[c-nsp] lan-to-lan pix-vpn3k unidirectional problem
Peder at NetworkOblivion
peder at networkoblivion.com
Thu Nov 24 21:47:23 EST 2005
Without the configs from both ends, there isn't much that we can tell you.
Zacchello Marco wrote:
> Hi to all,
>
> mine: PIX 515 running 6.3(3) with 10+ vpn tunnels up and running; Theirs: VPN3K with several (a dozen or so) vpn tunnels as well.
>
> Tunnel will initiate and come up normally when they send traffic from the servers on their side to my servers. As long as they initiate the tunnel, I can get to them, and vice-versa. If the tunnel is down, I am not able to bring it up - I get the error message in my debugs:
> "IPSEC(sa_initiate): ACL = deny; no sa created" ...???
>
> We have verified phase 1 and 2 parameters, and it is not an acl mismatch - those have been checked many times. PSK's match, etc. - we cannot find a discrepancy in the configs between the two firewalls. Cisco has no answer either - the case has been open a week, and they are back to asking for my configs and debug output. Starting over at square 1...
>
> After re-reading the crypto PIX command documentation, I notice a TIP suggesting to clear the 'crypto map MYMAP interface outside' and then to configure it again. I've done it, and after that (pinging from my side) the debug shows some isakmp negotiation (but from the debug it seems that it is the VPN3k that opens the isakmp negotiation) that at last fails.
>
> I can't understand why they can bring the tunnel up, but my side cannot? I've got many vpn tunnels up and running, and have done this many times. Thanks in advance, any and all help is appreciated.
>
>
> Marco
--
Network stuff you didn't know....
http://www.networkoblivion.com
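Two things worth checking by hand when a PIX debug reports "ACL = deny; no sa created": whether the test traffic actually matches a permit line in the crypto ACL, and whether the two ends' crypto ACLs are exact mirror images. This is an added example, not code from the thread or from Cisco; the access-list lines and the names VPN_TO_PEER / VPN_TO_LOCAL are constructed.

```python
import ipaddress
import re

# Constructed sample crypto ACLs in PIX 6.3 syntax (not the poster's config):
# "access-list NAME permit ip SRC MASK DST MASK", MASK being a subnet mask.
LOCAL_ACL = """
access-list VPN_TO_PEER permit ip 10.1.0.0 255.255.0.0 192.168.50.0 255.255.255.0
access-list VPN_TO_PEER permit ip 10.2.10.0 255.255.255.0 192.168.50.0 255.255.255.0
"""
PEER_ACL = """
access-list VPN_TO_LOCAL permit ip 192.168.50.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list VPN_TO_LOCAL permit ip 192.168.50.0 255.255.255.0 10.2.0.0 255.255.0.0
"""

LINE = re.compile(r"access-list\s+\S+\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")


def parse_acl(text):
    """Return (src_net, dst_net) pairs for every 'permit ip' line in the ACL text."""
    entries = []
    for m in LINE.finditer(text):
        src = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
        dst = ipaddress.ip_network(f"{m.group(3)}/{m.group(4)}", strict=False)
        entries.append((src, dst))
    return entries


def matching_entry(acl, src_ip, dst_ip):
    """First entry covering the flow, or None: the case the PIX logs as 'ACL = deny'."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for src, dst in acl:
        if s in src and d in dst:
            return (src, dst)
    return None


def unmirrored(local, peer):
    """Local entries with no exact (dst, src) mirror on the peer; these are suspects."""
    mirrors = {(dst, src) for src, dst in peer}
    return [entry for entry in local if entry not in mirrors]


if __name__ == "__main__":
    local, peer = parse_acl(LOCAL_ACL), parse_acl(PEER_ACL)
    print("ping 10.1.5.5 -> 192.168.50.10 matches:", matching_entry(local, "10.1.5.5", "192.168.50.10"))
    print("ping 10.3.0.1 -> 192.168.50.10 matches:", matching_entry(local, "10.3.0.1", "192.168.50.10"))
    print("entries without an exact mirror on the peer:", unmirrored(local, peer))
```

A flow that returns None from matching_entry will never initiate the SA from this side, and an entry listed by unmirrored (here the peer uses a wider 10.2.0.0/16 than the local 10.2.10.0/24) is the kind of near-match that survives a visual comparison.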