When you ping 239.0.0.5 from R1, are you getting replies from R3?
With regards
Kings

On Sat, Jan 1, 2011 at 8:43 PM, manish ludhani <[email protected]> wrote:

> Yep, R4 is configured with multicast routing and RP.
>
> The thing is I can ping from R3 to the multicast IP, but I just see R5
> replying, not R1, and I could see the mroute all the way up to 1.1.1.1,
> but still I don't get rekeys (not even cumulative while joining).
>
> On R5, without joining the IGMP group, I am getting rekeys.
>
> Regards
> Manish
>
> On Sat, Jan 1, 2011 at 7:06 PM, Kingsley Charles <[email protected]> wrote:
>
>> Config looks fine. Can you post R4's config? Have you configured
>> multicast routing and rp-address on it too?
>>
>> With regards
>> Kings
>>
>> On Sat, Jan 1, 2011 at 5:46 PM, manish ludhani <[email protected]> wrote:
>>
>>> Please find below the related config.
>>>
>>> Apologies for raising it again; however, I've tried everything suggested
>>> in previous posts.
>>>
>>> Thanks, regards
>>>
>>>
>>>                R5
>>>                |
>>>              (e0/0)
>>>                |
>>>                |
>>> (l1 1.1.1.1)R1(fa0/0 10.10.10.1)--------(e0/0 .2)R2(e0/1 .2)-------(e1)Pix(e0)----R4(e0/1)---(F0/0)R3(l1 2.2.2.2)
>>>
>>>
>>> *R1*
>>>
>>> R1#sh run | sec crypto
>>> crypto isakmp policy 10
>>>  encr 3des
>>>  hash md5
>>>  authentication pre-share
>>>  group 2
>>> crypto isakmp key cisco address 0.0.0.0 0.0.0.0
>>> crypto ipsec transform-set TSET esp-3des esp-md5-hmac
>>> crypto ipsec profile IPSEC_PRO
>>>  set transform-set TSET
>>> crypto gdoi group GET_GRP
>>>  identity number 1234
>>>  server local
>>>   rekey address ipv4 MULTI_GRP
>>>   rekey retransmit 10 number 2
>>>   rekey authentication mypubkey rsa GETKEY
>>>   sa ipsec 1
>>>    profile IPSEC_PRO
>>>    match address ipv4 GET_TRAFFIC
>>>    replay counter window-size 64
>>> ip multicast-routing
>>> ip pim rp-address 1.1.1.1
>>>
>>> interface Loopback1
>>>  ip address 1.1.1.1 255.255.255.0
>>>  ip pim sparse-mode
>>> !
>>> interface FastEthernet0/0
>>>  ip address 10.10.10.1 255.255.255.0
>>>  ip pim sparse-mode
>>>
>>>
>>> R1#sh crypto gdoi ks members
>>>
>>> Group Member Information :
>>>
>>> Number of rekeys sent for group GET_GRP : 8
>>>
>>> Group Member ID    : 2.2.2.2
>>> Group ID           : 1234
>>> Group Name         : GET_GRP
>>> Key Server ID      : 0.0.0.0
>>>
>>> Group Member ID    : 5.5.5.5
>>> Group ID           : 1234
>>> Group Name         : GET_GRP
>>> Key Server ID      : 0.0.0.0
>>>
>>>
>>> R1#sh crypto gdoi ks rekey
>>> Group GET_GRP (Multicast)
>>>     Number of Rekeys sent                : 8
>>>     Number of Rekeys retransmitted       : 4
>>>     KEK rekey lifetime (sec)             : 86400
>>>       Remaining lifetime (sec)           : 86325
>>>     Retransmit period                    : 10
>>>     Number of retransmissions            : 2
>>>     IPSec SA 1 lifetime (sec)            : 3600
>>>       Remaining lifetime (sec)           : 3526
>>>     Number of registrations after rekey  : 0
>>>     Multicast destination address        : 239.0.0.5
>>>
>>>
>>> R1#sh run | sec ip access
>>> ip access-list extended GET_TRAFFIC
>>>  permit ip host 2.2.2.2 host 3.3.3.3
>>>  permit ip host 2.2.2.2 host 5.5.5.5
>>>  permit ip host 2.2.2.2 host 6.6.6.6
>>> ip access-list extended MULTI_GRP
>>>  permit udp host 1.1.1.1 eq 848 host 239.0.0.5 eq 848
>>> R1#
>>>
>>>
>>> *pix*
>>>
>>> !
>>> interface Ethernet0
>>>  nameif outside
>>>  security-level 0
>>>  ip address 30.30.30.1 255.255.255.0
>>>  igmp access-group MULTI
>>> !
>>> interface Ethernet1
>>>  nameif inside
>>>  security-level 100
>>>  ip address 20.20.20.1 255.255.255.0
>>>  igmp access-group MULTI
>>> !
>>>
>>> access-list MULTI standard permit host 239.0.0.5
>>> access-list OUTSIDE_IN extended permit ip any any log debugging
>>> access-list OUTSIDE_IN extended permit pim any any
>>>
>>> access-group OUTSIDE_IN in interface outside
>>> access-group OUTSIDE_IN in interface inside
>>>
>>> pix1# sh run multicast-routing
>>> multicast-routing
>>>
>>> pix1# sh run pim
>>> pim rp-address 1.1.1.1
>>>
>>> pix1# sh pim neighbor
>>>
>>> Neighbor Address  Interface  Uptime    Expires   DR pri  Bidir
>>>
>>> 30.30.30.2        outside    00:36:04  00:01:28  1 (DR)
>>> 20.20.20.2        inside     00:36:04  00:01:28  1 (DR)
>>>
>>>
>>> *R3*
>>>
>>> R3#sh run | sec crypto
>>> crypto isakmp policy 10
>>>  encr 3des
>>>  hash md5
>>>  authentication pre-share
>>>  group 2
>>> crypto isakmp key cisco address 0.0.0.0 0.0.0.0
>>> crypto gdoi group GET_GRP
>>>  identity number 1234
>>>  server address ipv4 1.1.1.1
>>> crypto map GET_MAP local-address Loopback1
>>> crypto map GET_MAP 10 gdoi
>>>  set group GET_GRP
>>>  crypto map GET_MAP
>>>
>>> !
>>> ip multicast-routing
>>> !
>>> interface Loopback1
>>>  ip address 2.2.2.2 255.255.255.0
>>>  ip pim sparse-mode
>>>  ip igmp join-group 239.0.0.5
>>> !
>>> interface FastEthernet0/0
>>>  ip address 40.40.40.1 255.255.255.0
>>>  ip pim sparse-mode
>>>  duplex auto
>>>  speed auto
>>>  crypto map GET_MAP
>>>
>>> ip pim rp-address 1.1.1.1
>>>
>>> R3#sh crypto gdoi
>>> GROUP INFORMATION
>>>
>>>     Group Name               : GET_GRP
>>>     Group Identity           : 1234
>>>     Rekeys received          : 0
>>>     IPSec SA Direction       : Both
>>>     Active Group Server      : 1.1.1.1
>>>     Group Server list        : 1.1.1.1
>>>
>>>     GM Reregisters in        : 1486 secs
>>>     Rekey Received           : never
>>>
>>>     Rekeys received
>>>          Cumulative          : 0
>>>          After registration  : 0
>>>
>>> ACL Downloaded From KS 1.1.1.1:
>>>   access-list permit ip host 2.2.2.2 host 3.3.3.3
>>>
>>> KEK POLICY:
>>>     Rekey Transport Type     : Multicast
>>>     Lifetime (secs)          : 86126
>>>     Encrypt Algorithm        : 3DES
>>>     Key Size                 : 192
>>>     Sig Hash Algorithm       : HMAC_AUTH_SHA
>>>     Sig Key Length (bits)    : 1024
>>>
>>> TEK POLICY for the current KS-Policy ACEs Downloaded:
>>>   FastEthernet0/0:
>>>     IPsec SA:
>>>         spi: 0x8213D0D6(2182336726)
>>>         transform: esp-3des esp-md5-hmac
>>>         sa timing:remaining key lifetime (sec): (1637)
>>>         Anti-Replay(Time Based) : 64 sec interval
>>>
>>>
>>> *R5*
>>>
>>> R5#sh run | sec crypto
>>> crypto isakmp policy 10
>>>  encr 3des
>>>  hash md5
>>>  authentication pre-share
>>>  group 2
>>> crypto isakmp key cisco address 0.0.0.0 0.0.0.0
>>> crypto gdoi group GET_GRP
>>>  identity number 1234
>>>  server address ipv4 1.1.1.1
>>> crypto map GET_MAP local-address Loopback1
>>> crypto map GET_MAP 10 gdoi
>>>  set group GET_GRP
>>>  crypto map GET_MAP
>>>
>>> interface Loopback1
>>>  ip address 5.5.5.5 255.255.255.0
>>>  ip pim sparse-mode
>>> !
>>> interface FastEthernet0/0
>>>  ip address 50.50.50.1 255.255.255.0
>>>  ip pim sparse-mode
>>>  duplex auto
>>>  speed auto
>>>  crypto map GET_MAP
>>>
>>> ip pim rp-address 1.1.1.1
>>> ip multicast-routing
>>>
>>>
>>> R5#sh crypto gdoi
>>> GROUP INFORMATION
>>>
>>>     Group Name               : GET_GRP
>>>     Group Identity           : 1234
>>>     Rekeys received          : 2
>>>     IPSec SA Direction       : Both
>>>     Active Group Server      : 1.1.1.1
>>>     Group Server list        : 1.1.1.1
>>>
>>>     GM Reregisters in        : 1775 secs
>>>     Rekey Received(hh:mm:ss) : 00:27:41
>>>
>>>     Rekeys received
>>>          Cumulative          : 2
>>>          After registration  : 2
>>>
>>> ACL Downloaded From KS 1.1.1.1:
>>>   access-list permit ip host 2.2.2.2 host 3.3.3.3
>>>   access-list permit ip host 2.2.2.2 host 5.5.5.5
>>>   access-list permit ip host 2.2.2.2 host 6.6.6.6
>>>
>>> KEK POLICY:
>>>     Rekey Transport Type     : Multicast
>>>     Lifetime (secs)          : 86399
>>>     Encrypt Algorithm        : 3DES
>>>     Key Size                 : 192
>>>     Sig Hash Algorithm       : HMAC_AUTH_SHA
>>>     Sig Key Length (bits)    : 1024
>>>
>>>
>>> On Sat, Jan 1, 2011 at 2:10 PM, Kingsley Charles <[email protected]> wrote:
>>>
>>>> Can you post the configs of KS, ASA and GM on outside.
>>>>
>>>> With regards
>>>> Kings
>>>>
>>>> On Sat, Jan 1, 2011 at 2:52 AM, manish ludhani <[email protected]> wrote:
>>>>
>>>>> Hi all,
>>>>>
>>>>> I am stuck at GETVPN multicast rekey through ASA; it seems a common
>>>>> catch. I have looked at all the previous posts but am still not
>>>>> able to make it work.
>>>>>
>>>>> I am using the ASA in routed mode and the KS is inside the firewall. I receive
>>>>> the rekeys on the GMs which are inside the firewall but not on the outside
>>>>> GMs.
>>>>> I have enabled the routing on the ASA inside and outside interfaces and defined
>>>>> the RP. I tried to enable mpacket debug and noticed I was not receiving any
>>>>> multicast traffic.
>>>>> Packet tracer from the inside source KS to the multicast address fails (Early
>>>>> security checks failed).
>>>>>
>>>>> I will be grateful if anyone can please give me any clue.
>>>>>
>>>>> Regards
>>>>> Manish
>>>>>
>>>>> _______________________________________________
>>>>> For more information regarding industry leading CCIE Lab training,
>>>>> please visit www.ipexpert.com
