08-20-2013 10:36 AM
For the life of me, I can't come up with an answer to this... We have a working vpn tunnel using our old configuration between an 831 and a 2821. The 831 is running IOS v12.4(25d). However, when we try changing the remote configuration with a replacement startup-config, the VPN tunnel never comes up, and in fact, it seems to be failing in isakmp phase 1.
The "new" config is based on a template that we've used at nearly 200 stores with no problems at all. These templates give us identical configs on all our 831s, with the exception of site names and IP addresses. The configs are using gre tunnels and ipsec in transport mode. We've replaced the 831, and tried building new configs from the template, but it never works. Again, the VPN tunnel comes up using the "old configuration," while we get "Tunnel100 up down" with the new configs.
The isakmp settings match, and I've checked the keys (however it never even gets to the key exchange.) If anyone can give me a hint on where to start from some debug logs, I'd REALLY appreciate it. The system only seems to get as far as MM_NO_STATE, though there are a few IPSEC attempts too.
Here is some output from the C831, with "debug crypt isakmp" and "debug crypt ipsec" There are 2 tunnels, 1 to our main site (208.XXX.76,XXX), one to our DR site (208.XXX.78.XXX), and the remote site is 207.XXX.125.XXX.
03:16:51: ISAKMP:(0:0:N/A:0): SA request profile is (NULL)
03:16:51: ISAKMP: Created a peer struct for 208.XXX.176.XXX, peer port 500
03:16:51: ISAKMP: New peer created peer = 0x81D39808 peer_handle = 0x8000018B
03:16:51: ISAKMP: Locking peer struct 0x81D39808, IKE refcount 1 for isakmp_initiator
03:16:51: ISAKMP: local port 500, remote port 500
03:16:51: ISAKMP: set new node 0 to QM_IDLE
03:16:51: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 8240619C
03:16:51: ISAKMP:(0:0:N/A:0):Can not start Aggressive mode, trying Main mode.
03:16:51: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 208.XXX.176.XXX
03:16:51: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-07 ID
03:16:51: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-03 ID
03:16:51: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-02 ID
03:16:51: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
03:16:51: ISAKMP:(0:0:N/A:0):Old State = IKE_READY New State = IKE_I_MM1
03:16:51: ISAKMP:(0:0:N/A:0): beginning Main Mode exchange
03:16:51: ISAKMP:(0:0:N/A:0): sending packet to 208.XXX.176.XXX my_port 500 peer_port 500 (I) MM_NO_STATE
03:16:51: IPSEC(key_engine): request timer fired: count = 2,
(identity) local= 207.XXX.125.XXX, remote= 208.XXX.178.XXX,
local_proxy= 207.XXX.125.XXX/255.255.255.255/47/0 (type=1),
remote_proxy= 208.XXX.178.XXX/255.255.255.255/47/0 (type=1)
03:16:51: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 207.XXX.125.XXX, remote= 208.XXX.178.XXX,
local_proxy= 207.XXX.125.XXX/255.255.255.255/47/0 (type=1),
remote_proxy= 208.XXX.178.XXX/255.255.255.255/47/0 (type=1),
protocol= ESP, transform= esp-3des esp-sha-hmac (Transport),
lifedur= 3600s and 4608000kb,
spi= 0xC32D1D73(3274513779), conn_id= 0, keysize= 0, flags= 0x400C
03:16:51: ISAKMP: received ke message (3/1)
03:16:51: ISAKMP:(0:0:N/A:0):peer does not do paranoid keepalives.
03:16:51: ISAKMP:(0:0:N/A:0):deleting SA reason "P1 delete notify (in)" state (I) MM_NO_STATE (peer 208.XXX.178.XXX)
03:16:51: ISAKMP:(0:0:N/A:0):peer does not do paranoid keepalives.
03:16:51: ISAKMP: received ke message (1/1)
03:16:51: ISAKMP:(0:0:N/A:0): SA request profile is (NULL)
03:16:51: ISAKMP: Created a peer struct for 208.XXX.178.XXX, peer port 500
03:16:51: ISAKMP: New peer created peer = 0x820B4594 peer_handle = 0x80000188
03:16:51: ISAKMP: Locking peer struct 0x820B4594, IKE refcount 1 for isakmp_initiator
03:16:51: ISAKMP: local port 500, remote port 500
03:16:51: ISAKMP: set new node 0 to QM_IDLE
03:16:51: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 81FE84BC
03:16:51: ISAKMP:(0:0:N/A:0):Can not start Aggressive mode, trying Main mode.
03:16:51: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 208.XXX.178.XXX
03:16:51: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-07 ID
03:16:51: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-03 ID
03:16:51: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-02 ID
03:16:51: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
03:16:51: ISAKMP:(0:0:N/A:0):Old State = IKE_READY New State = IKE_I_MM1
03:16:51: ISAKMP:(0:0:N/A:0): beginning Main Mode exchange
03:16:51: ISAKMP:(0:0:N/A:0): sending packet to 208.XXX.178.XXX my_port 500 peer_port 500 (I) MM_NO_STATE
03:16:51: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...
03:16:51: ISAKMP (0:0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
03:16:51: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE
03:16:51: ISAKMP:(0:0:N/A:0): sending packet to 208.XXX.178.XXX my_port 500 peer_port 500 (I) MM_NO_STATE
03:16:51: ISAKMP:(0:0:N/A:0):deleting SA reason "P1 delete notify (in)" state (I) MM_NO_STATE (peer 208.XXX.178.XXX)
03:16:51: ISAKMP: Unlocking IKE struct 0x823F763C for isadb_mark_sa_deleted(), count 0
03:16:51: ISAKMP: Deleting peer node by peer_reap for 208.XXX.178.XXX: 823F763C
03:16:51: ISAKMP:(0:0:N/A:0):deleting node 1411118997 error FALSE reason "IKE deleted"
03:16:51: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
03:16:51: ISAKMP:(0:0:N/A:0):Old State = IKE_I_MM1 New State = IKE_DEST_SA
Site-122-831#
03:16:51: IPSEC(key_engine): got a queue event with 1 kei messages
Site-122-831#
03:17:01: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...
03:17:01: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
03:17:01: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE
03:17:01: ISAKMP:(0:0:N/A:0): sending packet to 208.XXX.176.XXX my_port 500 peer_port 500 (I) MM_NO_STATE
03:17:01: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...
03:17:01: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
03:17:01: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE
03:17:01: ISAKMP:(0:0:N/A:0): sending packet to 208.XXX.178.XXX my_port 500 peer_port 500 (I) MM_NO_STATE
Site-122-831#
03:17:11: ISAKMP:(0:0:N/A:0):purging node 1970597449
03:17:11: ISAKMP:(0:0:N/A:0):purging node -1846751793
03:17:11: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...
03:17:11: ISAKMP (0:0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
03:17:11: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE
03:17:11: ISAKMP:(0:0:N/A:0): sending packet to 208.XXX.176.XXX my_port 500 peer_port 500 (I) MM_NO_STATE
03:17:11: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...
03:17:11: ISAKMP (0:0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
03:17:11: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE
Site-122-831#
03:17:11: ISAKMP:(0:0:N/A:0): sending packet to 208.XXX.178.XXX my_port 500 peer_port 500 (I) MM_NO_STATE
Site-122-831#
03:17:17: ISAKMP:(0:0:N/A:0):purging node 287336448
03:17:17: ISAKMP:(0:0:N/A:0):purging node 737849712
03:17:17: ISAKMP:(0:0:N/A:0):purging node 2027546432
Site-122-831#
03:17:21: IPSEC(key_engine): request timer fired: count = 1,
(identity) local= 207.XXX.125.XXX, remote= 208.XXX.176.XXX,
local_proxy= 207.XXX.125.XXX/255.255.255.255/47/0 (type=1),
remote_proxy= 208.XXX.176.XXX/255.255.255.255/47/0 (type=1)
03:17:21: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 207.XXX.125.XXX, remote= 208.XXX.176.XXX,
local_proxy= 207.XXX.125.XXX/255.255.255.255/47/0 (type=1),
remote_proxy= 208.XXX.176.XXX/255.255.255.255/47/0 (type=1),
protocol= ESP, transform= esp-3des esp-sha-hmac (Transport),
lifedur= 3600s and 4608000kb,
spi= 0x57800B38(1468009272), conn_id= 0, keysize= 0, flags= 0x400C
03:17:21: ISAKMP: received ke message (1/1)
03:17:21: ISAKMP: set new node 0 to QM_IDLE
03:17:21: ISAKMP:(0:0:N/A:0):SA is still budding. Attached new ipsec request to it. (local 207.XXX.125.XXX, remote 208.XXX.176.XXX)
03:17:21: ISAKMP:(0:0:N/A:0):purging SA., sa=81FE76D0, delme=81FE76D0
03:17:21: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...
03:17:21: ISAKMP (0:0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
03:17:21: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE
03:17:21: ISAKMP:(0:0:N/A:0): sending packet to 208.XXX.176.XXX my_port 500 peer_port 500 (I) MM_NO_STATE
03:17:21: IPSEC(key_engine): request timer fired: count = 1,
(identity) local= 207.XXX.125.XXX, remote= 208.XXX.178.XXX,
local_proxy= 207.XXX.125.XXX/255.255.255.255/47/0 (type=1),
remote_proxy= 208.XXX.178.XXX/255.255.255.255/47/0 (type=1)
03:17:21: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 207.XXX.125.XXX, remote= 208.XXX.178.XXX,
local_proxy= 207.XXX.125.XXX/255.255.255.255/47/0 (type=1),
remote_proxy= 208.XXX.178.XXX/255.255.255.255/47/0 (type=1),
protocol= ESP, transform= esp-3des esp-sha-hmac (Transport),
lifedur= 3600s and 4608000kb,
spi= 0x5D806AAE(1568697006), conn_id= 0, keysize= 0, flags= 0x400C
Site-122-831#
03:17:21: ISAKMP: received ke message (1/1)
03:17:21: ISAKMP: set new node 0 to QM_IDLE
03:17:21: ISAKMP:(0:0:N/A:0):SA is still budding. Attached new ipsec request to it. (local 207.XXX.125.XXX, remote 208.XXX.178.XXX)
03:17:21: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...
03:17:21: ISAKMP (0:0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
03:17:21: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE
03:17:21: ISAKMP:(0:0:N/A:0): sending packet to 208.XXX.178.XXX my_port 500 peer_port 500 (I) MM_NO_STATE
Site-122-831#
03:17:27: ISAKMP:(0:0:N/A:0):purging SA., sa=82415E80, delme=82415E80
Site-122-831#
03:17:31: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...
03:17:31: ISAKMP (0:0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
03:17:31: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE
03:17:31: ISAKMP:(0:0:N/A:0): sending packet to 208.XXX.176.XXX my_port 500 peer_port 500 (I) MM_NO_STATE
03:17:31: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...
03:17:31: ISAKMP (0:0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
03:17:31: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE
03:17:31: ISAKMP:(0:0:N/A:0): sending packet to 208.XXX.178.XXX my_port 500 peer_port 500 (I) MM_NO_STATE
Site-122-831#
03:17:41: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...
03:17:41: ISAKMP (0:0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
03:17:41: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE
03:17:41: ISAKMP:(0:0:N/A:0): sending packet to 208.XXX.176.XXX my_port 500 peer_port 500 (I) MM_NO_STATE
03:17:41: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...
03:17:41: ISAKMP (0:0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
03:17:41: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE
03:17:41: ISAKMP:(0:0:N/A:0): sending packet to 208.XXX.178.XXX my_port 500 peer_port 500 (I) MM_NO_STATE
Site-122-831#
03:17:41: ISAKMP:(0:0:N/A:0):purging node 1411118997
Site-122-831#
03:17:51: IPSEC(key_engine): request timer fired: count = 2,
(identity) local= 207.XXX.125.XXX, remote= 208.XXX.176.XXX,
local_proxy= 207.XXX.125.XXX/255.255.255.255/47/0 (type=1),
remote_proxy= 208.XXX.176.XXX/255.255.255.255/47/0 (type=1)
03:17:51: ISAKMP: received ke message (3/1)
03:17:51: ISAKMP:(0:0:N/A:0):peer does not do paranoid keepalives.
03:17:51: ISAKMP:(0:0:N/A:0):deleting SA reason "P1 delete notify (in)" state (I) MM_NO_STATE (peer 208.XXX.176.XXX)
03:17:51: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 207.XXX.125.XXX, remote= 208.XXX.176.XXX,
local_proxy= 207.XXX.125.XXX/255.255.255.255/47/0 (type=1),
remote_proxy= 208.XXX.176.XXX/255.255.255.255/47/0 (type=1),
protocol= ESP, transform= esp-3des esp-sha-hmac (Transport),
lifedur= 3600s and 4608000kb,
spi= 0xA11A155D(2702841181), conn_id= 0, keysize= 0, flags= 0x400C
03:17:51: ISAKMP: received ke message (1/1)
Any help interpreting this, and any ideas on anything else to check would be very much appreciated!
Thanks in advance,
Mark
08-21-2013 07:43 AM
The problem is solved.
From the debug, it just looks like the initial transfers for ISAKMP simply aren't happening. So, I thought I'd give a new config one more try...
Although we had used multiple config templates, and a couple of replacement 831s, it just never would come up. I suspected that it had something to do with notepad and how it was substituting values into the template. As I said, there are over 200 of these 831s running happily, having used the template method of configuration, but this time rather than copying values from a file holding configuration information, I copied the information I needed directly from the running router (using the old config) into the template.
And this time, the tunnels magically came up.
Had there been a "fat finger" moment where a non-printable character was embedded in the config, I couldn't see it using a binary compare. Plus, even though the tunnels were down, I was still able to get into the public IP address on the 831 using the new config.
Anyway, I guess that's it.
Mark
08-21-2013 07:49 AM
I'm afraid that there doesn't seem to be a "correct answer" button that I can find, as described in the help...
So if there's a moderator out there, can you please flag this thread as "answered?"
Thanks!
Mark
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide