I am trying to set up an L2L tunnel between two PIX firewalls. I used sysopt connection permit-ipsec to bypass the ACL on the outside interface. The interesting traffic is set to permit any any. When I ping from one side to the other, the tunnel establishes without problems; when I send FTP traffic from one side to the other, the tunnel does not establish. The debug output of "debug crypto isakmp 1":
FTP traffic: (what does the last line mean?)
Sep 04 10:01:45 [IKEv1]: IP = 172.31.1.1, IKE Initiator: New Phase 1, Intf 2, IKE Peer 172.31.1.1 local Proxy Address 0.0.0.0, remote Proxy Address 0.0.0.0, Crypto map (CMAP)
Sep 04 10:01:45 [IKEv1]: IP = 172.31.1.1, Connection landed on tunnel_group 172.31.1.1
Sep 04 10:01:45 [IKEv1]: IP = 172.31.1.1, Connection landed on tunnel_group 172.31.1.1
Sep 04 10:01:45 [IKEv1]: Group = 172.31.1.1, IP = 172.31.1.1, PHASE 1 COMPLETED
Sep 04 10:01:46 [IKEv1]: Group = 172.31.1.1, IP = 172.31.1.1, Removing peer from correlator table failed, no match!
========================================================================================================================
ping works:
Sep 04 10:04:10 [IKEv1]: IP = 172.31.1.1, IKE Initiator: New Phase 1, Intf 2, IKE Peer 172.31.1.1 local Proxy Address 0.0.0.0, remote Proxy Address 172.31.1.200, Crypto map (CMAP)
Sep 04 10:04:10 [IKEv1]: IP = 172.31.1.1, Connection landed on tunnel_group 172.31.1.1
Sep 04 10:04:10 [IKEv1]: IP = 172.31.1.1, Connection landed on tunnel_group 172.31.1.1
Sep 04 10:04:10 [IKEv1]: Group = 172.31.1.1, IP = 172.31.1.1, PHASE 1 COMPLETED
Sep 04 10:04:11 [IKEv1]: Group = 172.31.1.1, IP = 172.31.1.1, Security negotiation complete for LAN-to-LAN Group (172.31.1.1) Initiator, Inbound SPI = 0xcaa05555, Outbound SPI = 0x5919b568
Sep 04 10:04:11 [IKEv1]: Group = 172.31.1.1, IP = 172.31.1.1, Starting P2 Rekey timer to expire in 24480 seconds
Sep 04 10:04:11 [IKEv1]: Group = 172.31.1.1, IP = 172.31.1.1, PHASE 2 COMPLETED (msgid=eddaf91b)
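
An added example, not part of the original post and not Cisco tooling: a small Python parser for the [IKEv1] debug lines above that groups them per "New Phase 1" negotiation, records the proxy addresses each one proposed, and lists the negotiations that completed Phase 1 without ever logging PHASE 2 COMPLETED. The sample is an abridged copy of the two runs in the post with wrapped lines rejoined; the function names are hypothetical.

```python
import re

# Constructed sample: the post's two debug runs, abridged, wrapped lines rejoined.
SAMPLE = """\
Sep 04 10:01:45 [IKEv1]: IP = 172.31.1.1, IKE Initiator: New Phase 1, Intf 2, IKE Peer 172.31.1.1 local Proxy Address 0.0.0.0, remote Proxy Address 0.0.0.0, Crypto map (CMAP)
Sep 04 10:01:45 [IKEv1]: Group = 172.31.1.1, IP = 172.31.1.1, PHASE 1 COMPLETED
Sep 04 10:01:46 [IKEv1]: Group = 172.31.1.1, IP = 172.31.1.1, Removing peer from correlator table failed, no match!
Sep 04 10:04:10 [IKEv1]: IP = 172.31.1.1, IKE Initiator: New Phase 1, Intf 2, IKE Peer 172.31.1.1 local Proxy Address 0.0.0.0, remote Proxy Address 172.31.1.200, Crypto map (CMAP)
Sep 04 10:04:10 [IKEv1]: Group = 172.31.1.1, IP = 172.31.1.1, PHASE 1 COMPLETED
Sep 04 10:04:11 [IKEv1]: Group = 172.31.1.1, IP = 172.31.1.1, Security negotiation complete for LAN-to-LAN Group (172.31.1.1) Initiator, Inbound SPI = 0xcaa05555, Outbound SPI = 0x5919b568
Sep 04 10:04:11 [IKEv1]: Group = 172.31.1.1, IP = 172.31.1.1, PHASE 2 COMPLETED (msgid=eddaf91b)
"""

LINE = re.compile(r"^(\w{3} \d{2} [\d:]{8}) \[IKEv1\]: (?:Group = \S+, )?IP = (\S+?), (.*)$")
START = re.compile(r"local Proxy Address (\S+?), remote Proxy Address (\S+?),")
SPI = re.compile(r"Inbound SPI = (0x[0-9a-fA-F]+), Outbound SPI = (0x[0-9a-fA-F]+)")

def summarize(text):
    """Return one record per 'New Phase 1' line, tracking how far that negotiation got."""
    sessions, latest = [], {}            # latest: peer IP -> its most recent negotiation
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue                     # not an IKEv1 debug line
        ts, peer, msg = m.groups()
        start = START.search(msg)
        if "New Phase 1" in msg and start:
            latest[peer] = {"start": ts, "peer": peer, "local_proxy": start.group(1),
                            "remote_proxy": start.group(2), "phase1": False,
                            "phase2": False, "spis": None, "last": msg}
            sessions.append(latest[peer])
            continue
        cur = latest.get(peer)
        if cur is None:
            continue                     # message for a negotiation whose start was not captured
        cur["last"] = msg                # last message logged for this negotiation
        cur["phase1"] = cur["phase1"] or "PHASE 1 COMPLETED" in msg
        cur["phase2"] = cur["phase2"] or "PHASE 2 COMPLETED" in msg
        spi = SPI.search(msg)
        cur["spis"] = spi.groups() if spi else cur["spis"]
    return sessions

def stalled(sessions):
    """Negotiations that finished Phase 1 but never logged PHASE 2 COMPLETED."""
    return [s for s in sessions if s["phase1"] and not s["phase2"]]

if __name__ == "__main__":
    for s in stalled(summarize(SAMPLE)):
        print(f'{s["start"]} {s["local_proxy"]} -> {s["remote_proxy"]}: no phase 2; last: {s["last"]}')
```

Run against the sample, it lists only the 10:01:45 negotiation, the one that proposed 0.0.0.0 as both local and remote proxy address.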