VPN Problem between Pixfirewall506E and Contivity (Nortel)

Feb 19th, 2003

The tunnel is up but is not transferring routing, so we cannot ping between the 2 sites although we are using static routing. What can I do to solve this?

ajagadee (Cisco Employee) Thu, 02/20/2003 - 11:07

If your tunnel is up and routing is looking good, we need to check the IPSec SAs to see whether there are any encrypts and decrypts, and also make sure that you are bypassing NAT (NAT 0) on the pix for the IPSec traffic, if the pix is configured for NAT.



bphanthanh Mon, 02/24/2003 - 02:31

Hi Arul

I have checked the information which you advised me to check, using the command: sh crypt is sa

and I'm sure that NAT 0 on the pix is bypassing NAT for the IPSec traffic. When I ping the other site there are outbound packets but no inbound packets. I don't know why. Can you give me advice? Thanks


dsi1cco Wed, 03/05/2003 - 10:17

I am having the same problem with our 515e talking to a nortel contivity 4500. I have the tunnel up but cannot reach the host on the other side. My question is related to your suggestion of NAT 0 being used on the IPSec traffic. The client we are working with has overlapping internal ip addresses with us so I cannot bypass NAT. I'm wondering if the NAT translation is somehow causing the problem... ? Any suggestions?


dsi1cco Fri, 03/07/2003 - 08:04

The problem was resolved by matching the isakmp policy's lifetime between the pix and the nortel box.


jfrahim (Cisco Employee) Thu, 02/20/2003 - 15:21

Hi there,

Can you do "sh cry ip sa" on the pix and see if it is encrypting/decrypting the traffic?
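
Added example, not part of the thread: a small parser for the encrypt/decrypt check both replies ask for, which reads saved `show crypto ipsec sa` text and labels each SA by the direction of traffic it has seen. The sample output, addresses and counters are constructed, and the function names `parse_sas` and `classify` are hypothetical; it assumes the PIX-style `local ident` / `#pkts encaps` / `#pkts decaps` line layout.

```python
import re

# Constructed sample in the style of PIX "show crypto ipsec sa" output;
# addresses are documentation ranges and the counters are made up.
SAMPLE = """\
   local  ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
   current_peer: 198.51.100.7
    #pkts encaps: 42, #pkts encrypt: 42, #pkts digest 42
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0

   local  ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.3.3.0/255.255.255.0/0/0)
   current_peer: 198.51.100.7
    #pkts encaps: 17, #pkts encrypt: 17, #pkts digest 17
    #pkts decaps: 15, #pkts decrypt: 15, #pkts verify 15
"""

IDENT = re.compile(r"(local|remote)\s+ident.*?:\s*\(([\d.]+)/([\d.]+)/")
COUNT = re.compile(r"#pkts (encaps|decaps):\s*(\d+)")

def parse_sas(text):
    """Return one dict per SA block: proxy identities plus packet counters."""
    sas, cur = [], None
    for line in text.splitlines():
        m = IDENT.search(line)
        if m:
            if m.group(1) == "local":      # a "local ident" line opens a new SA block
                cur = {"encaps": 0, "decaps": 0}
                sas.append(cur)
            if cur is not None:
                cur[m.group(1)] = f"{m.group(2)}/{m.group(3)}"
            continue
        for name, val in COUNT.findall(line):
            if cur is not None:            # ignore counters seen before any ident line
                cur[name] = int(val)
    return sas

def classify(sa):
    """Label an SA by which directions show traffic."""
    enc, dec = sa["encaps"] > 0, sa["decaps"] > 0
    if enc and dec:
        return "bidirectional"
    if enc or dec:
        # outbound-only: packets are encrypted and sent, nothing is decrypted back
        return "outbound-only" if enc else "inbound-only"
    return "no-traffic"                    # nothing has matched this SA in either direction

if __name__ == "__main__":
    print([(sa["remote"], classify(sa)) for sa in parse_sas(SAMPLE)])
```

An `outbound-only` result corresponds to the symptom reported above: packets leave encrypted but none are decrypted in return.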


