peer address not found

jigsaw2026
Level 1

Hi,

Just wondering whether anyone can help me here with a weird VPN problem. Basically office A connects to office B over a VPN. In office A there is a c3640 VPN headend, which connects to a PIX506 at office B. At office A there are 6 private subnets and at office B only 1.

The VPN is working for all subnets other than one I have just added. When I run a debug on the PIX in office B, I get the following error:

pix-1# IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) dest= 1.1.1.1, src= 2.2.2.2,
    dest_proxy= 192.168.0.0/255.255.255.0/0/0 (type=4),
    src_proxy= 192.168.18.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-md5-hmac ,
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
IPSEC(validate_transform_proposal): peer address 2.2.2.2 not found

"1.1.1.1" is the 3640 in office A, "2.2.2.2" is the pix in office B (where the message is generated).

After researching this it seems that there's an issue with my access-lists, in that they're not mirrored. But I can't see anything wrong with them:

3640

access-list 178 permit ip 172.21.0.0 0.0.255.255 192.168.0.0 0.0.0.255
access-list 178 permit ip 172.20.0.0 0.0.255.255 192.168.0.0 0.0.0.255
access-list 178 permit ip 172.22.0.0 0.0.255.255 192.168.0.0 0.0.0.255
access-list 178 permit ip 10.11.0.0 0.0.255.255 192.168.0.0 0.0.0.255
access-list 178 permit ip 10.50.0.0 0.0.255.255 192.168.0.0 0.0.0.255
access-list 178 permit ip 10.51.0.0 0.0.255.255 192.168.0.0 0.0.0.255
access-list 178 permit ip 192.168.18.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 178 permit ip 192.168.11.0 0.0.0.255 192.168.0.0 0.0.0.255

Pix

access-list 103 permit ip 172.22.0.0 255.255.0.0 any
access-list 103 permit ip 172.21.0.0 255.255.0.0 any
access-list 103 permit ip 172.20.0.0 255.255.0.0 any
access-list 103 permit ip 10.11.0.0 255.255.0.0 any
access-list 103 permit ip 10.50.0.0 255.255.0.0 any
access-list 103 permit ip 10.51.0.0 255.255.0.0 any
access-list 103 permit ip 192.168.18.0 255.255.255.0 any

I'm really struggling to see where the problem lies here - does anyone have any ideas?

Thanks,

J

2 Replies

Jon Marshall
Hall of Fame

Hi

Could you post full configs minus any sensitive information.

It could be to do with the order of your lines in your access-list rather than whether a line is missing or not matching. Could you specify what the source and destination IP addresses are when you try your test.

Jon

jigsaw2026
Level 1

Apologies, the PIX access-list should have been:

access-list 102 permit ip 192.168.0.0 255.255.255.0 172.21.0.0 255.255.0.0
access-list 102 permit ip 192.168.0.0 255.255.255.0 172.20.0.0 255.255.0.0
access-list 102 permit ip 192.168.0.0 255.255.255.0 172.22.0.0 255.255.0.0
access-list 102 permit ip 192.168.0.0 255.255.255.0 10.11.0.0 255.255.0.0
access-list 102 permit ip 192.168.0.0 255.255.255.0 10.50.0.0 255.255.0.0
access-list 102 permit ip 192.168.0.0 255.255.255.0 10.51.0.0 255.255.0.0
access-list 102 permit ip 192.168.0.0 255.255.255.0 192.168.18.0 255.255.255.0
access-list 102 permit ip 192.168.0.0 255.255.255.0 192.168.11.0 255.255.255.0

Source address 192.168.18.254, dest 192.168.0.8
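A worked mirror check, added here and not part of the thread or of either device's software. The script parses both access-list styles that appear above (IOS wildcard masks on the 3640, subnet masks on the PIX), normalises every entry to a source/destination network pair, lists the entries on one side that have no exact mirror on the other, and classifies the proxy identities from the PIX debug (src_proxy 192.168.18.0/24, dest_proxy 192.168.0.0/24) against a PIX access-list. The function names (parse_acl, unmirrored, classify_proposal) are this example's own; the access-list text is copied from the posts above. It follows the strict reading the thread works from, that only an exact src/dst mirror counts as a match; an entry that merely covers the pair (such as one ending in any) is reported separately as covered.

```python
"""Mirror-check IPsec crypto ACLs between an IOS router and a PIX (added example)."""
import ipaddress
from typing import List, NamedTuple, Tuple

ANY = ipaddress.IPv4Network("0.0.0.0/0")


class Entry(NamedTuple):
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """IOS wildcard (set bits = don't care) -> network; discontiguous masks are rejected
    because they cannot be expressed as a subnet proxy identity."""
    netmask = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    prefix = bin(netmask).count("1")
    if netmask != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"discontiguous wildcard mask {wildcard}")
    return ipaddress.IPv4Network((addr, prefix), strict=False)


def _endpoint(t: List[str], i: int, style: str) -> Tuple[ipaddress.IPv4Network, int]:
    """Consume one ACE endpoint at t[i]: 'any', 'host A.B.C.D' or 'A.B.C.D MASK'."""
    if t[i] == "any":
        return ANY, i + 1
    if t[i] == "host":
        return ipaddress.IPv4Network(t[i + 1] + "/32"), i + 2
    if style == "ios":
        return wildcard_to_network(t[i], t[i + 1]), i + 2
    return ipaddress.IPv4Network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2  # PIX: subnet mask


def parse_acl(text: str, style: str) -> List[Entry]:
    """Parse 'access-list N permit ip SRC MASK DST MASK' lines; style is 'ios' (wildcard
    masks) or 'pix' (subnet masks). Only 'permit ip' entries define proxy identities."""
    entries = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[2] != "permit" or t[3] != "ip":
            continue
        src, i = _endpoint(t, 4, style)
        dst, _ = _endpoint(t, i, style)
        entries.append(Entry(src, dst))
    return entries


def unmirrored(local: List[Entry], remote: List[Entry]) -> List[Entry]:
    """Entries of `local` that have no exact mirror (src/dst swapped) in `remote`."""
    remote_set = set(remote)
    return [e for e in local if Entry(e.dst, e.src) not in remote_set]


def classify_proposal(local: List[Entry], src_proxy: str, dst_proxy: str) -> str:
    """Relate a received phase-2 proposal (the peer's src_proxy/dest_proxy as printed in
    the debug) to this side's ACL; the peer's source is our destination. 'exact' = an ACE
    equals the mirrored pair, 'covered' = an ACE is only a superset of it, 'none' = no match."""
    want = Entry(ipaddress.IPv4Network(dst_proxy), ipaddress.IPv4Network(src_proxy))
    if want in local:
        return "exact"
    if any(want.src.subnet_of(e.src) and want.dst.subnet_of(e.dst) for e in local):
        return "covered"
    return "none"


# Crypto ACLs as posted in the thread: the 3640, the PIX ACL first posted (103), the corrected one (102).
IOS_178 = """\
access-list 178 permit ip 172.21.0.0 0.0.255.255 192.168.0.0 0.0.0.255
access-list 178 permit ip 172.20.0.0 0.0.255.255 192.168.0.0 0.0.0.255
access-list 178 permit ip 172.22.0.0 0.0.255.255 192.168.0.0 0.0.0.255
access-list 178 permit ip 10.11.0.0 0.0.255.255 192.168.0.0 0.0.0.255
access-list 178 permit ip 10.50.0.0 0.0.255.255 192.168.0.0 0.0.0.255
access-list 178 permit ip 10.51.0.0 0.0.255.255 192.168.0.0 0.0.0.255
access-list 178 permit ip 192.168.18.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 178 permit ip 192.168.11.0 0.0.0.255 192.168.0.0 0.0.0.255
"""
PIX_103 = """\
access-list 103 permit ip 172.22.0.0 255.255.0.0 any
access-list 103 permit ip 172.21.0.0 255.255.0.0 any
access-list 103 permit ip 172.20.0.0 255.255.0.0 any
access-list 103 permit ip 10.11.0.0 255.255.0.0 any
access-list 103 permit ip 10.50.0.0 255.255.0.0 any
access-list 103 permit ip 10.51.0.0 255.255.0.0 any
access-list 103 permit ip 192.168.18.0 255.255.255.0 any
"""
PIX_102 = """\
access-list 102 permit ip 192.168.0.0 255.255.255.0 172.21.0.0 255.255.0.0
access-list 102 permit ip 192.168.0.0 255.255.255.0 172.20.0.0 255.255.0.0
access-list 102 permit ip 192.168.0.0 255.255.255.0 172.22.0.0 255.255.0.0
access-list 102 permit ip 192.168.0.0 255.255.255.0 10.11.0.0 255.255.0.0
access-list 102 permit ip 192.168.0.0 255.255.255.0 10.50.0.0 255.255.0.0
access-list 102 permit ip 192.168.0.0 255.255.255.0 10.51.0.0 255.255.0.0
access-list 102 permit ip 192.168.0.0 255.255.255.0 192.168.18.0 255.255.255.0
access-list 102 permit ip 192.168.0.0 255.255.255.0 192.168.11.0 255.255.255.0
"""

if __name__ == "__main__":
    ios = parse_acl(IOS_178, "ios")
    for name, text in (("103", PIX_103), ("102", PIX_102)):
        pix = parse_acl(text, "pix")
        # proxy identities taken from the PIX debug output above
        verdict = classify_proposal(pix, "192.168.18.0/24", "192.168.0.0/24")
        print(f"PIX ACL {name}: proposal {verdict}, {len(unmirrored(ios, pix))} 3640 entries unmirrored")
```

Run as-is it reports, for each PIX access-list as posted, how the debug's proposal relates to it and how many 3640 entries lack a mirror: ACL 103 (remote networks as source, any as destination) gives none and 8, the corrected ACL 102 gives exact and 0, which is the entry-for-entry mirroring Jon asked to confirm. The same two functions can be pointed at any other pair of crypto ACLs, and the wildcard conversion raises rather than silently accepting a discontiguous mask.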