route inside statement

insccisco
Level 1

What does the 2nd statement mean?

ip route 0.0.0.0 0.0.0.0 192.168.229.1

route inside 10.242.26.0 255.255.255.0 192.168.116.1 1

I know the first one tells the router to send all traffic destined to the internet via 192.168.229.1, but about the 2nd I have no clue.
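The thread never comes back to this question, so here is a worked lookup over the two lines as an added example (my code, not Cisco's and not from the thread). It assumes the PIX/ASA static-route syntax `route <interface> <network> <netmask> <gateway> [metric]`, under which the second line is a static route to 10.242.26.0/24 via next hop 192.168.116.1 reached out the inside interface with metric 1, and it treats the IOS-style `ip route <network> <netmask> <gateway>` line as the same kind of entry with no interface named. The test destinations, the default metric of 1 and the `ROUTES`/`lookup`/`describe` names are my assumptions; only the two route lines come from the question.

```python
"""Longest-prefix lookup over the two static routes from the question.

Added example, not Cisco code and not from the thread. Assumptions:
  PIX/ASA form:  route <interface> <network> <netmask> <gateway> [metric]
  IOS form:      ip route <network> <netmask> <gateway> [metric]  (no interface)
Forwarding picks the most specific matching prefix, then the lowest metric.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class StaticRoute:
    interface: Optional[str]          # None for the IOS-style "ip route" form
    network: ipaddress.IPv4Network
    gateway: ipaddress.IPv4Address
    metric: int


def parse_route(line: str) -> StaticRoute:
    """Parse one 'route IF NET MASK GW [metric]' or 'ip route NET MASK GW [metric]' line."""
    toks = line.split()
    if toks[:2] == ["ip", "route"]:
        iface, rest = None, toks[2:]
    elif toks[:1] == ["route"]:
        iface, rest = toks[1], toks[2:]
    else:
        raise ValueError(f"not a static route: {line!r}")
    if len(rest) < 3:
        raise ValueError(f"need network, mask and gateway: {line!r}")
    net, mask, gw = rest[:3]
    metric = int(rest[3]) if len(rest) > 3 else 1   # assumed default metric of 1
    return StaticRoute(
        interface=iface,
        network=ipaddress.IPv4Network(f"{net}/{mask}"),   # "0.0.0.0/0.0.0.0" -> 0.0.0.0/0
        gateway=ipaddress.IPv4Address(gw),
        metric=metric,
    )


def lookup(dest: str, routes: List[StaticRoute]) -> Optional[StaticRoute]:
    """Return the route a packet to `dest` would take, or None if nothing matches."""
    addr = ipaddress.IPv4Address(dest)
    candidates = [r for r in routes if addr in r.network]
    if not candidates:
        return None
    # longest prefix wins; among equal prefixes the lowest metric wins
    return max(candidates, key=lambda r: (r.network.prefixlen, -r.metric))


# the two lines from the question
ROUTES = [
    parse_route("ip route 0.0.0.0 0.0.0.0 192.168.229.1"),
    parse_route("route inside 10.242.26.0 255.255.255.0 192.168.116.1 1"),
]


def describe(dest: str) -> str:
    """One-line explanation of where traffic to `dest` is sent."""
    r = lookup(dest, ROUTES)
    if r is None:
        return f"{dest}: no route"
    via = f" out {r.interface}" if r.interface else ""
    return f"{dest}: via {r.gateway}{via} (matched {r.network}, metric {r.metric})"


if __name__ == "__main__":
    # constructed destinations: one inside 10.242.26.0/24, one just outside it, one on the internet
    for d in ("10.242.26.77", "10.242.27.1", "8.8.8.8"):
        print(describe(d))
```

The point the lookup makes is that the two lines do not compete: 10.242.26.x matches the /24 and goes to 192.168.116.1 behind the inside interface, while everything else (including 10.242.27.x) falls through to the /0 default and leaves via 192.168.229.1.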


Is it the tunnel that is not coming up, or is the tunnel coming up and you cannot get any packets to pass?

Have you tried debugging on the Pix 515E, i.e.

debug crypto isakmp

debug crypto ipsec

and then try connecting from the remote end.

Jon

Can I issue these debug statements safely on this 515E? The reason I ask is that this PIX is the door to more than 700 users currently connecting to services behind the L3 switch.

Will this degrade the performance of the PIX and perhaps cause it to freeze up?

Angel,

Here's a PIX-to-PIX VPN tunnel example. Change the variables according to your setup.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00805a87f7.shtml

Let us know if you continue to experience problems. If you can post a sanitized copy of both PIX configuration it would help us identify the issue quickly.

HTH

Sundar

Downloading and printing the document right now.

Both configs are very long, and sanitizing them will take even longer.

I will try however.

I wouldn't run the debugging in production hours if you can help it. All debugging puts an extra load on the CPU.

If you do a

"sh crypto isa sa" on the pix 515E do you see the remote peer address and what is the state.

If you see the remote peer address and state is QM_IDLE can you run

"sh run crypto ipsec sa" and see if you can find the entry for the VPN.

Jon

"sh crypto isa sa" displays this:

64.21.75.165 63.123.69.140 QM_IDLE 0 1

64. is the IP address of the 515E

"sh run crypto ipsec sa" only displays the entire running config, as if I did a "sh run"

sh crypto ipsec sa NOT

sh run crypto ipsec sa

I just did them again and same results. The "sh run crypto ipsec sa" only lists the running config.

So, what does the QM_IDLE mean?

Is this tunnel up and only not passing traffic? Or is the tunnel completely down?

QM_IDLE means IKE Phase 1 has been setup. So basically the peer IP addresses and the secret key agree.

If this is the Pix 515E you are entering the commands on, the command is not

sh run crypto ipsec sa

it is

sh crypto ipsec sa (NOTE: there is no "run" in the command)

Jon

I just issued a "sh crypto isa sa" in the 525 and these are the results:

Active SA: 2

Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)

Total IKE SA: 2

1 IKE Peer: 68.195.218.131

Type : L2L Role : responder

Rekey : no State : MM_ACTIVE

2 IKE Peer: 63.123.69.140

Type : L2L Role : responder

Rekey : no State : MM_ACTIVE

I think it is looking good right?

I see. I knew everything else was right, so it is just something else... but I can't figure out what.

I just did a "sh crypto ipsec sa" and here are the results:

MDS-PIX-01# sh crypto ipsec sa

interface: outside

Crypto map tag: VPNTunnel, local addr. 63.123.69.140

local ident (addr/mask/prot/port): (192.168.30.0/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (10.131.10.0/255.255.255.0/0/0)

current_peer: 64.21.75.165:500

PERMIT, flags={origin_is_acl,}

#pkts encaps: 162, #pkts encrypt: 162, #pkts digest 162

#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0

#send errors 1, #recv errors 0

local crypto endpt.: 63.123.69.140, remote crypto endpt.: 64.21.75.165

path mtu 1500, ipsec overhead 56, media mtu 1500

current outbound spi: 74d8f047

inbound esp sas:

spi: 0x3c2e6154(1009672532)

transform: esp-3des esp-md5-hmac ,

in use settings ={Tunnel, }

slot: 0, conn id: 41, crypto map: VPNTunnel

sa timing: remaining key lifetime (k/sec): (4608000/28546)

IV size: 8 bytes

replay detection support: Y

inbound ah sas:

inbound pcp sas:

outbound esp sas:

spi: 0x74d8f047(1960374343)

transform: esp-3des esp-md5-hmac ,

in use settings ={Tunnel, }

slot: 0, conn id: 42, crypto map: VPNTunnel

sa timing: remaining key lifetime (k/sec): (4607990/28537)

IV size: 8 bytes

replay detection support: Y

outbound ah sas:

outbound pcp sas:

local ident (addr/mask/prot/port): (192.168.106.0/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (192.168.102.0/255.255.255.0/0/0)

Which PIX is this taken from?

It looks like you have established a VPN tunnel and packets are being sent out but no packets are returning.

Jon
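Jon's reading of the dump above (phase 1 in QM_IDLE/MM_ACTIVE, `#pkts encaps` climbing while `#pkts decaps` stays at 0) is the standard way to tell "tunnel up but one-way" from "tunnel down". As an added example (my code, not Cisco's and not from the thread), the script below parses the two show commands discussed in this thread and prints that verdict per crypto-map entry. It assumes the output layouts quoted above: PIX 6.x `sh crypto isa sa` rows of `<dst> <src> <state> <conn-id> <slot>`, PIX 7.x `State : <state>` rows, and `sh crypto ipsec sa` blocks whose counters begin `#pkts encaps:` / `#pkts decaps:`. The sample strings are the thread's own dumps, trimmed; the function names and the set of "established" states are my assumptions. The second proxy-identity pair in the dump has no counters because the paste was cut off, and the parser reports that rather than guessing.

```python
"""Flag a PIX VPN tunnel that is up at IKE level but only passing traffic one way.

Added example: my code, not Cisco's and not from the thread. It assumes the
output layouts quoted in the thread (PIX 6.x 'show crypto isakmp sa' rows of
'<dst> <src> <state> <conn-id> <slot>', PIX 7.x 'State : <state>' rows, and
'show crypto ipsec sa' blocks whose counters start '#pkts encaps:'/'#pkts decaps:').
"""
import re
from dataclasses import dataclass
from typing import List, Optional

PHASE1_UP = {"QM_IDLE", "MM_ACTIVE"}   # IKE SA established (PIX 6.x / 7.x names), assumed set

# samples: the thread's own dumps, trimmed
SAMPLE_ISAKMP_6X = "64.21.75.165 63.123.69.140 QM_IDLE 0 1\n"
SAMPLE_ISAKMP_7X = "1 IKE Peer: 63.123.69.140\nType : L2L Role : responder\nRekey : no State : MM_ACTIVE\n"
SAMPLE_IPSEC = """\
interface: outside
Crypto map tag: VPNTunnel, local addr. 63.123.69.140
local ident (addr/mask/prot/port): (192.168.30.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.131.10.0/255.255.255.0/0/0)
current_peer: 64.21.75.165:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 162, #pkts encrypt: 162, #pkts digest 162
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#send errors 1, #recv errors 0
local ident (addr/mask/prot/port): (192.168.106.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.102.0/255.255.255.0/0/0)
"""

STATE_RE = re.compile(r"\b([A-Z]{2}_[A-Z0-9_]+)\b")   # QM_IDLE, MM_ACTIVE, MM_NO_STATE, ...
IDENT_RE = re.compile(r"^(local|remote) ident .*?: \(([\d.]+)/([\d.]+)/\d+/\d+\)")
PEER_RE = re.compile(r"^current_peer: (\S+)")
ENCAPS_RE = re.compile(r"^#pkts encaps: (\d+)")
DECAPS_RE = re.compile(r"^#pkts decaps: (\d+)")
ERR_RE = re.compile(r"^#send errors (\d+), #recv errors (\d+)")


def phase1_states(text: str) -> List[str]:
    """Every IKE SA state string in the output, whichever layout the PIX uses."""
    return STATE_RE.findall(text)


@dataclass
class SaEntry:
    local_ident: str = ""
    remote_ident: str = ""
    peer: str = ""
    encaps: Optional[int] = None
    decaps: Optional[int] = None
    send_errors: int = 0
    recv_errors: int = 0

    def verdict(self) -> str:
        if self.encaps is None or self.decaps is None:
            return "no SA counters (phase 2 never negotiated, or output truncated)"
        if self.encaps and not self.decaps:
            return "one-way: we encrypt and send, nothing comes back"
        if self.decaps and not self.encaps:
            return "one-way: we receive, but send nothing"
        if not self.encaps and not self.decaps:
            return "idle: no interesting traffic yet"
        return "bidirectional"


def parse_ipsec_sa(text: str) -> List[SaEntry]:
    """Split 'show crypto ipsec sa' output into one SaEntry per local/remote ident pair."""
    entries: List[SaEntry] = []
    cur: Optional[SaEntry] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = IDENT_RE.match(line)
        if m:
            side, net, mask = m.groups()
            if side == "local":                 # a new proxy-identity pair starts here
                cur = SaEntry(local_ident=f"{net}/{mask}")
                entries.append(cur)
            elif cur is not None:
                cur.remote_ident = f"{net}/{mask}"
            continue
        if cur is None:
            continue
        for rx, attr in ((PEER_RE, "peer"), (ENCAPS_RE, "encaps"), (DECAPS_RE, "decaps")):
            m = rx.match(line)
            if m:
                setattr(cur, attr, m.group(1) if attr == "peer" else int(m.group(1)))
        m = ERR_RE.match(line)
        if m:
            cur.send_errors, cur.recv_errors = int(m.group(1)), int(m.group(2))
    return entries


def diagnose(isakmp_text: str, ipsec_text: str) -> List[str]:
    """Findings: phase 1 status first, then one line per phase 2 proxy-identity pair."""
    states = phase1_states(isakmp_text)
    up = [s for s in states if s in PHASE1_UP]
    out = [f"phase 1: {len(up)}/{len(states)} IKE SA(s) established ({', '.join(states) or 'none'})"]
    for e in parse_ipsec_sa(ipsec_text):
        out.append(f"{e.local_ident} -> {e.remote_ident} peer {e.peer or '?'}: "
                   f"encaps={e.encaps} decaps={e.decaps} send_err={e.send_errors}: {e.verdict()}")
    return out


if __name__ == "__main__":
    print("\n".join(diagnose(SAMPLE_ISAKMP_6X, SAMPLE_IPSEC)))
```

Run against the 515E dump it reports phase 1 established and the 192.168.30.0/24 to 10.131.10.0/24 SA as one-way (162 encapsulated, 0 decapsulated), which is exactly the "sent out but nothing returning" condition; the same check on the far end's `sh crypto ipsec sa` shows whether the peer is decapsulating those packets and failing to send replies, or never seeing them at all.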

from the 515E

How do I know which side is the one not returning the traffic?

Which side is initiating the connection? If this is the Pix 515E, it looks like it is sending traffic out but not receiving any back.

The 525 is the initiator according to the results of "sh crypto isa sa" command I entered in the 525
