Solved

VPN error

Posted on 2014-04-25
670 Views
Last Modified: 2014-05-13
I have 2 sites with site-to-site VPN. I have a primary and a secondary tunnel. When I did the debug isakmp error command on site A, I got the error below:
ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 206.22.10.12).

106.22.10.12 is the secondary vpn connection. It is just a backup implemented with a floating static route.
How do I get rid of this error? Thanks
Question by:leblanc
9 Comments
 
LVL 63

Assisted Solution

by:btan
btan earned 250 total points
ID: 40025191
If from the show crypto isakmp sa it shows the ISAKMP SA in MM_NO_STATE, that would mean that main mode has failed. It is also flagged in the error msg shared. Please verify that the phase 1 policy is on both peers, and ensure that all the attributes match.

The device that is performing NAT needs to forward UDP 500, UDP 4500 and Protocol 50 (ESP); also add on both devices the global configuration command "crypto ipsec nat-transparency spi-matching".

Also suggest you double check any devices "in front" of the VPN devices to make sure all access is unrestricted for VPNs.

Ref: IPsec Troubleshooting: Understanding and Using debug Commands
 
LVL 28

Accepted Solution

by:asavener
asavener earned 250 total points
ID: 40027340
If you're using Cisco routers, try adding crypto isakmp invalid-spi-recovery at both ends.

There's a corresponding command for the ASA platform; I'll dig it up if you need it.
 
LVL 1

Author Comment

by:leblanc
ID: 40027454
I only have Cisco routers. What does crypto isakmp invalid-spi-recovery do? Will there be downtime if I add the command on both sides?
 
LVL 28

Expert Comment

by:asavener
ID: 40027496
It does not require any interruption of service.

Basically, it allows the routers to recover if the other end becomes unavailable for a time, or reboots.

The problem you're seeing may be due to one end dropping the VPN (or rebooting), and the other end thinking the VPN is still active.


Once you've entered the command, you may want to find a time when you can bounce the VPNs.  Run "clear crypto ipsec sa" which will force the VPNs to rebuild from scratch.  Typically this causes no down time, as the VPN rebuild process should take less than a second.
 
LVL 1

Author Comment

by:leblanc
ID: 40027655
I have two tunnels going between 2 sites. One is the primary and the other one is secondary with a floating static route. So when the primary link is up and running, the route for the secondary link is not in the routing table of the router. I think that is why I see this error. So the crypto isakmp invalid-spi-recovery will not get rid of the error, does it? Thanks
 
LVL 63

Expert Comment

by:btan
ID: 40028586
The recovery pertains to SAs getting out of sync; strictly speaking it may recover, but the root cause is still not established. However, your error doesn't seem to lead to out of sync, as in the sample below. You can see Cisco on this command here

Sep  2 13:27:57.707: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet
   has invalid spi for destaddr=20.1.1.2, prot=50, spi=0xB761863E(3076621886),
   srcaddr=10.1.1.1
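The two answers above turn on one distinction: a "Death by retransmission P1" in MM_NO_STATE means the initiator never got a main mode reply from the peer (reachability, UDP 500/4500 and ESP through any NAT, matching phase 1 policy), whereas %CRYPTO-4-RECVD_PKT_INV_SPI means the peer is still sending ESP under an SPI this router no longer holds, which is the case crypto isakmp invalid-spi-recovery addresses. The triage script below is an added example, not code from any poster in this thread or from Cisco. It parses the two message formats quoted on this page, re-joins IOS's wrapped syslog lines, and buckets failures per remote peer. The sample log is constructed for the example (timestamps added; the IPs are the ones quoted in the thread), and the column layout of real debug output varies with the router's service timestamps configuration.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the lines quoted in this thread: two
# phase 1 retransmission deaths toward the backup peer, plus one invalid-SPI
# syslog (wrapped over three lines, as IOS prints it).
SAMPLE_LOG = """\
Apr 25 09:12:01.100: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 206.22.10.12)
Apr 25 09:14:31.400: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 206.22.10.12)
Sep  2 13:27:57.707: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet
   has invalid spi for destaddr=20.1.1.2, prot=50, spi=0xB761863E(3076621886),
   srcaddr=10.1.1.1
"""

# debug crypto isakmp error: phase (P1/P2), role (I)nitiator/(R)esponder, state, peer
DEATH_RE = re.compile(
    r'ISAKMP:\((\d+)\):deleting SA reason "Death by retransmission (P[12])" '
    r'state \(([IR])\) (\S+) \(peer ([\d.]+)\)'
)
# %CRYPTO-4-RECVD_PKT_INV_SPI: destaddr is us, srcaddr is the remote peer
INV_SPI_RE = re.compile(
    r'%CRYPTO-4-RECVD_PKT_INV_SPI: .*?destaddr=([\d.]+), prot=(\d+), '
    r'spi=(0x[0-9A-Fa-f]+)\(\d+\),\s*srcaddr=([\d.]+)'
)


def join_wrapped(text):
    """IOS wraps long syslog messages; continuation lines start with whitespace."""
    out = []
    for raw in text.splitlines():
        if raw[:1].isspace() and out:
            out[-1] += " " + raw.strip()
        elif raw.strip():
            out.append(raw.rstrip())
    return out


def diagnose(p):
    """Attach the diagnosis this thread converged on for each failure bucket."""
    hints = []
    if p["phase1_timeouts"] and "MM_NO_STATE" in p["states"]:
        hints.append(
            "main mode never completed: no IKE reply from this peer (check the route "
            "and reachability to it, UDP 500/4500 and ESP through any NAT or firewall, "
            "matching isakmp policy and pre-shared key); invalid-spi-recovery does not apply"
        )
    if p["phase2_timeouts"]:
        hints.append("quick mode never completed: phase 1 is up but the peer stopped answering phase 2")
    if p["invalid_spi"]:
        hints.append(
            "peer is sending ESP under an SPI we no longer hold (stale IPsec SA after a "
            "reload or clear): 'crypto isakmp invalid-spi-recovery' on both ends lets IKE "
            "tell the peer to renegotiate"
        )
    return "; ".join(hints) or "no ISAKMP failure matched"


def triage(text):
    """Bucket ISAKMP/IPsec failures per remote peer and return a dict of summaries."""
    peers = defaultdict(lambda: {"phase1_timeouts": 0, "phase2_timeouts": 0,
                                 "roles": set(), "states": set(), "invalid_spi": 0})
    for line in join_wrapped(text):
        m = DEATH_RE.search(line)
        if m:
            _conn, phase, role, state, peer = m.groups()
            p = peers[peer]
            p["phase1_timeouts" if phase == "P1" else "phase2_timeouts"] += 1
            p["roles"].add(role)
            p["states"].add(state)
            continue
        m = INV_SPI_RE.search(line)
        if m:
            _dst, _prot, _spi, src = m.groups()
            peers[src]["invalid_spi"] += 1
    for p in peers.values():
        p["roles"] = sorted(p["roles"])
        p["states"] = sorted(p["states"])
        p["hint"] = diagnose(p)
    return dict(peers)


if __name__ == "__main__":
    for peer, summary in triage(SAMPLE_LOG).items():
        print(peer)
        for k, v in summary.items():
            print(f"  {k}: {v}")
```

Feed it the output of terminal monitor with debug crypto isakmp error enabled, or a syslog export; a peer that shows only phase 1 timeouts in MM_NO_STATE, like the backup peer in this thread, is a path or policy problem, not an SPI desync.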
 
LVL 1

Author Comment

by:leblanc
ID: 40028669
Yes I don't have that command. Below is my error from debug crypto isakmp error command:
ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 206.22.10.12)
 
LVL 63

Expert Comment

by:btan
ID: 40028684
Was the first posting able to help you?
 
LVL 1

Author Comment

by:leblanc
ID: 40028696
I did not add any commands to my existing config as everything is currently working fine. I am just curious about those warnings. I say warning because when I did the debug crypto isakmp error command, it did not show that warning as an error. Thanks