11-07-2008 03:36 AM - edited 03-11-2019 07:09 AM
Hi,
There seems to be a problem with a site-to-site VPN on my PIX 515 (IOS 6.3(3)). It seems that even phase 1 won't initiate, and when I enter debug crypto isakmp or debug crypto ipsec, nothing seems to output to screen. (Currently the secondary PIX is active, as it failed over last week.)
1) Should this make a difference as to why no debug messages appear on screen?
2) How can you force phase 1 to start?
3) Short of rebooting the firewall, is there anything else I can do?
Regards
11-08-2008 12:24 AM
Hello Suleiman,
Most probably something is wrong with the interesting-traffic ACL, so that no traffic occurs that is interesting for the IPsec tunnel to kick in. Post your running config and let us advise.
Regards
11-10-2008 02:10 AM
Hi there,
Here is the part of the config relating to this tunnel. The thing is, although I run the debug crypto isakmp command, I can't see any messages on screen.
isakmp policy 15 authentication pre-share
isakmp policy 15 encryption des
isakmp policy 15 hash md5
isakmp policy 15 group 2
isakmp policy 15 lifetime 3600
isakmp enable outside
isakmp key ******** address {supplier peer} netmask 255.255.255.255 no-xauth no-config-mode
access-list supplier permit ip host {my server public ip} host {supplier server public ip}
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map outside_map 82 ipsec-isakmp
crypto map outside_map 82 match address supplier
crypto map outside_map 82 set pfs group2
crypto map outside_map 82 set peer {supplier peer}
crypto map outside_map 82 set transform-set ESP-DES-MD5
crypto map outside_map 82 set security-association lifetime seconds 3600 kilobytes 4608000
11-10-2008 03:00 AM
Suleiman,
Add this
crypto map outside_map interface outside
Why is interesting traffic based on public IPs? To what IP addresses at the remote site do you want to establish a connection over VPN?
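An offline sanity check for the two points raised in the replies above (the interesting-traffic ACL and the crypto map being applied to an interface), as an added example that is not part of the original posts. The helper name, the finding texts and the sample addresses (RFC 5737 documentation ranges) are assumptions, and it assumes pre-shared-key authentication as in the posted policy.

```python
# Constructed sample modelled on the posted fragment; addresses are placeholders.
SAMPLE = """\
isakmp enable outside
isakmp key ******** address 192.0.2.1 netmask 255.255.255.255 no-xauth no-config-mode
access-list supplier permit ip host 198.51.100.10 host 203.0.113.20
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map outside_map 82 ipsec-isakmp
crypto map outside_map 82 match address supplier
crypto map outside_map 82 set peer 192.0.2.1
crypto map outside_map 82 set transform-set ESP-DES-MD5
"""

def check_tunnel_config(text):
    """Hypothetical helper: list the references a crypto map entry is missing."""
    acls, tsets, keyed_peers, isakmp_ifs = set(), set(), set(), set()
    bound, entries = {}, {}   # map name -> interface; (map, seq) -> settings
    for line in text.splitlines():
        t = line.split()
        arg = t[6] if len(t) > 6 else None
        if len(t) >= 3 and t[0] == "access-list":
            acls.add(t[1])
        elif len(t) > 3 and t[:3] == ["crypto", "ipsec", "transform-set"]:
            tsets.add(t[3])
        elif len(t) > 2 and t[:2] == ["isakmp", "enable"]:
            isakmp_ifs.add(t[2])
        elif t[:2] == ["isakmp", "key"] and "address" in t[:-1]:
            keyed_peers.add(t[t.index("address") + 1])
        elif len(t) >= 5 and t[:2] == ["crypto", "map"] and t[3] == "interface":
            bound[t[2]] = t[4]
        elif len(t) >= 5 and t[:2] == ["crypto", "map"]:
            entry = entries.setdefault((t[2], t[3]), {})
            if t[4:6] == ["match", "address"]:
                entry["acl"] = arg
            elif t[4:6] in (["set", "peer"], ["set", "transform-set"]):
                entry[t[5]] = arg
    findings = []
    for (name, seq), e in sorted(entries.items()):
        tag = f"{name} {seq}"
        if name not in bound:
            findings.append(f"{tag}: crypto map not applied to an interface")
        elif bound[name] not in isakmp_ifs:
            findings.append(f"{tag}: isakmp not enabled on {bound[name]}")
        if e.get("acl") not in acls:
            findings.append(f"{tag}: match address ACL missing or undefined")
        if e.get("peer") not in keyed_peers:  # assumes pre-share authentication
            findings.append(f"{tag}: no isakmp key for the peer")
        if e.get("transform-set") not in tsets:
            findings.append(f"{tag}: transform-set missing or undefined")
    return findings
```

Run against the constructed sample, which omits the interface binding just as the posted fragment did, it reports only that the crypto map is not applied to an interface.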
11-10-2008 03:46 AM
Hi there husycisco,
That command was there as well, I forgot to include it. The latest on it is, it's working.
I rang TAC, and he ran the same commands as I did in terms of clearing SAs. The only thing I didn't do was clear the crypto map outside_map command and then reapply it.
Thanks for your help though.