VPN Error

Answered Question
Jun 28th, 2010
User Badges:

Hi


recently I started getting following Error after rebooting the router all works ok for sometime and back to problem



VC_RTR#
*Jun 27 08:57:51.717: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed
        connection id=1059, sequence number=58152


VC_RTR#
*Jun 27 08:57:52.325: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Jun 27 08:57:52.325: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Jun 27 08:57:52.325: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Jun 27 08:57:52.325: ISAKMP:(0): sending packet to 68.8.56.2 my_port 500 peer_port 500 (I) MM_NO_STATE
*Jun 27 08:57:52.325: ISAKMP:(0):Sending an IKE IPv4 Packet.


VC_RTR#
*Jun 27 08:58:02.325: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Jun 27 08:58:02.325: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Jun 27 08:58:02.325: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Jun 27 08:58:02.325: ISAKMP:(0): sending packet to 68.8.56.2 my_port 500 peer_port 500 (I) MM_NO_STATE
*Jun 27 08:58:02.325: ISAKMP:(0):Sending an IKE IPv4 Packet.
VC_RTR#
*Jun 27 08:58:12.325: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Jun 27 08:58:12.325: ISAKMP (0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
*Jun 27 08:58:12.325: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Jun 27 08:58:12.325: ISAKMP:(0): sending packet to 68.8.56.2 my_port 500 peer_port 500 (I) MM_NO_STATE
*Jun 27 08:58:12.325: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jun 27 08:58:12.709: ISAKMP: set new node 0 to QM_IDLE     
*Jun 27 08:58:12.709: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local 77.89.11.2, remote 68.8.56.2)
VC_RTR#
*Jun 27 08:58:12.709: ISAKMP: Error while processing SA request: Failed to initialize SA
*Jun 27 08:58:12.709: ISAKMP: Error while processing KMI message 0, error 2.
VC_RTR#
*Jun 27 08:58:22.325: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Jun 27 08:58:22.325: ISAKMP (0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
*Jun 27 08:58:22.325: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Jun 27 08:58:22.325: ISAKMP:(0): sending packet to 68.8.56.2 my_port 500 peer_port 500 (I) MM_NO_STATE
*Jun 27 08:58:22.325: ISAKMP:(0):Sending an IKE IPv4 Packet.


VC_RTR#
*Jun 27 08:58:31.825: ISAKMP:(0):purging node 1113748185
*Jun 27 08:58:31.825: ISAKMP:(0):purging node 491812622
*Jun 27 08:58:32.325: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Jun 27 08:58:32.325: ISAKMP (0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
*Jun 27 08:58:32.325: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Jun 27 08:58:32.325: ISAKMP:(0): sending packet to 68.8.56.2 my_port 500 peer_port 500 (I) MM_NO_STATE
*Jun 27 08:58:32.325: ISAKMP:(0):Sending an IKE IPv4 Packet.

Correct Answer by Richard Burts about 6 years 8 months ago

Saquib


The debug output shows that you are transmitting ISAKMP but are not receiving any ISAKMP response. Can you verify that you have connectivity to the peer at 68.8.56.2?


Can you verify that the peer at 68.8.56.2 is receiving your ISAKMP attempts to negotiate? Does the peer believe that it is sending to you?


It is a possibility that there is some issue on the other device or it may be that there is some problem in between that is disrupting the ISAKMP negotiations.


HTH


Rick

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
spremkumar Mon, 06/28/2010 - 07:04
User Badges:
  • Red, 2250 points or more

Hi


Can you post more info about your setup where you are getting this error message?


have you changed something recently with respect to the isp connection or configuration or hardware ?


also since when you are getting this error (from the beginning of this connection or after any changes in the network)?


Do provide more info on the connectivity which you are using for this vpn connectivity.



regds

Correct Answer
Richard Burts Mon, 06/28/2010 - 08:43
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame,

    Founding Member

  • Cisco Designated VIP,

    2017 LAN, WAN

Saquib


The debug output shows that you are transmitting ISAKMP but are not receiving any ISAKMP response. Can you verify that you have connectivity to the peer at 68.8.56.2?


Can you verify that the peer at 68.8.56.2 is receiving your ISAKMP attempts to negotiate? Does the peer believe that it is sending to you?


It is a possibility that there is some issue on the other device or it may be that there is some problem in between that is disrupting the ISAKMP negotiations.


HTH


Rick

saquib.tandel Mon, 06/28/2010 - 11:27
User Badges:

Hi Rick,


IPSEC traffic was having issue with One Service Provider, moving to another Service Provider resolved the issue.

Its not easy to analyze an issue when all was well and no changes done.  (( OR )) there is some simple troubleshooting tips for IPSEC


:-)  Thanks Rick



Regards

ST

Actions

This Discussion