VPN Tunnel Creation / No Connection Is Made

IPsec, L2TP, split tunneling, PPTP and all other VPN-related posts.

Post by Guest »

QM_IDLE or MM_ACTIVE is good; that means Phase 1 is up and running. If you can ping from the router, that means the VPN tunnel is up and running. To check, you can issue:

    show crypto ipsec sa

You should see packets getting encrypted and decrypted (counters should increase). Are you able to access the LAN from each site?
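The counter check in the post above is easy to misread when the tunnel carries several traffic selectors or when only one direction is moving. The script below is an added example, not code from the thread or from Cisco: it parses two snapshots of "show crypto ipsec sa" taken before and after a test ping, diffs the encaps/decaps counters per selector, and classifies each one. The two snapshots are constructed for this example in the IOS output format (the counter values and the second selector towards 172.20.0.0/16 are invented; the thread only shows the 192.168.2.0/24 to 10.10.0.0/24 flow).

```python
import re
from dataclasses import dataclass

# Constructed sample output in the layout of IOS "show crypto ipsec sa".
# Values are invented for this example; only the first selector appears in the thread.
SNAPSHOT_BEFORE = """\
interface: FastEthernet0/0
    Crypto map tag: VPNMAP, local addr B.B.B.B

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.10.0.0/255.255.255.0/0/0)
   current_peer A.A.A.A port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 100, #pkts encrypt: 100, #pkts digest: 100
    #pkts decaps: 40, #pkts decrypt: 40, #pkts verify: 40
    #send errors 0, #recv errors 0

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.20.0.0/255.255.0.0/0/0)
   current_peer A.A.A.A port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 500, #pkts encrypt: 500, #pkts digest: 500
    #pkts decaps: 498, #pkts decrypt: 498, #pkts verify: 498
    #send errors 0, #recv errors 0
"""

# Same router, after "ping 10.10.0.1 source 192.168.2.10 repeat 10" and some
# inside traffic: the 10.10.0.0/24 selector encrypts but never decrypts.
SNAPSHOT_AFTER = SNAPSHOT_BEFORE.replace(
    "#pkts encaps: 100, #pkts encrypt: 100, #pkts digest: 100",
    "#pkts encaps: 110, #pkts encrypt: 110, #pkts digest: 110",
).replace(
    "#pkts encaps: 500, #pkts encrypt: 500, #pkts digest: 500",
    "#pkts encaps: 520, #pkts encrypt: 520, #pkts digest: 520",
).replace(
    "#pkts decaps: 498, #pkts decrypt: 498, #pkts verify: 498",
    "#pkts decaps: 517, #pkts decrypt: 517, #pkts verify: 517",
)

# Each traffic selector block starts at its "local  ident" line (IOS prints two spaces).
FLOW_START = re.compile(r"^\s*local  ident", re.M)


@dataclass(frozen=True)
class FlowCounters:
    local: str
    remote: str
    encaps: int
    decaps: int


def parse_ipsec_sa(text: str) -> dict[tuple[str, str], FlowCounters]:
    """Return {(local ident, remote ident): counters} for every selector in the output."""
    flows = {}
    starts = [m.start() for m in FLOW_START.finditer(text)] + [len(text)]
    for begin, end in zip(starts, starts[1:]):
        block = text[begin:end]
        local = re.search(r"local  ident .*?: \(([^)]*)\)", block)
        remote = re.search(r"remote ident .*?: \(([^)]*)\)", block)
        enc = re.search(r"#pkts encaps: (\d+)", block)
        dec = re.search(r"#pkts decaps: (\d+)", block)
        if not (local and remote and enc and dec):
            continue  # incomplete block, e.g. a selector with no SA yet
        fc = FlowCounters(local.group(1), remote.group(1), int(enc.group(1)), int(dec.group(1)))
        flows[(fc.local, fc.remote)] = fc
    return flows


def diagnose(before: dict, after: dict) -> dict[tuple[str, str], tuple[str, str]]:
    """Classify each selector by how its counters moved between the two snapshots."""
    verdicts = {}
    for key, b in before.items():
        a = after.get(key)
        if a is None:
            verdicts[key] = ("gone", "SA no longer present: tunnel was torn down between snapshots")
            continue
        tx, rx = a.encaps - b.encaps, a.decaps - b.decaps
        if tx > 0 and rx > 0:
            verdicts[key] = ("ok", f"+{tx} encrypted, +{rx} decrypted: traffic flows both ways")
        elif tx > 0:
            verdicts[key] = ("tx-only", f"+{tx} encrypted, nothing decrypted: replies never return "
                                        "(check remote routing, remote crypto ACL, NAT exemption)")
        elif rx > 0:
            verdicts[key] = ("rx-only", f"+{rx} decrypted, nothing encrypted: our replies are not "
                                        "entering the tunnel (check local routing and crypto ACL)")
        else:
            verdicts[key] = ("idle", "counters flat: nothing matched the crypto ACL "
                                     "(check routing and the ping source address)")
    return verdicts


if __name__ == "__main__":
    for (local, remote), (code, why) in diagnose(parse_ipsec_sa(SNAPSHOT_BEFORE),
                                                  parse_ipsec_sa(SNAPSHOT_AFTER)).items():
        print(f"{local} -> {remote}: {code}: {why}")
```

Two practitioner notes: a plain "ping 10.10.0.1" from the router is sourced from the egress (outside) interface, so it never matches the crypto ACL and the verdict is "idle" even on a healthy tunnel; always ping with "source" set to a LAN address. And "tx-only" is the pattern to look for when a tunnel shows QM_IDLE yet no traffic gets through: the packets leave encrypted, so the problem is on the far side (its routing, its crypto ACL or NAT), not in Phase 1.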

Post by Guest »

Hello, that is great news regarding the tunnel state. I can ping the LAN computers from the router side only. If I try to ping the PIX LAN interface I do not receive replies. Also, I have now noticed this issue: after an idle period this happens:

    Interface: FastEthernet0/0
    Session status: DOWN-NEGOTIATING
    Peer: A.A.A.A port 500
      IKE SA: local B.B.B.B/500 remote A.A.A.A/500 Inactive
      IPSEC FLOW: permit ip 192.168.2.0/255.255.255.0 10.10.0.0/255.255.255.0
            Active SAs: 0, origin: crypto map

    Interface: FastEthernet0/0
    Session status: DOWN
    Peer: A.A.A.A port 500
      IPSEC FLOW: permit ip 192.168.2.0/255.255.255.0 10.10.0.0/255.255.255.0
            Active SAs: 0, origin: crypto map

Reviewing the LAN connection, this is what I get when I ping the remote PIX LAN interface from the router:

    router#ping
    Protocol [ip]:
    Target IP address: 10.10.0.1
    Repeat count [5]: 5000
    Datagram size [100]:
    Timeout in seconds [2]:
    Extended commands [n]: y
    Source address or interface: 192.168.2.10
    Type of service [0]:
    Set DF bit in IP header? [no]:
    Validate reply data? [no]:
    Data pattern [0xABCD]:
    Loose, Strict, Record, Timestamp, Verbose[none]:
    Sweep range of sizes [n]:
    Type escape sequence to abort.
    Sending 5000, 100-byte ICMP Echos to 10.10.0.1, timeout is 2 seconds:
    Packet sent with a source address of 192.168.2.10
    ......................................................................

These messages look very interesting, and the VPN tunnel is still down:

    Can decrement IKE Call Admission Control stat outgoing negotiating since its already 0.
    deleting SA reason "No reason" state (I) MM_NO_STATE
    ISAKMP:(1021):peer does not do paranoid keepalives.

I cannot ping computers from the PIX side for some reason. Perhaps I need an ACL? Any ideas?

Cheers,
Harold

Post by Guest »

To ping the PIX interface, you would need to add the following on the PIX:

    management-access inside

Please share the full config from both sides.

Post by Guest »

Hello halijenn,

First of all, my apologies for the late response; I had to take unplanned vacations but now I am back in business. Thank you for your reply to my previous message. Regarding your request, attached are the configuration files for the router and the PIX (for this file I have trimmed information since it is very long). Today I added an additional VPN tunnel (thanks to your comments and assistance) since I was experiencing routing problems with the first tunnel, and I still have the same problem with the second one. Below are the ping results from the PIX and router.

PIX PING to the ROUTER internal interface:

    pix# ping
    Interface: dmz
    Target IP address: 192.168.2.10
    Repeat count: [5] 100
    Datagram size: [100]
    Timeout in seconds: [2]
    Extended commands [n]:
    Sweep range of sizes [n]:
    Type escape sequence to abort.
    Sending 100, 100-byte ICMP Echos to 192.168.2.10, timeout is 2 seconds:
    ????????????????????????????????????????????????????????????????????????????????????????????????????
    Success rate is 0 percent (0/100)

ROUTER PING to a machine with the route manually configured (route add 192.168.2.0 mask 255.255.255.0 10.10.0.10):

    router#ping 10.10.0.10 source 192.168.2.10 repeat 10
    Type escape sequence to abort.
    Sending 10, 100-byte ICMP Echos to 10.10.0.10, timeout is 2 seconds:
    Packet sent with a source address of 192.168.2.10
    !!!!!!!!!!
    Success rate is 100 percent (10/10), round-trip min/avg/max = 68/72/84 ms

But when I try to add the route to the remote PIX network on the router, this happens:

    router#ping 10.10.0.10
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.10.0.10, timeout is 2 seconds:
    .....
    Success rate is 0 percent (0/5)
    router#conf t
    Enter configuration commands, one per line.  End with CNTL/Z.
    router(config)#ip route 10.10.0.0 255.255.255.0 10.10.0.1
    router(config)#do sh ip route
    Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
           ia - IS-IS inter area, * - candidate default, U - per-user static route
           o - ODR, P - periodic downloaded static route

    Gateway of last resort is B.B.B.86 to network 0.0.0.0

         B.B.0.0/29 is subnetted, 1 subnets
    C       B.B.B.80 is directly connected, FastEthernet0/0
         192.168.2.0/25 is subnetted, 1 subnets
    C       192.168.2.0 is directly connected, FastEthernet0/1
    S*   0.0.0.0/0 [1/0] via B.B.B.86
    router(config)#

For some reason, the router is not accepting the manual routes for this network. Any ideas?

Now on the PIX side, I am able to add the route to the VPN remote network, but I cannot ping the network from the PIX; please read below:

    sh route
    Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
           i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
           * - candidate default, U - per-user static route, o - ODR
           P - periodic downloaded static route

    Gateway of last resort is A.A.A.158 to network 0.0.0.0

    C    A.A.A.128 255.255.255.224 is directly connected, outside
    S    172.20.26.0 255.255.255.0 [1/0] via 172.20.0.2, inside
    S    172.20.27.0 255.255.255.0 [1/0] via 172.20.0.2, inside
    S    172.20.28.0 255.255.255.0 [1/0] via 172.20.0.2, inside
    S    172.20.29.0 255.255.255.0 [1/0] via 172.20.0.2, inside
    S    172.20.31.0 255.255.255.0 [1/0] via 172.20.0.2, inside
    S    172.20.0.0 255.255.0.0 [1/0] via 172.20.0.2, inside
    C    172.20.0.0 255.255.255.252 is directly connected, inside
    C    10.10.0.0 255.255.255.0 is directly connected, dmz
    S    10.10.10.0 255.255.255.0 [1/0] via 172.20.0.2, inside
    S    192.168.1.0 255.255.255.0 [1/0] via 172.20.0.2, inside
    S    192.168.2.0 255.255.255.0 [1/0] via 192.168.2.10, dmz
    S*   0.0.0.0 0.0.0.0 [1/0] via A.A.A.158, outside
    pix(config)# ping 192.168.2.10
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.2.10, timeout is 2 seconds:
    ???
    Success rate is 0 percent (0/3)
    pix(config)# ping dmz 192.168.2.10
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.2.10, timeout is 2 seconds:
    ?????
    Success rate is 0 percent (0/5)

I have run out of ideas to make it work! Please help.

Cheers,
Harold

Post by Guest »

You should remove the following route from the router:

    no ip route 10.10.0.0 255.255.255.0 10.10.0.1

Also add the following if you would like to ping the dmz interface of the PIX:

    management-access dmz

After removing the route, you should be able to ping:

    From PIX:    ping dmz 192.168.2.10
    From router: ping 10.10.0.1 source 192.168.2.10

The above two ping tests should be successful. If they are successful, you should be able to access the router 192.168.2.0/24 LAN from the PIX dmz LAN 10.10.0.0/24 and vice versa.
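Two things in this thread are worth turning into a repeatable check. The static route the router refused to install, "ip route 10.10.0.0 255.255.255.0 10.10.0.1", has its next hop inside its own destination prefix, so it can only resolve through itself; for a crypto-map tunnel no such route is needed, because the default route carries the packet to the outside interface where the crypto ACL picks it up. The second check goes beyond what the thread shows: the most common cause of "Phase 1 up, no traffic" is crypto ACLs that are not exact mirror images on the two peers, so the script also compares an IOS wildcard-style ACL with a PIX netmask-style ACL. This is an added example, not code from the thread or from Cisco; the connected networks (203.0.113.80/29 stands in for the masked B.B.B.80/29 uplink) and the PIX's second ACL line are constructed for the example.

```python
from ipaddress import IPv4Address, IPv4Network

# Constructed inputs for this example. 203.0.113.80/29 stands in for the router's
# masked B.B.B.80/29 uplink; the PIX's second permit line is invented to show a
# selector with no mirror on the router side.
ROUTER_CONNECTED = ["192.168.2.0/24", "203.0.113.80/29"]
ROUTER_CRYPTO_ACL = """\
permit ip 192.168.2.0 0.0.0.255 10.10.0.0 0.0.0.255
"""
PIX_CRYPTO_ACL = """\
permit ip 10.10.0.0 255.255.255.0 192.168.2.0 255.255.255.0
permit ip 172.20.0.0 255.255.0.0 192.168.2.0 255.255.255.0
"""


def check_static_route(dest: str, mask: str, next_hop: str, connected: list[str]) -> str:
    """Classify a candidate 'ip route <dest> <mask> <next_hop>' before typing it.

    The first word of the result is the verdict: reject, ok or warn.
    """
    net = IPv4Network(f"{dest}/{mask}", strict=False)
    nh = IPv4Address(next_hop)
    if nh in net:
        # Recursive lookup of the next hop would land on this very route, so IOS
        # cannot install it: this is the route the thread tried to add.
        return "reject: next hop lies inside the destination prefix and can only resolve via itself"
    for c in connected:
        if nh in IPv4Network(c):
            return "ok: next hop is on a directly connected network"
    return ("warn: next hop is not on a connected network and would resolve recursively; "
            "for a crypto-map tunnel leave the route out and let the default route carry it")


def _network(addr: str, mask: str, wildcard: bool) -> IPv4Network:
    """Build a network from an ACL address/mask pair.

    IOS ACLs use wildcard masks (0.0.0.255); PIX ACLs use netmasks (255.255.255.0).
    The wildcard is inverted explicitly so that 'host' entries (wildcard 0.0.0.0)
    become /32 rather than being mis-read as a /0 netmask.
    """
    if wildcard:
        mask = str(IPv4Address(int(IPv4Address(mask)) ^ 0xFFFFFFFF))
    return IPv4Network((addr, mask), strict=False)


def parse_crypto_acl(text: str, wildcard: bool) -> set[tuple[IPv4Network, IPv4Network]]:
    """Return the (source, destination) pairs of every 'permit ip' line."""
    flows = set()
    for line in text.splitlines():
        p = line.split()
        if len(p) >= 6 and p[0] == "permit" and p[1] == "ip":
            flows.add((_network(p[2], p[3], wildcard), _network(p[4], p[5], wildcard)))
    return flows


def mirror_mismatches(local_acl: str, local_wildcard: bool,
                      remote_acl: str, remote_wildcard: bool) -> dict[str, list[str]]:
    """List selectors that lack an exact mirror on the other peer.

    'missing_on_local' entries are written as the local peer would need them,
    'missing_on_remote' as the remote peer would need them.
    """
    local = parse_crypto_acl(local_acl, local_wildcard)
    remote = parse_crypto_acl(remote_acl, remote_wildcard)

    def flip(flows):
        return {(d, s) for s, d in flows}

    def fmt(flows):
        return sorted(f"{s} -> {d}" for s, d in flows)

    return {"missing_on_local": fmt(flip(remote) - local),
            "missing_on_remote": fmt(flip(local) - remote)}


if __name__ == "__main__":
    print(check_static_route("10.10.0.0", "255.255.255.0", "10.10.0.1", ROUTER_CONNECTED))
    print(mirror_mismatches(ROUTER_CRYPTO_ACL, True, PIX_CRYPTO_ACL, False))
```

With the constructed inputs the route check returns the "reject" verdict for the thread's route, and the ACL comparison reports that the router has no "192.168.2.0/24 -> 172.20.0.0/16" entry matching the PIX's second line; on real peers such a one-sided selector yields exactly the one-direction or idle counter pattern that "show crypto ipsec sa" exposes.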