No Phase 1 initiating on PIX 515E

hornlarryj
Level 1

PIX 515E

Version 6.3(5)

I am having a problem when adding a new tunnel to an existing PIX that is already terminating several existing tunnels. The existing tunnels are not having any problems. However, the new tunnel will not initiate Phase 1. When running "debug crypto isakmp" I do not see anything for this new tunnel. However, the NONAT and interesting traffic ACL are incrementing. Debug packet outside dst "remote peer ip" does not return any packets. It's as if it passes the interesting traffic ACL and the packets go nowhere. Has anyone experienced an issue like this?

5 Replies

Phil Williamson
Level 1

Larry,

If you 'debug crypto ipsec' do you get an error like: IPSEC(sa_initiate): ACL = deny; no sa created. If so I know that removing the crypto map from the interface and reapplying will fix this - in addition to taking down all tunnels. I don't know if it's a bug or ??? I've seen it myself and the above or reloading the PIX would correct it.

Phil

Phil,

Yes, I do get the ACL=deny error when debugging crypto IPSEC. Interesting that the ACL hitcnt is still incrementing though, as if it is passing through. The last new tunnel we added a couple weeks ago was the same issue and we rebooted to rectify that hoping it wouldn't be a problem, but now I fear that every time we add a new tunnel this may happen, and rebooting or removing the crypto map from the interface is not a viable workaround each time because it does cause all other tunnels to come down. Did you continue to have the problem with new tunnels after the reboot or did everything work fine after that?

Larry,

Yes, the problem continues on various customer PIX - my company manages several hundred. I've never gotten a good answer from TAC as to why. It could be a config issue, but I cannot see it. Maybe others in NetPro can help.

Phil

jgiles
Level 1

Didn't see a previous response. Taking this one away as it doesn't apply.

kunal.shandil
Level 1

Larry,

Can you confirm if the hitcnts on the NAT0 ACLs are increasing? I have never seen that. Phase 1 parameters are OK with the remote end?

-k
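The symptom described in this thread is a specific combination: the interesting-traffic and NAT-exemption ACLs are matching packets (hitcnt climbing), the peer never gets an ISAKMP SA, and 'debug crypto ipsec' logs "IPSEC(sa_initiate): ACL = deny; no sa created". The script below is an added example, not from the thread or from Cisco, that correlates those three observations from captured CLI output so a stalled tunnel can be flagged without reloading anything; the ACL names, addresses, peers and the ACL-to-peer mapping are constructed placeholders.

```python
import re

# Constructed sample of PIX 6.x "show access-list" output (hypothetical ACL names/addresses).
SHOW_ACCESS_LIST = """\
access-list nonat line 1 permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0 (hitcnt=42)
access-list nonat line 2 permit ip 10.1.1.0 255.255.255.0 10.3.3.0 255.255.255.0 (hitcnt=7)
access-list vpn_oldpeer line 1 permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0 (hitcnt=42)
access-list vpn_newpeer line 1 permit ip 10.1.1.0 255.255.255.0 10.3.3.0 255.255.255.0 (hitcnt=7)
"""

# Constructed sample of "debug crypto ipsec" output reproducing the error quoted in the thread.
DEBUG_CRYPTO_IPSEC = """\
IPSEC(sa_initiate): ACL = deny; no sa created
IPSEC(sa_initiate): ACL = deny; no sa created
"""

# Hypothetical crypto-map ACL -> peer mapping, as read from the "match address" and
# "set peer" lines of the running config, and the peers that currently hold an ISAKMP SA.
CRYPTO_ACL_PEER = {"vpn_oldpeer": "198.51.100.2", "vpn_newpeer": "198.51.100.3"}
ACTIVE_ISAKMP_PEERS = {"198.51.100.2"}  # constructed "show crypto isakmp sa" result

ACL_RE = re.compile(r"^access-list (\S+) line \d+ permit ip (\S+) (\S+) (\S+) (\S+) \(hitcnt=(\d+)\)")
SA_DENY_RE = re.compile(r"IPSEC\(sa_initiate\): ACL = deny; no sa created")


def parse_hitcnts(show_output):
    """Map ACL name -> {(src, smask, dst, dmask): hitcnt} from 'show access-list' text."""
    acls = {}
    for line in show_output.splitlines():
        m = ACL_RE.match(line)
        if m:
            name, *flow, cnt = m.groups()
            acls.setdefault(name, {})[tuple(flow)] = int(cnt)
    return acls


def stalled_tunnels(show_output, debug_output, acl_peer, active_peers, nonat="nonat"):
    """Return crypto ACLs whose traffic is matched (and NAT-exempted) while the peer has
    no ISAKMP SA and the debug shows 'ACL = deny; no sa created' -- the thread's symptom."""
    if not SA_DENY_RE.search(debug_output):
        return []  # no sa_initiate denial logged: a different problem, do not flag
    acls = parse_hitcnts(show_output)
    nonat_hits = acls.get(nonat, {})
    stalled = []
    for name, peer in acl_peer.items():
        if peer in active_peers:
            continue  # Phase 1 is up for this peer; it is not the stalled one
        if any(h > 0 and nonat_hits.get(flow, 0) > 0 for flow, h in acls.get(name, {}).items()):
            stalled.append(name)
    return stalled


if __name__ == "__main__":
    print(stalled_tunnels(SHOW_ACCESS_LIST, DEBUG_CRYPTO_IPSEC, CRYPTO_ACL_PEER, ACTIVE_ISAKMP_PEERS))
```

Feed it the saved output of the three show/debug commands from the affected PIX; an ACL that is flagged here is the one to check in 'show crypto map' before resorting to reapplying the map or reloading.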
