PIX to ASA site2site

ofir
Level 1

I have one working site2site between my ASA and another ASA (PROD1), and I am trying to add a site2site with a PIX (NEW-PEER).

Any idea what this means?

   Active SA: 3
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 3

1   IKE Peer: PROD1
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
2   IKE Peer: NEW-PEER
    Type    : user            Role    : responder
    Rekey   : no              State   : MM_WAIT_MSG3
3   IKE Peer: NEW-PEER
    Type    : user            Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG2

8 Replies

Jennifer Halim
Cisco Employee

Phase 1 (IKE/ISAKMP) uses UDP/500 and consists of an exchange of 6 messages.

For the second IKE connection (State: MM_WAIT_MSG3):

- This means that it is waiting for message #3 from the peer. As the role is responder, the connection was initiated from the other end. The peer sent the 1st message, your ASA replied with the 2nd message, and it is currently waiting for the peer's 3rd message.

For the third IKE connection (State: MM_WAIT_MSG2):

- This means that it is waiting for message #2 from its peer. As the role is initiator, the connection was initiated from this end (your ASA). Your ASA sent the 1st message to the peer and is waiting for the peer to reply.

Based on the observation of the traffic flow, it seems that UDP/500 might be blocked in the direction from your ASA towards the new PIX peer. If they can initiate the connection and your ASA receives the message, then the direction from the new PIX peer towards your ASA is not blocked. However, when your ASA replies or initiates the connection, it seems that your ASA never gets any reply, which means the opposite direction might be blocked.

Hope that makes sense.
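
As an added example, not part of the original thread and not Cisco's code, here is a small Python tool that parses the `show crypto isakmp sa` output quoted in the question and applies the reasoning in the reply above: each MM_WAIT_MSGn state means "this side has sent message n-1 and is waiting for message n", so the role plus the state tells you which direction of UDP/500 has been proven to work. The sample output is the one from the question; the message-to-sender table is standard IKEv1 main mode; the wording of the verdicts (and the assumption that a stall after the first exchange points at policy or pre-shared-key mismatches rather than connectivity) is mine.

```python
"""Read `show crypto isakmp sa` output and explain stuck IKEv1 main-mode states.

Added example for this thread, not Cisco's code. Main mode is six messages;
MM_WAIT_MSGn on the ASA means "this side has sent message n-1 and is still
waiting for message n from the peer", so the role plus the state tells you
which direction of UDP/500 has been proven to work.
"""
import re

# IKEv1 main mode: who transmits each of the six messages.
MM_SENDER = {1: "initiator", 2: "responder", 3: "initiator",
             4: "responder", 5: "initiator", 6: "responder"}

# Output quoted in the question (PROD1 is the working peer, NEW-PEER the new PIX).
SAMPLE_OUTPUT = """\
   Active SA: 3
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 3

1   IKE Peer: PROD1
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
2   IKE Peer: NEW-PEER
    Type    : user            Role    : responder
    Rekey   : no              State   : MM_WAIT_MSG3
3   IKE Peer: NEW-PEER
    Type    : user            Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG2
"""


def parse_isakmp_sa(text):
    """Return one dict per IKE SA with keys peer, type, role, state."""
    sas = []
    for line in text.splitlines():
        head = re.match(r"\s*\d+\s+IKE Peer:\s*(\S+)", line)
        if head:
            sas.append({"peer": head.group(1)})
            continue
        if not sas:
            continue  # summary lines before the first entry
        for key in ("Type", "Role", "State"):
            field = re.search(rf"\b{key}\s*:\s*(\S+)", line)
            if field:
                sas[-1][key.lower()] = field.group(1)
    return sas


def sa_progress(role, state):
    """For an MM_WAIT_MSGn state, list the messages this side has sent and received.

    Returns None for states that are not a main-mode wait (e.g. MM_ACTIVE).
    """
    wait = re.fullmatch(r"MM_WAIT_MSG(\d)", state)
    if not wait:
        return None
    n = int(wait.group(1))
    done = range(1, n)  # messages 1..n-1 have already been exchanged
    return {
        "waiting_for": n,
        "sent": [i for i in done if MM_SENDER[i] == role],
        "received": [i for i in done if MM_SENDER[i] != role],
    }


def diagnose(sas, peer):
    """Combine every IKE SA toward `peer` into a statement about UDP/500 reachability."""
    entries = [sa for sa in sas if sa["peer"] == peer]
    if not entries:
        return {"peer": peer, "verdict": "no IKE SA toward this peer"}
    if any(sa["state"] == "MM_ACTIVE" for sa in entries):
        return {"peer": peer, "verdict": "phase 1 is up"}

    inbound_seen = False  # some message from the peer has arrived here
    reply_seen = False    # the peer has answered something we sent
    for sa in entries:
        progress = sa_progress(sa["role"], sa["state"])
        if progress is None:
            continue
        if progress["received"]:
            inbound_seen = True
        if progress["sent"] and max(progress["received"], default=0) > progress["sent"][0]:
            reply_seen = True

    if inbound_seen and not reply_seen:
        verdict = ("the peer's UDP/500 reaches us, but nothing we send is answered: "
                   "check UDP/500 from us toward the peer, and the return path")
    elif not inbound_seen:
        verdict = "nothing from the peer arrives on UDP/500: check both directions"
    else:
        # Assumption: once both sides have answered each other, connectivity is
        # not the problem and the stall is in the later exchanges.
        verdict = ("UDP/500 works both ways; the stall is in the later exchanges "
                   "(compare ISAKMP policies and pre-shared keys)")
    return {"peer": peer, "inbound_seen": inbound_seen,
            "reply_seen": reply_seen, "verdict": verdict}


if __name__ == "__main__":
    sas = parse_isakmp_sa(SAMPLE_OUTPUT)
    for sa in sas:
        print(sa, sa_progress(sa["role"], sa["state"]))
    for peer in sorted({sa["peer"] for sa in sas}):
        print(peer, "->", diagnose(sas, peer)["verdict"])
```

Run against the quoted output, NEW-PEER comes out as "inbound seen, no reply seen", which is exactly the case the reply describes: the PIX's message 1 arrives at the ASA, but neither the ASA's message 2 nor its own message 1 ever gets an answer, so the ASA-to-PIX direction (or the return path for that traffic) is the one to check.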

So you're saying UDP/500 is blocked on the ASA going out to the PIX...

I'll check it.

Is it possible that my other (working) ASA-to-ASA doesn't need UDP/500 to be opened?

Not on the ASA itself; it's likely a device in front of the ASA or a device in front of the PIX on the other end.

Now I lost you...

ASA1 goes out via the same network to the internet and then to ASA2 & the PIX.

So if there was something blocking ASA1, it would fail the connection to ASA2 - is this correct?

Now, the PIX for this test is totally open, with both inside & outside interfaces allowing any any; this device is directly connected to the internet.

So where would UDP/500 be blocked?

How can I test it?

thanks!

More info:

When I try to initiate the connection from the ASA side, I see MSG2 on the ASA and nothing on the PIX.

When I try to initiate the connection from the PIX side, I see MSG2 on the PIX & MSG3 (responder) on the ASA.

Thanks. You are right. If your ASA connects to another ASA, it should be good at your end, unless there is an access-list that allows the VPN to the other ASA specifically.

You might want to check with the PIX end ISP and see if they are blocking inbound VPN (UDP/500 and ESP).

So I'll just ask again: what could possibly block this from the ADSL side? I'll check it tomorrow morning, but it doesn't sound like they would bother blocking it.

Also, how do I test it? Is there any way to verify it is not blocked on the PIX?

You can run a packet capture on the PIX outside interface and see whether the inbound UDP/500 packets from your ASA show up. If you are not seeing the inbound UDP/500 packets on the PIX outside interface, that means they are being blocked before they reach the PIX firewall.
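
As an added example (not from the thread, and not an official Cisco procedure), this is the capture the reply describes, using the access-list form of the `capture` command that both PIX 6.x/7.x and ASA accept. The two addresses are RFC 5737 placeholders for the ASA's and the PIX's public outside addresses; ESP and UDP/4500 (NAT-T) are included because they must pass in the same direction once phase 1 completes, as the reply above notes.

```text
! On the PIX, from enable mode. 203.0.113.10 = ASA outside (placeholder),
! 198.51.100.20 = PIX outside (placeholder).
access-list ike-cap permit udp host 203.0.113.10 host 198.51.100.20 eq 500
access-list ike-cap permit udp host 203.0.113.10 host 198.51.100.20 eq 4500
access-list ike-cap permit esp host 203.0.113.10 host 198.51.100.20
capture ikecap access-list ike-cap interface outside

! Now initiate the tunnel from the ASA side, then look at the buffer:
show capture ikecap

! Remove the capture when finished (then delete the ike-cap access-list):
no capture ikecap
```

The capture records packets as they arrive on the interface, before the interface access-list is applied, so an empty buffer while the ASA is initiating means the UDP/500 packets never reached the PIX, which points at the path in between (the ADSL side or anything upstream of the PIX) rather than at the PIX configuration. A buffer that does show the ASA's packets means the PIX received them, and the problem is on the PIX or on the return path.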
