
IPSEC VPN Down. Want to know why?

Hi,

We have a setup at our customer as below:

Cisco7200----->NAT-T FW------>Endrian Virtual Server

On the firewall they have only NATing enabled and no policy restriction.

All of a sudden the VPNs went down, and after deleting and creating the IPSEC VPN configurations the issue was resolved.

Below is the debug log. Can anyone help me in identifying what could have caused the issue?

And also the debug from 26 Sep:

Sep 26 16:13:36.235: IPSEC(sa_request): ,

  (key eng. msg.) OUTBOUND local= A.B.C.D, remote= 10X.16Y.17Z.10X,

    local_proxy= 10.10.0.0/255.255.255.0/0/0 (type=4),

    remote_proxy= 10.1.251.0/255.255.255.0/0/0 (type=4),

    protocol= ESP, transform= esp-aes 256 esp-sha-hmac  (Tunnel),

    lifedur= 3600s and 4608000kb,

    spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0

Sep 26 16:13:36.235: ISAKMP: local port 500, remote port 500

Sep 26 16:13:36.239: ISAKMP: set new node 0 to QM_IDLE

Sep 26 16:13:36.239: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = A34D778

Sep 26 16:13:36.239: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.

Sep 26 16:13:36.239: ISAKMP:(0):Found ADDRESS key in keyring Denso

Sep 26 16:13:36.239: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID

Sep 26 16:13:36.239: ISAKMP:(0): constructed NAT-T vendor-07 ID

Sep 26 16:13:36.239: ISAKMP:(0): constructed NAT-T vendor-03 ID

Sep 26 16:13:36.239: ISAKMP:(0): constructed NAT-T vendor-02 ID

Sep 26 16:13:36.239: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM

Sep 26 16:13:36.239: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1

Sep 26 16:13:36.239: ISAKMP:(0): beginning Main Mode exchange

Sep 26 16:13:36.239: ISAKMP:(0): sending packet to 10X.16Y.17Z.10X my_port 500 peer_port 500 (I) MM_NO_STATE

Sep 26 16:13:36.239: ISAKMP:(0):Sending an IKE IPv4 Packet....

Sep 26 16:13:40.727: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP

Sep 26 16:13:40.727: IPSEC(key_engine_enable_outbound): enable SA with spi 313148564/50 ..

Success rate is 0 percent (0/5)

phub1-kna1#

Sep 26 16:13:46.239: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...

Sep 26 16:13:46.239: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1

Sep 26 16:13:46.239: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE

Sep 26 16:13:46.239: ISAKMP:(0): sending packet to 10X.16Y.17Z.10X my_port 500 peer_port 500 (I) MM_NO_STATE

Sep 26 16:13:46.239: ISAKMP:(0):Sending an IKE IPv4 Packet.

phub1-kna1#

Sep 26 16:13:53.372: ISAKMP (16576): received packet from 10X.16Y.17Z.10X dport 4500 sport 4500 Global (R) MM_NO_STATE

phub1-kna1#

Sep 26 16:13:55.632: ISAKMP (16587): FSM action returned error: 2

Sep 26 16:13:55.632: ISAKMP:(16587):deleting SA reason "IKMP_ERR_NO_RETRANS" state (R) MM_KEY_EXCH (peer 10X.16Y.17Z.02A)

Sep 26 16:13:55.632: ISAKMP (16587): FSM action returned error: 2

Sep 26 16:13:55.632: ISAKMP:(16587):deleting SA reason "IKMP_ERR_NO_RETRANS" state (R) MM_KEY_EXCH (peer 10X.16Y.17Z.02A)

Sep 26 16:13:55.636: ISAKMP (16588): FSM action returned error: 2

Sep 26 16:13:55.636: ISAKMP:(16588):deleting SA reason "IKMP_ERR_NO_RETRANS" state (R) MM_KEY_EXCH (peer 10X.16Y.17Z.02A)

Sep 26 16:13:55.636: ISAKMP (16588): FSM action returned error: 2

Sep 26 16:13:55.636: ISAKMP:(16588):deleting SA reason "IKMP_ERR_NO_RETRANS" state (R) MM_KEY_EXCH (peer 10X.16Y.17Z.02A)

Sep 26 16:13:55.644: ISAKMP (16589): FSM action returned error: 2

Sep 26 16:13:55.644: ISAKMP:(16589):deleting SA reason "IKMP_ERR_NO_RETRANS" state (R) MM_KEY_EXCH (peer 10X.16Y.17Z.02A)

Sep 26 16:13:55.644: ISAKMP (16589): FSM action returned error: 2

Sep 26 16:13:55.644: ISAKMP:(16589):deleting SA reason "IKMP_ERR_NO_RETRANS" state (R) MM_KEY_EXCH (peer 10X.16Y.17Z.02A)

Sep 26 16:13:55.648: ISAKMP (16590): FSM action returned error: 2

Sep 26 16:13:55.648: ISAKMP:(16590):deleting SA reason "IKMP_ERR_NO_RETRANS" state (R) MM_KEY_EXCH (peer 10X.16Y.17Z.02A)

Any help would be highly appreciated.

Regards,

Ethi
