This just simulates some HTTP traffic from 10.0.0.1 to 172.16.0.1, two hosts that should be able to communicate over the tunnel.
This doesn't work, and no SAs are formed. So phase 1 looks like a good place to focus.
Check IKE Proposals
The first step in troubleshooting phase 1 (IKEv2 in my case) is to confirm that both sides have matching proposals. An IKEv2 proposal lists the acceptable encryption algorithms, integrity hashes, PRFs and Diffie-Hellman groups, and the two peers need at least one combination in common before an IKE SA can be built.
This is easy if you control both ends of the ASA VPN tunnel: just compare what is configured on each. In my case it's a little harder, as a third party manages the remote end of the tunnel.
Instead, I can find this with a debug command:
debug crypto ikev2 protocol 64
This shows the IKEv2 exchange and any errors in it (substitute ikev1 if you are running IKEv1).
The '64' is the debug level, which runs from 1 to 255. The higher the number, the more detail you get. Don't go too high too quickly, or there will be too much output to search through. On a busy ASA it is also worth limiting the output to the one peer you care about with debug crypto condition peer <remote-ip>, and turning everything off with undebug all when you are done.
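The "matching proposals" check above can be made mechanical once you have both sides' policies written down. The following is an added example, not code from the original post and not anything the ASA runs: it takes two hand-constructed policy sets (our side, numbered like ASA ikev2 policies where a lower number is a higher priority, and what the third party says they configured), tries every pair, and reports either the transforms that would be negotiated or, per pair, which transform types have no algorithm in common. The algorithm names are labels only; the one IKEv2 rule it encodes is that a combined-mode (AEAD) cipher such as AES-GCM carries no separate integrity transform.

```python
"""Find a usable IKEv2 proposal between two policy sets, or say why none exists.

Added example; the policy data is constructed by hand and the algorithm
names are labels, not parsed from any ASA output.
"""
from itertools import product

# Combined-mode ciphers provide integrity themselves, so a proposal that
# uses one carries no INTEG transform (RFC 7296, section 3.3.3).
AEAD_CIPHERS = {"aes-gcm-128", "aes-gcm-256"}
TRANSFORM_TYPES = ("ENCR", "PRF", "INTEG", "DH")


def negotiate(initiator, responder):
    """Match one initiator policy against one responder policy.

    Returns (chosen, None) with one transform per type, or (None, missing)
    where missing lists the transform types with no common algorithm.
    Picking the first common algorithm in the initiator's order is a
    simplification; a real responder applies its own preference.
    """
    chosen, missing = {}, []
    for ttype in TRANSFORM_TYPES:
        # No INTEG transform when the initiator offers an AEAD-only policy
        # or the cipher already agreed on is an AEAD cipher.
        if ttype == "INTEG" and ("INTEG" not in initiator or chosen.get("ENCR") in AEAD_CIPHERS):
            continue
        common = [alg for alg in initiator.get(ttype, []) if alg in responder.get(ttype, [])]
        if common:
            chosen[ttype] = common[0]
        else:
            missing.append(ttype)
    return (chosen, None) if not missing else (None, missing)


def find_proposal(local_policies, remote_policies):
    """Try every (local, remote) policy pair in priority order.

    Returns ((local_prio, remote_prio, transforms), failures) for the first
    match, or (None, failures); failures holds (local_prio, remote_prio,
    missing_types) for every pair tried without success.
    """
    failures = []
    for (lp, local), (rp, remote) in product(sorted(local_policies.items()), sorted(remote_policies.items())):
        chosen, missing = negotiate(local, remote)
        if chosen:
            return (lp, rp, chosen), failures
        failures.append((lp, rp, missing))
    return None, failures


# Constructed sample policies (assumption: this is what each side runs).
LOCAL = {
    10: {"ENCR": ["aes-256"], "PRF": ["sha256"], "INTEG": ["sha256"], "DH": ["14"]},
    20: {"ENCR": ["aes-gcm-256"], "PRF": ["sha256"], "DH": ["19"]},
}
# Third party only offers DH group 5: nothing matches.
REMOTE_MISMATCH = {
    1: {"ENCR": ["aes-256"], "PRF": ["sha256"], "INTEG": ["sha256"], "DH": ["5"]},
}
# Third party adds an AES-GCM policy: our policy 20 matches their policy 2.
REMOTE_OK = {
    1: {"ENCR": ["aes-256"], "PRF": ["sha256"], "INTEG": ["sha256"], "DH": ["5"]},
    2: {"ENCR": ["aes-gcm-256"], "PRF": ["sha256", "sha1"], "DH": ["19", "14"]},
}


def report(local_policies, remote_policies):
    """Human-readable summary of find_proposal for the CLI run below."""
    match, failures = find_proposal(local_policies, remote_policies)
    lines = [f"local {lp} vs remote {rp}: no common {', '.join(missing)}" for lp, rp, missing in failures]
    if match:
        lp, rp, chosen = match
        lines.append(f"match: local {lp} with remote {rp} -> {chosen}")
    else:
        lines.append("no matching proposal; phase 1 will never complete")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(LOCAL, REMOTE_MISMATCH))
    print("---")
    print(report(LOCAL, REMOTE_OK))
```

Run it as-is and the first block tells you that our policy 10 fails only on the DH group, which is the one line you would ask the third party to change; the second block shows the GCM pair matching with no INTEG transform involved, which is worth knowing before you go looking for an integrity mismatch in the debug output.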
So you want to peer with a service provider. Never done it before? Overwhelmed? Don’t know where to start? If this sounds familiar, then this article is for you! We’re going to have a look at the process of peering with an ISP. We’re not going to look too deeply into the technical details. Rather, we’ll focus more on the process.
Recently Cisco released NXOS 7.0(3)I7(1) for the Nexus 9000 series switches. This brings two new features, called vPC Fast Convergence and LACP Convergence. These are also available on the 7000 series switches.
There wasn’t a lot of information readily available, so I’m going to share what I’ve learned here. I’d like to take a moment to thank Amith Ronad from Cisco for helping me to understand these features.
"Always two there are; no more, no less. A vPC primary and a vPC secondary." (Yoda, paraphrased)
Like Yoda says, there has always been a primary and a secondary in a vPC relationship, but the roles have always been non-preemptive: the secondary only takes over as operational primary when the primary fails, and when the original primary comes back it does not take the role back.
If you’ve never worked in a third-party data centre before, the first time can be a bit of a shock. There are a lot of rules and procedures to follow, and each data centre is a bit different from the last one.
A few weeks ago I was working on a customer's network when I found an OSPF problem: for some reason, an ASA wouldn't peer with a Nexus switch. To make it a bit weirder, the problem only occurred in the default VRF, and only with OSPFv3. On the Nexus side I could see the ASA as a neighbour, but it was stuck in INIT; on the ASA side I couldn't see the neighbour at all.