Need Extra set of eyes to look over VPN config issue...

dsingleterry
Level 1

I have a 515 and 3 501's. I currently have 2 VPNs running fine. I am having a bit of a time getting the 3rd VPN up. I did verify that the same key is being used for both configs. I know I'm missing something simple here, but I can't seem to see it...

515:

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
...
hostname YRPCI
domain-name xxxx.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
fixup protocol http 8080
fixup protocol ftp 22
names
name x.x.71.8 ConstOffice
name x.x.81.11 BftOffice
name x.x.71.7 MainOffice (this is the local device)
name x.x.152.238 Savannah
access-list acl_outbound permit ip host 192.168.50.10 any
access-list acl_outbound permit ip host 192.168.50.75 any
access-list acl_outbound permit ip host 192.168.50.201 any
access-list acl_outbound permit tcp 192.168.50.0 255.255.255.0 any eq smtp
access-list acl_outbound permit tcp 192.168.50.0 255.255.255.0 any eq pop3
access-list acl_outbound permit ip 192.168.50.0 255.255.255.0 host 192.168.51.0
access-list acl_outbound permit ip 192.168.50.0 255.255.255.0 host 192.168.52.0
access-list acl_outbound permit ip 192.168.50.0 255.255.255.0 host 192.168.53.0
access-list acl_outbound permit tcp host 192.168.50.11 any
access-list acl_inbound permit tcp any host MainOffice eq 3389
access-list acl_inbound permit icmp any any echo-reply
access-list acl_inbound permit icmp any any time-exceeded
access-list acl_inbound permit icmp any any unreachable
access-list acl_inbound permit ip host MainOffice any
access-list acl_inbound permit tcp any any eq ssh
access-list acl_inbound permit tcp any host MainOffice eq pop3
access-list acl_inbound permit tcp any host MainOffice eq smtp
access-list 100 permit ip 192.168.50.0 255.255.255.0 192.168.51.0 255.255.255.0
access-list 100 permit ip 192.168.50.0 255.255.255.0 192.168.52.0 255.255.255.0
access-list 100 permit ip 192.168.50.0 255.255.255.0 192.168.53.0 255.255.255.0
access-list 101 permit ip 192.168.50.0 255.255.255.0 192.168.52.0 255.255.255.0
access-list 102 permit ip 192.168.50.0 255.255.255.0 192.168.51.0 255.255.255.0
access-list 103 permit ip 192.168.50.0 255.255.255.0 192.168.53.0 255.255.255.0
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
icmp permit any echo outside
icmp permit any unreachable outside
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside pppoe setroute
ip address inside 192.168.50.1 255.255.255.0
ip address intf2 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
no pdm history enable
arp timeout 14400
global (outside) 2 interface
nat (inside) 0 access-list 100
nat (inside) 2 192.168.50.0 255.255.255.0 0 0
static (inside,outside) tcp MainOffice 3389 192.168.50.75 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp MainOffice pop3 192.168.50.11 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp MainOffice smtp 192.168.50.11 smtp netmask 255.255.255.255 0 0
access-group acl_inbound in interface outside
access-group acl_outbound in interface inside
...
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-sha-hmac
crypto map vpn1 10 ipsec-isakmp
crypto map vpn1 10 match address 102
crypto map vpn1 10 set pfs group2
crypto map vpn1 10 set peer ConstOffice
crypto map vpn1 10 set transform-set myset
crypto map vpn1 20 ipsec-isakmp
crypto map vpn1 20 match address 101
crypto map vpn1 20 set pfs group2
crypto map vpn1 20 set peer BftOffice
crypto map vpn1 20 set transform-set myset
crypto map vpn1 30 ipsec-isakmp
crypto map vpn1 30 match address 103
crypto map vpn1 30 set pfs group2
crypto map vpn1 30 set peer Savannah
crypto map vpn1 30 set transform-set myset
crypto map vpn1 interface outside
isakmp enable outside
isakmp key ******** address ConstOffice netmask 255.255.255.255
isakmp key ******** address BftOffice netmask 255.255.255.255
isakmp key ******** address Savannah netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.50.0 255.255.255.0 inside
ssh timeout 20
vpdn group pppoex request dialout pppoe
vpdn group pppoex localname yearround1
vpdn group pppoex ppp authentication pap
vpdn username yearround1 password *********
terminal width 80
Cryptochecksum:849d6fdb066c58cf7cfe868b6109145c
: end

501: (VPN that isn't working)

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 7RD3DIuHCed/Bft9 encrypted
passwd 7RD3DIuHCed/Bft9 encrypted
hostname Savannah
domain-name yrpci.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
name x.x.152.238 Savannah
name x.x.71.7 MainOffice
access-list acl_outbound permit ip 192.168.53.0 255.255.255.0 any
access-list acl_outbound permit ip host MainOffice 192.168.53.0 255.255.255.0
access-list acl_inbound permit icmp any any echo-reply
access-list acl_inbound permit icmp any any time-exceeded
access-list acl_inbound permit icmp any any unreachable
access-list acl_inbound permit ip x.x.152.0 255.255.252.0 192.168.50.0 255.255.255.0
access-list 101 permit ip 192.168.53.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list 101 permit ip host Savannah 192.168.50.0 255.255.255.0
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.53.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
no pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 192.168.53.0 255.255.255.0 0 0
access-group acl_inbound in interface outside
access-group acl_outbound in interface inside
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 x.x.152.1 1
...
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-sha-hmac
crypto map vpn1 30 ipsec-isakmp
crypto map vpn1 30 match address 101
crypto map vpn1 30 set pfs group2
crypto map vpn1 30 set peer MainOffice
crypto map vpn1 30 set transform-set myset
isakmp enable outside
isakmp key ******** address MainOffice netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
telnet 192.168.53.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 20
dhcpd address 192.168.53.55-192.168.53.60 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:57589b8bf8636b0a7f8a2d5a5e582649
: end

Thanks for your help in advance guys.

Dave

Accepted Solution

I think the following command needs to be added to the 501's config

crypto map vpn1 interface outside

13 Replies

nsteup
Level 1

Hi Dave,

look at both of your crypto access-lists:

acl 103 at your 515 consists of one entry;

acl 101 at your 501 consists of two entries.

Crypto access-lists MUST be exactly the same on either side.

Regards Norbert

Ok, I removed the extra line there, did a write mem, then rebooted the 501. I still haven't gotten anything...

I have a silly question to ask... I can't seem to stop a debug I started a while back. I am pretty sure I did a 'debug access-list all' (it displays lines like,

Mar 24 2003 01:31:20: %PIX-4-106023: Deny tcp src inside:192.168.50.97/2054 dst outside:165.166.139.87/80 by access-group "acl_outbound")

But now when I do a 'no debug access-li all' it goes to the next line prompt, but the debug keeps running.

I wanted to run debug on the crypto lines to see what's happening with the VPN connections, but there's so much existing debug info rolling I can't see squat.

But I am guessing my next move should be to get more info on the VPN status to see where it's failing, and the best way for that is debug....

Anyway, thanks for your time. If you know if I'm putting in the wrong 'no debug...' line, please let me know. :)

Thanks,

Dave

Does anyone else have any ideas? I'm still stumped here.... Please help,

Thanks,

Dave

Try this:

In the Savannah config, specific to the ACLs and the commands that use them, you are using the same ACL for the nat 0 command as in the crypto map commands (acl 101). Look at your YRPCI config: you are using separate ACLs for the nat 0 commands and the crypto map commands. In your Savannah config, insert another ACL with the same parameters as acl 101 and add it to the crypto map command instead of acl 101. Not sure if this is your issue, but I have a feeling.

So your config will look something like this:

501: (VPN that isn't working)

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 7RD3DIuHCed/Bft9 encrypted
passwd 7RD3DIuHCed/Bft9 encrypted
hostname Savannah
domain-name yrpci.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
name x.x.152.238 Savannah
name x.x.71.7 MainOffice
access-list acl_outbound permit ip 192.168.53.0 255.255.255.0 any
access-list acl_outbound permit ip host MainOffice 192.168.53.0 255.255.255.0
access-list acl_inbound permit icmp any any echo-reply
access-list acl_inbound permit icmp any any time-exceeded
access-list acl_inbound permit icmp any any unreachable
access-list acl_inbound permit ip x.x.152.0 255.255.252.0 192.168.50.0 255.255.255.0
access-list 101 permit ip 192.168.53.0 255.255.255.0 192.168.50.0 255.255.255.0
*****************newacl************************************
access-list 102 permit ip 192.168.53.0 255.255.255.0 192.168.50.0 255.255.255.0
***********************************************************
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.53.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
no pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 192.168.53.0 255.255.255.0 0 0
access-group acl_inbound in interface outside
access-group acl_outbound in interface inside
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 x.x.152.1 1
...
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-sha-hmac
crypto map vpn1 30 ipsec-isakmp
************new acl command**************************************
crypto map vpn1 30 match address 102
***************************************************************
crypto map vpn1 30 set pfs group2
crypto map vpn1 30 set peer MainOffice
crypto map vpn1 30 set transform-set myset
isakmp enable outside
isakmp key ******** address MainOffice netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
telnet 192.168.53.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 20
dhcpd address 192.168.53.55-192.168.53.60 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:57589b8bf8636b0a7f8a2d5a5e582649
: end

It was a good thought, but it didn't fix it. I'm definitely bumfuzzled here; I have looked over these configs so many times now that I'm wondering if I'll ever see what's wrong...

I ran debug on both firewalls and got a lot of stuff, but the important lines I think are these:

515: MainOffice

crypto_isakmp_process_block: src Savannah, dest MainOffice
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): SA has been authenticated

501: Savannah

ISAKMP (0): SA not acceptable!
ISAKMP (0): sending NOTIFY message 14 protocol 0
return status is IKMP_ERR_NO_RETRANS
crypto_isakmp_process_block: src MainOffice, dest Savannah

I've reentered the isakmp key on both boxes at least 3 times now just to make sure they match. What else would cause the SA to not be acceptable on one but would be on the other?

That really doesn't mean much, unfortunately. It only really means that those particular attributes at that time didn't match on both ends to build the SA. I believe we are going to need the entire debugs to show all the steps. But before you do that, go to this site, and maybe something will click while you are looking at the debugs yourself. If you can't figure it out, by all means paste them in and we will figure this out.

Regards.

http://www.cisco.com/warp/customer/707/ipsec_debug.html

That's a great link, I learned a good bit just reading through that, but ... alas.... :)

Ok, here's the deal. On that debug link, it says, according to my debug,

>>>>

"The message below appears if the Phase II (IPSec) doesn't match on both sides. This most commonly occurs if there is a mismatch in the transform-set.

1d00h: IPSec (validate_proposal): transform proposal (port 3, trans 2, hmac_alg 2) not supported
1d00h: ISAKMP (0:2) : atts not acceptable. Next payload is 0
1d00h: ISAKMP (0:2) SA not acceptable
"

>>>>>>>>

Here's my debug info...

515e: MainOffice

ISAKMP (0): ID payload
next-payload : 8
type : 1
protocol : 17
port : 500
length : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src Savannah, dest MainOffice
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): SA has been authenticated
ISAKMP (0): beginning Quick Mode exchange, M-ID of 162460060:9aef19c
return status is IKMP_NO_ERROR

>>>>>>>>>>>>>>>>>>>>>>>

501e: Savannah

ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 1
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR

>>>>>>>>>>>>>

(I think that's all the pertinent debug info, there's a lot of gibberish there otherwise)

I tried removing and reentering the transform-set on the Sav. I can't quite do that on the MainOffice one since two other VPNs are running and it's best if I don't take them down during the day.

I even added a new transform-set line in the Savannah one with a different name, and no luck.

Thanks for your time as always!

Dave

With this being the case, and them looking the same, I would do some clear crypto ipsec sa stuff.

I suspect you will find how to do everything you need to fix this from this site:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/cmdref/c.htm#1026972 .... Good reading.

Good luck and I will check back tomorrow.... Hope this helps.

Does it make a difference if you have "Set pfs group2" and "Isakmp policy 10 group1"?

So.... where are we at today??? Any luck with that site that talked about all the PIX commands that I believe would help??

And about the question above, I am not 100% sure, but I don't believe they have anything to do with each other. They are separate phases of IPsec: one is in phase one, and the other is in phase two. Like I said, not 100% sure though.

I think the following command needs to be added to the 501's config

crypto map vpn1 interface outside
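The checks this thread converged on can be scripted, and doing so is a reasonable pre-flight before touching a production peer. The Python below is an added example, not code from the thread or from Cisco: it parses PIX 6.x-style `access-list` and `crypto map` lines and reports (a) a crypto map that is never bound to an interface with `crypto map NAME interface IF`, which is the accepted answer here, (b) a map entry missing its ACL, peer or transform-set, and (c) crypto ACL entries that are not the exact mirror (source and destination swapped) of the peer's, which is what nsteup's first reply pointed out. The embedded configs are constructed for the example from the Savannah and MainOffice excerpts posted above, trimmed to the lines the checks need.

```python
"""Lint for PIX 6.x site-to-site IPsec config (added example, not from the thread).

Checks: each crypto map entry has an ACL, a peer and a transform-set; the map is
bound to an interface; the crypto ACL mirrors the peer's crypto ACL exactly.
"""

HOST_MASK = "255.255.255.255"

# Constructed sample configs, trimmed from the excerpts posted in the thread.
MAINOFFICE_CFG = """\
access-list 103 permit ip 192.168.50.0 255.255.255.0 192.168.53.0 255.255.255.0
crypto map vpn1 30 ipsec-isakmp
crypto map vpn1 30 match address 103
crypto map vpn1 30 set pfs group2
crypto map vpn1 30 set peer Savannah
crypto map vpn1 30 set transform-set myset
crypto map vpn1 interface outside
isakmp enable outside
"""

SAVANNAH_BEFORE = """\
access-list 101 permit ip 192.168.53.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list 101 permit ip host Savannah 192.168.50.0 255.255.255.0
nat (inside) 0 access-list 101
crypto map vpn1 30 ipsec-isakmp
crypto map vpn1 30 match address 101
crypto map vpn1 30 set pfs group2
crypto map vpn1 30 set peer MainOffice
crypto map vpn1 30 set transform-set myset
isakmp enable outside
"""

# The fix the thread arrived at: drop the extra ACL line, bind the map to outside.
SAVANNAH_AFTER = SAVANNAH_BEFORE.replace(
    "access-list 101 permit ip host Savannah 192.168.50.0 255.255.255.0\n", ""
) + "crypto map vpn1 interface outside\n"


def _endpoint(tokens, i):
    """Read one ACL endpoint at tokens[i]: 'host A', 'any', or 'A MASK'."""
    if tokens[i] == "host":
        return (tokens[i + 1], HOST_MASK), i + 2
    if tokens[i] == "any":
        return ("0.0.0.0", "0.0.0.0"), i + 1
    return (tokens[i], tokens[i + 1]), i + 2


def parse_acls(cfg):
    """ACL name -> list of (src, dst) pairs for its 'permit ip' entries."""
    acls = {}
    for line in cfg.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[2:4] != ["permit", "ip"]:
            continue
        src, i = _endpoint(t, 4)
        dst, _ = _endpoint(t, i)
        acls.setdefault(t[1], []).append((src, dst))
    return acls


def parse_crypto_maps(cfg):
    """Crypto map name -> {'interfaces': set, 'entries': {seq: {acl, peer, transform}}}."""
    maps = {}
    for line in cfg.splitlines():
        t = line.split()
        if t[:2] != ["crypto", "map"] or len(t) < 5:
            continue
        m = maps.setdefault(t[2], {"interfaces": set(), "entries": {}})
        if t[3] == "interface":          # 'crypto map NAME interface IF'
            m["interfaces"].add(t[4])
            continue
        entry = m["entries"].setdefault(int(t[3]), {})
        rest = t[4:]
        if rest[:2] == ["match", "address"]:
            entry["acl"] = rest[2]
        elif rest[:2] == ["set", "peer"]:
            entry["peer"] = rest[2]
        elif rest[:2] == ["set", "transform-set"]:
            entry["transform"] = rest[2]
    return maps


def lint(cfg):
    """Findings for one config as plain strings; an empty list means the checks passed."""
    findings = []
    acls = parse_acls(cfg)
    maps = parse_crypto_maps(cfg)
    if not maps:
        findings.append("no crypto map defined")
    if "isakmp enable " not in cfg:
        findings.append("isakmp is not enabled on any interface")
    for name, m in maps.items():
        if not m["interfaces"]:
            findings.append(f"crypto map {name} is not applied to any interface")
        for seq, e in sorted(m["entries"].items()):
            for key in ("acl", "peer", "transform"):
                if key not in e:
                    findings.append(f"crypto map {name} {seq} has no {key}")
            if e.get("acl") is not None and e["acl"] not in acls:
                findings.append(f"crypto map {name} {seq} matches undefined ACL {e['acl']}")
    return findings


def mirror_check(local_acl, remote_acl):
    """Entries each side has that the other side does not mirror (src/dst swapped)."""
    local, remote = set(local_acl), set(remote_acl)
    unmirrored_local = [e for e in local_acl if (e[1], e[0]) not in remote]
    unmirrored_remote = [e for e in remote_acl if (e[1], e[0]) not in local]
    return unmirrored_local, unmirrored_remote


if __name__ == "__main__":
    main_acl = parse_acls(MAINOFFICE_CFG)["103"]
    for label, cfg in (("Savannah before", SAVANNAH_BEFORE), ("Savannah after", SAVANNAH_AFTER)):
        print(label, lint(cfg) or ["ok"])
        print("  unmirrored entries:", mirror_check(main_acl, parse_acls(cfg)["101"]))
```

Run stand-alone it prints the findings for Savannah before and after the fix: before, the map is flagged as not applied to any interface and the `host Savannah` entry has no mirror in MainOffice's acl 103; after, both checks are clean. The script checks structure only. It says nothing about the negotiated policy, and the policy posted here (DES, DH group 1, a pre-shared key, SSH open to the whole Internet on both boxes) was ordinary in 2003 but would not pass review today. On the phase question raised in the thread: `isakmp policy ... group` is the phase 1 Diffie-Hellman group and `set pfs group` is the phase 2 PFS group; they are independent settings, and each only has to agree with the peer's corresponding setting.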

This did the number, ha, it always seems I forget something like this! Thanks bud, I owe you one!

All of you, thanks for your time.

Dave :)

Excellent... I overlooked this as well. At any rate, I am glad you got it fixed!!!
