Config looks fine. Can you post R4's config? Have you configured multicast routing and rp-address on it too?
With regards
Kings

On Sat, Jan 1, 2011 at 5:46 PM, manish ludhani <[email protected]> wrote:

> Please find below the related config.
>
> Apologies for raising it again; however, I've tried everything suggested in
> previous posts.
>
> Thanks, regards
>
>
> R5
> |
> (e0/0)
> |
> |
> (l1 1.1.1.1)R1(fa0/0 10.10.10.1)--------(e0/0 .2)R2(e0/1 .2)-------(e1)Pix(e0)----R4(e0/1)---(F0/0)R3(l1 2.2.2.2)
>
>
> *R1*
>
> R1#sh run | sec crypto
> crypto isakmp policy 10
>  encr 3des
>  hash md5
>  authentication pre-share
>  group 2
> crypto isakmp key cisco address 0.0.0.0 0.0.0.0
> crypto ipsec transform-set TSET esp-3des esp-md5-hmac
> crypto ipsec profile IPSEC_PRO
>  set transform-set TSET
> crypto gdoi group GET_GRP
>  identity number 1234
>  server local
>   rekey address ipv4 MULTI_GRP
>   rekey retransmit 10 number 2
>   rekey authentication mypubkey rsa GETKEY
>   sa ipsec 1
>    profile IPSEC_PRO
>    match address ipv4 GET_TRAFFIC
>    replay counter window-size 64
> ip multicast-routing
> ip pim rp-address 1.1.1.1
>
> interface Loopback1
>  ip address 1.1.1.1 255.255.255.0
>  ip pim sparse-mode
> !
> interface FastEthernet0/0
>  ip address 10.10.10.1 255.255.255.0
>  ip pim sparse-mode
>
>
> R1#sh crypto gdoi ks members
>
> Group Member Information :
>
> Number of rekeys sent for group GET_GRP : 8
>
> Group Member ID : 2.2.2.2
> Group ID : 1234
> Group Name : GET_GRP
> Key Server ID : 0.0.0.0
>
> Group Member ID : 5.5.5.5
> Group ID : 1234
> Group Name : GET_GRP
> Key Server ID : 0.0.0.0
>
>
> R1#sh crypto gdoi ks rekey
> Group GET_GRP (Multicast)
> Number of Rekeys sent : 8
> Number of Rekeys retransmitted : 4
> KEK rekey lifetime (sec) : 86400
> Remaining lifetime (sec) : 86325
> Retransmit period : 10
> Number of retransmissions : 2
> IPSec SA 1 lifetime (sec) : 3600
> Remaining lifetime (sec) : 3526
> Number of registrations after rekey : 0
> Multicast destination address : 239.0.0.5
>
>
> R1#sh run | sec ip access
> ip access-list extended GET_TRAFFIC
>  permit ip host 2.2.2.2 host 3.3.3.3
>  permit ip host 2.2.2.2 host 5.5.5.5
>  permit ip host 2.2.2.2 host 6.6.6.6
> ip access-list extended MULTI_GRP
>  permit udp host 1.1.1.1 eq 848 host 239.0.0.5 eq 848
> R1#
>
>
> *pix*
>
> !
> interface Ethernet0
>  nameif outside
>  security-level 0
>  ip address 30.30.30.1 255.255.255.0
>  igmp access-group MULTI
> !
> interface Ethernet1
>  nameif inside
>  security-level 100
>  ip address 20.20.20.1 255.255.255.0
>  igmp access-group MULTI
> !
>
> access-list MULTI standard permit host 239.0.0.5
> access-list OUTSIDE_IN extended permit ip any any log debugging
> access-list OUTSIDE_IN extended permit pim any any
>
> access-group OUTSIDE_IN in interface outside
> access-group OUTSIDE_IN in interface inside
>
> pix1# sh run multicast-routing
> multicast-routing
>
> pix1# sh run pim
> pim rp-address 1.1.1.1
>
> pix1# sh pim neighbor
>
> Neighbor Address  Interface  Uptime    Expires   DR pri  Bidir
> 30.30.30.2        outside    00:36:04  00:01:28  1 (DR)
> 20.20.20.2        inside     00:36:04  00:01:28  1 (DR)
>
>
> *R3*
>
> R3#sh run | sec crypto
> crypto isakmp policy 10
>  encr 3des
>  hash md5
>  authentication pre-share
>  group 2
> crypto isakmp key cisco address 0.0.0.0 0.0.0.0
> crypto gdoi group GET_GRP
>  identity number 1234
>  server address ipv4 1.1.1.1
> crypto map GET_MAP local-address Loopback1
> crypto map GET_MAP 10 gdoi
>  set group GET_GRP
>  crypto map GET_MAP
>
> !
> ip multicast-routing
> !
> interface Loopback1
>  ip address 2.2.2.2 255.255.255.0
>  ip pim sparse-mode
>  ip igmp join-group 239.0.0.5
> !
> interface FastEthernet0/0
>  ip address 40.40.40.1 255.255.255.0
>  ip pim sparse-mode
>  duplex auto
>  speed auto
>  crypto map GET_MAP
>
> ip pim rp-address 1.1.1.1
>
> R3#sh crypto gdoi
> GROUP INFORMATION
>
> Group Name : GET_GRP
> Group Identity : 1234
> Rekeys received : 0
> IPSec SA Direction : Both
> Active Group Server : 1.1.1.1
> Group Server list : 1.1.1.1
>
> GM Reregisters in : 1486 secs
> Rekey Received : never
>
> Rekeys received
> Cumulative : 0
> After registration : 0
>
> ACL Downloaded From KS 1.1.1.1:
> access-list permit ip host 2.2.2.2 host 3.3.3.3
>
> KEK POLICY:
> Rekey Transport Type : Multicast
> Lifetime (secs) : 86126
> Encrypt Algorithm : 3DES
> Key Size : 192
> Sig Hash Algorithm : HMAC_AUTH_SHA
> Sig Key Length (bits) : 1024
>
> TEK POLICY for the current KS-Policy ACEs Downloaded:
> FastEthernet0/0:
> IPsec SA:
> spi: 0x8213D0D6(2182336726)
> transform: esp-3des esp-md5-hmac
> sa timing:remaining key lifetime (sec): (1637)
> Anti-Replay(Time Based) : 64 sec interval
>
>
> *R5*
>
> R5#sh run | sec crypto
> crypto isakmp policy 10
>  encr 3des
>  hash md5
>  authentication pre-share
>  group 2
> crypto isakmp key cisco address 0.0.0.0 0.0.0.0
> crypto gdoi group GET_GRP
>  identity number 1234
>  server address ipv4 1.1.1.1
> crypto map GET_MAP local-address Loopback1
> crypto map GET_MAP 10 gdoi
>  set group GET_GRP
>  crypto map GET_MAP
>
> interface Loopback1
>  ip address 5.5.5.5 255.255.255.0
>  ip pim sparse-mode
> !
> interface FastEthernet0/0
>  ip address 50.50.50.1 255.255.255.0
>  ip pim sparse-mode
>  duplex auto
>  speed auto
>  crypto map GET_MAP
>
> ip pim rp-address 1.1.1.1
> ip multicast-routing
>
>
> R5#sh crypto gdoi
> GROUP INFORMATION
>
> Group Name : GET_GRP
> Group Identity : 1234
> Rekeys received : 2
> IPSec SA Direction : Both
> Active Group Server : 1.1.1.1
> Group Server list : 1.1.1.1
>
> GM Reregisters in : 1775 secs
> Rekey Received(hh:mm:ss) : 00:27:41
>
> Rekeys received
> Cumulative : 2
> After registration : 2
>
> ACL Downloaded From KS 1.1.1.1:
> access-list permit ip host 2.2.2.2 host 3.3.3.3
> access-list permit ip host 2.2.2.2 host 5.5.5.5
> access-list permit ip host 2.2.2.2 host 6.6.6.6
>
> KEK POLICY:
> Rekey Transport Type : Multicast
> Lifetime (secs) : 86399
> Encrypt Algorithm : 3DES
> Key Size : 192
> Sig Hash Algorithm : HMAC_AUTH_SHA
> Sig Key Length (bits) : 1024
>
>
> On Sat, Jan 1, 2011 at 2:10 PM, Kingsley Charles <[email protected]> wrote:
>
>> Can you post the configs of KS, ASA and GM on outside.
>>
>> With regards
>> Kings
>>
>> On Sat, Jan 1, 2011 at 2:52 AM, manish ludhani <[email protected]> wrote:
>>
>>> Hi all,
>>>
>>> I am stuck at GETVPN multicast rekey through ASA; it seems a common catch. I
>>> have looked at all the previous posts but still am not able to make it work.
>>>
>>> I am using ASA in routed mode and the KS is inside the firewall. I receive
>>> the rekeys on the GMs which are inside the firewall but not on the outside
>>> GMs.
>>> I have enabled the routing on ASA inside/outside interfaces and defined the RP.
>>> I tried to enable mpacket debug and noticed I was not receiving any
>>> multicast traffic.
>>> Packet tracer from inside source KS to multicast address fails (Early
>>> security checks failed).
>>>
>>> I will be grateful if anyone can give me any clue.
>>>
>>>
>>> Regards
>>> Manish
>>>
>>> _______________________________________________
>>> For more information regarding industry leading CCIE Lab training, please
>>> visit www.ipexpert.com
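A small triage script for the symptom discussed in this thread (some GMs report "Rekey Received : never" while the KS counts rekeys sent), added here as an example; it is not code from the thread, from IPexpert or from Cisco. It parses `show crypto gdoi ks rekey` output from the KS, `show crypto gdoi` output from each GM and the ASA's multicast-related config, then reports GMs that have received no rekey even though the KS has sent some, and ASA interfaces whose `igmp access-group` ACL does not permit the KS's rekey multicast group. The sample texts are constructed from the values quoted above (not verbatim captures), and the heuristics are the author's assumptions about what a first pass at this problem should check.

```python
import re

# Constructed samples: values taken from the configs quoted in the thread,
# trimmed to the lines this script reads. Not verbatim device output.
KS_REKEY = """\
Group GET_GRP (Multicast)
Number of Rekeys sent : 8
Number of Rekeys retransmitted : 4
KEK rekey lifetime (sec) : 86400
Multicast destination address : 239.0.0.5
"""

GM_STATUS = {
    "R3": """\
Group Name : GET_GRP
Group Identity : 1234
Rekeys received : 0
Active Group Server : 1.1.1.1
Rekey Received : never
Rekey Transport Type : Multicast
""",
    "R5": """\
Group Name : GET_GRP
Group Identity : 1234
Rekeys received : 2
Active Group Server : 1.1.1.1
Rekey Received(hh:mm:ss) : 00:27:41
Rekey Transport Type : Multicast
""",
}

ASA_CONFIG = """\
interface Ethernet0
 nameif outside
 igmp access-group MULTI
interface Ethernet1
 nameif inside
 igmp access-group MULTI
access-list MULTI standard permit host 239.0.0.5
multicast-routing
pim rp-address 1.1.1.1
"""


def _field(text, label, default=None):
    # "Label : value" lines; the separator is " : " so labels such as
    # "Rekey Received(hh:mm:ss)" with embedded colons still parse.
    m = re.search(r"^" + re.escape(label) + r"[^\n]*?\s:\s+(.+?)\s*$", text, re.M)
    return m.group(1) if m else default


def parse_ks_rekey(text):
    """Group name, transport, counters and rekey group from 'sh crypto gdoi ks rekey'."""
    m = re.search(r"^Group (\S+) \((\w+)\)", text, re.M)
    return {
        "group": m.group(1) if m else None,
        "transport": m.group(2) if m else None,
        "rekeys_sent": int(_field(text, "Number of Rekeys sent", "0")),
        "retransmitted": int(_field(text, "Number of Rekeys retransmitted", "0")),
        "mcast": _field(text, "Multicast destination address"),
    }


def parse_gm_status(text):
    """Rekey state of one GM from 'sh crypto gdoi'."""
    return {
        "group": _field(text, "Group Name"),
        "rekeys_received": int(_field(text, "Rekeys received", "0")),
        "ks": _field(text, "Active Group Server"),
        "last_rekey": _field(text, "Rekey Received", "never"),
        "transport": _field(text, "Rekey Transport Type"),
    }


def parse_asa(cfg):
    """multicast-routing, RP, per-interface IGMP ACL and standard ACL contents."""
    out = {"multicast_routing": False, "rp": None, "igmp_acl": {}, "std_acl": {}}
    iface = None
    for raw in cfg.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            iface = line.split()[1]
        elif line.startswith("nameif ") and iface:
            iface = line.split()[1]          # report by nameif, as 'sh pim neighbor' does
        elif line.startswith("igmp access-group ") and iface:
            out["igmp_acl"][iface] = line.split()[2]
        elif line == "multicast-routing":
            out["multicast_routing"] = True
        elif line.startswith("pim rp-address "):
            out["rp"] = line.split()[2]
        else:
            m = re.match(r"access-list (\S+) standard permit host (\S+)", line)
            if m:
                out["std_acl"].setdefault(m.group(1), set()).add(m.group(2))
    return out


def audit(ks_text, gm_texts, asa_cfg):
    """Return a list of findings; an empty list means nothing obvious is wrong."""
    ks, asa, findings = parse_ks_rekey(ks_text), parse_asa(asa_cfg), []
    for name, text in gm_texts.items():
        gm = parse_gm_status(text)
        if gm["group"] != ks["group"]:
            findings.append(f"{name}: in group {gm['group']}, KS rekeys group {ks['group']}")
        elif gm["rekeys_received"] == 0 and ks["rekeys_sent"] > 0:
            findings.append(f"{name}: 0 rekeys received (last: {gm['last_rekey']}) while KS "
                            f"sent {ks['rekeys_sent']} to {ks['mcast']}; check the "
                            f"{ks['transport']} path from {gm['ks']} to this GM")
    if not asa["multicast_routing"]:
        findings.append("ASA: multicast-routing is not enabled")
    if asa["rp"] is None:
        findings.append("ASA: no pim rp-address configured")
    for ifname, acl in asa["igmp_acl"].items():
        if ks["mcast"] not in asa["std_acl"].get(acl, set()):
            findings.append(f"ASA {ifname}: igmp access-group {acl} does not permit {ks['mcast']}")
    return findings


if __name__ == "__main__":
    for f in audit(KS_REKEY, GM_STATUS, ASA_CONFIG) or ["no findings"]:
        print(f)
```

On the thread's values the only finding is for R3 (the GM behind the firewall), which matches what the poster sees; the ASA checks pass because `MULTI` permits 239.0.0.5 on both interfaces. The same `audit()` call can be pointed at real captures, one GM text per device, to narrow the problem to the devices that never see the rekey rather than to the GETVPN policy itself.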
