
Require isakmp tunnel assistance....

Unanswered Question
Aug 14th, 2013

Hi,

I have a VPN tunnel set up from one location to another; it's a BGP failover on my MPLS network over a DSL line. I've checked the policy, they all match, and all my keys, but I am getting the following in debug:
Aug 14 20:31:28.870: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer xxx.xxx.xxx.xxx)
Aug 14 20:31:28.870: ISAKMP: Unlocking peer struct 0x65C0390C for isadb_mark_sa_deleted(), count 0
Aug 14 20:31:28.870: ISAKMP: Deleting peer node by peer_reap for 74.94.42.153: 65C0390C
Aug 14 20:31:28.870: ISAKMP:(0):deleting node -1073969683 error FALSE reason "IKE deleted"
Aug 14 20:31:28.870: ISAKMP:(0):deleting node 1457398188 error FALSE reason "IKE deleted"
Aug 14 20:31:28.870: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Aug 14 20:31:28.870: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_DEST_SA

Aug 14 20:31:28.874: ISAKMP:(0): SA request profile is (NULL)
Aug 14 20:31:28.874: ISAKMP: Created a peer struct for 74.94.42.153, peer port 500
Aug 14 20:31:28.874: ISAKMP: New peer created peer = 0x65C0390C peer_handle = 0x800845EA
Aug 14 20:31:28.874: ISAKMP: Locking peer struct 0x65C0390C, refcount 1 for isakmp_initiator
Aug 14 20:31:28.874: ISAKMP: local port 500, remote port 500
Aug 14 20:31:28.874: ISAKMP: set new node 0 to QM_IDLE
Aug 14 20:31:28.874: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 65C01674
Aug 14 20:31:28.874: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
Aug 14 20:31:28.874: ISAKMP:(0):found peer pre-shared key matching 74.94.42.153
Aug 14 20:31:28.874: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
Aug 14 20:31:28.874: ISAKMP:(0): constructed NAT-T vendor-07 ID
Aug 14 20:31:28.874: ISAKMP:(0): constructed NAT-T vendor-03 ID
Aug 14 20:31:28.874: ISAKMP:(0): constructed NAT-T vendor-02 ID
Aug 14 20:31:28.874: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Aug 14 20:31:28.874: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1

Aug 14 20:31:28.874: ISAKMP:(0): beginning Main Mode exchange
Aug 14 20:31:28.874: ISAKMP:(0): sending packet to xxx.xxx.xxx.xxx my_port 500 peer_port 500 (I) MM_NO_STATE
Aug 14 20:31:28.874: ISAKMP:(0):Sending an IKE IPv4 Packet.
Aug 14 20:31:38.873: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Aug 14 20:31:38.873: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Aug 14 20:31:38.873: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Aug 14 20:31:38.873: ISAKMP:(0): sending packet to xxx.xxx.xxx.xxx my_port 500 peer_port 500 (I) MM_NO_STATE
Aug 14 20:31:38.873: ISAKMP:(0):Sending an IKE IPv4 Packet.
Aug 14 20:31:48.872: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Aug 14 20:31:48.872: ISAKMP (0:0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
Aug 14 20:31:48.872: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Aug 14 20:31:48.872: ISAKMP:(0): sending packet to xxx.xxx.xxx.xxx my_port 500 peer_port 500 (I) MM_NO_STATE
Aug 14 20:31:48.872: ISAKMP:(0):Sending an IKE IPv4 Packet.
Aug 14 20:31:58.866: ISAKMP: set new node 0 to QM_IDLE
Aug 14 20:31:58.866: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local 67.40.110.170, remote 74.94.42.153)
Aug 14 20:31:58.866: ISAKMP: Error while processing SA request: Failed to initialize SA
Aug 14 20:31:58.866: ISAKMP: Error while processing KMI message 0, error 2.
Aug 14 20:31:58.870: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Aug 14 20:31:58.870: ISAKMP (0:0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
Aug 14 20:31:58.870: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Aug 14 20:31:58.870: ISAKMP:(0): sending packet to xxx.xxx.xxx.xxx my_port 500 peer_port 500 (I) MM_NO_STATE
Aug 14 20:31:58.870: ISAKMP:(0):Sending an IKE IPv4 Packet.
Aug 14 20:32:08.869: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Aug 14 20:32:08.869: ISAKMP (0:0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
Aug 14 20:32:08.869: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Aug 14 20:32:08.869: ISAKMP:(0): sending packet to xxx.xxx.xxx.xxx my_port 500 peer_port 500 (I) MM_NO_STATE
Aug 14 20:32:08.869: ISAKMP:(0):Sending an IKE IPv4 Packet.
Aug 14 20:32:18.864: ISAKMP:(0):purging node -1073969683
Aug 14 20:32:18.864: ISAKMP:(0):purging node 1457398188
Aug 14 20:32:18.868: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Aug 14 20:32:18.868: ISAKMP (0:0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
Aug 14 20:32:18.868: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Aug 14 20:32:18.868: ISAKMP:(0): sending packet to xxx.xxx.xxx.xxx my_port 500 peer_port 500 (I) MM_NO_STATE
Aug 14 20:32:18.868: ISAKMP:(0):Sending an IKE IPv4 Packet.
Aug 14 20:32:28.863: ISAKMP:(0):purging SA., sa=667CC534, delme=667CC534
Aug 14 20:32:28.863: ISAKMP: set new node 0 to QM_IDLE
Aug 14 20:32:28.863: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local 67.40.110.170, remote 74.94.42.153)
Aug 14 20:32:28.863: ISAKMP: Error while processing SA request: Failed to initialize SA
Aug 14 20:32:28.863: ISAKMP: Error while processing KMI message 0, error 2.
Aug 14 20:32:28.867: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Aug 14 20:32:28.867: ISAKMP:(0):peer does not do paranoid keepalives.


So with that I began chasing the "Aggressive mode" angle, knowing that without it you cannot have a pre-share, and therefore more than likely dumping my MM_NO_STATE.

So instead of using just a crypto isakmp key xxxx address xxxxx, I tried:

A

crypto isakmp peer address 14.38.69.71
 set aggressive-mode password cisco123
 set aggressive-mode client-endpoint ipv4-address 14.38.69.70

B

crypto isakmp key cisco123 address 67.40.110.170

Added on both sides. This got me from MM_NO_STATE to the AG_EX one, but I still could not get the tunnel up.




Here is a full config from the outlying router, calling it A for troubleshooting:

crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key Clear address xxx.xxx.xxx
!
crypto ipsec transform-set aesset esp-aes 256 esp-sha-hmac comp-lzs
 mode transport
!
crypto map aesmap 10 ipsec-isakmp
 set peer 7xxxxxx
 set security-association lifetime kilobytes 40960000
 set transform-set aesset
 match address Voorhees_VPN_1
!
controller T1 0/1/0
 framing esf
 linecode b8zs
 channel-group 0 timeslots 1-24
!
ip tcp synwait-time 10
ip ftp username sa_cisco_backup
ip ftp password 7 00071A150754
!
interface Tunnel1
 description To Voorhees
 bandwidth 1500
 ip address 10.0.1.10 255.255.255.252
 keepalive 10 5
 tunnel source xxxxx
 tunnel destination xxxxxx
!
interface FastEthernet0/1
 description Qwest DSL
 ip address xxxxxxxx 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip mroute-cache
 duplex auto
 speed auto
 crypto map aesmap
!
router bgp 65001
 no synchronization
 bgp log-neighbor-changes
 neighbor 10.0.1.9 remote-as 65001
 neighbor 10.0.1.9 next-hop-self
 neighbor 10.0.1.9 send-community
 neighbor 10.0.1.9 soft-reconfiguration inbound
 neighbor 10.0.1.9 route-map vpn_bgp out
 no auto-summary
!
ip forward-protocol nd
ip route xxxxx 255.255.255.255 xxxxx
ip route 192.168.0.0 255.255.0.0 Null0
!
ip access-list extended Voorhees_VPN_1
 permit gre host xxxxx host xxxxxx
!
ip prefix-list lan seq 10 permit 10.10.128.0/24
!
route-map vpn_bgp permit 10
 match ip address prefix-list lan
 set local-preference 90
 set community 65001:90
!
route-map qwest permit 10
 match ip address prefix-list lan
 set community 209:100


Any assistance would be appreciated. I have 34 successful tunnels from other sites, but for some reason this one won't work. It's also running IOS 12.4(15). Thanks.
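The debug above is an initiator that sends Main Mode message 1, never logs an inbound packet, retransmits five times and then tears the SA down with "Death by retransmission P1" while still in MM_NO_STATE. The following Python script is an added example (not from the post, nor Cisco's tooling) that parses a "debug crypto isakmp" excerpt into state transitions, sent/received counts and the retransmit counter, and then classifies the Phase 1 failure. The "Death by retransmission P1" sample is assembled from the poster's own lines; the second sample, and the "received packet from" wording used to detect inbound IKE packets, are constructed assumptions about IOS debug output, with 198.51.100.1 as a placeholder peer.

```python
import re

# Constructed sample: one retransmit cycle assembled from lines of the poster's
# debug output above (the masked peer address is kept as in the post).
SAMPLE_DEBUG = """\
Aug 14 20:31:28.874: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
Aug 14 20:31:28.874: ISAKMP:(0): beginning Main Mode exchange
Aug 14 20:31:28.874: ISAKMP:(0): sending packet to xxx.xxx.xxx.xxx my_port 500 peer_port 500 (I) MM_NO_STATE
Aug 14 20:31:38.873: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Aug 14 20:31:38.873: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Aug 14 20:31:38.873: ISAKMP:(0): sending packet to xxx.xxx.xxx.xxx my_port 500 peer_port 500 (I) MM_NO_STATE
Aug 14 20:31:48.872: ISAKMP (0:0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
Aug 14 20:31:58.870: ISAKMP (0:0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
Aug 14 20:32:08.869: ISAKMP (0:0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
Aug 14 20:32:18.868: ISAKMP (0:0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
Aug 14 20:32:28.863: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer xxx.xxx.xxx.xxx)
Aug 14 20:32:28.863: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_DEST_SA
"""

# Constructed contrast sample (assumed IOS wording, placeholder peer): the peer
# answers MM1 and MM3, then the exchange stalls at MM_KEY_EXCH.
SAMPLE_KEY_MISMATCH = """\
Aug 14 21:00:00.000: ISAKMP:(0): sending packet to 198.51.100.1 my_port 500 peer_port 500 (I) MM_NO_STATE
Aug 14 21:00:00.050: ISAKMP (0): received packet from 198.51.100.1 dport 500 sport 500 Global (I) MM_NO_STATE
Aug 14 21:00:00.050: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2
Aug 14 21:00:00.060: ISAKMP:(0): sending packet to 198.51.100.1 my_port 500 peer_port 500 (I) MM_SA_SETUP
Aug 14 21:00:00.120: ISAKMP (0): received packet from 198.51.100.1 dport 500 sport 500 Global (I) MM_SA_SETUP
Aug 14 21:00:00.120: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4
Aug 14 21:00:00.130: ISAKMP:(0): sending packet to 198.51.100.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
Aug 14 21:00:10.130: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Aug 14 21:00:50.130: ISAKMP (0:0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
Aug 14 21:01:00.130: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer 198.51.100.1)
"""

STATE_RE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
SEND_RE = re.compile(r"sending packet to (\S+) .*\((I|R)\) (\S+)")
RECV_RE = re.compile(r"received packet from (\S+)")  # assumed inbound-packet wording
RETRANS_RE = re.compile(r"attempt (\d+) of (\d+): retransmit phase 1")
DELETE_RE = re.compile(r'deleting SA reason "([^"]+)" state \((I|R)\) (\S+)')

DIAGNOSIS_TEXT = {
    "no_reply_to_mm1": ("No packet was ever received from the peer and the SA died in "
                        "MM_NO_STATE: the first Main Mode message went unanswered, so the "
                        "pre-shared key and policy were never compared. Check reachability of "
                        "UDP/500 (and 4500 behind NAT), ACLs or firewalls in the path, and that "
                        "the peer has a crypto map bound to the address being contacted."),
    "phase1_stalled_after_reply": ("The peer replied but Phase 1 did not complete: compare the "
                                   "ISAKMP policy, identity type and pre-shared key on both sides."),
    "phase1_complete": "Phase 1 completed; look at Phase 2 (crypto map, transform set, proxy ACL).",
    "undetermined": "Not enough Phase 1 evidence in this excerpt.",
}


def analyze_isakmp_debug(text):
    """Summarise a 'debug crypto isakmp' excerpt and classify the Phase 1 outcome."""
    s = {"role": None, "transitions": [], "sent": 0, "received": 0,
         "retransmits": 0, "max_attempts": None, "delete_reason": None,
         "delete_state": None, "diagnosis": "undetermined"}
    for line in text.splitlines():
        if m := STATE_RE.search(line):
            s["transitions"].append((m.group(1), m.group(2)))
        elif m := SEND_RE.search(line):
            s["sent"] += 1
            s["role"] = m.group(2)          # (I) initiator or (R) responder
        elif RECV_RE.search(line):
            s["received"] += 1
        elif m := RETRANS_RE.search(line):
            s["retransmits"] = max(s["retransmits"], int(m.group(1)))
            s["max_attempts"] = int(m.group(2))
        elif m := DELETE_RE.search(line):
            s["delete_reason"], s["delete_state"] = m.group(1), m.group(3)
    if s["delete_reason"] == "Death by retransmission P1":
        # Silence from the peer while still in MM_NO_STATE is a transport problem,
        # not a key or policy problem; a stall after replies points at Phase 1 parameters.
        if s["received"] == 0 and s["delete_state"] == "MM_NO_STATE":
            s["diagnosis"] = "no_reply_to_mm1"
        else:
            s["diagnosis"] = "phase1_stalled_after_reply"
    elif any(new == "IKE_P1_COMPLETE" for _, new in s["transitions"]):
        s["diagnosis"] = "phase1_complete"
    return s


def report(text):
    """Return the plain-language reading of the excerpt."""
    s = analyze_isakmp_debug(text)
    return (f"role={s['role']} sent={s['sent']} received={s['received']} "
            f"retransmits={s['retransmits']}/{s['max_attempts']} last={s['delete_state']}: "
            + DIAGNOSIS_TEXT[s["diagnosis"]])


if __name__ == "__main__":
    print(report(SAMPLE_DEBUG))
    print(report(SAMPLE_KEY_MISMATCH))
```

Run against the poster's cycle the script reports zero received packets, five of five retransmits and a teardown in MM_NO_STATE, which is why the change to Aggressive Mode moved the state name without fixing anything: the other side still has to answer the first packet.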

Lei Tian (Cisco Employee) Wed, 08/14/2013 - 19:11

Hi Matt,

Your peer IP in the config is different from the peer IP in the debug. Is there a NAT device in between?

HTH,
Lei Tian

Sent from Cisco Technical Support iPhone App

Matthew Brennan Thu, 08/15/2013 - 05:21

I just copied and pasted the IP config from another sheet for this post; it's not the real config, they do match. There is no NAT either. I am more interested in deciphering what is going on in that debug, as I don't get it.