VPN issue with Cisco 871

Discussion in 'Cisco' started by persepolis77, Apr 2, 2008.

  1. persepolis77

    persepolis77

    Joined:
    Oct 25, 2007
    Messages:
    6
    Hello,
    I have a cellular modem, Airlink Raven X, connected to WAN port of Cisco router 871.
    Neither site to site VPN nor EZVPN do come up.
    The debug crypto isakmp gives me the following result:

    *Apr 1 19:09:05.083: ISAKMP: Unlocking peer struct 0x84223770 for isadb_mark_sa
    _deleted(), count 0
    *Apr 1 19:09:05.083: ISAKMP: Deleting peer node by peer_reap for W.X.Y.Z: 8
    4223770
    *Apr 1 19:09:05.083: ISAKMP:(0):deleting node 102384373 error FALSE reason "IKE
    deleted"
    *Apr 1 19:09:05.083: ISAKMP:(0):deleting node -145314910 error FALSE reason "IK
    E deleted"
    *Apr 1 19:09:05.083: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
    *Apr 1 19:09:05.083: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_DEST_SA

    *Apr 1 19:09:09.883: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH...
    *Apr 1 19:09:09.883: ISAKMP (0:0): incrementing error counter on sa, attempt 3
    of 5: retransmit phase 1
    *Apr 1 19:09:09.883: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH
    *Apr 1 19:09:09.883: ISAKMP:(0): sending packet to A.B.C.D my_port 500 pe
    er_port 500 (I) AG_INIT_EXCH
    *Apr 1 19:09:09.883: ISAKMP:(0):Sending an IKE IPv4 Packet.
    *Apr 1 19:09:19.883: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH...
    *Apr 1 19:09:19.883: ISAKMP (0:0): incrementing error counter on sa, attempt 4
    of 5: retransmit phase 1
    *Apr 1 19:09:19.883: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH
    *Apr 1 19:09:19.883: ISAKMP:(0): sending packet to A.B.C.D my_port 500 pe
    er_port 500 (I) AG_INIT_EXCH
    *Apr 1 19:09:19.883: ISAKMP:(0):Sending an IKE IPv4 Packet.
    *Apr 1 19:09:29.883: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH...
    *Apr 1 19:09:29.883: ISAKMP (0:0): incrementing error counter on sa, attempt 5
    of 5: retransmit phase 1
    *Apr 1 19:09:29.883: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH
    *Apr 1 19:09:29.883: ISAKMP:(0): sending packet to A.B.C.D my_port 500 pe
    er_port 500 (I) AG_INIT_EXCH
    *Apr 1 19:09:29.883: ISAKMP:(0):Sending an IKE IPv4 Packet.
    *Apr 1 19:09:35.083: ISAKMP:(0): SA request profile is (NULL)
    *Apr 1 19:09:35.083: ISAKMP: Created a peer struct for W.X.Y.Z, peer port 5
    00
    *Apr 1 19:09:35.083: ISAKMP: New peer created peer = 0x8398F440 peer_handle = 0
    x8000000A
    *Apr 1 19:09:35.083: ISAKMP: Locking peer struct 0x8398F440, refcount 1 for isa
    kmp_initiator
    *Apr 1 19:09:35.083: ISAKMP: local port 500, remote port 500
    *Apr 1 19:09:35.083: ISAKMP: set new node 0 to QM_IDLE
    *Apr 1 19:09:35.083: ISAKMP: Find a dup sa in the avl tree during calling isadb
    _insert sa = 83683FF4
    *Apr 1 19:09:35.083: ISAKMP:(0):Can not start Aggressive mode, trying Main mode
    .
    *Apr 1 19:09:35.083: ISAKMP:(0):found peer pre-shared key matching W.X.Y.Z
    *Apr 1 19:09:35.087: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
    *Apr 1 19:09:35.087: ISAKMP:(0): constructed NAT-T vendor-07 ID
    *Apr 1 19:09:35.087: ISAKMP:(0): constructed NAT-T vendor-03 ID
    *Apr 1 19:09:35.087: ISAKMP:(0): constructed NAT-T vendor-02 ID
    *Apr 1 19:09:35.087: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
    *Apr 1 19:09:35.087: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1

    *Apr 1 19:09:35.087: ISAKMP:(0): beginning Main Mode exchange
    *Apr 1 19:09:35.087: ISAKMP:(0): sending packet to W.X.Y.Z my_port 500 peer
    _port 500 (I) MM_NO_STATE
    *Apr 1 19:09:35.087: ISAKMP:(0):Sending an IKE IPv4 Packet.
    *Apr 1 19:09:38.651: ISAKMP:(0):purging SA., sa=842B12EC, delme=842B12EC
    *Apr 1 19:09:39.883: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH...
    *Apr 1 19:09:39.883: ISAKMP:(0):peer does not do paranoid keepalives.

    *Apr 1 19:09:39.883: ISAKMP:(0):deleting SA reason "Death by retransmission P1"
    state (I) AG_INIT_EXCH (peer A.B.C.D)
    *Apr 1 19:09:39.883: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=vp
    ngrp Client_public_addr=192.168.13.100 Server_public_addr=A.B.C.D
    *Apr 1 19:09:39.883: ISAKMP:(0):deleting SA reason "Death by retransmission P1"
    state (I) AG_INIT_EXCH (peer A.B.C.D)
    *Apr 1 19:09:39.883: ISAKMP: Unlocking peer struct 0x83CF266C for isadb_mark_sa
    _deleted(), count 0

    The interesting point is that when I connect the cable modem to the same router, it works fine, but with this cellular modem.

    Here is router config:

    version 12.4
    no service pad
    service timestamps debug datetime msec localtime
    service timestamps log datetime msec localtime
    service password-encryption
    !
    hostname Raven-X
    !
    boot-start-marker
    boot system flash c870-advipservicesk9-mz.124-15.T1.bin
    boot-end-marker
    !
    logging buffered 10000 debugging
    no logging console
    !
    no aaa new-model
    !
    resource policy
    !
    clock timezone EST -5
    clock summer-time EDT recurring
    ip subnet-zero
    no ip source-route
    ip cef
    !
    vpdn enable
    !
    !
    file prompt quiet
    !
    !
    crypto isakmp policy 10
    encr 3des
    authentication pre-share
    crypto isakmp key <removed> address W.X.Y.Z
    !
    !
    crypto ipsec transform-set CTtransform esp-3des esp-sha-hmac
    !
    crypto ipsec client ezvpn bureau
    connect auto
    group vpngrp key <removed>
    mode network-extension
    peer A.B.C.D
    acl 100
    username <removed> password <removed>
    xauth userid mode local
    !
    !
    crypto map BBdynmap 15 ipsec-isakmp
    set peer W.X.Y.Z
    set transform-set CTtransform
    set pfs group2
    match address cryptoBBB
    !
    !
    interface FastEthernet0
    !
    interface FastEthernet1
    !
    interface FastEthernet2
    !
    interface FastEthernet3
    !
    interface FastEthernet4
    ip address dhcp client-id FastEthernet4
    no ip redirects
    no ip proxy-arp
    ip mtu 1492
    ip nat outside
    ip virtual-reassembly
    no ip route-cache cef
    no ip route-cache
    no ip mroute-cache
    duplex auto
    speed auto
    crypto map BBdynmap
    crypto ipsec client ezvpn bureau
    !
    interface Vlan1
    ip address 10.132.29.1 255.255.255.128
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip tcp adjust-mss 1392
    crypto ipsec client ezvpn bureau inside
    hold-queue 100 out
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 FastEthernet4
    !
    !
    no ip http server
    no ip http secure-server
    !
    access-list 100 permit ip any any


    ip access-list extended cryptoBBB
    permit ip any any
    dialer-list 1 protocol ip permit

    line con 0
    session-timeout 15
    login authentication loginvty
    no modem enable
    stopbits 1
    line aux 0
    line vty 0 4
    session-timeout 15
    login authentication loginvty
    !
    scheduler max-task-time 5000
    end

    Any suggestion?
    Thanks,
    Mehdi
    persepolis77, Apr 2, 2008
    #1
    1. Advertising

  2. persepolis77

    rob_67

    Joined:
    Apr 2, 2008
    Messages:
    7
    Hi,


    how long lives your SA?


    rob
    rob_67, Apr 2, 2008
    #2
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. strippone@hotmail.com

    configuration cisco 871 & vpn

    strippone@hotmail.com, Dec 13, 2006, in forum: Cisco
    Replies:
    0
    Views:
    1,195
    strippone@hotmail.com
    Dec 13, 2006
  2. brane

    cisco 871 vpn split tunnel

    brane, Jun 19, 2007, in forum: Cisco
    Replies:
    0
    Views:
    582
    brane
    Jun 19, 2007
  3. Vincent

    Windows XP -- Cisco 871 VPN

    Vincent, Jul 24, 2007, in forum: Cisco
    Replies:
    1
    Views:
    521
    Chad Mahoney
    Jul 24, 2007
  4. Vincent
    Replies:
    4
    Views:
    3,524
    Scooty
    Jan 30, 2008
  5. TimParker
    Replies:
    3
    Views:
    2,038
    TimParker
    Mar 14, 2009
Loading...

Share This Page