..there hasn't been an ios upgrade either

the two pixes in question have remained the same since installation - I've (since the problem) also ripped the configs out of both & reconfigured - reapplied crypto maps saved to NV - rebooted - you name it..

the config is basically -

no nat for ipsec traffic - the two lan networks

ipsec made interesting

esp tunnels

same transform set - pre shared keys

usual stuff - as I said it was working like a dream for around 3 months...

I'll post the configs tomorrow when I'm in work

..it really seems that the pixes aren't negotiating nat-t properly as the sa is trying to establish on udp port 500..

cheers

mark

I've attached the configs and also a basic diagram.

I really can't see how it would fail after such a long time working

btw the pix in liverpool also peers with warrington pix - that vpn is working fine but it doesn't need to use nat-t

thanks for the help so far..

I had a quick look at both of the configs and it looks OK at first glance, you say that this same config was working for 3 months and then stoped. Can you answer my original question:

From your liverpool-pix can you ping the outside IP of the modem and vice-versa? To check that you have L3 connectivity. Also, have you checked with your ISP that they are not blocking UDP port 4500, used by NAT-T.

Also, have you issued - in config mode - clear cry isakmp sa and clear cry ipsec sa on both pixes and then try to ping from internal client at pix-liverpool to an internal client at modem/pix side. What does sho isakmp sa now show?

Jay

Hello Jay/all - as requested:

enabled icmp on outside of liverpool & monaco pixes

ping from liverpool pix to monaco adsl - fail

ping from monaco adsl to liverpool pix - fail

ping from sprint nap london to monaco adsl - success

ping from sprint nap london to liverpool pix - fail

----------------------------------------------------------

monaco-pix(config)# clear cry isakmp sa

monaco-pix(config)# clear cry ipsec sa

monaco-pix(config)#

monaco-pix# sh isakmp sa

Total : 1

Embryonic : 1

dst src state pending created

XXX.121.200.146 192.168.1.1 MM_NO_STATE 0 0

*****I instigated a telnet session from liverpool to a host inside monaco

monaco-pix# sh isakmp sa

Total : 2

Embryonic : 2

dst src state pending created

192.168.1.1 XXX.121.200.146 MM_SA_SETUP 0 0

XXX.121.200.146 192.168.1.1 MM_NO_STATE 0 0

monaco-pix# sh isakmp sa

Total : 1

Embryonic : 1

dst src state pending created

192.168.1.1 XXX.121.200.146 MM_SA_SETUP 0 0

monaco-pix# sh isakmp sa

Total : 1

Embryonic : 1

dst src state pending created

192.168.1.1 XXX.121.200.146 MM_SA_SETUP 0 0

monaco-pix# sh isakmp sa

Total : 1

Embryonic : 1

dst src state pending created

192.168.1.1 XXX.121.200.146 MM_SA_SETUP 0 0

*****here's liverpool pix's output for the same connection:

liverpool-pix# sh isakmp sa

Total : 1

Embryonic : 1

dst src state pending created

XXX.94.100.22 XXX.121.200.146 MM_NO_STATE 0 0

**I've also mailed our ISP here in UK and also Monaco to make sure that they're not blocking nat-t..

cheers

Mark

as you mentioned, the configs are very tidy and straight forward.

just wondering if the issue is with the adsl router at monaco performing nat. please verify whether the nat is functioning.

Yeah, I was wondering about that - the only thing is I can ssh to the Monaco router from here in Liverpool.. so it must be NATting to the outside port of the firewall successfully for that public IP - also I can see the ipsec traffic coming in on Monaco pix - just that it's trying to use port 500 and getting denied:

VPN Peer:ISAKMP: Peer Info for XXX.121.200.146/500 not found - peers:0

If you can not establish L3 connectivity between the two problamatic peers and also the sho isakmp sa is indicating MM_NO_STATE - This means that there is a problem with communication link between the two peers. I would question your ISP on this.

Jay

Would that be the Monaco ISP, UK or both?

I've looked at the debug and it seems it's failing when it's trying to authenticate using IP address

many thanks

It could be either side, hard to tell check with both providers and make sure that your equipment at both ends are functiong correctly too. What type of service are you running, xDSL?

Jay

Yeah, adsl -

I've been testing making telnet connections from liverpool to monaco and seeing the connections on the monaco pix - but then failing

I wondered whether the monaco pix was receiving the ipsec - going back to liverpool to authenticate via ip address and couldn't get back to liverpool possibly because of the nat on the adsl

so I used a backup isdn to get onto a router on monaco - put debug cry isakmp on liverpool and tried a connection from monaco to liv and sure enough no debug on liverpool

so..

we have another public subnet here in l'pool - so we moved the pix onto this and made all the necessary changes - also cleared isakp/ipsec - reapplied crypto maps - - now we can ping liverpool pix's new ip address

I can still ssh to monaco pix via the adsl

now when we try to telnet from liverpool to monaco - it doesn't show up on Monaco's debug anymore - makes me think that it's the cruddy adsl modem..

Good troubleshooting! I did have my suspicion on the modem at Monaco, and now reading your reply do believe that it might be the modem that is creating your problem but do also check with your ISP that there isn’t any issues with the comms link at both end.

Good luck.

Jay

just wondering how you go with the adsl modem.