Monday, February 17, 2020

DMVPN with IPsec generating "IKMP_MODE_FAILURE" on spoke router?

Hi,

I do have a DMVPN with an IPsec profile and it is generating a lot of logs related to %CRYPTO-6-IKMP_MODE_FAILURE "Processing of Main mode failed with peer at x.x.x.x" (multiple peer IP addresses) on some of my spoke routers. Note that my connection to the hub has been stable for more than a week.

From the peer address, I have located that it's another spoke site. Since this is a DMVPN, it also builds an IPsec tunnel to secure the connection between spoke and spoke, right? But is it normal to see these logs? From other sites I cannot see these logs.

CRYPTO-4-IKMP_NO_SA -> Negotiation with the remote peer has failed, so there is a configuration mismatch between local and remote sites. Verify attributes at both sides.

During my testing, I'm able to see that I can reach the Spoke 2 LAN from the Spoke 1 LAN segment. Does this mean that I'm having an issue building the IPsec tunnel, or is it required, since I'm still able to connect from Spoke 1 to Spoke 2?

Example logs:

Spoke 1:

Trace route:

xxxxxxx#trace <SPOKE 2 LAN> source <SPOKE1 LAN>
  1 172.x.x.x [AS x] 156 msec * *          <---- HUB
  2 172.x.x.x [AS x] 752 msec 764 msec *   <---- Spoke 2

xxxxxx#sh crypto isakmp sa | i 112.x.x.x
112.x.x.x       201.x.x.x       MM_NO_STATE       2121 ACTIVE (deleted)
112.x.x.x       201.x.x.x       MM_NO_STATE       2116 ACTIVE (deleted)

xxxxxx#sh dmvpn | i 112
    1 112.x.x.x       172.24.194.54    UP 00:12:37     D   <--- Dynamic

Logs:

Feb 17 08:24:13 GMT: %CRYPTO-4-IKMP_NO_SA: IKE message from x.x.x has no SA and is not an initialization offer
Feb 17 08:24:13 GMT: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Main mode failed with peer at 58.x.x.x
Feb 17 08:25:13 GMT: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Main mode failed with peer at 112.x.x.x
Feb 17 08:26:13 GMT: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Main mode failed with peer at 112.x.x.x
Feb 17 08:27:25 GMT: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Main mode failed with peer at 126.x.x.x

Config:

interface Tun100
 bandwidth 2000
 <>
 no ip redirects
 ip mtu 1400
 ip pim nbma-mode
 ip pim sparse-mode
 ip nat outside
 ip nhrp group 2M
 ip nhrp map multicast xxxxx
 ip nhrp map xxx xxxx
 ip nhrp network-id 2x
 ip nhrp holdtime 500
 ip nhrp nhs xxxx
 ip nhrp shortcut
 ip nhrp redirect
 ip virtual-reassembly in
 ip tcp adjust-mss 1360
 qos pre-classify
 tunnel source xxxx
 tunnel mode gre multipoint
 tunnel key xx
 tunnel vrf xxx
 tunnel protection ipsec profile xxx shared

Spoke 2:

xxxxx#sh crypto isakmp sa | i x.x.x.x
112.x.x.x       201.x.x.x       QM_IDLE           4798 ACTIVE            <---- OK?
116.x.x.x       201.x.x.x       MM_NO_STATE       4777 ACTIVE (deleted)

Logs: No logs related to Spoke 1

Thanks
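To separate the noisy IKMP_MODE_FAILURE messages from peers that actually never complete Phase 1, the following triage script (an added example, not part of the original post) counts Main-mode failures per peer from the syslog lines and cross-checks each peer against the "show crypto isakmp sa" table. The sample log lines and SA rows are constructed to mirror the post, with placeholder addresses, and the spoke's own NBMA address is assumed to be 201.0.0.1.

```python
import re
from collections import Counter, defaultdict

# Constructed syslog sample modelled on the post; addresses are placeholders.
SAMPLE_LOGS = """\
Feb 17 08:24:13 GMT: %CRYPTO-4-IKMP_NO_SA: IKE message from 58.0.0.1 has no SA and is not an initialization offer
Feb 17 08:24:13 GMT: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Main mode failed with peer at 58.0.0.1
Feb 17 08:25:13 GMT: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Main mode failed with peer at 112.0.0.1
Feb 17 08:26:13 GMT: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Main mode failed with peer at 112.0.0.1
Feb 17 08:27:25 GMT: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Main mode failed with peer at 126.0.0.1
Feb 17 08:28:02 GMT: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Main mode failed with peer at 116.0.0.1
"""

# Constructed "show crypto isakmp sa" rows as seen on a spoke whose own address is 201.0.0.1.
SAMPLE_SA = """\
dst             src             state          conn-id status
112.0.0.1       201.0.0.1       QM_IDLE           4798 ACTIVE
112.0.0.1       201.0.0.1       MM_NO_STATE       2116 ACTIVE (deleted)
116.0.0.1       201.0.0.1       MM_NO_STATE       4777 ACTIVE (deleted)
"""

MODE_FAIL = re.compile(r"%CRYPTO-6-IKMP_MODE_FAILURE: .*peer at (\d+(?:\.\d+){3})")
SA_ROW = re.compile(r"^(\d+(?:\.\d+){3})\s+(\d+(?:\.\d+){3})\s+(\S+)\s+\d+\s+(.+)$")

def count_mode_failures(logs):
    """Map each peer address to the number of Main-mode failure messages naming it."""
    return Counter(m.group(1) for line in logs.splitlines() if (m := MODE_FAIL.search(line)))

def parse_isakmp_sa(text, local_ip):
    """Map each remote peer to its ISAKMP SA states; the remote is whichever of dst/src is not local_ip."""
    peers = defaultdict(list)
    for line in text.splitlines():
        m = SA_ROW.match(line)
        if not m:
            continue  # header or unrelated line
        dst, src, state, status = m.groups()
        peer = src if dst == local_ip else dst
        peers[peer].append(state + ("(deleted)" if "deleted" in status else ""))
    return peers

def triage(logs, sa_text, local_ip):
    """Return {peer: (failure_count, verdict)} based on whether a live Phase-1 SA to the peer exists."""
    sas = parse_isakmp_sa(sa_text, local_ip)
    report = {}
    for peer, n in count_mode_failures(logs).items():
        states = sas.get(peer, [])
        if "QM_IDLE" in states:
            verdict = "live SA exists; failures are stale or duplicate negotiations"
        elif states:
            verdict = "Main mode never completes; compare ISAKMP policy and keys on both sides"
        else:
            verdict = "no SA recorded; check reachability and whether this peer should negotiate at all"
        report[peer] = (n, verdict)
    return report
```

A peer that shows QM_IDLE alongside the failures (112.0.0.1 above) matches the post's situation where spoke-to-spoke traffic still works; a peer stuck in MM_NO_STATE only is the configuration-mismatch case the IKMP_NO_SA description points at.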


