Re: OT: L2L Tunnel won't come up!!

From: Steve Di Bias <sdibias_at_gmail.com>
Date: Sat, 21 May 2011 14:52:50 -0700

I did modify it but never posted the config.

SD-c850-Edge#sh access-list 101
Extended IP access list 101
    10 permit udp any eq bootps any eq bootpc (39 matches)
    11 permit udp any any eq isakmp (60 matches)
    12 permit udp any eq isakmp any
    13 permit esp any any
    14 permit udp any any eq non500-isakmp
    20 deny ip host 91.212.226.179 any log
    30 deny ip host 194.28.112.6 any log
    40 deny tcp any any log (112 matches)
    50 deny udp any any log (97 matches)
    60 deny ip any any log (11269 matches)

On Sat, May 21, 2011 at 2:13 PM, karim jamali <karim.jamali_at_gmail.com> wrote:

> Hi Steve,
>
> I still see the ACL as follows:
>
> access-list 101 permit udp any eq bootps any eq bootpc
> access-list 101 deny ip host 91.212.226.179 any log
> access-list 101 deny ip host 194.28.112.6 any log
> access-list 101 deny tcp any any log
> access-list 101 deny udp any any log
> access-list 101 deny ip any any log
>
> Did you fix the ACL? Because as such you are still dropping IKE traffic.
>
> Thanks
>
>
> On Sun, May 22, 2011 at 12:07 AM, Steve Di Bias <sdibias_at_gmail.com> wrote:
>
>> Thanks for the help guys, I added it but am still having issues, as you can see
>> in my post to Joe.
>>
>>
>> On Sat, May 21, 2011 at 1:53 PM, karim jamali <karim.jamali_at_gmail.com> wrote:
>>
>>> Hi Steve,
>>>
>>> Looking at the debug output I noticed the following:
>>>
>>>
>>> *May 16 2011 01:35:09.394 PDT: %SEC-6-IPACCESSLOGP: list 101 denied udp
>>> 10.70.100.100(500) -> 10.70.100.55(500), 7 packets
>>>
>>> It seems your ACL 101 is dropping the IKE traffic (UDP port 500), which is
>>> causing the problem. Try allowing IKE in your ACL and then putting the deny
>>> ip any any.
>>>
>>> HTH,
>>>
>>> Thanks
>>>
>>> Take Care
>>>
>>> On Sat, May 21, 2011 at 11:22 PM, Steve Di Bias <sdibias_at_gmail.com> wrote:
>>>
>>>> Hello Experts!
>>>>
>>>> I just finished building a tunnel between a Cisco 850 running IOS
>>>> 12.4(15)T14 and an ASA 5510 running 8.0(3). Here are my configs:
>>>>
>>>> On the Router
>>>>
>>>> crypto isakmp policy 1
>>>> encr 3des
>>>> authentication pre-share
>>>> group 2
>>>> crypto isakmp key * address 10.70.100.100
>>>> !
>>>> crypto ipsec security-association lifetime seconds 28800
>>>> !
>>>> crypto ipsec transform-set vpn esp-3des
>>>> !
>>>> crypto map vpn 10 ipsec-isakmp
>>>> set peer 10.70.100.100
>>>> set transform-set vpn
>>>> match address 151
>>>>
>>>> access-list 120 deny ip 192.168.100.0 0.0.0.255 host 10.186.56.6
>>>> access-list 120 permit ip 192.168.100.0 0.0.0.255 any
>>>> access-list 120 deny ip any any log
>>>> access-list 151 permit ip 192.168.100.0 0.0.0.255 host 10.186.56.6
>>>> access-list 151 deny ip any any log
>>>>
>>>> route-map NO-NAT permit 10
>>>> match ip address 120
>>>>
>>>> ip nat inside source route-map NO-NAT interface FastEthernet4 overload
>>>>
>>>>
>>>> On the ASA
>>>>
>>>> tunnel-group 10.70.100.55 type ipsec-l2l
>>>> tunnel-group 10.70.100.55 ipsec-attributes
>>>> pre-shared-key *
>>>>
>>>> access-list outside_1_cryptomap_NetEngCCIE extended permit ip host
>>>> 10.186.56.6 192.168.100.0 255.255.255.0
>>>> access-list outside_1_cryptomap_NetEngCCIE remark CCIE_Tunnel
>>>>
>>>> access-list inside_nat0_outbound extended permit ip host 10.186.56.6
>>>> 192.168.100.0 255.255.255.0
>>>>
>>>> crypto map outside_map 7 match address outside_1_cryptomap_NetEngCCIE
>>>> crypto map outside_map 7 set peer 10.70.100.55
>>>> crypto map outside_map 7 set transform-set ESP-3DES-SHA
>>>>
>>>>
>>>>
>>>> And here are the debugs when I try to bring the tunnel up:
>>>>
>>>>
>>>> *May 16 2011 01:34:26.880 PDT: ISAKMP:(0): SA request profile is (NULL)
>>>> *May 16 2011 01:34:26.880 PDT: ISAKMP: Created a peer struct for
>>>> 10.70.100.100, peer port 500
>>>> *May 16 2011 01:34:26.880 PDT: ISAKMP: New peer created peer =
>>>> 0x81FB0F04
>>>> peer_handle = 0x8000000A
>>>> *May 16 2011 01:34:26.880 PDT: ISAKMP: Locking peer struct 0x81FB0F04,
>>>> refcount 1 for isakmp_initiator
>>>> *May 16 2011 01:34:26.880 PDT: ISAKMP: local port 500, remote port 500
>>>> *May 16 2011 01:34:26.880 PDT: ISAKMP: set new node 0 to QM_IDLE
>>>> *May 16 2011 01:34:26.880 PDT: insert sa successfully sa = 82FBBE5C
>>>> *May 16 2011 01:34:26.880 PDT: ISAKMP:(0):Can not start Aggressive mode,
>>>> trying Main mode.
>>>> *May 16 2011 01:34:26.880 PDT: ISAKMP:(0):found peer pre-shared key
>>>> matching
>>>> 10.70.100.100
>>>> *May 16 2011 01:34:26.880 PDT: ISAKMP:(0): constructed NAT-T
>>>> vendor-rfc3947
>>>> ID
>>>> *May 16 2011 01:34:26.880 PDT: ISAKMP:(0): constructed NAT-T vendor-07
>>>> ID
>>>> *May 16 2011 01:34:26.880 PDT: ISAKMP:(0): constructed NAT-T vendor-03
>>>> ID
>>>> *May 16 2011 01:34:26.880 PDT: ISAKMP:(0): constructed NAT-T vendor-02
>>>> ID
>>>> *May 16 2011 01:34:26.880 PDT: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC,
>>>> IKE_SA_REQ_MM
>>>> *May 16 2011 01:34:26.880 PDT: ISAKMP:(0):Old State = IKE_READY New
>>>> State =
>>>> IKE_I_MM1
>>>>
>>>> *May 16 2011 01:34:26.880 PDT: ISAKMP:(0): beginning Main Mode exchange
>>>> SD-c850-Edge#
>>>> *May 16 2011 01:34:26.880 PDT: ISAKMP:(0): sending packet to
>>>> 10.70.100.100
>>>> my_port 500 peer_port 500 (I) MM_NO_STATE
>>>> *May 16 2011 01:34:26.880 PDT: ISAKMP:(0):Sending an IKE IPv4 Packet.
>>>> SD-c850-Edge#
>>>> SD-c850-Edge#
>>>> SD-c850-Edge#
>>>> SD-c850-Edge#
>>>> SD-c850-Edge#
>>>> *May 16 2011 01:34:36.882 PDT: ISAKMP:(0): retransmitting phase 1
>>>> MM_NO_STATE...
>>>> *May 16 2011 01:34:36.882 PDT: ISAKMP (0:0): incrementing error counter
>>>> on
>>>> sa, attempt 1 of 5: retransmit phase 1
>>>> *May 16 2011 01:34:36.882 PDT: ISAKMP:(0): retransmitting phase 1
>>>> MM_NO_STATE
>>>> *May 16 2011 01:34:36.882 PDT: ISAKMP:(0): sending packet to
>>>> 10.70.100.100
>>>> my_port 500 peer_port 500 (I) MM_NO_STATE
>>>> *May 16 2011 01:34:36.882 PDT: ISAKMP:(0):Sending an IKE IPv4 Packet.
>>>> SD-c850-Edge#
>>>> *May 16 2011 01:34:46.885 PDT: ISAKMP:(0): retransmitting phase 1
>>>> MM_NO_STATE...
>>>> *May 16 2011 01:34:46.885 PDT: ISAKMP (0:0): incrementing error counter
>>>> on
>>>> sa, attempt 2 of 5: retransmit phase 1
>>>> *May 16 2011 01:34:46.885 PDT: ISAKMP:(0): retransmitting phase 1
>>>> MM_NO_STATE
>>>> *May 16 2011 01:34:46.885 PDT: ISAKMP:(0): sending packet to
>>>> 10.70.100.100
>>>> my_port 500 peer_port 500 (I) MM_NO_STATE
>>>> *May 16 2011 01:34:46.885 PDT: ISAKMP:(0):Sending an IKE IPv4 Packet.
>>>> SD-c850-Edge#
>>>> *May 16 2011 01:34:56.879 PDT: ISAKMP: set new node 0 to QM_IDLE
>>>> *May 16 2011 01:34:56.879 PDT: ISAKMP:(0):SA is still budding. Attached
>>>> new
>>>> ipsec request to it. (local 10.70.100.55, remote 10.70.100.100)
>>>> *May 16 2011 01:34:56.879 PDT: ISAKMP: Error while processing SA
>>>> request:
>>>> Failed to initialize SA
>>>> *May 16 2011 01:34:56.879 PDT: ISAKMP: Error while processing KMI
>>>> message 0,
>>>> error 2.
>>>> *May 16 2011 01:34:56.887 PDT: ISAKMP:(0): retransmitting phase 1
>>>> MM_NO_STATE...
>>>> *May 16 2011 01:34:56.887 PDT: ISAKMP (0:0): incrementing error counter
>>>> on
>>>> sa, attempt 3 of 5: retransmit phase 1
>>>> *May 16 2011 01:34:56.887 PDT: ISAKMP:(0): retransmitting phase 1
>>>> MM_NO_STATE
>>>> SD-c850-Edge#
>>>> *May 16 2011 01:34:56.887 PDT: ISAKMP:(0): sending packet to
>>>> 10.70.100.100
>>>> my_port 500 peer_port 500 (I) MM_NO_STATE
>>>> *May 16 2011 01:34:56.887 PDT: ISAKMP:(0):Sending an IKE IPv4 Packet.
>>>> SD-c850-Edge#
>>>> *May 16 2011 01:35:06.889 PDT: ISAKMP:(0): retransmitting phase 1
>>>> MM_NO_STATE...
>>>> *May 16 2011 01:35:06.889 PDT: ISAKMP (0:0): incrementing error counter
>>>> on
>>>> sa, attempt 4 of 5: retransmit phase 1
>>>> *May 16 2011 01:35:06.889 PDT: ISAKMP:(0): retransmitting phase 1
>>>> MM_NO_STATE
>>>> *May 16 2011 01:35:06.889 PDT: ISAKMP:(0): sending packet to
>>>> 10.70.100.100
>>>> my_port 500 peer_port 500 (I) MM_NO_STATE
>>>> *May 16 2011 01:35:06.889 PDT: ISAKMP:(0):Sending an IKE IPv4 Packet.
>>>> SD-c850-Edge#
>>>> *May 16 2011 01:35:09.394 PDT: %SEC-6-IPACCESSLOGP: list 120 denied udp
>>>> 10.70.100.55(0) -> 10.70.100.100(0), 5 packets
>>>> *May 16 2011 01:35:09.394 PDT: %SEC-6-IPACCESSLOGP: list 101 denied udp
>>>> 10.70.100.100(500) -> 10.70.100.55(500), 7 packets
>>>> SD-c850-Edge#
>>>> *May 16 2011 01:35:16.891 PDT: ISAKMP:(0): retransmitting phase 1
>>>> MM_NO_STATE...
>>>> *May 16 2011 01:35:16.891 PDT: ISAKMP (0:0): incrementing error counter
>>>> on
>>>> sa, attempt 5 of 5: retransmit phase 1
>>>> *May 16 2011 01:35:16.891 PDT: ISAKMP:(0): retransmitting phase 1
>>>> MM_NO_STATE
>>>> *May 16 2011 01:35:16.891 PDT: ISAKMP:(0): sending packet to
>>>> 10.70.100.100
>>>> my_port 500 peer_port 500 (I) MM_NO_STATE
>>>> *May 16 2011 01:35:16.891 PDT: ISAKMP:(0):Sending an IKE IPv4 Packet.
>>>> SD-c850-Edge#
>>>> *May 16 2011 01:35:26.894 PDT: ISAKMP:(0): retransmitting phase 1
>>>> MM_NO_STATE...
>>>> *May 16 2011 01:35:26.894 PDT: ISAKMP:(0):peer does not do paranoid
>>>> keepalives.
>>>>
>>>> *May 16 2011 01:35:26.894 PDT: ISAKMP:(0):deleting SA reason "Death by
>>>> retransmission P1" state (I) MM_NO_STATE (peer 10.70.100.100)
>>>> *May 16 2011 01:35:26.894 PDT: ISAKMP:(0):deleting SA reason "Death by
>>>> retransmission P1" state (I) MM_NO_STATE (peer 10.70.100.100)
>>>> *May 16 2011 01:35:26.894 PDT: ISAKMP: Unlocking peer struct 0x81FB0F04
>>>> for
>>>> isadb_mark_sa_deleted(), count 0
>>>> *May 16 2011 01:35:26.894 PDT: ISAKMP: Deleting peer node by peer_reap
>>>> for
>>>> 10.70.100.100: 81FB0F04
>>>> SD-c850-Edge#
>>>> *May 16 2011 01:35:26.894 PDT: ISAKMP:(0):deleting node 1945611004 error
>>>> FALSE reason "IKE deleted"
>>>> *May 16 2011 01:35:26.894 PDT: ISAKMP:(0):deleting node 1604588444 error
>>>> FALSE reason "IKE deleted"
>>>> *May 16 2011 01:35:26.894 PDT: ISAKMP:(0):Input = IKE_MESG_INTERNAL,
>>>> IKE_PHASE1_DEL
>>>> *May 16 2011 01:35:26.894 PDT: ISAKMP:(0):Old State = IKE_I_MM1 New
>>>> State =
>>>> IKE_DEST_SA
>>>>
>>>>
>>>>
>>>> Any ideas on what is causing this? Thanks in advance!
>>>>
>>>>
>>>>
>>>> --
>>>> -Steve Di Bias
>>>>
>>>>
>>>> Blogs and organic groups at http://www.ccie.net
>>>>
>>>> _______________________________________________________________________
>>>> Subscription information may be found at:
>>>> http://www.groupstudy.com/list/CCIELab.html
>>>
>>>
>>> --
>>> KJ
>>>
>> --
>> -Steve Di Bias
>>
> --
> KJ
>

-- 
-Steve Di Bias
Blogs and organic groups at http://www.ccie.net
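An added example, not code from the thread or from Cisco, that applies Karim's diagnosis: it parses ACL 101 in the IOS syntax quoted above, replays the IKE packet from the `%SEC-6-IPACCESSLOGP` line against it with first-match semantics, and shows the packet is denied by the original list but permitted once the isakmp/esp/non500-isakmp entries sit above the denies. The port table and the abridged before/after lists are constructed from the thread; wildcard-mask entries are not handled because ACL 101 has none.

```python
import re
# Port names as IOS resolves them, and the %SEC-6-IPACCESSLOGP deny format, from the thread.
PORTS = {"bootps": 67, "bootpc": 68, "isakmp": 500, "non500-isakmp": 4500}
LOG_RE = re.compile(r"list \d+ denied (\w+) (\S+)\((\d+)\) -> (\S+)\((\d+)\)")
# ACL 101 as Karim quoted it and as Steve posted it after the fix (abridged to the relevant entries).
ACL_BEFORE = """access-list 101 permit udp any eq bootps any eq bootpc
access-list 101 deny ip host 91.212.226.179 any log
access-list 101 deny udp any any log
access-list 101 deny ip any any log"""
ACL_AFTER = """access-list 101 permit udp any eq bootps any eq bootpc
access-list 101 permit udp any any eq isakmp
access-list 101 permit esp any any
access-list 101 permit udp any any eq non500-isakmp
access-list 101 deny ip host 91.212.226.179 any log
access-list 101 deny udp any any log"""
# The denied-packet line from Steve's debug output.
LOG = ("*May 16 2011 01:35:09.394 PDT: %SEC-6-IPACCESSLOGP: list 101 denied udp "
       "10.70.100.100(500) -> 10.70.100.55(500), 7 packets")

def _endpoint(tok):
    """Pop one side of an entry: 'any' or 'host X', then an optional 'eq <port>'."""
    host = None if tok.pop(0) == "any" else tok.pop(0)    # None = any address
    port = None                                            # None = any port
    if tok[:1] == ["eq"]:
        port = PORTS[tok[1]]
        del tok[:2]
    return host, port

def parse_acl(text):
    """Parse 'access-list N ...' lines, in order, into (action, proto, src, sport, dst, dport)."""
    entries = []
    for line in text.splitlines():
        tok = line.split()[2:]                             # drop 'access-list' and the number
        action, proto = tok.pop(0), tok.pop(0)
        (src, sport), (dst, dport) = _endpoint(tok), _endpoint(tok)
        entries.append((action, proto, src, sport, dst, dport))
    return entries

def lookup(entries, proto, src, sport, dst, dport):
    """First match wins; an unmatched packet hits the implicit deny at the end of every IOS ACL."""
    for action, p, s, sp, d, dp in entries:
        if p in ("ip", proto) and s in (None, src) and d in (None, dst) \
                and sp in (None, sport) and dp in (None, dport):
            return action
    return "deny"

def replay_denied_packet(acl_text, log_line):
    """Re-run the packet from a %SEC-6-IPACCESSLOGP line against a (possibly fixed) ACL."""
    proto, src, sport, dst, dport = LOG_RE.search(log_line).groups()
    return lookup(parse_acl(acl_text), proto, src, int(sport), dst, int(dport))
```

Because first match wins, the new isakmp permit also sits above the host-specific denies, so IKE from those two hosts is no longer dropped by this list; if those hosts are meant to be blocked outright, their deny entries belong above the permits.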
Received on Sat May 21 2011 - 14:52:50 ART

This archive was generated by hypermail 2.2.0 : Wed Jun 01 2011 - 09:01:11 ART