Velocity Reviews


Rick B. 12-11-2003 03:24 PM

Cisco 3000 L2L Tunnel Troubles
 
I need some help all. I have several L2L sites configured the same way
and they all work perfectly except for this one. Any insight would be
GREATLY, GREATLY appreciated. I'm banging my head against the wall.
Below is some log info...


34629 12/11/143 05:28:14.120 SEV=5 IKE/34 RPT=2420 14.255.61.33
Received local IP Proxy Subnet data in ID Payload:
Address 10.23.0.0, Mask 255.255.0.0, Protocol 0, Port 0

34631 12/11/143 05:28:14.120 SEV=4 IKE/61 RPT=1978 14.255.61.33
Group [14.255.61.33]
Tunnel rejected: Policy not found for Src:14.255.61.33, Dst:
10.23.0.0!

34633 12/11/143 05:28:14.120 SEV=4 IKEDBG/0 RPT=2199
QM FSM error (P2 struct &0x7fa3f98, mess id 0x9cc3d4d9)!

34634 12/11/143 05:28:14.120 SEV=4 IKEDBG/65 RPT=2377 14.255.61.33
Group [14.255.61.33]
IKE QM Responder FSM error history (struct &0x7fa3f98)
<state>, <event>:
QM_DONE, EV_ERROR
QM_BLD_MSG2, EV_NEGO_SA
QM_BLD_MSG2, EV_IS_REKEY
QM_BLD_MSG2, EV_CONFIRM_SA

34639 12/11/143 05:28:24.110 SEV=5 IKE/50 RPT=678 14.255.61.33
Group [14.255.61.33]
Connection terminated for peer 14.255.61.33 (Peer Terminate)
Remote Proxy N/A, Local Proxy N/A

34642 12/11/143 05:28:24.140 SEV=4 AUTH/23 RPT=688 14.255.61.33
User [14.255.61.33] Group [14.255.61.33] disconnected: duration:
0:29:13

34643 12/11/143 05:28:31.660 SEV=4 IKE/119 RPT=729 14.255.61.33
Group [14.255.61.33]
PHASE 1 COMPLETED

34644 12/11/143 05:28:31.660 SEV=4 AUTH/22 RPT=691
User [14.255.61.33] Group [14.255.61.33] connected

34645 12/11/143 05:28:31.900 SEV=5 IKE/35 RPT=465 14.255.61.33
Group [14.255.61.33]
Received remote IP Proxy Subnet data in ID Payload:
Address 10.2.136.0, Mask 255.255.248.0, Protocol 0, Port 0

34648 12/11/143 05:28:31.900 SEV=5 IKE/34 RPT=2421 14.255.61.33
Group [14.255.61.33]
Received local IP Proxy Subnet data in ID Payload:
Address 10.23.0.0, Mask 255.255.0.0, Protocol 0, Port 0

34651 12/11/143 05:28:31.900 SEV=5 IKE/66 RPT=444 14.255.61.33
Group [14.255.61.33]
IKE Remote Peer configured for SA: L2L: Brazil

34652 12/11/143 05:28:32.240 SEV=4 IKE/49 RPT=5015 14.255.61.33
Group [14.255.61.33]
Security negotiation complete for LAN-to-LAN Group (14.255.61.33)
Responder, Inbound SPI = 0x5afc4ac6, Outbound SPI = 0xdb9c5462

34655 12/11/143 05:28:32.250 SEV=4 IKE/120 RPT=5015 14.255.61.33
Group [14.255.61.33]
PHASE 2 COMPLETED (msgid=e8ba0e65)

34656 12/11/143 05:28:44.150 SEV=5 IKE/50 RPT=679 14.255.61.33
Group [14.255.61.33]
Connection terminated for peer 14.255.61.33 (Peer Terminate)
Remote Proxy N/A, Local Proxy N/A

34659 12/11/143 05:28:44.160 SEV=4 AUTH/23 RPT=689 14.255.61.33
User [14.255.61.33] Group [14.255.61.33] disconnected: duration:
0:00:12

Mike Gallagher 12-12-2003 06:09 PM

Re: Cisco 3000 L2L Tunnel Troubles
 
This message is easy:

34631 12/11/143 05:28:14.120 SEV=4 IKE/61 RPT=1978 14.255.61.33
Group [14.255.61.33]
Tunnel rejected: Policy not found for Src:14.255.61.33, Dst:
10.23.0.0!

You don't have an L2L tunnel defined where your remote network list is
14.255.61.33/32 and the local network list is 10.23.0.0/16.

The second termination could be many different things, but you can tell for
sure the remote device is terminating the connection. What kind of device
is on the other side and do you manage it?

Mike
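The check Mike describes for the IKE/61 entry can be run against the log directly. This is an added example, not code from the thread or from Cisco: it takes entries from the first post and tests each Quick Mode proxy-ID pair against the tunnel's network lists. `REMOTE_LIST` and `LOCAL_LIST` are assumed values, since the thread never shows the lists actually configured.

```python
import ipaddress
import re

# Entries copied from the log in the first post, wrapped lines rejoined.
LOG = """\
34631 12/11/143 05:28:14.120 SEV=4 IKE/61 RPT=1978 14.255.61.33
Group [14.255.61.33]
Tunnel rejected: Policy not found for Src:14.255.61.33, Dst: 10.23.0.0!

34645 12/11/143 05:28:31.900 SEV=5 IKE/35 RPT=465 14.255.61.33
Group [14.255.61.33]
Received remote IP Proxy Subnet data in ID Payload:
Address 10.2.136.0, Mask 255.255.248.0, Protocol 0, Port 0

34648 12/11/143 05:28:31.900 SEV=5 IKE/34 RPT=2421 14.255.61.33
Group [14.255.61.33]
Received local IP Proxy Subnet data in ID Payload:
Address 10.23.0.0, Mask 255.255.0.0, Protocol 0, Port 0

34655 12/11/143 05:28:32.250 SEV=4 IKE/120 RPT=5015 14.255.61.33
Group [14.255.61.33]
PHASE 2 COMPLETED (msgid=e8ba0e65)
"""

# Assumed network lists for this tunnel; the thread does not show the real ones.
REMOTE_LIST = [ipaddress.ip_network("10.2.136.0/21")]
LOCAL_LIST = [ipaddress.ip_network("10.23.0.0/16")]
SUBNET = re.compile(r"Address (\S+), Mask (\S+),")
REJECT = re.compile(r"Src:\s*(\S+), Dst:\s*([\d.]+)")

def covered(net, networks):
    """True if net (a host address or a subnet) lies inside a listed network."""
    return any(ipaddress.ip_network(net).subnet_of(n) for n in networks)

def audit(log):
    """Return (event, remote, local, in_policy) for each Quick Mode outcome."""
    pairs, seen = [], {}
    for entry in log.strip().split("\n\n"):
        event = entry.split()[4]              # fifth header field, e.g. IKE/61
        if event in ("IKE/35", "IKE/34"):     # remote / local proxy ID sent by the peer
            seen[event] = "/".join(SUBNET.search(entry).groups())
        elif event == "IKE/61":               # rejected: the entry names the unmatched pair
            pairs.append((event, *REJECT.search(entry).groups()))
        elif event == "IKE/120":              # accepted: the pair logged just before
            pairs.append((event, seen["IKE/35"], seen["IKE/34"]))
    return [(e, r, l, covered(r, REMOTE_LIST) and covered(l, LOCAL_LIST))
            for e, r, l in pairs]
```

With these assumed lists, the rejected pair fails on the remote side only: the peer's public address 14.255.61.33 is offered as the source, and it is not inside any remote network, while the pair that completes Phase 2 matches both lists.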




joe 12-13-2003 07:04 AM

Re: Cisco 3000 L2L Tunnel Troubles
 
You overlapped 10.23.0.0/16? (i.e. you're using a longer prefix in another
tunnel!)... Check your wildcard mask statements in your
LAN-to-LAN config for this tunnel...

How are you doing this: statically defined peers (smartest way),
i.e. you both put each other's networks in the opposite place in the
configs, or are you using network autodiscovery, or network lists?


Check everything, or delete and re-create from scratch.

Clearly all those logs indicate is a mismatch in what the peer is
asserting, expecting...


Rick B. 12-16-2003 03:39 PM

Re: Cisco 3000 L2L Tunnel Troubles
 
Mike,

I have an L2L tunnel defined where his remote network list contains all
his private IPs and the local list I'm using is the same one I use
for all the other tunnels; it contains all our private IPs. The
14.255.61.33 is defined as the remote peer. I'm pretty sure the remote
device is a Check Point box. I don't manage it, so unfortunately I do
not have access to look at its config. :-(

Rick B. 12-16-2003 03:45 PM

Re: Cisco 3000 L2L Tunnel Troubles
 
Joe,

I'm using Network Lists. I'm using the same local network list for all
my tunnels, and all the other tunnels are functioning properly. I
think the problem may be on the other side, but I don't have access to
that device.

Rick B. 12-16-2003 03:49 PM

Re: Cisco 3000 L2L Tunnel Troubles
 
I guess the real question is why does the tunnel come up and work
properly for up to 30 minutes at a time and then drop back off until it
goes through that re-negotiation process?

