Solved

Cisco MM_NO_STATE - ACTIVE (Deleted) in S2S IPSec VPN

Posted on 2016-08-05
Last Modified: 2016-08-11
Hello Experts,

I'm facing an issue with an S2S IPsec VPN tunnel. The VPN was created between a Cisco router and an ASA.
I'm getting Ph-1 coming up and then getting deleted, with the error "MM_NO_STATE - ACTIVE (Deleted)".
When I ran debug on the router I found the error below. Please help me understand what the issue is.

003299: Aug  5 09:20:10.172 BST: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 172.17.9.74:500, remote= 193.XX.XX.XX:500,
    local_proxy= 10.16.43.128/255.255.255.128/256/0,
    remote_proxy= 0.0.0.0/0.0.0.0/256/0,
    protocol= ESP, transform= esp-des esp-md5-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
003300: Aug  5 09:20:10.172 BST: ISAKMP: (0):SA request profile is (NULL)
003301: Aug  5 09:20:10.172 BST: ISAKMP: (0):Created a peer struct for 193.XX.XX.XX, peer port 500
003302: Aug  5 09:20:10.172 BST: ISAKMP: (0):New peer created peer = 0x100AE7C peer_handle = 0x80000013
003303: Aug  5 09:20:10.172 BST: ISAKMP: (0):Locking peer struct 0x100AE7C, refcount 1 for isakmp_initiator
003304: Aug  5 09:20:10.172 BST: ISAKMP: (0):local port 500, remote port 500
003305: Aug  5 09:20:10.172 BST: ISAKMP: (0):set new node 0 to QM_IDLE      
003306: Aug  5 09:20:10.172 BST: ISAKMP: (0):insert sa successfully sa = 100A328
003307: Aug  5 09:20:10.172 BST: ISAKMP: (0):Can not start Aggressive mode, trying Main mode.
003308: Aug  5 09:20:10.172 BST: ISAKMP: (0):found peer pre-shared key matching 193.XX.XX.XX
003309: Aug  5 09:20:10.172 BST: ISAKMP: (0):constructed NAT-T vendor-rfc3947 ID
003310: Aug  5 09:20:10.172 BST: ISAKMP: (0):constructed NAT-T vendor-07 ID
003311: Aug  5 09:20:10.172 BST: ISAKMP: (0):constructed NAT-T vendor-03 ID
003312: Aug  5 09:20:10.172 BST: ISAKMP: (0):constructed NAT-T vendor-02 ID
003313: Aug  5 09:20:10.172 BST: ISAKMP: (0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
003314: Aug  5 09:20:10.172 BST: ISAKMP: (0):Old State = IKE_READY  New State = IKE_I_MM1

003315: Aug  5 09:20:10.172 BST: ISAKMP: (0):beginning Main Mode exchange
003316: Aug  5 09:20:10.172 BST: ISAKMP-PAK: (0):sending packet to 193.XX.XX.XX my_port 500 peer_port 500 (I) MM_NO_STATE
003317: Aug  5 09:20:10.172 BST: ISAKMP: (0):Sending an IKE IPv4 Packet.
003318: Aug  5 09:20:10.324 BST: ISAKMP-PAK: (0):received packet from 193.XX.XX.XX dport 500 sport 500 Global (I) MM_NO_STATE
003319: Aug  5 09:20:10.324 BST: ISAKMP: (0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
003320: Aug  5 09:20:10.324 BST: ISAKMP: (0):Old State = IKE_I_MM1  New State = IKE_I_MM2

003321: Aug  5 09:20:10.324 BST: ISAKMP: (0):processing SA payload. message ID = 0
003322: Aug  5 09:20:10.324 BST: ISAKMP: (0):processing vendor id payload
003323: Aug  5 09:20:10.324 BST: ISAKMP: (0):vendor ID seems Unity/DPD but major 69 mismatch
003324: Aug  5 09:20:10.324 BST: ISAKMP: (0):vendor ID is NAT-T RFC 3947
003325: Aug  5 09:20:10.324 BST: ISAKMP: (0):processing vendor id payload
003326: Aug  5 09:20:10.324 BST: ISAKMP: (0):processing IKE frag vendor id payload
003327: Aug  5 09:20:10.324 BST: ISAKMP: (0):Support for IKE Fragmentation not enabled
003328: Aug  5 09:20:10.324 BST: ISAKMP: (0):found peer pre-shared key matching 193.XX.XX.XX
003329: Aug  5 09:20:10.324 BST: ISAKMP: (0):local preshared key found
003330: Aug  5 09:20:10.324 BST: ISAKMP: (0):Scanning profiles for xauth ...
003331: Aug  5 09:20:10.324 BST: ISAKMP: (0):Checking ISAKMP transform 1 against priority 1 policy
003332: Aug  5 09:20:10.324 BST: ISAKMP: (0):      encryption 3DES-CBC
003333: Aug  5 09:20:10.324 BST: ISAKMP: (0):      hash SHA
003334: Aug  5 09:20:10.324 BST: ISAKMP: (0):      default group 2
003335: Aug  5 09:20:10.324 BST: ISAKMP: (0):      auth pre-share
003336: Aug  5 09:20:10.324 BST: ISAKMP: (0):      life type in seconds
003337: Aug  5 09:20:10.324 BST: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
003338: Aug  5 09:20:10.324 BST: ISAKMP: (0):atts are acceptable. Next payload is 0
003339: Aug  5 09:20:10.324 BST: ISAKMP: (0):Acceptable atts:actual life: 0
003340: Aug  5 09:20:10.324 BST: ISAKMP: (0):Acceptable atts:life: 0
003341: Aug  5 09:20:10.324 BST: ISAKMP: (0):Fill atts in sa vpi_length:4
003342: Aug  5 09:20:10.324 BST: ISAKMP: (0):Fill atts in sa life_in_seconds:86400
003343: Aug  5 09:20:10.324 BST: ISAKMP: (0):Returning Actual lifetime: 86400
003344: Aug  5 09:20:10.324 BST: ISAKMP: (0):Started lifetime timer: 86400.

003345: Aug  5 09:20:10.324 BST: ISAKMP: (0):processing vendor id payload
003346: Aug  5 09:20:10.324 BST: ISAKMP: (0):vendor ID seems Unity/DPD but major 69 mismatch
003347: Aug  5 09:20:10.328 BST: ISAKMP: (0):vendor ID is NAT-T RFC 3947
003348: Aug  5 09:20:10.328 BST: ISAKMP: (0):processing vendor id payload
003349: Aug  5 09:20:10.328 BST: ISAKMP: (0):processing IKE frag vendor id payload
003350: Aug  5 09:20:10.328 BST: ISAKMP: (0):Support for IKE Fragmentation not enabled
003351: Aug  5 09:20:10.328 BST: ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
003352: Aug  5 09:20:10.328 BST: ISAKMP: (0):Old State = IKE_I_MM2  New State = IKE_I_MM2

003353: Aug  5 09:20:10.328 BST: ISAKMP-PAK: (0):sending packet to 193.XX.XX.XX my_port 500 peer_port 500 (I) MM_SA_SETUP
003354: Aug  5 09:20:10.328 BST: ISAKMP: (0):Sending an IKE IPv4 Packet.
003355: Aug  5 09:20:10.328 BST: ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
003356: Aug  5 09:20:10.328 BST: ISAKMP: (0):Old State = IKE_I_MM2  New State = IKE_I_MM3

003357: Aug  5 09:20:10.404 BST: ISAKMP-PAK: (0):received packet from 193.XX.XX.XX dport 500 sport 500 Global (I) MM_SA_SETUP
003358: Aug  5 09:20:10.408 BST: ISAKMP: (0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
003359: Aug  5 09:20:10.408 BST: ISAKMP: (0):Old State = IKE_I_MM3  New State = IKE_I_MM4

003360: Aug  5 09:20:10.408 BST: ISAKMP: (0):processing KE payload. message ID = 0
003361: Aug  5 09:20:10.408 BST: ISAKMP: (0):processing NONCE payload. message ID = 0
003362: Aug  5 09:20:10.408 BST: ISAKMP: (0):found peer pre-shared key matching 193.XX.XX.XX
003363: Aug  5 09:20:10.408 BST: ISAKMP: (2016):processing vendor id payload
003364: Aug  5 09:20:10.408 BST: ISAKMP: (2016):vendor ID is Unity
003365: Aug  5 09:20:10.412 BST: ISAKMP: (2016):processing vendor id payload
003366: Aug  5 09:20:10.412 BST: ISAKMP: (2016):vendor ID seems Unity/DPD but major 204 mismatch
003367: Aug  5 09:20:10.412 BST: ISAKMP: (2016):vendor ID is XAUTH
003368: Aug  5 09:20:10.412 BST: ISAKMP: (2016):processing vendor id payload
003369: Aug  5 09:20:10.412 BST: ISAKMP: (2016):speaking to another IOS box!
003370: Aug  5 09:20:10.412 BST: ISAKMP: (2016):processing vendor id payload
003371: Aug  5 09:20:10.412 BST: ISAKMP: (2016):vendor ID seems Unity/DPD but hash mismatch
003372: Aug  5 09:20:10.412 BST: ISAKMP: (2016):received payload type 20
003373: Aug  5 09:20:10.412 BST: ISAKMP: (2016):NAT found, both nodes inside NAT
003374: Aug  5 09:20:10.412 BST: ISAKMP: (2016):received payload type 20
003375: Aug  5 09:20:10.412 BST: ISAKMP: (2016):My hash no match -  this node inside NAT
003376: Aug  5 09:20:10.412 BST: ISAKMP: (2016):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
003377: Aug  5 09:20:10.412 BST: ISAKMP: (2016):Old State = IKE_I_MM4  New State = IKE_I_MM4

003378: Aug  5 09:20:10.412 BST: ISAKMP: (2016):Send initial contact
003379: Aug  5 09:20:10.412 BST: ISAKMP: (2016):SA is doing
003380: Aug  5 09:20:10.412 BST: ISAKMP: (2016):pre-shared key authentication using id type ID_IPV4_ADDR
003381: Aug  5 09:20:10.412 BST: ISAKMP: (2016):ID payload
        next-payload : 8

I have also attached a snapshot of the configs on our router and ASA:
DynamicSitetoSite.txt
Question by:Member_2_7966113
2 Comments
 
LVL 9

Accepted Solution

by:
Ian Arakel earned 500 total points
ID: 41746772
Hi There,

Refer to the below logs:

003323: Aug  5 09:20:10.324 BST: ISAKMP: (0):vendor ID seems Unity/DPD but major 69 mismatch

003366: Aug  5 09:20:10.412 BST: ISAKMP: (2016):vendor ID seems Unity/DPD but major 204 mismatch

On further analysis and going through the below thread, I assume it could be an issue with NAT traversal.
https://learningnetwork.cisco.com/thread/3097
0
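An added example, not part of the original thread or Cisco's tooling: a small Python parser that reduces debug output like the question's to its Main Mode state path, the peer UDP ports seen, and the NAT-detection result, so you can see where the exchange stops. The function and key names are this example's own, the sample is an excerpt of the log above, and `IKE_P1_COMPLETE` is assumed to be the state IOS logs when phase 1 finishes.

```python
import re

# Excerpt of the debug output quoted in the question above.
SAMPLE = """\
003314: Aug  5 09:20:10.172 BST: ISAKMP: (0):Old State = IKE_READY  New State = IKE_I_MM1
003316: Aug  5 09:20:10.172 BST: ISAKMP-PAK: (0):sending packet to 193.XX.XX.XX my_port 500 peer_port 500 (I) MM_NO_STATE
003318: Aug  5 09:20:10.324 BST: ISAKMP-PAK: (0):received packet from 193.XX.XX.XX dport 500 sport 500 Global (I) MM_NO_STATE
003320: Aug  5 09:20:10.324 BST: ISAKMP: (0):Old State = IKE_I_MM1  New State = IKE_I_MM2
003352: Aug  5 09:20:10.328 BST: ISAKMP: (0):Old State = IKE_I_MM2  New State = IKE_I_MM2
003356: Aug  5 09:20:10.328 BST: ISAKMP: (0):Old State = IKE_I_MM2  New State = IKE_I_MM3
003359: Aug  5 09:20:10.408 BST: ISAKMP: (0):Old State = IKE_I_MM3  New State = IKE_I_MM4
003373: Aug  5 09:20:10.412 BST: ISAKMP: (2016):NAT found, both nodes inside NAT
003377: Aug  5 09:20:10.412 BST: ISAKMP: (2016):Old State = IKE_I_MM4  New State = IKE_I_MM4
"""

STATE_RE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
# Remote UDP port: "peer_port N" on sent packets, "sport N" on received ones.
PKT_RE = re.compile(r"ISAKMP-PAK:.*?(?:peer_port|sport) (\d+)")


def summarize(log: str) -> dict:
    """Reduce an ISAKMP debug log to its state path, peer ports and NAT result."""
    path, ports, nat = [], set(), False
    for line in log.splitlines():
        if m := STATE_RE.search(line):
            old, new = m.groups()
            if not path:
                path.append(old)
            if new != path[-1]:  # skip self-transitions such as MM2 -> MM2
                path.append(new)
        elif m := PKT_RE.search(line):
            ports.add(int(m.group(1)))
        elif "NAT found" in line or "inside NAT" in line:
            nat = True
    complete = "IKE_P1_COMPLETE" in path  # assumed IOS name for phase 1 done
    return {
        "path": path,
        "last_state": path[-1] if path else None,
        "peer_ports": sorted(ports),
        "nat_detected": nat,
        "phase1_complete": complete,
        # RFC 3947: once NAT is detected, the rest of IKE moves to UDP 4500.
        "verify_udp_4500": nat and not complete and 4500 not in ports,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```

When `verify_udp_4500` is true, the capture shows NAT detection but no traffic on UDP 4500 yet, so confirming that port is permitted end to end is the next check on both peers.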
 
LVL 1

Author Closing Comment

by:Member_2_7966113
ID: 41753091
Thanks for your comments. I have abandoned this solution.
0
