Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
743
Views
0
Helpful
6
Replies

pix 501 strange problem

sadok.mouha
Level 1
Level 1

‎08-13-2005 02:06 AM - edited ‎02-21-2020 12:19 AM

I have a 501 device. I have configured a site 2 site tunnel. It worked for a while (2 days) and then stopped. The problem now is that I'm blocked in Phase 1. My pix send a packet ISAKMP to the other side, the second respond and my pix does nothing when receiving it, strange.

attached is the config and the debug, any help please?

Thanx

Preview file
4 KB
Preview file
3 KB
0 Helpful
6 Replies 6

jmia
Level 7
Level 7

‎08-13-2005 10:39 AM

I presume that you have a pix-to-pix vpn tunnel, if so can you issue the following command on both pix's :

(in config mode)

clear isakmp sa

clear cry ipsec sa

now ping from an internal client to an internal peer client to bring up the vpn tunnel.

Also, why do you have two transform-set statements on your 501?

Let me know how you get on.

Jay

0 Helpful

sadok.mouha
Level 1
Level 1
In response to jmia

‎08-14-2005 11:32 PM

The second transform set is unused and I have removed it and applied clear isakmp sa & clear cty ipsec sa but no changes. When I make difference between the two peers, I received "NO PROPOSAL CHOOSEN", it's ok. the problem is when the two configs are the same, I receives a response from the distant vpn gateway and then my pix ignore it and restarts phase negociation again. Stange !!! I'm blocked :(

0 Helpful

jmia
Level 7
Level 7
In response to sadok.mouha

‎08-14-2005 11:38 PM

Use the following document to compare and troubleshoot :

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094761.shtml

Let me know how you get on.

Jay

0 Helpful

sadok.mouha
Level 1
Level 1
In response to jmia

‎08-15-2005 01:05 AM

Thank you. I used this document but no changes. I have changed from 3des to des with the other side and still the same problem. I don't understand why is my pix don't continue phase 1 negociation :(

Any help please?

0 Helpful

sadok.mouha
Level 1
Level 1
In response to sadok.mouha

‎08-15-2005 01:49 AM

I have captured packets between my pix (192.168.99.250) who is nated and the distant gateway (xxx.xxx.xxx.xxx public ip). Is the packets are normal? As you can see, my pix ignore the response of the distant gateway.

attaeched s is the debug output.

Preview file
5 KB
0 Helpful

sadok.mouha
Level 1
Level 1
In response to sadok.mouha

‎08-16-2005 03:15 AM

Thank you for your help during last days. Finaly, It worked :) I reset to factory default and reconfigured the vpn Tunnel. Until now, I don't understand the real problem. I'm going to restore my config (access-list, ...) and see where is the problem.

Thank you again

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card