Cisco Student VPN exercise problem : gen_unrfrag: fail to generate unreachable, unexpected args

Discussion in 'Cisco' started by robert, Jun 2, 2004.

  1. robert

    robert Guest

    I'm a student at a community taking a class on the Cisco PIX 501
    - ver. 6.03 software

    We have an exercise that creates a VPN tunnel between 2 PIXes
    in the lab : pix11 and pix7

    To test to see if the tunnel is working we attempt to open
    a web browser on a host behind pix11 and browse to a web
    page running on a host behind pix7


    It seems to work. Packets get encrypted - The web page opens
    - EXCEPT - The web page will not open the 2nd time if you
    close and open the browser on the host behind pix11 and
    re-browse the host behind pix7 - the browser just times out
    instead of opening the page as it did the first time.

    If I close and open the web browser and again attempt to
    browse the destination host I also get this following
    message on the console of pix11 :


    gen_unrfrag: fail to generate unreachable, unexpected args


    If I clear the crypto map on the hosts and then put the
    crypto map commands back in to create a new crypto map
    it works again - BUT - Only for the first time again.
    The second time I close/open the browser on the host
    behind pix11 and try to browse the page on the host
    behind pix7 - it times out again.

    The instructor cannot figure it out either. Below are the
    commands I run on both pixes.

    Any help would be appreciated. Thanks, Robert

    - I have included the configuration commands I entered
    for both PIXes below :


    Configuration commands I enter for PIX9:

    interface ethernet0 100full
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    names
    name 10.0.9.11 insidehost
    hostname Pix9
    ip address inside 10.0.9.1 255.255.255.0
    ip address outside 192.168.9.2 255.255.255.0
    nat (inside) 1 10.0.9.0 255.255.255.0 0 0
    route outside 0 0 192.168.9.1 1
    static (inside,outside) 192.168.9.11 10.0.9.11 netmask 255.255.255.255
    access-list ACLIN permit tcp 192.168.11.0 255.255.255.0 host 192.168.9.11 eq www
    access-list ACLIN permit tcp 192.168.11.0 255.255.255.0 host 192.168.9.11 eq ftp
    access-list ACLIN permit icmp any any echo
    access-list ACLIN permit icmp any any echo-reply
    access-list ACLIN permit icmp any any unreachable
    access-list ACLIN deny ip any any
    access-group ACLIN in interface outside
    sysopt connection permit-ipsec
    isakmp enable outside
    isakmp policy 10 authentication pre-share
    isakmp identity address
    isakmp key cisco123 address 192.168.11.2 netmask 255.255.255.255
    access-list 101 permit ip host 192.168.9.11 host 192.168.11.11
    crypto ipsec transform-set pixQ esp-des
    crypto map peerQ 10 ipsec-isakmp
    crypto map peerQ 10 match address 101
    crypto map peerQ 10 set peer 192.168.11.2
    crypto map peerQ 10 set transform-set pixQ
    crypto map peerQ interface outside

    Configuration commands I enter for PIX11:

    interface ethernet0 100full
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    names
    name 10.0.11.11 insidehost
    hostname Pix11
    ip address inside 10.0.11.1 255.255.255.0
    ip address outside 192.168.11.2 255.255.255.0
    nat (inside) 1 10.0.11.0 255.255.255.0 0 0
    route outside 0 0 192.168.11.1 1
    static (inside,outside) 192.168.11.11 10.0.11.11 netmask 255.255.255.255
    access-list ACLIN permit tcp 192.168.9.0 255.255.255.0 host 192.168.11.11 eq www
    access-list ACLIN permit tcp 192.168.9.0 255.255.255.0 host 192.168.11.11 eq ftp
    access-list ACLIN permit icmp any any echo
    access-list ACLIN permit icmp any any echo-reply
    access-list ACLIN permit icmp any any unreachable
    access-list ACLIN deny ip any any
    access-group ACLIN in interface outside
    sysopt connection permit-ipsec
    isakmp enable outside
    isakmp policy 10 authentication pre-share
    isakmp identity address
    isakmp key cisco123 address 192.168.9.2 netmask 255.255.255.255
    access-list 101 permit ip host 192.168.11.11 host 192.168.9.11
    crypto ipsec transform-set pixQ esp-des
    crypto map peerQ 10 ipsec-isakmp
    crypto map peerQ 10 match address 101
    crypto map peerQ 10 set peer 192.168.9.2
    crypto map peerQ 10 set transform-set pixQ
    crypto map peerQ interface outside
    robert, Jun 2, 2004
    #1
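A first thing to rule out when a site-to-site tunnel between two PIXes misbehaves is that the two ends are not exact mirrors of each other: the `set peer` and `isakmp key` addresses must point at the other box's outside address, the pre-shared keys and transform sets must match, and the crypto ACL on one side must be the reverse of the ACL on the other. The script below is an added example written for this thread, not code from the original post or from Cisco; it parses the crypto-relevant lines of the two configurations as posted (embedded here as a constructed sample) and reports any mismatch in either direction. It assumes each side uses a single crypto map entry and that the entries' sequence numbers correspond, which holds for the configs above.

```python
"""Mirror-consistency check for a pair of PIX 6.x site-to-site VPN configs.

Assumption (hypothetical, matches the posted configs): both peers use crypto
map entries whose sequence numbers line up, so seq 10 on one side is compared
with seq 10 on the other.
"""
import re
from typing import List

# Constructed sample input: the crypto-relevant lines of the two posted configs.
PIX9 = """\
hostname Pix9
ip address outside 192.168.9.2 255.255.255.0
isakmp key cisco123 address 192.168.11.2 netmask 255.255.255.255
access-list 101 permit ip host 192.168.9.11 host 192.168.11.11
crypto ipsec transform-set pixQ esp-des
crypto map peerQ 10 ipsec-isakmp
crypto map peerQ 10 match address 101
crypto map peerQ 10 set peer 192.168.11.2
crypto map peerQ 10 set transform-set pixQ
"""

PIX11 = """\
hostname Pix11
ip address outside 192.168.11.2 255.255.255.0
isakmp key cisco123 address 192.168.9.2 netmask 255.255.255.255
access-list 101 permit ip host 192.168.11.11 host 192.168.9.11
crypto ipsec transform-set pixQ esp-des
crypto map peerQ 10 ipsec-isakmp
crypto map peerQ 10 match address 101
crypto map peerQ 10 set peer 192.168.9.2
crypto map peerQ 10 set transform-set pixQ
"""


def parse_pix(text: str) -> dict:
    """Pull the VPN-relevant settings out of a PIX 6.x config listing."""
    cfg = {"hostname": "?", "acl": {}, "transform": {}, "crypto_map": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"hostname (\S+)$", line):
            cfg["hostname"] = m.group(1)
        elif m := re.match(r"ip address outside (\S+)", line):
            cfg["outside"] = m.group(1)
        elif m := re.match(r"isakmp key (\S+) address (\S+)", line):
            cfg["isakmp_key"], cfg["isakmp_peer"] = m.group(1), m.group(2)
        elif m := re.match(r"access-list (\S+) permit ip host (\S+) host (\S+)", line):
            # Crypto ACL entries are kept as (source host, destination host).
            cfg["acl"].setdefault(m.group(1), []).append((m.group(2), m.group(3)))
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
            cfg["transform"][m.group(1)] = tuple(m.group(2).split())
        elif m := re.match(
            r"crypto map \S+ (\d+) (match address|set peer|set transform-set) (\S+)", line
        ):
            cfg["crypto_map"].setdefault(int(m.group(1)), {})[m.group(2)] = m.group(3)
    return cfg


def _one_direction(a: dict, b: dict) -> List[str]:
    """Findings for a's view of the tunnel, checked against what b really is."""
    who = f"{a['hostname']} -> {b['hostname']}"
    out: List[str] = []
    if a.get("isakmp_peer") != b.get("outside"):
        out.append(f"{who}: isakmp key bound to {a.get('isakmp_peer')}, "
                   f"but peer outside address is {b.get('outside')}")
    if a.get("isakmp_key") != b.get("isakmp_key"):
        out.append(f"{who}: isakmp pre-shared keys differ")
    for seq, entry in a["crypto_map"].items():
        peer_entry = b["crypto_map"].get(seq)
        if peer_entry is None:
            out.append(f"{who}: crypto map seq {seq} has no counterpart on peer")
            continue
        if entry.get("set peer") != b.get("outside"):
            out.append(f"{who}: seq {seq} set peer {entry.get('set peer')} "
                       f"!= peer outside address {b.get('outside')}")
        ts_a = a["transform"].get(entry.get("set transform-set"))
        ts_b = b["transform"].get(peer_entry.get("set transform-set"))
        if ts_a != ts_b:
            out.append(f"{who}: seq {seq} transform-set {ts_a} != peer's {ts_b}")
        # The crypto ACL on one side must be the source/destination mirror of the other's.
        acl_a = sorted(a["acl"].get(entry.get("match address"), []))
        mirrored_b = sorted((dst, src)
                            for src, dst in b["acl"].get(peer_entry.get("match address"), []))
        if acl_a != mirrored_b:
            out.append(f"{who}: seq {seq} match address ACL is not the mirror of the peer's")
    return out


def check_tunnel(cfg_a: dict, cfg_b: dict) -> List[str]:
    """Run the mirror check in both directions; an empty list means the two ends agree."""
    return _one_direction(cfg_a, cfg_b) + _one_direction(cfg_b, cfg_a)


if __name__ == "__main__":
    findings = check_tunnel(parse_pix(PIX9), parse_pix(PIX11))
    print("\n".join(findings) or "no mismatches between the two crypto configs")
```

Run against the posted configs the check reports nothing, which tells you the crypto policy itself is symmetric and the fault lies elsewhere (for instance in what each end does with the return traffic once the SA exists). Feeding it a copy of the PIX11 side with the wrong `set peer` or a non-mirrored ACL produces a one-line finding naming the side and the entry, which is quicker than eyeballing two listings on a console.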