cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
891
Views
0
Helpful
4
Replies

VPN - Pix 515e to Cisco router

dgeorgeadis
Level 1
Level 1

I have the following configuration and I can't seem to get the tunnel to come up. My end is a PIX 515e running 7.2(4).The other end is a Cisco router of some sort - not sure of the model or IOS version.

PIX:

access-list 90 extended permit ip host a.a.a.a host b.b.b.b

nat (inside) 0 access-list 90

crypto map mymap 20 match address 90
crypto map mymap 20 set peer x.x.x.x
crypto map mymap 20 set transform-set strong
crypto map mymap interface outside
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp policy 8
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400

tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
pre-shared-key 12345

Router:

ip access-list extended SDM_5

  permit ip host b.b.b.b host a.a.a.a

crypto isakmp key 12345 address y.y.y.y no-xauth

crypto map SDM_CMAP_1 5 ipsec-isakmp

  description vpn to Lab

  set peer y.y.y.y

  set transform-set ESP-3DES-SHA

  match address SDM_5

I am running the following debugs:


debug crypto ipsec enabled at level 1
debug crypto isakmp enabled at level 1

I get the following output from debug:

Aug 16 04:16:10 [IKEv1]: IP = x.x.x.x, Removing peer from peer table failed, no match!
Aug 16 04:16:10 [IKEv1]: IP = x.x.x.x, Error: Unable to remove PeerTblEntry

sh isa sa

   IKE Peer: x.x.x.x
    Type    : user            Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG2

Any ideas?

Thanks,

Dave

1 Accepted Solution

Accepted Solutions

Jennifer Halim
Cisco Employee
Cisco Employee

If you are seeing MM_WAIT_MSG2, that means that the peer (the other side) does not response and this side where the MM_WAIT_MSG2 status is seen has sent the first IKE message out, however, did not hear back from the peer.

You might want to check if UDP/500 is blocked along the path between the 2 sites.

Try to initiate the traffic from the other side and see if you are also getting the same status of MM_WAIT_MSG2. If you do, that confirms 100% that UDP/500 is being blocked along the way  between the 2 sites.

View solution in original post

4 Replies 4

Jennifer Halim
Cisco Employee
Cisco Employee

If you are seeing MM_WAIT_MSG2, that means that the peer (the other side) does not response and this side where the MM_WAIT_MSG2 status is seen has sent the first IKE message out, however, did not hear back from the peer.

You might want to check if UDP/500 is blocked along the path between the 2 sites.

Try to initiate the traffic from the other side and see if you are also getting the same status of MM_WAIT_MSG2. If you do, that confirms 100% that UDP/500 is being blocked along the way  between the 2 sites.

Thanks,


I'm going to have the connection initated from the other side as you suggest, and checking to see if anything is in front of the router that could be blocking UDP 500.

Can u plz check if u hv enabled isakmp on interface also applied cryptomap as well

dgeorgeadis
Level 1
Level 1

Thanks for the feedback. It turns out that the admin if the router side gave me the incorrect IP of the router. Everything is working fine now.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: