PIX535 VPN Remote peer issue

husycisco Mon, 12/03/2007 - 06:28

Hi russell

How do you detect that it picks a wrong IP? Any syslog output?


Regards

Hi - normally the customer lets us know that it has stopped working and issuing the command "sh crypto ipsec sa" confirms that the peer is 50.0.0.0

(local ident (addr/mask/prot/port): AXA_ftpap001/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (192.168.1.1/255.255.255.255/0/0)
current_peer: 50.0.0.0:0)

local crypto endpt.: TheAAPIX_Peer, remote crypto endpt.: 50.0.0.0


After a reboot the same command outputs the correct peer information (AXA_Peer) for about a week then the same thing happens again.


Here is the relevant config for this connection. Line 2 on the ACL is the only one that gets used.


name x.x.x.x AXA_Peer
name x.x.x.x AXA_ftpap001

access-list AXA permit tcp host 192.168.1.1 host AXA_ftpap001 eq 1363
access-list AXA permit tcp host 192.168.1.1 host AXA_ftpap001 eq 1364
access-list AXA permit tcp host TheAA_FTP host AXA_ftpap001 eq 1363
access-list AXA permit tcp host TheAA_FTP host AXA_ftpap001 eq 1364
access-list AXA permit ip host 192.168.1.1 host AXA_ftpap001
access-list AXA permit tcp host AXA_ftpap001 host 192.168.1.1 eq 1364
access-list AXA permit tcp host AXA_ftpap001 host 192.168.1.1 eq 1363
access-list AXA permit ip host AXA_ftpap001 host 192.168.1.1
access-list AXA permit tcp host AXA_ftpap001 host TheAA_FTP eq 1363
access-list AXA permit tcp host AXA_ftpap001 host TheAA_FTP eq 1364
access-list AXA permit ip host AXA_ftpap001 host TheAA_FTP

access-list AXA1 permit ip host TheAA_FTP host AXA_ftpap001

static (dmz_v905,outside) 192.168.1.1 access-list AXA1 0 0

crypto map aa3party 250 ipsec-isakmp
crypto map aa3party 250 match address AXA
crypto map aa3party 250 set peer AXA_Peer
crypto map aa3party 250 set transform-set aa

isakmp key ******** address AXA_Peer netmask 255.255.255.255 no-xauth no-config-mode

crypto ipsec transform-set aa esp-3des esp-md5-hmac




ajagadee Mon, 12/03/2007 - 06:48

Can you provide some additional information on this issue?


Also, make sure that you don't have overlapping access-lists, meaning the same destination network configured for two different peers.


Regards,

Arul

I have just rebooted the PIX and as you can see below the correct peer information is there and the file transfer is now working.


local ident (addr/mask/prot/port): (AXA_ftpap001/255.255.255.255/6/0)
remote ident (addr/mask/prot/port): (192.168.1.1/255.255.255.255/6/1364)
current_peer: AXA_Peer:0
PERMIT, flags={origin_is_acl,reassembly_needed,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: TheAAPIX_Peer, remote crypto endpt.: AXA_Peer
path mtu 1500, ipsec overhead 0, media mtu 1500
current outbound spi: 0

inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
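Arul's advice to look for overlapping crypto ACLs, and russell's habit of comparing the current_peer in "sh crypto ipsec sa" with the peer the crypto map should have selected, can both be turned into an offline check. The script below is an added example and not part of the thread or any Cisco tool: it parses PIX-style "name", "access-list ... host A host B" and "crypto map" lines, reports flows that are bound to more than one peer, and compares the current_peer of an SA against the peer of the lowest-sequence crypto map entry whose ACL matches the SA's idents (PIX evaluates crypto map entries in sequence order). The config and show excerpts are constructed: the addresses, the second crypto map entry (seq 260) and its 50.0.0.0 peer were invented so the overlap has something to find; only "host X host Y" ACEs are handled.

```python
import re
from collections import defaultdict

# Constructed sample in the style of the PIX config posted in the thread.
# Addresses and the seq 260 entry with peer 50.0.0.0 are invented.
SAMPLE_CONFIG = """\
name 203.0.113.10 AXA_Peer
name 10.20.30.40 AXA_ftpap001
access-list AXA permit tcp host 192.168.1.1 host AXA_ftpap001 eq 1363
access-list AXA permit ip host 192.168.1.1 host AXA_ftpap001
access-list AXA permit ip host AXA_ftpap001 host 192.168.1.1
access-list OTHER permit ip host 192.168.1.1 host AXA_ftpap001
crypto map aa3party 250 ipsec-isakmp
crypto map aa3party 250 match address AXA
crypto map aa3party 250 set peer AXA_Peer
crypto map aa3party 260 ipsec-isakmp
crypto map aa3party 260 match address OTHER
crypto map aa3party 260 set peer 50.0.0.0
"""

# Constructed excerpt of "show crypto ipsec sa" for the same flow.
SAMPLE_SHOW = """\
local ident (addr/mask/prot/port): (10.20.30.40/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (192.168.1.1/255.255.255.255/0/0)
current_peer: 50.0.0.0:0
"""

NAME_RE = re.compile(r"^name (\S+) (\S+)$")
ACL_RE = re.compile(r"^access-list (\S+) permit (\S+) host (\S+) host (\S+)")
MAP_RE = re.compile(r"^crypto map (\S+) (\d+) (match address|set peer) (\S+)$")


def parse_config(text):
    """Return (names, acls, maps): name->ip, acl->set of (src, dst) host pairs,
    (map, seq)->{'acl': ..., 'peer': ...}. Names are resolved to addresses."""
    names, acls, maps = {}, defaultdict(set), defaultdict(dict)
    lines = [ln.strip() for ln in text.splitlines()]
    for line in lines:                      # first pass: name table
        if m := NAME_RE.match(line):
            names[m.group(2)] = m.group(1)
    for line in lines:                      # second pass: ACEs and crypto maps
        if m := ACL_RE.match(line):
            acl, _proto, src, dst = m.groups()
            acls[acl].add((names.get(src, src), names.get(dst, dst)))
        elif m := MAP_RE.match(line):
            mapname, seq, keyword, value = m.groups()
            key = "acl" if keyword == "match address" else "peer"
            maps[(mapname, int(seq))][key] = names.get(value, value)
    return names, dict(acls), dict(maps)


def find_overlaps(config_text):
    """Flows (src, dst) that crypto ACLs bind to more than one peer."""
    _, acls, maps = parse_config(config_text)
    peers_for_flow = defaultdict(set)
    for entry in maps.values():
        if "acl" in entry and "peer" in entry:
            for flow in acls.get(entry["acl"], ()):
                peers_for_flow[flow].add(entry["peer"])
    return {flow: sorted(p) for flow, p in peers_for_flow.items() if len(p) > 1}


def check_current_peer(show_text, config_text):
    """Compare the SA's current_peer with the peer of the lowest-sequence crypto
    map entry whose ACL covers the SA's idents. Returns (actual, expected, ok)."""
    _, acls, maps = parse_config(config_text)
    local = re.search(r"local ident \(addr/mask/prot/port\): \((\S+?)/", show_text).group(1)
    remote = re.search(r"remote ident \(addr/mask/prot/port\): \((\S+?)/", show_text).group(1)
    actual = re.search(r"current_peer: (\S+?):", show_text).group(1)
    matching = []
    for (_mapname, seq), entry in sorted(maps.items()):
        flows = acls.get(entry.get("acl"), ())
        if "peer" in entry and ((local, remote) in flows or (remote, local) in flows):
            matching.append((seq, entry["peer"]))
    expected = matching[0][1] if matching else None
    return actual, expected, actual == expected


if __name__ == "__main__":
    for flow, peers in find_overlaps(SAMPLE_CONFIG).items():
        print(f"overlap: flow {flow[0]} -> {flow[1]} is bound to peers {peers}")
    actual, expected, ok = check_current_peer(SAMPLE_SHOW, SAMPLE_CONFIG)
    print(f"current_peer {actual}, expected {expected}: {'ok' if ok else 'MISMATCH'}")
```

Run it against a saved "write terminal" and a saved "show crypto ipsec sa"; a non-empty overlap list or a MISMATCH line is the condition Arul describes, and is worth checking before assuming the PIX is choosing a peer at random.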


