topic Re: PIX535 VPN Remote peer issue in Network Security

PIX535 VPN Remote peer issue

russell.kelly — Mon, 11 Mar 2019 11:38:04 GMT

Quite a strange problem and also intermittent. One particular VPN in crypto map list keeps picking up the wrong remote peer to the one configured in the crypto map, sometimes this can be an invalid peer address, such as 50.0.0.0. This is currently happening about once a week. PIX OS is 6.3(5) any suggestions?

Re: PIX535 VPN Remote peer issue

Alan Huseyin Kayahan — Mon, 03 Dec 2007 14:28:11 GMT

Hi russell

How do you dedect that it picks a wrong IP? Any syslog output?

Regards

Re: PIX535 VPN Remote peer issue

russell.kelly — Mon, 03 Dec 2007 14:48:15 GMT

Hi - normally the cusomer lets us know that it has stopped working and issueing the command "sh crypto ipsec sa" confirms that the peer is 50.0.0.0

(local ident (addr/mask/prot/port): AXA_ftpap001/255.255.255.255/0/0)

remote ident (addr/mask/prot/port): (192.168.1.1/255.255.255.255/0/0)

current_peer: 50.0.0.0:0)

local crypto endpt.: TheAAPIX_Peer, remote crypto endpt.: 50.0.0.0

After a reboot the same command outputs the correct peer information (AXA_Peer) for about a week then the same thing happens again.

Here is the releavant config for this connection. Line 2 on the ACL is the only one that gets used.

name x.x.x.x AXA_Peer

name x.x.x.x AXA_ftpap001

access-list AXA permit tcp host 192.168.1.1 host AXA_ftpap001 eq 1363

access-list AXA permit tcp host 192.168.1.1 host AXA_ftpap001 eq 1364

access-list AXA permit tcp host TheAA_FTP host AXA_ftpap001 eq 1363

access-list AXA permit tcp host TheAA_FTP host AXA_ftpap001 eq 1364

access-list AXA permit ip host 192.168.1.1 host AXA_ftpap001

access-list AXA permit tcp host AXA_ftpap001 host 192.168.1.1 eq 1364

access-list AXA permit tcp host AXA_ftpap001 host 192.168.1.1 eq 1363

access-list AXA permit ip host AXA_ftpap001 host 192.168.1.1

access-list AXA permit tcp host AXA_ftpap001 host TheAA_FTP eq 1363

access-list AXA permit tcp host AXA_ftpap001 host TheAA_FTP eq 1364

access-list AXA permit ip host AXA_ftpap001 host TheAA_FTP

access-list AXA1 permit ip host TheAA_FTP host AXA_ftpap001

static (dmz_v905,outside) 192.168.1.1 access-list AXA1 0 0

crypto map aa3party 250 ipsec-isakmp

crypto map aa3party 250 match address AXA

crypto map aa3party 250 set peer AXA_Peer

crypto map aa3party 250 set transform-set aa

isakmp key ******** address AXA_Peer netmask 255.255.255.255 no-xauth no-config-mode

crypto ipsec transform-set aa esp-3des esp-md5-hmac

Re: PIX535 VPN Remote peer issue

ajagadee — Mon, 03 Dec 2007 14:48:35 GMT

Can you provide some additional information on this issue.

Also, make sure that you dont have Overlapping Access-list, meaning same destination network configured for two different peers.

Regards,

Arul

Re: PIX535 VPN Remote peer issue

russell.kelly — Mon, 03 Dec 2007 16:57:09 GMT

I have just rebooted the PIX and as you can see below the correct peer information is there and the file transfer is now working.

local ident (addr/mask/prot/port): (AXA_ftpap001/255.255.255.255/6/0)

remote ident (addr/mask/prot/port): (192.168.1.1/255.255.255.255/6/1364)

current_peer: AXA_Peer:0

PERMIT, flags={origin_is_acl,reassembly_needed,}

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0

#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0

#send errors 0, #recv errors 0

local crypto endpt.: TheAAPIX_Peer, remote crypto endpt.: AXA_Peer

path mtu 1500, ipsec overhead 0, media mtu 1500

current outbound spi: 0

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas: