greenbeanx81

asked on

Cisco PIX - Site to Site Tunnel not coming up.

Hello All,

I have a really weird problem regarding two PIXs not establishing a tunnel. I have one PIX at the main office and a second PIX at the branch office. I checked the configuration and everything looks right. When I do a "debug crypto isakmp 100" command, all I get is a PEER_REAPER_TIMER message that repeats. I get 0 when trying "sh crypto isakmp sa". When I try telnetting to the IP address I get a DSL welcome command prompt instead of the PIX prompt. My thinking is that somehow the modem is interfering with the PIX. I can use the Cisco VPN client to connect to the PIX. My PIX configurations are below:
Any suggestions as to why they cannot connect?

Main PIX:

PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 96utOTR.PJJoSyt2 encrypted
passwd OLwrzN2..uVF.NHM encrypted
hostname HascoPix
domain-name nt.hasco.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 100 permit udp any any eq isakmp
access-list 100 permit icmp any any
access-list 100 permit esp any any
access-list 100 permit tcp any host 64.x.x.x eq 3389
access-list 100 permit tcp any host 64.x.x.x eq 3389
access-list NONAT permit ip 132.147.12.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list NONAT permit ip 132.147.12.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list VPNCLIENT permit ip 132.147.12.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list LONGBEACH permit ip 132.147.12.0 255.255.255.0 192.168.100.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 64.x.x.x 255.255.255.224
ip address inside 132.147.12.10 255.255.255.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
ip local pool VPNpool 192.168.1.50-192.168.1.100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 64.x.x.x 3389 132.147.12.16 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp 64.x.x.x 3389 132.147.12.17 3389 netmask 255.255.255.255 0 0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 64.x.x.x 1
route inside 192.168.100.0 255.255.252.0 132.147.12.11 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
crypto map VPNmap 10 ipsec-isakmp
crypto map VPNmap 10 match address LONGBEACH
crypto map VPNmap 10 set pfs group2
crypto map VPNmap 10 set peer 71.x.x.x
crypto map VPNmap 10 set transform-set ESP-3DES-MD5
crypto map VPNmap 800 ipsec-isakmp dynamic outside_dyn_map
crypto map VPNmap interface outside
isakmp enable outside
isakmp key ******** address 71.x.x.x netmask 255.255.255.255 no-xauth
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup HO idle-time 1800
vpngroup Hasco address-pool VPNpool
vpngroup Hasco dns-server 132.147.12.16
vpngroup Hasco wins-server 132.147.12.16
vpngroup Hasco default-domain nt.hasco.com
vpngroup Hasco split-tunnel VPNCLIENT
vpngroup Hasco idle-time 1800
vpngroup Hasco password ********
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
terminal width 80

Branch PIX:

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 96utOTR.PJJoSyt2 encrypted
passwd OLwrzN2..uVF.NHM encrypted
hostname Pix-Pamona
domain-name nt.hasco.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 100 permit udp any any eq isakmp
access-list 100 permit icmp any any
access-list 100 permit esp any any
access-list NONAT permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list NONAT permit ip 192.168.100.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list NONAT permit ip 132.147.12.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list NONAT permit ip 192.168.100.0 255.255.255.0 132.147.12.0 255.255.255.0
access-list VPNCLIENT permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list POMONA permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 71.x.x.x 255.255.255.0
ip address inside 192.168.100.1 255.255.255.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
ip local pool VPNpool 172.16.0.1-172.16.0.50 mask 255.255.255.0
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 71.x.x.x 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.100.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
crypto map VPNmap 10 ipsec-isakmp
crypto map VPNmap 10 match address POMONA
crypto map VPNmap 10 set pfs group2
crypto map VPNmap 10 set peer 64.x.x.x
crypto map VPNmap 10 set transform-set ESP-3DES-MD5
crypto map VPNmap 800 ipsec-isakmp dynamic outside_dyn_map
crypto map VPNmap interface outside
isakmp enable outside
isakmp key ******** address 64.x.x.x netmask 255.255.255.255
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup HOP idle-time 1800
vpngroup HascoP address-pool VPNpool
vpngroup HascoP dns-server 132.147.12.16
vpngroup HascoP wins-server 132.147.12.16
vpngroup HascoP default-domain nt.hasco.com
vpngroup HascoP split-tunnel VPNCLIENT
vpngroup HascoP idle-time 1800
vpngroup HascoP password ********
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
terminal width 80
ASKER CERTIFIED SOLUTION
RouterDude
greenbeanx81 (ASKER)
What do you mean by matching?

never mind..
I'm getting the following when debugging crypto isakmp 150 on the branch. I have the correct keys using "isakmp key XXXX address xxxx netmask x.x.x.x no-xauth no-config-mode". Could the PIX be confused about keys with the VPN client as well? I just get a PEER_REAPER_TIMER on the main PIX when doing a debug.

Pix-Pamona(config)# debug crypto isakmp 150
Pix-Pamona(config)#
PEER_REAPER_TIMER
crypto_ke_process_block:
KEYENG_IKMP_SA_SPEC
isadb_create_sa:
crypto_isakmp_init_phase1_fields: initiator
is_auth_policy_configured: auth 4
gen_cookie:P
ipsec_db_add_sa_req:
ipsec_db_get_ipsec_sa_list:
ipsec_db_add_ipsec_sa_list:
ipsec_db_get_ipsec_sa_list:
is_auth_policy_configured: auth 4
ISAKMP: No cert, and no keys (public or pre-shared) with remote peer   64.x.x.x
isadb_free_isakmp_sa:
VPN Peer:ISAKMP: Peer Info for 64.x.x.x/500 not found - peers:0
SOLUTION
I have made corrections to both the main PIX and the branch PIX. I am still unable to bring up the tunnel. Now both PIXs are reporting "PEER_REAPER_TIMER" when I run the "debug crypto isakmp 150" command. The updated configurations are below. What is strange is that remote VPN clients connect to the PIX using the Cisco VPN client. Any suggestions? Thank you. The client is on Verizon Business DSL with a Westell black DSL+ modem. I'm going to call tech support and see if the modem supports IPsec passthrough.

MAIN PIX:

PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 96utOTR.PJJoSyt2 encrypted
passwd OLwrzN2..uVF.NHM encrypted
hostname HascoPix
domain-name nt.hasco.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 100 permit udp any any eq isakmp
access-list 100 permit icmp any any
access-list 100 permit esp any any
access-list 100 permit tcp any host 64.x.x.x eq 3389
access-list 100 permit tcp any host 64.x.x.x eq 3389
access-list NONAT permit ip 132.147.12.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list NONAT permit ip 132.147.12.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list VPNSPLIT permit ip 132.147.12.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list POMONA permit ip 132.147.12.0 255.255.255.0 192.168.100.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 64.x.x.x 255.255.255.224
ip address inside 132.147.12.10 255.255.255.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
ip local pool VPNpool 192.168.1.50-192.168.1.100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 64.x.x.x 3389 132.147.12.16 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp 64.x.x.x 3389 132.147.12.17 3389 netmask 255.255.255.255 0 0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 64.x.x.x 1
route inside 192.168.100.0 255.255.252.0 132.147.12.11 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
crypto map VPNmap 10 ipsec-isakmp
crypto map VPNmap 10 match address POMONA
crypto map VPNmap 10 set pfs group2
crypto map VPNmap 10 set peer 71.x.x.x
crypto map VPNmap 10 set transform-set ESP-3DES-MD5
crypto map VPNmap 800 ipsec-isakmp dynamic outside_dyn_map
crypto map VPNmap interface outside
isakmp enable outside
isakmp key ******** address 71.x.x.x netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup HO idle-time 1800
vpngroup Hasco address-pool VPNpool
vpngroup Hasco dns-server 132.147.12.16
vpngroup Hasco wins-server 132.147.12.16
vpngroup Hasco default-domain nt.hasco.com
vpngroup Hasco split-tunnel VPNSPLIT
vpngroup Hasco idle-time 1800
vpngroup Hasco password ********
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
terminal width 80

BRANCH PIX:

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 96utOTR.PJJoSyt2 encrypted
passwd OLwrzN2..uVF.NHM encrypted
hostname Pix-Pamona
domain-name nt.hasco.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 100 permit udp any any eq isakmp
access-list 100 permit icmp any any
access-list 100 permit esp any any
access-list NONAT permit ip 192.168.100.0 255.255.255.0 132.147.12.0 255.255.255.0
access-list NONAT permit ip 192.168.100.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list VPNSPLIT permit ip 192.168.100.0 255.255.255.0 172.16.0.0 255.255.255.0
access-list LONGBEACH permit ip 192.168.100.0 255.255.255.0 132.147.12.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 71.x.x.x 255.255.255.0
ip address inside 192.168.100.1 255.255.255.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
ip local pool VPNpool 172.16.0.1-172.16.0.50 mask 255.255.255.0
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 71.x.x.x 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.100.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
crypto map VPNmap 10 ipsec-isakmp
crypto map VPNmap 10 match address LONGBEACH
crypto map VPNmap 10 set pfs group2
crypto map VPNmap 10 set peer 64.x.x.x
crypto map VPNmap 10 set transform-set ESP-3DES-MD5
crypto map VPNmap 800 ipsec-isakmp dynamic outside_dyn_map
crypto map VPNmap interface outside
isakmp enable outside
isakmp key ******** address 64.x.x.x netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup HOP idle-time 1800
vpngroup HascoP address-pool VPNpool
vpngroup HascoP dns-server 132.147.12.16
vpngroup HascoP wins-server 132.147.12.16
vpngroup HascoP default-domain nt.hasco.com
vpngroup HascoP split-tunnel VPNSPLIT
vpngroup HascoP idle-time 1800
vpngroup HascoP password ********
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd address 192.168.100.10-192.168.100.137 inside
dhcpd dns 132.147.12.16
dhcpd wins 132.147.12.16
dhcpd lease 604800
dhcpd ping_timeout 750
dhcpd domain nt-hasco.com
dhcpd enable inside
terminal width 80
After clearing the keys on both PIXs using "clear crypto isakmp/ipsec sa", the tunnel is now reporting MM_IDLE status when entering "sh crypto isakmp sa". I can ping from the main office to the inside interface of the branch, but I cannot ping from the branch PIX to the inside interface of the main office. Any suggestions? I have "isakmp nat-traversal 20" on both PIXs. Thank you.
I'm also having trouble pinging computers behind the PIX when connected using the Cisco VPN client. I cannot ping anything when connected. I do have "isakmp nat-traversal 20" on both PIXs. I should be able to ping what is behind the firewall. Any suggestions?
SOLUTION
One other thing I forgot to mention, I don't know if it has any bearing on this, but 132.147.12.0 is a routable subnet on the internet and should not be used as a private network. If you trace one of those addresses from the branch PIX you may see that it is going out to the open internet instead of trying to tunnel. Try that and see if that is the problem.
Good answers. Actually a routing issue, but the tunnel is up.
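The thread turns on two things a reader has to check by eye across two long configs: in the opening post the two crypto ACLs (LONGBEACH on the main PIX, POMONA on the branch) are not mirror images of each other and the branch debug ends with "No cert, and no keys ... with remote peer", and in the closing exchange the tunnel is MM_IDLE but traffic does not flow, with the main PIX still carrying "route inside 192.168.100.0 255.255.252.0 132.147.12.11" for the very network its crypto map is supposed to protect through the outside interface. The script below is an added example, not something posted in the thread or shipped by Cisco. It parses only the PIX 6.3 statements that matter for a LAN-to-LAN tunnel and reports: crypto-ACL entries the other side does not mirror, crypto flows that the "nat 0" ACL does not exempt, a crypto-map peer with no matching "isakmp key", and remote networks whose longest-prefix route does not exit through the interface the crypto map is bound to. The sample configs are trimmed copies of the posted ones; because the public addresses were masked as 64.x.x.x and 71.x.x.x, they are replaced here with RFC 5737 TEST-NET addresses, which is an assumption, as is the BRANCH_V2 sample that reproduces the corrected branch crypto ACL from the second posting.

```python
"""PIX 6.3 LAN-to-LAN sanity checker (added example, not from the thread).
Reports unmirrored crypto ACLs, flows 'nat 0' leaves translated, a peer with
no pre-shared key, and remote LANs routed away from the crypto-map interface.
"""
import ipaddress
import re


def net(addr, mask):
    """PIX writes 'any' or 'addr mask'; normalise both to an IPv4Network."""
    if addr == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def parse_pix(text):
    """Collect ACLs, routes, the static crypto-map entry, nat 0 and isakmp keys."""
    cfg = {"acl": {}, "routes": [], "map_if": None, "peer": None,
           "crypto_acl": None, "nonat_acl": None, "keys": []}
    for line in text.splitlines():
        if m := re.match(r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$", line):
            cfg["acl"].setdefault(m[1], []).append((net(m[2], m[3]), net(m[4], m[5])))
        elif m := re.match(r"route (\S+) (\S+) (\S+) (\S+)", line):
            cfg["routes"].append((net(m[2], m[3]), m[1]))   # (prefix, egress iface)
        elif m := re.match(r"crypto map \S+ \d+ match address (\S+)", line):
            cfg["crypto_acl"] = m[1]
        elif m := re.match(r"crypto map \S+ \d+ set peer (\S+)", line):
            cfg["peer"] = m[1]
        elif m := re.match(r"crypto map \S+ interface (\S+)", line):
            cfg["map_if"] = m[1]
        elif m := re.match(r"nat \(\S+\) 0 access-list (\S+)", line):
            cfg["nonat_acl"] = m[1]
        elif m := re.match(r"isakmp key \S+ address (\S+) netmask (\S+)", line):
            cfg["keys"].append(net(m[1], m[2]))
    return cfg


def proxy_pairs(cfg):
    """(local, remote) network pairs the static crypto map will negotiate."""
    return set(cfg["acl"].get(cfg["crypto_acl"], []))


def mirror_gaps(local, remote):
    """Local crypto-ACL entries that the remote side does not list reversed."""
    far = proxy_pairs(remote)
    return sorted(f"{s}>{d}" for s, d in proxy_pairs(local) if (d, s) not in far)


def nonat_gaps(cfg):
    """Crypto-ACL flows that 'nat 0' would still translate, so they never match."""
    exempt = set(cfg["acl"].get(cfg["nonat_acl"], []))
    return sorted(f"{s}>{d}" for s, d in proxy_pairs(cfg) if (s, d) not in exempt)


def has_peer_key(cfg):
    """True if some 'isakmp key ... address/netmask' covers the crypto-map peer."""
    peer = ipaddress.IPv4Address(cfg["peer"])
    return any(peer in k for k in cfg["keys"])


def egress(cfg, dst):
    """Longest-prefix route lookup; returns the egress interface name or None."""
    dst = ipaddress.IPv4Address(dst)
    hits = [r for r in cfg["routes"] if dst in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen)[1] if hits else None


def misrouted_remotes(cfg):
    """Remote proxy networks whose packets would not exit the crypto-map interface."""
    return sorted(str(d) for _, d in proxy_pairs(cfg)
                  if egress(cfg, str(d.network_address)) != cfg["map_if"])


def review(local, remote):
    """Run every check from the point of view of 'local'."""
    return {"unmirrored": mirror_gaps(local, remote), "natted": nonat_gaps(local),
            "peer_key": has_peer_key(local), "misrouted": misrouted_remotes(local)}


# Constructed samples: relevant lines of the posted configs; the masked public
# addresses (64.x.x.x / 71.x.x.x) are replaced by RFC 5737 TEST-NET addresses.
MAIN = """\
access-list NONAT permit ip 132.147.12.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list POMONA permit ip 132.147.12.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list NONAT
route outside 0.0.0.0 0.0.0.0 198.51.100.1 1
route inside 192.168.100.0 255.255.252.0 132.147.12.11 1
crypto map VPNmap 10 match address POMONA
crypto map VPNmap 10 set peer 203.0.113.2
crypto map VPNmap interface outside
isakmp key ******** address 203.0.113.2 netmask 255.255.255.255 no-xauth no-config-mode
"""
# Branch as first posted: its crypto ACL points at the VPN-client pool, not the main LAN.
BRANCH_V1 = """\
access-list NONAT permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list NONAT permit ip 192.168.100.0 255.255.255.0 132.147.12.0 255.255.255.0
access-list POMONA permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list NONAT
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
crypto map VPNmap 10 match address POMONA
crypto map VPNmap 10 set peer 198.51.100.2
crypto map VPNmap interface outside
isakmp key ******** address 198.51.100.2 netmask 255.255.255.255
"""
# Branch as corrected in the second posting: crypto ACL now mirrors the main side.
BRANCH_V2 = BRANCH_V1.replace("match address POMONA", "match address LONGBEACH") + \
    "access-list LONGBEACH permit ip 192.168.100.0 255.255.255.0 132.147.12.0 255.255.255.0\n"

if __name__ == "__main__":
    for label, a, b in (("main->branch v1", MAIN, BRANCH_V1), ("branch v1->main", BRANCH_V1, MAIN),
                        ("main->branch v2", MAIN, BRANCH_V2), ("branch v2->main", BRANCH_V2, MAIN)):
        print(label, review(parse_pix(a), parse_pix(b)))
```

Against the first pair of configs the mirror check fires on both sides, matching the "what do you mean by matching" exchange; against the corrected pair it goes quiet, while the route check keeps flagging 192.168.100.0/24 on the main PIX, because the 255.255.252.0 route toward 132.147.12.11 wins longest-prefix over the default route and so that traffic never reaches the outside interface where the crypto map lives. The checker only sees what is in the two configs; it cannot see the upstream routing of 132.147.12.0 that the last comment raises, which is why a traceroute from the branch remains the right follow-up.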