Cisco Support Community
New Member

Pix 501 VPN won't come up

Would someone mind glancing at my configurations and helping me to understand why I can't establish a VPN to pse-pix-outside? VPNs to all other PIXes work just fine, and RDP, SMTP, and DNS traffic is properly mapped to the server 192.168.50.2 and works, but when I try to start a VPN I get the message:


VPN Peer:ISAKMP: Peer Info for pse-pix-outside/500 not found - peers:0

Thank you so much for any help.

Here is the configuration for the PIX initiating the VPN:

: Saved
: Written by enable_15 at 18:41:01.847 UTC Tue Jan 12 1993
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password encrypted
passwd encrypted
hostname chris-pix
domain-name
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 209.xxx.xxx.xxx ocean-pix-outside
name 209.xxx.xxx.xxx cvb-pix-outside
name 69.xxx.xxx.xxx don-pix-outside
name 65.xxx.xxx.xxx chi-pix-outside
name 208.xxx.xxx.xxx pse-pix-outside
access-list internet-traffic permit ip 192.168.3.0 255.255.255.0 any
access-list ping-permit permit icmp any any
access-list chris-to-allGvnPix-vpn permit ip 192.168.3.0 255.255.255.0 192.168.27.0 255.255.255.0
access-list chris-to-allGvnPix-vpn permit ip 192.168.3.0 255.255.255.0 192.168.28.0 255.255.255.0
access-list chris-to-allGvnPix-vpn permit ip 192.168.3.0 255.255.255.0 192.168.7.0 255.255.255.0
access-list chris-to-allGvnPix-vpn permit ip 192.168.3.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list chris-to-allGvnPix-vpn permit ip 192.168.3.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list chris-to-ocean-vpn permit ip 192.168.3.0 255.255.255.0 192.168.27.0 255.255.255.0
access-list chris-to-cvb-vpn permit ip 192.168.3.0 255.255.255.0 192.168.28.0 255.255.255.0
access-list chris-to-don-vpn permit ip 192.168.3.0 255.255.255.0 192.168.7.0 255.255.255.0
access-list chris-to-chi-vpn permit ip 192.168.3.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list chris-to-pse-vpn permit ip 192.168.3.0 255.255.255.0 192.168.50.0 255.255.255.0
pager lines 24
logging on
logging trap informational
logging host inside 192.168.27.1
no logging message 313003
no logging message 313001
no logging message 106023
no logging message 305012
no logging message 305011
no logging message 302010
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 302012
no logging message 609002
no logging message 609001
no logging message 302016
icmp deny any outside
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.3.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list chris-to-allGvnPix-vpn
nat (inside) 1 access-list internet-traffic 0 0
access-group ping-permit in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 192.168.3.3 chris-pix-config
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set GvnPix-set esp-des esp-md5-hmac
crypto map toGvnPix 5 ipsec-isakmp
crypto map toGvnPix 5 match address chris-to-chi-vpn
crypto map toGvnPix 5 set peer chi-pix-outside
crypto map toGvnPix 5 set transform-set GvnPix-set
crypto map toGvnPix 7 ipsec-isakmp
crypto map toGvnPix 7 match address chris-to-don-vpn
crypto map toGvnPix 7 set peer don-pix-outside
crypto map toGvnPix 7 set transform-set GvnPix-set
crypto map toGvnPix 27 ipsec-isakmp
crypto map toGvnPix 27 match address chris-to-ocean-vpn
crypto map toGvnPix 27 set peer ocean-pix-outside
crypto map toGvnPix 27 set transform-set GvnPix-set
crypto map toGvnPix 28 ipsec-isakmp
crypto map toGvnPix 28 match address chris-to-cvb-vpn
crypto map toGvnPix 28 set peer cvb-pix-outside
crypto map toGvnPix 28 set transform-set GvnPix-set
crypto map toGvnPix 50 ipsec-isakmp
crypto map toGvnPix 50 match address chris-to-pse-vpn
crypto map toGvnPix 50 set peer pse-pix-outside
crypto map toGvnPix 50 set transform-set GvnPix-set
crypto map toGvnPix interface outside
isakmp enable outside
isakmp key ******** address don-pix-outside netmask 255.255.255.255
isakmp key ******** address ocean-pix-outside netmask 255.255.255.255
isakmp key ******** address cvb-pix-outside netmask 255.255.255.255
isakmp key ******** address chi-pix-outside netmask 255.255.255.255
isakmp key ******** address pse-pix-outside netmask 255.255.255.255
isakmp keepalive 60
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption des
isakmp policy 9 hash md5
isakmp policy 9 group 2
isakmp policy 9 lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 30
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 30
management-access inside
console timeout 0
dhcpd address 192.168.3.2-192.168.3.33 inside
dhcpd lease 86400
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 100
Cryptochecksum:
chris-pix(config)#

And here is the configuration for the PIX receiving the VPN request:

: Saved
: Written by enable_15 at 19:48:40.168 UTC Mon Oct 18 2010
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password encrypted
passwd encrypted
hostname xxx
domain-name xxx.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list internet-traffic permit ip 192.168.50.0 255.255.255.0 any
access-list pix-to-pse-vpn permit ip 192.168.50.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list acl-out permit ip host 192.168.50.2 any
access-list acl-out permit ip host 192.168.50.52 any
access-list acl-out permit ip host 192.168.50.55 any
access-list acl-out deny ip 192.168.50.0 255.255.255.0 any
access-list acl-in permit icmp any any
access-list acl-in permit tcp any host 208.xxx.xxx.xxx eq 3389
access-list acl-in permit tcp any host 208.xxx.xxx.xxx eq domain
access-list acl-in permit tcp any host 208.xxx.xxx.xxx eq smtp
pager lines 24
icmp deny any outside
mtu outside 1500
mtu inside 1500
ip address outside 208.xxx.xxx.xxx 255.255.255.255
ip address inside 192.168.50.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list pix-to-pse-vpn
nat (inside) 1 access-list internet-traffic 0 0
static (inside,outside) tcp interface 3389 192.168.50.2 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 192.168.50.2 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface domain 192.168.50.2 domain netmask 255.255.255.255 0 0
access-group acl-in in interface outside
access-group acl-out in interface inside
route outside 0.0.0.0 0.0.0.0 208.xxx.xxx.xxx 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set PsePix-set esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set PsePix-set
crypto map toPsePix 10 ipsec-isakmp dynamic dynmap
crypto map toPsePix interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp keepalive 60
isakmp nat-traversal 20
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption des
isakmp policy 9 hash md5
isakmp policy 9 group 2
isakmp policy 9 lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 30
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 30
management-access inside
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 100
Cryptochecksum:

2 REPLIES
Cisco Employee

Re: Pix 501 VPN won't come up

Configuration looks OK to me.

In which phase does the connection fail?

Can you please share the output of the following from both PIXes:

show cry isa sa

show cry ipsec sa

And also run the following debug to see where it fails:

debug cry isa

debug cry ipsec

Please try to ping 192.168.50.1 from the 192.168.3.0/24 LAN.

New Member

Re: Pix 501 VPN won't come up

From the 192.168.3.1 PIX, here is the output:

chris-pix# sh cry isa sa
Total     : 1
Embryonic : 0
        dst               src        state     pending     created
don-pix-outside     172.27.35.45    QM_IDLE         0           1
chris-pix# sh cry ipsec sa


interface: outside
    Crypto map tag: toGvnPix, local addr. 172.27.35.45

   local  ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.7.0/255.255.255.0/0/0)
   current_peer: don-pix-outside:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 3, #pkts encrypt: 3, #pkts digest 3
    #pkts decaps: 3, #pkts decrypt: 3, #pkts verify 3
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 172.27.35.45, remote crypto endpt.: don-pix-outside
     path mtu 1500, ipsec overhead 56, media mtu 1500
     current outbound spi: 164e4b4f

     inbound esp sas:
      spi: 0xffb27f5e(4289888094)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 3, crypto map: toGvnPix
        sa timing: remaining key lifetime (k/sec): (4607999/28256)
        IV size: 8 bytes
        replay detection support: Y


     inbound ah sas:


     inbound pcp sas:


     outbound esp sas:
      spi: 0x164e4b4f(374229839)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 4, crypto map: toGvnPix
        sa timing: remaining key lifetime (k/sec): (4607999/28256)
        IV size: 8 bytes
        replay detection support: Y


     outbound ah sas:


     outbound pcp sas:

   local  ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.50.0/255.255.255.0/0/0)
   current_peer: pse-pix-outside:0
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 36, #recv errors 0

     local crypto endpt.: 172.27.35.45, remote crypto endpt.: pse-pix-outside
     path mtu 1500, ipsec overhead 0, media mtu 1500
     current outbound spi: 0

     inbound esp sas:


     inbound ah sas:


     inbound pcp sas:


     outbound esp sas:


     outbound ah sas:


     outbound pcp sas:


chris-pix#

And here is the debug output:


chris-pix#

ISAKMP (0): retransmitting phase 1 (0)...IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= 172.27.35.45, remote= pse-pix-outside,
    local_proxy= 192.168.3.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.50.0/255.255.255.0/0/0 (type=4)

ISAKMP (0): retransmitting phase 1 (1)...
ISAKMP (0): deleting SA: src 172.27.35.45, dst pse-pix-outside
ISADB: reaper checking SA 0x9fef04, conn_id = 0  DELETE IT!

VPN Peer:ISAKMP: Peer Info for pse-pix-outside/500 not found - peers:0

IPSEC(key_engine): request timer fired: count = 2,
  (identity) local= 172.27.35.45, remote= pse-pix-outside,
    local_proxy= 192.168.3.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.50.0/255.255.255.0/0/0 (type=4)

chris-pix#

And from the 192.168.50.1 PIX here is the output:

protospace# sh cry isa sa
Total     : 0
Embryonic : 0
        dst               src        state     pending     created
protospace# sh cry ipsec sa


interface: outside
    Crypto map tag: toPsePix, local addr. 208.xxx.xxx.xxx
protospace#

There is no output from debug commands on this PIX when I ping from 192.168.3.x to 192.168.50.1.

Thank you for looking into this.
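The output above shows the pse-pix-outside crypto-map entry with no outbound SPI, zero encaps and 36 send errors, while the don-pix-outside entry has a working SA. As an added example that is not part of this thread, here is a small Python parser that turns PIX 6.3 `show crypto ipsec sa` output into one record per crypto-map entry and lists the first things to check for each. The embedded text is a trimmed excerpt of the output posted above; the NAT-T check is my own addition, based on the initiating PIX's 172.27.35.45 (RFC 1918) crypto endpoint and the absence of `isakmp nat-traversal` from its posted config.

```python
import ipaddress
import re
# Constructed excerpt of the `sh cry ipsec sa` output posted above, trimmed to the lines the parser reads.
SHOW_IPSEC_SA = """\
   local  ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.7.0/255.255.255.0/0/0)
   current_peer: don-pix-outside:500
    #pkts encaps: 3, #pkts encrypt: 3, #pkts digest 3
    #send errors 1, #recv errors 0
     local crypto endpt.: 172.27.35.45, remote crypto endpt.: don-pix-outside
     current outbound spi: 164e4b4f
   local  ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.50.0/255.255.255.0/0/0)
   current_peer: pse-pix-outside:0
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #send errors 36, #recv errors 0
     local crypto endpt.: 172.27.35.45, remote crypto endpt.: pse-pix-outside
     current outbound spi: 0
"""
# The initiating PIX's isakmp lines from the config above: note there is no `isakmp nat-traversal`.
INITIATOR_ISAKMP_CFG = "isakmp enable outside\nisakmp keepalive 60\n"

def parse_ipsec_sa(text):
    """Split PIX 6.3 `show crypto ipsec sa` output into one record per crypto-map entry."""
    records = []
    for block in re.split(r"(?=^\s*local\s+ident)", text, flags=re.M)[1:]:
        peer, _, port = re.search(r"current_peer:\s*(\S+)", block).group(1).rpartition(":")
        records.append({
            "remote_net": re.search(r"remote ident.*:\s*\(([\d.]+)/", block).group(1),
            "peer": peer,
            "peer_port": int(port),
            "encaps": int(re.search(r"#pkts encaps:\s*(\d+)", block).group(1)),
            "send_errors": int(re.search(r"#send errors\s*(\d+)", block).group(1)),
            "outbound_spi": re.search(r"current outbound spi:\s*(\w+)", block).group(1),
            "local_endpt": re.search(r"local crypto endpt\.:\s*(\S+),", block).group(1),
        })
    return records

def diagnose(rec, local_isakmp_cfg):
    """List what to check first for one crypto-map entry (findings are hints, not a verdict)."""
    findings = []
    if rec["outbound_spi"] == "0" and rec["encaps"] == 0:
        findings.append("no IPsec SA: nothing has been encapsulated toward this peer")
    if rec["peer_port"] == 0:
        findings.append("peer port 0: no ISAKMP SA has been negotiated with this peer")
    if rec["send_errors"] and rec["encaps"] == 0:
        findings.append(f"{rec['send_errors']} send errors with zero encaps: ACL matched, no SA")
    if ipaddress.ip_address(rec["local_endpt"]).is_private and "isakmp nat-traversal" not in local_isakmp_cfg:
        findings.append("local endpoint is RFC 1918 (NATed upstream) and NAT-T is not enabled here")
    return findings
```

Run `diagnose(rec, INITIATOR_ISAKMP_CFG)` over `parse_ipsec_sa(SHOW_IPSEC_SA)`: the working peer only gets the NAT-T note, the failing peer gets all four findings, which matches the phase 1 retransmits in the debug output.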
