Lab 3.3: Phase 1 Cannot Complete

Hi!

 

I am working on the VPN section and lab 3.3 is becoming frustrating for me. The devices are synced with the NTP server, but the devices have a different time than the NTP server 10.0.0.100.

I never receive the message "The certificate has been granted by CA!" on the ASA.

I have authentication problems and cannot advance with the labs pertaining to the CA.

In the debug output I see:

May  1 18:27:48.910: ISAKMP:(1018):Sending NOTIFY CERTIFICATE_UNAVAILABLE protocol 1
    spi 0, message ID = 931745642

Here are the configs.

====================================================================================================================================================

ASA1

Rack6ASA1# sh run
: Saved
:
ASA Version 8.0(4)
!
hostname Rack6ASA1
domain-name INE.com
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 136.6.123.12 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 136.6.121.12 255.255.255.0
!
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 10.0.0.12 255.255.255.0
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
 management-only
!
ftp mode passive
dns server-group DefaultDNS
 domain-name INE.com
access-list OUTSIDE_IN extended permit icmp any any
access-list OUTSIDE_IN extended permit udp any any eq ntp
access-list OUTSIDE_IN extended permit tcp any any eq www
access-list VLAN121_TO_VLAN23 extended permit ip 136.6.121.0 255.255.255.0 136.6.23.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group OUTSIDE_IN in interface outside
!
router rip
 network 10.0.0.0
 network 136.6.0.0
 version 2
 no auto-summary
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set 3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map VPN 10 match address VLAN121_TO_VLAN23
crypto map VPN 10 set peer 136.6.123.3
crypto map VPN 10 set transform-set 3DES_MD5
crypto map VPN 10 set security-association lifetime seconds 28800
crypto map VPN 10 set security-association lifetime kilobytes 4608000
crypto map VPN 10 set trustpoint IE1
crypto map VPN interface outside
crypto ca trustpoint IE1
 revocation-check crl none
 enrollment url http://10.0.0.100:80/certsrv/mscep/mscep.dll
 crl configure
crypto ca certificate chain IE1
 certificate ca 122272c6e4466092444cbc4709e79763
  quit
crypto isakmp enable outside
crypto isakmp policy 10
 authentication rsa-sig
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 10.0.0.100
tunnel-group 136.6.123.3 type ipsec-l2l
tunnel-group 136.6.123.3 ipsec-attributes
 trust-point IE1
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:e0b27c4f0c0dc8b06c437a82ca00e56c
: end
Rack6ASA1# 

====================================================================================================================================================
R3


Rack6R3#sh run
Building configuration...

Current configuration : 3602 bytes
!
! Last configuration change at 18:17:59 UTC Sun May 1 2011
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Rack6R3
!
boot-start-marker
boot-end-marker
!
enable password cisco
!
no aaa new-model
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
!
!
!        
!
no ip domain lookup
ip domain name INE.com
!
multilink bundle-name authenticated
!
!
crypto pki trustpoint IE1
 enrollment mode ra
 enrollment url http://10.0.0.100:80/certsrv/mscep/mscep.dll
 revocation-check none
!
!
crypto pki certificate chain IE1
 certificate ca 122272C6E4466092444CBC4709E79763
      quit
!
!
archive
 log config
  hidekeys
!
!
crypto isakmp policy 5
 encr 3des
 hash md5
 group 2
!
!
crypto ipsec transform-set 3DES_MD5 esp-3des esp-md5-hmac
!
crypto map VPN 10 ipsec-isakmp
 set peer 136.6.123.12
 set transform-set 3DES_MD5
 match address VLAN23_TO_VLAN121
!
!
!
ip tcp synwait-time 5
ip ssh version 1
!
!
!
interface FastEthernet0/0
 ip address 136.6.123.3 255.255.255.0
 speed 100
 full-duplex
 crypto map VPN
!
interface FastEthernet0/1
 ip address 136.6.23.3 255.255.255.0
 speed 100
 full-duplex
!
interface Serial1/0
 no ip address
 encapsulation frame-relay IETF
 shutdown
 frame-relay lmi-type cisco
!
interface Serial1/1
 no ip address
 shutdown
!
interface Serial1/2
 no ip address
 shutdown
!        
interface Serial1/3
 no ip address
 shutdown
!
router rip
 version 2
 network 136.6.0.0
 no auto-summary
!
ip forward-protocol nd
!
!
ip http server
no ip http secure-server
!
ip access-list extended VLAN23_TO_VLAN121
 permit ip 136.6.23.0 0.0.0.255 136.6.121.0 0.0.0.255
!
!
!
!
!
control-plane
!
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
line vty 0 4
 password cisco
 login
!
ntp clock-period 17209262
ntp server 10.0.0.100
!
end

Rack6R3#

====================================================================================================================================================
Rack6ASA1# sh crypto isakmp sa detail

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 136.6.123.3
    Type    : user            Role    : responder
    Rekey   : no              State   : MM_WAIT_MSG5
    Encrypt : 3des            Hash    : MD5      
    Auth    : rsa             Lifetime: 86400
    Lifetime Remaining: 2147419676

Rack6R3#sh crypto isakmp sa detail
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id  Local           Remote          I-VRF    Status Encr Hash Auth DH Lifetime Cap.

1017  136.6.123.3     136.6.123.12             ACTIVE 3des md5  rsig 2  0           
       Engine-id:Conn-id =  SW:17

IPv6 Crypto ISAKMP SA

Rack6R3#


====================================================================================================================================================
Rack6R3#debug crypto isakmp  
Crypto ISAKMP debugging is on
Rack6R3#ping 136.6.121.1 source fa 0/1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 136.6.121.1, timeout is 2 seconds:
Packet sent with a source address of 136.6.23.3

May  1 18:27:18.532: ISAKMP: set new node 0 to QM_IDLE     
May  1 18:27:18.532: ISAKMP:(1017):SA is still budding. Attached new ipsec request to it. (local 136.6.123.3, remote 136.6.123.12)
May  1 18:27:18.532: ISAKMP: Error while processing SA request: Failed to initialize SA
May  1 18:27:18.532: ISAKMP: Error while processing KMI message 0, error 2.
May  1 18:27:19.077: ISAKMP: quick mode timer expired.
May  1 18:27:19.077: ISAKMP:(1017):src 136.6.123.3 dst 136.6.123.12, SA is not authenticated
May  1 18:27:19.077: ISAKMP:(1017):peer does not do paranoid keepalives.

May  1 18:27:19.077: ISAKMP:(1017):deleting SA reason "QM_TIMER expired" state (I) MM_KEY_EXCH (peer 136.6.123.12)
May  1 18:27:19.081: ISAKMP:(1017):deleting SA reason "QM_TIMER expired" state (I) MM_KEY_EXCH (peer 136.6.123.12)
May  1 18:27:19.081: ISAKMP: Unlocking peer struct 0x8810CD44 for isadb_mark_sa_deleted(), count 0
May  1 18:27:19.081: ISAKMP: Deleting peer node by peer_reap for 136.6.123.12:. 8810CD44
May  1 18:27:19.085: ISAKMP:(1017):deleting node -1951043775 error FALSE reason "IKE deleted"
May  1 18:27:19.085: ISAKMP:(1017):deleting node -1309289369 error FALSE reason "IKE deleted"
May  1 18:27:19.085: ISAKMP:(1017):deleting node -1327221144 error FALSE reason "IKE deleted"
May  1 18:27:19.085: ISAKMP:(1017):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
May  1 18:27:19.089: ISAKMP:(1017):Old State = IKE_I_MM5  New State = IKE_DEST_SA
....
Success rate is 0 percent (0/5)
Rack6R3#
May  1 18:27:48.533: ISAKMP:(0): SA request profile is (NULL)
May  1 18:27:48.533: ISAKMP: Created a peer struct for 136.6.123.12, peer port 500
May  1 18:27:48.533: ISAKMP: New peer created peer = 0x8810CD44 peer_handle = 0x8000001B
May  1 18:27:48.537: ISAKMP: Locking peer struct 0x8810CD44, refcount 1 for isakmp_initiator
May  1 18:27:48.537: ISAKMP: local port 500, remote port 500
May  1 18:27:48.537: ISAKMP: set new node 0 to QM_IDLE     
May  1 18:27:48.537: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 88273920
May  1 18:27:48.537: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
May  1 18:27:48.541: ISAKMP:(0):No pre-shared key with 136.6.123.12!
May  1 18:27:48.541: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
May  1 18:27:48.541: ISAKMP:(0): constructed NAT-T vendor-07 ID
May  1 18:27:48.541: ISAKMP:(0): constructed NAT-T vendor-03 ID
May  1 18:27:48.541: ISAKMP:(0): constructed NAT-T vendor-02 ID
Rack6R3#
May  1 18:27:48.541: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
May  1 18:27:48.545: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1

May  1 18:27:48.545: ISAKMP:(0): beginning Main Mode exchange
May  1 18:27:48.545: ISAKMP:(0): sending packet to 136.6.123.12 my_port 500 peer_port 500 (I) MM_NO_STATE
May  1 18:27:48.545: ISAKMP:(0):Sending an IKE IPv4 Packet.
May  1 18:27:48.553: ISAKMP (0:0): received packet from 136.6.123.12 dport 500 sport 500 Global (I) MM_NO_STATE
May  1 18:27:48.553: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
May  1 18:27:48.553: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2

May  1 18:27:48.557: ISAKMP:(0): processing SA payload. message ID = 0
May  1 18:27:48.557: ISAKMP:(0): processing vendor id payload
May  1 18:27:48.557: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
May  1 18:27:48.557: ISAKMP:(0): vendor ID is NAT-T v2
May  1 18:27:48.557: ISAKMP:(0): processing vendor id payload
May  1 18:27:48.557: ISAKMP:(0): processing IKE frag vendor id payload
May  1 18:27:48.561: ISAKMP:(0): Support for IKE Fragmentation not enabled
May  1 18:27:48.561: ISAKMP : Scanning profiles for xauth ...
May  1 18:27:48.561: ISAKMP:(0):Checking ISAKMP transform 1 against priority 5 policy
May  1 18:27:48.561: ISAKMP:      encryption 3DES-CBC
May  1 18:27:48.561: ISAKMP:      hash MD5
May  1 18:27:48.561: ISAKMP:      default group 2
May  1 18:27:48.561: ISAKMP:      auth RSA sig
May  1 18:27:48.561: ISAKMP:      life type in seconds
May  1 18:27:48.561: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
May  1 18:27:48.565: ISAKMP:(0):atts are acceptable. Next payload is 0
May  1 18:27:48.565: ISAKMP:(0):Acceptable atts:actual life: 0
May  1 18:27:48.565: ISAKMP:(0):Acceptable atts:life: 0
May  1 18:27:48.565: ISAKMP:(0):Fill atts in sa vpi_length:4
May  1 18:27:48.565: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
May  1 18:27:48.565: ISAKMP:(0):Returning Actual lifetime: 86400
May  1 18:27:48.565: ISAKMP:(0)::Started lifetime timer: 86400.

May  1 18:27:48.569: ISAKMP:(0): processing vendor id payload
May  1 18:27:48.569: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
May  1 18:27:48.569: ISAKMP:(0): vendor ID is NAT-T v2
May  1 18:27:48.569: ISAKMP:(0): processing vendor id payload
May  1 18:27:48.569: ISAKMP:(0): processing IKE frag vendor id payload
May  1 18:27:48.569: ISAKMP:(0): Support for IKE Fragmentation not enabled
May  1 18:27:48.573: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
May  1 18:27:48.573: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2

May  1 18:27:48.577: ISAKMP (0:0): constructing CERT_REQ for issuer cn=sc06-aaa,ou=CCIE,o=INE,l=Reno,st=NV,c=US,[email protected]
May  1 18:27:48.581: ISAKMP:(0): sending packet to 136.6.123.12 my_port 500 peer_port 500 (I) MM_SA_SETUP
May  1 18:27:48.581: ISAKMP:(0):Sending an IKE IPv4 Packet.
May  1 18:27:48.581: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
May  1 18:27:48.581: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3

May  1 18:27:48.585: ISAKMP (0:0): received packet from 136.6.123.12 dport 500 sport 500 Global (I) MM_SA_SETUP
May  1 18:27:48.589: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
May  1 18:27:48.589: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4

May  1 18:27:48.593: ISAKMP:(0): processing KE payload. message ID = 0
May  1 18:27:48.882: ISAKMP:(0): processing NONCE payload. message ID = 0
May  1 18:27:48.886: ISAKMP:(1018): processing CERT_REQ payload. message ID = 0
May  1 18:27:48.886: ISAKMP:(1018): peer wants a CT_X509_SIGNATURE cert
May  1 18:27:48.890: ISAKMP:(1018): peer wants cert issued by cn=sc06-aaa,ou=CCIE,o=INE,l=Reno,st=NV,c=US,[email protected]
May  1 18:27:48.890: ISAKMP:(1018): issuer name is not a trusted root.
May  1 18:27:48.890: ISAKMP:(1018): processing vendor id payload
May  1 18:27:48.894: ISAKMP:(1018): vendor ID is Unity
May  1 18:27:48.894: ISAKMP:(1018): processing vendor id payload
May  1 18:27:48.894: ISAKMP:(1018): vendor ID seems Unity/DPD but major 229 mismatch
May  1 18:27:48.894: ISAKMP:(1018): vendor ID is XAUTH
May  1 18:27:48.894: ISAKMP:(1018): processing vendor id payload
May  1 18:27:48.894: ISAKMP:(1018): speaking to another IOS box!
May  1 18:27:48.898: ISAKMP:(1018): processing vendor id payload
May  1 18:27:48.898: ISAKMP:(1018):vendor ID seems Unity/DPD but hash mismatch
May  1 18:27:48.898: ISAKMP:received payload type 20
May  1 18:27:48.898: ISAKMP:received payload type 20
May  1 18:27:48.898: ISAKMP:(1018):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
May  1 18:27:48.898: ISAKMP:(1018):Old State = IKE_I_MM4  New State = IKE_I_MM4

May  1 18:27:48.902: ISAKMP:(1018):Send initial contact
May  1 18:27:48.902: ISAKMP:(1018):Unable to get router cert or routerdoes not have a cert: needed to find DN!
May  1 18:27:48.906: ISAKMP:(1018):SA is doing RSA signature authentication using id type ID_IPV4_ADDR
May  1 18:27:48.906: ISAKMP (0:1018): ID payload
    next-payload : 6
    type         : 1
    address      : 136.6.123.3
    protocol     : 17
    port         : 500
    length       : 12
May  1 18:27:48.906: ISAKMP:(1018):Total payload length: 12
May  1 18:27:48.906: ISAKMP:(1018): no valid cert found to return
May  1 18:27:48.910: ISAKMP: set new node 931745642 to QM_IDLE     
May  1 18:27:48.910: ISAKMP:(1018):Sending NOTIFY CERTIFICATE_UNAVAILABLE protocol 1
    spi 0, message ID = 931745642
May  1 18:27:48.910: ISAKMP:(1018): sending packet to 136.6.123.12 my_port 500 peer_port 500 (I) MM_KEY_EXCH
May  1 18:27:48.910: ISAKMP:(1018):Sending an IKE IPv4 Packet.
May  1 18:27:48.914: ISAKMP:(1018):purging node 931745642
May  1 18:27:48.914: ISAKMP (0:1018): FSM action returned error: 2
May  1 18:27:48.914: ISAKMP:(1018):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
May  1 18:27:48.914: ISAKMP:(1018):Old State = IKE_I_MM4  New State = IKE_I_MM5

Rack6R3#
Rack6R3#
May  1 18:27:56.584: ISAKMP (0:1018): received packet from 136.6.123.12 dport 500 sport 500 Global (I) MM_KEY_EXCH
May  1 18:27:56.584: ISAKMP:(1018): phase 1 packet is a duplicate of a previous packet.
May  1 18:27:56.584: ISAKMP:(1018): retransmitting due to retransmit phase 1
May  1 18:27:56.584: ISAKMP:(1018): no outgoing phase 1 packet to retransmit. MM_KEY_EXCH
Rack6R3#
May  1 18:27:58.584: ISAKMP:(1018): no outgoing phase 1 packet to retransmit. MM_KEY_EXCH
Rack6R3#
May  1 18:28:04.094: ISAKMP (0:1017): received packet from 136.6.123.12 dport 500 sport 500 Global (I) MM_NO_STATE
Rack6R3#
May  1 18:28:09.095: ISAKMP:(1017):purging node -1951043775
May  1 18:28:09.095: ISAKMP:(1017):purging node -1309289369
May  1 18:28:09.095: ISAKMP:(1017):purging node -1327221144
Rack6R3#
May  1 18:28:12.585: ISAKMP (0:1018): received packet from 136.6.123.12 dport 500 sport 500 Global (I) MM_KEY_EXCH
May  1 18:28:12.585: ISAKMP:(1018): phase 1 packet is a duplicate of a previous packet.
May  1 18:28:12.585: ISAKMP:(1018): retransmitting due to retransmit phase 1
May  1 18:28:12.585: ISAKMP:(1018): no outgoing phase 1 packet to retransmit. MM_KEY_EXCH
Rack6R3#
May  1 18:28:19.097: ISAKMP:(1017):purging SA., sa=8810C5B8, delme=8810C5B8
Rack6R3#





Rack6ASA1# sh crypto ca CErtificates
CA Certificate
  Status: Available
  Certificate Serial Number: 122272c6e4466092444cbc4709e79763
  Certificate Usage: Signature
  Public Key Type: RSA (512 bits)
  Issuer Name:
    cn=sc06-aaa
    ou=CCIE
    o=INE
    l=Reno
    st=NV
    c=US
    [email protected]
  Subject Name:
    cn=sc06-aaa
    ou=CCIE
    o=INE
    l=Reno
    st=NV
    c=US
    [email protected]
  CRL Distribution Points:
    [1]  http://sc06-aaa/CertEnroll/sc06-aaa.crl
    [2]  file://\\sc06-aaa\CertEnroll\sc06-aaa.crl
  Validity Date:
    start date: 00:18:38 UTC Jun 11 2010
    end   date: 00:28:20 UTC Jun 11 2020
  Associated Trustpoints: IE1

Rack6ASA1#


Comments

  • Check the mscep page on the CA server; you may have to manually issue the certificate first. Also try changing to PSK authentication to make sure that there's nothing else wrong with the policy and that it's the CA server problem for sure.

    Brian McGahan, CCIE #8593 (R&S/SP/Security)
     
    Internetwork Expert, Inc.
    Toll Free: 877-224-8987 x 705
    Outside US: 775-826-4344 x 705
    Online Community: http://www.IEOC.com

    On May 1, 2011, at 11:41 AM, "cmfigue" <[email protected]> wrote:

           Engine-id:Conn-id =  SW:17

    IPv6 Crypto ISAKMP SA

    Rack6R3#


    ====================================================================================================================================================
    Rack6R3#debug crypto isakmp  
    Crypto ISAKMP debugging is on
    Rack6R3#ping 136.6.121.1 source fa 0/1

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 136.6.121.1, timeout is 2 seconds:
    Packet sent with a source address of 136.6.23.3

    May  1 18:27:18.532: ISAKMP: set new node 0 to QM_IDLE     
    May  1 18:27:18.532: ISAKMP:(1017):SA is still budding. Attached new ipsec request to it. (local 136.6.123.3, remote 136.6.123.12)
    May  1 18:27:18.532: ISAKMP: Error while processing SA request: Failed to initialize SA
    May  1 18:27:18.532: ISAKMP: Error while processing KMI message 0, error 2.
    May  1 18:27:19.077: ISAKMP: quick mode timer expired.
    May  1 18:27:19.077: ISAKMP:(1017):src 136.6.123.3 dst 136.6.123.12, SA is not authenticated
    May  1 18:27:19.077: ISAKMP:(1017):peer does not do paranoid keepalives.

    May  1 18:27:19.077: ISAKMP:(1017):deleting SA reason "QM_TIMER expired" state (I) MM_KEY_EXCH (peer 136.6.123.12)
    May  1 18:27:19.081: ISAKMP:(1017):deleting SA reason "QM_TIMER expired" state (I) MM_KEY_EXCH (peer 136.6.123.12)
    May  1 18:27:19.081: ISAKMP: Unlocking peer struct 0x8810CD44 for isadb_mark_sa_deleted(), count 0
    May  1 18:27:19.081: ISAKMP: Deleting peer node by peer_reap for 136.6.123.12:. 8810CD44
    May  1 18:27:19.085: ISAKMP:(1017):deleting node -1951043775 error FALSE reason "IKE deleted"
    May  1 18:27:19.085: ISAKMP:(1017):deleting node -1309289369 error FALSE reason "IKE deleted"
    May  1 18:27:19.085: ISAKMP:(1017):deleting node -1327221144 error FALSE reason "IKE deleted"
    May  1 18:27:19.085: ISAKMP:(1017):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
    May  1 18:27:19.089: ISAKMP:(1017):Old State = IKE_I_MM5  New State = IKE_DEST_SA
    ....
    Success rate is 0 percent (0/5)
    Rack6R3#
    May  1 18:27:48.533: ISAKMP:(0): SA request profile is (NULL)
    May  1 18:27:48.533: ISAKMP: Created a peer struct for 136.6.123.12, peer port 500
    May  1 18:27:48.533: ISAKMP: New peer created peer = 0x8810CD44 peer_handle = 0x8000001B
    May  1 18:27:48.537: ISAKMP: Locking peer struct 0x8810CD44, refcount 1 for isakmp_initiator
    May  1 18:27:48.537: ISAKMP: local port 500, remote port 500
    May  1 18:27:48.537: ISAKMP: set new node 0 to QM_IDLE     
    May  1 18:27:48.537: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 88273920
    May  1 18:27:48.537: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
    May  1 18:27:48.541: ISAKMP:(0):No pre-shared key with 136.6.123.12!
    May  1 18:27:48.541: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
    May  1 18:27:48.541: ISAKMP:(0): constructed NAT-T vendor-07 ID
    May  1 18:27:48.541: ISAKMP:(0): constructed NAT-T vendor-03 ID
    May  1 18:27:48.541: ISAKMP:(0): constructed NAT-T vendor-02 ID
    May  1 18:27:48.541: IS
    Rack6R3#AKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
    May  1 18:27:48.545: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1

    May  1 18:27:48.545: ISAKMP:(0): beginning Main Mode exchange
    May  1 18:27:48.545: ISAKMP:(0): sending packet to 136.6.123.12 my_port 500 peer_port 500 (I) MM_NO_STATE
    May  1 18:27:48.545: ISAKMP:(0):Sending an IKE IPv4 Packet.
    May  1 18:27:48.553: ISAKMP (0:0): received packet from 136.6.123.12 dport 500 sport 500 Global (I) MM_NO_STATE
    May  1 18:27:48.553: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    May  1 18:27:48.553: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2

    May  1 18:27:48.557: ISAKMP:(0): processing SA payload. message ID = 0
    May  1 18:27:48.557: ISAKMP:(0): processing vendor id payload
    May  1 18:27:48.557: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
    May  1 18:27:48.557: ISAKMP:(0): vendor ID is NAT-T v2
    May  1 18:27:48.557: ISAKMP:(0): processing vendor id payload
    May  1 18:27:48.557: ISAKMP:(0): processing IKE frag vendor id payload
    May  1 18:27:48.561: ISAKMP:(0): Support for IKE Fragmentation not enabled
    May  1 18:27:48.561: ISAKMP : Scanning profiles for xauth ...
    May  1 18:27:48.561: ISAKMP:(0):Checking ISAKMP transform 1 against priority 5 policy
    May  1 18:27:48.561: ISAKMP:      encryption 3DES-CBC
    May  1 18:27:48.561: ISAKMP:      hash MD5
    May  1 18:27:48.561: ISAKMP:      default group 2
    May  1 18:27:48.561: ISAKMP:      auth RSA sig
    May  1 18:27:48.561: ISAKMP:      life type in seconds
    May  1 18:27:48.561: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
    May  1 18:27:48.565: ISAKMP:(0):atts are acceptable. Next payload is 0
    May  1 18:27:48.565: ISAKMP:(0):Acceptable atts:actual life: 0
    May  1 18:27:48.565: ISAKMP:(0):Acceptable atts:life: 0
    May  1 18:27:48.565: ISAKMP:(0):Fill atts in sa vpi_length:4
    May  1 18:27:48.565: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
    May  1 18:27:48.565: ISAKMP:(0):Returning Actual lifetime: 86400
    May  1 18:27:48.565: ISAKMP:(0)::Started lifetime timer: 86400.

    May  1 18:27:48.569: ISAKMP:(0): processing vendor id payload
    May  1 18:27:48.569: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
    May  1 18:27:48.569: ISAKMP:(0): vendor ID is NAT-T v2
    May  1 18:27:48.569: ISAKMP:(0): processing vendor id payload
    May  1 18:27:48.569: ISAKMP:(0): processing IKE frag vendor id payload
    May  1 18:27:48.569: ISAKMP:(0): Support for IKE Fragmentation not enabled
    May  1 18:27:48.573: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    May  1 18:27:48.573: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2

    May  1 18:27:48.577: ISAKMP (0:0): constructing CERT_REQ for issuer cn=sc06-aaa,ou=CCIE,o=INE,l=Reno,st=NV,c=US,[email protected]
    May  1 18:27:48.581: ISAKMP:(0): sending packet to 136.6.123.12 my_port 500 peer_port 500 (I) MM_SA_SETUP
    May  1 18:27:48.581: ISAKMP:(0):Sending an IKE IPv4 Packet.
    May  1 18:27:48.581: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    May  1 18:27:48.581: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3

    May  1 18:27:48.585: ISAKMP (0:0): received packet from 136.6.123.12 dport 500 sport 500 Global (I) MM_SA_SETUP
    May  1 18:27:48.589: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
    May  1 18:27:48.589: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4

    May  1 18:27:48.593: ISAKMP:(0): processing KE payload. message ID = 0
    May  1 18:27:48.882: ISAKMP:(0): processing NONCE payload. message ID = 0
    May  1 18:27:48.886: ISAKMP:(1018): processing CERT_REQ payload. message ID = 0
    May  1 18:27:48.886: ISAKMP:(1018): peer wants a CT_X509_SIGNATURE cert
    May  1 18:27:48.890: ISAKMP:(1018): peer wants cert issued by cn=sc06-aaa,ou=CCIE,o=INE,l=Reno,st=NV,c=US,[email protected]
    May  1 18:27:48.890: ISAKMP:(1018): issuer name is not a trusted root.
    May  1 18:27:48.890: ISAKMP:(1018): processing vendor id payload
    May  1 18:27:48.894: ISAKMP:(1018): vendor ID is Unity
    May  1 18:27:48.894: ISAKMP:(1018): processing vendor id payload
    May  1 18:27:48.894: ISAKMP:(1018): vendor ID seems Unity/DPD but major 229 mismatch
    May  1 18:27:48.894: ISAKMP:(1018): vendor ID is XAUTH
    May  1 18:27:48.894: ISAKMP:(1018): processing vendor id payload
    May  1 18:27:48.894: ISAKMP:(1018): speaking to another IOS box!
    May  1 18:27:48.898: ISAKMP:(1018): processing vendor id payload
    May  1 18:27:48.898: ISAKMP:(1018):vendor ID seems Unity/DPD but hash mismatch
    May  1 18:27:48.898: ISAKMP:received payload type 20
    May  1 18:27:48.898: ISAKMP:received payload type 20
    May  1 18:27:48.898: ISAKMP:(1018):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
    May  1 18:27:48.898: ISAKMP:(1018):Old State = IKE_I_MM4  New State = IKE_I_MM4

    May  1 18:27:48.902: ISAKMP:(1018):Send initial contact
    May  1 18:27:48.902: ISAKMP:(1018):Unable to get router cert or routerdoes not have a cert: needed to find DN!
    May  1 18:27:48.906: ISAKMP:(1018):SA is doing RSA signature authentication using id type ID_IPV4_ADDR
    May  1 18:27:48.906: ISAKMP (0:1018): ID payload
        next-payload : 6
        type         : 1
        address      : 136.6.123.3
        protocol     : 17
        port         : 500
        length       : 12
    May  1 18:27:48.906: ISAKMP:(1018):Total payload length: 12
    May  1 18:27:48.906: ISAKMP:(1018): no valid cert found to return
    May  1 18:27:48.910: ISAKMP: set new node 931745642 to QM_IDLE     
    May  1 18:27:48.910: ISAKMP:(1018):Sending NOTIFY CERTIFICATE_UNAVAILABLE protocol 1
        spi 0, message ID = 931745642
    May  1 18:27:48.910: ISAKMP:(1018): sending packet to 136.6.123.12 my_port 500 peer_port 500 (I) MM_KEY_EXCH
    May  1 18:27:48.910: ISAKMP:(1018):Sending an IKE IPv4 Packet.
    May  1 18:27:48.914: ISAKMP:(1018):purging node 931745642
    May  1 18:27:48.914: ISAKMP (0:1018): FSM action returned error: 2
    May  1 18:27:48.914: ISAKMP:(1018):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
    May  1 18:27:48.914: ISAKMP:(1018):Old State = IKE_I_MM4  New State = IKE_I_MM5

    Rack6R3#
    Rack6R3#
    May  1 18:27:56.584: ISAKMP (0:1018): received packet from 136.6.123.12 dport 500 sport 500 Global (I) MM_KEY_EXCH
    May  1 18:27:56.584: ISAKMP:(1018): phase 1 packet is a duplicate of a previous packet.
    May  1 18:27:56.584: ISAKMP:(1018): retransmitting due to retransmit phase 1
    May  1 18:27:56.584: ISAKMP:(1018): no outgoing phase 1 packet to retransmit. MM_KEY_EXCH
    Rack6R3#
    May  1 18:27:58.584: ISAKMP:(1018): no outgoing phase 1 packet to retransmit. MM_KEY_EXCH
    Rack6R3#
    May  1 18:28:04.094: ISAKMP (0:1017): received packet from 136.6.123.12 dport 500 sport 500 Global (I) MM_NO_STATE
    Rack6R3#
    May  1 18:28:09.095: ISAKMP:(1017):purging node -1951043775
    May  1 18:28:09.095: ISAKMP:(1017):purging node -1309289369
    May  1 18:28:09.095: ISAKMP:(1017):purging node -1327221144
    Rack6R3#
    May  1 18:28:12.585: ISAKMP (0:1018): received packet from 136.6.123.12 dport 500 sport 500 Global (I) MM_KEY_EXCH
    May  1 18:28:12.585: ISAKMP:(1018): phase 1 packet is a duplicate of a previous packet.
    May  1 18:28:12.585: ISAKMP:(1018): retransmitting due to retransmit phase 1
    May  1 18:28:12.585: ISAKMP:(1018): no outgoing phase 1 packet to retransmit. MM_KEY_EXCH
    Rack6R3#
    May  1 18:28:19.097: ISAKMP:(1017):purging SA., sa=8810C5B8, delme=8810C5B8
    Rack6R3#





    Rack6ASA1# sh crypto ca CErtificates
    CA Certificate
      Status: Available
      Certificate Serial Number: 122272c6e4466092444cbc4709e79763
      Certificate Usage: Signature
      Public Key Type: RSA (512 bits)
      Issuer Name:
        cn=sc06-aaa
        ou=CCIE
        o=INE
        l=Reno
        st=NV
        c=US
        [email protected]
      Subject Name:
        cn=sc06-aaa
        ou=CCIE
        o=INE
        l=Reno
        st=NV
        c=US
        [email protected]
      CRL Distribution Points:
        [1]  http://sc06-aaa/CertEnroll/sc06-aaa.crl
        [2]  file://\\sc06-aaa\CertEnroll\sc06-aaa.crl
      Validity Date:
        start date: 00:18:38 UTC Jun 11 2010
        end   date: 00:28:20 UTC Jun 11 2020
      Associated Trustpoints: IE1

    Rack6ASA1#





    INE - The Industry Leader in CCIE Preparation

    http://www.INE.com



    Subscription information may be found at:

    http://www.ieoc.com/forums/ForumSubscriptions.aspx
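    The debug above already contains the answer, but it is easy to miss among the vendor-ID and state lines. As an added example (not the poster's code, nor anything from INE or Cisco), here is a small Python triage script that records the ISAKMP state transitions per SA and maps the certificate-related messages in a `debug crypto isakmp` capture to a likely cause. The cause names and hints are this example's own wording; SAMPLE_DEBUG is constructed from lines quoted in the post.

```python
"""Triage an IOS `debug crypto isakmp` capture for IKEv1 Phase 1 failures.

Added example (not code from the thread, INE, or Cisco). It records the
ISAKMP state transitions per SA and maps well-known certificate-related
debug messages to a likely root cause. The cause names and hints are this
example's own wording; SAMPLE_DEBUG is constructed from lines quoted in the
thread above.
"""
import re
from collections import defaultdict

# (needle, cause, what to verify). A cause of None is informational only.
INDICATORS = [
    ("QM_TIMER expired", "phase 1 timed out",
     "the SA was deleted before authentication finished; look earlier in the log"),
    ("issuer name is not a trusted root", "peer's CA not trusted locally",
     "authenticate the peer's CA under a trustpoint (show crypto pki trustpoints)"),
    ("does not have a cert", "missing identity certificate",
     "enrollment never completed; check show crypto pki certificates for a router cert"),
    ("no valid cert found to return", "missing identity certificate",
     "no usable identity cert for this ISAKMP ID; check validity dates and key pair"),
    ("CERTIFICATE_UNAVAILABLE", "missing identity certificate",
     "this side notified the peer that it cannot present a certificate"),
    ("No pre-shared key with", None,
     "informational: no PSK exists, so RSA-sig is the only usable auth method"),
]

STATE_RE = re.compile(r"ISAKMP:\((\d+)\):Old State = (\S+)\s+New State = (\S+)")
TS_RE = re.compile(r"^\S+\s+\d+\s+[\d:.]+: ")  # strips "May  1 18:27:48.541: "


def parse_debug(lines):
    """Return (transitions, findings).

    transitions: {sa_id: [(old_state, new_state), ...]} with no-op loops dropped
    findings:    [(line_no, cause, hint), ...] in log order
    """
    transitions = defaultdict(list)
    findings = []
    for n, raw in enumerate(lines, start=1):
        line = TS_RE.sub("", raw.strip())
        m = STATE_RE.search(line)
        if m:
            sa_id, old, new = m.groups()
            if old != new:
                transitions[sa_id].append((old, new))
            continue
        for needle, cause, hint in INDICATORS:
            if needle in line:
                findings.append((n, cause, hint))
                break
    return dict(transitions), findings


def diagnose(lines):
    """Distinct causes in order of first appearance plus the last state per SA."""
    transitions, findings = parse_debug(lines)
    causes = []
    for _, cause, _ in findings:
        if cause and cause not in causes:
            causes.append(cause)
    last_state = {sa: steps[-1][1] for sa, steps in transitions.items()}
    return {"causes": causes, "last_state": last_state, "findings": findings}


# Constructed from the R3 debug quoted in the thread (timestamps kept).
SAMPLE_DEBUG = [
    'May  1 18:27:19.077: ISAKMP:(1017):deleting SA reason "QM_TIMER expired" state (I) MM_KEY_EXCH (peer 136.6.123.12)',
    "May  1 18:27:19.089: ISAKMP:(1017):Old State = IKE_I_MM5  New State = IKE_DEST_SA",
    "May  1 18:27:48.541: ISAKMP:(0):No pre-shared key with 136.6.123.12!",
    "May  1 18:27:48.545: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1",
    "May  1 18:27:48.553: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2",
    "May  1 18:27:48.581: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3",
    "May  1 18:27:48.589: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4",
    "May  1 18:27:48.890: ISAKMP:(1018): issuer name is not a trusted root.",
    "May  1 18:27:48.898: ISAKMP:(1018):Old State = IKE_I_MM4  New State = IKE_I_MM4",
    "May  1 18:27:48.902: ISAKMP:(1018):Unable to get router cert or routerdoes not have a cert: needed to find DN!",
    "May  1 18:27:48.906: ISAKMP:(1018): no valid cert found to return",
    "May  1 18:27:48.910: ISAKMP:(1018):Sending NOTIFY CERTIFICATE_UNAVAILABLE protocol 1",
    "May  1 18:27:48.914: ISAKMP:(1018):Old State = IKE_I_MM4  New State = IKE_I_MM5",
]

if __name__ == "__main__":
    result = diagnose(SAMPLE_DEBUG)
    print("causes:", result["causes"])
    print("last state per SA:", result["last_state"])
    for n, cause, hint in result["findings"]:
        print(f"  line {n}: {cause or 'info'} - {hint}")
```

    Run against the quoted capture it reports that SA 1018 stalled in IKE_I_MM5 (it sent MM message 5 carrying CERTIFICATE_UNAVAILABLE and the ASA, sitting in MM_WAIT_MSG5, never got a usable one), with "missing identity certificate" as the cause: the CA certificate may be present under the trustpoint, but without an enrolled identity certificate RSA-signature authentication cannot complete.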
  • Hi!

    I did the lab again and in a different rack.  With PSK it's cool, with CA it's not working.  The ASA still does not show the message = The certificate has been granted by CA!

    Another thing is that the time on the routers synced with the NTP server is different from the CA server's.

    The CA Server is on May 1 and the devices show May 2.

    Rack4ASA1(config)# sh ntp status
    Clock is synchronized, stratum 5, reference is 10.0.0.100
    nominal freq is 99.9984 Hz, actual freq is 99.9941 Hz, precision is 2**6
    reference time is d1688d01.ac836b4b (01:53:05.673 UTC Mon May 2 2011)
    clock offset is 29.3163 msec, root delay is 0.82 msec
    root dispersion is 56.55 msec, peer dispersion is 16.04 msec
    Rack4ASA1(config)#

    Rack4R3#sh ntp status
    Clock is synchronized, stratum 5, reference is 10.0.0.100
    nominal freq is 249.5901 Hz, actual freq is 249.5811 Hz, precision is 2**16
    reference time is D1688D0C.DAAE4183 (01:53:16.854 UTC Mon May 2 2011)
    clock offset is 45.4517 msec, root delay is 2.81 msec
    root dispersion is 57.28 msec, peer dispersion is 0.47 msec
    Rack4R3#

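    Certificate validity is checked against the device's own clock, so a clock that disagrees with the CA is worth quantifying before chasing enrollment problems. As an added example (not the poster's code, nor anything from INE or Cisco), the Python below parses the validity window from `show crypto ca certificates` and the reference time from `show ntp status` (both quoted in this thread), reports whether each device's clock falls inside the window, and measures the skew against the CA's wall clock. The post gives only the CA's date, so CA_WALL_CLOCK is a constructed value; the last helper checks whether a whole-hour difference would be explained by the CA displaying local time rather than UTC, which is a common source of an apparent one-day mismatch.

```python
"""Check IKE/PKI peers' clocks against a certificate's validity window.

Added example (not code from the thread, INE, or Cisco). It parses the
validity dates from `show crypto ca certificates` and the reference time
from `show ntp status`, reports whether each device's clock falls inside the
certificate's validity window, and measures the skew between a device and
the CA's wall clock. CA_WALL_CLOCK is constructed: the thread only says the
CA shows May 1 while the devices show May 2, so a time of day is assumed.
"""
import re
from datetime import datetime, timedelta

VALIDITY_RE = re.compile(
    r"(start|end)\s+date:\s+(\d\d:\d\d:\d\d)\s+UTC\s+(\w{3}\s+\d{1,2}\s+\d{4})")
NTP_REF_RE = re.compile(
    r"reference time is \S+ \((\d\d:\d\d:\d\d)\.\d+ UTC \w{3} (\w{3} \d{1,2} \d{4})\)")


def _ts(clock, date):
    """Combine 'HH:MM:SS' and 'Mon D YYYY' into a naive UTC datetime."""
    return datetime.strptime(f"{date} {clock}", "%b %d %Y %H:%M:%S")


def parse_validity(show_cert):
    """Return (not_before, not_after) from the Validity Date block."""
    found = {k: _ts(c, d) for k, c, d in VALIDITY_RE.findall(show_cert)}
    return found["start"], found["end"]


def parse_ntp_reference(show_ntp):
    """Return the NTP reference time (moment of last sync) as naive UTC."""
    m = NTP_REF_RE.search(show_ntp)
    if not m:
        raise ValueError("no reference time in show ntp status output")
    return _ts(m.group(1), m.group(2))


def cert_status(now, not_before, not_after):
    """'valid', 'not yet valid' or 'expired' for the clock value `now`."""
    if now < not_before:
        return "not yet valid"
    if now > not_after:
        return "expired"
    return "valid"


def skew(a, b):
    """Absolute difference between two clocks."""
    return abs(a - b)


def timezone_offsets_explaining(device_utc, ca_wall_clock,
                                tolerance=timedelta(minutes=5)):
    """Whole-hour UTC offsets h such that CA local time == device UTC + h.

    A non-empty list means the mismatch may be a display timezone rather
    than real skew; an empty list means the clocks genuinely disagree.
    """
    return [h for h in range(-12, 15)
            if skew(device_utc, ca_wall_clock - timedelta(hours=h)) <= tolerance]


# Sample outputs quoted in the thread (trimmed); CA_WALL_CLOCK is constructed.
SHOW_CERT = """  Validity Date:
    start date: 00:18:38 UTC Jun 11 2010
    end   date: 00:28:20 UTC Jun 11 2020
"""
SHOW_NTP = {
    "Rack4ASA1": "reference time is d1688d01.ac836b4b (01:53:05.673 UTC Mon May 2 2011)",
    "Rack4R3": "reference time is D1688D0C.DAAE4183 (01:53:16.854 UTC Mon May 2 2011)",
}
CA_WALL_CLOCK = datetime(2011, 5, 1, 18, 53, 5)  # constructed: "May 1" per the thread


def report(show_cert=SHOW_CERT, show_ntp=SHOW_NTP, ca_clock=CA_WALL_CLOCK):
    """Per-device certificate status, skew against the CA, and candidate tz offsets."""
    not_before, not_after = parse_validity(show_cert)
    out = {}
    for device, text in show_ntp.items():
        now = parse_ntp_reference(text)
        out[device] = {
            "status": cert_status(now, not_before, not_after),
            "skew_vs_ca": skew(now, ca_clock),
            "tz_offsets": timezone_offsets_explaining(now, ca_clock),
        }
    return out


if __name__ == "__main__":
    for device, info in report().items():
        print(device, info["status"], "skew", info["skew_vs_ca"],
              "explained by UTC offset(s):", info["tz_offsets"])
```

    With the constructed CA time the CA certificate is valid on both devices and the skew is a clean 7 hours, which the helper flags as consistent with a UTC-7 local display; only if no whole-hour offset fits should the NTP source be suspected. A freshly issued identity certificate would show the same "not yet valid" problem if the device clock were behind the CA's, which is the case worth checking right after enrollment.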

  • 3.3 Authentication using Digital Signatures WB VOL I:

    Here is the deal: I lost 1.5 hours on the lab trying to make this crap work; it's a bug.

    I removed the CA and installed it back with SCEP. It asks to reload the server afterwards, but if you do, it breaks.

    My suggestion: to do this lab you have to remove the CA, install it again with SCEP, and not reload the server. It will work.

    Once you have reinstalled the CA, go to Properties and make sure that the option to issue certificates automatically is checked; the default is to wait for the admin to accept the certificate.

    When installing SCEP back again, make sure to uncheck the box that asks for a one-time password for SCEP; otherwise you will have to enter this one-time password on the router or ASA, and it's a pain on the...

     

    The CA can be installed from the Windows apps, and it's located in the folder called i386.

    SCEP was located in a folder called data on c:

  • Thanks for this response. After taking a much longer amount of time than I probably should have trying to troubleshoot, I finally searched the forums and found this reply, which solved the issue.

    The bright side is that, once I got the CA enabled for SCEP (another hint is to browse to http://10.0.0.100/certsrv/mscep/ locally on the Windows server to find the SCEP server setup instructions, and then search in Windows Explorer for mscep.exe to find the executable you need to run), I was able to quickly get through the exercise and 3.4 and 3.5 with no further issues.

     
