08-16-2010 07:58 AM
I have the following configuration and I can't seem to get the tunnel to come up. My end is a PIX 515e running 7.2(4). The other end is a Cisco router of some sort - not sure of the model or IOS version.
PIX:
access-list 90 extended permit ip host a.a.a.a host b.b.b.b
nat (inside) 0 access-list 90
crypto map mymap 20 match address 90
crypto map mymap 20 set peer x.x.x.x
crypto map mymap 20 set transform-set strong
crypto map mymap interface outside
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp policy 8
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
pre-shared-key 12345
Router:
ip access-list extended SDM_5
permit ip host b.b.b.b host a.a.a.a
crypto isakmp key 12345 address y.y.y.y no-xauth
crypto map SDM_CMAP_1 5 ipsec-isakmp
description vpn to Lab
set peer y.y.y.y
set transform-set ESP-3DES-SHA
match address SDM_5
I am running the following debugs:
debug crypto ipsec enabled at level 1
debug crypto isakmp enabled at level 1
I get the following output from debug:
Aug 16 04:16:10 [IKEv1]: IP = x.x.x.x, Removing peer from peer table failed, no match!
Aug 16 04:16:10 [IKEv1]: IP = x.x.x.x, Error: Unable to remove PeerTblEntry
sh isa sa
IKE Peer: x.x.x.x
Type : user Role : initiator
Rekey : no State : MM_WAIT_MSG2
Any ideas?
Thanks,
Dave
08-16-2010 02:37 PM
If you are seeing MM_WAIT_MSG2, that means that the peer (the other side) does not respond, and this side, where the MM_WAIT_MSG2 status is seen, has sent the first IKE message out but did not hear back from the peer.
You might want to check if UDP/500 is blocked along the path between the 2 sites.
Try to initiate the traffic from the other side and see if you are also getting the same status of MM_WAIT_MSG2. If you do, that confirms 100% that UDP/500 is being blocked along the way between the 2 sites.
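As an added example (not from the original thread or from Cisco), the following Python script parses "show isakmp sa" output of the shape quoted above and turns the Main Mode state into the first thing to check, with MM_WAIT_MSG2 mapped to the UDP/500 and wrong-peer-address checks this answer describes. The sample output is constructed to match the thread; the hints for the other MM_WAIT states are derived from the six-message IKEv1 Main Mode exchange and are a simplification.

```python
import re
from typing import Dict, List

# Constructed sample shaped like the "show isakmp sa" output quoted in the thread.
SAMPLE_SHOW_ISAKMP_SA = """\
   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: x.x.x.x
    Type    : user            Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG2
"""

# What each IKEv1 Main Mode state means for the local device and what to check first.
# Main Mode is six messages: 1-2 SA proposal, 3-4 key exchange, 5-6 identity/auth.
# MM_WAIT_MSGn means "waiting for message n". Only the MSG2 entry comes from the
# thread; the others follow the same pattern and are a simplified assumption.
MM_MEANING: Dict[str, str] = {
    "MM_WAIT_MSG2": "MM1 sent, no MM2 back: check UDP/500 along the path and confirm "
                    "the peer address with the remote admin (wrong peer IP looks the same)",
    "MM_WAIT_MSG3": "MM2 sent as responder, waiting for the initiator's key exchange (MM3)",
    "MM_WAIT_MSG4": "MM3 sent, waiting for the responder's key exchange (MM4); "
                    "check ISAKMP policy match",
    "MM_WAIT_MSG5": "MM4 sent as responder, waiting for the initiator's identity/auth (MM5)",
    "MM_WAIT_MSG6": "MM5 sent, waiting for the responder's identity/auth (MM6); "
                    "a pre-shared key or identity mismatch commonly sticks here",
    "MM_ACTIVE": "Phase 1 is up; look at Phase 2 (crypto map / interesting traffic) instead",
}

PEER_RE = re.compile(r"IKE Peer:\s*(\S+)")
ROLE_RE = re.compile(r"Role\s*:\s*(\S+)")
STATE_RE = re.compile(r"State\s*:\s*(\S+)")


def parse_isakmp_sa(text: str) -> List[Dict[str, str]]:
    """Return one {peer, role, state} dict per 'IKE Peer:' block in the output."""
    entries: List[Dict[str, str]] = []
    # Split just before each "IKE Peer:" so every chunk holds one SA's lines.
    for chunk in re.split(r"(?=IKE Peer:)", text):
        peer = PEER_RE.search(chunk)
        if not peer:
            continue  # header lines such as "Active SA: 1"
        role = ROLE_RE.search(chunk)
        state = STATE_RE.search(chunk)
        entries.append({
            "peer": peer.group(1),
            "role": role.group(1) if role else "unknown",
            "state": state.group(1) if state else "unknown",
        })
    return entries


def diagnose(entry: Dict[str, str]) -> str:
    """Map one parsed SA entry to a one-line troubleshooting hint."""
    state = entry["state"]
    hint = MM_MEANING.get(state, "state not in table; consult the platform documentation")
    return f"peer {entry['peer']} ({entry['role']}) in {state}: {hint}"


def stuck_peers(text: str) -> List[str]:
    """Peers whose Phase 1 SA is not established (anything other than MM_ACTIVE)."""
    return [e["peer"] for e in parse_isakmp_sa(text) if e["state"] != "MM_ACTIVE"]


if __name__ == "__main__":
    for sa in parse_isakmp_sa(SAMPLE_SHOW_ISAKMP_SA):
        print(diagnose(sa))
```

Paste the real "show isakmp sa" output in place of the constructed sample; the parser only relies on the "IKE Peer:", "Role :" and "State :" labels, so it copes with the extra counters the PIX prints above the table.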
08-16-2010 03:29 PM
Thanks,
I'm going to have the connection initiated from the other side as you suggest, and check to see if anything is in front of the router that could be blocking UDP 500.
08-17-2010 05:22 AM
Can you please check if you have enabled ISAKMP on the interface and also applied the crypto map?
08-19-2010 07:22 AM
Thanks for the feedback. It turns out that the admin of the router side gave me the incorrect IP of the router. Everything is working fine now.