Site-to-Site VPN problem between PIX515E

Hi all,

I want to establish a VPN tunnel between 2 PIX515E, a site-to-site VPN.

I have used the wizard of the PDM. At first, the tunnel seems OK: I can ping hosts on the remote site, telnet, etc.

But sometimes, the tunnel seems to be down: I cannot ping remote hosts for example anymore.

I think that when there is no traffic through the tunnel, it's ok that the tunnel is down. And when I try to ping remote hosts, I think that the tunnel should turn to up. Is it correct?

I look in the logs and I notice that whenever I try to ping/telnet a remote host, I generate in statistics: "PIX pkts no sa (send)". No packets are encrypted.

Could someone tell me where the problem is?

------------------------------------------

More information with a debug crypto isakmp:

ISAKMP (0:0): sending NAT-T vendor ID - rev 2 & 3
ISAKMP (0): beginning Main Mode exchange
crypto_isakmp_process_block:src:remote-pix, dest:A.B.C.D spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 28800
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing vendor id payload
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:remote-pix, dest:A.B.C.D spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
ISAKMP (0): processing vendor id payload
ISAKMP (0): processing vendor id payload
ISAKMP (0): received xauth v6 vendor id
ISAKMP (0): processing vendor id payload
ISAKMP (0): speaking to another IOS box!
ISAKMP (0): processing vendor id payload
ISAKMP (0): speaking to a VPN3000 concentrator
ISAKMP (0): ID payload
        next-payload : 8
        type : 1
        protocol : 17
        port : 500
        length : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:remote-pix, dest:A.B.C.D spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): processing keep alive: proposal=32767/32767 sec., actual=600/10 sec.
ISAKMP (0): processing vendor id payload
ISAKMP (0): remote peer supports dead peer detection
ISAKMP (0): SA has been authenticated
ISAKMP (0): beginning Quick Mode exchange, M-ID of 1370673357:51b2d0cd
IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0x773f7309(2000646921) for SA from remote-pix to A.B.C.D for prot 3
return status is IKMP_NO_ERROR
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending NOTIFY message 24578 protocol 1
VPN Peer: ISAKMP: Added new peer: ip:remote-pix/500 Total VPN Peers:4
VPN Peer: ISAKMP: Peer ip:remote-pix/500 Ref cnt incremented to:1 Total VPN Peers:4
crypto_isakmp_process_block:src:remote-pix, dest:A.B.C.D spt:500 dpt:500

---------------------------------------------------------------

ISAKMP (0): processing NOTIFY payload 18 protocol 1 spi 0, message ID = 2482419244
return status is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block:src:remote-pix, dest:A.B.C.D spt:500 dpt:500
ISAKMP (0): processing DELETE payload. message ID = 2738261993, spi size = 16
ISAKMP (0): deleting SA: src A.B.C.D, dst remote-pix
return status is IKMP_NO_ERR_NO_TRANS
ISADB: reaper checking SA 0x10ffe3c, conn_id = 0 DELETE IT!
VPN Peer: ISAKMP: Peer ip:remote-pix/500 Ref cnt decremented to:0 Total VPN Peers:4
VPN Peer: ISAKMP: Deleted peer: ip:remote-pix/500 Total VPN peers:3
IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with remote-pix
ISADB: reaper checking SA 0x10d8c34, conn_id = 0
ISADB: reaper checking SA 0xfea484, conn_id = 0
ISADB: reaper checking SA 0x1106b14, conn_id = 0

Any idea, please?

khay.huynh
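One way to read a trace like the one in the post above, as an added example that is not part of the original post or of any Cisco tool: a small Python parser that reports how far the ISAKMP negotiation got and names the Notify error the peer returned. The function names and the event labels are assumptions made for this example; the Notify type names come from RFC 2408.

```python
import re

# Notify Message error types and their names, from RFC 2408 section 3.14.1.
NOTIFY_NAMES = {14: "NO-PROPOSAL-CHOSEN", 18: "INVALID-ID-INFORMATION",
                24: "AUTHENTICATION-FAILED"}
# Message fragments as they appear in the PIX debug output quoted in the post.
EVENTS = [
    ("phase1_authenticated", r"SA has been authenticated"),
    ("quick_mode_started", r"beginning Quick Mode exchange"),
    ("notify_received", r"processing NOTIFY payload (\d+)"),
    ("delete_received", r"processing DELETE payload"),
    ("ipsec_sas_deleted", r"delete all SAs shared with"),
]

def parse_events(trace):
    """Return (event, notify_code) pairs in order of occurrence.
    Matching is by offset, so messages run together on one line still parse."""
    found = []
    for name, pattern in EVENTS:
        for m in re.finditer(pattern, trace):
            code = int(m.group(1)) if m.groups() else None
            found.append((m.start(), name, code))
    return [(name, code) for _, name, code in sorted(found)]

def summarize(trace):
    """Classify how far the negotiation got and what the peer reported."""
    events = parse_events(trace)
    names = [name for name, _ in events]
    # RFC 2408: Notify types below 16384 are errors, higher ones are status.
    errors = [NOTIFY_NAMES.get(c, f"UNKNOWN-{c}")
              for name, c in events if name == "notify_received" and c < 16384]
    phase1 = "phase1_authenticated" in names
    if phase1 and "quick_mode_started" in names and errors:
        stage = "quick_mode_rejected_by_peer"
    else:
        stage = "phase1_ok" if phase1 else "phase1_incomplete"
    return {"stage": stage, "peer_errors": errors,
            "sas_deleted": "ipsec_sas_deleted" in names}

# Constructed sample: fragments copied from the debug output in the post.
# The "sending NOTIFY" line is outbound, so it is not counted as a peer error.
SAMPLE = """ISAKMP (0): SA has been authenticated
ISAKMP (0): beginning Quick Mode exchange, M-ID of 1370673357:51b2d0cd
ISAKMP (0): sending NOTIFY message 24578 protocol 1
ISAKMP (0): processing NOTIFY payload 18 protocol 1 spi 0, message ID = 2482419244
ISAKMP (0): processing DELETE payload. message ID = 2738261993, spi size = 16
IPSEC(key_engine_delete_sas): delete all SAs shared with remote-pix"""
```

Calling `summarize(SAMPLE)` reports the stage `quick_mode_rejected_by_peer` with the peer error `INVALID-ID-INFORMATION`; which identity the remote side rejected has to be confirmed from the remote PIX's own debug output.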

I answered (or tried to answer) the question on forum.cisco.com.

snipped-for-privacy@gmail.com wrote:

Vikas
