Vpn site-to-site phase2 fail

Hi everyone, I have two sites: at HQ I have a C2801 as hub, and on the remote side I have a C1861 as spoke that gets its IP through ADSL. After I configured both routers, all steps in Phase 1 complete, but at the next phase I get the error IKMP_ERR_NO_RETRANS. I read a lot of entries here, but none is like the one I have.

Please, can you check if I missed something in the configuration? Another thing is that on the same C2801 I have a VPN Client and another site-to-site VPN with a fixed IP address, and they work perfectly.

Network in Remote Side: 192.168.225.0/24 and 192.168.226.0/24

Networks in HQ: 192.168.0.0


I attached the configs and debugs.


Marcin Latosiewicz (Cisco Employee)

Cesar,

HQ debugs.

*Jul  9 01:16:29.106: ISAKMP:(1268):Need XAUTH
*Jul  9 01:16:29.106: ISAKMP: set new node 1016726530 to CONF_XAUTH  
*Jul  9 01:16:29.110: ISAKMP/xauth: request attribute XAUTH_USER_NAME_V2
*Jul  9 01:16:29.110: ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD_V2

REMOTE:

*Jul  9 01:28:38.615: ISAKMP (2186): received packet from 20x.11y.15z.19w dport 500 sport 500 Global (I) QM_IDLE     
*Jul  9 01:28:38.615: ISAKMP:(2186):processing transaction payload from 20x.11y.15z.19w. message ID = 969023304
*Jul  9 01:28:38.615: ISAKMP: Config payload REQUEST
*Jul  9 01:28:38.615: ISAKMP:(2186): No provision for the request
*Jul  9 01:28:38.615: ISAKMP: Invalid config REQUEST

HQ wants to do xauth for that peer :-)

Is that a clue enough?
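The clue above (hub starts XAUTH, spoke answers "No provision for the request", then the phase 2 SA is deleted) can be turned into a small triage check. The following Python script is an added example, not part of the thread or of any Cisco tool; the debug excerpts in it are constructed from the lines quoted in this thread, and the finding names, `scan`, `peers` and `diagnose` are my own.

```python
import re
from typing import Dict, List, Tuple

# Constructed debug excerpts modelled on the hub, spoke and VPN-client lines quoted in
# this thread (the thread's obfuscated peer addresses are kept); not the original attachments.
HUB_DEBUG = """\
*Jul  9 01:16:29.106: ISAKMP:(1268):Need XAUTH
*Jul  9 01:16:29.106: ISAKMP: set new node 1016726530 to CONF_XAUTH
*Jul  9 01:16:29.110: ISAKMP/xauth: request attribute XAUTH_USER_NAME_V2
*Jul  9 01:16:29.110: ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD_V2
"""
SPOKE_DEBUG = """\
*Jul  9 01:28:38.600: ISAKMP:(2186):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
*Jul  9 01:28:38.615: ISAKMP (2186): received packet from 20x.11y.15z.19w dport 500 sport 500 Global (I) QM_IDLE
*Jul  9 01:28:38.615: ISAKMP: Config payload REQUEST
*Jul  9 01:28:38.615: ISAKMP:(2186): No provision for the request
*Jul  9 01:28:38.615: ISAKMP: Invalid config REQUEST
*Jul  9 01:28:53.615: ISAKMP:(2186):deleting SA reason "IKMP_ERR_NO_RETRANS" state (I) QM_IDLE       (peer 20x.11y.15z.19w)
"""
CLIENT_DEBUG = """\
*Jul  9 17:17:54.674: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Jul  9 17:17:54.674: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Jul  9 17:17:54.686: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) AG_NO_STATE (peer x01.y55.z30.w45)
"""

# Each signature maps one recognisable IOS ISAKMP debug line to a finding name.
SIGNATURES = [
    (re.compile(r"ISAKMP:\(\d+\):Need XAUTH|to CONF_XAUTH|request attribute XAUTH_USER_"), "xauth_started"),
    (re.compile(r"New State = IKE_P1_COMPLETE"), "phase1_complete"),
    (re.compile(r"ISAKMP: Config payload REQUEST"), "config_request_received"),
    (re.compile(r"No provision for the request|Invalid config REQUEST"), "config_request_rejected"),
    (re.compile(r'deleting SA reason "IKMP_ERR_NO_RETRANS"'), "phase2_timeout"),
    (re.compile(r"Phase1 SA policy proposal not accepted|offered does not match policy"), "phase1_policy_mismatch"),
]
PEER_RE = re.compile(r"\(peer ([\w.]+)\)")


def scan(debug_text: str) -> Dict[str, List[str]]:
    """Group the debug lines by the finding they support."""
    findings: Dict[str, List[str]] = {}
    for line in debug_text.splitlines():
        for pattern, name in SIGNATURES:
            if pattern.search(line):
                findings.setdefault(name, []).append(line.strip())
    return findings


def peers(debug_text: str) -> List[str]:
    """Peer addresses named in 'deleting SA' lines, de-duplicated in order of appearance."""
    return list(dict.fromkeys(PEER_RE.findall(debug_text)))


def diagnose(hub_text: str, spoke_text: str) -> Tuple[str, str]:
    """Return (code, explanation) for a tunnel that fails to come up, given both sides' debugs."""
    hub, spoke = scan(hub_text), scan(spoke_text)
    if "phase1_policy_mismatch" in hub or "phase1_policy_mismatch" in spoke:
        return ("phase1_policy_mismatch",
                "no ISAKMP policy accepts the offered proposal; phase 1 never completes")
    if "xauth_started" in hub and "config_request_rejected" in spoke:
        return ("xauth_on_l2l_peer",
                "hub treats the site-to-site peer as a remote-access client and requests XAUTH; "
                "the spoke rejects the config REQUEST, so Quick Mode never completes "
                "(check the PSK's no-xauth and the dynamic crypto map ordering)")
    if "phase2_timeout" in spoke:
        return ("phase2_timeout", "phase 2 retransmits exhausted with no config exchange seen")
    return ("unknown", "no known signature matched")
```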

Yes, but I configured the line "crypto isakmp key abc address 0.0.0.0 0.0.0.0 no-xauth", and this causes a conflict with the connection of the VPN Client user; once I remove the line, the VPN client connects as always. I do not find any other way to keep the no-xauth; this is a peer with no fixed IP.

I get this error in the debug when I try to connect the VPN Client:

*Jul  9 17:17:54.674: ISAKMP : Scanning profiles for xauth ...
*Jul  9 17:17:54.674: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*Jul  9 17:17:54.674: ISAKMP:      encryption AES-CBC
*Jul  9 17:17:54.674: ISAKMP:      hash SHA
*Jul  9 17:17:54.674: ISAKMP:      default group 2
*Jul  9 17:17:54.674: ISAKMP:      auth XAUTHInitPreShared
*Jul  9 17:17:54.674: ISAKMP:      life type in seconds
*Jul  9 17:17:54.674: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Jul  9 17:17:54.674: ISAKMP:      keylength of 256
*Jul  9 17:17:54.674: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Jul  9 17:17:54.674: ISAKMP:(0):atts are not acceptable. Next payload is 3

...

*Jul  9 17:17:54.674: ISAKMP : Scanning profiles for xauth ...
*Jul  9 17:17:54.674: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*Jul  9 17:17:54.674: ISAKMP:      encryption AES-CBC
*Jul  9 17:17:54.674: ISAKMP:      hash SHA
*Jul  9 17:17:54.674: ISAKMP:      default group 2
*Jul  9 17:17:54.674: ISAKMP:      auth XAUTHInitPreShared
*Jul  9 17:17:54.674: ISAKMP:      life type in seconds
*Jul  9 17:17:54.674: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Jul  9 17:17:54.674: ISAKMP:      keylength of 256
*Jul  9 17:17:54.674: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Jul  9 17:17:54.674: ISAKMP:(0):atts are not acceptable. Next payload is 3

*Jul  9 17:17:54.686: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) AG_NO_STATE (peer x01.y55.z30.w45)

Cesar,

crypto dynamic-map dynmap 10
set transform-set myset
crypto dynamic-map dynmap 15
set transform-set myset
set isakmp-profile L2L

Please note that entry number 15 will never be checked... since everything can land on number 10.

Can you try adding entry number 5 with:

- set isakmp profile

- match address for the L2L tunnel

- set transform-set?

Now I'm not sure it will work but it's a good start.


Using identity address, I'm not sure it won't screw up RA anyway, but it will be one step closer.

Marcin

Hi Marcin,

First, thanks for the answer. Unfortunately, after the changes you suggested I do not see any change, but the good news is that when I remove all the configuration about the profile, the keyring and the crypto 5, and only put the line "crypto isakmp key abc address 0.0.0.0 0.0.0.0 no-xauth", it works. Yesterday it did not work that way; I don't know if all the other config was making some trouble. But the bad thing is that the VPN Clients are still out. Now my question is: is there any way to make both configs work together?

Config in HQ

!

crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key notnow address 187.92.54.114 no-xauth
crypto isakmp key crazyvpn address 0.0.0.0 0.0.0.0 no-xauth
!
crypto isakmp client configuration group VPN-CLIENT
key Avayawork
dns 192.168.210.10 192.168.210.20
pool mypool
acl 110
!
crypto isakmp client configuration group VPNJF
key sunwork
dns 192.168.210.10 192.168.210.20
pool mypool
acl 110
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
set transform-set myset
!
!
!
crypto map mymap client authentication list userauthen
crypto map mymap isakmp authorization list groupauthor
crypto map mymap client configuration address respond
crypto map mymap 5 ipsec-isakmp
set peer 1x7.y2.z4.w14
set transform-set myset
match address 120
crypto map mymap 10 ipsec-isakmp dynamic dynmap

!

INTERNET_TMX#SH CRYpto SESsion
Crypto session current status

Interface: FastEthernet0/0
Session status: UP-ACTIVE    
Peer: 1X7.Y2.Z4.W14 port 500
  IKE SA: local X01.Y16.Z53.W94/500 remote X87.Y2.Z4.W14/500 Active
  IPSEC FLOW: permit ip 192.168.208.0/255.255.240.0 192.168.240.0/255.255.252.0
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 192.168.224.0/255.255.240.0 192.168.240.0/255.255.252.0
        Active SAs: 2, origin: crypto map
  IPSEC FLOW: permit ip 192.168.32.0/255.255.247.0 192.168.240.0/255.255.252.0
        Active SAs: 0, origin: crypto map

Interface: FastEthernet0/0
Session status: UP-ACTIVE <------------------- is this one !   
Peer: X89.Y52.Z8.W31 port 500
  IKE SA: local X01.Y16.Z53.W94/500 remote S89.Y52.Z8.W31/500 Active
  IPSEC FLOW: permit ip 192.168.0.0/255.255.0.0 192.168.225.0/255.255.255.0
        Active SAs: 2, origin: dynamic crypto map
  IPSEC FLOW: permit ip 192.168.0.0/255.255.0.0 192.168.226.0/255.255.255.0
        Active SAs: 2, origin: dynamic crypto map

Any idea???

Cesar

Cesar,

We may need to change identity but it should work (i.e. use identity hostname, for example?)

Can you show me the config you used and which failed?

The above will not work for sure in all three cases.

Config should look like this:

1) static entries in crypto map for all your IPsec peers with static IP addresses containing:

a) set peer

b) match for traffic

c) set for transform-set

2) first dynamic entries should contain (each entry separate, for every dynamic peer)

a) transform set

b) isakmp profile (matching identity, even if it's hostname)

c) match for traffic that is supposed be put into the tunnel.

3) last entry in dynamic crypto map for all vpn peers

a) Only set transform-set

There are of course other ways, since it's routers in question here:

- ezvpn HW client with NEM on remote end + split tunneling.

- initiating aggressive mode instead of main mode

- DMVPN?

I'll review debugs again and edit this post if needed.

post edited.

Cesar, can you also please add no-xauth at the end of the PSK on remote end?
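The layout Marcin describes (static peers first, then one profile-bound dynamic entry per dynamic L2L peer, then a catch-all dynamic entry for VPN clients) and his earlier point that entry 15 is never reached when entry 10 matches everyone can be checked with a small model. The Python below is an added illustration, not IOS code and not part of the thread: it is a simplified model of entry selection in which an entry with only a transform set matches any peer; the `Entry`/`Flow` types, the function names and the peer addresses 198.51.100.x / 203.0.113.9 are constructed for the example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Callable, List, Optional, Tuple

# Simplified model of crypto-map entry selection: static entries by "set peer" first, then
# dynamic entries in sequence order; an entry without "match address" accepts any proxy
# identity and one without a profile accepts any IKE identity. Not IOS's actual matching code.


@dataclass
class Flow:
    local: str    # hub-side network, e.g. "192.168.0.0/16"
    remote: str   # network behind the peer, e.g. "192.168.225.0/24"


@dataclass
class Entry:
    seq: int
    kind: str                                                 # "static" (crypto map) or "dynamic"
    peer: Optional[str] = None                                # "set peer" on a static entry
    acl: List[Tuple[str, str]] = field(default_factory=list)  # "match address" as (local, remote)
    identity_ok: Optional[Callable[[str], bool]] = None       # "set isakmp-profile" identity test

    def permits(self, flow: Flow) -> bool:
        """No 'match address' means any proxy identity is accepted."""
        if not self.acl:
            return True
        return any(ip_network(flow.local).subnet_of(ip_network(l))
                   and ip_network(flow.remote).subnet_of(ip_network(r))
                   for l, r in self.acl)


def is_ip_identity(identity: str) -> bool:
    """Models profile L2L's 'match identity address 0.0.0.0': any IP identity matches."""
    try:
        ip_address(identity)
        return True
    except ValueError:
        return False  # a VPN client presents its group name, not an address


def select(entries: List[Entry], peer_ip: str, identity: str, flow: Flow) -> Optional[Entry]:
    """First static entry whose 'set peer' is the peer, else the first dynamic entry that fits."""
    for e in sorted((e for e in entries if e.kind == "static"), key=lambda e: e.seq):
        if e.peer == peer_ip:
            return e
    for e in sorted((e for e in entries if e.kind == "dynamic"), key=lambda e: e.seq):
        if (e.identity_ok is None or e.identity_ok(identity)) and e.permits(flow):
            return e
    return None


def which(entries: List[Entry], peer_ip: str, identity: str, flow: Flow) -> str:
    e = select(entries, peer_ip, identity, flow)
    return f"{e.kind} {e.seq}" if e else "no entry"


# The thread's networks: HQ 192.168.0.0/16 to the two spoke LANs, plus the fixed-IP peer.
HUB_TO_SPOKE = [("192.168.0.0/16", "192.168.225.0/24"), ("192.168.0.0/16", "192.168.226.0/24")]
STATIC_PEER = Entry(5, "static", peer="18.2.5.14", acl=[("192.168.0.0/16", "192.168.240.0/22")])

# Cesar's first layout: dynamic 10 has only a transform set, so dynamic 15 is never reached.
ORIGINAL = [STATIC_PEER, Entry(10, "dynamic"),
            Entry(15, "dynamic", acl=HUB_TO_SPOKE, identity_ok=is_ip_identity)]

# Marcin's layout: the profile-bound L2L entry first, the catch-all for VPN clients last.
REORDERED = [STATIC_PEER, Entry(5, "dynamic", acl=HUB_TO_SPOKE, identity_ok=is_ip_identity),
             Entry(10, "dynamic")]

SPOKE_FLOW = Flow("192.168.0.0/16", "192.168.225.0/24")   # the spoke's proposal, hub view
CLIENT_FLOW = Flow("192.168.0.0/16", "192.168.250.7/32")  # constructed VPN-client pool address
```

A dynamic peer whose proxy identity is not in the L2L ACL still falls through to the catch-all entry, which is why each dynamic L2L peer needs its own entry.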

Ok, this is the config that is working right now (but the VPN clients don't):

On the other hand, I actually do not have any configuration for the other dynamic peer. Am I missing that? (Sorry, this is the first time I have to configure a site-to-site VPN, a VPN client, and a site-to-site VPN with dynamic IPs alongside each other.)

*********************************HQ************************************

crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key ABC address 18.9.5.4 no-xauth
crypto isakmp key abc address 0.0.0.0 0.0.0.0 no-xauth
!
crypto isakmp client configuration group VPN-CLIENT
key abc
dns 192.168.210.10 192.168.210.20
pool mypool
acl 110
!
crypto isakmp client configuration group VPNJF
key abc
dns 192.168.210.10 192.168.210.20
pool mypool
acl 110
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
set transform-set myset
!
!
!
crypto map mymap client authentication list userauthen
crypto map mymap isakmp authorization list groupauthor
crypto map mymap client configuration address respond
crypto map mymap 5 ipsec-isakmp
set peer 18.2.5.14
set transform-set myset
match address 120
crypto map mymap 10 ipsec-isakmp dynamic dynmap

*For this config I do not put any match address because they are learned from the other side.

----------------------------This does not work--------------------------------

********** HQ *********

crypto keyring spokes
  pre-shared-key address 0.0.0.0 0.0.0.0 key abc
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key ABC address 7.2.4.4 no-xauth
!
crypto isakmp client configuration group VPN-CLIENT
key abc
dns 192.168.210.10 192.168.210.20
pool mypool
acl 110
!
crypto isakmp client configuration group VPNJF
key xyz
dns 192.168.210.10 192.168.210.20
pool mypool
acl 110
crypto isakmp profile L2L
   keyring spokes
   match identity address 0.0.0.0
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 5
set transform-set myset
set isakmp-profile L2L
match address mtmorelos
crypto dynamic-map dynmap 10
set transform-set myset

!

ip access-list extended mtmorelos
permit ip 192.168.0.0 0.0.255.255 192.168.225.0 0.0.0.255
permit ip 192.168.0.0 0.0.255.255 192.168.226.0 0.0.0.255

******************************Remote Side*******************************

*The same config in both cases.

!

crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key Citro2008 address 1.6.3.4 no-xauth
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!        
crypto map lan2lan 1 ipsec-isakmp
description ## Hacia Citro Corp ##
set peer 1.6.3.4
set transform-set ESP-3DES-SHA
match address lan2lan

!

ip access-list extended lan2lan
permit ip 192.168.225.0 0.0.0.255 192.168.0.0 0.0.255.255
permit ip 192.168.226.0 0.0.0.255 192.168.0.0 0.0.255.255

!

Cesar

The message was edited by: Cesar Garza

Cesar,

I did it a few years back. I will probably even have a lab setup somewhere.

In my case I had a mixture of static, dynamic L2L (both routers and PIXes) and vpn client ... and webvpn (this part was easy).

I'll try to dig it up, but  tomorrow. Send the software versions involved.

Marcin

In the remote side: c1861-advipservicesk9-mz.124-22.T4.bin

In the hub side: c2801-advsecurityk9-mz.124-20.T5.bin


I just tried with a DMVPN configuration, but nothing; I just get this:

*********HUB***********

Nothing!

*******SPOKE*******

GW_MONMORELOS#ping 10.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:

*Jul  9 21:54:12.958: ISAKMP:(0): SA request profile is (NULL)
*Jul  9 21:54:12.958: ISAKMP: Created a peer struct for 201.116.153.194, peer port 500
*Jul  9 21:54:12.958: ISAKMP: New peer created peer = 0x8825CA7C peer_handle = 0x800000FB
*Jul  9 21:54:12.958: ISAKMP: Locking peer struct 0x8825CA7C, refcount 1 for isakmp_initiator
*Jul  9 21:54:12.958: ISAKMP: local port 500, remote port 500
*Jul  9 21:54:12.958: ISAKMP: set new node 0 to QM_IDLE     
*Jul  9 21:54:12.958: ISAKMP:(0):insert sa successfully sa = 87B03520
*Jul  9 21:54:12.958: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Jul  9 21:54:12.958: ISAKMP:(0):found peer pre-shared key matching 201.116.153.194
*Jul  9 21:54:12.958: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Jul  9 21:54:12.958: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Jul  9 21:54:12.958: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Jul  9 21:54:12.958: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Jul  9 21:54:12.958: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Jul  9 21:54:12.958: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1

*Jul  9 21:54:12.958: ISAKMP:(0): beginning Main Mode exchange
*Jul  9 21:54:12.958: ISAKMP:(0): sending packet to 201.116.153.194 my_port 500 peer_port 500 (I) MM_NO_STATE
*Jul  9 21:54:12.958: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jul  9 21:54:12.978: ISAKMP (0): received packet from 201.116.153.194 dport 500 sport 500 Global (I) MM_NO_STATE
*Jul  9 21:54:12.978: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jul  9 21:54:12.978: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2

*Jul  9 21:54:12.978: ISAKMP:(0): processing SA payload. message ID = 0
*Jul  9 21:54:12.978: ISAKMP:(0): processing vendor id payload
*Jul  9 21:54:12.978: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Jul  9 21:54:12.978: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Jul  9 21:54:12.978: ISAKMP:(0):found peer pre-shared key matching 201.116.153.194
*Jul  9 21:54:12.978: ISAKMP:(0): local preshared key found
*Jul  9 21:54:12.978: ISAKMP : Scanning profiles for xauth ...
*Jul  9 21:54:12.978: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Jul  9 21:54:12.978: ISAKMP:      encryption 3DES-CBC
*Jul  9 21:54:12.978: ISAKMP:      hash MD5
*Jul  9 21:54:12.978: ISAKMP:      default group 2
*Jul  9 21:54:12.978: ISAKMP:      auth pre-share
*Jul  9 21:54:12.978: ISAKMP:      life type in seconds
*Jul  9 21:54:12.978: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
*Jul  9 21:54:12.982: ISAKMP:(0):atts are acceptable. Next payload is 0
*Jul  9 21:54:12.982: ISAKMP:(0):Acceptable atts:actual life: 0
*Jul  9 21:54:12.982: ISAKMP:(0):Acceptable atts:life: 0
*Jul  9 21:54:12.982: ISAKMP:(0):Fill atts in sa vpi_length:4
*Jul  9 21:54:12.982: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
*Jul  9 21:54:12.982: ISAKMP:(0):Returning Actual lifetime: 86400
*Jul  9 21:54:12.982: ISAKMP:(0)::Started lifetime timer: 86400.

*Jul  9 21:54:12.982: ISAKMP:(0): processing vendor id payload
*Jul  9 21:54:12.982: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Jul  9 21:54:12.982: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Jul  9 21:54:12.982: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jul  9 21:54:12.982: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2

*Jul  9 21:54:12.982: ISAKMP:(0): sending packet to 201.116.153.194 my_port 500 peer_port 500 (I) MM_SA_SETUP
*Jul  9 21:54:12.982: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jul  9 21:54:12.982: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jul  9 21:54:12.982: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3

*Jul  9 21:54:13.074: ISAKMP (0): received packet from 201.116.153.194 dport 500 sport 500 Global (I) MM_SA_SETUP
*Jul  9 21:54:13.074: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jul  9 21:54:13.074: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4

*Jul  9 21:54:13.074: ISAKMP:(0): processing KE payload. message ID = 0
*Jul  9 21:54:13.098: ISAKMP:(0): processing NONCE payload. message ID = 0
*Jul  9 21:54:13.098: ISAKMP:(0):found peer pre-shared key matching 201.116.153.194
*Jul  9 21:54:13.098: ISAKMP:(2239): processing vendor id payload
*Jul  9 21:54:13.098: ISAKMP:(2239): vendor ID is Unity
*Jul  9 21:54:13.098: ISAKMP:(2239): processing vendor id payload
*Jul  9 21:54:13.098: ISAKMP:(2239): vendor ID is DPD
*Jul  9 21:54:13.098: ISAKMP:(2239): processing vendor id payload
*Jul  9 21:54:13.098: ISAKMP:(2239): speaking to another IOS box!
*Jul  9 21:54:13.098: ISAKMP:received payload type 20
*Jul  9 21:54:13.098: ISAKMP (2239): His hash no match - this node outside NAT
*Jul  9 21:54:13.098: ISAKMP:received payload type 20
*Jul  9 21:54:13.098: ISAKMP (2239): No NAT Found for self or peer
*Jul  9 21:54:13.098: ISAKMP:(2239):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jul  9 21:54:13.098: ISAKMP:(2239):Old State = IKE_I_MM4  New State = IKE_I_MM4

*Jul  9 21:54:13.098: ISAKMP:(2239):Send initial contact
*Jul  9 21:54:13.098: ISAKMP:(2239):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Jul  9 21:54:13.098: ISAKMP (2239): ID payload
        next-payload : 8
        type         : 1
        address      : 189.152.38.131
        protocol     : 17
        port         : 500
        length       : 12
*Jul  9 21:54:13.098: ISAKMP:(2239):Total payload length: 12
*Jul  9 21:54:13.098: ISAKMP:(2239): sending packet to 201.116.153.194 my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Jul  9 21:54:13.098: ISAKMP:(2239):Sending an IKE IPv4 Packet.
*Jul  9 21:54:13.102: ISAKMP:(2239):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jul  9 21:54:13.102: ISAKMP:(2239):Old State = IKE_I_MM4  New State = IKE_I_MM5

*Jul  9 21:54:13.118: ISAKMP (2239): received packet from 201.116.153.194 dport 500 sport 500 Global (I) MM_KEY_EXCH
*Jul  9 21:54:13.118: ISAKMP:(2239): processing ID payload. message ID = 0
*Jul  9 21:54:13.118: ISAKMP (2239): ID payload
        next-payload : 8
        type         : 1
        address      : 201.116.153.194
        protocol     : 17
        port         : 500
        length       : 12
*Jul  9 21:54:13.122: ISAKMP:(0):: peer matches *none* of the profiles
*Jul  9 21:54:13.122: ISAKMP:(2239): processing HASH payload. message ID = 0
*Jul  9 21:54:13.122: ISAKMP:(2239):SA authentication status:
        authenticated
*Jul  9 21:54:13.122: ISAKMP:(2239):SA has been authenticated with 201.116.153.194
*Jul  9 21:54:13.122: ISAKMP: Trying to insert a peer 189.152.38.131/201.116.153.194/500/,  and inserted successfully 8825CA7C.
*Jul  9 21:54:13.122: ISAKMP:(2239):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jul  9 21:54:13.122: ISAKMP:(2239):Old State = IKE_I_MM5  New State = IKE_I_MM6

*Jul  9 21:54:13.122: ISAKMP:(2239):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jul  9 21:54:13.122: ISAKMP:(2239):Old State = IKE_I_MM6  New State = IKE_I_MM6

*Jul  9 21:54:13.122: ISAKMP (2239): received packet from 201.116.153.194 dport 500 sport 500 Global (I) MM_KEY_EXCH
*Jul  9 21:54:13.122: ISAKMP: set new node 781795278 to QM_IDLE     
*Jul  9 21:54:13.122: ISAKMP:(2239):processing transaction payload from 201.116.153.194. message ID = 781795278
*Jul  9 21:54:13.122: ISAKMP: Config payload REQUEST
*Jul  9 21:54:13.122: ISAKMP (2239): Unknown Input IKE_MESG_FROM_PEER, IKE_CFG_REQUEST:  state = IKE_I_MM6
*Jul  9 21:54:13.122: ISAKMP:(2239):Input = IKE_MESG_FROM_PEER, IKE_CFG_REQUEST
*Jul  9 21:54:13.122: ISAKMP:(2239):Old State = IKE_I_MM6  New State = IKE_I_MM6

*Jul  9 21:54:13.122: ISAKMP:(2239):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jul  9 21:54:13.122: ISAKMP:(2239):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE

*Jul  9 21:54:13.122: ISAKMP:(2239):beginning Quick Mode exchange, M-ID of -1234842268
*Jul  9 21:54:13.126: ISAKMP:(2239):QM Initiator gets spi
*Jul  9 21:54:13.126: ISAKMP:(2239): sending packet to 201.116.153.194 my_port 500 peer_port 500 (I) QM_IDLE     
*Jul  9 21:54:13.126: ISAKMP:(2239):Sending an IKE IPv4 Packet.
*Jul  9 21:54:13.126: ISAKMP:(2239):Node -1234842268, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Jul  9 21:54:13.126: ISAKMP:(2239):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
*Jul  9 21:54:13.126: ISAKMP:(2239):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Jul  9 21:54:13.126: ISAKMP:(2239):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
.
Success rate is 0 percent (0/5)
GW_MONMORELOS#
*Jul  9 21:54:23.126: ISAKMP:(2239): retransmitting phase 2 QM_IDLE       -1234842268 ...
*Jul  9 21:54:23.126: ISAKMP (2239): incrementing error counter on node, attempt 1 of 5: retransmit phase 2
*Jul  9 21:54:23.126: ISAKMP (2239): incrementing error counter on sa, attempt 1 of 5: retransmit phase 2
*Jul  9 21:54:23.126: ISAKMP:(2239): retransmitting phase 2 -1234842268 QM_IDLE     
*Jul  9 21:54:23.126: ISAKMP:(2239): sending packet to 201.116.153.194 my_port 500 peer_port 500 (I) QM_IDLE     
*Jul  9 21:54:23.126: ISAKMP:(2239):Sending an IKE IPv4 Packet.
GW_MONMORELOS#
GW_MONMORELOS#
GW_MONMORELOS#
GW_MONMORELOS#
*Jul  9 21:54:28.118: ISAKMP (2239): received packet from 201.116.153.194 dport 500 sport 500 Global (I) QM_IDLE     
*Jul  9 21:54:28.118: ISAKMP:(2239):processing transaction payload from 201.116.153.194. message ID = 781795278
*Jul  9 21:54:28.118: ISAKMP: Config payload REQUEST
*Jul  9 21:54:28.118: ISAKMP:(2239): No provision for the request
*Jul  9 21:54:28.118: ISAKMP: Invalid config REQUEST
*Jul  9 21:54:28.118: ISAKMP (2239): FSM action returned error: 2
*Jul  9 21:54:28.118: ISAKMP:(2239):Input = IKE_MESG_FROM_PEER, IKE_CFG_REQUEST
*Jul  9 21:54:28.118: ISAKMP:(2239):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

*Jul  9 21:54:28.118: ISAKMP:(2239):peer does not do paranoid keepalives.

*Jul  9 21:54:28.118: ISAKMP:(2239):deleting SA reason "IKMP_ERR_NO_RETRANS" state (I) QM_IDLE       (peer 201.116.153.194)
*Jul  9 21:54:28.118: ISAKMP: set new node -1734963281 to QM_IDLE     
*Jul  9 21:54:28.118: ISAKMP:(2239): sending packet to 201.116.153.194 my_port 500 peer_port 500 (I) QM_IDLE     
GW_MONMORELOS#
*Jul  9 21:54:28.118: ISAKMP:(2239):Sending an IKE IPv4 Packet.
*Jul  9 21:54:28.118: ISAKMP:(2239):purging node -1734963281
*Jul  9 21:54:28.118: ISAKMP:(2239):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Jul  9 21:54:28.118: ISAKMP:(2239):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA

*Jul  9 21:54:28.122: ISAKMP:(2239):deleting SA reason "IKMP_ERR_NO_RETRANS" state (I) QM_IDLE       (peer 201.116.153.194)
*Jul  9 21:54:28.122: ISAKMP:(0):Can't decrement IKE Call Admission Control stat outgoing_active since it's already 0.
*Jul  9 21:54:28.122: ISAKMP: Unlocking peer struct 0x8825CA7C for isadb_mark_sa_deleted(), count 0
*Jul  9 21:54:28.122: ISAKMP: Deleting peer node by peer_reap for 201.116.153.194: 8825CA7C
*Jul  9 21:54:28.122: ISAKMP:(2239):deleting node -1234842268 error FALSE reason "IKE deleted"
*Jul  9 21:54:28.122: ISAKMP:(2239):deleting node 781795278 error FALSE reason "IKE deleted"
*Jul  9 21:54:28.122: ISAKMP:(2239):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jul  9 21:54:28.122: ISAKMP:(2239):Old State = IKE_DEST_SA  New State = IKE_DEST_SA

I'm lost!

Cesar

Cesar ... it's the same old symptom ;-)

... standby for my lab ... if I can find it I'll post it tomorrow.

It will be done on a MUCH older software though.

Marcin

Attaching working (for me) configuration + debugs.

Both hub and spoke are 12.4(22)T1

Cesar,

Did you have any luck or lack thereof with this setup?

Marcin

Hi Marcin, yes, but there's something strange, because the configs are almost the same. The way I have to force it to work is: I erase all the configuration and re-enter it, and it automatically works. Before I did this I forced the tunnel up and I was working through the VPN, and the VPN client was working too, and the other VPN to Brasil too. But when I tested as if the DSL were down, the trouble comes again, because the VPN seems to ask for XAUTH. I put the XAUTH line in and it works, but the VPN client didn't; I remove the xauth line and the VPN client starts working. I mean the only way the VPN sets up automatically is if I erase all the config and put it in again. But the VPN tunnel is working in the sense that traffic is passing through.

Cesar

Cesar,

Odd indeed. Sounds like a bug even if it's reproducible by changing DSL state.

Marcin
