Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1484
Views
0
Helpful
2
Replies

ISAKMP Failure (IKE PHASE 1)

antoinetbridges
Level 1
Level 1

‎04-15-2015 09:01 AM

Hello guys!

I hope this is a simple question that some awesome user can help me with...

 

Overnight I had one of my VPN tunnels fail between my office and a remote office.  My VPN router has several IPsec VPN tunnels setup and the rest of them still work fine.

 

 I keep seeing this in my debug: 

*Apr 15 10:17:57.123: ISAKMP: Error while processing SA request: Failed to initialize SA
*Apr 15 10:17:57.123: ISAKMP: Error while processing KMI message 0, error 2.

...

*Apr 15 10:17:55.847: ISAKMP (0): received packet from x.x.x.x (remote side) dport 500 sport 500 Global (R) MM_SA_SETUP
*Apr 15 10:17:55.847: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.
*Apr 15 10:17:55.847: ISAKMP:(0): retransmitting due to retransmit phase 1
*Apr 15 10:17:56.347: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...
*Apr 15 10:17:56.347: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Apr 15 10:17:56.347: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP

 

and this repeats over and over again.  I have a suspicion that one of the routers that are out of my control is filtering my outgoing UDP port 500 packets.  The funny thing is that i did a packet capture in my office parallel to the VPN router and i can see UDP 500 packets coming and going from here.  

 

I just cannot verify that the remote side is receiving them as this is whats in its debug:

*Apr 15 12:49:51.067: ISAKMP:(0): beginning Main Mode exchange

*Apr 15 12:49:51.067: ISAKMP:(0): sending packet to x.x.x.x my_port 500 peer_port 500 (I) MM_NO_STATE

*Apr 15 12:49:51.067: ISAKMP:(0):Sending an IKE IPv4 Packet.

*Apr 15 12:49:51.879: ISAKMP: set new node 0 to QM_IDLE      

*Apr 15 12:49:51.879: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local x.x.x.x, remote x.x.x.x)

*Apr 15 12:49:51.879: ISAKMP: Error while processing SA request: Failed to initialize SA

*Apr 15 12:49:51.879: ISAKMP: Error while processing KMI message 0, error 2.

 

Does my theory sound right to you all?  I want to call the provider and notify them but i don't want to bother them if I'm missing something else.

 

Any help would be great!

 

Thanks!

 

Labels:
0 Helpful
2 Replies 2

guibarati
Level 4
Level 4

‎04-15-2015 12:37 PM

Yes, seems like the other side is not receiving/responding to the VPN connection.

0 Helpful

antoinetbridges
Level 1
Level 1
In response to guibarati

‎04-15-2015 01:19 PM

Thanks guibarati!  

 

I think you are right... 

 

Tomorrow I'm going to have to ask the remote side to send me some packet captures.

 

Thanks again for your input.  If that turns out to be it, ill come back and hit the correct answer box!

 

Antoine

0 Helpful
Customers Also Viewed These Support Documents