
New Member

pix 515 to sonicwall vpn issue

Good afternoon,

I'm having some trouble getting a site-to-site VPN set up between a PIX 515 running 6.3(5) and a SonicWall. We've verified the phase 1 & 2 settings and reset the pre-shared key. On the SonicWall they are getting a message stating that the PIX doesn't support NAT traversal. I didn't have it on at first, so I turned it on, but it didn't help the issue. Has anyone seen this issue with the SonicWalls? When I run a debug on the PIX side and generate traffic I get an error message stating unauthenticated SA.

Thanks,

Chris

9 REPLIES
Cisco Employee

Re: pix 515 to sonicwall vpn issue

Chris,

If you could enable the debugs "deb cry isa" & "deb cry ipsec" on the PIX. Then do "clear cry isa sa" & "cle cry ipsec sa" -

Send interesting traffic after that, collect the debugs and send it to me.

Thanks

Gilbert

New Member

Re: pix 515 to sonicwall vpn issue

I worked with the far side some more. They found an article where the SonicWall had problems with smaller IP blocks than was on the inside interface. We opened our ACLs up and now we are getting slightly different messages. Here's the debug that I'm getting.

Thanks,

Chris

Cisco Employee

Re: pix 515 to sonicwall vpn issue

Chris,

Seems like there is retransmission of Phase 2 occurring and the tunnel doesn't get established.

ISAKMP (0): retransmitting phase 2 (9/3)... mess_id 0x11f4d1d4

ISAKMP (0): retransmitting phase 2 (3/3)... mess_id 0x1ec3c7a6

Can you check the Access-list on your end and make sure the access-list on their end is mirror image of each other.

Thanks

Gilbert

New Member

Re: pix 515 to sonicwall vpn issue

I just double-checked with the far end admin and he confirmed that they are indeed the reciprocal of each other.

He stated earlier that he keeps getting a message on his SonicWall that the far end (PIX) isn't supporting NAT traversal. I'm sure that's Sonic-speak for something else, but I'm not sure what the option would be. I do have NAT traversal on, but we aren't trying to NAT inside of the tunnel.

Thanks,

Chris

Cisco Employee

Re: pix 515 to sonicwall vpn issue

Can you send the output of

sh run | in isakmp

Thanks

Gilbert

New Member

Re: pix 515 to sonicwall vpn issue

Here it is. I've changed the public IP's of the peers, but the peer I'm working with on this one is the last one (

crypto map outside_map 20 ipsec-isakmp

crypto map outside_map 40 ipsec-isakmp

crypto map outside_map 60 ipsec-isakmp

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

isakmp enable outside

isakmp key ******** address 1.2.3.4 netmask 255.255.255.255 no-xauth no-config-mode

isakmp key ******** address 2.3.4.5 netmask 255.255.255.255 no-xauth no-config-mode

isakmp key ******** address 3.4.5.6 netmask 255.255.255.255 no-xauth no-config-mode

isakmp key ******** address 4.5.6.7 netmask 255.255.255.255 no-xauth no-config-mode

isakmp nat-traversal 20

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption 3des

isakmp policy 20 hash md5

isakmp policy 20 group 2

isakmp policy 20 lifetime 86400

isakmp policy 40 authentication pre-share

isakmp policy 40 encryption 3des

isakmp policy 40 hash sha

isakmp policy 40 group 2

isakmp policy 40 lifetime 86400

Thanks again,

Chris

Cisco Employee

Re: pix 515 to sonicwall vpn issue

Chris,

If we are not going through a NAT device, and if the SonicWall is complaining about the NAT-T, have you tried to take out "isakmp nat-traversal 20" from the config and see if it works?

If not, can you please copy and paste the exact error message from the sonicwall - let me do some searching on the error message.

Thanks

Gilbert

New Member

Re: pix 515 to sonicwall vpn issue

This is the messages they are seeing:

12 06/01/2007 14:21:31.208 NAT Discovery : Peer IPSec Security Gateway doesn't support VPN NAT Traversal 1.2.3.4, 500 5.6.7.8, 500

13 06/01/2007 14:21:31.160 IKE Initiator: Start Main Mode negotiation (Phase 1) 1.2.3.4, 500 5.6.7.8, 500

Thanks,

Chris

New Member

Re: pix 515 to sonicwall vpn issue

We got this resolved. Thanks for all of your help. The issue turned out to be that the identity was set to hostname instead of address. We changed that one value on the pix and the tunnel started passing traffic.

Thanks again,

Chris Smith
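The fix in the last post is the PIX 6.3 command "isakmp identity address" (the alternative being "isakmp identity hostname"), which controls the ID type the PIX puts in its phase 1 Identification payload. The following is an added example, not part of the thread and not Cisco or SonicWall code: it builds and parses the ISAKMP Identification payload (generic header from RFC 2408, IPsec DOI ID types from RFC 2407) and models a main-mode responder that has already picked the pre-shared key by the peer's source address and therefore expects an ID_IPV4_ADDR payload carrying that address. The hostname "pix515.example.com", the PSK table and the use of the thread's placeholder address 1.2.3.4 are constructed for the example; the responder logic is a model of the check, not a reproduction of the SonicWall's implementation.

```python
"""Model of the ISAKMP Identification payload (RFC 2408 s.3.8, IPsec DOI
RFC 2407 s.4.6.2) and a responder-side identity check that decides whether
a phase 1 peer matches the pre-shared-key entry selected by source address."""
import ipaddress
import struct

# IPsec DOI identification types (RFC 2407 section 4.6.2.1)
ID_IPV4_ADDR = 1
ID_FQDN = 2
ID_USER_FQDN = 3
ID_KEY_ID = 11
ID_NAMES = {ID_IPV4_ADDR: "ID_IPV4_ADDR", ID_FQDN: "ID_FQDN",
            ID_USER_FQDN: "ID_USER_FQDN", ID_KEY_ID: "ID_KEY_ID"}

NEXT_PAYLOAD_NONE = 0   # placeholder; a real message carries the following payload's type
PROTO_UDP = 17          # DOI-specific protocol id field
IKE_PORT = 500          # DOI-specific port field


def build_id_payload(id_type, id_data, next_payload=NEXT_PAYLOAD_NONE):
    """Encode generic header (next, reserved, length) + ID type, protocol id,
    port, identification data."""
    if id_type == ID_IPV4_ADDR:
        data = ipaddress.IPv4Address(id_data).packed
    elif id_type in (ID_FQDN, ID_USER_FQDN):
        data = id_data.encode("ascii")
    elif id_type == ID_KEY_ID:
        data = bytes(id_data)
    else:
        raise ValueError("unsupported ID type %d" % id_type)
    length = 8 + len(data)
    header = struct.pack("!BBHBBH", next_payload, 0, length, id_type, PROTO_UDP, IKE_PORT)
    return header + data


def parse_id_payload(buf):
    """Decode a payload; returns (id_type, decoded identity, trailing bytes).
    Length and reserved-byte checks guard against truncated or malformed input."""
    if len(buf) < 8:
        raise ValueError("ID payload truncated")
    _next, reserved, length, id_type, _proto, _port = struct.unpack("!BBHBBH", buf[:8])
    if reserved != 0:
        raise ValueError("reserved byte must be zero")
    if length < 8 or length > len(buf):
        raise ValueError("bad payload length %d" % length)
    data = buf[8:length]
    if id_type == ID_IPV4_ADDR:
        if len(data) != 4:
            raise ValueError("ID_IPV4_ADDR needs exactly 4 bytes of data")
        ident = str(ipaddress.IPv4Address(data))
    elif id_type in (ID_FQDN, ID_USER_FQDN):
        ident = data.decode("ascii")
    else:
        ident = data
    return id_type, ident, buf[length:]


def responder_check(peer_src_ip, id_payload, psk_table):
    """Main-mode responder model: the PSK entry was chosen by source IP (the only
    thing known before the ID payload is decrypted); the ID payload must then
    match that entry's expected type and value. Returns (accepted, reason)."""
    entry = psk_table.get(peer_src_ip)
    if entry is None:
        return False, "no pre-shared key configured for %s" % peer_src_ip
    id_type, ident, _rest = parse_id_payload(id_payload)
    expected_type, expected_ident = entry
    if id_type != expected_type:
        return False, "ID type mismatch: got %s, expected %s" % (
            ID_NAMES.get(id_type, id_type), ID_NAMES[expected_type])
    if ident != expected_ident:
        return False, "identity mismatch: got %r, expected %r" % (ident, expected_ident)
    return True, "identity %s matches" % ident


# Constructed table: the responder keys the PIX by the thread's placeholder
# public address and expects an ID_IPV4_ADDR payload carrying that address.
PSK_TABLE = {"1.2.3.4": (ID_IPV4_ADDR, "1.2.3.4")}


def demo():
    """Returns the responder's verdict for both PIX settings."""
    # "isakmp identity hostname": PIX sends its FQDN (assumed placeholder name)
    before = build_id_payload(ID_FQDN, "pix515.example.com")
    # "isakmp identity address": PIX sends its outside interface address
    after = build_id_payload(ID_IPV4_ADDR, "1.2.3.4")
    return (responder_check("1.2.3.4", before, PSK_TABLE),
            responder_check("1.2.3.4", after, PSK_TABLE))


if __name__ == "__main__":
    for accepted, reason in demo():
        print("accepted" if accepted else "rejected", "-", reason)
```

With the hostname setting the payload is rejected on ID type before the value is even compared, which is why the tunnel never got past phase 1 here even though both ends agreed on the PSK and the proposals; the responder's debug output (the PIX's "unauthenticated SA", the SonicWall's NAT-T complaint) points elsewhere because the rejection happens inside the encrypted identity exchange, so checking the identity type on both peers is a cheap first step before touching NAT-T or crypto maps.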
