Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

no vpn after update from 6.34 to 7.02(2) interims release

Status
Not open for further replies.
Fritjof

Fritjof

Technical User
Aug 23, 2002
15
DE
I had a site to site ipsec vpn up and running perfectly well the last year.

Pix515e static IP <-> Pix501 dynamic IP (3DEs/MD5/DHG2)

Yesterday I did an upgrade to the 515e to 7.02(2). Everything went well accept the site to site connection. Its not working anymore.

Here are some infos from the 501 trying to build up the connection.

In the PDM monitoring in the IKE SAs I get the status MM_SA_SETUP.

And that are the IPSec details from the 501:

Details for HLNet/255.255.255.0/0/0 ITinside/255.255.255.0/0/0 at Fri Aug 26 22:05:09 CEST 2005

local ident (addr/mask/prot/port): (HLNet/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (ITinside/255.255.255.0/0/0)
current_peer: 213.xxx.xxx.66:0
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#pkts no sa (send) 366, #pkts invalid sa (rcv) 0
#pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
#pkts invalid prot (recv) 0, #pkts verify failed: 0
#pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
#pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
##pkts replay failed (rcv): 0
#pkts internal err (send): 0, #pkts internal err (recv) 0
local crypto endpt.: 213.xxx.xxx.37, remote crypto endpt.: 213.xxx.xxx.66
path mtu 1500, ipsec overhead 0, media mtu 1500
current outbound spi: 0


Is anybody here with the same problems after the upgrade ? Any hints ?



best regards

Fritjof
 
Sort by date Sort by votes
My site to site survived the upgrade. Why don't you post your config. Or is it working now?


*****************

What's ADD again?
 
Upvote 0 Downvote
Like I said, my site to site is still working great, but I had an issue with the Client based VPNs--which I resolved. I have info on how to fix that if you need.


*****************

What's ADD again?
 
Upvote 0 Downvote
Not on the site to site--it just survived the code translation. I'll dig out the commands referencing it though and paste them so you can compare.


*****************

What's ADD again?
 
Upvote 0 Downvote
I'm still getting comfortable with ver 7.x, but I think these are all the related commands.


access-list 101 extended permit ip X.Y.2.0 255.255.255.0 host Doc400_Server
access-list 101 extended permit ip X.Y.2.0 255.255.255.0 host SAS_Query_Server
access-list 101 remark The previous 2 lines are for XXX to YYY VPN access

access-list 220 extended permit ip X.Y.2.0 255.255.255.0 host Doc400_Server
access-list 220 extended permit ip X.Y.2.0 255.255.255.0 host SAS_Query_Server
access-list 220 remark states what traffic is allowed through the XXX VPN

nat (inside) 0 access-list 101


crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto ipsec transform-set myset1 esp-3des esp-md5-hmac
crypto dynamic-map dynmap 90 set transform-set myset
crypto map newmap 10 match address 220
crypto map newmap 10 set peer Z.R.C.94
crypto map newmap 10 set transform-set myset1
crypto map newmap 90 ipsec-isakmp dynamic dynmap
crypto map newmap interface outside
isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
isakmp policy 30 authentication rsa-sig
isakmp policy 30 encryption des
isakmp policy 30 hash sha
isakmp policy 30 group 1
isakmp policy 30 lifetime 86400
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400 This policy 65535 is new--I didn't create it.
isakmp nat-traversal 15


tunnel-group DefaultRAGroup type ipsec-ra
tunnel-group DefaultRAGroup general-attributes
authentication-server-group (outside) none
tunnel-group Z.R.C.94 type ipsec-l2l
tunnel-group Z.R.C.94 ipsec-attributes
pre-shared-key *

class-map inspection_default
match default-inspection-traffic


Roland


*****************

What's ADD again?
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Sameer258
  • Locked
  • Question
Need Help to Find ip and mac address with email who one open my email
Replies
0
Views
283
Sameer258
Sameer258
Sparrow4
  • Locked
  • Question
Configure Avaya IPO R11 / VM Pro + Office365 or Exchange for voicemail to email
Replies
2
Views
301
Johnkite
Johnkite
intel233
  • Locked
  • Question
Cisco ASA - VPN Question
Replies
6
Views
297
intel233
intel233
Tommy_T
  • Locked
  • Question
Sonic wall - Have an issue remotely connectioning VNC and SMB (and AFP) to one of the 2 ISP circuits
Replies
1
Views
245
nnaarrnn
nnaarrnn
ISDPCMAN
  • Locked
  • Question
RDP fails over VPN
Replies
1
Views
128
gkittelson
gkittelson

Part and Inventory Search

Sponsor

Back
Top