12-26-2013 05:33 AM
Hello everyone, I have been trying to set up a site-to-site tunnel using a CA,
and the tunnel is not coming up. I am pasting the output of
debug crypto isakmp errors for your reference.
Please give some suggestions.
*Dec 26 18:54:19.071: ISAKMP:(0):No pre-shared key with 10.0.0.2!
*Dec 26 18:54:19.267: ISAKMP:(1056):My ID configured as IPv4 Addr, but Addr not in Cert!
*Dec 26 18:54:19.267: ISAKMP:(1056):Using FQDN as My ID
r3(config)#
*Dec 26 18:54:30.087: ISAKMP (1056): FSM action returned error: 2
*Dec 26 18:54:30.091: ISAKMP:(1056):deleting SA reason "IKMP_ERR_NO_RETRANS" state (I) MM_KEY_EXCH (peer 10.0.0.2)
*Dec 26 18:54:30.095: ISAKMP (1056): FSM action returned error: 2
*Dec 26 18:54:30.095: ISAKMP:(1056):deleting SA reason "IKMP_ERR_NO_RETRANS" state (I) MM_KEY_EXCH (peer 10.0.0.2)
r3(config)#
*Dec 26 18:55:39.103: %CRYPTO-4-IKMP_NO_SA: IKE message from 10.0.0.2 has no SA and is not an initialization offer
r3(config)#
*Dec 26 18:55:49.063: ISAKMP:(0):No pre-shared key with 10.0.0.2!
*Dec 26 18:55:49.251: ISAKMP:(1057):My ID configured as IPv4 Addr, but Addr not in Cert!
*Dec 26 18:55:49.251: ISAKMP:(1057):Using FQDN as My ID
*Dec 26 18:55:49.831: ISAKMP (1057): FSM action returned error: 2
*Dec 26 18:55:49.835: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Main mode failed with peer at 10.0.0.2
r3(config)#
*Dec 26 18:55:49.839: ISAKMP:(1057):deleting SA reason "IKMP_ERR_NO_RETRANS" state (I) MM_KEY_EXCH (peer 10.0.0.2)
*Dec 26 18:55:49.843: ISAKMP (1057): FSM action returned error: 2
*Dec 26 18:55:49.843: ISAKMP:(1057):deleting SA reason "IKMP_ERR_NO_RETRANS" state (I) MM_KEY_EXCH (peer 10.0.0.2)
12-26-2013 06:02 AM
OK, I figured out the problem.
We need to specify a key, even if we are authenticating using a CA:
crypto isakmp key cisco123 address 10.0.0.2
--
OK, then I figured out that the policy number I am setting is 10,
so I changed it to 1,
set the authentication to rsa-sig,
deleted the key, and did a shut and no shut on the tunnel.
Now the tunnel is UP, but I get this error:
*Dec 26 19:30:54.431: ISAKMP:(1083):Profile has no keyring, aborting key search
*Dec 26 19:30:54.455: ISAKMP:(1082):deleting SA reason "Receive initial contact" state (R) QM_IDLE (peer 10.0.0.2)
*Dec 26 19:30:54.455: ISAKMP:(0):Can't decrement IKE Call Admission Control stat incoming_active since it's already 0.
*Dec 26 19:30:54.475: ISAKMP:(1083):My ID configured as IPv4 Addr, but Addr not in Cert!
*Dec 26 19:30:54.475: ISAKMP:(1083):Using FQDN as My ID
*Dec 26 19:30:54.699: ISAKMP:(1082):deleting SA reason "Receive initial contact" state (R) QM_IDLE (peer 10.0.0.2)
r3(config)#
The SA state is below, and I am not able to ping the other end of the tunnel.
r3#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.0.0.1        10.0.0.2        QM_IDLE           1083 ACTIVE
IPv6 Crypto ISAKMP SA