Re: OT: L2L Tunnel won't come up!!

From: karim jamali <karim.jamali_at_gmail.com>
Date: Sun, 22 May 2011 00:13:59 +0300

Hi Steve,

I still see the ACL as follows:

access-list 101 permit udp any eq bootps any eq bootpc
access-list 101 deny ip host 91.212.226.179 any log
access-list 101 deny ip host 194.28.112.6 any log
access-list 101 deny tcp any any log
access-list 101 deny udp any any log
access-list 101 deny ip any any log

Did you fix the ACL? Because as such you are still dropping IKE traffic.

Thanks

On Sun, May 22, 2011 at 12:07 AM, Steve Di Bias <sdibias_at_gmail.com> wrote:

> Thanks for the help guys, I added it but still having issues, as you can see
> in my post to Joe.
>
>
> On Sat, May 21, 2011 at 1:53 PM, karim jamali <karim.jamali_at_gmail.com> wrote:
>
>> Hi Steve,
>>
>> Looking at the debug output I noticed the following:
>>
>>
>> *May 16 2011 01:35:09.394 PDT: %SEC-6-IPACCESSLOGP: list 101 denied udp 10.70.100.100(500) -> 10.70.100.55(500), 7 packets
>>
>> It seems your ACL 101 is dropping the IKE traffic (UDP Port 500) which is
>> causing the problem. Try allowing IKE in your ACL and then putting the deny
>> ip any any.
>>
>> HTH,
>>
>> Thanks
>>
>> Take Care
>>
>> On Sat, May 21, 2011 at 11:22 PM, Steve Di Bias <sdibias_at_gmail.com> wrote:
>>
>>> Hello Experts!
>>>
>>> I just finished building a tunnel between a Cisco 850 running IOS
>>> 12.4(15)T14 and an ASA 5510 running 8.0(3). Here are my configs:
>>>
>>> On the Router
>>>
>>> crypto isakmp policy 1
>>> encr 3des
>>> authentication pre-share
>>> group 2
>>> crypto isakmp key * address 10.70.100.100
>>> !
>>> crypto ipsec security-association lifetime seconds 28800
>>> !
>>> crypto ipsec transform-set vpn esp-3des
>>> !
>>> crypto map vpn 10 ipsec-isakmp
>>> set peer 10.70.100.100
>>> set transform-set vpn
>>> match address 151
>>>
>>> access-list 120 deny ip 192.168.100.0 0.0.0.255 host 10.186.56.6
>>> access-list 120 permit ip 192.168.100.0 0.0.0.255 any
>>> access-list 120 deny ip any any log
>>> access-list 151 permit ip 192.168.100.0 0.0.0.255 host 10.186.56.6
>>> access-list 151 deny ip any any log
>>>
>>> route-map NO-NAT permit 10
>>> match ip address 120
>>>
>>> ip nat inside source route-map NO-NAT interface FastEthernet4 overload
>>>
>>>
>>> On the ASA
>>>
>>> tunnel-group 10.70.100.55 type ipsec-l2l
>>> tunnel-group 10.70.100.55 ipsec-attributes
>>> pre-shared-key *
>>>
>>> access-list outside_1_cryptomap_NetEngCCIE extended permit ip host 10.186.56.6 192.168.100.0 255.255.255.0
>>> access-list outside_1_cryptomap_NetEngCCIE remark CCIE_Tunnel
>>>
>>> access-list inside_nat0_outbound extended permit ip host 10.186.56.6 192.168.100.0 255.255.255.0
>>>
>>> crypto map outside_map 7 match address outside_1_cryptomap_NetEngCCIE
>>> crypto map outside_map 7 set peer 10.70.100.55
>>> crypto map outside_map 7 set transform-set ESP-3DES-SHA
>>>
>>>
>>>
>>> And here are the debugs when I try to bring the tunnel up:
>>>
>>>
>>> *May 16 2011 01:34:26.880 PDT: ISAKMP:(0): SA request profile is (NULL)
>>> *May 16 2011 01:34:26.880 PDT: ISAKMP: Created a peer struct for 10.70.100.100, peer port 500
>>> *May 16 2011 01:34:26.880 PDT: ISAKMP: New peer created peer = 0x81FB0F04 peer_handle = 0x8000000A
>>> *May 16 2011 01:34:26.880 PDT: ISAKMP: Locking peer struct 0x81FB0F04, refcount 1 for isakmp_initiator
>>> *May 16 2011 01:34:26.880 PDT: ISAKMP: local port 500, remote port 500
>>> *May 16 2011 01:34:26.880 PDT: ISAKMP: set new node 0 to QM_IDLE
>>> *May 16 2011 01:34:26.880 PDT: insert sa successfully sa = 82FBBE5C
>>> *May 16 2011 01:34:26.880 PDT: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
>>> *May 16 2011 01:34:26.880 PDT: ISAKMP:(0):found peer pre-shared key matching 10.70.100.100
>>> *May 16 2011 01:34:26.880 PDT: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
>>> *May 16 2011 01:34:26.880 PDT: ISAKMP:(0): constructed NAT-T vendor-07 ID
>>> *May 16 2011 01:34:26.880 PDT: ISAKMP:(0): constructed NAT-T vendor-03 ID
>>> *May 16 2011 01:34:26.880 PDT: ISAKMP:(0): constructed NAT-T vendor-02 ID
>>> *May 16 2011 01:34:26.880 PDT: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
>>> *May 16 2011 01:34:26.880 PDT: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
>>>
>>> *May 16 2011 01:34:26.880 PDT: ISAKMP:(0): beginning Main Mode exchange
>>> SD-c850-Edge#
>>> *May 16 2011 01:34:26.880 PDT: ISAKMP:(0): sending packet to 10.70.100.100 my_port 500 peer_port 500 (I) MM_NO_STATE
>>> *May 16 2011 01:34:26.880 PDT: ISAKMP:(0):Sending an IKE IPv4 Packet.
>>> SD-c850-Edge#
>>> *May 16 2011 01:34:36.882 PDT: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
>>> *May 16 2011 01:34:36.882 PDT: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
>>> *May 16 2011 01:34:36.882 PDT: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
>>> *May 16 2011 01:34:36.882 PDT: ISAKMP:(0): sending packet to 10.70.100.100 my_port 500 peer_port 500 (I) MM_NO_STATE
>>> *May 16 2011 01:34:36.882 PDT: ISAKMP:(0):Sending an IKE IPv4 Packet.
>>> SD-c850-Edge#
>>> *May 16 2011 01:34:46.885 PDT: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
>>> *May 16 2011 01:34:46.885 PDT: ISAKMP (0:0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
>>> *May 16 2011 01:34:46.885 PDT: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
>>> *May 16 2011 01:34:46.885 PDT: ISAKMP:(0): sending packet to 10.70.100.100 my_port 500 peer_port 500 (I) MM_NO_STATE
>>> *May 16 2011 01:34:46.885 PDT: ISAKMP:(0):Sending an IKE IPv4 Packet.
>>> SD-c850-Edge#
>>> *May 16 2011 01:34:56.879 PDT: ISAKMP: set new node 0 to QM_IDLE
>>> *May 16 2011 01:34:56.879 PDT: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local 10.70.100.55, remote 10.70.100.100)
>>> *May 16 2011 01:34:56.879 PDT: ISAKMP: Error while processing SA request: Failed to initialize SA
>>> *May 16 2011 01:34:56.879 PDT: ISAKMP: Error while processing KMI message 0, error 2.
>>> *May 16 2011 01:34:56.887 PDT: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
>>> *May 16 2011 01:34:56.887 PDT: ISAKMP (0:0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
>>> *May 16 2011 01:34:56.887 PDT: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
>>> SD-c850-Edge#
>>> *May 16 2011 01:34:56.887 PDT: ISAKMP:(0): sending packet to 10.70.100.100 my_port 500 peer_port 500 (I) MM_NO_STATE
>>> *May 16 2011 01:34:56.887 PDT: ISAKMP:(0):Sending an IKE IPv4 Packet.
>>> SD-c850-Edge#
>>> *May 16 2011 01:35:06.889 PDT: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
>>> *May 16 2011 01:35:06.889 PDT: ISAKMP (0:0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
>>> *May 16 2011 01:35:06.889 PDT: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
>>> *May 16 2011 01:35:06.889 PDT: ISAKMP:(0): sending packet to 10.70.100.100 my_port 500 peer_port 500 (I) MM_NO_STATE
>>> *May 16 2011 01:35:06.889 PDT: ISAKMP:(0):Sending an IKE IPv4 Packet.
>>> SD-c850-Edge#
>>> *May 16 2011 01:35:09.394 PDT: %SEC-6-IPACCESSLOGP: list 120 denied udp 10.70.100.55(0) -> 10.70.100.100(0), 5 packets
>>> *May 16 2011 01:35:09.394 PDT: %SEC-6-IPACCESSLOGP: list 101 denied udp 10.70.100.100(500) -> 10.70.100.55(500), 7 packets
>>> SD-c850-Edge#
>>> *May 16 2011 01:35:16.891 PDT: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
>>> *May 16 2011 01:35:16.891 PDT: ISAKMP (0:0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
>>> *May 16 2011 01:35:16.891 PDT: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
>>> *May 16 2011 01:35:16.891 PDT: ISAKMP:(0): sending packet to 10.70.100.100 my_port 500 peer_port 500 (I) MM_NO_STATE
>>> *May 16 2011 01:35:16.891 PDT: ISAKMP:(0):Sending an IKE IPv4 Packet.
>>> SD-c850-Edge#
>>> *May 16 2011 01:35:26.894 PDT: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
>>> *May 16 2011 01:35:26.894 PDT: ISAKMP:(0):peer does not do paranoid keepalives.
>>>
>>> *May 16 2011 01:35:26.894 PDT: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 10.70.100.100)
>>> *May 16 2011 01:35:26.894 PDT: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 10.70.100.100)
>>> *May 16 2011 01:35:26.894 PDT: ISAKMP: Unlocking peer struct 0x81FB0F04 for isadb_mark_sa_deleted(), count 0
>>> *May 16 2011 01:35:26.894 PDT: ISAKMP: Deleting peer node by peer_reap for 10.70.100.100: 81FB0F04
>>> SD-c850-Edge#
>>> *May 16 2011 01:35:26.894 PDT: ISAKMP:(0):deleting node 1945611004 error FALSE reason "IKE deleted"
>>> *May 16 2011 01:35:26.894 PDT: ISAKMP:(0):deleting node 1604588444 error FALSE reason "IKE deleted"
>>> *May 16 2011 01:35:26.894 PDT: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
>>> *May 16 2011 01:35:26.894 PDT: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_DEST_SA
>>>
>>>
>>>
>>> Any ideas on what is causing this?? Thanks in advance!
>>>
>>>
>>>
>>> --
>>> -Steve Di Bias
>>>
>>>
>>> Blogs and organic groups at http://www.ccie.net
>>>
>>> _______________________________________________________________________
>>> Subscription information may be found at:
>>> http://www.groupstudy.com/list/CCIELab.html
>>
>>
>> --
>> KJ
>>
>
> --
> -Steve Di Bias
>

-- 
KJ
Received on Sun May 22 2011 - 00:13:59 ART

This archive was generated by hypermail 2.2.0 : Wed Jun 01 2011 - 09:01:11 ART
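The ACL check Karim raises above, worked through as an added example that is not part of the thread or of either device's configuration: a small Python first-match simulator for the simplified IOS extended-ACL syntax quoted in the thread. ACL 101 is copied verbatim from the message above and the `%SEC-6-IPACCESSLOGP` line is the one quoted from the router debug; the "fixed" ACL is an assumption about how one would permit IKE (UDP/500), NAT-T (UDP/4500) and ESP from the peer ahead of the catch-all denies, as the reply suggests. The `isakmp` and `non500-isakmp` port keywords are standard IOS ACL names for 500 and 4500.

```python
"""Added example (not from the thread): first-match simulation of the simplified
IOS extended-ACL syntax in the thread, to show ACL 101 dropping IKE from the peer."""
import re

PORT_NAMES = {"bootps": 67, "bootpc": 68, "isakmp": 500, "non500-isakmp": 4500}  # IOS port keywords

# ACL 101 exactly as quoted in the thread.
ACL_101_AS_POSTED = """
access-list 101 permit udp any eq bootps any eq bootpc
access-list 101 deny ip host 91.212.226.179 any log
access-list 101 deny ip host 194.28.112.6 any log
access-list 101 deny tcp any any log
access-list 101 deny udp any any log
access-list 101 deny ip any any log
"""

# Hypothetical corrected ACL (assumption): IKE, NAT-T and ESP from the peer permitted before the denies.
ACL_101_FIXED = """
access-list 101 permit udp any eq bootps any eq bootpc
access-list 101 permit udp host 10.70.100.100 eq isakmp host 10.70.100.55 eq isakmp
access-list 101 permit udp host 10.70.100.100 eq non500-isakmp host 10.70.100.55 eq non500-isakmp
access-list 101 permit esp host 10.70.100.100 host 10.70.100.55
access-list 101 deny ip host 91.212.226.179 any log
access-list 101 deny ip host 194.28.112.6 any log
access-list 101 deny tcp any any log
access-list 101 deny udp any any log
access-list 101 deny ip any any log
"""

LOG_LINE = ("*May 16 2011 01:35:09.394 PDT: %SEC-6-IPACCESSLOGP: list 101 denied udp "
            "10.70.100.100(500) -> 10.70.100.55(500), 7 packets")  # quoted in the thread


def ip_to_int(dotted):
    a, b, c, d = (int(x) for x in dotted.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def _parse_addr(tok, i):
    # Consume 'any' | 'host A' | 'A WILDCARD'; return ((network, wildcard), next index).
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":
        return (ip_to_int(tok[i + 1]), 0), i + 2
    return (ip_to_int(tok[i]), ip_to_int(tok[i + 1])), i + 2


def _parse_port(tok, i):
    # Consume an optional 'eq PORT' (keyword or number); return (port or None, next index).
    if i < len(tok) and tok[i] == "eq":
        name = tok[i + 1]
        return (PORT_NAMES[name] if name in PORT_NAMES else int(name)), i + 2
    return None, i


def parse_acl(text):
    """Parse 'access-list N permit|deny PROTO SRC [eq P] DST [eq P] [log]' lines, in order."""
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[0] != "access-list":
            continue
        src, i = _parse_addr(tok, 4)
        sport, i = _parse_port(tok, i)
        dst, i = _parse_addr(tok, i)
        dport, i = _parse_port(tok, i)
        aces.append((tok[2], tok[3], src, sport, dst, dport, line.strip()))
    return aces


def _addr_match(spec, ip):
    net, wild = spec
    keep = ~wild & 0xFFFFFFFF          # bits the wildcard mask says must match
    return (ip & keep) == (net & keep)


def evaluate(aces, proto, src, sport, dst, dport):
    """First matching ACE wins; every IOS ACL ends with an implicit deny."""
    for action, aproto, asrc, asport, adst, adport, text in aces:
        if aproto != "ip" and aproto != proto:
            continue
        if not (_addr_match(asrc, ip_to_int(src)) and _addr_match(adst, ip_to_int(dst))):
            continue
        if (asport is not None and asport != sport) or (adport is not None and adport != dport):
            continue
        return action, text
    return "deny", "implicit deny"


def packet_from_log(line):
    # Recover (proto, src, sport, dst, dport) from a %SEC-6-IPACCESSLOGP line.
    m = re.search(r"list \d+ denied (\w+) ([\d.]+)\((\d+)\) -> ([\d.]+)\((\d+)\)", line)
    if not m:
        raise ValueError("not an IPACCESSLOGP line")
    proto, src, sport, dst, dport = m.groups()
    return proto, src, int(sport), dst, int(dport)


def ipsec_verdicts(acl_text, peer, local):
    """Verdict for the three inbound flows an IPsec L2L peer needs to reach this router."""
    aces = parse_acl(acl_text)
    return {"ike": evaluate(aces, "udp", peer, 500, local, 500)[0],
            "nat-t": evaluate(aces, "udp", peer, 4500, local, 4500)[0],
            "esp": evaluate(aces, "esp", peer, None, local, None)[0]}


if __name__ == "__main__":
    print("logged packet ->", evaluate(parse_acl(ACL_101_AS_POSTED), *packet_from_log(LOG_LINE)))
    for name, acl in (("as posted", ACL_101_AS_POSTED), ("fixed", ACL_101_FIXED)):
        print(name, ipsec_verdicts(acl, "10.70.100.100", "10.70.100.55"))
```

Running it reports that the logged packet (UDP 500 from 10.70.100.100) hits `deny udp any any log` in the posted ACL, which is exactly the denial the router logged, and that ESP from the peer would fall through to `deny ip any any log`; with the permits inserted ahead of the denies all three flows are permitted. The same evaluator can be pointed at any ACL applied inbound on the crypto-map interface to confirm the peer's traffic is admitted before a catch-all deny is added.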