10-24-2013 10:45 PM
Hi,
I have configured simple Site to Site VPN connectivity, but the connection is not establishing.
The Tunnel interface is also showing down.
Below is the config on my router CISCO3945:
crypto isakmp policy 2
encr 3des
authentication pre-share
group 2
lifetime 3600
crypto isakmp key ********* address 115.249.217.155
!
!
crypto ipsec transform-set IMLFEED esp-3des esp-sha-hmac
crypto map IML 1 ipsec-isakmp
set peer 115.249.217.155
set transform-set IMLFEED
match address 140
interface GigabitEthernet0/0
description ***** LAN *****
ip address 10.7.115.6 255.255.255.252
ip pim sparse-mode
duplex auto
speed auto
!
interface GigabitEthernet0/1
description ***** Connected to Reliance Internet *****
ip address 115.254.106.165 255.255.255.252
duplex auto
speed auto
crypto map IML
ip route 0.0.0.0 0.0.0.0 115.254.106.166
!
access-list 140 permit gre host 115.254.106.165 host 115.249.217.155
Config on remote (Linux-based VPN):
$ cat /etc/ipsec.conf
conn bse
auto=start
type=transport
authby=secret
ike=3des-sha1-modp1024 #3des group2
ikelifetime=8h
esp=3des-sha1
keylife=1h
pfs=no
###our gateway
left=115.249.217.155
leftnexthop=115.249.217.153
leftsubnet=10.0.0.0/16
leftsourceip=10.7.121.2
###remote peer
right=115.254.106.165
rightnexthop=10.0.5.1
rightnexthop=10.7.121.1
rightsubnet=10.7.121.4/30
rightsourceip=10.7.121.1
rightprotoport=47
Below is the output on my router CISCO3945:
ZL1VPN-C3945#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
115.249.217.155 115.254.106.165 MM_NO_STATE 0 ACTIVE
IPv6 Crypto ISAKMP SA
ZL1VPN-C3945#sh crypto session
Crypto session current status
Interface: GigabitEthernet0/1
Session status: DOWN-NEGOTIATING
Peer: 115.249.217.155 port 500
IKEv1 SA: local 115.254.106.165/500 remote 115.249.217.155/500 Inactive
IKEv1 SA: local 115.254.106.165/500 remote 115.249.217.155/500 Inactive
IPSEC FLOW: permit 47 host 115.254.106.165 host 115.249.217.155
Active SAs: 0, origin: crypto map
And also the debug on my router CISCO3945:
*********************************************************************************************************************
Oct 24 13:55:26.713: ISAKMP: set new node 0 to QM_IDLE
Oct 24 13:55:26.713: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 246B1E0
Oct 24 13:55:26.713: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
Oct 24 13:55:26.713: ISAKMP:(0):found peer pre-shared key matching 115.249.217.155
Oct 24 13:55:26.713: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
Oct 24 13:55:26.713: ISAKMP:(0): constructed NAT-T vendor-07 ID
Oct 24 13:55:26.713: ISAKMP:(0): constructed NAT-T vendor-03 ID
Oct 24 13:55:26.713: ISAKMP:(0): constructed NAT-T vendor-02 ID
Oct 24 13:55:26.713: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Oct 24 13:55:26.713: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
Oct 24 13:55:26.713: ISAKMP:(0): beginning Main Mode exchange
Oct 24 13:55:26.713: ISAKMP:(0): sending packet to 115.249.217.155 my_port 500 peer_port 500 (I) MM_NO_STATE
Oct 24 13:55:26.713: ISAKMP:(0):Sending an IKE IPv4 Packet.
Oct 24 13:55:26.749: ISAKMP (0): received packet from 115.249.217.155 dport 500 sport 500 Global (I) MM_NO_STATE
Oct 24 13:55:26.749: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Oct 24 13:55:26.749: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2
Oct 24 13:55:26.749: ISAKMP:(0): processing SA payload. message ID = 0
Oct 24 13:55:26.749: ISAKMP:(0): processing vendor id payload
Oct 24 13:55:26.749: ISAKMP:(0): vendor ID seems Unity/DPD but major 0 mismatch
Oct 24 13:55:26.749: ISAKMP:(0): processing vendor id payload
Oct 24 13:55:26.749: ISAKMP:(0): vendor ID is DPD
Oct 24 13:55:26.749: ISAKMP:(0):found peer pre-shared key matching 115.249.217.155
Oct 24 13:55:26.749: ISAKMP:(0): local preshared key found
Oct 24 13:55:26.749: ISAKMP : Scanning profiles for xauth ...
Oct 24 13:55:26.749: ISAKMP:(0):Checking ISAKMP transform 1 against priority 2 policy
Oct 24 13:55:26.749: ISAKMP: encryption 3DES-CBC
Oct 24 13:55:26.749: ISAKMP: hash SHA
Oct 24 13:55:26.749: ISAKMP: default group 2
Oct 24 13:55:26.749: ISAKMP: auth pre-share
Oct 24 13:55:26.749: ISAKMP: life type in seconds
Oct 24 13:55:26.749: ISAKMP: life duration (basic) of 3600
Oct 24 13:55:26.749: ISAKMP:(0):atts are acceptable. Next payload is 0
Oct 24 13:55:26.749: ISAKMP:(0):Acceptable atts:actual life: 0
Oct 24 13:55:26.749: ISAKMP:(0):Acceptable atts:life: 0
Oct 24 13:55:26.749: ISAKMP:(0):Basic life_in_seconds:3600
Oct 24 13:55:26.749: ISAKMP:(0):Returning Actual lifetime: 3600
Oct 24 13:55:26.749: ISAKMP:(0)::Started lifetime timer: 3600.
Oct 24 13:55:26.749: ISAKMP:(0): processing vendor id payload
Oct 24 13:55:26.749: ISAKMP:(0): vendor ID seems Unity/DPD but major 0 mismatch
Oct 24 13:55:26.749: ISAKMP:(0): processing vendor id payload
Oct 24 13:55:26.749: ISAKMP:(0): vendor ID is DPD
Oct 24 13:55:26.749: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Oct 24 13:55:26.749: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2
Oct 24 13:55:26.749: ISAKMP:(0): sending packet to 115.249.217.155 my_port 500 peer_port 500 (I) MM_SA_SETUP
Oct 24 13:55:26.749: ISAKMP:(0):Sending an IKE IPv4 Packet.
Oct 24 13:55:26.749: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Oct 24 13:55:26.749: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3
Oct 24 13:55:26.789: ISAKMP (0): received packet from 115.249.217.155 dport 500 sport 500 Global (I) MM_SA_SETUP
Oct 24 13:55:26.789: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Oct 24 13:55:26.789: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4
Oct 24 13:55:26.789: ISAKMP:(0): processing KE payload. message ID = 0
Oct 24 13:55:26.789: ISAKMP:(0): processing NONCE payload. message ID = 0
Oct 24 13:55:26.789: ISAKMP:(0):found peer pre-shared key matching 115.249.217.155
Oct 24 13:55:26.789: ISAKMP:(9145):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Oct 24 13:55:26.789: ISAKMP:(9145):Old State = IKE_I_MM4 New State = IKE_I_MM4
Oct 24 13:55:26.789: ISAKMP:(9145):Send initial contact
Oct 24 13:55:26.789: ISAKMP:(9145):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
Oct 24 13:55:26.789: ISAKMP (9145): ID payload
next-payload : 8
type : 1
address : 115.254.106.165
protocol : 17
port : 500
length : 12
Oct 24 13:55:26.789: ISAKMP:(9145):Total payload length: 12
Oct 24 13:55:26.789: ISAKMP:(9145): sending packet to 115.249.217.155 my_port 500 peer_port 500 (I) MM_KEY_EXCH
Oct 24 13:55:26.789: ISAKMP:(9145):Sending an IKE IPv4 Packet.
Oct 24 13:55:26.789: ISAKMP:(9145):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Oct 24 13:55:26.789: ISAKMP:(9145):Old State = IKE_I_MM4 New State = IKE_I_MM5
Oct 24 13:55:26.829: ISAKMP (9145): received packet from 115.249.217.155 dport 500 sport 500 Global (I) MM_KEY_EXCH
Oct 24 13:55:26.829: ISAKMP:(9145): processing ID payload. message ID = 0
Oct 24 13:55:26.829: ISAKMP (9145): ID payload
next-payload : 8
type : 1
address : 115.249.217.155
protocol : 0
port : 0
length : 12
Oct 24 13:55:26.829: ISAKMP:(0):: peer matches *none* of the profiles
Oct 24 13:55:26.829: ISAKMP:(9145): processing HASH payload. message ID = 0
Oct 24 13:55:26.829: ISAKMP:(9145): processing vendor id payload
Oct 24 13:55:26.829: ISAKMP:(9145): vendor ID seems Unity/DPD but major 126 mismatch
Oct 24 13:55:26.829: ISAKMP:(9145):SA authentication status:
authenticated
Oct 24 13:55:26.829: ISAKMP:(9145):SA has been authenticated with 115.249.217.155
Oct 24 13:55:26.829: ISAKMP: Trying to insert a peer 115.254.106.165/115.249.217.155/500/, and inserted successfully 1448A954.
Oct 24 13:55:26.829: ISAKMP:(9145):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Oct 24 13:55:26.829: ISAKMP:(9145):Old State = IKE_I_MM5 New State = IKE_I_MM6
Oct 24 13:55:26.829: ISAKMP:(9145):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Oct 24 13:55:26.829: ISAKMP:(9145):Old State = IKE_I_MM6 New State = IKE_I_MM6
Oct 24 13:55:26.829: ISAKMP:(9145):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Oct 24 13:55:26.829: ISAKMP:(9145):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
Oct 24 13:55:26.829: ISAKMP:(9145):beginning Quick Mode exchange, M-ID of 750208415
Oct 24 13:55:26.829: ISAKMP:(9145):QM Initiator gets spi
Oct 24 13:55:26.829: ISAKMP:(9145): sending packet to 115.249.217.155 my_port 500 peer_port 500 (I) QM_IDLE
Oct 24 13:55:26.829: ISAKMP:(9145):Sending an IKE IPv4 Packet.
Oct 24 13:55:26.829: ISAKMP:(9145):Node 750208415, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
Oct 24 13:55:26.829: ISAKMP:(9145):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
Oct 24 13:55:26.829: ISAKMP:(9145):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Oct 24 13:55:26.829: ISAKMP:(9145):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Oct 24 13:55:26.841: ISAKMP:(9143):purging SA., sa=12559218, delme=12559218
Oct 24 13:55:26.865: ISAKMP (9145): received packet from 115.249.217.155 dport 500 sport 500 Global (I) QM_IDLE
Oct 24 13:55:26.865: ISAKMP: set new node -1203004786 to QM_IDLE
Oct 24 13:55:26.865: ISAKMP:(9145): processing HASH payload. message ID = 3091962510
Oct 24 13:55:26.865: ISAKMP:(9145): processing NOTIFY INVALID_ID_INFO protocol 1
spi 0, message ID = 3091962510, sa = 0x246B1E0
Oct 24 13:55:26.865: ISAKMP:(9145):peer does not do paranoid keepalives.
Oct 24 13:55:26.865: ISAKMP:(9145):deleting SA reason "Recevied fatal informational" state (I) QM_IDLE (peer 115.249.217.155)
Oct 24 13:55:26.865: ISAKMP:(9145):deleting node -1203004786 error FALSE reason "Informational (in) state 1"
Oct 24 13:55:26.865: ISAKMP:(9145):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Oct 24 13:55:26.865: ISAKMP:(9145):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Oct 24 13:55:26.865: ISAKMP: set new node 809050989 to QM_IDLE
Oct 24 13:55:26.865: ISAKMP:(9145): sending packet to 115.249.217.155 my_port 500 peer_port 500 (I) QM_IDLE
Oct 24 13:55:26.865: ISAKMP:(9145):Sending an IKE IPv4 Packet.
Oct 24 13:55:26.865: ISAKMP:(9145):purging node 809050989
Oct 24 13:55:26.865: ISAKMP:(9145):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Oct 24 13:55:26.865: ISAKMP:(9145):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA
Oct 24 13:55:26.865: ISAKMP:(9145):deleting SA reason "Recevied fatal informational" state (I) QM_IDLE (peer 115.249.217.155)
Oct 24 13:55:26.865: ISAKMP: Unlocking peer struct 0x1448A954 for isadb_mark_sa_deleted(), count 0
Oct 24 13:55:26.865: ISAKMP: Deleting peer node by peer_reap for 115.249.217.155: 1448A954
Oct 24 13:55:26.865: ISAKMP:(9145):deleting node 750208415 error FALSE reason "IKE deleted"
Oct 24 13:55:26.865: ISAKMP:(9145):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Oct 24 13:55:26.865: ISAKMP:(9145):Old State = IKE_DEST_SA New State = IKE_DEST_SA
Oct 24 13:55:26.865: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Oct 24 13:55:26.901: ISAKMP (9145): received packet from 115.249.217.155 dport 500 sport 500 Global (I) MM_NO_STATE
Oct 24 13:55:35.921: ISAKMP (0): received packet from 115.249.217.155 dport 500 sport 500 Global (N) NEW SA
Oct 24 13:55:35.921: ISAKMP: Created a peer struct for 115.249.217.155, peer port 500
Oct 24 13:55:35.921: ISAKMP: New peer created peer = 0x1448A954 peer_handle = 0x80000093
Oct 24 13:55:35.921: ISAKMP: Locking peer struct 0x1448A954, refcount 1 for crypto_isakmp_process_block
Oct 24 13:55:35.921: ISAKMP: local port 500, remote port 500
Oct 24 13:55:35.921: ISAKMP:(0):insert sa successfully sa = 12559218
Oct 24 13:55:35.921: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Oct 24 13:55:35.921: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
Oct 24 13:55:35.925: ISAKMP:(0): processing SA payload. message ID = 0
Oct 24 13:55:35.925: ISAKMP:(0): processing vendor id payload
Oct 24 13:55:35.925: ISAKMP:(0): vendor ID seems Unity/DPD but major 0 mismatch
Oct 24 13:55:35.925: ISAKMP:(0): processing vendor id payload
Oct 24 13:55:35.925: ISAKMP:(0): vendor ID is DPD
Oct 24 13:55:35.925: ISAKMP:(0):found peer pre-shared key matching 115.249.217.155
Oct 24 13:55:35.925: ISAKMP:(0): local preshared key found
Oct 24 13:55:35.925: ISAKMP : Scanning profiles for xauth ...
Oct 24 13:55:35.925: ISAKMP:(0):Checking ISAKMP transform 0 against priority 2 policy
Oct 24 13:55:35.925: ISAKMP: life type in seconds
Oct 24 13:55:35.925: ISAKMP: life duration (basic) of 3600
Oct 24 13:55:35.925: ISAKMP: encryption 3DES-CBC
Oct 24 13:55:35.925: ISAKMP: hash SHA
Oct 24 13:55:35.925: ISAKMP: auth pre-share
Oct 24 13:55:35.925: ISAKMP: default group 2
Oct 24 13:55:35.925: ISAKMP:(0):atts are acceptable. Next payload is 0
Oct 24 13:55:35.925: ISAKMP:(0):Acceptable atts:actual life: 0
Oct 24 13:55:35.925: ISAKMP:(0):Acceptable atts:life: 0
Oct 24 13:55:35.925: ISAKMP:(0):Basic life_in_seconds:3600
Oct 24 13:55:35.925: ISAKMP:(0):Returning Actual lifetime: 3600
Oct 24 13:55:35.925: ISAKMP:(0)::Started lifetime timer: 3600.
Oct 24 13:55:35.925: ISAKMP:(0): processing vendor id payload
Oct 24 13:55:35.925: ISAKMP:(0): vendor ID seems Unity/DPD but major 0 mismatch
Oct 24 13:55:35.925: ISAKMP:(0): processing vendor id payload
Oct 24 13:55:35.925: ISAKMP:(0): vendor ID is DPD
Oct 24 13:55:35.925: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Oct 24 13:55:35.925: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1
Oct 24 13:55:35.925: ISAKMP:(0): sending packet to 115.249.217.155 my_port 500 peer_port 500 (R) MM_SA_SETUP
Oct 24 13:55:35.925: ISAKMP:(0):Sending an IKE IPv4 Packet.
Oct 24 13:55:35.925: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Oct 24 13:55:35.925: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM2
Oct 24 13:55:35.961: ISAKMP (0): received packet from 115.249.217.155 dport 500 sport 500 Global (R) MM_SA_SETUP
Oct 24 13:55:35.961: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Oct 24 13:55:35.961: ISAKMP:(0):Old State = IKE_R_MM2 New State = IKE_R_MM3
Oct 24 13:55:35.961: ISAKMP:(0): processing KE payload. message ID = 0
Oct 24 13:55:35.965: ISAKMP:(0): processing NONCE payload. message ID = 0
Oct 24 13:55:35.965: ISAKMP:(0):found peer pre-shared key matching 115.249.217.155
Oct 24 13:55:35.965: ISAKMP:(9146):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Oct 24 13:55:35.965: ISAKMP:(9146):Old State = IKE_R_MM3 New State = IKE_R_MM3
Oct 24 13:55:35.965: ISAKMP:(9146): sending packet to 115.249.217.155 my_port 500 peer_port 500 (R) MM_KEY_EXCH
Oct 24 13:55:35.965: ISAKMP:(9146):Sending an IKE IPv4 Packet.
Oct 24 13:55:35.965: ISAKMP:(9146):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Oct 24 13:55:35.965: ISAKMP:(9146):Old State = IKE_R_MM3 New State = IKE_R_MM4
Oct 24 13:55:36.005: ISAKMP (9146): received packet from 115.249.217.155 dport 500 sport 500 Global (R) MM_KEY_EXCH
Oct 24 13:55:36.005: ISAKMP:(9146):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Oct 24 13:55:36.005: ISAKMP:(9146):Old State = IKE_R_MM4 New State = IKE_R_MM5
Oct 24 13:55:36.005: ISAKMP:(9146): processing ID payload. message ID = 0
Oct 24 13:55:36.005: ISAKMP (9146): ID payload
next-payload : 8
type : 1
address : 115.249.217.155
protocol : 0
port : 0
length : 12
Oct 24 13:55:36.005: ISAKMP:(0):: peer matches *none* of the profiles
Oct 24 13:55:36.005: ISAKMP:(9146): processing HASH payload. message ID = 0
Oct 24 13:55:36.005: ISAKMP:(9146):SA authentication status:
authenticated
Oct 24 13:55:36.005: ISAKMP:(9146):SA has been authenticated with 115.249.217.155
Oct 24 13:55:36.005: ISAKMP: Trying to insert a peer 115.254.106.165/115.249.217.155/500/, and inserted successfully 1448A954.
Oct 24 13:55:36.005: ISAKMP:(9146):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Oct 24 13:55:36.005: ISAKMP:(9146):Old State = IKE_R_MM5 New State = IKE_R_MM5
Oct 24 13:55:36.005: ISAKMP:(9146):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
Oct 24 13:55:36.005: ISAKMP (9146): ID payload
next-payload : 8
type : 1
address : 115.254.106.165
protocol : 17
port : 500
length : 12
Oct 24 13:55:36.005: ISAKMP:(9146):Total payload length: 12
Oct 24 13:55:36.005: ISAKMP:(9146): sending packet to 115.249.217.155 my_port 500 peer_port 500 (R) MM_KEY_EXCH
Oct 24 13:55:36.005: ISAKMP:(9146):Sending an IKE IPv4 Packet.
Oct 24 13:55:36.005: ISAKMP:(9146):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Oct 24 13:55:36.005: ISAKMP:(9146):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
Oct 24 13:55:36.005: ISAKMP:(9146):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Oct 24 13:55:36.005: ISAKMP:(9146):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
***********************************************************************************************************************************************
Any kind of help is appreciated...
Thanks.
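A triage aid for debug output like the one in the post above, added here as an example and not part of the original post: it groups the ISAKMP debug lines by conn-id and reports how far each SA got. The function names and verdict strings are assumptions of this example; the sample lines are excerpted from the posted debug, and IKE_QM_PHASE2_COMPLETE is the state IOS logs when Quick Mode finishes.

```python
import re
from collections import defaultdict

# Lines excerpted from the debug output in the post above (SAs 9145 and 9146).
SAMPLE = """\
Oct 24 13:55:26.713: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
Oct 24 13:55:26.829: ISAKMP:(9145):SA has been authenticated with 115.249.217.155
Oct 24 13:55:26.829: ISAKMP:(9145):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
Oct 24 13:55:26.829: ISAKMP:(9145):beginning Quick Mode exchange, M-ID of 750208415
Oct 24 13:55:26.865: ISAKMP:(9145): processing NOTIFY INVALID_ID_INFO protocol 1
Oct 24 13:55:26.865: ISAKMP:(9145):deleting SA reason "Recevied fatal informational" state (I) QM_IDLE
Oct 24 13:55:36.005: ISAKMP:(9146):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
"""

# Matches "ISAKMP:(9145):", "ISAKMP (9145):" and "ISAKMP:(0)::" prefixes.
PREFIX = re.compile(r"ISAKMP\s*:?\s*\((\d+)\)\s*:+\s*(.*)")
STATE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
NOTIFY = re.compile(r"processing NOTIFY (\S+)")
DELETE = re.compile(r'deleting SA reason "([^"]+)"')


def summarize(log_text):
    """Return {conn_id: summary} for every numbered ISAKMP SA in the debug text."""
    sas = defaultdict(lambda: {"last_state": None, "p1_done": False,
                               "qm_started": False, "qm_done": False,
                               "notifies": [], "delete_reasons": []})
    for line in log_text.splitlines():
        m = PREFIX.search(line)
        # In the posted debug, early Main Mode lines carry (0) until a
        # conn-id is assigned, so (0) is skipped rather than treated as an SA.
        if not m or m.group(1) == "0":
            continue
        sa, msg = sas[int(m.group(1))], m.group(2)
        if (s := STATE.search(msg)):
            sa["last_state"] = s.group(2)
            sa["p1_done"] |= s.group(2) == "IKE_P1_COMPLETE"
            sa["qm_done"] |= s.group(2) == "IKE_QM_PHASE2_COMPLETE"
        elif "beginning Quick Mode exchange" in msg:
            sa["qm_started"] = True
        elif (n := NOTIFY.search(msg)):
            sa["notifies"].append(n.group(1))
        elif (d := DELETE.search(msg)) and d.group(1) not in sa["delete_reasons"]:
            sa["delete_reasons"].append(d.group(1))
    return dict(sas)


def verdict(sa):
    """One-line reading of a summary produced by summarize()."""
    if sa["qm_done"]:
        return "phase 2 completed"
    if sa["p1_done"] and sa["notifies"]:
        return "phase 1 OK, peer rejected phase 2: " + ", ".join(sa["notifies"])
    if sa["p1_done"]:
        return "phase 1 OK, no phase 2 result logged"
    return "phase 1 incomplete (last state %s)" % sa["last_state"]


if __name__ == "__main__":
    for conn_id, sa in sorted(summarize(SAMPLE).items()):
        print(conn_id, verdict(sa), sa["delete_reasons"])
```

An INVALID_ID_INFO notify received right after Quick Mode starts is the peer refusing the phase 2 identities (traffic selectors) it was offered, so the crypto ACL on the router and the subnet/protoport lines of the peer's conn definition are the settings to compare next.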
10-25-2013 01:14 AM
Is there really a need for GRE? Any logs from the linux box?
Michael
Please rate all helpful posts
10-25-2013 03:48 AM
Hi,
Yes, we required GRE for multicast traffic.
Below is the capture from Linux:
[hss@trinity ~ ]$ sudo iptunnel show
gre0: gre/ip remote any local any ttl inherit nopmtudisc
bsetun: gre/ip remote 115.254.106.165 local 115.249.217.155 dev em2 ttl 255
[hss@trinity ~ ]$ sudo ifconfig
bsetun Link encap:UNSPEC HWaddr 73-F9-D9-9B-FF-FF-80-CD-00-00-00-00-00-00-00-00
inet addr:10.7.121.2 P-t-P:10.7.121.1 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1420 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:40 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:6080 (5.9 KiB)
Also, we are getting these logs on the Cisco:
%CRYPTO-4-IKMP_NO_SA: IKE message from 115.249.217.155 has no SA and is not an initialization offer
The state is flapping between MM_NO_STATE and QM_IDLE.
ZL1VPN-C3945#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
115.249.217.155 115.254.106.165 MM_NO_STATE 11235 ACTIVE (deleted)
115.254.106.165 115.249.217.155 MM_NO_STATE 11234 ACTIVE (deleted)
IPv6 Crypto ISAKMP SA
ZL1VPN-C3945#sh crypto session
Crypto session current status
Interface: GigabitEthernet0/1
Session status: DOWN-NEGOTIATING
Peer: 115.249.217.155 port 500
IKEv1 SA: local 115.254.106.165/500 remote 115.249.217.155/500 Inactive
IKEv1 SA: local 115.254.106.165/500 remote 115.249.217.155/500 Inactive
IPSEC FLOW: permit 47 host 115.254.106.165 host 115.249.217.155
Active SAs: 0, origin: crypto map
When we shut the Tunnel interface, the state keeps QM_IDLE status.
Thanks
Arjun