Weird VPN issue after ISP change


Team,


I used to have this remote access VPN working for 3+ years on our PIX-515 platform. Recently we changed to Comcast Business and the VPN doesn't work. I get the following debug message.


PIX(config)# sh crypto isakmp sa
Total     : 1
Embryonic : 0
        dst               src        state     pending     created
  5.5.5.5    98.228.65.187    QM_IDLE         0           0


Debug messages for IPSEC: (5.5.5.5 is the PIX outside interface's sanitized address)
PIX(config)# IPSEC(validate_proposal): invalid local address 5.5.5.5
IPSEC(validate_proposal): invalid local address 5.5.5.5
IPSEC(validate_proposal): invalid local address 5.5.5.5
IPSEC(validate_proposal): invalid local address 5.5.5.5
IPSEC(validate_proposal): invalid local address 5.5.5.5
IPSEC(validate_proposal): invalid local address 5.5.5.5
IPSEC(validate_proposal): invalid local address 5.5.5.5
IPSEC(validate_proposal): invalid local address 5.5.5.5
IPSEC(validate_proposal): invalid local address 5.5.5.5
IPSEC(validate_proposal): invalid local address 5.5.5.5
IPSEC(validate_proposal): invalid local address 5.5.5.5
IPSEC(validate_proposal): invalid local address 5.5.5.5
IPSEC(validate_proposal): invalid local address 5.5.5.5
IPSEC(validate_proposal): invalid local address 5.5.5.5
IPSEC(validate_proposal): invalid local address 5.5.5.5
IPSEC(validate_proposal): invalid local address 5.5.5.5
IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with   98.228.65.187


I have attached my sanitized VPN config too.


Initially I thought the ISP might be blocking the ESP protocol, since the capture doesn't see any ESP packets, but they confirm that there is no filter on their end.


What does this message really mean?


Thanks in advance,

sequoyatech Thu, 03/04/2010 - 08:18

I just ran into the exact same situation, but did not have to reload.


(my commands in bold, PIX response unbolded)


sh ipsec sa

interface: outside
    Crypto map tag: mprogress, local addr.1.2.3.4 <----old IP

no crypto map mapname interface outside

crypto map mapname interface outside

sh ipsec sa

interface: outside
    Crypto map tag: mprogress, local addr. 10.10.10.10 <--new IP
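
An added example, not posted by either participant and not Cisco code: a Python check that compares the address named in the "invalid local address" debug lines with the "local addr." shown in `sh ipsec sa`, the mismatch the reply above points to. The sample text is constructed, the function names are hypothetical, and it assumes the crypto map can remain bound to the old address after the interface IP changes, as the reply's output shows.

```python
import re
from collections import Counter

# Constructed sample text, modelled on the output quoted in this thread.
SAMPLE_DEBUG = """\
IPSEC(validate_proposal): invalid local address 5.5.5.5
IPSEC(validate_proposal): invalid local address 5.5.5.5
IPSEC(key_engine): got a queue event...
"""
SAMPLE_SA = """\
interface: outside
    Crypto map tag: mprogress, local addr. 1.2.3.4
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
INVALID_RE = re.compile(r"IPSEC\(validate_proposal\): invalid local address\s+" + IPV4)
IFACE_RE = re.compile(r"^\s*interface:\s*(\S+)")
MAP_RE = re.compile(r"Crypto map tag:\s*([^,\s]+),\s*local addr\.\s*" + IPV4)


def rejected_addresses(debug_text):
    """Count each local address the IPSEC debug output reported as invalid."""
    return Counter(INVALID_RE.findall(debug_text))


def crypto_map_bindings(sa_text):
    """Return (interface, map_tag, local_addr); tolerates 'local addr.' with no space."""
    bindings, iface = [], None
    for line in sa_text.splitlines():
        if m := IFACE_RE.match(line):
            iface = m.group(1)
        elif m := MAP_RE.search(line):
            bindings.append((iface, m.group(1), m.group(2)))
    return bindings


def stale_bindings(debug_text, sa_text):
    """Flag crypto maps bound to an address other than the one being rejected."""
    findings = []
    for iface, tag, bound in crypto_map_bindings(sa_text):
        for addr, count in rejected_addresses(debug_text).items():
            if addr != bound:
                findings.append({"interface": iface, "map": tag, "bound": bound,
                                 "rejected": addr, "count": count})
    return findings


if __name__ == "__main__":
    print(stale_bindings(SAMPLE_DEBUG, SAMPLE_SA))
```

An empty result after the crypto map has been removed and re-applied to the interface means the binding and the rejected address now agree.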
