cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
5587
Views
0
Helpful
10
Replies

Trouble With 881 IPSEC VPN

blueccarthur
Level 1
Level 1

Could someone take a look at the following configs? We're having issues getting a VPN up on two 881 routers and can't figure out what we're missing. Any thoughts are appreciated. I've replaced private info in brackets like <ROUTERA>. Rest assured the IPs for the routers are set properly and not in brackets.

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime msec localtime show-timezone service timestamps log datetime msec localtime show-timezone service password-encryption service sequence-numbers

!

hostname <ROUTERA>

!

boot-start-marker

boot-end-marker

!

security authentication failure rate 3 log security passwords min-length 6 logging buffered 51200 logging console critical

!

no aaa new-model

!

!

!

memory-size iomem 10

clock timezone PCTime -6

clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00 !

crypto pki trustpoint TP-self-signed-4052530123  enrollment selfsigned  subject-name cn=IOS-Self-Signed-Certificate-4052530123

revocation-check none

rsakeypair TP-self-signed-4052530123

!

!

crypto pki certificate chain TP-self-signed-4052530123  certificate self-signed 01

  30820249 308201B2 A0030201 02020101 300D0609 2A864886 F70D0101 04050030

  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274

  69666963 6174652D 34303532 35333031 3233301E 170D3130 30373032 31363436

  34375A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649

  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D34 30353235

  33303132 3330819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281

  8100F22D 0AC7AE63 FBA6CF49 40D9C61F 011FDD8E 639F60FC 2B25561A 6A937BDD

  A7B536F7 F591C5F0 DB1EF660 8A78A9A3 3D2691D6 CCC36734 5B0EACFF 3788DAB0

  2335CE35 53135F2B 2FF130E3 CB8419E7 FCA12958 FA1576FC ABB149F2 0BACC389

  D039E324 12A848C1 D712BE68 09A100B3 8E972F9A 89E36682 88B375F0 A3B0805E

  BF670203 010001A3 71306F30 0F060355 1D130101 FF040530 030101FF 301C0603

  551D1104 15301382 11727472 2D796F72 6B2E6266 70642E63 6F6D301F 0603551D

  23041830 16801436 AF01335D 581256E3 70C32023 FB4CA008 9ABDF030 1D060355

  1D0E0416 041436AF 01335D58 1256E370 C32023FB 4CA0089A BDF0300D 06092A86

  4886F70D 01010405 00038181 004ED8A0 19FE1545 31A4D819 39B491EF 0F1E829A

  1E2EC1B2 75AEA6F6 F20CD38C C1891C68 87271560 C8AC4561 791CF9EC 48CE9EB0

  4977D264 26057C7D D69A69BF 5EB82630 B9BC3249 605D889B 912C2650 20C909BC

  D2F2A77B 3AA02C39 90A3E82F 52FC04B9 91F7C194 A09C4E10 E8787538 9C89DFA9

  9929FEB7 517DEE55 B7CF0D63 36

        quit

no ip source-route

!

!

ip dhcp excluded-address 192.168.1.1 192.168.1.199 !

ip dhcp pool ccp-pool1

   import all

   network 192.168.1.0 255.255.255.0

   default-router 192.168.1.1

   dns-server 192.168.1.4 64.105.179.138 !

!

ip cef

no ip bootp server

ip domain name domain.com

ip name-server <DNS1>

ip name-server <DNS2>

no ipv6 cef

!

!

multilink bundle-name authenticated

license udi pid CISCO881-SEC-K9 sn

!

!

!

ip tcp synwait-time 10

ip ssh time-out 60

ip ssh authentication-retries 2

!

!

crypto isakmp policy 1

encr aes

authentication pre-share

group 5

crypto isakmp key ****** address <ROUTERBADDRESS>

!

!

crypto ipsec transform-set esp-aes-sha esp-aes esp-sha-hmac

!

crypto map vpn 10 ipsec-isakmp

set peer <ROUTERBADDRESS>

set transform-set esp-aes-sha

match address 101

!

!

!

!

!

interface FastEthernet0

!

!

interface FastEthernet1

!

!

interface FastEthernet2

!

!

interface FastEthernet3

!

!

interface FastEthernet4

description $FW_OUTSIDE$$ES_WAN$

ip address <ROUTERAADDRESS> 255.255.255.248 

no ip redirects 

no ip unreachables 

no ip proxy-arp 

ip flow ingress 

ip nat outside 

ip virtual-reassembly 

duplex auto 

speed auto 

crypto map vpn 

!

!

interface Vlan1

description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$ 

ip address 192.168.1.1 255.255.255.0 

no ip redirects 

no ip unreachables 

no ip proxy-arp 

ip flow ingress 

ip nat inside 

ip virtual-reassembly 

ip tcp adjust-mss 1452 

!

!

ip forward-protocol nd

ip http server

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000 !

!

ip nat inside source static tcp 192.168.1.3 1723 interface FastEthernet4 1723

ip nat inside source static tcp 192.168.1.1 22 interface FastEthernet4 22

ip nat inside source static tcp 192.168.1.3 80 interface FastEthernet4 80

ip nat inside source static tcp 192.168.1.3 3389 interface FastEthernet4 3389

ip nat inside source static tcp 192.168.1.3 47 interface FastEthernet4 47

ip nat inside source static udp 192.168.1.3 67 interface FastEthernet4 67

ip nat inside source static udp 192.168.1.3 68 interface FastEthernet4 68

ip nat inside source static udp 192.168.1.3 500 interface FastEthernet4 500

ip nat inside source static udp 192.168.1.3 4500 interface FastEthernet4 4500

ip nat inside source list 111 interface FastEthernet4 overload

ip route 0.0.0.0 0.0.0.0 <GATEWAY>

!

logging trap debugging

access-list 100 remark CCP_ACL Category=128

access-list 100 permit ip host 255.255.255.255 any

access-list 100 permit ip 127.0.0.0 0.255.255.255 any

access-list 100 permit ip 69.3.229.0 0.0.0.255 any

access-list 100 permit gre any any

access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255

access-list 111 deny   ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255

access-list 111 permit ip 192.168.1.0 0.0.0.255 any no cdp run

!

!

!

!

!

control-plane

!

!

line con 0

login local

no modem enable

transport output telnet

line aux 0

login local

transport output telnet

line vty 0 4

privilege level 15

login local

transport input telnet ssh

!

scheduler max-task-time 5000

scheduler allocate 4000 1000

scheduler interval 500

end

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime msec localtime show-timezone service timestamps log datetime msec localtime show-timezone service password-encryption service sequence-numbers

!

hostname <ROUTERB>

!

boot-start-marker

boot-end-marker

!

security authentication failure rate 3 log security passwords min-length 6 logging buffered 51200 logging console critical

!

no aaa new-model

!

!

!

memory-size iomem 10

clock timezone PCTime -6

clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00 !

crypto pki trustpoint TP-self-signed-3533576425  enrollment selfsigned  subject-name cn=IOS-Self-Signed-Certificate-3533576425

revocation-check none

rsakeypair TP-self-signed-3533576425

!

!

crypto pki certificate chain TP-self-signed-3533576425  certificate self-signed 01

  3082024A 308201B3 A0030201 02020101 300D0609 2A864886 F70D0101 04050030

  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274

  69666963 6174652D 33353333 35373634 3235301E 170D3130 30373134 30313239

  31345A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649

  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 35333335

  37363432 3530819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281

  8100B7A1 950DFF3E 1E8A9508 9D9F489D 4E96C2DF 3AD50ACF FB48782C F56B3DBF

  B0949CBA CC66EF3E 9F3C863C 4977219F A24E6893 4DCEF376 E663E6A2 3A5EA509

  F9974901 9A5F5967 81E61DDB CEFF7B36 802F28AA 3F582903 2228D85B 0FD1269A

  7214A404 9AB96F94 31663C9A 14DA8563 1CAA31BF D23BE567 8F1D08D8 A96CA0B0

  3C230203 010001A3 72307030 0F060355 1D130101 FF040530 030101FF 301D0603

  551D1104 16301482 12727472 2D666F73 7465722E 6266642E 636F6D30 1F060355

  1D230418 30168014 47B39DE3 A3E0A4C2 80447A33 95F1ED95 51BC786A 301D0603

  551D0E04 16041447 B39DE3A3 E0A4C280 447A3395 F1ED9551 BC786A30 0D06092A

  864886F7 0D010104 05000381 81008707 65F450D5 433B5233 0B339846 C0A791D9

  DD420C51 2026999B FB4E4F41 CC8F1F5C 447B3C0D 26039E20 EF371E97 6E34CDB9

  7C8A4B80 48FA0C00 BF547BF2 2FE638B8 12EB7A8B F64C348C 2902B3EA 17698397

  3AB646FF 6668B6A0 15AE8B39 A1076EF5 E8AE68BE 861C93CE 59B57400 D01BB7FE

  9E223D22 72F4BD77 3D49C31A 7B6D

        quit

no ip source-route

!

!

ip dhcp excluded-address 192.168.4.1 192.168.4.199

!

ip dhcp pool ccp-pool1

   import all

   network 192.168.4.0 255.255.255.0

   dns-server 64.105.189.26 64.105.179.138

   default-router 192.168.4.1

!

!

ip cef

no ip bootp server

ip domain name domain.com

ip name-server <DNS1>

ip name-server <DNS2>

no ipv6 cef

!

!

multilink bundle-name authenticated

license udi pid CISCO881-SEC-K9 sn

!

!

!

ip tcp synwait-time 10

ip ssh time-out 60

ip ssh authentication-retries 2

!

!

crypto isakmp policy 1

encr aes

authentication pre-share

group 5

crypto isakmp key ****** address <ROUTERAADDRESS>

!

!

crypto ipsec transform-set esp-aes-sha esp-aes esp-sha-hmac

!

crypto map vpn 10 ipsec-isakmp

set peer <ROUTERAADDRESS>

set transform-set esp-aes-sha

match address 101

!

!

!

!

!

interface FastEthernet0

!

!

interface FastEthernet1

!

!

interface FastEthernet2

!

!

interface FastEthernet3

!

!

interface FastEthernet4

description $ES_WAN$$FW_OUTSIDE$

ip address <ROUTERBADDRESS> 255.255.255.248 

no ip redirects 

no ip unreachables

no ip proxy-arp 

ip flow ingress 

ip nat outside 

ip virtual-reassembly 

duplex auto 

speed auto  

crypto map vpn 

!

!

interface Vlan1

description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$ 

ip address 192.168.4.1 255.255.255.0 

no ip redirects 

no ip unreachables 

no ip proxy-arp 

ip flow ingress 

ip nat inside 

ip virtual-reassembly 

ip tcp adjust-mss 1452 

!

!

ip forward-protocol nd

ip http server

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

!

!

ip nat inside source list 111 interface FastEthernet4 overload

ip route 0.0.0.0 0.0.0.0 <GATEWAY>

!

logging trap debugging

access-list 100 remark CCP_ACL Category=128

access-list 100 permit ip host 255.255.255.255 any

access-list 100 permit ip 127.0.0.0 0.255.255.255 any

access-list 100 permit ip 68.166.95.208 0.0.0.7 any

access-list 100 permit gre any any

access-list 101 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 111 deny   ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 111 permit ip 192.168.4.0 0.0.0.255 any no cdp run

!

!

!

!

!

control-plane

!

!

line con 0

login local

no modem enable

transport output telnet

line aux 0

login local

transport output telnet

line vty 0 4

privilege level 15

login local

transport input telnet ssh

!

scheduler max-task-time 5000

scheduler allocate 4000 1000

scheduler interval 500

end

10 Replies 10

Jennifer Halim
Cisco Employee
Cisco Employee

Configuration looks correct.

Which phase is it failing?

Can you share the output of:

show cry isa sa

show cry ipsec sa

Also, can you pls run the following debug so we know where exactly it's failing:

debug cry isa

debug cry ipsec

I would test to ping 192.168.4.1 sourcing from 192.168.1.1 on Router A, and/OR ping 192.168.1.1 sourcing from 192.168.4.1 from Router B.

Thank you for the quick reply. It appears to be failing on phase 1. I've tested the extended pings like you mentioned and they always time out and then the send error counter increments. Below are the outputs you requested. When watching the debug, after doing an extended ping it tries 5 times and then stops.

#sh cry isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status

IPv6 Crypto ISAKMP SA

#sh cry ipsec sa

interface: FastEthernet4
    Crypto map tag: vpn, local addr

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.4.0/255.255.255.0/0/0)
   current_peer port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 5, #recv errors 0

     local crypto endpt.: , remote crypto endpt.:
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

Sending 5, 100-byte ICMP Echos to 192.168.4.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1

000091: *Aug 24 08:36:46.095 PCTime: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= , remote= ,
    local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.4.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-aes esp-sha-hmac  (Tunnel),
    lifedur= 86400s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
000092: *Aug 24 08:36:46.095 PCTime: ISAKMP:(0): SA request profile is (NULL)
000093: *Aug 24 08:36:46.095 PCTime: ISAKMP: Created a peer struct for , peer port 500
000094: *Aug 24 08:36:46.095 PCTime: ISAKMP: New peer created peer = 0x8622F914 peer_handle = 0x80000004
000095: *Aug 24 08:36:46.095 PCTime: ISAKMP: Locking peer struct 0x8622F914, refcount 1 for isakmp_initiator
000096: *Aug 24 08:36:46.095 PCTime: ISAKMP: local port 500, remote port 500
000097: *Aug 24 08:36:46.095 PCTime: ISAKMP: set new node 0 to QM_IDLE
000098: *Aug 24 08:36:46.095 PCTime: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 858A48BC
000099: *Aug 24 08:36:46.095 PCTime: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
000100: *Aug 24 08:36:46.095 PCTime: ISAKMP:(0):found peer pre-shared key matching
000101: *Aug 24 08:36:46.095 PCTime: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
000102: *Aug 24 08:36:46.095 PCTime: ISAKMP:(0): constructed NAT-T vendor-07 ID
000103: *Aug 24 08:36:46.095 PCTime: ISAKMP:(0): constructed NAT-T vendor-03 ID
000104: *Aug 24 08:36:46.095 PCTime: ISAKMP:(0): constructed NAT-T vendor-02 ID
000105: *Aug 24 08:36:46.095 PCTime: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
000106: *Aug 24 08:36:46.095 PCTime: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1

000107: *Aug 24 08:36:46.095 PCTime: ISAKMP:(0): beginning Main Mode exchange
000108: *Aug 24 08:36:46.095 PCTime: ISAKMP:(0): sending packet to my_port 500 peer_port 500 (I) MM_NO_STATE
000109: *Aug 24 08:36:46.095 PCTime: ISAKMP:(0):Sending an IKE IPv4 Packet..
000110: *Aug 24 08:36:47.987 PCTime: ISAKMP:(0):purging node -280443438
000111: *Aug 24 08:36:47.987 PCTime: ISAKMP:(0):purging node 231817120....
Success rate is 0 percent (0/5)
rtr-york#
000112: *Aug 24 08:36:56.095 PCTime: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
000113: *Aug 24 08:36:56.095 PCTime: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
000114: *Aug 24 08:36:56.095 PCTime: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
000115: *Aug 24 08:36:56.095 PCTime: ISAKMP:(0): sending packet to my_port 500 peer_port 500 (I) MM_NO_STATE
000116: *Aug 24 08:36:56.095 PCTime: ISAKMP:(0):Sending an IKE IPv4 Packet.
000117: *Aug 24 08:36:57.987 PCTime: ISAKMP:(0):purging SA., sa=862106B0, delme=862106B0
000118: *Aug 24 08:37:06.095 PCTime: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
000119: *Aug 24 08:37:06.095 PCTime: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
000120: *Aug 24 08:37:06.095 PCTime: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
000121: *Aug 24 08:37:06.095 PCTime: ISAKMP:(0): sending packet to my_port 500 peer_port 500 (I) MM_NO_STATE
000122: *Aug 24 08:37:06.095 PCTime: ISAKMP:(0):Sending an IKE IPv4 Packet.

#sh crypto session

Crypto session current status

Interface: FastEthernet4

Session status: DOWN

Peer: port 500

  IPSEC FLOW: permit ip 192.168.1.0/255.255.255.0 192.168.4.0/255.255.255.0

        Active SAs: 0, origin: crypto map

Hi,

From the debugs, it looks like ROUTERA never gets a response from ROUTERB. Can you run the same debugs at ROUTERB? We can see if this first exchange is even reaching ROUTERB or if the reply from ROUTERB is not reaching back ROUTERA.

As a side note, while we look at the debugs and troubleshoot this, I would suggest you to confirm with your ISP if UDP 500 is being blocked between these 2 routers.

Regards,

Prapanch

Here's what I was seeing after turning on debug on ROUTERB. It started doing this as soon as I turned on debug. I think did a ping from ROUTERA as well. I called the ISP last week and they said they aren't doing any filtering. Is there a way to test remotely if port 500 is accessible through the router by telnet or something else?

000110: *Aug 26 11:13:32.135 PCTime: IPSEC(key_engine): got a queue event with 1 KMI message(s)
000111: *Aug 26 11:13:41.639 PCTime: ISAKMP (0): received packet from dport 500 sport 500 Global (R) MM_SA_SETUP
000112: *Aug 26 11:13:41.639 PCTime: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.
000113: *Aug 26 11:13:41.639 PCTime: ISAKMP:(0): retransmitting due to retransmit phase 1
000114: *Aug 26 11:13:42.139 PCTime: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...
000115: *Aug 26 11:13:42.139 PCTime: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
000116: *Aug 26 11:13:42.139 PCTime: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP
000117: *Aug 26 11:13:42.139 PCTime: ISAKMP:(0): sending packet to my_port 500 peer_port 500 (R) MM_SA_SETUP
000118: *Aug 26 11:13:42.139 PCTime: ISAKMP:(0):Sending an IKE IPv4 Packet.
000119: *Aug 26 11:13:51.639 PCTime: ISAKMP (0): received packet from dport 500 sport 500 Global (R) MM_SA_SETUP
000120: *Aug 26 11:13:51.639 PCTime: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.
000121: *Aug 26 11:13:51.639 PCTime: ISAKMP:(0): retransmitting due to retransmit phase 1
000122: *Aug 26 11:13:52.139 PCTime: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...
000123: *Aug 26 11:13:52.139 PCTime: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
000124: *Aug 26 11:13:52.139 PCTime: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP
000125: *Aug 26 11:13:52.139 PCTime: ISAKMP:(0): sending packet to my_port 500 peer_port 500 (R) MM_SA_SETUP
000126: *Aug 26 11:13:52.139 PCTime: ISAKMP:(0):Sending an IKE IPv4 Packet.
000127: *Aug 26 11:14:01.643 PCTime: ISAKMP (0): received packet from dport 500 sport 500 Global (R) MM_SA_SETUP
000128: *Aug 26 11:14:01.643 PCTime: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.
000129: *Aug 26 11:14:01.643 PCTime: ISAKMP:(0): retransmitting due to retransmit phase 1
000130: *Aug 26 11:14:02.143 PCTime: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...
000131: *Aug 26 11:14:02.143 PCTime: ISAKMP (0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
000132: *Aug 26 11:14:02.143 PCTime: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP
000133: *Aug 26 11:14:02.143 PCTime: ISAKMP:(0): sending packet to my_port 500 peer_port 500 (R) MM_SA_SETUP
000134: *Aug 26 11:14:02.143 PCTime: ISAKMP:(0):Sending an IKE IPv4 Packet.
000135: *Aug 26 11:14:11.643 PCTime: ISAKMP (0): received packet from dport 500 sport 500 Global (R) MM_SA_SETUP
000136: *Aug 26 11:14:11.643 PCTime: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.
000137: *Aug 26 11:14:11.643 PCTime: ISAKMP:(0): retransmitting due to retransmit phase 1
000138: *Aug 26 11:14:12.143 PCTime: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...
000139: *Aug 26 11:14:12.143 PCTime: ISAKMP (0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
000140: *Aug 26 11:14:12.143 PCTime: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP
000141: *Aug 26 11:14:12.143 PCTime: ISAKMP:(0): sending packet to my_port 500 peer_port 500 (R) MM_SA_SETUP
000142: *Aug 26 11:14:12.143 PCTime: ISAKMP:(0):Sending an IKE IPv4 Packet.
000143: *Aug 26 11:14:21.643 PCTime: ISAKMP (0): received packet from dport 500 sport 500 Global (R) MM_SA_SETUP
000144: *Aug 26 11:14:21.643 PCTime: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.
000145: *Aug 26 11:14:21.643 PCTime: ISAKMP:(0): retransmitting due to retransmit phase 1
000146: *Aug 26 11:14:22.143 PCTime: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...
000147: *Aug 26 11:14:22.143 PCTime: ISAKMP (0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
000148: *Aug 26 11:14:22.143 PCTime: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP
000149: *Aug 26 11:14:22.143 PCTime: ISAKMP:(0): sending packet to my_port 500 peer_port 500 (R) MM_SA_SETUP
000150: *Aug 26 11:14:22.143 PCTime: ISAKMP:(0):Sending an IKE IPv4 Packet.
000151: *Aug 26 11:14:32.135 PCTime: ISAKMP:(0):purging SA., sa=8625EDAC, delme=8625EDAC
000152: *Aug 26 11:14:32.143 PCTime: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...
000153: *Aug 26 11:14:32.143 PCTime: ISAKMP:(0):peer does not do paranoid keepalives.

000154: *Aug 26 11:14:32.143 PCTime: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (R) MM_SA_SETUP (peer )
000155: *Aug 26 11:14:32.143 PCTime: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (R) MM_SA_SETUP (peer )
000156: *Aug 26 11:14:32.143 PCTime: ISAKMP: Unlocking peer struct 0x851932E0 for isadb_mark_sa_deleted(), count 0
000157: *Aug 26 11:14:32.143 PCTime: ISAKMP: Deleting peer node by peer_reap for : 851932E0
000158: *Aug 26 11:14:32.143 PCTime: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
000159: *Aug 26 11:14:32.143 PCTime: ISAKMP:(0):Old State = IKE_R_MM2  New State = IKE_DEST_SA

000160: *Aug 26 11:14:32.143 PCTime: IPSEC(key_engine): got a queue event with 1 KMI message(s)

Hi,

Unfortunately the debugs you have posted do not start from the time ROUTERB gets the initial packet, but looking at this line:

000159: *Aug 26 11:14:32.143 PCTime: ISAKMP:(0):Old State = IKE_R_MM2   New State = IKE_DEST_SA

It looks like ROUTERB gets the initial exchange from ROUTERA and also replies to it, but ROUTERA never gets this 2nd exchange. Do you have any firewall devices between thee 2 routers that could be doing such a thing? If not,  it certainly seems like the ISP is blocking this UDP 500 packet from  ROUTERB to ROUTERA.Have them cehck again.

If possible, please try capturing packets on UDP 500 before each of the routers and we can then clearly see what is going wrong.

Regards,

Prapanch

Prapanch,

Thank you for following up. Below is the complete debug log when pinging from ROUTERA to ROUTERB. Do you have a recommended way of capturing the port 500 packets?

The connection at each site is DSL and the ISP has a bridged modem in front of the routers at each site. They swear there is no stateful packet inspection or port filtering/blocking. I might try talking with someone else there if we can prove it.

000695: *Aug 27 08:28:04.382 PCTime: ISAKMP (0): received packet from dport 500 sport 500 Global (N) NEW SA
000696: *Aug 27 08:28:04.382 PCTime: ISAKMP: Created a peer struct for , peer port 500
000697: *Aug 27 08:28:04.382 PCTime: ISAKMP: New peer created peer = 0x85192EEC peer_handle = 0x80000669
000698: *Aug 27 08:28:04.382 PCTime: ISAKMP: Locking peer struct 0x85192EEC, refcount 1 for crypto_isakmp_process_block
000699: *Aug 27 08:28:04.382 PCTime: ISAKMP: local port 500, remote port 500
000700: *Aug 27 08:28:04.382 PCTime: ISAKMP:(0):insert sa successfully sa = 86203154
000701: *Aug 27 08:28:04.382 PCTime: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
000702: *Aug 27 08:28:04.382 PCTime: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_MM1

000703: *Aug 27 08:28:04.382 PCTime: ISAKMP:(0): processing SA payload. message ID = 0
000704: *Aug 27 08:28:04.382 PCTime: ISAKMP:(0):found peer pre-shared key matching
000705: *Aug 27 08:28:04.382 PCTime: ISAKMP:(0): local preshared key found
000706: *Aug 27 08:28:04.382 PCTime: ISAKMP : Scanning profiles for xauth ...
000707: *Aug 27 08:28:04.382 PCTime: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
000708: *Aug 27 08:28:04.382 PCTime: ISAKMP:      encryption AES-CBC
000709: *Aug 27 08:28:04.382 PCTime: ISAKMP:      keylength of 128
000710: *Aug 27 08:28:04.382 PCTime: ISAKMP:      hash SHA
000711: *Aug 27 08:28:04.382 PCTime: ISAKMP:      default group 5
000712: *Aug 27 08:28:04.382 PCTime: ISAKMP:      auth pre-share
000713: *Aug 27 08:28:04.382 PCTime: ISAKMP:      life type in seconds
000714: *Aug 27 08:28:04.382 PCTime: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
000715: *Aug 27 08:28:04.382 PCTime: ISAKMP:(0):atts are acceptable. Next payload is 0
000716: *Aug 27 08:28:04.382 PCTime: ISAKMP:(0):Acceptable atts:actual life: 0
000717: *Aug 27 08:28:04.382 PCTime: ISAKMP:(0):Acceptable atts:life: 0
000718: *Aug 27 08:28:04.382 PCTime: ISAKMP:(0):Fill atts in sa vpi_length:4
000719: *Aug 27 08:28:04.382 PCTime: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
000720: *Aug 27 08:28:04.382 PCTime: ISAKMP:(0):Returning Actual lifetime: 86400
000721: *Aug 27 08:28:04.382 PCTime: ISAKMP:(0)::Started lifetime timer: 86400.

000722: *Aug 27 08:28:04.382 PCTime: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
000723: *Aug 27 08:28:04.382 PCTime: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM1

000724: *Aug 27 08:28:04.386 PCTime: ISAKMP:(0): sending packet to my_port 500 peer_port 500 (R) MM_SA_SETUP
000725: *Aug 27 08:28:04.386 PCTime: ISAKMP:(0):Sending an IKE IPv4 Packet.
000726: *Aug 27 08:28:04.386 PCTime: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
000727: *Aug 27 08:28:04.386 PCTime: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM2

000728: *Aug 27 08:28:14.370 PCTime: ISAKMP (0): received packet from dport 500 sport 500 Global (R) MM_SA_SETUP
000729: *Aug 27 08:28:14.370 PCTime: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.
000730: *Aug 27 08:28:14.370 PCTime: ISAKMP:(0): retransmitting due to retransmit phase 1
000731: *Aug 27 08:28:14.870 PCTime: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...
000732: *Aug 27 08:28:14.870 PCTime: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
000733: *Aug 27 08:28:14.870 PCTime: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP
000734: *Aug 27 08:28:14.870 PCTime: ISAKMP:(0): sending packet to my_port 500 peer_port 500 (R) MM_SA_SETUP
000735: *Aug 27 08:28:14.870 PCTime: ISAKMP:(0):Sending an IKE IPv4 Packet.
000736: *Aug 27 08:28:24.374 PCTime: ISAKMP (0): received packet from dport 500 sport 500 Global (R) MM_SA_SETUP
000737: *Aug 27 08:28:24.374 PCTime: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.
000738: *Aug 27 08:28:24.374 PCTime: ISAKMP:(0): retransmitting due to retransmit phase 1
000739: *Aug 27 08:28:24.874 PCTime: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...
000740: *Aug 27 08:28:24.874 PCTime: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
000741: *Aug 27 08:28:24.874 PCTime: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP
000742: *Aug 27 08:28:24.874 PCTime: ISAKMP:(0): sending packet to my_port 500 peer_port 500 (R) MM_SA_SETUP
000743: *Aug 27 08:28:24.874 PCTime: ISAKMP:(0):Sending an IKE IPv4 Packet.
000744: *Aug 27 08:28:34.370 PCTime: ISAKMP (0): received packet from dport 500 sport 500 Global (R) MM_SA_SETUP
000745: *Aug 27 08:28:34.370 PCTime: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.
000746: *Aug 27 08:28:34.370 PCTime: ISAKMP:(0): retransmitting due to retransmit phase 1
000747: *Aug 27 08:28:34.870 PCTime: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...
000748: *Aug 27 08:28:34.870 PCTime: ISAKMP (0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
000749: *Aug 27 08:28:34.870 PCTime: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP
000750: *Aug 27 08:28:34.870 PCTime: ISAKMP:(0): sending packet to my_port 500 peer_port 500 (R) MM_SA_SETUP
000751: *Aug 27 08:28:34.870 PCTime: ISAKMP:(0):Sending an IKE IPv4 Packet.
000752: *Aug 27 08:28:44.374 PCTime: ISAKMP (0): received packet from dport 500 sport 500 Global (R) MM_SA_SETUP
000753: *Aug 27 08:28:44.374 PCTime: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.
000754: *Aug 27 08:28:44.374 PCTime: ISAKMP:(0): retransmitting due to retransmit phase 1
000755: *Aug 27 08:28:44.874 PCTime: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...
000756: *Aug 27 08:28:44.874 PCTime: ISAKMP (0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
000757: *Aug 27 08:28:44.874 PCTime: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP
000758: *Aug 27 08:28:44.874 PCTime: ISAKMP:(0): sending packet to my_port 500 peer_port 500 (R) MM_SA_SETUP
000759: *Aug 27 08:28:44.874 PCTime: ISAKMP:(0):Sending an IKE IPv4 Packet.
000760: *Aug 27 08:28:54.370 PCTime: ISAKMP (0): received packet from dport 500 sport 500 Global (R) MM_SA_SETUP
000761: *Aug 27 08:28:54.370 PCTime: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.
000762: *Aug 27 08:28:54.370 PCTime: ISAKMP:(0): retransmitting due to retransmit phase 1
000763: *Aug 27 08:28:54.870 PCTime: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...
000764: *Aug 27 08:28:54.870 PCTime: ISAKMP (0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
000765: *Aug 27 08:28:54.870 PCTime: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP
000766: *Aug 27 08:28:54.870 PCTime: ISAKMP:(0): sending packet to my_port 500 peer_port 500 (R) MM_SA_SETUP
000767: *Aug 27 08:28:54.870 PCTime: ISAKMP:(0):Sending an IKE IPv4 Packet.
000768: *Aug 27 08:29:04.870 PCTime: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...
000769: *Aug 27 08:29:04.870 PCTime: ISAKMP:(0):peer does not do paranoid keepalives.

000770: *Aug 27 08:29:04.870 PCTime: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (R) MM_SA_SETUP (peer )
000771: *Aug 27 08:29:04.870 PCTime: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (R) MM_SA_SETUP (peer )
000772: *Aug 27 08:29:04.870 PCTime: ISAKMP: Unlocking peer struct 0x85192EEC for isadb_mark_sa_deleted(), count 0
000773: *Aug 27 08:29:04.870 PCTime: ISAKMP: Deleting peer node by peer_reap for : 85192EEC
000774: *Aug 27 08:29:04.870 PCTime: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
000775: *Aug 27 08:29:04.870 PCTime: ISAKMP:(0):Old State = IKE_R_MM2  New State = IKE_DEST_SA

000776: *Aug 27 08:29:04.870 PCTime: IPSEC(key_engine): got a queue event with 1 KMI message(s)
000777: *Aug 27 08:30:04.870 PCTime: ISAKMP:(0):purging SA., sa=86203154, delme=86203154

Hi,

Looking at the debugs my conclusion would be the same. Well to capture packets on the routers, only way i can think of is using the Embedded packet capture feature:

http://www.cisco.com/en/US/docs/ios/netmgmt/configuration/guide/nm_packet_capture_ps6441_TSD_Products_Configuration_Guide_Chapter.html

But you need to be running a version on which it is supported. Hope this helps!!

Regards,

Prapanch

Ok, so I put filters on the interface for isakmp and esp traffic. The isakmp traffic is incrementing but nothing from esp:

#show access-lists 120
Extended IP access list 120
    10 permit esp host any log
    20 permit udp host any eq isakmp log (13813 matches)
    30 permit ip any any (1600060 matches)
#ping
Protocol [ip]:
Target IP address: 192.168.4.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 192.168.1.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.4.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
.....
Success rate is 0 percent (0/5)
#show access-lists 120
Extended IP access list 120
    10 permit esp host any log
    20 permit udp host any eq isakmp log (13820 matches)
    30 permit ip any any (1600263 matches)
#

# sh access-lists 120
Extended IP access list 120
    10 permit esp host any log
    20 permit udp host any eq isakmp log (12091 matches)
    30 permit ip any any (2076362 matches)
# sh access-lists 120
Extended IP access list 120
    10 permit esp host any log
    20 permit udp host any eq isakmp log (12100 matches)
    30 permit ip any any (2076378 matches)
#

I contacted the ISP and they say something's wrong with the config.  They won't say what but they'll gladly charge a huge fee to reconfigure  it. Any other thoughts on what would cause the esp to not increment?  Would the fact that I'm doing some port forwarding have anything to do  with it?

blueccarthur
Level 1
Level 1

Anyone have further thoughts? Still stumped on this one.

blueccarthur
Level 1
Level 1

All fixed, there was a NAT entry forwarding port 500 which was messing it all up. After removing that everything came up properly.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: