sh run access-list | in nat0_outbound|NetEngCCIE
access-list inside_nat0_outbound extended permit ip host 10.186.56.6 192.168.100.0 255.255.255.0
access-list outside_1_cryptomap_NetEngCCIE extended permit ip host 10.186.56.6 192.168.100.0 255.255.255.0
ASA# sh ro out | in 192.168.100.0
S    192.168.100.0 255.255.255.0 [1/0] via 10.70.100.55, outside
Nothing in access-group, though. However, there are a few other tunnels
running OK through this box for testing purposes; this one just doesn't want
to play nice.
On Sat, May 21, 2011 at 5:01 PM, Joseph L. Brunner
<joe_at_affirmedsystems.com> wrote:
> Show run access-list and
> Show run access-group on asa please.
>
> Also,
>
> These devices have routes to each other for the destination inside network,
> right? (Or better a default route to each other)
>
> Joe
>
>
> From: Steve Di Bias [mailto:sdibias_at_gmail.com]
> Sent: Saturday, May 21, 2011 07:58 PM
> To: Joseph L. Brunner
> Cc: ccielab_at_groupstudy.com <ccielab_at_groupstudy.com>
> Subject: Re: L2L Tunnel wont come up!!
>
> So I just ran a debug crypto isakmp while using the packet tracer
> command on my ASA and see the following:
>
> ASA# packet-tracer in inside icmp 10.186.56.6 8 0 192.168.100.1
>
> Phase: 1
> Type: FLOW-LOOKUP
> Subtype:
> Result: ALLOW
> Config:
> Additional Information:
> Found no matching flow, creating a new flow
>
> Phase: 2
> Type: ROUTE-LOOKUP
> May 21 16:55:00 [IKEv1 DEBUG]Subtype: input
> Result: ALLOW
> Config:
> Additional Information:
> in 192.168.100.0 255.255.255.0 outside
>
> Phase: 3
> : Pitcher: received a key acquire message, spi 0x0
> Type: IP-OPTIONS
> Subtype:
> Result: ALLOW
> Config:
> Additional Information:
>
> Phase: 4
> Type: INSPECT
> Subtype: np-inspect
> Result: ALLOW
> Config:
> class-map inspection_default
> match default-inspection-traffic
> policy-map global_policy
> class inspection_default
> inspect icmp
> service-policy global_policy global
> Additional Information:
>
> Phase: 5
> Type: INSPECT
> Subtype: np-inspect
> Result: ALLOW
> Config:
> Additional Information:
>
> Phase: 6
> Type: NAT-EXEMPT
> Subtype:
> Result: ALLOW
> Config:
> nat (inside) 0 access-list inside_nat0_outbound
> match ip inside 10.186.0.0 255.255.0.0 outside any
> NAT exempt
> translate_hits = 497, untranslate_hits = 139
> Additional Information:
>
> Phase: 7
> Type: NAT
> Subtype:
> Result: ALLOW
> Config:
> nat (inside) 10 0.0.0.0 0.0.0.0
> match ip inside any outside any
> dynamic translation to pool 10 (10.70.100.100 [Interface PAT])
> translate_hits = 656, untranslate_hits = 0
> Additional Information:
>
> Phase: 8
> Type: NAT
> Subtype: host-limits
> Result: ALLOW
> Config:
> nat (inside) 10 0.0.0.0 0.0.0.0
> match ip inside any outside any
> dynamic translation to pool 10 (10.70.100.100 [Interface PAT])
> translate_hits = 656, untranslate_hits = 0
> Additional Information:
>
> Phase: 9
> Type: VPN
> Subtype: encrypt
> Result: DROP
> Config:
> Additional Information:
>
> Result:
> input-interface: inside
> input-status: up
> input-line-status: up
> output-interface: outside
> output-status: up
> output-line-status: up
> Action: drop
> Drop-reason: (acl-drop) Flow is denied by configured rule
>
>
> <--- More --->: Pitcher: received a key acquire message, spi 0x0
> May 21 16:48:47 [IKEv1]: IP = 10.70.100.55, IKE Initiator: New Phase 1,
> Intf inside, IKE Peer 10.70.100.55 local Proxy Address 10.186.56.6, remote
> Proxy Address 192.168.100.0, Crypto map (outside_map)
> May 21 16:48:47 [IKEv1 DEBUG]: IP = 10.70.100.55, Oakley proposal is
> acceptable
> May 21 16:48:47 [IKEv1]: IP = 10.70.100.55, Connection landed on
> tunnel_group 10.70.100.55
> May 21 16:48:47 [IKEv1]: Group = 10.70.100.55, IP = 10.70.100.55, Automatic
> NAT Detection Status: Remote end is NOT behind a NAT device This
> end is NOT behind a NAT device
> May 21 16:48:47 [IKEv1]: IP = 10.70.100.55, Connection landed on
> tunnel_group 10.70.100.55
> May 21 16:48:47 [IKEv1]: Group = 10.70.100.55, IP = 10.70.100.55, Freeing
> previously allocated memory for authorization-dn-attributes
> May 21 16:48:47 [IKEv1]: Group = 10.70.100.55, IP = 10.70.100.55, PHASE 1
> COMPLETED
> May 21 16:48:47 [IKEv1]: IP = 10.70.100.55, Keep-alive type for this
> connection: DPD
> May 21 16:48:47 [IKEv1 DEBUG]: Group = 10.70.100.55, IP = 10.70.100.55,
> Starting P1 rekey timer: 82080 seconds.
> May 21 16:48:47 [IKEv1 DEBUG]: Group = 10.70.100.55, IP = 10.70.100.55, IKE
> got SPI from key engine: SPI = 0x2c116ca3
> May 21 16:48:47 [IKEv1 DEBUG]: Group = 10.70.100.55, IP = 10.70.100.55,
> Transmitting Proxy Id:
> Local host: 10.186.56.6 Protocol 0 Port 0
> Remote subnet: 192.168.100.0 Mask 255.255.255.0 Protocol 0 Port 0
> May 21 16:48:47 [IKEv1]: Group = 10.70.100.55, IP = 10.70.100.55, Received
> non-routine Notify message: No proposal chosen (14)
>
>
> ASA# May 21 16:49:19 [IKEv1]: Group = 10.70.100.55, IP = 10.70.100.55,
> QM FSM error (P2 struct &0xd6a17ca0, mess id 0x7ddc86ac)!
> May 21 16:49:19 [IKEv1 DEBUG]: Group = 10.70.100.55, IP = 10.70.100.55, IKE
> QM Initiator FSM error history (struct &0xd6a17ca0) <state>, <event>:
> QM_DONE, EV_ERROR-->QM_WAIT_MSG2, EV_TIMEOUT-->QM_WAIT_MSG2,
> NullEvent-->QM_SND_MSG1, EV_SND_MSG-->QM_SND_MSG1,
> EV_START_TMR-->QM_SND_MSG1, EV_RESEND_MSG-->QM_WAIT_MSG2,
> EV_TIMEOUT-->QM_WAIT_MSG2, NullEvent
> May 21 16:49:19 [IKEv1]: Group = 10.70.100.55, IP = 10.70.100.55,
> construct_ipsec_delete(): No SPI to identify Phase 2 SA!
> May 21 16:49:19 [IKEv1 DEBUG]: Group = 10.70.100.55, IP = 10.70.100.55, IKE
> Deleting SA: Remote Proxy 192.168.100.0, Local Proxy 10.186.56.6
> May 21 16:49:19 [IKEv1]: Group = 10.70.100.55, IP = 10.70.100.55, Removing
> peer from correlator table failed, no match!
> May 21 16:49:19 [IKEv1 DEBUG]: Pitcher: received key delete msg, spi
> 0x2c116ca3
> May 21 16:49:19 [IKEv1]: Ignoring msg to mark SA with dsID 3694592 dead
> because SA deleted
> May 21 16:49:19 [IKEv1]: IP = 10.70.100.55, Received encrypted packet with
> no matching SA, dropping
>
>
--
-Steve Di Bias

Blogs and organic groups at http://www.ccie.net

Received on Sat May 21 2011 - 17:37:48 ART
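The debug quoted in the thread ends with Phase 1 completed, the proxy IDs transmitted, and the peer answering with Notify 14, which is NO-PROPOSAL-CHOSEN in ISAKMP (RFC 2408); meanwhile packet-tracer drops the packet at the VPN encrypt phase with an acl-drop reason. As an added example, not code from the thread or from Cisco, here is a small Python script that pulls those facts out of pasted ASA output, checks the transmitted proxy IDs against the local crypto-map ACE, and prints the mirrored ACE the peer side needs. The sample strings are trimmed from the thread's own output (one interleaved debug line kept on purpose); all function names are my own.

```python
import re

# Constructed samples, trimmed from the packet-tracer and IKEv1 debug output quoted
# in the thread (one interleaved debug line kept on purpose). Not live data.
PACKET_TRACER = """\
Phase: 2
Type: ROUTE-LOOKUP
May 21 16:55:00 [IKEv1 DEBUG]Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.100.0 255.255.255.0 outside

Phase: 9
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:

Result:
input-interface: inside
output-interface: outside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""
IKE_DEBUG = """\
May 21 16:48:47 [IKEv1]: Group = 10.70.100.55, IP = 10.70.100.55, PHASE 1 COMPLETED
May 21 16:48:47 [IKEv1 DEBUG]: Group = 10.70.100.55, IP = 10.70.100.55, Transmitting Proxy Id:
  Local host: 10.186.56.6 Protocol 0 Port 0
  Remote subnet: 192.168.100.0 Mask 255.255.255.0 Protocol 0 Port 0
May 21 16:48:47 [IKEv1]: Group = 10.70.100.55, IP = 10.70.100.55, Received non-routine Notify message: No proposal chosen (14)
"""
CRYPTO_ACE = ("access-list outside_1_cryptomap_NetEngCCIE extended permit ip "
              "host 10.186.56.6 192.168.100.0 255.255.255.0")
HOST_MASK = "255.255.255.255"

def trace_drop(text):
    """(phase label, drop reason) for the first DROP in a packet-tracer run.
    Keys off 'key: value' lines only, so config lines and interleaved debug are ignored."""
    cur, label = {}, None
    for line in text.splitlines():
        key, _, val = line.strip().partition(":")
        key, val = key.strip().lower(), val.strip()
        if key == "phase":
            cur = {}
        elif key in ("type", "subtype"):
            cur[key] = val
        elif key == "result" and val == "DROP" and label is None:
            label = f'{cur.get("type")}/{cur.get("subtype")}'
        elif key == "drop-reason":
            return label, val
    return label, None

def parse_ike_debug(text):
    """Phase 1 state, transmitted proxy identities and any Notify message from IKEv1 debug."""
    info = {"phase1_complete": "PHASE 1 COMPLETED" in text, "proxy": {}, "notify": None}
    proxy_re = r"(Local|Remote) (?:host|subnet): (\d+(?:\.\d+){3})(?: Mask (\d+(?:\.\d+){3}))?"
    for side, addr, mask in re.findall(proxy_re, text):
        info["proxy"][side.lower()] = (addr, mask or HOST_MASK)
    m = re.search(r"Notify message: (.+?) \((\d+)\)", text)
    if m:
        info["notify"] = (m.group(1), int(m.group(2)))
    return info

def _addr(tokens):
    """Consume one ASA address spec ('host A', 'any' or 'A MASK'); return ((addr, mask), rest)."""
    if tokens[0] == "host":
        return (tokens[1], HOST_MASK), tokens[2:]
    if tokens[0] == "any":
        return ("0.0.0.0", "0.0.0.0"), tokens[1:]
    return (tokens[0], tokens[1]), tokens[2:]

def parse_ace(ace):
    """(acl name, src, dst) for an extended 'permit ip' ACE."""
    tokens = ace.split()
    src, rest = _addr(tokens[tokens.index("ip") + 1:])
    dst, _ = _addr(rest)
    return tokens[1], src, dst

def mirrored_ace(ace):
    """The ACE the peer needs so that its proxy IDs are the exact mirror of ours."""
    _, src, dst = parse_ace(ace)
    fmt = lambda a: f"host {a[0]}" if a[1] == HOST_MASK else f"{a[0]} {a[1]}"
    return f"permit ip {fmt(dst)} {fmt(src)}"

def diagnose(pt_text, ike_text, crypto_ace):
    """Correlate the trace, the IKE debug and the local crypto ACE into one summary dict."""
    label, reason = trace_drop(pt_text)
    ike = parse_ike_debug(ike_text)
    _, src, dst = parse_ace(crypto_ace)
    return {
        "drop_phase": label, "drop_reason": reason,
        "phase1_complete": ike["phase1_complete"],
        "ike_notify_code": ike["notify"][1] if ike["notify"] else None,
        # our local proxy must equal the ACE source and the remote proxy its destination
        "proxy_matches_acl": ike["proxy"].get("local") == src and ike["proxy"].get("remote") == dst,
        "peer_should_permit": mirrored_ace(crypto_ace),
    }
```

Run `diagnose(PACKET_TRACER, IKE_DEBUG, CRYPTO_ACE)` and read the result together: proxy_matches_acl is True, so the local crypto ACE and the proxy IDs actually sent agree, and the Notify 14 arrives only after the Quick Mode proposal goes out. That points at the peer's Phase 2 policy rather than this ASA: its crypto ACL must be the exact mirror (peer_should_permit gives it, 192.168.100.0/24 to host 10.186.56.6), and its transform set and PFS settings must match ours. The acl-drop in the VPN/encrypt phase is consistent with that picture, since with no Phase 2 SA the trace has nothing to encrypt the flow into.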