Solved

VPN tunnel not comming up on PIX and ASA. Any suggestions?

Posted on 2008-10-31
5
888 Views
Last Modified: 2011-10-19
Hello All,

I am having trouble establishing a VPN tunnel between a ASA and PIX. Everything looks right on my configuration and I am at a lose to explain why the tunnel is not coming up. I have included my configurations. Any suggestions. Thank you.


Main-Branch-PIX.txt
Remote-Branch-ASA.txt
0
Comment
Question by:greenbeanx81
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
5 Comments
 
LVL 7

Expert Comment

by:geergon
ID: 22855517
Hi Sir!

It could be anything.

Please we can start testing with:
Add "sysopt connection permit-ipsec" int the PIX and in the ASA is "sysopt connection permit-vpn"
And delete "crypto map VPNmap 10 set pfs" in ASA.

Just to double check the sub-net behind the PIX is 172.21.173.0/24
And the subnet behind the ASA is: 172.21.174.0/24
Right?


So I recommend you to update this case with a capture of the debug and the show, in console mode:
Please type show crypto isakmp sa to see if the issue is related to phase 1.
And type show crypto ipsec sa if is something with phase 2.
And
"debug crypto isakmp 128"
or "debug crypto isakmp 254"
Copy an paste the debug.
Then "un all" --> refers to undebug all.

Also if would be a great idea if check this link too!
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#Solution12

Maybe I going to recreate this in my lab.
Bye!
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 22855583
Agree that you need the syspot commands on both sides.
Also agree that you need to remove the PFS on the ASA

On the PIX, this line:
 >isakmp key ******** address 24.x.x.x netmask 255.255.255.255

Should have added tags:
isakmp key ******** address 24.x.x.x netmask 255.255.255.255 no-xauth no-config-mode
0
 

Author Comment

by:greenbeanx81
ID: 22869595
Yes, the PIX subnet is 172.21.173.0/24 and the ASA is 172.21.174.0/24. I have added and removed the required lines but the tunnel is still not coming up. No output from the debug crypto isakmp 150 command either.
0
 
LVL 7

Expert Comment

by:geergon
ID: 22873370
What about:
debug crypto isakmp 254

&

debug crypto ipsec 254

Please attach the debugs.
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
ID: 22873547
Since you do not have any deny statements in the acl, you can remove it from the Main branch:
  no access-group 101 in interface inside

on Remote, add:
  crypto isakmp identity address

what do you get with "show crypto is sa" ? Issue the command several times until you get something..

Do you have traffic from these two networks? Setup a continuous ping from a host on one side to a host on the other side.
Then post result of "show crypto ip sa"
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
ASA RADIUS Authetication for Management Access 13 48
What is the VPn crypto table on a Cisco ASA? 2 29
NAT/PAT unable to config correctly 7 44
Password recovery 2960S 4 35
Quality of Service (QoS) options are nearly endless when it comes to networks today. This article is merely one example of how it can be handled in a hub-n-spoke design using a 3-tier configuration.
For months I had no idea how to 'discover' the IP address of the other end of a link (without asking someone who knows), and it drove me batty. Think about it. You can't use Cisco Discovery Protocol (CDP) because it's not implemented on the ASAs.…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

733 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question