New Member

Cisco2600 VPN to PIX506 with PIX515 in between (static NAT)

Hi everybody,

I've got this situation: LAN-to-LAN between a Cisco 2600 and a PIX 506, and in between there is a PIX 515 doing static NAT. I followed the sample configuration on the web

http://www.cisco.com/en/US/partner/tech/tk583/tk372/technologies_configuration_example09186a008009486e.shtml

I cannot even finish phase 1 negotiation. Here is the debug message I got, which I don't understand:

*Mar 1 01:05:06.927: ISAKMP (0:2): sending packet to 216.98.115.36 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH

*Mar 1 01:05:06.927: ISAKMP (0:2): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

*Mar 1 01:05:06.927: ISAKMP (0:2): Old State = IKE_I_MM4 New State = IKE_I_MM5

*Mar 1 01:05:16.920: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH...

*Mar 1 01:05:16.920: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1

*Mar 1 01:05:16.920: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH

*Mar 1 01:05:36.207: ISAKMP (0:2): peer does not do paranoid keepalives.

*Mar 1 01:05:36.207: ISAKMP (0:2): deleting SA reason "gen_ipsec_isakmp_delete but doi isakmp" state (I) MM_KEY_EXCH (peer 216.98.115.36) input queue 0

*Mar 1 01:05:36.211: ISAKMP (0:1): peer does not do paranoid keepalives.

*Mar 1 01:05:36.211: ISAKMP (0:1): deleting SA reason "gen_ipsec_isakmp_delete but doi isakmp" state (I) MM_KEY_EXCH (peer 216.98.115.36) input queue 0

*Mar 1 01:05:36.211: ISAKMP (0:2): deleting SA reason "gen_ipsec_isakmp_delete but doi isakmp" state (I) MM_KEY_EXCH (peer 216.98.115.36) input queue 0

*Mar 1 01:05:36.215: ISAKMP (0:2): deleting node -1577672335 error TRUE reason "gen_ipsec_isakmp_delete but doi isakmp"

*Mar 1 01:05:36.215: ISAKMP (0:2): Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL

*Mar 1 01:05:36.215: ISAKMP (0:2): Old State = IKE_I_MM5 New State = IKE_DEST_SA

*Mar 1 01:05:36.215: ISAKMP (0:1): deleting SA reason "gen_ipsec_isakmp_delete but doi isakmp" state (I) MM_KEY_EXCH (peer 216.98.115.36) input queue 0

*Mar 1 01:05:36.219: ISAKMP (0:1): deleting node -1810945128 error TRUE reason "gen_ipsec_isakmp_delete but doi isakmp"

*Mar 1 01:05:36.219: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL

*Mar 1 01:05:36.219: ISAKMP (0:1): Old State = IKE_I_MM5 New State = IKE_DEST_SA

*Mar 1 01:05:36.588: ISAKMP (0:3): vendor ID seems Unity/DPD but major 157 mismatch

*Mar 1 01:05:36.588: ISAKMP (0:3): vendor ID is NAT-T v3

*Mar 1 01:05:36.588: ISAKMP (0:3): processing vendor id payload

*Mar 1 01:05:36.588: ISAKMP (0:3): vendor ID seems Unity/DPD but major 123 mismatch

*Mar 1 01:05:36.592: ISAKMP (0:3): vendor ID is NAT-T v2

I have never seen this kind of mismatch before. If anyone has any idea, please let me know. I would really appreciate it!

1 REPLY
Cisco Employee

Re: Cisco2600 VPN to PIX506 with PIX515 in between (static NAT)

If you're running 12.2(13)T or later on the router, and 6.3 or later on the PIX then they'll probably be detecting that there's a NAT device in between and they'll start encapsulating everything in UDP 4500 packets, so make sure you allow these through the 515 in the middle as well (your sample doc was written well before NAT Transparency came out). The debug messages sort of look like NAT-T messages if I remember them correctly.

You may need the "isakmp nat-traversal" command on the PIX, again only if you're running 6.3 code though.

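As an added example (my own triage script, not code from the thread or from Cisco), the following parses an IOS "debug crypto isakmp" capture like the one in the question and flags the pattern the reply describes: the router already sending on UDP 4500 and the peer advertising NAT-T vendor IDs, while phase 1 keeps retransmitting MM_KEY_EXCH until the SA is deleted. The sample lines are constructed from the post's own output (wrapped lines joined), and triage() is a hypothetical helper name.

```python
import re

# Constructed sample, built from the debug lines quoted in the post above
# (wrapped lines joined). The peer address is the one the poster quoted.
SAMPLE_DEBUG = """\
*Mar 1 01:05:06.927: ISAKMP (0:2): sending packet to 216.98.115.36 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
*Mar 1 01:05:06.927: ISAKMP (0:2): Old State = IKE_I_MM4 New State = IKE_I_MM5
*Mar 1 01:05:16.920: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH...
*Mar 1 01:05:16.920: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1
*Mar 1 01:05:36.207: ISAKMP (0:2): deleting SA reason "gen_ipsec_isakmp_delete but doi isakmp" state (I) MM_KEY_EXCH (peer 216.98.115.36) input queue 0
*Mar 1 01:05:36.588: ISAKMP (0:3): vendor ID is NAT-T v3
*Mar 1 01:05:36.592: ISAKMP (0:3): vendor ID is NAT-T v2
"""

SEND_RE = re.compile(r"sending packet to (\S+) my_port (\d+) peer_port (\d+) \(I\) (\w+)")
RETRANS_RE = re.compile(r"retransmitting phase 1 (\w+)")
VENDOR_RE = re.compile(r"vendor ID is (NAT-T v\d+)")
DELETE_RE = re.compile(r"deleting SA reason .* state \(I\) (\w+) \(peer (\S+)\)")

def triage(debug_text):
    """Summarise an IOS 'debug crypto isakmp' capture and flag a NAT-T related phase 1 stall."""
    peers, ports, vendors, retrans, deleted_in = set(), set(), set(), {}, set()
    for line in debug_text.splitlines():
        if m := SEND_RE.search(line):
            peers.add(m.group(1))
            ports.add(int(m.group(3)))          # peer_port 4500 means NAT-T encapsulation is on
        elif m := RETRANS_RE.search(line):
            retrans[m.group(1)] = retrans.get(m.group(1), 0) + 1
        elif m := VENDOR_RE.search(line):
            vendors.add(m.group(1))             # peer advertised a NAT-T draft vendor ID
        elif m := DELETE_RE.search(line):
            deleted_in.add(m.group(1))          # SA torn down while still in this MM state
    nat_t = 4500 in ports or bool(vendors)
    stalled = bool(retrans.get("MM_KEY_EXCH")) or "MM_KEY_EXCH" in deleted_in
    advice = []
    if stalled and nat_t:
        advice.append("NAT-T negotiated and phase 1 stalls after MM_KEY_EXCH: permit UDP 500 and "
                      "UDP 4500 end to end, including on any NAT device between the peers.")
    elif stalled:
        advice.append("Phase 1 stalls after MM_KEY_EXCH without NAT-T: check UDP 500 reachability "
                      "in both directions before looking at policy or key mismatches.")
    return {"peers": sorted(peers), "peer_ports": sorted(ports), "nat_t_vendor_ids": sorted(vendors),
            "retransmits": retrans, "nat_t": nat_t, "stalled": stalled, "advice": advice}

if __name__ == "__main__":
    for key, value in triage(SAMPLE_DEBUG).items():
        print(f"{key}: {value}")
```

Feed it the full capture (show logging or a terminal paste) rather than a trimmed one; the counts only mean something when every retransmit line is present.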