Table Of Contents

Troubleshooting

Troubleshooting Solution Components

Cisco 7200 Series Internet Router Troubleshooting

RADIUS Troubleshooting

Troubleshooting Customer Premise Equipment

Troubleshooting IP Solution Center Version 3.0

Troubleshooting Cisco IOS Software

Troubleshooting Cisco VPNS

Troubleshooting IPSec

ISAKMP and IPSec Troubleshooting Commands

IPSec Troubleshooting Strategy

Sample IPSec Debug

Common IPSec Error Messages

Common IPSec Issues

Troubleshooting Tunnel Establishment

Routing Issues

Troubleshooting Example

Troubleshooting Tips

Troubleshooting

---

This chapter provides information on troubleshooting the Cisco network-based IPSec VPN solution Release 1.5. It provides links to information on troubleshooting solution components as well as IPSec. It also provides solution-specific troubleshooting.

Troubleshooting Solution Components

Cisco 7200 Series Internet Router Troubleshooting

See Cisco 7202 and Cisco 7204 router troubleshooting at:

http://www.cisco.com/univercd/cc/td/doc/product/core/7200vx/3518.htm

RADIUS Troubleshooting

Any RADIUS server (such as Cisco Access Registrar) that understands Cisco AV pairs can be used as an AAA server. For information on troubleshooting the Cisco Access Registrar, see http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cnsar/3_0/users/trouble.htm.

Troubleshooting Customer Premise Equipment

This section provides references to troubleshooting information for the following customer premises equipment used with the Network-Based IPSec VPN:

•Cisco VPN 3002 hardware client

•Cisco 800 series routers

•Cisco 1700 series routers

•Cisco 2600 series routers

•Cisco 3600 series routers

•Cisco 7200 series routers

Table 3-1 Customer Premise Equipment Troubleshooting Information

Customer Premise Equipment	Upgrade Information
Cisco VPN 3002 hardware client	See the information at: http://www.cisco.com/en/US/products/hw/vpndevc/ps2286/products_user_guide_chapter09186a00800bcd46.html.
Cisco 800 series routers	See the information at: http://www.cisco.com/univercd/cc/td/doc/product/access/acs_fix/800/800hwins/trouble.htm.
Cisco 1700 series routers	See the information at: http://www.cisco.com/en/US/products/hw/routers/ps221/prod_alerts_troubleshooting.html
Cisco 2600 series routers	See the information at: http://www.cisco.com/warp/public/108/hwts_2600_16138.html.
Cisco 3600 series routers	See the information at: http://www.cisco.com/en/US/products/hw/routers/ps274/prod_alerts_troubleshooting.html.
Cisco 7200 series routers	See the information at: http://www.cisco.com/warp/public/63/hwts_7200_16122.html.

Troubleshooting IP Solution Center Version 3.0

See the information at: http://www.cisco.com/univercd/home/home.htm.

Troubleshooting Cisco IOS Software

For general information on troubleshooting Cisco IOS software, see http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/taclinks.htm.

Troubleshooting Cisco VPNS

For information on troubleshooting Cisco VPNS, see http://www.cisco.com/en/US/tech/tk436/tk428/technologies_configuration_example09186a00800a6c11.shtml.

Troubleshooting IPSec

Troubleshooting IPSec-related connectivity problems is fairly straightforward if you use a logical and methodical approach.

When IPSec works correctly, the normal flow of events is as follows:

•Router receives interesting traffic, which is traffic that must be encrypted.

•Router negotiates and sets up an IKE tunnel with the remote peer specified in the configuration.

•Router negotiates IPSec tunnels (one for the inbound direction and one for the outbound) with the remote peer.

•Routers pass encrypted traffic back and forth.

ISAKMP and IPSec Troubleshooting Commands

---

Note As with all other debug commands, ISAKMP and IPSec debug commands consume CPU cycles and produce copious output.

---

The ISAKMP and IPSec troubleshooting commands provide detailed information about IPSec failure. See Appendix A, "Troubleshooting Commands," for more examples of these commands as well as the information they provide.

debug crypto engine

Use this command to view encrypted traffic.

The following is sample output from the debug crypto engine command. The first sample output shows messages from a router that successfully generates RSA keys. The second sample output shows messages from a router that decrypts the RSA key during Internet Key Exchange (IKE) negotiation.

Router# debug crypto engine

00:25:13:CryptoEngine0:generate key pair

00:25:13:CryptoEngine0:CRYPTO_GEN_KEY_PAIR

00:25:13:CRYPTO_ENGINE:key process suspended and continued

00:25:14:CRYPTO_ENGINE:key process suspended and continuedcr

Router# debug crypto engine

00:27:45:%SYS-5-CONFIG_I:Configured from console by console

00:27:51:CryptoEngine0:generate alg parameter

00:27:51:CRYPTO_ENGINE:Dh phase 1 status:0

00:27:51:CRYPTO_ENGINE:Dh phase 1 status:0

00:27:51:CryptoEngine0:generate alg parameter

00:27:52:CryptoEngine0:calculate pkey hmac for conn id 0

00:27:52:CryptoEngine0:create ISAKMP SKEYID for conn id 1

00:27:52:Crypto engine 0:RSA decrypt with public key

00:27:52:CryptoEngine0:CRYPTO_RSA_PUB_DECRYPT

00:27:52:CryptoEngine0:generate hmac context for conn id 1

00:27:52:CryptoEngine0:generate hmac context for conn id 1

00:27:52:Crypto engine 0:RSA encrypt with private key

00:27:52:CryptoEngine0:CRYPTO_RSA_PRIV_ENCRYPT

00:27:53:CryptoEngine0:clear dh number for conn id 1

00:27:53:CryptoEngine0:generate hmac context for conn id 1

00:27:53:validate proposal 0

00:27:53:validate proposal request 0

00:27:54:CryptoEngine0:generate hmac context for conn id 1

00:27:54:CryptoEngine0:generate hmac context for conn id 1

00:27:54:ipsec allocate flow 0

00:27:54:ipsec allocate flow 0

debug crypto isakmp

Use this command to view to see the Internet Security Association and Key Management Protocol (ISAKMP) phase 1 negotiations.

The following is sample output from the debug crypto isakmp command for an IKE peer that initiates an IKE negotiation. First, IKE negotiates its own security association (SA), checking for a matching IKE policy:

Router# debug crypto isakmp

20:26:58: ISAKMP (8): beginning Main Mode exchange

20:26:58: ISAKMP (8): processing SA payload. message ID = 0

20:26:58: ISAKMP (8): Checking ISAKMP transform 1 against priority 10 policy

20:26:58: ISAKMP: encryption DES-CBC

20:26:58: ISAKMP: hash SHA

20:26:58: ISAKMP: default group 1

20:26:58: ISAKMP: auth pre-share

20:26:58: ISAKMP (8): atts are acceptable. Next payload is 0




IKE has found a matching policy. Next, the IKE SA is used by each peer to authenticate the other peer:

20:26:58: ISAKMP (8): SA is doing pre-shared key authentication

20:26:59: ISAKMP (8): processing KE payload. message ID = 0

20:26:59: ISAKMP (8): processing NONCE payload. message ID = 0

20:26:59: ISAKMP (8): SKEYID state generated

20:26:59: ISAKMP (8): processing ID payload. message ID = 0

20:26:59: ISAKMP (8): processing HASH payload. message ID = 0

20:26:59: ISAKMP (8): SA has been authenticated




Next, IKE negotiates to set up the IPSec SA by searching for a matching transform set:

20:26:59: ISAKMP (8): beginning Quick Mode exchange, M-ID of 767162845

20:26:59: ISAKMP (8): processing SA payload. message ID = 767162845

20:26:59: ISAKMP (8): Checking IPSec proposal 1

20:26:59: ISAKMP: transform 1, ESP_DES

20:26:59: ISAKMP: attributes in transform:

20:26:59: ISAKMP: encaps is 1

20:26:59: ISAKMP: SA life type in seconds

20:26:59: ISAKMP: SA life duration (basic) of 600

20:26:59: ISAKMP: SA life type in kilobytes

20:26:59: ISAKMP: SA life duration (VPI) of

0x0 0x46 0x50 0x0

20:26:59: ISAKMP: authenticator is HMAC-MD5

20:26:59: ISAKMP (8): atts are acceptable.




A matching IPSec transform set has been found at the two peers. Now the IPSec SA can be created (one SA is created for each direction):

20:26:59: ISAKMP (8): processing NONCE payload. message ID = 767162845

20:26:59: ISAKMP (8): processing ID payload. message ID = 767162845

20:26:59: ISAKMP (8): processing ID payload. message ID = 767162845

20:26:59: ISAKMP (8): Creating IPSec SAs

20:26:59: inbound SA from 155.0.0.2 to 155.0.0.1 (proxy 155.0.0.2 to 155.0.0.1)

20:26:59: has spi 454886490 and conn_id 9 and flags 4

20:26:59: lifetime of 600 seconds

20:26:59: lifetime of 4608000 kilobytes

20:26:59: outbound SA from 155.0.0.1 to 155.0.0.2 (proxy 155.0.0.1

to 155.0.0.2 )

20:26:59: has spi 75506225 and conn_id 10 and flags 4

20:26:59: lifetime of 600 seconds

20:26:59: lifetime of 4608000 kilobytes

debug crypto ipsec

Use this command to view the IPSec phase 2 negotiations.

The following is sample output from the debug crypto ipsec command. In this example, security associations (SAs) have been successfully established.

Router# debug crypto ipsec




IPSec requests SAs between 172.21.114.123 and 172.21.114.67, on behalf of the permit ip host 172.21.114.123 host 172.21.114.67 command. It prefers to use the transform set esp-des w/esp-md5-hmac, but it also considers ah-sha-hmac.

00:24:30: IPSEC(sa_request): ,

(key eng. msg.) src= 172.21.114.123, dest= 172.21.114.67,

src_proxy= 172.21.114.123/255.255.255.255/0/0 (type=1),

dest_proxy= 172.21.114.67/255.255.255.255/0/0 (type=1),

protocol= ESP, transform= esp-des esp-md5-hmac ,

lifedur= 120s and 4608000kb,

spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4

00:24:30: IPSEC(sa_request): ,

(key eng. msg.) src= 172.21.114.123, dest= 172.21.114.67,

src_proxy= 172.21.114.123/255.255.255.255/0/0 (type=1),

dest_proxy= 172.21.114.67/255.255.255.255/0/0 (type=1).,

protocol= AH, transform= ah-sha-hmac ,

lifedur= 120s and 4608000kb,

spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0.




IKE asks for SPIs from IPSec. For inbound security associations, IPSec controls its own SPI space.

00:24:34: IPSEC(key_engine): got a queue event...

00:24:34: IPSEC(spi_response): getting spi 302974012ld for SA

from 172.21.114.67 to 172.21.114.123 for prot 3

00:24:34: IPSEC(spi_response): getting spi 525075940ld for SA

from 172.21.114.67 to 172.21.114.123 for prot 2




IKE asks IPSec if it accepts the SA proposal. In this case, it will be the one sent by the local IPSec:

00:24:34: IPSEC(validate_proposal_request): proposal part #1,

(key eng. msg.) dest= 172.21.114.67, src= 172.21.114.123,

dest_proxy= 172.21.114.67/255.255.255.255/0/0 (type=1),

src_proxy= 172.21.114.123/255.255.255.255/0/0 (type=1),

protocol= ESP, transform= esp-des esp-md5-hmac ,

lifedur= 0s and 0kb,

spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4




After the proposal is accepted, IKE finishes the negotiations, generates the keying material, and then notifies IPSec of the new security associations (one security association for each direction).

00:24:35: IPSEC(key_engine): got a queue event...




The following output pertains to the inbound SA. The conn_id value references an entry in the crypto engine connection table.

00:24:35: IPSEC(initialize_sas): ,

(key eng. msg.) dest= 172.21.114.123, src= 172.21.114.67,

dest_proxy= 172.21.114.123/255.255.255.255/0/0 (type=1),

src_proxy= 172.21.114.67/255.255.255.255/0/0 (type=1),

protocol= ESP, transform= esp-des esp-md5-hmac ,

lifedur= 120s and 4608000 kb,

spi= 0x120F043C(302974012), conn_id= 29, keysize= 0, flags= 0x4




The following output pertains to the outbound SA:

00:24:35: IPSEC(initialize_sas): ,

(key eng. msg.) src= 172.21.114.123, dest= 172.21.114.67,

src_proxy= 172.21.114.123/255.255.255.255/0/0 (type=1),

dest_proxy= 172.21.114.67/255.255.255.255/0/0 (type=1),

protocol= ESP, transform= esp-des esp-md5-hmac ,

lifedur= 120s and 4608000kb,

spi= 0x38914A4(59315364), conn_id= 30, keysize= 0, flags= 0x4




IPSec now installs the SA information into its SA database.

00:24:35: IPSEC(create_sa): sa created,

(sa) sa_dest= 172.21.114.123, sa_prot= 50,

sa_spi= 0x120F043C(302974012),

sa_trans= esp-des esp-md5-hmac , sa_conn_id= 29

00:24:35: IPSEC(create_sa): sa created,

(sa) sa_dest= 172.21.114.67, sa_prot= 50,

sa_spi= 0x38914A4(59315364),

sa_trans= esp-des esp-md5-hmac , sa_conn_id= 30




The following is sample output for the debug crypto ipsec command as seen on the peer router. In this example, IKE asks IPSec to accept an SA proposal. Although the peer sent two proposals, IPSec accepts the first proposal.

00:26:15: IPSEC(validate_proposal_request): proposal part #1,

(key eng. msg.) dest= 172.21.114.67, src= 172.21.114.123,

dest_proxy= 172.21.114.67/255.255.255.255/0/0 (type=1),

src_proxy= 172.21.114.123/255.255.255.255/0/0 (type=1),

protocol= ESP, transform= esp-des esp-md5-hmac ,

lifedur= 0s and 0kb,

spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4




IKE asks for SPIs.

00:26:15: IPSEC(key_engine): got a queue event...

00:26:15: IPSEC(spi_response): getting spi 59315364ld for SA

from 172.21.114.123 to 172.21.114.67 for prot 3




IKE performs the remaining processing, completing the negotiation and generating keys. It then tells IPSec about the new SAs.

00:26:15: IPSEC(key_engine): got a queue event...




The following output pertains to the inbound SA:

00:26:15: IPSEC(initialize_sas): ,

(key eng. msg.) dest= 172.21.114.67, src= 172.21.114.123,

dest_proxy= 172.21.114.67/0.0.0.0/0/0 (type=1),

src_proxy= 172.21.114.123/0.0.0.0/0/0 (type=1),

protocol= ESP, transform= esp-des esp-md5-hmac ,

lifedur= 120s and 4608000kb,

spi= 0x38914A4(59315364), conn_id= 25, keysize= 0, flags= 0x4




The following output pertains to the outbound SA:

00:26:15: IPSEC(initialize_sas): ,

(key eng. msg.) src= 172.21.114.67, dest= 172.21.114.123,

src_proxy= 172.21.114.67/0.0.0.0/0/0 (type=1),

dest_proxy= 172.21.114.123/0.0.0.0/0/0 (type=1),

protocol= ESP, transform= esp-des esp-md5-hmac ,

lifedur= 120s and 4608000kb,

spi= 0x120F043C(302974012), conn_id= 26, keysize= 0, flags= 0x4




IPSec installs the SA information into its SA database:

00:26:15: IPSEC(create_sa): sa created,

(sa) sa_dest= 172.21.114.67, sa_prot= 50,

sa_spi= 0x38914A4(59315364),

sa_trans= esp-des esp-md5-hmac , sa_conn_id= 25

00:26:15: IPSEC(create_sa): sa created,

(sa) sa_dest= 172.21.114.123, sa_prot= 50,

sa_spi= 0x120F043C(302974012),

sa_trans= esp-des esp-md5-hmac , sa_conn_id= 26

show crypto ipsec sa

Use this command to view the IPSec SAs built between peers.

The encrypted tunnel is built between 12.1.1.1 and 12.1.1.2 for traffic traveling between networks 20.1.1.0 and 10.1.1.0. You can view the two Encapsulating Security Payload (ESP) SAs built inbound and outbound. Authentication Header (AH) is not used because there are no AH SAs. Below is an example of the show crypto ipsec sa command.

interface: FastEthernet0

Crypto map tag: test, local addr. 12.1.1.1

local ident (addr/mask/prot/port): (20.1.1.0/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)

current_peer: 12.1.1.2

PERMIT, flags={origin_is_acl,}

#pkts encaps: 7767918, #pkts encrypt: 7767918, #pkts digest 7767918

#pkts decaps: 7760382, #pkts decrypt: 7760382, #pkts verify 7760382

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0

#send errors 1, #recv errors 0

local crypto endpt.: 12.1.1.1, remote crypto endpt.: 12.1.1.2

path mtu 1500, media mtu 1500

current outbound spi: 3D3

inbound esp sas:

spi: 0x136A010F(325714191)

transform: esp-3des esp-md5-hmac ,

in use settings ={Tunnel, }

slot: 0, conn id: 3442, flow_id: 1443, crypto map: test

sa timing: remaining key lifetime (k/sec): (4608000/52)

IV size: 8 bytes

replay detection support: Y

inbound ah sas:

inbound pcp sas:

inbound pcp sas:

outbound esp sas:

spi: 0x3D3(979)

transform: esp-3des esp-md5-hmac ,

in use settings ={Tunnel, }

slot: 0, conn id: 3443, flow_id: 1444, crypto map: test

sa timing: remaining key lifetime (k/sec): (4608000/52)

IV size: 8 bytes

replay detection support: Y

outbound ah sas:

outbound pcp sas:

show crypto engine connection active

Use this command to view each phase 2 SA built and the amount of traffic sent.

---

Note Remember that phase 2 SAs are unidirectional, so each SA shows traffic in one direction only (encryptions are outbound, decryptions are inbound).

---

IPSec Troubleshooting Strategy

This section provides a general IPSec troubleshooting path.

1. Remove crypto maps from the interfaces and check basic IP connectivity.

2. Compare configuration on both sides for symmetry.

3. Apply maps back on, turn on the following debugs:

a. debug crypto ipsec

b. debug crypto isakmp

c. debug crypto engine

4. Generate interesting traffic (often an extended ping is necessary)

5. Observe debugs for error messages and exceptions

6. Check to see if the match address access list is receiving hits

7. Use the following show commands:

a. show crypto isakmp sa

b. show crypto ipsec sa

c. sh crypto engine connections active

8. Use the following commands to clear established sessions and regenerate debugs:

a. clear crypto sa

b. clear crypto isakmp

9. Use the following show commands:

a. show crypto isakmp sa

b. show crypto ipsec sa

c. sh crypto engine connections active

10. Use the following commands to clear established sessions and regenerate debugs:

a. clear crypto sa

b. clear crypto isakmp

Hardware Accelerator Card Problems

Determine if the router is using a hardware accelerator (encryption) card by issuing the following command:

show crypto engine config

If the hardware card is not being used, the `crypto engine type' is reported as `software,' otherwise, it reports the actual card type in use, such as ISA/ISM.

If the hardware card is being used, it might sometimes lapse into a limbo state and cause problems with establishment of tunnels. You can disable the card to determine if this is the case by issuing the following command:

no crypto engine accelerator <slot_#>

You can then recheck for the tunnels. If the tunnels resume operation successfully, the problem resides with the accelerator card.

You can put the card back in service by issuing the following command:

crypto engine accelerator <slot_#>

If you continue to experience problems with the card, you can try reloading the router. If the problem persists, try swapping out the card for a new one.

---

Note Each time you disable or enable the accelerator card, all existing crypto connections are torn down.

---

The following commands can be used to obtain statistics from the hardware card for the 7000 platforms and other platforms, respectively:

show pas isa interface

sho crypto engine accelerator stats

Questions for Effective Troubleshooting

IPSec connectivity fails if problems occur during any of the stages listed above. To effectively troubleshoot connectivity problems, consider the key questions in the following sections.

• Is the router receiving and recognizing interesting traffic?

• Does the router successfully negotiate an IKE tunnel with its peer?

• Does the router successfully negotiate IPSec tunnels with its peer?

Is the router receiving and recognizing interesting traffic?

---

Step 1 To check for interesting traffic, issue the following command:

show access-list <access-list-name>

The number of matches for the access list should increment for each interesting data packet; if the number of matches is increasing, you can skip the following step.

Step 2 If the number of matches is not increasing, check to make sure that the source interface for the traffic is operational by using the following command:

show interface <interface name>

If the interface is operational, check the `match address' section of your crypto map to make sure that the access list specified there indicates the correct source and destination addresses / networks.

Step 3 Next, check to make sure that the interesting traffic is being routed to the correct interface by issuing the following command:

show ip routes

If the interesting traffic is not being routed to the correct interface, configure the required route entries.

Step 4 Finally, verify that the crypto map is being applied to the outbound interface by issuing the following command:

show run interface <interface_name>

---

Does the router successfully negotiate an IKE tunnel with its peer?

When the router sees interesting traffic, it attempts to negotiate an IKE tunnel with the remote peer specified in the `set peer' statement of the crypto map.

---

Step 1 To verify if IKE is active, issue the following command:

show crypto isakmp sa

If the IKE is active, output similar to the following appears:

dst src state conn-id slot

192.1.66.1 192.168.1.1 QM_IDLE 468 0




If the IKE is active, you can skip Step 2.

If output similar to either of the following examples appears, the peers are still attempting to negotiate IKE:

dst src state conn-id slot

192.1.66.1 192.168.1.1 MM_KEY_EXCH 320 0




dst src state conn-id slot

192.1.66.1 192.168.1.1 MM_SA_SETUP 36 0




If output similar to the following example appears, the IKE is not established:

dst src state conn-id slot

192.1.66.1 192.168.1.1 MM_NO_STATE 36 0




Step 2 If the IKE does not become active, ping to make sure that the remote peer (tunnel endpoint) is reachable. (Remember that the tunnel endpoints must be routable addresses). If you are unable to ping the remote peer, check your routing tables by issuing the following command:

show ip routes

Step 3 Configure any necessary routes. Check the status of all intervening interfaces along the routing path, and make sure that they are all operational.

Step 4 If the remote peer is reachable, check to make sure that the ISAKMP policies are the same on both peers. Issue the following command on both peers:

show crypto isakmp policy

Step 5 The encryption algorithm, hash algorithm, authentication method, ISAKMP lifetimes and Diffie-Helman group must match each other. Correct the configuration if you see discrepancies. If preshared keys are being used, such as the authentication method, the keys must be the same on both peers. Check this by issuing the following command:

show crypto isakmp key

You should then see output similar to the following:

7200-Gen#show crypto isakmp key

Hostname/Address Preshared key

192.168.1.1 cisco

192.16.7.1 beehive




Step 6 Compare the ISAKMP policies manually on the two peers to identify discrepancies. An alternate method of identifying problems is referencing error messages that are logged to the syslog by such discrepancies. (It is a good idea to keep the syslog turned on).

Step 7 Another important safeguard is checking to make sure that the ISAKMP packets are not blocked. To implement this procedure, simply run debugs on both peers and check to see if there is any activity.

---

Does the router successfully negotiate IPSec tunnels with its peer?

---

Step 1 When the IKE is operational, IPSec tunnels (one for inbound and one for outbound traffic) are negotiated. To check, issue the following command:

show crypto engine connection active

If the IPSec tunnels are active, you should see output similar to the following:

UUT#sho cry eng conn active

ID Interface IP-Address State Algorithm Encrypt Decrypt

1 <none> <none> set HMAC_SHA+3DES_56_C 0 0

2029 Serial5/0 192.168.1.1 set HMAC_SHA+3DES_56_C 0 1987

2030 Serial5/0 192.168.1.1 set HMAC_SHA+3DES_56_C 2378 0

UUT#




Step 2 The numbers in the `encrypted' and `decrypted' columns must increment continuously depending upon whether the router is encrypting packets, decrypting packets, or both. If this is not happening, check to verify that there is at least one matching crypto IPSec transform on the two peers by issuing the following command:

sho crypto ipsec transform

Step 3 There must be at least one transform common to both peers. The first transform that matches (not necessarily the strongest common transform) is used to build the IPSec tunnels. If there is no transform common to both peers, IPSec tunnels do not come up. Be sure to configure transforms correctly.

Step 4 You can also display detailed information and statistics for the IPSec tunnels by issuing the following command:

show crypto ipsec sa

The information provided by this command might be useful for more in-depth troubleshooting. The output from this command will be similar to the following example:

7200-Gen#show crypto ipsec sa

interface: ATM5/0.1

Crypto map tag: crypmap1, local addr. 192.1.1.1

local ident (addr/mask/prot/port): (10.1.1.1/255.255.255.255/0/0)

remote ident (addr/mask/prot/port): (100.1.1.1/255.255.255.255/0/0)

current_peer: 192.168.1.1

PERMIT, flags={origin_is_acl,}

#pkts encaps: 3010, #pkts encrypt: 3010, #pkts digest 3010

#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0

#send errors 3, #recv errors 0

local crypto endpt.: 192.1.1.1, remote crypto endpt.: 192.168.1.1

path mtu 4470, media mtu 4470

current outbound spi: 5ECB6495

inbound esp sas:

spi: 0xD90CEC8(227593928)

transform: esp-3des esp-sha-hmac ,

in use settings ={Tunnel, }

slot: 0, conn id: 3739, flow_id: 1711, crypto map: crypmap1

sa timing: remaining key lifetime (k/sec): (4608000/590)

IV size: 8 bytes

replay detection support: Y

inbound ah sas:

inbound pcp sas:

outbound esp sas:

spi: 0x5ECB6495(1590387861)

transform: esp-3des esp-sha-hmac ,

in use settings ={Tunnel, }

slot: 0, conn id: 3740, flow_id: 1712, crypto map: crypmap1

sa timing: remaining key lifetime (k/sec): (4607415/590)

IV size: 8 bytes

replay detection support: Y

outbound ah sas:

outbound pcp sas:

Sample IPSec Debug

The following is a sample IPSec debug:

irmg.cayman#sh debug

Cryptographic Subsystem:

Crypto ISAKMP debugging is on

Crypto Engine debugging is on

Crypto IPSEC debugging is onirmg.cayman#ping

Protocol [ip]:

Target IP address: 10.146.1.1

Repeat count [5]: 10

Datagram size [100]:

Timeout in seconds [2]:

Extended commands [n]: y

Source address or interface: 205.136.238.33

Type of service [0]:

Set DF bit in IP header? [no]:

Validate reply data? [no]:

Data pattern [0xABCD]:

Loose, Strict, Record, Timestamp, Verbose[none]:

Sweep range of sizes [n]:

Type escape sequence to abort.

Sending 10, 100-byte ICMP Echos to 10.146.1.1, timeout is 2 seconds:

1d09h: IPSEC(sa_request): ,

(key eng. msg.) src= 205.136.238.33, dest= 209.146.47.206,

src_proxy= 205.136.238.0/255.255.255.0/0/0 (type=4),

dest_proxy= 10.146.1.0/255.255.255.0/0/0 (type=4),

protocol= ESP, transform= esp-des ,

lifedur= 3600s and 4608000kb,

spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4004

1d09h: ISAKMP (16): beginning Main Mode exchange1d09h: ISAKMP (16): processing SA payload. message ID = 0

1d09h: ISAKMP (16): Checking ISAKMP transform 1 against priority 1 policy

1d09h: ISAKMP: encryption DES-CBC

1d09h: ISAKMP: hash MD5

1d09h: ISAKMP: default group 1

1d09h: ISAKMP: auth pre-share.

1d09h: ISAKMP (16): atts are acceptable. Next payload is 0

1d09h: Crypto engine 0: generate alg param

1d09h: CRYPTO_ENGINE: Dh phase 1 status: 0

1d09h: ISAKMP (16): SA is doing pre-shared key authentication

1d09h: ISAKMP (16): processing KE payload. message ID = 0

1d09h: Crypto engine 0: generate alg param

1d09h: ISAKMP (16): processing NONCE payload. message ID = 0

1d09h: Crypto engine 0: create ISAKMP SKEYID for conn id 16

1d09h: ISAKMP (16): SKEYID state generated

1d09h: ISAKMP (16): processing vendor id payload

1d09h: ISAKMP (16): speaking to another IOS box!

1d09h: generate hmac context for conn id 16

1d09h: ISAKMP (16): processing ID payload. message ID = 0

1d09h: ISAKMP (16): processing HASH payload. message ID = 0

1d09h: generate hmac context for conn id 16

1d09h: ISAKMP (16): SA has been authenticated with 209.146.47.206

1d09h: ISAKMP (16): beginning Quick Mode exchange, M-ID of 102008272

1d09h: IPSEC(key_engine): got a queue event...

1d09h: IPSEC(spi_response): getting spi 207749755ld for SA

from 209.146.47.206 to 205.136.238.33 for prot 3

1d09h: generate hmac context for conn id 16

1d09h: generate hmac context for conn id 16

1d09h: ISAKMP (16): processing SA payload. message ID = 102008272

1d09h: ISAKMP (16): Checking IPSec proposal 1

1d09h: ISAKMP: transform 1, ESP_DES

1d09h: ISAKMP: attributes in transform:

1d09h: ISAKMP: encaps is 1

1d09h: ISAKMP: SA life type in seconds

1d09h: ISAKMP: SA life duration (basic) of 3600

1d09h: ISAKMP: SA life type in kilobytes

1d09h: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0

1d09h: ISAKMP (16): atts are acceptable.

1d09h: IPSEC(validate_proposal_request): proposal part #1,

(key eng. msg.) dest= 209.146.47.206, src= 205.136.238.33,

dest_proxy= 10.146.1.0/255.255.255.0/0/0 (type=4),

src_proxy= 205.136.238.0/255.255.255.0/0/0 (type=4),

protocol= ESP, transform= esp-des ,

lifedur= 0s and 0kb,

spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4

1d09h: ISAKMP (16): processing NONCE payload. message ID = 102008272

1d09h: ISAKMP (16): processing ID payload. message ID = 102008272

1d09h: ISAKMP (16): processing ID payload. message ID = 102008272

1d09h: generate hmac context for conn id 16

1d09h: ISAKMP (16): Creating IPSec SAs

1d09h: inbound SA from 209.146.47.206 to 205.136.238.33 (proxy 10.146.

1.0 to 205.136.238.0 )

1d09h: has spi 207749755 and conn_id 17 and flags 4

1d09h: lifetime of 3600 seconds

1d09h: lifetime of 4608000 kilobytes

1d09h: outbound SA from 205.136.238.33 to 209.146.47.206 (proxy 205.13

6.238.0 to 10.146.1.0 )

1d09h: has spi 440535111 and conn_id 18 and flags 4

1d09h: lifetime of 3600 seconds

1d09h: lifetime of 4608000 kilobytes

1d09h: IPSEC(key_engine): got a queue event...

1d09h: IPSEC(initialize_sas): ,

(key eng. msg.) dest= 205.136.238.33, src= 209.146.47.206,

dest_proxy= 205.136.238.0/255.255.255.0/0/0 (type=4),

src_proxy= 10.146.1.0/255.255.255.0/0/0 (type=4),

protocol= ESP, transform= esp-des ,

lifedur= 3600s and 4608000kb,

spi= 0xC62027B(207749755), conn_id= 17, keysize= 0, flags= 0x4

1d09h: IPSEC(initialize_sas): ,

(key eng. msg.) src= 205.136.238.33, dest= 209.146.47.206,

src_proxy= 205.136.238.0/255.255.255.0/0/0 (type=4),

dest_proxy= 10.146.1.0/255.255.255.0/0/0 (type=4),

protocol= ESP, .transform= esp-des ,

lifedur= 3600s and 4608000kb,

spi= 0x1A420847(440535111), conn_id= 18, keysize= 0, flags= 0x4

1d09h: IPSEC(create_sa): sa created,

(sa) sa_dest= 205.136.238.33, sa_prot= 50,

sa_spi= 0xC62027B(207749755),

sa_trans= esp-des , sa_conn_id= 17

1d09h: IPSEC(create_sa): sa created, (sa) sa_dest= 209.146.47.206, sa_prot= 50,

sa_spi= 0x1A420847(440535111),

sa_trans= esp-des , sa_conn_id= 18!!!!!!!!

Success rate is 80 percent (8/10), round-trip

min/avg/max = 180/185/205 ms

irmg.cayman#sh crypto engine conn ac

ID Interface IP-Address State Algorithm Encrypt decrypt

16 no idb no address set DES_56_CBC 0 0

17 Se0/0.1 205.136.238.33 set DES_56_CBC 0 8

18 Se0/0.1 205.136.238.33 set DES_56_CBC 8 0

irmg.cayman#sh crypto isa sa

dst src state conn-id slot

209.146.47.206 205.136.238.33 QM_IDLE 16 0

irmg.cayman#sh crypto ipsec sa

interface: Serial0/0.1

Crypto map tag: charlie2peer, local addr. 205.136.238.33

local ident (addr/mask/prot/port): (205.136.238.0/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (10.146.1.0/255.255.255.0/0/0)

current_peer: 209.146.47.206

PERMIT, flags={origin_is_acl,}

#pkts encaps: 8, #pkts encrypt: 8, #pkts digest 0

#pkts decaps: 8, #pkts decrypt: 8, #pkts verify 0

#send errors 2, #recv errors 0

local crypto endpt.: 205.136.238.33, remote crypto endpt.: 209.146.47.206

path mtu 1500, media mtu 1500

current outbound spi: 1A420847

inbound esp sas:

spi: 0xC62027B(207749755)

transform: esp-des ,

in use settings ={Tunnel, }

slot: 0, conn id: 17, crypto map: charlie2peer

sa timing: remaining key lifetime (k/sec): (4607998/3455)

IV size: 8 bytes

replay detection support: N

inbound ah sas:

outbound esp sas:

spi: 0x1A420847(440535111)

transform: esp-des ,

in use settings ={Tunnel, }

slot: 0, conn id: 18, crypto map: charlie2peer

sa timing: remaining key lifetime (k/sec): (4607999/3446)

IV size: 8 bytes

replay detection support: N

outbound ah sas:

irmg.cayman#sh ru

Building configuration...

Current configuration:

hostname irmg.cayman

crypto isakmp policy 1

hash md5

authentication pre-share

crypto isakmp key orientexpress address 209.146.47.206

crypto ipsec transform-set encrypt-des esp-des

crypto map charlie2peer local-address Ethernet0/0

crypto map charlie2peer 10 ipsec-isakmp

set peer 209.146.47.206

set transform-set encrypt-des

match address 110

interface Ethernet0/0

description connected to EthernetLAN

ip address 205.136.238.33 255.255.255.224

no ip directed-broadcast

no keepalive

interface Serial0/0

no ip address

no ip directed-broadcast

encapsulation frame-relay

no ip route-cache

no ip mroute-cache

frame-relay lmi-type ansi

!

interface Serial0/0.1 point-to-point

description connected to Internet

ip unnumbered Ethernet0/0

no ip directed-broadcast

no ip route-cache

no ip mroute-cache

bandwidth 64

frame-relay interface-dlci 16 IETF

crypto map charlie2peer

ip classless

ip route 0.0.0.0 0.0.0.0 Serial0/0.1

access-list 110 permit ip 205.136.238.0 0.0.0.255 10.146.1.0 0.0.0.255

Common IPSec Error Messages

Table 3-2 shows some common IPSec error messages, reasons for them, as well as possible solutions.

Table 3-2 Common IPSec Error Messages 

Message	Reason	Solution
invalid local address 1.2.3.4 no IPSEC cryptomap exists for local address 1.2.3.4	The specified address is not one of our local IPSec addresses.	Check to see if the outgoing interfaces address has been specified on the peer as peer id. Check peer id address for error. Use the crypto map local address command.
proxy identities not supported	The flow identities do not match a crypto map ACL permit statement.	The address being pinged is not included in the match address access-list. Change the access-list. Use reflected access-lists on the two ends of the tunnel.
atts are not acceptable. Next payload is 0 no offers accepted! SA not acceptable! %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Main Mode failed with peer at 155.0.0.1	The polices and configurations on the two peers do not match.	Check to make sure that the policies configured on the two ends of the tunnel are correct and correlate.
reserved no zero on payload 5! %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 155.0.0.1 failed its sanity check or is malformed	The encryption keys on the two ends do not match.	Check to make sure that the preshared keys are correctly configured. Regenerate RSA encrypted keys.
Rec'd packet not an IPSEC packet. (ip) dest_addr= 1.2.3.4, src_addr= 2.3.4.5, prot= 1	An incoming packet matched the match address access list but was not encrypted. Due to security concerns such packets are dropped.	Check to make sure that the routing between the two routers is correct (that is, packets are being sent between the interfaces doing encryption). Verfiy NAT is not occurring for IPSEC traffic.
		Do not use match address access list with any any. Turn off fast switching. Some Cisco IOS software versions issue a bug if partial subnets are configured in the match address access list.
ISAKMP (0:1): SA is still budding. Attached new ipsec request to it.	Indicates IPSec has sent another request to IKE to create SAs on its behalf; however, IKE is in the process of fulfilling a similar request. Thus, IKE attaches the new request to the SA-negotiation already in progress.	This is an informational message and does not necessarily signify an error.
ISAKMP (0:1): deleting node-45086069 error FALSE [reason]	Indicates that a memory structure that is not needed has been cleared during normal housekeeping. The error False portion of this message indicates that an error has not occurred; an error True portion of this message would indicate that a memory structure that is not needed has been cleared, but an error has occurred.	—
%CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSec packet has invalid spi for destaddr=16.0.0.3, prot=50, spi=0xdeadbeef.	Indicates that the IPSec SAs between router A and router B are out of sync. This can occur if router A has cleared its IPSec SAs but router B has not. Thus, when router B attempts to send encrypted traffic corresponding to the SAs, router A drops the packet and reports this message.	This is an informational message and does not necessarily signify an error.
ISAKMP (0:2): deleting SA reason "P1 delete notify (in)" state (I) CONF_ADDR (peer 10.13.1.21) input queue 0	Indicates that the IKE SA with the connection ID 2 has been deleted. P1 delete notify indicates that the router received a phase 1 delete notification from its peer. The (I) (in 'state') means that the router was the initiator for this SA; an (R) would mean that the responder was the initiator. This message also indicates the peer IP address.	—
ISAKMP (0:2): Notify has no hash. Rejected	Indicates that the notify message received from the peer lacked a valid hash. This means that the notify message was not authenticated. For security reasons, this message is ignored.	—
IPSEC(validate_proposal): invalid local address 12.2.6.2 ISAKMP (0:3): atts not acceptable. Next payload is 0 ISAKMP (0:3): SA not acceptable!	This error message is attributed to one of the following two common problems: •The crypto map map-name local-address interface-id command causes the router to use an incorrect address as the identity because it forces the router to use a specified address. •Crypto map is applied to the incorrect interface or, it is not applied at all.	Check the configuration to ensure that crypto map is applied to the correct interface.
1d00H:%CRPTO-4-IKMP_BAD_MESSAGE: IKE message from 150.150.150.1 failed its sanity check or is malformed	The preshared key on the peers do not match.	Check the preshared key on both sides.
1d00h: ISAKMP (0:1): atts are not acceptable. Next payload is 0 1d00h: ISAKMP (0:1); no offers accepted! 1d00h: ISAKMP (0:1): SA not acceptable! 1d00h: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Main Mode failed with peer at 150.150.150.1	This is an example of the Main Mode error message. The failure of Main Mode suggests that the phase I policy does not match on both sides.	Verify that the phase I policy is on both peers and ensure that all the attributes match, for example: Encryption DES or 3DES Hash MD5 or SHA Diffie-Hellman Group 1 or 2 Authentcation {rsa-sig | rsa-encr | pre-share
1d00h: IPSec(validate_transform_proposal): proxy identities not supported 1d00h: ISAKMP: IPSec policy invalidated proposal 1d00h: ISAKMP (0:2): SA not acceptable!	The message appears in debugs if the access-list for IPSec traffic does not match.	The access-list on each peer should mirror each other (all entries should be reversible). See below: Peer A access-list 150 permit ip 172.21.113.0 0.0.0.255 172.21.114.0 0.0.0.255 access-list 150 permit ip host 15.15.15.1 host 172.21.114.123 Peer B access-list 150 permit ip 172.21.114.0 0.0.0.255 172.21.113.0 0.0.0.255 access-list 150 permit ip host 172.21.114.123 host 15.15.15.1
1d00h: IPSec (validate_proposal): transform proposal (port 3, trans 2, hmac_alg 2) not supported 1d00h: ISAKMP (0:2) : atts not acceptable. Next payload is 0 1d00h: ISAKMP (0:2) SA not acceptable	Indicates the Phase II (IPSec) does not match on both sides.	Occurs if there is a mismatch in the transform-set. Verify that the transform-set matches on both sides: crypto ipsec transform-set transform-set-name transform1 [transform2 [transform3]] ? ah-md5-hmac ? ah-sha-hmac ? esp-des ? esp-des and esp-md5-hmac ? esp-des and esp-sha-hmac ? esp-3des and esp-md5-hmac ? esp-3des and esp-sha-hmac ? comp-lzs
1d00h: ISAKMP: No cert, and no keys (public or pre-shared) with remote peer 150.150.150.2	Indicates that the peer address configured on the router is incorrect or has changed.	Verify that the peer address is correct and reachable.
20:44:44: IPSEC(validate_proposal_request): proposal part #1, (key eng. msg.) dest= 194.70.240.150, src= 198.174.236.6, dest_proxy= 10.0.0.76/255.255.255.255/0/0 (type=1), src_proxy= 198.174.238.203/255.255.255.255/0/0 (type=1), protocol= ESP, transform= esp-3des esp-md5-hmac , lifedur= 0s and 0kb, spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4 20:44:44: IPSEC(validate_transform_proposal): peer address 198.174.236.6 not found	Normally appears with the corresponding Cisco VPN 3000 concentrator message: No proposal chosen(14). This is a result of the connections being host-to-host. The router configuration had the IPSec proposals ordered so that the proposal chosen for the router matched the access-list, but not the peer. The access-list had a larger network that included the host that was intersecting traffic.	Make the router proposal for this concentrator-to-router connection first in line, so that it matches the specific host first.
21:57:57: IPSEC(validate_proposal_request): proposal part #1, (key eng. msg.) dest= 192.1.1.1, src= 192.1.1.2, dest_proxy= 10.1.1.1/255.255.255.0/0/0 (type=4), src_proxy= 20.1.1.1/255.255.255.0/0/0 (type=4)	The debug command output of this proposal request shows the corresponding access-list 103 permit ip 10.1.1.0 0.0.0.255 20.1.1.0 0.0.0.255 does not match. The access-list is network specific on one end and host specific on the other.	Match access lists.
21:57:57: IPSEC(initialize_sas): invalid proxy IDs	Indicates that the received proxy identity does not match the configured proxy identity as per the access-list.	Check to ensure that the received proxy identity and the configured proxy identity both match by checking the output from the debug command.

Common IPSec Issues

This section shows samples of the following common IPSec issues:

• Mismatch in Phase 1 Policy Parameters

• No Preshared Key for the Peer

• Incorrect Preshared Key

• No Matching Peer

• Mismatched Transform Sets

• Crypto Map Not Applied to Interface

• Incorrect Access List—Mismatched Proxies

• Nonmatching VPN Group for VPN Clients

• Failed Authentication—XAUTH for VPN Clients

• Incorrect Pool Definition for VPN Clients

• Incompatible ISAKMP Policy or Preshared Secrets

• Incompatible or Incorrect Access Lists

• Crypto Map on Incorrect Interface

• Incorrect SA Selection by the Router

• Routing Establishment

Mismatch in Phase 1 Policy Parameters

*Nov 17 16:52:03.373: ISAKMP (0:3): Checking ISAKMP transform 1 against priority 1 policy

*Nov 17 16:52:03.373: ISAKMP: encryption 3DES-CBC

*Nov 17 16:52:03.373: ISAKMP: hash MD5

*Nov 17 16:52:03.373: ISAKMP: default group 1

*Nov 17 16:52:03.373: ISAKMP: auth pre-share

*Nov 17 16:52:03.373: ISAKMP: life type in seconds

*Nov 17 16:52:03.373: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80

*Nov 17 16:52:03.373: ISAKMP (0:3): Hash algorithm offered does not match policy!

*Nov 17 16:52:03.373: ISAKMP (0:3): atts are not acceptable. Next payload is 0

*Nov 17 16:52:03.373: ISAKMP (0:3): Checking ISAKMP transform 1 against priority 65535 policy

*Nov 17 16:52:03.373: ISAKMP: encryption 3DES-CBC

*Nov 17 16:52:03.373: ISAKMP: hash MD5

*Nov 17 16:52:03.373: ISAKMP: default group 1

*Nov 17 16:52:03.373: ISAKMP: auth pre-share

*Nov 17 16:52:03.373: ISAKMP: life type in seconds

*Nov 17 16:52:03.373: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80

*Nov 17 16:52:03.373: ISAKMP (0:3): Encryption algorithm offered does not match policy!

*Nov 17 16:52:03.373: ISAKMP (0:3): atts are not acceptable. Next payload is 0

*Nov 17 16:52:03.373: ISAKMP (0:3): no offers accepted!

*Nov 17 16:52:03.373: ISAKMP (0:3): phase 1 SA not acceptable!

No Preshared Key for the Peer

*Nov 19 13:12:00.562: ISAKMP (0:3): processing SA payload. message ID = 0

*Nov 19 13:12:00.562: ISAKMP (0:3): No pre-shared key with 20.1.1.1!

*Nov 19 13:12:00.562: ISAKMP (0:3): Checking ISAKMP transform 1 against priority 1 policy

*Nov 19 13:12:00.562: ISAKMP: encryption 3DES-CBC

*Nov 19 13:12:00.562: ISAKMP: hash SHA

*Nov 19 13:12:00.562: ISAKMP: default group 1

*Nov 19 13:12:00.562: ISAKMP: auth pre-share

*Nov 19 13:12:00.562: ISAKMP: life type in seconds

*Nov 19 13:12:00.562: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80

*Nov 19 13:12:00.562: ISAKMP (0:3): Preshared authentication offered but does not match policy!

*Nov 19 13:12:00.562: ISAKMP (0:3): atts are not acceptable. Next payload is 0

*Nov 19 13:12:00.562: ISAKMP (0:3): Checking ISAKMP transform 1 against priority 65535 policy

*Nov 19 13:12:00.562: ISAKMP: encryption 3DES-CBC

*Nov 19 13:12:00.562: ISAKMP: hash SHA

*Nov 19 13:12:00.562: ISAKMP: default group 1

*Nov 19 13:12:00.562: ISAKMP: auth pre-share

*Nov 19 13:12:00.562: ISAKMP: life type in seconds

*Nov 19 13:12:00.562: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80

*Nov 19 13:12:00.562: ISAKMP (0:3): Encryption algorithm offered does not match policy!

*Nov 19 13:12:00.562: ISAKMP (0:3): atts are not acceptable. Next payload is 0

*Nov 19 13:12:00.562: ISAKMP (0:3): no offers accepted!

Incorrect Preshared Key

*Nov 19 13:14:51.946: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 20.1.1.1 failed its sanity check or is malformed

No Matching Peer

*Nov 17 16:58:51.789: ISAKMP (0:1): Checking IPSec proposal 1

*Nov 17 16:58:51.789: ISAKMP: transform 1, ESP_3DES

*Nov 17 16:58:51.789: ISAKMP: attributes in transform:

*Nov 17 16:58:51.789: ISAKMP: encaps is 1

*Nov 17 16:58:51.789: ISAKMP: SA life type in seconds

*Nov 17 16:58:51.789: ISAKMP: SA life duration (basic) of 3600

*Nov 17 16:58:51.789: ISAKMP: SA life type in kilobytes

*Nov 17 16:58:51.789: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0

*Nov 17 16:58:51.789: ISAKMP: authenticator is HMAC-SHA

*Nov 17 16:58:51.789: IPSEC(validate_proposal): peer address 20.1.1.1 not found

*Nov 17 16:58:51.789: ISAKMP (0:1): atts not acceptable. Next payload is 0

*Nov 17 16:58:51.789: ISAKMP (0:1): phase 2 SA not acceptable!

Mismatched Transform Sets

*Nov 17 17:03:41.457: ISAKMP (0:2): Checking IPSec proposal 1

*Nov 17 17:03:41.457: ISAKMP: transform 1, ESP_3DES

*Nov 17 17:03:41.457: ISAKMP: attributes in transform:

*Nov 17 17:03:41.457: ISAKMP: encaps is 1

*Nov 17 17:03:41.457: ISAKMP: SA life type in seconds

*Nov 17 17:03:41.457: ISAKMP: SA life duration (basic) of 3600

*Nov 17 17:03:41.457: ISAKMP: SA life type in kilobytes

*Nov 17 17:03:41.457: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0

*Nov 17 17:03:41.457: ISAKMP: authenticator is HMAC-SHA

*Nov 17 17:03:41.457: IPSEC(validate_proposal): transform proposal (prot 3, trans 3, hmac_alg 2) not

supported

*Nov 17 17:03:41.457: ISAKMP (0:2): atts not acceptable. Next payload is 0

*Nov 17 17:03:41.457: ISAKMP (0:2): phase 2 SA not acceptable!

Crypto Map Not Applied to Interface

*Nov 17 17:07:38.289: ISAKMP (0:3): Checking IPSec proposal 1

*Nov 17 17:07:38.289: ISAKMP: transform 1, ESP_3DES

*Nov 17 17:07:38.289: ISAKMP: attributes in transform:

*Nov 17 17:07:38.289: ISAKMP: encaps is 1

*Nov 17 17:07:38.289: ISAKMP: SA life type in seconds

*Nov 17 17:07:38.289: ISAKMP: SA life duration (basic) of 3600

*Nov 17 17:07:38.289: ISAKMP: SA life type in kilobytes

*Nov 17 17:07:38.289: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0

*Nov 17 17:07:38.289: ISAKMP: authenticator is HMAC-SHA

*Nov 17 17:07:38.289: IPSEC(validate_proposal): invalid local address 30.1.1.2

*Nov 17 17:07:38.289: ISAKMP (0:3): atts not acceptable. Next payload is 0

*Nov 17 17:07:38.289: ISAKMP (0:3): phase 2 SA not acceptable!

Incorrect Access List—Mismatched Proxies

*Nov 17 17:14:07.505: IPSEC(validate_proposal_request): proposal part #1,

(key eng. msg.) INBOUND local= 30.1.1.2, remote= 20.1.1.1,

local_proxy= 101.1.2.0/255.255.255.0/0/0 (type=4),

remote_proxy= 101.1.1.0/255.255.255.0/0/0 (type=4),

protocol= ESP, transform= esp-3des esp-sha-hmac ,

lifedur= 0s and 0kb,

spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4

*Nov 17 17:14:07.505: IPSEC(validate_transform_proposal): proxy identities not supported

*Nov 17 17:14:07.505: ISAKMP (0:4): IPSec policy invalidated proposal

*Nov 17 17:14:07.505: ISAKMP (0:4): phase 2 SA not acceptable!

Nonmatching VPN Group for VPN Clients

*Nov 19 16:29:46.389: AAA: parse name=ISAKMP-ID-AUTH idb type=-1 tty=-1

*Nov 19 16:29:46.389: AAA/MEMORY: create_user (0x63D75E28) user='ezvpn' ruser='NULL' ds0=0

port='ISAKMP-ID-AUTH' rem_addr='50.1.1.1' authen_type=NONE service=LOGIN priv=0 initial_task_id='0'

*Nov 19 16:29:46.389: ISAKMP (0:5): Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH

*Nov 19 16:29:46.389: ISAKMP (0:5): Old State = IKE_READY New State = IKE_R_AM_AAA_AWAIT

*Nov 19 16:29:46.389: ISAKMP-ID-AUTH AAA/AUTHOR/CRYPTO AAA(1787711329): Port='ISAKMP-ID-AUTH'

list='localist' service=NET

*Nov 19 16:29:46.389: AAA/AUTHOR/CRYPTO AAA: ISAKMP-ID-AUTH(1787711329) user='ezvpn'

*Nov 19 16:29:46.389: ISAKMP-ID-AUTH AAA/AUTHOR/CRYPTO AAA(1787711329): send AV service=ike

*Nov 19 16:29:46.389: ISAKMP-ID-AUTH AAA/AUTHOR/CRYPTO AAA(1787711329): send AV

protocol=ipsec

*Nov 19 16:29:46.389: ISAKMP-ID-AUTH AAA/AUTHOR/CRYPTO AAA(1787711329): found list "localist"

*Nov 19 16:29:46.389: ISAKMP-ID-AUTH AAA/AUTHOR/CRYPTO AAA(1787711329): Method=LOCAL

*Nov 19 16:29:46.389: AAA/AUTHOR/IKMP/LOCAL: group ezvpn does not exist

*Nov 19 16:29:46.389: AAA/AUTHOR (1787711329): Post authorization status = ERROR

Failed Authentication—XAUTH for VPN Clients

Undefined user:

*Nov 19 16:36:18.829: AAA/AUTHEN(2414480242): Status=GETPASS

*Nov 19 16:36:18.829: AAA/AUTHEN/CONT (2414480242): Method=LOCAL

*Nov 19 16:36:18.829: AAA/AUTHEN(2414480242): User not found

*Nov 19 16:36:18.829: AAA/AUTHEN(2414480242): Status=FAIL




Incorrect password:

*Nov 19 16:38:50.373: AAA/AUTHEN(243054726): Status=GETPASS

*Nov 19 16:38:50.373: AAA/AUTHEN/CONT (243054726): Method=LOCAL

*Nov 19 16:38:50.373: AAA/AUTHEN(243054726): password incorrect

*Nov 19 16:38:50.373: AAA/AUTHEN(243054726): Status=FAIL

Incorrect Pool Definition for VPN Clients

*Nov 19 16:58:05.573: ISAKMP: Config payload REQUEST

*Nov 19 16:58:05.573: ISAKMP (0:1): checking request:

*Nov 19 16:58:05.573: ISAKMP: IP4_ADDRESS

*Nov 19 16:58:05.573: ISAKMP: IP4_NETMASK

*Nov 19 16:58:05.573: ISAKMP: IP4_DNS

*Nov 19 16:58:05.573: ISAKMP: IP4_DNS

*Nov 19 16:58:05.573: ISAKMP: IP4_NBNS

*Nov 19 16:58:05.573: ISAKMP: IP4_NBNS

*Nov 19 16:58:05.573: ISAKMP: SPLIT_INCLUDE

*Nov 19 16:58:05.573: ISAKMP: DEFAULT_DOMAIN

*Nov 19 16:58:05.573: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_CFG_REQ

*Nov 19 16:58:05.573: ISAKMP (0:1): Old State = IKE_P1_COMPLETE New State

_CONFIG_AUTHOR_AAA_AWAIT

*Nov 19 16:58:05.573: ISAKMP: got callback 1

*Nov 19 16:58:05.573: ISAKMP (0:1): attributes sent in message:

*Nov 19 16:58:05.573: Address: 0.2.0.0

*Nov 19 16:58:05.573: ISAKMP (0:1): Could not get address from pool!

*Nov 19 16:58:05.573: ISAKMP: Unknown Attr: IP4_NETMASK (0x2)

Incompatible ISAKMP Policy or Preshared Secrets

If no ISAKMP policies configured match, or if no preshared key for the negotiating peer is configured, the router tries the default policy (65535); if that does not match it fails ISAKMP negotiation.

A show crypto isakmp sa command shows the ISAKMP SA to be in MM_NO_STATE, meaning the main-mode failed:

ISAKMP (17): processing SA payload. Message ID = 0

ISAKMP (17): Checking ISAKMP transform 1 against priority 10 policy

encryption DES-CBC

hash SHA

default group 1

auth pre-share

ISAKMP (17): Checking ISAKMP transform 1 against priority 65535 policy

encryption DES-CBC

hash SHA

default group 1

auth pre-share

ISAKMP (17): atts are not acceptable. Next payload is 0

ISAKMP (17); no offers accepted!

ISAKMP (17): SA not acceptable!

%CRYPTO-6-IKMP_MODE_FAILURE: Processing of Main Mode failed with peer

at 155.0.0.1




If the preshared secrets are not the same on both sides, the negotiation fails again, with the router complaining about sanity check failed. A show crypto isakmp sa command shows the ISAKMP SA to be in MM_NO_STATE, meaning the main mode failed:

ISAKMP (62): processing SA payload. message ID = 0

ISAKMP (62): Checking ISAKMP transform 1 against priority 10 policy

encryption DES-CBC

hash SHA

default group 1

auth pre-share

ISAKMP (62): atts are acceptable. Next payload is 0

ISAKMP (62): SA is doing preshared key authentication

ISAKMP (62): processing KE payload. message ID = 0

ISAKMP (62): processing NONCE payload. message ID = 0

ISAKMP (62): SKEYID state generated

ISAKMP (62); processing vendor id payload

ISAKMP (62): speaking to another IOS box!

ISAKMP: reserved no zero on payload 5!

%CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 155.0.0.1 failed its

sanity check or is malformed

Incompatible or Incorrect Access Lists

If the access lists on the two routers do not match or at least overlap, INVALID PROXY IDS or PROXY IDS NOT SUPPORTED results. It is recommended that access lists on the two routers be `reflections' of each other. It is also recommended that you do not use the key word "any" in match address access lists.

3d00h: IPSec(validate_proposal_request): proposal part #1,

(key eng. msg.) dest= 172.16.171.5, src= 172.16.171.27,

dest_proxy= 172.16.171.5/255.255.255.255/0/0 (type=1),

src_proxy= 172.16.171.27/255.255.255.255/0/0 (type=1),

protocol= ESP, transform= esp-des esp-sha-hmac ,

lifedur= 0s and 0kb,

spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4

3d00h: validate proposal request 0

3d00h: IPSec(validate_transform_proposal): proxy identities not supported

3d00h: ISAKMP (0:3): IPSec policy invalidated proposal

3d00h: ISAKMP (0:3): phase 2 SA not acceptable!




Access List:

access list 110 permit ip host 172.16.171.5 host 172.16.171.30

Crypto Map on Incorrect Interface

The crypto map needs to be applied to the outgoing interface of the router. If you do not want to use the outside interface's IP as the local ID, use the crypto map local address command to specify the correct interface.

If there are physical as well as logical interfaces involved in carrying outgoing traffic, you must apply the crypto map to both.

Incorrect SA Selection by the Router

If there are multiple peers to a router, make sure that the match address access lists for each of the peers are mutually exclusive from the match address access list for the other peers.

If this is not done, the router chooses the incorrect crypto map to try to establish a tunnel with one of the peers.

Identity doesn't match negotiated identity

(ip) dest_addr= 1.2.3.4, src_addr= 2.3.4.5, prot= 1

(ident) local=5.5.5.5, remote=6.6.6.6

local_proxy=1.2.3.5/255.255.255.255/0/0,

remote_proxy=2.3.4.5/255.255.255.255/0/0




Access list for 5.6.7.8:

Access-list 100 permit ip host 1.2.3.5 host 5.6.7.9

Access-list 100 permit ip host 1.2.3.5 host 2.3.4.5




Access list for 1.2.3.4:

Access-list 110 permit ip host 1.2.3.5 host 2.3.4.5

Routing Establishment

A packet needs to be routed to the interface which has the crypto map configured on it before IPSec successfully starts.

Routes need to be established not only for the router to reach its peers address but also for the IP subnets in the packets after they are decrypted.

Use the debug ip packet detailed command to see if the routing is occurring correctly.

---

Note Different switching methods use completely different code paths. It is possible to have one switching method break IPSec and another function correctly. Try a different switching path (cef, fast switching, process switching) if you are running into an obscure problem.

---

Troubleshooting Tunnel Establishment

The following paragraphs provide information about troubleshooting IPSec tunnel establishment.

Interesting Traffic Received

The ping source and destination addresses matched the match address access list for the crypto map multipeer.

05:59:42: IPSec(sa_request): ,

(key eng. msg.) src= 172.21.114.123,

dest= 172.21.114.68,




The `src' is the local tunnel end-point, the `dest' is the remote crypto end point as configured in the map.

src_proxy= 172.21.114.123/255.255.255.255/0/0 (type=1),

dest_proxy= 172.21.114.68/255.255.255.255/0/0 (type=1),

The src proxy is the src interesting traffic as defined by the match address access list; The dst proxy is the destination interesting traffic as defined by the match address access list

protocol= ESP, transform= esp-des esp-md5-hmac ,

lifedur= 3600s and 4608000kb,




The protocol and the transforms are specified by the active crypto map, as are the lifetimes.

spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4004

05:59:42: ISAKMP (1): beginning Main Mode exchange.....




Note that the SPI is still 0; the main mode of negotiation is being started.

Main Mode IKE Negotiation

05:59:51: ISAKMP (1): processing SA

payload. message ID = 0

05:59:51: ISAKMP (1): Checking ISAKMP

transform 1 against

priority 10 policy




Policy 10 is the only isakmp policy configured on the router.

05:59:51: ISAKMP: encryption DES-CBC

05:59:51: ISAKMP: hash SHA

05:59:51: ISAKMP: default group 1

05:59:51: ISAKMP: auth pre-share




These are the isakmp attributes being offered by the other side.

05:59:51: ISAKMP (1): atts are acceptable. Next payload is 0




The policy 10 on this router and the atts offered by the other side matched.

05:59:53: ISAKMP (1): SA is doing preshared key authentication




Preshared key authentication now begins.

ISAKMP Authentication

05:59:53: ISAKMP (1): processing KE payload. message ID = 0

05:59:55: ISAKMP (1): processing NONCE payload. message ID =0




Nonce from the far end is being processed.

05:59:55: ISAKMP (1): SKEYID state generated

05:59:55: ISAKMP (1): processing ID payload. message ID = 0

05:59:55: ISAKMP (1): processing HASH payload. message ID = 0

05:59:55: ISAKMP (1): SA has been authenticated




Preshared authentication has succeeded; the ISAKMP SA has been successfully negotiated.

Quick Mode Negotiation

Quick mode starts and the IPSec SA negotiations begin; ISAKMP negotiates for IPSec as well.

ISAKMP (1): beginning Quick Mode exchange, M-ID of 132876399

IPSec(key_engine): got a queue event...

IPSec(spi_response): getting spi 600837116ld for SA from 172.21.114.68 to 172.21.114.123 for prot 3




ISAKMP gets the SPI from the IPSec routine to offer to the far side.

ISAKMP (1): processing SA payload. message ID = 132876399

ISAKMP (1): Checking IPSec proposal 1




ISAKMP processes the IPSec attributes offered by the remote end:

SAKMP: transform 1, ESP_DES




This is the protocol offered by the remote end in accordance with its transform set.

ISAKMP: attributes in transform:

ISAKMP: encaps is 1

ISAKMP: SA life type in seconds

ISAKMP: SA life duration (basic) of 3600

ISAKMP: SA life type in kilobytes

ISAKMP: SA life duration (VPI) of

0x0 0x46 0x50 0x0

ISAKMP: authenticator is HMAC-MD5




This is the payload authentication hash offered by the remote end in accordance with it s transform set.

ISAKMP (1): atts are acceptable.




The IPSec SA is now successfully negotiated. ISAKMP enters a state known as QM-IDLE.

IPSec SA Establishment

05:59:55: IPSec(validate_proposal_

request): proposal part #1,

(key eng. msg.) dest= 172.21.114.68,

src= 172.21.114.123,

dest_proxy= 172.21.114.68/255.255.

255.255/0/0 (type=1),

src_proxy= 172.21.114.123/255.255.255.255/0/0 (type=1),

protocol= ESP, transform= esp-des esp-md5-hmac ,

lifedur= 0s and 0kb,

spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4




ISAMKP asks the IPSec routine to validate the IPSec proposal that it has negotiated with the remote side.

05:59:55: ISAKMP (1): Creating IPSec SAs

05:59:55: inbound SA from 172.21.114.68 to 172.21.114.123

(proxy 172.21.114.68 to 172.21.114.123 )

05:59:55: has spi 600837116 and conn_id 2 and flags 4

05:59:55: lifetime of 3600 seconds

05:59:55: lifetime of 4608000 kilobytes

05:59:55: outbound SA from 172.21.114.123 to 172.21.114.68

(proxy 172.21.114.123 to 172.21.114.68 )

05:59:55: has spi 130883577 and conn_id 3 and flags 4

05:59:55: lifetime of 3600 seconds

05:59:55: lifetime of 4608000 kilobytes




Two IPSec SAs are negotiated; an incoming SA with the SPI generated by the local machine and an outbound SA with the SPIs proposed by the remote end. Crypto engine entries have been created.

The ISAKMP routine informs the IPSec routine of the IPSec SA so that the SADB can be populated:

05:59:55: IPSec(initialize_sas): ,

(key eng. msg.) dest= 172.21.114.123, src= 172.21.114.68,

dest_proxy= 172.21.114.123/255.255.255.255/0/0 (type=1),

src_proxy= 172.21.114.68/255.255.255.255/0/0 (type=1),

protocol= ESP, transform= esp-des esp-md5-hmac ,

lifedur= 3600s and 4608000kb,

spi= 0x23D00BFC(600837116), conn_id= 2, keysize= 0, flags= 0x4

05:59:56: IPSec(initialize_sas): ,

(key eng. msg.) src= 172.21.114.123, dest= 172.21.114.68,

src_proxy= 172.21.114.123/255.255.255.255/0/0 (type=1),

dest_proxy= 172.21.114.68/255.255.255.255/0/0 (type=1),

protocol= ESP, transform= esp-des esp-md5-hmac ,

lifedur= 3600s and 4608000kb,

spi= 0x7CD1FF9(130883577), conn_id= 3, keysize= 0, flags= 0x4




The IPSec routine populates the SADB with the IPSec entries:

05:59:56: IPSec(create_sa): sa created,

(sa) sa_dest= 172.21.114.123, sa_prot= 50,

sa_spi= 0x23D00BFC(600837116),

sa_trans= esp-des esp-md5-hmac , sa_conn_id= 2

05:59:56: IPSec(create_sa): sa created,

(sa) sa_dest= 172.21.114.68, sa_prot= 50,

sa_spi= 0x7CD1FF9(130883577),

sa_trans= esp-des esp-md5-hmac , sa_conn_id= 3




The SADB is updated and the IPSec SAs is initialized. The tunnel is now fully functional.

Routing Issues

Before IPSec begins functioning, a packet must be routed to the interface which has the crypto map configured on it.

Routes are necessary for the router to reach its peers address and for the IP subnets in the packets after they have been decrypted.

Use the debug ip packet command to see if the routing is occurring correctly (be careful on busy networks).

Troubleshooting Example

Use Figure 3-1 for the following troubleshooting example.

Figure 3-1 Troubleshooting Flow

No Connectivity Between the Peers

Check if the peer address is reachable.

pe1#sh ip route 99.1.1.3

% Subnet not in table

pe1#sh ip bgp nei 99.1.1.3

BGP neighbor is 99.1.1.3, remote AS 100, internal link

BGP version 4, remote router ID 0.0.0.0

BGP state = Active

Should read:

pe1#sh ip bgp nei 99.1.1.3

BGP neighbor is 99.1.1.3, remote AS 100, internal link

BGP version 4, remote router ID 99.1.1.3

BGP state = Established, up for 00:01:38

---

Note To list routes in the global routing table use the sh ip route command. Use sh ip route vrf command for listing routes in a specific VRF. You can also use the sh ip bgp vpnv4 vrf command to check routes learned/advertised through BGP.

---

pe1#sh ip route vrf vpn1

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP

i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area

* - candidate default, U - per-user static route, o - ODR

P - periodic downloaded static route




Gateway of last resort is 30.1.1.1 to network 0.0.0.0

101.0.0.0/24 is subnetted, 2 subnets

S 101.1.1.0 [1/0] via 30.1.1.1

B 101.1.2.0 [200/0] via 99.1.1.3, 00:06:25

30.0.0.0/24 is subnetted, 1 subnets

C 30.1.1.0 is directly connected, FastEthernet2/0.1

S* 0.0.0.0/0 [1/0] via 30.1.1.1

pe1#sh ip bgp vpnv4 vrf vpn1

BGP table version is 5, local router ID is 99.1.1.1

Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,

r RIB-failure

Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight Path

Route Distinguisher: 100:1 (default for vrf vpn1)

*> 101.1.1.0/24 30.1.1.1 0 32768 ?

*>i101.1.2.0/24 99.1.1.3 0 100 0 ?

BGP Peer Miscommunication

A number of issues can arise if the VRF does not learn the BGP peer routes:

•Mismatch in route-target community strings for route import/export.

pe1#deb ip bgp up

BGP updates debugging is on

*Nov 18 13:33:47.756: BGP(2): 99.1.1.3 recv UPDATE w/ attr: nightspot 99.1.1.3, origin ?,

localpref 100, metric 0, extended community RT:200:1

*Nov 18 13:33:47.756: BGP(2): 99.1.1.3 rcvd 100:1:101.1.2.0/24 -- DENIED due to:

extended community not supported;




•Maximum number of route restrictions in the VRF.

ip vrf vpn1

rd 100:1

route-target export 100:1

route-target import 100:1

maximum routes 5 60

*Nov 18 14:16:40.356: BGP(2): Revise route installing 1 of 1 route for 1.1.1.0/24 -> 99.1.1.3

to vpn1 IP table

*Nov 18 14:16:40.356: BGP(2): Revise route installing 1 of 1 route for 2.1.1.0/24 -> 99.1.1.3

to vpn1 IP table

*Nov 18 14:16:40.356: %IPRT-3-ROUTELIMITEXCEEDED: IP routing table limit exceeded -

vpn1, 2.1.1.0/24




•Any kind of control information filtering based on AS_PATH, route-targets, or IP address.

Problems Forwarding Packets—Data Plane

Assuming that the route is in the VRF table, use the following checks to identify the problem:

---

Step 1 Verify the VPN labels on both the ends.

a. PE advertising the route.

pe3#sh mpls for vrf vpn1

Local Outgoing Prefix Bytes tag Outgoing Next Hop

tag tag or VC or Tunnel Id switched interface

17 Aggregate 101.1.2.0/24[V] 0

20 Aggregate 1.1.1.0/24[V] 0

21 Aggregate 2.1.1.0/24[V] 0




b. PE receiving the route.

pe1#sh ip bgp vpnv4 vrf vpn1 la

Network Next Hop In label/Out label

Route Distinguisher: 100:1 (vpn1)

1.1.1.0/24 99.1.1.3 nolabel/20

2.1.1.0/24 99.1.1.3 nolabel/21

101.1.1.0/24 30.1.1.1 19/nolabel

101.1.2.0/24 99.1.1.3 nolabel/17




Step 2 Verify that the CEF adjacency has been built out the correct interface.

pe1#sh ip cef vrf vpn1

Prefix Next Hop Interface

0.0.0.0/0 30.1.1.1 FastEthernet2/0.1

0.0.0.0/32 receive

1.1.1.0/24 125.1.10.1 FastEthernet2/1.1

2.1.1.0/24 125.1.10.1 FastEthernet2/1.1

30.1.1.0/24 attached FastEthernet2/0.1

30.1.1.0/32 receive

30.1.1.1/32 30.1.1.1 FastEthernet2/0.1

30.1.1.2/32 receive

30.1.1.255/32 receive

101.1.1.0/24 30.1.1.1 FastEthernet2/0.1

101.1.2.0/24 125.1.10.1 FastEthernet2/1.1

224.0.0.0/4 drop

224.0.0.0/24 receive

255.255.255.255/32 receive




Step 3 If this is in a controlled environment, then perform a debug mpls packet to verify MPLS packet switching on the PE in the MPLS to IP path.

*Nov 18 17:46:12.023: MPLS: Fa2/1.1: recvd: CoS=0, TTL=254, Label(s)=19

*Nov 18 17:46:12.023: MPLS: Fa2/0.1: xmit: (no label)




Step 4 Check for any kind of data traffic filtering at the egress/ingress PEs.

Step 5 CEF related packet drops can be troubleshot using show cef drop and debug ip cef drop.

---

Troubleshooting Tips

•Keep things simple (for example, mode config and xauth); use preshare; work your way up the feature list.

•Start from one host behind Cisco to one host behind the other device.

•Try to establish the connection from both sides; there might be issues starting it in a particular direction.

•Configure the two ends side by side.

•Make sure life time entries are matching both ends.

•Try transport mode if tunnel mode does not work.

•Remember that Cisco does not initiate aggressive mode but does accept it.

•In the current releases of the solution a default route (or a route to the endpoint) is needed both in the global as well as VRF routing table for endpoint reachability. Lack of global route will lead to IKE negotiation right away characterized by retransmissions in MM_SA_SETUP state.

*Nov 18 18:04:54.559: ISAKMP (0:2): sending packet to 20.1.1.1 (R) MM_SA_SETUP

*Nov 18 18:04:54.559: ISAKMP (0:2): Input = IKE_MESG_INTERNAL,

IKE_PROCESS_COMPLETE

*Nov 18 18:04:54.559: ISAKMP (0:2): Old State = IKE_R_MM1 New State = IKE_R_MM2

*Nov 18 18:05:04.547: ISAKMP (0:2): retransmitting due to retransmit phase 1

*Nov 18 18:05:04.547: ISAKMP (0:2): retransmitting phase 1 MM_SA_SETUP...

*Nov 18 18:05:05.047: ISAKMP (0:2): retransmitting phase 1 MM_SA_SETUP...




•Ensure that the reachability to the remote LAN segment is available in the VRF table either through statics or through GRE and a routing protocol.

ip route vrf vpn1 101.1.1.0 255.255.255.0 30.1.1.1




•The current release of the solution also requires a public facing interface/VPN to terminate the IPSec sessions (GRE being an exception). Thus ensure that the session is terminating on the correct interface.

•With VPN clients connecting to a multipoint interface and using RRI to install a route in the VRF routing table, Cisco IOS software does not forward packets in the return path (MPLS to IP) out a multipoint interface due to a lack off next-hop. This can be seen in the following debug that packet is received with a VPN tag but is not untagged and forwarded.

*Nov 19 15:53:02.757: MPLS: Fa2/1.1: recvd: CoS=0, TTL=254, Label(s)=20

*Nov 19 15:53:04.753: MPLS: Fa2/1.1: recvd: CoS=0, TTL=254, Label(s)=20

*Nov 19 15:53:06.749: MPLS: Fa2/1.1: recvd: CoS=0, TTL=254, Label(s)=20




With multipoint interfaces, avoid using RRI for route injection. Instead, use a static route for the subnet pointing to a next hop that can then be redistributed into BGP.

Posted: Wed Jan 12 10:02:18 PST 2005
All contents are Copyright © 1992--2005 Cisco Systems, Inc. All rights reserved.
Important Notices and Privacy Statement.