Problems building VPN Tunnel with remote site.

I'm having issues creating a tunnel between us and a remote site. Our topology is as follows:

LAN - Pix 515E - 3640 - INTERNET - Cisco 877.

Here's the pertinent portion of the config of our 515E (running version 7.2):

interface Ethernet0
 description INAP
 nameif outside
 security-level 0
interface Ethernet2
 description VLAN 47 at DMS
 nameif dms
 security-level 50
access-list NAME extended permit ip 192.168.x.0 255.255.255.0 10.y.z.0 255.255.254.0
crypto ipsec transform-set set1 esp-3des esp-sha-hmac
crypto map map 20 match address NAME
crypto map map 20 set peer a.b.c.d
crypto map map 20 set transform-set set1
crypto map map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 2
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group a.b.c.d type ipsec-l2l
tunnel-group a.b.c.d ipsec-attributes
 pre-shared-key *

When I try to establish the tunnel by pinging a device on the remote site, here's the output I get.

On the Pix:

c0 00 00 00

Feb 29 10:56:35 [IKEv1 DEBUG]: IP = a.b.c.d, IKE MM Initiator FSM error history (struct &0x28cedb8) <state>, <event>: MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY

Feb 29 10:56:35 [IKEv1 DEBUG]: IP = a.b.c.d, IKE SA MM:2eb371fa terminating: flags 0x01000022, refcnt 0, tuncnt 0

Feb 29 10:56:35 [IKEv1 DEBUG]: IP = a.b.c.d, sending delete/delete with reason message

Feb 29 10:56:35 [IKEv1]: IP = a.b.c.d, Removing peer from peer table failed, no match!

Feb 29 10:56:35 [IKEv1]: IP = a.b.c.d, Error: Unable to remove PeerTblEntry

Feb 29 10:56:36 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Feb 29 10:56:36 [IKEv1]: IP = a.b.c.d, IKE Initiator: New Phase 1, Intf 2, IKE Peer a.b.c.d local Proxy Address 192.168.x.0, remote Proxy Address 10.y.z.0, Crypto map (map)

Feb 29 10:56:36 [IKEv1 DEBUG]: IP = a.b.c.d, constructing ISAKMP SA payload

Feb 29 10:56:36 [IKEv1 DEBUG]: IP = a.b.c.d, constructing Fragmentation VID + extended capabilities payload

Feb 29 10:56:36 [IKEv1]: IP = a.b.c.d, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108

So, the tunnel isn't building. Any ideas anyone?

2 REPLIES
Re: Problems building VPN Tunnel with remote site.

Instead of an extended ping, try to generate interesting traffic using a back-to-back connected router interface.

Re: Problems building VPN Tunnel with remote site.

Sadbulali,

Thanks for the reply. I actually figured out what happened.

Basically, there's a subinterface on our core router that connects the PIX to the outside. Somehow this aspect of the configuration on the router was missing (I'm guessing a reboot w/out the running config saved). The moment I re-created the subinterface, the tunnel was built. So, it was a WAN issue after all.

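An added example, not part of the original thread and not Cisco tooling: a small triage script that parses the "FSM error history" debug line quoted in the question and reports where the Phase 1 negotiation stalled. It assumes the history is listed newest-first and that an initiator timing out in MM_WAIT_MSG2 never received a reply to its first main-mode packet, which matches the WAN fault found in the final reply; the function names are hypothetical.

```python
import re

# Constructed sample: the FSM history line quoted in the post (peer masked as a.b.c.d).
SAMPLE = (
    "Feb 29 10:56:35 [IKEv1 DEBUG]: IP = a.b.c.d, IKE MM Initiator FSM error "
    "history (struct &0x28cedb8) <state>, <event>: MM_DONE, EV_ERROR-->"
    "MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->"
    "MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->"
    "MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY"
)

HISTORY_RE = re.compile(
    r"IP = (?P<peer>[^,\s]+), IKE (?P<mode>\w+) (?P<role>Initiator|Responder) "
    r"FSM error history .*?<state>, <event>:\s*(?P<hist>.+)$"
)

def parse_history(line):
    """Return peer, role and (state, event) pairs, or None if not a history line."""
    m = HISTORY_RE.search(line.strip())
    if m is None:
        return None
    pairs = []
    for chunk in m.group("hist").split("-->"):
        state, sep, event = chunk.partition(",")
        if sep:  # skip truncated entries that lack an event
            pairs.append((state.strip(), event.strip()))
    return {"peer": m.group("peer"), "role": m.group("role"), "transitions": pairs}

def stalled_state(transitions):
    """State the FSM was waiting in when its timer expired (list read newest-first)."""
    for state, event in transitions:
        if event == "EV_TIMEOUT":
            return state
    return None

def triage(line):
    """Classify one history line; returns None for unrelated log lines."""
    parsed = parse_history(line)
    if parsed is None:
        return None
    state = stalled_state(parsed["transitions"])
    # Assumption of this example: an initiator timing out in MM_WAIT_MSG2 sent its
    # first main-mode packet and got nothing back, so the path to the peer is suspect.
    no_reply = parsed["role"] == "Initiator" and state == "MM_WAIT_MSG2"
    verdict = ("no reply to MSG1: check routing and UDP/500 to peer" if no_reply
               else "not covered by this example")
    return {"peer": parsed["peer"], "state": state, "verdict": verdict}

if __name__ == "__main__":
    print(triage(SAMPLE))
```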