01-30-2018 05:01 AM - edited 03-12-2019 04:58 AM
Hi,
I have now been troubleshooting for the last couple of days to get a VPN tunnel (site-to-site) up and running again (it has worked before).
But it is not working, whatever I have done:
Rebooted the site B router
Taken all configuration down on site A and B and up again
Debugging and show commands.
Here is debug site B (cisco 1921):
006092: Jan 30 13:34:48 CET: ISAKMP:(0):purging SA., sa=302FE2F0, delme=302FE2F0
006093: Jan 30 13:34:49 CET: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
006094: Jan 30 13:34:49 CET: ISAKMP:(0):peer does not do paranoid keepalives.
006095: Jan 30 13:34:49 CET: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer x.x.x.x)
006096: Jan 30 13:34:49 CET: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer x.x.x.x)
006097: Jan 30 13:34:49 CET: ISAKMP: Unlocking peer struct 0x3126F7EC for isadb_mark_sa_deleted(), count 0
006098: Jan 30 13:34:49 CET: ISAKMP: Deleting peer node by peer_reap for x.x.x.x (public IP): 3126F7EC
006099: Jan 30 13:34:49 CET: ISAKMP:(0):deleting node 1176037716 error FALSE reason "IKE deleted"
006100: Jan 30 13:34:49 CET: ISAKMP:(0):deleting node -25181712 error FALSE reason "IKE deleted"
006101: Jan 30 13:34:49 CET: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
006102: Jan 30 13:34:49 CET: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_DEST_SA
006103: Jan 30 13:34:49 CET: IPSEC(key_engine): got a queue event with 1 KMI message(s)
006104: Jan 30 13:34:49 CET: IPSEC(key_engine): request timer fired: count = 1,
(identity) local= 10.80.239.116:0, remote= x.x.x.x:0,
local_proxy= 10.54.73.0/255.255.255.0/0/0 (type=4),
remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4)
006105: Jan 30 13:34:49 CET: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 10.80.239.116:500, remote= x.x.x.x:500,
local_proxy= 10.54.73.0/255.255.255.0/0/0 (type=4),
remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-md5-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
006106: Jan 30 13:34:49 CET: ISAKMP:(0): SA request profile is TC_profile
006107: Jan 30 13:34:49 CET: ISAKMP: Created a peer struct for x.x.x.x, peer port 500
006108: Jan 30 13:34:49 CET: ISAKMP: New peer created peer = 0x3126F7EC peer_handle = 0x800002E6
006109: Jan 30 13:34:49 CET: ISAKMP: Locking peer struct 0x3126F7EC, refcount 1 for isakmp_initiator
006110: Jan 30 13:34:49 CET: ISAKMP: local port 500, remote port 500
006111: Jan 30 13:34:49 CET: ISAKMP: set new node 0 to QM_IDLE
006112: Jan 30 13:34:49 CET: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 302FE2F0
006113: Jan 30 13:34:49 CET: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
006114: Jan 30 13:34:49 CET: ISAKMP:(0):Found ADDRESS key in keyring TC_keyring
006115: Jan 30 13:34:49 CET: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
006116: Jan 30 13:34:49 CET: ISAKMP:(0): constructed NAT-T vendor-07 ID
006117: Jan 30 13:34:49 CET: ISAKMP:(0): constructed NAT-T vendor-03 ID
006118: Jan 30 13:34:49 CET: ISAKMP:(0): constructed NAT-T vendor-02 ID
006119: Jan 30 13:34:49 CET: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
006120: Jan 30 13:34:49 CET: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
I can ping and traceroute in both directions:
149999-002-rtr01#ping x.x.x.x source loopback 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to x.x.x.x, timeout is 2 seconds:
Packet sent with a source address of 10.80.239.116
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/8/8 ms
149999-002-rtr01#
and the other direction:
no-sfd6-VPN01#ping 10.80.239.116
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.80.239.116, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/9/10 ms
no-sfd6-VPN01#
We have a lot of VPNs terminated on the router no-sfd6-VPN01, and they work fine.
The configuration for site A (main site):
crypto map crypto 1750 ipsec-isakmp
description 104290-XXX TEST lab
set peer 10.80.239.116
set transform-set 3des-md5
set isakmp-profile 104290_TEST_access_profile_test
match address TEST_lab_access-list
!
crypto isakmp profile 104290_TEST_access_profile_test
vrf 104290_TEST_access
keyring 104290_TEST_access_keyring_test
match identity address 10.80.239.116 255.255.255.255
!
crypto keyring 104290_TEST_access_keyring_test
pre-shared-key address 10.80.239.116 key xxxxxx
!
ip access-list extended hoegh_lab_access-list
permit ip any 10.54.73.0 0.0.0.255
!
crypto ipsec transform-set 3des-md5 esp-3des esp-md5-hmac
The configuration for site B (1921 router):
crypto keyring TC_keyring
pre-shared-key address x.x.x.x key xxxxxxx
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp profile TC_profile
vrf 104290_TEST_access
keyring TC_keyring
match identity address x.x.x.x 255.255.255.255
!
!
crypto ipsec transform-set IKE-3DES-MD5 esp-3des esp-md5-hmac
!
crypto map TC_VPN local-address Loopback0
crypto map TC_VPN 1 ipsec-isakmp
description Tunnel SF x.x.x.x
set peer x.x.x.x
set transform-set IKE-3DES-MD5
set isakmp-profile TC_profile
match address VPN
The crypto map is configured on the outbound interface.
149999-002-rtr01#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
x.x.x.x 10.80.239.116 MM_NO_STATE 0 ACTIVE
x.x.x.x 10.80.239.116 MM_NO_STATE 0 ACTIVE (deleted)
IPv6 Crypto ISAKMP SA
149999-002-rtr01#
And from Site A:
no-sfd6-VPN01#show crypto isakmp sa vrf 104290_TEST_access
IPv4 Crypto ISAKMP SA
dst src state conn-id status
10.80.239.116 x.x.x.x MM_NO_STATE 0 ACTIVE
10.80.239.116 x.x.x.x MM_NO_STATE 0 ACTIVE (deleted)
IPv6 Crypto ISAKMP SA
no-sfd6-VPN01#
01-30-2018 05:52 AM
Hi,
It requires troubleshooting. There are many possibilities:
1. If there is any NAT device, then it is not configured properly. Please forward UDP ports 500 and 4500 to the ASA.
2. If there is no NAT device, then run the command
"crypto ipsec nat-transparency spi-matching"
Regards,
Deepak Kumar
01-30-2018 10:12 PM
Hi,
There is no NAT at all.
I ran your command, and now NAT is removed from the debug:
007314: Jan 31 07:06:13 CET: ISAKMP:(0):purging SA., sa=302FE2F0, delme=302FE2F0
007315: Jan 31 07:06:13 CET: IPSEC(key_engine): request timer fired: count = 2,
(identity) local= 10.80.239.116:0, remote= x.x.x.x:0,
local_proxy= 10.54.73.0/255.255.255.0/0/0 (type=4),
remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4)
007316: Jan 31 07:06:13 CET: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
007317: Jan 31 07:06:13 CET: ISAKMP:(0):peer does not do paranoid keepalives.
007318: Jan 31 07:06:13 CET: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer x.x.x.x)
007319: Jan 31 07:06:13 CET: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer x.x.x.x)
007320: Jan 31 07:06:13 CET: ISAKMP: Unlocking peer struct 0x3126F7EC for isadb_mark_sa_deleted(), count 0
007321: Jan 31 07:06:13 CET: ISAKMP: Deleting peer node by peer_reap for x.x.x.x: 3126F7EC
007322: Jan 31 07:06:13 CET: ISAKMP:(0):deleting node -1022601771 error FALSE reason "IKE deleted"
007323: Jan 31 07:06:13 CET: ISAKMP:(0):deleting node -217688678 error FALSE reason "IKE deleted"
007324: Jan 31 07:06:13 CET: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
007325: Jan 31 07:06:13 CET: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_DEST_SA
007326: Jan 31 07:06:13 CET: IPSEC(key_engine): got a queue event with 1 KMI message(s)
007327: Jan 31 07:06:13 CET: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 10.80.239.116:500, remote= x.x.x.x:500,
local_proxy= 10.54.73.0/255.255.255.0/0/0 (type=4),
remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-md5-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
007328: Jan 31 07:06:13 CET: ISAKMP:(0): SA request profile is TC_profile
007329: Jan 31 07:06:13 CET: ISAKMP: Created a peer struct for x.x.x.x, peer port 500
007330: Jan 31 07:06:13 CET: ISAKMP: New peer created peer = 0x3126F7EC peer_handle = 0x800006F8
007331: Jan 31 07:06:13 CET: ISAKMP: Locking peer struct 0x3126F7EC, refcount 1 for isakmp_initiator
007332: Jan 31 07:06:13 CET: ISAKMP: local port 500, remote port 500
007333: Jan 31 07:06:13 CET: ISAKMP: set new node 0 to QM_IDLE
007334: Jan 31 07:06:13 CET: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 3123E800
007335: Jan 31 07:06:13 CET: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
007336: Jan 31 07:06:13 CET: ISAKMP:(0):Found ADDRESS key in keyring TC_keyring
007337: Jan 31 07:06:13 CET: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
007338: Jan 31 07:06:13 CET: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
007339: Jan 31 07:06:13 CET: ISAKMP:(0): beginning Main Mode exchange
007340: Jan 31 07:06:13 CET: ISAKMP:(0): sending packet to x.x.x.x my_port 500 peer_port 500 (I) MM_NO_STATE
007341: Jan 31 07:06:13 CET: ISAKMP:(0):Sending an IKE IPv4 Packet.
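As an added example (not code from the thread), a small Python classifier for the ISAKMP debug lines posted above and in the follow-up: it tracks the state transitions and the "Death by retransmission P1" line to report how far Main Mode got before the SA was torn down. The sample debug is constructed after the site-B output, with 192.0.2.1 standing in for the redacted peer, and the diagnosis texts are standard IKEv1 troubleshooting rules rather than anything the thread itself states.

```python
import re

# Constructed sample modelled on the site-B debug in this thread; the peer address
# is a documentation-range placeholder standing in for the redacted x.x.x.x.
SAMPLE_DEBUG = """\
007338: Jan 31 07:06:13 CET: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
007340: Jan 31 07:06:13 CET: ISAKMP:(0): sending packet to 192.0.2.1 my_port 500 peer_port 500 (I) MM_NO_STATE
007350: Jan 31 07:06:23 CET: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
007360: Jan 31 07:06:33 CET: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
007370: Jan 31 07:06:43 CET: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 192.0.2.1)
007371: Jan 31 07:06:43 CET: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_DEST_SA
"""

STATE_RE = re.compile(r"Old State = (\S+) New State = (\S+)")
DEATH_RE = re.compile(r'deleting SA reason "Death by retransmission P1" state \((I|R)\) (\S+) \(peer ([\d.]+)\)')

# The highest initiator state reached before teardown says which Main Mode
# message went unanswered (IKE_I_MMn means "sent message n, never got n+1").
DIAGNOSIS = {
    "IKE_I_MM1": "MM1 sent, no MM2 received: the peer never answered IKE at all. "
                 "Check UDP/500 reachability and that the peer has an ISAKMP "
                 "profile/policy matching this source address.",
    "IKE_I_MM3": "MM3 sent, no MM4 received: key exchange stalled; suspect large "
                 "UDP packets being dropped on the path.",
    "IKE_I_MM5": "MM5 sent, no MM6 received: authentication failed; usually a "
                 "pre-shared-key or identity mismatch.",
}


def analyze_phase1(debug_text: str) -> dict:
    """Summarise one IKEv1 phase 1 attempt from 'debug crypto isakmp' lines."""
    states, retransmits, death = [], 0, None
    for line in debug_text.splitlines():
        if m := STATE_RE.search(line):
            states.append(m.group(2))
        if "retransmitting phase 1" in line:
            retransmits += 1
        if d := DEATH_RE.search(line):
            death = d
    if death is None:
        return {"failed": False, "retransmits": retransmits, "states": states}
    progress = [s for s in states if s != "IKE_DEST_SA"]
    last = progress[-1] if progress else "unknown"
    return {
        "failed": True,
        "role": "initiator" if death.group(1) == "I" else "responder",
        "peer": death.group(3),
        "retransmits": retransmits,
        "last_state": last,
        "diagnosis": DIAGNOSIS.get(last, "phase 1 torn down at state " + last),
    }
```

Feed it the full `debug crypto isakmp` capture for one attempt; a healthy negotiation never produces the "Death by retransmission" line and returns `failed: False`.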