Task 4.1 does not work when trying to initiate from VLAN 3

Refer to the old forum threads: http://forum.internetworkexpert.com/ubbthreads.php/ubb/showflat/Number/16076/page/1#Post16076

http://forum.internetworkexpert.com/ubbthreads.php/ubb/showflat/Number/16140/page/2#Post16140


I found the same problem: I cannot initiate the VPN traffic from VLAN 3 to VLAN 19, but I can initiate the traffic from VLAN 19 to VLAN 3.


I found that when I try to initiate from VLAN 3, the ASA seems to say there is no key match with this peer. But if there is no match, why does it work in the opposite direction?


%PIX-7-609002: Teardown local-host outside:10.35.35.3 duration 0:00:00
%PIX-7-609002: Teardown local-host outside:162.1.19.1 duration 0:00:00
%PIX-7-715077: Pitcher: received a key acquire message, spi 0x0
%PIX-6-713905: There is no valid IKE proposal available, check IPSec SA configuration!
%PIX-3-713902: Removing peer from peer table failed, no match!
%PIX-4-713903: Error: Unable to remove PeerTblEntry


-----------------------------------------------------------------


Here are the configs (ASA first, then R1):


Rack1ASA1# sh run
: Saved
:
PIX Version 7.2(2)
!
hostname Rack1ASA1
domain-name test.com
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 162.1.123.12 255.255.255.0
 ospf message-digest-key 1 md5 <removed>
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 162.1.128.12 255.255.255.0
!
interface Ethernet2
 shutdown
 no nameif
 no security-level
 no ip address

!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name test.com
same-security-traffic permit intra-interface
access-list outside_in extended permit tcp any host 10.0.0.100 eq www
access-list outside_in extended permit ip 10.35.35.0 255.255.255.0 162.1.19.0 255.255.255.0
access-list vpn extended permit ip 10.35.35.0 255.255.255.0 162.1.19.0 255.255.255.0
pager lines 24
logging enable
logging buffered debugging
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group outside_in in interface outside
route outside 10.35.35.0 255.255.255.0 162.1.123.3 1
!
router ospf 1
 network 162.1.123.12 255.255.255.255 area 0
 area 0 authentication message-digest
 log-adj-changes
 redistribute rip subnets
!
router rip
 network 162.1.0.0
 redistribute ospf 1 metric 1
 default-information originate
 version 2
 no auto-summary
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set tf esp-3des esp-md5-hmac
crypto map vpn 10 match address vpn
crypto map vpn 10 set peer 162.1.13.1
crypto map vpn 10 set transform-set tf
crypto map vpn interface outside
crypto ca trustpoint tp
 revocation-check crl none
 enrollment url http://10.0.0.100:80/certsrv/mscep/mscep.dll
 crl configure
crypto ca certificate chain tp
 certificate 6102282f00000000000e
    3082038c 30820336 a0030201 02020a61 02282f00 00000000 0e300d06 092a8648
    86f70d01 01050500 305f310b 30090603 55040613 02555331 0d300b06 03550407
    13046369 74793115 30130603 55040a13 0c6f7267 616e697a 6174696f 6e311930
    17060355 040b1310 6f726761 6e697a61 74696f6e 756e6974 310f300d 06035504
    03130663 616e616d 65301e17 0d303930 31303830 35333835 325a170d 31303031
    30383035 34383532 5a302331 21301f06 092a8648 86f70d01 09021312 5261636b
    31415341 312e7465 73742e63 6f6d305c 300d0609 2a864886 f70d0101 01050003
    4b003048 024100e1 edee5089 396035e8 8a80df73 d5e0647c 1e71ecd1 56e78ed5
    dbd28ba9 d807dede 8829359c eb87fb87 cc332e1b dafb83cd c33d1dc6 5e2e2add
    ec214dcf dd8b3102 03010001 a382020e 3082020a 300b0603 551d0f04 04030205
    a0301d06 03551d11 04163014 82125261 636b3141 5341312e 74657374 2e636f6d
    301d0603 551d0e04 16041420 d8584f03 0ac181dd 0eb37f19 8df085d2 7d961c30
    81980603 551d2304 81903081 8d80147f b3c2225b 175efc52 c4ab966b c45068ea
    29620da1 63a46130 5f310b30 09060355 04061302 5553310d 300b0603 55040713
    04636974 79311530 13060355 040a130c 6f726761 6e697a61 74696f6e 31193017
    06035504 0b13106f 7267616e 697a6174 696f6e75 6e697431 0f300d06 03550403
    13066361 6e616d65 82100120 ee8f8bff bf824261 ca92d3e1 965e3075 0603551d
    1f046e30 6c3033a0 31a02f86 2d687474 703a2f2f 61637331 2e686f6e 64612e63
    6f2e7468 2f436572 74456e72 6f6c6c2f 63616e61 6d652e63 726c3035 a033a031
    862f6669 6c653a2f 2f5c5c61 6373312e 686f6e64 612e636f 2e74685c 43657274
    456e726f 6c6c5c63 616e616d 652e6372 6c3081aa 06082b06 01050507 01010481
    9d30819a 304a0608 2b060105 05073002 863e6874 74703a2f 2f616373 312e686f
    6e64612e 636f2e74 682f4365 7274456e 726f6c6c 2f616373 312e686f 6e64612e
    636f2e74 685f6361 6e616d65 2e637274 304c0608 2b060105 05073002 86406669
    6c653a2f 2f5c5c61 6373312e 686f6e64 612e636f 2e74685c 43657274 456e726f
    6c6c5c61 6373312e 686f6e64 612e636f 2e74685f 63616e61 6d652e63 7274300d
    06092a86 4886f70d 01010505 00034100 4ea7b29d 4dbb59c2 804b443c fd7bf5e8
    06300e62 17482a1e 139705d8 583edabc f1b6706c da7c2f46 18c61568 a007b9a6
    a288fc3c 30b8668e b2ccc0fc 46323799
  quit
 certificate ca 0120ee8f8bffbf824261ca92d3e1965e
    3082029d 30820247 a0030201 02021001 20ee8f8b ffbf8242 61ca92d3 e1965e30
    0d06092a 864886f7 0d010105 0500305f 310b3009 06035504 06130255 53310d30
    0b060355 04071304 63697479 31153013 06035504 0a130c6f 7267616e 697a6174
    696f6e31 19301706 0355040b 13106f72 67616e69 7a617469 6f6e756e 6974310f
    300d0603 55040313 0663616e 616d6530 1e170d30 38313231 37303933 3732355a
    170d3130 31323137 30393435 32395a30 5f310b30 09060355 04061302 5553310d
    300b0603 55040713 04636974 79311530 13060355 040a130c 6f726761 6e697a61
    74696f6e 31193017 06035504 0b13106f 7267616e 697a6174 696f6e75 6e697431
    0f300d06 03550403 13066361 6e616d65 305c300d 06092a86 4886f70d 01010105
    00034b00 30480241 00dbb938 5120f505 d8ac40f1 15294b1c 12261b25 81e796be
    c915397e 9a503944 6916f4e0 11e51415 6d5b3bc2 f81106f2 5f07dfec af4be3ca
    a695933b 575ccd0a ff020301 0001a381 de3081db 30130609 2b060104 01823714
    0204061e 04004300 41300b06 03551d0f 04040302 0186300f 0603551d 130101ff
    04053003 0101ff30 1d060355 1d0e0416 04147fb3 c2225b17 5efc52c4 ab966bc4
    5068ea29 620d3075 0603551d 1f046e30 6c3033a0 31a02f86 2d687474 703a2f2f
    61637331 2e686f6e 64612e63 6f2e7468 2f436572 74456e72 6f6c6c2f 63616e61
    6d652e63 726c3035 a033a031 862f6669 6c653a2f 2f5c5c61 6373312e 686f6e64
    612e636f 2e74685c 43657274 456e726f 6c6c5c63 616e616d 652e6372 6c301006
    092b0601 04018237 15010403 02010030 0d06092a 864886f7 0d010105 05000341
    0001a876 a899871d 636fd548 a98fe663 1a48f751 ced58054 438987d7 58bd07e3
    3a286aeb 9d97bdc8 e109f0fb 7ca6be78 b25f8650 ba456631 de7b05ee 0228e863 06
  quit
crypto isakmp enable outside
crypto isakmp policy 10
 authentication rsa-sig
 encryption 3des
 hash md5
 group 2
 lifetime 86400
tunnel-group 162.1.13.1 type ipsec-l2l
tunnel-group 162.1.13.1 ipsec-attributes
 trust-point tp
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
ntp authentication-key 1 md5 *
ntp authenticate
ntp trusted-key 1
ntp server 162.1.13.1 key 1
prompt hostname context
Cryptochecksum:a7e1666ec7e7bad08508bcde045ea495
: end


-------------------------


Rack1R1#sh run
Building configuration...

Current configuration : 6407 bytes
!
! Last configuration change at 12:13:18 UTC Thu Jan 8 2009
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Rack1R1
!
boot-start-marker
boot-end-marker
!
enable password cisco
!
no aaa new-model
ip subnet-zero
!
!
ip cef
no ip domain lookup
ip domain name test.com
!
ip audit po max-events 100
!
crypto ca trustpoint tp
 enrollment mode ra
 enrollment url http://10.0.0.100:80/certsrv/mscep/mscep.dll
 crl optional
!
crypto ca certificate chain tp
 certificate 0EB9665E00000000000B
  3082038B 30820335 A0030201 02020A0E B9665E00 00000000 0B300D06 092A8648
  86F70D01 01050500 305F310B 30090603 55040613 02555331 0D300B06 03550407
  13046369 74793115 30130603 55040A13 0C6F7267 616E697A 6174696F 6E311930
  17060355 040B1310 6F726761 6E697A61 74696F6E 756E6974 310F300D 06035504
  03130663 616E616D 65301E17 0D303930 31303830 35303434 365A170D 31303031
  30383035 31343436 5A302131 1F301D06 092A8648 86F70D01 09021310 5261636B
  3152312E 74657374 2E636F6D 305C300D 06092A86 4886F70D 01010105 00034B00
  30480241 00D5A764 FEEEB013 51AB70BD 7894ED60 D60B3810 C0BF60DE 6850A743
  9FC0A2DA 11540FC9 E511F7BB 99AD0607 64838409 F49984A2 B11B62A5 078C3B3A
  6D5A42C3 A3020301 0001A382 020F3082 020B300B 0603551D 0F040403 0205A030
  1D060355 1D0E0416 0414A3BA 4F3DE717 3D3BB783 1966CBAE 77D75CB4 EB3D3081
  98060355 1D230481 9030818D 80147FB3 C2225B17 5EFC52C4 AB966BC4 5068EA29
  620DA163 A461305F 310B3009 06035504 06130255 53310D30 0B060355 04071304
  63697479 31153013 06035504 0A130C6F 7267616E 697A6174 696F6E31 19301706
  0355040B 13106F72 67616E69 7A617469 6F6E756E 6974310F 300D0603 55040313
  0663616E 616D6582 100120EE 8F8BFFBF 824261CA 92D3E196 5E301E06 03551D11
  0101FF04 14301282 10526163 6B315231 2E746573 742E636F 6D307506 03551D1F
  046E306C 3033A031 A02F862D 68747470 3A2F2F61 6373312E 686F6E64 612E636F
  2E74682F 43657274 456E726F 6C6C2F63 616E616D 652E6372 6C3035A0 33A03186
  2F66696C 653A2F2F 5C5C6163 73312E68 6F6E6461 2E636F2E 74685C43 65727445
  6E726F6C 6C5C6361 6E616D65 2E63726C 3081AA06 082B0601 05050701 0104819D
  30819A30 4A06082B 06010505 07300286 3E687474 703A2F2F 61637331 2E686F6E
  64612E63 6F2E7468 2F436572 74456E72 6F6C6C2F 61637331 2E686F6E 64612E63
  6F2E7468 5F63616E 616D652E 63727430 4C06082B 06010505 07300286 4066696C
  653A2F2F 5C5C6163 73312E68 6F6E6461 2E636F2E 74685C43 65727445 6E726F6C
  6C5C6163 73312E68 6F6E6461 2E636F2E 74685F63 616E616D 652E6372 74300D06
  092A8648 86F70D01 01050500 03410005 4B684F07 A4CA488F 7BB2A3A1 E5331335
  9D3F3493 AE1A07E0 B5D81586 527C6474 FCA2D204 D156015B 7CDACFC8 2F5717C8
  F661BE37 E80D58AC 54E174BD 043F4B
  quit
 certificate ca 0120EE8F8BFFBF824261CA92D3E1965E
  3082029D 30820247 A0030201 02021001 20EE8F8B FFBF8242 61CA92D3 E1965E30
  0D06092A 864886F7 0D010105 0500305F 310B3009 06035504 06130255 53310D30
  0B060355 04071304 63697479 31153013 06035504 0A130C6F 7267616E 697A6174
  696F6E31 19301706 0355040B 13106F72 67616E69 7A617469 6F6E756E 6974310F
  300D0603 55040313 0663616E 616D6530 1E170D30 38313231 37303933 3732355A
  170D3130 31323137 30393435 32395A30 5F310B30 09060355 04061302 5553310D
  300B0603 55040713 04636974 79311530 13060355 040A130C 6F726761 6E697A61
  74696F6E 31193017 06035504 0B13106F 7267616E 697A6174 696F6E75 6E697431
  0F300D06 03550403 13066361 6E616D65 305C300D 06092A86 4886F70D 01010105
  00034B00 30480241 00DBB938 5120F505 D8AC40F1 15294B1C 12261B25 81E796BE
  C915397E 9A503944 6916F4E0 11E51415 6D5B3BC2 F81106F2 5F07DFEC AF4BE3CA
  A695933B 575CCD0A FF020301 0001A381 DE3081DB 30130609 2B060104 01823714
  0204061E 04004300 41300B06 03551D0F 04040302 0186300F 0603551D 130101FF
  04053003 0101FF30 1D060355 1D0E0416 04147FB3 C2225B17 5EFC52C4 AB966BC4
  5068EA29 620D3075 0603551D 1F046E30 6C3033A0 31A02F86 2D687474 703A2F2F
  61637331 2E686F6E 64612E63 6F2E7468 2F436572 74456E72 6F6C6C2F 63616E61
  6D652E63 726C3035 A033A031 862F6669 6C653A2F 2F5C5C61 6373312E 686F6E64
  612E636F 2E74685C 43657274 456E726F 6C6C5C63 616E616D 652E6372 6C301006
  092B0601 04018237 15010403 02010030 0D06092A 864886F7 0D010105 05000341
  0001A876 A899871D 636FD548 A98FE663 1A48F751 CED58054 438987D7 58BD07E3
  3A286AEB 9D97BDC8 E109F0FB 7CA6BE78 B25F8650 BA456631 DE7B05EE 0228E863 06
  quit
!
!
!
!
!
!       
!
!
!
!
!
!
!
ip tcp synwait-time 5
!
!
crypto isakmp policy 10
 encr 3des
 hash md5
 group 2
!
!
crypto ipsec transform-set tf esp-3des esp-md5-hmac
!
crypto map vpn 10 ipsec-isakmp
 set peer 162.1.123.12
 set transform-set tf
 match address vpn
!       
!
!
!
interface Loopback0
 ip address 150.1.1.1 255.255.255.0
!
interface Ethernet0/0
 ip address 162.1.19.1 255.255.255.0
 full-duplex
!
interface Ethernet0/1
 no ip address
 shutdown
 full-duplex
!
interface Ethernet0/2
 no ip address
 shutdown
 half-duplex
!
interface Ethernet0/3
 no ip address
 shutdown
 half-duplex
!
interface Serial1/0
 no ip address
 encapsulation frame-relay
 serial restart-delay 0
 no frame-relay inverse-arp
!
interface Serial1/0.13 point-to-point
 ip address 162.1.13.1 255.255.255.0
 frame-relay interface-dlci 113 
 crypto map vpn
!
interface Serial1/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!       
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
router ospf 1
 router-id 150.1.1.1
 log-adjacency-changes
 area 13 virtual-link 150.1.3.3 authentication message-digest
 area 13 virtual-link 150.1.3.3 message-digest-key 1 md5 CISCO
 network 150.1.1.1 0.0.0.0 area 13
 network 162.1.13.1 0.0.0.0 area 13
 network 162.1.19.1 0.0.0.0 area 19
!
router bgp 100
 no synchronization
 bgp router-id 150.1.1.1
 bgp log-neighbor-changes
 neighbor 150.1.4.4 remote-as 100
 neighbor 150.1.4.4 update-source Loopback0
 neighbor 150.1.4.4 route-reflector-client
 neighbor 150.1.6.6 remote-as 100
 neighbor 150.1.6.6 update-source Loopback0
 neighbor 150.1.6.6 password CISCO
 no auto-summary
!
ip http server
no ip http secure-server
ip classless
ip route 10.35.35.0 255.255.255.0 162.1.13.3
!
!
!
ip access-list extended vpn
 permit ip 162.1.19.0 0.0.0.255 10.35.35.0 0.0.0.255
!
!
!
!
!
!
!
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
line vty 0 4
 password cisco
 login
!
ntp authentication-key 1 md5 112A3036343D 7
ntp master 1
!


Thanks for any input.

Marut

Comments

  • What does the output of debug crypto pki (IOS) or debug crypto ca (ASA) look like on both sides?

  • On the ASA add

    crypto map vpn 10 set trustpoint TP

     

    It also took me quite some time to realize it. With rsa-sig authentication, the trust-point under tunnel-group ipsec-attributes is used when the ASA responds; when the ASA initiates, the crypto map entry needs its own set trustpoint so it knows which certificate to present. In fact, I had to google the error message — which would not work in the actual lab.

     

    HTH

    Gabor
