VPN Tunnel 506 vs 515e

Unanswered Question
Mar 17th, 2008

I upgraded from a PIX506 to a PIX515e w/vac+ and all of my software based VPN connections work execpt for the two site-to-site tunnels I had. We rechecked the pre-shared keys. How can I determine why these tunnels won't work on the 515e? They were fine on the 506. We even have the 515e at the same IOS level the 506 was. Thanks for any and all assistance.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
JORGE RODRIGUEZ Mon, 03/17/2008 - 17:07

First check show version on new PIX 515E, and make sure VPN-3DES-AES: is Enabled.If 3DES/AES is ok then you will need to debug it to find out where the tunnel fails.

Jorge

vitalcom1 Mon, 03/17/2008 - 17:18

It's enabled

What commands do I use to debug a tunnel?

Thanks

JORGE RODRIGUEZ Mon, 03/17/2008 - 17:40

Dwayne, please double check l2l configuration again between both firewalls , all parameters must match. Debuging is your last resort! and as you know should be use in non production hours. go over again on some config checks

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#intro

for debugging

pix#config t

pix(config)#loggin buffer debugging

pix#debug crypto isakmp

pix#debug crypto ipsec

try to bring up the tunnel by sending interesting traffic

pix#show debug

copy debugg output and post it

edit: when done with capturing debug output disable debugging process.

pix#no debug crypto isakmp

pix#no debug crypto ipsec

vitalcom1 Mon, 03/17/2008 - 18:09

I get

debug crypto disakmp 1

debug crypto ipsec 1

Not exactly what I was expecting.

JORGE RODRIGUEZ Mon, 03/17/2008 - 19:36

Sorry..

pix(config)#terminal monitor

bring up tunnel by sending a ping to destination host.. you should see output of tunnel negotiation .. please try. and post output..

Actions

This Discussion