L2L VPN and Easy VPN are not working together

abison.varghese (Level 1)

Hi Team,

I have configured one L2L VPN and an Easy VPN on my PIX firewall, version 7.2(1). Both tunnels are up and my L2L VPN traffic is passing through, but my Easy VPN traffic is not passing. The traffic is getting encrypted on the client side and decrypted on the PIX server side, but it is not being encrypted from the PIX server side. Whenever I remove the L2L VPN, the Easy VPN works fine. Please respond if anybody has had the same experience.

Thanks

Abison

11 Replies

praprama (Cisco Employee)

Hi,

What mode is the EzVPN client connecting in, that is, client or network extension? Is there a conflicting subnet between the L2L VPN and the EzVPN remote networks?

Please post the output of "show cry ips sa" when both the L2L and EzVPN are connected.

Cheers,

Prapanch

Hi Prapanch,

The mode is network-extension, and even in client mode I couldn't establish the tunnel. I have uploaded the requested output here, as I couldn't see any conflict in the subnets. Please let me know if you need more information.

Thanks

Abison

What is the IP 10.10.0.203 that we are trying to ping? Are you able to ping the PIX's interface itself (remember you need the "management-access" command applied to the interface you are trying to ping, and that interface should be in the 10.0.0.0/8 subnet)?

Cheers,

Prapanch

The IP 10.10.0.203 is one of the servers connected to the inside of the PIX. We could ping this server if the L2L VPN is removed. Should I configure management-access in this case? The PIX inside interface IP is 10.6.6.254.

Thanks

Abison

Hi,

Please enable "management-access inside" on the PIX and let me know if you are able to ping the IP 10.6.6.254.

Cheers,

Prapanch

Hi,

I have enabled management-access on the PIX, but I still can't ping.

PIX525(config)# sh run management-access
management-access inside

PhaseII-ADSL#ping 10.6.6.254 source 172.30.30.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.6.6.254, timeout is 2 seconds:
Packet sent with a source address of 172.30.30.1
.....
Success rate is 0 percent (0/5)

Thanks

Abison

Hi Abison,

Do you see any syslogs on the PIX? Please enable syslogs at debugging level and see if anything pops up.

Cheers,

Prapanch

Hi,

Do you mean I have to run a syslog server inside and collect the debugging output, or just enable syslog and debug?

Thanks

Abison

Hey,

You can either set up a syslog server or enable buffered logging at "debugging" level. A syslog server would be ideal, as the buffer can wrap around pretty fast if the volume of traffic through the PIX is high.

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/monitor.html

Cheers,

Prapanch

Hi,

I have enabled syslog at debugging level and still I am not getting any hits on this traffic. You can see other traffic to this same server in the output below.

%PIX-4-106023: Deny udp src DMZ2:db/2272 dst inside:10.10.0.203/53 by access-group "DMZ2_access_in" [0x0, 0x0]
PIX525# show logging | inc 10.10.0.203
PIX525# show logging | inc 10.10.0.203
PIX525# sh run logg
PIX525# sh run logging
logging enable
logging standby
logging monitor debugging
logging buffered debugging
logging message 111009 level errors
PIX525# show logging | inc 10.10.0.203
PIX525# show logging | inc 172.30.30.1

Thanks

Abison
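The troubleshooting step above boils down to grepping the PIX buffer for a host with "show logging | inc". As an added example (not part of this thread or Cisco's tooling), the script below does the same thing offline over exported syslog text, but parses the message header and the 106023 ACL-deny body into fields so that a host can be matched as a whole token and denies can be counted per access-group. The first sample line is the one posted above; the remaining lines are constructed for the example, and the 106023/302013 message layouts are assumed from the standard PIX/ASA syslog formats.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional

# Header shared by every PIX/ASA syslog message: %PIX-<severity>-<message id>: <body>
HEADER_RE = re.compile(r"^%(?P<product>PIX|ASA)-(?P<severity>\d)-(?P<msgid>\d{6}):\s*(?P<body>.*)$")

# Body of message 106023 (packet denied by an ACL). The /port suffix is absent for ICMP,
# and anything between the dst host and "by access-group" (e.g. ICMP type/code) is skipped.
DENY_RE = re.compile(
    r"^Deny (?P<proto>\w+) "
    r"src (?P<src_if>[^:\s]+):(?P<src_host>[^/\s]+)(?:/(?P<src_port>\d+))? "
    r"dst (?P<dst_if>[^:\s]+):(?P<dst_host>[^/\s]+)(?:/(?P<dst_port>\d+))?"
    r".*?by access-group \"(?P<acl>[^\"]+)\""
)

# Constructed sample buffer. Line 1 is the deny line from the thread; the others are made up
# for this example (RFC 5737 documentation addresses) and include one CLI echo that is not a message.
SAMPLE_LOG = [
    '%PIX-4-106023: Deny udp src DMZ2:db/2272 dst inside:10.10.0.203/53 by access-group "DMZ2_access_in" [0x0, 0x0]',
    '%PIX-4-106023: Deny tcp src outside:203.0.113.7/41022 dst inside:10.10.0.203/445 by access-group "outside_access_in" [0x0, 0x0]',
    '%PIX-6-302013: Built inbound TCP connection 4711 for outside:172.30.30.1/33101 (172.30.30.1/33101) to inside:10.6.6.254/22 (10.6.6.254/22)',
    'PIX525# show logging | inc 10.10.0.203',
]


@dataclass
class SyslogRecord:
    product: str
    severity: int
    msgid: str
    body: str
    fields: Dict[str, Optional[str]] = field(default_factory=dict)


def parse_line(line: str) -> Optional[SyslogRecord]:
    """Parse one line; returns None for anything that is not a PIX/ASA syslog message."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = SyslogRecord(m["product"], int(m["severity"]), m["msgid"], m["body"])
    if rec.msgid == "106023":
        d = DENY_RE.match(rec.body)
        if d:
            rec.fields = d.groupdict()
    return rec


def _host_pattern(host: str) -> "re.Pattern[str]":
    # Match the host as a whole token, so 10.10.0.2 does not match 10.10.0.203
    # and 10.10.0.203 does not match 110.10.0.203 (a plain "| inc" would).
    return re.compile(r"(?<![\w.])" + re.escape(host) + r"(?![\w.])")


def filter_by_host(lines: Iterable[str], host: str) -> List[SyslogRecord]:
    """Offline equivalent of `show logging | include <host>`, restricted to parsed messages."""
    pat = _host_pattern(host)
    return [rec for rec in map(parse_line, lines) if rec is not None and pat.search(rec.body)]


def count_denies_by_acl(records: Iterable[SyslogRecord]) -> Dict[str, int]:
    """Count 106023 denies per access-group, which shows which ACL is dropping a host's traffic."""
    counts: Dict[str, int] = {}
    for rec in records:
        acl = rec.fields.get("acl") if rec.msgid == "106023" else None
        if acl:
            counts[acl] = counts.get(acl, 0) + 1
    return counts


if __name__ == "__main__":
    hits = filter_by_host(SAMPLE_LOG, "10.10.0.203")
    for rec in hits:
        print(rec.msgid, rec.fields.get("proto"), rec.fields.get("src_host"), "->",
              rec.fields.get("dst_host"), rec.fields.get("dst_port"), rec.fields.get("acl"))
    print(count_denies_by_acl(hits))
```

Run against a real buffer, the absence of any 106023 hit for the Easy VPN source (as in the thread) is itself informative: if the packets were reaching the inside ACL and being dropped, they would show up here, so an empty result points at the crypto map or routing stage rather than at an access-group.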

Hi,

The behavior you have mentioned certainly suggests a conflict to me, but I cannot spot anything. I would suggest you open a TAC case to get this investigated, as access to the devices would help in gathering all the information needed.

Cheers,

Prapanch