PIX VPN error

a.crippa · ‎03-20-2007

Hi to all,

I have a PIX 506e (6.3.1), it works fine with site2site VPN from 3 years.

Last week ask me to make a new VPN with a brach office (I don't admin anything of the branch office), I create a classic VPN on my PIX (preshared key 3des sha), but it not works.

With command "sh crypto isakmp sa" I see the tunnel in QM_IDLE status like other VPNs, but traffic doesn't pass and the other adminstrator say me that it's firewall doesn't complete the authentications (is it possible?).

If I do command "sh crypto ipsec sa" I see the "send errors" what it's mean?

this the show

current_peer: 80.16.55.186:0

PERMIT, flags={origin_is_acl,}

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0

#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0

#send errors 115, #recv errors 0

local crypto endpt.: 82.119.200.18, remote crypto endpt.: 80.16.55.186

path mtu 1500, ipsec overhead 0, media mtu 1500

current outbound spi: 0

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

local ident (addr/mask/prot/port): (172.17.1.232/255.255.255.255/0/0)

remote ident (addr/mask/prot/port): (172.16.0.0/255.255.0.0/0/0)

thnak a lot

Augusto.

ggilbert · ‎03-20-2007

Augusto,

Can you please look into your NAT exemption ACL and also your ACL should match with what the remote peer has configured. It should be mirror image.

Seems like you have an ACL as follows

access-list per ip host 172.17.1.232 172.16.0.0 255.255.0.0

Please make sure that they have the proper NAT exemption for that.

Thanks

Gilbert

Rate this post, if it helps.

a.crippa · ‎03-20-2007

Hi,

I check the NAT execmption ACL and thare are this rules (I try also to create the VPN with PDM) so I think the ACL rules is right!

access-list inside_access_in permit ip any any

access-list outside_access_in permit icmp any any

access-list outside_access_in permit ip 217.22.252.120 255.255.255.248 any

access-list outside_access_in permit ip 192.168.1.0 255.255.255.0 172.17.1.0 255.255.255.0

access-list outside_access_in permit ip 172.16.0.0 255.255.0.0 82.119.200.0 255.255.255.0

access-list outside_access_in permit ip 192.168.245.0 255.255.255.0 172.17.1.0 255.255.255.0

access-list outside_access_in permit tcp object-group cantel_external_fino host 82.119.200.20 object-group as400

access-list outside_access_in permit tcp host 82.119.198.154 host 82.119.200.19 object-group as400

access-list outside_access_in permit tcp host 82.119.198.154 host 82.119.200.19 eq ftp

access-list outside_access_in permit tcp object-group cantel_external_fino host 82.119.200.22 object-group cantel2

access-list outside_access_in permit tcp object-group cantel_external_fino host 82.119.200.21 object-group cantel1

access-list outside_access_in permit tcp object-group Easynet_server host 82.119.200.21 eq smtp

access-list outside_access_in remark da eliminare tra un po'

access-list inside_outbound_nat0_acl permit ip 172.17.1.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list inside_outbound_nat0_acl permit ip host 172.17.1.232 172.16.0.0 255.255.0.0

access-list inside_outbound_nat0_acl permit ip 172.17.1.0 255.255.255.0 192.168.0.0 255.255.255.0

access-list inside_outbound_nat0_acl permit ip 172.17.1.0 255.255.255.0 10.39.0.0 255.255.240.0

access-list inside_outbound_nat0_acl permit ip 172.17.1.0 255.255.255.0 192.168.245.0 255.255.255.0

access-list inside_outbound_nat0_acl permit ip 172.17.1.0 255.255.255.0 172.17.1.192 255.255.255.192

access-list outside_cryptomap_20 permit ip 172.17.1.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list outside_cryptomap_40_1 permit ip host 172.17.1.232 172.16.0.0 255.255.0.0

access-list outside_cryptomap_60 permit ip 172.17.1.0 255.255.255.0 192.168.0.0 255.255.255.0

access-list outside_cryptomap_80 permit ip 172.17.1.0 255.255.255.0 10.39.0.0 255.255.240.0

access-list outside_cryptomap_80 permit ip 172.17.1.0 255.255.255.0 192.168.245.0 255.255.255.0

In my first post I send the wrong sh crypto isakmp sa the right is it.

local ident (addr/mask/prot/port): (172.17.1.0/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (192.168.245.0/255.255.255.0/0/0)

current_peer: 80.16.55.186:0

PERMIT, flags={origin_is_acl,}

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0

#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0

#send errors 16, #recv errors 0

local crypto endpt.: 82.119.200.18, remote crypto endpt.: 80.16.55.186

path mtu 1500, ipsec overhead 0, media mtu 1500

current outbound spi: 0

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

thank a lot

Augusto

ggilbert · ‎03-20-2007

Augusto,

Seems like there is a problem with the IPSec SA creation.

Can you please clear the tunnel for the peer and can you turn on the following debugs

deb cry isa sa

deb cry ipsec sa

Try to pass traffic and get me the outputs.

Output of

sh run | in nat

a.crippa · ‎03-21-2007

Hi,

I discover which is my problem, the other firewall (Cyberguard) use as "endpoint" the IP address, instead in the pix as default endpoint is the "hostname", so if I force to send IP address it works!

Thank a lot for your help.

Augusto.