Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1311
Views
0
Helpful
3
Replies

DMVPN Problem-VPN at a particular time will be disconnected

zengkai1988
Level 1
Level 1

‎10-10-2013 10:57 PM - edited ‎02-21-2020 07:13 PM

Topo:

spoke - NAT device - Internet - Hub

spoke:

Debug crypto isakmp:

Oct 11 09:34:19.135: ISAKMP (2037): received packet from 61.143.52.242 dport 500 sport 500 Global (I) MM_KEY_EXCH
Oct 11 09:34:19.135: ISAKMP:(2037): phase 1 packet is a duplicate of a previous packet.
Oct 11 09:34:19.135: ISAKMP:(2037): retransmitting due to retransmit phase 1
Oct 11 09:34:19.635: ISAKMP:(2037): retransmitting phase 1 MM_KEY_EXCH...
Oct 11 09:34:19.635: ISAKMP (2037): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Oct 11 09:34:19.635: ISAKMP:(2037): retransmitting phase 1 MM_KEY_EXCH

Oct 11 09:34:19.635: ISAKMP:(2037): sending packet to 61.143.52.242 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
Oct 11 09:34:19.635: ISAKMP:(2037):Sending an IKE IPv4 Packet.
Oct 11 09:34:21.607: ISAKMP:(2001):purging node 1079219314

Oct 11 09:34:29.135: ISAKMP (2037): received packet from 61.143.52.242 dport 500 sport 500 Global (I) MM_KEY_EXCH
Oct 11 09:34:29.139: ISAKMP:(2037): phase 1 packet is a duplicate of a previous packet.
Oct 11 09:34:29.139: ISAKMP:(2037): retransmitting due to retransmit phase 1
Oct 11 09:34:29.639: ISAKMP:(2037): retransmitting phase 1 MM_KEY_EXCH...
Oct 11 09:34:29.639: ISAKMP (2037): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
Oct 11 09:34:29.639: ISAKMP:(2037): retransmitting phase 1 MM_KEY_EXCH

Oct 11 09:34:29.639: ISAKMP:(2037): sending packet to 61.143.52.242 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
Oct 11 09:34:29.639: ISAKMP:(2037):Sending an IKE IPv4 Packet.

Oct 11 09:34:39.135: ISAKMP (2037): received packet from 61.143.52.242 dport 500 sport 500 Global (I) MM_KEY_EXCH
Oct 11 09:34:39.139: ISAKMP:(2037): phase 1 packet is a duplicate of a previous packet.
Oct 11 09:34:39.139: ISAKMP:(2037): retransmitting due to retransmit phase 1
Oct 11 09:34:39.279: ISAKMP: set new node 0 to QM_IDLE     
Oct 11 09:34:39.279: ISAKMP:(2037):SA is still budding. Attached new ipsec request to it. (local 10.2.2.128, remote 61.143.52.242)
Oct 11 09:34:39.279: ISAKMP: Error while processing SA request: Failed to initialize SA
Oct 11 09:34:39.279: ISAKMP: Error while processing KMI message 0, error 2.
Oct 11 09:34:39.639: ISAKMP:(2037): retransmitting phase 1 MM_KEY_EXCH...
Oct 11 09:34:39.639: ISAKMP (2037): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
Oct 11 09:34:39.639: ISAKMP:(2037): retransmitting phase 1 MM_KEY_EXCH
Oct 11 09:34:39.639: ISAKMP:(2037): sending packet to 61.143.52.242 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
Oct 11 09:34:39.639: ISAKMP:(2037):Sending an IKE IPv4 Packet.
Oct 11 09:34:42.415: ISAKMP:(2036):purging node -2047781981
Oct 11 09:34:42.415: ISAKMP:(2036):purging node -1809050916
Oct 11 09:34:49.139: ISAKMP (2037): received packet from 61.143.52.242 dport 500 sport 500 Global (I) MM_KEY_EXCH
Oct 11 09:34:49.139: ISAKMP:(2037): phase 1 packet is a duplicate of a previous packet.
Oct 11 09:34:49.139: ISAKMP:(2037): retransmitting due to retransmit phase 1
Oct 11 09:34:49.639: ISAKMP:(2037): retransmitting phase 1 MM_KEY_EXCH...
Oct 11 09:34:49.639: ISAKMP (2037): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
Oct 11 09:34:49.639: ISAKMP:(2037): retransmitting phase 1 MM_KEY_EXCH
Oct 11 09:34:49.639: ISAKMP:(2037): sending packet to 61.143.52.242 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
Oct 11 09:34:49.639: ISAKMP:(2037):Sending an IKE IPv4 Packet.
Oct 11 09:34:52.415: ISAKMP:(2036):purging SA., sa=8521E8A4, delme=8521E8A4
Oct 11 09:34:52.415: ISAKMP:(2001):purging SA., sa=87F437D0, delme=87F437D0
Oct 11 09:34:59.139: ISAKMP (2037): received packet from 61.143.52.242 dport 500 sport 500 Global (I) MM_KEY_EXCH
Oct 11 09:34:59.139: ISAKMP:(2037): phase 1 packet is a duplicate of a previous packet.
Oct 11 09:34:59.139: ISAKMP:(2037): retransmitting due to retransmit phase 1
Oct 11 09:34:59.639: ISAKMP:(2037): retransmitting phase 1 MM_KEY_EXCH...
Oct 11 09:34:59.639: ISAKMP (2037): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
Oct 11 09:34:59.639: ISAKMP:(2037): retransmitting phase 1 MM_KEY_EXCH
Oct 11 09:34:59.639: ISAKMP:(2037): sending packet to 61.143.52.242 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
Oct 11 09:34:59.639: ISAKMP:(2037):Sending an IKE IPv4 Packet.
Oct 11 09:35:09.279: ISAKMP: set new node 0 to QM_IDLE     
Oct 11 09:35:09.279: ISAKMP:(2037):SA is still budding. Attached new ipsec request to it. (local 10.2.2.128, remote 61.143.52.242)
Oct 11 09:35:09.279: ISAKMP: Error while processing SA request: Failed to initialize SA
Oct 11 09:35:09.279: ISAKMP: Error while processing KMI message 0, error 2.
Oct 11 09:35:09.639: ISAKMP:(2037): retransmitting phase 1 MM_KEY_EXCH...
Oct 11 09:35:09.639: ISAKMP:(2037):peer does not do paranoid keepalives.

Oct 11 09:35:09.639: ISAKMP:(2037):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer 61.143.52.242)
Oct 11 09:35:09.639: ISAKMP:(2037):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer 61.143.52.242)
Oct 11 09:35:09.639: ISAKMP: Unlocking peer struct 0x87CDB1E8 for isadb_mark_sa_deleted(), count 0
Oct 11 09:35:09.639: ISAKMP: Deleting peer node by peer_reap for 61.143.52.242: 87CDB1E8
Oct 11 09:35:09.639: ISAKMP:(2037):deleting node -1015617237 error FALSE reason "IKE deleted"
Oct 11 09:35:09.639: ISAKMP:(2037):deleting node 723673323 error FALSE reason "IKE deleted"
Oct 11 09:35:09.639: ISAKMP:(2037):deleting node -1116747973 error FALSE reason "IKE deleted"
Oct 11 09:35:09.639: ISAKMP:(2037):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Oct 11 09:35:09.639: ISAKMP:(2037):Old State = IKE_I_MM5  New State = IKE_DEST_SA

spokerouter#show udp       

Proto        Remote      Port      Local       Port  In Out  Stat TTY OutputIF

17     255.255.255.255    68 10.2.2.128         67   0   0 1002211   0

17     10.0.1.46       49274 10.60.106.1       161   0   0 1001001   0

17       --listen--          10.2.2.128        162   0   0 1001011   0

17       --listen--          10.2.2.128      53526   0   0 1001011   0

17(v6)   --listen--          --any--           161   0   0 1020001   0

17(v6)   --listen--          --any--           162   0   0 1020011   0

17(v6)   --listen--          --any--         50187   0   0 1020011   0

17       --listen--          10.2.2.128        500   0   0 1001011   0

17(v6)   --listen--          --any--           500   0   0 1020011   0

17       --listen--          10.2.2.128       4500   0   0 1001011   0

17(v6)   --listen--          --any--          4500   0   0 1020011   0

17     61.143.52.242    1967 10.60.106.1     59232   0   0   241   0

Why wil bel disconnected in particular time?

Where is the problem?

How to solve?

Thanks for your sharing

Labels:
0 Helpful
3 Replies 3

zengkai1988
Level 1
Level 1

‎10-13-2013 06:19 PM

somebody help me ?

0 Helpful

Patrick Moubarak
Level 4
Level 4
In response to zengkai1988

‎10-14-2013 01:22 PM

Hi,

are your phase1 and 2 lifetimes the same on both devices?

can you post your configs?

Patrick

0 Helpful

zengkai1988
Level 1
Level 1
In response to Patrick Moubarak

‎10-14-2013 06:03 PM

xxx#show run
Building configuration...

Current configuration : 7750 bytes
!
! No configuration change since last restart
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname xxx

!
boot-start-marker
boot-end-marker
!
!
enable secret 4 WGYprJfYDEUX1XUe9W/pu23QZ3c78ArqFLQMY.GWq0o
!
aaa new-model
!
!
aaa authentication login default local
!
!
!        
!
!
aaa session-id common
!
no errdisable detect cause udld
no errdisable detect cause bpduguard
no errdisable detect cause rootguard
no errdisable detect cause pagp-flap
no errdisable detect cause dtp-flap
no errdisable detect cause link-flap
crypto pki token default removal timeout 0
!
!
ip source-route
!
!
!
ip dhcp excluded-address 10.60.106.1 10.60.106.10
ip dhcp excluded-address 10.60.106.60 10.60.106.254
!
ip dhcp pool StoreLan
network 10.60.106.0 255.255.255.0
default-router 10.60.106.1
!        
!
ip cef
no ipv6 cef
!
!
multilink bundle-name authenticated
chat-script hspaplus "" "AT!SCACT=1,1" TIMEOUT 60 "OK"
!
!
!
controller VDSL 0
!
controller Cellular 0
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
lifetime 3600
crypto isakmp key BP@baby address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 30 periodic
!
!
crypto ipsec transform-set baby-transet esp-3des esp-sha-hmac
!
crypto ipsec profile BABY-IPSec-Pro
set transform-set baby-transet
!
crypto ipsec profile BABY-IPSec-Pro-DSL
set transform-set baby-transet
!
!
!
!
!
!
interface Tunnel1

bandwidth 1000
ip address 172.18.16.46 255.255.248.0
no ip redirects
ip mtu 1400
ip nhrp authentication babyADSL
ip nhrp map 172.18.16.1 61.143.52.242
ip nhrp map multicast 61.143.52.242
ip nhrp network-id 1
ip nhrp nhs 172.18.16.1
ip tcp adjust-mss 1360
load-interval 30
keepalive 10 3
tunnel source Vlan2
tunnel mode gre multipoint
tunnel key 10000
tunnel protection ipsec profile BABY-IPSec-Pro-DSL
!
interface Tunnel2

bandwidth 1000
ip address 172.17.16.46 255.255.248.0
no ip redirects
ip mtu 1400
ip nhrp authentication baby3G
ip nhrp map 172.17.16.1 192.10.36.82
ip nhrp map multicast 192.10.36.82
ip nhrp network-id 2
ip nhrp nhs 172.17.16.1
ip tcp adjust-mss 1360
no ip split-horizon
load-interval 30
keepalive 10 3
tunnel source Cellular0
tunnel mode gre multipoint
tunnel key 20000
tunnel protection ipsec profile BABY-IPSec-Pro
!
interface Ethernet0
no ip address
shutdown
!
interface ATM0
no ip address
no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
snmp trap link-status
pvc 8/35
  pppoe-client dial-pool-number 1
!
!        
interface FastEthernet0
switchport access vlan 2
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface Cellular0
ip address negotiated
encapsulation slip
dialer in-band
dialer string hspaplus
dialer-group 1
async mode interactive
!
interface Vlan1
ip address 10.60.106.1 255.255.255.0
ip tcp adjust-mss 1452
ip policy route-map clean-df
!
interface Vlan2
ip address 10.2.2.128 255.255.0.0
!
!
router eigrp 100
distribute-list 1 out
network 10.0.0.0
network 172.17.0.0
network 172.18.0.0
offset-list 2 in 5000 Tunnel2
offset-list 2 out 5000 Tunnel2
passive-interface default
no passive-interface Tunnel1
no passive-interface Tunnel2
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip route 61.143.52.242 255.255.255.255 10.2.2.1
ip route 192.10.36.82 255.255.255.255 Cellular0
!
ip access-list standard rem-telnet

!
ip sla 99
icmp-echo 192.10.36.82
frequency 30
ip sla schedule 99 life forever start-time now
ip sla 100
udp-echo 61.143.52.242 500
frequency 10
ip sla schedule 100 life forever start-time now
access-list 1 permit 10.60.106.0 0.0.0.255
access-list 2 permit any
access-list 103 permit tcp any any
dialer-list 1 protocol ip permit
no cdp run
!
!
!
!
route-map clean-df permit 10
match ip address 103
set ip df 0

!
!
control-plane
!

This is spoke configuration

Hub configuration should be no problem,because there are multiple spoke already established connection

Thank you for sharing

0 Helpful
Customers Also Viewed These Support Documents