My client's Background:
Main site: PIX-515e running 7.2(1) (was upgraded from ver. 6.x).
Remote sites: All are PIX-501 except for one, which is an ASA-5505 running 7.2(4).
The ASA 5505 was configured for site-to-site IPSec VPN two years ago and was working. However, the VPN has not been used since Fall 2010. I attempted to get the VPN tunnel up and running, but it does not come up. All other sites have VPNs working. An Ecessa Powerlink 100 unit was put in at the main office in March 2011 to load balance three ISP Internet connections; the Ecessa folks say the configuration of the unit is correct. The original ISP connection is still being used but terminates at the Ecessa Powerlink 100 unit, which translates traffic to a private IP address, 172.16.10.158, which is now the IP address of the PIX 515e outside interface. Since the VPN tunnel for the 5505 was not used for many months prior, I am not sure when the problem occurred.
Problem:
The site-to-site IPSec VPN between the remote site (ASA5505) and the main site does not come up - it fails on IKE Phase 2. On the PIX-515e, the debug logs show that the Proxy Host data in the ID Payload, both for local and remote, are the outside interface IP addresses instead of the local and remote inside LAN subnets, which is why there are no matches with the Crypto Map checks, since the mappings are using the LAN subnets.
Since there are three Internet connections at the main site, the 5505 is configured to originate the tunnel and the PIX to "answer only". Originally, the 5505 was configured with "crypto isakmp identity automatic", and I have since tried the "crypto isakmp identity hostname" command to match the PIX configuration, as well as "crypto isakmp identity address". Nothing worked. Both firewalls have been restarted, I reapplied the crypto maps to the outside interface, practically redid all of the commands, and still nothing worked. I enabled and disabled NAT-T on both sides.
Why are the Proxy-ID hosts the outside interface IP addresses and not the respective LAN subnets?
The attached file, "Pix-515 logs - Oswego VPN Failure 3 5-7-2011.txt", shows the "local Proxy Host data in ID Payload" as "204.213.242.158" where it should be "192.168.1.0 255.255.255.0", and the remote Proxy Host data in ID Payload as "208.105.241.34" where it should be "192.168.6.0 255.255.255.0".
Thanks for any assistance!
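For reference, below is a minimal PIX/ASA 7.2 site-to-site configuration pair built from the subnets and peer addresses named in the post. It is an added example for comparison, not the poster's actual configuration; the ACL, crypto map, and transform-set names (VPN-TO-MAIN, VPN-TO-REMOTE, OUTSIDE_MAP, ESP-3DES-SHA), the ISAKMP policy parameters, and the pre-shared key placeholder are assumptions. On these platforms the crypto ACL referenced by "match address" is what supplies the phase 2 proxy IDs (local ID from the ACL source, remote ID from the ACL destination), and the responder matches the received IDs against its own crypto map ACLs, so these two ACLs are the lines to compare against the ID payload in the debug.

```text
! --- Remote site: ASA 5505 (initiator), outside 208.105.241.34, LAN 192.168.6.0/24 ---
! Interesting traffic: remote LAN to main LAN. This ACL is the source of the
! phase 2 proxy IDs the 5505 sends (local = 192.168.6.0/24, remote = 192.168.1.0/24).
access-list VPN-TO-MAIN extended permit ip 192.168.6.0 255.255.255.0 192.168.1.0 255.255.255.0
! NAT exemption so LAN-to-LAN traffic reaches the crypto map with private addresses
nat (inside) 0 access-list VPN-TO-MAIN

crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address VPN-TO-MAIN
crypto map OUTSIDE_MAP 10 set peer 204.213.242.158
crypto map OUTSIDE_MAP 10 set transform-set ESP-3DES-SHA
crypto map OUTSIDE_MAP 10 set connection-type originate-only
crypto map OUTSIDE_MAP interface outside
! For an l2l tunnel the tunnel-group name is the peer's IKE identity (its address here)
tunnel-group 204.213.242.158 type ipsec-l2l
tunnel-group 204.213.242.158 ipsec-attributes
 pre-shared-key <shared-secret>

! --- Main site: PIX 515E (responder), outside 172.16.10.158 behind the Ecessa
! --- NAT, reachable from the Internet as 204.213.242.158, LAN 192.168.1.0/24 ---
! Mirror image of the remote ACL: this is what the received proxy IDs must match.
access-list VPN-TO-REMOTE extended permit ip 192.168.1.0 255.255.255.0 192.168.6.0 255.255.255.0
nat (inside) 0 access-list VPN-TO-REMOTE

crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map OUTSIDE_MAP 20 match address VPN-TO-REMOTE
crypto map OUTSIDE_MAP 20 set peer 208.105.241.34
crypto map OUTSIDE_MAP 20 set transform-set ESP-3DES-SHA
crypto map OUTSIDE_MAP 20 set connection-type answer-only
crypto map OUTSIDE_MAP interface outside
tunnel-group 208.105.241.34 type ipsec-l2l
tunnel-group 208.105.241.34 ipsec-attributes
 pre-shared-key <shared-secret>
```

Lines beginning with "!" are comments for the reader only. To use this as a checklist, run "show running-config crypto map" and "show running-config access-list" on both units and compare the ACL referenced by each "match address" with the local and remote Proxy Host values in the PIX debug: a phase 2 proposal carrying the two outside interface addresses as host IDs means the initiator built its proxies from something other than a LAN-to-LAN crypto ACL like VPN-TO-MAIN above, so the 5505's crypto ACL and its NAT exemption for 192.168.6.0/24 to 192.168.1.0/24 are the first things to verify.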