VPN issue

Gatling_uk
Level 1

Hello all,

I have a very strange VPN issue that I cannot get to the bottom of... Hopefully someone can provide some assistance.

The tunnel comes up fine, phase 1 and phase 2 complete successfully, but no traffic passes over the tunnel. This has been an intermittent problem for some time, but the tunnel has now not been passing traffic for the last 24 hours. I can see in the IPsec SA that the packets are being encrypted, but they never reach the other end.

I can verify that all details match exactly on both ends: phase 1 and phase 2 encryption methods the same, ISAKMP policies identical, same keys, definitely no PFS set at one end or anything silly like that. As I mentioned, this is an intermittent problem, and the tunnel comes up fine, but traffic doesn't always reach the remote destination.

Here's the SA from one end:

    Crypto map tag: outside_map, seq num: 20, local addr:

      access-list outside_20_cryptomap extended permit ip 192.168.42.0 255.255.255.0 10.20.0.0 255.255.0.0
      local ident (addr/mask/prot/port): (192.168.42.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.20.0.0/255.255.0.0/0/0)
      current_peer:

      #pkts encaps: 574, #pkts encrypt: 574, #pkts digest: 574
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 574, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: , remote crypto endpt.:

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 031A699D
      current inbound spi : 07DB85CB

    inbound esp sas:
      spi: 0x07DB85CB (131827147)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 20480, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4374000/27416)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0x031A699D (52062621)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 20480, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4373959/27416)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

    Crypto map tag: outside_map, seq num: 20, local addr:

      access-list outside_20_cryptomap extended permit ip 192.168.42.0 255.255.255.0 10.18.0.0 255.255.0.0
      local ident (addr/mask/prot/port): (192.168.42.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.18.0.0/255.255.0.0/0/0)
      current_peer:

      #pkts encaps: 22, #pkts encrypt: 22, #pkts digest: 22
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 22, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: , remote crypto endpt.:

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: E1DC892F
      current inbound spi : C39A46F9

    inbound esp sas:
      spi: 0xC39A46F9 (3281667833)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 20480, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4374000/27475)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0xE1DC892F (3789326639)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 20480, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4373998/27473)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

Here's some relevant debugging information from tunnel establishment:

    Apr 09 01:21:09 [IKEv1]: IP = "Remote IP", Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
    Apr 09 01:21:09 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
    Apr 09 01:21:09 [IKEv1]: IP = "Remote IP", Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
    Apr 09 01:21:10 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
    Apr 09 01:21:10 [IKEv1]: IP = "Remote IP", Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
    Apr 09 01:21:11 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
    Apr 09 01:21:11 [IKEv1]: IP = "Remote IP", Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
    Apr 09 01:21:11 [IKEv1]: IP = "Remote IP", IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256
    Apr 09 01:21:11 [IKEv1]: IP = "Remote IP", IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
    Apr 09 01:21:11 [IKEv1]: IP = "Remote IP", IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
    Apr 09 01:21:11 [IKEv1]: IP = "Remote IP", Received an un-encrypted INVALID_COOKIE notify message, dropping
    Apr 09 01:21:11 [IKEv1]: IP = "Remote IP", Information Exchange processing failed
    Apr 09 01:21:12 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
    Apr 09 01:21:12 [IKEv1]: IP = "Remote IP", Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
    Apr 09 01:21:12 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
    Apr 09 01:21:12 [IKEv1]: IP = "Remote IP", Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
    Apr 09 01:21:12 [IKEv1]: IP = "Remote IP", IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 336
    Apr 09 01:21:12 [IKEv1 DEBUG]: IP = "Remote IP", processing SA payload
    Apr 09 01:21:12 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5
    Apr 09 01:21:12 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 1
    Apr 09 01:21:12 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5
    Apr 09 01:21:12 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 1
    Apr 09 01:21:12 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 1
    Apr 09 01:21:12 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5
    Apr 09 01:21:12 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 1
    Apr 09 01:21:12 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
    Apr 09 01:21:12 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 1
    Apr 09 01:21:12 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
    Apr 09 01:21:12 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5
    Apr 09 01:21:12 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 1
    Apr 09 01:21:12 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 1
    Apr 09 01:21:12 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5
    Apr 09 01:21:12 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 1
    Apr 09 01:21:12 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5
    Apr 09 01:21:12 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 1
    Apr 09 01:21:12 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 1
    Apr 09 01:21:12 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5
    Apr 09 01:21:12 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 1
    Apr 09 01:21:12 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
    Apr 09 01:21:12 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 5
    Apr 09 01:21:12 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
    Apr 09 01:21:12 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
    Apr 09 01:21:12 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
    Apr 09 01:21:12 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
    Apr 09 01:21:12 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 5
    Apr 09 01:21:12 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
    Apr 09 01:21:12 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
    Apr 09 01:21:12 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
    Apr 09 01:21:12 [IKEv1 DEBUG]: IP = "Remote IP", Oakley proposal is acceptable
    Apr 09 01:21:12 [IKEv1 DEBUG]: IP = "Remote IP", processing VID payload
    Apr 09 01:21:12 [IKEv1 DEBUG]: IP = "Remote IP", Received NAT-Traversal ver 02 VID
    Apr 09 01:21:12 [IKEv1 DEBUG]: IP = "Remote IP", processing VID payload
    Apr 09 01:21:12 [IKEv1 DEBUG]: IP = "Remote IP", Received NAT-Traversal ver 03 VID
    Apr 09 01:21:12 [IKEv1 DEBUG]: IP = "Remote IP", processing VID payload
    Apr 09 01:21:12 [IKEv1 DEBUG]: IP = "Remote IP", Received Fragmentation VID
    Apr 09 01:21:12 [IKEv1 DEBUG]: IP = "Remote IP", IKE Peer included IKE fragmentation capability flags:  Main Mode:        True  Aggressive Mode:  True
    Apr 09 01:21:12 [IKEv1 DEBUG]: IP = "Remote IP", processing IKE SA payload
    Apr 09 01:21:12 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5
    Apr 09 01:21:12 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 1
    Apr 09 01:21:12 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5
    Apr 09 01:21:12 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 1
    Apr 09 01:21:12 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 1
    Apr 09 01:21:12 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5
    Apr 09 01:21:12 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 1
    Apr 09 01:21:12 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
    Apr 09 01:21:12 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 1
    Apr 09 01:21:12 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
    Apr 09 01:21:12 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5
    Apr 09 01:21:12 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 1
    Apr 09 01:21:12 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 1
    Apr 09 01:21:12 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5
    Apr 09 01:21:12 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 1
    Apr 09 01:21:12 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5
    Apr 09 01:21:12 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 1
    Apr 09 01:21:12 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 1
    Apr 09 01:21:12 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5
    Apr 09 01:21:12 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 1
    Apr 09 01:21:12 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
    Apr 09 01:21:12 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 5
    Apr 09 01:21:12 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
    Apr 09 01:21:12 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
    Apr 09 01:21:12 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
    Apr 09 01:21:12 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
    Apr 09 01:21:12 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 5
    Apr 09 01:21:12 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
    Apr 09 01:21:12 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
    Apr 09 01:21:12 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
    Apr 09 01:21:12 [IKEv1 DEBUG]: IP = "Remote IP", IKE SA Proposal # 1, Transform # 1 acceptable  Matches global IKE entry # 8
    Apr 09 01:21:12 [IKEv1 DEBUG]: IP = "Remote IP", constructing ISAKMP SA payload
    Apr 09 01:21:12 [IKEv1 DEBUG]: IP = "Remote IP", constructing Fragmentation VID + extended capabilities payload
    Apr 09 01:21:12 [IKEv1]: IP = "Remote IP", IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 112
    Apr 09 01:21:12 [IKEv1]: IP = "Remote IP", IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256
    Apr 09 01:21:12 [IKEv1 DEBUG]: IP = "Remote IP", processing ke payload
    Apr 09 01:21:12 [IKEv1 DEBUG]: IP = "Remote IP", processing ISA_KE payload
    Apr 09 01:21:12 [IKEv1 DEBUG]: IP = "Remote IP", processing nonce payload
    Apr 09 01:21:12 [IKEv1 DEBUG]: IP = "Remote IP", processing VID payload
    Apr 09 01:21:12 [IKEv1 DEBUG]: IP = "Remote IP", Received Cisco Unity client VID
    Apr 09 01:21:12 [IKEv1 DEBUG]: IP = "Remote IP", processing VID payload
    Apr 09 01:21:12 [IKEv1 DEBUG]: IP = "Remote IP", Received xauth V6 VID
    Apr 09 01:21:12 [IKEv1 DEBUG]: IP = "Remote IP", processing VID payload
    Apr 09 01:21:12 [IKEv1 DEBUG]: IP = "Remote IP", Processing VPN3000/ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
    Apr 09 01:21:12 [IKEv1 DEBUG]: IP = "Remote IP", processing VID payload
    Apr 09 01:21:12 [IKEv1 DEBUG]: IP = "Remote IP", Received Altiga/Cisco VPN3000/Cisco ASA GW VID
    Apr 09 01:21:12 [IKEv1 DEBUG]: IP = "Remote IP", constructing ke payload
    Apr 09 01:21:12 [IKEv1 DEBUG]: IP = "Remote IP", constructing nonce payload
    Apr 09 01:21:12 [IKEv1 DEBUG]: IP = "Remote IP", constructing Cisco Unity VID payload
    Apr 09 01:21:12 [IKEv1 DEBUG]: IP = "Remote IP", constructing xauth V6 VID payload
    Apr 09 01:21:12 [IKEv1 DEBUG]: IP = "Remote IP", Send IOS VID
    Apr 09 01:21:12 [IKEv1 DEBUG]: IP = "Remote IP", Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
    Apr 09 01:21:12 [IKEv1 DEBUG]: IP = "Remote IP", constructing VID payload
    Apr 09 01:21:12 [IKEv1 DEBUG]: IP = "Remote IP", Send Altiga/Cisco VPN3000/Cisco ASA GW VID
    Apr 09 01:21:12 [IKEv1]: IP = "Remote IP", Connection landed on tunnel_group "Remote IP"
    Apr 09 01:21:12 [IKEv1 DEBUG]: Group = "Remote IP", IP = "Remote IP", Generating keys for Responder...
    Apr 09 01:21:12 [IKEv1]: IP = "Remote IP", IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256
    Apr 09 01:21:12 [IKEv1]: IP = "Remote IP", IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 96
    Apr 09 01:21:12 [IKEv1 DEBUG]: Group = "Remote IP", IP = "Remote IP", processing ID payload
    Apr 09 01:21:12 [IKEv1 DECODE]: Group = "Remote IP", IP = "Remote IP", ID_IPV4_ADDR ID received
    "Remote IP"
    Apr 09 01:21:12 [IKEv1 DEBUG]: Group = "Remote IP", IP = "Remote IP", processing hash payload
    Apr 09 01:21:12 [IKEv1 DEBUG]: Group = "Remote IP", IP = "Remote IP", Computing hash for ISAKMP
    Apr 09 01:21:12 [IKEv1 DEBUG]: IP = "Remote IP", Processing IOS keep alive payload: proposal=32767/32767 sec.
    Apr 09 01:21:12 [IKEv1 DEBUG]: Group = "Remote IP", IP = "Remote IP", processing VID payload
    Apr 09 01:21:12 [IKEv1 DEBUG]: Group = "Remote IP", IP = "Remote IP", Received DPD VID
    Apr 09 01:21:12 [IKEv1]: IP = "Remote IP", Connection landed on tunnel_group "Remote IP"
    Apr 09 01:21:12 [IKEv1]: Group = "Remote IP", IP = "Remote IP", Freeing previously allocated memory for authorization-dn-attributes
    Apr 09 01:21:12 [IKEv1 DEBUG]: Group = "Remote IP", IP = "Remote IP", constructing ID payload
    Apr 09 01:21:12 [IKEv1 DEBUG]: Group = "Remote IP", IP = "Remote IP", constructing hash payload
    Apr 09 01:21:12 [IKEv1 DEBUG]: Group = "Remote IP", IP = "Remote IP", Computing hash for ISAKMP
    Apr 09 01:21:13 [IKEv1 DEBUG]: IP = "Remote IP", Constructing IOS keep alive payload: proposal=32767/32767 sec.
    Apr 09 01:21:13 [IKEv1 DEBUG]: Group = "Remote IP", IP = "Remote IP", constructing dpd vid payload
    Apr 09 01:21:13 [IKEv1]: IP = "Remote IP", IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 96
    Apr 09 01:21:13 [IKEv1]: Group = "Remote IP", IP = "Remote IP", PHASE 1 COMPLETED
    Apr 09 01:21:13 [IKEv1]: IP = "Remote IP", Keep-alive type for this connection: DPD
    Apr 09 01:21:13 [IKEv1 DEBUG]: Group = "Remote IP", IP = "Remote IP", Starting P1 rekey timer: 82080 seconds.
    Apr 09 01:21:13 [IKEv1 DECODE]: IP = "Remote IP", IKE Responder starting QM: msg id = 725b37af
    Apr 09 01:21:13 [IKEv1]: IP = "Remote IP", IKE_DECODE RECEIVED Message (msgid=725b37af) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 196
    Apr 09 01:21:13 [IKEv1 DEBUG]: Group = "Remote IP", IP = "Remote IP", processing hash payload
    Apr 09 01:21:13 [IKEv1 DEBUG]: Group = "Remote IP", IP = "Remote IP", processing SA payload
    Apr 09 01:21:13 [IKEv1 DEBUG]: Group = "Remote IP", IP = "Remote IP", processing nonce payload
    Apr 09 01:21:13 [IKEv1 DEBUG]: Group = "Remote IP", IP = "Remote IP", processing ID payload
    Apr 09 01:21:13 [IKEv1 DECODE]: Group = "Remote IP", IP = "Remote IP", ID_IPV4_ADDR_SUBNET ID received--10.20.0.0--255.255.0.0
    Apr 09 01:21:13 [IKEv1]: Group = "Remote IP", IP = "Remote IP", Received remote IP Proxy Subnet data in ID Payload:   Address 10.20.0.0, Mask 255.255.0.0, Protocol 0, Port 0
    Apr 09 01:21:13 [IKEv1 DEBUG]: Group = "Remote IP", IP = "Remote IP", processing ID payload
    Apr 09 01:21:13 [IKEv1 DECODE]: Group = "Remote IP", IP = "Remote IP", ID_IPV4_ADDR_SUBNET ID received--192.168.42.0--255.255.255.0
    Apr 09 01:21:13 [IKEv1]: Group = "Remote IP", IP = "Remote IP", Received local IP Proxy Subnet data in ID Payload:   Address 192.168.42.0, Mask 255.255.255.0, Protocol 0, Port 0
    Apr 09 01:21:13 [IKEv1 DEBUG]: Group = "Remote IP", IP = "Remote IP", processing notify payload
    Apr 09 01:21:13 [IKEv1]: Group = "Remote IP", IP = "Remote IP", QM IsRekeyed old sa not found by addr
    Apr 09 01:21:13 [IKEv1]: Group = "Remote IP", IP = "Remote IP", Static Crypto Map check, checking map = outside_map, seq = 20...
    Apr 09 01:21:13 [IKEv1]: Group = "Remote IP", IP = "Remote IP", Static Crypto Map check, map outside_map, seq = 20 is a successful match
    Apr 09 01:21:13 [IKEv1]: Group = "Remote IP", IP = "Remote IP", IKE Remote Peer configured for crypto map: outside_map
    Apr 09 01:21:13 [IKEv1 DEBUG]: Group = "Remote IP", IP = "Remote IP", processing IPSec SA payload
    Apr 09 01:21:13 [IKEv1 DEBUG]: Group = "Remote IP", IP = "Remote IP", IPSec SA Proposal # 1, Transform # 1 acceptable  Matches global IPSec SA entry # 20
    Apr 09 01:21:13 [IKEv1]: Group = "Remote IP", IP = "Remote IP", IKE: requesting SPI!
    Apr 09 01:21:13 [IKEv1 DEBUG]: IP = "Remote IP", IKE SA MM:e91450a7 terminating:  flags 0x01000022, refcnt 0, tuncnt 0
    Apr 09 01:21:13 [IKEv1 DEBUG]: IP = "Remote IP", sending delete/delete with reason message
    Apr 09 01:21:13 [IKEv1 DEBUG]: Group = "Remote IP", IP = "Remote IP", IKE got SPI from key engine: SPI = 0x0241c8d3
    Apr 09 01:21:13 [IKEv1 DEBUG]: Group = "Remote IP", IP = "Remote IP", oakley constucting quick mode
    Apr 09 01:21:13 [IKEv1 DEBUG]: Group = "Remote IP", IP = "Remote IP", constructing blank hash payload
    Apr 09 01:21:13 [IKEv1 DEBUG]: Group = "Remote IP", IP = "Remote IP", constructing IPSec SA payload
    Apr 09 01:21:13 [IKEv1 DEBUG]: Group = "Remote IP", IP = "Remote IP", constructing IPSec nonce payload
    Apr 09 01:21:13 [IKEv1 DEBUG]: Group = "Remote IP", IP = "Remote IP", constructing proxy ID
    Apr 09 01:21:13 [IKEv1 DEBUG]: Group = "Remote IP", IP = "Remote IP", Transmitting Proxy Id:
      Remote subnet: 10.20.0.0  Mask 255.255.0.0 Protocol 0  Port 0
      Local subnet:  192.168.42.0  mask 255.255.255.0 Protocol 0  Port 0
    Apr 09 01:21:13 [IKEv1 DEBUG]: Group = "Remote IP", IP = "Remote IP", constructing qm hash payload
    Apr 09 01:21:13 [IKEv1 DECODE]: Group = "Remote IP", IP = "Remote IP", IKE Responder sending 2nd QM pkt: msg id = 725b37af
    Apr 09 01:21:13 [IKEv1]: IP = "Remote IP", IKE_DECODE SENDING Message (msgid=725b37af) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 168
    Apr 09 01:21:13 [IKEv1]: IP = "Remote IP", IKE_DECODE RECEIVED Message (msgid=725b37af) with payloads : HDR + HASH (8) + NONE (0) total length : 52
    Apr 09 01:21:13 [IKEv1 DEBUG]: Group = "Remote IP", IP = "Remote IP", processing hash payload
    Apr 09 01:21:13 [IKEv1 DEBUG]: Group = "Remote IP", IP = "Remote IP", loading all IPSEC SAs
    Apr 09 01:21:13 [IKEv1 DEBUG]: Group = "Remote IP", IP = "Remote IP", Generating Quick Mode Key!
    Apr 09 01:21:13 [IKEv1 DEBUG]: Group = "Remote IP", IP = "Remote IP", NP encrypt rule look up for crypto map outside_map 20 matching ACL outside_20_cryptomap: returned cs_id=d5e41a50; rule=d3e1cce8
    Apr 09 01:21:13 [IKEv1 DEBUG]: Group = "Remote IP", IP = "Remote IP", Generating Quick Mode Key!
    Apr 09 01:21:13 [IKEv1 DEBUG]: Group = "Remote IP", IP = "Remote IP", NP encrypt rule look up for crypto map outside_map 20 matching ACL outside_20_cryptomap: returned cs_id=d5e41a50; rule=d3e1cce8
    Apr 09 01:21:13 [IKEv1]: Group = "Remote IP", IP = "Remote IP", Security negotiation complete for LAN-to-LAN Group ("Remote IP")  Responder, Inbound SPI = 0x0241c8d3, Outbound SPI = 0xc40740ac
    Apr 09 01:21:13 [IKEv1 DEBUG]: Group = "Remote IP", IP = "Remote IP", IKE got a KEY_ADD msg for SA: SPI = 0xc40740ac
    Apr 09 01:21:13 [IKEv1 DEBUG]: Group = "Remote IP", IP = "Remote IP", Pitcher: received KEY_UPDATE, spi 0x241c8d3
    Apr 09 01:21:13 [IKEv1 DEBUG]: Group = "Remote IP", IP = "Remote IP", Starting P2 rekey timer: 27360 seconds.
    Apr 09 01:21:13 [IKEv1]: Group = "Remote IP", IP = "Remote IP", PHASE 2 COMPLETED (msgid=725b37af)

Can anyone see anything wrong with this tunnel establishment at all? Everything looks fine as far as I can tell. There are also 2 other VPNs configured on this firewall, and 1 of them has also had this issue for around an hour yesterday; the other 1 has functioned correctly all the time. ISPs at both ends insist there are no connectivity problems between the 2 remote networks, and I'm inclined to believe them because the tunnel connects fine, and I can connect to resources on public addresses at either end from both networks.

I don't see how this can be a config issue, because it has been working 90% of the time until the last 24 hours. Totally out of ideas, anyone else got any?

Thanks in advance.

Gat

3 Replies

Jennifer Halim
Cisco Employee

Based on the SAs, traffic is being encrypted, but this end never got the reply back from the other end.

You might want to check the output of "show crypto ipsec sa" from the other end. If it's showing decrypts, but no encrypts, it can mean 2 things:

1) NAT exemptions are probably not configured correctly

2) Potentially there are outbound ACLs that might block the traffic

I would start checking config on the other end.

Hi, thanks for the reply. Config on the other end is good; the SA looks exactly the same, with encrypts but no decrypts.

The correct no-nat entries are definitely in place at both ends, as well as everything else that is required. I've reconfigured it many times at both ends, and just doing that sometimes makes the tunnel start passing traffic again (unless just coincidence...) and then it stops again a while later (after 20 minutes last time).

Both devices on 8.0(5).

Looks like ESP packets are not getting to either side if you just have encrypts but no decrypts on both sides.

By any chance there is anything between the path that might block ESP packet?
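The counter-based reasoning in the two Cisco replies above, as an added example that is not part of the thread: a small Python parser for the relevant lines of "show crypto ipsec sa" taken on both peers, and a classifier for the encaps/decaps combinations the replies describe (decrypts without encrypts on one side points at NAT exemption or outbound ACLs on that side; encrypts without decrypts on both sides points at ESP being dropped in the path). The sample outputs are constructed and trimmed, and pairing the two ends' entries by mirrored proxy IDs is an assumption.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

ENTRY_RE = re.compile(r"Crypto map tag: (?P<map>[^,]+), seq num: (?P<seq>\d+)")
IDENT_RE = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/\d+/\d+\)")
COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")

# Constructed, trimmed sample output: each end encrypts (encaps > 0) but never decrypts.
LOCAL_SA = """\
    Crypto map tag: outside_map, seq num: 20, local addr:
      local ident (addr/mask/prot/port): (192.168.42.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.20.0.0/255.255.0.0/0/0)
      #pkts encaps: 574, #pkts encrypt: 574, #pkts digest: 574
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""
REMOTE_SA = """\
    Crypto map tag: outside_map, seq num: 10, local addr:
      local ident (addr/mask/prot/port): (10.20.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.42.0/255.255.255.0/0/0)
      #pkts encaps: 91, #pkts encrypt: 91, #pkts digest: 91
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

@dataclass
class SaCounters:
    crypto_map: str
    seq: int
    local_net: str      # "addr/mask" of the local proxy ID
    remote_net: str     # "addr/mask" of the remote proxy ID
    encaps: int = 0     # packets this end encrypted and sent
    decaps: int = 0     # packets this end received and decrypted

def parse_ipsec_sa(text: str) -> List[SaCounters]:
    """Extract one SaCounters per 'Crypto map tag' block of the command output."""
    entries: List[SaCounters] = []
    cur: Optional[SaCounters] = None
    for line in text.splitlines():
        if m := ENTRY_RE.search(line):
            cur = SaCounters(m["map"], int(m["seq"]), "", "")
            entries.append(cur)
        elif cur is None:
            continue                      # ignore preamble before the first block
        elif m := IDENT_RE.search(line):
            net = f"{m.group(2)}/{m.group(3)}"
            if m.group(1) == "local":
                cur.local_net = net
            else:
                cur.remote_net = net
        else:
            for kind, value in COUNTER_RE.findall(line):
                setattr(cur, kind, int(value))
    return entries

def pair_peers(local: List[SaCounters], remote: List[SaCounters]):
    """Assumption: the two ends' entries correspond when their proxy IDs mirror each other."""
    by_nets = {(r.local_net, r.remote_net): r for r in remote}
    return [(l, by_nets.get((l.remote_net, l.local_net))) for l in local]

def diagnose(local: SaCounters, remote: Optional[SaCounters]) -> str:
    """Map the encaps/decaps combinations to the checks the replies suggest."""
    if remote is None:
        return "no mirror-image SA on the remote peer: compare the crypto ACLs / proxy IDs"
    l_tx, l_rx = local.encaps > 0, local.decaps > 0
    r_tx, r_rx = remote.encaps > 0, remote.decaps > 0
    if l_tx and l_rx and r_tx and r_rx:
        return "healthy: both ends encrypt and decrypt"
    if l_tx and not l_rx and r_rx and not r_tx:
        return "remote decrypts but never encrypts: check NAT exemption and outbound ACLs on the remote end"
    if r_tx and not r_rx and l_rx and not l_tx:
        return "local decrypts but never encrypts: check NAT exemption and outbound ACLs on the local end"
    if l_tx and not l_rx and r_tx and not r_rx:
        return "both ends encrypt, neither decrypts: ESP (IP protocol 50) is not reaching either peer"
    return "inconclusive: send interesting traffic and re-read the counters on both ends"

def analyse(local_text: str, remote_text: str) -> Dict[str, str]:
    """Return a verdict per local crypto-map entry, keyed 'map:seq'."""
    pairs = pair_peers(parse_ipsec_sa(local_text), parse_ipsec_sa(remote_text))
    return {f"{l.crypto_map}:{l.seq}": diagnose(l, r) for l, r in pairs}

if __name__ == "__main__":
    for key, verdict in analyse(LOCAL_SA, REMOTE_SA).items():
        print(f"{key}: {verdict}")
```

Clear the counters on both ends and re-read them after sending traffic, so the verdict reflects the current state of the tunnel rather than history from before the last rekey.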
