VPN not linking

cknipe
Level 1

Something strange. This is on a PIX 6.3(1)

Config:

crypto map flamer 90 ipsec-isakmp
crypto map flamer 90 match address h3
crypto map flamer 90 set peer x.x.x.x
crypto map flamer 90 set transform-set esp-3des-sha
crypto map flamer 90 set security-association lifetime seconds 3600
isakmp policy 90 authentication pre-share
isakmp policy 90 hash sha
isakmp policy 90 encryption 3des
isakmp policy 90 group 2
isakmp policy 90 lifetime 86400
isakmp key <removed> address x.x.x.x netmask 255.255.255.255
access-list h3 line 1 permit ip a.a.a.a 255.255.255.192 host b.b.b.b (hitcnt=28)

The moment anything from a.a.a.a/29 accesses b.b.b.b, debug crypto ipsec shows:

IPSEC(sa_initiate): ACL = deny; no sa created

And the *really* strange part, my isakmp policy 90 is missing from the running config... not there... as if it was never configured.

Uhm, help???????? :(
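An added example, not code from this thread: a small Python model of the crypto map's match-address check, using constructed RFC 5737 addresses in place of the masked a.a.a.a and b.b.b.b. It shows which flows the posted ACL would treat as interesting traffic and which fall through to the implicit deny behind "ACL = deny; no sa created", and mask_to_prefix shows that a 255.255.255.192 mask is a /26 (the post refers to the source range as a /29).

```python
import ipaddress

# Constructed stand-ins for the masked a.a.a.a / b.b.b.b in the post. The ACL
# is in PIX 6.x form: a real subnet mask follows the source address, so
# 255.255.255.192 covers a /26 (64 addresses), and "host" means a /32.
CRYPTO_ACL = [
    "access-list h3 line 1 permit ip 192.0.2.0 255.255.255.192 "
    "host 198.51.100.10 (hitcnt=28)",
]

def mask_to_prefix(mask: str) -> int:
    """Prefix length of a dotted subnet mask, e.g. 255.255.255.192 -> 26."""
    return ipaddress.ip_network(f"0.0.0.0/{mask}").prefixlen

def _take_addr(toks):
    """Consume one PIX address spec ('any', 'host X', or 'X MASK')."""
    if toks[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), toks[1:]
    if toks[0] == "host":
        return ipaddress.ip_network(f"{toks[1]}/32"), toks[2:]
    return ipaddress.ip_network(f"{toks[0]}/{toks[1]}", strict=False), toks[2:]

def parse_acl(line: str):
    """Parse 'access-list NAME [line N] permit|deny ip SRC DST [(hitcnt=N)]'."""
    toks = line.split()
    if toks[2] == "line":            # 'show access-list' prints a line index
        del toks[2:4]
    if toks[-1].startswith("(hitcnt="):
        toks.pop()                   # and a hit counter; neither is config
    action, proto = toks[2], toks[3]
    if proto != "ip":
        raise ValueError("this example only models protocol-wide 'ip' entries")
    src, rest = _take_addr(toks[4:])
    dst, _ = _take_addr(rest)
    return action, src, dst

def sa_decision(acl_lines, src_ip: str, dst_ip: str) -> str:
    """First matching entry decides; no match is the implicit deny that
    shows up as 'IPSEC(sa_initiate): ACL = deny; no sa created'."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for line in acl_lines:
        action, src_net, dst_net = parse_acl(line)
        if s in src_net and d in dst_net:
            return action
    return "deny"

if __name__ == "__main__":
    for flow in [("192.0.2.5", "198.51.100.10"), ("192.0.2.70", "198.51.100.10")]:
        print(flow, "->", sa_decision(CRYPTO_ACL, *flow))
```

Run it with the real crypto ACL lines from show access-list to see whether a failing flow is even a candidate for an SA before chasing the peer.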

Accepted Solution

jmia
Level 7

Chris,

Use the following document to troubleshoot:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094761.shtml

Also, can you issue: clear crypto ipsec sa

and : clear crypto isakmp sa

On your debug it shows that there is an ACL that is denying SA creation!!

If you are still stuck then please post your PIX config (take out any sensitive info) and I'll take a look, or if you like you can post it to me at: jmia@ohgroup.co.uk

Jay



Uhm.. Thanks Jay, you were right.

Small ACL glitch on my side, MAJOR mess up on the other side of the VPN, which is a 3rd party company. I have had them on the phone for about 30 minutes now while they try and figure out what is blocking us on their Check Points... -g- Will be resolved soon. Thanks.

--

Chris.

Chris, glad to be of help. Maybe you need to pass on the following to your third party:

IPsec VPN Between PIX and Check Point 4.1

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008009420f.shtml

or

IPSec VPN Between PIX and Check Point NG

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800ef796.shtml

Let me know if you need any further help.

Jay