Error "Death by retransmission P1" with an IPsec tunnel between two routers

Apr 16th, 2009

Hello,


I have a problem with an IPsec tunnel between an 877W router and an 1812 router. The configuration on both routers seems to be OK: the tunnel comes up, but it goes down after a while. I get these logs:


040687: *Apr 16 10:50:44.415 PCTime: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (R) MM_SA_SETUP (peer X.X.X.X)

040688: *Apr 16 10:50:57.867 PCTime: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer X.X.X.X)


The 1812 router terminates 2 IPsec tunnels, and the second one is working fine. The 877W is behind another router which is performing NAT. Is there something special about this configuration?


Any tips or ideas?


Thanks for your help,


Vincent

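The role letter and main mode state in a "deleting SA" line say where IKEv1 Phase 1 stalled before the retransmit timer gave up. The following is an added example, not code from the thread or from Cisco: it extracts those fields from debug crypto isakmp / syslog output and applies the usual troubleshooting heuristics. The two quoted lines are taken from the post above; the lines with RFC 5737 addresses and the interface message are constructed, and the cause hints are heuristics rather than an authoritative Cisco table.

```python
import re
from collections import Counter

# Constructed sample: the two lines quoted in the post plus three made-up lines
# (RFC 5737 addresses) covering another Phase 1 state, a non-ISAKMP message
# that must be ignored, and a Phase 2 deletion.
SAMPLE_LOG = """\
040687: *Apr 16 10:50:44.415 PCTime: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (R) MM_SA_SETUP (peer X.X.X.X)
040688: *Apr 16 10:50:57.867 PCTime: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer X.X.X.X)
040690: *Apr 16 10:51:12.001 PCTime: ISAKMP:(1005):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer 198.51.100.7)
040691: *Apr 16 10:51:13.500 PCTime: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
040692: *Apr 16 10:52:02.118 PCTime: ISAKMP:(1006):deleting SA reason "Death by retransmission P2" state (I) QM_IDLE (peer 203.0.113.9)
"""

DELETE_RE = re.compile(
    r'ISAKMP:\((?P<conn>\d+)\):deleting SA reason "(?P<reason>[^"]+)" '
    r'state \((?P<role>[IR])\) (?P<state>[A-Z_]+) \(peer (?P<peer>[^)]+)\)'
)

# IOS main mode states: MM_NO_STATE = ISAKMP SA created, nothing exchanged yet;
# MM_SA_SETUP = proposal agreed (MM1/MM2 done); MM_KEY_EXCH = DH done, still
# unauthenticated. Hints below are common troubleshooting heuristics, keyed by
# (role, state) for a "Death by retransmission P1" deletion.
PHASE1_HINTS = {
    ('I', 'MM_NO_STATE'): 'MM1 sent, no MM2 back: peer unreachable on UDP/500, or the reply '
                          'is dropped (ACL, NAT mapping, wrong peer address).',
    ('R', 'MM_SA_SETUP'): 'MM2 sent, no MM3 received: our reply did not reach the initiator '
                          '(asymmetric path, NAT return mapping) or the initiator gave up.',
    ('I', 'MM_SA_SETUP'): 'MM3 (KE/nonce) sent, no MM4: peer dropped the key exchange; check '
                          'its debug output for why.',
    ('I', 'MM_KEY_EXCH'): 'MM5 (encrypted ID/HASH) sent, no MM6: peer could not decrypt or '
                          'verify it, typically a pre-shared key or peer identity mismatch.',
    ('R', 'MM_KEY_EXCH'): 'MM4 sent, MM5 never validated: typically a pre-shared key or peer '
                          'identity mismatch on the initiator side.',
}


def parse_isakmp_deletes(text):
    """Return one dict per 'deleting SA' line; other syslog lines are ignored."""
    events = []
    for line in text.splitlines():
        m = DELETE_RE.search(line)
        if not m:
            continue
        ev = m.groupdict()
        ev['conn'] = int(ev['conn'])
        reason = ev['reason']
        ev['phase'] = 1 if reason.endswith('P1') else 2 if reason.endswith('P2') else None
        events.append(ev)
    return events


def diagnose(event):
    """Map one Phase 1 retransmission death to a likely cause."""
    if event['phase'] != 1:
        return ('Phase 2 or non-retransmission deletion: Phase 1 completed, '
                'look at IPsec transform sets and crypto ACLs instead.')
    who = 'initiator' if event['role'] == 'I' else 'responder'
    return PHASE1_HINTS.get((event['role'], event['state']),
                            f"Phase 1 stalled in {event['state']} as {who}.")


def summarize(text):
    """Count retransmission deaths per (peer, role, state) so a flapping peer stands out."""
    return Counter((ev['peer'], ev['role'], ev['state'])
                   for ev in parse_isakmp_deletes(text)
                   if ev['reason'].startswith('Death by retransmission'))


if __name__ == '__main__':
    for ev in parse_isakmp_deletes(SAMPLE_LOG):
        print(f"{ev['peer']:15} {ev['role']} {ev['state']:12} -> {diagnose(ev)}")
    print(summarize(SAMPLE_LOG))
```

Run against a whole day of syslog rather than one debug capture, the counter separates a peer that dies once at boot from one that dies every keepalive interval; the (role, state) pair then tells you which direction to trace first.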
Vincent Fortrat Thu, 04/16/2009 - 04:50

The device that is performing NAT is already redirecting every port to the 877W router.

Vincent Fortrat Fri, 04/17/2009 - 00:15

The tunnel was up during the night but just went down. I attach the logs from "debug crypto isakmp".


It appears that the router is trying to establish an ISAKMP SA on UDP/500 even though we are NATed, and doesn't try to rebuild it on UDP/4500. Both isakmp and non500-isakmp are allowed in the ACL applied on both sides' interfaces.



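Some wire-level context for the UDP/500 versus UDP/4500 question raised above. With IKEv1 NAT traversal (RFC 3947) main mode always starts on UDP/500; the peers advertise NAT-T with Vendor ID payloads and detect the NAT with NAT-D payloads in MM3/MM4, and only then float to UDP/4500 (from MM5 onwards, with ESP following as UDP-encapsulated ESP per RFC 3948). On 4500 the two protocols share one port, so IKE messages carry a four-zero-byte "non-ESP marker" in front of the ISAKMP header, while ESP starts directly with its non-zero SPI. The following is an added example, not from the thread, Cisco or any RFC text: a demultiplexer for UDP/4500 payloads plus an ISAKMP header decoder, exercised on constructed datagrams (the ISAKMP body is a zero placeholder, not a valid SA payload).

```python
import struct

ISAKMP_HDR = struct.Struct('!8s8sBBBBII')  # 28-byte ISAKMP header (RFC 2408)
NON_ESP_MARKER = b'\x00\x00\x00\x00'       # RFC 3948: prefixes IKE on UDP/4500
NAT_KEEPALIVE = b'\xff'                    # RFC 3948: single 0xFF byte keeps the NAT mapping alive

EXCHANGE_TYPES = {2: 'Identity Protection (Main Mode)', 4: 'Aggressive Mode',
                  5: 'Informational', 32: 'Quick Mode'}


def parse_isakmp_header(data):
    """Decode the fixed ISAKMP header; raises if the buffer is too short."""
    if len(data) < ISAKMP_HDR.size:
        raise ValueError('short ISAKMP header')
    ispi, rspi, next_payload, version, exch, flags, msg_id, length = ISAKMP_HDR.unpack_from(data)
    return {
        'initiator_cookie': ispi.hex(),
        'responder_cookie': rspi.hex(),
        'version': f'{version >> 4}.{version & 0x0f}',
        'next_payload': next_payload,
        'exchange': EXCHANGE_TYPES.get(exch, f'type {exch}'),
        'encrypted': bool(flags & 0x01),
        'message_id': msg_id,
        'length': length,
        # Only the very first main mode message still carries an all-zero responder cookie.
        'is_mm1': exch == 2 and rspi == bytes(8),
    }


def classify_udp4500(payload):
    """RFC 3948 demux rule for a UDP/4500 payload: keepalive, IKE (marker) or ESP (SPI != 0)."""
    if payload == NAT_KEEPALIVE:
        return {'kind': 'nat-keepalive'}
    if len(payload) < 8:
        raise ValueError('payload too short for ESP or IKE')
    if payload[:4] == NON_ESP_MARKER:
        return {'kind': 'ike', **parse_isakmp_header(payload[4:])}
    spi, seq = struct.unpack('!II', payload[:8])  # ESP never uses SPI 0, hence no marker needed
    return {'kind': 'esp', 'spi': spi, 'seq': seq}


def classify_udp500(payload):
    """On UDP/500 there is no marker: the payload is the ISAKMP header itself."""
    return {'kind': 'ike', **parse_isakmp_header(payload)}


def build_isakmp(ispi, rspi, exch, msg_id=0, flags=0, body=b''):
    """Constructed ISAKMP message: real header fields, placeholder body (not a valid SA payload)."""
    hdr = ISAKMP_HDR.pack(ispi, rspi, 1, 0x10, exch, flags, msg_id, ISAKMP_HDR.size + len(body))
    return hdr + body


def encapsulate_ike_udp4500(isakmp_msg):
    """What a NAT-T capable peer puts on the wire once it has floated from 500 to 4500."""
    return NON_ESP_MARKER + isakmp_msg


# Constructed samples: a main mode first message and an ESP packet with SPI 0x1234abcd.
MM1 = build_isakmp(bytes.fromhex('0123456789abcdef'), bytes(8), 2, body=bytes(20))
ESP_PKT = struct.pack('!II', 0x1234abcd, 7) + bytes(32)

if __name__ == '__main__':
    print(classify_udp500(MM1))
    print(classify_udp4500(encapsulate_ike_udp4500(MM1)))
    print(classify_udp4500(ESP_PKT))
    print(classify_udp4500(NAT_KEEPALIVE))
    print(classify_udp4500(MM1))  # raw IKE without the marker is misread as ESP: that is why the marker exists
```

The last call in the usage shows the failure mode the marker prevents: the same MM1 bytes sent on 4500 without the marker decode as an ESP packet whose "SPI" is the first four bytes of the initiator cookie. When reading a capture of a NATed tunnel that never floats, the thing to confirm is that both peers emit the NAT-T Vendor ID on port 500 in MM1/MM2, since without that agreement neither side will ever move to 4500.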
Vincent Fortrat Fri, 04/17/2009 - 00:45

I checked my configuration and there is a matching ISAKMP policy. Here is the result of "show crypto isakmp policy" on both routers:


prtratalys01#sh crypto isakmp policy

Global IKE policy
        Protection suite of priority 2
                encryption algorithm:   Three key triple DES
                hash algorithm:         Secure Hash Standard
                authentication method:  Pre-Shared Key
                Diffie-Hellman group:   #2 (1024 bit)
                lifetime:               28800 seconds, no volume limit
        Protection suite of priority 10
                encryption algorithm:   AES - Advanced Encryption Standard (128 bit keys).
                hash algorithm:         Secure Hash Standard
                authentication method:  Pre-Shared Key
                Diffie-Hellman group:   #2 (1024 bit)
                lifetime:               86400 seconds, no volume limit
        Default protection suite
                encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
                hash algorithm:         Secure Hash Standard
                authentication method:  Rivest-Shamir-Adleman Signature
                Diffie-Hellman group:   #1 (768 bit)
                lifetime:               86400 seconds, no volume limit

--------------------------------------------------

877-StPathus#sh crypto isakmp policy

Global IKE policy
        Protection suite of priority 10
                encryption algorithm:   AES - Advanced Encryption Standard (128 bit keys).
                hash algorithm:         Secure Hash Standard
                authentication method:  Pre-Shared Key
                Diffie-Hellman group:   #2 (1024 bit)
                lifetime:               86400 seconds, no volume limit
        Default protection suite
                encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
                hash algorithm:         Secure Hash Standard
                authentication method:  Rivest-Shamir-Adleman Signature
                Diffie-Hellman group:   #1 (768 bit)
                lifetime:               86400 seconds, no volume limit
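The two listings above can be compared mechanically. The following is an added example, not from the thread or from Cisco: it parses show crypto isakmp policy output into suites and lists which ones the two peers can agree on. An IKEv1 proposal matches when encryption, hash, authentication method and DH group are all equal; lifetime is not part of the match, IOS simply uses the shorter of the two. The unnumbered default suite is given the placeholder priority 65535 here purely so it sorts last (an assumption of this code, not something the listing states). The input is the two listings as posted.

```python
import re

# Input taken from the two listings in the post above.
SHOW_1812 = """\
prtratalys01#sh crypto isakmp policy
Global IKE policy
  Protection suite of priority 2
    encryption algorithm:   Three key triple DES
    hash algorithm:         Secure Hash Standard
    authentication method:  Pre-Shared Key
    Diffie-Hellman group:   #2 (1024 bit)
    lifetime:               28800 seconds, no volume limit
  Protection suite of priority 10
    encryption algorithm:   AES - Advanced Encryption Standard (128 bit keys).
    hash algorithm:         Secure Hash Standard
    authentication method:  Pre-Shared Key
    Diffie-Hellman group:   #2 (1024 bit)
    lifetime:               86400 seconds, no volume limit
  Default protection suite
    encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
    hash algorithm:         Secure Hash Standard
    authentication method:  Rivest-Shamir-Adleman Signature
    Diffie-Hellman group:   #1 (768 bit)
    lifetime:               86400 seconds, no volume limit
"""
SHOW_877 = """\
877-StPathus#sh crypto isakmp policy
Global IKE policy
  Protection suite of priority 10
    encryption algorithm:   AES - Advanced Encryption Standard (128 bit keys).
    hash algorithm:         Secure Hash Standard
    authentication method:  Pre-Shared Key
    Diffie-Hellman group:   #2 (1024 bit)
    lifetime:               86400 seconds, no volume limit
  Default protection suite
    encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
    hash algorithm:         Secure Hash Standard
    authentication method:  Rivest-Shamir-Adleman Signature
    Diffie-Hellman group:   #1 (768 bit)
    lifetime:               86400 seconds, no volume limit
"""

SUITE_HDR = re.compile(r'^(?:Protection suite of priority (\d+)|Default protection suite)$')
FIELDS = {'encryption algorithm': 'encryption', 'hash algorithm': 'hash',
          'authentication method': 'auth', 'Diffie-Hellman group': 'group', 'lifetime': 'lifetime'}
DEFAULT_PRIORITY = 65535          # placeholder so the unnumbered default suite sorts last (assumption)
MATCH_FIELDS = ('encryption', 'hash', 'auth', 'group')   # lifetime deliberately excluded


def parse_isakmp_policy(text):
    """Turn 'show crypto isakmp policy' output into suite dicts, lowest priority first."""
    suites, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        hdr = SUITE_HDR.match(line)
        if hdr:
            cur = {'priority': int(hdr.group(1)) if hdr.group(1) else DEFAULT_PRIORITY}
            suites.append(cur)
            continue
        key, sep, value = line.partition(':')
        field = FIELDS.get(key.strip())
        if cur is None or not sep or field is None:
            continue                      # prompt, 'Global IKE policy', unknown fields
        value = value.strip().rstrip('.')
        cur[field] = int(value.split()[0]) if field == 'lifetime' else value
    return sorted(suites, key=lambda s: s['priority'])


def matching_suites(local, remote):
    """Suite pairs a responder would accept: all four parameters equal; lifetime negotiated to the shorter."""
    out = []
    for ls in local:
        for rs in remote:
            if all(ls[f] == rs[f] for f in MATCH_FIELDS):
                out.append({'local_priority': ls['priority'], 'remote_priority': rs['priority'],
                            'negotiated_lifetime': min(ls['lifetime'], rs['lifetime']),
                            **{f: ls[f] for f in MATCH_FIELDS}})
    return out


def unmatched(local, remote):
    """Local priorities that no remote suite can accept (dead proposals)."""
    accepted = {m['local_priority'] for m in matching_suites(local, remote)}
    return [s['priority'] for s in local if s['priority'] not in accepted]


if __name__ == '__main__':
    r1812, r877 = parse_isakmp_policy(SHOW_1812), parse_isakmp_policy(SHOW_877)
    for m in matching_suites(r1812, r877):
        print(m)
    print('1812 priorities with no match on 877:', unmatched(r1812, r877))
```

For these listings the match is priority 10 on both sides (AES-128 / SHA / PSK / group 2, 86400 s) and the two default suites; the 1812's priority 2 (3DES) has no counterpart on the 877, which is harmless since a lower-priority match exists. A matching policy is a necessary condition for Phase 1, so when it holds and the SA still dies by retransmission, the problem is in the path, not in the proposal.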

Vincent Fortrat Fri, 04/17/2009 - 01:35

The 1812 router faces the Internet directly, and the 877 router goes through a business Livebox (from the French ISP Orange). I will check if there is any access limitation on this device.

Vincent Fortrat Wed, 04/22/2009 - 08:10

The NAT-enabled device between the router and the Internet doesn't filter any kind of traffic. Actually, there was another tunnel going through it before this one was configured.

Vincent Fortrat Thu, 04/23/2009 - 07:03

Yes, they are. The first logs I sent to this post were from the remote end:


040687: *Apr 16 10:50:44.415 PCTime: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (R) MM_SA_SETUP (peer X.X.X.X)

040688: *Apr 16 10:50:57.867 PCTime: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer X.X.X.X)



Vincent Fortrat Mon, 04/27/2009 - 00:55

I just figured out what the problem was. I added the global configuration command "crypto ipsec nat-transparency spi-matching" on both routers. The VPN tunnel has now been up since Friday without any problem.


Thanks Andrew,


Vincent
