
Cisco VPN - need help

bojan.vujic
Level 1

Hello to all the nice people here who are always willing to help.

I have a problem with a Cisco 1841 security router and PIX 515E VPN configuration. I will try not to waste your time, so here is the problem.

When I debug with debug crypto isakmp in Phase I, step 6, I get Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE, and that is supposed to mean phase one is OK.

After that I receive many "delete" messages and the VPN status is down-negotiate. Can anyone help me find out where the problem is?

This is part of the debug log:

*Dec 21 14:40:08.011: ISAKMP (0:134217780): received packet from XXXXXXXXXXXX dport 500 sport 500 Global (I) QM_IDLE
*Dec 21 14:40:08.011: ISAKMP: set new node 1393030965 to QM_IDLE
*Dec 21 14:40:08.011: ISAKMP:(0:52:SW:1): processing HASH payload. message ID = 1393030965
*Dec 21 14:40:08.011: ISAKMP:received payload type 18
*Dec 21 14:40:08.011: ISAKMP:(0:52:SW:1): processing DELETE_WITH_REASON payload, message ID = 1393030965, reason: Unknown delete reason!
*Dec 21 14:40:08.011: ISAKMP:(0:52:SW:1):peer does not do paranoid keepalives.
*Dec 21 14:40:08.011: ISAKMP:(0:52:SW:1):deleting SA reason "IKE SA Lifetime Exceeded" state (I) QM_IDLE       (peer 80.87.245.3)
*Dec 21 14:40:08.011: ISAKMP:(0:52:SW:1):deleting node 1393030965 error FALSE reason "Informational (in) state 1"
*Dec 21 14:40:08.015: ISAKMP:(0:52:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Dec 21 14:40:08.015: ISAKMP:(0:52:SW:1):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA
*Dec 21 14:40:08.015: ISAKMP:(0:52:SW:1):deleting SA reason "No reason" state (I) QM_IDLE       (peer 80.87.245.3)
*Dec 21 14:40:08.015: ISAKMP: Unlocking IKE struct 0x6412C6E4 for isadb_mark_sa_deleted(), count 0
*Dec 21 14:40:08.015: ISAKMP: Deleting peer node by peer_reap XXXXXXXXXXXX: 6412C6E4
*Dec 21 14:40:08.015: ISAKMP:(0:52:SW:1):deleting node -768789008 error FALSE reason "IKE deleted"
*Dec 21 14:40:08.015: ISAKMP:(0:52:SW:1):deleting node 697700968 error FALSE reason "IKE deleted"
*Dec 21 14:40:08.015: ISAKMP:(0:52:SW:1):deleting node 1393030965 error FALSE reason "IKE deleted"
*Dec 21 14:40:08.015: ISAKMP:(0:52:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Dec 21 14:40:08.015: ISAKMP:(0:52:SW:1):Old State = IKE_DEST_SA New State = IKE_DEST_SA

Thanks in advance…
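The posted debug is easier to read once the ISAKMP lines are reduced to events: the sequence "received packet", "processing DELETE_WITH_REASON payload", then "deleting SA reason ..." and the IKE_P1_COMPLETE to IKE_DEST_SA transition shows a phase 1 SA being torn down right after a delete notification arrives from the peer. The following scanner is an added example, not code from the original post or from Cisco; it parses those three line shapes with regular expressions and summarizes them. The sample lines are constructed to match the shape of the debug above (the peer address is a documentation address, and the misspelled reason string "Recevied fatal informational" is kept as IOS prints it).

```python
"""Scan Cisco IOS 'debug crypto isakmp' output for SA deletions and state transitions."""
import re
from collections import Counter

# Constructed sample in the same shape as the debug excerpt above (not the original log).
SAMPLE_DEBUG = """\
*Dec 21 14:40:08.011: ISAKMP (0:134217780): received packet from 203.0.113.5 dport 500 sport 500 Global (I) QM_IDLE
*Dec 21 14:40:08.011: ISAKMP:(0:52:SW:1): processing DELETE_WITH_REASON payload, message ID = 1393030965, reason: Unknown delete reason!
*Dec 21 14:40:08.011: ISAKMP:(0:52:SW:1):deleting SA reason "IKE SA Lifetime Exceeded" state (I) QM_IDLE       (peer 203.0.113.5)
*Dec 21 14:40:08.015: ISAKMP:(0:52:SW:1):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA
*Dec 21 14:40:08.015: ISAKMP:(0:52:SW:1):deleting SA reason "No reason" state (I) QM_IDLE       (peer 203.0.113.5)
*Dec 23 10:51:08.215: ISAKMP:(0:18:SW:1):deleting SA reason "Recevied fatal informational" state (I) QM_IDLE       (peer 203.0.113.5)
*Dec 23 10:51:09.000: ISAKMP:(0:19:SW:1):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
"""

TS = r"\*(?P<ts>\w{3}\s+\d+\s+[\d:.]+)"
DELETE_RE = re.compile(
    TS + r": ISAKMP:\((?P<sa>[^)]*)\):deleting SA reason \"(?P<reason>[^\"]*)\""
    r" state \((?P<role>[IR])\) (?P<state>\S+)\s+\(peer (?P<peer>[^)]+)\)")
TRANS_RE = re.compile(
    TS + r": ISAKMP:\((?P<sa>[^)]*)\):Old State = (?P<old>\S+) New State = (?P<new>\S+)")
DELPAYLOAD_RE = re.compile(
    TS + r": ISAKMP:\((?P<sa>[^)]*)\): processing DELETE_WITH_REASON payload,"
    r" message ID = (?P<mid>\d+), reason: (?P<reason>.*)")


def parse_isakmp_debug(text):
    """Turn debug lines into a list of event dicts; lines that match nothing are skipped."""
    events = []
    for line in text.splitlines():
        for kind, rx in (("delete", DELETE_RE), ("transition", TRANS_RE),
                         ("delete_payload", DELPAYLOAD_RE)):
            m = rx.search(line)
            if m:
                events.append({"kind": kind, **m.groupdict()})
                break
    return events


def summarize(events):
    """Count delete reasons, phase 1 completions, phase 1 teardowns and peer-sent deletes."""
    reasons = Counter(e["reason"] for e in events if e["kind"] == "delete")
    teardowns = [e for e in events if e["kind"] == "transition"
                 and e["old"] == "IKE_P1_COMPLETE" and e["new"] == "IKE_DEST_SA"]
    completions = [e for e in events if e["kind"] == "transition"
                   and e["new"] == "IKE_P1_COMPLETE" and e["old"] != "IKE_P1_COMPLETE"]
    peer_deletes = [e for e in events if e["kind"] == "delete_payload"]
    return {"delete_reasons": dict(reasons),
            "p1_completions": len(completions),
            "p1_teardowns": len(teardowns),
            "peer_delete_payloads": len(peer_deletes)}


if __name__ == "__main__":
    for event in parse_isakmp_debug(SAMPLE_DEBUG):
        print(event)
    print(summarize(parse_isakmp_debug(SAMPLE_DEBUG)))
```

Run it against a saved `debug crypto isakmp` capture instead of SAMPLE_DEBUG; a teardown count that keeps pace with the completion count, with a DELETE_WITH_REASON payload in between each pair, tells you the tunnel is being torn down by the peer rather than failing to build.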

14 Replies

ajay chauhan
Level 7

It would be better if you pasted both ends' configuration.

Thanks

Ajay

I don't have access to the PIX, and the 1841 has a lot of configuration... maybe I could paste some debug?

I keep receiving this ISAKMP error:

*Dec 23 10:51:08.215: ISAKMP:(0:18:SW:1):deleting SA reason "Recevied fatal informational" state (I) QM_IDLE       (peer xxx.xxx.xxx.xxx)

Any idea?

Please post your router config; let's see if I can find something. Sometimes it's really tough to comment based on debug.

Thanks

Ajay

***

One quick test you can do: just disable "ip virtual-reassembly" on the interfaces and try once.

Thanks

Ajay

Yes I will, but I think there is some problem with NAT and the ACL. Now I have status IP-Active but no traffic...

Traffic can be checked with hit counts on the ACL. If the tunnel shows UP, also check show crypto ipsec sa.

These are the two access lists which I use:

Extended IP access list lista1
    10 permit ip 192.168.234.0 0.0.1.255 host 172.28.152.11 (12 matches)

Extended IP access list lan2nat
    10 deny ip 192.168.234.0 0.0.1.255 172.28.0.0 0.0.255.255 (3 matches)
    20 permit ip 192.168.234.0 0.0.1.255 any (31 matches)

The problem is that I can't exclude this address, 172.28.152.11, from NAT; whatever I do, a trace always goes through NAT and the public interface.

It will only do NAT exempt and pass traffic over the VPN for one IP address, 172.28.152.11. The rest should of course use the NAT IP address as configured.

Just make sure the remote end has got the same crypto ACL configured.
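Two things are being checked in the exchange above: whether a given flow is denied by the NAT ACL (so its source stays untranslated on the way out; on IOS inside-to-outside NAT happens before the crypto map is consulted) and permitted by the crypto ACL, and whether the remote peer's crypto ACL is the exact mirror of the local one. The following is an added example, not code from the thread or from Cisco: it implements Cisco wildcard-mask matching with first-match and implicit deny, loads the two lists posted above, and compares a remote crypto ACL (constructed text, assumed) against the mirror of lista1. The helper names are my own.

```python
"""Evaluate Cisco IOS wildcard-mask ACLs and check that two peers' crypto ACLs mirror each other."""
import ipaddress


def wild_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def parse_ace(text):
    """Parse '<permit|deny> ip <src> [wc] <dst> [wc]' with the 'host X' and 'any' shorthands."""
    tokens = text.split()
    action, proto, rest = tokens[0], tokens[1], tokens[2:]

    def take():
        nonlocal rest
        if rest[0] == "any":
            rest = rest[1:]
            return ("0.0.0.0", "255.255.255.255")
        if rest[0] == "host":
            addr, rest = rest[1], rest[2:]
            return (addr, "0.0.0.0")
        base, wc, rest = rest[0], rest[1], rest[2:]
        return (base, wc)

    src = take()
    dst = take()
    return {"action": action, "proto": proto, "src": src, "dst": dst}


def evaluate(acl, src, dst):
    """First matching entry wins; an ACL ends with an implicit deny."""
    for ace in acl:
        if wild_match(src, *ace["src"]) and wild_match(dst, *ace["dst"]):
            return ace["action"]
    return "deny"


def mirror(acl):
    """The crypto ACL on the other peer must have source and destination swapped."""
    return [{**ace, "src": ace["dst"], "dst": ace["src"]} for ace in acl]


def same_acl(a, b):
    key = lambda x: (x["action"], x["proto"], x["src"], x["dst"])
    return [key(x) for x in a] == [key(x) for x in b]


# The two lists posted in the thread, as parsed entries.
LISTA1 = [parse_ace("permit ip 192.168.234.0 0.0.1.255 host 172.28.152.11")]
LAN2NAT = [parse_ace("deny ip 192.168.234.0 0.0.1.255 172.28.0.0 0.0.255.255"),
           parse_ace("permit ip 192.168.234.0 0.0.1.255 any")]


def classify_flow(src, dst):
    """What the 1841 should do with a flow: translate it (NAT ACL permit) and/or encrypt it (crypto ACL permit)."""
    return {"nat": evaluate(LAN2NAT, src, dst) == "permit",
            "encrypt": evaluate(LISTA1, src, dst) == "permit"}


def remote_mirrors_local(local_acl, remote_ace_lines):
    """True when the remote crypto ACL is exactly the mirror of the local one."""
    return same_acl(mirror(local_acl), [parse_ace(t) for t in remote_ace_lines])


if __name__ == "__main__":
    print(classify_flow("192.168.235.7", "172.28.152.11"))   # in the VPN range, exempt from NAT
    print(classify_flow("192.168.234.10", "198.51.100.1"))   # ordinary internet traffic, translated
    print(remote_mirrors_local(LISTA1, ["permit ip host 172.28.152.11 192.168.234.0 0.0.1.255"]))
    print(remote_mirrors_local(LISTA1, ["permit ip host 172.28.152.11 192.168.234.0 0.0.0.255"]))
```

The second mirror check is the kind of mismatch that looks harmless in a config diff (a wildcard of 0.0.0.255 instead of 0.0.1.255) but produces a crypto ACL that does not match the peer's proposal.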

sourabh.naik
Level 1

Maybe you should check phase 2 messages as well, if any.

A phase 2 failure could also be the reason for clearing the successful phase 1 SA.

Bojan,

Based on your debug log, I saw these two lines:

*Dec 21 14:40:08.011: ISAKMP:(0:52:SW:1):peer does not do paranoid keepalives.

*Dec 21 14:40:08.011: ISAKMP:(0:52:SW:1):deleting SA reason "IKE SA Lifetime Exceeded" state (I) QM_IDLE       (peer 80.87.245.3)

In the past I had the same issue and it was due to IKE lifetime negotiation. Check that on both of the peers you have the same IKE lifetime:

(Sample config)

******************************************

crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

In addition, make sure you have your keepalives set the same on both peers, and that your crypto mode is set to "aggressive".

See if that resolves your issue.
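To check the phase 1 policies on both ends without access to the other box's console, it helps to parse the "crypto isakmp policy" stanzas from each running-config and walk them the way IOS does: policies are compared in priority order and a pair matches when authentication, encryption, hash and DH group are identical, with the shorter of the two lifetimes used. This is an added example, not code from the reply above or from Cisco; the local config is the sample policy above, the remote config is constructed, and the default values filled in for omitted lines are the classic IOS defaults (rsa-sig, des, sha, group 1, 86400). The IOS built-in default policy at priority 65535 is not modeled.

```python
"""Compare 'crypto isakmp policy' stanzas from two IOS configs and predict the phase 1 match."""
import re

# Constructed sample configs. LOCAL_CFG copies the sample policy from the reply above.
LOCAL_CFG = """\
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
"""

REMOTE_CFG = """\
crypto isakmp policy 10
 authentication pre-share
 encryption aes 256
 hash sha
 group 5
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 28800
"""

# Values IOS assumes when a policy line is omitted (classic IOS defaults).
DEFAULTS = {"authentication": "rsa-sig", "encryption": "des", "hash": "sha",
            "group": "1", "lifetime": "86400"}
MATCH_ATTRS = ("authentication", "encryption", "hash", "group")


def parse_isakmp_policies(cfg):
    """Return {priority: {attr: value}} in ascending priority order, defaults filled in."""
    policies = {}
    current = None
    for line in cfg.splitlines():
        m = re.match(r"crypto isakmp policy (\d+)\s*$", line)
        if m:
            current = int(m.group(1))
            policies[current] = dict(DEFAULTS)
            continue
        if current is not None and line.startswith(" "):
            key, _, value = line.strip().partition(" ")
            if key in DEFAULTS:
                policies[current][key] = value.strip()
        elif line and not line.startswith(" "):
            current = None          # left the stanza
    return dict(sorted(policies.items()))


def negotiate(initiator_cfg, responder_cfg):
    """First pair (initiator priority order, then responder priority order) whose attributes
    all match; the negotiated lifetime is the lower of the two. None when nothing matches."""
    ini = parse_isakmp_policies(initiator_cfg)
    rsp = parse_isakmp_policies(responder_cfg)
    for ip, ipol in ini.items():
        for rp, rpol in rsp.items():
            if all(ipol[k] == rpol[k] for k in MATCH_ATTRS):
                return {"initiator_policy": ip, "responder_policy": rp,
                        "lifetime": min(int(ipol["lifetime"]), int(rpol["lifetime"]))}
    return None


def explain_mismatch(initiator_cfg, responder_cfg):
    """For troubleshooting: which attributes differ between every policy pair."""
    ini = parse_isakmp_policies(initiator_cfg)
    rsp = parse_isakmp_policies(responder_cfg)
    return {(ip, rp): [k for k in MATCH_ATTRS if ipol[k] != rpol[k]]
            for ip, ipol in ini.items() for rp, rpol in rsp.items()}


if __name__ == "__main__":
    print(negotiate(LOCAL_CFG, REMOTE_CFG))
    print(explain_mismatch(LOCAL_CFG, REMOTE_CFG))
```

With the sample inputs the local policy 5 matches remote policy 20 and the lifetime comes out as 28800, the lower of the two; the mismatch map shows that policy 10 differs only in encryption and group, which is the detail a "no matching policy" debug message will not give you.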

Thanks all. The problem is solved. There was an ACL mismatch, and now everything works fine.

BR

Good to know that.

Just want to add: phase 1 timers have nothing to do with teardown of the tunnel. These values are always negotiated and set to the lower one.

Thanks

Ajay
