Here's the "debug dmvpn detail all" output from the DMVPN spoke:

1254496: May 17 17:58:08.385 UTC: ISAKMP:(0): beginning Main Mode exchange
1254497: May 17 17:58:08.385 UTC: ISAKMP:(0): sending packet to 111.111.111.111 my_port 500 peer_port 500 (I) MM_NO_STATE
1254498: May 17 17:58:08.389 UTC: ISAKMP:(0):Sending an IKE IPv4 Packet.
1254501: May 17 17:58:18.389 UTC: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
1254502: May 17 17:58:18.389 UTC: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
1254503: May 17 17:58:18.389 UTC: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
1254504: May 17 17:58:18.389 UTC: ISAKMP:(0): sending packet to 111.111.111.111 my_port 500 peer_port 500 (I) MM_NO_STATE
1254505: May 17 17:58:18.389 UTC: ISAKMP:(0):Sending an IKE IPv4 Packet.
1254506: May 17 17:58:23.649 UTC: NHRP: Setting retrans delay to 64 for nhs dst 10..1.1.1
1254507: May 17 17:58:23.649 UTC: IPSEC-IFC MGRE/Tu100( 10.20.2.2/111.111.111.111): connection lookup returned 47C1E6EC
1254508: May 17 17:58:23.649 UTC: NHRP: Attempting to send packet via DEST 10.1.1.1
1254509: May 17 17:58:23.649 UTC: NHRP: NHRP successfully resolved 10.1.1.1 to NBMA 111.111.111.111
1254510: May 17 17:58:23.649 UTC: NHRP: Encapsulation succeeded. Tunnel IP addr 111.111.111.111
1254511: May 17 17:58:23.649 UTC: NHRP: Send Registration Request via Tunnel100 vrf 0, packet size: 92
1254512: May 17 17:58:23.649 UTC: NHRP: 120 bytes out Tunnel100
1254513: May 17 17:58:23.649 UTC: NHRP-RATE: Retransmitting Registration Request for 10.1.1.1, reqid 66217, (retrans ivl 64 sec)
1254514: May 17 17:58:27.161 UTC: NHRP-RATE: Tunnel100: Used 1
1254515: May 17 17:58:28.389 UTC: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
1254516: May 17 17:58:28.389 UTC: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
1254517: May 17 17:58:28.389 UTC: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
1254518: May 17 17:58:28.389 UTC: ISAKMP:(0): sending packet to 111.111.111.111 my_port 500 peer_port 500 (I) MM_NO_STATE
1254519: May 17 17:58:28.389 UTC: ISAKMP:(0):Sending an IKE IPv4 Packet.
1254520: May 17 17:58:38.386 UTC: IPSEC(key_engine): request timer fired: count = 1, (identity) local= 10.20.2.2, remote= 111.111.111.111, local_proxy= 10.20.2.2/255.255.255.255/47/0 (type=1), remote_proxy= 111.111.111.111/255.255.255.255/47/0 (type=1)
1254521: May 17 17:58:38.386 UTC: IPSEC(sa_request): , (key eng. msg.) OUTBOUND local= 10.20.2.2, remote= 111.111.111.111, local_proxy= 10.20.2.2/255.255.255.255/47/0 (type=1), remote_proxy= 111.111.111.111/255.255.255.255/47/0 (type=1), protocol= ESP, transform= esp-aes esp-sha-hmac (Transport), lifedur= 3600s and 4608000kb, spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
1254522: May 17 17:58:38.386 UTC: ISAKMP: set new node 0 to QM_IDLE
1254523: May 17 17:58:38.386 UTC: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local 10.20.2.2, remote 111.111.111.111)
1254524: May 17 17:58:38.386 UTC: ISAKMP: Error while processing SA request: Failed to initialize SA
1254525: May 17 17:58:38.386 UTC: ISAKMP: Error while processing KMI message 0, error 2.
1254526: May 17 17:58:38.390 UTC: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
1254527: May 17 17:58:38.390 UTC: ISAKMP (0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
1254528: May 17 17:58:38.390 UTC: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
1254529: May 17 17:58:38.390 UTC: ISAKMP:(0): sending packet to 111.111.111.111 my_port 500 peer_port 500 (I) MM_NO_STATE
1254530: May 17 17:58:38.390 UTC: ISAKMP:(0):Sending an IKE IPv4 Packet.
1254533: May 17 17:58:48.390 UTC: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
1254534: May 17 17:58:48.390 UTC: ISAKMP (0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
1254535: May 17 17:58:48.390 UTC: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
1254536: May 17 17:58:48.390 UTC: ISAKMP:(0): sending packet to 111.111.111.111 my_port 500 peer_port 500 (I) MM_NO_STATE
1254537: May 17 17:58:48.390 UTC: ISAKMP:(0):Sending an IKE IPv4 Packet.
1254538: May 17 17:58:58.002 UTC: ISAKMP:(0):purging node -271425466
1254539: May 17 17:58:58.002 UTC: ISAKMP:(0):purging node -1779998897
1254540: May 17 17:58:58.390 UTC: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
1254541: May 17 17:58:58.390 UTC: ISAKMP (0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
1254542: May 17 17:58:58.390 UTC: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
1254543: May 17 17:58:58.390 UTC: ISAKMP:(0): sending packet to 111.111.111.111 my_port 500 peer_port 500 (I) MM_NO_STATE
1254544: May 17 17:58:58.390 UTC: ISAKMP:(0):Sending an IKE IPv4 Packet.
1254545: May 17 17:59:08.003 UTC: ISAKMP:(0):purging SA., sa=49BF8494, delme=49BF8494
1254546: May 17 17:59:08.387 UTC: IPSEC(key_engine): request timer fired: count = 2, (identity) local= 10.20.2.2, remote= 111.111.111.111, local_proxy= 10.20.2.2/255.255.255.255/47/0 (type=1), remote_proxy= 111.111.111.111/255.255.255.255/47/0 (type=1)
1254547: May 17 17:59:08.387 UTC: IPSEC-IFC MGRE/Tu100( 10.20.2.2/111.111.111.111): Socket error (OPEN_FAILED) received.
1254548: May 17 17:59:08.387 UTC: IPSEC-IFC MGRE/Tu100( 10.20.2.2/111.111.111.111): connection lookup returned 47C1E6EC
1254549: May 17 17:59:08.387 UTC: IPSEC-IFC MGRE/Tu100( 10.20.2.2/111.111.111.111): tunnel_protection_socket_down
1254550: May 17 17:59:08.387 UTC: NHRP: Setting cache expiry for 111.111.111.111 to 5000 milliseconds in IPv4 cache
1254551: May 17 17:59:08.387 UTC: NHRP: Setting cache expiry for 111.111.111.111 to 5000 milliseconds in IPv6 cache
1254552: May 17 17:59:08.391 UTC: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
1254553: May 17 17:59:08.391 UTC: ISAKMP:(0):peer does not do paranoid keepalives.
1254554: May 17 17:59:08.391 UTC: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 111.111.111.111)
1254555: May 17 17:59:08.391 UTC: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 111.111.111.111)
1254556: May 17 17:59:08.391 UTC: ISAKMP: Unlocking peer struct 0x47C2184C for isadb_mark_sa_deleted(), count 0
1254557: May 17 17:59:08.391 UTC: ISAKMP: Deleting peer node by peer_reap for 111.111.111.111: 47C2184C
1254558: May 17 17:59:08.391 UTC: ISAKMP:(0):deleting node 665970139 error FALSE reason "IKE deleted"
1254559: May 17 17:59:08.391 UTC: ISAKMP:(0):deleting node -1373319767 error FALSE reason "IKE deleted"
1254560: May 17 17:59:08.391 UTC: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
1254561: May 17 17:59:08.391 UTC: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_DEST_SA
1254562: May 17 17:59:08.391 UTC: IPSEC(key_engine): got a queue event with 1 KMI message(s)
1254565: May 17 17:59:10.123 UTC: IPSEC(sa_request): , (key eng. msg.) OUTBOUND local= 10.20.2.2, remote= 111.111.111.111, local_proxy= 10.20.2.2/255.255.255.255/47/0 (type=1), remote_proxy= 111.111.111.111/255.255.255.255/47/0 (type=1), protocol= ESP, transform= esp-aes esp-sha-hmac (Transport), lifedur= 3600s and 4608000kb, spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
1254566: May 17 17:59:10.123 UTC: ISAKMP:(0): SA request profile is (NULL)
1254567: May 17 17:59:10.123 UTC: ISAKMP: Created a peer struct for 111.111.111.111, peer port 500
1254568: May 17 17:59:10.123 UTC: ISAKMP: New peer created peer = 0x47BF71A4 peer_handle = 0x8000B287
1254569: May 17 17:59:10.123 UTC: ISAKMP: Locking peer struct 0x47BF71A4, refcount 1 for isakmp_initiator
1254570: May 17 17:59:10.123 UTC: ISAKMP: local port 500, remote port 500
1254571: May 17 17:59:10.123 UTC: ISAKMP: set new node 0 to QM_IDLE
1254572: May 17 17:59:10.123 UTC: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 47BF9474
1254573: May 17 17:59:10.123 UTC: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
1254574: May 17 17:59:10.123 UTC: ISAKMP:(0):found peer pre-shared key matching 111.111.111.111
1254575: May 17 17:59:10.123 UTC: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
1254576: May 17 17:59:10.123 UTC: ISAKMP:(0): constructed NAT-T vendor-07 ID
1254577: May 17 17:59:10.123 UTC: ISAKMP:(0): constructed NAT-T vendor-03 ID
1254578: May 17 17:59:10.123 UTC: ISAKMP:(0): constructed NAT-T vendor-02 ID
1254579: May 17 17:59:10.123 UTC: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
1254580: May 17 17:59:10.123 UTC: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
1254581: May 17 17:59:10.123 UTC: ISAKMP:(0): beginning Main Mode exchange
1254582: May 17 17:59:10.123 UTC: ISAKMP:(0): sending packet to 111.111.111.111 my_port 500 peer_port 500 (I) MM_NO_STATE
1254583: May 17 17:59:10.123 UTC: ISAKMP:(0):Sending an IKE IPv4 Packet.
On Tue, May 17, 2011 at 10:31 AM, Andrey <unde...@gmail.com> wrote:
> Mark,
>
> I think "debug dmvpn detail all" would be more useful
>
> --
> Best regards,
> Andrey
>
> On Tue, May 17, 2011 at 11:01 PM, Mark Senteza <msent...@googlemail.com> wrote:
>
>> So here's the "debug crypto isakmp" output of the DMVPN spoke when I
>> change the transform-set to transport mode:
>>
>> 1250096: May 17 16:44:58.279 UTC: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
>> 1250097: May 17 16:44:58.291 UTC: ISAKMP:(0): SA request profile is (NULL)
>> 1250098: May 17 16:44:58.291 UTC: ISAKMP: Created a peer struct for
>> 111.111.111.111, peer port 500
>> 1250099: May 17 16:44:58.291 UTC: ISAKMP: New peer created peer =
>> 0x47C2184C peer_handle = 0x8000B252
>> 1250100: May 17 16:44:58.291 UTC: ISAKMP: Locking peer struct 0x47C2184C,
>> refcount 1 for isakmp_initiator
>> 1250101: May 17 16:44:58.291 UTC: ISAKMP: local port 500, remote port 500
>> 1250102: May 17 16:44:58.291 UTC: ISAKMP: set new node 0 to QM_IDLE
>> 1250103: May 17 16:44:58.291 UTC: ISAKMP: Find a dup sa in the avl tree
>> during calling isadb_insert sa = 49C2CD74
>> 1250104: May 17 16:44:58.291 UTC: ISAKMP:(0):Can not start Aggressive
>> mode, trying Main mode.
>> 1250105: May 17 16:44:58.291 UTC: ISAKMP:(0):found peer pre-shared key
>> matching 111.111.111.111
>> 1250106: May 17 16:44:58.291 UTC: ISAKMP:(0): constructed NAT-T
>> vendor-rfc3947 ID
>> 1250107: May 17 16:44:58.291 UTC: ISAKMP:(0): constructed NAT-T vendor-07
>> ID
>> 1250108: May 17 16:44:58.291 UTC: ISAKMP:(0): constructed NAT-T vendor-03
>> ID
>> 1250109: May 17 16:44:58.291 UTC: ISAKMP:(0): constructed NAT-T vendor-02
>> ID
>> 1250110: May 17 16:44:58.291 UTC: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC,
>> IKE_SA_REQ_MM
>> 1250111: May 17 16:44:58.291 UTC: ISAKMP:(0):Old State = IKE_READY New
>> State = IKE_I_MM1
>>
>> 1250112: May 17 16:44:58.291 UTC: ISAKMP:(0): beginning Main Mode exchange
>> 1250113: May 17 16:44:58.291 UTC: ISAKMP:(0): sending packet to
>> 204.108.14.201 my_port 500 peer_port 500 (I) MM_NO_STATE
>> 1250114: May 17 16:44:58.291 UTC: ISAKMP:(0):Sending an IKE IPv4 Packet.
>> 1250116: May 17 16:45:06.467 UTC: ISAKMP:(0):purging node 81046127
>> 1250117: May 17 16:45:06.467 UTC: ISAKMP:(0):purging node -1754295019
>> 1250118: May 17 16:45:08.295 UTC: ISAKMP:(0): retransmitting phase 1
>> MM_NO_STATE...
>> 1250119: May 17 16:45:08.295 UTC: ISAKMP (0): incrementing error counter
>> on sa, attempt 1 of 5: retransmit phase 1
>> 1250120: May 17 16:45:08.295 UTC: ISAKMP:(0): retransmitting phase 1
>> MM_NO_STATE
>> 1250121: May 17 16:45:08.295 UTC: ISAKMP:(0): sending packet to
>> 111.111.111.111 my_port 500 peer_port 500 (I) MM_NO_STATE
>> 1250122: May 17 16:45:08.295 UTC: ISAKMP:(0):Sending an IKE IPv4 Packet.
>> 1250123: May 17 16:45:08.411 UTC: ISAKMP:(0):purging node 387403375
>> 1250126: May 17 16:45:16.467 UTC: ISAKMP:(0):purging SA., sa=47BFEEA4,
>> delme=47BFEEA4
>> 1250127: May 17 16:45:18.295 UTC: ISAKMP:(0): retransmitting phase 1
>> MM_NO_STATE...
>> 1250128: May 17 16:45:18.295 UTC: ISAKMP (0): incrementing error counter
>> on sa, attempt 2 of 5: retransmit phase 1
>> 1250129: May 17 16:45:18.295 UTC: ISAKMP:(0): retransmitting phase 1
>> MM_NO_STATE
>> 1250130: May 17 16:45:18.295 UTC: ISAKMP:(0): sending packet to
>> 111.111.111.111 my_port 500 peer_port 500 (I) MM_NO_STATE
>> 1250131: May 17 16:45:18.295 UTC: ISAKMP:(0):Sending an IKE IPv4 Packet.
>> 1250132: May 17 16:45:18.411 UTC: ISAKMP:(0):purging SA., sa=49BC4B84,
>> delme=49BC4B84
>>
>>
>> On Mon, May 16, 2011 at 10:42 PM, Kingsley Charles <
>> kingsley.char...@gmail.com> wrote:
>>
>>> Can you try configuring the transform set of spokes behind NAT using
>>> transport mode?
>>>
>>>
>>> With regards
>>> Kings
>>>
>>> On Tue, May 17, 2011 at 3:16 AM, Mark Senteza
>>> <msent...@googlemail.com> wrote:
>>>
>>>> Hey all,
>>>>
>>>> A real scenario that I'd appreciate your opinion on.
>>>>
>>>> I've got a DMVPN setup that I'm trying to deploy. The endpoints sit
>>>> inside the secure network, so I'm using NATs on the ASAs to give them a
>>>> public presence. The VPN won't come up though, and I'm trying to figure out
>>>> what I'm missing and where I should be looking. Appreciate any responses.
>>>>
>>>>
>>>> The DMVPN routers sit behind ASAs on either end. The logical topology
>>>> looks like:
>>>>
>>>> *Router-R1 (DMVPN HUB) Gi0/0.600 -----Router-RA----------ASA-1*
>>>> --------------------INTERNET-------------------*ASA-2---------------Router-RB----------------Gi0/0.603
>>>> Router-R2 (DMVPN Spoke)*
>>>>
>>>> The tunnel source interfaces at both ends have NAT'd IPs on the ASAs and
>>>> use these IPs for peering.
>>>>
>>>> Configs are as follows:
>>>>
>>>> *ROUTER-R1* (DMVPN Hub)
>>>>
>>>> crypto isakmp policy 10
>>>> encr aes
>>>> authentication pre-share
>>>> group 2
>>>>
>>>> crypto isakmp key dmvpnpasswd address 222.222.222.222
>>>>
>>>> crypto ipsec transform-set AESSHA-TRANSFORM esp-aes esp-sha-hmac
>>>>
>>>> crypto ipsec profile DMVPN
>>>> set transform-set AESSHA-TRANSFORM
>>>>
>>>>
>>>> interface Tunnel100
>>>> description GI DMVPN Hub Interface
>>>> ip address 10.1.1.1 255.255.255.248
>>>> no ip redirects
>>>> no ip next-hop-self eigrp 100
>>>> ip nhrp map multicast dynamic
>>>> ip nhrp network-id 100
>>>> no ip split-horizon eigrp 100
>>>> delay 150000
>>>> tunnel source GigabitEthernet0/0.600
>>>> tunnel mode gre multipoint
>>>> tunnel key 100
>>>> tunnel protection ipsec profile DMVPN
>>>>
>>>> interface GigabitEthernet0/0.600
>>>> ip address 10.10.1.1 255.255.255.0
>>>>
>>>> router eigrp 100
>>>> passive-interface default
>>>> no passive-interface Tunnel100
>>>> network 10.255.254.48 0.0.0.7
>>>> no auto-summary
>>>>
>>>>
>>>> *ASA-1*
>>>>
>>>> static (inside,outside) 111.111.111.111 10.10.1.1 netmask
>>>> 255.255.255.255
>>>>
>>>> access-list OUTSIDE line 66 extended permit esp host 222.222.222.222
>>>> host 111.111.111.111 (hitcnt=0) 0x628ac306
>>>> access-list OUTSIDE line 66 extended permit gre host 222.222.222.222
>>>> host 111.111.111.111 (hitcnt=0) 0x1e349ff8
>>>> access-list OUTSIDE line 66 extended permit udp host 222.222.222.222
>>>> host 111.111.111.111 eq isakmp (hitcnt=0) 0x0a22d45b
>>>> access-list OUTSIDE line 66 extended permit udp host 222.222.222.222
>>>> host 111.111.111.111 eq 4500 (hitcnt=0)
>>>>
>>>> **************************************
>>>>
>>>> *ROUTER-R2*
>>>>
>>>> crypto isakmp policy 10
>>>> encr aes
>>>> authentication pre-share
>>>> group 2
>>>>
>>>> crypto isakmp key dmvpnpasswd address 111.111.111.111
>>>>
>>>> crypto ipsec transform-set AESSHA-TRANSFORM esp-aes esp-sha-hmac
>>>>
>>>> crypto ipsec profile DMVPN
>>>> set transform-set AESSHA-TRANSFORM
>>>>
>>>> interface Tunnel100
>>>> description GI DMVPN Spoke Interface
>>>> ip address 10.1.1.2 255.255.255.248
>>>> no ip redirects
>>>> ip nhrp map 10.1.1.1 111.111.111.111
>>>> ip nhrp map multicast 111.111.111.111
>>>> ip nhrp network-id 100
>>>> ip nhrp nhs 10.1.1.1
>>>> delay 150000
>>>> tunnel source GigabitEthernet0/0.603
>>>> tunnel mode gre multipoint
>>>> tunnel key 100
>>>> tunnel protection ipsec profile DMVPN
>>>>
>>>> interface GigabitEthernet0/0.603
>>>> ip address 10.20.2.2 255.255.255.0 <-
>>>> This has been NAT'd to 222.222.222.222 on the ASA-B firewall, which I don't
>>>> have visibility into.
>>>>
>>>> router eigrp 100
>>>> passive-interface default
>>>> no passive-interface Tunnel100
>>>> network 10.1.1.0 0.0.0.7
>>>> no auto-summary
>>>>
>>>>
>>>> *Observations:*
>>>>
>>>> 1. I can ping from the DMVPN spoke to the DMVPN hub, using the Public
>>>> IPs and I see the hit-count on the ASA increasing, so I know for sure that
>>>> the routing is fine and the NAT on the remote ASA that I don't manage is
>>>> correct.
>>>> 2. None of the crypto protocol traffic I'm allowing inbound shows any
>>>> hit count.
>>>>
>>>> 3. The following is the "show crypto isakmp sa" output from the DMVPN
>>>> spoke (Router-2):
>>>>
>>>> dst             src             state          conn-id status
>>>> 111.111.111.111 10.20.2.2       MM_NO_STATE          0 ACTIVE
>>>> 111.111.111.111 10.20.2.2       MM_NO_STATE          0 ACTIVE (deleted)
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> For more information regarding industry leading CCIE Lab training,
>>>> please visit www.ipexpert.com
>>>>
>>>> Are you a CCNP or CCIE and looking for a job? Check out
>>>> www.PlatinumPlacement.com
>>>>
>>>
>>>
>>
>
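Every spoke-side capture in this thread shows the same shape: the initiator sends Main Mode 1 to the peer, the state stays at MM_NO_STATE through five retransmits, and the SA is torn down with "Death by retransmission P1", while the hub-side ASA rule for UDP/500 from the spoke's NAT address shows hitcnt=0. The following is an added example, not code from the list or from Cisco: a small Python summarizer that reads lines shaped like the "debug crypto isakmp" output above and reports, per peer, how many packets went out, whether anything ever came back, and which verdict that supports, so a "no reply at all" (path or NAT problem) is separated from a "reply but stalled" (policy or pre-shared-key mismatch). The sample lines are constructed with documentation-range addresses; the "received packet from" line shape, which the thread never shows because no reply arrived, is an assumption.

```python
"""Summarize IKEv1 phase 1 progress per peer from Cisco IOS ISAKMP debug lines.

Added example for this thread, not code from the list or from Cisco. The
line shapes are taken from the "debug crypto isakmp" output quoted above;
SAMPLE_DEBUG is constructed and uses documentation-range addresses.
"""
import re
from dataclasses import dataclass, field

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# "<seq>: <Mon> <dd> <hh:mm:ss.mmm> UTC: " prefix that every line in the thread carries.
PREFIX_RE = re.compile(r"^\d+:\s+[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\.\d{3}\s+\w+:\s*")
PEER_RE = re.compile(rf"Created a peer struct for (?P<peer>{IPV4})")
SEND_RE = re.compile(
    rf"sending packet to (?P<peer>{IPV4}) my_port (?P<lport>\d+) "
    rf"peer_port (?P<rport>\d+) \((?P<role>[IR])\) (?P<state>\w+)"
)
RETRANS_RE = re.compile(r"attempt (?P<n>\d+) of (?P<max>\d+): retransmit phase 1")
STATE_RE = re.compile(r"Old State = (?P<old>\w+)\s+New State = (?P<new>\w+)")
DEATH_RE = re.compile(rf'"Death by retransmission P1".*\(peer (?P<peer>{IPV4})\)')
# Assumed shape of the inbound counterpart of "sending packet to"; the thread shows none.
RECV_RE = re.compile(rf"received packet from (?P<peer>{IPV4})")


@dataclass
class PeerPhase1:
    peer: str
    packets_sent: int = 0
    packets_received: int = 0
    last_attempt: int = 0
    max_attempts: int = 0
    ports: tuple = (0, 0)
    states: list = field(default_factory=list)
    death_by_retransmission: bool = False

    def verdict(self) -> str:
        """Classify what the initiator saw, from the defender's troubleshooting view."""
        if self.death_by_retransmission and self.packets_received == 0:
            return ("no-reply: every Main Mode packet went unanswered and the SA never left "
                    "MM_NO_STATE; check that UDP/500 (and UDP/4500 for NAT-T) reaches the "
                    "peer and that its reply can return through any NAT in the path")
        if self.death_by_retransmission:
            return ("stalled: the peer answered but phase 1 still timed out; compare the "
                    "ISAKMP policy and pre-shared key on both sides")
        if self.packets_received:
            return "progressing"
        return "pending: packets sent, no reply and no timeout yet"


def summarize(lines):
    """Return {peer_ip: PeerPhase1} built from raw debug lines (timestamp prefix optional)."""
    peers = {}
    current = None  # state/retransmit lines name no peer; attribute them to the last one seen
    for raw in lines:
        msg = PREFIX_RE.sub("", raw.strip(), count=1)
        if not msg:
            continue
        m = PEER_RE.search(msg)
        if m:
            current = peers.setdefault(m["peer"], PeerPhase1(m["peer"]))
            continue
        m = SEND_RE.search(msg)
        if m:
            current = peers.setdefault(m["peer"], PeerPhase1(m["peer"]))
            current.packets_sent += 1
            current.ports = (int(m["lport"]), int(m["rport"]))
            continue
        m = RECV_RE.search(msg)
        if m:
            current = peers.setdefault(m["peer"], PeerPhase1(m["peer"]))
            current.packets_received += 1
            continue
        m = DEATH_RE.search(msg)
        if m:
            current = peers.setdefault(m["peer"], PeerPhase1(m["peer"]))
            current.death_by_retransmission = True
            continue
        if current is None:
            continue
        m = RETRANS_RE.search(msg)
        if m:
            current.last_attempt, current.max_attempts = int(m["n"]), int(m["max"])
            continue
        m = STATE_RE.search(msg)
        if m:
            current.states.append((m["old"], m["new"]))
    return peers


def report(peers):
    """One line per peer, sorted by address, suitable for printing or a log pipeline."""
    out = []
    for p in sorted(peers.values(), key=lambda x: x.peer):
        last = p.states[-1][1] if p.states else "n/a"
        out.append(f"{p.peer} sent={p.packets_sent} recv={p.packets_received} "
                   f"retransmit={p.last_attempt}/{p.max_attempts} last_state={last} :: {p.verdict()}")
    return out


# Constructed sample: one peer that never answers (as in the thread) and one that does.
SAMPLE_DEBUG = """\
1000: May 17 17:59:10.123 UTC: ISAKMP: Created a peer struct for 198.51.100.10, peer port 500
1001: May 17 17:59:10.123 UTC: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
1002: May 17 17:59:10.123 UTC: ISAKMP:(0): beginning Main Mode exchange
1003: May 17 17:59:10.123 UTC: ISAKMP:(0): sending packet to 198.51.100.10 my_port 500 peer_port 500 (I) MM_NO_STATE
1004: May 17 17:59:20.123 UTC: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
1005: May 17 17:59:20.123 UTC: ISAKMP:(0): sending packet to 198.51.100.10 my_port 500 peer_port 500 (I) MM_NO_STATE
1006: May 17 18:00:00.123 UTC: ISAKMP (0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
1007: May 17 18:00:00.123 UTC: ISAKMP:(0): sending packet to 198.51.100.10 my_port 500 peer_port 500 (I) MM_NO_STATE
1008: May 17 18:00:10.123 UTC: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 198.51.100.10)
1009: May 17 18:00:10.123 UTC: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_DEST_SA
1010: May 17 18:00:12.000 UTC: ISAKMP: Created a peer struct for 203.0.113.7, peer port 500
1011: May 17 18:00:12.000 UTC: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
1012: May 17 18:00:12.000 UTC: ISAKMP:(0): sending packet to 203.0.113.7 my_port 500 peer_port 500 (I) MM_NO_STATE
1013: May 17 18:00:12.040 UTC: ISAKMP (0): received packet from 203.0.113.7 dport 500 sport 500 Global (I) MM_NO_STATE
1014: May 17 18:00:12.040 UTC: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2
"""

if __name__ == "__main__":
    for line in report(summarize(SAMPLE_DEBUG.splitlines())):
        print(line)
```

Feed it the spoke's own capture (`summarize(open("debug.txt").readlines())`) and the peer line for 111.111.111.111 will come out as "no-reply", which is the same conclusion the zero hit counts on ASA-1's UDP/500 rule point to: the problem sits on the path between the spoke's NAT address and the hub, not in the crypto configuration. A peer that reaches "stalled" instead is worth a second look at the ISAKMP policy and key on both ends before touching the firewalls.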