Problems building VPN Tunnel with remote site.

Unanswered Question
Feb 29th, 2008

I'm having issues creating a tunnel between us and a remote site. Our topology is as follows:

LAN - Pix 515E - 3640 - INTERNET - Cisco 877.

Here's the pertinent portion of the config of our 515E (running version 7.2):

interface Ethernet0
 description INAP
 nameif outside
 security-level 0

interface Ethernet2
 description VLAN 47 at DMS
 nameif dms
 security-level 50

access-list NAME extended permit ip 192.168.x.0 10.y.z.0

crypto ipsec transform-set set1 esp-3des esp-sha-hmac
crypto map map 20 match address NAME
crypto map map 20 set peer a.b.c.d
crypto map map 20 set transform-set set1
crypto map map interface outside

crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 2
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

tunnel-group a.b.c.d type ipsec-l2l
tunnel-group a.b.c.d ipsec-attributes
 pre-shared-key *

When I try to establish the tunnel by pinging a device on the remote site, here's the output I get.

On the Pix:

c0 00 00 00

Feb 29 10:56:35 [IKEv1 DEBUG]: IP = a.b.c.d, IKE MM Initiator FSM error history (struct &0x28cedb8) <state>, <event>: MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY

Feb 29 10:56:35 [IKEv1 DEBUG]: IP = a.b.c.d, IKE SA MM:2eb371fa terminating: flags 0x01000022, refcnt 0, tuncnt 0

Feb 29 10:56:35 [IKEv1 DEBUG]: IP = a.b.c.d, sending delete/delete with reason message

Feb 29 10:56:35 [IKEv1]: IP = a.b.c.d, Removing peer from peer table failed, no match!

Feb 29 10:56:35 [IKEv1]: IP = a.b.c.d, Error: Unable to remove PeerTblEntry

Feb 29 10:56:36 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Feb 29 10:56:36 [IKEv1]: IP = a.b.c.d, IKE Initiator: New Phase 1, Intf 2, IKE Peer a.b.c.d local Proxy Address 192.168.x.0, remote Proxy Address 10.y.z.0, Crypto map (map)

Feb 29 10:56:36 [IKEv1 DEBUG]: IP = a.b.c.d, constructing ISAKMP SA payload

Feb 29 10:56:36 [IKEv1 DEBUG]: IP = a.b.c.d, constructing Fragmentation VID + extended capabilities payload

Feb 29 10:56:36 [IKEv1]: IP = a.b.c.d, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108

So, the tunnel isn't building. Any ideas anyone?

sadbulali Thu, 03/06/2008 - 14:36

Instead of an extended ping, try to generate interesting traffic from a back-to-back connected router interface.

zkasilag11 Thu, 03/06/2008 - 14:50

Thanks for the reply. I actually figured out what happened.

Basically, there's a subinterface on our core router that connects the PIX to the outside. Somehow this aspect of the configuration on the router was missing (I'm guessing a reboot without the running config saved). The moment I re-created the subinterface, the tunnel was built. So, it was a WAN issue after all.
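The debug output in the question already points at the cause that the last reply confirms: the initiator sends main-mode message 1 and the FSM history shows it cycling between MM_SND_MSG1 and MM_WAIT_MSG2 on EV_TIMEOUT/EV_RETRY, i.e. the peer never answers, which is a reachability problem rather than a proposal or pre-shared-key mismatch. The following script is an added example, not code from the thread or from Cisco; it parses the quoted PIX IKEv1 debug lines and classifies the Phase 1 failure. The "IKE_DECODE RECEIVED Message" string it counts is assumed as the counterpart of the SENDING line on the page.

```python
import re

# Debug lines quoted in the question above (OP's PIX 515E, trimmed to the relevant ones).
SAMPLE_LOG = """\
Feb 29 10:56:35 [IKEv1 DEBUG]: IP = a.b.c.d, IKE MM Initiator FSM error history (struct &0x28cedb8) <state>, <event>: MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
Feb 29 10:56:35 [IKEv1 DEBUG]: IP = a.b.c.d, IKE SA MM:2eb371fa terminating: flags 0x01000022, refcnt 0, tuncnt 0
Feb 29 10:56:36 [IKEv1]: IP = a.b.c.d, IKE Initiator: New Phase 1, Intf 2, IKE Peer a.b.c.d local Proxy Address 192.168.x.0, remote Proxy Address 10.y.z.0, Crypto map (map)
Feb 29 10:56:36 [IKEv1]: IP = a.b.c.d, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
"""

HISTORY_RE = re.compile(r"IKE MM Initiator FSM error history .*?<state>, <event>: (.*)$")
PEER_RE = re.compile(r"IKE Peer (\S+) local Proxy Address ([^,]+), remote Proxy Address ([^,]+)")


def parse_history(line):
    """Return the FSM history as (state, event) pairs, or None if the line is not a history line.
    The PIX prints it newest first: the terminal MM_DONE/EV_ERROR transition comes before
    the MM_SND_MSG1 -> MM_WAIT_MSG2 transitions that led to it."""
    m = HISTORY_RE.search(line)
    if not m:
        return None
    pairs = []
    for hop in m.group(1).split("-->"):
        state, _, event = hop.partition(",")
        pairs.append((state.strip(), event.strip()))
    return pairs


def diagnose(pairs):
    """Classify a main-mode initiator failure from its FSM history.
    If the only wait state reached is MM_WAIT_MSG2 and it saw a timeout/retry, message 1 was
    sent but message 2 never arrived: the peer is unreachable, not listening on UDP/500,
    or the path is broken (the OP's case: a missing subinterface on the core router)."""
    states = {s for s, _ in pairs}
    waits = sorted(int(s[len("MM_WAIT_MSG"):]) for s in states if s.startswith("MM_WAIT_MSG"))
    wait2_events = {e for s, e in pairs if s == "MM_WAIT_MSG2"}
    if waits == [2] and wait2_events & {"EV_TIMEOUT", "EV_RETRY"}:
        return "no-reply-to-MM1"
    return "unclassified"


def analyse(log_text):
    """Walk a debug capture and return peer, proxy identities, message counts and diagnosis."""
    report = {"peer": None, "local_proxy": None, "remote_proxy": None,
              "sent": 0, "received": 0, "diagnosis": "unclassified"}
    for line in log_text.splitlines():
        if (m := PEER_RE.search(line)):
            report["peer"], report["local_proxy"], report["remote_proxy"] = m.groups()
        elif "IKE_DECODE SENDING Message" in line:
            report["sent"] += 1
        elif "IKE_DECODE RECEIVED Message" in line:  # assumed counterpart of the SENDING line
            report["received"] += 1
        elif (pairs := parse_history(line)) is not None:
            report["diagnosis"] = diagnose(pairs)
    return report


if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

A capture that shows a SENDING line with no RECEIVED line and a history stuck at MM_WAIT_MSG2 is worth checking at the network layer (routing and UDP/500 to the peer) before touching the crypto configuration.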

