Debug Help - Cisco Site-to-Site DVTI VPN

cflcrosland

IS-IT--Management
Apr 3, 2012
35
Can anyone help me work out what's going wrong here? I have a main site with two WAN interfaces. The VPN connection can be established on one of the main site's interfaces but not on the other. Here is the debug from the failing connection:

MAIN SITE
HO-RTR01#
*Apr 18 20:19:43.694: ISAKMP (0:0): received packet from 92.22.149.34 dport 500 sport 500 Global (N) NEW SA
*Apr 18 20:19:43.698: ISAKMP: Created a peer struct for 92.22.149.34, peer port 500
*Apr 18 20:19:43.698: ISAKMP: New peer created peer = 0x638D06A0 peer_handle = 0x80000022
*Apr 18 20:19:43.698: ISAKMP: Locking peer struct 0x638D06A0, IKE refcount 1 for crypto_isakmp_process_block
*Apr 18 20:19:43.698: ISAKMP: local port 500, remote port 500
*Apr 18 20:19:43.698: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 637D9260
*Apr 18 20:19:43.698: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Apr 18 20:19:43.698: ISAKMP:(0:0:N/A:0):Old State = IKE_READY New State = IKE_R_MM1

*Apr 18 20:19:43.698: ISAKMP:(0:0:N/A:0): processing SA payload. message ID = 0
*Apr 18 20:19:43.698: ISAKMP:(0:0:N/A:0): processing vendor id payload
*Apr 18 20:19:43.698: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 245 mismatch
*Apr 18 20:19:43.698: ISAKMP (0:0): vendor ID is NAT-T v7
*Apr 18 20:19:43.698: ISAKMP:(0:0:N/A:0): processing vendor id payload
*Apr 18 20:19:43.698: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 157 mismatch
*Apr 18 20:19:43.698: ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v3
*Apr 18 20:19:43.698: ISAKMP:(0:0:N/A:0): processing vendor id payload
*Apr 18 20:19:43.698: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 123 mismatch
*Apr 18 20:19:43.698: ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v2
*Apr 18 20:19:43.698: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 92.22.149.34
*Apr 18 20:19:43.698: ISAKMP:(0:0:N/A:0): local preshared key found
*Apr 18 20:19:43.698: ISAKMP : Scanning profiles for xauth ... VPNClients
*Apr 18 20:19:43.698: ISAKMP:(0:0:N/A:0): Authentication by xauth preshared
*Apr 18 20:19:43.698: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 1 policy
*Apr 18 20:19:43.698: ISAKMP: encryption 3DES-CBC
*Apr 18 20:19:43.698: ISAKMP: hash SHA
*Apr 18 20:19:43.698: ISAKMP: default group 2
*Apr 18 20:19:43.698: ISAKMP: auth pre-share
*Apr 18 20:19:43.698: ISAKMP: life type in seconds
*Apr 18 20:19:43.698: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*Apr 18 20:19:43.702: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 3
*Apr 18 20:19:43.754: ISAKMP:(0:15:SW:1): processing vendor id payload
*Apr 18 20:19:43.754: ISAKMP:(0:15:SW:1): vendor ID seems Unity/DPD but major 245 mismatch
*Apr 18 20:19:43.754: ISAKMP (0:134217743): vendor ID is NAT-T v7
*Apr 18 20:19:43.754: ISAKMP:(0:15:SW:1): processing vendor id payload
*Apr 18 20:19:43.754: ISAKMP:(0:15:SW:1): vendor ID seems Unity/DPD but major 157 mismatch
*Apr 18 20:19:43.754: ISAKMP:(0:15:SW:1): vendor ID is NAT-T v3
*Apr 18 20:19:43.754: ISAKMP:(0:15:SW:1): processing vendor id payload
*Apr 18 20:19:43.754: ISAKMP:(0:15:SW:1): vendor ID seems Unity/DPD but major 123 mismatch
*Apr 18 20:19:43.754: ISAKMP:(0:15:SW:1): vendor ID is NAT-T v2
*Apr 18 20:19:43.754: ISAKMP:(0:15:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Apr 18 20:19:43.754: ISAKMP:(0:15:SW:1):Old State = IKE_R_MM1 New State = IKE_R_MM1

*Apr 18 20:19:43.758: ISAKMP:(0:15:SW:1): constructed NAT-T vendor-07 ID
*Apr 18 20:19:43.758: ISAKMP:(0:15:SW:1): sending packet to 92.22.149.34 my_port 500 peer_port 500 (R) MM_SA_SETUP
*Apr 18 20:19:43.758: ISAKMP:(0:15:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Apr 18 20:19:43.758: ISAKMP:(0:15:SW:1):Old State = IKE_R_MM1 New State = IKE_R_MM2

*Apr 18 20:19:44.190: ISAKMP:(0:14:SW:1):purging SA., sa=638BE9A0, delme=638BE9A0
*Apr 18 20:19:53.698: ISAKMP (0:134217743): received packet from 92.22.149.34 dport 500 sport 500 Global (R) MM_SA_SETUP
*Apr 18 20:19:53.698: ISAKMP:(0:15:SW:1): phase 1 packet is a duplicate of a previous packet.
*Apr 18 20:19:53.698: ISAKMP:(0:15:SW:1): retransmitting due to retransmit phase 1
*Apr 18 20:19:54.198: ISAKMP:(0:15:SW:1): retransmitting phase 1 MM_SA_SETUP...
*Apr 18 20:19:54.198: ISAKMP (0:134217743): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Apr 18 20:19:54.198: ISAKMP:(0:15:SW:1): retransmitting phase 1 MM_SA_SETUP
*Apr 18 20:19:54.198: ISAKMP:(0:15:SW:1): sending packet to 92.22.149.34 my_port 500 peer_port 500 (R) MM_SA_SETUP
*Apr 18 20:20:03.698: ISAKMP (0:134217743): received packet from 92.22.149.34 dport 500 sport 500 Global (R) MM_SA_SETUP
*Apr 18 20:20:03.698: ISAKMP:(0:15:SW:1): phase 1 packet is a duplicate of a previous packet.
*Apr 18 20:20:03.698: ISAKMP:(0:15:SW:1): retransmitting due to retransmit phase 1
*Apr 18 20:20:04.198: ISAKMP:(0:15:SW:1): retransmitting phase 1 MM_SA_SETUP...
*Apr 18 20:20:04.198: ISAKMP (0:134217743): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Apr 18 20:20:04.198: ISAKMP:(0:15:SW:1): retransmitting phase 1 MM_SA_SETUP
*Apr 18 20:20:04.198: ISAKMP:(0:15:SW:1): sending packet to 92.22.149.34 my_port 500 peer_port 500 (R) MM_SA_SETUP
*Apr 18 20:20:13.698: ISAKMP (0:134217743): received packet from 92.22.149.34 dport 500 sport 500 Global (R) MM_SA_SETUP
*Apr 18 20:20:13.698: ISAKMP:(0:15:SW:1): phase 1 packet is a duplicate of a previous packet.
*Apr 18 20:20:13.698: ISAKMP:(0:15:SW:1): retransmitting due to retransmit phase 1
*Apr 18 20:20:14.198: ISAKMP:(0:15:SW:1): retransmitting phase 1 MM_SA_SETUP...
*Apr 18 20:20:14.198: ISAKMP (0:134217743): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
*Apr 18 20:20:14.198: ISAKMP:(0:15:SW:1): retransmitting phase 1 MM_SA_SETUP
*Apr 18 20:20:14.198: ISAKMP:(0:15:SW:1): sending packet to 92.22.149.34 my_port 500 peer_port 500 (R) MM_SA_SETUP
*Apr 18 20:20:23.702: ISAKMP (0:134217743): received packet from 92.22.149.34 dport 500 sport 500 Global (R) MM_SA_SETUP
*Apr 18 20:20:23.702: ISAKMP:(0:15:SW:1): phase 1 packet is a duplicate of a previous packet.
*Apr 18 20:20:23.702: ISAKMP:(0:15:SW:1): retransmitting due to retransmit phase 1
*Apr 18 20:20:24.202: ISAKMP:(0:15:SW:1): retransmitting phase 1 MM_SA_SETUP...
*Apr 18 20:20:24.202: ISAKMP (0:134217743): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
*Apr 18 20:20:24.202: ISAKMP:(0:15:SW:1): retransmitting phase 1 MM_SA_SETUP
*Apr 18 20:20:24.202: ISAKMP:(0:15:SW:1): sending packet to 92.22.149.34 my_port 500 peer_port 500 (R) MM_SA_SETUP
*Apr 18 20:20:33.702: ISAKMP (0:134217743): received packet from 92.22.149.34 dport 500 sport 500 Global (R) MM_SA_SETUP
*Apr 18 20:20:33.702: ISAKMP:(0:15:SW:1): phase 1 packet is a duplicate of a previous packet.
*Apr 18 20:20:33.702: ISAKMP:(0:15:SW:1): retransmitting due to retransmit phase 1
*Apr 18 20:20:34.202: ISAKMP:(0:15:SW:1): retransmitting phase 1 MM_SA_SETUP...
*Apr 18 20:20:34.202: ISAKMP (0:134217743): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
*Apr 18 20:20:34.202: ISAKMP:(0:15:SW:1): retransmitting phase 1 MM_SA_SETUP
*Apr 18 20:20:34.202: ISAKMP:(0:15:SW:1): sending packet to 92.22.149.34 my_port 500 peer_port 500 (R) MM_SA_SETUP
*Apr 18 20:20:44.202: ISAKMP:(0:15:SW:1): retransmitting phase 1 MM_SA_SETUP...
*Apr 18 20:20:44.202: ISAKMP:(0:15:SW:1):peer does not do paranoid keepalives.

*Apr 18 20:20:44.202: ISAKMP:(0:15:SW:1):deleting SA reason "Death by retransmission P1" state (R) MM_SA_SETUP (peer 92.22.149.34)
*Apr 18 20:20:44.202: ISAKMP:(0:15:SW:1):deleting SA reason "Death by retransmission P1" state (R) MM_SA_SETUP (peer 92.22.149.34)
*Apr 18 20:20:44.202: ISAKMP: Unlocking IKE struct 0x638D06A0 for isadb_mark_sa_deleted(), count 0
*Apr 18 20:20:44.202: ISAKMP: Deleting peer node by peer_reap for 92.22.149.34: 638D06A0
*Apr 18 20:20:44.202: ISAKMP:(0:15:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Apr 18 20:20:44.202: ISAKMP:(0:15:SW:1):Old State = IKE_R_MM2 New State = IKE_DEST_SA

REMOTE SITE
remote-02#
.Apr 18 20:19:40.369: ISAKMP: received ke message (1/1)
.Apr 18 20:19:40.373: ISAKMP:(0:0:N/A:0): SA request profile is (NULL)
.Apr 18 20:19:40.373: ISAKMP: Created a peer struct for 195.137.6.6, peer port 500
.Apr 18 20:19:40.373: ISAKMP: New peer created peer = 0x82C5BD20 peer_handle = 0x80000024
.Apr 18 20:19:40.373: ISAKMP: Locking peer struct 0x82C5BD20, IKE refcount 1 for isakmp_initiator
.Apr 18 20:19:40.373: ISAKMP: local port 500, remote port 500
.Apr 18 20:19:40.373: ISAKMP: set new node 0 to QM_IDLE
.Apr 18 20:19:40.373: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 82E328B8
.Apr 18 20:19:40.373: ISAKMP:(0:0:N/A:0):Can not start Aggressive mode, trying Main mode.
.Apr 18 20:19:40.377: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 195.137.6.6
.Apr 18 20:19:40.377: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-07 ID
.Apr 18 20:19:40.377: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-03 ID
.Apr 18 20:19:40.377: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-02 ID
.Apr 18 20:19:40.377: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
.Apr 18 20:19:40.377: ISAKMP:(0:0:N/A:0):Old State = IKE_READY New State = IKE_I_MM1

.Apr 18 20:19:40.381: ISAKMP:(0:0:N/A:0): beginning Main Mode exchange
remote-02#
.Apr 18 20:19:40.381: ISAKMP:(0:0:N/A:0): sending packet to 195.137.6.6 my_port 500 peer_port 500 (I) MM_NO_STATE
.Apr 18 20:19:40.381: ISAKMP:(0:0:N/A:0):purging SA., sa=82E34920, delme=82E34920
remote-02#
.Apr 18 20:19:50.381: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...
.Apr 18 20:19:50.381: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
.Apr 18 20:19:50.381: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE
.Apr 18 20:19:50.381: ISAKMP:(0:0:N/A:0): sending packet to 195.137.6.6 my_port 500 peer_port 500 (I) MM_NO_STATE
remote-02#
.Apr 18 20:20:00.381: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...
.Apr 18 20:20:00.381: ISAKMP (0:0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
.Apr 18 20:20:00.381: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE
.Apr 18 20:20:00.381: ISAKMP:(0:0:N/A:0): sending packet to 195.137.6.6 my_port 500 peer_port 500 (I) MM_NO_STATE
remote-02#
.Apr 18 20:20:10.369: ISAKMP: received ke message (1/1)
.Apr 18 20:20:10.369: ISAKMP: set new node 0 to QM_IDLE
.Apr 18 20:20:10.369: ISAKMP:(0:0:N/A:0):SA is still budding. Attached new ipsec request to it. (local 92.22.149.34, remote 195.137.6.6)
.Apr 18 20:20:10.381: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...
.Apr 18 20:20:10.381: ISAKMP (0:0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
.Apr 18 20:20:10.381: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE
.Apr 18 20:20:10.381: ISAKMP:(0:0:N/A:0): sending packet to 195.137.6.6 my_port 500 peer_port 500 (I) MM_NO_STATE
remote-02#
.Apr 18 20:20:20.381: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...
.Apr 18 20:20:20.381: ISAKMP (0:0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
.Apr 18 20:20:20.381: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE
.Apr 18 20:20:20.381: ISAKMP:(0:0:N/A:0): sending packet to 195.137.6.6 my_port 500 peer_port 500 (I) MM_NO_STATE
remote-02#
.Apr 18 20:20:30.381: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...
.Apr 18 20:20:30.381: ISAKMP (0:0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
.Apr 18 20:20:30.381: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE
.Apr 18 20:20:30.381: ISAKMP:(0:0:N/A:0): sending packet to 195.137.6.6 my_port 500 peer_port 500 (I) MM_NO_STATE
remote-02#
.Apr 18 20:20:40.369: ISAKMP: received ke message (3/1)
.Apr 18 20:20:40.369: ISAKMP:(0:0:N/A:0):peer does not do paranoid keepalives.

.Apr 18 20:20:40.369: ISAKMP:(0:0:N/A:0):deleting SA reason "P1 delete notify (in)" state (I) MM_NO_STATE (peer 195.137.6.6)
.Apr 18 20:20:40.373: ISAKMP:(0:0:N/A:0):deleting SA reason "P1 delete notify (in)" state (I) MM_NO_STATE (peer 195.137.6.6)
.Apr 18 20:20:40.373: ISAKMP: Unlocking IKE struct 0x82C5BD20 for isadb_mark_sa_deleted(), count 0
.Apr 18 20:20:40.373: ISAKMP: Deleting peer node by peer_reap for 195.137.6.6: 82C5BD20
.Apr 18 20:20:40.377: ISAKMP:(0:0:N/A:0):deleting node -1634220772 error FALSE reason "IKE deleted"
remote-02#
.Apr 18 20:20:40.377: ISAKMP:(0:0:N/A:0):deleting node 1491622890 error FALSE reason "IKE deleted"
.Apr 18 20:20:40.377: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
.Apr 18 20:20:40.377: ISAKMP:(0:0:N/A:0):Old State = IKE_I_MM1 New State = IKE_DEST_SA
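
A small triage script for the two captures above, added here as an example and not part of the original post: it counts the IKE packets each router reports sending and receiving and reports which direction of the Main Mode exchange is not arriving. The sample lines are a constructed subset of the poster's debug output, and the function names are hypothetical.

```python
import re

# Constructed sample: a few lines taken from the two debug captures in the post.
RESPONDER_LOG = """\
*Apr 18 20:19:43.694: ISAKMP (0:0): received packet from 92.22.149.34 dport 500 sport 500 Global (N) NEW SA
*Apr 18 20:19:43.758: ISAKMP:(0:15:SW:1): sending packet to 92.22.149.34 my_port 500 peer_port 500 (R) MM_SA_SETUP
*Apr 18 20:19:53.698: ISAKMP (0:134217743): received packet from 92.22.149.34 dport 500 sport 500 Global (R) MM_SA_SETUP
*Apr 18 20:19:53.698: ISAKMP:(0:15:SW:1): phase 1 packet is a duplicate of a previous packet.
*Apr 18 20:20:44.202: ISAKMP:(0:15:SW:1):deleting SA reason "Death by retransmission P1" state (R) MM_SA_SETUP (peer 92.22.149.34)
"""
INITIATOR_LOG = """\
.Apr 18 20:19:40.381: ISAKMP:(0:0:N/A:0): sending packet to 195.137.6.6 my_port 500 peer_port 500 (I) MM_NO_STATE
.Apr 18 20:19:50.381: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
.Apr 18 20:19:50.381: ISAKMP:(0:0:N/A:0): sending packet to 195.137.6.6 my_port 500 peer_port 500 (I) MM_NO_STATE
.Apr 18 20:20:40.369: ISAKMP:(0:0:N/A:0):deleting SA reason "P1 delete notify (in)" state (I) MM_NO_STATE (peer 195.137.6.6)
"""

PKT = re.compile(r"ISAKMP.*?(received packet from|sending packet to) (\d+\.\d+\.\d+\.\d+)")
DUP = re.compile(r"phase 1 packet is a duplicate")
DEL = re.compile(r'deleting SA reason "([^"]+)" state \(([IR])\) (\S+)')

def summarize(log):
    """Count IKE packets sent/received and duplicates; record how the SA was torn down."""
    s = {"sent": 0, "received": 0, "duplicates": 0,
         "role": None, "state": None, "reason": None}
    for line in log.splitlines():
        if m := PKT.search(line):
            s["received" if m.group(1).startswith("received") else "sent"] += 1
        if DUP.search(line):
            s["duplicates"] += 1
        if m := DEL.search(line):
            s["reason"], s["role"], s["state"] = m.groups()
    return s

def lost_direction(responder, initiator):
    """Name the direction of the Main Mode exchange that never arrives."""
    if initiator["sent"] and not responder["received"]:
        return "initiator->responder"   # first Main Mode message never reaches the responder
    if responder["sent"] and not initiator["received"]:
        return "responder->initiator"   # the reply is sent but never reaches the initiator
    return "none"

if __name__ == "__main__":
    r, i = summarize(RESPONDER_LOG), summarize(INITIATOR_LOG)
    print(r, i, lost_direction(r, i), sep="\n")
```

On these lines the result is `responder->initiator`: HO-RTR01 logs the incoming request and its own reply to 92.22.149.34, while remote-02 never logs a received packet and stays in MM_NO_STATE.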
 