
how do i debug? PIX to PIX vpn

i'm trying to figure out where my VPN (site-to-site) is failing. what commands do i give, and what output do i look at? (or better yet, what output will the experts look at!)
thanks.

PIX 501 - to - PIX 501
Asked by: Trevor Local
1 Solution
 
nodisco commented:
Logon to each pix at the console

conf t
logging console 7
logging on
debug crypto isakmp

This will show phase 1 negotiations - if this is successful - you should be able to type:
sh crypto isakmp sa
and see the session setup with both peers listed and the status QM_IDLE

If not - the problem will be in the debug output.

If this is successful, you may be having a problem with phase 2 negotiation.

same as before - first of all turn off isakmp debugging to limit the amount of data on screen:
undebug crypto isakmp
debug crypto ipsec

This will show you where phase 2 is going astray.  Crypto debugs are daunting at first but post it all into notepad and dive in - you will see obvious errors when they are present.

hope this helps
0
 
nodisco commented:
BTW - the first thing I would check is to compare the isakmp settings on both sides and make sure they, and the isakmp key, match.
0
 
Trevor Local (Author) commented:
should i retype the isakmp key on both just to make sure?
i'll try the debug now.
thanks.
0
 
nodisco commented:
You can do if you're not positive it matches - the isakmp debug would show it anyway.  If you have made any changes to the crypto map on either side, make sure to reapply it to the interface:

crypto map [mapname] interface outside
0
 
Trevor Local (Author) commented:
thanks nodisco- here's what i got on my corp PIX:

JABUZA# conf t
JABUZA(config)# logging console 7
JABUZA(config)# logging on
JABUZA(config)# debug crypto isakmp
JABUZA(config)#
ISADB: reaper checking SA 0x80b47388, conn_id = 0
JABUZA(config)# sh crypto isakmp sa
Total     : 1
Embryonic : 0
        dst             src          state       pending    created
  x.110.144.226     x.64.120.41    QM_IDLE         0           3
JABUZA(config)#

that src IP is me remoting in. so I'm not getting past Phase 1?
0
 
nodisco commented:
When you are logged in to the pix - you need a machine on the inside network to try and establish a connection with a machine on the other side of the pix tunnel - this should bring the tunnel up.  The isakmp phase 1 negotiations should begin and you should see lots of activity on the screen - this is the debug crypto isakmp output which will tell you whether phase 1 is working or not.  

The tunnel will not try and come up unless "interesting" traffic is trying to cross it - i.e. the remote network stipulated in the access-list is being requested, and this tries to establish the tunnel over the crypto map.  If you wish - post the configs of both pixes and we can see if there is a config issue.

hth
0
 
Trevor Local (Author) commented:
ok, i remoted in to my server and pinged my remote PIX. here's the output:

ISAKMP : Checking IPSec proposal 3

ISAKMP: unknown ESP transform!
ISAKMP:   attributes in transform:
ISAKMP:      authenticator is HMAC-MD5
ISAKMP:      key length is 128
ISAKMP:      encaps is 1
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): skipping next ANDed proposal (3)
ISAKMP : Checking IPSec proposal 4

ISAKMP: unknown ESP transform!
ISAKMP:   attributes in transform:
ISAKMP:      authenticator is HMAC-SHA
ISAKMP:      key length is 128
ISAKMP:      encaps is 1
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): skipping next ANDed proposal (4)
ISAKMP : Checking IPSec proposal 5

ISAKMP: unknown ESP transform!
ISAKMP:   attributes in transform:
ISAKMP:      authenticator is HMAC-MD5
ISAKMP:      key length is 256
ISAKMP:      encaps is 1
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP : Checking IPSec proposal 6

ISAKMP: unknown ESP transform!
ISAKMP:   attributes in transform:
ISAKMP:      authenticator is HMAC-SHA
ISAKMP:      key length is 256
ISAKMP:      encaps is 1
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP : Checking IPSec proposal 7

ISAKMP: unknown ESP transform!
ISAKMP:   attributes in transform:
ISAKMP:      authenticator is HMAC-MD5
ISAKMP:      key length is 128
ISAKMP:      encaps is 1
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP : Checking IPSec proposal 8

ISAKMP: unknown ESP transform!
ISAKMP:   attributes in transform:
ISAKMP:      authenticator is HMAC-SHA
ISAKMP:      key length is 128
ISAKMP:      encaps is 1
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP : Checking IPSec proposal 9

ISAKMP: transform 1, ESP_3DES
ISAKMP:   attributes in transform:
ISAKMP:      authenticator is HMAC-MD5
ISAKMP:      encaps is 1
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): skipping next ANDed proposal (9)
ISAKMP : Checking IPSec proposal 10

crypto_isakmp_process_block: src x.66.138.177, dest x.110.144.226
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_AUTH_AWAIT
ISAKMP (0): Creating IPSec SAs
        inbound SA from   x.66.138.177 to  x.110.144.226 (proxy 192.168.102.100 to         0.0.0.0)
        has spi 3752318385 and conn_id 2 and flags 4
        lifetime of 2147483 seconds
        outbound SA from x.110.144.226 to   x.66.138.177 (proxy         0.0.0.0 to 192.168.102.100)
        has spi 2450756522 and conn_id 1 and flags 4
        lifetime of 2147483 seconds
VPN Peer: IPSEC: Peer ip:68.66.138.177 Ref cnt incremented to:2 Total VPN Peers:2
VPN Peer: IPSEC: Peer ip:68.66.138.177 Ref cnt incremented to:3 Total VPN Peers:2
return status is IKMP_NO_ERROR
ISAKMP (0): sending NOTIFY message 11 protocol 3
ISAKMP (0): sending NOTIFY message 11 protocol 3
VPN Peer: ISAKMP: Added new peer: ip:x.229.60.250 Total VPN Peers:3
VPN Peer: ISAKMP: Peer ip:x.229.60.250 Ref cnt incremented to:1 Total VPN Peers:3
ISAKMP: No cert, and no keys (public or pre-shared) with remote peer   x.229.60.250
VPN Peer: ISAKMP: Peer ip:x.229.60.250 Ref cnt decremented to:0 Total VPN Peers:3
VPN Peer: ISAKMP: Deleted peer: ip:x.229.60.250 Total VPN peers:2
crypto_isakmp_process_block: src x.64.120.41, dest x.110.144.226
ISAKMP (0): processing NOTIFY payload 36136 protocol 1
        spi 0, message ID = 1249463872
ISAMKP (0): received DPD_R_U_THERE from peer x.64.120.41
ISAKMP (0): sending NOTIFY message 36137 protocol 1
return status is IKMP_NO_ERR_NO_TRANS
VPN Peer: ISAKMP: Added new peer: ip:x.229.60.250 Total VPN Peers:3
VPN Peer: ISAKMP: Peer ip:x.229.60.250 Ref cnt incremented to:1 Total VPN Peers:3
ISAKMP: No cert, and no keys (public or pre-shared) with remote peer   x.229.60.250
VPN Peer: ISAKMP: Peer ip:x.229.60.250 Ref cnt decremented to:0 Total VPN Peers:3
VPN Peer: ISAKMP: Deleted peer: ip:x.229.60.250 Total VPN peers:2
VPN Peer: ISAKMP: Added new peer: ip:x.229.60.249 Total VPN Peers:3
VPN Peer: ISAKMP: Peer ip:x.229.60.249 Ref cnt incremented to:1 Total VPN Peers:3
ISAKMP (0): beginning Main Mode exchange
crypto_isakmp_process_block: src x.229.60.249, dest x.110.144.226
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP:      encryption DES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src x.229.60.249, dest x.110.144.226
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

ISAKMP (0): processing vendor id payload

ISAKMP (0): received xauth v6 vendor id

ISAKMP (0): processing vendor id payload

ISAKMP (0): remote peer supports dead peer detection

ISAKMP (0): processing vendor id payload

ISAKMP (0): processing vendor id payload

ISAKMP (0): speaking to another IOS box!

ISAKMP (0): ID payload
        next-payload : 8
        type         : 1
        protocol     : 17
        port         : 500
        length       : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src x.229.60.249, dest 63.110.144.226
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): SA has been authenticated

ISAKMP: Created a peer node for x.229.60.249
ISAKMP (0): beginning Quick Mode exchange, M-ID of -1473546455:a82b7729
return status is IKMP_NO_ERROR
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending NOTIFY message 24578 protocol 1
ISAKMP (0): sending INITIAL_CONTACT notify
crypto_isakmp_process_block: src x.229.60.249, dest 63.110.144.226
ISAKMP (0): processing NOTIFY payload 24578 protocol 1
        spi 0, message ID = 3709329376
ISAKMP (0): processing notify INITIAL_CONTACT
return status is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block: src x.229.60.249, dest 63.110.144.226
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 2821420841

ISAKMP : Checking IPSec proposal 1

ISAKMP: transform 1, ESP_DES
ISAKMP:   attributes in transform:
ISAKMP:      encaps is 1
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (basic) of 28800
ISAKMP:      SA life type in kilobytes
ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
ISAKMP:      authenticator is HMAC-MD5
ISAKMP (0): atts are acceptable.
ISAKMP (0): processing NONCE payload. message ID = 2821420841

ISAKMP (0): processing ID payload. message ID = 2821420841
ISAKMP (0): processing ID payload. message ID = 2821420841
ISAKMP (0): Creating IPSec SAs
        inbound SA from   x.229.60.249 to  x.110.144.226 (proxy   192.168.103.0 to   192.168.102.0)
        has spi 2662738948 and conn_id 8 and flags 4
        lifetime of 28800 seconds
        lifetime of 4608000 kilobytes
        outbound SA from  x.110.144.226 to   x.229.60.249 (proxy   192.168.102.0 to   192.168.103.0)
        has spi 4212403844 and conn_id 7 and flags 4
        lifetime of 28800 seconds
        lifetime of 4608000 kilobytes
VPN Peer: IPSEC: Peer ip:x.229.60.249 Ref cnt incremented to:2 Total VPN Peers:3
VPN Peer: IPSEC: Peer ip:x.229.60.249 Ref cnt incremented to:3 Total VPN Peers:3
return status is IKMP_NO_ERROR
ISAKMP (0): sending NOTIFY message 11 protocol 3
ISAKMP (0): sending NOTIFY message 11 protocol 3
crypto_isakmp_process_block: src x.64.120.41, dest x.110.144.226
ISAKMP (0): processing NOTIFY payload 36136 protocol 1
        spi 0, message ID = 3428320261
ISAMKP (0): received DPD_R_U_THERE from peer x.64.120.41
ISAKMP (0): sending NOTIFY message 36137 protocol 1

i believe the .249 IP is the right one for the remote PIX. i have two entries for remote - .249 and .250, not sure why
i'll post both my configs too.

thanks in advance.
0
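A small triage script for the workflow nodisco describes (debug crypto isakmp, then decide whether phase 1 or phase 2 is failing) and for the kind of dump posted above; it is an added example, not code from the thread. It reads PIX debug text and reports which ISAKMP policy matched, whether the SA authenticated, which IPsec proposals were rejected ("atts not acceptable", "unknown ESP transform!"), which one was accepted, the proxy identities of the SAs created, and any peer that started IKE without a configured key. The input is a constructed sample in the shape of the output above.

```python
import re

# Constructed sample in the shape of the PIX "debug crypto isakmp" output above (not a thread capture).
SAMPLE_DEBUG = """\
ISAKMP : Checking IPSec proposal 3
ISAKMP: unknown ESP transform!
ISAKMP:      authenticator is HMAC-MD5
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP: No cert, and no keys (public or pre-shared) with remote peer   x.229.60.250
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP:      encryption DES-CBC
ISAKMP:      hash MD5
ISAKMP:      auth pre-share
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): SA has been authenticated
ISAKMP : Checking IPSec proposal 1
ISAKMP: transform 1, ESP_DES
ISAKMP:      authenticator is HMAC-MD5
ISAKMP (0): atts are acceptable.
        inbound SA from   x.229.60.249 to  x.110.144.226 (proxy   192.168.103.0 to   192.168.102.0)
"""
ATTR_RE = re.compile(r"ISAKMP:\s+(authenticator is|key length is|encryption|hash|auth)\s+(\S+)")
PROXY_RE = re.compile(r"inbound SA from\s+\S+ to\s+\S+ \(proxy\s+(\S+) to\s+(\S+)\)")

def summarize(debug_text):
    out = {"phase1": None, "authenticated": False, "rejected_ipsec": [],
           "accepted_ipsec": None, "unknown_peers": [], "sa_proxies": []}
    phase, cur = None, {}  # "p1" = ISAKMP policy being checked, "p2" = IPsec proposal being checked
    for s in map(str.strip, debug_text.splitlines()):
        if m := re.match(r"ISAKMP \(0\): Checking ISAKMP transform \d+ against priority (\d+) policy", s):
            phase, cur = "p1", {"policy": int(m.group(1))}
        elif m := re.match(r"ISAKMP : Checking IPSec proposal (\d+)", s):
            phase, cur = "p2", {"proposal": int(m.group(1)), "transform": None}
        elif m := re.match(r"ISAKMP: transform \d+, (\S+)", s):
            cur["transform"] = m.group(1)
        elif s == "ISAKMP: unknown ESP transform!":
            cur["transform"] = "unknown"  # peer offered an ESP cipher this PIX cannot match
        elif m := ATTR_RE.match(s):
            cur[m.group(1).split()[0]] = m.group(2)
        elif s.startswith("ISAKMP (0): atts not acceptable") and phase == "p2":
            out["rejected_ipsec"].append(cur)
        elif s.startswith("ISAKMP (0): atts are acceptable"):
            out["phase1" if phase == "p1" else "accepted_ipsec"] = cur
        elif s == "ISAKMP (0): SA has been authenticated":
            out["authenticated"] = True  # pre-shared keys matched, so phase 1 completed
        elif m := re.match(r"ISAKMP: No cert, and no keys .* with remote peer\s+(\S+)", s):
            out["unknown_peers"].append(m.group(1))  # IKE from an address with no key configured
        elif m := PROXY_RE.match(s):
            out["sa_proxies"].append((m.group(1), m.group(2)))  # remote network -> local network
    return out
```

Paste the real debug text into `summarize()` in place of the sample: an empty `phase1` means no ISAKMP policy matched, a non-empty `rejected_ipsec` with `accepted_ipsec` still `None` means the transform sets disagree.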
 
Trevor Local (Author) commented:
ok- i can ping a pc behind the remote PIX, but not the PIX itself (from my server at corp office)
0
 
lrmoore commented:
>ok- i can ping a pc behind the remote PIX, but not the PIX itself (from my server at corp office)
You'll never be able to ping the PIX's own inside IP from a remote  VPN connection.
0
