IPSEC VPN PROBLEM

From: adeolu@sympatico.ca
Date: Tue Sep 14 2004 - 16:02:09 GMT-3

I was wondering if anyone could bail me out.....this issue has me at my wits' end. I am running a hub and spoke VPN for my company. The head-end router is a Cisco 7204 running IOS 12.2(13)T3 and I am running IOS 12.3(7)T2 on the remote. The reason i am running such a recent version on the remote router is because of a need to support the 4-port switch WIC in the router.

I was able to successfully test this using a PPPoE Internet connection (ADSL) but so far, I have been unable to successfully use it with Cable Internet (which is the link type on site). The connection just refuses to be set up. I have checked the ISAKMP policies, crypto maps etc. and ensured that they are matched.

I have pasted some debugs below

Any help will be appreciated.

= 0x400A
*Mar 10 02:25:10: ISAKMP: received ke message (1/1)
*Mar 10 02:25:10: ISAKMP: set new node 0 to QM_IDLE
*Mar 10 02:25:10: ISAKMP:(0:1:HW:2):SA is still budding. Attached new ipsec requ
est to it. (local 24.86.96.233, remote 209.5.96.157)
*Mar 10 02:25:10: ISAKMP:(0:1:HW:2): retransmitting phase 1 MM_NO_STATE...
*Mar 10 02:25:10: ISAKMP:(0:1:HW:2):incrementing error counter on sa: retransmit
 phase 1
*Mar 10 02:25:10: ISAKMP:(0:1:HW:2): retransmitting phase 1 MM_NO_STATE
*Mar 10 02:25:10: ISAKMP:(0:1:HW:2): sending packet to 209.5.96.157 my_port 500
peer_port 500 (I) MM_NO_STATE
*Mar 10 02:25:20: ISAKMP:(0:1:HW:2): retransmitting phase 1 MM_NO_STATE...
*Mar 10 02:25:20: ISAKMP:(0:1:HW:2):incrementing error counter on sa: retransmit
 phase 1
*Mar 10 02:25:20: ISAKMP:(0:1:HW:2): retransmitting phase 1 MM_NO_STATE
*Mar 10 02:25:20: ISAKMP:(0:1:HW:2): sending packet to 209.5.96.157 my_port 500
peer_port 500 (I) MM_NO_STATE
*Mar 10 02:25:28: IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= 24.86.96.233, remote= 209.5.96.157,
    local_proxy= 142.225.0.0/255.255.0.0/0/0 (type=4),
    remote_proxy= 142.225.0.0/255.255.0.0/0/0 (type=4)
*Mar 10 02:25:28: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 24.86.96.233, remote= 209.5.96.157,
    local_proxy= 142.225.0.0/255.255.0.0/0/0 (type=4),
    remote_proxy= 142.225.0.0/255.255.0.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-sha-hmac (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0xD029AD14(3492392212), conn_id= 0, keysize= 0, flags= 0x400A
*Mar 10 02:25:28: ISAKMP: received ke message (1/1)
*Mar 10 02:25:28: ISAKMP: set new node 0 to QM_IDLE
*Mar 10 02:25:28: ISAKMP:(0:1:HW:2):SA is still budding. Attached new ipsec requ
est to it. (local 24.86.96.233, remote 209.5.96.157)
*Mar 10 02:25:30: ISAKMP:(0:1:HW:2): retransmitting phase 1 MM_NO_STATE...
*Mar 10 02:25:30: ISAKMP:(0:1:HW:2):incrementing error counter on sa: retransmit
 phase 1
*Mar 10 02:25:30: ISAKMP:(0:1:HW:2): retransmitting phase 1 MM_NO_STATE
*Mar 10 02:25:30: ISAKMP:(0:1:HW:2): sending packet to 209.5.96.157 my_port 500
peer_port 500 (I) MM_NO_STATE
*Mar 10 02:25:40: IPSEC(key_engine): request timer fired: count = 2,
  (identity) local= 24.86.96.233, remote= 209.5.96.157,
    local_proxy= 142.225.130.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.0.0/255.255.0.0/0/0 (type=4)
*Mar 10 02:25:40: ISAKMP: received ke message (3/1)
*Mar 10 02:25:40: ISAKMP:(0:1:HW:2):peer does not do paranoid keepalives.

*Mar 10 02:25:40: ISAKMP:(0:1:HW:2):deleting SA reason "receive request to delet
e ike sa" state (I) MM_NO_STATE (peer 209.5.96.157) input queue 0
*Mar 10 02:25:40: ISAKMP:(0:1:HW:2):deleting SA reason "receive request to delet
e ike sa" state (I) MM_NO_STATE (peer 209.5.96.157) input queue 0
*Mar 10 02:25:40: ISAKMP: Unlocking IKE struct 0x824C53A4 for isadb_mark_sa_dele
ted(), count 0
*Mar 10 02:25:40: ISAKMP: Deleting peer node by peer_reap for 209.5.96.157: 824C
53A4
*Mar 10 02:25:40: ISAKMP:(0:1:HW:2):deleting node -938513491 error TRUE reason "
receive request to delete ike sa"
*Mar 10 02:25:40: ISAKMP:(0:1:HW:2):deleting node -1343263010 error TRUE reason
"receive request to delete ike sa"
*Mar 10 02:25:40: ISAKMP:(0:1:HW:2):deleting node -2146876017 error TRUE reason
"receive request to delete ike sa"
*Mar 10 02:25:40: ISAKMP:(0:1:HW:2):deleting node -1379398450 error TRUE reason
"receive request to delete ike sa"
*Mar 10 02:25:40: ISAKMP:(0:1:HW:2):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Mar 10 02:25:40: ISAKMP:(0:1:HW:2):Old State = IKE_I_MM1 New State = IKE_DEST_
SA

*Mar 10 02:25:50: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 10: Neighbor 142.225.150.134 (V
lan521) is up: new adjacency
*Mar 10 02:25:58: IPSEC(key_engine): request timer fired: count = 2,
  (identity) local= 24.86.96.233, remote= 209.5.96.157,
    local_proxy= 142.225.0.0/255.255.0.0/0/0 (type=4),
    remote_proxy= 142.225.0.0/255.255.0.0/0/0 (type=4)
*Mar 10 02:25:58: ISAKMP: received ke message (3/1)
*Mar 10 02:25:58: ISAKMP:(0:1:HW:2):peer does not do paranoid keepalives.
Log Buffer (4096 bytes):
nding packet to 209.5.96.157 my_port 500 peer_port 500 (I) MM_NO_STATE
*Sep 13 20:57:54: ISAKMP:(0:1:HW:2): retransmitting phase 1 MM_NO_STATE...
*Sep 13 20:57:54: ISAKMP:(0:1:HW:2):incrementing error counter on sa: retransmit phase 1
*Sep 13 20:57:54: ISAKMP:(0:1:HW:2): retransmitting phase 1 MM_NO_STATE
*Sep 13 20:57:54: ISAKMP:(0:1:HW:2): sending packet to 209.5.96.157 my_port 500 peer_port 500 (I) MM_NO_STATE
*Sep 13 20:58:04: ISAKMP:(0:1:HW:2): retransmitting phase 1 MM_NO_STATE...
*Sep 13 20:58:04: ISAKMP:(0:1:HW:2):incrementing error counter on sa: retransmit phase 1
*Sep 13 20:58:04: ISAKMP:(0:1:HW:2): retransmitting phase 1 MM_NO_STATE
*Sep 13 20:58:04: ISAKMP:(0:1:HW:2): sending packet to 209.5.96.157 my_port 500 peer_port 500 (I) MM_NO_STATE
*Sep 13 20:58:14: IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= 209.5.255.142, remote= 209.5.96.157,
    local_proxy= 142.225.0.0/255.255.0.0/0/0 (type=4),
    remote_proxy= 172.16.0.0/255.240.0.0/0/0 (type=4)
*Sep 13 20:58:14: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 209.5.255.142, remote= 209.5.96.157,
    local_proxy= 142.225.0.0/255.255.0.0/0/0 (type=4),
    remote_proxy= 172.16.0.0/255.240.0.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-sha-hmac (Tunnel),
 lifedur= 3600s and 4608000kb,
    spi= 0x21BF4A39(566184505), conn_id= 0, keysize= 0, flags= 0x400A
*Sep 13 20:58:14: ISAKMP: received ke message (1/1)
*Sep 13 20:58:14: ISAKMP: set new node 0 to QM_IDLE
*Sep 13 20:58:14: ISAKMP:(0:1:HW:2):SA is still budding. Attached new ipsec request to it. (local 209.5.255.142, remote 209.5.96.157)
*Sep 13 20:58:14: ISAKMP:(0:1:HW:2): retransmitting phase 1 MM_NO_STATE...
*Sep 13 20:58:14: ISAKMP:(0:1:HW:2):incrementing error counter on sa: retransmit phase 1
*Sep 13 20:58:14: ISAKMP:(0:1:HW:2): retransmitting phase 1 MM_NO_STATE
*Sep 13 20:58:14: ISAKMP:(0:1:HW:2): sending packet to 209.5.96.157 my_port 500 peer_port 500 (I) MM_NO_STATE
*Sep 13 20:58:24: ISAKMP:(0:1:HW:2): retransmitting phase 1 MM_NO_STATE...
*Sep 13 20:58:24: ISAKMP:(0:1:HW:2):incrementing error counter on sa: retransmit phase 1
*Sep 13 20:58:24: ISAKMP:(0:1:HW:2): retransmitting phase 1 MM_NO_STATE
*Sep 13 20:58:24: ISAKMP:(0:1:HW:2): sending packet to 209.5.96.157 my_port 500 peer_port 500 (I) MM_NO_STATE
*Sep 13 20:58:34: ISAKMP:(0:1:HW:2): retransmitting phase 1 MM_NO_STATE...
*Sep 13 20:58:34: ISAKMP:(0:1:HW:2):incrementing error counter on sa: retransmit phase 1
*Sep 13 20:58:34: ISAKMP:(0:1:HW:2): retransmitting phase 1 MM_NO_STATE
*Sep 13 20:58:34: ISAKMP:(0:1:HW:2): sending packet to 209.5.96.157 my_port 500 peer_port 500 (I) MM_NO_STATE
Sep 13 20:58:44: IPSEC(key_engine): request timer fired: count = 2,
  (identity) local= 209.5.255.142, remote= 209.5.96.157,
    local_proxy= 142.225.0.0/255.255.0.0/0/0 (type=4),
    remote_proxy= 172.16.0.0/255.240.0.0/0/0 (type=4)
*Sep 13 20:58:44: ISAKMP: received ke message (3/1)
*Sep 13 20:58:44: ISAKMP:(0:1:HW:2):peer does not do paranoid keepalives.
*Sep 13 20:58:44: ISAKMP:(0:1:HW:2):deleting SA reason "receive request to delete ike sa" state (I) MM_NO_STATE (peer 209.5.96.157) input queue 0
*Sep 13 20:58:44: ISAKMP:(0:1:HW:2):deleting SA reason "receive request to delete ike sa" state (I) MM_NO_STATE (peer 209.5.96.157) input queue 0
*Sep 13 20:58:44: ISAKMP: Unlocking IKE struct 0x821712B4 for isadb_mark_sa_deleted(), count 0
*Sep 13 20:58:44: ISAKMP: Deleting peer node by peer_reap for 209.5.96.157: 821712B4
*Sep 13 20:58:44: ISAKMP:(0:1:HW:2):deleting node -862965495 error TRUE reason "receive request to delete ike sa"
*Sep 13 20:58:44: ISAKMP:(0:1:HW:2):deleting node -542169726 error TRUE reason "receive request to delete ike sa"
*Sep 13 20:58:44: ISAKMP:(0:1:HW:2):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Sep 13 20:58:44: ISAKMP:(0:1:HW:2):Old State = IKE_I_MM1 New State = IKE_DEST_SA
Sep 13 20:59:34: ISAKMP:(0:1:HW:2):purging node -862965495
*Sep 13 20:59:34: ISAKMP:(0:1:HW:2):purging node -542169726
*Sep 13 20:59:44: ISAKMP:(0:1:HW:2):purging SA., sa=829FC038, delme=829FC038
fnbur020#

I have pasted some debugs below

This archive was generated by hypermail 2.1.4 : Fri Oct 01 2004 - 15:00:42 GMT-3