No Phase 1 initiating on PIX 515E

Unanswered Question
Mar 16th, 2009

PIX 515E

Version 6.3(5)


I am having a problem when adding a new tunnel to an existing PIX that is already terminating several existing tunnels. The existing tunnels are not having any problems. However, the new tunnel will not initiate Phase 1. When running "debug crypto isakmp" I do not see anything for this new tunnel. However, the NONAT and interesting-traffic ACL hit counts are incrementing. "debug packet outside dst <remote peer ip>" does not return any packets. It's as if the traffic passes the interesting-traffic ACL and the packets go nowhere. Has anyone experienced an issue like this?

Phil Williamson Mon, 03/16/2009 - 15:29

Larry,


If you 'debug crypto ipsec' do you get an error like: IPSEC(sa_initiate): ACL = deny; no sa created. If so I know that removing the crypto map from the interface and reapplying will fix this - in additon to taking down all tunnels. I don't know if it's a bug or ??? I've seen it myself and the above or reloading the PIX would correct it.


Phil

hornlarryj Tue, 03/17/2009 - 07:30

Phil,

Yes, I do get the "ACL = deny" error when debugging crypto IPsec. Interesting that the ACL hitcnt is still incrementing, though, as if it is passing through. The last new tunnel we added a couple of weeks ago had the same issue, and we rebooted to rectify that, hoping it wouldn't be a problem, but now I fear that every time we add a new tunnel this may happen. Rebooting or removing the crypto map from the interface is not a viable workaround each time because it does cause all other tunnels to come down. Did you continue to have the problem with new tunnels after the reboot, or did everything work fine after that?

Phil Williamson Wed, 03/18/2009 - 05:23

Larry,

Yes, the problem continues on various customer PIX - my company manages several hundred. I've never gotten a good answer from TAC as to why. It could be a config issue, but I cannot see it. Maybe others in NetPro can help.

Phil

kunal.shandil Wed, 03/18/2009 - 19:50

Larry,

Can you confirm whether the hitcnts on the NAT 0 ACLs are increasing? I have never seen that. Are the Phase 1 parameters OK with the remote end?

-k
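Kunal's questions above amount to a static consistency check of the new tunnel's configuration. The following is an added example, not from this thread or from Cisco: a small Python checker over a constructed PIX 6.3-style fragment that, for each crypto map entry, verifies the match ACL exists, a peer is set, an isakmp key exists for that peer, and every crypto-ACL flow is also exempted by the nat 0 ACL. The config lines, ACL names and addresses are constructed; the checker covers static config only and cannot detect the runtime state problem Phil describes, which is what the reapply or reload workaround addresses.

```python
import re
from collections import defaultdict

# Constructed PIX 6.3-style fragment (not a real config): crypto map entry 20 is the
# newly added tunnel; it has no nat 0 exemption for its flow and no isakmp key for its peer.
SAMPLE_CONFIG = """
access-list NONAT permit ip 10.10.10.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list VPN_PEER1 permit ip 10.10.10.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list VPN_PEER2 permit ip 10.10.10.0 255.255.255.0 192.168.60.0 255.255.255.0
nat (inside) 0 access-list NONAT
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address VPN_PEER1
crypto map outside_map 10 set peer 203.0.113.10
crypto map outside_map 10 set transform-set ESP-3DES-SHA
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address VPN_PEER2
crypto map outside_map 20 set peer 203.0.113.20
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 203.0.113.10 netmask 255.255.255.255
"""

ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+ \S+) (\S+ \S+)$")

def check_crypto_map(config):
    """Return a list of findings, one string per problem; an empty list means no gaps found."""
    acls, entries, keys, nat0 = defaultdict(set), defaultdict(dict), set(), set()
    for line in config.strip().splitlines():
        parts = line.split()
        if not parts:
            continue
        m = ACL_RE.match(line)
        if m:                                   # ACL entry: name -> set of (src, dst) flows
            acls[m.group(1)].add((m.group(2), m.group(3)))
        elif parts[:3] == ["nat", "(inside)", "0"]:
            nat0.add(parts[4])                  # ACL named by "nat (inside) 0 access-list X"
        elif parts[:2] == ["crypto", "map"] and parts[3].isdigit():
            seq = parts[3]                      # per-sequence-number crypto map settings
            if parts[4] == "match":
                entries[seq]["acl"] = parts[6]
            elif parts[4:6] == ["set", "peer"]:
                entries[seq]["peer"] = parts[6]
        elif parts[:2] == ["isakmp", "key"]:
            keys.add(parts[4])                  # peer address the pre-shared key is bound to
    exempt = set().union(*(acls[n] for n in nat0)) if nat0 else set()
    findings = []
    for seq, e in sorted(entries.items()):
        if "acl" not in e or not acls.get(e["acl"]):
            findings.append(f"seq {seq}: match address ACL missing or empty")
        if "peer" not in e:
            findings.append(f"seq {seq}: no set peer")
        elif e["peer"] not in keys:
            findings.append(f"seq {seq}: no isakmp key for peer {e['peer']}")
        for pair in acls.get(e.get("acl"), ()):
            if pair not in exempt:
                findings.append(f"seq {seq}: flow {pair} not exempted by nat 0 ACL")
    return findings
```

Run it against a saved "write terminal" capture; an empty result means the static pieces line up and the remaining suspect is device state, not the config.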
