VPN issues

Hey guys, don't have any experience with PIX and VPNs but was interested in this issue. VPN from company to another company. Can connect to some of the addresses in the object-group TEST_LA below but not to others. The addresses in the object-group below are actually in different offices around the country.

I was hoping it was an issue on our end but considering the config relates to what's in the TEST_LA object-group, and we can connect to some of them, I'm thinking it's an issue at the remote sites.

Anyone any ideas?


Some of the config on the PIX (Some status messages at the bottom)

name 100.100.100.100 TEST_LA_VPN
name 200.200.200.200 COMPANY
name 172.16.2.2 server

object-group network TEST_LA
network-object 10.1.1.1 255.255.255.255
network-object 10.2.2.2 255.255.255.255
network-object 10.3.3.3 255.255.255.255
network-object 10.4.4.4 255.255.255.255
network-object 10.5.5.5 255.255.255.255
network-object 10.6.6.6 255.255.255.255
network-object 10.7.7.7 255.255.255.255

access-list TEST_LA_ACL permit ip host server object-group TEST_LA
access-list TEST_LA_ACL permit ip host 10.50.50.50 object-group TEST_LA
access-list TEST_NAT1 permit ip host server object-group TEST_LA

static (dmz-mgmt,outside) 10.50.50.50 access-list TEST_NAT1 0 0

crypto map s2s 34 match address TEST_LA_ACL
crypto map s2s 34 set peer TEST_LA_VPN
crypto map s2s 34 set transform-set s2strans
crypto map s2s 34 set security-association lifetime seconds 28800 kilobytes 1000000

isakmp key ************* address TEST_LA_VPN netmask 255.255.255.255 no-xauth no-config-mode


When connecting to a site that works and then disconnecting:

Feb 4 23:12:30 pix-fw Feb 04 2010 23:12:30: %PIX-6-302013: Built outbound TCP connection 10794522 for outside:10.1.1.1/3389 (10.1.1.1/3389) to dmz-mgmt:172.16.2.2/58147 (10.50.50.50/58147) <-- ***DIFFERENT TO BELOW***
Feb 4 23:12:50 pix-fw Feb 04 2010 23:12:50: %PIX-6-302014: Teardown TCP connection 10794522 for outside:10.1.1.1/3389 to dmz-mgmt:172.16.2.2/58147 duration 0:00:19 bytes 33099 TCP Reset-O


When connecting to a site that doesn't work:

Feb 4 23:05:32 pix-fw Feb 04 2010 23:05:32: %PIX-6-302013: Built outbound TCP connection 10793626 for outside:10.2.2.2/3389 (10.2.2.2/3389) to dmz-mgmt:172.16.2.2/58087 (172.16.2.2/58087) <-- ***DIFFERENT TO ABOVE***
Feb 4 23:05:32 pix-fw Feb 04 2010 23:05:32: %PIX-7-702303: sa_request, (key eng. msg.) src= COMPANY, dest= TEST_LA_VPN, src_proxy= server/255.255.255.255/0/0 (type=1), dest_proxy= 10.2.2.2/255.255.255.255/0/0 (type=1), protocol= ESP, transform= esp-3des esp-sha-hmac , lifedur= 28800s and 1000000kb, spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4004
Feb 4 23:06:02 pix-fw Feb 04 2010 23:06:02: %PIX-7-702303: sa_request, (key eng. msg.) src= COMPANY, dest= TEST_LA_VPN, src_proxy= server/255.255.255.255/0/0 (type=1), dest_proxy= 10.2.2.2/255.255.255.255/0/0 (type=1), protocol= ESP, transform= esp-3des esp-sha-hmac , lifedur= 28800s and 1000000kb, spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4004
Feb 4 23:07:05 pix-fw Feb 04 2010 23:07:05: %PIX-7-702303: sa_request, (key eng. msg.) src= COMPANY, dest= TEST_LA_VPN, src_proxy= server/255.255.255.255/0/0 (type=1), dest_proxy= 10.50.0.3/255.255.255.255/0/0 (type=1), protocol= ESP, transform= esp-3des esp-sha-hmac , lifedur= 28800s and 1000000kb, spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4004
Feb 4 23:07:34 pix-fw Feb 04 2010 23:07:34: %PIX-6-302014: Teardown TCP connection 10793626 for outside:10.2.2.2/3389 to dmz-mgmt:172.16.2.2/58087 duration 0:02:01 bytes 0 SYN Timeout


According to System Log Messages,

Error Message %PIX-7-702303: sa_request...
Explanation IPSec has requested IKE for new SAs.
Recommended Action Debugging message.


Cheers for any pointers.
"There are 3 types of people in this world, those who can count and those who can't"
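An added diagnostic script, not part of the original post and not Cisco tooling: it parses the three PIX message types quoted above (302013 build, 302014 teardown, 702303 sa_request), correlates them per connection, and flags flows whose source was left untranslated and whose sa_request entries never received an SPI before the SYN timeout. The sample log and the name table are constructed from the post's own lines; the verdict strings are my own labels.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the PIX syslog lines quoted in the post (not a live capture).
SAMPLE_LOG = """\
Feb 4 23:12:30 pix-fw %PIX-6-302013: Built outbound TCP connection 10794522 for outside:10.1.1.1/3389 (10.1.1.1/3389) to dmz-mgmt:172.16.2.2/58147 (10.50.50.50/58147)
Feb 4 23:12:50 pix-fw %PIX-6-302014: Teardown TCP connection 10794522 for outside:10.1.1.1/3389 to dmz-mgmt:172.16.2.2/58147 duration 0:00:19 bytes 33099 TCP Reset-O
Feb 4 23:05:32 pix-fw %PIX-6-302013: Built outbound TCP connection 10793626 for outside:10.2.2.2/3389 (10.2.2.2/3389) to dmz-mgmt:172.16.2.2/58087 (172.16.2.2/58087)
Feb 4 23:05:32 pix-fw %PIX-7-702303: sa_request, (key eng. msg.) src= COMPANY, dest= TEST_LA_VPN, src_proxy= server/255.255.255.255/0/0 (type=1), dest_proxy= 10.2.2.2/255.255.255.255/0/0 (type=1), protocol= ESP, transform= esp-3des esp-sha-hmac , lifedur= 28800s and 1000000kb, spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4004
Feb 4 23:06:02 pix-fw %PIX-7-702303: sa_request, (key eng. msg.) src= COMPANY, dest= TEST_LA_VPN, src_proxy= server/255.255.255.255/0/0 (type=1), dest_proxy= 10.2.2.2/255.255.255.255/0/0 (type=1), protocol= ESP, transform= esp-3des esp-sha-hmac , lifedur= 28800s and 1000000kb, spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4004
Feb 4 23:07:05 pix-fw %PIX-7-702303: sa_request, (key eng. msg.) src= COMPANY, dest= TEST_LA_VPN, src_proxy= server/255.255.255.255/0/0 (type=1), dest_proxy= 10.50.0.3/255.255.255.255/0/0 (type=1), protocol= ESP, transform= esp-3des esp-sha-hmac , lifedur= 28800s and 1000000kb, spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4004
Feb 4 23:07:34 pix-fw %PIX-6-302014: Teardown TCP connection 10793626 for outside:10.2.2.2/3389 to dmz-mgmt:172.16.2.2/58087 duration 0:02:01 bytes 0 SYN Timeout
"""
# "name" statements from the post, used to resolve the proxy identities in sa_request lines.
NAMES = {"server": "172.16.2.2", "COMPANY": "200.200.200.200", "TEST_LA_VPN": "100.100.100.100"}

BUILT = re.compile(r"%PIX-6-302013: Built outbound TCP connection (\d+) for \S+:([\d.]+)/\d+ \([^)]*\) to \S+:([\d.]+)/\d+ \(([\d.]+)/\d+\)")
TEARDOWN = re.compile(r"%PIX-6-302014: Teardown TCP connection (\d+) for .* bytes (\d+) (.+)$")
SA_REQ = re.compile(r"%PIX-7-702303: sa_request,.*src_proxy= ([^/\s]+)/.*dest_proxy= ([^/\s]+)/.*spi= (\S+),")

def analyse(log_text, names=NAMES):
    flows = {}                    # connection id -> facts about that TCP flow
    sa_reqs = defaultdict(list)   # destination proxy host -> [(source proxy, spi), ...]
    for line in log_text.splitlines():
        if m := BUILT.search(line):
            conn, dst, src_real, src_mapped = m.groups()
            flows[conn] = {"dst": dst, "src_real": src_real, "src_mapped": src_mapped,
                           "nat_applied": src_mapped != src_real, "bytes": None, "reason": None}
        elif m := TEARDOWN.search(line):
            conn, nbytes, reason = m.groups()
            if conn in flows:
                flows[conn].update(bytes=int(nbytes), reason=reason.strip())
        elif m := SA_REQ.search(line):
            src_proxy, dst_proxy, spi = m.groups()
            sa_reqs[names.get(dst_proxy, dst_proxy)].append((names.get(src_proxy, src_proxy), spi))
    for f in flows.values():
        reqs = sa_reqs.get(f["dst"], [])
        f["sa_retries"] = len(reqs)                      # sa_request lines for this destination
        f["proxy_src"] = reqs[0][0] if reqs else None    # identity offered to the peer as the source
        # spi 0x0 on every request plus a zero-byte SYN timeout: IKE never handed back a phase-2 SA.
        if reqs and all(spi.startswith("0x0") for _, spi in reqs) and f["reason"] == "SYN Timeout":
            f["verdict"] = "phase-2 SA never came up"
        elif f["bytes"]:
            f["verdict"] = "traffic flowed"
        else:
            f["verdict"] = "inconclusive"
    return flows

if __name__ == "__main__":
    for conn, f in analyse(SAMPLE_LOG).items():
        print(conn, f["dst"], "nat_applied=%s" % f["nat_applied"], "proxy_src=%s" % f["proxy_src"], f["verdict"])
```

Run it over a real syslog export to see, per destination, whether the source reached the crypto map translated or untranslated and whether any sa_request ever completed.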

Comments

  • ConstantlyLearning Member Posts: 445
    In the status messages, it looks like it's trying to create the IPsec SA; I'm assuming this because it's sending its transform set, which it does in phase 2. So phase 1 was completed.

    If the transform sets were different on both ends I'm sure there would be error messages in relation to that, which there aren't...

    Looks like phase 1 gets completed, phase fails because it tried to create the SA but just gets no reply?
    "There are 3 types of people in this world, those who can count and those who can't"