02-13-2013 11:59 AM - edited 02-21-2020 06:42 PM
I'm having an issue with the Phase 1 and Phase 2 for a VPN connection for a customer. I've verified that the phase 1 and phase 2 settings are correct with the vendor at the other endpoint, but I'm still failing during phase 1. I've attached the config of my router at this end, along with the debug info below that I'm getting. I've searched high and low, but haven't been able to come up with any answers. We are using a Cisco 1921, and they have a Watchguard at the other end. ANY help would be greatly appreciated.
Feb 13 18:00:13.642: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= x.x.x.26:500, remote= x.x.x.68:500,
local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
remote_proxy= 10.200.1.112/255.255.255.248/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-sha-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
Feb 13 18:00:13.642: ISAKMP:(0): SA request profile is (NULL)
Feb 13 18:00:13.642: ISAKMP: Created a peer struct for x.x.x.68, peer port 500
Feb 13 18:00:13.642: ISAKMP: New peer created peer = 0x290E0910 peer_handle = 0x80000029
Feb 13 18:00:13.642: ISAKMP: Locking peer struct 0x290E0910, refcount 1 for isakmp_initiator
Feb 13 18:00:13.642: ISAKMP: local port 500, remote port 500
Feb 13 18:00:13.642: ISAKMP: set new node 0 to QM_IDLE
Feb 13 18:00:13.642: ISAKMP:(0):insert sa successfully sa = 3183CCCC
Feb 13 18:00:13.642: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
Feb 13 18:00:13.642: ISAKMP:(0):found peer pre-shared key matching x.x.x.68
Feb 13 18:00:13.642: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
Feb 13 18:00:13.642: ISAKMP:(0): constructed NAT-T vendor-07 ID
Feb 13 18:00:13.642: ISAKMP:(0): constructed NAT-T vendor-03 ID
Feb 13 18:00:13.642: ISAKMP:(0): constructed NAT-T vendor-02 ID
Feb 13 18:00:13.642: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Feb 13 18:00:13.642: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
Feb 13 18:00:13.642: ISAKMP:(0): beginning Main Mode exchange
Feb 13 18:00:13.642: ISAKMP:(0): sending packet to x.x.x.68 my_port 500 peer_port 500 (I) MM_NO_STATE
Feb 13 18:00:13.642: ISAKMP:(0):Sending an IKE IPv4 Packet.
Feb 13 18:00:13.714: ISAKMP (0): received packet from x.x.x.68 dport 500 sport 500 Global (I) MM_NO_STATE
Feb 13 18:00:13.714: ISAKMP:(0):Notify has no hash. Rejected.
Feb 13 18:00:13.714: ISAKMP (0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY: state = IKE_I_MM1
Feb 13 18:00:13.714: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Feb 13 18:00:13.714: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM1
Feb 13 18:00:13.714: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at x.x.x.68
Feb 13 18:00:23.642: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Feb 13 18:00:23.642: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Feb 13 18:00:23.642: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Feb 13 18:00:23.642: ISAKMP:(0): sending packet to x.x.x.68 my_port 500 peer_port 500 (I) MM_NO_STATE
Feb 13 18:00:23.642: ISAKMP:(0):Sending an IKE IPv4 Packet.
Feb 13 18:00:23.710: ISAKMP (0): received packet from x.x.x.68 dport 500 sport 500 Global (I) MM_NO_STATE
Feb 13 18:00:23.710: ISAKMP:(0):Notify has no hash. Rejected.
Feb 13 18:00:23.710: ISAKMP (0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY: state = IKE_I_MM1
Feb 13 18:00:23.710: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Feb 13 18:00:23.710: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM1
Feb 13 18:00:33.642: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Feb 13 18:00:33.642: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
Feb 13 18:00:33.642: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Feb 13 18:00:33.642: ISAKMP:(0): sending packet to x.x.x.68 my_port 500 peer_port 500 (I) MM_NO_STATE
Feb 13 18:00:33.642: ISAKMP:(0):Sending an IKE IPv4 Packet.
Feb 13 18:00:33.710: ISAKMP (0): received packet from x.x.x.68 dport 500 sport 500 Global (I) MM_NO_STATE
Feb 13 18:00:33.710: ISAKMP:(0):Notify has no hash. Rejected.
Feb 13 18:00:33.710: ISAKMP (0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY: state = IKE_I_MM1
Feb 13 18:00:33.710: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Feb 13 18:00:33.710: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM1
Feb 13 18:00:43.642: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Feb 13 18:00:43.642: ISAKMP (0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
Feb 13 18:00:43.642: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Feb 13 18:00:43.642: ISAKMP:(0): sending packet to x.x.x.68 my_port 500 peer_port 500 (I) MM_NO_STATE
Feb 13 18:00:43.642: ISAKMP:(0):Sending an IKE IPv4 Packet.
Feb 13 18:00:43.642: IPSEC(key_engine): request timer fired: count = 1,
(identity) local= x.x.x.26:0, remote= x.x.x.68:0,
local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
remote_proxy= 10.200.1.112/255.255.255.248/0/0 (type=4)
Feb 13 18:00:43.642: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= x.x.x.26:500, remote= x.x.x.68:500,
local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
remote_proxy= 10.200.1.112/255.255.255.248/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-sha-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
Feb 13 18:00:43.642: ISAKMP: set new node 0 to QM_IDLE
Feb 13 18:00:43.642: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local x.x.x.26, remote x.x.x.68)
Feb 13 18:00:43.642: ISAKMP: Error while processing SA request: Failed to initialize SA
Feb 13 18:00:43.642: ISAKMP: Error while processing KMI message 0, error 2.
Feb 13 18:00:43.714: ISAKMP (0): received packet from x.x.x.68 dport 500 sport 500 Global (I) MM_NO_STATE
Feb 13 18:00:43.714: ISAKMP:(0):Notify has no hash. Rejected.
Feb 13 18:00:43.714: ISAKMP (0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY: state = IKE_I_MM1
Feb 13 18:00:43.714: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Feb 13 18:00:43.714: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM1
Feb 13 18:00:53.642: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Feb 13 18:00:53.642: ISAKMP (0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
Feb 13 18:00:53.642: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Feb 13 18:00:53.642: ISAKMP:(0): sending packet to x.x.x.68 my_port 500 peer_port 500 (I) MM_NO_STATE
Feb 13 18:00:53.642: ISAKMP:(0):Sending an IKE IPv4 Packet.
Feb 13 18:00:53.710: ISAKMP (0): received packet from x.x.x.68 dport 500 sport 500 Global (I) MM_NO_STATE
Feb 13 18:00:53.710: ISAKMP:(0):Notify has no hash. Rejected.
Feb 13 18:00:53.710: ISAKMP (0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY: state = IKE_I_MM1
Feb 13 18:00:53.710: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Feb 13 18:00:53.710: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM1
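As an added example (not from the thread), a small Python triage script for a `debug crypto isakmp` capture like the one above: it pulls out the phase 1 state transitions, counts the unauthenticated informational notifies the router rejected and the retransmits, and flags the pattern seen here, where the initiator never gets past IKE_I_MM1. The sample lines are a constructed abridgement of the output above; the function and field names are mine.

```python
import re

# Constructed sample: an abridged copy of the debug output shown in the post.
SAMPLE_DEBUG = """\
Feb 13 18:00:13.642: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
Feb 13 18:00:13.642: ISAKMP:(0): sending packet to x.x.x.68 my_port 500 peer_port 500 (I) MM_NO_STATE
Feb 13 18:00:13.714: ISAKMP (0): received packet from x.x.x.68 dport 500 sport 500 Global (I) MM_NO_STATE
Feb 13 18:00:13.714: ISAKMP:(0):Notify has no hash. Rejected.
Feb 13 18:00:13.714: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM1
Feb 13 18:00:23.642: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Feb 13 18:00:23.714: ISAKMP:(0):Notify has no hash. Rejected.
Feb 13 18:00:33.642: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
"""

STATE_RE = re.compile(r"Old State = (\S+) New State = (\S+)")
RETRANS_RE = re.compile(r"attempt (\d+) of (\d+): retransmit phase 1")
PEER_RE = re.compile(r"received packet from (\S+) dport")

def triage_ike_debug(text):
    """Summarise an ISAKMP debug capture as a dict: last phase 1 state reached,
    number of rejected hash-less notifies, highest retransmit attempt and peer."""
    states, rejected, retransmits, peer = [], 0, 0, None
    for line in text.splitlines():
        m = STATE_RE.search(line)
        if m:
            states.append(m.group(2))
        if "Notify has no hash. Rejected." in line:
            rejected += 1
        m = RETRANS_RE.search(line)
        if m:
            retransmits = max(retransmits, int(m.group(1)))
        m = PEER_RE.search(line)
        if m:
            peer = m.group(1)
    last_state = states[-1] if states else None
    # IKE_I_MM1 means our first main-mode message (the proposal) went out but the
    # expected MM2 reply never arrived; only unauthenticated notifies came back.
    stuck_in_mm1 = last_state == "IKE_I_MM1" and rejected > 0
    hint = None
    if stuck_in_mm1:
        hint = (f"phase 1 stuck at IKE_I_MM1 with peer {peer}: the peer rejected or "
                "ignored the proposal; compare encryption, hash, auth method, DH group "
                "and lifetime of the ISAKMP policy against the peer's phase 1 settings")
    return {"last_state": last_state, "rejected_notifies": rejected,
            "retransmits": retransmits, "peer": peer,
            "stuck_in_mm1": stuck_in_mm1, "hint": hint}

if __name__ == "__main__":
    for k, v in triage_ike_debug(SAMPLE_DEBUG).items():
        print(f"{k}: {v}")
```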
02-13-2013 06:36 PM
Hello Crystal,
Doesn't seem that the devices are getting past phase 1.
Could you specify the hash in the ISAKMP policies you're using? I believe it defaults to MD5, but I would go ahead and add that to your configuration (matching whatever the Watchguard is set for).
-Gabriel
02-13-2013 08:03 PM
Here is the policy. The Watchguard has phase 1 set to SHA1-3DES.
bfccrtr#sh crypto isakmp policy
Global IKE policy
Protection suite of priority 1
encryption algorithm: Three key triple DES
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #2 (1024 bit)
lifetime: 3600 seconds, no volume limit
This is why I'm so confused with this. It appears to me that everything is matched up. The Watchguard has multiple other VPN tunnels configured on it, but none with a Cisco device on the other end, so I'm not getting much help from that vendor. Unfortunately, I'm not familiar with the Watchguard device.
02-13-2013 08:26 PM
Hello Crystal,
Strange problem indeed. I still believe this is a phase 1 issue due to something being different between the two sides.
Please be sure to specify the hash in your configuration:
crypto isakmp policy 1
encr 3des
hash sha
authentication pre-share
group 2
lifetime 3600
Also, are you sure that the Watchguard is using group 2?
02-14-2013 06:37 AM
Yes, I've specifically added the command 'hash sha' under the policy. I also have screenshots from the vendor that show that they are using key group 2.
The router at my end is a 1921 with the security license upgrade. Is there a possibility there is an issue with the firmware version on this router?
02-15-2013 05:56 AM
Hello Crystal,
There is a bug for the issue you are having but it was in the 12.2 code. I doubt that's what you're having.
I would reach out to the guy using the Watchguard device and ask them to switch the hash to MD5. Make an ISAKMP policy with md5 and test again.
02-15-2013 12:20 PM
Ok, I think we've tried that already, but I've requested that he change it to MD5 so we can test that way. I will reply with the results as soon as I have them.
02-15-2013 01:47 PM
Ok, we've modified it to MD5, and that's doing the exact same thing. Is there anything else I can check?