Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Followup: Pix515 - 831

Good afternoon everyone.

We are trying to pass traffic from a Cisco 831 to a Pix 515 over broadband. Both have static ips. When trying to establish the tunnel (sending a ping), we can see that the tunnel shows a status of "UP-IDLE" from the 831 and the PIX shows a state of "QM-IDLE". The ping is to a server on the PIX side from the 831 internal interface (yes it allows icmp requests).

From the 831, a "show crypto ipsec sa" shows that there are sending errors.

My question, what are the commands to troubleshoot from the PIX side? We have numerous PIXtoPIX vpns, but this is the first 831-PIX. I am attaching the configs of each site (1.1.1.1 for the PIX and 2.2.2.2 for the 831). The 831 has the inspection rules applied (I've tried removing them but still no luck).

Thanks for any help in advance. Have a great weekend.

Tim

7 REPLIES
Gold

Re: Followup: Pix515 - 831

on the 831, the inbound acl needs to include the traffic from pix inside net to router inside net.

e.g.

access-list 101 permit udp any any eq isakmp

access-list 101 permit udp any any eq non500-isakmp

access-list 101 permit esp any any

access-list 101 permit ip 10.1.0.0 0.0.255.255 10.50.1.0 0.0.0.255

access-list 101 deny ip any any

with pix, the command "sysopt connection permit-ipsec" will force the pix to ignore the acl for all crypto traffic. however, router has no such command, thus the inbound acl needs to be configured in order to permit the crypto traffic.

New Member

Re: Followup: Pix515 - 831

Unfortunately, this did not correct the problem. The tunnels still how a state of "QM_IDLE" and when viewing the "show crypto ipsec sa" on the 831 (the sending side) it shows numerous sending errors. I have checked the policies on both sides but still can't find the problem. Any ideas?

New Member

Re: Followup: Pix515 - 831

Here is a debug output from the PIX side when sending from the 831 (2.2.2.2).

New Member

Re: Followup: Pix515 - 831

Here is a debug from the 831 when pinging to the remote lan. Again, thank you for any help or insight on this. Everyone appreciates these forums.

New Member

Re: Followup: Pix515 - 831

The original issue has been resolved. It was a routing issue in that the LANs subnet masks collided. By changing the 831 IP schema traffic was able to be passed from the 831 side to the PIX Lan (IPSEC VPN tunnel made).

I am still troubleshooting establishing a tunnel from the PIX side as well. I can open a tunnel from the 831 and pass traffic from both ends, but the tunnel cannot be established from the PIX side. Any insight would be appreciated. Thank you for your help..

Gold

Re: Followup: Pix515 - 831

the issue maybe related to the inbound acl on the 831. please post the latest inbound acl.

New Member

Re: Followup: Pix515 - 831

I included an attachment of the acls on the 831.

119
Views
0
Helpful
7
Replies
CreatePlease to create content