03-13-2012 06:01 AM - edited 02-21-2020 05:56 PM
Hi..
I have around 100 sites that all connect to my HUB dmvpn router and all work fine except one.. heh.
Here is the debug:
I am sure the configs are the same as I use it in like 100 other sites so everything else works great and this one worked great but now it doesn't.
I have pings on both ends so that's fine too.
r0#debug crypto isakmp
Crypto ISAKMP debugging is on
milwaukee-rtr0#u all
Mar 13 07:52:48.496: ISAKMP:(0:1508:SW:1): retransmitting phase 1 MM_KEY_EXCH...
Mar 13 07:52:48.496: ISAKMP (0:134219236): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
Mar 13 07:52:48.496: ISAKMP:(0:1508:SW:1): retransmitting phase 1 MM_KEY_EXCH
Mar 13 07:52:48.496: ISAKMP:(0:1508:SW:1): sending packet to 70.236.111.11 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
Mar 13 07:52:48.500: ISAKMP:(0:1509:SW:1): retransmitting phase 1 MM_KEY_EXCH...
Mar 13 07:52:48.500: ISAKMP (0:134219237): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Mar 13 07:52:48.500: ISAKMP:(0:1509:SW:1): retransmitting phase 1 MM_KEY_EXCH
Mar 13 07:52:48.500: ISAKMP:(0:1509:SW:1): sending packet to 70.236.111.11 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
Mar 13 07:52:58.344: ISAKMP:(0:1507:SW:1):purging node 1384246893
Mar 13 07:52:58.344: ISAKMP:(0:1506:SW:1):purging node -169644745
Mar 13 07:52:58.496: ISAKMP:(0:1508:SW:1): retransmitting phase 1 MM_KEY_EXCH...
Mar 13 07:52:58.496: ISAKMP (0:134219236): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
Mar 13 07:52:58.496: ISAKMP:(0:1508:SW:1): retransmitting phase 1 MM_KEY_EXCH
Mar 13 07:52:58.496: ISAKMP:(0:1508:SW:1): sending packet to 70.236.111.11 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
Mar 13 07:52:58.500: ISAKMP:(0:1509:SW:1): retransmitting phase 1 MM_KEY_EXCH...
Mar 13 07:52:58.500: ISAKMP (0:134219237): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
Mar 13 07:52:58.500: ISAKMP:(0:1509:SW:1): retransmitting phase 1 MM_KEY_EXCH
Mar 13 07:52:58.500: ISAKMP:(0:1509:SW:1): sending packet to 70.236.111.11 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
Mar 13 07:53:08.343: ISAKMP:(0:1507:SW:1):purging SA., sa=65155984, delme=65155984
Mar 13 07:53:08.343: ISAKMP:(0:1506:SW:1):purging SA., sa=66D59880, delme=66D59880
Mar 13 07:53:08.343: ISAKMP: received ke message (3/1)
Mar 13 07:53:08.343: ISAKMP:(0:1509:SW:1):peer does not do paranoid keepalives.
Mar 13 07:53:08.343: ISAKMP:(0:1509:SW:1):deleting SA reason "P1 delete notify (in)" state (I) MM_KEY_EXCH (peer 70.236.111.11)
Mar 13 07:53:08.343: ISAKMP:(0:1508:SW:1):peer does not do paranoid keepalives.
Mar 13 07:53:08.343: ISAKMP:(0:1508:SW:1):deleting SA reason "P1 delete notify (in)" state (I) MM_KEY_EXCH (peer 70.236.111.11)
Mar 13 07:53:08.343: ISAKMP: received ke message (1/1)
Mar 13 07:53:08.343: ISAKMP:(0:0:N/A:0): SA request profile is (NULL)
Mar 13 07:53:08.343: ISAKMP: Created a peer struct for 70.236.111.11, peer port 500
Mar 13 07:53:08.343: ISAKMP: New peer created peer = 0x6514EEA0 peer_handle = 0x800051ED
Mar 13 07:53:08.343: ISAKMP: Locking peer struct 0x6514EEA0, IKE refcount 1 for isakmp_initiator
Mar 13 07:53:08.343: ISAKMP: local port 500, remote port 500
Mar 13 07:53:08.343: ISAKMP: set new node 0 to QM_IDLE
Mar 13 07:53:08.343: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 65154190
Mar 13 07:53:08.343: ISAKMP:(0:0:N/A:0):Can not start Aggressive mode, trying Main mode.
Mar 13 07:53:08.343: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 70.236.111.11
Mar 13 07:53:08.343: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-07 ID
Mar 13 07:53:08.343: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-03 ID
Mar 13 07:53:08.343: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-02 ID
Mar 13 07:53:08.343: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Mar 13 07:53:08.343: ISAKMP:(0:0:N/A:0):Old State = IKE_READY New State = IKE_I_MM1
Mar 13 07:53:08.343: ISAKMP:(0:0:N/A:0): beginning Main Mode exchange
Mar 13 07:53:08.343: ISAKMP:(0:0:N/A:0): sending packet to 70.236.111.11 my_port 500 peer_port 500 (I) MM_NO_STATE
Mar 13 07:53:08.343: ISAKMP:(0:1509:SW:1):deleting SA reason "P1 delete notify (in)" state (I) MM_KEY_EXCH (peer 70.236.111.11)
Mar 13 07:53:08.343: ISAKMP: Unlocking IKE struct 0x65155608 for isadb_mark_sa_deleted(), count 0
Mar 13 07:53:08.343: ISAKMP: Deleting peer node by peer_reap for 70.236.111.11: 65155608
Mar 13 07:53:08.343: ISAKMP:(0:1509:SW:1):deleting node -816338854 error FALSE reason "IKE deleted"
Mar 13 07:53:08.343: ISAKMP:(0:1509:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Mar 13 07:53:08.343: ISAKMP:(0:1509:SW:1):Old State = IKE_I_MM5 New State = IKE_DEST_SA
Mar 13 07:53:08.343: ISAKMP:(0:1508:SW:1):deleting SA reason "P1 delete notify (in)" state (I) MM_KEY_EXCH (peer 70.236.111.11)
Mar 13 07:53:08.343: ISAKMP: Unlocking IKE struct 0x65153588 for isadb_mark_sa_deleted(), count 0
Mar 13 07:53:08.343: ISAKMP: Deleting peer node by peer_reap for 70.236.111.11: 65153588
Mar 13 07:53:08.343: ISAKMP:(0:1508:SW:1):deleting node 648673899 error FALSE reason "IKE deleted"
Mar 13 07:53:08.343: ISAKMP:(0:1508:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Mar 13 07:53:08.347: ISAKMP:(0:1508:SW:1):Old State = IKE_I_MM5 New State = IKE_DEST_SA
Mar 13 07:53:08.383: ISAKMP (0:0): received packet from 70.236.111.11 dport 500 sport 500 Global (I) MM_NO_STATE
Mar 13 07:53:08.383: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Mar 13 07:53:08.383: ISAKMP:(0:0:N/A:0):Old State = IKE_I_MM1 New State = IKE_I_MM2
Mar 13 07:53:08.383: ISAKMP:(0:0:N/A:0): processing SA payload. message ID = 0
Mar 13 07:53:08.383: ISAKMP:(0:0:N/A:0): processing vendor id payload
Mar 13 07:53:08.383: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 245 mismatch
Mar 13 07:53:08.383: ISAKMP (0:0): vendor ID is NAT-T v7
Mar 13 07:53:08.383: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 70.236.111.11
Mar 13 07:53:08.383: ISAKMP:(0:0:N/A:0): local preshared key found
Mar 13 07:53:08.383: ISAKMP : Scanning profiles for xauth ...
Mar 13 07:53:08.383: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 2 policy
Mar 13 07:53:08.383: ISAKMP: encryption 3DES-CBC
Mar 13 07:53:08.383: ISAKMP: hash SHA
Mar 13 07:53:08.383: ISAKMP: default group 2
Mar 13 07:53:08.383: ISAKMP: auth pre-share
Mar 13 07:53:08.383: ISAKMP: life type in seconds
Mar 13 07:53:08.383: ISAKMP: life duration (basic) of 28800
Mar 13 07:53:08.383: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 0
Mar 13 07:53:08.399: ISAKMP:(0:1510:SW:1): processing vendor id payload
Mar 13 07:53:08.399: ISAKMP:(0:1510:SW:1): vendor ID seems Unity/DPD but major 245 mismatch
Mar 13 07:53:08.399: ISAKMP (0:134219238): vendor ID is NAT-T v7
Mar 13 07:53:08.399: ISAKMP:(0:1510:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Mar 13 07:53:08.399: ISAKMP:(0:1510:SW:1):Old State = IKE_I_MM2 New State = IKE_I_MM2
Mar 13 07:53:08.399: ISAKMP:(0:1510:SW:1): sending packet to 70.236.111.11 my_port 500 peer_port 500 (I) MM_SA_SETUP
Mar 13 07:53:08.399: ISAKMP:(0:1510:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Mar 13 07:53:08.399: ISAKMP:(0:1510:SW:1):Old State = IKE_I_MM2 New State = IKE_I_MM3
Mar 13 07:53:08.475: ISAKMP (0:134219238): received packet from 70.236.111.11 dport 500 sport 500 Global (I) MM_SA_SETUP
Mar 13 07:53:08.475: ISAKMP:(0:1510:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Mar 13 07:53:08.475: ISAKMP:(0:1510:SW:1):Old State = IKE_I_MM3 New State = IKE_I_MM4
Mar 13 07:53:08.479: ISAKMP:(0:1510:SW:1): processing KE payload. message ID = 0
Mar 13 07:53:08.495: ISAKMP:(0:1510:SW:1): processing NONCE payload. message ID = 0
Mar 13 07:53:08.495: ISAKMP:(0:1510:SW:1):found peer pre-shared key matching 70.236.111.11
Mar 13 07:53:08.495: ISAKMP:(0:1510:SW:1):SKEYID state generated
Mar 13 07:53:08.495: ISAKMP:(0:1510:SW:1): processing vendor id payload
Mar 13 07:53:08.495: ISAKMP:(0:1510:SW:1): vendor ID is Unity
Mar 13 07:53:08.495: ISAKMP:(0:1510:SW:1): processing vendor id payload
Mar 13 07:53:08.495: ISAKMP:(0:1510:SW:1): vendor ID is DPD
Mar 13 07:53:08.495: ISAKMP:(0:1510:SW:1): processing vendor id payload
Mar 13 07:53:08.495: ISAKMP:(0:1510:SW:1): speaking to another IOS box!
Mar 13 07:53:08.495: ISAKMP (0:134219238): NAT found, the node inside NAT
Mar 13 07:53:08.495: ISAKMP:(0:1510:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Mar 13 07:53:08.495: ISAKMP:(0:1510:SW:1):Old State = IKE_I_MM4 New State = IKE_I_MM4
Mar 13 07:53:08.495: ISAKMP:(0:1510:SW:1):Send initial contact
Mar 13 07:53:08.495: ISAKMP:(0:1510:SW:1):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
Mar 13 07:53:08.495: ISAKMP (0:134219238): ID payload
next-payload : 8
type : 1
address : 192.168.3.100
protocol : 17
port : 0
length : 12
Mar 13 07:53:08.495: ISAKMP:(0:1510:SW:1):Total payload length: 12
Mar 13 07:53:08.499: ISAKMP:(0:1510:SW:1): sending packet to 70.236.111.11 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
Mar 13 07:53:08.499: ISAKMP:(0:1510:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Mar 13 07:53:08.499: ISAKMP:(0:1510:SW:1):Old State = IKE_I_MM4 New State = IKE_I_MM5
Mar 13 07:53:18.499: ISAKMP:(0:1510:SW:1): retransmitting phase 1 MM_KEY_EXCH...
Mar 13 07:53:18.499: ISAKMP (0:134219238): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Mar 13 07:53:18.499: ISAKMP:(0:1510:SW:1): retransmitting phase 1 MM_KEY_EXCH
Mar 13 07:53:18.499: ISAKMP:(0:1510:SW:1): sending packet to 70.236.111.11 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
Mar 13 07:53:28.498: ISAKMP:(0:1510:SW:1): retransmitting phase 1 MM_KEY_EXCH...
Mar 13 07:53:28.498: ISAKMP (0:134219238): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
Mar 13 07:53:28.498: ISAKMP:(0:1510:SW:1): retransmitting phase 1 MM_KEY_EXCH
Mar 13 07:53:28.498: ISAKMP:(0:1510:SW:1): sending packet to 70.236.111.11 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
All possible debugging has been turned off
03-13-2012 12:32 PM
I would confirm whether both client and server have a phase 1 policy in place.
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
10-15-2012 11:30 AM
I was having a similar issue. My problem was that there was an ACL on the tunnel source that was not permitting the Public IP of the HUB.
10-16-2012 02:18 AM
You might want to check your NAT-T configuration, because it looks like your VPN has a problem with NAT-T; this can be seen from the port number (4500). The good news is that it succeeded in negotiating ISAKMP attributes.
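Added example (not part of the original thread or any poster's code): a small Python parser for `debug crypto isakmp` output that counts ISAKMP packets per peer and UDP port, and flags a peer that answers on UDP/500 but never on UDP/4500 after NAT is detected, which is the pattern in the debug above. The function names are hypothetical; the sample lines are copied from the original post.

```python
import re
from collections import defaultdict

# Sample input: lines copied from the debug output in the original post.
SAMPLE = """\
Mar 13 07:53:08.343: ISAKMP:(0:0:N/A:0): sending packet to 70.236.111.11 my_port 500 peer_port 500 (I) MM_NO_STATE
Mar 13 07:53:08.383: ISAKMP (0:0): received packet from 70.236.111.11 dport 500 sport 500 Global (I) MM_NO_STATE
Mar 13 07:53:08.399: ISAKMP:(0:1510:SW:1): sending packet to 70.236.111.11 my_port 500 peer_port 500 (I) MM_SA_SETUP
Mar 13 07:53:08.475: ISAKMP (0:134219238): received packet from 70.236.111.11 dport 500 sport 500 Global (I) MM_SA_SETUP
Mar 13 07:53:08.495: ISAKMP (0:134219238): NAT found, the node inside NAT
Mar 13 07:53:08.499: ISAKMP:(0:1510:SW:1): sending packet to 70.236.111.11 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
Mar 13 07:53:18.499: ISAKMP (0:134219238): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Mar 13 07:53:18.499: ISAKMP:(0:1510:SW:1): sending packet to 70.236.111.11 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
"""

# In both patterns group 1 is the peer, group 3 the peer's UDP port, group 5 the IKE state.
SENT = re.compile(r"sending packet to (\S+) my_port (\d+) peer_port (\d+) \((\w)\) (\S+)")
RECV = re.compile(r"received packet from (\S+) dport (\d+) sport (\d+) \S+ \((\w)\) (\S+)")
RETX = re.compile(r"attempt (\d+) of (\d+): retransmit phase 1")

def summarize(log):
    """Count ISAKMP packets per (peer, remote UDP port); note NAT detection and retransmits."""
    stats = defaultdict(lambda: {"sent": 0, "recv": 0, "states": set()})
    nat_seen, max_retx = False, 0
    for line in log.splitlines():
        if m := SENT.search(line):
            entry = stats[(m[1], int(m[3]))]
            entry["sent"] += 1
            entry["states"].add(m[5])
        elif m := RECV.search(line):
            entry = stats[(m[1], int(m[3]))]
            entry["recv"] += 1
            entry["states"].add(m[5])
        elif m := RETX.search(line):
            max_retx = max(max_retx, int(m[1]))
        elif "NAT found" in line:
            nat_seen = True
    return stats, nat_seen, max_retx

def findings(log):
    """Flag peers that reply on UDP/500 but never on UDP/4500 after the NAT-T port float."""
    stats, nat_seen, max_retx = summarize(log)
    out = []
    for (peer, port), s in stats.items():
        replied_500 = stats.get((peer, 500), {}).get("recv", 0) > 0
        if port == 4500 and s["sent"] and not s["recv"] and replied_500:
            out.append(f"{peer}: replies on UDP/500, none on UDP/4500; state "
                       f"{','.join(sorted(s['states']))}, NAT detected={nat_seen}, "
                       f"highest retransmit attempt={max_retx}")
    return out

if __name__ == "__main__":
    print("\n".join(findings(SAMPLE)))
```

A finding here means the path for UDP/4500 (ACLs, firewall, NAT device) deserves a look on both ends; it does not by itself prove where the packets are dropped.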
02-02-2016 01:46 PM
I realise this was 3 years ago, but did you manage to find a fix for this? I'm coming up against a similar problem and can't get to the bottom of it.