What did you configure under tunnel-group?

On Tue, Mar 22, 2011 at 2:19 AM, Eugene Pefti <[email protected]> wrote:
> Hello folks,
>
> I’m at the point of questioning my sanity while doing this task.
>
> The design is very simple:
>
> Host1 ------- ASA--------Router--------Host2
>
> ASA and Router are IPSec VPN gateways, enrolled with CA and got their
> certificates.
>
> Trying to make the router check two attributes in the ASA certificate by
> the certificate map.
>
> My problem is that when I initiate the traffic from Host1 the tunnel goes
> up but there’s no traffic. I see that main mode has been completed:
>
> ASA1(config)# sh crypto isa sa
>
> 1   IKE Peer: 192.168.6.3
>     Type    : L2L             Role    : initiator
>     Rekey   : no              State   : MM_ACTIVE
>
> But there are no ipsec sa.
>
> On the other hand, when I initiate traffic from Host2 the tunnel
> successfully comes up, ipsec sa are established and Host2 can reach Host1.
>
> I noticed that it takes a lot more time to see anything on the ASA while
> debugging isakmp; “Pitcher: received a key acquire message” shows a number
> of times and then I see that Quick Mode can’t be constructed.
>
> “debug crypto isakmp 200” run on ASA
> =================================================================
> Mar 21 21:08:06 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
> Mar 21 21:08:08 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
> Mar 21 21:08:10 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
> Mar 21 21:08:12 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
> Mar 21 21:08:14 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
> Mar 21 21:08:16 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
> Mar 21 21:08:18 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
> Mar 21 21:08:20 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
> Mar 21 21:08:22 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
> Mar 21 21:08:37 [IKEv1]: Group = 192.168.6.3, IP = 192.168.6.3, QM FSM error (P2 struct &0xccf3edb0, mess id 0xc2b8e870)!
> Mar 21 21:08:37 [IKEv1 DEBUG]: Group = 192.168.6.3, IP = 192.168.6.3, IKE QM Initiator FSM error history (struct &0xccf3edb0) <state>, <event>: QM_DONE, EV_ERROR-->QM_WAIT_MSG2, EV_TIMEOUT-->QM_WAIT_MSG2, NullEvent-->QM_SND_MSG1, EV_SND_MSG-->QM_SND_MSG1, EV_START_TMR-->QM_SND_MSG1, EV_RESEND_MSG-->QM_WAIT_MSG2, EV_TIMEOUT-->QM_WAIT_MSG2, NullEvent
> Mar 21 21:08:37 [IKEv1 DEBUG]: Group = 192.168.6.3, IP = 192.168.6.3, sending delete/delete with reason message
> Mar 21 21:08:37 [IKEv1 DEBUG]: Group = 192.168.6.3, IP = 192.168.6.3, constructing blank hash payload
> Mar 21 21:08:37 [IKEv1 DEBUG]: Group = 192.168.6.3, IP = 192.168.6.3, constructing IPSec delete payload
> Mar 21 21:08:37 [IKEv1 DEBUG]: Group = 192.168.6.3, IP = 192.168.6.3, constructing qm hash payload
> Mar 21 21:08:37 [IKEv1]: IP = 192.168.6.3, IKE_DECODE SENDING Message (msgid=2f605835) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 64
> Mar 21 21:08:37 [IKEv1 DEBUG]: Group = 192.168.6.3, IP = 192.168.6.3, IKE Deleting SA: Remote Proxy 192.168.5.0, Local Proxy 192.168.4.0
> Mar 21 21:08:37 [IKEv1]: Group = 192.168.6.3, IP = 192.168.6.3, Removing peer from correlator table failed, no match!
> Mar 21 21:08:37 [IKEv1 DEBUG]: Group = 192.168.6.3, IP = 192.168.6.3, IKE SA MM:c3ed91f7 rcv'd Terminate: state MM_ACTIVE flags 0x0000c062, refcnt 1, tuncnt 0
> Mar 21 21:08:37 [IKEv1 DEBUG]: Group = 192.168.6.3, IP = 192.168.6.3, IKE SA MM:c3ed91f7 terminating: flags 0x0100c022, refcnt 0, tuncnt 0
> Mar 21 21:08:37 [IKEv1 DEBUG]: Group = 192.168.6.3, IP = 192.168.6.3, sending delete/delete with reason message
> Mar 21 21:08:37 [IKEv1 DEBUG]: Group = 192.168.6.3, IP = 192.168.6.3, constructing blank hash payload
> Mar 21 21:08:37 [IKEv1 DEBUG]: Group = 192.168.6.3, IP = 192.168.6.3, constructing IKE delete payload
> Mar 21 21:08:37 [IKEv1 DEBUG]: Group = 192.168.6.3, IP = 192.168.6.3, constructing qm hash payload
> Mar 21 21:08:37 [IKEv1]: IP = 192.168.6.3, IKE_DECODE SENDING Message (msgid=e67eb622) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 76
> Mar 21 21:08:37 [IKEv1 DEBUG]: Pitcher: received key delete msg, spi 0x43b5a2b0
> Mar 21 21:08:37 [IKEv1]: Group = 192.168.6.3, IP = 192.168.6.3, Session is being torn down. Reason: Lost Service
> Mar 21 21:08:37 [IKEv1]: Ignoring msg to mark SA with dsID 118784 dead because SA deleted
> Mar 21 21:08:37 [IKEv1]: IP = 192.168.6.3, Received encrypted packet with no matching SA, dropping
> ====================================================================
>
> Now my question is: if it has to do with IPsec proposals, then why does it
> work from Host2? I would understand that the authentication phase completes
> and the two peers establish the isakmp tunnel in both cases.
>
> This is what I see on the router when debugging isakmp while sending
> traffic from Host1
>
> ====================================================================
> Mar 22 05:12:32.843: ISAKMP:(1028):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
> Mar 22 05:12:32.843: ISAKMP:(1028):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
>
> Mar 22 05:12:32.851: ISAKMP (1028): received packet from 192.168.6.200 dport 500 sport 500 Global (R) QM_IDLE
> Mar 22 05:12:32.851: ISAKMP: set new node -3974482 to QM_IDLE
> Mar 22 05:12:32.851: ISAKMP:(1028): processing HASH payload. message ID = -3974482
> Mar 22 05:12:32.851: ISAKMP:(1028): processing SA payload. message ID = -3974482
> Mar 22 05:12:32.851: ISAKMP:(1028):Checking IPSec proposal 1
> Mar 22 05:12:32.851: ISAKMP: transform 1, ESP_3DES
> Mar 22 05:12:32.851: ISAKMP:   attributes in transform:
> Mar 22 05:12:32.851: ISAKMP:      SA life type in seconds
> Mar 22 05:12:32.851: ISAKMP:      SA life duration (basic) of 28800
> Mar 22 05:12:32.851: ISAKMP:      SA life type in kilobytes
> Mar 22 05:12:32.851: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
> Mar 22 05:12:32.855: ISAKMP:      encaps is 1 (Tunnel)
> Mar 22 05:12:32.855: ISAKMP:      authenticator is HMAC-MD5
> Mar 22 05:12:32.855: ISAKMP:(1028):atts are acceptable.
> Mar 22 05:12:32.855: ISAKMP:(1028): IPSec policy invalidated proposal with error 32
> Mar 22 05:12:32.855: ISAKMP:(1028): phase 2 SA policy not acceptable! (local 192.168.6.3 remote 192.168.6.200)
> Mar 22 05:12:32.855: ISAKMP: set new node 363315004 to QM_IDLE
> Mar 22 05:12:32.855: ISAKMP:(1028):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
>         spi 1173572576, message ID = 363315004
> Mar 22 05:12:32.855: ISAKMP:(1028): sending packet to 192.168.6.200 my_port 500 peer_port 500 (R) QM_IDLE
> Mar 22 05:12:32.855: ISAKMP:(1028):Sending an IKE IPv4 Packet.
> Mar 22 05:12:32.855: ISAKMP:(1028):purging node 363315004
> Mar 22 05:12:32.855: ISAKMP:(1028):deleting node -3974482 error TRUE reason "QM rejected"
> =======================================================================
>
> If it has to do with crypto ACL then they are mirrored as they should be:
>
> Router: access-list 111 permit ip 192.168.5.0 0.0.0.255 192.168.4.0 0.0.0.255
> ASA:    access-list 111 extended permit ip 192.168.4.0 255.255.255.0 192.168.5.0 255.255.255.0
>
> ASA1(config)# sh run crypto map
> crypto map MAP1 10 match address 111
> crypto map MAP1 10 set peer 192.168.6.3
> crypto map MAP1 10 set transform-set ESP-3DES-MD5
> crypto map MAP1 10 set trustpoint CA1
> crypto map MAP1 interface outside
>
> crypto map MAP1 10 ipsec-isakmp
>  set peer 192.168.6.200
>  set transform-set ESP-3DES-MD5
>  set isakmp-profile ISAKMP-PROFILE
>  match address 111
> crypto map MAP1
>
> Help please!!!
>
> Eugene
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com

--
Bruno Fagioli (by Jaunty Jackalope)
Cisco Security Professional
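An added example, not part of the thread and not Cisco's or either poster's code, that mechanises the two checks the thread is circling around. It normalises the IOS crypto ACE (wildcard mask) and the ASA crypto ACE (subnet mask) to networks and tests that they are exact mirrors, confirms that the proxy identities the ASA reports in its debug ("Remote Proxy 192.168.5.0, Local Proxy 192.168.4.0") fall inside the ASA's own ACE, and reads the IOS responder debug to tell apart a rejection of the transform attributes from a rejection that happens after "atts are acceptable", which is what the "IPSec policy invalidated proposal with error 32" line in the thread shows. The sample strings are constructed from the lines quoted above; the regexes only cover the `permit ip <net> <mask> <net> <mask>` form shown there (no `host`/`any`), and the verdict only says where in the debug the rejection occurred, not which crypto-map element (ACL, peer, ISAKMP profile binding) caused it.

```python
"""Checks for an IKEv1 L2L tunnel whose main mode completes but quick mode fails,
driven by the crypto ACLs and 'debug crypto isakmp' output quoted in the thread.
Sample inputs below are constructed from those quoted lines."""
import ipaddress
import re
from typing import Dict, Optional, Tuple

IPv4Net = ipaddress.IPv4Network

# --- crypto ACL normalisation -------------------------------------------------
def ios_wildcard_to_network(addr: str, wildcard: str) -> IPv4Net:
    """IOS wildcard: 0 bits must match, 1 bits are don't-care. Invert it to a netmask."""
    netmask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return IPv4Net((addr, str(ipaddress.IPv4Address(netmask))), strict=False)

def asa_mask_to_network(addr: str, netmask: str) -> IPv4Net:
    """ASA ACEs carry an ordinary subnet mask."""
    return IPv4Net((addr, netmask), strict=False)

# Only the 'permit ip <net> <mask> <net> <mask>' form from the thread is handled.
IOS_ACE = re.compile(r"access-list\s+\S+\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")
ASA_ACE = re.compile(r"access-list\s+\S+\s+extended\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")

def parse_ios_acl(line: str) -> Tuple[IPv4Net, IPv4Net]:
    m = IOS_ACE.search(line)
    if not m:
        raise ValueError("not an IOS 'permit ip' ACE: " + line)
    return ios_wildcard_to_network(m[1], m[2]), ios_wildcard_to_network(m[3], m[4])

def parse_asa_acl(line: str) -> Tuple[IPv4Net, IPv4Net]:
    m = ASA_ACE.search(line)
    if not m:
        raise ValueError("not an ASA 'extended permit ip' ACE: " + line)
    return asa_mask_to_network(m[1], m[2]), asa_mask_to_network(m[3], m[4])

def acls_mirrored(asa_line: str, router_line: str) -> bool:
    """True when the router ACE is exactly the reverse of the ASA ACE (same prefixes, swapped)."""
    asa_src, asa_dst = parse_asa_acl(asa_line)
    rtr_src, rtr_dst = parse_ios_acl(router_line)
    return asa_src == rtr_dst and asa_dst == rtr_src

def asa_proxies_match_acl(asa_debug: str, asa_line: str) -> bool:
    """Do the proxy IDs the ASA reports in its debug fall inside its own crypto ACE?"""
    m = re.search(r"Remote Proxy (\S+), Local Proxy (\S+)", asa_debug)
    if not m:
        return False
    asa_src, asa_dst = parse_asa_acl(asa_line)
    return (ipaddress.IPv4Address(m[2]) in asa_src      # local proxy  -> ACE source
            and ipaddress.IPv4Address(m[1]) in asa_dst)  # remote proxy -> ACE destination

# --- IOS quick-mode responder debug --------------------------------------------
def summarize_ios_qm(debug: str) -> Dict[str, Optional[object]]:
    """Extract the proposed transform from an IOS QM responder debug and say where it was rejected."""
    def grab(pattern: str) -> Optional[str]:
        m = re.search(pattern, debug)
        return m[1] if m else None
    atts_ok = "atts are acceptable" in debug
    err = grab(r"IPSec policy invalidated proposal with error (\d+)")
    not_chosen = "PROPOSAL_NOT_CHOSEN" in debug
    if atts_ok and err is not None:
        verdict = "transform accepted, rejected by IPsec policy (error %s)" % err
    elif not atts_ok and not_chosen:
        verdict = "transform attributes rejected"
    elif not not_chosen:
        verdict = "no rejection seen"
    else:
        verdict = "unclassified"
    life = grab(r"SA life duration \(basic\) of (\d+)")
    return {
        "esp": grab(r"transform \d+, (ESP_[A-Z0-9_]+)"),
        "auth": grab(r"authenticator is (\S+)"),
        "encaps": grab(r"encaps is \d+ \((\w+)\)"),
        "lifetime_s": int(life) if life else None,
        "verdict": verdict,
    }

# --- constructed samples, copied from the lines quoted in the thread --------------
ROUTER_ACL_LINE = "access-list 111 permit ip 192.168.5.0 0.0.0.255 192.168.4.0 0.0.0.255"
ASA_ACL_LINE = "access-list 111 extended permit ip 192.168.4.0 255.255.255.0 192.168.5.0 255.255.255.0"
ASA_DEBUG = ("Mar 21 21:08:37 [IKEv1 DEBUG]: Group = 192.168.6.3, IP = 192.168.6.3, "
             "IKE Deleting SA: Remote Proxy 192.168.5.0, Local Proxy 192.168.4.0")
IOS_QM_DEBUG = """\
Mar 22 05:12:32.851: ISAKMP:(1028):Checking IPSec proposal 1
Mar 22 05:12:32.851: ISAKMP: transform 1, ESP_3DES
Mar 22 05:12:32.851: ISAKMP:      SA life duration (basic) of 28800
Mar 22 05:12:32.855: ISAKMP:      encaps is 1 (Tunnel)
Mar 22 05:12:32.855: ISAKMP:      authenticator is HMAC-MD5
Mar 22 05:12:32.855: ISAKMP:(1028):atts are acceptable.
Mar 22 05:12:32.855: ISAKMP:(1028): IPSec policy invalidated proposal with error 32
Mar 22 05:12:32.855: ISAKMP:(1028): phase 2 SA policy not acceptable! (local 192.168.6.3 remote 192.168.6.200)
Mar 22 05:12:32.855: ISAKMP:(1028):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
"""

if __name__ == "__main__":
    print("crypto ACLs mirrored:", acls_mirrored(ASA_ACL_LINE, ROUTER_ACL_LINE))
    print("ASA proxy IDs inside its own ACE:", asa_proxies_match_acl(ASA_DEBUG, ASA_ACL_LINE))
    print(summarize_ios_qm(IOS_QM_DEBUG))
```

Run as-is it reports the ACLs as mirrored and the ASA's proxy IDs as consistent with ACE 111, and classifies the IOS trace as "transform accepted, rejected by IPsec policy", i.e. the transform set is not the mismatch; that narrows the search to what the crypto map entry binds the proposal to (the ACE, the peer, and on the router the ISAKMP profile named in `set isakmp-profile`), which is what the reply above is asking about.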
