08-17-2007 06:23 AM - edited 02-21-2020 03:13 PM
Hi all
I am having a problem bringing up the VPN link between a PIX firewall and a 3825 router. It was working fine, but all of a sudden it stopped. The debug output from the 3825 is attached for reference. Any workarounds?
Sheeraz
08-18-2007 06:41 PM
Please post your configs.
08-19-2007 11:58 AM
The error is at phase 1 itself.
Are you sure you have the same properties at both ends in terms of ISAKMP policies: encryption, hash, authentication and group?
Narayan
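To make the phase 1 check above concrete, here is an added example (not code from the thread or from Cisco) that parses the ISAKMP policies out of an IOS config and a PIX 6.x config, fills in the platform defaults (des, sha, rsa-sig, group 1, 86400 s), and then applies the documented IKEv1 matching rule: the initiator offers its policies in priority order and the responder accepts the first of its own policies (lowest number first) whose encryption, hash, authentication and DH group equal an offered policy and whose lifetime is less than or equal to the offered one, the shorter lifetime being used. The sample configs are constructed, with a placeholder key and example addresses, and the `parse_isakmp_policies`, `negotiate` and `mismatch_report` names are this example's own.

```python
"""Check whether two Cisco peers have a matching IKEv1 phase 1 (ISAKMP) policy.

Added illustration for this thread; not code from the original posts or from
Cisco. Parses IOS 'crypto isakmp policy' blocks and PIX 6.x one-line
'isakmp policy N <attr> <value>' commands, then simulates proposal selection.
"""
import re

# Defaults a policy takes when an attribute is not configured (IOS and PIX 6.x).
DEFAULTS = {"encryption": "des", "hash": "sha",
            "authentication": "rsa-sig", "group": "1", "lifetime": "86400"}
MATCH_KEYS = ("encryption", "hash", "authentication", "group")
ALIASES = {"encr": "encryption", "auth": "authentication"}  # IOS abbreviations


def parse_isakmp_policies(config_text):
    """Return {priority: {attribute: value}} from IOS or PIX 6.x config text."""
    policies = {}
    current = None  # priority of the IOS block being filled, if any
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:  # IOS: block header, attributes follow on indented lines
            current = int(m.group(1))
            policies.setdefault(current, dict(DEFAULTS))
            continue
        m = re.match(r"isakmp policy (\d+) (\S+) (\S+)$", line)
        if m:  # PIX 6.x: one attribute per line
            pol = policies.setdefault(int(m.group(1)), dict(DEFAULTS))
            pol[ALIASES.get(m.group(2), m.group(2))] = m.group(3)
            current = None
            continue
        if current is not None and raw.startswith(" "):
            parts = line.split()
            if len(parts) == 2:
                policies[current][ALIASES.get(parts[0], parts[0])] = parts[1]
            continue
        current = None  # any other top-level command closes the IOS block
    return policies


def negotiate(initiator, responder):
    """Return (initiator_priority, responder_priority, lifetime) or None.

    The responder walks its own policies in priority order and accepts the
    first offered policy with equal attributes and a lifetime >= its own.
    """
    for r_prio in sorted(responder):
        r = responder[r_prio]
        for i_prio in sorted(initiator):
            i = initiator[i_prio]
            if (all(i[k] == r[k] for k in MATCH_KEYS)
                    and int(r["lifetime"]) <= int(i["lifetime"])):
                return (i_prio, r_prio, int(r["lifetime"]))
    return None


def mismatch_report(initiator, responder):
    """List, per policy pair, the attributes that prevent a match."""
    report = []
    for i_prio, i in sorted(initiator.items()):
        for r_prio, r in sorted(responder.items()):
            diffs = [f"{k} {i[k]}!={r[k]}" for k in MATCH_KEYS if i[k] != r[k]]
            if int(r["lifetime"]) > int(i["lifetime"]):
                diffs.append(f"lifetime {i['lifetime']}<{r['lifetime']}")
            report.append(f"initiator {i_prio} vs responder {r_prio}: "
                          + (", ".join(diffs) or "match"))
    return report


# Constructed sample configs (not the thread's attachments; placeholder key).
ROUTER_CONFIG = """\
crypto isakmp policy 10
 encr 3des
 hash sha
 authentication pre-share
 group 2
crypto isakmp key PLACEHOLDER_KEY address 192.0.2.1
"""

PIX_CONFIG_BROKEN = """\
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
"""

PIX_CONFIG_FIXED = PIX_CONFIG_BROKEN.replace("hash md5", "hash sha")

if __name__ == "__main__":
    router = parse_isakmp_policies(ROUTER_CONFIG)
    for name, cfg in (("broken", PIX_CONFIG_BROKEN), ("fixed", PIX_CONFIG_FIXED)):
        pix = parse_isakmp_policies(cfg)
        print(name, negotiate(router, pix))
        for entry in mismatch_report(router, pix):
            print("  ", entry)
```

Run against the two sample PIX configs, the first reports `hash sha!=md5` and no agreed policy, the second agrees on policy 10 at both ends; the lifetime rule is why a peer with a shorter configured lifetime can initiate successfully while the same pair fails in the other direction.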
08-19-2007 03:51 PM
Again, please post your configs.
08-19-2007 08:53 PM
08-19-2007 10:24 PM
Hi Sheeraz,
On router can you replace,
crypto isakmp key 6 cisco123 address 203.82.55.106 255.255.255.252
with
crypto isakmp key cisco123 address 203.82.55.106 255.255.255.252
and check.
Also, if you can, remove the netmask on both devices in the crypto isakmp key CLI if you are establishing the tunnel just between these two devices.
The CLI will look as below without the mask:
On the router:
crypto isakmp key cisco123 address 203.82.55.106
On the PIX:
isakmp key cisco123 address 203.130.2.164
HTH,
Radhika
08-20-2007 05:39 AM
Thank you Radhika for the advice... I did what you suggested but it didn't work... Any more ideas?
Sheeraz
08-20-2007 09:39 AM
Have you deleted access-list 104 on the router by any chance? Or did you just not include it in the attachment?
Thanks,
Radhika
08-21-2007 05:17 AM
Sorry for that... ACL 104 is not in the attachment. The following is ACL 104.
access-list 104 permit ip 10.0.0.0 0.0.255.255 190.190.0.0 0.0.255.255
access-list 104 permit ip 172.16.0.0 0.0.255.255 190.190.0.0 0.0.255.255
access-list 104 permit ip 10.3.1.224 0.0.0.31 190.190.0.0 0.0.255.255
access-list 104 permit ip 10.0.0.0 0.0.255.255 172.16.21.0 0.0.0.255
access-list 104 permit ip 10.3.1.224 0.0.0.31 172.16.21.0 0.0.0.255
access-list 104 permit ip 172.16.0.0 0.0.255.255 172.16.21.0 0.0.0.255
Hope this works.
Sheeraz
08-21-2007 09:10 AM
From the attached config files:
1. The crypto access list on the PIX (101) seems to contain different ACEs from the one on the router (104).
Otherwise all the VPN CLI seems to be OK.
Can you check that NAT is not done for the traffic on both devices?
2.
ip route 190.190.0.0 255.255.0.0 203.82.55.106
Here I do not see any interface with an IP on the subnet of 203.82.55.106.
If 190.190.0.0 is the inside network of the PIX, then doesn't the next-hop IP in this route need to be 203.130.2.161 instead of 203.82.55.106?
Thanks,
Radhika
08-21-2007 09:15 AM
Also, if possible, can you disable IPsec on both devices and check if you are able to ping the peer IP address and the inside network of the remote device from the router (both the outside interface and the inside interface)?
Thanks,
Radhika