04-04-2012 07:19 AM
Hello,
I have an IPsec tunnel between a Cisco 2900 router and an ASA.
The connection has been up for over 10 months, but today on the Cisco router I have this:

#sh crypto isakmp sa
dst             src             state
41.x.y.z        193.108.252     MM_SA_SETUP
41.x.y.z        193.108.252     MM_NO_STATE
41.x.y.z        193.108.252     MM_NO_STATE

I have attached the router debug below.

At the other end I have this:
IKE Peer: 41.x.y.z
Type : user          Role : initiator
Rekey : no           State : MM_WAIT_MSG2
I have reconfigured the tunnel but get the same results. Any ideas on how I could proceed?
Crypto ISAKMP debugging is on
*Apr 4 08:14:35.648: ISAKMP (0): received packet from 193.108.252.163 dport 500 sport 500 Global (N) NEW SA
*Apr 4 08:14:35.648: ISAKMP: Found a peer struct for 193.108.252.163, peer port 500
*Apr 4 08:14:35.648: ISAKMP: Locking peer struct 0x3123D0E0, refcount 5 for crypto_isakmp_process_block
*Apr 4 08:14:35.648: ISAKMP: local port 500, remote port 500
*Apr 4 08:14:35.648: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 2A0E4874
*Apr 4 08:14:35.648: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Apr 4 08:14:35.648: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
*Apr 4 08:14:35.648: ISAKMP:(0): processing SA payload. message ID = 0
*Apr 4 08:14:35.648: ISAKMP:(0): processing vendor id payload
*Apr 4 08:14:35.648: ISAKMP:(0): processing IKE frag vendor id payload
*Apr 4 08:14:35.648: ISAKMP:(0):Support for IKE Fragmentation not enabled
*Apr 4 08:14:35.648: ISAKMP:(0):found peer pre-shared key matching 193.108.252.163
*Apr 4 08:14:35.648: ISAKMP:(0): local preshared key found
*Apr 4 08:14:35.648: ISAKMP : Scanning profiles for xauth ...
*Apr 4 08:14:35.648: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Apr 4 08:14:35.648: ISAKMP: default group 2
*Apr 4 08:14:35.648: ISAKMP: encryption 3DES-CBC
*Apr 4 08:14:35.648: ISAKMP: hash SHA
*Apr 4 08:14:35.648: ISAKMP: auth pre-share
*Apr 4 08:14:35.648: ISAKMP: life type in seconds
*Apr 4 08:14:35.648: ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
*Apr 4 08:14:35.648: ISAKMP:(0):Hash algorithm offered does not match policy!
*Apr 4 08:14:35.648: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Apr 4 08:14:35.648: ISAKMP:(0):Checking ISAKMP transform 2 against priority 1 policy
*Apr 4 08:14:35.648: ISAKMP: default group 2
*Apr 4 08:14:35.648: ISAKMP: encryption AES-CBC
*Apr 4 08:14:35.648: ISAKMP: keylength of 256
*Apr 4 08:14:35.648: ISAKMP: hash SHA
*Apr 4 08:14:35.648: ISAKMP: auth pre-share
*Apr 4 08:14:35.648: ISAKMP: life type in seconds
*Apr 4 08:14:35.648: ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
*Apr 4 08:14:35.648: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Apr 4 08:14:35.648: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Apr 4 08:14:35.648: ISAKMP:(0):Checking ISAKMP transform 3 against priority 1 policy
*Apr 4 08:14:35.648: ISAKMP: default group 2
*Apr 4 08:14:35.648: ISAKMP: encryption AES-CBC
*Apr 4 08:14:35.648: ISAKMP: keylength of 192
*Apr 4 08:14:35.648: ISAKMP: hash SHA
*Apr 4 08:14:35.648: ISAKMP: auth pre-share
*Apr 4 08:14:35.648: ISAKMP: life type in seconds
*Apr 4 08:14:35.648: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*Apr 4 08:14:35.648: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Apr 4 08:14:35.652: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Apr 4 08:14:35.652: ISAKMP:(0):Checking ISAKMP transform 4 against priority 1 policy
*Apr 4 08:14:35.652: ISAKMP: default group 2
*Apr 4 08:14:35.652: ISAKMP: encryption AES-CBC
*Apr 4 08:14:35.652: ISAKMP: keylength of 256
*Apr 4 08:14:35.652: ISAKMP: hash SHA
*Apr 4 08:14:35.652: ISAKMP: auth pre-share
*Apr 4 08:14:35.652: ISAKMP: life type in seconds
*Apr 4 08:14:35.652: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*Apr 4 08:14:35.652: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Apr 4 08:14:35.652: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Apr 4 08:14:35.652: ISAKMP:(0):Checking ISAKMP transform 5 against priority 1 policy
*Apr 4 08:14:35.652: ISAKMP: default group 2
*Apr 4 08:14:35.652: ISAKMP: encryption 3DES-CBC
*Apr 4 08:14:35.652: ISAKMP: hash SHA
*Apr 4 08:14:35.652: ISAKMP: auth pre-share
*Apr 4 08:14:35.652: ISAKMP: life type in seconds
*Apr 4 08:14:35.652: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*Apr 4 08:14:35.652: ISAKMP:(0):Hash algorithm offered does not match policy!
*Apr 4 08:14:35.652: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Apr 4 08:14:35.652: ISAKMP:(0):Checking ISAKMP transform 1 against priority 2 policy
*Apr 4 08:14:35.652: ISAKMP: default group 2
*Apr 4 08:14:35.652: ISAKMP: encryption 3DES-CBC
*Apr 4 08:14:35.652: ISAKMP: hash SHA
*Apr 4 08:14:35.652: ISAKMP: auth pre-share
*Apr 4 08:14:35.652: ISAKMP: life type in seconds
*Apr 4 08:14:35.652: ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
*Apr 4 08:14:35.652: ISAKMP:(0):atts are acceptable. Next payload is 3
*Apr 4 08:14:35.652: ISAKMP:(0):Acceptable atts:actual life: 0
*Apr 4 08:14:35.652: ISAKMP:(0):Acceptable atts:life: 0
*Apr 4 08:14:35.652: ISAKMP:(0):Fill atts in sa vpi_length:4
*Apr 4 08:14:35.652: ISAKMP:(0):Fill atts in sa life_in_seconds:28800
*Apr 4 08:14:35.652: ISAKMP:(0):Returning Actual lifetime: 28800
*Apr 4 08:14:35.652: ISAKMP:(0)::Started lifetime timer: 28800.
*Apr 4 08:14:35.652: ISAKMP:(0): processing vendor id payload
*Apr 4 08:14:35.652: ISAKMP:(0): processing IKE frag vendor id payload
*Apr 4 08:14:35.652: ISAKMP:(0):Support for IKE Fragmentation not enabled
BKM-KMP-IRTR-01#
BKM-KMP-IRTR-01#
*Apr 4 08:14:35.652: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Apr 4 08:14:35.652: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1
*Apr 4 08:14:35.652: ISAKMP:(0): sending packet to 193.108.252.163 my_port 500 peer_port 500 (R) MM_SA_SETUP
*Apr 4 08:14:35.652: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Apr 4 08:14:35.652: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Apr 4 08:14:35.652: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM2
*Apr 4 08:14:38.008: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...
*Apr 4 08:14:38.008: ISAKMP (0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
*Apr 4 08:14:38.008: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP
*Apr 4 08:14:38.008: ISAKMP:(0): sending packet to 193.108.252.163 my_port 500 peer_port 500 (R) MM_SA_SETUP
*Apr 4 08:14:38.008: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Apr 4 08:14:43.648: ISAKMP (0): received packet from 193.108.252.163 dport 500 sport 500 Global (R) MM_SA_SETUP
*Apr 4 08:14:43.648: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.
*Apr 4 08:14:43.648: ISAKMP:(0): retransmitting due to retransmit phase 1
*Apr 4 08:14:44.148: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...
*Apr 4 08:14:44.148: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Apr 4 08:14:44.148: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP
*Apr 4 08:14:44.148: ISAKMP:(0): sending packet to 193.108.252.163 my_port 500 peer_port 500 (R) MM_SA_SETUP
*Apr 4 08:14:44.148: ISAKMP:(0):Sending an IKE IPv4 Packet.
11-21-2012 05:07 AM
Just worked an issue like this; try doing a clear route command or a reload of the router.
11-21-2012 11:48 PM
Hello,
At 99% it looks like a path issue [UDP 500 dropped in the path unidirectionally from this router to the remote peer].
The rtr sends MM2, but the ASA displays MM_WAIT_MSG2. So the message never arrived.
Cheers
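As an added illustration (not part of this thread), the reasoning in the reply above can be mechanised: a small Python script that reads a responder-side "debug crypto isakmp" capture like the one posted, records which ISAKMP policy priority accepted the peer's proposal, the last Phase 1 state reached, and the retransmit/duplicate pattern, and distinguishes "no policy matched" from "MM2 sent but never reached the peer". The sample lines are constructed in the shape of the posted debug; the peer address is the one shown in the thread.

```python
import re

# Constructed sample in the shape of the router debug posted above (not the
# thread's full capture); the peer address is the one shown in the thread.
SAMPLE_DEBUG = """\
*Apr 4 08:14:35.648: ISAKMP (0): received packet from 193.108.252.163 dport 500 sport 500 Global (N) NEW SA
*Apr 4 08:14:35.648: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
*Apr 4 08:14:35.648: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Apr 4 08:14:35.648: ISAKMP:(0):Hash algorithm offered does not match policy!
*Apr 4 08:14:35.652: ISAKMP:(0):Checking ISAKMP transform 1 against priority 2 policy
*Apr 4 08:14:35.652: ISAKMP:(0):atts are acceptable. Next payload is 3
*Apr 4 08:14:35.652: ISAKMP:(0): sending packet to 193.108.252.163 my_port 500 peer_port 500 (R) MM_SA_SETUP
*Apr 4 08:14:35.652: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM2
*Apr 4 08:14:38.008: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...
*Apr 4 08:14:43.648: ISAKMP (0): received packet from 193.108.252.163 dport 500 sport 500 Global (R) MM_SA_SETUP
*Apr 4 08:14:43.648: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.
*Apr 4 08:14:44.148: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...
"""

STATE_RE = re.compile(r"Old State = (\S+) New State = (\S+)")
CHECK_RE = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")


def analyze(debug_text):
    """Summarise a responder-side 'debug crypto isakmp' capture."""
    r = {"last_state": None, "accepted_policy": None, "rejected": [],
         "retransmits": 0, "duplicates": 0, "diagnosis": ""}
    current = None  # (transform number, policy priority) being checked
    for line in debug_text.splitlines():
        m = STATE_RE.search(line)
        if m:
            r["last_state"] = m.group(2)
        m = CHECK_RE.search(line)
        if m:
            current = (int(m.group(1)), int(m.group(2)))
        elif "does not match policy" in line and current:
            r["rejected"].append(current)
        elif "atts are acceptable" in line and current:
            r["accepted_policy"] = current[1]
        # Each retransmit attempt is logged as "retransmitting phase 1 ..."
        if "retransmitting phase 1" in line and line.rstrip().endswith("..."):
            r["retransmits"] += 1
        # The peer re-sending MM1 shows the peer never saw our MM2
        if "duplicate of a previous packet" in line:
            r["duplicates"] += 1
    if r["accepted_policy"] is None and r["rejected"]:
        r["diagnosis"] = "no ISAKMP policy matched any proposal: fix policy"
    elif r["last_state"] == "IKE_R_MM2" and r["retransmits"] and r["duplicates"]:
        r["diagnosis"] = ("MM2 was sent but the peer keeps re-sending MM1: MM2 is "
                          "not reaching the peer, check the UDP/500 path to it")
    else:
        r["diagnosis"] = "phase 1 progressed past MM2 or no failure pattern seen"
    return r
```

Run `analyze(open("debug.txt").read())` on a real capture; a capture from the ASA side would need its own patterns, since the IOS and ASA debug formats differ.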