07-21-2008 09:59 AM - edited 02-21-2020 03:50 PM
Coming across a strange issue here. I have a VPN that connects a PIX 505 running PIX version 6.3(4) to two PIX 515Es with ver. 7.0(6). Both the PIX 505 and the 515Es show that a VPN connection is established between them (the 505 shows QM_IDLE). However, no traffic is flowing between the 505 and the 515Es. When I try to ping a client behind either device, I get no response. Earlier this morning, I was getting responses, and then out of the blue, everything stopped. I have reset all devices and even blew away and redid the VPN config on the 505, but still nothing. Again, they show the VPN as being connected, but I am getting no traffic across it. Any debug commands I could be checking?
Thanks in advance,
Matt
07-21-2008 10:13 AM
Hi Matt,
Post "show crypto ipsec sa" and the configs of both ends for which traffic is not working.
This could be a routing issue.
HTH
Saju
07-21-2008 10:52 AM
Thanks for the quick reply. BTW, it's actually a 501 not a 505...sorry for any confusion.
Well, things get stranger still. In the middle of collecting the requested info the connection between the 501 and one of the 515s suddenly came alive and I started getting responses back from my ping requests. I am still having non-traffic issues between the 501 and the other 515 though.
Attached is the config for the 501 along with the sh ipsec output for all three devices. Note that public IPs have been changed for security reasons. The 501's IP has been changed to 1.1.1.1 while the 515s have been changed to 2.2.2.2 and 3.3.3.3. Currently, the connection between 1.1.1.1 and 3.3.3.3 is showing traffic while 1.1.1.1 to 2.2.2.2 is still showing a VPN tunnel but no traffic.
Thanks again for your help!
07-21-2008 10:54 AM
07-21-2008 11:20 AM
Your config looks ok to me. Are you able to ping the inside interface of the 515s from the 501 private network side? This is a routing issue.
Check the default gateway on the devices you are pinging. If it's a router in that network, then that router must have a route back to the PIX for the remote subnet.
HTH
Saju
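Added example, not part of the thread or its attachment: a small Python parser that reads the per-peer `#pkts encaps` / `#pkts decaps` counters from "show crypto ipsec sa" output and reports which direction of an established tunnel is silent. The sample output, inside subnets and crypto map name are constructed; the peer addresses reuse the thread's masked 1.1.1.1, 2.2.2.2 and 3.3.3.3, and the diagnosis strings are the usual reading of these counters, not text from the posts.

```python
import re

# Constructed sample in the style of PIX "show crypto ipsec sa" output.
SAMPLE = """\
interface: outside
    Crypto map tag: vpnmap, local addr. 1.1.1.1

   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.2.0.0/255.255.0.0/0/0)
   current_peer: 2.2.2.2:500
    #pkts encaps: 57, #pkts encrypt: 57, #pkts digest 57
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0

   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.3.0.0/255.255.0.0/0/0)
   current_peer: 3.3.3.3:500
    #pkts encaps: 120, #pkts encrypt: 120, #pkts digest 120
    #pkts decaps: 118, #pkts decrypt: 118, #pkts verify 118
"""

PEER = re.compile(r"current_peer:\s*([\d.]+)")
COUNTER = re.compile(r"#pkts (encaps|decaps):\s*(\d+)")

def sa_counters(text):
    """Return one dict per SA block: peer address plus encaps/decaps counts."""
    sas, cur = [], None
    for line in text.splitlines():
        m = PEER.search(line)
        if m:  # a current_peer line starts a new SA block
            cur = {"peer": m.group(1), "encaps": 0, "decaps": 0}
            sas.append(cur)
        elif cur is not None:
            for name, val in COUNTER.findall(line):
                cur[name] = int(val)
    return sas

def diagnose(sa):
    """Map the counter pattern to the side that most likely needs checking."""
    enc, dec = sa["encaps"], sa["decaps"]
    if enc and dec:
        return "two-way: tunnel is passing traffic"
    if enc:
        return "one-way out: check return route and crypto ACL at the remote site"
    if dec:
        return "one-way in: check local hosts' default gateway and local crypto ACL"
    return "idle: traffic is not reaching the PIX or not matching the crypto ACL"

if __name__ == "__main__":
    for sa in sa_counters(SAMPLE):
        print(sa["peer"], sa["encaps"], sa["decaps"], diagnose(sa))
```
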
07-21-2008 02:31 PM
Well...I don't know what to say. I blew away the VPN configs in the 501 and typed them back in EXACTLY the way they were before. I went to lunch, came back an hour later, and now, everything is working just as it should be. I am getting responses back from both sides of the 515Es and the 501. So I don't know if it was some sort of caching issue with the Isakmp/Ipsec engines or what. But traffic across BOTH VPN tunnels appears to be working now. This is something I have never seen before, but I guess stranger stuff does happen.
Thanks for your help.