08-24-2010 05:56 AM - edited 02-21-2020 04:48 PM
Could someone take a look at the following configs? We're having issues getting a VPN up on two 881 routers and can't figure out what we're missing. Any thoughts are appreciated. I've replaced private info in brackets like <ROUTERA>. Rest assured the IPs for the routers are set properly and not in brackets.
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname <ROUTERA>
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
!
no aaa new-model
!
!
!
memory-size iomem 10
clock timezone PCTime -6
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-4052530123
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4052530123
revocation-check none
rsakeypair TP-self-signed-4052530123
!
!
crypto pki certificate chain TP-self-signed-4052530123
certificate self-signed 01
30820249 308201B2 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 34303532 35333031 3233301E 170D3130 30373032 31363436
34375A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D34 30353235
33303132 3330819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100F22D 0AC7AE63 FBA6CF49 40D9C61F 011FDD8E 639F60FC 2B25561A 6A937BDD
A7B536F7 F591C5F0 DB1EF660 8A78A9A3 3D2691D6 CCC36734 5B0EACFF 3788DAB0
2335CE35 53135F2B 2FF130E3 CB8419E7 FCA12958 FA1576FC ABB149F2 0BACC389
D039E324 12A848C1 D712BE68 09A100B3 8E972F9A 89E36682 88B375F0 A3B0805E
BF670203 010001A3 71306F30 0F060355 1D130101 FF040530 030101FF 301C0603
551D1104 15301382 11727472 2D796F72 6B2E6266 70642E63 6F6D301F 0603551D
23041830 16801436 AF01335D 581256E3 70C32023 FB4CA008 9ABDF030 1D060355
1D0E0416 041436AF 01335D58 1256E370 C32023FB 4CA0089A BDF0300D 06092A86
4886F70D 01010405 00038181 004ED8A0 19FE1545 31A4D819 39B491EF 0F1E829A
1E2EC1B2 75AEA6F6 F20CD38C C1891C68 87271560 C8AC4561 791CF9EC 48CE9EB0
4977D264 26057C7D D69A69BF 5EB82630 B9BC3249 605D889B 912C2650 20C909BC
D2F2A77B 3AA02C39 90A3E82F 52FC04B9 91F7C194 A09C4E10 E8787538 9C89DFA9
9929FEB7 517DEE55 B7CF0D63 36
quit
no ip source-route
!
!
ip dhcp excluded-address 192.168.1.1 192.168.1.199
!
ip dhcp pool ccp-pool1
import all
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 192.168.1.4 64.105.179.138
!
!
ip cef
no ip bootp server
ip domain name domain.com
ip name-server <DNS1>
ip name-server <DNS2>
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISCO881-SEC-K9 sn
!
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 5
crypto isakmp key ****** address <ROUTERBADDRESS>
!
!
crypto ipsec transform-set esp-aes-sha esp-aes esp-sha-hmac
!
crypto map vpn 10 ipsec-isakmp
set peer <ROUTERBADDRESS>
set transform-set esp-aes-sha
match address 101
!
!
!
!
!
interface FastEthernet0
!
!
interface FastEthernet1
!
!
interface FastEthernet2
!
!
interface FastEthernet3
!
!
interface FastEthernet4
description $FW_OUTSIDE$$ES_WAN$
ip address <ROUTERAADDRESS> 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map vpn
!
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 192.168.1.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source static tcp 192.168.1.3 1723 interface FastEthernet4 1723
ip nat inside source static tcp 192.168.1.1 22 interface FastEthernet4 22
ip nat inside source static tcp 192.168.1.3 80 interface FastEthernet4 80
ip nat inside source static tcp 192.168.1.3 3389 interface FastEthernet4 3389
ip nat inside source static tcp 192.168.1.3 47 interface FastEthernet4 47
ip nat inside source static udp 192.168.1.3 67 interface FastEthernet4 67
ip nat inside source static udp 192.168.1.3 68 interface FastEthernet4 68
ip nat inside source static udp 192.168.1.3 500 interface FastEthernet4 500
ip nat inside source static udp 192.168.1.3 4500 interface FastEthernet4 4500
ip nat inside source list 111 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 <GATEWAY>
!
logging trap debugging
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 69.3.229.0 0.0.0.255 any
access-list 100 permit gre any any
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 111 deny ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 111 permit ip 192.168.1.0 0.0.0.255 any
no cdp run
!
!
!
!
!
control-plane
!
!
line con 0
login local
no modem enable
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname <ROUTERB>
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
!
no aaa new-model
!
!
!
memory-size iomem 10
clock timezone PCTime -6
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-3533576425
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3533576425
revocation-check none
rsakeypair TP-self-signed-3533576425
!
!
crypto pki certificate chain TP-self-signed-3533576425
certificate self-signed 01
3082024A 308201B3 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33353333 35373634 3235301E 170D3130 30373134 30313239
31345A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 35333335
37363432 3530819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100B7A1 950DFF3E 1E8A9508 9D9F489D 4E96C2DF 3AD50ACF FB48782C F56B3DBF
B0949CBA CC66EF3E 9F3C863C 4977219F A24E6893 4DCEF376 E663E6A2 3A5EA509
F9974901 9A5F5967 81E61DDB CEFF7B36 802F28AA 3F582903 2228D85B 0FD1269A
7214A404 9AB96F94 31663C9A 14DA8563 1CAA31BF D23BE567 8F1D08D8 A96CA0B0
3C230203 010001A3 72307030 0F060355 1D130101 FF040530 030101FF 301D0603
551D1104 16301482 12727472 2D666F73 7465722E 6266642E 636F6D30 1F060355
1D230418 30168014 47B39DE3 A3E0A4C2 80447A33 95F1ED95 51BC786A 301D0603
551D0E04 16041447 B39DE3A3 E0A4C280 447A3395 F1ED9551 BC786A30 0D06092A
864886F7 0D010104 05000381 81008707 65F450D5 433B5233 0B339846 C0A791D9
DD420C51 2026999B FB4E4F41 CC8F1F5C 447B3C0D 26039E20 EF371E97 6E34CDB9
7C8A4B80 48FA0C00 BF547BF2 2FE638B8 12EB7A8B F64C348C 2902B3EA 17698397
3AB646FF 6668B6A0 15AE8B39 A1076EF5 E8AE68BE 861C93CE 59B57400 D01BB7FE
9E223D22 72F4BD77 3D49C31A 7B6D
quit
no ip source-route
!
!
ip dhcp excluded-address 192.168.4.1 192.168.4.199
!
ip dhcp pool ccp-pool1
import all
network 192.168.4.0 255.255.255.0
dns-server 64.105.189.26 64.105.179.138
default-router 192.168.4.1
!
!
ip cef
no ip bootp server
ip domain name domain.com
ip name-server <DNS1>
ip name-server <DNS2>
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISCO881-SEC-K9 sn
!
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 5
crypto isakmp key ****** address <ROUTERAADDRESS>
!
!
crypto ipsec transform-set esp-aes-sha esp-aes esp-sha-hmac
!
crypto map vpn 10 ipsec-isakmp
set peer <ROUTERAADDRESS>
set transform-set esp-aes-sha
match address 101
!
!
!
!
!
interface FastEthernet0
!
!
interface FastEthernet1
!
!
interface FastEthernet2
!
!
interface FastEthernet3
!
!
interface FastEthernet4
description $ES_WAN$$FW_OUTSIDE$
ip address <ROUTERBADDRESS> 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map vpn
!
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 192.168.4.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source list 111 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 <GATEWAY>
!
logging trap debugging
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 68.166.95.208 0.0.0.7 any
access-list 100 permit gre any any
access-list 101 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 111 deny ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 111 permit ip 192.168.4.0 0.0.0.255 any
no cdp run
!
!
!
!
!
control-plane
!
!
line con 0
login local
no modem enable
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
08-24-2010 06:03 AM
Configuration looks correct.
Which phase is it failing?
Can you share the output of:
show cry isa sa
show cry ipsec sa
Also, can you please run the following debugs so we know where exactly it's failing:
debug cry isa
debug cry ipsec
I would test with a ping to 192.168.4.1 sourced from 192.168.1.1 on Router A, and/or a ping to 192.168.1.1 sourced from 192.168.4.1 on Router B.
08-24-2010 06:42 AM
Thank you for the quick reply. It appears to be failing on phase 1. I've tested the extended pings like you mentioned and they always time out and then the send error counter increments. Below are the outputs you requested. When watching the debug, after doing an extended ping it tries 5 times and then stops.
#sh cry isa sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
IPv6 Crypto ISAKMP SA
#sh cry ipsec sa
interface: FastEthernet4
Crypto map tag: vpn, local addr
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.4.0/255.255.255.0/0/0)
current_peer
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 5, #recv errors 0
local crypto endpt.:
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
Sending 5, 100-byte ICMP Echos to 192.168.4.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
000091: *Aug 24 08:36:46.095 PCTime: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local=
local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
remote_proxy= 192.168.4.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-aes esp-sha-hmac (Tunnel),
lifedur= 86400s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
000092: *Aug 24 08:36:46.095 PCTime: ISAKMP:(0): SA request profile is (NULL)
000093: *Aug 24 08:36:46.095 PCTime: ISAKMP: Created a peer struct for
000094: *Aug 24 08:36:46.095 PCTime: ISAKMP: New peer created peer = 0x8622F914 peer_handle = 0x80000004
000095: *Aug 24 08:36:46.095 PCTime: ISAKMP: Locking peer struct 0x8622F914, refcount 1 for isakmp_initiator
000096: *Aug 24 08:36:46.095 PCTime: ISAKMP: local port 500, remote port 500
000097: *Aug 24 08:36:46.095 PCTime: ISAKMP: set new node 0 to QM_IDLE
000098: *Aug 24 08:36:46.095 PCTime: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 858A48BC
000099: *Aug 24 08:36:46.095 PCTime: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
000100: *Aug 24 08:36:46.095 PCTime: ISAKMP:(0):found peer pre-shared key matching
000101: *Aug 24 08:36:46.095 PCTime: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
000102: *Aug 24 08:36:46.095 PCTime: ISAKMP:(0): constructed NAT-T vendor-07 ID
000103: *Aug 24 08:36:46.095 PCTime: ISAKMP:(0): constructed NAT-T vendor-03 ID
000104: *Aug 24 08:36:46.095 PCTime: ISAKMP:(0): constructed NAT-T vendor-02 ID
000105: *Aug 24 08:36:46.095 PCTime: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
000106: *Aug 24 08:36:46.095 PCTime: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
000107: *Aug 24 08:36:46.095 PCTime: ISAKMP:(0): beginning Main Mode exchange
000108: *Aug 24 08:36:46.095 PCTime: ISAKMP:(0): sending packet to
000109: *Aug 24 08:36:46.095 PCTime: ISAKMP:(0):Sending an IKE IPv4 Packet..
000110: *Aug 24 08:36:47.987 PCTime: ISAKMP:(0):purging node -280443438
000111: *Aug 24 08:36:47.987 PCTime: ISAKMP:(0):purging node 231817120....
Success rate is 0 percent (0/5)
rtr-york#
000112: *Aug 24 08:36:56.095 PCTime: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
000113: *Aug 24 08:36:56.095 PCTime: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
000114: *Aug 24 08:36:56.095 PCTime: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
000115: *Aug 24 08:36:56.095 PCTime: ISAKMP:(0): sending packet to
000116: *Aug 24 08:36:56.095 PCTime: ISAKMP:(0):Sending an IKE IPv4 Packet.
000117: *Aug 24 08:36:57.987 PCTime: ISAKMP:(0):purging SA., sa=862106B0, delme=862106B0
000118: *Aug 24 08:37:06.095 PCTime: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
000119: *Aug 24 08:37:06.095 PCTime: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
000120: *Aug 24 08:37:06.095 PCTime: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
000121: *Aug 24 08:37:06.095 PCTime: ISAKMP:(0): sending packet to
000122: *Aug 24 08:37:06.095 PCTime: ISAKMP:(0):Sending an IKE IPv4 Packet.
#sh crypto session
Crypto session current status
Interface: FastEthernet4
Session status: DOWN
Peer:
IPSEC FLOW: permit ip 192.168.1.0/255.255.255.0 192.168.4.0/255.255.255.0
Active SAs: 0, origin: crypto map
08-26-2010 08:47 AM
Hi,
From the debugs, it looks like ROUTERA never gets a response from ROUTERB. Can you run the same debugs on ROUTERB? We can see if this first exchange is even reaching ROUTERB or if the reply from ROUTERB is not reaching back to ROUTERA.
As a side note, while we look at the debugs and troubleshoot this, I would suggest you confirm with your ISP whether UDP 500 is being blocked between these 2 routers.
Regards,
Prapanch
08-26-2010 09:17 AM
Here's what I was seeing after turning on debug on ROUTERB. It started doing this as soon as I turned on debug. I then did a ping from ROUTERA as well. I called the ISP last week and they said they aren't doing any filtering. Is there a way to test remotely if port 500 is accessible through the router, by telnet or something else?
000110: *Aug 26 11:13:32.135 PCTime: IPSEC(key_engine): got a queue event with 1 KMI message(s)
000111: *Aug 26 11:13:41.639 PCTime: ISAKMP (0): received packet from
000112: *Aug 26 11:13:41.639 PCTime: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.
000113: *Aug 26 11:13:41.639 PCTime: ISAKMP:(0): retransmitting due to retransmit phase 1
000114: *Aug 26 11:13:42.139 PCTime: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...
000115: *Aug 26 11:13:42.139 PCTime: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
000116: *Aug 26 11:13:42.139 PCTime: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP
000117: *Aug 26 11:13:42.139 PCTime: ISAKMP:(0): sending packet to
000118: *Aug 26 11:13:42.139 PCTime: ISAKMP:(0):Sending an IKE IPv4 Packet.
000119: *Aug 26 11:13:51.639 PCTime: ISAKMP (0): received packet from
000120: *Aug 26 11:13:51.639 PCTime: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.
000121: *Aug 26 11:13:51.639 PCTime: ISAKMP:(0): retransmitting due to retransmit phase 1
000122: *Aug 26 11:13:52.139 PCTime: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...
000123: *Aug 26 11:13:52.139 PCTime: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
000124: *Aug 26 11:13:52.139 PCTime: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP
000125: *Aug 26 11:13:52.139 PCTime: ISAKMP:(0): sending packet to
000126: *Aug 26 11:13:52.139 PCTime: ISAKMP:(0):Sending an IKE IPv4 Packet.
000127: *Aug 26 11:14:01.643 PCTime: ISAKMP (0): received packet from
000128: *Aug 26 11:14:01.643 PCTime: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.
000129: *Aug 26 11:14:01.643 PCTime: ISAKMP:(0): retransmitting due to retransmit phase 1
000130: *Aug 26 11:14:02.143 PCTime: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...
000131: *Aug 26 11:14:02.143 PCTime: ISAKMP (0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
000132: *Aug 26 11:14:02.143 PCTime: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP
000133: *Aug 26 11:14:02.143 PCTime: ISAKMP:(0): sending packet to
000134: *Aug 26 11:14:02.143 PCTime: ISAKMP:(0):Sending an IKE IPv4 Packet.
000135: *Aug 26 11:14:11.643 PCTime: ISAKMP (0): received packet from
000136: *Aug 26 11:14:11.643 PCTime: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.
000137: *Aug 26 11:14:11.643 PCTime: ISAKMP:(0): retransmitting due to retransmit phase 1
000138: *Aug 26 11:14:12.143 PCTime: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...
000139: *Aug 26 11:14:12.143 PCTime: ISAKMP (0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
000140: *Aug 26 11:14:12.143 PCTime: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP
000141: *Aug 26 11:14:12.143 PCTime: ISAKMP:(0): sending packet to
000142: *Aug 26 11:14:12.143 PCTime: ISAKMP:(0):Sending an IKE IPv4 Packet.
000143: *Aug 26 11:14:21.643 PCTime: ISAKMP (0): received packet from
000144: *Aug 26 11:14:21.643 PCTime: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.
000145: *Aug 26 11:14:21.643 PCTime: ISAKMP:(0): retransmitting due to retransmit phase 1
000146: *Aug 26 11:14:22.143 PCTime: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...
000147: *Aug 26 11:14:22.143 PCTime: ISAKMP (0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
000148: *Aug 26 11:14:22.143 PCTime: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP
000149: *Aug 26 11:14:22.143 PCTime: ISAKMP:(0): sending packet to
000150: *Aug 26 11:14:22.143 PCTime: ISAKMP:(0):Sending an IKE IPv4 Packet.
000151: *Aug 26 11:14:32.135 PCTime: ISAKMP:(0):purging SA., sa=8625EDAC, delme=8625EDAC
000152: *Aug 26 11:14:32.143 PCTime: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...
000153: *Aug 26 11:14:32.143 PCTime: ISAKMP:(0):peer does not do paranoid keepalives.
000154: *Aug 26 11:14:32.143 PCTime: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (R) MM_SA_SETUP (peer
000155: *Aug 26 11:14:32.143 PCTime: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (R) MM_SA_SETUP (peer
000156: *Aug 26 11:14:32.143 PCTime: ISAKMP: Unlocking peer struct 0x851932E0 for isadb_mark_sa_deleted(), count 0
000157: *Aug 26 11:14:32.143 PCTime: ISAKMP: Deleting peer node by peer_reap for
000158: *Aug 26 11:14:32.143 PCTime: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
000159: *Aug 26 11:14:32.143 PCTime: ISAKMP:(0):Old State = IKE_R_MM2 New State = IKE_DEST_SA
000160: *Aug 26 11:14:32.143 PCTime: IPSEC(key_engine): got a queue event with 1 KMI message(s)
08-26-2010 05:17 PM
Hi,
Unfortunately the debugs you have posted do not start from the time ROUTERB gets the initial packet, but looking at this line:
000159: *Aug 26 11:14:32.143 PCTime: ISAKMP:(0):Old State = IKE_R_MM2 New State = IKE_DEST_SA
It looks like ROUTERB gets the initial exchange from ROUTERA and also replies to it, but ROUTERA never gets this 2nd exchange. Do you have any firewall devices between these 2 routers that could be doing such a thing? If not, it certainly seems like the ISP is blocking this UDP 500 packet from ROUTERB to ROUTERA. Have them check again.
If possible, please try capturing packets on UDP 500 before each of the routers and we can then clearly see what is going wrong.
Regards,
Prapanch
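The reasoning in the reply above (ROUTERB reaches IKE_R_MM2, ROUTERA never leaves IKE_I_MM1, so the MM2 reply is what goes missing) can be turned into a repeatable check. The script below is an added example, not part of the thread or of any Cisco tooling: it scans `debug crypto isakmp` output from each side for the `Old State = ... New State = ...` transitions, works out the highest main-mode message each side processed, and names the message and direction that was lost. The sample debug text is a constructed subset of the lines the posters quoted, with the peer addresses redacted as in the thread. It goes beyond the MM1/MM2 case here to any main-mode stall, and notes that a stall at MM5/MM6 cannot be told apart from a pre-shared-key mismatch by the state table alone.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample input: a subset of the 'debug crypto isakmp' lines quoted in the
# thread, ROUTERA as initiator and ROUTERB as responder (peer addresses were redacted there).
ROUTERA_DEBUG = """\
000106: *Aug 24 08:36:46.095 PCTime: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
000107: *Aug 24 08:36:46.095 PCTime: ISAKMP:(0): beginning Main Mode exchange
000112: *Aug 24 08:36:56.095 PCTime: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
000113: *Aug 24 08:36:56.095 PCTime: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
"""
ROUTERB_DEBUG = """\
000702: *Aug 27 08:28:04.382 PCTime: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
000715: *Aug 27 08:28:04.382 PCTime: ISAKMP:(0):atts are acceptable. Next payload is 0
000727: *Aug 27 08:28:04.386 PCTime: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM2
000729: *Aug 27 08:28:14.370 PCTime: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.
000770: *Aug 27 08:29:04.870 PCTime: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (R) MM_SA_SETUP (peer
000775: *Aug 27 08:29:04.870 PCTime: ISAKMP:(0):Old State = IKE_R_MM2 New State = IKE_DEST_SA
"""

_STATE = re.compile(r"Old State = (\S+) New State = (\S+)")
_MM = re.compile(r"IKE_([IR])_MM(\d)")      # IKE_I_MMn / IKE_R_MMn: main-mode message n handled
P1_COMPLETE = 7                              # one past MM6: IKE_P1_COMPLETE was reached


def furthest_state(debug: str) -> Tuple[Optional[str], int, int]:
    """Return (role, highest main-mode message this side processed, duplicate-packet count).

    Odd messages (MM1, MM3, MM5) are sent by the initiator, even ones by the responder,
    so IKE_I_MM1 means 'sent MM1', IKE_R_MM2 means 'got MM1 and sent MM2', and so on.
    """
    role, best, dups = None, 0, 0
    for line in debug.splitlines():
        m = _STATE.search(line)
        if m:
            for state in m.groups():
                mm = _MM.fullmatch(state)
                if mm:
                    role = "initiator" if mm.group(1) == "I" else "responder"
                    best = max(best, int(mm.group(2)))
                elif state == "IKE_P1_COMPLETE":
                    best = max(best, P1_COMPLETE)
        # A responder logging duplicates is seeing the initiator retransmit: the
        # initiator never got the reply to that message.
        if "phase 1 packet is a duplicate" in line:
            dups += 1
    return role, best, dups


def diagnose(initiator_debug: str, responder_debug: str) -> Dict[str, object]:
    """Name the main-mode message that went missing and in which direction."""
    _, i_mm, _ = furthest_state(initiator_debug)
    _, r_mm, r_dups = furthest_state(responder_debug)
    result: Dict[str, object] = {
        "initiator_mm": i_mm, "responder_mm": r_mm, "responder_duplicates": r_dups,
        "lost_message": None, "direction": None,
    }
    if max(i_mm, r_mm) >= P1_COMPLETE:
        result["hint"] = "phase 1 completed; troubleshoot phase 2 (crypto ACLs, transform set) instead"
    elif i_mm == r_mm == 0:
        result["hint"] = "no ISAKMP state on either side; check that interesting traffic hits the crypto map"
    elif i_mm == r_mm:
        # Both sides agree message k was delivered, so the receiver of k failed while
        # processing it (policy/attribute rejection), not the path.
        stuck = "responder" if i_mm % 2 else "initiator"
        result["hint"] = (f"MM{i_mm} arrived but the {stuck} never produced the next message: "
                          f"look for a rejected proposal in its debug, not a path problem")
    else:
        lost = max(i_mm, r_mm)                      # highest message anyone sent
        sender = "initiator" if lost % 2 else "responder"
        receiver = "responder" if sender == "initiator" else "initiator"
        hint = (f"MM{lost} was sent by the {sender} but never processed by the {receiver}: "
                f"UDP/500 is dropped or diverted in that direction (ISP filter, firewall, or a "
                f"NAT/port-forward of UDP/500 on the {receiver}'s outside interface)")
        if lost >= 5:
            hint += "; MM5/MM6 are encrypted, so a pre-shared-key mismatch looks the same as a lost packet here"
        result.update(lost_message=lost, direction=f"{sender} -> {receiver}", hint=hint)
    return result


if __name__ == "__main__":
    for k, v in diagnose(ROUTERA_DEBUG, ROUTERB_DEBUG).items():
        print(f"{k}: {v}")
```

On the two debugs from this thread it reports initiator at MM1, responder at MM2, one duplicate MM1 seen by the responder, and therefore MM2 lost in the responder-to-initiator direction, which is the same conclusion as the reply above, with the "diverted by a NAT/port-forward of UDP/500" possibility included alongside the ISP filter.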
08-27-2010 06:32 AM
Prapanch,
Thank you for following up. Below is the complete debug log when pinging from ROUTERA to ROUTERB. Do you have a recommended way of capturing the port 500 packets?
The connection at each site is DSL and the ISP has a bridged modem in front of the routers at each site. They swear there is no stateful packet inspection or port filtering/blocking. I might try talking with someone else there if we can prove it.
000695: *Aug 27 08:28:04.382 PCTime: ISAKMP (0): received packet from
000696: *Aug 27 08:28:04.382 PCTime: ISAKMP: Created a peer struct for
000697: *Aug 27 08:28:04.382 PCTime: ISAKMP: New peer created peer = 0x85192EEC peer_handle = 0x80000669
000698: *Aug 27 08:28:04.382 PCTime: ISAKMP: Locking peer struct 0x85192EEC, refcount 1 for crypto_isakmp_process_block
000699: *Aug 27 08:28:04.382 PCTime: ISAKMP: local port 500, remote port 500
000700: *Aug 27 08:28:04.382 PCTime: ISAKMP:(0):insert sa successfully sa = 86203154
000701: *Aug 27 08:28:04.382 PCTime: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
000702: *Aug 27 08:28:04.382 PCTime: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
000703: *Aug 27 08:28:04.382 PCTime: ISAKMP:(0): processing SA payload. message ID = 0
000704: *Aug 27 08:28:04.382 PCTime: ISAKMP:(0):found peer pre-shared key matching
000705: *Aug 27 08:28:04.382 PCTime: ISAKMP:(0): local preshared key found
000706: *Aug 27 08:28:04.382 PCTime: ISAKMP : Scanning profiles for xauth ...
000707: *Aug 27 08:28:04.382 PCTime: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
000708: *Aug 27 08:28:04.382 PCTime: ISAKMP: encryption AES-CBC
000709: *Aug 27 08:28:04.382 PCTime: ISAKMP: keylength of 128
000710: *Aug 27 08:28:04.382 PCTime: ISAKMP: hash SHA
000711: *Aug 27 08:28:04.382 PCTime: ISAKMP: default group 5
000712: *Aug 27 08:28:04.382 PCTime: ISAKMP: auth pre-share
000713: *Aug 27 08:28:04.382 PCTime: ISAKMP: life type in seconds
000714: *Aug 27 08:28:04.382 PCTime: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
000715: *Aug 27 08:28:04.382 PCTime: ISAKMP:(0):atts are acceptable. Next payload is 0
000716: *Aug 27 08:28:04.382 PCTime: ISAKMP:(0):Acceptable atts:actual life: 0
000717: *Aug 27 08:28:04.382 PCTime: ISAKMP:(0):Acceptable atts:life: 0
000718: *Aug 27 08:28:04.382 PCTime: ISAKMP:(0):Fill atts in sa vpi_length:4
000719: *Aug 27 08:28:04.382 PCTime: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
000720: *Aug 27 08:28:04.382 PCTime: ISAKMP:(0):Returning Actual lifetime: 86400
000721: *Aug 27 08:28:04.382 PCTime: ISAKMP:(0)::Started lifetime timer: 86400.
000722: *Aug 27 08:28:04.382 PCTime: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
000723: *Aug 27 08:28:04.382 PCTime: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1
000724: *Aug 27 08:28:04.386 PCTime: ISAKMP:(0): sending packet to
000725: *Aug 27 08:28:04.386 PCTime: ISAKMP:(0):Sending an IKE IPv4 Packet.
000726: *Aug 27 08:28:04.386 PCTime: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
000727: *Aug 27 08:28:04.386 PCTime: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM2
000728: *Aug 27 08:28:14.370 PCTime: ISAKMP (0): received packet from
000729: *Aug 27 08:28:14.370 PCTime: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.
000730: *Aug 27 08:28:14.370 PCTime: ISAKMP:(0): retransmitting due to retransmit phase 1
000731: *Aug 27 08:28:14.870 PCTime: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...
000732: *Aug 27 08:28:14.870 PCTime: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
000733: *Aug 27 08:28:14.870 PCTime: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP
000734: *Aug 27 08:28:14.870 PCTime: ISAKMP:(0): sending packet to
000735: *Aug 27 08:28:14.870 PCTime: ISAKMP:(0):Sending an IKE IPv4 Packet.
000736: *Aug 27 08:28:24.374 PCTime: ISAKMP (0): received packet from
000737: *Aug 27 08:28:24.374 PCTime: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.
000738: *Aug 27 08:28:24.374 PCTime: ISAKMP:(0): retransmitting due to retransmit phase 1
000739: *Aug 27 08:28:24.874 PCTime: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...
000740: *Aug 27 08:28:24.874 PCTime: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
000741: *Aug 27 08:28:24.874 PCTime: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP
000742: *Aug 27 08:28:24.874 PCTime: ISAKMP:(0): sending packet to
000743: *Aug 27 08:28:24.874 PCTime: ISAKMP:(0):Sending an IKE IPv4 Packet.
000744: *Aug 27 08:28:34.370 PCTime: ISAKMP (0): received packet from
000745: *Aug 27 08:28:34.370 PCTime: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.
000746: *Aug 27 08:28:34.370 PCTime: ISAKMP:(0): retransmitting due to retransmit phase 1
000747: *Aug 27 08:28:34.870 PCTime: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...
000748: *Aug 27 08:28:34.870 PCTime: ISAKMP (0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
000749: *Aug 27 08:28:34.870 PCTime: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP
000750: *Aug 27 08:28:34.870 PCTime: ISAKMP:(0): sending packet to
000751: *Aug 27 08:28:34.870 PCTime: ISAKMP:(0):Sending an IKE IPv4 Packet.
000752: *Aug 27 08:28:44.374 PCTime: ISAKMP (0): received packet from
000753: *Aug 27 08:28:44.374 PCTime: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.
000754: *Aug 27 08:28:44.374 PCTime: ISAKMP:(0): retransmitting due to retransmit phase 1
000755: *Aug 27 08:28:44.874 PCTime: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...
000756: *Aug 27 08:28:44.874 PCTime: ISAKMP (0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
000757: *Aug 27 08:28:44.874 PCTime: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP
000758: *Aug 27 08:28:44.874 PCTime: ISAKMP:(0): sending packet to
000759: *Aug 27 08:28:44.874 PCTime: ISAKMP:(0):Sending an IKE IPv4 Packet.
000760: *Aug 27 08:28:54.370 PCTime: ISAKMP (0): received packet from
000761: *Aug 27 08:28:54.370 PCTime: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.
000762: *Aug 27 08:28:54.370 PCTime: ISAKMP:(0): retransmitting due to retransmit phase 1
000763: *Aug 27 08:28:54.870 PCTime: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...
000764: *Aug 27 08:28:54.870 PCTime: ISAKMP (0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
000765: *Aug 27 08:28:54.870 PCTime: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP
000766: *Aug 27 08:28:54.870 PCTime: ISAKMP:(0): sending packet to
000767: *Aug 27 08:28:54.870 PCTime: ISAKMP:(0):Sending an IKE IPv4 Packet.
000768: *Aug 27 08:29:04.870 PCTime: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...
000769: *Aug 27 08:29:04.870 PCTime: ISAKMP:(0):peer does not do paranoid keepalives.
000770: *Aug 27 08:29:04.870 PCTime: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (R) MM_SA_SETUP (peer
000771: *Aug 27 08:29:04.870 PCTime: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (R) MM_SA_SETUP (peer
000772: *Aug 27 08:29:04.870 PCTime: ISAKMP: Unlocking peer struct 0x85192EEC for isadb_mark_sa_deleted(), count 0
000773: *Aug 27 08:29:04.870 PCTime: ISAKMP: Deleting peer node by peer_reap for
000774: *Aug 27 08:29:04.870 PCTime: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
000775: *Aug 27 08:29:04.870 PCTime: ISAKMP:(0):Old State = IKE_R_MM2 New State = IKE_DEST_SA
000776: *Aug 27 08:29:04.870 PCTime: IPSEC(key_engine): got a queue event with 1 KMI message(s)
000777: *Aug 27 08:30:04.870 PCTime: ISAKMP:(0):purging SA., sa=86203154, delme=86203154
08-27-2010 08:21 AM
Hi,
Looking at the debugs, my conclusion would be the same. Well, to capture packets on the routers, the only way I can think of is using the Embedded Packet Capture feature:
But you need to be running a version on which it is supported. Hope this helps!!
Regards,
Prapanch
08-30-2010 01:32 PM
Ok, so I put filters on the interface for isakmp and esp traffic. The isakmp traffic is incrementing but nothing from esp:
Extended IP access list 120
10 permit esp host
20 permit udp host
30 permit ip any any (1600060 matches)
Protocol [ip]:
Target IP address: 192.168.4.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 192.168.1.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.4.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
.....
Success rate is 0 percent (0/5)
Extended IP access list 120
10 permit esp host
20 permit udp host
30 permit ip any any (1600263 matches)
Extended IP access list 120
10 permit esp host
20 permit udp host
30 permit ip any any (2076362 matches)
Extended IP access list 120
10 permit esp host
20 permit udp host
30 permit ip any any (2076378 matches)
I contacted the ISP and they say something's wrong with the config. They won't say what but they'll gladly charge a huge fee to reconfigure it. Any other thoughts on what would cause the esp to not increment? Would the fact that I'm doing some port forwarding have anything to do with it?
08-26-2010 08:16 AM
Anyone have further thoughts? Still stumped on this one.
08-30-2010 01:46 PM
All fixed, there was a NAT entry forwarding port 500 which was messing it all up. After removing that everything came up properly.
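The root cause (the static NAT entries for UDP 500 and 4500 on FastEthernet4 hand inbound IKE to 192.168.1.3 before the router's own ISAKMP process sees it, so ROUTERB's MM2 reply never reaches ROUTERA's IKE) is the kind of thing a config check catches before the tunnel is ever brought up. The script below is an added example, not part of the thread: it parses a running-config excerpt for the interface the crypto map is applied to, the static NAT entries on that interface and the NAT/crypto ACL pair, and reports two things: any static NAT that forwards UDP/500 or UDP/4500 (or, generalizing, the whole address via a 1:1 static) to an inside host on the crypto-map interface, and any crypto-ACL flow that the overload NAT ACL fails to exempt (ACL 111 here does exempt it correctly). The config text is the relevant excerpt of ROUTERA's post with the placeholders left as the poster wrote them; the list of block-ending statements and the wording of the findings are the example's own assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# IKE and NAT-T ports: the router itself must receive these on the crypto-map interface.
IKE_PORTS = {("udp", "500"), ("udp", "4500")}

# Constructed sample input: the relevant lines of ROUTERA's posted config, placeholders
# left exactly as the poster wrote them (they are not parsed).
ROUTERA_CFG = """\
crypto isakmp key ****** address <ROUTERBADDRESS>
crypto map vpn 10 ipsec-isakmp
 set peer <ROUTERBADDRESS>
 set transform-set esp-aes-sha
 match address 101
interface FastEthernet4
 ip address <ROUTERAADDRESS> 255.255.255.248
 ip nat outside
 crypto map vpn
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
ip nat inside source static tcp 192.168.1.3 1723 interface FastEthernet4 1723
ip nat inside source static tcp 192.168.1.3 47 interface FastEthernet4 47
ip nat inside source static udp 192.168.1.3 500 interface FastEthernet4 500
ip nat inside source static udp 192.168.1.3 4500 interface FastEthernet4 4500
ip nat inside source list 111 interface FastEthernet4 overload
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 111 deny ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 111 permit ip 192.168.1.0 0.0.0.255 any
"""

# Top-level statements that end an 'interface' or 'crypto map' block when the config
# has lost its indentation (as pasted in the thread). Assumed list, enough for this check.
_BLOCK_END = re.compile(r"^(interface |ip nat inside source |ip route |access-list |"
                        r"crypto isakmp |crypto ipsec |crypto map \S+ \d+ |line |end$)")
_ACL = re.compile(r"access-list (\S+) (permit|deny) ip (host \S+|any|\S+ \S+) (host \S+|any|\S+ \S+)$")
_STATIC_PORT = re.compile(r"ip nat inside source static (tcp|udp) \S+ \d+ interface (\S+) (\d+)$")
_STATIC_HOST = re.compile(r"ip nat inside source static \S+ interface (\S+)$")
_OVERLOAD = re.compile(r"ip nat inside source list (\S+) interface (\S+) overload$")


@dataclass
class Cfg:
    crypto_map_iface: Dict[str, str] = field(default_factory=dict)   # crypto map -> interface
    crypto_acl: Dict[str, str] = field(default_factory=dict)         # crypto map -> ACL number
    nat_acl: Dict[str, str] = field(default_factory=dict)            # NAT ACL -> outside interface
    static_nat: List[Tuple[str, str, str]] = field(default_factory=list)   # (proto, port, interface)
    acls: Dict[str, List[Tuple[str, str, str]]] = field(default_factory=dict)  # ACL -> (action, src, dst)


def parse(text: str) -> Cfg:
    cfg, iface, cmap = Cfg(), None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = re.match(r"interface (\S+)$", line)
        if m:
            iface, cmap = m.group(1), None
            continue
        m = re.match(r"crypto map (\S+) \d+ ipsec-isakmp$", line)
        if m:
            cmap, iface = m.group(1), None
            continue
        if _BLOCK_END.match(line):
            iface = cmap = None
        if cmap:
            m = re.match(r"match address (\S+)$", line)
            if m:
                cfg.crypto_acl[cmap] = m.group(1)
            continue
        if iface:
            m = re.match(r"crypto map (\S+)$", line)
            if m:
                cfg.crypto_map_iface[m.group(1)] = iface
            continue
        if m := _STATIC_PORT.match(line):
            cfg.static_nat.append((m.group(1), m.group(3), m.group(2)))
        elif m := _STATIC_HOST.match(line):      # 1:1 static: every port, including ESP, goes inside
            cfg.static_nat.append(("ip", "*", m.group(1)))
        elif m := _OVERLOAD.match(line):
            cfg.nat_acl[m.group(1)] = m.group(2)
        elif m := _ACL.match(line):
            cfg.acls.setdefault(m.group(1), []).append((m.group(2), m.group(3), m.group(4)))
    return cfg


def audit(cfg: Cfg) -> List[str]:
    findings = []
    for cmap, iface in cfg.crypto_map_iface.items():
        # 1. Inbound IKE must reach the router's own ISAKMP process, not an inside host.
        for proto, port, nat_iface in cfg.static_nat:
            if nat_iface == iface and (proto == "ip" or (proto, port) in IKE_PORTS):
                findings.append(f"{iface}: static NAT forwards {proto}/{port} to an inside host, "
                                f"so crypto map {cmap} will never see the peer's IKE packets")
        # 2. Every crypto-ACL flow must be denied (exempted) in the overload NAT ACL,
        #    otherwise it is translated before it can match the crypto map.
        acl = cfg.crypto_acl.get(cmap)
        wanted = {(s, d) for a, s, d in cfg.acls.get(acl, []) if a == "permit"}
        for nat_acl, nat_iface in cfg.nat_acl.items():
            if nat_iface != iface:
                continue
            exempt = {(s, d) for a, s, d in cfg.acls.get(nat_acl, []) if a == "deny"}
            for s, d in sorted(wanted - exempt):
                findings.append(f"NAT ACL {nat_acl} does not exempt {s} -> {d} "
                                f"(crypto ACL {acl} expects it untranslated)")
    return findings


if __name__ == "__main__":
    for finding in audit(parse(ROUTERA_CFG)):
        print(finding)
```

Run against the excerpt it reports exactly the two UDP forwards that the thread ended up removing; with those two lines gone it reports nothing, and if the `deny` in ACL 111 is dropped it flags the missing NAT exemption instead.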