
site to site tunnel using CA - error

Hello Everyone, I have been trying to set up a site to site tunnel using CA and tunnel is not coming up, I am pasting the output of debug crypto isakmp errors for your reference.

Please give some suggestions.

*Dec 26 18:54:19.071: ISAKMP:(0):No pre-shared key with 10.0.0.2!

*Dec 26 18:54:19.267: ISAKMP:(1056):My ID configured as IPv4 Addr, but Addr not in Cert!

*Dec 26 18:54:19.267: ISAKMP:(1056):Using FQDN as My ID

r3(config)#

*Dec 26 18:54:30.087: ISAKMP (1056): FSM action returned error: 2

*Dec 26 18:54:30.091: ISAKMP:(1056):deleting SA reason "IKMP_ERR_NO_RETRANS" state (I) MM_KEY_EXCH (peer 10.0.0.2)

*Dec 26 18:54:30.095: ISAKMP (1056): FSM action returned error: 2

*Dec 26 18:54:30.095: ISAKMP:(1056):deleting SA reason "IKMP_ERR_NO_RETRANS" state (I) MM_KEY_EXCH (peer 10.0.0.2)

r3(config)#

*Dec 26 18:55:39.103: %CRYPTO-4-IKMP_NO_SA: IKE message from 10.0.0.2 has no SA and is not an initialization offer

r3(config)#

*Dec 26 18:55:49.063: ISAKMP:(0):No pre-shared key with 10.0.0.2!

*Dec 26 18:55:49.251: ISAKMP:(1057):My ID configured as IPv4 Addr, but Addr not in Cert!

*Dec 26 18:55:49.251: ISAKMP:(1057):Using FQDN as My ID

*Dec 26 18:55:49.831: ISAKMP (1057): FSM action returned error: 2

*Dec 26 18:55:49.835: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Main mode failed with peer at 10.0.0.2

r3(config)#

*Dec 26 18:55:49.839: ISAKMP:(1057):deleting SA reason "IKMP_ERR_NO_RETRANS" state (I) MM_KEY_EXCH (peer 10.0.0.2)

*Dec 26 18:55:49.843: ISAKMP (1057): FSM action returned error: 2

*Dec 26 18:55:49.843: ISAKMP:(1057):deleting SA reason "IKMP_ERR_NO_RETRANS" state (I) MM_KEY_EXCH (peer 10.0.0.2)

1 REPLY

Re: site to site tunnel using CA - error

OK, I figured out the problem.

Need to specify a key, even if we are authenticating using CA:

crypto isakmp key cisco123 address 10.0.0.2

--

OK, then I figured out the policy number that I am setting is 10, so I changed it to 1, made the authentication rsa-sig, and deleted the key, shut and no shut the tunnel.

Now the tunnel is UP, but I get this error:

*Dec 26 19:30:54.431: ISAKMP:(1083):Profile has no keyring, aborting key search

*Dec 26 19:30:54.455: ISAKMP:(1082):deleting SA reason "Receive initial contact" state (R) QM_IDLE       (peer 10.0.0.2)

*Dec 26 19:30:54.455: ISAKMP:(0):Can't decrement IKE Call Admission Control stat incoming_active since it's already 0.

*Dec 26 19:30:54.475: ISAKMP:(1083):My ID configured as IPv4 Addr, but Addr not in Cert!

*Dec 26 19:30:54.475: ISAKMP:(1083):Using FQDN as My ID

*Dec 26 19:30:54.699: ISAKMP:(1082):deleting SA reason "Receive initial contact" state (R) QM_IDLE       (peer 10.0.0.2)

r3(config)#

and the SA state is below, not able to ping packets at the other end of the tunnel.

r3#show crypto isakmp sa

IPv4 Crypto ISAKMP SA

dst             src             state          conn-id status

10.0.0.1        10.0.0.2        QM_IDLE           1083 ACTIVE

IPv6 Crypto ISAKMP SA
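
An added example, not part of the original posts and not Cisco tooling: a small Python triage script that rejoins the wrapped debug lines as they were pasted in this thread and groups them by ISAKMP conn-id, so the state, role and reason at which each SA was deleted can be read per negotiation. The function names and the sample (lines copied from the thread) are constructed for illustration.

```python
import re

# Constructed sample: debug lines taken from this thread, including the
# wrapped form in which some of them were pasted.
SAMPLE = """\
*Dec 26 18:54:19.071: ISAKMP:(0):No pre-shared key with 10.0.0.2!
*Dec 26 18:54:19.267: ISAKMP:(1056):My ID configured as IPv4 Addr, but Addr

not in Cert!
*Dec 26 18:54:19.267: ISAKMP:(1056):Using FQDN as My ID
r3(config)#
*Dec 26 18:54:30.087: ISAKMP (1056): FSM action returned error: 2
*Dec 26 18:54:30.091: ISAKMP:(1056):deleting SA reason

"IKMP_ERR_NO_RETRANS" state (I) MM_KEY_EXCH (peer 10.0.0.2)
*Dec 26 19:30:54.455: ISAKMP:(1082):deleting SA reason "Receive initial contact" state (R) QM_IDLE       (peer 10.0.0.2)
"""

ENTRY = re.compile(r"ISAKMP:?\s*\((\d+)\):\s*(.*)")      # conn-id + message
DELETED = re.compile(
    r'deleting SA reason\s+"([^"]+)"\s+state \(([IR])\) (\S+)\s+\(peer ([\d.]+)\)')
PROMPT = re.compile(r"^\S+#\s*$")                         # e.g. r3(config)#

def rejoin(text):
    """Merge wrapped continuation lines back onto their timestamped line."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or PROMPT.match(line):
            continue                      # skip blanks and router prompts
        if line.startswith("*") or not out:
            out.append(line)              # a new timestamped debug line
        else:
            out[-1] += " " + line         # continuation of the previous line
    return out

def summarize(text):
    """Map conn-id -> messages seen and (reason, role, state, peer) at deletion."""
    sas = {}
    for line in rejoin(text):
        m = ENTRY.search(line)
        if not m:
            continue
        sa = sas.setdefault(int(m.group(1)), {"messages": [], "deleted": None})
        d = DELETED.search(m.group(2))
        if d:
            sa["deleted"] = d.groups()
        else:
            sa["messages"].append(m.group(2))
    return sas

if __name__ == "__main__":
    for conn_id, sa in summarize(SAMPLE).items():
        print(conn_id, sa["deleted"], sa["messages"])
```
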
