PIX L2L VPN issue - no debugs displaying on screen

Nov 7th, 2008


There seems to be a problem with a site-to-site VPN on my PIX 515 (IOS 6.3(3)). It seems that even phase 1 won't initiate, and when I enter debug crypto isakmp or debug crypto ipsec, nothing seems to output to screen. (Currently the secondary PIX is active, as it failed over last week.)

1) Should this make a difference as to why no debug messages appear on screen?

2) How can you force phase 1 to start?

3) Short of rebooting the firewall, is there anything else I can do?


husycisco Sat, 11/08/2008 - 00:24

Hello Suleiman,

Most probably something is wrong with the interesting traffic ACL, so that no traffic occurs that is interesting to the IPsec tunnel for it to kick in. Post your running config and let us advise.


solpandor Mon, 11/10/2008 - 02:10

Hi there,

Here is the part of the config relating to this tunnel. The thing is, although I run the debug crypto isakmp command, I can't see any messages on screen.

isakmp policy 15 authentication pre-share
isakmp policy 15 encryption des
isakmp policy 15 hash md5
isakmp policy 15 group 2
isakmp policy 15 lifetime 3600
isakmp enable outside
isakmp key ******** address {supplier peer} netmask no-xauth no-config-mode
access-list supplier permit ip host {my server public ip} host {supplier server public ip}
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map outside_map 82 ipsec-isakmp
crypto map outside_map 82 match address supplier
crypto map outside_map 82 set pfs group2
crypto map outside_map 82 set peer {supplier peer}
crypto map outside_map 82 set transform-set ESP-DES-MD5
crypto map outside_map 82 set security-association lifetime seconds 3600 kilobytes 4608000

husycisco Mon, 11/10/2008 - 03:00


Add this

crypto map outside_map interface outside

Why is interesting traffic based on public IPs? To what IP addresses at the remote site do you want to establish a connection over VPN?

solpandor Mon, 11/10/2008 - 03:46

Hi there husycisco,

That command was there as well; I forgot to include it. The latest on it is, it's working.

I rang TAC, and he ran the same commands as I did in terms of clearing SAs. The only thing I didn't do was clear the crypto map outside_map command and then reapply it.

Thanks for your help though.
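
Added example, not part of the original thread or any Cisco tooling: a small Python check that reads a saved PIX 6.3-style config and reports the cross-reference gaps raised above (crypto map not applied to an interface, isakmp not enabled on that interface, undefined ACL or transform-set, no pre-shared key for the peer). The function name check_l2l, the sample addresses and the key are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in PIX 6.3 syntax; addresses are documentation ranges and
# the key is a placeholder. The interface binding line is deliberately absent.
SAMPLE = """\
isakmp enable outside
isakmp key EXAMPLEKEY address 198.51.100.1 netmask 255.255.255.255 no-xauth no-config-mode
access-list supplier permit ip host 192.0.2.10 host 198.51.100.20
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map outside_map 82 ipsec-isakmp
crypto map outside_map 82 match address supplier
crypto map outside_map 82 set peer 198.51.100.1
crypto map outside_map 82 set transform-set ESP-DES-MD5
"""

ENTRY = re.compile(r"crypto map (\S+) (\d+) (match address|set peer|set transform-set) (\S+)")

def check_l2l(config):
    """Return a list of cross-reference problems in a site-to-site VPN config."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    acls = {l.split()[1] for l in lines if l.startswith("access-list ")}
    tsets = {l.split()[3] for l in lines if l.startswith("crypto ipsec transform-set ")}
    ike_ifs = {l.split()[2] for l in lines if l.startswith("isakmp enable ")}
    key_peers = {m.group(1) for l in lines
                 if (m := re.match(r"isakmp key \S+ address (\S+)", l))}
    bound = {}                    # crypto map name -> interface it is applied to
    entries = defaultdict(dict)   # (map name, sequence) -> referenced objects
    for l in lines:
        if m := re.match(r"crypto map (\S+) interface (\S+)", l):
            bound[m.group(1)] = m.group(2)
        elif m := ENTRY.match(l):
            entries[m.group(1), int(m.group(2))][m.group(3)] = m.group(4)
    findings = []
    for name, seq in sorted(entries):
        e, tag = entries[name, seq], f"{name} {seq}"
        if name not in bound:
            findings.append(f"{tag}: crypto map not applied to any interface")
        elif bound[name] not in ike_ifs:
            findings.append(f"{tag}: isakmp not enabled on {bound[name]}")
        if e.get("match address") not in acls:
            findings.append(f"{tag}: match address ACL missing or undefined")
        if e.get("set transform-set") not in tsets:
            findings.append(f"{tag}: transform-set missing or undefined")
        if e.get("set peer") not in key_peers:
            findings.append(f"{tag}: peer missing or has no isakmp key")
    return findings

if __name__ == "__main__":
    print("\n".join(check_l2l(SAMPLE)) or "no findings")
```

An empty result only means the saved config is internally consistent; in this thread the interface binding was already present and the tunnel came up after the crypto map was cleared and reapplied.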

