Associate the trustpoint to the crypto map too on the ASA.

With regards,
Kings
On Mon, Feb 14, 2011 at 7:20 AM, Mark Senteza <[email protected]> wrote:
> L2L VPN using digital certificates is giving me some trouble. It's built
> between an ASA and a router (R3). When I ping from the router (R1) behind the
> ASA to the remote router (R2) behind R3, the tunnel doesn't come up. When I
> ping in the reverse direction, the tunnel comes up, i.e. when R3 is the
> initiator and the ASA is the responder.
>
> Why would it fail to initiate from the ASA side, and yet come up when
> initiated from the R3 side?
>
> *Below is a basic topology layout*
>
> *R1* (Fa0/0 136.4.121.1) --------- (136.4.121.12 Inside) *ASA* (Outside
> 136.4.123.12) ------- (136.4.123.3 Fa0/0) *R3* (Fa0/1 136.4.23.3)
> ----------- (136.4.23.2 Fa0/0) *R2*
>
> *ASA VPN Config*
>
> access-list VPN ext permit ip 136.4.121.0 255.255.255.0 136.4.23.0 255.255.255.0
>
> crypto isakmp policy 10
>  auth rsa-sig
>  encr 3des
>  hash md5
>  grou 2
>
> crypto ca trustpoint CISCOCCIE
>  enrollment url http://136.4.23.2:80
>  crl configure
>
> tunnel-group 136.4.123.3 type ipsec-l2l
> tunnel-group 136.4.123.3 ipsec-attributes
>  trust-point CISCOCCIE
>
> crypto isakmp enable outside
>
> crypto ipsec transform-set 3DESMD5 esp-3des esp-md5-hmac
>
> crypto map VPN 10 match address VPN
> crypto map VPN 10 set peer 136.4.123.3
> crypto map VPN 10 set transform-set 3DESMD5
>
> crypto map VPN interface outside
>
> ***
>
> *R3 VPN Config:*
>
> ip access-list ext VPN
>  permit ip 136.4.23.0 0.0.0.255 136.4.121.0 0.0.0.255
>
> crypto isakmp policy 10
>  auth rsa-sig
>  encr 3des
>  hash md5
>  grou 2
>
> crypto isakmp identity dn
>
> crypto ipsec transform-set 3DESMD5 esp-3des esp-md5-hmac
>
> crypto map VPN 10 ipsec-isakmp
>  set peer 136.4.123.12
>  set transform-set 3DESMD5
>  match address VPN
>
> interface fa 0/0
>  crypto map VPN
>
> ***
>
> *When I ping from R2*
>
> Rack4R3#show crypto isa sa
> IPv4 Crypto ISAKMP SA
> dst             src             state          conn-id slot status
> 136.4.123.12    136.4.123.3     QM_IDLE           1004    0 ACTIVE
>
> Rack4ASA1# show crypto isa sa
>
>    Active SA: 1
>     Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
> Total IKE SA: 1
>
> 1   IKE Peer: 136.4.123.3
>     Type    : L2L             Role    : responder
>     Rekey   : no              State   : MM_ACTIVE
>
> ***
>
> *When I clear the SAs and ping from R1*
>
> Rack4R1#ping 136.4.23.2
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 136.4.23.2, timeout is 2 seconds:
> .....
> Success rate is 0 percent (0/5)
>
> *The debug output from ASA*
>
> %ASA-7-609001: Built local-host inside:136.4.121.1
> %ASA-7-609002: Teardown local-host inside:136.4.121.1 duration 0:00:00
> %ASA-7-715077: Pitcher: received a key acquire message, spi 0x0
> %ASA-5-713041: IP = 136.4.123.3, IKE Initiator: New Phase 1, Intf inside, IKE Peer 136.4.123.3 local Proxy Address 136.4.121.0, remote Proxy Address 136.4.23.0, Crypto map (VPN)
> %ASA-7-715046: IP = 136.4.123.3, constructing ISAKMP SA payload
> %ASA-7-715046: IP = 136.4.123.3, constructing NAT-Traversal VID ver 02 payload
> %ASA-7-715046: IP = 136.4.123.3, constructing NAT-Traversal VID ver 03 payload
> %ASA-7-715046: IP = 136.4.123.3, constructing Fragmentation VID + extended capabilities payload
> %ASA-7-713236: IP = 136.4.123.3, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 152
> %ASA-7-713236: IP = 136.4.123.3, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 100
> %ASA-7-713236: IP = 136.4.123.3, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 100
> %ASA-5-713904: IP = 136.4.123.3, Received an un-encrypted NO_PROPOSAL_CHOSEN notify message, dropping
> %ASA-4-713903: IP = 136.4.123.3, Information Exchange processing failed
> %ASA-7-609001: Built local-host inside:136.4.121.1
> %ASA-7-609002: Teardown local-host inside:136.4.121.1 duration 0:00:00
> %ASA-7-715077: Pitcher: received a key acquire message, spi 0x0
> %ASA-6-713219: IP = 136.4.123.3, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
> %ASA-7-609001: Built local-host inside:136.4.121.1
> %ASA-7-609002: Teardown local-host inside:136.4.121.1 duration 0:00:00
> %ASA-7-715077: Pitcher: received a key acquire message, spi 0x0
> %ASA-6-713219: IP = 136.4.123.3, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
> %ASA-7-609001: Built local-host inside:136.4.121.1
> %ASA-7-609002: Teardown local-host inside:136.4.121.1 duration 0:00:00
> %ASA-7-715077: Pitcher: received a key acquire message, spi 0x0
> %ASA-6-713219: IP = 136.4.123.3, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
> %ASA-7-713236: IP = 136.4.123.3, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 152
> %ASA-7-609001: Built local-host inside:136.4.121.1
> %ASA-7-609002: Teardown local-host inside:136.4.121.1 duration 0:00:00
> %ASA-7-715077: Pitcher: received a key acquire message, spi 0x0
> %ASA-6-713219: IP = 136.4.123.3, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
> %ASA-7-713236: IP = 136.4.123.3, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 152
> %ASA-7-713236: IP = 136.4.123.3, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 152
> %ASA-7-715065: IP = 136.4.123.3, IKE MM Initiator FSM error history (struct &0xd5a20aa8) <state>, <event>: MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
> %ASA-7-713906: IP = 136.4.123.3, IKE SA MM:a9e93e5e terminating: flags 0x01000022, refcnt 0, tuncnt 0
> %ASA-7-713906: IP = 136.4.123.3, sending delete/delete with reason message
> %ASA-3-713902: IP = 136.4.123.3, Removing peer from peer table failed, no match!
> %ASA-4-713903: IP = 136.4.123.3, Error: Unable to remove PeerTblEntry
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
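The ASA debug quoted in Mark's message already contains the answer if it is read in order: the ASA is the IKE initiator, the peer answers MM1 with an unencrypted NO_PROPOSAL_CHOSEN, and the main-mode FSM never gets past MM_WAIT_MSG2. The following triage script is an added example (not from the thread, not Cisco code) that parses those syslog lines and classifies the failure; the sample log is a trimmed copy of the lines quoted above, and the verdict text restates Kings' suggested fix rather than anything verified against a particular ASA release.

```python
import re

# Constructed sample: a trimmed copy of the ASA debug lines quoted in the thread.
ASA_LOG = """\
%ASA-7-609001: Built local-host inside:136.4.121.1
%ASA-5-713041: IP = 136.4.123.3, IKE Initiator: New Phase 1, Intf inside, IKE Peer 136.4.123.3 local Proxy Address 136.4.121.0, remote Proxy Address 136.4.23.0, Crypto map (VPN)
%ASA-7-713236: IP = 136.4.123.3, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 152
%ASA-7-713236: IP = 136.4.123.3, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 100
%ASA-5-713904: IP = 136.4.123.3, Received an un-encrypted NO_PROPOSAL_CHOSEN notify message, dropping
%ASA-4-713903: IP = 136.4.123.3, Information Exchange processing failed
%ASA-7-715065: IP = 136.4.123.3, IKE MM Initiator FSM error history (struct &0xd5a20aa8) <state>, <event>: MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
%ASA-3-713902: IP = 136.4.123.3, Removing peer from peer table failed, no match!
"""

# Only the IKE lines carry "IP = <peer>"; connection-table lines (609001/609002) are skipped.
LINE_RE = re.compile(r"^%ASA-\d-(?P<msgid>\d{6}): IP = (?P<peer>[\d.]+), (?P<text>.*)$")

def parse(log):
    """One dict per IKE syslog line: message id, peer address, free text."""
    return [m.groupdict() for m in map(LINE_RE.match, log.splitlines()) if m]

def diagnose(log):
    """Pull the facts that matter for an IKEv1 main-mode failure out of the log."""
    ev = parse(log)
    peers = {e["peer"] for e in ev}
    f = {"peer": peers.pop() if len(peers) == 1 else None,
         "role": "initiator" if any(e["msgid"] == "713041" and "IKE Initiator" in e["text"]
                                    for e in ev) else "responder/unknown",
         "proposal_rejected": any(e["msgid"] == "713904" and "NO_PROPOSAL_CHOSEN" in e["text"]
                                  for e in ev),
         "stalled_at_msg": None}
    for e in ev:
        if e["msgid"] == "715065":  # FSM history: the furthest MM_WAIT_MSGn it reached
            waits = [int(n) for n in re.findall(r"MM_WAIT_MSG(\d)", e["text"])]
            f["stalled_at_msg"] = max(waits, default=None)
    return f

def verdict(f):
    """Map the findings to a category and the next thing to check."""
    if f["role"] == "initiator" and f["proposal_rejected"] and f["stalled_at_msg"] == 2:
        return ("phase1-proposal-mismatch",
                "Peer refused the ISAKMP SA the ASA offered, before any key exchange. "
                "The policy the ASA sends as initiator does not match the peer; with rsa-sig, "
                "make sure the trustpoint is bound for the initiator role as well "
                "(the reply above: associate it with the crypto map, not only the tunnel-group).")
    if f["role"] == "initiator" and f["stalled_at_msg"] == 2:
        return ("no-reply-to-msg1", "Peer never answered MM1: check reachability, "
                "that ISAKMP is enabled on the peer's interface, and UDP/500 filtering.")
    return ("inconclusive", "Collect the peer-side debug; this log alone does not show the cause.")
```

The unencrypted notify is unauthenticated, so the script treats it as a hint to confirm against R3's own `debug crypto isakmp` rather than as proof on its own.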
