weird ip address is in a weird place

swraight · ‎11-25-2002

I was checking some things on a 515 PIX that I have. This firewall has about 20 people that use it to VPN to our network. They use the latest Cisco VPN client.

Well I ran this command to see who was on at that moment:

show isa sa

and what I saw surprised me. Normally it looks like this:

dst src state pending created

63.x.x.x 24.x.x.x QM_IDLE 0 0

63.x.x.x 24.x.x.x QM_IDLE 0 2

The IP in the dst column is our IP address on the outside interface on the PIX. The addresses in the src column are the various IP's of the users connecting.

Well this showed up today:

dst src state pending created

24.x.x.x 63.x.x.x QM_IDLE 0 1

Why would an address (one I don't recognize) show up in the dst column? Shouldn't it always be our address? If someone could help me with this, I would appreciate it!

kdurrett · ‎11-26-2002

The output of that command shows destination, souce and status of isakmp. The source will always be the device who initiated the isakmp session with the destination being where the target was. So if your ip is the source, it would appear that your pix initiated a isakmp session. Do you have any L2L tunnels configured? I remember there being a bug that was purely cosmetic on something like this but I dont remember the id, perhaps bug toolkit will pull something up on this for you.

Kurtis Durrett

swraight · ‎11-26-2002

We do have a PIX to PIX VPN tunnel going, but that wasn't the IP address that was the source. So...that is what makes me nervous. But if it is something cosmetic, then I will be much calmer. Thanks for your response!