Cisco Support Community

New Member

Cisco VPN - need help

Hello to all the nice people here who are always willing to help.

I have a problem with a Cisco 1841 security router and PIX 515E VPN configuration. I will try not to waste your time, so here is the problem.

When I debug with debug crypto isakmp in Phase I, step 6, I get Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE, and that is supposed to mean phase one is OK.

After that I receive many "delete" messages and the VPN status is down-negotiating. Can anyone help me find out where the problem is?

This is part of the debug log:

*Dec 21 14:40:08.011: ISAKMP (0:134217780): received packet from XXXXXXXXXXXX dport 500 sport 500 Global (I) QM_IDLE
*Dec 21 14:40:08.011: ISAKMP: set new node 1393030965 to QM_IDLE
*Dec 21 14:40:08.011: ISAKMP:(0:52:SW:1): processing HASH payload. message ID = 1393030965
*Dec 21 14:40:08.011: ISAKMP:received payload type 18
*Dec 21 14:40:08.011: ISAKMP:(0:52:SW:1): processing DELETE_WITH_REASON payload, message ID = 1393030965, reason: Unknown delete reason!
*Dec 21 14:40:08.011: ISAKMP:(0:52:SW:1):peer does not do paranoid keepalives.
*Dec 21 14:40:08.011: ISAKMP:(0:52:SW:1):deleting SA reason "IKE SA Lifetime Exceeded" state (I) QM_IDLE       (peer 80.87.245.3)
*Dec 21 14:40:08.011: ISAKMP:(0:52:SW:1):deleting node 1393030965 error FALSE reason "Informational (in) state 1"
*Dec 21 14:40:08.015: ISAKMP:(0:52:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Dec 21 14:40:08.015: ISAKMP:(0:52:SW:1):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA
*Dec 21 14:40:08.015: ISAKMP:(0:52:SW:1):deleting SA reason "No reason" state (I) QM_IDLE       (peer 80.87.245.3)
*Dec 21 14:40:08.015: ISAKMP: Unlocking IKE struct 0x6412C6E4 for isadb_mark_sa_deleted(), count 0
*Dec 21 14:40:08.015: ISAKMP: Deleting peer node by peer_reap XXXXXXXXXXXX: 6412C6E4
*Dec 21 14:40:08.015: ISAKMP:(0:52:SW:1):deleting node -768789008 error FALSE reason "IKE deleted"
*Dec 21 14:40:08.015: ISAKMP:(0:52:SW:1):deleting node 697700968 error FALSE reason "IKE deleted"
*Dec 21 14:40:08.015: ISAKMP:(0:52:SW:1):deleting node 1393030965 error FALSE reason "IKE deleted"
*Dec 21 14:40:08.015: ISAKMP:(0:52:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Dec 21 14:40:08.015: ISAKMP:(0:52:SW:1):Old State = IKE_DEST_SA New State = IKE_DEST_SA

Thanks in advance…
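The debug excerpt above, read programmatically. This is an added example, not part of the original post and not Cisco code: a small Python parser that groups `debug crypto isakmp` lines by SA, records state transitions, local "deleting SA" events and DELETE payloads received from the peer, and gives each SA a label. The sample input is constructed from the lines posted above; the label names and the hint text are this example's own convention, not IOS output.

```python
"""Added example (not from the thread, not Cisco code): pull per-SA state
transitions and deletion events out of `debug crypto isakmp` output so the
sequence in the original post can be read at a glance."""
import re
from collections import defaultdict

# Constructed sample, abridged from the debug log in the original post.
SAMPLE_DEBUG = """\
*Dec 21 14:40:08.011: ISAKMP (0:134217780): received packet from XXXXXXXXXXXX dport 500 sport 500 Global (I) QM_IDLE
*Dec 21 14:40:08.011: ISAKMP:(0:52:SW:1): processing HASH payload. message ID = 1393030965
*Dec 21 14:40:08.011: ISAKMP:(0:52:SW:1): processing DELETE_WITH_REASON payload, message ID = 1393030965, reason: Unknown delete reason!
*Dec 21 14:40:08.011: ISAKMP:(0:52:SW:1):deleting SA reason "IKE SA Lifetime Exceeded" state (I) QM_IDLE       (peer 80.87.245.3)
*Dec 21 14:40:08.015: ISAKMP:(0:52:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Dec 21 14:40:08.015: ISAKMP:(0:52:SW:1):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA
*Dec 21 14:40:08.015: ISAKMP:(0:52:SW:1):deleting SA reason "No reason" state (I) QM_IDLE       (peer 80.87.245.3)
*Dec 21 14:40:08.015: ISAKMP:(0:52:SW:1):Old State = IKE_DEST_SA New State = IKE_DEST_SA
"""

# Only lines tagged with an SA id ("ISAKMP:(0:52:SW:1):...") carry SA state.
SA_RE = re.compile(r"ISAKMP:\((?P<sa>[^)]+)\):\s*(?P<msg>.*)$")
STATE_RE = re.compile(r"Old State = (?P<old>\S+) New State = (?P<new>\S+)")
DELETE_RE = re.compile(
    r'deleting SA reason "(?P<reason>[^"]+)" state \((?P<role>[IR])\) (?P<state>\S+)\s+\(peer (?P<peer>[^)]+)\)'
)
# A DELETE / DELETE_WITH_REASON payload is something the *peer* sent us.
PAYLOAD_RE = re.compile(r"processing DELETE(?:_WITH_REASON)? payload")


def parse_isakmp_debug(text):
    """Return {sa_id: {"transitions": [(old, new)], "deletes": [(reason, peer)],
    "peer_deletes": count_of_delete_payloads_received}}."""
    sas = defaultdict(lambda: {"transitions": [], "deletes": [], "peer_deletes": 0})
    for line in text.splitlines():
        m = SA_RE.search(line)
        if not m:
            continue  # e.g. "received packet ..." lines have no SA tag
        sa, msg = sas[m["sa"]], m["msg"]
        s = STATE_RE.search(msg)
        d = DELETE_RE.search(msg)
        if s:
            sa["transitions"].append((s["old"], s["new"]))
        elif d:
            sa["deletes"].append((d["reason"], d["peer"]))
        elif PAYLOAD_RE.search(msg):
            sa["peer_deletes"] += 1
    return dict(sas)


# Labels and hints are this example's own convention, not IOS output.
HINTS = {
    "P1_NOT_COMPLETED": "phase 1 never finished: compare the isakmp policy "
                        "(encryption, hash, group, auth) and the pre-shared key on both peers",
    "PEER_DELETED_AFTER_P1": "phase 1 matched and the peer sent the DELETE, so the local "
                             "reason string is not the cause; check phase 2 on both ends "
                             "(transform set, mirror-image crypto ACL, NAT exemption) and the peer's logs",
    "LOCALLY_DELETED_AFTER_P1": "this router tore the SA down itself; the quoted reason applies",
    "P1_UP": "phase 1 is up and nothing deleted it in this excerpt",
}


def classify(parsed):
    """One label per SA, derived only from what the debug shows."""
    result = {}
    for sa_id, info in parsed.items():
        p1_done = any("IKE_P1_COMPLETE" in t for t in info["transitions"])
        if not p1_done:
            result[sa_id] = "P1_NOT_COMPLETED"
        elif info["peer_deletes"]:
            result[sa_id] = "PEER_DELETED_AFTER_P1"
        elif info["deletes"]:
            result[sa_id] = "LOCALLY_DELETED_AFTER_P1"
        else:
            result[sa_id] = "P1_UP"
    return result


if __name__ == "__main__":
    parsed = parse_isakmp_debug(SAMPLE_DEBUG)
    for sa_id, label in classify(parsed).items():
        print(f"{sa_id}: {label}")
        print(f"  transitions: {parsed[sa_id]['transitions']}")
        print(f"  local deletes: {parsed[sa_id]['deletes']}")
        print(f"  hint: {HINTS[label]}")
```

On the sample this yields PEER_DELETED_AFTER_P1 for SA 0:52:SW:1: the DELETE_WITH_REASON payload from the peer arrives in the same millisecond as the local "IKE SA Lifetime Exceeded" line, so the local reason text is a consequence of the peer's delete rather than the cause. Phase 1 completed and the teardown came from the other side, which is the situation in which phase 2 (transform set, crypto ACL, NAT exemption) is the place to look.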

14 REPLIES

Cisco VPN - need help

It would be better if you pasted the configuration of both ends.

Thanks

Ajay

New Member

Cisco VPN - need help

I don't have access to the PIX, and the 1841 has a lot of configuration... maybe I could paste some more debug output?

New Member

Cisco VPN - need help

I keep receiving this ISAKMP error:

*Dec 23 10:51:08.215: ISAKMP:(0:18:SW:1):deleting SA reason "Recevied fatal informational" state (I) QM_IDLE       (peer xxx.xxx.xxx.xxx)

Any idea?

Cisco VPN - need help

Please post your router config, let's see if I can find something. Sometimes it's really tough to comment based on debug output alone.

Thanks

Ajay

New Member

Re: Cisco VPN - need help

***

Cisco VPN - need help

One quick test you can do: just disable "ip virtual-reassembly" on the interfaces and try once.

Thanks

Ajay

New Member

Cisco VPN - need help

Yes I will, but I think there is some problem with NAT and the ACL. Now I HAVE status IP-Active, but no traffic...

Cisco VPN - need help

Traffic can be checked with the hit counts on the ACL. If the tunnel shows UP, also check show crypto ipsec sa.

New Member

Re: Cisco VPN - need help

These are the two access lists which I use.

Extended IP access list lista1
    10 permit ip 192.168.234.0 0.0.1.255 host 172.28.152.11 (12 matches)
Extended IP access list lan2nat
    10 deny ip 192.168.234.0 0.0.1.255 172.28.0.0 0.0.255.255 (3 matches)
    20 permit ip 192.168.234.0 0.0.1.255 any (31 matches)

The problem is that I can't exclude this address, 172.28.152.11, from NAT; whatever I do, it always traces through NAT and the public interface...

Re: Cisco VPN - need help

It will only do NAT exemption and pass traffic over the VPN for one IP address, 172.28.152.11. The rest should of course use the NAT IP address as configured.

Just make sure the remote end has got the same crypto ACL configured.
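The requirement in the reply above (the remote end's crypto ACL must match) and the NAT exemption the poster is struggling with can both be checked mechanically. The following is an added example, not from the thread and not Cisco code: a Python check that parses the two access lists posted above, verifies that a remote crypto ACL is the exact mirror image of the local one, and verifies that the NAT ACL's deny covers every flow the crypto ACL encrypts. The IOS ACLs are the ones from the post; the PIX-side ACLs (one hypothetically mismatched on the subnet mask, one correct) and the NAT ACL without the deny are assumed for illustration, as are the ACL names.

```python
"""Added example (not from the thread, not Cisco code): crypto ACL mirror
check and NAT exemption coverage check for an IOS-to-PIX IPsec tunnel."""
import ipaddress
import re

# One ACE from `show access-lists` (IOS) or `show access-list` (PIX);
# sequence numbers, ACL names and hit counts are ignored.
ACE_RE = re.compile(
    r"\b(?P<action>permit|deny)\s+ip\s+"
    r"(?P<src>host \S+|any|\S+ \S+)\s+"
    r"(?P<dst>host \S+|any|\S+ \S+)"
)


def _net(token, wildcard):
    """'host A', 'any' or 'A MASK' -> ip_network.  IOS writes MASK as a
    wildcard (0 bits must match), PIX as a subnet mask; the caller must say
    which, since 0.0.0.0 and 255.255.255.255 mean opposite things."""
    if token == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if token.startswith("host "):
        return ipaddress.ip_network(token.split()[1] + "/32")
    addr, mask = token.split()
    bits = int(ipaddress.IPv4Address(mask))
    if wildcard:
        bits ^= 0xFFFFFFFF
    prefixlen = bin(bits).count("1")
    if bits != (0xFFFFFFFF << (32 - prefixlen)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous mask {mask}")
    return ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)


def parse_acl(text, wildcard=True):
    """Return [(action, src_net, dst_net), ...] in ACL order."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.search(line)
        if m:
            aces.append((m["action"], _net(m["src"], wildcard), _net(m["dst"], wildcard)))
    return aces


def _flow(src, dst):
    return f"{src} -> {dst}"


def crypto_acl_mismatches(local_acl, remote_acl, remote_wildcard=False):
    """Phase 2 needs the remote crypto ACL to be the exact mirror image of
    the local one; report flows present on only one side."""
    local = {(s, d) for a, s, d in parse_acl(local_acl) if a == "permit"}
    remote = {(s, d) for a, s, d in parse_acl(remote_acl, remote_wildcard) if a == "permit"}
    mirror = {(d, s) for s, d in local}
    return {
        "missing_on_remote": sorted(_flow(s, d) for s, d in mirror - remote),
        "extra_on_remote": sorted(_flow(s, d) for s, d in remote - mirror),
    }


def nat_exemption_gaps(crypto_acl, nat_acl):
    """Flows the crypto ACL encrypts but the NAT ACL would translate first.
    First matching ACE wins; no match means the implicit deny, i.e. not
    translated.  A deny that covers the flow only partially is reported too."""
    nat = parse_acl(nat_acl)
    gaps = []
    for action, s, d in parse_acl(crypto_acl):
        if action != "permit":
            continue
        for nat_action, ns, nd in nat:
            if s.overlaps(ns) and d.overlaps(nd):
                covered = s.subnet_of(ns) and d.subnet_of(nd)
                if nat_action == "permit" or not covered:
                    gaps.append(_flow(s, d))
                break
    return gaps


# Constructed from the `show access-lists` output posted in the thread.
IOS_CRYPTO_ACL = """\
Extended IP access list lista1
    10 permit ip 192.168.234.0 0.0.1.255 host 172.28.152.11 (12 matches)
"""
IOS_NAT_ACL = """\
Extended IP access list lan2nat
    10 deny ip 192.168.234.0 0.0.1.255 172.28.0.0 0.0.255.255 (3 matches)
    20 permit ip 192.168.234.0 0.0.1.255 any (31 matches)
"""
# Assumed for illustration: the same NAT ACL without the deny (everything gets translated).
IOS_NAT_ACL_NO_EXEMPT = "Extended IP access list lan2nat\n    10 permit ip 192.168.234.0 0.0.1.255 any\n"
# Assumed PIX-side crypto ACLs (PIX syntax uses subnet masks, ACL name is hypothetical):
# a mismatch (/24 where the router uses /23) and the correct mirror image.
PIX_CRYPTO_ACL_BAD = "access-list vpn permit ip host 172.28.152.11 192.168.234.0 255.255.255.0 (hitcnt=0)"
PIX_CRYPTO_ACL_GOOD = "access-list vpn permit ip host 172.28.152.11 192.168.234.0 255.255.254.0 (hitcnt=0)"

if __name__ == "__main__":
    print("mismatch vs bad PIX ACL: ", crypto_acl_mismatches(IOS_CRYPTO_ACL, PIX_CRYPTO_ACL_BAD))
    print("mismatch vs good PIX ACL:", crypto_acl_mismatches(IOS_CRYPTO_ACL, PIX_CRYPTO_ACL_GOOD))
    print("NAT gaps (posted ACL):   ", nat_exemption_gaps(IOS_CRYPTO_ACL, IOS_NAT_ACL))
    print("NAT gaps (no deny):      ", nat_exemption_gaps(IOS_CRYPTO_ACL, IOS_NAT_ACL_NO_EXEMPT))
```

The mask handling is the part that bites in practice: the 1841 prints wildcards (0.0.1.255 for a /23) while the PIX prints subnet masks (255.255.254.0), so comparing the two by eye is where off-by-one-bit mismatches such as /24 versus /23 slip through. For the posted NAT ACL the check reports no gap, since the deny at sequence 10 fully covers the crypto flow; if traffic still leaves translated, the next thing to confirm is that the `ip nat inside source` statement actually references that ACL.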

New Member

Cisco VPN - need help

Maybe you should check the phase 2 messages as well, if any.

A phase 2 failure could also be the reason for clearing the successful phase 1 SA.

New Member

Cisco VPN - need help

Bojan,

Based on your debug log, I saw these two lines:

*Dec 21 14:40:08.011: ISAKMP:(0:52:SW:1):peer does not do paranoid keepalives.

*Dec 21 14:40:08.011: ISAKMP:(0:52:SW:1):deleting SA reason "IKE SA Lifetime Exceeded" state (I) QM_IDLE       (peer 80.87.245.3)

In the past I had the same issue and it was due to IKE lifetime negotiation. Check that on both of the peers you have the same IKE lifetime:

(Sample config) 

******************************************

crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

In addition, make sure you have your keepalives set the same on both peers, and that your crypto mode is set to "aggressive".

See if that resolves your issue.

New Member

Re: Cisco VPN - need help

Thanks all. Problem is solved. There was ACL mismatch, and now all works fine.

BR

Re: Cisco VPN - need help

Good to know that.

Just want to add: phase 1 timers have nothing to do with the teardown of the tunnel. These values are always negotiated and set to the lower one.

Thanks

Ajay
