Solved

Can't get L2L tunnel up

Posted on 2015-02-04
23
84 Views
Last Modified: 2015-02-10
Hello All,

Can anyone tell me why I can't get this tunnel up? I have full IP connectivity between the loopbacks. I am able to ping from R2's loopbacks to R4's loopbacks and vice versa, but when I do show cry isakmp sa I get nothing. When I do packet-tracer in inside icmp 192.168.10.10 0 18.18.18.148 detail I get all allowed across. It seems like the VPN map is not even applied, although I have it on the interfaces and it seems like it's matching. I have provided an image of my network map and the configs of the devices. I have created this scenario in GNS3.

Thank you
ASA.txt
Router.txt
MAP.jpg
0
Question by:Shark Attack
23 Comments
 
LVL 1

Author Comment

by:Shark Attack
ID: 40589466
Also, when I do debug cry isakmp I don't get any output, which also tells me that this isn't even trying to work.
0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 40591264
If you're doing a policy based VPN, you won't use loopbacks, you won't route the inside IPs of the other end and your crypto ACL should match at least for what you have on the ASA.

I haven't even taken a look at the router yet.
0
 
LVL 1

Author Comment

by:Shark Attack
ID: 40591524
Thanks, I have corrected the errors. I have taken off the loopbacks and have actual hosts on each end, and I have taken off the routes you mentioned. My ACL matches exactly. Now I can't ping each end, though. I am sure routing might be screwed up between the ASA and the router, but I tried a few things and was unsuccessful. Can you look now? I have attached the new configs and map.
Router.txt
ASA.txt
NewMap.jpg
0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 40591530
Your crypto ACL has to permit ICMP at both ends.
0
 
LVL 1

Author Comment

by:Shark Attack
ID: 40592060
I added the ICMP permit to the crypto maps. When I ping 192.168.10.10 from 19.19.19.19, for example, I get the below:

R11#ping 192.168.10.10

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.10, timeout is 2 seconds:
UUUUU
Success rate is 0 percent (0/5)


R11#trace 192.168.10.10
Type escape sequence to abort.
Tracing the route to 192.168.10.10

  1 19.19.19.1 16 msec 20 msec 20 msec
  2 5.5.5.1 36 msec 44 msec 44 msec
  3  *


On R1 I have 0.0.0.0 0.0.0.0 interface f0/0, and the same on the other end. The ASA has 0.0.0.0 0.0.0.0 via the outside interface.
0
 
LVL 1

Author Comment

by:Shark Attack
ID: 40592070
At least now I am getting debugs.

*Mar  1 03:07:13.179: ISAKMP (0:3): purging node -1424824910
*Mar  1 03:07:13.179: ISAKMP (0:3): purging node -297005755
*Mar  1 03:07:13.195: ISAKMP (0:4): retransmitting phase 1 MM_NO_STATE...
*Mar  1 03:07:13.195: ISAKMP (0:4): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
*Mar  1 03:07:13.195: ISAKMP (0:4): retransmitting phase 1 MM_NO_STATE
*Mar  1 03:07:13.199: ISAKMP (0:4): sending packet to 16.16.16.1 my_port 500 peer_port 500 (I) MM_NO_STATE
R1#
*Mar  1 03:07:23.163: ISAKMP: received ke message (3/1)
*Mar  1 03:07:23.163: ISAKMP (0:4): peer does not do paranoid keepalives.

*Mar  1 03:07:23.167: ISAKMP (0:4): deleting SA reason "gen_ipsec_isakmp_delete but doi isakmp" state (I) MM_NO_STATE (peer 16.16.16.1) input queue 0
*Mar  1 03:07:23.171: ISAKMP (0:3): peer does not do paranoid keepalives.

*Mar  1 03:07:23.175: ISAKMP (0:4): deleting SA reason "gen_ipsec_isakmp_delete but doi isakmp" state (I) MM_NO_STATE (peer 16.16.16.1) input queue 0
*Mar  1 03:07:23.175: ISAKMP (0:4): deleting node -1842580298 error TRUE reason "gen_ipsec_isakmp_delete but doi isakmp"
*Mar  1 03:07:23.179: ISAKMP (0:4): deleting node -917118891 error TRUE reason "gen_ipsec_isakmp_delete but doi isakmp"
*Mar  1 03:07:23.179: ISAKMP (0:4): Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Mar  1 03:07:23.183: ISAKMP (0:4): Old State = IKE_I_MM1  New State = IKE_DEST_SA

*Mar  1 03:07:23.183: ISAKMP (0:3): purging SA., sa=82B1F78C, delme=82B1F78C
*Mar  1 03:07:23.207: ISAKMP: received ke message (1/1)
*Mar  1 03:07:23.207: ISAKMP (0:0): SA request profile is (NULL)
*Mar  1 03:07:23.207: ISAKMP: local port 500, remote port 500
*Mar  1 03:07:23.211: ISAKMP: set new node 0 to QM_IDLE
*Mar  1 03:07:23.215: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 82B1F78C
*Mar  1 03:07:23.215: ISAKMP (0:5): Can not start Aggressive mode, trying Main mode.
*Mar  1 03:07:23.215: ISAKMP: Looking for a matching key for 16.16.16.1 in default : success
*Mar  1 03:07:23.215: ISAKMP (0:5): found peer pre-shared key matching 16.16.16.1
*Mar  1 03:07:23.219: ISAKMP (0:5): constructed NAT-T vendor-07 ID
*Mar  1 03:07:23.219: ISAKMP (0:5): constructed NAT-T vendor-03 ID
*Mar  1 03:07:23.219: ISAKMP (0:5): constructed NAT-T vendor-02 ID
*Mar  1 03:07:23.223: ISAKMP (0:5): Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Mar  1 03:07:23.223: ISAKMP (0:5): Old State = IKE_READY  New State = IKE_I_MM1

*Mar  1 03:07:23.227: ISAKMP (0:5): beginning Main Mode exchange
*Mar  1 03:07:23.227: ISAKMP (0:5): sending packet to 16.16.16.1 my_port 500 peer_port 500 (I) MM_NO_STATE
0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 40592078
Let's start with the ASA:

You have this crypto ACL:

   access-list LIST extended permit ip 19.19.19.0 255.255.255.0 192.168.10.0 255.255.255.0
   access-list LIST extended permit ip 192.168.10.0 255.255.255.0 19.19.19.0 255.255.255.0

There should be one entry from your inside subnet to their inside subnet.  You have it going both ways and that's wrong.

Also, I don't see where either 192.168.10.2/24 or 19.19.19.0/24 exist on the ASA.
0
 
LVL 1

Author Comment

by:Shark Attack
ID: 40592080
And on the ASA debug:

Nov 30 00:48:51 [IKEv1 DEBUG]: IP = 16.16.16.2, IKE SA MM:d6df9aa9 terminating:  flags 0x01000022, refcnt 0, tuncnt 0
Nov 30 00:48:51 [IKEv1 DEBUG]: IP = 16.16.16.2, sending delete/delete with reason message
Nov 30 00:48:51 [IKEv1]: IP = 16.16.16.2, Removing peer from peer table failed, no match!
Nov 30 00:48:51 [IKEv1]: IP = 16.16.16.2, Error: Unable to remove PeerTblEntry
0
 
LVL 1

Author Comment

by:Shark Attack
ID: 40592093
OK, here is my ASA crypto ACL:
access-list LIST line 1 extended permit ip 19.19.19.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list LIST line 2 extended permit icmp any any

Here is the router's:
Extended IP access list LIST
    10 permit ip 192.168.10.0 0.0.0.255 19.19.19.0 0.0.0.255
    30 permit icmp any any (11 matches)

The 19.19.19.0 network is on the router's end and the 192.168.10.0 network is on the ASA's side.
R4 has interface 192.168.10.1 going to 192.168.10.10 (host).
0
 
LVL 1

Author Comment

by:Shark Attack
ID: 40592103
This is how I have this configured.
192.168.10.10 > 192.168.10.1 > 9.9.9.2 >9.9.9.1 >16.16.16.1 || 16.16.16.2 < 5.5.5.1 <5.5.5.2 < 19.19.19.1 <19.19.19.19
0
 
LVL 1

Author Comment

by:Shark Attack
ID: 40592105
Also, my ISAKMP phase 1 on the router comes up momentarily, but not on the ASA.

Router1#show crypto isakmp sa
dst             src             state          conn-id slot
16.16.16.1      16.16.16.2      MM_NO_STATE          1    0 (deleted)
0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 40592124
The problem that I'm having with all of this is that none of your subnets for the inside interfaces and the subnets in the crypto ACL match.

If your inside interface on the ASA is 9.9.9.0/24, then *that* subnet needs to be permitted in the ACL to the inside subnet at the other end of the tunnel.
0
 
LVL 1

Author Comment

by:Shark Attack
ID: 40592171
9.9.9.0 is the inside.  So it should be more like this?
 
ASA
access-list LIST line 1 extended permit icmp any any (hitcnt=0) 0x76474e5f
access-list LIST line 2 extended permit ip 19.19.19.0 255.255.255.0 192.168.10.0 255.255.255.0

ROUTER
Extended IP access list LIST
    30 permit icmp any any (38 matches)
    40 permit ip 9.9.9.0 0.0.0.255 19.19.19.0 0.0.0.255
0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 40592179
And where do the 19.19.19.0/24 and 192.168.10.0/24 subnets come into play?
0
 
LVL 1

Author Comment

by:Shark Attack
ID: 40592459
I added these, am I still missing something?

ASA
access-list LIST line 1 extended permit ip 19.19.19.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list LIST line 3 extended permit ip 5.5.5.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list LIST line 2 extended permit icmp any any

Router
Extended IP access list LIST
    10 permit ip 192.168.10.0 0.0.0.255 19.19.19.0 0.0.0.255
    30 permit icmp any any
    40 permit ip 9.9.9.0 0.0.0.255 19.19.19.0 0.0.0.255
0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 40592522
On the ASA, I see two subnets:  
   16.16.16.0/24
   9.9.9.0/24

The first cannot be a part of the encryption domain since it's also the peer IP.

I don't see 5.5.5.0/24 or 19.19.19.0/24 configured anywhere on the ASA.

On the router, I see two subnets:
   16.16.16.0/24
   5.5.5.0/24

The first cannot be a part of the encryption domain since it's also the peer IP.

I don't see 192.168.10.0/24 or 9.9.9.0/24 configured anywhere on the router.

I would expect the ASA to look like this:
  access-list ASA extended permit icmp 9.9.9.0 255.255.255.0 5.5.5.0 255.255.255.0
  access-list ASA extended permit ip 9.9.9.0 255.255.255.0 5.5.5.0 255.255.255.0

I would expect the ROUTER to look like this:
  ip access-list extended ROUTER
   10 permit icmp 5.5.5.0 0.0.0.255 9.9.9.0 0.0.0.255
   20 permit ip 5.5.5.0 0.0.0.255 9.9.9.0 0.0.0.255

You keep referring to subnets in your configurations that I do not see.
0
 
LVL 1

Author Comment

by:Shark Attack
ID: 40594619
2015-02-06-14-58-23.jpg
I only showed you the configs of the ASA and the router that have the tunnel on them. Did you look at the network map I attached? I also inserted the above image of it. There are two networks on the inside of the ASA: one network connects the ASA to a router, and then there is another network connecting that router to another network. F0/1 on R4 is 192.168.10.1; R2 on the other end is 18.18.18.1 going to 18.18.18.2.
0
 
LVL 28

Accepted Solution

by:Jan Springer (earned 500 total points)
ID: 40594648
No, I did not, my apologies.

I would expect the ASA to look like this:
  access-list ASA extended permit icmp 192.168.10.0 255.255.255.0 5.5.5.0 255.255.255.0
  access-list ASA extended permit ip 192.168.10.0 255.255.255.0 5.5.5.0 255.255.255.0
  access-list ASA extended permit icmp 192.168.10.0 255.255.255.0 19.19.19.0 255.255.255.0
  access-list ASA extended permit ip 192.168.10.0 255.255.255.0 19.19.19.0 255.255.255.0

  access-list ASA extended permit icmp 9.9.9.0 255.255.255.0 5.5.5.0 255.255.255.0
  access-list ASA extended permit ip 9.9.9.0 255.255.255.0 5.5.5.0 255.255.255.0
  access-list ASA extended permit icmp 9.9.9.0 255.255.255.0 19.19.19.0 255.255.255.0
  access-list ASA extended permit ip 9.9.9.0 255.255.255.0 19.19.19.0 255.255.255.0

I would expect the ROUTER to look like this:
  ip access-list extended ROUTER
   10 permit icmp 5.5.5.0 0.0.0.255 9.9.9.0 0.0.0.255
   15 permit ip 5.5.5.0 0.0.0.255 9.9.9.0 0.0.0.255
   20 permit icmp 5.5.5.0 0.0.0.255 192.168.10.0 0.0.0.255
   25 permit ip 5.5.5.0 0.0.0.255 192.168.10.0 0.0.0.255
   30 permit icmp 19.19.19.0 0.0.0.255 9.9.9.0 0.0.0.255
   35 permit ip 19.19.19.0 0.0.0.255 9.9.9.0 0.0.0.255
   40 permit icmp 19.19.19.0 0.0.0.255 192.168.10.0 0.0.0.255
   45 permit ip 19.19.19.0 0.0.0.255 192.168.10.0 0.0.0.255
0
 
LVL 1

Author Comment

by:Shark Attack
ID: 40594750
Thanks. Unfortunately, I still can't get the tunnel up, though.

Here is what I get on the router's ISAKMP SA table and debug:

R1#show crypto isakmp sa
dst             src             state          conn-id slot
16.16.16.2      9.9.9.1         MM_NO_STATE          3    0
16.16.16.2      9.9.9.1         MM_NO_STATE          2    0 (deleted)

*Mar  1 01:17:31.271: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE...
*Mar  1 01:17:31.271: ISAKMP (0:1): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
*Mar  1 01:17:31.275: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE
*Mar  1 01:17:31.275: ISAKMP (0:1): sending packet to 16.16.16.1 my_port 500 peer_port 500 (I) MM_NO_STATE
R1#
*Mar  1 01:17:41.219: ISAKMP: received ke message (3/1)
*Mar  1 01:17:41.219: ISAKMP (0:1): peer does not do paranoid keepalives.

*Mar  1 01:17:41.223: ISAKMP (0:1): deleting SA reason "gen_ipsec_isakmp_delete but doi isakmp" state (I) MM_NO_STATE (peer 16.16.16.1) input queue 0
*Mar  1 01:17:41.227: ISAKMP (0:1): deleting SA reason "gen_ipsec_isakmp_delete but doi isakmp" state (I) MM_NO_STATE (peer 16.16.16.1) input queue 0
*Mar  1 01:17:41.231: ISAKMP (0:1): deleting node -1746173240 error TRUE reason "gen_ipsec_isakmp_delete but doi isakmp"
*Mar  1 01:17:41.231: ISAKMP (0:1): deleting node 112806183 error TRUE reason "gen_ipsec_isakmp_delete but doi isakmp"
R1#
*Mar  1 01:17:41.235: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Mar  1 01:17:41.235: ISAKMP (0:1): Old State = IKE_I_MM1  New State = IKE_DEST_SA

ASA DEBUG
Nov 30 00:02:53 [IKEv1 DEBUG]: IP = 16.16.16.2, IKE MM Initiator FSM error history (struct &0xd89d4c50)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
Nov 30 00:02:53 [IKEv1 DEBUG]: IP = 16.16.16.2, IKE SA MM:81ed1904 terminating:  flags 0x01000022, refcnt 0, tuncnt 0
Nov 30 00:02:53 [IKEv1 DEBUG]: IP = 16.16.16.2, sending delete/delete with reason message
Nov 30 00:02:53 [IKEv1]: IP = 16.16.16.2, Removing peer from peer table failed, no match!
Nov 30 00:02:53 [IKEv1]: IP = 16.16.16.2, Error: Unable to remove PeerTblEntry

We can work on this on Monday; I have to leave the office. I am not sure what else it could be.
0
 
LVL 1

Author Comment

by:Shark Attack
ID: 40594755
The source in the output of show crypto isa sa is 9.9.9.1; is that even right?
0
 
LVL 1

Author Comment

by:Shark Attack
ID: 40599608
Resolved.

Forgot the "crypto isakmp enable OUTSIDE"
0
 
LVL 1

Author Comment

by:Shark Attack
ID: 40600755
I've requested that this question be closed as follows:

Accepted answer: 0 points for Zack Gil's comment #a40599608

for the following reason:

resolved.

Forgot the "crypto isakmp enable OUTSIDE"
0
 
LVL 1

Author Comment

by:Shark Attack
ID: 40600754
Also, the only ACL statements I needed were these:

ASA
ciscoasa(config)# show access-l LIST
access-list LIST; 2 elements
access-list LIST line 1 extended permit icmp 192.168.10.0 255.255.255.0 19.19.19.0 255.255.255.0 (hitcnt=2)
access-list LIST line 2 extended permit ip 192.168.10.0 255.255.255.0 19.19.19.0 255.255.255.0

Router

R1(config)#do show access-l LIST
Extended IP access list LIST
    70 permit icmp 19.19.19.0 0.0.0.255 192.168.10.0 0.0.0.255 (64 matches)
    80 permit ip 19.19.19.0 0.0.0.255 192.168.10.0 0.0.0.255
0
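As an added example (not the thread's own code), a small Python checker that applies the rules from the accepted solution to the final ACLs above: it parses ASA (subnet-mask) and IOS (wildcard-mask) crypto ACLs, checks that each side's entries run from its own inside subnets to the other side's, that no entry covers an IKE peer address, and that the two ACLs are mirror images. The inside subnets and peer addresses are taken from the thread's network map; the ACL text is the resolved pair posted above, embedded as constructed input.

```python
import ipaddress
import re
# Constructed input: the working crypto ACLs from the last post, plus the thread's inside subnets and IKE peers.
ASA_GOOD = """access-list LIST line 1 extended permit icmp 192.168.10.0 255.255.255.0 19.19.19.0 255.255.255.0 (hitcnt=2)
access-list LIST line 2 extended permit ip 192.168.10.0 255.255.255.0 19.19.19.0 255.255.255.0"""
IOS_GOOD = """    70 permit icmp 19.19.19.0 0.0.0.255 192.168.10.0 0.0.0.255 (64 matches)
    80 permit ip 19.19.19.0 0.0.0.255 192.168.10.0 0.0.0.255"""
ASA_INSIDE, IOS_INSIDE = ["192.168.10.0/24", "9.9.9.0/24"], ["19.19.19.0/24", "5.5.5.0/24"]
PEERS = ["16.16.16.1", "16.16.16.2"]

def _endpoint(tokens, wildcard):
    # Pop one endpoint: "any" or "addr mask". IOS masks are inverse (wildcard) masks.
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    mask = tokens.pop(0)
    if wildcard:  # 0.0.0.255 -> 255.255.255.0
        mask = str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF))
    return ipaddress.ip_network(f"{tok}/{mask}", strict=False)

def parse_acl(text, wildcard):
    """Return a set of (proto, src, dst) from 'show access-list' output; hit counters are ignored."""
    entries = set()
    for line in text.splitlines():
        m = re.search(r"\bpermit\s+(.*)", line)
        if m:
            tokens = m.group(1).split()
            proto = tokens.pop(0)
            entries.add((proto, _endpoint(tokens, wildcard), _endpoint(tokens, wildcard)))
    return entries

def audit(asa_text, asa_inside, ios_text, ios_inside, peers):
    """List crypto-ACL problems of the kinds raised in the thread; empty means the ACLs mirror cleanly."""
    sides = {"ASA": (parse_acl(asa_text, False), [ipaddress.ip_network(n) for n in asa_inside]),
             "router": (parse_acl(ios_text, True), [ipaddress.ip_network(n) for n in ios_inside])}
    peer_addrs = [ipaddress.ip_address(p) for p in peers]
    problems = []
    for side, other in (("ASA", "router"), ("router", "ASA")):
        (entries, local), (other_entries, remote) = sides[side], sides[other]
        for proto, src, dst in sorted(entries, key=str):
            if not any(src.subnet_of(n) for n in local):
                problems.append(f"{side}: source {src} is not a local inside subnet; the crypto ACL must read local -> remote")
            if not any(dst.subnet_of(n) for n in remote):
                problems.append(f"{side}: destination {dst} is not an inside subnet of the {other}")
            if any(p in src or p in dst for p in peer_addrs):
                problems.append(f"{side}: {proto} {src} -> {dst} covers an IKE peer address, which cannot be in the encryption domain")
            if (proto, dst, src) not in other_entries:
                problems.append(f"{side}: {proto} {src} -> {dst} has no mirror-image entry on the {other}")
    return problems
```

Running audit() on the earlier "permit ip 19.19.19.0 ... 192.168.10.0" plus "permit icmp any any" pair from the thread reports the reversed source subnet and the any/any entries covering the peer addresses, which is exactly what the expert objected to.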
