SSH is not working. I am seeing the following message in the output.
 
R1#ssh -l ipexpert 10.5.5.55
 
*Dec 30 01:06:41.675: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 10.5.5.55
R1#
R1#

R1#ssh -l ipexpert 192.1.49.55
 
R1#
 
First of all, why is R1 not pinging ASA1? Secondly, if R1 is able to
ping ASA2, then why did the SSH connection not establish (as seen in the
above output)?
 
Attaching sh crypto output and pings from R1, suggesting that the peer
relationship with both ASAs is established but the tunnel is still not
formed.
 
Appreciate any help.
-Anshul


________________________________

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joshua Walton
Sent: Saturday, December 29, 2007 10:21 AM
To: [email protected]
Subject: Re: [OSL | CCIE_Security] CCIE_Security Digest, Vol 18, Issue 13


verify by SSH'ing to ASA1 and ASA2 from R1
 
R1# ssh -l ipexpert 192.1.49.55 
 
 
R1# ssh -l ipexpert 10.5.5.55



Best Regards,
 
- Joshua R. Walton
  Senior Network Engineer 
  CCNP, CCSP, CCVP, INFOSEC


> From: [EMAIL PROTECTED]
> Subject: CCIE_Security Digest, Vol 18, Issue 13
> To: [email protected]
> Date: Sat, 29 Dec 2007 12:00:03 -0500
> 
> 
> Today's Topics:
> 
> 1. Section 15 Task 7.6 (a): Management VPN (Anshul Arora (akarora))
> 
> 
> ----------------------------------------------------------------------
> 
> Message: 1
> Date: Fri, 28 Dec 2007 20:22:21 -0800
> From: "Anshul Arora (akarora)" <[EMAIL PROTECTED]>
> Subject: [OSL | CCIE_Security] Section 15 Task 7.6 (a): Management VPN
> To: <[email protected]>
> Message-ID:
> <[EMAIL PROTECTED]>
> Content-Type: text/plain; charset="us-ascii"
> 
> Hi All,
> 
> I have R1 and ASA1 configured for secured communication through an IPsec
> tunnel. The basic problem is that ASA1 can't ping R1's public IP
> 192.1.12.15 and vice versa, although R4 can ping R1.
> Where do I enable ping from ASA1 to R1 so as to bring up the tunnel?
> 
> The same setup is working for R1 and ASA2 tunnel communication (Task b),
> verifying that the configuration on R1 and ASA is configured correctly.
> 
> Attaching R1, R4 and ASA2 configs.
> 
> Appreciate any input.
> -Anshul
> 
> 
> End of CCIE_Security Digest, Vol 18, Issue 13
> *********************************************

R1#sh crypto ipsec sa

interface: FastEthernet0
    Crypto map tag: MYMAP, local addr 10.2.2.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.1.49.55/255.255.255.255/0/0)
   current_peer 192.1.49.55 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 4, #recv errors 0

     local crypto endpt.: 10.2.2.1, remote crypto endpt.: 192.1.49.55
     path mtu 1500, ip mtu 1500
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:
          
     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.5.5.55/255.255.255.255/0/0)
   current_peer 10.5.5.55 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 4, #recv errors 0

     local crypto endpt.: 10.2.2.1, remote crypto endpt.: 10.5.5.55
     path mtu 1500, ip mtu 1500
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:
R1#sh crypto isak    

R1#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status

IPv6 Crypto ISAKMP SA

R1#

R1#ping 10.5.5.55             

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.5.5.55, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/7/8 ms

R1#ping 192.1.24.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.1.24.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms

R1#ping 192.1.49.55

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.1.49.55, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
ASA2# sh run
: Saved
:
ASA Version 7.2(2) 
!
firewall transparent
hostname ASA2
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
!
interface Ethernet0/1
 nameif inside
 security-level 100
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list allow extended permit eigrp any any 
access-list allow extended permit icmp any any echo 
access-list allow extended permit icmp any any echo-reply 
access-list L2L extended permit ip host 10.5.5.55 10.1.1.0 255.255.255.0 
pager lines 24
mtu outside 1500
mtu inside 1500
ip address 10.5.5.55 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
access-group allow in interface outside
access-group allow out interface inside
route outside 0.0.0.0 0.0.0.0 10.5.5.5 1
username ipexpert password yZj422lmSITORjHo encrypted
aaa authentication ssh console LOCAL 
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set MYTRANS esp-3des esp-sha-hmac 
crypto map MYMAP 10 match address L2L
crypto map MYMAP 10 set connection-type answer-only
crypto map MYMAP 10 set peer 10.2.2.1 
crypto map MYMAP 10 set transform-set MYTRANS
crypto map MYMAP interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2      
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group 10.2.2.1 type ipsec-l2l
tunnel-group 10.2.2.1 ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh 10.1.1.0 255.255.255.0 outside
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
!
service-policy global_policy global
mac-address-table static inside 001a.a29e.6fd0
mac-address-table static outside 001a.e254.5130
: end
ASA2#  
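An added triage helper (not from the original thread) that parses the kind of `sh crypto ipsec sa` / `sh crypto isakmp sa` text pasted above and reports which IPsec phase never completed, and whether a given source address even falls inside the crypto ACL's local ident (for example R1's crypto-map local addr 10.2.2.1 versus the 10.1.1.0/24 local ident shown above). The sample text is a constructed excerpt of R1's output.

```python
import ipaddress
import re

# Constructed excerpt of R1's output from the thread: one peer, no SPI, empty ISAKMP table.
SAMPLE = """\
   local  ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   current_peer 10.5.5.55 port 500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 4, #recv errors 0
     current outbound spi: 0x0(0)
dst             src             state          conn-id slot status
"""

FIELDS = {"peer": r"current_peer (\S+)", "encaps": r"encaps: (\d+)", "decaps": r"decaps: (\d+)",
          "send_errors": r"send errors (\d+)", "spi": r"outbound spi: (0x[0-9a-fA-F]+)"}

def parse_ipsec_sa(text):
    """One dict per crypto-map entry, started by each 'local ident' line."""
    peers = []
    for line in text.splitlines():
        if m := re.search(r"local\s+ident.*\(([\d.]+)/([\d.]+)/", line):
            peers.append({"local_net": ipaddress.ip_network(f"{m[1]}/{m[2]}")})
        for key, pat in FIELDS.items():
            if peers and (m := re.search(pat, line)):
                peers[-1][key] = int(m[1]) if m[1].isdigit() else m[1]
    return peers

def isakmp_addresses(text):
    """dst/src addresses in the IPv4 ISAKMP SA table; empty means IKE never completed."""
    tail = re.split(r"dst\s+src\s+state[^\n]*\n", text, maxsplit=1)[1:]
    addrs = set()
    for row in (tail[0].splitlines() if tail else []):
        if not row.strip() or row.startswith("IPv6"):
            break                        # end of the IPv4 table
        addrs.update(row.split()[:2])
    return addrs

def triage(entry, isakmp):
    """Which phase the entry is stuck in, judged from the counters alone."""
    if entry["peer"] not in isakmp:
        return "phase1_missing"          # no ISAKMP SA with this peer at all
    if entry["spi"] == "0x0":
        return "phase2_missing"          # IKE up, but no IPsec SA negotiated
    if entry["encaps"] == 0:
        return "no_interesting_traffic"  # SAs up, nothing matched the crypto ACL
    return "passing_traffic" if entry["decaps"] else "one_way"

def source_in_crypto_acl(entry, src_ip):
    """Traffic sourced outside the local ident is routed in the clear, not tunnelled."""
    return ipaddress.ip_address(src_ip) in entry["local_net"]
```

Run it over the full pasted output and both R1 entries come back as `phase1_missing`, which is the ISAKMP table being empty rather than anything in the IPsec SA itself.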