New Member

Obtaining help here/static tunnel

Hi, I've posted several times here requesting help. A few of those times I was asked to post my configs, but I'm wondering if anyone ever looks at them. Usually, I just get a link to a config example, which doesn't really help me since I already used specific examples to configure the systems (trying to create a static tunnel between two sites, to be specific; I followed the Spoke-to-Client example pretty closely, but I can't establish the static tunnel). I don't know what I'm doing wrong. When I run:

show crypto isakmp sa

...at the main site (while trying to ping the other side), I see the following:

PIX515E# show crypt isakmp sa

Active SA: 1

Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)

Total IKE SA: 1

1 IKE Peer: xxx.xxx.152.117

Type : user Role : initiator

Rekey : no State : MM_WAIT_MSG2

...but it eventually times out. I don't know what I'm doing wrong or how to debug the issue.

Please help - I'm willing to pay somebody to help me get the tunnel up.

Thank you!
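The state shown above is the main clue in this output. As an added example (not part of the original post, and not Cisco code), the following script parses "show crypto isakmp sa" output from PIX/ASA 7.x and attaches the troubleshooting hint that each IKEv1 main-mode state commonly points to; the state-to-cause mapping reflects common troubleshooting practice, not a vendor table, and the sample output is constructed from the post above.

```python
import re

# IKEv1 main-mode states as printed by "show crypto isakmp sa" (PIX/ASA 7.x),
# mapped to the cause a troubleshooter usually checks first for that state.
MM_STATE_HINTS = {
    "MM_WAIT_MSG2": "initiator sent its proposal and got no reply: UDP/500 is not "
                    "reaching the peer, or the peer has no ISAKMP/crypto map entry for us",
    "MM_WAIT_MSG3": "responder accepted the proposal; waiting for the initiator's key exchange",
    "MM_WAIT_MSG4": "proposal accepted; waiting for the peer's key exchange",
    "MM_WAIT_MSG5": "responder waiting for the initiator's identity/hash",
    "MM_WAIT_MSG6": "initiator sent identity and got no reply: pre-shared key mismatch is the usual cause",
    "MM_ACTIVE":    "phase 1 is up; check phase 2 with 'show crypto ipsec sa'",
}

# One SA block: peer address, Type/Role line, then the State field.
SA_RE = re.compile(
    r"IKE Peer:\s*(?P<peer>\S+).*?Type\s*:\s*(?P<type>\w+)\s+Role\s*:\s*(?P<role>\w+)"
    r".*?State\s*:\s*(?P<state>[A-Z0-9_]+)",
    re.S,
)

def parse_isakmp_sa(text):
    """Return one dict (peer, type, role, state) per IKE SA in the show output."""
    return [m.groupdict() for m in SA_RE.finditer(text)]

def diagnose(text):
    """Attach a hint to every SA; an empty list means no IKE SA exists at all."""
    out = []
    for sa in parse_isakmp_sa(text):
        sa["hint"] = MM_STATE_HINTS.get(sa["state"], "unlisted state; use 'debug crypto isakmp'")
        # A site-to-site peer normally shows Type L2L; "user" commonly means the
        # PIX matched the peer to a remote-access (ipsec-ra) group instead.
        if sa["type"].lower() == "user":
            sa["hint"] += "; Type 'user' on a site-to-site peer suggests no L2L tunnel-group matched"
        out.append(sa)
    return out

# Constructed sample, copied from the thread (peer address masked as in the post).
SAMPLE = """\
Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: xxx.xxx.152.117
    Type    : user            Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG2
"""

if __name__ == "__main__":
    for sa in diagnose(SAMPLE):
        print(f"{sa['peer']} ({sa['role']}, {sa['state']}): {sa['hint']}")
```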

7 REPLIES
New Member

Re: Obtaining help here/static tunnel

Is nat-traversal enabled on the PIX?

New Member

Re: Obtaining help here/static tunnel

I'm not sure. How can I find that out and enable it if necessary?

New Member

Re: Obtaining help here/static tunnel

I did "isakmp nat-traversal" on both ends even though the Spoke-to-Client example doesn't mention it but it didn't make a difference.

New Member

Re: Obtaining help here/static tunnel

Is the client behind a firewall blocking udp/500?

New Member

Re: Obtaining help here/static tunnel

There are no other firewalls involved on the client's end. Could Cablevision/Optimum be blocking udp:500? ...it's the business service?

New Member

Re: Obtaining help here/static tunnel

In order to perform resolution for this problem, I'd suggest the following steps:

1) Place a client directly on the VPN interface and try a VPN connection.

2) On the PIX, check for the client authentication (show uauth).

3) Check the client syslog.

4) Check the firewall syslogs to see if the policies defined on the PIX are found for the client.

It might not be your case, but ZoneAlarm installed on the client may be blocking traffic. There is a procedure on cisco.com (uninstall/install VPN client) to resolve this.

New Member

Re: Obtaining help here/static tunnel

1. How do I do that? (not sure what you mean)

2. The "show auth" command displays nothing on the PIX506E (6.3) end.

On the PIX515E (7.0) "show run auth" displays nothing as well.

3. The client syslog? The network is Windows based.

4. How do I check PIX's syslog?
