
IPSEC phase 1 error

Network Engineering user
Asked 2020-02-18 21:32:38
Answers: 1, Views: 7.3K, Followers: 0, Votes: 0

What does MM_NO_STATE usually refer to when there is a phase 1 error?

IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
X.X.X.122  X.X.X.107    MM_NO_STATE          0 ACTIVE

Debug log:

Feb 18 09:25:36.732: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= X.X.X.107:500, remote= X.X.X.122:500,
    local_proxy= LOCAL.LAN.SUBNET/255.255.255.0/256/0,
    remote_proxy= REMOTE.LAN.SUBNET/255.255.240.0/256/0,
    protocol= ESP, transform= esp-aes 256 esp-sha256-hmac  (Tunnel), 
    lifedur= 3600s and 4608000kb, 
    spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
Feb 18 09:25:36.732: ISAKMP:(0): SA request profile is (NULL)
Feb 18 09:25:36.732: ISAKMP: Created a peer struct for X.X.X.122, peer port 500
Feb 18 09:25:36.732: ISAKMP: New peer created peer = 0x21027558 peer_handle = 0x80000022
Feb 18 09:25:36.732: ISAKMP: Locking peer struct 0x21027558, refcount 1 for isakmp_initiator
Feb 18 09:25:36.732: ISAKMP: local port 500, remote port 500
Feb 18 09:25:36.732: ISAKMP: set new node 0 to QM_IDLE      
Feb 18 09:25:36.732: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 3D3B8698
Feb 18 09:25:36.732: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
Feb 18 09:25:36.732: ISAKMP:(0):found peer pre-shared key matching X.X.X.122
Feb 18 09:25:36.732: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
Feb 18 09:25:36.732: ISAKMP:(0): constructed NAT-T vendor-07 ID
Feb 18 09:25:36.732: ISAKMP:(0): constructed NAT-T vendor-03 ID
Feb 18 09:25:36.732: ISAKMP:(0): constructed NAT-T vendor-02 ID
Feb 18 09:25:36.732: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Feb 18 09:25:36.732: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1 

Feb 18 09:25:36.732: ISAKMP:(0): beginning Main Mode exchange
Feb 18 09:25:36.732: ISAKMP:(0): sending packet to X.X.X.122 my_port 500 peer_port 500 (I) MM_NO_STATE
Feb 18 09:25:36.732: ISAKMP:(0):Sending an IKE IPv4 Packet
Feb 18 09:25:46.732: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Feb 18 09:25:46.732: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Feb 18 09:25:46.732: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Feb 18 09:25:46.732: ISAKMP:(0): sending packet to X.X.X.122 my_port 500 peer_port 500 (I) MM_NO_STATE
Feb 18 09:25:46.732: ISAKMP:(0):Sending an IKE IPv4 Packet.
Feb 18 09:25:51.340: ISAKMP:(0):purging node -1205386052
Feb 18 09:25:51.340: ISAKMP:(0):purging node 359996904
Feb 18 09:25:56.732: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Feb 18 09:25:56.732: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
Feb 18 09:25:56.732: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Feb 18 09:25:56.732: ISAKMP:(0): sending packet to X.X.X.122 my_port 500 peer_port 500 (I) MM_NO_STATE
Feb 18 09:25:56.732: ISAKMP:(0):Sending an IKE IPv4 Packet.
Feb 18 09:26:01.340: ISAKMP:(0):purging SA., sa=3D3A9E34, delme=3D3A9E34
Feb 18 09:26:06.732: IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= X.X.X.107:0, remote= X.X.X.122:0,
    local_proxy= LOCAL.LAN.SUBNET/255.255.255.0/256/0,
    remote_proxy= REMOTE.LAN.SUBNET/255.255.240.0/256/0
Feb 18 09:26:06.732: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= X.X.X.107:500, remote= X.X.X.122:500,
    local_proxy= LOCAL.LAN.SUBNET/255.255.255.0/256/0,
    remote_proxy= REMOTE.LAN.SUBNET/255.255.240.0/256/0,
    protocol= ESP, transform= esp-aes 256 esp-sha256-hmac  (Tunnel), 
    lifedur= 3600s and 4608000kb, 
    spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
Feb 18 09:26:06.732: ISAKMP: set new node 0 to QM_IDLE      
Feb 18 09:26:06.732: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local X.X.X.107, remote X.X.X.122)
Feb 18 09:26:06.732: ISAKMP: Error while processing SA request: Failed to initialize SA
Feb 18 09:26:06.732: ISAKMP: Error while processing KMI message 0, error 2.
Feb 18 09:26:06.732: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Feb 18 09:26:06.732: ISAKMP (0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
Feb 18 09:26:06.732: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Feb 18 09:26:06.732: ISAKMP:(0): sending packet to X.X.X.122 my_port 500 peer_port 500 (I) MM_NO_STATE
Feb 18 09:26:06.732: ISAKMP:(0):Sending an IKE IPv4 Packet.
Feb 18 09:26:16.732: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Feb 18 09:26:16.732: ISAKMP (0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
Feb 18 09:26:16.732: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Feb 18 09:26:16.732: ISAKMP:(0): sending packet to X.X.X.122 my_port 500 peer_port 500 (I) MM_NO_STATE
Feb 18 09:26:16.732: ISAKMP:(0):Sending an IKE IPv4 Packet.
Feb 18 09:26:26.732: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Feb 18 09:26:26.732: ISAKMP (0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
Feb 18 09:26:26.732: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Feb 18 09:26:26.732: ISAKMP:(0): sending packet to X.X.X.122 my_port 500 peer_port 500 (I) MM_NO_STATE
Feb 18 09:26:26.732: ISAKMP:(0):Sending an IKE IPv4 Packet.
Feb 18 09:26:36.732: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Feb 18 09:26:36.732: ISAKMP:(0):peer does not do paranoid keepalives.

Feb 18 09:26:36.732: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer X.X.X.122)
Feb 18 09:26:36.732: IPSEC(key_engine): request timer fired: count = 2,
  (identity) local= X.X.X.107:0, remote= X.X.X.122:0,
    local_proxy= LOCAL.LAN.SUBNET/255.255.255.0/256/0,
    remote_proxy= REMOTE.LAN.SUBNET/255.255.240.0/256/0
Feb 18 09:26:36.732: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer X.X.X.122) 
Feb 18 09:26:36.732: ISAKMP: Unlocking peer struct 0x21027558 for isadb_mark_sa_deleted(), count 0
Feb 18 09:26:36.732: ISAKMP: Deleting peer node by peer_reap for X.X.X.122: 21027558
Feb 18 09:26:36.732: ISAKMP:(0):deleting node 1892890669 error FALSE reason "IKE deleted"
Feb 18 09:26:36.732: ISAKMP:(0):deleting node -2013997155 error FALSE reason "IKE deleted"
Feb 18 09:26:36.732: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Feb 18 09:26:36.732: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_DEST_SA 

Feb 18 09:26:36.732: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Feb 18 09:27:26.732: ISAKMP:(0):purging node 1892890669
Feb 18 09:27:26.732: ISAKMP:(0):purging node -2013997155
Feb 18 09:27:36.732: ISAKMP:(0):purging SA., sa=3D3B8698, delme=3D3B869

1 Answer

Network Engineering user

Accepted answer

Posted 2020-02-19 00:05:16

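MM_NO_STATE means Main Mode, no state. In other words, the state machine is still in its initial state because it has not received any response from the peer.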

Feb 18 09:26:06.732: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Feb 18 09:26:06.732: ISAKMP:(0): sending packet to X.X.X.122 my_port 500 peer_port 500 (I) MM_NO_STATE

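This seems to indicate that this router is sending IKE data to the peer, but the peer is not responding. You should verify that the peer is configured correctly.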

Votes: 1
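
An added example, not part of the original answer: a small Python check that reads ISAKMP debug output in the format shown in the question and reports whether the initiator ever received a reply during phase 1. The `received packet from` pattern, the function name and the verdict labels are assumptions made for illustration.

```python
import re

# Line shapes below are taken from the debug log in the question.
SEND = re.compile(r"sending packet to (\S+) my_port \d+ peer_port \d+ \(([IR])\) (\w+)")
RETRY = re.compile(r"attempt (\d+) of (\d+): retransmit phase 1")
DEAD = re.compile(r'deleting SA reason "Death by retransmission P1"')
# Assumption: an inbound IKE packet is logged as "received packet from <peer>".
# No such line appears in the question's log.
RECV = re.compile(r"ISAKMP.*received packet from (\S+)")

def diagnose_phase1(log_text):
    """Summarise a phase 1 attempt from ISAKMP debug output."""
    r = {"peer": None, "sent": 0, "received": 0, "last_attempt": 0,
         "states": set(), "gave_up": False}
    for line in log_text.splitlines():
        if m := SEND.search(line):
            r["peer"] = m.group(1)
            r["sent"] += 1
            r["states"].add(m.group(3))
        elif RECV.search(line):
            r["received"] += 1
        elif m := RETRY.search(line):
            r["last_attempt"] = max(r["last_attempt"], int(m.group(1)))
        elif DEAD.search(line):
            r["gave_up"] = True
    if r["sent"] and not r["received"] and r["states"] == {"MM_NO_STATE"}:
        # Every packet left in the initial state and nothing came back:
        # the case the answer describes (peer not responding).
        r["verdict"] = "peer_silent"
    elif r["received"]:
        r["verdict"] = "peer_responding"
    else:
        r["verdict"] = "no_ike_traffic"
    return r

# Excerpt of the question's log: first send, first and last retry, teardown.
SAMPLE = """\
Feb 18 09:25:36.732: ISAKMP:(0): beginning Main Mode exchange
Feb 18 09:25:36.732: ISAKMP:(0): sending packet to X.X.X.122 my_port 500 peer_port 500 (I) MM_NO_STATE
Feb 18 09:25:46.732: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Feb 18 09:25:46.732: ISAKMP:(0): sending packet to X.X.X.122 my_port 500 peer_port 500 (I) MM_NO_STATE
Feb 18 09:26:26.732: ISAKMP (0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
Feb 18 09:26:26.732: ISAKMP:(0): sending packet to X.X.X.122 my_port 500 peer_port 500 (I) MM_NO_STATE
Feb 18 09:26:36.732: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer X.X.X.122)
"""

if __name__ == "__main__":
    print(diagnose_phase1(SAMPLE))
```

A `peer_silent` verdict only says that nothing came back; it does not distinguish a misconfigured peer from UDP 500 being dropped somewhere on the path.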
Original page content provided by Network Engineering. Translation support provided by the Tencent Cloud Xiaowei IT-domain engine.
Original link:

https://networkengineering.stackexchange.com/questions/65207
