10-16-2007 07:55 AM - edited 02-21-2020 03:19 PM
I got a calling saying a site to site vpn went down at lunch time. here is the output from
debug crypto map iskamp
anyone got any ideas why phase 1 wont establish. apparently the config has not changed
004135: Oct 16 15:46:18.252 GMT: ISAKMP:(0): SA request profile is (NULL)
004136: Oct 16 15:46:18.252 GMT: ISAKMP: Created a peer struct for 1.2.3.4, peer port 500
004137: Oct 16 15:46:18.252 GMT: ISAKMP: New peer created peer = 0x66987258 peer_handle = 0x80000091
004138: Oct 16 15:46:18.252 GMT: ISAKMP: Locking peer struct 0x66987258, refcount 1 for isakmp_initiator
004139: Oct 16 15:46:18.252 GMT: ISAKMP:(0):Setting client config settings 648D8E78
004140: Oct 16 15:46:18.252 GMT: ISAKMP: local port 500, remote port 500
004141: Oct 16 15:46:18.252 GMT: ISAKMP: set new node 0 to QM_IDLE
004142: Oct 16 15:46:18.252 GMT: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 642FE3D4
004143: Oct 16 15:46:18.252 GMT: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
004144: Oct 16 15:46:18.252 GMT: ISAKMP:(0):found peer pre-shared key matching 1.2.3.4
004145: Oct 16 15:46:18.252 GMT: ISAKMP:(0): constructed NAT-T vendor-07 ID
004146: Oct 16 15:46:18.252 GMT: ISAKMP:(0): constructed NAT-T vendor-03 ID
004147: Oct 16 15:46:18.252 GMT: ISAKMP:(0): constructed NAT-T vendor-02 ID
004148: Oct 16 15:46:18.252 GMT: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
004149: Oct 16 15:46:18.252 GMT: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
004150: Oct 16 15:46:18.252 GMT: ISAKMP:(0): beginning Main Mode exchange
004151: Oct 16 15:46:18.252 GMT: ISAKMP:(0): sending packet to 1.2.3.4 my_port 500 peer_port 500 (I) MM_NO_STATE
Hestia#
Hestia#
Hestia#
004152: Oct 16 15:46:28.251 GMT: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
004153: Oct 16 15:46:28.251 GMT: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
004154: Oct 16 15:46:28.251 GMT: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
004155: Oct 16 15:46:28.251 GMT: ISAKMP:(0): sending packet to 1.2.3.4 my_port 500 peer_port 500 (I) MM_NO_STATE
10-22-2007 10:55 AM
Try the commands 'clear crypto sa' and 'clear crypto isakmp' to clear and bring up the tunnel. Refer to URL
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a00800949c5.shtml
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide