RE: L2L Tunnel won't come up!!

From: Antonio Soares <amsoares_at_netcabo.pt>
Date: Sat, 21 May 2011 21:39:27 +0100

Did you apply the crypto map to the interface on the ASA?
Also confirm that you have crypto isakmp enabled on that interface.

Regards,

Antonio Soares, CCIE #18473 (R&S/SP)
amsoares_at_netcabo.pt
http://www.ccie18473.net

-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Steve Di Bias
Sent: Saturday, 21 May 2011 21:22
To: ccielab_at_groupstudy.com
Subject: OT: L2L Tunnel won't come up!!

Hello Experts!

I just finished building a tunnel between a Cisco 850 running IOS
12.4(15)T14 and an ASA 5510 running 8.0(3). Here are my configs:

On the Router

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key * address 10.70.100.100
!
crypto ipsec security-association lifetime seconds 28800
!
crypto ipsec transform-set vpn esp-3des
!
crypto map vpn 10 ipsec-isakmp
 set peer 10.70.100.100
 set transform-set vpn
 match address 151

access-list 120 deny ip 192.168.100.0 0.0.0.255 host 10.186.56.6
access-list 120 permit ip 192.168.100.0 0.0.0.255 any
access-list 120 deny ip any any log
access-list 151 permit ip 192.168.100.0 0.0.0.255 host 10.186.56.6
access-list 151 deny ip any any log

route-map NO-NAT permit 10
 match ip address 120

ip nat inside source route-map NO-NAT interface FastEthernet4 overload

On the ASA

tunnel-group 10.70.100.55 type ipsec-l2l
tunnel-group 10.70.100.55 ipsec-attributes
 pre-shared-key *

access-list outside_1_cryptomap_NetEngCCIE extended permit ip host 10.186.56.6 192.168.100.0 255.255.255.0
access-list outside_1_cryptomap_NetEngCCIE remark CCIE_Tunnel

access-list inside_nat0_outbound extended permit ip host 10.186.56.6 192.168.100.0 255.255.255.0

crypto map outside_map 7 match address outside_1_cryptomap_NetEngCCIE
crypto map outside_map 7 set peer 10.70.100.55
crypto map outside_map 7 set transform-set ESP-3DES-SHA

And here are the debugs when I try to bring the tunnel up:

*May 16 2011 01:34:26.880 PDT: ISAKMP:(0): SA request profile is (NULL)
*May 16 2011 01:34:26.880 PDT: ISAKMP: Created a peer struct for
10.70.100.100, peer port 500
*May 16 2011 01:34:26.880 PDT: ISAKMP: New peer created peer = 0x81FB0F04
peer_handle = 0x8000000A
*May 16 2011 01:34:26.880 PDT: ISAKMP: Locking peer struct 0x81FB0F04,
refcount 1 for isakmp_initiator
*May 16 2011 01:34:26.880 PDT: ISAKMP: local port 500, remote port 500
*May 16 2011 01:34:26.880 PDT: ISAKMP: set new node 0 to QM_IDLE
*May 16 2011 01:34:26.880 PDT: insert sa successfully sa = 82FBBE5C
*May 16 2011 01:34:26.880 PDT: ISAKMP:(0):Can not start Aggressive mode,
trying Main mode.
*May 16 2011 01:34:26.880 PDT: ISAKMP:(0):found peer pre-shared key matching
10.70.100.100
*May 16 2011 01:34:26.880 PDT: ISAKMP:(0): constructed NAT-T vendor-rfc3947
ID
*May 16 2011 01:34:26.880 PDT: ISAKMP:(0): constructed NAT-T vendor-07 ID
*May 16 2011 01:34:26.880 PDT: ISAKMP:(0): constructed NAT-T vendor-03 ID
*May 16 2011 01:34:26.880 PDT: ISAKMP:(0): constructed NAT-T vendor-02 ID
*May 16 2011 01:34:26.880 PDT: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC,
IKE_SA_REQ_MM
*May 16 2011 01:34:26.880 PDT: ISAKMP:(0):Old State = IKE_READY New State =
IKE_I_MM1

*May 16 2011 01:34:26.880 PDT: ISAKMP:(0): beginning Main Mode exchange
SD-c850-Edge#
*May 16 2011 01:34:26.880 PDT: ISAKMP:(0): sending packet to 10.70.100.100
my_port 500 peer_port 500 (I) MM_NO_STATE
*May 16 2011 01:34:26.880 PDT: ISAKMP:(0):Sending an IKE IPv4 Packet.
SD-c850-Edge#
SD-c850-Edge#
SD-c850-Edge#
SD-c850-Edge#
SD-c850-Edge#
*May 16 2011 01:34:36.882 PDT: ISAKMP:(0): retransmitting phase 1
MM_NO_STATE...
*May 16 2011 01:34:36.882 PDT: ISAKMP (0:0): incrementing error counter on
sa, attempt 1 of 5: retransmit phase 1
*May 16 2011 01:34:36.882 PDT: ISAKMP:(0): retransmitting phase 1
MM_NO_STATE
*May 16 2011 01:34:36.882 PDT: ISAKMP:(0): sending packet to 10.70.100.100
my_port 500 peer_port 500 (I) MM_NO_STATE
*May 16 2011 01:34:36.882 PDT: ISAKMP:(0):Sending an IKE IPv4 Packet.
SD-c850-Edge#
*May 16 2011 01:34:46.885 PDT: ISAKMP:(0): retransmitting phase 1
MM_NO_STATE...
*May 16 2011 01:34:46.885 PDT: ISAKMP (0:0): incrementing error counter on
sa, attempt 2 of 5: retransmit phase 1
*May 16 2011 01:34:46.885 PDT: ISAKMP:(0): retransmitting phase 1
MM_NO_STATE
*May 16 2011 01:34:46.885 PDT: ISAKMP:(0): sending packet to 10.70.100.100
my_port 500 peer_port 500 (I) MM_NO_STATE
*May 16 2011 01:34:46.885 PDT: ISAKMP:(0):Sending an IKE IPv4 Packet.
SD-c850-Edge#
*May 16 2011 01:34:56.879 PDT: ISAKMP: set new node 0 to QM_IDLE
*May 16 2011 01:34:56.879 PDT: ISAKMP:(0):SA is still budding. Attached new
ipsec request to it. (local 10.70.100.55, remote 10.70.100.100)
*May 16 2011 01:34:56.879 PDT: ISAKMP: Error while processing SA request:
Failed to initialize SA
*May 16 2011 01:34:56.879 PDT: ISAKMP: Error while processing KMI message 0,
error 2.
*May 16 2011 01:34:56.887 PDT: ISAKMP:(0): retransmitting phase 1
MM_NO_STATE...
*May 16 2011 01:34:56.887 PDT: ISAKMP (0:0): incrementing error counter on
sa, attempt 3 of 5: retransmit phase 1
*May 16 2011 01:34:56.887 PDT: ISAKMP:(0): retransmitting phase 1
MM_NO_STATE
SD-c850-Edge#
*May 16 2011 01:34:56.887 PDT: ISAKMP:(0): sending packet to 10.70.100.100
my_port 500 peer_port 500 (I) MM_NO_STATE
*May 16 2011 01:34:56.887 PDT: ISAKMP:(0):Sending an IKE IPv4 Packet.
SD-c850-Edge#
*May 16 2011 01:35:06.889 PDT: ISAKMP:(0): retransmitting phase 1
MM_NO_STATE...
*May 16 2011 01:35:06.889 PDT: ISAKMP (0:0): incrementing error counter on
sa, attempt 4 of 5: retransmit phase 1
*May 16 2011 01:35:06.889 PDT: ISAKMP:(0): retransmitting phase 1
MM_NO_STATE
*May 16 2011 01:35:06.889 PDT: ISAKMP:(0): sending packet to 10.70.100.100
my_port 500 peer_port 500 (I) MM_NO_STATE
*May 16 2011 01:35:06.889 PDT: ISAKMP:(0):Sending an IKE IPv4 Packet.
SD-c850-Edge#
*May 16 2011 01:35:09.394 PDT: %SEC-6-IPACCESSLOGP: list 120 denied udp
10.70.100.55(0) -> 10.70.100.100(0), 5 packets
*May 16 2011 01:35:09.394 PDT: %SEC-6-IPACCESSLOGP: list 101 denied udp
10.70.100.100(500) -> 10.70.100.55(500), 7 packets
SD-c850-Edge#
*May 16 2011 01:35:16.891 PDT: ISAKMP:(0): retransmitting phase 1
MM_NO_STATE...
*May 16 2011 01:35:16.891 PDT: ISAKMP (0:0): incrementing error counter on
sa, attempt 5 of 5: retransmit phase 1
*May 16 2011 01:35:16.891 PDT: ISAKMP:(0): retransmitting phase 1
MM_NO_STATE
*May 16 2011 01:35:16.891 PDT: ISAKMP:(0): sending packet to 10.70.100.100
my_port 500 peer_port 500 (I) MM_NO_STATE
*May 16 2011 01:35:16.891 PDT: ISAKMP:(0):Sending an IKE IPv4 Packet.
SD-c850-Edge#
*May 16 2011 01:35:26.894 PDT: ISAKMP:(0): retransmitting phase 1
MM_NO_STATE...
*May 16 2011 01:35:26.894 PDT: ISAKMP:(0):peer does not do paranoid
keepalives.

*May 16 2011 01:35:26.894 PDT: ISAKMP:(0):deleting SA reason "Death by
retransmission P1" state (I) MM_NO_STATE (peer 10.70.100.100)
*May 16 2011 01:35:26.894 PDT: ISAKMP:(0):deleting SA reason "Death by
retransmission P1" state (I) MM_NO_STATE (peer 10.70.100.100)
*May 16 2011 01:35:26.894 PDT: ISAKMP: Unlocking peer struct 0x81FB0F04 for
isadb_mark_sa_deleted(), count 0
*May 16 2011 01:35:26.894 PDT: ISAKMP: Deleting peer node by peer_reap for
10.70.100.100: 81FB0F04
SD-c850-Edge#
*May 16 2011 01:35:26.894 PDT: ISAKMP:(0):deleting node 1945611004 error
FALSE reason "IKE deleted"
*May 16 2011 01:35:26.894 PDT: ISAKMP:(0):deleting node 1604588444 error
FALSE reason "IKE deleted"
*May 16 2011 01:35:26.894 PDT: ISAKMP:(0):Input = IKE_MESG_INTERNAL,
IKE_PHASE1_DEL
*May 16 2011 01:35:26.894 PDT: ISAKMP:(0):Old State = IKE_I_MM1 New State =
IKE_DEST_SA

Any ideas on what is causing this? Thanks in advance!

-- 
-Steve Di Bias
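The debug Steve pasted shows two things worth pulling out mechanically: five phase 1 retransmits that die without a single inbound IKE packet, and an access list (list 101, which does not appear in the posted configs) logging drops of UDP 500 from the ASA. The following is an added example and not code from the thread: a small Python triage helper that re-joins the mail-wrapped IOS output and flags both symptoms. The sample log is constructed from the lines above, and the "received packet from" string it checks for is the IOS ISAKMP debug message for an inbound IKE packet.

```python
import re
# Constructed sample modelled on the router debug in the post, in mail-wrapped form.
SAMPLE_LOG = """\
SD-c850-Edge#
*May 16 2011 01:35:09.394 PDT: %SEC-6-IPACCESSLOGP: list 120 denied udp
10.70.100.55(0) -> 10.70.100.100(0), 5 packets
*May 16 2011 01:35:09.394 PDT: %SEC-6-IPACCESSLOGP: list 101 denied udp
10.70.100.100(500) -> 10.70.100.55(500), 7 packets
*May 16 2011 01:35:16.891 PDT: ISAKMP (0:0): incrementing error counter on
sa, attempt 5 of 5: retransmit phase 1
*May 16 2011 01:35:26.894 PDT: ISAKMP:(0):deleting SA reason "Death by
retransmission P1" state (I) MM_NO_STATE (peer 10.70.100.100)
"""

ACL_DENY = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) denied (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"(?P<count>\d+) packet")
RETRANSMIT = re.compile(r"attempt (\d+) of \d+: retransmit phase 1")
IKE_PORTS = {500, 4500}  # ISAKMP and NAT-T

def unwrap(text):
    """Re-join mail-wrapped entries (a real entry starts with '*'); drop exec prompts."""
    entries = []
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.endswith("#"):
            continue
        if line.startswith("*") or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line
    return "\n".join(entries)

def acl_denies(text):
    """One dict per IPACCESSLOGP entry in unwrapped text; ports and count as ints."""
    return [{**m.groupdict(), **{k: int(m.group(k)) for k in ("sport", "dport", "count")}}
            for m in ACL_DENY.finditer(text)]

def diagnose(log, peer):
    """Explain a dead IKE phase 1 to `peer` from ISAKMP debug plus ACL syslog."""
    text, findings = unwrap(log), []
    # IOS logs 'received packet from <peer>' for each inbound IKE message; retransmits
    # that die without one mean the peer's reply never reached the ISAKMP process.
    if "Death by retransmission P1" in text and "received packet from" not in text:
        retries = max(map(int, RETRANSMIT.findall(text)), default=0)
        findings.append(f"phase1-no-reply: {retries} retransmits, nothing received from {peer}")
    for d in acl_denies(text):
        if d["proto"] == "udp" and {d["sport"], d["dport"]} & IKE_PORTS and peer in (d["src"], d["dst"]):
            findings.append(f"ike-blocked-by-acl: list {d['acl']} dropped {d['count']} udp/{d['dport']} packets {d['src']} -> {d['dst']}")
    return findings
```

Run `diagnose(SAMPLE_LOG, "10.70.100.100")` to get both findings; the list 120 entry is reported by `acl_denies` but not flagged, since port 0 is not an IKE port.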
Blogs and organic groups at http://www.ccie.net
Received on Sat May 21 2011 - 21:39:27 ART

This archive was generated by hypermail 2.2.0 : Wed Jun 01 2011 - 09:01:11 ART