Velocity Reviews


NateVR 08-16-2007 03:09 PM

IPSEC Tunnel Won't Establish on New ISP
 
Hey everyone, sorry for the long post.

I am in the process of switching ISPs; the only thing left on my list is to bring my old PIX 515 over to the new connection for the 4 tunnels that run on it to small field offices.

A couple nights ago I tried to do this project, moved the cable, set new outside IP and default route. Both sides can ping each other, and it looks like they communicate, but they never fully bring up the tunnels.

I'm not very good at diagnosing isakmp debugs, a couple things that stick out...

crypto_isakmp_process_block:src:38.x.19.x, dest:24.x.11.x spt:500 dpt:500
VPN Peer:ISAKMP: Peer Info for 38.x.19.x/500 not found - peers:0

Both of these seem to happen after they initially are able to talk.

I've looked around and have found information on the PSK and encryption sets not matching, however, none of this changes.

So, when this doesn't work, I move the cable, use 2 or 3 lines of code on each side relating to IPs and the tunnels pop back up. This points me away from any sort of crypto config. I emailed support and they said they don't have any sort of port or traffic type blocked at all; it really seems like they might though.

The only thing I change to get it back up are these lines (and a cable switch)...

remote side

isakmp key xxxxxx address 207.x.15.x netmask 255.255.255.255 no-xauth no-config-mode
crypto map outside_map 25 set peer 207.x.15.x
no crypto map outside_map 25 set peer 38.x.19.x

local side

no route outside 0.0.0.0 0.0.0.0 38.x.19.x 1
ip address outside 207.x.15.x 255.255.255.240
route outside 0.0.0.0 0.0.0.0 207.x.15.x 1

Here are excerpts of debug...

ISAKMP (0): deleting SA: src 38.x.19.x, dst 24.x.11.x
ISADB: reaper checking SA 0xad09fc, conn_id = 0 DELETE IT!

VPN Peer:ISAKMP: Peer Info for 38.x.19.x/500 not found - peers:0

ISAKMP (0): beginning Main Mode exchange
crypto_isakmp_process_block:src:38.x.19.x, dest:24.x.11.x spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 20 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:38.x.19.x, dest:24.x.11.x spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

ISAKMP (0): processing vendor id payload

ISAKMP (0): received xauth v6 vendor id

ISAKMP (0): processing vendor id payload

ISAKMP (0): remote peer supports dead peer detection

ISAKMP (0): processing vendor id payload

ISAKMP (0): processing vendor id payload

ISAKMP (0): speaking to another IOS box!

ISAKMP (0): ID payload
next-payload : 8
type : 1
protocol : 17
port : 500
length : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:38.x.19.x, dest:24.x.11.x spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): SA has been authenticated

ISAKMP (0): beginning Quick Mode exchange, M-ID of -805598752:cffb89e0
return status is IKMP_NO_ERROR
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending NOTIFY message 24578 protocol 1
VPN Peer: ISAKMP: Added new peer: ip:38.x.19.x/500 Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:38.x.19.x/500 Ref cnt incremented to:1 Total VPN Peers:1
crypto_isakmp_process_block:src:38.x.19.x, dest:24.x.11.x spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 24578 protocol 1
spi 0, message ID = 2139566082
ISAKMP (0): processing notify INITIAL_CONTACT
return status is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block:src:38.x.19.x, dest:24.x.11.x spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 24576 protocol 1
spi 0, message ID = 2450353941
ISAKMP (0): processing responder lifetime
ISAKMP (0): phase 1 responder lifetime of 1000s
return status is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block:src:38.x.19.x, dest:24.x.11.x spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 14 protocol 0
spi 0, message ID = 235629346
return status is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block:src:38.x.19.x, dest:24.x.11.x spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 20 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 1000
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing vendor id payload

ISAKMP (0:0): vendor ID is NAT-T
ISAKMP (0): processing vendor id payload

ISAKMP (0:0): vendor ID is NAT-T
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
ISAKMP (0): beginning Quick Mode exchange, M-ID of 321525329:132a1651
crypto_isakmp_process_block:src:38.x.19.x, dest:24.x.11.x spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 14 protocol 0
spi 0, message ID = 2922390133
return status is IKMP_NO_ERR_NO_TRANS
ISAKMP (0): retransmitting phase 2 (0/0)... mess_id 0xcffb89e0
ISAKMP (0): beginning Quick Mode exchange, M-ID of 2085483773:7c4df4fd
crypto_isakmp_process_block:src:38.x.19.x, dest:24.x.11.x spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 14 protocol 0
spi 0, message ID = 2884540731
return status is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block:src:38.x.19.x, dest:24.x.11.x spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 20 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 1000
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing vendor id payload

ISAKMP (0:0): vendor ID is NAT-T
ISAKMP (0): processing vendor id payload

ISAKMP (0:0): vendor ID is NAT-T
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
ISAKMP (0): retransmitting phase 1 (0)...
ISAKMP (0): beginning Quick Mode exchange, M-ID of -521181726:e0ef65e2
crypto_isakmp_process_block:src:38.x.19.x, dest:24.x.11.x spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 14 protocol 0
spi 0, message ID = 4028817428
return status is IKMP_NO_ERR_NO_TRANS
ISAKMP (0): retransmitting phase 2 (0/1)... mess_id 0x132a1651
ISAKMP (0): retransmitting phase 2 (1/2)... mess_id 0xcffb89e0
ISAKMP (0): retransmitting phase 2 (0/3)... mess_id 0x7c4df4fd
crypto_isakmp_process_block:src:38.x.19.x, dest:24.x.11.x spt:500 dpt:500
VPN Peer: ISAKMP: Peer ip:38.x.19.x/500 Ref cnt decremented to:0 Total VPN Peers:1
VPN Peer: ISAKMP: Deleted peer: ip:38.x.19.x/500 Total VPN peers:0
ISAKMP: larval sa found
ISAKMP (0): retransmitting phase 1 (0)...
ISAKMP (0): retransmitting phase 1 (1)...
ISAKMP (0): retransmitting phase 2 (0/4)... mess_id 0xe0ef65e2
ISAKMP (0): retransmitting phase 2 (1/5)... mess_id 0x132a1651
ISAKMP (0): deleting SA: src 24.x.11.x, dst 38.x.19.x
ISADB: reaper checking SA 0xad00bc, conn_id = 0
ISADB: reaper checking SA 0xac5ac4, conn_id = 0
ISADB: reaper checking SA 0xaca3bc, conn_id = 0 DELETE IT!

VPN Peer:ISAKMP: Peer Info for 38.x.19.x/500 not found - peers:0

ISADB: reaper checking SA 0xad00bc, conn_id = 0
ISADB: reaper checking SA 0xac5ac4, conn_id = 0
ISAKMP (0): deleting SA: src 38.x.19.x, dst 24.x.11.x
ISAKMP (0): retransmitting phase 1 (1)...
ISADB: reaper checking SA 0xad00bc, conn_id = 0
ISADB: reaper checking SA 0xac5ac4, conn_id = 0 DELETE IT!

VPN Peer:ISAKMP: Peer Info for 38.x.19.x/500 not found - peers:0

ISADB: reaper checking SA 0xad00bc, conn_id = 0
ISAKMP (0): deleting SA: src 38.x.19.x, dst 24.x.11.x
crypto_isakmp_process_block:src:38.x.19.x, dest:24.x.11.x spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 20 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 1000
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing vendor id payload

ISAKMP (0:0): vendor ID is NAT-T
ISAKMP (0): processing vendor id payload

ISAKMP (0:0): vendor ID is NAT-T
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
ISADB: reaper checking SA 0xad00bc, conn_id = 0 DELETE IT!

VPN Peer:ISAKMP: Peer Info for 38.x.19.x/500 not found - peers:0

ISADB: reaper checking SA 0xaca3bc, conn_id = 0
crypto_isakmp_process_block:src:38.x.19.x, dest:24.x.11.x spt:500 dpt:500
VPN Peer:ISAKMP: Peer Info for 38.x.19.x/500 not found - peers:0

ISAKMP: larval sa found
ISAKMP (0): retransmitting phase 1 (0)...
crypto_isakmp_process_block:src:38.x.19.x, dest:24.x.11.x spt:500 dpt:500
VPN Peer:ISAKMP: Peer Info for 38.x.19.x/500 not found - peers:0

ISAKMP: larval sa found
ISAKMP (0): retransmitting phase 1 (1)...

Thanks for any help.
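
As an added example (not part of the original post), a small Python summarizer for PIX `debug crypto isakmp` output like the excerpt above: it counts Phase 1 authentications, Quick Mode attempts, retransmits and NOTIFY types to show at which stage negotiation stalls. The notify type names come from RFC 2408 and RFC 2407, not from the thread, and the sample lines are constructed in the same format as the debug output.

```python
import re
from collections import Counter

# Notify type names: 14 from RFC 2408; 24576 and 24578 from the IPsec DOI, RFC 2407.
NOTIFY_NAMES = {14: "NO-PROPOSAL-CHOSEN", 24576: "RESPONDER-LIFETIME",
                24578: "INITIAL-CONTACT"}

# Constructed sample: a shortened sequence in the format of the debug output above.
SAMPLE = """\
ISAKMP (0): SA has been authenticated
ISAKMP (0): beginning Quick Mode exchange, M-ID of -805598752:cffb89e0
ISAKMP (0): processing NOTIFY payload 24578 protocol 1
ISAKMP (0): processing NOTIFY payload 24576 protocol 1
ISAKMP (0): processing NOTIFY payload 14 protocol 0
ISAKMP (0): retransmitting phase 2 (0/0)... mess_id 0xcffb89e0
ISAKMP (0): retransmitting phase 2 (1/2)... mess_id 0xcffb89e0
ISAKMP (0): retransmitting phase 1 (0)...
"""

def summarize(log):
    """Reduce ISAKMP debug text to the events that show where negotiation stalls."""
    s = {"phase1_auth": 0, "quick_mode": [], "notifies": Counter(),
         "p1_retx": 0, "p2_retx": Counter()}
    for line in log.splitlines():
        if "SA has been authenticated" in line:
            s["phase1_auth"] += 1
        elif m := re.search(r"beginning Quick Mode exchange, M-ID of -?\d+:([0-9a-f]+)", line):
            s["quick_mode"].append(m.group(1))  # keep the hex form used by retransmit lines
        elif m := re.search(r"processing NOTIFY payload (\d+) protocol", line):
            code = int(m.group(1))
            s["notifies"][NOTIFY_NAMES.get(code, f"type {code}")] += 1
        elif m := re.search(r"retransmitting phase 2 \(\d+/\d+\)\.\.\. mess_id 0x([0-9a-f]+)", line):
            s["p2_retx"][m.group(1)] += 1
        elif "retransmitting phase 1" in line:
            s["p1_retx"] += 1
    return s

def stalled_stage(s):
    """Name the stage that did not complete, judged only from the summarized events."""
    if s["phase1_auth"] == 0:
        return "phase1"             # Main Mode never authenticated
    if s["notifies"]["NO-PROPOSAL-CHOSEN"] > 0:
        return "phase2-refused"     # peer sent notify 14 after Phase 1 came up
    if any(mid in s["p2_retx"] for mid in s["quick_mode"]):
        return "phase2-unanswered"  # Quick Mode messages were resent without a reply
    return "none"

if __name__ == "__main__":
    summary = summarize(SAMPLE)
    print(stalled_stage(summary), dict(summary["notifies"]), dict(summary["p2_retx"]))
```
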

NateVR 08-17-2007 10:22 PM

Edited to fix a config.

Any ideas?

