02-16-2006 06:04 AM - edited 03-09-2019 01:57 PM
Hi, I've posted several times here requesting help. A few of those times I was asked to post my configs, but I'm wondering if anyone ever looks at them. Usually I just get a link to a config example, which doesn't really help me since I already used specific examples to configure the systems (I'm trying to create a static tunnel between two sites, to be specific; I followed the Spoke-to-Client example pretty closely, but I can't establish the static tunnel). I don't know what I'm doing wrong. When I run:
show crypto isakmp sa
...at the main site (while trying to ping the other side), I see the following:
PIX515E# show crypt isakmp sa
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: xxx.xxx.152.117
Type : user Role : initiator
Rekey : no State : MM_WAIT_MSG2
...but it eventually times out. I don't know what I'm doing wrong or how to debug the issue.
Please help - I'm willing to pay somebody to help me get the tunnel up.
Thank you!
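As an added example that is not part of this thread (my own code, not Cisco's): a small parser for the "show crypto isakmp sa" output quoted above that pulls out each IKE peer's role and state and maps the state to the likely cause. The state-to-cause mapping is my assumption from how IKEv1 main mode proceeds (MSG1 out, MSG2 expected back), and the sample text is constructed from the post.

```python
import re

# Constructed sample, modelled on the output quoted in the post (peer masked as there).
SAMPLE_OUTPUT = """\
PIX515E# show crypto isakmp sa
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: xxx.xxx.152.117
Type : user Role : initiator
Rekey : no State : MM_WAIT_MSG2
"""

# Assumed mapping: what a main-mode state means on the side that shows it.
DIAGNOSIS = {
    "MM_WAIT_MSG2": "first proposal sent, nothing came back: peer unreachable, not "
                    "listening for ISAKMP, or udp/500 (udp/4500 with NAT-T) filtered",
    "MM_ACTIVE": "phase 1 is up; look at phase 2 with 'show crypto ipsec sa' instead",
}

def parse_isakmp_sa(text):
    """Return one dict per IKE peer with keys peer, type, role, rekey, state."""
    peers, current = [], None
    for line in text.splitlines():
        m = re.match(r"\s*\d+\s+IKE Peer:\s*(\S+)", line)
        if m:                       # start of a new peer entry
            current = {"peer": m.group(1)}
            peers.append(current)
            continue
        if current is None:         # header lines before the first peer
            continue
        for key, value in re.findall(r"(\w+)\s*:\s*(\S+)", line):
            current[key.lower()] = value
    return peers

def diagnose(sa):
    """Map a parsed SA to a short likely-cause string."""
    state = sa.get("state", "")
    if state in DIAGNOSIS:
        return DIAGNOSIS[state]
    if state.startswith("MM_WAIT_MSG"):
        # Any later wait state means the peer answered at least once, so the
        # link works; compare ISAKMP policy and pre-shared key (debug crypto isakmp).
        return "stalled at %s after the peer replied: policy or PSK mismatch" % state
    return "unrecognised state %r" % state

def report(text):
    """Return (peer, role, state, diagnosis) for every SA in the output."""
    return [(sa["peer"], sa.get("role"), sa.get("state"), diagnose(sa))
            for sa in parse_isakmp_sa(text)]
```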
02-16-2006 06:19 AM
Is nat-traversal enabled on the pix?
02-16-2006 06:38 AM
I'm not sure. How can I find that out and enable it if necessary?
02-16-2006 08:21 AM
I did "isakmp nat-traversal" on both ends even though the Spoke-to-Client example doesn't mention it but it didn't make a difference.
02-16-2006 12:37 PM
Is the client behind a firewall blocking udp/500?
02-16-2006 05:35 PM
There are no other firewalls involved on the client's end. Could Cablevision/Optimum be blocking udp:500? ...it's the business service?
02-17-2006 06:29 AM
In order to perform resolution for this problem, I'd suggest the following steps:
1) Place a client directly on the VPN interface and try a VPN connection.
2) On the pix, check for the client authentication (show uauth).
3) Check the client syslog.
4) Check the firewall syslogs to see if the policies defined on the pix are found for the client.
It might not be your case but zone-alarm installed on the client may be blocking traffic. There is a procedure on cisco.com (uninstall/install VPN client) to resolve this.
02-17-2006 01:46 PM
1. How do I do that? (not sure what you mean)
2. The "show auth" command displays nothing on the PIX506E (6.3) end.
On the PIX515E (7.0) "show run auth" displays nothing as well.
3. The client syslog? The network is Windows based.
4. How do I check PIX's syslog?