PIX ENCRYPTION ISSUE?

ciscoacs
Level 1

I have 2 PIXes that are set up to connect to each other via VPN, but the PIXes only set up as per below.

The SA seems to be fine but nothing created:

Total : 2

Embryonic : 0

dst src state pending created

xxx xxxx QM_IDLE 0 0

Also, the remote PIX does not seem to encrypt the traffic:

PERMIT, flags={origin_is_acl,}

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0

#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0

#send errors 1379, #recv errors 0

I am unable to find any info on this anywhere on Cisco.

So I do not understand why the PIX establishes the SA but does not encrypt the traffic.

Any help much appreciated.

1 Reply

ehirsel
Level 6

Please post the relevant IKE and crypto config statements from both PIX units.

You mentioned an SA being created; would that be the phase 1 (ISAKMP) SA?

With regard to IPsec (phase 2) SA setup, you want to ensure that the crypto ACLs on both PIX units are mirror images of each other, and that the crypto map configs contain the same lifetime, DH group, encrypt and hash values.

I will review the config statements and let you know what I find.

Handy troubleshooting tools are the debug cry isa, debug cry ipsec, and debug cry engine commands.

If possible, run all 3 commands on both PIX units, try to get the tunnel working, and post the debug output from both units here as well.
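
The mirror-image crypto ACL check mentioned in the reply above, as an added example that is not part of the original thread. The addresses, ACL numbers and crypto map name are constructed, and the parser assumes only `permit ip` entries whose address specs are `any`, `host A` or `A MASK`.

```python
import ipaddress

# Constructed sample configs (not from the thread). PIX ACLs use netmasks.
PIX_A = """
access-list 101 permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list 101 permit ip host 10.1.1.10 10.3.3.0 255.255.255.0
crypto map vpnmap 10 match address 101
"""
PIX_B = """
access-list 110 permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 110 permit ip 10.3.3.0 255.255.255.0 10.1.1.0 255.255.255.0
crypto map vpnmap 10 match address 110
"""

def _take_net(tok):
    """Consume one address spec and return (network, remaining tokens)."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}", strict=False), tok[2:]

def parse_crypto_acl(config, acl_name):
    """Return the set of (src, dst) networks permitted by the named ACL."""
    entries = set()
    for line in config.splitlines():
        tok = line.split()
        if tok[:4] != ["access-list", acl_name, "permit", "ip"]:
            continue  # skip blank lines and unrelated statements
        src, rest = _take_net(tok[4:])
        dst, _ = _take_net(rest)
        entries.add((src, dst))
    return entries

def mirror_mismatches(local_cfg, local_acl, remote_cfg, remote_acl):
    """List entries on each unit that have no reversed twin on the peer."""
    local = parse_crypto_acl(local_cfg, local_acl)
    remote = parse_crypto_acl(remote_cfg, remote_acl)
    fmt = lambda pairs: [f"{s} -> {d}" for s, d in sorted(pairs)]
    return {
        "local_only": fmt(local - {(d, s) for s, d in remote}),
        "remote_only": fmt(remote - {(d, s) for s, d in local}),
    }

if __name__ == "__main__":
    for side, entries in mirror_mismatches(PIX_A, "101", PIX_B, "110").items():
        for entry in entries:
            print(f"{side}: {entry} has no mirror entry on the peer")
```

In the sample, the first pair of entries mirrors correctly, while the `host 10.1.1.10` entry on one unit and the `/24` entry on the other do not match each other, so both are reported.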
