05-31-2006 12:05 AM - edited 02-21-2020 02:26 PM
Hi all,
I want to establish a VPN tunnel between 2 PIX515E, a site-to-site VPN.
I have used the wizard of the PDM.
At first, the tunnel seems OK: I can ping hosts on the remote site, telnet, etc.
But sometimes the tunnel seems to be down: I cannot ping remote hosts anymore, for example.
I think that when there is no traffic through the tunnel, it's OK that the tunnel is down. And when I try to ping remote hosts, I think that the tunnel should come back up. Is that correct?
I looked in the logs and I notice that whenever I try to ping/telnet a remote host, it generates in the statistics:
"PIX pkts no sa (send)".
No packets are encrypted.
Could someone tell me where the problem is?
Thank you for helping me!
05-31-2006 01:25 AM
Hi,
Can you paste the configuration details of your PIX device? Then it will be easier to sort out the issue.
Thanks & Regards
Krish
05-31-2006 01:44 AM
Hi,
Here is the result of the "debug crypto isakmp" command. It seems that phase 2 of IKE is not successful:
----------------
ISAKMP (0:0): sending NAT-T vendor ID - rev 2 & 3
ISAKMP (0): beginning Main Mode exchange
crypto_isakmp_process_block:src:remote-pix, dest:A.B.C.D spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 28800
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing vendor id payload
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:remote-pix, dest:A.B.C.D spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
ISAKMP (0): processing vendor id payload
ISAKMP (0): processing vendor id payload
ISAKMP (0): received xauth v6 vendor id
ISAKMP (0): processing vendor id payload
ISAKMP (0): speaking to another IOS box!
ISAKMP (0): processing vendor id payload
ISAKMP (0): speaking to a VPN3000 concentrator
ISAKMP (0): ID payload
next-payload : 8
type : 1
protocol : 17
port : 500
length : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:remote-pix, dest:A.B.C.D spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): processing keep alive: proposal=32767/32767 sec., actual=600/10 sec.
ISAKMP (0): processing vendor id payload
ISAKMP (0): remote peer supports dead peer detection
ISAKMP (0): SA has been authenticated
ISAKMP (0): beginning Quick Mode exchange, M-ID of 1370673357:51b2d0cdIPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0x773f7309(2000646921) for SA
from remote-pix to A.B.C.D for prot 3
return status is IKMP_NO_ERROR
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending NOTIFY message 24578 protocol 1
VPN Peer: ISAKMP: Added new peer: ip:remote-pix/500 Total VPN Peers:4
VPN Peer: ISAKMP: Peer ip:remote-pix/500 Ref cnt incremented to:1 Total VPN Peers:4
crypto_isakmp_process_block:src:remote-pix, dest:A.B.C.D spt:500 dpt:500
<------- until here, it seems OK, I think? ------->
<------- I compared these lines with the lines I get when it works (in fact, I have multiple VPN tunnels on my PIX A: PIX A <--> PIX B, PIX A <--> PIX C, etc.) and I notice that these 3 lines are missing:
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
------->
<------- End of the debug: ------->
ISAKMP (0): processing NOTIFY payload 18 protocol 1
spi 0, message ID = 2482419244
return status is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block:src:remote-pix, dest:A.B.C.D spt:500 dpt:500
ISAKMP (0): processing DELETE payload. message ID = 2738261993, spi size = 16
ISAKMP (0): deleting SA: src A.B.C.D, dst remote-pix
return status is IKMP_NO_ERR_NO_TRANS
ISADB: reaper checking SA 0x10ffe3c, conn_id = 0 DELETE IT!
VPN Peer: ISAKMP: Peer ip:remote-pix/500 Ref cnt decremented to:0 Total VPN Peers:4
VPN Peer: ISAKMP: Deleted peer: ip:remote-pix/500 Total VPN peers:3IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with remote-pix
ISADB: reaper checking SA 0x10d8c34, conn_id = 0
ISADB: reaper checking SA 0xfea484, conn_id = 0
ISADB: reaper checking SA 0x1106b14, conn_id = 0
----------------
Any idea please?
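A small triage script for this kind of "debug crypto isakmp" output, added here as an example (it is not from the thread or from Cisco): it reports how far the IKE negotiation got, decodes the notify type the peer returned (18 is INVALID-ID-INFORMATION in RFC 2408) and flags the SA teardown that follows. The sample lines are constructed from the excerpt above.

```python
import re

# Constructed excerpts of "debug crypto isakmp" output modelled on the post above:
# SAMPLE_FAIL follows the failing negotiation (A.B.C.D / remote-pix are the poster's
# placeholders), SAMPLE_OK has the Quick Mode lines the poster sees only when it works.
SAMPLE_FAIL = """\
ISAKMP (0): SA has been authenticated
ISAKMP (0): beginning Quick Mode exchange, M-ID of 1370673357:51b2d0cd
ISAKMP (0): processing NOTIFY payload 18 protocol 1
ISAKMP (0): deleting SA: src A.B.C.D, dst remote-pix
"""
SAMPLE_OK = """\
ISAKMP (0): SA has been authenticated
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
"""

# ISAKMP notify types, RFC 2408 sec. 3.14.1; 24578 is the private-use
# INITIAL_CONTACT notify that the PIX log itself names.
NOTIFY_TYPES = {14: "NO-PROPOSAL-CHOSEN", 17: "INVALID-KEY-INFORMATION",
                18: "INVALID-ID-INFORMATION", 24578: "INITIAL_CONTACT"}
NOTIFY_RE = re.compile(r"processing NOTIFY payload (\d+)")  # received notifies only
PHASES = ["none", "phase1-authenticated", "phase2", "established"]

def analyse_isakmp_debug(text):
    """Return the phase reached, notifies received, SA teardown flag and a verdict."""
    rank, received, deleted = 0, [], False
    for line in text.splitlines():
        if "SA has been authenticated" in line:
            rank = max(rank, 1)
        elif "Quick Mode exchange" in line or "OAK_QM exchange" in line:
            rank = max(rank, 2)
        elif "OAK_QM_IDLE" in line:          # Quick Mode finished: IPsec SAs exist
            rank = max(rank, 3)
        elif "deleting SA" in line:
            deleted = True
        m = NOTIFY_RE.search(line)
        if m:
            code = int(m.group(1))
            received.append(NOTIFY_TYPES.get(code, "UNKNOWN-%d" % code))
    errors = [n for n in received if n != "INITIAL_CONTACT"]
    if rank == 3 and not deleted:
        verdict = "tunnel established"
    elif rank == 2:   # phase 1 fine, Quick Mode rejected: no IPsec SA, so "pkts no sa"
        verdict = "phase 2 rejected by peer: " + (", ".join(errors) or "no notify seen")
    else:
        verdict = "phase 1 did not complete"
    return {"phase_reached": PHASES[rank], "received_notifies": received,
            "sa_deleted": deleted, "verdict": verdict}
```

Run it over the full debug capture from each PIX; a phase 2 rejection with the ISAKMP SA deleted right after authentication is exactly the pattern behind the "pkts no sa (send)" counter in the first post.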
05-31-2006 03:34 AM
Hi,
Can you paste your config details of both PIX devices?
Thanks
Krish