10-03-2012 08:47 AM
My tunnel had been running fine for a couple of months. Now, not so much.
Here is some debug. I hope this has enough info for someone to assist me. Thanks!
ISADB: reaper checking SA 0x12ecb04, conn_id = 0
ISADB: reaper checking SA 0x12ecb04, conn_id = 0
ISAKMP: rekeying phase 1 SA, src s.s.s.s, dst d.d.d.d
ISAKMP (0:0): sending NAT-T vendor ID - rev 2 & 3
crypto_isakmp_process_block:src:d.d.d.d, dest:s.s.s.s spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 1 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 1
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 1000
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing vendor id payload
ISAKMP (0:0): vendor ID is NAT-T
ISAKMP (0): processing vendor id payload
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
ISAKMP (0:0): constructed HIS NAT-D
ISAKMP (0:0): constructed MINE NAT-D
ISAKMP (0:0): Detected port floating
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:d.d.d.d, dest:s.s.s.s spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
ISAKMP (0): processing vendor id payload
ISAKMP (0): processing vendor id payload
ISAKMP (0): received xauth v6 vendor id
ISAKMP (0): processing vendor id payload
ISAKMP (0): speaking to another IOS box!
ISAKMP (0): processing vendor id payload
ISAKMP (0): speaking to a VPN3000 concentrator
ISAKMP (0:0): Detected NAT-D payload
ISAKMP (0:0): NAT match MINE hash
ISAKMP (0:0): Detected NAT-D payload
ISAKMP (0:0): NAT match HIS hash
ISAKMP (0): ID payload
        next-payload : 8
        type : 1
        protocol : 17
        port : 500
        length : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:d.d.d.d, dest:s.s.s.s spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): processing vendor id payload
ISAKMP (0): remote peer supports dead peer detection
ISAKMP (0): SA has been authenticated
return status is IKMP_NO_ERROR
VPN Peer: ISAKMP: Peer ip:d.d.d.d/500 Ref cnt incremented to:4 Total VPN Peers:1
ISAKMP (0): deleting SA: src s.s.s.s, dst d.d.d.d
ISADB: reaper checking SA 0x137cc64, conn_id = 0
ISADB: reaper checking SA 0x12ecb04, conn_id = 0 DELETE IT!
VPN Peer: ISAKMP: Peer ip:d.d.d.d/500 Ref cnt decremented to:3 Total VPN Peers:1
ISADB: reaper checking SA 0x137cc64, conn_id = 0
10-04-2012 06:10 AM
Not quite. It doesn't really tell what is failing.
Can you please share the output of:
show cry isa sa
show cry ipsec sa
from both PIX, and also run the debugs again on both PIX (debug cry isa, and debug cry ipsec).
Plus config from both PIX would be great.