PIX 6.3 IPSEC VPN.. MM_ACTIVE

amardram123 · ‎06-21-2010

Hi,

I am facing issue with VPN in pix runnung 6.3..

When i "issue sh crypto is sa" it shows the state is in MM_ACTIVE, what may be the issue... ?

is it possible to check debug for one sa in pix running 6.3 image?

Regards

amar

Federico Coto Fajardo · ‎06-21-2010

Hi,

MM_ACTIVE or QM_IDLE are good messages in phase 1.

Is phase 2 getting built?

I believe the debug crypto condition is not an option in 6.3 to check only one peer.

Federico.

amardram123 · ‎06-21-2010

Dear Federico.

I have gone through som doc and it says that the 7.0 and later should have MM_ACTIVE but earlier version should have QM_IDLE.

Regards

Amar

Federico Coto Fajardo · ‎06-21-2010

Amar,

I think you're right but let's check the following:

Is phase 2 coming up?

Is is a site to site VPN between which other device?

Federico.

amardram123 · ‎07-04-2010

Hi,

I have opened a TAC and seems its memory leak issue..

when phase 1 try to estaiblish.. device is not able to allocate memory blocks..

when run debug, we found the error saying unable to allocate 2560 bytes block size.. and due to this every time phase 1 try to establish it hangs.. it shows multiple phase 1 session for same tunnle..

TAC Recommended to upgrade to next version, but we cant upgrade immediately as upgradation required memory upgrade..

Waiting for further response from TAC as he is troubleshooting the memory leak issue..

Regards

Amar