Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
329
Views
0
Helpful
1
Replies

tnnel establishes only with ping

mabusedira
Level 1
Level 1

‎04-25-2006 05:07 AM - edited ‎03-09-2019 02:43 PM

I am trying to set up an l2l tunnel between 2 pix firewalls. I used sysopt connection permit-ipsec to bypass the acl on the outside int. The interesting traffic is set to permit any any. When I ping from one side to another the tunnel establishes without problems, when I send ftp traffic from one side to the other the tunnel does not establish. The debug output of "debug crypto isakmp 1":

ftp traffic: (what does the last line mean?)

Sep 04 10:01:45 [IKEv1]: IP = 172.31.1.1, IKE Initiator: New Phase 1, Intf 2, IKE Peer 172.31.1.1 local Proxy Address 0.0.0.

0, remote Proxy Address 0.0.0.0, Crypto map (CMAP)

Sep 04 10:01:45 [IKEv1]: IP = 172.31.1.1, Connection landed on tunnel_group 172.31.1.1

Sep 04 10:01:45 [IKEv1]: IP = 172.31.1.1, Connection landed on tunnel_group 172.31.1.1

Sep 04 10:01:45 [IKEv1]: Group = 172.31.1.1, IP = 172.31.1.1, PHASE 1 COMPLETED

Sep 04 10:01:46 [IKEv1]: Group = 172.31.1.1, IP = 172.31.1.1, Removing peer from correlator table failed, no match!

========================================================================================================================

ping works:

Sep 04 10:04:10 [IKEv1]: IP = 172.31.1.1, IKE Initiator: New Phase 1, Intf 2, IKE Peer 172.31.1.1 local Pr

oxy Address 0.0.0.0, remote Proxy Address 172.31.1.200, Crypto map (CMAP)

Sep 04 10:04:10 [IKEv1]: IP = 172.31.1.1, Connection landed on tunnel_group 172.31.1.1

Sep 04 10:04:10 [IKEv1]: IP = 172.31.1.1, Connection landed on tunnel_group 172.31.1.1

Sep 04 10:04:10 [IKEv1]: Group = 172.31.1.1, IP = 172.31.1.1, PHASE 1 COMPLETED

Sep 04 10:04:11 [IKEv1]: Group = 172.31.1.1, IP = 172.31.1.1, Security negotiation complete for LAN-to-LAN Group (172.31.1.1)

Initiator, Inbound SPI = 0xcaa05555, Outbound SPI = 0x5919b568

Sep 04 10:04:11 [IKEv1]: Group = 172.31.1.1, IP = 172.31.1.1, Starting P2 Rekey timer to expire in 24480 seconds

Sep 04 10:04:11 [IKEv1]: Group = 172.31.1.1, IP = 172.31.1.1, PHASE 2 COMPLETED (msgid=eddaf91b)

Labels:
0 Helpful
1 Reply 1

Fernando_Meza
Level 7
Level 7

‎04-25-2006 10:00 PM

Hi if you can ping but are unable to establish a TCP session, then it might be related to NAT. you need to make sure you have the below in both PIXes.

nat (inside) 0 access-list NO-NAT

access-list NO-NAT permit ip any any

please rate it if you find the info helpful

0 Helpful
Customers Also Viewed These Support Documents