xenetar asked:

Remote site/site VPN connection stopped working on PIX. 3 others sites still working fine.

A remote office running a PIX 506e has been set up w/ a site-site VPN link with our PIX 515E in my main office. (I have 3 other sites set up the same way). Today the link dropped and will not reconnect.

I'm not a PIX master, and after trying some things out, I came across the crypto isakmp debug data that might be helpful. The curious line is the "Peer info for xxxx not found".


crypto_isakmp_process_block:src:x7.154.55.74, dest:x4.80.97.66 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 1 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP (0): atts are not acceptable. Next payload is 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 8 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP (0): atts are not acceptable. Next payload is 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP (0): atts are not acceptable. Next payload is 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 20 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
ISAKMP (0): retransmitting phase 1 (0)...
ISAKMP (0): retransmitting phase 1 (1)...
crypto_isakmp_process_block:src:x7.154.55.74, dest:64.80.97.66 spt:500 dpt:500
VPN Peer:ISAKMP: Peer Info for x7.154.55.74/500 not found - peers:4

ISAKMP: larval sa found
ISAKMP (0): retransmitting phase 1 (0)...
ISAKMP (0): retransmitting phase 1 (0)...
crypto_isakmp_process_block:src:x7.154.55.74, dest:x4.80.97.66 spt:500 dpt:500
VPN Peer:ISAKMP: Peer Info for x7.154.55.74/500 not found - peers:4

ISAKMP: larval sa found
ISAKMP (0): retransmitting phase 1 (0)...
ISAKMP (0): retransmitting phase 1 (1)...
ISAKMP (0): deleting SA: src x4.80.97.66, dst x7.154.55.74
ISADB: reaper checking SA 0x12c33dc, conn_id = 0
ISADB: reaper checking SA 0x12b48ac, conn_id = 0
ISADB: reaper checking SA 0xffebc4, conn_id = 0
ISADB: reaper checking SA 0xfffb54, conn_id = 0
ISADB: reaper checking SA 0x12bd1a4, conn_id = 0  DELETE IT!

VPN Peer:ISAKMP: Peer Info for x7.154.55.74/500 not found - peers:4

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!


Here is my config for the VPN connections.



crypto ipsec transform-set bLockvIsionvpn01-set esp-des esp-md5-hmac
crypto ipsec transform-set vpnset esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map cisco 20 set transform-set bLockvIsionvpn01-set
crypto dynamic-map cisco 25 set transform-set bLockvIsionvpn01-set
crypto map bLockvIsionvpn01-map 1 ipsec-isakmp
crypto map bLockvIsionvpn01-map 1 match address 101
crypto map bLockvIsionvpn01-map 1 set peer x16.138.124.162
crypto map bLockvIsionvpn01-map 1 set transform-set vpnset
crypto map bLockvIsionvpn01-map 10 ipsec-isakmp
crypto map bLockvIsionvpn01-map 10 match address 95
crypto map bLockvIsionvpn01-map 10 set peer x7.67.115.163
crypto map bLockvIsionvpn01-map 10 set transform-set vpnset
crypto map bLockvIsionvpn01-map 15 ipsec-isakmp
crypto map bLockvIsionvpn01-map 15 match address 200
crypto map bLockvIsionvpn01-map 15 set peer x.151.180.34
crypto map bLockvIsionvpn01-map 15 set transform-set vpnset
crypto map bLockvIsionvpn01-map 20 ipsec-isakmp
crypto map bLockvIsionvpn01-map 20 match address 123
crypto map bLockvIsionvpn01-map 20 set peer xx.167.114.220
crypto map bLockvIsionvpn01-map 20 set transform-set ESP-3DES-SHA
crypto map bLockvIsionvpn01-map 40 ipsec-isakmp
crypto map bLockvIsionvpn01-map 40 match address outside_cryptomap_40
crypto map bLockvIsionvpn01-map 40 set peer xx.154.55.74
crypto map bLockvIsionvpn01-map 40 set transform-set ESP-3DES-MD5
crypto map bLockvIsionvpn01-map 100 ipsec-isakmp dynamic cisco
crypto map bLockvIsionvpn01-map client authentication LOCAL
crypto map bLockvIsionvpn01-map interface outside
isakmp enable outside
isakmp key ******** address x.38.124.162 netmask 255.255.255.255
isakmp key ******** address x.51.180.34 netmask 255.255.255.255
isakmp key ******** address x.7.115.163 netmask 255.255.255.255
isakmp key ******** address x.67.114.220 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address x.154.55.74 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp nat-traversal 20
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 86400
isakmp policy 8 authentication rsa-sig
isakmp policy 8 encryption des
isakmp policy 8 hash md5
isakmp policy 8 group 2
isakmp policy 8 lifetime 86400
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
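
Added example, not part of the original thread: a short Python check that replays the phase 1 policy walk visible in the debug output above, using the four isakmp policy entries from the posted config, and reports which attribute caused each rejection. The POLICIES table is transcribed by hand from that config and the function names are hypothetical; only authentication, encryption, hash and DH group are compared, and the lifetime is decoded but not compared (a simplification).

```python
import re

# Transcribed from the asker's config: (auth, encryption, hash, DH group).
POLICIES = {
    1:  ("pre-share", "des",  "md5", "1"),
    8:  ("rsa-sig",   "des",  "md5", "2"),
    10: ("pre-share", "3des", "sha", "2"),
    20: ("pre-share", "3des", "md5", "2"),
}
FIELDS = ("auth", "encryption", "hash", "group")

# Offered transform, copied from the debug output on the page.
DEBUG = """\
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
"""

def parse_offer(text):
    """Extract the peer's proposed attributes, normalised to config spelling (3DES-CBC -> 3des)."""
    offer = {}
    for line in text.splitlines():
        m = re.match(r"ISAKMP:\s+(encryption|hash|default group|auth)\s+(\S+)", line)
        if m:
            key = "group" if m.group(1) == "default group" else m.group(1)
            offer[key] = m.group(2).lower().replace("-cbc", "")
        m = re.search(r"life duration \(VPI\) of\s+((?:0x[0-9a-fA-F]+\s*)+)", line)
        if m:  # the lifetime is printed as big-endian octets
            octets = bytes(int(b, 16) for b in m.group(1).split())
            offer["lifetime"] = int.from_bytes(octets, "big")
    return offer

def evaluate(offer, policies=POLICIES):
    """Walk policies in priority order; return (first match, mismatched fields per rejected policy)."""
    rejected = {}
    for prio in sorted(policies):
        diff = [f for f, want in zip(FIELDS, policies[prio]) if offer[f] != want]
        if not diff:
            return prio, rejected
        rejected[prio] = diff
    return None, rejected

if __name__ == "__main__":
    match, rejected = evaluate(parse_offer(DEBUG))
    for prio, diff in rejected.items():
        print(f"policy {prio}: rejected on {', '.join(diff)}")
    print("accepted by policy:", match)
```

The result lines up with the device's own verdicts in the debug: "atts are not acceptable" for priorities 1, 8 and 10, then "atts are acceptable" for priority 20, with the retransmissions and "Peer Info ... not found" lines appearing only after that point.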



from_exp

message
crypto_isakmp_process_block:src:x7.154.55.74, dest:x4.80.97.66 spt:500 dpt:500
VPN Peer:ISAKMP: Peer Info for x7.154.55.74/500 not found - peers:4
shows you do not have a valid configuration for peer xx.154.55.74/500

As you show in your config file, you do not have an isakmp policy for bLockvIsionvpn01-map 40, like you have for bLockvIsionvpn01-map 20.

create:
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash md5
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400

xenetar (ASKER)

I tried that... no luck.   Any other possibilities?
Please paste your updated configuration and show log output.
ASKER CERTIFIED SOLUTION
xenetar
nice!
then we can close this question