Community Member

PIX 515e: more than one l2l vpn don't work

Hello,

I have this initial config with one l2l vpn to a Zyxel firewall (Zywall 2plus).

Logs on the pix seem to be right, but no data (ping, ssh, http, or other) comes from or goes to the remote zywall.

18 REPLIES

Re: PIX 515e: more than one l2l vpn don't work

post the output of "sh crypto ipsec sa"

Community Member

Re: PIX 515e: more than one l2l vpn don't work

here it is the show crypto ipsec sa

Re: PIX 515e: more than one l2l vpn don't work

OK - that vpn crypto is from your existing VPN peer #1.

Can you ping the #2 VPN peer and post the output of the show crypto ipsec sa again?

Community Member

Re: PIX 515e: more than one l2l vpn don't work

When I ping 192.168.122.X, which is behind the first peer, it works.

I'm not able to ping 192.168.151.X, which is behind the second peer.

Here is the output of the command show crypto ipsec sa:

Result of the command: "show crypto ipsec sa"

interface: outside

Crypto map tag: outside_dyn_map, seq num: 1, local addr: 192.168.1.5

access-list outside_cryptomap_65535.1 permit ip 192.168.100.0 255.255.255.0 192.168.122.0 255.255.255.0

local ident (addr/mask/prot/port): (192.168.100.0/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

current_peer: 213.26.147.172

#pkts encaps: 842, #pkts encrypt: 842, #pkts digest: 842

#pkts decaps: 797, #pkts decrypt: 797, #pkts verify: 797

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 842, #pkts comp failed: 0, #pkts decomp failed: 0

#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

#send errors: 0, #recv errors: 0

local crypto endpt.: 192.168.1.5, remote crypto endpt.: 213.26.147.172

path mtu 1500, ipsec overhead 58, media mtu 1500

current outbound spi: 1DC4349D

inbound esp sas:

spi: 0x9128E54D (2435376461)

transform: esp-3des esp-sha-hmac none

in use settings ={L2L, Tunnel, PFS Group 2, }

slot: 0, conn_id: 113, crypto-map: outside_dyn_map

sa timing: remaining key lifetime (sec): 25835

IV size: 8 bytes

replay detection support: Y

outbound esp sas:

spi: 0x1DC4349D (499397789)

transform: esp-3des esp-sha-hmac none

in use settings ={L2L, Tunnel, PFS Group 2, }

slot: 0, conn_id: 113, crypto-map: outside_dyn_map

sa timing: remaining key lifetime (sec): 25835

IV size: 8 bytes

replay detection support: Y

Crypto map tag: outside_dyn_map, seq num: 1, local addr: 192.168.1.5

access-list outside_cryptomap_65535.1 permit ip 192.168.100.0 255.255.255.0 192.168.151.0 255.255.255.0

local ident (addr/mask/prot/port): (192.168.100.0/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

current_peer: 82.89.82.245

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

#send errors: 0, #recv errors: 0

local crypto endpt.: 192.168.1.5, remote crypto endpt.: 82.89.82.245

path mtu 1500, ipsec overhead 58, media mtu 1500

current outbound spi: FA91CC6A

inbound esp sas:

spi: 0x72B8A29F (1924702879)

transform: esp-3des esp-sha-hmac none

in use settings ={L2L, Tunnel, PFS Group 2, }

slot: 0, conn_id: 131, crypto-map: outside_dyn_map

sa timing: remaining key lifetime (sec): 28774

IV size: 8 bytes

replay detection support: Y

outbound esp sas:

spi: 0xFA91CC6A (4203859050)

transform: esp-3des esp-sha-hmac none

in use settings ={L2L, Tunnel, PFS Group 2, }

slot: 0, conn_id: 131, crypto-map: outside_dyn_map

sa timing: remaining key lifetime (sec): 28774

IV size: 8 bytes

replay detection support: Y

Thank you for help.

Re: PIX 515e: more than one l2l vpn don't work

In your previous config you posted:

access-list dmz_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 192.168.131.0 255.255.255.0

access-list outside_cryptomap_20 extended permit ip 192.168.100.0 255.255.255.0 192.168.131.0 255.255.255.0

BUT in this post you have said "I'm not able to ping the 192.168.151.X that is behind the second peer". Where is your no-nat and interesting traffic for 192.168.151.x?

I think you have a config error: you have multiple ACLs that do not match.

Check the remote end IP subnet and configure your ACLs accordingly.

HTH

Community Member

Re: PIX 515e: more than one l2l vpn don't work

You are right,

I made a mistake when posting the configuration in my first message; here is the right one. Anyway, the problem is that when I make this configuration for the first tunnel it works, but the second doesn't work.

I have noted that in the output of the show crypto isakmp sa command there is

local ident (addr/mask/prot/port): (192.168.100.0/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

Is that normal, or should the destination address be the address of my remote subnet?

I attach again the configuration.

Thank you

Re: PIX 515e: more than one l2l vpn don't work

The attached is just another jumble of config. Can you post the current config, with sensitive config removed?

Just post the output of "sh run".

Community Member

Re: PIX 515e: more than one l2l vpn don't work

Attached is the exact configuration that is running.

Thank you.

Regards

Re: PIX 515e: more than one l2l vpn don't work

The post is the same as the initial post; there is no consistency.

I suggest you double check ALL your config with the remote end and submit your findings.

Community Member

Re: PIX 515e: more than one l2l vpn don't work

Hi,

What do you mean by "there is no consistency"? It could be exactly my problem.

Thank You

Re: PIX 515e: more than one l2l vpn don't work

Post the output of "show run" from your pix 515e as the config is right now please, remove any sensitive information.

This will help to identify if there are any config errors.

Community Member

Re: PIX 515e: more than one l2l vpn don't work

Attached the configuration file.

Thank you.

Re: PIX 515e: more than one l2l vpn don't work

OK - so which one out of the 4 VPN tunnels does not work?

Community Member

Re: PIX 515e: more than one l2l vpn don't work

The only one that works is the first one, the 192.168.122.X.

Thanks

Re: PIX 515e: more than one l2l vpn don't work

Try adding the below:

crypto isakmp identity address

Remove the below:

isakmp keepalive disable

from all l2l tunnel ipsec-attributes.

Then re-establish all tunnels and post the output from show crypto ipsec sa.

Re: PIX 515e: more than one l2l vpn don't work

Also add:

route outside 192.168.122.0 255.255.255.0 192.168.1.5

route outside 192.168.131.0 255.255.255.0 192.168.1.5

route outside 192.168.151.0 255.255.255.0 192.168.1.5

route outside 192.168.188.0 255.255.255.0 192.168.1.5

Community Member

Re: PIX 515e: more than one l2l vpn don't work

The only one that is up now is the "Address C" tunnel, but still there is no traffic passing.

Following is the output of the command show crypto ipsec sa:

interface: outside

Crypto map tag: outside_map, seq num: 30, local addr: 192.168.1.5

access-list outside_cryptomap_30 permit ip 192.168.100.0 255.255.255.0 192.168.151.0 255.255.255.0

local ident (addr/mask/prot/port): (192.168.100.0/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

current_peer: "Address site C"

#pkts encaps: 60, #pkts encrypt: 60, #pkts digest: 60

#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 60, #pkts comp failed: 0, #pkts decomp failed: 0

#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

#send errors: 0, #recv errors: 0

local crypto endpt.: 192.168.1.5, remote crypto endpt.: "Address site C"

path mtu 1500, ipsec overhead 58, media mtu 1500

current outbound spi: D2283656

inbound esp sas:

spi: 0x203405A6 (540280230)

transform: esp-3des esp-sha-hmac none

in use settings ={L2L, Tunnel, PFS Group 2, }

slot: 0, conn_id: 415, crypto-map: outside_map

sa timing: remaining key lifetime (sec): 28286

IV size: 8 bytes

replay detection support: Y

outbound esp sas:

spi: 0xD2283656 (3525850710)

transform: esp-3des esp-sha-hmac none

in use settings ={L2L, Tunnel, PFS Group 2, }

slot: 0, conn_id: 415, crypto-map: outside_map

sa timing: remaining key lifetime (sec): 28286

IV size: 8 bytes

replay detection support: Y

Re: PIX 515e: more than one l2l vpn don't work

The fact that:

#pkts encaps: 60, #pkts encrypt: 60, #pkts digest: 60

#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

indicates to me that the issue is with the remote end.

Also, what is slightly worrying is:

remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

I would expect to see this from a remote CLIENT connection, not a site-to-site, but again it could be something to do with the remote end equipment.

I would start to troubleshoot with the assistance of the remote end IT support.

HTH
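The two symptoms the reply above reads off the counters (packets encrypted outbound but none decrypted back, and a wildcard remote ident where a site-to-site entry should show the peer's subnet) are easy to miss by eye across several SAs. The following script is an added example, not code from the thread or from Cisco: it parses PIX/ASA-style "show crypto ipsec sa" output per "Crypto map tag:" block and flags those symptoms, plus a proxy-ID mismatch between the crypto ACL destination and the negotiated remote ident. The sample output it runs on is constructed for this example in the same layout as the thread's output; its addresses, peers and counters are not the poster's.

```python
"""Flag one-way and wildcard-ident IPsec SAs in "show crypto ipsec sa" output.

Added example (not from the thread). Heuristics mirror the reply's reasoning:
  * encaps > 0 and decaps == 0  -> traffic leaves but nothing comes back
  * remote ident 0.0.0.0/0.0.0.0 -> peer landed on a dynamic/wildcard entry
  * remote ident != crypto ACL destination -> proxy ID mismatch with the peer
"""
import re

# Constructed sample in the thread's output layout (RFC 5737 addresses, not real peers).
SAMPLE_OUTPUT = """\
interface: outside

Crypto map tag: outside_map, seq num: 20, local addr: 192.0.2.5
access-list outside_cryptomap_20 permit ip 192.168.100.0 255.255.255.0 192.168.122.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.100.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.122.0/255.255.255.0/0/0)
current_peer: 198.51.100.10
#pkts encaps: 842, #pkts encrypt: 842, #pkts digest: 842
#pkts decaps: 797, #pkts decrypt: 797, #pkts verify: 797

Crypto map tag: outside_map, seq num: 30, local addr: 192.0.2.5
access-list outside_cryptomap_30 permit ip 192.168.100.0 255.255.255.0 192.168.151.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.100.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer: 203.0.113.7
#pkts encaps: 60, #pkts encrypt: 60, #pkts digest: 60
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

WILDCARD = ("0.0.0.0", "0.0.0.0")
PEER_RE = re.compile(r"^current_peer:\s*(\S+)")
ENCAPS_RE = re.compile(r"^#pkts encaps:\s*(\d+)")
DECAPS_RE = re.compile(r"^#pkts decaps:\s*(\d+)")
REMOTE_RE = re.compile(r"^remote ident .*?:\s*\(([^/]+)/([^/]+)/")
ACL_RE = re.compile(r"^access-list \S+ permit ip (\S+) (\S+) (\S+) (\S+)")


def parse_ipsec_sa(text):
    """Return one dict per 'Crypto map tag:' block with the fields the checks need."""
    sas, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Crypto map tag:"):
            cur = {"peer": None, "acl_remote": None, "remote": None,
                   "encaps": 0, "decaps": 0}
            sas.append(cur)
            continue
        if cur is None:            # header lines before the first block
            continue
        if m := ACL_RE.match(line):
            cur["acl_remote"] = (m.group(3), m.group(4))   # ACL destination net/mask
        elif m := REMOTE_RE.match(line):
            cur["remote"] = (m.group(1), m.group(2))       # negotiated remote proxy ID
        elif m := PEER_RE.match(line):
            cur["peer"] = m.group(1)
        elif m := ENCAPS_RE.match(line):
            cur["encaps"] = int(m.group(1))
        elif m := DECAPS_RE.match(line):
            cur["decaps"] = int(m.group(1))
    return sas


def diagnose(sa):
    """Return a list of findings for one SA; an empty list means nothing was flagged."""
    findings = []
    if sa["encaps"] > 0 and sa["decaps"] == 0:
        findings.append("one-way: packets encrypted to peer, none decrypted back "
                        "(check the remote side's policy, NAT exemption and routing)")
    if sa["remote"] == WILDCARD:
        findings.append("wildcard remote ident: peer matched a dynamic/wildcard entry, "
                        "not a static entry for its subnet")
    elif sa["acl_remote"] and sa["remote"] and sa["remote"] != sa["acl_remote"]:
        findings.append("proxy ID mismatch: remote ident differs from the crypto ACL destination")
    return findings


def report(text):
    """Map each peer address to its findings."""
    return {sa["peer"]: diagnose(sa) for sa in parse_ipsec_sa(text)}


if __name__ == "__main__":
    for peer, findings in report(SAMPLE_OUTPUT).items():
        print(f"{peer}: {'OK' if not findings else '; '.join(findings)}")
```

Feed it the real output with `report(open("sa.txt").read())`; the peer with encaps but no decaps and a 0.0.0.0/0.0.0.0 remote ident is the one to take to the remote side's administrator first, since nothing on the local box can make the far end send packets back or present the right proxy ID.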
