Solved

Cisco MM_NO_STATE - ACTIVE (Deleted) in S2S IPSec VPN

Posted on 2016-08-05
Last Modified: 2016-08-11
Hello Experts,

I'm facing an issue with an S2S IPsec VPN tunnel. The VPN is created between a Cisco router and an ASA.
Phase 1 comes up and then gets deleted, with the error "MM_NO_STATE - ACTIVE (Deleted)".
When I run debug on the router I found the error below. Please help me to understand what the issue is.

003299: Aug  5 09:20:10.172 BST: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 172.17.9.74:500, remote= 193.XX.XX.XX:500,
    local_proxy= 10.16.43.128/255.255.255.128/256/0,
    remote_proxy= 0.0.0.0/0.0.0.0/256/0,
    protocol= ESP, transform= esp-des esp-md5-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
003300: Aug  5 09:20:10.172 BST: ISAKMP: (0):SA request profile is (NULL)
003301: Aug  5 09:20:10.172 BST: ISAKMP: (0):Created a peer struct for 193.XX.XX.XX, peer port 500
003302: Aug  5 09:20:10.172 BST: ISAKMP: (0):New peer created peer = 0x100AE7C peer_handle = 0x80000013
003303: Aug  5 09:20:10.172 BST: ISAKMP: (0):Locking peer struct 0x100AE7C, refcount 1 for isakmp_initiator
003304: Aug  5 09:20:10.172 BST: ISAKMP: (0):local port 500, remote port 500
003305: Aug  5 09:20:10.172 BST: ISAKMP: (0):set new node 0 to QM_IDLE      
003306: Aug  5 09:20:10.172 BST: ISAKMP: (0):insert sa successfully sa = 100A328
003307: Aug  5 09:20:10.172 BST: ISAKMP: (0):Can not start Aggressive mode, trying Main mode.
003308: Aug  5 09:20:10.172 BST: ISAKMP: (0):found peer pre-shared key matching 193.XX.XX.XX
003309: Aug  5 09:20:10.172 BST: ISAKMP: (0):constructed NAT-T vendor-rfc3947 ID
003310: Aug  5 09:20:10.172 BST: ISAKMP: (0):constructed NAT-T vendor-07 ID
003311: Aug  5 09:20:10.172 BST: ISAKMP: (0):constructed NAT-T vendor-03 ID
003312: Aug  5 09:20:10.172 BST: ISAKMP: (0):constructed NAT-T vendor-02 ID
003313: Aug  5 09:20:10.172 BST: ISAKMP: (0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
003314: Aug  5 09:20:10.172 BST: ISAKMP: (0):Old State = IKE_READY  New State = IKE_I_MM1

003315: Aug  5 09:20:10.172 BST: ISAKMP: (0):beginning Main Mode exchange
003316: Aug  5 09:20:10.172 BST: ISAKMP-PAK: (0):sending packet to 193.XX.XX.XX my_port 500 peer_port 500 (I) MM_NO_STATE
003317: Aug  5 09:20:10.172 BST: ISAKMP: (0):Sending an IKE IPv4 Packet.
003318: Aug  5 09:20:10.324 BST: ISAKMP-PAK: (0):received packet from 193.XX.XX.XX dport 500 sport 500 Global (I) MM_NO_STATE
003319: Aug  5 09:20:10.324 BST: ISAKMP: (0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
003320: Aug  5 09:20:10.324 BST: ISAKMP: (0):Old State = IKE_I_MM1  New State = IKE_I_MM2

003321: Aug  5 09:20:10.324 BST: ISAKMP: (0):processing SA payload. message ID = 0
003322: Aug  5 09:20:10.324 BST: ISAKMP: (0):processing vendor id payload
003323: Aug  5 09:20:10.324 BST: ISAKMP: (0):vendor ID seems Unity/DPD but major 69 mismatch
003324: Aug  5 09:20:10.324 BST: ISAKMP: (0):vendor ID is NAT-T RFC 3947
003325: Aug  5 09:20:10.324 BST: ISAKMP: (0):processing vendor id payload
003326: Aug  5 09:20:10.324 BST: ISAKMP: (0):processing IKE frag vendor id payload
003327: Aug  5 09:20:10.324 BST: ISAKMP: (0):Support for IKE Fragmentation not enabled
003328: Aug  5 09:20:10.324 BST: ISAKMP: (0):found peer pre-shared key matching 193.XX.XX.XX
003329: Aug  5 09:20:10.324 BST: ISAKMP: (0):local preshared key found
003330: Aug  5 09:20:10.324 BST: ISAKMP: (0):Scanning profiles for xauth ...
003331: Aug  5 09:20:10.324 BST: ISAKMP: (0):Checking ISAKMP transform 1 against priority 1 policy
003332: Aug  5 09:20:10.324 BST: ISAKMP: (0):      encryption 3DES-CBC
003333: Aug  5 09:20:10.324 BST: ISAKMP: (0):      hash SHA
003334: Aug  5 09:20:10.324 BST: ISAKMP: (0):      default group 2
003335: Aug  5 09:20:10.324 BST: ISAKMP: (0):      auth pre-share
003336: Aug  5 09:20:10.324 BST: ISAKMP: (0):      life type in seconds
003337: Aug  5 09:20:10.324 BST: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
003338: Aug  5 09:20:10.324 BST: ISAKMP: (0):atts are acceptable. Next payload is 0
003339: Aug  5 09:20:10.324 BST: ISAKMP: (0):Acceptable atts:actual life: 0
003340: Aug  5 09:20:10.324 BST: ISAKMP: (0):Acceptable atts:life: 0
003341: Aug  5 09:20:10.324 BST: ISAKMP: (0):Fill atts in sa vpi_length:4
003342: Aug  5 09:20:10.324 BST: ISAKMP: (0):Fill atts in sa life_in_seconds:86400
003343: Aug  5 09:20:10.324 BST: ISAKMP: (0):Returning Actual lifetime: 86400
003344: Aug  5 09:20:10.324 BST: ISAKMP: (0):Started lifetime timer: 86400.

003345: Aug  5 09:20:10.324 BST: ISAKMP: (0):processing vendor id payload
003346: Aug  5 09:20:10.324 BST: ISAKMP: (0):vendor ID seems Unity/DPD but major 69 mismatch
003347: Aug  5 09:20:10.328 BST: ISAKMP: (0):vendor ID is NAT-T RFC 3947
003348: Aug  5 09:20:10.328 BST: ISAKMP: (0):processing vendor id payload
003349: Aug  5 09:20:10.328 BST: ISAKMP: (0):processing IKE frag vendor id payload
003350: Aug  5 09:20:10.328 BST: ISAKMP: (0):Support for IKE Fragmentation not enabled
003351: Aug  5 09:20:10.328 BST: ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
003352: Aug  5 09:20:10.328 BST: ISAKMP: (0):Old State = IKE_I_MM2  New State = IKE_I_MM2

003353: Aug  5 09:20:10.328 BST: ISAKMP-PAK: (0):sending packet to 193.XX.XX.XX my_port 500 peer_port 500 (I) MM_SA_SETUP
003354: Aug  5 09:20:10.328 BST: ISAKMP: (0):Sending an IKE IPv4 Packet.
003355: Aug  5 09:20:10.328 BST: ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
003356: Aug  5 09:20:10.328 BST: ISAKMP: (0):Old State = IKE_I_MM2  New State = IKE_I_MM3

003357: Aug  5 09:20:10.404 BST: ISAKMP-PAK: (0):received packet from 193.XX.XX.XX dport 500 sport 500 Global (I) MM_SA_SETUP
003358: Aug  5 09:20:10.408 BST: ISAKMP: (0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
003359: Aug  5 09:20:10.408 BST: ISAKMP: (0):Old State = IKE_I_MM3  New State = IKE_I_MM4

003360: Aug  5 09:20:10.408 BST: ISAKMP: (0):processing KE payload. message ID = 0
003361: Aug  5 09:20:10.408 BST: ISAKMP: (0):processing NONCE payload. message ID = 0
003362: Aug  5 09:20:10.408 BST: ISAKMP: (0):found peer pre-shared key matching 193.XX.XX.XX
003363: Aug  5 09:20:10.408 BST: ISAKMP: (2016):processing vendor id payload
003364: Aug  5 09:20:10.408 BST: ISAKMP: (2016):vendor ID is Unity
003365: Aug  5 09:20:10.412 BST: ISAKMP: (2016):processing vendor id payload
003366: Aug  5 09:20:10.412 BST: ISAKMP: (2016):vendor ID seems Unity/DPD but major 204 mismatch
003367: Aug  5 09:20:10.412 BST: ISAKMP: (2016):vendor ID is XAUTH
003368: Aug  5 09:20:10.412 BST: ISAKMP: (2016):processing vendor id payload
003369: Aug  5 09:20:10.412 BST: ISAKMP: (2016):speaking to another IOS box!
003370: Aug  5 09:20:10.412 BST: ISAKMP: (2016):processing vendor id payload
003371: Aug  5 09:20:10.412 BST: ISAKMP: (2016):vendor ID seems Unity/DPD but hash mismatch
003372: Aug  5 09:20:10.412 BST: ISAKMP: (2016):received payload type 20
003373: Aug  5 09:20:10.412 BST: ISAKMP: (2016):NAT found, both nodes inside NAT
003374: Aug  5 09:20:10.412 BST: ISAKMP: (2016):received payload type 20
003375: Aug  5 09:20:10.412 BST: ISAKMP: (2016):My hash no match -  this node inside NAT
003376: Aug  5 09:20:10.412 BST: ISAKMP: (2016):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
003377: Aug  5 09:20:10.412 BST: ISAKMP: (2016):Old State = IKE_I_MM4  New State = IKE_I_MM4

003378: Aug  5 09:20:10.412 BST: ISAKMP: (2016):Send initial contact
003379: Aug  5 09:20:10.412 BST: ISAKMP: (2016):SA is doing
003380: Aug  5 09:20:10.412 BST: ISAKMP: (2016):pre-shared key authentication using id type ID_IPV4_ADDR
003381: Aug  5 09:20:10.412 BST: ISAKMP: (2016):ID payload
        next-payload : 8

I have also attached a snapshot of the configs on our router and ASA.
DynamicSitetoSite.txt
Question by: Member_2_7966113
2 Comments

Accepted Solution

by: Ian Arakel
Hi There,

Refer to the below logs:

003323: Aug  5 09:20:10.324 BST: ISAKMP: (0):vendor ID seems Unity/DPD but major 69 mismatch

003366: Aug  5 09:20:10.412 BST: ISAKMP: (2016):vendor ID seems Unity/DPD but major 204 mismatch

On further analysis, and after going through the thread below, I assume it could be an issue with NAT traversal.
https://learningnetwork.cisco.com/thread/3097
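
As an added example (not code from the thread, from Cisco, or from either participant), here is a small Python triage script that walks the kind of debug crypto isakmp output posted in the question and reports how far main mode got, whether NAT was detected, what the proxy identities were, and which transforms were proposed. The sample input is a constructed excerpt of the posted debug in the same line format, with the peer address left masked as in the post. The per-stage hints are the standard checks for each main-mode state; the UDP 4500 hint follows from RFC 3947, under which peers that detect NAT in MM3/MM4 move MM5/MM6 to port 4500, so a path that only permits UDP 500 stalls exactly where this debug stops. The script also flags that the Phase 2 proposal in the debug is esp-des esp-md5-hmac, which should not be in use today.

```python
# Added example for this thread, not code from the original post or from Cisco.
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed excerpt of the debug posted in the question (same line format,
# peer address left masked as in the post).
SAMPLE_DEBUG = """\
003299: Aug  5 09:20:10.172 BST: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 172.17.9.74:500, remote= 193.XX.XX.XX:500,
    local_proxy= 10.16.43.128/255.255.255.128/256/0,
    remote_proxy= 0.0.0.0/0.0.0.0/256/0,
    protocol= ESP, transform= esp-des esp-md5-hmac  (Tunnel),
003314: Aug  5 09:20:10.172 BST: ISAKMP: (0):Old State = IKE_READY  New State = IKE_I_MM1
003320: Aug  5 09:20:10.324 BST: ISAKMP: (0):Old State = IKE_I_MM1  New State = IKE_I_MM2
003338: Aug  5 09:20:10.324 BST: ISAKMP: (0):atts are acceptable. Next payload is 0
003352: Aug  5 09:20:10.328 BST: ISAKMP: (0):Old State = IKE_I_MM2  New State = IKE_I_MM2
003356: Aug  5 09:20:10.328 BST: ISAKMP: (0):Old State = IKE_I_MM2  New State = IKE_I_MM3
003359: Aug  5 09:20:10.408 BST: ISAKMP: (0):Old State = IKE_I_MM3  New State = IKE_I_MM4
003373: Aug  5 09:20:10.412 BST: ISAKMP: (2016):NAT found, both nodes inside NAT
003375: Aug  5 09:20:10.412 BST: ISAKMP: (2016):My hash no match -  this node inside NAT
"""

PEER_RE = re.compile(r"OUTBOUND local= (\S+):\d+, remote= (\S+):\d+")
PROXY_RE = re.compile(r"(local|remote)_proxy= (\S+?)/(\S+?)/\d+/\d+")
TRANSFORM_RE = re.compile(r"transform= (.+?)\s+\(\w+\)")
STATE_RE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
# Transforms a current deployment should no longer negotiate.
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}


@dataclass
class IkeSummary:
    local: Optional[str] = None
    remote: Optional[str] = None
    local_proxy: Optional[str] = None
    remote_proxy: Optional[str] = None
    transforms: List[str] = field(default_factory=list)
    states: List[str] = field(default_factory=list)  # ordered, no repeats
    proposal_accepted: bool = False
    nat_detected: bool = False

    @property
    def last_state(self) -> Optional[str]:
        return self.states[-1] if self.states else None


def parse_isakmp_debug(text: str) -> IkeSummary:
    """Keep only the facts from the debug that matter for triage."""
    s = IkeSummary()
    for line in text.splitlines():
        if m := PEER_RE.search(line):
            s.local, s.remote = m.group(1), m.group(2)
        elif m := PROXY_RE.search(line):
            setattr(s, f"{m.group(1)}_proxy", f"{m.group(2)}/{m.group(3)}")
        elif m := TRANSFORM_RE.search(line):
            s.transforms = m.group(1).split()
        elif m := STATE_RE.search(line):
            old, new = m.group(1), m.group(2)
            if not s.states:
                s.states.append(old)
            if s.states[-1] != new:  # IOS logs X -> X on internal events
                s.states.append(new)
        elif "atts are acceptable" in line:
            s.proposal_accepted = True
        elif "NAT found" in line:
            s.nat_detected = True
    return s


def triage(s: IkeSummary) -> List[str]:
    """Map the summary to the checks a practitioner would run next."""
    notes = []
    weak = [t for t in s.transforms if t in WEAK_TRANSFORMS]
    if weak:
        notes.append("weak IPsec transform(s) proposed: " + ", ".join(weak))
    if s.remote_proxy and s.remote_proxy.startswith("0.0.0.0/"):
        notes.append("remote_proxy is any; the peer's crypto ACL must mirror it")
    last = s.last_state
    if last in (None, "IKE_READY", "IKE_I_MM1"):
        notes.append("no MM2 from peer: check UDP 500 reachability and peer address")
    elif last in ("IKE_I_MM2", "IKE_I_MM3") and not s.proposal_accepted:
        notes.append("MM1/MM2 proposal rejected: compare ISAKMP policies")
    elif last == "IKE_I_MM4" and s.nat_detected:
        notes.append("NAT detected in MM3/MM4: MM5/MM6 move to UDP 4500 (RFC 3947); "
                     "check UDP 4500 is allowed end to end and NAT-T is enabled on the peer")
    elif last in ("IKE_I_MM4", "IKE_I_MM5", "IKE_I_MM6"):
        notes.append("stalled in MM5/MM6: check PSK and ISAKMP identity on both peers")
    return notes


if __name__ == "__main__":
    summary = parse_isakmp_debug(SAMPLE_DEBUG)
    print(f"{summary.local} -> {summary.remote}: reached {summary.last_state}")
    for note in triage(summary):
        print(" -", note)
```

Run it against a full debug capture by replacing SAMPLE_DEBUG with the file contents; the state list is deduplicated because IOS emits "Old State = X New State = X" on internal events, and only the highest state reached drives the hint.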
Author Closing Comment

by: Member_2_7966113
Thanks for your comments. I have abandoned this solution.