topic PIX ENCRYPTION ISSUE? in Network Security

PIX ENCRYPTION ISSUE?

ciscoacs — Fri, 21 Feb 2020 07:45:39 GMT

I have 2 pix's that are set up to connect to each other via vpn. but the pix's only setup as per below

the SA seems to be fine but nothing created:

Total : 2

Embryonic : 0

dst src state pending created

xxx xxxx QM_IDLE 0 0

also the remote pix does not seem to encrypt the traffic:

PERMIT, flags={origin_is_acl,}

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0

#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0

#send errors 1379, #recv errors 0

i am unable to find any info on this anywhere on cisco.

so i do not understand why the pix establishes the SA but does not encrypt the traffic.

any help much appreciated.

Re: PIX ENCRYPTION ISSUE?

ehirsel — Mon, 22 Nov 2004 02:54:33 GMT

Please post the relevant ike and crypto config statements from both pix units.

You menetioned about an SA being created, would that be the phase 1 (ISAKMP) sa?

With regards to ipsec (phase 2) sa setup, you want to insure that the crypto acls on both pix units are mirror images of each other, and that the crypto map configs contain the same lifetime, DH group, encrypt and hash values.

I will review the config statements and let you know what I find.

A handy troubleshooting tool are the debug cry isa, debug cry ipsec, and the debug cry engine commands.

If possible, run all 3 commands on both pix units, try to get the tunnel working, and post the debug output from both units here as well.