test for ISAKMP/IPSec port being available

Jul 31st, 2007

I suspect that the ISP managed router that is sitting in front of my PIX is somehow blocking ISAKMP (UDP 500) packets from reaching my PIX. Is there a way I can test if this is the case? Maybe something like telnetting to port 25 to see if an SMTP host is responding or something similar?

srue Tue, 07/31/2007 - 12:03

What model PIX and what OS version? Is there a LAN switch that connects the PIX and the ISP managed router?

You have a couple of options...

Capturing traffic on the PIX...

Using SPAN if there's a switch between the two.

Last but not least, call the ISP and ask them.

Jon Marshall Tue, 07/31/2007 - 12:15
In addition to all Steven's suggestions you could run "debug crypto isa" and then initiate a connection. If you see nothing on your pix then yes it could be getting blocked.


purohit_810 Tue, 07/31/2007 - 12:20
You can use Ethereal and the TCPDUMP utility.

It will show you easily how traffic flows between the two devices.

Sniffer: You can SPAN the switch port and use the EtherPeek NX analyzer. You will get the idea.

3) Implement the following (the values in braces are placeholders for your own addresses; the last line starts the capture on the outside interface using that access-list):

access-list capin permit ip host {Firewall Outside IP} host {Router Outside IP}
access-list capin permit ip host {Router Outside IP} host {Firewall Outside IP}
access-list capin permit ip host {Firewall Outside IP} host {Router IP}
access-list capin permit ip host {Router IP} host {Firewall Outside IP}
capture capin access-list capin interface outside

See the show capture capin command output.


Dharmesh Purohit
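Added example, not from any post in this thread: a small Python script that reads the output of the PIX "show capture capin" command suggested above and reports whether ISAKMP (UDP 500) packets actually reached the outside interface, distinguishing "nothing on UDP 500 at all" from "we send, nothing ever comes back". The line format of show capture and the addresses in the sample are assumed and constructed, not taken from the thread.

```python
import re
from collections import Counter

# One packet line of PIX/ASA "show capture <name>" output. Format assumed from typical
# output, e.g. "   1: 12:03:44.123456 192.0.2.10.500 > 198.51.100.5.500:  udp 184"
LINE_RE = re.compile(
    r"^\s*\d+:\s+\S+\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+udp\s+(?P<length>\d+)"
)

ISAKMP_PORT = 500

def parse_capture(text):
    """Return one dict per UDP packet line; header/footer and TCP lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            fields = m.groupdict()
            packets.append({k: (int(v) if k in ("sport", "dport", "length") else v)
                            for k, v in fields.items()})
    return packets

def isakmp_summary(text, outside_ip):
    """Count UDP 500 packets leaving and arriving at the firewall's outside address.
    Verdicts: 'ok' (inbound ISAKMP seen), 'outbound_only' (our packets leave but the
    peer's replies never arrive: upstream filtering or peer down), 'none' (no UDP 500
    at all: check the capture ACL, or nothing is trying to build the tunnel)."""
    counts = Counter()
    for p in parse_capture(text):
        if ISAKMP_PORT not in (p["sport"], p["dport"]):
            continue
        if p["src"] == outside_ip:
            counts["outbound"] += 1
        elif p["dst"] == outside_ip:
            counts["inbound"] += 1
    verdict = "ok" if counts["inbound"] else ("outbound_only" if counts["outbound"] else "none")
    return {"outbound": counts["outbound"], "inbound": counts["inbound"], "verdict": verdict}

# Constructed sample: the PIX (192.0.2.10) retransmits Main Mode message 1 and hears nothing back.
SAMPLE_CAPTURE = """\
3 packets captured
   1: 12:03:44.123456 192.0.2.10.500 > 198.51.100.5.500:  udp 184
   2: 12:03:54.130011 192.0.2.10.500 > 198.51.100.5.500:  udp 184
   3: 12:04:04.135902 192.0.2.10.500 > 198.51.100.5.500:  udp 184
3 packets shown
"""

if __name__ == "__main__":
    print(isakmp_summary(SAMPLE_CAPTURE, "192.0.2.10"))
    # → {'outbound': 3, 'inbound': 0, 'verdict': 'outbound_only'}
```

Paste the real show capture output into SAMPLE_CAPTURE (or read it from a file) and pass the PIX outside address; a result of "none" while a remote peer is actively trying to connect is the symptom the original question describes.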

DIEGO ALONSO Wed, 08/01/2007 - 19:12
Thanks for all your help guys. I had already called the ISP and was told that there was no blocking. I called again, got a different tech, and my problem was solved when the 2nd tech reconfigured the router fronting my PIX.



srue Thu, 08/02/2007 - 05:10

that usually means something was being blocked and they didn't want to admit it the second time - and the first time you called they didn't even look at it. Same thing has happened to me before.