Community Member

PIX site to site vpn issues

Hi,

My IPsec VPN tunnel between two PIXs has gone down, and after trying the normal reboots I attached a syslog to one end and got an IPsec ISAKMP phase 1 retransmit message.

Cisco doesn't really explain the causes of this.

Does anyone have any ideas what this means, or the causes?

I have attached both configs.

Thanks

Alex


11 REPLIES

Re: PIX site to site vpn issues

Try "debug crypto isakmp"

then post the output.

Community Member

Re: PIX site to site vpn issues

Were you able to get the VPNs back up?

Community Member

Re: PIX site to site vpn issues

I'm still having problems.

Here is the debug output requested.

I noticed this line in the debug:

crypto_isakmp_process_block:src:81.129.167.199, dest:Local IP of PIX spt:50996 dpt:500

The IP seems to belong to BT, is this normal?

Thanks

Alex

Re: PIX site to site vpn issues

Check the following:

1) You have the same IKE config at both sites.

2) You have configured the correct IP address for the remote peer on both sites.

The capture log indicates you are not negotiating IKE correctly, either due to a hash/encryption mismatch or an incorrect peer IP address, or both.

HTH

Community Member

Re: PIX site to site vpn issues

Hi, I have checked the above with no luck. Could a NAT/router problem cause that output?

Also, what does this line mean?

crypto_isakmp_process_block:src:81.129.167.199, dest: a.a.a.a spt:50996 dpt:500

Many Thanks

Alex

Re: PIX site to site vpn issues

It is possible if you are not directly connecting to the internet and there is a NAT device in between.

It says that it is blocking an ISAKMP packet from 81.129.167.199 to a.a.a.a

Community Member

Re: PIX site to site vpn issues

Thanks, I think the actual configs are OK so I'm going to try swapping the router.

Community Member

Re: PIX site to site vpn issues

Hi, I changed the router over and now receive this error:

ISAKMP (0): speaking to another IOS box!

ISAKMP (0:0): Detected NAT-D payload

ISAKMP (0:0): NAT does not match MINE

ISAKMP (0:0): Detected NAT-D payload

ISAKMP (0:0): NAT does not match HIS hash

Alex
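The "NAT does not match MINE / HIS hash" lines above come from the RFC 3947 NAT-D check: each peer sends a hash of the destination address and then a hash of its own source address, and the receiver recomputes both from what it actually sees on the wire. The script below is an added example, not part of this thread or of any Cisco code; the cookies, the PIX address 203.0.113.1 (standing in for a.a.a.a) and the peer's private address are constructed, and the NATed address and port are the ones quoted in the debug line.

```python
import hashlib
import ipaddress
import struct

# Constructed example: RFC 3947 NAT-D payload = HASH(CKY-I | CKY-R | IP | Port).
# The hash algorithm is the one negotiated in IKE phase 1 (SHA-1 assumed here).


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int, algo: str = "sha1") -> bytes:
    """Hash over both ISAKMP cookies, the IP in network byte order and the UDP port."""
    body = cky_i + cky_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.new(algo, body).digest()


def build_nat_d(cky_i, cky_r, my_ip, my_port, peer_ip, peer_port, algo="sha1"):
    """Sender: first NAT-D covers the remote (destination) address, the rest cover its own."""
    return [nat_d_hash(cky_i, cky_r, peer_ip, peer_port, algo),
            nat_d_hash(cky_i, cky_r, my_ip, my_port, algo)]


def check_nat_d(cky_i, cky_r, received, my_ip, my_port, seen_src_ip, seen_src_port, algo="sha1"):
    """Receiver: returns (i_am_behind_nat, peer_is_behind_nat).

    MINE mismatches when the peer's view of my address differs from my real one;
    HIS mismatches when the packet's observed source differs from the peer's own view.
    """
    mine_ok = received[0] == nat_d_hash(cky_i, cky_r, my_ip, my_port, algo)
    seen = nat_d_hash(cky_i, cky_r, seen_src_ip, seen_src_port, algo)
    his_ok = any(h == seen for h in received[1:])
    return (not mine_ok, not his_ok)


def thread_scenario(peer_is_natted: bool = True):
    """Peer PIX on 192.168.1.2 (constructed) talks to the local PIX on 203.0.113.1 (constructed).

    With a NAT router in the path the local PIX sees 81.129.167.199:50996 as the source,
    the values from the debug line, so the HIS hash cannot match.
    """
    cky_i = bytes.fromhex("0102030405060708")  # constructed initiator cookie
    cky_r = bytes.fromhex("1112131415161718")  # constructed responder cookie
    pix_ip, pix_port = "203.0.113.1", 500
    peer_ip, peer_port = "192.168.1.2", 500
    sent = build_nat_d(cky_i, cky_r, peer_ip, peer_port, pix_ip, pix_port)
    if peer_is_natted:
        seen_ip, seen_port = "81.129.167.199", 50996
    else:
        seen_ip, seen_port = peer_ip, peer_port
    return check_nat_d(cky_i, cky_r, sent, pix_ip, pix_port, seen_ip, seen_port)
```

With the NAT in place the check reports the peer as NATed; a router that truly does no NAT leaves both hashes matching.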

Re: PIX site to site vpn issues

That is not good. You need to do the below:

1) Check your config

2) Check your config

I say it twice as about 99% of network-related issues are configuration based.

HTH

Community Member

Re: PIX site to site vpn issues

Thanks for all your help.

The issue was that the remote border router, although its config said it was not doing any NAT, actually was. As soon as the router was swapped out the tunnel came back up.

Alex

Re: PIX site to site vpn issues

No problem, glad to help.
