Solved

Remote site/site VPN connection stopped working on PIX. 3 other sites still working fine.

Posted on 2007-11-28
Last Modified: 2010-04-09
A remote office running a PIX 506e has been set up w/ a site-site VPN link with our PIX 515E in my main office. (I have 3 other sites set up the same way.) Today the link dropped and will not reconnect.

I'm not a PIX master, and after trying some things out, I came across the crypto isakmp debug data that might be helpful. The curious line is the "Peer info for xxxx not found".


crypto_isakmp_process_block:src:x7.154.55.74, dest:x4.80.97.66 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 1 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP (0): atts are not acceptable. Next payload is 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 8 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP (0): atts are not acceptable. Next payload is 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP (0): atts are not acceptable. Next payload is 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 20 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
ISAKMP (0): retransmitting phase 1 (0)...
ISAKMP (0): retransmitting phase 1 (1)...
crypto_isakmp_process_block:src:x7.154.55.74, dest:64.80.97.66 spt:500 dpt:500
VPN Peer:ISAKMP: Peer Info for x7.154.55.74/500 not found - peers:4

ISAKMP: larval sa found
ISAKMP (0): retransmitting phase 1 (0)...
ISAKMP (0): retransmitting phase 1 (0)...
crypto_isakmp_process_block:src:x7.154.55.74, dest:x4.80.97.66 spt:500 dpt:500
VPN Peer:ISAKMP: Peer Info for x7.154.55.74/500 not found - peers:4

ISAKMP: larval sa found
ISAKMP (0): retransmitting phase 1 (0)...
ISAKMP (0): retransmitting phase 1 (1)...
ISAKMP (0): deleting SA: src x4.80.97.66, dst x7.154.55.74
ISADB: reaper checking SA 0x12c33dc, conn_id = 0
ISADB: reaper checking SA 0x12b48ac, conn_id = 0
ISADB: reaper checking SA 0xffebc4, conn_id = 0
ISADB: reaper checking SA 0xfffb54, conn_id = 0
ISADB: reaper checking SA 0x12bd1a4, conn_id = 0  DELETE IT!

VPN Peer:ISAKMP: Peer Info for x7.154.55.74/500 not found - peers:4

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!


Here is my config for the VPN connections.



crypto ipsec transform-set bLockvIsionvpn01-set esp-des esp-md5-hmac
crypto ipsec transform-set vpnset esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map cisco 20 set transform-set bLockvIsionvpn01-set
crypto dynamic-map cisco 25 set transform-set bLockvIsionvpn01-set
crypto map bLockvIsionvpn01-map 1 ipsec-isakmp
crypto map bLockvIsionvpn01-map 1 match address 101
crypto map bLockvIsionvpn01-map 1 set peer x16.138.124.162
crypto map bLockvIsionvpn01-map 1 set transform-set vpnset
crypto map bLockvIsionvpn01-map 10 ipsec-isakmp
crypto map bLockvIsionvpn01-map 10 match address 95
crypto map bLockvIsionvpn01-map 10 set peer x7.67.115.163
crypto map bLockvIsionvpn01-map 10 set transform-set vpnset
crypto map bLockvIsionvpn01-map 15 ipsec-isakmp
crypto map bLockvIsionvpn01-map 15 match address 200
crypto map bLockvIsionvpn01-map 15 set peer x.151.180.34
crypto map bLockvIsionvpn01-map 15 set transform-set vpnset
crypto map bLockvIsionvpn01-map 20 ipsec-isakmp
crypto map bLockvIsionvpn01-map 20 match address 123
crypto map bLockvIsionvpn01-map 20 set peer xx.167.114.220
crypto map bLockvIsionvpn01-map 20 set transform-set ESP-3DES-SHA
crypto map bLockvIsionvpn01-map 40 ipsec-isakmp
crypto map bLockvIsionvpn01-map 40 match address outside_cryptomap_40
crypto map bLockvIsionvpn01-map 40 set peer xx.154.55.74
crypto map bLockvIsionvpn01-map 40 set transform-set ESP-3DES-MD5
crypto map bLockvIsionvpn01-map 100 ipsec-isakmp dynamic cisco
crypto map bLockvIsionvpn01-map client authentication LOCAL
crypto map bLockvIsionvpn01-map interface outside
isakmp enable outside
isakmp key ******** address x.38.124.162 netmask 255.255.255.255
isakmp key ******** address x.51.180.34 netmask 255.255.255.255
isakmp key ******** address x.7.115.163 netmask 255.255.255.255
isakmp key ******** address x.67.114.220 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address x.154.55.74 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp nat-traversal 20
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 86400
isakmp policy 8 authentication rsa-sig
isakmp policy 8 encryption des
isakmp policy 8 hash md5
isakmp policy 8 group 2
isakmp policy 8 lifetime 86400
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400



Question by:xenetar
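The policy walk shown in the debug output above can be reproduced from the posted configuration. The following is an added example, not part of the original thread: it compares the peer's offered transform (3DES, MD5, group 2, pre-share) against each `isakmp policy` in priority order. ISAKMP policies are global to the device and are tried by priority number, independent of crypto map sequence numbers. The names `parse_policies` and `evaluate` are hypothetical, and lifetimes are left out of the comparison because every value in the post is 86400.

```python
import re

# ISAKMP policy lines copied from the configuration posted in the question
# (lifetime lines omitted: all are 86400 and are not compared here).
CONFIG = """\
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 8 authentication rsa-sig
isakmp policy 8 encryption des
isakmp policy 8 hash md5
isakmp policy 8 group 2
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
"""

# Proposal offered by the peer, transcribed from the debug output
# (3DES-CBC, MD5, default group 2, auth pre-share) into config keywords.
OFFER = {"encryption": "3des", "hash": "md5",
         "group": "2", "authentication": "pre-share"}

def parse_policies(text):
    """Build {priority: {attribute: value}} from 'isakmp policy' lines."""
    policies = {}
    for m in re.finditer(r"^isakmp policy (\d+) (\S+) (\S+)$", text, re.M):
        policies.setdefault(int(m.group(1)), {})[m.group(2)] = m.group(3)
    return policies

def evaluate(offer, policies):
    """Return [(priority, mismatched_attributes)], stopping at the first match."""
    results = []
    for prio in sorted(policies):
        bad = [k for k in offer if policies[prio].get(k) != offer[k]]
        results.append((prio, bad))
        if not bad:          # "atts are acceptable": negotiation uses this policy
            break
    return results

if __name__ == "__main__":
    for prio, bad in evaluate(OFFER, parse_policies(CONFIG)):
        print(prio, "acceptable" if not bad else "rejected: " + ", ".join(bad))
```
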
5 Comments
 
LVL 21

Expert Comment

by:from_exp
ID: 20369089
The message
crypto_isakmp_process_block:src:x7.154.55.74, dest:x4.80.97.66 spt:500 dpt:500
VPN Peer:ISAKMP: Peer Info for x7.154.55.74/500 not found - peers:4
shows you do not have a valid configuration for peer xx.154.55.74/500.

As you show in your config file, you do not have an isakmp policy for bLockvIsionvpn01-map 40, like you have for bLockvIsionvpn01-map 20.

Create:
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash md5
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400
0
 
LVL 1

Author Comment

by:xenetar
ID: 20369662
I tried that... no luck.   Any other possibilities?
0
 
LVL 21

Expert Comment

by:from_exp
ID: 20371652
Please paste your updated configuration and show log output.
0
 
LVL 1

Accepted Solution

by:xenetar
ID: 20398112
Ended up being an ISP issue.  
0
 
LVL 21

Expert Comment

by:from_exp
ID: 20401187
Nice!
Then we can close this question.
0
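A way to read the debug output from the question mechanically, as an added example that is not part of the original thread: it records which policy priority accepted the proposal, decodes the VPI lifetime bytes, and flags the pattern seen here, where a proposal is accepted but phase 1 then only retransmits until the SA is deleted. That pattern means the expected next message never arrived, which is consistent with a path problem rather than a policy mismatch. The function name `summarize` is hypothetical and the sample is a trimmed excerpt of the posted log.

```python
import re

# Trimmed excerpt of the debug output posted in the question.
DEBUG = """\
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP (0): atts are not acceptable. Next payload is 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 20 policy
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
return status is IKMP_NO_ERROR
ISAKMP (0): retransmitting phase 1 (0)...
ISAKMP (0): retransmitting phase 1 (1)...
VPN Peer:ISAKMP: Peer Info for x7.154.55.74/500 not found - peers:4
ISAKMP (0): deleting SA: src x4.80.97.66, dst x7.154.55.74
"""

def summarize(log):
    """Summarize a PIX 'debug crypto isakmp' main-mode trace."""
    out = {"accepted": None, "rejected": [], "lifetime": None,
           "retransmits_after_accept": 0, "sa_deleted": False}
    prio = None
    for line in log.splitlines():
        if m := re.search(r"against priority (\d+) policy", line):
            prio = int(m.group(1))
        elif m := re.search(r"life duration \(VPI\) of((?:\s+0x[0-9a-fA-F]+)+)", line):
            # The lifetime is printed as big-endian bytes: 0x00015180 = 86400 s.
            raw = bytes(int(b, 16) for b in m.group(1).split())
            out["lifetime"] = int.from_bytes(raw, "big")
        elif "atts are not acceptable" in line:
            out["rejected"].append(prio)
        elif "atts are acceptable" in line:
            out["accepted"] = prio
        elif "retransmitting phase 1" in line and out["accepted"] is not None:
            out["retransmits_after_accept"] += 1
        elif "deleting SA" in line:
            out["sa_deleted"] = True
    # Accepted proposal + retransmits + SA deleted: exchange stalled mid-handshake.
    out["stalled_after_accept"] = (out["accepted"] is not None
                                   and out["retransmits_after_accept"] > 0
                                   and out["sa_deleted"])
    return out

if __name__ == "__main__":
    print(summarize(DEBUG))
```
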
