VPN not up, MM_KEY_EXCH and MM_NO_STATE

Kris McCormick
Level 1

My DMVPN will not come up. The results of sho crypto isakmp sa are:

IPv4 Crypto ISAKMP SA

dst             src             state          conn-id status

206.82.221.xxx  50.59.179.yyy   MM_KEY_EXCH       1143 ACTIVE

206.82.221.xxx  50.59.179.yyy   MM_NO_STATE       1142 ACTIVE (deleted)

I also ran debug crypto isakmp and here is the output:

003357: Jul 31 13:54:57.736 PDT: ISAKMP:(0): SA request profile is (NULL)

003358: Jul 31 13:54:57.736 PDT: ISAKMP: Created a peer struct for 206.82.221.xxx, peer port 500

003359: Jul 31 13:54:57.736 PDT: ISAKMP: New peer created peer = 0x22E64C88 peer_handle = 0x8000008E

003360: Jul 31 13:54:57.736 PDT: ISAKMP: Locking peer struct 0x22E64C88, refcount 1 for isakmp_initiator

003361: Jul 31 13:54:57.736 PDT: ISAKMP: local port 500, remote port 500

003362: Jul 31 13:54:57.736 PDT: ISAKMP: set new node 0 to QM_IDLE     

003363: Jul 31 13:54:57.736 PDT: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 3D5A3A60

003364: Jul 31 13:54:57.736 PDT: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.

003365: Jul 31 13:54:57.736 PDT: ISAKMP:(0):found peer pre-shared key matching 206.82.221.xxx

003366: Jul 31 13:54:57.736 PDT: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID

003367: Jul 31 13:54:57.736 PDT: ISAKMP:(0): constructed NAT-T vendor-07 ID

003368: Jul 31 13:54:57.736 PDT: ISAKMP:(0): constructed NAT-T vendor-03 ID

003369: Jul 31 13:54:57.736 PDT: ISAKMP:(0): constructed NAT-T vendor-02 ID

003370: Jul 31 13:54:57.736 PDT: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM

003371: Jul 31 13:54:57.736 PDT: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1

003372: Jul 31 13:54:57.736 PDT: ISAKMP:(0): beginning Main Mode exchange

003373: Jul 31 13:54:57.736 PDT: ISAKMP:(0): sending packet to 206.82.221.xxx my_port 500 peer_port 500 (I) MM_NO_STATE

003374: Jul 31 13:54:57.736 PDT: ISAKMP:(0):Sending an IKE IPv4 Packet.

003375: Jul 31 13:54:57.748 PDT: ISAKMP (0): received packet from 206.82.221.xxx dport 500 sport 500 Global (I) MM_NO_STATE

003376: Jul 31 13:54:57.748 PDT: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

003377: Jul 31 13:54:57.748 PDT: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2

003378: Jul 31 13:54:57.748 PDT: ISAKMP:(0): processing SA payload. message ID = 0

003379: Jul 31 13:54:57.748 PDT: ISAKMP:(0): processing vendor id payload

003380: Jul 31 13:54:57.748 PDT: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch

003381: Jul 31 13:54:57.748 PDT: ISAKMP (0): vendor ID is NAT-T RFC 3947

003382: Jul 31 13:54:57.748 PDT: ISAKMP:(0):found peer pre-shared key matching 206.82.221.xxx

003383: Jul 31 13:54:57.748 PDT: ISAKMP:(0): local preshared key found

003384: Jul 31 13:54:57.748 PDT: ISAKMP : Scanning profiles for xauth ...

003385: Jul 31 13:54:57.748 PDT: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy

003386: Jul 31 13:54:57.748 PDT: ISAKMP:      encryption 3DES-CBC

003387: Jul 31 13:54:57.748 PDT: ISAKMP:      hash SHA

003388: Jul 31 13:54:57.748 PDT: ISAKMP:      default group 2

003389: Jul 31 13:54:57.748 PDT: ISAKMP:      auth pre-share

003390: Jul 31 13:54:57.748 PDT: ISAKMP:      life type in seconds

003391: Jul 31 13:54:57.748 PDT: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80

003392: Jul 31 13:54:57.748 PDT: ISAKMP:(0):atts are acceptable. Next payload is 0

003393: Jul 31 13:54:57.748 PDT: ISAKMP:(0):Acceptable atts:actual life: 0

003394: Jul 31 13:54:57.748 PDT: ISAKMP:(0):Acceptable atts:life: 0

003395: Jul 31 13:54:57.748 PDT: ISAKMP:(0):Fill atts in sa vpi_length:4

003396: Jul 31 13:54:57.748 PDT: ISAKMP:(0):Fill atts in sa life_in_seconds:86400

003397: Jul 31 13:54:57.748 PDT: ISAKMP:(0):Returning Actual lifetime: 86400

003398: Jul 31 13:54:57.748 PDT: ISAKMP:(0)::Started lifetime timer: 86400.

003399: Jul 31 13:54:57.748 PDT: ISAKMP:(0): processing vendor id payload

003400: Jul 31 13:54:57.748 PDT: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch

003401: Jul 31 13:54:57.748 PDT: ISAKMP (0): vendor ID is NAT-T RFC 3947

003402: Jul 31 13:54:57.748 PDT: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

003403: Jul 31 13:54:57.748 PDT: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2

003404: Jul 31 13:54:57.748 PDT: ISAKMP:(0): sending packet to 206.82.221.xxx my_port 500 peer_port 500 (I) MM_SA_SETUP

003405: Jul 31 13:54:57.752 PDT: ISAKMP:(0):Sending an IKE IPv4 Packet.

003406: Jul 31 13:54:57.752 PDT: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

003407: Jul 31 13:54:57.752 PDT: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3

003408: Jul 31 13:54:57.836 PDT: ISAKMP (0): received packet from 206.82.221.xxx dport 500 sport 500 Global (I) MM_SA_SETUP

003409: Jul 31 13:54:57.836 PDT: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

003410: Jul 31 13:54:57.836 PDT: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4

003411: Jul 31 13:54:57.836 PDT: ISAKMP:(0): processing KE payload. message ID = 0

003412: Jul 31 13:54:57.860 PDT: ISAKMP:(0): processing NONCE payload. message ID = 0

003413: Jul 31 13:54:57.860 PDT: ISAKMP:(0):found peer pre-shared key matching 206.82.221.xxx

003414: Jul 31 13:54:57.860 PDT: ISAKMP:(1138): processing vendor id payload

003415: Jul 31 13:54:57.860 PDT: ISAKMP:(1138): vendor ID is Unity

003416: Jul 31 13:54:57.860 PDT: ISAKMP:(1138): processing vendor id payload

003417: Jul 31 13:54:57.860 PDT: ISAKMP:(1138): vendor ID is DPD

003418: Jul 31 13:54:57.860 PDT: ISAKMP:(1138): processing vendor id payload

003419: Jul 31 13:54:57.860 PDT: ISAKMP:(1138): speaking to another IOS box!

003420: Jul 31 13:54:57.860 PDT: ISAKMP:received payload type 20

003421: Jul 31 13:54:57.860 PDT: ISAKMP (1138): His hash no match - this node outside NAT

003422: Jul 31 13:54:57.860 PDT: ISAKMP:received payload type 20

003423: Jul 31 13:54:57.860 PDT: ISAKMP (1138): No NAT Found for self or peer

003424: Jul 31 13:54:57.860 PDT: ISAKMP:(1138):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

003425: Jul 31 13:54:57.860 PDT: ISAKMP:(1138):Old State = IKE_I_MM4  New State = IKE_I_MM4

003426: Jul 31 13:54:57.860 PDT: ISAKMP:(1138):Send initial contact

003427: Jul 31 13:54:57.860 PDT: ISAKMP:(1138):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR

003428: Jul 31 13:54:57.860 PDT: ISAKMP (1138): ID payload

        next-payload : 8

        type         : 1

        address      : 50.59.179.yyy

        protocol     : 17

        port         : 500

        length       : 12

003429: Jul 31 13:54:57.860 PDT: ISAKMP:(1138):Total payload length: 12

003430: Jul 31 13:54:57.860 PDT: ISAKMP:(1138): sending packet to 206.82.221.xxx my_port 500 peer_port 500 (I) MM_KEY_EXCH

003431: Jul 31 13:54:57.860 PDT: ISAKMP:(1138):Sending an IKE IPv4 Packet.

003432: Jul 31 13:54:57.864 PDT: ISAKMP:(1138):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

003433: Jul 31 13:54:57.864 PDT: ISAKMP:(1138):Old State = IKE_I_MM4  New State = IKE_I_MM5

003434: Jul 31 13:54:58.872 PDT: ISAKMP (1138): received packet from 206.82.221.xxx dport 500 sport 500 Global (I) MM_KEY_EXCH

003435: Jul 31 13:54:58.872 PDT: ISAKMP:(1138): phase 1 packet is a duplicate of a previous packet.

003436: Jul 31 13:54:58.872 PDT: ISAKMP:(1138): retransmitting due to retransmit phase 1

003437: Jul 31 13:54:59.372 PDT: ISAKMP:(1138): retransmitting phase 1 MM_KEY_EXCH...

003438: Jul 31 13:54:59.372 PDT: ISAKMP (1138): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1

003439: Jul 31 13:54:59.372 PDT: ISAKMP:(1138): retransmitting phase 1 MM_KEY_EXCH

003440: Jul 31 13:54:59.372 PDT: ISAKMP:(1138): sending packet to 206.82.221.xxx my_port 500 peer_port 500 (I) MM_KEY_EXCH

003441: Jul 31 13:54:59.372 PDT: ISAKMP:(1138):Sending an IKE IPv4 Packet.

003442: Jul 31 13:55:09.372 PDT: ISAKMP:(1138): retransmitting phase 1 MM_KEY_EXCH...

003443: Jul 31 13:55:09.372 PDT: ISAKMP (1138): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1

003444: Jul 31 13:55:09.372 PDT: ISAKMP:(1138): retransmitting phase 1 MM_KEY_EXCH

003445: Jul 31 13:55:09.372 PDT: ISAKMP:(1138): sending packet to 206.82.221.xxx my_port 500 peer_port 500 (I) MM_KEY_EXCH

003446: Jul 31 13:55:09.372 PDT: ISAKMP:(1138):Sending an IKE IPv4 Packet.

003447: Jul 31 13:55:09.376 PDT: ISAKMP (1138): received packet from 206.82.221.xxx dport 500 sport 500 Global (I) MM_KEY_EXCH

003448: Jul 31 13:55:09.376 PDT: ISAKMP:(1138): phase 1 packet is a duplicate of a previous packet.

003449: Jul 31 13:55:09.376 PDT: ISAKMP:(1138): retransmission skipped for phase 1 (time since last transmission 4)

003451: Jul 31 13:55:19.372 PDT: ISAKMP:(1138): retransmitting phase 1 MM_KEY_EXCH...

003452: Jul 31 13:55:19.372 PDT: ISAKMP (1138): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1

003453: Jul 31 13:55:19.372 PDT: ISAKMP:(1138): retransmitting phase 1 MM_KEY_EXCH

003454: Jul 31 13:55:19.372 PDT: ISAKMP:(1138): sending packet to 206.82.221.xxx my_port 500 peer_port 500 (I) MM_KEY_EXCH

003455: Jul 31 13:55:19.372 PDT: ISAKMP:(1138):Sending an IKE IPv4 Packet.

003456: Jul 31 13:55:19.880 PDT: ISAKMP (1138): received packet from 206.82.221.xxx dport 500 sport 500 Global (I) MM_KEY_EXCH

003457: Jul 31 13:55:19.880 PDT: ISAKMP:(1138): phase 1 packet is a duplicate of a previous packet.

003458: Jul 31 13:55:19.880 PDT: ISAKMP:(1138): retransmission skipped for phase 1 (time since last transmission 508)nodebug crypto isakmp

003459: Jul 31 13:55:27.736 PDT: ISAKMP: set new node 0 to QM_IDLE     

003460: Jul 31 13:55:27.736 PDT: ISAKMP:(1138):SA is still budding. Attached new ipsec request to it. (local 50.59.179.yyy, remote 206.82.221.xxx)

003461: Jul 31 13:55:27.736 PDT: ISAKMP: Error while processing SA request: Failed to initialize SA

003462: Jul 31 13:55:27.736 PDT: ISAKMP: Error while processing KMI message 0, error 2. debug crypto isakmp

Crypto ISAKMP debugging is off

I have verified the ISAKMP settings but looking at other routers within the network that are successfully using the VPN. Any ideas why this is not working? Is the ZBFW blocking something? I can provide a router config if necessary.
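Added example, not part of the original post: a small triage script that reads the kind of `debug crypto isakmp` lines shown above, tracks how far the initiator's main-mode state machine got, counts phase 1 retransmits and duplicate peer packets, and maps the final state to the usual things to check. The sample lines, connection id and hint wording are constructed for this example and reflect general IKEv1 troubleshooting practice, not this poster's configuration.

```python
import re

# Constructed sample, trimmed to the kinds of lines `debug crypto isakmp`
# prints; the connection id and counts are made up for this example.
SAMPLE = """\
ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2
ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3
ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4
ISAKMP (1138): No NAT Found for self or peer
ISAKMP:(1138):Old State = IKE_I_MM4  New State = IKE_I_MM5
ISAKMP:(1138): phase 1 packet is a duplicate of a previous packet.
ISAKMP (1138): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
ISAKMP:(1138): phase 1 packet is a duplicate of a previous packet.
ISAKMP (1138): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
"""

STATE_RE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
RETRY_RE = re.compile(r"attempt (\d+) of (\d+): retransmit phase 1")

# What the initiator is waiting for in each main-mode state, and where to look
# when it stalls there (general IKEv1 troubleshooting practice, an assumption
# of this example rather than anything taken from the post).
HINTS = {
    "IKE_I_MM1": "no MM2 reply: peer unreachable, ISAKMP disabled, or UDP/500 filtered",
    "IKE_I_MM3": "no MM4 reply after KE/nonce: path loss or policy mismatch on the peer",
    "IKE_I_MM5": "MM5 (encrypted ID+hash) sent but peer keeps retransmitting MM4: "
                 "peer cannot decrypt/accept MM5; verify the pre-shared key on both "
                 "sides and that UDP/500 passes end to end (UDP/4500 too if NAT-T is in play)",
}

def triage(debug_text):
    """Summarise one IKEv1 main-mode attempt from debug output."""
    last_state, attempts, dups, nat = None, 0, 0, "not reported"
    for line in debug_text.splitlines():
        if (m := STATE_RE.search(line)):
            last_state = m.group(2)
        if (m := RETRY_RE.search(line)):
            attempts = int(m.group(1))
        if "duplicate of a previous packet" in line:
            dups += 1            # peer resent its last message: it never accepted ours
        if "No NAT Found" in line:
            nat = "none"         # NAT-D hashes matched, so IKE stays on UDP/500
    return {"last_state": last_state, "attempts": attempts, "dups": dups,
            "nat": nat, "hint": HINTS.get(last_state, f"stalled in {last_state}")}

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```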

2 Replies

deanayres
Level 1

Try opening up UDP port 4500 through PAT.

ssikder
Level 1

Does anybody have the solution for it? It is urgent for a hospital. Please help.