
VPN Status=MM_NO_STATE but GRE tunnel Stuck on UP-UP why?

blackhat2020
Level 1

Hi everyone, I have a strange problem with my VPN connections. We are using GRE over IPsec in our branches. Sometimes, in some branches, for some odd reason, when I do show crypto isakmp sa I see lots of MM_NO_STATE and ACTIVE (not deleted), and when I shut my GRE tunnel and no shut it again, or do clear crypto isakmp, it becomes QM_IDLE and everything works fine. But in that situation (MM_NO_STATE) my GRE tunnel is stuck in the UP_UP state even though I have configured keepalive for my GRE tunnel and for my ISAKMP. I couldn't find why ISAKMP sometimes stays in MM_NO_STATE (even when everything is OK), but I want to bring down the GRE tunnel when ISAKMP is not QM_IDLE. Thanks

NOTICE: the VPN works fine for, for example, 1 day, and then this problem happens and I have to shut and no shut the GRE tunnel.

This is the branch VPN configuration:

crypto isakmp policy 1
 encr 3des
 group 2
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 20 periodic
!
crypto ipsec security-association replay window-size 1024
!
crypto ipsec transform-set TRANS esp-3des esp-sha-hmac
!
crypto ipsec profile SEC
 set transform-set TRANS
!
!
interface Tunnel520
 ip unnumbered Loopback0
 no ip redirects
 no ip proxy-arp
 ip mtu 1400
 qos pre-classify
 keepalive 20 3
 tunnel source X.X.X.X
 tunnel destination Y.Y.Y.Y
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SEC

This is when the error happens:

#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
Y.Y.Y.Y      X.X.X.X        MM_NO_STATE          0    0 ACTIVE
Y.Y.Y.Y      X.X.X.X        MM_NO_STATE          0    0 ACTIVE
Y.Y.Y.Y      X.X.X.X        MM_NO_STATE          0    0 ACTIVE
Y.Y.Y.Y      X.X.X.X        MM_NO_STATE          0    0 ACTIVE
Y.Y.Y.Y      X.X.X.X        MM_NO_STATE          0    0 ACTIVE
Y.Y.Y.Y      X.X.X.X        MM_NO_STATE          0    0 ACTIVE
Y.Y.Y.Y      X.X.X.X        MM_NO_STATE          0    0 ACTIVE
Y.Y.Y.Y      X.X.X.X        MM_NO_STATE          0    0 ACTIVE
Y.Y.Y.Y      X.X.X.X        MM_NO_STATE          0    0 ACTIVE
Y.Y.Y.Y      X.X.X.X        MM_NO_STATE          0    0 ACTIVE
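
A monitoring check for the condition described in the post above, as an added example that is not part of the original thread: it parses show crypto isakmp sa output and reports dst/src pairs that hold several live MM_NO_STATE entries with no QM_IDLE SA. The sample output, its addresses and the min_pending threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the column layout shown in the post; the addresses are
# documentation-range placeholders, not values from the thread.
SAMPLE = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
198.51.100.1    192.0.2.10      MM_NO_STATE          0    0 ACTIVE
198.51.100.1    192.0.2.10      MM_NO_STATE          0    0 ACTIVE
198.51.100.1    192.0.2.10      MM_NO_STATE          0    0 ACTIVE (deleted)
198.51.100.1    192.0.2.20      QM_IDLE           1001    0 ACTIVE
198.51.100.1    192.0.2.20      MM_NO_STATE          0    0 ACTIVE (deleted)
"""

# dst, src, state (upper-case token), conn-id, slot, status (rest of line).
# The title and column-header lines do not match and are skipped.
ROW = re.compile(r"^(\S+)\s+(\S+)\s+([A-Z_]+)\s+(\d+)\s+(\d+)\s+(.+)$")

def parse_isakmp_sa(text):
    """Return one dict per SA row of 'show crypto isakmp sa' output."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            dst, src, state, conn_id, _slot, status = m.groups()
            rows.append({"dst": dst, "src": src, "state": state,
                         "conn_id": int(conn_id), "status": status.strip()})
    return rows

def stuck_peers(rows, min_pending=2):
    """Map (dst, src) -> count of live MM_NO_STATE SAs where no QM_IDLE exists.

    min_pending is an assumed alert threshold; rows already marked
    '(deleted)' are ignored because the router is aging them out.
    """
    pending = defaultdict(int)
    established = set()
    for r in rows:
        if "deleted" in r["status"]:
            continue
        pair = (r["dst"], r["src"])
        if r["state"] == "QM_IDLE":
            established.add(pair)
        elif r["state"] == "MM_NO_STATE":
            pending[pair] += 1
    return {p: n for p, n in pending.items()
            if p not in established and n >= min_pending}

if __name__ == "__main__":
    for (dst, src), n in stuck_peers(parse_isakmp_sa(SAMPLE)).items():
        print(f"ALERT dst={dst} src={src}: {n} MM_NO_STATE SAs, no QM_IDLE")
```
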

1 Reply

Laurent Aubert
Cisco Employee

Hi,

Are you aware of this security notice about IKE:

http://www.cisco.com/warp/public/707/cisco-sa-20090923-ipsec.shtml

HTH

Laurent.
