02-20-2007 07:24 AM - edited 02-21-2020 02:53 PM
Hi,
Our other office just moved and we set up the new VPN L2L connection for the new office with two PIX 515e boxes. I am running PIX 7.0(4). When I run show crypto ipsec sa, I see it is up, but I cannot reach the servers on the other side. We did notice the remote office's MTU size is only 1400 for the VPN connection, while the interface is set to 1500. Could that be the issue? I also checked the crypto match access list and the counters are incrementing.
show access-list XO_cryptomap_40_1
access-list XO_cryptomap_40_1; 3 elements
access-list XO_cryptomap_40_1 line 1
access-list XO_cryptomap_40_1 line 2 extended permit ip 10.13.36.0 255.255.254.0 10.2.0.0 255.255.192.0 (hitcnt=47)
access-list XO_cryptomap_40_1 line 3
access-list XO_cryptomap_40_1 line 4 extended permit ip 172.16.1.0 255.255.255.0 10.2.0.0 255.255.192.0 (hitcnt=15)
access-list XO_cryptomap_40_1 line 5
access-list XO_cryptomap_40_1 line 6 extended permit ip 172.16.2.0 255.255.255.0 10.2.0.0 255.255.192.0 (hitcnt=0)
PIX-FW# show crypto ipsec sa
interface: XO
Crypto map tag: XO_map, seq num: 40, local addr: XX.XX.XX.XX
access-list XO_cryptomap_40_1 permit ip 172.16.1.0 255.255.255.0 10.2.0.0 255.255.192.0
local ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.2.0.0/255.255.192.0/0/0)
current_peer: XX.XX.XX.XX
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 17, #pkts decrypt: 17, #pkts verify: 17
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: xx.xx.xx.xx, remote crypto endpt.: xx.xx.xx.xx
path mtu 1500, ipsec overhead 60, media mtu 1500
current outbound spi: XXXXX
inbound esp sas:
spi: 0xXXXXXX (XXXXXXXXXX)
transform: esp-3des esp-md5-hmac
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 12, crypto-map: XO_map
sa timing: remaining key lifetime (kB/sec): (3824999/1367)
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0xXXXXXXXX (xxxxxxxxx)
transform: esp-3des esp-md5-hmac
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 12, crypto-map: XO_map
sa timing: remaining key lifetime (kB/sec): (3825000/1365)
IV size: 8 bytes
replay detection support: Y
Crypto map tag: XO_map, seq num: 40, local addr: XX.XX.XX.XX
access-list XO_cryptomap_40_1 permit ip 10.13.36.0 255.255.254.0 10.2.0.0 255.255.192.0
local ident (addr/mask/prot/port): (10.13.36.0/255.255.254.0/0/0)
remote ident (addr/mask/prot/port): (10.2.0.0/255.255.192.0/0/0)
current_peer: XX.XX.XX.XX
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: XX.XX.XX.XX, remote crypto endpt.: XX.XX.XX.XX
path mtu 1500, ipsec overhead 60, media mtu 1500
current outbound spi: XXXXXXX
inbound esp sas:
spi: 0xDXXXXXXX (XXXXXXXXX)
transform: esp-3des esp-md5-hmac
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 12, crypto-map: XO_map
sa timing: remaining key lifetime (kB/sec): (3824999/2218)
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0x3XXXXXXX (XXXXXXXXXXX)
transform: esp-3des esp-md5-hmac
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 12, crypto-map: XO_map
sa timing: remaining key lifetime (kB/sec): (3825000/2218)
IV size: 8 bytes
replay detection support: Y
02-20-2007 07:44 AM
Also, show ipsec stats shows that the inbound and outbound data are incrementing as well. Any help would be greatly appreciated.
Thanks,
Kap
show ipsec stats
IPsec Global Statistics
-----------------------
Active tunnels: 1
Previous tunnels: 371
Inbound
Bytes: 832734215
Decompressed bytes: 832734215
Packets: 6338989
Dropped packets: 7
Replay failures: 0
Authentications: 6338982
Authentication failures: 7
Decryptions: 6338982
Decryption failures: 0
Outbound
Bytes: 1651752913
Uncompressed bytes: 1651752913
Packets: 8060482
Dropped packets: 0
Authentications: 8060482
Authentication failures: 0
Encryptions: 8060482
Encryption failures: 0
Protocol failures: 0
Missing SA failures: 0
System capacity failures: 0
02-20-2007 09:09 AM
Actually, the inbound data is incrementing; I am not able to get any outbound data incrementing.
02-20-2007 12:48 PM
Never mind, we resolved the issue. It seems there was a conflict between XO_map 40 and another entry, XO_map 20. Why is that the case, since they have each been assigned to a different peer?
Anyway, I removed XO_map 20 completely and it resolved all my VPN issues.
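The symptom in this thread (decaps rising while encaps stay at zero) and its eventual cause (a lower-sequence crypto map entry whose crypto ACL overlaps a later entry's and points at a different peer) can both be read straight out of "show crypto ipsec sa". The following Python is an added example, not part of the thread or of any Cisco tooling; the sample output, addresses and counters are constructed to reproduce the situation described above.

```python
import ipaddress
import re

# Constructed sample in the layout of "show crypto ipsec sa" (documentation addresses);
# seq 40 mirrors the thread: packets arrive (decaps) but nothing is sent (encaps = 0).
SAMPLE = """\
Crypto map tag: XO_map, seq num: 20, local addr: 192.0.2.1
  local ident (addr/mask/prot/port): (172.16.0.0/255.255.0.0/0/0)
  remote ident (addr/mask/prot/port): (10.2.0.0/255.255.192.0/0/0)
  current_peer: 198.51.100.20
  #pkts encaps: 120, #pkts encrypt: 120, #pkts digest: 120
  #pkts decaps: 118, #pkts decrypt: 118, #pkts verify: 118
Crypto map tag: XO_map, seq num: 40, local addr: 192.0.2.1
  local ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
  remote ident (addr/mask/prot/port): (10.2.0.0/255.255.192.0/0/0)
  current_peer: 198.51.100.40
  #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
  #pkts decaps: 17, #pkts decrypt: 17, #pkts verify: 17
"""

FIELDS = {
    "seq": re.compile(r"seq num: (\d+)"),
    "peer": re.compile(r"current_peer: ([\d.]+)"),
    "encaps": re.compile(r"#pkts encaps: (\d+)"),
    "decaps": re.compile(r"#pkts decaps: (\d+)"),
}
IDENT = re.compile(r"(local|remote) ident .*?: \(([\d.]+)/([\d.]+)/")


def parse_ipsec_sa(text):
    """One dict per crypto map entry: seq, peer, encaps, decaps, local, remote."""
    entries = []
    for block in re.split(r"(?m)^\s*Crypto map tag:", text)[1:]:
        e = {k: rx.search(block).group(1) for k, rx in FIELDS.items()}
        for k in ("seq", "encaps", "decaps"):
            e[k] = int(e[k])
        for side, addr, mask in IDENT.findall(block):  # netmask form -> prefix form
            e[side] = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        entries.append(e)
    return entries


def one_way_entries(entries):
    """Seq numbers whose SA moves packets in only one direction."""
    return [e["seq"] for e in entries if (e["encaps"] == 0) != (e["decaps"] == 0)]


def shadowed_entries(entries):
    """(earlier, later) seq pairs whose crypto ACLs overlap but name different peers.
    Entries are evaluated in sequence order, so the earlier one takes the traffic."""
    ordered = sorted(entries, key=lambda e: e["seq"])
    return [(a["seq"], b["seq"]) for i, a in enumerate(ordered) for b in ordered[i + 1:]
            if a["peer"] != b["peer"] and a["local"].overlaps(b["local"])
            and a["remote"].overlaps(b["remote"])]
```

Run against the sample, one_way_entries flags seq 40 and shadowed_entries reports (20, 40), which is the overlap the poster removed to fix the tunnel.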