interpretation of pix vpn debug output

cfajardo1_2
Level 1

I am pasting the below debug on my PIX... I couldn't establish a VPN connecting PIX to PIX.

-------------------------------

return status is IKMP_NO_ERROR

crypto_isakmp_process_block:src:82.xxx, dest:193.yyy spt:4500 dpt:4500

ISAKMP (0): processing NOTIFY payload 24576 protocol 1

spi 0, message ID = 945881250

ISAKMP (0): processing responder lifetime

ISAKMP (0): phase 1 responder lifetime of 1000s

return status is IKMP_NO_ERR_NO_TRANS

ISAKMP (0): sending INITIAL_CONTACT notify

ISAKMP (0): sending NOTIFY message 24578 protocol 1

VPN Peer: ISAKMP: Added new peer: ip:82.xxx/4500 Total VPN Peers:1

VPN Peer: ISAKMP: Peer ip:82.xxx/4500 Ref cnt incremented to:1 Total VPN Peers:1

crypto_isakmp_process_block:src:82.xxx, dest:193.yyy spt:4500 dpt:4500

ISAKMP: sa not found for ike msg

crypto_isakmp_process_block:src:82.xxx, dest:193.yyy spt:4500 dpt:4500

ISAKMP (0): processing NOTIFY payload 14 protocol 3

spi 1424868684, message ID = 1040206926

ISAKMP (0): deleting spi 1288039764 message ID = 996742519

return status is IKMP_NO_ERR_NO_TRANS

Thanks for the help.

2 Replies

ahmed.badawy
Level 1

Would you send me all crypto and isakmp commands on both PIXs?

I have the same problem. I have a VPN PIX-506e/6.3(5) and PIX-501/6.3(5) LAN-to-LAN tunnel up but cannot pass traffic. I continuously receive the message ISADB: reaper checking SA 0xa2f324, conn_id = 0. It's on both PIXes, and return status is IKMP_NO_ERR_NO_TRANS.

the output command sh crypto ipsec sa , when send a

PIX 501

interface: outside

Crypto map tag: vpnmanta, local addr. 192.168.45.4

local ident (addr/mask/prot/port): (10.4.16.0/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (10.4.0.0/255.255.255.0/0/0)

current_peer: 192.168.45.2:500

PERMIT, flags={origin_is_acl,}

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0

#pkts decaps: 4, #pkts decrypt: 4, #pkts verify 4

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0

#send errors 0, #recv errors 0

local crypto endpt.: 192.168.45.4, remote crypto endpt.: 192.168.45.2

path mtu 1500, ipsec overhead 56, media mtu 1500

current outbound spi: 74dd1ea

inbound esp sas:

spi: 0xa0138c28(2685635624)

transform: esp-3des esp-md5-hmac ,

in use settings ={Tunnel, }

slot: 0, conn id: 4, crypto map: vpnmanta

IV size: 8 bytes

replay detection support: Y

outbound esp sas:

spi: 0x74dd1ea(122540522)

transform: esp-3des esp-md5-hmac ,

in use settings ={Tunnel, }

slot: 0, conn id: 3, crypto map: vpnmanta

sa timing: remaining key lifetime (k/sec): (4608000/28223)

IV size: 8 bytes

replay detection support: Y

outbound ah sas:

outbound pcp sas:

PIX 506E:

interface: outside

Crypto map tag: vpnmatriz, local addr. 192.168.45.2

local ident (addr/mask/prot/port): (10.4.0.0/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (10.4.16.0/255.255.255.0/0/0)

current_peer: 192.168.45.4:500

PERMIT, flags={origin_is_acl,}

#pkts encaps: 4, #pkts encrypt: 4, #pkts digest 4

#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0

#send errors 1, #recv errors 0

local crypto endpt.: 192.168.45.2, remote crypto endpt.: 192.168.45.4

path mtu 1500, ipsec overhead 56, media mtu 1500

current outbound spi: a0138c28

inbound esp sas:

spi: 0x74dd1ea(122540522)

transform: esp-3des esp-md5-hmac ,

in use settings ={Tunnel, }

slot: 0, conn id: 5, crypto map: vpnmatriz

sa timing: remaining key lifetime (k/sec): (4608000/28003)

IV size: 8 bytes

replay detection support: Y

outbound esp sas:

spi: 0xa0138c28(2685635624)

transform: esp-3des esp-md5-hmac ,

in use settings ={Tunnel, }

slot: 0, conn id: 6, crypto map: vpnmatriz

sa timing: remaining key lifetime (k/sec): (4607999/28003)

IV size: 8 bytes

replay detection support: Y
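
Added example, not part of either post and not Cisco code: a small Python check that parses the two `sh crypto ipsec sa` outputs above (abridged inline) and reports whether the proxy identities and ESP SPIs mirror each other and whether packets are encapsulated in both directions. The function names, peer labels and finding strings are assumptions made for this illustration.

```python
import re

# Abridged from the two "sh crypto ipsec sa" outputs posted above.
PIX_501 = """\
local ident (addr/mask/prot/port): (10.4.16.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.4.0.0/255.255.255.0/0/0)
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify 4
#send errors 0, #recv errors 0
inbound esp sas:
spi: 0xa0138c28(2685635624)
outbound esp sas:
spi: 0x74dd1ea(122540522)
"""
PIX_506E = """\
local ident (addr/mask/prot/port): (10.4.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.4.16.0/255.255.255.0/0/0)
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest 4
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#send errors 1, #recv errors 0
inbound esp sas:
spi: 0x74dd1ea(122540522)
outbound esp sas:
spi: 0xa0138c28(2685635624)
"""

def parse_sa(text):
    """Extract counters, proxy identities and ESP SPIs from one peer's output."""
    sa = {k: int(re.search(rf"#{k}:? (\d+)", text).group(1))
          for k in ("pkts encaps", "pkts decaps", "send errors", "recv errors")}
    for side in ("local", "remote"):
        sa[side] = re.search(rf"{side} ident \S+: \(([\d.]+/[\d.]+)", text).group(1)
    for way in ("inbound", "outbound"):
        sa[way] = int(re.search(rf"{way} esp sas:\s*spi: 0x([0-9a-f]+)", text).group(1), 16)
    return sa

def compare(a, b, names=("A", "B")):
    """Return findings for two peers whose SAs should mirror each other."""
    out = []
    if (a["local"], a["remote"]) != (b["remote"], b["local"]):
        out.append("proxy identities are not mirrored")
    if (a["inbound"], a["outbound"]) != (b["outbound"], b["inbound"]):
        out.append("ESP SPIs do not pair up")
    for n, x, y in ((names[0], a, b), (names[1], b, a)):
        if x["pkts encaps"] == 0 and y["pkts encaps"] > 0:
            out.append(f"{n} encapsulates nothing while its peer does (one-way traffic)")
        if x["send errors"]:
            out.append(f"{n} reports {x['send errors']} send error(s)")
    return out
```

Calling `compare(parse_sa(PIX_501), parse_sa(PIX_506E), ("PIX 501", "PIX 506E"))` on the posted values returns two findings: the PIX 501 encapsulates nothing while its peer does, and the PIX 506E reports 1 send error.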