IPSEC Tunnel Won't Establish on New ISP

Discussion in 'Cisco' started by NateVR, Aug 16, 2007.

  1. NateVR

    Hey everyone, sorry for the long post.

    I am in the process of switching ISPs; the only thing left on my list is to bring my old PIX 515 over to the new connection for the 4 tunnels that run on it to small field offices.

    A couple of nights ago I tried to do this project: moved the cable, set the new outside IP and default route. Both sides can ping each other, and it looks like they communicate, but they never fully bring up the tunnels.

    I'm not very good at diagnosing isakmp debugs, a couple things that stick out...

    crypto_isakmp_process_block:src:38.x.19.x, dest:24.x.11.x spt:500 dpt:500
    VPN Peer:ISAKMP: Peer Info for 38.x.19.x/500 not found - peers:0

    Both of these seem to happen after they initially are able to talk.

    I've looked around and have found information on the PSK and encryption sets not matching, however, none of this changes.

    So, when this doesn't work, I move the cable, use 2 or 3 lines of code on each side relating to IPs and the tunnels pop back up. This points me away from any sort of crypto config. I emailed support and they said they don't have any sort of port or traffic type blocked at all, it really seems like they might though.

    The only thing I change to get it back up are these lines (and a cable switch)...

    remote side

    isakmp key xxxxxx address 207.x.15.x netmask 255.255.255.255 no-xauth no-config-mode
    crypto map outside_map 25 set peer 207.x.15.x
    no crypto map outside_map 25 set peer 38.x.19.x

    local side

    no route outside 0.0.0.0 0.0.0.0 38.x.19.x 1
    ip address outside 207.x.15.x 255.255.255.240
    route outside 0.0.0.0 0.0.0.0 207.x.15.x 1

    Here are excerpts of debug...

    ISAKMP (0): deleting SA: src 38.x.19.x, dst 24.x.11.x
    ISADB: reaper checking SA 0xad09fc, conn_id = 0 DELETE IT!

    VPN Peer:ISAKMP: Peer Info for 38.x.19.x/500 not found - peers:0

    ISAKMP (0): beginning Main Mode exchange
    crypto_isakmp_process_block:src:38.x.19.x, dest:24.x.11.x spt:500 dpt:500
    OAK_MM exchange
    ISAKMP (0): processing SA payload. message ID = 0

    ISAKMP (0): Checking ISAKMP transform 1 against priority 20 policy
    ISAKMP: encryption DES-CBC
    ISAKMP: hash MD5
    ISAKMP: default group 2
    ISAKMP: auth pre-share
    ISAKMP: life type in seconds
    ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
    ISAKMP (0): atts are acceptable. Next payload is 0
    ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
    return status is IKMP_NO_ERROR
    crypto_isakmp_process_block:src:38.x.19.x, dest:24.x.11.x spt:500 dpt:500
    OAK_MM exchange
    ISAKMP (0): processing KE payload. message ID = 0

    ISAKMP (0): processing NONCE payload. message ID = 0

    ISAKMP (0): processing vendor id payload

    ISAKMP (0): received xauth v6 vendor id

    ISAKMP (0): processing vendor id payload

    ISAKMP (0): remote peer supports dead peer detection

    ISAKMP (0): processing vendor id payload

    ISAKMP (0): processing vendor id payload

    ISAKMP (0): speaking to another IOS box!

    ISAKMP (0): ID payload
    next-payload : 8
    type : 1
    protocol : 17
    port : 500
    length : 8
    ISAKMP (0): Total payload length: 12
    return status is IKMP_NO_ERROR
    crypto_isakmp_process_block:src:38.x.19.x, dest:24.x.11.x spt:500 dpt:500
    OAK_MM exchange
    ISAKMP (0): processing ID payload. message ID = 0
    ISAKMP (0): processing HASH payload. message ID = 0
    ISAKMP (0): SA has been authenticated

    ISAKMP (0): beginning Quick Mode exchange, M-ID of -805598752:cffb89e0
    return status is IKMP_NO_ERROR
    ISAKMP (0): sending INITIAL_CONTACT notify
    ISAKMP (0): sending NOTIFY message 24578 protocol 1
    VPN Peer: ISAKMP: Added new peer: ip:38.x.19.x/500 Total VPN Peers:1
    VPN Peer: ISAKMP: Peer ip:38.x.19.x/500 Ref cnt incremented to:1 Total VPN Peers:1
    crypto_isakmp_process_block:src:38.x.19.x, dest:24.x.11.x spt:500 dpt:500
    ISAKMP (0): processing NOTIFY payload 24578 protocol 1
    spi 0, message ID = 2139566082
    ISAKMP (0): processing notify INITIAL_CONTACT
    return status is IKMP_NO_ERR_NO_TRANS
    crypto_isakmp_process_block:src:38.x.19.x, dest:24.x.11.x spt:500 dpt:500
    ISAKMP (0): processing NOTIFY payload 24576 protocol 1
    spi 0, message ID = 2450353941
    ISAKMP (0): processing responder lifetime
    ISAKMP (0): phase 1 responder lifetime of 1000s
    return status is IKMP_NO_ERR_NO_TRANS
    crypto_isakmp_process_block:src:38.x.19.x, dest:24.x.11.x spt:500 dpt:500
    ISAKMP (0): processing NOTIFY payload 14 protocol 0
    spi 0, message ID = 235629346
    return status is IKMP_NO_ERR_NO_TRANS
    crypto_isakmp_process_block:src:38.x.19.x, dest:24.x.11.x spt:500 dpt:500
    OAK_MM exchange
    ISAKMP (0): processing SA payload. message ID = 0

    ISAKMP (0): Checking ISAKMP transform 1 against priority 20 policy
    ISAKMP: encryption DES-CBC
    ISAKMP: hash MD5
    ISAKMP: default group 2
    ISAKMP: auth pre-share
    ISAKMP: life type in seconds
    ISAKMP: life duration (basic) of 1000
    ISAKMP (0): atts are acceptable. Next payload is 0
    ISAKMP (0): processing vendor id payload

    ISAKMP (0:0): vendor ID is NAT-T
    ISAKMP (0): processing vendor id payload

    ISAKMP (0:0): vendor ID is NAT-T
    ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
    return status is IKMP_NO_ERROR
    ISAKMP (0): beginning Quick Mode exchange, M-ID of 321525329:132a1651
    crypto_isakmp_process_block:src:38.x.19.x, dest:24.x.11.x spt:500 dpt:500
    ISAKMP (0): processing NOTIFY payload 14 protocol 0
    spi 0, message ID = 2922390133
    return status is IKMP_NO_ERR_NO_TRANS
    ISAKMP (0): retransmitting phase 2 (0/0)... mess_id 0xcffb89e0
    ISAKMP (0): beginning Quick Mode exchange, M-ID of 2085483773:7c4df4fd
    crypto_isakmp_process_block:src:38.x.19.x, dest:24.x.11.x spt:500 dpt:500
    ISAKMP (0): processing NOTIFY payload 14 protocol 0
    spi 0, message ID = 2884540731
    return status is IKMP_NO_ERR_NO_TRANS
    crypto_isakmp_process_block:src:38.x.19.x, dest:24.x.11.x spt:500 dpt:500
    OAK_MM exchange
    ISAKMP (0): processing SA payload. message ID = 0

    ISAKMP (0): Checking ISAKMP transform 1 against priority 20 policy
    ISAKMP: encryption DES-CBC
    ISAKMP: hash MD5
    ISAKMP: default group 2
    ISAKMP: auth pre-share
    ISAKMP: life type in seconds
    ISAKMP: life duration (basic) of 1000
    ISAKMP (0): atts are acceptable. Next payload is 0
    ISAKMP (0): processing vendor id payload

    ISAKMP (0:0): vendor ID is NAT-T
    ISAKMP (0): processing vendor id payload

    ISAKMP (0:0): vendor ID is NAT-T
    ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
    return status is IKMP_NO_ERROR
    ISAKMP (0): retransmitting phase 1 (0)...
    ISAKMP (0): beginning Quick Mode exchange, M-ID of -521181726:e0ef65e2
    crypto_isakmp_process_block:src:38.x.19.x, dest:24.x.11.x spt:500 dpt:500
    ISAKMP (0): processing NOTIFY payload 14 protocol 0
    spi 0, message ID = 4028817428
    return status is IKMP_NO_ERR_NO_TRANS
    ISAKMP (0): retransmitting phase 2 (0/1)... mess_id 0x132a1651
    ISAKMP (0): retransmitting phase 2 (1/2)... mess_id 0xcffb89e0
    ISAKMP (0): retransmitting phase 2 (0/3)... mess_id 0x7c4df4fd
    crypto_isakmp_process_block:src:38.x.19.x, dest:24.x.11.x spt:500 dpt:500
    VPN Peer: ISAKMP: Peer ip:38.x.19.x/500 Ref cnt decremented to:0 Total VPN Peers:1
    VPN Peer: ISAKMP: Deleted peer: ip:38.x.19.x/500 Total VPN peers:0
    ISAKMP: larval sa found
    ISAKMP (0): retransmitting phase 1 (0)...
    ISAKMP (0): retransmitting phase 1 (1)...
    ISAKMP (0): retransmitting phase 2 (0/4)... mess_id 0xe0ef65e2
    ISAKMP (0): retransmitting phase 2 (1/5)... mess_id 0x132a1651
    ISAKMP (0): deleting SA: src 24.x.11.x, dst 38.x.19.x
    ISADB: reaper checking SA 0xad00bc, conn_id = 0
    ISADB: reaper checking SA 0xac5ac4, conn_id = 0
    ISADB: reaper checking SA 0xaca3bc, conn_id = 0 DELETE IT!

    VPN Peer:ISAKMP: Peer Info for 38.x.19.x/500 not found - peers:0

    ISADB: reaper checking SA 0xad00bc, conn_id = 0
    ISADB: reaper checking SA 0xac5ac4, conn_id = 0
    ISAKMP (0): deleting SA: src 38.x.19.x, dst 24.x.11.x
    ISAKMP (0): retransmitting phase 1 (1)...
    ISADB: reaper checking SA 0xad00bc, conn_id = 0
    ISADB: reaper checking SA 0xac5ac4, conn_id = 0 DELETE IT!

    VPN Peer:ISAKMP: Peer Info for 38.x.19.x/500 not found - peers:0

    ISADB: reaper checking SA 0xad00bc, conn_id = 0
    ISAKMP (0): deleting SA: src 38.x.19.x, dst 24.x.11.x
    crypto_isakmp_process_block:src:38.x.19.x, dest:24.x.11.x spt:500 dpt:500
    OAK_MM exchange
    ISAKMP (0): processing SA payload. message ID = 0

    ISAKMP (0): Checking ISAKMP transform 1 against priority 20 policy
    ISAKMP: encryption DES-CBC
    ISAKMP: hash MD5
    ISAKMP: default group 2
    ISAKMP: auth pre-share
    ISAKMP: life type in seconds
    ISAKMP: life duration (basic) of 1000
    ISAKMP (0): atts are acceptable. Next payload is 0
    ISAKMP (0): processing vendor id payload

    ISAKMP (0:0): vendor ID is NAT-T
    ISAKMP (0): processing vendor id payload

    ISAKMP (0:0): vendor ID is NAT-T
    ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
    return status is IKMP_NO_ERROR
    ISADB: reaper checking SA 0xad00bc, conn_id = 0 DELETE IT!

    VPN Peer:ISAKMP: Peer Info for 38.x.19.x/500 not found - peers:0

    ISADB: reaper checking SA 0xaca3bc, conn_id = 0
    crypto_isakmp_process_block:src:38.x.19.x, dest:24.x.11.x spt:500 dpt:500
    VPN Peer:ISAKMP: Peer Info for 38.x.19.x/500 not found - peers:0

    ISAKMP: larval sa found
    ISAKMP (0): retransmitting phase 1 (0)...
    crypto_isakmp_process_block:src:38.x.19.x, dest:24.x.11.x spt:500 dpt:500
    VPN Peer:ISAKMP: Peer Info for 38.x.19.x/500 not found - peers:0

    ISAKMP: larval sa found
    ISAKMP (0): retransmitting phase 1 (1)...

    Thanks for any help.
    Last edited: Aug 17, 2007
    NateVR, Aug 16, 2007
    #1
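
An added example, not part of the original post: a short Python triage for PIX ISAKMP debug output in the format shown above. It records whether phase 1 authenticated, collects Quick Mode message IDs, counts retransmits, and names received notify types using the RFC 2408 and RFC 2407 (IPsec DOI) numbering. The sample lines are constructed in the post's log format, and the function and variable names are assumptions.

```python
import re
from collections import Counter

# Notify Message types from RFC 2408 (ISAKMP) and RFC 2407 (IPsec DOI).
NOTIFY_NAMES = {
    14: "NO-PROPOSAL-CHOSEN",
    18: "INVALID-ID-INFORMATION",
    24576: "RESPONDER-LIFETIME",
    24577: "REPLAY-STATUS",
    24578: "INITIAL-CONTACT",
}
ERROR_NOTIFY_MAX = 16383  # RFC 2408: 1-16383 are error types, above that status

NOTIFY_RE = re.compile(r"processing NOTIFY payload (\d+) protocol (\d+)")
QM_RE = re.compile(r"beginning Quick Mode exchange, M-ID of -?\d+:([0-9a-f]+)")
RETX_RE = re.compile(r"retransmitting phase ([12])")

def triage(lines):
    """Summarise a debug capture: phase 1 result, phase 2 attempts, notifies."""
    summary = {"phase1_authenticated": False, "quick_mode_ids": [],
               "retransmits": Counter(), "notifies": Counter()}
    for line in lines:
        if "SA has been authenticated" in line:
            summary["phase1_authenticated"] = True
        if (m := QM_RE.search(line)):
            summary["quick_mode_ids"].append(m.group(1))
        if (m := RETX_RE.search(line)):
            summary["retransmits"]["phase" + m.group(1)] += 1
        if (m := NOTIFY_RE.search(line)):
            summary["notifies"][int(m.group(1))] += 1
    # Error-class notifies are the ones that explain a failed negotiation.
    summary["error_notifies"] = sorted(
        NOTIFY_NAMES.get(c, f"type {c}")
        for c in summary["notifies"] if c <= ERROR_NOTIFY_MAX)
    return summary

# Constructed sample: a few lines in the format of the debug output in the post.
SAMPLE = """\
ISAKMP (0): SA has been authenticated
ISAKMP (0): beginning Quick Mode exchange, M-ID of -805598752:cffb89e0
ISAKMP (0): processing NOTIFY payload 24578 protocol 1
ISAKMP (0): processing NOTIFY payload 24576 protocol 1
ISAKMP (0): processing NOTIFY payload 14 protocol 0
ISAKMP (0): beginning Quick Mode exchange, M-ID of 321525329:132a1651
ISAKMP (0): processing NOTIFY payload 14 protocol 0
ISAKMP (0): retransmitting phase 2 (0/0)... mess_id 0xcffb89e0
ISAKMP (0): retransmitting phase 1 (0)...
""".splitlines()

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```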

  2. NateVR

    Edited to fix a config.

    Any ideas?
    NateVR, Aug 17, 2007
    #2