02-29-2008 11:32 AM - edited 02-21-2020 03:35 PM
I'm having issues creating a tunnel between us and a remote site. Our topology is as follows:
LAN - Pix 515E - 3640 - INTERNET - Cisco 877.
Here's the pertinent portion of the config of our 515E (running version 7.2):
interface Ethernet0
description INAP
nameif outside
security-level 0
interface Ethernet2
description VLAN 47 at DMS
nameif dms
security-level 50
access-list NAME extended permit ip 192.168.x.0 255.255.255.0 10.y.z.0 255.255.254.0
crypto ipsec transform-set set1 esp-3des esp-sha-hmac
crypto map map 20 match address NAME
crypto map map 20 set peer a.b.c.d
crypto map map 20 set transform-set set1
crypto map map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 2
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group a.b.c.d type ipsec-l2l
tunnel-group a.b.c.d ipsec-attributes
pre-shared-key *
When I try to establish the tunnel by pinging a device on the remote site, here's the output I get.
On the Pix:
c0 00 00 00
Feb 29 10:56:35 [IKEv1 DEBUG]: IP = a.b.c.d, IKE MM Initiator FSM error history (struct &0x28cedb8) <state>, <event>: MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
Feb 29 10:56:35 [IKEv1 DEBUG]: IP = a.b.c.d, IKE SA MM:2eb371fa terminating: flags 0x01000022, refcnt 0, tuncnt 0
Feb 29 10:56:35 [IKEv1 DEBUG]: IP = a.b.c.d, sending delete/delete with reason message
Feb 29 10:56:35 [IKEv1]: IP = a.b.c.d, Removing peer from peer table failed, no match!
Feb 29 10:56:35 [IKEv1]: IP = a.b.c.d, Error: Unable to remove PeerTblEntry
Feb 29 10:56:36 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Feb 29 10:56:36 [IKEv1]: IP = a.b.c.d, IKE Initiator: New Phase 1, Intf 2, IKE Peer a.b.c.d local Proxy Address 192.168.x.0, remote Proxy Address 10.y.z.0, Crypto map (map)
Feb 29 10:56:36 [IKEv1 DEBUG]: IP = a.b.c.d, constructing ISAKMP SA payload
Feb 29 10:56:36 [IKEv1 DEBUG]: IP = a.b.c.d, constructing Fragmentation VID + extended capabilities payload
Feb 29 10:56:36 [IKEv1]: IP = a.b.c.d, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
So, the tunnel isn't building. Any ideas, anyone?
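As an added example (not from this thread or from Cisco), here is a small Python triage helper for the kind of IKEv1 debug output quoted above: it parses the main-mode FSM error history, reports the state the initiator kept waiting in, and maps that to the first thing to check. It goes slightly beyond the post: the MSG4/MSG6 hints are general rules of thumb, the embedded log lines are constructed from the output above, and the "IKE_DECODE RECEIVED" line format is assumed to mirror the SENDING line shown.

```python
import re
from collections import Counter

# Constructed sample, modelled on the PIX debug output quoted in the post
# (addresses anonymised the same way the poster did).
SAMPLE_LOG = """\
Feb 29 10:56:35 [IKEv1 DEBUG]: IP = a.b.c.d, IKE MM Initiator FSM error history (struct &0x28cedb8) <state>, <event>: MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
Feb 29 10:56:35 [IKEv1 DEBUG]: IP = a.b.c.d, IKE SA MM:2eb371fa terminating: flags 0x01000022, refcnt 0, tuncnt 0
Feb 29 10:56:36 [IKEv1]: IP = a.b.c.d, IKE Initiator: New Phase 1, Intf 2, IKE Peer a.b.c.d local Proxy Address 192.168.x.0, remote Proxy Address 10.y.z.0, Crypto map (map)
Feb 29 10:56:36 [IKEv1]: IP = a.b.c.d, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
"""

FSM_RE = re.compile(r"IKE MM (Initiator|Responder) FSM error history .*?<state>, <event>: (.*)$")

# Which main-mode message the initiator was waiting for when it gave up.
# General rules of thumb (not from the post): MSG2 = no answer at all,
# MSG4 = proposal accepted but key exchange unanswered, MSG6 = peer would not authenticate us.
STUCK_STATE_HINTS = {
    "MM_WAIT_MSG2": "no reply to MSG1: check reachability of the peer on UDP/500 and the outside path before touching IKE policy",
    "MM_WAIT_MSG4": "proposal accepted but key exchange unanswered: check the return path and any NAT in between",
    "MM_WAIT_MSG6": "peer dropped our ID/hash message: commonly a pre-shared-key or peer identity mismatch",
}

def parse_fsm_history(line):
    """Turn the FSM error-history line into (role, [(state, event), ...]), oldest transition first."""
    m = FSM_RE.search(line)
    if not m:
        return None
    role, history = m.groups()
    hops = []
    for hop in history.split("-->"):
        state, _, event = hop.partition(",")
        hops.append((state.strip(), event.strip()))
    hops.reverse()  # the PIX prints the most recent transition first
    return role, hops

def diagnose(log_text):
    """Summarise a failed main-mode negotiation from IKEv1 debug output."""
    result = {"role": None, "stuck_state": None, "timeouts": 0, "hint": "no FSM error history found"}
    for line in log_text.splitlines():
        parsed = parse_fsm_history(line)
        if parsed is None:
            continue
        role, hops = parsed
        waits = Counter(state for state, _ in hops if state.startswith("MM_WAIT_"))
        stuck = waits.most_common(1)[0][0] if waits else None
        result.update(role=role, stuck_state=stuck,
                      timeouts=sum(1 for _, ev in hops if ev == "EV_TIMEOUT"),
                      hint=STUCK_STATE_HINTS.get(stuck, "unrecognised stuck state"))
    # Corroborate: an initiator that never logs a RECEIVED msgid=0 never got MSG2
    # (assumed mirror of the SENDING line format shown in the post).
    result["received_phase1_reply"] = "IKE_DECODE RECEIVED Message (msgid=0)" in log_text
    return result
```

With the poster's output this reports an initiator stuck in MM_WAIT_MSG2 with no Phase 1 reply received, which points at the path to the peer rather than at the crypto configuration, matching the WAN cause the poster eventually found.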
03-06-2008 02:36 PM
Instead of an extended ping, try to generate interesting traffic from a back-to-back connected router interface.
03-06-2008 02:50 PM
Sadbulali,
Thanks for the reply. I actually figured out what happened.
Basically, there's a subinterface on our core router that connects the PIX to the outside. Somehow this aspect of the configuration on the router was missing (I'm guessing a reboot without the running config saved). The moment I re-created the subinterface, the tunnel was built. So, it was a WAN issue after all.