PIX to ASA Tunnel termination problem

Unanswered Question
Apr 30th, 2008

I am having a problem with an IPsec tunnel between sites A and B. Site A has a PIX running 8.x code and Site B has an ASA running 7.2(3) code. The crypto access-lists are as under:

SITE A has:

access-list 119 extended permit ip object-group Support_DMZ object-group SITEB
access-list 119 extended permit ip 10.60.6.0 255.255.255.0 object-group SITEB

Object group SITEB is as under:

object-group network SITEB
 network-object 10.238.18.0 255.255.255.0
 network-object 210.x.x.x 255.255.255.255

Object group Support_DMZ is as under:

object-group network Support_DMZ
 network-object a.a.a.a 255.255.255.192
 network-object b.b.b.b 255.255.255.0
 network-object c.c.c.c 255.255.255.0
 network-object d.d.d.d 255.255.255.0
 network-object e.e.e.e 255.255.255.0
 network-object f.f.f.f 255.255.255.0

Now on the ASA at SITE B:

access-list TO_SITEA extended permit ip 10.238.18.0 255.255.255.0 object-group SITEA_NETWORK
access-list TO_SITEA extended permit ip host 210.x.x.253 object-group SITEA_NETWORK

Object group SITEA_NETWORK is:

object-group network SITEA_NETWORK
 network-object b.b.b.b 255.255.255.0
 network-object c.c.c.c 255.255.255.0
 network-object d.d.d.d 255.255.255.0
 network-object e.e.e.e 255.255.255.0
 network-object a.a.a.a 255.255.255.192
 network-object f.f.f.f 255.255.255.0
 network-object g.g.g.g 255.255.255.0


Please note that there is an extra network g.g.g.g in object group SITEA_NETWORK. This is not present on the other side. Now the error I get on the ASA at Site B is:

%ASA-5-713050: Group = 64.x.x.x, IP = 64.x.x.x, Connection terminated for peer 64.x.x.x. Reason: Peer Terminate Remote Proxy 210.x.x.253, Local Proxy b.b.b.b

It looks like the tunnel gets terminated. If you look at the error above, the Local Proxy is b.b.b.b, which is a network on the Site A side. Sometimes this Local Proxy is d.d.d.d, f.f.f.f or e.e.e.e.


I am wondering if the order of the networks in the object group on both sides needs to be the same to be an exact mirror image. As you can see, they are not exact mirror images on both sides. Also, there is a g.g.g.g network on the Site B side which is not in the Site A side object group.

If anybody can help with this it would be great.




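As an added worked example (not part of the original post and not a Cisco tool): a Python script that expands both peers' object-group crypto ACLs into the individual (local, remote) proxy-ID pairs that the firewall negotiates in IKE phase 2, then checks that each side holds the mirror image of every pair the other side produces. The two configs are constructed from the post's structure and are assumptions, not the poster's real addresses: RFC 5737 documentation prefixes stand in for the masked a.a.a.a .. g.g.g.g and 210.x.x.x entries, 10.60.6.0/24 is assumed to be listed in SITEA_NETWORK, and 192.0.2.128/26 plays the role of the extra g.g.g.g entry.

```python
"""Expand object-group crypto ACLs into proxy-ID pairs and diff the two peers.
Each permit line expands to one (local, remote) pair per network combination; the
peer must hold the mirror image of every pair, whatever the listing order."""
import ipaddress
import re
from typing import Dict, List, Set, Tuple

Net = ipaddress.IPv4Network
Pair = Tuple[Net, Net]

# Constructed sample configs modelled on the post (assumptions, not the poster's
# real addresses): RFC 5737 prefixes stand in for a.a.a.a .. g.g.g.g and
# 210.x.x.x, 10.60.6.0/24 is assumed to be in SITEA_NETWORK, and 192.0.2.128/26
# plays the role of the extra g.g.g.g entry.
SITE_A_CONFIG = """
object-group network SITEB
 network-object 10.238.18.0 255.255.255.0
 network-object 203.0.113.253 255.255.255.255
object-group network Support_DMZ
 network-object 192.0.2.0 255.255.255.192
 network-object 198.51.100.0 255.255.255.0
access-list 119 extended permit ip object-group Support_DMZ object-group SITEB
access-list 119 extended permit ip 10.60.6.0 255.255.255.0 object-group SITEB
"""
SITE_B_CONFIG = """
object-group network SITEA_NETWORK
 network-object 198.51.100.0 255.255.255.0
 network-object 10.60.6.0 255.255.255.0
 network-object 192.0.2.0 255.255.255.192
 network-object 192.0.2.128 255.255.255.192
access-list TO_SITEA extended permit ip 10.238.18.0 255.255.255.0 object-group SITEA_NETWORK
access-list TO_SITEA extended permit ip host 203.0.113.253 object-group SITEA_NETWORK
"""
ACE_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+permit\s+ip\s+(.+)$")


def parse_object_groups(config: str) -> Dict[str, List[Net]]:
    """name -> networks, for 'network-object A MASK | host A' and nested 'group-object'."""
    raw: Dict[str, List[Tuple[str, str]]] = {}
    current = None
    for line in config.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[:2] == ["object-group", "network"]:
            current = tok[2]
            raw[current] = []
        elif current and tok[0] == "network-object":
            spec = f"{tok[2]}/32" if tok[1] == "host" else f"{tok[1]}/{tok[2]}"
            raw[current].append(("net", spec))
        elif current and tok[0] == "group-object":
            raw[current].append(("group", tok[1]))
        else:
            current = None  # any other top-level line closes the block

    def resolve(name: str, seen: Tuple[str, ...] = ()) -> List[Net]:
        if name in seen:
            raise ValueError(f"object-group loop through {name}")
        nets: List[Net] = []
        for kind, val in raw[name]:
            if kind == "net":
                nets.append(ipaddress.IPv4Network(val, strict=False))
            else:
                nets.extend(resolve(val, seen + (name,)))
        return nets

    return {name: resolve(name) for name in raw}


def _take_operand(tok: List[str], groups: Dict[str, List[Net]]) -> Tuple[List[Net], List[str]]:
    """Consume one src/dst operand of an ACE; returns (networks, remaining tokens)."""
    if tok[0] == "object-group":
        return groups[tok[1]], tok[2:]
    if tok[0] == "host":
        return [ipaddress.IPv4Network(f"{tok[1]}/32")], tok[2:]
    return [ipaddress.IPv4Network(f"{tok[0]}/{tok[1]}", strict=False)], tok[2:]


def expand_crypto_acl(config: str, acl_name: str) -> Set[Pair]:
    """Every (local, remote) proxy-ID pair the named crypto ACL's permit lines produce."""
    groups = parse_object_groups(config)
    pairs: Set[Pair] = set()
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if m and m.group(1) == acl_name:
            src, rest = _take_operand(m.group(2).split(), groups)
            dst, _ = _take_operand(rest, groups)
            pairs.update((s, d) for s in src for d in dst)
    return pairs


def mirror_diff(local: Set[Pair], remote: Set[Pair]) -> Tuple[Set[Pair], Set[Pair]]:
    """Pairs on each side whose mirror image (remote, local) the other side lacks."""
    only_local = {(s, d) for s, d in local if (d, s) not in remote}
    only_remote = {(s, d) for s, d in remote if (d, s) not in local}
    return only_local, only_remote


if __name__ == "__main__":
    only_a, only_b = mirror_diff(expand_crypto_acl(SITE_A_CONFIG, "119"), expand_crypto_acl(SITE_B_CONFIG, "TO_SITEA"))
    print("proxy pairs on Site A with no mirror on Site B:", sorted(map(str, only_a)))
    print("proxy pairs on Site B with no mirror on Site A:", sorted(map(str, only_b)))
```

Because the comparison is made on sets of expanded pairs, the order of network-objects inside a group has no effect on the result; what the constructed sample surfaces are the two Site B pairs built from the extra entry (10.238.18.0/24 to 192.0.2.128/26 and 203.0.113.253/32 to 192.0.2.128/26), which have no mirror on Site A. Fed the `show running-config object-group` and `show running-config access-list` output of both peers, the same check shows which expanded pair the Remote Proxy / Local Proxy addresses in a %ASA-5-713050 message belong to and whether the other side has its mirror.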