MM_NO_STATE 0 ACTIVE (deleted) in IPsec Site-to-Site VPN

Kenneth Goh
Level 1

CSR routers R9 and R10 are supposed to form a site-to-site IPsec VPN using digital certificates, where R12 is the CA server.


 

R10#ping 40.0.1.1 so lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 40.0.1.1, timeout is 2 seconds:
Packet sent with a source address of 40.0.2.1

Mar 26 09:16:21.217: ISAKMP: (0):SA request profile is ISAKMP-PROFILE
Mar 26 09:16:21.217: ISAKMP: (0):Created a peer struct for 30.1.2.2, peer port 500
Mar 26 09:16:21.217: ISAKMP: (0):New peer created peer = 0x80007F1CE9E4EFB0 peer_handle = 0x8000000040000006
Mar 26 09:16:21.217: ISAKMP: (0):Locking peer struct 0x80007F1CE9E4EFB0, refcount 1 for isakmp_initiator
Mar 26 09:16:21.217: ISAKMP: (0):local port 500, remote port 500
Mar 26 09:16:21.217: ISAKMP: (0):set new node 0 to QM_IDLE
Mar 26 09:16:21.217: ISAKMP: (0):Find a dup sa in the avl tree during calling isadb_insert sa = 80007F1CE9E3AB80
Mar 26 09:16:21.217: ISAKMP: (0):Can not start Aggressive mode, trying Main mode.
Mar 26 09:16:21.217: ISAKMP-ERROR: (0):Profile has no keyring, aborting key search
Mar 26 09:16:21.218: ISAKMP-ERROR: (0):Profile has no keyring, aborting host key search
Mar 26 09:16:21.218: ISAKMP: (0):IKE->PKI Get configured TrustPoints state (I) MM_NO_STATE (peer 30.1.2.2)
Mar 26 09:16:21.218: ISAKMP: (0):PKI->IKE Got configured TrustPoints state (I) MM_NO_STATE (peer 30.1.2.2)
Mar 26 09:16:21.219: ISAKMP: (0):constructed NAT-T vendor-rfc3947 ID
Mar 26 09:16:21.219: ISAKMP: (0):constructed NAT-T vendor-07 ID
Mar 26 09:16:21.219: ISAKMP: (0):constructed NAT-T vendor-03 ID
Mar 26 09:16:21.219: ISAKMP: (0):constructed NAT-T vendor-02 ID
Mar 26 09:16:21.219: ISAKMP: (0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Mar 26 09:16:21.219: ISAKMP: (0):Old State = IKE_READY New State = IKE_I_MM1

Mar 26 09:16:21.219: ISAKMP: (0):beginning Main Mode exchange
Mar 26 09:16:21.219: ISAKMP-PAK: (0):sending packet to 30.1.2.2 my_port 500 peer_port 500 (I) MM_NO_STATE
Mar 26 09:16:21.219: ISAKMP: (0):Sending an IKE IPv4 Packet......
Success rate is 0 percent (0/5)
R10#
Mar 26 09:16:31.220: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
Mar 26 09:16:31.220: ISAKMP: (0):: incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Mar 26 09:16:31.220: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE
Mar 26 09:16:31.220: ISAKMP-PAK: (0):sending packet to 30.1.2.2 my_port 500 peer_port 500 (I) MM_NO_STATE
Mar 26 09:16:31.220: ISAKMP: (0):Sending an IKE IPv4 Packet.
Mar 26 09:16:41.221: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
Mar 26 09:16:41.221: ISAKMP: (0):: incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
Mar 26 09:16:41.221: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE
Mar 26 09:16:41.221: ISAKMP-PAK: (0):sending packet to 30.1.2.2 my_port 500 peer_port 500 (I) MM_NO_STATE
Mar 26 09:16:41.221: ISAKMP: (0):Sending an IKE IPv4 Packet.
Mar 26 09:16:51.216: ISAKMP: (0):set new node 0 to QM_IDLE
Mar 26 09:16:51.216: ISAKMP-ERROR: (0):SA is still budding. Attached new ipsec request to it. (local 30.1.2.1, remote 30.1.2.2)
Mar 26 09:16:51.217: ISAKMP-ERROR: (0):Error while processing SA request: Failed to initialize SA
Mar 26 09:16:51.217: ISAKMP-ERROR: (0):Error while processing KMI message 0, error 2.
Mar 26 09:16:51.222: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
Mar 26 09:16:51.222: ISAKMP: (0):: incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
Mar 26 09:16:51.222: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE
Mar 26 09:16:51.222: ISAKMP-PAK: (0):sending packet to 30.1.2.2 my_port 500 peer_port 500 (I) MM_NO_STATE
Mar 26 09:16:51.222: ISAKMP: (0):Sending an IKE IPv4 Packet.
Mar 26 09:16:55.285: ISAKMP: (0):purging node 1753877759
Mar 26 09:16:55.285: ISAKMP: (0):purging node 1668408196
Mar 26 09:17:01.222: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
Mar 26 09:17:01.223: ISAKMP: (0):: incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
Mar 26 09:17:01.223: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE
Mar 26 09:17:01.223: ISAKMP-PAK: (0):sending packet to 30.1.2.2 my_port 500 peer_port 500 (I) MM_NO_STATE
Mar 26 09:17:01.223: ISAKMP: (0):Sending an IKE IPv4 Packet.
Mar 26 09:17:05.285: ISAKMP: (0):purging SA., sa=80007F1CE5794A50, delme=80007F1CE5794A50
Mar 26 09:17:11.223: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
Mar 26 09:17:11.223: ISAKMP: (0):: incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
Mar 26 09:17:11.223: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE
Mar 26 09:17:11.223: ISAKMP-PAK: (0):sending packet to 30.1.2.2 my_port 500 peer_port 500 (I) MM_NO_STATE
Mar 26 09:17:11.223: ISAKMP: (0):Sending an IKE IPv4 Packet.
Mar 26 09:17:21.222: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
Mar 26 09:17:21.222: ISAKMP: (0):peer does not do paranoid keepalives.
Mar 26 09:17:21.222: ISAKMP-ERROR: (0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 30.1.2.2)
Mar 26 09:17:21.223: ISAKMP-ERROR: (0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 30.1.2.2)
Mar 26 09:17:21.223: ISAKMP: (0):Unlocking peer struct 0x80007F1CE9E4EFB0 for isadb_mark_sa_deleted(), count 0
Mar 26 09:17:21.223: ISAKMP: (0):Deleting peer node by peer_reap for 30.1.2.2: 80007F1CE9E4EFB0
Mar 26 09:17:21.224: ISAKMP: (0):deleting node 2381461363 error FALSE reason "IKE deleted"
Mar 26 09:17:21.224: ISAKMP: (0):deleting node 3149378801 error FALSE reason "IKE deleted"
Mar 26 09:17:21.224: ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Mar 26 09:17:21.224: ISAKMP: (0):Old State = IKE_I_MM1 New State = IKE_DEST_SA

Mar 26 09:18:11.223: ISAKMP: (0):purging node 2381461363
Mar 26 09:18:11.224: ISAKMP: (0):purging node 3149378801
Mar 26 09:18:21.224: ISAKMP: (0):purging SA., sa=80007F1CE9E3AB80, delme=80007F1CE9E3AB80

R9#sh run
Building configuration...

Current configuration : 11678 bytes
!
! Last configuration change at 08:57:40 UTC Tue Mar 26 2024
!
version 17.2
service timestamps debug datetime msec
service timestamps log datetime msec
service call-home
platform qfp utilization monitor load 80
platform punt-keepalive disable-kernel-core
platform console serial
!
hostname R9
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
!
!
!
!
!
!
ip name-server 8.8.8.8
ip domain name networkwizkid.com
!
!
!
login on-success log
!
!
!
!
!
!
!
subscriber templating
!
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-4291921536
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4291921536
revocation-check none
rsakeypair TP-self-signed-4291921536
!
crypto pki trustpoint SLA-TrustPoint
enrollment pkcs12
revocation-check crl
!
crypto pki trustpoint CA-SERVER
enrollment url http://30.1.3.1:80
serial-number
subject-name cn=r9.networkwizkid.com
subject-alt-name r9.networkwizkid.com
revocation-check none
rsakeypair r9.networkwizkid.com
hash sha256
!
!
!
crypto pki certificate map IKEV2-CERT-MAP 1
issuer-name co networkwizkid.com
!
crypto pki certificate chain TP-self-signed-4291921536
certificate self-signed 01
quit
crypto pki certificate chain SLA-TrustPoint
certificate ca 01
quit
crypto pki certificate chain CA-SERVER
certificate 02
quit
certificate ca 01
quit
!
license udi pid CSR1000V sn 9JHRBQADFM6
diagnostic bootup level minimal
memory free low-watermark processor 71873
!
!
spanning-tree extend system-id
!
!
redundancy
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto isakmp policy 5
hash sha256
crypto isakmp profile ISAKMP-PROFILE
match certificate IKEV2-CERT-MAP
!
!
crypto ipsec transform-set TRANSFORM-SET esp-aes esp-sha256-hmac
mode tunnel
!
crypto ipsec profile IPSEC-PROFILE
set transform-set TRANSFORM-SET
set isakmp-profile ISAKMP-PROFILE
!
!
!
crypto map CRYPTO-MAP 10 ipsec-isakmp
set peer 30.1.1.2
set transform-set TRANSFORM-SET
set isakmp-profile ISAKMP-PROFILE
match address CRYPTO-ACL
!
!
!
!
!
!
!
!
interface Loopback0
ip address 40.0.1.1 255.255.255.0
!
interface GigabitEthernet1
ip address 30.1.1.1 255.255.255.0
negotiation auto
no mop enabled
no mop sysid
crypto map CRYPTO-MAP
!
interface GigabitEthernet2
no ip address
shutdown
negotiation auto
no mop enabled
no mop sysid
!
interface GigabitEthernet3
no ip address
shutdown
negotiation auto
no mop enabled
no mop sysid
!
interface GigabitEthernet4
no ip address
shutdown
negotiation auto
no mop enabled
no mop sysid
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 30.1.1.2
!
ip access-list extended CRYPTO-ACL
10 permit ip host 40.0.1.1 host 40.0.2.1 log
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
line con 0
stopbits 1
line vty 0 4
login
transport input ssh
!
call-home
! If contact email address in call-home is configured as sch-smart-licensing@cisco.com
! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.
contact-email-addr sch-smart-licensing@cisco.com
profile "CiscoTAC-1"
active
destination transport-method http
ntp trusted-key 1
ntp server 30.1.3.1
!
!
!
!
!
end

R9#

--------------------------------------------------------------------------------------------------------------

R10#show run
Building configuration...

Current configuration : 11532 bytes
!
! Last configuration change at 08:57:33 UTC Tue Mar 26 2024
!
version 17.2
service timestamps debug datetime msec
service timestamps log datetime msec
service call-home
platform qfp utilization monitor load 80
platform punt-keepalive disable-kernel-core
platform console serial
!
hostname R10
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
!
!
!
!
!
!
ip name-server 8.8.8.8
ip domain name networkwizkid.com
!
!
!
login on-success log
!
!
!
!
!
!
!
subscriber templating
!
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-1863072464
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1863072464
revocation-check none
rsakeypair TP-self-signed-1863072464
!
crypto pki trustpoint SLA-TrustPoint
enrollment pkcs12
revocation-check crl
!
crypto pki trustpoint CA-SERVER
enrollment url http://30.1.3.1:80
serial-number
revocation-check none
rsakeypair r10.networkwizkid.com
hash sha256
!
!
!
crypto pki certificate map IKEV2-CERT-MAP 1
issuer-name co networkwizkid.com
!
crypto pki certificate chain TP-self-signed-1863072464
certificate self-signed 01
quit
crypto pki certificate chain SLA-TrustPoint
certificate ca 01
quit
crypto pki certificate chain CA-SERVER
certificate 03
quit
certificate ca 01
quit
!
license udi pid CSR1000V sn 9T1GYQBVY93
diagnostic bootup level minimal
memory free low-watermark processor 71873
!
!
spanning-tree extend system-id
!
!
redundancy
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto isakmp policy 5
hash sha256
crypto isakmp profile ISAKMP-PROFILE
match certificate IKEV2-CERT-MAP
!
!
crypto ipsec transform-set TRANSFORM-SET esp-aes esp-sha256-hmac
mode tunnel
!
crypto ipsec profile IPSEC-PROFILE
set transform-set TRANSFORM-SET
set isakmp-profile ISAKMP-PROFILE
!
!
!
crypto map CRYPTO-MAP 10 ipsec-isakmp
set peer 30.1.2.2
set transform-set TRANSFORM-SET
set isakmp-profile ISAKMP-PROFILE
match address CRYPTO-ACL
!
!
!
!
!
!
!
!
interface Loopback0
ip address 40.0.2.1 255.255.255.0
!
interface GigabitEthernet1
ip address 30.1.2.1 255.255.255.0
negotiation auto
no mop enabled
no mop sysid
crypto map CRYPTO-MAP
!
interface GigabitEthernet2
no ip address
shutdown
negotiation auto
no mop enabled
no mop sysid
!
interface GigabitEthernet3
no ip address
shutdown
negotiation auto
no mop enabled
no mop sysid
!
interface GigabitEthernet4
no ip address
shutdown
negotiation auto
no mop enabled
no mop sysid
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 30.1.2.2
!
ip access-list extended CRYPTO-ACL
10 permit ip host 40.0.2.1 host 40.0.1.1 log
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
line con 0
stopbits 1
line vty 0 4
login
transport input ssh
!
call-home
! If contact email address in call-home is configured as sch-smart-licensing@cisco.com
! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.
contact-email-addr sch-smart-licensing@cisco.com
profile "CiscoTAC-1"
active
destination transport-method http
ntp trusted-key 1
ntp server 30.1.3.1
!
!
!
!
!
end

R10#

Accepted Solutions

Giuseppe Larosa
Hall of Fame

Hello @Kenneth Goh ,

You need to fix the configuration of the IPsec peers based on your network diagram:

on R9

set peer 30.1.2.1

 

on R10

set peer 30.1.1.1

You need to use the final destination address of the router you would like to build a site-to-site VPN with. You have used as the remote peer the IP address of the adjacent IP next hop, which is not speaking IKE or ISAKMP; this is why you see MM_NO_STATE.

Hope to help

Giuseppe
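
The peer mismatch described in this answer can be caught before any tunnel is attempted by cross-checking the two running-configs. The script below is an added example, not part of the original post or of any Cisco tool: it assumes the un-indented config layout shown in the question, and the function names and the trimmed config excerpts are constructed for illustration.

```python
import re

# Constructed excerpts: only the peering-relevant lines of the R9 and R10
# configurations posted in the question (no indentation, as on the page).
R9_CONFIG = """
hostname R9
!
crypto map CRYPTO-MAP 10 ipsec-isakmp
set peer 30.1.1.2
!
interface Loopback0
ip address 40.0.1.1 255.255.255.0
!
interface GigabitEthernet1
ip address 30.1.1.1 255.255.255.0
crypto map CRYPTO-MAP
!
ip route 0.0.0.0 0.0.0.0 30.1.1.2
"""

R10_CONFIG = """
hostname R10
!
crypto map CRYPTO-MAP 10 ipsec-isakmp
set peer 30.1.2.2
!
interface Loopback0
ip address 40.0.2.1 255.255.255.0
!
interface GigabitEthernet1
ip address 30.1.2.1 255.255.255.0
crypto map CRYPTO-MAP
!
ip route 0.0.0.0 0.0.0.0 30.1.2.2
"""


def parse_config(text):
    """Extract hostname, crypto-map peers, addresses of crypto-map-enabled
    interfaces and default-route next hops from an IOS running-config."""
    cfg = {"hostname": None, "peers": [], "crypto_addrs": [], "next_hops": []}
    in_iface, iface_addr = False, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("", "!"):                      # section separator
            in_iface, iface_addr = False, None
        elif m := re.fullmatch(r"hostname (\S+)", line):
            cfg["hostname"] = m.group(1)
        elif line.startswith("interface "):
            in_iface, iface_addr = True, None
        elif in_iface and (m := re.fullmatch(r"ip address (\S+) (\S+)", line)):
            iface_addr = m.group(1)
        elif in_iface and re.fullmatch(r"crypto map \S+", line):
            # "crypto map NAME" with no sequence number applies the map here
            if iface_addr:
                cfg["crypto_addrs"].append(iface_addr)
        elif m := re.fullmatch(r"set peer (\S+)", line):
            cfg["peers"].append(m.group(1))
        elif m := re.fullmatch(r"ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)", line):
            cfg["next_hops"].append(m.group(1))
    return cfg


def audit_peers(local, remote):
    """Return one finding per 'set peer' on `local` that is not the address
    of a crypto-map-enabled interface on `remote`."""
    findings = []
    for peer in local["peers"]:
        if peer in remote["crypto_addrs"]:
            continue
        reason = ("peer is the local default-route next hop"
                  if peer in local["next_hops"]
                  else "peer is not a crypto-enabled address on the remote router")
        findings.append({"router": local["hostname"], "peer": peer,
                         "reason": reason, "expected": list(remote["crypto_addrs"])})
    return findings


def audit_pair(text_a, text_b):
    """Check both directions of a site-to-site pair."""
    a, b = parse_config(text_a), parse_config(text_b)
    return audit_peers(a, b) + audit_peers(b, a)


if __name__ == "__main__":
    for f in audit_pair(R9_CONFIG, R10_CONFIG):
        print(f"{f['router']}: set peer {f['peer']} -> {f['reason']}; "
              f"expected one of {f['expected']}")
```
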

 

 


3 Replies

Gopinath_Pigili
Spotlight

Hello Kenneth Goh,

MM_NO_STATE means Main Mode No State. In this state, the state machine is still in the initial state because it hasn't received any response from the peer.

This seems to indicate that this router is sending IKE data to the peer, but the peer is not responding. You should verify whether the peers are configured correctly.

Best regards
******* If This Helps, Please Rate *******
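
The "sending but never answered" pattern described in this reply can be read mechanically from `debug crypto isakmp` output. The script below is an added example, not part of the original thread: the log is an abridged excerpt of the R10 debug posted in the question, the `received packet from` pattern is an assumption about how a reply would appear in this debug, and the second verdict goes beyond the case on this page.

```python
import re
from collections import defaultdict

# Abridged excerpt of the R10 debug output posted in the question.
DEBUG_LOG = """\
Mar 26 09:16:21.219: ISAKMP: (0):Old State = IKE_READY New State = IKE_I_MM1
Mar 26 09:16:21.219: ISAKMP-PAK: (0):sending packet to 30.1.2.2 my_port 500 peer_port 500 (I) MM_NO_STATE
Mar 26 09:16:31.220: ISAKMP: (0):: incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Mar 26 09:16:31.220: ISAKMP-PAK: (0):sending packet to 30.1.2.2 my_port 500 peer_port 500 (I) MM_NO_STATE
Mar 26 09:16:41.221: ISAKMP: (0):: incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
Mar 26 09:16:41.221: ISAKMP-PAK: (0):sending packet to 30.1.2.2 my_port 500 peer_port 500 (I) MM_NO_STATE
Mar 26 09:17:11.223: ISAKMP: (0):: incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
Mar 26 09:17:11.223: ISAKMP-PAK: (0):sending packet to 30.1.2.2 my_port 500 peer_port 500 (I) MM_NO_STATE
Mar 26 09:17:21.222: ISAKMP-ERROR: (0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 30.1.2.2)
"""

SEND = re.compile(r"sending packet to (\S+) ")
RECV = re.compile(r"received packet from (\S+) ")  # assumed wording for replies
ATTEMPT = re.compile(r"attempt (\d+) of \d+: retransmit phase 1")
DELETE = re.compile(r'deleting SA reason "([^"]+)" state \(\w\) (\S+) \(peer ([\d.]+)\)')


def triage(log):
    """Count IKE packets sent and received per peer, the highest phase 1
    retransmit attempt, and the reason and state in which the SA was deleted."""
    stats = defaultdict(lambda: {"sent": 0, "received": 0,
                                 "retransmits": 0, "deleted": None})
    last_peer = None  # retransmit lines carry no address; use the last send
    for line in log.splitlines():
        if m := SEND.search(line):
            last_peer = m.group(1)
            stats[last_peer]["sent"] += 1
        elif m := RECV.search(line):
            stats[m.group(1)]["received"] += 1
        elif (m := ATTEMPT.search(line)) and last_peer:
            s = stats[last_peer]
            s["retransmits"] = max(s["retransmits"], int(m.group(1)))
        elif m := DELETE.search(line):
            stats[m.group(3)]["deleted"] = (m.group(1), m.group(2))
    return dict(stats)


def verdict(s):
    """Classify one peer's statistics."""
    reason, state = s["deleted"] or (None, None)
    if s["sent"] and not s["received"] and state == "MM_NO_STATE":
        return "no IKE reply from peer: verify the peer address and UDP/500 reachability"
    if s["received"] and reason:
        return "peer replied: the failure is later in the negotiation"
    return "inconclusive"


if __name__ == "__main__":
    for peer, s in triage(DEBUG_LOG).items():
        print(peer, s, "->", verdict(s))
```
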

Ping from LAN to LAN

Share the 

Debug crypto isakmp 

MHM
