VPN site-to-site issues

Erik Jacobsen
Level 1

Hi,

I have now been troubleshooting for the last couple of days to get a VPN tunnel (site-to-site) up and running again (it has worked before).

But it is not working, whatever I have done:

Rebooted the site B router
Taken all configuration down on site A and B and up again
Debugging and show commands...

 

Here is the debug from site B (Cisco 1921):

006092: Jan 30 13:34:48 CET: ISAKMP:(0):purging SA., sa=302FE2F0, delme=302FE2F0
006093: Jan 30 13:34:49 CET: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
006094: Jan 30 13:34:49 CET: ISAKMP:(0):peer does not do paranoid keepalives.

006095: Jan 30 13:34:49 CET: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer x.x.x.x)
006096: Jan 30 13:34:49 CET: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer x.x.x.x)
006097: Jan 30 13:34:49 CET: ISAKMP: Unlocking peer struct 0x3126F7EC for isadb_mark_sa_deleted(), count 0
006098: Jan 30 13:34:49 CET: ISAKMP: Deleting peer node by peer_reap for x.x.x.x (public IP): 3126F7EC
006099: Jan 30 13:34:49 CET: ISAKMP:(0):deleting node 1176037716 error FALSE reason "IKE deleted"
006100: Jan 30 13:34:49 CET: ISAKMP:(0):deleting node -25181712 error FALSE reason "IKE deleted"
006101: Jan 30 13:34:49 CET: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
006102: Jan 30 13:34:49 CET: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_DEST_SA

006103: Jan 30 13:34:49 CET: IPSEC(key_engine): got a queue event with 1 KMI message(s)
006104: Jan 30 13:34:49 CET: IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= 10.80.239.116:0, remote= x.x.x.x:0,
    local_proxy= 10.54.73.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4)
006105: Jan 30 13:34:49 CET: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 10.80.239.116:500, remote= x.x.x.x:500,
    local_proxy= 10.54.73.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-md5-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
006106: Jan 30 13:34:49 CET: ISAKMP:(0): SA request profile is TC_profile
006107: Jan 30 13:34:49 CET: ISAKMP: Created a peer struct for x.x.x.x, peer port 500
006108: Jan 30 13:34:49 CET: ISAKMP: New peer created peer = 0x3126F7EC peer_handle = 0x800002E6
006109: Jan 30 13:34:49 CET: ISAKMP: Locking peer struct 0x3126F7EC, refcount 1 for isakmp_initiator
006110: Jan 30 13:34:49 CET: ISAKMP: local port 500, remote port 500
006111: Jan 30 13:34:49 CET: ISAKMP: set new node 0 to QM_IDLE
006112: Jan 30 13:34:49 CET: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 302FE2F0
006113: Jan 30 13:34:49 CET: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
006114: Jan 30 13:34:49 CET: ISAKMP:(0):Found ADDRESS key in keyring TC_keyring
006115: Jan 30 13:34:49 CET: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
006116: Jan 30 13:34:49 CET: ISAKMP:(0): constructed NAT-T vendor-07 ID
006117: Jan 30 13:34:49 CET: ISAKMP:(0): constructed NAT-T vendor-03 ID
006118: Jan 30 13:34:49 CET: ISAKMP:(0): constructed NAT-T vendor-02 ID
006119: Jan 30 13:34:49 CET: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
006120: Jan 30 13:34:49 CET: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1

I can ping and traceroute in both directions:

149999-002-rtr01#ping x.x.x.x source loopback 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to x.x.x.x, timeout is 2 seconds:
Packet sent with a source address of 10.80.239.116
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/8/8 ms
149999-002-rtr01#

And the other direction:

no-sfd6-VPN01#ping 10.80.239.116
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.80.239.116, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/9/10 ms
no-sfd6-VPN01#

We have a lot of VPNs terminated on the router no-sfd6-VPN01, and they work fine.

 

The configuration at site A (main site):

crypto map crypto 1750 ipsec-isakmp
 description 104290-XXX TEST lab
 set peer 10.80.239.116
 set transform-set 3des-md5
 set isakmp-profile 104290_TEST_access_profile_test
 match address TEST_lab_access-list
!
crypto isakmp profile 104290_TEST_access_profile_test
   vrf 104290_TEST_access
   keyring 104290_TEST_access_keyring_test
   match identity address 10.80.239.116 255.255.255.255
!
crypto keyring 104290_TEST_access_keyring_test
  pre-shared-key address 10.80.239.116 key xxxxxx
!
ip access-list extended hoegh_lab_access-list
 permit ip any 10.54.73.0 0.0.0.255
!
crypto ipsec transform-set 3des-md5 esp-3des esp-md5-hmac

 

The configuration at site B (1921 router):

crypto keyring TC_keyring
  pre-shared-key address x.x.x.x key xxxxxxx
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp profile TC_profile
   vrf 104290_TEST_access
   keyring TC_keyring
   match identity address x.x.x.x 255.255.255.255
!
!
crypto ipsec transform-set IKE-3DES-MD5 esp-3des esp-md5-hmac
!
crypto map TC_VPN local-address Loopback0
crypto map TC_VPN 1 ipsec-isakmp
 description Tunnel SF x.x.x.x
 set peer x.x.x.x
 set transform-set IKE-3DES-MD5
 set isakmp-profile TC_profile
 match address VPN

The crypto map is configured on the outbound interface.

 

149999-002-rtr01#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
x.x.x.x         10.80.239.116   MM_NO_STATE          0 ACTIVE
x.x.x.x         10.80.239.116   MM_NO_STATE          0 ACTIVE (deleted)

IPv6 Crypto ISAKMP SA

149999-002-rtr01#

And from site A:

no-sfd6-VPN01#show crypto isakmp sa vrf 104290_TEST_access
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.80.239.116   x.x.x.x         MM_NO_STATE          0 ACTIVE
10.80.239.116   x.x.x.x         MM_NO_STATE          0 ACTIVE (deleted)

IPv6 Crypto ISAKMP SA

no-sfd6-VPN01#
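Reading the debug above as a state machine rather than by eye: the only transitions are IKE_READY to IKE_I_MM1 to IKE_DEST_SA, the deletion reason is "Death by retransmission P1", and there is no "received packet from" line, i.e. the 1921 sent main-mode message 1 and never saw message 2. The following is an added example (not code from the thread or from Cisco) that parses a constructed, abbreviated copy of that debug and turns the pattern into a verdict; the initiator state list, the verdict names and the hint text are this example's own heuristics, not IOS messages.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: an abbreviated copy of the site B debug in the post.
SAMPLE_DEBUG = """\
006093: Jan 30 13:34:49 CET: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
006095: Jan 30 13:34:49 CET: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer x.x.x.x)
006102: Jan 30 13:34:49 CET: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_DEST_SA
006106: Jan 30 13:34:49 CET: ISAKMP:(0): SA request profile is TC_profile
006114: Jan 30 13:34:49 CET: ISAKMP:(0):Found ADDRESS key in keyring TC_keyring
006120: Jan 30 13:34:49 CET: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
"""

# IOS IKEv1 main-mode initiator states in exchange order. Odd MM states mean
# "we sent a message", even ones mean "we received the peer's reply".
INITIATOR_ORDER = ["IKE_READY", "IKE_I_MM1", "IKE_I_MM2", "IKE_I_MM3",
                   "IKE_I_MM4", "IKE_I_MM5", "IKE_I_MM6", "IKE_P1_COMPLETE"]

RE_TRANSITION = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
RE_RETRANSMIT = re.compile(r"retransmitting phase 1 (\S+)")
RE_DELETE = re.compile(r'deleting SA reason "([^"]+)" state \((\w)\) (\S+) \(peer (\S+)\)')
RE_PROFILE = re.compile(r"SA request profile is (\S+)")
RE_KEYRING = re.compile(r"Found \S+ key in keyring (\S+)")
RE_RECV = re.compile(r"received packet from (\S+)")


@dataclass
class IkeTrace:
    states_seen: list = field(default_factory=list)
    retransmits: int = 0
    deletions: list = field(default_factory=list)
    profile: Optional[str] = None
    keyring: Optional[str] = None
    received: int = 0          # packets the debug says arrived from the peer


def parse_debug(text: str) -> IkeTrace:
    """Extract state transitions, retransmits and SA deletions from the debug."""
    t = IkeTrace()
    for line in text.splitlines():
        if m := RE_TRANSITION.search(line):
            t.states_seen.extend(m.groups())
        elif RE_RETRANSMIT.search(line):
            t.retransmits += 1
        elif m := RE_DELETE.search(line):
            reason, role, state, peer = m.groups()
            t.deletions.append({"reason": reason, "role": role,
                                "state": state, "peer": peer})
        elif m := RE_PROFILE.search(line):
            t.profile = m.group(1)
        elif m := RE_KEYRING.search(line):
            t.keyring = m.group(1)
        elif RE_RECV.search(line):
            t.received += 1
    return t


def furthest_initiator_state(t: IkeTrace) -> str:
    reached = [s for s in t.states_seen if s in INITIATOR_ORDER]
    return max(reached, key=INITIATOR_ORDER.index, default="IKE_READY")


def diagnose(t: IkeTrace) -> dict:
    """Heuristic verdict (this example's own, not an IOS message)."""
    furthest = furthest_initiator_state(t)
    died_p1 = any("retransmission P1" in d["reason"] for d in t.deletions)
    if furthest == "IKE_I_MM1" and died_p1 and t.received == 0:
        verdict, hint = "phase1_no_reply", (
            "MM1 was sent and nothing came back before the retransmit limit. "
            "Run 'debug crypto isakmp' on the peer: if MM1 never arrives, "
            "UDP/500 is dropped on the path (ICMP reachability does not prove "
            "UDP/500 reachability); if it arrives and the peer stays silent, "
            "check the peer's keyring / profile match for this address.")
    elif furthest in ("IKE_I_MM2", "IKE_I_MM3", "IKE_I_MM4") and died_p1:
        verdict, hint = "phase1_died_after_reply", (
            "The peer answered MM1 but the exchange stalled later: compare "
            "ISAKMP policies, pre-shared keys and identities on both ends.")
    elif furthest == "IKE_P1_COMPLETE":
        verdict, hint = "phase1_ok", "Phase 1 completed; look at Quick Mode / phase 2."
    else:
        verdict, hint = "inconclusive", "Collect a longer debug."
    return {"verdict": verdict, "furthest_state": furthest,
            "retransmits": t.retransmits, "profile": t.profile,
            "keyring": t.keyring, "hint": hint}


if __name__ == "__main__":
    trace = parse_debug(SAMPLE_DEBUG)
    for k, v in diagnose(trace).items():
        print(f"{k}: {v}")
```

On the posted debug the verdict is phase1_no_reply. Both show crypto isakmp sa outputs in the post list the local address under src and the remote under dst with MM_NO_STATE, which is how an initiator-side SA is shown on each router, so the same question applies from either end: whether the other router's own debug crypto isakmp ever logs the incoming MM1.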

2 Replies

Deepak Kumar
VIP Alumni

Hi,

It requires troubleshooting; there are many possibilities:

1. If there is a NAT device, then it is not configured properly. Please forward UDP ports 500 and 4500 to the ASA.

2. If there is no NAT device, then run the command

"crypto ipsec nat-transparency spi-matching"

Regards,

Deepak Kumar


Hi,

There is no NAT at all.

I ran your command, and now NAT is removed from the debug:

 

007314: Jan 31 07:06:13 CET: ISAKMP:(0):purging SA., sa=302FE2F0, delme=302FE2F0
007315: Jan 31 07:06:13 CET: IPSEC(key_engine): request timer fired: count = 2,
(identity) local= 10.80.239.116:0, remote= x.x.x.x:0,
local_proxy= 10.54.73.0/255.255.255.0/0/0 (type=4),
remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4)
007316: Jan 31 07:06:13 CET: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
007317: Jan 31 07:06:13 CET: ISAKMP:(0):peer does not do paranoid keepalives.

007318: Jan 31 07:06:13 CET: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer x.x.x.x)
007319: Jan 31 07:06:13 CET: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer x.x.x.x)
007320: Jan 31 07:06:13 CET: ISAKMP: Unlocking peer struct 0x3126F7EC for isadb_mark_sa_deleted(), count 0
007321: Jan 31 07:06:13 CET: ISAKMP: Deleting peer node by peer_reap for x.x.x.x: 3126F7EC
007322: Jan 31 07:06:13 CET: ISAKMP:(0):deleting node -1022601771 error FALSE reason "IKE deleted"
007323: Jan 31 07:06:13 CET: ISAKMP:(0):deleting node -217688678 error FALSE reason "IKE deleted"
007324: Jan 31 07:06:13 CET: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
007325: Jan 31 07:06:13 CET: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_DEST_SA

007326: Jan 31 07:06:13 CET: IPSEC(key_engine): got a queue event with 1 KMI message(s)
007327: Jan 31 07:06:13 CET: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 10.80.239.116:500, remote= x.x.x.x:500,
local_proxy= 10.54.73.0/255.255.255.0/0/0 (type=4),
remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-md5-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
007328: Jan 31 07:06:13 CET: ISAKMP:(0): SA request profile is TC_profile
007329: Jan 31 07:06:13 CET: ISAKMP: Created a peer struct for x.x.x.x, peer port 500
007330: Jan 31 07:06:13 CET: ISAKMP: New peer created peer = 0x3126F7EC peer_handle = 0x800006F8
007331: Jan 31 07:06:13 CET: ISAKMP: Locking peer struct 0x3126F7EC, refcount 1 for isakmp_initiator
007332: Jan 31 07:06:13 CET: ISAKMP: local port 500, remote port 500
007333: Jan 31 07:06:13 CET: ISAKMP: set new node 0 to QM_IDLE
007334: Jan 31 07:06:13 CET: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 3123E800
007335: Jan 31 07:06:13 CET: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
007336: Jan 31 07:06:13 CET: ISAKMP:(0):Found ADDRESS key in keyring TC_keyring
007337: Jan 31 07:06:13 CET: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
007338: Jan 31 07:06:13 CET: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1

007339: Jan 31 07:06:13 CET: ISAKMP:(0): beginning Main Mode exchange
007340: Jan 31 07:06:13 CET: ISAKMP:(0): sending packet to x.x.x.x my_port 500 peer_port 500 (I) MM_NO_STATE
007341: Jan 31 07:06:13 CET: ISAKMP:(0):Sending an IKE IPv4 Packet.
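Independently of the NAT-T question, the two configuration snippets in the first post can be cross-checked mechanically: each side's set peer, the ISAKMP profile's match identity address and the keyring's pre-shared-key address should all name the other end, the transform sets should be equal, and the crypto map's match address should reference an ACL that exists. The following is an added example, not the poster's or Cisco's code; it runs over constructed, abbreviated copies of the posted snippets, with site B's loopback address taken from the ping output because the Loopback0 address itself is not in the pasted config. On the posted text it reports two things: site A's crypto map references TEST_lab_access-list while the only ACL in that snippet is hoegh_lab_access-list, and site B's match address VPN has no ACL in the snippet at all. The second is simply something the poster did not paste; whether the first is a redaction slip or a real mismatch on the router is not something the thread settles, but show crypto map on site A would.

```python
import re

# Constructed, abbreviated copies of the two configs posted in the thread
# (description, vrf and 'crypto isakmp policy' lines dropped: the checks
# below do not use them). 'x.x.x.x' is the poster's redaction of site A.
SITE_A = """\
crypto map crypto 1750 ipsec-isakmp
 set peer 10.80.239.116
 set transform-set 3des-md5
 set isakmp-profile 104290_TEST_access_profile_test
 match address TEST_lab_access-list
crypto isakmp profile 104290_TEST_access_profile_test
   keyring 104290_TEST_access_keyring_test
   match identity address 10.80.239.116 255.255.255.255
crypto keyring 104290_TEST_access_keyring_test
  pre-shared-key address 10.80.239.116 key xxxxxx
ip access-list extended hoegh_lab_access-list
 permit ip any 10.54.73.0 0.0.0.255
crypto ipsec transform-set 3des-md5 esp-3des esp-md5-hmac
"""
SITE_B = """\
crypto keyring TC_keyring
  pre-shared-key address x.x.x.x key xxxxxxx
crypto isakmp profile TC_profile
   keyring TC_keyring
   match identity address x.x.x.x 255.255.255.255
crypto ipsec transform-set IKE-3DES-MD5 esp-3des esp-md5-hmac
crypto map TC_VPN local-address Loopback0
crypto map TC_VPN 1 ipsec-isakmp
 set peer x.x.x.x
 set transform-set IKE-3DES-MD5
 set isakmp-profile TC_profile
 match address VPN
"""
# Site B's Loopback0 address is not in the pasted config; it is the source
# address shown in the poster's 'ping ... source loopback 0' output.
SITE_A_ADDR, SITE_B_ADDR = "x.x.x.x", "10.80.239.116"

# Indented sub-lines of interest inside each block type: field name -> regex
SUBLINE = {
    "map": {"peer": r"set peer (\S+)", "tset": r"set transform-set (\S+)",
            "profile": r"set isakmp-profile (\S+)", "acl": r"match address (\S+)"},
    "profile": {"keyring": r"keyring (\S+)",
                "identity": r"match identity address (\S+)"},
    "keyring": {"psk_addr": r"pre-shared-key address (\S+)"},
}


def parse_site(cfg: str) -> dict:
    """Collect crypto maps, ISAKMP profiles, keyrings, ACL names, transform sets."""
    s = {"maps": [], "profiles": {}, "keyrings": {}, "acls": set(), "tsets": {}}
    section = None  # (kind, name) of the block the current line belongs to
    for raw in cfg.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if not raw.startswith(" "):      # top-level line: starts or ends a block
            section = None
            if m := re.match(r"crypto map (\S+) (\d+) ipsec-isakmp", line):
                section = ("map", m.group(1))
                s["maps"].append({"name": m.group(1), "seq": int(m.group(2))})
            elif m := re.match(r"crypto (isakmp profile|keyring) (\S+)", line):
                kind = "profile" if m.group(1).startswith("isakmp") else "keyring"
                section = (kind, m.group(2))
                s[kind + "s"][m.group(2)] = {}
            elif m := re.match(r"ip access-list (?:extended|standard) (\S+)", line):
                s["acls"].add(m.group(1))
            elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
                s["tsets"][m.group(1)] = m.group(2).split()
        elif section:
            kind, name = section
            target = s["maps"][-1] if kind == "map" else s[kind + "s"][name]
            for key, pat in SUBLINE[kind].items():
                if m := re.match(pat, line):
                    target[key] = m.group(1)
    return s


def check_side(label: str, local_cfg: str, remote_cfg: str, remote_addr: str) -> list:
    """Does `local` point at `remote` consistently in map, profile and keyring?"""
    L, R = parse_site(local_cfg), parse_site(remote_cfg)
    remote_tsets = [R["tsets"].get(m.get("tset")) for m in R["maps"]]
    findings = []
    for cm in L["maps"]:
        where = f"{label} crypto map {cm['name']} {cm['seq']}"
        prof = L["profiles"].get(cm.get("profile"), {})
        kr = L["keyrings"].get(prof.get("keyring"), {})
        for what, got in (("set peer", cm.get("peer")), ("profile match identity", prof.get("identity")),
                          ("keyring pre-shared-key address", kr.get("psk_addr"))):
            if got != remote_addr:
                findings.append(f"{where}: {what} {got} != remote address {remote_addr}")
        if L["tsets"].get(cm.get("tset")) not in remote_tsets:
            findings.append(f"{where}: transform-set {cm.get('tset')} has no equal on the remote side")
        if cm.get("acl") not in L["acls"]:
            findings.append(f"{where}: match address {cm.get('acl')} is not defined in the snippet "
                            f"(ACLs present: {sorted(L['acls']) or 'none'})")
    return findings


def cross_check() -> list:
    return (check_side("site A", SITE_A, SITE_B, SITE_B_ADDR)
            + check_side("site B", SITE_B, SITE_A, SITE_A_ADDR))
```

Calling cross_check() on the constructed snippets returns exactly the two ACL findings described above; peer, identity, pre-shared-key address and transform set agree in both directions. The checker is intentionally strict about the ACL because a crypto map whose match address names an undefined ACL never matches interesting traffic, which is what the IPSEC(sa_request) lines in the debug are trying to trigger.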