
PIX to 827 Router vpn tunnel can only be started in one direction

Status
Not open for further replies.

paulmcl

MIS
Feb 4, 2003
5
GB
Can't work this out - anyone any thoughts......

Site1 PIX with many working vpn tunnels
Site2 827 Router with working vpn config

When the tunnel is up it works okay in both directions. If the tunnel is left idle it stops responding: pings from hosts behind the 827 to hosts behind the PIX fail. If you ping in reverse (PIX hosts to 827 hosts) the tunnel starts working and all hosts can ping each other in both directions.

I also have a similar problem using PIX to 827 (another two sites, not connected) and if the tunnel idles it can only be restarted from the 827 side - exactly the opposite!

Thanks in advance.

Regards

Paul
 
Yizhar,

Thanks for the reply. As requested, the config sections and debugs are below; it appears to be a phase 2 error but I'm not sure how to resolve it.

Sorry for length of info.....

Regards

Paul


Relevant PIX config sections....

PIX Version 6.2(2)

access-list 100 permit ip 192.168.0.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list 151 permit ip 192.168.0.0 255.255.255.0 192.168.10.0 255.255.255.0
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 20 set transform-set myset
crypto map newmap 24 ipsec-isakmp
crypto map newmap 24 match address 151
crypto map newmap 24 set peer 200.10.10.10
crypto map newmap 24 set transform-set myset
crypto map newmap client configuration address initiate
crypto map newmap client configuration address respond
crypto map newmap client authentication partnerauth
crypto map newmap interface outside
isakmp enable outside
isakmp key ******** address 200.10.10.10 netmask 255.255.255.255
isakmp keepalive 60 30
isakmp client configuration address-pool local bigpool outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup 3000-all address-pool bigpool
vpngroup 3000-all wins-server 192.168.0.40
vpngroup 3000-all default-domain password
vpngroup 3000-all split-tunnel 123
vpngroup 3000-all idle-time 48600
vpngroup 3000-all password ********

Relevant 827 config sections....

crypto isakmp policy 2
hash md5
authentication pre-share
group 2
crypto isakmp key 123456 address 200.99.99.99
crypto isakmp keepalive 60 30
crypto ipsec transform-set LINK esp-des esp-md5-hmac
crypto map nolan 2 ipsec-isakmp
set peer 200.99.99.99
set transform-set LINK
match address 120
interface Dialer1
crypto map nolan
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 120 permit ip 192.168.10.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 130 deny ip 192.168.10.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 130 permit ip 192.168.10.0 0.0.0.255 any
route-map nonat permit 10
match ip address 130


**** 827 debugs (crypto ipsec, isakmp and engine)

remote827#
1d22h: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 200.10.10.10, remote= 200.99.99.99,
local_proxy= 192.168.10.0/255.255.255.0/0/0 (type=4),
remote_proxy= 192.168.0.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-des esp-md5-hmac ,
lifedur= 3600s and 4608000kb,
spi= 0x49524CA4(1230130340), conn_id= 0, keysize= 0, flags= 0x400C
1d22h: ISAKMP: received ke message (1/1)
1d22h: ISAKMP (0:0): no idb in request
1d22h: ISAKMP: local port 500, remote port 500
1d22h: ISAKMP: set new node 0 to QM_IDLE
1d22h: ISAKMP (0:1): Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Old State = IKE_READY New State = IKE_I_MM1

1d22h: ISAKMP (0:1): beginning Main Mode exchange
1d22h: ISAKMP (0:1): sending packet to 200.99.99.99 (I) MM_NO_STATE
1d22h: ISAKMP (0:1): received packet from 200.99.99.99 (I) MM_NO_STATE
1d22h: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Old State = IKE_I_MM1 New State = IKE_I_MM2

1d22h: ISAKMP (0:1): processing SA payload. message ID = 0
1d22h: ISAKMP (0:1): found peer pre-shared key matching 200.99.99.99
1d22h: ISAKMP (0:1) local preshared key found
1d22h: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 2 policy
1d22h: ISAKMP: encryption DES-CBC
1d22h: ISAKMP: hash MD5
1d22h: ISAKMP: default group 2
1d22h: ISAKMP: auth pre-share
1d22h: ISAKMP: life type in seconds
1d22h: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
1d22h: ISAKMP (0:1): atts are acceptable. Next payload is 0
1d22h: CryptoEngine0: generate alg parameter
1d22h: CRYPTO_ENGINE: Dh phase 1 status: 0
1d22h: CRYPTO_ENGINE: Dh phase 1 status: 0
1d22h: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Old State = IKE_I_MM2 New State = IKE_I_MM2

1d22h: ISAKMP (0:1): sending packet to 200.99.99.99 (I) MM_SA_SETUP
1d22h: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Old State = IKE_I_MM2 New State = IKE_I_MM3

1d22h: ISAKMP (0:1): received packet from 200.99.99.99 (I) MM_SA_SETUP
1d22h: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Old State = IKE_I_MM3 New State = IKE_I_MM4

1d22h: ISAKMP (0:1): processing KE payload. message ID = 0
1d22h: CryptoEngine0: generate alg parameter
1d22h: ISAKMP (0:1): processing NONCE payload. message ID = 0
1d22h: ISAKMP (0:1): found peer pre-shared key matching 200.99.99.99
1d22h: CryptoEngine0: create ISAKMP SKEYID for conn id 1
1d22h: ISAKMP (0:1): SKEYID state generated
1d22h: ISAKMP (0:1): processing vendor id payload
1d22h: ISAKMP (0:1): vendor ID is Unity
1d22h: ISAKMP (0:1): processing vendor id payload
1d22h: ISAKMP (0:1): vendor ID is DPD
1d22h: ISAKMP (0:1): processing vendor id payload
1d22h: ISAKMP (0:1): speaking to another IOS box!
1d22h: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Old State = IKE_I_MM4 New State = IKE_I_MM4

1d22h: ISAKMP (0:1): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
1d22h: ISAKMP (1): ID payload
next-payload : 8
type : 1
protocol : 17
port : 500
length : 8
1d22h: ISAKMP (1): Total payload length: 12
1d22h: CryptoEngine0: generate hmac context for conn id 1
1d22h: ISAKMP (0:1): sending packet to 200.99.99.99 (I) MM_KEY_EXCH
1d22h: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Old State = IKE_I_MM4 New State = IKE_I_MM5

1d22h: ISAKMP (0:1): received packet from 200.99.99.99 (I) MM_KEY_EXCH
1d22h: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Old State = IKE_I_MM5 New State = IKE_I_MM6

1d22h: ISAKMP (0:1): processing ID payload. message ID = 0
1d22h: ISAKMP (0:1): processing HASH payload. message ID = 0
1d22h: CryptoEngine0: generate hmac context for conn id 1
1d22h: ISAKMP (0:1): SA has been authenticated with 200.99.99.99
1d22h: ISAKMP (0:1): IKE_DPD is enabled, initializing timers
1d22h: ISAKMP: Locking DPD struct 0x81E039AC from crypto_ikmp_dpd_ike_init, count 1
1d22h: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Old State = IKE_I_MM6 New State = IKE_I_MM6

1d22h: ISAKMP (0:1): received packet from 200.99.99.99 (I) MM_KEY_EXCH
1d22h: ISAKMP: set new node -1397737283 to QM_IDLE
1d22h: CryptoEngine0: generate hmac context for conn id 1
1d22h: ISAKMP (0:1): processing HASH payload. message ID = -1397737283
1d22h: ISAKMP (0:1): processing NOTIFY INITIAL_CONTACT protocol 1
spi 0, message ID = -1397737283, sa = 81E45634
1d22h: ISAKMP (0:1): Process initial contact, bring down existing phase 1 and 2 SA's
1d22h: ISAKMP (0:1): peer does not do paranoid keepalives.

1d22h: ISAKMP (0:1): deleting node -1397737283 error FALSE reason "informational (in) state 1"
1d22h: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Old State = IKE_I_MM6 New State = IKE_I_MM6

1d22h: CryptoEngine0: clear dh number for conn id 1
1d22h: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE

1d22h: IPSEC(key_engine): got a queue event...
1d22h: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
1d22h: IPSEC(key_engine_delete_sas): delete all SAs shared with 200.99.99.99
1d22h: ISAKMP (0:1): beginning Quick Mode exchange, M-ID of 1535243735
1d22h: CryptoEngine0: generate hmac context for conn id 1
1d22h: ISAKMP (0:1): sending packet to 200.99.99.99 (I) QM_IDLE
1d22h: ISAKMP (0:1): Node 1535243735, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
Old State = IKE_QM_READY New State = IKE_QM_I_QM1

1d22h: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

1d22h: ISAKMP (0:1): retransmitting phase 2 QM_IDLE 1535243735 ...
1d22h: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 2
1d22h: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 2
1d22h: ISAKMP (0:1): retransmitting phase 2 1535243735 QM_IDLE
1d22h: ISAKMP (0:1): sending packet to 200.99.99.99 (I) QM_IDLE
1d22h: ISAKMP (0:1): retransmitting phase 2 QM_IDLE 1535243735 ...
1d22h: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 2
1d22h: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 2
1d22h: ISAKMP (0:1): retransmitting phase 2 1535243735 QM_IDLE
1d22h: ISAKMP (0:1): sending packet to 200.99.99.99 (I) QM_IDLE
1d22h: IPSEC(key_engine): request timer fired: count = 1,
(identity) local= 200.10.10.10, remote= 200.99.99.99,
local_proxy= 192.168.10.0/255.255.255.0/0/0 (type=4),
remote_proxy= 192.168.0.0/255.255.255.0/0/0 (type=4)
1d22h: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 200.10.10.10, remote= 200.99.99.99,
local_proxy= 192.168.10.0/255.255.255.0/0/0 (type=4),
remote_proxy= 192.168.0.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-des esp-md5-hmac ,
lifedur= 3600s and 4608000kb,
spi= 0x7EB94AFB(2126072571), conn_id= 0, keysize= 0, flags= 0x400C
1d22h: ISAKMP: received ke message (1/1)
1d22h: ISAKMP: set new node 0 to QM_IDLE
1d22h: ISAKMP (0:1): sitting IDLE. Starting QM immediately (QM_IDLE )
1d22h: ISAKMP (0:1): beginning Quick Mode exchange, M-ID of 1664374500
1d22h: CryptoEngine0: generate hmac context for conn id 1
1d22h: ISAKMP (0:1): sending packet to 200.99.99.99 (I) QM_IDLE
1d22h: ISAKMP (0:1): Node 1664374500, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
Old State = IKE_QM_READY New State = IKE_QM_I_QM1

1d22h: ISAKMP (0:1): retransmitting phase 2 QM_IDLE 1535243735 ...
1d22h: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 2
1d22h: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 2
1d22h: ISAKMP (0:1): retransmitting phase 2 1535243735 QM_IDLE
1d22h: ISAKMP (0:1): sending packet to 200.99.99.99 (I) QM_IDLE
1d22h: ISAKMP (0:1): retransmitting phase 2 QM_IDLE 1664374500 ...
1d22h: ISAKMP (0:1): peer does not do paranoid keepalives.

1d22h: ISAKMP (0:1): deleting SA reason "death by retransmission P2" state (I) QM_IDLE (peer 200.99.99.99) input queue 0
1d22h: ISAKMP: set new node -927063943 to QM_IDLE
1d22h: CryptoEngine0: generate hmac context for conn id 1
1d22h: ISAKMP (0:1): sending packet to 200.99.99.99 (I) QM_IDLE
1d22h: ISAKMP (0:1): purging node -927063943
1d22h: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA

1d22h: ISAKMP (0:1): deleting SA reason "" state (I) QM_IDLE (peer 200.99.99.99) input queue 0
1d22h: ISAKMP (0:1): deleting node 1535243735 error FALSE reason ""
1d22h: ISAKMP (0:1): deleting node 1664374500 error FALSE reason ""
1d22h: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Old State = IKE_DEST_SA New State = IKE_DEST_SA

1d22h: ISAKMP (0:1): purging node -1397737283
remote827#
remote827#
1d22h: IPSEC(key_engine): request timer fired: count = 2,
(identity) local= 200.10.10.10, remote= 200.99.99.99,
local_proxy= 192.168.10.0/255.255.255.0/0/0 (type=4),
remote_proxy= 192.168.0.0/255.255.255.0/0/0 (type=4)
1d22h: ISAKMP: received ke message (3/1)
1d22h: ISAKMP: ignoring request to send delete notify (no ISAKMP sa) src 200.10.10.10 dst 200.99.99.99 for SPI 0x0
1d22h: ISAKMP (0:1): purging node 1535243735
1d22h: ISAKMP (0:1): purging node 1664374500
1d22h: ISAKMP (0:1): purging SA., sa=81E45634, delme=81E45634
1d22h: ISAKMP: Unlocking DPD struct 0x81E039AC for declare_sa_dead(), count 0
1d22h: CryptoEngine0: delete connection 1
1d22h: CryptoEngine0: delete connection 1


**** PIX debugs (crypto ipsec, isakmp and engine)

ISADB: reaper checking SA 0x8152aa18, conn_id = 0
ISADB: reaper checking SA 0x81522998, conn_id = 0
ISADB: reaper checking SA 0x815209e8, conn_id = 0
crypto_isakmp_process_block: src 200.10.10.10, dest 200.99.99.99
VPN Peer: ISAKMP: Added new peer: ip:200.10.10.10 Total VPN Peers:5
VPN Peer: ISAKMP: Peer ip:200.10.10.10 Ref cnt incremented to:1 Total VPN Peers:5
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_FQDN
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src 200.10.10.10, dest 200.99.99.99
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

ISAKMP (0): processing vendor id payload

ISAKMP (0): processing vendor id payload

ISAKMP (0): remote peer supports dead peer detection

ISAKMP (0): processing vendor id payload

ISAKMP (0): speaking to another IOS box!

ISAKMP (0): processing vendor id payload

ISAKMP (0): received xauth v6 vendor id

return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src 200.10.10.10, dest 200.99.99.99
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): SA has been authenticated

ISAKMP (0): ID payload
next-payload : 8
type : 2
protocol : 17
port : 500
length : 25
ISAKMP (0): Total payload length: 29
return status is IKMP_NO_ERROR
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending NOTIFY message 24578 protocol 1
ISAKMP (0): sending INITIAL_CONTACT notify
crypto_isakmp_process_block: src 200.10.10.10, dest 200.99.99.99
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
return status is IKMP_ERR_RETRANS
crypto_isakmp_process_block: src 200.10.10.10, dest 200.99.99.99
ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
crypto_isakmp_process_block: src 200.10.10.10, dest 200.99.99.99
ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
crypto_isakmp_process_block: src 200.10.10.10, dest 200.99.99.99
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
return status is IKMP_ERR_RETRANS
crypto_isakmp_process_block: src 200.10.10.10, dest 200.99.99.99
ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
crypto_isakmp_process_block: src 200.10.10.10, dest 200.99.99.99
ISAKMP (0): processing DELETE payload. message ID = 2142982354
ISAKMP (0): deleting SA: src 200.10.10.10, dst 200.99.99.99
return status is IKMP_NO_ERR_NO_TRANS
ISADB: reaper checking SA 0x8152aa18, conn_id = 0
ISADB: reaper checking SA 0x81522998, conn_id = 0
ISADB: reaper checking SA 0x815209e8, conn_id = 0
ISADB: reaper checking SA 0x81537b00, conn_id = 0 DELETE IT!

VPN Peer: ISAKMP: Peer ip:200.10.10.10 Ref cnt decremented to:0 Total VPN Peers:5
VPN Peer: ISAKMP: Deleted peer: ip:200.10.10.10 Total VPN peers:4
IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with 200.10.10.10

ISADB: reaper checking SA 0x8152aa18, conn_id = 0
ISADB: reaper checking SA 0x81522998, conn_id = 0
ISADB: reaper checking SA 0x815209e8, conn_id = 0


 
Hi.

I have so far looked at the configuration only (not at the debug output).
I don't remember if the default timeouts are the same in IOS and PIX, so you should verify this by manually setting timeouts for IPSec.
Use "show crypto ..." commands at both the pix and the router to verify that they use the exact same values.
Remember that there are timeouts for ISAKMP (phase 1) and for IPSEC (phase 2). You should verify matching values for all parameters.

And another thing:
> crypto map newmap client configuration address initiate
> crypto map newmap client configuration address respond
> crypto map newmap client authentication partnerauth
> isakmp key ******** address 200.10.10.10 netmask 255.255.255.255

At the pix, try to add the parameters "no-xauth" and "no-configmode" to the last line above.

Bye
Yizhar Hurwitz
 
Yizhar,

Access-lists are matching - surely it would not work at all if the access-lists were not matching?

Had a look also for timeout parameters - I cannot see a command on the router or PIX to verify these - can you advise what command(s) I should be using?


Jerph,

Not resolved unfortunately. I have spoken to Cisco TAC at length regarding this problem and it has been escalated, but they do not know what is causing the problem. They want me to run this debug and that debug, sniff packets and various other tests - I have asked if they can replicate the problem in their labs but they refuse to do this - they offered to connect into the PIX but could not do it with the Cisco VPN client as I suggested cause it is a security risk?!? - using their own product a security risk - what a bloody joke! I am currently thinking there is a bug/mismatch between the IOS and PIX software because the config is correct (it is the one from the Cisco site).

Anyway enough moaning - what IOS on your router and what PIX software version do you use? Let me know and I will compare.

Current workaround is a batch file that sends a ping packet every 10 minutes to keep the tunnel active - not exactly the solution I can recommend to clients!!

Regards

Paul
 
Hi paulmcl,

My configuration :

PIX 515 failover, DES
6.2(2)

Router 1721 with IOS 12.2(13)T

"Current workaround is a batch file that sends a ping packet every 10 minutes to keep the tunnel active - not exactly the solution I can recommend to clients!!"

;o)

for timeout parameters, you can use this :
sh crypto map policy (show lifetime...)

My access-lists are matching and my debug is the same :

Router debugs : (debug crypto isakmp)

20:53:24: ISAKMP: received ke message (1/1)
20:53:24: ISAKMP (0:0): no idb in request
20:53:24: ISAKMP: local port 500, remote port 500
20:53:24: ISAKMP: set new node 0 to QM_IDLE
20:53:24: ISAKMP (0:5): constructed NAT-T vendor-03 ID
20:53:24: ISAKMP (0:5): constructed NAT-T vendor-02 ID
20:53:24: ISAKMP (0:5): Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
20:53:24: ISAKMP (0:5): Old State = IKE_READY New State = IKE_I_MM1

20:53:24: ISAKMP (0:5): beginning Main Mode exchange
20:53:24: ISAKMP (0:5): sending packet to @IP PIX my_port 500 peer_port 500 (I) MM_NO_STATE
20:53:24: ISAKMP (0:5): received packet from @IP PIX dport 500 sport 500 (I) MM_NO_STATE
20:53:24: ISAKMP (0:5): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
20:53:24: ISAKMP (0:5): Old State = IKE_I_MM1 New State = IKE_I_MM2

20:53:24: ISAKMP (0:5): processing SA payload. message ID = 0
20:53:24: ISAKMP (0:5): found peer pre-shared key matching @IP PIX
20:53:24: ISAKMP (0:5) local preshared key found
20:53:24: ISAKMP (0:5): Checking ISAKMP transform 1 against priority 10 policy
20:53:24: ISAKMP: encryption DES-CBC
20:53:24: ISAKMP: hash MD5
20:53:24: ISAKMP: default group 2
20:53:24: ISAKMP: auth pre-share
20:53:24: ISAKMP: life type in seconds
20:53:24: ISAKMP: life duration (basic) of 3600
20:53:24: ISAKMP (0:5): atts are acceptable. Next payload is 0
20:53:24: ISAKMP (0:5): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
20:53:24: ISAKMP (0:5): Old State = IKE_I_MM2 New State = IKE_I_MM2

20:53:24: ISAKMP (0:5): sending packet to @IP PIX my_port 500 peer_port 500 (I) MM_SA_SETUP
20:53:24: ISAKMP (0:5): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
20:53:24: ISAKMP (0:5): Old State = IKE_I_MM2 New State = IKE_I_MM3

20:53:24: ISAKMP (0:5): received packet from @IP PIX dport 500 sport 500 (I) MM_SA_SETUP
20:53:24: ISAKMP (0:5): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
20:53:24: ISAKMP (0:5): Old State = IKE_I_MM3 New State = IKE_I_MM4

20:53:24: ISAKMP (0:5): processing KE payload. message ID = 0
20:53:25: ISAKMP (0:5): processing NONCE payload. message ID = 0
20:53:25: ISAKMP (0:5): found peer pre-shared key matching @IP PIX
20:53:25: ISAKMP (0:5): SKEYID state generated
20:53:25: ISAKMP (0:5): processing vendor id payload
20:53:25: ISAKMP (0:5): vendor ID is Unity
20:53:25: ISAKMP (0:5): vendor ID is NAT-T
20:53:25: ISAKMP (0:5): processing vendor id payload
20:53:25: ISAKMP (0:5): vendor ID is DPD
20:53:25: ISAKMP (0:5): vendor ID is NAT-T
20:53:25: ISAKMP (0:5): processing vendor id payload
20:53:25: ISAKMP (0:5): speaking to another IOS box!
20:53:25: ISAKMP (0:5): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
20:53:25: ISAKMP (0:5): Old State = IKE_I_MM4 New State = IKE_I_MM4

20:53:25: ISAKMP (0:5): Send initial contact
20:53:25: ISAKMP (0:5): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
20:53:25: ISAKMP (5): ID payload
next-payload : 8
type : 1
addr : @IP ROUTER
protocol : 17
port : 0
length : 8
20:53:25: ISAKMP (5): Total payload length: 12
20:53:25: ISAKMP (0:5): sending packet to @IP PIX my_port 500 peer_port 500 (I) MM_KEY_EXCH
20:53:25: ISAKMP (0:5): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
20:53:25: ISAKMP (0:5): Old State = IKE_I_MM4 New State = IKE_I_MM5

20:53:25: ISAKMP (0:5): received packet from @IP PIX dport 500 sport 500 (I) MM_KEY_EXCH
20:53:25: ISAKMP (0:5): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
20:53:25: ISAKMP (0:5): Old State = IKE_I_MM5 New State = IKE_I_MM6

20:53:25: ISAKMP (0:5): processing ID payload. message ID = 0
20:53:25: ISAKMP (0:5): processing HASH payload. message ID = 0
20:53:25: ISAKMP (0:5): SA has been authenticated with @IP PIX
20:53:25: ISAKMP (0:5): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
20:53:25: ISAKMP (0:5): Old State = IKE_I_MM6 New State = IKE_I_MM6

20:53:25: ISAKMP (0:5): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
20:53:25: ISAKMP (0:5): Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE

20:53:25: ISAKMP (0:5): beginning Quick Mode exchange, M-ID of -1862961801
20:53:25: ISAKMP (0:5): sending packet to @IP PIX my_port 500 peer_port 500 (I) QM_IDLE
20:53:25: ISAKMP (0:5): Node -1862961801, Input = IKE_MESG_INTERNAL, IKE_INIT_QM

20:53:25: ISAKMP (0:5): Old State = IKE_QM_READY New State = IKE_QM_I_QM1
20:53:25: ISAKMP (0:5): Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
20:53:25: ISAKMP (0:5): Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE


20:53:35: ISAKMP (0:5): retransmitting phase 2 QM_IDLE -1862961801 ...
20:53:35: ISAKMP (0:5): incrementing error counter on sa: retransmit phase 2
20:53:35: ISAKMP (0:5): incrementing error counter on sa: retransmit phase 2
20:53:35: ISAKMP (0:5): retransmitting phase 2 -1862961801 QM_IDLE
20:53:35: ISAKMP (0:5): sending packet to @IP PIX my_port 500 peer_port 500 (I) QM_IDLE
20:53:45: ISAKMP (0:5): retransmitting phase 2 QM_IDLE -1862961801 ...
20:53:45: ISAKMP (0:5): incrementing error counter on sa: retransmit phase 2
20:53:45: ISAKMP (0:5): incrementing error counter on sa: retransmit phase 2
20:53:45: ISAKMP (0:5): retransmitting phase 2 -1862961801 QM_IDLE
20:53:45: ISAKMP (0:5): sending packet to @IP PIX my_port 500 peer_port 500 (I) QM_IDLE
20:53:53: ISAKMP (0:4): purging node 1124307939
20:53:53: ISAKMP (0:4): purging node 786456195
20:53:54: ISAKMP: received ke message (1/1)
20:53:54: ISAKMP: set new node 0 to QM_IDLE
20:53:54: ISAKMP (0:5): sitting IDLE. Starting QM immediately (QM_IDLE )
20:53:54: ISAKMP (0:5): beginning Quick Mode exchange, M-ID of 843101127
20:53:54: ISAKMP (0:5): sending packet to @IP PIX my_port 500 peer_port 500 (I) QM_IDLE
20:53:54: ISAKMP (0:5): Node 843101127, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
20:53:54: ISAKMP (0:5): Old State = IKE_QM_READY New State = IKE_QM_I_QM1
20:53:55: ISAKMP (0:5): retransmitting phase 2 QM_IDLE -1862961801 ...
20:53:55: ISAKMP (0:5): incrementing error counter on sa: retransmit phase 2
20:53:55: ISAKMP (0:5): incrementing error counter on sa: retransmit phase 2
20:53:55: ISAKMP (0:5): retransmitting phase 2 -1862961801 QM_IDLE
20:53:55: ISAKMP (0:5): sending packet to @IP PIX my_port 500 peer_port 500 (I) QM_IDLE
20:54:03: ISAKMP (0:4): purging SA., sa=81D48684, delme=81D48684
20:54:04: ISAKMP (0:5): retransmitting phase 2 QM_IDLE 843101127 ...
20:54:04: ISAKMP (0:5): peer does not do paranoid keepalives.

20:54:04: ISAKMP (0:5): deleting SA reason "death by retransmission P2" state (I) QM_IDLE (peer @IP PIX) input queue 0
20:54:04: ISAKMP: set new node -1050917715 to QM_IDLE
20:54:04: ISAKMP (0:5): sending packet to @IP PIX my_port 500 peer_port 500 (I) QM_IDLE
20:54:04: ISAKMP (0:5): purging node -1050917715
20:54:04: ISAKMP (0:5): Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
20:54:04: ISAKMP (0:5): Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA

20:54:04: ISAKMP (0:5): deleting SA reason "" state (I) QM_IDLE (peer 217.167.213.38) input queue 0
20:54:04: ISAKMP (0:5): deleting node -1862961801 error FALSE reason ""
20:54:04: ISAKMP (0:5): deleting node 843101127 error FALSE reason ""
20:54:04: ISAKMP (0:5): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
20:54:04: ISAKMP (0:5): Old State = IKE_DEST_SA New State = IKE_DEST_SA

20:54:24: ISAKMP: received ke message (3/1)
20:54:24: ISAKMP: ignoring request to send delete notify (no ISAKMP sa) src 80.13.148.19 dst @IP PIX for SPI 0x0
20:54:24: ISAKMP: received ke message (1/1)
20:54:24: ISAKMP (0:0): no idb in request
20:54:24: ISAKMP: local port 500, remote port 500
20:54:24: ISAKMP: set new node 0 to QM_IDLE

 
My crypto policies are the same


The problem I think is the debug:

deleting SA reason "" state
deleting SA reason "death by retransmission P2"

The Cisco website has nothing on this 2nd debug and I don't understand what is causing this and what I can do to stop it.

I'm still investigating this in the background but I am running out of ideas.

Regards

Paul
 
Hi.

*****

To "paulmcl":
From pix partial config:
> crypto dynamic-map dynmap 20 set transform-set myset
> crypto map newmap 24 ...
I did not see any line like this:
crypto map newmap XXXX ipsec-isakmp dynamic dynmap
But I guess you do have one, don't you?
The XXXX value must be a higher number (lower priority) than 24, for example 9999.
Or else - the pix will try to match incoming IPSec packets as VPN client first before site to site, which could cause your problem.
If you still have problems, try without remote access VPN (only site to site) for the test.

*****

From "paulmcl" post (827 debug):
> 1d22h: ISAKMP (0:1): peer does not do paranoid keepalives.

From "jerph" post:
> 20:54:04: ISAKMP (0:5): peer does not do paranoid keepalives

I think that this might be related to the problem. Did you configure PFS (Perfect Forward Sec..) on either of the peers but not the other? Can you try without that option? Does the PFS configuration match?

Bye
Yizhar Hurwitz
 
WONDERFUL!!!

PFS was disabled on the router and the pix.

sh crypto map
PFS(Y/N):N

I turned on PFS with group2 on the router and the pix and it's good ;o)

set pfs group2

Thanks !!!

Jérôme
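The mismatches this thread worked through (a PIX dynamic-map entry ordered ahead of the static site-to-site entry, PFS set on one peer but not the other, and transform sets that disagree) can be checked mechanically before the tunnel is brought up. The checker below is an added example, not code from the thread or from Cisco: it parses the crypto map lines of both the PIX and the IOS dialect, and the sample configs are constructed from the fragments above with a hypothetical dynamic entry (seq 10) and a PFS setting added on the PIX side only, so that both findings fire.

```python
import re
from typing import Dict, List, Optional, Set

# Constructed samples built from the thread's fragments; the PIX side gets a
# hypothetical dynamic entry and PFS group2 so the checks below have work.
PIX_CFG = """
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map newmap 10 ipsec-isakmp dynamic dynmap
crypto map newmap 24 ipsec-isakmp
crypto map newmap 24 match address 151
crypto map newmap 24 set peer 200.10.10.10
crypto map newmap 24 set transform-set myset
crypto map newmap 24 set pfs group2
"""
IOS_CFG = """
crypto ipsec transform-set LINK esp-des esp-md5-hmac
crypto map nolan 2 ipsec-isakmp
 set peer 200.99.99.99
 set transform-set LINK
 match address 120
"""
_MAP_RE = re.compile(r"^crypto map (\S+) (\d+) (.*)$")
_TS_RE = re.compile(r"^crypto ipsec transform-set (\S+) (.*)$")


def parse_crypto(cfg: str) -> dict:
    """Parse crypto map entries (keyed by sequence number, one map name
    assumed) and transform sets.  PIX repeats 'crypto map NAME SEQ ...' on
    every line; IOS puts the sub-commands on indented lines under one header."""
    entries: Dict[int, dict] = {}
    tsets: Dict[str, Set[str]] = {}
    cur: Optional[dict] = None
    for raw in filter(str.strip, cfg.splitlines()):      # skip blank lines
        m = _MAP_RE.match(raw)
        if m:
            seq, rest = int(m.group(2)), m.group(3)
            cur = entries.setdefault(seq, {"seq": seq, "dynamic": False,
                                           "pfs": None, "tsets": []})
        elif raw[0].isspace() and cur is not None:
            rest = raw.strip()                           # IOS sub-command
        else:
            cur = None                                   # other global line
            t = _TS_RE.match(raw)
            if t:
                tsets[t.group(1)] = set(t.group(2).split())
            continue
        w = rest.split()
        if w[:2] == ["ipsec-isakmp", "dynamic"]:
            cur["dynamic"] = True
        elif w[:2] == ["set", "pfs"]:
            cur["pfs"] = w[2] if len(w) > 2 else "group1"  # bare 'set pfs' = group1
        elif w[:2] == ["set", "transform-set"]:
            cur["tsets"] += w[2:]
    return {"entries": entries, "tsets": tsets}


def _static(cfg: dict) -> Optional[dict]:
    """The site-to-site (non-dynamic) entry; this example assumes one."""
    return next((e for e in cfg["entries"].values() if not e["dynamic"]), None)


def _algs(cfg: dict, entry: dict) -> Set[str]:
    return set().union(*(cfg["tsets"].get(n, set()) for n in entry["tsets"]))


def check_peer_consistency(pix_cfg: str, ios_cfg: str) -> List[str]:
    """Return one finding per mismatch; an empty list means the peers agree."""
    pix, ios = parse_crypto(pix_cfg), parse_crypto(ios_cfg)
    findings: List[str] = []
    # 1. A PIX dynamic entry numbered below the static peer entry is tried
    #    first, so the site-to-site peer may be handled as a VPN client.
    static_seqs = [e["seq"] for e in pix["entries"].values() if not e["dynamic"]]
    for e in pix["entries"].values():
        if e["dynamic"] and any(e["seq"] < s for s in static_seqs):
            findings.append(f"pix: dynamic entry seq {e['seq']} precedes "
                            f"static entries {static_seqs}; renumber it higher")
    p, i = _static(pix), _static(ios)
    if p is None or i is None:
        return findings + ["no static ipsec-isakmp entry on one side"]
    # 2. PFS must be identical: the same group on both, or absent on both.
    if p["pfs"] != i["pfs"]:
        findings.append(f"pfs mismatch: pix={p['pfs']} ios={i['pfs']}")
    # 3. Phase 2 proposals: the ESP algorithms offered must agree.
    pa, ia = _algs(pix, p), _algs(ios, i)
    if pa != ia:
        findings.append(f"transform-set mismatch: pix={sorted(pa)} ios={sorted(ia)}")
    return findings
```

Running `check_peer_consistency(PIX_CFG, IOS_CFG)` reports the dynamic-map ordering and the PFS mismatch; renumbering the dynamic entry to 9999 and adding `set pfs group2` under the router's map entry clears both.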
 