Re: IPSEC VPN PROBLEM

From: joshua lauer (jslauer@hotmail.com)
Date: Tue Sep 14 2004 - 16:51:47 GMT-3


Is your ISP blocking any ports that you know of? Could be why your
connection isn't setting up. Make sure they are not blocking the critical
ports (port 500) needed for your connection set up. I've had a similar issue
working with Nortel equipment in the past. Just a thought, I really didn't
have time to drill down into your debugs. I'll check them out when I get
home from work :)

Josh Lauer

----- Original Message -----
From: <adeolu@sympatico.ca>
To: <ccielab@groupstudy.com>
Sent: Tuesday, September 14, 2004 3:02 PM
Subject: IPSEC VPN PROBLEM

>I was wondering if anyone could bail me out.....this issue has me at my
>wits' end. I am running a hub and spoke VPN for my company. The head-end
>router is a Cisco 7204 running IOS 12.2(13)T3 and I am running IOS
>12.3(7)T2 on the remote. The reason I am running such a recent version on
>the remote router is because of a need to support the 4-port switch WIC in
>the router.
>
> I was able to successfully test this using a PPPoE Internet connection
> (ADSL) but so far, I have been unable to successfully use it with Cable
> Internet (which is the link type on site). The connection just refuses to
> be set up. I have checked the ISAKMP policies, crypto maps etc. and
> ensured that they are matched.
>
> I have pasted some debugs below
>
> Any help will be appreciated.
>
> = 0x400A
> *Mar 10 02:25:10: ISAKMP: received ke message (1/1)
> *Mar 10 02:25:10: ISAKMP: set new node 0 to QM_IDLE
> *Mar 10 02:25:10: ISAKMP:(0:1:HW:2):SA is still budding. Attached new ipsec request to it. (local 24.86.96.233, remote 209.5.96.157)
> *Mar 10 02:25:10: ISAKMP:(0:1:HW:2): retransmitting phase 1 MM_NO_STATE...
> *Mar 10 02:25:10: ISAKMP:(0:1:HW:2):incrementing error counter on sa:
> retransmit
> phase 1
> *Mar 10 02:25:10: ISAKMP:(0:1:HW:2): retransmitting phase 1 MM_NO_STATE
> *Mar 10 02:25:10: ISAKMP:(0:1:HW:2): sending packet to 209.5.96.157
> my_port 500
> peer_port 500 (I) MM_NO_STATE
> *Mar 10 02:25:20: ISAKMP:(0:1:HW:2): retransmitting phase 1 MM_NO_STATE...
> *Mar 10 02:25:20: ISAKMP:(0:1:HW:2):incrementing error counter on sa:
> retransmit
> phase 1
> *Mar 10 02:25:20: ISAKMP:(0:1:HW:2): retransmitting phase 1 MM_NO_STATE
> *Mar 10 02:25:20: ISAKMP:(0:1:HW:2): sending packet to 209.5.96.157
> my_port 500
> peer_port 500 (I) MM_NO_STATE
> *Mar 10 02:25:28: IPSEC(key_engine): request timer fired: count = 1,
> (identity) local= 24.86.96.233, remote= 209.5.96.157,
> local_proxy= 142.225.0.0/255.255.0.0/0/0 (type=4),
> remote_proxy= 142.225.0.0/255.255.0.0/0/0 (type=4)
> *Mar 10 02:25:28: IPSEC(sa_request): ,
> (key eng. msg.) OUTBOUND local= 24.86.96.233, remote= 209.5.96.157,
> local_proxy= 142.225.0.0/255.255.0.0/0/0 (type=4),
> remote_proxy= 142.225.0.0/255.255.0.0/0/0 (type=4),
> protocol= ESP, transform= esp-3des esp-sha-hmac (Tunnel),
> lifedur= 3600s and 4608000kb,
> spi= 0xD029AD14(3492392212), conn_id= 0, keysize= 0, flags= 0x400A
> *Mar 10 02:25:28: ISAKMP: received ke message (1/1)
> *Mar 10 02:25:28: ISAKMP: set new node 0 to QM_IDLE
> *Mar 10 02:25:28: ISAKMP:(0:1:HW:2):SA is still budding. Attached new ipsec request to it. (local 24.86.96.233, remote 209.5.96.157)
> *Mar 10 02:25:30: ISAKMP:(0:1:HW:2): retransmitting phase 1 MM_NO_STATE...
> *Mar 10 02:25:30: ISAKMP:(0:1:HW:2):incrementing error counter on sa:
> retransmit
> phase 1
> *Mar 10 02:25:30: ISAKMP:(0:1:HW:2): retransmitting phase 1 MM_NO_STATE
> *Mar 10 02:25:30: ISAKMP:(0:1:HW:2): sending packet to 209.5.96.157
> my_port 500
> peer_port 500 (I) MM_NO_STATE
> *Mar 10 02:25:40: IPSEC(key_engine): request timer fired: count = 2,
> (identity) local= 24.86.96.233, remote= 209.5.96.157,
> local_proxy= 142.225.130.0/255.255.255.0/0/0 (type=4),
> remote_proxy= 192.168.0.0/255.255.0.0/0/0 (type=4)
> *Mar 10 02:25:40: ISAKMP: received ke message (3/1)
> *Mar 10 02:25:40: ISAKMP:(0:1:HW:2):peer does not do paranoid keepalives.
>
> *Mar 10 02:25:40: ISAKMP:(0:1:HW:2):deleting SA reason "receive request to delete ike sa" state (I) MM_NO_STATE (peer 209.5.96.157) input queue 0
> *Mar 10 02:25:40: ISAKMP:(0:1:HW:2):deleting SA reason "receive request to delete ike sa" state (I) MM_NO_STATE (peer 209.5.96.157) input queue 0
> *Mar 10 02:25:40: ISAKMP: Unlocking IKE struct 0x824C53A4 for isadb_mark_sa_deleted(), count 0
> *Mar 10 02:25:40: ISAKMP: Deleting peer node by peer_reap for 209.5.96.157: 824C53A4
> *Mar 10 02:25:40: ISAKMP:(0:1:HW:2):deleting node -938513491 error TRUE reason "receive request to delete ike sa"
> *Mar 10 02:25:40: ISAKMP:(0:1:HW:2):deleting node -1343263010 error TRUE reason "receive request to delete ike sa"
> *Mar 10 02:25:40: ISAKMP:(0:1:HW:2):deleting node -2146876017 error TRUE reason "receive request to delete ike sa"
> *Mar 10 02:25:40: ISAKMP:(0:1:HW:2):deleting node -1379398450 error TRUE reason "receive request to delete ike sa"
> *Mar 10 02:25:40: ISAKMP:(0:1:HW:2):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
> *Mar 10 02:25:40: ISAKMP:(0:1:HW:2):Old State = IKE_I_MM1 New State = IKE_DEST_SA
>
> *Mar 10 02:25:50: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 10: Neighbor 142.225.150.134 (Vlan521) is up: new adjacency
> *Mar 10 02:25:58: IPSEC(key_engine): request timer fired: count = 2,
> (identity) local= 24.86.96.233, remote= 209.5.96.157,
> local_proxy= 142.225.0.0/255.255.0.0/0/0 (type=4),
> remote_proxy= 142.225.0.0/255.255.0.0/0/0 (type=4)
> *Mar 10 02:25:58: ISAKMP: received ke message (3/1)
> *Mar 10 02:25:58: ISAKMP:(0:1:HW:2):peer does not do paranoid keepalives.
> Log Buffer (4096 bytes):
> nding packet to 209.5.96.157 my_port 500 peer_port 500 (I) MM_NO_STATE
> *Sep 13 20:57:54: ISAKMP:(0:1:HW:2): retransmitting phase 1 MM_NO_STATE...
> *Sep 13 20:57:54: ISAKMP:(0:1:HW:2):incrementing error counter on sa:
> retransmit phase 1
> *Sep 13 20:57:54: ISAKMP:(0:1:HW:2): retransmitting phase 1 MM_NO_STATE
> *Sep 13 20:57:54: ISAKMP:(0:1:HW:2): sending packet to 209.5.96.157
> my_port 500 peer_port 500 (I) MM_NO_STATE
> *Sep 13 20:58:04: ISAKMP:(0:1:HW:2): retransmitting phase 1 MM_NO_STATE...
> *Sep 13 20:58:04: ISAKMP:(0:1:HW:2):incrementing error counter on sa:
> retransmit phase 1
> *Sep 13 20:58:04: ISAKMP:(0:1:HW:2): retransmitting phase 1 MM_NO_STATE
> *Sep 13 20:58:04: ISAKMP:(0:1:HW:2): sending packet to 209.5.96.157
> my_port 500 peer_port 500 (I) MM_NO_STATE
> *Sep 13 20:58:14: IPSEC(key_engine): request timer fired: count = 1,
> (identity) local= 209.5.255.142, remote= 209.5.96.157,
> local_proxy= 142.225.0.0/255.255.0.0/0/0 (type=4),
> remote_proxy= 172.16.0.0/255.240.0.0/0/0 (type=4)
> *Sep 13 20:58:14: IPSEC(sa_request): ,
> (key eng. msg.) OUTBOUND local= 209.5.255.142, remote= 209.5.96.157,
> local_proxy= 142.225.0.0/255.255.0.0/0/0 (type=4),
> remote_proxy= 172.16.0.0/255.240.0.0/0/0 (type=4),
> protocol= ESP, transform= esp-3des esp-sha-hmac (Tunnel),
> lifedur= 3600s and 4608000kb,
> spi= 0x21BF4A39(566184505), conn_id= 0, keysize= 0, flags= 0x400A
> *Sep 13 20:58:14: ISAKMP: received ke message (1/1)
> *Sep 13 20:58:14: ISAKMP: set new node 0 to QM_IDLE
> *Sep 13 20:58:14: ISAKMP:(0:1:HW:2):SA is still budding. Attached new
> ipsec request to it. (local 209.5.255.142, remote 209.5.96.157)
> *Sep 13 20:58:14: ISAKMP:(0:1:HW:2): retransmitting phase 1 MM_NO_STATE...
> *Sep 13 20:58:14: ISAKMP:(0:1:HW:2):incrementing error counter on sa:
> retransmit phase 1
> *Sep 13 20:58:14: ISAKMP:(0:1:HW:2): retransmitting phase 1 MM_NO_STATE
> *Sep 13 20:58:14: ISAKMP:(0:1:HW:2): sending packet to 209.5.96.157
> my_port 500 peer_port 500 (I) MM_NO_STATE
> *Sep 13 20:58:24: ISAKMP:(0:1:HW:2): retransmitting phase 1 MM_NO_STATE...
> *Sep 13 20:58:24: ISAKMP:(0:1:HW:2):incrementing error counter on sa:
> retransmit phase 1
> *Sep 13 20:58:24: ISAKMP:(0:1:HW:2): retransmitting phase 1 MM_NO_STATE
> *Sep 13 20:58:24: ISAKMP:(0:1:HW:2): sending packet to 209.5.96.157
> my_port 500 peer_port 500 (I) MM_NO_STATE
> *Sep 13 20:58:34: ISAKMP:(0:1:HW:2): retransmitting phase 1 MM_NO_STATE...
> *Sep 13 20:58:34: ISAKMP:(0:1:HW:2):incrementing error counter on sa:
> retransmit phase 1
> *Sep 13 20:58:34: ISAKMP:(0:1:HW:2): retransmitting phase 1 MM_NO_STATE
> *Sep 13 20:58:34: ISAKMP:(0:1:HW:2): sending packet to 209.5.96.157
> my_port 500 peer_port 500 (I) MM_NO_STATE
> Sep 13 20:58:44: IPSEC(key_engine): request timer fired: count = 2,
> (identity) local= 209.5.255.142, remote= 209.5.96.157,
> local_proxy= 142.225.0.0/255.255.0.0/0/0 (type=4),
> remote_proxy= 172.16.0.0/255.240.0.0/0/0 (type=4)
> *Sep 13 20:58:44: ISAKMP: received ke message (3/1)
> *Sep 13 20:58:44: ISAKMP:(0:1:HW:2):peer does not do paranoid keepalives.
> *Sep 13 20:58:44: ISAKMP:(0:1:HW:2):deleting SA reason "receive request to
> delete ike sa" state (I) MM_NO_STATE (peer 209.5.96.157) input queue 0
> *Sep 13 20:58:44: ISAKMP:(0:1:HW:2):deleting SA reason "receive request to
> delete ike sa" state (I) MM_NO_STATE (peer 209.5.96.157) input queue 0
> *Sep 13 20:58:44: ISAKMP: Unlocking IKE struct 0x821712B4 for
> isadb_mark_sa_deleted(), count 0
> *Sep 13 20:58:44: ISAKMP: Deleting peer node by peer_reap for
> 209.5.96.157: 821712B4
> *Sep 13 20:58:44: ISAKMP:(0:1:HW:2):deleting node -862965495 error TRUE
> reason "receive request to delete ike sa"
> *Sep 13 20:58:44: ISAKMP:(0:1:HW:2):deleting node -542169726 error TRUE
> reason "receive request to delete ike sa"
> *Sep 13 20:58:44: ISAKMP:(0:1:HW:2):Input = IKE_MESG_INTERNAL,
> IKE_PHASE1_DEL
> *Sep 13 20:58:44: ISAKMP:(0:1:HW:2):Old State = IKE_I_MM1 New State =
> IKE_DEST_SA
> Sep 13 20:59:34: ISAKMP:(0:1:HW:2):purging node -862965495
> *Sep 13 20:59:34: ISAKMP:(0:1:HW:2):purging node -542169726
> *Sep 13 20:59:44: ISAKMP:(0:1:HW:2):purging SA., sa=829FC038,
> delme=829FC038
> fnbur020#
>
>



This archive was generated by hypermail 2.1.4 : Fri Oct 01 2004 - 15:00:42 GMT-3
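
A triage script for debug output like that quoted above, added here as an example and not part of either post: it rejoins the mail-wrapped lines and reports, per peer, whether any IKE packet came back after the first Main Mode message, which is the symptom a filtered UDP port 500 would produce. The sample log is constructed with documentation addresses, and the "received packet from" line format is an assumption about how inbound packets appear in this debug.

```python
import re
from collections import defaultdict

STAMP = re.compile(r"^\*?[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d: ")
SENT = re.compile(r"sending packet to (\S+)\s+my_port \d+\s+peer_port \d+\s+\([IR]\) (\S+)")
# Assumption: inbound IKE packets are logged as "received packet from <peer> ...".
RECV = re.compile(r"received packet from (\S+)")
DELETED = re.compile(r'deleting SA reason "[^"]*"\s+state \([IR]\) (\S+)\s+\(peer ([^\s)]+)\)')

# Constructed sample (documentation addresses), quoted and mail-wrapped like the post.
SAMPLE = """\
> *Sep 13 20:57:54: ISAKMP:(0:1:HW:2): sending packet to 192.0.2.10
> my_port 500 peer_port 500 (I) MM_NO_STATE
> *Sep 13 20:58:04: ISAKMP:(0:1:HW:2): sending packet to 192.0.2.10
> my_port 500 peer_port 500 (I) MM_NO_STATE
> *Sep 13 20:58:44: ISAKMP:(0:1:HW:2):deleting SA reason "receive request to
> delete ike sa" state (I) MM_NO_STATE (peer 192.0.2.10) input queue 0
> *Sep 13 21:10:01: ISAKMP:(0:2:HW:2): sending packet to 198.51.100.7
> my_port 500 peer_port 500 (I) MM_NO_STATE
> *Sep 13 21:10:01: ISAKMP (0:2): received packet from 198.51.100.7
> dport 500 sport 500 Global (I) MM_NO_STATE
"""

def unwrap(text):
    """Strip '>' quoting and rejoin wrapped lines onto their timestamped record."""
    records = []
    for raw in text.splitlines():
        line = raw.lstrip("> ").rstrip()
        if STAMP.match(line) or not records:
            records.append(line)
        elif line:
            records[-1] += " " + line
    return records

def triage(text):
    """Per peer: IKE packets sent and received, and whether phase 1 got any reply."""
    peers = defaultdict(lambda: {"sent": 0, "received": 0, "states": set(), "deleted_in": None})
    for rec in unwrap(text):
        if m := SENT.search(rec):
            peers[m.group(1)]["sent"] += 1
            peers[m.group(1)]["states"].add(m.group(2))
        elif m := RECV.search(rec):
            peers[m.group(1)]["received"] += 1
        elif m := DELETED.search(rec):
            peers[m.group(2)]["deleted_in"] = m.group(1)
    for p in peers.values():
        # Only first Main Mode messages sent and nothing back: suspect the UDP path.
        p["no_reply"] = p["received"] == 0 and p["states"] == {"MM_NO_STATE"}
    return dict(peers)
```

A peer flagged `no_reply` narrows the fault to the path or the far end rather than to a policy mismatch, since a mismatch would still show an inbound response.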