sh isa sa on PIX 515 ?

Discussion in 'Cisco' started by òTTó, May 10, 2004.

  1. òTTó

    òTTó Guest

    Is there someone who can explain to me a "strange" behavior on the VPN tunnel
    connection? See the part "sh isa sa". This PIX is connected to a Symantec
    Gateway Security 5420 Cluster combination. The normal behavior should be:

    pix-fwl01# sh isa sa
    Total : 1
    Embryonic : 0
    dst src state pending created
    123.xxx.xxx.123 82.xxx.xx.12 QM_IDLE 0 4
    pix-fwl01#

    Thanks in advance

    =====================

    But I get this response

    pix-fwl01# sh isa sa
    Total : 92
    Embryonic : 0
    dst src state pending created
    82.xxx.xx.12 123.xxx.xxx.123 QM_IDLE 0 0
    82.xxx.xx.12 123.xxx.xxx.123 QM_IDLE 0 0
    82.xxx.xx.12 123.xxx.xxx.123 QM_IDLE 0 0
    82.xxx.xx.12 123.xxx.xxx.123 QM_IDLE 0 0
    82.xxx.xx.12 123.xxx.xxx.123 QM_IDLE 0 0
    82.xxx.xx.12 123.xxx.xxx.123 QM_IDLE 0 0
    82.xxx.xx.12 123.xxx.xxx.123 QM_IDLE 0 0
    82.xxx.xx.12 123.xxx.xxx.123 QM_IDLE 0 0
    82.xxx.xx.12 123.xxx.xxx.123 QM_IDLE 0 0
    82.xxx.xx.12 123.xxx.xxx.123 QM_IDLE 0 1
    82.xxx.xx.12 123.xxx.xxx.123 QM_IDLE 0 0
    82.xxx.xx.12 123.xxx.xxx.123 QM_IDLE 0 0
    82.xxx.xx.12 123.xxx.xxx.123 QM_IDLE 0 1
    82.xxx.xx.12 123.xxx.xxx.123 QM_IDLE 0 0
    82.xxx.xx.12 123.xxx.xxx.123 QM_IDLE 0 0
    82.xxx.xx.12 123.xxx.xxx.123 QM_IDLE 0 0
    82.xxx.xx.12 123.xxx.xxx.123 QM_IDLE 0 0
    82.xxx.xx.12 123.xxx.xxx.123 QM_IDLE 0 0
    82.xxx.xx.12 123.xxx.xxx.123 QM_IDLE 0 0
    82.xxx.xx.12 123.xxx.xxx.123 QM_IDLE 0 0
    82.xxx.xx.12 123.xxx.xxx.123 QM_IDLE 0 0
    82.xxx.xx.12 123.xxx.xxx.123 QM_IDLE 0 0
    82.xxx.xx.12 123.xxx.xxx.123 QM_IDLE 0 0
    82.xxx.xx.12 123.xxx.xxx.123 QM_IDLE 0 0
    82.xxx.xx.12 123.xxx.xxx.123 QM_IDLE 0 0
    82.xxx.xx.12 123.xxx.xxx.123 QM_IDLE 0 0
    82.xxx.xx.12 123.xxx.xxx.123 QM_IDLE 0 0
    82.xxx.xx.12 123.xxx.xxx.123 QM_IDLE 0 0
    82.xxx.xx.12 123.xxx.xxx.123 QM_IDLE 0 1
    82.xxx.xx.12 123.xxx.xxx.123 QM_IDLE 0 0
    82.xxx.xx.12 123.xxx.xxx.123 QM_IDLE 0 0
    82.xxx.xx.12 123.xxx.xxx.123 QM_IDLE 0 0
    82.xxx.xx.12 123.xxx.xxx.123 QM_IDLE 0 0
    82.xxx.xx.12 123.xxx.xxx.123 QM_IDLE 0 0
    82.xxx.xx.12 123.xxx.xxx.123 QM_IDLE 0 0
    82.xxx.xx.12 123.xxx.xxx.123 QM_IDLE 0 0
    82.xxx.xx.12 123.xxx.xxx.123 QM_IDLE 0 0
    82.xxx.xx.12 123.xxx.xxx.123 QM_IDLE 0 1
    82.xxx.xx.12 123.xxx.xxx.123 QM_IDLE 0 0
    82.xxx.xx.12 123.xxx.xxx.123 QM_IDLE 0 0
    82.xxx.xx.12 123.xxx.xxx.123 QM_IDLE 0 0
    82.xxx.xx.12 123.xxx.xxx.123 QM_IDLE 0 0
    82.xxx.xx.12 123.xxx.xxx.123 QM_IDLE 0 0
    82.xxx.xx.12 123.xxx.xxx.123 QM_IDLE 0 0
    82.xxx.xx.12 123.xxx.xxx.123 QM_IDLE 0 0
    82.xxx.xx.12 123.xxx.xxx.123 QM_IDLE 0 0
    82.xxx.xx.12 123.xxx.xxx.123 QM_IDLE 0 0
    82.xxx.xx.12 123.xxx.xxx.123 QM_IDLE 0 0
    82.xxx.xx.12 123.xxx.xxx.123 QM_IDLE 0 0
    82.xxx.xx.12 123.xxx.xxx.123 QM_IDLE 0 0
    82.xxx.xx.12 123.xxx.xxx.123 QM_IDLE 0 0
    82.xxx.xx.12 123.xxx.xxx.123 QM_IDLE 0 0
    82.xxx.xx.12 123.xxx.xxx.123 QM_IDLE 0 0
    82.xxx.xx.12 123.xxx.xxx.123 QM_IDLE 0 0
    82.xxx.xx.12 123.xxx.xxx.123 QM_IDLE 0 0
    82.xxx.xx.12 123.xxx.xxx.123 QM_IDLE 0 0
    82.xxx.xx.12 123.xxx.xxx.123 QM_IDLE 0 0
    82.xxx.xx.12 123.xxx.xxx.123 QM_IDLE 0 0
    82.xxx.xx.12 123.xxx.xxx.123 QM_IDLE 0 0
    82.xxx.xx.12 123.xxx.xxx.123 QM_IDLE 0 0
    82.xxx.xx.12 123.xxx.xxx.123 QM_IDLE 0 0
    82.xxx.xx.12 123.xxx.xxx.123 QM_IDLE 0 1
    82.xxx.xx.12 123.xxx.xxx.123 QM_IDLE 0 0
    82.xxx.xx.12 123.xxx.xxx.123 QM_IDLE 0 0
    82.xxx.xx.12 123.xxx.xxx.123 QM_IDLE 0 0
    82.xxx.xx.12 123.xxx.xxx.123 QM_IDLE 0 0
    82.xxx.xx.12 123.xxx.xxx.123 QM_IDLE 0 0
    82.xxx.xx.12 123.xxx.xxx.123 QM_IDLE 0 0
    82.xxx.xx.12 123.xxx.xxx.123 QM_IDLE 0 0
    82.xxx.xx.12 123.xxx.xxx.123 QM_IDLE 0 0
    82.xxx.xx.12 123.xxx.xxx.123 QM_IDLE 0 0
    82.xxx.xx.12 123.xxx.xxx.123 QM_IDLE 0 0
    82.xxx.xx.12 123.xxx.xxx.123 QM_IDLE 0 0
    82.xxx.xx.12 123.xxx.xxx.123 QM_IDLE 0 0
    82.xxx.xx.12 123.xxx.xxx.123 QM_IDLE 0 0
    82.xxx.xx.12 123.xxx.xxx.123 QM_IDLE 0 0
    82.xxx.xx.12 123.xxx.xxx.123 QM_IDLE 0 0
    82.xxx.xx.12 123.xxx.xxx.123 QM_IDLE 0 0
    82.xxx.xx.12 123.xxx.xxx.123 QM_IDLE 0 0
    82.xxx.xx.12 123.xxx.xxx.123 QM_IDLE 0 0
    82.xxx.xx.12 123.xxx.xxx.123 QM_IDLE 0 2
    82.xxx.xx.12 123.xxx.xxx.123 QM_IDLE 0 0
    82.xxx.xx.12 123.xxx.xxx.123 QM_IDLE 0 0
    82.xxx.xx.12 123.xxx.xxx.123 QM_IDLE 0 0
    82.xxx.xx.12 123.xxx.xxx.123 QM_IDLE 0 0
    82.xxx.xx.12 123.xxx.xxx.123 QM_IDLE 0 0
    82.xxx.xx.12 123.xxx.xxx.123 QM_IDLE 0 0
    82.xxx.xx.12 123.xxx.xxx.123 QM_IDLE 0 0
    82.xxx.xx.12 123.xxx.xxx.123 QM_IDLE 0 0
    82.xxx.xx.12 123.xxx.xxx.123 QM_IDLE 0 0
    82.xxx.xx.12 123.xxx.xxx.123 QM_IDLE 0 1
    82.xxx.xx.12 123.xxx.xxx.123 QM_IDLE 0 0
    pix-fwl01#
    pix-fwl01#


    pixfwl01# sh ver

    Cisco PIX Firewall Version 6.3(1)
    Cisco PIX Device Manager Version 3.0(1)

    Compiled on Wed 19-Mar-03 11:49 by morlee

    pix-fwl01 up 4 days 2 hours

    Hardware: PIX-515, 32 MB RAM, CPU Pentium 200 MHz
    Flash i28F640J5 @ 0x300, 16MB
    BIOS Flash AT29C257 @ 0xfffd8000, 32KB

    0: ethernet0: address is 0050.54ff.e1ac, irq 10
    1: ethernet1: address is 0050.54ff.e1ad, irq 7
    Licensed Features:
    Failover: Disabled
    VPN-DES: Enabled
    VPN-3DES-AES: Disabled
    Maximum Interfaces: 3
    Cut-through Proxy: Enabled
    Guards: Enabled
    URL-filtering: Enabled
    Inside Hosts: Unlimited
    Throughput: Unlimited
    IKE peers: Unlimited

    This PIX has a Restricted (R) license.

    Running Activation Key: 0x64exbbb9 0xaxb6b0df 0x236xfd79 0x74x0d8xd
    Configuration last modified by enable_15 at 10:21:35.515 CEDT Mon May 10 2004
    pix-fwl01#


    pix-fwl01# wr t
    Building configuration...
    : Saved
    :
    PIX Version 6.3(1)
    interface ethernet0 auto
    interface ethernet1 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password
    passwd
    hostname pix-fwl01
    domain-name intern.xx.com
    clock timezone CEST 1
    clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    no names
    access-list acl_inbound permit icmp any host 82.xxx.xx.12 echo-reply log
    access-list acl_inbound permit tcp any any eq domain
    access-list acl_inbound permit udp any any eq domain
    access-list acl_inbound permit tcp any any eq smtp

    access-list acl_outbound permit ip host 10.64.1.1 any
    access-list acl_outbound permit ip host 10.64.1.3 any
    access-list acl_outbound permit tcp 10.64.1.0 255.255.255.0 any eq pop3
    access-list acl_outbound permit udp 10.64.1.0 255.255.255.0 any eq isakmp
    access-list acl_outbound permit tcp 10.64.1.0 255.255.255.0 any eq 10000
    access-list acl_outbound permit ip 10.64.1.0 255.255.255.0 10.32.1.0 255.255.255.0
    access-list acl_outbound permit ip 10.64.1.0 255.255.255.0 10.32.2.0 255.255.255.0
    access-list acl_outbound permit ip 10.64.1.0 255.255.255.0 10.32.4.0 255.255.255.0
    access-list acl_outbound permit ip 10.64.1.0 255.255.255.0 10.32.5.0 255.255.255.0

    access-list nonat permit ip 10.64.1.0 255.255.255.0 10.32.1.0 255.255.255.0
    access-list nonat permit ip 10.64.1.0 255.255.255.0 10.32.2.0 255.255.255.0
    access-list nonat permit ip 10.64.1.0 255.255.255.0 10.32.4.0 255.255.255.0
    access-list nonat permit ip 10.64.1.0 255.255.255.0 10.32.5.0 255.255.255.0

    access-list to-remote permit ip 10.64.1.0 255.255.255.0 10.32.1.0 255.255.255.0
    access-list to-remote permit ip 10.64.1.0 255.255.255.0 10.32.2.0 255.255.255.0
    access-list to-remote permit ip 10.64.1.0 255.255.255.0 10.32.4.0 255.255.255.0
    access-list to-remote permit ip 10.64.1.0 255.255.255.0 10.32.5.0 255.255.255.0

    pager lines 24
    logging on
    logging timestamp
    logging trap warnings
    logging history notifications
    logging host inside 10.64.1.33
    mtu outside 1500
    mtu inside 1500
    ip address outside dhcp setroute
    ip address inside 10.64.1.254 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool vpn_pool 10.64.7.32-10.64.7.223

    pdm history enable
    arp timeout 14400

    global (outside) 1 interface
    nat (inside) 0 access-list nonat
    nat (inside) 1 10.64.1.0 255.255.255.0 0 0

    static (inside,outside) tcp interface domain 10.64.1.3 domain netmask 255.255.255.255 0 0
    static (inside,outside) udp interface domain 10.64.1.3 domain netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface smtp 10.64.1.3 smtp netmask 255.255.255.255 0 0

    access-group acl_inbound in interface outside
    access-group acl_outbound in interface inside

    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server RADIUS (inside) host 10.64.1.3 [removed] timeout 5
    aaa-server LOCAL protocol local
    aaa-server radius protocol radius
    ntp server 10.64.1.3 source inside prefer
    http server enable
    http 10.64.1.0 255.255.255.0 inside
    snmp-server host inside 10.64.1.33 poll
    no snmp-server location
    no snmp-server contact
    snmp-server community x
    snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set vpn-ps esp-des esp-md5-hmac
    crypto dynamic-map dynmap 120 set transform-set vpn-ps
    crypto map dynmap 10 ipsec-isakmp
    crypto map dynmap 10 match address to-remote
    crypto map dynmap 10 set pfs
    crypto map dynmap 10 set peer 123.xxx.xxx.123
    crypto map dynmap 10 set transform-set vpn-ps
    crypto map dynmap 120 ipsec-isakmp dynamic dynmap
    crypto map dynmap client authentication RADIUS
    crypto map dynmap interface outside
    isakmp enable outside
    isakmp key ******** address 123.xxx.xxx.123 netmask 255.255.255.255 no-xauth
    isakmp identity address
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption des
    isakmp policy 10 hash md5
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    vpngroup vpn-client address-pool vpn_pool
    vpngroup vpn-client dns-server 10.64.1.3
    vpngroup vpn-client wins-server 10.64.1.1
    vpngroup vpn-client default-domain intern.xx.com
    vpngroup vpn-client split-tunnel nonat
    vpngroup vpn-client idle-time 1800
    vpngroup vpn-client password ********
    telnet 10.64.1.0 255.255.255.0 inside
    telnet timeout 10
    ssh timeout 5
    console timeout 0
    terminal width 80
    banner exec
    banner exec Connected to pix-fwl01
    banner exec
    Cryptochecksum:1bf6e72c54cd41d09ae1bf931817b32f
    : end
    [OK]
     
    òTTó, May 10, 2004
    #1

  2. In article <409f431d$0$21804$4all.nl>,
    òTTó <> wrote:
    :Is there someone who can explain to me a "strange" behavior on the VPN tunnel
    :connection? See the part "sh isa sa". This PIX is connected to a Symantec
    :Gateway Security 5420 Cluster combination.

    :But I get this response

    :pix-fwl01# sh isa sa
    :Total : 92
    :Embryonic : 0
    : dst src state pending created
    : 82.xxx.xx.12 123.xxx.xxx.123 QM_IDLE 0 0
    : 82.xxx.xx.12 123.xxx.xxx.123 QM_IDLE 0 0
    : 82.xxx.xx.12 123.xxx.xxx.123 QM_IDLE 0 0

    There is a particular isakmp option that would have to be sent to
    inform the remote end that an isakmp session is a "new" session
    and that all previous sa's with that peer should be flushed. Newer PIX
    versions send that option automatically; older PIX versions might not.
    I have no information about whether the Symantec devices support that
    isakmp option.

    Does your line state go up and down a lot? Do you have a very short
    sa lifetime set (or does the Symantec)? Is the connection working?
    Is it possible that the ACLs are not symmetrical between the two
    devices? If you turn on debugging of crypto isakmp and clear the
    SA's, then does anything unusual show up?
    --
    Inevitably, someone will flame me about this .signature.
     
    Walter Roberson, May 10, 2004
    #2
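The reply above attributes the 92-entry listing in the first post to phase-1 (ISAKMP) SAs that the remote end never flushed, so they pile up while the tunnel itself keeps working. As an added example (my own code, not from this thread, from Cisco or from Symantec), the script below parses the "sh isa sa" layout pasted in both posts and reports a peer pair that holds more than one ISAKMP SA, counting the QM_IDLE entries that never produced an IPsec SA. It assumes the PIX 6.3 column meaning (pending/created = phase-2 SAs negotiated under that ISAKMP SA) and uses constructed samples that mimic the thread's pastes, masked addresses included; the addresses are treated as opaque strings.

```python
"""Check PIX 6.x 'show isakmp sa' output for stale phase-1 SA build-up.

Added example; not from the thread, Cisco or Symantec. Assumes the PIX 6.3
column layout seen in the thread (dst, src, state, pending, created), where
pending/created count the IPsec (phase-2) SAs under each ISAKMP SA.
"""
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class IsakmpSa:
    dst: str
    src: str
    state: str
    pending: int
    created: int


@dataclass
class IsaTable:
    total: Optional[int] = None      # value of the "Total :" header line
    embryonic: Optional[int] = None  # value of the "Embryonic :" header line
    sas: List[IsakmpSa] = field(default_factory=list)


def parse_sh_isa_sa(text: str) -> IsaTable:
    """Parse pasted 'sh isa sa' output into header counters and SA rows."""
    table = IsaTable()
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blanks, the command echo and bare prompt lines.
        if not line or line.endswith("#") or line.endswith("sh isa sa"):
            continue
        if line.startswith("Total"):
            table.total = int(line.split(":", 1)[1])
            continue
        if line.startswith("Embryonic"):
            table.embryonic = int(line.split(":", 1)[1])
            continue
        parts = line.split()
        # Column header; a pasted terminal may wrap it onto two lines.
        if parts[0] in ("dst", "pending"):
            continue
        if len(parts) == 5 and parts[3].isdigit() and parts[4].isdigit():
            table.sas.append(IsakmpSa(parts[0], parts[1], parts[2],
                                      int(parts[3]), int(parts[4])))
    return table


def assess(table: IsaTable, max_per_peer: int = 1) -> List[str]:
    """Return findings: header/row mismatch and peers with too many SAs."""
    findings: List[str] = []
    if table.total is not None and table.total != len(table.sas):
        findings.append(f"Total header says {table.total} but "
                        f"{len(table.sas)} rows were parsed")
    per_peer = Counter((sa.dst, sa.src) for sa in table.sas)
    for (dst, src), n in sorted(per_peer.items()):
        if n > max_per_peer:
            # QM_IDLE rows that never produced an IPsec SA are the leftovers
            # a fresh negotiation should have flushed on the far end.
            orphans = sum(1 for sa in table.sas
                          if (sa.dst, sa.src) == (dst, src)
                          and sa.state == "QM_IDLE" and sa.created == 0)
            findings.append(f"{n} ISAKMP SAs for peer pair {dst} <-> {src} "
                            f"({orphans} idle with no IPsec SA created); "
                            f"expected at most {max_per_peer}")
    return findings


# Constructed samples modelled on the thread's pastes (masked addresses kept).
HEALTHY = """\
pix-fwl01# sh isa sa
Total : 1
Embryonic : 0
dst src state pending created
123.xxx.xxx.123 82.xxx.xx.12 QM_IDLE 0 4
pix-fwl01#
"""

STALE = """\
pix-fwl01# sh isa sa
Total : 6
Embryonic : 0
dst src state
pending created
82.xxx.xx.12 123.xxx.xxx.123 QM_IDLE 0 0
82.xxx.xx.12 123.xxx.xxx.123 QM_IDLE 0 0
82.xxx.xx.12 123.xxx.xxx.123 QM_IDLE 0 1
82.xxx.xx.12 123.xxx.xxx.123 QM_IDLE 0 0
82.xxx.xx.12 123.xxx.xxx.123 QM_IDLE 0 0
82.xxx.xx.12 123.xxx.xxx.123 QM_IDLE 0 0
pix-fwl01#
"""

if __name__ == "__main__":
    for name, sample in (("healthy", HEALTHY), ("stale", STALE)):
        print(name, assess(parse_sh_isa_sa(sample)) or ["ok"])
```

Run it against a pasted capture to get a one-line verdict per peer; a healthy site-to-site tunnel shows one ISAKMP SA per peer pair with a non-zero created count, while the thread's symptom shows dozens of QM_IDLE rows with created 0 for the same pair. The Total-versus-rows check catches a truncated paste (such as the three-row excerpt quoted in the reply) so the per-peer count is not trusted when the capture is incomplete.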

  3. òTTó

    òTTó Guest

    "Walter Roberson" <-cnrc.gc.ca> wrote in message
    news:c7oar9$777$...
    > In article <409f431d$0$21804$4all.nl>,
    > òTTó <> wrote:
    > :Is there someone who can explain to me a "strange" behavior on the VPN tunnel
    > :connection? See the part "sh isa sa". This PIX is connected to a Symantec
    > :Gateway Security 5420 Cluster combination.
    >
    > :But I get this response
    >
    > :pix-fwl01# sh isa sa
    > :Total : 92
    > :Embryonic : 0
    > : dst src state pending created
    > : 82.xxx.xx.12 123.xxx.xxx.123 QM_IDLE 0 0
    > : 82.xxx.xx.12 123.xxx.xxx.123 QM_IDLE 0 0
    > : 82.xxx.xx.12 123.xxx.xxx.123 QM_IDLE 0 0
    >
    > There is a particular isakmp option that would have to be sent to
    > inform the remote end that an isakmp session is a "new" session
    > and that all previous sa's with that peer should be flushed. Newer PIX
    > versions send that option automatically; older PIX versions might not.
    > I have no information about whether the Symantec devices support that
    > isakmp option.


    > Does your line state go up and down a lot? Do you have a very short
    > sa lifetime set (or does the Symantec)? Is the connection working?
    > Is it possible that the ACLs are not symmetrical between the two
    > devices? If you turn on debugging of crypto isakmp and clear the
    > SA's, then does anything unusual show up?
    > --
    > Inevitably, someone will flame me about this .signature.


    Okay, I understand. The flushing part was working in the old combination of
    Cisco pixes at the remote sites and the old Symantec Gateway Security
    cluster model 5310. Now I've got a newer cluster, model 5420.



    The line goes down once a week or every 2 weeks at a random time; only a reload of
    the pix will help at that moment to re-establish the VPN tunnels. A clear
    isa sa in config mode won't help. The lifetime at the Symantec site is 480
    min; the PIX should be the master for the re-key. Info by Symantec.



    The connection is working correctly; we can reach the four subnets we
    configured on both ends. If they are not the same, it isn't working at all.
    After a reload of the pix I see the normal behaviour of the sh isa sa
    command, as below.



    pix-fwl01# sh isa sa
    Total : 1
    Embryonic : 0
    dst src state pending created
    123.xxx.xxx.123 82.xxx.xx.12 QM_IDLE 0 4
    pix-fwl01#
     
    òTTó, May 10, 2004
    #3