01-27-2010 09:28 AM
Team,
I used to have this remote access VPN working for 3+ years on our PIX-515 platform. Recently we changed to Comcast Business and the VPN doesn't work. I get the following debug message.
PIX(config)# sh crypto isakmp sa
Total : 1
Embryonic : 0
dst src state pending created
5.5.5.5 98.228.65.187 QM_IDLE 0 0
Debug Messages for IPSEC: (5.5.5.5 is pix outside interface sanitized address)
PIX(config)# IPSEC(validate_proposal): invalid local address 5.5.5.5
IPSEC(validate_proposal): invalid local address 5.5.5.5
IPSEC(validate_proposal): invalid local address 5.5.5.5
IPSEC(validate_proposal): invalid local address 5.5.5.5
IPSEC(validate_proposal): invalid local address 5.5.5.5
IPSEC(validate_proposal): invalid local address 5.5.5.5
IPSEC(validate_proposal): invalid local address 5.5.5.5
IPSEC(validate_proposal): invalid local address 5.5.5.5
IPSEC(validate_proposal): invalid local address 5.5.5.5
IPSEC(validate_proposal): invalid local address 5.5.5.5
IPSEC(validate_proposal): invalid local address 5.5.5.5
IPSEC(validate_proposal): invalid local address 5.5.5.5
IPSEC(validate_proposal): invalid local address 5.5.5.5
IPSEC(validate_proposal): invalid local address 5.5.5.5
IPSEC(validate_proposal): invalid local address 5.5.5.5
IPSEC(validate_proposal): invalid local address 5.5.5.5
IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with 98.228.65.187
I have attached my sanitized VPN config too.
Initially I thought ISP might be blocking ESP protocol since the capture doesn't see any ESP packets but they confirm that there is no filter on their end.
What does this message really mean?
Thanks in advance,
01-27-2010 09:55 AM
I resolved my issue by doing this.
Remove the crypto map applied to outside interface.
reload
Reapply the crypto map.
For some reason the firewall started thinking it didn't have a crypto map applied.
Thanks,
Sam
03-04-2010 08:18 AM
I just ran into the exact same situation, but did not have to reload.
(my commands in bold, PIX response unbolded)
sh ipsec sa
interface: outside
Crypto map tag: mprogress, local addr.1.2.3.4 <----old IP
no crypto map mapname interface outside
crypto map mapname interface outside
sh ipsec sa
interface: outside
Crypto map tag: mprogress, local addr. 10.10.10.10 <--new IP
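The check both replies are doing by hand, as an added example that is not part of any post in this thread: parse the "local addr" a crypto map is still bound to, the interface's current IP, and the "invalid local address" debug lines, and flag a crypto map stuck on a stale address. The device output below is constructed to resemble the snippets quoted above, not captured from a real PIX.

```python
import re
from collections import Counter

# Constructed sample output modelled on the thread, not captured from a real device.
SH_IPSEC_SA = """interface: outside
    Crypto map tag: mprogress, local addr.1.2.3.4
"""
SH_INTERFACE = """interface ethernet0 "outside" is up, line protocol is up
        IP address 10.10.10.10, subnet mask 255.255.255.0
"""
DEBUG_LOG = """IPSEC(validate_proposal): invalid local address 1.2.3.4
IPSEC(validate_proposal): invalid local address 1.2.3.4
IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"

def crypto_map_local_addrs(sh_ipsec_sa):
    """Map each crypto map tag to the local address it is still bound to."""
    pat = re.compile(r"Crypto map tag:\s*(\S+),\s*local addr\.?\s*" + IPV4)
    return {m.group(1): m.group(2) for m in pat.finditer(sh_ipsec_sa)}

def interface_ip(sh_interface):
    """Current IP of the interface, taken from 'show interface' output."""
    m = re.search(r"IP address\s+" + IPV4, sh_interface)
    return m.group(1) if m else None

def invalid_local_addresses(debug_log):
    """Count 'invalid local address' debug lines per rejected address."""
    pat = re.compile(r"IPSEC\(validate_proposal\): invalid local address\s+" + IPV4)
    return Counter(m.group(1) for m in pat.finditer(debug_log))

def diagnose(sh_ipsec_sa, sh_interface, debug_log):
    """Findings: a crypto map whose local addr differs from the interface IP,
    plus proposals rejected for that stale address, is the condition the
    thread describes (fixed by removing and reapplying the crypto map)."""
    findings = []
    current = interface_ip(sh_interface)
    rejected = invalid_local_addresses(debug_log)
    for tag, bound in crypto_map_local_addrs(sh_ipsec_sa).items():
        if current and bound != current:
            findings.append(f"crypto map {tag} bound to stale local addr {bound}; interface is {current}")
        if bound in rejected:
            findings.append(f"{rejected[bound]} proposals rejected for local addr {bound}")
    return findings

if __name__ == "__main__":
    for finding in diagnose(SH_IPSEC_SA, SH_INTERFACE, DEBUG_LOG):
        print(finding)
```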