L2L IPSEC VPN between PIX 515E and CVPN 3020

Unanswered Question
Aug 9th, 2007
User Badges:

Hello All,


I have a L2L VPN setup between a PIX 515E and a 3020 concentrator. On the PIX side, I have a single subnet; behind the 3020 I have 4 subnets.


The tunnel will work initially but will then drop one of the IPSEC SA for one of the subnets, at least according to a sh crpyto ipsec sa on the PIX, at random durations. The only way to get it working again is to re-establish the tunnel.


I did a debug on the PIX side and looked at the logs on the 3020 and I do see QM FSM errors but I double checked the crypto map and network lists on both sides and they match up in order.


I also tried playing with IKE keepalives per an older thread with no luck either. Any idea what else should I be checking? There's also occasionally a phase 2 authentication duplicate error that I'm looking into now as well.


It's weird because it does work and sometimes for days on end but recently it's been dropping subnets more frequently.


One other item: 1 of the 4 subnets behind the 3020 is actually hairpinning since it is a remote access VPN network. Not sure if it makes a difference.


Any suggestions? Thanks in advance.


-CS

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
amritpatek Thu, 08/16/2007 - 09:30
User Badges:
  • Silver, 250 points or more

I think that the QM FSM syslog, in and of itself, does not tell a very complete story and the syslogs preceding and following this syslog are needed to properly diagnose any potential problems. The phase 2 authentication duplicate error usually occurs when there is some problem in configuration usually on 3k concentrator. I think you should check the configuration on VPN concentrator.

Actions

This Discussion