Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
248
Views
0
Helpful
1
Replies

PIX to ASA Tunnel Termination Problem

rkalia1
Level 1
Level 1

‎04-30-2008 11:33 AM

I am having a problem with IPSec tunnel between sites A and B. Site A has PIX with 8.x code and SITE B has an ASA with 7.2(3) code. The Crypto access-lists are as under :

SITE A has :

access-list 119 extended permit ip object-group Support_DMZ object-group SITEB

access-list 119 extended permit ip 10.60.6.0 255.255.255.0 object-group SITEB

Object Group SITEB is as under :

object-group network SITEB

network-object 10.238.18.0 255.255.255.0

network-object 210.x.x.x 255.255.255.255

Object Group Support_DMZ is as under :

object-group network Support_DMZ

network-object a.a.a.a 255.255.255.192

network-object b.b.b.b 255.255.255.0

network-object c.c.c.c 255.255.255.0

network-object d.d.d.d 255.255.255.0

network-object e.e.e.e 255.255.255.0

network-object f.f.f.f 255.255.255.0

Now on the ASA at SITE B :

access-list TO_SITEA extended permit ip 10.238.18.0 255.255.255.0 object-group SITEA_NETWORK

access-list TO_SITEA extended permit ip host 210.x.x.253 object-group SITEA_NETWORK

Object Group SITEA_NETWORK is ;

object-group network SITEA_NETWORK

network-object b.b.b.b 255.255.255.0

network-object c.c.c.c 255.255.255.0

network-object d.d.d.d 255.255.255.0

network-object e.e.e.e 255.255.255.0

network-object a.a.a.a 255.255.255.192

network-object f.f.f.f 255.255.255.0

network-object g.g.g.g 255.255.255.0

Pls note that there is an extra network g.g.g.g in Object Group SITA_NETWORK. This is not there in the other side. Now the error I get on the ASA at SITE B is :

%ASA-5-713050: Group = 64.x.x.x, IP = 64.x.x.x, Connection terminated for peer 64.x.x.x. Reason: Peer Terminate Remote Proxy 210.x.x.253, Local Proxy b.b.b.b

Looks like the tunnel gets terminated. If you see in the error above Local Proxy is b.b.b.b which is a network on the SITEA side. Sometimes this Local Proxy is d.d.d.d or f.f.f.f or e.e.e.e

I am wondering if the order of the networks in the Object Group both sides need to be the same to be an exact mirror image. If you see they are not exact mirror images on both sides. Also there is g.g.g.g network in SITEB which is not there in SITEA side Object Group.

If anybody can help on this it would be great.

Labels:
0 Helpful
1 Reply 1

owillins
Level 6
Level 6

‎05-07-2008 06:42 AM

It may be errors due to PFS enable. Disable PFS and try again

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents