IKE Phase 1 not completing due to changed port

ryanbark · ‎04-11-2009

I'm currently attempting to implement DMVPN between a 2621(12.3(26)) and a 3640(12.4(23); head-end) over the Internet. I'm currently seeing an issue when the 2621 initiates the ISAKMP SA, the 3640 receives the correct packet, but the wrong sport is indicated.

received packet from X.X.X.X dport 500 sport 1 Global (R) MM_SA_SETUP

...output truncated...

sending packet to X.X.X.X my_port 500 peer_port 1 (R) MM_SA_SETUP

The 2621 is specifying a dport of 500 with a sport of 500 in the debug output. The 3640 continues with the next few steps of the ISAKMP negotiation, but sends the reply back to the 2621 on port 1 instead of port 500.

Has anyone seen this and/or can assist with this? I've looked around a bit and I've not found another similar instance of this issue. Any assistance is appreciated. Thank you.

ryanbark · ‎04-13-2009

Hmm... Very odd, but apparently a reboot and a day give it enough time to allow this to correct itself. I'd like to say that it has something to do with the NAT-T ACL line I added, but I don't see any hits for it. So, it's working now, but I'm sorry I don't have a more technical answer as to why or exactly how the issue was resolved. Thank you.

eng.taher_gabr · ‎04-14-2009

hi ryanbark

please provide us with more information so may be some one can help

thanks a lot

taher

ryanbark · ‎04-14-2009

My previous post on Apr 13, 2009 at 11:19PM notes that the issue has been solved with a reboot and a little bit of patience. Thank you for your response, however.