IPsec IKE Phase 1 (ISAKMP) Not Completing
Presenting Symptom
IPsec VPN tunnel fails to establish; IKE Phase 1 (ISAKMP) negotiation does not complete, and the tunnel remains down.
Network Context
A small branch office (Site B) with a Cisco 891 router (IOS 15.7) connects to an enterprise headquarters (Site A) with a Cisco 4331 router (IOS 16.9) over the internet. Both routers are configured for site-to-site IPsec VPN using pre-shared keys. The branch router shows 'ISAKMP SA not established' in show crypto isakmp sa.
Diagnostic Steps
Check ISAKMP Security Associations
show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
10.1.1.1        203.0.113.2     MM_NO_STATE    1001    0    ACTIVE
The state should be MM_ACTIVE or MM_KEY_EXCH for a completed Phase 1. MM_NO_STATE indicates no progress; check for mismatched parameters.
Enable ISAKMP Debugging
debug crypto isakmp
ISAKMP (0:0): received packet from 203.0.113.2 dport 500 sport 500 Global (R) MM_NO_STATE
ISAKMP (0:0): processing SA payload. message ID = 0
ISAKMP (0:0): checking ISAKMP transform 1 against priority 10 policy
ISAKMP (0:0):      encryption DES-CBC
ISAKMP (0:0):      hash SHA
ISAKMP (0:0):      default group 1
ISAKMP (0:0):      auth pre-share
ISAKMP (0:0): atts not acceptable. Next payload is 0
ISAKMP (0:0): no offers accepted!
The debug shows 'atts not acceptable', indicating a transform mismatch. Compare the proposed and configured transforms.
Verify ISAKMP Policy Configuration
show crypto isakmp policy
Protection suite of priority 10
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
Check that the encryption, hash, DH group, and auth method match between peers. A common mismatch is one side using 3DES while the other uses AES.
Check Pre-Shared Key Configuration
show running-config | include crypto isakmp key
crypto isakmp key cisco123 address 203.0.113.2
Verify the pre-shared key and peer address are correct. A mismatch will cause Phase 1 to fail after transform acceptance.
Root Cause
The ISAKMP policy on the branch router uses DES encryption and DH group 1, while the headquarters router expects AES-256 and DH group 5. The transform set mismatch prevents IKE Phase 1 from completing.
Resolution
Change the ISAKMP policy on the branch router so that it uses AES-256 encryption and DH group 5, matching the policy configured on the headquarters router.
Verification
Run 'show crypto isakmp sa' and look for state MM_ACTIVE:
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
10.1.1.1        203.0.113.2     MM_ACTIVE      1001    0    ACTIVE
Also verify the tunnel is up with 'show crypto ipsec sa' and check that the packets encapsulated/decapsulated counters are incrementing.
Prevention
1. Use a template or automation to ensure ISAKMP policies are consistent across all VPN peers.
2. Document the agreed-upon transform set and pre-shared key in a network design document.
3. Regularly audit VPN configurations using scripts or network management tools.
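An audit check of the kind step 3 describes, added here as an example and not part of the original page: it parses 'show crypto isakmp policy' output collected from both peers, reports whether any pair of policies agrees on encryption, hash, authentication method and DH group, and flags the DES and DH group 1 settings the branch router offers. The branch output is the one shown above; the headquarters output is constructed from the root cause (AES-256, DH group 5).

```python
import re
# Constructed sample: the branch router's 'show crypto isakmp policy' output from this scenario.
BRANCH_POLICY = """\
Protection suite of priority 10
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
"""
# Constructed sample: the headquarters policy implied by the root cause (AES-256, DH group 5).
HQ_POLICY = BRANCH_POLICY.replace("DES - Data Encryption Standard (56", "AES - Advanced Encryption Standard (256") \
                         .replace("#1 (768 bit)", "#5 (1536 bit)")
# The four parameters both peers must agree on; lifetime is negotiated down, so it is not compared.
FIELDS = {"encryption algorithm": "encryption", "hash algorithm": "hash",
          "authentication method": "auth", "Diffie-Hellman group": "group"}

def normalize(value):
    # 'AES - Advanced Encryption Standard (256 bit keys).' -> 'AES-256'; otherwise keep the leading name
    bits = re.search(r"^AES .*\((\d+) bit keys\)", value)
    return f"AES-{bits.group(1)}" if bits else value.split(" - ")[0]

def parse_policies(text):
    # Return {priority: {field: value}} for every protection suite, including the default suite
    policies, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Protection suite of priority (\d+)", line)
        if m or line.startswith("Default protection suite"):
            current = policies.setdefault(int(m.group(1)) if m else "default", {})
        elif current is not None and ":" in line:
            key, value = (s.strip() for s in line.split(":", 1))
            if key in FIELDS:
                current[FIELDS[key]] = normalize(value)
    return policies

def weak_settings(policy):
    # DES/3DES and DH groups 1-2 are weak; flag them even when the peer would accept them
    issues = [f"encryption {policy['encryption']}"] if policy.get("encryption") in ("DES", "Three key triple DES") else []
    if policy.get("group", "").startswith(("#1 ", "#2 ")):
        issues.append(f"group {policy['group']}")
    return issues

def find_match(initiator, responder):
    # First (initiator priority, responder priority) pair agreeing on all FIELDS, else None
    for ip, ipol in initiator.items():
        for rp, rpol in responder.items():
            if all(ipol.get(f) == rpol.get(f) for f in FIELDS.values()):
                return ip, rp
    return None
```

Run find_match(parse_policies(BRANCH_POLICY), parse_policies(HQ_POLICY)) to reproduce the 'no offers accepted' condition; once the branch policy is changed to match, the same call returns (10, 10).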
CCNA Exam Relevance
On the CCNA 200-301 exam, this scenario appears in troubleshooting multiple-choice questions where you must identify why IKE Phase 1 fails. The exam tests your ability to interpret 'show crypto isakmp sa' states and debug output. Key fact: ISAKMP policy parameters (encryption, hash, DH group, auth, lifetime) must match exactly between peers.
Exam Tips
Memorize the ISAKMP SA states: MM_NO_STATE (no progress), MM_ACTIVE (Phase 1 complete).
In debug output, 'atts not acceptable' always points to a transform mismatch.
Know that pre-shared key mismatch causes failure after transform acceptance, not before.
Commands Used in This Scenario
debug crypto isakmp
Enables debugging of ISAKMP (Internet Security Association and Key Management Protocol) packets to troubleshoot IKE phase 1 issues in IPsec VPNs.
show crypto isakmp sa
Displays the current state of Internet Key Exchange (IKE) Security Associations (SAs) used for IPsec VPN tunnels, allowing verification of Phase 1 tunnel establishment.