VPN IP Sec problem

Answered Question
Mar 18th, 2010

Hi all,


I have a problem with an IPSec VPN established between a PIX 515e and a Nortel Contivity 1010. I configured the tunnel on both sides and it comes up correctly, but I cannot get communication between the two LANs.


I see this in the PIX log:



2010-03-18 08:57:52 Local7.Info 172.17.1.250 :Mar 18 08:57:52 WEST: %PIX-6-602302: deleting SA, (sa) sa_dest= 62.48.238.3, sa_prot= 50, sa_spi= 0x3fcc692a(1070360874), sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 4

2010-03-18 08:57:52 Local7.Info 172.17.1.250 :Mar 18 08:57:52 WEST: %PIX-6-602302: deleting SA, (sa) sa_dest= 213.223.214.52, sa_prot= 50, sa_spi= 0x1f7f65(2064229), sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 3



These two lines come every 2 minutes.... Is it possible that this is causing my problem? And what does this message mean?


Here is my PIX configuration:






To me this configuration looks fine, but it doesn't work!!!!


Can you help me please?


Regards,


Jennifer Halim Thu, 03/18/2010 - 05:11 (Cisco Employee)

crypto ACL: access-list 15 does not look correct:

access-list 15 permit ip  AENOR_ALL 255.255.0.0 192.168.9.0 255.255.255.0 log 7

access-list 15 permit ip 192.168.9.0  255.255.255.0 interface inside log 7

access-list 15 permit icmp 192.168.9.0 255.255.255.0  interface inside log 7


Assuming that AENOR_ALL is your PIX LAN and 192.168.9.0/24 is your Nortel LAN, I would only configure the following line:

access-list 15 permit ip  AENOR_ALL 255.255.0.0 192.168.9.0 255.255.255.0 log 7


And remove the other 2 lines.


Please also make sure that you only have 1 line configured on the Nortel end, with the access-list being the mirror image of the above ACL.


If it still doesn't work, please run "debug crypto ipsec" and also after trying to initiate interesting traffic, run: "show crypto ipsec sa"
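As an added example (not code from the thread or from Cisco), a small Python checker that applies the two rules in the reply above to PIX-style crypto ACLs: each end has exactly one ACE, and the remote ACE is the mirror image of the local one. The Nortel policy is written here in the same access-list syntax; that is an assumption for the sake of the check, not Nortel CLI.

```python
import re

# PIX 6.x crypto ACE: "access-list NAME permit PROTO SRC SMASK DST DMASK [log ...]".
# Named objects such as AENOR_ALL are kept as strings; an entry ending in
# "interface inside" has no mask and therefore fails to parse (reported below).
_ACE = re.compile(
    r"^access-list\s+\S+\s+permit\s+(?P<proto>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<smask>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<dst>\S+)\s+(?P<dmask>\d+\.\d+\.\d+\.\d+)"
)

def parse_crypto_acl(text):
    """Return (entries, unparseable) for an access-list given one ACE per line."""
    entries, bad = [], []
    for line in text.strip().splitlines():
        m = _ACE.match(line.strip())
        if m:
            entries.append((m["proto"], m["src"], m["smask"], m["dst"], m["dmask"]))
        elif line.strip():
            bad.append(line.strip())
    return entries, bad

def check_mirror(local_text, remote_text):
    """Report everything that breaks the one-line, mirror-image rule."""
    local, lbad = parse_crypto_acl(local_text)
    remote, rbad = parse_crypto_acl(remote_text)
    issues = [f"local entry is not a plain src/mask dst/mask ACE: {l}" for l in lbad]
    issues += [f"remote entry is not a plain src/mask dst/mask ACE: {l}" for l in rbad]
    if len(local) != 1:
        issues.append(f"local side has {len(local)} entries, expected exactly 1")
    if len(remote) != 1:
        issues.append(f"remote side has {len(remote)} entries, expected exactly 1")
    mirrors = {(p, d, dm, s, sm) for (p, s, sm, d, dm) in local}
    issues += [f"remote entry {r} is not the mirror of a local entry" for r in remote if r not in mirrors]
    return issues

# The three ACEs quoted in the thread, and the single ACE the reply recommends.
PIX_ACL_ORIGINAL = """
access-list 15 permit ip  AENOR_ALL 255.255.0.0 192.168.9.0 255.255.255.0 log 7
access-list 15 permit ip 192.168.9.0  255.255.255.0 interface inside log 7
access-list 15 permit icmp 192.168.9.0 255.255.255.0  interface inside log 7
"""
PIX_ACL_FIXED = "access-list 15 permit ip AENOR_ALL 255.255.0.0 192.168.9.0 255.255.255.0 log 7"
# Constructed: the Nortel policy written in PIX syntax (assumption, not Nortel CLI).
NORTEL_ACL = "access-list nortel permit ip 192.168.9.0 255.255.255.0 AENOR_ALL 255.255.0.0"

if __name__ == "__main__":
    for issue in check_mirror(PIX_ACL_ORIGINAL, NORTEL_ACL):
        print(issue)
```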

multitoll Thu, 03/18/2010 - 05:54

I deleted the 2 ACLs from my config:

access-list DMZ_FTP_access_in deny ip any any log 1

access-list 15 permit ip AENOR_ALL 255.255.0.0 192.168.9.0 255.255.255.0 log 7

access-list inside_outbound_nat0_acl permit ip 172.17.1.0 255.255.255.0 192.168.9.0 255.255.255.0 log 7

access-list inside_outbound_nat0_acl permit ip 172.17.132.0 255.255.255.0 192.168.9.0 255.255.255.0 log 7

access-list inside_outbound_nat0_acl permit ip 172.17.138.0 255.255.255.0 192.168.9.0 255.255.255.0 log 7

access-list inside_outbound_nat0_acl permit ip AENOR_ALL 255.255.0.0 192.168.9.0 255.255.255.0 log 7


There is no change!!! But in my PIX log I can see this line when I do a ping or an RDP connection:


Teardown TCP connection 10906392 for outside:192.168.9.4/1286 to inside:172.17.1.7/3389 duration 0:02:01 bytes 0 SYN Timeout


On my Nortel I made a rule to allow all traffic (just for testing).


When I run "show crypto ipsec sa" I get this:


Result of firewall command: "show crypto ipsec sa"



Thanks ...

Jennifer Halim Thu, 03/18/2010 - 14:27 (Cisco Employee)

From the show output, the VPN tunnel has been established. From the PIX end, the packets have been decrypted/decapsulated, however, no reply back from your PIX LAN. The NAT exemption seems to be correctly configured.


The error message is showing as SYN timeout, i.e. the SYN packet is being sent from 192.168.9.4 towards 172.17.1.7, however, 172.17.1.7 does not reply back with a SYN-ACK.


In regards to ping, please enable "fixup protocol icmp" and see if you can ping.


I also assume that the 172.17.1.7 host knows to route to the PIX inside interface 172.17.1.250 to connect to the 192.168.9.0/24 subnet.


Hope that helps.

multitoll Fri, 03/19/2010 - 01:07

Thank you for your answer.


How can I fixup protocol icmp? When I try to enter the command line "fixup protocol icmp", the PIX says "Usage: [no] fixup protocol icmp error

Command failed"...


"I also assume that the 172.17.1.7 host knows to route to the PIX inside interface 172.17.1.250 to connect to the 192.168.9.0/24 subnet."

(How can I verify that the 172.17.1.7 host knows to route to the PIX inside interface???)

I looked at the routes on the PIX interface and I have got this:

outside 192.168.9.0 255.255.255.0 213.223.214.52 1 OTHER static -->OK

inside AENOR_ALL 255.255.0.0 172.17.1.254 1 OTHER static -->OK

outside 62.48.238.3 255.255.255.255 62.48.238.3 1 CONNECT static --> What is this rule???? It seems strange to me


How can I configure the right route?


Thanks,





multitoll Fri, 03/19/2010 - 01:35

Postscript: when I run the command "show crypto ipsec SA" on the PIX, I saw the following lines that seem inaccurate:



interface: outside

    Crypto map tag: pix, local addr. 62.48.238.3

   local  ident (addr/mask/prot/port): (192.168.9.0/255.255.255.0/1/0)     --> The local ident was not 172.17.0.0/24

   remote ident (addr/mask/prot/port): (172.17.1.250/255.255.255.255/1/0)   --> The remote ident was not 192.168.9.0/16


What do you think about this?


regards,

Correct Answer
Jennifer Halim Fri, 03/19/2010 - 02:31 (Cisco Employee)

It actually matches the following:

   local  ident  (addr/mask/prot/port): (AENOR_ALL/255.255.0.0/0/0)

   remote ident (addr/mask/prot/port):  (192.168.9.0/255.255.255.0/0/0)

   current_peer: 213.223.214.52:500

     PERMIT, flags={origin_is_acl,}

   #pkts encaps: 0, #pkts encrypt: 0,  #pkts digest 0

     #pkts decaps: 60, #pkts decrypt: 60, #pkts verify 60

    #pkts compressed: 0, #pkts  decompressed: 0

     #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress  failed: 0

    #send  errors 0, #recv errors 0



So packets are received and decapsulated, however, no reply back to be encapsulated.


Please configure "fixup protocol icmp error" for the icmp inspection.


Please check on the 172.17.1.7 host itself to see if its default gateway is configured to be 172.17.1.250, and if the host has any other specific routes configured. If it's a Windows host, you can check "route print" from the DOS prompt.


Please also check whether it allows inbound RDP sessions. Are you able to RDP to it from internally?


Are you able to telnet to port 3389 from the DOS prompt (telnet 172.17.1.7 3389)? What are you getting?
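As an added example (not code from the thread or from Cisco), a Python parser for the "show crypto ipsec sa" excerpt above that pulls out the proxy identities and packet counters and turns the counter pattern into the next place to look, the way the accepted answer reads them: decaps with zero encaps means the remote side's packets arrive but nothing from the local LAN comes back to be encrypted. The sample output is constructed from the lines quoted in the reply.

```python
import re

# Constructed sample, modelled on the PIX 6.x output quoted in the accepted answer.
SAMPLE_SA = """\
interface: outside
    Crypto map tag: pix, local addr. 62.48.238.3

   local  ident  (addr/mask/prot/port): (AENOR_ALL/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port):  (192.168.9.0/255.255.255.0/0/0)
   current_peer: 213.223.214.52:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0,  #pkts digest 0
    #pkts decaps: 60, #pkts decrypt: 60, #pkts verify 60
    #send  errors 0, #recv errors 0
"""

_FIELDS = {
    "local": r"local\s+ident\s+\(addr/mask/prot/port\):\s+\(([^)]+)\)",
    "remote": r"remote\s+ident\s+\(addr/mask/prot/port\):\s+\(([^)]+)\)",
    "peer": r"current_peer:\s+(\S+)",
    "encaps": r"#pkts encaps:\s+(\d+)",
    "decaps": r"#pkts decaps:\s+(\d+)",
    "send_errors": r"#send\s+errors\s+(\d+)",
    "recv_errors": r"#recv\s+errors\s+(\d+)",
}

def parse_ipsec_sa(text):
    """Extract proxy identities, peer and packet counters from one SA block."""
    sa = {}
    for key, pattern in _FIELDS.items():
        m = re.search(pattern, text)
        if not m:
            raise ValueError(f"field {key!r} not found in output")
        sa[key] = int(m.group(1)) if m.group(1).isdigit() else m.group(1)
    # Identity is addr/mask/prot/port; prot is the IP protocol number (0 = any, 1 = ICMP).
    for side in ("local", "remote"):
        addr, mask, prot, port = sa[side].split("/")
        sa[side] = {"addr": addr, "mask": mask, "prot": int(prot), "port": int(port)}
    return sa

def diagnose(sa):
    """Map the counter pattern to the most likely place to look next."""
    if sa["send_errors"] or sa["recv_errors"]:
        return "sa-errors"                # SA itself is failing: check proposals/keys first
    if sa["encaps"] == 0 and sa["decaps"] == 0:
        return "no-interesting-traffic"   # nothing matched the crypto ACL on either side
    if sa["encaps"] == 0:
        return "no-return-traffic"        # peer's packets arrive, LAN never answers: host routing/firewall
    if sa["decaps"] == 0:
        return "no-inbound-traffic"       # we send, peer never answers: check the peer's ACL/routing
    return "bidirectional"

if __name__ == "__main__":
    print(diagnose(parse_ipsec_sa(SAMPLE_SA)))
```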

multitoll Fri, 03/19/2010 - 07:02

IT WORKS!!!!!!!!


Thank you for your help, the problem was the routing!!! My customer changed their network equipment and did not put the route rules in the config!!!!


All is OK and thanks a lot!!!


regards,

multitoll Thu, 03/18/2010 - 08:34

Just for information, look at what I have on the Nortel side for the IPSec connection:






Help me please ............
