CDT: ISAKMP:(0:1991:SW:1):deleting SA reason "Receive initial contact" state (R) QM_IDLE (peer 200.1.1.1)
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):SA authentication status:
authenticated
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):SA has been authenticated with 200.1.1.1
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):Detected port floating to port = 4500
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):Setting UDP ENC peer struct 0x0 sa= 0x64E62620
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):Old State = IKE_R_MM5 New State = IKE_R_MM5
May 8 15:18:17 CDT: ISAKMP: set new node 231359858 to QM_IDLE
May 8 15:18:17 CDT: ISAKMP:(0:1991:SW:1): sending packet to 200.1.1.1 my_port 4500 peer_port 4500 (R) QM_IDLE
May 8 15:18:17 CDT: ISAKMP:(0:1991:SW:1):purging node 231359858
May 8 15:18:17 CDT: ISAKMP:(0:1991:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
May 8 15:18:17 CDT: ISAKMP:(0:1991:SW:1):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
May 8 15:18:17 CDT: ISAKMP (0:134219720): ID payload
next-payload : 8
type : 1
address : 10.64.11.253
protocol : 17
port : 0
length : 12
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):Total payload length: 12
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1): sending packet to 200.1.1.1 my_port 4500 peer_port 4500 (R) MM_KEY_EXCH
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
May 8 15:18:17 CDT: ISAKMP:(0:1991:SW:1):deleting SA reason "No reason" state (R) QM_IDLE (peer 200.1.1.1)
May 8 15:18:17 CDT: ISAKMP:(0:1991:SW:1):deleting node -1574699992 error FALSE reason "IKE deleted"
May 8 15:18:17 CDT: ISAKMP:(0:1991:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
May 8 15:18:17 CDT: ISAKMP:(0:1991:SW:1):Old State = IKE_DEST_SA New State = IKE_DEST_SA
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
R2#
May 8 15:18:22 CDT: ISAKMP: set new node 0 to QM_IDLE
May 8 15:18:22 CDT: ISAKMP:(0:1992:SW:1): sitting IDLE. Starting QM immediately (QM_IDLE )
May 8 15:18:22 CDT: ISAKMP:(0:1992:SW:1):beginning Quick Mode exchange, M-ID of 1324849371
May 8 15:18:22 CDT: ISAKMP:(0:1992:SW:1): sending packet to 200.1.1.1 my_port 4500 peer_port 4500 (R) QM_IDLE
May 8 15:18:22 CDT: ISAKMP:(0:1992:SW:1):Node 1324849371, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
May 8 15:18:22 CDT: ISAKMP:(0:1992:SW:1):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
May 8 15:18:27 CDT: ISAKMP (0:134219719): received packet from 200.1.1.1 dport 4500 sport 4500 Global (R) MM_NO_STATE
May 8 15:18:27 CDT: ISAKMP (0:134219720): received packet from 200.1.1.1 dport 4500 sport 4500 Global (R) QM_IDLE
May 8 15:18:27 CDT: ISAKMP:(0:1992:SW:1): phase 1 packet is a duplicate of a previous packet.
May 8 15:18:27 CDT: ISAKMP:(0:1992:SW:1): retransmitting due to retransmit phase 1
May 8 15:18:28 CDT: ISAKMP:(0:1992:SW:1): retransmitting phase 1 QM_IDLE ...
May 8 15:18:28 CDT: ISAKMP (0:134219720): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
May 8 15:18:28 CDT: ISAKMP:(0:1992:SW:1): retransmitting phase 1 QM_IDLE
May 8 15:18:28 CDT: ISAKMP:(0:1992:SW:1): sending packet to 200.1.1.1 my_port 4500 peer_port 4500 (R) QM_IDLE
R2#
May 8 15:18:32 CDT: ISAKMP:(0:1992:SW:1): retransmitting phase 2 QM_IDLE 1324849371 ...
May 8 15:18:32 CDT: ISAKMP (0:134219720): incrementing error counter on node, attempt 1 of 5: retransmit phase 2
May 8 15:18:32 CDT: ISAKMP (0:134219720): incrementing error counter on sa, attempt 2 of 5: retransmit phase 2
May 8 15:18:32 CDT: ISAKMP:(0:1992:SW:1): retransmitting phase 2 1324849371 QM_IDLE
May 8 15:18:32 CDT: ISAKMP:(0:1992:SW:1): sending packet to 200.1.1.1 my_port 4500 peer_port 4500 (R) QM_IDLE
R2#
May 8 15:18:37 CDT: ISAKMP (0:134219719): received packet from 200.1.1.1 dport 4500 sport 4500 Global (R) MM_NO_STATE
May 8 15:18:37 CDT: ISAKMP (0:134219720): received packet from 200.1.1.1 dport 4500 sport 4500 Global (R) QM_IDLE
May 8 15:18:37 CDT: ISAKMP:(0:1992:SW:1): phase 1 packet is a duplicate of a previous packet.
May 8 15:18:37 CDT: ISAKMP:(0:1992:SW:1): retransmitting due to retransmit phase 1
May 8 15:18:38 CDT: ISAKMP:(0:1992:SW:1): retransmitting phase 1 QM_IDLE ...
May 8 15:18:38 CDT: ISAKMP (0:134219720): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
R2#
R2#
May 8 15:18:38 CDT: ISAKMP:(0:1992:SW:1): retransmitting phase 1 QM_IDLE
May 8 15:18:38 CDT: ISAKMP:(0:1992:SW:1): sending packet to 200.1.1.1 my_port 4500 peer_port 4500 (R) QM_IDL
05-08-2013 01:36 PM
Also, output from "show crypto session"
R1:
Interface: Tunnel1
Session status: DOWN
Peer: 200.1.1.2 port 500
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
Active SAs: 0, origin: crypto map
Interface: Tunnel1
Session status: DOWN-NEGOTIATING
Peer: 200.1.1.2 port 4500
IKE SA: local 200.1.1.1/4500 remote 200.1.1.2/4500 Inactive
IKE SA: local 200.1.1.1/4500 remote 200.1.1.2/4500 Inactive
R2:
Interface: Tunnel2
Session status: DOWN
Peer: 200.1.1.1 port 500
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
Active SAs: 0, origin: crypto map
Interface: GigabitEthernet0/1
Session status: UP-IDLE
Peer: 200.1.1.1 port 4500
IKE SA: local 10.1.1.1/4500 remote 200.1.1.1/4500 Active
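An added example, not part of the original posts: a small Python parser for the `debug crypto isakmp` output above that groups lines per IKE SA and reports state transitions, retransmit counters and ID payload addresses. The function names are hypothetical, and treating the long SA id as 0x8000000 plus the connection id is an assumption read off this log (134219720 and 1992), not documented IOS behaviour.

```python
import re
from collections import defaultdict

# A subset of the R2 debug lines posted above, kept in their original order.
SAMPLE = """\
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):Old State = IKE_R_MM4 New State = IKE_R_MM5
May 8 15:18:17 CDT: ISAKMP (0:134219720): ID payload
type : 1
address : 200.1.1.1
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):SA has been authenticated with 200.1.1.1
May 8 15:18:17 CDT: ISAKMP:(0:1991:SW:1):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA
May 8 15:18:17 CDT: ISAKMP (0:134219720): ID payload
address : 10.64.11.253
May 8 15:18:17 CDT: ISAKMP:(0:1992:SW:1):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
May 8 15:18:22 CDT: ISAKMP:(0:1992:SW:1):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
May 8 15:18:28 CDT: ISAKMP (0:134219720): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
May 8 15:18:32 CDT: ISAKMP (0:134219720): incrementing error counter on sa, attempt 2 of 5: retransmit phase 2
May 8 15:18:38 CDT: ISAKMP (0:134219720): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
"""

# Matches ISAKMP:(6154):, ISAKMP (0:6154):, ISAKMP:(0:1992:SW:1): and ISAKMP (0:134219720):
SA_RE = re.compile(r"ISAKMP:?\s*\((?:\d+:)?(\d+)(?::[^)]*)?\)")
STATE_RE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
RETX_RE = re.compile(r"attempt (\d+) of (\d+): retransmit phase (\d)")
ADDR_RE = re.compile(r"^address\s*:\s*(\S+)")

def conn_id(raw):
    """Map either id form to the short connection id.
    Assumption from this log only: the long form is 0x8000000 + connection id."""
    n = int(raw)
    return n & 0x7FFFFFF if n >= 0x8000000 else n

def summarize(text):
    """Group debug lines per SA: ordered events, ID payload addresses, auth flag."""
    sas = defaultdict(lambda: {"events": [], "ids": [], "authenticated": False})
    current = None  # SA owning the untimestamped continuation lines that follow
    for line in text.splitlines():
        m = SA_RE.search(line)
        if m:
            current = conn_id(m.group(1))
            sa = sas[current]
            if s := STATE_RE.search(line):
                if s.group(1) != s.group(2):  # skip no-op self transitions
                    sa["events"].append(("state", s.group(2)))
            elif r := RETX_RE.search(line):
                sa["events"].append(("retx", int(r.group(1)), int(r.group(3))))
            elif "SA has been authenticated" in line:
                sa["authenticated"] = True
        elif "ISAKMP" in line:
            current = None  # ISAKMP line without an SA id: no owner for what follows
        elif current is not None and (a := ADDR_RE.match(line.strip())):
            sas[current]["ids"].append(a.group(1))
    return dict(sas)

def stalled_after_phase1(sa):
    """True if retransmit counters appear after the SA reached IKE_P1_COMPLETE."""
    ev = sa["events"]
    if ("state", "IKE_P1_COMPLETE") not in ev:
        return False
    done = ev.index(("state", "IKE_P1_COMPLETE"))
    return any(e[0] == "retx" for e in ev[done + 1:])

if __name__ == "__main__":
    for cid, sa in sorted(summarize(SAMPLE).items()):
        print(cid, sa["events"], sa["ids"], stalled_after_phase1(sa))
```

Run against both routers' full debugs, the per-SA view makes it easier to compare which side considers Phase 1 complete and which side is still retransmitting.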