Solved

Remote site/site VPN connection stopped working on PIX.  3 others sites still working fine.

Posted on 2007-11-28
Last Modified: 2010-04-09
A remote office running a PIX 506e has been set up w/ a site-site VPN link with our PIX 515E in my main office. (I have 3 other sites set up the same way.) Today the link dropped and will not reconnect.

I'm not a PIX master, and after trying some things out, I came across the crypto isakmp debug data that might be helpful. The curious line is the "Peer info for xxxx not found".


crypto_isakmp_process_block:src:x7.154.55.74, dest:x4.80.97.66 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 1 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP (0): atts are not acceptable. Next payload is 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 8 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP (0): atts are not acceptable. Next payload is 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP (0): atts are not acceptable. Next payload is 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 20 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
ISAKMP (0): retransmitting phase 1 (0)...
ISAKMP (0): retransmitting phase 1 (1)...
crypto_isakmp_process_block:src:x7.154.55.74, dest:64.80.97.66 spt:500 dpt:500
VPN Peer:ISAKMP: Peer Info for x7.154.55.74/500 not found - peers:4

ISAKMP: larval sa found
ISAKMP (0): retransmitting phase 1 (0)...
ISAKMP (0): retransmitting phase 1 (0)...
crypto_isakmp_process_block:src:x7.154.55.74, dest:x4.80.97.66 spt:500 dpt:500
VPN Peer:ISAKMP: Peer Info for x7.154.55.74/500 not found - peers:4

ISAKMP: larval sa found
ISAKMP (0): retransmitting phase 1 (0)...
ISAKMP (0): retransmitting phase 1 (1)...
ISAKMP (0): deleting SA: src x4.80.97.66, dst x7.154.55.74
ISADB: reaper checking SA 0x12c33dc, conn_id = 0
ISADB: reaper checking SA 0x12b48ac, conn_id = 0
ISADB: reaper checking SA 0xffebc4, conn_id = 0
ISADB: reaper checking SA 0xfffb54, conn_id = 0
ISADB: reaper checking SA 0x12bd1a4, conn_id = 0  DELETE IT!

VPN Peer:ISAKMP: Peer Info for x7.154.55.74/500 not found - peers:4

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!


Here is my config for the VPN connections.



crypto ipsec transform-set bLockvIsionvpn01-set esp-des esp-md5-hmac
crypto ipsec transform-set vpnset esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map cisco 20 set transform-set bLockvIsionvpn01-set
crypto dynamic-map cisco 25 set transform-set bLockvIsionvpn01-set
crypto map bLockvIsionvpn01-map 1 ipsec-isakmp
crypto map bLockvIsionvpn01-map 1 match address 101
crypto map bLockvIsionvpn01-map 1 set peer x16.138.124.162
crypto map bLockvIsionvpn01-map 1 set transform-set vpnset
crypto map bLockvIsionvpn01-map 10 ipsec-isakmp
crypto map bLockvIsionvpn01-map 10 match address 95
crypto map bLockvIsionvpn01-map 10 set peer x7.67.115.163
crypto map bLockvIsionvpn01-map 10 set transform-set vpnset
crypto map bLockvIsionvpn01-map 15 ipsec-isakmp
crypto map bLockvIsionvpn01-map 15 match address 200
crypto map bLockvIsionvpn01-map 15 set peer x.151.180.34
crypto map bLockvIsionvpn01-map 15 set transform-set vpnset
crypto map bLockvIsionvpn01-map 20 ipsec-isakmp
crypto map bLockvIsionvpn01-map 20 match address 123
crypto map bLockvIsionvpn01-map 20 set peer xx.167.114.220
crypto map bLockvIsionvpn01-map 20 set transform-set ESP-3DES-SHA
crypto map bLockvIsionvpn01-map 40 ipsec-isakmp
crypto map bLockvIsionvpn01-map 40 match address outside_cryptomap_40
crypto map bLockvIsionvpn01-map 40 set peer xx.154.55.74
crypto map bLockvIsionvpn01-map 40 set transform-set ESP-3DES-MD5
crypto map bLockvIsionvpn01-map 100 ipsec-isakmp dynamic cisco
crypto map bLockvIsionvpn01-map client authentication LOCAL
crypto map bLockvIsionvpn01-map interface outside
isakmp enable outside
isakmp key ******** address x.38.124.162 netmask 255.255.255.255
isakmp key ******** address x.51.180.34 netmask 255.255.255.255
isakmp key ******** address x.7.115.163 netmask 255.255.255.255
isakmp key ******** address x.67.114.220 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address x.154.55.74 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp nat-traversal 20
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 86400
isakmp policy 8 authentication rsa-sig
isakmp policy 8 encryption des
isakmp policy 8 hash md5
isakmp policy 8 group 2
isakmp policy 8 lifetime 86400
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400



0
Question by:xenetar
5 Comments
 
LVL 21

Expert Comment

by:from_exp
ID: 20369089
The message
crypto_isakmp_process_block:src:x7.154.55.74, dest:x4.80.97.66 spt:500 dpt:500
VPN Peer:ISAKMP: Peer Info for x7.154.55.74/500 not found - peers:4
shows you do not have a valid configuration for peer xx.154.55.74/500.

As you show in your config file, you do not have an isakmp policy for bLockvIsionvpn01-map 40, like you have for bLockvIsionvpn01-map 20.

Create:
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash md5
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400
0
 
LVL 1

Author Comment

by:xenetar
ID: 20369662
I tried that... no luck.   Any other possibilities?
0
 
LVL 21

Expert Comment

by:from_exp
ID: 20371652
Please paste your updated configuration and show log output.
0
 
LVL 1

Accepted Solution

by:
xenetar earned 0 total points
ID: 20398112
Ended up being an ISP issue.  
0
 
LVL 21

Expert Comment

by:from_exp
ID: 20401187
Nice!
Then we can close this question.
0
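
Added example (not part of the thread, and not the poster's or Cisco's code): the peer's proposal from the debug output and the `isakmp policy` lines from the posted config, replayed in Python to show which attributes make priorities 1, 8 and 10 unacceptable and why priority 20 is accepted. The comparison is simplified to equality on encryption, hash, group and authentication; all function names are illustrative.

```python
import re
# Peer's offer, copied from the ISAKMP debug output in the question.
DEBUG = """\
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
"""
# Policies from the posted config (the lifetime lines, all 86400, are left out).
CONFIG = """\
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 8 authentication rsa-sig
isakmp policy 8 encryption des
isakmp policy 8 hash md5
isakmp policy 8 group 2
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
"""
KEYS = {"default group": "group", "auth": "authentication"}  # debug name -> config keyword

def parse_proposal(debug):
    """Return the offered attributes using the config's keywords and value spelling."""
    found = re.findall(r"ISAKMP:\s+(encryption|hash|default group|auth) (\S+)", debug)
    return {KEYS.get(k, k): v.lower().replace("-cbc", "") for k, v in found}

def vpi_seconds(debug):  # the 'life duration (VPI)' bytes form one big-endian integer
    octets = re.search(r"\(VPI\) of\s+(.+)", debug).group(1).split()
    return int.from_bytes(bytes(int(o, 16) for o in octets), "big")

def parse_policies(config):
    policies = {}
    for prio, key, val in re.findall(r"^isakmp policy (\d+) (\S+) (\S+)$", config, re.M):
        policies.setdefault(int(prio), {})[key] = val
    return policies

def mismatches(proposal, policies):
    """Per priority, ascending: attributes that differ from the offer ([] = acceptable)."""
    return {n: [k for k in proposal if policies[n].get(k) != proposal[k]] for n in sorted(policies)}

print(mismatches(parse_proposal(DEBUG), parse_policies(CONFIG)), vpi_seconds(DEBUG))
```

The result agrees with the debug output's "atts are acceptable" at priority 20, so the phase 1 retransmits that follow occur after a policy had already matched.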
