01-21-2011 01:25 AM
Hi Team,
I have configured one L2L VPN and an easy VPN in my PIX firewall with version 7.2(1). Both tunnels are up and my L2L VPN traffic is passing through, but my easy VPN traffic is not passing. The traffic is getting encrypted from the client side and decrypted at the PIX server side, but not encrypted from the PIX server side. Whenever I remove the L2L VPN, the easy VPN works fine. Please respond if anybody has had the same experience.
Thanks
Abison
01-22-2011 06:00 PM
Hi,
What mode is the EzVPN client connecting using, that is, client or network extension? Is there a conflicting subnet between the L2L vpn and the EzVPN remote networks?
Please post the output of "show cry ips sa" when both the L2L and EzVPN are connected.
Cheers,
Prapanch
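The subnet-conflict question above is the usual starting point for this symptom: if a static L2L crypto ACL also covers the EzVPN peer's addresses, replies from inside hosts match the L2L crypto map before the dynamic EzVPN entry and never reach the client. The following is an added Python example, not part of this thread or the poster's configuration; all networks and hosts in it are constructed samples, and it assumes static L2L entries are evaluated before the dynamic EzVPN entry, which is how they are normally ordered.

```python
import ipaddress

# Constructed sample values for illustration only (not the poster's config).
# L2L crypto ACL "permit" lines as (local network, remote network) pairs.
L2L_CRYPTO_ACL = [
    ("10.0.0.0/8", "192.168.50.0/24"),   # clean L2L entry
    ("10.0.0.0/8", "172.30.0.0/16"),     # broad entry that also covers the EzVPN side
]
# Networks on the far side of the EzVPN tunnel (client pool or network-extension LAN).
EZVPN_NETWORKS = ["172.30.30.0/24"]


def net(s):
    return ipaddress.ip_network(s, strict=False)


def find_shadowed(l2l_acl, ezvpn_networks):
    """Return [(l2l_entry, ezvpn_net)] for every L2L remote network that
    overlaps an EzVPN network. Replies from inside to that EzVPN peer would
    be matched by the static L2L entry instead of the dynamic EzVPN entry."""
    hits = []
    for local, remote in l2l_acl:
        for ez in ezvpn_networks:
            if net(remote).overlaps(net(ez)):
                hits.append(((local, remote), ez))
    return hits


def classify_reply(src_host, dst_host, l2l_acl, ezvpn_networks):
    """Name the tunnel a reply from an inside host to dst_host is matched to:
    static L2L entries first, then the dynamic EzVPN entry, else cleartext."""
    src, dst = ipaddress.ip_address(src_host), ipaddress.ip_address(dst_host)
    for local, remote in l2l_acl:
        if src in net(local) and dst in net(remote):
            return f"L2L {local} -> {remote}"
    for ez in ezvpn_networks:
        if dst in net(ez):
            return f"EzVPN {ez}"
    return "cleartext"


if __name__ == "__main__":
    for entry, ez in find_shadowed(L2L_CRYPTO_ACL, EZVPN_NETWORKS):
        print(f"L2L entry {entry} shadows EzVPN network {ez}")
    # Sample inside server replying to a sample EzVPN client address.
    print(classify_reply("10.10.0.203", "172.30.30.1", L2L_CRYPTO_ACL, EZVPN_NETWORKS))
```

Dropping the broad entry from L2L_CRYPTO_ACL makes the same reply classify as EzVPN, which mirrors the thread's observation that EzVPN works once the L2L configuration is removed.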
01-22-2011 09:29 PM
01-22-2011 10:36 PM
What is the IP 10.10.0.203 that we are trying to ping? Are you able to ping the PIX's interface itself (remember you need the "management-access" command applied for the interface you are trying to ping, and that interface should be in the 10.0.0.0/8 subnet)?
Cheers,
Prapanch
01-22-2011 10:41 PM
The IP 10.10.0.203 is one of the servers connected to the inside of the PIX. We can ping this server if the L2L VPN is removed. Should I configure management-access in this case? The PIX inside interface IP is 10.6.6.254.
Thanks
Abison
01-22-2011 11:09 PM
Hi,
Please enable "management-access inside" on the PIX and let me know if you are able to ping the ip 10.6.6.254.
Cheers,
Prapanch
01-22-2011 11:14 PM
Hi,
I have enabled management-access on the PIX, but I still can't ping.
PIX525(config)# sh run management-access
management-access inside
PhaseII-ADSL#ping 10.6.6.254 source 172.30.30.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.6.6.254, timeout is 2 seconds:
Packet sent with a source address of 172.30.30.1
.....
Success rate is 0 percent (0/5)
Thanks
Abison
01-23-2011 07:35 AM
Hi Abison,
Do you see any syslogs on the PIX? Please enable syslogs at debugging level and see if anything pops up.
Cheers,
Prapanch
01-23-2011 10:27 PM
Hi,
Do you mean I have to run a syslog server inside and collect the debugging output, or just enable syslog and debug?
Thanks
Abison
01-23-2011 10:42 PM
Hey,
You can either set up a syslog server or enable buffered logging at "debugging" level. A syslog server would be ideal, as the buffer can wrap around pretty fast if the volume of traffic through the PIX is high.
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/monitor.html
Cheers,
Prapanch
01-23-2011 11:00 PM
Hi,
I have enabled syslog at debugging level and still I am not getting any hits on this traffic. You can see other traffic to this same server in the output below:
%PIX-4-106023: Deny udp src DMZ2:db/2272 dst inside:10.10.0.203/53 by access-group "DMZ2_access_in" [0x0, 0x0]
PIX525# show logging | inc 10.10.0.203
PIX525# show logging | inc 10.10.0.203
PIX525# sh run logg
PIX525# sh run logging
logging enable
logging standby
logging monitor debugging
logging buffered debugging
logging message 111009 level errors
PIX525# show logging | inc 10.10.0.203
PIX525# show logging | inc 172.30.30.1
Thanks
Abison
01-23-2011 11:41 PM
Hi,
The behavior you have mentioned certainly suggests a conflict to me, but I cannot spot anything. I would suggest you open a TAC case to get this investigated, as access to the devices would help in gathering all the information needed.
Cheers,
Prapanch