03.12.2008 at 06:09PM PDT, ID: 23237279

PIX site-to-site VPN connection with 851 router

Tags: Cisco, PIX, 515, PIX site-to-site VPN connection with 851 router
Hello,
I'm trying to set up an IPSec VPN tunnel between a PIX 515 and a Cisco 851 Router.  I can't get the tunnel to work.  Below is the VPN information from the router and PIX.  Am I missing something?  (The outside IPs have been x'ed out)


PIX ver 6.3(5):

sysopt connection permit-ipsec
crypto ipsec transform-set thunder esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto map remote 10 ipsec-isakmp
crypto map remote 10 match address nonat
crypto map remote 10 set peer x.x.x.x                  <= x.x.x.x  is router address
crypto map remote 10 set transform-set thunder
crypto map remote interface outside
isakmp enable outside
isakmp key ******** address x.x.x.x netmask 255.255.255.255
isakmp identity address
isakmp policy 8 authentication pre-share
isakmp policy 8 encryption 3des
isakmp policy 8 hash sha
isakmp policy 8 group 1
isakmp policy 8 lifetime 86400

nat (inside) 0 access-list nonat
access-list nonat permit ip 10.1.5.0 255.255.252.0 10.1.30.0 255.255.255.0



Router:

interface FastEthernet4
 description Internet connection
 ip address x.x.x.x  255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map avalanche

crypto isakmp policy 1
 encr 3des
 hash sha
 authentication pre-share
 group 2
crypto isakmp key ******** address x.x.x.x                  <= x.x.x.x is PIX address
!
!
crypto ipsec transform-set avalanche esp-3des esp-sha-hmac
!
crypto map avalanche 1 ipsec-isakmp
 description Tunnel to HQ
 set peer x.x.x.x                              <= x.x.x.x is PIX address
 set transform-set avalanche
 match address 101

ip nat inside source route-map RMAP interface FastEthernet4 overload

route-map RMAP permit 1
 match ip address 102

access-list 101 remark IPSec Rule
access-list 101 permit ip 10.1.30.0 0.0.0.255 10.1.5.0 0.0.3.255
access-list 102 remark route-map rule
access-list 102 deny   ip 10.109.30.0 0.0.0.255 10.1.5.0 0.0.3.255
access-list 102 permit ip 10.109.30.0 0.0.0.255 any


Debug information from router:

*Mar 11 19:19:02.987: ISAKMP:(0): SA request profile is (NULL)
*Mar 11 19:19:02.987: ISAKMP: Created a peer struct for x.x.x.x, peer port 500
*Mar 11 19:19:02.987: ISAKMP: New peer created peer = 0x82E13234 peer_handle = 0x80000052
*Mar 11 19:19:02.991: ISAKMP: Locking peer struct 0x82E13234, refcount 1 for isakmp_initiator
*Mar 11 19:19:02.991: ISAKMP: local port 500, remote port 500
*Mar 11 19:19:02.991: ISAKMP: set new node 0 to QM_IDLE      
*Mar 11 19:19:02.991: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 82C01C44
*Mar 11 19:19:02.991: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Mar 11 19:19:02.991: ISAKMP:(0):found peer pre-shared key matching x.x.x.x
*Mar 11 19:19:02.991: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Mar 11 19:19:02.991: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Mar 11 19:19:02.991: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Mar 11 19:19:02.991: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Mar 11 19:19:02.991: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Mar 11 19:19:02.991: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1

*Mar 11 19:19:02.991: ISAKMP:(0): beginning Main Mode exchange
*Mar 11 19:19:02.991: ISAKMP:(0): sending packet to x.x.x.x my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 11 19:19:02.991: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Mar 11 19:19:03.059: ISAKMP (0:0): received packet from x.x.x.x dport 500 sport 500 Global (I) MM_NO_STATE
*Mar 11 19:19:03.059: ISAKMP:(0):Notify has no hash. Rejected.
*Mar 11 19:19:03.059: ISAKMP (0:0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY:  state = IKE_I_MM1
*Mar 11 19:19:03.059: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Mar 11 19:19:03.059: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM1

*Mar 11 19:19:03.059: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at x.x.x.x
*Mar 11 19:19:12.991: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Mar 11 19:19:12.991: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Mar 11 19:19:12.991: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Mar 11 19:19:12.991: ISAKMP:(0): sending packet to x.x.x.x my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 11 19:19:12.991: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Mar 11 19:19:22.991: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Mar 11 19:19:22.991: ISAKMP (0:0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Mar 11 19:19:22.991: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Mar 11 19:19:22.991: ISAKMP:(0): sending packet to x.x.x.x my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 11 19:19:22.991: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Mar 11 19:19:32.987: IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= x.x.x.x, remote= x.x.x.x,
    local_proxy= 10.1.30.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 10.1.5.0/255.255.252.0/0/0 (type=4)
*Mar 11 19:19:32.987: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= x.x.x.x, remote= x.x.x.x,
    local_proxy= 10.1.30.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 10.1.5.0/255.255.252.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-sha-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Mar 11 19:19:32.987: ISAKMP: set new node 0 to QM_IDLE      
*Mar 11 19:19:32.987: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local x.x.x.x, remote x.x.x.x)
*Mar 11 19:19:32.987: ISAKMP: Error while processing SA request: Failed to initialize SA
*Mar 11 19:19:32.987: ISAKMP: Error while processing KMI message 0, error 2.
*Mar 11 19:19:32.991: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Mar 11 19:19:32.991: ISAKMP (0:0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
*Mar 11 19:19:32.991: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Mar 11 19:19:32.991: ISAKMP:(0): sending packet to x.x.x.x my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 11 19:19:32.991: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Mar 11 19:19:42.991: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Mar 11 19:19:42.991: ISAKMP (0:0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
*Mar 11 19:19:42.991: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Mar 11 19:19:42.991: ISAKMP:(0): sending packet to x.x.x.x my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 11 19:19:42.991: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Mar 11 19:19:47.271: ISAKMP:(0):purging node 147234572
*Mar 11 19:19:47.271: ISAKMP:(0):purging node 2120078446
*Mar 11 19:19:52.991: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Mar 11 19:19:52.991: ISAKMP (0:0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
*Mar 11 19:19:52.991: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Mar 11 19:19:52.991: ISAKMP:(0): sending packet to x.x.x.x my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 11 19:19:52.991: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Mar 11 19:19:57.271: ISAKMP:(0):purging SA., sa=82E1282C, delme=82E1282C
*Mar 11 19:20:02.987: IPSEC(key_engine): request timer fired: count = 2,
  (identity) local= x.x.x.x, remote= x.x.x.x,
    local_proxy= 10.1.30.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 10.1.5.0/255.255.252.0/0/0 (type=4)
*Mar 11 19:20:02.991: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Mar 11 19:20:02.991: ISAKMP:(0):peer does not do paranoid keepalives.
*Mar 11 19:20:02.991: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Mar 11 19:20:02.991: ISAKMP:(0):peer does not do paranoid keepalives.

*Mar 11 19:20:02.991: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer x.x.x.x)
*Mar 11 19:20:02.991: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer x.x.x.x)
*Mar 11 19:20:02.991: ISAKMP: Unlocking peer struct 0x82E13234 for isadb_mark_sa_deleted(), count 0
*Mar 11 19:20:02.991: ISAKMP: Deleting peer node by peer_reap for x.x.x.x: 82E13234
*Mar 11 19:20:02.991: ISAKMP:(0):deleting node 1689572035 error FALSE reason "IKE deleted"
*Mar 11 19:20:02.991: ISAKMP:(0):deleting node -1742316464 error FALSE reason "IKE deleted"
*Mar 11 19:20:02.991: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Mar 11 19:20:02.991: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_DEST_SA

Question Stats
Zone: Software
Question Asked By: steno1122
Solution Provided By: batry_boy
Participating Experts: 1
Solution Grade: A
Views: 134
03.12.2008 at 06:19PM PDT, ID: 21112552

Rank: Sage

Your DH groups don't match on the Phase 1 (isakmp) policies.  Put in these commands on the router:

crypto isakmp policy 1
 group 1

Then it will match what you have configured on the PIX...try that and see if it helps...
Accepted Solution
 
03.12.2008 at 06:20PM PDT, ID: 21112556
 
03.13.2008 at 11:37AM PDT, ID: 21119304
Batry Boy,
Thank you for the advice.  Adding group 1 to the router fixed the problem.  The tunnel is now established but traffic won't pass across it.  The access-lists on both the router and PIX are being hit but I can't access anything on either side of the tunnel.  Any ideas?  

The configuration is the same as in my original post except I added group 1 to the router.

Thanks!
 
03.13.2008 at 12:25PM PDT, ID: 21119857

Rank: Sage

Cisco recommends that you use separate ACLs when defining the NAT exemption traffic and the ACL defining the traffic to be sent down the tunnel.  You are currently using the "nonat" ACL on the PIX for both purposes, so I would do the following:

access-list outside_1_cryptomap permit ip 10.1.5.0 255.255.252.0 10.1.30.0 255.255.255.0
no crypto map remote 10 match address nonat
crypto map remote 10 match address outside_1_cryptomap
clear crypto isakmp sa
clear crypto ipsec sa

then try to pass traffic across the tunnel and see what you get.  Be advised that the last two commands will kill any existing VPN connections, whether they are remote users or other site-to-site VPN connections.  Therefore, unless you know that there are no other VPN connections, you may want to check to see if there are any currently with the following command:

show crypto isakmp sa
 
03.13.2008 at 12:42PM PDT, ID: 21120068
Thank you for the other quick reply.  I created another access list and made the changes you suggested.  I am still unable to ping or connect to anything on the other side of the tunnel.  What is confusing is that the ACLs are being hit.  I'm baffled.  Do you have any other suggestions or recommendations?

Thanks for your help with this.  I greatly appreciate it.

access-list ipsec permit ip 10.1.5.0 255.255.252.0 10.1.30.0 255.255.255.0
access-list nonat permit ip 10.1.5.0 255.255.252.0 10.1.30.0 255.255.255.0

crypto ipsec transform-set thunder esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto map remote 10 ipsec-isakmp
crypto map remote 10 match address ipsec
crypto map remote 10 set peer x.x.x.x                  
crypto map remote 10 set transform-set thunder

access-list ipsec; 1 elements
access-list ipsec line 1 permit ip 10.1.5.0 255.255.252.0 10.1.30.0 255.255.255.0 (hitcnt=16)
access-list nonat; 1 elements
access-list nonat line 1 permit ip 10.1.5.0 255.255.252.0 10.1.30.0 255.255.255.0 (hitcnt=136)
 
03.13.2008 at 12:54PM PDT, ID: 21120184

Rank: Sage

I just noticed this line in your router config:

access-list 102 deny   ip 10.109.30.0 0.0.0.255 10.1.5.0 0.0.3.255

I believe that you need to deny the defined tunnel traffic so that it is exempted from the NAT process.  Add the following lines to the router and see if this helps:

no access-list 102
access-list 102 remark route-map rule
access-list 102 deny   ip 10.1.30.0 0.0.0.255 10.1.5.0 0.0.3.255
access-list 102 permit ip 10.1.30.0 0.0.0.255 any
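
The three things this thread checked by hand (the phase-1 proposal match from the accepted solution, mirrored crypto ACLs on the two peers, and the router's NAT-exemption deny covering the tunnel traffic) can be checked by script. The following Python is an added example, not code from the thread or from Cisco; it runs over constructed excerpts of the two posted configurations, with the x.x.x.x peer lines omitted, takes the ACL names from the `match address` / `match ip address` lines, and reads only the explicitly configured policy attributes (platform defaults are not filled in).

```python
import re
import ipaddress

# Constructed excerpts of the two configs posted in this thread; x.x.x.x peer lines omitted.
PIX_CONFIG = """
isakmp policy 8 authentication pre-share
isakmp policy 8 encryption 3des
isakmp policy 8 hash sha
isakmp policy 8 group 1
access-list nonat permit ip 10.1.5.0 255.255.252.0 10.1.30.0 255.255.255.0
crypto map remote 10 match address nonat
"""
IOS_CONFIG = """
crypto isakmp policy 1
 encr 3des
 hash sha
 authentication pre-share
 group 2
crypto map avalanche 1 ipsec-isakmp
 match address 101
route-map RMAP permit 1
 match ip address 102
access-list 101 permit ip 10.1.30.0 0.0.0.255 10.1.5.0 0.0.3.255
access-list 102 deny   ip 10.109.30.0 0.0.0.255 10.1.5.0 0.0.3.255
access-list 102 permit ip 10.109.30.0 0.0.0.255 any
"""
ATTRS = ("authentication", "encryption", "hash", "group")

def pix_isakmp_policies(cfg):
    """PIX 6.3 style: one attribute per 'isakmp policy <n> <attr> <value>' line."""
    pol = {}
    for num, attr, val in re.findall(r"^isakmp policy (\d+) (\S+) (\S+)", cfg, re.M):
        pol.setdefault(int(num), {})[attr] = val
    return pol

def ios_isakmp_policies(cfg):
    """IOS style: 'crypto isakmp policy <n>' plus indented attribute lines (explicit only)."""
    pol, cur = {}, None
    for line in cfg.splitlines():
        if line.startswith("crypto isakmp policy "):
            cur = pol.setdefault(int(line.split()[3]), {})
        elif line.startswith(" ") and cur is not None:
            attr, val = line.split()[:2]
            cur["encryption" if attr == "encr" else attr] = val  # IOS abbreviates 'encr'
        else:
            cur = None  # any other top-level line ends the policy block
    return pol

def phase1_diffs(pix, ios):
    """Per PIX/IOS policy pair, the attributes that differ; {} means that pair matches."""
    return {(p, i): {a: (pp.get(a), ip.get(a)) for a in ATTRS if pp.get(a) != ip.get(a)}
            for p, pp in pix.items() for i, ip in ios.items()}

def to_net(addr, mask, wildcard=False):
    """Network from a PIX subnet mask or an IOS wildcard mask; strict=False normalises
    entries with host bits set, e.g. 10.1.5.0 255.255.252.0 -> 10.1.4.0/22."""
    if wildcard:
        mask = ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(mask)))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def acl(cfg, name, action="permit", wildcard=False):
    """[(src_net, dst_net)] for one ACL's 'ip' entries; 'any' entries are skipped."""
    pat = rf"^access-list {name} {action}\s+ip (\S+) (\S+) (\S+) (\S+)$"
    return [(to_net(s, sm, wildcard), to_net(d, dm, wildcard))
            for s, sm, d, dm in re.findall(pat, cfg, re.M)]

def nat_exempt_gaps(crypto_aces, deny_aces):
    """Crypto ACEs no NAT-exemption deny entry covers: that traffic is translated to the
    outside address before the crypto map sees it, so it never enters the tunnel."""
    return [(s, d) for s, d in crypto_aces
            if not any(s.subnet_of(ds) and d.subnet_of(dd) for ds, dd in deny_aces)]

def check(pix_cfg, ios_cfg):
    pix_crypto = acl(pix_cfg, re.search(r"match address (\S+)", pix_cfg).group(1))
    ios_crypto = acl(ios_cfg, re.search(r"match address (\S+)", ios_cfg).group(1), wildcard=True)
    nat_deny = acl(ios_cfg, re.search(r"match ip address (\S+)", ios_cfg).group(1), "deny", True)
    diffs = phase1_diffs(pix_isakmp_policies(pix_cfg), ios_isakmp_policies(ios_cfg))
    return {"phase1_match": any(not d for d in diffs.values()), "phase1_diffs": diffs,
            # crypto ACLs must be exact mirrors: PIX src/dst == IOS dst/src
            "acl_mirrored": sorted(pix_crypto) == sorted((d, s) for s, d in ios_crypto),
            "nat_exempt_gaps": nat_exempt_gaps(ios_crypto, nat_deny)}
```

On the posted configs `check` reports the group 1 / group 2 mismatch, confirms the crypto ACLs mirror each other, and lists 10.1.30.0/24 -> 10.1.4.0/22 as tunnel traffic that ACL 102 does not exempt from NAT, because the deny entry names 10.109.30.0 instead.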

 
03.14.2008 at 07:38AM PDT, ID: 21125904
The access list entries you mentioned were already in the config

access-list 102 remark route-map rule
access-list 102 deny   ip 10.109.30.0 0.0.0.255 10.1.5.0 0.0.3.255
access-list 102 permit ip 10.109.30.0 0.0.0.255 any

I'm still scratching my head on this one.  As I mentioned, the tunnel is up, the ACLs are getting hit but I can't get any traffic to cross the tunnel.  There are no ACLs on the router or PIX that would be preventing any traffic flow.  I'm baffled.
 
03.14.2008 at 07:41AM PDT, ID: 21125941

Rank: Sage

You may want to take a look at the "sh cryp ip sa" output to see the number of packets being encrypted and decrypted, and then encapsulated and decapsulated for the SA that is related to this particular tunnel.  If you have multiple tunnels (other site-to-site tunnels or remote access tunnels), then you will get the output of all of those tunnels, so be sure and just look at the one that is for your specific tunnel peer in question.
 
03.14.2008 at 08:02AM PDT, ID: 21126158
There is only one VPN connection.  The tunnel just reconnected.  Below is the output.  I have no clue why traffic won't traverse the tunnel.  I x'ed out the outside IPs.

CORP-PIX-1#  show crypto isakmp sa
Total     : 1
Embryonic : 0
        dst               src         state           pending     created
        x.x.x.x        x.x.x.x    QM_IDLE         0           1
CORP-PIX-1#  show crypto ipsec sa


interface: outside
    Crypto map tag: thunder, local addr. x.x.x.x

   local  ident (addr/mask/prot/port): (10.1.5.0/255.255.252.0/0/0)
   remote ident (addr/mask/prot/port): (10.1.30.0/255.255.255.0/0/0)
   current_peer: x.x.x.x:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 409, #pkts encrypt: 409, #pkts digest 409
    #pkts decaps: 247, #pkts decrypt: 247, #pkts verify 247
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: x.x.x.x, remote crypto endpt.: x.x.x.x
     path mtu 1500, ipsec overhead 56, media mtu 1500
     current outbound spi: 5b18e900

     inbound esp sas:
      spi: 0xcdcad249(3452621385)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 1, crypto map: thunder
        sa timing: remaining key lifetime (k/sec): (4607967/3233)
        IV size: 8 bytes
        replay detection support: Y


     inbound ah sas:


     inbound pcp sas:


     outbound esp sas:
      spi: 0x5b18e900(1528359168)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2, crypto map: thunder
        sa timing: remaining key lifetime (k/sec): (4607604/3224)
        IV size: 8 bytes
        replay detection support: Y


     outbound ah sas:


     outbound pcp sas:





 
03.14.2008 at 08:10AM PDT, ID: 21126240

Rank: Sage

This shows that traffic IS traversing the tunnel:

#pkts encaps: 409, #pkts encrypt: 409, #pkts digest 409
#pkts decaps: 247, #pkts decrypt: 247, #pkts verify 247

The "pkts encaps" and "pkts encrypt" values are the packets that are going down the tunnel from the PIX to the remote site, and the "pkts decaps" and "pkts decrypt" values are the packets coming from the remote site to the PIX.

If there was an ACL blocking the traffic, these numbers wouldn't be incrementing because the ACL's are checked before the traffic is allowed into the tunnel.  How are you testing the traffic through the tunnel?
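
The counter reading described above, as an added Python example that is not part of the thread: it parses PIX `show crypto ipsec sa` output into per-SA encaps/decaps counters and compares two readings to tell whether traffic is flowing out, in, both ways or not at all. The first snapshot is constructed from the numbers in the post above (x.x.x.x stands in for the outside address); the later readings are assumed.

```python
import re

# Constructed from the 'show crypto ipsec sa' output posted above; x.x.x.x stands in for
# the real outside address, as in the thread.  SNAPSHOT_2 and SNAPSHOT_OUT_ONLY are
# assumed later readings of the same SA.
SNAPSHOT_1 = """
interface: outside
    Crypto map tag: thunder, local addr. x.x.x.x

   local  ident (addr/mask/prot/port): (10.1.5.0/255.255.252.0/0/0)
   remote ident (addr/mask/prot/port): (10.1.30.0/255.255.255.0/0/0)
   current_peer: x.x.x.x:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 409, #pkts encrypt: 409, #pkts digest 409
    #pkts decaps: 247, #pkts decrypt: 247, #pkts verify 247
    #pkts compressed: 0, #pkts decompressed: 0
    #send errors 0, #recv errors 0
"""
SNAPSHOT_2 = SNAPSHOT_1.replace("409", "431").replace("247", "260")  # both counters moved
SNAPSHOT_OUT_ONLY = SNAPSHOT_1.replace("409", "431")                 # only encaps moved

# One SA entry: identities, peer, then the encaps/decaps and error counters, in PIX order.
SA_RE = re.compile(
    r"local\s+ident \(addr/mask/prot/port\): \(([^)]+)\).*?"
    r"remote ident \(addr/mask/prot/port\): \(([^)]+)\).*?"
    r"current_peer: (\S+).*?"
    r"#pkts encaps: (\d+), #pkts encrypt: (\d+).*?"
    r"#pkts decaps: (\d+), #pkts decrypt: (\d+).*?"
    r"#send errors (\d+), #recv errors (\d+)", re.S)

def parse_ipsec_sa(output):
    """Map (peer, local ident, remote ident) -> counters for every SA in the output."""
    sas = {}
    for m in SA_RE.finditer(output):
        local, remote, peer, *nums = m.groups()
        enc, encr, dec, decr, serr, rerr = map(int, nums)
        sas[(peer, local, remote)] = {"encaps": enc, "encrypt": encr, "decaps": dec,
                                      "decrypt": decr, "send_err": serr, "recv_err": rerr}
    return sas

def diagnose(before, after):
    """Per SA, the counter deltas between two readings and what they imply.  encaps/encrypt
    count packets leaving the PIX for the peer, decaps/decrypt packets arriving from it."""
    verdicts = {}
    for key, new in after.items():
        old = before.get(key, dict.fromkeys(new, 0))  # SA absent earlier: count from zero
        d_out, d_in = new["encaps"] - old["encaps"], new["decaps"] - old["decaps"]
        if d_out and d_in:
            why = "both directions flow: the tunnel carries traffic, look past it (hosts, routes)"
        elif d_out:
            why = "outbound only: nothing comes back, check routing/NAT/filters on the far side"
        elif d_in:
            why = "inbound only: this side is not sending, check local NAT exemption/routing"
        else:
            why = "no change: traffic never reaches the crypto map (ACL or NAT ahead of it)"
        if new["send_err"] > old["send_err"] or new["recv_err"] > old["recv_err"]:
            why += "; send/recv errors increased"
        verdicts[key] = {"out": d_out, "in": d_in, "verdict": why}
    return verdicts
```

With several tunnels the dictionary key keeps each peer's SA apart, which is the "look only at your peer" point made above.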
 
03.14.2008 at 08:15AM PDT, ID: 21126279
I'm pinging equipment on the other side of the tunnel.  I've also tried to Remote Desktop to a PC and telnet to an open port on a device.
 
 