Weird VPN issue after ISP change

smunzani
Level 1

Team,

I used to have this remote access VPN working for 3+ years on our PIX-515 platform. Recently we changed to Comcast Business and the VPN doesn't work. I get the following debug message.

PIX(config)# sh crypto isakmp sa
Total     : 1
Embryonic : 0
        dst               src        state     pending     created
  5.5.5.5    98.228.65.187    QM_IDLE         0           0

Debug Messages for IPSEC: (5.5.5.5 is pix outside interface sanitized address)
PIX(config)# IPSEC(validate_proposal): invalid local address 5.5.5.5
IPSEC(validate_proposal): invalid local address 5.5.5.5
IPSEC(validate_proposal): invalid local address 5.5.5.5
IPSEC(validate_proposal): invalid local address 5.5.5.5
IPSEC(validate_proposal): invalid local address 5.5.5.5
IPSEC(validate_proposal): invalid local address 5.5.5.5
IPSEC(validate_proposal): invalid local address 5.5.5.5
IPSEC(validate_proposal): invalid local address 5.5.5.5
IPSEC(validate_proposal): invalid local address 5.5.5.5
IPSEC(validate_proposal): invalid local address 5.5.5.5
IPSEC(validate_proposal): invalid local address 5.5.5.5
IPSEC(validate_proposal): invalid local address 5.5.5.5
IPSEC(validate_proposal): invalid local address 5.5.5.5
IPSEC(validate_proposal): invalid local address 5.5.5.5
IPSEC(validate_proposal): invalid local address 5.5.5.5
IPSEC(validate_proposal): invalid local address 5.5.5.5
IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with   98.228.65.187

I have attached my sanitized VPN config too.

Initially I thought ISP might be blocking ESP protocol since the capture doesn't see any ESP packets but they confirm that there is no filter on their end.

What does this message really mean?

Thanks in advance,

2 Replies

smunzani
Level 1

I resolved my issue by doing this.

Remove the crypto map applied to outside interface.

reload

Reapply the crypto map.

For some reason the firewall started thinking it didn't have a crypto map applied.

Thanks,

Sam

sequoyatech
Level 1

I just ran into the exact same situation, but did not have to reload.

(my commands in bold, PIX response unbolded)

sh ipsec sa

interface: outside
    Crypto map tag: mprogress, local addr.1.2.3.4 <----old IP

no crypto map mapname interface outside

crypto map mapname interface outside

sh ipsec sa

interface: outside
    Crypto map tag: mprogress, local addr. 10.10.10.10 <--new IP
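
An added check that is not from either poster: it parses PIX-style "show crypto ipsec sa" output, flags any crypto map whose local address no longer matches the interface's current IP (the stale binding both replies describe after the ISP change), and produces the unbind/rebind commands sequoyatech used. The sample outputs below are constructed, and the "show interface" line format is an assumption.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed "show crypto ipsec sa" output: the crypto map still carries the old address.
SAMPLE_IPSEC_SA = """\
interface: outside
    Crypto map tag: mprogress, local addr. 1.2.3.4

   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
"""

# Constructed "show interface outside" output with the new ISP address (format assumed).
SAMPLE_INTERFACE = """\
interface ethernet0 "outside" is up, line protocol is up
  IP address 10.10.10.10, subnet mask 255.255.255.0
"""

def parse_crypto_map_local_addr(sa_output: str) -> Dict[str, Dict[str, str]]:
    """Map each interface name to the crypto map name and local address it is bound to."""
    result: Dict[str, Dict[str, str]] = {}
    current_if: Optional[str] = None
    for line in sa_output.splitlines():
        m_if = re.match(r"\s*interface:\s*(\S+)", line)
        if m_if:
            current_if = m_if.group(1)
            continue
        # Accepts both "local addr. 1.2.3.4" and the run-together "local addr.1.2.3.4".
        m_map = re.search(r"Crypto map tag:\s*(\S+),\s*local addr\.?\s*(\d+\.\d+\.\d+\.\d+)", line)
        if m_map and current_if:
            result[current_if] = {"map": m_map.group(1), "local_addr": m_map.group(2)}
    return result

def parse_interface_ip(if_output: str) -> Optional[str]:
    """Extract the interface IP from "show interface" output (assumed line format)."""
    m = re.search(r"IP address (\d+\.\d+\.\d+\.\d+)", if_output)
    return m.group(1) if m else None

def stale_crypto_map_bindings(sa_output: str, if_ip_by_name: Dict[str, str]) -> List[Tuple[str, str, str, str]]:
    """Return (interface, map, bound_addr, actual_addr) where the crypto map address is stale."""
    stale = []
    for name, info in parse_crypto_map_local_addr(sa_output).items():
        actual = if_ip_by_name.get(name)
        if actual and actual != info["local_addr"]:
            stale.append((name, info["map"], info["local_addr"], actual))
    return stale

def remediation_commands(stale: List[Tuple[str, str, str, str]]) -> List[str]:
    """Unbind and rebind the crypto map on each affected interface, as in the second reply."""
    cmds: List[str] = []
    for name, map_name, _old, _new in stale:
        cmds.append(f"no crypto map {map_name} interface {name}")
        cmds.append(f"crypto map {map_name} interface {name}")
    return cmds

if __name__ == "__main__":
    ips = {"outside": parse_interface_ip(SAMPLE_INTERFACE)}
    for cmd in remediation_commands(stale_crypto_map_bindings(SAMPLE_IPSEC_SA, ips)):
        print(cmd)
```

Re-check "sh ipsec sa" after reapplying the map; the local addr. shown should now equal the interface address.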
