Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1363
Views
0
Helpful
1
Replies

problem with DMVPN

hanyawad
Level 1
Level 1

‎06-24-2013 08:30 AM - edited ‎02-21-2020 06:58 PM

Hello,

i've been implementing our DMVPN tunnels and i have on tunnel doesn't form its crypto sa or peer.

below is the output of some debug regarding the crypto isakmp negotiation to establish IPSEC tunnel.

by the way, before i assigned the tunnel protection command to the interface tunnel i've checked the nhrp peers and made sure that the nhrp peer for that end point has been established successfully. so i think the problem in crypto config. please find the output below of my debug and let me know why they don't form crypto peers. thanks and appreciate your quick response.

rtrq1301#sh crypto isakmp sa

IPv4 Crypto ISAKMP SA

dst             src                        state          conn-id status

64.x.x.x     24.x.x.x       MM_NO_STATE          0 ACTIVE

65.5.x.x    24.x.x.x         QM_IDLE           1012 ACTIVE

65.5.x.x   24.x.x.x          QM_IDLE           1013 ACTIVE

IPv6 Crypto ISAKMP SA

rtrq1301# debug crypto isakmp

  
Jun 24 11:05:54: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Jun 24 11:05:54: ISAKMP (0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
Jun 24 11:05:54: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Jun 24 11:05:54: ISAKMP:(0): sending packet to 64.x.x.x my_port 500 peer_port 500 (I) MM_NO_STATE
Jun 24 11:05:54: ISAKMP:(0):Sending an IKE IPv4 Packet.
Jun 24 11:06:04: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Jun 24 11:06:04: ISAKMP:(0):peer does not do paranoid keepalives.

Jun 24 11:06:04: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 64.x.x.x)
Jun 24 11:06:04: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 64.x.x.x)
Jun 24 11:06:04: ISAKMP: Unlocking peer struct 0x232134D8 for isadb_mark_sa_deleted(), count 0
Jun 24 11:06:04: ISAKMP: Deleting peer node by peer_reap for 64.x.x.x: 232134D8
Jun 24 11:06:04: ISAKMP:(0):deleting node -1304092906 error FALSE reason "IKE deleted"
Jun 24 11:06:04: ISAKMP:(0):deleting node 132230039 error FALSE reason "IKE deleted"
Jun 24 11:06:04: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Jun 24 11:06:04: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_DEST_SA

Jun 24 11:06:05: ISAKMP:(0): SA request profile is (NULL)
Jun 24 11:06:05: ISAKMP: Created a peer struct for 64.x.x.x, peer port 500
Jun 24 11:06:05: ISAKMP: New peer created peer = 0x23222160 peer_handle = 0x800000A5
Jun 24 11:06:05: ISAKMP: Locking peer struct 0x23222160, refcount 1 for isakmp_initiator
Jun 24 11:06:05: ISAKMP: local port 500, remote port 500
Jun 24 11:06:05: ISAKMP: set new node 0 to QM_IDLE     
Jun 24 11:06:05: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 3D973ECC
Jun 24 11:06:05: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
Jun 24 11:06:05: ISAKMP:(0):found peer pre-shared key matching 64.x.x.x
Jun 24 11:06:05: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Jun 24 11:06:05: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1

Jun 24 11:06:05: ISAKMP:(0): beginning Main Mode exchange
Jun 24 11:06:05: ISAKMP:(0): sending packet to 64.x.x.x my_port 500 peer_port 500 (I) MM_NO_STATE
Jun 24 11:06:05: ISAKMP:(0):Sending an IKE IPv4 Packet.
Jun 24 11:06:15: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Jun 24 11:06:15: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Jun 24 11:06:15: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Jun 24 11:06:15: ISAKMP:(0): sending packet to 64.x.x.x my_port 500 peer_port 500 (I) MM_NO_STATE
Jun 24 11:06:15: ISAKMP:(0):Sending an IKE IPv4 Packet.
Jun 24 11:06:25: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Jun 24 11:06:25: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
Jun 24 11:06:25: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Jun 24 11:06:25: ISAKMP:(0): sending packet to 64.x.x.x my_port 500 peer_port 500 (I) MM_NO_STATE
Jun 24 11:06:25: ISAKMP:(0):Sending an IKE IPv4 Packet.
Jun 24 11:06:35: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Jun 24 11:06:35: ISAKMP (0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
Jun 24 11:06:35: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Jun 24 11:06:35: ISAKMP:(0): sending packet to 64.x.x.x my_port 500 peer_port 500 (I) MM_NO_STATE
Jun 24 11:06:35: ISAKMP:(0):Sending an IKE IPv4 Packet.
Jun 24 11:06:35: ISAKMP: set new node 0 to QM_IDLE     
Jun 24 11:06:35: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local 24.x.x.x, remote 64.x.x.x)
Jun 24 11:06:35: ISAKMP: Error while processing SA request: Failed to initialize SA
Jun 24 11:06:35: ISAKMP: Error while processing KMI message 0, error 2.
Jun 24 11:06:45: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Jun 24 11:06:45: ISAKMP (0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
Jun 24 11:06:45: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Jun 24 11:06:45: ISAKMP:(0): sending packet to 64.x.x.x my_port 500 peer_port 500 (I) MM_NO_STATE
Jun 24 11:06:45: ISAKMP:(0):Sending an IKE IPv4 Packet.
Jun 24 11:06:54: ISAKMP:(0):purging node -1304092906
Jun 24 11:06:54: ISAKMP:(0):purging node 132230039
Jun 24 11:06:55: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Jun 24 11:06:55: ISAKMP (0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
Jun 24 11:06:55: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Jun 24 11:06:55: ISAKMP:(0): sending packet to 64.x.x.x my_port 500 peer_port 500 (I) MM_NO_STATE
Jun 24 11:06:55: ISAKMP:(0):Sending an IKE IPv4 Packet.
Jun 24 11:07:04: ISAKMP:(0):purging SA., sa=22EE34C8, delme=22EE34C8
Jun 24 11:07:05: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Jun 24 11:07:05: ISAKMP:(0):peer does not do paranoid keepalives.

Jun 24 11:07:05: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 64.x.x.x)
Jun 24 11:07:05: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 64.x.x.x)
Jun 24 11:07:05: ISAKMP: Unlocking peer struct 0x23222160 for isadb_mark_sa_deleted(), count 0
Jun 24 11:07:05: ISAKMP: Deleting peer node by peer_reap for 64.x.x.x: 23222160
Jun 24 11:07:05: ISAKMP:(0):deleting node 748913332 error FALSE reason "IKE deleted"
Jun 24 11:07:05: ISAKMP:(0):deleting node 1936642054 error FALSE reason "IKE deleted"
Jun 24 11:07:05: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Jun 24 11:07:05: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_DEST_SA

Labels:
0 Helpful
1 Reply 1

Marcin Latosiewicz
Cisco Employee
Cisco Employee

‎06-24-2013 10:19 AM

not much to do with DMVPN as such.

IKE retranmiting MM1 and never getting any response back.

Check what's going on on the remote end.

0 Helpful
Customers Also Viewed These Support Documents