IPSec S2S tunnel can not up

m1xed0s
Spotlight

We have about 9 1900 routers and 1 ASA 5510 for a partial mesh VPN network. So 8 1900s connect to 1 1900 and the ASA located in HQ and the datacenter. All worked well, however there is one site running really strangely. The tunnel between the 1900s is up for a while and then down. Rebooting the router seems to be the only fix. But the tunnel to the ASA does not seem to be down at all.

The issue happened again today; we rebooted the router on site but the tunnel is still not up. DEBUG shows:

deleting SA reason "Death by retransmission P1 "

I can see a lot of

Apr 24 19:57:55.271: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...

To me it seems like the IKE packet is sent but never gets a reply and times out. I did also check on the other end, the HQ. All other tunnels are still running fine on that router, just this remote site. Plus I got similar output when debugging on the HQ router.

One thing I do notice though, there was no match on both routers for the ACL to match/permit ESP traffic... I asked on-site staff to reboot the modem used in the remote site.

But I still want to ask here to see if you guys think there are other things I would also need to check.

Thanks,


Julio Carvajal
VIP Alumni

Hello Shuai,

On the ASA create a capture for the outside interface and try to capture packets on port UDP 500 going out and going in.

This is because, as we can see, there is no state for phase one, so let's make sure they are exchanging ISAKMP packets.

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

The issue was between 2 1900 routers.

I called Cisco TAC and the guy on the phone did not fix the issue but said zone based firewall is the cause. I removed ICMP from the inspect rule under the in-out policy and added a pass rule for ICMP under the same in-out policy, then the ping started working between the 2 sites.

However, my other 6 tunnels (all use the same 1900 model) can send ICMP through even if I leave ICMP under the inspect rule. Now I start wondering what is really the difference between inspect and pass for each class/traffic map!?

Hello,

The Inspect rule instructs the traffic for that class to be inspected by the router (the router creates an inspection table). This inspection table matches the outgoing traffic and directly permits return traffic for that class. So if you're inspecting ICMP, your router should directly permit ICMP replies.

However, with the Pass rule, you would need two policies: the first one matches the outgoing traffic class and the second policy permits the inbound traffic, or whether permitting one of the two. The Pass rule means to pass traffic inbound or outbound but it doesn't create any inspection. As you know, once you create ZBF, all traffic between zone members is denied by default unless you explicitly permit traffic from one zone to another using the "pass" rule or "inspect" rule under the required policy.

Regards,

Mohamed
