Hello Jeremy,
Can you show us the debugs on the server side of the connection?
Thanks,
Sadiq
On Mon, Nov 4, 2013 at 11:57 AM, jeremy co <jeremy.cool14_at_gmail.com> wrote:
>  R3----R6 back-to-back connection.
>
>
> R3:Client
>
>
> crypto ipsec client ezvpn EASY
>  connect manual
>  group ezvpn_DVTI key cisco123
>  local-address FastEthernet0/0
>  mode client
>  peer 7.7.19.6
>  username cisco password cisco
>  xauth userid mode local
> !
> !
>
> !
> interface Loopback0
>  ip address 7.7.53.3 255.255.255.255
>  crypto ipsec client ezvpn EASY inside
> !
> interface FastEthernet0/0
>  ip address 7.7.19.3 255.255.255.0
>  crypto ipsec client ezvpn EASY outside
>
>
>
> R6:  Server
>
> aaa new-model
> aaa authentication login ikev1-list local
> aaa authorization network ikev1-list local
> aaa session-id common
>
> crypto isakmp policy 1
>  encr 3des
>  hash md5
>  authentication pre-share
>  group 2
>
> crypto isakmp client configuration group ezvpn_DVTI
>  key cisco123
>  domain cisco.com
>  pool pool2
>  save-password
>
> crypto isakmp profile isakmp_profile_dvti
>    match identity group ezvpn_DVTI
>    client authentication list lkey1-list
>    isakmp authorization list lkey1-list
>    client configuration address respond
>    client configuration group ezvpn_DVTI
>    virtual-template 2
>    local-address FastEthernet0/0
>
> crypto ipsec transform-set cisco esp-3des esp-sha-hmac
>
> crypto ipsec profile ikev1
>  set transform-set cisco
>  set isakmp-profile isakmp_profile_dvti
> interface Virtual-Template2 type tunnel
>  ip unnumbered FastEthernet0/0
>  tunnel mode ipsec ipv4
>  tunnel protection ipsec profile ikev1
>
> ip local pool pool2 13.1.1.1 13.1.1.10
>
>
> interface FastEthernet0/0
>  ip address 7.7.19.6 255.255.255.0
>
>
>
> Here is the debug: it's not even passing IKE phase 1
>
> --------------------------------------------------------------------------------------------------------------------------------
>
> R3#  crypto ipsec client ezvpn connect
> R3#
> *Mar  1 00:01:59.583: del_node src 7.7.19.3:500 dst 7.7.19.6:500 fvrf 0x0,
> ivrf 0x0
> *Mar  1 00:01:59.583: ISAKMP:(0):peer does not do paranoid keepalives.
>
> *Mar  1 00:01:59.591: ISAKMP:(0): SA request profile is (NULL)
> *Mar  1 00:01:59.591: ISAKMP: Created a peer struct for 7.7.19.6, peer port
> 500
> *Mar  1 00:01:59.595: ISAKMP: New peer created peer = 0x66BCA8DC
> peer_handle = 0x80000003
> *Mar  1 00:01:59.595: ISAKMP: Locking peer struct 0x66BCA8DC, refcount 1
> for isakmp_initiator
> *Mar  1 00:01:59.595: ISAKMP:(0):Setting client config settings 664962C4
> *Mar  1 00:01:59.595: ISAKMP: local port 500, remote port 500
> *Mar  1 00:01:59.599: ISAKMP: Find a dup sa in the avl tree during calling
> isadb_insert sa = 66651EA4
> *Mar  1 00:01:59.599: ISAKMP:(0): client mode configured.
> *Mar  1 00:01:59.611: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
> *Mar  1 00:01:59.611: ISAKMP:(0): constructed NAT-T vendor-07 ID
> *Mar  1 00:01:59.611: ISAKMP:(0): constructed NAT-T vendor-03 ID
> *Mar  1 00:01:59.615: ISAKMP:(0): constructed NAT-T vendor-02 ID
> *Mar  1 00:01:59.615: ISKAMP: growing send buffer from 1024 to 3072
> *Mar  1 00:01:59.615: ISAKMP:(0):SA is doing pre-shared key authentication
> plus XAUTH using id type ID_KEY_ID
> *Mar  1 00:01:59.619: ISAKMP (0:0): ID payload
>         next-payload : 13
>         type         : 11
>         group id     : ezvpn_DVTI
>         protocol     : 17
>         port         : 0
>         length       : 18
> *Mar  1 00:01:59.619: ISAKMP:(0):Total payload length: 18
> *Mar  1 00:01:59.619: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_AM
> *Mar  1 00:01:59.619: ISAKMP:(0):Old State = IKE_READY  New State =
> IKE_I_AM1
>
> *Mar  1 00:01:59.619: ISAKMP:(0): beginning Aggressive Mode exchange
> *Mar  1 00:01:59.619: ISAKMP:(0): sending packet to 7.7.19.6 my_port 500
> peer_port 500 (I) AG_INIT_EXCH
> *Mar  1 00:01:59.619: ISAKMP:(0):Sending an IKE IPv4 Packet.
> R3#
> R3#
> *Mar  1 00:02:09.619: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH...
> *Mar  1 00:02:09.619: ISAKMP (0:0): incrementing error counter on sa,
> attempt 1 of 5: retransmit phase 1
> *Mar  1 00:02:09.619: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH
> *Mar  1 00:02:09.623: ISAKMP:(0): sending packet to 7.7.19.6 my_port 500
> peer_port 500 (I) AG_INIT_EXCH
> *Mar  1 00:02:09.623: ISAKMP:(0):Sending an IKE IPv4 Packet.
> R3#
> *Mar  1 00:02:19.623: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH...
> *Mar  1 00:02:19.623: ISAKMP (0:0): incrementing error counter on sa,
> attempt 2 of 5: retransmit phase 1
> *Mar  1 00:02:19.623: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH
> *Mar  1 00:02:19.627: ISAKMP:(0): sending packet to 7.7.19.6 my_port 500
> peer_port 500 (I) AG_INIT_EXCH
> *Mar  1 00:02:19.627: ISAKMP:(0):Sending an IKE IPv4 Packet.
> R3#
> *Mar  1 00:02:29.627: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH...
> *Mar  1 00:02:29.627: ISAKMP (0:0): incrementing error counter on sa,
> attempt 3 of 5: retransmit phase 1
> *Mar  1 00:02:29.627: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH
> *Mar  1 00:02:29.631: ISAKMP:(0): sending packet to 7.7.19.6 my_port 500
> peer_port 500 (I) AG_INIT_EXCH
> *Mar  1 00:02:29.631: ISAKMP:(0):Sending an IKE IPv4 Packet.
> R3#
> *Mar  1 00:02:39.631: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH...
> *Mar  1 00:02:39.631: ISAKMP (0:0): incrementing error counter on sa,
> attempt 4 of 5: retransmit phase 1
> *Mar  1 00:02:39.631: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH
> *Mar  1 00:02:39.635: ISAKMP:(0): sending packet to 7.7.19.6 my_port 500
> peer_port 500 (I) AG_INIT_EXCH
> *Mar  1 00:02:39.635: ISAKMP:(0):Sending an IKE IPv4 Packet.
> R3#
> *Mar  1 00:02:49.635: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH...
> *Mar  1 00:02:49.635: ISAKMP (0:0): incrementing error counter on sa,
> attempt 5 of 5: retransmit phase 1
> *Mar  1 00:02:49.635: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH
> *Mar  1 00:02:49.639: ISAKMP:(0): sending packet to 7.7.19.6 my_port 500
> peer_port 500 (I) AG_INIT_EXCH
> *Mar  1 00:02:49.639: ISAKMP:(0):Sending an IKE IPv4 Packet.
> R3#
> *Mar  1 00:02:53.079: ISAKMP:(0):purging SA., sa=66A6DCD4, delme=66A6DCD4
> R3#
> EZVPN(EASY): IPSec connection terminated
> *Mar  1 00:02:59.639: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH...
> *Mar  1 00:02:59.639: ISAKMP:(0):peer does not do paranoid keepalives.
>
> *Mar  1 00:02:59.639: ISAKMP:(0):deleting SA reason "Death by
> retransmission P1" state (I) AG_INIT_EXCH (peer 7.7.19.6)
> *Mar  1 00:02:59.647: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  User=
> Group=ezvpn_DVTI  Client_public_addr=7.7.19.3  Server_public_addr=7.7.19.6
> R3#
> *Mar  1 00:02:59.655: ISAKMP:(0):deleting SA reason "Death by
> retransmission P1" state (I) AG_INIT_EXCH (peer 7.7.19.6)
> *Mar  1 00:02:59.655: ISAKMP: Unlocking peer struct 0x66BCA8DC for
> isadb_mark_sa_deleted(), count 0
> *Mar  1 00:02:59.659: ISAKMP: Deleting peer node by peer_reap for 7.7.19.6
> :
> 66BCA8DC
> *Mar  1 00:02:59.659: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
> *Mar  1 00:02:59.659: ISAKMP:(0):Old State = IKE_I_AM1  New State =
> IKE_DEST_SA
>
>
> Thanks
>
>
> Blogs and organic groups at http://www.ccie.net
-- 
CCIEx2 (R&S|Sec) #19963

Received on Mon Nov 04 2013 - 12:13:01 ART
This archive was generated by hypermail 2.2.0 : Wed Jan 01 2014 - 20:26:19 ART
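
In the R6 configuration quoted above, the AAA method lists are defined as ikev1-list while the ISAKMP profile refers to lkey1-list. The following is an added example, not part of the original thread, that cross-checks such references; the function names are hypothetical and the sample is built from the quoted lines.

```python
import re

# Constructed sample: AAA and ISAKMP-profile lines copied from the quoted R6 config.
SERVER_CONFIG = """\
aaa new-model
aaa authentication login ikev1-list local
aaa authorization network ikev1-list local
crypto isakmp profile isakmp_profile_dvti
   match identity group ezvpn_DVTI
   client authentication list lkey1-list
   isakmp authorization list lkey1-list
   client configuration group ezvpn_DVTI
   virtual-template 2
"""

# Profile command that names a method list -> AAA command family that must define it.
REFERENCES = {
    "client authentication list": "authentication login",
    "isakmp authorization list": "authorization network",
}

def defined_lists(config):
    """Return {AAA family: set of method-list names} from the 'aaa ...' lines."""
    found = {family: set() for family in REFERENCES.values()}
    for line in config.splitlines():
        m = re.match(r"aaa (authentication login|authorization network) (\S+)", line.strip())
        if m:
            found[m.group(1)].add(m.group(2))
    return found

def undefined_references(config):
    """Return (profile, command, list) for each reference with no matching AAA list."""
    defined = defined_lists(config)
    profile, problems = None, []
    for line in config.splitlines():
        if not line.strip():
            continue
        if not line.startswith((" ", "\t")):
            # Unindented line: opens an ISAKMP profile or closes the current one.
            m = re.match(r"crypto isakmp profile (\S+)", line)
            profile = m.group(1) if m else None
            continue
        if profile is None:
            continue
        for command, family in REFERENCES.items():
            m = re.match(re.escape(command) + r" (\S+)", line.strip())
            if m and m.group(1) not in defined[family]:
                problems.append((profile, command, m.group(1)))
    return problems
```

Calling `undefined_references(SERVER_CONFIG)` reports both profile lines; the same text with the list name spelled as in the `aaa` lines reports nothing.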