06-01-2012 09:51 AM
Before I talk to India I thought I'd throw this out here.
I have a site with Master/Master backup and 5 local controllers running 3.4.4FIPS.
Recently had to replace a local sup card; the new one was configured with basic IP settings to enable me to access it. I have full HTTPS/SSL connectivity, was able to upgrade to current code and transfer licenses, but cannot get the Master to connect to the local. I have deleted the Local Controller IPSec config and re-added it on the Master to no avail. I can ping the local from any other local (or other devices), but not from either of the masters. The other locals are in other buildings and subnets; this is a layer 2 network. From the new local I can ping whatever I want: masters, locals, gateways...
06-01-2012 10:41 AM
Ping from the masters is probably not working because IPSEC is trying to get established. If you were to remove the master-local configuration from both controllers, the ping should recover.
You can enable "logging level debugging security" on the master and local controller, and check "show log security 50" to understand why the IPSEC is not getting established.
A few more commands to check to determine whether phase1 or phase2 is failing are:
show crypto isakmp sa
show crypto ipsec sa
06-01-2012 01:22 PM
I ran into something very similar, and what I found was that my pre-shared key was wrong on the local. You've probably already checked that, but if you want to take a closer look, do an "encrypt disable" on the local and check that key.
06-08-2012 10:55 AM
It is a good idea to check whether the IPsec link to the master is established using the interface IP or the loopback IP of the local.
On the Master check "show running-config | include localip" and on the local check the switch IP.
I have seen issues when the two are not the same.
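To make the comparison above mechanical across several locals, here is an added example (not code from the thread or from Aruba) that parses constructed "show running-config | include localip" output from the master and checks it against an inventory of local controllers. It assumes the `localip <ip> ipsec <key>` line syntax quoted later in this thread, masks the key, and also flags the wrong-role case described in the later replies; the IPs, names and roles are constructed sample data.

```python
import re
from ipaddress import ip_address

# Constructed sample output of `show running-config | include localip` on the master.
# Line syntax assumed from the thread: localip <ip> ipsec <key>; keys masked here.
MASTER_LOCALIP_OUTPUT = """\
localip 10.1.20.5 ipsec ********
localip 10.1.30.5 ipsec ********
localip 10.1.40.6 ipsec ********
"""

# Constructed inventory of local controllers: the IP each local presents to the
# master (loopback if configured, otherwise the switch/interface IP) and its role.
LOCALS = [
    {"name": "local-bldgB", "switch_ip": "10.1.20.5", "role": "local"},
    {"name": "local-bldgC", "switch_ip": "10.1.30.5", "role": "local"},
    {"name": "local-bldgD", "switch_ip": "10.1.40.5", "role": "local"},   # typo vs master entry
    {"name": "local-new",   "switch_ip": "10.1.50.5", "role": "master"},  # wrong role, no entry
]

# Matches one localip line; the key group is captured only so it can be ignored.
LOCALIP_RE = re.compile(r"^\s*localip\s+(\S+)\s+ipsec\s+(\S+)", re.M)


def parse_localip(output):
    """Return the set of peer IPs for which the master has a localip entry."""
    ips = set()
    for ip, _key in LOCALIP_RE.findall(output):
        ips.add(str(ip_address(ip)))  # validates the address and normalises its form
    return ips


def check_locals(master_output, locals_):
    """Return (name, finding) tuples; an empty list means every local lines up."""
    master_ips = parse_localip(master_output)
    findings = []
    seen = set()
    for loc in locals_:
        ip = str(ip_address(loc["switch_ip"]))
        seen.add(ip)
        if loc["role"] != "local":
            findings.append((loc["name"], f"role is '{loc['role']}', expected 'local'"))
        if ip not in master_ips:
            findings.append((loc["name"], f"no localip entry on master for {ip}"))
    # Entries on the master that no known local will ever present.
    for ip in sorted(master_ips - seen):
        findings.append(("master", f"localip {ip} matches no known local"))
    return findings


if __name__ == "__main__":
    for name, finding in check_locals(MASTER_LOCALIP_OUTPUT, LOCALS):
        print(f"{name}: {finding}")
```

Run against real output, the script reports only mismatches, so a clean run is the expected result; each finding points at either a master-side localip entry or a local-side IP/role to correct.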
06-18-2012 08:08 AM
What happened was the sup card was sent out to the site (we don't have the capability of preconfiguring an RMAed card, go figure) and the local contact mistakenly set this sup card as a master. Once we realized this and set it to local, everything else fell into place.
Tried deleting all IPSec settings and still couldn't ping the "local" from the master till after we changed the role to local.
Thanks for the suggestions.
01-24-2013 10:15 AM
I just worked through a similar issue and it turned out I had the wrong switch role on my local controller. On top of that I had a typo in the loopback IP address on my local so it didn't match the "localip x.x.x.x ipsec xxx" config from the master. I found the advice on this thread to be very helpful in troubleshooting my issues.
04-07-2015 09:16 AM
I resolved the issue with the information in this thread. Thanks everyone. Below are my findings to share:
For my case: there is a firewall in between the local and Master devices. Nothing is blocked; debugging on the controllers shows IPSec phase 1 messages were going back and forth but no ISAKMP SA was established.
Using "Encrypt disable" confirmed key matches.
By clearing the session on the firewall in between, the local and master automatically completed the IPSec negotiation successfully.
In conclusion: for my case the issue appeared to have the same symptoms, but the root cause had nothing to do with the Local or Master configurations, but with traffic in between. Thus, it's worthwhile to check all devices in between if possible.