Cisco Support Community
New Member

PIX 501 establish IPSEC connection but no data transmission

Hello all,

I have a strange problem with a Cisco PIX 501 connected remotely to a Cisco VPN 3000 concentrator.

The pix is configured for a remote access session to the concentrator. The problem is that when I ping, the IPsec tunnel is established and bytes are transmitted, but no or only a couple of bytes are received by the concentrator.

So I can't ping the LAN behind the pix.

I do not know what the problem might be. Both phases are created.

What can be the problem ?

Attached the PIX config.

Best regards

Kai

PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxx
passwd xxx
hostname
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
: Both interface ACLs are permit-any; no ACL here selects or restricts tunnel traffic
access-list outside permit ip any any
access-list inside_access_in permit ip any any
pager lines 24
mtu outside 1456
mtu inside 1456
: Outside address and default route come from PPPoE (setroute)
ip address outside pppoe setroute
ip address inside 123.0.0.200 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 123.0.0.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
: Inside hosts are PAT'd to the outside interface address for Internet traffic
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group outside in interface outside
access-group inside_access_in in interface inside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 123.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 133.0.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
: PPPoE dial-out to the ISP (credentials redacted)
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname *******
vpdn group pppoe_group ppp authentication pap
vpdn username ******* password *********
: Easy VPN Remote (vpnclient) to the concentrator in network-extension mode
vpnclient server 111.x.x.200
vpnclient mode network-extension-mode
vpnclient vpngroup vpn password ********
vpnclient username pix password ********
vpnclient enable
terminal width 80
Cryptochecksum:xxxx
: end

1 ACCEPTED SOLUTION

New Member

Re: PIX 501 establish IPSEC connection but no data transmission

you're pinging from the network behind the concentrator to devices behind the PIX?

Can you then check if you see data received on the PIX end? You can check that by issuing the command

show crypto ipsec sa

It will tell you per sa how many bytes were received / transmitted.

If you see bytes received and transmitted, and they increase after you issue a ping (usually the increase is 4 packets), you know it's not the pix, but something like nat-traversal that's blocking the return traffic.

7 REPLIES
New Member

Re: PIX 501 establish IPSEC connection but no data transmission

There could be different reasons why traffic can't flow through the tunnel.

Based on the config you've posted I'd first enable IPsec traffic to bypass the access-lists you've created, with the following command (in config mode):

sysopt connection permit-ipsec

Then you should be able to verify on both endpoints whether the Internet itself is the reason traffic isn't flowing. You can do that by checking how many packets are encapsulated/encrypted and decrypted/decapsulated on both sides.

On the pix you can use the command:

show crypto ipsec sa

and on the concentrator you can use the statistics for that specific tunnel.

Based upon those results you can determine what the actual problem is:

- NAT on the internet (sometimes transparent NAT at an ISP)

- MTU Sizes on the internet

- Outbound traffic is blocked on the pix or concentrator (e.g. traffic is not encapsulated)

- Return traffic (the echo-reply) is not sent through the tunnel

Hope this helps
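The counter check this reply and the accepted solution describe (snapshot show crypto ipsec sa, ping, snapshot again, then read the encaps/decaps deltas per SA) can be scripted so the verdict falls out of the numbers instead of being read by eye. The following is an added example written for this thread, not code from any of the posters or from Cisco. The sample output is constructed in the PIX 6.3 layout with documentation addresses; the SA identities, the crypto map name and the counter values are assumptions, not data from the thread.

```python
"""Localize IPsec packet loss from two 'show crypto ipsec sa' snapshots.

Added example for this thread (not from the original posts or from Cisco).
Take the command output once before a test ping and once after, then
compare the per-SA encaps/decaps counters. BEFORE/AFTER below are
constructed in the PIX 6.3 layout; addresses, names and values are assumed.
"""
import re

# Constructed snapshot before the ping: a host SA and an inside-network SA to one peer.
BEFORE = """\
interface: outside
    Crypto map tag: vpnc_map, local addr. 203.0.113.14

   local  ident (addr/mask/prot/port): (203.0.113.14/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer: 198.51.100.1:500
    #pkts encaps: 50, #pkts encrypt: 50, #pkts digest 50
    #pkts decaps: 50, #pkts decrypt: 50, #pkts verify 50
    #send errors 0, #recv errors 0

   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer: 198.51.100.1:500
    #pkts encaps: 120, #pkts encrypt: 120, #pkts digest 120
    #pkts decaps: 3, #pkts decrypt: 3, #pkts verify 3
    #send errors 0, #recv errors 0
"""
# Constructed snapshot after four echo requests: the host SA answers, the network SA does not.
AFTER = BEFORE.replace("encaps: 50, #pkts encrypt: 50, #pkts digest 50", "encaps: 54, #pkts encrypt: 54, #pkts digest 54") \
              .replace("decaps: 50, #pkts decrypt: 50, #pkts verify 50", "decaps: 54, #pkts decrypt: 54, #pkts verify 54") \
              .replace("encaps: 120, #pkts encrypt: 120, #pkts digest 120", "encaps: 124, #pkts encrypt: 124, #pkts digest 124")

SA_START = re.compile(r"local\s+ident \(addr/mask/prot/port\): \(([^)]*)\)")
REMOTE = re.compile(r"remote ident \(addr/mask/prot/port\): \(([^)]*)\)")
PEER = re.compile(r"current_peer: (\S+)")
COUNTERS = {
    "encaps": re.compile(r"#pkts encaps: (\d+)"),
    "decaps": re.compile(r"#pkts decaps: (\d+)"),
    "send_errors": re.compile(r"#send errors (\d+)"),
    "recv_errors": re.compile(r"#recv errors (\d+)"),
}
ZERO = {"encaps": 0, "decaps": 0, "send_errors": 0, "recv_errors": 0}


def parse_ipsec_sa(text):
    """Map (local ident, remote ident, peer) -> counters for every SA in the output."""
    sas, cur, ident = {}, None, []
    for line in text.splitlines():
        if m := SA_START.search(line):
            cur, ident = dict(ZERO), [m.group(1)]      # a new SA block starts here
        elif m := REMOTE.search(line):
            ident.append(m.group(1))
        elif m := PEER.search(line):
            ident.append(m.group(1))
            sas[tuple(ident)] = cur                     # identity complete; counters fill in below
        elif cur is not None:
            for name, rx in COUNTERS.items():
                if m := rx.search(line):
                    cur[name] = int(m.group(1))
    return sas


def classify(delta, ping_count=4):
    """Turn the counter change across one ping into a verdict code and a next step."""
    enc, dec = delta["encaps"], delta["decaps"]
    if delta["send_errors"]:
        return "SEND_ERRORS", "encapsulation failed locally: check the SA/transform and packet size vs. MTU"
    if delta["recv_errors"]:
        return "RECV_ERRORS", "packets arrived but failed decrypt/verify: SA mismatch or replay drops"
    if enc == 0 and dec == 0:
        return "NO_TRAFFIC", "the ping never entered this SA: wrong source network, NAT before encryption, or routing"
    if enc and dec == 0:
        return "NO_RETURN", "requests encrypted, no replies decrypted: ESP/UDP 4500 dropped in the path, NAT in between, or peer not routing back"
    if enc == 0 and dec:
        return "NO_REPLY_SENT", "requests decrypted, no replies encrypted: inside host unreachable or replies routed around the tunnel"
    if dec < enc:
        return "PARTIAL_LOSS", "some replies missing: suspect MTU/fragmentation or intermittent loss"
    if enc < ping_count:
        return "OK_SHORT", f"both directions pass but only {enc} of {ping_count} echoes were seen"
    return "OK", "tunnel passes both directions: look past it (host firewalls, ACLs behind the peer)"


def diagnose(before_text, after_text, ping_count=4):
    """Per-SA verdicts from the before/after snapshots."""
    before, after = parse_ipsec_sa(before_text), parse_ipsec_sa(after_text)
    result = {}
    for key, a in after.items():
        b = before.get(key, ZERO)
        result[key] = classify({n: a[n] - b[n] for n in ZERO}, ping_count)
    return result


if __name__ == "__main__":
    for (local, remote, peer), (code, hint) in diagnose(BEFORE, AFTER).items():
        print(f"{local} -> {remote} via {peer}: {code}\n    {hint}")
```

Paste the two real snapshots in place of BEFORE and AFTER (or read them from files). On the constructed sample the host SA comes back OK while the inside-network SA is reported as NO_RETURN, which is the shape of the symptom in the original post: encaps climb with every ping, decaps stay flat.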

New Member

Re: PIX 501 establish IPSEC connection but no data transmission

Thanks for the fast reply.

The sysopt command doesn't work with this configuration because the pix tells me that I can't enter the command when Easy VPN is enabled.

The pix itself behaves like a client PC connected to the concentrator.

I will also check on the concentrator for mismatch.

Cisco Employee

Re: PIX 501 establish IPSEC connection but no data transmission

Looking at the head end stats do you see RX bytes for this tunnel? If yes it could be an internal routing issue; check things like tunnel default gateway and other routing if you are doing RRI.

Do other devices pass traffic ok?

If you see no RX bytes it could be that you are blocking ESP (protocol 50) at a firewall in between (phase one and two IKE are built and maintained on UDP port 500 unless using NAT-T, in which case you'll see data and IKE on UDP 4500).
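The protocol split this reply describes (IKE on UDP 500, everything on UDP 4500 once NAT-T is negotiated, otherwise data as raw ESP, IP protocol 50) is easy to confirm with a capture taken outside the PIX or on the concentrator's public side. Below is an added example, not code from the thread or from Cisco: it classifies tcpdump-style summary lines by protocol and direction and reports whether ESP is leaving without ever coming back, which is what a protocol-50 block upstream looks like. The capture lines and the LOCAL/PEER addresses are constructed assumptions.

```python
"""Classify tunnel traffic seen on the outside interface by protocol and direction.

Added example for this thread (not from the original posts or from Cisco).
It reads tcpdump-style summary lines and reports whether IKE (UDP 500),
NAT-T (UDP 4500) and raw ESP (IP protocol 50) are seen in both directions.
The capture and the two addresses below are constructed.
"""
import re
from collections import Counter

LOCAL = "203.0.113.14"      # assumed outside address of the PIX
PEER = "198.51.100.1"       # assumed concentrator address

# Constructed capture: IKE both ways, then four ESP packets that are never answered.
CAPTURE = """\
IP 203.0.113.14.500 > 198.51.100.1.500: isakmp: phase 1 I agg
IP 198.51.100.1.500 > 203.0.113.14.500: isakmp: phase 1 R agg
IP 203.0.113.14.500 > 198.51.100.1.500: isakmp: phase 2/others I oakley-quick
IP 198.51.100.1.500 > 203.0.113.14.500: isakmp: phase 2/others R oakley-quick
IP 203.0.113.14 > 198.51.100.1: ESP(spi=0x1a2b3c4d,seq=0x1), length 116
IP 203.0.113.14 > 198.51.100.1: ESP(spi=0x1a2b3c4d,seq=0x2), length 116
IP 203.0.113.14 > 198.51.100.1: ESP(spi=0x1a2b3c4d,seq=0x3), length 116
IP 203.0.113.14 > 198.51.100.1: ESP(spi=0x1a2b3c4d,seq=0x4), length 116
"""

# "IP a.b.c.d[.port] > e.f.g.h[.port]: rest" as tcpdump prints it without -n suppression issues
LINE = re.compile(
    r"IP (?P<src>\d{1,3}(?:\.\d{1,3}){3})(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?:\.(?P<dport>\d+))?: (?P<rest>.*)"
)


def classify_packet(line):
    """Return (kind, direction) for tunnel traffic, or None for anything else."""
    m = LINE.match(line)
    if not m:
        return None
    direction = "out" if m.group("src") == LOCAL else "in"
    port, rest = m.group("sport"), m.group("rest")
    if port == "4500":
        kind = "NAT-T"          # UDP 4500 carries both IKE and UDP-encapsulated ESP
    elif port == "500" and rest.startswith("isakmp"):
        kind = "IKE"
    elif rest.startswith("ESP("):
        kind = "ESP"            # raw IP protocol 50, no UDP header at all
    else:
        return None
    return kind, direction


def summarize(capture):
    """Count packets per (kind, direction)."""
    counts = Counter()
    for line in capture.splitlines():
        hit = classify_packet(line)
        if hit:
            counts[hit] += 1
    return counts


def verdict(counts):
    """Read the direction split the way the reply above suggests."""
    ike_both = counts[("IKE", "out")] and counts[("IKE", "in")]
    if counts[("NAT-T", "out")] or counts[("NAT-T", "in")]:
        if counts[("NAT-T", "out")] and not counts[("NAT-T", "in")]:
            return "NATT_ONE_WAY", "UDP 4500 leaves but nothing comes back: NAT-T path or peer side"
        return "NATT", "NAT-T in use: data rides UDP 4500, do not expect raw ESP on the wire"
    if counts[("ESP", "out")] and not counts[("ESP", "in")]:
        return "ESP_ONE_WAY", "ESP leaves but never returns: IP protocol 50 dropped upstream or peer not sending back"
    if counts[("ESP", "in")] and not counts[("ESP", "out")]:
        return "ESP_INBOUND_ONLY", "ESP arrives but the PIX sends none: local side is not encrypting"
    if counts[("ESP", "out")] and counts[("ESP", "in")]:
        return "ESP_BOTH", "ESP flows both ways: the Internet path is fine, look at the tunnel endpoints"
    if not ike_both:
        return "IKE_INCOMPLETE", "IKE on UDP 500 not seen in both directions: phase 1 blocked or not attempted"
    return "IKE_ONLY", "IKE completes but no data SA traffic is seen: check what is selected into the tunnel"


if __name__ == "__main__":
    code, hint = verdict(summarize(CAPTURE))
    print(code, "-", hint)
```

Feed it the output of a capture on the outside interface (for example a `tcpdump -n` run on a host spanning the PIX's outside segment, or the concentrator's own capture) after a few pings; if NAT-T is in play the raw ESP counters stay at zero by design and only the UDP 4500 split matters.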

New Member

Re: PIX 501 establish IPSEC connection but no data transmission

I see bytes transmitted and far fewer bytes received. From my Windows client I always get a timeout. When I update the stats I see only bytes transmitted.

I've checked the filters and rules but it's always the same as before (when it worked).

The pix operates in network extension mode with group and username.

Does the pix need a routing entry when it is connected to the internet via PPPoE?

New Member

Re: PIX 501 establish IPSEC connection but no data transmission

Hello again,

I made a few test from the pix and the concentrator.

On the pix I've checked the whole config and it was ok. I also checked the config on the concentrator and created a new VPN user for the pix, but it still does not work.

What I found out:

When I ping from the concentrator side to the pix (remote) side I see bytes transmitted and only a few received by the concentrator.

When I ping from a client PC behind the pix I see bytes received on the concentrator but only a few transmitted back to the pix.

That's very strange to me. How can these bytes be lost?

I also ran a debug isakmp:

ISAKMP (0): sending NOTIFY message 36136 protocol 1
crypto_isakmp_process_block:src:133.133.133.133, dest 144.144.144.14 spt:500 dpt:500
ISAKMP processing NOTIFY payload 36137 protocol 1
spi 0, message ID 219159104
recieved DPD_R_U_THERE_ACK from peer 133.133.133.133
return status is IKMP_NO_ERR_NO_TRANS

Hope this helps. I got no more ideas.

P.S.: Could it be that the ISP changed something on the DSL connection that could impair the tunnel?

P.P.S.: I also ran a show ipsec sa but no bytes were received.

I've also checked the tunnel with sh isakmp sa and it tells me that 2 tunnels are established: one from the official IP the pix gets from the provider, and one for the network behind the concentrator.

Have a nice weekend

Kai

New Member

Re: PIX 501 establish IPSEC connection but no data transmission

Hello all.

It's working! Do not ask me why; I did not change anything. I just checked it one more time and it's working.

Could it be that the ISP changed something?

anyway thanks a lot for your help

Best regards

Kai
