IPsec between ISR4331 and ASA5545-X

Security problems (VPN, firewall, IDS/IPS, etc.)
jinx_20
wannabe
Posts: 210
Joined: 15 Sep 2009, 09:51

IPsec between ISR4331 and ASA5545-X

#1 Post by jinx_20 »

I have a problem with IPsec between an ISR4331 and an ASA5545-X. The interesting part is that not even P1 comes up, but as soon as I do a "shut" and "no shut" on the router's WAN-side interface, everything comes up. Then, once the SA expires, it is the same thing all over again :(

I checked on 2 software versions:
- isr4300-universalk9.03.16.05.S.155-3.S5-ext.SPA.bin
- isr4300-universalk9.03.13.07.S.154-3.S7-ext.SPA.bin

Does anyone have an idea? Has anyone had a similar problem?

Code:

Mar 16 15:40:59.882 CET: ISAKMP:(0): SA request profile is (NULL)
Mar 16 15:40:59.882 CET: ISAKMP: Created a peer struct for X.X.X.X, peer port 500
Mar 16 15:40:59.882 CET: ISAKMP: New peer created peer = 0x7F97DDC01C10 peer_handle = 0x8000000F
Mar 16 15:40:59.882 CET: ISAKMP: Locking peer struct 0x7F97DDC01C10, refcount 1 for isakmp_initiator
Mar 16 15:40:59.882 CET: ISAKMP: local port 500, remote port 500
Mar 16 15:40:59.882 CET: ISAKMP: set new node 0 to QM_IDLE      
Mar 16 15:40:59.883 CET: ISAKMP:(0):insert sa successfully sa = 7F97E6571000
Mar 16 15:40:59.883 CET: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
Mar 16 15:40:59.883 CET: ISAKMP:(0):found peer pre-shared key matching X.X.X.X
Mar 16 15:40:59.883 CET: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
Mar 16 15:40:59.883 CET: ISAKMP:(0): constructed NAT-T vendor-07 ID
Mar 16 15:40:59.883 CET: ISAKMP:(0): constructed NAT-T vendor-03 ID
Mar 16 15:40:59.883 CET: ISAKMP:(0): constructed NAT-T vendor-02 ID
Mar 16 15:40:59.883 CET: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Mar 16 15:40:59.883 CET: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1 

Mar 16 15:40:59.883 CET: ISAKMP:(0): beginning Main Mode exchange
hostname#
Mar 16 15:40:59.883 CET: ISAKMP:(0): sending packet to X.X.X.X my_port 500 peer_port 500 (I) MM_NO_STATE
Mar 16 15:40:59.883 CET: ISAKMP:(0):Sending an IKE IPv4 Packet.
hostname#
Mar 16 15:41:09.883 CET: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Mar 16 15:41:09.883 CET: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Mar 16 15:41:09.883 CET: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Mar 16 15:41:09.883 CET: ISAKMP:(0): sending packet to X.X.X.X my_port 500 peer_port 500 (I) MM_NO_STATE
Mar 16 15:41:09.883 CET: ISAKMP:(0):Sending an IKE IPv4 Packet.
hostname#
Mar 16 15:41:19.883 CET: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Mar 16 15:41:19.883 CET: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
Mar 16 15:41:19.883 CET: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Mar 16 15:41:19.883 CET: ISAKMP:(0): sending packet to X.X.X.X my_port 500 peer_port 500 (I) MM_NO_STATE
Mar 16 15:41:19.883 CET: ISAKMP:(0):Sending an IKE IPv4 Packet.
hostname#
Mar 16 15:41:29.882 CET: ISAKMP: set new node 0 to QM_IDLE      
Mar 16 15:41:29.882 CET: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local Y.Y.Y.Y, remote X.X.X.X)
Mar 16 15:41:29.885 CET: ISAKMP: Error while processing SA request: Failed to initialize SA
Mar 16 15:41:29.885 CET: ISAKMP: Error while processing KMI message 0, error 2.
Mar 16 15:41:29.885 CET: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Mar 16 15:41:29.885 CET: ISAKMP (0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
Mar 16 15:41:29.885 CET: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
hostname#
Mar 16 15:41:29.885 CET: ISAKMP:(0): sending packet to X.X.X.X my_port 500 peer_port 500 (I) MM_NO_STATE
Mar 16 15:41:29.885 CET: ISAKMP:(0):Sending an IKE IPv4 Packet.
hostname#
Mar 16 15:41:39.886 CET: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Mar 16 15:41:39.886 CET: ISAKMP (0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
Mar 16 15:41:39.886 CET: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Mar 16 15:41:39.886 CET: ISAKMP:(0): sending packet to X.X.X.X my_port 500 peer_port 500 (I) MM_NO_STATE
Mar 16 15:41:39.886 CET: ISAKMP:(0):Sending an IKE IPv4 Packet.
hostname#
Mar 16 15:41:49.887 CET: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Mar 16 15:41:49.887 CET: ISAKMP (0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
Mar 16 15:41:49.887 CET: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Mar 16 15:41:49.887 CET: ISAKMP:(0): sending packet to X.X.X.X my_port 500 peer_port 500 (I) MM_NO_STATE
Mar 16 15:41:49.887 CET: ISAKMP:(0):Sending an IKE IPv4 Packet.
hostname#
Mar 16 15:41:59.887 CET: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Mar 16 15:41:59.887 CET: ISAKMP:(0):peer does not do paranoid keepalives.

Mar 16 15:41:59.887 CET: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer X.X.X.X)
Mar 16 15:41:59.887 CET: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer X.X.X.X) 
Mar 16 15:41:59.887 CET: ISAKMP: Unlocking peer struct 0x7F97DDC01C10 for isadb_mark_sa_deleted(), count 0
Mar 16 15:41:59.887 CET: ISAKMP: Deleting peer node by peer_reap for X.X.X.X: 7F97DDC01C10
hostname#
Mar 16 15:41:59.897 CET: ISAKMP:(0):deleting node 1094552573 error FALSE reason "IKE deleted"
Mar 16 15:41:59.897 CET: ISAKMP:(0):deleting node 4253300267 error FALSE reason "IKE deleted"
Mar 16 15:41:59.897 CET: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Mar 16 15:41:59.897 CET: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_DEST_SA 

hostname#
Mar 16 15:42:09.431 CET: ISAKMP:(0): SA request profile is (NULL)
Mar 16 15:42:09.431 CET: ISAKMP: Created a peer struct for X.X.X.X, peer port 500
Mar 16 15:42:09.431 CET: ISAKMP: New peer created peer = 0x7F97EB9481D0 peer_handle = 0x80000010
Mar 16 15:42:09.431 CET: ISAKMP: Locking peer struct 0x7F97EB9481D0, refcount 1 for isakmp_initiator
Mar 16 15:42:09.431 CET: ISAKMP: local port 500, remote port 500
Mar 16 15:42:09.431 CET: ISAKMP: set new node 0 to QM_IDLE      
Mar 16 15:42:09.431 CET: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 7F97EB9501E0
Mar 16 15:42:09.431 CET: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
Mar 16 15:42:09.431 CET: ISAKMP:(0):found peer pre-shared key matching X.X.X.X
Mar 16 15:42:09.431 CET: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
Mar 16 15:42:09.432 CET: ISAKMP:(0): constructed NAT-T vendor-07 ID
Mar 16 15:42:09.432 CET: ISAKMP:(0): constructed NAT-T vendor-03 ID
Mar 16 15:42:09.432 CET: ISAKMP:(0): constructed NAT-T vendor-02 ID
Mar 16 15:42:09.432 CET: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Mar 16 15:42:09.432 CET: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1 

Mar 16 15:42:09.432 CET: ISAKMP:(0): beginning Main Mode exchange
hostname#
Mar 16 15:42:09.432 CET: ISAKMP:(0): sending packet to X.X.X.X my_port 500 peer_port 500 (I) MM_NO_STATE
Mar 16 15:42:09.432 CET: ISAKMP:(0):Sending an IKE IPv4 Packet.
hostname#
Mar 16 15:42:19.432 CET: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Mar 16 15:42:19.432 CET: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Mar 16 15:42:19.432 CET: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Mar 16 15:42:19.432 CET: ISAKMP:(0): sending packet to X.X.X.X my_port 500 peer_port 500 (I) MM_NO_STATE
Mar 16 15:42:19.432 CET: ISAKMP:(0):Sending an IKE IPv4 Packet.
hostname#
Mar 16 15:42:29.432 CET: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Mar 16 15:42:29.432 CET: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
Mar 16 15:42:29.432 CET: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Mar 16 15:42:29.432 CET: ISAKMP:(0): sending packet to X.X.X.X my_port 500 peer_port 500 (I) MM_NO_STATE
Mar 16 15:42:29.432 CET: ISAKMP:(0):Sending an IKE IPv4 Packet.
hostname#
Mar 16 15:42:39.431 CET: ISAKMP: set new node 0 to QM_IDLE      
Mar 16 15:42:39.431 CET: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local Y.Y.Y.Y, remote X.X.X.X)
Mar 16 15:42:39.434 CET: ISAKMP: Error while processing SA request: Failed to initialize SA
Mar 16 15:42:39.434 CET: ISAKMP: Error while processing KMI message 0, error 2.
Mar 16 15:42:39.434 CET: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Mar 16 15:42:39.434 CET: ISAKMP (0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
Mar 16 15:42:39.434 CET: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
hostname#
Mar 16 15:42:39.434 CET: ISAKMP:(0): sending packet to X.X.X.X my_port 500 peer_port 500 (I) MM_NO_STATE
Mar 16 15:42:39.434 CET: ISAKMP:(0):Sending an IKE IPv4 Packet.
hostname#
Mar 16 15:42:49.434 CET: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Mar 16 15:42:49.435 CET: ISAKMP (0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
Mar 16 15:42:49.435 CET: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Mar 16 15:42:49.435 CET: ISAKMP:(0): sending packet to X.X.X.X my_port 500 peer_port 500 (I) MM_NO_STATE
Mar 16 15:42:49.435 CET: ISAKMP:(0):Sending an IKE IPv4 Packet.
Mar 16 15:42:49.897 CET: ISAKMP:(0):purging node 1094552573
Mar 16 15:42:49.897 CET: ISAKMP:(0):purging node 4253300267
hostname#
Mar 16 15:42:59.435 CET: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Mar 16 15:42:59.435 CET: ISAKMP (0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
Mar 16 15:42:59.435 CET: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Mar 16 15:42:59.435 CET: ISAKMP:(0): sending packet to X.X.X.X my_port 500 peer_port 500 (I) MM_NO_STATE
Mar 16 15:42:59.435 CET: ISAKMP:(0):Sending an IKE IPv4 Packet.
Mar 16 15:42:59.897 CET: ISAKMP:(0):purging SA., sa=7F97E6571000, delme=7F97E6571000
hostname#
Mar 16 15:43:09.435 CET: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Mar 16 15:43:09.435 CET: ISAKMP:(0):peer does not do paranoid keepalives.

Mar 16 15:43:09.435 CET: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer X.X.X.X)
Mar 16 15:43:09.436 CET: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer X.X.X.X) 
Mar 16 15:43:09.436 CET: ISAKMP: Unlocking peer struct 0x7F97EB9481D0 for isadb_mark_sa_deleted(), count 0
Mar 16 15:43:09.436 CET: ISAKMP: Deleting peer node by peer_reap for X.X.X.X: 7F97EB9481D0
hostname#
Mar 16 15:43:09.445 CET: ISAKMP:(0):deleting node 4235652090 error FALSE reason "IKE deleted"
Mar 16 15:43:09.446 CET: ISAKMP:(0):deleting node 3291526272 error FALSE reason "IKE deleted"
Mar 16 15:43:09.446 CET: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Mar 16 15:43:09.446 CET: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_DEST_SA 

hostname#
Mar 16 15:43:18.980 CET: ISAKMP:(0): SA request profile is (NULL)
Mar 16 15:43:18.980 CET: ISAKMP: Created a peer struct for X.X.X.X, peer port 500
Mar 16 15:43:18.980 CET: ISAKMP: New peer created peer = 0x7F97DDC01C10 peer_handle = 0x80000011
Mar 16 15:43:18.980 CET: ISAKMP: Locking peer struct 0x7F97DDC01C10, refcount 1 for isakmp_initiator
Mar 16 15:43:18.980 CET: ISAKMP: local port 500, remote port 500
Mar 16 15:43:18.980 CET: ISAKMP: set new node 0 to QM_IDLE      
Mar 16 15:43:18.980 CET: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 7F97EB950EF8
Mar 16 15:43:18.980 CET: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
Mar 16 15:43:18.980 CET: ISAKMP:(0):found peer pre-shared key matching X.X.X.X
Mar 16 15:43:18.980 CET: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
Mar 16 15:43:18.980 CET: ISAKMP:(0): constructed NAT-T vendor-07 ID
Mar 16 15:43:18.980 CET: ISAKMP:(0): constructed NAT-T vendor-03 ID
Mar 16 15:43:18.980 CET: ISAKMP:(0): constructed NAT-T vendor-02 ID
Mar 16 15:43:18.980 CET: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Mar 16 15:43:18.980 CET: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1 

Mar 16 15:43:18.980 CET: ISAKMP:(0): beginning Main Mode exchange
hostname#
Mar 16 15:43:18.980 CET: ISAKMP:(0): sending packet to X.X.X.X my_port 500 peer_port 500 (I) MM_NO_STATE
Mar 16 15:43:18.980 CET: ISAKMP:(0):Sending an IKE IPv4 Packet.
Regards,
jinx
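As an added illustration (not code from the original post), the Python script below groups IOS "debug crypto isakmp" initiator output of the kind pasted above into Phase 1 attempts and reports, per attempt, how many Main Mode packets were sent, whether anything was ever received, how many retransmits occurred and why the SA was deleted. The embedded sample log is constructed (the addresses and SA handle are made up) but follows the same line format as the post. Run over a capture like the one above, every attempt comes out as "sent, never received", which is consistent with the initiator's packets not reaching the peer or the replies not coming back to the address the router sources from.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the IOS "debug crypto isakmp" format seen in the post;
# the peer address and SA handle are made up. Attempt 1 dies by retransmission,
# attempt 2 shows the peer answering (as after the author's shut/no shut).
SAMPLE_DEBUG = """\
Mar 16 15:40:59.882 CET: ISAKMP: Created a peer struct for 192.0.2.1, peer port 500
Mar 16 15:40:59.883 CET: ISAKMP:(0): beginning Main Mode exchange
hostname#
Mar 16 15:40:59.883 CET: ISAKMP:(0): sending packet to 192.0.2.1 my_port 500 peer_port 500 (I) MM_NO_STATE
Mar 16 15:41:09.883 CET: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Mar 16 15:41:09.883 CET: ISAKMP:(0): sending packet to 192.0.2.1 my_port 500 peer_port 500 (I) MM_NO_STATE
Mar 16 15:41:29.885 CET: ISAKMP: Error while processing SA request: Failed to initialize SA
Mar 16 15:41:49.887 CET: ISAKMP (0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
Mar 16 15:41:49.887 CET: ISAKMP:(0): sending packet to 192.0.2.1 my_port 500 peer_port 500 (I) MM_NO_STATE
Mar 16 15:41:59.887 CET: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 192.0.2.1)
Mar 16 15:42:09.431 CET: ISAKMP: Created a peer struct for 192.0.2.1, peer port 500
Mar 16 15:42:09.431 CET: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 7F00000000A0
Mar 16 15:42:09.432 CET: ISAKMP:(0): beginning Main Mode exchange
Mar 16 15:42:09.432 CET: ISAKMP:(0): sending packet to 192.0.2.1 my_port 500 peer_port 500 (I) MM_NO_STATE
Mar 16 15:42:09.510 CET: ISAKMP (1001): received packet from 192.0.2.1 dport 500 sport 500 Global (I) MM_NO_STATE
Mar 16 15:42:09.512 CET: ISAKMP:(1001):Old State = IKE_I_MM1  New State = IKE_I_MM2
"""

# "Mar 16 15:40:59.882 CET: <message>"; prompt echoes like "hostname#" do not match.
LINE_RE = re.compile(
    r'^\*?(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}\.\d{3}) [A-Z]+: (?P<msg>.*)$')
ATTEMPT_RE = re.compile(r'attempt (\d+) of (\d+): retransmit phase 1')
DELETE_RE = re.compile(r'deleting SA reason "([^"]+)"')


@dataclass
class Phase1Attempt:
    started: str                      # timestamp of "Created a peer struct"
    retransmits: int = 0              # highest "attempt N of M" seen
    max_attempts: Optional[int] = None
    packets_sent: int = 0
    packets_received: int = 0
    dup_sa: bool = False              # stale SA still in the ISAKMP database
    init_errors: int = 0              # "Failed to initialize SA" occurrences
    outcome: Optional[str] = None     # delete reason; None if the log ended first


def parse_isakmp_debug(text: str) -> List[Phase1Attempt]:
    """Group ISAKMP initiator debug lines into Phase 1 attempts."""
    attempts: List[Phase1Attempt] = []
    cur: Optional[Phase1Attempt] = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts, msg = m.group('ts'), m.group('msg')
        if 'Created a peer struct' in msg:      # one per initiator attempt
            cur = Phase1Attempt(started=ts)
            attempts.append(cur)
            continue
        if cur is None:
            continue                            # lines before the first attempt
        if 'Find a dup sa' in msg:
            cur.dup_sa = True
        elif 'sending packet to' in msg:
            cur.packets_sent += 1
        elif 'received packet from' in msg:
            cur.packets_received += 1
        elif 'Failed to initialize SA' in msg:
            cur.init_errors += 1
        else:
            am = ATTEMPT_RE.search(msg)
            dm = DELETE_RE.search(msg)
            if am:
                cur.retransmits = max(cur.retransmits, int(am.group(1)))
                cur.max_attempts = int(am.group(2))
            elif dm and cur.outcome is None:
                cur.outcome = dm.group(1)
    return attempts


def diagnose(a: Phase1Attempt) -> str:
    """One-line reading of an attempt from the initiator's side."""
    if a.outcome and a.outcome.startswith('Death by retransmission'):
        if a.packets_received == 0:
            return ('no reply from peer: MM1 sent %d times, nothing received; '
                    'check that UDP/500 from the address the router actually '
                    'sources from reaches the peer and comes back' % a.packets_sent)
        return 'peer answered but Phase 1 still timed out: compare proposals and PSK'
    if a.packets_received:
        return 'peer responding, Phase 1 progressed past MM1'
    return 'in progress or log truncated'


if __name__ == '__main__':
    for i, a in enumerate(parse_isakmp_debug(SAMPLE_DEBUG), 1):
        flags = ' dup-SA' if a.dup_sa else ''
        print(f'#{i} {a.started}: sent={a.packets_sent} recv={a.packets_received} '
              f'retransmits={a.retransmits}/{a.max_attempts} outcome={a.outcome}{flags}')
        print('   ', diagnose(a))
```

Feed it the raw terminal capture; the prompt echoes and blank lines are skipped by the timestamp match. The "Find a dup sa" flag is reported but not treated as a cause on its own, since it only says the previous attempt's SA had not been purged yet when the next request arrived.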

drake
CCIE
Posts: 1593
Joined: 06 May 2005, 01:32
Location: Dortmund, DE

Re: IPsec between ISR4331 and ASA5545-X

#2 Post by drake »

Hi,
have you checked the IOS/XE on that ISR for bugs related to ISAKMP/IPsec?
If you know your configuration is correct, that is exactly where I would start.

Cheers!
Never stop exploring :)

https://iverion.de

jinx_20
wannabe
Posts: 210
Joined: 15 Sep 2009, 09:51

Re: IPsec between ISR4331 and ASA5545-X

#3 Post by jinx_20 »

drake wrote: Hi,
have you checked the IOS/XE on that ISR for bugs related to ISAKMP/IPsec?
If you know your configuration is correct, that is exactly where I would start.

Cheers!

As for looking for bugs, I dug around a bit but could not match anything so far. I have just managed to narrow the problem down: it looks like the problem disappears when I disable IPsec HA.

Has anyone been through this already?
Regards,
jinx

jinx_20
wannabe
Posts: 210
Joined: 15 Sep 2009, 09:51

Re: IPsec between ISR4331 and ASA5545-X

#4 Post by jinx_20 »

The problem is not only on the ISR4331<>ASA5545-X link, but ISR4331<>the rest of the world.

We are trying to sort it out with the Partner/Cisco. I will let you know how it ends.
Regards,
jinx

jinx_20
wannabe
Posts: 210
Joined: 15 Sep 2009, 09:51

Re: IPsec between ISR4331 and ASA5545-X

#5 Post by jinx_20 »

After 3 months, Cisco's position is "Unsupported configuration" :)

To sum up, and to save others lengthy labbing and root-cause hunting: on IOS XE, with IPsec HA, a configuration in which all traffic is NATed to the HSRP address (VIP) is not supported. The same configuration on an ISR2 works without problems.

Regards,
Gabriel
Regards,
jinx
