Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

PIX 515E Upgraded to 7.2 - Client VPN Not Working

Status
Not open for further replies.

imalc3142

MIS
Jun 29, 2006
18
US
I upgraded a PIX 515E from 6.3(5) to 7.2(2. Upgrade went fine except my client VPN is not working (was working before the software upgrade). Relevant config:

access-list nonat extended permit ip 10.1.0.0 255.255.248.0 192.168.0.0 255.255.255.0
ip local pool vpnpool 192.168.0.1-192.168.0.11
nat (inside) 0 access-list nonat
group-policy admin internal
group-policy admin attributes
dns-server value 10.180.1.240
vpn-idle-timeout 60
split-tunnel-policy tunnelspecified
split-tunnel-network-list value nonat
default-domain value mydomain.com
crypto ipsec transform-set vpn esp-aes-256 esp-md5-hmac
crypto dynamic-map clvpn 10 set transform-set vpn
crypto map vpnmap 10 ipsec-isakmp dynamic clvpn
crypto map vpnmap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash md5
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
tunnel-group DefaultRAGroup general-attributes
tunnel-group admin type ipsec-ra
tunnel-group admin general-attributes
address-pool vpnpool
default-group-policy admin
tunnel-group admin ipsec-attributes
pre-shared-key *

When I try to connect with my VPN client (4.6.4)the client stays on "Contacting the security gateway at...)

The only info I am getting from debug (debug crypto ipsec & debug crypto isakmp) is when I cancel the VPN client attempt:

Nov 24 18:37:45 [IKEv1]: Group = admin, IP = xxx.xxx.xxx.xxx, Removing peer from peer table failed, no match!
Nov 24 18:37:45 [IKEv1]: Group = admin, IP = xxx.xxx.xxx.xxx, Error: Unable to remove PeerTblEntry

Any idea why my vpn is not working?

Thanks for any help you can offer.
 
Hi,

I faced the same problem, and the solution was by removing the whole configuration regarding VPN based IPSEC ( ISAKMP, CRYPTOMAP..etc) and put it again, and even with XAUTH configuration, you will find the PIX prompts you ( as a VPN client) to enter a username and password, so tro to create any local account

I hope this would help!!
 
Thanks for responding. I did a third reload on the PIX and most of the errors went away. Where I am at now is that the username/password box on the client keeps popping up. I have changed the password on the PIX but that does not help.

Any additional help that you can offer is greatly appreciated.

Thanks,
 
i guess it's a default behaviour ofr OS 7.2 , as it sees it as a more security for authentication ( i.e no workarround to disable it) In other words just create any local account on your PIX ( not a must to configure a real ACS or AAA)
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top