04-30-2008 11:33 AM
I am having a problem with an IPSec tunnel between sites A and B. Site A has a PIX with 8.x code and SITE B has an ASA with 7.2(3) code. The crypto access-lists are as under:
SITE A has:
access-list 119 extended permit ip object-group Support_DMZ object-group SITEB
access-list 119 extended permit ip 10.60.6.0 255.255.255.0 object-group SITEB
Object Group SITEB is as under:
object-group network SITEB
network-object 10.238.18.0 255.255.255.0
network-object 210.x.x.x 255.255.255.255
Object Group Support_DMZ is as under:
object-group network Support_DMZ
network-object a.a.a.a 255.255.255.192
network-object b.b.b.b 255.255.255.0
network-object c.c.c.c 255.255.255.0
network-object d.d.d.d 255.255.255.0
network-object e.e.e.e 255.255.255.0
network-object f.f.f.f 255.255.255.0
Now on the ASA at SITE B:
access-list TO_SITEA extended permit ip 10.238.18.0 255.255.255.0 object-group SITEA_NETWORK
access-list TO_SITEA extended permit ip host 210.x.x.253 object-group SITEA_NETWORK
Object Group SITEA_NETWORK is:
object-group network SITEA_NETWORK
network-object b.b.b.b 255.255.255.0
network-object c.c.c.c 255.255.255.0
network-object d.d.d.d 255.255.255.0
network-object e.e.e.e 255.255.255.0
network-object a.a.a.a 255.255.255.192
network-object f.f.f.f 255.255.255.0
network-object g.g.g.g 255.255.255.0
Please note that there is an extra network g.g.g.g in Object Group SITEA_NETWORK. This is not there on the other side. Now the error I get on the ASA at SITE B is:
%ASA-5-713050: Group = 64.x.x.x, IP = 64.x.x.x, Connection terminated for peer 64.x.x.x. Reason: Peer Terminate Remote Proxy 210.x.x.253, Local Proxy b.b.b.b
Looks like the tunnel gets terminated. If you look at the error above, the Local Proxy is b.b.b.b, which is a network on the SITE A side. Sometimes this Local Proxy is d.d.d.d, f.f.f.f or e.e.e.e.
I am wondering if the order of the networks in the Object Group on both sides needs to be the same to be an exact mirror image. As you can see, they are not exact mirror images on both sides. Also there is a g.g.g.g network in SITE B which is not there in the SITE A side Object Group.
If anybody can help on this it would be great.
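As an added example (not code from the original post or its reply), the script below parses the object-group and "permit ip" access-list syntax shown above, expands each side's crypto ACL into the (local, remote) proxy-identity pairs that IKE phase 2 would negotiate, and reports pairs that have no mirrored counterpart on the other side. The addresses are constructed stand-ins for the masked a.a.a.a to g.g.g.g values, with 172.16.99.0/24 standing in for the extra g.g.g.g network; the parser assumes only the config syntax visible in the post.

```python
import ipaddress
from itertools import product

# Constructed stand-ins for the masked a.a.a.a ... g.g.g.g networks in the post;
# 172.16.99.0/24 plays the role of the extra g.g.g.g network present only at Site B.
SITE_A = """object-group network SITEB
 network-object 10.238.18.0 255.255.255.0
 network-object 203.0.113.253 255.255.255.255
object-group network Support_DMZ
 network-object 192.0.2.64 255.255.255.192
 network-object 198.51.100.0 255.255.255.0
access-list 119 extended permit ip object-group Support_DMZ object-group SITEB
access-list 119 extended permit ip 10.60.6.0 255.255.255.0 object-group SITEB"""
SITE_B = """object-group network SITEA_NETWORK
 network-object 198.51.100.0 255.255.255.0
 network-object 192.0.2.64 255.255.255.192
 network-object 172.16.99.0 255.255.255.0
access-list TO_SITEA extended permit ip 10.238.18.0 255.255.255.0 object-group SITEA_NETWORK
access-list TO_SITEA extended permit ip host 203.0.113.253 object-group SITEA_NETWORK"""

def endpoint(tok, groups):
    """Consume one ACE endpoint (object-group NAME | host A | A MASK); return (networks, rest)."""
    if tok[0] == "object-group":
        return list(groups[tok[1]]), tok[2:]
    if tok[0] == "host":
        return [ipaddress.ip_network(tok[1])], tok[2:]
    return [ipaddress.ip_network(f"{tok[0]}/{tok[1]}")], tok[2:]

def proxy_pairs(text, acl_name):
    """Parse network object-groups and 'permit ip' ACEs, then expand ACL acl_name into
    the set of (local, remote) proxy-identity pairs IKE phase 2 would negotiate."""
    groups, pairs, current = {}, set(), None
    for line in text.splitlines():
        tok = line.split()
        if tok[:2] == ["object-group", "network"]:
            current = groups.setdefault(tok[2], [])
        elif tok[:1] == ["network-object"]:
            current.append(ipaddress.ip_network(f"{tok[1]}/{tok[2]}"))
        elif tok[:2] == ["access-list", acl_name] and tok[2:5] == ["extended", "permit", "ip"]:
            src, rest = endpoint(tok[5:], groups)
            dst, _ = endpoint(rest, groups)
            pairs.update(product(src, dst))
    return pairs

def mirror_diff(local_text, local_acl, remote_text, remote_acl):
    """Return (local pairs the remote side does not mirror, remote pairs the local side
    does not mirror). Sets are compared, so entry order inside an object-group is ignored."""
    local = proxy_pairs(local_text, local_acl)
    remote = {(d, s) for s, d in proxy_pairs(remote_text, remote_acl)}
    return local - remote, remote - local
```

Calling mirror_diff(SITE_A, "119", SITE_B, "TO_SITEA") on the constructed sample reports the two 10.60.6.0/24 pairs that only Site A permits and the two 172.16.99.0/24 pairs that only Site B permits; the ordering difference between the two object-groups produces no findings.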
05-07-2008 06:42 AM
It may be errors due to PFS being enabled. Disable PFS and try again.