Hi Steve,
Looking at the debug output I noticed the following:
*May 16 2011 01:35:09.394 PDT: %SEC-6-IPACCESSLOGP: list 101 denied udp
10.70.100.100(500) -> 10.70.100.55(500), 7 packets
It seems your ACL 101 is dropping the IKE traffic (UDP Port 500) which is
causing the problem. Try allowing IKE in your ACL and then putting the deny
ip any any.
HTH,
Thanks
Take Care
On Sat, May 21, 2011 at 11:22 PM, Steve Di Bias <sdibias_at_gmail.com> wrote:
> Hello Experts!
>
> I just finished building a tunnel between a Cisco 850 running IOS
> 12.4(15)T14 and an ASA 5510 running 8.0(3). Here are my configs::
>
> On the Router
>
> crypto isakmp policy 1
> encr 3des
> authentication pre-share
> group 2
> crypto isakmp key * address 10.70.100.100
> !
> crypto ipsec security-association lifetime seconds 28800
> !
> crypto ipsec transform-set vpn esp-3des
> !
> crypto map vpn 10 ipsec-isakmp
> set peer 10.70.100.100
> set transform-set vpn
> match address 151
>
> access-list 120 deny ip 192.168.100.0 0.0.0.255 host 10.186.56.6
> access-list 120 permit ip 192.168.100.0 0.0.0.255 any
> access-list 120 deny ip any any log
> access-list 151 permit ip 192.168.100.0 0.0.0.255 host 10.186.56.6
> access-list 151 deny ip any any log
>
> route-map NO-NAT permit 10
> match ip address 120
>
> ip nat inside source route-map NO-NAT interface FastEthernet4 overload
>
>
> On the ASA
>
> tunnel-group 10.70.100.55 type ipsec-l2l
> tunnel-group 10.70.100.55 ipsec-attributes
> pre-shared-key *
>
> access-list outside_1_cryptomap_NetEngCCIE extended permit ip host
> 10.186.56.6 192.168.100.0 255.255.255.0
> access-list outside_1_cryptomap_NetEngCCIE remark CCIE_Tunnel
>
> access-list inside_nat0_outbound extended permit ip host 10.186.56.6
> 192.168.100.0 255.255.255.0
>
> crypto map outside_map 7 match address outside_1_cryptomap_NetEngCCIE
> crypto map outside_map 7 set peer 10.70.100.55
> crypto map outside_map 7 set transform-set ESP-3DES-SHA
>
>
>
> And here are the debugs when I try to bring the tunnel up:
>
>
> *May 16 2011 01:34:26.880 PDT: ISAKMP:(0): SA request profile is (NULL)
> *May 16 2011 01:34:26.880 PDT: ISAKMP: Created a peer struct for
> 10.70.100.100, peer port 500
> *May 16 2011 01:34:26.880 PDT: ISAKMP: New peer created peer = 0x81FB0F04
> peer_handle = 0x8000000A
> *May 16 2011 01:34:26.880 PDT: ISAKMP: Locking peer struct 0x81FB0F04,
> refcount 1 for isakmp_initiator
> *May 16 2011 01:34:26.880 PDT: ISAKMP: local port 500, remote port 500
> *May 16 2011 01:34:26.880 PDT: ISAKMP: set new node 0 to QM_IDLE
> *May 16 2011 01:34:26.880 PDT: insert sa successfully sa = 82FBBE5C
> *May 16 2011 01:34:26.880 PDT: ISAKMP:(0):Can not start Aggressive mode,
> trying Main mode.
> *May 16 2011 01:34:26.880 PDT: ISAKMP:(0):found peer pre-shared key
> matching 10.70.100.100
> *May 16 2011 01:34:26.880 PDT: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
> *May 16 2011 01:34:26.880 PDT: ISAKMP:(0): constructed NAT-T vendor-07 ID
> *May 16 2011 01:34:26.880 PDT: ISAKMP:(0): constructed NAT-T vendor-03 ID
> *May 16 2011 01:34:26.880 PDT: ISAKMP:(0): constructed NAT-T vendor-02 ID
> *May 16 2011 01:34:26.880 PDT: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC,
> IKE_SA_REQ_MM
> *May 16 2011 01:34:26.880 PDT: ISAKMP:(0):Old State = IKE_READY New State
> = IKE_I_MM1
>
> *May 16 2011 01:34:26.880 PDT: ISAKMP:(0): beginning Main Mode exchange
> SD-c850-Edge#
> *May 16 2011 01:34:26.880 PDT: ISAKMP:(0): sending packet to 10.70.100.100
> my_port 500 peer_port 500 (I) MM_NO_STATE
> *May 16 2011 01:34:26.880 PDT: ISAKMP:(0):Sending an IKE IPv4 Packet.
> SD-c850-Edge#
> SD-c850-Edge#
> SD-c850-Edge#
> SD-c850-Edge#
> SD-c850-Edge#
> *May 16 2011 01:34:36.882 PDT: ISAKMP:(0): retransmitting phase 1
> MM_NO_STATE...
> *May 16 2011 01:34:36.882 PDT: ISAKMP (0:0): incrementing error counter on
> sa, attempt 1 of 5: retransmit phase 1
> *May 16 2011 01:34:36.882 PDT: ISAKMP:(0): retransmitting phase 1
> MM_NO_STATE
> *May 16 2011 01:34:36.882 PDT: ISAKMP:(0): sending packet to 10.70.100.100
> my_port 500 peer_port 500 (I) MM_NO_STATE
> *May 16 2011 01:34:36.882 PDT: ISAKMP:(0):Sending an IKE IPv4 Packet.
> SD-c850-Edge#
> *May 16 2011 01:34:46.885 PDT: ISAKMP:(0): retransmitting phase 1
> MM_NO_STATE...
> *May 16 2011 01:34:46.885 PDT: ISAKMP (0:0): incrementing error counter on
> sa, attempt 2 of 5: retransmit phase 1
> *May 16 2011 01:34:46.885 PDT: ISAKMP:(0): retransmitting phase 1
> MM_NO_STATE
> *May 16 2011 01:34:46.885 PDT: ISAKMP:(0): sending packet to 10.70.100.100
> my_port 500 peer_port 500 (I) MM_NO_STATE
> *May 16 2011 01:34:46.885 PDT: ISAKMP:(0):Sending an IKE IPv4 Packet.
> SD-c850-Edge#
> *May 16 2011 01:34:56.879 PDT: ISAKMP: set new node 0 to QM_IDLE
> *May 16 2011 01:34:56.879 PDT: ISAKMP:(0):SA is still budding. Attached new
> ipsec request to it. (local 10.70.100.55, remote 10.70.100.100)
> *May 16 2011 01:34:56.879 PDT: ISAKMP: Error while processing SA request:
> Failed to initialize SA
> *May 16 2011 01:34:56.879 PDT: ISAKMP: Error while processing KMI message
> 0, error 2.
> *May 16 2011 01:34:56.887 PDT: ISAKMP:(0): retransmitting phase 1
> MM_NO_STATE...
> *May 16 2011 01:34:56.887 PDT: ISAKMP (0:0): incrementing error counter on
> sa, attempt 3 of 5: retransmit phase 1
> *May 16 2011 01:34:56.887 PDT: ISAKMP:(0): retransmitting phase 1
> MM_NO_STATE
> SD-c850-Edge#
> *May 16 2011 01:34:56.887 PDT: ISAKMP:(0): sending packet to 10.70.100.100
> my_port 500 peer_port 500 (I) MM_NO_STATE
> *May 16 2011 01:34:56.887 PDT: ISAKMP:(0):Sending an IKE IPv4 Packet.
> SD-c850-Edge#
> *May 16 2011 01:35:06.889 PDT: ISAKMP:(0): retransmitting phase 1
> MM_NO_STATE...
> *May 16 2011 01:35:06.889 PDT: ISAKMP (0:0): incrementing error counter on
> sa, attempt 4 of 5: retransmit phase 1
> *May 16 2011 01:35:06.889 PDT: ISAKMP:(0): retransmitting phase 1
> MM_NO_STATE
> *May 16 2011 01:35:06.889 PDT: ISAKMP:(0): sending packet to 10.70.100.100
> my_port 500 peer_port 500 (I) MM_NO_STATE
> *May 16 2011 01:35:06.889 PDT: ISAKMP:(0):Sending an IKE IPv4 Packet.
> SD-c850-Edge#
> *May 16 2011 01:35:09.394 PDT: %SEC-6-IPACCESSLOGP: list 120 denied udp
> 10.70.100.55(0) -> 10.70.100.100(0), 5 packets
> *May 16 2011 01:35:09.394 PDT: %SEC-6-IPACCESSLOGP: list 101 denied udp
> 10.70.100.100(500) -> 10.70.100.55(500), 7 packets
> SD-c850-Edge#
> *May 16 2011 01:35:16.891 PDT: ISAKMP:(0): retransmitting phase 1
> MM_NO_STATE...
> *May 16 2011 01:35:16.891 PDT: ISAKMP (0:0): incrementing error counter on
> sa, attempt 5 of 5: retransmit phase 1
> *May 16 2011 01:35:16.891 PDT: ISAKMP:(0): retransmitting phase 1
> MM_NO_STATE
> *May 16 2011 01:35:16.891 PDT: ISAKMP:(0): sending packet to 10.70.100.100
> my_port 500 peer_port 500 (I) MM_NO_STATE
> *May 16 2011 01:35:16.891 PDT: ISAKMP:(0):Sending an IKE IPv4 Packet.
> SD-c850-Edge#
> *May 16 2011 01:35:26.894 PDT: ISAKMP:(0): retransmitting phase 1
> MM_NO_STATE...
> *May 16 2011 01:35:26.894 PDT: ISAKMP:(0):peer does not do paranoid
> keepalives.
>
> *May 16 2011 01:35:26.894 PDT: ISAKMP:(0):deleting SA reason "Death by
> retransmission P1" state (I) MM_NO_STATE (peer 10.70.100.100)
> *May 16 2011 01:35:26.894 PDT: ISAKMP:(0):deleting SA reason "Death by
> retransmission P1" state (I) MM_NO_STATE (peer 10.70.100.100)
> *May 16 2011 01:35:26.894 PDT: ISAKMP: Unlocking peer struct 0x81FB0F04 for
> isadb_mark_sa_deleted(), count 0
> *May 16 2011 01:35:26.894 PDT: ISAKMP: Deleting peer node by peer_reap for
> 10.70.100.100: 81FB0F04
> SD-c850-Edge#
> *May 16 2011 01:35:26.894 PDT: ISAKMP:(0):deleting node 1945611004 error
> FALSE reason "IKE deleted"
> *May 16 2011 01:35:26.894 PDT: ISAKMP:(0):deleting node 1604588444 error
> FALSE reason "IKE deleted"
> *May 16 2011 01:35:26.894 PDT: ISAKMP:(0):Input = IKE_MESG_INTERNAL,
> IKE_PHASE1_DEL
> *May 16 2011 01:35:26.894 PDT: ISAKMP:(0):Old State = IKE_I_MM1 New State
> = IKE_DEST_SA
>
> Any ideas on what is causing this?? Thanks in advance!
>
> --
> -Steve Di Bias
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
--
KJ

Received on Sat May 21 2011 - 23:53:56 ART
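An added example, not from the thread, that does the triage the reply does by eye: parse IOS `%SEC-6-IPACCESSLOGP` lines and report denied UDP traffic on the IKE ports (500, and 4500 for NAT-T) between the two tunnel endpoints. The sample log is constructed from the thread's two real lines plus an assumed NAT-T line and an assumed permitted line for coverage.

```python
import re
from typing import NamedTuple, Optional

# Constructed sample log, modelled on the %SEC-6-IPACCESSLOGP lines in the thread.
SAMPLE_LOG = """\
*May 16 2011 01:35:09.394 PDT: %SEC-6-IPACCESSLOGP: list 120 denied udp 10.70.100.55(0) -> 10.70.100.100(0), 5 packets
*May 16 2011 01:35:09.394 PDT: %SEC-6-IPACCESSLOGP: list 101 denied udp 10.70.100.100(500) -> 10.70.100.55(500), 7 packets
*May 16 2011 01:36:02.101 PDT: %SEC-6-IPACCESSLOGP: list 101 denied udp 10.70.100.100(4500) -> 10.70.100.55(4500), 3 packets
*May 16 2011 01:36:10.500 PDT: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.168.100.10(51000) -> 10.186.56.6(443), 12 packets
"""
# Format: list <acl> <denied|permitted> <proto> src(sport) -> dst(dport), N packets
LOGP_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>denied|permitted) "
    r"(?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?")
# UDP ports IKE needs: 500 for ISAKMP, 4500 once NAT-T is negotiated.
IKE_PORTS = {500: "ISAKMP", 4500: "IKE NAT-T"}

class AclHit(NamedTuple):
    acl: str
    action: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    count: int

def parse_logp(line: str) -> Optional[AclHit]:
    """Parse one IPACCESSLOGP line; return None for any other line."""
    m = LOGP_RE.search(line)
    if not m:
        return None
    g = m.groupdict()
    return AclHit(g["acl"], g["action"], g["proto"], g["src"], int(g["sport"]),
                  g["dst"], int(g["dport"]), int(g["count"]))

def find_blocked_ike(log_text: str, local: str, peer: str) -> list:
    """Denied UDP hits on an IKE port between the two tunnel endpoints (either direction)."""
    endpoints = {local, peer}
    hits = []
    for line in log_text.splitlines():
        h = parse_logp(line)
        if h is None or h.action != "denied" or h.proto != "udp":
            continue
        if {h.src, h.dst} == endpoints and (h.sport in IKE_PORTS or h.dport in IKE_PORTS):
            hits.append(h)
    return hits
```

Running `find_blocked_ike(SAMPLE_LOG, "10.70.100.55", "10.70.100.100")` returns the two ACL 101 hits (ports 500 and 4500) and skips the port-0 list 120 line and the permitted TCP line; each hit names the ACL that needs a permit for that port ahead of its deny.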
This archive was generated by hypermail 2.2.0 : Wed Jun 01 2011 - 09:01:11 ART