The IPsec tunnel is not up. Phase 1 completes, but when we check the ISAKMP status we get the following result:
ISR#sh crypto isakmp sa | i x.x.x.x
x.x.x.x x.x.x.x MM_NO_STATE 32112 ACTIVE (deleted)
ISR#debug crypto isakmp
.....
Oct 17 10:35:02.045 GMT: ISAKMP: (32115):ID payload
Oct 17 10:35:02.045 GMT: ISAKMP: (32115): address : x.x.x.x
Oct 17 10:35:02.045 GMT: ISAKMP: (32115): protocol : 17
Oct 17 10:35:02.045 GMT: ISAKMP: (32115):Total payload length: 12
Oct 17 10:35:02.045 GMT: ISAKMP-PAK: (32115):sending packet to x.x.x.x my_port 500 peer_port 500 (I) MM_KEY_EXCH
Oct 17 10:35:02.045 GMT: ISAKMP: (32115):Sending an IKE IPv4 Packet.
Oct 17 10:35:02.045 GMT: ISAKMP: (32115):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Oct 17 10:35:02.045 GMT: ISAKMP: (32115):Old State = IKE_I_MM4 New State = IKE_I_MM5
Oct 17 10:35:02.109 GMT: ISAKMP-PAK: (32115):received packet from x.x.x.x dport 500 sport 500 Global (I) MM_KEY_EXCH
Oct 17 10:35:02.109 GMT: ISAKMP: (32115):processing ID payload. message ID = 0
Oct 17 10:35:02.109 GMT: ISAKMP: (32115):ID payload
Oct 17 10:35:02.109 GMT: ISAKMP: (32115): address : x.x.x.x
Oct 17 10:35:02.109 GMT: ISAKMP: (32115): protocol : 17
Oct 17 10:35:02.110 GMT: ISAKMP: (32115):processing HASH payload. message ID = 0
Oct 17 10:35:02.110 GMT: ISAKMP: (32115):received payload type 17
Oct 17 10:35:02.110 GMT: ISAKMP: (32115):processing keep alive: proposal=32767/32767 sec., actual=10/10 sec.
Oct 17 10:35:02.110 GMT: ISAKMP: (32115):processing vendor id payload
Oct 17 10:35:02.110 GMT: ISAKMP: (32115):vendor ID is DPD
Oct 17 10:35:02.110 GMT: ISAKMP: (32115):SA authentication status:
Oct 17 10:35:02.111 GMT: ISAKMP: (32115):SA has been authenticated with 217.168.2.25
Oct 17 10:35:02.111 GMT: ISAKMP: (32115):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Oct 17 10:35:02.111 GMT: ISAKMP: (32115):Old State = IKE_I_MM5 New State = IKE_I_MM6
Oct 17 10:35:02.111 GMT: ISAKMP: (32115):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Oct 17 10:35:02.111 GMT: ISAKMP: (32115):Old State = IKE_I_MM6 New State = IKE_I_MM6
Oct 17 10:35:02.111 GMT: ISAKMP: (32115):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Oct 17 10:35:02.111 GMT: ISAKMP: (32115):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
Oct 17 10:35:02.111 GMT: ISAKMP: (32115):IKE_DPD is enabled, initializing timers
Oct 17 10:35:02.112 GMT: ISAKMP: (32115):beginning Quick Mode exchange, M-ID of 4059749610
Oct 17 10:35:02.113 GMT: ISAKMP: (32115):QM Initiator gets spi
Oct 17 10:35:02.114 GMT: ISAKMP-PAK: (32115):sending packet to x.x.x.x my_port 500 peer_port 500 (I) QM_IDLE
Oct 17 10:35:02.114 GMT: ISAKMP: (32115):Sending an IKE IPv4 Packet.
Oct 17 10:35:02.114 GMT: ISAKMP: (32115):Node 4059749610, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
Oct 17 10:35:02.114 GMT: ISAKMP: (32115):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
Oct 17 10:35:02.114 GMT: ISAKMP: (32115):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Oct 17 10:35:02.114 GMT: ISAKMP: (32115):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Oct 17 10:35:02.186 GMT: ISAKMP-PAK: (32115):received packet from x.x.x.x dport 500 sport 500 Global (I) QM_IDLE
Oct 17 10:35:02.187 GMT: ISAKMP: (32115):set new node 3638484499 to QM_IDLE
Oct 17 10:35:02.187 GMT: ISAKMP: (32115):processing HASH payload. message ID = 3638484499
Oct 17 10:35:02.187 GMT: ISAKMP: (32115):processing NOTIFY INVALID_ID_INFO protocol 1
Oct 17 10:35:02.187 GMT: ISAKMP: (32115):peer does not do paranoid keepalives.
Oct 17 10:35:02.187 GMT: ISAKMP-ERROR: (32115):deleting SA reason "Recevied fatal informational" state (I) QM_IDLE (peer x.x.x.x5)
Oct 17 10:35:02.187 GMT: ISAKMP: (32115):deleting node 3638484499 error FALSE reason "Informational (in) state 1"
Oct 17 10:35:02.187 GMT: ISAKMP: (32115):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Oct 17 10:35:02.187 GMT: ISAKMP: (32115):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Oct 17 10:35:02.187 GMT: ISAKMP (32115): IPSec has no more SA's with this peer. Won't keepalive phase 1.
Oct 17 10:35:02.188 GMT: ISAKMP: (32115):set new node 633615013 to QM_IDLE
Oct 17 10:35:02.188 GMT: ISAKMP-PAK: (32115):sending packet to x.x.x.x my_port 500 peer_port 500 (I) QM_IDLE
Oct 17 10:35:02.188 GMT: ISAKMP: (32115):Sending an IKE IPv4 Packet.
Oct 17 10:35:02.188 GMT: ISAKMP: (32115):purging node 633615013
Oct 17 10:35:02.188 GMT: ISAKMP: (32115):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Oct 17 10:35:02.188 GMT: ISAKMP: (32115):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA
When the debug shows the error above (the peer's NOTIFY INVALID_ID_INFO right after Quick Mode starts, followed by "deleting SA reason "Recevied fatal informational""), it normally means that Phase 1 negotiation completed but there is a mismatch in the Phase 2 parameters or in the VPN ACL. The causes of such an error can be:
1. Mismatched PFS configuration on the two sides.
2. Mismatched SA lifetime configuration on the two sides.
3. Incompatible crypto ACLs on the two sides: a host or subnet permitted on one side is not permitted (as the mirror entry) on the peer side.
4. etc.
In the second case, “show crypto ipsec sa peer” shows the tunnel is up, but we get a traffic error as below:
host#sh crypto ipsec sa peer x.x.x.x
interface: GigabitEthernet0/0/0.100
    Crypto map tag: xxx, local addr x.x.x.x
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.32.34.23/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (23.33.42.11/255.255.255.255/0/0)
   current_peer x.x.x.x port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 3, #recv errors 0
“send errors” with zero encaps/decaps usually points to a mismatched encryption domain: the crypto access-lists on both sides must mirror each other (the local ident on one side must be the remote ident on the other).
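The following is an added example, not part of the original note, that turns the cause list above (PFS, SA lifetime, crypto ACL) and the "send errors" check into a small comparison script. It assumes you have transcribed each peer's Phase 2 settings into the constructed Phase2Side records shown; the sample networks reuse the idents from the show output and everything else is made up.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

@dataclass
class Phase2Side:
    """Phase 2 parameters of one peer's crypto map entry (constructed sample data)."""
    name: str
    pfs_group: Optional[str]           # e.g. "group14"; None when 'set pfs' is absent
    lifetime_sec: int                  # 'set security-association lifetime seconds'
    acl: List[Tuple[str, str]] = field(default_factory=list)  # (source, destination) networks

def _pairs(acl):
    return {(ipaddress.ip_network(s), ipaddress.ip_network(d)) for s, d in acl}

def check_phase2(a: Phase2Side, b: Phase2Side) -> List[str]:
    """Return the mismatches that leave Phase 1 up but Phase 2 failing with
    INVALID_ID_INFO or 0 encaps / send errors: PFS, SA lifetime, non-mirrored ACL."""
    problems = []
    if a.pfs_group != b.pfs_group:
        problems.append(f"PFS mismatch: {a.name}={a.pfs_group}, {b.name}={b.pfs_group}")
    if a.lifetime_sec != b.lifetime_sec:
        problems.append(f"SA lifetime mismatch: {a.name}={a.lifetime_sec}s, {b.name}={b.lifetime_sec}s")
    # The peer's ACL must be the exact mirror image: our (src, dst) == its (dst, src).
    # A /32 host on one side and the /24 it lives in on the other is still a mismatch.
    a_pairs = _pairs(a.acl)
    b_mirrored = {(d, s) for s, d in _pairs(b.acl)}
    for src, dst in sorted(a_pairs - b_mirrored, key=str):
        problems.append(f"{a.name} permits {src} -> {dst} but {b.name} has no mirror entry")
    for src, dst in sorted(b_mirrored - a_pairs, key=str):
        problems.append(f"{b.name} permits {dst} -> {src} but {a.name} has no mirror entry")
    return problems

def sample_problems() -> List[str]:
    # Constructed example: local side uses the idents from the show output above; the
    # remote side has PFS off, a different lifetime and a /24 instead of the /32 host.
    local = Phase2Side("ISR", "group14", 3600, [("10.32.34.23/32", "23.33.42.11/32")])
    remote = Phase2Side("peer", None, 28800, [("23.33.42.11/32", "10.32.34.0/24")])
    return check_phase2(local, remote)

if __name__ == "__main__":
    for line in sample_problems():
        print(line)
```

Fix the reported entries so that both lists come back empty before looking elsewhere; with the sample data above the script reports four problems.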