Re: L2L Tunnel wont come up!!

From: Joseph L. Brunner <joe_at_affirmedsystems.com>
Date: Sun, 22 May 2011 00:48:30 +0000

Remove ALL lower crypto map seq on the ASA, or make sure you are not sending traffic for the router's network to a diff. peer.

Make sure the ASA routes to a next hop out of the interface with the crypto map to reach 192.168.100.0 255.255.255.0.

From: Steve Di Bias [mailto:sdibias_at_gmail.com]
Sent: Saturday, May 21, 2011 08:37 PM
To: Joseph L. Brunner
Cc: ccielab_at_groupstudy.com <ccielab_at_groupstudy.com>
Subject: Re: L2L Tunnel wont come up!!

sh run access-list | in nat0_outbound|NetEngCCIE

access-list inside_nat0_outbound extended permit ip host 10.186.56.6 192.168.100.0 255.255.255.0

access-list outside_1_cryptomap_NetEngCCIE extended permit ip host 10.186.56.6 192.168.100.0 255.255.255.0

ASA# sh ro out | in 192.168.100.0
S 192.168.100.0 255.255.255.0 [1/0] via 10.70.100.55, outside

Nothing in access-group though. However, there are a few other tunnels running OK through this box for testing purposes; this one just doesn't want to play nice.

On Sat, May 21, 2011 at 5:01 PM, Joseph L. Brunner <joe_at_affirmedsystems.com> wrote:
Show run access-list and
Show run access-group on the ASA please.

Also,

These devices have routes to each other for the destination inside network, right? (Or better a default route to each other)

Joe

From: Steve Di Bias [mailto:sdibias_at_gmail.com]
Sent: Saturday, May 21, 2011 07:58 PM
To: Joseph L. Brunner
Cc: ccielab_at_groupstudy.com <ccielab_at_groupstudy.com>
Subject: Re: L2L Tunnel wont come up!!

So I just ran a debug crypto isakmp while using the packet tracer command on my ASA and see the following:

ASA# packet-tracer in inside icmp 10.186.56.6 8 0 192.168.100.1

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
May 21 16:55:00 [IKEv1 DEBUG]Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.100.0 255.255.255.0 outside

Phase: 3
: Pitcher: received a key acquire message, spi 0x0
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global
Additional Information:

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
nat (inside) 0 access-list inside_nat0_outbound
  match ip inside 10.186.0.0 255.255.0.0 outside any
    NAT exempt
    translate_hits = 497, untranslate_hits = 139
Additional Information:

Phase: 7
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 10 0.0.0.0 0.0.0.0
  match ip inside any outside any
    dynamic translation to pool 10 (10.70.100.100 [Interface PAT])
    translate_hits = 656, untranslate_hits = 0
Additional Information:

Phase: 8
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 10 0.0.0.0 0.0.0.0
  match ip inside any outside any
    dynamic translation to pool 10 (10.70.100.100 [Interface PAT])
    translate_hits = 656, untranslate_hits = 0
Additional Information:

Phase: 9
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

<--- More --->: Pitcher: received a key acquire message, spi 0x0
May 21 16:48:47 [IKEv1]: IP = 10.70.100.55, IKE Initiator: New Phase 1, Intf inside, IKE Peer 10.70.100.55 local Proxy Address 10.186.56.6, remote Proxy Address 192.168.100.0, Crypto map (outside_map)
May 21 16:48:47 [IKEv1 DEBUG]: IP = 10.70.100.55, Oakley proposal is acceptable
May 21 16:48:47 [IKEv1]: IP = 10.70.100.55, Connection landed on tunnel_group 10.70.100.55
May 21 16:48:47 [IKEv1]: Group = 10.70.100.55, IP = 10.70.100.55, Automatic NAT Detection Status: Remote end is NOT behind a NAT device This end is NOT behind a NAT device
May 21 16:48:47 [IKEv1]: IP = 10.70.100.55, Connection landed on tunnel_group 10.70.100.55
May 21 16:48:47 [IKEv1]: Group = 10.70.100.55, IP = 10.70.100.55, Freeing previously allocated memory for authorization-dn-attributes
May 21 16:48:47 [IKEv1]: Group = 10.70.100.55, IP = 10.70.100.55, PHASE 1 COMPLETED
May 21 16:48:47 [IKEv1]: IP = 10.70.100.55, Keep-alive type for this connection: DPD
May 21 16:48:47 [IKEv1 DEBUG]: Group = 10.70.100.55, IP = 10.70.100.55, Starting P1 rekey timer: 82080 seconds.
May 21 16:48:47 [IKEv1 DEBUG]: Group = 10.70.100.55, IP = 10.70.100.55, IKE got SPI from key engine: SPI = 0x2c116ca3
May 21 16:48:47 [IKEv1 DEBUG]: Group = 10.70.100.55, IP = 10.70.100.55, Transmitting Proxy Id:
  Local host: 10.186.56.6 Protocol 0 Port 0
  Remote subnet: 192.168.100.0 Mask 255.255.255.0 Protocol 0 Port 0
May 21 16:48:47 [IKEv1]: Group = 10.70.100.55, IP = 10.70.100.55, Received non-routine Notify message: No proposal chosen (14)

ASA# May 21 16:49:19 [IKEv1]: Group = 10.70.100.55, IP = 10.70.100.55, QM FSM error (P2 struct &0xd6a17ca0, mess id 0x7ddc86ac)!
May 21 16:49:19 [IKEv1 DEBUG]: Group = 10.70.100.55, IP = 10.70.100.55, IKE QM Initiator FSM error history (struct &0xd6a17ca0) <state>, <event>: QM_DONE, EV_ERROR-->QM_WAIT_MSG2, EV_TIMEOUT-->QM_WAIT_MSG2, NullEvent-->QM_SND_MSG1, EV_SND_MSG-->QM_SND_MSG1, EV_START_TMR-->QM_SND_MSG1, EV_RESEND_MSG-->QM_WAIT_MSG2, EV_TIMEOUT-->QM_WAIT_MSG2, NullEvent
May 21 16:49:19 [IKEv1]: Group = 10.70.100.55, IP = 10.70.100.55, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
May 21 16:49:19 [IKEv1 DEBUG]: Group = 10.70.100.55, IP = 10.70.100.55, IKE Deleting SA: Remote Proxy 192.168.100.0, Local Proxy 10.186.56.6
May 21 16:49:19 [IKEv1]: Group = 10.70.100.55, IP = 10.70.100.55, Removing peer from correlator table failed, no match!
May 21 16:49:19 [IKEv1 DEBUG]: Pitcher: received key delete msg, spi 0x2c116ca3
May 21 16:49:19 [IKEv1]: Ignoring msg to mark SA with dsID 3694592 dead because SA deleted
May 21 16:49:19 [IKEv1]: IP = 10.70.100.55, Received encrypted packet with no matching SA, dropping

--
-Steve Di Bias
Blogs and organic groups at http://www.ccie.net
Received on Sun May 22 2011 - 00:48:30 ART

This archive was generated by hypermail 2.2.0 : Wed Jun 01 2011 - 09:01:11 ART
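The packet-tracer and IKEv1 debug output in the thread interleave two different stories: the ASA's own packet pipeline (which phase dropped the flow) and the IKE negotiation (Phase 1 completed, then the peer answered Quick Mode with "No proposal chosen"). The following is an added triage script, not code from the thread or from any of its participants; it parses both views from a constructed sample abridged from Steve's output, tolerating the debug line that the console fused onto a packet-tracer field, and reports where each side gave up.

```python
import re

# Constructed sample, abridged from the thread's packet-tracer and IKEv1 debug
# output; note the debug line fused onto the "Subtype:" field, as on the page.
SAMPLE = """\
Phase: 2
Type: ROUTE-LOOKUP
May 21 16:55:00 [IKEv1 DEBUG]Subtype: input
Result: ALLOW
Phase: 9
Type: VPN
Subtype: encrypt
Result: DROP
Drop-reason: (acl-drop) Flow is denied by configured rule
May 21 16:48:47 [IKEv1]: Group = 10.70.100.55, IP = 10.70.100.55, PHASE 1 COMPLETED
May 21 16:48:47 [IKEv1]: Group = 10.70.100.55, IP = 10.70.100.55, Received non-routine Notify message: No proposal chosen (14)
May 21 16:49:19 [IKEv1]: Group = 10.70.100.55, IP = 10.70.100.55, QM FSM error (P2 struct &0xd6a17ca0, mess id 0x7ddc86ac)!
"""

# Timestamped IKEv1 prefix that the ASA console interleaves with other output.
DEBUG_PREFIX = re.compile(r"^[A-Z][a-z]{2} \d{1,2} \d\d:\d\d:\d\d \[IKEv1[^\]]*\]:?\s*")
FIELDS = ("Phase", "Type", "Subtype", "Result", "Drop-reason")

def parse_packet_tracer(text):
    # Group packet-tracer fields per phase; skip pure debug lines, but recover a
    # packet-tracer field that a debug prefix was fused onto.
    phases, current = [], None
    for raw in text.splitlines():
        key, sep, value = DEBUG_PREFIX.sub("", raw).partition(":")
        if not sep or key not in FIELDS:
            continue
        if key == "Phase":
            current = {"phase": int(value)}
            phases.append(current)
        elif current is not None:
            current[key.lower()] = value.strip()
    return phases

def first_drop(phases):
    # The first DROP phase is where the ASA's own pipeline gave up on the packet.
    return next((p for p in phases if p.get("result") == "DROP"), None)

def ike_status(text):
    # Phase 1 done but Quick Mode answered with "No proposal chosen" or the QM FSM
    # errored: the Phase 2 transform set, PFS or proxy IDs do not match the peer.
    p1_done = "PHASE 1 COMPLETED" in text
    p2_rejected = "No proposal chosen" in text or "QM FSM error" in text
    if p1_done and p2_rejected:
        return "phase2-rejected-by-peer"
    return "phase1-ok" if p1_done else "phase1-not-completed"
```

Run against the sample, `first_drop` points at phase 9 (VPN/encrypt, acl-drop) and `ike_status` returns `phase2-rejected-by-peer`, which together say the packet reached the crypto map but the peer refused the Phase 2 proposal for that proxy pair.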