Followup: Pix515 - 831

augsupport (Level 1)

Good afternoon everyone.

We are trying to pass traffic from a Cisco 831 to a PIX 515 over broadband. Both have static IPs. When trying to establish the tunnel (sending a ping), we can see that the tunnel shows a status of "UP-IDLE" from the 831 and the PIX shows a state of "QM_IDLE". The ping is to a server on the PIX side from the 831 internal interface (yes, it allows ICMP requests).

From the 831, a "show crypto ipsec sa" shows that there are sending errors.

My question: what are the commands to troubleshoot from the PIX side? We have numerous PIX-to-PIX VPNs, but this is the first 831-to-PIX. I am attaching the configs of each site (1.1.1.1 for the PIX and 2.2.2.2 for the 831). The 831 has the inspection rules applied (I've tried removing them, but still no luck).

Thanks for any help in advance. Have a great weekend.

Tim

7 Replies

jackko (Level 7)

On the 831, the inbound ACL needs to include the traffic from the PIX inside net to the router inside net.

e.g.

access-list 101 remark IKE (ISAKMP, UDP 500) from the peer
access-list 101 permit udp any any eq isakmp
access-list 101 remark NAT-T (IKE/ESP encapsulated in UDP 4500)
access-list 101 permit udp any any eq non500-isakmp
access-list 101 remark ESP (IP protocol 50)
access-list 101 permit esp any any
access-list 101 remark decrypted traffic: PIX inside net to router inside net
access-list 101 permit ip 10.1.0.0 0.0.255.255 10.50.1.0 0.0.0.255
access-list 101 deny ip any any

With the PIX, the command "sysopt connection permit-ipsec" forces the PIX to ignore the ACL for all crypto traffic. However, the router has no such command, so the inbound ACL needs to be configured in order to permit the crypto traffic.
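The check the reply above describes, as an added example that is not part of the thread: a small evaluator for the subset of IOS ACL syntax used in the reply, run against the flows an IPsec site-to-site tunnel needs on the 831's inbound ACL (IKE on UDP 500, NAT-T on UDP 4500, ESP, and, per the reply, the decrypted PIX-LAN-to-router-LAN packet). The peer addresses are the thread's placeholders (1.1.1.1 PIX, 2.2.2.2 831); the LAN hosts and the port-name mapping are assumptions.

```python
# Added example (not from the thread): evaluate an IOS-style inbound ACL
# against the flows an IPsec site-to-site tunnel needs. Only the ACL syntax
# used in the reply above is parsed; 1.1.1.1/2.2.2.2 are the thread's
# placeholders and the LAN hosts below are constructed.
import ipaddress

# IOS port keywords used in the ACL above (assumed mapping).
PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500}

# The inbound ACL from the reply above, copied verbatim.
ACL_TEXT = """\
access-list 101 permit udp any any eq isakmp
access-list 101 permit udp any any eq non500-isakmp
access-list 101 permit esp any any
access-list 101 permit ip 10.1.0.0 0.0.255.255 10.50.1.0 0.0.0.255
access-list 101 deny ip any any
"""


def _parse_addr(tokens, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' at tokens[i]; return (network, next index)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    addr, wildcard = tokens[i], tokens[i + 1]
    hostmask = int(ipaddress.ip_address(wildcard))   # IOS wildcard = inverted netmask
    prefixlen = 32 - hostmask.bit_length()
    if hostmask != (1 << (32 - prefixlen)) - 1:
        raise ValueError(f"non-contiguous wildcard mask {wildcard}")
    return ipaddress.ip_network((addr, prefixlen), strict=False), i + 2


def parse_acl(text):
    """Return [(action, proto, src_net, dst_net, dst_port_or_None), ...] in ACL order."""
    entries = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
            continue                        # blanks and 'remark' lines
        src, i = _parse_addr(t, 4)
        dst, i = _parse_addr(t, i)
        dport = None
        if i + 1 < len(t) and t[i] == "eq":
            dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
        entries.append((t[2], t[3], src, dst, dport))
    return entries


def permits(acl, proto, src, dst, dport=None):
    """First-match evaluation with the implicit deny IOS appends to every ACL."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, snet, dnet, port in acl:
        if p != "ip" and p != proto:        # 'ip' matches any protocol
            continue
        if s not in snet or d not in dnet:
            continue
        if port is not None and port != dport:
            continue
        return action == "permit"
    return False


def check_tunnel_acl(acl, peer, local, remote_lan_host, local_lan_host):
    """Which tunnel flows the inbound ACL lets through. IKE, NAT-T and ESP arrive
    from the peer's outside address; per the reply above, the decrypted inner
    packet is checked against the same inbound ACL, hence the 'inner' row."""
    return {
        "ike": permits(acl, "udp", peer, local, 500),
        "nat-t": permits(acl, "udp", peer, local, 4500),
        "esp": permits(acl, "esp", peer, local),
        "inner": permits(acl, "icmp", remote_lan_host, local_lan_host),
    }


if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    # 1.1.1.1 = PIX outside, 2.2.2.2 = 831 outside; LAN hosts are constructed.
    for flow, ok in check_tunnel_acl(acl, "1.1.1.1", "2.2.2.2", "10.1.2.3", "10.50.1.10").items():
        print(f"{flow:6} {'permit' if ok else 'DENY'}")
```

Drop the fourth line of the ACL and the script reports IKE and ESP as permitted but the decrypted ping as denied, which is exactly the symptom the reply is pointing at: the SA comes up, but inner traffic never gets through.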

Unfortunately, this did not correct the problem. The tunnels still show a state of "QM_IDLE", and when viewing the "show crypto ipsec sa" on the 831 (the sending side) it shows numerous sending errors. I have checked the policies on both sides but still can't find the problem. Any ideas?

Here is a debug output from the PIX side when sending from the 831 (2.2.2.2).

Here is a debug from the 831 when pinging to the remote lan. Again, thank you for any help or insight on this. Everyone appreciates these forums.

The original issue has been resolved. It was a routing issue in that the LANs' subnet masks collided. By changing the 831 IP scheme, traffic was able to be passed from the 831 side to the PIX LAN (IPsec VPN tunnel made).

I am still troubleshooting establishing a tunnel from the PIX side as well. I can open a tunnel from the 831 and pass traffic from both ends, but the tunnel cannot be established from the PIX side. Any insight would be appreciated. Thank you for your help.
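A pre-flight check for the root cause reported above (overlapping LAN subnets) plus the other usual IOS-to-PIX mismatch, as an added example that is not part of the thread. The PIX LAN 10.1.0.0/16 and the corrected 831 LAN 10.50.1.0/24 are taken from the example ACL earlier in the thread; the "before" 831 LAN 10.1.5.0/24 is a constructed assumption chosen to overlap the PIX LAN.

```python
# Added example (not from the thread): pre-flight checks for a site-to-site
# pair that catch overlapping LANs (the thread's root cause) and crypto ACLs
# that are not mirror images. Subnets are constructed; the "before" 831 LAN
# is an assumption picked to overlap the PIX LAN.
import ipaddress


def lans_overlap(lan_a, lan_b):
    """True if the two LAN prefixes share any address. The side whose connected
    subnet covers the remote addresses delivers them locally (longest match)
    and the packets never reach the crypto map."""
    return ipaddress.ip_network(lan_a).overlaps(ipaddress.ip_network(lan_b))


def mirror_ok(local_acl, remote_acl):
    """Crypto ACLs as lists of (src, dst) CIDR pairs. The peer's list must be
    exactly the reversed pairs, or Quick Mode proxy identities will not match."""
    local = {(ipaddress.ip_network(s), ipaddress.ip_network(d)) for s, d in local_acl}
    remote_reversed = {(ipaddress.ip_network(d), ipaddress.ip_network(s)) for s, d in remote_acl}
    return local == remote_reversed


def preflight(local_lan, remote_lan, local_acl, remote_acl):
    """Return a list of problems; an empty list means the pair passes."""
    problems = []
    if lans_overlap(local_lan, remote_lan):
        problems.append(f"overlap: {local_lan} and {remote_lan}")
    if not mirror_ok(local_acl, remote_acl):
        problems.append("crypto ACLs are not mirror images")
    return problems


if __name__ == "__main__":
    pix_lan = "10.1.0.0/16"
    # Constructed "before": 831 LAN inside the PIX's /16, as in the collision above.
    before = preflight("10.1.5.0/24", pix_lan,
                       [("10.1.5.0/24", pix_lan)], [(pix_lan, "10.1.5.0/24")])
    # "After": 831 LAN moved to the 10.50.1.0/24 used in the example ACL.
    after = preflight("10.50.1.0/24", pix_lan,
                      [("10.50.1.0/24", pix_lan)], [(pix_lan, "10.50.1.0/24")])
    print("before:", before or "ok")
    print("after: ", after or "ok")
```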

The issue may be related to the inbound ACL on the 831. Please post the latest inbound ACL.

I included an attachment of the ACLs on the 831.