03-16-2009 12:39 PM
PIX 515E
Version 6.3(5)
I am having a problem when adding a new tunnel to an existing PIX that is already terminating several existing tunnels. The existing tunnels are not having any problems. However, the new tunnel will not initiate Phase 1. When running "debug crypto isakmp" I do not see anything for this new tunnel. However, the NONAT and interesting traffic ACLs are incrementing. "Debug packet outside dst <remote peer ip>" does not return any packets. It's as if it passes the interesting traffic ACL and the packets go nowhere. Has anyone experienced an issue like this?
03-16-2009 03:29 PM
Larry,
If you 'debug crypto ipsec' do you get an error like: IPSEC(sa_initiate): ACL = deny; no sa created? If so, I know that removing the crypto map from the interface and reapplying will fix this - in addition to taking down all tunnels. I don't know if it's a bug or ??? I've seen it myself and the above or reloading the PIX would correct it.
Phil
03-17-2009 07:30 AM
Phil,
Yes, I do get the ACL=deny error when debugging crypto IPsec. Interesting that the ACL hitcnt is still incrementing though, as if it is passing through. The last new tunnel we added a couple of weeks ago had the same issue and we rebooted to rectify that, hoping it wouldn't be a problem, but now I fear that every time we add a new tunnel this may happen, and rebooting or removing the crypto map from the interface is not a viable workaround each time because it does cause all other tunnels to come down. Did you continue to have the problem with new tunnels after the reboot, or did everything work fine after that?
03-18-2009 05:23 AM
Larry,
Yes, the problem continues on various customer PIX - my company manages several hundred. I've never gotten a good answer from TAC as to why. It could be a config issue, but I cannot see it. Maybe others in NetPro can help.
Phil
03-18-2009 08:45 AM
Didn't see a previous response. Taking this one away as it doesn't apply.
03-18-2009 07:50 PM
Larry,
Can you confirm if the hitcnts on the NAT0 ACLs are increasing? I have never seen that. Phase 1 parameters are OK with the remote end?
-k
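Two configuration checks worth running before resorting to the remove-and-reapply workaround, as an added example from the editor; this is not code from the thread or from Cisco. It rests on an assumption the thread does not establish: that a new crypto map entry whose flows are already covered by a lower sequence number's crypto ACL never gets its own SA (the PIX walks crypto map entries in ascending sequence and uses the first match, so the broad entry's peer claims the traffic), and that a flow the nat 0 ACL does not exempt is the other thing to rule out, which is what -k asks about above. The config, ACL names, map name and peer addresses are constructed, and the parser only understands the "permit ip <net> <mask> <net> <mask>" ACE form used in the sample.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed PIX 6.3 style config (hypothetical names and RFC 5737 addresses).
# Sequence 30 is shadowed by the broad ACL on sequence 20; sequence 40 is not
# exempted from NAT by the nat 0 ACL.
SAMPLE_CONFIG = """
access-list nonat permit ip 10.1.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list vpn_siteA permit ip 10.1.0.0 255.255.0.0 192.168.10.0 255.255.255.0
access-list vpn_siteB permit ip 10.1.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list vpn_siteC permit ip 10.1.0.0 255.255.0.0 192.168.30.0 255.255.255.0
access-list vpn_siteD permit ip 10.1.0.0 255.255.0.0 172.16.40.0 255.255.255.0
nat (inside) 0 access-list nonat
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address vpn_siteA
crypto map outside_map 10 set peer 203.0.113.10
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address vpn_siteB
crypto map outside_map 20 set peer 203.0.113.20
crypto map outside_map 30 ipsec-isakmp
crypto map outside_map 30 match address vpn_siteC
crypto map outside_map 30 set peer 203.0.113.30
crypto map outside_map 40 ipsec-isakmp
crypto map outside_map 40 match address vpn_siteD
crypto map outside_map 40 set peer 203.0.113.40
crypto map outside_map interface outside
"""

# PIX 6.x ACLs use subnet masks (not wildcard masks); ipaddress accepts "net/mask".
ACE_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
CMAP_RE = re.compile(r"^crypto map (\S+) (\d+) (match address|set peer) (\S+)$")
NAT0_RE = re.compile(r"^nat \(\S+\) 0 access-list (\S+)$")


def parse_config(text):
    """Return (acls, cmap, nat0): ACL name -> [(src_net, dst_net)],
    (map name, seq) -> {"acl": ..., "peer": ...}, and the nat 0 ACL names."""
    acls = defaultdict(list)
    cmap = defaultdict(dict)
    nat0 = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ACE_RE.match(line)
        if m:
            name, src, smask, dst, dmask = m.groups()
            acls[name].append((ipaddress.ip_network(f"{src}/{smask}", strict=False),
                               ipaddress.ip_network(f"{dst}/{dmask}", strict=False)))
            continue
        m = CMAP_RE.match(line)
        if m:
            name, seq, kind, value = m.groups()
            cmap[(name, int(seq))]["acl" if kind == "match address" else "peer"] = value
            continue
        m = NAT0_RE.match(line)
        if m:
            nat0.append(m.group(1))
    return dict(acls), dict(cmap), nat0


def shadowed_entries(acls, cmap):
    """Flows of a crypto map entry that a lower sequence number in the same map
    already matches. Returns (seq, peer, earlier_seq, earlier_peer, flow)."""
    findings = []
    entries = sorted(cmap.items())
    for i, ((name, seq), entry) in enumerate(entries):
        for src, dst in acls.get(entry.get("acl"), []):
            for (ename, eseq), earlier in entries[:i]:
                if ename != name:
                    continue
                for esrc, edst in acls.get(earlier.get("acl"), []):
                    if src.subnet_of(esrc) and dst.subnet_of(edst):
                        findings.append((seq, entry.get("peer"), eseq,
                                         earlier.get("peer"), f"{src} -> {dst}"))
    return findings


def flows_missing_nat0(acls, cmap, nat0):
    """Crypto ACL flows not fully covered by any nat 0 ACE (would be NATed
    before encryption). Returns (seq, peer, flow)."""
    exempt = [ace for acl in nat0 for ace in acls.get(acl, [])]
    missing = []
    for (name, seq), entry in sorted(cmap.items()):
        for src, dst in acls.get(entry.get("acl"), []):
            if not any(src.subnet_of(es) and dst.subnet_of(ed) for es, ed in exempt):
                missing.append((seq, entry.get("peer"), f"{src} -> {dst}"))
    return missing


if __name__ == "__main__":
    acls, cmap, nat0 = parse_config(SAMPLE_CONFIG)
    for seq, peer, eseq, epeer, flow in shadowed_entries(acls, cmap):
        print(f"seq {seq} (peer {peer}): {flow} already matched by seq {eseq} (peer {epeer})")
    for seq, peer, flow in flows_missing_nat0(acls, cmap, nat0):
        print(f"seq {seq} (peer {peer}): {flow} is not exempted by the nat 0 ACL")
```

Paste the output of "show running-config" into SAMPLE_CONFIG (or read it from a file) and run the script; a shadowed entry means the new peer's traffic is being handed to an older crypto map entry, which is consistent with the hitcnt incrementing on the crypto ACL while no SA is ever initiated for the new peer.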