Hi everyone. I have a problem with a site-to-site VPN. Here is the diagram. HQ is using a PIX 516E; the branches are using Cisco 1721 routers.
Users at the branches always complain that they are unable to use resources at HQ1 through the VPN, but they are able to use resources at HQ2. So when I logged in to a branch router, I noticed the following:
TN_Butterworth#show cry isa sa
dst             src             state        conn-id slot status
218.208.70.xxx  210.187.78.xxx  QM_IDLE          221    0 ACTIVE
218.208.70.xxx  210.187.78.xxx  MM_NO_STATE      220    0 ACTIVE (deleted)
218.208.4.xxx   218.208.70.xxx  QM_IDLE            1    0 ACTIVE   <------ VPN to HQ2 seems fine. Branch IP is 218.208.70.xxx
210.187.78.xxx  218.208.70.xxx  QM_IDLE          222    0 ACTIVE
210.187.78.xxx  218.208.70.xxx  MM_NO_STATE      219    0 ACTIVE (deleted)
The VPN to HQ1 keeps dropping. I noticed on the Cisco website that MM_NO_STATE means the configuration doesn't match at phase 1. But there is a QM_IDLE state for the VPN to HQ1 as well. What does this really mean? If the configuration mismatched, the VPN would be totally unable to establish, right? But why do some show as established and some not? And the connection ID keeps increasing, which means the SA keeps getting deleted and recreated. Sometimes I can ping the HQ1 LAN and sometimes I can't. Why are there so many entries in the ISAKMP SA table on the branch router for the VPN to HQ1? Does this mean it is related to a hardware issue on the HQ1 PIX?
I have about 7 branches with the same design as above. All branches are having the same problem with the VPN to HQ1. I have attached the HQ1 PIX show run and a branch show run file. HQ1 and HQ2 are using the same device, a PIX 516E, with similar configurations. Both PIXes are sitting behind a load balancer, so their external IPs are private IPs.
The two set peer IPs are because HQ1 has two ISPs. Once the branch router loses connection to peer 1, it fails over to peer 2. The same goes for the PIX configuration. The deny statement is just nothing; it is equal to the implicit deny.
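An added example (not part of the original post, and not Cisco code) that turns the `show crypto isakmp sa` listing above into a per-peer health summary. It groups SA entries by peer, counts established QM_IDLE entries and incomplete main-mode entries (an MM_NO_STATE row is a main-mode negotiation that never completed), records the conn-id range and which side initiated each SA, and labels a peer "stable" (a single live QM_IDLE entry), "churning" (several live or failed entries accumulating) or "down". The sample input is constructed from the masked addresses in the post, and the branch router's own address is assumed to be 218.208.70.xxx, as the post states; the script does not diagnose the cause, it only makes the pattern visible.

```python
import re
from collections import defaultdict

# Constructed sample: the 'show cry isa sa' rows from the post, with the
# masked addresses left as they appear there. Not a live capture.
SAMPLE = """\
dst             src             state        conn-id slot status
218.208.70.xxx  210.187.78.xxx  QM_IDLE          221    0 ACTIVE
218.208.70.xxx  210.187.78.xxx  MM_NO_STATE      220    0 ACTIVE (deleted)
218.208.4.xxx   218.208.70.xxx  QM_IDLE            1    0 ACTIVE
210.187.78.xxx  218.208.70.xxx  QM_IDLE          222    0 ACTIVE
210.187.78.xxx  218.208.70.xxx  MM_NO_STATE      219    0 ACTIVE (deleted)
"""

# Assumption taken from the post: this is the branch router's own address.
LOCAL = "218.208.70.xxx"

# One SA row: dst src state conn-id slot status[ (deleted)]
LINE_RE = re.compile(
    r"^(?P<dst>\S+)\s+(?P<src>\S+)\s+(?P<state>[A-Z_]+)\s+"
    r"(?P<conn>\d+)\s+(?P<slot>\d+)\s+(?P<status>.+?)\s*$"
)


def parse_isakmp_sa(text, local=LOCAL):
    """Parse 'show crypto isakmp sa' output into a list of SA dicts."""
    sas = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("dst") == "dst":   # skip header / prompt lines
            continue
        sa = m.groupdict()
        sa["conn"] = int(sa["conn"])
        sa["slot"] = int(sa["slot"])
        sa["deleted"] = "(deleted)" in sa["status"]
        # The peer is whichever address is not ours; who sits in 'src'
        # tells us which side initiated this SA.
        if sa["src"] == local:
            sa["peer"], sa["initiator"] = sa["dst"], "local"
        else:
            sa["peer"], sa["initiator"] = sa["src"], "remote"
        sas.append(sa)
    return sas


def summarize(sas):
    """Per-peer counts and a coarse verdict on SA health."""
    by_peer = defaultdict(list)
    for sa in sas:
        by_peer[sa["peer"]].append(sa)

    report = {}
    for peer, entries in by_peer.items():
        established = [e for e in entries
                       if e["state"] == "QM_IDLE" and not e["deleted"]]
        # Anything still in a main-mode state never reached phase 2.
        incomplete = [e for e in entries if e["state"] != "QM_IDLE"]
        if not established:
            verdict = "down"
        elif len(entries) == 1:
            verdict = "stable"        # exactly one live SA, nothing else
        else:
            verdict = "churning"      # duplicate or failed SAs piling up
        report[peer] = {
            "established": len(established),
            "incomplete": len(incomplete),
            "conn_ids": sorted(e["conn"] for e in entries),
            "initiators": sorted({e["initiator"] for e in entries}),
            "verdict": verdict,
        }
    return report


if __name__ == "__main__":
    for peer, info in summarize(parse_isakmp_sa(SAMPLE)).items():
        print(f"{peer:16} {info['verdict']:9} established={info['established']} "
              f"incomplete={info['incomplete']} conn-ids={info['conn_ids']} "
              f"initiated by={info['initiators']}")
```

Run against the sample, the HQ2 peer (218.208.4.xxx) comes out "stable" with one SA, while the HQ1 peer (210.187.78.xxx) comes out "churning": two live QM_IDLE entries, two dead MM_NO_STATE entries, conn-ids 219 through 222, and SAs initiated from both sides. Re-running the script on fresh output a few minutes apart and watching whether the conn-id range keeps climbing is a cheap way to confirm the rekey/renegotiation loop the post describes before digging into the configurations.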