I’m getting an error that is not in the latest version of the QN51 doc when connecting and IPsec tunnel to a Cisco IOS router in main mode:
10:17:22, 16 Nov 2018,(321) IKE SA Removed. Peer: 125.19.8.230,Negotiation Failure
10:17:22, 16 Nov 2018,(322) IKE SA Removed. Peer: 125.19.8.230,Negotiation Failure
10:17:22, 16 Nov 2018,(322) IKE Negotiation Failed. Peer: ,Inactivity
10:17:20, 16 Nov 2018,IKE Request Received From Eroute 2
10:17:10, 16 Nov 2018,IKE Request Received From Eroute 2
10:17:00, 16 Nov 2018,IKE Request Received From Eroute 2
10:16:52, 16 Nov 2018,(322) New Phase 2 IKE Session 125.19.8.230,Initiator
10:16:52, 16 Nov 2018,(321) IKE Keys Negotiated. Peer:
10:16:50, 16 Nov 2018,(321) New Phase 1 IKE Session 125.19.8.230,Initiator
10:16:50, 16 Nov 2018,IKE Request Received From Eroute 2
This just continually repeats. I have other sites connected to this router that are fine.
The field units are WR41s but I am testing locally withe a WR44v2.
FW in my WR44v2 is:
Firmware Version: 6.1.3.8 (Sep 21 2018 14:37:04)
SBIOS Version: 7.63u
Build Version: LW
HW Version: 2204a
I have crossed checked the config with other Digi’s I have connected to my local Cisco 2911 and their configs looks the same as this one so am scratching my head.
I do not have access to the Cisco side debug as its a customer’s system that I assisted with configuration on 2 years ago and everything was working so they changes all the pwds and access stuff as its not my router…so yah, we can only see stuff from the Digi side.
Update…
Changed the IKE timeout to 40 seconds from the default 30:
Stop IKE negotiation if no packet received for 40 seconds
And the eventlog messages changed slightly:
10:46:02, 16 Nov 2018,(493) IKE SA Removed. Peer: 125.19.8.230,Negotiation Failure
10:46:02, 16 Nov 2018,(494) IKE SA Removed. Peer: 125.19.8.230,Negotiation Failure
10:46:02, 16 Nov 2018,(494) IKE Negotiation Failed. Peer: ,Retries Exceeded
10:46:00, 16 Nov 2018,IKE Request Received From Eroute 2
10:45:50, 16 Nov 2018,IKE Request Received From Eroute 2
10:45:40, 16 Nov 2018,IKE Request Received From Eroute 2
10:45:32, 16 Nov 2018,(494) New Phase 2 IKE Session 125.19.8.230,Initiator
10:45:32, 16 Nov 2018,(493) IKE Keys Negotiated. Peer:
10:45:30, 16 Nov 2018,(493) New Phase 1 IKE Session 125.19.8.230,Initiator
10:45:30, 16 Nov 2018,IKE Request Received From Eroute 2
I now have access to the Cisco and this is the unit we’re working with:
isco IOS XE Software, Version 03.13.03.S - Extended Support Release
Cisco IOS Software, ASR1000 Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 15.4(3)S3, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2015 by Cisco Systems, Inc.
Compiled Thu 28-May-15 14:26 by mcpre
Ok, now this is what appears to be happening:
We have ~25 digis,
There are about 15 connected,
The other 10 will not connect.
We looked at the cisco and there about 7,500 IKAKMP SAs open to the digis.
We look at ANY of the connected digis and every one of them has hundreds IKEv1 SAs open.
Click the Remove all V1 SAs and all but one disappears. The after a few minutes this list starts to fill up.
The Cisco is running out of tunneling resources because each connected Digi has HUNDREDS of IKEV1 SAs open.
And now the weird thing, I use exactly the same digi config against my office router which is a Cisco 1921 rather than the client’s ASR1000 and it works perfectly, a single IKEv1 SA is present.
Any tips on how to stop the digi from generating all these IKE SAs?
Is there a command line command that I could schedule to run every 5 minutes that does the same as the “Remove all V1 SAs”?
More info…
In the IKE setup on the digi, if we leave the “Remove SA” option on “normal” rather than “Both”, then the Digi does not keep adding and unsed IKE SA every 60 seconds.