Error when using PDM..

Status
Not open for further replies.

wturner80

IS-IT--Management
Nov 2, 2005
57
US
When I attempt to access the VPN tab in PDM I get the following message: PDM does not support multiple dynamic crypto maps per interface. Please collapse them into one. Otherwise you will not be able to manage crypto map via PDM.
Can anyone give me some leadway on how to correct this?
 
Do you currently have users using a VPN through your PIX? If so, it might be kind of tricky as to what you need to "collapse" or replace with an up-to-date command in the CLI. Or, remove one of the crypto maps that share the same interface and then reenter them via the PDM.

What version of software do you have on the PIX?

Can you copy/paste your crypto maps here? Just the lines that look like so...

crypto dynamic-map outside_dyn_map
crypto dynamic-map outside_dyn_map
crypto dynamic-map outside_dyn_map
 
Software version: 6.3(4)
crypto lines:
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set NGU esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto dynamic-map dynmap 10 set transform-set ESP-DES-MD5
crypto map outside_map 1 ipsec-isakmp
crypto map outside_map 1 match address 101
crypto map outside_map 1 set peer xx.xx.xx.xx
crypto map outside_map 1 set transform-set NGU
crypto map outside_map 10 ipsec-isakmp dynamic dynmap
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client configuration address respond
crypto map outside_map interface outside
 
I have VPN clients that use the PIX. A site to site was previously set up but it doesn't work now since an ISP change at the remote site.
 
wturner-

All you have to do is take out the dynamic crypto-map named dynmap and rename it to reflect the name outside_dyn_map. So it should look like this..

crypto dynamic-map outside_dyn_map 10 set transform-set ESP-DES-MD5
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5

After looking at your config you posted, you are not even using the dynamic map called dynmap. It repeats outside_dyn_map 20.

Frank
 
Thanks for the help. I just used CLI to delete the crypto lines and then used PDM to start a site to site VPN.

Thanks again for the help.
 
Update...after deleting the crypto lines my remote users were not able to log in via VPN client. Which lines are directly related to client logins?
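
An added example, not part of the thread or written by any poster: a small Python check that reads PIX 6.x-style crypto lines and reports interfaces whose crypto map references more than one dynamic map (the condition named in the PDM message), plus dynamic maps that are defined but never referenced, which is worth knowing before deleting lines by hand. `POSTED` reuses lines from the thread; `COLLAPSED` is a constructed config that assumes a single dynamic reference remains after merging; `audit` and both constant names are hypothetical.

```python
import re
from collections import defaultdict

# Crypto map lines taken from the config posted in the thread.
POSTED = """\
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto dynamic-map dynmap 10 set transform-set ESP-DES-MD5
crypto map outside_map 1 ipsec-isakmp
crypto map outside_map 10 ipsec-isakmp dynamic dynmap
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client configuration address respond
crypto map outside_map interface outside
"""
# Constructed sample (assumption): the merged dynamic map from the reply,
# referenced by a single crypto map entry.
COLLAPSED = """\
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-DES-MD5
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
"""
DYN_DEF = re.compile(r"^crypto dynamic-map (\S+) \d+ ")
DYN_REF = re.compile(r"^crypto map (\S+) \d+ ipsec-isakmp dynamic (\S+)$")
BIND = re.compile(r"^crypto map (\S+) interface (\S+)$")

def audit(config):
    """Return interfaces with >1 dynamic map, and unreferenced dynamic maps."""
    refs = defaultdict(list)  # crypto map name -> dynamic maps it references
    binds = {}                # interface -> crypto map applied to it
    defined = set()           # dynamic map names that have entries
    for line in (raw.strip() for raw in config.splitlines()):
        if m := DYN_DEF.match(line):
            defined.add(m.group(1))
        elif m := DYN_REF.match(line):
            if m.group(2) not in refs[m.group(1)]:
                refs[m.group(1)].append(m.group(2))
        elif m := BIND.match(line):
            binds[m.group(2)] = m.group(1)
    referenced = {d for names in refs.values() for d in names}
    multiple = {i: refs[c] for i, c in binds.items() if len(refs.get(c, [])) > 1}
    return {"multiple_dynamic": multiple,
            "unreferenced": sorted(defined - referenced)}

if __name__ == "__main__":
    for label, cfg in (("posted", POSTED), ("collapsed", COLLAPSED)):
        print(label, audit(cfg))
```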
 