Re: L2L Tunnel won't come up!!

From: Steve Di Bias <sdibias_at_gmail.com>
Date: Sat, 21 May 2011 15:27:10 -0700

What's up Jay!??

Let me send you the configs so you can take a look, Thanks!

On Sat, May 21, 2011 at 3:16 PM, Jay McMickle <crazyservers_at_yahoo.com> wrote:

> Yo, Steve!
>
> It looks like you partially get P1 (IKE), but it fails before you get to
> P2. Can you send the full config (minus the keys) to me directly?
>
> Also, you'll definitely need to remove the deny on ACL 151 for your 850
> router. It's implied and it will cause P2 to fail since you don't have it
> on the other side (and don't need it, either).
>
> FYI- IKE default is 86400 and so is the IPSEC P2. Since you haven't
> specified either, that's what they are set to. You'll need to reduce the
> IKE timer to be half of the IPSEC key to ensure stability.
>
>
> Regards,
> Jay McMickle- CCNP, CCSP, CCDP, MCSE
> http://mycciepursuit.wordpress.com/
>
>
> *From:* Steve Di Bias <sdibias_at_gmail.com>
> *To:* Joseph L. Brunner <joe_at_affirmedsystems.com>
> *Cc:* "ccielab_at_groupstudy.com" <ccielab_at_groupstudy.com>
> *Sent:* Saturday, May 21, 2011 3:43 PM
> *Subject:* Re: L2L Tunnel won't come up!!
>
> Joe, here you go
>
> show run crypto (ASA)
>
> crypto map outside_map 7 match address outside_1_cryptomap_NetEngCCIE
> crypto map outside_map 7 set peer 71.2.66.243
> crypto map outside_map 7 set transform-set ESP-3DES-SHA
> crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
> crypto map outside_map interface outside
>
> show ip access-list (Router)
>
> access-list 120 deny ip 192.168.100.0 0.0.0.255 host 10.186.56.6
> access-list 120 permit ip 192.168.100.0 0.0.0.255 any
> access-list 120 deny ip any any log
> access-list 151 permit ip 192.168.100.0 0.0.0.255 host 10.186.56.6
> access-list 151 deny ip any any log
>
>
>
> On Sat, May 21, 2011 at 1:32 PM, Joseph L. Brunner <joe_at_affirmedsystems.com> wrote:
>
> > Why is this being logged on your router?
> >
> > Let's see the rest of your configurations... especially the ACCESS LIST on
> > the ROUTER
> >
> > *May 16 2011 01:35:09.394 PDT: %SEC-6-IPACCESSLOGP: list 120 denied udp 10.70.100.55(0) -> 10.70.100.100(0), 5 packets
> > *May 16 2011 01:35:09.394 PDT: %SEC-6-IPACCESSLOGP: list 101 denied udp 10.70.100.100(500) -> 10.70.100.55(500), 7 packets
> >
> > Also on the ASA
> >
> > Show run crypto
> >
> > (paste result)
> >
> > -----Original Message-----
> > From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
> > Steve Di Bias
> > Sent: Saturday, May 21, 2011 4:22 PM
> > To: ccielab_at_groupstudy.com
> > Subject: OT: L2L Tunnel won't come up!!
> >
> > Hello Experts!
> >
> > I just finished building a tunnel between a Cisco 850 running IOS
> > 12.4(15)T14 and an ASA 5510 running 8.0(3). Here are my configs:
> >
> > On the Router
> >
> > crypto isakmp policy 1
> > encr 3des
> > authentication pre-share
> > group 2
> > crypto isakmp key * address 10.70.100.100
> > !
> > crypto ipsec security-association lifetime seconds 28800
> > !
> > crypto ipsec transform-set vpn esp-3des
> > !
> > crypto map vpn 10 ipsec-isakmp
> > set peer 10.70.100.100
> > set transform-set vpn
> > match address 151
> >
> > access-list 120 deny ip 192.168.100.0 0.0.0.255 host 10.186.56.6
> > access-list 120 permit ip 192.168.100.0 0.0.0.255 any
> > access-list 120 deny ip any any log
> > access-list 151 permit ip 192.168.100.0 0.0.0.255 host 10.186.56.6
> > access-list 151 deny ip any any log
> >
> > route-map NO-NAT permit 10
> > match ip address 120
> >
> > ip nat inside source route-map NO-NAT interface FastEthernet4 overload
> >
> >
> > On the ASA
> >
> > tunnel-group 10.70.100.55 type ipsec-l2l
> > tunnel-group 10.70.100.55 ipsec-attributes
> > pre-shared-key *
> >
> > access-list outside_1_cryptomap_NetEngCCIE extended permit ip host 10.186.56.6 192.168.100.0 255.255.255.0
> > access-list outside_1_cryptomap_NetEngCCIE remark CCIE_Tunnel
> >
> > access-list inside_nat0_outbound extended permit ip host 10.186.56.6 192.168.100.0 255.255.255.0
> >
> > crypto map outside_map 7 match address outside_1_cryptomap_NetEngCCIE
> > crypto map outside_map 7 set peer 10.70.100.55
> > crypto map outside_map 7 set transform-set ESP-3DES-SHA
> >
> >
> >
> > And here are the debugs when I try to bring the tunnel up:
> >
> >
> > *May 16 2011 01:34:26.880 PDT: ISAKMP:(0): SA request profile is (NULL)
> > *May 16 2011 01:34:26.880 PDT: ISAKMP: Created a peer struct for 10.70.100.100, peer port 500
> > *May 16 2011 01:34:26.880 PDT: ISAKMP: New peer created peer = 0x81FB0F04 peer_handle = 0x8000000A
> > *May 16 2011 01:34:26.880 PDT: ISAKMP: Locking peer struct 0x81FB0F04, refcount 1 for isakmp_initiator
> > *May 16 2011 01:34:26.880 PDT: ISAKMP: local port 500, remote port 500
> > *May 16 2011 01:34:26.880 PDT: ISAKMP: set new node 0 to QM_IDLE
> > *May 16 2011 01:34:26.880 PDT: insert sa successfully sa = 82FBBE5C
> > *May 16 2011 01:34:26.880 PDT: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
> > *May 16 2011 01:34:26.880 PDT: ISAKMP:(0):found peer pre-shared key matching 10.70.100.100
> > *May 16 2011 01:34:26.880 PDT: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
> > *May 16 2011 01:34:26.880 PDT: ISAKMP:(0): constructed NAT-T vendor-07 ID
> > *May 16 2011 01:34:26.880 PDT: ISAKMP:(0): constructed NAT-T vendor-03 ID
> > *May 16 2011 01:34:26.880 PDT: ISAKMP:(0): constructed NAT-T vendor-02 ID
> > *May 16 2011 01:34:26.880 PDT: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
> > *May 16 2011 01:34:26.880 PDT: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
> >
> > *May 16 2011 01:34:26.880 PDT: ISAKMP:(0): beginning Main Mode exchange
> > SD-c850-Edge#
> > *May 16 2011 01:34:26.880 PDT: ISAKMP:(0): sending packet to 10.70.100.100 my_port 500 peer_port 500 (I) MM_NO_STATE
> > *May 16 2011 01:34:26.880 PDT: ISAKMP:(0):Sending an IKE IPv4 Packet.
> > SD-c850-Edge#
> > SD-c850-Edge#
> > SD-c850-Edge#
> > SD-c850-Edge#
> > SD-c850-Edge#
> > *May 16 2011 01:34:36.882 PDT: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
> > *May 16 2011 01:34:36.882 PDT: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
> > *May 16 2011 01:34:36.882 PDT: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
> > *May 16 2011 01:34:36.882 PDT: ISAKMP:(0): sending packet to 10.70.100.100 my_port 500 peer_port 500 (I) MM_NO_STATE
> > *May 16 2011 01:34:36.882 PDT: ISAKMP:(0):Sending an IKE IPv4 Packet.
> > SD-c850-Edge#
> > *May 16 2011 01:34:46.885 PDT: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
> > *May 16 2011 01:34:46.885 PDT: ISAKMP (0:0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
> > *May 16 2011 01:34:46.885 PDT: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
> > *May 16 2011 01:34:46.885 PDT: ISAKMP:(0): sending packet to 10.70.100.100 my_port 500 peer_port 500 (I) MM_NO_STATE
> > *May 16 2011 01:34:46.885 PDT: ISAKMP:(0):Sending an IKE IPv4 Packet.
> > SD-c850-Edge#
> > *May 16 2011 01:34:56.879 PDT: ISAKMP: set new node 0 to QM_IDLE
> > *May 16 2011 01:34:56.879 PDT: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local 10.70.100.55, remote 10.70.100.100)
> > *May 16 2011 01:34:56.879 PDT: ISAKMP: Error while processing SA request: Failed to initialize SA
> > *May 16 2011 01:34:56.879 PDT: ISAKMP: Error while processing KMI message 0, error 2.
> > *May 16 2011 01:34:56.887 PDT: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
> > *May 16 2011 01:34:56.887 PDT: ISAKMP (0:0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
> > *May 16 2011 01:34:56.887 PDT: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
> > SD-c850-Edge#
> > *May 16 2011 01:34:56.887 PDT: ISAKMP:(0): sending packet to 10.70.100.100 my_port 500 peer_port 500 (I) MM_NO_STATE
> > *May 16 2011 01:34:56.887 PDT: ISAKMP:(0):Sending an IKE IPv4 Packet.
> > SD-c850-Edge#
> > *May 16 2011 01:35:06.889 PDT: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
> > *May 16 2011 01:35:06.889 PDT: ISAKMP (0:0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
> > *May 16 2011 01:35:06.889 PDT: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
> > *May 16 2011 01:35:06.889 PDT: ISAKMP:(0): sending packet to 10.70.100.100 my_port 500 peer_port 500 (I) MM_NO_STATE
> > *May 16 2011 01:35:06.889 PDT: ISAKMP:(0):Sending an IKE IPv4 Packet.
> > SD-c850-Edge#
> > *May 16 2011 01:35:09.394 PDT: %SEC-6-IPACCESSLOGP: list 120 denied udp 10.70.100.55(0) -> 10.70.100.100(0), 5 packets
> > *May 16 2011 01:35:09.394 PDT: %SEC-6-IPACCESSLOGP: list 101 denied udp 10.70.100.100(500) -> 10.70.100.55(500), 7 packets
> > SD-c850-Edge#
> > *May 16 2011 01:35:16.891 PDT: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
> > *May 16 2011 01:35:16.891 PDT: ISAKMP (0:0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
> > *May 16 2011 01:35:16.891 PDT: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
> > *May 16 2011 01:35:16.891 PDT: ISAKMP:(0): sending packet to 10.70.100.100 my_port 500 peer_port 500 (I) MM_NO_STATE
> > *May 16 2011 01:35:16.891 PDT: ISAKMP:(0):Sending an IKE IPv4 Packet.
> > SD-c850-Edge#
> > *May 16 2011 01:35:26.894 PDT: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
> > *May 16 2011 01:35:26.894 PDT: ISAKMP:(0):peer does not do paranoid keepalives.
> >
> > *May 16 2011 01:35:26.894 PDT: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 10.70.100.100)
> > *May 16 2011 01:35:26.894 PDT: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 10.70.100.100)
> > *May 16 2011 01:35:26.894 PDT: ISAKMP: Unlocking peer struct 0x81FB0F04 for isadb_mark_sa_deleted(), count 0
> > *May 16 2011 01:35:26.894 PDT: ISAKMP: Deleting peer node by peer_reap for 10.70.100.100: 81FB0F04
> > SD-c850-Edge#
> > *May 16 2011 01:35:26.894 PDT: ISAKMP:(0):deleting node 1945611004 error FALSE reason "IKE deleted"
> > *May 16 2011 01:35:26.894 PDT: ISAKMP:(0):deleting node 1604588444 error FALSE reason "IKE deleted"
> > *May 16 2011 01:35:26.894 PDT: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
> > *May 16 2011 01:35:26.894 PDT: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_DEST_SA
> >
> >
> >
> > Any ideas on what is causing this?? Thanks in advance!
> >
> >
> >
> > --
> > -Steve Di Bias
> >
> >
> > Blogs and organic groups at http://www.ccie.net
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
>
>
> --
> -Steve Di Bias
>
>

-- 
-Steve Di Bias
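The debug that Steve posted ends in MM_NO_STATE with "Death by retransmission P1", which means the router sent the first main-mode packet and never received a reply, and the only %SEC-6-IPACCESSLOGP line that matters for that is list 101 denying UDP/500 from the ASA peer. Below is an added example, not code from the thread or from anyone in it, that pulls those two facts out of the pasted output and also checks the two crypto ACLs against each other, converting the IOS wildcard masks and the ASA netmasks to a common form so a mismatch (or the explicit deny Jay mentions) is reported. Assumptions: ACL 120 is treated as the NO-NAT route-map ACL because that is how the router config uses it, and ACL 101, which is not in the paste, is assumed to be an inbound filter on the router's outside interface. The sample lines are copied from the debug and the configs above.

```python
"""Triage an IOS IKEv1 phase-1 failure from 'debug crypto isakmp' and %SEC-6-IPACCESSLOGP
lines, then check that two crypto ACLs mirror each other. Added example; samples from the thread."""
import ipaddress
import re

RE_STATE = re.compile(r"Old State = (\S+) New State\s*=\s*(\S+)")
RE_DEATH = re.compile(r'deleting SA reason "Death by retransmission P1" '
                      r"state \(I\) (\S+) \(peer ([\d.]+)\)")
RE_ACLLOG = re.compile(r"%SEC-6-IPACCESSLOGP: list (\S+) denied (\w+) "
                       r"([\d.]+)\((\d+)\) -> ([\d.]+)\((\d+)\), (\d+) packets")
IKE_PORTS = {500, 4500}  # ISAKMP and NAT-T

def triage_phase1(lines, local, peer, nat_acls=()):
    """Return [(code, message)] explaining why the initiator's phase 1 died.
    nat_acls: ACLs used only by 'ip nat ... route-map'; a deny there means
    'do not translate', not 'drop', so a log hit on one is informational."""
    states, death, denies = [], None, []
    for line in lines:
        if m := RE_STATE.search(line):
            states.append(m.group(2))
        if (m := RE_DEATH.search(line)) and m.group(2) == peer:
            death = m.group(1)
        if m := RE_ACLLOG.search(line):
            acl, proto, src, sport, dst, dport, n = m.groups()
            denies.append((acl, proto, src, int(sport), dst, int(dport), int(n)))
    findings = []
    reached = [s for s in states if s != "IKE_DEST_SA"]
    if death == "MM_NO_STATE":  # MM1 was sent, MM2 never came back
        findings.append(("no_mm2_reply", f"SA died in MM_NO_STATE (last state "
                         f"{reached[-1] if reached else '?'}): no reply to MM1, so check "
                         "reachability and filters before the PSK or proposals"))
    for acl, proto, src, sport, dst, dport, n in denies:
        if proto != "udp" or {src, dst} != {local, peer}:
            continue  # not this tunnel's IKE traffic
        if acl in nat_acls:
            findings.append(("nat_acl_informational", f"list {acl} deny {src}->{dst} is "
                             "the NAT route-map ACL: exempts from translation, drops nothing"))
        elif src == peer and sport in IKE_PORTS:
            findings.append(("acl_drops_ike_reply", f"list {acl} dropped {n} IKE packets "
                             f"{src}:{sport}->{dst}:{dport}; add 'permit udp host {peer} host "
                             f"{local} eq isakmp' (plus non500-isakmp and esp) to it"))
    return findings

def _addr(toks, i, wildcard):
    """Consume one address spec (any | host A | A mask) starting at toks[i]."""
    if toks[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if toks[i] == "host":
        return ipaddress.ip_network(toks[i + 1] + "/32"), i + 2
    mask = toks[i + 1]
    if wildcard:  # IOS wildcard bits -> netmask; ASA ACLs already carry netmasks
        mask = ".".join(str(255 - int(o)) for o in mask.split("."))
    return ipaddress.ip_network(f"{toks[i]}/{mask}", strict=False), i + 2

def parse_crypto_acl(lines, wildcard):
    """[(action, src_net, dst_net)] for 'ip' ACEs; remarks and trailing 'log' ignored."""
    entries = []
    for line in lines:
        toks = line.split()
        if "remark" in toks or "ip" not in toks:
            continue
        i = toks.index("ip")
        src, j = _addr(toks, i + 1, wildcard)
        dst, _ = _addr(toks, j, wildcard)
        entries.append((toks[i - 1], src, dst))
    return entries

def mirror_problems(local_entries, remote_entries):
    """[(code, message)]: each permit must appear reversed on the other side, and a
    crypto ACL needs no explicit deny (the implicit deny already ends it)."""
    probs = [("deny_in_crypto_acl", f"explicit deny {s} -> {d}: remove it")
             for a, s, d in local_entries + remote_entries if a == "deny"]
    local = {(s, d) for a, s, d in local_entries if a == "permit"}
    remote = {(d, s) for a, s, d in remote_entries if a == "permit"}  # reversed view
    for s, d in sorted(local ^ remote, key=str):
        probs.append(("unmirrored_ace", f"{s} -> {d} has no mirror image on the other side"))
    return probs

# Sample input copied from the debug and configs posted in the thread above.
DEBUG_LINES = [
    "*May 16 2011 01:34:26.880 PDT: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1",
    "*May 16 2011 01:35:09.394 PDT: %SEC-6-IPACCESSLOGP: list 120 denied udp 10.70.100.55(0) -> 10.70.100.100(0), 5 packets",
    "*May 16 2011 01:35:09.394 PDT: %SEC-6-IPACCESSLOGP: list 101 denied udp 10.70.100.100(500) -> 10.70.100.55(500), 7 packets",
    '*May 16 2011 01:35:26.894 PDT: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 10.70.100.100)',
    "*May 16 2011 01:35:26.894 PDT: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_DEST_SA",
]
IOS_ACL_151 = ["access-list 151 permit ip 192.168.100.0 0.0.0.255 host 10.186.56.6",
               "access-list 151 deny ip any any log"]
ASA_CRYPTO_ACL = ["access-list outside_1_cryptomap_NetEngCCIE extended permit ip host 10.186.56.6 192.168.100.0 255.255.255.0",
                  "access-list outside_1_cryptomap_NetEngCCIE remark CCIE_Tunnel"]

if __name__ == "__main__":
    # ACL 120 is the NO-NAT route-map ACL in the posted config; ACL 101 is not in the
    # paste and is assumed here to be an inbound filter on the router's outside interface.
    for code, msg in (triage_phase1(DEBUG_LINES, "10.70.100.55", "10.70.100.100", nat_acls=("120",))
                      + mirror_problems(parse_crypto_acl(IOS_ACL_151, True),
                                        parse_crypto_acl(ASA_CRYPTO_ACL, False))):
        print(f"[{code}] {msg}")
```

Run against the posted output it reports three things: the SA never left IKE_I_MM1, the list 120 hit is only the NAT exemption ACL logging a non-match, and list 101 dropped seven UDP/500 packets from the ASA, which is enough on its own to explain the retransmit death; nothing about the pre-shared key or the ISAKMP policy is exercised until that reply gets through. The ACL check finds the two permits to be exact mirrors and flags only the explicit deny. One more phase-2 item the script does not check: the router's transform set is esp-3des with no ESP authentication, while the ASA references ESP-3DES-SHA; if that set is the default esp-3des esp-sha-hmac, the proposals will not match once phase 1 is fixed.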
Received on Sat May 21 2011 - 15:27:10 ART
