Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
479
Views
0
Helpful
3
Replies

pix 501 (6.3.4) vpn to sef (Symantec Enterprise Fw 7.04)

cecato
Level 1
Level 1

‎12-10-2004 08:06 AM - edited ‎02-21-2020 01:29 PM

I trying to establish a vpn to a SEF 7.04, but when cisco calls sef we have the following msg:

IKMP_NO_ERR_NO_TRANS

On SEF side we have the following msg:

isakmpd Info: Error while processing data rcvd from peer 200.x.x.13:

(-3396) Invalid cookie in ISAKMP header.

When SEF conect first the vpn works fine!!!

Does anyone knows what are happening?

This is the configuration from my pix:

PIX Version 6.3(4)

interface ethernet0 auto

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password xxxxxxxxxxxxxx encrypted

passwd xxxxxxxxxxxxxx encrypted

hostname apcoc03

domain-name xxxx

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

access-list 80 permit ip 10.1.0.0 255.255.255.0 10.0.180.0 255.255.255.0

access-list nonat permit ip 10.1.0.0 255.255.255.0 10.0.180.0 255.255.255.0

access-list nonat permit ip 10.1.21.0 255.255.255.0 10.0.180.0 255.255.255.0

access-list 81 permit ip 10.1.21.0 255.255.255.0 10.0.180.0 255.255.255.0

pager lines 24

mtu outside 1500

mtu inside 1500

ip address outside 1.1.x.x.x.255.0

ip address inside 10.0.23.13 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

pdm location 10.1.21.0 255.255.255.0 inside

pdm location 10.1.21.111 255.255.255.255 inside

pdm location 10.0.180.0 255.255.255.0 outside

pdm location 172.16.120.0 255.255.255.0 outside

pdm logging debugging 512

pdm history enable

arp timeout 14400

global (outside) 10 interface

nat (inside) 0 access-list nonat

nat (inside) 10 0.0.0.0 0.0.0.0 0 0

route outside 0.0.x.x.x.x.x.242.30.243 1

route inside 10.1.0.0 255.255.255.0 10.0.23.20 1

route inside 10.1.21.0 255.255.255.0 10.0.23.20 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

aaa authentication http console LOCAL

aaa authentication ssh console LOCAL

http server enable

http 10.1.21.111 255.255.255.255 inside

no snmp-server location

no snmp-server contact

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

crypto ipsec transform-set crypto_band esp-3des esp-md5-hmac

crypto map bandbm 145 ipsec-isakmp

crypto map bandbm 145 match address 80

crypto map bandbm 145 set peer 1.1.1.2

crypto map bandbm 145 set transform-set crypto_band

crypto map bandbm 146 ipsec-isakmp

crypto map bandbm 146 match address 81

crypto map bandbm 146 set peer 1.1.1.2

crypto map bandbm 146 set transform-set crypto_band

crypto map bandbm interface outside

isakmp enable outside

isakmp key ******** address 1.1.1.2 netmask 255.255.255.255

isakmp identity address

isakmp policy 90 authentication pre-share

isakmp policy 90 encryption 3des

isakmp policy 90 hash md5

isakmp policy 90 group 2

isakmp policy 90 lifetime 86400

telnet timeout 5

ssh 10.1.21.111 255.255.255.255 inside

ssh timeout 60

console timeout 0

Labels:
Preview file
2 KB
0 Helpful
3 Replies 3

pkapoor
Level 3
Level 3

‎12-10-2004 11:12 AM

Make the following changes to your PIX IPSec config.

no crypto map bandbm 146

no access-list 81 permit ip 10.1.21.0 255.255.255.0 10.0.180.0 255.255.255.0

access-list 80 permit ip 10.1.21.0 255.255.255.0 10.0.180.0 255.255.255.0

Then test again.

0 Helpful

cecato
Level 1
Level 1
In response to pkapoor

‎12-10-2004 12:34 PM

Thank you, but I've already done this.

This was first configuration. And the message on symantec gateway was the same:

isakmpd Info: Error while processing data rcvd from peer 200.242.30.13:

(-3396) Invalid cookie in ISAKMP header.

Do you know what does IKMP_NO_ERR_NO_TRANS message mean?

0 Helpful

pkapoor
Level 3
Level 3
In response to cecato

‎12-10-2004 02:15 PM

I've seen that message when the PIX is OK with establishing the tunnel.

There are a couple of other things that I'd suggest.

At the end of the isakmp key command on the PIX, add:- "no-xauth no-config-mode" keywords.

Also ensure that PFS is disabled on the SEF.

0 Helpful
Customers Also Viewed These Support Documents