Issue in VPN tunnels between 1700 (hub) and 1700 and PIX (spokes)

curhed
Level 1

One tunnel endpoint (10.7.7.7) doesn't come up (PIX 501). IKE Phase 1 fails.

<#debug crypto isakmp> on the 1700 (which is a hub with a VPN accelerator card, connected to 10 other tunnel endpoints) shows the following:

01:25:53: ISAKMP (0:90): deleting node 1453655805 error FALSE reason "quick mode done (await()"
01:25:56: ISAKMP (0:89): retransmitting phase 1 MM_NO_STATE...
01:25:56: ISAKMP (0:89): incrementing error counter on sa: retransmit phase 1
01:25:56: ISAKMP (0:89): retransmitting phase 1 MM_NO_STATE
01:25:56: ISAKMP (0:89): sending packet to 10.7.7.7 (I) MM_NO_STATE
01:26:06: ISAKMP: received ke message (1/1)
01:26:06: ISAKMP (0:89): SA is still budding. Attached new ipsec request to it.
01:26:06: ISAKMP (0:89): retransmitting phase 1 MM_NO_STATE...
01:26:06: ISAKMP (0:89): incrementing error counter on sa: retransmit phase 1
01:26:06: ISAKMP (0:89): retransmitting phase 1 MM_NO_STATE
01:26:06: ISAKMP (0:89): sending packet to 10.7.7.7 (I) MM_NO_STATE
01:26:16: ISAKMP (0:89): retransmitting phase 1 MM_NO_STATE...
01:26:16: ISAKMP (0:89): incrementing error counter on sa: retransmit phase 1
01:26:16: ISAKMP (0:89): retransmitting phase 1 MM_NO_STATE
01:26:16: ISAKMP (0:89): sending packet to 10.7.7.7 (I) MM_NO_STATE
01:26:18: ISAKMP (0:90): received packet from 10.1.1.1 (R) QM_IDLE
01:26:18: ISAKMP (0:90): processing HASH payload. message ID = -339408301
01:26:18: ISAKMP (0:90): processing DELETE payload. message ID = -339408301
01:26:18: ISAKMP (0:90): peer does not do paranoid keepalives.
01:26:18: ISAKMP (0:90): deleting node -339408301 error FALSE reason "informational (in) state 1"
01:26:25: ISAKMP (0:88): purging node 1313647512
01:26:25: ISAKMP (0:88): purging node 17748111
01:26:26: ISAKMP (0:89): retransmitting phase 1 MM_NO_STATE...
01:26:26: ISAKMP (0:89): incrementing error counter on sa: retransmit phase 1
01:26:26: ISAKMP (0:89): retransmitting phase 1 MM_NO_STATE
01:26:26: ISAKMP (0:89): sending packet to 10.7.7.7 (I) MM_NO_STATE
01:26:35: ISAKMP (0:88): purging SA., sa=8119C3F4, delme=8119C3F4
01:26:36: ISAKMP: received ke message (3/1)
01:26:36: ISAKMP (0:89): ignoring request to send delete notify (sa not authenticated) src 10.2.2.2 dst 10.7.7.7
01:26:36: ISAKMP (0:89): retransmitting phase 1 MM_NO_STATE...
01:26:36: ISAKMP (0:89): peer does not do paranoid keepalives.
01:26:36: ISAKMP (0:89): deleting SA reason "death by retransmission P1" state (I) MM_NO_STATE (peer 10.7.7.7) input queue 0
01:26:36: ISAKMP (0:89): deleting node -310053878 error TRUE reason "death by retransmission P1"
01:26:36: ISAKMP (0:89): deleting node 2111359840 error TRUE reason "death by retransmission P1"
01:26:39: ISAKMP (0:73): purging SA., sa=812D3108, delme=812D3108
01:26:39: ISAKMP: received ke message (1/1)

2 Replies

gfullage
Cisco Employee

The "retransmitting" messages indicate that the 1700 has sent a reply to the 501's negotiation request, but has not received anything back. It waits a while then retransmits the reply. This generally means that something is filtering the ISAKMP messages from getting to the 501, so the 501 is sending requests out, but not receiving anything back either.

Since the 1700 has 10 other tunnels that are working fine, nothing is obviously being filtered at that end. You need to look at the 501 end and see why the UDP/500 packets aren't making it to the 501.
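As an added illustration (not part of this thread and not Cisco's own tooling), the script below summarises the `debug crypto isakmp` output quoted in the question per ISAKMP SA and flags the pattern the reply describes: an SA on which the hub keeps sending main-mode packets, never receives one back, and finally dies with "death by retransmission P1". The regular expressions are assumptions derived from the message wording visible above; other IOS releases may phrase these lines differently. The sample input is an excerpt of the post's own debug output with the wrapped lines rejoined.

```python
"""Summarise Cisco IOS `debug crypto isakmp` output per IKE SA.

Added illustration for this thread, not code from the original post or
from Cisco. The regexes are assumptions based on the message formats
visible in the quoted debug; adjust them for other IOS releases.
"""
import re
from collections import defaultdict

# Excerpt of the debug output quoted in the question (wrapped lines rejoined).
SAMPLE_DEBUG = """\
01:25:56: ISAKMP (0:89): retransmitting phase 1 MM_NO_STATE...
01:25:56: ISAKMP (0:89): incrementing error counter on sa: retransmit phase 1
01:25:56: ISAKMP (0:89): sending packet to 10.7.7.7 (I) MM_NO_STATE
01:26:06: ISAKMP (0:89): retransmitting phase 1 MM_NO_STATE...
01:26:06: ISAKMP (0:89): incrementing error counter on sa: retransmit phase 1
01:26:06: ISAKMP (0:89): sending packet to 10.7.7.7 (I) MM_NO_STATE
01:26:18: ISAKMP (0:90): received packet from 10.1.1.1 (R) QM_IDLE
01:26:18: ISAKMP (0:90): processing DELETE payload. message ID = -339408301
01:26:36: ISAKMP: received ke message (3/1)
01:26:36: ISAKMP (0:89): deleting SA reason "death by retransmission P1" state (I) MM_NO_STATE (peer 10.7.7.7) input queue 0
"""

# "hh:mm:ss: ISAKMP (ctx:sa): message"; lines without an SA id are skipped.
LINE_RE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d): ISAKMP \((?P<ctx>\d+):(?P<sa>\d+)\): (?P<msg>.*)$")
# The three places a peer address shows up in the quoted output.
PEER_RE = re.compile(r"(?:sending packet to|received packet from|\(peer) (?P<ip>\d{1,3}(?:\.\d{1,3}){3})")
# IKE main mode (MM_*), quick mode (QM_*) and aggressive mode (AG_*) state names.
STATE_RE = re.compile(r"\b((?:MM|QM|AG)_[A-Z0-9_]+)\b")


def _new_sa():
    return {"peer": None, "role": None, "retransmits": 0, "sent": 0, "received": 0,
            "last_state": None, "dead": False, "first_seen": None, "last_seen": None}


def summarise_isakmp_debug(text):
    """Return {sa_id: summary} for every ISAKMP SA mentioned in the debug text."""
    sas = defaultdict(_new_sa)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # e.g. "ISAKMP: received ke message (3/1)" carries no SA id
        sa, msg = sas[m["sa"]], m["msg"]
        sa["first_seen"] = sa["first_seen"] or m["ts"]
        sa["last_seen"] = m["ts"]
        p = PEER_RE.search(msg)
        if p:
            sa["peer"] = p["ip"]
        if "(I)" in msg:            # IOS marks our role as (I)nitiator or (R)esponder
            sa["role"] = "initiator"
        elif "(R)" in msg:
            sa["role"] = "responder"
        s = STATE_RE.search(msg)
        if s:
            sa["last_state"] = s.group(1)
        if "incrementing error counter on sa: retransmit phase 1" in msg:
            sa["retransmits"] += 1
        if msg.startswith("sending packet to"):
            sa["sent"] += 1
        if msg.startswith("received packet from"):
            sa["received"] += 1
        if "death by retransmission P1" in msg:
            sa["dead"] = True
    return dict(sas)


def phase1_failures(summary):
    """Peers whose SA died in main mode without a single packet ever received.

    Packets sent, nothing received, MM_NO_STATE until "death by retransmission
    P1": the signature of IKE (UDP/500) traffic not completing a round trip.
    """
    return sorted(
        s["peer"] for s in summary.values()
        if s["dead"] and s["received"] == 0 and (s["last_state"] or "").startswith("MM_")
    )


if __name__ == "__main__":
    report = summarise_isakmp_debug(SAMPLE_DEBUG)
    for sa_id, s in sorted(report.items(), key=lambda kv: int(kv[0])):
        print(f"SA {sa_id}: peer={s['peer']} role={s['role']} state={s['last_state']} "
              f"sent={s['sent']} recv={s['received']} retransmits={s['retransmits']} dead={s['dead']}")
    print("phase 1 failures (no reply ever received):", phase1_failures(report))
```

Run against a full debug capture, the per-SA table separates a peer that never answers (SA 89 above: two packets sent, none received, dead) from peers that complete Phase 1 and go on to QM_IDLE (SA 90), which is the distinction the reply draws between a filtering problem and a negotiation mismatch.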

Yes, thanks for the reply. It was exactly what I asked the ISP, but they denied that anything was filtered.

Can I test it somehow?