SONICFAIL and Cisco PIX vpn troubles
Bl8ckr0uter
Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
in Off-Topic
Ok so I have a problem.
I am replacing a PIX 506e at one of our remote sites with a Sonicwall TZ210. Configuring it wasn't that difficult but now I am having a very interesting issue. I have a site to site VPN tunnel to a PIX 515 that is at our corporate office. The VPN tunnel turns up (as in I can actually see the tunnel show up on Sonicwall side and the Cisco side) but no traffic will pass. I called Sonicwall support whose only answer is "it is on the Cisco side". I explained to them that plugging the PIX 506e works fine. Has anyone seen any issues like this?
Comments
-
QHalo Member Posts: 1,488
I quickly found this. I'm guessing you've looked it over or maybe you haven't. Either way I hope it helps.
VPN Between Sonicwall Products and Cisco Security Appliance Configuration Example - Cisco Systems
-
it_consultant Member Posts: 1,903
I have not seen this with a sonicwall but I have seen this with WG and Cisco VPNs. WG has a whole tech article on how to make VPNs between those two devices work correctly.
I had a problem with a Cisco and a Checkpoint, turned out the techs on the other side (China) had problems understanding English and were just trying out different things until they got the tunnel up. Guess I can't blame that on the manufacturer.
-
Bl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
I quickly found this. I'm guessing you've looked it over or maybe you haven't. Either way I hope it helps.
VPN Between Sonicwall Products and Cisco Security Appliance Configuration Example - Cisco Systems
That was the document I was following. It seems pretty straightforward.
-
Bl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
did you try calling cisco?
The thing is everything works on the cisco side (if I plug in the old pix it works fine). Plus no TAC on the PIX
-
phoeneous Member Posts: 2,333 ■■■■■■■□□□
Step 1:
Technically and logically this would be useless since it's just a display.
-
phoeneous Member Posts: 2,333 ■■■■■■■□□□
Bl8ckr0uter wrote: » ***bump***
Can you monitor traffic to see where it is being dropped? For example, I just created a static nat for a voip box but can't hit the web interface from outside...
021075: *Sep 22 20:12:41.273 Pacific: %FW-6-DROP_PKT: Dropping tcp session X.X.X.X:49262 X.X.X.X:80 on zone-pair outin class class-default due to DROP action found in policy-map with ip ident 0
021076: *Sep 22 20:13:23.061 Pacific: %FW-6-LOG_SUMMARY: 3 packets were dropped from X.X.X.X:49262 => X.X.X.X:80 (target:class)-(outin:class-default)
021077: *Sep 22 20:13:33.093 Pacific: %FW-6-DROP_PKT: Dropping tcp session X.X.X.X:49265 X.X.X.X:80 on zone-pair outin class class-default due to DROP action found in policy-map with ip ident 0
021078: *Sep 22 20:14:23.061 Pacific: %FW-6-LOG_SUMMARY: 3 packets were dropped from X.X.X.X:49265 => X.X.X.X:80 (target:class)-(outin:class-default)
021079: *Sep 22 20:14:24.237 Pacific: %FW-6-DROP_PKT: Dropping tcp session X.X.X.X:80 X.X.X.X:49288 on zone-pair outin class Inbound due to Invalid Segment with ip ident 0
021080: *Sep 22 20:15:25.933 Pacific: %FW-6-DROP_PKT: Dropping udp session X.X.X.X:3793 X.X.X.X:1434 on zone-pair outin class class-default due to DROP action found in policy-map with ip ident 0
-
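The log lines in the post above use the Cisco IOS `%FW-6-DROP_PKT` message format. As an added example (not part of the original thread), the script below groups such lines by zone-pair, class and drop reason so the policy doing the dropping stands out. The sample log is constructed with documentation addresses in place of the redacted ones, and the function names are this example's own.

```python
import re
from collections import Counter

# Field layout taken from the %FW-6-DROP_PKT lines quoted in the post above.
DROP_RE = re.compile(
    r"%FW-6-DROP_PKT: Dropping (?P<proto>\S+) session "
    r"(?P<src>\S+):(?P<sport>\d+) (?P<dst>\S+):(?P<dport>\d+) "
    r"on zone-pair (?P<zone_pair>\S+) class (?P<cls>\S+) "
    r"due to\s+(?P<reason>.+?) with ip ident \d+"
)

# Constructed sample input (RFC 5737 documentation addresses), modelled on the post.
SAMPLE_LOG = """\
021075: *Sep 22 20:12:41.273 Pacific: %FW-6-DROP_PKT: Dropping tcp session 198.51.100.7:49262 192.0.2.10:80 on zone-pair outin class class-default due to DROP action found in policy-map with ip ident 0
021076: *Sep 22 20:13:23.061 Pacific: %FW-6-LOG_SUMMARY: 3 packets were dropped from 198.51.100.7:49262 => 192.0.2.10:80 (target:class)-(outin:class-default)
021077: *Sep 22 20:13:33.093 Pacific: %FW-6-DROP_PKT: Dropping tcp session 198.51.100.7:49265 192.0.2.10:80 on zone-pair outin class class-default due to DROP action found in policy-map with ip ident 0
021079: *Sep 22 20:14:24.237 Pacific: %FW-6-DROP_PKT: Dropping tcp session 192.0.2.10:80 198.51.100.7:49288 on zone-pair outin class Inbound due to Invalid Segment with ip ident 0
021080: *Sep 22 20:15:25.933 Pacific: %FW-6-DROP_PKT: Dropping udp session 198.51.100.9:3793 192.0.2.10:1434 on zone-pair outin class class-default due to DROP action found in policy-map with ip ident 0
"""


def parse_drops(text):
    """Return one dict per DROP_PKT line; other messages (LOG_SUMMARY etc.) are skipped."""
    return [m.groupdict() for m in map(DROP_RE.search, text.splitlines()) if m]


def summarize(drops):
    """Count drops per (zone-pair, class, reason)."""
    return Counter((d["zone_pair"], d["cls"], d["reason"]) for d in drops)


def unmatched_flows(drops):
    """Distinct flows that fell through to class-default, i.e. matched no explicit class."""
    return sorted({(d["proto"], d["dst"], int(d["dport"]))
                   for d in drops if d["cls"] == "class-default"})


if __name__ == "__main__":
    drops = parse_drops(SAMPLE_LOG)
    for (zone_pair, cls, reason), count in summarize(drops).most_common():
        print(f"{count:3d}  {zone_pair}  {cls}  {reason}")
    print("no explicit class for:", unmatched_flows(drops))
```

Drops under `class-default` point at traffic no explicit class permits, while a drop inside a named class (here `Inbound`, with `Invalid Segment`) means the class matched and inspection rejected the packet.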
[Deleted User] Senior Member Posts: 0 ■■■■□□□□□□
Technically and logically this would be useless since it's just a display.
Haha you get the idea. I just understand his frustration, I've been there unfortunately not with something like this
-
L0gicB0mb508 Member Posts: 538
yeah...I think we had a discussion about Sonicwalls didn't we?
I bring nothing useful to the table...