VPN Tunnel 506 vs 515e

Unanswered Question
Mar 17th, 2008

I upgraded from a PIX506 to a PIX515e w/vac+ and all of my software based VPN connections work except for the two site-to-site tunnels I had. We rechecked the pre-shared keys. How can I determine why these tunnels won't work on the 515e? They were fine on the 506. We even have the 515e at the same IOS level the 506 was. Thanks for any and all assistance.

JORGE RODRIGUEZ Mon, 03/17/2008 - 17:07

First check show version on new PIX 515E, and make sure VPN-3DES-AES: is Enabled. If 3DES/AES is ok then you will need to debug it to find out where the tunnel fails.


Jorge





vitalcom1 Mon, 03/17/2008 - 17:18

It's enabled


What commands do I use to debug a tunnel?


Thanks

JORGE RODRIGUEZ Mon, 03/17/2008 - 17:40

Dwayne, please double check l2l configuration again between both firewalls, all parameters must match. Debugging is your last resort! and as you know should be used in non production hours. Go over again on some config checks

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#intro


for debugging


pix#config t

pix(config)#logging buffered debugging

pix#debug crypto isakmp

pix#debug crypto ipsec


try to bring up the tunnel by sending interesting traffic


pix#show debug


copy debug output and post it


edit: when done with capturing debug output disable debugging process.


pix#no debug crypto isakmp

pix#no debug crypto ipsec
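
Added example (not part of the original thread, and not Cisco's code): an offline check of the "all parameters must match" advice above, comparing the ISAKMP (Phase 1) policy lines saved from both firewalls before resorting to debug. The two sample configs are constructed, and the script assumes PIX 6.x-style `isakmp policy` lines with every attribute written out explicitly; lifetime is not compared.

```python
import re

# Constructed sample configs (PIX 6.x style); not taken from the thread.
LOCAL_CFG = """\
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
"""
REMOTE_CFG = """\
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
"""

# Attributes compared here; a pair of policies counts as a match only if
# all four agree (assumption: both configs list them explicitly).
NEGOTIATED = ("authentication", "encryption", "hash", "group")
POLICY_RE = re.compile(r"^\s*isakmp policy (\d+) (\S+) (\S+)\s*$")

def parse_policies(config):
    """Return {priority: {attribute: value}} from 'isakmp policy' lines."""
    policies = {}
    for line in config.splitlines():
        m = POLICY_RE.match(line)
        if m:
            prio, attr, value = m.groups()
            policies.setdefault(int(prio), {})[attr] = value
    return policies

def compare(local_cfg, remote_cfg):
    """Return (matching_pairs, near_misses); each miss names the differing attributes."""
    matches, misses = [], []
    local, remote = parse_policies(local_cfg), parse_policies(remote_cfg)
    for lp, la in sorted(local.items()):
        for rp, ra in sorted(remote.items()):
            diff = [a for a in NEGOTIATED if la.get(a) != ra.get(a)]
            if diff:
                misses.append((lp, rp, diff))
            else:
                matches.append((lp, rp))
    return matches, misses

if __name__ == "__main__":
    matches, misses = compare(LOCAL_CFG, REMOTE_CFG)
    print("matching policy pairs:", matches or "none")
    for lp, rp, diff in misses:
        print(f"local {lp} vs remote {rp}: differs in {', '.join(diff)}")
```

An empty list of matching pairs means no Phase 1 proposal is common to both peers, so the tunnel cannot negotiate regardless of the pre-shared key.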







vitalcom1 Mon, 03/17/2008 - 18:09

I get


debug crypto disakmp 1

debug crypto ipsec 1



Not exactly what I was expecting.

JORGE RODRIGUEZ Mon, 03/17/2008 - 19:36

Sorry..


pix(config)#terminal monitor


bring up tunnel by sending a ping to destination host.. you should see output of tunnel negotiation .. please try. and post output..

