02-25-2014 02:23 PM
I've added a new network for a customer's firewall and I'm trying to get that network across the existing VPN tunnel to their DR site. The new network is 10.133.133.0/24 and I'm trying to get it to connect to 10.1.14.0/24 on the other side of the tunnel.
I'm missing something, though, because when I do a packet-tracer to simulate traffic, it dies before getting encrypted. The output is below.
What am I missing to get this traffic to even attempt to go across the tunnel?
-----
4344-FWL001#packet-tracer input backup icmp 10.133.133.10 0 0 10.1.14.20
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group backup_acl in interface backup
access-list backup_acl extended permit ip 10.133.133.0 255.255.255.0 10.1.14.0 255.255.255.0
Additional Information:
Phase: 3
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
match any
policy-map global_policy
class class-default
set connection decrement-ttl
service-policy global_policy global
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
match ip backup 10.133.133.0 255.255.255.0 outside 10.1.14.0 255.255.255.0
NAT exempt
translate_hits = 40, untranslate_hits = 0
Additional Information:
Phase: 7
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (backup) 1 0.0.0.0 0.0.0.0
match ip backup any outside any
dynamic translation to pool 1 (216.211.133.59 [Interface PAT])
translate_hits = 254, untranslate_hits = 18
Additional Information:
Phase: 8
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (backup) 1 0.0.0.0 0.0.0.0
match ip backup any outside any
dynamic translation to pool 1 (216.211.133.59 [Interface PAT])
translate_hits = 254, untranslate_hits = 18
Additional Information:
Phase: 9
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Result:
input-interface: backup
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
02-26-2014 05:55 AM
James,
Just to make sure... Did you add the same ACE to the remote site's crypto ACL?
HTH.
02-26-2014 11:01 AM
I don't have access to the other device. They say they've added the ACLs, but I can't confirm.
I should still see a packet-tracer command at least try to encrypt the traffic, though, right? It's only simulating what a packet would do.
02-26-2014 11:08 AM
You are correct.
What does the "debug crypto ipsec 127" tell you?
02-28-2014 01:39 PM
Here's what I'm getting from debug:
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, Src=10.133.133.5:256, Dest=10.1.14.20:256
IPSEC(crypto_map_check)-3: Checking crypto map outside_map 1: matched.
IPSEC: New embryonic SA created @ 0xC9D5AC10,
SCB: 0xCA7F3CA0,
Direction: inbound
SPI : 0xC404C4D2
Session ID: 0x034F6000
VPIF num : 0x00000002
Tunnel type: l2l
Protocol : esp
Lifetime : 240 seconds
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, Src=10.133.133.5:256, Dest=10.1.14.20:256
IPSEC(crypto_map_check)-3: Checking crypto map outside_map 1: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, Src=10.133.133.5:256, Dest=10.1.14.20:256
IPSEC(crypto_map_check)-3: Checking crypto map outside_map 1: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, Src=10.133.133.5:256, Dest=10.1.14.20:256
IPSEC(crypto_map_check)-3: Checking crypto map outside_map 1: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, Src=10.133.133.5:256, Dest=10.1.14.20:256
IPSEC(crypto_map_check)-3: Checking crypto map outside_map 1: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, Src=10.133.133.5:256, Dest=10.1.14.20:256
IPSEC(crypto_map_check)-3: Checking crypto map outside_map 1: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, Src=10.133.133.5:256, Dest=10.1.14.20:256
IPSEC(crypto_map_check)-3: Checking crypto map outside_map 1: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, Src=10.133.133.5:256, Dest=10.1.14.20:256
IPSEC(crypto_map_check)-3: Checking crypto map outside_map 1: matched.
IPSEC: New embryonic SA created @ 0xC9F32960,
SCB: 0xCA7DCFC0,
Direction: inbound
SPI : 0x25646462
Session ID: 0x034F6000
VPIF num : 0x00000002
Tunnel type: l2l
Protocol : esp
Lifetime : 240 seconds
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, Src=10.133.133.5:256, Dest=10.1.14.20:256
IPSEC(crypto_map_check)-3: Checking crypto map outside_map 1: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, Src=10.133.133.5:256, Dest=10.1.14.20:256
IPSEC(crypto_map_check)-3: Checking crypto map outside_map 1: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, Src=10.133.133.5:256, Dest=10.1.14.20:256
IPSEC(crypto_map_check)-3: Checking crypto map outside_map 1: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, Src=10.133.133.5:256, Dest=10.1.14.20:256
IPSEC(crypto_map_check)-3: Checking crypto map outside_map 1: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, Src=10.133.133.5:256, Dest=10.1.14.20:256
IPSEC(crypto_map_check)-3: Checking crypto map outside_map 1: matched.
02-28-2014 01:42 PM
And what I get from isakmp debug:
Feb 28 13:41:26 [IKEv1]: Group = 216.203.46.252, IP = 216.203.46.252, QM FSM error (P2 struct &0xc9f39e68, mess id 0xe0ba04c)!
Feb 28 13:41:26 [IKEv1 DEBUG]: Group = 216.203.46.252, IP = 216.203.46.252, IKE QM Initiator FSM error history (struct &0xc9f39e68)
Feb 28 13:41:26 [IKEv1 DEBUG]: Group = 216.203.46.252, IP = 216.203.46.252, sending delete/delete with reason message
Feb 28 13:41:26 [IKEv1 DEBUG]: Group = 216.203.46.252, IP = 216.203.46.252, constructing blank hash payload
Feb 28 13:41:26 [IKEv1 DEBUG]: Group = 216.203.46.252, IP = 216.203.46.252, constructing IPSec delete payload
Feb 28 13:41:26 [IKEv1 DEBUG]: Group = 216.203.46.252, IP = 216.203.46.252, constructing qm hash payload
Feb 28 13:41:26 [IKEv1]: IP = 216.203.46.252, IKE_DECODE SENDING Message (msgid=216bc3cb) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 68
Feb 28 13:41:26 [IKEv1 DEBUG]: Group = 216.203.46.252, IP = 216.203.46.252, IKE Deleting SA: Remote Proxy 10.1.14.0, Local Proxy 10.133.133.0
Feb 28 13:41:26 [IKEv1]: Group = 216.203.46.252, IP = 216.203.46.252, Removing peer from correlator table failed, no match!
Feb 28 13:41:26 [IKEv1 DEBUG]: Pitcher: received key delete msg, spi 0xb161983b
Feb 28 13:41:29 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Feb 28 13:41:29 [IKEv1]: Group = 216.203.46.252, IP = 216.203.46.252, IKE Initiator: New Phase 2, Intf backup, IKE Peer 216.203.46.252 local Proxy Address 10.133.133.0, remote Proxy Address 10.1.14.0, Crypto map (outside_map)
Feb 28 13:41:29 [IKEv1 DEBUG]: Group = 216.203.46.252, IP = 216.203.46.252, Oakley begin quick mode
Feb 28 13:41:29 [IKEv1 DEBUG]: Group = 216.203.46.252, IP = 216.203.46.252, IKE got SPI from key engine: SPI = 0x9b973b9b
Feb 28 13:41:29 [IKEv1 DEBUG]: Group = 216.203.46.252, IP = 216.203.46.252, oakley constucting quick mode
Feb 28 13:41:29 [IKEv1 DEBUG]: Group = 216.203.46.252, IP = 216.203.46.252, constructing blank hash payload
Feb 28 13:41:29 [IKEv1 DEBUG]: Group = 216.203.46.252, IP = 216.203.46.252, constructing IPSec SA payload
Feb 28 13:41:29 [IKEv1 DEBUG]: Group = 216.203.46.252, IP = 216.203.46.252, constructing IPSec nonce payload
Feb 28 13:41:29 [IKEv1 DEBUG]: Group = 216.203.46.252, IP = 216.203.46.252, constructing proxy ID
Feb 28 13:41:29 [IKEv1 DEBUG]: Group = 216.203.46.252, IP = 216.203.46.252, Transmitting Proxy Id:
Local subnet: 10.133.133.0 mask 255.255.255.0 Protocol 0 Port 0
Remote subnet: 10.1.14.0 Mask 255.255.255.0 Protocol 0 Port 0
Feb 28 13:41:29 [IKEv1 DEBUG]: Group = 216.203.46.252, IP = 216.203.46.252, constructing qm hash payload
Feb 28 13:41:29 [IKEv1]: IP = 216.203.46.252, IKE_DECODE SENDING Message (msgid=150b2ab3) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 168
Feb 28 13:41:29 [IKEv1]: IP = 216.203.46.252, IKE_DECODE RECEIVED Message (msgid=cabc11c) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 224
Feb 28 13:41:29 [IKEv1 DEBUG]: Group = 216.203.46.252, IP = 216.203.46.252, processing hash payload
Feb 28 13:41:29 [IKEv1 DEBUG]: Group = 216.203.46.252, IP = 216.203.46.252, processing notify payload
Feb 28 13:41:29 [IKEv1]: Group = 216.203.46.252, IP = 216.203.46.252, Received non-routine Notify message: Invalid ID info (18)
I suspect the configs don't match on both sides, but getting info from the other side of the tunnel is like pulling teeth.
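An added example, not part of the thread: a triage script that pulls the Phase 2 proxy IDs the ASA transmitted and the Notify the peer returned out of the `debug crypto isakmp` output above, then checks a far-end crypto ACL for the mirror-image entry. Notify type 18 is INVALID-ID-INFORMATION (RFC 2408), which a Quick Mode responder sends when the proxy IDs it received match none of its own selectors; the `debug crypto ipsec` output above shows the local crypto map matching, so the selectors to check are the peer's. The debug lines are quoted from the post; `REMOTE_CRYPTO_ACL` and the ACL name `dr_crypto` are constructed and hypothetical, since the poster could not see the remote device. The second constructed entry shows a common mistake, a supernet of 10.1.14.0/24 instead of the exact mirror, which Cisco's L2L documentation tells you to avoid.

```python
"""Triage an IKEv1 Quick Mode failure from ASA `debug crypto isakmp` output.

Added example, not from the thread. DEBUG is quoted from the post above.
REMOTE_CRYPTO_ACL is a constructed, hypothetical far-end ACL; the thread never shows it.
"""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

Net = ipaddress.IPv4Network
Ace = Tuple[Net, Net]

DEBUG = """\
Feb 28 13:41:29 [IKEv1]: Group = 216.203.46.252, IP = 216.203.46.252, IKE Initiator: New Phase 2, Intf backup, IKE Peer 216.203.46.252 local Proxy Address 10.133.133.0, remote Proxy Address 10.1.14.0, Crypto map (outside_map)
Feb 28 13:41:29 [IKEv1 DEBUG]: Group = 216.203.46.252, IP = 216.203.46.252, Transmitting Proxy Id:
Local subnet: 10.133.133.0 mask 255.255.255.0 Protocol 0 Port 0
Remote subnet: 10.1.14.0 Mask 255.255.255.0 Protocol 0 Port 0
Feb 28 13:41:29 [IKEv1]: IP = 216.203.46.252, IKE_DECODE SENDING Message (msgid=150b2ab3) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 168
Feb 28 13:41:29 [IKEv1]: IP = 216.203.46.252, IKE_DECODE RECEIVED Message (msgid=cabc11c) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 224
Feb 28 13:41:29 [IKEv1]: Group = 216.203.46.252, IP = 216.203.46.252, Received non-routine Notify message: Invalid ID info (18)
"""

# Constructed, hypothetical remote crypto ACL. Entry 1 is the pre-existing tunnel;
# entry 2 is a supernet of 10.1.14.0/24 rather than the exact mirror of our proposal.
REMOTE_CRYPTO_ACL = """\
access-list dr_crypto extended permit ip 10.1.14.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list dr_crypto extended permit ip 10.1.0.0 255.255.0.0 10.133.133.0 255.255.255.0
"""

# ISAKMP notify types relevant to Phase 2 selector/proposal failures (RFC 2408 3.14.1).
NOTIFY_NAMES = {14: "NO-PROPOSAL-CHOSEN", 18: "INVALID-ID-INFORMATION"}

PROXY_RE = re.compile(r"^(Local|Remote) subnet: (\S+) [Mm]ask (\S+) Protocol (\d+) Port (\d+)")
NOTIFY_RE = re.compile(r"Received non-routine Notify message: (.*?) \((\d+)\)")
ACE_RE = re.compile(r"permit ip (\S+) (\S+) (\S+) (\S+)")


def parse_quick_mode(debug: str) -> Dict[str, object]:
    """Extract the transmitted proxy IDs and any Notify returned by the peer."""
    info: Dict[str, object] = {}
    for line in debug.splitlines():
        m = PROXY_RE.match(line.strip())
        if m:
            side, net, mask, proto, port = m.groups()
            info[side.lower()] = ipaddress.ip_network(f"{net}/{mask}", strict=False)
            info[f"{side.lower()}_proto_port"] = (int(proto), int(port))
        m = NOTIFY_RE.search(line)
        if m:
            code = int(m.group(2))
            info["notify_code"] = code
            info["notify"] = NOTIFY_NAMES.get(code, m.group(1))
    return info


def parse_crypto_acl(acl: str) -> List[Ace]:
    """Turn 'permit ip <src> <mask> <dst> <mask>' entries into (src, dst) networks."""
    entries: List[Ace] = []
    for line in acl.splitlines():
        m = ACE_RE.search(line)
        if m:
            src, smask, dst, dmask = m.groups()
            entries.append((ipaddress.ip_network(f"{src}/{smask}", strict=False),
                            ipaddress.ip_network(f"{dst}/{dmask}", strict=False)))
    return entries


def classify_remote_acl(info: Dict[str, object], remote_acl: List[Ace]) -> Tuple[str, Optional[Ace]]:
    """Does the far-end ACL mirror what we proposed?

    We sent Local=our subnet, Remote=their subnet, so the peer needs an ACE reading
    (their subnet -> our subnet). "mirror" is the exact reverse; "covering" is an ACE
    whose networks merely contain our proposal, which is where selector mismatches hide.
    """
    want_src, want_dst = info["remote"], info["local"]
    for src, dst in remote_acl:
        if src == want_src and dst == want_dst:
            return "mirror", (src, dst)
    for src, dst in remote_acl:
        if want_src.subnet_of(src) and want_dst.subnet_of(dst):
            return "covering", (src, dst)
    return "missing", None


def expected_remote_ace(info: Dict[str, object], acl_name: str = "dr_crypto") -> str:
    """The exact mirror ACE the peer would need for our proposal."""
    r, l = info["remote"], info["local"]
    return (f"access-list {acl_name} extended permit ip "
            f"{r.network_address} {r.netmask} {l.network_address} {l.netmask}")


if __name__ == "__main__":
    qm = parse_quick_mode(DEBUG)
    print(f"proposed {qm['local']} -> {qm['remote']}, peer replied {qm.get('notify')}")
    verdict, ace = classify_remote_acl(qm, parse_crypto_acl(REMOTE_CRYPTO_ACL))
    print(f"remote ACL: {verdict} {ace}")
    print("peer needs:", expected_remote_ace(qm))
```

Run against the real debug and the ACL the remote admin sends back; a "covering" or "missing" verdict with notify 18 is the configuration conversation to have with them, and `expected_remote_ace()` prints the exact line to ask for.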
02-28-2014 01:47 PM
Feb 28 13:41:26 [IKEv1]: Group = 216.203.46.252, IP = 216.203.46.252, QM FSM error (P2 struct &0xc9f39e68, mess id 0xe0ba04c)!
Feb 28 13:41:26 [IKEv1 DEBUG]: Group = 216.203.46.252, IP = 216.203.46.252, IKE QM Initiator FSM error history (struct &0xc9f39e68)
The remote peer does not seem to respond.