
PIX to CyberGuard Firewall VPN

Trying to establish the Site to Site VPN between PIX & CyberGuard firewall. IPSEC comes up only when the traffic is initiated from the CyberGuard side. 'Show crypto ipsec' shows only outbound SAs from the PIX side after the tunnel comes up. Posting the debug for ipsec after ISAKMP is QM_Idle.

PIX(config)# IPSEC(key_engine): request timer fired: count = 2,
  (identity) local= xxx.xx.xx.10, remote= xxx.xx.xx.222,
    local_proxy= 10.101.3.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 172.16.0.0/255.255.0.0/0/0 (type=4)
IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0xd1300600(3509585408) for SA
        from xxx.xx.xx.222 to xxx.xx.xx.10 for prot 3
IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= xxx.xx.xx.10, remote= xxx.xx.xx.222,
    local_proxy= 10.101.3.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 172.16.0.0/255.255.0.0/0/0 (type=4)

Appreciate some light into the problem. Thanks.

Regards, Murali


Re: PIX to CyberGuard Firewall VPN

A typical instance where initiating an IPSec tunnel might be possible from one end only is when dynamic address allocation is being used. If you are able to initiate a VPN from the CyberGuard end only, then it would be a good idea to check if it is configured for getting an address dynamically. You would need to assign it a static IP address and modify the configurations on the firewalls.
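
When checking the configurations on both firewalls, it helps to pull the negotiated identities out of the PIX debug text. The following is an added example, not part of the original thread and not Cisco tooling: it parses debug lines in the format posted above into retry counts, traffic selectors in CIDR form, and SPIs. The function names and the sample text are constructed for illustration; `mirrored` relies on the general IPsec requirement that the two peers carry mirror-image selectors.

```python
import ipaddress
import re

# Constructed sample in the format of the debug output posted above
# (peer addresses stay redacted, as on the page).
SAMPLE = """\
IPSEC(key_engine): request timer fired: count = 2,
  (identity) local= xxx.xx.xx.10, remote= xxx.xx.xx.222,
    local_proxy= 10.101.3.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 172.16.0.0/255.255.0.0/0/0 (type=4)
IPSEC(spi_response): getting spi 0xd1300600(3509585408) for SA
        from xxx.xx.xx.222 to xxx.xx.xx.10 for prot 3
IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= xxx.xx.xx.10, remote= xxx.xx.xx.222,
    local_proxy= 10.101.3.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 172.16.0.0/255.255.0.0/0/0 (type=4)
"""

TIMER = re.compile(r"request timer fired: count = (\d+)")
PROXY = re.compile(r"(local|remote)_proxy=\s*([\d.]+)/([\d.]+)/(\d+)/(\d+)")
SPI = re.compile(r"getting spi (0x[0-9a-fA-F]+)\((\d+)\)")


def parse_debug(text):
    """Return (timer_counts, selectors, spis) parsed from PIX IPsec debug text."""
    counts = [int(n) for n in TIMER.findall(text)]
    selectors, pending = set(), {}
    for side, net, mask, proto, port in PROXY.findall(text):
        # ip_network accepts the dotted netmask and normalises it to a prefix.
        cidr = str(ipaddress.ip_network(f"{net}/{mask}"))
        pending[side] = (cidr, int(proto), int(port))
        if side == "remote":  # remote_proxy closes one local/remote pair
            selectors.add((pending.get("local"), pending["remote"]))
            pending = {}
    spis = [(hexval, int(dec)) for hexval, dec in SPI.findall(text)]
    return counts, selectors, spis


def mirrored(selectors):
    """Swap local and remote: the pairs the peer's policy has to list."""
    return {(remote, local) for local, remote in selectors}


if __name__ == "__main__":
    counts, selectors, spis = parse_debug(SAMPLE)
    print("retries:", counts, "spis:", spis)
    print("peer must protect:", sorted(mirrored(selectors)))
```
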
