L2L VPN issues with new network

James Dykes (Level 1)

I've added a new network for a customer's firewall and I'm trying to get that network across the existing VPN tunnel to their DR site. The new network is 10.133.133.0/24 and I'm trying to get it to connect to 10.1.14.0/24 on the other side of the tunnel.

I'm missing something, though, because when I do a packet-tracer to simulate traffic, it dies before getting encrypted. The output is below.

What am I missing to get this traffic to even attempt to go across the tunnel?

-----

4344-FWL001#packet-tracer input backup icmp 10.133.133.10 0 0 10.1.14.20

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group backup_acl in interface backup
access-list backup_acl extended permit ip 10.133.133.0 255.255.255.0 10.1.14.0 255.255.255.0
Additional Information:

Phase: 3
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
match any
policy-map global_policy
class class-default
  set connection decrement-ttl
service-policy global_policy global
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
  match ip backup 10.133.133.0 255.255.255.0 outside 10.1.14.0 255.255.255.0
    NAT exempt
    translate_hits = 40, untranslate_hits = 0
Additional Information:

Phase: 7
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (backup) 1 0.0.0.0 0.0.0.0
  match ip backup any outside any
    dynamic translation to pool 1 (216.211.133.59 [Interface PAT])
    translate_hits = 254, untranslate_hits = 18
Additional Information:

Phase: 8
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (backup) 1 0.0.0.0 0.0.0.0
  match ip backup any outside any
    dynamic translation to pool 1 (216.211.133.59 [Interface PAT])
    translate_hits = 254, untranslate_hits = 18
Additional Information:

Phase: 9
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:

Result:
input-interface: backup
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
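The packet-tracer output above is long, and the useful signal is simply which phase said DROP and which phases allowed the flow before it. The following is an added example (not code from the original post or from Cisco) that parses that output and reports the first dropping phase, the drop reason from the closing Result block, and the phases passed on the way there; the sample input is an abbreviated copy of the post's own trace, and the hint text for a VPN/encrypt drop is my own wording of where to look next.

```python
import re

# Constructed sample: an abbreviated copy of the packet-tracer output quoted in
# the post above (phases 1, 2, 6 and 9 plus the closing Result block).
PACKET_TRACER_OUTPUT = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group backup_acl in interface backup
access-list backup_acl extended permit ip 10.133.133.0 255.255.255.0 10.1.14.0 255.255.255.0
Additional Information:

Phase: 6
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
  match ip backup 10.133.133.0 255.255.255.0 outside 10.1.14.0 255.255.255.0
    NAT exempt
Additional Information:

Phase: 9
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:

Result:
input-interface: backup
output-interface: outside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

PHASE_RE = re.compile(r"^Phase:\s*(\d+)\s*$")
FIELD_RE = re.compile(r"^(Type|Subtype|Result):\s*(.*)$")


def parse_phases(output):
    """Split packet-tracer output into one dict per phase: number, type,
    subtype, result and the Config: lines the ASA printed for that phase."""
    phases, current, section = [], None, None
    for raw in output.splitlines():
        line = raw.rstrip()
        if line == "Result:":          # bare header: the closing summary starts here
            current = None
            continue
        m = PHASE_RE.match(line)
        if m:
            current = {"phase": int(m.group(1)), "type": "", "subtype": "",
                       "result": "", "config": []}
            phases.append(current)
            section = None
            continue
        if current is None:
            continue
        m = FIELD_RE.match(line)
        if m:
            current[m.group(1).lower()] = m.group(2).strip()
        elif line in ("Config:", "Additional Information:"):
            section = line
        elif section == "Config:" and line.strip():
            current["config"].append(line.strip())
    return phases


def parse_summary(output):
    """Return the key/value pairs of the closing Result: block (Action, Drop-reason...)."""
    summary, in_summary = {}, False
    for line in output.splitlines():
        line = line.strip()
        if line == "Result:":
            in_summary = True
        elif in_summary and ":" in line:
            key, _, value = line.partition(":")
            summary[key.strip()] = value.strip()
    return summary


def triage(output):
    """Name the first phase that dropped the simulated packet, the phases that
    allowed it first, and which part of the config to look at next."""
    def label(p):
        return f"{p['type']}/{p['subtype']}".rstrip("/")

    phases = parse_phases(output)
    summary = parse_summary(output)
    passed = [label(p) for p in phases if p["result"] == "ALLOW"]
    drop = next((p for p in phases if p["result"] == "DROP"), None)
    if drop is None:
        return {"action": summary.get("Action"), "dropped_at": None, "passed": passed}
    hint = "Check the configuration printed under Config: for that phase."
    if label(drop) == "VPN/encrypt":
        hint = ("Interface ACL and NAT phases already allowed this flow; the drop is in "
                "the crypto path, so check the crypto map ACL for this subnet pair and "
                "whether the IPsec SA to the peer actually negotiates.")
    return {"action": summary.get("Action"), "dropped_at": label(drop),
            "phase": drop["phase"], "reason": summary.get("Drop-reason"),
            "passed": passed, "hint": hint}


if __name__ == "__main__":
    for key, value in triage(PACKET_TRACER_OUTPUT).items():
        print(f"{key}: {value}")
```

Run against the trace above it reports the drop at phase 9 (VPN/encrypt) with reason "(acl-drop) Flow is denied by configured rule" after ROUTE-LOOKUP, ACCESS-LIST and NAT-EXEMPT all allowed the flow, which is exactly why the interface ACL is not the place to keep looking.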

6 Replies

James,

Just to make sure... Did you add the same ACE to the remote site's crypto ACL?

HTH.

I don't have access to the other device. They say they've added the ACLs, but I can't confirm.

I should still see a packet-tracer command at least try to encrypt the traffic, though, right? It's only simulating what a packet would do.

You are correct.

What does the "debug crypto ipsec 127" tell you?

Here's what I'm getting from debug:

IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, Src=10.133.133.5:256, Dest=10.1.14.20:256
IPSEC(crypto_map_check)-3: Checking crypto map outside_map 1: matched.
IPSEC: New embryonic SA created @ 0xC9D5AC10,
    SCB: 0xCA7F3CA0,
    Direction: inbound
    SPI      : 0xC404C4D2
    Session ID: 0x034F6000
    VPIF num  : 0x00000002
    Tunnel type: l2l
    Protocol   : esp
    Lifetime   : 240 seconds
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, Src=10.133.133.5:256, Dest=10.1.14.20:256
IPSEC(crypto_map_check)-3: Checking crypto map outside_map 1: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, Src=10.133.133.5:256, Dest=10.1.14.20:256
IPSEC(crypto_map_check)-3: Checking crypto map outside_map 1: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, Src=10.133.133.5:256, Dest=10.1.14.20:256
IPSEC(crypto_map_check)-3: Checking crypto map outside_map 1: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, Src=10.133.133.5:256, Dest=10.1.14.20:256
IPSEC(crypto_map_check)-3: Checking crypto map outside_map 1: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, Src=10.133.133.5:256, Dest=10.1.14.20:256
IPSEC(crypto_map_check)-3: Checking crypto map outside_map 1: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, Src=10.133.133.5:256, Dest=10.1.14.20:256
IPSEC(crypto_map_check)-3: Checking crypto map outside_map 1: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, Src=10.133.133.5:256, Dest=10.1.14.20:256
IPSEC(crypto_map_check)-3: Checking crypto map outside_map 1: matched.
IPSEC: New embryonic SA created @ 0xC9F32960,
    SCB: 0xCA7DCFC0,
    Direction: inbound
    SPI      : 0x25646462
    Session ID: 0x034F6000
    VPIF num  : 0x00000002
    Tunnel type: l2l
    Protocol   : esp
    Lifetime   : 240 seconds
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, Src=10.133.133.5:256, Dest=10.1.14.20:256
IPSEC(crypto_map_check)-3: Checking crypto map outside_map 1: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, Src=10.133.133.5:256, Dest=10.1.14.20:256
IPSEC(crypto_map_check)-3: Checking crypto map outside_map 1: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, Src=10.133.133.5:256, Dest=10.1.14.20:256
IPSEC(crypto_map_check)-3: Checking crypto map outside_map 1: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, Src=10.133.133.5:256, Dest=10.1.14.20:256
IPSEC(crypto_map_check)-3: Checking crypto map outside_map 1: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, Src=10.133.133.5:256, Dest=10.1.14.20:256
IPSEC(crypto_map_check)-3: Checking crypto map outside_map 1: matched.

And what I get from isakmp debug:

Feb 28 13:41:26 [IKEv1]: Group = 216.203.46.252, IP = 216.203.46.252, QM FSM error (P2 struct &0xc9f39e68, mess id 0xe0ba04c)!
Feb 28 13:41:26 [IKEv1 DEBUG]: Group = 216.203.46.252, IP = 216.203.46.252, IKE QM Initiator FSM error history (struct &0xc9f39e68)  , :  QM_DONE, EV_ERROR-->QM_WAIT_MSG2, EV_TIMEOUT-->QM_WAIT_MSG2, NullEvent-->QM_SND_MSG1, EV_SND_MSG-->QM_SND_MSG1, EV_START_TMR-->QM_SND_MSG1, EV_RESEND_MSG-->QM_WAIT_MSG2, EV_TIMEOUT-->QM_WAIT_MSG2, NullEvent
Feb 28 13:41:26 [IKEv1 DEBUG]: Group = 216.203.46.252, IP = 216.203.46.252, sending delete/delete with reason message
Feb 28 13:41:26 [IKEv1 DEBUG]: Group = 216.203.46.252, IP = 216.203.46.252, constructing blank hash payload
Feb 28 13:41:26 [IKEv1 DEBUG]: Group = 216.203.46.252, IP = 216.203.46.252, constructing IPSec delete payload
Feb 28 13:41:26 [IKEv1 DEBUG]: Group = 216.203.46.252, IP = 216.203.46.252, constructing qm hash payload
Feb 28 13:41:26 [IKEv1]: IP = 216.203.46.252, IKE_DECODE SENDING Message (msgid=216bc3cb) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 68
Feb 28 13:41:26 [IKEv1 DEBUG]: Group = 216.203.46.252, IP = 216.203.46.252, IKE Deleting SA: Remote Proxy 10.1.14.0, Local Proxy 10.133.133.0
Feb 28 13:41:26 [IKEv1]: Group = 216.203.46.252, IP = 216.203.46.252, Removing peer from correlator table failed, no match!
Feb 28 13:41:26 [IKEv1 DEBUG]: Pitcher: received key delete msg, spi 0xb161983b
Feb 28 13:41:29 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Feb 28 13:41:29 [IKEv1]: Group = 216.203.46.252, IP = 216.203.46.252, IKE Initiator: New Phase 2, Intf backup, IKE Peer 216.203.46.252  local Proxy Address 10.133.133.0, remote Proxy Address 10.1.14.0,  Crypto map (outside_map)
Feb 28 13:41:29 [IKEv1 DEBUG]: Group = 216.203.46.252, IP = 216.203.46.252, Oakley begin quick mode
Feb 28 13:41:29 [IKEv1 DEBUG]: Group = 216.203.46.252, IP = 216.203.46.252, IKE got SPI from key engine: SPI = 0x9b973b9b
Feb 28 13:41:29 [IKEv1 DEBUG]: Group = 216.203.46.252, IP = 216.203.46.252, oakley constucting quick mode
Feb 28 13:41:29 [IKEv1 DEBUG]: Group = 216.203.46.252, IP = 216.203.46.252, constructing blank hash payload
Feb 28 13:41:29 [IKEv1 DEBUG]: Group = 216.203.46.252, IP = 216.203.46.252, constructing IPSec SA payload
Feb 28 13:41:29 [IKEv1 DEBUG]: Group = 216.203.46.252, IP = 216.203.46.252, constructing IPSec nonce payload
Feb 28 13:41:29 [IKEv1 DEBUG]: Group = 216.203.46.252, IP = 216.203.46.252, constructing proxy ID
Feb 28 13:41:29 [IKEv1 DEBUG]: Group = 216.203.46.252, IP = 216.203.46.252, Transmitting Proxy Id:
  Local subnet:  10.133.133.0  mask 255.255.255.0 Protocol 0  Port 0
  Remote subnet: 10.1.14.0  Mask 255.255.255.0 Protocol 0  Port 0
Feb 28 13:41:29 [IKEv1 DEBUG]: Group = 216.203.46.252, IP = 216.203.46.252, constructing qm hash payload
Feb 28 13:41:29 [IKEv1]: IP = 216.203.46.252, IKE_DECODE SENDING Message (msgid=150b2ab3) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 168
Feb 28 13:41:29 [IKEv1]: IP = 216.203.46.252, IKE_DECODE RECEIVED Message (msgid=cabc11c) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 224
Feb 28 13:41:29 [IKEv1 DEBUG]: Group = 216.203.46.252, IP = 216.203.46.252, processing hash payload
Feb 28 13:41:29 [IKEv1 DEBUG]: Group = 216.203.46.252, IP = 216.203.46.252, processing notify payload
Feb 28 13:41:29 [IKEv1]: Group = 216.203.46.252, IP = 216.203.46.252, Received non-routine Notify message: Invalid ID info (18)

I suspect the configs don't match on both sides, but getting info from the other side of the tunnel is like pulling teeth.

Feb 28 13:41:26 [IKEv1]: Group = 216.203.46.252, IP = 216.203.46.252, QM FSM error (P2 struct &0xc9f39e68, mess id 0xe0ba04c)!
Feb 28 13:41:26 [IKEv1 DEBUG]: Group = 216.203.46.252, IP = 216.203.46.252, IKE QM Initiator FSM error history (struct &0xc9f39e68)  , :  QM_DONE, EV_ERROR-->QM_WAIT_MSG2, EV_TIMEOUT-->QM_WAIT_MSG2, NullEvent-->QM_SND_MSG1, EV_SND_MSG-->QM_SND_MSG1, EV_START_TMR-->QM_SND_MSG1, EV_RESEND_MSG-->QM_WAIT_MSG2, EV_TIMEOUT-->QM_WAIT_MSG2, NullEvent

The remote peer does not seem to respond.
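The two isakmp debug excerpts in this thread show the two ways a quick-mode attempt fails here: one attempt times out with a QM FSM error and no reply (the last reply's point), the other gets an explicit "Invalid ID info (18)" notify back. The following is an added example (not code from the original thread or from Cisco) that pulls the offered proxy IDs, the peer and any notify or FSM error out of a `debug crypto isakmp` excerpt and classifies the attempt. Notify type 18 is INVALID-ID-INFORMATION in RFC 2408, the responder saying it has no identity matching the pair we sent; reading that as "the peer's crypto ACL lacks the mirror entry" is my interpretation, consistent with the first reply's question. The two samples are constructed from lines quoted in the thread.

```python
import re

# Constructed samples: lines taken from the isakmp debug quoted in the thread,
# trimmed to what the check needs. The first is the attempt that got an
# Invalid ID info notify back; the second is the earlier attempt that timed out.
REJECTED_ATTEMPT = """\
Feb 28 13:41:29 [IKEv1]: Group = 216.203.46.252, IP = 216.203.46.252, IKE Initiator: New Phase 2, Intf backup, IKE Peer 216.203.46.252  local Proxy Address 10.133.133.0, remote Proxy Address 10.1.14.0,  Crypto map (outside_map)
Feb 28 13:41:29 [IKEv1 DEBUG]: Group = 216.203.46.252, IP = 216.203.46.252, Transmitting Proxy Id:
  Local subnet:  10.133.133.0  mask 255.255.255.0 Protocol 0  Port 0
  Remote subnet: 10.1.14.0  Mask 255.255.255.0 Protocol 0  Port 0
Feb 28 13:41:29 [IKEv1]: IP = 216.203.46.252, IKE_DECODE RECEIVED Message (msgid=cabc11c) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 224
Feb 28 13:41:29 [IKEv1]: Group = 216.203.46.252, IP = 216.203.46.252, Received non-routine Notify message: Invalid ID info (18)
"""

TIMED_OUT_ATTEMPT = """\
Feb 28 13:41:26 [IKEv1]: Group = 216.203.46.252, IP = 216.203.46.252, QM FSM error (P2 struct &0xc9f39e68, mess id 0xe0ba04c)!
Feb 28 13:41:26 [IKEv1 DEBUG]: Group = 216.203.46.252, IP = 216.203.46.252, IKE QM Initiator FSM error history (struct &0xc9f39e68)  , :  QM_DONE, EV_ERROR-->QM_WAIT_MSG2, EV_TIMEOUT-->QM_WAIT_MSG2, NullEvent-->QM_SND_MSG1, EV_SND_MSG-->QM_SND_MSG1
Feb 28 13:41:26 [IKEv1 DEBUG]: Group = 216.203.46.252, IP = 216.203.46.252, IKE Deleting SA: Remote Proxy 10.1.14.0, Local Proxy 10.133.133.0
"""

PEER_RE = re.compile(r"\bIP = (\d+\.\d+\.\d+\.\d+)")
PROXY_RE = re.compile(r"^\s*(Local|Remote) subnet:\s+(\S+)\s+[Mm]ask\s+(\S+)\s+Protocol\s+(\d+)\s+Port\s+(\d+)")
NOTIFY_RE = re.compile(r"Received non-routine Notify message: (.+?) \((\d+)\)")


def mask_to_prefix(mask):
    """Dotted-quad netmask to prefix length, e.g. 255.255.255.0 -> 24."""
    return sum(bin(int(octet)).count("1") for octet in mask.split("."))


def parse_phase2_attempt(debug):
    """Pull the peer, the proxy IDs the ASA offered and any notify / FSM error
    out of one quick-mode attempt in 'debug crypto isakmp' output."""
    info = {"peer": None, "proxy": {}, "notify": None,
            "qm_fsm_error": False, "timed_out": False}
    for line in debug.splitlines():
        m = PEER_RE.search(line)
        if m:
            info["peer"] = m.group(1)
        m = PROXY_RE.match(line)
        if m:
            side, net, mask, proto, port = m.groups()
            info["proxy"][side.lower()] = {"subnet": f"{net}/{mask_to_prefix(mask)}",
                                           "protocol": int(proto), "port": int(port)}
        m = NOTIFY_RE.search(line)
        if m:
            info["notify"] = (m.group(1), int(m.group(2)))
        if "QM FSM error" in line:
            info["qm_fsm_error"] = True
        if "EV_TIMEOUT" in line:
            info["timed_out"] = True
    return info


def diagnose(debug):
    """Classify one attempt. Notify type 18 is INVALID-ID-INFORMATION (RFC 2408):
    the responder found no proxy identity matching the pair we sent, which on an
    ASA peer means its crypto ACL lacks the mirror entry for this subnet pair."""
    info = parse_phase2_attempt(debug)
    local = info["proxy"].get("local", {}).get("subnet", "?")
    remote = info["proxy"].get("remote", {}).get("subnet", "?")
    if info["notify"] and info["notify"][1] == 18:
        return {"verdict": "proxy-id-mismatch", "peer": info["peer"],
                "detail": (f"peer rejected local {local} -> remote {remote}; the peer's "
                           f"crypto ACL needs the mirror entry {remote} -> {local}")}
    if info["qm_fsm_error"] and info["timed_out"]:
        return {"verdict": "no-phase2-reply", "peer": info["peer"],
                "detail": "quick mode message 1 went unanswered; the peer did not respond"}
    return {"verdict": "no-error-seen", "peer": info["peer"], "detail": ""}


if __name__ == "__main__":
    for sample in (REJECTED_ATTEMPT, TIMED_OUT_ATTEMPT):
        print(diagnose(sample))
```

The proxy IDs it extracts (local 10.133.133.0/24, remote 10.1.14.0/24, any protocol, any port) are what the other side has to mirror; if the remote admin can only be pinned down on one thing, that pair is it.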
