Re: OT: L2L Tunnel wont come up!!

From: Steve Di Bias <sdibias_at_gmail.com>
Date: Sun, 22 May 2011 08:47:34 -0700

Jay, that did it, you're the man! Thanks to Jay, Joe, and everyone else for
pushing me in the right direction! The tunnel is now up and working
correctly!

dst             src             state          conn-id slot status
10.70.100.100   10.70.100.55    QM_IDLE           2031    0 ACTIVE

Thanks!

On Sun, May 22, 2011 at 7:47 AM, Jay McMickle <crazyservers_at_yahoo.com> wrote:

> Steve,
> I found your issue and I've sent it to you unicast. Your transform-sets
> don't match on both sides, and your ACL 151 doesn't match for phase 2.
>
> Shout back unicast with further debugs if it's still troubling you. I can
> simulate in my lab, too, if needed.
>
> OUT.
>
>
> Regards,
> Jay McMickle- CCNP, CCSP, CCDP, MCSE
> http://mycciepursuit.wordpress.com/
>
>
> *From:* Steve Di Bias <sdibias_at_gmail.com>
> *To:* karim jamali <karim.jamali_at_gmail.com>
> *Cc:* Cisco certification <ccielab_at_groupstudy.com>
> *Sent:* Saturday, May 21, 2011 4:52 PM
> *Subject:* Re: OT: L2L Tunnel wont come up!!
>
> I did modify it but never posted the config.
>
> SD-c850-Edge#sh access-list 101
> Extended IP access list 101
> 10 permit udp any eq bootps any eq bootpc (39 matches)
> 11 permit udp any any eq isakmp (60 matches)
> 12 permit udp any eq isakmp any
> 13 permit esp any any
> 14 permit udp any any eq non500-isakmp
> 20 deny ip host 91.212.226.179 any log
> 30 deny ip host 194.28.112.6 any log
> 40 deny tcp any any log (112 matches)
> 50 deny udp any any log (97 matches)
> 60 deny ip any any log (11269 matches)
>
> On Sat, May 21, 2011 at 2:13 PM, karim jamali <karim.jamali_at_gmail.com> wrote:
>
> > Hi Steve,
> >
> > I still see the ACL as follows:
> >
> > access-list 101 permit udp any eq bootps any eq bootpc
> > access-list 101 deny ip host 91.212.226.179 any log
> > access-list 101 deny ip host 194.28.112.6 any log
> > access-list 101 deny tcp any any log
> > access-list 101 deny udp any any log
> > access-list 101 deny ip any any log
> >
> > Did you fix the ACL? As it stands, you are still dropping IKE traffic.
> >
> > Thanks
> >
> >
> > On Sun, May 22, 2011 at 12:07 AM, Steve Di Bias <sdibias_at_gmail.com> wrote:
> >
> >> Thanks for the help, guys. I added it but am still having issues, as you
> >> can see in my post to Joe.
> >>
> >>
> >> On Sat, May 21, 2011 at 1:53 PM, karim jamali <karim.jamali_at_gmail.com> wrote:
> >>
> >>> Hi Steve,
> >>>
> >>> Looking at the debug output, I noticed the following:
> >>>
> >>> *May 16 2011 01:35:09.394 PDT: %SEC-6-IPACCESSLOGP: list 101 denied udp 10.70.100.100(500) -> 10.70.100.55(500), 7 packets
> >>>
> >>> It seems your ACL 101 is dropping the IKE traffic (UDP port 500), which is
> >>> causing the problem. Try allowing IKE in your ACL and then putting the deny
> >>> ip any any.
> >>>
> >>> HTH,
> >>>
> >>> Thanks
> >>>
> >>> Take Care
> >>>
> >>> On Sat, May 21, 2011 at 11:22 PM, Steve Di Bias <sdibias_at_gmail.com> wrote:
> >>>
> >>>> Hello Experts!
> >>>>
> >>>> I just finished building a tunnel between a Cisco 850 running IOS
> >>>> 12.4(15)T14 and an ASA 5510 running 8.0(3). Here are my configs:
> >>>>
> >>>> On the Router
> >>>>
> >>>> crypto isakmp policy 1
> >>>> encr 3des
> >>>> authentication pre-share
> >>>> group 2
> >>>> crypto isakmp key * address 10.70.100.100
> >>>> !
> >>>> crypto ipsec security-association lifetime seconds 28800
> >>>> !
> >>>> crypto ipsec transform-set vpn esp-3des
> >>>> !
> >>>> crypto map vpn 10 ipsec-isakmp
> >>>> set peer 10.70.100.100
> >>>> set transform-set vpn
> >>>> match address 151
> >>>>
> >>>> access-list 120 deny ip 192.168.100.0 0.0.0.255 host 10.186.56.6
> >>>> access-list 120 permit ip 192.168.100.0 0.0.0.255 any
> >>>> access-list 120 deny ip any any log
> >>>> access-list 151 permit ip 192.168.100.0 0.0.0.255 host 10.186.56.6
> >>>> access-list 151 deny ip any any log
> >>>>
> >>>> route-map NO-NAT permit 10
> >>>> match ip address 120
> >>>>
> >>>> ip nat inside source route-map NO-NAT interface FastEthernet4 overload
> >>>>
> >>>>
> >>>> On the ASA
> >>>>
> >>>> tunnel-group 10.70.100.55 type ipsec-l2l
> >>>> tunnel-group 10.70.100.55 ipsec-attributes
> >>>> pre-shared-key *
> >>>>
> >>>> access-list outside_1_cryptomap_NetEngCCIE extended permit ip host
> >>>> 10.186.56.6 192.168.100.0 255.255.255.0
> >>>> access-list outside_1_cryptomap_NetEngCCIE remark CCIE_Tunnel
> >>>>
> >>>> access-list inside_nat0_outbound extended permit ip host 10.186.56.6
> >>>> 192.168.100.0 255.255.255.0
> >>>>
> >>>> crypto map outside_map 7 match address outside_1_cryptomap_NetEngCCIE
> >>>> crypto map outside_map 7 set peer 10.70.100.55
> >>>> crypto map outside_map 7 set transform-set ESP-3DES-SHA
> >>>>
> >>>>
> >>>>
> >>>> And here are the debugs when I try to bring the tunnel up:
> >>>>
> >>>>
> >>>> *May 16 2011 01:34:26.880 PDT: ISAKMP:(0): SA request profile is (NULL)
> >>>> *May 16 2011 01:34:26.880 PDT: ISAKMP: Created a peer struct for 10.70.100.100, peer port 500
> >>>> *May 16 2011 01:34:26.880 PDT: ISAKMP: New peer created peer = 0x81FB0F04 peer_handle = 0x8000000A
> >>>> *May 16 2011 01:34:26.880 PDT: ISAKMP: Locking peer struct 0x81FB0F04, refcount 1 for isakmp_initiator
> >>>> *May 16 2011 01:34:26.880 PDT: ISAKMP: local port 500, remote port 500
> >>>> *May 16 2011 01:34:26.880 PDT: ISAKMP: set new node 0 to QM_IDLE
> >>>> *May 16 2011 01:34:26.880 PDT: insert sa successfully sa = 82FBBE5C
> >>>> *May 16 2011 01:34:26.880 PDT: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
> >>>> *May 16 2011 01:34:26.880 PDT: ISAKMP:(0):found peer pre-shared key matching 10.70.100.100
> >>>> *May 16 2011 01:34:26.880 PDT: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
> >>>> *May 16 2011 01:34:26.880 PDT: ISAKMP:(0): constructed NAT-T vendor-07 ID
> >>>> *May 16 2011 01:34:26.880 PDT: ISAKMP:(0): constructed NAT-T vendor-03 ID
> >>>> *May 16 2011 01:34:26.880 PDT: ISAKMP:(0): constructed NAT-T vendor-02 ID
> >>>> *May 16 2011 01:34:26.880 PDT: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
> >>>> *May 16 2011 01:34:26.880 PDT: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
> >>>>
> >>>> *May 16 2011 01:34:26.880 PDT: ISAKMP:(0): beginning Main Mode exchange
> >>>> SD-c850-Edge#
> >>>> *May 16 2011 01:34:26.880 PDT: ISAKMP:(0): sending packet to 10.70.100.100 my_port 500 peer_port 500 (I) MM_NO_STATE
> >>>> *May 16 2011 01:34:26.880 PDT: ISAKMP:(0):Sending an IKE IPv4 Packet.
> >>>> SD-c850-Edge#
> >>>> *May 16 2011 01:34:36.882 PDT: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
> >>>> *May 16 2011 01:34:36.882 PDT: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
> >>>> *May 16 2011 01:34:36.882 PDT: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
> >>>> *May 16 2011 01:34:36.882 PDT: ISAKMP:(0): sending packet to 10.70.100.100 my_port 500 peer_port 500 (I) MM_NO_STATE
> >>>> *May 16 2011 01:34:36.882 PDT: ISAKMP:(0):Sending an IKE IPv4 Packet.
> >>>> SD-c850-Edge#
> >>>> *May 16 2011 01:34:46.885 PDT: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
> >>>> *May 16 2011 01:34:46.885 PDT: ISAKMP (0:0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
> >>>> *May 16 2011 01:34:46.885 PDT: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
> >>>> *May 16 2011 01:34:46.885 PDT: ISAKMP:(0): sending packet to 10.70.100.100 my_port 500 peer_port 500 (I) MM_NO_STATE
> >>>> *May 16 2011 01:34:46.885 PDT: ISAKMP:(0):Sending an IKE IPv4 Packet.
> >>>> SD-c850-Edge#
> >>>> *May 16 2011 01:34:56.879 PDT: ISAKMP: set new node 0 to QM_IDLE
> >>>> *May 16 2011 01:34:56.879 PDT: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local 10.70.100.55, remote 10.70.100.100)
> >>>> *May 16 2011 01:34:56.879 PDT: ISAKMP: Error while processing SA request: Failed to initialize SA
> >>>> *May 16 2011 01:34:56.879 PDT: ISAKMP: Error while processing KMI message 0, error 2.
> >>>> *May 16 2011 01:34:56.887 PDT: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
> >>>> *May 16 2011 01:34:56.887 PDT: ISAKMP (0:0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
> >>>> *May 16 2011 01:34:56.887 PDT: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
> >>>> SD-c850-Edge#
> >>>> *May 16 2011 01:34:56.887 PDT: ISAKMP:(0): sending packet to 10.70.100.100 my_port 500 peer_port 500 (I) MM_NO_STATE
> >>>> *May 16 2011 01:34:56.887 PDT: ISAKMP:(0):Sending an IKE IPv4 Packet.
> >>>> SD-c850-Edge#
> >>>> *May 16 2011 01:35:06.889 PDT: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
> >>>> *May 16 2011 01:35:06.889 PDT: ISAKMP (0:0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
> >>>> *May 16 2011 01:35:06.889 PDT: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
> >>>> *May 16 2011 01:35:06.889 PDT: ISAKMP:(0): sending packet to 10.70.100.100 my_port 500 peer_port 500 (I) MM_NO_STATE
> >>>> *May 16 2011 01:35:06.889 PDT: ISAKMP:(0):Sending an IKE IPv4 Packet.
> >>>> SD-c850-Edge#
> >>>> *May 16 2011 01:35:09.394 PDT: %SEC-6-IPACCESSLOGP: list 120 denied udp 10.70.100.55(0) -> 10.70.100.100(0), 5 packets
> >>>> *May 16 2011 01:35:09.394 PDT: %SEC-6-IPACCESSLOGP: list 101 denied udp 10.70.100.100(500) -> 10.70.100.55(500), 7 packets
> >>>> SD-c850-Edge#
> >>>> *May 16 2011 01:35:16.891 PDT: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
> >>>> *May 16 2011 01:35:16.891 PDT: ISAKMP (0:0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
> >>>> *May 16 2011 01:35:16.891 PDT: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
> >>>> *May 16 2011 01:35:16.891 PDT: ISAKMP:(0): sending packet to 10.70.100.100 my_port 500 peer_port 500 (I) MM_NO_STATE
> >>>> *May 16 2011 01:35:16.891 PDT: ISAKMP:(0):Sending an IKE IPv4 Packet.
> >>>> SD-c850-Edge#
> >>>> *May 16 2011 01:35:26.894 PDT: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
> >>>> *May 16 2011 01:35:26.894 PDT: ISAKMP:(0):peer does not do paranoid keepalives.
> >>>>
> >>>> *May 16 2011 01:35:26.894 PDT: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 10.70.100.100)
> >>>> *May 16 2011 01:35:26.894 PDT: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 10.70.100.100)
> >>>> *May 16 2011 01:35:26.894 PDT: ISAKMP: Unlocking peer struct 0x81FB0F04 for isadb_mark_sa_deleted(), count 0
> >>>> *May 16 2011 01:35:26.894 PDT: ISAKMP: Deleting peer node by peer_reap for 10.70.100.100: 81FB0F04
> >>>> SD-c850-Edge#
> >>>> *May 16 2011 01:35:26.894 PDT: ISAKMP:(0):deleting node 1945611004 error FALSE reason "IKE deleted"
> >>>> *May 16 2011 01:35:26.894 PDT: ISAKMP:(0):deleting node 1604588444 error FALSE reason "IKE deleted"
> >>>> *May 16 2011 01:35:26.894 PDT: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
> >>>> *May 16 2011 01:35:26.894 PDT: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_DEST_SA
> >>>>
> >>>>
> >>>>
> >>>> Any ideas on what is causing this?? Thanks in advance!
> >>>>
> >>>>
> >>>>
> >>>> --
> >>>> -Steve Di Bias
> >>>>
> >>>>
> >>>> Blogs and organic groups at http://www.ccie.net
> >>>>
> >>>>
> _______________________________________________________________________
> >>>> Subscription information may be found at:
> >>>> http://www.groupstudy.com/list/CCIELab.html
> >>>>
> >>>
> >>>
> >>> --
> >>> KJ
> >>>
> >>
> >> --
> >> -Steve Di Bias
> >>
> >
> > --
> > KJ
> >
>
> --
> -Steve Di Bias
>

-- 
-Steve Di Bias
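The interface-ACL problem Karim spotted from the %SEC-6-IPACCESSLOGP line, and the corrected ACL 101 Steve posted afterwards, as an added example that is not part of the original thread: a small Python checker that evaluates an IOS extended ACL the way the router does (top down, first match wins, implicit deny at the end) against the three inbound flows an IKEv1/IPsec peer needs (UDP 500, UDP 4500 for NAT-T, and ESP), and that pulls IKE denies out of the router's syslog. The ACL text, peer addresses and the two log lines are copied from the thread; the function names and the port-keyword table are my own, and the wildcard handling assumes contiguous masks.

```python
"""Does the inbound interface ACL let an IPsec peer's control traffic through?

Added example, not code from the original thread. Parses IOS extended ACL
entries in either the running-config form or the `show access-list` form,
evaluates a packet the way IOS does (first match wins, implicit deny at the
end) and flags IKE denies in %SEC-6-IPACCESSLOGP syslog lines.
"""
import ipaddress
import re

IKE_PORT = 500        # ISAKMP / IKEv1
NAT_T_PORT = 4500     # IKE and ESP-in-UDP once NAT-T is negotiated

# Port keywords IOS prints in place of numbers (only the ones that appear here).
PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500, "bootps": 67, "bootpc": 68}

PEER, LOCAL = "10.70.100.100", "10.70.100.55"   # ASA and router outside addresses

# ACL 101 as Karim quoted it: nothing permits UDP 500/4500 or ESP before the denies.
ACL_BEFORE = """
access-list 101 permit udp any eq bootps any eq bootpc
access-list 101 deny ip host 91.212.226.179 any log
access-list 101 deny ip host 194.28.112.6 any log
access-list 101 deny tcp any any log
access-list 101 deny udp any any log
access-list 101 deny ip any any log
"""

# ACL 101 as Steve re-posted it, in `show access-list` form (hit counters included).
ACL_AFTER = """
Extended IP access list 101
10 permit udp any eq bootps any eq bootpc (39 matches)
11 permit udp any any eq isakmp (60 matches)
12 permit udp any eq isakmp any
13 permit esp any any
14 permit udp any any eq non500-isakmp
20 deny ip host 91.212.226.179 any log
30 deny ip host 194.28.112.6 any log
40 deny tcp any any log (112 matches)
50 deny udp any any log (97 matches)
60 deny ip any any log (11269 matches)
"""


def _addr(t, i):
    """Consume one address spec at t[i] ('any', 'host A', 'A WILDCARD'); return (network, next)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    # IOS wildcard masks are inverted netmasks; assumes a contiguous wildcard.
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(t[i + 1])))
    return ipaddress.ip_network(f"{t[i]}/{netmask}", strict=False), i + 2


def _port(t, i):
    """Consume an optional 'eq <port>' qualifier; None means any port."""
    if i < len(t) and t[i] == "eq":
        p = t[i + 1]
        return (PORT_NAMES[p] if p in PORT_NAMES else int(p)), i + 2
    return None, i


def parse_acl(text):
    """Turn ACL lines (either dialect) into ordered rule dicts."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if t[:1] == ["access-list"]:
            t = t[2:]                  # running-config form: drop 'access-list <n>'
        elif t and t[0].isdigit():
            t = t[1:]                  # show access-list form: drop the sequence number
        else:
            continue                   # header or blank line
        if t[0] == "remark":
            continue
        action, proto = t[0], t[1]
        src, i = _addr(t, 2)
        sport, i = _port(t, i)
        dst, i = _addr(t, i)
        dport, i = _port(t, i)
        rules.append(dict(action=action, proto=proto, src=src, sport=sport,
                          dst=dst, dport=dport, text=" ".join(t)))
    return rules


def evaluate(rules, proto, src, sport, dst, dport):
    """First-match lookup; returns the winning rule, or the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r["proto"] not in ("ip", proto):        # 'ip' entries match every protocol
            continue
        if s not in r["src"] or d not in r["dst"]:
            continue
        if r["sport"] is not None and r["sport"] != sport:
            continue
        if r["dport"] is not None and r["dport"] != dport:
            continue
        return r
    return dict(action="deny", text="<implicit deny ip any any>")


def ipsec_gate_check(acl_text, peer=PEER, local=LOCAL):
    """Action taken on each inbound flow an IKEv1/IPsec tunnel needs from `peer`."""
    rules = parse_acl(acl_text)
    flows = {
        "ike":   ("udp", peer, IKE_PORT, local, IKE_PORT),
        "nat-t": ("udp", peer, NAT_T_PORT, local, NAT_T_PORT),
        "esp":   ("esp", peer, None, local, None),
    }
    return {name: evaluate(rules, *f)["action"] for name, f in flows.items()}


# Constructed copies of the two syslog lines from the debug in the thread.
SAMPLE_LOG = [
    "*May 16 2011 01:35:09.394 PDT: %SEC-6-IPACCESSLOGP: list 120 denied udp "
    "10.70.100.55(0) -> 10.70.100.100(0), 5 packets",
    "*May 16 2011 01:35:09.394 PDT: %SEC-6-IPACCESSLOGP: list 101 denied udp "
    "10.70.100.100(500) -> 10.70.100.55(500), 7 packets",
]

LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) denied (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\)")


def denied_ike(log_lines):
    """(acl, src, dst, dport) for every logged UDP deny that hit an IKE or NAT-T port."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m or m["proto"] != "udp":
            continue
        if {int(m["sport"]), int(m["dport"])} & {IKE_PORT, NAT_T_PORT}:
            hits.append((m["acl"], m["src"], m["dst"], int(m["dport"])))
    return hits


if __name__ == "__main__":
    print("before:", ipsec_gate_check(ACL_BEFORE))
    print("after: ", ipsec_gate_check(ACL_AFTER))
    print("IKE denies in log:", denied_ike(SAMPLE_LOG))
```

Run against the thread's two versions of ACL 101 the checker reports deny/deny/deny before and permit/permit/permit after, and the only log hit is the list 101 deny of 10.70.100.100(500). The entry that caught the IKE packets in the original ACL is `deny udp any any log`, which is why the retransmits in the debug never got an answer: the ASA's Main Mode reply was dropped on the router's outside interface before ISAKMP ever saw it.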
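The two Phase 2 points Jay raised (transform-sets that differ between the sides, and the crypto ACL not matching) as an added example, again not code from the thread: a check that compares the ESP transforms the two sides offer and verifies that the router's crypto ACL and the ASA's are exact mirrors. The router transform-set and both crypto ACLs are copied from the thread. The ASA's transform-set definition is not shown on the page, so the `ESP-3DES-SHA` line below is an assumption from its name; the wider ASA ACL at the end is constructed to show what a mirror mismatch looks like. On the two entries actually posted the mirror check passes; whatever Jay found in ACL 151 went unicast and is not on the page.

```python
"""Phase 2 sanity checks for an IOS <-> ASA L2L tunnel.

Added example, not code from the original thread. Compares the two sides'
transform-sets and checks that the crypto ACLs are exact mirrors. The ASA
transform-set definition is not shown in the thread and is assumed from its
name; the function names are my own.
"""
import ipaddress

# Router side, as posted.
ROUTER_TS = "crypto ipsec transform-set vpn esp-3des"
ROUTER_CRYPTO_ACL = """
access-list 151 permit ip 192.168.100.0 0.0.0.255 host 10.186.56.6
access-list 151 deny ip any any log
"""

# ASA side. ACL as posted; the transform-set line is ASSUMED from the name ESP-3DES-SHA.
ASA_TS = "crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac"
ASA_CRYPTO_ACL = """
access-list outside_1_cryptomap_NetEngCCIE extended permit ip host 10.186.56.6 192.168.100.0 255.255.255.0
access-list outside_1_cryptomap_NetEngCCIE remark CCIE_Tunnel
"""

# Constructed variant with a wider remote network, to show a mirror mismatch.
ASA_CRYPTO_ACL_WIDER = """
access-list outside_1_cryptomap_NetEngCCIE extended permit ip host 10.186.56.6 192.168.0.0 255.255.0.0
"""

CIPHERS = {"esp-null", "esp-des", "esp-3des", "esp-aes", "esp-aes-192", "esp-aes-256"}
INTEGRITY = {"esp-md5-hmac", "esp-sha-hmac"}


def parse_transform_set(line):
    """Return (name, cipher, integrity) from a `crypto ipsec transform-set` line."""
    t = line.split()
    name, transforms = t[3], t[4:]
    cipher = next((x for x in transforms if x in CIPHERS), None)
    integrity = next((x for x in transforms if x in INTEGRITY), None)
    return name, cipher, integrity


def transform_sets_match(a, b):
    """Quick Mode only succeeds when both sides offer the same ESP cipher and integrity."""
    return parse_transform_set(a)[1:] == parse_transform_set(b)[1:]


def _net(t, i, dialect):
    """Consume one address at t[i]: 'any', 'host A', or 'A MASK' (IOS wildcard or ASA netmask)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    mask = t[i + 1]
    if dialect == "ios":    # wildcard -> netmask; assumes a contiguous wildcard
        mask = str(ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(mask))))
    return ipaddress.ip_network(f"{t[i]}/{mask}", strict=False), i + 2


def permitted_pairs(acl_text, dialect):
    """(src, dst) network pairs from `permit ip` entries; remarks and denies are ignored."""
    pairs = set()
    for line in acl_text.strip().splitlines():
        t = line.split()
        if "remark" in t[:4] or "permit" not in t:
            continue
        i = t.index("permit") + 2          # skip 'permit' and the protocol keyword
        src, i = _net(t, i, dialect)
        dst, _ = _net(t, i, dialect)
        pairs.add((src, dst))
    return pairs


def crypto_acls_mirror(router_acl, asa_acl):
    """True when each (src, dst) on the router appears as (dst, src) on the ASA, and nothing else."""
    router = permitted_pairs(router_acl, "ios")
    asa_flipped = {(dst, src) for src, dst in permitted_pairs(asa_acl, "asa")}
    return router == asa_flipped


def phase2_report(router_ts=ROUTER_TS, asa_ts=ASA_TS,
                  router_acl=ROUTER_CRYPTO_ACL, asa_acl=ASA_CRYPTO_ACL):
    """Both Phase 2 checks in one dict, so a mismatch is visible at a glance."""
    return {"transform_sets_match": transform_sets_match(router_ts, asa_ts),
            "crypto_acls_mirror": crypto_acls_mirror(router_acl, asa_acl)}


if __name__ == "__main__":
    print(phase2_report())
    print("with the wider ASA ACL:", phase2_report(asa_acl=ASA_CRYPTO_ACL_WIDER))
```

With the assumed ASA definition the transform-set check fails, because the router offers 3DES with no integrity transform while the ASA's set carries esp-sha-hmac; the fix is to make the two sets identical, and a practitioner would pick the side with integrity rather than drop it. Note that a `deny` entry in a crypto ACL simply excludes traffic from the tunnel and is ignored by the mirror check, so it cannot cause a mismatch on its own.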
Received on Sun May 22 2011 - 08:47:34 ART

This archive was generated by hypermail 2.2.0 : Wed Jun 01 2011 - 09:01:11 ART