1 00:00:00,830 --> 00:00:03,500 Hello and welcome to this lecture. In this lecture 2 00:00:03,500 --> 00:00:11,510 we will go through the last troubleshooting scenario and we will deal with a basic phase 2 proposal 3 00:00:11,510 --> 00:00:12,740 mismatch. 4 00:00:12,740 --> 00:00:16,710 As you can see, both of the tunnels are running now, are up. 5 00:00:16,970 --> 00:00:24,640 So both ICMP sessions are working and we will now go in the FortiGate user interface. 6 00:00:26,850 --> 00:00:34,670 And obviously I'm connected on the HQ firewall and I will break again the configuration going to the 7 00:00:34,920 --> 00:00:44,740 safe and let's say edit and now we will go to the phase 2, click on the pencil which means edit and 8 00:00:44,740 --> 00:00:47,440 go to the advanced options. 9 00:00:47,500 --> 00:00:51,200 And now we change from SHA1 to MD5. 10 00:00:52,030 --> 00:00:53,120 So click OK. 11 00:00:54,690 --> 00:01:00,150 Now let's go to monitor and IPsec monitor and let's say bring down. 12 00:01:01,230 --> 00:01:03,480 Yes, I'm sure. 13 00:01:03,520 --> 00:01:05,140 So now it's down. 14 00:01:05,140 --> 00:01:06,760 Let's try to bring it up. 15 00:01:06,790 --> 00:01:07,560 It will not. 16 00:01:08,080 --> 00:01:13,500 It will not go up after, uh, after this modification, after this change. 17 00:01:13,540 --> 00:01:20,080 So if you now take a look again you will see that the communication between the LAN PC in the headquarter 18 00:01:20,140 --> 00:01:24,440 going to the branch ASA Cisco firewall is not working. 19 00:01:25,000 --> 00:01:33,330 So again, obviously you have seen up to this point the debugging diagnose messages are not so self-explanatory. 20 00:01:33,700 --> 00:01:39,200 So now we'll talk about IPsec, so IPsec. 21 00:01:39,220 --> 00:01:46,970 This is phase 2 and proposal mismatch. 22 00:01:47,140 --> 00:01:54,530 So let's see exactly how the debug looks like, maybe it's self-explanatory, maybe it's not, you tell me.
23 00:01:54,670 --> 00:02:07,880 So now let's go and take the HQ FortiGate and let's say admin and let's prepare the debugs. 24 00:02:08,340 --> 00:02:16,290 So let's take this, copy and let's run it 25 00:02:22,310 --> 00:02:22,820 a lot. 26 00:02:22,820 --> 00:02:26,800 A lot of debugs, I know, I know, it's true. 27 00:02:27,140 --> 00:02:28,850 And now I will just stop it. 28 00:02:29,280 --> 00:02:31,880 It's absolutely very very noisy as you can see. 29 00:02:33,590 --> 00:02:38,320 And take it and stop. 30 00:02:38,410 --> 00:02:39,040 Perfect. 31 00:02:39,040 --> 00:02:42,460 So now let's navigate in the beginning. 32 00:02:43,240 --> 00:02:44,850 Let's take the configuration. 33 00:02:44,860 --> 00:02:52,940 Let's take the debugs and analyze it, a lot, a lot of debugs. 34 00:02:53,080 --> 00:02:58,680 I agree, so still not there 35 00:03:05,900 --> 00:03:06,380 or 36 00:03:23,950 --> 00:03:25,030 well that's massive 37 00:03:32,470 --> 00:03:39,120 and here it is, so let's start and take everything that's here. 38 00:03:42,280 --> 00:03:44,500 Actually not, we will not take it. 39 00:03:44,950 --> 00:03:48,480 We didn't take the previous debugger. 40 00:03:48,500 --> 00:03:52,110 We will analyze it here and just put the conclusion. 41 00:03:52,120 --> 00:03:55,430 So what's the end result of our analysis in. 42 00:03:56,440 --> 00:03:57,190 In. 43 00:03:57,880 --> 00:03:58,780 In the text. 44 00:03:58,810 --> 00:04:02,890 Uh, in the notepad, in text editor that you're using, you can do the same. 45 00:04:03,850 --> 00:04:05,920 So where did it start. 46 00:04:05,950 --> 00:04:06,750 Here. 47 00:04:06,820 --> 00:04:07,180 Good. 48 00:04:09,020 --> 00:04:09,610 So let's see. 49 00:04:09,610 --> 00:04:14,760 Branch 1 and branch 2, branch 1 it's up, it's running, branch 2 is not. 50 00:04:14,860 --> 00:04:18,310 So we're starting with branch 2, I can see. 51 00:04:18,310 --> 00:04:21,480 So negotiation result, proposal ID, it's 1. 52 00:04:22,540 --> 00:04:24,320 Let's go and see.
53 00:04:24,400 --> 00:04:30,520 We should see the authentication working, so pre-shared key authentication succeeded because we have 54 00:04:30,640 --> 00:04:30,950 it. 55 00:04:30,980 --> 00:04:32,200 Uh, yes. 56 00:04:32,230 --> 00:04:33,490 We haven't done anything there. 57 00:04:33,940 --> 00:04:34,560 So pre-shared 58 00:04:34,560 --> 00:04:36,660 key authentication succeeded and authentication. 59 00:04:36,820 --> 00:04:37,660 Okay. 60 00:04:37,760 --> 00:04:42,640 Established IKE SA, Phase 1 it's up, operational up. 61 00:04:42,650 --> 00:04:46,960 Now let's go on branch 2. 62 00:04:47,170 --> 00:04:56,080 So IPsec SA connect between this IP, our IP and the ASA IP, configuration found, IPsec SA connect, 63 00:04:56,860 --> 00:05:02,080 good, negotiating, and let's see what the result of the negotiation for branch 2. 64 00:05:03,190 --> 00:05:12,970 So sending the IKE message quick_i1send, I1 exchange information and this is the ID. 65 00:05:13,460 --> 00:05:17,510 And here it is, now this is something in what I called self-explanatory. 66 00:05:17,920 --> 00:05:20,000 So for branch 2 notify 67 00:05:20,000 --> 00:05:22,680 message received no proposal chosen. 68 00:05:22,940 --> 00:05:27,770 Well that's a different story and no matching IPsec SPI. 69 00:05:28,160 --> 00:05:34,050 So we will take this and document it here 70 00:05:37,640 --> 00:05:38,830 so. 71 00:05:39,190 --> 00:05:39,740 Okay. 72 00:05:40,040 --> 00:05:43,920 So now as you can see, as I told you in the previous lecture. 73 00:05:44,030 --> 00:05:48,870 So when we have an IPsec Phase 2 proposal mismatch this is a different story. 74 00:05:48,890 --> 00:05:50,640 It is indeed self-explanatory. 75 00:05:50,650 --> 00:05:51,650 Suddenly fire notify 76 00:05:51,650 --> 00:05:59,980 message received no proposal chosen, something, something indeed different than for the SA proposals 77 00:05:59,990 --> 00:06:02,330 that do not match for phase one.
78 00:06:02,390 --> 00:06:11,200 So let's say here also phase, phase 1, this is a different story. 79 00:06:11,230 --> 00:06:17,500 So ignoring unsupported informational message while and the same for the pre-shared key mismatch, ignoring 80 00:06:17,530 --> 00:06:22,980 unencrypted payload, malformed message from, so the end of the tunnel, the other end. 81 00:06:22,990 --> 00:06:25,020 So anyway let's continue to look. 82 00:06:25,030 --> 00:06:26,400 But this is the message. 83 00:06:26,420 --> 00:06:28,050 So no proposal chosen. 84 00:06:28,330 --> 00:06:35,440 So we don't have, we don't have anything to match with what, what I'm receiving. 85 00:06:35,560 --> 00:06:40,570 And basically the, the other end of the tunnel, it's complaining the same. 86 00:06:40,600 --> 00:06:41,040 Okay. 87 00:06:41,050 --> 00:06:43,980 So I cannot establish a tunnel with you. 88 00:06:44,110 --> 00:06:50,260 We cannot send encrypted traffic, we cannot encrypt the traffic and protect it because we are not using 89 00:06:50,260 --> 00:06:52,830 the same phase two parameters. 90 00:06:52,900 --> 00:07:05,230 So because, because the IPsec proposal was not matched, no match, no matching IPsec SPI, now deleting 91 00:07:05,380 --> 00:07:07,230 everything that's being configured. 92 00:07:07,780 --> 00:07:11,490 And I believe this process repeats on and on and on. 93 00:07:11,500 --> 00:07:12,540 So let's take a look. 94 00:07:12,550 --> 00:07:23,420 Branch 2 again, branch 2 negotiation result for Phase 1, let's continue, continue, continue, we can see that 95 00:07:23,420 --> 00:07:24,220 the vendor ID. 96 00:07:24,320 --> 00:07:24,900 Cisco. 97 00:07:24,910 --> 00:07:33,230 So we are trying to establish a site to site IP VPN with a Cisco equipment, Cisco gear, and let us continue 98 00:07:33,230 --> 00:07:37,760 to look, IKE ISAKMP SA, this 99 00:07:40,730 --> 00:07:41,850 and again. 100 00:07:41,910 --> 00:07:44,640 So phase 1 has been successful.
101 00:07:46,340 --> 00:07:51,870 What is it some branch 2 receive this. 102 00:07:51,990 --> 00:07:52,340 OK. 103 00:07:52,350 --> 00:07:54,360 So phase 1 has been successful. 104 00:07:54,360 --> 00:07:57,910 Peer identifier, PSK authentication succeeded, authentication. 105 00:07:57,930 --> 00:07:58,620 Okay. 106 00:07:58,710 --> 00:08:04,470 And now we should see again the failure for Phase 2, failure for Phase 2. 107 00:08:04,580 --> 00:08:06,590 The IPsec negotiation. 108 00:08:06,590 --> 00:08:08,130 And here it is again. 109 00:08:08,190 --> 00:08:16,070 So indeed the debug is absolutely noisy, a lot of, a lot of lines are inserted or are presented when we 110 00:08:16,070 --> 00:08:17,940 have this problem, notify 111 00:08:17,960 --> 00:08:19,950 message received no proposal chosen. 112 00:08:20,280 --> 00:08:21,870 So perfect. 113 00:08:21,920 --> 00:08:27,750 So this concludes the troubleshooting scenario and the course, I hope you find it informative. 114 00:08:27,800 --> 00:08:29,900 Hopefully it makes sense to you. 115 00:08:30,140 --> 00:08:31,520 And thanks a lot. 116 00:08:31,520 --> 00:08:35,950 Thank you for being here and I hope to see you in the upcoming courses as well. 117 00:08:35,960 --> 00:08:36,510 Thank you.