site-to-site VPN in different IOS for PIX device

Hi, all,

We are going to upgrade the PIX515E from IOS 6.3 to IOS V7.2; however, we found that there is no upgrade IOS for the PIX506E beyond IOS V6.3.

Our network has one PIX515E and three PIX506Es; they form a site-to-site VPN in a hub-and-spoke structure.

We found today that we could not form the site-to-site VPN between the PIX515E (IOS v7.2) and a PIX506E (IOS V6.3).

Any suggestions?

Thank you

Reply to
bensonlei

And why not? It should work....

Reply to
Omadon

Further debug result:

PI-Line(config)# ISAKMP (0:0): sending NAT-T vendor ID - rev 2 & 3
ISAKMP (0): beginning Main Mode exchange
crypto_isakmp_process_block:src:JIL_FW, dest:Local_FW spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing vendor id payload
ISAKMP (0:0): vendor ID is NAT-T
ISAKMP (0): processing vendor id payload
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_FQDN
ISAKMP (0:0): constructed HIS NAT-D
ISAKMP (0:0): constructed MINE NAT-D
ISAKMP (0:0): Detected port floating
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:JIL_FW, dest:Local_FW spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
ISAKMP (0): processing vendor id payload
ISAKMP (0): processing vendor id payload
ISAKMP (0): received xauth v6 vendor id
ISAKMP (0): processing vendor id payload
ISAKMP (0): speaking to another IOS box!
ISAKMP (0): processing vendor id payload
ISAKMP (0): speaking to a VPN3000 concentrator
ISAKMP (0:0): Detected NAT-D payload
ISAKMP (0:0): NAT match MINE hash
ISAKMP (0:0): Detected NAT-D payload
ISAKMP (0:0): NAT match HIS hash
ISAKMP (0): ID payload
    next-payload : 8
    type : 2
    protocol : 17
    port : 500
    length : 25
ISAKMP (0): Total payload length: 29
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:JIL_FW, dest:Local_FW spt:500 dpt:500

............................ ............................. ....................................

VPN Peer:ISAKMP: Peer Info for JIL_FW/500 not found - peers:0
IPSEC(key_engine): request timer fired: count = 2,
  (identity) local= Local_FW, remote= JIL_FW,
    local_proxy= 172.27.30.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 172.27.1.0/255.255.255.0/0/0 (type=4)
ISAKMP (0:0): sending NAT-T vendor ID - rev 2 & 3
ISAKMP (0): beginning Main Mode exchange
crypto_isakmp_process_block:src:JIL_FW, dest:Local_FW spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing vendor id payload
ISAKMP (0:0): vendor ID is NAT-T
ISAKMP (0): processing vendor id payload
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_FQDN
ISAKMP (0:0): constructed HIS NAT-D
ISAKMP (0:0): constructed MINE NAT-D
ISAKMP (0:0): Detected port floating
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:JIL_FW, dest:Local_FW spt:500 dpt:500
ISAKMP: sa not found for ike msg ................................
crypto_isakmp_process_block:src:JIL_FW, dest:Local_FW spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
ISAKMP (0): processing vendor id payload
ISAKMP (0): processing vendor id payload
ISAKMP (0): received xauth v6 vendor id
ISAKMP (0): processing vendor id payload
ISAKMP (0): speaking to another IOS box!
ISAKMP (0): processing vendor id payload
ISAKMP (0): speaking to a VPN3000 concentrator
ISAKMP (0:0): Detected NAT-D payload
ISAKMP (0:0): NAT match MINE hash
ISAKMP (0:0): Detected NAT-D payload
ISAKMP (0:0): NAT match HIS hash
ISAKMP (0): ID payload
    next-payload : 8
    type : 2
    protocol : 17
    port : 500
    length : 25
ISAKMP (0): Total payload length: 29
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:JIL_FW, dest:Local_FW spt:500 dpt:500
ISAKMP: error, msg not encrypted
PI-Line(config)# IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= Local_FW, remote= JIL_FW,
    local_proxy= 172.27.30.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 172.27.1.0/255.255.255.0/0/0 (type=4)
ISAKMP (0): deleting SA: src Local_FW, dst JIL_FW
ISADB: reaper checking SA 0xfa77e4, conn_id = 0 DELETE IT!

Reply to
bensonlei

I'm fairly sure the 506E won't run v7.x software.

However, there should be no problem with a normal LAN-to-LAN VPN between a 515E running v7.x and a 506E running v6.3. It's not clear to me what's wrong from the debug output, but it looks as though it's the security association that's failing. Did you use the PDM wizard to create the VPN, or did you hand-craft it?

JR

Reply to
John Rennie
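The debug output bensonlei posted is the usual starting point for this kind of failure, and reading it by hand is error-prone because the PIX prints the phase-1 attributes one per line and the lifetime as raw attribute bytes. The script below is an added example written for this page; it is not code from the thread or from Cisco. It parses that style of `debug crypto isakmp` text (an abridged, constructed copy of the posted debug is embedded so it runs offline), pulls out the phase-1 proposal the responder accepted, decodes the VPI lifetime bytes (0x0 0x1 0x51 0x80 is 0x15180, i.e. 86400 seconds), records the peer's identity type, and lists the failure markers in the order they appear. The marker strings, the ID-type table (from RFC 2407) and the verdict wording are my own choices, not Cisco documentation.

```python
"""Triage helper for Cisco PIX 'debug crypto isakmp' output (added example)."""
import re

# Constructed sample: an abridged copy of the debug posted in the thread.
SAMPLE_DEBUG = """\
ISAKMP (0:0): sending NAT-T vendor ID - rev 2 & 3
ISAKMP (0): beginning Main Mode exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0:0): vendor ID is NAT-T
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_FQDN
ISAKMP (0:0): Detected port floating
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
ISAKMP (0:0): Detected NAT-D payload
ISAKMP (0:0): NAT match MINE hash
ISAKMP (0:0): NAT match HIS hash
ISAKMP (0): ID payload next-payload : 8 type : 2 protocol : 17 port : 500 length : 25
ISAKMP: sa not found for ike msg
ISAKMP: error, msg not encrypted
ISAKMP (0): deleting SA: src Local_FW, dst JIL_FW
"""

# Phase-1 identification types from RFC 2407 (IPsec DOI), used to label
# the numeric "type :" field the PIX prints in the ID payload dump.
ID_TYPES = {1: "ID_IPV4_ADDR", 2: "ID_FQDN", 3: "ID_USER_FQDN",
            4: "ID_IPV4_ADDR_SUBNET", 9: "ID_DER_ASN1_DN", 11: "ID_KEY_ID"}

# Substrings I treat as failure markers (my assumption; they are the lines
# in the posted debug that precede the SA being torn down).
ERROR_MARKERS = ("sa not found for ike msg", "error, msg not encrypted",
                 "deleting SA", "Peer Info for")


def lifetime_seconds(byte_words):
    """Decode the VPI attribute bytes, e.g. '0x0 0x1 0x51 0x80' -> 86400."""
    value = 0
    for tok in byte_words.split():          # big-endian, one byte per token
        value = (value << 8) | int(tok, 16)
    return value


def parse_isakmp_debug(text):
    """Return a dict summarising the phase-1 negotiation seen in the debug."""
    report = {"policy_priority": None, "accepted": False, "proposal": {},
              "id_type": None, "id_payload_type": None, "nat_t": False,
              "port_floating": False, "errors": []}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        m = re.search(r"against priority (\d+) policy", line)
        if m:
            report["policy_priority"] = int(m.group(1))
        m = re.match(r"ISAKMP: (encryption|hash|auth) (\S+)$", line)
        if m:
            report["proposal"][m.group(1)] = m.group(2)
        m = re.match(r"ISAKMP: default group (\d+)$", line)
        if m:
            report["proposal"]["group"] = int(m.group(1))
        m = re.match(r"ISAKMP: life duration \(VPI\) of (.+)$", line)
        if m:
            report["proposal"]["lifetime_s"] = lifetime_seconds(m.group(1))
        if "atts are acceptable" in line:
            report["accepted"] = True
        m = re.search(r"using id type (\S+)", line)
        if m:
            report["id_type"] = m.group(1)
        m = re.search(r"\bID payload.*?\btype : (\d+)", line)
        if m:
            code = int(m.group(1))
            report["id_payload_type"] = ID_TYPES.get(code, f"unknown({code})")
        if "vendor ID is NAT-T" in line:
            report["nat_t"] = True
        if "Detected port floating" in line:
            report["port_floating"] = True
        if any(marker in line for marker in ERROR_MARKERS):
            report["errors"].append((lineno, line))
    return report


def verdict(report):
    """One-line reading of the report for the person doing the triage."""
    if not report["accepted"]:
        return "phase 1 proposal not accepted: compare isakmp policies on both peers"
    if report["errors"]:
        lineno, line = report["errors"][0]
        return f"phase 1 proposal accepted but exchange failed at line {lineno}: {line}"
    return "no failure markers found"


if __name__ == "__main__":
    rep = parse_isakmp_debug(SAMPLE_DEBUG)
    print(rep["proposal"], rep["id_type"], rep["id_payload_type"])
    print(verdict(rep))
```

On the posted debug this reports an accepted 3DES-CBC/MD5/group 2/pre-share policy with an 86400-second lifetime and an FQDN identity, so the proposal itself is not the problem; the first marker is "sa not found for ike msg", followed by "error, msg not encrypted". The later Main Mode messages are encrypted under the ISAKMP SA being negotiated, so a message arriving for an SA the responder no longer holds cannot be decrypted, which is consistent with JR's reading that the security association is what is failing rather than the policy match.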

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.