12-03-2007 06:22 AM - edited 03-11-2019 04:38 AM
Quite a strange problem, and also intermittent. One particular VPN in the crypto map list keeps picking up the wrong remote peer instead of the one configured in the crypto map; sometimes this can be an invalid peer address, such as 50.0.0.0. This is currently happening about once a week. PIX OS is 6.3(5). Any suggestions?
12-03-2007 06:28 AM
Hi russell
How do you detect that it picks a wrong IP? Any syslog output?
Regards
12-03-2007 06:48 AM
Hi - normally the customer lets us know that it has stopped working, and issuing the command "sh crypto ipsec sa" confirms that the peer is 50.0.0.0:
local ident (addr/mask/prot/port): (AXA_ftpap001/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (192.168.1.1/255.255.255.255/0/0)
current_peer: 50.0.0.0:0
local crypto endpt.: TheAAPIX_Peer, remote crypto endpt.: 50.0.0.0
After a reboot the same command outputs the correct peer information (AXA_Peer) for about a week then the same thing happens again.
Here is the relevant config for this connection. Line 2 of the ACL is the only one that gets used.
name x.x.x.x AXA_Peer
name x.x.x.x AXA_ftpap001
access-list AXA permit tcp host 192.168.1.1 host AXA_ftpap001 eq 1363
access-list AXA permit tcp host 192.168.1.1 host AXA_ftpap001 eq 1364
access-list AXA permit tcp host TheAA_FTP host AXA_ftpap001 eq 1363
access-list AXA permit tcp host TheAA_FTP host AXA_ftpap001 eq 1364
access-list AXA permit ip host 192.168.1.1 host AXA_ftpap001
access-list AXA permit tcp host AXA_ftpap001 host 192.168.1.1 eq 1364
access-list AXA permit tcp host AXA_ftpap001 host 192.168.1.1 eq 1363
access-list AXA permit ip host AXA_ftpap001 host 192.168.1.1
access-list AXA permit tcp host AXA_ftpap001 host TheAA_FTP eq 1363
access-list AXA permit tcp host AXA_ftpap001 host TheAA_FTP eq 1364
access-list AXA permit ip host AXA_ftpap001 host TheAA_FTP
access-list AXA1 permit ip host TheAA_FTP host AXA_ftpap001
static (dmz_v905,outside) 192.168.1.1 access-list AXA1 0 0
crypto map aa3party 250 ipsec-isakmp
crypto map aa3party 250 match address AXA
crypto map aa3party 250 set peer AXA_Peer
crypto map aa3party 250 set transform-set aa
isakmp key ******** address AXA_Peer netmask 255.255.255.255 no-xauth no-config-mode
crypto ipsec transform-set aa esp-3des esp-md5-hmac
12-03-2007 06:48 AM
Can you provide some additional information on this issue?
Also, make sure that you don't have overlapping access-lists, meaning the same destination network configured for two different peers.
Regards,
Arul
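The two checks raised in this thread (Russell reading "sh crypto ipsec sa" by hand to see whether current_peer still matches the crypto map, and Arul's advice to look for the same destination selected by the crypto ACLs of two different peers) can be scripted so the drift is caught before the customer calls. The script below is an added example, not code from the thread or from Cisco. It parses PIX 6.3-style "name", "access-list" and "crypto map" lines and a "show crypto ipsec sa" dump. The sample config is constructed from the lines posted above; the IP addresses behind the "name" aliases, and the second map entry 260 with ACL OTHER that creates an overlap, are invented for the demonstration. It assumes Python 3.8 or later.

```python
"""Audit a PIX crypto map config and a 'show crypto ipsec sa' dump.

Added example (not from the thread). Two checks:
  1. destination hosts selected by the crypto ACLs of more than one peer;
  2. SAs whose current_peer differs from the peer configured for that
     local/remote pair (what the first post found by hand: 50.0.0.0).
Constructed sample data: the IPs behind the 'name' entries and map entry 260
with ACL OTHER are invented; the rest mirrors the config posted above.
"""
import re
from collections import defaultdict

SAMPLE_CONFIG = """\
name 203.0.113.10 AXA_Peer
name 10.20.30.40 AXA_ftpap001
name 203.0.113.20 OTHER_Peer
access-list AXA permit tcp host 192.168.1.1 host AXA_ftpap001 eq 1363
access-list AXA permit ip host 192.168.1.1 host AXA_ftpap001
access-list AXA permit ip host AXA_ftpap001 host 192.168.1.1
access-list OTHER permit ip host 192.168.1.1 host AXA_ftpap001
crypto map aa3party 250 ipsec-isakmp
crypto map aa3party 250 match address AXA
crypto map aa3party 250 set peer AXA_Peer
crypto map aa3party 260 ipsec-isakmp
crypto map aa3party 260 match address OTHER
crypto map aa3party 260 set peer OTHER_Peer
"""

# Constructed from the 'sh crypto ipsec sa' lines in the first post (bad state).
SAMPLE_SA_OUTPUT = """\
   local ident (addr/mask/prot/port): (AXA_ftpap001/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.1/255.255.255.255/0/0)
   current_peer: 50.0.0.0:0
"""

NAME_RE = re.compile(r"^name (\S+) (\S+)$")
ACL_RE = re.compile(r"^access-list (\S+) permit \S+ host (\S+) host (\S+)")
MAP_RE = re.compile(r"^crypto map (\S+) (\d+) (match address|set peer) (\S+)$")
SA_RE = re.compile(r"^\s*(local ident|remote ident|current_peer)[^:]*:\s*\(?([^/\s):]+)")

def parse_config(text):
    """Return (names, acls, entries): alias->IP, ACL->[(src, dst)], (map, seq)->{acl, peer}."""
    names, acls, entries = {}, defaultdict(list), defaultdict(dict)
    for line in text.splitlines():
        line = line.strip()
        if m := NAME_RE.match(line):
            names[m.group(2)] = m.group(1)
        elif m := ACL_RE.match(line):
            acls[m.group(1)].append((m.group(2), m.group(3)))
        elif m := MAP_RE.match(line):
            key = (m.group(1), int(m.group(2)))
            entries[key]["acl" if m.group(3) == "match address" else "peer"] = m.group(4)
    return names, dict(acls), dict(entries)

def resolve(name, names):
    """Map a 'name' alias to its IP; plain IPs pass through unchanged."""
    return names.get(name, name)

def overlapping_destinations(names, acls, entries):
    """Destinations (as IPs) selected by the crypto ACLs of more than one peer."""
    peers_by_dst = defaultdict(set)
    for entry in entries.values():
        if "acl" not in entry or "peer" not in entry:
            continue  # an incomplete map entry selects no traffic
        for _src, dst in acls.get(entry["acl"], []):
            peers_by_dst[resolve(dst, names)].add(resolve(entry["peer"], names))
    return {dst: sorted(peers) for dst, peers in peers_by_dst.items() if len(peers) > 1}

def parse_sa_output(text):
    """Split 'show crypto ipsec sa' output into dicts keyed local/remote/current_peer."""
    blocks, cur = [], None
    for line in text.splitlines():
        if not (m := SA_RE.match(line)):
            continue
        field, value = m.groups()
        if field == "local ident":
            cur = {}
            blocks.append(cur)
        if cur is not None:
            cur[field.split()[0]] = value
    return blocks

def expected_peer(local, remote, names, acls, entries):
    """Peer (as IP) configured for the crypto ACL line that selects local -> remote."""
    wanted = (resolve(local, names), resolve(remote, names))
    for entry in entries.values():
        if "peer" not in entry:
            continue
        for src, dst in acls.get(entry.get("acl"), []):
            if (resolve(src, names), resolve(dst, names)) == wanted:
                return resolve(entry["peer"], names)
    return None

def find_peer_mismatches(sa_text, names, acls, entries):
    """(local, remote, current_peer, expected_peer) for every SA built to the wrong peer."""
    mismatches = []
    for b in parse_sa_output(sa_text):
        exp = expected_peer(b.get("local"), b.get("remote"), names, acls, entries)
        cur = resolve(b.get("current_peer"), names)
        if exp is not None and cur != exp:
            mismatches.append((b["local"], b["remote"], cur, exp))
    return mismatches

if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print("overlapping destinations:", overlapping_destinations(*cfg))
    print("SAs on the wrong peer:", find_peer_mismatches(SAMPLE_SA_OUTPUT, *cfg))
```

Run against a real "write terminal" and "show crypto ipsec sa" capture, the overlap check reports AXA_ftpap001 only if some other map entry also selects it; in the config actually posted there is a single entry, so that check comes back empty and the interesting output is the mismatch list, which flags the 50.0.0.0 SA immediately rather than a week later.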
12-03-2007 08:57 AM
I have just rebooted the PIX and as you can see below the correct peer information is there and the file transfer is now working.
local ident (addr/mask/prot/port): (AXA_ftpap001/255.255.255.255/6/0)
remote ident (addr/mask/prot/port): (192.168.1.1/255.255.255.255/6/1364)
current_peer: AXA_Peer:0
PERMIT, flags={origin_is_acl,reassembly_needed,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: TheAAPIX_Peer, remote crypto endpt.: AXA_Peer
path mtu 1500, ipsec overhead 0, media mtu 1500
current outbound spi: 0
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas: