03-17-2008 03:45 PM - edited 03-11-2019 05:18 AM
I upgraded from a PIX506 to a PIX515e w/vac+ and all of my software based VPN connections work except for the two site-to-site tunnels I had. We rechecked the pre-shared keys. How can I determine why these tunnels won't work on the 515e? They were fine on the 506. We even have the 515e at the same IOS level the 506 was. Thanks for any and all assistance.
03-17-2008 05:07 PM
First check show version on the new PIX 515E, and make sure VPN-3DES-AES: is Enabled. If 3DES/AES is OK then you will need to debug it to find out where the tunnel fails.
Jorge
03-17-2008 05:18 PM
It's enabled
What commands do I use to debug a tunnel?
Thanks
03-17-2008 05:40 PM
Dwayne, please double check the L2L configuration again between both firewalls; all parameters must match. Debugging is your last resort! And as you know it should be used in non-production hours. Go over some config checks again:
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#intro
For debugging:
pix#config t
pix(config)#logging buffered debugging
pix#debug crypto isakmp
pix#debug crypto ipsec
try to bring up the tunnel by sending interesting traffic
pix#show debug
copy the debug output and post it
edit: when done capturing the debug output, disable the debugging process.
pix#no debug crypto isakmp
pix#no debug crypto ipsec
03-17-2008 06:09 PM
I get
debug crypto disakmp 1
debug crypto ipsec 1
Not exactly what I was expecting.
03-17-2008 07:36 PM
Sorry..
pix(config)#terminal monitor
Bring up the tunnel by sending a ping to the destination host. You should see the output of the tunnel negotiation. Please try, and post the output.