
LAB 6 Section 3.1 GETVPN


10 replies to this topic

#1 rihom

 
 

Posted 26 August 2015 - 08:26 AM

I am getting the following error in the GETVPN task. My configuration looks fine, but I am not sure what is wrong. Please look at the debugs.

R4
--------------

crypto isakmp policy 1
encr aes 256
authentication pre-share
group 2
lifetime 600
crypto isakmp key ccie address 172.16.110.1
crypto isakmp key ccie address 172.16.110.3
crypto isakmp key ccie address 172.16.120.1
crypto isakmp key ccie address 172.16.120.3
crypto ipsec transform-set Cisco1 esp-aes 256 esp-sha-hmac
crypto ipsec profile GDOI-PROFILE
set security-association lifetime seconds 600
set transform-set Cisco1
crypto gdoi group GET-GROUP1
identity number 1
server local
  rekey algorithm aes 256
  rekey lifetime seconds 600
  rekey retransmit 10 number 2
  rekey authentication mypubkey rsa R4.ccie.com
  rekey transport unicast
  sa ipsec 1
   profile GDOI-PROFILE
   match address ipv4 Site-1
   replay counter window-size 64
  address ipv4 150.1.7.4
crypto gdoi group GET-GROUP2
identity number 2
server local
  rekey algorithm aes 256
  rekey lifetime seconds 600
  rekey retransmit 10 number 2
  rekey authentication mypubkey rsa R4.ccie.com
  rekey transport unicast
  sa ipsec 1
   profile GDOI-PROFILE
   match address ipv4 Site-2
   replay counter window-size 64
  address ipv4 150.1.7.4
!
ip access-list extended Site-1
permit ip 109.10.0.0 0.0.255.255 109.10.0.0 0.0.255.255
ip access-list extended Site-2
permit ip 109.10.0.0 0.0.255.255 109.10.0.0 0.0.255.255
!

CSL-R4#debug crypto gdoi ks all-features det
CSL-R4#debug crypto gdoi ks all-features detail
GDOI All KS Features Debug level: (Detail)

CSL-R4#clear cry
CSL-R4#clear crypto gdoi
CSL-R4#clear crypto gdoi
% The Key Server and Group Member will destroy created and downloaded policies.
% All Group Members are required to re-register.

Are you sure you want to proceed ? [yes/no]: yes
CSL-R4#

*Aug  9 04:30:49.578: GDOI:INFRA:ERR:(GET-GROUP1:0):rekey SA not found for group GET-GROUP1
*Aug  9 04:30:49.578: GDOI:KS REPLAY:TER:(GET-GROUP1:0):gdoi_ks_start_stop_sync_timer: Not running TBAR
*Aug  9 04:30:49.578: GDOI:KS REPLAY:EVT:(GET-GROUP1:0):Update ks pseudotime, new time is 0.00 (secs)

*Aug  9 04:30:49.578: GDOI:INFRA:DET:(GET-GROUP1:0):del ks node data:  Success group hdl 2147483650 server hdl 2147483650

*Aug  9 04:30:49.578: GDOI:INFRA:DET:(GET-GROUP1:0):del data in all ks nodes:  Success group GET-GROUP1

*Aug  9 04:30:49.578: GDOI:KS COOP:DET:(GET-GROUP1:0):clear coop ks: redun not configured or incomplete for group GET-GROUP1

*Aug  9 04:30:49.578: GDOI:KS COOP:DET:(GET-GROUP1:0):clear coop ks: Success for group GET-GROUP1

*Aug  9 04:30:49.578: GDOI:INFRA:ERR:(GET-GROUP2:0):rekey SA not found for group GET-GROUP2
*Aug  9 04:30:49.578: GDOI:KS REPLAY:TER:(GET-GROUP2:0):gdoi_ks_start_stop_sync_timer: Not running TBAR
*Aug  9 04:30:49.578: GDOI:KS REPLA
CSL-R4#Y:EVT:(GET-GROUP2:0):Update ks pseudotime, new time is 0.00 (secs)

*Aug  9 04:30:49.578: GDOI:INFRA:DET:(GET-GROUP2:0):del ks node data:  Success group hdl 2147483651 server hdl 2147483651

*Aug  9 04:30:49.578: GDOI:INFRA:DET:(GET-GROUP2:0):del data in all ks nodes:  Success group GET-GROUP2

*Aug  9 04:30:49.582: GDOI:KS COOP:DET:(GET-GROUP2:0):clear coop ks: redun not configured or incomplete for group GET-GROUP2

*Aug  9 04:30:49.582: GDOI:KS COOP:DET:(GET-GROUP2:0):clear coop ks: Success for group GET-GROUP2




R3/R1
--------

CSL-R1#show run | sec crypto

crypto keyring Site-1 vrf Site-1
  pre-shared-key address 150.1.7.4 key ccie
crypto keyring Site-2 vrf Site-2
  pre-shared-key address 150.1.7.4 key ccie
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 2
lifetime 600
crypto isakmp key ccie address 150.1.7.4
crypto isakmp profile Site-1
   vrf Site-1
   keyring Site-1
   match identity address 150.1.7.4 255.255.255.255 Site-1
crypto isakmp profile Site-2
   vrf Site-2
   keyring Site-2
   match identity address 150.1.7.4 255.255.255.255 Site-2
crypto gdoi group GET-GROUP1
identity number 1
server address ipv4 150.1.7.4
crypto gdoi group GET-GROUP2
identity number 2
server address ipv4 150.1.7.4
crypto map Site-1 isakmp-profile Site-1
crypto map Site-1 10 gdoi
set group GET-GROUP1
crypto map Site-2 isakmp-profile Site-2
crypto map Site-2 10 gdoi
set group GET-GROUP2
crypto map Site-1
crypto map Site-2
!
interface GigabitEthernet0/1.1
encapsulation dot1Q 110
ip vrf forwarding Site-1
ip address 172.16.110.1 255.255.255.248
crypto map Site-1
interface GigabitEthernet0/1.2
encapsulation dot1Q 120
ip vrf forwarding Site-2
ip address 172.16.120.1 255.255.255.248
crypto map Site-2
!
CSL-R1#clear crypto gdoi
% The Key Server and Group Member will destroy created and downloaded policies.
% All Group Members are required to re-register.

Are you sure you want to proceed ? [yes/no]: yes
CSL-R1#
*Aug  9 04:52:55.669: GDOI:GM REGISTRATION:ERR:(GET-GROUP1:0):rekey SA not found for group GET-GROUP1
*Aug  9 04:52:55.669: GDOI:GM REGISTRATION:ERR:(GET-GROUP1:0):rekey SA not found for group GET-GROUP1
*Aug  9 04:52:55.669: GDOI:GM REGISTRATION:ERR:(GET-GROUP1:0):rekey SA not found for group GET-GROUP1
*Aug  9 04:52:55.669: GDOI:GM REGISTRATION:ERR:(GET-GROUP1:0):rekey SA not found for group GET-GROUP1
*Aug  9 04:52:55.669: %GDOI-4-GM_RE_REGISTER: The IPSec SA created for group GET-GROUP1 may have expired/been cleared, or didn't go through. Re-register to KS.
*Aug  9 04:52:55.669: %CRYPTO-5-GM_REGSTER: Start registration to KS 150.1.7.4 for group GET-GROUP1 using address 172.16.110.1
*Aug  9 04:52:55.669: GDOI:GM REGISTRATION:ERR:(GET-GROUP2:0):rekey SA not found for group GET-GROUP2
*Aug  9 04:52:55.669: GDOI:GM REGISTRATION:ERR:(GET-GROUP2:0):rekey SA not found for group GET-GROUP2
*Aug  9 04:52:55.669: GDOI:GM REGISTRATION:ERR:(GET-GROUP2:0):rekey SA not found for group
CSL-R1# GET-GROUP2
*Aug  9 04:52:55.669: GDOI:GM REGISTRATION:ERR:(GET-GROUP2:0):rekey SA not found for group GET-GROUP2
*Aug  9 04:52:55.669: %GDOI-4-GM_RE_REGISTER: The IPSec SA created for group GET-GROUP2 may have expired/been cleared, or didn't go through. Re-register to KS.
*Aug  9 04:52:55.669: %CRYPTO-5-GM_REGSTER: Start registration to KS 150.1.7.4 for group GET-GROUP2 using address 172.16.120.1


ASA1
!
access-list dmz extended permit udp host 172.16.110.1 host 150.1.7.4 eq 848
access-list dmz extended permit udp host 172.16.120.1 host 150.1.7.4 eq 848
access-list dmz extended permit udp host 172.16.110.3 host 150.1.7.4 eq 848
access-list dmz extended permit udp host 172.16.120.3 host 150.1.7.4 eq 848
access-list dmz extended permit udp host 172.16.110.1 host 150.1.7.4 eq isakmp
access-list dmz extended permit udp host 172.16.120.1 host 150.1.7.4 eq isakmp
access-list dmz extended permit udp host 172.16.110.3 host 150.1.7.4 eq isakmp
access-list dmz extended permit udp host 172.16.120.3 host 150.1.7.4 eq isakmp
!
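
An added example, not part of the original post: a Python cross-check of the three configurations posted above for mismatches that would block GDOI registration (group identity number, KS address, and a UDP 848 permit on ASA1 for every GM that has an ISAKMP key on the KS). The function names are hypothetical, and the check assumes ACL dmz is applied on the path between the GMs and the KS.

```python
import re

# Excerpts of the configs posted above: KS (R4), GM (R1), firewall (ASA1).
KS_CFG = """crypto isakmp key ccie address 172.16.110.1
crypto isakmp key ccie address 172.16.110.3
crypto isakmp key ccie address 172.16.120.1
crypto isakmp key ccie address 172.16.120.3
crypto gdoi group GET-GROUP1
 identity number 1
  address ipv4 150.1.7.4
crypto gdoi group GET-GROUP2
 identity number 2
  address ipv4 150.1.7.4"""
GM_CFG = """crypto gdoi group GET-GROUP1
 identity number 1
 server address ipv4 150.1.7.4
crypto gdoi group GET-GROUP2
 identity number 2
 server address ipv4 150.1.7.4"""
ASA_ACL = "\n".join(
    f"access-list dmz extended permit udp host {gm} host 150.1.7.4 eq 848"
    for gm in ("172.16.110.1", "172.16.120.1", "172.16.110.3", "172.16.120.3"))

def gdoi_groups(cfg):
    # Return {group name: {"id": identity number, "addr": KS address}}.
    groups, cur = {}, {}
    for line in map(str.strip, cfg.splitlines()):
        if m := re.match(r"crypto gdoi group (\S+)", line):
            cur = groups.setdefault(m.group(1), {})
        elif m := re.match(r"identity number (\d+)", line):
            cur["id"] = int(m.group(1))
        elif m := re.match(r"(?:server )?address ipv4 (\S+)", line):
            cur["addr"] = m.group(1)
    return groups

def audit(ks_cfg, gm_cfg, asa_acl):
    # List KS/GM group mismatches and GMs with no UDP 848 permit to the KS.
    ks, gm = gdoi_groups(ks_cfg), gdoi_groups(gm_cfg)
    findings = [f"{n}: GM has {g}, KS has {ks.get(n)}"
                for n, g in gm.items() if ks.get(n) != g]
    peers = re.findall(r"crypto isakmp key \S+ address (\S+)", ks_cfg)
    allowed = set(re.findall(r"permit udp host (\S+) host (\S+) eq 848\b", asa_acl))
    ks_addrs = sorted({g["addr"] for g in ks.values() if "addr" in g})
    findings += [f"{p}: no ACL permit for UDP 848 to {a}"
                 for p in peers for a in ks_addrs if (p, a) not in allowed]
    return findings

if __name__ == "__main__":
    print(audit(KS_CFG, GM_CFG, ASA_ACL) or "no mismatches found")
```

An empty result for the posted configurations means these particular items are consistent; it says nothing about routing or VRF reachability between the GMs and the KS.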



#2 redaa

 
 

Posted 26 August 2015 - 08:27 AM

Seems you forgot to define the ISAKMP key on R1/R3.

Edit:

It's there. Check whether the ACLs are being hit, check whether the respective VLANs are on the switch, and if everything looks fine and it is still not working, reapply the config or reboot the routers.



#3 immy

 
 

Posted 26 August 2015 - 08:28 AM

Did you create the rekey rsa certificate R4.ccie.com using crypto key generate rsa?



#4 simonb

 
 

Posted 26 August 2015 - 08:29 AM

Did you get the answer ... why "Re-key SA not found" is coming?



#5 kratos

 
 

Posted 26 August 2015 - 05:26 PM

Routes are your problem; lab 3 seems to have a messed-up route for the VRF.



#6 [email protected]

 
 

Posted 08 November 2016 - 06:54 AM

Just a small thing:

On the member R1, create two global routes:

ip route 172.16.110.0 255.255.255.248 G0/1.1

ip route 172.16.120.0 255.255.255.248 G0/1.2

It must be with /29.

That is all.

arian747



#7 dingleberrydoo2

 
 

Posted 09 November 2016 - 09:51 PM

Check show crypto key mypubkey: the name must match.



#8 dingleberrydoo2

 
 

Posted 11 November 2016 - 03:36 PM

Also, the ASA1 config is not wrong but is not needed; GETVPN doesn't use port 500, only 848 for ISAKMP.



#9 rk.nadendla

 
 

Posted 19 November 2016 - 05:26 AM

Have you configured the client registration interface under the GM GET groups?



#10 tomi_p30

 
 

Posted 18 January 2017 - 11:44 PM

Hi, Rihom

Did you find a solution?

I have the same problem. I can see that there is a problem with traffic passing from global to the VRF.

If we configure global routes pointing to the interface in the VRF, it doesn't help.

Any idea where the problem is? What is missing?


