DEBUG OUTPUT ANALYSIS

habibnoubissi
Level 1

Hi,

Please find attached the debug output from my router. Please help me decipher it, because my tunnel is not coming up and I don't know what is wrong.

Regards

3 Replies

Jennifer Halim
Cisco Employee

Please kindly share the config from both ends.

Hi Jennifer,

Please find below the configs from both ends:

Site 1

afb>en
Password:
afb#sh run
Building configuration...

Current configuration : 2461 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname afb
!
boot-start-marker
boot-end-marker
!
logging console informational
enable secret 5 $1$hNFM$nwqVpHlH/hy1gGrLW8vyI1
!
username cisco password 7 0822455D0A16
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
ip cef
!
!
!
!
ip ips po max-events 100
vpdn enable
!
vpdn-group pppoe
 request-dialin
  protocol pppoe
!
no ftp-server write-enable
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto isakmp policy 10
 authentication pre-share
 group 2
 lifetime 28800
!
crypto isakmp policy 70
 encr aes 256
 authentication pre-share
 group 2
 lifetime 86070
crypto isakmp key test1 address 41.204.95.12
crypto isakmp aggressive-mode disable
!
!
crypto ipsec transform-set vpn_yde esp-aes 256 esp-sha-hmac
!
crypto map vpn_paris 70 ipsec-isakmp
 description tunnel_to_yaounde
 set peer 41.204.95.12
 set transform-set vpn_yde
 match address 100
!
!
!
!
interface Loopback0
 no ip address
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
 pppoe enable
 pppoe-client dial-pool-number 1
!
interface FastEthernet0/1
 ip address 192.168.48.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
 duplex auto
 speed auto
!
interface Dialer1
 mtu 1492
 ip address 80.15.109.174 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication pap callin
 ppp chap hostname fti/3hbfurh
 ppp chap password 7 0877584F5D1E1303
 ppp multilink
 crypto map vpn_paris
!
ip classless
ip route 0.0.0.0 0.0.0.0 193.253.160.3
!
no ip http server
no ip http secure-server
ip nat inside source route-map nat interface Dialer1 overload
!
ip access-list extended IPSEC
 permit udp any any eq isakmp
 permit ahp any any
 permit esp any any
 permit udp any any eq non500-isakmp
 permit ip any any
!
access-list 100 remark VPN-access
access-list 100 permit ip 192.168.48.0 0.0.0.255 172.21.0.0 0.0.255.255
access-list 102 remark internet-access
access-list 102 deny   ip 192.168.48.0 0.0.0.255 172.21.0.0 0.0.255.255
access-list 102 permit ip 192.168.48.0 0.0.0.255 any
!
route-map nat permit 10
 match ip address 102
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
line con 0
 login local
line aux 0
line vty 0 4
 login local
 transport input telnet ssh
!
end

Site 2

object-group network remote_network
 network-object 192.168.48.0 255.255.255.0
object-group network local_host
 network-object host 172.21.254.28
 network-object host 172.21.254.31
access-list inside_access_in extended permit ip object-group local_host object-group remote_network
access-list inside_access_in extended permit icmp object-group local_host object-group remote_network
access-list vpn extended permit ip object-group local_host object-group remote_network
access-list vpn extended permit icmp icmp object-group local_host object-group remote_network
nat (inside) 0 172.21.254.28 255.255.255.255
nat (inside) 0 172.21.254.31 255.255.255.255
crypto ipsec transform-set vpn esp-aes-256 esp-sha-hmac
crypto map afriland_map 80 match address vpn
crypto map afriland_map 80 set peer 80.15.109.174 255.255.255.255
crypto map afriland_map 80 set transform-set vpn
crypto map afriland_map 80 set security-association lifetime seconds 3600
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 28800
crypto isakmp policy 70
 encr aes 256
 authentication pre-share
 group 2
 lifetime 86070
tunnel-group 80.15.109.174 type ipsec-l2l
tunnel-group 80.15.109.174 ipsec-attributes
 pre-shared-key *

Regards

The ACL on the ASA is incorrect, as it needs to be the mirror image of the router's; it should just be one line of:

access-list vpn permit ip 172.21.0.0 255.255.0.0 192.168.48.0 255.255.255.0

You would also need to have NAT exemption configured on the ASA as follows:

access-list nonat permit ip 172.21.0.0 255.255.0.0 192.168.48.0 255.255.255.0
nat (inside) 0 access-list nonat

Please clear the tunnel with "clear cry ipsec sa" and "clear xlate" to clear the existing translations.
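The mirror-image requirement above can be checked mechanically rather than by eye. The following Python script is an added example, not code from the thread or from Cisco: it parses the router's numbered IOS ACL (wildcard masks), expands the ASA's object-groups and parses its named ACL (netmasks), reports which (source, destination) flows are missing from or extra on the ASA relative to the router's crypto ACL, and checks whether a `nat (inside) 0 access-list NAME` exemption covers every crypto flow. The config excerpts are constructed from the lines posted in this thread, and all function names are my own.

```python
import ipaddress
import re
from typing import Dict, List, Set, Tuple

Net = ipaddress.IPv4Network
Flow = Tuple[Net, Net]  # (source network, destination network)

# Constructed excerpts of the configs posted in the thread (router side, ASA as
# posted, and ASA with the corrections suggested in the reply).
ROUTER_CONFIG = """\
access-list 100 remark VPN-access
access-list 100 permit ip 192.168.48.0 0.0.0.255 172.21.0.0 0.0.255.255
"""

ASA_ORIGINAL = """\
object-group network remote_network
 network-object 192.168.48.0 255.255.255.0
object-group network local_host
 network-object host 172.21.254.28
 network-object host 172.21.254.31
access-list vpn extended permit ip object-group local_host object-group remote_network
access-list vpn extended permit icmp icmp object-group local_host object-group remote_network
"""

ASA_FIXED = """\
access-list vpn permit ip 172.21.0.0 255.255.0.0 192.168.48.0 255.255.255.0
access-list nonat permit ip 172.21.0.0 255.255.0.0 192.168.48.0 255.255.255.0
nat (inside) 0 access-list nonat
"""


def wildcard_to_network(addr: str, wildcard: str) -> Net:
    """IOS ACLs use wildcard masks (0.0.0.255); invert the bits to get a netmask."""
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return Net(f"{addr}/{mask}", strict=False)


def parse_object_groups(asa_config: str) -> Dict[str, List[Net]]:
    """Expand 'object-group network' blocks into lists of networks."""
    groups: Dict[str, List[Net]] = {}
    current = None
    for raw in asa_config.splitlines():
        line = raw.strip()
        group_m = re.match(r"object-group network (\S+)$", line)
        host_m = re.match(r"network-object host (\S+)$", line)
        net_m = re.match(r"network-object (\S+) (\S+)$", line)
        if group_m:
            current = group_m.group(1)
            groups[current] = []
        elif current and host_m:
            groups[current].append(Net(f"{host_m.group(1)}/32"))
        elif current and net_m:
            groups[current].append(Net(f"{net_m.group(1)}/{net_m.group(2)}", strict=False))
        else:
            current = None  # any other line closes the group block
    return groups


def _asa_operand(tokens: List[str], i: int, groups: Dict[str, List[Net]]) -> Tuple[List[Net], int]:
    """Parse one ASA address operand at tokens[i]; return (networks, index after it)."""
    t = tokens[i]
    if t == "object-group":
        return groups[tokens[i + 1]], i + 2
    if t == "host":
        return [Net(f"{tokens[i + 1]}/32")], i + 2
    if t == "any":
        return [Net("0.0.0.0/0")], i + 1
    return [Net(f"{t}/{tokens[i + 1]}", strict=False)], i + 2


def asa_acl_flows(asa_config: str, acl_name: str) -> Tuple[Set[Flow], List[str]]:
    """Return (flows, malformed lines) for the permit entries of one named ASA ACL."""
    groups = parse_object_groups(asa_config)
    flows: Set[Flow] = set()
    malformed: List[str] = []
    for line in asa_config.splitlines():
        tokens = line.split()
        if tokens[:2] != ["access-list", acl_name]:
            continue
        i = 3 if tokens[2:3] == ["extended"] else 2
        if tokens[i:i + 1] != ["permit"]:
            continue
        i += 2  # skip 'permit' and the protocol keyword (ip, icmp, ...)
        try:
            srcs, i = _asa_operand(tokens, i, groups)
            dsts, i = _asa_operand(tokens, i, groups)
        except (ValueError, IndexError, KeyError):
            malformed.append(line)  # e.g. the doubled 'icmp icmp' token in the posted ACL
            continue
        flows.update((s, d) for s in srcs for d in dsts)
    return flows, malformed


def ios_acl_flows(ios_config: str, acl_number: str) -> Set[Flow]:
    """Return the flows of a numbered IOS extended ACL's permit entries (remarks skipped)."""
    flows: Set[Flow] = set()
    for line in ios_config.splitlines():
        tokens = line.split()
        # access-list 100 permit ip SRC SRC-WILDCARD DST DST-WILDCARD
        if tokens[:3] != ["access-list", acl_number, "permit"] or len(tokens) < 8:
            continue
        flows.add((wildcard_to_network(tokens[4], tokens[5]),
                   wildcard_to_network(tokens[6], tokens[7])))
    return flows


def mirror_report(router_flows: Set[Flow], asa_flows: Set[Flow]) -> Dict[str, Set[Flow]]:
    """The ASA crypto ACL must contain exactly the router's flows with src/dst swapped."""
    expected = {(d, s) for (s, d) in router_flows}
    return {"missing_on_asa": expected - asa_flows, "extra_on_asa": asa_flows - expected}


def nat_exemption_covers(asa_config: str, crypto_flows: Set[Flow]) -> bool:
    """True when 'nat (inside) 0 access-list NAME' exists and NAME covers every crypto flow.
    (Per-host identity NAT without an ACL, as in the posted config, is not treated as coverage.)"""
    m = re.search(r"^nat \(inside\) 0 access-list (\S+)", asa_config, re.M)
    if not m:
        return False
    nonat, _ = asa_acl_flows(asa_config, m.group(1))
    return all(any(s.subnet_of(ns) and d.subnet_of(nd) for ns, nd in nonat)
               for s, d in crypto_flows)


if __name__ == "__main__":
    router = ios_acl_flows(ROUTER_CONFIG, "100")
    for label, cfg in (("original ASA", ASA_ORIGINAL), ("corrected ASA", ASA_FIXED)):
        asa, bad = asa_acl_flows(cfg, "vpn")
        print(label, mirror_report(router, asa), "malformed:", bad,
              "nat exemption ok:", nat_exemption_covers(cfg, asa))
```

Run against the posted ASA config the report shows the router's 192.168.48.0/24 to 172.21.0.0/16 entry has no mirror on the ASA (only two /32 hosts toward the /24 are present) and no ACL-based NAT exemption; against the corrected config both checks pass. The `malformed` list surfaces entries the parser cannot read, such as the doubled `icmp icmp` token, which is worth fixing on the device as well.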
