  • Status: Solved
Can't get L2L tunnel up

Hello All,

Can anyone tell me why I can't get this tunnel up? I have full IP connectivity between the loopbacks. I am able to ping from R2's loopbacks to R4's loopbacks and vice versa, but when I do show cry isakmp sa I get nothing. When I do packet-tracer in inside icmp 192.168.10.10 0 18.18.18.148 detail I get allowed all the way across. It seems like the VPN map is not even applied, although I have them on the interfaces and it seems like it's matching. I have provided an image of my network map and the configs of the devices. I created this scenario in GNS3.

Thank you
ASA.txt
Router.txt
MAP.jpg
Asked by: Shark Attack
 
Shark Attack (Author) commented:
Also, when I do debug cry isakmp I don't get any output, which also tells me that this isn't even trying to work.
 
Jan Springer commented:
If you're doing a policy-based VPN, you won't use loopbacks, you won't route the inside IPs of the other end, and your crypto ACL should match at least for what you have on the ASA.

I haven't even taken a look at the router yet.
 
Shark Attack (Author) commented:
Thanks, I have corrected the errors. I have taken off the loopbacks and have actual hosts on each end, and I have taken off the routes you mentioned. My ACL matches exactly. Now I can't ping each end, though. I am sure routing might be screwed up between the ASA and the router, but I tried a few things and was unsuccessful. Can you look now? I have attached new configs and a map.
Router.txt
ASA.txt
NewMap.jpg
 
Jan Springer commented:
Your crypto ACL has to permit ICMP at both ends.
 
Shark Attack (Author) commented:
I added the ICMP permit to the crypto maps. When I ping 192.168.10.10 from 19.19.19.19, for example, I get the below:


R11#ping 192.168.10.10

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.10, timeout is 2 seconds:
UUUUU
Success rate is 0 percent (0/5)


R11#trace 192.168.10.10
Type escape sequence to abort.
Tracing the route to 192.168.10.10

  1 19.19.19.1 16 msec 20 msec 20 msec
  2 5.5.5.1 36 msec 44 msec 44 msec
  3  *


On R1 I have 0.0.0.0 0.0.0.0 interface f0/0, and the same on the other end. The ASA has 0.0.0.0 0.0.0.0 out the outside interface.
 
Shark Attack (Author) commented:
At least now I am getting debugs.

*Mar  1 03:07:13.179: ISAKMP (0:3): purging node -1424824910
*Mar  1 03:07:13.179: ISAKMP (0:3): purging node -297005755
*Mar  1 03:07:13.195: ISAKMP (0:4): retransmitting phase 1 MM_NO_STATE...
*Mar  1 03:07:13.195: ISAKMP (0:4): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
*Mar  1 03:07:13.195: ISAKMP (0:4): retransmitting phase 1 MM_NO_STATE
*Mar  1 03:07:13.199: ISAKMP (0:4): sending packet to 16.16.16.1 my_port 500 peer_port 500 (I) MM_NO_STATE
R1#
*Mar  1 03:07:23.163: ISAKMP: received ke message (3/1)
*Mar  1 03:07:23.163: ISAKMP (0:4): peer does not do paranoid keepalives.

*Mar  1 03:07:23.167: ISAKMP (0:4): deleting SA reason "gen_ipsec_isakmp_delete but doi isakmp" state (I) MM_NO_STATE (peer 16.16.16.1) input queue 0
*Mar  1 03:07:23.171: ISAKMP (0:3): peer does not do paranoid keepalives.

*Mar  1 03:07:23.175: ISAKMP (0:4): deleting SA reason "gen_ipsec_isakmp_delete but doi isakmp" state (I) MM_NO_STATE (peer 16.16.16.1) input queue 0
*Mar  1 03:07:23.175: ISAKMP (0:4): deleting node -1842580298 error TRUE reason "gen_ipsec_isakmp_delete but doi isakmp"
*Mar  1 03:07:23.179: ISAKMP (0:4): deleting node -917118891 error TRUE reason "gen_ipsec_isakmp_delete but doi isakmp"
*Mar  1 03:07:23.179: ISAKMP (0:4): Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Mar  1 03:07:23.183: ISAKMP (0:4): Old State = IKE_I_MM1  New State = IKE_DEST_SA

*Mar  1 03:07:23.183: ISAKMP (0:3): purging SA., sa=82B1F78C, delme=82B1F78C
*Mar  1 03:07:23.207: ISAKMP: received ke message (1/1)
*Mar  1 03:07:23.207: ISAKMP (0:0): SA request profile is (NULL)
*Mar  1 03:07:23.207: ISAKMP: local port 500, remote port 500
*Mar  1 03:07:23.211: ISAKMP: set new node 0 to QM_IDLE
*Mar  1 03:07:23.215: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 82B1F78C
*Mar  1 03:07:23.215: ISAKMP (0:5): Can not start Aggressive mode, trying Main mode.
*Mar  1 03:07:23.215: ISAKMP: Looking for a matching key for 16.16.16.1 in default : success
*Mar  1 03:07:23.215: ISAKMP (0:5): found peer pre-shared key matching 16.16.16.1
*Mar  1 03:07:23.219: ISAKMP (0:5): constructed NAT-T vendor-07 ID
*Mar  1 03:07:23.219: ISAKMP (0:5): constructed NAT-T vendor-03 ID
*Mar  1 03:07:23.219: ISAKMP (0:5): constructed NAT-T vendor-02 ID
*Mar  1 03:07:23.223: ISAKMP (0:5): Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Mar  1 03:07:23.223: ISAKMP (0:5): Old State = IKE_READY  New State = IKE_I_MM1

*Mar  1 03:07:23.227: ISAKMP (0:5): beginning Main Mode exchange
*Mar  1 03:07:23.227: ISAKMP (0:5): sending packet to 16.16.16.1 my_port 500 peer_port 500 (I) MM_NO_STATE
 
Jan Springer commented:
Let's start with the ASA:

You have this crypto ACL:

   access-list LIST extended permit ip 19.19.19.0 255.255.255.0 192.168.10.0 255.255.255.0
   access-list LIST extended permit ip 192.168.10.0 255.255.255.0 19.19.19.0 255.255.255.0

There should be one entry from your inside subnet to their inside subnet.  You have it going both ways and that's wrong.

Also, I don't see where either 192.168.10.2/24 or 19.19.19.0/24 exist on the ASA.
 
Shark Attack (Author) commented:
And on the ASA debug:

Nov 30 00:48:51 [IKEv1 DEBUG]: IP = 16.16.16.2, IKE SA MM:d6df9aa9 terminating:  flags 0x01000022, refcnt 0, tuncnt 0
Nov 30 00:48:51 [IKEv1 DEBUG]: IP = 16.16.16.2, sending delete/delete with reason message
Nov 30 00:48:51 [IKEv1]: IP = 16.16.16.2, Removing peer from peer table failed, no match!
Nov 30 00:48:51 [IKEv1]: IP = 16.16.16.2, Error: Unable to remove PeerTblEntry
 
Shark Attack (Author) commented:
OK, here is my ASA crypto ACL:
access-list LIST line 1 extended permit ip 19.19.19.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list LIST line 2 extended permit icmp any any

Here is the router's:
Extended IP access list LIST
    10 permit ip 192.168.10.0 0.0.0.255 19.19.19.0 0.0.0.255
    30 permit icmp any any (11 matches)

The 19.19.19.0 network is on the router's end and 192.168.10.0 is on the ASA's side.
R4 has interface 192.168.10.1 going to 192.168.10.10 (host).
 
Shark Attack (Author) commented:
This is how I have this configured:
192.168.10.10 > 192.168.10.1 > 9.9.9.2 > 9.9.9.1 > 16.16.16.1 || 16.16.16.2 < 5.5.5.1 < 5.5.5.2 < 19.19.19.1 < 19.19.19.19
 
Shark Attack (Author) commented:
Also, my ISAKMP phase 1 on the router comes up momentarily, but not on the ASA.


Router1#show crypto isakmp sa
dst             src             state          conn-id slot
16.16.16.1      16.16.16.2      MM_NO_STATE          1    0 (deleted)
 
Jan Springer commented:
The problem that I'm having with all of this is that none of your subnets for the inside interfaces and the subnets in the crypto ACL match.

If your inside interface on the ASA is 9.9.9.0/24, then *that* subnet needs to be permitted in the ACL to the inside subnet at the other end of the tunnel.
 
Shark Attack (Author) commented:
9.9.9.0 is the inside. So it should be more like this?
 
ASA
access-list LIST line 1 extended permit icmp any any (hitcnt=0) 0x76474e5f
access-list LIST line 2 extended permit ip 19.19.19.0 255.255.255.0 192.168.10.0 255.255.255.0

ROUTER
Extended IP access list LIST
    30 permit icmp any any (38 matches)
    40 permit ip 9.9.9.0 0.0.0.255 19.19.19.0 0.0.0.255
 
Jan Springer commented:
And where do the 19.19.19.0/24 and 192.168.10.0/24 subnets come into play?
 
Shark Attack (Author) commented:
I added these. Am I still missing something?

ASA
access-list LIST line 1 extended permit ip 19.19.19.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list LIST line 3 extended permit ip 5.5.5.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list LIST line 2 extended permit icmp any any

Router
Extended IP access list LIST
    10 permit ip 192.168.10.0 0.0.0.255 19.19.19.0 0.0.0.255
    30 permit icmp any any
    40 permit ip 9.9.9.0 0.0.0.255 19.19.19.0 0.0.0.255
 
Jan Springer commented:
On the ASA, I see two subnets:
   16.16.16.0/24
   9.9.9.0/24

The first cannot be a part of the encryption domain since it's also the peer IP.

I don't see 5.5.5.0/24 or 19.19.19.0/24 configured anywhere on the ASA.

On the router, I see two subnets:
   16.16.16.0/24
   5.5.5.0/24

The first cannot be a part of the encryption domain since it's also the peer IP.

I don't see 192.168.10.0/24 or 9.9.9.0/24 configured anywhere on the router.

I would expect the ASA to look like this:
  access-list ASA extended permit icmp 9.9.9.0 255.255.255.0 5.5.5.0 255.255.255.0
  access-list ASA extended permit ip 9.9.9.0 255.255.255.0 5.5.5.0 255.255.255.0

I would expect the ROUTER to look like this:
  ip access-list extended ROUTER
   10 permit icmp 5.5.5.0 0.0.0.255 9.9.9.0 0.0.0.255
   20 permit ip 5.5.5.0 0.0.0.255 9.9.9.0 0.0.0.255

You keep referring to subnets in your configurations that I do not see.
 
Shark Attack (Author) commented:
2015-02-06-14-58-23.jpg
I only showed you the configs of the ASA and the router that has the tunnel on. Did you look at the network map I attached? I also inserted the above image of it. There are two networks on the inside of the ASA: one network connects the ASA to a router, and then there is another network connecting that router to another network. F0/1 on R4 is 192.168.10.1; R2 on the other end is 18.18.18.1 going to 18.18.18.2.
 
Jan Springer commented:
No, I did not, my apologies.

I would expect the ASA to look like this:
  access-list ASA extended permit icmp 192.168.10.0 255.255.255.0 5.5.5.0 255.255.255.0
  access-list ASA extended permit ip 192.168.10.0 255.255.255.0 5.5.5.0 255.255.255.0
  access-list ASA extended permit icmp 192.168.10.0 255.255.255.0 19.19.19.0 255.255.255.0
  access-list ASA extended permit ip 192.168.10.0 255.255.255.0 19.19.19.0 255.255.255.0

  access-list ASA extended permit icmp 9.9.9.0 255.255.255.0 5.5.5.0 255.255.255.0
  access-list ASA extended permit ip 9.9.9.0 255.255.255.0 5.5.5.0 255.255.255.0
  access-list ASA extended permit icmp 9.9.9.0 255.255.255.0 19.19.19.0 255.255.255.0
  access-list ASA extended permit ip 9.9.9.0 255.255.255.0 19.19.19.0 255.255.255.0

I would expect the ROUTER to look like this:
  ip access-list extended ROUTER
   10 permit icmp 5.5.5.0 0.0.0.255 9.9.9.0 0.0.0.255
   15 permit ip 5.5.5.0 0.0.0.255 9.9.9.0 0.0.0.255
   20 permit icmp 5.5.5.0 0.0.0.255 192.168.10.0 0.0.0.255
   25 permit ip 5.5.5.0 0.0.0.255 192.168.10.0 0.0.0.255
   30 permit icmp 19.19.19.0 0.0.0.255 9.9.9.0 0.0.0.255
   35 permit ip 19.19.19.0 0.0.0.255 9.9.9.0 0.0.0.255
   40 permit icmp 19.19.19.0 0.0.0.255 192.168.10.0 0.0.0.255
   45 permit ip 19.19.19.0 0.0.0.255 192.168.10.0 0.0.0.255
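The rule Jan keeps coming back to is worth turning into a check: a crypto ACL for a policy-based tunnel lists only local-subnet to remote-subnet entries, and the far end's ACL is the exact mirror (source and destination swapped). The following Python is an added example, not code from the thread or from Cisco. It parses ASA netmask syntax and IOS wildcard syntax into one form and reports the mistakes that came up above: an entry with no mirror on the other side, both directions listed on one side, a source that is not behind that device, and any or the IKE peer addresses inside the encryption domain. The ACL lines, the per-side local subnets and the peer addresses are constructed from what was posted in this thread; the check does not read the attached config files.

```python
"""Mirror check for the crypto ACLs of a policy-based (crypto map) L2L tunnel.
Added example, not code from the thread or from Cisco."""
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")


def _net(addr, mask, wildcard):
    """addr + netmask (ASA syntax) or addr + wildcard (IOS syntax) -> network."""
    bits = int(ipaddress.IPv4Address(mask))
    if wildcard:                      # IOS wildcard is the inverted netmask
        bits ^= 0xFFFFFFFF
    net = ipaddress.ip_network((addr, bin(bits).count("1")), strict=False)
    if int(net.netmask) != bits:
        raise ValueError(f"discontiguous mask {mask} for {addr}")
    return net


def parse_ace(line, style):
    """(proto, src, dst) for a permit ACE, None for other lines; style is "asa" or "ios".
    Trailing counters such as '(hitcnt=2)' or '(11 matches)' are ignored."""
    toks = line.split()
    if "permit" not in toks:
        return None
    i = toks.index("permit") + 1
    proto, i = toks[i], i + 1
    nets = []
    for _ in range(2):                # source, then destination
        if toks[i] == "any":
            nets.append(ANY)
            i += 1
        elif toks[i] == "host":
            nets.append(ipaddress.ip_network(toks[i + 1] + "/32"))
            i += 2
        else:
            nets.append(_net(toks[i], toks[i + 1], wildcard=(style == "ios")))
            i += 2
    return proto, nets[0], nets[1]


def _side_findings(name, aces, local, peers):
    """Checks that apply to one side's ACL on its own."""
    out = []
    for proto, src, dst in sorted(aces, key=str):
        if ANY in (src, dst):
            out.append(f"{name}: '{proto} {src} {dst}' uses any; the encryption domain must be explicit")
            continue
        if not any(src.subnet_of(n) for n in local):
            out.append(f"{name}: source {src} is not behind this device")
        if any(p in src or p in dst for p in peers):
            out.append(f"{name}: IKE peer address inside the encryption domain ({src} -> {dst})")
        if (proto, dst, src) in aces and src < dst:
            out.append(f"{name}: both directions of {src} <-> {dst} listed on one side")
    return out


def check_mirror(asa_lines, ios_lines, asa_local, ios_local, peers):
    """Return a list of findings; an empty list means the two ACLs mirror cleanly."""
    asa = {a for a in (parse_ace(l, "asa") for l in asa_lines) if a}
    ios = {a for a in (parse_ace(l, "ios") for l in ios_lines) if a}
    peers = [ipaddress.ip_address(p) for p in peers]
    findings = _side_findings("ASA", asa, [ipaddress.ip_network(n) for n in asa_local], peers)
    findings += _side_findings("router", ios, [ipaddress.ip_network(n) for n in ios_local], peers)
    for proto, src, dst in sorted(asa, key=str):      # every ASA ACE needs its swapped twin
        if (proto, dst, src) not in ios:
            findings.append(f"no mirror on router for ASA ACE '{proto} {src} {dst}'")
    for proto, src, dst in sorted(ios, key=str):
        if (proto, dst, src) not in asa:
            findings.append(f"no mirror on ASA for router ACE '{proto} {src} {dst}'")
    return findings


# Constructed from the ACLs posted in the thread, plus one peer-subnet entry to exercise that check.
BAD_ASA = [
    "access-list LIST extended permit ip 19.19.19.0 255.255.255.0 192.168.10.0 255.255.255.0",
    "access-list LIST extended permit ip 192.168.10.0 255.255.255.0 19.19.19.0 255.255.255.0",
    "access-list LIST extended permit ip 16.16.16.0 255.255.255.0 5.5.5.0 255.255.255.0",
    "access-list LIST line 2 extended permit icmp any any",
]
BAD_IOS = ["10 permit ip 192.168.10.0 0.0.0.255 19.19.19.0 0.0.0.255",
           "30 permit icmp any any (11 matches)"]
GOOD_ASA = [
    "access-list LIST line 1 extended permit icmp 192.168.10.0 255.255.255.0 19.19.19.0 255.255.255.0 (hitcnt=2)",
    "access-list LIST line 2 extended permit ip 192.168.10.0 255.255.255.0 19.19.19.0 255.255.255.0",
]
GOOD_IOS = ["70 permit icmp 19.19.19.0 0.0.0.255 192.168.10.0 0.0.0.255 (64 matches)",
            "80 permit ip 19.19.19.0 0.0.0.255 192.168.10.0 0.0.0.255"]
ASA_LOCAL, ROUTER_LOCAL = ["192.168.10.0/24", "9.9.9.0/24"], ["19.19.19.0/24", "5.5.5.0/24"]
PEERS = ["16.16.16.1", "16.16.16.2"]

if __name__ == "__main__":
    for label, a, r in (("broken", BAD_ASA, BAD_IOS), ("final", GOOD_ASA, GOOD_IOS)):
        print(label, check_mirror(a, r, ASA_LOCAL, ROUTER_LOCAL, PEERS) or ["OK"])
```

Run against the final ACL pair from the end of the thread it reports nothing; against the earlier pair it flags the reversed entry on the ASA, the any any lines, the source that lives on the wrong side, and the entries with no twin on the router.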
 
Shark Attack (Author) commented:
Thanks. Unfortunately, I still can't get the tunnel up, though.

Here is what I get on the router's ISAKMP SA and debug:

R1#show crypto isakmp sa
dst             src             state          conn-id slot
16.16.16.2      9.9.9.1         MM_NO_STATE          3    0
16.16.16.2      9.9.9.1         MM_NO_STATE          2    0 (deleted)

*Mar  1 01:17:31.271: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE...
*Mar  1 01:17:31.271: ISAKMP (0:1): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
*Mar  1 01:17:31.275: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE
*Mar  1 01:17:31.275: ISAKMP (0:1): sending packet to 16.16.16.1 my_port 500 peer_port 500 (I) MM_NO_STATE
R1#
*Mar  1 01:17:41.219: ISAKMP: received ke message (3/1)
*Mar  1 01:17:41.219: ISAKMP (0:1): peer does not do paranoid keepalives.

*Mar  1 01:17:41.223: ISAKMP (0:1): deleting SA reason "gen_ipsec_isakmp_delete but doi isakmp" state (I) MM_NO_STATE (peer 16.16.16.1) input queue 0
*Mar  1 01:17:41.227: ISAKMP (0:1): deleting SA reason "gen_ipsec_isakmp_delete but doi isakmp" state (I) MM_NO_STATE (peer 16.16.16.1) input queue 0
*Mar  1 01:17:41.231: ISAKMP (0:1): deleting node -1746173240 error TRUE reason "gen_ipsec_isakmp_delete but doi isakmp"
*Mar  1 01:17:41.231: ISAKMP (0:1): deleting node 112806183 error TRUE reason "gen_ipsec_isakmp_delete but doi isakmp"
R1#
*Mar  1 01:17:41.235: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Mar  1 01:17:41.235: ISAKMP (0:1): Old State = IKE_I_MM1  New State = IKE_DEST_SA

ASA debug:
Nov 30 00:02:53 [IKEv1 DEBUG]: IP = 16.16.16.2, IKE MM Initiator FSM error history (struct &0xd89d4c50)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
Nov 30 00:02:53 [IKEv1 DEBUG]: IP = 16.16.16.2, IKE SA MM:81ed1904 terminating:  flags 0x01000022, refcnt 0, tuncnt 0
Nov 30 00:02:53 [IKEv1 DEBUG]: IP = 16.16.16.2, sending delete/delete with reason message
Nov 30 00:02:53 [IKEv1]: IP = 16.16.16.2, Removing peer from peer table failed, no match!
Nov 30 00:02:53 [IKEv1]: IP = 16.16.16.2, Error: Unable to remove PeerTblEntry

We can work on this on Monday; I have to leave the office. I am not sure what else it could be.
 
Shark Attack (Author) commented:
The source in the output of show crypto isa sa is 9.9.9.1. Is that even right?
 
Shark Attack (Author) commented:
Resolved.

Forgot the "crypto isakmp enable OUTSIDE"
 
Shark Attack (Author) commented:
I've requested that this question be closed as follows:

Accepted answer: 0 points for Zack Gil's comment #a40599608

 
Shark Attack (Author) commented:
Also, the only ACL statements I needed were these:

ASA
ciscoasa(config)# show access-l LIST
access-list LIST; 2 elements
access-list LIST line 1 extended permit icmp 192.168.10.0 255.255.255.0 19.19.19.0 255.255.255.0 (hitcnt=2)
access-list LIST line 2 extended permit ip 192.168.10.0 255.255.255.0 19.19.19.0 255.255.255.0

Router

R1(config)#do show access-l LIST
Extended IP access list LIST
    70 permit icmp 19.19.19.0 0.0.0.255 192.168.10.0 0.0.0.255 (64 matches)
    80 permit ip 19.19.19.0 0.0.0.255 192.168.10.0 0.0.0.255
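The fix turned out to be one missing line, and the symptom it produced is the one in the router debug above: main-mode message 1 sent to 16.16.16.1, retransmitted five times, then the SA deleted, because an ASA does not process IKE on an interface where ISAKMP is not enabled. The following linter is an added example, not code from the thread or from Cisco. It reads an ASA running-config excerpt (a constructed one, modelled on the thread, not the poster's ASA.txt) and checks the prerequisites a crypto-map L2L tunnel needs before any debug output is worth reading: the crypto map is bound to a real interface, ISAKMP (or IKEv1 on 8.4+) is enabled on that same interface, and each map entry references a crypto ACL, a peer with an ipsec-l2l tunnel-group, and a transform-set that are actually defined.

```python
"""Pre-flight check of the IKEv1 crypto-map prerequisites in an ASA config.
Added example, not code from the thread or from Cisco."""
import re

# Constructed running-config excerpt modelled on the thread (not the poster's ASA.txt).
BROKEN_CONFIG = """\
interface GigabitEthernet0/0
 nameif OUTSIDE
 security-level 0
 ip address 16.16.16.1 255.255.255.0
access-list LIST extended permit ip 192.168.10.0 255.255.255.0 19.19.19.0 255.255.255.0
crypto ipsec transform-set TS esp-aes esp-sha-hmac
crypto map MAP 10 match address LIST
crypto map MAP 10 set peer 16.16.16.2
crypto map MAP 10 set transform-set TS
crypto map MAP interface OUTSIDE
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
tunnel-group 16.16.16.2 type ipsec-l2l
tunnel-group 16.16.16.2 ipsec-attributes
 pre-shared-key *****
"""
# The one line the thread was missing:
FIXED_CONFIG = BROKEN_CONFIG + "crypto isakmp enable OUTSIDE\n"


def lint_asa(config):
    """Return findings for a crypto-map L2L setup; [] means the basics are present."""
    nameifs, acls, ike_ifaces, tsets, l2l = set(), set(), set(), set(), set()
    policies = 0
    map_iface = {}     # crypto map name -> nameif it is bound to
    entries = {}       # (map name, seq) -> {setting: value}
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"nameif (\S+)$", line):
            nameifs.add(m[1].lower())
        elif m := re.match(r"access-list (\S+) ", line):
            acls.add(m[1])
        elif m := re.match(r"crypto (?:isakmp|ikev1) enable (\S+)$", line):
            ike_ifaces.add(m[1].lower())
        elif re.match(r"crypto (?:isakmp|ikev1) policy \d+$", line):
            policies += 1
        elif m := re.match(r"crypto ipsec (?:ikev1 )?transform-set (\S+) ", line):
            tsets.add(m[1])
        elif m := re.match(r"tunnel-group (\S+) type ipsec-l2l$", line):
            l2l.add(m[1])
        elif m := re.match(r"crypto map (\S+) interface (\S+)$", line):
            map_iface[m[1]] = m[2]
        elif m := re.match(r"crypto map (\S+) (\d+) (match address|set peer|set (?:ikev1 )?transform-set) (\S+)$", line):
            entries.setdefault((m[1], m[2]), {})[m[3]] = m[4]

    findings = []
    if policies == 0:
        findings.append("no 'crypto isakmp policy' defined")
    for name in sorted({n for n, _ in entries}):
        iface = map_iface.get(name)
        if iface is None:
            findings.append(f"crypto map {name} is not applied to any interface")
        elif iface.lower() not in nameifs:
            findings.append(f"crypto map {name} is applied to unknown interface {iface}")
        elif iface.lower() not in ike_ifaces:     # the thread's actual problem
            findings.append(f"ISAKMP is not enabled on {iface}, where crypto map {name} is applied; "
                            f"add 'crypto isakmp enable {iface}' ('crypto ikev1 enable' on 8.4+)")
    for (name, seq), s in sorted(entries.items()):
        tag = f"crypto map {name} {seq}"
        acl, peer = s.get("match address"), s.get("set peer")
        tset = s.get("set transform-set") or s.get("set ikev1 transform-set")
        if acl is None:
            findings.append(f"{tag}: no 'match address'")
        elif acl not in acls:
            findings.append(f"{tag}: crypto ACL {acl} is not defined")
        if peer is None:
            findings.append(f"{tag}: no 'set peer'")
        elif peer not in l2l:
            findings.append(f"{tag}: no 'tunnel-group {peer} type ipsec-l2l' for the peer")
        if tset is None:
            findings.append(f"{tag}: no transform-set")
        elif tset not in tsets:
            findings.append(f"{tag}: transform-set {tset} is not defined")
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, lint_asa(cfg) or ["OK"])
```

On the broken excerpt the only finding is the missing crypto isakmp enable OUTSIDE; with that line appended the list is empty. The interface name comparison is case-insensitive here as a convenience for the linter, not a statement about how the ASA itself treats nameif case.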
