Having big problems getting the tunnel up.
Scenario is that we have an ADSL connection in a remote office with a PIX connected to the ADSL router, and in the central office we have a 3005 Concentrator. For some reason the tunnel just refuses to come up, although we do get various messages in the 3005 live event log. Can anybody assist with the configuration required to get this up and running, please?
The following link is a sample configuration:
hope this helps,
Went through that sample a while ago - thought it should be really straightforward but it just doesn't seem to work!!!
Hi, do you have a subnet being routed down to you through the ADSL, or are you getting your IP information via DHCP? Also, are you using the base group in the concentrator to connect, or are you configuring a LAN-to-LAN under tunneling protocols?
ADSL provide us with a single IP address, and the DSL router issues DHCP to the PIX for its outside address.
We use a LAN2LAN connection on the 3005.
We have had the tunnel up for about half an hour on one occasion, albeit without any routing on it, but since this dropped off we have been unsuccessful!
Wayne, can you turn up the event logging on the VPN 3005 (IKE, IKEDBG, AUTH at level 13)? Clear the log and then attempt to initiate the tunnel.
Please send us the log and the versions of VPN 3005 and PIX-501 you are using.
Is this a site-to-site (LAN-to-LAN) tunnel, or is it an Easy VPN Remote tunnel?
If Easy VPN, is the PIX-501 in Client or Network Extension mode?
Nelson Rodrigues- Cisco
I will be able to redo the config on both tomorrow.
In the meantime, we are currently trying to set up a LAN-to-LAN tunnel. Is it easier, or a better method, to use Easy VPN? Can you use Easy VPN from a PIX to a 3005?
Wayne, Easy VPN Remote is the ability of any Cisco hardware client (PIX-501, PIX-506, C806, VPN 3002) and the VPN software client to connect to any Easy VPN server (VPN 3000, Cisco IOS router, PIX firewall).
Easy VPN on the PIX-501 is easy to configure. It requires 4 commands:
If you wish to use the HTTPS-based GUI PIX Device Manager V2.0.(2) with PIX V6.2.x, all these parameters are on one screen. To bring up PDM from a host on the inside interface of the PIX-501, point the browser to https://
Here is a link describing how to configure a PIX-501 as a hardware client in network extension mode to a VPN 3000.
Concerning modes. We'll talk about the PIX-501, but it applies to all Cisco hardware clients.
Client mode: essentially it is PAT mode, where all the PCs behind the PIX are hidden from the outside. Resources on the corporate network cannot reach the PCs behind the PIX across the tunnel. Data initiated from the PIX private network will bring up the tunnel.
Network Extension mode (NEM): the network behind the PIX becomes a routable network. The PCs behind the PIX can be reached from the corporate side across the tunnel. The tunnel must be initiated from the PIX-501, however. In fact, as soon as NEM mode is configured, the PIX-501 automatically attempts to bring the tunnel up, without the need for data traffic.
On the VPN 3000 side, the PIX-501 NEM mode network will be advertised in the corporate network via Reverse Route Injection and RIP/OSPF.
NEM mode is essentially like a LAN-to-LAN, but easier to configure.
Please send us the VPN 3000 log and the versions of both the PIX-501 and the VPN 3000 you are using; it will help diagnose the failure.
Wayne, please send me the logs. firstname.lastname@example.org
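As an added illustration of the two Easy VPN Remote modes described above (not configuration from the original thread or from Cisco's documentation), here is a PIX 6.2 `vpnclient` configuration for the PIX-501 with the client-mode alternative shown beside the NEM setting. The server address 192.0.2.1, the group name `remote-office`, and the credentials are placeholder assumptions; the outside address via DHCP matches Wayne's ADSL setup. Lines starting with `:` are PIX config comments.

```text
: Outside address comes from the DSL router's DHCP server, as in Wayne's
: case; "setroute" installs the default route learned from DHCP.
ip address outside dhcp setroute

: Easy VPN server = the VPN 3000 Concentrator (placeholder address).
vpnclient server 192.0.2.1

: Network Extension mode: the inside subnet is routable from the corporate
: side and the PIX brings the tunnel up by itself as soon as this is set.
vpnclient mode network-extension-mode

: Alternative (client/PAT mode): inside hosts are hidden behind the
: PIX's tunnel address; the tunnel only comes up on inside-initiated traffic.
: vpnclient mode client-mode

: Group name and pre-shared key of the concentrator's group (placeholders).
vpnclient vpngroup remote-office password group-psk-placeholder

: Xauth user credentials, needed when the server requires user auth.
vpnclient username pixuser password user-pw-placeholder

vpnclient enable
```

After `vpnclient enable`, `show vpnclient` on the PIX shows the configured mode, server and tunnel state, which is a more reliable check than the front-panel VPN LED discussed later in this thread. In NEM mode the inside subnet must be one the concentrator can inject via Reverse Route Injection without overlapping the corporate address space.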
Just curious, are you using AES on the VPN 3000? There's a problem with AES SAs in 3.6.3 (bug CSCdy88797). If this is the case you must switch to 3DES or go back to Rel 3.6.1.
I found several issues with the PIX501 acting as a NEM:
1. As soon as it is configured as a NEM, the PIX 501 will initiate a tunnel. But if it reboots, or the central head-end VPN device reboots, the PIX501 doesn't recognize that the other side of the tunnel is already gone. As you know, a normal LAN-to-LAN connection usually does a tunnel health check with "IKE keepalive", but it seems that a PIX 501 acting as an EZ VPN client doesn't implement this "keepalive".
2. "The LED VPN Tunnel" issue.
This LED misleads an operator who is monitoring the tunnel by watching the LED, because as soon as the PIX501 starts to negotiate IKE Phase 1, it turns green. Even worse, it still turns green even if the VPN negotiation failed. Compare it with the VPN3002 VPN LED, which turns orange when negotiating a tunnel and only turns green if the VPN negotiation succeeded and the VPN tunnel was created.
Is Cisco aware of the above PIX501 issues?
BTW, we use v6.2(1).
Engel, I'll need to investigate a little further about the Keepalive when in EZ VPN mode. I'll get back to you on this.
As far as the VPN LED is concerned, the PIX-501 only has two states:
- LED off: no tunnel is yet established
- LED green: at least one tunnel is established
I've done testing with PIX-501 V6.2(2) and it appears to be working OK, as above.
The VPN 3002 has 3 VPN LED states:
- LED off: no tunnel established
- LED amber: tunnel has failed
- LED green: VPN tunnel up
Engelhard, there is a bug on issue #2, the PIX VPN LED (CSCdy17426), for the case when the tunnel fails to establish. The bug has been resolved in the 6.2.x train and will be available, I suppose, in the next patch.
The VPN LED will be turned ON after the first IKE negotiation completes successfully, not just while IKE is in progress.
When I tested it, the VPN LED behaved properly because the tunnel established successfully (LED ON) and when disconnected (LED OFF).