03-15-2008 12:50 AM - edited 03-05-2019 09:46 PM
What does the 2nd statement mean?
ip route 0.0.0.0 0.0.0.0 192.168.229.1
route inside 10.242.26.0 255.255.255.0 192.168.116.1 1
I know the first one tells the router to send all traffic destined for the internet via 192.168.229.1, but the 2nd I have no clue about.
04-14-2008 11:10 AM
Is it the tunnel that is not coming up, or is the tunnel coming up and you cannot get any packets to pass?
Have you tried debugging on the Pix 515E, i.e.
debug crypto isakmp
debug crypto ipsec
and then try connecting from the remote end.
Jon
04-14-2008 11:12 AM
Can I issue these debug statements safely in this 515E? The reason I ask is because this pix is the door to more than 700 users currently connecting to services behind the L3 switch.
Will this degrade the performance of the PIX and perhaps cause it to freeze up?
04-14-2008 11:13 AM
Angel,
Here's a PIX-to-PIX VPN tunnel example. Change the variables according to your setup.
Let us know if you continue to experience problems. If you can post a sanitized copy of both PIX configuration it would help us identify the issue quickly.
HTH
Sundar
04-14-2008 11:21 AM
Downloading and printing the document right now.
Both configs are very long, and sanitizing them will take even longer.
I will try however.
04-14-2008 11:15 AM
I wouldn't run the debugging in production hours if you can help it. All debugging puts an extra load on the CPU.
If you do a "sh crypto isa sa" on the pix 515E, do you see the remote peer address and what is the state?
If you see the remote peer address and the state is QM_IDLE, can you run "sh run crypto ipsec sa" and see if you can find the entry for the VPN?
Jon
04-14-2008 11:19 AM
"sh crypto isa sa" displays this:
64.21.75.165 63.123.69.140 QM_IDLE 0 1
64. is the IP address of the 515E
"sh run crypto ipsec sa" only displays the entire running config, as if I did a "sh run"
04-14-2008 11:21 AM
sh crypto ipsec sa NOT
sh run crypto ipsec sa
04-14-2008 11:25 AM
I just did them again and same results. The "sh run crypto ipsec sa" only lists the running config.
So, what does the QM_IDLE mean?
Is this tunnel up and only not passing traffic? Or is the tunnel completely down?
04-14-2008 11:28 AM
QM_IDLE means IKE Phase 1 has been set up. So basically the peer IP addresses and the secret key agree.
If this is the pix 515E you are entering the commands on, the command is not
sh run crypto ipsec sa
it is
sh crypto ipsec sa
NOTE - there is no "run" in the command
Jon
04-14-2008 11:28 AM
I just issued a "sh crypto isa sa" in the 525 and these are the results:
Active SA: 2
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2
1 IKE Peer: 68.195.218.131
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
2 IKE Peer: 63.123.69.140
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
I think it is looking good, right?
04-14-2008 11:34 AM
I see. I knew everything else was right, so it is just something else... but I can't figure out what.
I just did a "sh crypto ipsec sa" and here are the results:
MDS-PIX-01# sh crypto ipsec sa
interface: outside
Crypto map tag: VPNTunnel, local addr. 63.123.69.140
local ident (addr/mask/prot/port): (192.168.30.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.131.10.0/255.255.255.0/0/0)
current_peer: 64.21.75.165:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 162, #pkts encrypt: 162, #pkts digest 162
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: 63.123.69.140, remote crypto endpt.: 64.21.75.165
path mtu 1500, ipsec overhead 56, media mtu 1500
current outbound spi: 74d8f047
inbound esp sas:
spi: 0x3c2e6154(1009672532)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 41, crypto map: VPNTunnel
sa timing: remaining key lifetime (k/sec): (4608000/28546)
IV size: 8 bytes
replay detection support: Y
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x74d8f047(1960374343)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 42, crypto map: VPNTunnel
sa timing: remaining key lifetime (k/sec): (4607990/28537)
IV size: 8 bytes
replay detection support: Y
outbound ah sas:
outbound pcp sas:
local ident (addr/mask/prot/port): (192.168.106.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.102.0/255.255.255.0/0/0)
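An added example, not from this thread or from Cisco: a small Python parser for the counters in the "sh crypto ipsec sa" output above that flags the one-way pattern (encaps climbing while decaps stays at 0). The sample is the thread's own output trimmed to the lines the parser reads, plus a constructed second proxy identity with return traffic for contrast.

```python
import re

# Sample: the "sh crypto ipsec sa" output pasted in this thread (trimmed), followed by a
# constructed second local/remote ident pair that does see return traffic.
SAMPLE = """\
Crypto map tag: VPNTunnel, local addr. 63.123.69.140
local ident (addr/mask/prot/port): (192.168.30.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.131.10.0/255.255.255.0/0/0)
current_peer: 64.21.75.165:500
#pkts encaps: 162, #pkts encrypt: 162, #pkts digest 162
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
local ident (addr/mask/prot/port): (192.168.106.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.102.0/255.255.255.0/0/0)
current_peer: 64.21.75.165:500
#pkts encaps: 40, #pkts encrypt: 40, #pkts digest 40
#pkts decaps: 38, #pkts decrypt: 38, #pkts verify 38
"""

IDENT_RE = re.compile(r"(local|remote) ident .*?: \(([\d.]+)/([\d.]+)/")
PEER_RE = re.compile(r"current_peer: ([\d.]+)")
COUNT_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")


def parse_ipsec_sa(text):
    """Return one dict per proxy identity (local/remote ident pair) with its counters."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = IDENT_RE.match(line)
        if m and m.group(1) == "local":      # a new local ident starts a new entry
            cur = {"encaps": 0, "decaps": 0}
            entries.append(cur)
        if cur is None:                      # header lines before the first ident
            continue
        if m:
            cur[m.group(1)] = f"{m.group(2)}/{m.group(3)}"
        elif m := PEER_RE.match(line):
            cur["peer"] = m.group(1)
        elif m := COUNT_RE.match(line):
            cur[m.group(1)] = int(m.group(2))
    return entries


def diagnose(entry):
    """'one-way' is the thread's symptom: packets encapsulated, none ever decapsulated."""
    if entry["encaps"] > 0 and entry["decaps"] == 0:
        return "one-way"
    if entry["encaps"] == 0 and entry["decaps"] == 0:
        return "idle"
    return "two-way"
```

Run `diagnose()` over `parse_ipsec_sa()` on the box that originates traffic; a "one-way" result points at the return path (remote crypto ACL or routing) rather than at IKE.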
04-14-2008 11:42 AM
Which pix is this taken from?
It looks like you have established a VPN tunnel and packets are being sent out but no packets are returning.
Jon
04-14-2008 11:48 AM
from the 515E
How do I know which side is the one not returning the traffic?
04-14-2008 11:50 AM
Which side is initiating the connection? If this is the Pix 515E it looks like it is sending traffic out but not receiving any back.
04-14-2008 12:00 PM
The 525 is the initiator according to the results of the "sh crypto isa sa" command I entered in the 525.