IPSEC Phase 1 Error – Troubleshooting Guide


What does the MM_NO_STATE usually mean when having errors bringing phase 1 up?

IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
X.X.X.122  X.X.X.107    MM_NO_STATE          0 ACTIVE

Debug log:

Feb 18 09:25:36.732: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= X.X.X.107:500, remote= X.X.X.122:500,
    local_proxy= LOCAL.LAN.SUBNET/255.255.255.0/256/0,
    remote_proxy= REMOTE.LAN.SUBNET/255.255.240.0/256/0,
    protocol= ESP, transform= esp-aes 256 esp-sha256-hmac  (Tunnel), 
    lifedur= 3600s and 4608000kb, 
    spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
Feb 18 09:25:36.732: ISAKMP:(0): SA request profile is (NULL)
Feb 18 09:25:36.732: ISAKMP: Created a peer struct for X.X.X.122, peer port 500
Feb 18 09:25:36.732: ISAKMP: New peer created peer = 0x21027558 peer_handle = 0x80000022
Feb 18 09:25:36.732: ISAKMP: Locking peer struct 0x21027558, refcount 1 for isakmp_initiator
Feb 18 09:25:36.732: ISAKMP: local port 500, remote port 500
Feb 18 09:25:36.732: ISAKMP: set new node 0 to QM_IDLE      
Feb 18 09:25:36.732: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 3D3B8698
Feb 18 09:25:36.732: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
Feb 18 09:25:36.732: ISAKMP:(0):found peer pre-shared key matching X.X.X.122
Feb 18 09:25:36.732: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
Feb 18 09:25:36.732: ISAKMP:(0): constructed NAT-T vendor-07 ID
Feb 18 09:25:36.732: ISAKMP:(0): constructed NAT-T vendor-03 ID
Feb 18 09:25:36.732: ISAKMP:(0): constructed NAT-T vendor-02 ID
Feb 18 09:25:36.732: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Feb 18 09:25:36.732: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1 

Feb 18 09:25:36.732: ISAKMP:(0): beginning Main Mode exchange
Feb 18 09:25:36.732: ISAKMP:(0): sending packet to X.X.X.122 my_port 500 peer_port 500 (I) MM_NO_STATE
Feb 18 09:25:36.732: ISAKMP:(0):Sending an IKE IPv4 Packet
Feb 18 09:25:46.732: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Feb 18 09:25:46.732: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Feb 18 09:25:46.732: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Feb 18 09:25:46.732: ISAKMP:(0): sending packet to X.X.X.122 my_port 500 peer_port 500 (I) MM_NO_STATE
Feb 18 09:25:46.732: ISAKMP:(0):Sending an IKE IPv4 Packet.
Feb 18 09:25:51.340: ISAKMP:(0):purging node -1205386052
Feb 18 09:25:51.340: ISAKMP:(0):purging node 359996904
Feb 18 09:25:56.732: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Feb 18 09:25:56.732: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
Feb 18 09:25:56.732: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Feb 18 09:25:56.732: ISAKMP:(0): sending packet to X.X.X.122 my_port 500 peer_port 500 (I) MM_NO_STATE
Feb 18 09:25:56.732: ISAKMP:(0):Sending an IKE IPv4 Packet.
Feb 18 09:26:01.340: ISAKMP:(0):purging SA., sa=3D3A9E34, delme=3D3A9E34
Feb 18 09:26:06.732: IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= X.X.X.107:0, remote= X.X.X.122:0,
    local_proxy= LOCAL.LAN.SUBNET/255.255.255.0/256/0,
    remote_proxy= REMOTE.LAN.SUBNET/255.255.240.0/256/0
Feb 18 09:26:06.732: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= X.X.X.107:500, remote= X.X.X.122:500,
    local_proxy= LOCAL.LAN.SUBNET/255.255.255.0/256/0,
    remote_proxy= REMOTE.LAN.SUBNET/255.255.240.0/256/0,
    protocol= ESP, transform= esp-aes 256 esp-sha256-hmac  (Tunnel), 
    lifedur= 3600s and 4608000kb, 
    spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
Feb 18 09:26:06.732: ISAKMP: set new node 0 to QM_IDLE      
Feb 18 09:26:06.732: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local X.X.X.107, remote X.X.X.122)
Feb 18 09:26:06.732: ISAKMP: Error while processing SA request: Failed to initialize SA
Feb 18 09:26:06.732: ISAKMP: Error while processing KMI message 0, error 2.
Feb 18 09:26:06.732: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Feb 18 09:26:06.732: ISAKMP (0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
Feb 18 09:26:06.732: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Feb 18 09:26:06.732: ISAKMP:(0): sending packet to X.X.X.122 my_port 500 peer_port 500 (I) MM_NO_STATE
Feb 18 09:26:06.732: ISAKMP:(0):Sending an IKE IPv4 Packet.
Feb 18 09:26:16.732: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Feb 18 09:26:16.732: ISAKMP (0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
Feb 18 09:26:16.732: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Feb 18 09:26:16.732: ISAKMP:(0): sending packet to X.X.X.122 my_port 500 peer_port 500 (I) MM_NO_STATE
Feb 18 09:26:16.732: ISAKMP:(0):Sending an IKE IPv4 Packet.
Feb 18 09:26:26.732: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Feb 18 09:26:26.732: ISAKMP (0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
Feb 18 09:26:26.732: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Feb 18 09:26:26.732: ISAKMP:(0): sending packet to X.X.X.122 my_port 500 peer_port 500 (I) MM_NO_STATE
Feb 18 09:26:26.732: ISAKMP:(0):Sending an IKE IPv4 Packet.
Feb 18 09:26:36.732: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Feb 18 09:26:36.732: ISAKMP:(0):peer does not do paranoid keepalives.

Feb 18 09:26:36.732: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer X.X.X.122)
Feb 18 09:26:36.732: IPSEC(key_engine): request timer fired: count = 2,
  (identity) local= X.X.X.107:0, remote= X.X.X.122:0,
    local_proxy= LOCAL.LAN.SUBNET/255.255.255.0/256/0,
    remote_proxy= REMOTE.LAN.SUBNET/255.255.240.0/256/0
Feb 18 09:26:36.732: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer X.X.X.122) 
Feb 18 09:26:36.732: ISAKMP: Unlocking peer struct 0x21027558 for isadb_mark_sa_deleted(), count 0
Feb 18 09:26:36.732: ISAKMP: Deleting peer node by peer_reap for X.X.X.122: 21027558
Feb 18 09:26:36.732: ISAKMP:(0):deleting node 1892890669 error FALSE reason "IKE deleted"
Feb 18 09:26:36.732: ISAKMP:(0):deleting node -2013997155 error FALSE reason "IKE deleted"
Feb 18 09:26:36.732: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Feb 18 09:26:36.732: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_DEST_SA 

Feb 18 09:26:36.732: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Feb 18 09:27:26.732: ISAKMP:(0):purging node 1892890669
Feb 18 09:27:26.732: ISAKMP:(0):purging node -2013997155
Feb 18 09:27:36.732: ISAKMP:(0):purging SA., sa=3D3B8698, delme=3D3B869

Best Answer

MM_NO_STATE means Main Mode No State. That is, the state machine is still in the initial state because it hasn't received any response from the peer.

Feb 18 09:26:06.732: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Feb 18 09:26:06.732: ISAKMP:(0): sending packet to X.X.X.122 my_port 500 peer_port 500 (I) MM_NO_STATE

This seems to indicate that this router is sending IKE data to the peer, but the peer is not responding. You should verify that the peer is configured correctly.
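As an added example (not part of the original answer), the following Python sketch applies the same reasoning to a saved debug capture: it counts IKE packets sent and received, and reports when the initiator was deleted without ever getting a reply. The sample lines are excerpted from the log in the question; the "received packet from" line format that the script looks for is an assumption about the debug output, since no such line appears on this page.

```python
import re

# Patterns for the ISAKMP debug lines shown in the question.
SENT = re.compile(r"ISAKMP:?\s*\(\d+\):\s*sending packet to (\S+) "
                  r"my_port \d+ peer_port \d+ \(\w\) (\S+)")
# Assumed format of an inbound-packet line; none appears in the question's log.
RECV = re.compile(r"ISAKMP:?\s*\(\d+\):\s*received packet from (\S+)")
ATTEMPT = re.compile(r"attempt (\d+) of (\d+): retransmit phase 1")
DELETED = re.compile(r'deleting SA reason "([^"]+)" state \(\w\) (\S+)')

# Excerpt of the debug log from the question (addresses masked as on the page).
SAMPLE_LOG = """\
Feb 18 09:25:36.732: ISAKMP:(0): sending packet to X.X.X.122 my_port 500 peer_port 500 (I) MM_NO_STATE
Feb 18 09:25:46.732: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Feb 18 09:25:46.732: ISAKMP:(0): sending packet to X.X.X.122 my_port 500 peer_port 500 (I) MM_NO_STATE
Feb 18 09:26:26.732: ISAKMP (0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
Feb 18 09:26:26.732: ISAKMP:(0): sending packet to X.X.X.122 my_port 500 peer_port 500 (I) MM_NO_STATE
Feb 18 09:26:36.732: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer X.X.X.122)
"""

def diagnose_phase1(log_text):
    """Summarise an initiator-side phase 1 attempt from ISAKMP debug output."""
    sent = SENT.findall(log_text)          # list of (peer, state)
    received = RECV.findall(log_text)      # list of peers that answered
    attempts = [int(n) for n, _ in ATTEMPT.findall(log_text)]
    deleted = DELETED.search(log_text)
    result = {
        "peer": sent[0][0] if sent else None,
        "sent": len(sent),
        "received": len(received),
        "max_retransmit": max(attempts, default=0),
        "delete_reason": deleted.group(1) if deleted else None,
    }
    if sent and not received and {state for _, state in sent} == {"MM_NO_STATE"}:
        # Every outbound packet is still the first Main Mode message.
        result["verdict"] = "peer never answered: check UDP/500 path and peer config"
    elif received:
        result["verdict"] = "peer is replying: failure is later in the exchange"
    else:
        result["verdict"] = "no IKE packets were sent"
    return result

if __name__ == "__main__":
    for key, value in diagnose_phase1(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```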