VPN Tunnel 506 vs 515e

Unanswered Question
Mar 17th, 2008
User Badges:

I upgraded from a PIX506 to a PIX515e w/vac+ and all of my software based VPN connections work execpt for the two site-to-site tunnels I had. We rechecked the pre-shared keys. How can I determine why these tunnels won't work on the 515e? They were fine on the 506. We even have the 515e at the same IOS level the 506 was. Thanks for any and all assistance.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
JORGE RODRIGUEZ Mon, 03/17/2008 - 17:07
User Badges:
  • Green, 3000 points or more

First check show version on new PIX 515E, and make sure VPN-3DES-AES: is Enabled.If 3DES/AES is ok then you will need to debug it to find out where the tunnel fails.


vitalcom1 Mon, 03/17/2008 - 17:18
User Badges:

It's enabled

What commands do I use to debug a tunnel?


JORGE RODRIGUEZ Mon, 03/17/2008 - 17:40
User Badges:
  • Green, 3000 points or more

Dwayne, please double check l2l configuration again between both firewalls , all parameters must match. Debuging is your last resort! and as you know should be use in non production hours. go over again on some config checks


for debugging

pix#config t

pix(config)#loggin buffer debugging

pix#debug crypto isakmp

pix#debug crypto ipsec

try to bring up the tunnel by sending interesting traffic

pix#show debug

copy debugg output and post it

edit: when done with capturing debug output disable debugging process.

pix#no debug crypto isakmp

pix#no debug crypto ipsec

vitalcom1 Mon, 03/17/2008 - 18:09
User Badges:

I get

debug crypto disakmp 1

debug crypto ipsec 1

Not exactly what I was expecting.

JORGE RODRIGUEZ Mon, 03/17/2008 - 19:36
User Badges:
  • Green, 3000 points or more


pix(config)#terminal monitor

bring up tunnel by sending a ping to destination host.. you should see output of tunnel negotiation .. please try. and post output..


This Discussion