
Site-Site VPN: 3005 to IOS 3745 - Finicky tunnel

a.harvey
Level 1

We're attempting to set up a tunnel to allow http traffic between two LANs via an IPSEC tunnel. Unfortunately, the tunnel only comes up when I select "network autodiscovery" routing under the lan-to-lan connection. I would prefer to simply use network lists for the local and remote sites, but as soon as I select the lists I've set up, the tunnel goes down and stays down.

In addition, when the tunnel comes up (with network autodiscovery selected), I can ping the peer on the other side from the VPN concentrator but cannot ping any hosts on networks behind that router. My traceroute to those hosts goes to the public interface and then to the Internet, instead of heading to the peer IP address on the other end of the tunnel.

Any thoughts?

3 Replies

aftermath
Level 1

Have you run any debugs?

debug crypto isakmp/ipsec?

debugging the src IP?

Since I only have access to the VPN concentrator, here are the results of the debug I was able to run.

8801 01/04/2005 08:03:40.270 SEV=7 IPSECDBG/1 RPT=2712

Could not find assigned address for tunnel!

8802 01/04/2005 08:03:43.250 SEV=7 IPSECDBG/10 RPT=191

IPSEC ipsec_output() can call key_acquire() because 3 seconds have elapsed since

last IKE negotiation began (src 0xc0a83787, dst 0x023aa0c4)

8804 01/04/2005 08:03:43.260 SEV=7 IPSECDBG/14 RPT=193

Sending KEY_ACQUIRE to IKE for src 192.168.55.135, dst 166.89.199.178

8805 01/04/2005 08:03:43.260 SEV=4 IKE/41 RPT=163

IKE Initiator: New Phase 2, Intf 2, IKE Peer 166.89.101.254

local Proxy Address 192.168.55.0, remote Proxy Address 166.89.192.0,

SA (L2L: TPD.)

8809 01/04/2005 08:03:43.260 SEV=9 IPSECDBG/6 RPT=744

IPSEC key message parse - msgtype 6, len 208, vers 1, pid 00000000, seq 172, err

0, type 2, mode 0, state 32, label 0, pad 0, spi 0x00000000, encrKeyLen 0, hash

KeyLen 0, ivlen 0, alg 0, hmacAlg 0, lifetype 0, lifetime1 1118540, lifetime2 0,

dsId 300

8813 01/04/2005 08:03:43.260 SEV=9 IPSECDBG/1 RPT=2713

Processing KEY_GETSPI msg!

8814 01/04/2005 08:03:43.270 SEV=7 IPSECDBG/13 RPT=165

Reserved SPI 0x54b45ce7

8815 01/04/2005 08:03:46.750 SEV=7 IPSECDBG/10 RPT=192

IPSEC ipsec_output() can call key_acquire() because 3 seconds have elapsed since

last IKE negotiation began (src 0xc0a83787, dst 0x023aa0c4)

8817 01/04/2005 08:03:46.760 SEV=7 IPSECDBG/14 RPT=194

Sending KEY_ACQUIRE to IKE for src 192.168.55.135, dst 166.89.199.178

8818 01/04/2005 08:03:50.250 SEV=7 IPSECDBG/10 RPT=193

IPSEC ipsec_output() can call key_acquire() because 3 seconds have elapsed since

last IKE negotiation began (src 0xc0a83787, dst 0x023aa0c4)

8820 01/04/2005 08:03:50.260 SEV=7 IPSECDBG/14 RPT=195

Sending KEY_ACQUIRE to IKE for src 192.168.55.135, dst 166.89.199.178

Although my tunnel is showing as "up", I'm getting this debug result when I tracert to the peer at the other end:

(Note that the source interface for the traceroute and ping is showing as my "private" interface.)

10395 01/04/2005 11:44:52.480 SEV=7 IPSECDBG/1 RPT=2906

Could not find assigned address for tunnel!

What exactly does this mean?