L2L VPN using digital certificates is giving me some trouble. It's built between an ASA and a router (R3). When I ping from the router (R1) behind the ASA to the remote router (R2) behind R3, the tunnel doesn't come up. When I ping in the reverse direction, the tunnel comes up, i.e. when R3 is the initiator and the ASA is the responder.

Why would it fail to initiate from the ASA side, and yet come up when initiated from the R3 side?

*Below is a basic topology layout*

*R1* (Fa0/0 136.4.121.1) --------- (136.4.121.12 Inside) *ASA* (Outside 136.4.123.12) ------- (136.4.123.3 Fa0/0) *R3* (Fa0/1 136.4.23.3) ----------- (136.4.23.2 Fa0/0) *R2*

*ASA VPN Config*

access-list VPN extended permit ip 136.4.121.0 255.255.255.0 136.4.23.0 255.255.255.0
crypto isakmp policy 10
 authentication rsa-sig
 encryption 3des
 hash md5
 group 2
crypto ca trustpoint CISCOCCIE
 enrollment url http://136.4.23.2:80
 crl configure
tunnel-group 136.4.123.3 type ipsec-l2l
tunnel-group 136.4.123.3 ipsec-attributes
 trust-point CISCOCCIE
crypto isakmp enable outside
crypto ipsec transform-set 3DESMD5 esp-3des esp-md5-hmac
crypto map VPN 10 match address VPN
crypto map VPN 10 set peer 136.4.123.3
crypto map VPN 10 set transform-set 3DESMD5
crypto map VPN interface outside

***

*R3 VPN Config:*

ip access-list extended VPN
 permit ip 136.4.23.0 0.0.0.255 136.4.121.0 0.0.0.255
crypto isakmp policy 10
 authentication rsa-sig
 encryption 3des
 hash md5
 group 2
crypto isakmp identity dn
crypto ipsec transform-set 3DESMD5 esp-3des esp-md5-hmac
crypto map VPN 10 ipsec-isakmp
 set peer 136.4.123.12
 set transform-set 3DESMD5
 match address VPN
interface FastEthernet0/0
 crypto map VPN

***

*When I ping from R2*

Rack4R3#show crypto isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
136.4.123.12    136.4.123.3     QM_IDLE           1004    0 ACTIVE

Rack4ASA1# show crypto isa sa
   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 136.4.123.3
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE

***

*When I clear the SAs and ping from R1*

Rack4R1#ping 136.4.23.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 136.4.23.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

*The debug output from ASA*

%ASA-7-609001: Built local-host inside:136.4.121.1
%ASA-7-609002: Teardown local-host inside:136.4.121.1 duration 0:00:00
%ASA-7-715077: Pitcher: received a key acquire message, spi 0x0
%ASA-5-713041: IP = 136.4.123.3, IKE Initiator: New Phase 1, Intf inside, IKE Peer 136.4.123.3 local Proxy Address 136.4.121.0, remote Proxy Address 136.4.23.0, Crypto map (VPN)
%ASA-7-715046: IP = 136.4.123.3, constructing ISAKMP SA payload
%ASA-7-715046: IP = 136.4.123.3, constructing NAT-Traversal VID ver 02 payload
%ASA-7-715046: IP = 136.4.123.3, constructing NAT-Traversal VID ver 03 payload
%ASA-7-715046: IP = 136.4.123.3, constructing Fragmentation VID + extended capabilities payload
%ASA-7-713236: IP = 136.4.123.3, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 152
%ASA-7-713236: IP = 136.4.123.3, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 100
%ASA-7-713236: IP = 136.4.123.3, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 100
%ASA-5-713904: IP = 136.4.123.3, Received an un-encrypted NO_PROPOSAL_CHOSEN notify message, dropping
%ASA-4-713903: IP = 136.4.123.3, Information Exchange processing failed
%ASA-7-609001: Built local-host inside:136.4.121.1
%ASA-7-609002: Teardown local-host inside:136.4.121.1 duration 0:00:00
%ASA-7-715077: Pitcher: received a key acquire message, spi 0x0
%ASA-6-713219: IP = 136.4.123.3, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
%ASA-7-609001: Built local-host inside:136.4.121.1
%ASA-7-609002: Teardown local-host inside:136.4.121.1 duration 0:00:00
%ASA-7-715077: Pitcher: received a key acquire message, spi 0x0
%ASA-6-713219: IP = 136.4.123.3, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
%ASA-7-609001: Built local-host inside:136.4.121.1
%ASA-7-609002: Teardown local-host inside:136.4.121.1 duration 0:00:00
%ASA-7-715077: Pitcher: received a key acquire message, spi 0x0
%ASA-6-713219: IP = 136.4.123.3, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
%ASA-7-713236: IP = 136.4.123.3, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 152
%ASA-7-609001: Built local-host inside:136.4.121.1
%ASA-7-609002: Teardown local-host inside:136.4.121.1 duration 0:00:00
%ASA-7-715077: Pitcher: received a key acquire message, spi 0x0
%ASA-6-713219: IP = 136.4.123.3, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
%ASA-7-713236: IP = 136.4.123.3, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 152
%ASA-7-713236: IP = 136.4.123.3, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 152
%ASA-7-715065: IP = 136.4.123.3, IKE MM Initiator FSM error history (struct &0xd5a20aa8) <state>, <event>: MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
%ASA-7-713906: IP = 136.4.123.3, IKE SA MM:a9e93e5e terminating: flags 0x01000022, refcnt 0, tuncnt 0
%ASA-7-713906: IP = 136.4.123.3, sending delete/delete with reason message
%ASA-3-713902: IP = 136.4.123.3, Removing peer from peer table failed, no match!
%ASA-4-713903: IP = 136.4.123.3, Error: Unable to remove PeerTblEntry
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
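As an added example, not part of the original post, the following Python reader pulls out of the ASA IKE debug above the facts a troubleshooter checks first: which side initiated, which payloads went out before the failure, what notify came back and whether it was encrypted, how many times MM1 was resent, and where the main-mode FSM stalled. The diagnosis it returns rests only on IKEv1 semantics, not on anything specific to this lab: an unencrypted NO_PROPOSAL_CHOSEN in reply to the first main-mode message (SA plus vendor IDs, no KE yet) means the responder accepted none of the ISAKMP policy proposals it was offered, whereas a NO_PROPOSAL_CHOSEN that arrives after the key exchange belongs to phase 2 (quick mode); the rule is written to cover both cases, which goes beyond the single failure shown in the post. The sample log is a constructed subset of the lines posted; the function and field names are assumptions of this example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: a subset of the ASA debug lines posted above, in their original order.
SAMPLE_LOG = """\
%ASA-5-713041: IP = 136.4.123.3, IKE Initiator: New Phase 1, Intf inside, IKE Peer 136.4.123.3 local Proxy Address 136.4.121.0, remote Proxy Address 136.4.23.0, Crypto map (VPN)
%ASA-7-713236: IP = 136.4.123.3, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 152
%ASA-7-713236: IP = 136.4.123.3, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 100
%ASA-5-713904: IP = 136.4.123.3, Received an un-encrypted NO_PROPOSAL_CHOSEN notify message, dropping
%ASA-7-713236: IP = 136.4.123.3, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 152
%ASA-7-715065: IP = 136.4.123.3, IKE MM Initiator FSM error history (struct &0xd5a20aa8) <state>, <event>: MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
"""

# Patterns for the syslog IDs that matter here: 713041 (role), 713236 (decode), 713904 (notify), 715065 (FSM).
PEER_RE = re.compile(r"IP = ([\d.]+),")
ROLE_RE = re.compile(r"IKE (Initiator|Responder): New Phase 1")
DECODE_RE = re.compile(r"IKE_DECODE (SENDING|RECEIVED|RESENDING) Message \(msgid=\w+\) with payloads : (.*?) total length")
NOTIFY_RE = re.compile(r"Received an (un-encrypted|encrypted) (\w+) notify message")
FSM_RE = re.compile(r"FSM error history .*?<state>, <event>: (.*)$")


@dataclass
class IkeSummary:  # field names are this example's own, not ASA terminology
    peer: Optional[str] = None
    role: Optional[str] = None
    sent_payloads: List[str] = field(default_factory=list)      # distinct payload types we sent, in order
    received_payloads: List[str] = field(default_factory=list)  # distinct payload types the peer sent back
    notify: Optional[str] = None
    notify_encrypted: Optional[bool] = None
    resends: int = 0
    stalled_state: Optional[str] = None


def _payload_names(spec: str) -> List[str]:
    """'HDR + SA (1) + VENDOR (13) + NONE (0)' -> ['SA', 'VENDOR']; HDR/NONE carry no information."""
    names = [part.split(" (")[0].strip() for part in spec.split(" + ")]
    return [n for n in names if n not in ("HDR", "NONE")]


def _add_unique(target: List[str], names: List[str]) -> None:
    for n in names:
        if n not in target:
            target.append(n)


def parse_ike_log(text: str) -> IkeSummary:
    s = IkeSummary()
    for line in text.splitlines():
        m = PEER_RE.search(line)
        if m and s.peer is None:
            s.peer = m.group(1)
        m = ROLE_RE.search(line)
        if m:
            s.role = m.group(1)
        m = DECODE_RE.search(line)
        if m:
            direction, spec = m.groups()
            if direction == "SENDING":
                _add_unique(s.sent_payloads, _payload_names(spec))
            elif direction == "RECEIVED":
                _add_unique(s.received_payloads, _payload_names(spec))
            else:  # RESENDING: the peer never answered with the next main-mode message
                s.resends += 1
        m = NOTIFY_RE.search(line)
        if m:
            s.notify_encrypted = m.group(1) == "encrypted"
            s.notify = m.group(2)
        m = FSM_RE.search(line)
        if m:
            # The history is newest first ('MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->...'),
            # so the entry after the terminal MM_DONE is the state the negotiation was stuck in.
            states = [seg.split(",")[0].strip() for seg in m.group(1).split("-->")]
            s.stalled_state = states[1] if len(states) > 1 else states[0]
    return s


def diagnose(s: IkeSummary) -> str:
    # IKEv1 main mode: before any KE payload has gone out, the only thing the peer can reject is the ISAKMP SA.
    if s.notify == "NO_PROPOSAL_CHOSEN" and "SA" in s.sent_payloads and "KE" not in s.sent_payloads:
        msg = (f"phase 1 rejected: peer {s.peer} answered our ISAKMP SA proposal (MM1) with NO_PROPOSAL_CHOSEN, "
               "so it accepts none of the proposed ISAKMP policies; compare encryption, hash, authentication "
               "method, DH group and lifetime on both sides, and check that the responder can actually perform "
               "the proposed authentication (for rsa-sig: a usable certificate and trustpoint)")
        if s.notify_encrypted is False:
            msg += "; the notify is unencrypted and unauthenticated, so the ASA drops it and keeps resending MM1"
        if s.stalled_state:
            msg += f" (FSM stalled in {s.stalled_state} after {s.resends} resend(s))"
        return msg
    if s.notify == "NO_PROPOSAL_CHOSEN":
        return "phase 2 rejected: the ISAKMP SA was already accepted (KE exchanged), so the IPsec transform set or proxy identities (crypto ACLs) do not match"
    if s.notify:
        return f"negotiation failed with a {s.notify} notify from {s.peer}"
    return "no failure notify seen"


if __name__ == "__main__":
    summary = parse_ike_log(SAMPLE_LOG)
    print(f"peer={summary.peer} role={summary.role} sent={summary.sent_payloads} got={summary.received_payloads}")
    print(diagnose(summary))
```

Feed it the full `debug crypto isakmp` capture rather than the excerpt: the diagnosis hinges on whether a KE payload ever appeared in a SENDING line, so a truncated log that starts after MM3 would be misread as a phase 1 failure.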
