Question

PIX VPN QM_IDLE

Asked by: Pentrix2

I am in the process of creating a VPN tunnel through a PIX 515 to a PIX 501.  Both ends show the state of QM_IDLE.  What does this mean, and shouldn't it show connected instead?  I'm pretty sure I got my configuration on both ends correctly.


Asked on: 2005-06-16 at 03:47:28 (ID 21460181)
Tags: qm_idle
Topics: Network Software Firewalls, Cisco PIX Firewall, Enterprise Firewalls
Participating Experts: 4
Points: 500
Comments: 16


Answers

 

by: lrmoore, posted on 2005-06-16 at 04:06:48, ID: 14229675

QM_IDLE is exactly what you want to see. This is PIX's way of letting you know that Phase I is complete, the tunnel is ready.
I guess something like "connected" would be too obvious for Cisco..

 

by: Pentrix2, posted on 2005-06-16 at 04:08:32, ID: 14229684

At this point shouldn't the PIX 501 network be able to ping any routers or telnet to them on the PIX 515 network side?

 

by: lrmoore, posted on 2005-06-16 at 04:16:22, ID: 14229761

That depends. The PIXes know how to talk to each other, but does the router behind the PIX515 know how to route back to the subnet behind the 501?
Also, you must test from an actual workstation behind the 501 to an actual workstation/server behind the 515. You can't do it from the PIX console.

Take a look at phase 2 with "sho cry ip sa" and look for encap/decap counters and error counters

 

by: Pentrix2, posted on 2005-06-16 at 04:21:02, ID: 14229786

Here's a copy of my PIX 515 sho cry ip sa output.  Is this a good or bad result?  And I can't find the encap/decap counters and error counters either.

PIX01# sh cry ip sa


interface: outside
    Crypto map tag: VPNMAP, local addr. 65.125.12.14

   local  ident (addr/mask/prot/port): (SUBNET_1/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (SUBNET_2/255.255.255.0/0/0)
   current_peer: 66.93.55.119:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 209, #pkts decrypt: 209, #pkts verify 209
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 65.125.12.14, remote crypto endpt.: 66.93.55.119
     path mtu 1500, ipsec overhead 56, media mtu 1500
     current outbound spi: f539d588

     inbound esp sas:
      spi: 0x2b68a50f(728278287)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 3, crypto map: VPNMAP
        sa timing: remaining key lifetime (k/sec): (4608000/12872)
        IV size: 8 bytes
        replay detection support: Y


     inbound ah sas:


     inbound pcp sas:


     outbound esp sas:
      spi: 0xf539d588(4114208136)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 4, crypto map: VPNMAP
        sa timing: remaining key lifetime (k/sec): (4608000/12836)
        IV size: 8 bytes
        replay detection support: Y


     outbound ah sas:


     outbound pcp sas:


PIX01#

 

by: harbor235, posted on 2005-06-16 at 04:27:04, ID: 14229814

It just means that the security association is built but at the current time it is idle (not encrypting or decrypting packets). The other information you left out concerning the status is the ipsec peer addresses which shows that the ipsec tunnel is active.

harbor235

 

by: Pentrix2, posted on 2005-06-16 at 04:43:28, ID: 14229945

65.125.12.14 is the PIX 515 which I got the below output from.  And 66.93.55.119 is the PIX 501 output.  Did I do this correctly?


PIX01(config)# sh cry isak sa
Total     : 1
Embryonic : 0
        dst               src        state     pending     created
   65.125.12.14     66.93.55.119    QM_IDLE         0           3
PIX01(config)#

 

by: lrmoore, posted on 2005-06-16 at 04:46:54, ID: 14229975

>#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
>#pkts decaps: 209, #pkts decrypt: 209, #pkts verify 209

Decaps with no encaps. Looks like a routing issue or an acl issue on your 501. Is the 501 inside IP the local default gateway?
Did you apply a nat_0 acl to the nat process?
Take a look at "show access-list" and see if the hit counters are increasing on your vpn traffic defining acls and/or your nat_0 acl..
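A small parser for this asymmetric-counter check, added here as an example and not part of the thread: it reads "sh cry ip sa" output (a constructed sample modelled on the output above, with documentation-range peer addresses) and classifies each SA the way lrmoore reads it, so a decaps-only entry is flagged as a local return-route or nat 0 ACL problem rather than a crypto problem.

```python
import re

# Constructed sample modelled on the "sh cry ip sa" output posted above (peer IPs substituted).
SAMPLE = """\
interface: outside
    Crypto map tag: VPNMAP, local addr. 192.0.2.14
   local  ident (addr/mask/prot/port): (192.168.85.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer: 198.51.100.119:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 209, #pkts decrypt: 209, #pkts verify 209
    #send errors 0, #recv errors 0
"""

def parse_ipsec_sa(text):
    """Return one dict per crypto-map entry: proxy identities and counters."""
    entries, cur = [], None
    for line in text.splitlines():
        m = re.search(r"local\s+ident.*?\(([\d.]+)/([\d.]+)/", line)
        if m:  # a new entry starts at its local proxy identity
            cur = {"local": m.group(1), "remote": None, "encaps": 0,
                   "decaps": 0, "send_err": 0, "recv_err": 0}
            entries.append(cur)
            continue
        if cur is None:
            continue
        for key, pat in (("remote", r"remote ident.*?\(([\d.]+)/"),
                         ("encaps", r"#pkts encaps: (\d+)"),
                         ("decaps", r"#pkts decaps: (\d+)")):
            m = re.search(pat, line)
            if m:
                cur[key] = m.group(1) if key == "remote" else int(m.group(1))
        m = re.search(r"#send errors (\d+), #recv errors (\d+)", line)
        if m:
            cur["send_err"], cur["recv_err"] = int(m.group(1)), int(m.group(2))
    return entries

def diagnose(entry):
    """Classify an entry's traffic pattern the way the thread reads it."""
    if entry["send_err"] or entry["recv_err"]:
        return "errors"          # look at the error counters first
    if entry["encaps"] and entry["decaps"]:
        return "bidirectional"   # tunnel passing traffic both ways
    if entry["decaps"] and not entry["encaps"]:
        return "decaps-only"     # peer's packets arrive, nothing returns: local route / nat 0 ACL
    if entry["encaps"] and not entry["decaps"]:
        return "encaps-only"     # we send, nothing comes back: check the far side
    return "idle"                # SA is up (QM_IDLE) but no interesting traffic yet
```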

 

by: Pentrix2, posted on 2005-06-16 at 06:03:46, ID: 14230620

Yes, on both sides I issue a "nat (inside) 0 access-list ACL_VPN1"

When I do a sh nat here is my output:

PIX01# sh nat
nat (inside) 0 access-list ACL_VPN1
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
PIX01#

I thought from my PIX 515 (192.168.85.0) it would say the below but it's not??

nat (inside) 0 access-list ACL_VPN1
nat (inside) 1 192.168.85.0 255.255.255.0 0 0

 

by: Pentrix2, posted on 2005-06-16 at 06:04:28, ID: 14230626

Yes, the hit counters are increasing.  Now it's at 192.

 

by: lrmoore, posted on 2005-06-16 at 06:21:37, ID: 14230796

>I thought from my PIX 515 (192.168.85.0) it would say the below but it's not??
>nat (inside) 0 access-list ACL_VPN1

Did you define the ACL_VPN1? Did you define a separate one for the VPN tunnel match traffic? Even though they are identical today, it is easier to grow, and besides I don't like assigning the same acl to two different processes (nat and crypto)
Given on 501 local lan = 192.168.1.x
Given on 515 local lan = 192.168.85.0

501:
access-list nat_zero permit ip 192.168.1.0 255.255.255.0 192.168.85.0 255.255.255.0
access-list ACL_VPN1 permit ip 192.168.1.0 255.255.255.0 192.168.85.0 255.255.255.0
nat (inside) 0 access-list nat_zero

The ACL_VPN1 is still applied as a match statement in the crypto map

515: mirror image
access-list nat_zero permit ip 192.168.85.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list ACL_VPN1 permit ip 192.168.85.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list nat_zero

 

by: tim_holman, posted on 2005-06-16 at 07:20:10, ID: 14231391

If packets are only being encrypted one way, this means your VPN config is fine, but your routing config is not.  I suspect your internal network has no idea how to get to the remote network, and you need to add a route to your default gateway to point to the PIX.
Do you have something that looks like this?

PIX 501
|
Internet
|
PIX 515
|
ROUTER
|
Inside

 

by: Pentrix2, posted on 2005-06-16 at 08:01:08, ID: 14231926

Correct.  Let me do it like this


Workstation
|
PIX 501
|
DSL Modem
|
Internet
|
GW Router
|
PIX 515
|
Catalyst switch
|
Workstation

 

by: Pentrix2, posted on 2005-06-16 at 08:41:16, ID: 14232451

My mistake.  Let me redo this:


Workstation
|
PIX 501
|
DSL Modem
|
Internet
|
GW Router
|
Cisco FastHub 400     <-------
|
PIX 515
|
Catalyst switch
|
Workstation

 

by: tim_holman, posted on 2005-06-16 at 18:06:37, ID: 14236773

Is there any routing on the Catalyst switch going on ?
If routing's all OK, then perhaps NAT is causing the problem...?
If the VPN config was screwed, then phase 1 and phase 2 wouldn't even come up, so this usually means your config is OK.

 

by: lrmoore, posted on 2005-06-16 at 18:22:06, ID: 14236824

>If routing's all OK, then perhaps NAT is causing the problem...?
My thoughts exactly, which led me to validate the access-lists and to separate the crypto match and the nat 0 acls..

 

by: shirkkan, posted on 2005-06-18 at 03:52:30, ID: 14247913

How about posting the config with scrambled IP addresses? In most cases it's something you forgot or something that's easily overlooked. What's in your logs - any denies? Then the ACL may be wrong. Don't just look at the nat 0 ACL - if you have a LAN->internet outgoing ACL you need to allow traffic to the other side too.

Anyway, posting the config would help.
