Isakmp lifetime ???

Hi guys, I am trying to understand how VPN works and I came across this question.
If we select preshared keys for authentication during the isakmp phase 1 and set the lifetime to 24 hours, then what is going to happen after 24 hours and the key lifetime expires? Do we have to manually go to each router and change the keys?

Hi Biruk,
By default the Router is supposed to re-key Phase I every 86400 seconds (24 hours), but this does not mean that the PSK is going to change.
Please check this out:
lifetime (IKE policy)
Usage Guidelines
Use this command to specify how long an IKE SA exists before expiring.
When IKE begins negotiations, the first thing it does is agree upon the security parameters for its own session. The agreed-upon parameters are then referenced by an SA at each peer. The SA is retained by each peer until the SA's lifetime expires. Before an SA expires, it can be reused by subsequent IKE negotiations, which can save time when setting up new IPSec SAs. New IPSec SAs are negotiated before current IPSec SAs expire.
So, to save setup time for IPSec, configure a longer IKE SA lifetime. However, shorter lifetimes limit the exposure to attackers of this SA. The longer an SA is used, the more encrypted traffic can be gathered by an attacker and possibly used in an attack.
Note that when your local peer initiates an IKE negotiation between itself and a remote peer, an IKE policy can be selected only if the lifetime of the remote peer's policy is shorter than or equal to the lifetime of the local peer's policy. Then, if the lifetimes are not equal, the shorter lifetime will be selected. To restate this behavior: If the two peers' policies' lifetimes are not the same, the initiating peer's lifetime must be longer and the responding peer's lifetime must be shorter, and the shorter lifetime will be used.
http://www.cisco.com/en/US/docs/ios-xml/ios/security/d1/sec-cr-k1.html#GUID-DF77C04E-484D-4A53-82EF-7909AED20CDA
Keep me posted.
Portu.
Please rate any post you find useful.
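Added example, not code from the thread or from Cisco: a small model of the phase 1 policy match and lifetime rule quoted in the answer above, plus a phase 1 re-key that shows the PSK is not touched when the SA is rebuilt. The policy values are taken from the ASA 5505 and 881 configurations quoted further down this page (3des, md5, pre-share, group 2, lifetime 86400) and the 3600-second lifetime seen in the DMVPN debug output; the session key derivation is a stand-in (random bytes), not a real DH exchange.

```python
"""Model of IKE phase 1 policy selection (as stated in the quoted Cisco
guidelines) and of a phase 1 re-key. Added example, not Cisco code."""
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple
import secrets


@dataclass(frozen=True)
class IkePolicy:
    priority: int        # lower number is tried first, as on IOS/ASA
    encryption: str
    hash_alg: str
    authentication: str
    group: int
    lifetime: int        # seconds; the IOS/ASA default is 86400 (24 h)

    def suite(self) -> Tuple[str, str, str, int]:
        # Everything that must match exactly; the lifetime is negotiated separately.
        return (self.encryption, self.hash_alg, self.authentication, self.group)


def select_policy(initiator: Iterable[IkePolicy],
                  responder: Iterable[IkePolicy]
                  ) -> Optional[Tuple[IkePolicy, IkePolicy, int]]:
    """Return (initiator_policy, responder_policy, negotiated_lifetime) or None.

    Rule as quoted above: the responder's lifetime must be shorter than or
    equal to the initiator's for the policy to be selected, and the shorter
    of the two is then used for the IKE SA.
    """
    for ip in sorted(initiator, key=lambda p: p.priority):
        for rp in sorted(responder, key=lambda p: p.priority):
            if ip.suite() != rp.suite():
                continue
            if rp.lifetime > ip.lifetime:
                continue      # responder's lifetime is longer: not selectable
            return ip, rp, min(ip.lifetime, rp.lifetime)
    return None


@dataclass(frozen=True)
class Phase1Sa:
    psk: bytes           # static authentication credential, configured by hand
    session_key: bytes   # per-SA keying material (stand-in for DH-derived keys)
    lifetime: int        # seconds until the SA expires and is rebuilt


def establish_phase1(psk: bytes, lifetime: int) -> Phase1Sa:
    """Build a phase 1 SA: fresh keying material per SA (random bytes here,
    a DH exchange on a real router); the PSK only authenticates the peers."""
    return Phase1Sa(psk=psk, session_key=secrets.token_bytes(32), lifetime=lifetime)


def rekey_phase1(old: Phase1Sa) -> Phase1Sa:
    """What happens when the lifetime expires: a new SA with new session keys,
    the same configured PSK and the same configured lifetime. Nobody has to
    log in to the routers and change keys."""
    return establish_phase1(old.psk, old.lifetime)


# Sample policies, constructed from the configurations quoted on this page.
ASA_POLICY_888 = IkePolicy(888, "3des", "md5", "pre-share", 2, 86400)
ROUTER_POLICY_888 = IkePolicy(888, "3des", "md5", "pre-share", 2, 86400)
ROUTER_POLICY_SHORT = IkePolicy(888, "3des", "md5", "pre-share", 2, 3600)

if __name__ == "__main__":
    print(select_policy([ASA_POLICY_888], [ROUTER_POLICY_888]))   # 86400 s
    print(select_policy([ASA_POLICY_888], [ROUTER_POLICY_SHORT])) # 3600 s
    print(select_policy([ROUTER_POLICY_SHORT], [ASA_POLICY_888])) # None
    sa = establish_phase1(b"test", 86400)
    renewed = rekey_phase1(sa)
    print("PSK unchanged:", renewed.psk == sa.psk,
          "session key changed:", renewed.session_key != sa.session_key)
```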

Similar Messages

  • IPSec VPN Resets before Isakmp Lifetime Expires

    Hi,
    I have an IPSec tunnel between an ASA5520 and an 1841. The ISAKMP lifetime is set to the default 24 hours on both ends. No volume limit is configured. But the tunnel resets itself 1.5 hours ahead every day. I need to keep the resetting at night so that my special application won't be broken during work hours.
    I thought the premature resetting was due to the IOS version on the router. I upgraded to a new version but it did not fix the problem.
    Besides the resetting, everything else is working fine.
    Any ideas are appreciated.

    Hi,
    One of my logs on the ASA is as follows. (IP address is modified.)
    Apr 16 2009 00:52:16: %ASA-4-113019: Group = ABC.ABC.177.202, Username = ABC.ABC.177.202, IP = NZ_Router, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 22h:48m:33s, Bytes xmt: 983291523, Bytes rcv: 982279579, Reason: Idle Timeout
    Apr 16 2009 23:40:50: %ASA-3-713902: Group = ABC.ABC.177.202, IP = ABC.ABC.177.202, Removing peer from peer table failed, no match!
    Apr 16 2009 23:40:50: %ASA-3-713902: Group = ABC.ABC.177.202, IP = ABC.ABC.177.202, Removing peer from peer table failed, no match!
    Apr 16 2009 23:40:50: %ASA-4-713903: Group = ABC.ABC.177.202, IP = ABC.ABC.177.202, Error: Unable to remove PeerTblEntry
    Apr 16 2009 23:40:50: %ASA-4-113019: Group = ABC.ABC.177.202, Username = ABC.ABC.177.202, IP = NZ_Router, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 22h:48m:32s, Bytes xmt: 751281811, Bytes rcv: 1447481492, Reason: User Requested
    The disconnection reason can be either 'User Requested' or 'Idle Timeout'. When 'Idle Timeout', the application won't get dropped; when 'User Requested', the application gets dropped.
    Thanks.
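Added example, not from the thread: a parser for the %ASA-4-113019 teardown lines quoted above that converts the Duration field to seconds and flags LAN-to-LAN sessions torn down well before the configured ISAKMP lifetime, together with the reason the ASA gave. The sample log is constructed from the two lines in the post (IPs already masked there); the 300-second slack value is an assumption.

```python
"""Flag IPSec L2L sessions that the ASA tore down before the ISAKMP lifetime.
Added example; the log lines are constructed from the post above."""
import re
from dataclasses import dataclass
from typing import List, Optional

ISAKMP_LIFETIME = 86400  # seconds; the default 24 h both peers are set to

# Constructed sample: the 113019 lines from the post, plus one unrelated line.
SAMPLE_LOG = """\
Apr 16 2009 00:52:16: %ASA-4-113019: Group = ABC.ABC.177.202, Username = ABC.ABC.177.202, IP = NZ_Router, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 22h:48m:33s, Bytes xmt: 983291523, Bytes rcv: 982279579, Reason: Idle Timeout
Apr 16 2009 23:40:50: %ASA-3-713902: Group = ABC.ABC.177.202, IP = ABC.ABC.177.202, Removing peer from peer table failed, no match!
Apr 16 2009 23:40:50: %ASA-4-113019: Group = ABC.ABC.177.202, Username = ABC.ABC.177.202, IP = NZ_Router, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 22h:48m:32s, Bytes xmt: 751281811, Bytes rcv: 1447481492, Reason: User Requested
"""

_RE_113019 = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): %ASA-4-113019: "
    r"Group = (?P<group>\S+), Username = (?P<user>\S+), IP = (?P<ip>\S+), "
    r"Session disconnected\. Session Type: (?P<stype>\S+), "
    r"Duration: (?P<h>\d+)h:(?P<m>\d+)m:(?P<s>\d+)s, "
    r"Bytes xmt: (?P<xmt>\d+), Bytes rcv: (?P<rcv>\d+), Reason: (?P<reason>.+)$"
)


@dataclass
class Teardown:
    timestamp: str
    group: str
    session_type: str
    duration_s: int
    bytes_xmt: int
    bytes_rcv: int
    reason: str

    def early_by(self, lifetime: int = ISAKMP_LIFETIME) -> int:
        """Seconds the session fell short of a full lifetime (0 if it ran out)."""
        return max(0, lifetime - self.duration_s)


def parse_113019(line: str) -> Optional[Teardown]:
    """Parse one 113019 line; other message IDs return None."""
    m = _RE_113019.match(line.strip())
    if not m:
        return None
    duration = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
    return Teardown(m["ts"], m["group"], m["stype"], duration,
                    int(m["xmt"]), int(m["rcv"]), m["reason"].strip())


def premature_teardowns(log: str, lifetime: int = ISAKMP_LIFETIME,
                        slack: int = 300) -> List[Teardown]:
    """Return teardowns that ended more than `slack` seconds before the
    lifetime. A few seconds of drift is normal; `slack` keeps ordinary
    expiries out of the report."""
    found = []
    for line in log.splitlines():
        t = parse_113019(line)
        if t and t.early_by(lifetime) > slack:
            found.append(t)
    return found


if __name__ == "__main__":
    for t in premature_teardowns(SAMPLE_LOG):
        print(f"{t.timestamp}: {t.group} {t.session_type} lasted {t.duration_s}s, "
              f"{t.early_by()}s short of the {ISAKMP_LIFETIME}s lifetime, "
              f"reason: {t.reason}")
```

Both sample sessions come out roughly 4300 seconds (about 1.2 hours) short of the 86400-second lifetime, which is the pattern the poster describes; the Reason field separates the two cases the poster distinguishes (Idle Timeout versus User Requested).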

  • DMVPN isakmp lifetime

    Hi,
    I have a question. I have DMVPN configured in our network. Normally every 24 hours the isakmp SA would expire and re-build automatically. Then we have a few seconds of downtime in our network.
    Does anyone know how to avoid this? TIA.
    Ed

  • The peer die after lifetime is over.

    Hi, sorry for my poor English.
    I have a problem with VPN on Cisco IOS Software, 1841 Software (C1841-ADVIPSERVICESK9-M), Version 12.4(3f), RELEASE SOFTWARE (fc3).
    VPN is working properly, but at some point the http service from the peer network "dies".
    I see that
    1) The ping of web server is OK.
    2) I don't think it is a DF-bit problem because:
    a) ping -n -s 1490 192.168.202.29
    PING 192.168.202.29 (192.168.202.29) 1490(1518) bytes of data.
    1498 bytes from 192.168.202.29: icmp_seq=1 ttl=62 time=30.5 ms
    1498 bytes from 192.168.202.29: icmp_seq=2 ttl=62 time=31.2 ms
    1498 bytes from 192.168.202.29: icmp_seq=3 ttl=62 time=31.7 ms
    tcpdump -n host 192.168.202.29
    tcpdump: listening on eth0
    09:59:53.966392 192.168.0.99 > 192.168.202.29: icmp: echo request (frag 30507:14 80@0+)
    09:59:53.966406 192.168.0.99 > 192.168.202.29: icmp (frag 30507:18@1480)
    09:59:53.995124 192.168.202.29 > 192.168.0.99: icmp: echo reply (frag 37884:744@ 0+)
    b) telnet 192.168.202.29 80 can't connect:
    see SYN packets, but no SYN ACK
    3) show crypto ipsec sa details -
    many #pkts no sa (send) errors on the peer
    and shows there is no active SA:
    local ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/6/0)
    remote ident (addr/mask/prot/port): (192.168.202.29/255.255.255.255/6/80)
    current_peer 222.111.111.111 port 500
    PERMIT, flags={}
    #pkts encaps: 63507, #pkts encrypt: 63507, #pkts digest: 63507
    #pkts decaps: 76488, #pkts decrypt: 76488, #pkts verify: 76488
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #pkts no sa (send) 75, #pkts invalid sa (rcv) 0
    #pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
    #pkts invalid prot (recv) 0, #pkts verify failed: 0
    #pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
    #pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
    ##pkts replay failed (rcv): 0
    #pkts internal err (send): 0, #pkts internal err (recv) 0
    local crypto endpt.: 111.111.111.111, remote crypto endpt.: 222.222.222.222
    path mtu 1500, ip mtu 1500
    current outbound spi: 0x0(0)
    inbound esp sas:
    inbound ah sas:
    inbound pcp sas:
    outbound esp sas:
    outbound ah sas:
    outbound pcp sas:
    4) clear crypto sa (or reload) resolves the problem.
    5) if there is any traffic during the isakmp lifetime (a bash telnet 192.168.202.29 90 in crontab every 15 min at night), there is no problem with the peer.

    Sundar, thank you for your answer.
    >> had indicated you can ping but http doesn't work
    Just look at part of the crypto-map access list:
    permit icmp 192.168.0.0 0.0.0.255 host 192.168.202.29 log
    permit tcp 192.168.0.0 0.0.0.255 host 192.168.202.29 eq www 443 log
    and see that I have 2 peers: 1 for ICMP packets and 1 for HTTP/HTTPS packets. So, when the "icmp peer" is working, the "http peer" is not.
    show crypto ipsec sa details says
    "no outbound esp sa" for the http peer.
    >>If that doesn't help you may have to run crypto debug(s) to troubleshoot the problem.
    Yes, I did it in my previous post:
    debug crypto isakmp
    debug crypto ipsec
    term mon
    and see many messages:
    "IPSEC(crypto_map_check_encrypt_core): mtree says we have SA but couldn't find current outbound SA. dropping pak. "pak->cryptoflags=0x820
    I think that is some kind of IOS bug: "we have SA but couldn't find current outbound SA. dropping pak." So, the packets are being dropped (SYN packets are not sent, no HTTP connection).
    PS
    I can't find this "we have SA but couldn't find current" on cisco.com

  • VPN Between Cisco ASA 5505 and Cisco Router 881

    Hi All,
    I want to interconnect two offices but I am having trouble. Please see my configuration below. What is missing to finalize the configuration properly?
    Cisco ASA 5505.
    Version 8.4(3)
    HQ-ASA5505(config)# crypto ikev1 policy 888
    HQ-ASA5505(config-ikev1-policy)# authentication pre-share
    HQ-ASA5505(config-ikev1-policy)# encryption 3des
    HQ-ASA5505(config-ikev1-policy)# hash md5
    HQ-ASA5505(config-ikev1-policy)# lifetime 86400
    HQ-ASA5505(config-ikev1-policy)# group 2
    HQ-ASA5505(config)# tunnel-group 1.1.1.1 type ipsec-l2l
    HQ-ASA5505(config)# tunnel-group 1.1.1.1 ipsec-attributes
    HQ-ASA5505(config-tunnel-ipsec)# ikev1 pre-shared-key test
    HQ-ASA5505(config)#object network HQ-Users
    HQ-ASA5505(config-network-object)#subnet 10.48.0.0 255.255.255.0
    HQ-ASA5505(config)# object-group network HQ.grp
    HQ-ASA5505(config-network-object-group)# network-object object HQ-Users
    HQ-ASA5505(config)#object network FSP_DATA
    HQ-ASA5505(config-network-object)#subnet 10.48.12.0 255.255.255.0
    HQ-ASA5505(config)#object-group network FSP.grp
    HQ-ASA5505(config-network-object-group)#network-object object FSP_DATA
    HQ-ASA5505(config)#access-list VPN_to_FSP extended permit ip object-group HQ.grp object-group FSP.grp
    HQ-ASA5505(config)# crypto ipsec ikev1 transform-set TS esp-3des esp-md5-hmac
    HQ-ASA5505(config)# crypto map ouside_map 888 set ikev1 transform-set TS
    HQ-ASA5505(config)# crypto map ouside_map 888 match address VPN_to_FSP
    HQ-ASA5505(config)# crypto map ouside_map 888 set peer 1.1.1.1
    HQ-ASA5505(config)# crypto map ouside_map 888 set pfs group2
    HQ-ASA5505(config)# crypto ikev1 enable outside
    HQ-ASA5505(config)# crypto map ouside_map interface outside
    Router 881
    Version 12.4
    License Information for 'c880-data'
        License Level: advipservices   Type: Permanent
        Next reboot license Level: advipservices
    LAB_ROuter(config)#object-group network HQ
    LAB_ROuter(config-network-group)#10.48.0.0 255.255.255.0
    LAB_ROuter(config)#object-group network FSP
    LAB_ROuter(config-network-group)#10.48.12.0 255.255.255.0
    ip access-list extended FSP_VPN
     permit ip object-group FSP object-group HQ
    LAB_ROuter(config)#crypto isakmp policy 888
    LAB_ROuter(config-isakmp)#encryption 3des
    LAB_ROuter(config-isakmp)#authentication pre-share
    LAB_ROuter(config-isakmp)#hash md5
    LAB_ROuter(config-isakmp)#group 2
    LAB_ROuter(config-isakmp)#lifetime 86400
    LAB_ROuter(config)#crypto isakmp key test address 2.2.2.2
    LAB_ROuter(config)#crypto ipsec transform-set TS esp-3des esp-md5-hmac
    crypto map outside_map 888 ipsec-isakmp
     set peer 2.2.2.2
     set transform-set TS
     match address FSP_VPN
    interface fast4 --> Outside Interface (where public IP address is assigned) 
    crypto map outside_map
    Thank you in advance for your prompt advice!

    If you do a show crypto map in the router you will see the VPN traffic to be "any to any".
    This is due to a known bug on Cisco routers. The router does not support network object-groups for the VPN traffic. Use a regular ACL instead.

  • Troubleshooting VPN drops between 871 client and 2811

    My small company uses a 2811 ISR for VPN services (among other tasks such as internet access, p2p circuits to a second site, etc). I have a couple of remote users that have 871 routers that have occasional problems with their routers dropping their VPN tunnels to the 2811. I'm not really sure where to start with the troubleshooting. There are other clients (such as my own 871W) that seem to maintain a connection for weeks. These remote routers that do drop the connection usually reconnect at their next scheduled attempt (180 seconds or so).
    Most of the previous questions I've seen similar to this involve software clients but these are hardware routers as the clients and as such I'm not sure how to enable or retrieve logs for the VPN sessions.

    As expected, the isakmp lifetime is 86400, but for ipsec it merely reports how much time is left in the current sa.
    For example:
    router#show crypto isakmp policy
    Global IKE policy
    Protection suite of priority 3
    encryption algorithm: Three key triple DES
    hash algorithm: Secure Hash Standard
    authentication method: Pre-Shared Key
    Diffie-Hellman group: #2 (1024 bit)
    lifetime: 86400 seconds, no volume limit
    Default protection suite
    encryption algorithm: DES - Data Encryption Standard (56 bit keys).
    hash algorithm: Secure Hash Standard
    authentication method: Rivest-Shamir-Adleman Signature
    Diffie-Hellman group: #1 (768 bit)
    lifetime: 86400 seconds, no volume limit
    router#show crypto ipsec sa
    interface: Virtual-Access4
    Crypto map tag: Virtual-Access4-head-0, local addr 209.XXX.XXX.82
    protected vrf: (none)
    local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
    remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
    current_peer 75.XXX.XXX.179 port 4500
    PERMIT, flags={origin_is_acl,}
    #pkts encaps: 681527, #pkts encrypt: 681527, #pkts digest: 681527
    #pkts decaps: 670316, #pkts decrypt: 670316, #pkts verify: 670316
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0
    local crypto endpt.: 209.XXX.XXX.82, remote crypto endpt.: 75.XXX.XXX.179
    path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1
    current outbound spi: 0xF0C2D65C(4039300700)
    inbound esp sas:
    spi: 0x2A7171E4(712077796)
    transform: esp-3des esp-sha-hmac ,
    in use settings ={Tunnel UDP-Encaps, }
    conn id: 4093, flow_id: NETGX:2093, crypto map: Virtual-Access4-head-0
    sa timing: remaining key lifetime (k/sec): (4577435/1047)
    IV size: 8 bytes
    replay detection support: Y
    Status: ACTIVE
    inbound ah sas:
    inbound pcp sas:
    outbound esp sas:
    spi: 0xF0C2D65C(4039300700)
    transform: esp-3des esp-sha-hmac ,
    in use settings ={Tunnel UDP-Encaps, }
    conn id: 4094, flow_id: NETGX:2094, crypto map: Virtual-Access4-head-0
    sa timing: remaining key lifetime (k/sec): (4572865/1027)
    IV size: 8 bytes
    replay detection support: Y
    Status: ACTIVE
    outbound ah sas:
    outbound pcp sas:

  • Isakmp error major 69,245,157,123 mismatch

    Hello,
    I am doing a test lab for DMVPN and I couldn't find the cause of the isakmp error on one of the spokes. The interesting part is that I have done the same for another spoke, which has successfully created a VPN with the hub. There is no firewall between these two routers or any ACL. I would appreciate any assistance. I have uploaded the hub and spoke configurations, and the error messages at the hub and spoke are given below:
    Debug isakmp error at Hub Side:
    *Jan 27 15:13:00.523: ISAKMP (0): received packet from 80.x.x.x dport 500 sport 500 Global (N) NEW SA
    *Jan 27 15:13:00.523: ISAKMP: Created a peer struct for 80.x.x.x, peer port 500
    *Jan 27 15:13:00.523: ISAKMP: New peer created peer = 0x2B96890 peer_handle = 0x80002A44
    *Jan 27 15:13:00.523: ISAKMP: Locking peer struct 0x2B96890, refcount 1 for crypto_isakmp_process_block
    *Jan 27 15:13:00.523: ISAKMP: local port 500, remote port 500
    *Jan 27 15:13:00.523: ISAKMP:(0):insert sa successfully sa = 10BB3F84
    *Jan 27 15:13:00.523: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    *Jan 27 15:13:00.523: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_MM1
    *Jan 27 15:13:00.523: ISAKMP:(0): processing SA payload. message ID = 0
    *Jan 27 15:13:00.523: ISAKMP:(0): processing vendor id payload
    *Jan 27 15:13:00.523: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
    *Jan 27 15:13:00.523: ISAKMP (0): vendor ID is NAT-T RFC 3947
    *Jan 27 15:13:00.523: ISAKMP:(0): pro
    xnw0252#cessing vendor id payload
    *Jan 27 15:13:00.523: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
    *Jan 27 15:13:00.523: ISAKMP (0): vendor ID is NAT-T v7
    *Jan 27 15:13:00.523: ISAKMP:(0): processing vendor id payload
    *Jan 27 15:13:00.523: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
    *Jan 27 15:13:00.523: ISAKMP:(0): vendor ID is NAT-T v3
    *Jan 27 15:13:00.523: ISAKMP:(0): processing vendor id payload
    *Jan 27 15:13:00.523: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
    *Jan 27 15:13:00.523: ISAKMP:(0): vendor ID is NAT-T v2
    *Jan 27 15:13:00.523: ISAKMP:(0):found peer pre-shared key matching 80.x.x.x
    *Jan 27 15:13:00.523: ISAKMP:(0): local preshared key found
    *Jan 27 15:13:00.523: ISAKMP : Scanning profiles for xauth ...
    *Jan 27 15:13:00.523: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
    *Jan 27 15:13:00.523: ISAKMP:      encryption AES-CBC
    *Jan 27 15:13:00.523: ISAKMP:      keylength of 256
    *Jan 27 15:13:00.523: ISAKMP:      hash SHA
    *Jan 27 15:13:00.523: ISAKMP:      default group 5
    *Jan 27 15:13:00.523: ISAKMP:      auth pre-share
    *Jan 27 15:13:00.523: ISAKMP:      life type in seconds
    *Jan 27 15:13:00.523: ISAKMP:      life duration (basic) of 3600
    *Jan 27 15:13:00.523: ISAKMP:(0):atts are acceptable. Next payload is 0
    *Jan 27 15:13:00.523: ISAKMP:(0):Acceptable atts:actual life: 0
    *Jan 27 15:13:00.523: ISAKMP:(0):Acceptable atts:life: 0
    *Jan 27 15:13:00.523: ISAKMP:(0):Basic life_in_seconds:3600
    *Jan 27 15:13:00.523: ISAKMP:(0):Returning Actual lifetime: 3600
    *Jan 27 15:13:00.523: ISAKMP:(0)::Started lifetime timer: 3600.
    *Jan 27 15:13:00.523: ISAKMP:(0): processing vendor id payload
    *Jan 27 15:13:00.523: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
    *Jan 27 15:13:00.523: ISAKMP (0): vendor ID is NAT-T RFC 3947
    *Jan 27 15:13:00.523: ISAKMP:(0): processing vendor id payload
    *Jan 27 15:13:00.527: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
    *Jan 27 15:13:00.527: ISAKMP (0): vendor ID is NAT-T v7
    *Jan 27 15:13:00.527: ISAKMP:(0): processing vendor id payload
    *Jan 27 15:13:00.527: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
    *Jan 27 15:13:00.527: ISAKMP:(0): vendor ID is NAT-T v3
    *Jan 27 15:13:00.527: ISAKMP:(0): processing vendor id payload
    *Jan 27 15:13:00.527: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
    *Jan 27 15:13:00.527: ISAKMP:(0): vendor ID is NAT-T v2
    *Jan 27 15:13:00.527: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    *Jan 27 15:13:00.527: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM1
    *Jan 27 15:13:00.527: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
    *Jan 27 15:13:00.527: ISAKMP:(0): sending packet to 80.x.x.x my_port 500 peer_port 500 (R) MM_SA_SETUP
    *Jan 27 15:13:00.527: ISAKMP:(0):Sending an IKE IPv4 Packet.
    *Jan 27 15:13:00.527: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    *Jan 27 15:13:00.527: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM2
    *Jan 27 15:13:00.527: ISAKMP (0): received packet from 80.x.x.x dport 500 sport 500 Global (R) MM_SA_SETUP
    *Jan 27 15:13:00.527: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    *Jan 27 15:13:00.527: ISAKMP:(0):Old State = IKE_R_MM2  New State = IKE_R_MM3
    *Jan 27 15:13:00.527: ISAKMP:(0): processing KE payload. message ID = 0
    *Jan 27 15:13:00.531: ISAKMP:(0): processing NONCE payload. message ID = 0
    *Jan 27 15:13:00.531: ISAKMP:(0):found peer pre-shared key matching 80.x.x.x
    *Jan 27 15:13:00.531: ISAKMP:(14514): processing vendor id payload
    *Jan 27 15:13:00.531: ISAKMP:(14514): vendor ID is DPD
    *Jan 27 15:13:00.531: ISAKMP:(14514): processing vendor id payload
    *Jan 27 15:13:00.531: ISAKMP:(14514): speaking to another IOS box!
    *Jan 27 15:13:00.531: ISAKMP:(14514): processing vendor id payload
    *Jan 27 15:13:00.531: ISAKMP:(14514): vendor ID seems Unity/DPD but major 196 mismatch
    *Jan 27 15:13:00.531: ISAKMP:(14514): vendor ID is XAUTH
    *Jan 27 15:13:00.531: ISAKMP:received payload type 20
    *Jan 27 15:13:00.531: ISAKMP (14514): His hash no match - this node outside NAT
    *Jan 27 15:13:00.531: ISAKMP:received payload type 20
    *Jan 27 15:13:00.531: ISAKMP (14514): No NAT Found for self or peer
    *Jan 27 15:13:00.531: ISAKMP:(14514):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    *Jan 27 15:13:00.531: ISAKMP:(14514):Old State = IKE_R_MM3  New State = IKE_R_MM3
    *Jan 27 15:13:00.531: ISAKMP:(14514): sending packet to 80.x.x.x my_port 500 peer_port 500 (R) MM_KEY_EXCH
    *Jan 27 15:13:00.531: ISAKMP:(14514):Sending an IKE IPv4 Packet.
    *Jan 27 15:13:00.531: ISAKMP:(14514):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    *Jan 27 15:13:00.531: ISAKMP:(14514):Old State = IKE_R_MM3  New State = IKE_R_MM4
    *Jan 27 15:13:00.607: ISAKMP (14514): received packet from 80.x.x.x dport 500 sport 500 Global (R) MM_KEY_EXCH
    *Jan 27 15:13:00.607: ISAKMP: reserved not zero on ID payload!
    *Jan 27 15:13:00.607: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 80.x.x.x failed its sanity check or is malformed
    *Jan 27 15:13:00.607: ISAKMP (14514): incrementing error counter on sa, attempt 1 of 5: reset_retransmission
    *Jan 27 15:13:01.607: ISAKMP:(14514): retransmitting phase 1 MM_KEY_EXCH...
    *Jan 27 15:13:01.607: ISAKMP (14514): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
    *Jan 27 15:13:01.607: ISAKMP:(14514): retransmitting phase 1 MM_KEY_EXCH
    *Jan 27 15:13:01.607: ISAKMP:(14514): sending packet to 80.x.x.x my_port 500 peer_port 500 (R) MM_KEY_EXCH
    *Jan 27 15:13:01.607: ISAKMP:(14514):Sending an IKE IPv4 Packet.
    xnw0252#
    xnw0252#
    *Jan 27 15:13:10.607: ISAKMP (14514): received packet from 80.x.x.x dport 500 sport 500 Global (R) MM_KEY_EXCH
    *Jan 27 15:13:10.607: ISAKMP:(14514): phase 1 packet is a duplicate of a previous packet.
    *Jan 27 15:13:10.607: ISAKMP:(14514): retransmitting due to retransmit phase 1
    *Jan 27 15:13:11.107: ISAKMP:(14514): retransmitting phase 1 MM_KEY_EXCH...
    *Jan 27 15:13:11.107: ISAKMP (14514): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
    *Jan 27 15:13:11.107: ISAKMP:(14514): retransmitting phase 1 MM_KEY_EXCH
    *Jan 27 15:13:11.107: ISAKMP:(14514): sending packet to 80.x.x.x my_port 500 peer_port 500 (R) MM_KEY_EXCH
    xnw0252#
    *Jan 27 15:13:11.107: ISAKMP:(14514):Sending an IKE IPv4 Packet.
    xnw0252#
    *Jan 27 15:13:20.607: ISAKMP (14514): received packet from 80.x.x.x dport 500 sport 500 Global (R) MM_KEY_EXCH
    *Jan 27 15:13:20.607: ISAKMP:(14514): phase 1 packet is a duplicate of a previous packet.
    *Jan 27 15:13:20.607: ISAKMP:(14514): retransmitting due to retransmit phase 1
    *Jan 27 15:13:21.107: ISAKMP:(14514): retransmitting phase 1 MM_KEY_EXCH...
    *Jan 27 15:13:21.107: ISAKMP (14514): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
    *Jan 27 15:13:21.107: ISAKMP:(14514): retransmitting phase 1 MM_KEY_EXCH
    *Jan 27 15:13:21.107: ISAKMP:(14514): sending packet to 80.x.x.x my_port 500 peer_port 500 (R) MM_KEY_EXCH
    xnw0252#
    *Jan 27 15:13:21.107: ISAKMP:(14514):Sending an IKE IPv4 Packet.
    xnw0252#
    *Jan 27 15:13:30.607: ISAKMP (14514): received packet from 80.x.x.x dport 500 sport 500 Global (R) MM_KEY_EXCH
    *Jan 27 15:13:30.607: ISAKMP:(14514): phase 1 packet is a duplicate of a previous packet.
    *Jan 27 15:13:30.607: ISAKMP:(14514): retransmitting due to retransmit phase 1
    *Jan 27 15:13:31.107: ISAKMP:(14514): retransmitting phase 1 MM_KEY_EXCH...
    *Jan 27 15:13:31.107: ISAKMP (14514): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
    *Jan 27 15:13:31.107: ISAKMP:(14514): retransmitting phase 1 MM_KEY_EXCH
    *Jan 27 15:13:31.107: ISAKMP:(14514): sending packet to 80.x.x.x my_port 500 peer_port 500 (R) MM_KEY_EXCH
    xnw0252#
    *Jan 27 15:13:31.107: ISAKMP:(14514):Sending an IKE IPv4 Packet.
    xnw0252#
    *Jan 27 15:13:40.607: ISAKMP (14514): received packet from 80.x.x.x dport 500 sport 500 Global (R) MM_KEY_EXCH
    *Jan 27 15:13:40.607: ISAKMP:(14514): phase 1 packet is a duplicate of a previous packet.
    *Jan 27 15:13:40.607: ISAKMP:(14514): retransmitting due to retransmit phase 1
    *Jan 27 15:13:41.107: ISAKMP:(14514): retransmitting phase 1 MM_KEY_EXCH...
    *Jan 27 15:13:41.107: ISAKMP:(14514):peer does not do paranoid keepalives.
    *Jan 27 15:13:41.107: ISAKMP:(14514):deleting SA reason "Death by retransmission P1" state (R) MM_KEY_EXCH (peer 80.x.x.x)
    xnw0252#
    *Jan 27 15:13:41.107: ISAKMP:(14514):deleting SA reason "Death by retransmission P1" state (R) MM_KEY_EXCH (peer 80.x.x.x)
    *Jan 27 15:13:41.107: ISAKMP: Unlocking peer struct 0x2B96890 for isadb_mark_sa_deleted(), count 0
    *Jan 27 15:13:41.107: ISAKMP: Deleting peer node by peer_reap for 80.x.x.x: 2B96890
    *Jan 27 15:13:41.107: ISAKMP:(14514):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
    *Jan 27 15:13:41.107: ISAKMP:(14514):Old State = IKE_R_MM4  New State = IKE_DEST_SA
    xnw0252#
    *Jan 27 15:13:50.607: ISAKMP (14514): received packet from 80.x.x.x dport 500 sport 500 Global (R) MM_NO_STATE
    xnw0252#
    *Jan 27 15:14:01.439: ISAKMP (0): received packet from 80.x.x.x dport 500 sport 500 Global (N) NEW SA
    *Jan 27 15:14:01.439: ISAKMP: Created a peer struct for 80.x.x.x, peer port 500
    *Jan 27 15:14:01.439: ISAKMP: New peer created peer = 0x14BDDFFC peer_handle = 0x80002A46
    *Jan 27 15:14:01.439: ISAKMP: Locking peer struct 0x14BDDFFC, refcount 1 for crypto_isakmp_process_block
    *Jan 27 15:14:01.439: ISAKMP: local port 500, remote port 500
    *Jan 27 15:14:01.439: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 2B94390
    *Jan 27 15:14:01.439: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    *Jan 27 15:14:01.439: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_MM1
    *Jan 27 15:14:01.439: ISAKMP:(0): processing SA payload. message ID = 0
    *Jan 27 15:14:01.439: ISAKMP:(0): processing vendor id payload
    *Jan 27 15:14:01.439: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
    *Jan 27 15:14:01.439: ISAKMP (0): vendor ID is NAT-T RFC 3947
    *Jan
    xnw0252# 27 15:14:01.439: ISAKMP:(0): processing vendor id payload
    *Jan 27 15:14:01.439: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
    *Jan 27 15:14:01.439: ISAKMP (0): vendor ID is NAT-T v7
    *Jan 27 15:14:01.439: ISAKMP:(0): processing vendor id payload
    *Jan 27 15:14:01.439: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
    *Jan 27 15:14:01.439: ISAKMP:(0): vendor ID is NAT-T v3
    *Jan 27 15:14:01.439: ISAKMP:(0): processing vendor id payload
    *Jan 27 15:14:01.439: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
    *Jan 27 15:14:01.439: ISAKMP:(0): vendor ID is NAT-T v2
    *Jan 27 15:14:01.439: ISAKMP:(0):found peer pre-shared key matching 80.x.x.x
    *Jan 27 15:14:01.439: ISAKMP:(0): local preshared key found
    *Jan 27 15:14:01.439: ISAKMP : Scanning profiles for xauth ...
    *Jan 27 15:14:01.439: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
    *Jan 27 15:14:01.439: ISAKMP:      encryption AES-CBC
    *Jan 27 15:14:01.439: ISAKMP:      keylength of 256
    *Jan 27 15:14:01.439: ISAKMP:      hash SHA
    *Jan 27 15:14:01.439: ISAKMP:      default group 5
    *Jan 27 15:14:01.439: ISAKMP:      auth pre-share
    *Jan 27 15:14:01.439: ISAKMP:      life type in seconds
    *Jan 27 15:14:01.439: ISAKMP:      life duration (basic) of 3600
    *Jan 27 15:14:01.439: ISAKMP:(0):atts are acceptable. Next payload is 0
    *Jan 27 15:14:01.439: ISAKMP:(0):Acceptable atts:actual life: 0
    *Jan 27 15:14:01.439: ISAKMP:(0):Acceptable atts:life: 0
    *Jan 27 15:14:01.439: ISAKMP:(0):Basic life_in_seconds:3600
    *Jan 27 15:14:01.439: ISAKMP:(0):Returning Actual lifetime: 3600
    *Jan 27 15:14:01.439: ISAKMP:(0)::Started lifetime timer: 3600.
    # sh crypto isakmp sa (at Hub)
    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id status
    83.X.X.X   62.Y.Y.Y   QM_IDLE          14577 ACTIVE
    62.Y.Y.Y   80.X.X.X   MM_KEY_EXCH      14589 ACTIVE
    62.Y.Y.Y   80.X.X.X    MM_NO_STATE      14588 ACTIVE (deleted)
    Debug isakmp error at Spoke side:
    *Jan 27 14:43:50.595: ISAKMP: set new node 0 to QM_IDLE
    *Jan 27 14:43:50.595: ISAKMP:(4178):SA is still budding. Attached new ipsec request to it. (local 80.X.X.X, remote 62.Y.Y.Y)
    *Jan 27 14:43:50.595: ISAKMP: Error while processing SA request: Failed to initialize SA
    *Jan 27 14:43:50.595: ISAKMP: Error while processing KMI message 0, error 2.
    *Jan 27 14:43:50.602: ISAKMP:(4178): retransmitting phase 1 MM_KEY_EXCH...
    *Jan 27 14:43:50.602: ISAKMP (4178): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
    *Jan 27 14:43:50.602: ISAKMP:(4178): retransmitting phase 1 MM_KEY_EXCH
    *Jan 27 14:43:50.602: ISAKMP:(4178): sending packet to 62.Y.Y.Y my_port 500 peer_port 500 (I) MM_KEY_EXCH
    *Jan 27 14:43:50.602: ISAKMP:(4178):Sending an IKE IPv4 Packet.
    *Jan 27 14:43:51.617: ISAKMP (4178): received packet from 62.Y.Y.Y dport 500 sport 500 Global (I) MM_KEY_EXCH
    *Jan 27 14:43:51.617: ISAKMP:(4178): phase 1 packet is a duplicate of a previous packet.
    *Jan 27 14:43:51.617: ISAKMP:(4178): retransmission skipped for phase 1 (time since last transmission 500)
    *Jan 27 14:43:52.063: ISAKMP:(4178): retransmitting phase 1 MM_KEY_EXCH...
    *Jan 27 14:43:52.063: ISAKMP (4178): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
    *Jan 27 14:43:52.157: ISAKMP:(4178): retransmitting phase 1 MM_KEY_EXCH
    *Jan 27 14:43:52.157: ISAKMP:(4178): sending packet to 62.Y.Y.Y my_port 500 peer_port 500 (I) MM_KEY_EXCH
    *Jan 27 14:43:52.256: ISAKMP:(4178):Sending an IKE IPv4 Packet.
    *Jan 27 14:43:58.259: ISAKMP:(4177):purging node -1724346266
    *Jan 27 14:43:58.468: ISAKMP:(4177):purging node 1984618017
    *Jan 27 14:44:00.567: ISAKMP:(4178): retransmitting phase 1 MM_KEY_EXCH...
    *Jan 27 14:44:00.567: ISAKMP (4178): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
    *Jan 27 14:44:00.567: ISAKMP:(4178): retransmitting phase 1 MM_KEY_EXCH
    *Jan 27 14:44:00.567: ISAKMP:(4178): sending packet to 62.Y.Y.Y my_port 500 peer_port 500 (I) MM_KEY_EXCH
    *Jan 27 14:44:00.567: ISAKMP:(4178):Sending an IKE IPv4 Packet.
    *Jan 27 14:44:08.839: ISAKMP:(4177):purging SA., sa=322035C8, delme=322035C8
    *Jan 27 14:44:10.487: IPSEC(key_engine): request timer fired: count = 2,
      (identity) local= 80.X.X.X:0, remote= 62.Y.Y.Y:0,
        local_proxy= 80.X.X.X/255.255.255.255/47/0,
        remote_proxy= 62.Y.Y.Y/255.255.255.255/47/0
    *Jan 27 14:47:10.567: ISAKMP:(4178): retransmitting phase 1 MM_KEY_EXCH...
    *Jan 27 14:47:10.567: ISAKMP:(4178):peer does not do paranoid keepalives.
    *Jan 27 14:47:10.567: ISAKMP:(4178):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer 62.Y.Y.Y)
    *Jan 27 14:47:10.567: ISAKMP:(4178):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer 62.Y.Y.Y)
    *Jan 27 14:47:10.567: ISAKMP: Unlocking peer struct 0x2B1155EC for isadb_mark_sa_deleted(), count 0
    *Jan 27 14:47:10.567: ISAKMP: Deleting peer node by peer_reap for 62.Y.Y.Y: 2B1155EC
    *Jan 27 14:47:10.567: ISAKMP:(4178):deleting node 365907352 error FALSE reason "IKE deleted"
    *Jan 27 14:47:10.567: ISAKMP:(4178):deleting node -49897289 error FALSE reason "IKE deleted"
    *Jan 27 14:47:10.567: ISAKMP:(4178):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
    *Jan 27 14:47:10.567: ISAKMP:(4178):Old State = IKE_I_MM5  New State = IKE_DEST_SA
    *Jan 27 14:47:10.567: IPSEC(key_engine): got a queue event with 1 KMI message(s)
    *Jan 27 14:47:13.571: IPSEC(sa_request): ,
      (key eng. msg.) OUTBOUND local= 80.X.X.X:500, remote= 62.Y.Y.Y:500,
        local_proxy= 80.X.X.X/255.255.255.255/47/0,
        remote_proxy= 62.Y.Y.Y/255.255.255.255/47/0,
        protocol= ESP, transform= esp-aes 256 esp-sha-hmac  (Transport),
        lifedur= 3600s and 4608000kb,
        spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
    *Jan 27 14:47:13.571: ISAKMP:(0): SA request profile is (NULL)
    *Jan 27 14:47:13.571: ISAKMP: Created a peer struct for 62.Y.Y.Y, peer port 500
    *Jan 27 14:47:13.571: ISAKMP: New peer created peer = 0x2B1155EC peer_handle = 0x800199D6
    *Jan 27 14:47:13.571: ISAKMP: Locking peer struct 0x2B1155EC, refcount 1 for isakmp_initiator
    *Jan 27 14:47:13.571: ISAKMP: local port 500, remote port 500
    *Jan 27 14:47:13.571: ISAKMP: set new node 0 to QM_IDLE
    *Jan 27 14:47:13.571: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 322035C8
    *Jan 27 14:47:13.571: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
    *Jan 27 14:47:13.571: ISAKMP:(0):found peer pre-shared key matching 62.Y.Y.Y
    *Jan 27 14:47:13.571: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
    *Jan 27 14:47:13.571: ISAKMP:(0): constructed NAT-T vendor-07 ID
    *Jan 27 14:47:13.571: ISAKMP:(0): constructed NAT-T vendor-03 ID
    *Jan 27 14:47:13.571: ISAKMP:(0): constructed NAT-T vendor-02 ID
    *Jan 27 14:47:13.571: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
    *Jan 27 14:47:13.571: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
    *Jan 27 14:47:13.571: ISAKMP:(0): beginning Main Mode exchange
    *Jan 27 14:47:13.571: ISAKMP:(0): sending packet to 62.Y.Y.Y my_port 500 peer_port 500 (I) MM_NO_STATE
    *Jan 27 14:47:13.571: ISAKMP:(0):Sending an IKE IPv4 Packet.
    *Jan 27 14:47:13.571: ISAKMP (0): received packet from 62.Y.Y.Y dport 500 sport 500 Global (I) MM_NO_STATE
    *Jan 27 14:47:13.571: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    *Jan 27 14:47:13.571: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2
    *Jan 27 14:47:13.571: ISAKMP:(0): processing SA payload. message ID = 0
    *Jan 27 14:47:13.571: ISAKMP:(0): processing vendor id payload
    *Jan 27 14:47:13.571: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
    *Jan 27 14:47:13.571: ISAKMP (0): vendor ID is NAT-T RFC 3947
    *Jan 27 14:47:13.571: ISAKMP:(0):found peer pre-shared key matching 62.Y.Y.Y
    *Jan 27 14:47:13.575: ISAKMP:(0): local preshared key found
    *Jan 27 14:47:13.575: ISAKMP : Scanning profiles for xauth ...
    *Jan 27 14:47:13.575: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
    *Jan 27 14:47:13.575: ISAKMP:      encryption AES-CBC
    *Jan 27 14:47:13.575: ISAKMP:      keylength of 256
    *Jan 27 14:47:13.575: ISAKMP:      hash SHA
    *Jan 27 14:47:13.575: ISAKMP:      default group 5
    *Jan 27 14:47:13.575: ISAKMP:      auth pre-share
    *Jan 27 14:47:13.575: ISAKMP:      life type in seconds
    *Jan 27 14:47:13.575: ISAKMP:      life duration (basic) of 3600
    *Jan 27 14:47:13.575: ISAKMP:(0):atts are acceptable. Next payload is 0
    *Jan 27 14:47:13.575: ISAKMP:(0):Acceptable atts:actual life: 0
    *Jan 27 14:47:13.575: ISAKMP:(0):Acceptable atts:life: 0
    *Jan 27 14:47:13.575: ISAKMP:(0):Basic life_in_seconds:3600
    *Jan 27 14:47:13.575: ISAKMP:(0):Returning Actual lifetime: 3600
    *Jan 27 14:47:13.575: ISAKMP:(0)::Started lifetime timer: 3600.
    *Jan 27 14:47:13.575: ISAKMP:(0): processing vendor id payload
    *Jan 27 14:47:13.575: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
    *Jan 27 14:47:13.575: ISAKMP (0): vendor ID is NAT-T RFC 3947
    *Jan 27 14:47:13.575: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    *Jan 27 14:47:13.575: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2
    *Jan 27 14:47:13.575: ISAKMP:(0): sending packet to 62.Y.Y.Y my_port 500 peer_port 500 (I) MM_SA_SETUP
    *Jan 27 14:47:13.575: ISAKMP:(0):Sending an IKE IPv4 Packet.
    *Jan 27 14:47:13.575: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    *Jan 27 14:47:13.575: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3
    *Jan 27 14:47:13.579: ISAKMP (0): received packet from 62.Y.Y.Y dport 500 sport 500 Global (I) MM_SA_SETUP
    *Jan 27 14:47:13.579: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    *Jan 27 14:47:13.579: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4
    *Jan 27 14:47:13.579: ISAKMP:(0): processing KE payload. message ID = 0
    *Jan 27 14:47:13.651: ISAKMP:(0): processing NONCE payload. message ID = 0
    *Jan 27 14:47:13.651: ISAKMP:(0):found peer pre-shared key matching 62.Y.Y.Y
    *Jan 27 14:47:13.651: ISAKMP:(4179): processing vendor id payload
    *Jan 27 14:47:13.655: ISAKMP:(4179): vendor ID is Unity
    *Jan 27 14:47:13.655: ISAKMP:(4179): processing vendor id payload
    *Jan 27 14:47:13.655: ISAKMP:(4179): vendor ID is DPD
    *Jan 27 14:47:13.655: ISAKMP:(4179): processing vendor id payload
    *Jan 27 14:47:13.655: ISAKMP:(4179): speaking to another IOS box!
    *Jan 27 14:47:13.655: ISAKMP:received payload type 20
    *Jan 27 14:47:13.655: ISAKMP (4179): His hash no match - this node outside NAT
    *Jan 27 14:47:13.655: ISAKMP:received payload type 20
    *Jan 27 14:47:13.655: ISAKMP (4179): No NAT Found for self or peer
    *Jan 27 14:47:13.655: ISAKMP:(4179):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    *Jan 27 14:47:13.655: ISAKMP:(4179):Old State = IKE_I_MM4  New State = IKE_I_MM4
    *Jan 27 14:47:13.655: ISAKMP:(4179):Send initial contact
    *Jan 27 14:47:13.655: ISAKMP:(4179):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
    *Jan 27 14:47:13.655: ISAKMP (4179): ID payload
            next-payload : 8
            type         : 1
            address      : 80.X.X.X
            protocol     : 17
            port         : 500
            length       : 12
    *Jan 27 14:47:13.655: ISAKMP:(4179):Total payload length: 12
    *Jan 27 14:47:13.655: ISAKMP:(4179): sending packet to 62.Y.Y.Y my_port 500 peer_port 500 (I) MM_KEY_EXCH
    *Jan 27 14:47:13.655: ISAKMP:(4179):Sending an IKE IPv4 Packet.
    *Jan 27 14:47:13.655: ISAKMP:(4179):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    *Jan 27 14:47:13.655: ISAKMP:(4179):Old State = IKE_I_MM4  New State = IKE_I_MM5
    *Jan 27 14:47:14.651: ISAKMP (4179): received packet from 62.Y.Y.Y dport 500 sport 500 Global (I) MM_KEY_EXCH
    *Jan 27 14:47:14.651: ISAKMP:(4179): phase 1 packet is a duplicate of a previous packet.
    *Jan 27 14:47:14.651: ISAKMP:(4179): retransmission skipped for phase 1 (time since last transmission 996)
    *Jan 27 14:47:23.655: ISAKMP:(4179): retransmitting phase 1 MM_KEY_EXCH...
    *Jan 27 14:47:23.655: ISAKMP (4179): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
    *Jan 27 14:47:23.655: ISAKMP:(4179): retransmitting phase 1 MM_KEY_EXCH
    *Jan 27 14:47:23.655: ISAKMP:(4179): sending packet to 62.Y.Y.Y my_port 500 peer_port 500 (I) MM_KEY_EXCH
    *Jan 27 14:47:23.655: ISAKMP:(4179):Sending an IKE IPv4 Packet.
    *Jan 27 14:47:24.151: ISAKMP (4179): received packet from 62.Y.Y.Y dport 500 sport 500 Global (I) MM_KEY_EXCH
    *Jan 27 14:47:24.151: ISAKMP:(4179): phase 1 packet is a duplicate of a previous packet.
    *Jan 27 14:47:24.151: ISAKMP:(4179): retransmission skipped for phase 1 (time since last transmission 496)
    *Jan 27 14:47:33.655: ISAKMP:(4179): retransmitting phase 1 MM_KEY_EXCH...
    *Jan 27 14:47:33.655: ISAKMP (4179): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
    *Jan 27 14:47:33.655: ISAKMP:(4179): retransmitting phase 1 MM_KEY_EXCH
    *Jan 27 14:47:33.655: ISAKMP:(4179): sending packet to 62.Y.Y.Y my_port 500 peer_port 500 (I) MM_KEY_EXCH
    *Jan 27 14:47:33.655: ISAKMP:(4179):Sending an IKE IPv4 Packet.
    *Jan 27 14:47:34.151: ISAKMP (4179): received packet from 62.Y.Y.Y dport 500 sport 500 Global (I) MM_KEY_EXCH
    *Jan 27 14:47:34.151: ISAKMP:(4179): phase 1 packet is a duplicate of a previous packet.
    *Jan 27 14:47:34.151: ISAKMP:(4179): retransmission skipped for phase 1 (time since last transmission 496)
    *Jan 27 14:47:43.571: IPSEC(key_engine): request timer fired: count = 1,
      (identity) local= 80.X.X.X:0, remote= 62.Y.Y.Y:0,
        local_proxy= 80.X.X.X/255.255.255.255/47/0,
        remote_proxy= 62.Y.Y.Y/255.255.255.255/47/0
    *Jan 27 14:47:43.571: IPSEC(sa_request): ,
      (key eng. msg.) OUTBOUND local= 80.X.X.X:500, remote= 62.Y.Y.Y:500,
        local_proxy= 80.X.X.X/255.255.255.255/47/0,
        remote_proxy= 62.Y.Y.Y/255.255.255.255/47/0,
        protocol= ESP, transform= esp-aes 256 esp-sha-hmac  (Transport),
        lifedur= 3600s and 4608000kb,
        spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
    *Jan 27 14:47:43.571: ISAKMP: set new node 0 to QM_IDLE
    *Jan 27 14:47:43.571: ISAKMP:(4179):SA is still budding. Attached new ipsec request to it. (local 80.X.X.X, remote 62.Y.Y.Y)
    *Jan 27 14:47:43.571: ISAKMP: Error while processing SA request: Failed to initialize SA
    *Jan 27 14:47:43.571: ISAKMP: Error while processing KMI message 0, error 2.
    *Jan 27 14:47:43.655: ISAKMP:(4179): retransmitting phase 1 MM_KEY_EXCH...
    *Jan 27 14:47:43.655: ISAKMP (4179): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
    *Jan 27 14:47:43.655: ISAKMP:(4179): retransmitting phase 1 MM_KEY_EXCH
    *Jan 27 14:47:43.655: ISAKMP:(4179): sending packet to 62.Y.Y.Y my_port 500 peer_port 500 (I) MM_KEY_EXCH
    *Jan 27 14:47:43.655: ISAKMP:(4179):Sending an IKE IPv4 Packet.
    *Jan 27 14:47:44.151: ISAKMP (4179): received packet from 62.Y.Y.Y dport 500 sport 500 Global (I) MM_KEY_EXCH
    *Jan 27 14:47:44.151: ISAKMP:(4179): phase 1 packet is a duplicate of a previous packet.
    *Jan 27 14:47:44.151: ISAKMP:(4179): retransmission skipped for phase 1 (time since last transmission 496)
    *Jan 27 14:47:53.655: ISAKMP:(4179): retransmitting phase 1 MM_KEY_EXCH...
    *Jan 27 14:47:53.655: ISAKMP (4179): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
    *Jan 27 14:47:53.655: ISAKMP:(4179): retransmitting phase 1 MM_KEY_EXCH
    *Jan 27 14:47:53.655: ISAKMP:(4179): sending packet to 62.Y.Y.Y my_port 500 peer_port 500 (I) MM_KEY_EXCH
    *Jan 27 14:47:53.655: ISAKMP:(4179):Sending an IKE IPv4 Packet.
    *Jan 27 14:48:00.567: ISAKMP:(4178):purging node 365907352
    *Jan 27 14:48:00.567: ISAKMP:(4178):purging node -49897289
    xnwn252#sh crypto isakmp sa
    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id status
    62.Y.Y.Y   80.X.X.X    MM_NO_STATE       4270 ACTIVE (deleted)
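
The `debug crypto isakmp` output on this page (spoke and hub sides) can be triaged mechanically. The following Python is an added example, not code from the thread or from Cisco: it groups the debug lines into phase-1 negotiations and maps the signature lines to the cause they usually indicate on IOS. A responder that logs `reserved not zero on ID payload!` followed by `%CRYPTO-4-IKMP_BAD_MESSAGE` on the MM_KEY_EXCH message could not parse MM5, the first main-mode message encrypted under SKEYID_e; since SKEYID is derived from the pre-shared key, that is the usual footprint of a PSK mismatch between the two peers (a packet corrupted in transit looks the same but is rarer). The initiator's side of the same failure is `Death by retransmission P1` out of IKE_I_MM5 after five unanswered retransmits. The sample lines inside the block are constructed in the shape of the thread's output, and the verdict names are the example's own.

```python
"""Triage Cisco IOS 'debug crypto isakmp' output for IKEv1 main-mode failures.
Added example for this thread, not code from the original post or from Cisco.  A negotiation is
logged as 'ISAKMP:(0)' until the DH/nonce exchange and as 'ISAKMP:(NNNN)' afterwards; lines without
an SA number (e.g. %CRYPTO-4-IKMP_BAD_MESSAGE) are attributed to the negotiation logged just before."""
import re
from dataclasses import dataclass, field

SA_RE = re.compile(r"ISAKMP[: ]?\((\d+)\)")
STATE_RE = re.compile(r"Old State = \S+\s+New State = (\S+)")
PSK_RE = re.compile(r"found peer pre-shared key matching (\S+)")
LIFE_RE = re.compile(r"Basic life_in_seconds:(\d+)")
FLAGS = {  # signature lines that explain a stalled phase 1
    "bad_message": re.compile(r"reserved not zero on ID payload|IKMP_BAD_MESSAGE"),
    "retransmit_death": re.compile(r"Death by retransmission P1"),
    "policy_fail": re.compile(r"atts are not acceptable"),
}


@dataclass
class Negotiation:
    sa_id: str
    role: str = "?"                       # 'I' initiator / 'R' responder
    states: list = field(default_factory=list)
    psk_peer: str = ""                    # address the PSK was looked up by
    lifetime: int = 0                     # negotiated phase-1 lifetime, seconds
    flags: set = field(default_factory=set)
    verdict: str = "incomplete"
    reason: str = ""


def _absorb(neg: Negotiation, line: str) -> None:
    if m := STATE_RE.search(line):
        neg.states.append(m.group(1))
        neg.role = {"IKE_I": "I", "IKE_R": "R"}.get(m.group(1)[:5], neg.role)
    if m := PSK_RE.search(line):
        neg.psk_peer = m.group(1)
    if m := LIFE_RE.search(line):
        neg.lifetime = int(m.group(1))
    neg.flags |= {name for name, rx in FLAGS.items() if rx.search(line)}


def classify(neg: Negotiation) -> Negotiation:
    """Map the observed signatures to the usual IOS IKEv1 phase-1 failure cause."""
    st, f = neg.states, neg.flags
    # The state just before IKE_DEST_SA says how far the exchange got before it died.
    last = st[-2] if len(st) >= 2 and st[-1] == "IKE_DEST_SA" else (st[-1] if st else "IKE_READY")
    if "IKE_P1_COMPLETE" in st:
        neg.verdict, neg.reason = "phase1-complete", "main mode finished; check phase 2 if traffic still fails"
    elif "policy_fail" in f:
        neg.verdict, neg.reason = "policy-mismatch", "no ISAKMP policy matched the peer's proposal"
    elif "bad_message" in f and neg.role == "R":
        neg.verdict = "psk-mismatch-suspected"
        neg.reason = ("responder could not parse MM5, the first encrypted main-mode message: different PSKs "
                      "give different SKEYID_e, so MM5 decrypts to garbage (rarer: packet corrupted in transit)")
    elif "retransmit_death" in f and last == "IKE_I_MM5":
        neg.verdict = "no-mm6-from-responder"
        neg.reason = "MM5 sent, MM6 never arrived; matches a responder rejecting MM5 (PSK mismatch) or MM5/MM6 dropped"
    elif "retransmit_death" in f:
        neg.verdict, neg.reason = "peer-not-answering", f"gave up in {last}; UDP/500 filtered or ISAKMP not enabled on peer"
    return neg


def triage(debug_text: str) -> dict:
    """Group debug lines into negotiations keyed by SA number and classify each one."""
    negs, pending, current = {}, None, None   # pending: the 'ISAKMP:(0)' prefix of an SA with no number yet
    for line in debug_text.splitlines():
        m = SA_RE.search(line)
        if not m:                              # no SA number: belongs to the negotiation logged just before
            if current is not None:
                _absorb(current, line)
            continue
        sa_id = m.group(1)
        if sa_id == "0":
            if pending is None or ("IKE_READY" in line and pending.states):
                pending = Negotiation("0")     # a fresh negotiation is starting
            current = pending
        else:
            if sa_id not in negs:              # first line with the real SA number: adopt the (0) prefix
                negs[sa_id] = pending or Negotiation(sa_id)
                negs[sa_id].sa_id, pending = sa_id, None
            current = negs[sa_id]
        _absorb(current, line)
    if pending is not None:
        negs["0"] = pending
    return {k: classify(v) for k, v in negs.items()}


# Constructed samples in the shape of the thread's hub (responder) and spoke (initiator) output.
SAMPLE_HUB = """\
*Jan 27 15:13:00.523: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_MM1
*Jan 27 15:13:00.523: ISAKMP:(0):found peer pre-shared key matching 80.x.x.x
*Jan 27 15:13:00.523: ISAKMP:(0):Basic life_in_seconds:3600
*Jan 27 15:13:00.531: ISAKMP:(14514):Old State = IKE_R_MM3  New State = IKE_R_MM4
*Jan 27 15:13:00.607: ISAKMP: reserved not zero on ID payload!
*Jan 27 15:13:00.607: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 80.x.x.x failed its sanity check or is malformed
*Jan 27 15:13:41.107: ISAKMP:(14514):deleting SA reason "Death by retransmission P1" state (R) MM_KEY_EXCH (peer 80.x.x.x)
*Jan 27 15:13:41.107: ISAKMP:(14514):Old State = IKE_R_MM4  New State = IKE_DEST_SA
"""
SAMPLE_SPOKE = """\
*Jan 27 14:47:13.571: ISAKMP:(0):found peer pre-shared key matching 62.Y.Y.Y
*Jan 27 14:47:13.571: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
*Jan 27 14:47:13.575: ISAKMP:(0):Basic life_in_seconds:3600
*Jan 27 14:47:13.655: ISAKMP:(4179):Old State = IKE_I_MM4  New State = IKE_I_MM5
*Jan 27 14:50:33.655: ISAKMP:(4179):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer 62.Y.Y.Y)
*Jan 27 14:50:33.655: ISAKMP:(4179):Old State = IKE_I_MM5  New State = IKE_DEST_SA
"""
```

Run it on a saved capture with `triage(open("debug.txt").read())`; it returns one `Negotiation` per SA number carrying the negotiated phase-1 lifetime and the address the PSK was looked up by, which are the two things to compare between hub and spoke when the verdict is psk-mismatch-suspected.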
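Why the failure shows up at MM5 and not earlier, and why a phase-1 rekey when the lifetime timer the logs show being started (3600 seconds) expires does not change the key the two peers must share: the following is an added example, not from the post or from Cisco, of the RFC 2409 pre-shared-key derivation. MM3 and MM4 (the KE and NONCE payloads in the logs) complete regardless of the PSK, so both peers hold the same g^xy, nonces and cookies; the PSK enters only as the prf key for SKEYID, and SKEYID_e, the key that encrypts MM5 onward, inherits the difference. The nonces, cookies and DH value are constructed test values; the prf is HMAC-SHA1 and the key length 32 bytes to match the `hash SHA` and `AES-CBC keylength 256` policy in the logs.

```python
"""IKEv1 main-mode key derivation for pre-shared-key authentication (RFC 2409 section 5, appendix B).
Added example for this thread, not code from the original post or from Cisco.  It shows why a PSK
mismatch surfaces only at MM5: the DH exchange in MM3/MM4 does not involve the PSK, so both peers
derive the same g^xy and see the same nonces, and only SKEYID = prf(PSK, Ni | Nr) and everything
derived from it differ.  A rekey repeats this with fresh nonces and g^xy but the same PSK."""
import hashlib
import hmac


def prf(key: bytes, data: bytes, hash_name: str = "sha1") -> bytes:
    return hmac.new(key, data, hash_name).digest()


def derive_phase1_keys(psk: bytes, ni: bytes, nr: bytes, gxy: bytes, cky_i: bytes, cky_r: bytes,
                       enc_keylen: int = 32, hash_name: str = "sha1") -> dict:
    """Pre-shared-key variant; enc_keylen=32 is AES-256 as in the thread's negotiated policy."""
    skeyid = prf(psk, ni + nr, hash_name)                                        # 5.4: the PSK enters here only
    skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00", hash_name)             # phase-2 key material
    skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01", hash_name)  # authentication (HASH_I/R)
    skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02", hash_name)  # encryption from MM5 onward
    if len(skeyid_e) >= enc_keylen:
        enc_key = skeyid_e[:enc_keylen]
    else:  # appendix B: K1 = prf(SKEYID_e, 0), Kn = prf(SKEYID_e, Kn-1), key = K1 | K2 | ... truncated
        enc_key, block = b"", prf(skeyid_e, b"\x00", hash_name)
        while len(enc_key) < enc_keylen:
            enc_key, block = enc_key + block, prf(skeyid_e, block, hash_name)
    return {"skeyid": skeyid, "skeyid_d": skeyid_d, "skeyid_a": skeyid_a,
            "skeyid_e": skeyid_e, "enc_key": enc_key[:enc_keylen]}


def hash_i(skeyid: bytes, gxi: bytes, gxr: bytes, cky_i: bytes, cky_r: bytes,
           sai_b: bytes, idii_b: bytes, hash_name: str = "sha1") -> bytes:
    """HASH_I carried inside encrypted MM5 (5.1); with a wrong PSK the responder never gets this far."""
    return prf(skeyid, gxi + gxr + cky_i + cky_r + sai_b + idii_b, hash_name)


def first_iv(gxi: bytes, gxr: bytes, block_size: int = 16, hash_name: str = "sha1") -> bytes:
    """CBC IV for the first encrypted phase-1 message: hash(g^xi | g^xr) truncated to the block size."""
    return hashlib.new(hash_name, gxi + gxr).digest()[:block_size]


def peers_agree_on_mm5_key(psk_initiator: bytes, psk_responder: bytes) -> bool:
    """Both peers see identical nonces, cookies and g^xy (constructed here); only the PSK can differ."""
    ni, nr = bytes(range(16)), bytes(range(16, 32))
    cky_i, cky_r = b"\x11" * 8, b"\x22" * 8
    gxy = hashlib.sha256(b"constructed stand-in for the group-5 DH shared secret").digest()
    init = derive_phase1_keys(psk_initiator, ni, nr, gxy, cky_i, cky_r)
    resp = derive_phase1_keys(psk_responder, ni, nr, gxy, cky_i, cky_r)
    return init["enc_key"] == resp["enc_key"]
```

`peers_agree_on_mm5_key(b"same", b"same")` is True and `peers_agree_on_mm5_key(b"same", b"other")` is False even though every other input is identical, which is exactly the situation in which a responder receives an MM5 it cannot decrypt.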

    Hello,
    I am doing a test lab for DMVPN and I couldn't find the cause of one spoke's ISAKMP error. The interesting part is that I have done the same for another spoke, which has successfully created a VPN with the hub. There is no firewall or ACL between these two routers. I would appreciate any assistance. I have uploaded the hub and spoke configurations, and the error messages at the hub and spoke are given below:
    Debug isakmp error at Hub Side:
    *Jan 27 15:13:00.523: ISAKMP (0): received packet from 80.x.x.x dport 500 sport 500 Global (N) NEW SA
    *Jan 27 15:13:00.523: ISAKMP: Created a peer struct for 80.x.x.x, peer port 500
    *Jan 27 15:13:00.523: ISAKMP: New peer created peer = 0x2B96890 peer_handle = 0x80002A44
    *Jan 27 15:13:00.523: ISAKMP: Locking peer struct 0x2B96890, refcount 1 for crypto_isakmp_process_block
    *Jan 27 15:13:00.523: ISAKMP: local port 500, remote port 500
    *Jan 27 15:13:00.523: ISAKMP:(0):insert sa successfully sa = 10BB3F84
    *Jan 27 15:13:00.523: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    *Jan 27 15:13:00.523: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_MM1
    *Jan 27 15:13:00.523: ISAKMP:(0): processing SA payload. message ID = 0
    *Jan 27 15:13:00.523: ISAKMP:(0): processing vendor id payload
    *Jan 27 15:13:00.523: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
    *Jan 27 15:13:00.523: ISAKMP (0): vendor ID is NAT-T RFC 3947
    *Jan 27 15:13:00.523: ISAKMP:(0): processing vendor id payload
    *Jan 27 15:13:00.523: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
    *Jan 27 15:13:00.523: ISAKMP (0): vendor ID is NAT-T v7
    *Jan 27 15:13:00.523: ISAKMP:(0): processing vendor id payload
    *Jan 27 15:13:00.523: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
    *Jan 27 15:13:00.523: ISAKMP:(0): vendor ID is NAT-T v3
    *Jan 27 15:13:00.523: ISAKMP:(0): processing vendor id payload
    *Jan 27 15:13:00.523: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
    *Jan 27 15:13:00.523: ISAKMP:(0): vendor ID is NAT-T v2
    *Jan 27 15:13:00.523: ISAKMP:(0):found peer pre-shared key matching 80.x.x.x
    *Jan 27 15:13:00.523: ISAKMP:(0): local preshared key found
    *Jan 27 15:13:00.523: ISAKMP : Scanning profiles for xauth ...
    *Jan 27 15:13:00.523: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
    *Jan 27 15:13:00.523: ISAKMP:      encryption AES-CBC
    *Jan 27 15:13:00.523: ISAKMP:      keylength of 256
    *Jan 27 15:13:00.523: ISAKMP:      hash SHA
    *Jan 27 15:13:00.523: ISAKMP:      default group 5
    *Jan 27 15:13:00.523: ISAKMP:      auth pre-share
    *Jan 27 15:13:00.523: ISAKMP:      life type in seconds
    *Jan 27 15:13:00.523: ISAKMP:      life duration (basic) of 3600
    *Jan 27 15:13:00.523: ISAKMP:(0):atts are acceptable. Next payload is 0
    *Jan 27 15:13:00.523: ISAKMP:(0):Acceptable atts:actual life: 0
    *Jan 27 15:13:00.523: ISAKMP:(0):Acceptable atts:life: 0
    *Jan 27 15:13:00.523: ISAKMP:(0):Basic life_in_seconds:3600
    *Jan 27 15:13:00.523: ISAKMP:(0):Returning Actual lifetime: 3600
    *Jan 27 15:13:00.523: ISAKMP:(0)::Started lifetime timer: 3600.
    *Jan 27 15:13:00.523: ISAKMP:(0): processing vendor id payload
    *Jan 27 15:13:00.523: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
    *Jan 27 15:13:00.523: ISAKMP (0): vendor ID is NAT-T RFC 3947
    *Jan 27 15:13:00.523: ISAKMP:(0): processing vendor id payload
    *Jan 27 15:13:00.527: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
    *Jan 27 15:13:00.527: ISAKMP (0): vendor ID is NAT-T v7
    *Jan 27 15:13:00.527: ISAKMP:(0): processing vendor id payload
    *Jan 27 15:13:00.527: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
    *Jan 27 15:13:00.527: ISAKMP:(0): vendor ID is NAT-T v3
    *Jan 27 15:13:00.527: ISAKMP:(0): processing vendor id payload
    *Jan 27 15:13:00.527: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
    *Jan 27 15:13:00.527: ISAKMP:(0): vendor ID is NAT-T v2
    *Jan 27 15:13:00.527: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    *Jan 27 15:13:00.527: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM1
    *Jan 27 15:13:00.527: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
    *Jan 27 15:13:00.527: ISAKMP:(0): sending packet to 80.x.x.x my_port 500 peer_port 500 (R) MM_SA_SETUP
    *Jan 27 15:13:00.527: ISAKMP:(0):Sending an IKE IPv4 Packet.
    *Jan 27 15:13:00.527: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    *Jan 27 15:13:00.527: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM2
    *Jan 27 15:13:00.527: ISAKMP (0): received packet from 80.x.x.x dport 500 sport 500 Global (R) MM_SA_SETUP
    *Jan 27 15:13:00.527: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    *Jan 27 15:13:00.527: ISAKMP:(0):Old State = IKE_R_MM2  New State = IKE_R_MM3
    *Jan 27 15:13:00.527: ISAKMP:(0): processing KE payload. message ID = 0
    *Jan 27 15:13:00.531: ISAKMP:(0): processing NONCE payload. message ID = 0
    *Jan 27 15:13:00.531: ISAKMP:(0):found peer pre-shared key matching 80.x.x.x
    *Jan 27 15:13:00.531: ISAKMP:(14514): processing vendor id payload
    *Jan 27 15:13:00.531: ISAKMP:(14514): vendor ID is DPD
    *Jan 27 15:13:00.531: ISAKMP:(14514): processing vendor id payload
    *Jan 27 15:13:00.531: ISAKMP:(14514): speaking to another IOS box!
    *Jan 27 15:13:00.531: ISAKMP:(14514): processing vendor id payload
    *Jan 27 15:13:00.531: ISAKMP:(14514): vendor ID seems Unity/DPD but major 196 mismatch
    *Jan 27 15:13:00.531: ISAKMP:(14514): vendor ID is XAUTH
    *Jan 27 15:13:00.531: ISAKMP:received payload type 20
    *Jan 27 15:13:00.531: ISAKMP (14514): His hash no match - this node outside NAT
    *Jan 27 15:13:00.531: ISAKMP:received payload type 20
    *Jan 27 15:13:00.531: ISAKMP (14514): No NAT Found for self or peer
    *Jan 27 15:13:00.531: ISAKMP:(14514):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    *Jan 27 15:13:00.531: ISAKMP:(14514):Old State = IKE_R_MM3  New State = IKE_R_MM3
    *Jan 27 15:13:00.531: ISAKMP:(14514): sending packet to 80.x.x.x my_port 500 peer_port 500 (R) MM_KEY_EXCH
    *Jan 27 15:13:00.531: ISAKMP:(14514):Sending an IKE IPv4 Packet.
    *Jan 27 15:13:00.531: ISAKMP:(14514):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    *Jan 27 15:13:00.531: ISAKMP:(14514):Old State = IKE_R_MM3  New State = IKE_R_MM4
    *Jan 27 15:13:00.607: ISAKMP (14514): received packet from 80.x.x.x dport 500 sport 500 Global (R) MM_KEY_EXCH
    *Jan 27 15:13:00.607: ISAKMP: reserved not zero on ID payload!
    *Jan 27 15:13:00.607: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 80.x.x.x failed its sanity check or is malformed
    *Jan 27 15:13:00.607: ISAKMP (14514): incrementing error counter on sa, attempt 1 of 5: reset_retransmission
    *Jan 27 15:13:01.607: ISAKMP:(14514): retransmitting phase 1 MM_KEY_EXCH...
    *Jan 27 15:13:01.607: ISAKMP (14514): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
    *Jan 27 15:13:01.607: ISAKMP:(14514): retransmitting phase 1 MM_KEY_EXCH
    *Jan 27 15:13:01.607: ISAKMP:(14514): sending packet to 80.x.x.x my_port 500 peer_port 500 (R) MM_KEY_EXCH
    *Jan 27 15:13:01.607: ISAKMP:(14514):Sending an IKE IPv4 Packet.
    *Jan 27 15:13:10.607: ISAKMP (14514): received packet from 80.x.x.x dport 500 sport 500 Global (R) MM_KEY_EXCH
    *Jan 27 15:13:10.607: ISAKMP:(14514): phase 1 packet is a duplicate of a previous packet.
    *Jan 27 15:13:10.607: ISAKMP:(14514): retransmitting due to retransmit phase 1
    *Jan 27 15:13:11.107: ISAKMP:(14514): retransmitting phase 1 MM_KEY_EXCH...
    *Jan 27 15:13:11.107: ISAKMP (14514): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
    *Jan 27 15:13:11.107: ISAKMP:(14514): retransmitting phase 1 MM_KEY_EXCH
    *Jan 27 15:13:11.107: ISAKMP:(14514): sending packet to 80.x.x.x my_port 500 peer_port 500 (R) MM_KEY_EXCH
    *Jan 27 15:13:11.107: ISAKMP:(14514):Sending an IKE IPv4 Packet.
    *Jan 27 15:13:20.607: ISAKMP (14514): received packet from 80.x.x.x dport 500 sport 500 Global (R) MM_KEY_EXCH
    *Jan 27 15:13:20.607: ISAKMP:(14514): phase 1 packet is a duplicate of a previous packet.
    *Jan 27 15:13:20.607: ISAKMP:(14514): retransmitting due to retransmit phase 1
    *Jan 27 15:13:21.107: ISAKMP:(14514): retransmitting phase 1 MM_KEY_EXCH...
    *Jan 27 15:13:21.107: ISAKMP (14514): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
    *Jan 27 15:13:21.107: ISAKMP:(14514): retransmitting phase 1 MM_KEY_EXCH
    *Jan 27 15:13:21.107: ISAKMP:(14514): sending packet to 80.x.x.x my_port 500 peer_port 500 (R) MM_KEY_EXCH
    *Jan 27 15:13:21.107: ISAKMP:(14514):Sending an IKE IPv4 Packet.
    *Jan 27 15:13:30.607: ISAKMP (14514): received packet from 80.x.x.x dport 500 sport 500 Global (R) MM_KEY_EXCH
    *Jan 27 15:13:30.607: ISAKMP:(14514): phase 1 packet is a duplicate of a previous packet.
    *Jan 27 15:13:30.607: ISAKMP:(14514): retransmitting due to retransmit phase 1
    *Jan 27 15:13:31.107: ISAKMP:(14514): retransmitting phase 1 MM_KEY_EXCH...
    *Jan 27 15:13:31.107: ISAKMP (14514): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
    *Jan 27 15:13:31.107: ISAKMP:(14514): retransmitting phase 1 MM_KEY_EXCH
    *Jan 27 15:13:31.107: ISAKMP:(14514): sending packet to 80.x.x.x my_port 500 peer_port 500 (R) MM_KEY_EXCH
    *Jan 27 15:13:31.107: ISAKMP:(14514):Sending an IKE IPv4 Packet.
    *Jan 27 15:13:40.607: ISAKMP (14514): received packet from 80.x.x.x dport 500 sport 500 Global (R) MM_KEY_EXCH
    *Jan 27 15:13:40.607: ISAKMP:(14514): phase 1 packet is a duplicate of a previous packet.
    *Jan 27 15:13:40.607: ISAKMP:(14514): retransmitting due to retransmit phase 1
    *Jan 27 15:13:41.107: ISAKMP:(14514): retransmitting phase 1 MM_KEY_EXCH...
    *Jan 27 15:13:41.107: ISAKMP:(14514):peer does not do paranoid keepalives.
    *Jan 27 15:13:41.107: ISAKMP:(14514):deleting SA reason "Death by retransmission P1" state (R) MM_KEY_EXCH (peer 80.x.x.x)
    *Jan 27 15:13:41.107: ISAKMP:(14514):deleting SA reason "Death by retransmission P1" state (R) MM_KEY_EXCH (peer 80.x.x.x)
    *Jan 27 15:13:41.107: ISAKMP: Unlocking peer struct 0x2B96890 for isadb_mark_sa_deleted(), count 0
    *Jan 27 15:13:41.107: ISAKMP: Deleting peer node by peer_reap for 80.x.x.x: 2B96890
    *Jan 27 15:13:41.107: ISAKMP:(14514):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
    *Jan 27 15:13:41.107: ISAKMP:(14514):Old State = IKE_R_MM4  New State = IKE_DEST_SA
    *Jan 27 15:13:50.607: ISAKMP (14514): received packet from 80.x.x.x dport 500 sport 500 Global (R) MM_NO_STATE
    *Jan 27 15:14:01.439: ISAKMP (0): received packet from 80.x.x.x dport 500 sport 500 Global (N) NEW SA
    *Jan 27 15:14:01.439: ISAKMP: Created a peer struct for 80.x.x.x, peer port 500
    *Jan 27 15:14:01.439: ISAKMP: New peer created peer = 0x14BDDFFC peer_handle = 0x80002A46
    *Jan 27 15:14:01.439: ISAKMP: Locking peer struct 0x14BDDFFC, refcount 1 for crypto_isakmp_process_block
    *Jan 27 15:14:01.439: ISAKMP: local port 500, remote port 500
    *Jan 27 15:14:01.439: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 2B94390
    *Jan 27 15:14:01.439: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    *Jan 27 15:14:01.439: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_MM1
    *Jan 27 15:14:01.439: ISAKMP:(0): processing SA payload. message ID = 0
    *Jan 27 15:14:01.439: ISAKMP:(0): processing vendor id payload
    *Jan 27 15:14:01.439: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
    *Jan 27 15:14:01.439: ISAKMP (0): vendor ID is NAT-T RFC 3947
    *Jan 27 15:14:01.439: ISAKMP:(0): processing vendor id payload
    *Jan 27 15:14:01.439: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
    *Jan 27 15:14:01.439: ISAKMP (0): vendor ID is NAT-T v7
    *Jan 27 15:14:01.439: ISAKMP:(0): processing vendor id payload
    *Jan 27 15:14:01.439: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
    *Jan 27 15:14:01.439: ISAKMP:(0): vendor ID is NAT-T v3
    *Jan 27 15:14:01.439: ISAKMP:(0): processing vendor id payload
    *Jan 27 15:14:01.439: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
    *Jan 27 15:14:01.439: ISAKMP:(0): vendor ID is NAT-T v2
    *Jan 27 15:14:01.439: ISAKMP:(0):found peer pre-shared key matching 80.x.x.x
    *Jan 27 15:14:01.439: ISAKMP:(0): local preshared key found
    *Jan 27 15:14:01.439: ISAKMP : Scanning profiles for xauth ...
    *Jan 27 15:14:01.439: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
    *Jan 27 15:14:01.439: ISAKMP:      encryption AES-CBC
    *Jan 27 15:14:01.439: ISAKMP:      keylength of 256
    *Jan 27 15:14:01.439: ISAKMP:      hash SHA
    *Jan 27 15:14:01.439: ISAKMP:      default group 5
    *Jan 27 15:14:01.439: ISAKMP:      auth pre-share
    *Jan 27 15:14:01.439: ISAKMP:      life type in seconds
    *Jan 27 15:14:01.439: ISAKMP:      life duration (basic) of 3600
    *Jan 27 15:14:01.439: ISAKMP:(0):atts are acceptable. Next payload is 0
    *Jan 27 15:14:01.439: ISAKMP:(0):Acceptable atts:actual life: 0
    *Jan 27 15:14:01.439: ISAKMP:(0):Acceptable atts:life: 0
    *Jan 27 15:14:01.439: ISAKMP:(0):Basic life_in_seconds:3600
    *Jan 27 15:14:01.439: ISAKMP:(0):Returning Actual lifetime: 3600
    *Jan 27 15:14:01.439: ISAKMP:(0)::Started lifetime timer: 3600.
    # sh crypto isakmp sa (at Hub)
    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id status
    83.X.X.X   62.Y.Y.Y   QM_IDLE          14577 ACTIVE
    62.Y.Y.Y   80.X.X.X   MM_KEY_EXCH      14589 ACTIVE
    62.Y.Y.Y   80.X.X.X    MM_NO_STATE      14588 ACTIVE (deleted)
    Debug isakmp error at Spoke side:
    *Jan 27 14:43:50.595: ISAKMP: set new node 0 to QM_IDLE
    *Jan 27 14:43:50.595: ISAKMP:(4178):SA is still budding. Attached new ipsec request to it. (local 80.X.X.X, remote 62.Y.Y.Y)
    *Jan 27 14:43:50.595: ISAKMP: Error while processing SA request: Failed to initialize SA
    *Jan 27 14:43:50.595: ISAKMP: Error while processing KMI message 0, error 2.
    *Jan 27 14:43:50.602: ISAKMP:(4178): retransmitting phase 1 MM_KEY_EXCH...
    *Jan 27 14:43:50.602: ISAKMP (4178): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
    *Jan 27 14:43:50.602: ISAKMP:(4178): retransmitting phase 1 MM_KEY_EXCH
    *Jan 27 14:43:50.602: ISAKMP:(4178): sending packet to 62.Y.Y.Y my_port 500 peer_port 500 (I) MM_KEY_EXCH
    *Jan 27 14:43:50.602: ISAKMP:(4178):Sending an IKE IPv4 Packet.
    *Jan 27 14:43:51.617: ISAKMP (4178): received packet from 62.Y.Y.Y dport 500 sport 500 Global (I) MM_KEY_EXCH
    *Jan 27 14:43:51.617: ISAKMP:(4178): phase 1 packet is a duplicate of a previous packet.
    *Jan 27 14:43:51.617: ISAKMP:(4178): retransmission skipped for phase 1 (time since last transmission 500)
    *Jan 27 14:43:52.063: ISAKMP:(4178): retransmitting phase 1 MM_KEY_EXCH...
    *Jan 27 14:43:52.063: ISAKMP (4178): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
    *Jan 27 14:47:13.655: ISAKMP (4179): ID payload
            next-payload : 8
            type         : 1
            address      : 80.X.X.X
            protocol     : 17
            port         : 500
            length       : 12
    *Jan 27 14:47:13.655: ISAKMP:(4179):Total payload length: 12
    *Jan 27 14:47:13.655: ISAKMP:(4179): sending packet to 62.Y.Y.Y my_port 500 peer_port 500 (I) MM_KEY_EXCH
    *Jan 27 14:47:13.655: ISAKMP:(4179):Sending an IKE IPv4 Packet.
    *Jan 27 14:47:13.655: ISAKMP:(4179):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    *Jan 27 14:47:13.655: ISAKMP:(4179):Old State = IKE_I_MM4  New State = IKE_I_MM5
    *Jan 27 14:47:14.651: ISAKMP (4179): received packet from 62.Y.Y.Y dport 500 sport 500 Global (I) MM_KEY_EXCH
    *Jan 27 14:47:14.651: ISAKMP:(4179): phase 1 packet is a duplicate of a previous packet.
    *Jan 27 14:47:14.651: ISAKMP:(4179): retransmission skipped for phase 1 (time since last transmission 996)
    *Jan 27 14:47:23.655: ISAKMP:(4179): retransmitting phase 1 MM_KEY_EXCH...
    *Jan 27 14:47:23.655: ISAKMP (4179): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
    *Jan 27 14:47:23.655: ISAKMP:(4179): retransmitting phase 1 MM_KEY_EXCH
    *Jan 27 14:47:23.655: ISAKMP:(4179): sending packet to 62.Y.Y.Y my_port 500 peer_port 500 (I) MM_KEY_EXCH
    *Jan 27 14:47:23.655: ISAKMP:(4179):Sending an IKE IPv4 Packet.
    *Jan 27 14:47:24.151: ISAKMP (4179): received packet from 62.Y.Y.Y dport 500 sport 500 Global (I) MM_KEY_EXCH
    *Jan 27 14:47:24.151: ISAKMP:(4179): phase 1 packet is a duplicate of a previous packet.
    *Jan 27 14:47:24.151: ISAKMP:(4179): retransmission skipped for phase 1 (time since last transmission 496)
    *Jan 27 14:47:33.655: ISAKMP:(4179): retransmitting phase 1 MM_KEY_EXCH...
    *Jan 27 14:47:33.655: ISAKMP (4179): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
    *Jan 27 14:47:33.655: ISAKMP:(4179): retransmitting phase 1 MM_KEY_EXCH
    *Jan 27 14:47:33.655: ISAKMP:(4179): sending packet to 62.Y.Y.Y my_port 500 peer_port 500 (I) MM_KEY_EXCH
    *Jan 27 14:47:33.655: ISAKMP:(4179):Sending an IKE IPv4 Packet.
    *Jan 27 14:47:34.151: ISAKMP (4179): received packet from 62.Y.Y.Y dport 500 sport 500 Global (I) MM_KEY_EXCH
    *Jan 27 14:47:34.151: ISAKMP:(4179): phase 1 packet is a duplicate of a previous packet.
    *Jan 27 14:47:34.151: ISAKMP:(4179): retransmission skipped for phase 1 (time since last transmission 496)
    *Jan 27 14:47:43.571: IPSEC(key_engine): request timer fired: count = 1,
      (identity) local= 80.X.X.X:0, remote= 62.Y.Y.Y:0,
        local_proxy= 80.X.X.X/255.255.255.255/47/0,
        remote_proxy= 62.Y.Y.Y/255.255.255.255/47/0
    *Jan 27 14:47:43.571: IPSEC(sa_request): ,
      (key eng. msg.) OUTBOUND local= 80.X.X.X:500, remote= 62.Y.Y.Y:500,
        local_proxy= 80.X.X.X/255.255.255.255/47/0,
        remote_proxy= 62.Y.Y.Y/255.255.255.255/47/0,
        protocol= ESP, transform= esp-aes 256 esp-sha-hmac  (Transport),
        lifedur= 3600s and 4608000kb,
        spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
    *Jan 27 14:47:43.571: ISAKMP: set new node 0 to QM_IDLE
    *Jan 27 14:47:43.571: ISAKMP:(4179):SA is still budding. Attached new ipsec request to it. (local 80.X.X.X, remote 62.Y.Y.Y)
    *Jan 27 14:47:43.571: ISAKMP: Error while processing SA request: Failed to initialize SA
    *Jan 27 14:47:43.571: ISAKMP: Error while processing KMI message 0, error 2.
    *Jan 27 14:47:43.655: ISAKMP:(4179): retransmitting phase 1 MM_KEY_EXCH...
    *Jan 27 14:47:43.655: ISAKMP (4179): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
    *Jan 27 14:47:43.655: ISAKMP:(4179): retransmitting phase 1 MM_KEY_EXCH
    *Jan 27 14:47:43.655: ISAKMP:(4179): sending packet to 62.Y.Y.Y my_port 500 peer_port 500 (I) MM_KEY_EXCH
    *Jan 27 14:47:43.655: ISAKMP:(4179):Sending an IKE IPv4 Packet.
    *Jan 27 14:47:44.151: ISAKMP (4179): received packet from 62.Y.Y.Y dport 500 sport 500 Global (I) MM_KEY_EXCH
    *Jan 27 14:47:44.151: ISAKMP:(4179): phase 1 packet is a duplicate of a previous packet.
    *Jan 27 14:47:44.151: ISAKMP:(4179): retransmission skipped for phase 1 (time since last transmission 496)
    *Jan 27 14:47:53.655: ISAKMP:(4179): retransmitting phase 1 MM_KEY_EXCH...
    *Jan 27 14:47:53.655: ISAKMP (4179): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
    *Jan 27 14:47:53.655: ISAKMP:(4179): retransmitting phase 1 MM_KEY_EXCH
    *Jan 27 14:47:53.655: ISAKMP:(4179): sending packet to 62.Y.Y.Y my_port 500 peer_port 500 (I) MM_KEY_EXCH
    *Jan 27 14:47:53.655: ISAKMP:(4179):Sending an IKE IPv4 Packet.
    *Jan 27 14:48:00.567: ISAKMP:(4178):purging node 365907352
    *Jan 27 14:48:00.567: ISAKMP:(4178):purging node -49897289
    xnwn252#sh crypto isakmp sa
    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id status
    62.Y.Y.Y   80.X.X.X    MM_NO_STATE       4270 ACTIVE (deleted)

  • Isakmp peers using non-standard port 4500

    Hello,
    I have a remote site using the Internet to access corporate networks over IPSEC. Set-up is as below:
    Remote Router uses public IP across internet --> hits corporate untrusted network FW --> NAT'ed to private 10.x.x.x IP --> reaches trusted network router.
    The problem is that the peer keeps hanging and the only way to reset it is to issue 'clear crypto session' on the central trusted router. I have added isakmp keepalives with the aim of forcing some keepalive traffic:
    crypto isakmp keepalive 90 30 periodic
    ...and this works to some degree (with DPD are u there keepalives). However I have noticed that the far end router uses non-standard ports when trying to set up phase-1 tunnel:
    BEVRLY_D_CR184_01#sh crypto isa pee
    Peer: 161.x.x.x Port: 4500 Local: 77.x.x.x
    Phase1 id: 10.2.0.92
    Peer: 161.x.x.x Port: 10456 Local: 77.x.x.x
    Phase1 id: 10.2.0.92
    Peer: 161.x.x.x Port: 10554 Local: 77.x.x.x
    Phase1 id: 10.2.0.92
    Peer: 161.x.x.x Port: 10557 Local: 77.x.x.x
    Phase1 id: 10.2.0.92
    Peer: 161.x.x.x Port: 10580 Local: 77.x.x.x
    Phase1 id: 10.2.0.92
    Peer: 161.x.x.x Port: 10589 Local: 77.x.x.x
    Phase1 id: 10.2.0.92
    Peer: 161.x.x.x Port: 10596 Local: 77.x.x.x
    Phase1 id: 10.2.0.92
    Peer: 161.x.x.x Port: 10600 Local: 77.x.x.x
    Phase1 id: 10.2.0.92
    These ports (non-4500) will be blocked by our firewalls. Why does it use these, and is there a way of stopping the router using anything other than port 4500?
    Thanks
    Phil

    Hello,
    Yes - there's NAT at the trusted central router end our side of the firewall... the config used is below:
    Remote Router end:
    crypto isakmp policy 10
    encr 3des
    hash md5
    authentication pre-share
    group 2
    lifetime 180
    crypto isakmp key address
    crypto isakmp invalid-spi-recovery
    crypto isakmp keepalive 90 30 periodic
    crypto ipsec security-association idle-time 300
    crypto ipsec transform-set BEVERLEY_Transform esp-3des esp-md5-hmac
    crypto ipsec profile VTI
    set security-association lifetime seconds 1800
    set transform-set BEVERLEY_Transform
    interface Tunnel1
    description BEVRLY_CC296_01 F0/8 (10.30.45.29)
    ip address x.x.x.x 255.255.255.252
    ip helper-address 10.91.6.30
    ip helper-address 10.4.162.92
    ip mtu 1400
    ip ospf message-digest-key 1 md5
    load-interval 30
    tunnel source Dialer1
    tunnel destination
    tunnel mode ipsec ipv4
    tunnel protection ipsec profile VTI
    Central Router:
    crypto isakmp policy 10
    encr 3des
    hash md5
    authentication pre-share
    group 2
    lifetime 180
    crypto isakmp key address
    crypto isakmp invalid-spi-recovery
    crypto isakmp keepalive 90 30 periodic
    crypto ipsec security-association idle-time 300
    crypto ipsec transform-set BEVERLEY_Transform esp-3des esp-md5-hmac
    crypto ipsec profile VTI
    set security-association lifetime seconds 1800
    set transform-set BEVERLEY_Transform
    interface Tunnel1
    description link to Beverley via internet (BEVERLY_CR184_01 Tun1)
    ip address x.x.x.x 255.255.255.252
    ip mtu 1400
    ip ospf message-digest-key 1 md5
    load-interval 30
    tunnel source FastEthernet0/1
    tunnel destination
    tunnel mode ipsec ipv4
    tunnel protection ipsec profile VTI
    I believe the DPD keepalives ensure NAT is known and compatible (crypto isakmp keepalive 90 30 periodic) between the peers....
    Any help gladly appreciated....
    thanks
    Phil

  • 881 VPN fails after 24hrs/IKE key lifetime

    Hi all,
    This is my first post on the support forums and I only just got my CCNA, so please bear with me and don't shoot me if I pose a slightly newbish perspective on things. Thanks in advance.
    We've got a central office (actually quite small) that several IPSec connections connect to. Two of these connections are Cisco 881 routers. One of them works fine, the other craps out after 24 hours (coincidentally also the IKE key lifetime). By "craps out" I mean the VPN worked fine from the get-go, until 24 hours later. Only a reload will bring back the VPN tunnel. I've verified my PFS and DPD configurations are solid, because these kinds of symptoms would most likely occur when those configurations aren't in order.
    The two 881 configurations are quite similar. The only differences between the two are some details in the PPPoE configurations and (quite obviously) the IP address space for the two sites. Both operate on the premise of a point to point connection (no multipoint stuff going on here).
    I have examined all I can. It took me two weeks to make sure I exhausted all my options before I post my issue here.
    Here is a brief list of things I've done.
    - Checked configuration of central router (which is a Mikrotik RB800 btw)
    - Verified that the central router is not the cause of the VPN not coming back. Rebooted it as a last resort; VPN stays down. Rebooted 881, VPN comes back.
    - I've downgraded the 881 firmware image from version 152.4.M2 to 151.4.M4 (the successful 881 was running the 151.4.M4 image, and I found some IPsec issues in the caveats for version 152.4.M2), but to no avail.
    - I've tried to clear several crypto components hoping to restore key exchanging, also to no avail. Only a reload will suffice.
    I've included the 881's config:
    Building configuration...
    Current configuration : 7795 bytes
    ! Last configuration change at 15:37:50 Paris Tue May 28 2013 by admin
    version 15.1
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname <<removed>>
    boot-start-marker
    boot system flash c880data-universalk9-mz.151-4.M4.bin
    boot-end-marker
    logging buffered 102400
    enable secret 4 <<removed>>
    no aaa new-model
    memory-size iomem 10
    clock timezone Paris 1 0
    clock summer-time Paris date Mar 30 2003 2:00 Oct 26 2003 3:00
    crypto pki token default removal timeout 0
    !
    no ip source-route
    ip dhcp excluded-address 192.168.4.1 192.168.4.9
    ip dhcp excluded-address 192.168.4.199 192.168.4.254
    ip dhcp pool Main
    network 192.168.4.0 255.255.255.0
    dns-server 192.168.4.250 8.8.4.4
    default-router 192.168.4.250
    lease infinite
    ip cef
    ip domain lookup source-interface Dialer1
    ip domain name <<removed>>
    ip name-server 8.8.4.4
    ip name-server 192.168.58.199
    no ipv6 cef
    password encryption aes
    !
    object-group network SUBNET_DUITSLAND
    description Hele subnet IC Duitsland
    192.168.4.0 255.255.255.0
    object-group network SUBNET_IC_ARNHEM
    description Hele subnet IC Arnhem
    192.168.58.0 255.255.255.0
    object-group network WAN_IC_ARNHEM
    description Het WAN IP adres van IC Arnhem
    host <<removed>>
    vtp mode transparent
    username <<removed>> privilege 15 view root secret 4 <<removed>>
    class-map type inspect match-all sdm-cls-VPNOutsideToInside-1
    match access-group 102
    class-map type inspect match-all sdm-cls-VPNOutsideToInside-2
    match access-group 105
    class-map type inspect match-all ccp-cls--1
    match access-group name Outgoing
    class-map type inspect match-all ccp-cls--2
    match access-group name Incoming
    policy-map type inspect ccp-policy-ccp-cls--1
    class type inspect ccp-cls--1
      pass
    class class-default
      drop
    policy-map type inspect ccp-policy-ccp-cls--2
    class type inspect ccp-cls--2
      pass
    class type inspect sdm-cls-VPNOutsideToInside-1
      inspect
    class type inspect sdm-cls-VPNOutsideToInside-2
      inspect
    class class-default
      drop
    zone security Inside
    zone security Outside
    zone-pair security sdm-zp-Inside-Outside source Inside destination Outside
    service-policy type inspect ccp-policy-ccp-cls--1
    zone-pair security sdm-zp-Outside-Inside source Outside destination Inside
    service-policy type inspect ccp-policy-ccp-cls--2
    crypto logging ezvpn
    crypto isakmp policy 1
    encr aes 256
    authentication pre-share
    group 5
    crypto isakmp key <<removed>> address <<removed>>
    crypto isakmp invalid-spi-recovery
    crypto isakmp keepalive 10 periodic
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec transform-set ESP-AES256-SHA esp-aes esp-sha-hmac
    crypto map SDM_CMAP_1 1 ipsec-isakmp
    description Tunnel to CO
    set peer <<removed>>
    set transform-set ESP-AES256-SHA
    set pfs group5
    match address 104
    interface FastEthernet0
    no ip address
    interface FastEthernet1
    no ip address
    interface FastEthernet2
    no ip address
    interface FastEthernet3
    no ip address
    interface FastEthernet4
    description DeutscheTelekom$ETH-WAN$
    no ip address
    duplex auto
    speed auto
    pppoe-client dial-pool-number 1
    interface Vlan1
    description $FW_INSIDE$
    ip address 192.168.4.250 255.255.255.0
    ip mask-reply
    ip nat inside
    ip virtual-reassembly in
    zone-member security Inside
    ip tcp adjust-mss 1412
    interface Dialer1
    description $FW_OUTSIDE$
    mtu 1492
    ip address negotiated
    ip nat outside
    ip virtual-reassembly in
    zone-member security Outside
    encapsulation ppp
    no ip route-cache
    dialer pool 1
    dialer-group 1
    ppp authentication pap callin
    ppp chap hostname <<removed>>
    ppp chap password 7 <<removed>>
    ppp pap sent-username <<removed>> password 7 <<removed>>
    ppp ipcp dns request
    ppp ipcp address accept
    crypto map SDM_CMAP_1
    ip forward-protocol nd
    no ip http server
    ip http access-class 2
    ip http authentication local
    ip http secure-server
    ip nat inside source route-map SDM_RMAP_1 interface Dialer1 overload
    ip route 0.0.0.0 0.0.0.0 Dialer1 permanent
    ip access-list extended Incoming
    remark CCP_ACL Category=128
    permit ip any object-group SUBNET_DUITSLAND
    ip access-list extended Outgoing
    remark CCP_ACL Category=128
    permit ip object-group SUBNET_DUITSLAND any
    ip access-list extended SDM_HTTPS
    remark CCP_ACL Category=1
    permit tcp any any eq 443
    ip access-list extended SDM_SHELL
    remark CCP_ACL Category=1
    permit tcp any any eq cmd
    ip access-list extended SDM_SSH
    remark CCP_ACL Category=1
    permit tcp any any eq 22
    no logging trap
    access-list 1 remark CCP_ACL Category=2
    access-list 1 permit 192.168.4.0 0.0.0.255
    access-list 2 permit <<removed>>
    access-list 2 remark Auto generated by SDM Management Access feature
    access-list 2 remark CCP_ACL Category=1
    access-list 2 permit 192.168.4.0 0.0.0.255
    access-list 2 permit 192.168.58.0 0.0.0.255
    access-list 101 remark Auto generated by SDM Management Access feature
    access-list 101 remark CCP_ACL Category=1
    access-list 101 permit ip 192.168.4.0 0.0.0.255 any
    access-list 101 permit ip host <<removed>> any
    access-list 101 permit ip 192.168.58.0 0.0.0.255 any
    access-list 102 remark CCP_ACL Category=0
    access-list 102 permit ip 192.168.58.0 0.0.0.255 192.168.4.0 0.0.0.255
    access-list 103 remark CCP_ACL Category=2
    access-list 103 remark IPSec Rule
    access-list 103 deny   ip 192.168.4.0 0.0.0.255 192.168.58.0 0.0.0.255
    access-list 103 permit ip 192.168.4.0 0.0.0.255 any
    access-list 104 remark CCP_ACL Category=4
    access-list 104 remark IPSec Rule
    access-list 104 permit ip 192.168.4.0 0.0.0.255 192.168.58.0 0.0.0.255
    access-list 105 remark CCP_ACL Category=0
    access-list 105 permit ip 192.168.58.0 0.0.0.255 192.168.4.0 0.0.0.255
    dialer-list 1 protocol ip permit
    route-map SDM_RMAP_1 permit 1
    match ip address 103
    line con 0
    line aux 0
    line vty 0 4
    access-class 101 in
    privilege level 15
    password 7 <<removed>>
    login local
    transport input ssh
    ntp update-calendar
    ntp server de.pool.ntp.org prefer
    end
    Also, I have some ISAKMP debug output (when the VPN fails, I can still reach the router via the internet):
    .May 29 08:31:22.848: ISAKMP:(0): ignoring request to send delete notify (sa not authenticated) src <<remote office WAN IP>> dst <<central office WAN IP>>
    .May 29 08:31:28.848: ISAKMP:(0): ignoring request to send delete notify (sa not authenticated) src <<remote office WAN IP>> dst <<central office WAN IP>>
    .May 29 08:31:30.016: ISAKMP: set new node 0 to QM_IDLE
    .May 29 08:31:30.016: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local <<remote office WAN IP>>, remote <<central office WAN IP>>)
    .May 29 08:31:30.016: ISAKMP: Error while processing SA request: Failed to initialize SA
    .May 29 08:31:30.016: ISAKMP: Error while processing KMI message 0, error 2.
    .May 29 08:31:30.016: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
    .May 29 08:31:30.016: ISAKMP (0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
    .May 29 08:31:30.016: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
    .May 29 08:31:30.016: ISAKMP:(0): sending packet to <<central office WAN IP>> my_port 500 peer_port 500 (I) MM_NO_STATE
    .May 29 08:31:30.016: ISAKMP:(0):Sending an IKE IPv4 Packet.
    .May 29 08:31:34.848: ISAKMP:(0): ignoring request to send delete notify (sa not authenticated) src <<remote office WAN IP>> dst <<central office WAN IP>>
    .May 29 08:31:40.016: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
    .May 29 08:31:40.016: ISAKMP (0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
    .May 29 08:31:40.016: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
    .May 29 08:31:40.016: ISAKMP:(0): sending packet to <<central office WAN IP>> my_port 500 peer_port 500 (I) MM_NO_STATE
    .May 29 08:31:40.016: ISAKMP:(0):Sending an IKE IPv4 Packet.
    .May 29 08:31:40.844: ISAKMP:(0): ignoring request to send delete notify (sa not authenticated) src <<remote office WAN IP>> dst <<central office WAN IP>>
    .May 29 08:31:46.380: ISAKMP:(0):purging node 297623767
    .May 29 08:31:46.380: ISAKMP:(0):purging node -1266458641
    .May 29 08:31:46.452: ISAKMP:(0): ignoring request to send delete notify (sa not authenticated) src <<remote office WAN IP>> dst <<central office WAN IP>>
    .May 29 08:31:49.848: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<<remote office WAN IP>>, prot=50, spi=0xCF8BD5F3(3482047987), srcaddr=<<central office WAN IP>>, input interface=Dialer1
    .May 29 08:31:50.016: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
    .May 29 08:31:50.016: ISAKMP (0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
    .May 29 08:31:50.016: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
    .May 29 08:31:50.016: ISAKMP:(0): sending packet to <<central office WAN IP>> my_port 500 peer_port 500 (I) MM_NO_STATE
    .May 29 08:31:50.016: ISAKMP:(0):Sending an IKE IPv4 Packet.
    .May 29 08:31:52.845: ISAKMP:(0): ignoring request to send delete notify (sa not authenticated) src <<remote office WAN IP>> dst <<central office WAN IP>>
    .May 29 08:31:56.381: ISAKMP:(0):purging SA., sa=874CF15C, delme=874CF15C
    .May 29 08:31:58.849: ISAKMP:(0): ignoring request to send delete notify (sa not authenticated) src <<remote office WAN IP>> dst <<central office WAN IP>>
    .May 29 08:32:00.017: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
    .May 29 08:32:00.017: ISAKMP:(0):peer does not do paranoid keepalives.
    .May 29 08:32:00.017: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer <<central office WAN IP>>)
    .May 29 08:32:00.017: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer <<central office WAN IP>>)
    .May 29 08:32:00.017: ISAKMP: Unlocking peer struct 0x874792E0 for isadb_mark_sa_deleted(), count 0
    .May 29 08:32:00.017: ISAKMP: Deleting peer node by peer_reap for <<central office WAN IP>>: 874792E0
    .May 29 08:32:00.017: ISAKMP:(0):deleting node -118750948 error FALSE reason "IKE deleted"
    .May 29 08:32:00.017: ISAKMP:(0):deleting node -1193365643 error FALSE reason "IKE deleted"
    .May 29 08:32:00.017: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
    .May 29 08:32:00.017: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_DEST_SA
    .May 29 08:32:02.037: ISAKMP:(0): SA request profile is (NULL)
    .May 29 08:32:02.037: ISAKMP: Created a peer struct for <<central office WAN IP>>, peer port 500
    .May 29 08:32:02.037: ISAKMP: New peer created peer = 0x875BF6B8 peer_handle = 0x8000000A
    .May 29 08:32:02.037: ISAKMP: Locking peer struct 0x875BF6B8, refcount 1 for isakmp_initiator
    .May 29 08:32:02.037: ISAKMP: local port 500, remote port 500
    .May 29 08:32:02.037: ISAKMP: set new node 0 to QM_IDLE
    .May 29 08:32:02.037: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 85C6B420
    .May 29 08:32:02.037: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
    .May 29 08:32:02.037: ISAKMP:(0):found peer pre-shared key matching <<central office WAN IP>>
    .May 29 08:32:02.037: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
    .May 29 08:32:02.041: ISAKMP:(0): constructed NAT-T vendor-07 ID
    .May 29 08:32:02.041: ISAKMP:(0): constructed NAT-T vendor-03 ID
    .May 29 08:32:02.041: ISAKMP:(0): constructed NAT-T vendor-02 ID
    .May 29 08:32:02.041: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
    .May 29 08:32:02.041: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
    .May 29 08:32:02.041: ISAKMP:(0): beginning Main Mode exchange
    .May 29 08:32:02.041: ISAKMP:(0): sending packet to <<central office WAN IP>> my_port 500 peer_port 500 (I) MM_NO_STATE
    .May 29 08:32:02.041: ISAKMP:(0):Sending an IKE IPv4 Packet.
    .May 29 08:32:04.849: ISAKMP:(0): ignoring request to send delete notify (sa not authenticated) src <<remote office WAN IP>> dst <<central office WAN IP>>
    .May 29 08:32:10.845: ISAKMP:(0): ignoring request to send delete notify (sa not authenticated) src <<remote office WAN IP>> dst <<central office WAN IP>>
    .May 29 08:32:12.041: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
    .May 29 08:32:12.041: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
    .May 29 08:32:12.041: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
    .May 29 08:32:12.041: ISAKMP:(0): sending packet to <<central office WAN IP>> my_port 500 peer_port 500 (I) MM_NO_STATE
    .May 29 08:32:12.041: ISAKMP:(0):Sending an IKE IPv4 Packet.
    .May 29 08:32:16.845: ISAKMP:(0): ignoring request to send delete notify (sa not authenticated) src <<remote office WAN IP>> dst <<central office WAN IP>>
    .May 29 08:32:22.041: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
    .May 29 08:32:22.041: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
    .May 29 08:32:22.041: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
    .May 29 08:32:22.041: ISAKMP:(0): sending packet to <<central office WAN IP>> my_port 500 peer_port 500 (I) MM_NO_STATE
    .May 29 08:32:22.041: ISAKMP:(0):Sending an IKE IPv4 Packet.
    .May 29 08:32:22.449: ISAKMP:(0): ignoring request to send delete notify (sa not authenticated) src <<remote office WAN IP>> dst <<central office WAN IP>>
    .May 29 08:32:28.846: ISAKMP:(0): ignoring request to send delete notify (sa not authenticated) src <<remote office WAN IP>> dst <<central office WAN IP>>
    .May 29 08:32:32.038: ISAKMP: set new node 0 to QM_IDLE
    .May 29 08:32:32.038: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local <<remote office WAN IP>>, remote <<central office WAN IP>>)
    .May 29 08:32:32.038: ISAKMP: Error while processing SA request: Failed to initialize SA
    .May 29 08:32:32.038: ISAKMP: Error while processing KMI message 0, error 2.
    .May 29 08:32:32.042: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
    .May 29 08:32:32.042: ISAKMP (0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
    .May 29 08:32:32.042: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
    .May 29 08:32:32.042: ISAKMP:(0): sending packet to <<central office WAN IP>> my_port 500 peer_port 500 (I) MM_NO_STATE
    .May 29 08:32:32.042: ISAKMP:(0):Sending an IKE IPv4 Packet.
    .May 29 08:32:34.846: ISAKMP:(0): ignoring request to send delete notify (sa not authenticated) src <<remote office WAN IP>> dst <<central office WAN IP>>
    .May 29 08:32:40.846: ISAKMP:(0): ignoring request to send delete notify (sa not authenticated) src <<remote office WAN IP>> dst <<central office WAN IP>>
    .May 29 08:32:42.042: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
    .May 29 08:32:42.042: ISAKMP (0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
    .May 29 08:32:42.042: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
    .May 29 08:32:42.042: ISAKMP:(0): sending packet to <<central office WAN IP>> my_port 500 peer_port 500 (I) MM_NO_STATE
    .May 29 08:32:42.042: ISAKMP:(0):Sending an IKE IPv4 Packet.
    .May 29 08:32:46.846: ISAKMP:(0): ignoring request to send delete notify (sa not authenticated) src <<remote office WAN IP>> dst <<central office WAN IP>>
    .May 29 08:32:50.018: ISAKMP:(0):purging node -118750948
    .May 29 08:32:50.018: ISAKMP:(0):purging node -1193365643
    .May 29 08:32:51.346: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<<remote office WAN IP>>, prot=50, spi=0xCF8BD5F3(3482047987), srcaddr=<<central office WAN IP>>, input interface=Dialer1
    .May 29 08:32:52.042: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
    .May 29 08:32:52.042: ISAKMP (0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
    .May 29 08:32:52.042: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
    .May 29 08:32:52.042: ISAKMP:(0): sending packet to <<central office WAN IP>> my_port 500 peer_port 500 (I) MM_NO_STATE
    .May 29 08:32:52.042: ISAKMP:(0):Sending an IKE IPv4 Packet.
    .May 29 08:32:52.846: ISAKMP:(0): ignoring request to send delete notify (sa not authenticated) src <<remote office WAN IP>> dst <<central office WAN IP>>
    .May 29 08:32:58.847: ISAKMP:(0): ignoring request to send delete notify (sa not authenticated) src <<remote office WAN IP>> dst <<central office WAN IP>>
    .May 29 08:33:00.019: ISAKMP:(0):purging SA., sa=875BE8B8, delme=875BE8B8
    .May 29 08:33:02.043: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
    .May 29 08:33:02.043: ISAKMP:(0):peer does not do paranoid keepalives.
    .May 29 08:33:02.043: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer <<central office WAN IP>>)
    .May 29 08:33:02.043: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer <<central office WAN IP>>)
    .May 29 08:33:02.043: ISAKMP: Unlocking peer struct 0x875BF6B8 for isadb_mark_sa_deleted(), count 0
    .May 29 08:33:02.043: ISAKMP: Deleting peer node by peer_reap for <<central office WAN IP>>: 875BF6B8
    .May 29 08:33:02.043: ISAKMP:(0):deleting node 1839947115 error FALSE reason "IKE deleted"
    .May 29 08:33:02.043: ISAKMP:(0):deleting node -1221586275 error FALSE reason "IKE deleted"
    .May 29 08:33:02.043: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
    .May 29 08:33:02.043: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_DEST_SA
    .May 29 08:33:02.455: ISAKMP:(0): SA request profile is (NULL)
    .May 29 08:33:02.455: ISAKMP: Created a peer struct for <<central office WAN IP>>, peer port 500
    .May 29 08:33:02.455: ISAKMP: New peer created peer = 0x874792E0 peer_handle = 0x8000000B
    .May 29 08:33:02.455: ISAKMP: Locking peer struct 0x874792E0, refcount 1 for isakmp_initiator
    .May 29 08:33:02.455: ISAKMP: local port 500, remote port 500
    .May 29 08:33:02.455: ISAKMP: set new node 0 to QM_IDLE
    .May 29 08:33:02.455: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 87060E68
    .May 29 08:33:02.455: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
    .May 29 08:33:02.455: ISAKMP:(0):found peer pre-shared key matching <<central office WAN IP>>
    .May 29 08:33:02.455: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
    .May 29 08:33:02.455: ISAKMP:(0): constructed NAT-T vendor-07 ID
    .May 29 08:33:02.455: ISAKMP:(0): constructed NAT-T vendor-03 ID
    .May 29 08:33:02.455: ISAKMP:(0): constructed NAT-T vendor-02 ID
    .May 29 08:33:02.455: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
    .May 29 08:33:02.455: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
    .May 29 08:33:02.455: ISAKMP:(0): beginning Main Mode exchange
    .May 29 08:33:02.455: ISAKMP:(0): sending packet to <<central office WAN IP>> my_port 500 peer_port 500 (I) MM_NO_STATE
    .May 29 08:33:02.455: ISAKMP:(0):Sending an IKE IPv4 Packet.
    .May 29 08:33:04.847: ISAKMP:(0): ignoring request to send delete notify (sa not authenticated) src <<remote office WAN IP>> dst <<central office WAN IP>>ndebug crypto isakmp
    .May 29 08:33:10.847: ISAKMP:(0): ignoring request to send delete notify (sa not authenticated) src <<remote office WAN IP>> dst <<central office WAN IP>>o debug crypto isakmp
    Crypto ISAKMP debugging is off
    IC-Deutschland#
    .May 29 08:33:12.455: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
    .May 29 08:33:12.455: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
    .May 29 08:33:12.455: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
    .May 29 08:33:12.455: ISAKMP:(0): sending packet to <<central office WAN IP>> my_port 500 peer_port 500 (I) MM_NO_STATE
    .May 29 08:33:12.455: ISAKMP:(0):Sending an IKE IPv4 Packet.
    Can anyone shed some light as what could be going on?
    Much obliged!
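    To make a capture like this easier to read, here is an added Python helper (example code, not from the post or from Cisco) that pulls the state transitions, retransmit counters, SA-deletion reasons and packet direction out of `debug crypto isakmp` output and turns them into plain findings. The sample lines are constructed in the style of the capture above with a placeholder peer address; the count of packets sent versus received is the key check, because an initiator that keeps retransmitting in MM_NO_STATE has sent MM1 and never seen MM2.

```python
"""Summarise a Cisco IOS `debug crypto isakmp` capture to locate where phase 1 stalls.
Example code added to this thread, not from the original post or from Cisco."""
import re

# Constructed sample in the style of the debug lines above (peer address is a placeholder).
SAMPLE_DEBUG = """\
.May 29 08:33:02.043: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 198.51.100.1)
.May 29 08:33:02.043: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
.May 29 08:33:02.043: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_DEST_SA
.May 29 08:33:02.455: ISAKMP:(0):found peer pre-shared key matching 198.51.100.1
.May 29 08:33:02.455: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
.May 29 08:33:02.455: ISAKMP:(0): beginning Main Mode exchange
.May 29 08:33:02.455: ISAKMP:(0): sending packet to 198.51.100.1 my_port 500 peer_port 500 (I) MM_NO_STATE
.May 29 08:33:12.455: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
.May 29 08:33:12.455: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
.May 29 08:33:22.455: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
.May 29 08:33:22.455: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
"""

RE_TRANSITION = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
RE_DELETE = re.compile(r'deleting SA reason "([^"]+)" state \((\w)\) (\S+) \(peer ([^)]+)\)')
RE_RETRANSMIT = re.compile(r"attempt (\d+) of (\d+): retransmit phase (\d)")
RE_SEND = re.compile(r"sending packet to (\S+)")
RE_RECV = re.compile(r"received packet from (\S+)")
RE_PSK = re.compile(r"found peer pre-shared key matching (\S+)")


def parse_isakmp_debug(text):
    """Extract state transitions, retransmit counters, SA deletions and packet direction."""
    s = {"transitions": [], "deletes": [], "retransmits": [],
         "sent": 0, "received": 0, "psk_peers": set()}
    for line in text.splitlines():
        if m := RE_TRANSITION.search(line):
            s["transitions"].append((m.group(1), m.group(2)))
        elif m := RE_DELETE.search(line):
            s["deletes"].append({"reason": m.group(1), "role": m.group(2),
                                 "state": m.group(3), "peer": m.group(4)})
        elif m := RE_RETRANSMIT.search(line):
            s["retransmits"].append((int(m.group(1)), int(m.group(2)), int(m.group(3))))
        elif RE_SEND.search(line):
            s["sent"] += 1
        elif RE_RECV.search(line):
            s["received"] += 1
        elif m := RE_PSK.search(line):
            s["psk_peers"].add(m.group(1))
    return s


def diagnose(s):
    """Turn the parsed counters into plain findings a network engineer can act on."""
    findings = []
    for d in s["deletes"]:
        role = "initiator" if d["role"] == "I" else "responder"
        findings.append(f"SA to {d['peer']} deleted in state {d['state']} as {role}: {d['reason']}")
    if s["retransmits"]:
        attempt, limit, phase = s["retransmits"][-1]
        findings.append(f"phase {phase} retransmitted {attempt} of {limit} times")
    if s["sent"] and not s["received"]:
        findings.append("no packet was ever received from the peer: MM1 went out, MM2 never came back; "
                        "check UDP/500 reachability and that the peer has an ISAKMP policy and key for this address")
    if not s["psk_peers"]:
        findings.append("no pre-shared key matched the peer address; check 'crypto isakmp key ... address'")
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_isakmp_debug(SAMPLE_DEBUG)):
        print("-", finding)
```

    Run it over a saved capture and read the findings top down: a "Death by retransmission P1" delete together with zero received packets points at reachability between the two addresses on UDP/500 (or at the far end not answering), not at the lifetime setting, which only matters once phase 1 has completed.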

    Unfortunately I do not have a support contract for our hardware. I wouldn't even know how to get one.
    However, we do pay top dollar for the equipment and it seems one of its components doesn't work as advertised. So if no support is given I will have to try the warranty instead. This does mean I have to replace the unit with a competitor's brand, which isn't something I'm keen to do because I want to use Cisco as our main brand. This issue effectively nukes my entire plan.
    Given our workload, CPU power isn't an issue. The encryption level is set to this level because I'm paranoid, which I reckon is a good thing when it comes to network security (correct me if I'm wrong). Do you suspect these settings could be of any influence in this particular case?
    If I remember correctly I used "debug crypto isakmp" or "debug crypto isakmp errors" and "debug crypto ipsec" (also perhaps with the "error" suffix), I'm not sure.

  • Help! Weird lifetime vs. lifetime remaining on VPN tunnel...

    I am getting a seriously bizarre set of results here...
    8   IKE Peer: <peer IP>
        Type    : L2L             Role    : responder
        Rekey   : no              State   : MM_WAIT_MSG5
        Encrypt : 3des            Hash    : SHA
        Auth    : preshared       Lifetime: 28800
        Lifetime Remaining: 2147480830
    Any ideas?!
    crypto isakmp policy 16
    authentication pre-share
    encryption 3des
    hash md5
    group 1
    lifetime 86400

    That would be me referencing the wrong policy.
    crypto isakmp policy 1
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
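    The "wrong policy" confusion above is a good place to show how IOS actually picks a phase 1 policy. The following is an added Python example (not from the thread or from Cisco) that parses `crypto isakmp policy` blocks out of a flat config paste and applies the documented matching rule: the responder walks its own policies in priority order and accepts the first one that an initiator proposal matches on encryption, hash, authentication and DH group, the initiator's lifetime must be greater than or equal to the responder's, and the shorter lifetime is used. The two local policies are constructed to mirror the ones shown above; the peer policy is an assumed remote side whose lifetime is 28800, as the show output reports.

```python
"""IKE phase-1 policy matching as the IOS documentation describes it.
Example code added to this thread, not from the post or from Cisco."""
import re

# IOS defaults for any attribute a policy block leaves unset.
IOS_POLICY_DEFAULTS = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig",
                       "group": 1, "lifetime": 86400}
MATCH_KEYS = ("encryption", "hash", "authentication", "group")

# Constructed pastes: OUR_POLICIES mirrors the two policies shown above (16 with md5/group 1,
# 1 with sha/group 2); PEER_POLICY is an assumed remote side with a 28800-second lifetime.
OUR_POLICIES = """\
crypto isakmp policy 16
authentication pre-share
encryption 3des
hash md5
group 1
lifetime 86400
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
"""
PEER_POLICY = """\
crypto isakmp policy 10
authentication pre-share
encr 3des
hash sha
group 2
lifetime 28800
"""


def parse_isakmp_policies(config_text):
    """Return {priority: policy-dict} for every `crypto isakmp policy` block in a flat paste."""
    policies, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            current = int(m.group(1))
            policies[current] = dict(IOS_POLICY_DEFAULTS)
            continue
        if current is None or not line:
            continue
        key, _, value = line.partition(" ")
        if key == "encr":                      # running-config abbreviates `encryption`
            key = "encryption"
        if key in policies[current]:
            value = value.replace(" ", "")     # "aes 256" -> "aes256"
            policies[current][key] = int(value) if key in ("group", "lifetime") else value
    return policies


def mismatch_reasons(initiator, responder):
    """List why an initiator proposal does not satisfy a responder policy (empty list = match)."""
    reasons = [k for k in MATCH_KEYS if initiator[k] != responder[k]]
    if initiator["lifetime"] < responder["lifetime"]:
        reasons.append("lifetime")             # initiator's lifetime must be >= responder's
    return reasons


def match_ike_policy(initiator_policies, responder_policies):
    """Walk the responder's policies in priority order and return
    (responder_priority, initiator_priority, negotiated_lifetime) for the first
    acceptable pairing, or None if nothing matches."""
    for r_prio in sorted(responder_policies):
        for i_prio in sorted(initiator_policies):
            i, r = initiator_policies[i_prio], responder_policies[r_prio]
            if not mismatch_reasons(i, r):
                return r_prio, i_prio, min(i["lifetime"], r["lifetime"])
    return None


if __name__ == "__main__":
    ours, peer = parse_isakmp_policies(OUR_POLICIES), parse_isakmp_policies(PEER_POLICY)
    print("we initiate, peer responds:", match_ike_policy(ours, peer))   # (10, 1, 28800)
    print("peer initiates, we respond:", match_ike_policy(peer, ours))   # None
    print("why policy 16 is skipped:", mismatch_reasons(ours[16], peer[10]))  # ['hash', 'group']
```

    Note the asymmetry the documented rule produces: with our 86400 against the peer's 28800, the tunnel comes up when we initiate (negotiated lifetime 28800) but not when the peer does, which is exactly the kind of "works one way only" behaviour that looks like a lifetime bug but is a policy-order problem.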

  • SA lifetime confusion

    Hi,
    By default the SA lifetime is 24 hours.
    Occasionally I receive a message such as
    MM_REKEY_DONE_H2
    During that time I need to clear the tunnel using the command
    clear crypto isakmp sa peer x.x.x.x
    in order to rebuild the session.
    My questions are:
    1. Why does it happen occasionally?
    2. If I do not clear it, how much time will it take to build the session automatically?

    Your understanding of the IPSEC SA Lifetime is correct. If you have 3600 and 28800 as the IPSEC Lifetime between two peers, the smaller value will be considered for the SA, in your case 3600. And a new SA is negotiated 30 seconds before the lifetime (3600) expires. This should keep your traffic flowing across the tunnel without any issues.
    I hope it helps.
    Regards,
    Arul

  • Crypto isakmp key invalid input. Not able to add pre-share key to Cisco ASA

    Hello!
    I am setting up a site-to-site VPN using 2 Cisco ASAs; the remote site is configured with a dynamic IP and the main office with a static IP.
    After the initial ISAKMP setup on the remote ASA:
    crypto isakmp policy 1
     encr 3des
     hash md5
     authentication pre-share
     group 2
     lifetime 86400
    I am running the following command to add the pre-share key:
    crypto isakmp key xxxxxxxxx address 0.0.0.0 0.0.0.0
    but I am getting an error:
    invalid input under "key"
    any idea?
    thanks

    Duplicate post. 
    Go HERE.

  • MIB object for remaining key lifetime

    Is there a MIB object for 'remaining key lifetime'?  [433 seconds in the example below]
    router# sh crypto ipsec sa interface VlanXXX
       current_peer a.b.c.d port 500
            sa timing: remaining key lifetime (k/sec): (4541405/433)
         inbound esp sas:
            sa timing: remaining key lifetime (k/sec): (4541405/433)
    --sk
    Stuart Kendrick
    FHCRC


  • Help! My 2691xm router is deaf to ISAKMP

    Hello.
    I am trying to set up a DMVPN.
    The setup is the following:
    1751-V is a spoke - c1700-advsecurityk9-mz.124-15.T14.bin
    2691xm is a hub - c2691-advsecurityk9-mz.124-15.T14.bin
    As I stated in the title, my clients' 2691xm router is deaf to ISAKMP. It is configured as a hub for DMVPN, and doesn't show that it is receiving anything VPN-related. The 1751-V on the other hand is very noisy, sending out a lot of IKE requests to the 2691xm.
    I made the 1751-V talk to my home's 1751-V with a slightly modified version of the 2691xm's config without any problems. I didn't get access through the VPN quite yet, but they at least got through ISAKMP.
    I turned on "debug dmvpn all all" and "term mon", and I get NO output from the 2691xm.
    I also get nothing from "show crypto isakmp sa".
    I thought the traffic might be blocked by the ISP. I called and asked, and it isn't.
    I thought the traffic might be stopped at the firewall, so I set the relevant ports to log traffic as evident in the next paste.
    router-1#show access-list INTERNET_IN
    Extended IP access list INTERNET_IN
        70 permit udp any any eq isakmp log (2576 matches)
        80 permit gre any any log
        90 permit esp any any log
    So I AM getting traffic through to the router, but my router isn't reacting to it?
    Below are snippets of relevant configs.
    HUB:
    Internet: int fa0/1 - T1 w/ static IP through ethernet
    LAN : int fa0/0 - lan 192.168.20.1
    ip multicast-routing
    crypto isakmp policy 100
    encr aes 256
    authentication pre-share
    group 2
    lifetime 28800
    crypto isakmp key ABCD address 0.0.0.0 no-xauth
    crypto ipsec transform-set TRANSFORM_1 esp-aes 256 esp-sha-hmac
    crypto ipsec profile PROFILE_1
    set security-association lifetime seconds 600
    set transform-set TRANSFORM_1
    set pfs group2
    interface Tunnel0
    ip pim sparse-mod
    bandwidth 1536
    ip address 10.0.20.20 255.255.255.0
    ip mtu 1400
    ip tcp adjust-mss 1360
    tunnel source fa0/1
    tunnel mode gre multipoint
    tunnel protection ipsec profile PROFILE_1
    ip nhrp map multicast dynamic
    ip nhrp network-id 20
    ip nhrp holdtime 600
    ip nhrp authentication ABCD
    ip hold-time eigrp 1 35
    no ip next-hop-self eigrp 1
    no ip split-horizon eigrp 1
    router eigrp 1
    network 10.0.20.0 0.0.0.255
    network 192.168.20.0 0.0.0.255
    no auto-summary
    ip access-list extended NAT_TRAFFIC
    deny  ip 192.168.20.0 0.0.0.255 192.168.22.0 0.0.0.255
    permit ip 192.168.20.0 0.0.0.255 any
    route-map NONAT permit 10
    match ip address NAT_TRAFFIC
    ip nat inside source route-map NONAT interface fa0/1 overload
    SPOKE:
    Internet: int dialer0 - DSL, PPPoE, DHCP
    LAN : int vlan0 - 192.168.22.1
    ip multicast-routing
    crypto isakmp policy 100
    encr aes 256
    authentication pre-share
    group 2
    lifetime 28800
    crypto isakmp key ABCD address 0.0.0.0 no-xauth
    crypto ipsec transform-set TRANSFORM_1 esp-aes 256 esp-sha-hmac
    crypto ipsec profile PROFILE_1
    set security-association lifetime seconds 600
    set transform-set TRANSFORM_1
    set pfs group2
    interface Tunnel0
    ip pim sparse-mod
    bandwidth 1536
    ip address 10.0.20.22 255.255.255.0
    ip mtu 1400
    ip tcp adjust-mss 1360
    tunnel source d0
    tunnel mode gre multipoint
    tunnel protection ipsec profile PROFILE_1
    ip nhrp map 10.0.20.20 2691_WAN_IP
    ip nhrp map multicast 2691_WAN_IP
    ip nhrp network-id 20
    ip nhrp holdtime 600
    ip nhrp nhs 10.0.20.20
    ip nhrp authentication ABCD
    ip hold-time eigrp 1 35
    no ip next-hop-self eigrp 1
    no ip split-horizon eigrp 1
    router eigrp 1
    network 10.0.20.0 0.0.0.255
    network 192.168.22.0 0.0.0.255
    no auto-summary
    eigrp stub connected
    ip access-list extended NAT_TRAFFIC
    deny  ip 192.168.22.0 0.0.0.255 192.168.20.0 0.0.0.255
    permit ip 192.168.22.0 0.0.0.255 any
    route-map NONAT permit 10
    match ip address NAT_TRAFFIC
    ip nat inside source route-map NONAT interface Dialer0 overload
    As I previously said, 2691xm DOES NOT REACT. Only thing I have been able to determine is the router DOES NOT block traffic on port 500 UDP.
    Here is some output from 1751-v (spoke router).
    ISAKMP: set new node 0 to QM_IDLE
    ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local 1751_WAN_IP, remote 2691_WAN_IP)
    ISAKMP: Error while processing SA request: Failed to initialize SA
    ISAKMP: Error while processing KMI message 0, error 2.
    ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
    ISAKMP (0:0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
    router-1#show crypto isakmp sa
    IPv4 Crypto ISAKMP SA
    dst            src            state          conn-id slot status
    2691_WAN_IP    1751_WAN_IP MM_NO_STATE          0    0 ACTIVE
    2691_WAN_IP    1751_WAN_IP MM_NO_STATE          0    0 ACTIVE (deleted)
    The 1751-v works with another 1751-v (to an extent), just not the 2691xm I need it to work with.
    Please help as this is driving me CRAZY!!!!
    I would appreciate ANY suggestions/comments/criticisms/hypotheses/requests/ANYTHING!!!!
    -Vittorio

    Here is the requested information:
    interface Tunnel0
    bandwidth 1536
    ip address 10.0.20.20 255.255.255.0
    no ip redirects
    ip mtu 1400
    ip hold-time eigrp 1 35
    no ip next-hop-self eigrp 1
    ip pim sparse-mode
    ip nhrp authentication ABADCADS
    ip nhrp map multicast dynamic
    ip nhrp network-id 20
    ip nhrp holdtime 600
    ip tcp adjust-mss 1360
    no ip split-horizon eigrp 1
    tunnel source FastEthernet0/1
    tunnel mode gre multipoint
    tunnel protection ipsec profile PROFILE_1
    interface FastEthernet0/0
    ip address 192.168.20.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    duplex auto
    speed auto
    no cdp enable
    no mop enabled
    interface FastEthernet0/1
    ip address INTERNET_ADDRESS 255.255.255.248
    ip access-group INTERNET_IN in
    ip nat outside
    ip virtual-reassembly
    duplex auto
    speed auto
    no cdp enable
    router eigrp 1
    network 10.0.20.0 0.0.0.255
    network 192.168.20.0
    no auto-summary
    ip access-list extended INTERNET_IN
    permit icmp any any echo-reply
    permit icmp any any unreachable
    permit icmp any any time-exceeded
    permit tcp any any established
    permit udp any eq domain any
    permit udp any any eq ntp
    permit udp any any eq isakmp log
    permit gre any any log
    permit esp any any log
    permit udp any eq ntp any
    permit tcp any any eq 22
    deny   ip any any log-input
    ip access-list extended NAT_TRAFFIC
    deny   ip 192.168.20.0 0.0.0.255 192.168.21.0 0.0.0.255
    deny   ip 192.168.20.0 0.0.0.255 192.168.22.0 0.0.0.255
    permit ip 192.168.20.0 0.0.0.255 any
    ip nat inside source route-map NONAT interface FastEthernet0/1 overload
    Thank you, please tell me if you need anything else
    -Vittorio
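    When a DMVPN hub and spoke are configured by hand from two pastes like the ones above, the settings that have to agree between them are easy to get subtly wrong, and a silent hub is often the symptom. Here is an added Python check (example code, not the poster's and not Cisco's) that parses a flat IOS paste for the transform set, IPsec profile and Tunnel interface settings, resolves the tunnel's protection profile down to the algorithms it actually uses, and reports every setting that differs between hub and spoke. The two configs are constructed in the style of the pastes above with placeholder keys; the PFS group and the NHRP authentication string are deliberately different on the spoke so the check has something to report.

```python
"""Check that the crypto/NHRP settings that must agree between a DMVPN hub and spoke do.
Example code added to this thread, not the poster's or Cisco's."""
import re

# Constructed hub and spoke pastes (placeholder keys).  The spoke's PFS group and NHRP
# authentication string are deliberately wrong so the comparison reports them.
HUB_CFG = """\
crypto isakmp key PLACEHOLDER_PSK address 0.0.0.0 no-xauth
crypto ipsec transform-set TRANSFORM_1 esp-aes 256 esp-sha-hmac
crypto ipsec profile PROFILE_1
set security-association lifetime seconds 600
set transform-set TRANSFORM_1
set pfs group2
interface Tunnel0
ip mtu 1400
ip nhrp authentication NHRPSECRET
ip nhrp map multicast dynamic
ip nhrp network-id 20
tunnel source FastEthernet0/1
tunnel mode gre multipoint
tunnel protection ipsec profile PROFILE_1
router eigrp 1
network 10.0.20.0 0.0.0.255
"""
SPOKE_CFG = """\
crypto isakmp key PLACEHOLDER_PSK address 0.0.0.0 no-xauth
crypto ipsec transform-set TRANSFORM_1 esp-aes 256 esp-sha-hmac
crypto ipsec profile PROFILE_1
set security-association lifetime seconds 600
set transform-set TRANSFORM_1
set pfs group5
interface Tunnel0
ip mtu 1400
ip nhrp authentication NHRPSECRT
ip nhrp map 10.0.20.20 203.0.113.10
ip nhrp network-id 20
ip nhrp nhs 10.0.20.20
tunnel source Dialer0
tunnel mode gre multipoint
tunnel protection ipsec profile PROFILE_1
router eigrp 1
network 10.0.20.0 0.0.0.255
"""

# Pastes carry no indentation, so any other top-level command ends the block being collected.
TOP_LEVEL = ("crypto ", "interface ", "router ", "ip access-list", "route-map", "ip nat ", "ip multicast")
TUNNEL_KEYS = ("ip nhrp authentication", "ip nhrp network-id", "ip mtu",
               "tunnel mode", "tunnel key", "tunnel protection ipsec profile")


def parse_crypto_settings(cfg):
    """Collect transform sets, IPsec profiles and Tunnel interface settings from a flat paste."""
    s = {"transform": {}, "profile": {}, "tunnel": {}}
    block = None                                   # (kind, name) of the block being collected
    for raw in cfg.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
            block = ("transform", m.group(1))
            s["transform"][m.group(1)] = {"algs": m.group(2), "mode": "tunnel"}  # IOS default mode
        elif m := re.match(r"crypto ipsec profile (\S+)", line):
            block = ("profile", m.group(1))
            s["profile"][m.group(1)] = {}
        elif m := re.match(r"interface (Tunnel\d+)", line):
            block = ("tunnel", m.group(1))
            s["tunnel"][m.group(1)] = {}
        elif line.startswith(TOP_LEVEL):
            block = None
        elif block is not None:
            kind, name = block
            if kind == "transform" and line.startswith("mode "):
                s["transform"][name]["mode"] = line.split()[1]
            elif kind == "profile" and line.startswith("set "):
                key, _, value = line[4:].partition(" ")   # "set pfs group2" -> ("pfs", "group2")
                s["profile"][name][key] = value
            elif kind == "tunnel":
                for prefix in TUNNEL_KEYS:
                    if line.startswith(prefix + " "):
                        s["tunnel"][name][prefix] = line[len(prefix) + 1:]
    return s


def effective_settings(cfg):
    """Resolve the first Tunnel interface to the profile and transform set it actually uses."""
    s = parse_crypto_settings(cfg)
    tun = next(iter(s["tunnel"].values()))
    prof = s["profile"][tun["tunnel protection ipsec profile"]]
    ts = s["transform"][prof["transform-set"]]
    return {
        "transform set algorithms": ts["algs"],
        "IPsec mode": ts["mode"],
        "PFS group": prof.get("pfs", "none"),
        "NHRP authentication": tun.get("ip nhrp authentication", "none"),
        "NHRP network-id": tun.get("ip nhrp network-id", "none"),
        "tunnel mode": tun.get("tunnel mode", "gre ip"),
        "tunnel key": tun.get("tunnel key", "none"),
        "ip mtu": tun.get("ip mtu", "default"),
    }


def compare_dmvpn_peers(hub_cfg, spoke_cfg):
    """Return [(setting, hub_value, spoke_value)] for every setting that differs."""
    hub, spoke = effective_settings(hub_cfg), effective_settings(spoke_cfg)
    return [(k, hub[k], spoke[k]) for k in hub if hub[k] != spoke[k]]


if __name__ == "__main__":
    for setting, hub_value, spoke_value in compare_dmvpn_peers(HUB_CFG, SPOKE_CFG):
        print(f"MISMATCH {setting}: hub={hub_value} spoke={spoke_value}")
```

    The SA lifetime is left out of the comparison on purpose: it is negotiated down to the shorter value and does not have to match. Treat an NHRP network-id difference as a warning rather than an error, since the ID is locally significant, while transform set, PFS group, tunnel key and NHRP authentication mismatches will stop the tunnel or the NHRP registration outright.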

  • The difference between "ipsec-isakmp dynamic" and "ipsec-isakmp profile" crypto map configs

    The IOS documentation for the crypto map command gives the syntax as
    crypto map [ipv6] map-name seq-num [ ipsec-isakmp [ dynamic dynamic-map-name | discover | profile profile-name ] ]
    I have a 881w ISR. In what different situations do we use the ipsec-isakmp dynamic form as opposed to the ipsec-isakmp profile form?
    I understand that ipsec-isakmp profile is applied directly to the vpdn-group. Does this substitute for applying the crypto map directing to the WAN interface? Why would I want to do that?

    Hello, thomasmcleod.
    The main difference between dynamic and profile is in the conditions for establishing the VPN connection. You can see the difference if you compare the EzVPN (dynamic profiles) technology with the LAN-to-LAN (manual profile) technology.
    And why you should put the crypto map on the interface: after putting this command on an interface, Cisco starts to check traffic against the encryption rules. In fact it can be any interface (not only the WAN) on which you want to use an encrypted VPN channel.
    Best Regards.
