VPN between Concentrator 3000 and PIX 501 - PHASE 2 COMPLETED, but QM FSM

cmoliver · ‎06-09-2006

I have been having some trouble getting a remote connection established to one of our remote offices, which has a PIX 501 managing the connection. In our main office, we have a Concentrator 3000. The connection establishes, but no data is received from the remote end.

However, I use this same LAN-to-LAN setup on the Concentrator to establish to a second PIX 501 in that office with a different Internet connection (they switch manually when one goes down) and that establishes and transfers data fine.

Here's the log:

23 06/09/2006 08:35:53.570 SEV=4 AUTH/22 RPT=1 <remote public IP>

User [L2L: TPG-Ecuador] Group [L2L: TPG-Ecuador] connected, Session Type: IPSec/

LAN-to-LAN

26 06/09/2006 08:35:57.830 SEV=5 IKE/35 RPT=1 <remote public IP>

Group [L2L: TPG-Ecuador]

Received remote IP Proxy Subnet data in ID Payload:

Address 172.16.18.0, Mask 255.255.255.0, Protocol 0, Port 0

29 06/09/2006 08:35:57.830 SEV=5 IKE/34 RPT=1 <remote public IP>

Group [L2L: TPG-Ecuador]

Received local IP Proxy Subnet data in ID Payload:

Address 172.18.0.0, Mask 255.255.0.0, Protocol 0, Port 0

32 06/09/2006 08:35:57.830 SEV=5 IKE/66 RPT=1 <remote public IP>

Group [L2L: TPG-Ecuador]

IKE Remote Peer configured for SA: L2L: TPG-Ecuador

33 06/09/2006 08:35:58.030 SEV=5 IKE/35 RPT=2 <remote public IP>

Group [L2L: TPG-Ecuador]

Received remote IP Proxy Subnet data in ID Payload:

Address 172.16.18.0, Mask 255.255.255.0, Protocol 0, Port 0

36 06/09/2006 08:35:58.030 SEV=5 IKE/34 RPT=2 <remote public IP>

Group [L2L: TPG-Ecuador]

Received local IP Proxy Subnet data in ID Payload:

Address 172.16.5.0, Mask 255.255.255.0, Protocol 0, Port 0

39 06/09/2006 08:35:58.030 SEV=5 IKE/66 RPT=2 <remote public IP>

Group [L2L: TPG-Ecuador]

IKE Remote Peer configured for SA: L2L: TPG-Ecuador

40 06/09/2006 08:35:58.330 SEV=4 IKE/49 RPT=1 <remote public IP>

Group [L2L: TPG-Ecuador]

Security negotiation complete for LAN-to-LAN Group (L2L: TPG-Ecuador)

Initiator, Inbound SPI = 0x3ea0c1e7, Outbound SPI = 0x20b10bfc

43 06/09/2006 08:35:58.340 SEV=4 IKE/120 RPT=1 <remote public IP>

Group [L2L: TPG-Ecuador]

PHASE 2 COMPLETED (msgid=17aca739)

44 06/09/2006 08:35:58.500 SEV=4 IKE/49 RPT=2 <remote public IP>

Group [L2L: TPG-Ecuador]

Security negotiation complete for LAN-to-LAN Group (L2L: TPG-Ecuador)

Initiator, Inbound SPI = 0x2c3c0d43, Outbound SPI = 0x9670db86

47 06/09/2006 08:35:58.510 SEV=4 IKE/120 RPT=2 <remote public IP>

Group [L2L: TPG-Ecuador]

PHASE 2 COMPLETED (msgid=b828283a)

48 06/09/2006 08:36:06.870 SEV=5 IKE/35 RPT=3 <remote public IP>

Group [L2L: TPG-Ecuador]

Received remote IP Proxy Subnet data in ID Payload:

Address 172.16.18.0, Mask 255.255.255.0, Protocol 0, Port 0

51 06/09/2006 08:36:06.870 SEV=5 IKE/34 RPT=3 <remote public IP>

Group [L2L: TPG-Ecuador]

Received local IP Proxy Subnet data in ID Payload:

Address 172.16.3.0, Mask 255.255.255.0, Protocol 0, Port 0

54 06/09/2006 08:36:06.870 SEV=5 IKE/66 RPT=3 <remote public IP>

Group [L2L: TPG-Ecuador]

IKE Remote Peer configured for SA: L2L: TPG-Ecuador

55 06/09/2006 08:36:07.060 SEV=4 IKE/49 RPT=3 <remote public IP>

Group [L2L: TPG-Ecuador]

Security negotiation complete for LAN-to-LAN Group (L2L: TPG-Ecuador)

Initiator, Inbound SPI = 0x55ffdf81, Outbound SPI = 0xc52210fb

58 06/09/2006 08:36:07.080 SEV=4 IKE/120 RPT=3 <remote public IP>

Group [L2L: TPG-Ecuador]

PHASE 2 COMPLETED (msgid=d037e421)

Suggestions appreciated -

a.kiprawih · ‎06-09-2006

Hi,

What your PIX vpn config looks like?

Rgds,

AK