10-07-2010 10:11 PM
Hi Everyone,
I recently got assigned the task of setting up a site-to-site VPN, and this is my first time. I am trying to set up a site-to-site VPN with a PIX 501 but am running into issues. I have managed to get as far as below, but I am stuck right now and don't know what the problem could be. The following is the debug output.
Any help is greatly appreciated on what the potential problem could be.
-AK
ISAKMP (0:0): sending NAT-T vendor ID - rev 2 & 3
ISAKMP (0): beginning Main Mode exchange
crypto_isakmp_process_block:src:208.249.117.203, dest:70.91.20.245 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 20 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 28800
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing vendor id payload
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:208.249.117.203, dest:70.91.20.245 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
ISAKMP (0): processing vendor id payload
ISAKMP (0): processing vendor id payload
ISAKMP (0): received xauth v6 vendor id
ISAKMP (0): processing vendor id payload
ISAKMP (0): speaking to another IOS box!
ISAKMP (0): processing vendor id payload
ISAKMP (0): speaking to a VPN3000 concentrator
ISAKMP (0): ID payload
next-payload : 8
type : 1
protocol : 17
port : 0
length : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:208.249.117.203, dest:70.91.20.245 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): processing keep alive: proposal=32767/32767 sec., actual=3276/2 sec.
ISAKMP (0): processing vendor id payload
ISAKMP (0): remote peer supports dead peer detection
ISAKMP (0): SA has been authenticated
ISAKMP (0): beginning Quick Mode exchange, M-ID of 413131006:189fe0fe
IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0x3e9451fa(1049907706) for SA
from 208.249.117.203 to 70.91.20.245 for prot 3
return status is IKMP_NO_ERROR
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending NOTIFY message 24578 protocol 1
VPN Peer: ISAKMP: Added new peer: ip:208.249.117.203/500 Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:208.249.117.203/500 Ref cnt incremented to:1 Total VPN Peers:1
crypto_isakmp_process_block:src:208.249.117.203, dest:70.91.20.245 spt:500 dpt:500
ISAKMP (0): processing DELETE payload. message ID = 3425658127, spi size = 16
ISAKMP (0): deleting SA: src 70.91.20.245, dst 208.249.117.203
return status is IKMP_NO_ERR_NO_TRANS
ISADB: reaper checking SA 0xac149c, conn_id = 0 DELETE IT!
VPN Peer: ISAKMP: Peer ip:208.249.117.203/500 Ref cnt decremented to:0 Total VPN Peers:1
VPN Peer: ISAKMP: Deleted peer: ip:208.249.117.203/500 Total VPN peers:0
IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with 208.249.117.203
IPSEC(key_engine): request timer fired: count = 2,
(identity) local= 70.91.20.245, remote= 208.249.117.203,
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 206.200.22.0/255.255.255.0/0/0 (type=4)
10-09-2010 07:40 AM
Hi,
From the logs I see that you are using a VPN 3000 concentrator as the remote VPN endpoint. Also, from the debugs, the following section is interesting:
(identity) local= 70.91.20.245, remote= 208.249.117.203,
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 206.200.22.0/255.255.255.0/0/0 (type=4)
--It seems the interesting traffic at the PIX and the concentrator are not mirrors of each other and do not match. Can you please paste the crypto access-lists from the PIX here, so that I can analyze the entries.
--Also, please make sure you have followed all the steps while configuring the VPN as per the following links:
If your PIX is running version 7.x or above: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008064a06f.shtml
If your PIX is running version 6.3.x: http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a00800949d2.shtml
Once you verify the config on both PIX and Concentrator, please provide me the output of "sh cry isa sa" and "sh cry ipsec sa" from the PIX. With this output, we can further troubleshoot if there are more issues.
Let me know if this helps,
Cheers,
Rudresh V
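Added example (not code from the thread, from Cisco, or from either poster): a small Python checker for the mirror condition Rudresh describes above. It parses PIX 6.3 access-list output and the local_proxy/remote_proxy identity lines from the debug; the concentrator-side ACL entries are constructed for illustration, since the thread never shows them.

```python
import ipaddress
import re
from typing import Dict, List, NamedTuple

class Selector(NamedTuple):
    """One crypto ACL entry: protocol plus the local and remote networks."""
    proto: str
    local: ipaddress.IPv4Network
    remote: ipaddress.IPv4Network

    def mirror(self) -> "Selector":
        # The peer must hold the same entry with local and remote swapped.
        return Selector(self.proto, self.remote, self.local)

# PIX 6.3 form: access-list N permit <proto> <src> <mask> <dst> <mask>
ACL_RE = re.compile(r"permit\s+(\S+)\s+([\d.]+)\s+([\d.]+)\s+([\d.]+)\s+([\d.]+)")
# Identity lines from 'debug cry ipsec': local_proxy= addr/mask/proto/port (type=4)
PROXY_RE = re.compile(r"(local|remote)_proxy=\s*([\d.]+)/([\d.]+)/(\d+)/\d+")

def parse_pix_acl(text: str) -> List[Selector]:
    """Parse PIX access-list output (netmask form) into selectors."""
    return [Selector(p, ipaddress.IPv4Network(f"{s}/{sm}"), ipaddress.IPv4Network(f"{d}/{dm}"))
            for p, s, sm, d, dm in ACL_RE.findall(text)]

def mirror_mismatches(local_acl: List[Selector], peer_acl: List[Selector]) -> List[Selector]:
    """Entries on this side whose exact mirror is missing on the peer."""
    peer = set(peer_acl)
    return [s for s in local_acl if s.mirror() not in peer]

def parse_proxy_ids(debug: str) -> Dict[str, ipaddress.IPv4Network]:
    """The phase-2 identities the PIX proposed, from the request-timer debug lines."""
    return {side: ipaddress.IPv4Network(f"{addr}/{mask}")
            for side, addr, mask, _proto in PROXY_RE.findall(debug)}

def proxy_ids_in_acl(ids: Dict[str, ipaddress.IPv4Network], acl: List[Selector]) -> bool:
    """True if some ACL entry is exactly the local/remote pair seen in the debug."""
    return any(s.local == ids["local"] and s.remote == ids["remote"] for s in acl)

# Sample input: PIX ACL and debug lines from the thread; the concentrator-side
# entries (PEER_ACL_OK, PEER_ACL_HOST) are constructed, the thread does not show them.
PIX_ACL = """access-list 101 line 1 permit ip 69.64.67.0 255.255.255.0 206.200.22.0 255.255.255.0 (hitcnt=8)
access-list 101 line 2 permit icmp 69.64.67.0 255.255.255.0 206.200.22.0 255.255.255.0 (hitcnt=0)"""
PEER_ACL_OK = """permit ip 206.200.22.0 255.255.255.0 69.64.67.0 255.255.255.0
permit icmp 206.200.22.0 255.255.255.0 69.64.67.0 255.255.255.0"""
PEER_ACL_HOST = "permit ip 206.200.22.0 255.255.255.0 69.64.67.10 255.255.255.255"  # constructed host
DEBUG = """local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 206.200.22.0/255.255.255.0/0/0 (type=4)"""
```

Run `mirror_mismatches(parse_pix_acl(PIX_ACL), parse_pix_acl(PEER_ACL_HOST))` to see the two PIX entries that a host-only peer entry does not mirror, and `proxy_ids_in_acl(parse_proxy_ids(DEBUG), parse_pix_acl(PIX_ACL))` to see that the 0.0.0.0/0 local identity in the debug matches no ACL entry.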
10-07-2010 10:27 PM
>> In the site-to-site tunnel, if one end is the PIX, what is the remote device?
>> After initiating the tunnel, can you paste the output of "sh crypto isa sa" and "sh crypto ipsec sa" from the PIX.
>> Please paste the output of the crypto config from both the devices.
>> Also, when you enable debugs for isakmp and ipsec, please collect the debugs at level 127.
On the PIX, use the command:
debug cry isa 127
debug cry ips 127
Regards,
Manisha Mandekar
10-08-2010 06:05 AM
The problem looks different today although I don't know why. Nothing has changed on our site.
IPSEC(key_engine_sa_req): setting timer running retry <2>
crypto_ke_process_block:
KEYENG_IKMP_SA_SPEC
isadb_create_sa:
crypto_isakmp_init_phase1_fields: initiator
is_auth_policy_configured: auth 4
6.n_cookie: 20
0 2i0p0.s22.2e35c N_Od bre_spaondsde _rsecae_ivreed --q 10:0
misp
eccp5_01#d b_get_ipsec_sa_list:
ipsec_db_add_ipsec_sa_list:
ipsec_db_get_ipsec_sa_list:
is_auth_policy_configured: auth 4
construct_header: message_id 0x0
construct_isakmp_sa: auth 1
set_proposal: protocol 0x1, proposal_num 1, extra_info 0x1
init_set_oakley_atts:
ISAKMP (0:0): sending NAT-T vendor ID - rev 2 & 3
begin phase one
sa->state 0x0
ISAKMP (0): beginning Main Mode exchange
throw: mess_id 0x0
send_response:
isakmp_send: ip 208.249.117.203, port 500
ISAKMP msg received
crypto_isakmp_process_block:src:208.249.117.203, dest:70.91.20.245 spt:500 dpt:500
gen_cookie:
fill_sa_key:isadb_search returned sa = 0x9fea14
validate_payload: len 104
valid_payload:
valid_sa:
valid_transform:
valid_payload:
OAK_MM exchange
oakley_process_mm:
OAK_MM_NO_STATE
process_isakmp_packet:
process_sa: mess_id 0x0
ISAKMP (0): processing SA payload. message ID = 0
check_isakmp_proposal:
is_auth_policy_configured: auth 1
is_auth_policy_configured: auth 4
ISAKMP (0): Checking ISAKMP transform 1 against priority 20 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 28800
ISAKMP (0): atts are acceptable. Next payload is 0
crypto_generate_DH_parameters: dhset 0x9feccc, phase 0
DH_ALG_PHASE1
process_sa: DONE - status 0x0
delete_sa_offers:
process_isakmp_packet: OAK_MM
process_vendor_id:
ISAKMP (0): processing vendor id payload
not cisco peer
process_udp_enc_vendor_id:
process_isakmp_packet: OAK_MM
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
construct_header: message_id 0x0
construct_ke:
need_cert_from_peer:
construct_nonce:
construct_xauthv6_vendor_id:
construct_dpd_vendor_id:
construct_unity_vendor_id:
construct_vendor_id:
return status is IKMP_NO_ERROR
throw: mess_id 0x0
send_response:
isakmp_send: ip 208.249.117.203, port 500
ISAKMP msg received
crypto_isakmp_process_block:src:208.249.117.203, dest:70.91.20.245 spt:500 dpt:500
gen_cookie:
fill_sa_key:isadb_search returned sa = 0x9fea14
validate_payload: len 256
valid_payload:
valid_payload:
valid_payload:
valid_payload:
valid_payload:
valid_payload:
OAK_MM exchange
oakley_process_mm:
OAK_MM_SA_SETUP
process_isakmp_packet:
process_ke:
ISAKMP (0): processing KE payload. message ID = 0
crypto_generate_DH_parameters: dhset 0x9feccc, phase 1
DH_ALG_PHASE2
process_isakmp_packet: OAK_MM
process_nonce:
ISAKMP (0): processing NONCE payload. message ID = 0
process_isakmp_packet: OAK_MM
pix_create_skeys:
skey_pre_shar:
process_vendor_id:
ISAKMP (0): processing vendor id payload
not cisco peer
process_udp_enc_vendor_id:
process_isakmp_packet: OAK_MM
process_vendor_id:
ISAKMP (0): processing vendor id payload
ISAKMP (0): received xauth v6 vendor id
process_isakmp_packet: OAK_MM
process_vendor_id:
ISAKMP (0): processing vendor id payload
cisco peer
ISAKMP (0): speaking to another IOS box!
process_isakmp_packet: OAK_MM
process_vendor_id:
ISAKMP (0): processing vendor id payload
ISAKMP (0): speaking to a VPN3000 concentrator
process_isakmp_packet: OAK_MM
construct_header: message_id 0x0
ISAKMP (0): ID payload
next-payload : 8
type : 1
protocol : 17
port : 0
length : 8
ISAKMP (0): Total payload length: 12
construct_hash:
compute_hash:
ISAKMP msg received
crypto_isakmp_process_block:src:208.249.117.203, dest:70.91.20.245 spt:500 dpt:500
gen_cookie:
fill_sa_key:isadb_search returned sa = 0x9fea14
isakmp_ce_decrypt_payload:
ISAKMP msg received
REAPER_TIMER
ISADB: reaper checking SA 0x9fea14, conn_id = 0 DELETE IT!
crypto_gen_isakmp_delete:
isadb_free_isakmp_sa:
VPN Peer: ISAKMP: Peer ip:208.249.117.203/500 Ref cnt decremented to:0 Total VPN Peers:1
VPN Peer: ISAKMP: Deleted peer: ip:208.249.117.203/500 Total VPN peers:0
IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with 208.249.117.203
ipsec_db_delete_sa_list_entry:
ipsec_db_free_ipsec_sa_list:
PEER_REAPER_TIMER
PEER_REAPER_TIMER
IPSEC(key_engine): request timer fired: count = 2,
(identity) local= 70.91.20.245, remote= 208.249.117.203,
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 206.200.22.0/255.255.255.0/0/0 (type=4)
crypto_ke_process_block:
crypto_gen_ipsec_isakmp_delete:
10-12-2010 02:05 PM
Thanks, Rudresh, for the information. I have version 6.3. I cleared everything to factory default and redid it as per the link provided. I added an extra setting.
The address is a public address range because the other side expects the internal server to have a public IP.
static (inside,outside) 69.64.67.0 69.64.67.0 netmask 255.255.255.0
The following is the output of the access list and the other commands you asked me to run.
pixfirewall(config)# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 256)
alert-interval 300
access-list 101; 2 elements
access-list 101 line 1 permit ip 69.64.67.0 255.255.255.0 206.200.22.0 255.255.255.0 (hitcnt=8)
access-list 101 line 2 permit icmp 69.64.67.0 255.255.255.0 206.200.22.0 255.255.255.0 (hitcnt=0)
pixfirewall(config)# sh cry isa sa
Total : 0
Embryonic : 0
dst src state pending created
pixfirewall(config)# sh cry ipsec sa
interface: outside
Crypto map tag: aptmap, local addr. 70.91.20.245
local ident (addr/mask/prot/port): (69.64.67.0/255.255.255.0/1/0)
remote ident (addr/mask/prot/port): (206.200.22.0/255.255.255.0/1/0)
current_peer: 208.249.117.203:0
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 70.91.20.245, remote crypto endpt.: 208.249.117.203
path mtu 1500, ipsec overhead 0, media mtu 1500
current outbound spi: 0
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
local ident (addr/mask/prot/port): (69.64.67.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (206.200.22.0/255.255.255.0/0/0)
current_peer: 208.249.117.203:0
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 4, #recv errors 0
local crypto endpt.: 70.91.20.245, remote crypto endpt.: 208.249.117.203
path mtu 1500, ipsec overhead 0, media mtu 1500
current outbound spi: 0
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
10-13-2010 01:26 AM
Hi Ak,
Can you please post the complete configuration of the PIX (of course, take the outside interface and other sensitive info out), so that I can analyse the config.
Cheers,
Rudresh V
10-13-2010 05:20 AM
Hi Rudresh,
Your first response forced me to look at the access list again, and this time it worked. I changed the access list from using a subnet to using a host.