Re: IPsec VPN

From: Ali El Moussaoui <mousawi.ali_at_gmail.com>
Date: Fri, 19 Jun 2009 10:27:04 +0300

Thanks for the comments. I am responsible for the PIX side. I don't know why
10 and 5 do exist; I will check with the other admin and try to wipe them if
possible.

Regards,
Ali

On Fri, Jun 19, 2009 at 10:12 AM, Alexei Monastyrnyi <alexeim73_at_gmail.com> wrote:

> Hi Ali.
>
> A quick observation would be to look out for "crypto map interfacemap 10
> ipsec-isakmp dynamic dynmap" on your ASA unit. Make sure you know what it is
> and its dynamic part is configured correctly. Your VPN tunnel originating
> from PIX might land on that crypto map and consequently fail if that
> crypto map is not for that tunnel/traffic.
>
> You also have "crypto map interfacemap 5" which is either incomplete or you
> haven't posted the whole one. If it is incomplete in your config, you'd
> better wipe it off.
>
> HTH,
> A.
>
> Ali El Moussaoui wrote:
>
>> ASA:
>> access-list vpnbey extended permit ip 192.168.100.0 255.255.255.0 192.168.40.0 255.255.248.0
>> access-list vpnbey extended permit ip 192.168.3.0 255.255.255.0 192.168.40.0 255.255.248.0
>> crypto ipsec transform-set dxbbey esp-des esp-none
>> crypto map interfacemap 5 set security-association lifetime seconds 28800
>> crypto map interfacemap 5 set security-association lifetime kilobytes 4608000
>> crypto map interfacemap 10 ipsec-isakmp dynamic dynmap
>> crypto map interfacemap 20 match address vpnbey
>> crypto map interfacemap 20 set peer 1.1.1.1
>> crypto map interfacemap 20 set transform-set dxbbey
>> crypto map interfacemap 20 set security-association lifetime seconds 28800
>> crypto map interfacemap 20 set security-association lifetime kilobytes 4608000
>> crypto map interfacemap interface outside
>> crypto isakmp enable outside
>> crypto isakmp policy 10
>> authentication pre-share
>> encryption 3des
>> hash sha
>> group 2
>> lifetime 86400
>> crypto isakmp policy 20
>> authentication pre-share
>> encryption des
>> hash sha
>> group 5
>> lifetime 86400
>>
>> PIX:
>> Show run | i crypto
>> crypto ipsec transform-set DXBBEY esp-des esp-none
>> crypto map OUTSIDE_MAP 20 match address VPNDXB
>> crypto map OUTSIDE_MAP 20 set peer 2.2.2.2
>> crypto map OUTSIDE_MAP 20 set transform-set DXBBEY
>> crypto map OUTSIDE_MAP interface OUTSIDEINT
>>
>> access-list VPNDXB extended permit ip 192.168.40.0 255.255.248.0 192.168.100.0 255.255.255.0
>> access-list VPNDXB extended permit ip 192.168.40.0 255.255.248.0 192.168.3.0 255.255.255.0
>>
>>
>> Note that I changed the peers' IPs ;)
>>
>> Ali
>> On Thu, Jun 18, 2009 at 3:10 PM, Ryan West <rwest_at_zyedge.com> wrote:
>>
>>> Without seeing the relevant information that Phase 2 must match on
>>> (interesting traffic and transform sets), it is hard to tell. Please
>>> post the following:
>>>
>>> If you're running post 6.3(5), you can run the ASA commands on the PIX.
>>>
>>> ASA:
>>> Show run crypto
>>> Show run access-list <insert interesting traffic ACLs>
>>>
>>> PIX:
>>> Show run | i crypto
>>> Show run | i access-list <insert interesting traffic ACLs>
>>>
>>> -ryan
>>>
>>> -----Original Message-----
>>> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
>>> Ali El Moussaoui
>>> Sent: Thursday, June 18, 2009 4:47 AM
>>> To: ccielab_at_groupstudy.com
>>> Subject: IPsec VPN
>>>
>>> Hello Experts,
>>>
>>> I am building an IPsec tunnel between 2 remote sites (ASA and PIX). The
>>> tunnel is coming up only when the ASA initiates the communication. When
>>> the PIX initiates the tunnel negotiation the following error shows up:
>>>
>>> Group = x.x.x.x, IP = x.x.x.x, Removing peer from correlator table
>>> failed,
>>> no match!
>>> Group = x.x.x.x, IP = x.x.x.x, Connection terminated for peer x.x.x.x.
>>> Reason: Peer Terminate Remote Proxy N/A, Local Proxy N/A
>>> Group = x.x.x.x, IP = x.x.x.x, Received non-routine Notify message: No
>>> proposal chosen (14)
>>> Group = x.x.x.x, IP = x.x.x.x, PHASE 1 COMPLETED
>>>
>>> Any clue about what could cause the above?
>>>
>>> Ali
>>>
>>>
>>> Blogs and organic groups at http://www.ccie.net
>>>
>>> _______________________________________________________________________
>>> Subscription information may be found at:
>>> http://www.groupstudy.com/list/CCIELab.html
>>>
>>>
>>
>>

Received on Fri Jun 19 2009 - 10:27:04 ART
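The checks Ryan and Alexei describe (do the interesting-traffic ACLs mirror each other, do both transform sets carry the same proposal, and are there crypto map entries that are incomplete or dynamic entries sorted ahead of the static one) can be scripted against the posted `show run` excerpts. The following is an added example, not code from the thread or from Cisco: it re-joins the wrapped lines from the two posted configs as constructed sample input, parses them with simple regexes, and reports exactly those conditions. The ordering warning assumes Cisco's general guidance that dynamic crypto map entries carry the highest sequence number (lowest priority); the function and variable names are the example's own.

```python
"""Lint crypto-map and interesting-traffic ACL lines from two Cisco 'show run'
excerpts and report the mismatches that typically produce a Phase 2
'No proposal chosen' failure when one side initiates."""
import re

# Constructed sample input: the ASA and PIX excerpts from the thread, with the
# wrapped lines re-joined. Peer IPs are the poster's placeholders.
ASA_RUN = """\
access-list vpnbey extended permit ip 192.168.100.0 255.255.255.0 192.168.40.0 255.255.248.0
access-list vpnbey extended permit ip 192.168.3.0 255.255.255.0 192.168.40.0 255.255.248.0
crypto ipsec transform-set dxbbey esp-des esp-none
crypto map interfacemap 5 set security-association lifetime seconds 28800
crypto map interfacemap 5 set security-association lifetime kilobytes 4608000
crypto map interfacemap 10 ipsec-isakmp dynamic dynmap
crypto map interfacemap 20 match address vpnbey
crypto map interfacemap 20 set peer 1.1.1.1
crypto map interfacemap 20 set transform-set dxbbey
crypto map interfacemap 20 set security-association lifetime seconds 28800
crypto map interfacemap 20 set security-association lifetime kilobytes 4608000
crypto map interfacemap interface outside
"""

PIX_RUN = """\
crypto ipsec transform-set DXBBEY esp-des esp-none
crypto map OUTSIDE_MAP 20 match address VPNDXB
crypto map OUTSIDE_MAP 20 set peer 2.2.2.2
crypto map OUTSIDE_MAP 20 set transform-set DXBBEY
crypto map OUTSIDE_MAP interface OUTSIDEINT
access-list VPNDXB extended permit ip 192.168.40.0 255.255.248.0 192.168.100.0 255.255.255.0
access-list VPNDXB extended permit ip 192.168.40.0 255.255.248.0 192.168.3.0 255.255.255.0
"""

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
MAP_RE = re.compile(r"^crypto map (\S+) (\d+) (.*)$")
TS_RE = re.compile(r"^crypto ipsec transform-set (\S+) (.+)$")


def parse_config(text):
    """Return (crypto map entries keyed by seq, ACLs keyed by name, transform sets keyed by name)."""
    maps, acls, tsets = {}, {}, {}
    for line in text.splitlines():
        line = line.strip()
        if m := ACL_RE.match(line):
            name, src, smask, dst, dmask = m.groups()
            acls.setdefault(name.lower(), []).append((src, smask, dst, dmask))
        elif m := TS_RE.match(line):
            tsets[m.group(1).lower()] = tuple(m.group(2).split())
        elif m := MAP_RE.match(line):
            entry = maps.setdefault(int(m.group(2)), {"dynamic": False})
            rest = m.group(3)
            if rest.startswith("ipsec-isakmp dynamic"):
                entry["dynamic"] = True
            elif rest.startswith("match address "):
                entry["acl"] = rest.split()[-1].lower()
            elif rest.startswith("set peer "):
                entry["peer"] = rest.split()[-1]
            elif rest.startswith("set transform-set "):
                entry["tset"] = rest.split()[-1].lower()
    return maps, acls, tsets


def lint_maps(maps):
    """Flag static entries that cannot complete Phase 2 (no ACL, peer or
    transform set) and dynamic entries that sort ahead of a static one."""
    findings = []
    static_seqs = [s for s, e in maps.items() if not e["dynamic"]]
    for seq in sorted(maps):
        e = maps[seq]
        if e["dynamic"]:
            if any(s > seq for s in static_seqs):
                findings.append(f"seq {seq}: dynamic entry ordered before static entries")
            continue
        missing = [k for k in ("acl", "peer", "tset") if k not in e]
        if missing:
            findings.append(f"seq {seq}: incomplete static entry, missing {', '.join(missing)}")
    return findings


def check_mirror(acl_a, acl_b):
    """Return the ACEs of acl_a whose mirror image (src and dst swapped) is absent from acl_b."""
    mirrored = {(dst, dmask, src, smask) for src, smask, dst, dmask in acl_b}
    return [ace for ace in acl_a if ace not in mirrored]


def check_transform(tsets_a, entry_a, tsets_b, entry_b):
    """True when both static entries reference transform sets with identical proposals."""
    return tsets_a.get(entry_a.get("tset")) == tsets_b.get(entry_b.get("tset"))


def audit(side_a_text, side_b_text, seq_a=20, seq_b=20):
    """Run all checks on the two sides' static entries seq_a and seq_b."""
    maps_a, acls_a, ts_a = parse_config(side_a_text)
    maps_b, acls_b, ts_b = parse_config(side_b_text)
    ea, eb = maps_a[seq_a], maps_b[seq_b]
    return {
        "side_a": lint_maps(maps_a),
        "side_b": lint_maps(maps_b),
        "unmirrored": check_mirror(acls_a[ea["acl"]], acls_b[eb["acl"]]),
        "transform_match": check_transform(ts_a, ea, ts_b, eb),
    }


if __name__ == "__main__":
    for key, value in audit(ASA_RUN, PIX_RUN).items():
        print(f"{key}: {value}")
```

Run against the posted excerpts, the ACLs mirror cleanly and the transform sets agree, while the ASA side reports seq 5 as an incomplete static entry and seq 10 as a dynamic entry ordered before the static seq 20, which is the same conclusion reached in the thread.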

This archive was generated by hypermail 2.2.0 : Wed Jul 01 2009 - 20:02:37 ART