L2L problems

Posted on 2009-04-26
486 Views
Last Modified: 2012-05-06
Work network: 172.16.1.0/24, 172.16.10.0/24 and 172.16.101.0/24
remote site: 192.168.3.0/24

The problem:

The tunnel is established, but I cannot ping anything on either side. Doing "ping inside" doesn't do anything but get the tunnel up. ICMP is allowed through.

I need the remote site to be able to connect to every subnet at the corporate office.
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet1 vlan2 logical
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif vlan2 dmz security50
enable password uCC7HvYx68qN0nG5 encrypted
passwd TWxhtD9jxzEIi1Fx encrypted
hostname fwall
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list ipsec permit ip 192.168.3.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list ipsec permit ip 192.168.3.0 255.255.255.0 172.16.10.0 255.255.255.0
access-list ipsec permit ip 192.168.3.0 255.255.255.0 172.16.101.0 255.255.255.0
access-list nonat permit ip 192.168.3.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list nonat permit ip 192.168.3.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list nonat permit ip 192.168.3.0 255.255.255.0 172.16.10.0 255.255.255.0
access-list nonat permit ip 192.168.3.0 255.255.255.0 172.16.101.0 255.255.255.0
access-list outside-to-inside permit icmp any any
access-list outside-to-inside permit tcp any interface outside eq 9090
access-list outside-to-inside permit tcp any interface outside eq www
access-list split_tunnel_acl permit ip 192.168.3.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list dmz permit icmp any any echo-reply
pager lines 24
logging on
logging timestamp
logging buffered informational
logging history informational
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.3.1 255.255.255.0
ip address dmz 192.168.4.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpn-pool 192.168.50.10-192.168.50.13 mask 255.255.255.0
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.3.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 192.168.4.0 255.255.255.0 0 0
static (inside,outside) tcp interface www 192.168.3.130 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 9090 192.168.3.131 9090 netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.3.0 192.168.3.0 netmask 255.255.255.0 0 0
access-group outside-to-inside in interface outside
access-group dmz in interface dmz
route outside 0.0.0.0 0.0.0.0 71.200.32.1 1
route outside 172.16.0.0 255.255.0.0 71.200.32.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set aesmap esp-aes-256 esp-md5-hmac
crypto ipsec transform-set aes128 esp-aes esp-md5-hmac
crypto dynamic-map vpn 65535 set transform-set aesmap
crypto dynamic-map vpn 65535 set security-association lifetime seconds 84600 kilobytes 4608000
crypto map mymap 88 ipsec-isakmp
crypto map mymap 88 match address ipsec
crypto map mymap 88 set peer 75.140.145.225
crypto map mymap 88 set transform-set aesmap
crypto map mymap interface outside
crypto map vpn 65535 ipsec-isakmp dynamic vpn
crypto map vpn client configuration address initiate
crypto map vpn client authentication LOCAL
isakmp enable outside
isakmp key ******** address 75.140.145.225 netmask 255.255.255.255 no-xauth no-config-mode
isakmp nat-traversal 20
isakmp policy 50 authentication pre-share
isakmp policy 50 encryption aes-256
isakmp policy 50 hash sha
isakmp policy 50 group 2
isakmp policy 50 lifetime 86400
vpngroup family address-pool vpn-pool
vpngroup family split-tunnel split_tunnel_acl
vpngroup family idle-time 14400
vpngroup family password ********
vpngroup password idle-time 1800
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.3.0 255.255.255.0 inside
ssh timeout 60
management-access inside
console timeout 0
 
terminal width 80
Cryptochecksum:f67d225477275bbdfcb8447d483b88b2
: end
----------------------------------------------------------------------
Work:
 
ASA Version 8.0(3)
!
hostname ColoASA
 
enable password odfQnoVkJM3R6uNm encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.16.101.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 75.140.145.225 255.255.255.240
!
interface Vlan3
 shutdown
 nameif dmz
 security-level 50
 ip address 10.10.11.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
 switchport access vlan 3
!
passwd /jDqcmU1oIx7745D encrypted
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 
 
 
object-group network sl-ipsec-net
 network-object 172.16.1.0 255.255.255.0
 network-object 172.16.10.0 255.255.255.0
 network-object 172.16.101.0 255.255.255.0
 
object-group network smyrna
 network-object 192.168.3.0 255.255.255.0
 
 
access-list outside-to-inside extended permit icmp any any
access-list outside-to-inside extended permit tcp any host 75.150.145.226 eq smtp
access-list citrus-acl extended permit ip object-group sl-ipsec-net object-group Citrus
access-list Easton-acl extended permit ip object-group sl-ipsec-net object-group Easton
access-list Valley_Colo_splitTunnelAcl_1 standard permit 172.16.0.0 255.255.0.0
access-list deny-ospf-out standard permit 172.16.0.0 255.255.0.0
access-list deny-ospf-out standard permit 10.80.8.0 255.255.255.0
access-list deny-ospf-out standard permit 192.168.100.0 255.255.255.0
access-list permit-ospf-out standard permit any
access-list private-inbound extended deny ip any 10.10.10.0 255.255.255.0
access-list private-inbound extended permit ip 172.16.0.0 255.255.0.0 any
access-list honeybrook-acl extended permit ip object-group sl-ipsec-net object-group Honeybrook
access-list oceanview-acl extended permit ip object-group sl-ipsec-net object-group Oceanview
access-list georgetown-acl extended permit ip object-group sl-ipsec-net object-group georgetown-net
access-list nonat extended permit ip object-group sl-ipsec-net object-group georgetown-net
access-list nonat extended permit ip object-group sl-ipsec-net object-group Bell-Haven-net
access-list nonat extended permit ip object-group sl-ipsec-net object-group tcp-net
access-list nonat extended permit ip object-group sl-ipsec-net object-group wh-ipsec-net
access-list nonat extended permit ip object-group sl-ipsec-net object-group smyrna
access-list nonat extended permit ip object-group sl-ipsec-net object-group Allentown
access-list nonat extended permit ip object-group sl-ipsec-net object-group Chincoteague
access-list nonat extended permit ip object-group sl-ipsec-net object-group Citrus
access-list nonat extended permit ip object-group sl-ipsec-net object-group Easton
access-list nonat extended permit ip object-group sl-ipsec-net object-group Honeybrook
access-list nonat extended permit ip object-group sl-ipsec-net object-group Oceanview
access-list nonat extended permit ip object-group wh-ipsec-net object-group tcp-net
access-list nonat extended permit ip object-group sl-ipsec-net object-group Bravepoint
access-list nonat extended permit ip any object-group RAS
access-list bellhaven-acl extended permit ip object-group sl-ipsec-net object-group Bell-Haven-net
access-list wh_to_tcp-acl extended permit ip object-group wh-ipsec-net object-group tcp-net
access-list bravepoint-acl extended permit ip object-group corporate_to_bravepoint object-group Bravepoint
access-list tcp-acl extended permit ip object-group sl-ipsec-net object-group tcp-net
access-list wh-acl extended permit ip object-group sl-ipsec-net object-group wh-ipsec-net
access-list ryan-acl extended permit ip object-group sl-ipsec-net object-group smyrna
access-list allentown-acl extended permit ip object-group sl-ipsec-net object-group Allentown
access-list Chincoteague-acl extended permit ip object-group sl-ipsec-net object-group Chincoteague
pager lines 24
 
 
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool VPN_Subnet 172.16.201.10-172.16.201.50 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit host 172.16.1.20 inside
icmp permit any inside
asdm image disk0:/asdm-611.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,dmz) 172.16.1.0 172.16.1.0 netmask 255.255.255.0
static (inside,dmz) 172.16.2.0 172.16.2.0 netmask 255.255.255.0
static (dmz,outside) 75.150.145.228 10.10.11.12 netmask 255.255.255.255
static (dmz,outside) 75.150.145.227 10.10.11.11 netmask 255.255.255.255
static (inside,dmz) 172.16.0.0 172.16.0.0 netmask 255.255.0.0
static (outside,dmz) 172.16.53.0 172.16.53.0 netmask 255.255.255.0
static (dmz,outside) 75.150.145.230 10.10.11.14 netmask 255.255.255.255
static (dmz,outside) 75.150.145.229 10.10.11.10 netmask 255.255.255.255
static (inside,outside) 75.150.145.226 172.16.101.49 netmask 255.255.255.255
access-group private-inbound in interface inside
access-group outside-to-inside in interface outside
!
route-map ospf-out deny 10
 match ip address deny-ospf-out
!
route-map ospf-out permit 20
 match ip address permit-ospf-out
 set metric 100
 set metric-type type-1
!
!
router ospf 1
 router-id 172.16.101.254
 network 172.16.101.0 255.255.255.0 area 2
 log-adj-changes
 redistribute static subnets route-map ospf-out
 default-information originate
!
route outside 0.0.0.0 0.0.0.0 75.150.145.238 1
route outside 10.80.8.0 255.255.255.0 75.150.145.238 1
route outside 172.16.25.0 255.255.255.0 75.150.145.238 1
route outside 172.16.35.0 255.255.255.0 75.150.145.238 1
route outside 172.16.36.0 255.255.255.0 75.150.145.238 1
route outside 172.16.37.0 255.255.255.0 75.150.145.238 1
route outside 172.16.53.0 255.255.255.0 75.150.145.238 1
route outside 172.16.54.0 255.255.255.0 75.150.145.238 1
route outside 172.16.57.0 255.255.255.0 75.150.145.238 1
route outside 172.16.60.0 255.255.255.0 75.150.145.238 1
route outside 172.16.65.0 255.255.255.0 75.150.145.238 1
route outside 172.16.70.0 255.255.255.0 75.150.145.238 1
route outside 172.16.71.0 255.255.255.0 75.150.145.238 1
route outside 192.168.3.0 255.255.255.0 75.150.145.238 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server DC_Radius protocol radius
aaa-server DC_Radius host 172.16.101.23
 timeout 5
 key silverlake
aaa authentication ssh console LOCAL
http server enable
 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set aes256 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set aes128 esp-aes esp-md5-hmac
 
crypto map mymap 3 match address ryan-acl
crypto map mymap 3 set peer 71.100.37.168
crypto map mymap 3 set transform-set aes128
 
crypto map mymap interface outside
crypto isakmp enable outside
crypto isakmp policy 50
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
telnet timeout 10
ssh 172.16.0.0 255.255.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 10
console timeout 0
management-access inside
dhcpd dns 68.87.64.146 68.87.75.194
dhcpd auto_config outside
dhcpd update dns both
!
 
threat-detection basic-threat
threat-detection statistics access-list
 vpn-tunnel-protocol IPSec
 
tunnel-group 71.100.37.168 type ipsec-l2l
tunnel-group 71.100.37.168 ipsec-attributes
 pre-shared-key *
!
!
prompt hostname context
Cryptochecksum:5e674b250595264c1cce3131cfa3941e
: end

Question by:dissolved
18 Comments
 
LVL 15

Assisted Solution

by:Voltz-dk
Voltz-dk earned 240 total points
ID: 24236406
Right off it seems ok.
After sending pings from one side, what does "sh ipsec sa" for the tunnel in question give in terms of packet encrypted/decrypted on either end?
Could you try to run a "debug icmp trace" on the receiving end while doing the pings?
Could you maybe try some logging (perhaps on the remote site, if that doesn't have so much traffic)?
 

Author Comment

by:dissolved
ID: 24236535
This is from the remote side (192.168.3.0/24, public IP 71.100.37.168). I was pinging the other end.
fwall# sh ipsec sa
 
 
interface: outside
    Crypto map tag: mymap, local addr. 71.100.37.168
 
   local  ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
   current_peer: 75.140.145.225:0
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
 
     local crypto endpt.: 71.100.37.168, remote crypto endpt.: 75.140.145.225
     path mtu 1500, ipsec overhead 0, media mtu 1500
     current outbound spi: 0
 
     inbound esp sas:
 
 
     inbound ah sas:
 
 
     inbound pcp sas:
 
 
     outbound esp sas:
 
 
     outbound ah sas:
 
 
     outbound pcp sas:
 
 
 
   local  ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.16.10.0/255.255.255.0/0/0)
   current_peer: 75.150.145.225:0
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
 
     local crypto endpt.: 71.100.37.168, remote crypto endpt.: 75.150.145.225
     path mtu 1500, ipsec overhead 0, media mtu 1500
     current outbound spi: 0
 
     inbound esp sas:
 
 
     inbound ah sas:
 
 
     inbound pcp sas:
 
 
     outbound esp sas:
 
 
     outbound ah sas:
 
 
     outbound pcp sas:
 
 
 
   local  ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.16.101.0/255.255.255.0/0/0)
   current_peer: 75.140.145.225:0
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 12, #recv errors 0
 
     local crypto endpt.: 71.100.37.168, remote crypto endpt.: 75.140.145.225
     path mtu 1500, ipsec overhead 0, media mtu 1500
     current outbound spi: 0
 
     inbound esp sas:
 
 
     inbound ah sas:
 
 
     inbound pcp sas:
 
 
     outbound esp sas:
 
 
     outbound ah sas:

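Voltz-dk's question was about the encaps/decaps counters in exactly this output. The following is an added example, not code from either firewall or from anyone in the thread: it parses the PIX 6.3 `show ipsec sa` layout above and maps each proxy pair's counter pattern onto the layer most likely at fault. The 172.16.101.0 block of the sample is a shortened copy of the one posted (outbound SPI 0, 12 send errors); the 172.16.1.0 block is constructed to show a negotiated SA that only carries traffic one way.

```python
"""Triage a PIX 6.3 'show ipsec sa' dump per proxy pair.
Added example for this thread, not a tool from either firewall: it reads the
counters Voltz-dk asked about and names the layer most likely at fault."""
import re

# Sample constructed for this example: the 172.16.101.0 block is a shortened
# copy of the asker's output (no outbound SPI, 12 send errors); the 172.16.1.0
# block is invented to show a negotiated SA that only carries traffic one way.
SAMPLE = """\
interface: outside
    Crypto map tag: mymap, local addr. 71.100.37.168

   local  ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.16.101.0/255.255.255.0/0/0)
   current_peer: 75.140.145.225:0
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #send errors 12, #recv errors 0
     current outbound spi: 0

   local  ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
   current_peer: 75.140.145.225:0
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 40, #pkts encrypt: 40, #pkts digest 40
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #send errors 0, #recv errors 0
     current outbound spi: c8ce4131
"""

LOCAL_RE = re.compile(r"^\s*local\s+ident.*\(([\d./]+)\)")
REMOTE_RE = re.compile(r"^\s*remote ident.*\(([\d./]+)\)")
SPI_RE = re.compile(r"current outbound spi: (\S+)")
INT_FIELDS = {
    "encaps": re.compile(r"#pkts encaps: (\d+)"),
    "decaps": re.compile(r"#pkts decaps: (\d+)"),
    "send_errors": re.compile(r"#send errors (\d+)"),
}


def parse_ipsec_sa(text):
    """Split the dump into one dict per local/remote proxy pair."""
    blocks = []
    for line in text.splitlines():
        if m := LOCAL_RE.match(line):          # every proxy pair starts here
            blocks.append({"local": m.group(1), "remote": None, "spi": "0",
                           "encaps": 0, "decaps": 0, "send_errors": 0})
            continue
        if not blocks:                         # header lines before the first pair
            continue
        cur = blocks[-1]
        if m := REMOTE_RE.match(line):
            cur["remote"] = m.group(1)
        elif m := SPI_RE.search(line):
            cur["spi"] = m.group(1)
        else:
            for key, rx in INT_FIELDS.items():
                if m := rx.search(line):
                    cur[key] = int(m.group(1))
    return blocks


def triage(block):
    """Return (code, hint). An absent SA is checked first, because the packet
    counters mean nothing until phase 2 has completed for that proxy pair."""
    if block["spi"] == "0":
        if block["send_errors"]:
            # The PIX counts packets dropped because no SA existed for them,
            # so the crypto map was hit but quick mode never completed.
            return ("NO_SA_TRAFFIC_MATCHED",
                    "crypto map matched but phase 2 failed: compare proxy IDs, "
                    "transform-sets and the mirror-image crypto ACL on the peer")
        return ("NO_SA_IDLE",
                "no SA and no interesting traffic: check the crypto ACL / nat 0")
    if block["encaps"] and not block["decaps"]:
        return ("ONE_WAY_OUT",
                "encrypting but nothing returns: peer-side nat exemption, "
                "inbound ACL or route back to " + block["local"])
    if block["decaps"] and not block["encaps"]:
        return ("ONE_WAY_IN",
                "decrypting but not replying: local route/NAT toward " + block["remote"])
    if block["encaps"] and block["decaps"]:
        return ("BIDIRECTIONAL", "SA carries traffic both ways: look at the end hosts")
    return ("SA_IDLE", "SA negotiated but no traffic has been sent yet")


def report(text):
    """One (local, remote, code) triple per proxy pair in the dump."""
    return [(b["local"], b["remote"], triage(b)[0]) for b in parse_ipsec_sa(text)]


if __name__ == "__main__":
    for local, remote, code in report(SAMPLE):
        print(f"{local} <-> {remote}: {code}")
```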
 

Author Comment

by:dissolved
ID: 24236543
Now the other end (headquarters) shows the tunnel up, but nothing when I do sh ipsec sa


ColoASA# sh isa sa

There are no isakmp sas
ColoASA# ping inside 192.168.3.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.5, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
ColoASA# sh isa sa

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 71.100.37.168
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
ColoASA# sh ipsec sa
ColoASA# sh ipsec sa
ColoASA# sh ipsec sa
ColoASA#

Author Comment

by:dissolved
ID: 24236553
When I try to ping from remote (192.168.3.) to headquarters (172.16.1.0), this is what showed with debugging on (cry isa and cry ipsec):
fwall# ping inside 172.16.1.20
 
ISAKMP (0:0): sending NAT-T vendor ID - rev 2 & 3
ISAKMP (0): beginning Main Mode exchange
crypto_isakmp_process_block:src:75.140.145.225, dest:71.100.37.168 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
 
ISAKMP (0): Checking ISAKMP transform 1 against priority 50 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      keylength of 256
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing vendor id payload
 
ISAKMP (0:0): vendor ID is NAT-T
ISAKMP (0): processing vendor id payload
 
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_FQDN
ISAKMP (0:0): constructed HIS NAT-D
ISAKMP (0:0): constructed MINE NAT-D
ISAKMP (0:0): Detected port floating
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:75.140.145.225, dest:71.100.37.168 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0
 
ISAKMP (0): processing NONCE payload. message ID = 0
 
ISAKMP (0): processing vendor id payload
 
ISAKMP (0): processing vendor id payload
 
ISAKMP (0): received xauth v6 vendor id
 
ISAKMP (0): processing vendor id payload
 
ISAKMP (0): speaking to another IOS box!
 
ISAKMP (0): processing vendor id payload
 
ISAKMP (0): speaking to a VPN3000 concentrator
 
ISAKMP (0:0): Detected NAT-D payload
ISAKMP (0:0): NAT match MINE hash
ISAKMP (0:0): Detected NAT-D payload
ISAKMP (0:0): NAT match HIS hash
ISAKMP (0): ID payload
        next-payload : 8
        type         : 2
        protocol     : 17
        port         : 500
        length       : 22
ISAKMP (0): Total payload length: 26
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:75.140.145.225, dest:71.100.37.168 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): processing vendor id payload
 
ISAKMP (0): remote peer supports dead peer detection
 
ISAKMP (0): SA has been authenticated
 
ISAKMP (0): beginning Quick Mode exchange, M-ID of 551048689:20d855f1IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0xc8ce4131(3368960305) for SA
        from  75.140.145.225 to   71.100.37.168 for prot 3
 
return status is IKMP_NO_ERROR
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending NOTIFY message 24578 protocol 1
VPN Peer: ISAKMP: Added new peer: ip:75.140.145.225/500 Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:75.140.145.225/500 Ref cnt incremented to:1 Total VPN Peers:1
crypto_isakmp_process_block:src:75.140.145.225, dest:71.100.37.168 spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 14 protocol 3
        spi 0, message ID = 4230708872
return status is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block:src:75.140.145.225, dest:71.100.37.168 spt:500 dpt:500
ISAKMP (0): processing DELETE payload. message ID = 2790627003, spi size = 16
ISAKMP (0): deleting SA: src 71.100.37.168, dst 75.140.145.225
return status is IKMP_NO_ERR_NO_TRANS   172.16.1.20 NO response received -- 1000ms
 
ISADB: reaper checking SA 0xfd53a4, conn_id = 0  DELETE IT!
 
VPN Peer: ISAKMP: Peer ip:75.140.145.225/500 Ref cnt decremented to:0 Total VPN Peers:1
VPN Peer: ISAKMP: Deleted peer: ip:75.140.145.225/500 Total VPN peers:0IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with  75.140.145.225
        172.16.1.20 NO response received -- 1000ms
        172.16.1.20 NO response received -- 1000ms
fwall# IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= 71.100.37.168, remote= 75.140.145.225,
    local_proxy= 192.168.3.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 172.16.1.0/255.255.255.0/0/0 (type=4)
 
ISAKMP (0:0): sending NAT-T vendor ID - rev 2 & 3
ISAKMP (0): beginning Main Mode exchange
crypto_isakmp_process_block:src:75.140.145.225, dest:71.100.37.168 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
 
ISAKMP (0): Checking ISAKMP transform 1 against priority 50 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      keylength of 256
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing vendor id payload
 
ISAKMP (0:0): vendor ID is NAT-T
ISAKMP (0): processing vendor id payload
 
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_FQDN
ISAKMP (0:0): constructed HIS NAT-D
ISAKMP (0:0): constructed MINE NAT-D
ISAKMP (0:0): Detected port floating
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:75.140.145.225, dest:71.100.37.168 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0
 
ISAKMP (0): processing NONCE payload. message ID = 0
 
ISAKMP (0): processing vendor id payload
 
ISAKMP (0): processing vendor id payload
 
ISAKMP (0): received xauth v6 vendor id
 
ISAKMP (0): processing vendor id payload
 
ISAKMP (0): speaking to another IOS box!
 
ISAKMP (0): processing vendor id payload
 
ISAKMP (0): speaking to a VPN3000 concentrator
 
ISAKMP (0:0): Detected NAT-D payload
ISAKMP (0:0): NAT match MINE hash
ISAKMP (0:0): Detected NAT-D payload
ISAKMP (0:0): NAT match HIS hash
ISAKMP (0): ID payload
        next-payload : 8
        type         : 2
        protocol     : 17
        port         : 500
        length       : 22
ISAKMP (0): Total payload length: 26
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:75.140.145.225, dest:71.100.37.168 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): processing vendor id payload
 
ISAKMP (0): remote peer supports dead peer detection
 
ISAKMP (0): SA has been authenticated
 
ISAKMP (0): beginning Quick Mode exchange, M-ID of -421444199:e6e14599IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0x3acae046(986374214) for SA
        from  75.140.145.225 to   71.100.37.168 for prot 3
 
return status is IKMP_NO_ERROR
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending NOTIFY message 24578 protocol 1
VPN Peer: ISAKMP: Added new peer: ip:75.140.145.225/500 Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:75.140.145.225/500 Ref cnt incremented to:1 Total VPN Peers:1
crypto_isakmp_process_block:src:75.140.145.225, dest:71.100.37.168 spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 14 protocol 3
        spi 0, message ID = 538630808
return status is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block:src:75.140.145.225, dest:71.100.37.168 spt:500 dpt:500
ISAKMP (0): processing DELETE payload. message ID = 446109293, spi size = 16
ISAKMP (0): deleting SA: src 71.100.37.168, dst 75.140.145.225
return status is IKMP_NO_ERR_NO_TRANS
ISADB: reaper checking SA 0xfd53a4, conn_id = 0  DELETE IT!
 
VPN Peer: ISAKMP: Peer ip:75.140.145.225/500 Ref cnt decremented to:0 Total VPN Peers:1
VPN Peer: ISAKMP: Deleted peer: ip:75.140.145.225/500 Total VPN peers:0IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with  75.140.145.225
IPSEC(key_engine): request timer fired: count = 2,
  (identity) local= 71.100.37.168, remote= 75.140.145.225,
    local_proxy= 192.168.3.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 172.16.1.0/255.255.255.0/0/0 (type=4)

 

Author Comment

by:dissolved
ID: 24236556
pinging from remote to headquarters

fwall# ping inside 172.16.101.254
IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0x9cad7cb9(2628615353) for SA
        from  75.140.145.225 to   71.100.37.168 for prot 3
        172.16.101.254 NO response received -- 1000ms
IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with  75.140.145.225
        172.16.101.254 NO response received -- 1000ms
        172.16.101.254 NO response received -- 1000ms
fwall#
 
LVL 15

Assisted Solution

by:Voltz-dk
Voltz-dk earned 240 total points
ID: 24236717
They are using different transform-sets at least (the first one uses aes-256, the other uses standard 128). Please fix that.

crypto ipsec transform-set aesmap esp-aes-256 esp-md5-hmac
crypto ipsec transform-set aes128 esp-aes esp-md5-hmac
crypto map mymap 88 set transform-set aesmap
---
crypto ipsec transform-set aes256 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set aes128 esp-aes esp-md5-hmac
 
crypto map mymap 3 set transform-set aes128
 

Author Comment

by:dissolved
ID: 24237112
OK, I fixed the transform set type. Still can't get it up.
 
LVL 15

Assisted Solution

by:Voltz-dk
Voltz-dk earned 240 total points
ID: 24237714
But does it fail in the same place?  Could you post a new debug?
 

Author Comment

by:dissolved
ID: 24237814
Ok, remote side cannot initiate the tunnel. When I ping to corporate, nothing happens.
When I ping from corporate -> remote, the tunnel establishes, but I still can't do anything.

Also, when I pinged from corporate to remote, the following message showed up in the remote's console:

fwall# IPSEC(validate_proposal): invalid local address 71.100.37.168
IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with  75.140.145.225


from remote:
fwall# debug cry ipsec
fwall# ping inside 172.16.101.254
        172.16.101.254 NO response received -- 1000ms
        172.16.101.254 NO response received -- 1000ms
        172.16.101.254 NO response received -- 1000ms
fwall# ping inside 172.16.101.254
        172.16.101.254 NO response received -- 1000ms
        172.16.101.254 NO response received -- 1000ms
        172.16.101.254 NO response received -- 1000ms
fwall# sh isa sa
Total     : 0
Embryonic : 0
        dst               src        state     pending     created
fwall# sh ipsec sa
fwall#
 
------------------------
from corporate:
 
 
ColoASA# ping inside 192.168.3.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.5, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
ColoASA# sh isa sa
 
   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
 
1   IKE Peer: 71.100.37.168
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
ColoASA# sh ipsec sa
ColoASA#

 

Author Comment

by:dissolved
ID: 24237830
icmp trace with debugging, from remote to corporate:

fwall# ping inside 172.16.101.254
1031: ICMP echo request (len 32 id 9233 seq 0) 192.168.3.1 > 172.16.101.254
        172.16.101.254 NO response received -- 1000ms
1032: ICMP echo request (len 32 id 9233 seq 1) 192.168.3.1 > 172.16.101.254
        172.16.101.254 NO response received -- 1000ms
1033: ICMP echo request (len 32 id 9233 seq 2) 192.168.3.1 > 172.16.101.254
IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with  75.140.145.225
        172.16.101.254 NO response received -- 1000ms
fwall#


icmp debug trace from corporate to remote

fwall# ping inside 172.16.101.254
1031: ICMP echo request (len 32 id 9233 seq 0) 192.168.3.1 > 172.16.101.254
        172.16.101.254 NO response received -- 1000ms
1032: ICMP echo request (len 32 id 9233 seq 1) 192.168.3.1 > 172.16.101.254
        172.16.101.254 NO response received -- 1000ms
1033: ICMP echo request (len 32 id 9233 seq 2) 192.168.3.1 > 172.16.101.254
IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with  75.140.145.225
        172.16.101.254 NO response received -- 1000ms
fwall#
 

Author Comment

by:dissolved
ID: 24237832
Disregard the second icmp debug trace; here it is.
icmp debug trace for corporate to remote:


ColoASA# Apr 26 17:08:54 [IKEv1]: Group = 71.100.37.168, IP = 71.100.37.168, QM FSM error (P2 struct &0xdba0df68, mess id 0xe9ad5bc4)!
Apr 26 17:08:54 [IKEv1]: Group = 71.100.37.168, IP = 71.100.37.168, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
Apr 26 17:08:54 [IKEv1]: Group = 71.100.37.168, IP = 71.100.37.168, Removing peer from correlator table failed, no match!

 
LVL 43

Assisted Solution

by:JFrederick29
JFrederick29 earned 1760 total points
ID: 24240995
The config looks good as long as you changed the Transforms to match (AES 256 MD5 on both ends).  Can you test using a 192.168.3.x PC and a 172.16.x.x PC instead of testing Firewall to Firewall to rule out any oddities they impose.  If it still isn't working, post the crypto config from both Firewalls again just so we can double check things and to make sure something hasn't changed in the troubleshooting process.
 

Author Comment

by:dissolved
ID: 24242986

corporate:
 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set aes256 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set aes128 esp-aes esp-md5-hmac
crypto dynamic-map dynmap 30 set transform-set aes128
crypto map mymap 3 match address ryan-acl
crypto map mymap 3 set peer 71.100.37.168
crypto map mymap 3 set transform-set aes128
 
crypto map mymap interface outside
crypto isakmp enable outside
crypto isakmp policy 50
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
 
----------------------------------------------------------------------------------------------------
home:
 
 
crypto ipsec transform-set aesmap esp-aes-256 esp-md5-hmac
crypto ipsec transform-set aes128 esp-aes esp-md5-hmac
crypto dynamic-map vpn 65535 set transform-set aesmap
crypto dynamic-map vpn 65535 set security-association lifetime seconds 84600 kilobytes 4608000
crypto map vpn 65535 ipsec-isakmp dynamic vpn
crypto map vpn client configuration address initiate
crypto map vpn client authentication LOCAL
crypto map mymap 3 ipsec-isakmp
crypto map mymap 3 match address ipsec
crypto map mymap 3 set peer 75.140.145.225
crypto map mymap 3 set transform-set aes128
isakmp enable outside
isakmp key ******** address 75.140.145.225 netmask 255.255.255.255 no-xauth no-config-mode
isakmp nat-traversal 20
isakmp policy 50 authentication pre-share
isakmp policy 50 encryption aes-256
isakmp policy 50 hash sha
isakmp policy 50 group 2
isakmp policy 50 lifetime 86400

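The mismatch Voltz-dk spotted earlier (the PIX map entry offering esp-aes-256 while the ASA entry offered esp-aes) is easy to miss by eye across the two syntaxes, so here is an added example that is not code from either firewall or from anyone in the thread. It parses the crypto sections as posted (PIX side taken from the original config, before the transform-set fix) and checks both phases; it generalises to any number of ISAKMP policies and transform-sets per map entry.

```python
"""Cross-check the IKE (phase 1) and IPsec (phase 2) proposals of a PIX 6.3
and an ASA 8.0 L2L pair. Added example for this thread, not code from either
firewall; it understands both the flat PIX and the nested ASA policy syntax."""
import re

# Both snippets are trimmed copies of the crypto sections posted in the thread,
# taken from before the transform-set fix: the PIX entry still uses 'aesmap'.
PIX_CONFIG = """\
crypto ipsec transform-set aesmap esp-aes-256 esp-md5-hmac
crypto ipsec transform-set aes128 esp-aes esp-md5-hmac
crypto map mymap 88 ipsec-isakmp
crypto map mymap 88 match address ipsec
crypto map mymap 88 set peer 75.140.145.225
crypto map mymap 88 set transform-set aesmap
isakmp policy 50 authentication pre-share
isakmp policy 50 encryption aes-256
isakmp policy 50 hash sha
isakmp policy 50 group 2
isakmp policy 50 lifetime 86400
"""
ASA_CONFIG = """\
crypto ipsec transform-set aes256 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set aes128 esp-aes esp-md5-hmac
crypto map mymap 3 match address ryan-acl
crypto map mymap 3 set peer 71.100.37.168
crypto map mymap 3 set transform-set aes128
crypto isakmp policy 50
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
"""
# The change Voltz-dk asked for, applied to the PIX side.
PIX_CONFIG_FIXED = PIX_CONFIG.replace("set transform-set aesmap", "set transform-set aes128")

TS_RE = re.compile(r"^crypto ipsec transform-set (\S+) (.+)$")
MAP_RE = re.compile(r"^crypto map (\S+) (\d+) set (peer|transform-set) (.+)$")
PIX_POL_RE = re.compile(r"^isakmp policy (\d+) (\S+) (\S+)$")
ASA_POL_RE = re.compile(r"^crypto isakmp policy (\d+)$")
# lifetime is left out on purpose: IKEv1 negotiates it downwards, a mismatch is not fatal.
PHASE1_ATTRS = ("authentication", "encryption", "hash", "group")


def parse_crypto(config):
    """Return (transform_sets, crypto_map_entries, isakmp_policies)."""
    tsets, entries, policies = {}, {}, {}
    nested = None                      # ASA policy whose indented body we are in
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if m := TS_RE.match(line):
            tsets[m.group(1)] = frozenset(m.group(2).split())
        elif m := MAP_RE.match(line):
            ent = entries.setdefault((m.group(1), int(m.group(2))),
                                     {"peer": None, "transform_sets": []})
            if m.group(3) == "peer":
                ent["peer"] = m.group(4).split()[0]   # first peer is the primary
            else:
                ent["transform_sets"] += m.group(4).split()
        elif m := PIX_POL_RE.match(line):             # PIX 6.3: one attribute per line
            policies.setdefault(int(m.group(1)), {})[m.group(2)] = m.group(3)
        elif m := ASA_POL_RE.match(line):             # ASA: attributes indented below
            nested = policies.setdefault(int(m.group(1)), {})
        elif line.startswith(" ") and nested is not None:
            attr, _, val = line.strip().partition(" ")
            nested[attr] = val
        else:
            nested = None
    return tsets, entries, policies


def phase2_proposals(config, peer_ip):
    """Transform-sets offered by the crypto map entry that points at peer_ip."""
    tsets, entries, _ = parse_crypto(config)
    for ent in entries.values():
        if ent["peer"] == peer_ip:
            return [tsets[n] for n in ent["transform_sets"] if n in tsets]
    return []


def check_pair(cfg_a, peer_of_a, cfg_b, peer_of_b):
    """Side A's entry for peer_of_a must agree with side B's entry for peer_of_b."""
    p2_a = phase2_proposals(cfg_a, peer_of_a)
    p2_b = phase2_proposals(cfg_b, peer_of_b)
    pol_a = parse_crypto(cfg_a)[2].values()
    pol_b = parse_crypto(cfg_b)[2].values()
    phase1_ok = any(all(pa.get(k) == pb.get(k) for k in PHASE1_ATTRS)
                    for pa in pol_a for pb in pol_b)
    return {
        "phase1_ok": phase1_ok,
        "phase2_ok": any(s in p2_b for s in p2_a),   # at least one identical set
        "phase2_a": [sorted(s) for s in p2_a],
        "phase2_b": [sorted(s) for s in p2_b],
    }


if __name__ == "__main__":
    print("as posted :", check_pair(PIX_CONFIG, "75.140.145.225", ASA_CONFIG, "71.100.37.168"))
    print("after fix :", check_pair(PIX_CONFIG_FIXED, "75.140.145.225", ASA_CONFIG, "71.100.37.168"))
```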
 
LVL 43

Assisted Solution

by:JFrederick29
JFrederick29 earned 1760 total points
ID: 24243068
The config looks good.

Can you post a "show version" and a "show ip address" from the PIX/home side.
 

Author Comment

by:dissolved
ID: 24243510

Cisco PIX Firewall Version 6.3(5)
Cisco PIX Device Manager Version 3.0(1)

Compiled on Thu 04-Aug-05 21:40 by morlee

fwall up 8 days 16 hours

Hardware:   PIX-506E, 32 MB RAM, CPU Pentium II 300 MHz
Flash E28F640J3 @ 0x300, 8MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB

0: ethernet0: address is 000f.242a.4b30, irq 10
1: ethernet1: address is 000f.242a.4b31, irq 11
Licensed Features:
Failover:                    Disabled
VPN-DES:                     Enabled
VPN-3DES-AES:                Enabled
Maximum Physical Interfaces: 2
Maximum Interfaces:          4
Cut-through Proxy:           Enabled
Guards:                      Enabled
URL-filtering:               Enabled
Inside Hosts:                Unlimited
Throughput:                  Unlimited
IKE peers:                   Unlimited

This PIX has a Restricted (R) license.



fwall# sh ip address
System IP Addresses:
        ip address outside 71.100.37.168 255.255.248.0
        ip address inside 192.168.3.1 255.255.255.0
        ip address dmz 192.168.4.1 255.255.255.0
Current IP Addresses:
        ip address outside 71.100.37.168 255.255.248.0
        ip address inside 192.168.3.1 255.255.255.0
        ip address dmz 192.168.4.1 255.255.255.0
 
LVL 43

Accepted Solution

by:JFrederick29
JFrederick29 earned 1760 total points
ID: 24243618
Hmm.  Looks good.  Just wanted to make sure your dynamic IP hadn't changed at some point.

Have you tried testing from a 192.168.3.x PC to a 172.16.1.x or 172.16.10.x PC?  Leave an extended ping going and post a new "sh cry isa sa" and "sh crypto ipsec sa" from both boxes.
 

Author Comment

by:dissolved
ID: 24244067
Pinging from computer to computer got the tunnel up. Thanks guys.
