I have one working site2site between my ASA to another ASA (PROD1) and I try to add a site2site with a PIX (NEW-PEER)
any idea what does this mean?
Active SA: 3
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 3
1 IKE Peer: PROD1
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
2 IKE Peer: NEW-PEER
Type : user Role : responder
Rekey : no State : MM_WAIT_MSG3
3 IKE Peer: NEW-PEER
Type : user Role : initiator
Rekey : no State : MM_WAIT_MSG2
Phase 1 (IKE/ISAKMP) uses UDP/500 and consists of exchanges of 6 messages.
For the second IKE connection: State : MM_WAIT_MSG3:
- This means that it is waiting for message# 3 from the peer. As the role is a responder, that means that the connection is initiated from the other end. The peer will send the 1st message, and your ASA has replied with the 2nd message, and currently waiting for the reply from the peer for the 3rd message.
For the third IKE connection: State : MM_WAIT_MSG2:
- This means that it is waiting for message# 2 from its peer. As the role is an initiator, that means that the connection is initiated from this end (your ASA). Your ASA has sent the 1st message to the peer, and waiting for its peer to reply.
Base on the observation of the traffic flow, it seems that UDP/500 might be blocked in the direction of your ASA towards the new PIX peer. Because if they can initiate the connection and your ASA received the message, that means from the new PIX peer towards your ASA direction, it's not blocked. However, when your ASA replied or initiated the connection, it seems that your ASA never get any replies, which means the opposite direction might be blocked.
Hope that makes sense.
so you're saying udp/500 is blocked on ASA going out to the PIX...
I'll check it
is it possible my other (working) ASA to ASA doesn't need the UDP/500 to be opened)?
now I lost you...
ASA1 go out via the same network to the internet and then to ASA2 & PIX
so if there was somehting blocking ASA1 it would fail the connection to ASA2 - is this correct?
now, PIX for this test is totally open with both inside & outside interfaces allow any any, this device is directly connected to the internet
so where would UDP/500 be blocked?
how can I test it?
when I try to initiate the connection from ASA side I see the MSG2 on the ASA and nothing on PIX
when I try to initiate the connection from PIX side I see MSG2 on the PIX & MG3 (responder) on the ASA
Thanks. You are right. If your ASA connects to another ASA, that means it should be good at your end, unless, there is access-list that allow the VPN to the other ASA specifically.
You might want to check with the PIX end ISP and see if they are blocking inbound VPN (UDP/500 and ESP).
so i'll just ask again - what could possibly block this from the adsl side? I'll check it tomorrow morning but it doesn't sound like they would bother blocking it
also, how do I test it - is there any way to verify it is not blocked on the pix?
You can run packet capture on the PIX outside interface and see if you are seeing the inbound UDP/500 packet from your ASA. If you are not seeing the inbound UDP/500 packet on the PIX outside interface, that means it's being blocked before it reaches the PIX firewall.