05-29-2012 08:56 PM
Hi,
Please find attached the debug given by my router. Please help me to decipher it, because my tunnel is not coming up and I don't know what is wrong.
crdlt
05-30-2012 05:50 AM
Please kindly share the config from both ends.
05-30-2012 07:21 AM
Hi Jennifer,
Please find below the configs from both ends:
site 1
afb>en
Password:
afb#sh run
Building configuration...
Current configuration : 2461 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname afb
!
boot-start-marker
boot-end-marker
!
logging console informational
enable secret 5 $1$hNFM$nwqVpHlH/hy1gGrLW8vyI1
!
username cisco password 7 0822455D0A16
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
ip cef
!
!
!
!
ip ips po max-events 100
vpdn enable
!
vpdn-group pppoe
request-dialin
protocol pppoe
!
no ftp-server write-enable
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto isakmp policy 10
authentication pre-share
group 2
lifetime 28800
!
crypto isakmp policy 70
encr aes 256
authentication pre-share
group 2
lifetime 86070
crypto isakmp key test1 address 41.204.95.12
crypto isakmp aggressive-mode disable
!
!
crypto ipsec transform-set vpn_yde esp-aes 256 esp-sha-hmac
!
crypto map vpn_paris 70 ipsec-isakmp
description tunnel_to_yaounde
set peer 41.204.95.12
set transform-set vpn_yde
match address 100
!
!
!
!
interface Loopback0
no ip address
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
pppoe enable
pppoe-client dial-pool-number 1
!
interface FastEthernet0/1
ip address 192.168.48.254 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
duplex auto
speed auto
!
interface Dialer1
mtu 1492
ip address 80.15.109.174 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication pap callin
ppp chap hostname fti/3hbfurh
ppp chap password 7 0877584F5D1E1303
ppp multilink
crypto map vpn_paris
!
ip classless
ip route 0.0.0.0 0.0.0.0 193.253.160.3
!
no ip http server
no ip http secure-server
ip nat inside source route-map nat interface Dialer1 overload
!
ip access-list extended IPSEC
permit udp any any eq isakmp
permit ahp any any
permit esp any any
permit udp any any eq non500-isakmp
permit ip any any
!
access-list 100 remark VPN-access
access-list 100 permit ip 192.168.48.0 0.0.0.255 172.21.0.0 0.0.255.255
access-list 102 remark internet-access
access-list 102 deny ip 192.168.48.0 0.0.0.255 172.21.0.0 0.0.255.255
access-list 102 permit ip 192.168.48.0 0.0.0.255 any
!
route-map nat permit 10
match ip address 102
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
line con 0
login local
line aux 0
line vty 0 4
login local
transport input telnet ssh
!
end
site 2
object-group network remote_network
network-object 192.168.48.0 255.255.255.0
object-group network local_host
network-object host 172.21.254.28
network-object host 172.21.254.31
access-list inside_access_in extended permit ip object-group local_host object-group remote_network
access-list inside_access_in extended permit icmp object-group local_host object-group remote_network
access-list vpn extended permit ip object-group local_host object-group remote_network
access-list vpn extended permit icmp object-group local_host object-group remote_network
nat (inside) 0 172.21.254.28 255.255.255.255
nat (inside) 0 172.21.254.31 255.255.255.255
crypto ipsec transform-set vpn esp-aes-256 esp-sha-hmac
crypto map afriland_map 80 match address vpn
crypto map afriland_map 80 set peer 80.15.109.174 255.255.255.255
crypto map afriland_map 80 set transform-set vpn
crypto map afriland_map 80 set security-association lifetime seconds 3600
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 28800
crypto isakmp policy 70
encr aes 256
authentication pre-share
group 2
lifetime 86070
tunnel-group 80.15.109.174 type ipsec-l2l
tunnel-group 80.15.109.174 ipsec-attributes
pre-shared-key *
Regards
05-30-2012 02:08 PM
The ACL on the ASA is incorrect, as it needs to be the mirror image of the router's; it should just be one line:
access-list vpn permit ip 172.21.0.0 255.255.0.0 192.168.48.0 255.255.255.0
You would also need to have NAT exemption configured on the ASA as follows:
access-list nonat permit ip 172.21.0.0 255.255.0.0 192.168.48.0 255.255.255.0
nat (inside) 0 access-list nonat
Please clear the tunnel: clear cry ipsec sa
and "clear xlate" to clear the existing translation.
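The mirror-image requirement in the answer above is easy to misjudge by eye once object-groups hide the real prefixes, and IOS wildcard masks and ASA netmasks read differently. The following Python script is an added example, not part of the original thread: it normalises both ACL dialects to CIDR, expands the ASA object-groups, and reports which proxy identities on each side have no mirrored counterpart. The sample ACL lines are copied from the two configs posted above; the object-group members are stored here without their `network-object` keyword, and `check()` and `mirror_report()` are names chosen for this example.

```python
import ipaddress

# Constructed sample input: crypto ACL lines from the two configs posted in this
# thread, plus the ASA object-groups they reference (members stored without the
# leading "network-object" keyword, as an assumption of this example).
ROUTER_CRYPTO_ACL = """
access-list 100 remark VPN-access
access-list 100 permit ip 192.168.48.0 0.0.0.255 172.21.0.0 0.0.255.255
"""

ASA_OBJECT_GROUPS = {
    "remote_network": ["192.168.48.0 255.255.255.0"],
    "local_host": ["host 172.21.254.28", "host 172.21.254.31"],
}

ASA_CRYPTO_ACL_ORIGINAL = """
access-list vpn extended permit ip object-group local_host object-group remote_network
access-list vpn extended permit icmp object-group local_host object-group remote_network
"""

ASA_CRYPTO_ACL_FIXED = """
access-list vpn extended permit ip 172.21.0.0 255.255.0.0 192.168.48.0 255.255.255.0
"""


def _network(addr, mask, wildcard):
    """Build an IPv4Network from 'addr mask'. IOS ACLs use wildcard (inverse)
    masks, ASA ACLs use ordinary netmasks. ipaddress rejects a non-contiguous
    mask with ValueError, which is the right outcome for a crypto ACL."""
    if wildcard:
        mask = str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def _take_address(tokens, wildcard, object_groups):
    """Consume one address spec from the front of tokens and return the list of
    networks it denotes (an object-group expands to one network per member)."""
    head = tokens.pop(0)
    if head == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    if head == "host":
        return [ipaddress.ip_network(tokens.pop(0) + "/32")]
    if head == "object-group":
        nets = []
        for member in object_groups[tokens.pop(0)]:
            nets.extend(_take_address(member.split(), False, object_groups))
        return nets
    return [_network(head, tokens.pop(0), wildcard)]


def parse_crypto_acl(text, dialect, object_groups=None):
    """Return the set of (protocol, src, dst) permit entries of an IOS ('ios')
    or ASA ('asa') crypto ACL, every address normalised to CIDR notation."""
    wildcard = dialect == "ios"
    entries = set()
    for line in text.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 3 or tokens[0] != "access-list" or tokens[2] == "remark":
            continue
        tokens = tokens[2:]              # drop "access-list <number-or-name>"
        if tokens[0] == "extended":      # ASA-only keyword
            tokens.pop(0)
        if tokens.pop(0) != "permit":    # deny lines are not proxy identities
            continue
        proto = tokens.pop(0)
        srcs = _take_address(tokens, wildcard, object_groups or {})
        dsts = _take_address(tokens, wildcard, object_groups or {})
        for s in srcs:
            for d in dsts:
                entries.add((proto, str(s), str(d)))
    return entries


def mirror_report(local_entries, remote_entries):
    """Compare two crypto ACLs. Returns (is_mirror, only_local, only_remote):
    the entries on each side whose swapped src/dst is missing on the other."""
    only_local = sorted(e for e in local_entries if (e[0], e[2], e[1]) not in remote_entries)
    only_remote = sorted(e for e in remote_entries if (e[0], e[2], e[1]) not in local_entries)
    return (not only_local and not only_remote), only_local, only_remote


def check(asa_acl_text):
    """Mirror-check the router ACL from the thread against a given ASA ACL."""
    router = parse_crypto_acl(ROUTER_CRYPTO_ACL, "ios")
    asa = parse_crypto_acl(asa_acl_text, "asa", ASA_OBJECT_GROUPS)
    return mirror_report(router, asa)


if __name__ == "__main__":
    for label, acl in (("original", ASA_CRYPTO_ACL_ORIGINAL), ("fixed", ASA_CRYPTO_ACL_FIXED)):
        ok, only_router, only_asa = check(acl)
        print(f"{label}: mirror image = {ok}")
        for e in only_router:
            print("  router entry with no ASA mirror:", e)
        for e in only_asa:
            print("  ASA entry with no router mirror:", e)
```

Run against the original ASA ACL, the report shows both things the answer points at: the host objects are narrower than the router's 172.21.0.0/16, and the separate icmp line adds proxy identities the router never proposes. Against the one-line replacement it reports a clean mirror.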