Eric Greene asked:
Crypto debug message help (ASA to Multiple 1941 L2L)

I am trying to bring up my second of four tunnels. The first one was easy, but adding on from there is where things get gamey for me. After configuring the routers identically, and adding the appropriate peer list entries and tunnel groups to the ASA,

Here is all information pertinent to the L2Ls:
!!!!THE ENTRIES WHICH BRING ME SANITY!!!!
name 2.2.2.2 BLDG2EX
name 1.1.1.1 BLDG1EX

!!!!NETWORK OBJECTS!!!!
object-group network MYORGNET
 network-object 10.10.0.0 255.255.252.0
object-group network BLDG1NET
 network-object 192.168.253.0 255.255.255.0
object-group network BLDG2NET
 network-object 192.168.251.0 255.255.255.0

!!!!ACLs!!!! 
access-list 101 extended permit ip object-group MYORGNET object-group BLDG1NET
access-list 101 extended permit ip object-group MYORGNET object-group VPNNET
access-list 101 extended permit ip object-group MYORGNET object-group BLDG2NET
access-list split_tunnel standard permit 10.10.0.0 255.255.252.0
access-list split_tunnel standard permit 192.168.253.0 255.255.255.0
access-list L2LSITES extended permit ip object-group MYORGNET object-group BLDG1NET
access-list L2LSITES extended permit ip object-group MYORGNET object-group BLDG2NET

!!!!NAT!!!!
nat (inside) 0 access-list 101

!!!!CRYPTO!!!!
crypto ipsec transform-set MYORGSET esp-3des esp-md5-hmac
crypto ipsec transform-set L2LSET esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dynmap 65535 set transform-set MYORGSET
crypto dynamic-map dynmap 65535 set reverse-route
crypto map MYORGMAP 10 match address L2LSITES
crypto map MYORGMAP 10 set peer BLDG1EX BLDG2EX
crypto map MYORGMAP 10 set transform-set L2LSET
crypto map MYORGMAP 10 set reverse-route
crypto map MYORGMAP 65535 ipsec-isakmp dynamic dynmap
crypto map MYORGMAP interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 864000
crypto isakmp policy 20
 authentication pre-share
 encryption aes
 hash md5
 group 2
 lifetime 86400

!!!!POLICIES!!!!
group-policy L2LPOLICY internal
group-policy L2LPOLICY attributes
 dns-server value 10.10.3.241
 vpn-idle-timeout none
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split_tunnel
 default-domain value CORP.MYORG.TLD

!!!!TUNNELS!!!!
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 general-attributes
 default-group-policy L2LPOLICY
tunnel-group 2.2.2.2 ipsec-attributes
 pre-shared-key *****
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 general-attributes
 default-group-policy L2LPOLICY
tunnel-group 1.1.1.1 ipsec-attributes
 pre-shared-key *****

For BLDG1 I have a tunnel that's grinding away without a hitch. However, when it comes to BLDG2, I have no tunnel. The routers are configured the exact same way. The only things that have been changed are the router name, and the IPs. All ACLs are named the same. Basically, I took the config from the working site, and modified it for the second site. I have internet, I have access to local devices, but I have no tunnel.

I'm getting this message when I debug crypto isakmp 200 (keep in mind that 192.168.251.xxx is the tunnel I can't seem to bring up).
Oct 11 22:48:29 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Oct 11 22:48:29 [IKEv1]: Group = <FirstTunnel_IP>, IP = <FirstTunnel_IP>, IKE Initiator: New Phase 2, Intf inside, IKE Peer <FirstTunnel_IP>  local Proxy Address 10.10.0.0, remote Proxy Address 192.168.251.0,  Crypto map (L2LMAP)
Oct 11 22:48:29 [IKEv1 DEBUG]: Group = <FirstTunnel_IP>, IP = <FirstTunnel_IP>, Oakley begin quick mode
Oct 11 22:48:29 [IKEv1 DECODE]: Group = <FirstTunnel_IP>, IP = <FirstTunnel_IP>, IKE Initiator starting QM: msg id = 7cb81fc2
Oct 11 22:48:29 [IKEv1 DEBUG]: Group = <FirstTunnel_IP>, IP = <FirstTunnel_IP>, IKE got SPI from key engine: SPI = 0xd6c362c2
Oct 11 22:48:29 [IKEv1 DEBUG]: Group = <FirstTunnel_IP>, IP = <FirstTunnel_IP>, oakley constucting quick mode
Oct 11 22:48:29 [IKEv1 DEBUG]: Group = <FirstTunnel_IP>, IP = <FirstTunnel_IP>, constructing blank hash payload
Oct 11 22:48:29 [IKEv1 DEBUG]: Group = <FirstTunnel_IP>, IP = <FirstTunnel_IP>, constructing IPSec SA payload
Oct 11 22:48:29 [IKEv1 DEBUG]: Group = <FirstTunnel_IP>, IP = <FirstTunnel_IP>, constructing IPSec nonce payload
Oct 11 22:48:29 [IKEv1 DEBUG]: Group = <FirstTunnel_IP>, IP = <FirstTunnel_IP>, constructing proxy ID
Oct 11 22:48:29 [IKEv1 DEBUG]: Group = <FirstTunnel_IP>, IP = <FirstTunnel_IP>, Transmitting Proxy Id:
 >>>>>>LOOK HERE>>>>>> Local subnet:  10.10.0.0  mask 255.255.252.0 Protocol 0  Port 0
 >>>>>>LOOK HERE>>>>>> Remote subnet: 192.168.251.0  Mask 255.255.255.0 Protocol 0  Port 0
Oct 11 22:48:29 [IKEv1 DEBUG]: Group = <FirstTunnel_IP>, IP = <FirstTunnel_IP>, constructing qm hash payload
Oct 11 22:48:29 [IKEv1 DECODE]: Group = <FirstTunnel_IP>, IP = <FirstTunnel_IP>, IKE Initiator sending 1st QM pkt: msg id =7cb81fc2
Oct 11 22:48:29 [IKEv1]: IP = <FirstTunnel_IP>, IKE_DECODE SENDING Message (msgid=7cb81fc2) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 168
Oct 11 22:48:29 [IKEv1]: IP = <FirstTunnel_IP>, IKE_DECODE RECEIVED Message (msgid=9777578d) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 76
Oct 11 22:48:29 [IKEv1 DEBUG]: Group = <FirstTunnel_IP>, IP = <FirstTunnel_IP>, processing hash payload
Oct 11 22:48:29 [IKEv1 DEBUG]: Group = <FirstTunnel_IP>, IP = <FirstTunnel_IP>, processing notify payload
Oct 11 22:48:29 [IKEv1]: Group = <FirstTunnel_IP>, IP = <FirstTunnel_IP>, Received non-routine Notify message: No proposal chosen (14)
Oct 11 22:48:32 [IKEv1]: IP = <FirstTunnel_IP>, IKE_DECODE RECEIVED Message (msgid=ba9254a2) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80
Oct 11 22:48:32 [IKEv1 DEBUG]: Group = <FirstTunnel_IP>, IP = <FirstTunnel_IP>, processing hash payload
Oct 11 22:48:32 [IKEv1 DEBUG]: Group = <FirstTunnel_IP>, IP = <FirstTunnel_IP>, processing notify payload


Would someone please be willing to help out the poor dunce over here in the corner?
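Reading the posted debug alongside the posted config (an added note and example, not the accepted answer on this page, which is members-only): the ASA is the IKE initiator, it is talking to the BLDG1 peer (Group = <FirstTunnel_IP>), and the proxy IDs it transmits are 10.10.0.0/22 to 192.168.251.0/24, the BLDG2 network. The BLDG1 router has no crypto ACL for that pair, so it answers with Notify "No proposal chosen (14)". That is what a single crypto map entry with `set peer BLDG1EX BLDG2EX` and one shared ACL (L2LSITES) does on an ASA: a peer list in one entry is a primary/backup list for the same traffic, not one tunnel per peer, so every flow matching L2LSITES is offered to the first peer that responds, and BLDG2EX is never tried while BLDG1EX is up. The example below splits the entry into one crypto map entry per peer, each with its own crypto ACL. The ACL names BLDG1_TO_MYORG and BLDG2_TO_MYORG and sequence number 20 are my choices; everything else reuses the object groups, transform set and map name already in the post. Two things to check before applying it: the debug output names the crypto map L2LMAP while the pasted config names it MYORGMAP, so confirm with `show run crypto map` that the pasted config matches what is actually running; and 3DES, MD5 and DH group 2 in this config are weak by current standards (and policy 10 has a 10-day lifetime, 864000, where policy 20 has 86400), which does not cause this failure but is worth fixing on both ends once the tunnels are up.

```cisco
! Added example (not the page's accepted solution): one crypto map entry per
! L2L peer, each with its own interesting-traffic ACL. ACL names and sequence
! number 20 are assumptions; object groups, transform set and map name are
! taken from the posted config.

! One crypto ACL per site, so each entry carries only that site's proxy IDs
access-list BLDG1_TO_MYORG extended permit ip object-group MYORGNET object-group BLDG1NET
access-list BLDG2_TO_MYORG extended permit ip object-group MYORGNET object-group BLDG2NET

! Entry 10 becomes BLDG1 only: drop the shared ACL and the two-peer list
no crypto map MYORGMAP 10 match address L2LSITES
no crypto map MYORGMAP 10 set peer BLDG1EX BLDG2EX
crypto map MYORGMAP 10 match address BLDG1_TO_MYORG
crypto map MYORGMAP 10 set peer BLDG1EX
crypto map MYORGMAP 10 set transform-set L2LSET
crypto map MYORGMAP 10 set reverse-route

! Entry 20 is BLDG2 only
crypto map MYORGMAP 20 match address BLDG2_TO_MYORG
crypto map MYORGMAP 20 set peer BLDG2EX
crypto map MYORGMAP 20 set transform-set L2LSET
crypto map MYORGMAP 20 set reverse-route

! The dynamic entry for remote-access clients stays last, and the map stays
! bound to the outside interface (both unchanged from the post)
crypto map MYORGMAP 65535 ipsec-isakmp dynamic dynmap
crypto map MYORGMAP interface outside

! The 1941 at BLDG2 must mirror entry 20: its crypto ACL is the exact reverse
! (192.168.251.0/24 -> 10.10.0.0/22), its peer is the ASA's outside address,
! and its transform set must match L2LSET (esp-aes esp-md5-hmac).
!
! Verify after the change:
!   show run crypto map
!   show crypto isakmp sa
!   show crypto ipsec sa peer 2.2.2.2
!   debug crypto isakmp 127
```

With the entries split, the Phase 2 debug for 192.168.251.0/24 should show IKE Peer 2.2.2.2 (BLDG2EX) rather than <FirstTunnel_IP>, and `show crypto ipsec sa peer 2.2.2.2` should list the 10.10.0.0/22 to 192.168.251.0/24 pair with non-zero encaps/decaps counters once traffic flows. Adding the third and fourth sites is then one more ACL and one more crypto map entry each, never more peers in an existing entry.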
ASKER CERTIFIED SOLUTION
max_the_king

This solution is only available to members of Experts Exchange.
Eric Greene (asker):

Thank you, Max. This was the solution to my issue.