Tuesday, April 26, 2011

IPsec Stuck in MM_SA_SETUP and MM_NO_STATE

Network Setup:


Problem Symptom:
1. The states of the ISAKMP SAs are stuck in MM_SA_SETUP and MM_NO_STATE.
2. The following error messages are seen in the output of the debug crypto isakmp privileged EXEC command on the responder (RT2):
ISAKMP (0:X): phase 1 packet is a duplicate of a previous packet.
ISAKMP (0:X): retransmitting phase 1 MM_SA_SETUP...

Sample Output:
PC1#ping 172.16.2.2 rep 50

Type escape sequence to abort.
Sending 50, 100-byte ICMP Echos to 172.16.2.2, timeout is 2 seconds:
..................................................
Success rate is 0 percent (0/50)
PC1#
RT2#debug crypto isakmp
Crypto ISAKMP debugging is on
RT2#
RT2#sh crypto isakmp sa
dst             src             state           conn-id    slot

RT2#
00:01:01: ISAKMP (0:0): received packet from 10.10.10.2 (N) NEW SA
00:01:01: ISAKMP: local port 500, remote port 500
00:01:01: ISAKMP (0:1): processing SA payload. message ID = 0
00:01:01: ISAKMP (0:1): found peer pre-shared key matching 10.10.10.2
00:01:01: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 1 policy
00:01:01: ISAKMP:      encryption 3DES-CBC
00:01:01: ISAKMP:      hash SHA
00:01:01: ISAKMP:      default group 2
00:01:01: ISAKMP:      auth pre-share
00:01:01: ISAKMP:      life type in seconds
00:01:01: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
00:01:01: ISAKMP (0:1): atts are acceptable. Next payload is 0
00:01:01: ISAKMP (0:1): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
00:01:01: ISAKMP (0:1): sending packet to 10.10.10.2 (R) MM_SA_SETUP
RT2#
RT2#sh crypto isakmp sa
dst             src             state           conn-id    slot
11.11.11.2      10.10.10.2      MM_SA_SETUP           1       0

RT2#
00:01:11: ISAKMP (0:1): received packet from 10.10.10.2 (R) MM_SA_SETUP
00:01:11: ISAKMP (0:1): phase 1 packet is a duplicate of a previous packet.
00:01:11: ISAKMP (0:1): retransmitting due to retransmit phase 1
00:01:11: ISAKMP (0:1): retransmitting phase 1 MM_SA_SETUP...
00:01:12: ISAKMP (0:1): retransmitting phase 1 MM_SA_SETUP...
00:01:12: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1
00:01:12: ISAKMP (0:1): retransmitting phase 1 MM_SA_SETUP
00:01:12: ISAKMP (0:1): sending packet to 10.10.10.2 (R) MM_SA_SETUP
RT2#
RT2#sh crypto isakmp sa
dst             src             state           conn-id    slot
11.11.11.2      10.10.10.2      MM_SA_SETUP           1       0

RT2#
00:01:21: ISAKMP (0:1): received packet from 10.10.10.2 (R) MM_SA_SETUP
00:01:21: ISAKMP (0:1): phase 1 packet is a duplicate of a previous packet.
00:01:21: ISAKMP (0:1): retransmitting due to retransmit phase 1
00:01:21: ISAKMP (0:1): retransmitting phase 1 MM_SA_SETUP...
00:01:22: ISAKMP (0:1): retransmitting phase 1 MM_SA_SETUP...
00:01:22: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1
00:01:22: ISAKMP (0:1): retransmitting phase 1 MM_SA_SETUP
00:01:22: ISAKMP (0:1): sending packet to 10.10.10.2 (R) MM_SA_SETUP
RT2#
RT2#sh crypto isakmp sa
dst             src             state           conn-id    slot
11.11.11.2      10.10.10.2      MM_SA_SETUP           1       0

RT2#
00:01:31: ISAKMP (0:1): received packet from 10.10.10.2 (R) MM_SA_SETUP
00:01:31: ISAKMP (0:1): phase 1 packet is a duplicate of a previous packet.
00:01:31: ISAKMP (0:1): retransmitting due to retransmit phase 1
00:01:31: ISAKMP (0:1): retransmitting phase 1 MM_SA_SETUP...
00:01:32: ISAKMP (0:1): retransmitting phase 1 MM_SA_SETUP...
00:01:32: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1
00:01:32: ISAKMP (0:1): retransmitting phase 1 MM_SA_SETUP
00:01:32: ISAKMP (0:1): sending packet to 10.10.10.2 (R) MM_SA_SETUP
RT2#
RT2#sh crypto isakmp sa
dst             src             state           conn-id    slot
11.11.11.2      10.10.10.2      MM_SA_SETUP           1       0

RT2#
00:01:41: ISAKMP (0:1): received packet from 10.10.10.2 (R) MM_SA_SETUP
00:01:41: ISAKMP (0:1): phase 1 packet is a duplicate of a previous packet.
00:01:41: ISAKMP (0:1): retransmitting due to retransmit phase 1
00:01:41: ISAKMP (0:1): retransmitting phase 1 MM_SA_SETUP...
00:01:42: ISAKMP (0:1): retransmitting phase 1 MM_SA_SETUP...
00:01:42: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1
00:01:42: ISAKMP (0:1): retransmitting phase 1 MM_SA_SETUP
00:01:42: ISAKMP (0:1): sending packet to 10.10.10.2 (R) MM_SA_SETUP
RT2#
RT2#sh crypto isakmp sa
dst             src             state           conn-id    slot
11.11.11.2      10.10.10.2      MM_SA_SETUP           1       0

RT2#
00:01:51: ISAKMP (0:1): received packet from 10.10.10.2 (R) MM_SA_SETUP
00:01:51: ISAKMP (0:1): phase 1 packet is a duplicate of a previous packet.
00:01:51: ISAKMP (0:1): retransmitting due to retransmit phase 1
00:01:51: ISAKMP (0:1): retransmitting phase 1 MM_SA_SETUP...
00:01:52: ISAKMP (0:1): retransmitting phase 1 MM_SA_SETUP...
00:01:52: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1
00:01:52: ISAKMP (0:1): retransmitting phase 1 MM_SA_SETUP
00:01:52: ISAKMP (0:1): sending packet to 10.10.10.2 (R) MM_SA_SETUP
RT2#
RT2#sh crypto isakmp sa
dst             src             state           conn-id    slot
11.11.11.2      10.10.10.2      MM_SA_SETUP           1       0

RT2#
00:02:01: ISAKMP (0:0): received packet from 10.10.10.2 (N) NEW SA
00:02:01: ISAKMP: local port 500, remote port 500
00:02:01: ISAKMP (0:2): processing SA payload. message ID = 0
00:02:01: ISAKMP (0:2): found peer pre-shared key matching 10.10.10.2
00:02:01: ISAKMP (0:2): Checking ISAKMP transform 1 against priority 1 policy
00:02:01: ISAKMP:      encryption 3DES-CBC
00:02:01: ISAKMP:      hash SHA
00:02:01: ISAKMP:      default group 2
00:02:01: ISAKMP:      auth pre-share
00:02:01: ISAKMP:      life type in seconds
00:02:01: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
00:02:01: ISAKMP (0:2): atts are acceptable. Next payload is 0
00:02:01: ISAKMP (0:2): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
00:02:01: ISAKMP (0:2): sending packet to 10.10.10.2 (R) MM_SA_SETUP
00:02:02: ISAKMP (0:1): retransmitting phase 1 MM_SA_SETUP...
00:02:02: ISAKMP (0:1): peer does not do paranoid keepalives.

00:02:02: ISAKMP (0:1): deleting SA reason "death by retransmission P1"
state (R) MM_SA_SETUP (peer 10.10.10.2) input queue 0
RT2#
RT2#sh crypto isakmp sa
dst             src             state           conn-id    slot
11.11.11.2      10.10.10.2      MM_SA_SETUP           2       0
11.11.11.2      10.10.10.2      MM_NO_STATE           1       0   (deleted)

RT2#
00:02:11: ISAKMP (0:2): received packet from 10.10.10.2 (R) MM_SA_SETUP
00:02:11: ISAKMP (0:2): phase 1 packet is a duplicate of a previous packet.
00:02:11: ISAKMP (0:2): retransmitting due to retransmit phase 1
00:02:11: ISAKMP (0:2): retransmitting phase 1 MM_SA_SETUP...
00:02:12: ISAKMP (0:2): retransmitting phase 1 MM_SA_SETUP...
00:02:12: ISAKMP (0:2): incrementing error counter on sa: retransmit phase 1
00:02:12: ISAKMP (0:2): retransmitting phase 1 MM_SA_SETUP
00:02:12: ISAKMP (0:2): sending packet to 10.10.10.2 (R) MM_SA_SETUP
RT2#
RT2#sh crypto isakmp sa
dst             src             state           conn-id    slot
11.11.11.2      10.10.10.2      MM_SA_SETUP           2       0
11.11.11.2      10.10.10.2      MM_NO_STATE           1       0   (deleted)

RT2#
00:02:21: ISAKMP (0:2): received packet from 10.10.10.2 (R) MM_SA_SETUP
00:02:21: ISAKMP (0:2): phase 1 packet is a duplicate of a previous packet.
00:02:21: ISAKMP (0:2): retransmitting due to retransmit phase 1
00:02:21: ISAKMP (0:2): retransmitting phase 1 MM_SA_SETUP...
00:02:22: ISAKMP (0:2): retransmitting phase 1 MM_SA_SETUP...
00:02:22: ISAKMP (0:2): incrementing error counter on sa: retransmit phase 1
00:02:22: ISAKMP (0:2): retransmitting phase 1 MM_SA_SETUP
00:02:22: ISAKMP (0:2): sending packet to 10.10.10.2 (R) MM_SA_SETUP
RT2#
RT2#sh crypto isakmp sa
dst             src             state           conn-id    slot
11.11.11.2      10.10.10.2      MM_SA_SETUP           2       0
11.11.11.2      10.10.10.2      MM_NO_STATE           1       0   (deleted)

RT2#
00:02:31: ISAKMP (0:2): received packet from 10.10.10.2 (R) MM_SA_SETUP
00:02:31: ISAKMP (0:2): phase 1 packet is a duplicate of a previous packet.
00:02:31: ISAKMP (0:2): retransmitting due to retransmit phase 1
00:02:31: ISAKMP (0:2): retransmitting phase 1 MM_SA_SETUP...
00:02:32: ISAKMP (0:2): retransmitting phase 1 MM_SA_SETUP...
00:02:32: ISAKMP (0:2): incrementing error counter on sa: retransmit phase 1
00:02:32: ISAKMP (0:2): retransmitting phase 1 MM_SA_SETUP
00:02:32: ISAKMP (0:2): sending packet to 10.10.10.2 (R) MM_SA_SETUP
RT2#
RT2#sh crypto isakmp sa
dst             src             state           conn-id    slot
11.11.11.2      10.10.10.2      MM_SA_SETUP           2       0
11.11.11.2      10.10.10.2      MM_NO_STATE           1       0   (deleted)

RT2#
00:02:41: ISAKMP (0:2): received packet from 10.10.10.2 (R) MM_SA_SETUP
00:02:41: ISAKMP (0:2): phase 1 packet is a duplicate of a previous packet.
00:02:41: ISAKMP (0:2): retransmitting due to retransmit phase 1
00:02:41: ISAKMP (0:2): retransmitting phase 1 MM_SA_SETUP...
00:02:42: ISAKMP (0:2): retransmitting phase 1 MM_SA_SETUP...
00:02:42: ISAKMP (0:2): incrementing error counter on sa: retransmit phase 1
00:02:42: ISAKMP (0:2): retransmitting phase 1 MM_SA_SETUP
00:02:42: ISAKMP (0:2): sending packet to 10.10.10.2 (R) MM_SA_SETUP
RT2#
RT2#sh crypto isakmp sa
dst             src             state           conn-id    slot
11.11.11.2      10.10.10.2      MM_SA_SETUP           2       0
11.11.11.2      10.10.10.2      MM_NO_STATE           1       0   (deleted)

RT2#
00:02:51: ISAKMP (0:2): received packet from 10.10.10.2 (R) MM_SA_SETUP
00:02:51: ISAKMP (0:2): phase 1 packet is a duplicate of a previous packet.
00:02:51: ISAKMP (0:2): retransmitting due to retransmit phase 1
00:02:51: ISAKMP (0:2): retransmitting phase 1 MM_SA_SETUP...
00:02:52: ISAKMP (0:2): retransmitting phase 1 MM_SA_SETUP...
00:02:52: ISAKMP (0:2): incrementing error counter on sa: retransmit phase 1
00:02:52: ISAKMP (0:2): retransmitting phase 1 MM_SA_SETUP
00:02:52: ISAKMP (0:2): sending packet to 10.10.10.2 (R) MM_SA_SETUP
RT2#
RT2#sh crypto isakmp sa
dst             src             state           conn-id    slot
11.11.11.2      10.10.10.2      MM_SA_SETUP           2       0
11.11.11.2      10.10.10.2      MM_NO_STATE           1       0   (deleted)

RT2#
00:03:02: ISAKMP (0:1): purging SA., sa=623CF540, delme=623CF540
00:03:02: ISAKMP (0:2): retransmitting phase 1 MM_SA_SETUP...
00:03:02: ISAKMP (0:2): peer does not do paranoid keepalives.

00:03:02: ISAKMP (0:2): deleting SA reason "death by retransmission P1"
state (R) MM_SA_SETUP (peer 10.10.10.2) input queue 0
RT2#
RT2#sh crypto isakmp sa
dst             src             state           conn-id    slot
11.11.11.2      10.10.10.2      MM_NO_STATE           2       0   (deleted)

RT2#
00:04:02: ISAKMP (0:2): purging SA., sa=61FEBB84, delme=61FEBB84
RT2#
RT2#sh crypto isakmp sa
dst             src             state           conn-id    slot

RT2#

Root Cause:
RT2 has no route back to RT1's IKE peer address, 10.10.10.2. The routing table below holds only the two directly connected networks and no static or default route, so RT2 cannot deliver its responses to the IKE messages it receives from RT1.
The debug shows exactly that. RT2 receives RT1's first Main Mode message (MM1), accepts the proposal ("found peer pre-shared key matching 10.10.10.2", "atts are acceptable") and builds its reply (MM2, "sending packet to 10.10.10.2 (R) MM_SA_SETUP"), but the reply has nowhere to go. RT1 never sees MM2 and keeps retransmitting MM1; RT2 treats each retransmission as "a duplicate of a previous packet", retransmits MM2 into the same void, and after its retry limit deletes the SA ("death by retransmission P1"), leaving it in MM_NO_STATE (deleted) until it is purged a minute later. Because the pre-shared key lookup and the policy check both succeed, the debug also rules out a crypto configuration mismatch: this is a reachability problem. Anything else that drops RT2's UDP 500 replies on the return path (an ACL, NAT, or a firewall) produces the same pattern, so the return path is the first thing to verify.
RT2#sh ip route

Gateway of last resort is not set

     172.16.0.0/24 is subnetted, 1 subnets
C       172.16.2.0 is directly connected, FastEthernet0/0
     11.0.0.0/24 is subnetted, 1 subnets
C       11.11.11.0 is directly connected, FastEthernet1/0
RT2#
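The fix and the checks that go with it, as an added example rather than configuration from the original post. RT2's Fa1/0 address is 11.11.11.2/24 (from the SA output), but the topology diagram is not on the page, so the next hop 11.11.11.1 is an assumption; substitute the real one.

```cisco
! RT2: give it a path back to RT1's IKE peer address.  The next hop
! 11.11.11.1 is an ASSUMPTION (not shown on the page).  A specific route
! is shown first; a default route is the alternative the post refers to.
ip route 10.10.10.0 255.255.255.0 11.11.11.1
! or: ip route 0.0.0.0 0.0.0.0 11.11.11.1

! Verify the return path before touching the crypto configuration.
! Before the fix 'show ip route 10.10.10.2' reports the network is not
! in the table and the sourced ping gets no replies.
show ip route 10.10.10.2
ping 10.10.10.2 source 11.11.11.2

! Phase 1 should now settle in QM_IDLE instead of cycling through
! MM_SA_SETUP -> MM_NO_STATE (deleted).
show crypto isakmp sa

! When several peers terminate on the router, scope the debug to the one
! being investigated so other tunnels do not flood the console.
debug crypto condition peer ipv4 10.10.10.2
debug crypto isakmp
```

Clear the condition afterwards with undebug all; leaving debug crypto isakmp running on a busy router costs CPU and prints peer identities and negotiated proposals to the console and to anything that collects the log.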

Lessons Learned:
1. Routing and switching are the foundation of networking. If they are not configured properly, the technologies built on top of them (security, VoIP, etc.) fail, and the failure often looks like a problem with those technologies rather than with the underlying routing.
2. Always issue show ip route (and test reachability to the peer address) to verify the routing configuration is in place; never assume it is.
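A small triage script for this class of problem, added here as an example and not code from the original post. It reads the lines that debug crypto isakmp prints, groups them by conn-id, and tells the responder-side pattern shown above (MM2 sent, MM1 keeps arriving as a duplicate, SA dies by retransmission) apart from two neighbouring failures: an initiator that never hears back at all, and a proposal that matches no policy. It assumes the classic IOS line shape "hh:mm:ss: ISAKMP (0:<conn-id>): <message>" and the literal debug strings quoted on this page; the two contrast samples at the bottom are constructed, not captured from RT1 or RT2.

```python
"""Triage Cisco IOS 'debug crypto isakmp' output for an IKEv1 Main Mode
exchange that never completes.  Added example, not code from the post.
Assumes the line shape 'hh:mm:ss: ISAKMP (0:<conn-id>): <message>'."""
import re
from dataclasses import dataclass, field

LINE_RE = re.compile(r"^\d{2}:\d{2}:\d{2}: ISAKMP \(0:(?P<conn>\d+)\): (?P<msg>.*)$")
# "(R)"/"(I)" is this router's role in the exchange, followed by the SA state.
PKT_RE = re.compile(r"(?:received packet from|sending packet to) (?P<peer>\S+) "
                    r"\((?P<role>[RI])\) (?P<state>\S+)")

@dataclass
class SaTrace:
    conn: str
    peer: str = ""
    role: str = ""                # "R" responder, "I" initiator
    sent_states: list = field(default_factory=list)
    received: int = 0
    duplicates: int = 0
    retransmits: int = 0
    atts_rejected: bool = False
    died: bool = False

def parse(debug_text: str) -> dict:
    """Group the debug lines by conn-id and count the events that matter."""
    traces = {}
    for raw in debug_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or m["conn"] == "0":
            continue              # (0:0) is the pre-SA 'NEW SA' notice
        t = traces.setdefault(m["conn"], SaTrace(m["conn"]))
        msg = m["msg"]
        if p := PKT_RE.search(msg):
            t.peer, t.role = p["peer"], p["role"]
            if msg.startswith("sending packet"):
                t.sent_states.append(p["state"])
            else:
                t.received += 1
        t.duplicates += "duplicate of a previous packet" in msg
        t.retransmits += msg.startswith("retransmitting phase 1")
        t.atts_rejected |= "atts are not acceptable" in msg
        t.died |= "death by retransmission P1" in msg
    return traces

def diagnose(t: SaTrace) -> str:
    if t.atts_rejected:
        return "policy_mismatch"
    # We answered MM1 with MM2, yet MM1 keeps arriving: the peer never got
    # our reply.  This is the post's pattern (RT2 has no route back to RT1).
    if t.role == "R" and "MM_SA_SETUP" in t.sent_states and t.duplicates >= 2:
        return "reply_not_reaching_peer"
    # We keep sending MM1 and hear nothing back at all.
    if t.role == "I" and t.received == 0 and t.retransmits >= 2:
        return "no_response_from_peer"
    return "died_unclassified" if t.died else "in_progress"

ADVICE = {
    "reply_not_reaching_peer": "MM2 sent, initiator still resending MM1: check the "
        "return path to {peer} here ('show ip route {peer}', 'ping {peer}', "
        "ACL/NAT on UDP 500).",
    "no_response_from_peer": "MM1 sent repeatedly, nothing from {peer}: peer down, "
        "not listening on UDP 500, or its reply is dropped in transit.",
    "policy_mismatch": "Proposal matched no crypto isakmp policy; compare "
        "encryption, hash, DH group, auth and lifetime on both peers.",
    "died_unclassified": "SA deleted by retransmission; pattern not recognised.",
    "in_progress": "No failure pattern seen.",
}

def report(debug_text: str) -> dict:
    """conn-id -> (diagnosis, advice) for every SA in the debug output."""
    out = {}
    for conn, t in parse(debug_text).items():
        d = diagnose(t)
        out[conn] = (d, ADVICE[d].format(peer=t.peer or "<peer>"))
    return out

# Responder-side lines from the post (RT2, conn-id 1, abridged).
SAMPLE_RT2 = """\
00:01:01: ISAKMP (0:0): received packet from 10.10.10.2 (N) NEW SA
00:01:01: ISAKMP (0:1): atts are acceptable. Next payload is 0
00:01:01: ISAKMP (0:1): sending packet to 10.10.10.2 (R) MM_SA_SETUP
00:01:11: ISAKMP (0:1): received packet from 10.10.10.2 (R) MM_SA_SETUP
00:01:11: ISAKMP (0:1): phase 1 packet is a duplicate of a previous packet.
00:01:11: ISAKMP (0:1): retransmitting phase 1 MM_SA_SETUP...
00:01:21: ISAKMP (0:1): received packet from 10.10.10.2 (R) MM_SA_SETUP
00:01:21: ISAKMP (0:1): phase 1 packet is a duplicate of a previous packet.
00:01:21: ISAKMP (0:1): retransmitting phase 1 MM_SA_SETUP...
00:02:02: ISAKMP (0:1): deleting SA reason "death by retransmission P1"
"""
# CONSTRUCTED contrast cases (not from the post): an initiator that hears
# nothing back, and a responder that rejects the initiator's proposal.
SAMPLE_CONSTRUCTED = """\
00:05:01: ISAKMP (0:3): sending packet to 11.11.11.2 (I) MM_NO_STATE
00:05:11: ISAKMP (0:3): retransmitting phase 1 MM_NO_STATE...
00:05:11: ISAKMP (0:3): sending packet to 11.11.11.2 (I) MM_NO_STATE
00:05:21: ISAKMP (0:3): retransmitting phase 1 MM_NO_STATE...
00:05:21: ISAKMP (0:3): sending packet to 11.11.11.2 (I) MM_NO_STATE
00:06:01: ISAKMP (0:4): atts are not acceptable. Next payload is 0
"""

if __name__ == "__main__":
    for conn, (d, why) in {**report(SAMPLE_RT2), **report(SAMPLE_CONSTRUCTED)}.items():
        print(f"conn-id {conn}: {d} -- {why}")
```

Feed it a saved console capture (terminal monitor output or the buffered log) and it reports one diagnosis per conn-id; on the RT2 capture above it classifies conn-id 1 as reply_not_reaching_peer and points at the return route to 10.10.10.2, which is exactly what show ip route confirmed.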

4 comments:

  1. Nice Tip YAP, Thx a LOT, Useful for Me.

    OscaR, C.R Central America
  2. Good man, back to basics! :)
  3. Hello,
    but to route the traffic through the VPN tunnel, how will we do it?
    ip route
    to what destination?
  4. Saved my day mate... thx