We are trying to pass traffic from a Cisco 831 to a PIX 515 over broadband. Both have static IPs. When trying to establish the tunnel (sending a ping), we can see that the tunnel shows a status of "UP-IDLE" from the 831 and the PIX shows a state of "QM_IDLE". The ping is to a server on the PIX side from the 831 internal interface (yes, it allows ICMP requests).
From the 831, a "show crypto ipsec sa" shows that there are sending errors.
My question: what are the commands to troubleshoot from the PIX side? We have numerous PIX-to-PIX VPNs, but this is the first 831-to-PIX. I am attaching the configs of each site (188.8.131.52 for the PIX and 184.108.40.206 for the 831). The 831 has the inspection rules applied (I've tried removing them, but still no luck).
Thanks for any help in advance. Have a great weekend.
On the 831, the inbound ACL needs to include the traffic from the PIX inside net to the router inside net.
! IKE (ISAKMP, UDP/500) and NAT-T (UDP/4500) from the PIX peer
access-list 101 permit udp any any eq isakmp
access-list 101 permit udp any any eq non500-isakmp
! the encrypted IPsec payload itself
access-list 101 permit esp any any
! the decrypted traffic: PIX inside net to router inside net
access-list 101 permit ip 10.1.0.0 0.0.255.255 10.50.1.0 0.0.0.255
access-list 101 deny ip any any
With the PIX, the command "sysopt connection permit-ipsec" forces the PIX to ignore the ACL for all crypto traffic. However, the router has no such command, so the inbound ACL needs to be configured to permit the crypto traffic.
Unfortunately, this did not correct the problem. The tunnels still show a state of "QM_IDLE", and when viewing "show crypto ipsec sa" on the 831 (the sending side) it shows numerous send errors. I have checked the policies on both sides but still can't find the problem. Any ideas?
The original issue has been resolved. It was a routing issue, in that the LAN subnet masks collided. By changing the 831 IP schema, traffic was able to be passed from the 831 side to the PIX LAN (IPsec VPN tunnel made).
I am still troubleshooting establishing a tunnel from the PIX side as well. I can open a tunnel from the 831 and pass traffic from both ends, but the tunnel cannot be established from the PIX side. Any insight would be appreciated. Thank you for your help.
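As an added example (not code from this thread or from Cisco), here is a small Python checker that encodes the three things the thread turned on: the 831's inbound ACL must permit ISAKMP, NAT-T, ESP and the decrypted PIX-LAN-to-router-LAN traffic (the router has no "sysopt" bypass); the two crypto ACLs must be exact mirrors of each other, with IOS wildcard masks on one side and PIX netmasks on the other; and the two LANs must not overlap, which is what finally broke this tunnel. It goes slightly beyond the thread by modelling first-match ACL evaluation with the implicit deny. All addresses, ACL numbers and names below are constructed assumptions, not the poster's real configs.

```python
import ipaddress

Net = ipaddress.IPv4Network
ANY = Net("0.0.0.0/0")
PORT_ALIASES = {"isakmp": "500", "non500-isakmp": "4500"}  # IOS keywords -> port numbers

# Constructed sample data (documentation ranges); the addresses, ACL numbers
# and names are assumptions for illustration, not the thread's real configs.
PIX_PUBLIC, ROUTER_PUBLIC = "203.0.113.5", "198.51.100.9"
PIX_LAN, ROUTER_LAN = "10.1.0.0/16", "10.50.1.0/24"
ROUTER_INBOUND_ACL = """
access-list 101 permit udp any any eq isakmp
access-list 101 permit udp any any eq non500-isakmp
access-list 101 permit esp any any
access-list 101 permit ip 10.1.0.0 0.0.255.255 10.50.1.0 0.0.0.255
access-list 101 deny ip any any
"""
# Crypto (interesting-traffic) ACLs: IOS writes wildcard masks, the PIX writes netmasks
ROUTER_CRYPTO_ACL = "access-list 110 permit ip 10.50.1.0 0.0.0.255 10.1.0.0 0.0.255.255"
PIX_CRYPTO_ACL = "access-list vpn permit ip 10.1.0.0 255.255.0.0 10.50.1.0 255.255.255.0"


def _take_net(tokens, i, style):
    """Consume one address spec (any | host A | A MASK) starting at tokens[i]."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return Net(tokens[i + 1] + "/32"), i + 2
    addr, mask = tokens[i], tokens[i + 1]
    if style == "wildcard":  # invert the IOS wildcard bits to get a netmask
        mask = str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF))
    return Net(f"{addr}/{mask}", strict=False), i + 2


def parse_acl(text, style):
    """Return (action, proto, src, dst, port) for each access-list line."""
    entries = []
    for raw in text.splitlines():
        t = raw.split()
        if len(t) < 6 or t[0] != "access-list":
            continue
        src, i = _take_net(t, 4, style)
        dst, i = _take_net(t, i, style)
        port = t[i + 1] if len(t) > i + 1 and t[i] == "eq" else None
        entries.append((t[2], t[3], src, dst, port))
    return entries


def first_match(entries, proto, src, dst, port=None):
    """Action of the first entry matching the flow; the ACL's implicit deny otherwise."""
    for action, eproto, esrc, edst, eport in entries:
        if eproto not in ("ip", proto):
            continue
        if not (src.subnet_of(esrc) and dst.subnet_of(edst)):
            continue
        if eport is not None and PORT_ALIASES.get(eport, eport) != PORT_ALIASES.get(port, port):
            continue
        return action
    return "deny"


def inbound_acl_gaps(acl_text, pix_public, router_public, pix_lan, router_lan):
    """Flows the 831's inbound ACL must permit: IKE, NAT-T, ESP, and the decrypted
    PIX-LAN -> router-LAN packets, which IOS re-checks against the inbound ACL."""
    entries = parse_acl(acl_text, "wildcard")
    peer, me = Net(pix_public + "/32"), Net(router_public + "/32")
    required = [
        ("udp/500 ISAKMP", ("udp", peer, me, "500")),
        ("udp/4500 NAT-T", ("udp", peer, me, "4500")),
        ("esp", ("esp", peer, me, None)),
        (f"ip {pix_lan} -> {router_lan}", ("ip", Net(pix_lan), Net(router_lan), None)),
    ]
    return [label for label, flow in required if first_match(entries, *flow) != "permit"]


def crypto_acl_mismatches(router_acl, pix_acl):
    """Each side's interesting-traffic entry must be the exact mirror of the other's."""
    r = [(s, d) for a, _, s, d, _ in parse_acl(router_acl, "wildcard") if a == "permit"]
    p = [(s, d) for a, _, s, d, _ in parse_acl(pix_acl, "netmask") if a == "permit"]
    out = [f"831 crypto ACL {s} -> {d} has no mirror on the PIX" for s, d in r if (d, s) not in p]
    out += [f"PIX crypto ACL {s} -> {d} has no mirror on the 831" for s, d in p if (d, s) not in r]
    return out


def check_site_pair(router_lan, pix_lan, inbound_acl, router_crypto, pix_crypto,
                    pix_public=PIX_PUBLIC, router_public=ROUTER_PUBLIC):
    """Collect the misconfigurations that leave phase 1 at QM_IDLE but pass no traffic."""
    findings = []
    if Net(router_lan).overlaps(Net(pix_lan)):
        findings.append(f"LAN overlap: {router_lan} collides with {pix_lan}; "
                        "renumber one side before looking at crypto")
    findings += ["831 inbound ACL blocks " + g for g in
                 inbound_acl_gaps(inbound_acl, pix_public, router_public, pix_lan, router_lan)]
    findings += crypto_acl_mismatches(router_crypto, pix_crypto)
    return findings


if __name__ == "__main__":
    # The colliding schema from the thread, then the renumbered one
    for f in check_site_pair("10.1.5.0/24", PIX_LAN, ROUTER_INBOUND_ACL,
                             ROUTER_CRYPTO_ACL, PIX_CRYPTO_ACL):
        print("FINDING:", f)
    print("fixed schema:", check_site_pair(ROUTER_LAN, PIX_LAN, ROUTER_INBOUND_ACL,
                                           ROUTER_CRYPTO_ACL, PIX_CRYPTO_ACL))
```

Run as-is, the first call reports the LAN overlap and an inbound-ACL gap for the decrypted traffic (the ACL still names the old router subnet); the second, with the renumbered 831 LAN, reports nothing. The wildcard-to-netmask inversion is done explicitly rather than relying on ipaddress's hostmask parsing, because a wildcard of 0.0.0.0 (a host entry) would otherwise be read as a /0 netmask.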