cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
249
Views
0
Helpful
2
Replies

PIX501->PIX515...tunnel up but no traffic passing

rterpstra
Level 1
Level 1

Have a PXI501 on 6.3(5) connecting to a PIX515 also 6.3.(5). Have 20 other's in the exact same configuration (connecting to same PIX515). Yesterady PIX501 stopped sending traffic over tunnel. I'm pulling my hair out.

The tunnel comes up fine, no errors from debug output. ACL counters increment as expected when passing interesting traffic.

On both ends when I check output of "show ipsec sa" I see the "pkts encaps" counters going up, but both ends always show 0 for "pkts decaps". Suggesting neeither end thinks it's getting valid ipsec traffic from the other.

My config has not changed, this tunnel had been working for several weeks without issue. I have tried pointing the PIX501 to a new PIX515 running 7.0 software on the other end (I have a spare I setup), exact same issue. Tunnels comes up as soon as interesting traffic passes, both sides ACL counters go up, but neither end shows any packets decapsulated.

I have turned on packet capturing and verified that packets using UDP port 500 are in fact making their way to both PIXes, but they don't recognize it for some reason.

I have verified the outgoing/incoming SPIs match on either end in the "show ipsec sa" output.

Any suggestions on debugging to try? I'm half tempted to just ship a new unit out there.

2 Replies 2

Ivan Martinon
Level 7
Level 7

Encrypted traffic does not travel on UDP 500, it either goes on ESP protocol (portless protocol 50 for native IPSec) or UDP 4500 when NAT-T is used. Can you try to capture ESP packets between the peers? have you restored (cleared on both ends) the tunnels?

Had tried that, and rebooted the 501 (and pointed it at a new 515).

Sorry, I know UDP 500 is just for ike (and obviously I see that traffic landing during negotiation).

I actually solved problem by rebooting an upstream router. At this location I (unfortunately) have a Linksys WAG200 soho router in front of the pix (i'm borrowing someone else's internet access, and they didn't watn to give up their linksys). My PIX is behind it in DMZ mode. I got access to the linksys and rebooted it...and viola everything worked again.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: