Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

PIX 501 VPN to 2851 Router stuck at negotiation

I am total noob to these produts.  Is there a command I can run on either end of this to determine why they do not connect?

Thanks

Everyone's tags (6)
4 REPLIES
Cisco Employee

Re: PIX 501 VPN to 2851 Router stuck at negotiation

You would need to check which phase the negotiation is stuck on.

You can run the following command to check the status:

show cry isa sa

show cry ipsec sa

And also the following debug to check where and why exactly it's failing:

debug cry isa

debug cry ipsec

New Member

Re: PIX 501 VPN to 2851 Router stuck at negotiation

I have ran the commands you showed me.

the command show cry isa sa

does tell me it is negotiating.

when I run debug cry isa or debug cry ipsec

it tells me debug is on. nothing else.

What command tells me the detailed VPN information?

New Member

Re: PIX 501 VPN to 2851 Router stuck at negotiation

Anyone?

Cisco Employee

Re: PIX 501 VPN to 2851 Router stuck at negotiation

What do you mean by it's negotiating? What is the status? Is it MM_NO_STATE, QM_IDLE, MM_WAIT_MSG2, etc?

In terms of debug, if you try to send interesting traffic between PIX and the 2851 router, it will log detailed messages on each VPN messages/phase.

Here is a sample configuration for LAN-to-LAN between PIX and router for your reference (it also has sample debug output):

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094498.shtml

Please share your config to see if there is any configuration error.

789
Views
0
Helpful
4
Replies
CreatePlease to create content