Why does IPsec between a Cisco 2951 and an 881 break every two minutes?
Good afternoon, colleagues!
There is a Cisco 2951 with IPsec tunnels to the cities, and there is a Cisco 881 on which the tunnel to the 2951 breaks every two minutes. There are similar Cisco 881s with the same IOS version and config, which work fine.
What's wrong?
sh run on 2951:
c2951-universalk9-mz.SPA.153-3.M.bin
.
.
.
!
crypto isakmp policy 1
 encr aes
 hash md5
 authentication pre-share
!
crypto isakmp policy 2
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp policy 3
 encr 3des
 hash md5
 authentication pre-share
!
crypto isakmp policy 4
 authentication pre-share
!
crypto isakmp policy 12
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key THISISKEY address 85.XXX.XXX.10
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10 periodic
!
crypto ipsec security-association replay window-size 128
!
crypto ipsec transform-set VPN_Office esp-aes esp-md5-hmac
 mode tunnel
crypto ipsec df-bit clear
!
crypto ipsec profile VPN_Office
 set transform-set VPN_Office
!
.
.
.
!
interface Tunnel19
 description ---===piter===---
 ip address 172.16.100.89 255.255.255.252
 tunnel source 85.XXX.XXX.14
 tunnel mode ipsec ipv4
 tunnel destination 85.XXX.XXX.10
 tunnel protection ipsec profile VPN_Office
!
.
.
.
c880data-universalk9-mz.153-3.M.bin
.
.
.
!
crypto isakmp policy 1
 encr aes
 hash md5
 authentication pre-share
!
crypto isakmp policy 2
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key THISISKEY address 85.XXX.XXX.14
crypto isakmp keepalive 10 periodic
!
!
crypto ipsec transform-set VPN_Office esp-aes esp-md5-hmac
 mode tunnel
!
crypto ipsec profile VPN_Office
 set transform-set VPN_Office
!
!
!
!
interface Tunnel19
 description ---===moscow===---
 ip address 172.16.100.90 255.255.255.252
 tunnel source 85.XXX.XXX.10
 tunnel mode ipsec ipv4
 tunnel destination 85.XXX.XXX.14
 tunnel protection ipsec profile VPN_Office
!
.
.
.
Interface: Tunnel19
Uptime: 00:00:40
Session status: UP-ACTIVE
Peer: 85.XXX.XXX.10 port 500 fvrf: (none) ivrf: (none)
Phase1_id: 85.XXX.XXX.10
Desc: (none)
Session ID: 0
IKEv1 SA: local 85.XXX.XXX.14/500 remote 85.XXX.XXX.10/500 Active
Capabilities:D connid:12866 lifetime:23:58:53
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 759646 drop 2 life (KB/Sec) 4178190/3559
Outbound: #pkts enc'ed 564876 drop 0 life (KB/Sec) 4191031/3559
Interface: Tunnel19
Uptime: 00:01:02
Session status: UP-ACTIVE
Peer: 85.XXX.XXX.14 port 500 fvrf: (none) ivrf: (none)
Phase1_id: 85.XXX.XXX.14
Desc: (none)
Session ID: 0
IKEv1 SA: local 85.XXX.XXX.10/500 remote 85.XXX.XXX.14/500 Active
Capabilities:D connid:2065 lifetime:23:58:30
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 222869 drop 0 life (KB/Sec) 4346407/3537
Outbound: #pkts enc'ed 374400 drop 0 life (KB/Sec) 4338287/3537
Interface: FastEthernet4
Uptime: 00:01:02
Session status: DOWN-NEGOTIATING
Peer: 85.XXX.XXX.14 port 500 fvrf: (none) ivrf: (none)
Phase1_id: 85.XXX.XXX.14
Desc: (none)
Session ID: 0
IKEv1 SA: local 85.XXX.XXX.10/500 remote 85.XXX.XXX.14/500 Inactive
Capabilities:(none) connid:0 lifetime:0
Jun 4 16:29:12 rojg2951 Moscow: %CRYPTO-4-IKMP_NO_SA: IKE message from 85.XXX.XXX.10 has no SA and is not an initialization offer
Jun 4 16:31:12 rojg2951 Moscow: %CRYPTO-4-IKMP_NO_SA: IKE message from 85.XXX.XXX.10 has no SA and is not an initialization offer
Jun 4 16:33:12 rojg2951 Moscow: %CRYPTO-4-IKMP_NO_SA: IKE message from 85.XXX.XXX.10 has no SA and is not an initialization offer
Jun 4 16:35:12 rojg2951 Moscow: %CRYPTO-4-IKMP_NO_SA: IKE message from 85.XXX.XXX.10 has no SA and is not an initialization offer
Jun 4 16:37:12 rojg2951 Moscow: %CRYPTO-4-IKMP_NO_SA: IKE message from 85.XXX.XXX.10 has no SA and is not an initialization offer
Jun 4 16:39:12 rojg2951 Moscow: %CRYPTO-4-IKMP_NO_SA: IKE message from 85.XXX.XXX.10 has no SA and is not an initialization offer
Jun 4 16:41:12 rojg2951 Moscow: %CRYPTO-4-IKMP_NO_SA: IKE message from 85.XXX.XXX.10 has no SA and is not an initialization offer
Jun 4 16:36:23 Moscow: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel19, changed state to down
Jun 4 16:36:23 Moscow: IPSEC(ERROR): [ident_update_final_flow_stats] Peer index node NULL for peer index 0 when corresponding flow id 0x14000667 was completed
Jun 4 16:36:39 Moscow: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel19, changed state to up
Jun 4 16:37:12 Moscow: %CRYPTO-4-IKMP_NO_SA: IKE message from 85.XXX.XXX.10 has no SA and is not an initialization offer
Jun 4 16:37:40 Moscow: ISAKMP:(0):Invalid IKE exchange type 243
Jun 4 16:37:40 Moscow: ISAKMP:(0):Bad header. IKE Packet dropped.
Jun 4 16:37:45 Moscow: ISAKMP:(0):Invalid IKE exchange type 243
Jun 4 16:37:45 Moscow: ISAKMP:(0):Bad header. IKE Packet dropped.
Jun 4 16:38:13 Moscow: ISAKMP:(12855):deleting SA reason "Death by retransmission P1" state (I) QM_IDLE (peer 85.XXX.XXX.10)
Jun 4 16:38:13 Moscow: ISAKMP:(12855):deleting SA reason "Death by retransmission P1" state (I) QM_IDLE (peer 85.XXX.XXX.10)
Jun 4 16:38:23 Moscow: ISAKMP:(0):Can't decrement IKE Call Admission Control stat outgoing_negotiating since it's already 0.
Jun 4 16:38:28 Moscow: IPSEC(send_delete_notify_kmi): not sending KEY_ENGINE_DELETE_SAS
Jun 4 16:38:28 Moscow: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel19, changed state to down
Jun 4 16:38:28 Moscow: IPSEC(ERROR): [ident_update_final_flow_stats] Peer index node NULL for peer index 0 when corresponding flow id 0x14000669 was completed
Jun 4 16:38:40 Moscow: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel19, changed state to up
Jun 4 16:39:12 Moscow: %CRYPTO-4-IKMP_NO_SA: IKE message from 85.XXX.XXX.10 has no SA and is not an initialization offer
Jun 4 16:40:13 Moscow: ISAKMP:(12856):deleting SA reason "Death by retransmission P1" state (I) QM_IDLE (peer 85.XXX.XXX.10)
Jun 4 16:40:13 Moscow: ISAKMP:(12856):deleting SA reason "Death by retransmission P1" state (I) QM_IDLE (peer 85.XXX.XXX.10)
Jun 4 16:40:23 Moscow: ISAKMP:(0):Can't decrement IKE Call Admission Control stat outgoing_negotiating since it's already 0.
Jun 4 16:40:28 Moscow: IPSEC(send_delete_notify_kmi): not sending KEY_ENGINE_DELETE_SAS
Jun 4 16:40:28 Moscow: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel19, changed state to down
Jun 4 16:40:28 Moscow: IPSEC(ERROR): [ident_update_final_flow_stats] Peer index node NULL for peer index 0 when corresponding flow id 0x1400066B was completed
Jun 4 16:40:41 Moscow: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel19, changed state to up
.Jun 4 16:52:46.249: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel19, changed state to up
.Jun 4 16:54:13.005: ISAKMP:(0): Phase 1 negotiation failed with DPD active; deleting IKE/IPSec SAs
.Jun 4 16:54:13.005: ISAKMP:(2061):deleting SA reason "Death by retransmission P1" state (R) QM_IDLE (peer 85.XXX.XXX.14)
.Jun 4 16:54:13.005: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (R) MM_SA_SETUP (peer 85.XXX.XXX.14)
.Jun 4 16:54:13.005: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel19, changed state to down
.Jun 4 16:54:13.009: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (R) MM_SA_SETUP (peer 85.XXX.XXX.14)
.Jun 4 16:54:13.013: ISAKMP:(2061):deleting SA reason "Death by retransmission P1" state (R) QM_IDLE (peer 85.XXX.XXX.14)
.Jun 4 16:54:13.013: IPSEC(ERROR): [ident_update_final_flow_stats] Peer index node NULL for peer index 0 when corresponding flow id 0x14000017 was completed
.Jun 4 16:54:13.193: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=85.XXX.XXX.10, prot=50, spi=0x5CD3DCBE(1557388478), srcaddr=85.XXX.XXX.14, input interface=FastEthernet4
.Jun 4 16:54:47.073: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel19, changed state to up
.Jun 4 16:56:13.001: ISAKMP:(0): Phase 1 negotiation failed with DPD active; deleting IKE/IPSec SAs
.Jun 4 16:56:13.001: ISAKMP:(2062):deleting SA reason "Death by retransmission P1" state (R) QM_IDLE (peer 85.XXX.XXX.14)
.Jun 4 16:56:13.001: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (R) MM_SA_SETUP (peer 85.XXX.XXX.14)
.Jun 4 16:56:13.001: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel19, changed state to down
.Jun 4 16:56:13.009: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (R) MM_SA_SETUP (peer 85.XXX.XXX.14)
.Jun 4 16:56:13.009: ISAKMP:(2062):deleting SA reason "Death by retransmission P1" state (R) QM_IDLE (peer 85.XXX.XXX.14)
.Jun 4 16:56:13.013: IPSEC(ERROR): [ident_update_final_flow_stats] Peer index node NULL for peer index 0 when corresponding flow id 0x14000019 was completed
.Jun 4 16:56:13.021: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=85.XXX.XXX.10, prot=50, spi=0xE15B6CBD(3780865213), srcaddr=85.XXX.XXX.14, input interface=FastEthernet4
.Jun 4 16:56:47.957: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel19, changed state to up
.Jun 4 16:58:12.997: ISAKMP:(0): Phase 1 negotiation failed with DPD active; deleting IKE/IPSec SAs
.Jun 4 16:58:12.997: ISAKMP:(2063):deleting SA reason "Death by retransmission P1" state (R) QM_IDLE (peer 85.XXX.XXX.14)
.Jun 4 16:58:12.997: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (R) MM_SA_SETUP (peer 85.XXX.XXX.14)
.Jun 4 16:58:12.997: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel19, changed state to down
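
To measure the flap cadence from logs like those above and see which ISAKMP deletion reason precedes each drop, here is an added example (not part of the original post) that parses IOS log lines in both timestamp styles shown. The function names, the placeholder year and the 60-second correlation window are assumptions; the sample lines are copied from the post's log excerpt.

```python
import re
from datetime import datetime

# Lines copied from the post's log excerpt (first timestamp style).
SAMPLE = """\
Jun 4 16:36:23 Moscow: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel19, changed state to down
Jun 4 16:36:39 Moscow: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel19, changed state to up
Jun 4 16:38:13 Moscow: ISAKMP:(12855):deleting SA reason "Death by retransmission P1" state (I) QM_IDLE (peer 85.XXX.XXX.10)
Jun 4 16:38:28 Moscow: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel19, changed state to down
Jun 4 16:38:40 Moscow: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel19, changed state to up
Jun 4 16:40:13 Moscow: ISAKMP:(12856):deleting SA reason "Death by retransmission P1" state (I) QM_IDLE (peer 85.XXX.XXX.10)
Jun 4 16:40:28 Moscow: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel19, changed state to down
"""

# Matches "Jun 4 16:38:28 Moscow: ..." as well as ".Jun 4 16:54:13.005: ..."
LINE = re.compile(r"^[.*]?(\w{3})\s+(\d+)\s+(\d\d:\d\d:\d\d)(?:\.\d+)?(?:\s+[\w.-]+)*:\s+(.*)$")
DOWN = re.compile(r"%LINEPROTO-5-UPDOWN: Line protocol on Interface (\S+), changed state to down")
REASON = re.compile(r'ISAKMP:\(\d+\):\s*deleting SA reason "([^"]+)"')
ASSUMED_YEAR = 2000  # the logs carry no year; used only so timestamps can be subtracted

def parse_line(line):
    """Return (timestamp, message) for an IOS log line, or None if it does not match."""
    m = LINE.match(line.strip())
    if not m:
        return None
    mon, day, clock, msg = m.groups()
    ts = datetime.strptime(f"{ASSUMED_YEAR} {mon} {day} {clock}", "%Y %b %d %H:%M:%S")
    return ts, msg

def flap_report(text, interface="Tunnel19", window=60):
    """List each 'down' event with the gap since the previous one and the
    most recent ISAKMP SA deletion reason logged within `window` seconds before it."""
    flaps, prev_down, last_reason = [], None, None
    for raw in text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        ts, msg = parsed
        reason_match = REASON.search(msg)
        if reason_match:
            last_reason = (ts, reason_match.group(1))
            continue
        down_match = DOWN.search(msg)
        if down_match and down_match.group(1) == interface:
            reason = None
            if last_reason and 0 <= (ts - last_reason[0]).total_seconds() <= window:
                reason = last_reason[1]
            gap = int((ts - prev_down).total_seconds()) if prev_down else None
            flaps.append({"time": ts.strftime("%H:%M:%S"), "gap_s": gap, "reason": reason})
            prev_down = ts
    return flaps
```

Run `flap_report()` on each router's log separately, since mixing the two devices' lines would distort the gaps.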