Pix 501 Problem: gen_unrfrag: fail to generate unreachable, unexpected args

From: robert (nowave_at_speakeasy.net)
Date: 06/02/04


Date: Wed, 2 Jun 2004 12:28:45 -0700

I'm a student at a community college taking a class on the Cisco PIX 501
(ver. 6.03 software).

We have an exercise that creates a VPN tunnel between two PIXes
in the lab: pix11 and pix7.

To test whether the tunnel is working, we open a web browser on a
host behind pix11 and browse to a web page running on a host
behind pix7.

It seems to work. Packets get encrypted and the web page opens,
EXCEPT that the web page will not open the second time: if you
close and reopen the browser on the host behind pix11 and
re-browse the host behind pix7, the browser just times out
instead of opening the page as it did the first time.

When I close and reopen the web browser and again attempt to
browse to the destination host, I also get the following
message on the console of pix11:

gen_unrfrag: fail to generate unreachable, unexpected args

If I clear the crypto map on the hosts and then put the
crypto map commands back in to create a new crypto map,
it works again, BUT only for the first time again.
The second time I close/reopen the browser on the host
behind pix11 and try to browse the page on the host
behind pix7, it times out again.

The instructor cannot figure it out either. Below are the
commands I run on both PIXes.

Any help would be appreciated. Thanks, Robert

I have included the configuration commands I entered
for both PIXes below:

Configuration commands I enter for Pix9:

interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
names
name 10.0.9.11 insidehost
hostname Pix9
ip address inside 10.0.9.1 255.255.255.0
ip address outside 192.168.9.2 255.255.255.0
nat (inside) 1 10.0.9.0 255.255.255.0 0 0
route outside 0 0 192.168.9.1 1
static (inside,outside) 192.168.9.11 10.0.9.11 netmask 255.255.255.255
access-list ACLIN permit tcp 192.168.11.0 255.255.255.0 host 192.168.9.11 eq www
access-list ACLIN permit tcp 192.168.11.0 255.255.255.0 host 192.168.9.11 eq ftp
access-list ACLIN permit icmp any any echo
access-list ACLIN permit icmp any any echo-reply
access-list ACLIN permit icmp any any unreachable
access-list ACLIN deny ip any any
access-group ACLIN in interface outside
sysopt connection permit-ipsec
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp identity address
isakmp key cisco123 address 192.168.11.2 netmask 255.255.255.255
access-list 101 permit ip host 192.168.9.11 host 192.168.11.11
crypto ipsec transform-set pixQ esp-des
crypto map peerQ 10 ipsec-isakmp
crypto map peerQ 10 match address 101
crypto map peerQ 10 set peer 192.168.11.2
crypto map peerQ 10 set transform-set pixQ
crypto map peerQ interface outside

Configuration commands I enter for Pix11:

interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
names
name 10.0.11.11 insidehost
hostname Pix11
ip address inside 10.0.11.1 255.255.255.0
ip address outside 192.168.11.2 255.255.255.0
nat (inside) 1 10.0.11.0 255.255.255.0 0 0
route outside 0 0 192.168.11.1 1
static (inside,outside) 192.168.11.11 10.0.11.11 netmask 255.255.255.255
access-list ACLIN permit tcp 192.168.9.0 255.255.255.0 host 192.168.11.11 eq www
access-list ACLIN permit tcp 192.168.9.0 255.255.255.0 host 192.168.11.11 eq ftp
access-list ACLIN permit icmp any any echo
access-list ACLIN permit icmp any any echo-reply
access-list ACLIN permit icmp any any unreachable
access-list ACLIN deny ip any any
access-group ACLIN in interface outside
sysopt connection permit-ipsec
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp identity address
isakmp key cisco123 address 192.168.9.2 netmask 255.255.255.255
access-list 101 permit ip host 192.168.11.11 host 192.168.9.11
crypto ipsec transform-set pixQ esp-des
crypto map peerQ 10 ipsec-isakmp
crypto map peerQ 10 match address 101
crypto map peerQ 10 set peer 192.168.9.2
crypto map peerQ 10 set transform-set pixQ
crypto map peerQ interface outside
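The following script is an added example, not part of Robert's post and not anything Cisco ships: it is the static consistency check an engineer would run over the two configs above before touching the lab. It parses only the statements the post contains (hostname, ip address, static, access-list, isakmp key, crypto ipsec transform-set, crypto map) and verifies the things that must agree for a PIX 6.x site-to-site tunnel: each crypto map's set peer is the other box's outside address, the pre-shared key bound to that peer matches the key the other box holds for this box, the two sides share a transform-set proposal, the crypto ACLs are exact mirror images, and every host address in a crypto ACL is a translated (static global) address, since the PIX evaluates crypto ACLs after NAT. The embedded config text is copied from the post and trimmed to those lines. The script does not explain the gen_unrfrag message; it only rules out the mismatches that commonly produce one-way or first-time-only tunnels.

```python
# Added example (not from the original post): static consistency check for the
# two PIX 6.x site-to-site configs above. Config text is copied from the post,
# trimmed to the tunnel-relevant statements, with wrapped ACL lines rejoined.
PIX9_CFG = """
hostname Pix9
ip address outside 192.168.9.2 255.255.255.0
static (inside,outside) 192.168.9.11 10.0.9.11 netmask 255.255.255.255
isakmp key cisco123 address 192.168.11.2 netmask 255.255.255.255
access-list 101 permit ip host 192.168.9.11 host 192.168.11.11
crypto ipsec transform-set pixQ esp-des
crypto map peerQ 10 ipsec-isakmp
crypto map peerQ 10 match address 101
crypto map peerQ 10 set peer 192.168.11.2
crypto map peerQ 10 set transform-set pixQ
crypto map peerQ interface outside
"""
PIX11_CFG = """
hostname Pix11
ip address outside 192.168.11.2 255.255.255.0
static (inside,outside) 192.168.11.11 10.0.11.11 netmask 255.255.255.255
isakmp key cisco123 address 192.168.9.2 netmask 255.255.255.255
access-list 101 permit ip host 192.168.11.11 host 192.168.9.11
crypto ipsec transform-set pixQ esp-des
crypto map peerQ 10 ipsec-isakmp
crypto map peerQ 10 match address 101
crypto map peerQ 10 set peer 192.168.9.2
crypto map peerQ 10 set transform-set pixQ
crypto map peerQ interface outside
"""


def parse_pix(cfg):
    """Pull the tunnel-relevant statements out of a PIX 6.x config dump."""
    info = {"hostname": None, "outside_ip": None, "statics": {}, "acls": {},
            "isakmp_keys": {}, "transform_sets": {}, "crypto_maps": {}}
    for raw in cfg.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "hostname":
            info["hostname"] = tok[1]
        elif tok[:3] == ["ip", "address", "outside"]:
            info["outside_ip"] = tok[3]
        elif tok[0] == "static":            # static (in,out) <global> <local> ...
            info["statics"][tok[3]] = tok[2]
        elif tok[0] == "access-list":
            info["acls"].setdefault(tok[1], []).append(tok[2:])
        elif tok[:2] == ["isakmp", "key"]:  # isakmp key <key> address <peer> ...
            info["isakmp_keys"][tok[4]] = tok[2]
        elif tok[:3] == ["crypto", "ipsec", "transform-set"]:
            info["transform_sets"][tok[3]] = tuple(tok[4:])
        elif tok[:2] == ["crypto", "map"] and tok[3].isdigit():
            entry = info["crypto_maps"].setdefault((tok[2], int(tok[3])), {})
            rest = tok[4:]
            if rest == ["ipsec-isakmp"]:
                entry["type"] = "ipsec-isakmp"
            elif rest[:2] == ["match", "address"]:
                entry["match"] = rest[2]
            elif rest[:2] == ["set", "peer"]:
                entry["peer"] = rest[2]
            elif rest[:2] == ["set", "transform-set"]:
                entry["transforms"] = rest[2:]
    return info


def _addr(tok, i):
    """Consume one ACL address spec at tok[i]; return ((addr, mask), next_index)."""
    if tok[i] == "any":
        return ("0.0.0.0", "0.0.0.0"), i + 1
    if tok[i] == "host":
        return (tok[i + 1], "255.255.255.255"), i + 2
    return (tok[i], tok[i + 1]), i + 2


def flows(acl_entries):
    """ACL entries -> set of (action, proto, src, dst); port qualifiers are ignored."""
    out = set()
    for e in acl_entries:
        src, i = _addr(e, 2)
        dst, _ = _addr(e, i)
        out.add((e[0], e[1], src, dst))
    return out


def check_pair(a, b):
    """Findings for the tunnel between parsed configs a and b; [] means consistent."""
    findings = []
    for local, remote in ((a, b), (b, a)):
        me, them = local["hostname"], remote["hostname"]
        remote_maps = list(remote["crypto_maps"].values())
        remote_flows = set().union(*(flows(remote["acls"].get(m.get("match"), [])) for m in remote_maps))
        remote_ts = {remote["transform_sets"].get(n) for m in remote_maps for n in m.get("transforms", [])}
        for m in local["crypto_maps"].values():
            if m.get("type") != "ipsec-isakmp":
                continue
            peer = m.get("peer")
            if peer != remote["outside_ip"]:
                findings.append(f"{me}: set peer {peer} is not {them}'s outside address {remote['outside_ip']}")
            key = local["isakmp_keys"].get(peer)
            if key is None:
                findings.append(f"{me}: no isakmp key bound to peer {peer}")
            elif key != remote["isakmp_keys"].get(local["outside_ip"]):
                findings.append(f"{me}: pre-shared key for {peer} differs from what {them} holds for {local['outside_ip']}")
            local_ts = {local["transform_sets"].get(n) for n in m.get("transforms", [])}
            if not (local_ts & remote_ts) - {None}:
                findings.append(f"{me}: no transform-set proposal in common with {them}")
            for action, proto, src, dst in flows(local["acls"].get(m.get("match"), [])):
                if (action, proto, dst, src) not in remote_flows:
                    findings.append(f"{me}: crypto ACL {m.get('match')} {src[0]}->{dst[0]} has no mirror entry on {them}")
                # Crypto ACLs are matched post-NAT, so a host source must be a static's global address.
                if src[1] == "255.255.255.255" and src[0] not in local["statics"].values():
                    findings.append(f"{me}: crypto ACL source {src[0]} is not a translated (static) address")
    return findings


def check_configs(cfg_a, cfg_b):
    return check_pair(parse_pix(cfg_a), parse_pix(cfg_b))


if __name__ == "__main__":
    for line in check_configs(PIX9_CFG, PIX11_CFG) or ["configs are consistent"]:
        print(line)
```

Run as-is it reports the two posted configs as consistent, which is the useful negative result here: the peers, key, proposal, mirror ACLs and statics all line up, so the second-connection failure is not one of the usual copy-and-paste mismatches. Altering the key or one host in either crypto ACL makes the corresponding finding appear from both boxes' point of view.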