Steve,

I found your issue and I've sent it to you unicast. Your transform-sets
don't match on both sides and your ACL 151 doesn't match for phase 2. Shout
back unicast with further debugs if it's still troubling you. I can simulate
in my lab, too, if needed.

OUT.

Regards,
Jay McMickle - CCNP, CCSP, CCDP, MCSE
http://mycciepursuit.wordpress.com/
From: Steve Di Bias <sdibias_at_gmail.com>
To: karim jamali <karim.jamali_at_gmail.com>
Cc: Cisco certification <ccielab_at_groupstudy.com>
Sent: Saturday, May 21, 2011 4:52 PM
Subject: Re: OT: L2L Tunnel wont come up!!
I did modify it but never posted the config:

SD-c850-Edge#sh access-list 101
Extended IP access list 101
    10 permit udp any eq bootps any eq bootpc (39 matches)
    11 permit udp any any eq isakmp (60 matches)
    12 permit udp any eq isakmp any
    13 permit esp any any
    14 permit udp any any eq non500-isakmp
    20 deny ip host 91.212.226.179 any log
    30 deny ip host 194.28.112.6 any log
    40 deny tcp any any log (112 matches)
    50 deny udp any any log (97 matches)
    60 deny ip any any log (11269 matches)
On Sat, May 21, 2011 at 2:13 PM, karim jamali <karim.jamali_at_gmail.com> wrote:

> Hi Steve,
>
> I still see the ACL as follows:
>
> access-list 101 permit udp any eq bootps any eq bootpc
> access-list 101 deny ip host 91.212.226.179 any log
> access-list 101 deny ip host 194.28.112.6 any log
> access-list 101 deny tcp any any log
> access-list 101 deny udp any any log
> access-list 101 deny ip any any log
>
> Did you fix the ACL, because as such you are still dropping IKE traffic?
>
> Thanks
>
> On Sun, May 22, 2011 at 12:07 AM, Steve Di Bias <sdibias_at_gmail.com> wrote:
>
>> Thanks for the help guys, I added it but am still having issues, as you can
>> see in my post to Joe.
>>
>> On Sat, May 21, 2011 at 1:53 PM, karim jamali <karim.jamali_at_gmail.com> wrote:
>>
>>> Hi Steve,
>>>
>>> Looking at the debug output I noticed the following:
>>>
>>> *May 16 2011 01:35:09.394 PDT: %SEC-6-IPACCESSLOGP: list 101 denied udp
>>> 10.70.100.100(500) -> 10.70.100.55(500), 7 packets
>>>
>>> It seems your ACL 101 is dropping the IKE traffic (UDP port 500), which is
>>> causing the problem. Try allowing IKE in your ACL and then putting the
>>> deny ip any any.
>>>
>>> HTH,
>>>
>>> Thanks
>>>
>>> Take Care
>>>
>>> On Sat, May 21, 2011 at 11:22 PM, Steve Di Bias <sdibias_at_gmail.com> wrote:
>>>
>>>> Hello Experts!
>>>>
>>>> I just finished building a tunnel between a Cisco 850 running IOS
>>>> 12.4(15)T14 and an ASA 5510 running 8.0(3). Here are my configs:
>>>>
>>>> On the Router
>>>>
>>>> crypto isakmp policy 1
>>>> encr 3des
>>>> authentication pre-share
>>>> group 2
>>>> crypto isakmp key * address 10.70.100.100
>>>> !
>>>> crypto ipsec security-association lifetime seconds 28800
>>>> !
>>>> crypto ipsec transform-set vpn esp-3des
>>>> !
>>>> crypto map vpn 10 ipsec-isakmp
>>>> set peer 10.70.100.100
>>>> set transform-set vpn
>>>> match address 151
>>>>
>>>> access-list 120 deny ip 192.168.100.0 0.0.0.255 host 10.186.56.6
>>>> access-list 120 permit ip 192.168.100.0 0.0.0.255 any
>>>> access-list 120 deny ip any any log
>>>> access-list 151 permit ip 192.168.100.0 0.0.0.255 host 10.186.56.6
>>>> access-list 151 deny ip any any log
>>>>
>>>> route-map NO-NAT permit 10
>>>> match ip address 120
>>>>
>>>> ip nat inside source route-map NO-NAT interface FastEthernet4 overload
>>>>
>>>>
>>>> On the ASA
>>>>
>>>> tunnel-group 10.70.100.55 type ipsec-l2l
>>>> tunnel-group 10.70.100.55 ipsec-attributes
>>>> pre-shared-key *
>>>>
>>>> access-list outside_1_cryptomap_NetEngCCIE extended permit ip host 10.186.56.6 192.168.100.0 255.255.255.0
>>>> access-list outside_1_cryptomap_NetEngCCIE remark CCIE_Tunnel
>>>>
>>>> access-list inside_nat0_outbound extended permit ip host 10.186.56.6 192.168.100.0 255.255.255.0
>>>>
>>>> crypto map outside_map 7 match address outside_1_cryptomap_NetEngCCIE
>>>> crypto map outside_map 7 set peer 10.70.100.55
>>>> crypto map outside_map 7 set transform-set ESP-3DES-SHA
>>>>
>>>>
>>>> And here are the debugs when I try to bring the tunnel up:
>>>>
>>>> *May 16 2011 01:34:26.880 PDT: ISAKMP:(0): SA request profile is (NULL)
>>>> *May 16 2011 01:34:26.880 PDT: ISAKMP: Created a peer struct for 10.70.100.100, peer port 500
>>>> *May 16 2011 01:34:26.880 PDT: ISAKMP: New peer created peer = 0x81FB0F04 peer_handle = 0x8000000A
>>>> *May 16 2011 01:34:26.880 PDT: ISAKMP: Locking peer struct 0x81FB0F04, refcount 1 for isakmp_initiator
>>>> *May 16 2011 01:34:26.880 PDT: ISAKMP: local port 500, remote port 500
>>>> *May 16 2011 01:34:26.880 PDT: ISAKMP: set new node 0 to QM_IDLE
>>>> *May 16 2011 01:34:26.880 PDT: insert sa successfully sa = 82FBBE5C
>>>> *May 16 2011 01:34:26.880 PDT: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
>>>> *May 16 2011 01:34:26.880 PDT: ISAKMP:(0):found peer pre-shared key matching 10.70.100.100
>>>> *May 16 2011 01:34:26.880 PDT: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
>>>> *May 16 2011 01:34:26.880 PDT: ISAKMP:(0): constructed NAT-T vendor-07 ID
>>>> *May 16 2011 01:34:26.880 PDT: ISAKMP:(0): constructed NAT-T vendor-03 ID
>>>> *May 16 2011 01:34:26.880 PDT: ISAKMP:(0): constructed NAT-T vendor-02 ID
>>>> *May 16 2011 01:34:26.880 PDT: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
>>>> *May 16 2011 01:34:26.880 PDT: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
>>>>
>>>> *May 16 2011 01:34:26.880 PDT: ISAKMP:(0): beginning Main Mode exchange
>>>> SD-c850-Edge#
>>>> *May 16 2011 01:34:26.880 PDT: ISAKMP:(0): sending packet to 10.70.100.100 my_port 500 peer_port 500 (I) MM_NO_STATE
>>>> *May 16 2011 01:34:26.880 PDT: ISAKMP:(0):Sending an IKE IPv4 Packet.
>>>> SD-c850-Edge#
>>>> *May 16 2011 01:34:36.882 PDT: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
>>>> *May 16 2011 01:34:36.882 PDT: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
>>>> *May 16 2011 01:34:36.882 PDT: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
>>>> *May 16 2011 01:34:36.882 PDT: ISAKMP:(0): sending packet to 10.70.100.100 my_port 500 peer_port 500 (I) MM_NO_STATE
>>>> *May 16 2011 01:34:36.882 PDT: ISAKMP:(0):Sending an IKE IPv4 Packet.
>>>> SD-c850-Edge#
>>>> *May 16 2011 01:34:46.885 PDT: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
>>>> *May 16 2011 01:34:46.885 PDT: ISAKMP (0:0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
>>>> *May 16 2011 01:34:46.885 PDT: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
>>>> *May 16 2011 01:34:46.885 PDT: ISAKMP:(0): sending packet to 10.70.100.100 my_port 500 peer_port 500 (I) MM_NO_STATE
>>>> *May 16 2011 01:34:46.885 PDT: ISAKMP:(0):Sending an IKE IPv4 Packet.
>>>> SD-c850-Edge#
>>>> *May 16 2011 01:34:56.879 PDT: ISAKMP: set new node 0 to QM_IDLE
>>>> *May 16 2011 01:34:56.879 PDT: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local 10.70.100.55, remote 10.70.100.100)
>>>> *May 16 2011 01:34:56.879 PDT: ISAKMP: Error while processing SA request: Failed to initialize SA
>>>> *May 16 2011 01:34:56.879 PDT: ISAKMP: Error while processing KMI message 0, error 2.
>>>> *May 16 2011 01:34:56.887 PDT: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
>>>> *May 16 2011 01:34:56.887 PDT: ISAKMP (0:0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
>>>> *May 16 2011 01:34:56.887 PDT: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
>>>> SD-c850-Edge#
>>>> *May 16 2011 01:34:56.887 PDT: ISAKMP:(0): sending packet to 10.70.100.100 my_port 500 peer_port 500 (I) MM_NO_STATE
>>>> *May 16 2011 01:34:56.887 PDT: ISAKMP:(0):Sending an IKE IPv4 Packet.
>>>> SD-c850-Edge#
>>>> *May 16 2011 01:35:06.889 PDT: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
>>>> *May 16 2011 01:35:06.889 PDT: ISAKMP (0:0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
>>>> *May 16 2011 01:35:06.889 PDT: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
>>>> *May 16 2011 01:35:06.889 PDT: ISAKMP:(0): sending packet to 10.70.100.100 my_port 500 peer_port 500 (I) MM_NO_STATE
>>>> *May 16 2011 01:35:06.889 PDT: ISAKMP:(0):Sending an IKE IPv4 Packet.
>>>> SD-c850-Edge#
>>>> *May 16 2011 01:35:09.394 PDT: %SEC-6-IPACCESSLOGP: list 120 denied udp 10.70.100.55(0) -> 10.70.100.100(0), 5 packets
>>>> *May 16 2011 01:35:09.394 PDT: %SEC-6-IPACCESSLOGP: list 101 denied udp 10.70.100.100(500) -> 10.70.100.55(500), 7 packets
>>>> SD-c850-Edge#
>>>> *May 16 2011 01:35:16.891 PDT: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
>>>> *May 16 2011 01:35:16.891 PDT: ISAKMP (0:0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
>>>> *May 16 2011 01:35:16.891 PDT: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
>>>> *May 16 2011 01:35:16.891 PDT: ISAKMP:(0): sending packet to 10.70.100.100 my_port 500 peer_port 500 (I) MM_NO_STATE
>>>> *May 16 2011 01:35:16.891 PDT: ISAKMP:(0):Sending an IKE IPv4 Packet.
>>>> SD-c850-Edge#
>>>> *May 16 2011 01:35:26.894 PDT: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
>>>> *May 16 2011 01:35:26.894 PDT: ISAKMP:(0):peer does not do paranoid keepalives.
>>>>
>>>> *May 16 2011 01:35:26.894 PDT: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 10.70.100.100)
>>>> *May 16 2011 01:35:26.894 PDT: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 10.70.100.100)
>>>> *May 16 2011 01:35:26.894 PDT: ISAKMP: Unlocking peer struct 0x81FB0F04 for isadb_mark_sa_deleted(), count 0
>>>> *May 16 2011 01:35:26.894 PDT: ISAKMP: Deleting peer node by peer_reap for 10.70.100.100: 81FB0F04
>>>> SD-c850-Edge#
>>>> *May 16 2011 01:35:26.894 PDT: ISAKMP:(0):deleting node 1945611004 error FALSE reason "IKE deleted"
>>>> *May 16 2011 01:35:26.894 PDT: ISAKMP:(0):deleting node 1604588444 error FALSE reason "IKE deleted"
>>>> *May 16 2011 01:35:26.894 PDT: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
>>>> *May 16 2011 01:35:26.894 PDT: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_DEST_SA
>>>>
>>>> Any ideas on what is causing this?? Thanks in advance!
>>>>
>>>> --
>>>> -Steve Di Bias
>>>>
>>>> Blogs and organic groups at http://www.ccie.net
>>>>
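Added example, not code from the thread or from any of its posters: a small first-match evaluator for the subset of IOS extended-ACL syntax quoted above, run over access-list 101 both as Karim first quoted it and as Steve later showed it, to make Karim's point (the interface ACL is dropping IKE before the crypto engine ever sees it) and Jay's point (the transform sets differ) checkable offline. The peer addresses are the ones in the thread; the ASA transform set ESP-3DES-SHA is assumed to be `esp-3des esp-sha-hmac`, since its definition is not shown in the thread, and the function and constant names are this example's own.

```python
# Added example, not code from the thread: first-match evaluation of the
# IOS extended-ACL subset quoted above, plus a transform-set comparison.
import re
from collections import namedtuple
from ipaddress import IPv4Address, IPv4Network

PROTO_NUM = {"ip": 0, "tcp": 6, "udp": 17, "esp": 50}   # 0 = any IP protocol
PORT_NAME = {"isakmp": 500, "non500-isakmp": 4500, "bootps": 67, "bootpc": 68}
ANY = IPv4Network("0.0.0.0/0")
# sport/dport are None when the entry carries no 'eq <port>' qualifier
Entry = namedtuple("Entry", "action proto src sport dst dport")


def _addr(toks, i):
    """Consume one address spec (any | host A | A WILDCARD) at toks[i]."""
    if toks[i] == "any":
        return ANY, i + 1
    if toks[i] == "host":
        return IPv4Network(toks[i + 1] + "/32"), i + 2
    # IOS wildcard mask -> netmask by inverting the bits (contiguous masks only)
    mask = IPv4Address(0xFFFFFFFF ^ int(IPv4Address(toks[i + 1])))
    return IPv4Network((toks[i], str(mask)), strict=False), i + 2


def _port(toks, i):
    """Consume an optional 'eq <port>' qualifier at toks[i]."""
    if i < len(toks) and toks[i] == "eq":
        name = toks[i + 1]
        return (PORT_NAME[name] if name in PORT_NAME else int(name)), i + 2
    return None, i


def parse_acl(text):
    """Accept 'access-list N ...' config lines or 'show access-list' output."""
    entries = []
    for raw in text.strip().splitlines():
        toks = re.sub(r"\s*\(\d+ matches\)", "", raw).split()
        if toks and toks[0] == "access-list":
            toks = toks[2:]            # drop 'access-list <number>'
        elif toks and toks[0].isdigit():
            toks = toks[1:]            # drop the sequence number
        else:
            continue                   # blank line or a 'show' header line
        action, proto = toks[0], PROTO_NUM[toks[1]]
        src, i = _addr(toks, 2)
        sport, i = _port(toks, i)
        dst, i = _addr(toks, i)
        dport, i = _port(toks, i)      # a trailing 'log' keyword is ignored
        entries.append(Entry(action, proto, src, sport, dst, dport))
    return entries


def evaluate(acl, proto, src, sport, dst, dport):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    s, d = IPv4Address(src), IPv4Address(dst)
    for e in acl:
        if (e.proto in (0, proto) and s in e.src and d in e.dst
                and e.sport in (None, sport) and e.dport in (None, dport)):
            return e.action
    return "deny"


def ipsec_flows_permitted(acl_text, peer, local):
    """The three inbound flows an IPsec peer needs: IKE, NAT-T and ESP."""
    acl = parse_acl(acl_text)
    return {"ike": evaluate(acl, 17, peer, 500, local, 500),
            "nat-t": evaluate(acl, 17, peer, 4500, local, 4500),
            "esp": evaluate(acl, 50, peer, None, local, None)}


def transform_sets_compatible(a, b):
    """Both peers must propose the same ESP transforms (order and case aside)."""
    return set(a.lower().split()) == set(b.lower().split())


# ACL 101 exactly as Karim quoted it: IKE falls through to 'deny udp any any'.
ACL_BEFORE = """
access-list 101 permit udp any eq bootps any eq bootpc
access-list 101 deny ip host 91.212.226.179 any log
access-list 101 deny ip host 194.28.112.6 any log
access-list 101 deny tcp any any log
access-list 101 deny udp any any log
access-list 101 deny ip any any log
"""

# ACL 101 from Steve's later 'sh access-list 101': permits before the denies.
ACL_AFTER = """
Extended IP access list 101
    10 permit udp any eq bootps any eq bootpc (39 matches)
    11 permit udp any any eq isakmp (60 matches)
    12 permit udp any eq isakmp any
    13 permit esp any any
    14 permit udp any any eq non500-isakmp
    20 deny ip host 91.212.226.179 any log
    30 deny ip host 194.28.112.6 any log
    40 deny tcp any any log (112 matches)
    50 deny udp any any log (97 matches)
    60 deny ip any any log (11269 matches)
"""

if __name__ == "__main__":
    for label, text in (("before", ACL_BEFORE), ("after", ACL_AFTER)):
        print(label, ipsec_flows_permitted(text, "10.70.100.100", "10.70.100.55"))
    # Router side is 'esp-3des' only; the ASA's ESP-3DES-SHA is assumed here
    # (its definition is not in the thread) to be 'esp-3des esp-sha-hmac'.
    print("transform sets match:",
          transform_sets_compatible("esp-3des", "esp-3des esp-sha-hmac"))
```

Run as a script it reports every flow as deny for the first ACL and permit for the second, and False for the transform-set pair. The same evaluator accepts the wildcard form used in ACL 120 and 151, so it can also be pointed at the crypto ACL to confirm which traffic would be selected for the tunnel; the parser deliberately handles only the keywords that appear in the thread (`any`, `host`, wildcard masks, `eq`, `log`), so ranges, object groups and named ports beyond those four raise rather than silently mis-parse.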
Received on Sun May 22 2011 - 07:47:54 ART