06-24-2014 01:47 PM
We have configured an IPSec tunnel between two PIX 501 firewalls at different locations over a PTP ethernet connection. PIX-1 Outside Interface is 172.16.92.20 and PIX-2 Outside Interface is X.X.X.106. The error I am getting from debug isakmp on PIX-1:
ISAKMP (0): beginning Main Mode exchange
ISAKMP (0): retransmitting phase 1 (0)...
ISAKMP (0): retransmitting phase 1 (1)...
ISAKMP (0): retransmitting phase 1 (2)...
ISAKMP (0): retransmitting phase 1 (3)...
ISAKMP (0): retransmitting phase 1 (4)...IPSEC(key_engine): request timer fired: count = 1,
(identity) local= 172.16.92.20, remote= X.X.X.106,
local_proxy= 192.168.251.200/255.255.255.248/0/0 (type=4),
remote_proxy= 192.168.251.12/255.255.255.252/0/0 (type=4)
ISAKMP (0): deleting SA: src 172.16.92.20, dst X.X.X.106
ISADB: reaper checking SA 0xad73dc, conn_id = 0 DELETE IT!
VPN Peer:ISAKMP: Peer Info for X.X.X.106/500 not found - peers:0
IPSEC(key_engine): request timer fired: count = 2,
(identity) local= 172.16.92.20, remote= X.X.X.106,
local_proxy= 192.168.251.200/255.255.255.248/0/0 (type=4),
remote_proxy= 192.168.251.12/255.255.255.252/0/0 (type=4)
Both PIX's are able to ping each other.
06-24-2014 02:57 PM
172.16.254.254
06-25-2014 08:06 AM
I don't understand your reply? Please clarify.
06-24-2014 10:32 PM
Can you share configuration for both PIX
06-25-2014 08:05 AM
06-26-2014 06:30 AM
Can you share output of "show ver" command?
06-26-2014 06:57 AM
Cisco PIX Firewall Version 6.3(5)
Cisco PIX Device Manager Version 3.0(4)
Compiled on Thu 04-Aug-05 21:40 by morlee
FW1 up 6 days 16 hours
Hardware: PIX-501, 16 MB RAM, CPU Am5x86 133 MHz
Flash E28F640J3 @ 0x3000000, 8MB
BIOS Flash E28F640J3 @ 0xfffd8000, 128KB
0: ethernet0: address is 0011.211c.XXXX, irq 9
1: ethernet1: address is 0011.211c.XXXX, irq 10
Licensed Features:
Failover: Disabled
VPN-DES: Enabled
VPN-3DES-AES: Enabled
Maximum Physical Interfaces: 2
Maximum Interfaces: 2
Cut-through Proxy: Enabled
Guards: Enabled
URL-filtering: Enabled
Inside Hosts: 50
Throughput: Unlimited
IKE peers: 10
06-27-2014 04:51 AM
Hi Darron,
How is pix1 (172.16.92.20) connected with the other PIX? Are you doing static NAT for 172.16.92.20 (being a private IP)? If so, then will you ensure NAT-T is enabled on both firewalls? As I can see in the logs, 172.16.92.20 is not able to connect with X.X.X.106/500 (port 500). It happens when we have a NAT factor in between these 2 firewalls.
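Added example (not from the thread): a small triage script for the debug isakmp output in the original post. It applies the reasoning in this reply mechanically: phase 1 retransmits with no reply marker from the peer mean the peer never answered on UDP/500, and a private local peer address raises the NAT-T question. The transcript is copied from the first post; the reply-marker strings and the ISAKMP default behaviour it checks for are assumptions about PIX 6.3 debug wording, not something the thread shows.

```python
import ipaddress
import re

# Transcript copied from the original post (the poster's X.X.X.106 placeholder kept as-is).
DEBUG = """\
ISAKMP (0): beginning Main Mode exchange
ISAKMP (0): retransmitting phase 1 (0)...
ISAKMP (0): retransmitting phase 1 (1)...
ISAKMP (0): retransmitting phase 1 (2)...
ISAKMP (0): retransmitting phase 1 (3)...
ISAKMP (0): retransmitting phase 1 (4)...IPSEC(key_engine): request timer fired: count = 1,
(identity) local= 172.16.92.20, remote= X.X.X.106,
local_proxy= 192.168.251.200/255.255.255.248/0/0 (type=4),
remote_proxy= 192.168.251.12/255.255.255.252/0/0 (type=4)
ISAKMP (0): deleting SA: src 172.16.92.20, dst X.X.X.106
ISADB: reaper checking SA 0xad73dc, conn_id = 0 DELETE IT!
VPN Peer:ISAKMP: Peer Info for X.X.X.106/500 not found - peers:0
"""

RETRANSMIT = re.compile(r"retransmitting phase 1 \((\d+)\)")
IDENTITY = re.compile(r"local= (\S+), remote= (\S+?),")
PROXY = re.compile(r"(local|remote)_proxy= (\S+?)/(\S+?)/")
# Assumed PIX 6.3 debug phrases that only show up once the peer has answered Main Mode message 1.
PEER_REPLY_MARKERS = ("processing SA payload", "Checking ISAKMP transform",
                      "atts are", "OAK_MM")


def is_private(addr):
    """RFC 1918 / loopback etc.; a masked placeholder such as X.X.X.106 counts as not private."""
    try:
        return ipaddress.ip_address(addr).is_private
    except ValueError:
        return False


def triage(debug):
    """Summarise a debug isakmp transcript and list defender-side checks to run next."""
    retransmits = len(RETRANSMIT.findall(debug))
    ident = IDENTITY.search(debug)
    local, remote = ident.groups() if ident else (None, None)
    proxies = {k: f"{net}/{mask}" for k, net, mask in PROXY.findall(debug)}
    peer_replied = any(marker in debug for marker in PEER_REPLY_MARKERS)

    findings = []
    if retransmits and not peer_replied:
        findings.append(f"no ISAKMP reply from {remote} after {retransmits} phase 1 retransmits: "
                        "confirm UDP/500 (and UDP/4500 for NAT-T) passes end to end, not just ICMP")
        if local and is_private(local) and not is_private(remote):
            findings.append(f"local peer {local} is a private address; if it is translated on the "
                            "path, enable NAT-T on both firewalls and forward UDP/500 and UDP/4500")
    if "atts are not acceptable" in debug:
        findings.append("peer answered but rejected the proposal: align isakmp policy on both sides")
    if "Peer Info for" in debug and "not found" in debug:
        findings.append("no peer entry remained after SA deletion (peers:0): phase 1 never completed")

    return {"local": local, "remote": remote, "proxies": proxies,
            "phase1_retransmits": retransmits, "peer_replied": peer_replied,
            "findings": findings}


if __name__ == "__main__":
    for line in triage(DEBUG)["findings"]:
        print("-", line)
```

Run it against a fresh debug capture to separate "peer never answered" (reachability or NAT) from "peer answered and refused" (policy mismatch), which need different fixes.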
06-25-2014 03:07 AM
Hello Darron,
You have a problem with IKE phase I; try these configurations on both sides:
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
HTH
kazim
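Added example (not part of kazim's reply): a checker that parses `isakmp policy` lines from two PIX configs and reports whether any pair of policies agrees on authentication, encryption, hash and DH group, which is what phase 1 needs. It assumes the PIX 6.3 defaults for omitted attributes (rsa-sig, des, sha, group 1, lifetime 86400); the two "before" and "after" configs are constructed for the demonstration.

```python
import re

# Assumed PIX 6.3 defaults applied when a policy line omits an attribute.
DEFAULTS = {"authentication": "rsa-sig", "encryption": "des", "hash": "sha",
            "group": "1", "lifetime": "86400"}
# Lifetime is negotiated down to the shorter value, so only these four must agree.
MUST_MATCH = ("authentication", "encryption", "hash", "group")
POLICY = re.compile(r"^\s*isakmp policy (\d+) (\S+) (\S+)\s*$", re.M)

# Constructed configs: side A already carries the policy from the reply above,
# side B still has an older des/md5 policy before the change is applied.
PIX1 = """
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
"""
PIX2_BEFORE = """
isakmp policy 10 authentication pre-share
isakmp policy 10 hash md5
"""
PIX2_AFTER = PIX1


def parse_policies(config):
    """Return {priority: {attr: value}} with defaults filled in for missing attributes."""
    policies = {}
    for num, attr, value in POLICY.findall(config):
        policies.setdefault(int(num), dict(DEFAULTS))[attr] = value
    return policies


def matching_policies(cfg_a, cfg_b):
    """Pairs of (priority_a, priority_b) whose proposals agree on all MUST_MATCH attributes."""
    a, b = parse_policies(cfg_a), parse_policies(cfg_b)
    return [(na, nb) for na, pa in sorted(a.items()) for nb, pb in sorted(b.items())
            if all(pa[k] == pb[k] for k in MUST_MATCH)]


def mismatches(cfg_a, cfg_b):
    """For each policy pair, the attributes that differ (empty list means it would match)."""
    a, b = parse_policies(cfg_a), parse_policies(cfg_b)
    return {(na, nb): [k for k in MUST_MATCH if pa[k] != pb[k]]
            for na, pa in a.items() for nb, pb in b.items()}


if __name__ == "__main__":
    print("before:", matching_policies(PIX1, PIX2_BEFORE), mismatches(PIX1, PIX2_BEFORE))
    print("after: ", matching_policies(PIX1, PIX2_AFTER))
```

Note that a matching policy on both sides fixes a rejected proposal; it does not help when the peer never answers at all, as in the retransmit-only debug in the original post.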
06-25-2014 07:56 AM
Made these changes to both sides. No luck so far...
06-27-2014 05:20 AM
I think your pix 1 is behind NAT, so make sure you have properly configured the machine that is doing the NAT in front of pix1.
ip nat inside source static udp x.x.x.x 4500 interface FastEthernet1/1 4500 (for pat)
ip nat inside source static udp x.x.x.x 500 interface FastEthernet1/1 500 (isakmp)
HTH