SITE VPN --- MM_SA_SETUP ERROR

esse-norman
Level 1

Hello,

I have an IPSEC tunnel between a Cisco 2900 router and an ASA.

The connection has been up for over 10 months, but today on the Cisco router I have this:

#sh crypto isakmp sa
dst             src             state
41.x.y.z     193.108.252      MM_SA_SETUP
41.x.y.z     193.108.252      MM_NO_STATE
41.x.y.z     193.108.252      MM_NO_STATE

At the other end I have this:

IKE Peer: 41.x.y.z

Type    : user   Role    : initiator
Rekey   : no     State   : MM_WAIT_MSG2

I have reconfigured the tunnel but got the same results. Any ideas on how I could proceed?
I have attached the router debug below.

Crypto ISAKMP debugging is on

*Apr  4 08:14:35.648: ISAKMP (0): received packet from 193.108.252.163 dport 500 sport 500 Global (N) NEW SA
*Apr  4 08:14:35.648: ISAKMP: Found a peer struct for 193.108.252.163, peer port 500
*Apr  4 08:14:35.648: ISAKMP: Locking peer struct 0x3123D0E0, refcount 5 for crypto_isakmp_process_block
*Apr  4 08:14:35.648: ISAKMP: local port 500, remote port 500
*Apr  4 08:14:35.648: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 2A0E4874
*Apr  4 08:14:35.648: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Apr  4 08:14:35.648: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_MM1
*Apr  4 08:14:35.648: ISAKMP:(0): processing SA payload. message ID = 0
*Apr  4 08:14:35.648: ISAKMP:(0): processing vendor id payload
*Apr  4 08:14:35.648: ISAKMP:(0): processing IKE frag vendor id payload
*Apr  4 08:14:35.648: ISAKMP:(0):Support for IKE Fragmentation not enabled
*Apr  4 08:14:35.648: ISAKMP:(0):found peer pre-shared key matching 193.108.252.163
*Apr  4 08:14:35.648: ISAKMP:(0): local preshared key found
*Apr  4 08:14:35.648: ISAKMP : Scanning profiles for xauth ...
*Apr  4 08:14:35.648: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Apr  4 08:14:35.648: ISAKMP:      default group 2
*Apr  4 08:14:35.648: ISAKMP:      encryption 3DES-CBC
*Apr  4 08:14:35.648: ISAKMP:      hash SHA
*Apr  4 08:14:35.648: ISAKMP:      auth pre-share
*Apr  4 08:14:35.648: ISAKMP:      life type in seconds
*Apr  4 08:14:35.648: ISAKMP:      life duration (VPI) of  0x0 0x0 0x70 0x80
*Apr  4 08:14:35.648: ISAKMP:(0):Hash algorithm offered does not match policy!
*Apr  4 08:14:35.648: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Apr  4 08:14:35.648: ISAKMP:(0):Checking ISAKMP transform 2 against priority 1 policy
*Apr  4 08:14:35.648: ISAKMP:      default group 2
*Apr  4 08:14:35.648: ISAKMP:      encryption AES-CBC
*Apr  4 08:14:35.648: ISAKMP:      keylength of 256
*Apr  4 08:14:35.648: ISAKMP:      hash SHA
*Apr  4 08:14:35.648: ISAKMP:      auth pre-share
*Apr  4 08:14:35.648: ISAKMP:      life type in seconds
*Apr  4 08:14:35.648: ISAKMP:      life duration (VPI) of  0x0 0x0 0x70 0x80
*Apr  4 08:14:35.648: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Apr  4 08:14:35.648: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Apr  4 08:14:35.648: ISAKMP:(0):Checking ISAKMP transform 3 against priority 1 policy
*Apr  4 08:14:35.648: ISAKMP:      default group 2
*Apr  4 08:14:35.648: ISAKMP:      encryption AES-CBC
*Apr  4 08:14:35.648: ISAKMP:      keylength of 192
*Apr  4 08:14:35.648: ISAKMP:      hash SHA
*Apr  4 08:14:35.648: ISAKMP:      auth pre-share
*Apr  4 08:14:35.648: ISAKMP:      life type in seconds
*Apr  4 08:14:35.648: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
*Apr  4 08:14:35.648: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Apr  4 08:14:35.652: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Apr  4 08:14:35.652: ISAKMP:(0):Checking ISAKMP transform 4 against priority 1 policy
*Apr  4 08:14:35.652: ISAKMP:      default group 2
*Apr  4 08:14:35.652: ISAKMP:      encryption AES-CBC
*Apr  4 08:14:35.652: ISAKMP:      keylength of 256
*Apr  4 08:14:35.652: ISAKMP:      hash SHA
*Apr  4 08:14:35.652: ISAKMP:      auth pre-share
*Apr  4 08:14:35.652: ISAKMP:      life type in seconds
*Apr  4 08:14:35.652: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
*Apr  4 08:14:35.652: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Apr  4 08:14:35.652: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Apr  4 08:14:35.652: ISAKMP:(0):Checking ISAKMP transform 5 against priority 1 policy
*Apr  4 08:14:35.652: ISAKMP:      default group 2
*Apr  4 08:14:35.652: ISAKMP:      encryption 3DES-CBC
*Apr  4 08:14:35.652: ISAKMP:      hash SHA
*Apr  4 08:14:35.652: ISAKMP:      auth pre-share
*Apr  4 08:14:35.652: ISAKMP:      life type in seconds
*Apr  4 08:14:35.652: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
*Apr  4 08:14:35.652: ISAKMP:(0):Hash algorithm offered does not match policy!
*Apr  4 08:14:35.652: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Apr  4 08:14:35.652: ISAKMP:(0):Checking ISAKMP transform 1 against priority 2 policy
*Apr  4 08:14:35.652: ISAKMP:      default group 2
*Apr  4 08:14:35.652: ISAKMP:      encryption 3DES-CBC
*Apr  4 08:14:35.652: ISAKMP:      hash SHA
*Apr  4 08:14:35.652: ISAKMP:      auth pre-share
*Apr  4 08:14:35.652: ISAKMP:      life type in seconds
*Apr  4 08:14:35.652: ISAKMP:      life duration (VPI) of  0x0 0x0 0x70 0x80
*Apr  4 08:14:35.652: ISAKMP:(0):atts are acceptable. Next payload is 3
*Apr  4 08:14:35.652: ISAKMP:(0):Acceptable atts:actual life: 0
*Apr  4 08:14:35.652: ISAKMP:(0):Acceptable atts:life: 0
*Apr  4 08:14:35.652: ISAKMP:(0):Fill atts in sa vpi_length:4
*Apr  4 08:14:35.652: ISAKMP:(0):Fill atts in sa life_in_seconds:28800
*Apr  4 08:14:35.652: ISAKMP:(0):Returning Actual lifetime: 28800
*Apr  4 08:14:35.652: ISAKMP:(0)::Started lifetime timer: 28800.
*Apr  4 08:14:35.652: ISAKMP:(0): processing vendor id payload
*Apr  4 08:14:35.652: ISAKMP:(0): processing IKE frag vendor id payload
*Apr  4 08:14:35.652: ISAKMP:(0):Support for IKE Fragmentation not enabled
BKM-KMP-IRTR-01#
BKM-KMP-IRTR-01#
*Apr  4 08:14:35.652: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Apr  4 08:14:35.652: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM1
*Apr  4 08:14:35.652: ISAKMP:(0): sending packet to 193.108.252.163 my_port 500 peer_port 500 (R) MM_SA_SETUP
*Apr  4 08:14:35.652: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Apr  4 08:14:35.652: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Apr  4 08:14:35.652: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM2
*Apr  4 08:14:38.008: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...
*Apr  4 08:14:38.008: ISAKMP (0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
*Apr  4 08:14:38.008: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP
*Apr  4 08:14:38.008: ISAKMP:(0): sending packet to 193.108.252.163 my_port 500 peer_port 500 (R) MM_SA_SETUP
*Apr  4 08:14:38.008: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Apr  4 08:14:43.648: ISAKMP (0): received packet from 193.108.252.163 dport 500 sport 500 Global (R) MM_SA_SETUP
*Apr  4 08:14:43.648: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.
*Apr  4 08:14:43.648: ISAKMP:(0): retransmitting due to retransmit phase 1
*Apr  4 08:14:44.148: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...
*Apr  4 08:14:44.148: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Apr  4 08:14:44.148: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP
*Apr  4 08:14:44.148: ISAKMP:(0): sending packet to 193.108.252.163 my_port 500 peer_port 500 (R) MM_SA_SETUP
*Apr  4 08:14:44.148: ISAKMP:(0):Sending an IKE IPv4 Packet.

2 Replies

Aaron King
Level 1

Just worked an issue like this; try doing a clear route command or a reload of the router.

olpeleri
Cisco Employee

Hello,

At 99% it looks like a path issue [UDP 500 dropped in the path unidirectionally from this router to the remote peer].

The rtr sends MM2, but the ASA displays MM_WAIT_MSG2. So the message never arrived.

Cheers
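
The reasoning in this reply can be checked mechanically against a responder-side `debug crypto isakmp` capture; the script below is an added example, not part of the original thread. The function names, the constructed sample (peer 192.0.2.10 is a documentation address), the later state names `MM_KEY_EXCH`, `MM_KEY_AUTH` and `QM_IDLE`, and the rule that address-less lines belong to the last peer seen are assumptions of this example.

```python
import re

# Constructed sample modelled on the thread's debug lines (not the poster's capture).
SAMPLE = """\
*Apr  4 08:14:35.648: ISAKMP (0): received packet from 192.0.2.10 dport 500 sport 500 Global (N) NEW SA
*Apr  4 08:14:35.652: ISAKMP:(0):atts are acceptable. Next payload is 3
*Apr  4 08:14:35.652: ISAKMP:(0): sending packet to 192.0.2.10 my_port 500 peer_port 500 (R) MM_SA_SETUP
*Apr  4 08:14:38.008: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...
*Apr  4 08:14:38.008: ISAKMP:(0): sending packet to 192.0.2.10 my_port 500 peer_port 500 (R) MM_SA_SETUP
*Apr  4 08:14:43.648: ISAKMP (0): received packet from 192.0.2.10 dport 500 sport 500 Global (R) MM_SA_SETUP
*Apr  4 08:14:43.648: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.
"""

# Captures direction, peer address, role letter in parentheses, and the state name.
PKT = re.compile(r"(sending packet to|received packet from) (\S+) .*\((\w)\) (.+)$")
LATER_STATES = {"MM_KEY_EXCH", "MM_KEY_AUTH", "QM_IDLE"}  # assumed names of later IOS states

def verdict(s):
    """Turn the per-peer counters into a one-line diagnosis."""
    if s["progressed"]:
        return "phase 1 moved past MM_SA_SETUP"
    if not s["accepted"]:
        return "no transform accepted: check ISAKMP policy on both peers"
    if s["mm2_sent"] >= 2 and s["dups"] >= 1:
        return "MM2 sent repeatedly while peer repeats MM1: replies likely lost on the path (UDP 500)"
    return "inconclusive"

def diagnose(debug_text):
    """Return {peer: verdict} for main-mode attempts where this router is the responder."""
    stats, peer = {}, None
    for line in debug_text.splitlines():
        m = PKT.search(line)
        if m:
            direction, peer, role, state = m.groups()
            s = stats.setdefault(
                peer, {"mm2_sent": 0, "dups": 0, "accepted": False, "progressed": False})
            if direction.startswith("sending") and role == "R" and state == "MM_SA_SETUP":
                s["mm2_sent"] += 1  # our MM2 reply (or a retransmission of it)
            if state.strip() in LATER_STATES:
                s["progressed"] = True
        elif peer is not None:
            # These lines carry no address; assume they belong to the last peer seen.
            s = stats[peer]
            if "atts are acceptable" in line:
                s["accepted"] = True  # a proposal matched, so this is not a policy mismatch
            elif "duplicate of a previous packet" in line:
                s["dups"] += 1  # peer is still resending MM1
    return {p: verdict(s) for p, s in stats.items()}
```

The "atts are not acceptable" lines in a capture like this one are only the earlier transforms being rejected; once any transform is accepted, repeated MM2 sends plus duplicate MM1 receipts point at the return path rather than the policy.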