IKE Phase 1 not completing due to changed port

Unanswered Question
Apr 13th, 2009

I think I posted this in the wrong forum initially. I hope I have better luck here.

I'm attempting to implement DMVPN between a 2621 (12.3(26); spoke) and a 3640 (12.4(23); hub) over the Internet. I'm currently seeing an issue where, when the 2621 initiates the ISAKMP SA, the 3640 receives the correct packet, but the wrong sport is indicated.

received packet from X.X.X.X dport 500 sport 1 Global (R) MM_SA_SETUP

...output truncated...

sending packet to X.X.X.X my_port 500 peer_port 1 (R) MM_SA_SETUP

The 2621 is specifying a dport of 500 with a sport of 500 in the debug output. The 3640 continues with the next few steps of the ISAKMP negotiation, but sends the reply back to the 2621 on port 1 instead of port 500.

Has anyone seen this and/or can assist with this? I've looked around a bit and I've not found another similar instance of this issue. Any assistance is appreciated. Thank you.

ryanbark Mon, 04/13/2009 - 22:19

Hmm... Very odd, but apparently a reboot and a day give it enough time to allow this to correct itself. I'd like to say that it has something to do with the NAT-T ACL line I added, but I don't see any hits for it. So, it's working now, but I'm sorry I don't have a more technical answer as to why or exactly how the issue was resolved. Thank you.
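
An added example, not part of the original thread: a small parser for the two debug line formats quoted above that lists every ISAKMP packet whose peer port is neither UDP 500 (IKE) nor UDP 4500 (NAT-T). When the initiator's own debug shows sport 500, as in the question, such a line means the source port changed in transit. The function names and all sample lines other than the first two are constructed for illustration.

```python
import re

# Line formats taken from the two debug lines quoted in the thread.
RX = re.compile(r"received packet from (?P<peer>\S+) dport (?P<local>\d+) sport (?P<remote>\d+)")
TX = re.compile(r"sending packet to (?P<peer>\S+) my_port (?P<local>\d+) peer_port (?P<remote>\d+)")

# UDP 500 is IKE; UDP 4500 is used once NAT traversal has been negotiated.
EXPECTED_PEER_PORTS = {500, 4500}

# Constructed sample: lines 1-2 mirror the thread, lines 3-4 are made up for contrast.
SAMPLE = """\
received packet from X.X.X.X dport 500 sport 1 Global (R) MM_SA_SETUP
sending packet to X.X.X.X my_port 500 peer_port 1 (R) MM_SA_SETUP
received packet from 192.0.2.10 dport 500 sport 500 Global (R) MM_SA_SETUP
received packet from 192.0.2.20 dport 4500 sport 4500 Global (R) MM_KEY_EXCH
"""


def find_port_anomalies(text):
    """Return (line_no, direction, peer, peer_port) for each unexpected peer port."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for direction, pattern in (("rx", RX), ("tx", TX)):
            match = pattern.search(line)
            if match is None:
                continue
            peer_port = int(match["remote"])
            if peer_port not in EXPECTED_PEER_PORTS:
                findings.append((line_no, direction, match["peer"], peer_port))
    return findings


def ports_by_peer(findings):
    """Group the unexpected ports per peer so a changing mapping stands out."""
    grouped = {}
    for _, _, peer, port in findings:
        grouped.setdefault(peer, set()).add(port)
    return grouped


if __name__ == "__main__":
    for line_no, direction, peer, port in find_port_anomalies(SAMPLE):
        print(f"line {line_no}: {direction} peer {peer} uses port {port}")
```

Comparing the flagged port against the sport the initiator logs for the same exchange shows whether the change happened on the path between the two routers.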

