10-08-2010 08:50 PM
10-08-2010 09:17 PM
I assume that you are running GRE tunnel on the 2811 behind the ASA, and ASA is establishing the IPSec tunnel.
I didn't see the access-group command posted earlier; however, I assume that your 2811 router is connected to your ASA inside interface, and the ACL assigned is named "inside-in". I did not see an ACL line that permits GRE, which would allow the traffic through the ASA.
10-08-2010 09:37 PM
Hi, yes, your assumptions are right: the 2811 is terminating the GRE tunnel, via EIGRP.
Is this what I need to add?
access-list inside-in extended permit gre any any
10-08-2010 09:40 PM
I added it, to no avail:
access-list inside-in extended permit gre any any
10-08-2010 09:53 PM
At one of the spoke offices:
000624: *Oct 9 00:39:02.471 GMT: ISAKMP:(2365):purging node 904887933
000625: *Oct 9 00:39:09.351 GMT: ISAKMP: DPD received KMI message.
000626: *Oct 9 00:39:09.351 GMT: ISAKMP: set new node 353388376 to QM_IDLE
000627: *Oct 9 00:39:09.351 GMT: crypto_engine: Generate IKE hash
000628: *Oct 9 00:39:09.351 GMT: CryptoEngine0: CRYPTO_ISA_IKE_HMAC(hw)(ipsec)
000629: *Oct 9 00:39:09.355 GMT: ISAKMP:(2768):Sending NOTIFY DPD/R_U_THERE protocol 1
spi 1706225560, message ID = 353388376
000630: *Oct 9 00:39:09.355 GMT: ISAKMP:(2768): seq. no 0x240F5391
000631: *Oct 9 00:39:09.355 GMT: crypto_engine: Encrypt IKE packet
000632: *Oct 9 00:39:09.355 GMT: CryptoEngine0: CRYPTO_ISA_IKE_ENCRYPT(hw)(ipsec)
000633: *Oct 9 00:39:09.355 GMT: ISAKMP:(2768): sending packet to a.b.c.d my_port 500 peer_port 500 (I) QM_IDLE
000634: *Oct 9 00:39:09.355 GMT: ISAKMP:(2768):Sending an IKE IPv4 Packet.
000635: *Oct 9 00:39:09.355 GMT: ISAKMP:(2768):purging node 353388376
000636: *Oct 9 00:39:09.387 GMT: ISAKMP (2768): received packet from a.b.c.d dport 500 sport 500 Global (I) QM_IDLE
000637: *Oct 9 00:39:09.387 GMT: ISAKMP: set new node 1232564680 to QM_IDLE
000638: *Oct 9 00:39:09.387 GMT: crypto_engine: Decrypt IKE packet
000639: *Oct 9 00:39:09.387 GMT: CryptoEngine0: CRYPTO_ISA_IKE_DECRYPT(hw)(ipsec)
000640: *Oct 9 00:39:09.387 GMT: crypto_engine: Generate IKE hash
000641: *Oct 9 00:39:09.387 GMT: CryptoEngine0: CRYPTO_ISA_IKE_HMAC(hw)(ipsec)
000642: *Oct 9 00:39:09.391 GMT: ISAKMP:(2768): processing HASH payload. message ID = 1232564680
000643: *Oct 9 00:39:09.391 GMT: ISAKMP:(2768): processing NOTIFY DPD/R_U_THERE_ACK protocol 1
spi 0, message ID = 1232564680, sa = 66290A80
000644: *Oct 9 00:39:09.391 GMT: ISAKMP:(2768): DPD/R_U_THERE_ACK received from peer a.b.c.d, sequence 0x240F5391
000645: *Oct 9 00:39:09.391 GMT: ISAKMP:(2768):deleting node 1232564680 error FALSE reason "Informational (in) state 1"
000646: *Oct 9 00:39:09.391 GMT: ISAKMP:(2768):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
000647: *Oct 9 00:39:09.391 GMT: ISAKMP:(2768):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
And:
NEWTOWN_1841# show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
a.b.c.d y.y.y.y QM_IDLE 2768 ACTIVE
a.b.c.d y.y.y.y QM_IDLE 2365 ACTIVE
AND:
#show crypto ipsec sa | in encaps|decaps|Status|current
current_peer a.v.d.x port 500
#pkts encaps: 48, #pkts encrypt: 48, #pkts digest: 48
#pkts decaps: 47, #pkts decrypt: 47, #pkts verify: 47
current outbound spi: 0xBBF43896(3153344662)
Status: ACTIVE
Status: ACTIVE
current_peer a.b.c.d port 500
#pkts encaps: 17, #pkts encrypt: 17, #pkts digest: 17
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
current outbound spi: 0xB8E117DD(3101759453)
Status: ACTIVE
Status: ACTIVE
current_peer y.y.y.y port 500
#pkts encaps: 65, #pkts encrypt: 65, #pkts digest: 65
#pkts decaps: 46, #pkts decrypt: 46, #pkts verify: 46
current outbound spi: 0x46118722(1175553826)
Status: ACTIVE
Status: ACTIVE
current_peer z.z.z.z port 500
#pkts encaps: 17, #pkts encrypt: 17, #pkts digest: 17
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
current outbound spi: 0x167A7CD3(377126099)
Status: ACTIVE
Status: ACTIVE
10-08-2010 10:02 PM
Seems like the IPSec tunnel is up, only the GRE tunnel is down.
Try to shut/no shut the GRE tunnel on both ends.
10-09-2010 05:03 AM
Didn't make a bit of difference...
The problem is on the ASA; I just cannot find it...
10-09-2010 05:32 PM
From the following output:
current_peer a.b.c.d port 500
#pkts encaps: 17, #pkts encrypt: 17, #pkts digest: 17
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
current outbound spi: 0xB8E117DD(3101759453)
Status: ACTIVE
Status: ACTIVE
current_peer z.z.z.z port 500
#pkts encaps: 17, #pkts encrypt: 17, #pkts digest: 17
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
current outbound spi: 0x167A7CD3(377126099)
Status: ACTIVE
Status: ACTIVE
Assuming that the above is from the spoke router, that means traffic is being encrypted, however, the router does not receive any return traffic.
What does the corresponding show cry ipsec sa show on the ASA?
You might want to try clearing the IPsec tunnel SA on the ASA and re-establishing the tunnel, and also "clear xlate". Otherwise, feel free to open a TAC case so it can be troubleshot live with an engineer.
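The diagnosis above rests on one pattern in the spoke's counters: encaps climbing while decaps stays at 0 means the SA is up but nothing comes back. The following is an added example (not from this thread or from Cisco) that parses the filtered show crypto ipsec sa output into per-peer counters and flags exactly those one-way peers; the sample output is constructed from the thread's placeholder addresses.

```python
import re

# Constructed sample, modelled on the filtered 'show crypto ipsec sa' output in the thread
# (placeholder peer addresses kept as in the thread).
SAMPLE_OUTPUT = """\
current_peer a.v.d.x port 500
#pkts encaps: 48, #pkts encrypt: 48, #pkts digest: 48
#pkts decaps: 47, #pkts decrypt: 47, #pkts verify: 47
current outbound spi: 0xBBF43896(3153344662)
Status: ACTIVE
current_peer a.b.c.d port 500
#pkts encaps: 17, #pkts encrypt: 17, #pkts digest: 17
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
current outbound spi: 0xB8E117DD(3101759453)
Status: ACTIVE
"""

PEER_RE = re.compile(r"^\s*current_peer\s+(\S+)\s+port\s+(\d+)")
ENCAPS_RE = re.compile(r"#pkts encaps:\s*(\d+)")
DECAPS_RE = re.compile(r"#pkts decaps:\s*(\d+)")
SPI_RE = re.compile(r"current outbound spi:\s*(0x[0-9A-Fa-f]+)")

def parse_ipsec_sa(text):
    """Return one dict of counters per 'current_peer' block."""
    peers = []
    current = None
    for line in text.splitlines():
        if m := PEER_RE.match(line):
            current = {"peer": m.group(1), "encaps": 0, "decaps": 0, "spi": ""}
            peers.append(current)
        elif current is None:
            continue  # lines before the first peer block
        elif m := ENCAPS_RE.search(line):
            current["encaps"] = int(m.group(1))
        elif m := DECAPS_RE.search(line):
            current["decaps"] = int(m.group(1))
        elif m := SPI_RE.search(line):
            current["spi"] = m.group(1)
    return peers

def one_way_peers(peers):
    """Peers that encrypt outbound traffic but never decrypt anything: the SA is up,
    so the return path is blocked somewhere between the peers (in the thread, the
    ASA's interface ACL) rather than in the crypto configuration."""
    return [p for p in peers if p["encaps"] > 0 and p["decaps"] == 0]

if __name__ == "__main__":
    for p in one_way_peers(parse_ipsec_sa(SAMPLE_OUTPUT)):
        print(f'{p["peer"]}: encaps={p["encaps"]} decaps={p["decaps"]} spi={p["spi"]}')
```

Run it against the real output pasted from each spoke; a peer listed here is where to compare the ASA's own show crypto ipsec sa counters and its inside-interface ACL.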
10-10-2010 12:40 PM
Hi,
Can't open a TAC case as this device has no contract, and I would have to pay per incident.
I debugged IPsec and ISAKMP and got a phase 2 error; I had to debug at level 200 to even see it.
Can't recall the exact error, but I googled it, and basically the website said to check the ACL, or that the access-list group is applied wrong.
We did not change a single entry on the remote routers, so it must be a problem on the ASA itself, but I cannot find it....
I think it's probably the access-list group command, but not sure...