02-25-2014 02:23 PM
I've added a new network for a customer's firewall and I'm trying to get that network across the existing VPN tunnel to their DR site. The new network is 10.133.133.0/24 and I'm trying to get it to connect to 10.1.14.0/24 on the other side of the tunnel.
I'm missing something, though, because when I do a packet-tracer to simulate traffic, it dies before getting encrypted. The output is below.
What am I missing to get this traffic to even attempt to go across the tunnel?
-----
4344-FWL001#packet-tracer input backup icmp 10.133.133.10 0 0 10.1.14.20
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group backup_acl in interface backup
access-list backup_acl extended permit ip 10.133.133.0 255.255.255.0 10.1.14.0 255.255.255.0
Additional Information:
Phase: 3
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
match any
policy-map global_policy
class class-default
set connection decrement-ttl
service-policy global_policy global
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
match ip backup 10.133.133.0 255.255.255.0 outside 10.1.14.0 255.255.255.0
NAT exempt
translate_hits = 40, untranslate_hits = 0
Additional Information:
Phase: 7
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (backup) 1 0.0.0.0 0.0.0.0
match ip backup any outside any
dynamic translation to pool 1 (216.211.133.59 [Interface PAT])
translate_hits = 254, untranslate_hits = 18
Additional Information:
Phase: 8
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (backup) 1 0.0.0.0 0.0.0.0
match ip backup any outside any
dynamic translation to pool 1 (216.211.133.59 [Interface PAT])
translate_hits = 254, untranslate_hits = 18
Additional Information:
Phase: 9
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Result:
input-interface: backup
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
02-26-2014 05:55 AM
James,
Just to make sure... Did you add the same ACE to the remote site's crypto ACL?
HTH.
02-26-2014 11:01 AM
I don't have access to the other device. They say they've added the ACLs, but I can't confirm.
I should still see a packet-tracer command at least try to encrypt the traffic, though, right? It's only simulating what a packet would do.
02-26-2014 11:08 AM
You are correct.
What does the "debug crypto ipsec 127" tell you?
02-28-2014 01:39 PM
Here's what I'm getting from debug:
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, Src=10.133.133.5:256, Dest=10.1.14.20:256
IPSEC(crypto_map_check)-3: Checking crypto map outside_map 1: matched.
IPSEC: New embryonic SA created @ 0xC9D5AC10,
SCB: 0xCA7F3CA0,
Direction: inbound
SPI : 0xC404C4D2
Session ID: 0x034F6000
VPIF num : 0x00000002
Tunnel type: l2l
Protocol : esp
Lifetime : 240 seconds
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, Src=10.133.133.5:256, Dest=10.1.14.20:256
IPSEC(crypto_map_check)-3: Checking crypto map outside_map 1: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, Src=10.133.133.5:256, Dest=10.1.14.20:256
IPSEC(crypto_map_check)-3: Checking crypto map outside_map 1: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, Src=10.133.133.5:256, Dest=10.1.14.20:256
IPSEC(crypto_map_check)-3: Checking crypto map outside_map 1: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, Src=10.133.133.5:256, Dest=10.1.14.20:256
IPSEC(crypto_map_check)-3: Checking crypto map outside_map 1: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, Src=10.133.133.5:256, Dest=10.1.14.20:256
IPSEC(crypto_map_check)-3: Checking crypto map outside_map 1: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, Src=10.133.133.5:256, Dest=10.1.14.20:256
IPSEC(crypto_map_check)-3: Checking crypto map outside_map 1: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, Src=10.133.133.5:256, Dest=10.1.14.20:256
IPSEC(crypto_map_check)-3: Checking crypto map outside_map 1: matched.
IPSEC: New embryonic SA created @ 0xC9F32960,
SCB: 0xCA7DCFC0,
Direction: inbound
SPI : 0x25646462
Session ID: 0x034F6000
VPIF num : 0x00000002
Tunnel type: l2l
Protocol : esp
Lifetime : 240 seconds
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, Src=10.133.133.5:256, Dest=10.1.14.20:256
IPSEC(crypto_map_check)-3: Checking crypto map outside_map 1: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, Src=10.133.133.5:256, Dest=10.1.14.20:256
IPSEC(crypto_map_check)-3: Checking crypto map outside_map 1: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, Src=10.133.133.5:256, Dest=10.1.14.20:256
IPSEC(crypto_map_check)-3: Checking crypto map outside_map 1: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, Src=10.133.133.5:256, Dest=10.1.14.20:256
IPSEC(crypto_map_check)-3: Checking crypto map outside_map 1: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, Src=10.133.133.5:256, Dest=10.1.14.20:256
IPSEC(crypto_map_check)-3: Checking crypto map outside_map 1: matched.
02-28-2014 01:42 PM
And what I get from isakmp debug:
Feb 28 13:41:26 [IKEv1]: Group = 216.203.46.252, IP = 216.203.46.252, QM FSM error (P2 struct &0xc9f39e68, mess id 0xe0ba04c)!
Feb 28 13:41:26 [IKEv1 DEBUG]: Group = 216.203.46.252, IP = 216.203.46.252, IKE QM Initiator FSM error history (struct &0xc9f39e68)
Feb 28 13:41:26 [IKEv1 DEBUG]: Group = 216.203.46.252, IP = 216.203.46.252, sending delete/delete with reason message
Feb 28 13:41:26 [IKEv1 DEBUG]: Group = 216.203.46.252, IP = 216.203.46.252, constructing blank hash payload
Feb 28 13:41:26 [IKEv1 DEBUG]: Group = 216.203.46.252, IP = 216.203.46.252, constructing IPSec delete payload
Feb 28 13:41:26 [IKEv1 DEBUG]: Group = 216.203.46.252, IP = 216.203.46.252, constructing qm hash payload
Feb 28 13:41:26 [IKEv1]: IP = 216.203.46.252, IKE_DECODE SENDING Message (msgid=216bc3cb) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 68
Feb 28 13:41:26 [IKEv1 DEBUG]: Group = 216.203.46.252, IP = 216.203.46.252, IKE Deleting SA: Remote Proxy 10.1.14.0, Local Proxy 10.133.133.0
Feb 28 13:41:26 [IKEv1]: Group = 216.203.46.252, IP = 216.203.46.252, Removing peer from correlator table failed, no match!
Feb 28 13:41:26 [IKEv1 DEBUG]: Pitcher: received key delete msg, spi 0xb161983b
Feb 28 13:41:29 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Feb 28 13:41:29 [IKEv1]: Group = 216.203.46.252, IP = 216.203.46.252, IKE Initiator: New Phase 2, Intf backup, IKE Peer 216.203.46.252 local Proxy Address 10.133.133.0, remote Proxy Address 10.1.14.0, Crypto map (outside_map)
Feb 28 13:41:29 [IKEv1 DEBUG]: Group = 216.203.46.252, IP = 216.203.46.252, Oakley begin quick mode
Feb 28 13:41:29 [IKEv1 DEBUG]: Group = 216.203.46.252, IP = 216.203.46.252, IKE got SPI from key engine: SPI = 0x9b973b9b
Feb 28 13:41:29 [IKEv1 DEBUG]: Group = 216.203.46.252, IP = 216.203.46.252, oakley constucting quick mode
Feb 28 13:41:29 [IKEv1 DEBUG]: Group = 216.203.46.252, IP = 216.203.46.252, constructing blank hash payload
Feb 28 13:41:29 [IKEv1 DEBUG]: Group = 216.203.46.252, IP = 216.203.46.252, constructing IPSec SA payload
Feb 28 13:41:29 [IKEv1 DEBUG]: Group = 216.203.46.252, IP = 216.203.46.252, constructing IPSec nonce payload
Feb 28 13:41:29 [IKEv1 DEBUG]: Group = 216.203.46.252, IP = 216.203.46.252, constructing proxy ID
Feb 28 13:41:29 [IKEv1 DEBUG]: Group = 216.203.46.252, IP = 216.203.46.252, Transmitting Proxy Id:
Local subnet: 10.133.133.0 mask 255.255.255.0 Protocol 0 Port 0
Remote subnet: 10.1.14.0 Mask 255.255.255.0 Protocol 0 Port 0
Feb 28 13:41:29 [IKEv1 DEBUG]: Group = 216.203.46.252, IP = 216.203.46.252, constructing qm hash payload
Feb 28 13:41:29 [IKEv1]: IP = 216.203.46.252, IKE_DECODE SENDING Message (msgid=150b2ab3) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 168
Feb 28 13:41:29 [IKEv1]: IP = 216.203.46.252, IKE_DECODE RECEIVED Message (msgid=cabc11c) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 224
Feb 28 13:41:29 [IKEv1 DEBUG]: Group = 216.203.46.252, IP = 216.203.46.252, processing hash payload
Feb 28 13:41:29 [IKEv1 DEBUG]: Group = 216.203.46.252, IP = 216.203.46.252, processing notify payload
Feb 28 13:41:29 [IKEv1]: Group = 216.203.46.252, IP = 216.203.46.252, Received non-routine Notify message: Invalid ID info (18)
I suspect the configs don't match on both sides, but getting info from the other side of the tunnel is like pulling teeth.
02-28-2014 01:47 PM
Feb 28 13:41:26 [IKEv1]: Group = 216.203.46.252, IP = 216.203.46.252, QM FSM error (P2 struct &0xc9f39e68, mess id 0xe0ba04c)!
Feb 28 13:41:26 [IKEv1 DEBUG]: Group = 216.203.46.252, IP = 216.203.46.252, IKE QM Initiator FSM error history (struct &0xc9f39e68)
The remote peer does not seem to respond.
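As an added example (not code from the thread, from Cisco, or from any ASA tool), the following Python script parses the two outputs discussed above, packet-tracer and the IKEv1 debug, and turns them into a single finding: which phase dropped the packet, and whether the peer answered Quick Mode with an Invalid ID info (18) notify, which is the signature of a Phase 2 proxy ID (crypto ACL) mismatch. The sample output embedded in the script is constructed to mirror the thread; the peer address 192.0.2.1 is a documentation address, not the real peer. The function names parse_packet_tracer, parse_ike_debug and diagnose are my own.

```python
import re
from typing import Dict, List, Optional

# --- Constructed sample data, modelled on the thread (not captured from a device) ---
PACKET_TRACER_OUTPUT = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 6
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
match ip backup 10.133.133.0 255.255.255.0 outside 10.1.14.0 255.255.255.0
Phase: 9
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Result:
input-interface: backup
input-status: up
output-interface: outside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

IKE_DEBUG_OUTPUT = """\
Feb 28 13:41:29 [IKEv1 DEBUG]: Group = 192.0.2.1, IP = 192.0.2.1, Transmitting Proxy Id:
Local subnet: 10.133.133.0 mask 255.255.255.0 Protocol 0 Port 0
Remote subnet: 10.1.14.0 Mask 255.255.255.0 Protocol 0 Port 0
Feb 28 13:41:29 [IKEv1]: IP = 192.0.2.1, IKE_DECODE SENDING Message (msgid=150b2ab3) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 168
Feb 28 13:41:29 [IKEv1]: IP = 192.0.2.1, IKE_DECODE RECEIVED Message (msgid=cabc11c) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 224
Feb 28 13:41:29 [IKEv1]: Group = 192.0.2.1, IP = 192.0.2.1, Received non-routine Notify message: Invalid ID info (18)
"""

PHASE_RE = re.compile(r"^Phase:\s*(\d+)\s*$")
FIELD_RE = re.compile(r"^(Type|Subtype|Result):\s*(.*)$")
PROXY_RE = re.compile(r"^(Local|Remote) subnet:\s*(\S+)\s+[Mm]ask\s+(\S+)\s+Protocol\s+(\d+)\s+Port\s+(\d+)")
NOTIFY_RE = re.compile(r"Received non-routine Notify message:\s*(.+?)\s*\((\d+)\)")


def parse_packet_tracer(text: str) -> Dict:
    """Split packet-tracer output into phases and pick out the first DROP plus the final verdict."""
    phases: List[Dict] = []
    current: Optional[Dict] = None
    summary: Dict = {"phases": phases, "action": None, "drop_reason": None}
    for raw in text.splitlines():
        line = raw.strip()
        m = PHASE_RE.match(line)
        if m:
            current = {"phase": int(m.group(1)), "type": "", "subtype": "", "result": ""}
            phases.append(current)
            continue
        if line.startswith("Action:"):          # final summary block, phases are over
            current = None
            summary["action"] = line.split(":", 1)[1].strip()
            continue
        if line.startswith("Drop-reason:"):
            summary["drop_reason"] = line.split(":", 1)[1].strip()
            continue
        if current is None:
            continue
        m = FIELD_RE.match(line)
        if m:
            key, value = m.group(1).lower(), m.group(2).strip()
            if key == "result" and not value:   # the bare "Result:" that opens the summary
                current = None
                continue
            current[key] = value
    summary["first_drop"] = next((p for p in phases if p["result"] == "DROP"), None)
    return summary


def parse_ike_debug(text: str) -> Dict:
    """Extract the Phase 2 proxy IDs this side transmitted and any notify the peer sent back."""
    result: Dict = {"local_proxy": None, "remote_proxy": None, "notifies": []}
    for raw in text.splitlines():
        line = raw.strip()
        m = PROXY_RE.match(line)
        if m:
            side, net, mask, proto, port = m.groups()
            result[f"{side.lower()}_proxy"] = {"network": net, "mask": mask,
                                               "protocol": int(proto), "port": int(port)}
            continue
        m = NOTIFY_RE.search(line)
        if m:
            result["notifies"].append({"name": m.group(1), "code": int(m.group(2))})
    return result


def diagnose(pt: Dict, ike: Dict) -> List[str]:
    """Combine both views: where the packet died, and whether the peer rejected the proxy IDs."""
    findings: List[str] = []
    drop = pt.get("first_drop")
    if drop is None:
        findings.append("packet-tracer: no phase dropped the packet")
        return findings
    findings.append(f"packet-tracer: dropped in phase {drop['phase']} "
                    f"({drop['type']}/{drop['subtype'] or '-'}): {pt['drop_reason']}")
    if drop["type"] == "VPN" and drop["subtype"] == "encrypt":
        codes = {n["code"] for n in ike["notifies"]}
        lp, rp = ike["local_proxy"], ike["remote_proxy"]
        if 18 in codes and lp and rp:   # ISAKMP INVALID-ID-INFORMATION: peer has no matching proxy IDs
            findings.append("IKE: peer rejected the Phase 2 proxy IDs (Invalid ID info, 18); the peer's "
                            f"crypto ACL must carry the mirror image of {lp['network']}/{lp['mask']} "
                            f"-> {rp['network']}/{rp['mask']}")
        else:
            findings.append("IKE: no Invalid ID info seen; check this side's crypto ACL and crypto map binding")
    return findings


if __name__ == "__main__":
    for line in diagnose(parse_packet_tracer(PACKET_TRACER_OUTPUT), parse_ike_debug(IKE_DEBUG_OUTPUT)):
        print(line)
```

Run against real output, the script gives the remote admin an exact statement of what their crypto ACL must contain (the mirror of the local and remote proxy subnets), which is usually faster than asking them to "check the ACLs". The packet-tracer parser treats the bare "Result:" line as the start of the summary block so that the interface lines that follow are not attributed to the last phase.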