1820 Views, 0 Helpful, 15 Replies
Pix2ASA Vpn

s_colombo (Level 1)

We have a PIX 515 (6.3.5) and an ASA 5510 (8.2.1).

We must set up a site-to-site VPN but we seem to have problems which we cannot find.

It seems that even the ISAKMP phase has a problem.

Below is an extract of the debug crypto isakmp taken from the PIX.

The strange thing I noticed is that it thinks it connects to a VPN concentrator.

ISAKMP (0): Checking ISAKMP transform 1 against priority 5 policy
ISAKMP:      default group 2
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash SHA
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 3
ISAKMP (0): processing vendor id payload
ISAKMP (0:0): vendor ID is NAT-T
ISAKMP (0): processing vendor id payload
ISAKMP (0:0): vendor ID is NAT-T
ISAKMP (0): processing vendor id payload
ISAKMP (0): processing vendor id payload
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_FQDN
ISAKMP (0:0): sending NAT-T vendor ID - rev 2 & 3
ISAKMP (0:0): Detected port floating
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:x.x.x.x, dest:y.y.y.y spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
ISAKMP (0): processing vendor id payload
ISAKMP (0): processing vendor id payload
ISAKMP (0): received xauth v6 vendor id
ISAKMP (0): processing vendor id payload
ISAKMP (0): speaking to another IOS box!
ISAKMP (0): processing vendor id payload
ISAKMP (0): speaking to a VPN3000 concentrator
ISAKMP (0:0): Detected NAT-D payload

Can anyone tell me if there are problems between PIX 6.3 and ASA 8.x, or if there's something in the configuration?

Thanks

15 Replies

Ivan Martinon (Level 7)

The debugs here do not show anything wrong; the message "speaking to a VPN 3000 concentrator" is normal when using an ASA and a PIX. In your case we can say that phase 1 is going OK. I would advise you to get the debugs from the ASA, since they are more complete than the PIX ones.

Patrick0711 (Level 3)

Ivan is correct. The only thing I would add is: please provide the output with the ASA as the responder, using 'debug crypto isakmp 254'.

Hi,

It took time to get back to this issue, but here I am again.

I've checked the configuration of the ASA again and it seems correct to me.

Then I tried to ping the Ethernet interface of the PIX 515 from the console of the ASA 5510.

Below is the result. It seems to me that phase 1 ISAKMP is OK.

The IP of the internal interface of the PIX is 192.168.0.230

The IP of the internal interface of the ASA is 172.16.2.248

asa5510# ping 192.168.0.230
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to PIX-515, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
asa5510# sh crypto isakmp sa

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: PIX_515
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE

I'm going to check the configuration of PIX as well.

thanks

With debug crypto isakmp enabled on the ASA and trying to ping from the PIX, I got this on the ASA console:

%ASA-7-713222: Group = 194.x.x.2, IP = 194.x.x.2, Static Crypto Map check, map = Internet_map, seq = 20, ACL does not match proxy IDs src:0.0.0.0 dst:REMOTE_LAN_CLIENT
%ASA-3-713061: Group = 194.x.x.2, IP = 194.x.x.2, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 0.0.0.0/0.0.0.0/1/0 local proxy 172.16.2.0/255.255.254.0/1/0 on interface Internet
%ASA-7-713906: Group = 194.x.x.2, IP = 194.x.x.2, sending notify message
%ASA-7-715046: Group = 194.x.x.2, IP = 194.x.x.2, constructing blank hash payload
%ASA-7-715046: Group = 194.x.x.2, IP = 194.x.x.2, constructing qm hash payload
%ASA-7-713236: IP = 194.x.x.2, IKE_DECODE SENDING Message (msgid=16b8d4c6) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 416
%ASA-3-713902: Group = 194.x.x.2, IP = 194.x.x.2, QM FSM error (P2 struct &0xd82fd598, mess id 0xc6f734d4)!
%ASA-7-715065: Group = 194.x.x.2, IP = 194.x.x.2, IKE QM Responder FSM error history (struct &0xd82fd598)  , :  QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_NEGO_SA-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH
%ASA-7-713906: Group = 194.x.x.2, IP = 194.x.x.2, sending delete/delete with reason message
%2, Username = 194.x.x.2, IP = REMOTEPIX_NAT, Session disconnected. Session Type: IKE, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: crypto map policy not found
%ASA-7-713906: Ignoring msg to mark SA with dsID 49152 dead because SA deleted
.27.2, IKE Responder starting QM: msg id = 6ea4a349

Pinging from the console will typically not work to bring up the VPN, as the outside interfaces are probably not part of your crypto ACL.

Post your configs.

Your problem is the following:

nat (inside) 0 access-list outside_40_cryptomap

access-list outside_40_cryptomap is being used in the NAT exempt config, and it is also used on the following crypto map:

crypto map STS 40 match address outside_40_cryptomap

AND the tunnel you are trying to configure is defined after this crypto map; since the traffic for tunnel 600 is included in the lines of outside_40_cryptomap, this will be the crypto map processed instead of 600.

You should never define the NAT exempt list to be one already used for the crypto map of another tunnel, so go ahead and duplicate access-list outside_40_cryptomap into another one called something like nonat, make sure it has all the lines for all the tunnels (which I believe crypto 40 has), and apply it to the nat (inside) 0 access-list nonat setup.

Then clean your crypto 40 of the lines in the ACL that do not belong to it, and try again.

I think you posted in the wrong thread.

I think you are right... my apologies, I will check your debugs in a second.

All right, I made sure I am reading the right one now. Based on this line:

Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 0.0.0.0/0.0.0.0/1/0 local proxy 172.16.2.0/255.255.254.0/1/0 on interface Internet

it means that you are receiving an SA formed with 0.0.0.0 mask 0.0.0.0, in other words any any, which either you or the remote side will have to mirror. Can you please post your crypto ACLs here, as well as the remote side's ones?
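The proxy-ID check this reply describes, written out as an added Python example (not code from the thread or from Cisco). It parses the two crypto ACLs posted later in the thread, reports any entry on one side whose exact mirror (source and destination swapped) is missing on the other, and parses the %ASA-3-713061 line above to show whether the proposed local/remote proxy pair would have been contained in any entry of the responder's ACL. Assumptions: the masked peer address is replaced by the constructed placeholder 192.0.2.2, the /23 variant of the ASA ACL and the mirrored proposal fragment are constructed for the demonstration, and treating "contained in the ACL entry" as a match is a simplification of the platform's own comparison.

```python
"""Check crypto ACL mirroring and explain an ASA 713061 proxy-ID rejection.

Added example for this thread, not code from the thread or from Cisco.
Sample inputs are the ACL lines and the syslog line posted in the thread,
with the masked peer address replaced by the constructed placeholder 192.0.2.2.
"""
import ipaddress
import re

# PIX 6.3 "access-list NAME permit ..." and ASA "access-list NAME extended permit ..."
ACL_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+(?:extended\s+)?permit\s+(?P<proto>\S+)\s+"
    r"(?P<src>[\d.]+)\s+(?P<smask>[\d.]+)\s+(?P<dst>[\d.]+)\s+(?P<dmask>[\d.]+)\s*$"
)
# %ASA-3-713061 carries both proxy IDs as addr/mask/prot/port
PROXY_RE = re.compile(
    r"remote proxy (?P<raddr>[\d.]+)/(?P<rmask>[\d.]+)/(?P<rprot>\d+)/\d+"
    r" local proxy (?P<laddr>[\d.]+)/(?P<lmask>[\d.]+)/(?P<lprot>\d+)/\d+"
)
PROTO_NUM = {"ip": 0, "icmp": 1, "tcp": 6, "udp": 17}

# Constructed sample input: the crypto ACL lines as posted in the thread
PIX_CONFIG = "access-list outside_cryptomap_50 permit ip 192.168.0.0 255.255.128.0 172.16.2.0 255.255.255.0\n"
ASA_CONFIG = "access-list Crypto_Map_ACL extended permit ip 172.16.2.0 255.255.255.0 192.168.0.0 255.255.128.0\n"
# Constructed variant with a /23 local mask, to show a pair that does not mirror
ASA_CONFIG_BAD = "access-list Crypto_Map_ACL extended permit ip 172.16.2.0 255.255.254.0 192.168.0.0 255.255.128.0\n"
# The rejection logged on the ASA in the thread (peer address replaced by a placeholder)
ASA_REJECT_LINE = (
    "%ASA-3-713061: Group = 192.0.2.2, IP = 192.0.2.2, Rejecting IPSec tunnel: "
    "no matching crypto map entry for remote proxy 0.0.0.0/0.0.0.0/1/0 "
    "local proxy 172.16.2.0/255.255.254.0/1/0 on interface Internet"
)
# Constructed proxy-ID fragment that does mirror Crypto_Map_ACL
MIRRORED_PROPOSAL = "remote proxy 192.168.0.0/255.255.128.0/0/0 local proxy 172.16.2.0/255.255.255.0/0/0"


def to_net(addr, mask):
    """Build a network from dotted address plus dotted mask (non-strict, as the CLI allows)."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_acl(config_text, acl_name):
    """Return [(proto_number, src_net, dst_net)] for the permit lines of one ACL."""
    entries = []
    for line in config_text.splitlines():
        m = ACL_RE.match(line.strip())
        if m and m["name"] == acl_name:
            entries.append((PROTO_NUM.get(m["proto"], -1),
                            to_net(m["src"], m["smask"]), to_net(m["dst"], m["dmask"])))
    return entries


def mirror_mismatches(side_a, side_b):
    """Entries on each side whose exact mirror (src and dst swapped) is missing on the other."""
    mirrored_b = {(p, d, s) for p, s, d in side_b}
    mirrored_a = {(p, d, s) for p, s, d in side_a}
    return ([e for e in side_a if e not in mirrored_b],
            [e for e in side_b if e not in mirrored_a])


def parse_proxy_ids(text):
    """Extract (local_net, local_proto, remote_net, remote_proto) from a 713061-style text."""
    m = PROXY_RE.search(text)
    if m is None:
        return None
    return (to_net(m["laddr"], m["lmask"]), int(m["lprot"]),
            to_net(m["raddr"], m["rmask"]), int(m["rprot"]))


def find_matching_entry(acl_entries, text):
    """First responder-side entry (src = local, dst = remote) containing the proposed
    proxy IDs, or None. Assumption: containment counts as a match, which simplifies
    the platform's own comparison."""
    ids = parse_proxy_ids(text)
    if ids is None:
        return None
    local_net, local_proto, remote_net, remote_proto = ids
    for proto, src, dst in acl_entries:
        proto_ok = proto == 0 or proto == local_proto == remote_proto
        if proto_ok and local_net.subnet_of(src) and remote_net.subnet_of(dst):
            return (proto, src, dst)
    return None


if __name__ == "__main__":
    pix = parse_acl(PIX_CONFIG, "outside_cryptomap_50")
    asa = parse_acl(ASA_CONFIG, "Crypto_Map_ACL")
    print("mirror mismatches:", mirror_mismatches(pix, asa))
    print("entry matching the rejected proposal:", find_matching_entry(asa, ASA_REJECT_LINE))
```

Run against the thread's data, the two ACLs mirror each other, while the logged proposal (remote 0.0.0.0/0, local 172.16.2.0/23, protocol 1) fits no entry of Crypto_Map_ACL, which is exactly what the ASA reported.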

Here is the config at the moment.

PIX 515:

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
hostname terminator
....
....
access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.128.0 172.16.2.0 255.255.255.0
access-list inside_outbound_nat0_acl "contains other entries for local dmz zones"
.....
access-list outside_cryptomap_50 permit ip 192.168.0.0 255.255.128.0 172.16.2.0 255.255.255.0
ip address outside 194.x.x.2 255.255.255.240
ip address inside 192.168.0.230 255.255.128.0
global (outside) 1 interface
global (dmz) 1 192.168.168.8
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
.....
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 60 match address outside_cryptomap_dyn_60
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 80 match address outside_cryptomap_dyn_80
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 100 match address outside_cryptomap_dyn_100
crypto dynamic-map outside_dyn_map 100 set transform-set ESP-3DES-MD5
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer xxxxx
crypto map outside_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 30 ipsec-isakmp
crypto map outside_map 30 match address vpn_tc
crypto map outside_map 30 set peer xxxxx
crypto map outside_map 30 set transform-set ESP-DES-MD5
crypto map outside_map 50 ipsec-isakmp
crypto map outside_map 50 match address outside_cryptomap_50
crypto map outside_map 50 set pfs group2
crypto map outside_map 50 set peer 80.x.x.x
crypto map outside_map 50 set transform-set ESP-3DES-MD5 ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication RADIUS
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address x netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address x netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 80.x.x.x netmask 255.255.255.255 no-xauth no-config-mode
isakmp nat-traversal 20
isakmp policy 5 authentication pre-share
isakmp policy 5 encryption 3des
isakmp policy 5 hash sha
isakmp policy 5 group 2
isakmp policy 5 lifetime 86400
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption des
isakmp policy 40 hash md5
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400

ASA5510:

interface Ethernet0/0
 nameif Internet
 security-level 0
 ip address 80.x.x.x 255.255.255.240
interface Ethernet0/3
 nameif Internal
 security-level 100
 ip address 172.16.2.248 255.255.255.0
.....
access-list Internal_Internet_Nat0 extended permit ip 172.16.2.0 255.255.255.0 192.168.0.0 255.255.128.0
access-list Crypto_Map_ACL extended permit ip 172.16.2.0 255.255.255.0 192.168.0.0 255.255.128.0
nat (Internal) 0 access-list Internal_Internet_Nat0
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map Internet_map 20 match address Crypto_Map_ACL
crypto map Internet_map 20 set pfs
crypto map Internet_map 20 set peer 194.x.x.x
crypto map Internet_map 20 set transform-set ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-MD5 ESP-DES-SHA
crypto map Internet_map interface Internet
crypto isakmp identity address
crypto isakmp enable Internet
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 15
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
tunnel-group 194.244.27.2 type ipsec-l2l
tunnel-group 194.244.27.2 ipsec-attributes
 pre-shared-key *
....

Mhhh, can you attach it in a text file and upload it? It is all mixed up; I can't read it.

Sorry...

Attached is a text file with the relevant part of the configuration.

Hi,

Today I'm back on this issue, hoping for some help.

I started again from the basics and checked the configuration, which seems to be good (at least to me).

I did some basic troubleshooting (sh crypto isakmp sa, sh crypto ipsec sa) and found a change from last week.

Here below are the findings. It seems that the tunnel is established, but somehow the traffic is not treated as interesting and encrypted (tunneled).

The configurations are:

PIX 515  Internal IP 192.168.0.230/24  Outside IP 192.x.x.x

ASA5510  Internal IP 172.16.0.248  Outside IP 80.x.x.x

PIX 515 side:

terminator# sh crypto isakmp sa
Total     : 2
Embryonic : 0
        dst            src            state    pending    created
    194.x.x.x      151.x.x.x      QM_IDLE        0          1
    194.x.x.x      80.x.x.x       QM_IDLE        0          1

terminator# sh crypto ipsec sa
interface: outside
    Crypto map tag: outside_map, local addr. 194.x.x.x

   local  ident (addr/mask/prot/port): (192.168.0.0/255.255.128.0/1/0)
   remote ident (addr/mask/prot/port): (172.16.2.0/255.255.255.0/1/0)
   current_peer: 80.x.x.x:0
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
     local crypto endpt.: 194.x.x.x, remote crypto endpt.: 80.x.x.x
     path mtu 1500, ipsec overhead 0, media mtu 1500
     current outbound spi: 0
     inbound esp sas:

   local  ident (addr/mask/prot/port): (192.168.0.0/255.255.128.0/0/0)
   remote ident (addr/mask/prot/port): (172.16.2.0/255.255.255.0/0/0)
   current_peer: 80.x.x.x:500
   dynamic allocated peer ip: 0.0.0.0
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 201, #pkts encrypt: 201, #pkts digest 201
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0
     local crypto endpt.: 194.x.x.x, remote crypto endpt.: 80.x.x.x
     path mtu 1500, ipsec overhead 56, media mtu 1500

Below is the output of sh crypto ipsec sa while pinging the remote site:

   local  ident (addr/mask/prot/port): (192.168.0.0/255.255.128.0/0/0)
   remote ident (addr/mask/prot/port): (172.16.2.0/255.255.255.0/0/0)
   current_peer: 80.x.x.x:500
   dynamic allocated peer ip: 0.0.0.0
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 264, #pkts encrypt: 264, #pkts digest 264
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 2, #recv errors 0
     local crypto endpt.: 194.x.x.x, remote crypto endpt.: 80.x.x.x
     path mtu 1500, ipsec overhead 56, media mtu 1500
     current outbound spi: 821a3915

     inbound esp sas:
      spi: 0x1cc96a1b(482961947)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 3, crypto map: outside_map
        sa timing: remaining key lifetime (k/sec): (4608000/28506)
        IV size: 8 bytes
        replay detection support: Y

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x821a3915(2182756629)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 4, crypto map: outside_map
        sa timing: remaining key lifetime (k/sec): (4607993/28483)
        IV size: 8 bytes
        replay detection support: Y

     outbound ah sas:

     outbound pcp sas:

What I see here is that your PIX is encrypting the traffic; however, the remote side (ASA?) is not encrypting back. Can you get the show crypto ipsec sa from the ASA for this tunnel? Do you see the opposite behavior: decrypted packets and no encrypted packets?
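One way to do the side-by-side comparison this reply asks for, as an added Python example (not code from the thread or from Cisco). It parses the per-flow counters from show crypto ipsec sa on both peers, classifies each flow as idle, transmit-only, receive-only or bidirectional, pairs the flows whose local/remote identities are mirror images of each other, and returns a short diagnosis code for the pair. Assumptions: the PIX sample condenses the counters posted above, with the masked addresses replaced by the constructed documentation addresses 198.51.100.2 and 203.0.113.1; the ASA sample is constructed in ASA 8.2 output style to show the receive-only mirror view the reply describes.

```python
"""Classify per-flow counters from 'show crypto ipsec sa' on both VPN peers.

Added example for this thread, not code from the thread or from Cisco.
Both samples are constructed: the PIX one condenses the counters posted in the
thread, the ASA one shows the mirror view the reply asks for (ASA 8.2 style).
Masked addresses are replaced by documentation addresses.
"""
import re

IDENT_RE = re.compile(r"^(local|remote)\s+ident \(addr/mask/prot/port\): \((?P<v>[^)]*)\)")
PEER_RE = re.compile(r"^current_peer:\s*(?P<peer>\S+)")
ENCAPS_RE = re.compile(r"#pkts encaps:\s*(\d+)")
DECAPS_RE = re.compile(r"#pkts decaps:\s*(\d+)")
# PIX 6.3 prints "#send errors 2", ASA 8.2 prints "#send errors: 2"; accept both
ERR_RE = re.compile(r"#send errors:?\s*(\d+),\s*#recv errors:?\s*(\d+)")

PIX_SAMPLE = """\
interface: outside
    Crypto map tag: outside_map, local addr. 198.51.100.2
   local  ident (addr/mask/prot/port): (192.168.0.0/255.255.128.0/1/0)
   remote ident (addr/mask/prot/port): (172.16.2.0/255.255.255.0/1/0)
   current_peer: 203.0.113.1:0
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #send errors 0, #recv errors 0
   local  ident (addr/mask/prot/port): (192.168.0.0/255.255.128.0/0/0)
   remote ident (addr/mask/prot/port): (172.16.2.0/255.255.255.0/0/0)
   current_peer: 203.0.113.1:500
    #pkts encaps: 264, #pkts encrypt: 264, #pkts digest 264
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #send errors 2, #recv errors 0
"""
ASA_SAMPLE = """\
interface: Internet
    Crypto map tag: Internet_map, seq num: 20, local addr: 203.0.113.1
      local ident (addr/mask/prot/port): (172.16.2.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.0.0/255.255.128.0/0/0)
      current_peer: 198.51.100.2
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 264, #pkts decrypt: 264, #pkts verify: 264
      #send errors: 0, #recv errors: 0
"""


def parse_ipsec_sa(text):
    """Return one dict per flow (each 'local ident' block) with its counters."""
    flows, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        ident = IDENT_RE.match(line)
        if ident and ident.group(1) == "local":
            cur = {"local": ident["v"], "remote": None, "peer": None,
                   "encaps": 0, "decaps": 0, "send_errors": 0, "recv_errors": 0}
            flows.append(cur)
            continue
        if cur is None:
            continue
        if ident:
            cur["remote"] = ident["v"]
            continue
        peer = PEER_RE.match(line)
        if peer:
            cur["peer"] = peer["peer"]
        enc = ENCAPS_RE.search(line)
        if enc:
            cur["encaps"] = int(enc.group(1))
        dec = DECAPS_RE.search(line)
        if dec:
            cur["decaps"] = int(dec.group(1))
        err = ERR_RE.search(line)
        if err:
            cur["send_errors"], cur["recv_errors"] = int(err.group(1)), int(err.group(2))
    return flows


def classify_flow(flow):
    """Direction summary of one flow from its encaps/decaps counters."""
    if flow["encaps"] == 0 and flow["decaps"] == 0:
        return "idle"           # nothing matched the crypto ACL in either direction
    if flow["decaps"] == 0:
        return "tx-only"        # we encrypt, nothing ever comes back
    if flow["encaps"] == 0:
        return "rx-only"        # we decrypt, nothing is sent back into the tunnel
    return "bidirectional"


def pair_flows(side_a, side_b):
    """Match flows whose local/remote identities are mirror images of each other."""
    return [(a, b) for a in side_a for b in side_b
            if a["local"] == b["remote"] and a["remote"] == b["local"]]


def diagnose(flow_a, flow_b):
    """Combine both peers' views of one flow into a short diagnosis code."""
    states = (classify_flow(flow_a), classify_flow(flow_b))
    if states == ("bidirectional", "bidirectional"):
        return "ok"
    if states == ("tx-only", "rx-only"):
        return "peer-decrypts-but-never-replies"   # look at the peer's return path
    if states == ("tx-only", "idle"):
        return "peer-never-receives"               # lost before the peer's IPsec
    if states == ("idle", "idle"):
        return "no-interesting-traffic"
    return "inconclusive"


if __name__ == "__main__":
    pix, asa = parse_ipsec_sa(PIX_SAMPLE), parse_ipsec_sa(ASA_SAMPLE)
    for a, b in pair_flows(pix, asa):
        print(a["local"], "<->", a["remote"], classify_flow(a), "/", classify_flow(b), "=>", diagnose(a, b))
```

With the constructed ASA view, the ip/ip flow comes out as tx-only on the PIX and rx-only on the ASA, which is the "decrypted packets and no encrypted packets" pattern the reply is asking the poster to look for; the icmp flow from the earlier output stays idle on the PIX and has no counterpart on the ASA.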
