07-05-2002 03:30 AM - edited 02-21-2020 11:54 AM
Hello Guys
I configured a VPN Site to Site with a Leased Line and everything works fine.
Central: PIX 535
Branch Office Cisco 2620
The problem is that sometimes, when the branch is closed (nobody working) and the tunnel lifetime has expired, the admin at the central site behind the PIX is not able to ping or connect to any server in the branch office.
Can you tell me what to do to solve this?
Thanks
Alain
07-05-2002 08:44 AM
- Check the ACLs that apply to the IPsec traffic (to see if they match at both ends).
- Start a debug on the 535 with the SA down (or shut it), then start the pings from the network behind the 535 and see whether the tunnel starts or what error messages appear, and do this on the 2620 too.
(Commands related in the 535)
clear crypto isakmp sa
debug crypto ipsec
debug crypto isakmp
(commands related in the 2620)
debug crypto ipsec
debug crypto isakmp
clear crypto sa
show crypto engine connections active
I think it could be a problem related to peer declarations in the 535.
Do both ends have fixed IP addresses? I mean, no DHCP clients or dynamic maps?
Alexis
07-06-2002 02:21 AM
Hi Alexis,
Thanks for your help; I checked it. But the problem is that the tunnel sometimes goes down. I set the lifetime to 86400, but the tunnel also goes down. Maybe someone has experience with this.
See the show crypto isakmp sa output on the central firewall:
-------------------------------------------------------------------------------------
PTFW101# sh cry is sa 10:52
Total : 6
Embryonic : 0
dst src state pending created
213.70.26.36 139.4.136.122 QM_IDLE 0 3
213.70.26.36 146.188.38.30 QM_IDLE 0 5
213.70.26.36 139.4.134.58 QM_IDLE 0 6
213.70.26.36 139.4.136.118 QM_IDLE 0 11
213.70.26.36 212.75.32.25 QM_IDLE 0 2
213.70.26.36 139.4.139.74 QM_IDLE 0 2
PTFW101#
----------------------------------
PTFW101# sh cry isa sa 11:06
Total : 7
Embryonic : 0
dst src state pending created
213.70.26.36 139.4.136.122 QM_IDLE 0 4
213.70.26.36 146.188.38.30 QM_IDLE 0 5
213.70.26.36 139.4.134.58 QM_IDLE 0 7
213.70.26.36 139.4.136.118 QM_IDLE 0 13
213.70.26.36 212.75.32.25 QM_IDLE 0 2
213.70.26.36 212.75.32.25 QM_IDLE 0 0
213.70.26.36 139.4.139.74 QM_IDLE 0 2
PTFW101#
------------------------------------------------------
PTFW101# sh cry is sa 11:47
Total : 5
Embryonic : 0
dst src state pending created
213.70.26.36 139.4.136.122 QM_IDLE 0 5
213.70.26.36 139.4.134.58 QM_IDLE 0 1
213.70.26.36 139.4.136.118 QM_IDLE 0 14
213.70.26.36 212.75.32.25 QM_IDLE 0 2
213.70.26.36 139.4.139.74 QM_IDLE 0 3
PTFW101#
---------------------------------------------------------
PTFW101# sh cry isa sa 11:58
Total : 5
Embryonic : 0
dst src state pending created
213.70.26.36 139.4.136.122 QM_IDLE 0 5
213.70.26.36 146.188.38.30 QM_IDLE 0 1
213.70.26.36 139.4.134.58 QM_IDLE 0 1
213.70.26.36 212.75.32.25 QM_IDLE 0 3
213.70.26.36 139.4.139.74 QM_IDLE 0 3
PTFW101#
--------------------------------
PTFW101# sh cry is sa 12:03
Total : 6
Embryonic : 0
dst src state pending created
213.70.26.36 139.4.136.122 QM_IDLE 0 6
213.70.26.36 146.188.38.30 QM_IDLE 0 1
213.70.26.36 139.4.134.58 QM_IDLE 0 2
213.70.26.36 139.4.136.118 QM_IDLE 0 1
213.70.26.36 212.75.32.25 QM_IDLE 0 2
213.70.26.36 139.4.139.74 QM_IDLE 0 3
Thanks for any help
Alain
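Added example, not part of any post in this thread: a small Python script that parses consecutive `show crypto isakmp sa` snapshots in the format pasted above and reports, per interval, which peers vanished, which appeared, which have more than one ISAKMP SA, and whose `created` counter dropped. The function names and the sample addresses (RFC 5737 ranges) are constructed for illustration, and reading a dropped `created` counter as a sign that the SA was rebuilt is an assumption.

```python
import re

# Constructed sample in the same layout as the PIX output above (RFC 5737 addresses).
SNAPSHOTS = """\
FW# sh cry is sa 11:47
Total : 3
Embryonic : 0
dst src state pending created
198.51.100.1 192.0.2.10 QM_IDLE 0 5
198.51.100.1 192.0.2.20 QM_IDLE 0 14
198.51.100.1 192.0.2.30 QM_IDLE 0 7
FW# sh cry isa sa 11:58
dst src state pending created
198.51.100.1 192.0.2.10 QM_IDLE 0 5
198.51.100.1 192.0.2.30 QM_IDLE 0 1
198.51.100.1 192.0.2.30 QM_IDLE 0 0
198.51.100.1 192.0.2.40 QM_IDLE 0 1
"""

IP = r"\d+\.\d+\.\d+\.\d+"
ROW = re.compile(rf"^({IP})\s+({IP})\s+(\S+)\s+(\d+)\s+(\d+)$")
# Matches the abbreviated command line, e.g. "sh cry is sa 11:47"; the label is optional.
PROMPT = re.compile(r"^\S+#\s+sh\w*\s+cry\w*\s+is\w*\s+sa\b\s*(\S*)")

def parse(text):
    """Return [(label, {peer: [created, ...]})], one entry per snapshot."""
    snaps = []
    for line in map(str.strip, text.splitlines()):
        if (m := PROMPT.match(line)):
            snaps.append((m.group(1), {}))
        elif snaps and (m := ROW.match(line)):
            snaps[-1][1].setdefault(m.group(2), []).append(int(m.group(5)))
    return snaps

def diff(prev, cur):
    """Compare two peer tables taken at different times."""
    both = set(prev) & set(cur)
    return {
        "missing": sorted(set(prev) - set(cur)),   # SA gone, nothing replaced it yet
        "new": sorted(set(cur) - set(prev)),
        "duplicate": sorted(p for p, c in cur.items() if len(c) > 1),
        # Assumption: a lower 'created' value means the SA was re-established.
        "reset": sorted(p for p in both if max(cur[p]) < max(prev[p])),
    }

def report(text):
    snaps = parse(text)
    return [(a[0], b[0], diff(a[1], b[1])) for a, b in zip(snaps, snaps[1:])]

if __name__ == "__main__":
    for start, end, changes in report(SNAPSHOTS):
        print(f"{start} -> {end}: {changes}")
```

Peers listed under "missing" are the ones to line up against the `debug crypto isakmp` output suggested earlier in the thread.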