"IPSEC ASA5510<--->ROUTER871"
Forum: CISCO routers and other equipment (VPN, VLAN, tunnel)
Original message

"IPSEC ASA5510<--->ROUTER871"
Message from serg on 25-Feb-11, 19:44
HELP! The IPsec tunnel between the 5510 ASA and the 871 ROUTER does not come up.


ASA:
1.1.1.26 external IP
1.1.1.254 gateway
3.3.3.0 internal subnet
3.3.3.250 internal interface
3.3.3.20 pingable computer on the LAN


ROUTER 871
2.2.2.226 external IP
2.2.2.225 gateway
4.4.4.0 internal subnet
4.4.4.254 internal interface
4.4.4.28 pingable computer on the LAN


5510 ASA CONFIG:

interface Ethernet0/0
description WAN
nameif AI_WAN
security-level 0
ip address 1.1.1.26 255.255.255.248

interface GigabitEthernet1/0
description AB LAN network
nameif AB_LAN
security-level 100
ip address 3.3.3.250 255.255.255.0

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route

crypto map AI_WAN_map 1 match address AI_WAN_1_cryptomap
crypto map AI_WAN_map 1 set peer 2.2.2.226
crypto map AI_WAN_map 1 set transform-set ESP-DES-MD5
crypto map AI_WAN_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map AI_WAN_map interface AI_WAN

crypto isakmp enable AI_WAN
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
crypto isakmp disconnect-notify

route AI_WAN 0.0.0.0 0.0.0.0 1.1.1.254
route AI_WAN 4.4.4.0 255.255.255.0 2.2.2.226

access-list AI_WAN_1_cryptomap extended permit ip 3.3.3.0 255.255.255.0 4.4.4.0 255.255.255.0

tunnel-group 2.2.2.226 type ipsec-l2l
tunnel-group 2.2.2.226 general-attributes
tunnel-group 2.2.2.226 ipsec-attributes
pre-shared-key *****


871 ROUTER CONFIG:

crypto isakmp policy 2
authentication pre-share
group 2
crypto isakmp key ***** address 1.1.1.26

crypto ipsec transform-set des-md5 esp-des esp-md5-hmac

crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to1.1.1.26
set peer 1.1.1.26
set transform-set des-md5
match address 100

interface FastEthernet4
ip address 2.2.2.226 255.255.255.0
ip virtual-reassembly
duplex auto
speed auto
crypto map SDM_CMAP_1

interface Vlan1
ip address 4.4.4.254 255.255.255.0
ip virtual-reassembly

ip route 0.0.0.0 0.0.0.0 2.2.2.225
ip route 3.3.3.0 255.255.255.0 1.1.1.26

access-list 100 permit ip 4.4.4.0 0.0.0.255 3.3.3.0 0.0.0.255

5510 ASA DEBUGGING

ciscoasa(config)# Feb 25 21:58:07 [IKEv1]: IP = 2.2.2.226, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 180
Feb 25 21:58:07 [IKEv1 DEBUG]: IP = 2.2.2.226, processing SA payload
Feb 25 21:58:07 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
Feb 25 21:58:07 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
Feb 25 21:58:07 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
Feb 25 21:58:07 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
Feb 25 21:58:07 [IKEv1 DEBUG]: IP = 2.2.2.226, Oakley proposal is acceptable
Feb 25 21:58:07 [IKEv1 DEBUG]: IP = 2.2.2.226, processing VID payload
Feb 25 21:58:07 [IKEv1 DEBUG]: IP = 2.2.2.226, processing VID payload
Feb 25 21:58:07 [IKEv1 DEBUG]: IP = 2.2.2.226, Received NAT-Traversal ver 03 VID
Feb 25 21:58:07 [IKEv1 DEBUG]: IP = 2.2.2.226, processing VID payload
Feb 25 21:58:07 [IKEv1 DEBUG]: IP = 2.2.2.226, Received NAT-Traversal ver 02 VID
Feb 25 21:58:07 [IKEv1 DEBUG]: IP = 2.2.2.226, processing IKE SA payload
Feb 25 21:58:07 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
Feb 25 21:58:07 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
Feb 25 21:58:07 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
Feb 25 21:58:07 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
Feb 25 21:58:07 [IKEv1 DEBUG]: IP = 2.2.2.226, IKE SA Proposal # 1, Transform # 1 acceptable  Matches global IKE entry # 4
Feb 25 21:58:07 [IKEv1 DEBUG]: IP = 2.2.2.226, constructing ISAKMP SA payload
Feb 25 21:58:07 [IKEv1 DEBUG]: IP = 2.2.2.226, constructing NAT-Traversal VID ver 02 payload
Feb 25 21:58:07 [IKEv1 DEBUG]: IP = 2.2.2.226, constructing Fragmentation VID + extended capabilities payload
Feb 25 21:58:07 [IKEv1]: IP = 2.2.2.226, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 128
Feb 25 21:58:15 [IKEv1]: IP = 2.2.2.226, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 128
Feb 25 21:58:17 [IKEv1]: IP = 2.2.2.226, Duplicate first packet detected.  Ignoring packet.
Feb 25 21:58:23 [IKEv1]: IP = 2.2.2.226, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 128
Feb 25 21:58:27 [IKEv1]: IP = 2.2.2.226, Duplicate first packet detected.  Ignoring packet.
Feb 25 21:58:31 [IKEv1]: IP = 2.2.2.226, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 128
Feb 25 21:58:37 [IKEv1]: IP = 2.2.2.226, Duplicate first packet detected.  Ignoring packet.
Feb 25 21:58:39 [IKEv1 DEBUG]: IP = 2.2.2.226, IKE MM Responder FSM error history (struct &0xadb2fdf8)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG3, EV_TIMEOUT-->MM_WAIT_MSG3, NullEvent-->MM_SND_MSG2, EV_SND_MSG-->MM_SND_MSG2, EV_START_TMR-->MM_SND_MSG2, EV_RESEND_MSG-->MM_WAIT_MSG3, EV_TIMEOUT-->MM_WAIT_MSG3, NullEvent
Feb 25 21:58:39 [IKEv1 DEBUG]: IP = 2.2.2.226, IKE SA MM:8d4057b1 terminating:  flags 0x01000002, refcnt 0, tuncnt 0
Feb 25 21:58:39 [IKEv1 DEBUG]: IP = 2.2.2.226, sending delete/delete with reason message
Feb 25 21:58:47 [IKEv1]: IP = 2.2.2.226, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 180
Feb 25 21:58:47 [IKEv1 DEBUG]: IP = 2.2.2.226, processing SA payload
Feb 25 21:58:47 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
Feb 25 21:58:47 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
Feb 25 21:58:47 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
Feb 25 21:58:47 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
Feb 25 21:58:47 [IKEv1 DEBUG]: IP = 2.2.2.226, Oakley proposal is acceptable
Feb 25 21:58:47 [IKEv1 DEBUG]: IP = 2.2.2.226, processing VID payload
Feb 25 21:58:47 [IKEv1 DEBUG]: IP = 2.2.2.226, processing VID payload
Feb 25 21:58:47 [IKEv1 DEBUG]: IP = 2.2.2.226, Received NAT-Traversal ver 03 VID
Feb 25 21:58:47 [IKEv1 DEBUG]: IP = 2.2.2.226, processing VID payload
Feb 25 21:58:47 [IKEv1 DEBUG]: IP = 2.2.2.226, Received NAT-Traversal ver 02 VID
Feb 25 21:58:47 [IKEv1 DEBUG]: IP = 2.2.2.226, processing IKE SA payload
Feb 25 21:58:47 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
Feb 25 21:58:47 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
Feb 25 21:58:47 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
Feb 25 21:58:47 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
Feb 25 21:58:47 [IKEv1 DEBUG]: IP = 2.2.2.226, IKE SA Proposal # 1, Transform # 1 acceptable  Matches global IKE entry # 4
Feb 25 21:58:47 [IKEv1 DEBUG]: IP = 2.2.2.226, constructing ISAKMP SA payload
Feb 25 21:58:47 [IKEv1 DEBUG]: IP = 2.2.2.226, constructing NAT-Traversal VID ver 02 payload
Feb 25 21:58:47 [IKEv1 DEBUG]: IP = 2.2.2.226, constructing Fragmentation VID + extended capabilities payload
Feb 25 21:58:47 [IKEv1]: IP = 2.2.2.226, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 128
Feb 25 21:58:55 [IKEv1]: IP = 2.2.2.226, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 128
Feb 25 21:58:57 [IKEv1]: IP = 2.2.2.226, Duplicate first packet detected.  Ignoring packet.
Feb 25 21:59:03 [IKEv1]: IP = 2.2.2.226, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 128
Feb 25 21:59:11 [IKEv1]: IP = 2.2.2.226, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 128
Feb 25 21:59:19 [IKEv1 DEBUG]: IP = 2.2.2.226, IKE MM Responder FSM error history (struct &0xadb2fdf8)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG3, EV_TIMEOUT-->MM_WAIT_MSG3, NullEvent-->MM_SND_MSG2, EV_SND_MSG-->MM_SND_MSG2, EV_START_TMR-->MM_SND_MSG2, EV_RESEND_MSG-->MM_WAIT_MSG3, EV_TIMEOUT-->MM_WAIT_MSG3, NullEvent
Feb 25 21:59:19 [IKEv1 DEBUG]: IP = 2.2.2.226, IKE SA MM:7622a639 terminating:  flags 0x01000002, refcnt 0, tuncnt 0
Feb 25 21:59:19 [IKEv1 DEBUG]: IP = 2.2.2.226, sending delete/delete with reason message

871 ROUTER DEBUGGING


871_router#debu cry isa
871_router#ping 3.3.3.20 source 4.4.4.254

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.20, timeout is 2 seconds:
Packet sent with a source address of 4.4.4.254

Feb 25 21:58:06.799: ISAKMP:(0): SA request profile is (NULL)
Feb 25 21:58:06.799: ISAKMP: Created a peer struct for 1.1.1.26, peer port 500
Feb 25 21:58:06.799: ISAKMP: New peer created peer = 0x834B2AB4 peer_handle = 0x8000000C
Feb 25 21:58:06.799: ISAKMP: Locking peer struct 0x834B2AB4, refcount 1 for isakmp_initiator
Feb 25 21:58:06.799: ISAKMP: local port 500, remote port 500
Feb 25 21:58:06.799: ISAKMP: set new node 0 to QM_IDLE
Feb 25 21:58:06.799: insert sa successfully sa = 83476114
Feb 25 21:58:06.799: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
Feb 25 21:58:06.799: ISAKMP:(0):found peer pre-shared key matching 1.1.1.26
Feb 25 21:58:06.799: ISAKMP:(0): constructed NAT-T vendor-07 ID
Feb 25 21:58:06.799: ISAKMP:(0): constructed NAT-T vendor-03 ID
Feb 25 21:58:06.799: ISAKMP:(0): constructed NAT-T vendor-02 ID
Feb 25 21:58:06.799: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Feb 25 21:58:06.799: ISAKMP:(0):Old State = IKE_READY  New State = IKE._I_MM1

Feb 25 21:58:06.803: ISAKMP:(0): beginning Main Mode exchange
Feb 25 21:58:06.803: ISAKMP:(0): sending packet to 1.1.1.26 my_port 500 peer_port 500 (I) MM_NO_STATE....
Success rate is 0 percent (0/5)
sokuluk#
Feb 25 21:58:16.803: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Feb 25 21:58:16.803: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Feb 25 21:58:16.803: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Feb 25 21:58:16.803: ISAKMP:(0): sending packet to 1.1.1.26 my_port 500 peer_port 500 (I) MM_NO_STATE
Feb 25 21:58:26.803: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Feb 25 21:58:26.803: ISAKMP (0:0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
Feb 25 21:58:26.803: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Feb 25 21:58:26.803: ISAKMP:(0): sending packet to 1.1.1.26 my_port 500 peer_port 500 (I) MM_NO_STATE
Feb 25 21:58:36.799: ISAKMP: set new node 0 to QM_IDLE
Feb 25 21:58:36.799: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local 2.2.2.226, remote 1.1.1.26)
Feb 25 21:58:36.799: ISAKMP: Error while processing SA request: Failed to initialize SA
Feb 25 21:58:36.799: ISAKMP: Error while processing KMI message 0, error 2.
Feb 25 21:58:36.803: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Feb 25 21:58:36.803: ISAKMP (0:0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
Feb 25 21:58:36.803: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Feb 25 21:58:36.803: ISAKMP:(0): sending packet to 1.1.1.26 my_port 500 peer_port 500 (I) MM_NO_STATE
Feb 25 21:58:46.803: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Feb 25 21:58:46.803: ISAKMP (0:0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
Feb 25 21:58:46.803: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Feb 25 21:58:46.803: ISAKMP:(0): sending packet to 1.1.1.26 my_port 500 peer_port 500 (I) MM_NO_STATE
Feb 25 21:58:56.803: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Feb 25 21:58:56.803: ISAKMP (0:0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
Feb 25 21:58:56.803: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Feb 25 21:58:56.803: ISAKMP:(0): sending packet to 1.1.1.26 my_port 500 peer_port 500 (I) MM_NO_STATE
Feb 25 21:59:06.799: ISAKMP:(0):peer does not do paranoid keepalives.

Feb 25 21:59:06.799: ISAKMP:(0):deleting SA reason "P1 delete notify (in)" state (I) MM_NO_STATE (peer 1.1.1.26)
Feb 25 21:59:06.799: ISAKMP:(0):deleting SA reason "P1 delete notify (in)" state (I) MM_NO_STATE (peer 1.1.1.26)
Feb 25 21:59:06.799: ISAKMP: Unlocking peer struct 0x834B2AB4 for isadb_mark_sa_deleted(), count 0
Feb 25 21:59:06.799: ISAKMP: Deleting peer node by peer_reap for 1.1.1.26: 834B2AB4
Feb 25 21:59:06.799: ISAKMP:(0):deleting node -254301187 error FALSE reason "IKE deleted"
Feb 25 21:59:06.799: ISAKMP:(0):deleting node -1584635621 error FALSE reason "IKE deleted"
Feb 25 21:59:06.799: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Feb 25 21:59:06.799: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_DEST_SA

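The two debug captures above are the kind of input a network engineer has to correlate by hand: the ASA side keeps logging "Phase 1 failure: Mismatched attribute types" while also reporting that a proposal is acceptable and sending its main-mode reply, and the router side never leaves MM_NO_STATE. The following is an added example, not code from this thread or from Cisco: a small Python triage script that reads both outputs, separates the non-blocking policy mismatch lines from the actual phase-1 timeout, and states which side stalled. The sample lines are constructed to follow the format of the quoted debug output, and the regular expressions and verdict codes are this example's own assumptions; it does not claim a root cause, which the thread only reports as fixed by an IOS update.

```python
"""Triage IKEv1 main-mode debugs from both peers of a site-to-site tunnel.

Added example, not code from the forum thread. Samples are constructed in the
format of the quoted ASA/IOS 'debug crypto isakmp' output; regexes and verdict
codes are this example's own assumptions."""
import re
from collections import Counter

# Constructed sample: ASA (responder) side.
ASA_SAMPLE = """\
Feb 25 21:58:07 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
Feb 25 21:58:07 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
Feb 25 21:58:07 [IKEv1 DEBUG]: IP = 2.2.2.226, IKE SA Proposal # 1, Transform # 1 acceptable  Matches global IKE entry # 4
Feb 25 21:58:07 [IKEv1]: IP = 2.2.2.226, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 128
Feb 25 21:58:15 [IKEv1]: IP = 2.2.2.226, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 128
Feb 25 21:58:39 [IKEv1 DEBUG]: IP = 2.2.2.226, IKE MM Responder FSM error history (struct &0x0)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG3, EV_TIMEOUT-->MM_WAIT_MSG3, NullEvent
"""

# Constructed sample: IOS (initiator) side.
IOS_SAMPLE = """\
Feb 25 21:58:06.803: ISAKMP:(0): sending packet to 1.1.1.26 my_port 500 peer_port 500 (I) MM_NO_STATE
Feb 25 21:58:16.803: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Feb 25 21:58:16.803: ISAKMP:(0): sending packet to 1.1.1.26 my_port 500 peer_port 500 (I) MM_NO_STATE
Feb 25 21:58:26.803: ISAKMP (0:0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
Feb 25 21:58:26.803: ISAKMP:(0): sending packet to 1.1.1.26 my_port 500 peer_port 500 (I) MM_NO_STATE
Feb 25 21:59:06.799: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_DEST_SA
"""

# Patterns assumed from the quoted debug format (ASA first, then IOS).
RE_MISMATCH = re.compile(r"Phase 1 failure:\s+Mismatched attribute types for class "
                         r"(?P<cls>.+?):\s+Rcv'd: (?P<rcvd>.+?)\s+Cfg'd: (?P<cfgd>.+?)\s*$")
RE_ACCEPT = re.compile(r"Transform # \d+ acceptable\s+Matches global IKE entry # (?P<entry>\d+)")
RE_SEND = re.compile(r"IKE_DECODE (?P<kind>SENDING|RESENDING) Message \(msgid=0\)")
RE_FSM_ERR = re.compile(r"MM Responder FSM error history.*?EV_TIMEOUT-->(?P<state>MM_WAIT_MSG\d)")
RE_IOS_SEND = re.compile(r"sending packet to (?P<peer>\S+) .*\((?P<role>[IR])\) (?P<state>MM_\w+)")
RE_IOS_RETRY = re.compile(r"attempt (?P<n>\d+) of \d+: retransmit phase 1")
RE_IOS_STATE = re.compile(r"New State = (?P<state>IKE_\w+)")


def triage_asa(text):
    """Summarise what the responder rejected, accepted, sent and timed out on."""
    out = {"mismatches": set(), "accepted_entries": set(), "mm2_sent": 0,
           "mm2_resent": 0, "timeout_state": None}
    for line in text.splitlines():
        if m := RE_MISMATCH.search(line):
            out["mismatches"].add((m["cls"], m["rcvd"], m["cfgd"]))
        elif m := RE_ACCEPT.search(line):
            out["accepted_entries"].add(int(m["entry"]))
        elif m := RE_SEND.search(line):
            out["mm2_sent" if m["kind"] == "SENDING" else "mm2_resent"] += 1
        elif m := RE_FSM_ERR.search(line):
            out["timeout_state"] = m["state"]
    return out


def triage_ios(text):
    """Summarise the initiator's sends per main-mode state and its final state."""
    out = {"peer": None, "sent_in_state": Counter(), "retransmits": 0, "final_state": None}
    for line in text.splitlines():
        if m := RE_IOS_SEND.search(line):
            out["peer"] = m["peer"]
            out["sent_in_state"][m["state"]] += 1
        elif m := RE_IOS_RETRY.search(line):
            out["retransmits"] = max(out["retransmits"], int(m["n"]))
        elif m := RE_IOS_STATE.search(line):
            out["final_state"] = m["state"]
    return out


def diagnose(asa, ios):
    """Combine both views into a verdict code plus supporting notes."""
    notes = []
    if asa["mismatches"] and not asa["accepted_entries"]:
        notes.append("no ISAKMP policy matched any proposal: " + "; ".join(
            f"{c} received {r}, configured {g}" for c, r, g in sorted(asa["mismatches"])))
        return "POLICY_MISMATCH", notes
    for c, r, g in sorted(asa["mismatches"]):  # rejected proposals, but one matched
        notes.append(f"non-blocking: proposal with {c} {r} rejected (configured {g}); "
                     f"another proposal matched IKE entry {sorted(asa['accepted_entries'])}")
    initiator_stuck = (ios["sent_in_state"].get("MM_NO_STATE", 0) > 1
                       and ios["final_state"] == "IKE_DEST_SA")
    if asa["mm2_sent"] and asa["timeout_state"] == "MM_WAIT_MSG3" and initiator_stuck:
        notes.append(f"responder sent MM2 (resent {asa['mm2_resent']}x) and timed out waiting for MM3; "
                     f"initiator retransmitted MM1 {ios['retransmits']}x and never left MM_NO_STATE "
                     f"towards {ios['peer']}: check the UDP/500 path and the initiator's IKE build")
        return "MM2_NOT_PROCESSED_BY_INITIATOR", notes
    if asa["timeout_state"]:
        notes.append(f"responder timed out in {asa['timeout_state']}")
        return "PHASE1_TIMEOUT", notes
    return "NO_PHASE1_FAULT_SEEN", notes


if __name__ == "__main__":
    print(diagnose(triage_asa(ASA_SAMPLE), triage_ios(IOS_SAMPLE)))
```

Run it as-is to see the verdict for the constructed samples, or feed it the two captured debug outputs (`triage_asa(open("asa.log").read())`, `triage_ios(open("ios.log").read())`). The design point is that the repeated "Mismatched attribute" lines are reported but not treated as the fault once a later proposal matched a global IKE entry; the verdict is driven by the state machines on both sides, which here show the responder stuck waiting for message 3 while the initiator keeps retransmitting message 1.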



1. "IPSEC ASA5510<--->ROUTER871"
Message from serg on 01-Mar-11, 01:36
Updating the router's IOS solved the problem.


>[overquoting removed]
> MM_NO_STATE (peer 1.1.1.26)
> Feb 25 21:59:06.799: ISAKMP:(0):deleting SA reason "P1 delete notify (in)" state (I)
> MM_NO_STATE (peer 1.1.1.26)
> Feb 25 21:59:06.799: ISAKMP: Unlocking peer struct 0x834B2AB4 for isadb_mark_sa_deleted(),
> count 0
> Feb 25 21:59:06.799: ISAKMP: Deleting peer node by peer_reap for 1.1.1.26: 834B2AB4
> Feb 25 21:59:06.799: ISAKMP:(0):deleting node -254301187 error FALSE reason "IKE deleted"
> Feb 25 21:59:06.799: ISAKMP:(0):deleting node -1584635621 error FALSE reason "IKE deleted"
> Feb 25 21:59:06.799: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
> Feb 25 21:59:06.799: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_DEST_SA
