Obtaining help here/static tunnel

ph0enix
Level 1

Hi, I've posted several times here requesting help. A few of those times I was asked to post my configs, but I'm wondering if anyone ever looks at them. Usually I just get a link to a config example, which doesn't really help me since I already used specific examples to configure the systems (I'm trying to create a static tunnel between two sites, to be specific; I followed the Spoke-to-Client example pretty closely, but I can't establish the static tunnel). I don't know what I'm doing wrong. When I run:

show crypto isakmp sa

...at the main site (while trying to ping the other side), I see the following:

PIX515E# show crypt isakmp sa

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: xxx.xxx.152.117
    Type    : user            Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG2

...but it eventually times out. I don't know what I'm doing wrong or how to debug the issue.

Please help - I'm willing to pay somebody to help me get the tunnel up.

Thank you!

7 Replies

mpalardy
Level 3

Is nat-traversal enabled on the PIX?

I'm not sure. How can I find that out and enable it if necessary?

I did "isakmp nat-traversal" on both ends even though the Spoke-to-Client example doesn't mention it but it didn't make a difference.

Is the client behind a firewall blocking udp/500?

There are no other firewalls involved on the client's end. Could Cablevision/Optimum be blocking udp/500? It's the business service.
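A way to answer the udp/500 question directly, as an added example that is not part of this thread or of any Cisco tool: the PIX in the original post is stuck in MM_WAIT_MSG2, i.e. it has sent IKEv1 Main Mode message 1 and never receives message 2 from xxx.xxx.152.117. The script below builds a minimal, well-formed MM1 (ISAKMP header plus an SA payload offering one 3DES/SHA-1/pre-shared-key/DH-group-2 transform; those proposal values are my assumption, not the poster's policy) and sends it to the peer on UDP/500 from any ordinary host, then classifies the reply: an MM2 means the peer is reachable on UDP/500 and accepted a proposal, an Informational exchange carrying a Notification (type 14 is NO_PROPOSAL_CHOSEN) means the peer is reachable but rejected the offer, and a timeout means UDP/500 is blocked somewhere or the peer is not listening. The peer address is taken from the command line; nothing on the page fixes the exact address.

```python
"""
IKEv1 Main Mode reachability probe (added example, not from the thread).

Sends ISAKMP Main Mode message 1 to a peer on UDP/500 and classifies the
response. A PIX reporting MM_WAIT_MSG2 is waiting for exactly the message
this probe waits for, so the probe separates "UDP/500 never gets through"
from "the peer answers but rejects the proposal".
"""
import os
import socket
import struct
import sys

ISAKMP_PORT = 500
NEXT_SA, NEXT_NOTIFY = 1, 11          # ISAKMP next-payload types
EXCH_MAIN_MODE, EXCH_INFORMATIONAL = 2, 5
DOI_IPSEC, SIT_IDENTITY_ONLY = 1, 1
PROTO_ISAKMP, KEY_IKE = 1, 1
ISAKMP_HDR = "!8s8sBBBBII"            # cookies, next, version, exch, flags, msgid, length


def _attr_tv(atype, value):
    # Basic attribute: high bit set, 2-byte value.
    return struct.pack("!HH", 0x8000 | atype, value)


def _attr_tlv(atype, value_bytes):
    # Variable-length attribute: high bit clear, 2-byte length, then value.
    return struct.pack("!HH", atype, len(value_bytes)) + value_bytes


def build_mm1(init_cookie):
    """Return the bytes of Main Mode message 1 with a single proposal."""
    attrs = (_attr_tv(1, 5)                               # encryption: 3DES-CBC
             + _attr_tv(2, 2)                             # hash: SHA-1
             + _attr_tv(3, 1)                             # auth: pre-shared key
             + _attr_tv(4, 2)                             # DH group 2 (assumed)
             + _attr_tv(11, 1)                            # life type: seconds
             + _attr_tlv(12, struct.pack("!I", 86400)))   # lifetime 86400 s
    # Transform: generic hdr(4) + transform#, transform ID, reserved(2)
    transform = struct.pack("!BBHBBH", 0, 0, 8 + len(attrs), 1, KEY_IKE, 0) + attrs
    # Proposal: generic hdr(4) + proposal#, protocol, SPI size, #transforms
    proposal = struct.pack("!BBHBBBB", 0, 0, 8 + len(transform),
                           1, PROTO_ISAKMP, 0, 1) + transform
    # SA payload: generic hdr(4) + DOI(4) + situation(4)
    sa = struct.pack("!BBHII", 0, 0, 12 + len(proposal), DOI_IPSEC, SIT_IDENTITY_ONLY) + proposal
    hdr = struct.pack(ISAKMP_HDR, init_cookie, b"\x00" * 8, NEXT_SA, 0x10,
                      EXCH_MAIN_MODE, 0, 0, 28 + len(sa))
    return hdr + sa


def classify_reply(init_cookie, data):
    """Classify the UDP/500 datagram (or None on timeout) received after MM1."""
    if data is None:
        return "no reply: UDP/500 blocked, peer not listening, or peer ignores this source"
    if len(data) < 28:
        return "malformed: short ISAKMP header"
    icookie, rcookie, nxt, _ver, exch, _flags, _msgid, _length = struct.unpack(ISAKMP_HDR, data[:28])
    if icookie != init_cookie:
        return "unrelated datagram (initiator cookie mismatch)"
    if exch == EXCH_MAIN_MODE and nxt == NEXT_SA and rcookie != b"\x00" * 8:
        return "MM2 received: peer reachable and accepted a proposal"
    if exch == EXCH_INFORMATIONAL and nxt == NEXT_NOTIFY and len(data) >= 28 + 12:
        # Notification payload: generic hdr(4) + DOI(4) + proto(1) + SPI size(1) + type(2)
        ntype = struct.unpack("!H", data[28 + 10:28 + 12])[0]
        return f"peer reachable but rejected MM1 (notify type {ntype})"
    return f"peer reachable; unexpected exchange type {exch}, next payload {nxt}"


def probe(peer, timeout=3.0):
    """Send one MM1 to peer:500 and return the classification string."""
    init_cookie = os.urandom(8)
    pkt = build_mm1(init_cookie)
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        try:
            s.bind(("", ISAKMP_PORT))   # some peers only answer source port 500; needs root
        except OSError:
            pass                        # otherwise fall back to an ephemeral source port
        s.settimeout(timeout)
        s.sendto(pkt, (peer, ISAKMP_PORT))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            data = None
    finally:
        s.close()
    return classify_reply(init_cookie, data)


if __name__ == "__main__":
    print(probe(sys.argv[1]))
```

Run it as `python3 ike_probe.py xxx.xxx.152.117` from a host on the Internet side (root if you want the source port to be 500). If a third host gets an MM2 back while the PIX515E still sits in MM_WAIT_MSG2, the peer does answer UDP/500 in general and the fault is specific to the path or source address of the 515E; if the probe also times out, start with the ISP and the peer's isakmp configuration on its outside interface.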

In order to resolve this problem, I'd suggest the following steps:

1) Place a client directly on the VPN interface and try a VPN connection.

2) On the PIX, check for the client authentication (show uauth).

3) Check the client syslog.

4) Check the firewall syslogs to see if the policies defined on the PIX are found for the client.

It might not be your case, but ZoneAlarm installed on the client may be blocking traffic. There is a procedure on cisco.com (uninstall/install the VPN client) to resolve this.

1. How do I do that? (not sure what you mean)

2. The "show auth" command displays nothing on the PIX506E (6.3) end.

On the PIX515E (7.0) "show run auth" displays nothing as well.

3. The client syslog? The network is Windows-based.

4. How do I check PIX's syslog?
