VPN AG_INIT_EXCH problem

binelipetrov
Level 1

Hi to all!! I have a strange problem with Remote VPN to an IOS router. Everything worked just fine until 2 days ago, and since then Remote VPN is not working. This is the debug crypto isakmp output, with AAA as the address of the remote PC. The config output of interest is shown below.

Phase 1 is not finished as it is supposed to be; it is stuck in AG_INIT_EXCH.

Aug 25 13:51:38.518: ISAKMP (0:0): received packet from AAA.AAA.AAA.AAA dport 500 sport 44736 Global (N) NEW SA
Aug 25 13:51:38.518: ISAKMP: Created a peer struct for AAA.AAA.AAA.AAA, peer port 44736
Aug 25 13:51:38.518: ISAKMP: New peer created peer = 0x461ADB20 peer_handle = 0x80000624
Aug 25 13:51:38.518: ISAKMP: Locking peer struct 0x461ADB20, refcount 1 for crypto_isakmp_process_block
Aug 25 13:51:38.518: ISAKMP:(0):Setting client config settings 44FBF74C
Aug 25 13:51:38.518: ISAKMP:(0):(Re)Setting client xauth list  and state
Aug 25 13:51:38.522: ISAKMP/xauth: initializing AAA request
Aug 25 13:51:38.522: ISAKMP: local port 500, remote port 44736
Aug 25 13:51:38.522: insert sa successfully sa = 44FC7DE0
Aug 25 13:51:38.522: ISAKMP:(0): processing SA payload. message ID = 0
Aug 25 13:51:38.522: ISAKMP:(0): processing ID payload. message ID = 0
Aug 25 13:51:38.522: ISAKMP (0:0): ID payload
        next-payload : 13
        type         : 11
        group id     : GROUP_ADMIN
        protocol     : 17
        port         : 500
        length       : 21
Aug 25 13:51:38.522: ISAKMP:(0):: peer matches *none* of the profiles
Aug 25 13:51:38.522: ISAKMP:(0): processing vendor id payload
Aug 25 13:51:38.522: ISAKMP:(0): vendor ID seems Unity/DPD but major 215 mismatch
Aug 25 13:51:38.522: ISAKMP:(0): vendor ID is XAUTH
Aug 25 13:51:38.526: ISAKMP:(0): processing vendor id payload
Aug 25 13:51:38.526: ISAKMP:(0): vendor ID is DPD
Aug 25 13:51:38.526: ISAKMP:(0): processing vendor id payload
Aug 25 13:51:38.526: ISAKMP:(0): vendor ID seems Unity/DPD but major 194 mismatch
Aug 25 13:51:38.526: ISAKMP:(0): processing vendor id payload
Aug 25 13:51:38.526: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
Aug 25 13:51:38.526: ISAKMP:(0): vendor ID is NAT-T v2
Aug 25 13:51:38.526: ISAKMP:(0): processing vendor id payload
Aug 25 13:51:38.526: ISAKMP:(0): vendor ID is Unity
Aug 25 13:51:38.526: ISAKMP:(0): Authentication by xauth preshared
Aug 25 13:51:38.526: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
Aug 25 13:51:38.526: ISAKMP:      encryption AES-CBC
Aug 25 13:51:38.526: ISAKMP:      hash SHA
Aug 25 13:51:38.526: ISAKMP:      default group 2
Aug 25 13:51:38.526: ISAKMP:      auth XAUTHInitPreShared
Aug 25 13:51:38.526: ISAKMP:      life type in seconds
Aug 25 13:51:38.526: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Aug 25 13:51:38.526: ISAKMP:      keylength of 256
Aug 25 13:51:38.526: ISAKMP:(0):atts are acceptable. Next payload is 3
Aug 25 13:51:38.526: ISAKMP:(0): processing KE payload. message ID = 0
Aug 25 13:51:38.530: ISAKMP:(0): processing NONCE payload. message ID = 0
Aug 25 13:51:38.530: ISAKMP:(0): vendor ID is NAT-T v2
Aug 25 13:51:38.530: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
Aug 25 13:51:38.530: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_AM_AAA_AWAIT

Aug 25 13:51:38.538: ISAKMP:(5620): constructed NAT-T vendor-02 ID
Aug 25 13:51:38.538: ISAKMP:(5620):SA is doing pre-shared key authentication plus XAUTH using id type ID_IPV4_ADDR
Aug 25 13:51:38.538: ISAKMP (0:5620): ID payload
        next-payload : 10
        type         : 1
        address      : IP ADDRESS OF THE ROUTER INTERFACE FACING INTERNET

        protocol     : 17
        port         : 0
        length       : 12
Aug 25 13:51:38.538: ISAKMP:(5620):Total payload length: 12
Aug 25 13:51:38.538: ISAKMP:(5620): sending packet to AAA.AAA.AAA.AAA my_port 500 peer_port 44736 (R) AG_INIT_EXCH
Aug 25 13:51:38.538: ISAKMP:(5620):Sending an IKE IPv4 Packet.
Aug 25 13:51:38.542: ISAKMP:(5620):Input = IKE_MESG_FROM_AAA, PRESHARED_KEY_REPLY
Aug 25 13:51:38.542: ISAKMP:(5620):Old State = IKE_R_AM_AAA_AWAIT  New State = IKE_R_AM2
ug 25 13:51:43.390: ISAKMP (0:5620): received packet from AAA.AAA.AAA.AAA dport 500 sport 44736 Global (R) AG_INIT_EXCH
Aug 25 13:51:43.390: ISAKMP:(5620): phase 1 packet is a duplicate of a previous packet.
Aug 25 13:51:43.390: ISAKMP:(5620): retransmitting due to retransmit phase 1
Aug 25 13:51:43.890: ISAKMP:(5620): retransmitting phase 1 AG_INIT_EXCH...
Aug 25 13:51:43.890: ISAKMP (0:5620): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Aug 25 13:51:43.890: ISAKMP:(5620): retransmitting phase 1 AG_INIT_EXCH
Aug 25 13:51:43.890: ISAKMP:(5620): sending packet to AAA.AAA.AAA.AAA my_port 500 peer_port 44736 (R) AG_INIT_EXCH
Aug 25 13:51:43.890: ISAKMP:(5620):Sending an IKE IPv4 Packet.
Aug 25 13:51:48.527: ISAKMP (0:5620): received packet from AAA.AAA.AAA.AAA dport 500 sport 44736 Global (R) AG_INIT_EXCH
Aug 25 13:51:48.527: ISAKMP:(5620): phase 1 packet is a duplicate of a previous packet.
Aug 25 13:51:48.527: ISAKMP:(5620): retransmitting due to retransmit phase 1
Aug 25 13:51:49.027: ISAKMP:(5620): retransmitting phase 1 AG_INIT_EXCH...
Aug 25 13:51:49.027: ISAKMP (0:5620): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
Aug 25 13:51:49.027: ISAKMP:(5620): retransmitting phase 1 AG_INIT_EXCH
Aug 25 13:51:49.027: ISAKMP:(5620): sending packet to AAA.AAA.AAA.AAA my_port 500 peer_port 44736 (R) AG_INIT_EXCH
Aug 25 13:51:49.027: ISAKMP:(5620):Sending an IKE IPv4 Packet.
Aug 25 13:51:49.551: ISAKMP:(5604):purging node 587808772
Aug 25 13:51:53.523: ISAKMP (0:5620): received packet from AAA.AAA.AAA.AAA dport 500 sport 44736 Global (R) AG_INIT_EXCH
Aug 25 13:51:53.523: ISAKMP:(5620): phase 1 packet is a duplicate of a previous packet.
Aug 25 13:51:53.523: ISAKMP:(5620): retransmitting due to retransmit phase 1
Aug 25 13:51:54.023: ISAKMP:(5620): retransmitting phase 1 AG_INIT_EXCH...
Aug 25 13:51:54.023: ISAKMP (0:5620): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
Aug 25 13:51:54.023: ISAKMP:(5620): retransmitting phase 1 AG_INIT_EXCH
Aug 25 13:51:54.023: ISAKMP:(5620): sending packet to AAA.AAA.AAA.AAA my_port 500 peer_port 44736 (R) AG_INIT_EXCH

aaa authentication login vpn_logovanje group ACS local

aaa authorization network vpn_autorizacija local

crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
!
crypto isakmp policy 20
encr 3des
authentication pre-share
group 2

crypto isakmp client configuration group GROUP_ADMIN

key ***

dns BBB
pool mbadmin_adrese
max-users 5
max-logins 2

crypto ipsec transform-set kriptovanje_3DES esp-3des esp-sha-hmac
crypto ipsec transform-set kriptovanje_AES esp-aes 256 esp-sha-hmac
!
crypto dynamic-map mapa_AESi3DES 10
set transform-set kriptovanje_AES
reverse-route
crypto dynamic-map mapa_AESi3DES 20
set transform-set kriptovanje_3DES
reverse-route
!
!
!
!
crypto map CryMap_RA client authentication list vpn_logovanje
crypto map CryMap_RA isakmp authorization list vpn_autorizacija
crypto map CryMap_RA client configuration address respond
crypto map CryMap_RA 10 ipsec-isakmp dynamic mapa_AESi3DES

Int f 0/0

crypto map CryMap_RA

The router has two links to the Internet. One link, ISP1, is dedicated to receiving VPN packets (backup link, no other traffic), and the other, ISP2, is dedicated to Internet access. A traceroute to the AAA.AAA.AAA.AAA address (VPN client) goes through the ISP2 link, but the AAA address is a public address and there is no IOS FW configured on the router, so that should not be a problem.

Thanks in advance

Vlada

4 Replies

binelipetrov
Level 1

12.4(15)T1 IOS version on 2811 router, and VPN client version 4.8.02.0010

praprama
Cisco Employee

Hi,

From the debugs it looks like the router is responding to the initial packet from the VPN client but the client never receives this packet. We can see the VPN client continuously re-transmitting the initial exchange.

Aug 25 13:51:38.538: ISAKMP:(5620):Sending an IKE IPv4 Packet.

Aug 25 13:51:38.542: ISAKMP:(5620):Old State = IKE_R_AM_AAA_AWAIT  New State = IKE_R_AM2

ug 25 13:51:43.390: ISAKMP (0:5620): received packet from AAA.AAA.AAA.AAA dport 500 sport 44736 Global (R) AG_INIT_EXCH
Aug 25 13:51:43.390: ISAKMP:(5620): phase 1 packet is a duplicate of a previous packet.
Aug 25 13:51:43.390: ISAKMP:(5620): retransmitting due to retransmit phase 1

I would suggest you check with the ISP and see if UDP port 500 is blocked somewhere between the router's IP and the client's IP.

As a workaround, you can also try enabling IPsec over TCP (cTCP) on the router and specifying on the VPN client to connect using TCP:

http://www.cisco.com/en/US/docs/ios/12_2t/12_2t8/feature/guide/ftunity.html#wp1305478

Hope this helps! Let me know how it goes. All the best.

Regards,

Prapanch
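As an added illustration (not part of Prapanch's reply and not code from the poster's router), here is a small Python checker that reads debug crypto isakmp output and flags the pattern described above: the responder keeps sending its (R) AG_INIT_EXCH reply while the client's first packet keeps arriving as a duplicate, which means the reply is not getting back to the client. The sample lines are constructed on the model of the thread's debug, and 198.51.100.7 is a documentation-range placeholder for the client address.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the thread's "debug crypto isakmp" lines
# (198.51.100.7 is a documentation-range placeholder for the client's address).
SAMPLE_DEBUG = """\
Aug 25 13:51:38.538: ISAKMP:(5620): sending packet to 198.51.100.7 my_port 500 peer_port 44736 (R) AG_INIT_EXCH
Aug 25 13:51:43.390: ISAKMP (0:5620): received packet from 198.51.100.7 dport 500 sport 44736 Global (R) AG_INIT_EXCH
Aug 25 13:51:43.390: ISAKMP:(5620): phase 1 packet is a duplicate of a previous packet.
Aug 25 13:51:43.890: ISAKMP (0:5620): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Aug 25 13:51:43.890: ISAKMP:(5620): sending packet to 198.51.100.7 my_port 500 peer_port 44736 (R) AG_INIT_EXCH
Aug 25 13:51:48.527: ISAKMP (0:5620): received packet from 198.51.100.7 dport 500 sport 44736 Global (R) AG_INIT_EXCH
Aug 25 13:51:48.527: ISAKMP:(5620): phase 1 packet is a duplicate of a previous packet.
Aug 25 13:51:49.027: ISAKMP (0:5620): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
"""

SA_RE = re.compile(r"ISAKMP:?\s?\((?:0:)?(\d+)\)")  # "ISAKMP:(5620)" or "ISAKMP (0:5620)"
SENT_RE = re.compile(r"sending packet to (\S+) .*\(R\) AG_INIT_EXCH")
DUP_RE = re.compile(r"phase 1 packet is a duplicate")
ATTEMPT_RE = re.compile(r"incrementing error counter on sa, attempt (\d+) of (\d+)")


def analyze(debug_text):
    """Per ISAKMP SA: how often the responder sent its AG_INIT_EXCH reply and how
    often the peer's first packet came back as a duplicate (i.e. the peer retried)."""
    stats = defaultdict(lambda: {"peer": None, "replies_sent": 0,
                                 "dups_received": 0, "attempt": 0, "of": 0})
    for line in debug_text.splitlines():
        m = SA_RE.search(line)
        if not m:
            continue
        s = stats[m.group(1)]
        if sent := SENT_RE.search(line):
            s["peer"], s["replies_sent"] = sent.group(1), s["replies_sent"] + 1
        elif DUP_RE.search(line):
            s["dups_received"] += 1
        elif att := ATTEMPT_RE.search(line):
            s["attempt"], s["of"] = int(att.group(1)), int(att.group(2))
    return dict(stats)


def diagnose(debug_text):
    """Verdict for every SA where the responder re-sent (R) AG_INIT_EXCH while the
    same first packet kept arriving as a duplicate: the reply never reached the peer."""
    verdicts = {}
    for sa, s in analyze(debug_text).items():
        if s["replies_sent"] and s["dups_received"]:
            verdicts[sa] = (f"reply to {s['peer']} sent {s['replies_sent']}x, peer resent its first "
                            f"packet {s['dups_received']}x (retry {s['attempt']}/{s['of']}): "
                            "return path on UDP 500 likely blocked or sent out the wrong link")
    return verdicts
```

An SA that completes Phase 1 produces no verdict, so an empty result means no stuck aggressive-mode exchange was seen in the debug.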

After solving this problem, I noticed a strange problem. I have applied local policy routing for ESP and ISAKMP packets, but after transferring the packet to the tunnel and encapsulating it with the public IP address header, the router was looking at the IP routing table and not at local policy routing, and I could not get any encapsulated packet in the right direction because the routing table is showing something else, no matter what the local policy routing route-map says.

Do you remember the solution to the original problem?
