1 00:00:00,510 --> 00:00:03,330 Hello and welcome to this lecture. In this lecture 2 00:00:03,330 --> 00:00:10,890 we start troubleshooting scenarios, and specifically in this one we'll talk about the preshared key mismatch. 3 00:00:10,890 --> 00:00:16,890 Now, first of all, you should know that the debugs are not self-explanatory for most of the vendors, 4 00:00:17,400 --> 00:00:24,120 so it's not like you will find in the log or in the diagnose, as you will see here in the FortiGate firewall, 5 00:00:24,450 --> 00:00:24,710 that, 6 00:00:24,720 --> 00:00:29,040 I don't know, "preshared key mismatch" or, I don't know, 7 00:00:29,310 --> 00:00:35,500 let's say, "encryption is not the same on both equipments", so to say. 8 00:00:35,640 --> 00:00:43,290 So it is absolutely critical that you know exactly how the debug looks when the configuration is functional, 9 00:00:43,650 --> 00:00:51,450 so that in case the debug is not self-explanatory you can just find quickly that something is missing 10 00:00:51,450 --> 00:00:55,070 or maybe something is not behaving like you know it should 11 00:00:55,070 --> 00:00:59,270 when the network is functioning correctly. 12 00:00:59,340 --> 00:01:07,530 So in this scenario, because we have two tunnels configured on the HQ FortiGate, we will misconfigure 13 00:01:07,530 --> 00:01:11,990 or break the configuration between the ASA and the HQ FortiGate. 14 00:01:12,090 --> 00:01:14,920 And this way we will see how the debug looks. 15 00:01:15,030 --> 00:01:22,140 But at the same time, because we have a VPN tunnel between the two FortiGate firewalls, we will 16 00:01:22,140 --> 00:01:28,790 also see how the debug should look when things do work correctly. 17 00:01:28,800 --> 00:01:30,340 So what we'll do now: 18 00:01:30,360 --> 00:01:33,670 let's go on VPCS 1. 19 00:01:33,690 --> 00:01:37,590 So at this moment the tunnel is working.
20 00:01:37,670 --> 00:01:44,990 I am now pinging from the HQ, from the test PC on the HQ side. 21 00:01:45,130 --> 00:01:54,190 I am pinging the ASA, and I will also start pinging, let's say, from branch 1, or from the FortiGate 22 00:01:54,340 --> 00:02:04,630 firewall branch, towards, let's say, the .100 address, with -c and a lot of packets, 23 00:02:06,310 --> 00:02:11,450 so that we see exactly how they behave and how the debugs... 24 00:02:11,490 --> 00:02:13,110 how the debugs look. 25 00:02:13,130 --> 00:02:21,720 So at this moment both of the tunnels are up, and we can see this by going in the user interface, 26 00:02:21,780 --> 00:02:23,230 the graphical user interface. 27 00:02:23,230 --> 00:02:30,100 I'll now log in, and I will look in the VPN, in the IPsec Tunnels; as you can 28 00:02:30,100 --> 00:02:36,580 see, the status for both of them is up. Now, because in this scenario we want to test the preshared key 29 00:02:36,580 --> 00:02:37,560 mismatch, 30 00:02:37,560 --> 00:02:46,860 I will now have to break the configuration for branch 2, and I will say Edit, and let's go to Authentication, 31 00:02:46,870 --> 00:02:53,620 Pre-shared Key, and instead of "fortinet" I will do something like this. 32 00:02:53,640 --> 00:03:02,100 So let's say that there is a typo there and you just typed fast and you didn't see it, anyway. 33 00:03:02,130 --> 00:03:10,680 So now we have to troubleshoot the error and say OK. Now, going to the Monitor and going to IPsec Monitor, 34 00:03:11,100 --> 00:03:18,190 I'm seeing that the first tunnel, to the FortiGate in branch 1, is up, and for branch 2, for the Cisco ASA, 35 00:03:18,210 --> 00:03:21,720 we have a tunnel down, so let's check 36 00:03:21,720 --> 00:03:24,680 also VPCS 1. 37 00:03:24,680 --> 00:03:27,320 So now I am trying to ping the ASA. 38 00:03:27,320 --> 00:03:29,810 I see that the ping is not successful.
39 00:03:29,810 --> 00:03:33,530 And for the second one I see that the ping is successful. 40 00:03:33,620 --> 00:03:38,180 So let me just arrange that a little bit, like this, 41 00:03:42,590 --> 00:03:43,450 okay. 42 00:03:43,590 --> 00:03:55,090 And now let's go in the ASA, sorry, in the HQ, so in the HQ FortiGate, and I will start some debugging. 43 00:03:55,420 --> 00:04:03,360 So the debugging is, in this case, "diagnose". 44 00:04:03,910 --> 00:04:06,120 So let's say this one is not important. 45 00:04:06,130 --> 00:04:12,310 You can just filter the debugs so that you outline only the tunnel that you want. 46 00:04:12,310 --> 00:04:14,020 But I don't want any filter. 47 00:04:14,020 --> 00:04:16,720 I want to see everything that's happening there, 48 00:04:16,740 --> 00:04:22,170 everything in there in terms of the process. 49 00:04:22,240 --> 00:04:23,680 So what's the first command? 50 00:04:23,680 --> 00:04:32,660 I just start the debugging for the IKE application, I would just enable the diagnose debug, and I 51 00:04:32,660 --> 00:04:39,770 would restart the whole IKE process so that I can see the negotiation from the beginning to the end, or 52 00:04:39,770 --> 00:04:43,750 at least from the beginning till the moment it breaks. 53 00:04:43,760 --> 00:04:48,770 Now, after you start the debug, you will see that more and more messages will come. 54 00:04:48,770 --> 00:04:54,200 So you will not be able to read or to analyze the logs. 55 00:04:54,200 --> 00:05:00,530 So it is better to stop the debugging, and you can do this this way: 56 00:05:00,530 --> 00:05:10,630 "diagnose debug reset" and "diagnose debug disable". 57 00:05:11,220 --> 00:05:21,450 So now that we have the commands prepared, let's go on and put them here in the CLI of the FortiGate, the HQ 58 00:05:21,460 --> 00:05:21,940 FortiGate.
59 00:05:22,960 --> 00:05:34,340 So I'll leave some space here and I will now just run the commands. So, a lot of commands, a lot of commands. 60 00:05:34,360 --> 00:05:43,810 Now I will stop it so that I can copy all of the debug that resulted here and analyze it in a Notepad. 61 00:05:43,810 --> 00:05:49,330 It is a good idea because you can see it better. 62 00:05:49,480 --> 00:05:52,920 You can be sure that nothing will change and no logs will appear, 63 00:05:52,930 --> 00:05:57,500 although we have stopped it anyway. 64 00:05:57,550 --> 00:06:06,050 Let's analyze it here, and we will copy-paste in there just for reference. So let's start from the 65 00:06:06,050 --> 00:06:09,030 beginning, so from here. 66 00:06:09,030 --> 00:06:19,990 And let's see now. So you can see here that you have branch 1 and branch 2, so branch 1 refers to 67 00:06:20,230 --> 00:06:25,780 the tunnel that is working, going to the other FortiGate, and branch 2 is going to the Cisco 68 00:06:25,780 --> 00:06:26,210 ASA. 69 00:06:26,770 --> 00:06:32,810 So let's go now through the logs and see the differences between the two. Remember, I have changed the preshared 70 00:06:32,960 --> 00:06:37,690 key on the tunnel going to the Cisco ASA. 71 00:06:37,820 --> 00:06:41,900 So now we are looking here at the debug for branch 1. 72 00:06:41,960 --> 00:06:46,960 So this one is working; let's see what's the information presented. 73 00:06:47,090 --> 00:06:52,410 So: negotiation result, proposal ID number 1, protocol ID ISAKMP. 74 00:06:52,410 --> 00:06:53,750 So we have 75 00:06:53,760 --> 00:06:58,180 DES and MD5. Let's see what's next: 76 00:06:58,270 --> 00:07:09,060 preshared key, lifetime. Let's continue to look through the logs and let's search "branch 1", branch 1, branch 77 00:07:09,060 --> 00:07:09,660 1. 78 00:07:09,750 --> 00:07:10,470 Here it is. 79 00:07:10,980 --> 00:07:13,670 So this is something that you will not see for branch 2.
80 00:07:14,250 --> 00:07:15,560 So, peer identifier. 81 00:07:15,570 --> 00:07:17,710 This is the IP address configured. Again, 82 00:07:17,910 --> 00:07:18,810 let's take a look: 83 00:07:18,810 --> 00:07:19,980 nineteen ninety ninety, 84 00:07:19,980 --> 00:07:22,560 so configured on the branch FortiGate. 85 00:07:22,620 --> 00:07:26,150 Let's come back to the HQ FortiGate, and you see here: 86 00:07:26,160 --> 00:07:34,370 so peer identifier is this, "preshared key authentication succeeded" and "authentication OK". 87 00:07:34,470 --> 00:07:42,890 So after establishing the SA we see that there has been negotiation, 88 00:07:43,050 --> 00:07:44,260 and here is the result 89 00:07:44,430 --> 00:07:45,690 we have been presented. 90 00:07:45,710 --> 00:07:47,780 But we have been presented this here. 91 00:07:47,880 --> 00:07:51,240 So negotiation result, proposal ID is this. 92 00:07:51,510 --> 00:07:55,710 Then you see that the authentication has succeeded, 93 00:07:55,740 --> 00:07:57,050 so "authentication succeeded" 94 00:07:57,060 --> 00:08:04,370 and "authentication OK", "established SA", so security association, with this ID. 95 00:08:05,280 --> 00:08:13,970 Now we move on to branch 2. Let's see what's the message for branch 2, so, branch 2. 96 00:08:14,070 --> 00:08:18,120 So negotiation result, proposal is this, is again this. 97 00:08:18,130 --> 00:08:21,120 Nothing changed until this step. 98 00:08:21,130 --> 00:08:22,450 So let's see what happens now. 99 00:08:23,700 --> 00:08:28,050 So, coming from this IP, 100 00:08:28,050 --> 00:08:35,800 this is the ASA, on UDP port 500, coming to my IP, and the port is the same, 500. 101 00:08:35,840 --> 00:08:38,310 This is the classic negotiation. 102 00:08:39,120 --> 00:08:42,690 Let's see next what's happening. 103 00:08:42,750 --> 00:08:44,320 Let's go 104 00:08:44,580 --> 00:08:47,470 more, and this is it.
105 00:08:48,370 --> 00:08:55,790 So on the branch 2 tunnel negotiation, immediately after saying that OK, this is the proposal I'm using, it 106 00:08:55,790 --> 00:09:00,280 says "ignoring unencrypted payload, malformed message from" 107 00:09:00,460 --> 00:09:03,110 and this is the ASA IP. 108 00:09:03,110 --> 00:09:11,400 So basically this is the message that highlights the preshared key authentication mismatch. 109 00:09:11,510 --> 00:09:20,360 And if we continue to look, we will see that there has been some retransmission, again for branch 2. 110 00:09:20,420 --> 00:09:28,450 So it's trying again and again and again to renegotiate, and let's see that it's going to happen again. 111 00:09:28,490 --> 00:09:38,210 So, sending a message, retransmission between us and the ASA, again retransmission, resent last message, 112 00:09:39,710 --> 00:09:41,190 let's continue, 113 00:09:41,630 --> 00:09:44,870 retransmit, and that's it. 114 00:09:45,530 --> 00:09:53,870 So again, for any preshared key authentication mismatch between the FortiGate and the other peer, you would 115 00:09:53,870 --> 00:09:55,210 see a message. 116 00:09:55,370 --> 00:10:02,790 Again, I would look for it to highlight the message, and it is this: "ignoring unencrypted 117 00:10:02,790 --> 00:10:10,390 payload, malformed message from this", and I will now paste it here just so that we have it for our reference 118 00:10:10,390 --> 00:10:11,380 for PSK, preshared 119 00:10:11,410 --> 00:10:15,220 key mismatch. So, mismatch: 120 00:10:15,220 --> 00:10:17,650 this is what we have seen. 121 00:10:17,650 --> 00:10:19,770 So this is it. 122 00:10:21,200 --> 00:10:26,750 So again, now let's fix it, so let's have it working. 123 00:10:27,350 --> 00:10:42,090 Now again, admin, and ... and we will go to VPN and IPsec Tunnels, for branch 2, Edit, and for 124 00:10:42,150 --> 00:10:46,670 Authentication I will now type it correctly.
125 00:10:46,680 --> 00:10:55,620 So it's "fortinet", that I would say, this and this, and now we should see that the VPN should come up. 126 00:10:55,770 --> 00:10:57,820 So let's see if this happens or not. 127 00:11:00,910 --> 00:11:08,740 So, the .100, yes, this is it, and we should see the IPsec tunnel in the up state. 128 00:11:08,740 --> 00:11:10,030 And here it is. 129 00:11:10,120 --> 00:11:20,170 Now, if I go again on the HQ FortiGate, just to see it working here as well, I'll now start again 130 00:11:20,230 --> 00:11:28,480 the diagnose debug, and here it is, and now I will stop it. 131 00:11:33,200 --> 00:11:40,070 So let's look now for branch 2 and see the same, that authentication has succeeded. 132 00:11:40,070 --> 00:11:47,780 So again, because the debugs are not self-explanatory, we should get used to what the 133 00:11:47,780 --> 00:11:53,840 debug is, how the debug should look when things work, so that when they do not work correctly we 134 00:11:53,840 --> 00:11:58,970 can easily spot the difference and pinpoint the exact problem. 135 00:11:59,750 --> 00:12:02,450 So let's see for branch 2, 136 00:12:05,200 --> 00:12:06,130 branch 2. 137 00:12:06,160 --> 00:12:06,700 Here it is. 138 00:12:06,760 --> 00:12:09,940 So for branch 2 we have peer identifier, 139 00:12:09,940 --> 00:12:15,230 this is the IP of the ASA, "preshared key authentication succeeded" and "authentication 140 00:12:15,250 --> 00:12:16,430 OK". 141 00:12:16,510 --> 00:12:18,910 This is the log saying that OK, 142 00:12:18,940 --> 00:12:23,990 the ISAKMP Security Association has been established, and this is the, 143 00:12:24,310 --> 00:12:25,960 this is the ID. 144 00:12:26,200 --> 00:12:27,780 So this is all for this lecture. 145 00:12:27,790 --> 00:12:34,450 Thanks a lot, and see you in the upcoming lecture, where we study the next debug, and specifically we are 146 00:12:34,450 --> 00:12:36,200 going to break, this time,
147 00:12:36,370 --> 00:12:37,570 the Phase 1. 148 00:12:37,600 --> 00:12:44,980 So we will modify other parameters, AES or the SHA1, so encryption, authentication, and we'll see how the debug 149 00:12:44,980 --> 00:12:45,280 looks. 150 00:12:45,280 --> 00:12:46,590 Again, thanks a lot.