07-22-2010 02:46 AM - edited 02-21-2020 04:45 PM
Hi,
We are trying to establish a VPN between a Cisco 2811 router (Version 12.4(13r)T) and a PIX 515E (7.01 and 7.23).
We are able to get the VPN status UP but unable to ping the IP (encrypt the IP on the router side).
IPv4 Crypto ISAKMP SA
dst src state conn-id status
XX.XX.202.161 XXX.XX.37.10 QM_IDLE 1023 ACTIVE
sh cry ipsec sa on router side:
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.148.0/255.255.252.0/0/0)
remote ident (addr/mask/prot/port): (10.215.0.0/255.255.0.0/0/0)
current_peer XXX.XX.37.10 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 1764, #pkts decrypt: 1764, #pkts verify: 1764
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: XXX.XXX.202.161, remote crypto endpt.: XXX.XXX.37.10
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1
current outbound spi: 0x4D0B702(80787202)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x3861D560(945935712)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2015, flow_id: NETGX:15, sibling_flags 80000046, crypto map: StoS-VPN
sa timing: remaining key lifetime (k/sec): (4438146/704)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x4D0B702(80787202)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2016, flow_id: NETGX:16, sibling_flags 80000046, crypto map: StoS-VPN
sa timing: remaining key lifetime (k/sec): (4438204/704)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
Kindly suggest what might be the issue.
07-22-2010 02:51 AM
Based on the output of "show cry ipsec sa" on the router, traffic arrives at the router and gets decrypted; however, it does not get encrypted to be sent towards the PIX end.
You might want to check if NAT exemption has been configured on the router for traffic between 192.168.148.0/22 towards 10.215.0.0/16.
If you can share the router config, we might be able to spot something.
Hope that helps.
07-22-2010 02:58 AM
Thanks for your reply
router config:
Building configuration...
Current configuration : 3345 bytes
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
boot-start-marker
boot-end-marker
no aaa new-model
dot11 syslog
ip source-route
ip cef
ip domain name yourdomain.com
multilink bundle-name authenticated
archive
log config
hidekeys
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp policy 2
encr 3des
authentication pre-share
group 2
crypto isakmp policy 3
authentication pre-share
group 2
crypto isakmp policy 4
hash md5
authentication pre-share
crypto isakmp policy 5
encr 3des
authentication pre-share
crypto isakmp key XXXXXX address XXX.XX.37.10
crypto ipsec transform-set TEST_VPN esp-3des esp-md5-hmac
crypto map StoS-VPN 21 ipsec-isakmp
set peer XXX.XXX.37.10
set transform-set TEST_VPN
match address 116
interface FastEthernet0/1
ip address XXX.XXX.202.161 255.255.255.240
ip nat outside
ip virtual-reassembly
load-interval 30
duplex full
speed 100
crypto map StoS-VPN
interface FastEthernet0/3/0
switchport access vlan 100
interface FastEthernet0/3/1
interface FastEthernet0/3/2
interface FastEthernet0/3/3
interface Vlan1
no ip address
interface Vlan100
ip address 192.168.151.3 255.255.255.0
ip nat inside
ip virtual-reassembly
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 XXX.XXX.203.162
ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat pool TEST XXX.XXX.202.161 XXX.XXX.202.161 netmask 255.255.255.252
ip nat inside source route-map nonat pool TEST overload
logging 192.168.151.220
access-list 102 deny ip 192.168.148.0 0.0.3.255 10.215.0.0 0.0.255.255
access-list 102 permit ip 192.168.148.0 0.0.3.255 any
access-list 116 permit ip 192.168.148.0 0.0.3.255 10.215.0.0 0.0.255.255
route-map nonat permit 10
match ip address 102
07-22-2010 09:23 AM
Question: why do you have the IP address of interface Vlan100 with a /24 subnet mask instead of /22?
Can you please post some debugs (isakmp, ipsec) and also sh ip route on this router?
thanks
manish
07-22-2010 09:27 PM
Hi,
Thanks for your reply.
We have an L3 switch from which we are routing the remote subnet to the router interface 192.168.151.3.
routing table in L3 :
#sh ip route
===============================================================================
Ip Route
===============================================================================
DST MASK NEXT COST VLAN PORT PROT TYPE
07-22-2010 10:27 PM
Are you able to ping the Vlan100 IP?
Also, just wondering if you will need a route for the 192.168.148 network pointing to the next hop on the inside.
Also, what we need to see is whether the return traffic is actually coming to the router.
Can you apply this access-list on Vlan100:
ip access-list extended 199
10 permit ip 192.168.148.0 /22 10.x.x.x
20 permit ip any any
int vlan 100
ip access-group 199 in
Let's see if we see any hit counts on 199.
Please note that line 10 in 199 is the interesting traffic.
07-23-2010 03:05 AM
Hi,
Please find the result after applying it to the interface:
Extended IP access list 199
10 permit ip 192.168.148.0 0.0.3.255 10.215.0.0 0.0.255.255 (31 matches)
20 permit ip any any (780 matches)
#sh version
Cisco IOS Software, 2800 Software (C2800NM-ADVSECURITYK9-M), Version 12.4(24)T3, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2010 by Cisco Systems, Inc.
Compiled Tue 23-Mar-10 06:43 by prod_rel_team
ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)
Is there any issue with the IOS platform?
thanks
Vinu
07-23-2010 04:33 AM
Can you take the debugs and attach them please?
We would require both isakmp and ipsec debugs if possible.
07-23-2010 06:59 AM
Hi,
Please find the debug log below:
*Jul 23 14:01:16.895: ISAKMP:(1025):Old State = IKE_QM_SPI_STARVE New State = IKE_QM_R_QM2
*Jul 23 14:01:16.895: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Jul 23 14:01:16.895: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Jul 23 14:01:16.895: Crypto mapdb : proxy_match
src addr : 192.168.148.0
dst addr : 10.215.0.0
protocol : 0
src port : 0
dst port : 0
*Jul 23 14:01:16.899: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and peer XXX.XXX.37.10
*Jul 23 14:01:16.899: IPSEC(policy_db_add_ident): src 192.168.148.0, dest 10.215.0.0, dest_port 0
*Jul 23 14:01:16.899: IPSEC(create_sa): sa created,
(sa) sa_dest= XXX.XXX.202.161, sa_proto= 50,
sa_spi= 0x802AB1AF(2150281647),
sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2077
sa_lifetime(k/sec)= (4576146/3600)
*Jul 23 14:01:16.899: IPSEC(create_sa): sa created,
(sa) sa_dest= XXX.XXX.37.10, sa_proto= 50,
sa_spi= 0x9319ECF9(2467949817),
sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2078
sa_lifetime(k/sec)= (4576146/3600)
*Jul 23 14:01:17.115: ISAKMP (1025): received packet from XXX.XXX.37.10 dport 500 sport 500 Global (R) QM_IDLE
*Jul 23 14:01:17.119: ISAKMP:(1025):deleting node 1232130872 error FALSE reason "QM done (await)"
*Jul 23 14:01:17.119: ISAKMP:(1025):Node 1232130872, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Jul 23 14:01:17.119: ISAKMP:(1025):Old State = IKE_QM_R_QM2 New State = IKE_QM_PHASE2_COMPLETE
*Jul 23 14:01:17.119: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Jul 23 14:01:17.119: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
*Jul 23 14:01:17.119: IPSEC(key_engine_enable_outbound): enable SA with spi 2467949817/50
*Jul 23 14:01:17.119: IPSEC(update_current_outbound_sa): updated peer XXX.XXX.37.10 current outbound sa to SPI 9319ECF9
*Jul 23 14:01:36.091: IPSEC(crypto_map_check_encrypt_core): CRYPTO: Packet dropped because cryptomap is currently being created
*Jul 23 14:01:36.091: IPSEC(crypto_map_check_encrypt_core): CRYPTO: Packet dropped because cryptomap is currently being created
*Jul 23 14:01:36.095: IPSEC(crypto_map_check_decrypt_core): CRYPTO: Packet dropped because cryptomap si currently being created
*Jul 23 14:01:36.095: IPSEC(crypto_map_check_decrypt_core): CRYPTO: Packet dropped because cryptomap si currently being created
Thanks
Vinu
07-23-2010 10:30 AM
Try adjusting the MTU on both sides, the PIX as well as your router. It appears that the packets are coming in with the DF bit set to 1. Try using extended ping with different MTU sizes and debug ip icmp. Post the config of both sides, router & PIX. Also make sure, if you are running remote VPN access on either side, that its crypto map is higher than the L2L one.
I am more than confident that it is an MTU issue + DF set (do not fragment), as phase 1 and phase 2 are completed as per the debug on the router side.
thanks
Manish
07-23-2010 11:09 AM
Sometimes we see the "crypto map is currently being created" message due to a mismatch in crypto identities.
Can you please paste the config on the other end as well?
It looks like a crypto ACL mismatch. Can you please confirm again that the phase 2 config is matching on both ends? I am particularly worried about the 192.168.148 network because that has a /23 mask, and in the identities it looks like it might have /24.
Can you please confirm that?
07-26-2010 12:14 AM
Hi,
I have a small query: does the router require any activation key,
something like that, to encrypt and decrypt the traffic?
Kindly advise.
07-26-2010 05:19 AM
I don't think you need anything of that sort; it depends on the image, and probably if you didn't have the right image it wouldn't let you enter the commands in the first place.
It looks like a config issue in phase 2.
Can you please paste the config on both ends?
07-26-2010 05:39 AM
Hi,
Please find the config below.
Router config
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
!
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
!
no aaa new-model
!
dot11 syslog
ip source-route
!
!
ip cef
!
!
ip domain name yourdomain.com
!
multilink bundle-name authenticated
!
!
!
!
!
!
archive
log config
hidekeys
!
!
crypto isakmp policy 1
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 2
authentication pre-share
group 2
!
crypto isakmp policy 3
authentication pre-share
group 2
!
crypto isakmp policy 4
hash md5
authentication pre-share
!
crypto isakmp policy 5
encr 3des
authentication pre-share
crypto isakmp key XXXXXX address XXX.XXX.37.10
crypto isakmp invalid-spi-recovery
!
!
crypto ipsec transform-set XXXXX-VPN esp-3des esp-md5-hmac
!
crypto map StoS-VPN 21 ipsec-isakmp
set peer XX.XX.37.10
set transform-set XXXXX-VPN
match address 116
!
!
!
!
!
!
interface FastEthernet0/0
description PTP TO ISP
ip address XXX.XXX.203.161 255.255.255.252
load-interval 30
duplex auto
speed 100
!
interface FastEthernet0/1
description WAN_INTERFACE
ip address XXX.XXX.202.161 255.255.255.240
ip nat outside
ip virtual-reassembly
load-interval 30
duplex full
speed 100
crypto map StoS-VPN
!
interface FastEthernet0/3/0
switchport access vlan 100
!
interface FastEthernet0/3/1
!
interface FastEthernet0/3/2
!
interface FastEthernet0/3/3
!
interface Vlan1
no ip address
!
interface Vlan100
ip address 192.168.151.3 255.255.255.0
ip nat inside
ip virtual-reassembly
!
router bgp 17488
no synchronization
bgp log-neighbor-changes
no auto-summary
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 XXX.XXX.203.162
ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat pool TEST XXX.XXX.202.161 XXX.XXX.202.161 netmask 255.255.255.252
ip nat inside source route-map nonat pool TEST overload
!
logging 192.168.151.220
access-list 102 deny ip 192.168.151.0 0.0.0.255 10.215.0.0 0.0.255.255
access-list 102 permit ip 192.168.151.0 0.0.0.255 any
access-list 116 permit ip 192.168.151.0 0.0.0.255 10.215.0.0 0.0.255.255
!
!
!
route-map nonat permit 10
match ip address 102
!
!
snmp-server community public RW
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps cpu threshold
snmp-server host 10.89.2.10 public
!
control-plane
!
!
line con 0
line aux 0
!
scheduler allocate 20000 1000
PIX Config
: Saved
:
PIX Version 8.0(4)
!
hostname PRI-PIX-FW-SYD1
domain-name SYD-GS
enable password MSV2FjMCpOHCDb7R encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0
description PIX WAN INTERFACE
nameif outside
security-level 0
ip address XXX.XXX.37.10 255.255.255.224
!
interface Ethernet1
nameif inside
security-level 100
ip address 10.215.1.10 255.255.255.0
!
interface Ethernet2
shutdown
no nameif
security-level 80
no ip address
!
interface Ethernet3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet5
description STATE Failover Interface
speed 100
duplex full
!
ftp mode passive
dns server-group DefaultDNS
access-list VPN-XXX extended permit ip 10.215.0.0 255.255.0.0 192.168.151.0 255.255.255.0
access-list NO_NAT extended permit ip 10.215.0.0 255.255.0.0 192.168.151.0 255.255.255.0
pager lines 24
logging enable
mtu outside 1500
mtu inside 1500
ip local pool RemoteVPNpool 10.215.254.241-10.215.254.246
failover
failover link state Ethernet5
failover interface ip state 172.16.50.1 255.255.255.0 standby 172.16.50.2
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image flash:/asdm-613.bin
no asdm history enable
arp timeout 14400
global (outside) 1 XXX.XXX.37.6
nat (inside) 0 access-list NO_NAT
access-group Outside_inside in interface outside
route outside 0.0.0.0 0.0.0.0 XXX.XXX.37.1 1
route inside 10.215.10.0 255.255.255.0 10.215.1.1 1
route inside 10.215.11.0 255.255.255.0 10.215.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set XXXXXXX-set esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map VPN_IPSEC 5 match address VPN-XXX
crypto map VPN_IPSEC 5 set peer XXX.XXX.202.161
crypto map VPN_IPSEC 5 set transform-set XXXXXXX-set
crypto map VPN_IPSEC 5 set security-association lifetime seconds 28800
crypto map VPN_IPSEC 5 set security-association lifetime kilobytes 4608000
crypto map VPN_IPSEC interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 9
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 11
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 13
authentication pre-share
encryption 3des
hash md5
group 1
lifetime 86400
crypto isakmp policy 15
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 3600
crypto isakmp policy 16
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 28800
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 192.168.0.0 255.255.255.0 inside
telnet 10.0.0.0 255.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group XXX.XXX.202.161 type ipsec-l2l
tunnel-group XXX.XXX.202.161 ipsec-attributes
pre-shared-key X
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
thanks
Vinu