Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
299
Views
0
Helpful
2
Replies

Problems building VPN Tunnel with remote site.

zkasilag11
Level 1
Level 1

‎02-29-2008 11:32 AM - edited ‎02-21-2020 03:35 PM

I'm having issues creating a tunnel between us and a remote site. Our topology is as follows:

LAN - Pix 515E - 3640 - INTERNET - Cisco 877.

Here's the pertinent portion of the config of our 515E (running version 7.2):

interface Ethernet0

description INAP

nameif outside

security-level 0

interface Ethernet2

description VLAN 47 at DMS

nameif dms

security-level 50

access-list NAME extended permit ip 192.168.x.0 255.255.255.0 10.y.z.0 255.255.254.0

crypto ipsec transform-set set1 esp-3des esp-sha-hmac

crypto map map 20 match address NAME

crypto map map 20 set peer a.b.c.d

crypto map map 20 set transform-set set1

crypto map map interface outside

crypto isakmp identity address

crypto isakmp enable outside

crypto isakmp policy 2

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

tunnel-group a.b.c.d type ipsec-l2l

tunnel-group a.b.c.d ipsec-attributes

pre-shared-key *

When i try to establish the tunnel by pinging a device on the remote site, here's the output i get.

On the Pix:

c0 00 00 00

Feb 29 10:56:35 [IKEv1 DEBUG]: IP = a.b.c.d, IKE MM Initiator FSM error history (struct &0x28cedb8) <state>, <event>: MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY

Feb 29 10:56:35 [IKEv1 DEBUG]: IP = a.b.c.d, IKE SA MM:2eb371fa terminating: flags 0x01000022, refcnt 0, tuncnt 0

Feb 29 10:56:35 [IKEv1 DEBUG]: IP = a.b.c.d, sending delete/delete with reason message

Feb 29 10:56:35 [IKEv1]: IP = a.b.c.d, Removing peer from peer table failed, no match!

Feb 29 10:56:35 [IKEv1]: IP = a.b.c.d, Error: Unable to remove PeerTblEntry

Feb 29 10:56:36 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Feb 29 10:56:36 [IKEv1]: IP = a.b.c.d, IKE Initiator: New Phase 1, Intf 2, IKE Peer a.b.c.d local Proxy Address 192.168.x.0, remote Proxy Address 10.y.z.0, Crypto map (map)

Feb 29 10:56:36 [IKEv1 DEBUG]: IP = a.b.c.d, constructing ISAKMP SA payload

Feb 29 10:56:36 [IKEv1 DEBUG]: IP = a.b.c.d, constructing Fragmentation VID + extended capabilities payload

Feb 29 10:56:36 [IKEv1]: IP = a.b.c.d, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108

So, the tunnel isn't building. Any ideas anyone?

Labels:
0 Helpful
2 Replies 2

sadbulali
Level 4
Level 4

‎03-06-2008 02:36 PM

Instead of Extended ping try to generate interesting traffic by back-to-back connected router interface.

0 Helpful

zkasilag11
Level 1
Level 1
In response to sadbulali

‎03-06-2008 02:50 PM

Sadbulali,

Thanks for the reply. I actually figured out what happened.

Basically, there's a subinterface on our core router that connects the PIX to the outside. Somehow this aspect of the configuration on the router was missing(i'm guessing a reboot w/out the running config saved). The moment i re-created the subinterface, the tunnel was built. So, it was a WAN issue after all.

0 Helpful
Customers Also Viewed These Support Documents