On which interface are you unable to get show arp output? Thanks
Leon Lai
Sent from my iPad

On Feb 15, 2011, at 11:23 AM, kamran shakil <[email protected]> wrote:

> Dears,
>
> I am not running GNS3. This is a real-life RACK setup. My ASA version is 8.2(1)
> and running in single mode with "no nat-control".... In SHOW ARP, I am
> getting nothing!!!
>
> This was a technology setup. Can there be a VLAN issue underneath or SVI
> missing or is there anything in my configs so far?????
>
> setup is simple
> ================
>
> router 5 --------- (inside) ASA (outside) ------------- router 1
>
>
> ASA
> ======
>
> interface Ethernet0/1
>  nameif inside
>  security-level 100
>  ip address 100.100.7.10 255.255.255.0
> !
>
> interface Redundant1
>  member-interface Ethernet0/0
>  member-interface Ethernet0/2
>  nameif outside
>  security-level 0
>  allow-ssc-mgmt
>  ip address 100.100.6.10 255.255.255.0
>
>
> access-list outside extended permit icmp any any
> access-list outside extended permit tcp host 100.100.6.4 host 100.100.52.5 eq telnet
> access-list outside extended permit tcp host 100.100.51.1 host 100.100.52.5 eq telnet
> access-list outside extended permit esp host 192.168.1.1 host 192.168.5.5
> access-list outside extended permit udp host 192.168.1.1 host 192.168.5.5 eq isakmp
> access-list R1-R5 extended permit ip host 100.100.51.1 host 100.100.52.5
> access-list R4-R5 extended permit ip host 100.100.6.4 host 100.100.52.5
> pager lines 24
> mtu outside 1500
> mtu inside 1500
> no failover
> icmp unreachable rate-limit 1 burst-size 1
> no asdm history enable
> arp timeout 14400
> static (outside,inside) 100.100.3.70 access-list R1-R5
> static (outside,inside) 100.100.7.31 access-list R4-R5
> access-group outside in interface outside
>
> router ospf 1
>  network 100.100.6.0 255.255.255.0 area 0
>  network 100.100.7.0 255.255.255.0 area 0
>  log-adj-changes
>
>
>
> R1 CONFIG
> ==========
> crypto isakmp policy 10
>  encr 3des
>  authentication pre-share
>  group 2
> crypto isakmp key cisco address 100.100.7.5
> !
> !
> crypto ipsec transform-set tset esp-des esp-md5-hmac
> !
> crypto ipsec profile vpn
>  set transform-set tset
>
> int lo0
>  ip add 192.168.1.1 255.255.255.0
>
> interface Tunnel0
>  ip address 123.1.1.1 255.255.255.0
>  tunnel source 100.100.6.1
>  tunnel destination 100.100.7.5
>  tunnel mode ipsec ipv4
>  tunnel protection ipsec profile vpn
>
>
> router eigrp 199
>  network 123.1.1.0 0.0.0.255
>  network 192.168.1.0
>  no auto-summary
>
>
> R5 CONFIG
> ==========
>
> crypto isakmp policy 10
>  encr 3des
>  authentication pre-share
>  group 2
> crypto isakmp key cisco address 100.100.6.1
> !
> !
> crypto ipsec transform-set tset esp-des esp-md5-hmac
> !
> crypto ipsec profile vpn
>  set transform-set tset
>
>
> interface Loopback0
>  ip address 192.168.5.5 255.255.255.0
> !
>
>
> !
> interface Tunnel0
>  ip address 123.1.1.5 255.255.255.0
>  tunnel source 100.100.7.5
>  tunnel destination 100.100.6.1
>  tunnel mode ipsec ipv4
>  tunnel protection ipsec profile vpn
>
> router ospf 1
>  router-id 5.5.5.5
>  log-adjacency-changes
>  network 100.100.7.5 0.0.0.0 area 0
>  network 100.100.8.5 0.0.0.0 area 0
>  network 100.100.52.5 0.0.0.0 area 0
>
>
> Upon debug cry isa, and logging console 7, I'm getting the following messages:
>
> Rack05R5#sh cry isa sa
> IPv4 Crypto ISAKMP SA
> dst             src             state          conn-id slot status
> 100.100.6.1     100.100.7.5     MM_NO_STATE          0    0 ACTIVE
>
> IPv6 Crypto ISAKMP SA
>
> Rack05R5#
> *Jan 5 12:11:31.912: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
> *Jan 5 12:11:31.912: ISAKMP (0:0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
> *Jan 5 12:11:31.912: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
> *Jan 5 12:11:31.912: ISAKMP:(0): sending packet to 100.100.6.1 my_port 500 peer_port 500 (I) MM_NO_STATE
> *Jan 5 12:11:31.912: ISAKMP:(0):Sending an IKE IPv4 Packet.
> *Jan 5 12:11:41.900: ISAKMP: set new node 0 to QM_IDLE
> *Jan 5 12:11:41.900: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local 100.100.7.5, remote 100.100.6.1)
> *Jan 5 12:11:41.900: ISAKMP: Error while processing SA request: Failed to initialize SA
> *Jan 5 12:11:41.904: ISAKMP: Error while processing KMI message 0, error 2.
> *Jan 5 12:11:41.912: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
> *Jan 5 12:11:41.912: ISAKMP (0:0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
> *Jan 5 12:11:41.912: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
> *Jan 5 12:11:41.912: ISAKMP:(0): sending packet to 100.100.6.1 my_port 500 peer_port 500 (I) MM_NO_STATE
> *Jan 5 12:11:41.912: ISAKMP:(0):Sending an IKE IPv4 Packet.
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
