ipsec vpn between ASA 5505 and PIX 501

Discussion in 'Cisco' started by H. Steuer, Mar 22, 2008.

  1. H. Steuer

    H. Steuer Guest

    Hi everybody,

    I have an interesting issue when using ipsec between an ASA 5505 and a
    PIX 501.
    The tunnel comes up fine and works well so far. When using debug for
    isakmp/ipsec on the 501, I get the following output:



    ISAKMP (0): processing NOTIFY payload 36136 protocol 1
    spi 0, message ID = 2076513142
    ISAMKP (0): received DPD_R_U_THERE from peer VPN_PEER_ASA
    ISAKMP (0): sending NOTIFY message 36137 protocol 1
    return status is IKMP_NO_ERR_NO_TRANS


    On the ASA, everything looks fine, the DPD_R_U_THERE_ACK is processed well.
    Can one of you help me on that "IKMP_NO_ERR_NO_TRANS" return status?
    There are multiple 501´s connected to that ASA, just this single one
    throws this status.
    All the 501´s are running 6.3(5), the ASA runs 8.0(2)


    I was looking for the possibility to check if the IKE SA is using DPD or
    regular keepalive messages. Unfortunately, "show crypto isakmp sa
    detail" does not show any of those flags at all, not on the ASA nor on
    the 501. I remember that this command was showing that info on PIX 515?


    Thanks a lot for your help!

    Cheers,
    Heri
     
    H. Steuer, Mar 22, 2008
    #1

  2. In article <fs3fid$pli$>,
    H. Steuer <> wrote:

    >I have an interesting issue when using ipsec between an ASA 5505 and a
    >PIX 501.
    >The tunnel comes up fine and works well so far. When using debug for
    >isakmp/ipsec on the 501, I get the following output:


    >
    >ISAKMP (0): processing NOTIFY payload 36136 protocol 1
    > spi 0, message ID = 2076513142
    >ISAMKP (0): received DPD_R_U_THERE from peer VPN_PEER_ASA
    >ISAKMP (0): sending NOTIFY message 36137 protocol 1
    >return status is IKMP_NO_ERR_NO_TRANS


    >On the ASA, everything looks fine, the DPD_R_U_THERE_ACK is processed well.
    >Can one of you help me on that "IKMP_NO_ERR_NO_TRANS" return status?
    >There are multiple 501´s connected to that ASA, just this single one
    >throws this status.


    It appears that that status might be normal. It might perhaps
    have to do with Network Extension Mode (NEM), which keeps the tunnel
    up without keepalives (and so would not need to transmit a keepalive
    hence NO_TRANS)

    http://www.cisco.com/warp/public/110/easyvpn-pix.html
     
    Walter Roberson, Mar 22, 2008
    #2

  3. H. Steuer

    H. Steuer Guest

    Walter,

    thanks a lot for your answer. I am not really familiar with NEM as I
    thought it is only in conjunction with cisco hardware ipsec client mode
    (easyvpn).


    Cheers,
    Heri


    Walter Roberson wrote:
    > In article <fs3fid$pli$>,
    > H. Steuer <> wrote:
    >
    >> I have an interesting issue when using ipsec between an ASA 5505 and a
    >> PIX 501.
    >> The tunnel comes up fine and works well so far. When using debug for
    >> isakmp/ipsec on the 501, I get the following output:

    >
    >> ISAKMP (0): processing NOTIFY payload 36136 protocol 1
    >> spi 0, message ID = 2076513142
    >> ISAMKP (0): received DPD_R_U_THERE from peer VPN_PEER_ASA
    >> ISAKMP (0): sending NOTIFY message 36137 protocol 1
    >> return status is IKMP_NO_ERR_NO_TRANS

    >
    >> On the ASA, everything looks fine, the DPD_R_U_THERE_ACK is processed well.
    >> Can one of you help me on that "IKMP_NO_ERR_NO_TRANS" return status?
    >> There are multiple 501´s connected to that ASA, just this single one
    >> throws this status.

    >
    > It appears that that status might be normal. It might perhaps
    > have to do with Network Extension Mode (NEM), which keeps the tunnel
    > up without keepalives (and so would not need to transmit a keepalive
    > hence NO_TRANS)
    >
    > http://www.cisco.com/warp/public/110/easyvpn-pix.html
     
    H. Steuer, Mar 23, 2008
    #3
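
Added example, not part of any post in this thread: a small Python parser that groups PIX `debug crypto isakmp` lines like those in the first post into DPD exchanges and reports any received R-U-THERE (notify type 36136, RFC 3706) that was not followed by an R-U-THERE-ACK (36137). The second probe in the sample and its message ID are constructed; the script records the return status as logged and assigns it no meaning.

```python
import re

# DPD notify message types defined in RFC 3706.
DPD_TYPES = {36136: "R-U-THERE", 36137: "R-U-THERE-ACK"}

# Sample input: the debug lines from the first post, followed by one
# constructed probe (message ID 1111111111) that gets no reply.
SAMPLE = """\
ISAKMP (0): processing NOTIFY payload 36136 protocol 1
spi 0, message ID = 2076513142
ISAMKP (0): received DPD_R_U_THERE from peer VPN_PEER_ASA
ISAKMP (0): sending NOTIFY message 36137 protocol 1
return status is IKMP_NO_ERR_NO_TRANS
ISAKMP (0): processing NOTIFY payload 36136 protocol 1
spi 0, message ID = 1111111111
ISAMKP (0): received DPD_R_U_THERE from peer VPN_PEER_ASA
"""

NOTIFY = re.compile(r"(processing NOTIFY payload|sending NOTIFY message) (\d+) protocol 1")
MSG_ID = re.compile(r"message ID = (\d+)")
STATUS = re.compile(r"return status is (\S+)")

def dpd_exchanges(text):
    """Return one dict per received R-U-THERE: message ID, ACK sent, logged status."""
    exchanges, current = [], None
    for line in text.splitlines():
        if m := NOTIFY.search(line):
            direction = m.group(1).split()[0]          # "processing" or "sending"
            kind = DPD_TYPES.get(int(m.group(2)))      # None for non-DPD notifies
            if direction == "processing" and kind == "R-U-THERE":
                current = {"message_id": None, "acked": False, "status": None}
                exchanges.append(current)
            elif direction == "sending" and kind == "R-U-THERE-ACK" and current:
                current["acked"] = True
        elif current and (m := MSG_ID.search(line)) and current["message_id"] is None:
            current["message_id"] = int(m.group(1))
        elif current and (m := STATUS.search(line)):
            current["status"] = m.group(1)             # status line closes the exchange
            current = None
    return exchanges

def unanswered(text):
    """Message IDs of probes for which no R-U-THERE-ACK was logged as sent."""
    return [e["message_id"] for e in dpd_exchanges(text) if not e["acked"]]

if __name__ == "__main__":
    for exchange in dpd_exchanges(SAMPLE):
        print(exchange)
    print("unanswered probes:", unanswered(SAMPLE))
```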