how do i debug? PIX to PIX vpn

I'm trying to figure out where my VPN (site-to-site) is failing. What commands do I give, and what output do I look at? (Or better yet, what output will the experts look at!)
Thanks.

PIX 501 - to - PIX 501
1 Solution
 
nodisco Commented:
Logon to each pix at the console

conf t
logging console 7
logging on
debug crypto isakmp

This will show phase 1 negotiations - if this is successful - you should be able to type:
sh crypto isakmp sa
and see the session setup with both peers listed and the status QM_IDLE

If not - the problem will be in the debug output.

If this is successful, you may be having a problem with phase 2 negotiation.

Same as before - first of all turn off isakmp debugging to limit the amount of data on screen:
undebug crypto isakmp
debug crypto ipsec

This will show you where phase 2 is going astray.  Crypto debugs are daunting at first but post it all into notepad and dive in - you will see obvious errors when they are present.

hope this helps
 
nodisco Commented:
BTW - the first thing I would check is to compare the isakmp settings on both sides and make sure they, and the isakmp key, match.
 
Trevor Local (Author) Commented:
Should I retype the isakmp key on both just to make sure?
I'll try the debug now.
Thanks.
nodisco Commented:
You can do if you're not positive it matches - the isakmp debug would show it anyway.  If you have made any changes to the crypto map on either side, make sure to reapply it to the interface:

crypto map [mapname] interface outside
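nodisco's advice above is to compare the isakmp settings on both sides, make sure the key matches, and reapply the crypto map to the interface after any change. As an added example (not code from this thread or from Cisco), here is a Python script that reads two PIX 6.x-style `show run` fragments and reports the mismatches that most often stop a site-to-site tunnel: no phase 1 policy the two sides agree on, no common transform-set for the peer, a crypto ACL that is not a mirror image, a crypto map not bound to an interface, or no isakmp key for the peer. The two configs, the site addresses and the mismatches planted in `SITE_B` are constructed sample data (documentation address ranges), and `compare_sites` is a hypothetical helper name.

```python
# Constructed PIX 6.x-style config fragments for a corp site (A) and a remote site (B).
# Sample data, not the configs from the thread. SITE_B deliberately disagrees with
# SITE_A on the isakmp hash, the transform-set, and never binds its crypto map.
SITE_A = """
access-list vpn permit ip 192.168.102.0 255.255.255.0 192.168.103.0 255.255.255.0
isakmp enable outside
isakmp key ******** address 198.51.100.249 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map vpnmap 10 ipsec-isakmp
crypto map vpnmap 10 match address vpn
crypto map vpnmap 10 set peer 198.51.100.249
crypto map vpnmap 10 set transform-set strong
crypto map vpnmap interface outside
"""
SITE_B = """
access-list vpn permit ip 192.168.103.0 255.255.255.0 192.168.102.0 255.255.255.0
isakmp enable outside
isakmp key ******** address 203.0.113.226 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
crypto ipsec transform-set weak esp-des esp-md5-hmac
crypto map vpnmap 10 ipsec-isakmp
crypto map vpnmap 10 match address vpn
crypto map vpnmap 10 set peer 203.0.113.226
crypto map vpnmap 10 set transform-set weak
"""
# The same remote config with the three problems corrected.
SITE_B_FIXED = (SITE_B.replace("hash sha", "hash md5")
                      .replace("esp-des esp-md5-hmac", "esp-3des esp-sha-hmac")
                + "crypto map vpnmap interface outside\n")


def parse_pix(cfg):
    """Pull the VPN-relevant statements out of a PIX 6.x 'show run' fragment."""
    c = {"policies": {}, "tsets": {}, "acls": {}, "maps": {}, "applied": set(), "keys": {}}
    for line in cfg.splitlines():
        w = line.split()
        if len(w) < 3:
            continue
        if w[:2] == ["isakmp", "policy"]:                       # isakmp policy <prio> <attr> <value>
            c["policies"].setdefault(w[2], {})[w[3]] = w[4]
        elif w[:2] == ["isakmp", "key"]:                        # isakmp key <key> address <peer> ...
            c["keys"][w[4]] = w[2]
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:     # transform-set <name> esp-... esp-...
            c["tsets"][w[3]] = frozenset(w[4:])
        elif w[0] == "access-list" and w[2] == "permit":        # src mask dst mask
            c["acls"].setdefault(w[1], []).append(tuple(w[4:8]))
        elif w[:2] == ["crypto", "map"] and w[3] == "interface":
            c["applied"].add(w[2])
        elif w[:2] == ["crypto", "map"] and len(w) >= 7 and w[4] in ("match", "set"):
            entry = c["maps"].setdefault((w[2], w[3]), {})
            entry[w[5]] = w[6]          # "address" -> acl name, "peer" -> ip, "transform-set" -> name
    return c


def entries_for_peer(c, peer):
    return [(name, e) for (name, _seq), e in c["maps"].items() if e.get("peer") == peer]


def compare_sites(local_cfg, local_ip, remote_cfg, remote_ip):
    """Return a list of mismatch findings; an empty list means the two sides agree."""
    a, b = parse_pix(local_cfg), parse_pix(remote_cfg)
    f = []
    # Phase 1: one policy on each side must agree on these four attributes. Lifetime is
    # left out on purpose: the peers settle on the shorter one instead of failing.
    P1 = ("authentication", "encryption", "hash", "group")
    if not any(all(pa.get(k) == pb.get(k) for k in P1)
               for pa in a["policies"].values() for pb in b["policies"].values()):
        f.append("phase 1: no isakmp policy agrees on authentication/encryption/hash/group")
    # The pre-shared key shows as ******** in 'show run', so only its presence can be
    # checked here; the value itself has to be retyped on both sides if in doubt.
    for side, c, ip in (("local", a, remote_ip), ("remote", b, local_ip)):
        if ip not in c["keys"]:
            f.append(f"{side}: no isakmp key for peer {ip}")
    la, lb = entries_for_peer(a, remote_ip), entries_for_peer(b, local_ip)
    for side, entries, c in (("local", la, a), ("remote", lb, b)):
        if not entries:
            f.append(f"{side}: no crypto map entry sets this peer")
        for name, _ in entries:
            if name not in c["applied"]:
                f.append(f"{side}: crypto map {name} is not applied to an interface")
    # Phase 2: the transform-sets named by the two peer entries must share one transform list.
    ta = {a["tsets"].get(e.get("transform-set")) for _, e in la}
    tb = {b["tsets"].get(e.get("transform-set")) for _, e in lb}
    if la and lb and not ((ta & tb) - {None}):
        f.append("phase 2: no common transform-set between the peer entries")
    # Interesting traffic: every local crypto ACL line needs its mirror image on the remote side.
    for _, e in la:
        for src, smask, dst, dmask in a["acls"].get(e.get("address"), []):
            if not any((dst, dmask, src, smask) in b["acls"].get(r.get("address"), []) for _, r in lb):
                f.append(f"crypto ACL: {src} {smask} -> {dst} {dmask} has no mirror on the remote side")
    return f


if __name__ == "__main__":
    for label, remote in (("as posted", SITE_B), ("after fix", SITE_B_FIXED)):
        print(label, compare_sites(SITE_A, "203.0.113.226", remote, "198.51.100.249") or "OK")
```

Run it against the `show run` output of both PIXes with each box's outside address as `local_ip`/`remote_ip`. The script only reads the lines it understands, so a config with additional features will not confuse it, but it also checks nothing about NAT exemption (`nat (inside) 0 access-list`) or `sysopt connection permit-ipsec`, which are the next two things to look at once the negotiation itself is clean.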
 
Trevor Local (Author) Commented:
Thanks nodisco - here's what I got on my corp PIX:

JABUZA# conf t
JABUZA(config)# logging console 7
JABUZA(config)# logging on
JABUZA(config)# debug crypto isakmp
JABUZA(config)#
ISADB: reaper checking SA 0x80b47388, conn_id = 0
JABUZA(config)# sh crypto isakmp sa
Total     : 1
Embryonic : 0
        dst             src          state       pending    created
  x.110.144.226     x.64.120.41    QM_IDLE         0           3
JABUZA(config)#

That src IP is me remoting in. So I'm not getting past Phase 1?
 
nodisco Commented:
When you are logged in to the pix - you need a machine on the inside network to try and establish a connection with a machine on the other side of the pix tunnel - this should bring the tunnel up.  The isakmp phase 1 negotiations should begin and you should see lots of activity on the screen - this is the debug crypto isakmp output which will tell you whether phase 1 is working or not.  

The tunnel will not try and come up unless "interesting" traffic is trying to cross it - i.e. that the remote network stipulated in the access-list is being requested and this tries to establish the tunnel over the crypto map.  If you wish - post the configs of both pixes and we can see if there is a config issue.

hth
 
Trevor Local (Author) Commented:
OK, I remoted in to my server and pinged my remote PIX. Here's the output:

ISAKMP : Checking IPSec proposal 3

ISAKMP: unknown ESP transform!
ISAKMP:   attributes in transform:
ISAKMP:      authenticator is HMAC-MD5
ISAKMP:      key length is 128
ISAKMP:      encaps is 1
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): skipping next ANDed proposal (3)
ISAKMP : Checking IPSec proposal 4

ISAKMP: unknown ESP transform!
ISAKMP:   attributes in transform:
ISAKMP:      authenticator is HMAC-SHA
ISAKMP:      key length is 128
ISAKMP:      encaps is 1
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): skipping next ANDed proposal (4)
ISAKMP : Checking IPSec proposal 5

ISAKMP: unknown ESP transform!
ISAKMP:   attributes in transform:
ISAKMP:      authenticator is HMAC-MD5
ISAKMP:      key length is 256
ISAKMP:      encaps is 1
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP : Checking IPSec proposal 6

ISAKMP: unknown ESP transform!
ISAKMP:   attributes in transform:
ISAKMP:      authenticator is HMAC-SHA
ISAKMP:      key length is 256
ISAKMP:      encaps is 1
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP : Checking IPSec proposal 7

ISAKMP: unknown ESP transform!
ISAKMP:   attributes in transform:
ISAKMP:      authenticator is HMAC-MD5
ISAKMP:      key length is 128
ISAKMP:      encaps is 1
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP : Checking IPSec proposal 8

ISAKMP: unknown ESP transform!
ISAKMP:   attributes in transform:
ISAKMP:      authenticator is HMAC-SHA
ISAKMP:      key length is 128
ISAKMP:      encaps is 1
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP : Checking IPSec proposal 9

ISAKMP: transform 1, ESP_3DES
ISAKMP:   attributes in transform:
ISAKMP:      authenticator is HMAC-MD5
ISAKMP:      encaps is 1
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): skipping next ANDed proposal (9)
ISAKMP : Checking IPSec proposal 10

crypto_isakmp_process_block: src x.66.138.177, dest x.110.144.226
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_AUTH_AWAIT
ISAKMP (0): Creating IPSec SAs
        inbound SA from   x.66.138.177 to  x.110.144.226 (proxy 192.168.102.100 to         0.0.0.0)
        has spi 3752318385 and conn_id 2 and flags 4
        lifetime of 2147483 seconds
        outbound SA from x.110.144.226 to   x.66.138.177 (proxy         0.0.0.0 to 192.168.102.100)
        has spi 2450756522 and conn_id 1 and flags 4
        lifetime of 2147483 seconds
VPN Peer: IPSEC: Peer ip:68.66.138.177 Ref cnt incremented to:2 Total VPN Peers:2
VPN Peer: IPSEC: Peer ip:68.66.138.177 Ref cnt incremented to:3 Total VPN Peers:2
return status is IKMP_NO_ERROR
ISAKMP (0): sending NOTIFY message 11 protocol 3
ISAKMP (0): sending NOTIFY message 11 protocol 3
VPN Peer: ISAKMP: Added new peer: ip:x.229.60.250 Total VPN Peers:3
VPN Peer: ISAKMP: Peer ip:x.229.60.250 Ref cnt incremented to:1 Total VPN Peers:3
ISAKMP: No cert, and no keys (public or pre-shared) with remote peer   x.229.60.250
VPN Peer: ISAKMP: Peer ip:x.229.60.250 Ref cnt decremented to:0 Total VPN Peers:3
VPN Peer: ISAKMP: Deleted peer: ip:x.229.60.250 Total VPN peers:2
crypto_isakmp_process_block: src x.64.120.41, dest x.110.144.226
ISAKMP (0): processing NOTIFY payload 36136 protocol 1
        spi 0, message ID = 1249463872
ISAMKP (0): received DPD_R_U_THERE from peer x.64.120.41
ISAKMP (0): sending NOTIFY message 36137 protocol 1
return status is IKMP_NO_ERR_NO_TRANS
VPN Peer: ISAKMP: Added new peer: ip:x.229.60.250 Total VPN Peers:3
VPN Peer: ISAKMP: Peer ip:x.229.60.250 Ref cnt incremented to:1 Total VPN Peers:3
ISAKMP: No cert, and no keys (public or pre-shared) with remote peer   x.229.60.250
VPN Peer: ISAKMP: Peer ip:x.229.60.250 Ref cnt decremented to:0 Total VPN Peers:3
VPN Peer: ISAKMP: Deleted peer: ip:x.229.60.250 Total VPN peers:2
VPN Peer: ISAKMP: Added new peer: ip:x.229.60.249 Total VPN Peers:3
VPN Peer: ISAKMP: Peer ip:x.229.60.249 Ref cnt incremented to:1 Total VPN Peers:3
ISAKMP (0): beginning Main Mode exchange
crypto_isakmp_process_block: src x.229.60.249, dest x.110.144.226
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP:      encryption DES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src x.229.60.249, dest x.110.144.226
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

ISAKMP (0): processing vendor id payload

ISAKMP (0): received xauth v6 vendor id

ISAKMP (0): processing vendor id payload

ISAKMP (0): remote peer supports dead peer detection

ISAKMP (0): processing vendor id payload

ISAKMP (0): processing vendor id payload

ISAKMP (0): speaking to another IOS box!

ISAKMP (0): ID payload
        next-payload : 8
        type         : 1
        protocol     : 17
        port         : 500
        length       : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src x.229.60.249, dest 63.110.144.226
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): SA has been authenticated

ISAKMP: Created a peer node for x.229.60.249
ISAKMP (0): beginning Quick Mode exchange, M-ID of -1473546455:a82b7729
return status is IKMP_NO_ERROR
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending NOTIFY message 24578 protocol 1
ISAKMP (0): sending INITIAL_CONTACT notify
crypto_isakmp_process_block: src x.229.60.249, dest 63.110.144.226
ISAKMP (0): processing NOTIFY payload 24578 protocol 1
        spi 0, message ID = 3709329376
ISAKMP (0): processing notify INITIAL_CONTACT
return status is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block: src x.229.60.249, dest 63.110.144.226
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 2821420841

ISAKMP : Checking IPSec proposal 1

ISAKMP: transform 1, ESP_DES
ISAKMP:   attributes in transform:
ISAKMP:      encaps is 1
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (basic) of 28800
ISAKMP:      SA life type in kilobytes
ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
ISAKMP:      authenticator is HMAC-MD5
ISAKMP (0): atts are acceptable.
ISAKMP (0): processing NONCE payload. message ID = 2821420841

ISAKMP (0): processing ID payload. message ID = 2821420841
ISAKMP (0): processing ID payload. message ID = 2821420841
ISAKMP (0): Creating IPSec SAs
        inbound SA from   x.229.60.249 to  x.110.144.226 (proxy   192.168.103.0 to   192.168.102.0)
        has spi 2662738948 and conn_id 8 and flags 4
        lifetime of 28800 seconds
        lifetime of 4608000 kilobytes
        outbound SA from  x.110.144.226 to   x.229.60.249 (proxy   192.168.102.0 to   192.168.103.0)
        has spi 4212403844 and conn_id 7 and flags 4
        lifetime of 28800 seconds
        lifetime of 4608000 kilobytes
VPN Peer: IPSEC: Peer ip:x.229.60.249 Ref cnt incremented to:2 Total VPN Peers:3
VPN Peer: IPSEC: Peer ip:x.229.60.249 Ref cnt incremented to:3 Total VPN Peers:3
return status is IKMP_NO_ERROR
ISAKMP (0): sending NOTIFY message 11 protocol 3
ISAKMP (0): sending NOTIFY message 11 protocol 3
crypto_isakmp_process_block: src x.64.120.41, dest x.110.144.226
ISAKMP (0): processing NOTIFY payload 36136 protocol 1
        spi 0, message ID = 3428320261
ISAMKP (0): received DPD_R_U_THERE from peer x.64.120.41
ISAKMP (0): sending NOTIFY message 36137 protocol 1

I believe the .249 IP is the right one for the remote PIX. I have two entries for remote - .249 and .250, not sure why.
I'll post both my configs too.

thanks in advance.
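nodisco's first answer says phase 1 is working once `sh crypto isakmp sa` shows the peer in QM_IDLE and that a phase 2 failure will show up in the crypto debug; the output posted above contains both kinds of evidence at once: a run of "unknown ESP transform!" and "atts not acceptable" proposals before an ESP_DES/HMAC-MD5 proposal is accepted and IPsec SAs are created, and a separate peer logged as "No cert, and no keys (public or pre-shared)". As an added example, not code from the thread, here is a Python script that reads that style of `debug crypto isakmp` output and gives one verdict per peer address: missing key, phase 1 policy rejected, all phase 2 proposals rejected, or tunnel up. The sample input is constructed in the same shape as the posted output with documentation-range addresses, and `parse_isakmp_debug`/`diagnose` are hypothetical helper names.

```python
import re
from collections import defaultdict

IP = r"(\d+\.\d+\.\d+\.\d+)"

# Constructed sample in the shape of PIX 6.x "debug crypto isakmp" output
# (documentation-range addresses; not the capture posted in the thread).
SAMPLE_DEBUG = """\
VPN Peer: ISAKMP: Added new peer: ip:198.51.100.250 Total VPN Peers:3
ISAKMP: No cert, and no keys (public or pre-shared) with remote peer   198.51.100.250
VPN Peer: ISAKMP: Deleted peer: ip:198.51.100.250 Total VPN peers:2
VPN Peer: ISAKMP: Added new peer: ip:198.51.100.249 Total VPN Peers:3
ISAKMP (0): beginning Main Mode exchange
crypto_isakmp_process_block: src 198.51.100.249, dest 203.0.113.226
OAK_MM exchange
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP:      encryption DES-CBC
ISAKMP:      hash MD5
ISAKMP:      auth pre-share
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): SA has been authenticated
ISAKMP (0): beginning Quick Mode exchange, M-ID of -1473546455:a82b7729
OAK_QM exchange
ISAKMP : Checking IPSec proposal 1
ISAKMP: unknown ESP transform!
ISAKMP:      authenticator is HMAC-SHA
ISAKMP:      key length is 256
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP : Checking IPSec proposal 2
ISAKMP: transform 1, ESP_3DES
ISAKMP:      authenticator is HMAC-MD5
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP : Checking IPSec proposal 3
ISAKMP: transform 1, ESP_DES
ISAKMP:      authenticator is HMAC-MD5
ISAKMP (0): atts are acceptable.
ISAKMP (0): Creating IPSec SAs
        inbound SA from   198.51.100.249 to  203.0.113.226 (proxy   192.168.103.0 to   192.168.102.0)
        has spi 2662738948 and conn_id 8 and flags 4
        outbound SA from  203.0.113.226 to   198.51.100.249 (proxy   192.168.102.0 to   192.168.103.0)
        has spi 4212403844 and conn_id 7 and flags 4
"""


def new_peer():
    return {"phase1": "not seen", "missing_key": False, "proposals": [], "ipsec_sas": []}


def parse_isakmp_debug(text):
    """Walk the debug lines and build one record per peer address."""
    peers = defaultdict(new_peer)
    peer = "unknown"     # address the following lines belong to
    phase = None         # "p1" or "p2": which negotiation the next "atts" verdict refers to
    proposal = None      # IPsec proposal currently being checked
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.search(r"(?:process_block: src |Added new peer: ip:)" + IP, line):
            peer = m.group(1)
        elif m := re.search(r"no keys \(public or pre-shared\) with remote peer\s+" + IP, line):
            peers[m.group(1)]["missing_key"] = True          # peer has no isakmp key entry
        elif "Checking ISAKMP transform" in line:              # phase 1 policy comparison
            phase = "p1"
        elif m := re.search(r"Checking IPSec proposal (\d+)", line):   # phase 2 proposal
            phase = "p2"
            proposal = {"number": int(m.group(1)), "transform": None, "accepted": None}
            peers[peer]["proposals"].append(proposal)
        elif "unknown ESP transform" in line and proposal:     # transform this PIX cannot parse
            proposal["transform"] = "unsupported"
        elif (m := re.search(r"transform \d+, (ESP_\w+)", line)) and proposal:
            proposal["transform"] = m.group(1)
        elif "atts are acceptable" in line or "atts not acceptable" in line:
            ok = "are acceptable" in line
            if phase == "p1":
                peers[peer]["phase1"] = "policy matched" if ok else "policy rejected"
            elif proposal:
                proposal["accepted"] = ok
        elif "SA has been authenticated" in line:              # phase 1 complete
            peers[peer]["phase1"] = "authenticated"
        elif m := re.search(r"(inbound|outbound) SA from\s+\S+ to\s+\S+ \(proxy\s+(\S+) to\s+(\S+)\)", line):
            peers[peer]["ipsec_sas"].append((m.group(1), m.group(2), m.group(3)))
    return dict(peers)


def diagnose(peers):
    """One verdict per peer, checked in the order the answer above walks through them."""
    verdicts = {}
    for ip, rec in peers.items():
        rejected = [p for p in rec["proposals"] if p["accepted"] is False]
        accepted = [p["transform"] for p in rec["proposals"] if p["accepted"]]
        if rec["missing_key"]:
            verdicts[ip] = "no isakmp key configured for this peer; phase 1 cannot start"
        elif rec["phase1"] == "policy rejected":
            verdicts[ip] = "phase 1 failed: no isakmp policy matched the peer's proposal"
        elif rec["ipsec_sas"]:
            verdicts[ip] = "tunnel up: IPsec SAs built" + (f" using {accepted[0]}" if accepted else "")
        elif rec["proposals"] and len(rejected) == len(rec["proposals"]):
            offered = ", ".join(str(p["transform"]) for p in rejected)
            verdicts[ip] = f"phase 2 failed: peer offered {offered}; no transform-set matched"
        elif rec["phase1"] == "authenticated":
            verdicts[ip] = "phase 1 authenticated, phase 2 not seen in this capture"
        else:
            verdicts[ip] = "phase 1 not completed in this capture"
    return verdicts


if __name__ == "__main__":
    for ip, verdict in diagnose(parse_isakmp_debug(SAMPLE_DEBUG)).items():
        print(ip, "->", verdict)
```

Save the console output to a file and pass its contents to `parse_isakmp_debug`. In the per-peer record, a proposal marked `unsupported` is one this PIX could not parse at all, while a named `ESP_*` proposal that was still rejected was understood but had no matching transform-set on this side; either way the fix belongs in the transform-set, not the isakmp policy, because phase 1 already reached "SA has been authenticated". A peer that only ever produces "No cert, and no keys" never gets as far as a policy check, which is the "compare the isakmp key" case.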
 
Trevor Local (Author) Commented:
OK - I can ping a PC behind the remote PIX, but not the PIX itself (from my server at corp office).
 
lrmoore Commented:
>OK - I can ping a PC behind the remote PIX, but not the PIX itself (from my server at corp office).
You'll never be able to ping the PIX's own inside IP from a remote  VPN connection.