Tuesday, April 26, 2011

IPsec Stuck in MM_SA_SETUP and MM_NO_STATE

Network Setup:


Problem Symptom:
1. The states of the ISAKMP SAs are stuck in MM_SA_SETUP and MM_NO_STATE.
2. The following error messages are seen in the output of the debug crypto isakmp privileged command:
ISAKMP (0:X): phase 1 packet is a duplicate of a previous packet.
ISAKMP (0:X): retransmitting phase 1 MM_SA_SETUP...

Sample Output:
PC1#ping 172.16.2.2 rep 50

Type escape sequence to abort.
Sending 50, 100-byte ICMP Echos to 172.16.2.2, timeout is 2 seconds:
..................................................
Success rate is 0 percent (0/50)
PC1#
RT2#debug crypto isakmp
Crypto ISAKMP debugging is on
RT2#
RT2#sh crypto isakmp sa
dst             src             state           conn-id    slot

RT2#
00:01:01: ISAKMP (0:0): received packet from 10.10.10.2 (N) NEW SA
00:01:01: ISAKMP: local port 500, remote port 500
00:01:01: ISAKMP (0:1): processing SA payload. message ID = 0
00:01:01: ISAKMP (0:1): found peer pre-shared key matching 10.10.10.2
00:01:01: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 1 policy
00:01:01: ISAKMP:      encryption 3DES-CBC
00:01:01: ISAKMP:      hash SHA
00:01:01: ISAKMP:      default group 2
00:01:01: ISAKMP:      auth pre-share
00:01:01: ISAKMP:      life type in seconds
00:01:01: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
00:01:01: ISAKMP (0:1): atts are acceptable. Next payload is 0
00:01:01: ISAKMP (0:1): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
00:01:01: ISAKMP (0:1): sending packet to 10.10.10.2 (R) MM_SA_SETUP
RT2#
RT2#sh crypto isakmp sa
dst             src             state           conn-id    slot
11.11.11.2      10.10.10.2      MM_SA_SETUP           1       0

RT2#
00:01:11: ISAKMP (0:1): received packet from 10.10.10.2 (R) MM_SA_SETUP
00:01:11: ISAKMP (0:1): phase 1 packet is a duplicate of a previous packet.
00:01:11: ISAKMP (0:1): retransmitting due to retransmit phase 1
00:01:11: ISAKMP (0:1): retransmitting phase 1 MM_SA_SETUP...
00:01:12: ISAKMP (0:1): retransmitting phase 1 MM_SA_SETUP...
00:01:12: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1
00:01:12: ISAKMP (0:1): retransmitting phase 1 MM_SA_SETUP
00:01:12: ISAKMP (0:1): sending packet to 10.10.10.2 (R) MM_SA_SETUP
RT2#
RT2#sh crypto isakmp sa
dst             src             state           conn-id    slot
11.11.11.2      10.10.10.2      MM_SA_SETUP           1       0

RT2#
00:01:21: ISAKMP (0:1): received packet from 10.10.10.2 (R) MM_SA_SETUP
00:01:21: ISAKMP (0:1): phase 1 packet is a duplicate of a previous packet.
00:01:21: ISAKMP (0:1): retransmitting due to retransmit phase 1
00:01:21: ISAKMP (0:1): retransmitting phase 1 MM_SA_SETUP...
00:01:22: ISAKMP (0:1): retransmitting phase 1 MM_SA_SETUP...
00:01:22: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1
00:01:22: ISAKMP (0:1): retransmitting phase 1 MM_SA_SETUP
00:01:22: ISAKMP (0:1): sending packet to 10.10.10.2 (R) MM_SA_SETUP
RT2#
RT2#sh crypto isakmp sa
dst             src             state           conn-id    slot
11.11.11.2      10.10.10.2      MM_SA_SETUP           1       0

RT2#
00:01:31: ISAKMP (0:1): received packet from 10.10.10.2 (R) MM_SA_SETUP
00:01:31: ISAKMP (0:1): phase 1 packet is a duplicate of a previous packet.
00:01:31: ISAKMP (0:1): retransmitting due to retransmit phase 1
00:01:31: ISAKMP (0:1): retransmitting phase 1 MM_SA_SETUP...
00:01:32: ISAKMP (0:1): retransmitting phase 1 MM_SA_SETUP...
00:01:32: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1
00:01:32: ISAKMP (0:1): retransmitting phase 1 MM_SA_SETUP
00:01:32: ISAKMP (0:1): sending packet to 10.10.10.2 (R) MM_SA_SETUP
RT2#
RT2#sh crypto isakmp sa
dst             src             state           conn-id    slot
11.11.11.2      10.10.10.2      MM_SA_SETUP           1       0

RT2#
00:01:41: ISAKMP (0:1): received packet from 10.10.10.2 (R) MM_SA_SETUP
00:01:41: ISAKMP (0:1): phase 1 packet is a duplicate of a previous packet.
00:01:41: ISAKMP (0:1): retransmitting due to retransmit phase 1
00:01:41: ISAKMP (0:1): retransmitting phase 1 MM_SA_SETUP...
00:01:42: ISAKMP (0:1): retransmitting phase 1 MM_SA_SETUP...
00:01:42: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1
00:01:42: ISAKMP (0:1): retransmitting phase 1 MM_SA_SETUP
00:01:42: ISAKMP (0:1): sending packet to 10.10.10.2 (R) MM_SA_SETUP
RT2#
RT2#sh crypto isakmp sa
dst             src             state           conn-id    slot
11.11.11.2      10.10.10.2      MM_SA_SETUP           1       0

RT2#
00:01:51: ISAKMP (0:1): received packet from 10.10.10.2 (R) MM_SA_SETUP
00:01:51: ISAKMP (0:1): phase 1 packet is a duplicate of a previous packet.
00:01:51: ISAKMP (0:1): retransmitting due to retransmit phase 1
00:01:51: ISAKMP (0:1): retransmitting phase 1 MM_SA_SETUP...
00:01:52: ISAKMP (0:1): retransmitting phase 1 MM_SA_SETUP...
00:01:52: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1
00:01:52: ISAKMP (0:1): retransmitting phase 1 MM_SA_SETUP
00:01:52: ISAKMP (0:1): sending packet to 10.10.10.2 (R) MM_SA_SETUP
RT2#
RT2#sh crypto isakmp sa
dst             src             state           conn-id    slot
11.11.11.2      10.10.10.2      MM_SA_SETUP           1       0

RT2#
00:02:01: ISAKMP (0:0): received packet from 10.10.10.2 (N) NEW SA
00:02:01: ISAKMP: local port 500, remote port 500
00:02:01: ISAKMP (0:2): processing SA payload. message ID = 0
00:02:01: ISAKMP (0:2): found peer pre-shared key matching 10.10.10.2
00:02:01: ISAKMP (0:2): Checking ISAKMP transform 1 against priority 1 policy
00:02:01: ISAKMP:      encryption 3DES-CBC
00:02:01: ISAKMP:      hash SHA
00:02:01: ISAKMP:      default group 2
00:02:01: ISAKMP:      auth pre-share
00:02:01: ISAKMP:      life type in seconds
00:02:01: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
00:02:01: ISAKMP (0:2): atts are acceptable. Next payload is 0
00:02:01: ISAKMP (0:2): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
00:02:01: ISAKMP (0:2): sending packet to 10.10.10.2 (R) MM_SA_SETUP
00:02:02: ISAKMP (0:1): retransmitting phase 1 MM_SA_SETUP...
00:02:02: ISAKMP (0:1): peer does not do paranoid keepalives.

00:02:02: ISAKMP (0:1): deleting SA reason "death by retransmission P1"
state (R) MM_SA_SETUP (peer 10.10.10.2) input queue 0
RT2#
RT2#sh crypto isakmp sa
dst             src             state           conn-id    slot
11.11.11.2      10.10.10.2      MM_SA_SETUP           2       0
11.11.11.2      10.10.10.2      MM_NO_STATE           1       0   (deleted)

RT2#
00:02:11: ISAKMP (0:2): received packet from 10.10.10.2 (R) MM_SA_SETUP
00:02:11: ISAKMP (0:2): phase 1 packet is a duplicate of a previous packet.
00:02:11: ISAKMP (0:2): retransmitting due to retransmit phase 1
00:02:11: ISAKMP (0:2): retransmitting phase 1 MM_SA_SETUP...
00:02:12: ISAKMP (0:2): retransmitting phase 1 MM_SA_SETUP...
00:02:12: ISAKMP (0:2): incrementing error counter on sa: retransmit phase 1
00:02:12: ISAKMP (0:2): retransmitting phase 1 MM_SA_SETUP
00:02:12: ISAKMP (0:2): sending packet to 10.10.10.2 (R) MM_SA_SETUP
RT2#
RT2#sh crypto isakmp sa
dst             src             state           conn-id    slot
11.11.11.2      10.10.10.2      MM_SA_SETUP           2       0
11.11.11.2      10.10.10.2      MM_NO_STATE           1       0   (deleted)

RT2#
00:02:21: ISAKMP (0:2): received packet from 10.10.10.2 (R) MM_SA_SETUP
00:02:21: ISAKMP (0:2): phase 1 packet is a duplicate of a previous packet.
00:02:21: ISAKMP (0:2): retransmitting due to retransmit phase 1
00:02:21: ISAKMP (0:2): retransmitting phase 1 MM_SA_SETUP...
00:02:22: ISAKMP (0:2): retransmitting phase 1 MM_SA_SETUP...
00:02:22: ISAKMP (0:2): incrementing error counter on sa: retransmit phase 1
00:02:22: ISAKMP (0:2): retransmitting phase 1 MM_SA_SETUP
00:02:22: ISAKMP (0:2): sending packet to 10.10.10.2 (R) MM_SA_SETUP
RT2#
RT2#sh crypto isakmp sa
dst             src             state           conn-id    slot
11.11.11.2      10.10.10.2      MM_SA_SETUP           2       0
11.11.11.2      10.10.10.2      MM_NO_STATE           1       0   (deleted)

RT2#
00:02:31: ISAKMP (0:2): received packet from 10.10.10.2 (R) MM_SA_SETUP
00:02:31: ISAKMP (0:2): phase 1 packet is a duplicate of a previous packet.
00:02:31: ISAKMP (0:2): retransmitting due to retransmit phase 1
00:02:31: ISAKMP (0:2): retransmitting phase 1 MM_SA_SETUP...
00:02:32: ISAKMP (0:2): retransmitting phase 1 MM_SA_SETUP...
00:02:32: ISAKMP (0:2): incrementing error counter on sa: retransmit phase 1
00:02:32: ISAKMP (0:2): retransmitting phase 1 MM_SA_SETUP
00:02:32: ISAKMP (0:2): sending packet to 10.10.10.2 (R) MM_SA_SETUP
RT2#
RT2#sh crypto isakmp sa
dst             src             state           conn-id    slot
11.11.11.2      10.10.10.2      MM_SA_SETUP           2       0
11.11.11.2      10.10.10.2      MM_NO_STATE           1       0   (deleted)

RT2#
00:02:41: ISAKMP (0:2): received packet from 10.10.10.2 (R) MM_SA_SETUP
00:02:41: ISAKMP (0:2): phase 1 packet is a duplicate of a previous packet.
00:02:41: ISAKMP (0:2): retransmitting due to retransmit phase 1
00:02:41: ISAKMP (0:2): retransmitting phase 1 MM_SA_SETUP...
00:02:42: ISAKMP (0:2): retransmitting phase 1 MM_SA_SETUP...
00:02:42: ISAKMP (0:2): incrementing error counter on sa: retransmit phase 1
00:02:42: ISAKMP (0:2): retransmitting phase 1 MM_SA_SETUP
00:02:42: ISAKMP (0:2): sending packet to 10.10.10.2 (R) MM_SA_SETUP
RT2#
RT2#sh crypto isakmp sa
dst             src             state           conn-id    slot
11.11.11.2      10.10.10.2      MM_SA_SETUP           2       0
11.11.11.2      10.10.10.2      MM_NO_STATE           1       0   (deleted)

RT2#
00:02:51: ISAKMP (0:2): received packet from 10.10.10.2 (R) MM_SA_SETUP
00:02:51: ISAKMP (0:2): phase 1 packet is a duplicate of a previous packet.
00:02:51: ISAKMP (0:2): retransmitting due to retransmit phase 1
00:02:51: ISAKMP (0:2): retransmitting phase 1 MM_SA_SETUP...
00:02:52: ISAKMP (0:2): retransmitting phase 1 MM_SA_SETUP...
00:02:52: ISAKMP (0:2): incrementing error counter on sa: retransmit phase 1
00:02:52: ISAKMP (0:2): retransmitting phase 1 MM_SA_SETUP
00:02:52: ISAKMP (0:2): sending packet to 10.10.10.2 (R) MM_SA_SETUP
RT2#
RT2#sh crypto isakmp sa
dst             src             state           conn-id    slot
11.11.11.2      10.10.10.2      MM_SA_SETUP           2       0
11.11.11.2      10.10.10.2      MM_NO_STATE           1       0   (deleted)

RT2#
00:03:02: ISAKMP (0:1): purging SA., sa=623CF540, delme=623CF540
00:03:02: ISAKMP (0:2): retransmitting phase 1 MM_SA_SETUP...
00:03:02: ISAKMP (0:2): peer does not do paranoid keepalives.

00:03:02: ISAKMP (0:2): deleting SA reason "death by retransmission P1"
state (R) MM_SA_SETUP (peer 10.10.10.2) input queue 0
RT2#
RT2#sh crypto isakmp sa
dst             src             state           conn-id    slot
11.11.11.2      10.10.10.2      MM_NO_STATE           2       0   (deleted)

RT2#
00:04:02: ISAKMP (0:2): purging SA., sa=61FEBB84, delme=61FEBB84
RT2#
RT2#sh crypto isakmp sa
dst             src             state           conn-id    slot

RT2#

Root Cause:
RT2 has no static (default) route towards RT1, so it has no path to 10.10.10.2.
RT2 accepts RT1's first IKE message (the transform matches its policy and it builds an MM_SA_SETUP reply), but that reply has no route to leave by. RT1 therefore keeps resending the same first message, RT2 logs each copy as a duplicate and retransmits its own reply, and once the retransmit counter is exhausted the SA is torn down with "death by retransmission P1", lingers in MM_NO_STATE as (deleted) and is finally purged.
RT2#sh ip route

Gateway of last resort is not set

     172.16.0.0/24 is subnetted, 1 subnets
C       172.16.2.0 is directly connected, FastEthernet0/0
     11.0.0.0/24 is subnetted, 1 subnets
C       11.11.11.0 is directly connected, FastEthernet1/0
RT2#

Lessons Learned:
1. Routing and switching are the foundation of networking; without them configured properly, other technologies (e.g. security, VoIP) can fail.
2. Always issue show ip route to verify that the routing configuration is in place; never assume everything is in place.
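As an added example (not code from the original post), a small Python checker for this exact failure pattern, built from the two outputs the post relies on: it counts phase 1 retransmits per conn-id in the debug crypto isakmp log, picks up the "death by retransmission P1" deletion, and then looks the peer address up in a parsed show ip route listing so that "no return route" can be told apart from a policy or PSK mismatch. The sample log and routing table are constructed in the post's format; the function names and the threshold of two retransmits are my own assumptions.

```python
import ipaddress
import re
# Constructed, abridged sample in the format of the post's capture: RT2's
# "debug crypto isakmp" lines and its "show ip route" listing.
DEBUG_LOG = """\
00:01:11: ISAKMP (0:1): phase 1 packet is a duplicate of a previous packet.
00:01:11: ISAKMP (0:1): retransmitting phase 1 MM_SA_SETUP...
00:01:22: ISAKMP (0:1): retransmitting phase 1 MM_SA_SETUP
00:02:02: ISAKMP (0:1): deleting SA reason "death by retransmission P1"
00:02:11: ISAKMP (0:2): retransmitting phase 1 MM_SA_SETUP...
"""
ROUTE_TABLE = """\
     172.16.0.0/24 is subnetted, 1 subnets
C       172.16.2.0 is directly connected, FastEthernet0/0
     11.0.0.0/24 is subnetted, 1 subnets
C       11.11.11.0 is directly connected, FastEthernet1/0
"""
RETRANS_RE = re.compile(r"ISAKMP \(0:(\d+)\): retransmitting phase 1 \w+")
DEATH_RE = re.compile(r'ISAKMP \(0:(\d+)\): deleting SA reason "death by retransmission')
PARENT_RE = re.compile(r"^\s+\d+(?:\.\d+){3}/(\d+) is subnetted")
ROUTE_RE = re.compile(r"^[A-Z]\*?\s+(\d+(?:\.\d+){3})(?:/(\d+))?")

def phase1_retransmits(log):
    """Per conn-id count of phase 1 retransmits, plus the SAs that died of them."""
    retrans, dead = {}, set()
    for line in log.splitlines():
        if m := RETRANS_RE.search(line):
            retrans[int(m.group(1))] = retrans.get(int(m.group(1)), 0) + 1
        elif m := DEATH_RE.search(line):
            dead.add(int(m.group(1)))
    return retrans, dead

def parse_routes(table):
    """Prefixes of a classful listing: children inherit the 'is subnetted' mask."""
    nets, plen = [], 32
    for line in table.splitlines():
        if m := PARENT_RE.match(line):
            plen = int(m.group(1))
        elif m := ROUTE_RE.match(line):          # a default route carries its own /0
            nets.append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2) or plen}", strict=False))
    return nets

def diagnose(log, table, peer):
    """Tie the symptoms together: phase 1 retransmits to a peer with no return route."""
    retrans, dead = phase1_retransmits(log)
    stuck = sorted(dead | {c for c, n in retrans.items() if n >= 2})
    if not stuck:
        return "ok"
    routable = any(ipaddress.ip_address(peer) in n for n in parse_routes(table))
    return f"conn-id {stuck}: phase 1 retransmits, " + (
        "peer is routable (check policy/PSK)" if routable else f"no route to peer {peer}")
```

Run diagnose(DEBUG_LOG, ROUTE_TABLE, "10.10.10.2") against the post's capture and it reports the missing route; with a default route added to the table the same log would instead point at policy or PSK checks.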

8 comments:

  1. Nice Tip YAP, Thx a LOT, Useful for Me.

    OscaR, C.R Central America

  2. Good man, back to basics! :)

  3. Hello,
    but to route the traffic through the VPN tunnel, how will we do it?
    ip route
    to what destination?

  4. Saved my day mate... thx

  5. thank you for your interesting information. vpn reviews

  6. Something messed up.

    In real time, it's not the case.

    MM_NO_STATE: ISAKMP SA process has started but has not continued to form (typically due to a connectivity issue with the peer)
    MM_NO_SETUP: Both peers agree on ISAKMP SA parameters and will move along the process
    MM_KEY_EXCH: Both peers exchange their DH keys. (This state could also mean there is a mismatched authentication type or PSK, if it doesn't proceed to the next step)
    MM_KEY_AUTH: ISAKMP SAs have been authenticated in main mode and will proceed to QM_IDLE immediately

  7. In addition:
    1. NAT exemption or nat 0 should be there.
    2. Default route for internet traffic.
    3. Proper access list.
