melaniemaillet
Level 1

Hi


I have an issue: it seems the peers have done the first exchange in aggressive mode, but the SA is not authenticated. What could cause the SA to not authenticate?

I don't have access to the remote end, only to the CPE router, which is a Cisco 871 running the IOS version c870-adventerprisek9-mz.124-6.t.bin.

My tunnel is actually showing as down. I believe it's because my IPsec ISAKMP SA is not showing QM_IDLE? Am I right?

I captured some debugs from the CPE router, but as I cannot access the remote end, my troubleshooting is based only on the CPE.


RouterH#sh crypto isakmp sa deta
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id  Local           Remote          I-VRF    Status Encr Hash Auth DH Lifetime Cap.

0     192.168.8.9     210.10.9.109             ACTIVE           psk  2  0
       Engine-id:Conn-id =  ???

RouterH#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
210.10.9.109    192.168.8.9     AG_INIT_EXCH         0    0 ACTIVE

AG_INIT_EXCH


RouterH#sh crypto sessio
Crypto session current status

Interface: FastEthernet4
Session status: DOWN-NEGOTIATING
Peer: 210.10.9.109 port 500
  IKE SA: local 192.168.8.9/500 remote 210.10.9.109/500 Inactive
  IKE SA: local 192.168.8.9/500 remote 210.10.9.109/500 Inactive
  IPSEC FLOW: deny ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit 47 host 87.85.32.5 host 87.85.32.6
        Active SAs: 0, origin: crypto map

RouterH#
*Oct 14 09:30:57.615 UTC: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local 192.168.8.9, remote 210.10.9.109)
*Oct 14 09:30:57.615 UTC: ISAKMP: Error while processing SA request: Failed to initialize SA
*Oct 14 09:30:57.615 UTC: ISAKMP: Error while processing KMI message 0, error 2.
RouterH#


router#
*Oct 14 09:44:57.393 UTC: ISAKMP:(0): SA request profile is (NULL)
*Oct 14 09:44:57.393 UTC: ISAKMP: Created a peer struct for 210.10.9.109, peer port 500
*Oct 14 09:44:57.393 UTC: ISAKMP: New peer created peer = 0x83404108 peer_handle = 0x8000001D
*Oct 14 09:44:57.393 UTC: ISAKMP: Locking peer struct 0x83404108, refcount 1 for isakmp_initiator
*Oct 14 09:44:57.393 UTC: ISAKMP: local port 500, remote port 500
*Oct 14 09:44:57.393 UTC: ISAKMP: set new node 0 to QM_IDLE
*Oct 14 09:44:57.393 UTC: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 842679FC
*Oct 14 09:44:57.393 UTC: ISAKMP:(0):SA has tunnel attributes set.
*Oct 14 09:44:57.393 UTC: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Oct 14 09:44:57.393 UTC: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Oct 14 09:44:57.393 UTC: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Oct 14 09:44:57.397 UTC: ISAKMP:(0):SA is doing pre-shared key authentication using id type ID_USER_FQDN
*Oct 14 09:44:57.397 UTC: ISAKMP (0:0): ID payload
        next-payload : 13
        type         : 3
        USER FQDN    : 212407650-E01
        protocol     : 17
        port         : 0
        length       : 21
*Oct 14 09:44:57.397 UTC: ISAKMP:(0):Total payload length: 21
*Oct 14 09:44:57.397 UTC: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_AM
router#
*Oct 14 09:44:57.397 UTC: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_AM1

*Oct 14 09:44:57.397 UTC: ISAKMP:(0): beginning Aggressive Mode exchange
*Oct 14 09:44:57.397 UTC: ISAKMP:(0): sending packet to 210.10.9.109 my_port 500 peer_port 500 (I) AG_INIT_EXCH
router#
*Oct 14 09:45:07.394 UTC: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH...
*Oct 14 09:45:07.394 UTC: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Oct 14 09:45:07.394 UTC: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH
*Oct 14 09:45:07.394 UTC: ISAKMP:(0): sending packet to 210.10.9.109 my_port 500 peer_port 500 (I) AG_INIT_EXCH
router#
*Oct 14 09:45:17.392 UTC: ISAKMP:(0):purging node 622331625
*Oct 14 09:45:17.392 UTC: ISAKMP:(0):purging node -886217408
*Oct 14 09:45:17.392 UTC: ISAKMP:(0):purging node -365032318
*Oct 14 09:45:17.392 UTC: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH...
*Oct 14 09:45:17.392 UTC: ISAKMP (0:0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Oct 14 09:45:17.392 UTC: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH
*Oct 14 09:45:17.392 UTC: ISAKMP:(0): sending packet to 210.10.9.109 my_port 500 peer_port 500 (I) AG_INIT_EXCH
router#
*Oct 14 09:45:27.385 UTC: ISAKMP: set new node 0 to QM_IDLE
*Oct 14 09:45:27.385 UTC: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local 192.168.8.9, remote 210.10.9.109)
*Oct 14 09:45:27.385 UTC: ISAKMP: Error while processing SA request: Failed to initialize SA
*Oct 14 09:45:27.385 UTC: ISAKMP: Error while processing KMI message 0, error 2.
*Oct 14 09:45:27.405 UTC: ISAKMP:(0):purging SA., sa=83D7F888, delme=83D7F888
*Oct 14 09:45:27.405 UTC: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH...
*Oct 14 09:45:27.405 UTC: ISAKMP (0:0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
router#
*Oct 14 09:45:27.405 UTC: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH
*Oct 14 09:45:27.405 UTC: ISAKMP:(0): sending packet to 210.10.9.109 my_port 500 peer_port 500 (I) AG_INIT_EXCH
router#
*Oct 14 09:45:37.402 UTC: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH...
*Oct 14 09:45:37.402 UTC: ISAKMP (0:0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
*Oct 14 09:45:37.402 UTC: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH
*Oct 14 09:45:37.402 UTC: ISAKMP:(0): sending packet to 210.10.9.109 my_port 500 peer_port 500 (I) AG_INIT_EXCH
router#
*Oct 14 09:45:47.400 UTC: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH...
*Oct 14 09:45:47.400 UTC: ISAKMP (0:0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
*Oct 14 09:45:47.400 UTC: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH
*Oct 14 09:45:47.400 UTC: ISAKMP:(0): sending packet to 210.10.9.109 my_port 500 peer_port 500 (I) AG_INIT_EXCH
router#
*Oct 14 09:45:57.377 UTC: ISAKMP: set new node 0 to QM_IDLE
*Oct 14 09:45:57.377 UTC: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local 192.168.8.9, remote 210.10.9.109)
*Oct 14 09:45:57.377 UTC: ISAKMP: Error while processing SA request: Failed to initialize SA
*Oct 14 09:45:57.377 UTC: ISAKMP: Error while processing KMI message 0, error 2.
*Oct 14 09:45:57.397 UTC: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH...
*Oct 14 09:45:57.397 UTC: ISAKMP:(0):peer does not do paranoid keepalives.

*Oct 14 09:45:57.397 UTC: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) AG_INIT_EXCH (peer 210.10.9.109)
*Oct 14 09:45:57.397 UTC: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) AG_INIT_EXCH (peer 210.10.9.109)
*Oct 14 09:45:57.397 UTC: ISAKMP: Unlocking peer struct 0x83404108 for isadb_mark_sa_deleted(), count 0
*Oct 14 09:45:57.397 UTC: ISAKMP: Deleting peer node by peer_reap for 210.10.9.109: 83404108
*Oct 14 09:45:57.397 UTC: ISAKMP:(0):deleting node -1189368726 error FALSE reason "IKE deleted"
*Oct 14 09:45:57.397 UTC: ISAKMP:(0):deleting node -771908059 error FALSE reason "IKE deleted"
*Oct 14 09:45:57.397 UTC: ISAKMP:(0):deleting node 397073023 error FALSE reason "IKE deleted"
router#
*Oct 14 09:45:57.397 UTC: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Oct 14 09:45:57.397 UTC: ISAKMP:(0):Old State = IKE_I_AM1  New State = IKE_DEST_SA

router#
*Oct 14 09:46:27.369 UTC: ISAKMP:(0): SA request profile is (NULL)
*Oct 14 09:46:27.369 UTC: ISAKMP: Created a peer struct for 210.10.9.109, peer port 500
*Oct 14 09:46:27.369 UTC: ISAKMP: New peer created peer = 0x83404108 peer_handle = 0x8000001F
*Oct 14 09:46:27.369 UTC: ISAKMP: Locking peer struct 0x83404108, refcount 1 for isakmp_initiator
*Oct 14 09:46:27.369 UTC: ISAKMP: local port 500, remote port 500
*Oct 14 09:46:27.369 UTC: ISAKMP: set new node 0 to QM_IDLE
*Oct 14 09:46:27.369 UTC: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 83D80AB0
*Oct 14 09:46:27.369 UTC: ISAKMP:(0):SA has tunnel attributes set.
*Oct 14 09:46:27.369 UTC: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Oct 14 09:46:27.369 UTC: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Oct 14 09:46:27.369 UTC: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Oct 14 09:46:27.369 UTC: ISAKMP:(0):SA is doing pre-shared key authentication using id type ID_USER_FQDN
*Oct 14 09:46:27.369 UTC: ISAKMP (0:0): ID payload

Thanks in advance for your help


Mel
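As an added example (not from the post, and not Cisco code), a small Python parser for `debug crypto isakmp` output of the kind shown above. It tracks the phase-1 state machine, counts outgoing packets and retransmits, and checks whether the peer ever answered; the `received packet from` line format is assumed from IOS debugs, and the sample input is constructed in the same format as the post's lines.

```python
import re
from collections import Counter

# Constructed sample in the format of the IOS "debug crypto isakmp" lines in the post.
SAMPLE_DEBUG = """\
*Oct 14 09:44:57.397 UTC: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_AM1
*Oct 14 09:44:57.397 UTC: ISAKMP:(0): sending packet to 210.10.9.109 my_port 500 peer_port 500 (I) AG_INIT_EXCH
*Oct 14 09:45:07.394 UTC: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Oct 14 09:45:17.392 UTC: ISAKMP (0:0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Oct 14 09:45:57.397 UTC: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) AG_INIT_EXCH (peer 210.10.9.109)
*Oct 14 09:45:57.397 UTC: ISAKMP:(0):Old State = IKE_I_AM1  New State = IKE_DEST_SA
"""

STATE_RE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
RETRANS_RE = re.compile(r"attempt (\d+) of (\d+): retransmit phase 1")
SENT_RE = re.compile(r"sending packet to (\S+) .*\((I|R)\) (\S+)")
RECV_RE = re.compile(r"received packet from (\S+)")   # assumed IOS line format for inbound packets
DEATH_RE = re.compile(r'deleting SA reason "Death by retransmission P1"')

def analyze_phase1(debug_text):
    """Summarise one IKEv1 phase-1 attempt from ISAKMP debug lines."""
    summary = {"states": [], "sent": Counter(), "received": 0,
               "retransmits": 0, "max_retransmits": None, "death_by_retransmission": False}
    for line in debug_text.splitlines():
        if m := STATE_RE.search(line):
            summary["states"].append((m.group(1), m.group(2)))
        elif m := SENT_RE.search(line):
            summary["sent"][m.group(3)] += 1          # count by exchange type, e.g. AG_INIT_EXCH
        elif RECV_RE.search(line):
            summary["received"] += 1
        elif m := RETRANS_RE.search(line):
            summary["retransmits"] = int(m.group(1))  # last attempt number seen
            summary["max_retransmits"] = int(m.group(2))
        elif DEATH_RE.search(line):
            summary["death_by_retransmission"] = True
    return summary

def diagnose(summary):
    """Map the summary to a failure class for an SA that never reaches QM_IDLE."""
    if summary["death_by_retransmission"] and summary["received"] == 0:
        return ("no reply from peer: first aggressive-mode packet sent and never answered; "
                "check reachability, UDP/500 filtering, and that the peer knows this initiator ID")
    if summary["death_by_retransmission"]:
        return "peer replied but phase 1 still timed out: compare PSK, ID type and phase-1 proposal"
    if any(new == "IKE_P1_COMPLETE" for _, new in summary["states"]):
        return "phase 1 authenticated"
    return "phase 1 still in progress"
```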
