Understanding the output of debug crypto isakmp on ASA 7.x (EZ VPN Server)

Nov 1, 2010 6:34 AM

Purpose

Establishing a Remote Access Connection to an Easy VPN Server Running 7.0

[IKEv1 DEBUG]: IP = 192.1.1.77, processing SA payload             (1)
← output omitted →
[IKEv1 DEBUG]: IP = 192.1.1.77, IKE Peer included IKE
    fragmentation capability flags:  Main Mode:        True
    Aggressive Mode:  False
[IKEv1 DEBUG]: IP = 192.1.1.77, processing VID payload
[IKEv1 DEBUG]: IP = 192.1.1.77, Received Cisco Unity client VID   (2)
[IKEv1]: IP = 192.1.1.77, Connection landed on tunnel_
    group salesgroup
[IKEv1 DEBUG]: Group = salesgroup, IP = 192.1.1.77, processing
    IKE SA
[IKEv1 DEBUG]: Group = salesgroup, IP = 192.1.1.77, IKE SA        (3)
    Proposal # 1, Transform # 5 acceptable  Matches global
    IKE entry # 1
[IKEv1 DEBUG]: Group = salesgroup, IP = 192.1.1.77, constructing
    ISA_SA for isakmp
[IKEv1 DEBUG]: Group = salesgroup, IP = 192.1.1.77, constructing
    nonce payload
← output omitted →
[IKEv1 DEBUG]: Processing MODE_CFG Reply attributes.              (4)
[IKEv1 DEBUG]: Group = salesgroup, Username = salesuser,
    IP = 192.1.1.77, IKEGetUserAttributes: primary DNS = 4.2.2.1
[IKEv1 DEBUG]: Group = salesgroup, Username = salesuser,
    IP = 192.1.1.77, IKEGetUserAttributes: secondary DNS = cleared
[IKEv1 DEBUG]: Group = salesgroup, Username = salesuser,
    IP = 192.1.1.77, IKEGetUserAttributes: primary WINS = cleared
[IKEv1 DEBUG]: Group = salesgroup, Username = salesuser,
    IP = 192.1.1.77, IKEGetUserAttributes: secondary WINS = cleared
[IKEv1 DEBUG]: Group = salesgroup, Username = salesuser,
    IP = 192.1.1.77, IKEGetUserAttributes: IP Compression = disabled
[IKEv1 DEBUG]: Group = salesgroup, Username = salesuser,
    IP = 192.1.1.77, IKEGetUserAttributes: Split Tunneling
    Policy = Disabled
[IKEv1]: Group = salesgroup, Username = salesuser,                (5)
    IP = 192.1.1.77, User (salesuser) authenticated.
← output omitted →
[IKEv1 DEBUG]: Processing cfg Request attributes                 (6)
[IKEv1 DEBUG]: MODE_CFG: Received request for IPV4 address!
[IKEv1 DEBUG]: MODE_CFG: Received request for IPV4 net mask!
[IKEv1 DEBUG]: MODE_CFG: Received request for DNS server address!
[IKEv1 DEBUG]: MODE_CFG: Received request for WINS server address!
[IKEv1]: Group = salesgroup, Username = salesuser,
    IP = 192.1.1.77, Received unsupported transaction mode
    attribute: 5
[IKEv1 DEBUG]: MODE_CFG: Received request for Banner!
[IKEv1 DEBUG]: MODE_CFG: Received request for Save PW setting!
[IKEv1 DEBUG]: MODE_CFG: Received request for Default Domain Name!
[IKEv1 DEBUG]: MODE_CFG: Received request for Split Tunnel List!
[IKEv1 DEBUG]: MODE_CFG: Received request for Split DNS!
[IKEv1 DEBUG]: MODE_CFG: Received request for PFS setting!
[IKEv1]: Group = salesgroup, Username = salesuser,
    IP = 192.1.1.77, Received unknown transaction mode attribute: 28683
[IKEv1 DEBUG]: MODE_CFG: Received request for backup ip-sec peer
    list!
[IKEv1 DEBUG]: MODE_CFG: Received request for Application         (7)
    Version!
[IKEv1]: Group = salesgroup, Username = salesuser,
    IP = 192.1.1.77, Client Type: WinNT  Client Application
    Version: 4.6.01.0019
[IKEv1 DEBUG]: MODE_CFG: Received request for FWTYPE!
[IKEv1 DEBUG]: MODE_CFG: Received request for DHCP hostname for
    DDNS is: i7500!
[IKEv1 DEBUG]: MODE_CFG: Received request for UDP Port!
[IKEv1 DEBUG]: Group = salesgroup, Username = salesuser,          (8)
    IP = 192.1.1.77, constructing blank hash
[IKEv1 DEBUG]: Group = salesgroup, Username = salesuser,
    IP = 192.1.1.77, constructing qm hash
[IKEv1]: IP = 192.1.1.77, IKE DECODE SENDING Message
    (msgid=e9f26b16) with payloads : HDR + HASH (8) + ATTR (14)
    + NONE (0) total length : 170
[IKEv1 DECODE]: IP = 192.1.1.77, IKE Responder starting QM:
    msg id = d9fcc34b
[IKEv1 DEBUG]: Group = salesgroup, Username = salesuser,
    IP = 192.1.1.77, Delay Quick Mode processing, Cert/Trans
    Exch/RM DSID in progress
[IKEv1 DEBUG]: Group = salesgroup, Username = salesuser,
    IP = 192.1.1.77, Resume Quick Mode processing, Cert/Trans
    Exch/RM DSID completed
[IKEv1]: Group = salesgroup, Username = salesuser,                (9)
    IP = 192.1.1.77, PHASE 1 COMPLETED
← output omitted →
[IKEv1 DEBUG]: Group = salesgroup, Username = salesuser,         (10)
    IP = 192.1.1.77, constructing blank hash
[IKEv1 DEBUG]: Group = salesgroup, Username = salesuser,
    IP = 192.1.1.77, constructing qm hash
[IKEv1]: IP = 192.1.1.77, IKE DECODE SENDING Message
    (msgid=3b776e14) with payloads : HDR + HASH (8) +
    NOTIFY (11) + NONE (0) total length : 92
[IKEv1]: IP = 192.1.1.77, IKE DECODE RECEIVED Message
    (msgid=d9fcc34b) with payloads : HDR + HASH (8) + SA (1)
    + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 1026
[IKEv1 DEBUG]: Group = salesgroup, Username = salesuser,
    IP = 192.1.1.77, processing hash
[IKEv1 DEBUG]: Group = salesgroup, Username = salesuser,
    IP = 192.1.1.77, processing SA payload
[IKEv1 DEBUG]: Group = salesgroup, Username = salesuser,
    IP = 192.1.1.77, processing nonce payload
[IKEv1 DEBUG]: Group = salesgroup, Username = salesuser,
    IP = 192.1.1.77, Processing ID
[IKEv1 DECODE]: ID_IPV4_ADDR ID received 192.168.2.200           (11)
[IKEv1]: Group = salesgroup, Username = salesuser,
    IP = 192.1.1.77, Received remote Proxy Host data in ID
    Payload:  Address 192.168.2.200, Protocol 0, Port 0
[IKEv1 DEBUG]: Group = salesgroup, Username = salesuser,
    IP = 192.1.1.77, Processing ID
[IKEv1 DECODE]: ID_IPV4_ADDR_SUBNET ID received--
    0.0.0.0--0.0.0.0
[IKEv1]: Group = salesgroup, Username = salesuser,
    IP = 192.1.1.77, Received local IP Proxy Subnet data in ID
    Payload:   Address 0.0.0.0, Mask 0.0.0.0, Protocol 0, Port 0
[IKEv1]: QM IsRekeyed old sa not found by addr                   (12)
[IKEv1]: Group = salesgroup, Username = salesuser,               (13)
    IP = 192.1.1.77, Static Crypto Map check, checking
    map = mymap, seq = 10...
[IKEv1]: Group = salesgroup, Username = salesuser,
    IP = 192.1.1.77, Static Crypto Map check, map = mymap,
    seq = 10, ACL does not match proxy IDs src:192.168.2.200
    dst:0.0.0.0
[IKEv1]: Group = salesgroup, Username = salesuser,               (14)
    IP = 192.1.1.77, IKE Remote Peer configured for SA: dynmap
[IKEv1]: Group = salesgroup, Username = salesuser,
    IP = 192.1.1.77, processing IPSEC SA
[IKEv1 DEBUG]: Group = salesgroup, Username = salesuser,         (15)
    IP = 192.1.1.77, IPsec SA Proposal # 11, Transform # 1
    acceptable  Matches global IPsec SA entry # 1
← output omitted →
[IKEv1]: Group = salesgroup, Username = salesuser,               (16)
    IP = 192.1.1.77, Overriding Initiator's IPsec rekeying
    duration from 2147483 to 28800 seconds
← output omitted →
[IKEv1]: Group = salesgroup, Username = salesuser,               (17)
    IP = 192.1.1.77, Security negotiation complete for
    User (salesuser)  Responder, Inbound SPI = 0x46ffd888,
    Outbound SPI = 0xfc4dd2f3
[IKEv1 DEBUG]: IKE got a KEY_ADD msg for SA: SPI = 0xfc4dd2f3
[IKEv1 DEBUG]: pitcher: rcv KEY_UPDATE, spi 0x46ffd888
← output omitted →
[IKEv1]: Group = salesgroup, Username = salesuser,               (18)
    IP = 192.1.1.77, Adding static route for client address:
    192.168.2.200
[IKEv1]: Group = salesgroup, Username = salesuser,               (19)
    IP = 192.1.1.77, PHASE 2 COMPLETED (msgid=d9fcc34b)
← output omitted →
[IKEv1 DEBUG]: Group = salesgroup, Username = salesuser,         (20)
    IP = 192.1.1.77, Received keep-alive of type DPD R-U-THERE
    (seq number 0xa780a31f)
[IKEv1 DEBUG]: Group = salesgroup, Username = salesuser,
    IP = 192.1.1.77, Sending keep-alive of type DPD R-U-THERE-ACK
    (seq number 0xa780a31f)
← output omitted →

Here's an explanation of the debug output:

1. The Remote (192.1.1.77) initiates a session to the appliance (acting as a Server).

2. The Remote sends its identity type to the Server, along with the group it wants to connect to ("salesgroup").

3. A matching Phase 1 policy is found: policy 5 of the Remote matches the first policy of the Server.

4. The Remote initiates IKE Mode Config and the appliance determines which parameters it has configured for the associated group.

5. The group authentication is successful, as is the XAUTH authentication via the user account "salesuser"; notice that this message appears here rather than before IKE Mode Config, because the appliance needs to verify whether or not the user is allowed access to the group.

6. The Remote sends an IKE Mode Config request for the policies defined for the salesgroup group.

7. During IKE Mode Config, the appliance learns the client type and version.

8. The Server sends back the IKE Mode Config parameters.

9. This completes ISAKMP/IKE Phase 1.

10. Quick mode begins with an exchange of policies.

11. The internal address of the client is 192.168.2.200, and the proxy identity it sends indicates that all of its traffic is to be protected (the group policy has split tunneling disabled).

12. A check is performed to make sure that the client isn't reconnecting (the Initial Contact feature for Easy VPN); in this example, the client is initiating a new connection.

13. The appliance compares the proxy information with its first crypto map entry (which is a static one) and finds that the proxy information doesn't match this entry.

14. The appliance compares the proxy information with its second crypto map entry, which is a dynamic crypto map for remote access users.

15. A matching data transform is found.

16. There is a difference in the data SA lifetime values between the two devices: the lower one (28,800 seconds) is negotiated.

17. The two IPsec data SAs (inbound and outbound) are created and SPIs are assigned.

18. Because RRI is enabled, a static route for the Remote's internal address (192.168.2.200) is added to the Server's local routing table.

19. Phase 2 has completed.

20. Because DPD was negotiated in Phase 1, DPD now takes place; in this instance, the Remote is initiating DPD (however, both sides of the tunnel will do this periodically based on their local keepalive counters).
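The walkthrough above is what an engineer reads by hand when triaging a remote-access tunnel. The following Python script is an added example, not part of the original document and not a Cisco tool: it rejoins the wrapped continuation lines the console produces, then pulls the same milestones the numbered explanation calls out (tunnel group, XAUTH user, proxy identities, the static-to-dynamic crypto map fallthrough, the lifetime override, SPIs, RRI route, Phase 2 completion) out of a constructed sample built from the debug messages shown on this page. The regex patterns, the summary keys and the wording of the findings are the example's own choices.

```python
import re

# Constructed sample input: messages copied from the debug output on this
# page.  Several are kept exactly as the console wraps them, on indented
# continuation lines, so the parser has to reassemble them first.
SAMPLE_DEBUG = """\
[IKEv1]: IP = 192.1.1.77, Connection landed on tunnel_
    group salesgroup
[IKEv1]: Group = salesgroup, Username = salesuser, IP = 192.1.1.77, User (salesuser) authenticated.
[IKEv1]: Group = salesgroup, Username = salesuser, IP = 192.1.1.77, PHASE 1 COMPLETED
[IKEv1]: Group = salesgroup, Username = salesuser,
    IP = 192.1.1.77, Received remote Proxy Host data in ID
    Payload:  Address 192.168.2.200, Protocol 0, Port 0
[IKEv1]: Group = salesgroup, Username = salesuser,
    IP = 192.1.1.77, Received local IP Proxy Subnet data in ID
    Payload:   Address 0.0.0.0, Mask 0.0.0.0, Protocol 0, Port 0
[IKEv1]: Group = salesgroup, Username = salesuser,
    IP = 192.1.1.77, Static Crypto Map check, map = mymap,
    seq = 10, ACL does not match proxy IDs src:192.168.2.200
    dst:0.0.0.0
[IKEv1]: Group = salesgroup, Username = salesuser, IP = 192.1.1.77, IKE Remote Peer configured for SA: dynmap
[IKEv1]: Group = salesgroup, Username = salesuser, IP = 192.1.1.77, Overriding Initiator's IPsec rekeying duration from 2147483 to 28800 seconds
[IKEv1]: Group = salesgroup, Username = salesuser,
    IP = 192.1.1.77, Security negotiation complete for
    User (salesuser)  Responder, Inbound SPI = 0x46ffd888,
    Outbound SPI = 0xfc4dd2f3
[IKEv1]: Group = salesgroup, Username = salesuser, IP = 192.1.1.77, Adding static route for client address: 192.168.2.200
[IKEv1]: Group = salesgroup, Username = salesuser, IP = 192.1.1.77, PHASE 2 COMPLETED (msgid=d9fcc34b)
[IKEv1 DEBUG]: Group = salesgroup, Username = salesuser, IP = 192.1.1.77, Received keep-alive of type DPD R-U-THERE (seq number 0xa780a31f)
"""

# One regex per negotiation milestone, keyed by the name used in the
# summary; the groups capture the values an analyst records.
PATTERNS = {
    "peer": r"IP = ([\d.]+)",
    "tunnel_group": r"Connection landed on tunnel_\s*group (\w+)",
    "username": r"User \((\w+)\) authenticated",
    "phase1": r"PHASE 1 COMPLETED",
    "remote_proxy": r"remote Proxy Host data in ID Payload:\s+Address ([\d.]+), Protocol (\d+), Port (\d+)",
    "local_proxy": r"local IP Proxy Subnet data in ID Payload:\s+Address ([\d.]+), Mask ([\d.]+), Protocol (\d+), Port (\d+)",
    "static_map_miss": r"Static Crypto Map check, map = (\w+), seq = (\d+), ACL does not match proxy IDs",
    "dynamic_map": r"IKE Remote Peer configured for SA: (\w+)",
    "lifetime": r"Overriding Initiator's IPsec rekeying duration from (\d+) to (\d+) seconds",
    "spi": r"Inbound SPI = (0x[0-9a-f]+), Outbound SPI = (0x[0-9a-f]+)",
    "rri": r"Adding static route for client address: ([\d.]+)",
    "phase2": r"PHASE 2 COMPLETED \(msgid=([0-9a-f]+)\)",
    "dpd": r"DPD R-U-THERE \(seq number (0x[0-9a-f]+)\)",
}


def rejoin_wrapped(text):
    """Reassemble messages the console split across indented continuation lines."""
    messages = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace() and messages:      # continuation of the previous message
            messages[-1] += " " + line.strip()
        else:
            messages.append(line.rstrip())
    return messages


def summarize(text):
    """Record each negotiation milestone found in the debug messages."""
    summary = {"static_map_misses": []}
    for msg in rejoin_wrapped(text):
        for name, pattern in PATTERNS.items():
            m = re.search(pattern, msg)
            if m is None:
                continue
            if name == "static_map_miss":       # a peer can miss several static entries
                summary["static_map_misses"].append((m.group(1), int(m.group(2))))
            else:
                summary[name] = m.groups()
    return summary


def findings(s):
    """Phrase the summary as the checks the numbered explanation walks through."""
    notes = []
    if "phase1" in s and "username" in s:
        notes.append("XAUTH user %s admitted to group %s" % (s["username"][0], s["tunnel_group"][0]))
    if s.get("local_proxy", ())[:2] == ("0.0.0.0", "0.0.0.0"):
        notes.append("client protects all traffic (0.0.0.0/0): split tunneling disabled")
    if s["static_map_misses"] and "dynamic_map" in s:
        missed = ", ".join("%s seq %d" % e for e in s["static_map_misses"])
        notes.append("proxy IDs fell through static map %s to dynamic map %s" % (missed, s["dynamic_map"][0]))
    if "lifetime" in s:
        proposed, enforced = (int(v) for v in s["lifetime"])
        notes.append("IPsec SA lifetime negotiated to %d s (initiator proposed %d s)" % (min(proposed, enforced), proposed))
    if "rri" in s:
        notes.append("RRI installed a host route for %s" % s["rri"][0])
    if "phase2" in s:
        notes.append("Phase 2 completed, SPIs %s/%s" % s.get("spi", ("?", "?")))
    else:
        notes.append("Phase 2 did not complete")
    return notes


if __name__ == "__main__":
    for note in findings(summarize(SAMPLE_DEBUG)):
        print(note)
```

Feed it the output of `debug crypto isakmp` saved from a terminal session (the whole log, with the wrapped lines intact) and compare the findings with the twenty points above; a session that stops short of "Phase 2 completed" tells you which stage to look at next, and a static-map miss followed by no dynamic map is the classic sign that the remote-access crypto map entry is absent or ordered wrongly.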

References

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a00800949c5.shtml
