Home/Support/Support Forum/IPSec main mode failing connection
Welcome to Digi Forum, where you can ask questions and receive answers from other members of the community.

IPSec main mode failing connection

0 votes
Hello All:

I'm getting an error that is not in the latest version of the QN51 doc when connecting and IPsec tunnel to a Cisco IOS router in main mode:
10:17:22, 16 Nov 2018,(321) IKE SA Removed. Peer: 125.19.8.230,Negotiation Failure
10:17:22, 16 Nov 2018,(322) IKE SA Removed. Peer: 125.19.8.230,Negotiation Failure
10:17:22, 16 Nov 2018,(322) IKE Negotiation Failed. Peer: ,Inactivity
10:17:20, 16 Nov 2018,IKE Request Received From Eroute 2
10:17:10, 16 Nov 2018,IKE Request Received From Eroute 2
10:17:00, 16 Nov 2018,IKE Request Received From Eroute 2
10:16:52, 16 Nov 2018,(322) New Phase 2 IKE Session 125.19.8.230,Initiator
10:16:52, 16 Nov 2018,(321) IKE Keys Negotiated. Peer:
10:16:50, 16 Nov 2018,(321) New Phase 1 IKE Session 125.19.8.230,Initiator
10:16:50, 16 Nov 2018,IKE Request Received From Eroute 2

This just continually repeats. I have other sites connected to this router that are fine.

The field units are WR41s but I am testing locally withe a WR44v2.
FW in my WR44v2 is:
Firmware Version: 6.1.3.8 (Sep 21 2018 14:37:04)
SBIOS Version: 7.63u
Build Version: LW
HW Version: 2204a

I have crossed checked the config with other Digi's I have connected to my local Cisco 2911 and their configs looks the same as this one so am scratching my head.

I do not have access to the Cisco side debug as its a customer's system that I assisted with configuration on 2 years ago and everything was working so they changes all the pwds and access stuff as its not my router...so yah, we can only see stuff from the Digi side.

Any pointers would be helpful.

Cheers,
john
asked Nov 15, 2018 in Digi TransPort Cellular by jserink Community Contributor (72 points)

Please log in or register to answer this question.

3 Answers

0 votes
Update.....
Changed the IKE timeout to 40 seconds from the default 30:
Stop IKE negotiation if no packet received for 40 seconds

And the eventlog messages changed slightly:
10:46:02, 16 Nov 2018,(493) IKE SA Removed. Peer: 125.19.8.230,Negotiation Failure
10:46:02, 16 Nov 2018,(494) IKE SA Removed. Peer: 125.19.8.230,Negotiation Failure
10:46:02, 16 Nov 2018,(494) IKE Negotiation Failed. Peer: ,Retries Exceeded
10:46:00, 16 Nov 2018,IKE Request Received From Eroute 2
10:45:50, 16 Nov 2018,IKE Request Received From Eroute 2
10:45:40, 16 Nov 2018,IKE Request Received From Eroute 2
10:45:32, 16 Nov 2018,(494) New Phase 2 IKE Session 125.19.8.230,Initiator
10:45:32, 16 Nov 2018,(493) IKE Keys Negotiated. Peer:
10:45:30, 16 Nov 2018,(493) New Phase 1 IKE Session 125.19.8.230,Initiator
10:45:30, 16 Nov 2018,IKE Request Received From Eroute 2
answered Nov 15, 2018 by jserink Community Contributor (72 points)
0 votes
Hi

You are stuck as it looks like the Cisco is not liking the connection and is not responding to the request.

You would need to see what is wrong with the proposal on the Cisco .

You would need to check the configuration on the other routers and see what is different on this device

regards
answered Nov 20, 2018 by James.Wilson Veteran of the Digi Community (1,225 points)
Hi Guys:

More analysis, the Digi adds another IKA sa every 60 seconds and this is reflected in the Cisco.

Why is this happening with this particular Cisco?

Cheers,
john
commented Apr 30, 2019 by jserink Community Contributor (72 points)
0 votes
Hi All:

I now have access to the Cisco and this is the unit we're working with:
isco IOS XE Software, Version 03.13.03.S - Extended Support Release
Cisco IOS Software, ASR1000 Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 15.4(3)S3, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2015 by Cisco Systems, Inc.
Compiled Thu 28-May-15 14:26 by mcpre

Ok, now this is what appears to be happening:
1. We have ~25 digis,
2. There are about 15 connected,
3. The other 10 will not connect.

We looked at the cisco and there about 7,500 IKAKMP SAs open to the digis.
We look at ANY of the connected digis and every one of them has hundreds IKEv1 SAs open.
Click the Remove all V1 SAs and all but one disappears. The after a few minutes this list starts to fill up.

The Cisco is running out of tunneling resources because each connected Digi has HUNDREDS of IKEV1 SAs open.

And now the weird thing, I use exactly the same digi config against my office router which is a Cisco 1921 rather than the client's ASR1000 and it works perfectly, a single IKEv1 SA is present.

Any tips on how to stop the digi from generating all these IKE SAs?
Is there a command line command that I could schedule to run every 5 minutes that does the same as the "Remove all V1 SAs"?

Cheers,
john
answered Apr 30, 2019 by jserink Community Contributor (72 points)
More info.....
In the IKE setup on the digi, if we leave the "Remove SA" option on "normal" rather than "Both", then the Digi does not keep adding and unsed IKE SA every 60 seconds.

Still working on the not bringing up phase 2.

Cheers,
john
commented Apr 30, 2019 by jserink Community Contributor (72 points)
...