IPsec VPN down toward Cisco router

Jeisson Alexamder
Posts: 5
Joined: 30 Apr 2021, 16:14

IPsec VPN down toward Cisco router

Post by Jeisson Alexamder »

Good day, I have a FortiGate 1500D that was upgraded from version 6.0 to 6.4.5 with all the respective upgrade hops, but an IPsec VPN toward a Cisco router went down. I reconfigured the VPN but the failure persists, and I don't know what other tests I can run to restore the VPN.

Thank you very much

FW1500D # diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=VPN_Tosite2 ver=1 serial=1 190.60.250.78:0->45.7.135.230:0 dst_mtu=0
bound_if=25 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/536 options[0218]=npu create_dev frag-rfc accept_traffic=1 overlay_id=0

proxyid_num=1 child_num=0 refcnt=10 ilast=10 olast=10 ad=/0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-idle on=0 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=VPN_Tosite2 proto=0 sa=0 ref=1 serial=1
src: 0:0.0.0.0/0.0.0.0:0
dst: 0:0.0.0.0/0.0.0.0:0

FW1500D # diagnose vpn ipsec status
All ipsec crypto devices in use:
NP6_0:
Encryption (encrypted/decrypted)
null : 0 0
des : 0 0
3des : 0 0
aes : 0 0
aes-gcm : 0 0
aria : 0 0
seed : 0 0
chacha20poly1305 : 0 0
Integrity (generated/validated)
null : 0 0
md5 : 0 0
sha1 : 0 0
sha256 : 0 0
sha384 : 0 0
sha512 : 0 0

NP6_1:
Encryption (encrypted/decrypted)
null : 0 0
des : 0 0
3des : 0 0
aes : 0 0
aes-gcm : 0 0
aria : 0 0
seed : 0 0
chacha20poly1305 : 0 0
Integrity (generated/validated)
null : 0 0
md5 : 0 0
sha1 : 0 0
sha256 : 0 0
sha384 : 0 0
sha512 : 0 0

NPU Host Offloading:
Encryption (encrypted/decrypted)
null : 0 0
des : 0 0
3des : 0 0
aes : 0 0
aes-gcm : 0 0
aria : 0 0
seed : 0 0
chacha20poly1305 : 0 0
Integrity (generated/validated)
null : 0 0
md5 : 0 0
sha1 : 0 0
sha256 : 0 0
sha384 : 0 0
sha512 : 0 0

CP8:
Encryption (encrypted/decrypted)
null : 0 0
des : 0 0
3des : 0 0
aes : 0 0
aes-gcm : 0 0
aria : 0 0
seed : 0 0
chacha20poly1305 : 0 0
Integrity (generated/validated)
null : 0 0
md5 : 0 0
sha1 : 0 0
sha256 : 0 0
sha384 : 0 0
sha512 : 0 0

SOFTWARE:
Encryption (encrypted/decrypted)
null : 0 0
des : 0 0
3des : 0 0
aes : 0 0
aes-gcm : 0 0
aria : 0 0
seed : 0 0
chacha20poly1305 : 0 0
Integrity (generated/validated)
null : 0 0
md5 : 0 0
sha1 : 0 0
sha256 : 0 0
sha384 : 0 0
sha512 : 0 0


FW1500D # diagnose vpn ike log-filter dst-addr4 45.7.135.230

FW1500D # diagnose debug application ike -1
Debug messages will be on for 30 minutes.

FW1500D # diagnose debug enable

FW1500D # ike 0:VPN_Tosite2:17874: out 186F07BE9F46857D00000000000000000110020000000000000000A80D00003800000001000000010000002C010100010000002401010000800B0001800C708080010007800E010080030001800200028004000E0D000014AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000000000148299031757A36082C6A621DE00000000
ike 0:VPN_Tosite2:17874: sent IKE msg (P1_RETRANSMIT): 190.60.250.78:500->45.7.135.230:500, len=168, id=186f07be9f46857d/0000000000000000
ike 0:VPN_Tosite2:17874: negotiation timeout, deleting
ike 0:VPN_Tosite2: connection expiring due to phase1 down
ike 0:VPN_Tosite2: deleting
ike 0:VPN_Tosite2: deleted
ike 0:VPN_Tosite2: schedule auto-negotiate
ike shrank heap by 159744 bytes
ike 0:VPN_Tosite2:17875: initiator: main mode is sending 1st message...
ike 0:VPN_Tosite2:17875: cookie c670828cdea94521/0000000000000000
ike 0:VPN_Tosite2:17875: out C670828CDEA9452100000000000000000110020000000000000000A80D00003800000001000000010000002C010100010000002401010000800B0001800C708080010007800E010080030001800200028004000E0D000014AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000000000148299031757A36082C6A621DE00000000
ike 0:VPN_Tosite2:17875: sent IKE msg (ident_i1send): 190.60.250.78:500->45.7.135.230:500, len=168, id=c670828cdea94521/0000000000000000
ike 0:VPN_Tosite2:17875: out C670828CDEA9452100000000000000000110020000000000000000A80D00003800000001000000010000002C010100010000002401010000800B0001800C708080010007800E010080030001800200028004000E0D000014AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000000000148299031757A36082C6A621DE00000000
ike 0:VPN_Tosite2:17875: sent IKE msg (P1_RETRANSMIT): 190.60.250.78:500->45.7.135.230:500, len=168, id=c670828cdea94521/0000000000000000
ike 0:VPN_Tosite2:17875: out C670828CDEA9452100000000000000000110020000000000000000A80D00003800000001000000010000002C010100010000002401010000800B0001800C708080010007800E010080030001800200028004000E0D000014AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000000000148299031757A36082C6A621DE00000000
ike 0:VPN_Tosite2:17875: sent IKE msg (P1_RETRANSMIT): 190.60.250.78:500->45.7.135.230:500, len=168, id=c670828cdea94521/0000000000000000
ike 0:VPN_Tosite2:17875: out C670828CDEA9452100000000000000000110020000000000000000A80D00003800000001000000010000002C010100010000002401010000800B0001800C708080010007800E010080030001800200028004000E0D000014AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000000000148299031757A36082C6A621DE00000000
ike 0:VPN_Tosite2:17875: sent IKE msg (P1_RETRANSMIT): 190.60.250.78:500->45.7.135.230:500, len=168, id=c670828cdea94521/0000000000000000
ike 0:VPN_Tosite2:17875: negotiation timeout, deleting
ike 0:VPN_Tosite2: connection expiring due to phase1 down
ike 0:VPN_Tosite2: deleting
ike 0:VPN_Tosite2: deleted
ike 0:VPN_Tosite2: schedule auto-negotiate
ike 0:VPN_Tosite2:17876: initiator: main mode is sending 1st message...
ike 0:VPN_Tosite2:17876: cookie e5282139166300c4/0000000000000000
ike 0:VPN_Tosite2:17876: out E5282139166300C400000000000000000110020000000000000000A80D00003800000001000000010000002C010100010000002401010000800B0001800C708080010007800E010080030001800200028004000E0D000014AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000000000148299031757A36082C6A621DE00000000
ike 0:VPN_Tosite2:17876: sent IKE msg (ident_i1send): 190.60.250.78:500->45.7.135.230:500, len=168, id=e5282139166300c4/0000000000000000
ike 0:VPN_Tosite2:17876: out E5282139166300C400000000000000000110020000000000000000A80D00003800000001000000010000002C010100010000002401010000800B0001800C708080010007800E010080030001800200028004000E0D000014AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000000000148299031757A36082C6A621DE00000000
ike 0:VPN_Tosite2:17876: sent IKE msg (P1_RETRANSMIT): 190.60.250.78:500->45.7.135.230:500, len=168, id=e5282139166300c4/0000000000000000
ike 0:VPN_Tosite2:17876: out E5282139166300C400000000000000000110020000000000000000A80D00003800000001000000010000002C010100010000002401010000800B0001800C708080010007800E010080030001800200028004000E0D000014AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000000000148299031757A36082C6A621DE00000000
ike 0:VPN_Tosite2:17876: sent IKE msg (P1_RETRANSMIT): 190.60.250.78:500->45.7.135.230:500, len=168, id=e5282139166300c4/0000000000000000
ike 0:VPN_Tosite2:17876: out E5282139166300C400000000000000000110020000000000000000A80D00003800000001000000010000002C010100010000002401010000800B0001800C708080010007800E010080030001800200028004000E0D000014AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000000000148299031757A36082C6A621DE00000000
ike 0:VPN_Tosite2:17876: sent IKE msg (P1_RETRANSMIT): 190.60.250.78:500->45.7.135.230:500, len=168, id=e5282139166300c4/0000000000000000

FW1500D # ike 0:VPN_Tosite2:17876: negotiation timeout, deleting
ike 0:VPN_Tosite2: connection expiring due to phase1 down
ike 0:VPN_Tosite2: deleting
ike 0:VPN_Tosite2: deleted
ike 0:VPN_Tosite2: schedule auto-negotiate
ike 0:VPN_Tosite2:17877: initiator: main mode is sending 1st message...
ike 0:VPN_Tosite2:17877: cookie beb1ccdeac675764/0000000000000000
ike 0:VPN_Tosite2:17877: out BEB1CCDEAC67576400000000000000000110020000000000000000A80D00003800000001000000010000002C010100010000002401010000800B0001800C708080010007800E010080030001800200028004000E0D000014AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000000000148299031757A36082C6A621DE00000000
ike 0:VPN_Tosite2:17877: sent IKE msg (ident_i1send): 190.60.250.78:500->45.7.135.230:500, len=168, id=beb1ccdeac675764/0000000000000000
FW1500D #
FW1500D # ike 0:VPN_Tosite2:17877: out BEB1CCDEAC67576400000000000000000110020000000000000000A80D00003800000001000000010000002C010100010000002401010000800B0001800C708080010007800E010080030001800200028004000E0D000014AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000000000148299031757A36082C6A621DE00000000
ike 0:VPN_Tosite2:17877: sent IKE msg (P1_RETRANSMIT): 190.60.250.78:500->45.7.135.230:500, len=168, id=beb1ccdeac675764/0000000000000000
iagnose debug
Unknown action 0

FW1500D #
FW1500D # diagnose debug ike 0:VPN_Tosite2:17877: out BEB1CCDEAC67576400000000000000000110020000000000000000A80D00003800000001000000010000002C010100010000002401010000800B0001800C708080010007800E010080030001800200028004000E0D000014AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000000000148299031757A36082C6A621DE00000000
ike 0:VPN_Tosite2:17877: sent IKE msg (P1_RETRANSMIT): 190.60.250.78:500->45.7.135.230:500, len=168, id=beb1ccdeac675764/0000000000000000
disable
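
Added example (not part of the original post, and not Fortinet or Cisco code): a Python parser for the IKEv1 Main Mode message 1 hex dump in the debug output above, which recovers the Phase 1 proposal the FortiGate is offering so it can be compared with the ISAKMP policy configured on the Cisco side. The function names are illustrative and the attribute tables are a subset taken from RFC 2409 and RFC 3602.

```python
import struct

# IKEv1 Main Mode message 1 from the FortiGate "out" debug line above, split per payload.
MM1_HEX = (
    "C670828CDEA94521" "0000000000000000" "01100200" "00000000" "000000A8"
    "0D000038" "00000001" "00000001" "0000002C" "01010001" "00000024" "01010000"
    "800B0001800C708080010007800E010080030001800200028004000E"
    "0D000014AFCAD71368A1F1C96B8696FC77570100" "0D0000144048B7D56EBCE88525E7DE7F00D6C2D3"
    "0D0000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000"
    "000000148299031757A36082C6A621DE00000000"
)

# IKEv1 attribute classes and some values (RFC 2409 App. A; AES-CBC: RFC 3602).
ATTR = {1: "encryption", 2: "hash", 3: "auth", 4: "dh_group",
        11: "life_type", 12: "life_duration", 14: "key_length"}
VALUE = {"encryption": {1: "DES-CBC", 5: "3DES-CBC", 7: "AES-CBC"},
         "hash": {1: "MD5", 2: "SHA1"},
         "auth": {1: "pre-shared key", 3: "RSA signatures"},
         "life_type": {1: "seconds", 2: "kilobytes"}}
EXCHANGE = {2: "Main Mode", 4: "Aggressive Mode", 5: "Informational"}

def parse_attributes(data):
    """Decode ISAKMP data attributes: TV form if the top bit is set, else TLV."""
    attrs, off = {}, 0
    while off + 4 <= len(data):
        atype, field = struct.unpack_from("!HH", data, off)
        off += 4
        if atype & 0x8000:                      # TV: the value is inline
            value = field
        else:                                   # TLV: 'field' is a length
            value = int.from_bytes(data[off:off + field], "big")
            off += field
        name = ATTR.get(atype & 0x7FFF, f"attr_{atype & 0x7FFF}")
        attrs[name] = VALUE.get(name, {}).get(value, value)
    return attrs

def parse_proposal(data):
    """Return the attribute set of every transform in the first proposal."""
    _, _, _, _, _, spi_size, count = struct.unpack_from("!BBHBBBB", data, 0)
    off, transforms = 8 + spi_size, []
    for _ in range(count):
        tlen = struct.unpack_from("!H", data, off + 2)[0]
        transforms.append(parse_attributes(data[off + 8:off + tlen]))
        off += tlen
    return transforms

def parse_mm1(hex_dump):
    """Parse the ISAKMP header, the SA proposal and the vendor ID payloads."""
    pkt = bytes.fromhex(hex_dump)
    icookie, rcookie, nxt, _, exch, _, _, length = struct.unpack_from("!8s8sBBBBII", pkt, 0)
    if length != len(pkt):
        raise ValueError("ISAKMP length field does not match the dump")
    info = {"initiator_cookie": icookie.hex(), "responder_cookie": rcookie.hex(),
            "exchange": EXCHANGE.get(exch, exch), "transforms": [], "vendor_ids": []}
    off = 28
    while nxt:
        this = nxt
        nxt, _, plen = struct.unpack_from("!BBH", pkt, off)
        if plen < 4 or off + plen > len(pkt):
            raise ValueError("bad payload length")
        body = pkt[off + 4:off + plen]
        if this == 1:                           # SA payload: DOI + situation first
            info["transforms"] += parse_proposal(body[8:])
        elif this == 13:                        # Vendor ID payload
            info["vendor_ids"].append(body.hex())
        off += plen
    return info
```

For this capture the single offered transform is AES-CBC with a 256-bit key, SHA1, pre-shared key, DH group 14 and a 28800-second lifetime, which is what the ISAKMP policy on the Cisco side has to match. The length check rejects a dump that was cut off when it was copied.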
AndresW
Posts: 171
Joined: 09 Jun 2014, 17:05

Re: IPsec VPN down toward Cisco router

Post by AndresW »

Hi,

A few questions:

- Did you ask them to clear IKE on the endpoint, just to rule that out? Sometimes it gets stuck, and doing a clear makes it negotiate again.

- What do they see in their logs on the other side? Are the ESP packets arriving?

What's happening to you is strange. I assume you kept exactly the same parameters in both phases.
Regards!

_____________________________________________________________

Telegram group about FortiGate --> https://t.me/FortiGate_es
Jeisson Alexamder
Posts: 5
Joined: 30 Apr 2021, 16:14

Re: IPsec VPN down toward Cisco router

Post by Jeisson Alexamder »

The other end is a Cisco 891 router at a remote site. I don't have access to the device at the moment and I haven't been able to check the logs on the other end, and yes, I kept the same parameters. This has been happening since the version upgrade.
AndresW
Posts: 171
Joined: 09 Jun 2014, 17:05

Re: IPsec VPN down toward Cisco router

Post by AndresW »

You're going to have to get that information, since the local information from the FG doesn't tell us much. If you kept the same parameters, in theory it should have come up immediately.

Do you know which IOS version the 891 is running? It's also important that you check this, to rule out a possible incompatibility or bug between the new FOS and the remote IOS.
Regards!
Jeisson Alexamder
Posts: 5
Joined: 30 Apr 2021, 16:14

Re: IPsec VPN down toward Cisco router

Post by Jeisson Alexamder »

The IOS version is 15.4; I haven't found any issues regarding compatibility with the FortiOS version.
I'll try to check the remote device and will share what it logs.
Thank you very much for your help.
Jeisson Alexamder
Posts: 5
Joined: 30 Apr 2021, 16:14

Re: IPsec VPN down toward Cisco router

Post by Jeisson Alexamder »

I managed to get the logs from the other end. The peer does respond to ping. I reconfigured the same parameters, but the error continues.

4d23h: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 201.217.221.134

Site2#debug crypto isakmp
Crypto ISAKMP debugging is on
Site2#
5d00h: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
5d00h: ISAKMP (0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
5d00h: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
5d00h: ISAKMP:(0): sending packet to 201.217.221.134 my_port 500 peer_port 500 (I) MM_NO_STATE
5d00h: ISAKMP:(0):Sending an IKE IPv4 Packet.
Site2#
5d00h: ISAKMP (0): received packet from 201.217.221.134 dport 500 sport 500 Global (R) MM_NO_STATE
Site2#
5d00h: ISAKMP:(0):purging node 1920718495
5d00h: ISAKMP:(0):purging node 1448841418
5d00h: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
5d00h: ISAKMP (0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
5d00h: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
5d00h: ISAKMP:(0): sending packet to 201.217.221.134 my_port 500 peer_port 500 (I) MM_NO_STATE
5d00h: ISAKMP:(0):Sending an IKE IPv4 Packet.
Site2#
5d00h: ISAKMP (0): received packet from 201.217.221.134 dport 500 sport 500 Global (R) MM_NO_STATE
Site2#
5d00h: ISAKMP:(0):purging SA., sa=8EDE647C, delme=8EDE647C
5d00h: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
5d00h: ISAKMP:(0):peer does not do paranoid keepalives.

5d00h: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 201.217.221.134)
5d00h: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 201.217.221.134)
5d00h: ISAKMP: Unlocking peer struct 0x8ED416F8 for isadb_mark_sa_deleted(), count 0
5d00h: ISAKMP: Deleting peer node by peer_reap for 201.217.221.134: 8ED416F8
5d00h: ISAKMP:(0):deleting node 1721387607 error FALSE reason "IKE deleted"
Site2#
5d00h: ISAKMP:(0):deleting node -211090769 error FALSE reason "IKE deleted"
5d00h: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
5d00h: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_DEST_SA

5d00h: ISAKMP:(0): SA request profile is (NULL)
5d00h: ISAKMP: Created a peer struct for 201.217.221.134, peer port 500
5d00h: ISAKMP: New peer created peer = 0x8ED416F8 peer_handle = 0x80003736
5d00h: ISAKMP: Locking peer struct 0x8ED416F8, refcount 1 for isakmp_initiator
5d00h: ISAKMP: local port 500, remote port 500
5d00h: ISAKMP: set new node 0 to QM_IDLE
5d00h: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 8EDE647C
5d00h: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
5d00h: ISAKMP:(0):found peer pre-shared key matching 201.217.221.134
5d00h: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
5d00h: ISAKMP:(0): constructed NAT-T vendor-07 ID
5d00h: ISAKMP:(0): constructed NAT-T vendor-03 ID
5d00h: ISAKMP:(0): constructed N
SID_1437530_DIAT-T vendor-02 ID
5d00h: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
5d00h: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1

5d00h: ISAKMP:(0): beginning Main Mode exchange
5d00h: ISAKMP:(0): sending packet to 201.217.221.134 my_port 500 peer_port 500 (I) MM_NO_STATE
5d00h: ISAKMP:(0):Sending an IKE IPv4 Packet.
5d00h: ISAKMP (0): received packet from 201.217.221.134 dport 500 sport 500 Global (I) MM_NO_STATE
5d00h: ISAKMP:(0):Notify has no hash. Rejected.
5d00h: ISAKMP (0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY: state = IKE_I_MM1
5d00h: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
5d00h: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM1

5d00h: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 201.217.221.134
5d00h: ISAKMP (0): received packet from 201.217.221.134 dport 500 sport 500 Global (R) MM_NO_STATEAN_PAMPLONA#
Site2#no debug crypto isakmp
Crypto ISAKMP debugging is off
Site2#
5d00h: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
5d00h: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
5d00h: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
5d00h: ISAKMP:(0): sending packet to 201.217.221.134 my_port 500 peer_port 500 (I) MM_NO_STATE
5d00h: ISAKMP:(0):Sending an IKE IPv4 Packet.
5d00h: ISAKMP (0): received packet from 201.217.221.134 dport 500 sport 500 Global (R) MM_NO_STATE
AndresW
Posts: 171
Joined: 09 Jun 2014, 17:05

Re: IPsec VPN down toward Cisco router

Post by AndresW »

That's strange, finding a duplicate SA. Restart the corresponding IKE on the Cisco end.
5d00h: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 8EDE647C
5d00h: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
Regards!
Jeisson Alexamder
Posts: 5
Joined: 30 Apr 2021, 16:14

Re: IPsec VPN down toward Cisco router

Post by Jeisson Alexamder »

I already did that, but it persists.

SID_1437530_DIAN_PAMPLONA#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
190.0.244.67 201.217.221.134 MM_NO_STATE 0 ACTIVE (deleted)
201.217.221.134 190.0.244.67 MM_NO_STATE 0 ACTIVE
201.217.221.134 190.0.244.67 MM_NO_STATE 0 ACTIVE (deleted)
AndresW
Posts: 171
Joined: 09 Jun 2014, 17:05

Re: IPsec VPN down toward Cisco router

Post by AndresW »

I suggest opening a ticket with TAC so they can guide you; it may be a bug.
Regards!