Mark, I think "debug dmvpn detail all" would be more useful.
--
Best regards,
Andrey

On Tue, May 17, 2011 at 11:01 PM, Mark Senteza <[email protected]> wrote:
> So here's the "debug crypto isakmp" output of the DMVPN spoke when I change the transform-set to transport mode:
>
> 1250096: May 17 16:44:58.279 UTC: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
> 1250097: May 17 16:44:58.291 UTC: ISAKMP:(0): SA request profile is (NULL)
> 1250098: May 17 16:44:58.291 UTC: ISAKMP: Created a peer struct for 111.111.111.111, peer port 500
> 1250099: May 17 16:44:58.291 UTC: ISAKMP: New peer created peer = 0x47C2184C peer_handle = 0x8000B252
> 1250100: May 17 16:44:58.291 UTC: ISAKMP: Locking peer struct 0x47C2184C, refcount 1 for isakmp_initiator
> 1250101: May 17 16:44:58.291 UTC: ISAKMP: local port 500, remote port 500
> 1250102: May 17 16:44:58.291 UTC: ISAKMP: set new node 0 to QM_IDLE
> 1250103: May 17 16:44:58.291 UTC: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 49C2CD74
> 1250104: May 17 16:44:58.291 UTC: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
> 1250105: May 17 16:44:58.291 UTC: ISAKMP:(0):found peer pre-shared key matching 111.111.111.111
> 1250106: May 17 16:44:58.291 UTC: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
> 1250107: May 17 16:44:58.291 UTC: ISAKMP:(0): constructed NAT-T vendor-07 ID
> 1250108: May 17 16:44:58.291 UTC: ISAKMP:(0): constructed NAT-T vendor-03 ID
> 1250109: May 17 16:44:58.291 UTC: ISAKMP:(0): constructed NAT-T vendor-02 ID
> 1250110: May 17 16:44:58.291 UTC: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
> 1250111: May 17 16:44:58.291 UTC: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
>
> 1250112: May 17 16:44:58.291 UTC: ISAKMP:(0): beginning Main Mode exchange
> 1250113: May 17 16:44:58.291 UTC: ISAKMP:(0): sending packet to 204.108.14.201 my_port 500 peer_port 500 (I) MM_NO_STATE
> 1250114: May 17 16:44:58.291 UTC: ISAKMP:(0):Sending an IKE IPv4 Packet.
> 1250116: May 17 16:45:06.467 UTC: ISAKMP:(0):purging node 81046127
> 1250117: May 17 16:45:06.467 UTC: ISAKMP:(0):purging node -1754295019
> 1250118: May 17 16:45:08.295 UTC: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
> 1250119: May 17 16:45:08.295 UTC: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
> 1250120: May 17 16:45:08.295 UTC: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
> 1250121: May 17 16:45:08.295 UTC: ISAKMP:(0): sending packet to 111.111.111.111 my_port 500 peer_port 500 (I) MM_NO_STATE
> 1250122: May 17 16:45:08.295 UTC: ISAKMP:(0):Sending an IKE IPv4 Packet.
> 1250123: May 17 16:45:08.411 UTC: ISAKMP:(0):purging node 387403375
> 1250126: May 17 16:45:16.467 UTC: ISAKMP:(0):purging SA., sa=47BFEEA4, delme=47BFEEA4
> 1250127: May 17 16:45:18.295 UTC: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
> 1250128: May 17 16:45:18.295 UTC: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
> 1250129: May 17 16:45:18.295 UTC: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
> 1250130: May 17 16:45:18.295 UTC: ISAKMP:(0): sending packet to 111.111.111.111 my_port 500 peer_port 500 (I) MM_NO_STATE
> 1250131: May 17 16:45:18.295 UTC: ISAKMP:(0):Sending an IKE IPv4 Packet.
> 1250132: May 17 16:45:18.411 UTC: ISAKMP:(0):purging SA., sa=49BC4B84, delme=49BC4B84
>
>
> On Mon, May 16, 2011 at 10:42 PM, Kingsley Charles <[email protected]> wrote:
>
>> Can you try configuring the transform set of spokes behind NAT using transport mode?
>>
>>
>> With regards
>> Kings
>>
>> On Tue, May 17, 2011 at 3:16 AM, Mark Senteza <[email protected]> wrote:
>>
>>> Hey all,
>>>
>>> A real scenario that I'd appreciate your opinion on.
>>>
>>> I've got a DMVPN setup that I'm trying to deploy. The endpoints sit inside the secure network, so I'm using NATs on the ASAs to give them a public presence. The VPN won't come up though, and I'm trying to figure out what I'm missing and where I should be looking. Appreciate any responses.
>>>
>>>
>>> The DMVPN routers sit behind ASAs on either end. The logical topology looks like:
>>>
>>> *Router-R1 (DMVPN HUB) Gi0/0.600 -----Router-RA----------ASA-1* --------------------INTERNET-------------------*ASA-2---------------Router-RB----------------Gi0/0.603 Router-R2 (DMVPN Spoke)*
>>>
>>> The tunnel source interfaces at both ends have NAT'd IPs on the ASAs and use these IPs for peering.
>>>
>>> Configs are as follows:
>>>
>>> *ROUTER-R1* (DMVPN Hub)
>>>
>>> crypto isakmp policy 10
>>>  encr aes
>>>  authentication pre-share
>>>  group 2
>>>
>>> crypto isakmp key dmvpnpasswd address 222.222.222.222
>>>
>>> crypto ipsec transform-set AESSHA-TRANSFORM esp-aes esp-sha-hmac
>>>
>>> crypto ipsec profile DMVPN
>>>  set transform-set AESSHA-TRANSFORM
>>>
>>>
>>> interface Tunnel100
>>>  description GI DMVPN Hub Interface
>>>  ip address 10.1.1.1 255.255.255.248
>>>  no ip redirects
>>>  no ip next-hop-self eigrp 100
>>>  ip nhrp map multicast dynamic
>>>  ip nhrp network-id 100
>>>  no ip split-horizon eigrp 100
>>>  delay 150000
>>>  tunnel source GigabitEthernet0/0.600
>>>  tunnel mode gre multipoint
>>>  tunnel key 100
>>>  tunnel protection ipsec profile DMVPN
>>>
>>> interface GigabitEthernet0/0.600
>>>  ip address 10.10.1.1 255.255.255.0
>>>
>>> router eigrp 100
>>>  passive-interface default
>>>  no passive-interface Tunnel100
>>>  network 10.255.254.48 0.0.0.7
>>>  no auto-summary
>>>
>>>
>>> *ASA-1*
>>>
>>> static (inside,outside) 111.111.111.111 10.10.1.1 netmask 255.255.255.255
>>>
>>>
>>> access-list OUTSIDE line 66 extended permit esp host 222.222.222.222 host 111.111.111.111 (hitcnt=0) 0x628ac306
>>> access-list OUTSIDE line 66 extended permit gre host 222.222.222.222 host 111.111.111.111 (hitcnt=0) 0x1e349ff8
>>> access-list OUTSIDE line 66 extended permit udp host 222.222.222.222 host 111.111.111.111 eq isakmp (hitcnt=0) 0x0a22d45b
>>> access-list OUTSIDE line 66 extended permit udp host 222.222.222.222 host 111.111.111.111 eq 4500 (hitcnt=0)
>>>
>>> **************************************
>>>
>>> *ROUTER-R2*
>>>
>>> crypto isakmp policy 10
>>>  encr aes
>>>  authentication pre-share
>>>  group 2
>>>
>>> crypto isakmp key dmvpnpasswd address 111.111.111.111
>>>
>>> crypto ipsec transform-set AESSHA-TRANSFORM esp-aes esp-sha-hmac
>>>
>>> crypto ipsec profile DMVPN
>>>  set transform-set AESSHA-TRANSFORM
>>>
>>> interface Tunnel100
>>>  description GI DMVPN Spoke Interface
>>>  ip address 10.1.1.2 255.255.255.248
>>>  no ip redirects
>>>  ip nhrp map 10.1.1.1 111.111.111.111
>>>  ip nhrp map multicast 111.111.111.111
>>>  ip nhrp network-id 100
>>>  ip nhrp nhs 10.1.1.1
>>>  delay 150000
>>>  tunnel source GigabitEthernet0/0.603
>>>  tunnel mode gre multipoint
>>>  tunnel key 100
>>>  tunnel protection ipsec profile DMVPN
>>>
>>> interface GigabitEthernet0/0.603
>>>  ip address 10.20.2.2 255.255.255.0   <- This has been NAT'd to 222.222.222.222 on the ASA-B firewall, which I don't have visibility into.
>>>
>>> router eigrp 100
>>>  passive-interface default
>>>  no passive-interface Tunnel100
>>>  network 10.1.1.0 0.0.0.7
>>>  no auto-summary
>>>
>>>
>>> *Observations:*
>>>
>>> 1. I can ping from the DMVPN spoke to the DMVPN hub, using the public IPs, and I see the hit-count on the ASA increasing, so I know for sure that the routing is fine and the NAT on the remote ASA that I don't manage is correct.
>>>
>>> 2. None of the crypto protocol traffic I'm allowing inbound shows any hit count.
>>>
>>> 3. The following is the "show crypto isakmp sa" output from the DMVPN spoke (Router-2):
>>>
>>> dst             src             state          conn-id status
>>> 111.111.111.111 10.20.2.2       MM_NO_STATE          0 ACTIVE
>>> 111.111.111.111 10.20.2.2       MM_NO_STATE          0 ACTIVE (deleted)
>>>
>>
>
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
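The two facts the thread already contains, the spoke's ISAKMP SA stuck in MM_NO_STATE with retransmits and no reply, and hitcnt=0 on every IKE/ESP permit on the hub-side ASA, say the same thing: the initiator's UDP/500 packets are not arriving at the hub firewall from 222.222.222.222, so the transform-set mode is not yet the question. The script below is an added example, not code from any of the posters: it parses "debug crypto isakmp" lines of the format Mark quoted and "show access-list" lines of the format from ASA-1, then correlates them into a verdict. The sample text is constructed to match those formats; the "received packet from ... dport ... sport ..." line shape and the IKE_P1_COMPLETE state name used for the healthy contrast case are assumptions of this example, as are all function names.

```python
"""Triage a stuck IKEv1 Main Mode exchange: parse IOS "debug crypto isakmp"
lines and ASA access-list hit counters, then correlate them. Added example
for the thread above, not the posters' code; samples are constructed."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

SEND_RE = re.compile(r"sending packet to (\S+) my_port \d+ peer_port (\d+) \([IR]\) (\S+)")
# Assumed IOS format for the responder's reply (not shown in the thread).
RECV_RE = re.compile(r"received packet from (\S+) dport \d+ sport \d+(?: \S+ \([IR]\) (\S+))?")
STATE_RE = re.compile(r"Old State = (\S+) New State = (\S+)")
RETRANS_RE = re.compile(r"attempt (\d+) of (\d+): retransmit phase 1")
ACL_RE = re.compile(r"access-list (\S+) line (\d+) extended permit (\S+) host (\S+) host (\S+)"
                    r"(?: eq (\S+))? \(hitcnt=(\d+)\)")

# Constructed sample: spoke initiates Main Mode and never hears back.
STUCK_DEBUG = """\
1250111: May 17 16:44:58.291 UTC: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
1250113: May 17 16:44:58.291 UTC: ISAKMP:(0): sending packet to 111.111.111.111 my_port 500 peer_port 500 (I) MM_NO_STATE
1250118: May 17 16:45:08.295 UTC: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
1250119: May 17 16:45:08.295 UTC: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
1250121: May 17 16:45:08.295 UTC: ISAKMP:(0): sending packet to 111.111.111.111 my_port 500 peer_port 500 (I) MM_NO_STATE
1250128: May 17 16:45:18.295 UTC: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
1250130: May 17 16:45:18.295 UTC: ISAKMP:(0): sending packet to 111.111.111.111 my_port 500 peer_port 500 (I) MM_NO_STATE
"""
# Constructed healthy exchange for contrast (assumed reply-line format).
HEALTHY_DEBUG = """\
ISAKMP:(0): sending packet to 111.111.111.111 my_port 500 peer_port 500 (I) MM_NO_STATE
ISAKMP (0): received packet from 111.111.111.111 dport 500 sport 500 Global (I) MM_NO_STATE
ISAKMP:(0): sending packet to 111.111.111.111 my_port 500 peer_port 500 (I) MM_SA_SETUP
ISAKMP (0): received packet from 111.111.111.111 dport 500 sport 500 Global (I) MM_SA_SETUP
ISAKMP:(1001):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
"""
# Hub-side ASA permits as quoted in the thread (same addresses, one per line).
ASA_ACL = """\
access-list OUTSIDE line 66 extended permit esp host 222.222.222.222 host 111.111.111.111 (hitcnt=0) 0x628ac306
access-list OUTSIDE line 66 extended permit gre host 222.222.222.222 host 111.111.111.111 (hitcnt=0) 0x1e349ff8
access-list OUTSIDE line 66 extended permit udp host 222.222.222.222 host 111.111.111.111 eq isakmp (hitcnt=0) 0x0a22d45b
access-list OUTSIDE line 66 extended permit udp host 222.222.222.222 host 111.111.111.111 eq 4500 (hitcnt=0)
"""

@dataclass
class Phase1Report:
    peer: Optional[str] = None
    sent: int = 0
    received: int = 0
    retransmits: int = 0
    max_attempts: int = 0
    last_state: Optional[str] = None
    states: List[str] = field(default_factory=list)

    def verdict(self) -> str:
        if "IKE_P1_COMPLETE" in self.states:
            return "phase1-complete"
        if self.sent and not self.received:
            return (f"no-response: {self.sent} packets to {self.peer} udp/500, "
                    f"{self.retransmits} retransmits (limit {self.max_attempts}), nothing "
                    f"received, SA stuck in {self.last_state}; the IKE packets are not "
                    "reaching the peer or its replies are not coming back.")
        return f"phase1-incomplete: {self.received} replies, last SA state {self.last_state}"

def analyse_isakmp(debug: str) -> Phase1Report:
    """One pass over the debug text, counting sends, receives, retransmits and states."""
    r = Phase1Report()
    for line in debug.splitlines():
        if m := SEND_RE.search(line):
            r.peer, r.last_state, r.sent = m.group(1), m.group(3), r.sent + 1
        elif m := RECV_RE.search(line):
            r.received, r.last_state = r.received + 1, m.group(2) or r.last_state
        elif m := RETRANS_RE.search(line):
            r.retransmits, r.max_attempts = r.retransmits + 1, int(m.group(2))
        elif m := STATE_RE.search(line):
            r.states.append(m.group(2))
    return r

def acl_rules(text: str) -> List[dict]:
    """Parse 'show access-list' permit lines; port is None for esp/gre."""
    keys = ("acl", "line", "proto", "src", "dst", "port", "hitcnt")
    rules = [dict(zip(keys, m.groups())) for m in ACL_RE.finditer(text)]
    for r in rules:
        r["hitcnt"] = int(r["hitcnt"])
    return rules

IKE_FLOWS = {("udp", "isakmp"), ("udp", "500"), ("udp", "4500"), ("esp", None)}

def ike_rules_without_hits(rules: List[dict], src: str) -> List[dict]:
    """IKE, NAT-T and ESP permits for src whose counter never moved (GRE is not IKE)."""
    return [r for r in rules
            if r["src"] == src and (r["proto"], r["port"]) in IKE_FLOWS and r["hitcnt"] == 0]

def correlate(report: Phase1Report, rules: List[dict], src: str) -> str:
    """Silent IKE on the spoke plus zero hits on the hub ACL points at the path/NAT."""
    silent = ike_rules_without_hits(rules, src)
    if report.received == 0 and silent:
        flows = ", ".join(f"{r['proto']}/{r['port'] or '-'}" for r in silent)
        return (f"spoke sent {report.sent} IKE packets but hub-side permits for {src} "
                f"({flows}) show hitcnt=0: nothing from that source matched the hub "
                "firewall's outside ACL; check the spoke-side NAT/path before crypto settings.")
    return "ACL counters do not contradict the spoke debug; look elsewhere."

if __name__ == "__main__":
    rep = analyse_isakmp(STUCK_DEBUG)
    print(rep.verdict())
    print(correlate(rep, acl_rules(ASA_ACL), "222.222.222.222"))
    print(analyse_isakmp(HEALTHY_DEBUG).verdict())
```

Running it against the constructed stuck sample gives the "no-response" verdict and the correlation message; swap in a real "debug crypto isakmp" capture and "show access-list" output to use it on a live case. Note that the ping test in the original post only proves the NAT works for ICMP from the router's address; the ASA counters are per permit line, so a source address other than 222.222.222.222 (for example a PAT pool address) would leave these permits at zero while still reaching the firewall.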
