VPN Pix v.7

conred
Level 1

I have set a VPN L2L connection between a Cisco Pix 515 v.7 and a VPN concentrator 3005.

The Tunnel works fine when the Pix part initiates the connection but there is no way to start the tunnel from the concentrator side.

I get the following errors:

Concentrator side:

40936 07/22/2005 12:16:43.040 SEV=4 IKE/41 RPT=7451 80.33.221.49

IKE Initiator: New Phase 1, Intf 2, IKE Peer 80.33.221.49

local Proxy Address 172.22.1.26, remote Proxy Address 172.200.0.2,

SA (L2L: zzzz)

40939 07/22/2005 12:16:43.110 SEV=5 IKEDBG/64 RPT=8056 80.33.221.49

IKE Peer included IKE fragmentation capability flags:

Main Mode: True

Aggressive Mode: True

40941 07/22/2005 12:16:43.680 SEV=4 IKE/119 RPT=14967 80.33.221.49

Group [80.33.221.49]

PHASE 1 COMPLETED

40942 07/22/2005 12:16:43.690 SEV=4 AUTH/22 RPT=13415

User [80.33.221.49] Group [80.33.221.49] connected, Session Type: IPSec/LAN-to-LAN

40944 07/22/2005 12:16:43.690 SEV=4 AUTH/84 RPT=3696

LAN-to-LAN tunnel to headend device 80.33.221.49 connected

40945 07/22/2005 12:16:43.780 SEV=5 IKE/68 RPT=2120 80.33.221.49

Group [80.33.221.49]

Received non-routine Notify message: Invalid ID info (18)

40946 07/22/2005 12:16:43.790 SEV=5 IKE/50 RPT=19961 80.33.221.49

Group [80.33.221.49]

Connection terminated for peer 80.33.221.49.

Reason: Peer Terminate

Remote Proxy N/A, Local Proxy N/A

40949 07/22/2005 12:16:43.800 SEV=4 AUTH/23 RPT=3705 80.33.221.49

User [80.33.221.49] Group [80.33.221.49] disconnected: duration: 0:00:00

Pix side:

Jul 22 2005 12:16:33 : %PIX-3-713119: Group = 195.53.213.2, IP = 195.53.213.2, PHASE 1 COMPLETED

Jul 22 2005 12:16:33 : %PIX-5-713904: QM IsRekeyed old sa not found by addr

Jul 22 2005 12:16:33 : %PIX-3-713061: Group = 195.53.213.2, IP = 195.53.213.2, Tunnel rejected: Crypto Map Policy not found for Src:172.22.1.26, Dst: 172.200.0.2!

Jul 22 2005 12:16:33 : %PIX-3-713902: QM FSM error (P2 struct &0x204c058, mess id 0xedeedb50)!

Jul 22 2005 12:16:33 : %PIX-3-713902: Group = 195.53.213.2, IP = 195.53.213.2, Removing peer from correlator table failed, no match!

Jul 22 2005 12:16:33 : %PIX-4-113019: Group = 195.53.213.2, Username = 195.53.213.2, IP = 195.53.213.2, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Unknown

Jul 22 2005 12:16:33 : %PIX-5-713904: IP = 195.53.213.2, Received encrypted packet with no matching SA, dropping


gfullage
Cisco Employee

This looks like your access-lists don't match on both sides; they need to be the EXACT opposite of each other.

On the VPN3000 L2L config you have 172.22.1.26 configured as the Local Network, and 172.200.0.2 as the Remote Network.

This means your PIX crypto ACL should be something like:

access-list crypto permit ip host 172.200.0.2 host 172.22.1.26

Check both sets of access/network lists and make sure they're the exact opposite of each other.
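As an added illustration of the mirroring rule described above (this is not code from the thread or from Cisco), the snippet below parses the PIX's `%PIX-3-713061` rejection message quoted in the question, parses a PIX crypto ACE, and reports whether the ACE is the exact mirror of the proxy identities the peer proposed. The log line and ACEs are constructed from the addresses in the thread; the `A MASK` ACL form is handled as an assumption about PIX ACL syntax.

```python
import ipaddress
import re

# Constructed sample input, built from the addresses quoted in the thread.
PIX_REJECTION = ("%PIX-3-713061: Group = 195.53.213.2, IP = 195.53.213.2, Tunnel rejected: "
                 "Crypto Map Policy not found for Src:172.22.1.26, Dst: 172.200.0.2!")
# The ACE suggested in the reply above, and a deliberately inverted one for comparison.
ACE_OK = "access-list crypto permit ip host 172.200.0.2 host 172.22.1.26"
ACE_BAD = "access-list crypto permit ip host 172.22.1.26 host 172.200.0.2"

ADDR = r"(\d{1,3}(?:\.\d{1,3}){3})"


def _network(tokens):
    """Turn the two ACL tokens 'host A' or 'A MASK' into an ipaddress network.
    PIX ACLs use real subnet masks, so 'A MASK' maps straight onto a network."""
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1])
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False)


def parse_crypto_ace(ace):
    """Return (local_net, remote_net) from 'access-list NAME permit ip <src> <dst>'."""
    toks = ace.split()
    if toks[:1] != ["access-list"] or toks[2:4] != ["permit", "ip"]:
        raise ValueError(f"not a 'permit ip' crypto ACE: {ace}")
    return _network(toks[4:6]), _network(toks[6:8])


def parse_rejected_proxies(line):
    """Extract (src, dst) from a %PIX-3-713061 'Crypto Map Policy not found' message.
    Src is the peer's local network; Dst is the peer's view of our network."""
    m = re.search(rf"Src:\s*{ADDR},\s*Dst:\s*{ADDR}", line)
    if not m:
        return None
    return ipaddress.ip_network(m.group(1)), ipaddress.ip_network(m.group(2))


def ace_mirrors_proposal(ace, line):
    """True when the ACE is the exact mirror of the peer's proposal:
    ACE source == peer Dst and ACE destination == peer Src."""
    proxies = parse_rejected_proxies(line)
    if proxies is None:
        return False
    peer_src, peer_dst = proxies
    local, remote = parse_crypto_ace(ace)
    return local == peer_dst and remote == peer_src


if __name__ == "__main__":
    for ace in (ACE_OK, ACE_BAD):
        print(f"{ace!r}: mirrors proposal = {ace_mirrors_proposal(ace, PIX_REJECTION)}")
```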

Hello,

thank you for your reply. That is exactly what I thought at first, but both access lists are exact opposites of each other. Otherwise the tunnel would not work at all. And the problem I have is that it does work when the host on the PIX's side starts the connection, but it does not work when it is the concentrator's side that starts the connection.