Yo, Steve!

It looks like you partially get P1 (IKE), but it fails before you get to P2. Can you send the full config (minus the keys) to me directly?

Also, you'll definitely need to remove the deny on ACL 151 for your 850 router. It's implied and it will cause P2 to fail since you don't have it on the other side (and don't need it, either).

FYI- IKE default is 86400 and so is the IPSEC P2. Since you haven't specified either, that's what they are set to. You'll need to reduce the IKE timer to be half of the IPSEC key to ensure stability.

Regards,
Jay McMickle- CCNP, CCSP, CCDP, MCSE
http://mycciepursuit.wordpress.com/
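The crypto-ACL mirroring point Jay makes above, worked through as an added example that is not part of the thread: it parses the router's ACL 151 (IOS wildcard masks) and the ASA's outside_1_cryptomap_NetEngCCIE (netmasks) exactly as they are quoted later in the thread, and lists every entry that has no exact mirror (src/dst swapped) on the other side. The ACL text is copied from the thread; the function names are my own.

```python
import ipaddress

# Constructed from the crypto ACLs quoted in the thread: IOS wildcard syntax on the 850, netmask syntax on the ASA.
ROUTER_ACL_151 = """\
access-list 151 permit ip 192.168.100.0 0.0.0.255 host 10.186.56.6
access-list 151 deny ip any any log
"""
ASA_CRYPTO_ACL = """\
access-list outside_1_cryptomap_NetEngCCIE extended permit ip host 10.186.56.6 192.168.100.0 255.255.255.0
access-list outside_1_cryptomap_NetEngCCIE remark CCIE_Tunnel
"""

def _addr(tokens, wildcard):
    """Consume one address spec (any | host A | A mask) and return (network, leftover tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    mask = int(ipaddress.ip_address(tokens[1]))
    if wildcard:  # IOS ACLs carry inverse masks; turn 0.0.0.255 into 255.255.255.0
        mask ^= 0xFFFFFFFF
    net = ipaddress.ip_network((tokens[0], str(ipaddress.ip_address(mask))), strict=False)
    return net, tokens[2:]

def parse_acl(text, wildcard):
    """Return [(action, proto, src_net, dst_net)] per permit/deny line; remarks and a trailing 'log' are ignored."""
    entries = []
    for line in text.splitlines():
        t = line.split()
        if not t or "remark" in t:
            continue
        i = t.index("permit") if "permit" in t else t.index("deny")
        src, rest = _addr(t[i + 2:], wildcard)
        dst, _ = _addr(rest, wildcard)
        entries.append((t[i], t[i + 1], src, dst))
    return entries

def unmirrored(local, remote):
    """Entries of `local` whose exact mirror (same action/proto, src and dst swapped) is missing on `remote`."""
    mirrors = {(a, p, d, s) for a, p, s, d in remote}
    return [e for e in local if e not in mirrors]

router = parse_acl(ROUTER_ACL_151, wildcard=True)
asa = parse_acl(ASA_CRYPTO_ACL, wildcard=False)
for side, extra in (("router 151", unmirrored(router, asa)), ("ASA crypto ACL", unmirrored(asa, router))):
    for action, proto, src, dst in extra:
        print(f"{side}: '{action} {proto} {src} -> {dst}' has no mirror on the other side")
```

Run as-is it reports only the router's explicit `deny ip any any` as unmirrored, which is the entry Jay says to remove.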
From: Steve Di Bias <sdibias_at_gmail.com>
To: Joseph L. Brunner <joe_at_affirmedsystems.com>
Cc: "ccielab_at_groupstudy.com" <ccielab_at_groupstudy.com>
Sent: Saturday, May 21, 2011 3:43 PM
Subject: Re: L2L Tunnel wont come up!!
Joe, here you go

show run crypto (ASA)

crypto map outside_map 7 match address outside_1_cryptomap_NetEngCCIE
crypto map outside_map 7 set peer 71.2.66.243
crypto map outside_map 7 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside

show ip access-list (Router)

access-list 120 deny ip 192.168.100.0 0.0.0.255 host 10.186.56.6
access-list 120 permit ip 192.168.100.0 0.0.0.255 any
access-list 120 deny ip any any log
access-list 151 permit ip 192.168.100.0 0.0.0.255 host 10.186.56.6
access-list 151 deny ip any any log
On Sat, May 21, 2011 at 1:32 PM, Joseph L. Brunner <joe_at_affirmedsystems.com> wrote:

> Why is this being logged on your router?
>
> Let's see the rest of your configurations... especially the ACCESS LIST on the ROUTER
>
> *May 16 2011 01:35:09.394 PDT: %SEC-6-IPACCESSLOGP: list 120 denied udp 10.70.100.55(0) -> 10.70.100.100(0), 5 packets
> *May 16 2011 01:35:09.394 PDT: %SEC-6-IPACCESSLOGP: list 101 denied udp 10.70.100.100(500) -> 10.70.100.55(500), 7 packets
>
> Also on the ASA
>
> Show run crypto
>
> (paste result)
>
> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Steve Di Bias
> Sent: Saturday, May 21, 2011 4:22 PM
> To: ccielab_at_groupstudy.com
> Subject: OT: L2L Tunnel wont come up!!
>
> Hello Experts!
>
> I just finished building a tunnel between a Cisco 850 running IOS 12.4(15)T14 and an ASA 5510 running 8.0(3). Here are my configs:
>
> On the Router
>
> crypto isakmp policy 1
>  encr 3des
>  authentication pre-share
>  group 2
> crypto isakmp key * address 10.70.100.100
> !
> crypto ipsec security-association lifetime seconds 28800
> !
> crypto ipsec transform-set vpn esp-3des
> !
> crypto map vpn 10 ipsec-isakmp
>  set peer 10.70.100.100
>  set transform-set vpn
>  match address 151
>
> access-list 120 deny ip 192.168.100.0 0.0.0.255 host 10.186.56.6
> access-list 120 permit ip 192.168.100.0 0.0.0.255 any
> access-list 120 deny ip any any log
> access-list 151 permit ip 192.168.100.0 0.0.0.255 host 10.186.56.6
> access-list 151 deny ip any any log
>
> route-map NO-NAT permit 10
>  match ip address 120
>
> ip nat inside source route-map NO-NAT interface FastEthernet4 overload
>
> On the ASA
>
> tunnel-group 10.70.100.55 type ipsec-l2l
> tunnel-group 10.70.100.55 ipsec-attributes
>  pre-shared-key *
>
> access-list outside_1_cryptomap_NetEngCCIE extended permit ip host 10.186.56.6 192.168.100.0 255.255.255.0
> access-list outside_1_cryptomap_NetEngCCIE remark CCIE_Tunnel
>
> access-list inside_nat0_outbound extended permit ip host 10.186.56.6 192.168.100.0 255.255.255.0
>
> crypto map outside_map 7 match address outside_1_cryptomap_NetEngCCIE
> crypto map outside_map 7 set peer 10.70.100.55
> crypto map outside_map 7 set transform-set ESP-3DES-SHA
>
> And here are the debugs when I try to bring the tunnel up:
>
> *May 16 2011 01:34:26.880 PDT: ISAKMP:(0): SA request profile is (NULL)
> *May 16 2011 01:34:26.880 PDT: ISAKMP: Created a peer struct for 10.70.100.100, peer port 500
> *May 16 2011 01:34:26.880 PDT: ISAKMP: New peer created peer = 0x81FB0F04 peer_handle = 0x8000000A
> *May 16 2011 01:34:26.880 PDT: ISAKMP: Locking peer struct 0x81FB0F04, refcount 1 for isakmp_initiator
> *May 16 2011 01:34:26.880 PDT: ISAKMP: local port 500, remote port 500
> *May 16 2011 01:34:26.880 PDT: ISAKMP: set new node 0 to QM_IDLE
> *May 16 2011 01:34:26.880 PDT: insert sa successfully sa = 82FBBE5C
> *May 16 2011 01:34:26.880 PDT: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
> *May 16 2011 01:34:26.880 PDT: ISAKMP:(0):found peer pre-shared key matching 10.70.100.100
> *May 16 2011 01:34:26.880 PDT: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
> *May 16 2011 01:34:26.880 PDT: ISAKMP:(0): constructed NAT-T vendor-07 ID
> *May 16 2011 01:34:26.880 PDT: ISAKMP:(0): constructed NAT-T vendor-03 ID
> *May 16 2011 01:34:26.880 PDT: ISAKMP:(0): constructed NAT-T vendor-02 ID
> *May 16 2011 01:34:26.880 PDT: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
> *May 16 2011 01:34:26.880 PDT: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
>
> *May 16 2011 01:34:26.880 PDT: ISAKMP:(0): beginning Main Mode exchange
> SD-c850-Edge#
> *May 16 2011 01:34:26.880 PDT: ISAKMP:(0): sending packet to 10.70.100.100 my_port 500 peer_port 500 (I) MM_NO_STATE
> *May 16 2011 01:34:26.880 PDT: ISAKMP:(0):Sending an IKE IPv4 Packet.
> SD-c850-Edge#
> SD-c850-Edge#
> SD-c850-Edge#
> SD-c850-Edge#
> SD-c850-Edge#
> *May 16 2011 01:34:36.882 PDT: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
> *May 16 2011 01:34:36.882 PDT: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
> *May 16 2011 01:34:36.882 PDT: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
> *May 16 2011 01:34:36.882 PDT: ISAKMP:(0): sending packet to 10.70.100.100 my_port 500 peer_port 500 (I) MM_NO_STATE
> *May 16 2011 01:34:36.882 PDT: ISAKMP:(0):Sending an IKE IPv4 Packet.
> SD-c850-Edge#
> *May 16 2011 01:34:46.885 PDT: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
> *May 16 2011 01:34:46.885 PDT: ISAKMP (0:0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
> *May 16 2011 01:34:46.885 PDT: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
> *May 16 2011 01:34:46.885 PDT: ISAKMP:(0): sending packet to 10.70.100.100 my_port 500 peer_port 500 (I) MM_NO_STATE
> *May 16 2011 01:34:46.885 PDT: ISAKMP:(0):Sending an IKE IPv4 Packet.
> SD-c850-Edge#
> *May 16 2011 01:34:56.879 PDT: ISAKMP: set new node 0 to QM_IDLE
> *May 16 2011 01:34:56.879 PDT: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local 10.70.100.55, remote 10.70.100.100)
> *May 16 2011 01:34:56.879 PDT: ISAKMP: Error while processing SA request: Failed to initialize SA
> *May 16 2011 01:34:56.879 PDT: ISAKMP: Error while processing KMI message 0, error 2.
> *May 16 2011 01:34:56.887 PDT: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
> *May 16 2011 01:34:56.887 PDT: ISAKMP (0:0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
> *May 16 2011 01:34:56.887 PDT: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
> SD-c850-Edge#
> *May 16 2011 01:34:56.887 PDT: ISAKMP:(0): sending packet to 10.70.100.100 my_port 500 peer_port 500 (I) MM_NO_STATE
> *May 16 2011 01:34:56.887 PDT: ISAKMP:(0):Sending an IKE IPv4 Packet.
> SD-c850-Edge#
> *May 16 2011 01:35:06.889 PDT: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
> *May 16 2011 01:35:06.889 PDT: ISAKMP (0:0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
> *May 16 2011 01:35:06.889 PDT: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
> *May 16 2011 01:35:06.889 PDT: ISAKMP:(0): sending packet to 10.70.100.100 my_port 500 peer_port 500 (I) MM_NO_STATE
> *May 16 2011 01:35:06.889 PDT: ISAKMP:(0):Sending an IKE IPv4 Packet.
> SD-c850-Edge#
> *May 16 2011 01:35:09.394 PDT: %SEC-6-IPACCESSLOGP: list 120 denied udp 10.70.100.55(0) -> 10.70.100.100(0), 5 packets
> *May 16 2011 01:35:09.394 PDT: %SEC-6-IPACCESSLOGP: list 101 denied udp 10.70.100.100(500) -> 10.70.100.55(500), 7 packets
> SD-c850-Edge#
> *May 16 2011 01:35:16.891 PDT: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
> *May 16 2011 01:35:16.891 PDT: ISAKMP (0:0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
> *May 16 2011 01:35:16.891 PDT: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
> *May 16 2011 01:35:16.891 PDT: ISAKMP:(0): sending packet to 10.70.100.100 my_port 500 peer_port 500 (I) MM_NO_STATE
> *May 16 2011 01:35:16.891 PDT: ISAKMP:(0):Sending an IKE IPv4 Packet.
> SD-c850-Edge#
> *May 16 2011 01:35:26.894 PDT: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
> *May 16 2011 01:35:26.894 PDT: ISAKMP:(0):peer does not do paranoid keepalives.
>
> *May 16 2011 01:35:26.894 PDT: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 10.70.100.100)
> *May 16 2011 01:35:26.894 PDT: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 10.70.100.100)
> *May 16 2011 01:35:26.894 PDT: ISAKMP: Unlocking peer struct 0x81FB0F04 for isadb_mark_sa_deleted(), count 0
> *May 16 2011 01:35:26.894 PDT: ISAKMP: Deleting peer node by peer_reap for 10.70.100.100: 81FB0F04
> SD-c850-Edge#
> *May 16 2011 01:35:26.894 PDT: ISAKMP:(0):deleting node 1945611004 error FALSE reason "IKE deleted"
> *May 16 2011 01:35:26.894 PDT: ISAKMP:(0):deleting node 1604588444 error FALSE reason "IKE deleted"
> *May 16 2011 01:35:26.894 PDT: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
> *May 16 2011 01:35:26.894 PDT: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_DEST_SA
>
> Any ideas on what is causing this?? Thanks in advance!
>
> --
> -Steve Di Bias
>
> Blogs and organic groups at http://www.ccie.net
>
Received on Sat May 21 2011 - 15:16:27 ART
This archive was generated by hypermail 2.2.0 : Wed Jun 01 2011 - 09:01:11 ART
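As an added example that is not part of the thread, the script below does the correlation Joe is asking about by eye: it reads the router's %SEC-6-IPACCESSLOGP deny lines together with the ISAKMP "retransmit phase 1" and "Death by retransmission P1" lines from the debug above and says whether an ACL is dropping IKE (UDP/500) between the two peers. The sample log is constructed from lines quoted in the thread; the function names, the port-0 handling and the verdict wording are my own.

```python
import re

# Constructed sample in the shape of the IOS lines quoted in the thread (ACL log + ISAKMP debug).
SAMPLE_LOG = """\
*May 16 2011 01:34:36.882 PDT: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*May 16 2011 01:35:09.394 PDT: %SEC-6-IPACCESSLOGP: list 120 denied udp 10.70.100.55(0) -> 10.70.100.100(0), 5 packets
*May 16 2011 01:35:09.394 PDT: %SEC-6-IPACCESSLOGP: list 101 denied udp 10.70.100.100(500) -> 10.70.100.55(500), 7 packets
*May 16 2011 01:35:16.891 PDT: ISAKMP (0:0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
*May 16 2011 01:35:26.894 PDT: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 10.70.100.100)
"""

ACL_DENY = re.compile(r"%SEC-6-IPACCESSLOGP: list (\S+) denied (\w+) "
                      r"(\d+(?:\.\d+){3})\((\d+)\) -> (\d+(?:\.\d+){3})\((\d+)\), (\d+) packets")
RETRANSMIT = re.compile(r"attempt (\d+) of \d+: retransmit phase 1")
P1_DEATH = re.compile(r'"Death by retransmission P1".*\(peer (\d+(?:\.\d+){3})\)')
IKE_PORTS = {500, 4500}  # ISAKMP, plus NAT-T when it is negotiated

def triage_ike(log, local, remote):
    """Correlate ACL deny logs with IKE phase-1 retransmits for one peer pair."""
    report = {"acl_blocking_ike": [], "other_denies": [], "p1_attempts": 0, "p1_dead": False}
    for line in log.splitlines():
        if m := ACL_DENY.search(line):
            acl, proto, src, sport, dst, dport, pkts = m.groups()
            if {src, dst} != {local, remote}:
                continue  # noise from other flows
            hit = (acl, proto, src, int(sport), dst, int(dport), int(pkts))
            # "deny ip ... log" entries report udp with port 0, so they are not IKE-specific drops
            if proto == "udp" and IKE_PORTS & {int(sport), int(dport)}:
                report["acl_blocking_ike"].append(hit)
            else:
                report["other_denies"].append(hit)
        elif m := RETRANSMIT.search(line):
            report["p1_attempts"] = max(report["p1_attempts"], int(m.group(1)))
        elif (m := P1_DEATH.search(line)) and m.group(1) == remote:
            report["p1_dead"] = True
    return report

def verdict(report):
    """One-line diagnosis a responder can act on."""
    if report["p1_dead"] and report["acl_blocking_ike"]:
        acls = ", ".join(sorted({h[0] for h in report["acl_blocking_ike"]}))
        return f"phase 1 died after {report['p1_attempts']} retransmits; ACL {acls} is dropping IKE (UDP/500) between the peers"
    if report["p1_dead"]:
        return f"phase 1 died after {report['p1_attempts']} retransmits; no ACL log shows IKE dropped, check reachability and the peer"
    return "no phase-1 failure seen"

print(verdict(triage_ike(SAMPLE_LOG, "10.70.100.55", "10.70.100.100")))
```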