[c-nsp] vpn l2l issue - pix 506E to an asa5510

Kenny Long long.kenny at gmail.com
Thu Dec 24 09:25:11 EST 2009


Dalton,

I don't see the problem in the debug, but it would be better to have both
debugs (PIX and ASA) and also a sanitized copy of each config.

Kenny

On Thu, Dec 24, 2009 at 4:46 AM, dalton <daltons at panix.com> wrote:

>
> Hi all,
>
> I am having a strange issue trying to establish a tunnel between a pix
> 506E and an ASA5510.
>
> sh isa sa on my pix shows tunnel status as failing at MM_KEY_EXCH
>
> I have verified the phase 1 settings and key to be correct here,
>
> also running the pix in debug mode, it appears the pix is passing phase 1.
>
> I am natting the destination nets here, and am wondering if perhaps this
> is causing the issue.
>
> Phase 2 settings and acls also appear to be correct, though in some sense I
> can't seem to get beyond phase 1 according to the pix.
>
> Any insight would be greatly appreciated. Pix debug output is below.
>
> Thanks a lot,
> dalton
>
> ISAKMP (0): Checking ISAKMP transform 4 against priority 18 policy
> ISAKMP:      encryption 3DES-CBC
> ISAKMP:      hash MD5
> ISAKMP:      default group 2
> ISAKMP:      auth pre-share
> ISAKMP:      life type in seconds
> ISAKMP:      life duration (basic) of 28800
> ISAKMP (0): atts are acceptable. Next payload is 0
> ISAKMP (0): processing vendor id payload
>
> ISAKMP (0:0): vendor ID is NAT-T
> ISAKMP (0): processing vendor id payload
>
> ISAKMP (0): SA is doing pre-shared key authentication using id type
> ID_IPV4_ADDR
> ISAKMP (0:0): constructed HIS NAT-D
> ISAKMP (0:0): constructed MINE NAT-D
> ISAKMP (0:0): Detected port floating
> return status is IKMP_NO_ERROR
> crypto_isakmp_process_block:src:x.x.x.x, dest:x.x.x.x spt:500 dpt:500
> OAK_MM exchange
> ISAKMP (0): processing KE payload. message ID = 0
>
> ISAKMP (0): processing NONCE payload. message ID = 0
>
> ISAKMP (0): processing vendor id payload
>
> ISAKMP (0): processing vendor id payload
>
> ISAKMP (0): received xauth v6 vendor id
>
> ISAKMP (0): processing vendor id payload
>
> ISAKMP (0): speaking to another IOS box!
>
> ISAKMP (0): processing vendor id payload
>
> ISAKMP (0): speaking to a VPN3000 concentrator
>
> ISAKMP (0:0): Detected NAT-D payload
> ISAKMP (0:0): NAT does not match MINE hash
> hash received: 88 37 3a f4 5e bc 63 c4 9a fd 62 1b d a3 73 ea
> my nat hash  : 79 d4 19 aa 2e 88 fb b7 46 52 64 6e 11 5a 21 23
> ISAKMP (0:0): Detected NAT-D payload
> ISAKMP (0:0): NAT match HIS hash
> ISAKMP: Locking UDP_ENC struct 0xf5267c from crypto_ikmp_udp_enc_ike_init,
> count 1
> ISAKMP (0): ID payload
>        next-payload : 8
>        type         : 1
>        protocol     : 17
>        port         : 0
>        length       : 8
> ISAKMP (0): Total payload length: 12
> return status is IKMP_NO_ERROR
> crypto_isakmp_process_block:src: x.x.x.x, dest:x.x.x.x spt:500 dpt:500
> ISAKMP: error, msg not encrypted
> crypto_isakmp_process_block:src:x.x.x.x, dest:x.x.x.x spt:500 dpt:500
> ISAKMP: sa not found for ike msg
>
>
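An added triage helper, not from this thread or from Cisco, that reads the kind of PIX `debug crypto isakmp` output quoted above and reports the proposal match, the NAT-T/NAT-D findings (which side's address was rewritten) and the late-stage errors; the sample lines are constructed to mirror the quoted debug, and the hint texts are the example's own.

```python
"""Triage helper for PIX/ASA IKEv1 main-mode debug output (added example)."""
import re

# Constructed excerpt modelled on the debug lines quoted in the thread (not a verbatim capture).
SAMPLE_DEBUG = """
ISAKMP (0): Checking ISAKMP transform 4 against priority 18 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0:0): vendor ID is NAT-T
ISAKMP (0:0): Detected port floating
ISAKMP (0:0): Detected NAT-D payload
ISAKMP (0:0): NAT does not match MINE hash
ISAKMP (0:0): Detected NAT-D payload
ISAKMP (0:0): NAT match HIS hash
ISAKMP: error, msg not encrypted
ISAKMP: sa not found for ike msg
"""


def triage_ikev1_debug(text):
    """Return findings: proposal accepted, NAT-T state, which peer is NATed, late errors."""
    f = {"atts_acceptable": False, "nat_t": False, "port_floating": False,
         "nat_d_mine_mismatch": False, "nat_d_his_mismatch": False,
         "errors": [], "hints": []}
    for line in text.splitlines():
        if "atts are acceptable" in line:
            f["atts_acceptable"] = True          # phase 1 proposal matched a policy
        elif "vendor ID is NAT-T" in line:
            f["nat_t"] = True                    # peer advertised NAT traversal
        elif "Detected port floating" in line:
            f["port_floating"] = True            # IKE will move from UDP/500 to UDP/4500
        elif re.search(r"NAT does not match MINE hash", line):
            f["nat_d_mine_mismatch"] = True      # our own address/port hash differs: we are NATed
        elif re.search(r"NAT does not match HIS hash", line):
            f["nat_d_his_mismatch"] = True       # peer's address/port hash differs: peer is NATed
        elif re.search(r"error, msg not encrypted|sa not found for ike msg", line):
            f["errors"].append(line.strip())     # messages after MM_KEY_EXCH that no SA can handle
    if f["nat_d_mine_mismatch"]:
        f["hints"].append("local peer is behind NAT: its own address/port were rewritten in transit")
    if f["nat_d_his_mismatch"]:
        f["hints"].append("remote peer is behind NAT")
    if f["port_floating"] and f["errors"]:
        f["hints"].append("IKE floated to UDP/4500; confirm UDP/4500 is permitted end to end "
                          "and NAT-T is enabled on both peers")
    return f
```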