07-31-2013 02:06 PM
My DMVPN will not come up. The results of sho crypto isakmp sa are:
IPv4 Crypto ISAKMP SA
dst src state conn-id status
206.82.221.xxx 50.59.179.yyy MM_KEY_EXCH 1143 ACTIVE
206.82.221.xxx 50.59.179.yyy MM_NO_STATE 1142 ACTIVE (deleted)
I also ran debug crypto isakmp and here is the output:
003357: Jul 31 13:54:57.736 PDT: ISAKMP:(0): SA request profile is (NULL)
003358: Jul 31 13:54:57.736 PDT: ISAKMP: Created a peer struct for 206.82.221.xxx, peer port 500
003359: Jul 31 13:54:57.736 PDT: ISAKMP: New peer created peer = 0x22E64C88 peer_handle = 0x8000008E
003360: Jul 31 13:54:57.736 PDT: ISAKMP: Locking peer struct 0x22E64C88, refcount 1 for isakmp_initiator
003361: Jul 31 13:54:57.736 PDT: ISAKMP: local port 500, remote port 500
003362: Jul 31 13:54:57.736 PDT: ISAKMP: set new node 0 to QM_IDLE
003363: Jul 31 13:54:57.736 PDT: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 3D5A3A60
003364: Jul 31 13:54:57.736 PDT: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
003365: Jul 31 13:54:57.736 PDT: ISAKMP:(0):found peer pre-shared key matching 206.82.221.xxx
003366: Jul 31 13:54:57.736 PDT: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
003367: Jul 31 13:54:57.736 PDT: ISAKMP:(0): constructed NAT-T vendor-07 ID
003368: Jul 31 13:54:57.736 PDT: ISAKMP:(0): constructed NAT-T vendor-03 ID
003369: Jul 31 13:54:57.736 PDT: ISAKMP:(0): constructed NAT-T vendor-02 ID
003370: Jul 31 13:54:57.736 PDT: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
003371: Jul 31 13:54:57.736 PDT: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
003372: Jul 31 13:54:57.736 PDT: ISAKMP:(0): beginning Main Mode exchange
003373: Jul 31 13:54:57.736 PDT: ISAKMP:(0): sending packet to 206.82.221.xxx my_port 500 peer_port 500 (I) MM_NO_STATE
003374: Jul 31 13:54:57.736 PDT: ISAKMP:(0):Sending an IKE IPv4 Packet.
003375: Jul 31 13:54:57.748 PDT: ISAKMP (0): received packet from 206.82.221.xxx dport 500 sport 500 Global (I) MM_NO_STATE
003376: Jul 31 13:54:57.748 PDT: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
003377: Jul 31 13:54:57.748 PDT: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2
003378: Jul 31 13:54:57.748 PDT: ISAKMP:(0): processing SA payload. message ID = 0
003379: Jul 31 13:54:57.748 PDT: ISAKMP:(0): processing vendor id payload
003380: Jul 31 13:54:57.748 PDT: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
003381: Jul 31 13:54:57.748 PDT: ISAKMP (0): vendor ID is NAT-T RFC 3947
003382: Jul 31 13:54:57.748 PDT: ISAKMP:(0):found peer pre-shared key matching 206.82.221.xxx
003383: Jul 31 13:54:57.748 PDT: ISAKMP:(0): local preshared key found
003384: Jul 31 13:54:57.748 PDT: ISAKMP : Scanning profiles for xauth ...
003385: Jul 31 13:54:57.748 PDT: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
003386: Jul 31 13:54:57.748 PDT: ISAKMP: encryption 3DES-CBC
003387: Jul 31 13:54:57.748 PDT: ISAKMP: hash SHA
003388: Jul 31 13:54:57.748 PDT: ISAKMP: default group 2
003389: Jul 31 13:54:57.748 PDT: ISAKMP: auth pre-share
003390: Jul 31 13:54:57.748 PDT: ISAKMP: life type in seconds
003391: Jul 31 13:54:57.748 PDT: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
003392: Jul 31 13:54:57.748 PDT: ISAKMP:(0):atts are acceptable. Next payload is 0
003393: Jul 31 13:54:57.748 PDT: ISAKMP:(0):Acceptable atts:actual life: 0
003394: Jul 31 13:54:57.748 PDT: ISAKMP:(0):Acceptable atts:life: 0
003395: Jul 31 13:54:57.748 PDT: ISAKMP:(0):Fill atts in sa vpi_length:4
003396: Jul 31 13:54:57.748 PDT: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
003397: Jul 31 13:54:57.748 PDT: ISAKMP:(0):Returning Actual lifetime: 86400
003398: Jul 31 13:54:57.748 PDT: ISAKMP:(0)::Started lifetime timer: 86400.
003399: Jul 31 13:54:57.748 PDT: ISAKMP:(0): processing vendor id payload
003400: Jul 31 13:54:57.748 PDT: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
003401: Jul 31 13:54:57.748 PDT: ISAKMP (0): vendor ID is NAT-T RFC 3947
003402: Jul 31 13:54:57.748 PDT: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
003403: Jul 31 13:54:57.748 PDT: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2
003404: Jul 31 13:54:57.748 PDT: ISAKMP:(0): sending packet to 206.82.221.xxx my_port 500 peer_port 500 (I) MM_SA_SETUP
003405: Jul 31 13:54:57.752 PDT: ISAKMP:(0):Sending an IKE IPv4 Packet.
003406: Jul 31 13:54:57.752 PDT: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
003407: Jul 31 13:54:57.752 PDT: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3
003408: Jul 31 13:54:57.836 PDT: ISAKMP (0): received packet from 206.82.221.xxx dport 500 sport 500 Global (I) MM_SA_SETUP
003409: Jul 31 13:54:57.836 PDT: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
003410: Jul 31 13:54:57.836 PDT: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4
003411: Jul 31 13:54:57.836 PDT: ISAKMP:(0): processing KE payload. message ID = 0
003412: Jul 31 13:54:57.860 PDT: ISAKMP:(0): processing NONCE payload. message ID = 0
003413: Jul 31 13:54:57.860 PDT: ISAKMP:(0):found peer pre-shared key matching 206.82.221.xxx
003414: Jul 31 13:54:57.860 PDT: ISAKMP:(1138): processing vendor id payload
003415: Jul 31 13:54:57.860 PDT: ISAKMP:(1138): vendor ID is Unity
003416: Jul 31 13:54:57.860 PDT: ISAKMP:(1138): processing vendor id payload
003417: Jul 31 13:54:57.860 PDT: ISAKMP:(1138): vendor ID is DPD
003418: Jul 31 13:54:57.860 PDT: ISAKMP:(1138): processing vendor id payload
003419: Jul 31 13:54:57.860 PDT: ISAKMP:(1138): speaking to another IOS box!
003420: Jul 31 13:54:57.860 PDT: ISAKMP:received payload type 20
003421: Jul 31 13:54:57.860 PDT: ISAKMP (1138): His hash no match - this node outside NAT
003422: Jul 31 13:54:57.860 PDT: ISAKMP:received payload type 20
003423: Jul 31 13:54:57.860 PDT: ISAKMP (1138): No NAT Found for self or peer
003424: Jul 31 13:54:57.860 PDT: ISAKMP:(1138):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
003425: Jul 31 13:54:57.860 PDT: ISAKMP:(1138):Old State = IKE_I_MM4 New State = IKE_I_MM4
003426: Jul 31 13:54:57.860 PDT: ISAKMP:(1138):Send initial contact
003427: Jul 31 13:54:57.860 PDT: ISAKMP:(1138):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
003428: Jul 31 13:54:57.860 PDT: ISAKMP (1138): ID payload
next-payload : 8
type : 1
address : 50.59.179.yyy
protocol : 17
port : 500
length : 12
003429: Jul 31 13:54:57.860 PDT: ISAKMP:(1138):Total payload length: 12
003430: Jul 31 13:54:57.860 PDT: ISAKMP:(1138): sending packet to 206.82.221.xxx my_port 500 peer_port 500 (I) MM_KEY_EXCH
003431: Jul 31 13:54:57.860 PDT: ISAKMP:(1138):Sending an IKE IPv4 Packet.
003432: Jul 31 13:54:57.864 PDT: ISAKMP:(1138):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
003433: Jul 31 13:54:57.864 PDT: ISAKMP:(1138):Old State = IKE_I_MM4 New State = IKE_I_MM5
003434: Jul 31 13:54:58.872 PDT: ISAKMP (1138): received packet from 206.82.221.xxx dport 500 sport 500 Global (I) MM_KEY_EXCH
003435: Jul 31 13:54:58.872 PDT: ISAKMP:(1138): phase 1 packet is a duplicate of a previous packet.
003436: Jul 31 13:54:58.872 PDT: ISAKMP:(1138): retransmitting due to retransmit phase 1
003437: Jul 31 13:54:59.372 PDT: ISAKMP:(1138): retransmitting phase 1 MM_KEY_EXCH...
003438: Jul 31 13:54:59.372 PDT: ISAKMP (1138): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
003439: Jul 31 13:54:59.372 PDT: ISAKMP:(1138): retransmitting phase 1 MM_KEY_EXCH
003440: Jul 31 13:54:59.372 PDT: ISAKMP:(1138): sending packet to 206.82.221.xxx my_port 500 peer_port 500 (I) MM_KEY_EXCH
003441: Jul 31 13:54:59.372 PDT: ISAKMP:(1138):Sending an IKE IPv4 Packet.
003442: Jul 31 13:55:09.372 PDT: ISAKMP:(1138): retransmitting phase 1 MM_KEY_EXCH...
003443: Jul 31 13:55:09.372 PDT: ISAKMP (1138): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
003444: Jul 31 13:55:09.372 PDT: ISAKMP:(1138): retransmitting phase 1 MM_KEY_EXCH
003445: Jul 31 13:55:09.372 PDT: ISAKMP:(1138): sending packet to 206.82.221.xxx my_port 500 peer_port 500 (I) MM_KEY_EXCH
003446: Jul 31 13:55:09.372 PDT: ISAKMP:(1138):Sending an IKE IPv4 Packet.
003447: Jul 31 13:55:09.376 PDT: ISAKMP (1138): received packet from 206.82.221.xxx dport 500 sport 500 Global (I) MM_KEY_EXCH
003448: Jul 31 13:55:09.376 PDT: ISAKMP:(1138): phase 1 packet is a duplicate of a previous packet.
003449: Jul 31 13:55:09.376 PDT: ISAKMP:(1138): retransmission skipped for phase 1 (time since last transmission 4)
003451: Jul 31 13:55:19.372 PDT: ISAKMP:(1138): retransmitting phase 1 MM_KEY_EXCH...
003452: Jul 31 13:55:19.372 PDT: ISAKMP (1138): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
003453: Jul 31 13:55:19.372 PDT: ISAKMP:(1138): retransmitting phase 1 MM_KEY_EXCH
003454: Jul 31 13:55:19.372 PDT: ISAKMP:(1138): sending packet to 206.82.221.xxx my_port 500 peer_port 500 (I) MM_KEY_EXCH
003455: Jul 31 13:55:19.372 PDT: ISAKMP:(1138):Sending an IKE IPv4 Packet.
003456: Jul 31 13:55:19.880 PDT: ISAKMP (1138): received packet from 206.82.221.xxx dport 500 sport 500 Global (I) MM_KEY_EXCH
003457: Jul 31 13:55:19.880 PDT: ISAKMP:(1138): phase 1 packet is a duplicate of a previous packet.
003458: Jul 31 13:55:19.880 PDT: ISAKMP:(1138): retransmission skipped for phase 1 (time since last transmission 508)nodebug crypto isakmp
003459: Jul 31 13:55:27.736 PDT: ISAKMP: set new node 0 to QM_IDLE
003460: Jul 31 13:55:27.736 PDT: ISAKMP:(1138):SA is still budding. Attached new ipsec request to it. (local 50.59.179.yyy, remote 206.82.221.xxx)
003461: Jul 31 13:55:27.736 PDT: ISAKMP: Error while processing SA request: Failed to initialize SA
003462: Jul 31 13:55:27.736 PDT: ISAKMP: Error while processing KMI message 0, error 2. debug crypto isakmp
Crypto ISAKMP debugging is off
I have verified the isakmp settings by looking at other routers within the network that are successfully using the VPN. Any ideas why this is not working? Is the ZBFW blocking something? I can provide a router config if necessary.
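Added example, not part of the original post: a small Python parser that reads `debug crypto isakmp` output in the format quoted above and reports the last state transition, the retransmit counter and the duplicate-packet count seen after it. The function name `summarize` and the idea of treating retransmits after the last transition as a stall are assumptions of this example; the input is an excerpt of the lines posted above.

```python
import re

# Excerpt of the debug output quoted in the post above (addresses masked as posted).
EXCERPT = """\
003407: Jul 31 13:54:57.752 PDT: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3
003410: Jul 31 13:54:57.836 PDT: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4
003433: Jul 31 13:54:57.864 PDT: ISAKMP:(1138):Old State = IKE_I_MM4 New State = IKE_I_MM5
003435: Jul 31 13:54:58.872 PDT: ISAKMP:(1138): phase 1 packet is a duplicate of a previous packet.
003438: Jul 31 13:54:59.372 PDT: ISAKMP (1138): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
003443: Jul 31 13:55:09.372 PDT: ISAKMP (1138): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
003448: Jul 31 13:55:09.376 PDT: ISAKMP:(1138): phase 1 packet is a duplicate of a previous packet.
003461: Jul 31 13:55:27.736 PDT: ISAKMP: Error while processing SA request: Failed to initialize SA
"""

STATE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
ATTEMPT = re.compile(r"attempt (\d+) of (\d+): retransmit phase 1")
DUPLICATE = "phase 1 packet is a duplicate of a previous packet"
ERROR = re.compile(r"ISAKMP: (Error while processing .+)")


def summarize(debug_text):
    """Report where a phase 1 exchange stopped making progress (hypothetical helper)."""
    s = {"last_state": None, "attempt": 0, "limit": None, "duplicates": 0, "errors": []}
    for line in debug_text.splitlines():
        m = STATE.search(line)
        if m:
            if m.group(2) != s["last_state"]:
                # A real transition: counters from the previous state no longer apply.
                s.update(last_state=m.group(2), attempt=0, limit=None, duplicates=0)
            continue
        m = ATTEMPT.search(line)
        if m:
            s["attempt"], s["limit"] = int(m.group(1)), int(m.group(2))
        elif DUPLICATE in line:
            # The peer re-sent a packet this router had already processed.
            s["duplicates"] += 1
        else:
            m = ERROR.search(line)
            if m:
                s["errors"].append(m.group(1).strip())
    # Assumption of this example: retransmits logged after the last transition mean a stall.
    s["stalled"] = s["attempt"] > 0
    return s


if __name__ == "__main__":
    print(summarize(EXCERPT))
```

On the excerpt, the summary shows the initiator stopped at `IKE_I_MM5` with retransmits counting up and the peer repeating a packet already seen.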
10-12-2013 04:51 PM
try opening up UDP port 4500 through PAT.
08-17-2018 11:58 AM
Does anybody have the solution for it? It is urgent for a hospital. Please help.