Cisco 3000 L2L Tunnel Troubles

Discussion in 'Cisco' started by Rick B., Dec 11, 2003.

  1. Rick B.

    Rick B. Guest

    I need some help all. I have several L2L sites configured the same way
    and they all work perfectly except for this one. Any insight would be
    GREATLY, GREATLY appreciated. I'm banging my head against the wall.
    Below is some log info...


    34629 12/11/143 05:28:14.120 SEV=5 IKE/34 RPT=2420 14.255.61.33
    Received local IP Proxy Subnet data in ID Payload:
    Address 10.23.0.0, Mask 255.255.0.0, Protocol 0, Port 0

    34631 12/11/143 05:28:14.120 SEV=4 IKE/61 RPT=1978 14.255.61.33
    Group [14.255.61.33]
    Tunnel rejected: Policy not found for Src:14.255.61.33, Dst:
    10.23.0.0!

    34633 12/11/143 05:28:14.120 SEV=4 IKEDBG/0 RPT=2199
    QM FSM error (P2 struct &0x7fa3f98, mess id 0x9cc3d4d9)!

    34634 12/11/143 05:28:14.120 SEV=4 IKEDBG/65 RPT=2377 14.255.61.33
    Group [14.255.61.33]
    IKE QM Responder FSM error history (struct &0x7fa3f98)
    <state>, <event>:
    QM_DONE, EV_ERROR
    QM_BLD_MSG2, EV_NEGO_SA
    QM_BLD_MSG2, EV_IS_REKEY
    QM_BLD_MSG2, EV_CONFIRM_SA

    34639 12/11/143 05:28:24.110 SEV=5 IKE/50 RPT=678 14.255.61.33
    Group [14.255.61.33]
    Connection terminated for peer 14.255.61.33 (Peer Terminate)
    Remote Proxy N/A, Local Proxy N/A

    34642 12/11/143 05:28:24.140 SEV=4 AUTH/23 RPT=688 14.255.61.33
    User [14.255.61.33] Group [14.255.61.33] disconnected: duration:
    0:29:13

    34643 12/11/143 05:28:31.660 SEV=4 IKE/119 RPT=729 14.255.61.33
    Group [14.255.61.33]
    PHASE 1 COMPLETED

    34644 12/11/143 05:28:31.660 SEV=4 AUTH/22 RPT=691
    User [14.255.61.33] Group [14.255.61.33] connected

    34645 12/11/143 05:28:31.900 SEV=5 IKE/35 RPT=465 14.255.61.33
    Group [14.255.61.33]
    Received remote IP Proxy Subnet data in ID Payload:
    Address 10.2.136.0, Mask 255.255.248.0, Protocol 0, Port 0

    34648 12/11/143 05:28:31.900 SEV=5 IKE/34 RPT=2421 14.255.61.33
    Group [14.255.61.33]
    Received local IP Proxy Subnet data in ID Payload:
    Address 10.23.0.0, Mask 255.255.0.0, Protocol 0, Port 0

    34651 12/11/143 05:28:31.900 SEV=5 IKE/66 RPT=444 14.255.61.33
    Group [14.255.61.33]
    IKE Remote Peer configured for SA: L2L: Brazil

    34652 12/11/143 05:28:32.240 SEV=4 IKE/49 RPT=5015 14.255.61.33
    Group [14.255.61.33]
    Security negotiation complete for LAN-to-LAN Group (14.255.61.33)
    Responder, Inbound SPI = 0x5afc4ac6, Outbound SPI = 0xdb9c5462

    34655 12/11/143 05:28:32.250 SEV=4 IKE/120 RPT=5015 14.255.61.33
    Group [14.255.61.33]
    PHASE 2 COMPLETED (msgid=e8ba0e65)

    34656 12/11/143 05:28:44.150 SEV=5 IKE/50 RPT=679 14.255.61.33
    Group [14.255.61.33]
    Connection terminated for peer 14.255.61.33 (Peer Terminate)
    Remote Proxy N/A, Local Proxy N/A

    34659 12/11/143 05:28:44.160 SEV=4 AUTH/23 RPT=689 14.255.61.33
    User [14.255.61.33] Group [14.255.61.33] disconnected: duration:
    0:00:12
    Rick B., Dec 11, 2003
    #1

  2. Mike Gallagher

    Mike Gallagher Guest

    This message is easy:

    34631 12/11/143 05:28:14.120 SEV=4 IKE/61 RPT=1978 14.255.61.33
    Group [14.255.61.33]
    Tunnel rejected: Policy not found for Src:14.255.61.33, Dst:
    10.23.0.0!

    You don't have an L2L tunnel defined where your remote network list is
    14.255.61.33/32 and the local network list is 10.23.0.0/16.

    The second termination could be many different things, but you can tell for
    sure the remote device is terminating the connection. What kind of device
    is on the other side and do you manage it?

    Mike

    Mike Gallagher, Dec 12, 2003
    #2

  3. joe

    joe Guest

    You overlapped 10.23.0.0/16? (i.e. you're using a longer prefix in another
    tunnel!)... check your wildcard mask statements in your
    LAN-to-LAN config for this tunnel...

    How are you doing this: statically defined peers (smartest way),
    i.e. you both put each other's networks in the opposite place in the
    configs, or are you using network autodiscovery, or network lists?


    Check everything, or delete and re-create from scratch...

    Clearly, all those logs indicate is a mismatch in what the peer is
    asserting and expecting...

    joe, Dec 13, 2003
    #3
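As an added example (not code from the thread, from Cisco, or from either poster), a small Python check that does by script what Mike and joe describe by hand: it reads the IKE/34 (local) and IKE/35 (remote) proxy-ID lines from the concentrator log, looks each pair up against a table of L2L network lists the way the concentrator does before it logs IKE/61 "Policy not found", and flags remote network lists that overlap between tunnels (joe's longer-prefix case). The log sample is constructed from the thread's own lines; the tunnel table, the invented "Chile" tunnel and all function names are assumptions.

```python
import ipaddress
import re
# Constructed sample in the thread's VPN 3000 log format: the rejected attempt, then the accepted one.
SAMPLE_LOG = """\
34629 12/11/143 05:28:14.120 SEV=5 IKE/34 RPT=2420 14.255.61.33
Address 10.23.0.0, Mask 255.255.0.0, Protocol 0, Port 0
34645 12/11/143 05:28:31.900 SEV=5 IKE/35 RPT=465 14.255.61.33
Address 10.2.136.0, Mask 255.255.248.0, Protocol 0, Port 0
34648 12/11/143 05:28:31.900 SEV=5 IKE/34 RPT=2421 14.255.61.33
Address 10.23.0.0, Mask 255.255.0.0, Protocol 0, Port 0
"""
# Hypothetical L2L table: name -> (local network list, remote network list). "Chile" is
# invented so the overlap check has something to find: a longer prefix inside Brazil's.
TUNNELS = {"Brazil": (["10.23.0.0/16"], ["10.2.136.0/21"]),
           "Chile": (["10.23.0.0/16"], ["10.2.136.0/24"])}
HDR_RE = re.compile(r"IKE/(34|35) RPT=\d+ (\S+)")  # IKE/34 = local proxy, IKE/35 = remote
PROXY_RE = re.compile(r"Address (\S+), Mask (\S+),")

def find_policy(local, remote, tunnels=TUNNELS):
    """Mirror the concentrator's lookup: both proxy IDs must sit inside one tunnel's lists."""
    for name, (local_list, remote_list) in tunnels.items():
        if any(local.subnet_of(ipaddress.ip_network(n)) for n in local_list) and \
           any(remote.subnet_of(ipaddress.ip_network(n)) for n in remote_list):
            return name
    return None  # the case the concentrator logs as IKE/61 'Policy not found'

def diagnose(log, tunnels=TUNNELS):
    """Pair each remote/local proxy ID in the log and name the tunnel (if any) it selects."""
    results, side, peer, remote = [], None, None, None
    for line in log.splitlines():
        if m := HDR_RE.search(line):
            side, peer = ("local" if m.group(1) == "34" else "remote"), m.group(2)
        elif side and (m := PROXY_RE.search(line)):  # the Address line under that header
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
            if side == "remote":
                remote = net
            else:  # no remote proxy logged first: assume the peer's own host (the IKE/61 'Src:' case)
                remote = remote or ipaddress.ip_network(f"{peer}/32")
                results.append((str(remote), str(net), find_policy(net, remote, tunnels)))
                remote = None
            side = None
    return results

def overlapping_remote_lists(tunnels=TUNNELS):
    """joe's check: remote network lists that overlap between two different tunnels."""
    names = list(tunnels)
    return [(a, x, b, y) for i, a in enumerate(names) for b in names[i + 1:]
            for x in tunnels[a][1] for y in tunnels[b][1]
            if ipaddress.ip_network(x).overlaps(ipaddress.ip_network(y))]
```

Running `diagnose(SAMPLE_LOG)` reports the first attempt (peer host 14.255.61.33/32 to 10.23.0.0/16) as matching no tunnel and the second (10.2.136.0/21 to 10.23.0.0/16) as selecting Brazil, which is exactly the rejection and the later PHASE 2 COMPLETED in the thread.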
  4. Rick B.

    Rick B. Guest

    Mike,

    I have an L2L tunnel defined where his remote network list contains all
    his private IPs and the local list I'm using is the same one I use
    for all the other tunnels; it contains all our private IPs. The
    14.255.61.33 is defined as the remote peer. I'm pretty sure the remote
    device is a Checkpoint box. I don't manage it, so unfortunately I do
    not have access to look at its config. :-(
    Rick B., Dec 16, 2003
    #4
  5. Rick B.

    Rick B. Guest

    Joe,

    I'm using Network Lists. I'm using the same local network list for all
    my tunnels, and all the other tunnels are functioning properly. I
    think the problem may be on the other side, but I don't have access to
    that device.
    Rick B., Dec 16, 2003
    #5
  6. Rick B.

    Rick B. Guest

    I guess the real question is why does the tunnel come up and work
    properly for up to 30 minutes at a time and then drop back off until it
    goes through that re-negotiation process?
    Rick B., Dec 16, 2003
    #6