
Problem with site-to-site connection

Piotr Pawlowski
Level 1

Guys,

I have a problem establishing a site-to-site VPN connection between my 2911 and a remote router.

I have a different site-to-site VPN on the second WAN interface and it works like a charm. I performed the same steps to configure a new VPN to a different location on the first WAN interface, and I am not able to connect the two locations.

I've enabled debugging and this is what I get:

*Feb 13 13:23:51.221: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Feb 13 13:23:51.221: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
*Feb 13 13:23:51.221: IPSEC(key_engine_delete_sas): delete SA with spi 0x6B76A5F1 proto 50 for xxx_remote_IP_xxx
*Feb 13 13:23:51.221:  ISAKMP: Failed to find peer index node to update peer_info_list
*Feb 13 13:23:51.221: IPSEC(update_current_outbound_sa): updated peer xxx_remote_IP_xxx current outbound sa to SPI 0
*Feb 13 13:23:51.221: IPSEC(delete_sa): deleting SA,
  (sa) sa_dest= xxx_my_WAN_IP_xxx, sa_proto= 50,
    sa_spi= 0x8901AFF3(2298589171),
    sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2603
    sa_lifetime(k/sec)= (4608000/3600),
  (identity) local= xxx_my_WAN_IP_xxx:0, remote= xxx_remote_IP_xxx:0,
    local_proxy= 10.0.0.0/255.255.254.0/256/0,
    remote_proxy= 192.168.220.0/255.255.255.0/256/0
*Feb 13 13:23:51.221: IPSEC(update_current_outbound_sa): updated peer xxx_remote_IP_xxx current outbound sa to SPI 0
*Feb 13 13:23:51.221: IPSEC(delete_sa): deleting SA,
  (sa) sa_dest= xxx_remote_IP_xxx, sa_proto= 50,
    sa_spi= 0x6B76A5F1(1802937841),
    sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2604
    sa_lifetime(k/sec)= (4608000/3600),
  (identity) local= xxx_my_WAN_IP_xxx:0, remote= xxx_remote_IP_xxx:0,
    local_proxy= 10.0.0.0/255.255.254.0/256/0,
    remote_proxy= 192.168.220.0/255.255.255.0/256/0
*Feb 13 13:24:00.289: ISAKMP (1224): received packet from xxx_remote_IP_xxx dport 500 sport 500 Global (R) QM_IDLE
*Feb 13 13:24:00.289: ISAKMP: set new node -556398406 to QM_IDLE
*Feb 13 13:24:00.289: ISAKMP:(1224): processing HASH payload. message ID = 3738568890
*Feb 13 13:24:00.289: ISAKMP:(1224): processing SA payload. message ID = 3738568890
*Feb 13 13:24:00.289: ISAKMP:(1224):Checking IPSec proposal 0
*Feb 13 13:24:00.289: ISAKMP: transform 0, ESP_3DES
*Feb 13 13:24:00.289: ISAKMP:   attributes in transform:
*Feb 13 13:24:00.289: ISAKMP:      encaps is 1 (Tunnel)
*Feb 13 13:24:00.289: ISAKMP:      SA life type in seconds
*Feb 13 13:24:00.289: ISAKMP:      SA life duration (basic) of 28800
*Feb 13 13:24:00.289: ISAKMP:      authenticator is HMAC-MD5
*Feb 13 13:24:00.289: ISAKMP:(1224):atts are acceptable.
*Feb 13 13:24:00.289: IPSEC(validate_proposal_request): proposal part #1
*Feb 13 13:24:00.289: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= xxx_my_WAN_IP_xxx:0, remote= xxx_remote_IP_xxx:0,
    local_proxy= 10.0.0.0/255.255.254.0/256/0,
    remote_proxy= 192.168.220.0/255.255.255.0/256/0,
    protocol= ESP, transform= NONE  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Feb 13 13:24:00.289: Crypto mapdb : proxy_match
        src addr     : 10.0.0.0
        dst addr     : 192.168.220.0
        protocol     : 0
        src port     : 0
        dst port     : 0
*Feb 13 13:24:00.289: ISAKMP:(1224): processing NONCE payload. message ID = 3738568890
*Feb 13 13:24:00.289: ISAKMP:(1224): processing ID payload. message ID = 3738568890
*Feb 13 13:24:00.289: ISAKMP:(1224): processing ID payload. message ID = 3738568890
*Feb 13 13:24:00.289: ISAKMP:(1224):QM Responder gets spi
*Feb 13 13:24:00.289: ISAKMP:(1224):Node 3738568890, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Feb 13 13:24:00.289: ISAKMP:(1224):Old State = IKE_QM_READY  New State = IKE_QM_SPI_STARVE
*Feb 13 13:24:00.289: ISAKMP:(1224):Node 3738568890, Input = IKE_MESG_INTERNAL, IKE_GOT_SPI
*Feb 13 13:24:00.289: ISAKMP:(1224):Old State = IKE_QM_SPI_STARVE  New State = IKE_QM_IPSEC_INSTALL_AWAIT
*Feb 13 13:24:00.289: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Feb 13 13:24:00.289: Crypto mapdb : proxy_match
        src addr     : 10.0.0.0
        dst addr     : 192.168.220.0
        protocol     : 256
        src port     : 0
        dst port     : 0
*Feb 13 13:24:00.289: IPSEC(crypto_ipsec_create_ipsec_sas): Map found 1stCentral-map
*Feb 13 13:24:00.289: IPSEC(create_sa): sa created,
  (sa) sa_dest= xxx_my_WAN_IP_xxx, sa_proto= 50,
    sa_spi= 0xFA7FC4AF(4202677423),
    sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2605
    sa_lifetime(k/sec)= (4608000/3600)
*Feb 13 13:24:00.289: IPSEC(create_sa): sa created,
  (sa) sa_dest= xxx_remote_IP_xxx, sa_proto= 50,
    sa_spi= 0x6D266D67(1831234919),
    sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2606
    sa_lifetime(k/sec)= (4608000/3600)
*Feb 13 13:24:00.293:  ISAKMP: Failed to find peer index node to update peer_info_list
*Feb 13 13:24:00.293: ISAKMP:(1224):Received IPSec Install callback... proceeding with the negotiation
*Feb 13 13:24:00.297: ISAKMP:(1224): sending packet to xxx_remote_IP_xxx my_port 500 peer_port 500 (R) QM_IDLE
*Feb 13 13:24:00.297: ISAKMP:(1224):Sending an IKE IPv4 Packet.
*Feb 13 13:24:00.297: ISAKMP:(1224):Node 3738568890, Input = IKE_MESG_FROM_IPSEC, IPSEC_INSTALL_DONE
*Feb 13 13:24:00.297: ISAKMP:(1224):Old State = IKE_QM_IPSEC_INSTALL_AWAIT  New State = IKE_QM_R_QM2
*Feb 13 13:24:10.053: ISAKMP (1224): received packet from xxx_remote_IP_xxx dport 500 sport 500 Global (R) QM_IDLE
*Feb 13 13:24:10.053: ISAKMP:(1224): phase 2 packet is a duplicate of a previous packet.
*Feb 13 13:24:10.053: ISAKMP:(1224): retransmitting due to retransmit phase 2
*Feb 13 13:24:10.053: ISAKMP:(1224): retransmitting phase 2 QM_IDLE       -556398406 ...
*Feb 13 13:24:10.553: ISAKMP:(1224): retransmitting phase 2 QM_IDLE       -556398406 ...
*Feb 13 13:24:10.553: ISAKMP (1224): incrementing error counter on node, attempt 1 of 5: retransmit phase 2
*Feb 13 13:24:10.553: ISAKMP (1224): incrementing error counter on sa, attempt 1 of 5: retransmit phase 2
*Feb 13 13:24:10.553: ISAKMP:(1224): retransmitting phase 2 -556398406 QM_IDLE
*Feb 13 13:24:10.553: ISAKMP:(1224): sending packet to xxx_remote_IP_xxx my_port 500 peer_port 500 (R) QM_IDLE
*Feb 13 13:24:10.553: ISAKMP:(1224):Sending an IKE IPv4 Packet.
*Feb 13 13:24:20.553: ISAKMP:(1224): retransmitting phase 2 QM_IDLE       -556398406 ...
*Feb 13 13:24:20.553: ISAKMP (1224): incrementing error counter on node, attempt 2 of 5: retransmit phase 2
*Feb 13 13:24:20.553: ISAKMP (1224): incrementing error counter on sa, attempt 2 of 5: retransmit phase 2
*Feb 13 13:24:20.553: ISAKMP:(1224): retransmitting phase 2 -556398406 QM_IDLE
*Feb 13 13:24:20.553: ISAKMP:(1224): sending packet to xxx_remote_IP_xxx my_port 500 peer_port 500 (R) QM_IDLE
*Feb 13 13:24:20.553: ISAKMP:(1224):Sending an IKE IPv4 Packet.
*Feb 13 13:24:29.997: ISAKMP (1224): received packet from xxx_remote_IP_xxx dport 500 sport 500 Global (R) QM_IDLE
*Feb 13 13:24:29.997: ISAKMP:(1224): phase 2 packet is a duplicate of a previous packet.
*Feb 13 13:24:29.997: ISAKMP:(1224): retransmitting due to retransmit phase 2
*Feb 13 13:24:29.997: ISAKMP:(1224): retransmitting phase 2 QM_IDLE       -556398406 ...
*Feb 13 13:24:30.497: ISAKMP:(1224): retransmitting phase 2 QM_IDLE       -556398406 ...
*Feb 13 13:24:30.497: ISAKMP (1224): incrementing error counter on node, attempt 3 of 5: retransmit phase 2
*Feb 13 13:24:30.497: ISAKMP (1224): incrementing error counter on sa, attempt 3 of 5: retransmit phase 2
*Feb 13 13:24:30.497: ISAKMP:(1224): retransmitting phase 2 -556398406 QM_IDLE
*Feb 13 13:24:30.497: ISAKMP:(1224): sending packet to xxx_remote_IP_xxx my_port 500 peer_port 500 (R) QM_IDLE
*Feb 13 13:24:30.497: ISAKMP:(1224):Sending an IKE IPv4 Packet.
*Feb 13 13:24:31.725: %SYS-5-CONFIG_I: Configured from console by gyadmin on vty0 (10.0.1.12)
*Feb 13 13:24:40.497: ISAKMP:(1224): retransmitting phase 2 QM_IDLE       -556398406 ...
*Feb 13 13:24:40.497: ISAKMP (1224): incrementing error counter on node, attempt 4 of 5: retransmit phase 2
*Feb 13 13:24:40.497: ISAKMP (1224): incrementing error counter on sa, attempt 4 of 5: retransmit phase 2
*Feb 13 13:24:40.497: ISAKMP:(1224): retransmitting phase 2 -556398406 QM_IDLE
*Feb 13 13:24:40.497: ISAKMP:(1224): sending packet to xxx_remote_IP_xxx my_port 500 peer_port 500 (R) QM_IDLE
*Feb 13 13:24:40.497: ISAKMP:(1224):Sending an IKE IPv4 Packet.
*Feb 13 13:24:41.221: ISAKMP:(1224):purging node -932969703
*Feb 13 13:24:50.497: ISAKMP:(1224): retransmitting phase 2 QM_IDLE       -556398406 ...
*Feb 13 13:24:50.497: ISAKMP (1224): incrementing error counter on node, attempt 5 of 5: retransmit phase 2
*Feb 13 13:24:50.497: ISAKMP (1224): incrementing error counter on sa, attempt 5 of 5: retransmit phase 2
*Feb 13 13:24:50.497: ISAKMP:(1224): retransmitting phase 2 -556398406 QM_IDLE
*Feb 13 13:24:50.497: ISAKMP:(1224): sending packet to xxx_remote_IP_xxx my_port 500 peer_port 500 (R) QM_IDLE
*Feb 13 13:24:50.497: ISAKMP:(1224):Sending an IKE IPv4 Packet.
*Feb 13 13:25:00.497: ISAKMP:(1224): retransmitting phase 2 QM_IDLE       -556398406 ...
*Feb 13 13:25:00.497: ISAKMP:(1224):deleting node -556398406 error TRUE reason "Phase 2 err count exceeded"
*Feb 13 13:25:00.497: ISAKMP:(1224):peer does not do paranoid keepalives.

Any ideas what the cause is? I must add that right now I do not have access to the remote router.

Thank you in advance for any help.

1 Reply

Piotr Pawlowski
Level 1

I finally figured out that the problem was with the default gateway on my router. Case closed.
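The debug output in this thread has a telltale shape that is worth recognising: the 2911 accepts the peer's Quick Mode proposal ("atts are acceptable"), installs both IPsec SAs, sends its QM2 reply and moves to IKE_QM_R_QM2, yet the peer keeps resending its first Quick Mode packet ("phase 2 packet is a duplicate of a previous packet") until the responder's error counter hits 5 of 5. The peer's packets reach the 2911, but the 2911's replies never reach the peer, so the path is asymmetric. That is exactly what a wrong default gateway on the WAN interface that carries the crypto map produces, and it matches the resolution posted above. The following script is an added example in Python, not code from the thread or from Cisco: it parses this kind of `debug crypto isakmp` / `debug crypto ipsec` output and separates "reply never reached the peer" from "peer rejected the proposal". The IOS message strings it keys on are the ones visible in the thread, except the two rejection strings ("IPSec policy invalidated proposal", "phase 2 SA policy not acceptable"), which come from IOS experience rather than from this page and are marked as assumptions; the sample logs and the peer address 203.0.113.10 are constructed.

```python
"""Triage for Cisco IOS 'debug crypto isakmp' / 'debug crypto ipsec' output.

Added example, not code from the thread. Classifies an IKEv1 Quick Mode
failure as a proposal mismatch or as a reply that never reached the peer.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample, condensed from the shape of the lines in the thread.
# The peer address is an RFC 5737 documentation address; the thread masked its own.
SAMPLE_LOG = """\
*Feb 13 13:24:00.289: ISAKMP (1224): received packet from 203.0.113.10 dport 500 sport 500 Global (R) QM_IDLE
*Feb 13 13:24:00.289: ISAKMP:(1224):Checking IPSec proposal 0
*Feb 13 13:24:00.289: ISAKMP:(1224):atts are acceptable.
*Feb 13 13:24:00.289: IPSEC(crypto_ipsec_create_ipsec_sas): Map found 1stCentral-map
*Feb 13 13:24:00.289: IPSEC(create_sa): sa created,
*Feb 13 13:24:00.289: IPSEC(create_sa): sa created,
*Feb 13 13:24:00.297: ISAKMP:(1224): sending packet to 203.0.113.10 my_port 500 peer_port 500 (R) QM_IDLE
*Feb 13 13:24:00.297: ISAKMP:(1224):Old State = IKE_QM_IPSEC_INSTALL_AWAIT  New State = IKE_QM_R_QM2
*Feb 13 13:24:10.053: ISAKMP (1224): received packet from 203.0.113.10 dport 500 sport 500 Global (R) QM_IDLE
*Feb 13 13:24:10.053: ISAKMP:(1224): phase 2 packet is a duplicate of a previous packet.
*Feb 13 13:24:10.553: ISAKMP (1224): incrementing error counter on node, attempt 1 of 5: retransmit phase 2
*Feb 13 13:24:29.997: ISAKMP:(1224): phase 2 packet is a duplicate of a previous packet.
*Feb 13 13:24:50.497: ISAKMP (1224): incrementing error counter on node, attempt 5 of 5: retransmit phase 2
*Feb 13 13:25:00.497: ISAKMP:(1224):deleting node -556398406 error TRUE reason "Phase 2 err count exceeded"
"""

# Constructed sample of the other common outcome: the proposal itself is refused.
# Wording taken from IOS experience, not from this thread (assumption).
MISMATCH_LOG = """\
*Feb 13 13:30:00.100: ISAKMP (1224): received packet from 203.0.113.10 dport 500 sport 500 Global (R) QM_IDLE
*Feb 13 13:30:00.100: ISAKMP:(1224):Checking IPSec proposal 0
*Feb 13 13:30:00.100: ISAKMP:(1224): IPSec policy invalidated proposal with error 32
*Feb 13 13:30:00.100: ISAKMP:(1224): phase 2 SA policy not acceptable! (local 198.51.100.1 remote 203.0.113.10)
"""

PEER_RE = re.compile(r"received packet from (\d+\.\d+\.\d+\.\d+)")
ATTEMPT_RE = re.compile(r"attempt (\d+) of (\d+): retransmit phase 2")

# Verdict -> what to check next. The first entry is the thread's case.
ADVICE = {
    "reply-not-reaching-peer": "We accepted the proposal, installed SAs and sent QM2, but the "
        "peer keeps resending QM1: our reply is not arriving. Check the route/default gateway "
        "out of the interface holding the crypto map, and any NAT or ACL on the return path.",
    "proposal-mismatch": "The peer's phase 2 proposal was rejected: compare transform sets, "
        "PFS and the crypto ACLs (proxy IDs) on both ends.",
    "phase2-timeout": "Phase 2 timed out without a duplicate-QM1 pattern: check IKE reachability "
        "(UDP/500, UDP/4500) in both directions.",
    "incomplete": "No phase 2 outcome in this capture; collect a longer debug.",
    "ok": "Both IPsec SAs were installed and no error was logged.",
}


@dataclass
class QmTriage:
    peer: Optional[str] = None
    proposal_accepted: bool = False
    proposal_rejected: bool = False
    sas_installed: int = 0          # IPSEC(create_sa) lines: two per tunnel (in + out)
    reply_sent: bool = False        # reached IKE_QM_R_QM2, i.e. our QM2 went out
    duplicate_qm1: int = 0          # peer re-sent QM1: it never saw our QM2
    max_attempt: int = 0            # highest "attempt N of M" seen
    err_count_exceeded: bool = False
    verdict: str = ""


def classify(t: QmTriage) -> str:
    if t.proposal_rejected:
        return "proposal-mismatch"
    if t.reply_sent and t.duplicate_qm1 and t.err_count_exceeded:
        return "reply-not-reaching-peer"
    if t.err_count_exceeded:
        return "phase2-timeout"
    return "ok" if t.sas_installed >= 2 else "incomplete"


def triage(log: str) -> QmTriage:
    """Walk the debug lines once and collect the facts the verdict depends on."""
    t = QmTriage()
    for line in log.splitlines():
        m = PEER_RE.search(line)
        if m and t.peer is None:
            t.peer = m.group(1)
        if "atts are acceptable" in line:
            t.proposal_accepted = True
        # Rejection strings are an assumption from IOS experience, not from the thread.
        if "invalidated proposal" in line or "policy not acceptable" in line:
            t.proposal_rejected = True
        if "IPSEC(create_sa): sa created" in line:
            t.sas_installed += 1
        if "New State = IKE_QM_R_QM2" in line:
            t.reply_sent = True
        if "phase 2 packet is a duplicate" in line:
            t.duplicate_qm1 += 1
        m = ATTEMPT_RE.search(line)
        if m:
            t.max_attempt = max(t.max_attempt, int(m.group(1)))
        if "Phase 2 err count exceeded" in line:
            t.err_count_exceeded = True
    t.verdict = classify(t)
    return t


if __name__ == "__main__":
    for name, log in (("thread-shaped", SAMPLE_LOG), ("mismatch", MISMATCH_LOG)):
        r = triage(log)
        print(f"{name}: peer={r.peer} verdict={r.verdict}\n  {ADVICE[r.verdict]}")
```

Feed it a saved `debug crypto isakmp` capture (after `terminal monitor` or from the logging buffer); the "reply-not-reaching-peer" verdict is the one to act on without waiting for access to the remote router, because the evidence that the peer can reach you is already in your own log.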