Cisco Support Community

New Member

DMVPN problem MM_KEY_Exch

Hi..

I have around 100 sites that all connect to my hub DMVPN router and all work fine except one.. heh.

Here is the debug.

I am sure the configs are the same as I use it in like 100 other sites so everything else works great and this one worked great but now it doesn't.

I have pings on both ends so that's fine too.

r0#debug crypto isakmp

Crypto ISAKMP debugging is on

milwaukee-rtr0#u all             

Mar 13 07:52:48.496: ISAKMP:(0:1508:SW:1): retransmitting phase 1 MM_KEY_EXCH...

Mar 13 07:52:48.496: ISAKMP (0:134219236): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1

Mar 13 07:52:48.496: ISAKMP:(0:1508:SW:1): retransmitting phase 1 MM_KEY_EXCH

Mar 13 07:52:48.496: ISAKMP:(0:1508:SW:1): sending packet to 70.236.111.11 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH

Mar 13 07:52:48.500: ISAKMP:(0:1509:SW:1): retransmitting phase 1 MM_KEY_EXCH...

Mar 13 07:52:48.500: ISAKMP (0:134219237): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1

Mar 13 07:52:48.500: ISAKMP:(0:1509:SW:1): retransmitting phase 1 MM_KEY_EXCH

Mar 13 07:52:48.500: ISAKMP:(0:1509:SW:1): sending packet to 70.236.111.11 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH

Mar 13 07:52:58.344: ISAKMP:(0:1507:SW:1):purging node 1384246893

Mar 13 07:52:58.344: ISAKMP:(0:1506:SW:1):purging node -169644745

Mar 13 07:52:58.496: ISAKMP:(0:1508:SW:1): retransmitting phase 1 MM_KEY_EXCH...

Mar 13 07:52:58.496: ISAKMP (0:134219236): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1

Mar 13 07:52:58.496: ISAKMP:(0:1508:SW:1): retransmitting phase 1 MM_KEY_EXCH

Mar 13 07:52:58.496: ISAKMP:(0:1508:SW:1): sending packet to 70.236.111.11 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH

Mar 13 07:52:58.500: ISAKMP:(0:1509:SW:1): retransmitting phase 1 MM_KEY_EXCH...

Mar 13 07:52:58.500: ISAKMP (0:134219237): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1

Mar 13 07:52:58.500: ISAKMP:(0:1509:SW:1): retransmitting phase 1 MM_KEY_EXCH

Mar 13 07:52:58.500: ISAKMP:(0:1509:SW:1): sending packet to 70.236.111.11 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH

Mar 13 07:53:08.343: ISAKMP:(0:1507:SW:1):purging SA., sa=65155984, delme=65155984

Mar 13 07:53:08.343: ISAKMP:(0:1506:SW:1):purging SA., sa=66D59880, delme=66D59880

Mar 13 07:53:08.343: ISAKMP: received ke message (3/1)

Mar 13 07:53:08.343: ISAKMP:(0:1509:SW:1):peer does not do paranoid keepalives.

Mar 13 07:53:08.343: ISAKMP:(0:1509:SW:1):deleting SA reason "P1 delete notify (in)" state (I) MM_KEY_EXCH (peer 70.236.111.11)

Mar 13 07:53:08.343: ISAKMP:(0:1508:SW:1):peer does not do paranoid keepalives.

Mar 13 07:53:08.343: ISAKMP:(0:1508:SW:1):deleting SA reason "P1 delete notify (in)" state (I) MM_KEY_EXCH (peer 70.236.111.11)

Mar 13 07:53:08.343: ISAKMP: received ke message (1/1)

Mar 13 07:53:08.343: ISAKMP:(0:0:N/A:0): SA request profile is (NULL)

Mar 13 07:53:08.343: ISAKMP: Created a peer struct for 70.236.111.11, peer port 500

Mar 13 07:53:08.343: ISAKMP: New peer created peer = 0x6514EEA0 peer_handle = 0x800051ED

Mar 13 07:53:08.343: ISAKMP: Locking peer struct 0x6514EEA0, IKE refcount 1 for isakmp_initiator

Mar 13 07:53:08.343: ISAKMP: local port 500, remote port 500

Mar 13 07:53:08.343: ISAKMP: set new node 0 to QM_IDLE     

Mar 13 07:53:08.343: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 65154190

Mar 13 07:53:08.343: ISAKMP:(0:0:N/A:0):Can not start Aggressive mode, trying Main mode.

Mar 13 07:53:08.343: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 70.236.111.11

Mar 13 07:53:08.343: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-07 ID

Mar 13 07:53:08.343: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-03 ID

Mar 13 07:53:08.343: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-02 ID

Mar 13 07:53:08.343: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM

Mar 13 07:53:08.343: ISAKMP:(0:0:N/A:0):Old State = IKE_READY  New State = IKE_I_MM1

Mar 13 07:53:08.343: ISAKMP:(0:0:N/A:0): beginning Main Mode exchange

Mar 13 07:53:08.343: ISAKMP:(0:0:N/A:0): sending packet to 70.236.111.11 my_port 500 peer_port 500 (I) MM_NO_STATE

Mar 13 07:53:08.343: ISAKMP:(0:1509:SW:1):deleting SA reason "P1 delete notify (in)" state (I) MM_KEY_EXCH (peer 70.236.111.11)

Mar 13 07:53:08.343: ISAKMP: Unlocking IKE struct 0x65155608 for isadb_mark_sa_deleted(), count 0

Mar 13 07:53:08.343: ISAKMP: Deleting peer node by peer_reap for 70.236.111.11: 65155608

Mar 13 07:53:08.343: ISAKMP:(0:1509:SW:1):deleting node -816338854 error FALSE reason "IKE deleted"

Mar 13 07:53:08.343: ISAKMP:(0:1509:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL

Mar 13 07:53:08.343: ISAKMP:(0:1509:SW:1):Old State = IKE_I_MM5  New State = IKE_DEST_SA

Mar 13 07:53:08.343: ISAKMP:(0:1508:SW:1):deleting SA reason "P1 delete notify (in)" state (I) MM_KEY_EXCH (peer 70.236.111.11)

Mar 13 07:53:08.343: ISAKMP: Unlocking IKE struct 0x65153588 for isadb_mark_sa_deleted(), count 0

Mar 13 07:53:08.343: ISAKMP: Deleting peer node by peer_reap for 70.236.111.11: 65153588

Mar 13 07:53:08.343: ISAKMP:(0:1508:SW:1):deleting node 648673899 error FALSE reason "IKE deleted"

Mar 13 07:53:08.343: ISAKMP:(0:1508:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL

Mar 13 07:53:08.347: ISAKMP:(0:1508:SW:1):Old State = IKE_I_MM5  New State = IKE_DEST_SA

Mar 13 07:53:08.383: ISAKMP (0:0): received packet from 70.236.111.11 dport 500 sport 500 Global (I) MM_NO_STATE

Mar 13 07:53:08.383: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

Mar 13 07:53:08.383: ISAKMP:(0:0:N/A:0):Old State = IKE_I_MM1  New State = IKE_I_MM2

Mar 13 07:53:08.383: ISAKMP:(0:0:N/A:0): processing SA payload. message ID = 0

Mar 13 07:53:08.383: ISAKMP:(0:0:N/A:0): processing vendor id payload

Mar 13 07:53:08.383: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 245 mismatch

Mar 13 07:53:08.383: ISAKMP (0:0): vendor ID is NAT-T v7

Mar 13 07:53:08.383: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 70.236.111.11

Mar 13 07:53:08.383: ISAKMP:(0:0:N/A:0): local preshared key found

Mar 13 07:53:08.383: ISAKMP : Scanning profiles for xauth ...

Mar 13 07:53:08.383: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 2 policy

Mar 13 07:53:08.383: ISAKMP:      encryption 3DES-CBC

Mar 13 07:53:08.383: ISAKMP:      hash SHA

Mar 13 07:53:08.383: ISAKMP:      default group 2

Mar 13 07:53:08.383: ISAKMP:      auth pre-share

Mar 13 07:53:08.383: ISAKMP:      life type in seconds

Mar 13 07:53:08.383: ISAKMP:      life duration (basic) of 28800

Mar 13 07:53:08.383: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 0

Mar 13 07:53:08.399: ISAKMP:(0:1510:SW:1): processing vendor id payload

Mar 13 07:53:08.399: ISAKMP:(0:1510:SW:1): vendor ID seems Unity/DPD but major 245 mismatch

Mar 13 07:53:08.399: ISAKMP (0:134219238): vendor ID is NAT-T v7

Mar 13 07:53:08.399: ISAKMP:(0:1510:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

Mar 13 07:53:08.399: ISAKMP:(0:1510:SW:1):Old State = IKE_I_MM2  New State = IKE_I_MM2

Mar 13 07:53:08.399: ISAKMP:(0:1510:SW:1): sending packet to 70.236.111.11 my_port 500 peer_port 500 (I) MM_SA_SETUP

Mar 13 07:53:08.399: ISAKMP:(0:1510:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

Mar 13 07:53:08.399: ISAKMP:(0:1510:SW:1):Old State = IKE_I_MM2  New State = IKE_I_MM3

Mar 13 07:53:08.475: ISAKMP (0:134219238): received packet from 70.236.111.11 dport 500 sport 500 Global (I) MM_SA_SETUP

Mar 13 07:53:08.475: ISAKMP:(0:1510:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

Mar 13 07:53:08.475: ISAKMP:(0:1510:SW:1):Old State = IKE_I_MM3  New State = IKE_I_MM4

Mar 13 07:53:08.479: ISAKMP:(0:1510:SW:1): processing KE payload. message ID = 0

Mar 13 07:53:08.495: ISAKMP:(0:1510:SW:1): processing NONCE payload. message ID = 0

Mar 13 07:53:08.495: ISAKMP:(0:1510:SW:1):found peer pre-shared key matching 70.236.111.11

Mar 13 07:53:08.495: ISAKMP:(0:1510:SW:1):SKEYID state generated

Mar 13 07:53:08.495: ISAKMP:(0:1510:SW:1): processing vendor id payload

Mar 13 07:53:08.495: ISAKMP:(0:1510:SW:1): vendor ID is Unity

Mar 13 07:53:08.495: ISAKMP:(0:1510:SW:1): processing vendor id payload

Mar 13 07:53:08.495: ISAKMP:(0:1510:SW:1): vendor ID is DPD

Mar 13 07:53:08.495: ISAKMP:(0:1510:SW:1): processing vendor id payload

Mar 13 07:53:08.495: ISAKMP:(0:1510:SW:1): speaking to another IOS box!

Mar 13 07:53:08.495: ISAKMP (0:134219238): NAT found, the node inside NAT

Mar 13 07:53:08.495: ISAKMP:(0:1510:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

Mar 13 07:53:08.495: ISAKMP:(0:1510:SW:1):Old State = IKE_I_MM4  New State = IKE_I_MM4

Mar 13 07:53:08.495: ISAKMP:(0:1510:SW:1):Send initial contact

Mar 13 07:53:08.495: ISAKMP:(0:1510:SW:1):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR

Mar 13 07:53:08.495: ISAKMP (0:134219238): ID payload

        next-payload : 8

        type         : 1

        address      : 192.168.3.100

        protocol     : 17

        port         : 0

        length       : 12

Mar 13 07:53:08.495: ISAKMP:(0:1510:SW:1):Total payload length: 12

Mar 13 07:53:08.499: ISAKMP:(0:1510:SW:1): sending packet to 70.236.111.11 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH

Mar 13 07:53:08.499: ISAKMP:(0:1510:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

Mar 13 07:53:08.499: ISAKMP:(0:1510:SW:1):Old State = IKE_I_MM4  New State = IKE_I_MM5

Mar 13 07:53:18.499: ISAKMP:(0:1510:SW:1): retransmitting phase 1 MM_KEY_EXCH...

Mar 13 07:53:18.499: ISAKMP (0:134219238): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1

Mar 13 07:53:18.499: ISAKMP:(0:1510:SW:1): retransmitting phase 1 MM_KEY_EXCH

Mar 13 07:53:18.499: ISAKMP:(0:1510:SW:1): sending packet to 70.236.111.11 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH

Mar 13 07:53:28.498: ISAKMP:(0:1510:SW:1): retransmitting phase 1 MM_KEY_EXCH...

Mar 13 07:53:28.498: ISAKMP (0:134219238): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1

Mar 13 07:53:28.498: ISAKMP:(0:1510:SW:1): retransmitting phase 1 MM_KEY_EXCH

Mar 13 07:53:28.498: ISAKMP:(0:1510:SW:1): sending packet to 70.236.111.11 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH

All possible debugging has been turned off

4 REPLIES

DMVPN problem MM_KEY_Exch

I would confirm whether both client and server have a phase 1 policy in place.

crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2

New Member

DMVPN problem MM_KEY_Exch

I was having a similar issue. My problem was that there was an ACL on the tunnel source that was not permitting the public IP of the hub.

DMVPN problem MM_KEY_Exch

You might want to check your NAT-T configuration, because it looks like your VPN has a problem with NAT-T; this can be seen from the port number (4500). The good news is that it succeeded in negotiating ISAKMP attributes.
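The ACL and NAT-T replies above both point at the same symptom in the debug: the peer answers on UDP 500, then the exchange moves to UDP 4500 and only retransmits follow. The script below is an added example, not part of the original thread; it counts that pattern per peer from `debug crypto isakmp` output. The function names `summarize` and `diagnose` are hypothetical and the sample lines are constructed from the format shown in the question.

```python
import re
from collections import Counter, defaultdict

# Constructed sample modelled on the debug output in the question (timestamps trimmed).
SAMPLE = """\
ISAKMP:(0:1510:SW:1): sending packet to 70.236.111.11 my_port 500 peer_port 500 (I) MM_SA_SETUP
ISAKMP (0:134219238): received packet from 70.236.111.11 dport 500 sport 500 Global (I) MM_SA_SETUP
ISAKMP:(0:1510:SW:1): sending packet to 70.236.111.11 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
ISAKMP:(0:1510:SW:1): retransmitting phase 1 MM_KEY_EXCH...
ISAKMP:(0:1510:SW:1): sending packet to 70.236.111.11 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
ISAKMP:(0:1510:SW:1): retransmitting phase 1 MM_KEY_EXCH...
ISAKMP:(0:1510:SW:1): sending packet to 70.236.111.11 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
"""

SA_ID = re.compile(r"ISAKMP:\(0:(\d+):")   # SA slot, e.g. 1510 in (0:1510:SW:1)
SENT = re.compile(r"sending packet to (\S+) my_port \d+ peer_port (\d+)")
RECV = re.compile(r"received packet from (\S+) dport \d+ sport (\d+)")
RETX = re.compile(r"retransmitting phase 1 (\w+)\.\.\.")

def summarize(log):
    """Per peer: packets sent/received by the peer's UDP port, retransmits by state."""
    sa_peer, sa_retx = {}, defaultdict(Counter)
    peers = defaultdict(lambda: {"sent": Counter(), "recv": Counter(), "retx": Counter()})
    for line in log.splitlines():
        sa = SA_ID.search(line)
        if m := SENT.search(line):
            peers[m[1]]["sent"][int(m[2])] += 1
            if sa:
                sa_peer[sa[1]] = m[1]
        elif m := RECV.search(line):
            peers[m[1]]["recv"][int(m[2])] += 1
        elif (m := RETX.search(line)) and sa:
            sa_retx[sa[1]][m[1]] += 1
    for sa_id, retx in sa_retx.items():   # retransmit lines carry no peer address
        if sa_id in sa_peer:
            peers[sa_peer[sa_id]]["retx"] += retx
    return dict(peers)

def diagnose(log):
    """Flag peers that answer on UDP 500 but never on UDP 4500 after the NAT-T float."""
    findings = []
    for peer, s in summarize(log).items():
        if s["sent"][4500] and s["recv"][500] and not s["recv"][4500]:
            findings.append(f"{peer}: UDP/500 answered, UDP/4500 silent, "
                            f"{s['retx']['MM_KEY_EXCH']} MM_KEY_EXCH retransmits")
    return findings

if __name__ == "__main__":
    print("\n".join(diagnose(SAMPLE)))
```

A finding only says that nothing came back on UDP 4500 at this end; the matching debug on the other router is needed to tell whether the packets arrive there at all.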

New Member

I realise this was 3 years ago, but did you manage to find a fix for this? I'm coming up against a similar problem and can't get to the bottom of it.
