IPsec Troubleshooting

-

After an upgrade cisco router couldnt establish ipsec tunnel


During debugs i see the below logs


# debug cry isa sa

*Jun 16 19:47:12.296 EEST: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...

*Jun 16 19:47:12.296 EEST: ISAKMP: (0):: incrementing error counter on sa, attempt 3 of 5: retransmit phase 1

*Jun 16 19:47:12.296 EEST: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE

*Jun 16 19:47:12.296 EEST: ISAKMP-PAK: (0):sending packet to 88.28.206.154 my_port 500 peer_port 500 (I) MM_NO_STATE

*Jun 16 19:47:12.296 EEST: ISAKMP: (0):Sending an IKE IPv4 Packet.

*Jun 16 19:47:12.296 EEST: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...

*Jun 16 19:47:12.296 EEST: ISAKMP: (0):: incrementing error counter on sa, attempt 3 of 5: retransmit phase 1


From the logs the issue seems to be phase 1. If you see there are increment attempts. Which means PH1 is cannot be established

As we know isakmp is the PH1 of the IKEv1 IPsec.

 

Cisco deprecated DH group 5 form supported algorithms on XE SW.

During the upgrade, the router upgraded the algorithm to DH16 and PH1 and that was the issue.

 

Corrected isakmp and everything was ok.






Comments

Post a Comment

Popular posts from this blog

Converting lightweigh to standalone AP and vice versa

-
Connect with console cable to the cisco AP Default credentials Username : cisco Password: Cisco You can find the AP image type by running the command show version When the AP image ends with k9w8 means the AP is lightweight When the AP image ends with k9w7 means the AP is Standalone AP7cad.74ff.975e> sho version Cisco IOS Software, C3700 Software (AP3G2-K9W8-M), Version 15.3(3)JK2, RELEASE SOFTWARE (fc2) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2020 by Cisco Systems, Inc. Compiled Wed 01-Apr-20 04:25 by prod_rel_team ROM: Bootstrap program is C3700 boot loader BOOTLDR: C3700 Boot Loader (AP3G2-BOOT-M) LoaderVersion 15.2(4)JB, RELEASE SOFTWARE (fc1) AP7cad.74ff.975e uptime is 5 minutes System returned to ROM by power-on System image file is "flash:/ap3g2- k9w8 -mx.153-3.JK2/ap3g2-k9w8-xx.153-3.JK2" Last reload reason: Reason Not Known To convert the AP from lightweight to standalone please follow the below pro...
Read more

Upgrade WLC / Supplementary image

-
  Today I had to upgrade an AIROS cisco 2504 WLC. After checking if the APs are supported by the new recommended version I noticed that I had to install the supplementary image also. The reason was that 1602i APs wasn’t supported by the main image in 8.5.171.0 version. Due to image size cisco created separate file for some AP images called Supplementary AP Bundle image. Procedure:   Step 1:   Check the current WLC image (Cisco Controller) >show boot Primary Boot Image............................... 8.3.150.0 (default) (active) Backup Boot Image................................ 8.0.152.0 Step 2: Upload the new image ( AIR-CT2500-K9-8-5-171-0.aes ) I did the below procedure via HTTPS. Verify (Cisco Controller) >show boot Primary Boot Image............................... 8.5.171.0 (default) Backup Boot Image................................ 8.3.150.0 (active) Step 3: Check Supported APs of the new version (Cisco Controller) >show ap bundle primary Pr...
Read more

ISE Direct Upgrade URT

-
Run Upgrade Readiness Tool (URT) to validate config DB upgrade from 2.7,3.0,3.1 to 3.2. This is a signed bundle for image integrity (ise-urtbundle-3.2.0.542a-1.0.0.SPA.x86_64.tar.gz) In this case i am running ise 3.1 patch 7 and will upgrade to 3.2 As we are running an HA the URT need to run on secondary admin node. Got the below error once i tried to run it on Primary Checking ISE persona ======================================================   - Failed (URT can only be run on Secondary Admin Node or Standalone % Application install or upgrade cancelled. ise03/admin# ====================================================== *Note When you need to run it on secondary note, you have to generate on secondary the key (crypto host_key add host 10.10.10.10) and then you can run the URT. Below is URT logging ise04/adMIN# application install ise-urtbundle-3.2.0.542a-1.0.0.SPA.x86_64.tar.gz  ""SFTP-SRV01"" Save the current ADE-OS running configuration? (yes/no) [yes] ? yes Gen...
Read more