Triplejolt
IS-IT--Management
Hi gang.
I have 2 S2S tunnels going, but one of them can't seem to work properly. I upgraded from 6.3(4) to 7.0.4 and only one of them worked after that. I've reset the config, rewritten the entire thing both using the ASDM and manually (CLI). I'm only able to get one of them up, the Stonegate VPN tunnel, which is the same one each time. So... I'm out of ideas of what to try next.
Here's my config (IP addresses masked):
Code:
PIX Version 7.0(4)
!
hostname PIX
domain-name mydomain.com
!
interface Ethernet0
speed 10
duplex half
nameif outside
security-level 0
ip address [PIX_outside]
!
interface Ethernet1
speed 100
duplex full
nameif inside
security-level 100
ip address [PIX_inside]
!
interface Ethernet2
speed 100
duplex full
nameif DMZ
security-level 50
ip address [PIX_DMZ]
!
boot system flash:/image.bin
ftp mode passive
clock timezone CET 1
same-security-traffic permit intra-interface
access-list dmz extended permit ip any any
access-list NoNat extended permit ip 192.168.0.0 255.255.255.0 dmz_hosts
access-list NoNat extended permit ip 192.168.0.0 255.255.255.0 host Stonegate_VPNnode_IP
access-list NoNat extended permit ip inside_hosts 172.16.1.0 255.255.255.0
access-list outside extended deny ip any any
access-list inside extended permit ip any any
access-list Nortel extended permit ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list Stonegate extended permit ip 192.168.0.0 255.255.255.0 172.16.1.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging standby
logging console errors
logging monitor errors
logging buffered debugging
logging trap debugging
logging history debugging
logging asdm alerts
logging host inside 192.168.0.1
no logging message 106015
no logging message 305012
no logging message 305011
no logging message 710005
no logging message 111009
no logging message 111008
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 304001
no logging message 111007
no logging message 302016
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
no failover
icmp permit any unreachable outside
icmp permit any inside
icmp permit any DMZ
asdm image flash:/asdm-504.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
global (outside) 3 1.1.1.1
global (DMZ) 2 interface
nat (inside) 0 access-list NoNat
nat (inside) 2 access-list Stonegate
nat (inside) 3 access-list Nortel
nat (inside) 1 0.0.0.0 0.0.0.0
nat (DMZ) 1 0.0.0.0 0.0.0.0
access-group outside in interface outside
access-group inside in interface inside
access-group dmz in interface DMZ
route outside 0.0.0.0 0.0.0.0 [ISP] 1
route DMZ Stonegate_VPNnode_IP 255.255.255.255 [next_hop] 1
route DMZ 172.16.1.0 255.255.255.0 [next_hop] 1
timeout xlate 2:00:00
timeout conn 2:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 2:00:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server RADIUS host inside_PC
key *
authentication-port 1812
accounting-port 1813
aaa-server ACS protocol radius
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
client-firewall none
client-access-rule none
username * password * encrypted privilege 15
username * password * encrypted privilege 1
aaa authentication ssh console LOCAL
http server enable
http 192.168.0.1 inside
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map TCVPN 2 match address Stonegate
crypto map TCVPN 2 set peer Stonegate_Node
crypto map TCVPN 2 set transform-set ESP-3DES-MD5
crypto map TCVPN interface DMZ
crypto map VPN 1 match address Nortel
crypto map VPN 1 set peer Nortel_VPNnode_IP
crypto map VPN 1 set transform-set ESP-3DES-MD5
crypto map VPN interface outside
isakmp identity address
isakmp enable outside
isakmp enable DMZ
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
isakmp nat-traversal 20
tunnel-group DefaultRAGroup general-attributes
authentication-server-group (outside) LOCAL
authentication-server-group (DMZ) LOCAL
tunnel-group Nortel type ipsec-l2l
tunnel-group Nortel ipsec-attributes
pre-shared-key *
tunnel-group Stonegate type ipsec-l2l
tunnel-group Stonegate ipsec-attributes
pre-shared-key *
!
telnet 192.168.0.1 inside
telnet timeout 30
ssh inside_PC inside
ssh timeout 30
ssh version 1
console timeout 30
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect http
inspect ils
inspect netbios
inspect pptp
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
Looking through the syslog, I see these statements:
PHASE 1 COMPLETED
QM IsRekeyed old sa not found by addr
Static Crypto Map check, checking map = VPN, seq = 1...
Static Crypto Map check, map = VPN, seq = 1, ACL does not match proxy IDs src:172.16.0.1 dst:1.1.1.1
Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 172.16.0.1/255.255.255.255/0/0 local proxy 1.1.1.1/255.255.255.255/0/0 on interface outside
sending notify message
constructing blank hash payload
constructing qm hash payload
IKE_DECODE SENDING Message (msgid=23d6c12a) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 196
QM FSM error (P2 struct &0x232aa90, mess id 0xc26c7550)!
IKE QM Responder FSM error history (struct &0x232aa90) <state>, <event>: QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_NEGO_SA-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH
sending delete/delete with reason message
Removing peer from correlator table failed, no match!
IKE SA MM:4c1dcfda rcv'd Terminate: state MM_ACTIVE flags 0x00010042, refcnt 1, tuncnt 0
IKE SA MM:4c1dcfda terminating: flags 0x01010002, refcnt 0, tuncnt 0
sending delete/delete with reason message
constructing blank hash payload
constructing IKE delete payload
constructing qm hash payload
IKE_DECODE SENDING Message (msgid=664a13f1) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 76
IP = Nortel_VPNnode_IP, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: crypto map policy not found
Received encrypted packet with no matching SA, dropping
Teardown ICMP connection for faddr 172.16.0.1/0 gaddr 1.1.1.1/6 laddr inside_PC/512
Teardown local-host outside:172.16.0.1 duration 0:00:02
I have a cryptomap policy for the failing VPN tunnel, so these statements are confusing me.
Let me know if you have questions, and I'll try to answer them to the best of my ability.
A firm believer in the "Keep it Simple" philosophy
Cheers
/T
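As an added illustration, not part of the original post, the check the PIX logs as "ACL does not match proxy IDs" can be reproduced offline: parse the two crypto ACLs from the config above and the proxy IDs from the "Rejecting IPSec tunnel" syslog line, then test each side of the peer's proposal against the ACL entry. It assumes, as a simplification of the real matching, that a proposal fits an entry only when the local proxy lies inside the entry's source and the remote proxy inside its destination.

```python
import ipaddress
import re

# Crypto ACL lines copied from the PIX config above (constructed input).
CRYPTO_ACLS = """
access-list Nortel extended permit ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list Stonegate extended permit ip 192.168.0.0 255.255.255.0 172.16.1.0 255.255.255.0
"""

# The rejection line from the syslog excerpt above (constructed input).
REJECT_LINE = ("Rejecting IPSec tunnel: no matching crypto map entry for remote proxy "
               "172.16.0.1/255.255.255.255/0/0 local proxy 1.1.1.1/255.255.255.255/0/0 "
               "on interface outside")

ACL_RE = re.compile(r"access-list (\S+) extended permit ip "
                    r"(host \S+|\S+ \S+) (host \S+|\S+ \S+)")
PROXY_RE = re.compile(r"remote proxy ([\d.]+)/([\d.]+)/\d+/\d+ "
                      r"local proxy ([\d.]+)/([\d.]+)/\d+/\d+")

def to_network(spec):
    """Turn 'host A.B.C.D' or 'A.B.C.D MASK' (ASA ACL syntax) into an IPv4Network."""
    parts = spec.split()
    if parts[0] == "host":
        return ipaddress.ip_network(parts[1] + "/32")
    return ipaddress.ip_network(f"{parts[0]}/{parts[1]}", strict=False)

def parse_crypto_acls(text):
    """Map ACL name -> list of (source_net, destination_net) per permit entry."""
    acls = {}
    for name, src, dst in ACL_RE.findall(text):
        acls.setdefault(name, []).append((to_network(src), to_network(dst)))
    return acls

def parse_proxy_ids(line):
    """Return (local_proxy, remote_proxy) the peer proposed, as the PIX logged them."""
    m = PROXY_RE.search(line)
    if m is None:
        raise ValueError("not a proxy-ID rejection line")
    remote_ip, remote_mask, local_ip, local_mask = m.groups()
    return (ipaddress.ip_network(f"{local_ip}/{local_mask}"),
            ipaddress.ip_network(f"{remote_ip}/{remote_mask}"))

def check_proxy_ids(acl_entries, local_proxy, remote_proxy):
    """Assumed simplification of the PIX check: local proxy must sit inside the entry's
    source and remote proxy inside its destination. Returns (matched, per-entry flags)."""
    details = [(local_proxy.subnet_of(src), remote_proxy.subnet_of(dst))
               for src, dst in acl_entries]
    return any(l_ok and r_ok for l_ok, r_ok in details), details
```

Run on the page's values, the remote proxy 172.16.0.1/32 does fall inside 172.16.0.0/24, but the local proxy 1.1.1.1/32 does not fall inside 192.168.0.0/24, so the mismatch is on the local side. That address is the one `global (outside) 3 1.1.1.1` with `nat (inside) 3 access-list Nortel` translates Nortel-bound traffic to, which is why the Nortel peer sees a host-to-host proposal while the `Nortel` ACL describes the pre-NAT 192.168.0.0/24.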