Looking for ideas - Site-to-Site VPN Won't Come Up

Unanswered Question

I know this is a bit general, but I could really use some ideas on what else to check.

We have had a site-to-site VPN up and running for several months. As of last Monday, the tunnel will no longer come up when traffic is initiated from my side of the tunnel. The tunnel will come up when initiated from the other side. But, my hosts are the initiators of the traffic so we need to be able to bring up the tunnel.

Nothing changed in my PIX 515 (v6.3.5). The other side is an ASA 5540 (v7.1) and there are changes made on that end frequently. I do not control or have access to that device.

It appears that when I initiate traffic, Phase 1 completes. Then, when I propose Phase 2 - there is no response from the other side.

My basic question is - what can cause that?

We both have TAC cases open and aren't getting anywhere. We have both rebooted a number of times. We have both completely ripped out all ACLs and Crypto Maps and Tunnel-Groups (on the ASA) and then reconfigured using different names/numbers. Nothing seems to help.

I know this is difficult without any configuration or debug info, but if anyone can provide a few things for us to look for I would appreciate it. There are no apparent errors or failures in the debugs on my side and he says the same about the other side. But, I can see Logging messages indicating that my device is tearing down the tunnel because there is not response from the other device.

I appreciate any advice or comments anyone may have!

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.

Hi Mike

I know my answer is a bit general, if more information could be provided then I think I would be able to help more. I have broken the IPSEC into 5 steps, if you could check all the configuration.

IPsec negotiation can be broken down into five steps, and includes two Internet Key Exchange (IKE) phases.

An IPsec tunnel is initiated by interesting traffic. Traffic is considered interesting when it travels between the IPsec peers.

In IKE Phase 1, the IPsec peers negotiate the established IKE Security Association (SA) policy. Once the peers are authenticated, a secure tunnel is created using Internet Security Association and Key Management Protocol (ISAKMP).

In IKE Phase 2, the IPsec peers use the authenticated and secure tunnel to negotiate IPsec SA transforms. The negotiation of the shared policy determines how the IPsec tunnel is established.

The IPsec tunnel is created and data is transferred between the IPsec peers based on the IPsec parameters configured in the IPsec transform sets.

The IPsec tunnel terminates when the IPsec SAs are deleted or when their lifetime expires.

Note: IPsec negotiation between the two PIXes fails if the SAs on both of the IKE phases do not match on the peers.

If you are able to provide the config + which version of 7.1 the other side is on.

What changes have been made on the remote side are they able to share this with you?

Regards MJ

MJ, thanks for your comments. This issue has been resolved.

After spending 2 hours on the phone with TAC, who had remote access to both devices, they concluded that the configurations where correct but it just wasn't working. So, they suggested a reboot of my PIX. This resolved the issue.

After explaining that we had rebooted both devices numerous times over the previous 4 days, TAC had no explanation for the problem.

I do not feel good about it, but it is working and has been reliable since then.

Thanks again for offering to help!

Actions

This Discussion