Can anyone explain what this debug is telling me (ISAKMP related)?

mshaw

This is from an 803 router. I have a second 803 that dials this one through the internet with no problems. If I set up my own VPN I can connect from my office.

However, I have a remote user that is trying to dial in using a laptop and he keeps getting the message that 'the remote peer is no longer responding' or words to that effect. I've debugged the crypto isakmp while the guy was dialing in and got the following:

4w0d: ISAKMP (0:20): Checking ISAKMP transform 11 against priority 10 policy

4w0d: ISAKMP: encryption 3DES-CBC

4w0d: ISAKMP: hash SHA

4w0d: ISAKMP: default group 2

4w0d: ISAKMP: auth pre-share

4w0d: ISAKMP: life type in seconds

4w0d: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B

4w0d: ISAKMP (0:20): atts are acceptable. Next payload is 3

4w0d: ISAKMP (0:20): processing KE payload. message ID = 0

4w0d: ISAKMP (0:20): processing NONCE payload. message ID = 0

4w0d: ISAKMP (0:20): processing vendor id payload

4w0d: ISAKMP (0:20): processing vendor id payload

4w0d: ISAKMP (0:20): processing vendor id payload

4w0d: ISAKMP (0:20): processing vendor id payload

4w0d: ISAKMP (0:20): processing vendor id payload

4w0d: ISAKMP (0:20): Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH

Old State = IKE_READY New State = IKE_R_AM_AAA_AWAIT

4w0d: ISAKMP: got callback 1

4w0d: ISAKMP (0:20): SKEYID state generated

4w0d: ISAKMP (0:20): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR

4w0d: ISAKMP (20): ID payload

next-payload : 10

type : 1

protocol : 17

port : 500

length : 8

4w0d: ISAKMP (20): Total payload length: 12

4w0d: ISAKMP (0:20): sending packet to ****** (R) AG_INIT_EXCH

4w0d: ISAKMP (0:20): Input = IKE_MESG_FROM_AAA, PRESHARED_KEY_REPLY

Old State = IKE_R_AM_AAA_AWAIT New State = IKE_R_AM2

4w0d: ISAKMP (0:19): purging SA., sa=2E3BD30, delme=2E3BD30

4w0d: ISAKMP: Unlocking CONFIG struct 0x2DDB564 on return of attributes, count 2

4w0d: ISAKMP (0:20): received packet from ****** (R) AG_INIT_EXCH

4w0d: ISAKMP (0:20): phase 1 packet is a duplicate of a previous packet.

4w0d: ISAKMP (0:20): retransmitting due to retransmit phase 1

4w0d: ISAKMP (0:20): retransmitting phase 1 AG_INIT_EXCH...

4w0d: ISAKMP (0:20): retransmitting phase 1 AG_INIT_EXCH...

4w0d: ISAKMP (0:20): incrementing error counter on sa: retransmit phase 1

4w0d: ISAKMP (0:20): retransmitting phase 1 AG_INIT_EXCH

4w0d: ISAKMP (0:20): sending packet to ****** (R) AG_INIT_EXCH

4w0d: ISAKMP (0:20): received packet from ****** (R) AG_INIT_EXCH

4w0d: ISAKMP (0:20): phase 1 packet is a duplicate of a previous packet.

4w0d: ISAKMP (0:20): retransmitting due to retransmit phase 1

4w0d: ISAKMP (0:20): retransmitting phase 1 AG_INIT_EXCH...

4w0d: ISAKMP (0:20): retransmitting phase 1 AG_INIT_EXCH...

4w0d: ISAKMP (0:20): incrementing error counter on sa: retransmit phase 1

4w0d: ISAKMP (0:20): retransmitting phase 1 AG_INIT_EXCH

4w0d: ISAKMP (0:20): sending packet to ****** (R) AG_INIT_EXCH

4w0d: ISAKMP (0:20): received packet from ****** (R) AG_INIT_EXCH

4w0d: ISAKMP (0:20): phase 1 packet is a duplicate of a previous packet.

4w0d: ISAKMP (0:20): retransmitting due to retransmit phase 1

4w0d: ISAKMP (0:20): retransmitting phase 1 AG_INIT_EXCH...

4w0d: ISAKMP (0:20): retransmitting phase 1 AG_INIT_EXCH...

4w0d: ISAKMP (0:20): incrementing error counter on sa: retransmit phase 1

4w0d: ISAKMP (0:20): retransmitting phase 1 AG_INIT_EXCH

4w0d: ISAKMP (0:20): sending packet to ****** (R) AG_INIT_EXCH

4w0d: ISAKMP (0:20): retransmitting phase 1 AG_INIT_EXCH...

4w0d: ISAKMP (0:20): incrementing error counter on sa: retransmit phase 1

4w0d: ISAKMP (0:20): retransmitting phase 1 AG_INIT_EXCH

4w0d: ISAKMP (0:20): sending packet to ****** (R) AG_INIT_EXCH

4w0d: ISAKMP (0:17): purging SA., sa=2E431DC, delme=2E431DC

4w0d: ISAKMP: Unlocking CONFIG struct 0x2D5ABE8 on return of attributes, count 2

4w0d: ISAKMP (0:0): received packet from ****** (N) NEW SA

Any help would be greatly appreciated, and please be gentle, VPNs are relatively new to me.

Thanks in advance.

1 Accepted Solution

Did you change any of your modem connection settings recently?

Maybe your dialup provider is filtering something you need?

5 Replies

ptran

Is there any firewall in between the devices? If there is, check your firewall rule/policy to see whether udp/tcp port 500 is allowed through your firewall.

Thanks for replying.

There is no Firewall involved.

What I find strange is that all the other devices connect with no problems and the Laptop (56k Dialin) has managed to connect on the odd occasion.

However, I haven't changed the config at all and the Laptop refuses to connect. All other devices connect first time. I thought the fault therefore must be local to the laptop, but I'm using the same version of software (Cisco VPN Client) and settings as in the office and the office connects each time.

Did you change any of your modem connection settings recently?

Maybe your dialup provider is filtering something you need?

No changes have been made to any equipment.

This problem seems to be quite intermittent. I managed to connect again yesterday (once only) before it stopped working again.

Can someone tell me which port number ISAKMP uses?

Is it 500? It's strange how this manages to negotiate the pre-shared key and then fails on AG_INIT_EXCH

Can anyone elaborate on what this "AG_INIT_EXCH" is?

Managed to fix this fault today.

It turns out that VPN client software 3.63a works correctly whereas 4.02a does not.

Strange...

Thanks all for your replies, I do value your comments.
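
An added example, not part of the original thread and not Cisco tooling: a small Python triage script for `debug crypto isakmp` output like the one posted above. It decodes the proposed lifetime octets and counts, per SA, how often the router saw a duplicate phase 1 packet and incremented its retransmit error counter, which is the loop SA 20 sits in; the function names and the threshold of 2 are assumptions of this example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: a subset of the debug lines posted in the thread (peer already masked).
SAMPLE = """\
4w0d: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
4w0d: ISAKMP (0:20): sending packet to ****** (R) AG_INIT_EXCH
4w0d: ISAKMP (0:19): purging SA., sa=2E3BD30, delme=2E3BD30
4w0d: ISAKMP (0:20): received packet from ****** (R) AG_INIT_EXCH
4w0d: ISAKMP (0:20): phase 1 packet is a duplicate of a previous packet.
4w0d: ISAKMP (0:20): incrementing error counter on sa: retransmit phase 1
4w0d: ISAKMP (0:20): sending packet to ****** (R) AG_INIT_EXCH
4w0d: ISAKMP (0:20): received packet from ****** (R) AG_INIT_EXCH
4w0d: ISAKMP (0:20): phase 1 packet is a duplicate of a previous packet.
4w0d: ISAKMP (0:20): incrementing error counter on sa: retransmit phase 1
"""

SA_RE = re.compile(r"ISAKMP \((?:\d+:)?(\d+)\): (.*)")   # matches "(0:20)" and "(20)"
EVENTS = {"sending packet to": "sent", "received packet from": "received",
          "duplicate of a previous packet": "duplicate",
          "incrementing error counter": "error"}          # log fragment -> counter name

def decode_vpi(line):
    """Return the big-endian integer in a '(VPI) of 0x.. 0x..' line, else None."""
    if "(VPI) of" not in line:
        return None
    octets = re.findall(r"0x([0-9A-Fa-f]{1,2})", line.split("(VPI) of", 1)[1])
    return int.from_bytes(bytes(int(o, 16) for o in octets), "big")

def summarize(log):
    """Count send/receive/duplicate/error events per SA id."""
    stats = defaultdict(Counter)
    for line in log.splitlines():
        m = SA_RE.search(line)
        if m:
            for fragment, name in EVENTS.items():
                if fragment in m.group(2):
                    stats[int(m.group(1))][name] += 1
    return stats

def stalled_sas(log, threshold=2):
    """SA ids whose phase 1 keeps looping: repeated duplicates plus error increments."""
    return sorted(sa for sa, c in summarize(log).items()
                  if c["duplicate"] >= threshold and c["error"] >= threshold)

if __name__ == "__main__":
    print("proposed lifetime (s):", next(filter(None, map(decode_vpi, SAMPLE.splitlines()))))
    for sa in stalled_sas(SAMPLE):
        print("SA", sa, dict(summarize(SAMPLE)[sa]))
```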
