Yep, R4 is configured with multicast routing and RP. The thing is I can ping from R3 to the multicast IP, but I just see R5 replying, not R1, and I could see the mroute all the way up to 1.1.1.1,
but still I don't get rekeys (not even cumulative while joining). On R5, without joining the IGMP group, I am getting rekeys.

Regards
Manish

On Sat, Jan 1, 2011 at 7:06 PM, Kingsley Charles <[email protected]> wrote:

> Config looks fine. Can you post R4's config? Have you configured
> multicast routing and rp-address on it too?
>
> With regards
> Kings
>
> On Sat, Jan 1, 2011 at 5:46 PM, manish ludhani <[email protected]> wrote:
>
>> Please find below the related config.
>>
>> Apologies for raising it again; however, I have tried everything suggested in
>> previous posts.
>>
>> Thanks, regards
>>
>> R5
>> |
>> (e0/0)
>> |
>> |
>> (l1 1.1.1.1)R1(fa0/0 10.10.10.1)--------(e0/0 .2)R2(e0/1 .2)-------(e1)Pix(e0)----R4(e0/1)---(F0/0)R3(l1 2.2.2.2)
>>
>> *R1*
>>
>> R1#sh run | sec crypto
>> crypto isakmp policy 10
>>  encr 3des
>>  hash md5
>>  authentication pre-share
>>  group 2
>> crypto isakmp key cisco address 0.0.0.0 0.0.0.0
>> crypto ipsec transform-set TSET esp-3des esp-md5-hmac
>> crypto ipsec profile IPSEC_PRO
>>  set transform-set TSET
>> crypto gdoi group GET_GRP
>>  identity number 1234
>>  server local
>>   rekey address ipv4 MULTI_GRP
>>   rekey retransmit 10 number 2
>>   rekey authentication mypubkey rsa GETKEY
>>   sa ipsec 1
>>    profile IPSEC_PRO
>>    match address ipv4 GET_TRAFFIC
>>    replay counter window-size 64
>> ip multicast-routing
>> ip pim rp-address 1.1.1.1
>>
>> interface Loopback1
>>  ip address 1.1.1.1 255.255.255.0
>>  ip pim sparse-mode
>> !
>> interface FastEthernet0/0
>>  ip address 10.10.10.1 255.255.255.0
>>  ip pim sparse-mode
>>
>> R1#sh crypto gdoi ks members
>>
>> Group Member Information :
>>
>> Number of rekeys sent for group GET_GRP : 8
>>
>>  Group Member ID : 2.2.2.2
>>  Group ID : 1234
>>  Group Name : GET_GRP
>>  Key Server ID : 0.0.0.0
>>
>>  Group Member ID : 5.5.5.5
>>  Group ID : 1234
>>  Group Name : GET_GRP
>>  Key Server ID : 0.0.0.0
>>
>> R1#sh crypto gdoi ks rekey
>> Group GET_GRP (Multicast)
>>  Number of Rekeys sent : 8
>>  Number of Rekeys retransmitted : 4
>>  KEK rekey lifetime (sec) : 86400
>>  Remaining lifetime (sec) : 86325
>>  Retransmit period : 10
>>  Number of retransmissions : 2
>>  IPSec SA 1 lifetime (sec) : 3600
>>  Remaining lifetime (sec) : 3526
>>  Number of registrations after rekey : 0
>>  Multicast destination address : 239.0.0.5
>>
>> R1#sh run | sec ip access
>> ip access-list extended GET_TRAFFIC
>>  permit ip host 2.2.2.2 host 3.3.3.3
>>  permit ip host 2.2.2.2 host 5.5.5.5
>>  permit ip host 2.2.2.2 host 6.6.6.6
>> ip access-list extended MULTI_GRP
>>  permit udp host 1.1.1.1 eq 848 host 239.0.0.5 eq 848
>> R1#
>>
>> *pix*
>>
>> !
>> interface Ethernet0
>>  nameif outside
>>  security-level 0
>>  ip address 30.30.30.1 255.255.255.0
>>  igmp access-group MULTI
>> !
>> interface Ethernet1
>>  nameif inside
>>  security-level 100
>>  ip address 20.20.20.1 255.255.255.0
>>  igmp access-group MULTI
>> !
>>
>> access-list MULTI standard permit host 239.0.0.5
>> access-list OUTSIDE_IN extended permit ip any any log debugging
>> access-list OUTSIDE_IN extended permit pim any any
>>
>> access-group OUTSIDE_IN in interface outside
>> access-group OUTSIDE_IN in interface inside
>>
>> pix1# sh run multicast-routing
>> multicast-routing
>>
>> pix1# sh run pim
>> pim rp-address 1.1.1.1
>>
>> pix1# sh pim neighbor
>>
>> Neighbor Address   Interface   Uptime     Expires   DR pri   Bidir
>>
>> 30.30.30.2         outside     00:36:04   00:01:28  1 (DR)
>> 20.20.20.2         inside      00:36:04   00:01:28  1 (DR)
>>
>> *R3*
>>
>> R3#sh run | sec crypto
>> crypto isakmp policy 10
>>  encr 3des
>>  hash md5
>>  authentication pre-share
>>  group 2
>> crypto isakmp key cisco address 0.0.0.0 0.0.0.0
>> crypto gdoi group GET_GRP
>>  identity number 1234
>>  server address ipv4 1.1.1.1
>> crypto map GET_MAP local-address Loopback1
>> crypto map GET_MAP 10 gdoi
>>  set group GET_GRP
>>  crypto map GET_MAP
>>
>> !
>> ip multicast-routing
>> !
>> interface Loopback1
>>  ip address 2.2.2.2 255.255.255.0
>>  ip pim sparse-mode
>>  ip igmp join-group 239.0.0.5
>> !
>> interface FastEthernet0/0
>>  ip address 40.40.40.1 255.255.255.0
>>  ip pim sparse-mode
>>  duplex auto
>>  speed auto
>>  crypto map GET_MAP
>>
>> ip pim rp-address 1.1.1.1
>>
>> R3#sh crypto gdoi
>> GROUP INFORMATION
>>
>>  Group Name : GET_GRP
>>  Group Identity : 1234
>>  Rekeys received : 0
>>  IPSec SA Direction : Both
>>  Active Group Server : 1.1.1.1
>>  Group Server list : 1.1.1.1
>>
>>  GM Reregisters in : 1486 secs
>>  Rekey Received : never
>>
>>  Rekeys received
>>  Cumulative : 0
>>  After registration : 0
>>
>>  ACL Downloaded From KS 1.1.1.1:
>>  access-list permit ip host 2.2.2.2 host 3.3.3.3
>>
>> KEK POLICY:
>>  Rekey Transport Type : Multicast
>>  Lifetime (secs) : 86126
>>  Encrypt Algorithm : 3DES
>>  Key Size : 192
>>  Sig Hash Algorithm : HMAC_AUTH_SHA
>>  Sig Key Length (bits) : 1024
>>
>> TEK POLICY for the current KS-Policy ACEs Downloaded:
>>  FastEthernet0/0:
>>  IPsec SA:
>>  spi: 0x8213D0D6(2182336726)
>>  transform: esp-3des esp-md5-hmac
>>  sa timing:remaining key lifetime (sec): (1637)
>>  Anti-Replay(Time Based) : 64 sec interval
>>
>> *R5*
>>
>> R5#sh run | sec crypto
>> crypto isakmp policy 10
>>  encr 3des
>>  hash md5
>>  authentication pre-share
>>  group 2
>> crypto isakmp key cisco address 0.0.0.0 0.0.0.0
>> crypto gdoi group GET_GRP
>>  identity number 1234
>>  server address ipv4 1.1.1.1
>> crypto map GET_MAP local-address Loopback1
>> crypto map GET_MAP 10 gdoi
>>  set group GET_GRP
>>  crypto map GET_MAP
>>
>> interface Loopback1
>>  ip address 5.5.5.5 255.255.255.0
>>  ip pim sparse-mode
>> !
>> interface FastEthernet0/0
>>  ip address 50.50.50.1 255.255.255.0
>>  ip pim sparse-mode
>>  duplex auto
>>  speed auto
>>  crypto map GET_MAP
>>
>> ip pim rp-address 1.1.1.1
>> ip multicast-routing
>>
>> R5#sh crypto gdoi
>> GROUP INFORMATION
>>
>>  Group Name : GET_GRP
>>  Group Identity : 1234
>>  Rekeys received : 2
>>  IPSec SA Direction : Both
>>  Active Group Server : 1.1.1.1
>>  Group Server list : 1.1.1.1
>>
>>  GM Reregisters in : 1775 secs
>>  Rekey Received(hh:mm:ss) : 00:27:41
>>
>>  Rekeys received
>>  Cumulative : 2
>>  After registration : 2
>>
>>  ACL Downloaded From KS 1.1.1.1:
>>  access-list permit ip host 2.2.2.2 host 3.3.3.3
>>  access-list permit ip host 2.2.2.2 host 5.5.5.5
>>  access-list permit ip host 2.2.2.2 host 6.6.6.6
>>
>> KEK POLICY:
>>  Rekey Transport Type : Multicast
>>  Lifetime (secs) : 86399
>>  Encrypt Algorithm : 3DES
>>  Key Size : 192
>>  Sig Hash Algorithm : HMAC_AUTH_SHA
>>  Sig Key Length (bits) : 1024
>>
>> On Sat, Jan 1, 2011 at 2:10 PM, Kingsley Charles <[email protected]> wrote:
>>
>>> Can you post the configs of KS, ASA and GM on outside?
>>>
>>> With regards
>>> Kings
>>>
>>> On Sat, Jan 1, 2011 at 2:52 AM, manish ludhani <[email protected]> wrote:
>>>
>>>> Hi all,
>>>>
>>>> I am stuck at GETVPN multicast rekey through ASA; it seems a common catch. I
>>>> have looked at all the previous posts but am still not able to make it work.
>>>>
>>>> I am using the ASA in routed mode and the KS is inside the firewall. I receive
>>>> the rekeys on the GMs which are inside the firewall but not on the outside GMs.
>>>> I have enabled multicast routing on the ASA inside and outside interfaces and
>>>> defined the RP. I tried to enable mpacket debug and noticed I was not
>>>> receiving any multicast traffic. Packet tracer from the inside source KS to
>>>> the multicast address fails (Early security checks failed).
>>>>
>>>> I will be grateful if anyone can please give me any clue.
>>>>
>>>> Regards
>>>> Manish
>>>>
>>>> _______________________________________________
>>>> For more information regarding industry leading CCIE Lab training,
>>>> please visit www.ipexpert.com
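An added example, not from any poster in this thread: a small Python check that reads the KS and GM `show crypto gdoi` output quoted above (abridged and constructed from the figures posted) and flags a GM that has received no multicast rekeys, or that holds fewer ACEs than the KS policy, which is the R3 versus R5 difference visible in the thread.

```python
import re

# Abridged 'show' output constructed from the figures posted in this thread
# (KS = R1; GMs = R3 outside the firewall, R5 inside).
KS_REKEY = """\
Group GET_GRP (Multicast)
 Number of Rekeys sent : 8
"""
KS_ACL = """\
ip access-list extended GET_TRAFFIC
 permit ip host 2.2.2.2 host 3.3.3.3
 permit ip host 2.2.2.2 host 5.5.5.5
 permit ip host 2.2.2.2 host 6.6.6.6
"""
GM_OUTPUT = {
    "R3": """\
Rekeys received : 0
ACL Downloaded From KS 1.1.1.1:
 access-list permit ip host 2.2.2.2 host 3.3.3.3
""",
    "R5": """\
Rekeys received : 2
ACL Downloaded From KS 1.1.1.1:
 access-list permit ip host 2.2.2.2 host 3.3.3.3
 access-list permit ip host 2.2.2.2 host 5.5.5.5
 access-list permit ip host 2.2.2.2 host 6.6.6.6
""",
}

def field(text, name):
    """Return the value after 'name :' in IOS show output, or None."""
    m = re.search(rf"^\s*{re.escape(name)}\s*:\s*(\S+)", text, re.M)
    return m.group(1) if m else None

def count_aces(text, prefix):
    """Count lines that begin with the given ACE prefix."""
    return len(re.findall(rf"^\s*{re.escape(prefix)}", text, re.M))

def diagnose(ks_rekey, ks_acl, gm_outputs):
    """Flag GMs that missed multicast rekeys or hold a stale KS policy."""
    sent = int(field(ks_rekey, "Number of Rekeys sent"))
    ks_aces = count_aces(ks_acl, "permit ip ")
    report = {}
    for gm, text in gm_outputs.items():
        received = int(field(text, "Rekeys received"))
        aces = count_aces(text, "access-list permit ")
        report[gm] = {"received": received,
                      "missed_rekeys": sent > 0 and received == 0,
                      "stale_policy": aces < ks_aces}
    return report
```

A GM flagged with `stale_policy` is still enforcing the ACL it downloaded at registration, so a KS policy change is not in effect there until the rekey path is fixed or the GM re-registers.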
