Pix to Pix Vpn Problem

Wandering_Wizard asked on
Software Firewalls, Cisco
I have set up a VPN between 2 PIXs; the configuration was tested in the office. But by the time it was implemented, the configuration of the main PIX had been changed to permit a DES VPN as well as the 3DES.

When you connect from the remote site, the connection fails (I haven't been able to try from the HO).
On receiving interesting data the remote site tries to initiate the VPN, tries to do the isa key exchange and then fails.

The following is the debug trace (IPs changed to protect the innocent!). Does anyone know what "ISAKMP: reserved not zero on payload 5!" means?

=====Debug from HO site=============
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 1
ISAKMP:      auth pre-share
ISAKMP (0): atts are acceptable. Next payload is 3
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src 10.0.0.1, dest 172.16.1.1
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

ISAKMP (0): processing vendor id payload

ISAKMP (0): processing vendor id payload

ISAKMP (0): remote peer supports dead peer detection

ISAKMP (0): processing vendor id payload

ISAKMP (0): speaking to another IOS box!

return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src 10.0.0.1, dest 172.16.1.1
ISAKMP: reserved not zero on payload 5!
crypto_isakmp_process_block: src 10.0.0.1, dest 172.16.1.1
ISAKMP: reserved not zero on payload 5!
ISADB: reaper checking SA 0x80d61c20, conn_id = 0
crypto_isakmp_process_block: src 10.0.0.1, dest 172.16.1.1
ISAKMP: reserved not zero on payload 5!
ISAKMP (0): deleting SA: src 10.0.0.1, dst 172.16.1.1
ISADB: reaper checking SA 0x80d61c20, conn_id = 0  DELETE IT!

VPN Peer: ISAKMP: Peer ip:10.0.0.1 Ref cnt decremented to:0 Total VPN Peers:1
VPN Peer: ISAKMP: Deleted peer: ip:10.0.0.1 Total VPN peers:0
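
The message in the trace refers to the one-byte RESERVED field of the ISAKMP generic payload header (RFC 2408), which must be zero; payload type 5 is the Identification payload, which in main mode with pre-shared keys arrives encrypted, so a receiver decrypting with the wrong key sees random bytes there. The following is an added example, not part of the original thread and not PIX code, that applies that sanity check to a payload chain. The function names and both sample messages are constructed for illustration, and the garbled sample only imitates a wrong-key decryption (no real crypto is done).

```python
import struct


def check_payload_chain(first_type, body):
    """Walk a decrypted ISAKMP payload chain and return a list of findings.

    Every payload starts with the generic header from RFC 2408:
    next payload (1 byte), RESERVED (1 byte, must be 0), length (2 bytes).
    """
    findings = []
    ptype, offset = first_type, 0
    while ptype != 0:  # next-payload value 0 ends the chain
        if offset + 4 > len(body):
            findings.append(f"truncated header for payload {ptype}")
            break
        next_type, reserved, length = struct.unpack_from("!BBH", body, offset)
        if reserved != 0:
            findings.append(f"reserved not zero on payload {ptype}")
            break  # nothing after this point can be trusted
        if length < 4 or offset + length > len(body):
            findings.append(f"bad length {length} on payload {ptype}")
            break
        offset += length
        ptype = next_type
    return findings


def build_payload(next_type, data):
    """Helper (hypothetical): prepend a well-formed generic header to data."""
    return struct.pack("!BBH", next_type, 0, 4 + len(data)) + data


# Constructed main mode message 5 body: ID (type 5) followed by HASH (type 8).
# ID data: ID_IPV4_ADDR (1), protocol 17, port 500, address 10.0.0.1
ID_DATA = bytes([1, 17]) + struct.pack("!H", 500) + bytes([10, 0, 0, 1])
GOOD = build_payload(8, ID_DATA) + build_payload(0, bytes(16))  # 16-byte MD5 hash
# Constructed stand-in for the same bytes after decryption with the wrong key
GARBLED = bytes((b * 37 + 101) % 256 for b in GOOD)

if __name__ == "__main__":
    print("good:   ", check_payload_chain(5, GOOD))
    print("garbled:", check_payload_chain(5, GARBLED))
```
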
ASKER CERTIFIED SOLUTION
llyquid