hotchkissj
asked on
Cisco 871W to ASA5100 ipsec tunnel fails in Phase 1
We have a VPN between a Cisco 871W and an ASA5100 at a partner company that will not build.
We have worked on this for 8 hrs+ and can't seem to get it resolved.
Here are the debug output and configs.
871W config (Southland is the VPN in question)
Current configuration : 8036 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Synergy-SC
!
boot-start-marker
boot system flash:c870-advsecurityk9-mz.124-15.T5.bin
boot-end-marker
!
logging buffered 4096
logging console critical
enable secret 5 $1$HTSD$2LnMa4nr/0YABU7uUhjQh1
!
no aaa new-model
clock timezone PCTime -8
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-481808195
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-481808195
revocation-check none
rsakeypair TP-self-signed-481808195
!
!
crypto pki certificate chain TP-self-signed-481808195
certificate self-signed 01
*****
dot11 syslog
!
dot11 ssid Synergy
vlan 1
authentication open
authentication key-management wpa
guest-mode
wpa-psk ascii 7 03454812080A334B575D4A574653
!
dot11 ssid Synergywep
vlan 2
authentication open
!
dot11 ssid Synergywpa
vlan 3
authentication open
!
no ip source-route
ip cef
!
!
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip inspect name OUTSIDE_IN ftp timeout 300
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
no ip bootp server
no ip domain lookup
ip domain name synergy.com
ip name-server 206.13.28.12
ip name-server 206.13.31.12
!
!
!
username admin privilege 15 secret 5 $1$TLn8$gEWuTUgsXAoCP5FWkXNnD0
!
!
crypto isakmp policy 10
encr 3des
authentication pre-share
lifetime 2000
!
crypto isakmp policy 11
encr 3des
authentication pre-share
group 2
lifetime 28800
crypto isakmp key g3t0utn0w1 address 12.68.96.178
crypto isakmp key g3t0utn0w1 address 74.211.157.130
crypto isakmp keepalive 30
crypto ipsec transform-set southland esp-3des esp-md5-hmac
crypto ipsec transform-set westrux esp-3des esp-sha-hmac
!
crypto map outside_crypto_75_48_112_233 11 ipsec-isakmp
description *** Tunnel to Southland
set peer 12.68.96.178
set transform-set southland
match address 104
crypto map outside_crypto_75_48_112_233 20 ipsec-isakmp
description *** Tunnel to Westrux
set peer 74.211.157.130
set transform-set westrux
match address 105
!
archive
log config
hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
bridge irb
!
!
interface FastEthernet0
no cdp enable
!
interface FastEthernet1
no cdp enable
!
interface FastEthernet2
no cdp enable
!
interface FastEthernet3
no cdp enable
!
interface FastEthernet4
description $FW_OUTSIDE$$ES_WAN$
ip address 75.48.112.233 255.255.255.248
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip inspect DEFAULT100 out
ip nat outside
ip virtual-reassembly
no ip route-cache cef
no ip route-cache
duplex auto
speed auto
no cdp enable
crypto map outside_crypto_75_48_112_233
!
interface Dot11Radio0
no ip address
ip helper-address 192.168.220.100
ip route-cache flow
!
encryption vlan 1 mode ciphers tkip
!
broadcast-key vlan 1 change 45
!
!
ssid Synergy
!
ssid Synergywep
!
ssid Synergywpa
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
channel 2462
station-role root
rts threshold 2312
no cdp enable
!
interface Dot11Radio0.1
description Cisco Open
encapsulation dot1Q 1 native
no cdp enable
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio0.2
encapsulation dot1Q 2
no cdp enable
bridge-group 2
bridge-group 2 subscriber-loop-control
bridge-group 2 spanning-disabled
bridge-group 2 block-unknown-source
no bridge-group 2 source-learning
no bridge-group 2 unicast-flooding
!
interface Dot11Radio0.3
encapsulation dot1Q 3
no cdp enable
bridge-group 3
bridge-group 3 subscriber-loop-control
bridge-group 3 spanning-disabled
bridge-group 3 block-unknown-source
no bridge-group 3 source-learning
no bridge-group 3 unicast-flooding
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
no ip address
ip tcp adjust-mss 1452
bridge-group 1
!
interface BVI1
description $ES_LAN$$FW_INSIDE$
ip address 192.168.220.1 255.255.255.0
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1452
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 75.48.112.238
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source route-map RMAP_1 interface FastEthernet4 overload
ip nat inside source static 192.168.220.100 75.48.112.233 extendable
ip nat inside source static 192.168.220.100 75.48.112.234 extendable
!
logging trap debugging
access-list 1 remark INSIDE_IF=BVI1
access-list 1 permit 192.168.220.0 0.0.0.255
access-list 100 remark Outbound list applied to Inside
access-list 100 deny ip 75.48.112.232 0.0.0.7 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 103 deny ip 192.168.220.0 0.0.0.255 172.21.2.0 0.0.0.255
access-list 103 deny ip 192.168.220.0 0.0.0.255 10.16.222.0 0.0.0.255
access-list 103 permit ip 192.168.220.0 0.0.0.255 any
access-list 104 remark *** Tunnel to Southland
access-list 104 permit ip 192.168.220.0 0.0.0.255 172.21.2.0 0.0.0.255
access-list 105 remark *** Test Tunnel to Westrux
access-list 105 permit ip 192.168.220.0 0.0.0.255 10.16.222.0 0.0.0.255
no cdp run
!
!
route-map RMAP_1 permit 1
match ip address 103
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner login ^CCAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
login local
no modem enable
transport output telnet
line aux 0
transport output telnet
line vty 0 4
exec-timeout 30 0
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
ASA5100 Config Summary
access-list 103 extended permit ip 172.21.2.0 255.255.255.0 192.168.220.0 255.255.255.0  -- identifies traffic to be encrypted
access-list nonat extended permit ip 172.21.2.0 255.255.255.0 192.168.220.0 255.255.255.0  -- identifies traffic not to be NATed for Internet access purposes
nat (inside) 0 access-list nonat  -- prevents NATing of the selected inside addresses to the public interface of the ASA firewall
nat (inside) 1 0.0.0.0 0.0.0.0  -- all other inside addresses are NATed
route outside 0.0.0.0 0.0.0.0 12.68.96.177 1  -- route to external networks
crypto ipsec transform-set UC2 esp-3des esp-sha-hmac
crypto map newmap 13 match address 103
crypto map newmap 13 set peer 75.48.112.233
crypto map newmap 13 set transform-set UC2
crypto map newmap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 9
authentication pre-share
encryption 3des
hash sha
group 1
lifetime 2000
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800
crypto isakmp policy 11
authentication pre-share
encryption aes
hash sha
group 1
lifetime 86400
tunnel-group 75.48.112.233 type ipsec-l2l
tunnel-group 75.48.112.233 ipsec-attributes
pre-shared-key *
On the internal router where the inside network resides there is an ip route 192.168.220.0 255.255.255.0 172.21.2.29 statement, where 172.21.2.29 is the inside interface.
DEBUG
001121: *May 6 02:10:59.811 PCTime: ISAKMP:(0): SA request profile is (NULL)
001122: *May 6 02:10:59.811 PCTime: ISAKMP: Created a peer struct for 12.68.96.178, peer port 500
001123: *May 6 02:10:59.811 PCTime: ISAKMP: New peer created peer = 0x837528C4 peer_handle = 0x80000012
001124: *May 6 02:10:59.811 PCTime: ISAKMP: Locking peer struct 0x837528C4, refcount 1 for isakmp_initiator
001125: *May 6 02:10:59.811 PCTime: ISAKMP: local port 500, remote port 500
001126: *May 6 02:10:59.811 PCTime: ISAKMP: set new node 0 to QM_IDLE
001127: *May 6 02:10:59.811 PCTime: insert sa successfully sa = 836E2400
001128: *May 6 02:10:59.811 PCTime: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
001129: *May 6 02:10:59.811 PCTime: ISAKMP:(0):found peer pre-shared key matching 12.68.96.178
001130: *May 6 02:10:59.815 PCTime: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
001131: *May 6 02:10:59.815 PCTime: ISAKMP:(0): constructed NAT-T vendor-07 ID
001132: *May 6 02:10:59.815 PCTime: ISAKMP:(0): constructed NAT-T vendor-03 ID
001133: *May 6 02:10:59.815 PCTime: ISAKMP:(0): constructed NAT-T vendor-02 ID
001134: *May 6 02:10:59.815 PCTime: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
001135: *May 6 02:10:59.815 PCTime: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
001136: *May 6 02:10:59.815 PCTime: ISAKMP:(0): beginning Main Mode exchange
001137: *May 6 02:10:59.815 PCTime: ISAKMP:(0): sending packet to 12.68.96.178 my_port 500 peer_port 500 (I) MM_NO_STATE
001138: *May 6 02:10:59.815 PCTime: ISAKMP:(0):Sending an IKE IPv4 Packet.
001139: *May 6 02:11:09.815 PCTime: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
001140: *May 6 02:11:09.815 PCTime: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
001141: *May 6 02:11:09.815 PCTime: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
001142: *May 6 02:11:09.815 PCTime: ISAKMP:(0): sending packet to 12.68.96.178 my_port 500 peer_port 500 (I) MM_NO_STATE
001143: *May 6 02:11:09.815 PCTime: ISAKMP:(0):Sending an IKE IPv4 Packet.
001144: *May 6 02:11:19.815 PCTime: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
001145: *May 6 02:11:19.815 PCTime: ISAKMP (0:0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
001146: *May 6 02:11:19.815 PCTime: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
001147: *May 6 02:11:19.815 PCTime: ISAKMP:(0): sending packet to 12.68.96.178 my_port 500 peer_port 500 (I) MM_NO_STATE
001148: *May 6 02:11:19.815 PCTime: ISAKMP:(0):Sending an IKE IPv4 Packet.
001149: *May 6 02:11:29.811 PCTime: IPSEC(key_engine): request timer fired: count = 1,
(identity) local= 75.48.112.233, remote= 12.68.96.178,
local_proxy= 192.168.220.0/255.255.255.0/0/0 (type=4),
remote_proxy= 172.21.2.0/255.255.255.0/0/0 (type=4)
001150: *May 6 02:11:29.811 PCTime: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 75.48.112.233, remote= 12.68.96.178,
local_proxy= 192.168.220.0/255.255.255.0/0/0 (type=4),
remote_proxy= 172.21.2.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-md5-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
001151: *May 6 02:11:29.811 PCTime: ISAKMP: set new node 0 to QM_IDLE
001152: *May 6 02:11:29.811 PCTime: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local 75.48.112.233, remote 12.68.96.178)
001153: *May 6 02:11:29.811 PCTime: ISAKMP: Error while processing SA request: Failed to initialize SA
001154: *May 6 02:11:29.811 PCTime: ISAKMP: Error while processing KMI message 0, error 2.
001155: *May 6 02:11:29.815 PCTime: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
001156: *May 6 02:11:29.815 PCTime: ISAKMP (0:0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
001157: *May 6 02:11:29.815 PCTime: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
001158: *May 6 02:11:29.815 PCTime: ISAKMP:(0): sending packet to 12.68.96.178 my_port 500 peer_port 500 (I) MM_NO_STATE
001159: *May 6 02:11:29.815 PCTime: ISAKMP:(0):Sending an IKE IPv4 Packet.
001160: *May 6 02:11:39.815 PCTime: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
001161: *May 6 02:11:39.815 PCTime: ISAKMP (0:0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
001162: *May 6 02:11:39.815 PCTime: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
001163: *May 6 02:11:39.815 PCTime: ISAKMP:(0): sending packet to 12.68.96.178 my_port 500 peer_port 500 (I) MM_NO_STATE
001164: *May 6 02:11:39.815 PCTime: ISAKMP:(0):Sending an IKE IPv4 Packet.
001165: *May 6 02:11:49.815 PCTime: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
001166: *May 6 02:11:49.815 PCTime: ISAKMP (0:0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
001167: *May 6 02:11:49.815 PCTime: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
001168: *May 6 02:11:49.815 PCTime: ISAKMP:(0): sending packet to 12.68.96.178 my_port 500 peer_port 500 (I) MM_NO_STATE
001169: *May 6 02:11:49.815 PCTime: ISAKMP:(0):Sending an IKE IPv4 Packet.
001170: *May 6 02:11:59.811 PCTime: IPSEC(key_engine): request timer fired: count = 2,
(identity) local= 75.48.112.233, remote= 12.68.96.178,
local_proxy= 192.168.220.0/255.255.255.0/0/0 (type=4),
remote_proxy= 172.21.2.0/255.255.255.0/0/0 (type=4)
001171: *May 6 02:11:59.815 PCTime: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
001172: *May 6 02:11:59.815 PCTime: ISAKMP:(0):peer does not do paranoid keepalives.
001173: *May 6 02:11:59.815 PCTime: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 12.68.96.178)
001174: *May 6 02:11:59.815 PCTime: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 12.68.96.178)
001175: *May 6 02:11:59.815 PCTime: ISAKMP: Unlocking peer struct 0x837528C4 for isadb_mark_sa_deleted(), count 0
001176: *May 6 02:11:59.815 PCTime: ISAKMP: Deleting peer node by peer_reap for 12.68.96.178: 837528C4
001177: *May 6 02:11:59.815 PCTime: ISAKMP:(0):deleting node -985450246 error FALSE reason "IKE deleted"
001178: *May 6 02:11:59.815 PCTime: ISAKMP:(0):deleting node 288664037 error FALSE reason "IKE deleted"
001179: *May 6 02:11:59.815 PCTime: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
001180: *May 6 02:11:59.815 PCTime: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_DEST_SA
001181: *May 6 02:11:59.815 PCTime: IPSEC(key_engine): got a queue event with 1 KMI message(s)
001182: *May 6 02:12:01.379 PCTime: crypto_engine: Generate public/private keypair
001183: *May 6 02:12:49.815 PCTime: ISAKMP:(0):purging node -985450246
001184: *May 6 02:12:49.815 PCTime: ISAKMP:(0):purging node 288664037
Thanks for any recommendations.
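Read mechanically, the debug above says the 871 sent main-mode message 1 to 12.68.96.178, retransmitted it until attempt 5 of 5 without ever logging a received packet, and tore the SA down in MM_NO_STATE. The script below is an added example (written for this page, not code from the thread or from Cisco) that extracts those facts from "debug crypto isakmp" output and attaches the usual reading of the state an initiator died in. The excerpt it runs on is taken from the lines above; the STATE_HINTS table is this page's own summary of what the Cisco main-mode state names imply, not Cisco documentation.

```python
"""Summarize where an IKEv1 main-mode initiator died, from 'debug crypto isakmp' output.

Added example for this page, not from the thread or from Cisco. Counts what the
initiator sent and received and reports the state the SA was in when it was deleted.
"""
import re

# Lines excerpted from the debug posted above (sequence numbers and timestamps kept).
DEBUG_EXCERPT = """\
001129: *May 6 02:10:59.811 PCTime: ISAKMP:(0):found peer pre-shared key matching 12.68.96.178
001136: *May 6 02:10:59.815 PCTime: ISAKMP:(0): beginning Main Mode exchange
001137: *May 6 02:10:59.815 PCTime: ISAKMP:(0): sending packet to 12.68.96.178 my_port 500 peer_port 500 (I) MM_NO_STATE
001139: *May 6 02:11:09.815 PCTime: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
001140: *May 6 02:11:09.815 PCTime: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
001142: *May 6 02:11:09.815 PCTime: ISAKMP:(0): sending packet to 12.68.96.178 my_port 500 peer_port 500 (I) MM_NO_STATE
001166: *May 6 02:11:49.815 PCTime: ISAKMP (0:0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
001168: *May 6 02:11:49.815 PCTime: ISAKMP:(0): sending packet to 12.68.96.178 my_port 500 peer_port 500 (I) MM_NO_STATE
001173: *May 6 02:11:59.815 PCTime: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 12.68.96.178)
"""

# This page's reading of the main-mode state an initiator was in when it gave up.
STATE_HINTS = {
    "MM_NO_STATE": "MM1 was sent but nothing ever came back: the peer is unreachable, UDP/500 is "
                   "filtered or redirected before it reaches the ISAKMP process, or ISAKMP is not "
                   "enabled on the peer's interface. Proposals were never compared.",
    "MM_SA_SETUP": "MM1/MM2 completed, so a Phase 1 policy matched; the failure is in the "
                   "key-exchange (MM3/MM4) step.",
    "MM_KEY_EXCH": "MM3/MM4 completed but MM5/MM6 never authenticated; the usual cause is a "
                   "pre-shared key or identity mismatch.",
}

SEND_RE = re.compile(r"sending packet to (?P<peer>\S+) .*\((?P<role>[IR])\) (?P<state>\S+)")
RECV_RE = re.compile(r"received packet from (?P<peer>\S+)")
ATTEMPT_RE = re.compile(r"attempt (?P<n>\d+) of (?P<max>\d+): retransmit phase 1")
DEATH_RE = re.compile(r'deleting SA reason "(?P<reason>[^"]+)" state \((?P<role>[IR])\) (?P<state>\S+)')


def summarize_phase1(debug: str) -> dict:
    """Counts, retransmit progress, and the state/reason of the SA deletion, if any."""
    summary = {"peer": None, "sent": 0, "received": 0, "retransmit_attempts": 0,
               "max_attempts": None, "psk_found": False, "death_state": None,
               "death_reason": None, "hint": None}
    for line in debug.splitlines():
        if "found peer pre-shared key" in line:
            summary["psk_found"] = True          # a PSK is configured for this peer address
        if m := SEND_RE.search(line):
            summary["peer"] = m["peer"]
            summary["sent"] += 1
        elif RECV_RE.search(line):
            summary["received"] += 1             # never happens in the posted debug
        elif m := ATTEMPT_RE.search(line):
            summary["retransmit_attempts"] = max(summary["retransmit_attempts"], int(m["n"]))
            summary["max_attempts"] = int(m["max"])
        elif m := DEATH_RE.search(line):
            summary["death_state"], summary["death_reason"] = m["state"], m["reason"]
    if summary["death_state"]:
        summary["hint"] = STATE_HINTS.get(
            summary["death_state"], f"died in {summary['death_state']}; check both peers' debug")
    return summary


if __name__ == "__main__":
    for key, value in summarize_phase1(DEBUG_EXCERPT).items():
        print(f"{key:>20}: {value}")
```

Because the initiator never received a single packet, a proposal, hash or group mismatch cannot be the cause of this particular failure; those show up only after MM2 arrives.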
ASKER
Thanks for pointing that out. We have changed it so many times. I had the wrong transform in the post.
I did as you suggested and received the same debug info. Seems to be failing before Phase 2.
Any ideas?
ASKER CERTIFIED SOLUTION
ASKER
Yes, it did allow me to do this. Good call.
The previous Cisco tech had port translation:
ip nat inside source static tcp 192.168.220.100 21 75.48.112.233 20 extendable
ip nat inside source static tcp 192.168.220.100 21 75.48.112.233 21 extendable
ip nat inside source static tcp 192.168.220.100 25 75.48.112.233 25 extendable
ip nat inside source static tcp 192.168.220.100 80 75.48.112.233 80 extendable
ip nat inside source static tcp 192.168.220.100 443 75.48.112.233 443 extendable
ip nat inside source static tcp 192.168.220.100 3389 75.48.112.233 3389 extendable
When I switched back to this, the tunnel worked.
Is this port translation config recommended? It had been like this for a while.
>When I switch back to this, the tunnel worked.
OK, so first problem solved, no?
>Is this port translation config recommended?
Yes. It allows you to use the same public IP for multiple purposes, like forwarding some ports to an internal server and using VPN at the same time.
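An added example (written for this page, not code from the thread or from Cisco) of the check behind that answer: the script parses an IOS running-config, finds the interface that carries the crypto map, and flags any static NAT entry that would capture the router's own IKE and ESP traffic on that address. The "broken" and "fixed" fragments are constructed from the two NAT configurations posted above. This is also consistent with the debug in the question: a router whose inbound UDP/500 is being translated to an inside host stays in MM_NO_STATE and dies by retransmission no matter how the ISAKMP policies are set.

```python
"""Flag static NAT entries that hijack a Cisco IOS router's own VPN endpoint address.

Added example for this page, not from the thread or from Cisco. A whole-address
'ip nat inside source static' on the crypto-map interface IP sends every inbound
packet for that IP, including IKE (UDP/500, UDP/4500) and ESP, to the inside host,
so the router's ISAKMP process never sees the peer's reply. Port-specific static
PAT entries leave those protocols to the router.
"""
from __future__ import annotations
import re
from dataclasses import dataclass

# Fragments constructed from the two NAT configurations posted in the thread.
BROKEN_CONFIG = """\
interface FastEthernet4
 ip address 75.48.112.233 255.255.255.248
 ip nat outside
 crypto map outside_crypto_75_48_112_233
!
ip nat inside source route-map RMAP_1 interface FastEthernet4 overload
ip nat inside source static 192.168.220.100 75.48.112.233 extendable
ip nat inside source static 192.168.220.100 75.48.112.234 extendable
"""
FIXED_CONFIG = """\
interface FastEthernet4
 ip address 75.48.112.233 255.255.255.248
 ip nat outside
 crypto map outside_crypto_75_48_112_233
!
ip nat inside source route-map RMAP_1 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.220.100 21 75.48.112.233 21 extendable
ip nat inside source static tcp 192.168.220.100 25 75.48.112.233 25 extendable
ip nat inside source static tcp 192.168.220.100 80 75.48.112.233 80 extendable
ip nat inside source static tcp 192.168.220.100 443 75.48.112.233 443 extendable
ip nat inside source static tcp 192.168.220.100 3389 75.48.112.233 3389 extendable
ip nat inside source static 192.168.220.100 75.48.112.234 extendable
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
PORT_NAT_RE = re.compile(rf"^ip nat inside source static (?P<proto>tcp|udp) (?P<in_ip>{IPV4}) "
                         rf"(?P<in_port>\d+) (?P<out_ip>{IPV4}) (?P<out_port>\d+)\b")
FULL_NAT_RE = re.compile(rf"^ip nat inside source static (?P<in_ip>{IPV4}) (?P<out_ip>{IPV4})\b")
IKE_UDP_PORTS = {500, 4500}  # ISAKMP and NAT-T; ESP is IP protocol 50 and has no port


@dataclass(frozen=True)
class StaticNat:
    inside_ip: str
    outside_ip: str
    proto: str | None = None        # None: whole-address (one-to-one) static NAT
    outside_port: int | None = None


def parse_static_nats(config: str) -> list[StaticNat]:
    """Static NAT/PAT entries only; the route-map overload entry is dynamic and ignored."""
    nats = []
    for line in config.splitlines():
        line = line.strip()
        if m := PORT_NAT_RE.match(line):
            nats.append(StaticNat(m["in_ip"], m["out_ip"], m["proto"], int(m["out_port"])))
        elif m := FULL_NAT_RE.match(line):
            nats.append(StaticNat(m["in_ip"], m["out_ip"]))
    return nats


def crypto_map_interface_ips(config: str) -> dict[str, str]:
    """{interface name: IPv4 address} for every interface with a crypto map applied."""
    result, name, ip, has_map = {}, None, None, False
    for raw in config.splitlines() + ["!"]:           # trailing "!" flushes the last block
        if not raw.startswith(" "):                   # any top-level line ends the block
            if name and ip and has_map:
                result[name] = ip
            name, ip, has_map = None, None, False
            if raw.startswith("interface "):
                name = raw.split(None, 1)[1].strip()
        elif name:                                    # IOS indents interface sub-commands
            line = raw.strip()
            if line.startswith("ip address "):
                ip = line.split()[2]
            elif line.startswith("crypto map "):
                has_map = True
    return result


def find_vpn_nat_conflicts(config: str) -> list[str]:
    """One finding per static entry that would steal IKE or ESP from the router itself."""
    findings, nats = [], parse_static_nats(config)
    for intf, ip in crypto_map_interface_ips(config).items():
        for nat in (n for n in nats if n.outside_ip == ip):
            if nat.proto is None:
                findings.append(f"{intf} ({ip}): whole-address static NAT to {nat.inside_ip} "
                                f"diverts inbound UDP/500, UDP/4500 and ESP from the ISAKMP process")
            elif nat.proto == "udp" and nat.outside_port in IKE_UDP_PORTS:
                findings.append(f"{intf} ({ip}): static PAT of UDP/{nat.outside_port} to "
                                f"{nat.inside_ip} hands IKE to the inside host, not the router")
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label + ":", find_vpn_nat_conflicts(cfg) or "no conflict")
```

Besides letting the tunnel come up, the port-specific form is the more conservative exposure: through 75.48.112.233 only TCP 21, 25, 80, 443 and 3389 on 192.168.220.100 are forwarded from the Internet, whereas the whole-address entry forwarded every port of that host.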
There is no matching policy on either end. Change the transform for southland to the same 3des/sha as the other one:
no crypto ipsec transform-set southland esp-3des esp-md5-hmac
crypto ipsec transform-set southland esp-3des esp-sha-hmac
crypto map outside_crypto_75_48_112_233 11 ipsec-isakmp
set transform-set southland <== you'll have to put this back in after you remove/replace it above
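To make the comparison this answer asks for mechanical, here is an added example (written for this page, not code from the thread or from Cisco) that parses the ISAKMP policies and transform sets posted above from both boxes and reports which Phase 1 policies pair up and whether the Phase 2 transform sets agree. It applies the IOS 12.4 defaults for attributes a policy leaves out (hash sha, group 1, lifetime 86400), since that is what the router actually proposes; the ASA default table in the script is an assumption and is never exercised here because the posted ASA policies set every attribute. On the posted configs it pairs 871 policy 10 with ASA policy 9 and 871 policy 11 with ASA policy 10, and reports southland against UC2 as the only mismatch (esp-md5-hmac against esp-sha-hmac), with westrux already matching UC2.

```python
"""Compare IKEv1 Phase 1 policies and Phase 2 transform sets between an IOS router and an ASA.

Added example for this page, not from the thread or from Cisco. IOS fills in defaults
for any attribute a policy omits, so policies are compared after the defaults are
applied, not as typed.
"""
from __future__ import annotations
import re

# Constructed from the policy and transform-set lines posted in the thread.
IOS_CONFIG = """\
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 lifetime 2000
!
crypto isakmp policy 11
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
crypto ipsec transform-set southland esp-3des esp-md5-hmac
crypto ipsec transform-set westrux esp-3des esp-sha-hmac
"""
ASA_CONFIG = """\
crypto ipsec transform-set UC2 esp-3des esp-sha-hmac
crypto isakmp policy 9
 authentication pre-share
 encryption 3des
 hash sha
 group 1
 lifetime 2000
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 28800
crypto isakmp policy 11
 authentication pre-share
 encryption aes
 hash sha
 group 1
 lifetime 86400
"""

# IOS 12.4 defaults for a 'crypto isakmp policy' that omits an attribute.
IOS_DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig", "group": "1", "lifetime": "86400"}
# Assumed ASA defaults; the posted ASA policies set every attribute, so these are not exercised.
ASA_DEFAULTS = {"encr": "3des", "hash": "sha", "authentication": "pre-share", "group": "2", "lifetime": "86400"}
ATTR = {"encr": "encr", "encryption": "encr", "hash": "hash",
        "authentication": "authentication", "group": "group", "lifetime": "lifetime"}
NEGOTIATED = ("encr", "hash", "authentication", "group")  # must be equal; lifetime becomes the shorter


def parse_isakmp_policies(config: str, defaults: dict[str, str]) -> dict[int, dict[str, str]]:
    """{priority: attributes} with the platform defaults filled in for omitted attributes."""
    policies: dict[int, dict[str, str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"crypto isakmp policy (\d+)$", line):
            current = int(m[1])
            policies[current] = dict(defaults)
            continue
        parts = line.split()
        if current is not None and len(parts) == 2 and parts[0] in ATTR:
            policies[current][ATTR[parts[0]]] = parts[1]
        elif line and not line.startswith("!"):
            current = None                       # any other command ends the policy block
    return policies


def parse_transform_sets(config: str) -> dict[str, frozenset[str]]:
    """{name: set of transforms}; order in the config does not matter for matching."""
    sets = {}
    for line in config.splitlines():
        if m := re.match(r"\s*crypto ipsec transform-set (\S+) (.+)$", line):
            sets[m[1]] = frozenset(m[2].split())
    return sets


def phase1_matches(initiator: dict, responder: dict) -> list[tuple[int, int, int]]:
    """(initiator priority, responder priority, negotiated lifetime) for each initiator policy,
    paired with the first responder policy (lowest number) whose negotiated attributes match."""
    pairs = []
    for ipri, ipol in sorted(initiator.items()):
        for rpri, rpol in sorted(responder.items()):
            if all(ipol[k] == rpol[k] for k in NEGOTIATED):
                pairs.append((ipri, rpri, min(int(ipol["lifetime"]), int(rpol["lifetime"]))))
                break
    return pairs


def transform_sets_match(a: frozenset[str], b: frozenset[str]) -> bool:
    return a == b


if __name__ == "__main__":
    ios = parse_isakmp_policies(IOS_CONFIG, IOS_DEFAULTS)
    asa = parse_isakmp_policies(ASA_CONFIG, ASA_DEFAULTS)
    print("phase 1 pairs (871 policy, ASA policy, lifetime):", phase1_matches(ios, asa))
    ios_ts, asa_ts = parse_transform_sets(IOS_CONFIG), parse_transform_sets(ASA_CONFIG)
    for name in ("southland", "westrux"):
        verdict = "match" if transform_sets_match(ios_ts[name], asa_ts["UC2"]) else "MISMATCH"
        print(f"{name} vs UC2: {verdict} {sorted(ios_ts[name])} / {sorted(asa_ts['UC2'])}")
```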