
ipsec vpn failure

roshanverg
Level 1

Hello,

I am trying to set up an IPsec VPN tunnel between my network and a remote site. I am using ISA Server 2006 running on Windows 2003 Server SP2. The other end uses a Cisco VPN.

When I access the website I receive "500 internal server error host server unreachable (10065)".

I have attached the firewall and IPsec logs.

4 Replies

Jennifer Halim
Cisco Employee

Please share the config and logs from the Cisco VPN side. As this is a Cisco forum, we are more familiar with Cisco products than ISA. For ISA-related logs, please post them on the Microsoft forum. If you can share the Cisco side, we can look into it further for you.

Thank you for the reply. When I tested with a Juniper firewall instead of the ISA server it worked well. I will try to get the Cisco logs.

Here is the part of the configuration that I could get:

crypto isakmp key s413st4r! address 123.231.21.114
crypto isakmp peer address 123.231.21.114
crypto ipsec transform-set 3ptrans esp-3des esp-sha-hmac
crypto map 3pmap 210 ipsec-isakmp
 set peer 123.231.21.114
 set transform-set 3ptrans
 match address salestar_test
ip route 10.0.0.240 255.255.255.240 10.40.14.17 name salestar_POSreg_test
ip route 123.231.21.114 255.255.255.255 10.40.14.17 name salestar-tunnel
ip nat pool salestar-test-nat 10.40.210.197 10.40.210.197 netmask 255.255.255.0
ip nat inside source list salestar-test-range pool salestar-test-nat overload
ip access-list extended salestar-test-nat
 permit ip 10.0.0.240 0.0.0.15 host 149.254.251.84
ip access-list extended salestar_test
 permit ip host 149.254.251.84 10.0.0.240 0.0.0.15
interface GigabitEthernet0/1
 description Busines to Business VPN inside DMZ
 ip address 10.x.x.12 255.255.255.240
 ip accounting output-packets
 ip nat outside
 no ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 media-type rj45
 no negotiation auto
 standby 1 ip 10.x.x.14
 standby 1 priority 105
 standby 1 preempt
 standby 1 track GigabitEthernet0/2
!
interface GigabitEthernet0/2
 description Busines to Business VPN Outside DMZ
 ip address 10.x.x.28 255.255.255.240
 ip nat inside
 no ip virtual-reassembly
 ip route-cache flow
 no ip route-cache cef
 duplex full
 speed 100
 media-type rj45
 no negotiation auto
 standby 2 ip 10.40.14.30
 standby 2 priority 105
 standby 2 preempt
 standby 2 track GigabitEthernet0/1
 crypto map 3pmap redundancy hsrp-Gi0/2-2

The config does not look correct.

If you can provide the full topology, as well as the peer IP from each side, the full config, what you are trying to encrypt on both sides, and whether NATing is required, that would help.

Currently, just looking at part of the config, it does not make sense.

Can you also share the output of:

show cry isa sa
show cry ipsec sa
debug cry isa
debug cry ipsec

from the router when trying to establish the session, so we can pinpoint where the issue is.
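
One offline check that can be run on a configuration excerpt like the one posted in this thread before collecting debug output: confirm that every named access list, transform set and NAT pool that is referenced is also defined. This is an added example, not code from any poster or from a Cisco tool; the rule patterns and the function name `undefined_references` are illustrative assumptions, and the sample lines are copied from the excerpt above with the key line left out. Because the posted configuration is partial, a finding can also mean the definition was simply not included in the post.

```python
import re

# Lines copied from the partial configuration posted in the thread.
CONFIG = """\
crypto ipsec transform-set 3ptrans esp-3des esp-sha-hmac
crypto map 3pmap 210 ipsec-isakmp
 set peer 123.231.21.114
 set transform-set 3ptrans
 match address salestar_test
ip nat pool salestar-test-nat 10.40.210.197 10.40.210.197 netmask 255.255.255.0
ip nat inside source list salestar-test-range pool salestar-test-nat overload
ip access-list extended salestar-test-nat
 permit ip 10.0.0.240 0.0.0.15 host 149.254.251.84
ip access-list extended salestar_test
 permit ip host 149.254.251.84 10.0.0.240 0.0.0.15
"""

# (kind, pattern that defines a name, patterns that reference a name).
# Each kind has its own namespace: an ACL and a NAT pool may share a name.
RULES = [
    ("access-list",
     r"^ip access-list (?:extended|standard) (\S+)",
     [r"^\s*match address (\S+)", r"^ip nat inside source list (\S+)"]),
    ("transform-set",
     r"^crypto ipsec transform-set (\S+)",
     [r"^\s*set transform-set (\S+)"]),
    ("nat pool",
     r"^ip nat pool (\S+)",
     [r"^ip nat inside source list \S+ pool (\S+)"]),
]

def undefined_references(config):
    """Return (kind, name, line_no) for names used but never defined."""
    lines = config.splitlines()
    findings = []
    for kind, define, uses in RULES:
        defined = {m.group(1) for l in lines if (m := re.match(define, l))}
        for no, line in enumerate(lines, 1):
            for use in uses:
                m = re.match(use, line)
                if m and m.group(1) not in defined:
                    findings.append((kind, m.group(1), no))
    return sorted(findings, key=lambda f: f[2])

if __name__ == "__main__":
    for kind, name, no in undefined_references(CONFIG):
        print(f"line {no}: {kind} '{name}' is referenced but not defined")
```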