Re: L2L Tunnel won't come up!!

From: Steve Di Bias <sdibias_at_gmail.com>
Date: Sat, 21 May 2011 16:58:36 -0700

So I just ran a debug crypto isakmp while using the packet-tracer command on
my ASA and see the following:

ASA# packet-tracer in inside icmp 10.186.56.6 8 0 192.168.100.1

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.100.0 255.255.255.0 outside

May 21 16:55:00 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global
Additional Information:

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
nat (inside) 0 access-list inside_nat0_outbound
  match ip inside 10.186.0.0 255.255.0.0 outside any
    NAT exempt
    translate_hits = 497, untranslate_hits = 139
Additional Information:

Phase: 7
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 10 0.0.0.0 0.0.0.0
  match ip inside any outside any
    dynamic translation to pool 10 (10.70.100.100 [Interface PAT])
    translate_hits = 656, untranslate_hits = 0
Additional Information:

Phase: 8
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 10 0.0.0.0 0.0.0.0
  match ip inside any outside any
    dynamic translation to pool 10 (10.70.100.100 [Interface PAT])
    translate_hits = 656, untranslate_hits = 0
Additional Information:

Phase: 9
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Pitcher: received a key acquire message, spi 0x0
May 21 16:48:47 [IKEv1]: IP = 10.70.100.55, IKE Initiator: New Phase 1, Intf
inside, IKE Peer 10.70.100.55 local Proxy Address 10.186.56.6, remote Proxy
Address 192.168.100.0, Crypto map (outside_map)
May 21 16:48:47 [IKEv1 DEBUG]: IP = 10.70.100.55, Oakley proposal is
acceptable
May 21 16:48:47 [IKEv1]: IP = 10.70.100.55, Connection landed on
tunnel_group 10.70.100.55
May 21 16:48:47 [IKEv1]: Group = 10.70.100.55, IP = 10.70.100.55, Automatic
NAT Detection Status: Remote end is NOT behind a NAT device This
end is NOT behind a NAT device
May 21 16:48:47 [IKEv1]: IP = 10.70.100.55, Connection landed on
tunnel_group 10.70.100.55
May 21 16:48:47 [IKEv1]: Group = 10.70.100.55, IP = 10.70.100.55, Freeing
previously allocated memory for authorization-dn-attributes
May 21 16:48:47 [IKEv1]: Group = 10.70.100.55, IP = 10.70.100.55, PHASE 1
COMPLETED
May 21 16:48:47 [IKEv1]: IP = 10.70.100.55, Keep-alive type for this
connection: DPD
May 21 16:48:47 [IKEv1 DEBUG]: Group = 10.70.100.55, IP = 10.70.100.55,
Starting P1 rekey timer: 82080 seconds.
May 21 16:48:47 [IKEv1 DEBUG]: Group = 10.70.100.55, IP = 10.70.100.55, IKE
got SPI from key engine: SPI = 0x2c116ca3
May 21 16:48:47 [IKEv1 DEBUG]: Group = 10.70.100.55, IP = 10.70.100.55,
Transmitting Proxy Id:
  Local host: 10.186.56.6 Protocol 0 Port 0
  Remote subnet: 192.168.100.0 Mask 255.255.255.0 Protocol 0 Port 0
May 21 16:48:47 [IKEv1]: Group = 10.70.100.55, IP = 10.70.100.55, Received
non-routine Notify message: No proposal chosen (14)

ASA# May 21 16:49:19 [IKEv1]: Group = 10.70.100.55, IP = 10.70.100.55, QM
FSM error (P2 struct &0xd6a17ca0, mess id 0x7ddc86ac)!
May 21 16:49:19 [IKEv1 DEBUG]: Group = 10.70.100.55, IP = 10.70.100.55, IKE
QM Initiator FSM error history (struct &0xd6a17ca0) <state>, <event>:
 QM_DONE, EV_ERROR-->QM_WAIT_MSG2, EV_TIMEOUT-->QM_WAIT_MSG2,
NullEvent-->QM_SND_MSG1, EV_SND_MSG-->QM_SND_MSG1,
EV_START_TMR-->QM_SND_MSG1, EV_RESEND_MSG-->QM_WAIT_MSG2,
EV_TIMEOUT-->QM_WAIT_MSG2, NullEvent
May 21 16:49:19 [IKEv1]: Group = 10.70.100.55, IP = 10.70.100.55,
construct_ipsec_delete(): No SPI to identify Phase 2 SA!
May 21 16:49:19 [IKEv1 DEBUG]: Group = 10.70.100.55, IP = 10.70.100.55, IKE
Deleting SA: Remote Proxy 192.168.100.0, Local Proxy 10.186.56.6
May 21 16:49:19 [IKEv1]: Group = 10.70.100.55, IP = 10.70.100.55, Removing
peer from correlator table failed, no match!
May 21 16:49:19 [IKEv1 DEBUG]: Pitcher: received key delete msg, spi
0x2c116ca3
May 21 16:49:19 [IKEv1]: Ignoring msg to mark SA with dsID 3694592 dead
because SA deleted
May 21 16:49:19 [IKEv1]: IP = 10.70.100.55, Received encrypted packet with
no matching SA, dropping

Blogs and organic groups at http://www.ccie.net
Received on Sat May 21 2011 - 16:58:36 ART
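Added example, not part of the post above and not Cisco's or the poster's code: a small triage script that reads the kind of "debug crypto isakmp" output quoted in this message, records how far the negotiation got, pulls the proxy identities the ASA offered in Quick Mode, and turns them into the crypto-ACL line the ASA must have matched and the mirror line the peer needs. The sample input is constructed from the lines quoted above; the function and field names, the ASA ACE rendering and the verdict strings are this example's own choices.

```python
"""Triage an ASA 'debug crypto isakmp' capture for an IKEv1 L2L tunnel.
Added example for this thread, not the poster's or Cisco's code; all names
here are this example's own."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: the key lines from the debug output quoted in the thread.
SAMPLE_DEBUG = """\
May 21 16:48:47 [IKEv1]: IP = 10.70.100.55, IKE Initiator: New Phase 1, Intf inside, IKE Peer 10.70.100.55 local Proxy Address 10.186.56.6, remote Proxy Address 192.168.100.0, Crypto map (outside_map)
May 21 16:48:47 [IKEv1 DEBUG]: IP = 10.70.100.55, Oakley proposal is acceptable
May 21 16:48:47 [IKEv1]: Group = 10.70.100.55, IP = 10.70.100.55, PHASE 1 COMPLETED
May 21 16:48:47 [IKEv1 DEBUG]: Group = 10.70.100.55, IP = 10.70.100.55, Transmitting Proxy Id:
  Local host: 10.186.56.6 Protocol 0 Port 0
  Remote subnet: 192.168.100.0 Mask 255.255.255.0 Protocol 0 Port 0
May 21 16:48:47 [IKEv1]: Group = 10.70.100.55, IP = 10.70.100.55, Received non-routine Notify message: No proposal chosen (14)
May 21 16:49:19 [IKEv1]: Group = 10.70.100.55, IP = 10.70.100.55, QM FSM error (P2 struct &0xd6a17ca0, mess id 0x7ddc86ac)!
"""

PEER_RE = re.compile(r"\bIP = (\d{1,3}(?:\.\d{1,3}){3})")
PROXY_RE = re.compile(r"^\s*(Local|Remote) (host|subnet): (\S+)(?: Mask (\S+))?")
NOTIFY_RE = re.compile(r"Received non-routine Notify message: (.+?) \((\d+)\)")
NO_PROPOSAL_CHOSEN = 14  # ISAKMP notify type NO-PROPOSAL-CHOSEN, RFC 2408


@dataclass
class IkeTriage:
    peer: Optional[str] = None
    phase1_complete: bool = False
    local_proxy: Optional[ipaddress.IPv4Network] = None   # selector we offered
    remote_proxy: Optional[ipaddress.IPv4Network] = None
    notifies: List[Tuple[str, int]] = field(default_factory=list)
    qm_fsm_error: bool = False


def _selector(kind, addr, mask):
    # 'Local host: X' carries no mask and is a /32; 'subnet: X Mask M' is dotted.
    if kind == "host" or mask is None:
        return ipaddress.ip_network(f"{addr}/32")
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_isakmp_debug(text):
    t = IkeTriage()
    for line in text.splitlines():
        if t.peer is None and (m := PEER_RE.search(line)):
            t.peer = m.group(1)
        if "PHASE 1 COMPLETED" in line:
            t.phase1_complete = True
        if m := PROXY_RE.match(line):  # lines under 'Transmitting Proxy Id:'
            side, kind, addr, mask = m.groups()
            setattr(t, f"{side.lower()}_proxy", _selector(kind, addr, mask))
        if m := NOTIFY_RE.search(line):
            t.notifies.append((m.group(1), int(m.group(2))))
        if "QM FSM error" in line:
            t.qm_fsm_error = True
    return t


def ace_operand(net):
    # Render a selector the way an ASA extended ACE writes it.
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.netmask}"


def our_ace(t):
    # The crypto-ACL entry the ASA matched to build these proxy IDs.
    return f"permit ip {ace_operand(t.local_proxy)} {ace_operand(t.remote_proxy)}"


def mirror_ace(t):
    # The exact mirror the peer's crypto ACL needs for this selector pair.
    return f"permit ip {ace_operand(t.remote_proxy)} {ace_operand(t.local_proxy)}"


def diagnose(t):
    """Return (verdict, what to check next)."""
    if not t.phase1_complete:
        return ("phase1-failed",
                f"No 'PHASE 1 COMPLETED' with {t.peer}: compare the ISAKMP policy "
                "(encryption/hash/DH group/lifetime) and the pre-shared key.")
    if any(code == NO_PROPOSAL_CHOSEN for _, code in t.notifies):
        return ("phase2-no-proposal-chosen",
                f"Phase 1 is up; peer {t.peer} rejected Quick Mode with "
                "NO-PROPOSAL-CHOSEN (14). Compare (1) the IPsec transform set and PFS "
                f"on both ends and (2) the crypto ACLs: we offered '{our_ace(t)}', "
                f"so the peer needs '{mirror_ace(t)}'.")
    if t.qm_fsm_error:
        return ("phase2-no-reply",
                f"Phase 1 is up but Quick Mode with {t.peer} ended in a QM FSM error "
                "without a Notify: check reachability and the peer's crypto map.")
    return ("ok", "No IKE failure in the capture.")


if __name__ == "__main__":
    verdict, why = diagnose(parse_isakmp_debug(SAMPLE_DEBUG))
    print(verdict)
    print(why)
```

Run against the quoted capture it reports phase2-no-proposal-chosen with the offered selector pair host 10.186.56.6 to 192.168.100.0/24, which is consistent with the packet-tracer above dropping at the VPN encrypt phase: the flow matched the crypto map, but no Phase 2 SA could be built for it. The caveat to keep in mind is that a responder sends the same notify (14) for a transform-set or PFS mismatch and for a crypto ACL that does not mirror the initiator's selectors, so the script can only list both; the peer's own IKE debug is where to see which of the two it rejected.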
