01-23-2015 12:35 PM
Hi everyone,
I have a problem with a site-to-site VPN between two Cisco routers. Here are the configurations:
Site A
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
lifetime 86000
crypto isakmp key secrettestkey address x.x.x.x
!
!
crypto ipsec transform-set S2S esp-3des esp-sha-hmac
!
crypto map S2S 10 ipsec-isakmp
set peer x.x.x.x
set transform-set S2S
match address S2S
interface FastEthernet4
ip address y.y.y.y 255.255.255.252
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map S2S
!
!
interface Vlan1
no ip address
!
!
interface Vlan12
ip address 192.168.100.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list 100 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 y.y.y.x
ip route 192.168.14.0 255.255.255.0 y.y.y.x
!
ip access-list extended S2S
permit ip 192.168.100.0 0.0.0.255 192.168.14.0 0.0.0.255
!
access-list 100 deny ip 192.168.100.0 0.0.0.255 192.168.14.0 0.0.0.255
access-list 100 permit ip 192.168.100.0 0.0.0.255 any
Site B
crypto isakmp policy 20
encr 3des
authentication pre-share
group 2
lifetime 86000
crypto isakmp key secrettestkey address x.x.x.x
crypto ipsec transform-set testS2S esp-3des esp-sha-hmac
crypto map DCMAP 20 ipsec-isakmp
description test tunnel
set peer x.x.x.x
set transform-set testS2S
match address testS2S
interface GigabitEthernet0/0
description .:: Outside ::.
ip address y.y.y.y 255.255.255.224
ip access-group OUTSIDE2INSIDE in
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
media-type rj45
crypto map DCMAP
ip route 192.168.100.0 255.255.255.0 y.y.y.x
ip access-list extended testS2S
permit ip 192.168.14.0 0.0.0.255 192.168.100.0 0.0.0.255
Also, there is a NAT-T configuration on this site.
The tunnel is not coming up. The status is MM_NO_STATE.
What can cause the problem? Please advise.
01-24-2015 02:09 AM
Hi,
The configuration is OK except for the 2 routes.
ip route 192.168.14.0 255.255.255.0 y.y.y.x on Site A
ip route 192.168.100.0 255.255.255.0 y.y.y.x on Site B need not be given.
On Site B, just give the default route towards the Internet.
HTH
"Please rate helpful posts and mark the answer correct if it solves your issue."
01-25-2015 09:01 PM
Hi Poonam,
I tried that, but it doesn't help.
Here is some debug output:
Jan 26 04:35:34.679: ISAKMP:(2081):purging node 613514273
Jan 26 04:35:34.679: ISAKMP:(2081):purging node -156888705
Jan 26 04:35:39.707: ISAKMP:(2083): retransmitting phase 2 QM_IDLE -300411047 ...
Jan 26 04:35:39.707: ISAKMP (2083): incrementing error counter on node, attempt 1 of 5: retransmit phase 2
Jan 26 04:35:39.707: ISAKMP (2083): incrementing error counter on sa, attempt 1 of 5: retransmit phase 2
Jan 26 04:35:39.707: ISAKMP:(2083): retransmitting phase 2 -300411047 QM_IDLE
Jan 26 04:35:39.707: ISAKMP:(2083): sending packet to 37.98.152.210 my_port 500 peer_port 500 (I) QM_IDLE
Jan 26 04:35:39.707: ISAKMP:(2083):Sending an IKE IPv4 Packet.
Jan 26 04:35:44.679: ISAKMP:(2081):purging SA., sa=85041290, delme=85041290
Jan 26 04:35:44.707: ISAKMP (2083): received packet from 37.98.152.210 dport 500 sport 500 Global (I) QM_IDLE
Jan 26 04:35:44.707: ISAKMP:(2083):processing transaction payload from 37.98.152.210. message ID = 300501939
Jan 26 04:35:44.707: ISAKMP: Config payload REQUEST
Jan 26 04:35:44.707: ISAKMP:(2083): No provision for the request
Jan 26 04:35:44.707: ISAKMP: Invalid config REQUEST
Jan 26 04:35:44.707: ISAKMP (2083): FSM action returned error: 2
Jan 26 04:35:44.707: ISAKMP:(2083):Input = IKE_MESG_FROM_PEER, IKE_CFG_REQUEST
Jan 26 04:35:44.707: ISAKMP:(2083):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Jan 26 04:35:44.707: ISAKMP:(2083):peer does not do paranoid keepalives.
Jan 26 04:35:44.707: ISAKMP:(2083):deleting SA reason "IKMP_ERR_NO_RETRANS" state (I) QM_IDLE (peer 37.98.152.210)
Jan 26 04:35:44.707: ISAKMP: set new node 1764500205 to QM_IDLE
Jan 26 04:35:44.707: ISAKMP:(2083): sending packet to 37.98.152.210 my_port 500 peer_port 500 (I) QM_IDLE
Jan 26 04:35:44.707: ISAKMP:(2083):Sending an IKE IPv4 Packet.
Jan 26 04:35:44.707: ISAKMP:(2083):purging node 1764500205
Jan 26 04:35:44.707: ISAKMP:(2083):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Jan 26 04:35:44.707: ISAKMP:(2083):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA
Jan 26 04:35:44.707: ISAKMP:(2083):deleting SA reason "IKMP_ERR_NO_RETRANS" state (I) QM_IDLE (peer 37.98.152.210)
Jan 26 04:35:44.707: ISAKMP:(0):Can't decrement IKE Call Admission Control stat outgoing_active since it's already 0.
Jan 26 04:35:44.707: ISAKMP: Unlocking peer struct 0x8646741C for isadb_mark_sa_deleted(), count 0
Jan 26 04:35:44.707: ISAKMP: Deleting peer node by peer_reap for 37.98.152.210: 8646741C
Jan 26 04:35:44.707: ISAKMP:(2083):deleting node -300411047 error FALSE reason "IKE deleted"
Jan 26 04:35:44.707: ISAKMP:(2083):deleting node 300501939 error FALSE reason "IKE deleted"
Jan 26 04:35:44.707: ISAKMP:(2083):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jan 26 04:35:44.707: ISAKMP:(2083):Old State = IKE_DEST_SA New State = IKE_DEST_SA
Jan 26 04:35:44.711: ISAKMP (2083): received packet from 37.98.152.210 dport 500 sport 500 Global (I) MM_NO_STATE
Jan 26 04:35:49.675: ISAKMP:(2082):purging node -127959513
Jan 26 04:35:59.655: ISAKMP:(0): SA request profile is (NULL)
Jan 26 04:35:59.655: ISAKMP: Created a peer struct for 37.98.152.210, peer port 500
Jan 26 04:35:59.655: ISAKMP: New peer created peer = 0x858D6A78 peer_handle = 0x80000057
Jan 26 04:35:59.655: ISAKMP: Locking peer struct 0x858D6A78, refcount 1 for isakmp_initiator
Jan 26 04:35:59.655: ISAKMP: local port 500, remote port 500
Jan 26 04:35:59.655: ISAKMP: set new node 0 to QM_IDLE
Jan 26 04:35:59.655: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 86163B08
Jan 26 04:35:59.655: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
Jan 26 04:35:59.655: ISAKMP:(0):found peer pre-shared key matching 37.98.152.210
Jan 26 04:35:59.655: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
Jan 26 04:35:59.655: ISAKMP:(0): constructed NAT-T vendor-07 ID
Jan 26 04:35:59.655: ISAKMP:(0): constructed NAT-T vendor-03 ID
Jan 26 04:35:59.655: ISAKMP:(0): constructed NAT-T vendor-02 ID
Jan 26 04:35:59.655: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Jan 26 04:35:59.655: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
Jan 26 04:35:59.655: ISAKMP:(0): beginning Main Mode exchange
Jan 26 04:35:59.655: ISAKMP:(0): sending packet to 37.98.152.210 my_port 500 peer_port 500 (I) MM_NO_STATE
Jan 26 04:35:59.655: ISAKMP:(0):Sending an IKE IPv4 Packet.
Jan 26 04:35:59.659: ISAKMP (0): received packet from 37.98.152.210 dport 500 sport 500 Global (I) MM_NO_STATE
Jan 26 04:35:59.659: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jan 26 04:35:59.659: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2
Jan 26 04:35:59.659: ISAKMP:(0): processing SA payload. message ID = 0
Jan 26 04:35:59.659: ISAKMP:(0): processing vendor id payload
Jan 26 04:35:59.659: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
Jan 26 04:35:59.659: ISAKMP (0): vendor ID is NAT-T RFC 3947
Jan 26 04:35:59.659: ISAKMP:(0):found peer pre-shared key matching 37.98.152.210
Jan 26 04:35:59.659: ISAKMP:(0): local preshared key found
Jan 26 04:35:59.659: ISAKMP : Scanning profiles for xauth ...
Jan 26 04:35:59.659: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
Jan 26 04:35:59.659: ISAKMP: encryption 3DES-CBC
Jan 26 04:35:59.659: ISAKMP: hash SHA
Jan 26 04:35:59.659: ISAKMP: default group 2
Jan 26 04:35:59.659: ISAKMP: auth pre-share
Jan 26 04:35:59.659: ISAKMP: life type in seconds
Jan 26 04:35:59.659: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
Jan 26 04:35:59.663: ISAKMP:(0):atts are acceptable. Next payload is 0
Jan 26 04:35:59.663: ISAKMP:(0):Acceptable atts:actual life: 0
Jan 26 04:35:59.663: ISAKMP:(0):Acceptable atts:life: 0
Jan 26 04:35:59.663: ISAKMP:(0):Fill atts in sa vpi_length:4
Jan 26 04:35:59.663: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
Jan 26 04:35:59.663: ISAKMP:(0):Returning Actual lifetime: 86400
Jan 26 04:35:59.663: ISAKMP:(0)::Started lifetime timer: 86400.
Jan 26 04:35:59.663: ISAKMP:(0): processing vendor id payload
Jan 26 04:35:59.663: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
Jan 26 04:35:59.663: ISAKMP (0): vendor ID is NAT-T RFC 3947
Jan 26 04:35:59.663: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Jan 26 04:35:59.663: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2
Jan 26 04:35:59.663: ISAKMP:(0): sending packet to 37.98.152.210 my_port 500 peer_port 500 (I) MM_SA_SETUP
Jan 26 04:35:59.663: ISAKMP:(0):Sending an IKE IPv4 Packet.
Jan 26 04:35:59.663: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Jan 26 04:35:59.663: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3
Jan 26 04:35:59.671: ISAKMP (0): received packet from 37.98.152.210 dport 500 sport 500 Global (I) MM_SA_SETUP
Jan 26 04:35:59.671: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jan 26 04:35:59.671: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4
Jan 26 04:35:59.671: ISAKMP:(0): processing KE payload. message ID = 0
Jan 26 04:35:59.699: ISAKMP:(0): processing NONCE payload. message ID = 0
Jan 26 04:35:59.699: ISAKMP:(0):found peer pre-shared key matching 37.98.152.210
Jan 26 04:35:59.699: ISAKMP:(2084): processing vendor id payload
Jan 26 04:35:59.699: ISAKMP:(2084): vendor ID is Unity
Jan 26 04:35:59.699: ISAKMP:(2084): processing vendor id payload
Jan 26 04:35:59.699: ISAKMP:(2084): vendor ID is DPD
Jan 26 04:35:59.699: ISAKMP:(2084): processing vendor id payload
Jan 26 04:35:59.699: ISAKMP:(2084): speaking to another IOS box!
Jan 26 04:35:59.699: ISAKMP:received payload type 20
Jan 26 04:35:59.699: ISAKMP (2084): His hash no match - this node outside NAT
Jan 26 04:35:59.699: ISAKMP:received payload type 20
Jan 26 04:35:59.703: ISAKMP (2084): No NAT Found for self or peer
Jan 26 04:35:59.703: ISAKMP:(2084):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Jan 26 04:35:59.703: ISAKMP:(2084):Old State = IKE_I_MM4 New State = IKE_I_MM4
Jan 26 04:35:59.703: ISAKMP:(2084):Send initial contact
Jan 26 04:35:59.703: ISAKMP:(2084):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
Jan 26 04:35:59.703: ISAKMP (2084): ID payload
next-payload : 8
type : 1
address : 217.11.177.6
protocol : 17
port : 500
length : 12
Jan 26 04:35:59.703: ISAKMP:(2084):Total payload length: 12
Jan 26 04:35:59.703: ISAKMP:(2084): sending packet to 37.98.152.210 my_port 500 peer_port 500 (I) MM_KEY_EXCH
Jan 26 04:35:59.703: ISAKMP:(2084):Sending an IKE IPv4 Packet.
Jan 26 04:35:59.703: ISAKMP:(2084):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Jan 26 04:35:59.703: ISAKMP:(2084):Old State = IKE_I_MM4 New State = IKE_I_MM5
Jan 26 04:35:59.707: ISAKMP (2084): received packet from 37.98.152.210 dport 500 sport 500 Global (I) MM_KEY_EXCH
Jan 26 04:35:59.707: ISAKMP:(2084): processing ID payload. message ID = 0
Jan 26 04:35:59.707: ISAKMP (2084): ID payload
next-payload : 8
type : 1
address : 37.98.152.210
protocol : 17
port : 500
length : 12
Jan 26 04:35:59.707: ISAKMP:(0):: peer matches *none* of the profiles
Jan 26 04:35:59.707: ISAKMP:(2084): processing HASH pundeb alayload. message ID = 0
Jan 26 04:35:59.707: ISAKMP:(2084):SA authentication status:
authenticated
Jan 26 04:35:59.711: ISAKMP:(2084):SA has been authenticated with 37.98.152.210
Jan 26 04:35:59.711: ISAKMP: Trying to insert a peer 217.11.177.6/37.98.152.210/500/, and inserted successfully 858D6A78.
Jan 26 04:35:59.711: ISAKMP:(2084):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jan 26 04:35:59.711: ISAKMP:(2084):Old State = IKE_I_MM5 New State = IKE_I_MM6
Jan 26 04:35:59.711: ISAKMP:(2084):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Jan 26 04:35:59.711: ISAKMP:(2084):Old State = IKE_I_MM6 New State = IKE_I_MM6
Jan 26 04:35:59.711: ISAKMP (2084): received packet from 37.98.152.210 dport 500 sport 500 Global (I) MM_KEY_EXCH
Jan 26 04:35:59.711: ISAKMP: set new node -42470932 to QM_IDLE
Jan 26 04:35:59.711: ISAKMP:(2084):l
All possible debugging has been turned off
Router# processing HASH payload. message ID = -42470932
Jan 26 04:35:59.711: ISAKMP:(2084): processing NOTIFY RESPONDER_LIFETIME protocol 1
spi 0, message ID = -42470932, sa = 86163B08
Jan 26 04:35:59.711: ISAKMP:(2084):SA authentication status:
authenticated
Jan 26 04:35:59.711: ISAKMP:(2084): processing responder lifetime
Jan 26 04:35:59.711: ISAKMP:(2084): start processing isakmp responder lifetime
Jan 26 04:35:59.711: ISAKMP:(2084):Returning Actual lifetime: 86400
Jan 26 04:35:59.711: ISAKMP:(2084): restart ike sa timer to 86000 secs
Jan 26 04:35:59.711: ISAKMP:(2084):Started lifetime timer: 0.
Jan 26 04:35:59.711: ISAKMP:(2084):deleting node -42470932 error FALSE reason "Informational (in) state 1"
Jan 26 04:35:59.711: ISAKMP:(2084):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Jan 26 04:35:59.711: ISAKMP:(2084):Old State = IKE_I_MM6 New State = IKE_I_MM6
Jan 26 04:35:59.711: ISAKMP (2084): received packet from 37.98.152.210 dport 500 sport 500 Global (I) MM_KEY_EXCH
Jan 26 04:35:59.711: ISAKMP: set new node -987474156 to QM_IDLE
Jan 26 04:35:59.715: ISAKMP:(2084):processing transaction payload from 37.98.152.210. message ID = -987474156
Jan 26 04:35:59.715: ISAKMP: Config payload REQUEST
Jan 26 04:35:59.715: ISAKMP (2084): Unknown Input IKE_MESG_FROM_PEER, IKE_CFG_REQUEST: state = IKE_I_MM6
Jan 26 04:35:59.715: ISAKMP:(2084):Input = IKE_MESG_FROM_PEER, IKE_CFG_REQUEST
Jan 26 04:35:59.715: ISAKMP:(2084):Old State = IKE_I_MM6 New State = IKE_I_MM6
Jan 26 04:35:59.715: ISAKMP:(2084):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Jan 26 04:35:59.715: ISAKMP:(2084):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
Jan 26 04:35:59.715: ISAKMP:(2084):beginning Quick Mode exchange, M-ID of 888747111
Jan 26 04:35:59.715: ISAKMP:(2084):QM Initiator gets spi
Jan 26 04:35:59.715: ISAKMP:(2084): sending packet to 37.98.152.210 my_port 500 peer_port 500 (I) QM_IDLE
Jan 26 04:35:59.715: ISAKMP:(2084):Sending an IKE IPv4 Packet.
Jan 26 04:35:59.715: ISAKMP:(2084):Node 888747111, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
Jan 26 04:35:59.715: ISAKMP:(2084):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
Jan 26 04:35:59.715: ISAKMP:(2084):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Jan 26 04:35:59.715: ISAKMP:(2084):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Jan 26 04:36:04.675: ISAKMP:(2082):purging node -837200826
Jan 26 04:36:04.675: ISAKMP:(2082):purging node -932992150
Router#
01-26-2015 12:27 AM
Hi,
Refer to the link. It's for IPsec remote access. Try to remove the configuration and reapply the crypto map.
Second, in the debug you can see the router is going for x-auth.
Jan 26 04:35:44.707: ISAKMP: Config payload REQUEST
Jan 26 04:35:44.707: ISAKMP:(2083): No provision for the request
Jan 26 04:35:44.707: ISAKMP: Invalid config REQUEST
Jan 26 04:35:44.707: ISAKMP (2083): FSM action returned error: 2
Jan 26 04:35:44.707: ISAKMP:(2083):Input = IKE_MESG_FROM_PEER, IKE_CFG_REQUEST
You can disable it using no-xauth at the end of the isakmp key statement.
# crypto isakmp key 0 abc address x.x.x.x no-xauth
HTH
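Added example (not part of the original posts and not Cisco tooling): a small triage script that scans `debug crypto isakmp` output for the signature the answer above points at, a config (x-auth) request arriving on an SA that has already authenticated. The names `triage_xauth` and `SAMPLE_DEBUG` are hypothetical, and the sample lines are constructed in the shape of the debug output in this thread, with documentation addresses in place of the peers.

```python
import re

# Constructed sample modelled on the debug lines in this thread.
# 192.0.2.10 and 198.51.100.7 are documentation addresses, not values from the page.
SAMPLE_DEBUG = """\
Jan 26 04:35:30.100: ISAKMP:(2083):SA has been authenticated with 192.0.2.10
Jan 26 04:35:30.104: ISAKMP:(2083):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
Jan 26 04:35:44.707: ISAKMP:(2083):processing transaction payload from 192.0.2.10. message ID = 300501939
Jan 26 04:35:44.707: ISAKMP: Config payload REQUEST
Jan 26 04:35:44.707: ISAKMP:(2083): No provision for the request
Jan 26 04:35:44.707: ISAKMP: Invalid config REQUEST
Jan 26 04:35:44.707: ISAKMP (2083): FSM action returned error: 2
Jan 26 04:35:44.707: ISAKMP:(2083):Input = IKE_MESG_FROM_PEER, IKE_CFG_REQUEST
Jan 26 04:35:44.707: ISAKMP:(2083):deleting SA reason "IKMP_ERR_NO_RETRANS" state (I) QM_IDLE (peer 192.0.2.10)
Jan 26 04:35:59.711: ISAKMP:(2084):SA has been authenticated with 192.0.2.10
Jan 26 04:35:59.715: ISAKMP: Config payload REQUEST
Jan 26 04:35:59.715: ISAKMP (2084): Unknown Input IKE_MESG_FROM_PEER, IKE_CFG_REQUEST: state = IKE_I_MM6
Jan 26 04:36:10.000: ISAKMP:(2090):SA has been authenticated with 198.51.100.7
Jan 26 04:36:10.004: ISAKMP:(2090):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
"""

# The debug output uses "ISAKMP:(2083):msg", "ISAKMP (2083): msg" and "ISAKMP: msg".
ISAKMP_LINE = re.compile(r"ISAKMP\s*:?\s*(?:\((\d+)\))?\s*:*\s*(.*)$")
AUTHENTICATED = re.compile(r"SA has been authenticated with (\S+)")
DELETED = re.compile(r'deleting SA reason "([^"]+)"')


def triage_xauth(debug_text):
    """Return one finding per SA that authenticated and then received a config request."""
    sas = {}
    current = None  # lines without an SA id belong to the SA named on the line before
    for raw in debug_text.splitlines():
        m = ISAKMP_LINE.search(raw)
        if m is None:
            continue
        sa_id, msg = m.group(1), m.group(2)
        if sa_id is not None:
            current = sa_id
        if current is None:
            continue
        sa = sas.setdefault(current, {
            "sa": current, "peer": None, "authenticated": False,
            "cfg_request": False, "no_provision": False, "delete_reason": None,
        })
        auth = AUTHENTICATED.search(msg)
        if auth:
            sa["authenticated"], sa["peer"] = True, auth.group(1)
        if "Config payload REQUEST" in msg or "IKE_CFG_REQUEST" in msg:
            sa["cfg_request"] = True
        if "No provision for the request" in msg:
            sa["no_provision"] = True
        deleted = DELETED.search(msg)
        if deleted and sa["delete_reason"] is None:
            sa["delete_reason"] = deleted.group(1)

    findings = []
    for sa in sorted(sas.values(), key=lambda s: int(s["sa"])):
        # Phase 1 succeeded, so policy and pre-shared key matched; the config
        # request is what this router cannot answer on a site-to-site tunnel.
        if sa["authenticated"] and sa["cfg_request"]:
            findings.append({
                "sa": sa["sa"],
                "peer": sa["peer"],
                "stage": "rejected" if sa["no_provision"] else "requested",
                "delete_reason": sa["delete_reason"],
            })
    return findings


if __name__ == "__main__":
    for f in triage_xauth(SAMPLE_DEBUG):
        print(f"SA {f['sa']} peer {f['peer']}: config request {f['stage']}, "
              f"SA deleted: {f['delete_reason']}; check no-xauth on the isakmp key for this peer")
```
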
01-29-2015 10:21 PM
Hi Poonam,
That works, thank you for the help.
09-21-2015 10:45 AM
Config Router site A
I want to set up 2 tunnels
From Site A to Site B
From Site A to Site C
pseudowire-class PW_2
encapsulation l2tpv3
protocol l2tpv3 tunel
ip local interface GigabitEthernet0
!
crypto keyring key_tunel_UNION_T2370
pre-shared-key address {Ip address site B} key {random key}
crypto isakmp policy 1
authentication pre-share
group 2
lifetime 3600
encryption 3des
crypto isakmp profile profile_tunel_UNION_T2370
keyring key_tunel_UNION_T2370
match identity address {ip address site B}{mask site B}
!
!
crypto ipsec transform-set strong ah-sha-hmac esp-3des
mode tunnel
!
!
crypto map ipsec-maps 10 ipsec-isakmp
set peer {ip address site B}
set transform-set strong
set isakmp-profile profile_tunel_UNION_T2370
match address acl_tunel_UNION_T2370
crypto map ipsec-maps 20 ipsec-isakmp
description ** tunel_ALU_T2371 **
set peer {ip address site C}
set transform-set strong
set isakmp-profile profile_tunel_ALU_T2371
match address acl_tunel_ALU_T2371
!
!
!
interface FastEthernet5
switchport access vlan 4
no ip address
!
interface FastEthernet6
switchport access vlan 3
no ip address
!
interface GigabitEthernet0
ip address {ip address site A} {mask site B}
ip access-group 1 in
duplex auto
speed auto
dot1q tunneling ethertype 0x9100
vlan-id dot1q 3
exit-vlan-config
!
vlan-id dot1q 4
exit-vlan-config
!
crypto map ipsec-maps
!
interface Vlan3
no ip address
xconnect {ip address site B} 3 encapsulation l2tpv3 pw-class PW_2
!
interface Vlan4
no ip address
xconnect {ip address site C} 4 encapsulation l2tpv3 pw-class PW_2
ip access-list extended acl_tunel_ALU_T2371
permit ip any any
ip access-list extended acl_tunel_UNION_T2370
permit ip any any
On router B I have the same configuration, except the crypto map of Site C, because I do not need a connection between Site B and Site C.
When I execute debug isakmp I get the following messages:
*Sep 21 15:20:27.548: ISAKMP (0): received packet from {IP Site B} dport 500 sport 500 Global (N) NEW SA
*Sep 21 15:20:27.548: ISAKMP: Created a peer struct for {IP Site B}, peer port 500
*Sep 21 15:20:27.548: ISAKMP: New peer created peer = 0x8C0EDDB4 peer_handle = 0x800000A4
*Sep 21 15:20:27.548: ISAKMP: Locking peer struct 0x8C0EDDB4, refcount 1 for crypto_isakmp_process_block
*Sep 21 15:20:27.548: ISAKMP: local port 500, remote port 500
*Sep 21 15:20:27.548: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 8C1EF404
*Sep 21 15:20:27.548: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Sep 21 15:20:27.548: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
*Sep 21 15:20:27.548: ISAKMP:(0): processing SA payload. message ID = 0
*Sep 21 15:20:27.548: ISAKMP:(0): processing vendor id payload
*Sep 21 15:20:27.548: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Sep 21 15:20:27.548: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Sep 21 15:20:27.548: ISAKMP:(0): processing vendor id payload
*Sep 21 15:20:27.548: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*Sep 21 15:20:27.548: ISAKMP (0): vendor ID is NAT-T v7
*Sep 21 15:20:27.548: ISAKMP:(0): processing vendor id payload
*Sep 21 15:20:27.548: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
*Sep 21 15:20:27.548: ISAKMP:(0): vendor ID is NAT-T v3
*Sep 21 15:20:27.548: ISAKMP:(0): processing vendor id payload
*Sep 21 15:20:27.548: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Sep 21 15:20:27.548: ISAKMP:(0): vendor ID is NAT-T v2
*Sep 21 15:20:27.548: ISAKMP:(0):found peer pre-shared key matching {IP Site B}
*Sep 21 15:20:27.548: ISAKMP:(0): local preshared key found
*Sep 21 15:20:27.548: ISAKMP : Scanning profiles for xauth ... profile_tunel_ALU_T2371 profile_tunel_UNION_T2370
*Sep 21 15:20:27.548: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Sep 21 15:20:27.548: ISAKMP: encryption 3DES-CBC
*Sep 21 15:20:27.548: ISAKMP: hash SHA
*Sep 21 15:20:27.548: ISAKMP: default group 2
*Sep 21 15:20:27.548: ISAKMP: auth pre-share
*Sep 21 15:20:27.548: ISAKMP: life type in seconds
*Sep 21 15:20:27.548: ISAKMP: life duration (basic) of 3600
*Sep 21 15:20:27.552: ISAKMP:(0):atts are acceptable. Next payload is 0
*Sep 21 15:20:27.552: ISAKMP:(0):Acceptable atts:actual life: 0
*Sep 21 15:20:27.552: ISAKMP:(0):Acceptable atts:life: 0
*Sep 21 15:20:27.552: ISAKMP:(0):Basic life_in_seconds:3600
*Sep 21 15:20:27.552: ISAKMP:(0):Returning Actual lifetime: 3600
*Sep 21 15:20:27.552: ISAKMP:(0)::Started lifetime timer: 3600.
*Sep 21 15:20:27.552: ISAKMP:(0): processing vendor id payload
*Sep 21 15:20:27.552: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Sep 21 15:20:27.552: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Sep 21 15:20:27.552: ISAKMP:(0): processing vendor id payload
*Sep 21 15:20:27.552: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*Sep 21 15:20:27.552: ISAKMP (0): vendor ID is NAT-T v7
*Sep 21 15:20:27.552: ISAKMP:(0): processing vendor id payload
*Sep 21 15:20:27.552: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
*Sep 21 15:20:27.552: ISAKMP:(0): vendor ID is NAT-T v3
*Sep 21 15:20:27.552: ISAKMP:(0): processing vendor id payload
*Sep 21 15:20:27.552: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Sep 21 15:20:27.552: ISAKMP:(0): vendor ID is NAT-T v2
*Sep 21 15:20:27.552: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Sep 21 15:20:27.552: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1
*Sep 21 15:20:27.552: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Sep 21 15:20:27.552: ISAKMP:(0): sending packet to {IP Site B} my_port 500 peer_port 500 (R) MM_SA_SETUP
*Sep 21 15:20:27.552: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Sep 21 15:20:27.552: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Sep 21 15:20:27.552: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM2
*Sep 21 15:20:27.560: ISAKMP (0): received packet from {IP Site B} dport 500 sport 500 Global (R) MM_SA_SETUP
*Sep 21 15:20:27.560: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Sep 21 15:20:27.560: ISAKMP:(0):Old State = IKE_R_MM2 New State = IKE_R_MM3
*Sep 21 15:20:27.560: ISAKMP:(0): processing KE payload. message ID = 0
*Sep 21 15:20:27.576: ISAKMP:(0): processing NONCE payload. message ID = 0
*Sep 21 15:20:27.576: ISAKMP:(0):found peer pre-shared key matching {IP Site B}
*Sep 21 15:20:27.576: ISAKMP:(2083): processing vendor id payload
*Sep 21 15:20:27.576: ISAKMP:(2083): vendor ID is DPD
*Sep 21 15:20:27.576: ISAKMP:(2083): processing vendor id payload
*Sep 21 15:20:27.576: ISAKMP:(2083): speaking to another IOS box!
*Sep 21 15:20:27.576: ISAKMP:(2083): processing vendor id payload
*Sep 21 15:20:27.576: ISAKMP:(2083): vendor ID seems Unity/DPD but major 213 mismatch
*Sep 21 15:20:27.576: ISAKMP:(2083): vendor ID is XAUTH
*Sep 21 15:20:27.576: ISAKMP:received payload type 20
*Sep 21 15:20:27.576: ISAKMP (2083): His hash no match - this node outside NAT
*Sep 21 15:20:27.576: ISAKMP:received payload type 20
*Sep 21 15:20:27.576: ISAKMP (2083): No NAT Found for self or peer
*Sep 21 15:20:27.576: ISAKMP:(2083):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Sep 21 15:20:27.576: ISAKMP:(2083):Old State = IKE_R_MM3 New State = IKE_R_MM3
*Sep 21 15:20:27.580: ISAKMP:(2083): sending packet to {IP Site B} my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Sep 21 15:20:27.580: ISAKMP:(2083):Sending an IKE IPv4 Packet.
*Sep 21 15:20:27.580: ISAKMP:(2083):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Sep 21 15:20:27.580: ISAKMP:(2083):Old State = IKE_R_MM3 New State = IKE_R_MM4
*Sep 21 15:20:27.604: ISAKMP (2083): received packet from {IP Site B} dport 500 sport 500 Global (R) MM_KEY_EXCH
*Sep 21 15:20:27.604: ISAKMP: reserved not zero on ID payload!
*Sep 21 15:20:27.604: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from {IP Site B} failed its sanity check or is malformed
*Sep 21 15:20:27.604: ISAKMP (2083): incrementing error counter on sa, attempt 1 of 5: reset_retransmission
*Sep 21 15:20:28.604: ISAKMP:(2083): retransmitting phase 1 MM_KEY_EXCH...
*Sep 21 15:20:28.604: ISAKMP (2083): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Sep 21 15:20:28.604: ISAKMP:(2083): retransmitting phase 1 MM_KEY_EXCH
*Sep 21 15:20:28.604: ISAKMP:(2083): sending packet to {IP Site B} my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Sep 21 15:20:28.604: ISAKMP:(2083):Sending an IKE IPv4 Packet.
*Sep 21 15:20:29.108: ISAKMP (2083): received packet from {IP Site B} dport 500 sport 500 Global (R) MM_KEY_EXCH
*Sep 21 15:20:29.108: ISAKMP:(2083): phase 1 packet is a duplicate of a previous packet.
*Sep 21 15:20:29.108: ISAKMP:(2083): retransmission skipped for phase 1 (time since last transmission 504)
*Sep 21 15:20:31.436: ISAKMP:(2082): retransmitting phase 1 MM_KEY_EXCH...
*Sep 21 15:20:31.436: ISAKMP (2082): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Sep 21 15:20:31.436: ISAKMP:(2082): retransmitting phase 1 MM_KEY_EXCH
*Sep 21 15:20:31.436: ISAKMP:(2082): sending packet to {IP Site B} my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Sep 21 15:20:31.436: ISAKMP:(2082):Sending an IKE IPv4 Packet.
*Sep 21 15:20:31.440: ISAKMP (2082): received packet from {IP Site B} dport 500 sport 500 Global (I) MM_KEY_EXCH
*Sep 21 15:20:31.440: ISAKMP:(2082): phase 1 packet is a duplicate of a previous packet.
*Sep 21 15:20:31.440: ISAKMP:(2082): retransmission skipped for phase 1 (time since last transmission 4)
*Sep 21 15:20:39.108: ISAKMP:(2083): retransmitting phase 1 MM_KEY_EXCH...
*Sep 21 15:20:39.108: ISAKMP (2083): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
*Sep 21 15:20:39.108: ISAKMP:(2083): retransmitting phase 1 MM_KEY_EXCH
*Sep 21 15:20:39.108: ISAKMP:(2083): sending packet to {IP Site B} my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Sep 21 15:20:39.108: ISAKMP:(2083):Sending an IKE IPv4 Packet.
*Sep 21 15:20:39.108: ISAKMP (2083): received packet from {IP Site B} dport 500 sport 500 Global (R) MM_KEY_EXCH
*Sep 21 15:20:39.108: ISAKMP:(2083): phase 1 packet is a duplicate of a previous packet.
*Sep 21 15:20:39.108: ISAKMP:(2083): retransmission skipped for phase 1 (time since last transmission 0)
*Sep 21 15:20:41.436: ISAKMP:(2082): retransmitting phase 1 MM_KEY_EXCH...
*Sep 21 15:20:41.436: ISAKMP (2082): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
*Sep 21 15:20:41.436: ISAKMP:(2082): retransmitting phase 1 MM_KEY_EXCH
*Sep 21 15:20:41.436: ISAKMP:(2082): sending packet to {IP Site B} my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Sep 21 15:20:41.436: ISAKMP:(2082):Sending an IKE IPv4 Packet.
*Sep 21 15:20:41.440: ISAKMP (2082): received packet from {IP Site B} dport 500 sport 500 Global (I) MM_KEY_EXCH
*Sep 21 15:20:41.440: ISAKMP:(2082): phase 1 packet is a duplicate of a previous packet.
*Sep 21 15:20:41.440: ISAKMP:(2082): retransmission skipped for phase 1 (time since last transmission 4)
*Sep 21 15:20:49.108: ISAKMP:(2083): retransmitting phase 1 MM_KEY_EXCH...
*Sep 21 15:20:49.108: ISAKMP (2083): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
*Sep 21 15:20:49.108: ISAKMP:(2083): retransmitting phase 1 MM_KEY_EXCH
*Sep 21 15:20:49.108: ISAKMP:(2083): sending packet to {IP Site B} my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Sep 21 15:20:49.108: ISAKMP:(2083):Sending an IKE IPv4 Packet.
*Sep 21 15:20:49.108: ISAKMP (2083): received packet from {IP Site B} dport 500 sport 500 Global (R) MM_KEY_EXCH
*Sep 21 15:20:49.108: ISAKMP:(2083): phase 1 packet is a duplicate of a previous packet.
*Sep 21 15:20:49.108: ISAKMP:(2083): retransmission skipped for phase 1 (time since last transmission 0)
*Sep 21 15:20:49.876: ISAKMP: set new node 0 to QM_IDLE
*Sep 21 15:20:49.876: ISAKMP:(2082):SA is still budding. Attached new ipsec request to it. (local 190.64.91.235, remote {IP Site B})
*Sep 21 15:20:49.876: ISAKMP: Error while processing SA request: Failed to initialize SA
*Sep 21 15:20:49.876: ISAKMP: Error while processing KMI message 0, error 2.
*Sep 21 15:20:51.436: ISAKMP:(2082): retransmitting phase 1 MM_KEY_EXCH...
*Sep 21 15:20:51.436: ISAKMP (2082): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
*Sep 21 15:20:51.436: ISAKMP:(2082): retransmitting phase 1 MM_KEY_EXCH
*Sep 21 15:20:51.436: ISAKMP:(2082): sending packet to {IP Site B} my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Sep 21 15:20:51.436: ISAKMP:(2082):Sending an IKE IPv4 Packet.
*Sep 21 15:20:51.440: ISAKMP (2082): received packet from {IP Site B} dport 500 sport 500 Global (I) MM_KEY_EXCH
*Sep 21 15:20:51.440: ISAKMP:(2082): phase 1 packet is a duplicate of a previous packet.
*Sep 21 15:20:51.440: ISAKMP:(2082): retransmission skipped for phase 1 (time since last transmission 4)
Router_GC2#no debug crypto isakmp
Crypto ISAKMP debugging is off
Do you guys have an idea of what I'm doing wrong? Thanks in advance for your replies.
07-01-2020 05:43 PM