4.2: Difficulty establishing ISAKMP SAs

I was hoping someone might be able to shed some light on why the ISAKMP SAs did not establish properly in this exercise.

I configured the Concentrator with rules on the Public filter to permit IKE in and out, similarly with ESP. I set the time locally on the ASAs, so did not configure such a rule with NTP.

Both ASAs enrolled with the trustpoint successfully.

The IPS was bridging traffic as expected, and before the exercise I confirmed using ICMP connectivity between tunnel endpoints.

The results were as follows:

ASA2(config)# Mar 23 15:46:43 [IKEv1]: IP = 174.1.123.12, Removing peer from peer table failed, no match!
Mar 23 15:46:43 [IKEv1]: IP = 174.1.123.12, Error: Unable to remove PeerTblEntry

ASA2(config)# show crypto isakmp sa

Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1 IKE Peer: 174.1.123.12
Type : user Role : initiator
Rekey : no State : MM_WAIT_MSG2

ASA1(config)# show cry isa sa

Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1 IKE Peer: 192.10.3.13
Type : user Role : responder
Rekey : no State : MM_WAIT_MSG3

Configuration looked as follows:

ASA1

crypto ipsec transform-set 3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set AES_MD5 esp-aes esp-md5-hmac
crypto dynamic-map DYNAMIC 1 set transform-set 3DES_SHA
crypto dynamic-map DYNAMIC 1 set reverse-route
crypto map VPN 20 match address VLAN128_TO_VLAN132
crypto map VPN 20 set peer 174.1.135.13
crypto map VPN 20 set transform-set AES_MD5
crypto map VPN 20 set trustpoint IE
crypto map VPN 100 ipsec-isakmp dynamic DYNAMIC
crypto map VPN interface outside
crypto ca trustpoint IE
revocation-check crl none
enrollment url http://10.0.0.100:80/certsrv/mscep/mscep.dll
crl configure
crypto ca certificate chain IE
certificate ca 5139429c9820f5b442490f19f3bd0f52
308202de 30820288 a0030201 02021051 39429c98 20f5b442 490f19f3 bd0f5230
0d06092a 864886f7 0d010105 05003081 8f312d30 2b06092a 864886f7 0d010901
161e7375 70706f72 7440696e 7465726e 6574776f 726b6578 70657274 2e636f6d
310b3009 06035504 06130255 53310b30 09060355 04081302 4e56310d 300b0603
55040713 0452656e 6f312230 20060355 040a1319 496e7465 726e6574 776f726b
20457870 6572742c 20496e63 2e311130 0f060355 04031308 73633033 2d616161
301e170d 30373130 32393132 33313538 5a170d31 37313032 39313234 3133345a
30818f31 2d302b06 092a8648 86f70d01 0901161e 73757070 6f727440 696e7465
726e6574 776f726b 65787065 72742e63 6f6d310b 30090603 55040613 02555331
0b300906 03550408 13024e56 310d300b 06035504 07130452 656e6f31 22302006
0355040a 1319496e 7465726e 6574776f 726b2045 78706572 742c2049 6e632e31
11300f06 03550403 13087363 30332d61 6161305c 300d0609 2a864886 f70d0101
01050003 4b003048 024100c7 ecfa94f1 8925ff16 6df09d05 68591b25 8be324f1
f15f08a5 6cbe091b a0a0d3b6 828bf285 dc280be3 28eae73a 8e300ca8 d270a844
ab103db5 b344b920 74833d02 03010001 a381bd30 81ba300b 0603551d 0f040403
0201c630 0f060355 1d130101 ff040530 030101ff 301d0603 551d0e04 16041455
f912ef34 99b2883b 17b3f44f 463013f0 ecbbd030 69060355 1d1f0462 3060302d
a02ba029 86276874 74703a2f 2f736330 332d6161 612f4365 7274456e 726f6c6c
2f736330 332d6161 612e6372 6c302fa0 2da02b86 2966696c 653a2f2f 5c5c7363
30332d61 61615c43 65727445 6e726f6c 6c5c7363 30332d61 61612e63 726c3010
06092b06 01040182 37150104 03020100 300d0609 2a864886 f70d0101 05050003
41006738 84006d90 a13b907f 5f06dad7 6a48a3c3 33429707 d860a892 b1e02714
8f0b37d4 145ffedd ce1d21f4 d18993c0 d317cc5b 14fa78c1 12decff3 7bb56398 d28a
quit
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp policy 20
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group EzVPN type ipsec-ra
tunnel-group 0.0.0.0 type ipsec-l2l
tunnel-group 0.0.0.0 ipsec-attributes
pre-shared-key *
tunnel-group IPSECGROUP type ipsec-ra
tunnel-group IPSECGROUP general-attributes
address-pool MYPOOL
authentication-server-group RADIUS LOCAL
default-group-policy GROUP_POLICY
tunnel-group IPSECGROUP ipsec-attributes
pre-shared-key *
tunnel-group ASA2.internetworkexpert.com type ipsec-l2l
tunnel-group ASA2.internetworkexpert.com ipsec-attributes
trust-point IE

ASA2

crypto ipsec transform-set AES_MD5 esp-aes esp-md5-hmac
crypto map VPN 10 match address VLAN132_TO_VLAN128
crypto map VPN 10 set peer 174.1.123.12
crypto map VPN 10 set transform-set AES_MD5
crypto map VPN 10 set trustpoint IE
crypto map VPN interface outside
crypto ca trustpoint IE
revocation-check crl none
enrollment url http://10.0.0.100:80/certsrv/mscep/mscep.dll
crl configure
crypto ca certificate chain IE
certificate ca 5139429c9820f5b442490f19f3bd0f52
308202de 30820288 a0030201 02021051 39429c98 20f5b442 490f19f3 bd0f5230
0d06092a 864886f7 0d010105 05003081 8f312d30 2b06092a 864886f7 0d010901
161e7375 70706f72 7440696e 7465726e 6574776f 726b6578 70657274 2e636f6d
310b3009 06035504 06130255 53310b30 09060355 04081302 4e56310d 300b0603
55040713 0452656e 6f312230 20060355 040a1319 496e7465 726e6574 776f726b
20457870 6572742c 20496e63 2e311130 0f060355 04031308 73633033 2d616161
301e170d 30373130 32393132 33313538 5a170d31 37313032 39313234 3133345a
30818f31 2d302b06 092a8648 86f70d01 0901161e 73757070 6f727440 696e7465
726e6574 776f726b 65787065 72742e63 6f6d310b 30090603 55040613 02555331
0b300906 03550408 13024e56 310d300b 06035504 07130452 656e6f31 22302006
0355040a 1319496e 7465726e 6574776f 726b2045 78706572 742c2049 6e632e31
11300f06 03550403 13087363 30332d61 6161305c 300d0609 2a864886 f70d0101
01050003 4b003048 024100c7 ecfa94f1 8925ff16 6df09d05 68591b25 8be324f1
f15f08a5 6cbe091b a0a0d3b6 828bf285 dc280be3 28eae73a 8e300ca8 d270a844
ab103db5 b344b920 74833d02 03010001 a381bd30 81ba300b 0603551d 0f040403
0201c630 0f060355 1d130101 ff040530 030101ff 301d0603 551d0e04 16041455
f912ef34 99b2883b 17b3f44f 463013f0 ecbbd030 69060355 1d1f0462 3060302d
a02ba029 86276874 74703a2f 2f736330 332d6161 612f4365 7274456e 726f6c6c
2f736330 332d6161 612e6372 6c302fa0 2da02b86 2966696c 653a2f2f 5c5c7363
30332d61 61615c43 65727445 6e726f6c 6c5c7363 30332d61 61612e63 726c3010
06092b06 01040182 37150104 03020100 300d0609 2a864886 f70d0101 05050003
41006738 84006d90 a13b907f 5f06dad7 6a48a3c3 33429707 d860a892 b1e02714
8f0b37d4 145ffedd ce1d21f4 d18993c0 d317cc5b 14fa78c1 12decff3 7bb56398 d28a
quit
crypto isakmp identity hostname
crypto isakmp policy 10
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group ASA1.internetworkexpert.com type ipsec-l2l
tunnel-group ASA1.internetworkexpert.com ipsec-attributes
trust-point IE

Debugs, if those offer anything in addition:

%ASA-7-713236: IP = 192.10.3.13, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
%ASA-7-715047: IP = 192.10.3.13, processing SA payload
%ASA-7-713906: IP = 192.10.3.13, Oakley proposal is acceptable
%ASA-7-715047: IP = 192.10.3.13, processing VID payload
%ASA-7-715049: IP = 192.10.3.13, Received Fragmentation VID
%ASA-7-715064: IP = 192.10.3.13, IKE Peer included IKE fragmentation capability flags: Main Mode: True Aggressive Mode: True
%ASA-7-715047: IP = 192.10.3.13, processing IKE SA payload
%ASA-7-715028: IP = 192.10.3.13, IKE SA Proposal # 1, Transform # 1 acceptable Matches global IKE entry # 3
%ASA-7-715046: IP = 192.10.3.13, constructing ISAKMP SA payload
%ASA-7-715046: IP = 192.10.3.13, constructing Fragmentation VID + extended capabilities payload
%ASA-7-713236: IP = 192.10.3.13, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
%ASA-7-713236: IP = 192.10.3.13, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
%ASA-7-713236: IP = 192.10.3.13, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
%ASA-7-715047: IP = 192.10.3.13, processing SA payload
%ASA-7-713906: IP = 192.10.3.13, Oakley proposal is acceptable
%ASA-7-715047: IP = 192.10.3.13, processing VID payload
%ASA-7-715049: IP = 192.10.3.13, Received Fragmentation VID
%ASA-7-715064: IP = 192.10.3.13, IKE Peer included IKE fragmentation capability flags: Main Mode: True Aggressive Mode: True
%ASA-7-715047: IP = 192.10.3.13, processing IKE SA payload
%ASA-7-715028: IP = 192.10.3.13, IKE SA Proposal # 1, Transform # 1 acceptable Matches global IKE entry # 3
%ASA-7-715046: IP = 192.10.3.13, constructing ISAKMP SA payload
%ASA-7-715046: IP = 192.10.3.13, constructing Fragmentation VID + extended capabilities payload
%ASA-7-713236: IP = 192.10.3.13, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
%ASA-7-713236: IP = 192.10.3.13, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
%ASA-7-713236: IP = 192.10.3.13, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
%ASA-5-713201: IP = 192.10.3.13, Duplicate Phase 1 packet detected. Retransmitting last packet.
%ASA-6-713905: IP = 192.10.3.13, P1 Retransmit msg dispatched to MM FSM
%ASA-7-713236: IP = 192.10.3.13, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
%ASA-7-713236: IP = 192.10.3.13, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
%ASA-7-713236: IP = 192.10.3.13, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
%ASA-5-713201: IP = 192.10.3.13, Duplicate Phase 1 packet detected. Retransmitting last packet.
%ASA-6-713905: IP = 192.10.3.13, P1 Retransmit msg dispatched to MM FSM
%ASA-7-715065: IP = 192.10.3.13, IKE MM Responder FSM error history (struct &0x3fd3be8) <state>, <event>: MM_DONE, EV_ERROR-->MM_WAIT_MSG3, EV_RESEND_MSG-->MM_WAIT_MSG3, NullEvent-->MM_SND_MSG2, EV_SND_MSG-->MM_SND_MSG2, EV_START_TMR-->MM_SND_MSG2, EV_RESEND_MSG-->MM_WAIT_MSG3, EV_TIMEOUT-->MM_WAIT_MSG3, NullEvent
%ASA-7-713906: IP = 192.10.3.13, IKE SA MM:a8abf9c7 terminating: flags 0x01000002, refcnt 0, tuncnt 0
%ASA-7-713906: IP = 192.10.3.13, sending delete/delete with reason message
%ASA-3-713902: IP = 192.10.3.13, Removing peer from peer table failed, no match!
%ASA-4-713903: IP = 192.10.3.13, Error: Unable to remove PeerTblEntry

I see in one entry that main-mode is terminating. Perhaps I could try aggressive mode?

Any assistance much appreciated in getting to the bottom of this one.

Thanks.
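Added example, not part of the original post: a small Python script that reads the two "show crypto isakmp sa" outputs and the responder-side debug above and works out which main-mode message is not arriving. It generalises beyond this post's MM_WAIT_MSG2 / MM_WAIT_MSG3 pair to any adjacent pair of main-mode wait states: the initiator sends messages 1, 3 and 5 and the responder sends 2, 4 and 6, so if the responder is waiting for message n+1 while the initiator is still waiting for message n, the responder's message n is being lost (or dropped by the receiver) on the way back, and the mirror case means an initiator message is lost. The sample strings are trimmed copies of the output quoted in the post; everything else is assumed for the example.

```python
import re
from collections import Counter

# Constructed sample: trimmed copies of the 'show crypto isakmp sa' output and
# the responder-side IKE debug lines quoted in the post above.
ASA2_SA = """\
Active SA: 1
Total IKE SA: 1

1 IKE Peer: 174.1.123.12
Type : user Role : initiator
Rekey : no State : MM_WAIT_MSG2
"""

ASA1_SA = """\
1 IKE Peer: 192.10.3.13
Type : user Role : responder
Rekey : no State : MM_WAIT_MSG3
"""

ASA1_DEBUG = """\
%ASA-7-713236: IP = 192.10.3.13, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
%ASA-7-715028: IP = 192.10.3.13, IKE SA Proposal # 1, Transform # 1 acceptable Matches global IKE entry # 3
%ASA-7-713236: IP = 192.10.3.13, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
%ASA-7-713236: IP = 192.10.3.13, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
%ASA-7-713236: IP = 192.10.3.13, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
%ASA-5-713201: IP = 192.10.3.13, Duplicate Phase 1 packet detected. Retransmitting last packet.
%ASA-6-713905: IP = 192.10.3.13, P1 Retransmit msg dispatched to MM FSM
%ASA-7-713236: IP = 192.10.3.13, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
%ASA-5-713201: IP = 192.10.3.13, Duplicate Phase 1 packet detected. Retransmitting last packet.
%ASA-7-715065: IP = 192.10.3.13, IKE MM Responder FSM error history (struct &0x3fd3be8) <state>, <event>: MM_DONE, EV_ERROR-->MM_WAIT_MSG3, EV_TIMEOUT-->MM_WAIT_MSG3, NullEvent
%ASA-3-713902: IP = 192.10.3.13, Removing peer from peer table failed, no match!
"""

PEER_RE = re.compile(r"IKE Peer:\s*(\S+)")
ROLE_RE = re.compile(r"Role\s*:\s*(\w+)")
STATE_RE = re.compile(r"State\s*:\s*(\w+)")
SYSLOG_RE = re.compile(r"%ASA-(\d)-(\d{6}): IP = ([^,]+), (.*)")
WAIT_RE = re.compile(r"MM_WAIT_MSG(\d)")


def parse_isakmp_sa(text):
    """Return one {peer, role, state} dict per entry of 'show crypto isakmp sa'."""
    entries = []
    for line in text.splitlines():
        m = PEER_RE.search(line)
        if m:
            entries.append({"peer": m.group(1), "role": None, "state": None})
            continue
        if not entries:
            continue  # header lines before the first peer entry
        m = ROLE_RE.search(line)
        if m:
            entries[-1]["role"] = m.group(1)
        m = STATE_RE.search(line)
        if m:
            entries[-1]["state"] = m.group(1)
    return entries


def summarize_ike_debug(lines):
    """Count, per peer IP, the IKE syslog events that matter for a stuck phase 1."""
    counts = {}
    for line in lines:
        m = SYSLOG_RE.match(line.strip())
        if not m:
            continue
        _sev, msgid, peer, body = m.groups()
        c = counts.setdefault(peer, Counter())
        if msgid == "713236":  # IKE_DECODE RECEIVED / SENDING / RESENDING
            if "RESENDING" in body:
                c["resent"] += 1
            elif "RECEIVED" in body:
                c["received"] += 1
            elif "SENDING" in body:
                c["sent"] += 1
        elif msgid == "713201":  # duplicate phase 1/2 packet from the peer
            c["duplicate_from_peer"] += 1
        elif msgid == "715065":  # main-mode FSM error history dump
            c["fsm_error"] += 1
        elif msgid in ("713902", "713903"):  # peer-table teardown errors
            c["teardown_error"] += 1
    return counts


def diagnose_main_mode(initiator_state, responder_state):
    """Map a pair of stuck MM_WAIT_MSGn states to the message that is not arriving.

    MM_WAIT_MSGn means 'my last message was sent, waiting for message n'.
    Responder waiting for n+1 while the initiator waits for n: responder's
    message n is lost (or dropped) on the way to the initiator. The mirror
    case means an initiator message is lost on the way to the responder.
    """
    mi = WAIT_RE.search(initiator_state or "")
    mr = WAIT_RE.search(responder_state or "")
    if not (mi and mr):
        return {"lost_message": None, "direction": "not both in MM_WAIT_MSG states"}
    i, r = int(mi.group(1)), int(mr.group(1))
    if r == i + 1:
        return {"lost_message": i, "direction": "responder -> initiator"}
    if i == r + 1:
        return {"lost_message": r, "direction": "initiator -> responder"}
    return {"lost_message": None, "direction": "states not adjacent; compare both sides' debugs"}


def diagnose(initiator_sa_text, responder_sa_text, responder_debug_lines):
    """Combine both 'show crypto isakmp sa' outputs with the responder's debug."""
    init = next(e for e in parse_isakmp_sa(initiator_sa_text) if e["role"] == "initiator")
    resp = next(e for e in parse_isakmp_sa(responder_sa_text) if e["role"] == "responder")
    verdict = diagnose_main_mode(init["state"], resp["state"])
    events = summarize_ike_debug(responder_debug_lines).get(resp["peer"], Counter())
    verdict["responder_events"] = dict(events)
    return verdict


if __name__ == "__main__":
    print(diagnose(ASA2_SA, ASA1_SA, ASA1_DEBUG.splitlines()))
```

For the post's data this reports message 2 lost in the responder-to-initiator direction, with the responder having resent its message 2 three times and seen two duplicate message 1s, which is the pattern the 713201 explanation describes: the initiator keeps resending because it never sees the reply. Message 5 and 6 are encrypted, so a pair stuck at MM_WAIT_MSG5 / MM_WAIT_MSG6 is more often a rejected message (identity or certificate mismatch) than a dropped one, and the FSM error history should be read alongside the verdict.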

Comments

  • Hi,
    Can you try following suggestion:
    713201
    Error Message %PIX-5-713201: Duplicate (Phase 1/Phase 2 ) packet detected.
    (Retransmitting test packet/No last packet to retransmit.)
    Explanation This message is displayed when a duplicate IKE Phase 1 or IKE Phase 2 message is received. A duplicate message indicates that the peer did not receive the response to the message, because it was either dropped somewhere in the network, it was dropped by the peer because the message was in error, or it was never sent because the original message was in error.

    Recommended Action If this event is transient, then you can ignore it because it will not result in tunnel drops or tunnel errors. If the event persists and it is associated with tunnel failures, then you should take the following action:

    Review other events associated with this IKE session to determine whether one of the peers is misconfigured. A misconfiguration could result in messages being dropped by one or both peers. If a misconfiguration has not caused the error, then you may require a network analyzer to determine where the message is being dropped.